feat(helm): add sslCertDir parameter
Description
Add trivy.sslCertDir parameter to Helm chart to mount a host path containing CA certificates into the container (for example /etc/ssl/certs).
The same behavior is already available in the trivy-operator Helm chart.
This PR fixes the following error when using a vulnerability DB hosted on a private registry with a certificate signed by a custom CA:
```
2025-10-22T09:25:42Z INFO Adding schema version to the DB repository for backward compatibility repository="registry.example.com/proxy.ghcr.io/aquasecurity/trivy-db:2"
2025-10-22T09:25:42Z INFO Redis scan cache url="redis://trivy-redis:6379"
2025-10-22T09:25:42Z INFO [vulndb] Need to update DB
2025-10-22T09:25:42Z INFO [vulndb] Downloading vulnerability DB...
2025-10-22T09:25:42Z INFO [vulndb] Downloading artifact... repo="registry.example.com/proxy.ghcr.io/aquasecurity/trivy-db:2"
2025-10-22T09:25:42Z FATAL Fatal error failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from registry.example.com/proxy.ghcr.io/aquasecurity/trivy-db:2: OCI repository error: 2 errors occurred:
* Get "https://registry.example.com/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority
* Get "https://registry.example.com/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority
```
Checklist
- [x] I've read the guidelines for contributing to this repository.
- [x] I've followed the conventions in the PR title.
- [ ] I've added tests that prove my fix is effective or that my feature works.
- [ ] I've updated the documentation with the relevant information (if needed).
- [ ] I've added usage information (if the PR introduces new options)
- [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).
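Added example, not part of the PR or of the chart: a Go check that reproduces the `x509: certificate signed by unknown authority` failure from the log and shows it clearing once the custom CA is present in the certificate directory. It assumes the client takes its roots from the mounted directory (Go reads the directory named by `SSL_CERT_DIR` on Linux); the CA, the server certificate, the temporary directory and the function names are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// verifyWithDir trusts only the PEM files in dir, approximating a Go client whose roots come from that directory.
func verifyWithDir(leaf *x509.Certificate, host, dir string) error {
	pool := x509.NewCertPool()
	files, _ := filepath.Glob(filepath.Join(dir, "*"))
	for _, f := range files {
		data, _ := os.ReadFile(f)
		pool.AppendCertsFromPEM(data)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err
}

// constructedChain builds a throwaway CA and a server certificate for host (constructed sample data).
func constructedChain(host string) ([]byte, *x509.Certificate) {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: nb, NotAfter: na,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caTmpl.Subject.CommonName = "constructed custom CA"
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: nb, NotAfter: na, DNSNames: []string{host}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, caTmpl, leafPub, caKey)
	leaf, _ := x509.ParseCertificate(leafDER)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), leaf
}

func main() {
	caPEM, leaf := constructedChain("registry.example.com")
	dir, _ := os.MkdirTemp("", "ssl-cert-dir") // stands in for the mounted certificate directory
	defer os.RemoveAll(dir)
	fmt.Println("empty dir: ", verifyWithDir(leaf, "registry.example.com", dir))
	os.WriteFile(filepath.Join(dir, "custom-ca.pem"), caPEM, 0o644)
	fmt.Println("CA present:", verifyWithDir(leaf, "registry.example.com", dir))
}
```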
@keliansb thanks for your contribution! I left some notes, WDYT?
@afdesk I did the same configuration as the one already available in the trivy-operator Helm chart.
Should both charts be aligned? If not, I can update my PR based on your comments.
thanks for your answer!
actually, a part of my comments is resolved in trivy-operator: the docs and configmap https://github.com/aquasecurity/trivy-operator/blob/main/deploy/helm/templates/configmaps/trivy.yaml#L31
about the other part (`sslCertHostPath`/`sslCertMountPath` and `hostPath.type`) - it would be great to hear an opinion, and maybe we should change it in both repos.
/cc @simar7
I agree with @afdesk - the other option would be to refactor them so the common parts can be shared but that can be done in a separate PR.