Add trivy

Utwo · Utwo · commit 562ee557d69e · 2025-02-01T23:07:08.000+02:00
diff --git a/infra/argocd/clusters/k3d-apps-secret.yaml b/infra/argocd/clusters/k3d-apps-secret.yaml
@@ -14,6 +14,7 @@ spec:
             ingressNginx: "true"
             keda: "true"
             rollouts: "true"
+            trivyOperator: "true"
           stringData:
             name: ENC[AES256_GCM,data:9exv/ld6rZA=,iv:9N6qQyLWvijt79A2fOzc9o/fpwUCUx2JVFMq1GFkKX0=,tag:RvLcIQ9lsJgdqjs+lPRNfw==,type:str]
             server: ENC[AES256_GCM,data:/9AHbxcjW3UBv+j3y+AjcT1iFIjVbvybbxZGVEzm0rr6ZEEqMsw=,iv:x75RrCQ3FREKm6ZGx3mmMsgbyT0EXeBuDJJegwCjFos=,tag:iUPmbMYWfc0DdU3+w++0TA==,type:str]
@@ -33,8 +34,8 @@ sops:
             eVpFT1pHMFJPYTNtTlhtblFzZzJveEkK4ihkLkZFN35QcvigsTod1OWQc19Ozj2H
             95dh6IL4ROKug3HiLrcQwItsFiKP3+u+3RKx4mQN3CBSaM+ilvWLQg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-01-21T12:49:56Z"
-    mac: ENC[AES256_GCM,data:Y6byGonFhNO5IFoaaubcGO7/8lQFbQ3yUyvtg6TETK55tR/UVjrwr3j3GNwz3mowg5CWdQiW2gx83xDl+RoRTuZbEQTE2vUBEsdspi5niJydQNfLi4em/CRRlcIEe8Y/wMJjPWvCuwzU4O+ieuwUkeIU1n/uNcubFDJP6CwJmKo=,iv:OB3jBhoAA4RiJb5zhjHtv/v0NJQxT9T4vigf498ORx0=,tag:JaVpjPxxS47tAUTNhpsAkA==,type:str]
+    lastmodified: "2025-02-01T12:21:24Z"
+    mac: ENC[AES256_GCM,data:ycNc/XzZv4F1VKVmkWK3DSr7Wctu00TdIOzNtSKM6iz5612x7hQU1T9S79bB40AHkx1Brm36+x5PMPjM4JhF863dc+XqnQK56WPuVUESD+WNL72FZexNFh0zVEw/TF7CH6rlfITV70rQJpj2vkd6HtLhYJJvLP40Tj3rhDmrULo=,iv:mvmY08YpRhr17PZ2Y3pn5XJvCicu9G5GA2Sy3mjlf5s=,tag:YIDa2VaIhC2cM3QUlZR6Rg==,type:str]
     pgp: []
     encrypted_regex: ^(data|stringData)$
     version: 3.9.3
diff --git a/infra/argocd/project.yaml b/infra/argocd/project.yaml
@@ -36,7 +36,22 @@ spec:
   clusterResourceWhitelist:
     - group: "*"
       kind: "*"
-  description: Applications
+  description: Applications owned by us
+  destinations:
+    - namespace: "*"
+      server: "*"
+  sourceRepos:
+    - "*"
+---
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: services
+spec:
+  clusterResourceWhitelist:
+    - group: "*"
+      kind: "*"
+  description: External services
   destinations:
     - namespace: "*"
       server: "*"
diff --git a/monitoring/grafana/helm-chart-values/values.yaml b/monitoring/grafana/helm-chart-values/values.yaml
@@ -35,6 +35,14 @@ dashboardProviders:
         editable: true
         options:
           path: /var/lib/grafana/dashboards/vm
+      - name: "trivy"
+        orgId: 1
+        folder: "trivy"
+        type: file
+        disableDeletion: false
+        editable: true
+        options:
+          path: /var/lib/grafana/dashboards/trivy
 
 dashboards:
   vm:
@@ -44,6 +52,10 @@ dashboards:
     VMSingle:
       gnetId: 10229
       revision: 37
+  trivy:
+    trivy-operator:
+      gnetId: 17813
+      revision: 2
 
 grafana.ini:
   server:
diff --git a/services/argo-apps/trivy.yaml b/services/argo-apps/trivy.yaml
@@ -0,0 +1,43 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: trivy-operator
+  namespace: argocd
+spec:
+  goTemplate: true
+  generators:
+    - clusters:
+        selector:
+          matchLabels:
+            trivyOperator: "true"
+        values:
+          clusterName: "{{.name}}"
+    - list:
+        elements:
+          - name: in-cluster
+            values:
+              clusterName: k3d-control
+  template:
+    metadata:
+      name: "trivy-operator-{{.values.clusterName}}"
+    spec:
+      project: services
+      source:
+        chart: trivy-operator
+        repoURL: https://aquasecurity.github.io/helm-charts/
+        targetRevision: 0.25.0
+        helm:
+          valuesObject:
+            trivy:
+              severity: HIGH,CRITICAL
+              ignoreUnfixed: true
+            serviceMonitor:
+              enabled: true
+              labels:
+                release: "kube-prometheus-stack-{{.values.clusterName}}"
+      destination:
+        name: "{{.name}}"
+        namespace: trivy-operator
+      syncPolicy:
+        automated: {}
+        createNamespace: true
diff --git a/services/init-argo-apps.yaml b/services/init-argo-apps.yaml
@@ -0,0 +1,16 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argo-apps-services
+  namespace: argocd
+spec:
+  project: services
+  source:
+    path: services/argo-apps
+    repoURL: https://github.com/Utwo/k8s-playground
+    targetRevision: HEAD
+  destination:
+    namespace: argocd
+    name: in-cluster
+  syncPolicy:
+    automated: {}
