# Default values for the trivy-operator Helm chart, these are used to render
# the templates into valid k8s Resources.

# -- global values provide a centralized configuration for 'image.registry', reducing the potential for errors.
# If left blank, the chart will default to the individually set 'image.registry' values
global:
  image:
    registry: ""

# -- managedBy is similar to .Release.Service but allows to overwrite the value
managedBy: Helm

# -- targetNamespaces defines where you want trivy-operator to operate. By
# default, it's a blank string to select all namespaces, but you can specify
# another namespace, or a comma separated list of namespaces.
targetNamespaces: ""

# -- excludeNamespaces is a comma separated list of namespaces (or glob patterns)
# to be excluded from scanning. Only applicable in the all namespaces install
# mode, i.e. when the targetNamespaces value is a blank string.
excludeNamespaces: ""

# -- targetWorkloads is a comma separated list of Kubernetes workload resources
# to be included in the vulnerability and config-audit scans.
# If left blank, all workload resources will be scanned.
targetWorkloads: "pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job"

# -- nameOverride override operator name
nameOverride: ""

# -- fullnameOverride override operator full name
fullnameOverride: ""
operator:
  # -- namespace to install the operator, defaults to the .Release.Namespace
  namespace: ""
  # -- replicas the number of replicas of the operator's pod
  replicas: 1
  # -- number of old history to retain to allow rollback (if not set, default Kubernetes value is set to 10)
  revisionHistoryLimit: ~
  # -- additional annotations for the operator deployment
  annotations: {}
  # -- additional labels for the operator deployment
  labels: {}
  # -- additional labels for the operator pod
  podLabels: {}
  # -- leaderElectionId determines the name of the resource that leader election
  # will use for holding the leader lock.
  leaderElectionId: "trivyoperator-lock"
  # -- logDevMode the flag to enable development mode (more human-readable output, extra stack traces and logging information, etc).
  # Intended for development; keep it disabled on production installs.
  logDevMode: false
  # -- scanJobTTL the set automatic cleanup time after the job is completed
  scanJobTTL: ""
  # -- scanSecretTTL set an automatic cleanup for scan job secrets
  scanSecretTTL: ""
  # -- scanJobTimeout the length of time to wait before giving up on a scan job
  scanJobTimeout: 5m
  # -- scanJobsConcurrentLimit the maximum number of scan jobs created by the operator
  scanJobsConcurrentLimit: 10
  # -- scanNodeCollectorLimit the maximum number of node collector jobs created by the operator
  scanNodeCollectorLimit: 1
  # -- scanJobsRetryDelay the duration to wait before retrying a failed scan job
  scanJobsRetryDelay: 30s
  # -- the flag to enable vulnerability scanner
  vulnerabilityScannerEnabled: true
  # -- the flag to enable sbom generation, required for enabling ClusterVulnerabilityReports
  sbomGenerationEnabled: true
  # -- the flag to enable cluster sbom cache generation
  clusterSbomCacheEnabled: false
  # -- scannerReportTTL the flag to set how long a report should exist. "" means that the ScannerReportTTL feature is disabled
  scannerReportTTL: "24h"
  # -- cacheReportTTL the flag to set how long a cluster sbom report should exist. "" means that the cacheReportTTL feature is disabled
  cacheReportTTL: "120h"
  # -- configAuditScannerEnabled the flag to enable configuration audit scanner
  configAuditScannerEnabled: true
  # -- rbacAssessmentScannerEnabled the flag to enable rbac assessment scanner
  rbacAssessmentScannerEnabled: true
  # -- infraAssessmentScannerEnabled the flag to enable infra assessment scanner
  infraAssessmentScannerEnabled: true
  # -- clusterComplianceEnabled the flag to enable cluster compliance scanner
  clusterComplianceEnabled: true
  # -- batchDeleteLimit the maximum number of config audit reports deleted by the operator when the plugin's config has changed.
  batchDeleteLimit: 10
  # -- vulnerabilityScannerScanOnlyCurrentRevisions the flag to only create vulnerability scans on the current revision of a deployment.
  vulnerabilityScannerScanOnlyCurrentRevisions: true
  # -- configAuditScannerScanOnlyCurrentRevisions the flag to only create config audit scans on the current revision of a deployment.
  configAuditScannerScanOnlyCurrentRevisions: true
  # -- batchDeleteDelay the duration to wait before deleting another batch of config audit reports.
  batchDeleteDelay: 10s
  # -- accessGlobalSecretsAndServiceAccount The flag to enable access to global secrets/service accounts to allow `vulnerability scan job` to pull images from private registries.
  # This widens what the scan jobs are allowed to read; keep it enabled only if private-registry pulls actually need it.
  accessGlobalSecretsAndServiceAccount: true
  # -- builtInTrivyServer The flag enables the usage of built-in trivy server in cluster. It also overrides the following trivy params with built-in values
  # trivy.mode = ClientServer and serverURL = http://<serverServiceName>.<trivy operator namespace>:4975
  builtInTrivyServer: false
  # -- builtInServerRegistryInsecure is the flag to enable insecure connection from the built-in Trivy server to the registry.
  # Keep false unless the registry cannot present a trusted certificate; see also trivy.sslCertDir and trivy.insecureRegistries.
  builtInServerRegistryInsecure: false
  # -- controllerCacheSyncTimeout the duration to wait for controller resources cache sync (default: 5m).
  controllerCacheSyncTimeout: "5m"
  # -- trivyServerHealthCheckCacheExpiration The flag to set the interval for trivy server health cache before it invalidates
  trivyServerHealthCheckCacheExpiration: 10h
  # -- metricsFindingsEnabled the flag to enable metrics for findings
  metricsFindingsEnabled: true
  # -- metricsVulnIdEnabled the flag to enable metrics about cve vulns id
  # be aware of metrics cardinality is significantly increased with this feature enabled.
  metricsVulnIdEnabled: false
  # -- exposedSecretScannerEnabled the flag to enable exposed secret scanner
  exposedSecretScannerEnabled: true
  # -- MetricsExposedSecretInfo the flag to enable metrics about exposed secrets
  # be aware of metrics cardinality is significantly increased with this feature enabled.
  metricsExposedSecretInfo: false
  # -- MetricsConfigAuditInfo the flag to enable metrics about configuration audits
  # be aware of metrics cardinality is significantly increased with this feature enabled.
  metricsConfigAuditInfo: false
  # -- MetricsRbacAssessmentInfo the flag to enable metrics about Rbac Assessment
  # be aware of metrics cardinality is significantly increased with this feature enabled.
  metricsRbacAssessmentInfo: false
  # -- MetricsInfraAssessmentInfo the flag to enable metrics about Infra Assessment
  # be aware of metrics cardinality is significantly increased with this feature enabled.
  metricsInfraAssessmentInfo: false
  # -- MetricsImageInfo the flag to enable metrics about Image Information of scanned images
  # This information has image os information including os family, name/version, and if end of service life has been reached
  # be aware of metrics cardinality is significantly increased with this feature enabled.
  metricsImageInfo: false
  # -- MetricsClusterComplianceInfo the flag to enable metrics about Cluster Compliance
  # be aware of metrics cardinality is significantly increased with this feature enabled.
  metricsClusterComplianceInfo: false
  # -- serverAdditionalAnnotations the flag to set additional annotations for the trivy server pod
  serverAdditionalAnnotations: {}
  # -- webhookBroadcastURL the flag to set reports should be sent to a webhook endpoint. "" means that the webhookBroadcastURL feature is disabled.
  # Reports are posted to this endpoint; prefer an https URL when it is outside the cluster.
  webhookBroadcastURL: ""
  # -- webhookBroadcastTimeout the flag to set timeout for webhook requests if webhookBroadcastURL is enabled
  webhookBroadcastTimeout: 30s
  # -- webhookBroadcastCustomHeaders the flag to set webhook endpoint sent with custom defined headers if webhookBroadcastURL is enabled.
  # If a header carries an auth token, do not commit it here; deliver it through a Secret referenced by valuesFromSecret below.
  webhookBroadcastCustomHeaders: ""
  # -- webhookSendDeletedReports the flag to enable sending deleted reports if webhookBroadcastURL is enabled
  webhookSendDeletedReports: false
  # -- privateRegistryScanSecretsNames is map of namespace:secrets, secrets are comma separated which can be used to authenticate in private registries in case if there no imagePullSecrets provided example : {"mynamespace":"mySecrets,anotherSecret"}
  privateRegistryScanSecretsNames: {}
  # -- mergeRbacFindingWithConfigAudit the flag to enable merging rbac finding with config-audit report
  mergeRbacFindingWithConfigAudit: false
  # -- httpProxy is the HTTP proxy used by Trivy operator to download the default policies from GitHub.
  httpProxy: ~
  # -- httpsProxy is the HTTPS proxy used by Trivy operator to download the default policies from GitHub.
  httpsProxy: ~
  # -- noProxy is a comma separated list of IPs and domain names that are not subject to proxy settings.
  noProxy: ~
  # -- valuesFromConfigMap name of a ConfigMap to apply OPERATOR_* environment variables. Will override Helm values.
  valuesFromConfigMap: ""
  # -- valuesFromSecret name of a Secret to apply OPERATOR_* environment variables. Will override Helm AND ConfigMap values.
  valuesFromSecret: ""
image:
  # -- registry of the operator image; a non-empty global.image.registry takes precedence over this value
  registry: "mirror.gcr.io"
  # -- repository of the operator image
  repository: "aquasec/trivy-operator"
  # -- tag is an override of the image tag, which is by default set by the
  # appVersion field in Chart.yaml.
  tag: ""
  # -- pullPolicy set the operator pullPolicy
  pullPolicy: IfNotPresent
  # -- pullSecrets set the operator pullSecrets
  pullSecrets: []
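# -- service only exposes a metrics endpoint for prometheus to scrape,
# trivy-operator does not have a user interface.
service:
  # -- if true, the Service doesn't allocate any IP
  headless: true
  # -- port exposed by the Service
  metricsPort: 80
  # -- annotations added to the operator's service
  annotations: {}
  # -- appProtocol of the monitoring service
  metricsAppProtocol: TCP
  # -- the Service type
  type: ClusterIP
  # -- the nodePort to use when service type is LoadBalancer or NodePort. If not set, Kubernetes automatically selects one.
  # Explicit null (the file's convention for "unset") instead of a bare key, so the intent is not mistaken for an empty string.
  nodePort: ~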
# -- Prometheus ServiceMonitor configuration -- to install the trivy operator with the ServiceMonitor
# you must have Prometheus already installed and running. If you do not have Prometheus installed, enabling this will
# have no effect.
serviceMonitor:
  # -- enabled determines whether a serviceMonitor should be deployed
  enabled: false
  # -- The namespace where Prometheus expects to find service monitors
  namespace: ~
  # -- Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used.
  interval: ~
  # -- Additional annotations for the serviceMonitor
  annotations: {}
  # -- Additional labels for the serviceMonitor
  labels: {}
  # -- HonorLabels chooses the metric's labels on collisions with target labels
  honorLabels: true
  # -- EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc.
  endpointAdditionalProperties: {}
trivyOperator:
  # -- vulnerabilityReportsPlugin the name of the plugin that generates vulnerability reports `Trivy`
  vulnerabilityReportsPlugin: "Trivy"
  # -- configAuditReportsPlugin the name of the plugin that generates config audit reports.
  configAuditReportsPlugin: "Trivy"
  # -- scanJobCompressLogs control whether scanjob output should be compressed or plain
  scanJobCompressLogs: true
  # -- scanJobAffinity affinity to be applied to the scanner pods and node-collector
  scanJobAffinity: []
  # -- scanJobTolerations tolerations to be applied to the scanner pods so that they can run on nodes with matching taints
  scanJobTolerations: []
  # -- If you do want to specify tolerations, uncomment the following lines, adjust them as necessary, and remove the
  # square brackets after 'scanJobTolerations:'.
  #  - key: "key1"
  #    operator: "Equal"
  #    value: "value1"
  #    effect: "NoSchedule"
  # -- scanJobNodeSelector nodeSelector to be applied to the scanner pods so that they can run on nodes with matching labels
  scanJobNodeSelector: {}
  # -- If you do want to specify nodeSelector, uncomment the following lines, adjust them as necessary, and remove the
  # square brackets after 'scanJobNodeSelector:'.
  #  nodeType: worker
  #  cpu: sandylake
  #  teamOwner: operators
  # -- scanJobCustomVolumesMount add custom volumes mount to the scan job
  scanJobCustomVolumesMount: []
  #  - name: var-lib-etcd
  #    mountPath: /var/lib/etcd
  #    readOnly: true
  # -- scanJobCustomVolumes add custom volumes to the scan job.
  # A hostPath volume (as in the example) exposes part of the node's filesystem to every scan job; mount it readOnly and keep the path as narrow as possible.
  scanJobCustomVolumes: []
  #  - name: var-lib-etcd
  #    hostPath:
  #      path: /var/lib/etcd
  # -- useGCRServiceAccount the flag to enable the usage of GCR service account for scanning images in GCR
  useGCRServiceAccount: true
  # -- scanJobAutomountServiceAccountToken the flag to enable automount for service account token on scan job.
  # Leave false unless a scan job genuinely needs to call the Kubernetes API; with it off the scan pods receive no API token.
  scanJobAutomountServiceAccountToken: false
  # -- scanJobAnnotations comma-separated representation of the annotations which the user wants the scanner jobs and pods to be
  # annotated with. Example: `foo=bar,env=stage` will annotate the scanner jobs and pods with the annotations `foo: bar` and `env: stage`
  scanJobAnnotations: ""
  # -- scanJobPodTemplateLabels comma-separated representation of the labels which the user wants the scanner pods to be
  # labeled with. Example: `foo=bar,env=stage` will label the scanner pods with the labels `foo: bar` and `env: stage`
  scanJobPodTemplateLabels: ""
  # -- skipInitContainers when this flag is set to true, the initContainers will be skipped for the scanner and node collector pods
  skipInitContainers: false
  # -- scanJobPodTemplatePodSecurityContext podSecurityContext the user wants the scanner and node collector pods to be amended with.
  # Example:
  #   runAsUser: 10000
  #   runAsGroup: 10000
  #   runAsNonRoot: true
  scanJobPodTemplatePodSecurityContext: {}
  # -- scanJobPodTemplateContainerSecurityContext SecurityContext the user wants the scanner and node collector containers (and their
  # initContainers) to be amended with.
  scanJobPodTemplateContainerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    privileged: false
    readOnlyRootFilesystem: true
    # -- For filesystem scanning (trivy.command set to filesystem or rootfs), Trivy needs to run as the root user;
    # this is the one place the hardened defaults above have to be relaxed, so only uncomment it for those scan modes.
    # runAsUser: 0
  # -- scanJobPodPriorityClassName Priority class name to be set on the pods created by trivy operator jobs. This accepts a string value
  scanJobPodPriorityClassName: ""
  # -- reportResourceLabels comma-separated scanned resource labels which the user wants to include in the Prometheus
  # metrics report. Example: `owner,app`
  reportResourceLabels: ""
  # -- reportRecordFailedChecksOnly flag is to record only failed checks on misconfiguration reports (config-audit and rbac assessment)
  reportRecordFailedChecksOnly: true
  # -- skipResourceByLabels comma-separated labels keys which trivy-operator will skip scanning on resources with matching labels
  skipResourceByLabels: ""
  # -- metricsResourceLabelsPrefix Prefix that will be prepended to the labels names indicated in `reportResourceLabels`
  # when including them in the Prometheus metrics
  metricsResourceLabelsPrefix: "k8s_label_"
  # -- additionalReportLabels comma-separated representation of the labels which the user wants the reports to be
  # labeled with. Example: `foo=bar,env=stage` will label the reports with the labels `foo: bar` and `env: stage`
  additionalReportLabels: ""
  # -- policiesConfig Custom Rego Policies to be used by the config audit scanner
  # See https://github.com/aquasecurity/trivy-operator/blob/main/docs/tutorials/writing-custom-configuration-audit-policies.md for more details.
  policiesConfig: ""
  # -- excludeImages is comma separated glob patterns for excluding images from scanning.
  # Example: pattern: `k8s.gcr.io/*/*` will exclude image: `k8s.gcr.io/coredns/coredns:v1.8.0`.
  excludeImages: ""
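trivy:
  # -- createConfig indicates whether to create config objects
  createConfig: true
  image:
    # -- registry of the Trivy image
    registry: mirror.gcr.io
    # -- repository of the Trivy image
    repository: aquasec/trivy
    # -- tag version of the Trivy image
    tag: 0.58.0
    # -- imagePullSecret is the secret name to be used when pulling trivy image from private registries example : reg-secret
    # It is the user responsibility to create the secret for the private registry in `trivy-operator` namespace
    imagePullSecret: ~
    # -- pullPolicy is the image pull policy used for trivy image, valid values are (Always, Never, IfNotPresent)
    pullPolicy: IfNotPresent
  # -- mode is the Trivy client mode. Either Standalone or ClientServer. Depending
  # on the active mode other settings might be applicable or required.
  mode: Standalone
  # -- sbomSources trivy will try to retrieve SBOM from the specified sources (oci,rekor)
  sbomSources: ""
  # -- includeDevDeps include development dependencies in the report (supported: npm, yarn) (default: false)
  # note: this flag is only applicable when trivy.command is set to filesystem
  includeDevDeps: false
  # -- whether to use a storage class for trivy server or emptydir (one may want to use ephemeral storage)
  storageClassEnabled: true
  # -- storageClassName is the name of the storage class to be used for trivy server PVC. If empty, tries to find default storage class
  storageClassName: ""
  # -- storageSize is the size of the trivy server PVC
  storageSize: "5Gi"
  # -- labels is the extra labels to be used for trivy server statefulset
  labels: {}
  # -- podLabels is the extra pod labels to be used for trivy server
  podLabels: {}
  # -- priorityClassName is the name of the priority class used for trivy server
  priorityClassName: ""
  # -- additionalVulnerabilityReportFields is a comma separated list of additional fields which
  # can be added to the VulnerabilityReport. Supported parameters: Description, Links, CVSS, Target, Class, PackagePath and PackageType
  additionalVulnerabilityReportFields: ""
  # -- httpProxy is the HTTP proxy used by Trivy to download the vulnerabilities database from GitHub.
  httpProxy: ~
  # -- httpsProxy is the HTTPS proxy used by Trivy to download the vulnerabilities database from GitHub.
  httpsProxy: ~
  # -- noProxy is a comma separated list of IPs and domain names that are not subject to proxy settings.
  noProxy: ~
  # -- Registries without SSL. There can be multiple registries with different keys.
  # Pulls from these registries are unencrypted; list only registries reachable purely over a trusted network.
  nonSslRegistries: {}
  #  pocRegistry: poc.myregistry.harbor.com.pl
  #  qaRegistry: qa.registry.aquasec.com
  #  internalRegistry: registry.registry.svc:5000
  # -- sslCertDir can be used to override the system default locations for SSL certificate files directory, example: /ssl/certs
  # Prefer this (shipping the private CA) over insecureRegistries when a registry uses an internal or self-signed certificate.
  sslCertDir: ~
  # -- The registry to which insecure connections are allowed. There can be multiple registries with different keys.
  # This maps to Trivy's insecure mode, which skips TLS verification for those hosts; keep the list empty where possible.
  insecureRegistries: {}
  #  pocRegistry: poc.myregistry.harbor.com.pl
  #  qaRegistry: qa.registry.aquasec.com
  #  internalRegistry: registry.registry.svc:5000
  # -- Mirrored registries. There can be multiple registries with different keys.
  # Make sure to quote registries containing dots
  registry:
    mirror: {}
    #  "docker.io": docker-mirror.example.com
  # -- severity is a comma separated list of severity levels reported by Trivy.
  severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
  # -- slow this flag is to use less CPU/memory for scanning though it takes more time than normal scanning. It fits small-footprint
  slow: true
  # -- ignoreUnfixed is the flag to show only fixed vulnerabilities in
  # vulnerabilities reported by Trivy. Set to true to enable it.
  #
  ignoreUnfixed: false
  # -- a comma separated list of file paths for Trivy to skip
  # Explicit null (the file's convention for "unset") rather than a bare key.
  skipFiles: ~
  # -- a comma separated list of directories for Trivy to skip
  skipDirs: ~
  # -- offlineScan is the flag to enable the offline scan functionality in Trivy
  # This will prevent outgoing HTTP requests, e.g. to search.maven.org
  offlineScan: false
  # -- timeout is the duration to wait for scan completion.
  timeout: "5m0s"
  # -- ignoreFile can be used to tell Trivy to ignore vulnerabilities by ID (one per line)
  ignoreFile: ~
  # ignoreFile:
  #   - CVE-1970-0001
  #   - CVE-1970-0002
  # -- ignorePolicy can be used to tell Trivy to ignore vulnerabilities by a policy
  # If multiple policies would match, then the most specific one has precedence over the others.
  # See https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/#by-open-policy-agent for more details.
  # See https://github.com/aquasecurity/trivy/blob/v0.19.2/contrib/example_policy/basic.rego for more details on ignorePolicy filtering.
  #
  # ignorePolicy.application.my-app-.: |
  #   package trivy
  #   import data.lib.trivy
  #   default ignore = true
  #   applies to all workloads in namespace "application" with the name pattern "my-app-*"
  # ignorePolicy.kube-system: |
  #   package trivy
  #   import data.lib.trivy
  #   default ignore = true
  #   applies to all workloads in namespace "kube-system"
  # ignorePolicy: |
  #   package trivy
  #   import data.lib.trivy
  #   default ignore = true
  #   applies to all other workloads
  # -- vulnType can be used to tell Trivy to filter vulnerabilities by a pkg-type (library, os)
  vulnType: ~
  # -- resources resource requests and limits for scan job containers
  resources:
    requests:
      cpu: 100m
      memory: 100M
      # ephemeralStorage: "2Gi"
    limits:
      cpu: 500m
      memory: 500M
      # ephemeralStorage: "2Gi"
  # -- githubToken is the GitHub access token used by Trivy to download the vulnerabilities
  # database from GitHub. Only applicable in Standalone mode.
  # A token placed here lives in whatever values file you commit; prefer the existingSecret mechanism documented below so it never enters version control.
  githubToken: ~
  # -- serverURL is the endpoint URL of the Trivy server. Required in ClientServer mode.
  #
  # serverURL: "https://trivy.trivy:4975"
  # -- clientServerSkipUpdate is the flag to enable skip databases update for Trivy client.
  # Only applicable in ClientServer mode.
  clientServerSkipUpdate: false
  # -- skipJavaDBUpdate is the flag to enable skip Java index databases update for Trivy client.
  skipJavaDBUpdate: false
  # -- serverInsecure is the flag to enable insecure connection to the Trivy server.
  # Skips TLS verification of the server; keep false so serverToken is not presented to an unverified endpoint.
  serverInsecure: false
  # -- serverToken is the token to authenticate Trivy client with Trivy server. Only
  # applicable in ClientServer mode.
  serverToken: ~
  # -- existingSecret if a secret containing githubToken, serverToken or serverCustomHeaders has been created outside the chart (e.g external-secrets, sops, etc...).
  # Keys must be at least one of the following: trivy.githubToken, trivy.serverToken, trivy.serverCustomHeaders
  # Overrides trivy.githubToken, trivy.serverToken, trivy.serverCustomHeaders values.
  # Note: The secret has to be named "trivy-operator-trivy-config".
  # existingSecret: true
  # -- serverTokenHeader is the name of the HTTP header used to send the authentication
  # token to Trivy server. Only applicable in ClientServer mode when
  # trivy.serverToken is specified.
  serverTokenHeader: "Trivy-Token"
  # -- serverCustomHeaders is a comma separated list of custom HTTP headers sent by
  # Trivy client to Trivy server. Only applicable in ClientServer mode.
  serverCustomHeaders: ~
  # serverCustomHeaders: "foo=bar"
  # -- dbRegistry is the registry the vulnerability database is pulled from
  dbRegistry: "mirror.gcr.io"
  # -- dbRepository is the repository of the vulnerability database
  dbRepository: "aquasec/trivy-db"
  # -- The username for dbRepository authentication
  #
  dbRepositoryUsername: ~
  # -- The password for dbRepository authentication
  # As with githubToken, prefer delivering this through a Secret rather than a committed values file.
  dbRepositoryPassword: ~
  # -- javaDbRegistry is the registry for the Java vulnerability database.
  javaDbRegistry: "mirror.gcr.io"
  # -- javaDbRepository is the repository of the Java vulnerability database.
  javaDbRepository: "aquasec/trivy-java-db"
  # -- The Flag to enable insecure connection for downloading trivy-db via proxy (air-gapped env)
  #
  dbRepositoryInsecure: "false"
  # -- The Flag to enable the usage of builtin rego policies by default, these policies are downloaded by default from mirror.gcr.io/aquasec/trivy-checks
  #
  useBuiltinRegoPolicies: "false"
  # -- The Flag to enable the usage of external rego policies config-map, this should be used when the user wants to use their own rego policies
  #
  externalRegoPoliciesEnabled: false
  # -- To enable the usage of embedded rego policies, set the flag useEmbeddedRegoPolicies. This should serve as a fallback for air-gapped environments.
  # When useEmbeddedRegoPolicies is set to true, useBuiltinRegoPolicies should be set to false.
  useEmbeddedRegoPolicies: "true"
  # -- The Flag is the list of supported kinds separated by comma delimiter to be scanned by the config audit scanner
  #
  supportedConfigAuditKinds: "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"
  # -- command. One of `image`, `filesystem` or `rootfs` scanning, depending on the target type required for the scan.
  # For 'filesystem' and `rootfs` scanning, ensure that the `trivyOperator.scanJobPodTemplateContainerSecurityContext` is configured
  # to run as the root user (runAsUser = 0).
  command: image
  # -- imageScanCacheDir the flag to set custom path for trivy image scan `cache-dir` parameter.
  # Only applicable in image scan mode.
  imageScanCacheDir: "/tmp/trivy/.cache"
  # -- filesystemScanCacheDir the flag to set custom path for trivy filesystem scan `cache-dir` parameter.
  # Only applicable in filesystem scan mode.
  filesystemScanCacheDir: "/var/trivyoperator/trivy-db"
  # -- serverUser this param is the server user to be used to download db from private registry
  serverUser: ""
  # -- serverPassword this param is the server password to be used to download db from private registry
  serverPassword: ""
  # -- serverServiceName this param is the server service name to be used in cluster
  serverServiceName: "trivy-service"
  # -- debug One of `true` or `false`. Enables debug mode.
  debug: false
  server:
    # -- resources set trivy-server resource
    resources:
      requests:
        cpu: 200m
        memory: 512Mi
        # ephemeral-storage: "2Gi"
      limits:
        cpu: 1
        memory: 1Gi
        # ephemeral-storage: "2Gi"
    # -- podSecurityContext set trivy-server podSecurityContext
    podSecurityContext:
      runAsUser: 65534
      runAsNonRoot: true
      fsGroup: 65534
    # -- securityContext set trivy-server securityContext
    # NOTE(review): unlike the scan-job and operator containers, this does not set allowPrivilegeEscalation: false or drop all
    # capabilities; consider aligning it so the server also satisfies the restricted Pod Security Standard.
    securityContext:
      privileged: false
      readOnlyRootFilesystem: true
    # -- the number of replicas of the trivy-server
    replicas: 1
  # -- valuesFromConfigMap name of a ConfigMap to apply TRIVY_* environment variables. Will override Helm values.
  valuesFromConfigMap: ""
  # -- valuesFromSecret name of a Secret to apply TRIVY_* environment variables. Will override Helm AND ConfigMap values.
  valuesFromSecret: ""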
compliance:
  # -- failEntriesLimit the flag to limit the number of fail entries per control check in the cluster compliance detail report
  # this limit is for preventing the report from being too large per control checks
  failEntriesLimit: 10
  # -- reportType this flag controls the type of report generated (summary or all)
  reportType: summary
  # -- cron this flag controls the cron interval for compliance report generation.
  # Kept as a plain scalar because the expression starts with a digit; quote it if it is ever changed to start with "*",
  # which YAML would otherwise read as an alias.
  cron: 0 */6 * * *
  # -- specs is a list of compliance specs to be used by the cluster compliance scanner
  #  - k8s-cis-1.23
  #  - k8s-nsa-1.0
  #  - k8s-pss-baseline-0.1
  #  - k8s-pss-restricted-0.1
  #  - eks-cis-1.4
  #  - rke2-cis-1.24
  specs:
    - k8s-cis-1.23
    - k8s-nsa-1.0
    - k8s-pss-baseline-0.1
    - k8s-pss-restricted-0.1
rbac:
  # -- create specifies whether the chart's RBAC resources should be created
  create: true
serviceAccount:
  # -- Specifies whether a service account should be created.
  create: true
  # -- annotations added to the operator's service account
  annotations: {}
  # -- name specifies the name of the k8s Service Account. If not set and create is
  # true, a name is generated using the fullname template.
  name: ""
# -- podAnnotations annotations added to the operator's pod
podAnnotations: {}
# -- podSecurityContext set the operator pod securityContext
podSecurityContext: {}
  # fsGroup: 2000
# -- securityContext security context of the operator container
# NOTE(review): neither this nor podSecurityContext sets runAsNonRoot; the restricted Pod Security Standard requires it,
# so confirm the operator image runs as a non-root user and consider adding it.
securityContext:
  privileged: false
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop:
      - ALL
volumeMounts:
  # do not remove, required for policies bundle (writable cache because the root filesystem is read-only)
  - mountPath: /tmp
    name: cache-policies
    readOnly: false
volumes:
  # do not remove, required for policies bundle
  - name: cache-policies
    emptyDir: {}
resources: {}
  # -- We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi
# -- nodeSelector set the operator nodeSelector
nodeSelector: {}
# -- tolerations set the operator tolerations
tolerations: []
# -- affinity set the operator affinity
affinity: {}
# -- priorityClassName set the operator priorityClassName
priorityClassName: ""
# -- automountServiceAccountToken the flag to enable automount for service account token
automountServiceAccountToken: true
policiesBundle:
  # -- registry of the policies bundle
  registry: mirror.gcr.io
  # -- repository of the policies bundle
  repository: aquasec/trivy-checks
  # -- tag version of the policies bundle
  tag: 1
  # -- registryUser is the user for the registry
  registryUser: ~
  # -- registryPassword is the password for the registry.
  # Prefer existingSecret below so the password is not committed together with the values file.
  registryPassword: ~
  # -- existingSecret if a secret containing registry credentials that have been created outside the chart (e.g external-secrets, sops, etc...).
  # Keys must be at least one of the following: policies.bundle.oci.user, policies.bundle.oci.password
  # Overrides policiesBundle.registryUser, policiesBundle.registryPassword values.
  # Note: The secret has to be named "trivy-operator".
  existingSecret: false
  # -- insecure is the flag to enable insecure connection to the policy bundle registry.
  # The bundle is policy code the config audit scanner evaluates, so leave this false and fix the registry certificate
  # rather than skipping verification.
  insecure: false
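nodeCollector:
  # -- useNodeSelector determine if to use nodeSelector (by auto detecting node name) with node-collector scan job
  useNodeSelector: true
  # -- registry of the node-collector image
  registry: ghcr.io
  # -- repository of the node-collector image
  repository: aquasecurity/node-collector
  # -- tag version of the node-collector image
  tag: 0.3.1
  # -- imagePullSecret is the secret name to be used when pulling node-collector image from private registries example : reg-secret
  # It is the user responsibility to create the secret for the private registry in `trivy-operator` namespace
  imagePullSecret: ~
  # -- excludeNodes comma-separated node labels that the node-collector job should exclude from scanning (example kubernetes.io/arch=arm64,team=dev)
  # Explicit null (the file's convention for "unset") rather than a bare key.
  excludeNodes: ~
  # -- tolerations to be applied to the node-collector so that they can run on nodes with matching taints
  tolerations: []
  # -- If you do want to specify tolerations, uncomment the following lines, adjust them as necessary, and remove the
  # square brackets after 'tolerations:'.
  #  - key: "key1"
  #    operator: "Equal"
  #    value: "value1"
  #    effect: "NoSchedule"
  # -- node-collector pod volume mounts definition for collecting config files information.
  # Every entry must have a matching name in `volumes` below. The mounts are read-only on purpose: the collector only needs to
  # read node and control-plane configuration, and some of these directories (e.g. /etc/kubernetes) can hold credentials.
  volumeMounts:
    - name: var-lib-etcd
      mountPath: /var/lib/etcd
      readOnly: true
    - name: var-lib-kubelet
      mountPath: /var/lib/kubelet
      readOnly: true
    - name: var-lib-kube-scheduler
      mountPath: /var/lib/kube-scheduler
      readOnly: true
    - name: var-lib-kube-controller-manager
      mountPath: /var/lib/kube-controller-manager
      readOnly: true
    - name: etc-systemd
      mountPath: /etc/systemd
      readOnly: true
    - name: lib-systemd
      mountPath: /lib/systemd/
      readOnly: true
    - name: etc-kubernetes
      mountPath: /etc/kubernetes
      readOnly: true
    - name: etc-cni-netd
      mountPath: /etc/cni/net.d/
      readOnly: true
  # -- node-collector pod volumes definition for collecting config files information.
  # These are hostPath volumes, so the collector's namespace must permit hostPath under any Pod Security admission policy in place.
  volumes:
    - name: var-lib-etcd
      hostPath:
        path: /var/lib/etcd
    - name: var-lib-kubelet
      hostPath:
        path: /var/lib/kubelet
    - name: var-lib-kube-scheduler
      hostPath:
        path: /var/lib/kube-scheduler
    - name: var-lib-kube-controller-manager
      hostPath:
        path: /var/lib/kube-controller-manager
    - name: etc-systemd
      hostPath:
        path: /etc/systemd
    - name: lib-systemd
      hostPath:
        path: /lib/systemd
    - name: etc-kubernetes
      hostPath:
        path: /etc/kubernetes
    - name: etc-cni-netd
      hostPath:
        path: /etc/cni/net.d/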