auto-discovery/cloud-aws/values.yaml from secureCodeBox/secureCodeBox

auto-discovery/cloud-aws/values.yaml
Summary

Maintainability

Test Coverage

Issues
# SPDX-FileCopyrightText: the secureCodeBox authors
#
# SPDX-License-Identifier: Apache-2.0

# -- Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/)
imagePullSecrets: []

image:
  repository: securecodebox/auto-discovery-cloud-aws
  tag: null
  # -- Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
  pullPolicy: IfNotPresent

config:
  # -- settings to connect to AWS and receive the updates
  aws:
    # -- url of the SQS queue which receives the state changes. Can be overridden by setting the SQS_QUEUE_URL environment variable.
    queueUrl: ""
    # -- aws region to connect to. Can be overridden by setting the AWS_REGION environment variable.
    region: ""
  # -- settings to configure how scans get created in kubernetes
  kubernetes:
    scanConfigs:
      - scanType: trivy-image
        # -- unique name to distinguish scans
        name: "trivy"
        # -- parameters used for the scans created by the containerAutoDiscovery, all parameters support templating
        parameters:
          - "{{ .ImageID }}"
        # -- interval in which scans are automatically repeated. If the target is updated (meaning a new image revision is deployed) the scan will repeated beforehand and the interval is reset.
        repeatInterval: "168h"
        # -- labels to be added to the scans started by the auto-discovery, all label values support templating
        labels: {}
        # -- annotations to be added to the scans started by the auto-discovery, all annotation values support templating
        annotations: {}
        # -- hookSelector allows to specify a LabelSelector with which the hooks are selected, see: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
        # Both matchLabels and matchExpressions are supported.
        # All values in the matchLabels map support templating.
        # MatchExpressions support templating in the `key` field and in every entry in the `values` list. If a value in the list renders to an empty string it is removed from the list.
        hookSelector: {}
      - scanType: trivy-sbom-image
        # -- unique name to distinguish scans
        name: "trivy-sbom"
        # -- parameters used for the scans created by the containerAutoDiscovery, all parameters support templating
        parameters:
          - "{{ .ImageID }}"
        # -- interval in which scans are automatically repeated. If the target is updated (meaning a new image revision is deployed) the scan will repeated beforehand and the interval is reset.
        repeatInterval: "168h"
        # -- labels to be added to the scans started by the auto-discovery, all label values support templating
        labels: {}
        # -- annotations to be added to the scans started by the auto-discovery, all annotation values support templating
        annotations:
          dependencytrack.securecodebox.io/project-name: "{{ .Image.ShortName }}"
          dependencytrack.securecodebox.io/project-version: "{{ .Image.Version }}"
        # -- hookSelector allows to specify a LabelSelector with which the hooks are selected, see: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
        # Both matchLabels and matchExpressions are supported.
        # All values in the matchLabels map support templating.
        # MatchExpressions support templating in the `key` field and in every entry in the `values` list. If a value in the list renders to an empty string it is removed from the list.
        hookSelector: {}

# -- Authentication information for AWS, use this to configure the secret which contains the access key. Creating this secret is optional, when running on AWS itself the auto discovery will automatically use the IAM role to authenticate.
awsAuthentication:
  # -- name of the kubernetes secret that contains the access key
  userSecret: aws-credentials
  # -- Name of the key that contains the AWS_ACCESS_KEY_ID
  accessKeyIdKey: aws-access-key-id
  # -- Name of the key that contains the AWS_SECRET_ACCESS_KEY
  secretAccessKeyKey: aws-secret-access-key
  # -- Name of the key that contains the AWS_SESSION_TOKEN
  sessionTokenKey: aws-session-token

# -- Sets the securityContext on the operators container level. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
securityContext:
  # securityContext.runAsNonRoot -- Enforces that the Operator image is run as a non root user
  runAsNonRoot: true
  # securityContext.readOnlyRootFilesystem -- Prevents write access to the containers file system
  readOnlyRootFilesystem: true
  # securityContext.allowPrivilegeEscalation -- Ensure that users privileges cannot be escalated
  allowPrivilegeEscalation: false
  # securityContext.privileged -- Ensures that the operator container is not run in privileged mode
  privileged: false
  capabilities:
    drop:
      # securityContext.capabilities.drop[0] -- This drops all linux privileges from the operator container. They are not required
      - all

# -- Sets the securityContext on the operators pod level. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
podSecurityContext: {}

# resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/)
resources:
  limits:
    cpu: 100m
    memory: 100Mi
  requests:
    cpu: 100m
    memory: 20Mi