chore: Use mirror.gcr.io instead ghcr.io as helm chart default (#…
…2331)

* chore: Use mirror.gcr.io instead ghcr.io as helm chart default

* update docs

* update goreleaser

* chore: fix a registry name

* chore: add space for rerun workflow

* chore: add another space

* ci: change a github running type

* revert: keep target for private registry test

---------

Co-authored-by: afdesk <[email protected]>
simar7 and afdesk authored Nov 26, 2024
1 parent 720a4e3 commit 72ac532
Showing 22 changed files with 149 additions and 148 deletions.
6 changes: 3 additions & 3 deletions .github/workflows/build.yaml
Expand Up @@ -188,10 +188,10 @@ jobs:
kubectl describe node
- name: Load operator image to cluster
run: >
docker tag ghcr.io/aquasecurity/trivy-operator:${{ github.sha }}-amd64
ghcr.io/aquasecurity/trivy-operator:e2e
docker tag mirror.gcr.io/aquasec/trivy-operator:${{ github.sha }}-amd64
mirror.gcr.io/aquasec/trivy-operator:e2e
docker save -o trivy-operator.tar ghcr.io/aquasecurity/trivy-operator:e2e
docker save -o trivy-operator.tar mirror.gcr.io/aquasec/trivy-operator:e2e
kind load image-archive trivy-operator.tar
- name: Init E2E tests (Install kuttl & helm)
11 changes: 6 additions & 5 deletions .github/workflows/chart-testing.yaml
Expand Up @@ -42,8 +42,9 @@ jobs:
- name: Release snapshot
uses: goreleaser/goreleaser-action@v6
with:
version: v1.7.0
args: release -f=goreleaser-e2e.yaml --snapshot --skip-publish --rm-dist
version: v2.4.8
args: release -f=goreleaser-e2e.yaml --snapshot --skip=publish --clean

- name: Install kind and create cluster
run: |
curl -Lo ./kind https://kind.sigs.k8s.io/dl/${{ env.KIND_VERSION }}/kind-linux-amd64
Expand All @@ -69,10 +70,10 @@ jobs:
cmd: yq -i '.appVersion = "ct"' ./deploy/helm/Chart.yaml
- name: Load operator image to cluster
run: >
docker tag ghcr.io/aquasecurity/trivy-operator:${{ github.sha }}-amd64
ghcr.io/aquasecurity/trivy-operator:ct
docker tag mirror.gcr.io/aquasec/trivy-operator:${{ github.sha }}-amd64
mirror.gcr.io/aquasec/trivy-operator:ct
docker save -o trivy-operator.tar ghcr.io/aquasecurity/trivy-operator:ct
docker save -o trivy-operator.tar mirror.gcr.io/aquasec/trivy-operator:ct
kind load image-archive trivy-operator.tar
- name: Set up python
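Review bot: The `Install kind and create cluster` step fetches the kind binary with `curl -Lo ./kind https://kind.sigs.k8s.io/dl/${{ env.KIND_VERSION }}/kind-linux-amd64`, and no integrity check is visible before the file is used. The run block continues outside the hunk, so a check may exist further down. If it does not, verify the download against a pinned digest before running it, for example `echo "<expected-sha256>  ./kind" | sha256sum -c -`, with the digest kept next to `KIND_VERSION` so both are bumped together. The same job then loads a freshly built operator image into that cluster, so the kind binary is part of the trust chain for these chart tests.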
6 changes: 3 additions & 3 deletions .github/workflows/private-registries.yaml
Expand Up @@ -83,10 +83,10 @@ jobs:
-n private
- name: Load operator image to cluster
run: >
docker tag ghcr.io/aquasecurity/trivy-operator:${{ github.sha }}-amd64
ghcr.io/aquasecurity/trivy-operator:e2e
docker tag mirror.gcr.io/aquasec/trivy-operator:${{ github.sha }}-amd64
mirror.gcr.io/aquasec/trivy-operator:e2e
docker save -o trivy-operator.tar ghcr.io/aquasecurity/trivy-operator:e2e
docker save -o trivy-operator.tar mirror.gcr.io/aquasec/trivy-operator:e2e
kind load image-archive trivy-operator.tar
- name: Init E2E tests (Install kuttl & helm)
2 changes: 1 addition & 1 deletion .github/workflows/release-snapshot.yaml
Expand Up @@ -48,7 +48,7 @@ jobs:
- name: Scan Trivy Operator image for vulnerabilities
uses: aquasecurity/trivy-action@master
with:
image-ref: 'ghcr.io/aquasecurity/trivy-operator:${{ github.sha }}-amd64'
image-ref: 'mirror.gcr.io/aquasec/trivy-operator:${{ github.sha }}-amd64'
exit-code: '1'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
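Review bot: The vulnerability gate is pulled in as `aquasecurity/trivy-action@master`, a branch ref, so the code that decides whether this snapshot passes the CRITICAL/HIGH check can change without any commit in this repository. Pinning to a full commit SHA, `uses: aquasecurity/trivy-action@<full-commit-sha>  # <release tag>`, keeps the gate reproducible and lets updates arrive as reviewable diffs. Separately, the new `image-ref` only scans the local build if the snapshot config (not shown here) tags the image with the same `mirror.gcr.io/aquasec/...` name. Presumably a mismatch would make the step try to resolve the tag from the registry instead, so it is worth confirming the two names stay in sync.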
40 changes: 20 additions & 20 deletions .goreleaser.yaml
Expand Up @@ -70,7 +70,7 @@ dockers:
- image_templates:
- "docker.io/aquasec/trivy-operator:{{ .Version }}-amd64"
- "public.ecr.aws/aquasecurity/trivy-operator:{{ .Version }}-amd64"
- "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-amd64"
# - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-amd64"
use: buildx
goos: linux
dockerfile: build/trivy-operator/Dockerfile
Expand All @@ -90,7 +90,7 @@ dockers:
- image_templates:
- "docker.io/aquasec/trivy-operator:{{ .Version }}-ubi8-amd64"
- "public.ecr.aws/aquasecurity/trivy-operator:{{ .Version }}-ubi8-amd64"
- "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8-amd64"
# - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8-amd64"
use: buildx
goos: linux
dockerfile: build/trivy-operator/Dockerfile.ubi8
Expand All @@ -110,7 +110,7 @@ dockers:
- image_templates:
- "docker.io/aquasec/trivy-operator:{{ .Version }}-arm64"
- "public.ecr.aws/aquasecurity/trivy-operator:{{ .Version }}-arm64"
- "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-arm64"
# - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-arm64"
use: buildx
goos: linux
dockerfile: build/trivy-operator/Dockerfile
Expand All @@ -130,7 +130,7 @@ dockers:
- image_templates:
- "docker.io/aquasec/trivy-operator:{{ .Version }}-ubi8-arm64"
- "public.ecr.aws/aquasecurity/trivy-operator:{{ .Version }}-ubi8-arm64"
- "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8-arm64"
# - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8-arm64"
use: buildx
goos: linux
dockerfile: build/trivy-operator/Dockerfile.ubi8
Expand All @@ -150,7 +150,7 @@ dockers:
- image_templates:
- "docker.io/aquasec/trivy-operator:{{ .Version }}-s390x"
- "public.ecr.aws/aquasecurity/trivy-operator:{{ .Version }}-s390x"
- "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-s390x"
# - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-s390x"
use: buildx
goos: linux
dockerfile: build/trivy-operator/Dockerfile
Expand All @@ -170,7 +170,7 @@ dockers:
- image_templates:
- "docker.io/aquasec/trivy-operator:{{ .Version }}-ppc64le"
- "public.ecr.aws/aquasecurity/trivy-operator:{{ .Version }}-ppc64le"
- "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ppc64le"
# - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ppc64le"
use: buildx
goos: linux
dockerfile: build/trivy-operator/Dockerfile
Expand All @@ -190,7 +190,7 @@ dockers:
- image_templates:
- "docker.io/aquasec/trivy-operator:{{ .Version }}-ubi8-s390x"
- "public.ecr.aws/aquasecurity/trivy-operator:{{ .Version }}-ubi8-s390x"
- "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8-s390x"
# - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8-s390x"
use: buildx
goos: linux
dockerfile: build/trivy-operator/Dockerfile.ubi8
Expand All @@ -210,7 +210,7 @@ dockers:
- image_templates:
- "docker.io/aquasec/trivy-operator:{{ .Version }}-ubi8-ppc64le"
- "public.ecr.aws/aquasecurity/trivy-operator:{{ .Version }}-ubi8-ppc64le"
- "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8-ppc64le"
# - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8-ppc64le"
use: buildx
goos: linux
dockerfile: build/trivy-operator/Dockerfile.ubi8
Expand Down Expand Up @@ -252,18 +252,18 @@ docker_manifests:
- "public.ecr.aws/aquasecurity/trivy-operator:{{ .Version }}-ubi8-arm64"
- "public.ecr.aws/aquasecurity/trivy-operator:{{ .Version }}-ubi8-s390x"
- "public.ecr.aws/aquasecurity/trivy-operator:{{ .Version }}-ubi8-ppc64le"
- name_template: "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}"
image_templates:
- "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-amd64"
- "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-arm64"
- "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-s390x"
- "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ppc64le"
- name_template: "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8"
image_templates:
- "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8-amd64"
- "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8-arm64"
- "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8-s390x"
- "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8-ppc64le"
# - name_template: "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}"
# image_templates:
# - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-amd64"
# - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-arm64"
# - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-s390x"
# - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ppc64le"
# - name_template: "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8"
# image_templates:
# - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8-amd64"
# - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8-arm64"
# - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8-s390x"
# - "ghcr.io/aquasecurity/trivy-operator:{{ .Version }}-ubi8-ppc64le"

signs:
- cmd: cosign
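Review bot: The `ghcr.io/aquasecurity/trivy-operator` entries under `dockers` and `docker_manifests` are commented out rather than deleted, and nothing in the file says why or whether they are expected to return. As written, releases appear to stop publishing to ghcr.io while `docker.io` and `public.ecr.aws` continue. Deployments, registry allow-lists and signature-verification policies still keyed on the ghcr.io name would then stay on the last version published there without any error. Either remove the entries or put one explanatory line above the first of them, e.g. `# ghcr.io publishing disabled; chart defaults now pull docker.io/aquasec images via mirror.gcr.io`, and call the change out in the release notes. Whether the `signs:` section and any image-signing config still cover every published name lies outside these hunks and should be confirmed.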
6 changes: 3 additions & 3 deletions CONTRIBUTING.md
Expand Up @@ -88,9 +88,9 @@ have to

## Build Binaries

| Binary | Image | Description |
|----------------------|------------------------------------------------|---------------------------------------------------------------|
| `trivy-operator` | `ghcr.io/aquasecurity/trivy-operator:dev` | Trivy Operator |
| Binary | Image | Description |
|------------------|-------------------------------------------|----------------|
| `trivy-operator` | `mirror.gcr.io/aquasec/trivy-operator:dev` | Trivy Operator |

To build all Trivy-operator binary, run:

10 changes: 5 additions & 5 deletions deploy/helm/README.md
Expand Up @@ -23,8 +23,8 @@ Keeps security report resources updated
| global | object | `{"image":{"registry":""}}` | global values provide a centralized configuration for 'image.registry', reducing the potential for errors. If left blank, the chart will default to the individually set 'image.registry' values |
| image.pullPolicy | string | `"IfNotPresent"` | pullPolicy set the operator pullPolicy |
| image.pullSecrets | list | `[]` | pullSecrets set the operator pullSecrets |
| image.registry | string | `"ghcr.io"` | |
| image.repository | string | `"aquasecurity/trivy-operator"` | |
| image.registry | string | `"mirror.gcr.io"` | |
| image.repository | string | `"aquasec/trivy-operator"` | |
| image.tag | string | `""` | tag is an override of the image tag, which is by default set by the appVersion field in Chart.yaml. |
| managedBy | string | `"Helm"` | managedBy is similar to .Release.Service but allows to overwrite the value |
| nameOverride | string | `""` | nameOverride override operator name |
Expand Down Expand Up @@ -143,8 +143,8 @@ Keeps security report resources updated
| trivy.ignoreUnfixed | bool | `false` | ignoreUnfixed is the flag to show only fixed vulnerabilities in vulnerabilities reported by Trivy. Set to true to enable it. |
| trivy.image.imagePullSecret | string | `nil` | imagePullSecret is the secret name to be used when pulling trivy image from private registries example : reg-secret It is the user responsibility to create the secret for the private registry in `trivy-operator` namespace |
| trivy.image.pullPolicy | string | `"IfNotPresent"` | pullPolicy is the imge pull policy used for trivy image , valid values are (Always, Never, IfNotPresent) |
| trivy.image.registry | string | `"ghcr.io"` | registry of the Trivy image |
| trivy.image.repository | string | `"aquasecurity/trivy"` | repository of the Trivy image |
| trivy.image.registry | string | `"mirror.gcr.io"` | registry of the Trivy image |
| trivy.image.repository | string | `"aquasec/trivy"` | repository of the Trivy image |
| trivy.image.tag | string | `"0.57.1"` | tag version of the Trivy image |
| trivy.imageScanCacheDir | string | `"/tmp/trivy/.cache"` | imageScanCacheDir the flag to set custom path for trivy image scan `cache-dir` parameter. Only applicable in image scan mode. |
| trivy.includeDevDeps | bool | `false` | includeDevDeps include development dependencies in the report (supported: npm, yarn) (default: false) note: this flag is only applicable when trivy.command is set to filesystem |
Expand Down Expand Up @@ -183,7 +183,7 @@ Keeps security report resources updated
| trivy.storageSize | string | `"5Gi"` | storageSize is the size of the trivy server PVC |
| trivy.supportedConfigAuditKinds | string | `"Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"` | The Flag is the list of supported kinds separated by comma delimiter to be scanned by the config audit scanner |
| trivy.timeout | string | `"5m0s"` | timeout is the duration to wait for scan completion. |
| trivy.useBuiltinRegoPolicies | string | `"false"` | The Flag to enable the usage of builtin rego policies by default, these policies are downloaded by default from ghcr.io/aquasecurity/trivy-checks |
| trivy.useBuiltinRegoPolicies | string | `"false"` | The Flag to enable the usage of builtin rego policies by default, these policies are downloaded by default from mirror.gcr.io/aquasec/trivy-checks |
| trivy.useEmbeddedRegoPolicies | string | `"true"` | To enable the usage of embedded rego policies, set the flag useEmbeddedRegoPolicies. This should serve as a fallback for air-gapped environments. When useEmbeddedRegoPolicies is set to true, useBuiltinRegoPolicies should be set to false. |
| trivy.valuesFromConfigMap | string | `""` | vaulesFromConfigMap name of a ConfigMap to apply TRIVY_* environment variables. Will override Helm values. |
| trivy.valuesFromSecret | string | `""` | valuesFromSecret name of a Secret to apply TRIVY_* environment variables. Will override Helm AND ConfigMap values. |
10 changes: 5 additions & 5 deletions deploy/helm/values.yaml
Expand Up @@ -185,8 +185,8 @@ operator:
valuesFromSecret: ""

image:
registry: "ghcr.io"
repository: "aquasecurity/trivy-operator"
registry: "mirror.gcr.io"
repository: "aquasec/trivy-operator"
# -- tag is an override of the image tag, which is by default set by the
# appVersion field in Chart.yaml.
tag: ""
Expand Down Expand Up @@ -336,9 +336,9 @@ trivy:
createConfig: true
image:
# -- registry of the Trivy image
registry: ghcr.io
registry: mirror.gcr.io
# -- repository of the Trivy image
repository: aquasecurity/trivy
repository: aquasec/trivy
# -- tag version of the Trivy image
tag: 0.57.1
# -- imagePullSecret is the secret name to be used when pulling trivy image from private registries example : reg-secret
Expand Down Expand Up @@ -536,7 +536,7 @@ trivy:
#
dbRepositoryInsecure: "false"

# -- The Flag to enable the usage of builtin rego policies by default, these policies are downloaded by default from ghcr.io/aquasecurity/trivy-checks
# -- The Flag to enable the usage of builtin rego policies by default, these policies are downloaded by default from mirror.gcr.io/aquasec/trivy-checks
#
useBuiltinRegoPolicies: "false"
# -- The Flag to enable the usage of external rego policies config-map, this should be used when the user wants to use their own rego policies
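Review bot: The operator `image.registry` and `image.repository` keys carry no `# --` description, which is presumably why their rows in deploy/helm/README.md are empty, yet they are now where the default image origin changes. Add descriptions such as `# -- registry of the operator image (global.image.registry takes precedence when set)` and `# -- repository of the operator image`. The comment should also note that allow-lists, pull secrets and image-verification policies written for `ghcr.io/aquasecurity/*` need updating on upgrade. As a style point, the `trivy.image` block leaves `registry`, `repository` and `tag` unquoted while the operator block quotes its values. Writing `tag: "0.57.1"` keeps a future two-part version from being read as a float.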
2 changes: 1 addition & 1 deletion deploy/static/kustomization.yaml
Expand Up @@ -3,6 +3,6 @@ kind: Kustomization
resources:
- trivy-operator.yaml
images:
- name: ghcr.io/aquasecurity/trivy-operator
- name: mirror.gcr.io/aquasec/trivy-operator
newName: aquasecurity/trivy-operator
newTag: dev
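Review bot: `newName: aquasecurity/trivy-operator` is left unchanged, and an image name with no registry host resolves to Docker Hub. According to .goreleaser.yaml the project publishes there under `aquasec/`, not `aquasecurity/`. If that namespace is not controlled by the project, a cluster that has to pull `aquasecurity/trivy-operator:dev` would run whatever is published under it. Presumably the dev flow relies on a locally loaded image, but nothing in this file enforces that. Make the rewrite target explicit and consistent with CONTRIBUTING.md, e.g. `newName: mirror.gcr.io/aquasec/trivy-operator`.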
4 changes: 2 additions & 2 deletions deploy/static/trivy-operator.yaml
Expand Up @@ -3044,7 +3044,7 @@ metadata:
app.kubernetes.io/version: "0.23.0"
app.kubernetes.io/managed-by: kubectl
data:
trivy.repository: "ghcr.io/aquasecurity/trivy"
trivy.repository: "mirror.gcr.io/aquasec/trivy"
trivy.tag: "0.57.1"
trivy.imagePullPolicy: "IfNotPresent"
trivy.additionalVulnerabilityReportFields: ""
Expand Down Expand Up @@ -3124,7 +3124,7 @@ spec:
automountServiceAccountToken: true
containers:
- name: "trivy-operator"
image: "ghcr.io/aquasecurity/trivy-operator:0.23.0"
image: "mirror.gcr.io/aquasec/trivy-operator:0.23.0"
imagePullPolicy: IfNotPresent
env:
- name: OPERATOR_NAMESPACE
