feat(harbor): Add trivy adapter image (#2446)

* feat(harbor): Add trivy adapter image Signed-off-by: RJ Sampson <[email protected]> * chore(harbor): Drop busybox Signed-off-by: RJ Sampson <[email protected]> --------- Signed-off-by: RJ Sampson <[email protected]>
chainguard-images · Apr 4, 2024 · d7872c4 · d7872c4
1 parent 4953eb0
commit d7872c4
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 10 deletions.
diff --git a/images/harbor/README.md b/images/harbor/README.md
@@ -44,7 +44,8 @@ helm install harbor harbor/harbor \
   --set jobservice.image.repository=cgr.dev/chainguard/harbor-jobservice,jobservice.image.tag=latest \
   --set portal.image.repository=cgr.dev/chainguard/harbor-portal,portal.image.tag=latest \
   --set registry.registry.image.repository=cgr.dev/chainguard/harbor-registry,registry.registry.image.tag=latest \
-  --set registry.registryctl.image.repository=cgr.dev/chainguard/harbor-registryctl,registry.registryctl.image.tag=latest
+  --set registry.registryctl.image.repository=cgr.dev/chainguard/harbor-registryctl,registry.registryctl.image.tag=latest \
+  --set trivy.image.repository=cgr.dev/chainguard/harbor-trivy-adapter,trivy.image.tag=latest
 ```
 
 You will need to override the `image` and `tag` values for each image like we've done here to point to Chainguard's Harbor images and tags.

diff --git a/images/harbor/config/main.tf b/images/harbor/config/main.tf
@@ -15,6 +15,7 @@ locals {
     "portal" : "nginx -g 'daemon off;'"
     "registry" : "/usr/bin/registry_DO_NOT_USE_GC serve /etc/registry/config.yml"
     "registryctl" : "/harbor/harbor_registryctl -c /etc/registryctl/config.yml",
+    "trivy-adapter" : "/usr/bin/scanner-trivy",
   }
 
   certs_path = {
@@ -139,6 +140,18 @@ locals {
       local.harbor_path,
       local.registry_conf_path,
     ]
+    "trivy-adapter" : [
+      local.certs_path,
+    ]
+  }
+
+  users = {
+    "core" : "harbor",
+    "jobservice" : "harbor",
+    "portal" : "nginx",
+    "registry" : "harbor",
+    "registryctl" : "harbor",
+    "trivy-adapter" : "scanner",
   }
 
   work-dirs = {
@@ -147,6 +160,7 @@ locals {
     "portal" : "/",
     "registry" : "/",
     "registryctl" : "/",
+    "trivy-adapter" : "/",
   }
 }
 
@@ -165,7 +179,7 @@ module "accts" {
   run-as = 65532
   uid    = 65532
   gid    = 65532
-  name   = var.component == "portal" ? "nginx" : "harbor"
+  name   = local.users[var.component]
 }
 
 output "config" {

diff --git a/images/harbor/main.tf b/images/harbor/main.tf
@@ -15,12 +15,15 @@ locals {
     "portal",
     "registry",
     "registryctl",
+    "trivy-adapter",
   ])
 
   packages = merge({
-    for k, v in local.components : k => "harbor-${k}"
+    for k, v in local.components : k => ["harbor-${k}"]
     }, {
-    "core" : "harbor"
+    "core" : ["harbor"]
+    }, {
+    "trivy-adapter" : ["harbor-scanner-trivy", "trivy"]
   })
 
   repositories = {
@@ -32,7 +35,7 @@ module "latest-config" {
   for_each       = local.components
   source         = "./config"
   component      = each.key
-  extra_packages = [local.packages[each.key], "busybox"]
+  extra_packages = local.packages[each.key]
 }
 
 module "latest" {

diff --git a/images/harbor/tests/main.tf b/images/harbor/tests/main.tf
@@ -8,11 +8,12 @@ terraform {
 variable "digests" {
   description = "The image digests to run tests over."
   type = object({
-    core        = string
-    jobservice  = string
-    portal      = string
-    registry    = string
-    registryctl = string
+    core          = string
+    jobservice    = string
+    portal        = string
+    registry      = string
+    registryctl   = string
+    trivy-adapter = string
   })
 }
 
@@ -77,6 +78,12 @@ module "helm" {
           tag        = data.oci_string.ref["registryctl"].pseudo_tag
         }
       }
+      trivy = {
+        image = {
+          repository = data.oci_string.ref["trivy-adapter"].registry_repo
+          tag        = data.oci_string.ref["trivy-adapter"].pseudo_tag
+        }
+      }
     }
   }
 }