# Trivy Operator — in-cluster image vulnerability + config reports (Aqua trivy-operator Helm chart).
# **Talos:** **nodeCollector** omits **/etc/systemd** and **/lib/systemd** mounts (RO **/etc** in the image → mkdir fails for any mount there). See trivy-operator#1326.
# Deploy via Argo CD: **noble-trivy-operator** (`clusters/noble/bootstrap/argocd/app-of-apps/trivy-operator-application.yaml`).
#
# Web UI (separate chart; OAuth via Traefik ForwardAuth → oauth2-proxy / Authentik): sync **noble-trivy-dashboard**
# after the operator — values in **dashboard-values.yaml** (host **trivy.apps.noble.lab.pcenicni.dev**).
#
# Manual Helm (if not using Argo):
#   helm repo add aqua https://aquasecurity.github.io/helm-charts/ && helm repo update
#   kubectl apply -f clusters/noble/apps/trivy/namespace.yaml
#   helm upgrade --install trivy-operator aqua/trivy-operator -n trivy-system \
#     --version 0.32.1 -f clusters/noble/apps/trivy/values.yaml --wait --timeout 15m
#
# Inspect: kubectl get vulnerabilityreports,configauditreports -A
# Docs: https://aquasecurity.github.io/trivy-operator/

# Skip platform/system namespaces (mirrors Kyverno excludes; reduces scan load).
excludeNamespaces: "argocd,cert-manager,headlamp,kyverno,local-path-storage,logging,longhorn-system,loki,metallb-system,monitoring,newt,traefik,trivy-system,velero,kube-node-lease,kube-public,kube-system"

operator:
  scanJobsConcurrentLimit: 5
  # SBOM / cluster compliance add CPU and CR volume; keep vulnerability + config audit.
  sbomGenerationEnabled: false
  clusterSbomCacheEnabled: false
  clusterComplianceEnabled: false

trivyOperator:
  # Run scan Jobs on every node (Talos / mixed taints).
  scanJobTolerations:
    - operator: Exists

# Talos: exclude **etc-systemd** / **lib-systemd** mounts entirely — mounting under **/etc** still triggers
# `mkdir /etc/systemd: read-only file system` (container **/etc** is RO). Upstream: override volumes/mounts (#1326).
nodeCollector:
  tolerations:
    - operator: Exists
  volumeMounts:
    - name: var-lib-etcd
      mountPath: /var/lib/etcd
      readOnly: true
    - name: var-lib-kubelet
      mountPath: /var/lib/kubelet
      readOnly: true
    - name: var-lib-kube-scheduler
      mountPath: /var/lib/kube-scheduler
      readOnly: true
    - name: var-lib-kube-controller-manager
      mountPath: /var/lib/kube-controller-manager
      readOnly: true
    - name: etc-kubernetes
      mountPath: /etc/kubernetes
      readOnly: true
    - name: etc-cni-netd
      mountPath: /etc/cni/net.d/
      readOnly: true
  volumes:
    - name: var-lib-etcd
      hostPath:
        path: /var/lib/etcd
    - name: var-lib-kubelet
      hostPath:
        path: /var/lib/kubelet
    - name: var-lib-kube-scheduler
      hostPath:
        path: /var/lib/kube-scheduler
    - name: var-lib-kube-controller-manager
      hostPath:
        path: /var/lib/kube-controller-manager
    - name: etc-kubernetes
      hostPath:
        path: /etc/kubernetes
    - name: etc-cni-netd
      hostPath:
        path: /etc/cni/net.d/

serviceMonitor:
  enabled: true
  namespace: monitoring