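---
# Argo CD (Helm source + SSA) or raw kubectl can leave Trivy objects without meta.helm.sh/ ownership.
# Namespace-scoped resources go away when trivy-system is deleted; ClusterRole / ClusterRoleBinding /
# ClusterComplianceReport do not. If there is no Helm release trivy-operator, reset namespace + cluster scope
# so helm upgrade --install can adopt cleanly.
#
# The reset is destructive, so it must only run when the release is genuinely absent. A non-zero rc from
# `helm status` that is NOT the "release: not found" case (unreachable API server, bad kubeconfig, missing
# helm binary) fails the play instead of silently triggering the deletes below.

- name: Check whether trivy-operator Helm release exists in trivy-system
  ansible.builtin.command:
    argv:
      - helm
      - status
      - trivy-operator
      - -n
      - trivy-system
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  register: noble_trivy_helm_release_status
  changed_when: false
  # Only "release: not found" (helm prints it on stderr) is an acceptable non-zero exit; every other
  # failure aborts so the destructive reset tasks cannot be reached on a transient error.
  failed_when: >-
    noble_trivy_helm_release_status.rc != 0
    and 'not found' not in (noble_trivy_helm_release_status.stderr | default(''))

# After the task above, rc != 0 is guaranteed to mean "release absent".
- name: Remove trivy-system namespace when Helm release is absent (orphan SSA / kubectl vs Ansible Helm)
  ansible.builtin.command:
    argv:
      - kubectl
      - delete
      - namespace
      - trivy-system
      - --ignore-not-found=true
      - --wait=true
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  when: noble_trivy_helm_release_status.rc != 0
  register: noble_trivy_ns_reset
  changed_when: "'deleted' in (noble_trivy_ns_reset.stdout | default(''))"

- name: Remove orphan Trivy cluster-scoped resources when Helm release is absent
  ansible.builtin.shell: |
    set -euo pipefail
    # Prefer label selector (matches chart); then explicit names for objects Argo may have created without labels.
    kubectl delete clusterrolebinding -l app.kubernetes.io/instance=trivy-operator --ignore-not-found=true --wait=true 2>/dev/null || true
    kubectl delete clusterrolebinding trivy-operator --ignore-not-found=true --wait=true
    kubectl delete clusterrole -l app.kubernetes.io/instance=trivy-operator --ignore-not-found=true --wait=true 2>/dev/null || true
    kubectl delete clusterrole trivy-operator aggregate-config-audit-reports-view aggregate-exposed-secret-reports-view aggregate-vulnerability-reports-view --ignore-not-found=true --wait=true
    # grep without -q consumes the whole stream, so pipefail cannot turn an early-exit SIGPIPE on kubectl
    # into a false "CRD absent" and skip the report cleanup.
    if kubectl api-resources --api-group=aquasecurity.github.io -o name 2>/dev/null | grep '^clustercompliancereports\.' >/dev/null; then
      kubectl delete clustercompliancereports.aquasecurity.github.io -l app.kubernetes.io/instance=trivy-operator --ignore-not-found=true --wait=true 2>/dev/null || true
      kubectl delete clustercompliancereports.aquasecurity.github.io k8s-cis-1.23 k8s-nsa-1.0 k8s-pss-baseline-0.1 k8s-pss-restricted-0.1 --ignore-not-found=true --wait=true 2>/dev/null || true
    fi
  args:
    # `set -o pipefail` is not POSIX; the module's default /bin/sh (dash on Debian/Ubuntu) rejects it
    # and the task would fail before running a single kubectl command.
    executable: /bin/bash
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  when: noble_trivy_helm_release_status.rc != 0
  register: noble_trivy_cluster_reset
  changed_when: "'deleted' in (noble_trivy_cluster_reset.stdout | default(''))"

- name: Apply trivy-system namespace (PSA)
  ansible.builtin.command:
    argv:
      - kubectl
      - apply
      - -f
      - "{{ noble_repo_root }}/clusters/noble/bootstrap/trivy/namespace.yaml"
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  register: noble_trivy_ns_apply
  # kubectl apply reports "created" / "configured" / "unchanged"; only the first two are real changes,
  # which keeps repeated runs idempotent in the play recap.
  changed_when: >-
    'created' in (noble_trivy_ns_apply.stdout | default(''))
    or 'configured' in (noble_trivy_ns_apply.stdout | default(''))

- name: Install Trivy Operator
  ansible.builtin.command:
    argv:
      - helm
      - upgrade
      - --install
      - trivy-operator
      - aqua/trivy-operator
      - -n
      - trivy-system
      - --version
      - "{{ noble_trivy_chart_version }}"
      - -f
      - "{{ noble_repo_root }}/clusters/noble/bootstrap/trivy/values.yaml"
      # Takes over SSA field-manager ownership left by Argo/kubectl; verify the pinned helm version supports it.
      - --force-conflicts
      - --wait
      - --timeout
      - "{{ noble_helm_trivy_wait_timeout }}"
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  changed_when: true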