Helm doesn't support custom container commands and args and setting automountServiceAccountToken #5677

Open
chen-keinan opened this issue Nov 29, 2023 Discussed in #5319 · 0 comments

@chen-keinan (Contributor)

Originally posted by meDracula October 3, 2023

Description

I have stumbled on a couple of use cases that the current helm/trivy templates do not support. I hope that you, the developer reading this, will realize the suggested changes are good and can be added to the helm templates.

NOTE: This is my first time trying to contribute to an open source project, so if I'm breaking some unspoken rules or doing it in the wrong order, I'm sorry; first try 😅

Use-cases

Let's start with my problem. I don't inject secrets through the Kubernetes Operator and instead use the Vault Agent Injector.
The secrets I am trying to inject from Vault are:

TRIVY_USERNAME
TRIVY_PASSWORD
GITHUB_TOKEN
TRIVY_TOKEN

The plan is to have the Vault Agent Injector run as an init container that fetches the secrets; the Trivy container then needs to override the image entrypoint to first source the file that the agent injector volume shares with the Trivy container, and then run the command `trivy server`.

My expectation of change to the helm/trivy values.yaml file was to perform a:

trivy:
    command: ["/bin/sh"]
    args: ["-c", "source /credentials/secrets && trivy server"]

However, the helm template does not support overriding command or args.
But the template does support changing the Trivy image to any custom image reference and repository.
Given that custom images are supported, I would argue the command and args should be able to be overwritten, in a use case like mine, or if a custom image is being used and its entrypoint isn't the same as the original
trivy image's, i.e.:

ENTRYPOINT ["trivy"]

And the args for the custom image aren't the ones in helm/trivy/templates/statefulset.yaml#L74:

args:
  - server

Finally, to use the Vault Agent Injector with your StatefulSet, automountServiceAccountToken can't be a hardcoded value, since I need to control the boolean to set it to true. Currently, in helm/trivy/templates/statefulset.yaml#L45:

spec:
    automountServiceAccountToken: false

Required changes

  • Control the Statefulset automountServiceAccountToken boolean logic
  • Override the default Trivy container command (useful when using custom images)
  • Override the default Trivy container args (useful when using custom images)

Suggested Solutions

  1. Modify the automountServiceAccountToken in the templates/statefulset.yaml file to:

automountServiceAccountToken: {{ default false .Values.automountServiceAccountToken }}

  2. If the values.yaml file contains the command option, then set the command:

{{- if .Values.trivy.command }}
command: {{ .Values.trivy.command | toJson }}
{{- end }}

  3. For the args, modify the templates/statefulset.yaml file to:

args: {{ .Values.trivy.args | toJson }}

And introduce a default in the values.yaml file by adding

trivy:
  # args trivy container args
  args:
    - server

I have already developed this possible solution in this fork: My Trivy forked solution.

Final

I hope my suggestion follows the aquasec/trivy way, because I really enjoy what you have built 🥳 ❤️ and I
want to use it for the work I am doing, but...
to use it I need the required changes listed above to take place.

I tried to find as much information as I could about how to contribute, but from my reading it just says to create a discussion.
If my suggested changes look decent, please tell me the next steps in the process to get this into your helm chart 😄

Target: Helm

Scanner: None
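The three suggested changes, assembled into one values/template pair as an added example (this is not the chart's shipped code nor the poster's fork; the `trivy.command`, `trivy.args` and `automountServiceAccountToken` keys follow the post's proposal, and the image tag, container name and `/credentials/secrets` path are assumptions). The security-relevant part is the default: `automountServiceAccountToken` stays `false`, so the Pod gets no API-server credential unless the operator explicitly opts in. The Vault Agent Injector opt-in is shown as a commented override, because the injector authenticates to Vault's Kubernetes auth method with the Pod's service account token; when you enable it, keep the service account's RBAC minimal, since that token is also what a compromised `trivy server` process could use against the API server.

```yaml
# values.yaml (added example; keys follow the post's proposal, not the chart's shipped values)
automountServiceAccountToken: false   # least-privilege default: no SA token mounted into the Pod
trivy:
  image:
    registry: ghcr.io
    repository: aquasecurity/trivy
    tag: 0.47.0                        # assumed tag; pin a digest in production
  # command is left empty so the image ENTRYPOINT ["trivy"] is used unless overridden
  command: []
  # args default to the chart's current hardcoded value
  args:
    - server

# Override for the Vault Agent Injector use case from the post (uncomment to enable):
# automountServiceAccountToken: true                      # injector needs the SA token for Vault k8s auth
# trivy:
#   command: ["/bin/sh"]
#   args: ["-c", ". /credentials/secrets && trivy server"] # '.' is the POSIX form of 'source'; works in busybox ash

# templates/statefulset.yaml (excerpt, added example; Go template syntax, not plain YAML)
spec:
  template:
    spec:
      # `default` treats false as empty, so true -> true, false -> false, unset -> false
      automountServiceAccountToken: {{ .Values.automountServiceAccountToken | default false }}
      containers:
        - name: main                   # assumed container name
          image: "{{ .Values.trivy.image.registry }}/{{ .Values.trivy.image.repository }}:{{ .Values.trivy.image.tag }}"
          # `with` skips the block when command is unset or an empty list
          {{- with .Values.trivy.command }}
          command: {{ toJson . }}
          {{- end }}
          # toJson emits a JSON array, which YAML accepts as a flow sequence, e.g. args: ["server"]
          args: {{ .Values.trivy.args | toJson }}
```

Rendering with `helm template . --set automountServiceAccountToken=true --set 'trivy.command={/bin/sh}'` is the quick check that the `with` block appears only when a command is set and that the boolean is emitted unquoted; a quoted `"true"` would be rejected by the API server because the field is a bool.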
