fix: policies bundle insecure

Signed-off-by: chenk <hen.keinan@gmail.com>

deploy/helm/README.md

@@ -93,6 +93,7 @@ Keeps security report resources updated
 | podAnnotations | object | `{}` | podAnnotations annotations added to the operator's pod |
 | podSecurityContext | object | `{}` |  |
 | policiesBundle.existingSecret | bool | `false` | existingSecret if a secret containing registry credentials that have been created outside the chart (e.g external-secrets, sops, etc...). Keys must be at least one of the following: policies.bundle.oci.user, policies.bundle.oci.password Overrides policiesBundle.registryUser, policiesBundle.registryPassword values. Note: The secret has to be named "trivy-operator". |
+| policiesBundle.insecure | bool | `false` | insecure is the flag to enable insecure connection to the policy bundle registry |
 | policiesBundle.registry | string | `"ghcr.io"` | registry of the policies bundle |
 | policiesBundle.registryPassword | string | `nil` | registryPassword is the password for the registry |
 | policiesBundle.registryUser | string | `nil` | registryUser is the user for the registry |

deploy/helm/templates/configmaps/operator.yaml

@@ -87,7 +87,9 @@ data:
   {{- end }}
   node.collector.imageRef: "{{ include "global.imageRegistry" . | default .Values.nodeCollector.registry }}/{{ .Values.nodeCollector.repository }}:{{ .Values.nodeCollector.tag }}"
   policies.bundle.oci.ref: "{{ .Values.policiesBundle.registry }}/{{ .Values.policiesBundle.repository }}:{{ .Values.policiesBundle.tag }}"
+  policies.bundle.insecure: {{ .Values.policiesBundle.insecure | quote }}
   {{- with .Values.nodeCollector.imagePullSecret }}
   node.collector.imagePullSecret: "{{ . }}"
   {{- end }}
+
   node.collector.nodeSelector: {{ .Values.nodeCollector.useNodeSelector | quote }}

deploy/helm/values.yaml

@@ -678,6 +678,8 @@ policiesBundle:
   # Overrides policiesBundle.registryUser, policiesBundle.registryPassword values.
   # Note: The secret has to be named "trivy-operator".
   existingSecret: false
+  # -- insecure is the flag to enable insecure connection to the policy bundle registry
+  insecure: false
 
 
 nodeCollector:

deploy/static/trivy-operator.yaml

@@ -2944,6 +2944,8 @@ data:
   report.recordFailedChecksOnly: "true"
   node.collector.imageRef: "ghcr.io/aquasecurity/node-collector:0.2.1"
   policies.bundle.oci.ref: "ghcr.io/aquasecurity/trivy-checks:0"
+  policies.bundle.insecure: "false"
+
   node.collector.nodeSelector: "true"
 ---
 # Source: trivy-operator/templates/configmaps/policies.yaml

pkg/operator/operator.go

@@ -440,6 +440,7 @@ func buildPolicyLoader(tc trivyoperator.ConfigData) (policy.Loader, error) {
 					Password: registryPassword,
 				},
 			},
+			Insecure: tc.PolicyBundleInsecure(),
 		}
 		artifact.RegistryOptions = ro
 	}

pkg/trivyoperator/config.go

@@ -87,6 +87,7 @@ const (
 	KeyTrivyServerURL                      = "trivy.serverURL"
 	KeyNodeCollectorImageRef               = "node.collector.imageRef"
 	KeyPoliciesBundleOciRef                = "policies.bundle.oci.ref"
+	KeyPoliciesBundleInsecure              = "policies.bundle.insecure"
 	KeyPoliciesBundleOciUser               = "policies.bundle.oci.user"
 	KeyPoliciesBundleOciPassword           = "policies.bundle.oci.password"
 	KeyNodeCollectorImagePullSecret        = "node.collector.imagePullSecret"
@@ -440,6 +441,9 @@ func (c ConfigData) NodeCollectorImageRef() string {
 func (c ConfigData) PolicyBundleOciRef() string {
 	return c[KeyPoliciesBundleOciRef]
 }
+func (c ConfigData) PolicyBundleInsecure() bool {
+	return c.getBoolKey(KeyPoliciesBundleInsecure)
+}
 
 func (c ConfigData) PolicyBundleOciUser() string {
 	return c[KeyPoliciesBundleOciUser]