From 13969481d587ce9e54e9ee7734a3704206417cbb Mon Sep 17 00:00:00 2001
From: chenk
Date: Sun, 26 May 2024 11:56:05 +0300
Subject: [PATCH] fix: policies bundle insecure

Signed-off-by: chenk
---
 deploy/helm/README.md | 1 +
 deploy/helm/templates/configmaps/operator.yaml | 2 ++
 deploy/helm/values.yaml | 2 ++
 deploy/static/trivy-operator.yaml | 2 ++
 pkg/operator/operator.go | 1 +
 pkg/trivyoperator/config.go | 4 ++++
 6 files changed, 12 insertions(+)

diff --git a/deploy/helm/README.md b/deploy/helm/README.md
index 85d21414f..e823ae9cd 100644
--- a/deploy/helm/README.md
+++ b/deploy/helm/README.md
@@ -93,6 +93,7 @@ Keeps security report resources updated
 | podAnnotations | object | `{}` | podAnnotations annotations added to the operator's pod |
 | podSecurityContext | object | `{}` | |
 | policiesBundle.existingSecret | bool | `false` | existingSecret if a secret containing registry credentials that have been created outside the chart (e.g external-secrets, sops, etc...). Keys must be at least one of the following: policies.bundle.oci.user, policies.bundle.oci.password Overrides policiesBundle.registryUser, policiesBundle.registryPassword values. Note: The secret has to be named "trivy-operator". |
+| policiesBundle.insecure | bool | `false` | insecure is the flag to enable insecure connection to the policy bundle registry |
 | policiesBundle.registry | string | `"ghcr.io"` | registry of the policies bundle |
 | policiesBundle.registryPassword | string | `nil` | registryPassword is the password for the registry |
 | policiesBundle.registryUser | string | `nil` | registryUser is the user for the registry |
diff --git a/deploy/helm/templates/configmaps/operator.yaml b/deploy/helm/templates/configmaps/operator.yaml
index 47acf9140..4684a34d8 100644
--- a/deploy/helm/templates/configmaps/operator.yaml
+++ b/deploy/helm/templates/configmaps/operator.yaml
@@ -87,7 +87,9 @@ data:
 {{- end }}
 node.collector.imageRef: "{{ include "global.imageRegistry" . | default .Values.nodeCollector.registry }}/{{ .Values.nodeCollector.repository }}:{{ .Values.nodeCollector.tag }}"
 policies.bundle.oci.ref: "{{ .Values.policiesBundle.registry }}/{{ .Values.policiesBundle.repository }}:{{ .Values.policiesBundle.tag }}"
+ policies.bundle.insecure: {{ .Values.policiesBundle.insecure | quote }}
 {{- with .Values.nodeCollector.imagePullSecret }}
 node.collector.imagePullSecret: "{{ . }}"
 {{- end }}
+ node.collector.nodeSelector: {{ .Values.nodeCollector.useNodeSelector | quote }}
diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
index 399cd6355..bf138d658 100644
--- a/deploy/helm/values.yaml
+++ b/deploy/helm/values.yaml
@@ -678,6 +678,8 @@ policiesBundle:
 # Overrides policiesBundle.registryUser, policiesBundle.registryPassword values.
 # Note: The secret has to be named "trivy-operator".
 existingSecret: false
+ # -- insecure is the flag to enable insecure connection to the policy bundle registry
+ insecure: false
 nodeCollector:
diff --git a/deploy/static/trivy-operator.yaml b/deploy/static/trivy-operator.yaml
index d2fcdd004..bd0335f3c 100644
--- a/deploy/static/trivy-operator.yaml
+++ b/deploy/static/trivy-operator.yaml
@@ -2944,6 +2944,8 @@ data:
 report.recordFailedChecksOnly: "true"
 node.collector.imageRef: "ghcr.io/aquasecurity/node-collector:0.2.1"
 policies.bundle.oci.ref: "ghcr.io/aquasecurity/trivy-checks:0"
+ policies.bundle.insecure: "false"
+ node.collector.nodeSelector: "true"
 ---
 # Source: trivy-operator/templates/configmaps/policies.yaml
diff --git a/pkg/operator/operator.go b/pkg/operator/operator.go
index ad0aada1b..c3721d563 100644
--- a/pkg/operator/operator.go
+++ b/pkg/operator/operator.go
@@ -440,6 +440,7 @@ func buildPolicyLoader(tc trivyoperator.ConfigData) (policy.Loader, error) {
 Password: registryPassword,
 },
 },
+ Insecure: tc.PolicyBundleInsecure(),
 }
 artifact.RegistryOptions = ro
 }
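Review bot: The second added line in the operator.yaml hunk, `node.collector.nodeSelector: {{ .Values.nodeCollector.useNodeSelector | quote }}`, has nothing to do with the policies-bundle change named in the commit subject, and it reads `nodeCollector.useNodeSelector`, which the values.yaml hunk in this commit does not define; unless that value already exists in values.yaml, the rendered configmap entry will be empty rather than the `"true"` the static manifest hardcodes for the same key. The same stray line is added to deploy/static/trivy-operator.yaml, so the chart default and the generated manifest can drift apart. Either move the nodeSelector line into its own commit with a documented `nodeCollector.useNodeSelector` default, or drop it from this one.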
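Review bot: The `# --` comment on the new `insecure` value says only "enable insecure connection", which does not tell an operator what protection is being switched off; since the README row in this commit carries the identical sentence, it looks like helm-docs propagates this comment verbatim into user-facing docs. The value feeds the `Insecure` field of the registry options built in pkg/operator/operator.go, which in Trivy's registry client, as far as I know it, means TLS certificate verification is skipped and plain-HTTP registries are accepted — so the policy bundle the operator enforces could be served by a registry whose identity was never verified. Suggest `# -- insecure allows the policies bundle to be pulled over plain HTTP or from a registry whose TLS certificate cannot be verified; keep false unless the registry is private and trusted`.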
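Review bot: `Insecure: tc.PolicyBundleInsecure()` is set on `ro`, and `ro` is only assigned to `artifact.RegistryOptions` inside a block that closes right after that assignment; if that block is guarded by the registry user/password being non-empty (its opening and the rest of buildPolicyLoader are outside the hunk, so this is inferred from the `Password: registryPassword` context), then the new flag is silently ignored whenever no credentials are configured, which is precisely the anonymous self-signed or plain-HTTP registry case the option exists for. Consider building the RegistryOptions unconditionally with `Insecure` set, and appending the credential only when both user and password are present, so the two settings are independent. It would also help detection to log once at startup when `policies.bundle.insecure` is true, since a weakened registry connection for the policy bundle is something an operator should be able to see in the logs.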
diff --git a/pkg/trivyoperator/config.go b/pkg/trivyoperator/config.go
index 4429d22d6..7439d5d8d 100644
--- a/pkg/trivyoperator/config.go
+++ b/pkg/trivyoperator/config.go
@@ -87,6 +87,7 @@ const (
 KeyTrivyServerURL = "trivy.serverURL"
 KeyNodeCollectorImageRef = "node.collector.imageRef"
 KeyPoliciesBundleOciRef = "policies.bundle.oci.ref"
+ KeyPoliciesBundleInsecure = "policies.bundle.insecure"
 KeyPoliciesBundleOciUser = "policies.bundle.oci.user"
 KeyPoliciesBundleOciPassword = "policies.bundle.oci.password"
 KeyNodeCollectorImagePullSecret = "node.collector.imagePullSecret"
@@ -440,6 +441,9 @@ func (c ConfigData) NodeCollectorImageRef() string {
 func (c ConfigData) PolicyBundleOciRef() string {
 return c[KeyPoliciesBundleOciRef]
 }
+func (c ConfigData) PolicyBundleInsecure() bool {
+ return c.getBoolKey(KeyPoliciesBundleInsecure)
+}
 func (c ConfigData) PolicyBundleOciUser() string {
 return c[KeyPoliciesBundleOciUser]
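Review bot: The new configmap key `policies.bundle.insecure` breaks the `policies.bundle.oci.*` naming used by its siblings (`policies.bundle.oci.ref`, `policies.bundle.oci.user`, `policies.bundle.oci.password`) even though it configures the same OCI registry connection; if the key has not been released yet, `KeyPoliciesBundleOciInsecure = "policies.bundle.oci.insecure"` would keep the namespace consistent, with the same string changed in the chart template, values.yaml, README and static manifest touched by this commit. Either way a one-line comment on this constant, such as `// KeyPoliciesBundleInsecure disables TLS verification for the policies bundle registry; see PolicyBundleInsecure`, would make the security meaning visible where the key is defined. The `const (` block starts outside the hunk.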