Chart: Harbor Scanner Adapter for Sysdig Secure

This chart deploys the Harbor Scanner Adapter for Sysdig Secure on your Kubernetes cluster.

Prerequisites

Installation

To install the chart:

helm repo add sysdig https://charts.sysdig.com
helm repo update
helm install harbor-scanner-sysdig-secure --namespace harbor-scanner-sysdig-secure --create-namespace -f values.yaml sysdig/harbor-scanner-sysdig-secure

Verify the integrity and origin

Sysdig Helm Charts are signed so that users can verify the integrity and origin of each chart. The steps are as follows:

Import the Public Key

$ curl -o "/tmp/sysdig_public.gpg" "https://charts.sysdig.com/public.gpg"
$ gpg --import /tmp/sysdig_public.gpg

Verify the chart

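To check the integrity and the origin of the charts, you can now append the --verify flag to the helm install, upgrade and pull commands. Helm reads public keys from a legacy-format keyring (by default ~/.gnupg/pubring.gpg, overridable with --keyring), so with GnuPG 2.1 or later, export the imported key to that format before verifying.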

Configuration

You can use the Helm chart to update the default agent configurations by using either of the following:

Using the Key-Value Pair

Specify each parameter using the --set key=value[,key=value] argument to the helm install command.

For example:

helm install harborscanner-release \
    --set sysdig.secure.apiToken=<SECURE-API-TOKEN> \
    sysdig/harbor-scanner-sysdig-secure

Using values.yaml

The values.yaml file specifies the values for the configuration parameters. You can add the configuration to the values.yaml file, then use it in the helm install command.

$ helm install harborscanner-release -f values.yaml sysdig/harbor-scanner-sysdig-secure

Configuration Parameters

The following table lists the configurable parameters of the Harbor Scanner Sysdig Secure chart and their default values:

| Parameter | Description | Default |
|---|---|---|
| customEntryPoint | Overrides the container entrypoint. | [] |
| replicaCount | Specifies the number of replicas for the Scanner Adapter. | 1 |
| image.repository | Specifies the image repository to pull the image from. | sysdiglabs/harbor-scanner-sysdig-secure |
| image.tag | Specifies the image tag to pull. | ` ` |
| image.pullPolicy | Specifies the image pull policy. | IfNotPresent |
| imagePullSecrets | Specifies the image pull secrets. | [] |
| nameOverride | Specifies the chart name override. | ` ` |
| fullnameOverride | Specifies the chart full name override. | ` ` |
| serviceAccount.create | Creates the service account. | true |
| serviceAccount.annotations | Specifies the extra annotations for serviceAccount. | {} |
| serviceAccount.name | Specifies the serviceAccount name. | ` ` |
| rbac.create | Creates and uses RBAC resources. | true |
| podAnnotations | Specifies the custom pod annotations. | {} |
| podSecurityContext | Enables deployment PSPs. | {} |
| securityContext | Enables securityContext. | {} |
| service.type | Specifies the service type. | ClusterIP |
| service.port | Specifies the port for the service. | 5000 |
| nodeSelector | Specifies the nodeSelector for scheduling. | {} |
| tolerations | Specifies the tolerations for scheduling. | [] |
| affinity | Enables affinity rules. | {} |
| sysdig.secure.apiToken | Specifies the API Token to access Sysdig Secure. This value is mandatory. | ` ` |
| sysdig.secure.existingSecureAPITokenSecret | Specifies the existing secret name with API Token to access Sysdig Secure. Alternatively, you can specify the name of a Kubernetes secret containing a sysdig_secure_api_token entry. If neither is configured, you must provide the deployment with the SECURE_API_TOKEN environment variable. | ` ` |
| sysdig.secure.url | Specifies the Sysdig Secure endpoint. | https://secure.sysdig.com |
| sysdig.secure.verifySSL | Verifies the SSL certificate when connecting to the Sysdig Secure endpoint. | true |
| proxy.httpProxy | Specifies the URL of the proxy for HTTP connections. Leave empty if not using a proxy. It sets the http_proxy environment variable. | ` ` |
| proxy.httpsProxy | Specifies the URL of the proxy for HTTPS connections. Leave empty if not using a proxy. It sets the https_proxy environment variable. | ` ` |
| proxy.noProxy | Specifies the comma-separated list of domain extensions the proxy should not be used for. Includes the internal IP of the kube API server. | ` ` |
| cliScanning.enabled | Enables the CLI Scanning feature. | true |
| cliScanning.image | Specifies the pullstring for the CLI Scanner Image. | alpine:latest |
| asyncMode.enabled | Enables the Async-Mode feature. | false |
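
A values.yaml built from the parameters above that keeps the API token out of the Helm release values and the command line. This is an added example, not a file from the chart's repository; the Secret name harbor-scanner-sysdig-token, the image tag and the image digest are placeholders to replace with your own.

```yaml
# values.yaml (added example; placeholders are marked)
#
# The Secret is created out of band so the token never appears in --set
# arguments, shell history, or `helm get values`. Secret name is an assumption:
#   kubectl -n harbor-scanner-sysdig-secure create secret generic \
#     harbor-scanner-sysdig-token \
#     --from-file=sysdig_secure_api_token=./token.txt

sysdig:
  secure:
    # Weaker alternative, stored in the Helm release values:
    #   apiToken: <SECURE-API-TOKEN>
    # Preferred: reference a Secret that holds the key sysdig_secure_api_token.
    existingSecureAPITokenSecret: harbor-scanner-sysdig-token  # assumed name
    url: https://secure.sysdig.com
    # Chart default. Setting this to false disables certificate checking on
    # the connection that carries the API token.
    verifySSL: true

image:
  repository: sysdiglabs/harbor-scanner-sysdig-secure
  # Placeholder: pin an explicit version so upgrades are deliberate.
  tag: "<PINNED-VERSION>"
  pullPolicy: IfNotPresent

cliScanning:
  enabled: true
  # The default is the mutable tag alpine:latest; a digest pins the exact
  # image content. Placeholder digest, to be filled from your own registry.
  image: "alpine@sha256:<DIGEST>"

service:
  # ClusterIP keeps the adapter reachable only from inside the cluster,
  # which is where Harbor connects from in an in-cluster deployment.
  type: ClusterIP
  port: 5000

proxy:
  # Leave empty when no proxy is used. If a proxy is set, noProxy should
  # include the internal IP of the kube API server, as the table notes.
  httpProxy: ""
  httpsProxy: ""
  noProxy: ""
```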