feat(starboard): Add starboard operator

This patch adds the starboard operator along with a trivy-server deployment to the cluster, which should provide insights into the current situation of vulernerablities and CVEs in the cluster. References: https://aquasecurity.github.io/starboard/v0.15.4/ https://aquasecurity.github.io/trivy/v0.25.4/

feat(starboard): Add starboard operator
6aa80dfb · Sheogorath · c01a57bb · 6aa80dfb · 6aa80dfb · 6aa80dfb
Verified Commit 6aa80dfb authored 3 years ago by Sheogorath
--- a/infrastructure/kustomization.yaml
+++ b/infrastructure/kustomization.yaml
@@ -14,3 +14,4 @@ resources:
  - k8up
  - postgres
  - kubenav
+  - starboard
--- a/infrastructure/starboard/README.md
+++ b/infrastructure/starboard/README.md
+Starboard
+===
+
+Operator to create and manage automated container image scans for all containers deployed in the cluster, this helps to provide visibility for potential security issues and makes it easy to identify containers and deployments affected by CVEs.
+
+This particular installation utilises a trivy-server setup, that reduces the times to download the vulnerability database, making it API limit friendlier.
+
+Links
+---
+
+- [Starboard Docs](https://aquasecurity.github.io/starboard/v0.15.4/)
+- [Starboard Helm Chart](https://github.com/aquasecurity/starboard/tree/main/deploy/helm)
+- [Starboard Source Code](https://github.com/aquasecurity/starboard/)
+- [Starboard Help Forum](https://github.com/aquasecurity/starboard//discussions)
+- [Trivy Docs](https://aquasecurity.github.io/trivy/v0.25.4/)
+- [Trivy Helm Chart](https://github.com/aquasecurity/trivy/tree/main/helm/trivy)
+- [Trivy Source Code](https://github.com/aquasecurity/trivy/)
+- [Trivy Help Forum](https://github.com/aquasecurity/trivy/discussions)
--- a/infrastructure/starboard/kustomization.yaml
+++ b/infrastructure/starboard/kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: longhorn-system
+resources:
+  - namespace.yaml
+  - repository.yaml
+  - release.yaml
+  - monitoring.yaml
+  - ../../shared/networkpolicies/allow-from-ingress.yaml
+  - ../../shared/networkpolicies/allow-from-monitoring.yaml
+patchesStrategicMerge:
+  - networkpolicy.yaml
+configMapGenerator:
+  - name: longhorn-grafana-dashboards
+    files:
+      - ./dashboards/longhorn.json
+    options:
+      labels:
+        grafana_dashboard: longhorn-system
--- a/infrastructure/starboard/monitoring.yaml
+++ b/infrastructure/starboard/monitoring.yaml
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+  name: giantswarm
+  namespace: starboard-system
+spec:
+  interval: 30m
+  url: https://giantswarm.github.io/giantswarm-catalog
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: starboard-exporter
+  namespace: starboard-system
+spec:
+  releaseName: starboard-exporter
+  chart:
+    spec:
+      chart: starboard-exporter
+      sourceRef:
+        kind: HelmRepository
+        name: giantswarm
+        namespace: starboard-system
+      version: 0.3.3
+  interval: 5m
--- a/infrastructure/starboard/namespace.yaml
+++ b/infrastructure/starboard/namespace.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: starboard-system
+  labels:
+    name: starboard-system
+    kyverno.shivering-isles.com/class: "system"
--- a/infrastructure/starboard/networkpolicy.yaml
+++ b/infrastructure/starboard/networkpolicy.yaml
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-from-ingress
+spec:
+  podSelector:
+    matchExpressions:
+      - key: app.kubernetes.io/name
+        operator: In
+        values:
+          - starboard-exporter
--- a/infrastructure/starboard/release.yaml
+++ b/infrastructure/starboard/release.yaml
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: starboard-operator
+  namespace: starboard-system
+spec:
+  releaseName: starboard-operator
+  chart:
+    spec:
+      chart: starboard-operator
+      sourceRef:
+        kind: HelmRepository
+        name: aqua
+        namespace: starboard-system
+      version: 0.10.4
+  interval: 5m
+  install:
+    crds: CreateReplace
+  upgrade:
+    crds: CreateReplace
+  values:
+    operator:
+      vulnerabilityScannerScanOnlyCurrentRevisions: true
+      clusterComplianceEnabled: false
+      kubernetesBenchmarkEnabled: false
+    trivy:
+      mode: ClientServer
+      ignoreUnfixed: false
+      serverURL: "http://trivy:4954"
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: trivy
+  namespace: starboard-system
+spec:
+  releaseName: trivy
+  chart:
+    spec:
+      chart: trivy
+      sourceRef:
+        kind: HelmRepository
+        name: aqua
+        namespace: starboard-system
+      version: 0.4.13
+  interval: 5m
--- a/infrastructure/starboard/repository.yaml
+++ b/infrastructure/starboard/repository.yaml
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+  name: longhorn
+  namespace: longhorn-system
+spec:
+  interval: 30m
+  url: https://aquasecurity.github.io/helm-charts/