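---
# Trivy Operator Helm Values
# Chart: https://github.com/aquasecurity/trivy-operator
#
# Helm does not validate unknown keys: a value nested under the wrong parent is
# silently dropped, never rejected. Key placement below follows the upstream
# chart's values.yaml; verify against `helm show values` for the pinned chart
# version before relying on any single setting.

# Namespace scope (empty targetNamespaces = every namespace not excluded).
# NOTE(review): excluding kube-system also excludes CNI, DNS and other system
# DaemonSets from vulnerability and config-audit scanning. That is a coverage
# gap, not only noise reduction - confirm it is intended.
targetNamespaces: ""
excludeNamespaces: "kube-system,kube-public,kube-node-lease"

# Operator settings
operator:
  replicas: 1

  # Scan job scheduling
  # scanJobTimeout bounds the Kubernetes Job; trivy.timeout (below) bounds the
  # trivy process inside it. With both at 10m the Job can be reaped at the same
  # moment trivy gives up, leaving no report at all. If scans time out, raise
  # scanJobTimeout so it exceeds trivy.timeout plus image-pull/DB-download time.
  scanJobTimeout: 10m
  scanJobsConcurrentLimit: 2  # reduced from 3 to save cluster resources
  scannerReportTTL: "24h"

  # Scanner enablement
  vulnerabilityScannerEnabled: true
  sbomGenerationEnabled: true
  configAuditScannerEnabled: true
  rbacAssessmentScannerEnabled: true
  infraAssessmentScannerEnabled: true
  clusterComplianceEnabled: true
  exposedSecretScannerEnabled: true

  # Metrics
  metricsFindingsEnabled: true
  # One time series per CVE ID would grow cardinality with every image; keep off.
  metricsVulnIdEnabled: false

# Operator pod resources.
# In the upstream chart this is a top-level key (the operator Deployment reads
# `.Values.resources`); it must NOT be nested under operator:, where Helm would
# silently ignore it and the operator would run with no requests or limits.
resources:
  requests:
    cpu: 50m
    memory: 256Mi
  limits:
    memory: 384Mi

# Trivy scanner settings
trivy:
  # Standalone: each scan Job fetches the vulnerability DB itself (simpler than
  # ClientServer, but more registry egress per scan).
  mode: Standalone
  # Severities to report (comma-separated, passed through as one string)
  severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
  # Lower parallelism inside trivy to reduce CPU/memory spikes
  slow: true
  # Timeout of the trivy process itself (see operator.scanJobTimeout)
  timeout: "10m0s"
  # Storage (Longhorn)
  # NOTE(review): in the upstream chart the storageClass* keys appear to back
  # the trivy-server StatefulSet, which is only rendered in ClientServer mode,
  # so in Standalone mode they are likely inert. Keep them only if a switch to
  # ClientServer is planned - confirm against the chart templates.
  storageClassEnabled: true
  storageClassName: "longhorn"
  storageSize: "2Gi"
  # Resources for each scan Job container
  resources:
    requests:
      cpu: 50m
      memory: 256Mi
    limits:
      memory: 384Mi

# Scan Job settings
trivyOperator:
  scanJobCompressLogs: true
  reportRecordFailedChecksOnly: true
  # Scan Job container security context: no privilege escalation, no
  # capabilities, read-only root FS. Scan Jobs unpack arbitrary image layers,
  # so keep this tight.
  # NOTE(review): consider adding `seccompProfile: {type: RuntimeDefault}`, and
  # `runAsNonRoot: true` once it is confirmed the pinned trivy image runs as a
  # non-root UID (otherwise the container fails to start).
  scanJobPodTemplateContainerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    privileged: false
    readOnlyRootFilesystem: true

# ServiceMonitor (Prometheus Operator integration)
serviceMonitor:
  enabled: true
  # Created in the Prometheus namespace; the `release` label below must match
  # the Prometheus CR's serviceMonitorSelector or nothing is scraped.
  namespace: prometheus
  interval: 60s
  labels:
    release: prometheus
  # Target-supplied labels win over Prometheus-assigned labels on conflict
  honorLabels: true

# Metrics service
service:
  headless: true
  metricsPort: 80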