From 879e4fca12b53010e3b6a22fcb9c6e2b8eefad96 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9lian=20Saint-Bonnet?=
Date: Tue, 9 Dec 2025 23:15:31 +0000
Subject: [PATCH] feat(helm): add sslCertDir parameter (#9697)
---
 helm/trivy/README.md | 1 +
 helm/trivy/templates/configmap.yaml | 3 +++
 helm/trivy/templates/statefulset.yaml | 10 ++++++++++
 helm/trivy/values.yaml | 2 ++
 4 files changed, 16 insertions(+)
diff --git a/helm/trivy/README.md b/helm/trivy/README.md
index 348f56bb6a..92f96a8dae 100644
--- a/helm/trivy/README.md
+++ b/helm/trivy/README.md
@@ -78,6 +78,7 @@ The following table lists the configurable parameters of the Trivy chart and the
 | `trivy.existingSecret` | existingSecret if an existing secret has been created outside the chart. Overrides gitHubToken, registryUsername, registryPassword, serverToken | `` |
 | `trivy.podAnnotations` | Annotations for pods created by statefulset | `{}` |
 | `trivy.extraEnvVars` | extraEnvVars to be set on the container | `{}` |
+| `trivy.sslCertDir` | Can be used to override the system default locations for SSL certificate files directory, example: `/ssl/certs` | `` |
 | `service.name` | If specified, the name used for the Trivy service | |
 | `service.type` | Kubernetes service type | `ClusterIP` |
 | `service.port` | Kubernetes service port | `4954` |
diff --git a/helm/trivy/templates/configmap.yaml b/helm/trivy/templates/configmap.yaml
index a4629144b0..75dfb35d04 100644
--- a/helm/trivy/templates/configmap.yaml
+++ b/helm/trivy/templates/configmap.yaml
@@ -27,3 +27,6 @@ data:
 {{- with .Values.trivy.extraEnvVars }}
 {{- . | toYaml | nindent 2 }}
 {{- end }}
+{{- if .Values.trivy.sslCertDir }}
+ SSL_CERT_DIR: {{ .Values.trivy.sslCertDir | quote }}
+{{- end }}
diff --git a/helm/trivy/templates/statefulset.yaml b/helm/trivy/templates/statefulset.yaml
index 32c64e810c..7d7211c399 100644
--- a/helm/trivy/templates/statefulset.yaml
+++ b/helm/trivy/templates/statefulset.yaml
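Review bot: `SSL_CERT_DIR` is appended to `data:` after the `trivy.extraEnvVars` block, so a release that already sets `SSL_CERT_DIR` through `extraEnvVars` would render that key twice in the ConfigMap. How a duplicate mapping key is resolved depends on the YAML parser, which leaves it unclear which trust directory the scanner ends up using. Guarding the block makes the precedence explicit, for example `{{- if and .Values.trivy.sslCertDir (not (hasKey (.Values.trivy.extraEnvVars | default dict) "SSL_CERT_DIR")) }}`, or the values comment should state which of the two settings wins. The `data:` mapping starts outside this hunk, so keys emitted earlier in it are not visible here.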
@@ -125,6 +125,11 @@ spec:
 - mountPath: /home/scanner/.cache
 name: data
 readOnly: false
+ {{- with .Values.trivy.sslCertDir }}
+ - mountPath: {{ . }}
+ name: ssl-cert-dir
+ readOnly: true
+ {{- end }}
 {{- if .Values.resources }}
 resources:
 {{ toYaml .Values.resources | indent 12 }}
@@ -136,3 +141,8 @@ spec:
 - name: data
 emptyDir: {}
 {{- end }}
+ {{- with .Values.trivy.sslCertDir }}
+ - name: ssl-cert-dir
+ hostPath:
+ path: {{ . }}
+ {{- end }}
diff --git a/helm/trivy/values.yaml b/helm/trivy/values.yaml
index 5d8aff36d5..1046cc9cbd 100644
--- a/helm/trivy/values.yaml
+++ b/helm/trivy/values.yaml
@@ -128,6 +128,8 @@ trivy:
 existingSecret: ""
 # extraEnvVars to be set on the container
 extraEnvVars: {}
+ # sslCertDir can be used to override the system default locations for SSL certificate files directory, example: /ssl/certs
+ sslCertDir: ""
 service:
 # If specified, the name used for the Trivy service.
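Review bot: `- mountPath: {{ . }}` renders the value unquoted, while the ConfigMap template in this patch pipes the same value through `quote`; a value containing YAML-significant characters would change the structure of the rendered manifest here. `path: {{ . }}` in the second hunk of this file has the same gap, so use `- mountPath: {{ . | quote }}` and `path: {{ . | quote }}`. Separately, the one value serves as `SSL_CERT_DIR`, as the container mount path and as the host path; `SSL_CERT_DIR` conventionally accepts a colon-separated list of directories, which would not be a valid mount path, so the values comment should say that a single absolute directory is expected. The `volumeMounts` list begins outside the hunk.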
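Review bot: The `ssl-cert-dir` volume is a `hostPath` whose path comes straight from a chart value and has no `type`, so the scanner's trusted CA directory is whatever the node holds at that path and no existence check is made before mounting. Anyone able to write to that directory on the node decides which certificate authorities Trivy trusts for its registry and database connections, and `hostPath` volumes are rejected under the Baseline Pod Security Standard, so enabling the option can block the pod in namespaces that enforce it. At minimum add `type: Directory` under `hostPath:` so a missing directory fails the pod rather than yielding an empty trust directory; a ConfigMap- or Secret-backed volume as an alternative source would avoid the node dependency altogether. The `volumes` list begins outside the hunk.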
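Review bot: The comment on `sslCertDir` describes only the environment override and does not say that setting it also mounts the same path from the node into the container as a read-only `hostPath` volume, which is what the statefulset.yaml change in this patch does. An operator reading values.yaml or the README row with the same wording would not expect a node filesystem mount from this description. Suggested comment: `# sslCertDir sets SSL_CERT_DIR and mounts this directory from the node (hostPath, read-only) at the same path in the container, example: /ssl/certs`.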