
How scanning works

Artifact Hub runs Trivy daily on container images declared in the Helm chart (artifacthub.io/images in Chart.yaml). The dashboard below groups findings by image tier so you can assess platform vs worker exposure before deploying ephemeral flows.

  • Platform — operator and console plugin (always running).
  • Ephemeral workers — tiered Camel images selected by route components; only the matching worker runs per flow.
  • Testing: camel-test-runner for CAMEL_TEST IntegrationFlows.

Artifact Hub scans up to 15 images per chart version. This project lists 11 Quay images under the release tag. After a new Helm release, allow up to ~1 hour for Artifact Hub to index and generate the first report.

Secrets Management

Credentials for Git push, Tekton builds, and ephemeral workers never belong in Git or Helm values in production. The platform supports three patterns — pick one per environment.

1. Kubernetes Secret (dev / per-flow)

Create Secrets in the flow namespace and reference them from the IntegrationFlow CR. Properties use ${ENV_VAR} placeholders; the operator injects Secrets as env vars or volume mounts.

oc create secret generic openai-credentials -n openshift-integration \
  --from-literal=OPENAI_API_KEY=sk-proj-REPLACE_ME

# In IntegrationFlow CR
spec:
  secrets:
    - name: openai-credentials
      envFrom: true
  ephemeral:
    properties:
      quarkus.langchain4j.openai.api-key: "${OPENAI_API_KEY}"

GitOps operator credentials (dev only): --set gitea.password=... creates integration-git-basic-auth.
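
A pre-merge check for the ${ENV_VAR} placeholder convention above, as an added example that is not part of the platform's own code. It assumes the CR layout shown on this page (spec.secrets, spec.ephemeral.properties), a manifest already parsed into a dict, a hypothetical list of credential-like key names, and that placeholders are supplied by a spec.secrets entry with envFrom: true.

```python
import re

# Property-name fragments treated as credential-bearing (assumed list, extend as needed).
SENSITIVE = re.compile(r"(api[-_.]?key|password|passwd|secret|token)", re.I)
# A value that is exactly one ${ENV_VAR} placeholder, the form used on this page.
PLACEHOLDER = re.compile(r"^\$\{([A-Za-z_][A-Za-z0-9_]*)\}$")


def lint_flow(flow):
    """Return findings for one IntegrationFlow manifest (already parsed to a dict)."""
    spec = flow.get("spec", {})
    props = spec.get("ephemeral", {}).get("properties", {})
    secrets = spec.get("secrets", [])
    findings = []
    uses_placeholder = False
    for key, value in props.items():
        is_placeholder = PLACEHOLDER.match(str(value)) is not None
        uses_placeholder = uses_placeholder or is_placeholder
        if SENSITIVE.search(key) and not is_placeholder:
            # Report the key only; never echo the value into CI logs.
            findings.append(f"{key}: literal value, expected a ${{ENV_VAR}} placeholder")
    # Assumption: placeholders are resolved from Secrets injected with envFrom: true.
    if uses_placeholder and not any(s.get("envFrom") for s in secrets):
        findings.append("placeholders used but no spec.secrets entry has envFrom: true")
    return findings


# Constructed sample manifests, shaped like the CR fragment on this page.
GOOD = {"spec": {
    "secrets": [{"name": "openai-credentials", "envFrom": True}],
    "ephemeral": {"properties": {
        "quarkus.langchain4j.openai.api-key": "${OPENAI_API_KEY}"}}}}
BAD = {"spec": {
    "secrets": [],
    "ephemeral": {"properties": {
        "quarkus.langchain4j.openai.api-key": "sk-proj-REPLACE_ME",
        "quarkus.http.port": "8080"}}}}
ORPHAN = {"spec": {"ephemeral": {"properties": {
    "quarkus.langchain4j.openai.api-key": "${OPENAI_API_KEY}"}}}}

if __name__ == "__main__":
    for name, flow in (("good", GOOD), ("bad", BAD), ("orphan", ORPHAN)):
        print(name, lint_flow(flow) or "ok")
```

In CI, load each manifest with a YAML parser and fail the job when lint_flow returns any finding.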

2. External Secrets Operator + Vault

Recommended for production GitOps. ESO syncs Vault (or AWS Secrets Manager / Azure Key Vault) into Kubernetes Secrets on a refresh interval. The Helm chart renders ExternalSecret integration-git-basic-auth when secrets.provider: external-secrets.

secrets:
  provider: external-secrets
  externalSecrets:
    enabled: true
    secretStoreRef: cluster-secret-store
    refreshInterval: 1h

Vault paths: integration-platform/git, optional GitHub/GitLab tokens. Full setup: Operations — Vault & ESO and Quick Start Track B.2a.

For ephemeral SaaS integrations (Slack, Stripe, etc.), create namespace-scoped ExternalSecret resources that target the same Secret names referenced in spec.secrets.

3. Camel Vault components (runtime fetch)

Routes can read secrets at runtime without mounting them as env vars — useful for rotation handled by the vault backend:

  • hashicorp-vault: — HashiCorp Vault KV secrets (VAULT_ADDR, VAULT_TOKEN)
  • aws-secrets-manager: — AWS Secrets Manager
  • azure-key-vault: — Azure Key Vault

- to:
    uri: "hashicorp-vault:secret/data/my-app/credentials"
    parameters:
      operation: getSecret

The ComponentPropertiesRegistry auto-injects base URL properties when these components are detected. Prefer ESO for static credentials needed at Quarkus startup; use Camel vault components for secrets fetched inside the route.