mirror of https://github.com/artifacthub/hub.git
Fix issue with registry credentials in scanner (#875)
Signed-off-by: Sergio Castaño Arteaga <tegioz@icloud.com>
This commit is contained in:
Sergio C. Arteaga
GitHub
parent
994e89b2c9
commit
ae79ab9240
|
|
@ -2,7 +2,7 @@ apiVersion: v2
|
|||
name: artifact-hub
|
||||
description: Artifact Hub is a web-based application that enables finding, installing, and publishing Kubernetes packages.
|
||||
type: application
|
||||
version: 0.10.0
|
||||
version: 0.10.1
|
||||
appVersion: 0.10.0
|
||||
home: https://artifacthub.io
|
||||
icon: https://artifacthub.github.io/hub/chart/logo.png
|
||||
|
|
|
|||
|
|
@ -17,3 +17,5 @@ stringData:
|
|||
scanner:
|
||||
concurrency: {{ .Values.scanner.concurrency }}
|
||||
trivyURL: {{ .Values.scanner.trivyURL }}
|
||||
dockerUsername: {{ .Values.scanner.dockerUsername }}
|
||||
dockerPassword: {{ .Values.scanner.dockerPassword }}
|
||||
|
|
|
|||
|
|
@ -23,21 +23,6 @@ spec:
|
|||
- name: trivy
|
||||
image: {{ .Values.trivy.deploy.image }}
|
||||
command: ['trivy', 'server', '--debug', '--cache-dir', '/trivy', '--listen', '0.0.0.0:8081']
|
||||
{{- if and .Values.trivy.authURL .Values.trivy.username .Values.trivy.password }}
|
||||
env:
|
||||
- name: TRIVY_AUTH_URL
|
||||
value: {{ .Values.trivy.authURL }}
|
||||
- name: TRIVY_USERNAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: trivy
|
||||
key: username
|
||||
- name: TRIVY_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: trivy
|
||||
key: password
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: trivy
|
||||
mountPath: "/trivy"
|
||||
|
|
|
|||
|
|
@ -1,7 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: trivy
|
||||
data:
|
||||
username: {{ .Values.trivy.username | b64enc | quote }}
|
||||
password: {{ .Values.trivy.password | b64enc | quote }}
|
||||
|
|
@ -421,6 +421,16 @@
|
|||
"title": "Trivy server url",
|
||||
"type": "string",
|
||||
"default": "http://trivy:8081"
|
||||
},
|
||||
"dockerUsername": {
|
||||
"title": "Docker registry username",
|
||||
"type": "string",
|
||||
"default": ""
|
||||
},
|
||||
"dockerPassword": {
|
||||
"title": "Docker registry password",
|
||||
"type": "string",
|
||||
"default": ""
|
||||
}
|
||||
},
|
||||
"required": ["concurrency", "cronjob", "trivyURL"]
|
||||
|
|
@ -505,11 +515,6 @@
|
|||
"title": "Trivy configuration",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"authURL": {
|
||||
"title": "Trivy authentication URL",
|
||||
"type": "string",
|
||||
"default": ""
|
||||
},
|
||||
"deploy": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
|
|
@ -526,11 +531,6 @@
|
|||
},
|
||||
"required": ["image", "resources"]
|
||||
},
|
||||
"password": {
|
||||
"title": "Trivy authentication password",
|
||||
"type": "string",
|
||||
"default": ""
|
||||
},
|
||||
"persistence": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
|
|
@ -551,11 +551,6 @@
|
|||
}
|
||||
},
|
||||
"required": ["enabled"]
|
||||
},
|
||||
"username": {
|
||||
"title": "Trivy authentication username",
|
||||
"type": "string",
|
||||
"default": ""
|
||||
}
|
||||
},
|
||||
"required": ["deploy", "persistence"]
|
||||
|
|
|
|||
|
|
@ -82,6 +82,8 @@ scanner:
|
|||
resources: {}
|
||||
concurrency: 10
|
||||
trivyURL: http://trivy:8081
|
||||
dockerUsername: ""
|
||||
dockerPassword: ""
|
||||
|
||||
tracker:
|
||||
cronjob:
|
||||
|
|
@ -103,9 +105,6 @@ trivy:
|
|||
persistence:
|
||||
enabled: false
|
||||
size: 10Gi
|
||||
authURL: ""
|
||||
username: ""
|
||||
password: ""
|
||||
|
||||
# Values for postgresql chart dependency
|
||||
postgresql:
|
||||
|
|
|
|||
|
|
@ -56,6 +56,7 @@ func main() {
|
|||
}
|
||||
trivyScanner := &scanner.TrivyScanner{
|
||||
Ctx: ctx,
|
||||
Cfg: cfg,
|
||||
URL: trivyURL,
|
||||
}
|
||||
snapshots, err := pm.GetSnapshotsToScan(ctx)
|
||||
|
|
|
|||
|
|
@ -10,3 +10,5 @@ db:
|
|||
scanner:
|
||||
concurrency: 10
|
||||
trivyURL: http://trivy:8081
|
||||
dockerUsername: ""
|
||||
dockerPassword: ""
|
||||
|
|
|
|||
|
|
@ -7,6 +7,9 @@ import (
|
|||
"fmt"
|
||||
"os/exec"
|
||||
"strings"
|
||||
|
||||
"github.com/google/go-containerregistry/pkg/name"
|
||||
"github.com/spf13/viper"
|
||||
)
|
||||
|
||||
// ErrImageNotFound represents that the image provided was not found in the
|
||||
|
|
@ -16,15 +19,33 @@ var ErrImageNotFound = errors.New("image not found")
|
|||
// TrivyScanner is an implementation of the Scanner interface that uses Trivy.
|
||||
type TrivyScanner struct {
|
||||
Ctx context.Context
|
||||
Cfg *viper.Viper
|
||||
URL string
|
||||
}
|
||||
|
||||
// Scan implements the Scanner interface.
|
||||
func (s *TrivyScanner) Scan(image string) ([]byte, error) {
|
||||
// Setup trivy command
|
||||
cmd := exec.CommandContext(s.Ctx, "trivy", "client", "--quiet", "--remote", s.URL, "-f", "json", image) // #nosec
|
||||
var stdout, stderr bytes.Buffer
|
||||
cmd.Stdout = &stdout
|
||||
cmd.Stderr = &stderr
|
||||
|
||||
// If the registry is the Docker Hub, include credentials to avoid rate
|
||||
// limiting issues. Empty registry names will also match this check as the
|
||||
// registry name will be set to index.docker.io when parsing the reference.
|
||||
ref, err := name.ParseReference(image)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error parsing image %s ref: %w", image, err)
|
||||
}
|
||||
if strings.HasSuffix(ref.Context().Registry.Name(), "docker.io") {
|
||||
cmd.Env = []string{
|
||||
fmt.Sprintf("TRIVY_USERNAME=%s", s.Cfg.GetString("scanner.dockerUsername")),
|
||||
fmt.Sprintf("TRIVY_PASSWORD=%s", s.Cfg.GetString("scanner.dockerPassword")),
|
||||
}
|
||||
}
|
||||
|
||||
// Run trivy command
|
||||
if err := cmd.Run(); err != nil {
|
||||
if strings.Contains(stderr.String(), "Cannot connect to the Docker daemon") {
|
||||
return nil, ErrImageNotFound
|
||||
|
|
|
|||
Loading…
Reference in New Issue