artifacthub
/
hub
mirror of https://github.com/artifacthub/hub.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix issue with registry credentials in scanner (#875) 

Signed-off-by: Sergio Castaño Arteaga <tegioz@icloud.com>
This commit is contained in:
Sergio C. Arteaga 2020-11-19 18:44:38 +01:00 committed by GitHub
parent 994e89b2c9
commit ae79ab9240
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 39 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
charts/artifact-hub/Chart.yaml
View File

@ -2,7 +2,7 @@ apiVersion: v2
name: artifact-hub name: artifact-hub
description: Artifact Hub is a web-based application that enables finding, installing, and publishing Kubernetes packages. description: Artifact Hub is a web-based application that enables finding, installing, and publishing Kubernetes packages.
type: application type: application
version: 0.10.0 version: 0.10.1
appVersion: 0.10.0 appVersion: 0.10.0
home: https://artifacthub.io home: https://artifacthub.io
icon: https://artifacthub.github.io/hub/chart/logo.png icon: https://artifacthub.github.io/hub/chart/logo.png

2
charts/artifact-hub/templates/scanner_secret.yaml
View File

@ -17,3 +17,5 @@ stringData:
scanner: scanner:
concurrency: {{ .Values.scanner.concurrency }} concurrency: {{ .Values.scanner.concurrency }}
trivyURL: {{ .Values.scanner.trivyURL }} trivyURL: {{ .Values.scanner.trivyURL }}
dockerUsername: {{ .Values.scanner.dockerUsername }}
dockerPassword: {{ .Values.scanner.dockerPassword }}

15
charts/artifact-hub/templates/trivy_deployment.yaml
View File

@ -23,21 +23,6 @@ spec:
- name: trivy - name: trivy
image: {{ .Values.trivy.deploy.image }} image: {{ .Values.trivy.deploy.image }}
command: ['trivy', 'server', '--debug', '--cache-dir', '/trivy', '--listen', '0.0.0.0:8081'] command: ['trivy', 'server', '--debug', '--cache-dir', '/trivy', '--listen', '0.0.0.0:8081']
{{- if and .Values.trivy.authURL .Values.trivy.username .Values.trivy.password }}
env:
- name: TRIVY_AUTH_URL
value: {{ .Values.trivy.authURL }}
- name: TRIVY_USERNAME
valueFrom:
secretKeyRef:
name: trivy
key: username
- name: TRIVY_PASSWORD
valueFrom:
secretKeyRef:
name: trivy
key: password
{{- end }}
volumeMounts: volumeMounts:
- name: trivy - name: trivy
mountPath: "/trivy" mountPath: "/trivy"

7
charts/artifact-hub/templates/trivy_secret.yaml
View File

@ -1,7 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: trivy
data:
username: {{ .Values.trivy.username | b64enc | quote }}
password: {{ .Values.trivy.password | b64enc | quote }}

25
charts/artifact-hub/values.schema.json
View File

@ -421,6 +421,16 @@
"title": "Trivy server url", "title": "Trivy server url",
"type": "string", "type": "string",
"default": "http://trivy:8081" "default": "http://trivy:8081"
},
"dockerUsername": {
"title": "Docker registry username",
"type": "string",
"default": ""
},
"dockerPassword": {
"title": "Docker registry password",
"type": "string",
"default": ""
} }
}, },
"required": ["concurrency", "cronjob", "trivyURL"] "required": ["concurrency", "cronjob", "trivyURL"]
@ -505,11 +515,6 @@
"title": "Trivy configuration", "title": "Trivy configuration",
"type": "object", "type": "object",
"properties": { "properties": {
"authURL": {
"title": "Trivy authentication URL",
"type": "string",
"default": ""
},
"deploy": { "deploy": {
"type": "object", "type": "object",
"properties": { "properties": {
@ -526,11 +531,6 @@
}, },
"required": ["image", "resources"] "required": ["image", "resources"]
}, },
"password": {
"title": "Trivy authentication password",
"type": "string",
"default": ""
},
"persistence": { "persistence": {
"type": "object", "type": "object",
"properties": { "properties": {
@ -551,11 +551,6 @@
} }
}, },
"required": ["enabled"] "required": ["enabled"]
},
"username": {
"title": "Trivy authentication username",
"type": "string",
"default": ""
} }
}, },
"required": ["deploy", "persistence"] "required": ["deploy", "persistence"]

5
charts/artifact-hub/values.yaml
View File

@ -82,6 +82,8 @@ scanner:
resources: {} resources: {}
concurrency: 10 concurrency: 10
trivyURL: http://trivy:8081 trivyURL: http://trivy:8081
dockerUsername: ""
dockerPassword: ""
tracker: tracker:
cronjob: cronjob:
@ -103,9 +105,6 @@ trivy:
persistence: persistence:
enabled: false enabled: false
size: 10Gi size: 10Gi
authURL: ""
username: ""
password: ""
# Values for postgresql chart dependency # Values for postgresql chart dependency
postgresql: postgresql:

1
cmd/scanner/main.go
View File

@ -56,6 +56,7 @@ func main() {
} }
trivyScanner := &scanner.TrivyScanner{ trivyScanner := &scanner.TrivyScanner{
Ctx: ctx, Ctx: ctx,
Cfg: cfg,
URL: trivyURL, URL: trivyURL,
} }
snapshots, err := pm.GetSnapshotsToScan(ctx) snapshots, err := pm.GetSnapshotsToScan(ctx)

2
configs/scanner.yaml
View File

@ -10,3 +10,5 @@ db:
scanner: scanner:
concurrency: 10 concurrency: 10
trivyURL: http://trivy:8081 trivyURL: http://trivy:8081
dockerUsername: ""
dockerPassword: ""

21
internal/scanner/trivy.go
View File

@ -7,6 +7,9 @@ import (
"fmt" "fmt"
"os/exec" "os/exec"
"strings" "strings"
"github.com/google/go-containerregistry/pkg/name"
"github.com/spf13/viper"
) )
// ErrImageNotFound represents that the image provided was not found in the // ErrImageNotFound represents that the image provided was not found in the
@ -16,15 +19,33 @@ var ErrImageNotFound = errors.New("image not found")
// TrivyScanner is an implementation of the Scanner interface that uses Trivy. // TrivyScanner is an implementation of the Scanner interface that uses Trivy.
type TrivyScanner struct { type TrivyScanner struct {
Ctx context.Context Ctx context.Context
Cfg *viper.Viper
URL string URL string
} }
// Scan implements the Scanner interface. // Scan implements the Scanner interface.
func (s *TrivyScanner) Scan(image string) ([]byte, error) { func (s *TrivyScanner) Scan(image string) ([]byte, error) {
// Setup trivy command
cmd := exec.CommandContext(s.Ctx, "trivy", "client", "--quiet", "--remote", s.URL, "-f", "json", image) // #nosec cmd := exec.CommandContext(s.Ctx, "trivy", "client", "--quiet", "--remote", s.URL, "-f", "json", image) // #nosec
var stdout, stderr bytes.Buffer var stdout, stderr bytes.Buffer
cmd.Stdout = &stdout cmd.Stdout = &stdout
cmd.Stderr = &stderr cmd.Stderr = &stderr
// If the registry is the Docker Hub, include credentials to avoid rate
// limiting issues. Empty registry names will also match this check as the
// registry name will be set to index.docker.io when parsing the reference.
ref, err := name.ParseReference(image)
if err != nil {
return nil, fmt.Errorf("error parsing image %s ref: %w", image, err)
}
if strings.HasSuffix(ref.Context().Registry.Name(), "docker.io") {
cmd.Env = []string{
fmt.Sprintf("TRIVY_USERNAME=%s", s.Cfg.GetString("scanner.dockerUsername")),
fmt.Sprintf("TRIVY_PASSWORD=%s", s.Cfg.GetString("scanner.dockerPassword")),
}
}
// Run trivy command
if err := cmd.Run(); err != nil { if err := cmd.Run(); err != nil {
if strings.Contains(stderr.String(), "Cannot connect to the Docker daemon") { if strings.Contains(stderr.String(), "Cannot connect to the Docker daemon") {
return nil, ErrImageNotFound return nil, ErrImageNotFound