clair-jwt's Introduction

clair-jwt

This repository houses a Dockerfile for building the official clair-jwt container image.

This image executes clair behind jwtproxy, which is how secure Quay Enterprise installations are configured. cfssl is used to generate the internal certificates used with jwtproxy.

For more information, see the documentation for setting up Clair with Quay.

Building the image

By providing the build-arg GIT_TAG, you can specify what branch/tag of Clair you wish to build.

alpine:

make alpine GIT_TAG=v2.0.9

It produces quay.io/coreos/clair-jwt:v2.0.9-alpine

CentOS:

make centos7-build-env centos7 GIT_TAG=v2.0.9

It produces quay.io/coreos/clair-jwt:v2.0.9-centos7

For the RHEL image a subscription key is needed; refer to the Registration Assistant to obtain it.

The RHEL Dockerfile is temporary, and the subscription key may end up in a layer blob of the resulting image; therefore DO NOT expose the built image to the outside world.

rhel:

make centos7-build-env rhel7 GIT_TAG=v2.0.9 SUBSCRIPTION_KEY=<your key name>.pem

It produces quay.io/coreos/clair-jwt:v2.0.9-rhel7

The command make centos7-build-env produces the build environment used for the CentOS- and RHEL-based images, tagged as quay.io/coreos/clair-jwt:<version>-centos7-build-env.
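Because the RHEL build may leave the subscription key in a layer blob, it is worth checking the image before it is pushed anywhere. The following is an added example, not part of the clair-jwt repository: it scans a `docker save` archive, probing every member as a nested tar so both layer layouts Docker has used (`<id>/layer.tar` and `blobs/sha256/<digest>`) are covered, and flags files by path (entitlement directories, `.pem`, `.jwk`) or by PEM private-key armour in their content. The path patterns and the two-layer sample archive are constructed for this example; the key text in the sample is a dummy.

```python
"""Added example (not part of clair-jwt): scan a `docker save` archive for leaked
subscription keys or private keys before the image leaves the build host.

Usage:  docker save quay.io/coreos/clair-jwt:v2.0.9-rhel7 | python3 scan_image.py
"""
import io
import re
import sys
import tarfile

# Paths that commonly hold RHEL entitlement material or private keys.
# Assumption: this pattern list is illustrative; extend it for your own layout.
SENSITIVE_PATHS = [
    re.compile(r"\.pem$"),
    re.compile(r"^etc/pki/entitlement/"),
    re.compile(r"^etc/pki/consumer/"),
    re.compile(r"\.jwk$"),
]
# PEM armour at the start of any private key, whatever the file is called.
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def _nested_layers(image_tar):
    """Yield (member name, TarFile) for every member that is itself a tar.

    manifest.json and the JSON config blobs fail to parse as tar and are skipped,
    so no knowledge of the archive layout is needed.
    """
    for member in image_tar.getmembers():
        if not member.isfile():
            continue
        data = image_tar.extractfile(member).read()
        try:
            layer = tarfile.open(fileobj=io.BytesIO(data))
        except tarfile.ReadError:
            continue
        yield member.name, layer


def find_secrets(archive_bytes):
    """Return [(layer, path, reason)] for every file that looks like key material."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes)) as image_tar:
        for layer_name, layer in _nested_layers(image_tar):
            for entry in layer.getmembers():
                if not entry.isfile():
                    continue
                path = entry.name.lstrip("./")
                if any(p.search(path) for p in SENSITIVE_PATHS):
                    findings.append((layer_name, path, "path"))
                    continue
                head = layer.extractfile(entry).read(4096)
                if PEM_PRIVATE_KEY.search(head):
                    findings.append((layer_name, path, "content"))
    return findings


def _tar_bytes(files):
    """Build an uncompressed tar from {path: bytes} in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_archive():
    """Constructed two-layer image: layer aaa is clean, layer bbb leaked a key.
    The key text below is a dummy, not real key material."""
    dummy_key = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                 b"dummy-not-a-real-key\n"
                 b"-----END RSA PRIVATE KEY-----\n")
    clean = _tar_bytes({
        "usr/bin/clair": b"\x7fELF-placeholder",
        "etc/os-release": b'NAME="CentOS Linux"\n',
    })
    leaked = _tar_bytes({
        "etc/pki/entitlement/1234567890.pem": dummy_key,  # caught by path
        "tmp/build/key-copy.txt": dummy_key,              # caught by content
    })
    return _tar_bytes({
        "manifest.json": b"[]",
        "aaa/layer.tar": clean,
        "bbb/layer.tar": leaked,
    })


if __name__ == "__main__":
    archive = sys.stdin.buffer.read() if len(sys.argv) < 2 else open(sys.argv[1], "rb").read()
    hits = find_secrets(archive)
    for layer, path, reason in hits:
        print(f"{layer}: {path} (matched by {reason})")
    sys.exit(1 if hits else 0)
```

The exit status makes the check usable as a gate in the Makefile or CI: a non-zero result means the image must not be pushed. Deleting the key in a later Dockerfile step is not enough, since the earlier layer still carries it; that is exactly the case the content match on `tmp/build/key-copy.txt` in the sample illustrates.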

clair-jwt's People

Contributors

bison, ecordell, ericchiang, hdonnay, ibazulic, jzelinskie, keyboardnerd, lukeb2e, quentin-m, samm-git


clair-jwt's Issues

Clair Integration with Quay Fails with 403 During Key Creation on OCP

Hey Guys,

We're trying to integrate Clair as the secure_scanner for Quay, but getting 403 errors during the auto-generated private key creation. We're following the Red Hat doc but running the containers as pods on OCP rather than directly on the Docker host: https://access.redhat.com/documentation/en-us/red_hat_quay/2.9/html-single/manage_red_hat_quay/index#quay-security-scanner

We're running both containers within the same project on OCP. This is with the "Security Scanner" config from the Super User settings panel, which shows "Waiting for service to connect" during auto-generated private key creation:

Please start the security_scanner service now, configured for autogenerated private key. The key approval process will continue automatically once the service connects to Quay.
Waiting for service to connect

Here's the debug output:

2019-05-08 16:48:25,073 INFO spawned: 'jwtproxy' with pid 252
time="2019-05-08T16:48:25Z" level=debug msg="Initializing in-memory key cache." 
time="2019-05-08T16:48:25Z" level=debug msg="Unable to load private key: open /home/security_scanner.jwk: no such file or directory" 
time="2019-05-08T16:48:25Z" level=debug msg="Boostrapping publication with a new key" 
time="2019-05-08T16:48:25Z" level=info msg="No claims verifiers specified, upstream should be configured to verify authorization" 
time="2019-05-08T16:48:25Z" level=info msg="Starting reverse proxy (Listening on ':6060')" 
time="2019-05-08T16:48:25Z" level=debug msg="Adding rotation policy: 12h0m0s" 
time="2019-05-08T16:48:25Z" level=debug msg="Adding expiration time: 2019-05-09 16:48:25.543279389 +0000 UTC m=+86400.463104704" 
time="2019-05-08T16:48:25Z" level=debug msg="Adding rotation time: 12h0m0s" 
time="2019-05-08T16:48:25Z" level=info msg="Starting forward proxy (Listening on ':6063')" 
time="2019-05-08T16:48:25Z" level=fatal msg="Error publishing key" activeKey=<nil> error="Unexpected response code when publishing key: 403 " pendingKey=EcKD5-6Hhh 
2019-05-08 16:48:25,557 INFO exited: jwtproxy (exit status 1; not expected)
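When jwtproxy fails like this, the useful facts (the fatal record and the HTTP status Quay returned) are buried in mixed supervisord and logfmt output. The following is an added example, written here and not taken from the issue author or the clair-jwt project: it parses the logfmt records, surfaces error/fatal entries, and extracts the response code from the key-publication error so it can be alerted on. The sample lines are copied from the debug output quoted in the issue above; the quoting rule matters because one `msg` value contains an embedded `m=+86400...` that must not be split into its own field.

```python
"""Added example (not from the issue author or the clair-jwt project): pick the
fatal record out of mixed supervisord/jwtproxy output and surface the HTTP status
that Quay returned when jwtproxy tried to publish its key."""
import re
import sys

# logfmt key=value pairs: the value is either double-quoted (allowing \" escapes)
# or a bare run of non-whitespace. Quoted values are consumed whole, so a
# "m=+86400..." inside a quoted msg is not mistaken for a separate pair.
LOGFMT_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
HTTP_STATUS = re.compile(r"\b([1-5]\d{2})\b")


def parse_logfmt(line):
    """Return {key: value} for a logfmt line; non-logfmt lines give {}."""
    fields = {}
    for key, raw in LOGFMT_PAIR.findall(line):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def triage(lines):
    """Collect error/fatal records and the status code from a key-publication error."""
    problems = []
    publish_status = None
    for line in lines:
        rec = parse_logfmt(line)
        if rec.get("level") not in ("error", "fatal"):
            continue
        problems.append((rec["level"], rec.get("msg", ""), rec.get("error", "")))
        if rec.get("msg") == "Error publishing key":
            match = HTTP_STATUS.search(rec.get("error", ""))
            if match:
                publish_status = int(match.group(1))
    return {"problems": problems, "publish_status": publish_status}


# Generic HTTP meaning of the code; the fix on the Quay side depends on the deployment.
STATUS_MEANING = {
    401: "unauthorized: Quay did not accept the request's credentials",
    403: "forbidden: Quay understood the request but refused to accept the key",
    404: "not found: the publication URL does not exist on the Quay side",
}


def explain(status):
    return STATUS_MEANING.get(status, f"HTTP {status}: see Quay's own logs for the reason")


# Sample input: lines copied from the debug output quoted in the issue above.
SAMPLE_LOG = """\
2019-05-08 16:48:25,073 INFO spawned: 'jwtproxy' with pid 252
time="2019-05-08T16:48:25Z" level=debug msg="Initializing in-memory key cache."
time="2019-05-08T16:48:25Z" level=debug msg="Unable to load private key: open /home/security_scanner.jwk: no such file or directory"
time="2019-05-08T16:48:25Z" level=info msg="Starting reverse proxy (Listening on ':6060')"
time="2019-05-08T16:48:25Z" level=debug msg="Adding expiration time: 2019-05-09 16:48:25.543279389 +0000 UTC m=+86400.463104704"
time="2019-05-08T16:48:25Z" level=fatal msg="Error publishing key" activeKey=<nil> error="Unexpected response code when publishing key: 403 " pendingKey=EcKD5-6Hhh
2019-05-08 16:48:25,557 INFO exited: jwtproxy (exit status 1; not expected)
"""


if __name__ == "__main__":
    source = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    result = triage(source)
    for level, msg, err in result["problems"]:
        print(f"{level}: {msg} ({err.strip()})")
    if result["publish_status"] is not None:
        print("key publication status:", result["publish_status"], "->", explain(result["publish_status"]))
```

Run it with the pod's log piped in (`oc logs <pod> | python3 triage_jwtproxy.py`); with no input it triages the sample above and reports the 403. The "No claims verifiers specified" line in the same output is informational and is deliberately not treated as a problem.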

Creation of build env fails

Currently, creation of build environments fails due to cfssl requiring Go version 1.12+ and not 1.11.5, which is currently being used:

Step 15/24 : RUN go get -u github.com/cloudflare/cfssl/cmd/cfssl
 ---> Running in 8aab323e28fb
# github.com/cloudflare/cfssl/vendor/github.com/zmap/zlint/lints
go/src/github.com/cloudflare/cfssl/vendor/github.com/zmap/zlint/lints/result.go:75:9: undefined: strings.ReplaceAll

CFSSL readme file: https://github.com/cloudflare/cfssl
Related issue: cloudflare/cfssl#1028

Update Vulnerabilities: Error 404 downloading RHEL3.xml on "quay.io/redhat/clair-jwt:v3.2.1"

If the Clair Scanner started and ran the update script a little bit later, an error was displayed.

{"Event":"an error occured when fetching update","Level":"error","Location":"updater.go:246","Time":"2020-04-20 13:24:25.204396","error":"received 404 code downloading https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL3.xml","updater name":"rhel"}

FYI: The file does not exist on the page: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL3.xml. What can I do?
