target / portauthority Goto Github PK

We use a private Gitlab Docker registry which uses a JWT authentication service to issue auth tokens for the registry API. Instead of authenticating with a username and password for the registry crawler, is it possible to support the use of an authentication token?

For example we use https://gitlab.xxx/jwt/auth?service=container_registry&scope=repository:xxx/xxx:pull which gives us the token we need to authenticate with the registry.

Is it possible to either just use that token directly or to make an auth request to our JWT service?

This repository will be archived in 30 days in accordance with Target's internal retention policy.

Archived projects become read-only and will remain accessible to the public.
If you have questions or concerns, reach out here or internally to the OSPO team.

The token retrieved via docker.AuthRegistry isn't threaded into the call to docker.GetRegistry:

https://github.com/target/portauthority/blob/master/api/v1/routes.go#L388-L405

I hacked a fix that I'll try to polish up tomorrow; making an issue in case anyone runs into this problem in the meantime. Also useful to know that the way to make the request is as follows:

$ curl -XPOST -H 'content-type: application/json' localhost:31700/v1/images -d <<<EOF
{"Image":{
  "Registry":"https://gcr.io",
  "Repo":"<project-id>/<image-name>",
  "Tag":"<image-tag>",
  "RegistryPassword":"$(cat credentials.json | jq tostring)"
}} 
EOF

First off, this project is awesome, I really look forward to giving it a try, and seeing it grow.

However, I noticed some of the code in this project uses code from github.com/coreos/clair, this is awesome! That being said, it would be great if you could include the original copyright since you're re-using some of the code. If you've made changes, to the original file you can definitely add your copyright after the original. Additionally, the original project contains a NOTICE file (https://github.com/coreos/clair/blob/master/NOTICE) which you must include as well.

I noticed when looking at c12f84e#diff-604f4192deea5adf9c159e5f88f64630R1 and comparing it to https://github.com/coreos/clair/blob/release-2.0/api/api.go

Thanks!

The deployment image used in the minikube deployment is unpublished. I manually edited it to target/portauthority:dockerbuilder, but I doubt that that tag is meant to be consumed.

A policy with AllowedRiskSeverity as a list fails to create:

$ curl -XPOST -H'content-type: application/json' -d '{"Policy":{"Name":"High","AllowedRiskSeverity":"[\"Negligible\",\"Low\",\"Medium\"]"}}' localhost:31700/v1/policies
{"Error":{"Message":"error upserting policy: pq: malformed array literal: \"{[\"Negligible\",\"Low\",\"Medium\"]}\""}}

The value is treated as a list when listing an image's vulnerabilities:

Maybe there's some marshaling required here: https://github.com/target/portauthority/blob/master/pkg/datastore/pgsql/policy.go#L60 ? My golang isn't too strong. Will try to look more into this tomorrow.

It would be great if PA could store credentials for private registries so we wouldn't have to send them every time we run a scan.

Similar to what K8 Crawler.

It would be perfect if we could use environment variables to pull parts of the configuration, e.g. DB or registry credentials.