Project Quay / PROJQUAY-1106

config-tool UI to handle clair-v4 PSK for auth


Details

    • Task
    • Resolution: Done
    • Critical
    • quay-v3.4.0
    • None
    • config-tool
    • None
    • 0

    Description

      If security scanning is enabled in config-tool, the user must enter a pre-shared key (PSK) string (e.g. "secret"). This value would be saved to quay config.yaml. In addition, the string should be simultaneously displayed in the UI base64-encoded, with a note that the encoded value must be specified in clair's config.yaml. This flow replaced the clair-v2 security_scanner.pem generation.

      diff --git a/local-dev/clair/config.yaml b/local-dev/clair/config.yaml
      index 3e95629..e8d636b 100644
      --- a/local-dev/clair/config.yaml
      +++ b/local-dev/clair/config.yaml
      @@ -3,6 +3,12 @@ log_level: debug-color
       introspection_addr: ""
       http_listen_addr: ":6000"
       updaters: {}
      +auth:
      +  psk:
      +    key: |
      +      c2VjcmV0
      +    iss:
      +      - quay
       indexer:
         connstring: host=clair-db port=5432 user=clair dbname=clair sslmode=disable
         scanlock_retry: 10
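
      Review bot: `key: |` under `auth.psk` is a literal block scalar, so the value read from this file is `c2VjcmV0` followed by a newline; a plain scalar (`key: c2VjcmV0`) removes any dependence on the consumer trimming whitespace before base64-decoding. The value is also just the base64 form of `secret` from local-dev/quay/config.yaml, so a comment marking it as a local-dev-only key that must stay in sync with `SECURITY_SCANNER_V4_PSK` would keep it from being copied into a real deployment.
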
      diff --git a/local-dev/quay/config.yaml b/local-dev/quay/config.yaml
      index a43530e..6ec092a 100644
      --- a/local-dev/quay/config.yaml
      +++ b/local-dev/quay/config.yaml
      @@ -48,6 +48,8 @@ REGISTRY_TITLE: Red Hat Quay
       REGISTRY_TITLE_SHORT: Red Hat Quay
       REPO_MIRROR_SERVER_HOSTNAME: null
       REPO_MIRROR_TLS_VERIFY: true
      +SECURITY_SCANNER_V4_SIGN_JWT: true
      +SECURITY_SCANNER_V4_PSK: secret
       SECURITY_SCANNER_V4_ENDPOINT: http://clair-traefik:6060
       SECURITY_SCANNER_V4_NAMESPACE_WHITELIST:
         - "clairv4-org" 
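
      Review bot: `SECURITY_SCANNER_V4_PSK: secret` commits a guessable key in plaintext with nothing marking it as a development placeholder; add a comment saying it is local-dev only and that its base64 form is what `auth.psk.key` in local-dev/clair/config.yaml has to carry, since nothing in either file ties the two values together. Next to `SECURITY_SCANNER_V4_SIGN_JWT: true` it is also worth a note that `SECURITY_SCANNER_V4_ENDPOINT` is `http://`, so the signed token is not protected in transit outside this local setup.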
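
The relationship between the two values in the description, as an added example that is not Quay, Clair or config-tool code: the registry signs with the raw PSK string, and the scanner verifies with the base64-decoded `auth.psk.key` and the allowed `iss` list. The HS256 algorithm, the claim set and all function names are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json, time

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def clair_key_for(quay_psk: str) -> str:
    """Value for clair's auth.psk.key: base64 of the string stored in quay's config."""
    return base64.b64encode(quay_psk.encode()).decode()

def sign(quay_psk: str, issuer: str = "quay", ttl: int = 300, now=None) -> str:
    """Registry side: JWT keyed with the raw PSK bytes (HS256 is an assumption)."""
    now = int(time.time() if now is None else now)
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url(json.dumps({"iss": issuer, "iat": now, "exp": now + ttl}).encode())
    mac = hmac.new(quay_psk.encode(), f"{header}.{claims}".encode(), hashlib.sha256)
    return f"{header}.{claims}.{b64url(mac.digest())}"

def verify(token: str, clair_key_b64: str, issuers=("quay",), now=None) -> bool:
    """Scanner side: decode the configured key, then check MAC, alg, iss and exp."""
    try:
        # strip() tolerates the trailing newline a YAML block scalar adds
        key = base64.b64decode(clair_key_b64.strip(), validate=True)
        header, claims, sig = token.split(".")
        expected = hmac.new(key, f"{header}.{claims}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return False
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return False
        body = json.loads(b64url_decode(claims))
    except (ValueError, TypeError):
        return False  # malformed token or a key that is not valid base64
    now = time.time() if now is None else now
    return body.get("iss") in issuers and body.get("exp", 0) > now
```

Pasting the raw string into the scanner config, or encoding it twice, both make verification fail, which is the mistake the proposed UI note is meant to prevent.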

       

          People

            jonathankingfc Jonathan King
            tomckay@redhat.com Thomas Mckay