- Bug
- Resolution: Done
- Major
- quay-v3.3.0
Description:
This is an issue found when following the Quay official docs to install Quay 3.2.1 on Openshift. At the step "4.2. Add Clair image scanning to Red Hat Quay" there are some doc issues, see the list:
1. At "5. Modify clair-config.yaml -> private_key_path", the correct path should be "/clair/config/security_scanner.pem", not the full path that the user saved at the previous step.
2. At "6. Create the Clair config secret and service", the clair-config.yaml is missing some key configurations, "clair.notifier.http.endpoint" and "jwtproxy.verifier.registry"; see the highlighted section of the attached file for reference.
ENV:
Quay image: quay.io/quay/quay:3.2.1-1
Steps:
1. Deploy Quay ENV on Openshift following steps at "deploy_red_hat_quay_on_openshift".
2. Follow the steps at "4.2. Add Clair image scanning to Red Hat Quay".
Expected Result:
Quay Clair POD will be deployed successfully following the docs.
Actual Results:
The Quay Clair POD failed to deploy.
Correct clair-config.yaml (the sections that need to be fixed are highlighted):
lizhang@lzha-mac Quay_basic_setup % cat clair-config.yaml
```yaml
clair:
  database:
    type: pgsql
    options:
      source: host=172.30.87.93 port=5432 dbname=clair user=clair password=test123 sslmode=disable
      cachesize: 16384
  api:
    # The port at which Clair will report its health status. For example, if Clair is running at
    # https://clair.mycompany.com, the health will be reported at
    # http://clair.mycompany.com:6061/health.
    healthport: 6061
    port: 6062
    timeout: 900s
    # paginationkey can be any random set of characters. *Must be the same across all Clair
    # instances*.
    paginationkey: "XxoPtCUzrUv4JV5dS+yQ+MdW7yLEJnRMwigVY/bpgtQ="
  updater:
    # interval defines how often Clair will check for updates from its upstream vulnerability databases.
    interval: 6h
  notifier:
    attempts: 3
    renotifyinterval: 1h
    http:
      # QUAY_ENDPOINT defines the endpoint at which Quay Enterprise is running.
      # For example: https://myregistry.mycompany.com
      endpoint: https://quay-enterprise.apps.lzha0413.qe.devcluster.openshift.com/secscan/notify
      proxy: http://localhost:6063
jwtproxy:
  signer_proxy:
    enabled: true
    listen_addr: :6063
    ca_key_file: /certificates/mitm.key # Generated internally, do not change.
    ca_crt_file: /certificates/mitm.crt # Generated internally, do not change.
    signer:
      issuer: security_scanner
      expiration_time: 5m
      max_skew: 1m
      nonce_length: 32
      private_key:
        type: preshared
        options:
          # The ID of the service key generated for Clair. The ID is returned when setting up
          # the key in [Quay Enterprise Setup](security-scanning.md)
          key_id: fc6c2b02c495c9b8fc674fcdbfdd2058f2f559d6bdd19d0ba70af26c0cb66a48
          private_key_path: /clair/config/security_scanner.pem
  verifier_proxies:
    - enabled: true
      # The port at which Clair will listen.
      listen_addr: :6060
      # If Clair is to be served via TLS, uncomment these lines. See the "Running Clair under TLS"
      # section below for more information.
      # key_file: /config/clair.key
      # crt_file: /config/clair.crt
      verifier:
        # CLAIR_ENDPOINT is the endpoint at which this Clair will be accessible. Note that the port
        # specified here must match the listen_addr port a few lines above this.
        # Example: https://myclair.mycompany.com:6060
        audience: http://clair-service:6060
        upstream: http://localhost:6062
        key_server:
          type: keyregistry
          options:
            # QUAY_ENDPOINT defines the endpoint at which Quay Enterprise is running.
            # Example: https://myregistry.mycompany.com
            registry: https://quay-enterprise.apps.lzha0413.qe.devcluster.openshift.com/keys/
```
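A pre-deployment check for the two mistakes described in this issue, added here as an example; it is not code from the Quay docs or the Clair project. It walks a parsed clair-config.yaml and reports when private_key_path is not the in-container path /clair/config/security_scanner.pem, when clair.notifier.http.endpoint is absent, and when a verifier proxy has no key_server registry; it also confirms that the verifier audience port matches listen_addr, as the config comment requires. The two sample configs (trimmed to the checked keys), the host path /home/user/quay/security_scanner.pem and all function names are constructed for this example; load_and_check assumes PyYAML is installed.

```python
"""Sanity-check a Clair v2 clair-config.yaml before creating the Quay Clair secret.

Added example, not code from the Quay docs or the Clair project. It flags the two
documentation defects reported in this issue plus the listen_addr/audience port
rule stated in the config comments.
"""
import copy
from typing import Any, List
from urllib.parse import urlparse

# Mount path of the service key inside the Clair pod (the value the docs should give).
EXPECTED_PRIVATE_KEY_PATH = "/clair/config/security_scanner.pem"


def lookup(node: Any, path: str) -> Any:
    """Walk a dotted path through nested dicts/lists; return None if any segment is missing."""
    for part in path.split("."):
        if isinstance(node, dict):
            node = node.get(part)
        elif isinstance(node, list) and part.isdigit() and int(part) < len(node):
            node = node[int(part)]
        else:
            return None
        if node is None:
            return None
    return node


def check_clair_config(cfg: dict) -> List[str]:
    """Return a list of problems; an empty list means the config passes these checks."""
    problems: List[str] = []

    # 1. private_key_path must be where the secret is mounted in the pod, not the host path
    #    the PEM was saved to when the key was created in the Quay setup UI.
    key_path = lookup(cfg, "jwtproxy.signer_proxy.signer.private_key.options.private_key_path")
    if key_path != EXPECTED_PRIVATE_KEY_PATH:
        problems.append(f"private_key_path is {key_path!r}, expected {EXPECTED_PRIVATE_KEY_PATH!r}")

    # 2. Without the notifier endpoint Clair has nowhere to post scan results back to Quay.
    endpoint = lookup(cfg, "clair.notifier.http.endpoint")
    if not endpoint:
        problems.append("clair.notifier.http.endpoint is missing")
    elif not str(endpoint).endswith("/secscan/notify"):
        problems.append(f"clair.notifier.http.endpoint {endpoint!r} should end with /secscan/notify")

    # 3. Each verifier proxy needs Quay's key registry to validate the JWTs Quay sends,
    #    and its audience port must match the port it listens on.
    proxies = lookup(cfg, "jwtproxy.verifier_proxies") or []
    if not proxies:
        problems.append("jwtproxy.verifier_proxies is missing or empty")
    for i, proxy in enumerate(proxies):
        prefix = f"jwtproxy.verifier_proxies.{i}"
        registry = lookup(proxy, "verifier.key_server.options.registry")
        if not registry:
            problems.append(f"{prefix}.verifier.key_server.options.registry is missing")
        elif not str(registry).endswith("/keys/"):
            problems.append(f"{prefix}: registry {registry!r} should end with /keys/")
        listen_port = str(lookup(proxy, "listen_addr") or "").rsplit(":", 1)[-1]
        audience_port = urlparse(str(lookup(proxy, "verifier.audience") or "")).port
        if listen_port and audience_port is not None and str(audience_port) != listen_port:
            problems.append(f"{prefix}: audience port {audience_port} != listen_addr port {listen_port}")
    return problems


def load_and_check(path: str) -> List[str]:
    """Load a YAML file and run the checks (assumes PyYAML is installed)."""
    import yaml  # imported here so the checks themselves need only the standard library
    with open(path) as fh:
        return check_clair_config(yaml.safe_load(fh))


# Constructed sample: the corrected config from this issue, trimmed to the checked keys.
QUAY = "https://quay-enterprise.apps.lzha0413.qe.devcluster.openshift.com"
GOOD_CONFIG = {
    "clair": {
        "notifier": {"http": {"endpoint": QUAY + "/secscan/notify", "proxy": "http://localhost:6063"}},
    },
    "jwtproxy": {
        "signer_proxy": {
            "signer": {"private_key": {"type": "preshared", "options": {
                "key_id": "fc6c2b02c495c9b8fc674fcdbfdd2058f2f559d6bdd19d0ba70af26c0cb66a48",
                "private_key_path": EXPECTED_PRIVATE_KEY_PATH}}},
        },
        "verifier_proxies": [{
            "enabled": True,
            "listen_addr": ":6060",
            "verifier": {
                "audience": "http://clair-service:6060",
                "upstream": "http://localhost:6062",
                "key_server": {"type": "keyregistry", "options": {"registry": QUAY + "/keys/"}},
            },
        }],
    },
}

# Constructed sample reproducing the doc defects: host path for the key, no endpoint, no registry.
BAD_CONFIG = copy.deepcopy(GOOD_CONFIG)
bad_key_opts = BAD_CONFIG["jwtproxy"]["signer_proxy"]["signer"]["private_key"]["options"]
bad_key_opts["private_key_path"] = "/home/user/quay/security_scanner.pem"  # hypothetical host path
del BAD_CONFIG["clair"]["notifier"]["http"]["endpoint"]
del BAD_CONFIG["jwtproxy"]["verifier_proxies"][0]["verifier"]["key_server"]["options"]["registry"]

if __name__ == "__main__":
    for name, cfg in (("corrected", GOOD_CONFIG), ("as documented", BAD_CONFIG)):
        print(name, check_clair_config(cfg) or "OK")
```

Run it against the real file with load_and_check("clair-config.yaml") before creating the secret; the corrected config above passes, while the config as originally documented produces three findings (wrong private_key_path, missing notifier endpoint, missing key registry), which is exactly the failure mode that left the Clair pod unable to start.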