Project Quay: PROJQUAY-8320

Automate Clair disconnected updates

    • Type: Feature
    • Resolution: Unresolved
    • Priority: Critical
    • BU Product Work

      Goal: Reduce the administrative burden for disconnected Quay deployments running Clair in keeping Clair's vulnerability databases and auxiliary data files up to date.

      Background: As outlined in RFE-6861, the process to configure and maintain a disconnected Clair deployment, especially when managed by the Quay operator, is lengthy and manual. There is a risk that this causes customer frustration and leads to less frequent CVE data updates, in turn exposing customers to potentially undiscovered vulnerabilities in their container images.
      ACS, on the other hand, which also uses Clair, has wrapped most of the Clair disconnected maintenance.

      Requirements:

      • a runnable container image will be produced regularly by Red Hat that contains both offline vulnerability data and the necessary software (clairctl) to load it into Clair
        • in case licensing terms prohibit us from redistributing non-Red Hat vulnerability feeds this way, the bundle will only contain Red Hat's CSAF/VEX feeds
        • the data also needs to include the offline Maven index (see CLAIRDEV-102) and Red Hat CPE data (CLAIRDEV-99)
        • the location should be in a repository on registry.redhat.io
      • we provide instructions on how to refresh the offline bundle based on the published image described above, in the form of a simple Containerfile / Dockerfile
        • in case licensing terms prohibit us from redistributing non-Red Hat vulnerability feeds this way, this will also be the way for customers to create an offline bundle containing non-Red Hat vulnerability data themselves
      • Quay operator can refer to this offline bundle via a pull spec as part of configuring Clair to run in offline mode, see also PROJQUAY-8109
      • once given the pull spec of the offline bundle, the Quay operator schedules a CronJob that regularly runs the bundle image with the same Clair config that it uses for the Clair deployment
        • the interval of the job needs to be configurable and should default to Clair's default online CVE data update interval of 6 hours
        • the mounted Clair config needs to include the user-provided customizations for Clair's config bundle
        • the job should be configured so that it automatically picks up any new image the pull spec refers to (imagePullPolicy: Always)
      • this ultimately replaces PROJQUAY-8108
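      An illustration of the CronJob the requirements above describe. This manifest is added here as an example and is not part of PROJQUAY-8320 or of the Quay operator's code; the image pull spec, the namespace, the Secret name, the pull secret name, the config mount path and the bundle file path inside the image are all assumed placeholders. The `clairctl import-updaters` subcommand is Clair's existing mechanism for loading exported updater data into its database.

```yaml
# Added example manifest for the CronJob described in the requirements; not part of
# the ticket or the Quay operator. Placeholder values: bundle image pull spec,
# namespace, Secret and pull-secret names, config mount path, bundle file path.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: clair-offline-updates
  namespace: quay-enterprise            # placeholder
spec:
  # Default interval: Clair's online updater period of 6 hours. The operator would
  # render this from a user-configurable setting.
  schedule: "0 */6 * * *"
  # Never run two imports against the same Clair database at the same time.
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 2
      template:
        spec:
          restartPolicy: OnFailure
          # registry.redhat.io requires credentials; the Secret name is a placeholder.
          imagePullSecrets:
            - name: redhat-pull-secret
          containers:
            - name: import-bundle
              # Placeholder pull spec. A floating tag plus imagePullPolicy: Always is
              # what lets the job follow newly published bundles without any edit here.
              image: registry.redhat.io/quay/clair-offline-bundle-rhel8:latest
              imagePullPolicy: Always
              # clairctl reads the same Clair config the deployment uses (database
              # connection string included) and imports the bundled updater data.
              # /bundle/updates.gz is an assumed location inside the bundle image.
              command:
                - clairctl
                - --config
                - /clair/config.yaml
                - import-updaters
                - /bundle/updates.gz
              volumeMounts:
                - name: clair-config
                  mountPath: /clair
                  readOnly: true
          volumes:
            # The same rendered Clair config, including user-provided customizations,
            # that the operator mounts into the Clair deployment. Name is a placeholder.
            - name: clair-config
              secret:
                secretName: clair-config-secret
                items:
                  - key: config.yaml
                    path: config.yaml
```

      Two settings carry the security-relevant behaviour: `imagePullPolicy: Always` on a floating tag is the update mechanism itself (a stale cached image means stale CVE data), and `concurrencyPolicy: Forbid` keeps a slow import from overlapping with the next scheduled run against the same database. A practitioner checking the feature would verify that the Job's last run succeeded and that Clair's updater timestamps advance after each run.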

      Dependencies:

      • investigation on potential licensing barriers for redistributing non-Red Hat CVE data
      • investigation on reasonable time intervals in which the Red Hat-hosted container image containing the offline bundle can be refreshed

              qberry@redhat.com Quiana Berry
              DanielMesser Daniel Messer