config

package
v4.3.4 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 5, 2021 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// Run this mode to create receive Manifests and create IndexReports.
	IndexerMode = "indexer"
	// Run this mode to retrieve IndexReports and create VulnerabilityReports.
	MatcherMode = "matcher"
	// Run this mode to run all modes in a single Clair instance.
	ComboMode = "combo"
	// Run this mode to listen for Updates and send notifications when they occur.
	NotifierMode = "notifier"
)

Clair Modes

View Source
const DefaultAddress = ":6060"

DefaultAddress is used if an http_listen_addr is not provided in the config.

Variables

This section is empty.

Functions

func Validate

func Validate(conf *Config) error

Validate confirms the necessary values to support the desired Clair mode exist.

Types

type Auth

type Auth struct {
	PSK       *AuthPSK       `yaml:"psk,omitempty" json:"psk,omitempty"`
	Keyserver *AuthKeyserver `yaml:"keyserver,omitempty" json:"keyserver,omitempty"`
}

Auth holds the specific configs for different authentication methods.

These should be pointers to structs, so that it's possible to distinguish between "absent" and "present and misconfigured."

func (Auth) Any

func (a Auth) Any() bool

Any reports whether any sort of authentication is configured.

type AuthKeyserver

type AuthKeyserver struct {
	API          string `yaml:"api" json:"api"`
	Intraservice []byte `yaml:"intraservice" json:"intraservice"`
}

AuthKeyserver is the configuration for doing authentication with the Quay keyserver protocol.

The "Intraservice" key is only needed when the overall config mode is not "combo".

func (*AuthKeyserver) MarshalYAML

func (a *AuthKeyserver) MarshalYAML() (interface{}, error)

MarshalYAML implements yaml.Marshaler.

func (*AuthKeyserver) UnmarshalYAML

func (a *AuthKeyserver) UnmarshalYAML(f func(interface{}) error) error

UnmarshalYAML implements yaml.Unmarshaler.

type AuthPSK

type AuthPSK struct {
	Key    []byte   `yaml:"key" json:"key"`
	Issuer []string `yaml:"iss" json:"iss"`
}

AuthPSK is the configuration for doing pre-shared key based authentication.

The "Issuer" key is what the service expects to verify as the "issuer" claim.

func (*AuthPSK) MarshalYAML

func (a *AuthPSK) MarshalYAML() (interface{}, error)

MarshalYAML implements yaml.Marshaler.

func (*AuthPSK) UnmarshalYAML

func (a *AuthPSK) UnmarshalYAML(f func(interface{}) error) error

UnmarshalYAML implements yaml.Unmarshaler.

type Config

type Config struct {
	// One of the following strings
	// Sets which mode the clair instances will run in
	//
	// "indexer": runs just the indexer node
	// "matcher": runs just the matcher node
	// "combo":	will run both indexer and matcher on the same node.
	Mode string `yaml:"-" json:"-"`
	// A string in <host>:<port> format where <host> can be an empty string.
	//
	// exposes Clair node's functionality to the network.
	// see /openapi/v1 for api spec.
	HTTPListenAddr string `yaml:"http_listen_addr" json:"http_listen_addr"`
	// A string in <host>:<port> format where <host> can be an empty string.
	//
	// exposes Clair's metrics and health endpoints.
	IntrospectionAddr string `yaml:"introspection_addr" json:"introspection_addr"`
	// Set the logging level.
	//
	// One of the following strings:
	// "debug-color"
	// "debug"
	// "info"
	// "warn"
	// "error"
	// "fatal"
	// "panic"
	LogLevel string   `yaml:"log_level" json:"log_level"`
	Indexer  Indexer  `yaml:"indexer" json:"indexer"`
	Matcher  Matcher  `yaml:"matcher" json:"matcher"`
	Matchers Matchers `yaml:"matchers" json:"matchers"`
	Updaters Updaters `yaml:"updaters,omitempty" json:"updaters,omitempty"`
	Notifier Notifier `yaml:"notifier" json:"notifier"`
	Auth     Auth     `yaml:"auth" json:"auth"`
	Trace    Trace    `yaml:"trace" json:"trace"`
	Metrics  Metrics  `yaml:"metrics" json:"metrics"`
}

func (*Config) Client

func (cfg *Config) Client(next http.RoundTripper, cl *jwt.Claims) (c *http.Client, authed bool, err error)

Client returns an http.Client configured according to the supplied configuration.

If nil is passed for a claim, the returned client does no signing.

It returns an *http.Client and a boolean indicating whether the client is configured for authentication, or an error that occurred during construction.

type Indexer

type Indexer struct {
	// A Postgres connection string.
	//
	// formats
	// url: "postgres://pqgotest:password@localhost/pqgotest?sslmode=verify-full"
	// or
	// string: "user=pqgotest dbname=pqgotest sslmode=verify-full"
	ConnString string `yaml:"connstring" json:"connstring"`
	// A positive value representing seconds.
	//
	// Concurrent Indexers lock on manifest scans to avoid clobbering.
	// This value tunes how often a waiting Indexer will poll for the lock.
	// TODO: Move to async operating mode
	ScanLockRetry int `yaml:"scanlock_retry" json:"scanlock_retry"`
	// A positive values represeting quantity.
	//
	// Indexers will index a Manifest's layers concurrently.
	// This value tunes the number of layers an Indexer will scan in parallel.
	LayerScanConcurrency int `yaml:"layer_scan_concurrency" json:"layer_scan_concurrency"`
	// Rate limits the number if index report creation requests.
	//
	// Any value below 1 is considered unlimited.
	// The API will return a 429 status code if concurrency is exceeded.
	IndexReportRequestConcurrency int `yaml:"index_report_request_concurrency" json:"index_report_request_concurrency"`
	// A "true" or "false" value
	//
	// Whether Indexer nodes handle migrations to their database.
	Migrations bool `yaml:"migrations" json:"migrations"`
	// Scanner allows for passing configuration options to layer scanners.
	Scanner ScannerConfig `yaml:"scanner" json:"scanner"`
	// Airgap disables scanners that have signaled they expect to talk to the
	// Internet.
	Airgap bool `yaml:"airgap" json:"airgap"`
}

Indexer provides Clair Indexer node configuration

func (*Indexer) Validate added in v4.1.0

func (i *Indexer) Validate(combo bool) error

type Jaeger

type Jaeger struct {
	Agent struct {
		Endpoint string `yaml:"endpoint" json:"endpoint"`
	} `yaml:"agent" json:"agent"`
	Collector struct {
		Endpoint string  `yaml:"endpoint" json:"endpoint"`
		Username *string `yaml:"username" json:"username"`
		Password *string `yaml:"password" json:"password"`
	} `yaml:"collector" json:"collector"`
	ServiceName string            `yaml:"service_name" json:"service_name"`
	Tags        map[string]string `yaml:"tags" json:"tags"`
	BufferMax   int               `yaml:"buffer_max" json:"buffer_max"`
}

Jager specific distributed tracing configuration.

type Matcher

type Matcher struct {
	// A Postgres connection string.
	//
	// Formats:
	// url: "postgres://pqgotest:password@localhost/pqgotest?sslmode=verify-full"
	// or
	// string: "user=pqgotest dbname=pqgotest sslmode=verify-full"
	ConnString string `yaml:"connstring" json:"connstring"`
	// A positive integer
	//
	// Clair allows for a custom connection pool size.
	// This number will directly set how many active sql
	// connections are allowed concurrently.
	MaxConnPool int `yaml:"max_conn_pool" json:"max_conn_pool"`
	// A string in <host>:<port> format where <host> can be an empty string.
	//
	// A Matcher contacts an Indexer to create a VulnerabilityReport.
	// The location of this Indexer is required.
	IndexerAddr string `yaml:"indexer_addr" json:"indexer_addr"`
	// A "true" or "false" value
	//
	// Whether Matcher nodes handle migrations to their databases.
	Migrations bool `yaml:"migrations" json:"migrations"`
	// Period controls how often updaters are run.
	//
	// The default is 30 minutes.
	Period time.Duration `yaml:"period" json:"period"`
	// DisableUpdaters disables the updater's running of matchers.
	//
	// This should be toggled on if vulnerabilities are being provided by
	// another mechanism.
	DisableUpdaters bool `yaml:"disable_updaters" json:"disable_updaters"`
	// UpdateRetention controls the number of updates to retain between
	// garbage collection periods.
	//
	// The lowest possible value is 2 in order to compare updates for notification
	// purposes.
	//
	// A value of 0 disables GC.
	UpdateRetention int `yaml:"update_retention" json:"update_retention"`
	// CacheAge controls how long clients should be hinted to cache responses
	// for.
	//
	// If empty, the duration set in "Period" will be used. This means client
	// may cache "stale" results for 2(Period) - 1 seconds.
	CacheAge time.Duration `yaml:"cache_age,omitempty" json:"cache_age,omitempty"`
}

func (*Matcher) Validate added in v4.1.0

func (m *Matcher) Validate(combo bool) error

type Matchers added in v4.1.0

type Matchers struct {
	// A slice of strings representing which
	// matchers will be used.
	//
	// If nil all default Matchers will be used
	//
	// The following names are supported by default:
	// "alpine"
	// "aws"
	// "debian"
	// "oracle"
	// "photon"
	// "python"
	// "rhel"
	// "suse"
	// "ubuntu"
	// "crda" - remotematcher calls hosted api via RPC.
	Names []string `yaml:"names" json:"names"`
	// Config holds configuration blocks for MatcherFactories and Matchers,
	// keyed by name.
	Config map[string]yaml.Node `yaml:"config" json:"config"`
}

type Metrics

type Metrics struct {
	Name       string     `yaml:"name" json:"name"`
	Prometheus Prometheus `yaml:"prometheus" json:"prometheus"`
}

Configure Metrics.

type Notifier

type Notifier struct {
	// A Postgres connection string.
	//
	// Formats:
	// url: "postgres://pqgotest:password@localhost/pqgotest?sslmode=verify-full"
	// or
	// string: "user=pqgotest dbname=pqgotest sslmode=verify-full"
	ConnString string `yaml:"connstring" json:"connstring"`
	// A "true" or "false" value
	//
	// Whether Notifier nodes handle migrations to their database.
	Migrations bool `yaml:"migrations" json:"migrations"`
	// A string in <host>:<port> format where <host> can be an empty string.
	//
	// A Notifier contacts an Indexer to create obtain manifests affected by vulnerabilities.
	// The location of this Indexer is required.
	IndexerAddr string `yaml:"indexer_addr" json:"indexer_addr"`
	// A string in <host>:<port> format where <host> can be an empty string.
	//
	// A Notifier contacts a Matcher to list update operations and acquire diffs.
	// The location of this Indexer is required.
	MatcherAddr string `yaml:"matcher_addr" json:"matcher_addr"`
	// A time.ParseDuration parsable string
	//
	// The frequency at which the notifier will query at Matcher for Update Operations.
	// If a value smaller then 1 second is provided it will be replaced with the
	// default 5 second poll interval.
	PollInterval time.Duration `yaml:"poll_interval" json:"poll_interval"`
	// A time.ParseDuration parsable string
	//
	// The frequency at which the notifier attempt delivery of created or previously failed
	// notifications
	// If a value smaller then 1 second is provided it will be replaced with the
	// default 5 second delivery interval.
	DeliveryInterval time.Duration `yaml:"delivery_interval" json:"delivery_interval"`
	// DisableSummary disables summarizing vulnerabilities per-manifest.
	//
	// The default is to summarize any new vulnerabilities to the most severe
	// one, in the thought that any additional processing for end-user
	// notifications can have policies around severity and fetch a complete
	// VulnerabilityReport if it'd like.
	//
	// For a machine-consumption use case, it may be easier to instead have the
	// notifier push all the data.
	DisableSummary bool `yaml:"disable_summary" json:"disable_summary"`
	// Only one of the following should be provided in the configuration
	//
	// Configures the notifier for webhook delivery
	Webhook *webhook.Config `yaml:"webhook" json:"webhook"`
	// Configures the notifier for AMQP delivery.
	AMQP *amqp.Config `yaml:"amqp" json:"amqp"`
	// Configures the notifier for STOMP delivery.
	STOMP *stomp.Config `yaml:"stomp" json:"stomp"`
}

Notifier provides Clair Notifier node configuration

func (*Notifier) Validate added in v4.1.0

func (n *Notifier) Validate(combo bool) error

type Prometheus

type Prometheus struct {
	// Endpoint is a URL path where
	// Prometheus metrics will be hosted.
	Endpoint *string `yaml:"endpoint" json:"endpoint"`
}

Prometheus specific metrics configuration

type ScannerConfig

type ScannerConfig struct {
	Package map[string]yaml.Node `yaml:"package" json:"package"`
	Dist    map[string]yaml.Node `yaml:"dist" json:"dist"`
	Repo    map[string]yaml.Node `yaml:"repo" json:"repo"`
}

type Trace

type Trace struct {
	Name        string   `yaml:"name" json:"name"`
	Probability *float64 `yaml:"probability" json:"probability"`
	Jaeger      Jaeger   `yaml:"jaeger" json:"jaeger"`
}

Configure distributed tracing via OTEL

type Updaters

type Updaters struct {
	// A slice of strings representing which
	// updaters will be used.
	//
	// If nil all default UpdaterSets will be used
	//
	// The following sets are supported by default:
	// "alpine"
	// "aws"
	// "debian"
	// "oracle"
	// "photon"
	// "pyupio"
	// "rhel"
	// "suse"
	// "ubuntu"
	Sets []string `yaml:"sets,omitempty" json:"sets,omitempty"`
	// Config holds configuration blocks for UpdaterFactories and Updaters,
	// keyed by name.
	//
	// These are defined by the updater implementation and can't be documented
	// here. Improving the documentation for these is an open issue.
	Config map[string]yaml.Node `yaml:"config" json:"config"`
	// Filter is a regexp that disallows updaters that do not match from
	// running.
	// TODO(louis): this is only used in clairctl, should we keep this?
	// it may offer an escape hatch for a particular updater name
	// from running, vs disabling the updater set completely.
	Filter string `yaml:"filter" json:"filter"`
}

Updaters configures updater behavior.

func (*Updaters) FilterSets

func (u *Updaters) FilterSets(m map[string]driver.UpdaterSetFactory)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL