falcosecurity / falcoctl

Administrative tooling for Falco
Apache License 2.0

Custom artifact repository path ignored #524

Open bobbled opened 2 months ago

bobbled commented 2 months ago

What happened: Overriding the repository for falco-rules in the index doesn't appear to have any effect. Falcoctl uses an overridden registry, but continues to use the default repository path.

What you expected to happen: Falcoctl would use the custom registry and repository path to find the artifact.

How to reproduce it (as minimally and precisely as possible):

- name: falco-rules
  type: rulesfile
  registry: registry.example.com
  repository: ghcr/falcosecurity/rules/falco-rules
  description: Falco rules that are loaded by default
  home: https://github.com/falcosecurity/rules/blob/main/rules/falco_rules.yaml
  keywords:
    - falco-rules
  license: apache-2.0
  maintainers:
    - email: cncf-falco-dev@lists.cncf.io
      name: The Falco Authors
  sources:
    - https://github.com/falcosecurity/rules/blob/main/rules/falco_rules.yaml

falcoctl container errors:

falcoctl-artifact-install {"level":"INFO","msg":"Resolving dependencies ...","timestamp":"2024-04-21 22:15:26"}
falcoctl-artifact-install {"level":"ERROR","msg":"unable to get manifest: unable to fetch reference \"registry.example.com/falcosecurity/rules/falco-rules:3\": GET \"https://registry.example.com/v2/falcosecurity/rules/falco-rules/manifests/3\": response status code 401: unauthorized: project falcosecurity not found: project falcosecurity not found","timestamp":"2024-04-21 22:15:26"}

I assumed the above should have tried accessing registry.example.com/ghcr/falcosecurity/rules/falco-rules instead of registry.example.com/falcosecurity/rules/falco-rules

Anything else we need to know?: registry.example.com is a harbor registry. Using falcoctl:0.7.2.

alacuku commented 1 month ago

Hi @bobbled, falcoctl uses the registry + repository to build the reference for the artifact. In your case, falcoctl does not find an artifact with reference registry.example.com/falcosecurity/rules/falco-rules:3. Make sure that a repository named: falcosecurity/rules/falco-rules:3 exists in your registry.

bobbled commented 1 month ago

> Hi @bobbled, falcoctl uses the registry + repository to build the reference for the artifact. In your case, falcoctl does not find an artifact with reference registry.example.com/falcosecurity/rules/falco-rules:3. Make sure that a repository named: falcosecurity/rules/falco-rules:3 exists in your registry.

Hi @alacuku, thanks for the response.

If registry is registry.example.com and repository is ghcr/falcosecurity/rules/falco-rules, then shouldn't registry + repository = registry.example.com/ghcr/falcosecurity/rules/falco-rules?

What falcoctl is trying is registry.example.com/falcosecurity/rules/falco-rules.

alacuku commented 1 month ago

I'll have a look at it in the coming days.

alacuku commented 1 month ago

Hi @bobbled, I'm trying to reproduce your issue but no luck so far. It works correctly for me. The following snippets show my env:

index.yaml:

...
- name: falco-rules
  type: rulesfile
  registry: localhost:5000
  repository: ghcr/falcosecurity/rules/falco-rules
  description: Falco rules that are loaded by default
  home: https://github.com/falcosecurity/rules/blob/main/rules/falco_rules.yaml
  keywords:
    - falco-rules
  license: apache-2.0
  maintainers:
    - email: cncf-falco-dev@lists.cncf.io
      name: The Falco Authors
  sources:
    - https://github.com/falcosecurity/rules/blob/main/rules/falco_rules.yaml
...

❯ falcoctl artifact list
INDEX           ARTIFACT                TYPE        REGISTRY        REPOSITORY
falcosecurity   application-rules       rulesfile   ghcr.io         falcosecurity/rules/application-rules
falcosecurity   cloudtrail              plugin      ghcr.io         falcosecurity/plugins/plugin/cloudtrail
falcosecurity   cloudtrail-rules        rulesfile   ghcr.io         falcosecurity/plugins/ruleset/cloudtrail
falcosecurity   dummy                   plugin      ghcr.io         falcosecurity/plugins/plugin/dummy
falcosecurity   dummy_c                 plugin      ghcr.io         falcosecurity/plugins/plugin/dummy_c
falcosecurity   falco-incubating-rules  rulesfile   ghcr.io         falcosecurity/rules/falco-incubating-rules
falcosecurity   falco-rules             rulesfile   localhost:5000  ghcr/falcosecurity/rules/falco-rules
falcosecurity   falco-sandbox-rules     rulesfile   ghcr.io         falcosecurity/rules/falco-sandbox-rules
falcosecurity   gcpaudit                plugin      ghcr.io         falcosecurity/plugins/plugin/gcpaudit
falcosecurity   gcpaudit-rules          rulesfile   ghcr.io         falcosecurity/plugins/ruleset/gcpaudit
falcosecurity   github                  plugin      ghcr.io         falcosecurity/plugins/plugin/github
falcosecurity   github-rules            rulesfile   ghcr.io         falcosecurity/plugins/ruleset/github
falcosecurity   json                    plugin      ghcr.io         falcosecurity/plugins/plugin/json
falcosecurity   k8saudit                plugin      ghcr.io         falcosecurity/plugins/plugin/k8saudit
falcosecurity   k8saudit-eks            plugin      ghcr.io         falcosecurity/plugins/plugin/k8saudit-eks
falcosecurity   k8saudit-gke            plugin      ghcr.io         falcosecurity/plugins/plugin/k8saudit-gke
falcosecurity   k8saudit-gke-rules      rulesfile   ghcr.io         falcosecurity/plugins/ruleset/k8saudit-gke
falcosecurity   k8saudit-rules          rulesfile   ghcr.io         falcosecurity/plugins/ruleset/k8saudit
falcosecurity   k8smeta                 plugin      ghcr.io         falcosecurity/plugins/plugin/k8smeta
falcosecurity   okta                    plugin      ghcr.io         falcosecurity/plugins/plugin/okta
falcosecurity   okta-rules              rulesfile   ghcr.io         falcosecurity/plugins/ruleset/okta

❯ falcoctl artifact install falco-rules --plain-http
2024-05-06 09:28:28 INFO  Resolving dependencies ...
2024-05-06 09:28:28 INFO  Installing artifacts refs: [localhost:5000/ghcr/falcosecurity/rules/falco-rules:latest]
2024-05-06 09:28:28 INFO  Preparing to pull artifact ref: localhost:5000/ghcr/falcosecurity/rules/falco-rules:latest
2024-05-06 09:28:28 INFO  Pulling layer b1cdd273595d
2024-05-06 09:28:28 INFO  Pulling layer 2e91799fee49
2024-05-06 09:28:28 INFO  Pulling layer 4939911ad901
2024-05-06 09:28:28 INFO  Extracting and installing artifact type: rulesfile file: falco_rules.tar.gz
2024-05-06 09:28:28 INFO  Artifact successfully installed
                      ├ name: localhost:5000/ghcr/falcosecurity/rules/falco-rules:latest
                      ├ type: rulesfile
                      ├ digest: sha256:4939911ad90194e2fc3aaa66f0bd90cbd3979fead9058a7bbc09b4abe9225eb7
                      └ directory: /etc/falco

alacuku commented 1 month ago

Hey @bobbled, is this still an issue?
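
A log check for the mismatch discussed in this thread, added here as an example (it is not falcoctl's code and not from the issue's participants): it extracts the reference falcoctl tried from a JSON log line and compares it with registry + repository from the index entry. The names `Expected` and `AttemptedRef` and the plain join rule are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Sample abridged from the log in the issue (the container-name prefix is kept).
const sampleLine = `falcoctl-artifact-install {"level":"ERROR","msg":"unable to get manifest: unable to fetch reference \"registry.example.com/falcosecurity/rules/falco-rules:3\": GET ...","timestamp":"2024-04-21 22:15:26"}`

var refRe = regexp.MustCompile(`unable to fetch reference "([^"]+)"`)

// Expected joins registry and repository as the thread describes ("registry +
// repository"). This is an assumption for the example, not falcoctl's source.
func Expected(registry, repository string) string {
	return strings.Trim(registry, "/") + "/" + strings.Trim(repository, "/")
}

// AttemptedRef returns the reference named in a JSON log line, without tag or digest.
func AttemptedRef(line string) (string, error) {
	start := strings.Index(line, "{") // skip a "container-name " prefix if present
	if start < 0 {
		return "", fmt.Errorf("no JSON object in line")
	}
	var rec struct {
		Msg string `json:"msg"`
	}
	if err := json.Unmarshal([]byte(line[start:]), &rec); err != nil {
		return "", err
	}
	m := refRe.FindStringSubmatch(rec.Msg)
	if m == nil {
		return "", fmt.Errorf("no reference in message")
	}
	ref := m[1]
	if i := strings.Index(ref, "@"); i >= 0 {
		ref = ref[:i] // drop digest
	}
	if i := strings.LastIndex(ref, ":"); i > strings.LastIndex(ref, "/") {
		ref = ref[:i] // drop tag; a colon before the last slash is a registry port
	}
	return ref, nil
}

func main() {
	got, err := AttemptedRef(sampleLine)
	want := Expected("registry.example.com", "ghcr/falcosecurity/rules/falco-rules")
	fmt.Printf("attempted: %s\nexpected:  %s\nmatch: %v (err: %v)\n", got, want, got == want, err)
}
```

A mismatch in which the registry is honoured but the repository is not suggests that the index entry falcoctl actually loaded differs from the edited one; `falcoctl artifact list`, as used in the thread, shows which registry and repository are in effect.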