target / portauthority

API that leverages Clair to scan Docker Registries and Kubernetes Clusters for vulnerabilities

Authentication to gcr.io registries is broken #11

Closed caipre closed 2 months ago

caipre commented 6 years ago

The token retrieved via docker.AuthRegistry isn't threaded into the call to docker.GetRegistry:

https://github.com/target/portauthority/blob/master/api/v1/routes.go#L388-L405

I hacked a fix that I'll try to polish up tomorrow; making an issue in case anyone runs into this problem in the meantime. Also useful to know that the way to make the request is as follows:

$ curl -XPOST -H 'content-type: application/json' localhost:31700/v1/images -d @- <<EOF
{"Image":{
  "Registry":"https://gcr.io",
  "Repo":"<project-id>/<image-name>",
  "Tag":"<image-tag>",
  "RegistryPassword":$(cat credentials.json | jq tostring)
}}
EOF

ErikThoreson commented 6 years ago

@caipre can you share the error you are getting?

One thing you will need, if you are using a gcr service account, is to set the RegistryUser like so: "RegistryUser":"_json_key". Then, like in your example, you can pass in the JSON credentials file as a string.

ErikThoreson commented 6 years ago

Also, to share context: on a post image request we auth twice because I needed a custom/hacky way to pull out the bearer token to pass to Clair, which is used here:

https://github.com/target/portauthority/blob/master/api/v1/routes.go#L414

The second auth uses an internal auth to pull manifests and repo data.

Long term I'd like to collapse things into a single auth.
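
The request body discussed in the comments above, built in Go so that the service-account key is string-encoded by `json.Marshal` rather than by shell quoting. This is an added example, not part of the original thread or the project's code: `image` and `buildImageRequest` are hypothetical names, the field names are the ones quoted in the thread, and the key, repo and tag are constructed sample values.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// image holds only the request fields quoted in the thread (hypothetical type).
type image struct {
	Registry, Repo, Tag, RegistryUser, RegistryPassword string
}

// buildImageRequest (hypothetical helper) returns the JSON body for
// POST /v1/images, authenticating to gcr.io with a service-account key file.
func buildImageRequest(repo, tag string, keyFile []byte) ([]byte, error) {
	// Reject anything that is not a JSON object before it is sent as a password.
	var probe map[string]interface{}
	if err := json.Unmarshal(keyFile, &probe); err != nil || probe == nil {
		return nil, fmt.Errorf("key file is not a JSON object (err: %v)", err)
	}
	// Strip whitespace so the key travels as a single-line string.
	var compact bytes.Buffer
	if err := json.Compact(&compact, keyFile); err != nil {
		return nil, err
	}
	// json.Marshal escapes the quotes and backslashes inside the key, which
	// hand-built shell quoting tends to get wrong.
	return json.Marshal(map[string]image{"Image": {
		Registry:         "https://gcr.io",
		Repo:             repo,
		Tag:              tag,
		RegistryUser:     "_json_key", // per the maintainer's comment in the thread
		RegistryPassword: compact.String(),
	}})
}

func main() {
	// Constructed sample key, not a real credential.
	key := []byte("{\n  \"type\": \"service_account\",\n  \"private_key\": \"constructed\\nnot-a-key\\n\"\n}")
	body, err := buildImageRequest("my-project/my-image", "latest", key)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(body))
}
```
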