Don't use Trivy auth helpers when using Azure #14
Conversation
and user has provider username and pass in pull secret
| @@ -42,6 +42,23 @@ func NewFromRemote(ctx context.Context, imageName string, option types.ImageOpti | |||
| return img, nil | |||
| } | |||
|
|
|||
| func getToken(ctx context.Context, domain string, opt types.RegistryOptions) (auth authn.Basic) { | |||
| // if the registry is Azure AND the user configured a pull secret with username and password | |||
| // just return them as basic auth and don't user trivy's GetToken function | |||
|
By looking at the code, I guess this issue is not just ACR specific, you have the same thing with GCR/ECR. You mentioned in your discord message, that in order to use azure workload identity, we need to specify a special label on the scanner pod. In my opinion the better fix would be to extend kvisor-controller to make the scanner labels configurable. |
For GCP - probably yes, need to investigate. For sure, we cannot use username/pass there, but maybe workload identity works out of the box for GCP. |
|
What you can do in AWS ECR is to use a login password (see here), but iMHO we should discourage this. One thing we should be thinking about is, if we want to support cases where you haven an EKS cluster and e.g. pull images from GCR, as in such cases you can not use any of the workload identity solutions (I guess in theory you can setup OIDC to assume identities in other cloud providers via the identity from your kubernetes cluster, but I have no idea if this is actually supported 😅). |
| } | ||
| } | ||
|
|
||
| return registry.GetToken(ctx, domain, opt) |
There was a problem hiding this comment.
This could be due to upgrade https://github.com/castai/image-analyzer/pull/11/files
Before it would use token.GetToken and under the hood it handled this case.
|
Closing this, because we opted to go the Workload ID way, and these changes are not needed for now |
and user has provider username and pass in pull secret