fix(clair) Add Clair adapter

Signed-off-by: Pierre Péronnet <pierre.peronnet@corp.ovh.com>

api/v1alpha1/harbor_secret_format.go

@@ -37,3 +37,8 @@ const (
 	HarborClairDatabasePasswordKey = "password"
 	HarborClairDatabaseSSLKey      = "ssl"
 )
+
+const (
+	HarborClairAdapterBrokerURLKey       = "url"
+	HarborClairAdapterBrokerNamespaceKey = "namespace"
+)

api/v1alpha1/harbor_types.go

@@ -162,6 +162,14 @@ type JobServiceComponent struct {
 	WorkerCount int32 `json:"workerCount"`
 }
 
+type ClairAdapterComponent struct {
+	// +optional
+	Image string `json:"image,omitempty"`
+
+	// +kubebuilder:validation:Required
+	RedisSecret string `json:"redisSecret"`
+}
+
 type ClairComponent struct {
 	HarborDeployment `json:",inline"`
 	// +optional
@@ -171,6 +179,8 @@ type ClairComponent struct {
 	DatabaseSecret string `json:"databaseSecret"`
 
 	VulnerabilitySources []string `json:"vulnerabilitySources"`
+
+	Adapter ClairAdapterComponent `json:"adapter"`
 }
 
 type ChartMuseumComponent struct {

api/v1alpha1/harbor_version_compatibility.go

@@ -7,14 +7,15 @@ import (
 )
 
 type Images struct {
-	Core        string
-	Registry    string
-	RegistryCtl string
-	Portal      string
-	JobService  string
-	ChartMuseum string
-	Clair       string
-	Notary      string
+	Core         string
+	Registry     string
+	RegistryCtl  string
+	Portal       string
+	JobService   string
+	ChartMuseum  string
+	Clair        string
+	ClairAdapter string
+	Notary       string
 }
 
 var (
@@ -41,57 +42,63 @@ func GetImages(version string) (*Images, error) {
 
 func RegisterDefaultVersion() {
 	_ = RegisterVersion("1.9.0", &Images{
-		Core:        "goharbor/harbor-core:v1.9.0",
-		Registry:    "goharbor/registry-photon:v2.7.1-patch-2819-v1.9.0",
-		RegistryCtl: "goharbor/harbor-registryctl:v1.9.0",
-		Portal:      "goharbor/harbor-portal:v1.9.0",
-		JobService:  "goharbor/harbor-jobservice:v1.9.0",
-		ChartMuseum: "goharbor/chartmuseum-photon:v0.9.0-v1.9.0",
-		Clair:       "goharbor/clair-photon:v2.0.9-v1.9.0",
+		Core:         "goharbor/harbor-core:v1.9.0",
+		Registry:     "goharbor/registry-photon:v2.7.1-patch-2819-v1.9.0",
+		RegistryCtl:  "goharbor/harbor-registryctl:v1.9.0",
+		Portal:       "goharbor/harbor-portal:v1.9.0",
+		JobService:   "goharbor/harbor-jobservice:v1.9.0",
+		ChartMuseum:  "goharbor/chartmuseum-photon:v0.9.0-v1.9.0",
+		Clair:        "goharbor/clair-photon:v2.0.9-v1.9.0",
+		ClairAdapter: "holyhope/clair-adapter-with-config:v1.10.0", // Use "goharbor/clair-adapter-photon:v1.0.1-v1.10.0" when possible
 	})
 	_ = RegisterVersion("1.9.1", &Images{
-		Core:        "goharbor/harbor-core:v1.9.1",
-		Registry:    "goharbor/registry-photon:v2.7.1-patch-2819-2553-v1.9.1",
-		RegistryCtl: "goharbor/harbor-registryctl:v1.9.1",
-		Portal:      "goharbor/harbor-portal:v1.9.1",
-		JobService:  "goharbor/harbor-jobservice:v1.9.1",
-		ChartMuseum: "goharbor/chartmuseum-photon:v0.9.0-v1.9.1",
-		Clair:       "goharbor/clair-photon:v2.0.9-v1.9.1",
+		Core:         "goharbor/harbor-core:v1.9.1",
+		Registry:     "goharbor/registry-photon:v2.7.1-patch-2819-2553-v1.9.1",
+		RegistryCtl:  "goharbor/harbor-registryctl:v1.9.1",
+		Portal:       "goharbor/harbor-portal:v1.9.1",
+		JobService:   "goharbor/harbor-jobservice:v1.9.1",
+		ChartMuseum:  "goharbor/chartmuseum-photon:v0.9.0-v1.9.1",
+		Clair:        "goharbor/clair-photon:v2.0.9-v1.9.1",
+		ClairAdapter: "holyhope/clair-adapter-with-config:v1.10.0", // Use "goharbor/clair-adapter-photon:v1.0.1-v1.10.0" when possible
 	})
 	_ = RegisterVersion("1.9.2", &Images{
-		Core:        "goharbor/harbor-core:v1.9.2",
-		Registry:    "goharbor/registry-photon:v2.7.1-patch-2819-2553-v1.9.2",
-		RegistryCtl: "goharbor/harbor-registryctl:v1.9.2",
-		Portal:      "goharbor/harbor-portal:v1.9.2",
-		JobService:  "goharbor/harbor-jobservice:v1.9.2",
-		ChartMuseum: "goharbor/chartmuseum-photon:v0.9.0-v1.9.2",
-		Clair:       "goharbor/clair-photon:v2.0.9-v1.9.2",
+		Core:         "goharbor/harbor-core:v1.9.2",
+		Registry:     "goharbor/registry-photon:v2.7.1-patch-2819-2553-v1.9.2",
+		RegistryCtl:  "goharbor/harbor-registryctl:v1.9.2",
+		Portal:       "goharbor/harbor-portal:v1.9.2",
+		JobService:   "goharbor/harbor-jobservice:v1.9.2",
+		ChartMuseum:  "goharbor/chartmuseum-photon:v0.9.0-v1.9.2",
+		Clair:        "goharbor/clair-photon:v2.0.9-v1.9.2",
+		ClairAdapter: "holyhope/clair-adapter-with-config:v1.10.0", // Use "goharbor/clair-adapter-photon:v1.0.1-v1.10.0" when possible
 	})
 	_ = RegisterVersion("1.9.3", &Images{
-		Core:        "goharbor/harbor-core:v1.9.3",
-		Registry:    "goharbor/registry-photon:v2.7.1-patch-2819-2553-v1.9.3",
-		RegistryCtl: "goharbor/harbor-registryctl:v1.9.3",
-		Portal:      "goharbor/harbor-portal:v1.9.3",
-		JobService:  "goharbor/harbor-jobservice:v1.9.3",
-		ChartMuseum: "goharbor/chartmuseum-photon:v0.9.0-v1.9.3",
-		Clair:       "goharbor/clair-photon:v2.1.0-v1.9.3",
+		Core:         "goharbor/harbor-core:v1.9.3",
+		Registry:     "goharbor/registry-photon:v2.7.1-patch-2819-2553-v1.9.3",
+		RegistryCtl:  "goharbor/harbor-registryctl:v1.9.3",
+		Portal:       "goharbor/harbor-portal:v1.9.3",
+		JobService:   "goharbor/harbor-jobservice:v1.9.3",
+		ChartMuseum:  "goharbor/chartmuseum-photon:v0.9.0-v1.9.3",
+		Clair:        "goharbor/clair-photon:v2.1.0-v1.9.3",
+		ClairAdapter: "holyhope/clair-adapter-with-config:v1.10.0", // Use "goharbor/clair-adapter-photon:v1.0.1-v1.10.0" when possible
 	})
 	_ = RegisterVersion("1.9.4", &Images{
-		Core:        "goharbor/harbor-core:v1.9.4",
-		Registry:    "goharbor/registry-photon:v2.7.1-patch-2819-2553-v1.9.4",
-		RegistryCtl: "goharbor/harbor-registryctl:v1.9.4",
-		Portal:      "goharbor/harbor-portal:v1.9.4",
-		JobService:  "goharbor/harbor-jobservice:v1.9.4",
-		ChartMuseum: "goharbor/chartmuseum-photon:v0.9.0-v1.9.4",
-		Clair:       "goharbor/clair-photon:v2.1.0-v1.9.4",
+		Core:         "goharbor/harbor-core:v1.9.4",
+		Registry:     "goharbor/registry-photon:v2.7.1-patch-2819-2553-v1.9.4",
+		RegistryCtl:  "goharbor/harbor-registryctl:v1.9.4",
+		Portal:       "goharbor/harbor-portal:v1.9.4",
+		JobService:   "goharbor/harbor-jobservice:v1.9.4",
+		ChartMuseum:  "goharbor/chartmuseum-photon:v0.9.0-v1.9.4",
+		Clair:        "goharbor/clair-photon:v2.1.0-v1.9.4",
+		ClairAdapter: "holyhope/clair-adapter-with-config:v1.10.0", // Use "goharbor/clair-adapter-photon:v1.0.1-v1.10.0" when possible
 	})
 	_ = RegisterVersion("1.10.0", &Images{
-		Core:        "goharbor/harbor-core:v1.10.0",
-		Registry:    "goharbor/registry-photon:v2.7.1-patch-2819-2553-v1.10.0",
-		RegistryCtl: "goharbor/harbor-registryctl:v1.10.0",
-		Portal:      "goharbor/harbor-portal:v1.10.0",
-		JobService:  "goharbor/harbor-jobservice:v1.10.0",
-		ChartMuseum: "goharbor/chartmuseum-photon:v0.9.0-v1.10.0",
-		Clair:       "goharbor/clair-photon:v2.1.1-v1.10.0",
+		Core:         "goharbor/harbor-core:v1.10.0",
+		Registry:     "goharbor/registry-photon:v2.7.1-patch-2819-2553-v1.10.0",
+		RegistryCtl:  "goharbor/harbor-registryctl:v1.10.0",
+		Portal:       "goharbor/harbor-portal:v1.10.0",
+		JobService:   "goharbor/harbor-jobservice:v1.10.0",
+		ChartMuseum:  "goharbor/chartmuseum-photon:v0.9.0-v1.10.0",
+		Clair:        "goharbor/clair-photon:v2.1.1-v1.10.0",
+		ClairAdapter: "holyhope/clair-adapter-with-config:v1.10.0", // Use "goharbor/clair-adapter-photon:v1.0.1-v1.10.0" when possible
 	})
 }

config/samples/containerregistry_v1alpha1_harbor.yaml

@@ -30,6 +30,9 @@ spec:
       - oracle
       - alpine
       - suse
+      adapter:
+        image: holyhope/clair-adapter-wih-config:latest
+        redisSecret: clair-adapter-redis
     portal:
       image: goharbor/harbor-portal:v1.10.0
     chartMuseum:

config/samples/kustomization.yaml

@@ -18,6 +18,10 @@ secretGenerator:
     literals:
       - url=redis://jobservice-broker-redis-ha-announce-0:6379/0
       - namespace=
+  - name: clair-adapter-redis
+    literals:
+      - url=redis://clair-adapter-broker-redis-ha-announce-0:6379/0
+      - namespace=harbor.scanner.clair:store
 
 resources:
   - containerregistry_v1alpha1_harbor.yaml

controllers/harbor/components/clair/configs.go

@@ -58,6 +58,16 @@ func (c *Clair) GetConfigMaps(ctx context.Context) []*corev1.ConfigMap {
 			BinaryData: map[string][]byte{
 				configKey: config,
 			},
+			// https://github.com/goharbor/harbor-scanner-clair#configuration
+			// https://github.com/goharbor/harbor/blob/master/make/photon/prepare/templates/clair/clair_env.jinja
+			Data: map[string]string{
+				"SCANNER_CLAIR_URL":                   fmt.Sprintf("http://%s", c.harbor.NormalizeComponentName(containerregistryv1alpha1.ClairName)),
+				"SCANNER_LOG_LEVEL":                   "debug",
+				"SCANNER_STORE_REDIS_POOL_MAX_ACTIVE": "5",
+				"SCANNER_STORE_REDIS_POOL_MAX_IDLE":   "5",
+				"SCANNER_STORE_REDIS_SCAN_JOB_TTL":    "1h",
+				"SCANNER_API_SERVER_ADDR":             fmt.Sprintf(":%d", adapterPort),
+			},
 		},
 	}
 }

controllers/harbor/components/clair/deployments.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"path"
+	"time"
 
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -16,9 +17,12 @@ import (
 )
 
 const (
-	initImage  = "hairyhenderson/gomplate"
-	apiPort    = 6060 // https://github.com/quay/clair/blob/c39101e9b8206401d8b9cb631f3aee47a24ab889/cmd/clair/config.go#L64
-	healthPort = 6061 // https://github.com/quay/clair/blob/c39101e9b8206401d8b9cb631f3aee47a24ab889/cmd/clair/config.go#L63
+	initImage   = "hairyhenderson/gomplate"
+	apiPort     = 6060 // https://github.com/quay/clair/blob/c39101e9b8206401d8b9cb631f3aee47a24ab889/cmd/clair/config.go#L64
+	healthPort  = 6061 // https://github.com/quay/clair/blob/c39101e9b8206401d8b9cb631f3aee47a24ab889/cmd/clair/config.go#L63
+	adapterPort = 8080
+
+	livenessProbeInitialDelay = 300 * time.Second
 )
 
 var (
@@ -184,6 +188,78 @@ func (c *Clair) GetDeployments(ctx context.Context) []*appsv1.Deployment { // no
 										SubPath:   configKey,
 									},
 								},
+							}, {
+								Name:  "clair-adapter",
+								Image: c.harbor.Spec.Components.Clair.Adapter.Image,
+								Ports: []corev1.ContainerPort{
+									{
+										ContainerPort: adapterPort,
+									},
+								},
+
+								Env: []corev1.EnvVar{
+									{
+										Name: "SCANNER_STORE_REDIS_URL",
+										ValueFrom: &corev1.EnvVarSource{
+											SecretKeyRef: &corev1.SecretKeySelector{
+												Key:      containerregistryv1alpha1.HarborClairAdapterBrokerURLKey,
+												Optional: &varFalse,
+												LocalObjectReference: corev1.LocalObjectReference{
+													Name: c.harbor.Spec.Components.Clair.Adapter.RedisSecret,
+												},
+											},
+										},
+									}, {
+										Name: "SCANNER_STORE_REDIS_NAMESPACE",
+										ValueFrom: &corev1.EnvVarSource{
+											SecretKeyRef: &corev1.SecretKeySelector{
+												Key:      containerregistryv1alpha1.HarborClairAdapterBrokerNamespaceKey,
+												Optional: &varFalse,
+												LocalObjectReference: corev1.LocalObjectReference{
+													Name: c.harbor.Spec.Components.Clair.Adapter.RedisSecret,
+												},
+											},
+										},
+									},
+								},
+
+								EnvFrom: []corev1.EnvFromSource{
+									{
+										Prefix: "clair_db_",
+										SecretRef: &corev1.SecretEnvSource{
+											Optional: &varFalse,
+											LocalObjectReference: corev1.LocalObjectReference{
+												Name: c.harbor.Spec.Components.Clair.DatabaseSecret,
+											},
+										},
+									},
+								},
+
+								ImagePullPolicy: corev1.PullAlways,
+								LivenessProbe: &corev1.Probe{
+									Handler: corev1.Handler{
+										HTTPGet: &corev1.HTTPGetAction{
+											Path: "/probe/healthy",
+											Port: intstr.FromInt(adapterPort),
+										},
+									},
+									InitialDelaySeconds: int32(livenessProbeInitialDelay.Seconds()),
+								},
+								ReadinessProbe: &corev1.Probe{
+									Handler: corev1.Handler{
+										HTTPGet: &corev1.HTTPGetAction{
+											Path: "/probe/healthy",
+											Port: intstr.FromInt(adapterPort),
+										},
+									},
+								},
+								VolumeMounts: []corev1.VolumeMount{
+									{
+										MountPath: path.Join("/etc/clair", configKey),
+										Name:      "config",
+										SubPath:   configKey,
+									},
+								},
 							},
 						},
 						Priority: c.Option.Priority,

controllers/harbor/components/clair/services.go

@@ -12,7 +12,8 @@ import (
 )
 
 const (
-	PublicPort = 80
+	PublicPort        = 80
+	AdapterPublicPort = 8080
 )
 
 func (c *Clair) GetServices(ctx context.Context) []*corev1.Service {
@@ -40,6 +41,10 @@ func (c *Clair) GetServices(ctx context.Context) []*corev1.Service {
 					}, {
 						Name: "healthcheck",
 						Port: healthPort,
+					}, {
+						Name:       "adapter",
+						Port:       AdapterPublicPort,
+						TargetPort: intstr.FromInt(adapterPort),
 					},
 				},
 				Selector: map[string]string{

controllers/harbor/components/harbor-core/configs.go

@@ -14,6 +14,7 @@ import (
 
 	"github.com/markbates/pkger"
 	containerregistryv1alpha1 "github.com/ovh/harbor-operator/api/v1alpha1"
+	"github.com/ovh/harbor-operator/controllers/harbor/components/clair"
 	"github.com/ovh/harbor-operator/pkg/factories/application"
 	"github.com/pkg/errors"
 )
@@ -83,6 +84,7 @@ func (c *HarborCore) GetConfigMaps(ctx context.Context) []*corev1.ConfigMap { //
 				"CHART_REPOSITORY_URL":          fmt.Sprintf("http://%s", c.harbor.NormalizeComponentName(containerregistryv1alpha1.ChartMuseumName)),
 				"CLAIR_HEALTH_CHECK_SERVER_URL": fmt.Sprintf("http://%s:6061", c.harbor.NormalizeComponentName(containerregistryv1alpha1.ClairName)),
 				"CLAIR_URL":                     fmt.Sprintf("http://%s", c.harbor.NormalizeComponentName(containerregistryv1alpha1.ClairName)),
+				"CLAIR_URL_ADAPTER":             fmt.Sprintf("http://%s:%d", c.harbor.NormalizeComponentName(containerregistryv1alpha1.ClairName), clair.AdapterPublicPort),
 				"CORE_LOCAL_URL":                fmt.Sprintf("http://%s", c.harbor.NormalizeComponentName(containerregistryv1alpha1.CoreName)),
 				"CORE_URL":                      fmt.Sprintf("http://%s", c.harbor.NormalizeComponentName(containerregistryv1alpha1.CoreName)),
 				"JOBSERVICE_URL":                fmt.Sprintf("http://%s", c.harbor.NormalizeComponentName(containerregistryv1alpha1.JobServiceName)),