
pulling from private container registries? #30

Open
reschex opened this issue Nov 18, 2019 · 2 comments

Comments

reschex commented Nov 18, 2019

Hi

I'm trying to run the plugin against a helm chart using containers hosted on quay.io in a private registry.
I've looked at --help and the README, but it wasn't obvious how I can provide credentials for this scenario.

I can docker pull the images myself without problems, but snyk fails like so:

helm snyk test <chartdir>/
failed pulling image
err.statusCode: 500
err.message: (HTTP code 500) server error - unauthorized: access to the requested resource is not authorized
Error caught: (HTTP code 500) server error - unauthorized: access to the requested resource is not authorized

Thank you!

PS: in the readme, you're using stable/redis as an example chart, except the command doesn't really work like that - you need to run a helm fetch stable/redis --untar first, in which case the chart dir is just redis, or you need to run helm fetch stable/redis --untar --untardir stable :)

@maxjeffos (Contributor) commented

Hi @reschex. The plugin doesn't currently have a way to accept credentials for private image registries...

I can see a couple ways of getting around this...

  1. We could have an option like --no-pull or something which would skip trying to pull the images before we test them; that way you could just pull the images yourself and then test, and the plugin wouldn't fail upon trying to pull them.
  2. We could allow you to pass credentials into the plugin and then pass them through to the registry when we go to pull the images.

What do you think @reschex and also @garethr ?

reschex commented Dec 3, 2019

Hi @jeff-snyk, thanks for looking into this!

Tbh, either way would work for me, but option 1. feels like the less complicated option to implement.

I guess you could argue that the image in our remote repository could be very different from the image that I have locally tagged with the same name.
In that scenario, running the plugin with --no-pull would show results which don't reflect what ends up running in kubernetes.

Obviously this becomes a moot point when we're talking about integrating this in CI etc., and also a developer would have to maliciously tag a clean image with the wrong name & run the plugin to achieve what..? They'd fool the plugin and at the same time shoot themselves in the foot, so if they want to do that.. ¯\_(ツ)_/¯
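The concern raised above (a locally tagged image scanned with a --no-pull style option may not be the image the cluster actually pulls under that tag) disappears when chart image references are pinned by digest rather than by tag, because a digest names exactly one image. The following script is an added example, not part of the helm-snyk plugin or the original thread: it parses container image references out of a rendered Kubernetes manifest (constructed sample input standing in for `helm template` output) and reports which ones are tag-only and therefore ambiguous for an offline scan. The reference-splitting rules (registry detection, the docker.io/library default) follow the common Docker reference convention; the manifest content and image names are constructed for illustration.

```python
"""Report which container images a rendered Helm chart references without a digest.

Added example for the thread above; not code from the helm-snyk plugin.
A tag-only reference (repo:tag) can point at a different image tomorrow, or
locally versus in the cluster; a digest reference (repo@sha256:...) cannot.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample manifest, roughly what `helm template` renders:
# one digest-pinned image, one tag-only image, one bare name (implicit :latest).
RENDERED_MANIFEST = """
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
spec:
  template:
    spec:
      containers:
        - name: api
          image: quay.io/example-org/api@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
        - name: sidecar
          image: quay.io/example-org/sidecar:1.4.2
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cache
spec:
  template:
    spec:
      containers:
        - name: redis
          image: redis
"""

# Matches `image: <ref>` lines (optionally quoted, optionally a list item);
# does not match keys such as imagePullPolicy because of the literal colon.
IMAGE_LINE = re.compile(r'^\s*(?:-\s+)?image:\s*["\']?([^"\'\s]+)["\']?\s*$', re.MULTILINE)


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]

    @property
    def pinned(self) -> bool:
        """True when the reference names exactly one image (has a digest)."""
        return self.digest is not None


def parse_image_ref(ref: str) -> ImageRef:
    """Split a Docker-style reference into registry, repository, tag and digest.

    The first path component is a registry only if it contains '.' or ':' or is
    'localhost'; otherwise the name is relative to docker.io and a bare name
    gets the 'library/' prefix.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    name, sep, tag = ref.rpartition(":")
    # No ':' at all, or a ':' that belongs to a registry port (localhost:5000/x):
    # then there is no tag and the whole string is the name.
    if not sep or "/" in tag:
        name, tag = ref, None
    parts = name.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, repository = parts[0], "/".join(parts[1:])
    else:
        registry = "docker.io"
        repository = name if "/" in name else f"library/{name}"
    return ImageRef(registry, repository, tag, digest)


def extract_image_refs(manifest: str) -> List[str]:
    """Return every image reference string found in the rendered manifest."""
    return IMAGE_LINE.findall(manifest)


def unpinned_images(manifest: str) -> List[str]:
    """Return the references an offline scan cannot tie to one exact image."""
    return [ref for ref in extract_image_refs(manifest) if not parse_image_ref(ref).pinned]


if __name__ == "__main__":
    for ref in extract_image_refs(RENDERED_MANIFEST):
        parsed = parse_image_ref(ref)
        status = "pinned" if parsed.pinned else f"tag-only ({parsed.tag or 'latest'})"
        print(f"{parsed.registry}/{parsed.repository}: {status}")
```

Run against `helm template <chartdir>/` output, a non-empty result from `unpinned_images` is the set of images whose local and remote copies could diverge under the same name; pinning those by digest makes a scan of the pulled image a scan of what the cluster runs, regardless of which option the plugin ends up offering.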
