The Harbor Scanner Adapter for Clair is a service that translates the Harbor scanning API into Clair API calls, allowing Harbor to use Clair to produce vulnerability reports for images stored in a Harbor registry as part of its vulnerability scan feature.
See Proposal: Pluggable Image Vulnerability Scanning for more details.
Configuration of the adapter is done via environment variables at startup.
| Name | Default Value | Description |
|---|---|---|
| SCANNER_LOG_LEVEL | info | The log level: one of trace, debug, info, warn, warning, error, fatal or panic. The standard logger logs entries with that level or anything above it. |
| SCANNER_API_SERVER_ADDR | :8080 | Binding address for the API HTTP server. |
| SCANNER_API_SERVER_TLS_CERTIFICATE | | The absolute path to the x509 certificate file. |
| SCANNER_API_SERVER_TLS_KEY | | The absolute path to the x509 private key file. |
| SCANNER_TLS_INSECURE_SKIP_VERIFY | false | Controls whether an HTTP client verifies the server's certificate chain and host name. |
| SCANNER_TLS_CLIENTCAS | | An array of absolute paths to x509 CA files that will be added to the host's root CA set. |
| SCANNER_API_SERVER_READ_TIMEOUT | 15s | The maximum duration for reading the entire request, including the body. |
| SCANNER_API_SERVER_WRITE_TIMEOUT | 15s | The maximum duration before timing out writes of the response. |
| SCANNER_API_SERVER_IDLE_TIMEOUT | 60s | The maximum amount of time to wait for the next request when keep-alives are enabled. |
| SCANNER_CLAIR_URL | http://harbor-harbor-clair:6060 | Clair URL. |
| SCANNER_CLAIR_DATABASE_URL | | The Clair database URL, used to fetch the last update time of Clair's vulnerability database. Its format is postgresql://user:password@host/db?sslmode=disable |
| SCANNER_STORE_REDIS_URL | redis://harbor-harbor-redis:6379 | Redis server URI for a Redis store. The URI supports schemes for a standalone Redis server, i.e. redis://user:password@standalone_host:port/db-number, and for a Redis Sentinel deployment, i.e. redis+sentinel://user:password@sentinel_host1:port1,sentinel_host2:port2/monitor-name/db-number |
| SCANNER_STORE_REDIS_POOL_MAX_ACTIVE | 5 | The maximum number of connections allocated by the pool for a Redis store. |
| SCANNER_STORE_REDIS_POOL_MAX_IDLE | 5 | The maximum number of idle connections in the pool for a Redis store. |
| SCANNER_STORE_REDIS_POOL_IDLE_TIMEOUT | 5m | Close connections after remaining idle for this duration. |
| SCANNER_STORE_REDIS_POOL_CONNECTION_TIMEOUT | 1s | The timeout for connecting to the Redis server. |
| SCANNER_STORE_REDIS_POOL_READ_TIMEOUT | 1s | The timeout for reading a single Redis command reply. |
| SCANNER_STORE_REDIS_POOL_WRITE_TIMEOUT | 1s | The timeout for writing a single Redis command. |
| SCANNER_STORE_REDIS_NAMESPACE | harbor.scanner.clair:store | A namespace for keys in a Redis store. |
| SCANNER_STORE_REDIS_SCAN_JOB_TTL | 1h | The time to live for persisting scan jobs and associated scan reports. |
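To make the two SCANNER_STORE_REDIS_URL forms from the table concrete, here is an added example (not the adapter's own code) that parses a value into its standalone or Sentinel components and rejects values that match neither form; the hostnames and the RedisStore type are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// RedisStore is the parsed form of a SCANNER_STORE_REDIS_URL value (illustrative type).
type RedisStore struct {
	Sentinel bool
	Hosts    []string // standalone host:port, or every sentinel host:port
	Monitor  string   // Sentinel monitor (master) name; empty for standalone
	DB       int      // db-number, 0 when omitted
}

// ParseRedisURL accepts both forms from the configuration table: redis://user:password@host:port/db-number
// and redis+sentinel://user:password@h1:p1,h2:p2/monitor-name/db-number (db-number is optional, default 0).
func ParseRedisURL(raw string) (RedisStore, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return RedisStore{}, err
	}
	if u.Host == "" {
		return RedisStore{}, errors.New("redis url: missing host")
	}
	st := RedisStore{Hosts: strings.Split(u.Host, ",")} // net/url keeps the comma-separated list in Host
	segs := strings.FieldsFunc(u.Path, func(r rune) bool { return r == '/' })
	switch u.Scheme {
	case "redis":
	case "redis+sentinel":
		if len(segs) == 0 {
			return RedisStore{}, errors.New("redis+sentinel url: missing monitor-name")
		}
		st.Sentinel, st.Monitor, segs = true, segs[0], segs[1:]
	default:
		return RedisStore{}, fmt.Errorf("redis url: unsupported scheme %q", u.Scheme)
	}
	if len(segs) > 1 {
		return RedisStore{}, fmt.Errorf("redis url: unexpected path %q", u.Path)
	}
	if len(segs) == 1 {
		if st.DB, err = strconv.Atoi(segs[0]); err != nil || st.DB < 0 {
			return RedisStore{}, fmt.Errorf("redis url: bad db-number %q", segs[0])
		}
	}
	return st, nil
}
```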
- Configure the Docker client to use the Docker Engine in minikube:

  ```bash
  eval $(minikube docker-env -p harbor)
  ```

- Build the Docker container:

  ```bash
  make container
  ```

- Configure the adapter to handle TLS traffic:

  - Generate certificate and private key files:

    ```bash
    openssl genrsa -out tls.key 2048
    openssl req -new -x509 \
      -key tls.key \
      -out tls.crt \
      -days 365 \
      -subj /CN=harbor-scanner-clair
    ```

  - Create a tls secret from the two generated files:

    ```bash
    kubectl create secret tls harbor-scanner-clair-tls \
      --cert=tls.crt \
      --key=tls.key
    ```

- Create the harbor-scanner-clair deployment and service:

  ```bash
  kubectl apply -f kube/harbor-scanner-clair.yaml
  ```

- If everything is fine you should be able to get the scanner's metadata (curl's -k skips certificate verification because the certificate generated above is self-signed):

  ```bash
  kubectl port-forward service/harbor-scanner-clair 8443:8443 &> /dev/null &
  curl -vk https://localhost:8443/api/v1/metadata | jq
  ```