Constants ¶
// Clair Modes.
//
// Each constant names a value for Config.Mode and selects which components
// a Clair process runs.
const (
	// Run this mode to receive Manifests and create IndexReports.
	IndexerMode = "indexer"
	// Run this mode to retrieve IndexReports and create VulnerabilityReports.
	MatcherMode = "matcher"
	// Run this mode to run all modes in a single Clair instance.
	ComboMode = "combo"
	// Run this mode to listen for Updates and send notifications when they occur.
	NotifierMode = "notifier"
)
Clair Modes
// DefaultAddress is used if an http_listen_addr is not provided in the config.
//
// The empty host means "listen on all interfaces"; deployments that should
// not be reachable from every network should set http_listen_addr explicitly.
const DefaultAddress = ":6060"
DefaultAddress is used if an http_listen_addr is not provided in the config.
Types ¶
type Auth ¶
// Auth holds the specific configs for different authentication methods.
//
// These should be pointers to structs, so that it's possible to distinguish
// between "absent" and "present and misconfigured."
type Auth struct {
	// PSK configures pre-shared key based authentication.
	// A nil value means this method is absent.
	PSK *AuthPSK `yaml:"psk,omitempty" json:"psk,omitempty"`
	// Keyserver configures authentication with the Quay keyserver protocol.
	// A nil value means this method is absent.
	Keyserver *AuthKeyserver `yaml:"keyserver,omitempty" json:"keyserver,omitempty"`
}
Auth holds the specific configs for different authentication methods.
These should be pointers to structs, so that it's possible to distinguish between "absent" and "present and misconfigured."
type AuthKeyserver ¶
// AuthKeyserver is the configuration for doing authentication with the Quay
// keyserver protocol.
//
// The "Intraservice" key is only needed when the overall config mode is not
// "combo".
type AuthKeyserver struct {
	// API locates the keyserver API (presumably a URL; confirm against the
	// Quay keyserver protocol documentation).
	API string `yaml:"api" json:"api"`
	// Intraservice is the key used when the config mode is not "combo".
	//
	// This is secret key material: keep it out of logs and restrict read
	// access to any config file that carries it.
	Intraservice []byte `yaml:"intraservice" json:"intraservice"`
}
AuthKeyserver is the configuration for doing authentication with the Quay keyserver protocol.
The "Intraservice" key is only needed when the overall config mode is not "combo".
func (*AuthKeyserver) MarshalYAML ¶
func (a *AuthKeyserver) MarshalYAML() (interface{}, error)
MarshalYAML implements yaml.Marshaler.
func (*AuthKeyserver) UnmarshalYAML ¶
func (a *AuthKeyserver) UnmarshalYAML(f func(interface{}) error) error
UnmarshalYAML implements yaml.Unmarshaler.
type AuthPSK ¶
AuthPSK is the configuration for doing pre-shared key based authentication.
The "Issuer" key is what the service expects to verify as the "issuer" claim.
func (*AuthPSK) MarshalYAML ¶
MarshalYAML implements yaml.Marshaler.
func (*AuthPSK) UnmarshalYAML ¶
UnmarshalYAML implements yaml.Unmarshaler.
type Config ¶
// Config is the top-level configuration for a Clair instance.
//
// Mode selects which of the component configurations below are used; the
// remaining fields are read from the YAML/JSON config file.
type Config struct {
	// One of the following strings
	// Sets which mode the clair instances will run in
	//
	// "indexer": runs just the indexer node
	// "matcher": runs just the matcher node
	// "notifier": runs just the notifier node
	// "combo": will run both indexer and matcher on the same node.
	//
	// The field is excluded from YAML and JSON (tag "-"), so it is not read
	// from the config file; presumably the process sets it from its
	// command line.
	Mode string `yaml:"-" json:"-"`
	// A string in <host>:<port> format where <host> can be an empty string.
	//
	// exposes Clair node's functionality to the network.
	// see /openapi/v1 for api spec.
	//
	// DefaultAddress is used when this is not provided.
	HTTPListenAddr string `yaml:"http_listen_addr" json:"http_listen_addr"`
	// A string in <host>:<port> format where <host> can be an empty string.
	//
	// exposes Clair's metrics and health endpoints.
	IntrospectionAddr string `yaml:"introspection_addr" json:"introspection_addr"`
	// Set the logging level.
	//
	// One of the following strings:
	// "debug-color"
	// "debug"
	// "info"
	// "warn"
	// "error"
	// "fatal"
	// "panic"
	LogLevel string `yaml:"log_level" json:"log_level"`
	// Indexer configures the Indexer node.
	Indexer Indexer `yaml:"indexer" json:"indexer"`
	// Matcher configures the Matcher node.
	Matcher Matcher `yaml:"matcher" json:"matcher"`
	// Matchers selects and configures the individual matcher implementations.
	Matchers Matchers `yaml:"matchers" json:"matchers"`
	// Updaters selects and configures the vulnerability updaters.
	Updaters Updaters `yaml:"updaters,omitempty" json:"updaters,omitempty"`
	// Notifier configures the Notifier node.
	Notifier Notifier `yaml:"notifier" json:"notifier"`
	// Auth configures inter-service authentication.
	Auth Auth `yaml:"auth" json:"auth"`
	// Trace configures distributed tracing.
	Trace Trace `yaml:"trace" json:"trace"`
	// Metrics configures metrics export.
	Metrics Metrics `yaml:"metrics" json:"metrics"`
}
func (*Config) Client ¶
func (cfg *Config) Client(next http.RoundTripper, cl *jwt.Claims) (c *http.Client, authed bool, err error)
Client returns an http.Client configured according to the supplied configuration.
If nil is passed for the claims, the returned client does no signing.
It returns an *http.Client and a boolean indicating whether the client is configured for authentication, or an error that occurred during construction.
type Indexer ¶
// Indexer provides Clair Indexer node configuration.
type Indexer struct {
	// A Postgres connection string.
	//
	// formats
	// url: "postgres://pqgotest:password@localhost/pqgotest?sslmode=verify-full"
	// or
	// string: "user=pqgotest dbname=pqgotest sslmode=verify-full"
	//
	// The string may embed a database password, so treat the config file
	// as a secret and do not echo this value into logs.
	ConnString string `yaml:"connstring" json:"connstring"`
	// A positive value representing seconds.
	//
	// Concurrent Indexers lock on manifest scans to avoid clobbering.
	// This value tunes how often a waiting Indexer will poll for the lock.
	// TODO: Move to async operating mode
	ScanLockRetry int `yaml:"scanlock_retry" json:"scanlock_retry"`
	// A positive value representing quantity.
	//
	// Indexers will index a Manifest's layers concurrently.
	// This value tunes the number of layers an Indexer will scan in parallel.
	LayerScanConcurrency int `yaml:"layer_scan_concurrency" json:"layer_scan_concurrency"`
	// A "true" or "false" value
	//
	// Whether Indexer nodes handle migrations to their database.
	Migrations bool `yaml:"migrations" json:"migrations"`
	// Scanner allows for passing configuration options to layer scanners.
	Scanner ScannerConfig `yaml:"scanner" json:"scanner"`
	// Airgap disables scanners that have signaled they expect to talk to the
	// Internet.
	Airgap bool `yaml:"airgap" json:"airgap"`
}
Indexer provides Clair Indexer node configuration.
type Jaeger ¶
// Jaeger holds Jaeger-specific distributed tracing configuration.
type Jaeger struct {
	// Agent configures reporting to a Jaeger agent.
	Agent struct {
		// Endpoint is the agent address; format not stated here — verify
		// against the Jaeger exporter in use.
		Endpoint string `yaml:"endpoint" json:"endpoint"`
	} `yaml:"agent" json:"agent"`
	// Collector configures reporting directly to a Jaeger collector.
	Collector struct {
		// Endpoint is the collector address.
		Endpoint string `yaml:"endpoint" json:"endpoint"`
		// Username is an optional collector credential; nil means unset.
		Username *string `yaml:"username" json:"username"`
		// Password is an optional collector credential; nil means unset.
		// It is a secret: keep it out of logs and rendered config dumps.
		Password *string `yaml:"password" json:"password"`
	} `yaml:"collector" json:"collector"`
	// ServiceName is the service name reported with traces.
	ServiceName string `yaml:"service_name" json:"service_name"`
	// Tags are attached to reported spans as key/value pairs.
	Tags map[string]string `yaml:"tags" json:"tags"`
	// BufferMax bounds the exporter's buffer; the unit is not stated here.
	BufferMax int `yaml:"buffer_max" json:"buffer_max"`
}
Jaeger-specific distributed tracing configuration.
type Matcher ¶
// Matcher provides Clair Matcher node configuration.
type Matcher struct {
	// A Postgres connection string.
	//
	// Formats:
	// url: "postgres://pqgotest:password@localhost/pqgotest?sslmode=verify-full"
	// or
	// string: "user=pqgotest dbname=pqgotest sslmode=verify-full"
	//
	// The string may embed a database password, so treat the config file
	// as a secret and do not echo this value into logs.
	ConnString string `yaml:"connstring" json:"connstring"`
	// A positive integer
	//
	// Clair allows for a custom connection pool size.
	// This number will directly set how many active sql
	// connections are allowed concurrently.
	MaxConnPool int `yaml:"max_conn_pool" json:"max_conn_pool"`
	// A string in <host>:<port> format where <host> can be an empty string.
	//
	// A Matcher contacts an Indexer to create a VulnerabilityReport.
	// The location of this Indexer is required.
	IndexerAddr string `yaml:"indexer_addr" json:"indexer_addr"`
	// A "true" or "false" value
	//
	// Whether Matcher nodes handle migrations to their databases.
	Migrations bool `yaml:"migrations" json:"migrations"`
	// Period controls how often updaters are run.
	//
	// The default is 30 minutes.
	Period time.Duration `yaml:"period" json:"period"`
	// DisableUpdaters disables the updater's running of matchers.
	//
	// This should be toggled on if vulnerabilities are being provided by
	// another mechanism.
	DisableUpdaters bool `yaml:"disable_updaters" json:"disable_updaters"`
	// UpdateRetention controls the number of updates to retain between
	// garbage collection periods.
	//
	// The lowest possible value is 2 in order to compare updates for notification
	// purposes.
	//
	// A value of 0 disables GC.
	UpdateRetention int `yaml:"update_retention" json:"update_retention"`
}
type Matchers ¶
// Matchers selects which matcher implementations run and carries their
// per-matcher configuration.
type Matchers struct {
	// A slice of strings representing which
	// matchers will be used.
	//
	// If nil all default Matchers will be used
	//
	// The following names are supported by default:
	// "alpine"
	// "aws"
	// "debian"
	// "oracle"
	// "photon"
	// "python"
	// "rhel"
	// "suse"
	// "ubuntu"
	// "crda" - remotematcher calls hosted api via RPC.
	Names []string `yaml:"names" json:"names"`
	// Config holds configuration blocks for MatcherFactories and Matchers,
	// keyed by name.
	//
	// The blocks are kept as raw yaml.Node values; each matcher decodes its
	// own block, so their schemas are defined by the matcher implementations.
	Config map[string]yaml.Node `yaml:"config" json:"config"`
}
type Metrics ¶
// Metrics configures metrics export.
type Metrics struct {
	// Name selects the metrics backend; "prometheus" is the only backend
	// with a configuration block below — confirm accepted values against
	// the code that reads this field.
	Name string `yaml:"name" json:"name"`
	// Prometheus holds Prometheus-specific settings.
	Prometheus Prometheus `yaml:"prometheus" json:"prometheus"`
}
Configure Metrics.
type Notifier ¶
// Notifier provides Clair Notifier node configuration.
type Notifier struct {
	// A Postgres connection string.
	//
	// Formats:
	// url: "postgres://pqgotest:password@localhost/pqgotest?sslmode=verify-full"
	// or
	// string: "user=pqgotest dbname=pqgotest sslmode=verify-full"
	//
	// The string may embed a database password, so treat the config file
	// as a secret and do not echo this value into logs.
	ConnString string `yaml:"connstring" json:"connstring"`
	// A "true" or "false" value
	//
	// Whether Notifier nodes handle migrations to their database.
	Migrations bool `yaml:"migrations" json:"migrations"`
	// A string in <host>:<port> format where <host> can be an empty string.
	//
	// A Notifier contacts an Indexer to obtain manifests affected by vulnerabilities.
	// The location of this Indexer is required.
	IndexerAddr string `yaml:"indexer_addr" json:"indexer_addr"`
	// A string in <host>:<port> format where <host> can be an empty string.
	//
	// A Notifier contacts a Matcher to list update operations and acquire diffs.
	// The location of this Matcher is required.
	MatcherAddr string `yaml:"matcher_addr" json:"matcher_addr"`
	// A time.ParseDuration parsable string
	//
	// The frequency at which the notifier will query the Matcher for Update Operations.
	// If a value smaller than 1 second is provided it will be replaced with the
	// default 5 second poll interval.
	PollInterval time.Duration `yaml:"poll_interval" json:"poll_interval"`
	// A time.ParseDuration parsable string
	//
	// The frequency at which the notifier attempts delivery of created or previously failed
	// notifications.
	// If a value smaller than 1 second is provided it will be replaced with the
	// default 5 second delivery interval.
	DeliveryInterval time.Duration `yaml:"delivery_interval" json:"delivery_interval"`
	// DisableSummary disables summarizing vulnerabilities per-manifest.
	//
	// The default is to summarize any new vulnerabilities to the most severe
	// one, in the thought that any additional processing for end-user
	// notifications can have policies around severity and fetch a complete
	// VulnerabilityReport if it'd like.
	//
	// For a machine-consumption use case, it may be easier to instead have the
	// notifier push all the data.
	DisableSummary bool `yaml:"disable_summary" json:"disable_summary"`
	// Only one of the following should be provided in the configuration.
	// A nil pointer means that delivery mechanism is not configured.
	//
	// Configures the notifier for webhook delivery
	Webhook *webhook.Config `yaml:"webhook" json:"webhook"`
	// Configures the notifier for AMQP delivery.
	AMQP *amqp.Config `yaml:"amqp" json:"amqp"`
	// Configures the notifier for STOMP delivery.
	STOMP *stomp.Config `yaml:"stomp" json:"stomp"`
}
Notifier provides Clair Notifier node configuration.
type Prometheus ¶
// Prometheus holds Prometheus-specific metrics configuration.
type Prometheus struct {
	// Endpoint is a URL path where
	// Prometheus metrics will be hosted.
	//
	// A nil value means no path was configured; the default path, if any,
	// is chosen by the code that reads this field.
	Endpoint *string `yaml:"endpoint" json:"endpoint"`
}
Prometheus-specific metrics configuration.
type ScannerConfig ¶
type Trace ¶
// Trace configures distributed tracing via OTEL.
type Trace struct {
	// Name selects the tracing exporter; "jaeger" is the only exporter with
	// a configuration block below — confirm accepted values against the
	// code that reads this field.
	Name string `yaml:"name" json:"name"`
	// Probability is the sampling probability; nil means unset and the
	// reader's default applies. Presumably in [0, 1] — confirm.
	Probability *float64 `yaml:"probability" json:"probability"`
	// Jaeger holds Jaeger-specific settings.
	Jaeger Jaeger `yaml:"jaeger" json:"jaeger"`
}
Configures distributed tracing via OTEL.
type Updaters ¶
// Updaters configures updater behavior.
type Updaters struct {
	// A slice of strings representing which
	// updaters will be used.
	//
	// If nil all default UpdaterSets will be used
	//
	// The following sets are supported by default:
	// "alpine"
	// "aws"
	// "debian"
	// "oracle"
	// "photon"
	// "pyupio"
	// "rhel"
	// "suse"
	// "ubuntu"
	Sets []string `yaml:"sets,omitempty" json:"sets,omitempty"`
	// Config holds configuration blocks for UpdaterFactories and Updaters,
	// keyed by name.
	//
	// These are defined by the updater implementation and can't be documented
	// here. Improving the documentation for these is an open issue.
	Config map[string]yaml.Node `yaml:"config" json:"config"`
	// Filter is a regexp that disallows updaters that do not match from
	// running.
	//
	// Because it is compiled as a regexp, an anchored pattern (for example
	// "^debian$") is needed to match one updater name exactly.
	//
	// TODO(louis): this is only used in clairctl, should we keep this?
	// it may offer an escape hatch for a particular updater name
	// from running, vs disabling the updater set completely.
	Filter string `yaml:"filter" json:"filter"`
}
Updaters configures updater behavior.
func (*Updaters) FilterSets ¶
func (u *Updaters) FilterSets(m map[string]driver.UpdaterSetFactory)