
fix: use login to private registry

Open afdesk opened this issue 10 months ago • 10 comments

Description

This PR updates the authorization method for accessing the private repository containing JavaDB, instead of downloading it.

This change eliminates unnecessary downloads of the heavy JavaDB image in scenarios where it is not needed, improving efficiency and reducing overhead.

It fixes the following similar bugs for ClientServer mode, which were already updated for Standalone:

  • #2353
  • #2073

NOTE: By design, the operator does not allow setting different usernames and passwords for multiple registries. Therefore, when downloading trivy-db and trivy-java-db from repositories that require authentication, you must use the same registry for both. Authentication will use the registry specified in the trivy.dbRepository field.

How it was tested

  1. A demo image was created - afdesk/trivy-operator:login:

     $ mage build:binary
     ...
     $ docker build --no-cache -t afdesk/trivy-operator:login -f ./build/trivy-operator/Dockerfile ./bin
     ...
     $ docker push afdesk/trivy-operator:login
     ...

  2. Prepare a private registry with Trivy DB/JavaDB:

     $ oras pull ghcr.io/aquasecurity/trivy-java-db:1
     ...
     $ oras push --artifact-type application/vnd.aquasec.trivy.config.v1+json docker.io/afdesk/private:1 javadb.tar.gz:application/vnd.aquasec.trivy.javadb.layer.v1.tar+gzip
     ...
     $ oras pull ghcr.io/aquasecurity/trivy-db:2
     ...
     $ oras push --artifact-type application/vnd.aquasec.trivy.config.v1+json \
         "docker.io/afdesk/private:2" \
         db.tar.gz:application/vnd.aquasec.trivy.db.layer.v1.tar+gzip
     ...

  3. Install the helm chart with custom params (https://github.com/afdesk/to-values/blob/main/private-registry.yaml):

     $ minikube stop && minikube delete && minikube start && kubectl wait --for=condition=Ready nodes --all
     ...
     $ helm install trivy-operator aquasecurity/trivy-operator \
         --create-namespace --namespace trivy-system \
         --values private-registry.yaml --set trivy.dbRepositoryPassword=MySuperPassword

  4. Run a tomcat:9 pod with Java artifacts:

     $ kubectl run my-tomcat --image tomcat:9

  5. Get a report:

     $ kubectl get vulnerabilityreports.aquasecurity.github.io -o wide
     NAME                      REPOSITORY       TAG   SCANNER   AGE   CRITICAL   HIGH   MEDIUM   LOW   UNKNOWN
     pod-my-tomcat-my-tomcat   library/tomcat   9     Trivy     17s   0          0      11       28    0...

Related issues

  • Close #2510
  • Close #1836

References:

  • https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#log-in-to-docker-hub

Checklist

  • [ ] I've read the guidelines for contributing to this repository.
  • [ ] I've added tests that prove my fix is effective or that my feature works.
  • [ ] I've updated the documentation with the relevant information (if needed).
  • [ ] I've added usage information (if the PR introduces new options)
  • [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).

afdesk avatar Jun 06 '25 07:06 afdesk
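The NOTE in the description (trivy-db and trivy-java-db must sit on the same registry, and the credentials are applied to the registry taken from trivy.dbRepository) is easy to get wrong in a values file. The following is an added example, not code from this PR or the trivy-operator project: a POSIX sh check that extracts the registry host from each repository reference using the Docker reference rules and rejects a pair on different registries; the trivy.javaDbRepository key name is assumed from the chart's values, and the sample references mirror the test setup above.

```shell
#!/bin/sh
# Added example, not from the trivy-operator project: validate that the
# trivy-db and trivy-java-db repositories configured for the operator live on
# the same registry, since the operator carries one username/password and
# authenticates against the registry part of trivy.dbRepository only.

# Print the registry host of an OCI reference, following the Docker reference
# rules: the first path component is a registry only if it is "localhost" or
# contains '.' or ':'; anything else (e.g. "afdesk/private:1") is on docker.io.
registry_of() {
    case "$1" in
        */*) first=${1%%/*} ;;
        *)   echo "docker.io"; return 0 ;;
    esac
    case "$first" in
        localhost|*.*|*:*) echo "$first" ;;
        *)                 echo "docker.io" ;;
    esac
}

# Succeed only if both references resolve to the same registry host.
same_registry() {
    [ "$(registry_of "$1")" = "$(registry_of "$2")" ]
}

# Report whether a (dbRepository, javaDbRepository) pair is usable with a
# single set of credentials; trivy.javaDbRepository is the assumed key name.
check_values() {
    db_reg=$(registry_of "$1")
    java_reg=$(registry_of "$2")
    if [ "$db_reg" = "$java_reg" ]; then
        echo "ok: both databases on $db_reg; the trivy.dbRepositoryPassword credentials apply to both"
        return 0
    fi
    echo "error: trivy.dbRepository is on $db_reg but trivy.javaDbRepository is on $java_reg;" \
         "the operator only logs in to $db_reg, so the java-db pull would not get those credentials" >&2
    return 1
}

# Usage: ./check-db-registries.sh <trivy.dbRepository> <trivy.javaDbRepository>
# The PR's test setup used docker.io/afdesk/private:2 and docker.io/afdesk/private:1.
if [ $# -eq 2 ]; then
    check_values "$1" "$2"
fi
```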

> NOTE: By design, the operator does not allow setting different usernames and passwords for multiple registries. Therefore, when downloading trivy-db and trivy-java-db from repositories that require authentication, you must use the same registry for both. Authentication will use the registry specified in the trivy.dbRepository field.

Is this documented somewhere? If not, we should as it's a limitation today which may impact users.

simar7 avatar Jun 09 '25 16:06 simar7

> Is this documented somewhere? If not, we should as it's a limitation today which may impact users.

Sure, I've added the following block here: https://aquasecurity.github.io/trivy-operator/latest/docs/vulnerability-scanning/private-registries/

afdesk avatar Jun 10 '25 16:06 afdesk

@simar7 I finally re-tested this PR and it's ready for your review.

afdesk avatar Jul 14 '25 10:07 afdesk

@simar7 rebased the main branch and tested on Minikube

afdesk avatar Sep 09 '25 09:09 afdesk

@simar7 could you pls take another look? thanks

afdesk avatar Sep 18 '25 10:09 afdesk

@simar7 could you please prioritize this PR?

The key change here is the removal of duplicate logic shared between the server and standalone modes.

This will simplify maintenance, reduce the risk of inconsistencies, and make future changes much easier to implement.

afdesk avatar Oct 17 '25 05:10 afdesk

> @simar7 could you please prioritize this PR?
>
> The key change here is the removal of duplicate logic shared between the server and standalone modes.
>
> This will simplify maintenance, reduce the risk of inconsistencies, and make future changes much easier to implement.

I'll take a look once I'm back. So we could aim it for the November end release.

simar7 avatar Oct 17 '25 14:10 simar7

> I'll take a look once I'm back. So we could aim it for the November end release.

@simar7 sure! have a good vacation!

afdesk avatar Oct 18 '25 01:10 afdesk

@afdesk could you rebase this PR?

simar7 avatar Dec 05 '25 06:12 simar7

> @afdesk could you rebase this PR?

done

afdesk avatar Dec 10 '25 13:12 afdesk