stackrox
fix(scanner): Scanner V4 client makes unnecessary connections
Description
Followup to https://github.com/stackrox/stackrox/pull/11161 which actually failed to fix the problem.
The Scanner V4 client now requires users to specify the address(es) for the Indexer and/or Matcher. This way, the user must explicitly tell the client library which one (or both) of the components to reach out to. For example, only specifying the Indexer's address means the client will only reach out to the Indexer, and not the matcher.
While I was already updating the clients, I also took the time to fix the certificate verification errors we were running into when running scanner and scannerctl locally (as opposed to deployed to k8s).
This is done by making it clear Scanner V4 is a StackRox service, so it will verify the certificate in that context. See here for more information. This PR now makes isServiceCert(leaf, v.subject) == true.
Caveat: this currently only works when running in combo mode locally (as in, --insecure-skip-tls-verify is still required for non-combo mode), but I think that's ok at this time. The main use cases for scannerctl are for running combo-mode locally or running against non-combo-mode scanners in k8s/openshift clusters. The latter was already supported, so we now support the former, too.
User-facing documentation
- [x] CHANGELOG update is not needed
- [x] Documentation is not needed
Testing
- [x] inspected CI results
Automated testing
- [x] contributed no automated tests
How I validated my change
All from the scanner/ directory.
In one Terminal window, run Scanner V4 in combo-mode:

```shell
go run ./cmd/scanner -conf config.yaml
```

where config.yaml is (note: this is individual work setup specific):

```yaml
indexer:
  enable: true
  database:
    conn_string: "host=127.0.0.1 port=5432 sslmode=disable"
  get_layer_timeout: 1m
matcher:
  enable: true
  database:
    conn_string: "host=127.0.0.1 port=5432 sslmode=disable"
mtls:
  certs_dir: certs/scanner-v4
log_level: debug
```
Note: You will also need to be running Postgres at 127.0.0.1:5432 (I'm using PostgreSQL 15).
In another window, run:

```shell
make certs
```

to create the certificates. Then, run:

```shell
go run ./cmd/scannerctl --indexer-address ":8443" --matcher-address ":8443" --certs "certs/scannerctl/" scan https://quay.io/stackrox-io/scanner:4.4.4
```
You'll see:

```text
2024/07/11 13:37:01 auth unspecified: using anonymous auth (use ROX_SCANNERCTL_BASIC_AUTH to set auth)
2024/07/11 13:37:02 image digest: sha256:c6417707b9b3d082e86ceb91f8d3a8bcaa2726105ea2f4035ca13285137627ea
Error: scanning: get vulns: rpc error: code = FailedPrecondition desc = the matcher is not initialized: initial load for the vulnerability store is in progress
2024/07/11 13:37:02 scanning: get vulns: rpc error: code = FailedPrecondition desc = the matcher is not initialized: initial load for the vulnerability store is in progress
exit status 1
```
This error is ok and expected. The main point is to notice we successfully reached out to both the Indexer and Matcher (can only get this error if this is true).
Also, note this no longer has cert errors. This is as opposed to what we used to see:

```text
2024/07/11 11:39:20 auth unspecified: using anonymous auth (use ROX_SCANNERCTL_BASIC_AUTH to set auth)
2024/07/11 11:39:20 image digest: sha256:c6417707b9b3d082e86ceb91f8d3a8bcaa2726105ea2f4035ca13285137627ea
{"level":"debug","component":"scanner/client","image":"quay.io/stackrox-io/scanner@sha256:c6417707b9b3d082e86ceb91f8d3a8bcaa2726105ea2f4035ca13285137627ea","rpc":"indexer.GetOrCreateIndexReport","method":"GetOrCreateImageIndex","error":"rpc error: code = Unavailable desc = last connection error: connection error: desc = \"transport: authentication handshake failed: x509: “scanner-v4.stackrox” certificate is not trusted\"","duration":903.79152,"time":"2024-07-11T11:39:20-04:00","message":"retrying gRPC call"}
```
Next, run the following to connect to the indexer, only:

```shell
go run ./cmd/scannerctl --indexer-address ":8443" --certs "certs/scannerctl/" --insecure-skip-tls-verify scan https://quay.io/stackrox-io/scanner:4.4.4
```
You'll see the following output:

```text
2024/07/11 13:34:44 auth unspecified: using anonymous auth (use ROX_SCANNERCTL_BASIC_AUTH to set auth)
2024/07/11 13:34:44 image digest: sha256:c6417707b9b3d082e86ceb91f8d3a8bcaa2726105ea2f4035ca13285137627ea
Error: scanning: matcher not configured
2024/07/11 13:34:44 scanning: matcher not configured
exit status 1
```
This failure is ok and expected. The main point is to notice the matcher client was not configured.
Now run it again but with --index-only:

```shell
go run ./cmd/scannerctl --indexer-address ":8443" --certs "certs/scannerctl/" --insecure-skip-tls-verify scan --index-only https://quay.io/stackrox-io/scanner:4.4.4
```
You'll find we get the index report, no problem.
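The address contract from the Description and the three scannerctl runs above, as a small Go model added for this write-up (not the stackrox client library's code): the client dials only the components whose addresses it was given, and a missing Matcher fails before any connection is opened. `Client`, `NewClient` and `Scan` are hypothetical names, and a bare TCP dial stands in for the gRPC calls.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
)

// Returned before any dial when the caller did not name the Matcher (see the output above).
var ErrMatcherNotConfigured = errors.New("matcher not configured")

// Client holds one optional address per Scanner V4 component; an empty address
// means that component is never dialed. Hypothetical model of the behaviour
// described in the PR, not the stackrox client library's real API.
type Client struct {
	IndexerAddr, MatcherAddr string
}

// NewClient refuses a configuration that names neither component.
func NewClient(indexerAddr, matcherAddr string) (*Client, error) {
	if indexerAddr == "" && matcherAddr == "" {
		return nil, errors.New("at least one of indexer or matcher address is required")
	}
	return &Client{IndexerAddr: indexerAddr, MatcherAddr: matcherAddr}, nil
}

// Scan dials the Indexer and, unless indexOnly, the Matcher; the Matcher check runs before any dial.
func (c *Client) Scan(ctx context.Context, indexOnly bool) error {
	targets := []string{c.IndexerAddr}
	if !indexOnly {
		if c.MatcherAddr == "" {
			return ErrMatcherNotConfigured
		}
		targets = append(targets, c.MatcherAddr)
	}
	for _, addr := range targets { // each dial stands in for a real gRPC call
		conn, err := (&net.Dialer{}).DialContext(ctx, "tcp", addr)
		if err != nil {
			return fmt.Errorf("dial %s: %w", addr, err)
		}
		conn.Close()
	}
	return nil
}

func main() {
	c, _ := NewClient("127.0.0.1:8443", "") // indexer only, like the second scannerctl run
	fmt.Println("full scan:", c.Scan(context.Background(), false))
}
```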