fix(cli): Handle registries with basic authentication mechanism (aqua…

…security#265) Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
cnwaldron · Dec 5, 2020 · 7805e21 · 7805e21
1 parent 1e2e23e
commit 7805e21
Show file tree

Hide file tree

Showing 30 changed files with 1,766 additions and 450 deletions.
diff --git a/cmd/scanner-aqua/main.go b/cmd/scanner-aqua/main.go
@@ -5,12 +5,11 @@ import (
 	"log"
 	"os"
 
-	"github.com/spf13/cobra"
-
 	"github.com/aquasecurity/starboard/pkg/apis/aquasecurity/v1alpha1"
 	"github.com/aquasecurity/starboard/pkg/operator/aqua/client"
 	"github.com/aquasecurity/starboard/pkg/operator/aqua/scanner/api"
 	"github.com/aquasecurity/starboard/pkg/operator/aqua/scanner/cli"
+	"github.com/spf13/cobra"
 )
 
 const (

diff --git a/cmd/starboard-operator/main.go b/cmd/starboard-operator/main.go
@@ -4,23 +4,18 @@ import (
 	"fmt"
 
 	"github.com/aquasecurity/starboard/pkg/operator"
-
-	"github.com/aquasecurity/starboard/pkg/starboard"
-
-	"sigs.k8s.io/controller-runtime/pkg/log/zap"
-
 	"github.com/aquasecurity/starboard/pkg/operator/etc"
+	"github.com/aquasecurity/starboard/pkg/starboard"
 	"sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 )
 
 var (
-	// GoReleaser sets three ldflags:
+	// These variables are populated by GoReleaser via ldflags
 	version = "dev"
 	commit  = "none"
 	date    = "unknown"
-)
 
-var (
 	buildInfo = starboard.BuildInfo{
 		Version: version,
 		Commit:  commit,
@@ -32,9 +27,10 @@ var (
 	setupLog = log.Log.WithName("main")
 )
 
+// main is the entrypoint of the Starboard Operator executable command.
 func main() {
 	if err := run(); err != nil {
-		setupLog.Error(err, "Unable to run manager")
+		setupLog.Error(err, "Unable to run starboard operator")
 	}
 }
 

diff --git a/cmd/starboard/main.go b/cmd/starboard/main.go
@@ -4,29 +4,33 @@ import (
 	"fmt"
 	"os"
 
+	"github.com/aquasecurity/starboard/pkg/cmd"
 	"github.com/aquasecurity/starboard/pkg/starboard"
-
 	"k8s.io/klog"
 
-	"github.com/aquasecurity/starboard/pkg/cmd"
-
 	// Load all known auth plugins
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 )
 
 var (
-	// These variables are populated by GoReleases via ldflags
+	// These variables are populated by GoReleaser via ldflags
 	version = "dev"
 	commit  = "none"
 	date    = "unknown"
+
+	buildInfo = starboard.BuildInfo{
+		Version: version,
+		Commit:  commit,
+		Date:    date,
+	}
 )
 
+// main is the entrypoint of the Starboard CLI executable command.
 func main() {
 	defer klog.Flush()
 	klog.InitFlags(nil)
 
-	version := starboard.BuildInfo{Version: version, Commit: commit, Date: date}
-	if err := cmd.Run(version, os.Args, os.Stdout, os.Stderr); err != nil {
+	if err := cmd.Run(buildInfo, os.Args, os.Stdout, os.Stderr); err != nil {
 		_, _ = fmt.Fprintf(os.Stderr, "error: %v\n", err)
 		os.Exit(1)
 	}

diff --git a/docs/design/NOTES.md b/docs/design/NOTES.md
@@ -0,0 +1,11 @@
+# NOTES
+
+## Starboard CLI and Private Registry Credentials
+
+![](starboard-cli-private-container-registries.png)
+
+- Find references to image pull secrets (direct and service account)
+- Create a temporary secret with basic credentials for each container of the scanned workload
+- Create a scan job that references the temporary secret. The secret has the ownerReference property set to point to the job.
+- Watch the job for the completion status
+- Delete the job. The secret will be deleted by the Kubernetes garbage collector