Conversation
|
Images are ready for the commit at a188490. To use with deploy scripts, first |
abdc276 to
ff10ff8
Compare
dhaus67
left a comment
There was a problem hiding this comment.
I'd like to additionally ask you to change the following:
Currently, the logic within pkg/scanners/clairify/clairify.go relies on the GetGrpcEndpoint to be unset for the default scanner that we configure. However it would be nice to set the GrpcEndpoint when creating the default integration, i.e. this part within central/imageintegration/store/default.go.
Note, however, that we do not update existing integrations when starting central. We also cannot write a migration for it, since the value for the grpc endpoint is dynamic and depends on the env.Namespace.Setting. So the code path within pkg/scanners/clarify/clairify.go is still required.
| - ROX-11592: Support to Get / Update / Mutate / Remove of groups via the `props` field and without the `props.id` field | ||
| being set in the `/v1/groups` endpoint have been removed. | ||
| - The unused "ComplianceRunSchedule" resource has been removed. | ||
| - ROX-13034: Central reaches out to scanner `scanner.<namespace>.svc` now to respect OpenShift's `NO_PROXY` configuration. |
There was a problem hiding this comment.
We should make sure this gets enough visibility for customers, as this one has impact on existing proxy settings and requires updates for them (e.g. imagine people having scanner.<namespace> in their NO_PROXY).
There was a problem hiding this comment.
+1. Just be sure to add the training and docs labels to the Jira
There was a problem hiding this comment.
Good question.
I assume the changelog is published to customers and is sufficient.
+1 on the training label that support is aware.
What exactly does the docs label do?
I think mentioning it in the docs is overkill, if it adds to changelog sure, this must be there.
There was a problem hiding this comment.
@gaurav-nelson can you share your opinion?
There was a problem hiding this comment.
We can mention it in the release notes and also add a note in the proxy configuration section.
@SimonBaeumer related to @dhaus67's comment, if someone have scanner.<namespace> in their NO_PROXY settings:
- What issues they will face if they don't change anything?
- How can they fix those issues? I guess its by updating their
NO_PROXYsettings, so how to update those settings? - Can they run a command to fix it? or do they have to manually change things?
There was a problem hiding this comment.
- Only if a
NO_PROXYwas configured to use all stackrox routes explicitly, and not configured to*.svc, scanner is not be reachable because the traffic will be routed through the proxy. - Add
*.svcorscanner.<namespace>.svcto theNO_PROXYsetting - They can configure the NO_PROXY in the cluster-wide proxy settings in OpenShift here: https://docs.openshift.com/container-platform/4.11/networking/enable-cluster-wide-proxy.html
There was a problem hiding this comment.
@gaurav-nelson Are there any action items I should follow up with?
Is my understanding correct that you are suggesting to configure the |
3c9a2fb to
9283dfb
Compare
|
@SimonBaeumer Essentially, the code would be extended to the following (code lines as reference): IntegrationConfig: &storage.ImageIntegration_Clairify{
Clairify: &storage.ClairifyConfig{
Endpoint: fmt.Sprintf("https://%s:8080", scannerEndpoint),
GrpcEndpoint: fmt.Sprintf("%s:8080", scannerEndpoint),
},
},It would still be "hardcoded", so no substantial changes IMO. |
@dhaus67 Documented the behaviour of the default that it is added to the image integration's database entry and loaded the namespace dynamically to setup gRPC endpoints. I did not set the gRPC endpoint on struct creation because the call is a constructor call which sets a default gRPC endpoint automatically already. |
|
@SimonBaeumer: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
| scannerEndpoint = fmt.Sprintf("scanner.%s.svc", env.Namespace.Setting()) | ||
| ) | ||
|
|
||
| // GetScannerEndpoint returns the scanner endpoint with a configured namespace. env.ScannerGRPCEndpoint is only used by Sensor. |
There was a problem hiding this comment.
env.ScannerGRPCEndpoint should probably also be scanner.<namespace>.svc:8443, right? or perhaps we should not use that at all and just use this instead. Otherwise, wouldn't OpenShifts using non-stackrox namespaces has "local scanning" issues?
There was a problem hiding this comment.
The default for the scanner endpoint is set by Helm in Sensor's deployment spec. The ROX_NAMESPACE env var which the function depends on is never set on Sensor, thus has no effect.
We can align this behaviour but would prefer to do it in a different PR to merge this one first.
d317d2f to
a188490
Compare
Description
Add
.svcendpoint to be respected byNO_PROXYenv configuration.Checklist
If any of these don't apply, please comment below.
Testing Performed