Use the following procedure to configure Clair on a {productname} {ocp} deployment.
-
Your {productname} Operator has been upgraded to 3.4.0 or greater.
-
Enter the following command to set your current project to the name of the project that is running {productname}:
$ oc project quay-enterprise -
Create a Postgres deployment file for Clair, for example,
clairv4-postgres.yaml:--- apiVersion: apps/v1 kind: Deployment metadata: name: clairv4-postgres namespace: quay-enterprise labels: quay-component: clairv4-postgres spec: replicas: 1 selector: matchLabels: quay-component: clairv4-postgres template: metadata: labels: quay-component: clairv4-postgres spec: volumes: - name: postgres-data persistentVolumeClaim: claimName: clairv4-postgres containers: - name: postgres image: postgres:11.5 imagePullPolicy: "IfNotPresent" ports: - containerPort: 5432 env: - name: POSTGRES_USER value: "postgres" - name: POSTGRES_DB value: "clair" - name: POSTGRES_PASSWORD value: "postgres" - name: PGDATA value: "/etc/postgres/data" volumeMounts: - name: postgres-data mountPath: "/etc/postgres" --- apiVersion: v1 kind: PersistentVolumeClaim metadata: name: clairv4-postgres labels: quay-component: clairv4-postgres spec: accessModes: - "ReadWriteOnce" resources: requests: storage: "5Gi" volumeName: "clairv4-postgres" storageClassName: (1) --- apiVersion: v1 kind: Service metadata: name: clairv4-postgres labels: quay-component: clairv4-postgres spec: type: ClusterIP ports: - port: 5432 protocol: TCP name: postgres targetPort: 5432 selector: quay-component: clairv4-postgres
-
If left unspecified, defaults to
quay-storageclass.
-
-
Enter the following command to the deploy the Postgres database:
$ oc create -f ./clairv4-postgres.yaml -
Create a
config.yamlfile for Clair, for example:introspection_addr: :8089 http_listen_addr: :8081 log_level: debug indexer: connstring: host=clairv4-postgres port=5432 dbname=clair user=postgres password=postgres sslmode=disable scanlock_retry: 10 layer_scan_concurrency: 5 migrations: true matcher: connstring: host=clairv4-postgres port=5432 dbname=clair user=postgres password=postgres sslmode=disable max_conn_pool: 100 migrations: true indexer_addr: clair-indexer notifier: connstring: host=clairv4-postgres port=5432 dbname=clair user=postgres password=postgres sslmode=disable delivery: 1m poll_interval: 5m migrations: true auth: psk: key: MTU5YzA4Y2ZkNzJoMQ== (1) iss: ["quay"] # tracing and metrics trace: name: "jaeger" probability: 1 jaeger: agent: endpoint: "localhost:6831" service_name: "clair" metrics: name: "prometheus"
-
To generate a Clair pre-shared key (PSK), enable
scanningin the Security Scanner section of the User Interface and clickGenerate PSK.More information about Clair’s configuration format can be found in upstream Clair documentation.
-
-
Enter the following command to create a secret from the Clair
config.yamlfile:$ oc create secret generic clairv4-config-secret --from-file=./config.yaml
-
Create a deployment file for Clair, for example,
clair-combo.yaml:--- apiVersion: extensions/v1beta1 kind: Deployment metadata: labels: quay-component: clair-combo name: clair-combo spec: replicas: 1 selector: matchLabels: quay-component: clair-combo template: metadata: labels: quay-component: clair-combo spec: containers: - image: {productrepo}/{clairimage}:{productminv} (1) imagePullPolicy: IfNotPresent name: clair-combo env: - name: CLAIR_CONF value: /clair/config.yaml - name: CLAIR_MODE value: combo ports: - containerPort: 8080 name: clair-http protocol: TCP - containerPort: 8089 name: clair-intro protocol: TCP volumeMounts: - mountPath: /clair/ name: config imagePullSecrets: - name: redhat-pull-secret restartPolicy: Always volumes: - name: config secret: secretName: clairv4-config-secret --- apiVersion: v1 kind: Service metadata: name: clairv4 (2) labels: quay-component: clair-combo spec: ports: - name: clair-http port: 80 protocol: TCP targetPort: 8080 - name: clair-introspection port: 8089 protocol: TCP targetPort: 8089 selector: quay-component: clair-combo type: ClusterIP
-
Use the latest Clair image name and version.
-
With the
Serviceset toclairv4, the scanner endpoint for Clair v4 is entered into the {productname}config.yamlfile in theSECURITY_SCANNER_V4_ENDPOINTashttp://clairv4.
-
-
Enter the following command to create the Clair deployment:
$ oc create -f ./clair-combo.yaml
-
Add the following entries to your
config.yamlfile for your {productname} deployment.FEATURE_SECURITY_NOTIFICATIONS: true FEATURE_SECURITY_SCANNER: true FEATURE_SECURITY_SCANNER_NOTIFY_ON_NEW_INDEX: true SECURITY_SCANNER_V4_ENDPOINT: (1) SECURITY_SCANNER_V4_PSK: (2)
-
Obtained through the {productname} configuration tool. This parameter must be manually added if you do not use the {productname} configuration tool.
-
Obtained through the {productname} configuration tool. This parameter must be manually added if you do not use the {productname} configuration tool.
-
-
Enter the following command to delete the original configuration secret for your
quay-enterpriseproject:$ oc delete secret quay-enterprise-config-secret -
Deploy the modified
config.yamlto the secret containing that file:$ oc create secret generic quay-enterprise-config-secret --from-file=./config.yaml -
Restart your {productname} pods.
NoteDeleting the
quay-apppods causes pods with the updated configuration to be deployed.