[bug] - Stackrox fails on first scan - missing container registry integration
Closed · 1 comment
Description
Stackrox sets up its own integrations through discovery when installing:
However, the "Autogenerated https://image-registry.openshift-image-registry.svc:5000 for cluster tl500" integration does not have the right permissions, as the first pipeline run fails with a scan image access error:
[image-scan : rox-image-scan] Getting roxctl
[image-scan : rox-image-scan] ERROR: Scanning image failed: rpc error: code = Internal desc = image enrichment error: error getting metadata for image: image-registry.openshift-image-registry.svc:5000/ateam-ci-cd/pet-battle-api@sha256:8927bb6a992e16c569d4b8aa9d6df979c8779bcb029be9f3ea27a7d8c80af1e8 error: error getting metadata from registry: "Autogenerated https://image-registry.openshift-image-registry.svc:5000 for cluster tl500": Failed to get the manifest digest : Head "https://image-registry.openshift-image-registry.svc:5000/v2/ateam-ci-cd/pet-battle-api/manifests/sha256:8927bb6a992e16c569d4b8aa9d6df979c8779bcb029be9f3ea27a7d8c80af1e8": http: non-successful response (status=401 body=""). Retrying after 3 seconds...
[image-scan : rox-image-scan] ERROR: Scanning image failed: rpc error: code = Internal desc = image enrichment error: error getting metadata for image: image-registry.openshift-image-registry.svc:5000/ateam-ci-cd/pet-battle-api@sha256:8927bb6a992e16c569d4b8aa9d6df979c8779bcb029be9f3ea27a7d8c80af1e8 error: error getting metadata from registry: "Autogenerated https://image-registry.openshift-image-registry.svc:5000 for cluster tl500": Failed to get the manifest digest : Head "https://image-registry.openshift-image-registry.svc:5000/v2/ateam-ci-cd/pet-battle-api/manifests/sha256:8927bb6a992e16c569d4b8aa9d6df979c8779bcb029be9f3ea27a7d8c80af1e8": http: non-successfu
Steps to reproduce
Run an image scan as per - https://rht-labs.com/tech-exercise/#/3-revenge-of-the-automated-testing/7b-tekton?id=scan-images
Suggested solution
A workaround is to add a service account with privilege. Log into Stackrox and add a Generic Docker Registry integration:
I use the pipeline token for the password, which is long lived. This works for all teams as the pipeline SA is privileged.
oc serviceaccounts get-token pipeline -n ateam-ci-cd
I'm raising the bug in this repo, but the ultimate fix may be related to the Stackrox chart ... not sure yet.
https://github.com/redhat-cop/helm-charts/tree/master/charts/stackrox
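The check behind the "status=401" error above, as an added example that is not part of the issue, the helm-charts repo or StackRox itself: it pulls the image reference out of a roxctl error line, builds the registry manifest URL the scanner is hitting, and issues the same HEAD request anonymously and with a service account token, so you can confirm which credential the StackRox registry integration needs before editing it. The sample error line is copied from the issue; the `PIPELINE_TOKEN` variable, the `check` argument and the function names are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not code from the issue or from the StackRox / helm-charts projects.
# Reproduces the registry manifest check that fails with 401 in the issue, with and
# without a service account token. Assumed names: PIPELINE_TOKEN, the "check" argument.
set -u

# Pull the "<registry>/<repo>@sha256:<digest>" reference out of a roxctl error line.
# Prints the reference, or returns 1 when the line carries no such reference.
image_ref_from_error() {
  ref=$(printf '%s\n' "$1" | sed -n 's/.*error getting metadata for image: \([^ ]*@sha256:[0-9a-f]\{64\}\).*/\1/p')
  [ -n "$ref" ] || return 1
  printf '%s\n' "$ref"
}

# Turn the reference into the manifest URL the registry API expects, i.e. the
# exact URL quoted in the error: https://<registry>/v2/<repo>/manifests/sha256:<digest>
manifest_url() {
  registry=${1%%/*}
  rest=${1#*/}
  repo=${rest%@*}
  digest=${rest#*@}
  printf 'https://%s/v2/%s/manifests/%s\n' "$registry" "$repo" "$digest"
}

# HEAD the manifest the way the scanner does and print the HTTP status code.
# The internal OpenShift registry answers 401 to anonymous requests (the failure in
# the issue) and 200 to a bearer token whose SA may pull from that namespace.
manifest_status() {
  url=$1
  token=${2:-}
  if [ -n "$token" ]; then
    curl -sS -o /dev/null -w '%{http_code}' -I -H "Authorization: Bearer $token" "$url"
  else
    curl -sS -o /dev/null -w '%{http_code}' -I "$url"
  fi
}

# Read the status code the way a practitioner would.
explain_status() {
  case "$1" in
    200) echo "ok: this credential can read the manifest; use it in the StackRox registry integration" ;;
    401) echo "unauthenticated: the integration has no usable credential for this registry" ;;
    403) echo "forbidden: the token is valid but the SA lacks pull rights on this namespace" ;;
    404) echo "not found: repo or digest is wrong, or this SA cannot see the namespace" ;;
    *)   echo "unexpected status $1" ;;
  esac
}

# Constructed sample: the first error line quoted in the issue, shortened in the middle.
SAMPLE_ERROR='ERROR: Scanning image failed: rpc error: code = Internal desc = image enrichment error: error getting metadata for image: image-registry.openshift-image-registry.svc:5000/ateam-ci-cd/pet-battle-api@sha256:8927bb6a992e16c569d4b8aa9d6df979c8779bcb029be9f3ea27a7d8c80af1e8 error: error getting metadata from registry: ... http: non-successful response (status=401 body="")'

main() {
  ref=$(image_ref_from_error "$SAMPLE_ERROR") || { echo "no image reference in error line"; exit 1; }
  url=$(manifest_url "$ref")
  echo "checking $url"
  # Token: PIPELINE_TOKEN if set, else the long-lived pipeline SA token, fetched with
  # the command the issue gives (only works when run with cluster access).
  token=${PIPELINE_TOKEN:-$(oc serviceaccounts get-token pipeline -n ateam-ci-cd 2>/dev/null || true)}
  anon=$(manifest_status "$url")
  echo "anonymous:  $anon ($(explain_status "$anon"))"
  if [ -n "$token" ]; then
    auth=$(manifest_status "$url" "$token")
    echo "with token: $auth ($(explain_status "$auth"))"
  else
    echo "no token available; set PIPELINE_TOKEN or log in with oc"
  fi
}

# Runs the live check only when invoked as "bash registry-check.sh check", so the
# functions can also be sourced and reused.
case "${1:-}" in
  check) main ;;
esac
```

Run it from a pod or a host that can resolve `image-registry.openshift-image-registry.svc`; outside the cluster the anonymous request simply fails to connect. A 200 with the token and 401 without it is exactly the situation in the issue, and confirms the fix is a credential on the integration rather than a network problem. Two practical caveats the example does not enforce: the pipeline SA is privileged, so a dedicated SA bound only to `system:image-puller` in the CI/CD namespace is the least-privilege choice for the integration's password; and on clusters where `oc serviceaccounts get-token` no longer finds a legacy token secret, `oc create token` issues a bound token that expires, so it is not a drop-in replacement for a long-lived integration credential.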