As per lacework documentation:
https://docs.lacework.net/onboarding/integrate-proxy-scanner-with-jfrog-registry-auto-polling
scan_public_registries: false
static_cache_location: /opt/lacework
lacework:
  account_name: <my-lacework-account-name>
  integration_access_token: <my-lacework-access-token>
registries:
  - domain: <my-jfrog-artifactory-domain>
    name: <name-for-registry-integration>
    ssl: true
    auto_poll: true
    credentials:
      user_name: "jfrog-user-name"
      password: "jfrog-user-password"
    poll_frequency_minutes: 20
    disable_non_os_package_scanning: false
    go_binary_scanning:
      enable: true
whereas,
domain: Adjust the domain to your JFrog environment. Do not include the http(s):// portion in the domain.
Use the same domain that you use for Docker login. For example:
If you log into Docker using dockerHost:Port, use domain: dockerHost:Port.
If you log into Docker using dockerHost, use domain: dockerHost.
From JFROG documentation:
https://jfrog.com/help/r/jfrog-artifactory-documentation/docker-registries-and-repositories
Both Artifactory and Docker use the term "repository", but each uses it in a different way.
A Docker repository is a hosted collection of tagged images that, together, create the file system for a container
A Docker registry is a host that stores Docker repositories
An Artifactory repository is a hosted collection of Docker repositories, effectively, a Docker registry in every way, and one that you can access transparently with the Docker client.
So my domain name for my JFrog Artifactory is " artifactory.mgmt.aws.uk.org "
When I use the config file as below (note that registries are given under config.registries as per documentation):
helm upgrade --install --values lacework-values.yaml lacework-proxy-scanner lacework/proxy-scanner
where lacework-values.yaml is below
config:
  scan_public_registries: false
  static_cache_location: /opt/lacework
  lacework:
    account_name: xxx
    integration_access_token: xxxxxxxxxxx
  registries:
    - auto_poll: true
      credentials:
        password: "xxxxxx"
        user_name: "xxxxxxx"
      domain: artifactory.mgmt.aws.uk.org
      go_binary_scanning:
        enable: false
        scan_directory_path: ""
      is_public: false
      name: docker-local
      poll_frequency_minutes: 20
      ssl: false
and the pod fails to run
errors:
[WARNING]: 2024-01-24 19:06:09 - Error while loading cache file. Scanner will start with bootstap mode: open /opt/lacework/lacework_proxy_scanner_state.json.gz: no such file or directory
[ERROR]: 2024-01-24 19:06:09 - Error while loading cache. Running in bootstrap mode. open /opt/lacework/lacework_proxy_scanner_state.json.gz: no such file or directory
[INFO]: 2024-01-24 19:06:09 - Response headers: {"Connection":"keep-alive","Content-Length":"87","Content-Type":"application/json;charset=ISO-8859-1","Date":"Wed, 24 Jan 2024 19:06:09 GMT","Docker-Distribution-Api-Version":"registry/2.0","Strict-Transport-Security":"max-age=31536000","Www-Authenticate":"Bearer realm=\"https://artifactory.mgmt.aws.uk.org/v2/token\",service=\"artifactory.mgmt.aws.uk.org\""}
[INFO]: 2024-01-24 19:06:09 - registry (https://artifactory.mgmt.aws.uk.org) - got response status: 401 Unauthorized
[INFO]: 2024-01-24 19:06:09 - request url: https://artifactory.mgmt.aws.uk.org/v2/
[INFO]: 2024-01-24 19:06:09 - registry (https://artifactory.mgmt.aws.uk.org) - got wwwAuthenticateHeader: Bearer realm="https://artifactory.mgmt.aws.uk.org/v2/token",service="artifactory.mgmt.aws.uk.org"
[INFO]: 2024-01-24 19:06:09 - Using authentication method: Bearer
[INFO]: 2024-01-24 19:06:09 - Requesting bearerAccessToken from https://artifactory.mgmt.aws.uk.org/v2/token?service=artifactory.mgmt.aws.uk.org&account=lacework&scope=registry:catalog:*
[ERROR]: 2024-01-24 19:06:09 - registry(https://artifactory.mgmt.aws.uk.org): Error wile parsing catalog response: EOF
[FATAL]: 2024-01-24 19:06:09 - Invalid credentials found for registry(https://artifactory.mgmt.aws.uk.org). Please correct credentials. Can not validate credential for registry
- Note that a Secret named "lacework-proxy-scanner-registry-secrets" gets auto-created as expected.
But the same works fine if I add registries under (config.lacework.registries) instead of (config.registries) as below
helm upgrade --install --values lacework-values.yaml lacework-proxy-scanner lacework/proxy-scanner
where lacework-values.yaml is below
config:
  scan_public_registries: false
  static_cache_location: /opt/lacework
  lacework:
    account_name: xxx
    integration_access_token: xxxxxxxxxxx
    registries:
      - auto_poll: true
        credentials:
          password: "xxxxxx"
          user_name: "xxxxxxx"
        domain: artifactory.mgmt.aws.uk.org
        go_binary_scanning:
          enable: false
          scan_directory_path: ""
        is_public: false
        name: docker-local
        poll_frequency_minutes: 20
        ssl: false
and the pod is running fine now
- Note that no Secret named "lacework-proxy-scanner-registry-secrets" gets created this time.
logs:
[WARNING]: 2024-01-25 11:01:09 - Error while loading cache file. Scanner will start with bootstap mode: open /opt/lacework/lacework_proxy_scanner_state.json.gz: no such file or directory
[ERROR]: 2024-01-25 11:01:09 - Error while loading cache. Running in bootstrap mode. open /opt/lacework/lacework_proxy_scanner_state.json.gz: no such file or directory
[INFO]: 2024-01-25 11:01:09 - Starting server..
[INFO]: 2024-01-25 11:01:09 - ScanDataHandlerWorker #1: Starting..
[INFO]: 2024-01-25 11:01:09 - Listener started
[INFO]: 2024-01-25 11:01:09 - server started successfully on port 8080
Also able to get all Docker-based registries scanned successfully in the Lacework console this time, and all 10 Docker-type registries in my JFrog Artifactory are displayed in the console.
Questions:
- What is the domain value to give here? The domain of the JFrog Artifactory, i.e. artifactory.mgmt.aws.uk.org, or the path of the Docker registry inside JFrog Artifactory, i.e. artifactory.mgmt.aws.uk.org/artifactory/api/docker/?
Since the naming convention differs for the word "registry" between Lacework and JFrog:
https://jfrog.com/help/r/jfrog-artifactory-documentation/docker-registries-and-repositories
https://jfrog.com/help/r/jfrog-artifactory-documentation/local-docker-repositories
https://docs.lacework.net/onboarding/integrate-proxy-scanner-with-jfrog-registry-auto-polling
- How do the values and setup work fine for registries added under (config.lacework.registries) instead of (config.registries)? BUG? Or is it the right way to use config.lacework.registries and the documentation is the issue here?
Looking for faster response!
Thank you
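The 401 / Bearer handshake that the first log excerpt shows (GET /v2/, Www-Authenticate challenge, token request with scope registry:catalog:*, then the catalog call), replayed as an added example that is not from the original post nor from Lacework or JFrog, so a domain value and credentials can be checked from a workstation before the scanner pod is deployed. The function names `normalize_domain`, `parse_www_authenticate`, `token_url` and `check_registry` are chosen here; the only assumption is a registry that answers /v2/ with a standard Docker Registry v2 Bearer challenge.

```python
import base64
import json
import re
import urllib.parse
import urllib.request
from urllib.error import HTTPError

def normalize_domain(value: str) -> str:
    """Bare host[:port] as the Lacework docs ask: drop http(s):// and any path."""
    value = re.sub(r"^https?://", "", value.strip().strip('"').strip(), flags=re.I)
    return value.split("/", 1)[0]

def parse_www_authenticate(header: str) -> dict:
    """'Bearer realm="...",service="..."' -> {"scheme": "Bearer", "realm": ..., ...}."""
    scheme, _, params = header.strip().partition(" ")
    return {"scheme": scheme, **dict(re.findall(r'(\w+)="([^"]*)"', params))}

def token_url(challenge: dict, scope: str = "registry:catalog:*") -> str:
    """Token endpoint URL built from the challenge, as in the scanner log."""
    query = urllib.parse.urlencode({"service": challenge["service"], "scope": scope})
    return f"{challenge['realm']}?{query}"

def check_registry(domain: str, user: str, password: str, ssl: bool = True) -> list:
    """Replay the log's handshake: /v2/ -> 401 Bearer challenge -> token -> /v2/_catalog."""
    base = ("https" if ssl else "http") + "://" + normalize_domain(domain)
    try:
        urllib.request.urlopen(base + "/v2/", timeout=10)
    except HTTPError as err:
        if err.code != 401:
            raise
        challenge = parse_www_authenticate(err.headers.get("Www-Authenticate", ""))
    else:
        raise RuntimeError("no 401 challenge from /v2/; check the domain value")
    if challenge["scheme"] != "Bearer":
        raise RuntimeError(f"expected a Bearer challenge, got {challenge}")
    basic = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(token_url(challenge), headers={"Authorization": "Basic " + basic})
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = json.load(resp)
    token = body.get("token") or body.get("access_token")
    req = urllib.request.Request(base + "/v2/_catalog", headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        # a body that is not JSON fails here: the step the scanner logged as "parsing catalog response"
        return json.load(resp).get("repositories", [])

if __name__ == "__main__":
    # Constructed from the challenge shown in the question's log; no network access in this block.
    hdr = 'Bearer realm="https://artifactory.mgmt.aws.uk.org/v2/token",service="artifactory.mgmt.aws.uk.org"'
    print(normalize_domain("https://artifactory.mgmt.aws.uk.org/artifactory/api/docker/"))
    print(token_url(parse_www_authenticate(hdr)))
```

Running check_registry("artifactory.mgmt.aws.uk.org", user, password) against the real host returns the repository list when the domain and credentials are right, and raises at the exact step that fails otherwise.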