Documentation
¶
Overview ¶
Package config is the configuration package for Clair's binaries. See the Config type for the main entry point.
It's currently meant for reading configurations and tested against YAML and JSON.
Version Scheme ¶
This package uses an idiosyncratic versioning scheme:
- The major version tracks the input format.
- The minor version tracks the Go source API.
- The patch version increases with fixes and additions.
This means that any valid configuration accepted by `v1.0.0` should continue to be accepted for all revisions of the v1 module, but `v1.1.0` may force changes on a program importing the module.
Index ¶
- Constants
- Variables
- type AMQP
- type Auth
- type AuthKeyserverdeprecated
- type AuthPSK
- type Base64
- type Config
- type Duration
- type Exchange
- type Indexer
- type Jaegerdeprecated
- type LogLevel
- type Login
- type Matcher
- type Matchers
- type MetricOTLP
- type MetricOTLPHTTP
- type MetricOTLPgRPC
- type Metrics
- type Mode
- type Notifier
- type OTLPCommon
- type OTLPCompressor
- type OTLPHTTPCommon
- type OTLPgRPCCommon
- type Prometheus
- type STOMP
- type ScannerConfig
- type Sentry
- type TLS
- type Trace
- type TraceOTLP
- type TraceOTLPHTTP
- type TraceOTLPgRPC
- type Updaters
- type Warning
- type Webhook
- Bugs
Examples ¶
Constants ¶
View Source
const ( // DefaultAddress is used if an "http_listen_addr" is not provided in the config. DefaultAddress = ":6060" // DefaultScanLockRetry is the default retry period for attempting locks // during the indexing process. Its name is a historical accident. DefaultScanLockRetry = 1 // DefaultMatcherPeriod is the default interval for running updaters. DefaultMatcherPeriod = 6 * time.Hour // DefaultUpdateRetention is the number of updates per vulnerability // database to retain. DefaultUpdateRetention = 10 // DefaultNotifierPollInterval is the default (and minimum) interval for the // notifier's change poll interval. The notifier will poll the database for // updated vulnerability databases at this rate. DefaultNotifierPollInterval = 5 * time.Second // DefaultNotifierDeliveryInterval is the default (and minimum) interval for // the notifier's delivery interval. The notifier will attempt to deliver // outstanding notifications at this rate. DefaultNotifierDeliveryInterval = 5 * time.Second )
These are defaults, used in the documented spots.
Variables ¶
View Source
var (
ErrDeprecated = errors.New("setting will be removed in a future release")
)
These are some common kinds of Warnings.
Functions ¶
This section is empty.
Types ¶
type AMQP ¶
type AMQP struct {
TLS *TLS `yaml:"tls,omitempty" json:"tls,omitempty"`
// The AMQP exchange notifications will be delivered to.
// A passive declare is performed and if the exchange does not exist
// the declare will fail.
Exchange Exchange `yaml:"exchange" json:"exchange"`
// The routing key used to route notifications to the desired queue.
RoutingKey string `yaml:"routing_key" json:"routing_key"`
// The callback url where notifications are retrieved.
Callback string `yaml:"callback" json:"callback"`
// A list of AMQP compliant URI scheme. see: https://www.rabbitmq.com/uri-spec.html
// example: "amqp://user:pass@host:10000/vhost"
//
// The first successful connection will be used by the amqp deliverer.
//
// If "amqps://" broker URI schemas are provided the TLS configuration below is required.
URIs []string `yaml:"uris" json:"uris"`
// Specifies the number of notifications delivered in single AMQP message
// when Direct is true.
//
// Ignored if Direct is not true
// If 0 or 1 is provided no rollup occurs and each notification is delivered
// separately.
Rollup int `yaml:"rollup,omitempty" json:"rollup,omitempty"`
// AMQPConfigures the AMQP delivery to deliver notifications directly to
// the configured Exchange.
//
// If true "Callback" is ignored.
// If false a notifier.Callback is delivered to the queue and clients
// utilize the pagination API to retrieve.
Direct bool `yaml:"direct,omitempty" json:"direct,omitempty"`
}
AMQP configures the AMQP notification mechanism.
type Auth ¶
type Auth struct {
PSK *AuthPSK `yaml:"psk,omitempty" json:"psk,omitempty"`
Keyserver *AuthKeyserver `yaml:"keyserver,omitempty" json:"keyserver,omitempty"`
}
Auth holds the specific configs for different authentication methods.
These should be pointers to structs, so that it's possible to distinguish between "absent" and "present and misconfigured."
type AuthKeyserver
deprecated
type AuthKeyserver struct {
API string `yaml:"api" json:"api"`
Intraservice Base64 `yaml:"intraservice" json:"intraservice"`
}
AuthKeyserver is the configuration for doing authentication with the Quay keyserver protocol.
The "Intraservice" key is only needed when the overall config mode is not "combo".
Deprecated: This authentication method was never used. It was planned for integration with Quay, but ultimately the Quay team decided to remove the keyserver feature altogether.
type AuthPSK ¶
AuthPSK is the configuration for doing pre-shared key based authentication.
The "Issuer" key is what the service expects to verify as the "issuer" claim.
type Base64 ¶
type Base64 []byte
Base64 is a byte slice that encodes to and from base64-encoded strings.
func (Base64) MarshalText ¶
MarshalText implements encoding.TextMarshaler.
func (*Base64) UnmarshalText ¶
UnmarshalText implements encoding.TextUnmarshaler.
type Config ¶
type Config struct {
// TLS configures HTTPS support.
//
// Note that any non-trivial deployment means the certificate provided here
// will need to be for the name the load balancer uses to connect to a given
// Clair instance.
//
// This is not used for outgoing requests; setting the SSL_CERT_DIR
// environment variable is the recommended way to do that. The release
// container has `/var/run/certs` added to the list already.
TLS *TLS `yaml:"tls,omitempty" json:"tls,omitempty"`
// Sets which mode the clair instance will run.
Mode Mode `yaml:"-" json:"-"`
// A string in <host>:<port> format where <host> can be an empty string.
//
// exposes Clair node's functionality to the network.
// see /openapi/v1 for api spec.
HTTPListenAddr string `yaml:"http_listen_addr" json:"http_listen_addr"`
// A string in <host>:<port> format where <host> can be an empty string.
//
// exposes Clair's metrics and health endpoints.
IntrospectionAddr string `yaml:"introspection_addr" json:"introspection_addr"`
// Set the logging level.
LogLevel LogLevel `yaml:"log_level" json:"log_level"`
Indexer Indexer `yaml:"indexer,omitempty" json:"indexer,omitempty"`
Matcher Matcher `yaml:"matcher,omitempty" json:"matcher,omitempty"`
Matchers Matchers `yaml:"matchers,omitempty" json:"matchers,omitempty"`
Updaters Updaters `yaml:"updaters,omitempty" json:"updaters,omitempty"`
Notifier Notifier `yaml:"notifier,omitempty" json:"notifier,omitempty"`
Auth Auth `yaml:"auth,omitempty" json:"auth,omitempty"`
Trace Trace `yaml:"trace,omitempty" json:"trace,omitempty"`
Metrics Metrics `yaml:"metrics,omitempty" json:"metrics,omitempty"`
}
Config is the configuration object for the commands in github.com/quay/clair/v4/cmd/...
type Duration ¶ added in v1.3.0
Duration is a serializeable time.Duration.
func (*Duration) MarshalText ¶ added in v1.3.0
MarshalText implements encoding.TextMarshaler.
func (*Duration) UnmarshalText ¶ added in v1.3.0
UnmarshalText implements encoding.TextUnmarshaler.
type Exchange ¶
type Exchange struct {
// The name of the exchange
Name string `yaml:"name" json:"name"`
// The type of the exchange. Typically:
// "direct"
// "fanout"
// "topic"
// "headers"
Type string `yaml:"type" json:"type"`
// Whether the exchange survives server restarts
Durable bool `yaml:"durability,omitempty" json:"durability,omitempty"`
// Whether bound consumers define the lifecycle of the Exchange.
AutoDelete bool `yaml:"auto_delete,omitempty" json:"auto_delete,omitempty"`
}
Exchange are the required fields necessary to check the existence of an Exchange
For more details see: https://godoc.org/github.com/streadway/amqp#Channel.ExchangeDeclarePassive
type Indexer ¶
type Indexer struct {
// Scanner allows for passing configuration options to layer scanners.
Scanner ScannerConfig `yaml:"scanner,omitempty" json:"scanner,omitempty"`
// A Postgres connection string.
//
// formats
// url: "postgres://pqgotest:password@localhost/pqgotest?sslmode=verify-full"
// or
// string: "user=pqgotest dbname=pqgotest sslmode=verify-full"
ConnString string `yaml:"connstring" json:"connstring"`
// A positive value representing seconds.
//
// Concurrent Indexers lock on manifest scans to avoid clobbering.
// This value tunes how often a waiting Indexer will poll for the lock.
ScanLockRetry int `yaml:"scanlock_retry,omitempty" json:"scanlock_retry,omitempty"`
// A positive values representing quantity.
//
// Indexers will index a Manifest's layers concurrently.
// This value tunes the number of layers an Indexer will scan in parallel.
LayerScanConcurrency int `yaml:"layer_scan_concurrency,omitempty" json:"layer_scan_concurrency,omitempty"`
// Rate limits the number of index report creation requests.
//
// Setting this to 0 will attempt to auto-size this value. Setting a
// negative value means "unlimited." The auto-sizing is a multiple of the
// number of available cores.
//
// The API will return a 429 status code if concurrency is exceeded.
IndexReportRequestConcurrency int `yaml:"index_report_request_concurrency,omitempty" json:"index_report_request_concurrency,omitempty"`
// A "true" or "false" value
//
// Whether Indexer nodes handle migrations to their database.
Migrations bool `yaml:"migrations,omitempty" json:"migrations,omitempty"`
// Airgap disables HTTP access to the Internet. This affects both indexers and
// the layer fetcher. Database connections are unaffected.
//
// "Airgap" is a bit of a misnomer, as [RFC 4193] and [RFC 1918] addresses
// are always allowed. This means that setting this flag and also
// configuring a proxy on a private network does not prevent contact with
// the Internet.
//
// [RFC 1918]: https://datatracker.ietf.org/doc/html/rfc1918
// [RFC 4193]: https://datatracker.ietf.org/doc/html/rfc4193
Airgap bool `yaml:"airgap,omitempty" json:"airgap,omitempty"`
}
Indexer provides Clair Indexer node configuration
type Jaeger
deprecated
type Jaeger struct {
Tags map[string]string `yaml:"tags,omitempty" json:"tags,omitempty"`
Agent struct {
Endpoint string `yaml:"endpoint" json:"endpoint"`
} `yaml:"agent,omitempty" json:"agent,omitempty"`
Collector struct {
Username *string `yaml:"username,omitempty" json:"username,omitempty"`
Password *string `yaml:"password,omitempty" json:"password,omitempty"`
Endpoint string `yaml:"endpoint" json:"endpoint"`
} `yaml:"collector,omitempty" json:"collector,omitempty"`
ServiceName string `yaml:"service_name,omitempty" json:"service_name,omitempty"`
BufferMax int `yaml:"buffer_max,omitempty" json:"buffer_max,omitempty"`
}
Jaeger specific distributed tracing configuration.
Deprecated: The Jaeger project recommends using their OTLP ingestion support and the OpenTelemetry exporter for Jaeger has since been removed. Users should migrate to OTLP. Clair may refuse to start when configured to emit Jaeger traces.
type LogLevel ¶
type LogLevel int
A LogLevel is a log level recognized by Clair.
The zero value is "info".
const ( InfoLog LogLevel = iota // info DebugColorLog // debug-color DebugLog // debug WarnLog // warn ErrorLog // error FatalLog // fatal PanicLog // panic )
The recognized log levels, with their string representations as the comments.
NB "Fatal" and "Panic" are not used in clair or claircore, and will result in almost no logging.
func ParseLogLevel ¶
ParseLogLevel returns the log lever for the given string.
The passed string is case-insensitive.
func (*LogLevel) MarshalText ¶ added in v1.1.3
MarshalText implements encoding.TextMarshaler.
func (*LogLevel) UnmarshalText ¶
UnmarshalText implements encoding.TextUnmarshaler.
type Login ¶
type Login struct {
Login string `yaml:"login" json:"login"`
Passcode string `yaml:"passcode" json:"passcode"`
}
Login is the login details for a STOMP broker.
type Matcher ¶
type Matcher struct {
// A Postgres connection string.
//
// Formats:
// url: "postgres://pqgotest:password@localhost/pqgotest?sslmode=verify-full"
// or
// string: "user=pqgotest dbname=pqgotest sslmode=verify-full"
ConnString string `yaml:"connstring" json:"connstring"`
// A string in <host>:<port> format where <host> can be an empty string.
//
// A Matcher contacts an Indexer to create a VulnerabilityReport.
// The location of this Indexer is required.
IndexerAddr string `yaml:"indexer_addr" json:"indexer_addr"`
// Period controls how often updaters are run.
//
// The default is 6 hours.
Period Duration `yaml:"period,omitempty" json:"period,omitempty"`
// UpdateRetention controls the number of updates to retain between
// garbage collection periods.
//
// The lowest possible value is 2 in order to compare updates for notification
// purposes.
//
// A value of 0 disables GC.
UpdateRetention int `yaml:"update_retention" json:"update_retention"`
// A positive integer
//
// Clair allows for a custom connection pool size. This number will
// directly set how many active sql connections are allowed concurrently.
//
// Deprecated: Pool size should be set through the ConnString member.
// Currently, Clair only uses the "pgxpool" package to connect to the
// database, so see
// https://pkg.go.dev/github.com/jackc/pgx/v4/pgxpool#ParseConfig for more
// information.
MaxConnPool int `yaml:"max_conn_pool,omitempty" json:"max_conn_pool,omitempty"`
// CacheAge controls how long clients should be hinted to cache responses
// for.
//
// If empty, the duration set in "Period" will be used. This means client
// may cache "stale" results for 2(Period) - 1 seconds.
CacheAge Duration `yaml:"cache_age,omitempty" json:"cache_age,omitempty"`
// A "true" or "false" value
//
// Whether Matcher nodes handle migrations to their databases.
Migrations bool `yaml:"migrations,omitempty" json:"migrations,omitempty"`
// DisableUpdaters disables the updater's running of matchers.
//
// This should be toggled on if vulnerabilities are being provided by
// another mechanism.
DisableUpdaters bool `yaml:"disable_updaters,omitempty" json:"disable_updaters,omitempty"`
}
Matcher is the configuration for the matcher service.
type Matchers ¶
type Matchers struct {
// Config holds configuration blocks for MatcherFactories and Matchers,
// keyed by name.
Config map[string]interface{} `yaml:"config,omitempty" json:"config,omitempty"`
// A slice of strings representing which matchers will be used.
//
// If nil all default Matchers will be used
//
// The following names are supported by default:
// "alpine"
// "aws"
// "debian"
// "oracle"
// "photon"
// "python"
// "rhel"
// "suse"
// "ubuntu"
// "crda" - remotematcher calls hosted api via RPC.
Names []string `yaml:"names,omitempty" json:"names,omitempty"`
}
Matchers configures the individual matchers run by the matcher system.
type MetricOTLP ¶ added in v1.4.0
type MetricOTLP struct {
// HTTP configures OTLP via HTTP.
HTTP *MetricOTLPHTTP `yaml:"http,omitempty" json:"http,omitempty"`
// GRPC configures OTLP via gRPC.
GRPC *MetricOTLPgRPC `yaml:"grpc,omitempty" json:"grpc,omitempty"`
}
MetricOTLP is the configuration for an OTLP metrics client.
See the OpenTelemetry docs for more information on metrics. See the Clair docs for the current status of of the instrumentation.
type MetricOTLPHTTP ¶ added in v1.4.0
type MetricOTLPHTTP struct {
OTLPHTTPCommon
}
MetricOTLPHTTP is the configuration for an OTLP metrics HTTP client.
type MetricOTLPgRPC ¶ added in v1.4.0
type MetricOTLPgRPC struct {
OTLPgRPCCommon
}
MetricOTLPgRPC is the configuration for an OTLP metrics gRPC client.
type Metrics ¶
type Metrics struct {
Name string `yaml:"name" json:"name"`
Prometheus Prometheus `yaml:"prometheus,omitempty" json:"prometheus,omitempty"`
OTLP MetricOTLP `yaml:"otlp,omitempty" json:"otlp,omitempty"`
}
Metrics specifies how to configure Clair's metrics exporting.
The "Name" key must match the provider to use.
type Mode ¶
type Mode int
A Mode is an operating mode recognized by Clair.
This is not directly settable by serializing into a Config object.
const ( ComboMode Mode = iota // combo IndexerMode // indexer MatcherMode // matcher NotifierMode // notifier )
Clair modes, with their string representations as the comments.
type Notifier ¶
type Notifier struct {
// Only one of the following should be provided in the configuration
//
// Configures the notifier for webhook delivery
Webhook *Webhook `yaml:"webhook,omitempty" json:"webhook,omitempty"`
// Configures the notifier for AMQP delivery.
AMQP *AMQP `yaml:"amqp,omitempty" json:"amqp,omitempty"`
// Configures the notifier for STOMP delivery.
STOMP *STOMP `yaml:"stomp,omitempty" json:"stomp,omitempty"`
// A Postgres connection string.
//
// Formats:
// url: "postgres://pqgotest:password@localhost/pqgotest?sslmode=verify-full"
// or
// string: "user=pqgotest dbname=pqgotest sslmode=verify-full"
ConnString string `yaml:"connstring" json:"connstring"`
// A string in <host>:<port> format where <host> can be an empty string.
//
// A Notifier contacts an Indexer to create obtain manifests affected by vulnerabilities.
// The location of this Indexer is required.
IndexerAddr string `yaml:"indexer_addr" json:"indexer_addr"`
// A string in <host>:<port> format where <host> can be an empty string.
//
// A Notifier contacts a Matcher to list update operations and acquire diffs.
// The location of this Indexer is required.
MatcherAddr string `yaml:"matcher_addr" json:"matcher_addr"`
// A time.ParseDuration parsable string
//
// The frequency at which the notifier will query at Matcher for Update Operations.
// If a value smaller then 1 second is provided it will be replaced with the
// default 5 second poll interval.
PollInterval Duration `yaml:"poll_interval,omitempty" json:"poll_interval,omitempty"`
// A time.ParseDuration parsable string
//
// The frequency at which the notifier attempt delivery of created or previously failed
// notifications
// If a value smaller then 1 second is provided it will be replaced with the
// default 5 second delivery interval.
DeliveryInterval Duration `yaml:"delivery_interval,omitempty" json:"delivery_interval,omitempty"`
// DisableSummary disables summarizing vulnerabilities per-manifest.
//
// The default is to summarize any new vulnerabilities to the most severe
// one, in the thought that any additional processing for end-user
// notifications can have policies around severity and fetch a complete
// VulnerabilityReport if it'd like.
//
// For a machine-consumption use case, it may be easier to instead have the
// notifier push all the data.
DisableSummary bool `yaml:"disable_summary,omitempty" json:"disable_summary,omitempty"`
// A "true" or "false" value
//
// Whether Notifier nodes handle migrations to their database.
Migrations bool `yaml:"migrations,omitempty" json:"migrations,omitempty"`
}
Notifier provides Clair Notifier node configuration
type OTLPCommon ¶ added in v1.4.0
type OTLPCommon struct {
// Compression configures payload compression.
//
// Only "gzip" is guaranteed to exist for both HTTP and gRPC.
Compression OTLPCompressor `yaml:"compression,omitempty" json:"compression,omitempty"`
// Endpoint is the host and port pair that the client should connect to.
// This is not a URL and must not have a scheme or trailing slashes.
//
// The default is "localhost:4317" for gRPC and "localhost:4318" for HTTP.
Endpoint string `yaml:"endpoint,omitempty" json:"endpoint,omitempty"`
// Headers adds additional headers to requests.
Headers map[string]string `yaml:"headers,omitempty" json:"headers,omitempty"`
// Insecure allows using an unsecured connection to the collector.
//
// For gRPC, this means certificate validation is not done.
// For HTTP, this means HTTP is used instead of HTTPS.
Insecure bool `yaml:"insecure,omitempty" json:"insecure,omitempty"`
// Timeout is the maximum amount of time for a submission.
//
// The default is 10 seconds.
Timeout *Duration `yaml:"timeout,omitempty" json:"timeout,omitempty"`
// ClientTLS configures client TLS certificates, meaning a user should
// ignore the "RootCA" member and look only at the "Cert" and "Key" members.
//
// See the documentation for the TLS struct for recommendations on
// configuring certificate authorities.
ClientTLS *TLS `yaml:"client_tls,omitempty" json:"client_tls,omitempty"`
}
OTLPCommon is common configuration options for an OTLP client.
type OTLPCompressor ¶ added in v1.4.0
type OTLPCompressor int
OTLPCompressor is the valid options for compressing OTLP payloads.
const ( OTLPCompressUnset OTLPCompressor = iota // OTLPCompressNone // none OTLPCompressGzip // gzip )
OTLPCompressor values
func (OTLPCompressor) String ¶ added in v1.4.0
func (i OTLPCompressor) String() string
type OTLPHTTPCommon ¶ added in v1.4.0
type OTLPHTTPCommon struct {
OTLPCommon
// URLPath overrides the URL path for sending traces. If unset, the default
// is "/v1/traces".
URLPath string `yaml:"url_path,omitempty" json:"url_path,omitempty"`
}
OTLPHTTPCommon is common configuration options for an OTLP HTTP client.
type OTLPgRPCCommon ¶ added in v1.4.0
type OTLPgRPCCommon struct {
OTLPCommon
// Reconnect sets the minimum amount of time between connection attempts.
Reconnect *Duration `yaml:"reconnect,omitempty" json:"reconnect,omitempty"`
// ServiceConfig specifies a gRPC service config as a string containing JSON.
// See the [doc] for the format and possibilities.
//
// [doc]: https://github.com/grpc/grpc/blob/master/doc/service_config.md
ServiceConfig string `yaml:"service_config,omitempty" json:"service_config,omitempty"`
}
OTLPgRPCCommon is common configuration options for an OTLP gRPC client.
type Prometheus ¶
type Prometheus struct {
// Endpoint is a URL path where Prometheus metrics will be hosted.
Endpoint *string `yaml:"endpoint,omitempty" json:"endpoint,omitempty"`
}
Prometheus specific metrics configuration.
type STOMP ¶
type STOMP struct {
// optional tls portion of config
TLS *TLS `yaml:"tls,omitempty" json:"tls,omitempty"`
// optional user login portion of config
Login *Login `yaml:"user,omitempty" json:"user,omitempty"`
// The callback url where notifications are retrieved.
Callback string `yaml:"callback" json:"callback"`
// the destination messages will be delivered to
Destination string `yaml:"destination" json:"destination"`
// a list of URIs to send messages to.
// a linear search of this list is always performed.
//
// Note that "URI" is a misnomer, this must be host:port pairs.
URIs []string `yaml:"uris" json:"uris"`
// Specifies the number of notifications delivered in single STOMP message
// when Direct is true.
//
// Ignored if Direct is not true
// If 0 or 1 is provided no rollup occurs and each notification is delivered
// separately.
Rollup int `yaml:"rollup,omitempty" json:"rollup,omitempty"`
// Configures the STOMP delivery to deliver notifications directly to
// the configured Destination.
//
// If true "Callback" is ignored.
// If false a notifier.Callback is delivered to the queue and clients
// utilize the pagination API to retrieve.
Direct bool `yaml:"direct,omitempty" json:"direct,omitempty"`
}
STOMP configures the STOMP notification mechanism.
type ScannerConfig ¶
type ScannerConfig struct {
Package map[string]interface{} `yaml:"package,omitempty" json:"package,omitempty"`
Dist map[string]interface{} `yaml:"dist,omitempty" json:"dist,omitempty"`
Repo map[string]interface{} `yaml:"repo,omitempty" json:"repo,omitempty"`
}
ScannerConfig is the object consulted for configuring the various types of scanners.
type Sentry ¶ added in v1.4.0
type Sentry struct {
// DSN to be passed to [github.com/getsentry/sentry-go.ClientOptions.Dsn].
DSN string `yaml:"dsn" json:"dsn"`
// Environment to be passed to
// [github.com/getsentry/sentry-go.ClientOptions.Environment].
Environment string `yaml:"environment,omitempty" json:"environment,omitempty"`
}
Sentry is the Sentry specific tracing configuration.
type TLS ¶
type TLS struct {
// The filesystem path where a root CA can be read.
//
// This can also be controlled by the SSL_CERT_FILE and SSL_CERT_DIR
// environment variables, or adding the relevant certs to the system trust
// store.
RootCA string `yaml:"root_ca" json:"root_ca"`
// The filesystem path where a TLS certificate can be read.
Cert string `yaml:"cert" json:"cert"`
// The filesystem path where a TLS private key can be read.
Key string `yaml:"key" json:"key"`
}
TLS describes some TLS settings.
Some uses of this type ignore the RootCA member; see the documentation at the use site to determine if that's the case.
Using the environment variables "SSL_CERT_DIR" or "SSL_CERT_FILE" or modifying the system's trust store are the ways to modify root CAs for all outgoing TLS connections.
type Trace ¶
type Trace struct {
Name string `yaml:"name" json:"name"`
Probability *float64 `yaml:"probability,omitempty" json:"probability,omitempty"`
Jaeger Jaeger `yaml:"jaeger,omitempty" json:"jaeger,omitempty"`
OTLP TraceOTLP `yaml:"otlp,omitempty" json:"otlp,omitempty"`
Sentry Sentry `yaml:"sentry,omitempty" json:"sentry,omitempty"`
}
Trace specifies how to configure Clair's tracing support.
The "Name" key must match the provider to use.
type TraceOTLP ¶ added in v1.4.0
type TraceOTLP struct {
// HTTP configures OTLP via HTTP.
HTTP *TraceOTLPHTTP `yaml:"http,omitempty" json:"http,omitempty"`
// GRPC configures OTLP via gRPC.
GRPC *TraceOTLPgRPC `yaml:"grpc,omitempty" json:"grpc,omitempty"`
}
TraceOTLP is the configuration for an OTLP traces client.
See the OpenTelemetry docs for more information on traces. See the Clair docs for the current status of of the instrumentation.
type TraceOTLPHTTP ¶ added in v1.4.0
type TraceOTLPHTTP struct {
OTLPHTTPCommon
}
TraceOTLPHTTP is the configuration for an OTLP traces HTTP client.
type TraceOTLPgRPC ¶ added in v1.4.0
type TraceOTLPgRPC struct {
OTLPgRPCCommon
}
TraceOTLPgRPC is the configuration for an OTLP traces gRPC client.
type Updaters ¶
type Updaters struct {
// Filter is a regexp that disallows updaters that do not match from
// running.
// TODO(louis): this is only used in clairctl, should we keep this?
// it may offer an escape hatch for a particular updater name
// from running, vs disabling the updater set completely.
Filter string `yaml:"filter,omitempty" json:"filter,omitempty"`
// Config holds configuration blocks for UpdaterFactories and Updaters,
// keyed by name.
//
// These are defined by the updater implementation and can't be documented
// here. Improving the documentation for these is an open issue.
Config map[string]interface{} `yaml:"config,omitempty" json:"config,omitempty"`
// A slice of strings representing which updaters will be used.
//
// If nil all default UpdaterSets will be used
//
// The following sets are supported by default:
// "alpine"
// "aws"
// "debian"
// "oracle"
// "photon"
// "pyupio"
// "rhel"
// "suse"
// "ubuntu"
Sets []string `yaml:"sets,omitempty" json:"sets,omitempty"`
}
Updaters configures updater behavior.
type Warning ¶
type Warning struct {
// contains filtered or unexported fields
}
Warning is a linter warning.
Users can treat them like errors and use the sentinel values exported by this package.
func Lint ¶
Lint runs lints on the provided Config.
An error is reported only if an error occurred while running the lints. An invalid Config may still report a nil error along with a slice of Warnings.
Most validation steps run by Validate will also run lints.
Example ¶
var c Config
c.Auth.PSK = &AuthPSK{}
ws, err := Lint(&c)
fmt.Println("error:", err)
for _, w := range ws {
fmt.Printf("warning: %v\n", &w)
}
Output: error: <nil> warning: http listen address not provided, default will be used (at $.http_listen_addr) warning: introspection address not provided, default will be used (at $.introspection_addr) warning: connection string is empty and no relevant environment variables found (at $.indexer.connstring) warning: connection string is empty and no relevant environment variables found (at $.matcher.connstring) warning: updater period is very aggressive: most sources are updated daily (at $.matcher.period) warning: update garbage collection is off (at $.matcher.update_retention) warning: connection string is empty and no relevant environment variables found (at $.notifier.connstring) warning: interval is very fast: may result in increased workload (at $.notifier.poll_interval) warning: interval is very fast: may result in increased workload (at $.notifier.delivery_interval)
type Webhook ¶
type Webhook struct {
// any HTTP headers necessary for the request to Target
Headers http.Header `yaml:"headers,omitempty" json:"headers,omitempty"`
// the URL where our webhook will be delivered
Target string `yaml:"target" json:"target"`
// the callback url where notifications can be received
// the notification will be appended to this url
Callback string `yaml:"callback" json:"callback"`
// whether the webhook deliverer will sign out going.
// if true webhooks will be sent with a jwt signed by
// the notifier's private key.
Signed bool `yaml:"signed,omitempty" json:"signed,omitempty"`
}
Webhook configures the "webhook" notification mechanism.
Notes ¶
Bugs ¶
The DefaultNotifierPollInterval is absurdly low.
The DefaultNotifierDeliveryInterval is absurdly low.
Source Files
Click to show internal directories.
Click to hide internal directories.