diff --git a/api/api.go b/api/api.go index ff73c13e..960235b7 100644 --- a/api/api.go +++ b/api/api.go @@ -20,7 +20,6 @@ import ( "io/ioutil" "net" "net/http" - "strconv" "time" log "github.com/sirupsen/logrus" @@ -35,13 +34,13 @@ const timeoutResponse = `{"Error":{"Message":"Clair failed to respond within the // Config is the configuration for the API service. type Config struct { - GrpcPort int - HealthPort int + Addr string + HealthAddr string Timeout time.Duration CertFile, KeyFile, CAFile string } -func RunV2(cfg *Config, store database.Datastore) { +func Run(cfg *Config, store database.Datastore) { tlsConfig, err := tlsClientConfig(cfg.CAFile) if err != nil { log.WithError(err).Fatal("could not initialize client cert authentication") @@ -49,7 +48,7 @@ func RunV2(cfg *Config, store database.Datastore) { if tlsConfig != nil { log.Info("main API configured with client certificate authentication") } - v3.Run(cfg.GrpcPort, tlsConfig, cfg.CertFile, cfg.KeyFile, store) + v3.Run(cfg.Addr, tlsConfig, cfg.CertFile, cfg.KeyFile, store) } func RunHealth(cfg *Config, store database.Datastore, st *stopper.Stopper) { @@ -60,13 +59,13 @@ func RunHealth(cfg *Config, store database.Datastore, st *stopper.Stopper) { log.Info("health API service is disabled.") return } - log.WithField("port", cfg.HealthPort).Info("starting health API") + log.WithField("addr", cfg.HealthAddr).Info("starting health API") srv := &graceful.Server{ Timeout: 10 * time.Second, // Interrupt health checks when stopping NoSignalHandling: true, // We want to use our own Stopper Server: &http.Server{ - Addr: ":" + strconv.Itoa(cfg.HealthPort), + Addr: cfg.HealthAddr, Handler: http.TimeoutHandler(newHealthHandler(store), cfg.Timeout, timeoutResponse), }, } diff --git a/api/v3/server.go b/api/v3/server.go index e9267eb0..01037080 100644 --- a/api/v3/server.go +++ b/api/v3/server.go @@ -17,7 +17,6 @@ package v3 import ( "context" "crypto/tls" - "fmt" "net" "net/http" "strconv" 
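Review bot: The new `Addr` and `HealthAddr` fields of `Config` carry no doc comment, and `Run` hands `cfg.Addr` straight to `v3.Run` without checking it; if the YAML loader ignores unknown keys, a deployment still carrying the old `grpcport`/`healthport` keys would leave the field empty and `net.Listen("tcp", "")` binds a random port on every interface instead of failing. I would document the fields, `// Addr is the host:port the gRPC/REST API listens on; an empty host binds every interface.` (likewise for HealthAddr), and reject the empty case early in Run: `if cfg.Addr == "" { log.Fatal("api addr must be set, e.g. 127.0.0.1:6060") }`. This matters more than before because the v3 listener was previously pinned to localhost (see the server.go hunk), so the host part of Addr is now the only thing limiting exposure of an API whose client-cert auth is optional (`tlsConfig` may be nil). Parts of Run's body lie outside these hunks.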
@@ -147,11 +146,11 @@ func servePrometheus(mux *http.ServeMux) { mux.Handle("/metrics", prometheus.Handler()) } -// Run initializes grpc and grpc gateway api services on the same port -func Run(GrpcPort int, tlsConfig *tls.Config, CertFile, KeyFile string, store database.Datastore) { - l, err := net.Listen("tcp", fmt.Sprintf("localhost:%d", GrpcPort)) +// Run initializes grpc and grpc gateway api services on the same address +func Run(Addr string, tlsConfig *tls.Config, CertFile, KeyFile string, store database.Datastore) { + l, err := net.Listen("tcp", Addr) if err != nil { - log.WithError(err).Fatalf("could not bind to port %d", GrpcPort) + log.WithError(err).Fatalf("could not listen to address" + Addr) } log.WithField("addr", l.Addr().String()).Info("starting grpc server") diff --git a/cmd/clair/config.go b/cmd/clair/config.go index e1628f05..08f26066 100644 --- a/cmd/clair/config.go +++ b/cmd/clair/config.go @@ -67,8 +67,8 @@ func DefaultConfig() Config { EnabledListers: featurefmt.ListListers(), }, API: &api.Config{ - HealthPort: 6061, - GrpcPort: 6060, + HealthAddr: "0.0.0.0:6061", + Addr: "0.0.0.0:6060", Timeout: 900 * time.Second, }, Notifier: ¬ification.Config{ diff --git a/cmd/clair/main.go b/cmd/clair/main.go index fbf5d256..23d33a48 100644 --- a/cmd/clair/main.go +++ b/cmd/clair/main.go @@ -143,7 +143,7 @@ func Boot(config *Config) { go clair.RunNotifier(config.Notifier, db, st) // Start API - go api.RunV2(config.API, db) + go api.Run(config.API, db) st.Begin() go api.RunHealth(config.API, db, st) diff --git a/config.example.yaml b/config.yaml.sample similarity index 95% rename from config.example.yaml rename to config.yaml.sample index 63714bab..d228f248 100644 --- a/config.example.yaml +++ b/config.yaml.sample 
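Review bot: `log.WithError(err).Fatalf("could not listen to address" + Addr)` uses a non-constant format string, so an `Addr` containing `%` is rendered incorrectly and `go vet`'s printf check will flag it; it is also missing the space before the address. Prefer `log.WithError(err).WithField("addr", Addr).Fatal("could not listen on address")`, which keeps the address structured the way the success log just below already does. Separately, this hunk drops the hard-coded `localhost:` prefix, so the listener now binds wherever the caller says; the doc comment should say so, e.g. `// Run initializes the grpc and grpc-gateway services on Addr (host:port). A non-loopback host exposes the API beyond this machine, so pair it with the TLS/client-cert settings.` The rest of Run's body is outside the hunk.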
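Review bot: `DefaultConfig` now sets `Addr: "0.0.0.0:6060"`, which together with the removal of the `localhost:` bind in server.go widens the default exposure of the gRPC/REST API from loopback to every interface, while client-cert auth stays optional (api.go only enables it when `tlsConfig` is non-nil). The sample config in this same change uses `addr: "127.0.0.1:6060"`, so the compiled-in default and the shipped sample disagree; I would set `Addr: "127.0.0.1:6060"` here to preserve the previous loopback-only behaviour and let deployments such as the k8s manifest opt into `0.0.0.0` explicitly. Keeping the health endpoint on `0.0.0.0:6061` is defensible given it is documented as an unencrypted load-balancer probe, but a short comment on why the two defaults differ would help the next reader. The remainder of `DefaultConfig` is outside the hunk.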
@@ -25,18 +25,19 @@ clair: # Number of elements kept in the cache # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database. cachesize: 16384 + # 32-bit URL-safe base64 key used to encrypt pagination tokens # If one is not provided, it will be generated. # Multiple clair instances in the same cluster need the same value. paginationkey: api: - # v3 grpc/RESTful API server port - grpcport : 6060 + # v3 grpc/RESTful API server address + addr: "127.0.0.1:6060" - # Health server port + # Health server address # This is an unencrypted endpoint useful for load balancers to check to healthiness of the clair server. - healthport: 6061 + healthaddr: "0.0.0.0:6061" # Deadline before an API request will respond with a 503 timeout: 900s diff --git a/contrib/k8s/config.yaml b/contrib/k8s/config.yaml index 13c48e90..93f9ed7e 100644 --- a/contrib/k8s/config.yaml +++ b/contrib/k8s/config.yaml 
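Review bot: The `addr` comment only says "server address", yet the host part now decides whether the API is reachable off-box (the previous code bound to localhost regardless of configuration). I would extend it: `# Host:port to listen on. 127.0.0.1 keeps the API local; use a non-loopback host only together with the PKI settings below, since as far as this change shows nothing else authenticates callers.` Leaving `healthaddr` on `0.0.0.0` matches its "unencrypted endpoint for load balancers" description, but a one-line reminder that it should stay behind the load-balancer network rather than be published to clients would be worth adding.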
@@ -25,23 +25,23 @@ clair: # Number of elements kept in the cache # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database. cachesize: 16384 + + # 32-bit URL-safe base64 key used to encrypt pagination tokens + # If one is not provided, it will be generated. + # Multiple clair instances in the same cluster need the same value. + paginationkey: api: - # API server port - port: 6060 + # v3 grpc/RESTful API server address + addr: "0.0.0.0:6060" - # Health server port + # Health server address # This is an unencrypted endpoint useful for load balancers to check to healthiness of the clair server. - healthport: 6061 + healthaddr: "0.0.0.0:6061" # Deadline before an API request will respond with a 503 timeout: 900s - # 32-bit URL-safe base64 key used to encrypt pagination tokens - # If one is not provided, it will be generated. - # Multiple clair instances in the same cluster need the same value. - paginationkey: - # Optional PKI configuration # If you want to easily generate client certificates and CAs, try the following projects: # https://github.com/coreos/etcd-ca @@ -51,10 +51,29 @@ clair: keyfile: certfile: + worker: + namespace_detectors: + - os-release + - lsb-release + - apt-sources + - alpine-release + - redhat-release + + feature_listers: + - apk + - dpkg + - rpm + updater: # Frequency the database will be updated with vulnerabilities from the default data sources # The value 0 disables the updater entirely. interval: 2h + enabledupdaters: + - debian + - ubuntu + - rhel + - oracle + - alpine notifier: # Number of attempts before the notification is marked as failed to be sent @@ -72,9 +91,9 @@ clair: # https://github.com/cloudflare/cfssl # https://github.com/coreos/etcd-ca servername: - cafile: - keyfile: - certfile: + cafile: + keyfile: + certfile: # Optional HTTP Proxy: must be a valid URL (including the scheme). proxy:
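Review bot: The added `paginationkey` comment calls the key "32-bit URL-safe base64"; a 32-bit value is a 4-byte key, far too short for anything that encrypts tokens, and the URL-safe base64 encoding suggests the intended size is 32 bytes — please confirm against the code that generates the key and fix the unit, e.g. `# 32-byte key, URL-safe base64 encoded, used to encrypt pagination tokens`. Also, with `api.addr` set to `0.0.0.0:6060` and `cafile`/`keyfile`/`certfile` left empty, this manifest as written exposes the API on the pod network without client-cert authentication; a comment that the PKI block or a NetworkPolicy should restrict access would prevent it being copied verbatim into production. The final hunk (the notifier `cafile`/`keyfile`/`certfile` lines) appears to change only trailing whitespace.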