-
Notifications
You must be signed in to change notification settings - Fork 135
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(central): defs: Switch to multi bundle definitions #11167
Conversation
Images are ready for the commit at 0dfeb7d. To use with deploy scripts, first |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changes look OK to me, could you fill in the description and how it was tested?
Also, what drove the decision to use a header vs. a query string to define the response 'format'? I've seen APIs use the query string to define format, ie ?format=json
as well as headers Accept: application/json
, since this is not a standard mime type, perhaps a query string would be more conventional? ?multi=true
or ?format=multi-bundle
, etc.
Absolutely, we could use My original approach was to make things non-standard but simple. Using request headers is generally a standard approach for specifying the desired format. Headers are designed for such metadata about the request. But, using a well-known header could make some endpoints not accept the request because the MIME type is vendor-specific is not supported. Using a non-standard header gives us more flexibility because they are supposed to be ignored. Also, just so you know, my goal is to decommission the single bundle eventually. |
0d0b669
to
9ba7fd3
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #11167 +/- ##
==========================================
+ Coverage 47.90% 47.91% +0.01%
==========================================
Files 2330 2330
Lines 166491 166500 +9
==========================================
+ Hits 79752 79780 +28
+ Misses 80411 80383 -28
- Partials 6328 6337 +9
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
@jvdm: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Signed-off-by: J. Victor Martins <jvdm@sdf.org>
9ba7fd3
to
0dfeb7d
Compare
|
||
// Request multi-bundle if multi-bundle is enabled. | ||
if features.ScannerV4MultiBundle.Enabled() { | ||
req.Header.Set("X-Scanner-V4-Accept", "application/vnd.stackrox.scanner-v4.multi-bundle+zip") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Only found out about this due to another PR, but it looks like the X-
prefix is not recommended for private purposes. Seems like X.
is preferred https://datatracker.ietf.org/doc/html/rfc6838#section-3.4
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
apologies that RFC is for the media type. This one deprecates the the X-
convention: https://datatracker.ietf.org/doc/html/rfc6648
That being said, I'm sure this is fine as-is, but I think the community (ie whoever wrote this RFC) may prefer something like StackRox-Scanner-V4-Accept
(makes it clear this is for StackRox purposes and can't be confused for some other Scanner V4. https://datatracker.ietf.org/doc/html/rfc6648#section-3)
Description
This will modify Central to serve multi-bundle vulnerabilities upon the client passing
X-Scanner-V4-Accept
headers with a specific application-specific content type. It will modify Scanner V4 to pass such header if the multi-bundle feature is set to "true", which is now the default. A test was added for the multi-bundle updater.Checklist
If any of these don't apply, please comment below.
Testing Performed
Here I tell how I validated my change
Deploy the image and observe Scanner V4 requesting multi-bundle vulnerabilities, and Central granting them.
This can be confirmed by observing the two Matchers running updates concurrently.
Reminder for reviewers
In addition to reviewing code here, reviewers must also review testing and request further testing in case the
performed one does not seem sufficient. As a reviewer, you must not approve the change until you understand the
performed testing and you are satisfied with it.