Allow container scanning to work with self-signed SSL certificates

Problem to solve

Container scanning currently supports two modes of operation with regard to registry connectivity and SSL/TLS:

  1. Insecurely, by setting the REGISTRY_INSECURE environment variable
  2. Securely, which requires a certificate that chains to a CA the scanner already trusts

A registry that presents a self-signed certificate falls into neither case: certificate verification fails, so container scanning does not work against it.

Intended users

  • Sasha (Software Developer)
  • Devon (DevOps Engineer)
  • Sidney (Systems Administrator)
  • Sam (Security Analyst)

Further details

This change will make container scanning more flexible for self-hosted and air-gapped instances, where the registry frequently has no certificate issued by a publicly trusted CA.

Proposal

To allow the use of self-signed certificates, we need to make the following changes:

  1. Expose the DOCKER_INSECURE option from klar as one of the configurableEnvVarValues in the GitLab container scanning project.
  2. When DOCKER_INSECURE=true is set, also pass a new -insecure-tls flag to the clair binary as part of clairServerArgs, so that the Clair server skips certificate verification when it fetches layers from the registry.

The above two changes will allow a user to pass DOCKER_INSECURE=true and have the GitLab Container Scanning tool function correctly with registries using a self-signed certificate. Note that this is a verification bypass rather than trust in one specific certificate: with DOCKER_INSECURE=true the scanner accepts any certificate the registry presents, including one from an on-path attacker, so it should be confined to registries reached over a network the operator already controls, which is the self-hosted and air-gapped case this issue targets.
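The following Go program is an added example, not code from klar, Clair or the GitLab container scanning project. It shows what a DOCKER_INSECURE-style switch actually changes on the client side by trying three client configurations against a local TLS server with a self-signed certificate (httptest generates one): strict verification against the system trust store, verification disabled, and verification kept on with the self-signed certificate added to a private root pool. The function names registryTransport, probe and demo, the /v2/ path and the environment-variable parsing in main are illustrative assumptions.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"strconv"
	"time"
)

// registryTransport builds the HTTP transport a scanner would use to reach a
// registry. insecure mirrors the semantics of a DOCKER_INSECURE=true style
// switch: TLS is still used, but the server certificate is not verified.
// roots is the alternative: a CA pool that trusts the self-signed certificate
// explicitly while leaving verification on. (Illustrative helper, not klar's.)
func registryTransport(insecure bool, roots *x509.CertPool) *http.Transport {
	return &http.Transport{
		TLSClientConfig: &tls.Config{
			MinVersion:         tls.VersionTLS12,
			InsecureSkipVerify: insecure, // accepts any cert, including an attacker's
			RootCAs:            roots,    // nil means the system trust store
		},
	}
}

// probe issues a GET against the registry's /v2/ endpoint and returns the
// transport-level error, if any. A TLS verification failure surfaces here.
func probe(base string, tr *http.Transport) error {
	client := &http.Client{Transport: tr, Timeout: 5 * time.Second}
	resp, err := client.Get(base + "/v2/")
	if err != nil {
		return err
	}
	resp.Body.Close()
	return nil
}

// demo stands up a local TLS server with a self-signed certificate and runs
// the three client configurations against it, returning each outcome.
func demo() (strictErr, insecureErr, trustedErr error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Docker-Distribution-API-Version", "registry/2.0")
		w.Write([]byte("{}"))
	}))
	defer srv.Close()

	// 1. Strict verification against the system trust store: fails, because
	//    nothing chains the self-signed certificate to a known CA.
	strictErr = probe(srv.URL, registryTransport(false, nil))

	// 2. DOCKER_INSECURE=true equivalent: succeeds, but would succeed just as
	//    readily against a certificate forged by an on-path attacker.
	insecureErr = probe(srv.URL, registryTransport(true, nil))

	// 3. Explicit trust: the self-signed certificate becomes a private root and
	//    full verification stays on. Succeeds, and only for this certificate.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	trustedErr = probe(srv.URL, registryTransport(false, pool))
	return
}

func main() {
	// Parse the switch the way a scanner might; anything but "true"/"1" keeps verification on.
	insecure, _ := strconv.ParseBool(os.Getenv("DOCKER_INSECURE"))
	fmt.Println("DOCKER_INSECURE parsed as:", insecure)

	s, i, t := demo()
	fmt.Println("strict (system roots):    ", s)
	fmt.Println("insecure (skip verify):   ", i)
	fmt.Println("trusted (self-signed root):", t)
}
```

The third configuration is the check worth keeping in mind when reviewing a DOCKER_INSECURE=true pipeline: the scanner only needs to trust one known certificate, whereas disabling verification trusts every certificate. The proposal above exposes the switch because klar and Clair provide it; the private root pool is shown here only to make the difference in exposure concrete.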

Documentation

  • Update the Available variables section to include the new DOCKER_INSECURE environment variable
    • !25223 (merged)
  • Update the Running Container Scanning in an offline air-gapped installation section to explain how to use the DOCKER_INSECURE environment variable with a registry using a self-signed SSL certificate.
    • !25223 (merged)
  • Add comments to "Add support for self signed docker registry" requesting an update to the Running container scanning on a local docker image created by a build step in your pipeline section of the Registry Howto, explaining how to run a container scan against a local registry with authentication enabled and a self-signed SSL certificate using DOCKER_INSECURE=true
  • Update the Environment Variables section of the GitLab Container Scanning README file: not necessary, as this section will be removed in the future. Update: the section has now been removed as part of gitlab-org/security-products/analyzers/klar!28 (merged)

What does success look like, and how can we measure that?

The GitLab Container Scanning tool can be used on a self-hosted GitLab instance whose container registry uses a self-signed SSL certificate.

What is the type of buyer?

Enterprise Edition

Edited May 15, 2020 by Adam Cohen