Add authentication to the Trivy wrapper image
Introduction
The purpose of this issue is to add an authentication mechanism to the HTTPS calls between the Trivy wrapper image and the gitlab-agent. To simplify things, we do not need the gitlab-agent HTTPS server implemented yet; we can use the http_listener
described in this experiment.
Related links
Proposal
Option 1: Auth with JWT using asymmetric key
The agent generates an asymmetric key pair, provides the private key to the scanning job and keeps the public key. It can then verify the JWT signature using the public key.
Option 2
We can implement HTTP basic authentication, which is a reasonable fit since the connection is TLS-encrypted and it is a simple solution. The gitlab-agent
can pass the username and the password to the scanning pod with an env var. The scanning pod will then add the header Authorization: Basic <base64(userid:password)>
to each request. Note that base64 is an encoding, not encryption: the credential is protected only by TLS, so this option must never be used over plain HTTP.
The HTTPS server in the gitlab-agent will most probably live in a separate package from the scanner package, so that package would be the one providing the username and password.
Option 3: Auth with JWT using symmetric key
We can change the agent chart to generate a Secret
with some random key material that is shared by all agent Pods and injected into whatever workloads the agent spawns. This key can then be used to generate JWTs that any agent Pod can validate. Because the key is symmetric, any workload that receives it can also mint valid tokens, so it must only be injected into workloads the agent trusts.
Option 4: Use EdDSA JWT keys
Similar to Option 1, but with EdDSA keys. We create a public/private key pair and provide the private key as a Secret to the scanning pod, while the gitlab-agent verifies the signature of the JWT using the public key. Only the agent ever holds the public key, so a compromised scanning pod can sign tokens but cannot change what the agent accepts.
Implementation Plan
We decided to go with Option 4. In this issue we will only work on the Trivy wrapper image.
- Update the Trivy wrapper repo to do the following:
  - Read the EdDSA private key from disk (it will be mounted as a file by gitlab-agent).
  - Create the JWT with a header and payload claims: namespace, workloads, exp, iat.
  - Sign the JWT using the private key.
  - Make an HTTPS request and send the report, with the JWT in the Authorization header.
- Update the gitlab-agent helm chart so that the agent can get, read and write Secrets. We need to add a Role and a RoleBinding for this purpose, similar to this example.
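The Role and RoleBinding for the helm chart step, as an added example that is not taken from the gitlab-agent chart. The namespace, the ServiceAccount name and the object names are assumptions; the verbs are the minimum the agent needs to create, read and rotate the key Secret. A namespaced Role (not a ClusterRole) keeps the grant to the agent's own namespace.

```yaml
# Added example, not part of the gitlab-agent chart.
# Namespace, ServiceAccount and object names are assumptions.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gitlab-agent-secrets
  namespace: gitlab-agent
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    # get/list to read, create/update/patch to write and rotate, delete to clean up
    verbs: ["get", "list", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gitlab-agent-secrets
  namespace: gitlab-agent
subjects:
  - kind: ServiceAccount
    name: gitlab-agent
    namespace: gitlab-agent
roleRef:
  kind: Role
  name: gitlab-agent-secrets
  apiGroup: rbac.authorization.k8s.io
```

resourceNames cannot restrict create, so this Role necessarily covers every Secret in the namespace; keep the agent in a namespace that holds no unrelated Secrets.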
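The wrapper-side steps above (read the mounted key, build and sign the JWT, send it in the Authorization header) together with the agent-side verification from Option 4, as an added Go example that is not code from the Trivy wrapper or the gitlab-agent project. It uses only the standard library instead of a JWT library so the signing input is visible. Assumptions: Ed25519 as the EdDSA curve, the mounted key in PKCS#8 PEM form, the claim JSON names, the Bearer scheme and the agent endpoint URL. main generates a key pair in memory to stand in for the one the agent would generate and mount.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// ScanClaims holds the claims named in the plan; the JSON names are an assumption here.
type ScanClaims struct {
	Namespace string   `json:"namespace"`
	Workloads []string `json:"workloads"`
	Exp       int64    `json:"exp"`
	Iat       int64    `json:"iat"`
}

var b64 = base64.RawURLEncoding // JWS segments are unpadded base64url

// LoadPrivateKey parses the PKCS#8 PEM file assumed to be mounted by
// gitlab-agent and rejects anything that is not an Ed25519 key.
func LoadPrivateKey(pemBytes []byte) (ed25519.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "PRIVATE KEY" {
		return nil, errors.New("no PKCS#8 PRIVATE KEY block found")
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	priv, ok := key.(ed25519.PrivateKey)
	if err != nil || !ok {
		return nil, errors.New("not an Ed25519 private key")
	}
	return priv, nil
}

// SignJWT builds base64url(header).base64url(payload) and appends the Ed25519
// signature over exactly those bytes: a compact JWS with alg=EdDSA.
func SignJWT(priv ed25519.PrivateKey, claims ScanClaims) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input))), nil
}

// VerifyJWT is the agent-side check: pin alg to EdDSA (so "none" or an HMAC
// alg is refused), verify the signature over the segments as received, and
// only then decode the claims and reject expired tokens.
func VerifyJWT(pub ed25519.PublicKey, token string, now time.Time) (*ScanClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if h, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, errors.New("alg is not EdDSA")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("invalid signature")
	}
	var claims ScanClaims
	if p, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(p, &claims) != nil {
		return nil, errors.New("malformed payload")
	}
	if !now.Before(time.Unix(claims.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &claims, nil
}

// NewReportRequest is the wrapper's HTTPS POST carrying the JWT as a Bearer
// token; the agent endpoint URL is an assumption of this example.
func NewReportRequest(url, token string, report []byte) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodPost, url, strings.NewReader(string(report)))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	return req, nil
}

func main() {
	// Demo only: the agent would generate this pair and mount the private half as a file.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	der, _ := x509.MarshalPKCS8PrivateKey(priv)
	key, _ := LoadPrivateKey(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}))
	now := time.Now()
	tok, _ := SignJWT(key, ScanClaims{Namespace: "default", Workloads: []string{"deployment/web"}, Iat: now.Unix(), Exp: now.Add(5 * time.Minute).Unix()})
	req, _ := NewReportRequest("https://gitlab-agent.example/report", tok, []byte(`{}`))
	claims, err := VerifyJWT(pub, strings.TrimPrefix(req.Header.Get("Authorization"), "Bearer "), time.Now())
	fmt.Printf("verified=%v err=%v\n", claims != nil, err)
}
```

The verifier refuses any header whose alg is not EdDSA before it looks at the signature, and checks the signature before decoding the claims, so a forged payload or an alg=none token is never parsed as trusted input. Keep exp short (minutes, not hours): the token is a bearer credential, and a short lifetime is what limits replay of a captured one.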