Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Implement Image Rescanning using Harbor Webhook API #3116

Open
wants to merge 105 commits into
base: topic/11-13-feat_implement_management_api_for_controlling_harbor_per-project_quota
Choose a base branch
from
Open

feat: Implement Image Rescanning using Harbor Webhook API #3116

wants to merge 105 commits into from
+133 −2

Conversation

jopemachine
Copy link
Member

@jopemachine jopemachine commented Nov 19, 2024
edited by jira bot
Loading

Resolves #1913 (BA-143).

Important

Currently, the Image Rescanning through Webhook API implemented in this PR is only available for the HarborV2 registry.

Details

  • Since the Harbor Webhook's request header cannot be customized, it was implemented in a way that bypasses the auth_middleware. It would be great to generalize this approach or find a better solution in the following works.

Implementation details

Events to Monitor

We will need to pay attention to the following events to ensure the image table is updated automatically.

Events to ignore

We won't need to care about the following events in this PR.

  • PULL_ARTIFACT
  • UPLOAD_CHART
  • DOWNLOAD_CHART
  • DELETE_CHART
  • SCANNING_COMPLETED
  • SCANNING_FAILED
  • QUOTA_EXCEED
  • QUOTA_WARNING
  • REPLICATION

How to setup webhook

  1. Configure registry webhook referring to Harbor webhook API documentation.

webhooks2

  1. Add auth header configured in step 1 as webhook_auth_header to the ContainerRegistry row's extra column. Event handler is executed only when the webhook_auth_header equals the auth header value set in the webhook policy. If the auth header in the webhook policy is empty, the event handler will still be executed even if the webhook_auth_header is not set.

Tip

We don't need to subscribe to events for which event handlers are not implemented.

Checklist: (if applicable)

  • Milestone metadata specifying the target backport version
  • Mention to the original issue

📚 Documentation preview 📚: https://sorna--3116.org.readthedocs.build/en/3116/

📚 Documentation preview 📚: https://sorna-ko--3116.org.readthedocs.build/ko/3116/

@github-actions github-actions bot added area:docs Documentations comp:manager Related to Manager component size:M 30~100 LoC labels Nov 19, 2024
This was referenced Nov 19, 2024
Open
Draft
Open
@jopemachine Graphite App
Copy link
Member Author

jopemachine commented Nov 19, 2024
edited
Loading

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

This stack of pull requests is managed by Graphite. Learn more about stacking.

This was referenced Nov 19, 2024
Open
Open
@jopemachine jopemachine added this to the 24.12 milestone Nov 19, 2024
@jopemachine jopemachine added the type:feature Add new features label Nov 19, 2024
@jopemachine jopemachine force-pushed the topic/11-19-feat_implement_image_rescan_based_on_harbor_webhook branch 2 times, most recently from bb8a301 to 8b4b017 Compare November 19, 2024 06:17
@jopemachine jopemachine changed the title feat: Implement image rescan based on Harbor webhook feat: Implement image rescan using Harbor webhook API Nov 19, 2024
@jopemachine jopemachine changed the title feat: Implement image rescan using Harbor webhook API feat: Implement image rescan using Harbor Webhook API Nov 19, 2024
@jopemachine jopemachine linked an issue Nov 19, 2024 that may be closed by this pull request
Revamp image scanning process #1913
Open
@jopemachine
Copy link
Member Author

I tried to implement logic to remove the ImageRow upon receiving a DELETE_ARTIFACT event, but the webhook event does not include the architecture information of the image.

In the case of the PUSH_ARTIFACT event, the issue doesn't matter because the architecture information can be scanned via the Harbor artifact API before adding the ImageRow.

However, for DELETE_ARTIFACT, the event occurs after the image has already been deleted, so there is no way to retrieve the architecture information.

@jopemachine jopemachine changed the title feat: Implement image rescan using Harbor Webhook API feat: Implement image rescanning using Harbor Webhook API Nov 20, 2024
@jopemachine jopemachine changed the title feat: Implement image rescanning using Harbor Webhook API feat: Implement Image Rescanning using Harbor Webhook API Nov 20, 2024
@jopemachine jopemachine force-pushed the topic/11-19-feat_implement_image_rescan_based_on_harbor_webhook branch from 5c30e46 to 6e92403 Compare November 20, 2024 05:34
@jopemachine jopemachine force-pushed the topic/11-13-feat_implement_management_api_for_controlling_harbor_per-project_quota branch from 573457b to 2d4af78 Compare November 20, 2024 06:45
@jopemachine jopemachine force-pushed the topic/11-19-feat_implement_image_rescan_based_on_harbor_webhook branch from 6e92403 to b7773cc Compare November 20, 2024 06:45
jopemachine
jopemachine commented Nov 20, 2024
View reviewed changes
src/ai/backend/manager/api/container_registry.py Outdated

query = sa.select(ContainerRegistryRow).where(
(ContainerRegistryRow.type == ContainerRegistryType.HARBOR2)
& (ContainerRegistryRow.url.like(f"%{registry_url}%"))
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be ideal to check using registry_name, but the Harbor webhook request does not include registry_name information.

@jopemachine jopemachine marked this pull request as ready for review November 20, 2024 07:52
HyeockJinKim
HyeockJinKim reviewed Nov 20, 2024
View reviewed changes
src/ai/backend/manager/api/auth.py
@@ -428,6 +428,16 @@ async def auth_middleware(request: web.Request, handler) -> web.StreamResponse:
Fetches user information and sets up keypair, user, and is_authorized
attributes.
"""
allow_list = request.app["auth_middleware_allowlist"]
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see a lot of other code accessing the RootContext field stored in request.app[“_root.context”], is there a reason why you stored it directly in the app here?
I'd like to know what separates the cases that access app directly from those that access RootContext. @achimnol

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

RootContext contains mutable configurations such as local_config and shared_config, as well as many objects that are frequently accessed throughout the codebase.

So I thought it might be better to inject hardcoded values into the app instead.
(But this is just my personal opinion.)

HyeockJinKim
HyeockJinKim approved these changes Nov 20, 2024
View reviewed changes
Copy link

@HyeockJinKim HyeockJinKim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This would be fine if the API was only used for harbor webhooks.

@jopemachine
Copy link
Member Author

This would be fine if the API was only used for harbor webhooks.

The API currently supports only Harbor webhooks, but it could be expanded to accommodate other container registries's webhook in the future.

@jopemachine
fix: Add test_harbor_update_project_quota test
f7a516b
@jopemachine
chore: Hoist the variable
6b69815
@jopemachine
feat: Add test_harbor_delete_project_quota test
50ef00e
@jopemachine
feat: Add test_harbor_create_project_quota test
b561d7f
@jopemachine
fix: Change the test_harbor_read_project_quota test location
8779af5
@jopemachine
fix: Change test code location
841167c
@jopemachine
fix: Reuse FIXTURES_FOR_HARBOR_CRUD_TEST
858fccf
@jopemachine
fix: Broken CI
1e909ea
@jopemachine
refactor: Add test_case parametrize annotation
c601c27
@jopemachine
chore: Remove unused variable
2e83bad
@jopemachine
refactor: test_group test cases using test_case
628d41a
@jopemachine
feat: Implement image rescan based on Harbor webhook
7049305
@jopemachine
fix: Bypass middlewares in webhook handler
e2e5294
@jopemachine
feat: Add PUSH_ARTIFACT event handler
27f4149
@jopemachine
chore: Add news fragment
43cac42
@jopemachine
fix: Update harbor_webhook_handler
555fc94
@jopemachine
fix: Improve exception handling logic
c11a0e5
@jopemachine
fix: Add valid type checker
35926ce
@jopemachine
fix: Add AUTH_MIDDLEWARE_ALLOW_LIST
4edef6a
@jopemachine
chore: Update news fragment
a1de07c
@jopemachine
chore: Remove useless comment
6466542
@jopemachine
fix: Inject auth_middleware_allowlist to app in build_root_app()
2d009a9
@jopemachine
fix: Change log level to debug
49b5ccf
@jopemachine
refactor: harbor_webhook_handler *(Reflect feedback)
e2ebacc
@jopemachine
fix: Improve exception handling
f4a60c4
@jopemachine jopemachine force-pushed the topic/11-13-feat_implement_management_api_for_controlling_harbor_per-project_quota branch from b4b1ee6 to 628d41a Compare December 10, 2024 01:48
@jopemachine jopemachine force-pushed the topic/11-19-feat_implement_image_rescan_based_on_harbor_webhook branch from d0186e5 to f4a60c4 Compare December 10, 2024 01:48
@jopemachine jopemachine force-pushed the topic/11-13-feat_implement_management_api_for_controlling_harbor_per-project_quota branch from 628d41a to e6dfa69 Compare December 13, 2024 01:05
@jopemachine
Merge branch 'topic/11-13-feat_implement_management_api_for_controlli…
cb2fd90 
…ng_harbor_per-project_quota' into topic/11-19-feat_implement_image_rescan_based_on_harbor_webhook
HyeockJinKim
HyeockJinKim approved these changes Dec 16, 2024
View reviewed changes
Copy link

@HyeockJinKim HyeockJinKim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this can be merged.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@HyeockJinKim HyeockJinKim HyeockJinKim approved these changes

@fregataa fregataa Awaiting requested review from fregataa

Assignees

@jopemachine jopemachine

Labels
area:docs Documentations comp:manager Related to Manager component size:M 30~100 LoC type:feature Add new features
Projects
None yet
Milestone
24.12
Development

Successfully merging this pull request may close these issues.

Revamp image scanning process
2 participants
@jopemachine @HyeockJinKim