From 6a25f8bc794d42a744082ae09d7fc4bbbaa5e5a4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philippe=20Lafoucrie=CC=80re?=
Date: Sat, 30 Mar 2019 12:05:13 -0400
Subject: [PATCH] Fix Container Scanning for Kubernetes Runners

closes https://gitlab.com/gitlab-org/gitlab-ee/issues/6636
closes https://gitlab.com/gitlab-org/gitlab-ee/issues/5763
---
 .../unreleased/fix-container-scanning-on-k8s.yml | 5 +++++
 lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml | 9 +++++++--
 .../Security/Container-Scanning.gitlab-ci.yml | 15 +++++++++++----
 3 files changed, 23 insertions(+), 6 deletions(-)
 create mode 100644 changelogs/unreleased/fix-container-scanning-on-k8s.yml

diff --git a/changelogs/unreleased/fix-container-scanning-on-k8s.yml b/changelogs/unreleased/fix-container-scanning-on-k8s.yml
new file mode 100644
index 00000000000..f4500370a0b
--- /dev/null
+++ b/changelogs/unreleased/fix-container-scanning-on-k8s.yml
@@ -0,0 +1,5 @@
+---
+title: Fix Container Scanning in Kubernetes Runners
+merge_request: 26793
+author:
+type: changed
diff --git a/lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml b/lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml
index 78872b3bbe3..3116f1a136b 100644
--- a/lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml
@@ -531,8 +531,8 @@ rollout 100%:
 touch clair-whitelist.yml
 retries=0
 echo "Waiting for clair daemon to start"
- while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
- ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
+ while( ! wget -T 10 -q -O /dev/null http://${DOCKER_SERVICE}:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
+ ./clair-scanner -c http://${DOCKER_SERVICE}:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
 }

 function code_quality() {
@@ -800,10 +800,15 @@ rollout 100%:
 kubectl version --client
 }

+ # With the Kubernetes executor, 'localhost' must be used instead
+ # https://docs.gitlab.com/runner/executors/kubernetes.html
 function setup_docker() {
 if ! docker info &>/dev/null; then
 if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
 export DOCKER_HOST='tcp://localhost:2375'
+ export DOCKER_SERVICE="localhost"
+ else
+ export DOCKER_SERVICE="docker"
 fi
 fi
 }
diff --git a/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
index ea1e6ae5fdc..0b7a531682b 100644
--- a/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
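Review bot: `DOCKER_SERVICE` is exported only inside the `if ! docker info &>/dev/null` branch of setup_docker(), so whenever the daemon is already reachable before setup_docker() runs (for example a runner with a mounted socket or a caller-supplied `DOCKER_HOST`) the variable is never set, and the `container_scanning()` lines in the first hunk then poll `http://:6060/v1/namespaces` until the ten-retry loop aborts with "Timeout". Give the variable a default that does not depend on that branch, e.g. `export DOCKER_SERVICE="${DOCKER_SERVICE:-docker}"` as the first line of setup_docker(), or consume it as `${DOCKER_SERVICE:-docker}` in container_scanning(). The new header comment names the executor but not the variable's role; a line such as `# DOCKER_SERVICE: host on which the clair container's published port 6060 is reached; must match the host in DOCKER_HOST` would tell the next reader why the two exports travel together. The `-a` inside `[ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]` is an obsolescent form of test; `[ -z "$DOCKER_HOST" ] && [ -n "$KUBERNETES_PORT" ]` is the portable spelling, though that line predates this commit. container_scanning()'s opening lines lie outside the first hunk.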
@@ -17,23 +17,30 @@ container_scanning:
 #
 # Container Scanning deals with Docker images only so no need to import the project's Git repository:
 GIT_STRATEGY: none
+ # Services and containers running in the same Kubernetes pod are all sharing the same localhost address
+ # https://docs.gitlab.com/runner/executors/kubernetes.html
+ DOCKER_SERVICE: docker
+ DOCKER_HOST: tcp://${DOCKER_SERVICE}:2375/
+ # https://hub.docker.com/r/arminc/clair-local-scan/tags
+ CLAIR_LOCAL_SCAN_VERSION: v2.0.6
 allow_failure: true
 services:
 - docker:stable-dind
 script:
+ - if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then { export DOCKER_SERVICE="localhost" ; export DOCKER_HOST="tcp://${DOCKER_SERVICE}:2375" ; } fi
 - docker run -d --name db arminc/clair-db:latest
- - docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:v2.0.6
+ - docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:${CLAIR_LOCAL_SCAN_VERSION}
 - apk add -U wget ca-certificates
 - docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
 - wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
 - mv clair-scanner_linux_amd64 clair-scanner
 - chmod +x clair-scanner
 - touch clair-whitelist.yml
- - while( ! wget -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; done
+ - while( ! wget -q -O /dev/null http://${DOCKER_SERVICE}:6060/v1/namespaces ) ; do sleep 1 ; done
 - retries=0
 - echo "Waiting for clair daemon to start"
- - while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
- - ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
+ - while( ! wget -T 10 -q -O /dev/null http://${DOCKER_SERVICE}:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
+ - ./clair-scanner -c http://${DOCKER_SERVICE}:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
 artifacts:
 reports:
 container_scanning: gl-container-scanning-report.json
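Review bot: The guard on the first `script:` line, `if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]`, can never be true, because the same hunk sets `DOCKER_HOST: tcp://${DOCKER_SERVICE}:2375/` under `variables:` a few lines above, so `$DOCKER_HOST` is non-empty by the time the script runs; on a Kubernetes executor the job therefore keeps `DOCKER_SERVICE=docker` and the failure this commit sets out to fix persists. Key the override on the executor alone: `- if [ -n "$KUBERNETES_PORT" ]; then { export DOCKER_SERVICE="localhost" ; export DOCKER_HOST="tcp://${DOCKER_SERVICE}:2375" ; } fi`. Whether the runner expands `${DOCKER_SERVICE}` inside that `variables:` value before the job starts is not visible here and is worth confirming, since an unexpanded value would break the non-Kubernetes path as well (the trailing `/` on the `variables:` form versus none on the script form is also worth making consistent). Separately, the commit pins `arminc/clair-local-scan` through `CLAIR_LOCAL_SCAN_VERSION` yet still runs `arminc/clair-db:latest` and downloads `clair-scanner` with no checksum, so the vulnerability database and the scanner binary remain unpinned inputs to a security scan; a comment on the `docker run -d --name db` line noting that the DB tag is deliberately floating to pick up fresh CVE data, if that is the intent, would at least record the trade-off.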