Container registry
CI Sense uses a container registry to store fuzz tests in the form of Fuzz Container images.
The container registry needs to be reachable by the CI Fuzz users who want to
execute fuzz tests in CI Sense. In a cifuzz container remote-run invocation,
CI Fuzz queries CI Sense for credentials for the configured default container
registry and pushes the Fuzz Container images there. This behavior can be
overridden by passing the --registry flag if required.
On-prem container registry
The CI Sense on-prem installation comes with a dedicated container registry for Fuzz Container images. If enabled, this registry is used by default when CI Fuzz pushes fuzz tests to be executed in CI Sense.
It is also possible to use an existing container registry to store Fuzz Container images, either by configuring a different default container registry or by overriding it manually in CI Fuzz with the --registry flag.
Note: Cleanup of Fuzz Container images that are no longer used is only handled for the container registry included in the CI Sense installation. When using an external registry, put a cleanup (retention) policy in place to limit disk space usage; otherwise the images pushed by remote runs accumulate there indefinitely.
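Because CI Sense does not prune an external registry, a retention job has to do it. The following added example (it is neither CI Sense nor Distribution code) implements a keep-the-N-newest policy against the Docker Registry HTTP API v2 that Distribution and most hosted registries expose: it lists the tags of the Fuzz Container repository, resolves each tag to its manifest digest and image creation time, and deletes by digest everything outside the newest N, skipping any digest a kept tag still points to (a delete by digest removes every tag that references it). The registry URL, repository name, credentials and the in-memory FakeRegistry data are constructed for the example.

```python
"""Retention policy for Fuzz Container images in an external Docker/OCI v2 registry.

Keeps the KEEP newest images of one repository (ordered by the image config's
"created" timestamp) and deletes the manifests of all others through the
registry HTTP API v2. Added example for this page, not CI Sense code; the
registry URL, repository, tags, digests and timestamps are constructed.
"""
import base64
import json
import urllib.request
from datetime import datetime, timezone

MANIFEST_TYPES = ("application/vnd.docker.distribution.manifest.v2+json, "
                  "application/vnd.oci.image.manifest.v1+json")


def basic_auth(username, password):
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def http_transport(method, url, headers):
    """Real transport: returns (status, lower-cased response headers, body bytes)."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()


def list_tags(transport, registry, repo, auth):
    _, _, body = transport("GET", f"{registry}/v2/{repo}/tags/list", auth)
    return json.loads(body).get("tags") or []


def image_info(transport, registry, repo, tag, auth):
    """Resolve a tag to its manifest digest and the image creation time."""
    headers = {**auth, "Accept": MANIFEST_TYPES}
    _, resp_headers, body = transport("GET", f"{registry}/v2/{repo}/manifests/{tag}", headers)
    digest = resp_headers["docker-content-digest"]
    config_digest = json.loads(body)["config"]["digest"]
    _, _, config = transport("GET", f"{registry}/v2/{repo}/blobs/{config_digest}", auth)
    # "created" may carry nanoseconds; second precision is enough for a retention policy.
    created = json.loads(config).get("created", "1970-01-01T00:00:00")[:19]
    return digest, datetime.strptime(created, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def plan_cleanup(transport, registry, repo, auth, keep):
    """Digests to delete: all but the KEEP newest tags, never a digest a kept tag still uses."""
    infos = [(tag, *image_info(transport, registry, repo, tag, auth))
             for tag in list_tags(transport, registry, repo, auth)]
    infos.sort(key=lambda entry: entry[2], reverse=True)
    kept = {digest for _, digest, _ in infos[:keep]}
    return sorted({digest for _, digest, _ in infos[keep:]} - kept)


def run_cleanup(transport, registry, repo, auth, keep):
    """Delete by digest (this drops every tag pointing at it); returns the accepted deletions."""
    deleted = []
    for digest in plan_cleanup(transport, registry, repo, auth, keep):
        status, _, _ = transport("DELETE", f"{registry}/v2/{repo}/manifests/{digest}", auth)
        if status == 202:  # Distribution answers 202 Accepted when deletion is enabled
            deleted.append(digest)
    return deleted


class FakeRegistry:
    """Constructed in-memory stand-in for the v2 API so this file runs offline."""

    def __init__(self):
        # tag -> (manifest digest, config digest, created); v3 and v3-latest share one image.
        self.tags = {
            "v1": ("sha256:aaa", "sha256:cfg1", "2024-01-01T10:00:00.123456789Z"),
            "v2": ("sha256:bbb", "sha256:cfg2", "2024-02-01T10:00:00Z"),
            "v3": ("sha256:ccc", "sha256:cfg3", "2024-03-01T10:00:00Z"),
            "v3-latest": ("sha256:ccc", "sha256:cfg3", "2024-03-01T10:00:00Z"),
        }

    def __call__(self, method, url, headers):
        path = url.split("/v2/", 1)[1]
        last = path.rsplit("/", 1)[1]
        if method == "DELETE":
            self.tags = {t: v for t, v in self.tags.items() if v[0] != last}
            return 202, {}, b""
        if path.endswith("/tags/list"):
            return 200, {}, json.dumps({"tags": sorted(self.tags)}).encode()
        if "/manifests/" in path:
            digest, cfg, _ = self.tags[last]
            body = {"config": {"digest": cfg}}
            return 200, {"docker-content-digest": digest}, json.dumps(body).encode()
        created = next(c for _, cfg, c in self.tags.values() if cfg == last)
        return 200, {}, json.dumps({"created": created}).encode()


def demo(keep=2):
    """Run the policy against the fake registry and return the deleted digests."""
    fake = FakeRegistry()
    return run_cleanup(fake, "https://registry.example.invalid",
                       "fuzz-containers/my-project", basic_auth("cleanup", "secret"), keep)


if __name__ == "__main__":
    print("deleted:", demo())
```

Two caveats when pointing this at a Distribution registry: manifest deletion must be enabled (REGISTRY_STORAGE_DELETE_ENABLED=true, or storage.delete.enabled: true in its config), and deleting a manifest only unlinks it; disk space is reclaimed only once registry garbage-collect has run. Managed registries usually offer built-in lifecycle rules that are simpler than a custom job. The account used for cleanup needs delete rights on the Fuzz Container repository and nothing more.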
Using the included container registry
The CI Sense helm charts include a container registry based on Distribution (the reference OCI registry implementation). To enable the deployment of the included registry, add the following to your custom-values.yaml:
registry:
  enabled: true
  ingress:
    host: registry.<your-domain>
    tlsSecretName: <tls-secret-name>
# Storage for the container registry.
minio:
  enabled: true
  persistence:
    storageclass: <storage-class>
    size: 20Gi
  resources:
    requests:
      memory: 500Mi
global:
  fuzzContainerRegistry:
    address: registry.<your-domain>
    externalCredentials:
      username: <username>
      password: <password>
    clusterCredentials:
      username: <username2>
      password: <password2>
The externalCredentials are sent to CI Fuzz so that it can push Fuzz Container images to the registry. The clusterCredentials are used to pull from the registry from within the Kubernetes cluster. Both usernames and passwords can be chosen freely; the registry is configured with the requested credentials automatically. Use two distinct credential pairs: CI Sense hands the externalCredentials to every CI Fuzz user who starts a remote run (see the note under "Using an external container registry"), while the clusterCredentials never leave the cluster. Since custom-values.yaml then contains these secrets in clear text, keep it out of version control or protect it accordingly.
See Kind cluster registry setup for additional setup required when running with a local Kind cluster.
Using an external container registry
It is possible to use any existing container registry by configuring push access for CI Fuzz and pull access for the cluster in CI Sense:
global:
  fuzzContainerRegistry:
    address: <your-container-registry>
    externalCredentials:
      username: <username-with-push-access>
      password: <password>
    clusterCredentials:
      username: <username-with-pull-access>
      password: <password2>
Note that CI Sense hands the externalCredentials to every CI Fuzz client with CI Sense API access so that it can push Fuzz Container images. Because these credentials are not user-scoped, anyone with CI Sense access can extract them and use them directly against the registry, so grant that account push access to the Fuzz Container repository and nothing more. Where even that is not acceptable, leave externalCredentials empty, have each client authenticate with its own account (docker login <your-container-registry>) and point the remote run at the registry explicitly:
cifuzz container remote-run --registry <your-container-registry>
Instead of configuring a username and password in clusterCredentials, an existing pull secret can be referenced:
global:
  imagePullSecrets:
    - your-registry-pull-secret-name
Kubernetes only resolves imagePullSecrets from the pod's own namespace, so the secret must exist in the namespace CI Sense is installed in. If your cluster nodes are already configured with pull access to the registry, even this step is not required.
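To see what the referenced pull secret has to contain, and to check that it will actually be used for the images CI Sense pulls, here is an added example (not CI Sense code) that builds the kubernetes.io/dockerconfigjson Secret that kubectl create secret docker-registry would produce and checks whether its auth entries cover the registry host of a given image reference. kubelet selects credentials by the registry host of the image, so a secret for registry.example.com does not apply to registry.example.com:5000, and such a host mismatch is a common reason a pull fails even with the right password. Secret name, namespace, host and credentials below are constructed sample values.

```python
"""Build and check a kubernetes.io/dockerconfigjson pull secret for the Fuzz Container registry.

Added example for this page, not CI Sense code. Produces the Secret that
`kubectl create secret docker-registry` creates and checks whether it covers
the registry host an image reference is pulled from. All names, hosts and
credentials below are constructed sample values.
"""
import base64
import json


def b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


def docker_config(registry: str, username: str, password: str) -> dict:
    """Same layout as ~/.docker/config.json; "auth" is base64(username:password)."""
    return {"auths": {registry: {"username": username, "password": password,
                                 "auth": b64(f"{username}:{password}")}}}


def pull_secret_manifest(name, namespace, registry, username, password) -> dict:
    """Equivalent of: kubectl create secret docker-registry NAME -n NS
    --docker-server=REGISTRY --docker-username=USER --docker-password=PASS"""
    config = json.dumps(docker_config(registry, username, password))
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": b64(config)},
    }


def registry_host(image_ref: str) -> str:
    """Registry host of an image reference by the Docker reference rules: the first
    path component is a host only if it contains '.' or ':' or is 'localhost';
    anything else (nginx, library/nginx) lives on Docker Hub."""
    first, sep, _ = image_ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def secret_auth_hosts(manifest: dict) -> set:
    """Hosts a dockerconfigjson Secret holds credentials for
    (also works on the output of `kubectl get secret NAME -o json`)."""
    raw = base64.b64decode(manifest["data"][".dockerconfigjson"])
    hosts = set()
    for key in json.loads(raw).get("auths", {}):
        # Keys may be written as https://host/v2/; kubelet matches on the host part.
        hosts.add(key.split("://", 1)[-1].split("/", 1)[0])
    return hosts


def secret_covers(manifest: dict, image_ref: str) -> bool:
    """True if kubelet will find credentials for this image's registry in the Secret."""
    host = registry_host(image_ref)
    hosts = secret_auth_hosts(manifest)
    if host == "docker.io":  # both spellings of Docker Hub are accepted
        return bool(hosts & {"docker.io", "index.docker.io"})
    return host in hosts


if __name__ == "__main__":
    secret = pull_secret_manifest("your-registry-pull-secret-name", "ci-sense",
                                  "registry.example.com", "ci-sense-pull", "s3cret")
    print(json.dumps(secret, indent=2))  # pipe into: kubectl apply -f -
    for ref in ("registry.example.com/fuzz-containers/my-project:abc123",
                "registry.example.com:5000/fuzz-containers/my-project:abc123"):
        print(ref, "->", "covered" if secret_covers(secret, ref) else "NOT covered")
```

The account placed in the secret only needs pull access to the Fuzz Container repository; it should not be the same account whose credentials CI Sense hands out as externalCredentials.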
Container Registry storage requirements
CI Sense recommends at least 256 GB of storage for the container registry; the persistence size in the example values above is only a placeholder and should be raised accordingly. Fuzz Containers stored in the embedded container registry are pruned periodically to keep storage usage in check.
Manually configure container registry during upload
Start a remote run and specify the registry directly in the CI Fuzz invocation:
cifuzz container remote-run --registry my-private-registry.example.com/fuzz-containers/my-project
This requires that the user is authenticated with that registry locally (for example with docker login).
SaaS container registry
When running fuzz tests in app.code-intelligence.com, CI Fuzz uses a dedicated container registry for Fuzz Container images. Note: the registry used by the CI Sense SaaS offering is neither user- nor project-scoped; everyone with access to the CI Sense SaaS has read and write access to it, so other SaaS users can pull the images you push there and can push over them.
It is possible to push Fuzz Container images to a different repository by passing the --registry flag to CI Fuzz. The only restriction is that CI Sense must be able to pull from that registry without credentials, i.e. the repository has to be publicly readable.