
Container registry

CI Sense uses a container registry to store fuzz tests in the form of Fuzz Container images.

The container registry needs to be accessible to CI Fuzz users who want to execute fuzz tests in CI Sense. When cifuzz container remote-run is invoked, CI Fuzz queries CI Sense for credentials for the configured default container registry and pushes Fuzz Container images there. This behavior can be overridden by passing the --registry flag if required.

On-prem container registry

The CI Sense on-prem installation comes with a dedicated container registry to store Fuzz Container images. If enabled, this container registry is used by default when CI Fuzz pushes fuzz tests to execute in CI Sense.

It is also possible to use an existing container registry to store Fuzz Container images, either by configuring a different default container registry or by overriding it manually in CI Fuzz with the --registry flag.

Note: Cleanup of Fuzz Container images that are no longer used is only handled for the container registry included in the CI Sense installation. When using an external registry, it is advised to have a cleanup policy in place to limit disk space usage.

Using the included container registry

The CI Sense helm charts include a distribution container registry. To enable deployment of the included registry, add the following to your custom-values.yaml:

registry:
  enabled: true
  ingress:
    host: registry.<your-domain>
    tlsSecretName: <tls-secret-name>

# Storage for the container registry.
minio:
  enabled: true
  persistence:
    storageclass: <storage-class>
    size: 20Gi        # Kubernetes quantity suffixes are case-sensitive (Gi, not gi)
  resources:
    requests:
      memory: 500Mi   # Mi, not mi

global:
  fuzzContainerRegistry:
    address: registry.<your-domain>
    externalCredentials:
      username: <username>
      password: <password>
    clusterCredentials:
      username: <username2>
      password: <password2>

The externalCredentials are sent to CI Fuzz so that it can push Fuzz Container images to the registry. The clusterCredentials are used to pull from the registry from within the Kubernetes cluster. Both usernames and passwords can be chosen arbitrarily; the registry is configured with the requested credentials automatically.

See Kind cluster registry setup for additional setup required when running with a local Kind cluster.

Using an external container registry

It is possible to use any existing container registry by configuring CI Sense with pull access to that registry:

global:
  fuzzContainerRegistry:
    address: <your-container-registry>
    externalCredentials:
      username: <username-with-push-access>
      password: <password>
    clusterCredentials:
      username: <username-with-pull-access>
      password: <password2>

Note that the externalCredentials are used by CI Fuzz to push Fuzz Container images and are handed out to anyone with CI Sense API access. Since the credentials are not user-scoped, this exposes the registry credentials to every user with CI Sense access. Where this is not desirable, leave the externalCredentials empty and ensure that the client performs an appropriate docker login and specifies the registry with cifuzz remote-run --registry <your-container-registry>.

Instead of configuring a username and password in clusterCredentials, it is also possible to reference an existing pull secret via

global:
  imagePullSecrets:
    - your-registry-pull-secret-name

If your cluster is already configured with pull access to the registry, even this step is not required.

Container Registry storage requirements

CI Sense recommends at least 256 GB of storage for the Container Registry. Fuzz Containers stored in the embedded Container Registry are periodically pruned to keep storage usage in check.
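Added example (not the project's own code or chart): a small audit over the parsed form of custom-values.yaml that flags the shared external push credentials discussed in the external-registry section, a missing cluster pull path, and the volume size and quantity syntax for the included registry. The three sample value sets are constructed; the dotted key paths follow the values file shown on this page.

```python
import re

# Kubernetes quantity syntax; the suffix is case-sensitive, so "20gi" and "500mi" are rejected.
_QTY = re.compile(r"^(?P<num>\d+(\.\d+)?)(?P<suf>Ki|Mi|Gi|Ti|Pi|Ei|[mkMGTPE])?$")
_SCALE = {"Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40, "Pi": 2**50, "Ei": 2**60,
          "m": 1e-3, "k": 1e3, "M": 1e6, "G": 1e9, "T": 1e12, "P": 1e15, "E": 1e18}
MIN_REGISTRY_BYTES = 256 * 10**9  # storage recommendation stated on this page


def quantity_bytes(q):
    """Parse a Kubernetes quantity into bytes; returns None when the string is not a valid quantity."""
    m = _QTY.match(str(q))
    return None if m is None else float(m.group("num")) * _SCALE.get(m.group("suf") or "", 1)


def audit_registry_values(values):
    """Return findings for the fuzz-container-registry settings of a parsed custom-values.yaml."""
    findings = []
    g = values.get("global", {})
    reg = g.get("fuzzContainerRegistry", {})
    ext, cluster = reg.get("externalCredentials") or {}, reg.get("clusterCredentials") or {}
    included = values.get("registry", {}).get("enabled", False)
    if ext.get("password") and not included:  # push creds for an external registry are not user-scoped
        findings.append("externalCredentials for an external registry are served to every CI Sense API user; "
                        "leave them empty and let clients docker login and pass --registry")
    if not cluster.get("password") and not g.get("imagePullSecrets"):
        findings.append("no clusterCredentials and no imagePullSecrets: pulls only work if nodes already have access")
    if included:
        minio = values.get("minio", {})
        size = minio.get("persistence", {}).get("size")
        memory = minio.get("resources", {}).get("requests", {}).get("memory")
        for path, q in (("minio.persistence.size", size), ("minio.resources.requests.memory", memory)):
            if q is not None and quantity_bytes(q) is None:
                findings.append(f"{path}={q!r} is not a valid Kubernetes quantity (use Gi/Mi, not gi/mi)")
        size_bytes = quantity_bytes(size) if size is not None else None
        if size_bytes is not None and size_bytes < MIN_REGISTRY_BYTES:
            findings.append("included registry volume is below the recommended 256 GB")
    return findings


# Constructed samples: shared push credentials for an external registry, its corrected form
# (no server-side push credentials, pulls via an existing pull secret) and an included registry.
SHARED_PUSH_CREDS = {"global": {"fuzzContainerRegistry": {"address": "registry.example.internal/fuzz",
    "externalCredentials": {"username": "push", "password": "p1"},
    "clusterCredentials": {"username": "pull", "password": "p2"}}}}
CORRECTED = {"global": {"fuzzContainerRegistry": {"address": "registry.example.internal/fuzz",
    "externalCredentials": {}, "clusterCredentials": {}}, "imagePullSecrets": ["example-pull-secret"]}}
INCLUDED_REGISTRY = {"registry": {"enabled": True}, "minio": {"enabled": True,
    "persistence": {"size": "20Gi"}, "resources": {"requests": {"memory": "500mi"}}},
    "global": {"fuzzContainerRegistry": {"clusterCredentials": {"username": "u", "password": "p"}}}}

if __name__ == "__main__":
    for name, v in (("shared", SHARED_PUSH_CREDS), ("corrected", CORRECTED), ("included", INCLUDED_REGISTRY)):
        print(name, audit_registry_values(v))
```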

Manually configure container registry during upload

Start a remote run and specify the registry directly in the CI Fuzz invocation:

cifuzz container remote-run --registry my-private-registry.example.com/fuzz-containers/my-project

This requires that the user is locally authenticated with the registry.

SaaS container registry

When running fuzz tests in app.code-intelligence.com, CI Fuzz uses a dedicated container registry for fuzz container images. Note: The registry used by the CI Sense SaaS offering is not user- or project-scoped; everyone with access to the CI Sense SaaS has read and write access to the registry.

It is possible to push Fuzz Container images to a different repository by passing the --registry flag to CI Fuzz. The only restriction is that CI Sense must be able to pull from that registry without credentials.