clairctl with issuer flag leads to 401 after successful scan

[flomickl]

I am a little bit confused about how clairctl works together with the -iss flag and how clair is working general with the psk auth.

My clair config.yml part with the auth part looks like this currently

# ===== AUTH
...
auth:                                   # Defines ClairV4's external and intra-service JWT based authentication.
  psk:                                  # Defines preshared key authentication.
    key: 'MTU5Y34563ZkNzJoMQ=='
    iss:
      - 'scan'                         # A list of JWT issuers to verify. An empty list will accept any issuer in a JWT claim.
...

Clair is running successful under https://clair.example.com.

I was able to scan the clair container with the following command, as you can see

clairctl --iss scan -D report -host https://clair.example.com quay.io/projectquay/clair:4.7.4

2024-07-28T16:35:44+02:00 DBG fetching ref=quay.io/projectquay/clair:4.7.4
2024-07-28T16:35:44+02:00 DBG using text output
2024-07-28T16:35:45+02:00 DBG found manifest digest=sha256:6e5a7dedbeee18cf6603c6cb1adabf866f536cec60e2061f7c66bd4917f74973 ref=quay.io/projectquay/clair:4.7.4
2024-07-28T16:35:45+02:00 DBG requesting index_report attempt=1 digest=sha256:6e5a7dedbeee18cf6603c6cb1adabf866f536cec60e2061f7c66bd4917f74973 ref=quay.io/projectquay/clair:4.7.4
2024-07-28T16:35:45+02:00 DBG digest=sha256:6e5a7dedbeee18cf6603c6cb1adabf866f536cec60e2061f7c66bd4917f74973 method=GET path=/indexer/api/v1/index_report/sha256:6e5a7dedbeee18cf6603c6cb1adabf866f536cec60e2061f7c66bd4917f74973 ref=quay.io/projectquay/clair:4.7.4 status="404 Not Found"
2024-07-28T16:35:45+02:00 DBG don't have needed manifest digest=sha256:6e5a7dedbeee18cf6603c6cb1adabf866f536cec60e2061f7c66bd4917f74973 manifest=sha256:6e5a7dedbeee18cf6603c6cb1adabf866f536cec60e2061f7c66bd4917f74973 ref=quay.io/projectquay/clair:4.7.4
2024-07-28T16:35:46+02:00 DBG found manifest digest=sha256:6e5a7dedbeee18cf6603c6cb1adabf866f536cec60e2061f7c66bd4917f74973 ref=quay.io/projectquay/clair:4.7.4
2024-07-28T16:35:46+02:00 DBG found layers count=4 digest=sha256:6e5a7dedbeee18cf6603c6cb1adabf866f536cec60e2061f7c66bd4917f74973 ref=quay.io/projectquay/clair:4.7.4
2024-07-28T16:35:48+02:00 DBG requesting index_report attempt=2 digest=sha256:6e5a7dedbeee18cf6603c6cb1adabf866f536cec60e2061f7c66bd4917f74973 ref=quay.io/projectquay/clair:4.7.4
2024-07-28T16:35:48+02:00 DBG digest=sha256:6e5a7dedbeee18cf6603c6cb1adabf866f536cec60e2061f7c66bd4917f74973 method=GET path=/indexer/api/v1/index_report/sha256:6e5a7dedbeee18cf6603c6cb1adabf866f536cec60e2061f7c66bd4917f74973 ref=quay.io/projectquay/clair:4.7.4 status="404 Not Found"
2024-07-28T16:35:54+02:00 DBG digest=sha256:6e5a7dedbeee18cf6603c6cb1adabf866f536cec60e2061f7c66bd4917f74973 method=POST path=/indexer/api/v1/index_report ref=quay.io/projectquay/clair:4.7.4 status="201 Created"
2024-07-28T16:35:54+02:00 DBG setting validator digest=sha256:6e5a7dedbeee18cf6603c6cb1adabf866f536cec60e2061f7c66bd4917f74973 path=/indexer/api/v1/index_report/sha256:6e5a7dedbeee18cf6603c6cb1adabf866f536cec60e2061f7c66bd4917f74973 ref=quay.io/projectquay/clair:4.7.4 validator="\"ee552dad37417b077db06adae1bc83b5\""
2024-07-28T16:35:54+02:00 DBG digest=sha256:6e5a7dedbeee18cf6603c6cb1adabf866f536cec60e2061f7c66bd4917f74973 method=GET path=/matcher/api/v1/vulnerability_report/sha256:6e5a7dedbeee18cf6603c6cb1adabf866f536cec60e2061f7c66bd4917f74973 ref=quay.io/projectquay/clair:4.7.4 status="200 OK"
clair:4.7.4 found go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp                v0.42.0                       GO-2023-2113        (fixed: 0.44.0)
...

but the next day from the same terminal and same command, I got a 401

clairctl --iss scan -D report -host https://clair.example.com quay.io/projectquay/clair:4.7.4
2024-07-30T20:46:49+02:00 DBG fetching ref=quay.io/projectquay/clair:4.7.4
2024-07-30T20:46:49+02:00 DBG using text output
2024-07-30T20:46:50+02:00 DBG found manifest digest=sha256:6e5a7dedbeee18cf6603c6cb1adabf866f536cec60e2061f7c66bd4917f74973 ref=quay.io/projectquay/clair:4.7.4
2024-07-30T20:46:50+02:00 DBG requesting index_report attempt=1 digest=sha256:6e5a7dedbeee18cf6603c6cb1adabf866f536cec60e2061f7c66bd4917f74973 ref=quay.io/projectquay/clair:4.7.4
2024-07-30T20:46:50+02:00 DBG digest=sha256:6e5a7dedbeee18cf6603c6cb1adabf866f536cec60e2061f7c66bd4917f74973 method=GET path=/indexer/api/v1/index_report/sha256:6e5a7dedbeee18cf6603c6cb1adabf866f536cec60e2061f7c66bd4917f74973 ref=quay.io/projectquay/clair:4.7.4 status="401 Unauthorized"
2024-07-30T20:46:50+02:00 DBG index error error="unexpected return status: 401" digest=sha256:6e5a7dedbeee18cf6603c6cb1adabf866f536cec60e2061f7c66bd4917f74973 ref=quay.io/projectquay/clair:4.7.4
2024-07-30T20:46:50+02:00 ERR error="unexpected return status: 401"

As is it visible in my access logs

{"ClientAddr":"10.89.0.6:60474","ClientHost":"10.89.0.6","ClientPort":"60474","DownstreamContentSize":0,"DownstreamStatus":401,"Duration":551782,"OriginContentSize":0,"OriginDuration":294468,"OriginStatus":401,"Overhead":257314,"RequestAddr":"clair.example.com","RequestContentSize":0,"RequestCount":6744,"RequestHost":"clair.example.com","RequestMethod":"GET","RequestPath":"/indexer/api/v1/index_report/sha256:6e5a7dedbeee18cf6603c6cb1adabf866f536cec60e2061f7c66bd4917f74973","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"clair-external@file","ServiceAddr":"clair:6000","ServiceName":"clair@file","ServiceURL":"http://clair:6000","StartLocal":"2024-07-30T20:52:45.051863905+02:00","StartUTC":"2024-07-30T18:52:45.051863905Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","downstream_Alt-Svc":"h3=\":10443\"; ma=2592000","downstream_Content-Length":"0","downstream_Content-Type":"","downstream_Date":"Tue, 30 Jul 2024 18:52:45 GMT","entryPointName":"websecure","level":"info","msg":"","origin_Alt-Svc":"h3=\":10443\"; ma=2592000","origin_Content-Length":"0","origin_Content-Type":"","origin_Date":"Tue, 30 Jul 2024 18:52:45 GMT","request_Accept-Encoding":"gzip","request_User-Agent":"REDACTED","request_X-Forwarded-Host":"clair.example.com","request_X-Forwarded-Port":"443","request_X-Forwarded-Proto":"https","request_X-Forwarded-Server":"2f2daca990ba","request_X-Real-Ip":"10.89.0.6","time":"2024-07-30T20:52:45+02:00"}

Even more.
At the same time, while executing the first scan, the same command from another computer is raising a HTTP 401 Unauthorized.

So at this point I am lost. Why does the scan work at first? Then later it doesn't and from another computer it doesn't work at all?
Is there a misunderstanding how the psk key is working or do I have to change something in the clair config.yml?

Even more. If I take a look at my quay config.yml I don't address the issuer name. Instead, I am using successful the PSK key directly.

SECURITY_SCANNER_INDEXING_INTERVAL: 30
SECURITY_SCANNER_V4_ENDPOINT: http://clair:6000
SECURITY_SCANNER_V4_PSK: MTU5Y34563ZkNzJoMQ==

This kind of option is not mentioned with the issuer flag.

   --issuer value, --iss value  jwt "issuer" to use when making authenticated requests (default: "clairctl")

I hope I'm not mixing up too much stuff.
Kind regards

[hdonnay]

w/r/t Quay, I believe it unconditionally uses the issuer quay