This feature is not Generally Available yet. Refer to this document only if your Aqua environment has the "Ability to uniquely identify Cloud Foundry apps based on Org/Space/App name" feature enabled.


Overview

This document explains Aqua's ability to scan and register Cloud Foundry apps with the same name from different organizations and spaces in Aqua and how to enable this feature.


Changes to the existing Aqua feature

You can now scan and register Cloud Foundry apps with the same name from different organizations and spaces in Aqua. In the Images General tab, Aqua uniquely identifies the images scanned and registered based on the Organization, Space, and App Name associated with the Cloud Foundry application. 

When exporting data from the Images and Vulnerability pages, the image name attribute includes the org/space/appname value. 


How to enable this feature

This enhancement has been released with a feature flag to enable its functionality.


To enable it:

1. Upgrade to Aqua 2022.4 Update 21 (2022.4.348).

2. Enable the feature flag for the server and gateway by running the following commands:

    a. Get the Aqua deployment ID and Aqua instance ID:

bosh vms

    b. SSH to the aquasec instance:

bosh ssh -d <aqua deployment id> <aqua-instance>

    c. Change to superuser:

sudo su

    For Server:

        i. Change directory to:

cd /var/vcap/jobs/docker-bosh-server/config

        ii. Edit the server.env to add:

AQUA_FF_OVERRIDES={"SLK-66315": true}

        iii. Restart the service:

docker stop <server container>

    For Gateway:

        i. Change directory to:

cd /var/vcap/jobs/docker-bosh-gateway/

        ii. Create the config folder:

mkdir config

        iii. Add a gateway.env file with:

AQUA_FF_OVERRIDES={"SLK-66315": true}

        iv. Restart the service:

docker stop <gateway container>


Migration of existing data to new format (optional)

Optionally, run the following SQL script to update the existing records of scanned apps in the Aqua DB to the new format for storing app names:

do
$$
    declare
        registry_ids varchar[]; 
        err_context text;
        repository_ids numeric;
        image_ids numeric;
    begin
	execute 'select array(select name from registries where detected_type=11)' into registry_ids;
	if ARRAY_LENGTH(registry_ids, 1) > 0 then
		CREATE TEMPORARY TABLE images_to_be_updated(
   			repository_id serial4,
   			id serial4,
   			image_id serial4,
   			org varchar(30),
   			space varchar(30)
		);
		FOR idx IN array_lower(registry_ids, 1) .. array_upper(registry_ids, 1)
		loop
			RAISE INFO '%. Migrating registry: %', idx, registry_ids[idx];
			insert into images_to_be_updated (
  				select 
					ri.repository_id, 
					ri.id,
					im.image_id,
					im.custom_info->>'cf_org' as org,
					im.custom_info->>'cf_space' as space
				from 
					registry_images ri 
					join registry_repositories rr on ri.repository_id = rr.id 
					join image_metadata im on ri.id = im.image_id 
					join registries r on ri.registry_id = r."name" 
				where 
					r."name" = registry_ids[idx]
					and im.custom_info->>'cf_org' is not null 
					and im.custom_info->>'cf_space' is not null
					and not starts_with(ri.name, CONCAT(im.custom_info->>'cf_org','/',im.custom_info->>'cf_space','/'))
					and im.custom_info->>'is_cf_prefix_migrated' is null
			);
			select count(distinct(repository_id)) into repository_ids from images_to_be_updated;
			RAISE INFO '--> Migrating % repositories', repository_ids;		
			with _repositories as (select *, row_number() over (partition by repository_id order by id) as row_number from images_to_be_updated)
			update registry_repositories rr set name = CONCAT(img.org,'/',img.space,'/',name) from _repositories img where rr.id = img.repository_id and img.row_number = 1;
			select count(distinct(id)) into image_ids from images_to_be_updated;
			RAISE INFO '--> Migrating % images', image_ids;
			update registry_images ri set name = CONCAT(img.org,'/',img.space,'/',name) from images_to_be_updated img where ri.id = img.id;
			RAISE INFO '--> Flagging image metadata post migration';
			update image_metadata im set custom_info = custom_info || '{"is_cf_prefix_migrated":true}' from images_to_be_updated img where im.image_id = img.image_id;
			truncate table images_to_be_updated;
		END loop;
		RAISE INFO 'Clearing temporary space';
	  	DROP TABLE IF EXISTS images_to_be_updated;
	else
		RAISE INFO 'No migration needed';
  	END if;
  	return;
    EXCEPTION WHEN OTHERS then
	GET STACKED DIAGNOSTICS err_context = PG_EXCEPTION_CONTEXT;
	RAISE INFO 'Error Name:%',SQLERRM;
	RAISE INFO 'Error State:%', SQLSTATE;
	RAISE INFO 'Error Context:%', err_context;
	RAISE INFO 'Clearing temporary space';
	DROP TABLE IF EXISTS images_to_be_updated;
	return;
    end;
$$;
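
A read-only preview that can be run before the migration script above, to see which image records it would rename and to what. This is an added example, not part of Aqua's script; it reuses only the tables, columns and filters that appear in that script, and the output column names are chosen here for illustration.

```sql
-- Added example: makes no changes to the database.
-- Selects the same rows the migration script would pick up.
with pending as (
    select
        r."name"                     as registry,
        ri.repository_id,
        ri.name                      as current_name,
        im.custom_info->>'cf_org'    as cf_org,
        im.custom_info->>'cf_space'  as cf_space
    from
        registry_images ri
        join registry_repositories rr on ri.repository_id = rr.id
        join image_metadata im on ri.id = im.image_id
        join registries r on ri.registry_id = r."name"
    where
        r.detected_type = 11
        and im.custom_info->>'cf_org' is not null
        and im.custom_info->>'cf_space' is not null
        and not starts_with(ri.name, concat(im.custom_info->>'cf_org', '/', im.custom_info->>'cf_space', '/'))
        and im.custom_info->>'is_cf_prefix_migrated' is null
)
select
    registry,
    current_name,
    concat(cf_org, '/', cf_space, '/', current_name) as new_name,
    -- The script's temporary table stores org and space as varchar(30);
    -- a longer value makes its insert fail and the block roll back.
    (length(cf_org) > 30 or length(cf_space) > 30) as exceeds_varchar30,
    -- The script renames a repository using the org/space of one image only;
    -- true here means the repository's pending images disagree on org/space.
    (min(concat(cf_org, '/', cf_space)) over w
        <> max(concat(cf_org, '/', cf_space)) over w) as repo_has_mixed_org_space
from pending
window w as (partition by repository_id)
order by registry, new_name;
```

An empty result means the script would report nothing to migrate for those registries.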