Registry mirror for docker.io does not work

[bh-tt]

What steps did you take and what happened:

I've configured trivy.registry.mirror.docker.io: docker-io,example.com (anonimzed URL) in the trivy-operator-trivy-config configmap and restarted the operator. The operator still does not replace docker.io/ in the scan jobs with docker.io.example.com/.

Additionally, the current mirror configuration does not allow specifying a 'default' mirror for images like library/mariadb. The scan job dutifully attempts to pull from docker.io, but this is not directly accessible to prevent rate limit issues. We updated most images without a registry to include docker.io/ prefix.

What did you expect to happen:
I expected the mirror registry settings to work for all possible registry URLs.
Anything else you would like to add:

I know the cause: https://github.com/google/go-containerregistry/blob/59a4b85930392a30c39462519adc8a2026d47181/pkg/name/registry.go#L136 rewrites docker.io to index.docker.io. The result is that specifying a mirror for docker.io does nothing, since the parsed reference ends up as index.docker.io/library/mariadb.

Environment:

• Trivy-Operator version (use trivy-operator version):0.27.3
• Kubernetes version (use kubectl version):1.32.7
• OS (macOS 10.15, Windows 10, Ubuntu 19.10 etc): linux

[bh-tt]

I just realised adding an index.docker.io mirror likely also works for the images that do not specify a registry, since I'm no longer seeing any slow jobs at all.

[afdesk]

@bh-tt thanks for the report!
there is a way to set up mirrors in a trivy config file for the scan jobs: https://trivy.dev/latest/docs/references/configuration/config-file/#registry-options
it looks like it's your case
do you experience any issues with it too?

[simar7]

I just realised adding an index.docker.io mirror likely also works for the images that do not specify a registry, since I'm no longer seeing any slow jobs at all.

@bh-tt - do you still have an issue with this? If so, is your issue regarding not being able to use mirror within the operator?

[bh-tt]

We no longer have the issue, after adding trivy.registry.mirror.index.docker.io: docker-io.example.com to the trivy-operator-trivy-config ConfigMap. At this point this is more of a documentation issue, to add this information in the docs:

trivy-operator/docs/docs/vulnerability-scanning/trivy.md

Line 126 in 1a89446

| `trivy.registry.mirror.<registry>` | N/A | Mirror for the registry `<registry>`, e.g. `trivy.registry.mirror.index.docker.io: mirror.io` would use `mirror.io` to get images originated from `index.docker.io` |

Something like 'If you wish to mirror docker.io and/or images without a registry defined, add a mirror for index.docker.io, not docker.io' should be enough to prevent future confusion.