Describe the bug
There does not appear to be a proper Helm chart template for creating the cosign certificates like the one that existed previously.
Expected behavior
There should be a secret created within the namespace holding the certificates needed for a cosign validator that uses self-signed certs, and one is not being created in the newest versions.
Optional: To reproduce
Optional: Versions (please complete the following information as relevant):
- OS: Openshift-Linux
- Kubernetes Cluster: OpenShift: 4.14.23 / Kubernetes Version: v1.27
- Container registry: Quay
- Connaisseur: 3.4.0/3.5.0
- Other: I have had this working in the older version 2 and had just gotten it working in 3.3.4 (there was a slightly different issue in 3.3.0 as well)
Optional: Additional context
I have run several different tests to try and fix the bug myself. I wasn't able to successfully deploy my own secret with the cert and add it as a volume to the deployment; that didn't seem to help.
The error message being received was just in regards to the certificate authority not being able to be verified:
{
"level": "debug",
"msg": "2024/05/30 18:44:54 --\u003e GET https://quay.prod-openshift.com/v2/\n",
"time": "2024-05-30T18:44:54Z"
}
{
"level": "debug",
"msg": "2024/05/30 18:44:54 GET /v2/ HTTP/1.1\r\nHost: quay.prod-openshift.com\r\nUser-Agent: cosign/devel (linux; amd64) go-containerregistry/v0.19.1\r\nAccept-Encoding: gzip\r\n\r\n\n",
"time": "2024-05-30T18:44:54Z"
}
{
"level": "debug",
"msg": "2024/05/30 18:44:54 \u003c-- tls: failed to verify certificate: x509: certificate signed by unknown authority GET https://quay.prod-openshift.com/v2/ (40.667768ms)\n",
"time": "2024-05-30T18:44:54Z"
}
{
"level": "debug",
"msg": "error verifying signatures with verifier for trust root default: Get \"https://quay.prod-openshift.com/v2/\": tls: failed to verify certificate: x509: certificate signed by unknown authority",
"time": "2024-05-30T18:44:54Z"
}
{
"level": "debug",
"msg": "num signatures: 0/1 by validating trust root names: []",
"time": "2024-05-30T18:44:54Z"
}
Here is a sample of the values file used in both 3.4 and 3.5 (indentation restored; `cert` sits at the validator level, as a sibling of `trustRoots`, per the documented Connaisseur values schema):
kubernetes:
  deployment:
    envs: {}
    image:
      repository: quay.prod-openshift.com/images/connaisseur
      tag: v3.5.0
    replicasCount: 1
    resources:
      limits:
        cpu: 1000m
        memory: 1Gi
      requests:
        cpu: 500m
        memory: 512Mi
    securityContext:
      runAsGroup: null
      runAsUser: null
  service:
    type: ClusterIP
    port: 443
  ingress:
    className: nginx-ingress1
  webhook:
    failurePolicy: Fail
    reinvocationPolicy: Never
application:
  logLevel: DEBUG
  validators:
    - name: quayprod
      type: cosign
      trustRoots:
        - name: default
          key: |
            -----BEGIN PUBLIC KEY-----
            ....
            -----END PUBLIC KEY-----
      cert: |
        -----BEGIN CERTIFICATE-----
        ....
        -----END CERTIFICATE-----
  policy:
    - pattern: "quay.prod-openshift.com/*"
      validator: quayprod
      with:
        verifyInTransparencyLog: false
  features:
    detectionMode: false
    automaticChildApproval: true
    automaticUnchangedApproval: false
    namespacedValidation:
      mode: validate
    cache:
      expirySeconds: 0
      cacheErrors: false
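The failure in the log above ("x509: certificate signed by unknown authority") is Go's crypto/x509 UnknownAuthorityError surfacing through the registry client: the registry's leaf certificate chains to a private CA that is not in the roots the validator trusts, so the signature lookup against /v2/ never gets past the TLS handshake. The following is an added example, not Connaisseur's or cosign's code. It builds a throwaway CA and a CA-signed "registry" on 127.0.0.1 (both constructed for the example), then probes /v2/ twice: once with only the system roots, which reproduces the unknown-authority error, and once with the CA PEM trusted, which is what the `cert` value in the values file is supposed to achieve once it actually reaches the container. StartFakeRegistry, ProbeRegistry and IsUnknownAuthority are names assumed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// newCert generates a P-256 key and signs tmpl with parent/parentKey
// (self-signed when parent is nil). Constructed for this example only.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// StartFakeRegistry serves a minimal /v2/ endpoint over TLS with a certificate
// issued by a private CA and returns the server plus that CA as PEM (the same
// content one would place in the validator's cert field).
func StartFakeRegistry() (*httptest.Server, []byte, error) {
	now := time.Now()
	ca, caKey, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-internal-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leaf, leafKey, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "registry"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, // httptest listens on 127.0.0.1
	}, ca, caKey)
	if err != nil {
		return nil, nil, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Docker-Distribution-API-Version", "registry/2.0")
		w.WriteHeader(http.StatusOK)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}}}
	srv.StartTLS()
	return srv, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw}), nil
}

// ProbeRegistry performs the same GET /v2/ the log shows. With caPEM nil it
// trusts only the system roots (the default); otherwise only the supplied CA.
func ProbeRegistry(baseURL string, caPEM []byte) error {
	tlsCfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if caPEM != nil {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return fmt.Errorf("no CERTIFICATE block in supplied CA PEM")
		}
		tlsCfg.RootCAs = pool
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: tlsCfg}, Timeout: 5 * time.Second}
	resp, err := client.Get(baseURL + "/v2/")
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusUnauthorized {
		return fmt.Errorf("unexpected status %d from /v2/", resp.StatusCode)
	}
	return nil
}

// IsUnknownAuthority reports whether err is the x509 "certificate signed by
// unknown authority" failure, wherever it sits in the wrap chain.
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	srv, caPEM, err := StartFakeRegistry()
	if err != nil {
		panic(err)
	}
	defer srv.Close()
	err = ProbeRegistry(srv.URL, nil)
	fmt.Printf("system roots only: %v (unknown authority: %t)\n", err, IsUnknownAuthority(err))
	fmt.Printf("with registry CA: %v\n", ProbeRegistry(srv.URL, caPEM))
}
```

The useful check when debugging the deployment is the second probe: if the PEM that ends up inside the Connaisseur pod is the CA (or chain) that issued the registry's certificate, a client built with it in RootCAs succeeds, and the same PEM should work for the validator; if it fails the same way with the PEM trusted, the value being mounted is not the issuing CA, regardless of whether the chart created the secret.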