kubewarden / kwctl

Go-to CLI tool for Kubewarden users
https://kubewarden.io
Apache License 2.0

kwctl push is failing in v1.17.0 #944

Open ferhatguneri opened 1 week ago

ferhatguneri commented 1 week ago

Is there an existing issue for this?

Current Behavior

kwctl push --docker-config-json-path /tmp annotated-policy.wasm registry.com/kubewarden-policies/disallow-automount-default-sa-token-policy:1.11.3
Error: Fail to interact with OCI registry: error sending request for url (https://registry.com/v2/kubewarden-policies/disallow-automount-default-sa-token-policy/blobs/uploads/)

Caused by:
    0: error sending request for url (https://registry.com/v2/kubewarden-policies/disallow-automount-default-sa-token-policy/blobs/uploads/)
    1: client error (Connect)
    2: invalid peer certificate: UnknownIssuer

Expected Behavior

Policy successfully pushed: registry.com/kubewarden-policies/disallow-default-namespace-policy@sha256:c40a3fbca4de08ab6942121212121211214dac34d086a

Steps To Reproduce

Just try to push a Kubewarden policy with kwctl v1.17.0

Environment

- OS:
- Architecture:

Anything else?

It is working in v1.16.1

viccuad commented 2 days ago

Hi, I can't reproduce this here with kwctl v1.17:

$ docker pull ghcr.io/viccuad/test/user-group-psp:config-test
config-test: Pulling from viccuad/test/user-group-psp
unsupported media type application/vnd.wasm.config.v1+json
$ kwctl-1.17 pull registry://ghcr.io/viccuad/test/user-group-psp:config-test
$ kwctl-1.17 policies
+-----------------------------------------------------------------------+----------+---------------+--------------+-----------+
| Policy                                                                | Mutating | Context aware | SHA-256      | Size      |
+-----------------------------------------------------------------------+----------+---------------+--------------+-----------+
| registry://ghcr.io/viccuad/test/user-group-psp:config-test            | yes      | no            | f6e0bf76af86 | 1.35 MB   |
+-----------------------------------------------------------------------+----------+---------------+--------------+-----------+
$ kwctl-1.17 push registry://ghcr.io/viccuad/test/user-group-psp:config-test registry://ghcr.io/viccuad/test/user-group-psp:config-test2
Policy successfully pushed: ghcr.io/viccuad/test/user-group-psp@sha256:a11a39b6bc4dc5c047d2d6aa0d33f7208085515d49977ae3c8129fc3706dc9ce

(and the new tag config-test2 was published).

Maybe the ~/docker/config.json is not correctly set up, or the credentials you are using for that repository are expired. Could you check if you can pull or push an image with crane, docker, etc.?

From the error invalid peer certificate: UnknownIssuer, I'm inclined to think that either the local CA certs are incorrectly set up, or kwctl fails to make use of them. Could you please run kwctl with increased verbosity (kwctl -v) to see where the error comes from?

As a workaround, you could use crane to push the policy to the registry.

Thanks in advance.
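
The "local CA certs" hypothesis from the comment above can be reproduced offline. The following is an added example, not part of the thread and not kwctl code: it builds a constructed private CA and a server certificate, then checks the certificate against a bundle that lacks that CA and against one that contains it. The CA names, the host registry.example.test and the helper functions are all hypothetical.

```shell
#!/bin/sh
# Added example: reproduce an "unknown issuer" failure offline with constructed
# certificates. CA names, registry.example.test and all helpers are hypothetical.
WORK=$(mktemp -d)

# make_ca <name>: create a self-signed CA as $WORK/<name>.pem and <name>.key.
make_ca() {
    cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed CA $1
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/$1.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_leaf <ca>: sign a server certificate for the constructed registry host.
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/$1.cnf" \
        -subj "/CN=registry.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/$1.pem" \
        -CAkey "$WORK/$1.key" -CAcreateserial -days 1 \
        -out "$WORK/leaf.pem" 2>/dev/null
}

# issuer_trusted <bundle> <cert>: succeed only if <cert> verifies against <bundle>.
issuer_trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca private      # the CA that signed the registry certificate
make_ca public       # stands in for a trust store that lacks the private CA
issue_leaf private

for bundle in public private; do
    if issuer_trusted "$WORK/$bundle.pem" "$WORK/leaf.pem"; then
        echo "$bundle bundle: issuer trusted"
    else
        echo "$bundle bundle: issuer unknown"
    fi
done
```

The failing case is the OpenSSL counterpart of the UnknownIssuer error in the report: the certificate is well formed, but no CA in the bundle being consulted signed it. The check passes once the issuing CA is in the bundle that the client reads.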