Under certain configurations policy-server/kwctl are not able to execute the verify-image-signatures policy.
The policy execution causes a runtime error.
More details about the failure matrix below
Expected Behavior
Policy execution doesn't cause issues
Steps To Reproduce
To keep things simple, these steps rely on kwctl
Use kwcl (see below for details about the version to use)
Checkout verify-image-signature source code
Switch to the appropriate version of verify-signature-images (see below for details)
make clean && make e2e-tests
Environment
This table describes the current state of working/non-working combinations.
Notes:
VFI stands for verify-image-signatures
Latest release of VFI is 0.2.8
Kubewarden version
VFI <= 0.2.8
VFI main
<= 1.6, 1.7.0-rc1
✅
❌
main
❌
✅
Anything else?
The issue is caused by a change done inside of the policy-sdk-rust repository, more specifically this commit.
The commit changes how the CertificateEncoding enum handles the certificate encoding used by the host capability v1/is_certificate_trusted.
A certificate object is defined in this way:
{
# **mandatory**: Which encoding is used by the certificate
# Either the string "Pem" or "Der".
"encoding": string,
# Actual certificate
# The certificate is UTF-8 encoded.
# It's an array of bytes of the unicode code pointers of a PEM/DER encoded
# certificate string.
"data": [byte(int), ..., byte(int)]
}
The change done to the rust SDK crate causes the code to expect the certificate encoding to be either pem or der (both lowercase). Older releases of this crate expected the values to be either Pem or Der.
The rust SDK crate is used both by policy authors and by policy-server/kwctl (it's a transitive dependency of policy-evaluator).
The issue has been introduced starting from the 0.9.5 release of the Rust SDK, which is not yet consumed by any tagged release of policy-server/kwcl
Is there an existing issue for this?
Current Behavior
Under certain configurations policy-server/kwctl are not able to execute the verify-image-signatures policy.
The policy execution causes a runtime error.
More details about the failure matrix below
Expected Behavior
Policy execution doesn't cause issues
Steps To Reproduce
To keep things simple, these steps rely on kwctl
verify-image-signaturesource codeverify-signature-images(see below for details)make clean&&make e2e-testsEnvironment
This table describes the current state of working/non-working combinations.
Notes:
VFIstands forverify-image-signaturesmain1.6,1.7.0-rc1mainAnything else?
The issue is caused by a change done inside of the policy-sdk-rust repository, more specifically this commit.
The commit changes how the
CertificateEncodingenum handles the certificate encoding used by the host capabilityv1/is_certificate_trusted.A certificate object is defined in this way:
The change done to the rust SDK crate causes the code to expect the certificate encoding to be either
pemorder(both lowercase). Older releases of this crate expected the values to be eitherPemorDer. The rust SDK crate is used both by policy authors and by policy-server/kwctl (it's a transitive dependency ofpolicy-evaluator).The issue has been introduced starting from the 0.9.5 release of the Rust SDK, which is not yet consumed by any tagged release of policy-server/kwcl