Closed ereslibre closed 2 years ago
chrisns
commented
2 years ago temp workaround:
apiVersion: policies.kubewarden.io/v1alpha2
kind: PolicyServer
metadata:
name: default
spec:
image: ghcr.io/kubewarden/policy-server:latest@sha256:682b9f9c6f86b62b0673b695897ca834d415d9ad24736edcee8c4bfa7adf2dcato force the use of the amd64 image
ereslibre
commented
2 years ago This is caused by how we are building the container images. I have to check more in detail in order to report the issue in case there is some binary compatibility issue. I will follow up about that here.
In terms of moving forward, I have taken the opportunity to move away from openssl to rustls. The following changes support this move in different parts of the project and dependencies:
rustls backend does not support accept_invalid_hostnames concept implemented in the openssl backend.rustls instead of openssl. Keep openssl as the default, so no change by default. Also, when https://github.com/krustlet/oci-distribution/pull/8 is merged, https://github.com/sigstore/sigstore-rs/pull/14 has to be applied.openssl with rustls. Perform some minor API adaptations.kube dependency (used for context aware policies) to use rustls.openssl with rustls. Update the way we build the container image. Perform some API adaptations so we don't depend on openssl for reading certificates and keys and depend on rustls_pemfile instead.openssl with rustls. Perform some minor API adaptations.ereslibre
commented
2 years ago I just verified that the new locally build with rustls works as expected and does not crash.
ereslibre
commented
2 years ago This is implemented.
https://github.com/kubewarden/docs/issues/75 describes how to make the Policy Server crash under arm64, but just trying to follow the quick start makes it crash on every request.