kubewarden / verify-image-signatures

A Kubewarden Policy that verifies all the signatures of the container images referenced by a Pod
https://kubewarden.io
Apache License 2.0

Can't verify signatures on our private quay based registry. #19

Closed spielkind closed 2 years ago

spielkind commented 2 years ago

Is there an existing issue for this?

Current Behavior

Signature couldn't be verified.

Expected Behavior

Verify signature. :)

Steps To Reproduce

Test policy:

apiVersion: policies.kubewarden.io/v1alpha2
kind: AdmissionPolicy
metadata:
  name: verify-image-signatures
spec:
  module: ghcr.io/kubewarden/policies/verify-image-signatures:v0.1.4
  rules:
  - apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
    operations:
    - CREATE
    - UPDATE
  mutating: true
  settings:
    signatures:
      - image: mtr.devops.telekom.de/reik_keutterling/*
        pubKeys:
        - |
          -----BEGIN PUBLIC KEY-----
          MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEVfjPXZbGFQBVPfIj9oRTea4MV7em
          Ds54Jc1NSfduu22RW3pcSQQAzcWHdNUwlP0GkcYWOFdWhVmdgCdBSk/ihg==
          -----END PUBLIC KEY-----

Test Image: mtr.devops.telekom.de/reik_keutterling/mytest:signed

Environment

- Rancher 2.6.5
- K8s 1.22.9

Anything else?

Debug output:

2022-06-15T12:11:06.682895Z DEBUG reqwest::async_impl::client: response '403 Forbidden' for https://mtr.devops.telekom.de/v2/    
2022-06-15T12:11:06.682989Z DEBUG oci_distribution::client: HEAD image manifest from https://mtr.devops.telekom.de/v2/reik_keutterling/mytest/manifests/signed
2022-06-15T12:11:06.683456Z DEBUG oci_distribution::token_cache: Fetching token registry=mtr.devops.telekom.de repository=reik_keutterling/mytest op=Pull miss=true
2022-06-15T12:11:06.755126Z DEBUG reqwest::async_impl::client: response '200 OK' for https://mtr.devops.telekom.de/v2/reik_keutterling/mytest/manifests/signed    
2022-06-15T12:11:06.755258Z DEBUG sigstore::registry::oci_caching_client: Got image digest by querying remote registry image=Reference { registry: "mtr.devops.telekom.de", repository: "reik_keutterling/mytest", tag: Some("signed"), digest: None }
2022-06-15T12:11:06.756035Z DEBUG oci_distribution::token_cache: Fetching token registry=mtr.devops.telekom.de repository=reik_keutterling/mytest op=Pull miss=true
2022-06-15T12:11:06.756100Z DEBUG oci_distribution::client: Authorizing for image: Reference { registry: "mtr.devops.telekom.de", repository: "reik_keutterling/mytest", tag: Some("sha256-4998620d0c06810f7e021e789ebbdc145bf6e5c774ddd4f4c05f64f85bd40fc2.sig"), digest: None }
2022-06-15T12:11:06.756123Z DEBUG oci_distribution::client: url="https://mtr.devops.telekom.de/v2/"
2022-06-15T12:11:06.770097Z DEBUG reqwest::async_impl::client: response '403 Forbidden' for https://mtr.devops.telekom.de/v2/    
2022-06-15T12:11:06.771621Z DEBUG oci_distribution::client: Pulling image manifest from https://mtr.devops.telekom.de/v2/reik_keutterling/mytest/manifests/sha256-4998620d0c06810f7e021e789ebbdc145bf6e5c774ddd4f4c05f64f85bd40fc2.sig
2022-06-15T12:11:06.772929Z DEBUG oci_distribution::token_cache: Fetching token registry=mtr.devops.telekom.de repository=reik_keutterling/mytest op=Pull miss=true
2022-06-15T12:11:06.838714Z DEBUG reqwest::async_impl::client: response '200 OK' for https://mtr.devops.telekom.de/v2/reik_keutterling/mytest/manifests/sha256-4998620d0c06810f7e021e789ebbdc145bf6e5c774ddd4f4c05f64f85bd40fc2.sig    
2022-06-15T12:11:06.838872Z DEBUG oci_distribution::client: validating manifest: {"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:2f51aad9ad42e0788893eabe3422d13e97a2e656c17da1ef7eb5cc9b2ca154f6"},"layers":[{"mediaType":"application/vnd.dev.cosign.simplesigning.v1+json","size":261,"digest":"sha256:aaacf9ca8ff700583587bd7fb6e9ab971a688a1c6146de2bea105b5a848f2521","annotations":{"dev.cosignproject.cosign/signature":"MEUCIFQk4AHTX3T/i/Uty77dvlxQ2wczLAnno2HTgCtKgke3AiEAihMBsF2jkZaHtMFc1NwVd23BamUaMoLGgCCVcBL1p78="}}]}
2022-06-15T12:11:06.839134Z DEBUG oci_distribution::client: Parsing response as Manifest: {"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:2f51aad9ad42e0788893eabe3422d13e97a2e656c17da1ef7eb5cc9b2ca154f6"},"layers":[{"mediaType":"application/vnd.dev.cosign.simplesigning.v1+json","size":261,"digest":"sha256:aaacf9ca8ff700583587bd7fb6e9ab971a688a1c6146de2bea105b5a848f2521","annotations":{"dev.cosignproject.cosign/signature":"MEUCIFQk4AHTX3T/i/Uty77dvlxQ2wczLAnno2HTgCtKgke3AiEAihMBsF2jkZaHtMFc1NwVd23BamUaMoLGgCCVcBL1p78="}}]}
2022-06-15T12:11:06.839244Z DEBUG sigstore::registry::oci_caching_client: Got image manifest by querying remote registry image=Reference { registry: "mtr.devops.telekom.de", repository: "reik_keutterling/mytest", tag: Some("sha256-4998620d0c06810f7e021e789ebbdc145bf6e5c774ddd4f4c05f64f85bd40fc2.sig"), digest: None }
2022-06-15T12:11:06.839559Z DEBUG oci_distribution::client: Pulling image: Reference { registry: "mtr.devops.telekom.de", repository: "reik_keutterling/mytest", tag: Some("sha256-4998620d0c06810f7e021e789ebbdc145bf6e5c774ddd4f4c05f64f85bd40fc2.sig"), digest: None }
2022-06-15T12:11:06.839592Z DEBUG oci_distribution::token_cache: Fetching token registry=mtr.devops.telekom.de repository=reik_keutterling/mytest op=Pull miss=true
2022-06-15T12:11:06.839612Z DEBUG oci_distribution::client: Authorizing for image: Reference { registry: "mtr.devops.telekom.de", repository: "reik_keutterling/mytest", tag: Some("sha256-4998620d0c06810f7e021e789ebbdc145bf6e5c774ddd4f4c05f64f85bd40fc2.sig"), digest: None }
2022-06-15T12:11:06.839629Z DEBUG oci_distribution::client: url="https://mtr.devops.telekom.de/v2/"
2022-06-15T12:11:06.849140Z DEBUG reqwest::async_impl::client: response '403 Forbidden' for https://mtr.devops.telekom.de/v2/    
2022-06-15T12:11:06.849176Z DEBUG oci_distribution::client: Pulling image manifest from https://mtr.devops.telekom.de/v2/reik_keutterling/mytest/manifests/sha256-4998620d0c06810f7e021e789ebbdc145bf6e5c774ddd4f4c05f64f85bd40fc2.sig
2022-06-15T12:11:06.849231Z DEBUG oci_distribution::token_cache: Fetching token registry=mtr.devops.telekom.de repository=reik_keutterling/mytest op=Pull miss=true
2022-06-15T12:11:06.874479Z DEBUG rustls::server::hs: decided upon suite TLS13_AES_128_GCM_SHA256    
2022-06-15T12:11:06.874514Z DEBUG rustls::server::tls13::client_hello: Client unwilling to resume, DHE_KE not offered    
2022-06-15T12:11:06.881478Z DEBUG rustls::conn: Sending warning alert CloseNotify    
2022-06-15T12:11:06.916389Z DEBUG reqwest::async_impl::client: response '200 OK' for https://mtr.devops.telekom.de/v2/reik_keutterling/mytest/manifests/sha256-4998620d0c06810f7e021e789ebbdc145bf6e5c774ddd4f4c05f64f85bd40fc2.sig    
2022-06-15T12:11:06.916635Z DEBUG oci_distribution::client: validating manifest: {"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:2f51aad9ad42e0788893eabe3422d13e97a2e656c17da1ef7eb5cc9b2ca154f6"},"layers":[{"mediaType":"application/vnd.dev.cosign.simplesigning.v1+json","size":261,"digest":"sha256:aaacf9ca8ff700583587bd7fb6e9ab971a688a1c6146de2bea105b5a848f2521","annotations":{"dev.cosignproject.cosign/signature":"MEUCIFQk4AHTX3T/i/Uty77dvlxQ2wczLAnno2HTgCtKgke3AiEAihMBsF2jkZaHtMFc1NwVd23BamUaMoLGgCCVcBL1p78="}}]}
2022-06-15T12:11:06.916750Z DEBUG oci_distribution::client: Parsing response as Manifest: {"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:2f51aad9ad42e0788893eabe3422d13e97a2e656c17da1ef7eb5cc9b2ca154f6"},"layers":[{"mediaType":"application/vnd.dev.cosign.simplesigning.v1+json","size":261,"digest":"sha256:aaacf9ca8ff700583587bd7fb6e9ab971a688a1c6146de2bea105b5a848f2521","annotations":{"dev.cosignproject.cosign/signature":"MEUCIFQk4AHTX3T/i/Uty77dvlxQ2wczLAnno2HTgCtKgke3AiEAihMBsF2jkZaHtMFc1NwVd23BamUaMoLGgCCVcBL1p78="}}]}
2022-06-15T12:11:06.916829Z DEBUG oci_distribution::client: Pulling config layer
2022-06-15T12:11:06.916924Z DEBUG oci_distribution::token_cache: Fetching token registry=mtr.devops.telekom.de repository=reik_keutterling/mytest op=Pull miss=true
2022-06-15T12:11:06.926783Z DEBUG reqwest::async_impl::client: response '403 Forbidden' for https://mtr.devops.telekom.de/v2/reik_keutterling/mytest/blobs/sha256:2f51aad9ad42e0788893eabe3422d13e97a2e656c17da1ef7eb5cc9b2ca154f6    
2022-06-15T12:11:06.926825Z DEBUG oci_distribution::client: Pulling image layer
2022-06-15T12:11:06.926972Z DEBUG oci_distribution::token_cache: Fetching token registry=mtr.devops.telekom.de repository=reik_keutterling/mytest op=Pull miss=true
2022-06-15T12:11:06.937020Z DEBUG reqwest::async_impl::client: response '403 Forbidden' for https://mtr.devops.telekom.de/v2/reik_keutterling/mytest/blobs/sha256:aaacf9ca8ff700583587bd7fb6e9ab971a688a1c6146de2bea105b5a848f2521    
2022-06-15T12:11:06.937069Z DEBUG sigstore::registry::oci_caching_client: Got image data by querying remote registry image=Reference { registry: "mtr.devops.telekom.de", repository: "reik_keutterling/mytest", tag: Some("sha256-4998620d0c06810f7e021e789ebbdc145bf6e5c774ddd4f4c05f64f85bd40fc2.sig"), digest: None }

Seems like it can't fetch the layer:

2022-06-15T12:11:06.926783Z DEBUG reqwest::async_impl::client: response '403 Forbidden' for https://mtr.devops.telekom.de/v2/reik_keutterling/mytest/blobs/sha256:2f51aad9ad42e0788893eabe3422d13e97a2e656c17da1ef7eb5cc9b2ca154f6

But as this is a public image, this should work:

❯ curl  -i https://mtr.devops.telekom.de/v2/reik_keutterling/mytest/blobs/sha256:2f51aad9ad42e0788893eabe3422d13e97a2e656c17da1ef7eb5cc9b2ca154f6
HTTP/2 302 
date: Wed, 15 Jun 2022 12:36:21 GMT
content-type: text/html; charset=utf-8
content-length: 4501
location: https://mtr.devops.telekom.de/_storage_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/https/s3.eu-central-1.amazonaws.com/mtr-prod/datastorage/registry/sha256/2f/2f51aad9ad42e0788893eabe3422d13e97a2e656c17da1ef7eb5cc9b2ca154f6?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAUTQU5QZC76ZFLWNL%2F20220615%2Feu-central-1%2Fs3%2Faws4_request&X-Amz-Date=20220615T123621Z&X-Amz-Expires=600&X-Amz-SignedHeaders=host&X-Amz-Signature=07e4f86e148af5bcf9dc15b26f85c6e78fa5ce55fb9fd46deda77d7b8f952e81
set-cookie: quay.session=7369c196574ceedb8de14a0bdc0ceec6|c791a42e6919ba98c33df5b8367872d1; Path=/; Secure; HttpOnly
docker-content-digest: sha256:2f51aad9ad42e0788893eabe3422d13e97a2e656c17da1ef7eb5cc9b2ca154f6
accept-ranges: bytes
cache-control: max-age=31536000
x-frame-options: DENY
strict-transport-security: max-age=15724800; includeSubDomains

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to target URL: <a href="https://mtr.devops.telekom.de/_storage_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/https/s3.eu-central-1.amazonaws.com/mtr-prod/datastorage/registry/sha256/2f/2f51aad9ad42e0788893eabe3422d13e97a2e656c17da1ef7eb5cc9b2ca154f6?X-Amz-Algorithm=AWS4-HMAC-SHA256&amp;X-Amz-Credential=AKIAUTQU5QZC76ZFLWNL%2F20220615%2Feu-central-1%2Fs3%2Faws4_request&amp;X-Amz-Date=20220615T123621Z&amp;X-Amz-Expires=600&amp;X-Amz-SignedHeaders=host&amp;X-Amz-Signature=07e4f86e148af5bcf9dc15b26f85c6e78fa5ce55fb9fd46deda77d7b8f952e81">https://mtr.devops.telekom.de/_storage_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/https/s3.eu-central-1.amazonaws.com/mtr-prod/datastorage/registry/sha256/2f/2f51aad9ad42e0788893eabe3422d13e97a2e656c17da1ef7eb5cc9b2ca154f6?X-Amz-Algorithm=AWS4-HMAC-SHA256&amp;X-Amz-Credential=AKIAUTQU5QZC76ZFLWNL%2F20220615%2Feu-central-1%2Fs3%2Faws4_request&amp;X-Amz-Date=20220615T123621Z&amp;X-Amz-Expires=600&amp;X-Amz-SignedHeaders=host&amp;X-Amz-Signature=07e4f86e148af5bcf9dc15b26f85c6e78fa5ce55fb9fd46deda77d7b8f952e81</a>.  If not click the link.%

❯ curl -L https://mtr.devops.telekom.de/v2/reik_keutterling/mytest/blobs/sha256:2f51aad9ad42e0788893eabe3422d13e97a2e656c17da1ef7eb5cc9b2ca154f6
{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:aaacf9ca8ff700583587bd7fb6e9ab971a688a1c6146de2bea105b5a848f2521"]},"config":{}}

I guess it's related to the redirect & session cookie.

Bonus question: Is it possible to verify private images which require specific pull secrets? Couldn't find any information on that.

jvanz commented 2 years ago

I'm doing some tests and the issue seems to be with the oci-distribution. Even the example program from the library fails to pull the manifest from the repo. You can see the error with the following command:

cargo run --no-default-features --features "rustls-tls" --example get-manifest --verbose mtr.devops.telekom.de/reik_keutterling/mytest:signed

I'll continue the investigation and fix the issue.

spielkind commented 2 years ago

Thx for looking into it. I just tried it with cosign; also kyverno had no issues with it. But it's probably because of how quay was configured / set up, just let me know if this is an "issue on the server side". Afaik the colleagues run some kind of WAF in front of the registry, which may also cause some issues.

As you mentioned I got the same issue when running the example get-manifest from the library.

❯ cosign triangulate mtr.devops.telekom.de/reik_keutterling/mytest:signed
mtr.devops.telekom.de/reik_keutterling/mytest:sha256-4998620d0c06810f7e021e789ebbdc145bf6e5c774ddd4f4c05f64f85bd40fc2.sig
❯ cosign verify --key cosign.pub mtr.devops.telekom.de/reik_keutterling/mytest:signed

Verification for mtr.devops.telekom.de/reik_keutterling/mytest:signed --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"mtr.devops.telekom.de/reik_keutterling/mytest"},"image":{"docker-manifest-digest":"sha256:4998620d0c06810f7e021e789ebbdc145bf6e5c774ddd4f4c05f64f85bd40fc2"},"type":"cosign container image signature"},"optional":null}]
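
The `cosign triangulate` / `cosign verify` exchange above is what the policy has to reproduce itself: derive the signature tag from the image digest, pull the `.sig` manifest, read the signature annotation off its simplesigning layer, fetch that layer's blob (the payload; this is the blob fetch that returned 403 in the debug log), and check the payload's critical claims before the signature bytes are even verified. The following is an added example that walks those discovery and claim-matching steps in stdlib-only Python; it is not code from the verify-image-signatures policy, sigstore-rs or cosign. The manifest and payload are constructed from the values quoted in this issue, and the ECDSA check of the signature bytes against the configured public key is deliberately left out (it needs a crypto library and the exact payload bytes), so this shows which image a signature is allowed to admit, not that the signature is genuine.

```python
from __future__ import annotations

import json
import re

# --- Constructed sample data, copied from the values quoted in this issue ---
IMAGE_REPO = "mtr.devops.telekom.de/reik_keutterling/mytest"
IMAGE_DIGEST = "sha256:4998620d0c06810f7e021e789ebbdc145bf6e5c774ddd4f4c05f64f85bd40fc2"

# The .sig manifest the debug log shows being pulled: one simplesigning layer.
SIG_MANIFEST_JSON = '{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:2f51aad9ad42e0788893eabe3422d13e97a2e656c17da1ef7eb5cc9b2ca154f6"},"layers":[{"mediaType":"application/vnd.dev.cosign.simplesigning.v1+json","size":261,"digest":"sha256:aaacf9ca8ff700583587bd7fb6e9ab971a688a1c6146de2bea105b5a848f2521","annotations":{"dev.cosignproject.cosign/signature":"MEUCIFQk4AHTX3T/i/Uty77dvlxQ2wczLAnno2HTgCtKgke3AiEAihMBsF2jkZaHtMFc1NwVd23BamUaMoLGgCCVcBL1p78="}}]}'

# The simplesigning payload that `cosign verify` printed for that signature.
PAYLOAD_JSON = '{"critical":{"identity":{"docker-reference":"mtr.devops.telekom.de/reik_keutterling/mytest"},"image":{"docker-manifest-digest":"sha256:4998620d0c06810f7e021e789ebbdc145bf6e5c774ddd4f4c05f64f85bd40fc2"},"type":"cosign container image signature"},"optional":null}'

COSIGN_SIG_ANNOTATION = "dev.cosignproject.cosign/signature"
SIMPLESIGNING_MEDIA_TYPE = "application/vnd.dev.cosign.simplesigning.v1+json"
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
SIG_TAG_RE = re.compile(r"^sha256-([0-9a-f]{64})\.sig$")


def triangulate_tag(manifest_digest: str) -> str:
    """Map an image manifest digest to the tag cosign stores its signature under.

    cosign's convention: "sha256:<hex>" becomes "sha256-<hex>.sig" in the same
    repository, which is exactly what `cosign triangulate` prints.
    """
    if not DIGEST_RE.match(manifest_digest):
        raise ValueError(f"not a sha256 digest: {manifest_digest!r}")
    return manifest_digest.replace(":", "-", 1) + ".sig"


def digest_from_sig_tag(tag: str) -> str:
    """Inverse of triangulate_tag: which image digest a .sig tag belongs to."""
    m = SIG_TAG_RE.match(tag)
    if not m:
        raise ValueError(f"not a cosign signature tag: {tag!r}")
    return "sha256:" + m.group(1)


def extract_signatures(sig_manifest: dict) -> list[dict]:
    """Collect (payload blob digest, base64 signature) pairs from a .sig manifest.

    Every simplesigning layer is one signed payload; the signature over that
    payload lives in the layer's annotations. Other layer types are ignored.
    """
    found = []
    for layer in sig_manifest.get("layers", []):
        if layer.get("mediaType") != SIMPLESIGNING_MEDIA_TYPE:
            continue
        sig = layer.get("annotations", {}).get(COSIGN_SIG_ANNOTATION)
        if not sig:
            continue
        found.append({"payload_digest": layer["digest"], "signature_b64": sig})
    return found


def claim_matches(payload: dict, expected_repo: str, expected_digest: str) -> bool:
    """Check the critical claims of a simplesigning payload against the admitted image.

    Both the docker-reference and the docker-manifest-digest must match, so a
    genuine signature over some other image's payload cannot admit this one.
    """
    critical = payload.get("critical", {})
    return (
        critical.get("type") == "cosign container image signature"
        and critical.get("identity", {}).get("docker-reference") == expected_repo
        and critical.get("image", {}).get("docker-manifest-digest") == expected_digest
    )


def check_signature_manifest(sig_tag: str, sig_manifest_json: str,
                             payload_json: str, expected_repo: str) -> tuple[bool, str]:
    """Run the discovery and claim checks together; returns (ok, reason).

    In the real flow payload_json is the blob fetched by each entry's
    payload_digest; here it is passed in because the sample is embedded.
    """
    expected_digest = digest_from_sig_tag(sig_tag)
    sigs = extract_signatures(json.loads(sig_manifest_json))
    if not sigs:
        return False, "no cosign signature layers in manifest"
    if not claim_matches(json.loads(payload_json), expected_repo, expected_digest):
        return False, "payload claims do not match the admitted image"
    return True, f"{len(sigs)} signature(s) left to verify against the configured public key"


if __name__ == "__main__":
    tag = triangulate_tag(IMAGE_DIGEST)
    print(f"{IMAGE_REPO}:{tag}")
    print(check_signature_manifest(tag, SIG_MANIFEST_JSON, PAYLOAD_JSON, IMAGE_REPO))
```

The claim check is the part worth keeping in mind when reading the debug log: the policy cannot decide anything from the `.sig` manifest alone, because the digest it is signing over is inside the payload blob, and that blob is what the registry refused to serve.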
jvanz commented 2 years ago

Okay, one more update. The oci-distribution is failing because it tries to authenticate before requesting the manifest. So, when it tries to access https://mtr.devops.telekom.de/v2/auth the response is http status code 403.

Failed to authenticate for image 'Reference { registry: "mtr.devops.telekom.de", repository: "reik_keutterling/mytest", tag: Some("signed"), digest: None }': <html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
</body>
</html>

If I remove the code calling the authentication method, I can fetch the manifest:

OCI Image Manifest( schema-version: '2', media-type: 'application/vnd.docker.distribution.manifest.v2+json', config: '( media-type: 'application/vnd.docker.container.image.v1+json', digest: 'sha256:2724067da075182f23aa386e0f62aeada1e0abf0a04e1cc421ff5f4086bf3e1e', size: '1632', urls: '[]', annotations: '{}' )', layers: '["( media-type: 'application/vnd.docker.image.rootfs.diff.tar.gzip', digest: 'sha256:2408cc74d12b6cd092bb8b516ba7d5e290f485d3eb9672efc00f0583730179e8', size: '2798889', urls: '[]', annotations: '{}' )"]', annotations: '{}' )

Can you check if the WAF is blocking the auth endpoint?

Furthermore, about your question:

> Bonus question: Is it possible to verify private images which require specific pull secrets? Couldn't find any information on that.

You can define the pull secrets in the policy server definition.

spielkind commented 2 years ago

I asked the colleagues about the configuration for the WAF; they told me that they are currently working on it. But I also think it's related to the WAF. When I curled the URL from my local workstation it worked for me. When using an online tool like https://reqbin.com/ I also get the 403 forbidden.

curl -i https://mtr.devops.telekom.de/v2/auth
HTTP/2 401 
date: Mon, 20 Jun 2022 14:54:15 GMT
content-type: application/json
content-length: 112
set-cookie: quay.session=599d2b1b0cd63c723045fe08892a60d9|c791a42e6919ba98c33df5b8367872d1; Path=/; Secure; HttpOnly
www-authenticate: Bearer realm="https://mtr.devops.telekom.de/v2/auth",service="mtr.devops.telekom.de"
docker-distribution-api-version: registry/2.0
strict-transport-security: max-age=15724800; includeSubDomains

{"errors":[{"code":"UNAUTHORIZED","detail":{},"message":"access to the requested resource is not authorized"}]}

Regarding private images, thanks for the feedback. Is there a solution for having multiple pull secrets, handled by different persons, distributed through the whole cluster? See also Slack for details.
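
The two responses in this thread make a useful pair: the `curl -i https://mtr.devops.telekom.de/v2/auth` output above is the Distribution token flow working as designed (401 plus a `WWW-Authenticate: Bearer` challenge naming the realm and service), while what the policy server got back, as jvanz described, was a bare HTML 403 with no challenge at all. The following is an added example, not code from oci-distribution or from the Kubewarden policy server, that shows what a token-auth client does with each: it parses the challenge, builds the token request URL for a `pull` scope on the repository (the `Fetching token ... op=Pull` step in the debug log), and reports the 403-without-challenge case as something that refused the request before the registry's own auth flow ran, which in this issue turned out to be the WAF. The response samples are constructed from the headers quoted in the thread.

```python
from __future__ import annotations

import re
from urllib.parse import urlencode

# --- Constructed samples, taken from the responses quoted in this issue ---
# Anonymous GET https://mtr.devops.telekom.de/v2/auth as curl saw it: a proper challenge.
CHALLENGE_RESPONSE = (401, {
    "content-type": "application/json",
    "www-authenticate": 'Bearer realm="https://mtr.devops.telekom.de/v2/auth",service="mtr.devops.telekom.de"',
    "docker-distribution-api-version": "registry/2.0",
})
# The same endpoint as the policy server saw it: an HTML 403 with no challenge.
BLOCKED_RESPONSE = (403, {"content-type": "text/html"})

REPOSITORY = "reik_keutterling/mytest"

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def header(headers: dict, name: str) -> str | None:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_bearer_challenge(value: str) -> dict:
    """Parse 'Bearer realm="...",service="...",scope="..."' into a dict of its parameters."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"not a Bearer challenge: {scheme!r}")
    parsed = dict(_PARAM_RE.findall(params))
    if "realm" not in parsed:
        raise ValueError("Bearer challenge without realm")
    return parsed


def token_url(challenge: dict, repository: str, actions: tuple[str, ...] = ("pull",)) -> str:
    """Build the token-endpoint URL the client fetches next.

    The realm is the token server, the service is echoed back, and the scope
    names the repository and the actions (here just pull) the token must cover.
    """
    query = {}
    if "service" in challenge:
        query["service"] = challenge["service"]
    query["scope"] = f"repository:{repository}:{','.join(actions)}"
    return f"{challenge['realm']}?{urlencode(query, safe=':/,')}"


def next_step(status: int, headers: dict, repository: str) -> tuple[str, str | None]:
    """Decide what a token-auth client should do after its anonymous probe.

    401 with a Bearer challenge: normal, fetch a token from the realm.
    200: the registry serves this anonymously, no token needed.
    403 without a challenge: refused before the registry's auth flow ran
        (typically a proxy or WAF in front, as in this issue); the client has
        nothing to retry with, so the only fix is on the server side.
    Returns (verdict, token_url_or_None).
    """
    www = header(headers, "www-authenticate")
    if status == 401 and www:
        return "fetch_token", token_url(parse_bearer_challenge(www), repository)
    if status == 200:
        return "anonymous_ok", None
    if status == 403 and not www:
        return "blocked_before_auth", None
    return "unexpected", None


if __name__ == "__main__":
    for label, (status, headers) in (("curl", CHALLENGE_RESPONSE), ("policy-server", BLOCKED_RESPONSE)):
        print(label, status, next_step(status, headers, REPOSITORY))
```

When a signature-verification policy logs only `403 Forbidden` for `/v2/` or the token realm with no challenge header, comparing the raw headers from inside the cluster against those from a workstation, as was done in this thread, is the quickest way to tell a registry permission problem from something in the request path.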

jvanz commented 2 years ago

> I asked the colleagues about the configuration for the WAF; they told me that they are currently working on it. But I also think it's related to the WAF. When I curled the URL from my local workstation it worked for me. When using an online tool like https://reqbin.com/ I also get the 403 forbidden.

@flavio what do you think about changing oci-distribution to add a configuration/flag to skip the auth even if the request is not authenticated? I understand that the firewall should be fixed. But I'm wondering if it makes sense to force oci-distribution to authenticate every time it is not authenticated. Is this an OCI requirement in the OCI spec? (I'll try to figure that out as well)

> Regarding private images, thanks for the feedback. Is there a solution for having multiple pull secrets, handled by different persons, distributed through the whole cluster? See also Slack for details.

For future readers, let me document here what I just sent to you in the Slack channel:

unfortunately, there is no other way to define the pull secrets. You can deploy multiple policy servers with different pull secrets. I understand that this is not the best solution. But it is a possible solution for now. Let me take this opportunity to ask you: what would you like to have? Secrets defined in the cluster, so that multiple policy servers can refer to the same secret? Let us know what you think. I cannot guarantee that we can do that now, but your feedback, as a user, is very important.

spielkind commented 2 years ago

@jvanz the colleagues applied a change at the WAF yesterday. While cargo still fails with "403 forbidden" for me, curl (as before) and https://reqbin.com/ now work for https://mtr.devops.telekom.de/v2/auth

Edit: Seems they changed something else, as the cargo get-manifest example now works for me.

jvanz commented 2 years ago

> @jvanz the colleagues applied a change at the WAF yesterday. While cargo still fails with "403 forbidden" for me, curl (as before) and https://reqbin.com/ now work for https://mtr.devops.telekom.de/v2/auth
>
> Edit: Seems they changed something else, as the cargo get-manifest example now works for me.

Nice! I can also see here that the example program is working. Is the policy server working as well?

spielkind commented 2 years ago

Yes, also the policy server is working now.

Thanks for your support!