sigstore / cosign-gatekeeper-provider

🔮 ✈️ to integrate OPA Gatekeeper's new ExternalData feature with cosign to determine whether the images are valid by verifying their signatures
Apache License 2.0

use panic-free logic #17

Closed Dentrax closed 1 year ago

Dentrax commented 2 years ago

Signed-off-by: Furkan <furkan.turkal@trendyol.com>

Related issue: https://github.com/sigstore/cosign-gatekeeper-provider/issues/16 (This is not a fix PR)

Bump cosign to use panic-free Fulcio when getting root certs: https://github.com/sigstore/cosign/pull/1965

PTAL @developer-guy

Summary

Ticket Link

Fixes

Release Note

* Bump cosign to v1.9.1
* Use panic-free logic
* Get root certs during initialization
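An added example, not this project's or cosign's code, contrasting the two patterns this PR is about: fetching the Fulcio root pool lazily inside the request handler and panicking on failure (the pattern behind the "http: panic serving" trace posted later in this thread, which Gatekeeper sees as an EOF on the external data request), beside fetching the roots once at initialisation and returning an ordinary error. The providerResponse type, rootLoader and the handler bodies are hypothetical stand-ins; real TUF root retrieval and cosign signature verification are left out.

```go
package main

import (
	"crypto/x509"
	"encoding/json"
	"fmt"
	"net/http"
	"sync"
)
// Minimal stand-in for the Gatekeeper external data response shape seen in this
// thread (constructed here, not the gatekeeper library's own type).
type providerResponse struct {
	Errors      []string `json:"errors"`
	Responses   []string `json:"responses"`
	StatusCode  int      `json:"status_code"`
	SystemError string   `json:"system_error,omitempty"`
}
// rootLoader stands in for fetching the Fulcio root pool through TUF.
type rootLoader func() (*x509.CertPool, error)

// lazyHandler mirrors the pre-fix behaviour: roots are fetched in the request path and
// a failure panics; net/http recovers and closes the connection (the "EOF" Gatekeeper reports).
func lazyHandler(load rootLoader) http.HandlerFunc {
	var once sync.Once
	return func(w http.ResponseWriter, r *http.Request) {
		once.Do(func() {
			if _, err := load(); err != nil {
				panic(fmt.Errorf("creating root cert pool: %w", err))
			}
		})
		_ = json.NewEncoder(w).Encode(providerResponse{StatusCode: 200, Responses: []string{"ok"}})
	}
}

// provider fetches the root pool once at initialisation: a failure is an ordinary
// error the process can refuse to start on, and the handler has nothing left to panic on.
type provider struct{ roots *x509.CertPool }

func newProvider(load rootLoader) (*provider, error) {
	roots, err := load()
	if err != nil {
		return nil, fmt.Errorf("creating root cert pool: %w", err)
	}
	return &provider{roots: roots}, nil
}

func (p *provider) validate(w http.ResponseWriter, r *http.Request) {
	// Verification against p.roots goes here; failures go in the JSON body, never a panic.
	_ = json.NewEncoder(w).Encode(providerResponse{StatusCode: 200, Responses: []string{"ok"}})
}
```

With the second pattern a broken TUF root (as in the "failed to decode root.json" error) stops the provider at startup, where it is visible to the deployment, instead of dropping every admission request at runtime.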
Dentrax commented 2 years ago

No idea why the pipeline throws the following error:

verifying github.com/docker/distribution@v2.8.0+incompatible: checksum mismatch
    downloaded: h1:l9EaZDICImO1ngI+uTifW+ZYvvz7fKISBAKpg+MbWbY=
    go.sum:     h1:u9vuu6qqG7nN9a735Noed0ahoUm30iipVRlhgh72N0M=
mathieu-benoit commented 1 year ago

Getting this error indeed: k apply -f policy/examples/error.yaml:

Error from server (Forbidden): error when creating "policy/examples/error.yaml": admission webhook "validation.gatekeeper.sh" denied the request: [cosign-gatekeeper-provider] invalid response: {"errors": null, "responses": null, "status_code": 500, "system_error": "failed to send external data request: Post \"http://cosign-gatekeeper-provider.cosign-gatekeeper-provider:8090/validate\": EOF"}

k logs pod/cosign-gatekeeper-provider-585fdcbb74-64w22 -n cosign-gatekeeper-provider:

starting server...
verify signature for: devopps/alpine:notsigned
2023/02/05 21:22:50 http: panic serving 10.84.1.8:49576: creating root cert pool: retrieving trusted root; local cache may be corrupt: initializing root client: tuf: failed to decode root.json: encoding/hex: invalid byte: U+002D '-'
goroutine 19 [running]:
net/http.(*conn).serve.func1()
        /usr/local/go/src/net/http/server.go:1801 +0xb9
panic({0x1b9fa40, 0xc000cd6120})
        /usr/local/go/src/runtime/panic.go:1047 +0x266
github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioroots.initRoots()
        /go/pkg/mod/github.com/sigstore/cosign@v1.3.1/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go:67 +0x235
github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioroots.Get.func1()
        /go/pkg/mod/github.com/sigstore/cosign@v1.3.1/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go:45 +0x17
sync.(*Once).doSlow(0xc0005e0420, 0x18)
        /usr/local/go/src/sync/once.go:68 +0xd2
sync.(*Once).Do(...)
        /usr/local/go/src/sync/once.go:59
github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioroots.Get()
        /go/pkg/mod/github.com/sigstore/cosign@v1.3.1/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go:44 +0x31
github.com/sigstore/cosign/cmd/cosign/cli/fulcio.GetRoots(...)
        /go/pkg/mod/github.com/sigstore/cosign@v1.3.1/cmd/cosign/cli/fulcio/fulcio.go:197
main.validate({0x218ee50, 0xc00063a2a0}, 0xc0000d2700)
        /go/src/github.com/developer-guy/cosign-gatekeeper-provider/provider.go:72 +0x408
net/http.HandlerFunc.ServeHTTP(0x7f06a1473d18, {0x218ee50, 0xc00063a2a0}, 0xc00063a2a0)
        /usr/local/go/src/net/http/server.go:2046 +0x2f
net/http.(*ServeMux).ServeHTTP(0x0, {0x218ee50, 0xc00063a2a0}, 0xc0000d2700)
        /usr/local/go/src/net/http/server.go:2424 +0x149
net/http.serverHandler.ServeHTTP({0x2182d08}, {0x218ee50, 0xc00063a2a0}, 0xc0000d2700)
        /usr/local/go/src/net/http/server.go:2878 +0x43b
net/http.(*conn).serve(0xc0002a2140, {0x2199b40, 0xc00068b8f0})
        /usr/local/go/src/net/http/server.go:1929 +0xb08
created by net/http.(*Server).Serve
        /usr/local/go/src/net/http/server.go:3033 +0x4e8

Out of curiosity @Dentrax @developer-guy, any update on this PR?

Dentrax commented 1 year ago

any update on this PR?

I almost forgot this one. 🙈 So no updates. Do you want to take it over? Let's merge yours #26. Have dropped some reviews.