sigstore / k8s-manifest-sigstore

kubectl plugin for signing Kubernetes manifest YAML files with sigstore
Apache License 2.0

bump up cosign version to v1.5.1 #59

Closed Namanl2001 closed 2 years ago

Namanl2001 commented 2 years ago

Signed-off-by: Naman Lakhwani namanlakhwani@gmail.com

Summary

Additional context

We were facing an issue while importing this pkg in kyverno: github.com/sigstore/k8s-manifest-sigstore/pkg/k8smanifest

error log:

go: finding module for package github.com/sigstore/fulcio/pkg/client
github.com/kyverno/kyverno/pkg/engine imports
        github.com/sigstore/k8s-manifest-sigstore/pkg/k8smanifest imports
        github.com/sigstore/k8s-manifest-sigstore/pkg/cosign imports
        github.com/sigstore/fulcio/pkg/client: package github.com/sigstore/fulcio/pkg/client provided by github.com/sigstore/fulcio at latest version v0.1.1 but not at required version v0.1.2-0.20220114150912-86a2036f9bc7
hirokuni-kitahara commented 2 years ago

Thank you very much @Namanl2001! This is really helpful! Could you please check some failing CI checks? I think the main reasons for them are just these 2,

I triggered the CI checks with the latest main branch code for testing them today (https://github.com/sigstore/k8s-manifest-sigstore/pull/60), but no checks failed at that time.

Namanl2001 commented 2 years ago

@hirokuni-kitahara - Then I think we'll have to wait for the next release of the in-toto/in-toto-golang as our current issue is resolved here (it's related to a different version of go-securesystemslib)

lint issue of pkcs11key package

I'm not sure why we are seeing this in the check failure as we are using it in the file but the linter says imported but not used.

hirokuni-kitahara commented 2 years ago

@Namanl2001 I'm sorry for the late response, and thank you very much for checking them. Could you try changing the version of in-toto/in-toto-golang to v0.3.4-0.20211211042327-af1f9fb822bf in your go.mod? At least I confirmed it worked to solve the build error in my env, so let's check if the CI checks pass after that change.

Also, the lint issue looks like a kind of false alarm as you mentioned, so let's ignore it even if it happens again. Thank you.

Namanl2001 commented 2 years ago

Thanks, @hirokuni-kitahara, for the suggestion; it seems to be fine in my IDE. Can you please approve the workflow again so that we can check if the CI checks pass?

Namanl2001 commented 2 years ago

Thanks @hirokuni-kitahara for merging this PR.

Is there a way to use these latest changes in kyverno? Or would we have to wait for the next release of this project?

hirokuni-kitahara commented 2 years ago

Thank you very much @Namanl2001 !

For now, you can use the following version in kyverno's go.mod.

github.com/sigstore/k8s-manifest-sigstore v0.1.1-0.20220221005059-7d663276f8f6

This version contains the changes in this PR.

Namanl2001 commented 2 years ago

Hey @hirokuni-kitahara - Now I'm able to import and use the pkg. Also, after the changes kyverno builds successfully, but while deploying I'm getting the following error:

$ kubectl logs kyverno-5449ff98c-gq47t -n kyverno
/kyverno flag redefined: log_dir
panic: /kyverno flag redefined: log_dir

goroutine 1 [running]:
flag.(*FlagSet).Var(0xc000138120, {0x35fd780, 0x4df2db0}, {0x2b0938b, 0x7}, {0x2b82722, 0x2f})
        /usr/local/go/src/flag/flag.go:879 +0x2f4
flag.(*FlagSet).StringVar(...)
        /usr/local/go/src/flag/flag.go:762
k8s.io/klog/v2.InitFlags(0x6)
        /home/naman/go/pkg/mod/k8s.io/klog/v2@v2.40.1/klog.go:429 +0x55
main.main()
        /mnt/g/kyverno/kyverno/cmd/kyverno/main.go:75 +0x47

kyverno/kyverno/cmd/kyverno/main.go:75: https://github.com/kyverno/kyverno/blob/HEAD/cmd/kyverno/main.go#L75

I found a similar question here: https://stackoverflow.com/questions/37284423/glog-flag-redefined-error and to me, it seems like there are some issues while using both glog and klog, but I'm not sure why they are only visible in kyverno and not in sigstore/k8s-manifest-sigstore. Are you aware of any workaround for this?

Help needed! Thanks

hirokuni-kitahara commented 2 years ago

Hi @Namanl2001, I tried building the latest kyverno code with k8s-manifest-sigstore, and the issue above reproduced in my env too. Actually it looks like some issue around klog, and I found out this issue happens when klog.InitFlags(nil) is invoked twice (e.g. from some dependency package of k8s-manifest-sigstore and from kyverno). I am digging into this to identify the root cause. Thank you.

Namanl2001 commented 2 years ago

@hirokuni-kitahara - lemme know if I can help you with this :)

hirokuni-kitahara commented 2 years ago

Hi @Namanl2001, the root cause of the issue is a conflict between two different dependent packages.

Both try to set the same command-line flag "log_dir" (defined here and here), and it causes the runtime error you saw. This issue can be worked around by adding the following code to kyverno. I confirmed no error was reported with the change.

if flag.CommandLine.Lookup("log_dir") != nil {
    flag.CommandLine = flag.NewFlagSet(os.Args[0], flag.ExitOnError)
}
klog.InitFlags(nil)  // add the block above before invoking klog.InitFlags()

I hope this helps your case. Thank you.
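
Added example (not part of the thread and not code from kyverno or k8s-manifest-sigstore): a standard-library-only reproduction of the "flag redefined: log_dir" panic, plus an alternative to replacing `flag.CommandLine`, which discards every flag registered before the swap. `registerLogFlags` is a hypothetical stand-in for a logging library's flag setup, and the `logtostderr` and `kubeconfig` flags are constructed sample data.

```go
package main

import (
	"flag"
	"fmt"
	"io"
)

// registerLogFlags is a hypothetical stand-in for a logging library's InitFlags.
func registerLogFlags(fs *flag.FlagSet) {
	fs.String("log_dir", "", "directory for log files")
	fs.Bool("logtostderr", true, "log to stderr")
}

// tryRegister returns the panic message raised when a flag name is defined twice.
func tryRegister(fs *flag.FlagSet) (msg string) {
	defer func() {
		if r := recover(); r != nil {
			msg = fmt.Sprint(r)
		}
	}()
	registerLogFlags(fs)
	return ""
}

// mergeMissing copies only the flags dst lacks, so flags defined earlier survive.
func mergeMissing(dst *flag.FlagSet) (added []string) {
	scratch := flag.NewFlagSet("scratch", flag.ContinueOnError)
	registerLogFlags(scratch)
	scratch.VisitAll(func(f *flag.Flag) {
		if dst.Lookup(f.Name) == nil {
			dst.Var(f.Value, f.Name, f.Usage)
			added = append(added, f.Name)
		}
	})
	return added
}

// newSet builds a constructed FlagSet where another dependency already owns log_dir.
func newSet() *flag.FlagSet {
	fs := flag.NewFlagSet("demo", flag.ContinueOnError)
	fs.SetOutput(io.Discard) // keep the duplicate-flag message off stderr
	fs.String("log_dir", "", "defined first by another dependency")
	fs.String("kubeconfig", "", "application flag")
	return fs
}

func main() {
	fmt.Println(tryRegister(newSet()), mergeMissing(newSet()))
}
```

With the real klog package the same pattern would pass a scratch `FlagSet` to `klog.InitFlags` instead of `nil`; that substitution is an assumption and is not exercised here.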

Namanl2001 commented 2 years ago

Thanks a lot, @hirokuni-kitahara - your suggestion worked like a charm