smallstep / helm-charts

Helm packages for Kubernetes
Apache License 2.0

[security] default registry image not available - step.sm - strange domain? #143

Closed rdxmb closed 1 year ago

rdxmb commented 1 year ago

Subject of the issue

The default container registry repository defined in https://github.com/smallstep/helm-charts/blob/master/step-certificates/values.yaml#L18 and https://github.com/smallstep/helm-charts/blob/master/step-issuer/values.yaml#L8 is not available anymore. It seems there is no registry at cr.step.sm anymore. What I wonder: whose registry is/was that?

http://step.sm seems to be at domgate.com, which seems to be a domain reseller to me.

Steps to reproduce

docker pull cr.step.sm/smallstep/step-ca:0.23.2

Expected behaviour

Having the same registry and image when using https://smallstep.com/docs/step-ca/installation/#docker or https://smallstep.com/docs/step-ca/installation/#kubernetes

Actual behaviour

404 - with a strange domain name in the background.

Additional context

step.sm does not seem to be owned by smallstep. Is that correct? If so, this could be a security issue. Let me grab that domain, create a registry on top and build my own image to distribute. It would even be possible to read all the CA certificates and keys mounted into the container...
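The risk described in this report is that a chart's default image reference names a registry host the deployer does not control and pins the image by a mutable tag only. A check a cluster operator can run over chart values before install, as an added example that is not part of the issue or the helm-charts project (the allowlist contents are an assumption), parses the reference from the report above, verifies the registry host against the allowlist and flags the missing digest:

```python
"""Check container image references from Helm values for supply-chain hygiene."""
import re
from dataclasses import dataclass
from typing import Optional

# Registries this deployment is permitted to pull from (assumption: example allowlist).
ALLOWED_REGISTRIES = {"cr.smallstep.com", "docker.io"}

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split an OCI-style reference into registry, repository, tag and digest.

    The first path component is treated as a registry host only if it looks
    like one (contains '.' or ':' or is 'localhost'); otherwise Docker Hub is
    implied, mirroring the container runtime's resolution rule.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest: {digest}")
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    # A tag is the text after the last ':' in the final path component.
    colon = path.rfind(":")
    if colon > path.rfind("/"):
        path, tag = path[:colon], path[colon + 1:]
    return ImageRef(registry, path, tag, digest)


def check_image_ref(ref: str, allowed=ALLOWED_REGISTRIES) -> list:
    """Return findings for a reference; an empty list means it is acceptable."""
    img = parse_image_ref(ref)
    findings = []
    if img.registry not in allowed:
        findings.append(f"registry {img.registry!r} is not in the allowlist")
    if img.digest is None:
        findings.append("pinned by tag only; a mutable tag can be re-pointed to other content")
    return findings
```

Run against the reference from the report, `cr.step.sm/smallstep/step-ca:0.23.2`, it reports both an unlisted registry and a tag-only pin; a digest-pinned reference on an allowlisted host passes clean.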

rdxmb commented 1 year ago

Relates to: https://github.com/smallstep/certificates/issues/1393

hslatman commented 1 year ago

@rdxmb step.sm is owned by Smallstep, but there are some other parties involved that sit in the middle in terms of domain registration (e.g. registrar, reseller, etc.). That's why the domain registration may look different than what you would expect. The registry was there and operated by us. We had some issues with our step.sm domain because of something happening with one of the other parties involved. I don't know yet what the exact cause was, but step.sm is now correctly resolving again.

The registry at cr.smallstep.com should now work, though.

I'll need to check what's up with the cr.step.sm domain at the moment.

dopey commented 1 year ago

Hey @rdxmb, thanks for opening the issue!

The cr.step.sm domain should be working again. The TLD operator had an outage and we're still waiting to hear back with details about a postmortem. In the meantime, the helm-charts should be operational again. Please let us know if you see any other issues.

Cheers 🍻