The Tanzu Core CLI project provides the core functionality of the Tanzu CLI. The CLI is based on a plugin architecture where CLI command functionality can be delivered through independently developed plugin binaries.
Apache License 2.0
Fix cosign verification issue for the Authenticated registry #751
Before this change, when using the authenticated registry we were getting an error in a step where we do signature verification of the plugin-inventory image.
The issue was mainly because when we provide our own RegistryClientOpts to the cosign client, it overrides the default values assigned to the o.ROpt of an underlying client, which includes WithAuthFromKeychain(authn.DefaultKeychain).
So, as part of this PR we are adding that option manually only for the registries that require authentication. For other use cases, cosign will behave in the same way and use anonymous access to fetch images.
Which issue(s) this PR fixes
Fixes #
Describe testing done for PR
Before this change:
~ $ tz config set env.TANZU_CLI_AUTHENTICATED_REGISTRY tap-tanzu-cli-docker-virtual.usw1.packages.broadcom.com
~ $ tz plugin source list
NAME IMAGE
default projects.registry.vmware.com/tanzu_cli/plugins/plugin-inventory:latest
~ $ rm -rf ~/.cache/tanzu/plugin_inventory/
~ $ tz plugin source update default --uri tap-tanzu-cli-docker-virtual.usw1.packages.broadcom.com/tanzu_cli/plugins/plugin-inventory:latest
Some initialization of the CLI is required.
Let's set things up for you. This will just take a few seconds.
[i] Refreshing plugin inventory cache for "tap-tanzu-cli-docker-virtual.usw1.packages.broadcom.com/tanzu_cli/plugins/plugin-inventory:latest", this will take a few seconds.
[i] Reading plugin inventory for "tap-tanzu-cli-docker-virtual.usw1.packages.broadcom.com/tanzu_cli/plugins/plugin-inventory:latest", this will take a few seconds.
[!] Unable to verify the plugins discovery image signature: failed validating the signature of the image tap-tanzu-cli-docker-virtual.usw1.packages.broadcom.com/tanzu_cli/plugins/plugin-inventory:latest :GET https://tap-tanzu-cli-docker-virtual.usw1.packages.broadcom.com/artifactory/api/docker/tap-tanzu-cli-docker-virtual/v2/token?scope=repository%3Atanzu_cli%2Fplugins%2Fplugin-inventory%3Apull&service=tap-tanzu-cli-docker-virtual.usw1.packages.broadcom.com: : Authentication is required
[x] Fatal, plugins discovery image signature verification failed. The `tanzu` CLI can not ensure the integrity of the plugins to be installed. To ignore this validation please append "tap-tanzu-cli-docker-virtual.usw1.packages.broadcom.com/tanzu_cli/plugins/plugin-inventory:latest" to the comma-separated list in the environment variable "TANZU_CLI_PLUGIN_DISCOVERY_IMAGE_SIGNATURE_VERIFICATION_SKIP_LIST". This is NOT RECOMMENDED and could put your environment at risk!
After this change:
~ $ tz config set env.TANZU_CLI_AUTHENTICATED_REGISTRY tap-tanzu-cli-docker-virtual.usw1.packages.broadcom.com
~ $ tz plugin source list
NAME IMAGE
default projects.registry.vmware.com/tanzu_cli/plugins/plugin-inventory:latest
~ $ rm -rf ~/.cache/tanzu/plugin_inventory/
~ $ tz plugin source update default --uri tap-tanzu-cli-docker-virtual.usw1.packages.broadcom.com/tanzu_cli/plugins/plugin-inventory:latest
Some initialization of the CLI is required.
Let's set things up for you. This will just take a few seconds.
[i] Refreshing plugin inventory cache for "projects.registry.vmware.com/tanzu_cli/plugins/plugin-inventory:latest", this will take a few seconds.
[i] Reading plugin inventory for "projects.registry.vmware.com/tanzu_cli/plugins/plugin-inventory:latest", this will take a few seconds.
Initialization done!
==
[i] Refreshing plugin inventory cache for "tap-tanzu-cli-docker-virtual.usw1.packages.broadcom.com/tanzu_cli/plugins/plugin-inventory:latest", this will take a few seconds.
[ok] updated discovery source default
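To illustrate the option-override behaviour the PR description explains, here is an added Go example that is not part of tanzu-cli or cosign. It models registry client options with a plain string type (a hypothetical stand-in for go-containerregistry's remote.Option), reads the TANZU_CLI_AUTHENTICATED_REGISTRY variable shown on this page, and contrasts the pre-fix logic, where caller-supplied options replace the default keychain option wholesale, with the post-fix logic that re-adds keychain auth only for registries listed as authenticated. The names Option, defaultROpts, registryHost, isAuthenticatedRegistry, effectiveROptsBefore and effectiveROptsAfter, and the registry.example.test host, are assumptions made for this example; registryHost also applies Docker Hub's implicit-host rule, which goes beyond what the page discusses.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Option is a hypothetical stand-in for a remote registry client option
// (modelled on go-containerregistry's remote.Option, but not that type).
type Option string

const (
	// WithAuthFromKeychain stands in for remote.WithAuthFromKeychain(authn.DefaultKeychain),
	// the option the verifier applies by default when the caller supplies none.
	WithAuthFromKeychain Option = "WithAuthFromKeychain(DefaultKeychain)"
	// WithTransport stands in for a caller-supplied transport option.
	WithTransport Option = "WithTransport(customTransport)"
)

// defaultROpts models the defaults that are lost once a caller passes its own
// RegistryClientOpts (constructed for this example).
var defaultROpts = []Option{WithAuthFromKeychain}

// registryHost extracts the registry host from an image reference, applying the
// Docker convention that a first path component without '.' or ':' (and not
// "localhost") is a repository on docker.io rather than a host.
func registryHost(imageRef string) string {
	i := strings.Index(imageRef, "/")
	if i < 0 {
		return "docker.io"
	}
	first := imageRef[:i]
	if first != "localhost" && !strings.ContainsAny(first, ".:") {
		return "docker.io"
	}
	return first
}

// isAuthenticatedRegistry reports whether the image's host appears in the
// comma-separated TANZU_CLI_AUTHENTICATED_REGISTRY value.
func isAuthenticatedRegistry(imageRef, authenticatedRegistries string) bool {
	host := registryHost(imageRef)
	for _, r := range strings.Split(authenticatedRegistries, ",") {
		if strings.TrimSpace(r) == host {
			return true
		}
	}
	return false
}

func contains(opts []Option, want Option) bool {
	for _, o := range opts {
		if o == want {
			return true
		}
	}
	return false
}

// effectiveROptsBefore models the pre-fix behaviour: caller options replace the
// defaults wholesale, so keychain auth disappears as soon as any option is set.
func effectiveROptsBefore(callerOpts []Option) []Option {
	if len(callerOpts) == 0 {
		return defaultROpts
	}
	return callerOpts
}

// effectiveROptsAfter keeps the replacement semantics but appends keychain auth
// for images on a registry that requires authentication; other registries keep
// anonymous access, as the PR description states.
func effectiveROptsAfter(imageRef, authenticatedRegistries string, callerOpts []Option) []Option {
	opts := append([]Option{}, effectiveROptsBefore(callerOpts)...)
	if isAuthenticatedRegistry(imageRef, authenticatedRegistries) && !contains(opts, WithAuthFromKeychain) {
		opts = append(opts, WithAuthFromKeychain)
	}
	return opts
}

func main() {
	// Constructed sample reference; the real inventory images are shown on the page above.
	image := "registry.example.test/tanzu_cli/plugins/plugin-inventory:latest"
	authed := os.Getenv("TANZU_CLI_AUTHENTICATED_REGISTRY") // e.g. "registry.example.test"
	caller := []Option{WithTransport}
	fmt.Println("before fix:", effectiveROptsBefore(caller))
	fmt.Println("after fix: ", effectiveROptsAfter(image, authed, caller))
}
```

Run it with TANZU_CLI_AUTHENTICATED_REGISTRY=registry.example.test to see the keychain option reappear only in the "after fix" list; with the variable unset, both lists are identical, which is the anonymous-access path the description mentions.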