Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

When enabling trust portieris errors "no valid ImagePullSecret defined for image" #428

Open
mikednight opened this issue Feb 23, 2023 · 3 comments
Open

When enabling trust portieris errors "no valid ImagePullSecret defined for image" #428

mikednight opened this issue Feb 23, 2023 · 3 comments

Comments

@mikednight
Copy link

mikednight commented Feb 23, 2023
edited
Loading

What commit ID of Portieris did you experience the problem with?

e4b12c2

What went wrong?

When enabling trust on private repo and private notary portieris returns "no valid ImagePullSecret defined"

What should have happened differently?

Portieris should allow the image when trust, secret and repository are correctly configured

How can it be reproduced?

using jfrog for docker repo and private notary.

Any other relevant information

I am attempting to set up portieris with a private notary and jfrog. It works as expected, both allowing and denying images from the repository if trust is set.
However, when i attempt to enforce trust, the logs complain about imagePullSecret not being found. The same imagePullSecret is defined in both the deployment that portieris is using and the deployment that portieris is blocking. I tried both types of docker secrets, auth and uname/password and could not work around the issue.

Setup:

  • 2 separate namespaces, portieris and deployment
  • same secret in each namespace, mounted by portieris serviceaccount and directly in the deployment
  • clusterimagepolicy with trust set for private docker repo on jfrog and private notary
  • works as expected without setting trust

i've obfuscated our internal names for below
clusterimage policy example:

  - name: docker-hub-internal/*
    policy:
      mutateImage: false
      trust:
        enabled: true
        trustServer: https://signing.internal

log outputs:

I0223 22:18:29.702292       1 controller.go:64] Processing admission request for CREATE on deployment
I0223 22:18:29.703909       1 controller.go:176] Getting policy for container image: docker-hub-internal/image:latest   namespace: provision
E0223 22:18:30.171868       1 controller.go:253] secret regcred not defined for registry: docker-hub-internal
I0223 22:18:30.177669       1 enforcer.go:95] policy.Trust {0xc00079369a [] https://signing.internal}
I0223 22:18:30.564048       1 responder.go:93] trust: policy denied the request: Deny "docker-hub-internal/image:latest", no valid ImagePullSecret defined for docker-hub-internal/image:latest
I0223 22:18:30.564073       1 controller.go:125] Deny for images:  [docker-hub-internal/image:latest]
@mikednight mikednight changed the title When enabling trust portieis logs "no valid ImagePullSecret defined for $image" When enabling trust portieris erros "no valid ImagePullSecret defined for image" Feb 23, 2023
@mikednight mikednight changed the title When enabling trust portieris erros "no valid ImagePullSecret defined for image" When enabling trust portieris errors "no valid ImagePullSecret defined for image" Feb 23, 2023
@molepigeon
Copy link
Member

Hi there. Thanks for your report. This line from your log is interesting:

secret regcred not defined for registry: docker-hub-internal

That is the only line that looks like that, which means it's the only secret that Portieris is seeing as in scope (ie either in the serviceaccount or directly mentioned in the resource spec).

Is regcred the secret that contains credentials for your registry? If so, I'm curious what the server part of the secret is. If you get the secret and decode the base64 content of the dockerconfigjson key, you should get a json object with a mapping of server names to user/passwords. Please share only the server name from that json object.

What's happening under the covers is that Portieris derives the server name from the image name (in this case docker-hub-internal) and is looking for a username/password for that specific server. If it doesn't find one it'll post the above log message. So for some reason it's not matching the server name in the secret. Does the server name in the secret have a DNS suffix that isn't in the image, for example?

@mikednight
Copy link
Author

thanks for such quick feedback, i've double-checked everything here and it looks like it is correct. Obviously i have to remove some things for security reasons, but this is the config

k get secret regcred -o json | jq -r '.data.".dockerconfigjson"' | base64 -D | jq '.'
{
  "auths": {
    "https://docker-hub-internal": {
      "username": "username",
      "password": "password",
      "email": "test@email.com",
      "auth": "dXNlcm5hbWU6cGFzc3dvcmQK"
    }
  }
}

k get sa portieris -o yaml
apiVersion: v1
imagePullSecrets:
- name: regcred
kind: ServiceAccount
metadata:
  creationTimestamp: "2023-02-23T22:10:44Z"
  labels:
    app: portieris
    argocd.argoproj.io/instance: portieris
    chart: portieris-v0.13.2
    heritage: Helm
    release: portieris
  name: portieris
  namespace: security
  resourceVersion: "284384856"
  uid: 4811e8bc-ed77-4216-9062-48f8b3567595
secrets:
- name: portieris-token-r86fj

i've double checked that the secrets in both namespaces match, and likewise the deployment will rollout as expected if i don't have trust. I also tried removing "https" from the secret, but did not have an effect.

@pre
Copy link
Contributor

pre commented Mar 28, 2024

Possibly related

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@pre @molepigeon @mikednight