Namespaced Store did not work unless cluster-wide store was installed
What happened in your environment?
I am testing namespace multi-tenancy using a dev build. After I applied the resources constrainttemplate and constraints, I applied the namespaced resources KMP, Store and Verifier in namespace team-a. The resources were all in good status. However, when I ran an image signed with the key configured in KMP in namespace team-a, the following error showed:
Error from server: admission webhook "mutation.gatekeeper.sh" denied the request: failed to resolve external data placeholders: failed to retrieve external data item from provider ratify-mutation-provider: Error: config invalid, Code: CONFIG_INVALID, Component Type: referrerStore, Detail: referrer store config should have at least one store
To mitigate this, I need to set up a cluster-wide store resource.
What did you expect to happen?
Namespaced Store resources should not depend on cluster-wide store resource.
What version of Kubernetes are you running?
AKS
What version of Ratify are you running?
0-dev (dev.20240505.6163b7e)
Anything else you would like to add?
No response
Are you willing to submit PRs to contribute to this bug fix?
- Yes, I am willing to implement it.
Thanks for reporting the issue! It happened at the mutation stage since the mutation request only contains the image without the namespace. This would be a limitation on Ratify to support multi-tenancy. We would require users to always have a cluster-wide oras store to resolve the image tag to a digest if mutation is enabled. I also created a feature request in GK: open-policy-agent/gatekeeper#3376