rht-labs/tech-exercise

๐Ÿ› [bug] - Image signing/Jenkins fails with unknown cert signer issue

Closed this issue · 11 comments

๐Ÿ“ Description

Image signing/Jenkins fails with unknown cert signer issue

🚶 Steps to reproduce

https://rht-labs.com/tech-exercise/#/3-revenge-of-the-automated-testing/8a-jenkins, the Jenkins pipeline fails at `oc registry login` / `cosign sign -key k8s://${TEAM_NAME}-ci-cd/${TEAM_NAME}-cosign $(oc registry info)/${DESTINATION_NAMESPACE}/${APP_NAME}:${VERSION}`:

sh: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
+ oc registry login
info: Using internal registry hostname image-registry.openshift-image-registry.svc:5000
Saved credentials for image-registry.openshift-image-registry.svc:5000
++ oc registry info
+ cosign sign -key k8s://fulanitos-ci-cd/fulanitos-cosign image-registry.openshift-image-registry.svc:5000/fulanitos-test/pet-battle:1.3.1
error: signing image-registry.openshift-image-registry.svc:5000/fulanitos-test/pet-battle:1.3.1: getting remote image: Get "https://image-registry.openshift-image-registry.svc:5000/v2/": x509: certificate signed by unknown authority
script returned exit code 1

The Tekton process looks pretty similar, so skipping that one for speed.

Looks like the registry was not exposed in this cluster deployment.

oc patch config.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge

and the external login needed adjustment. PTAL and try again @alexpdp7

OK, the Jenkins step fails with:

$ cosign verify -key cosign.pub default-route-openshift-image-registry.apps.tl500-1.ls-eu.ole.redhat.com/fulanitos-test/pet-battle:1.3.1
error: no matching signatures:
failed to verify signature

even though I think the image is signed:

image

and my key is there:

$ cat cosign.pub
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOZRDial+hwif1Ch4AVJgVrzx1oeD
HqObdnYieO/PMWue5SUz97Tn67AB8VganEKlc1BNL9US+7RSo7omO/lchA==
-----END PUBLIC KEY-----

Checking the Tekton version now.
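A diagnostic check the thread does not contain, added here as an example and not code from the tech-exercise repo: before verifying with a local cosign.pub, confirm it is the same key as the cosign.pub entry of the ${TEAM_NAME}-cosign secret the pipeline signs with. It assumes the secret layout that `cosign generate-key-pair k8s://...` creates (cosign.key, cosign.password, cosign.pub), uses only the Python standard library so it runs without oc or cosign, and embeds the public key pasted above in the thread.

```python
"""Compare a local cosign.pub with the public key held in the cluster secret.

Assumption: the cluster copy was exported beforehand, e.g.
  oc get secret ${TEAM_NAME}-cosign -n ${TEAM_NAME}-ci-cd \
     -o jsonpath='{.data.cosign\\.pub}' | base64 -d > cluster.pub
"""
import base64
import hashlib
import re

# SubjectPublicKeyInfo header for an uncompressed prime256v1 (P-256) key,
# the key type cosign generate-key-pair produces.
P256_SPKI_PREFIX = bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d030107034200"
)

# The public key quoted in the thread above (alexpdp7's cosign.pub).
THREAD_PUB_KEY = """-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOZRDial+hwif1Ch4AVJgVrzx1oeD
HqObdnYieO/PMWue5SUz97Tn67AB8VganEKlc1BNL9US+7RSo7omO/lchA==
-----END PUBLIC KEY-----
"""

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and whitespace and return the raw DER bytes."""
    body = re.sub(r"-----(BEGIN|END) PUBLIC KEY-----", "", pem)
    return base64.b64decode("".join(body.split()), validate=True)

def der_to_pem(der: bytes) -> str:
    """Re-armour DER as PEM with 64-character lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"

def p256_point(der: bytes) -> bytes:
    """Return the 65-byte uncompressed EC point, or raise if this is not a P-256 SPKI."""
    if not der.startswith(P256_SPKI_PREFIX) or len(der) != len(P256_SPKI_PREFIX) + 65:
        raise ValueError("not an uncompressed P-256 SubjectPublicKeyInfo")
    point = der[len(P256_SPKI_PREFIX):]
    if point[0] != 0x04:
        raise ValueError("EC point is not in uncompressed form")
    return point

def fingerprint(pem: str) -> str:
    """SHA-256 of the DER SPKI as hex: a short handle to compare keys by eye."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()

def same_key(local_pem: str, cluster_pem: str) -> bool:
    """True when both PEMs carry the same P-256 point (armour and whitespace ignored)."""
    return p256_point(pem_to_der(local_pem)) == p256_point(pem_to_der(cluster_pem))
```

If `same_key` is False, `cosign verify --key cosign.pub` cannot succeed regardless of the signature, so compare fingerprints before looking at the registry or the signature itself.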

Ahh good catch Alex, we need to update the verify step. It should work when you run the following command. Can you please verify it?

cosign verify --key k8s://${TEAM_NAME}-ci-cd/${TEAM_NAME}-cosign default-route-openshift-image-registry.apps.tl500-1.ls-eu.ole.redhat.com/fulanitos-test/pet-battle:1.3.1

@ckavili that works, yes

The Tekton version works. Leaving this open in case:

#73 (comment)

needs further action.

documentation updated - e9103f3

Looks like the registry was not exposed in this cluster deployment.

oc patch config.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge

and the external login needed adjustment. PTAL and try again @alexpdp7

@jfilipcz @eformat should we include this in the Lodestar deployment or add it to enablement-framework?

@ckavili @jfilipcz - added this into enablement framework repo. PTAL

rht-labs/enablement-framework#75

merged :)

Cool, closing this for now .. LGTM