Trivy operator flag insecure not working - failed to verify certificate: x509 #2212
Labels
kind/bug
Categorizes issue or PR as related to a bug.
Comments
|
I have the same error, but I am testing with the main branch because I saw a commit that fixes the behavior of the insecure flag, can you help @chen-keinan ? |
5 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What steps did you take and what happened:
Im using trivy operator behind a proxy that has its own certificate and needs to run with the insecure flag in order to download the policy bundles ignoring the ssl check. I tried the flag policiesBundle.insecure: "true" and it is not working.
Also, the trivy operator is not generating any vulnerability report:
However, trivy operator pod and trivy server are both running and the trivy server succesfully downloads the db
What did you expect to happen:
I expected to ignore the ssl check when downloading the policy bundles and create a vulnerability report for each pod but instead it didn't.
Anything else you would like to add:
Environment variables from trivy-operator pod:
BB_ASH_VERSION='1.36.1'
CONTROLLER_CACHE_SYNC_TIMEOUT='5m'
FUNCNAME=''
HISTFILE='/home/trivyoperator/.ash_history'
HOME='/home/trivyoperator'
HOSTNAME='trivy-operator-67dddb6db-765tx'
HTTPS_PROXY='http://obfuscated:obfuscated'
HTTP_PROXY='http://obfuscated:obfuscated'
IFS='
'
KUBERNETES_PORT='tcp://10.43.0.1:443'
KUBERNETES_PORT_443_TCP='tcp://10.43.0.1:443'
KUBERNETES_PORT_443_TCP_ADDR='10.43.0.1'
KUBERNETES_PORT_443_TCP_PORT='443'
KUBERNETES_PORT_443_TCP_PROTO='tcp'
KUBERNETES_SERVICE_HOST='10.43.0.1'
KUBERNETES_SERVICE_PORT='443'
KUBERNETES_SERVICE_PORT_HTTPS='443'
LINENO=''
NO_PROXY='obfuscated'
OLDPWD='/'
OPERATOR_ACCESS_GLOBAL_SECRETS_SERVICE_ACCOUNTS='true'
OPERATOR_BATCH_DELETE_DELAY='10s'
OPERATOR_BATCH_DELETE_LIMIT='10'
OPERATOR_BUILT_IN_TRIVY_SERVER='true'
OPERATOR_CACHE_REPORT_TTL='120h'
OPERATOR_CLUSTER_COMPLIANCE_ENABLED='true'
OPERATOR_CLUSTER_SBOM_CACHE_ENABLED='false'
OPERATOR_CONCURRENT_NODE_COLLECTOR_LIMIT='1'
OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT='10'
OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED='true'
OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS='true'
OPERATOR_EXCLUDE_NAMESPACES=''
OPERATOR_EXPOSED_SECRET_SCANNER_ENABLED='true'
OPERATOR_HEALTH_PROBE_BIND_ADDRESS=':9090'
OPERATOR_INFRA_ASSESSMENT_SCANNER_ENABLED='true'
OPERATOR_LOG_DEV_MODE='false'
OPERATOR_MERGE_RBAC_FINDING_WITH_CONFIG_AUDIT='false'
OPERATOR_METRICS_BIND_ADDRESS=':8080'
OPERATOR_METRICS_CLUSTER_COMPLIANCE_INFO_ENABLED='false'
OPERATOR_METRICS_CONFIG_AUDIT_INFO_ENABLED='false'
OPERATOR_METRICS_EXPOSED_SECRET_INFO_ENABLED='false'
OPERATOR_METRICS_FINDINGS_ENABLED='true'
OPERATOR_METRICS_IMAGE_INFO_ENABLED='false'
OPERATOR_METRICS_INFRA_ASSESSMENT_INFO_ENABLED='false'
OPERATOR_METRICS_RBAC_ASSESSMENT_INFO_ENABLED='false'
OPERATOR_METRICS_VULN_ID_ENABLED='false'
OPERATOR_NAMESPACE='trivy-system'
OPERATOR_PRIVATE_REGISTRY_SCAN_SECRETS_NAMES='{}'
OPERATOR_RBAC_ASSESSMENT_SCANNER_ENABLED='true'
OPERATOR_SBOM_GENERATION_ENABLED='true'
OPERATOR_SCANNER_REPORT_TTL='1h'
OPERATOR_SCAN_JOB_RETRY_AFTER='30s'
OPERATOR_SCAN_JOB_TIMEOUT='5m'
OPERATOR_SCAN_JOB_TTL=''
OPERATOR_SEND_DELETED_REPORTS='false'
OPERATOR_SERVICE_ACCOUNT='trivy-operator'
OPERATOR_TARGET_NAMESPACES=''
OPERATOR_TARGET_WORKLOADS='pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job'
OPERATOR_VULNERABILITY_SCANNER_ENABLED='true'
OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS='true'
OPERATOR_WEBHOOK_BROADCAST_CUSTOM_HEADERS=''
OPERATOR_WEBHOOK_BROADCAST_TIMEOUT='30s'
OPERATOR_WEBHOOK_BROADCAST_URL=''
OPTIND='1'
PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
PPID='0'
PS1='\w $ '
PS2='> '
PS4='+ '
PWD='/home/trivyoperator'
SHLVL='1'
TERM='xterm'
TRIVY_SERVER_HEALTH_CHECK_CACHE_EXPIRATION='10h'
TRIVY_SERVICE_PORT='tcp://10.43.109.224:4954'
TRIVY_SERVICE_PORT_4954_TCP='tcp://10.43.109.224:4954'
TRIVY_SERVICE_PORT_4954_TCP_ADDR='10.43.109.224'
TRIVY_SERVICE_PORT_4954_TCP_PORT='4954'
TRIVY_SERVICE_PORT_4954_TCP_PROTO='tcp'
TRIVY_SERVICE_SERVICE_HOST='10.43.109.224'
TRIVY_SERVICE_SERVICE_PORT='4954'
TRIVY_SERVICE_SERVICE_PORT_TRIVY_HTTP='4954'
Logs:
{"level":"error","ts":"2024-08-01T18:53:34Z","logger":"policyLoader.Get misconfig bundle policies","msg":"failed to load policies","error":"failed to download policies: failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* Get "https://ghcr.io/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority\n\n","stacktrace":"github.com/aquasecurity/trivy-operator/pkg/policy.(*policyLoader).GetPoliciesAndBundlePath\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/policy/loader.go:63\ngithub.com/aquasecurity/trivy-operator/pkg/configauditreport/controller.(*NodeReconciler).SetupWithManager.(*NodeReconciler).reconcileNodes.func5\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/configauditreport/controller/node.go:169\nsigs.k8s.io/controller-runtime/pkg/reconcile.Func.Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/reconcile/reconcile.go:113\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:114\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:311\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:261\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:222"}
{"level":"error","ts":"2024-08-01T18:53:34Z","msg":"Reconciler error","controller":"node","controllerGroup":"","controllerKind":"Node","Node":{"name":"rhel1"},"namespace":"","name":"rhel1","reconcileID":"176498a2-1a4d-4767-a975-a44f49779732","error":"creating job: no compliance commands found","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:324\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:261\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:222"}
Environment:
trivy-operator version): 0.22.0kubectl version): -The text was updated successfully, but these errors were encountered: