Unauthorized error with registry even after configuring secret for cosign validator

[mathuvenkat]

Hi
I'm getting unauthorized error when I configure connaisseur for a particular namespace. The same secret is used by the deployment and that works, but connaisseur fails. Any ideas on what configuration has to be done ?

I created the secret using k apply -f secret.yaml, the secret is
quay-secret kubernetes.io/dockerconfigjson 1 154m

configured in validator using this

policy:
- pattern: quay.io/xxx/xxx:*
   validator: cosignvalidator
   with:
       threshold: 1
       trust_root: pubkey
validators:
    - name: cosignvalidator
      trust_roots:
      - auth:
          secret_name: quay-secret
        key: |
          -----BEGIN PUBLIC KEY-----
          -----END PUBLIC KEY-----
        name: pubkey
      type: cosign

Version used - installed using helm operator
securesystemsengineering/connaisseur:v2.6.0

'Unexpected Cosign exception for image "quay.io/xxx/xxx:master-fcf1d0b": Error: GET https://quay.io/v2/xxx/xxx/manifests/master-fcf1d0b: UNAUTHORIZED: access to the requested resource is not authorized; map[]\nmain.go:52: error during command execution: GET https://quay.io/v2/xxx/xxx/manifests/master-fcf1d0b: UNAUTHORIZED: access to the requested resource is not authorized; map[]\n.', 'context': {'trust_data_type': 'dev.cosignproject.cosign/signature', 'stderr': 'Error: GET https://quay.io/v2/xxx/xxx/manifests/master-fcf1d0b: UNAUTHORIZED: access to the requested resource is not authorized; map[]\nmain.go:52: error during command execution: GET https://quay.io/v2/xxx/xxx/manifests/master-fcf1d0b: UNAUTHORIZED: access to the requested resource is not authorized; map[]\n', 'image': 'quay.io/xxx/xxx:master-fcf1d0b', 'trust_root': 'pubkey', 'detection_mode': True}}

I'm not able to exec into the container using below command but was able to get the above logs from below container
k exec -it connaisseur-deployment-7f697f99d-d26xq -n connaisseur /bin/bash
but I do see the secret configured in the namespace , any other debugging tips to get past this

 % k get secrets -n connaisseur | grep "quay"
quay-secret                              kubernetes.io/dockerconfigjson        1      163m

[mathuvenkat]

Sorry, found the issue. The auth.secrets is a property under validators, but indent was incorrect and it was under trusted_roots. It works with that fix. It would be useful to point to the validator py file that we can run the yaml through for static validations and if that can catch these errors

        name: cosignvalidator
        type: cosign
        trust_roots:
          -
            key: |
                -----BEGIN PUBLIC KEY-----
                -----END PUBLIC KEY-----
            name: pubkey
        auth:
          secret_name: quay-secret

[xopham]

we were also considering to add helm json schema for finding configuration bugs. It has just been a bit complicated to get it to work and up-to-date

[xopham]

but happy to hear the issue was fixed 🙂