This repository was archived by the owner on Mar 16, 2024. It is now read-only.

Not able to deploy images from private registry with imageAllowRules. #1412

@sangee2004

acorn version - acorn version v0.6.0-93-gd9de8c30+d9de8c30

Steps to reproduce the problem:

Created ImageAllowRule for project testp2.

apiVersion: api.acorn.io/v1
kind: ImageAllowRules
metadata:
  name: rule1
  namespace: testp2
signatures:
  rules:
    - signedBy:
        allOf:
          - |
            -----BEGIN PUBLIC KEY-----
              <key>
            -----END PUBLIC KEY-----
      annotations:
        match:
          qatag: ok

Signed and annotated the image - test1:V0.0.1

cosign sign --key santest2.key -a qatag=ok registry-myreg-d935ce13.a-sangee2004-mytestnew-27b4c9fb-paul1.stg-on-acorn.io/test1:v0.0.1 
...
...

Pushing signature to: registry-myreg-d935ce13.a-sangee2004-mytestnew-27b4c9fb-paul1.stg-on-acorn.io/test1

Deploying app with this image fails:

sangeethahariharan@Sangeethas-MBP imagecosign % acorn project use testp2
sangeethahariharan@Sangeethas-MBP imagecosign % acorn credentials
SERVER                                                                          USERNAME     LOCAL
registry-myreg-d935ce13.a-sangee2004-mytestnew-27b4c9fb-paul1.stg-on-acorn.io   t82l8g4v     
sangeethahariharan@Sangeethas-MBP imagecosign % acorn run -n mytest1 registry-myreg-d935ce13.a-sangee2004-mytestnew-27b4c9fb-paul1.stg-on-acorn.io/test1:v0.0.1
  ✗  ERROR:  App.api.acorn.io "mytest1" is invalid: spec.image: Invalid value: "registry-myreg-d935ce13.a-sangee2004-mytestnew-27b4c9fb-paul1.stg-on-acorn.io/test1:v0.0.1": disallowed by imageAllowRules: error verifying image registry-myreg-d935ce13.a-sangee2004-mytestnew-27b4c9fb-paul1.stg-on-acorn.io/test1:v0.0.1 against testp2/rule1.signatures.allOf.0: failed to get signature digest: GET https://registry-myreg-d935ce13.a-sangee2004-mytestnew-27b4c9fb-paul1.stg-on-acorn.io/v2/test1/manifests/sha256-07b027e660d98db7636eedb3fc12506485db55f0f1a09f1395f1483264e8ac39.sig: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:test1 Type:repository]]
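
A triage helper for the error above, added here as an example (it is not code from the report or from acorn). It derives the tag cosign stores a signature under from the image digest, then parses a registry error to show that the denied request was the pull of that `.sig` tag in the same repository. The sample message is constructed from the report with the registry host shortened to a placeholder; the function and type names are hypothetical.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample: the error from the report, registry host replaced by a placeholder.
const sampleErr = `failed to get signature digest: GET https://registry.example.test/v2/test1/manifests/sha256-07b027e660d98db7636eedb3fc12506485db55f0f1a09f1395f1483264e8ac39.sig: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:test1 Type:repository]]`

var getRe = regexp.MustCompile(`GET (https://\S+/manifests/[\w.:-]+)`)

// SignatureTag maps an image digest to the tag cosign stores its signature under.
func SignatureTag(digest string) (string, error) {
	algo, hex, ok := strings.Cut(digest, ":")
	if !ok || algo != "sha256" || len(hex) != 64 {
		return "", fmt.Errorf("unsupported digest %q", digest)
	}
	return algo + "-" + hex + ".sig", nil
}

// Failure describes which manifest the verifier was refused.
type Failure struct {
	Host, Repo, Ref string
	SignatureFetch  bool // denied request was for the .sig tag, not the image itself
	Unauthenticated bool // registry demanded credentials for the pull
}

// ParseFailure extracts the denied manifest request from a registry error string.
func ParseFailure(msg string) (Failure, error) {
	m := getRe.FindStringSubmatch(msg)
	if m == nil {
		return Failure{}, fmt.Errorf("no manifest GET in message")
	}
	// The capture may end with the ':' that separates the URL from the error text.
	u, err := url.Parse(strings.TrimSuffix(m[1], ":"))
	i := strings.LastIndex(m[1], "/manifests/")
	if err != nil || !strings.HasPrefix(u.Path, "/v2/") || i < 0 {
		return Failure{}, fmt.Errorf("not a registry v2 manifest URL: %s", m[1])
	}
	j := strings.LastIndex(u.Path, "/manifests/")
	ref := u.Path[j+len("/manifests/"):]
	return Failure{Host: u.Host, Repo: u.Path[len("/v2/"):j], Ref: ref,
		SignatureFetch:  strings.HasPrefix(ref, "sha256-") && strings.HasSuffix(ref, ".sig"),
		Unauthenticated: strings.Contains(msg, "UNAUTHORIZED")}, nil
}

func main() { fmt.Println(ParseFailure(sampleErr)) }
```

When `SignatureFetch` and `Unauthenticated` are both true, the component doing the verification needs pull credentials for the repository that holds the signature, not only for the image tag being deployed.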

Labels: kind/bug (Something isn't working)