-
Notifications
You must be signed in to change notification settings - Fork 55
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
same certificateStore name in different namespace #1061
Comments
Immediate action item: Update doc to state namespace is not supported |
Currently ratify CRD controller will process CR regardless of namespace. In th certStore example, if CR "myAkv" exist in both namespaces, Verifier would consume which ever is defined last. Options:
|
for 1, what if i have one verifier cr that wants cluster wide shared? |
For backward compatibility we have 3 options when certStore namespace is not provided in the verifier CR. Idea 1: look in the ratify installed namespace If customer uses the ratify charts as basis for their installation step, their custom verifier is likely to be in the ratify installed namespace. Ratify maybe installed in the gatekeeper namespace, but it makes sense for customer to install verifier and certStore in a different namespace. ( Future multi tenant scenario) Idea 2: look in the default namespace If customer verifier was installed in a separate namespace to Ratify, it is our best guess it is in the non default namespace. It is difficult for us to guess which namespace CRs are installed in, the customer will have to update the CR to include namespace of the certSTore. ( this would be considered a breaking change RC8 -> GA ? ) Note: Installing ratify CR in a different namespace to ratify may also be a confusing experience. Idea 3: Look for certStore in the verifier namespace. I personally prefer Idea 3, but still need to confirm the feasibility. let me know what you think @binbin-li , @fseldow , @yizha1 |
@susanshi thanks for the investigation. I think it makes sense to assume verifier and certStore are defined in the same namespace. Does that mean in Ratify controllers we would need to keep a mapping from namesapce to verifier/certStore? |
about idea 3 i have oen question. Currenlty, verifier is not one namespaced resource. Will we make the verifier change first? |
thanks for the discussion @binbin-li and @fseldow. Verifier doesn't have include namespace in the ymal spec, however the CR it self will need to be applied to a specific k8 namespace, is that correct? We will need to add namespace information to Verifier and pipe that through to trust store, so that at the time of GetCertficiate, we have the information needed to find the certStore.
Timeline considerations: |
What happened in your environment?
crd certificateStore is namespaced resource, which means it could exist multiple certificateStore with the same name. However, in verifier crd, the
verificationCertStores/certs
does not support to input namespace.My repro:
curl -L https://raw.githubusercontent.com/deislabs/ratify/main/helmfile.yaml | helmfile sync -f -
kubectl run demo --image=ghcr.io/deislabs/ratify/notary-image:signed
it will reports failed. error:signature is not produced by a trusted signer
error while loading the trust store, unable to fetch certificates for namedStore: certs
What did you expect to happen?
No response
What version of Kubernetes are you running?
1.26.4
What version of Ratify are you running?
v1.0.0-rc.7
Anything else you would like to add?
No response
Are you willing to submit PRs to contribute to this bug fix?
The text was updated successfully, but these errors were encountered: