Ratify(latest:v1.0.0-rc.5) installed with helm even with --set cosignEnabled=true fails to load cosign plugin #915

Closed
1 task done
suganyas opened this issue Jul 4, 2023 · 5 comments
Labels: bug (Something isn't working)

Contributor

suganyas commented Jul 4, 2023

What happened in your environment?

Ratify was installed with Helm using `helm install ratify ratify/ratify --atomic --namespace gatekeeper-system --set cosign.enabled=true --set-file cosign.key=cosign.pub --set-file dockerConfig=docker.json`.

It installed fine:

```
helm install ratify ratify/ratify --atomic \
    --namespace gatekeeper-system \
    --set cosign.enabled=true --set-file cosign.key=cosign.pub --set-file dockerConfig=docker.json
NAME: ratify
LAST DEPLOYED: Tue Jul  4 15:40:25 2023
NAMESPACE: gatekeeper-system
STATUS: deployed
REVISION: 1
```
When trying to deploy a pod, with Gatekeeper doing admission control using the Ratify external data provider, Ratify fails validation because it fails to load the cosign plugin:

```
time="2023-07-04T05:41:36Z" level=info msg="Resolve of the image completed successfully the digest is sha256:d2b2f2980e9ccc570e5726b56b54580f23a018b7b7314c9eaff7e5e479c78657"
{
  "isSuccess": false,
  "verifierReports": [
    {
      "isSuccess": false,
      "name": "cosign",
      "message": "an error thrown by the verifier: failed to find plugin \"cosign\" in paths [/.ratify/plugins]",
      "artifactType": "application/vnd.dev.cosign.artifact.sig.v1+json"
    }
  ]
}
```

The Ratify logs do say that it loaded the verifier, though:

```
time="2023-07-04T05:30:24Z" level=info msg="Address was empty, setting to default path: /.ratify/plugins"
time="2023-07-04T05:30:24Z" level=info msg="verifier 'cosign' added to verifier map"
```

What did you expect to happen?

Ratify should load the plugin fine and verify the signature of the container image being deployed.

What version of Kubernetes are you running?

1.25.6

What version of Ratify are you running?

v1.0.0-rc.5

Anything else you would like to add?

No response

Are you willing to submit PRs to contribute to this bug fix?

  • Yes, I am willing to implement it.
suganyas added the bug label Jul 4, 2023
Collaborator

susanshi commented Jul 4, 2023

We updated the build step to optionally build the plugin, see PR 860.
As the immediate fix, we need to update our publish workflow to build the Ratify image with the plugin. We also need to think about whether we need to provide a flag in the Helm chart for users to specify which image at install.

Collaborator

susanshi commented Jul 4, 2023

Thanks for reporting this issue; this also reveals a gap in our test coverage. Please see PR #916, "fix: publish ratify image with plugin" (deislabs/ratify), for the fix. As a workaround, if you build a local image with the flags enabled, you should be unblocked.

Collaborator

susanshi commented Jul 6, 2023

This has been resolved in the RC6 release; please let us know if you are unblocked. Thanks!

Collaborator

yizha1 commented Jul 11, 2023

@suganyas Could you verify whether this issue is fixed in the RC6 release? Thanks.

@akashsinghal
Collaborator

Closing for now as the previous release fixed this. Please open again if you still see issues.
