[cosigned] Read-only filesystem when deploying cosigned with Helm chart
oliviergaumond opened this issue · comments
Olivier Gaumond commented
Description
When deploying cosigned with the current version of the Helm chart (0.1.13), the filesystem is read-only and no volumes are mounted. Therefore, errors are generated at run-time when the webhook tries to download artifacts and store them in a local cache.
Sample error output
http: panic serving 192.168.172.222:43852: creating root cert pool: retrieving trusted root; local cache may be corrupt: creating cached local store: mkdir /.sigstore: read-only file system\n
http: panic serving 192.168.172.222:44176: initializing tuf: updating local metadata and targets: creating targets dir: mkdir /.sigstore: read-only file system
level=info msg=\"Could not save cache\" error=\"open /.ecr/.config.json.tmp1353667686: no such file or directory
Expected behavior
The Helm chart should mount emptyDir volumes to allow writing to the local cache folders:
- /.sigstore
- /.ecr
Note: the /.ecr folder is specific to retrieving images from ECR; we should check if other repositories need different directories.
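A Deployment fragment illustrating the behaviour requested above, added here as an example and not taken from the cosigned Helm chart: the root filesystem stays read-only and only the two cache paths named in the errors become writable. The resource name, labels, image reference and size limits are assumptions.

```yaml
# Added example, not the chart's own template.
# Name, labels, image and size limits are placeholders/assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cosigned-webhook-example            # placeholder
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cosigned-webhook-example         # placeholder
  template:
    metadata:
      labels:
        app: cosigned-webhook-example
    spec:
      containers:
        - name: webhook
          image: registry.example.com/cosigned:PLACEHOLDER   # placeholder
          securityContext:
            # Keep the root filesystem immutable; the mounts below are
            # the only writable locations in the container.
            readOnlyRootFilesystem: true
          volumeMounts:
            - name: sigstore-cache
              mountPath: /.sigstore         # from "mkdir /.sigstore: read-only file system"
            - name: ecr-cache
              mountPath: /.ecr              # from "open /.ecr/.config.json.tmp..."
      volumes:
        # emptyDir is created per pod and removed with it, so the caches
        # are rebuilt after every restart.
        - name: sigstore-cache
          emptyDir:
            sizeLimit: 64Mi                 # assumed cap
        - name: ecr-cache
          emptyDir:
            sizeLimit: 16Mi                 # assumed cap
```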
Hector Fernandez commented
I am closing this issue, it is no longer affecting us. Please, feel free to re-open it.