sigstore / helm-charts

Helm charts for sigstore project


[error retrieving webhook] Error occurred in cosigned-webhook-pods

shawnho1018 opened this issue · comments


  • GKE v1.21.10
  • Helm CLI: v3.6.2
  • cosigned helm chart version v1.8.0

  1. Deploy GKE standard cluster v1.21.10-gke.2000
  2. Deploy Cosigned's helm chart with the following script:

kubectl create namespace cosign-system

kubectl create secret generic mysecret -n cosign-system \
--from-file=cosign.key=./cosign.key \

helm install cosigned -n cosign-system sigstore/cosigned --devel \

  3. Running logs command to check cosigned-webhook and we'll see repeated errors below.

kubectl logs -n cosign-system cosigned-webhook-6c68bfb587-6c7hb

{"level":"error","ts":"2022-05-08T17:18:08.942Z","logger":"cosigned.DefaultingWebhook","caller":"controller/controller.go:566","msg":"Reconcile error","commit":"9ef6b20","":"00a8cb0b-180f-45a6-847c-6421a9eaa7b8","":"cosign-system/webhook-certs","duration":0.000132104,"error":"error retrieving webhook: \"\\\"\\\"\" not found","stacktrace":"*Impl).handleErr\n\\*Impl).processNextWorkItem\n\\*Impl).RunContext.func3\n\"}
{"level":"error","ts":"2022-05-08T17:18:08.944Z","logger":"cosigned.ValidationWebhook","caller":"controller/controller.go:566","msg":"Reconcile error","commit":"9ef6b20","":"76a39714-c3f6-4491-a99f-5548e0a50d38","":"cosign-system/webhook-certs","duration":0.000152002,"error":"error retrieving webhook: \"\\\"\\\"\" not found","stacktrace":"*Impl).handleErr\n\\*Impl).processNextWorkItem\n\\*Impl).RunContext.func3\n\"}

I tested under this error: even though I enabled the cosign policy in my namespace, it is not working as expected. Any comment is highly appreciated.

@hectorj2f thanks for taking the issue. My colleague and I worked together and found the possible root cause. Once we removed the quote mark in the arg:

          - podAffinityTerm:
                  control-plane: cosigned-webhook
            weight: 100
      - args:
        - -secret-name=mysecret

The pod could start correctly. Just a quick update for this issue.

@shawnho1018 Question: Does the policy webhook work too? It also contains double quotes for the names.

Policy webhook worked. However, I checked its template, but I don't see that this YAML file contains any quotes.
If you check deployment-webhook.yaml, you would find the quote in this line:

        - --webhook-name={{ required "A valid cosign.webhookName is required" .Values.cosign.webhookName | quote }}
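
A check for the quoting problem discussed in this thread, as an added example that is not part of the issue or of the chart: it scans rendered manifest text for container args where a quote sits inside an unquoted YAML list item, so the quote characters reach the process as part of the value. The sample manifest and the name example-webhook-name are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint rendered manifests (e.g. `helm template` output) for
# container args whose value carries literal double quotes.

# Constructed sample of rendered output; not the chart's real output.
sample_rendered() {
cat <<'EOF'
    spec:
      containers:
      - args:
        - -secret-name=mysecret
        - --webhook-name="example-webhook-name"
        name: webhook
EOF
}

# Same constructed sample with the quote filter removed from the template.
sample_fixed() {
  sample_rendered | sed 's/"//g'
}

# Print list items of the form `- --flag="value"`. The scalar starts with
# '-', so YAML reads it as a plain scalar and keeps the quotes verbatim.
find_quoted_args() {
  grep -nE '^[[:space:]]*-[[:space:]]+--?[A-Za-z][A-Za-z0-9-]*=".*"[[:space:]]*$'
}

# Print the value the container receives for flag $1 (manifest on stdin).
arg_value() {
  sed -nE "s/^[[:space:]]*-[[:space:]]+--?$1=(.*)$/\1/p"
}

# Demo: show the offending line and the value passed to the binary.
sample_rendered | find_quoted_args || true
printf 'argv value: %s\n' "$(sample_rendered | arg_value webhook-name)"
```

Pipe real output through it with `helm template <release> <chart> | find_quoted_args`; any hit means the flag value includes the quote characters themselves.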