sigstore / policy-controller

Sigstore Policy Controller - an admission controller that can be used to enforce policy on a Kubernetes cluster based on verifiable supply-chain metadata from cosign

Not able to deploy policy controller in Disable TUF mode

Mukuls77 opened this issue · comments

Description
I want to use the --disable-tuf extra argument flag, as introduced before, to fix the issues mentioned in
#354
sigstore/helm-charts#405

so I used the helm install command as below:
helm install policy-controller -n cosign-system --set extraArgs.disable-tuf=true sigstore/policy-controller --devel

policy-controller-policy-webhook-5985d96f75-m6z2m 1/1 Running 1 (4m58s ago) 9m21s
policy-controller-webhook-69dc7d6b4b-4wh84 0/1 Running 2 (2m17s ago) 9m21s

but still the webhook process is not coming up.

Please suggest the command to be used for enabling the "disable-tuf" option.

/home/mukul/Desktop>kubectl logs -n cosign-system policy-controller-webhook-69dc7d6b4b-4wh84
{"level":"info","ts":1683623042.9509282,"logger":"fallback","caller":"webhook/main.go:94","msg":"Initializing TUF root from => https://sigstore-tuf-root.storage.googleapis.com/"}
{"level":"panic","ts":1683623076.5629852,"logger":"fallback","caller":"webhook/main.go:96","msg":"Failed to initialize TUF client from : updating local metadata and targets: error updating to TUF remote mirror: tuf: failed to download 8.root.json: Get \"https://sigstore-tuf-root.storage.googleapis.com/8.root.json\": dial tcp 142.250.194.16:443: i/o timeout\nremote status:{\n\t\"mirror\": \"https://sigstore-tuf-root.storage.googleapis.com/\",\n\t\"metadata\": {\n\t\t\"root.json\": {\n\t\t\t\"version\": 7,\n\t\t\t\"len\": 5404,\n\t\t\t\"expiration\": \"04 Oct 23 13:08 UTC\",\n\t\t\t\"error\": \"\"\n\t\t},\n\t\t\"snapshot.json\": {\n\t\t\t\"version\": 84,\n\t\t\t\"len\": 2301,\n\t\t\t\"expiration\": \"22 May 23 00:07 UTC\",\n\t\t\t\"error\": \"\"\n\t\t},\n\t\t\"targets.json\": {\n\t\t\t\"version\": 7,\n\t\t\t\"len\": 5252,\n\t\t\t\"expiration\": \"04 Oct 23 13:26 UTC\",\n\t\t\t\"error\": \"\"\n\t\t},\n\t\t\"timestamp.json\": {\n\t\t\t\"version\": 84,\n\t\t\t\"len\": 719,\n\t\t\t\"expiration\": \"15 May 23 00:07 UTC\",\n\t\t\t\"error\": \"\"\n\t\t}\n\t}\n}","stacktrace":"main.main\n\tgithub.com/sigstore/policy-controller/cmd/webhook/main.go:96\nruntime.main\n\truntime/proc.go:250"}
panic: Failed to initialize TUF client from : updating local metadata and targets: error updating to TUF remote mirror: tuf: failed to download 8.root.json: Get "https://sigstore-tuf-root.storage.googleapis.com/8.root.json": dial tcp 142.250.194.16:443: i/o timeout
remote status:{
"mirror": "https://sigstore-tuf-root.storage.googleapis.com/",
"metadata": {
"root.json": {
"version": 7,
"len": 5404,
"expiration": "04 Oct 23 13:08 UTC",
"error": ""
},
"snapshot.json": {
"version": 84,
"len": 2301,
"expiration": "22 May 23 00:07 UTC",
"error": ""
},
"targets.json": {
"version": 7,
"len": 5252,
"expiration": "04 Oct 23 13:26 UTC",
"error": ""
},
"timestamp.json": {
"version": 84,
"len": 719,
"expiration": "15 May 23 00:07 UTC",
"error": ""
}
}
}

@Mukuls77 This is a duplicate of sigstore/helm-charts#528, closing this issue now!
Also I commented in the other issue that your flag was invalid.

Hi Hector, thanks for the update with the command suggestion. I was able to deploy the policy controller without TUF.
But I am now facing an issue, as I am using a keyless CIP in which I am using a TrustRoot in which I have configured my cert chain. Now, with the disable-tuf deployment, the policy controller is not working and giving this issue:

/home/mukul/tarballTest>kubectl run -n pc-demo testimage --image=$demoimage
Error from server (BadRequest): admission webhook "policy.sigstore.dev" denied the request: validation failed: failed policy: demo: spec.containers[0].image
ttl.sh/cosign-ci/tarball/bddb9faf@sha256:1d4b70ca7693a3357edb48d492bee7c4aedeb6e7a74557fd47871a81d507bfdc constructing checkOpts for keyless: getting Fulcio certs: keyless: trustRootRef my-sigstore-keys not found
/home/mukul/tarballTest>kubectl get cip
NAME AGE
demo 31m
/home/mukul/tarballTest>kubectl get trustroot
NAME AGE
my-sigstore-keys 30m

As I understood, TUF is needed to get the root cert for the Fulcio CA server. In my case I am not using anything from the Fulcio server, as I am hosting my own trust root which has my own cert chain, so ideally this should work in disable-TUF mode also. Can you please guide me on what I am missing here?
Attached are the logs for your reference:
without_tuf.tar.gz

I am not sure how you deployed, but the logs of the policy-controller are reporting issues patching the ConfigMap config-sigstore-keys, from which the TrustRoots are consumed. The helm chart has the patching permissions to do so, so that sounds like a problem with your installation.
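The failure mode discussed in this thread is that `kubectl get trustroot` lists the object while the webhook still reports `trustRootRef my-sigstore-keys not found`, because the webhook reads TrustRoots from the config-sigstore-keys ConfigMap rather than from the CRD directly. The script below is an added example, not code from this issue or from the policy-controller project: it is an offline triage that takes the JSON you would get from `kubectl get trustroot -o json`, `kubectl get clusterimagepolicy -o json` and `kubectl get configmap config-sigstore-keys -n cosign-system -o json` and reports which keyless trustRootRefs cannot resolve and why. The embedded objects are constructed stand-ins for the ones in the thread; the certificate chain is a placeholder with only PEM framing, not a real certificate; and the ConfigMap layout (one data key per TrustRoot name) and the CIP/TrustRoot field names are assumptions of this example, not facts stated on the page.

```python
"""Offline triage for "keyless: trustRootRef <name> not found".

Constructed inputs stand in for `kubectl get trustroot -o json`,
`kubectl get clusterimagepolicy -o json` and
`kubectl get configmap config-sigstore-keys -n cosign-system -o json`.
Assumption (not stated in the issue): the webhook resolves trustRootRef
against that ConfigMap, whose data keys are TrustRoot names, so a TrustRoot
object the reconciler never wrote into the ConfigMap is "not found" even
though `kubectl get trustroot` lists it.
"""
import base64
import json

# Constructed placeholder, not a real certificate: only the PEM framing matters here.
PLACEHOLDER_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBplaceholderMIIBplaceholder\n"
    "-----END CERTIFICATE-----\n"
)
CERT_CHAIN_B64 = base64.b64encode(PLACEHOLDER_PEM.encode()).decode()

TRUST_ROOTS = {"items": [{
    "apiVersion": "policy.sigstore.dev/v1alpha1",
    "kind": "TrustRoot",
    "metadata": {"name": "my-sigstore-keys"},
    "spec": {"sigstoreKeys": {"certificateAuthorities": [{
        "subject": {"organization": "example.test", "commonName": "example CA"},
        "uri": "https://fulcio.example.test",
        "certChain": CERT_CHAIN_B64,
    }]}},
}]}

CIPS = {"items": [{
    "apiVersion": "policy.sigstore.dev/v1beta1",
    "kind": "ClusterImagePolicy",
    "metadata": {"name": "demo"},
    "spec": {
        "images": [{"glob": "ttl.sh/cosign-ci/**"}],
        "authorities": [{"keyless": {
            "trustRootRef": "my-sigstore-keys",
            "identities": [{"issuer": "https://oidc.example.test", "subject": "ci@example.test"}],
        }}],
    },
}]}

# State from the issue: the TrustRoot exists but the ConfigMap was never patched.
CONFIGMAP_NOT_RECONCILED = {"metadata": {"name": "config-sigstore-keys"}}

# Healthy state: the reconciler serialised the TrustRoot under its own name.
CONFIGMAP_RECONCILED = {
    "metadata": {"name": "config-sigstore-keys"},
    "data": {"my-sigstore-keys": json.dumps(TRUST_ROOTS["items"][0]["spec"]["sigstoreKeys"])},
}


def count_pem_certificates(cert_chain_b64):
    """Decode a TrustRoot certChain (base64 of a PEM bundle) and count certificates."""
    try:
        pem = base64.b64decode(cert_chain_b64, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return 0
    return pem.count("-----BEGIN CERTIFICATE-----")


def keyless_trust_root_refs(cips):
    """Yield (policy name, trustRootRef) for each keyless authority that sets one."""
    for cip in cips["items"]:
        for authority in cip["spec"].get("authorities", []):
            ref = (authority.get("keyless") or {}).get("trustRootRef")
            if ref:
                yield cip["metadata"]["name"], ref


def diagnose(trust_roots, cips, configmap):
    """Return a list of findings; an empty list means every trustRootRef should resolve."""
    findings = []
    tr_names = {tr["metadata"]["name"] for tr in trust_roots["items"]}
    cm_data = configmap.get("data") or {}
    cm_name = configmap["metadata"]["name"]
    for policy, ref in keyless_trust_root_refs(cips):
        if ref not in tr_names:
            findings.append(f"{policy}: trustRootRef {ref} names no TrustRoot object")
        elif ref not in cm_data:
            findings.append(
                f"{policy}: TrustRoot {ref} exists but is missing from ConfigMap {cm_name}; "
                "check the reconciler's logs and its RBAC to patch that ConfigMap"
            )
    for tr in trust_roots["items"]:
        cas = tr["spec"].get("sigstoreKeys", {}).get("certificateAuthorities", [])
        for i, ca in enumerate(cas):
            if count_pem_certificates(ca.get("certChain", "")) == 0:
                findings.append(
                    f"TrustRoot {tr['metadata']['name']}: certificateAuthorities[{i}].certChain "
                    "is not base64-encoded PEM"
                )
    return findings


if __name__ == "__main__":
    for finding in diagnose(TRUST_ROOTS, CIPS, CONFIGMAP_NOT_RECONCILED) or ["no findings"]:
        print(finding)
```

Running it against the not-reconciled ConfigMap reproduces the situation in the thread (TrustRoot present, ConfigMap entry absent), which points at the reconciler's ability to patch the ConfigMap rather than at the CIP or at TUF. Against the reconciled ConfigMap it reports nothing, and a certChain that is not base64 PEM is flagged separately so a TrustRoot the controller would reject is not mistaken for an RBAC problem.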