-
Notifications
You must be signed in to change notification settings - Fork 62
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Using cosign validation works for about 6 hours and then we start getting validation errors for Connaisseur application version 3.6.1 and chart version 2.6.1 #1765
Comments
@phbelitz @chrysogonus , another way this could be fixed with less effort is to allow the Connaisseur deployment to add custom annotations from the Currently the annotations that can be added on a deployment are restricted If we can allow custom annotations here
Then we can use something like https://github.com/stakater/Reloader
I see that the ecr-credentials secret ends up being included in the deployment as a volume mount, which makes it a perfect candidate for Reloader to restart the deployment
I have played around with this idea further by manually editing the Connaisseur deployment to add Reloader annotations There were 2 outcomes.
So this is to just share ideas on one way token refresh could be achieved when using the |
@edison-vflow yikes, thank you for that very thorough digging into the problem. if i understand correctly this whole ordeal needn't to be done when using the |
Hi @phbelitz Connaisseur supports multiple mechanisms to login to your repositories when it is doing cosign validation We tried 2 of them:
The issue raised here is for 2. Using When using the Connaisseur then keeps the authentication details it read from the secret in memory for as long as its pods are running. The interesting thing is that, on our side, we have a mechanism where we fetch new credentials before they expire, so that the secret is repopulated. In Kubernetes clusters, this is a common issue that a deployment may need to restart when its associated configMaps or secrets are updated. -- |
@edison-vflow ok, I see three options:
so i guess i'll prepare a PR with customizable annotations. |
Added the option to define costume annotation to the Connaisseur deployment. fixes #1765 credits to @edison-vflow
Added the option to define costume annotation to the Connaisseur deployment. fixes #1765 credits to @edison-vflow
@phbelitz , first prize is really to have Connaisseur be self contained. We explored this route of customizable annotations when I propose that we can enable customizable annotations as a temporary solution to help people who go the |
Describe the bug
When using Connaisseur application version 3.6.1 and chart version 2.6.1 on EKS v1.30, using cosign validators where auth.secretName is used and ECR is the image registry, Connaisseur can validate images correctly and after about 6 hrs, validation starts failing with
The validator section is defined as
The issue happens for the
awsvalidator
that needs ECR credentials provided via the secretecr-credentials
On initial run , validation works for about 6 hrs.This time sometimes varies.
After the 6 or so hours, we start getting the error highlighted above.
At the moment that validation starts failing, various operations in the cluster are blocked, like rollout of deployments.
What we notice is that if we restart Connaisseur, then validation starts working again, until the next expiration.
We have a cronjob that runs every 6 hrs, this is to cater for the fact that the ECR token expires after 12 hrs.
This refresh ecr cronjob refreshes the ecr-credentials secret that Connaisseur validator is using.
For refreshing the token every 6 hrs before expiration, we are using https://github.com/nabsul/k8s-ecr-login-renew
The refreshing seems to be working, as the restart of Connaisseur always works and the restart will be using this refreshed token.
Its looking like the Connaisseur validator that uses the auth.secret mechanisms reads the token in once at startup but does not have a way of reading the token when it is refreshed in the ecr-credentials secret, the same secret it is reading from at start-up.
Would this explain why a restart of Connaisseur seems to always fix the issue ?
Another test we did is to explicitly run the token renewal job at the time Connaisseur validation fails to force token refresh.
The credentials are renewed but they are not picked up by a running instance of Connaisseur
Could you give guidance on how best to solve this issue or perhaps what other clients that are using the auth.secret for cosign are doing to always have Connaisseur use the latest token
Expected behavior
Optional: To reproduce
To reproduce, install Connaisseur application version 3.6.1 and chart version 2.6.1 on AWS EKS v1.30
Configure your validators section as shown above.
This is a setup where the trust roots are taken from KMS and the cosign is using auth.secret where the secret is using the dockerconfigjson mechanism
Optional: Versions (please complete the following information as relevant):
Optional: Additional context
Not sure if this affects the validation somehow but just worth mentioning
The redis issue was raised separately as its own issue
Redis logs have errors using the default values.yaml from application version 3.6.0 chart version 2.6.0 #1764
The text was updated successfully, but these errors were encountered: