trivy-operator: Error x509: certificate signed by unknown authority when trying to download vulnerability DB from private Registry
What steps did you take and what happened:
I installed the trivy-operator via kubectl in version 0.0.5 and made the necessary changes to pull all images from our internal registry (JFrog Artifactory). The operator is running fine and starts the scanning pods. Except for the changes to the image sources, the operator is running with the default config.
However, the logs show the following error: failed to download vulnerability DB: OCI artifact error: OCI artifact error: OCI repository error: Get \"https://packages.repo.internal.com/v2/\": x509: certificate signed by unknown authority\n"
This repository uses a self-signed certificate, so this error is expected.
In the documentation I found a parameter to set registries to unsecure: trivy.insecureRegistry.<id>
So I added this to the trivy-operator-trivy-config
configmap:
data:
trivy.insecureRegistry.artifactory: "packages.repo.internal.com"
This seems to have no effect, the error is unchanged.
What did you expect to happen:
I would expect trivy to skip the certificate validation with this setting.
Anything else you would like to add:
Environment:
- Trivy-Operator version (use
trivy-operator version
): 0.0.5 - Kubernetes version (use
kubectl version
): v1.22.6 - OS (macOS 10.15, Windows 10, Ubuntu 19.10 etc): Ubuntu 20.04
About this issue
- Original URL
- State: closed
- Created 2 years ago
- Comments: 23 (11 by maintainers)
@nfsouzaj trivy-operator v0.1.0 has been released checkout the fixes in notes
@chen-keinan Hi, I am also having the same issue. In my case the SSL Inspection of Palo Alto messes up with the certificate which causes it to become “insecure”. I am very much looking for the insecure flag so that I can set it in the config map and use the operator seamless. Thanks!
@mauricewittek @erikgb I found the root cause, trivy operator scan job download the vuln-db on initContainer and the insecure env variable did not get their , I have raised a new PR which introduce a new insecure flag for this purpose to be populated with init container #169 dbRepositoryInsecure
@mauricewittek join our slack channel to discuss in details
Trivy has added support for it trivy#240, once it will be released we will update trivy version in trivy-operator