bank-vaults: Webhook cannot access private registry

Hello, I’m trying to use the webhook with my private registry, but it complains that it cannot access it due to a missing certificate:

time="2020-02-14T15:32:49Z" level=info msg="I'm using registry https://docker-repo.banana.xyz"
2020/02/14 15:32:49 registry.manifest.get url=https://docker-repo.banana.xyz/v2/skaffold-python-example:508954f-dirty/manifests/sha256:2a6982d3d463658a74db478bdac71379fd2e5bdfc6da6581033103e558374e07 repository=skaffold-python-example:508954f-dirty reference=sha256:2a6982d3d463658a74db478bdac71379fd2e5bdfc6da6581033103e558374e07
time="2020-02-14T15:32:49Z" level=error msg="admission webhook error: cannot download manifest for image: Get https://docker-repo.banana.xyz/v2/skaffold-python-example:508954f-dirty/manifests/sha256:2a6982d3d463658a74db478bdac71379fd2e5bdfc6da6581033103e558374e07: x509: certificate signed by unknown authority" app=vault-secrets-webhook

Is there a webhook parameter to pass a Root CA cert of my docker-repo or at least to skip TLS verification?

PS. I’ve installed the webhook with Helm:

helm upgrade --namespace ${VAULT_INFRA_NAMESPACE} \
     --install vault-secrets-webhook              \
     --wait                                       \
     --version "0.7.1"                            \
     banzaicloud-stable/vault-secrets-webhook

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 22 (8 by maintainers)

Most upvoted comments

Just submitted #882 to resolve this.

Great investigation @TomaszKlosinski, I think if Kubernetes understands this image naming format we should do it too, so I will leave this open to have a workaround and a tracking issue for this. Thanks for reporting!

I found it!

I’ve skipped the tag in the image name in Skaffold config:

  tagPolicy:
    envTemplate:
      template: "{{.IMAGE_NAME}}"

This produced the following Image:

Image:         docker-repo.banana.xyz/testing/skaffold-python-example@sha256:96b77fc06c9cbd5227eb8538020c6e458a259d17ccb2ec1aea5fe8261a61fff7

And it finally worked:

time="2020-02-17T16:32:39Z" level=info msg="found no credentials for registry https://docker-repo.banana.xyz, assuming it is public"
time="2020-02-17T16:32:39Z" level=info msg="I'm using registry https://docker-repo.banana.xyz"
2020/02/17 16:32:39 registry.manifest.get url=https://docker-repo.banana.xyz/v2/testing/skaffold-python-example/manifests/sha256:96b77fc06c9cbd5227eb8538020c6e458a259d17ccb2ec1aea5fe8261a61fff7 repository=testing/skaffold-python-example reference=sha256:96b77fc06c9cbd5227eb8538020c6e458a259d17ccb2ec1aea5fe8261a61fff7
2020/02/17 16:32:39 registry.blob.download url=https://docker-repo.banana.xyz/v2/testing/skaffold-python-example/blobs/sha256:efad0e10a1a5ab6e99607e733802f15867753231685ff0eafbab6401a7bef241 repository=testing/skaffold-python-example digest=sha256:efad0e10a1a5ab6e99607e733802f15867753231685ff0eafbab6401a7bef241

I think it’s some skaffold magic. I’m not exactly sure how this works. I’ll try to deploy the manifest without skaffold and see if it works then.
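Added illustration, not code from bank-vaults or from this thread: the failing log above shows the reference `skaffold-python-example:508954f-dirty@sha256:...` being split so that the tag stays glued to the repository path, while the digest-only form works. The parser below handles the `repo:tag@digest` form the way Kubernetes does (digest wins, tag is informational); the Docker Hub defaulting and the v2 manifest URL shape are my assumptions modelled on the docker CLI and the registry API.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ImageRef is a container image reference split into its parts.
type ImageRef struct{ Registry, Repository, Tag, Digest string }
var digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// ParseImageRef splits "[registry/]repo[:tag][@sha256:digest]". The digest comes off
// first: its ':' would otherwise be taken for the tag separator, gluing tag to repo.
func ParseImageRef(s string) (ImageRef, error) {
	var ref ImageRef
	if at := strings.LastIndex(s, "@"); at >= 0 {
		ref.Digest, s = s[at+1:], s[:at]
		if !digestRe.MatchString(ref.Digest) {
			return ref, fmt.Errorf("malformed digest %q", ref.Digest)
		}
	}
	ref.Registry = "docker.io" // Docker Hub unless the first component looks like a host
	if i := strings.Index(s, "/"); i > 0 && (s[:i] == "localhost" || strings.ContainsAny(s[:i], ".:")) {
		ref.Registry, s = s[:i], s[i+1:]
	} else if !strings.Contains(s, "/") {
		s = "library/" + s // official image, as the docker CLI expands it
	}
	// A ':' after the last '/' is the tag separator (a host port is already gone).
	if c := strings.LastIndex(s, ":"); c > strings.LastIndex(s, "/") {
		ref.Tag, s = s[c+1:], s[:c]
	}
	ref.Repository = s
	return ref, nil
}

// ManifestURL is the v2 manifest URL: the digest when present, else the tag, else "latest".
func (r ImageRef) ManifestURL() string {
	reference := r.Digest // with both tag and digest, the digest is what must be fetched
	if reference == "" && r.Tag != "" {
		reference = r.Tag
	} else if reference == "" {
		reference = "latest"
	}
	return fmt.Sprintf("https://%s/v2/%s/manifests/%s", r.Registry, r.Repository, reference)
}

func main() { // constructed input taken from the failing log line above
	ref, _ := ParseImageRef("docker-repo.banana.xyz/skaffold-python-example:508954f-dirty@sha256:2a6982d3d463658a74db478bdac71379fd2e5bdfc6da6581033103e558374e07")
	fmt.Println(ref.ManifestURL())
}
```

With the tag peeled off correctly the manifest request goes to `/v2/skaffold-python-example/manifests/sha256:...`, which is the path that succeeded in the working log.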

Viper handles environment variables as well.