
How to debug content_trust?

Open funkypenguin opened this issue 5 years ago • 1 comment

Hi all,

I've tried to enable content_trust towards my Harbor Notary server. I'm still a little confused about how it's all going to work, but I thought I'd start by creating a notary root key/passphrase using notary init offline, and then transfer them into concourse secrets.

So with the addition of the content_trust section, my resource looks like this:

  - name: image
    type: registry-image
    source:
      repository: ((registry.url))/retort/((component))
      username: ((registry.username))
      password: ((registry.password))
      content_trust:
        server: ((notary.server))
        repository_key_id: ((notary.repository_key_id))
        repository_key: ((notary.repository_key))
        repository_passphrase: ((notary.repository_passphrase))

When concourse puts the image, I see the following in the logs:

2020/12/04 03:05:11 existing blob: sha256:9729d2b0a1589709492eea2868ceaf71e35831394b582ebec19891cb0a135c6f
2020/12/04 03:05:11 existing blob: sha256:e6b0cf9c0882fb079c9d35361d12ff4691f916b6d825061247d1bd0b26d7cf3f
2020/12/04 03:05:11 registry.elpenguino.net/retort/mailhog:latest: digest: sha256:811996c517506361ad85792217d44b9bfadb08317cc9f0dd020c79ec6179a061 size: 1725
INFO[0001] pushed
INFO[0001] reading certificate directory: /tmp/notary-config696560483/tls/notary.elpenguino.net
ERRO[0001] failed to get notary repository tls: failed to find any PEM data in certificate input
ERRO[0001] failed to sign image: tls: failed to find any PEM data in certificate input
ERRO[0001] failed to sign image: tls: failed to find any PEM data in certificate input
INFO[0001] pushing as tag 0.0.0-dev.219
2020/12/04 03:05:11 existing blob: sha256:3c0fed94060062d5bcee768a7d795e25a915446862d84f03608981244cacd26b
2020/12/04 03:05:11 existing blob: sha256:a74c1dbd609a5dbb366506d25973c22a31ae4bb91a7a290b34965e00df723b7c

The put succeeds, but the signing fails. I've not specified tls_key or tls_cert, since the docs say that they're optional, and notary is behind an ingress with a valid public cert.

How can I debug the error here? Is the resource complaining about being unable to combine my passphrase with my key, or is it something else?

While debugging, I ran the pipeline and monitored any ingress traffic to notary. Running the pipeline resulted in no traffic towards notary, so my assumption is that the issue is with the key/passphrase I've provided.

Any debugging pointers would be welcome ;)

D

funkypenguin avatar Dec 04 '20 03:12 funkypenguin

@funkypenguin I had a similar problem; you need to pass the key / crt generated by helm from the notary secret (probably harbor-harbor-notary-secret).

The GCR library doesn't handle missing PEM data at all, I think this resource should be changed to reflect that actually.

Note, you might then get a 401 issue, which I'm still trying to fix myself... I think I know the problem, but I'm still investigating.

DandyDeveloper avatar Jan 18 '21 03:01 DandyDeveloper
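The "failed to find any PEM data in certificate input" line in the log above is the error Go's crypto/tls returns when the certificate input contains no PEM block, which is exactly what an empty tls_cert/tls_key (the reporter omitted both) or a value that is still base64-encoded (as stored in a Kubernetes Secret) produces. The Go program below is an added example, not code from the resource or from either poster: it runs the same pem/X509KeyPair checks locally so a cert/key pair can be validated before it goes into Concourse secrets. The self-signed certificate it builds is constructed test material, and the `CheckTLSPair`/`selfSignedPair` names are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckTLSPair explains why a tls_cert/tls_key pair would fail the Go crypto/tls parsing
// the resource relies on ("failed to find any PEM data ..."); "" means the pair is usable.
func CheckTLSPair(certPEM, keyPEM []byte) string {
	names := []string{"tls_cert", "tls_key"}
	for i, data := range [][]byte{certPEM, keyPEM} {
		if blk, _ := pem.Decode(data); blk != nil {
			continue
		}
		// No PEM block. A common cause is pasting the still-base64 value of a k8s Secret, so decode once and look again.
		if raw, err := base64.StdEncoding.DecodeString(string(data)); err == nil {
			if blk, _ := pem.Decode(raw); blk != nil {
				return names[i] + ": value is base64-encoded PEM; decode it before passing it to the resource"
			}
		}
		return names[i] + ": no PEM data found (empty, not PEM, or the wrong file)"
	}
	if _, err := tls.X509KeyPair(certPEM, keyPEM); err != nil {
		return "cert/key pair rejected: " + err.Error()
	}
	return ""
}

// selfSignedPair builds throwaway self-signed material, constructed for this demo only (not a notary cert).
func selfSignedPair() (certPEM, keyPEM []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "notary.example"}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	kdr, _ := x509.MarshalPKCS8PrivateKey(priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: kdr})
}

func main() {
	c, k := selfSignedPair()
	fmt.Printf("good pair: %q\nmissing cert: %q\n", CheckTLSPair(c, k), CheckTLSPair(nil, k))
}
```

To check real material, read the two files you intend to put in the secret and pass their bytes to `CheckTLSPair`; a non-empty result names which input would trip the resource and why.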