cosign-gatekeeper-provider

How to set a public key in the provider cache?

Open jacckyyy opened this issue 1 year ago • 9 comments

I have deployed the provider, template and constraint, but I encounter an error (response: {"errors": null, "responses": null, "status_code": 400, "system_error": "key is not found in provider cache"}) when trying to deploy the example yaml file. How can I set the public key in the cache? Thanks.

jacckyyy avatar Apr 10 '23 03:04 jacckyyy

Hi @jacckyyy,

Actually I have no idea where `key is not found in provider cache` is thrown from. Could you please share the steps you have followed, full logs, the HTTP response, and anything else needed to reproduce this? Thanks.

Dentrax avatar Apr 10 '23 06:04 Dentrax

Hi @Dentrax, I'm sorry, my previous description was too brief. My steps were based on the article in the following link.

https://github.com/sigstore/cosign-gatekeeper-provider

Starting with the installation of Gatekeeper, I installed cosign-gatekeeper-provider.

Finally, I confirmed the deployment of the ConstraintTemplate and Constraint policy.

However, at the last step, when I verified the signature using the example in policy/example, I got the following error message regardless of whether I signed with cosign or not.

It seems that the provider did not set the public key. I don't know what the problem is with this part. Did I miss anything? Thanks... Orz

jacckyyy avatar Apr 10 '23 11:04 jacckyyy

+1 getting the same error response

mjramer avatar Apr 10 '23 14:04 mjramer

Hitting the same issue with gatekeeper 3.14.0. @Dentrax Could it be something not working with Gatekeeper internal cache? I tried disabling it and still getting the same error. It seems gatekeeper is not even calling the external provider when printing that error.

etiennegrignon-intuit avatar Mar 21 '24 05:03 etiennegrignon-intuit

The error comes from this line https://github.com/open-policy-agent/frameworks/blob/359cf1b785c9f630f61f58366e685918153c5357/constraint/pkg/externaldata/cache.go#L103

etiennegrignon-intuit avatar Mar 21 '24 05:03 etiennegrignon-intuit

https://github.com/open-policy-agent/frameworks/commits?author=nilekhc @nilekhc @jacckyyy I am also facing the same issue, "key is not found in provider response cache". Could you please guide us on how to resolve it? Thanks

bsher21 avatar Mar 21 '24 07:03 bsher21

UP + 1

houdini91 avatar Mar 21 '24 13:03 houdini91

Maybe related to https://github.com/open-policy-agent/gatekeeper/pull/3132. Maybe upgrading to >3.15 (https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.15.0) will fix it.

houdini91 avatar Mar 21 '24 13:03 houdini91

@houdini91 Thank you! Upgrading Gatekeeper to 3.15 and setting --external-data-provider-response-cache-ttl=0 seems to help address the issue. Not sure why the cache needs to be disabled for the provider to work.

etiennegrignon-intuit avatar Mar 26 '24 18:03 etiennegrignon-intuit
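Added example, not code from this issue, from cosign-gatekeeper-provider or from Gatekeeper: a simplified Go model of an external data provider response cache with a TTL, written to show why a lookup against an empty cache reports the error quoted in this thread, and what a TTL of 0 (the `--external-data-provider-response-cache-ttl=0` setting mentioned above) changes. The `CacheKey` layout, the `Lookup` helper and the stand-in `verify` provider are assumptions made for illustration; the real lookup path is in the frameworks `cache.go` linked earlier in the thread.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

// ErrKeyNotFound reuses the message quoted in the thread so a miss reads the
// same way; everything else here is an illustrative model, not Gatekeeper's code.
var ErrKeyNotFound = errors.New("key is not found in provider response cache")

// CacheKey identifies one response: which provider answered, for which key.
type CacheKey struct {
	ProviderName string
	Key          string
}

type entry struct {
	value    string
	received time.Time
}

// ResponseCache caches provider responses for a fixed TTL. A TTL of zero
// (what --external-data-provider-response-cache-ttl=0 configures in the
// thread's fix) stores nothing, so every lookup misses and the provider is
// always called.
type ResponseCache struct {
	mu  sync.Mutex
	ttl time.Duration
	now func() time.Time // injectable clock, so expiry can be tested
	m   map[CacheKey]entry
}

func NewResponseCache(ttl time.Duration) *ResponseCache {
	return &ResponseCache{ttl: ttl, now: time.Now, m: map[CacheKey]entry{}}
}

// Upsert stores a response unless caching is disabled.
func (c *ResponseCache) Upsert(k CacheKey, value string) {
	if c.ttl <= 0 {
		return
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	c.m[k] = entry{value: value, received: c.now()}
}

// Get returns the cached response, or ErrKeyNotFound when the key was never
// stored or its entry has expired (expired entries are evicted on read).
func (c *ResponseCache) Get(k CacheKey) (string, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	e, ok := c.m[k]
	if !ok {
		return "", ErrKeyNotFound
	}
	if c.now().Sub(e.received) > c.ttl {
		delete(c.m, k)
		return "", ErrKeyNotFound
	}
	return e.value, nil
}

// Lookup serves a key from the cache when it can and otherwise calls the
// provider and caches its answer. The bool reports whether it was a cache hit.
func Lookup(c *ResponseCache, provider, key string, call func(string) (string, error)) (string, bool, error) {
	k := CacheKey{ProviderName: provider, Key: key}
	if v, err := c.Get(k); err == nil {
		return v, true, nil
	}
	v, err := call(key)
	if err != nil {
		return "", false, err
	}
	c.Upsert(k, v)
	return v, false, nil
}

func main() {
	calls := 0
	// Constructed stand-in for cosign-gatekeeper-provider: accepts any image
	// pinned by digest, rejects everything else. No real signature check here.
	verify := func(key string) (string, error) {
		calls++
		if strings.Contains(key, "@sha256:") {
			return key + "_valid", nil
		}
		return "", fmt.Errorf("no signature for %s", key)
	}
	img := "registry.example/app@sha256:0123456789abcdef"
	for _, ttl := range []time.Duration{time.Minute, 0} {
		c := NewResponseCache(ttl)
		calls = 0
		for i := 0; i < 3; i++ {
			_, hit, _ := Lookup(c, "cosign-gatekeeper-provider", img, verify)
			fmt.Printf("ttl=%v lookup %d: hit=%v provider calls=%d\n", ttl, i+1, hit, calls)
		}
	}
	// A key that was never looked up misses with the message seen in the thread.
	_, err := NewResponseCache(time.Minute).Get(CacheKey{"cosign-gatekeeper-provider", img})
	fmt.Println("cold cache:", err)
}
```

With the TTL set to a minute, only the first of the three lookups reaches the provider; with TTL 0 all three do. That is the trade being made by the workaround in this thread: every admission review now round-trips to the provider, so its latency and availability become part of the admission path. Any cache that does retain results should key them by the exact reference that was verified, so a cached verdict cannot be reused for a different image.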