Can't use ratify with private ECR repository #1478
Comments
@jlbutler Would you mind helping troubleshoot this issue with ECR? Thanks
@FeynmanZhou
chart version-1.11.0 chart version-1.12.0 (latest) Ratify v1.1.0-v1.0.0 diff: v1.0.0...v1.1.0 The error seems to be thrown from
I can back this, this is the exact error on our side too when trying to use a private ECR repo with the latest chart version.
My implementation is through the helm chart. IAM access is given from both sides and a proper service account is created and attached from the values.yaml file. I've double checked and triple checked to make sure nothing is missing while deploying this. I've followed the steps from the Ratify docs here and double checked that the config matches mine too. Potential Solution? I don't know if this is related, however, looking at the Ratify debug logs about
Thanks for the investigation @emalprokt. @priteshbandi, would it be possible to send a PR to update the Should just involve updating the package:
PR for package upgrade was merged last week, the dev build is available here. @roeishuster, would you be able to help with validation? Many thanks! Sample install command for dev build: helm install ratify
The ECR change seems to be working if deployed through its own helm chart as referred to by @susanshi
I created the service-account. If I try to deploy an image without an SBOM artifact attached, I get
This means that authentication to ECR is successful. Potential Pitfalls: Using the dev image with the v1.1.1 chart does not work, as there seem to be breaking changes between v1.1.1 and the latest changes. Best to update the whole helm chart to the dev one. Update: This dev image also works with the v1.2.0-rc.1 release. You'll just need to replace the image and tag values.
What happened in your environment?
I tried to run ratify in a new EKS cluster, using the guide in this URL: https://ratify.dev/docs/quickstarts/ratify-with-aws-signer
I got to the final step of actually deploying a pod with an image, but I get an error from Ratify:
time=2024-05-15T13:35:40.271102033Z level=info msg=mutating image {myaccountid}.dkr.ecr.us-east-1.amazonaws.com/test/ratify/server:main-latest component-type=server go.version=go1.21.9 trace-id=73fe066c-4975-4b4e-a56d-f490890dd671
time=2024-05-15T13:35:40.271377639Z level=warning msg=auth provider failed with err, could not get ECR auth token for {myaccountid}.dkr.ecr.us-east-1.amazonaws.com/test/ratify/server:main-latest: could not retrieve ECR auth token collection: not found, ResolveEndpointV2 component-type=referrerStore go.version=go1.21.9 trace-id=73fe066c-4975-4b4e-a56d-f490890dd671
My helm install command:
helm install ratify \
    ratify/ratify --atomic \
    --namespace gatekeeper-system \
    --set-file notationCerts={./aws-signer-notation-root.cert} \
    --set featureFlags.RATIFY_EXPERIMENTAL_DYNAMIC_PLUGINS=true \
    --set serviceAccount.create=false \
    --set oras.authProviders.awsEcrBasicEnabled=true \
    --set featureFlags.RATIFY_CERT_ROTATION=true
What did you expect to happen?
Ratify should have checked if the image I provided is signed with notation.
What version of Kubernetes are you running?
1.29
What version of Ratify are you running?
1.1.1
Anything else you would like to add?
I used a private ECR repository in my AWS organization; I gave access on both the Role side and the ECR Repo side.
Are you willing to submit PRs to contribute to this bug fix?
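The warning in the report says the ECR auth provider could not retrieve an authorization token for the image's registry. Before changing chart versions, it helps to confirm the two inputs that path depends on: that the image reference really points at a private ECR registry (account id and region are parsed from the host), and that a GetAuthorizationToken response for that region decodes to usable basic-auth credentials whose proxy endpoint matches the registry host. The script below is an added example written for this page; it is not Ratify code and does not reproduce Ratify's provider internals. It assumes only the public ECR response shape (an authorizationData list with a base64 authorizationToken of the form AWS:<password>, an expiresAt timestamp and a proxyEndpoint); the account id, password and timestamps are constructed sample values.

```python
import base64
import re
from datetime import datetime, timezone

# Registry host of a private ECR image reference, e.g.
# 123456789012.dkr.ecr.us-east-1.amazonaws.com/test/ratify/server:main-latest
ECR_HOST_RE = re.compile(
    r"^(?P<account>\d{12})\.dkr\.ecr(?:-fips)?\.(?P<region>[a-z0-9-]+)"
    r"\.amazonaws\.com(?:\.cn)?$"
)


def parse_ecr_reference(image_ref: str) -> dict:
    """Split an image reference into registry host, account id and region.

    Raises ValueError when the host is not a private ECR registry, which is
    the first thing to rule out when an ECR auth provider reports a failure.
    """
    host, sep, _rest = image_ref.partition("/")
    if not sep:
        raise ValueError(f"no registry host in {image_ref!r}")
    m = ECR_HOST_RE.match(host)
    if not m:
        raise ValueError(f"{host!r} is not a private ECR registry host")
    return {"host": host, "account": m.group("account"), "region": m.group("region")}


def decode_ecr_authorization(auth_response: dict, expected_host: str, now: datetime) -> dict:
    """Decode the first authorizationData entry of a GetAuthorizationToken response.

    The token is base64("AWS:<password>"); the username is always AWS. Besides
    the credentials, return the checks a troubleshooter cares about: that the
    proxy endpoint matches the image's registry host and that the token has
    not already expired (tokens are valid for a limited window).
    """
    entries = auth_response.get("authorizationData") or []
    if not entries:
        # An empty collection is what a client surfaces as "token not found".
        raise ValueError("authorizationData collection is empty")
    entry = entries[0]
    raw = base64.b64decode(entry["authorizationToken"]).decode("utf-8")
    username, sep, password = raw.partition(":")
    if not sep or username != "AWS":
        raise ValueError("authorization token is not in AWS:<password> form")
    proxy = entry["proxyEndpoint"]
    proxy_host = proxy[len("https://"):] if proxy.startswith("https://") else proxy
    return {
        "username": username,
        "password": password,
        "proxy_host": proxy_host,
        "host_matches": proxy_host == expected_host,
        "expired": entry["expiresAt"] <= now,
    }


# Constructed sample input: a fake account id and a fake token. A real check
# would feed in the response from `aws ecr get-authorization-token` for the
# region parsed from the image reference.
SAMPLE_IMAGE = "123456789012.dkr.ecr.us-east-1.amazonaws.com/test/ratify/server:main-latest"
SAMPLE_RESPONSE = {
    "authorizationData": [
        {
            "authorizationToken": base64.b64encode(b"AWS:constructed-password-0001").decode(),
            "expiresAt": datetime(2024, 5, 16, 1, 35, 40, tzinfo=timezone.utc),
            "proxyEndpoint": "https://123456789012.dkr.ecr.us-east-1.amazonaws.com",
        }
    ]
}
SAMPLE_NOW = datetime(2024, 5, 15, 13, 35, 40, tzinfo=timezone.utc)


def triage(image_ref: str = SAMPLE_IMAGE, auth_response: dict = SAMPLE_RESPONSE,
           now: datetime = SAMPLE_NOW) -> dict:
    """Run both checks for one image reference and merge the findings."""
    ref = parse_ecr_reference(image_ref)
    creds = decode_ecr_authorization(auth_response, ref["host"], now)
    return {**ref, **creds}


if __name__ == "__main__":
    result = triage()
    for key in ("account", "region", "proxy_host", "host_matches", "expired"):
        print(f"{key}: {result[key]}")
```

If the reference fails to parse, the image is not on a private ECR registry and the ECR provider is the wrong one for it; if the token decodes but `host_matches` is false, the credentials were requested in the wrong region or account, which produces the same symptom as a missing token.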