Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kwctl push is failing in v1.17.0 #944

Open
1 task done
ferhatguneri opened this issue Oct 17, 2024 · 1 comment
Open
1 task done

kwctl push is failing in v1.17.0 #944

ferhatguneri opened this issue Oct 17, 2024 · 1 comment
Labels
kind/bug
Milestone
1.18

Comments

@ferhatguneri
Copy link

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

kwctl push --docker-config-json-path /tmp annotated-policy.wasm registry.com/kubewarden-policies/disallow-automount-default-sa-token-policy:1.11.3
Error: Fail to interact with OCI registry: error sending request for url (https://registry.com/v2/kubewarden-policies/disallow-automount-default-sa-token-policy/blobs/uploads/)

Caused by:
0: error sending request for url (https://registry.com/v2/kubewarden-policies/disallow-automount-default-sa-token-policy/blobs/uploads/)
1: client error (Connect)
2: invalid peer certificate: UnknownIssuer

Expected Behavior

Policy successfully pushed: registry.com/kubewarden-policies/disallow-default-namespace-policy@sha256:c40a3fbca4de08ab6942121212121211214dac34d086a

Steps To Reproduce

Just try to push kubewarden policy with kwctl v1.17.0

Environment

- OS:
- Architecture:

Anything else?

It is working in v1.16.1
@kkaempf kkaempf added this to the 1.18 milestone Oct 21, 2024
@viccuad
Copy link
Member

viccuad commented Oct 22, 2024
edited
Loading

Hi, I can't reproduce this here with kwctl v1.17:

$ docker pull ghcr.io/viccuad/test/user-group-psp:config-test
config-test: Pulling from viccuad/test/user-group-psp
unsupported media type application/vnd.wasm.config.v1+json
$ kwctl-1.17 pull registry://ghcr.io/viccuad/test/user-group-psp:config-test
$ kwctl-1.17 policies
+-----------------------------------------------------------------------+----------+---------------+--------------+-----------+
| Policy                                                                | Mutating | Context aware | SHA-256      | Size      |
+-----------------------------------------------------------------------+----------+---------------+--------------+-----------+
| registry://ghcr.io/viccuad/test/user-group-psp:config-test            | yes      | no            | f6e0bf76af86 | 1.35 MB   |
+-----------------------------------------------------------------------+----------+---------------+--------------+-----------+
$ kwctl-1.17 push registry://ghcr.io/viccuad/test/user-group-psp:config-test registry://ghcr.io/viccuad/test/user-group-psp:config-test2
Policy successfully pushed: ghcr.io/viccuad/test/user-group-psp@sha256:a11a39b6bc4dc5c047d2d6aa0d33f7208085515d49977ae3c8129fc3706dc9ce

(and the new tag config-test2 was published).

Maybe the ~/docker/config.json is not correctly set up, or the credentials you are using for that repository are expired. Could you check if you can pull or push an image with crane, docker , etc?

From the error invalid peer certificate: UnknownIssuer, I'm inclined to think that either the local CA certs are incorrectly set up, or kwctl fails to make use of them. Could you please run kwctl with increased verbosity kwctl -v to see from where the error comes?

As a workaround, you could use crane to push the policy to the registry.

Thanks in advance.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug
Projects
Kubewarden
Status: Blocked
Milestone
1.18
Development

No branches or pull requests
3 participants
@kkaempf @viccuad @ferhatguneri