Credentials for policiesBundle not used by the operator #2351

Open
banh-gao opened this issue Dec 6, 2024 · 0 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments


banh-gao commented Dec 6, 2024

What steps did you take and what happened:

  1. Create a secret with the credentials to authenticate to a private image registry from which to download the trivy-checks image. Something like:
    kubectl create secret generic trivy-operator -n trivy-system --from-literal=policies.bundle.oci.user=<registryuser> --from-literal=policies.bundle.oci.password=<registrypass>
  2. Install the operator via Helm, setting policiesBundle.existingSecret: true
  3. Check operator logs. I get something like:
{"level":"error","ts":"2024-12-06T15:13:16Z","logger":"policyLoader.Get misconfig bundle policies","msg":"failed to load policies","error":"failed to download policies: failed to download built-in policies: download error: OCI repository error: 3 errors occurred:\n\t* GET https://REDACTED/aquasecurity/trivy-checks/manifests/0: MANIFEST_UNKNOWN: Failed to fetch \"0\"\n\t* GET https://REDACTED/aquasecurity/trivy-checks/manifests/0: MANIFEST_UNKNOWN: Failed to fetch \"0\"\n\t* GET https://REDACTED: DENIED: Unauthenticated request. Unauthenticated requests do not have permission \"artifactregistry.repositories.downloadArtifacts\" on resource \"REDACTED\" (or it may not exist)\n\n", ...

What did you expect to happen:
It seems the request is not authenticated. I expect the request to use the configured credentials.

Anything else you would like to add:
I checked if the trivy-operator secret is mounted by the trivy-operator pod, but it's not the case. I also tried to mount the trivy-operator secret as env on the pod, but the issue persists.

I verified the credentials locally (with docker login) and I can confirm they work.

Environment:

  • Trivy-Operator version: 0.24.1
  • Kubernetes version: 1.29.2 (GKE)
  • Registry is GCP artifact registry
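A triage check for the first thing the reporter looked at, added here as an example and not part of the issue or the trivy-operator project: given a Pod manifest (as returned by `kubectl get pod -o json`), list every place the `trivy-operator` Secret is consumed (secret volume, `envFrom.secretRef`, `env.valueFrom.secretKeyRef`), and verify the Secret carries the two keys the `kubectl create secret` command above populates. The Pod manifest below is constructed for the example.

```python
import json
from typing import Dict, List

# Constructed Pod manifest (not taken from the issue) shaped like an operator
# pod that mounts no Secret and takes env only from a ConfigMap.
SAMPLE_POD = json.loads("""
{
  "metadata": {"name": "trivy-operator-example", "namespace": "trivy-system"},
  "spec": {
    "volumes": [{"name": "tmp", "emptyDir": {}}],
    "containers": [{
      "name": "trivy-operator",
      "env": [{"name": "OPERATOR_NAMESPACE", "value": "trivy-system"}],
      "envFrom": [{"configMapRef": {"name": "trivy-operator"}}],
      "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}]
    }]
  }
}
""")

# Keys the issue's `kubectl create secret` command populates.
REQUIRED_KEYS = ("policies.bundle.oci.user", "policies.bundle.oci.password")


def secret_references(pod: Dict, secret_name: str) -> List[str]:
    """Every place in the Pod spec that consumes `secret_name`:
    secret volumes, envFrom secretRef, and env valueFrom.secretKeyRef."""
    hits = []
    spec = pod.get("spec", {})
    for vol in spec.get("volumes", []):
        if vol.get("secret", {}).get("secretName") == secret_name:
            hits.append("volume:" + vol["name"])
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        for ef in c.get("envFrom", []):
            if ef.get("secretRef", {}).get("name") == secret_name:
                hits.append(c["name"] + ":envFrom")
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef", {})
            if ref.get("name") == secret_name:
                hits.append(f"{c['name']}:env:{env['name']}<-{ref.get('key')}")
    return hits


def missing_secret_keys(secret: Dict) -> List[str]:
    """Expected credential keys absent from the Secret's data/stringData."""
    present = set(secret.get("data", {})) | set(secret.get("stringData", {}))
    return [k for k in REQUIRED_KEYS if k not in present]
```

To run it against a live cluster, pipe `kubectl get pod -n trivy-system <pod> -o json` into `json.load` and pass the result to `secret_references(pod, "trivy-operator")`; an empty list means the operator pod never receives the Secret at all, which matches what the reporter observed.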