Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Deployment of signed images fails with Error: /app/connaisseur-config/v3g-beamman-val/.docker/config.json: illegal base64 data at input byte 72

See original GitHub issue

Describe the bug

The auth secret_name in connaisseur values.yaml is configured to be the same secret used to pull the images, which works when connaisseur is not installed. Also, this secret was accepted by Kubernetes apiserver, implying it is properly formatted.

The format of this secret (obtained by getting the secret using kubectl and then base64 decoding the .dockerconfigjson value) is:

{
    "auths": {
        "registry.docker.artifactory.sativa.com": {
            "auth": "xxxxx",
            "username": "user"
        }
    }
}

The full error is:

Error from server: error when creating "bandslotmgr.yaml": admission webhook "connaisseur-svc.connaisseur.svc" denied the request: Unexpected Cosign exception for image "registry.docker.artifactory.sativa.com/repo/app:tag": Error: /app/connaisseur-config/validator/.docker/config.json: illegal base64 data at input byte 72
main.go:46: error during command execution: /app/connaisseur-config/validator/.docker/config.json: illegal base64 data at input byte 72

Expected behavior

Expected the image to be pulled and signature verified to be correct.

Optional: To reproduce <Stepwise guide or instructions or minimal example to reproduce.>

Optional: Versions (please complete the following information as relevant):

OS: Ubuntu 18.04
Kubernetes Cluster: GKE kubernetes v1.21
Notary Server: N/A
Container registry: JFrog artifactory Enterprise Plus 7.19.12
Connaisseur: securesystemsengineering/connaisseur:v2.4.1
Other: <other relevant tools and versions>

Optional: Additional context <Add any other context or screenshots about the bug here.>

Issue Analytics

State:
Created 2 years ago
Comments:10

Top GitHub Comments

1reaction

QWERTY92009commented, Mar 10, 2022

Hi @xopham. I now seem to be past the base64 issue. Am blocked with another problem, will create another issue. Thanks for your help!

0reactions

QWERTY92009commented, Mar 7, 2022

Thanks @xopham. The auth json is created by docker, and accepted by k8s, but I think you are suggesting more closely examing its structure in case there is another incompatibility. I’ll look into this. This is only an API key, so I can send you the original and reset the API key on my side if you are amenable to that.