`cosigned` should use `k8schain` to support `imagePullSecrets` #801
Labels: bug (Something isn't working)
mattmoor added a commit to mattmoor/cosign that referenced this issue Sep 26, 2021

`k8schain` implements a GGCR keychain that attempts to replicate the authentication done by the kubelet when pulling container images. It supports ambient credentials (e.g. GCE/AWS's `http://metadata`) as well as `imagePullSecret` resolution, and is also currently used by Tekton and Knative for similar purposes.

Fixes: sigstore#801
Signed-off-by: Matt Moore <mattomata@gmail.com>
mattmoor added a commit that referenced this issue Sep 27, 2021

`k8schain` implements a GGCR keychain that attempts to replicate the authentication done by the kubelet when pulling container images. It supports ambient credentials (e.g. GCE/AWS's `http://metadata`) as well as `imagePullSecret` resolution, and is also currently used by Tekton and Knative for similar purposes.

Fixes: #801
Signed-off-by: Matt Moore <mattomata@gmail.com>
mrjoelkamp pushed a commit to mrjoelkamp/cosign that referenced this issue Sep 27, 2021

`k8schain` implements a GGCR keychain that attempts to replicate the authentication done by the kubelet when pulling container images. It supports ambient credentials (e.g. GCE/AWS's `http://metadata`) as well as `imagePullSecret` resolution, and is also currently used by Tekton and Knative for similar purposes.

Fixes: sigstore#801
Signed-off-by: Matt Moore <mattomata@gmail.com>
Signed-off-by: Joel Kamp <joel.kamp@invitae.com>
mrjoelkamp pushed a commit to mrjoelkamp/cosign that referenced this issue Sep 28, 2021

`k8schain` implements a GGCR keychain that attempts to replicate the authentication done by the kubelet when pulling container images. It supports ambient credentials (e.g. GCE/AWS's `http://metadata`) as well as `imagePullSecret` resolution, and is also currently used by Tekton and Knative for similar purposes.

Fixes: sigstore#801
Signed-off-by: Matt Moore <mattomata@gmail.com>
Signed-off-by: Joel Kamp <joel.kamp@invitae.com>
Description

`cosigned` needs to be able to access the container images stored on registries, and one of the common forms of authentication is to use `imagePullSecrets` (possibly attached to the workload's service account), which isn't currently supported by `cosigned`.

There is a library for supporting this with GGCR, which is used by Tekton and Knative called `k8schain`, which `cosigned` should probably adopt (until something better comes along).