
Grafeas Project Integration #428

Closed
judavi opened this issue Dec 20, 2019 · 16 comments

Comments

@judavi
Contributor

judavi commented Dec 20, 2019

Hello Kritis team,

I have been following the installation instructions and I notice that at this point Kritis is only compatible with GCP (https://github.com/grafeas/kritis/blob/master/docs/install.md), so I'm wondering what the plans are for the integration with Grafeas?
In case some work needs to be done, I'll be happy to help, but first I want to have an idea of the current status and plans for this integration. Thanks!

CC
@aysylu @ooq @vtsao

@aysylu
Contributor

aysylu commented Dec 20, 2019

Hi @judavi,

Thanks for expressing interest and offering your help! To clarify: there's also a standalone Kritis with standalone Grafeas integration. The documents referenced in this link use the k8s cluster on GCP. It'd be great to have someone contribute instructions on how to run Kritis and Grafeas on another k8s platform, e.g. minikube.

Cheers,
Aysylu

@dgptamayo

dgptamayo commented Dec 23, 2019

Hi @aysylu,

I've been trying to deploy Grafeas + Kritis in minikube following the standalone guide for several weeks now, but I've been blocked because of these issues:

  1. The create_attestation.go script bug as described in "panic: interface conversion: interface is nil, not crypto.Signer" #384
  2. Because of issue #1, I tried creating an attestation via the Grafeas API but still encountered problems, as I've reported in https://groups.google.com/forum/#!topic/kritis-users/atVVPZmzs24

We are really interested in these projects but unfortunately it has been challenging putting the pieces together.

Can I follow this guide (https://cloud.google.com/binary-authorization/docs/making-attestations) on the standalone setup?

Thanks.

@aysylu
Contributor

aysylu commented Dec 23, 2019

Hi @dgptamayo,

Sorry that you've been having issues with the standalone setup.

  1. Unfortunately, none of the people who are on the project internally have been able to reproduce this issue. If anybody figures this out, I'm happy to review the PR with the fix.

  2. Yes, "Base64 signature" #429 is a PR in review, and hopefully it'll address the issue once merged. Would you need a binary release as well to unblock you?

The guide you linked won't work for the standalone, sadly, as it connects to the GCP version of Grafeas, not the standalone kind.

Thanks,
Aysylu

@judavi
Contributor Author

judavi commented Jan 3, 2020

Thanks @aysylu for your response!
Now I'm wondering if there is a restriction on the K8s/Helm version?
I'm executing the Helm chart and I'm getting the following error:


azureuser@Azure:~/kritis/docs/standalone$ helm install  kritis https://storage.googleapis.com/kritis-charts/repository/kritis-charts-0.2.0.tgz --set certificates.ca="$(cat ca.crt)" --set certificates.cert="$(cat kritis.crt)" --set certificates.key="$(cat kritis.key)" --debug

install.go:148: [debug] Original chart version: ""

install.go:165: [debug] CHART PATH: /home/azureuser/.cache/helm/repository/kritis-charts-0.2.0.tgz

Error: unable to build kubernetes objects from release manifest: error validating "": error validating data: ValidationError(ClusterRole.metadata): unknown field "kritis.grafeas.io/install" in io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta

helm.go:76: [debug] error validating "": error validating data: ValidationError(ClusterRole.metadata): unknown field "kritis.grafeas.io/install" in io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta

I sorted it by commenting out the label in https://github.com/grafeas/kritis/blob/master/kritis-charts/templates/rbac.yaml#L30

But after that the kritis-preinstall pod is failing:

azureuser@Azure:~$ kubectl logs kritis-preinstall
time="2020-01-03T11:43:31Z" level=info msg="contents of /var/run/secrets/kubernetes.io/serviceaccount/namespace: default"
time="2020-01-03T11:43:31Z" level=info msg="running preinstall\nversion v0.2.0\ncommit: 78748a211e58d778f80fa8d116909e8425114913"
Error from server (NotFound): certificatesigningrequests.certificates.k8s.io "tls-webhook-secret-cert" not found
Error from server (NotFound): secrets "tls-webhook-secret" not found
time="2020-01-03T11:43:33Z" level=info msg="[cfssl genkey -]"
time="2020-01-03T11:43:33Z" level=info msg="{\"csr\":\"-----BEGIN CERTIFICATE REQUEST-----\\nMIICFjCCAbwCAQAwADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABM7WJghLeHVP\\nObzhyq+bGi+6C9wKgGesX1I4nTUijrQHb4lmPMW1UxabGbzd0iFJXnqYvb1c9KG5\\n/pDa0lAAFt6gggFYMIIBVAYJKoZIhvcNAQkOMYIBRTCCAUEwggE9BgNVHREEggE0\\nMIIBMIIWa3JpdGlzLXZhbGlkYXRpb24taG9va4Iia3JpdGlzLXZhbGlkYXRpb24t\\naG9vay5rdWJlLXN5c3RlbYIea3JpdGlzLXZhbGlkYXRpb24taG9vay5kZWZhdWx0\\ngiJrcml0aXMtdmFsaWRhdGlvbi1ob29rLmRlZmF1bHQuc3ZjgiJrcml0aXMtdmFs\\naWRhdGlvbi1ob29rLWRlcGxveW1lbnRzgi5rcml0aXMtdmFsaWRhdGlvbi1ob29r\\nLWRlcGxveW1lbnRzLmt1YmUtc3lzdGVtgiprcml0aXMtdmFsaWRhdGlvbi1ob29r\\nLWRlcGxveW1lbnRzLmRlZmF1bHSCLmtyaXRpcy12YWxpZGF0aW9uLWhvb2stZGVw\\nbG95bWVudHMuZGVmYXVsdC5zdmMwCgYIKoZIzj0EAwIDSAAwRQIgIU12J5JFoYMp\\n7dqltlHh4dF5pjNzz2/GTih+mkW8StUCIQDILY9p+2ar7f2gByx+vDF9rN3AHWJ6\\nOfDQajRrBWN+WQ==\\n-----END CERTIFICATE REQUEST-----\\n\",\"key\":\"-----BEGIN EC PRIVATE KEY-----\\nMHcCAQEEIAQYeS/+Dr/F7k5HJF0k9/imHO1GitKZ0O7lKfsMz9xMoAoGCCqGSM49\\nAwEHoUQDQgAEztYmCEt4dU85vOHKr5saL7oL3AqAZ6xfUjidNSKOtAdviWY8xbVT\\nFpsZvN3SIUleepi9vVz0obn+kNrSUAAW3g==\\n-----END EC PRIVATE KEY-----\\n\"}\n"
time="2020-01-03T11:43:33Z" level=info msg="[cfssljson -bare server]"
time="2020-01-03T11:43:33Z" level=info
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
    name: tls-webhook-secret-cert
    labels:
        kritis.grafeas.io/install: ""
spec:
    groups:
    - system:authenticated
    request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ0ZqQ0NBYndDQVFBd0FEQlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VIQTBJQUJNN1dKZ2hMZUhWUApPYnpoeXErYkdpKzZDOXdLZ0dlc1gxSTRuVFVpanJRSGI0bG1QTVcxVXhhYkdiemQwaUZKWG5xWXZiMWM5S0c1Ci9wRGEwbEFBRnQ2Z2dnRllNSUlCVkFZSktvWklodmNOQVFrT01ZSUJSVENDQVVFd2dnRTlCZ05WSFJFRWdnRTAKTUlJQk1JSVdhM0pwZEdsekxYWmhiR2xrWVhScGIyNHRhRzl2YTRJaWEzSnBkR2x6TFhaaGJHbGtZWFJwYjI0dAphRzl2YXk1cmRXSmxMWE41YzNSbGJZSWVhM0pwZEdsekxYWmhiR2xrWVhScGIyNHRhRzl2YXk1a1pXWmhkV3gwCmdpSnJjbWwwYVhNdGRtRnNhV1JoZEdsdmJpMW9iMjlyTG1SbFptRjFiSFF1YzNaamdpSnJjbWwwYVhNdGRtRnMKYVdSaGRHbHZiaTFvYjI5ckxXUmxjR3h2ZVcxbGJuUnpnaTVyY21sMGFYTXRkbUZzYVdSaGRHbHZiaTFvYjI5cgpMV1JsY0d4dmVXMWxiblJ6TG10MVltVXRjM2x6ZEdWdGdpcHJjbWwwYVhNdGRtRnNhV1JoZEdsdmJpMW9iMjlyCkxXUmxjR3h2ZVcxbGJuUnpMbVJsWm1GMWJIU0NMbXR5YVhScGN5MTJZV3hwWkdGMGFXOXVMV2h2YjJzdFpHVncKYkc5NWJXVnVkSE11WkdWbVlYVnNkQzV6ZG1Nd0NnWUlLb1pJemowRUF3SURTQUF3UlFJZ0lVMTJKNUpGb1lNcAo3ZHFsdGxIaDRkRjVwak56ejIvR1RpaCtta1c4U3RVQ0lRRElMWTlwKzJhcjdmMmdCeXgrdkRGOXJOM0FIV0o2Ck9mRFFhalJyQldOK1dRPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==
    usages:
    - digital signature
    - key encipherment
    - server auth
time="2020-01-03T11:43:33Z" level=info msg="[kubectl apply -f -]"
time="2020-01-03T11:43:33Z" level=info
time="2020-01-03T11:43:33Z" level=error msg="error: SchemaError(io.k8s.api.core.v1.PodDNSConfig): invalid object doesn't have additional properties\n"
time="2020-01-03T11:43:33Z" level=fatal msg="exit status 1"

So my assumption is that I need to pass something additional because:

Error from server (NotFound): certificatesigningrequests.certificates.k8s.io "tls-webhook-secret-cert" not found

I would appreciate any advice. Thanks!

@nenaddedic
Contributor

As I commented in issue #434 I think that we need to bump the kubectl version in https://github.com/grafeas/kritis/blob/master/helm-hooks/Dockerfile, and do a release.

@judavi
Contributor Author

judavi commented Jan 6, 2020

@nenaddedic that sounds promising! I'll try that and I'll post my updates. Thanks for the clue!

@judavi
Contributor Author

judavi commented Jan 21, 2020

Using the latest Helm chart (0.2.1) I'm getting better results. Now there is only one thing that is not clear to me, and it's the role of gac.json.
In an installation outside of GC, what should that secret be? What should it be replaced with?
cc @aysylu @nenaddedic

@aysylu
Contributor

aysylu commented Jan 21, 2020

Hi @judavi: please see my response on the mailing list thread.

@judavi
Contributor Author

judavi commented Jan 22, 2020

Thanks @aysylu, so basically it is a service account :)
For future reference, this is the link to the message: https://groups.google.com/d/msg/grafeas-users/VLNVZOlZQ7Y/c-DnKBLJDAAJ

@aysylu
Contributor

aysylu commented Feb 4, 2020

Thanks, @judavi! If the issue has been resolved, would you mind closing it? If not, happy to help!

@judavi
Contributor Author

judavi commented Feb 5, 2020

It has been resolved! Thanks! :)

@judavi judavi closed this as completed Feb 5, 2020
@jsbah

jsbah commented Jul 19, 2021

Hello Aysylu,
Thanks for the response above. I am having the same problem as @judavi. Could it be because my kubectl version is 1.19, or am I missing something that I should have done? Below is my kubectl version and error output:
josunmi@C02F31XXMD6V standalone % kubectl version
Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.7", GitCommit:"1dd5338295409edcfff11505e7bb246f0d325d15", GitTreeState:"clean", BuildDate:"2021-01-13T13:23:52Z", GoVersion:"go1.15.5", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"19+", GitVersion:"v1.19.8-eks-96780e", GitCommit:"96780e1b30acbf0a52c38b6030d7853e575bcdf3", GitTreeState:"clean", BuildDate:"2021-03-10T21:32:29Z", GoVersion:"go1.15.8", Compiler:"gc", Platform:"linux/amd64"}
josunmi@C02F31XXMD6V standalone % kubectl logs kritis-preinstall -n default
time="2021-07-19T15:56:48Z" level=info msg="contents of /var/run/secrets/kubernetes.io/serviceaccount/namespace: default"
time="2021-07-19T15:56:48Z" level=info msg="running preinstall\nversion v0.2.2\ncommit: bea073f2a2f299af94363dc399b7780fde8f2afc"
Error from server (NotFound): certificatesigningrequests.certificates.k8s.io "tls-webhook-secret-cert" not found
Error from server (NotFound): secrets "tls-webhook-secret" not found
time="2021-07-19T15:56:48Z" level=info msg="[cfssl genkey -]"
time="2021-07-19T15:56:48Z" level=info msg="{\"csr\":\"-----BEGIN CERTIFICATE REQUEST-----\\nMIICFjCCAbwCAQAwADBZMBMGByqGSzxyXnDDUJlcqKs\\nhMB/QttFuTqvUw==\\n-----END CERTIFICATE REQUEST-----\\n\",\"key\":\"-----BEGIN EC PRIVATE KEY-----\\nMHcCAQEEIP5e4wX2Jylq4L7wZeF/EJecTYo3thYA06ZzWzng==\\n-----END EC PRIVATE KEY-----\\n\"}\n"
time="2021-07-19T15:56:48Z" level=info msg="[cfssljson -bare server]"
time="2021-07-19T15:56:48Z" level=info
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
    name: tls-webhook-secret-cert
    labels:
        kritis.grafeas.io/install: ""
spec:
    groups:
    - system:authenticated
    request: LS0tLS1CRUsdmJpMW9iMjlyCkxXUmxjR3h2ZVcxbGJuUnpMbVJsWm1GMWJIU0NMbXR5YVhScGN5M
    usages:
    - digital signature
    - key encipherment
    - server auth
time="2021-07-19T15:56:48Z" level=info msg="[kubectl apply -f -]"
time="2021-07-19T15:56:48Z" level=info msg="certificatesigningrequest.certificates.k8s.io/tls-webhook-secret-cert created\n"
time="2021-07-19T15:56:48Z" level=info msg="[kubectl certificate approve tls-webhook-secret-cert]"
time="2021-07-19T15:56:48Z" level=info msg="No resources found\n"
time="2021-07-19T15:56:48Z" level=error msg="error: no kind \"CertificateSigningRequest\" is registered for version \"certificates.k8s.io/v1\" in scheme \"k8s.io/kubectl/pkg/scheme/scheme.go:28\"\n"
time="2021-07-19T15:56:48Z" level=fatal msg="exit status 1"
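
As an added example (not code from this thread or from the Kritis project), a small Python triage script for preinstall logs like the two posted in this issue: it parses the logrus-style lines, separates the benign NotFound lookups from the fatal client/server version mismatch that nenaddedic's kubectl-bump diagnosis points to, and flags that the hook echoes the freshly generated webhook private key into the pod log, where anyone with log access can read it. The sample lines are constructed with placeholder PEM bodies.

```python
import json
import re

# Constructed sample, modelled on the kritis-preinstall output quoted in this
# thread; the PEM bodies are placeholders, not real key material.
SAMPLE_LOG = [
    r'time="2021-07-19T15:56:48Z" level=info msg="running preinstall\nversion v0.2.2"',
    r'Error from server (NotFound): certificatesigningrequests.certificates.k8s.io "tls-webhook-secret-cert" not found',
    r'time="2021-07-19T15:56:48Z" level=info msg="[cfssl genkey -]"',
    r'time="2021-07-19T15:56:48Z" level=info msg="{\"csr\":\"-----BEGIN CERTIFICATE REQUEST-----\\nAAAA\\n-----END CERTIFICATE REQUEST-----\\n\",\"key\":\"-----BEGIN EC PRIVATE KEY-----\\nBBBB\\n-----END EC PRIVATE KEY-----\\n\"}\n"',
    r'time="2021-07-19T15:56:48Z" level=info msg="[kubectl apply -f -]"',
    r'time="2021-07-19T15:56:48Z" level=error msg="error: no kind \"CertificateSigningRequest\" is registered for version \"certificates.k8s.io/v1\" in scheme \"k8s.io/kubectl/pkg/scheme/scheme.go:28\"\n"',
    r'time="2021-07-19T15:56:48Z" level=fatal msg="exit status 1"',
]

MSG_RE = re.compile(r'\bmsg="((?:[^"\\]|\\.)*)"')
NO_KIND_RE = re.compile(r'no kind "(\w+)" is registered for version "([^"]+)"')


def unescape(value):
    """Undo Go-style escaping (backslash-quote, backslash-backslash, backslash-n) in a logrus field."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), value)


def parse_line(line):
    """Return (level, message); raw kubectl output with no msg= field gets level 'stdout'."""
    m = MSG_RE.search(line)
    if not m:
        return "stdout", line
    lvl = re.search(r"\blevel=(\w+)", line)
    return (lvl.group(1) if lvl else "info"), unescape(m.group(1))


def triage(lines):
    """Classify preinstall log lines into (severity, finding) pairs, in log order."""
    findings = []
    for line in lines:
        level, msg = parse_line(line)
        if msg.lstrip().startswith("{"):  # cfssl genkey output echoed by the hook
            try:
                payload = json.loads(msg)
            except json.JSONDecodeError:
                payload = {}
            if "PRIVATE KEY-----" in str(payload.get("key", "")):
                findings.append(("high", "webhook private key written to pod logs; anyone who can read kritis-preinstall logs can read it"))
        m = NO_KIND_RE.search(msg)
        if m:
            findings.append(("fatal", f"kubectl in the hook image has no {m.group(1)} type for {m.group(2)}: client older than the API server, bump kubectl in the image"))
        elif "SchemaError(" in msg:
            findings.append(("fatal", "client-side OpenAPI validation failed: kubectl in the hook image is older than the API server"))
        elif level == "stdout" and "(NotFound)" in msg:
            findings.append(("info", "NotFound for a pre-existing CSR/secret; the hook generates a fresh one right after, so this is not the root cause"))
    return findings
```

Run it over `kubectl logs kritis-preinstall` output line by line; the first `fatal` finding is the one to act on, and a `high` finding means the webhook key should be treated as readable by everyone with log access to that namespace.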

@aysylu
Contributor

aysylu commented Jul 21, 2021

@jsbah: is the issue you've encountered the same as #583?

@jsbah

jsbah commented Jul 22, 2021

Yes, @aysylu, this is the same issue as #583.
As I said, I'd love to help and contribute to this space. I am already working on it but can't get past this point.

@aysylu
Contributor

aysylu commented Jul 24, 2021

@jsbah thanks for confirming! I know we spoke on Twitter, but wasn't sure what your GH handle is.

@Jayakumar6


@aysylu @judavi I would like to know how this certificate issue was resolved for you.


6 participants