SHA1 algorithm make failed tls handshake #24

Open
mesaglio opened this issue Jun 13, 2023 · 0 comments
Labels
bug Something isn't working

Comments


mesaglio commented Jun 13, 2023

What steps did you take and what happened:
Steps:

> helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
> helm install gatekeeper/gatekeeper \
    --set enableExternalData=true \
    --name-template=gatekeeper \
    --namespace gatekeeper-system \
    --create-namespace
> git clone https://github.com/open-policy-agent/gatekeeper-external-data-provider.git
> cd external-data-provider
> export NAMESPACE=provider-system
> ./scripts/generate-tls-cert.sh
> make docker-buildx
> make kind-load-image
> helm install external-data-provider charts/external-data-provider \
    --set clientCAFile="" \
    --set provider.tls.caBundle="$(cat certs/ca.crt | base64 | tr -d '\n\r')" \
    --namespace "${NAMESPACE:-gatekeeper-system}" \
    --create-namespace
> kubectl apply -f validation/external-data-provider-constraint-template.yaml
> kubectl apply -f validation/external-data-provider-constraint.yaml
> kubectl run nginx --image=error_nginx --dry-run=server -ojson

And got the error:
Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [deny-images-with-invalid-suffix] invalid response: {"errors": null, "responses": null, "status_code": 500, "system_error": "failed to send external data request: Post \"https://external-data-provider.gatekeeper-system:8090\": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of \"x509: cannot verify signature: insecure algorithm SHA1-RSA (temporarily override with GODEBUG=x509sha1=1)\" while trying to verify candidate authority certificate \"Gatekeeper Root CA\")"}

What did you expect to happen:
Correct evaluation from the image.

Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [deny-images-with-invalid-suffix] invalid response: {"errors": [["error_nginx", "error_nginx_invalid"]], "responses": [], "status_code": 200, "system_error": ""}

Anything else you would like to add:
[Miscellaneous information that will assist in solving the issue.]

Environment:

  • Gatekeeper version: v3.13.0-beta.1
  • External Data API version:
  • Kubernetes version: (use kubectl version):
Client Version: version.Info{
   Major:"1", Minor:"23", GitVersion:"v1.23.6", GitCommit:"ad3338546da947756e8a88aa6822e9c11e7eac22", 
   GitTreeState:"clean", BuildDate:"2022-04-14T08:49:13Z", GoVersion:"go1.17.9", Compiler:"gc", 
   Platform:"darwin/amd64"}
Server Version: version.Info{
   Major:"1", Minor:"27", GitVersion:"v1.27.1", GitCommit:"4c9411232e10168d7b050c49a1b59f6df9d7ea4b", 
   GitTreeState:"clean", BuildDate:"2023-05-12T19:03:40Z", GoVersion:"go1.20.3", Compiler:"gc", 
   Platform:"linux/amd64"}
@mesaglio mesaglio added the bug Something isn't working label Jun 13, 2023
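The failure in the report is Go's crypto/x509 refusing a provider certificate whose signature uses SHA-1 (Go 1.18 and later reject SHA-1 signatures during chain verification, and the x509sha1 override was later removed). The following is an added example, not code from this issue or from the gatekeeper-external-data-provider project: buildChain stands in for scripts/generate-tls-cert.sh and builds a constructed "Gatekeeper Root CA" plus a provider leaf signed with a chosen algorithm, and checkProvider replays the verification the webhook's Go TLS client performs with caBundle as its roots, so it can be pointed at a generated certs/ca.crt and server certificate before installing the chart. Function and variable names are mine.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

const providerDNS = "external-data-provider.gatekeeper-system" // service the webhook dials in the report

// buildChain stands in for scripts/generate-tls-cert.sh: an in-memory "Gatekeeper Root CA"
// and a provider leaf (constructed data) whose signature uses alg.
func buildChain(alg x509.SignatureAlgorithm) (caPEM, leafPEM []byte, err error) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	leafKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Gatekeeper Root CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, _ := x509.ParseCertificate(caDER) // parent for the leaf, so issuer/AKI come from the real CA cert
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "external-data-provider"},
		DNSNames: []string{providerDNS}, NotBefore: now, NotAfter: now.Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, SignatureAlgorithm: alg}
	leafDER, err := x509.CreateCertificate(rand.Reader, leaf, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER}), nil
}

// checkProvider returns the leaf's signature algorithm and the result of the verification the webhook's TLS client runs with caBundle as its roots.
func checkProvider(caPEM, leafPEM []byte) (x509.SignatureAlgorithm, error) {
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(caPEM)
	block, _ := pem.Decode(leafPEM)
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: providerDNS})
	return leaf.SignatureAlgorithm, err // SHA1-RSA leaf: "insecure algorithm SHA1-RSA" error; SHA256-RSA leaf: nil
}
```

Running checkProvider on the SHA1-RSA chain reproduces the "certificate signed by unknown authority (possibly because of ... insecure algorithm SHA1-RSA ...)" text from the report; regenerating the certificates with a SHA-256 signature is the fix that makes the same check return nil.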