Image Tag such as "v1...35.0.6"

[novasolei]

Hello folks,
We have installed connaisseur in our environment , everything works perfect except for the time that we have few dots in our image tag. I trid different pattern configuration but seems this tag gets denied by connaisseur. what is the right patter to access this sort of tags?
for: ".": admission webhook "connaisseur-svc.dev-whs-connaisseur-ns.svc" denied the request: registeryurl/myorg/hello-servlet:v1...35.0.6 is not a valid image reference.

[xopham]

@novasolei thanks for reaching out and the positive feedback! Much appreciated 🙂

Unfortunately, I was not able to reproduce your problem. Could you share a redacted helm/values.yaml and exact commands used to install the image?

Here is what I did: I created an image docker.io/xoph/hello-servlet:v1...35.0.6 (which should be exactly what you have and signed with the private key corresponding to the public key:

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEl1vBgXFEwT+sH2fArBaaukqQjO6p
qZa6cEozTWn/In7eW9KsCCsSobJeNQXa1dvraLHc9mNJB8Xxn050qmNI9w==
-----END PUBLIC KEY-----

I upgrade my current Connaisseur deployment (Chart version 1.5.0, Application version 2.7.0) to use the cosign public key as default key via:

helm upgrade -n connaisseur connaisseur helm -f test/values.yaml

Here test/values.yaml is:

# configure Connaisseur deployment
deployment:
  replicasCount: 1
  image: securesystemsengineering/connaisseur:v2.7.0

### VALIDATORS ###
validators:
  - name: default
    type: cosign  # or other supported validator (e.g. "cosign")
    trust_roots:
      - name: default
        key: |
          -----BEGIN PUBLIC KEY-----
          MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEl1vBgXFEwT+sH2fArBaaukqQjO6p
          qZa6cEozTWn/In7eW9KsCCsSobJeNQXa1dvraLHc9mNJB8Xxn050qmNI9w==
          -----END PUBLIC KEY-----
  - name: dockerhub-basics
    type: notaryv1
    host: notary.docker.io
    trust_roots:
      - name: docker-official
        key: |
          -----BEGIN PUBLIC KEY-----
          MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOXYta5TgdCwXTCnLU09W5T4M4r9f
          QQrqJuADP6U7g5r9ICgPSmZuRHP/1AYUfOQW3baveKsT969EfELKj1lfCA==
          -----END PUBLIC KEY-----
      - name: securesystemsengineering-official
        key: |
          -----BEGIN PUBLIC KEY-----
          MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsx28WV7BsQfnHF1kZmpdCTTLJaWe
          d0CA+JOi8H4REuBaWSZ5zPDe468WuOJ6f71E7WFg3CVEVYHuoZt2UYbN/Q==
          -----END PUBLIC KEY-----

### IMAGE POLICY ###
policy:
  - pattern: "*:*"
  - pattern: "docker.io/library/*:*"
    validator: dockerhub-basics
    with:
      trust_root: docker-official
  - pattern: "k8s.gcr.io/*:*"
    validator: allow
  - pattern: "docker.io/securesystemsengineering/*:*"
    validator: dockerhub-basics
    with:
      trust_root: securesystemsengineering-official

Finally, I run:

kubectl run hello-servlet --image=docker.io/xoph/hello-servlet:v1...35.0.6

This causes a successful deployment of the pod.

Technically, you should be able to reproduce that with my image to see if you still get the error. Please let me know!

[xopham]

if possible, you could extend by my config and check whether that works. However, I'd be surprised if the difference in version was the reason. How do you deploy the pods?

[phbelitz]

You are absolutely correct @novasolei, it is the version. In version v.2.7.0 we changed the image format validation to closer match the OCI specification. With that you can use quay.dev.com/mytest/hello-servlet:v1...35.0.6 as an image without any errors.

[novasolei]

Thank you very very much for confirming. I will upgrade and will let you know the result.

[novasolei]

Thank you, upgrading to the new version did the trick. I am able to deploy my app now. thanks for you help.

[xopham]

@novasolei happy to hear that it worked!