Is there a build/compile flag for kubernetes v1.14 to only build for signature verification and not signing? I have an embedded system acting as a kubelet that just needs to verify a signature. I'm getting an error saying:

kubelet[289]: remote_image.go:113] PullImage "quay.registry/reponame/podman-test:latest" from image service failed: rpc error: code = Unknown desc = Source image rejected: Invalid crypto engine

which indicates that kubernetes is missing external dependencies for signing.
I've tried adding: -tags "containers_image_openpgp "
similar to related issue here: https://github.com/containers/skopeo/issues/660
My current build command is make generated_files KUBE_BUILD_PLATFORMS="${HOST_GOOS}/${BUILD_GOARCH}"; make cross KUBE_BUILD_PLATFORMS=${GOOS}/${GOARCH}
The error is coming from GPG. Make sure your device has gpg or gpgv command in PATH and that signature verification with gpg command works. gpgv is a stripped-down verification-only command that you could use, and Kubernetes supports it. Also, GPG has a ton of compile-time parameters to enable/disable parts of it, you can strip it down once you get it working.

If you find GPG too bloated or have a hard time getting it to work, you can try using https://sequoia-pgp.org/ which compiles to a statically linked binary without external dependencies. You will have to translate calls to gpg command into calls to sqv, but their CLI interfaces are really similar so it should be easy to do with a shell script, or whatever language your embedded platform supports.
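A preflight check for the advice in the answer above, as an added example that is not part of the original thread: it looks for gpgv, gpg or sqv in PATH and runs a detached-signature verification with whichever it finds. The function names and the keyring, signature and file arguments are assumptions for illustration; it exercises the tools on the device, not kubelet's own image-pull path.

```shell
#!/bin/sh
# Added example (not from the thread): confirm a verifier exists in PATH and
# that detached-signature verification works with it on this device.

# Print the first OpenPGP verifier found in PATH, verify-only gpgv first.
find_verifier() {
    for tool in gpgv gpg sqv; do
        if command -v "$tool" >/dev/null 2>&1; then
            printf '%s\n' "$tool"
            return 0
        fi
    done
    return 1
}

# usage: verify_detached KEYRING SIGNATURE FILE
# KEYRING should be a path containing a slash: gpg and gpgv resolve a bare
# file name relative to their home directory instead of the current one.
# Returns 2 for an unreadable input, 3 when no verifier is installed,
# otherwise the exit status of the verifier itself.
verify_detached() {
    keyring=$1 sig=$2 file=$3
    for f in "$keyring" "$sig" "$file"; do
        [ -r "$f" ] || { echo "unreadable: $f" >&2; return 2; }
    done
    tool=$(find_verifier) || { echo "no gpgv, gpg or sqv in PATH" >&2; return 3; }
    case $tool in
        gpgv) gpgv --keyring "$keyring" "$sig" "$file" ;;
        gpg)  gpg --batch --no-default-keyring --keyring "$keyring" \
                  --verify "$sig" "$file" ;;
        sqv)  sqv --keyring "$keyring" "$sig" "$file" ;;
    esac
}

# Run directly as: ./preflight.sh KEYRING SIGNATURE FILE (hypothetical file name)
if [ "$#" -eq 3 ]; then
    verify_detached "$@"
fi
```

A non-zero status from the verifier means the signature, the keyring contents or the tool build is the problem, which separates that from a missing binary (status 3).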