ratify-project/ratify

Namespaced Store did not work unless cluster-wide store was installed

Opened this issue · 1 comment

What happened in your environment?

I am testing namespace multi-tenancy using a dev build. After I applied the ConstraintTemplate and Constraint resources, I applied namespaced resources KMP, Store and Verifier in namespace team-a. The resources were all in good status. However, when I ran an image signed with the key configured in the KMP in namespace team-a, the following error showed:

Error from server: admission webhook "mutation.gatekeeper.sh" denied the request: failed to resolve external data placeholders: failed to retrieve external data item from provider ratify-mutation-provider: Error: config invalid, Code: CONFIG_INVALID, Component Type: referrerStore, Detail: referrer store config should have at least one store

To mitigate this, I need to set up a cluster-wide store resource.

What did you expect to happen?

Namespaced Store resources should not depend on cluster-wide store resource.

What version of Kubernetes are you running?

AKS

What version of Ratify are you running?

0-dev (dev.20240505.6163b7e)

Anything else you would like to add?

No response

Are you willing to submit PRs to contribute to this bug fix?

  • Yes, I am willing to implement it.

Thanks for reporting the issue! It happened at the mutation stage since the mutation request only contains the image without the namespace. This would be a limitation on Ratify to support multi-tenancy. We would require users to always have a cluster-wide oras store to resolve image tag to digest if mutation is enabled. I also created a feature request in GK: open-policy-agent/gatekeeper#3376
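One way to satisfy the requirement the maintainer describes, as an added example that is not part of this issue or of Ratify's own manifests (the API group, the `Store`/`NamespacedStore` kinds and the `cacheEnabled` parameter are assumed from Ratify's CRDs, not taken from the page): a cluster-wide oras Store for mutation-time tag-to-digest resolution, alongside the team-a namespaced store used at verification time.

```yaml
# Cluster-wide store (assumed schema). Mutation requests carry only the image
# reference and no namespace, so this is the only store Ratify can pick for
# resolving a tag to a digest. Without it the mutation provider reports
# "referrer store config should have at least one store".
apiVersion: config.ratify.deislabs.io/v1beta1
kind: Store
metadata:
  name: store-oras
spec:
  name: oras
  parameters:
    cacheEnabled: true
---
# Namespaced store for team-a (assumed kind/schema). Verification requests do
# include the namespace, so this store, together with the team-a KMP and
# Verifier, is what validates images deployed into team-a.
apiVersion: config.ratify.deislabs.io/v1beta1
kind: NamespacedStore
metadata:
  name: store-oras
  namespace: team-a
spec:
  name: oras
  parameters:
    cacheEnabled: true
```

After applying, `kubectl get stores.config.ratify.deislabs.io` should list the cluster-wide store; if it is missing, mutation will fail with the error quoted above even though the team-a resources are healthy.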