Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Polling from private repository with token authentication fails with 401 UNAUTHORIZED #472

Closed
dennismeissel opened this issue Jan 24, 2020 · 4 comments
Closed

Polling from private repository with token authentication fails with 401 UNAUTHORIZED #472

dennismeissel opened this issue Jan 24, 2020 · 4 comments

Comments

@dennismeissel
Copy link
Contributor

dennismeissel commented Jan 24, 2020
edited
Loading

Provider: Kubernetes.
Registry: Private docker registry with token authentication (cesanta/docker_auth)

The secret with a name dockerregistry was created with kubectl create secret then added to Pod spec:

spec:
  containers:
  - image: dockerregistry.mysite.com/myprivateimage:0.1.1
  imagePullSecrets:
    - name: dockerregistry

kubectl apply -f filename pulls images and installs everything correctly

But if I'm trying to add keel, I'm getting 401 UNAUTHORIZED in keel logs:

time="2020-01-24T11:26:37Z" level=error msg="trigger.poll.RepositoryWatcher.Watch: failed to add image watch job" error="Get https://dockerregistry.mysite.com/v2/myprivateimage/manifests/0.1.1: http: non-successful response (status=401 body="{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"myprivateimage","Action":"pull"}]}]}")" image="namespace:default,image:dockerregistry.mysite.com/myprivateimage:0.1.1,provider:kubernetes,trigger:poll,sched:@every 1m,secrets:[dockerregistry]"
time="2020-01-24T11:26:37Z" level=error msg="trigger.poll.manager: got error(-s) while watching images" error="encountered errors while adding images: Get https://dockerregistry.mysite.com/v2/myprivateimage/manifests/0.1.1: http: non-successful response (status=401 body="{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"myprivateimage","Action":"pull"}]}]}")"
time="2020-01-24T11:26:40Z" level=error msg="trigger.poll.RepositoryWatcher.addJob: failed to get image digest" error="Get https://dockerregistry.mysite.com/v2/myprivateimage/manifests/0.1.1: http: non-successful response (status=401 body="{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"myprivateimage","Action":"pull"}]}]}")" image="myprivateimage:0.1.1" password="**********" username=testuser

As you can see, keel gets the secret and username/password. But it doesn't work.

Also, if I find these requests in logs of the docker-registry, I see these errors:

error authorizing context: authorization token required
...
error authorizing context: malformed token
@dennismeissel
Copy link
Contributor Author

dennismeissel commented Feb 10, 2020
edited
Loading

I found out, why it fails.

Docker-Registry-Client used in this project accepts only token field.
Howewer it should also accept access_token field (according to Token Authentication Specification)

I created a pull-request that solves this problem

@rusenask
Copy link
Collaborator

yeah it does explain the failures :) good job! :)

@dennismeissel
Copy link
Contributor Author

dennismeissel commented Feb 11, 2020
edited
Loading

@rusenask,
Thanks for merging.
When will these changes affect the dockerhub image of keel?

@dennismeissel
Copy link
Contributor Author

As I see, it's already there. Thank you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@rusenask @dennismeissel