Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kp secret create with --registry index.docker.io generates invalid secret #155

Open
micahyoung opened this issue Feb 11, 2021 · 0 comments
Open

kp secret create with --registry index.docker.io generates invalid secret #155

micahyoung opened this issue Feb 11, 2021 · 0 comments

Comments

@micahyoung
Copy link

Expected:

Equivalent secrets for DockerHub accounts should be able to be created with --registry instead of --dockerhub

REGISTRY_PASSWORD=foobar kp secret create image-secret-registry  --registry index.docker.io --registry-user testuser
DOCKER_PASSWORD=foobar   kp secret create image-secret-dockerhub --dockerhub testuser

kubectl get secret image-secret-registry  -o json | jq -r '.data[".dockerconfigjson"]' | base64 -d
kubectl get secret image-secret-dockerhub -o json | jq -r '.data[".dockerconfigjson"]' | base64 -d

# Output
{"auths":{"https://index.docker.io/v1/":{"username":"testuser","password":"foobar"}}}
{"auths":{"https://index.docker.io/v1/":{"username":"testuser","password":"foobar"}}}

Observed:

# Example with index.docker.io
REGISTRY_PASSWORD=foobar kp secret create image-secret-1  --registry index.docker.io --registry-user testuser

kubectl get secret image-secret-1  -o json | jq -r '.data[".dockerconfigjson"]' | base64 -d

# Output (note missing protocol)
{"auths":{"index.docker.io":{"username":"testuser","password":"foobar"}}}

# Example with https://index.docker.io/v1/
REGISTRY_PASSWORD=foobar kp secret create image-secret-2  --registry https://index.docker.io/v1/ --registry-user testuser

kubectl get secret image-secret-2  -o json | jq -r '.data[".dockerconfigjson"]' | base64 -d

# Output (note invalid URL)
{"auths":{"https:":{"username":"testuser","password":"foobar"}}}

Result:

Images do not build with --registry generated secrets because no registry secret matches the output tag.

kp secret create image-secret-registry  --registry index.docker.io --registry-user micahyoung
# entered DockerHub token

kp image create go-test-linux --tag index.docker.io/micahyoung/kpack-test-linux:latest --cluster-builder go-multios-linux --git https://github.com/pivotal/kpack

kp build logs go-test-linux

# Output
...
Loading secret for "index.docker.io" from secret "image-secret-registry" at location "\\var\\build-secrets\\image-secret-registry"
Error verifying write access to "index.docker.io/micahyoung/kpack-test-windows:latest": POST https://index.docker.io/v2/micahyoung/kpack-test-windows/blobs/uploads/: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:micahyoung/kpack-test-windows Type:repository] map[Action:push Class: Name:micahyoung/kpack-test-windows Type:repository]]

Workaround

Creating the secret with --dockerhub works but does not allow arbitrary registries. Using this workaround, I was able to use the --registry syntax then clobber the dockerconfig value with a valid one.

REGISTRY_PASSWORD=<password> kp secret create image-secret-registry  --registry index.docker.io --registry-user micahyoung

kubectl delete secret image-secret
kubectl create secret docker-registry \
  image-secret \
  --docker-username=micahyoung \
  --docker-password=<password> \
  --docker-server=https://index.docker.io/v1/
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@micahyoung