
Manual Certificates Break Image Pulling on Fresh Install

Open jrodonnell opened this issue 2 years ago • 2 comments

Summary

Acorn client for pulling images seems to automatically try and use any manual certs that have been added to the cluster as part of its connection to whatever registry it is trying to reach, causing image pulls to fail if the cert is not the same domain as the registry. Deleting that manual cert, running certain commands in a particular order, then adding the cert back in can get things working, but this is not expected behavior.

Setup

I pushed my own TLS secret into the acorn namespace according to the docs and installed Acorn:

kubectl create secret tls tls-ingress --cert=tls.crt --key=tls.key -n acorn
acorn install --image jrodonnell/acorn:v0.6.0 --acorn-dns disabled --cluster-domain apps.thegizmodojo.com

I also have a very simple Acornfile for basic testing:

containers: {
    nginx: {
        image: "nginx"
        ports: publish: "80/http"
    }
}

Result

acorn run -f nginx.aml produces the following output:

[+] Building 1.8s (3/3) FINISHED                                                                                                         
 => [internal] load build definition from Dockerfile                                                                                1.3s
 => => transferring dockerfile: 48B                                                                                                 0.0s
 => [internal] load .dockerignore                                                                                                   1.5s
 => => transferring context: 2B                                                                                                     0.0s
 => ERROR [internal] load metadata for docker.io/library/nginx:latest                                                               0.2s
------
 > [internal] load metadata for docker.io/library/nginx:latest:
------
  ✗  ERROR:  failed to solve: nginx: failed to do request: Head "https://registry-1.docker.io/v2/library/nginx/manifests/latest": x509: certificate is valid for *.thegizmodojo.com, thegizmodojo.com, not registry-1.docker.io

acorn login docker.io also gets a similar error:

? Username jrodonnell
? Password ********************************
  ✗  ERROR:  Credential.api.acorn.io "index.docker.io" is invalid: username/password: Forbidden: Get "https://auth.docker.io/token?service=registry.docker.io": x509: certificate is valid for *.thegizmodojo.com, thegizmodojo.com, not auth.docker.io

Interestingly, if I delete my certificate and run acorn login again, it tries to use a different manual cert in a different namespace in my cluster:

? Username jrodonnell
? Password ********************
  ✗  ERROR:  Credential.api.acorn.io "index.docker.io" is invalid: username/password: Forbidden: Get "https://auth.docker.io/token?service=registry.docker.io": x509: certificate is valid for ee1d3333b3ccd704152b102d90cd573f.49b90e7082ab2e79c2e5919c57eb0277.traefik.default, not auth.docker.io

If I rerun my install command, acorn login docker.io still does not work but now acorn run -f nginx.aml will deploy my application. And after the successful acorn run command, acorn login now works too, even after I manually add my cert back in.

jrodonnell, Mar 03 '23 00:03
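To show what the x509 error quoted above actually reports, here is an added Go example (not Acorn's own code): it builds a constructed self-signed leaf carrying the same SANs the message lists, then runs Go's standard SAN check against the ingress host and the two registry hosts. The "certificate is valid for X, not Y" text is a hostname mismatch on a leaf that was otherwise accepted, which is why the failure follows the manual cert's domain rather than the registry's trust chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// newLeaf builds a throwaway self-signed leaf with the given SANs (a constructed stand-in for the ingress tls.crt, not the reporter's real cert).
func newLeaf(dnsNames []string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// CheckHost applies the SAN check Go's TLS client runs after chain validation; its mismatch text is the "valid for X, not Y" message quoted in the issue.
func CheckHost(cert *x509.Certificate, host string) (bool, string) {
	if err := cert.VerifyHostname(host); err != nil {
		return false, err.Error()
	}
	return true, "ok"
}

func main() {
	leaf := newLeaf([]string{"*.thegizmodojo.com", "thegizmodojo.com"})
	for _, h := range []string{"apps.thegizmodojo.com", "registry-1.docker.io", "auth.docker.io"} {
		ok, why := CheckHost(leaf, h)
		fmt.Printf("%-24s covered=%v %s\n", h, ok, why)
	}
}
```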

weird one. we'll investigate.

@jrodonnell - weird request: can you open another test issue? I have a GitHub workflow that should automatically add issues to our project board, but it didn't do it for this one. I think it might be because you're an "outside contributor" maybe, so I tweaked a setting and want to see what happens

cjellick, Mar 03 '23 13:03

@cjellick No problem, test issue is here.

jrodonnell, Mar 03 '23 18:03