argocd-image-updater
I can't use credentials with docker.hub
Describe the bug
I can't use credentials with docker.hub. Due to API limitations I'm not able to send frequent requests to the docker.hub API, and I need to use credentials if I work with a private repo.
To Reproduce
- Create k8s secret with type kubernetes.io/dockerconfigjson like

```bash
kubectl -n argocd-image-updater create secret generic docker-pull \
  --from-file=.dockerconfigjson=$(echo $HOME)/.docker/config.json \
  --type=kubernetes.io/dockerconfigjson
```

- Create conf file for registries

```yaml
registries:
- name: Docker Hub
  api_url: https://registry-1.docker.io
  ping: yes
  credentials: secret:argocd-image-updater/docker-pull#.dockerconfigjson
  defaultns: library
```

- Execute test command in command line (not in the container)

```
argocd-image-updater test --update-strategy latest --registries-conf ./argocd-image-updater.conf nginx
INFO[0000] getting image image_name=nginx registry=
DEBU[0000] rate limiting is disabled prefix= registry="https://registry-1.docker.io"
INFO[0000] Loaded 1 registry configurations from ./argocd-image-updater.conf
WARN[0000] cannot user K8s credentials without Kubernetes client registry="https://registry-1.docker.io"
FATA[0000] could not set registry credentials: could not fetch image tags
```
Expected behavior
argocd-image-updater test provides the found image name
Additional context
argocd-image-updater test provides the found image name if the parameter with the path to registries is excluded. But it doesn't work with private docker.hub repos.
Version
argocd-image-updater: v0.11.3+f62b7d7
Ok. I see my mistakes. I forgot to specify the path to my kubeconfig, and I should use pullsecret with dockerconfigjson.
Another try
```yaml
registries:
- name: Docker Hub
  api_url: https://registry-1.docker.io
  ping: yes
  credentials: pullsecret:argocd-image-updater/docker-pull
  defaultns: library
```

```
argocd-image-updater test --update-strategy latest --kubeconfig ~/.kube/config --registries-conf ./argocd-image-updater.conf nginx
DEBU[0000] Creating Kubernetes client from /home/m1xa/.kube/config
INFO[0000] getting image image_name=nginx registry=
DEBU[0000] rate limiting is disabled prefix= registry="https://registry-1.docker.io"
INFO[0000] Loaded 1 registry configurations from ./argocd-image-updater.conf
FATA[0000] could not set registry credentials: no valid auth entry for registry https://registry-1.docker.io found in image pull secret
```
Hi, that's kind of peculiarity with Docker Hub, which uses `docker.io` as prefix, but there are several APIs associated with it (e.g. at `registry-1.docker.io` or `index.docker.io`).
Your `~/.docker/config.json` probably has an entry for `https://index.docker.io/v1/`, which Docker knows is associated with Docker Hub. Image Updater requires an entry for `https://registry-1.docker.io`, however. Once you have an auth entry for this URL, it should work.
Hello @jannfis, thank you.
Yes, it works.
Maybe it should be mentioned in the docs? The documentation of the plugin says that it has built-in integration with several registries.
What I mean.
- You log in to your account on Docker Hub
- You create a pull secret based on ~/.docker/config.json
- You specify this secret in annotations.
- All works fine.
But I have to add another record for `https://registry-1.docker.io` in `~/.docker/config.json` before I create the pull secret.
Maybe I'm not right :)
Yes, I agree, probably we should mimic the peculiarities of Docker here and look for the same URLs in the pull secret.
> Hi, that's kind of peculiarity with Docker Hub, which uses `docker.io` as prefix, but there are several APIs associated with it (e.g. at `registry-1.docker.io` or `index.docker.io`).
> Your `~/.docker/config.json` probably has an entry for `https://index.docker.io/v1/`, which Docker knows is associated with Docker Hub. Image Updater requires an entry for `https://registry-1.docker.io`, however. Once you have an auth entry for this URL, it should work.
Having the same issue, how do I get an auth entry for that other URL?
Also, is just adding the annotation for the pull secret enough, or do I have to modify the configMap as well?
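
Added example (not part of the original thread and not the project's code): one way to produce the extra `https://registry-1.docker.io` auth entry discussed above from an existing Docker config. The function name, the sample credentials and the `ghcr.io` entry are constructed for illustration; it emits only the Docker Hub credential so the pull secret does not carry logins for other registries.

```python
import base64
import json

HUB_LEGACY = "https://index.docker.io/v1/"     # key that `docker login` writes for Docker Hub
HUB_REGISTRY = "https://registry-1.docker.io"  # api_url used in the registries conf above

# Constructed sample of a ~/.docker/config.json; user, tokens and ghcr.io entry are made up.
SAMPLE = {
    "auths": {
        HUB_LEGACY: {"auth": base64.b64encode(b"exampleuser:example-token").decode()},
        "ghcr.io": {"auth": base64.b64encode(b"other:unrelated-token").decode()},
    }
}


def hub_pull_secret(config, src=HUB_LEGACY, dst=HUB_REGISTRY):
    """Build a .dockerconfigjson body holding only the Docker Hub credential,
    listed under both the legacy key and the registry-1.docker.io key."""
    auths = config.get("auths", {})
    entry = auths.get(dst) or auths.get(src)  # an empty {} under dst falls back to src
    if entry is None:
        raise KeyError(f"no auth entry for {dst} or {src}")
    if not entry.get("auth"):
        # With a credential helper (credsStore) config.json holds an empty entry
        # and the secret stays in the OS keychain, so there is nothing to copy.
        raise ValueError("entry has no inline 'auth' field (credential helper in use?)")
    user, sep, _ = base64.b64decode(entry["auth"]).decode().partition(":")
    if not user or not sep:
        raise ValueError("'auth' is not base64 of user:password")
    # Other registries in the source file are deliberately left out of the secret.
    return {"auths": {src: {"auth": entry["auth"]}, dst: {"auth": entry["auth"]}}}


if __name__ == "__main__":
    # Swap SAMPLE for json.load(open(path_to_config)) to process a real file.
    print(json.dumps(hub_pull_secret(SAMPLE), indent=2))
```

Save the output to a file and pass that file to `--from-file=.dockerconfigjson=` in the `kubectl create secret` command shown earlier in the thread.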