argocd-image-updater icon indicating copy to clipboard operation
argocd-image-updater copied to clipboard

Published 20 hours ago verified publisher icon argoproj-labs

dockerhub official registry

Open hawkesn opened this issue 2 years ago • 4 comments

Describe the bug

When creating a docker-registry secret for DockerHub, the default URL is: https://index.docker.io/v1/ if no --docker-server flag is passed. However, argocd-image-updater uses https://registry-1.docker.io as the default.

To Reproduce

  1. Create a new docker-registry secret using kubectl:
kubectl create secret docker-registry regcred 
--docker-username=<your-name> 
--docker-password=<your-pword> 
--docker-email=<your-email>
  1. Get the secret and decode the secret on the cluster: kubectl get secret regcred -o jsonpath='{.data.*}' | base64 -d
  2. Note the URL: "https://index.docker.io/v1/"

Expected behavior The default behaviour for using dockerhub should not require a user to specify the registry using the --docker-server flag. Argocd image updater should use the "https://index.docker.io/v1/" url instead of: "https://registry-1.docker.io"

Additional context Kubernetes official documentation here also states the following:

<your-registry-server> is your Private Docker Registry FQDN. Use https://index.docker.io/v1/ for DockerHub.

Version v0.12.0

Logs level=warning msg="Could not fetch credentials: no valid auth entry for registry https://registry-1.docker.io found in image pull secret"

hawkesn avatar Jun 04 '22 17:06 hawkesn

Weird, we don't seem to see this error message but we have the same config:

$ k get secrets -n argocd image-pull-docker-hub -ojson | jq -r '.data[".dockerconfigjson"]' | base64 -d
{"auths":{"https://index.docker.io/v1/":{"username":"my-username","password":"my-password","auth":"my-auth"}}}

apiVersion: v1
kind: ConfigMap
data:
  argocd.grpc_web: "true"
  argocd.insecure: "false"
  argocd.plaintext: "false"
  kube.events: "false"
  log.level: info
  registries.conf: |
    registries:
    - api_url: https://registry-1.docker.io
      credentials: pullsecret:argocd/image-pull-docker-hub
      defaultns: library
      name: Docker Hub

Is there any way to check that the image pull secret is definitely being (or trying to be) used by the image updater?

bcbrockway avatar Jul 14 '22 08:07 bcbrockway

Hi @bcbrockway , sorry forgot to mention the log that I put above did come from the image updater. I found the line here: https://github.com/argoproj-labs/argocd-image-updater/blob/master/pkg/image/credentials.go#L260. So I think it is trying to be used by the image updater

Hope that helps

hawkesn avatar Jul 20 '22 15:07 hawkesn

I think it might be this line that could potentially be the culprit but I'm not sure: https://github.com/argoproj-labs/argocd-image-updater/blob/master/pkg/registry/endpoints.go#L101

hawkesn avatar Jul 20 '22 15:07 hawkesn

I'm encountering same issue on v0.12.2 This works:

registries:
    - name: Docker Hub
      api_url: https://index.docker.io
      prefix: docker.io
      credentials: pullsecret:argocd/dockerhub-secret
      ping: yes
      default: true

Zuzuske avatar Mar 13 '24 15:03 Zuzuske