argocd-image-updater
argocd-image-updater copied to clipboard
argoproj-labs
Cannot able to use Google Container Registry
Describe the bug I want to use the new GCR registry "gcr.io" but I get a strange error message "Could not get tags from registry: denied: Failed to read tags for host 'gcr.io"
Note:- Secret is having "owner" permission
To Reproduce My config map contains:
kind: ConfigMap
metadata:
name: argocd-image-updater-config
labels:
app.kubernetes.io/name: argocd-image-updater-config
app.kubernetes.io/part-of: argocd-image-updater
data:
registries.conf: |
registries:
- name: Google Container Registry
prefix: gcr.io
api_url: https://gcr.io/
default: true
ping: no
credentials: secret:argocd/gcr-json-key#.dockercfg
my Application.yaml >
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: ms-echoserver-imageupdate-test
namespace: argocd
annotations:
argocd-image-updater.argoproj.io/image-list: myimage=gcr.io/xxxx/argo-image-test #Write repository name
argocd-image-updater.argoproj.io/myimage.allow-tags: regexp:^[0-9a-f]{7}$
finalizers:
- resources-finalizer.argocd.argoproj.io
labels:
name: ms-echoserver-imageupdate
spec:
project: default
source:
repoURL: [email protected]:xyz.git
targetRevision: HEAD
path: ms-echoserver/overlays/dev
destination:
server: https://kubernetes.default.svc/
namespace: ms-echoserver-test
syncPolicy:
syncOptions:
- CreateNamespace=true
automated:
selfHeal: true
prune: true
Additional context
Version v0.12.0 (latest as of now)
Logs
time="2022-07-28T14:12:26Z" level=info msg="Starting image update cycle, considering 1 annotated application(s) for update"
time="2022-07-28T14:12:26Z" level=error msg="Could not get tags from registry: denied: Failed to read tags for host 'gcr.io', repository '/v2/xyz/argo-imageupdater-test/tags/list'" alias= application=ms-echoserver-imageupdate-test image_name=xyz/arso-imageupdater-test image_tag=0.1 registry=gcr.io
time="2022-07-28T14:12:26Z" level=info msg="Processing results: applications=1 images_considered=1 images_skipped=0 images_updated=0 errors=1"
time="2022-07-28T14:14:26Z" level=info msg="Starting image update cycle, considering 1 annotated application(s) for update"
time="2022-07-28T14:14:26Z" level=error msg="Could not get tags from registry: denied: Failed to read tags for host 'gcr.io', repository '/v2/xyz/argo-imageupdater-test/tags/list'" alias= application=ms-echoserver-imageupdate-test image_name=xyz/argo-imageupdater-test image_tag=0.1 registry=gcr.io
time="2022-07-28T14:14:26Z" level=info msg="Processing results: applications=1 images_considered=1 images_skipped=0 images_updated=0 errors=1"
Same here!
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-image-updater-config
data:
registries.conf: |
registries:
- name: Google Container Registry
api_url: https://us-docker.pkg.dev
prefix: us-docker.pkg.dev
credentials: pullsecret:argocd/docker-cfg
I have a working configuration with Google Artifact Registry (new GCR). The configuration is about the same so no need to share here.
If the permissions are right, then I believe this has to do the url you're using for image-list annotations. i.e argocd-image-updater.argoproj.io/image-list: myimage=gcr.io/xxxx/argo-image-test
GCP responds with a 403 also when the requested image was not found, ensure that the url is right and that the image being requested is already published. Valid Google Artifact Registry URLs are in the format $LOCATION-$REPO_FORMAT.pkg.dev/$PROJECT/$REPOSITORY/$IMAGE ...e.g us-central1-docker.pkg.dev/example-project/example-repo/example-image .
You can test this locally with curl. eg:
curl -s -D - \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://us-central1-docker.pkg.dev/v2/example-project/example-repo/example-image/tags/list"
