Mirroring a repository to private ECR results in image pull failure (401 unauthorized)
Image I'm using: eks 1.23 bottlerocket 1.9.2-b8074d44
What I expected to happen: Adding a repository mirror pointing to private ECR registry should successfully pull images.
What actually happened: Images fail to pull with 401 unauthorized.
How to reproduce the problem:
- Add registry mirror to user data for bottlerocket instance template pointing an external registry to the appropriate ECR endpoint.
```toml
[[settings.container-registry.mirrors]]
registry = "example.external.com"
endpoint = [ "https://AWSACCOUNTID.dkr.ecr.us-east-1.amazonaws.com/example.external.com" ]
```
- Attempt to run an image using the ECR image referenced directly, e.g.
  `kubectl -n default run -it --image AWSACCOUNTID.dkr.ecr.us-east-1.amazonaws.com/example.external.com/image:TAG test-run` -> SUCCESS
- Attempt to run an image using the external URL mirrored internally, e.g.
  `kubectl -n default run -it --image example.external.com/image:TAG test-run` -> FAILURE. Note the error message is correctly using the mirrored URL, it is just failing authentication:
```
...pulling from host AWSACCOUNTID.dkr.ecr.us-east-1.amazonaws.com failed with status code [manifests TAG]: 401 Unauthorized
```
Is there a way to get the node to authenticate with ECR properly when using a registry mirror?
Hi @plaisted, thanks for reaching out. Do you still see the same behavior if endpoint is set to:
```toml
endpoint = [ "https://AWSACCOUNTID.dkr.ecr.us-east-1.amazonaws.com" ]
```
?
Updated to test, but still the same error.
From `apiclient get` (rebooted the node for good measure as well):
```json
"container-registry": {
  "mirrors": [
    {
      "endpoint": [
        "https://AWSACCOUNTID.dkr.ecr.us-east-1.amazonaws.com"
      ],
      "registry": "registry.external.com"
    }
  ]
},
```
Then `kubectl -n default run -it --image registry.external.com/example:TAG test-registry` and still seeing:
```
failed to resolve reference "registry.external.com/example:TAG": pulling from host AWSACCOUNTID.dkr.ecr.us-east-1.amazonaws.com failed with status code [manifests TAG]: 401 Unauthorized
```
Since pulling from AWSACCOUNTID.dkr.ecr.us-east-1.amazonaws.com/example.external.com/image:TAG is working, but the mirrored registry.external.com is not, I wonder if some ECR-specific logic is being skipped when the registry is parsed. Credentials may need to be set manually as a result. We'll have to dig into this a bit more.
Yes, I want to use my private ECR as a mirror to avoid traffic through the NAT gateway.
I have this here, but it doesn't seem to be using my private registry:
```toml
[[settings.container-registry.mirrors]]
registry = "*"
endpoint = [ "https://AWSACCOUNTID.dkr.ecr.us-east-2.amazonaws.com" ]
```
I have even used ecr-mirror to copy images into my private registry manually, but it seems Bottlerocket doesn't try to pull from it:
```shell
ecr-mirror --registry-id AWSACCOUNTID copy "istio/proxyv2:1.16.*" "AWSACCOUNTID.dkr.ecr.us-east-2.amazonaws.com/istio/proxyv2"
```
What I think would be the desired behavior
@etungsten did you have some experience with this type of configuration or some context? If so, would you be able to add any notes here?
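A small configuration check, added here as an example (not Bottlerocket's or containerd's own code), that parses the `[[settings.container-registry.mirrors]]` tables shown in this thread and reports, for a given image reference, which host the pull will actually go to and whether the node will be pulling from a private ECR host under a non-ECR image name, which is the combination both reports above show failing with 401. `SAMPLE_SETTINGS`, `parse_mirrors`, `image_host` and `resolve_pull` are names assumed for this example; AWSACCOUNTID is the placeholder from the thread.

```python
import re

# Constructed sample of Bottlerocket mirror settings, modelled on the two
# configurations posted in this thread (AWSACCOUNTID is a placeholder).
SAMPLE_SETTINGS = '''
[[settings.container-registry.mirrors]]
registry = "example.external.com"
endpoint = [ "https://AWSACCOUNTID.dkr.ecr.us-east-1.amazonaws.com/example.external.com" ]

[[settings.container-registry.mirrors]]
registry = "*"
endpoint = [ "https://AWSACCOUNTID.dkr.ecr.us-east-2.amazonaws.com" ]
'''

# Shape of a private ECR hostname: <account-id>.dkr.ecr.<region>.amazonaws.com
ECR_HOST = re.compile(r"^[^.]+\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com$")
MIRROR_TABLE = "[[settings.container-registry.mirrors]]"


def parse_mirrors(toml_text):
    """Minimal parser for the mirrors array-of-tables (registry and endpoint keys only)."""
    mirrors, current = [], None
    for raw in toml_text.splitlines():
        line = raw.strip()
        if line == MIRROR_TABLE:
            current = {"registry": None, "endpoint": []}
            mirrors.append(current)
        elif current is not None and line.startswith("registry"):
            current["registry"] = line.split("=", 1)[1].strip().strip('"')
        elif current is not None and line.startswith("endpoint"):
            current["endpoint"] = re.findall(r'"([^"]+)"', line)
    return mirrors


def image_host(image):
    """Registry host of an image reference; bare names such as istio/proxyv2 default to docker.io."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def resolve_pull(image, mirrors):
    """Return (host that will be contacted, True if that host is ECR while the image
    reference is not, i.e. the mirrored-to-ECR case this thread shows failing with 401)."""
    host = image_host(image)
    for m in mirrors:  # first matching mirror wins; "*" matches any registry
        if m["registry"] in (host, "*") and m["endpoint"]:
            upstream = re.sub(r"^https?://", "", m["endpoint"][0]).split("/", 1)[0]
            return upstream, bool(ECR_HOST.match(upstream)) and not ECR_HOST.match(host)
    return host, False
```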