imagePullSecret used as fallback, not as first-class sitizen

[evgkrsk]

We observe bunch of such messages in k8s-iae log:

time="2020-11-03T06:30:23Z" level=error msg="GET https://eu.gcr.io/v2/giftery-ci/evotor-api-v3/manifests/v-c170103c: UNAUTHORIZED: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication" availability_mode=authentication_failure image_name="eu.gcr.io/giftery-ci/evotor-api-v3:v-c170103c"

when use private gcr.io registry. But all metrics for such projects is in normal state (all images available). We use "imagePullSecrets" in yaml manifests to indicate auth data for grc.io, but seems like k8s-iae dont use it right from start, only as fallback.

Maybe it is right thing to use imagePullSecrets right away (especially when it contains one secret) to check registry?

[usefree]

Hello! Thanks for tool) seems like fix not help or i have wrong configuration.. get error availability_mode=authorization_failure while checking image from private registry. In serviceaccount for iae i have

kind: ServiceAccount
metadata:
  name: image-availability-exporter
  namespace: monitoring
imagePullSecrets:
- name: deploy-token

and deploy-token is used in other deployments without auth errors using 0.1.16 iae version Thanks!

[zuzzas]

What's in the logs?