kube-image-keeper
GCR Example
Hello
Do you have an example of how to authenticate the controller to access gcr.io from GCP (google cloud, gcloud, GAR google artifact registry) registries?
Here are my logs when attempting to access these registries:
2024-02-06T19:22:46.893Z ERROR failed to cache image {"controller": "cachedimage", "controllerGroup": "kuik.enix.io", "controllerKind": "CachedImage", "CachedImage": {"name":"gcr.io-asdf-2.4.2"}, "namespace": "", "name": "gcr.io-asdf-2.4.2", "reconcileID": "9296ce4f-2ade-45af-b77b-bc023406aa7a", "sourceImage": "gcr.io/asdf:2.4.2", "error": "GET https://gcr.io/v2/asdf/2.4.2: UNAUTHORIZED: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication", "errorCauses": [{"error": "GET https://gcr.io/v2/asdf/2.4.2: UNAUTHORIZED: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication"}]}
2024-02-06T19:22:46.893Z ERROR Reconciler error {"controller": "cachedimage", "controllerGroup": "kuik.enix.io", "controllerKind": "CachedImage", "CachedImage": {"name":"gcr.io-asdf-2.4.2"}, "namespace": "", "name": "gcr.io-asdf-2.4.2", "reconcileID": "9296ce4f-2ade-45af-b77b-bc023406aa7a", "error": "GET https://gcr.io/v2/asdf/2.4.2: UNAUTHORIZED: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication", "errorCauses": [{"error": "GET https://gcr.io/v2/asdf/2.4.2: UNAUTHORIZED: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication"}]}
time="2024-02-06T19:23:16Z" level=error msg="Error parsing the serverURL" error="docker-credential-ecr-login can only be used with Amazon Elastic Container Registry." serverURL=gcr.io
Is this a feature request?
I solved this by using our secret provider to inject a secret file to the controller deployments at this path:
/.docker/config.json
which contained a manually configured GCR configuration with an embedded base64 of a valid JSON service account.
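The workaround described in the comment above, as an added example that is not part of the original thread or of kube-image-keeper's code: it builds a Docker `config.json` whose `auths` entries embed a service account key, then decodes an entry to confirm which account it carries. It assumes the standard Docker `auths` layout and the `_json_key` username that Google's registries accept for service account keys; the registry hosts, the sample key and the function names are constructed for illustration.

```python
import base64
import json

# Registry hosts are assumptions for illustration; list the ones you pull from.
REGISTRIES = ("gcr.io", "eu.gcr.io", "us-docker.pkg.dev")

# Constructed sample key (not a real credential).
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key": "CONSTRUCTED-PLACEHOLDER-NOT-A-KEY",
    "client_email": "kuik-puller@example-project.iam.gserviceaccount.com",
})


def build_docker_config(sa_key_json, registries=REGISTRIES):
    """Return a Docker config.json dict that authenticates with the given key."""
    key = json.loads(sa_key_json)  # fail early on a malformed key file
    if key.get("type") != "service_account" or "private_key" not in key:
        raise ValueError("input is not a service account key")
    # Username is the literal "_json_key"; the password is the whole key file.
    auth = base64.b64encode(f"_json_key:{sa_key_json}".encode()).decode()
    return {"auths": {host: {"auth": auth} for host in registries}}


def check_docker_config(config, host):
    """Decode the auths entry for host and return the account e-mail it carries."""
    entry = config.get("auths", {}).get(host)
    if entry is None:
        raise KeyError(f"no auths entry for {host}")
    # The password itself contains ':' characters, so split on the first only.
    user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
    if user != "_json_key":
        raise ValueError(f"unexpected username {user!r} for {host}")
    return json.loads(password)["client_email"]


if __name__ == "__main__":
    cfg = build_docker_config(SAMPLE_KEY)
    print(json.dumps(cfg, indent=2))
    print("gcr.io authenticates as", check_docker_config(cfg, "gcr.io"))
```

A service account key is a long-lived credential, so the generated file belongs in a Secret mounted read-only into the controller, with the account limited to read access on the registry.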
The workaround doesn't seem to work any more, and I am having this same issue. The only way I can get it to pull from GCR is by setting the secrets manually in each repository, of which we have hundreds. This is not such a bad thing, but if I pre-create the repositories, when a new pod is onboarded the repository gets overridden, removing my added secrets config.
Seems like I'm missing something simple. My GKE cluster can pull images from GCR without needing imagePullSecrets or such - yet KUIK cannot.
Ideally, if I do need to provide imagePullSecrets, I would do so in one place for every matching repository, or for repositories not to override pullSecretsNamespace and pullSecretNames when synced with the controller.
As for Amazon ECR (see #113), we need to implement automatic retrieval of pull secrets. Maybe we could use https://github.com/GoogleCloudPlatform/docker-credential-gcr to do so.
Ah makes sense - thanks for the update. Be interested if that gets onto your roadmap / you need someone to test it out
:tada: This issue has been resolved in version 1.11.0-beta.1 :tada:
The release is available on GitHub release
Your semantic-release bot :package::rocket: