chart-testing-action

getting error while pulling the image from private ECR repository

Open shukla2112 opened this issue 5 years ago • 11 comments

>>> helm install charts/noon-backend --name noon-backend-mx5w1vvaju --namespace noon-backend-mx5w1vvaju --wait --timeout 600
Error: release noon-backend-mx5w1vvaju failed: timed out waiting for the condition
======================================================================================
........................................................................................................................
==> Events of namespace noon-backend-mx5w1vvaju
........................................................................................................................

...

8m10s       Warning   Failed                         pod/prod-users-srv-8b68fc77d-ktkdn       spec.containers{prod-users-srv}   kubelet, chart-testing-control-plane   Failed to pull image "***.dkr.ecr.eu-central-1.amazonaws.com/prod-users-repository:latest": rpc error: code = Unknown desc = failed to pull and unpack image "***.dkr.ecr.eu-central-1.amazonaws.com/prod-users-repository:latest": failed to resolve reference "***.dkr.ecr.eu-central-1.amazonaws.com/prod-users-repository:latest": unexpected status code [manifests latest]: 401 Unauthorized   9m44s        4       prod-users-srv-8b68fc77d-ktkdn.163b54d61c26c5b5
8m10s       Warning   Failed                         pod/prod-users-srv-8b68fc77d-ktkdn       spec.containers{prod-users-srv}   kubelet, chart-testing-control-plane   Error: ErrImagePull                                                                                                                                                                                                                                                                                                                                                                                                             9m44s        4       prod-users-srv-8b68fc77d-ktkdn.163b54d61c270c05
4m40s       Normal    BackOff                        pod/prod-users-srv-8b68fc77d-ktkdn       spec.containers{prod-users-srv}   kubelet, chart-testing-control-plane   Back-off pulling image "***.dkr.ecr.eu-central-1.amazonaws.com/prod-users-repository:latest"                                                                                                                                                                                                                                                                                                                           9m44s        20      prod-users-srv-8b68fc77d-ktkdn.163b54d61d37a9cb
7m44s       Warning   Failed                         pod/prod-users-srv-8b68fc77d-ktkdn       spec.containers{prod-users-srv}   kubelet, chart-testing-control-plane   Error: ImagePullBackOff  

What's the workaround? I have tried to log in to ECR as the step before the chart install step, but it doesn't seem to be working.

shukla2112 avatar Oct 06 '20 10:10 shukla2112

ECR has some quirks where you exchange an IAM user/creds into docker creds which are valid for 6hrs. https://github.com/evryfs/helm-charts/tree/master/charts/ecr-proxy is one solution. There are also other variants which create pullsecrets for ECR out there. I think this is related to ECR more than the action itself.

davidkarlsen avatar Nov 13 '20 00:11 davidkarlsen

https://kind.sigs.k8s.io/docs/user/private-registries/ We followed the guide here and got access to our private images repo just fine.

tuananhnguyen-ct avatar Dec 14 '20 08:12 tuananhnguyen-ct

@shukla2112 @tuananhnguyen-ct How did you integrate the credentials into the GitHub workflow? It fails to pull the image from the private repo on this step.

- name: Run chart-testing (install)
  run: ct install

jdstone avatar Aug 17 '21 17:08 jdstone

@jdstone I added a step to execute this script https://kind.sigs.k8s.io/docs/user/private-registries/#use-an-access-token before running ct install

tuananhnguyen-ct avatar Aug 18 '21 02:08 tuananhnguyen-ct
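
Added example, not part of the thread or of the kind guide: the ECR token exchange discussed above, combined with the node-config mechanism from the linked kind private-registries guide. The function names are hypothetical, the cluster name `chart-testing` and region `eu-central-1` are taken from the log in the first post, and `<account-id>` is a placeholder.

```shell
#!/usr/bin/env bash
# Added example: give kind nodes ECR pull credentials before `ct install`.

# Build a Docker config.json for one registry from a token read on stdin,
# so the token never appears in argv or in the process list.
# ECR tokens are always paired with the fixed user name "AWS".
ecr_docker_config() {
  registry="$1"
  token=$(cat)
  [ -n "$token" ] || { echo "empty registry token" >&2; return 1; }
  auth=$(printf 'AWS:%s' "$token" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$registry" "$auth"
}

# Copy the config to every node of the kind cluster and restart the kubelet
# so it picks the credentials up (the mechanism the kind guide uses).
load_config_into_kind() {
  cluster="$1" config="$2"
  for node in $(kind get nodes --name "$cluster"); do
    docker cp "$config" "${node}:/var/lib/kubelet/config.json"
    docker exec "$node" systemctl restart kubelet.service
  done
}

# Workflow usage, after the kind cluster exists and before `ct install`
# (needs AWS credentials in the job environment):
#   umask 077; cfg=$(mktemp)
#   aws ecr get-login-password --region eu-central-1 \
#     | ecr_docker_config "<account-id>.dkr.ecr.eu-central-1.amazonaws.com" >"$cfg"
#   load_config_into_kind chart-testing "$cfg"; rm -f "$cfg"
```

The token is short-lived, so this step has to run in the same job as the install rather than being cached between runs.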

@tuananhnguyen-ct I did that too; it looks like the problem is that the docker command does not exist. Did you have to find an action to install the docker command?

jdstone avatar Aug 18 '21 04:08 jdstone

@jdstone no, I started with an ubuntu-18.04 image, then used helm/[email protected] and helm/[email protected] with node_image: kindest/node:v1.16.15 so all required commands are available.

tuananhnguyen-ct avatar Aug 18 '21 04:08 tuananhnguyen-ct

@tuananhnguyen-ct I misspoke; doesn't seem to be a problem with the docker command missing. Thank you. Will keep looking at it.

jdstone avatar Aug 18 '21 04:08 jdstone

@tuananhnguyen-ct How did you get the service account JSON key into the Ubuntu image -- did you copy the JSON key file contents and paste it into a GitHub secret?

jdstone avatar Aug 18 '21 04:08 jdstone

@tuananhnguyen-ct I have something like this:

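echo "Creating temporary GCP SA Key directory ..."
GCP_SA_KEY=$(mktemp -d)
# Single-quote the expression: unquoted, the shell strips the JSON's double
# quotes and backslashes, and the file written is no longer a valid key.
printf '%s' '${{ secrets.GCP_SA_KEY }}' >"${GCP_SA_KEY}/gcp_sa_key.json"
echo "Logging in to GCR in temporary docker client config directory ..."
cat "${GCP_SA_KEY}/gcp_sa_key.json" | docker login -u _json_key --password-stdin https://gcr.io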

jdstone avatar Aug 18 '21 04:08 jdstone

@jdstone yes we copy the json key to a github secret, but our setup is slightly different so I can't share the workflow and related script here.

tuananhnguyen-ct avatar Aug 18 '21 05:08 tuananhnguyen-ct

I completely understand. Thank you for your help.

jdstone avatar Aug 18 '21 06:08 jdstone

closing as there is no action from the maintainers

cpanato avatar Sep 27 '22 12:09 cpanato