keel
keel copied to clipboard
keel-hq
Trouble with image pull
Hello, I'm having some trouble getting Keel to automatically update the images on Openshift. I have a deployment with these annotations:
keel.sh/approvals: "0"
keel.sh/policy: all
keel.sh/pollSchedule: '@every 1m'
keel.sh/trigger: poll
Accessing Keel's web console reports the deployment as monitored by Keel as expected.
First deployment is executed correctly by Openshift, but then I find this on the Keel's log:
time="2021-09-14T15:23:54Z" level=error msg="trigger.poll.RepositoryWatcher.Watch: failed to add image watch job" error="Get \"https://ghcr.io/v2/<image>/manifests/1.0.0\": http: non-successful response (status=403 body=\"{\\\"errors\\\":[{\\\"code\\\":\\\"DENIED\\\",\\\"message\\\":\\\"invalid token\\\"}]}\\n\")" image="namespace:cloudbeaver,image:ghcr.io/<image>,provider:kubernetes,trigger:poll,sched:@every 1m,secrets:[<secret>]"
time="2021-09-14T15:23:54Z" level=error msg="trigger.poll.manager: got error(-s) while watching images" error="encountered errors while adding images: Get \"https://ghcr.io/v2/<image>/manifests/1.0.0\": http: non-successful response (status=403 body=\"{\\\"errors\\\":[{\\\"code\\\":\\\"DENIED\\\",\\\"message\\\":\\\"invalid token\\\"}]}\\n\")"
time="2021-09-14T15:23:57Z" level=error msg="trigger.poll.RepositoryWatcher.addJob: failed to get image digest" error="Get \"https://ghcr.io/v2/<image>/manifests/1.0.0\": http: non-successful response (status=403 body=\"{\\\"errors\\\":[{\\\"code\\\":\\\"DENIED\\\",\\\"message\\\":\\\"invalid token\\\"}]}\\n\")" image="<image>" password="****************************************" username=<username>
The error looks like GitHub authentication error, but as mentioned above the first pull works correctly. Could this be related to the fact that Keel's pod is in different namespace and somehow can't access the correct pull secret?
