devsecops-demo

image-check issue for internal registry

Open gitmedur opened this issue 1 year ago • 5 comments

Hi, Getting this in image-check task on OCP 4.10 during pipelinerun.

oc -n cicd logs petclinic-build-dev-75x4fy-image-check-pod -c step-rox-image-check
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 65.2M 100 65.2M 0 0 247M 0 --:--:-- --:--:-- --:--:-- 247M
Getting roxctl
ERROR: Checking image failed: could not check build-time alerts: rpc error: code = Internal desc = image enrichment error: error getting metadata for image: image-registry.openshift-image-registry.svc:5000/cicd/spring-petclinic@sha256:4b6e957cb83f6e5687b71c012343308fb15ac0bce23c1be85d9e2a29d340b29c error: getting metadata from registry: "Autogenerated https://image-registry.openshift-image-registry.svc:5000 for cluster development": Failed to get the manifest digest : Head "https://image-registry.openshift-image-registry.svc:5000/v2/cicd/spring-petclinic/manifests/sha256:4b6e957cb83f6e5687b71c012343308fb15ac0bce23c1be85d9e2a29d340b29c": http: non-successful response (status=401 body=""). Retrying after 3 seconds...

I found this: https://access.redhat.com/solutions/6993372
So wondering how this is working on your side. Thanks

gitmedur Jun 01 '23 06:06

Have you checked that the roxctl pod step has the proper permissions to access the internal registry? I'm using the internal registry (even though it's not supported OOTB, but it's a PoC/demo; in prod other registries such as Quay, ACR, etc. can be used) and therefore the ACS needs to have the proper permissions to access it (check the guide in https://redhat-scholars.github.io/acs-workshop/acs-workshop/11-integrations.html#integrate_with_internal_openshift_registry for more information).

Which version of OCP are you using? And which version of ACS is installed?

rcarrata Jun 01 '23 11:06

Hi, This is a 4.10.59 OCP with v3.74.3 ACS. What I see is it's the same case for the image-scan step. As suggested, created the integration with the internal registry. Now it's ok. Thank you.

gitmedur Jun 01 '23 11:06

Sorry to inform the problem still exists in image-scan and image-check after creating the docker registry integration.

step-rox-image-check
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 65.2M 100 65.2M 0 0 232M 0 --:--:-- --:--:-- --:--:-- 232M
Getting roxctl
ERROR: Checking image failed: could not check build-time alerts: rpc error: code = Internal desc = image enrichment error: error getting metadata for image: image-registry.openshift-image-registry.svc:5000/cicd/spring-petclinic@sha256:8e6f73cf74a137e1a3f2f0d357b5266b2a19a91df5e13ca502ec9640f487b005 errors: [getting metadata from registry: "ocp-registry": Failed to get the manifest digest : Head "https://image-registry.openshift-image-registry.svc:5000/v2/cicd/spring-petclinic/manifests/sha256:8e6f73cf74a137e1a3f2f0d357b5266b2a19a91df5e13ca502ec9640f487b005": http: non-successful response (status=401 body=""), getting metadata from registry: "Autogenerated https://image-registry.openshift-image-registry.svc:5000 for cluster development": Failed to get the manifest digest : Head "https://image-registry.openshift-image-registry.svc:5000/v2/cicd/spring-petclinic/manifests/sha256:8e6f73cf74a137e1a3f2f0d357b5266b2a19a91df5e13ca502ec9640f487b005": http: non-successful response (status=401 body="")]. Retrying after 3 seconds...
ERROR: Checking image failed: could not check build-time alerts: rpc error: code = Internal desc = image enrichment error: error getting metadata for image: image-registry.openshift-image-registry.svc:5000/cicd/spring-petclinic@sha256:8e6f73cf74a137e1a3f2f0d357b5266b2a19a91df5e13ca502ec9640f487b005 errors: [getting metadata from registry: "ocp-registry": Failed to get the manifest digest : Head "https://image-registry.openshift-image-registry.svc:5000/v2/cicd/spring-petclinic/manifests/sha256:8e6f73cf74a137e1a3f2f0d357b5266b2a19a91df5e13ca502ec9640f487b005": http: non-successful response (status=401 body=""), getting metadata from registry: "Autogenerated https://image-registry.openshift-image-registry.svc:5000 for cluster development": Failed to get the manifest digest : Head "https://image-registry.openshift-image-registry.svc:5000/v2/cicd/spring-petclinic/manifests/sha256:8e6f73cf74a137e1a3f2f0d357b5266b2a19a91df5e13ca502ec9640f487b005": http: non-successful response (status=401 body="")]. Retrying after 3 seconds... 
ERROR: Checking image failed: could not check build-time alerts: rpc error: code = Internal desc = image enrichment error: error getting metadata for image: image-registry.openshift-image-registry.svc:5000/cicd/spring-petclinic@sha256:8e6f73cf74a137e1a3f2f0d357b5266b2a19a91df5e13ca502ec9640f487b005 errors: [getting metadata from registry: "ocp-registry": Failed to get the manifest digest : Head "https://image-registry.openshift-image-registry.svc:5000/v2/cicd/spring-petclinic/manifests/sha256:8e6f73cf74a137e1a3f2f0d357b5266b2a19a91df5e13ca502ec9640f487b005": http: non-successful response (status=401 body=""), getting metadata from registry: "Autogenerated https://image-registry.openshift-image-registry.svc:5000 for cluster development": Failed to get the manifest digest : Head "https://image-registry.openshift-image-registry.svc:5000/v2/cicd/spring-petclinic/manifests/sha256:8e6f73cf74a137e1a3f2f0d357b5266b2a19a91df5e13ca502ec9640f487b005": http: non-successful response (status=401 body="")]. Retrying after 3 seconds... 
ERROR: checking image failed after 3 retries: could not check build-time alerts: rpc error: code = Internal desc = image enrichment error: error getting metadata for image: image-registry.openshift-image-registry.svc:5000/cicd/spring-petclinic@sha256:8e6f73cf74a137e1a3f2f0d357b5266b2a19a91df5e13ca502ec9640f487b005 errors: [getting metadata from registry: "ocp-registry": Failed to get the manifest digest : Head "https://image-registry.openshift-image-registry.svc:5000/v2/cicd/spring-petclinic/manifests/sha256:8e6f73cf74a137e1a3f2f0d357b5266b2a19a91df5e13ca502ec9640f487b005": http: non-successful response (status=401 body=""), getting metadata from registry: "Autogenerated https://image-registry.openshift-image-registry.svc:5000 for cluster development": Failed to get the manifest digest : Head "https://image-registry.openshift-image-registry.svc:5000/v2/cicd/spring-petclinic/manifests/sha256:8e6f73cf74a137e1a3f2f0d357b5266b2a19a91df5e13ca502ec9640f487b005": http: non-successful response (status=401 body="")]

gitmedur Jun 01 '23 12:06
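
A triage helper for the roxctl output quoted above, as an added example that is not part of the original issue or the devsecops-demo project: it groups the per-integration registry failures so you can see whether every integration ACS tried (the autogenerated one and a manually created one such as "ocp-registry") is being rejected with the same status. The sample log is constructed in the shape of the lines above with a placeholder digest, and `summarize`, `report` and the hint texts are hypothetical names and wording.

```python
import re
from collections import defaultdict

# One failed registry lookup inside a roxctl "image enrichment error" line.
FAILURE = re.compile(
    r'getting metadata from registry: "(?P<integration>[^"]+)": '
    r'Failed to get the manifest digest : Head "(?P<url>[^"]+)": '
    r'http: non-successful response \(status=(?P<status>\d+)'
)
IMAGE = re.compile(r"error getting metadata for image: (?P<image>\S+)")
HINTS = {
    401: "credentials missing or rejected by the registry",
    403: "authenticated, but not authorized for this repository",
}

def summarize(log_text):
    """Map (image, integration) -> {"statuses": set of ints, "attempts": int}."""
    summary = defaultdict(lambda: {"statuses": set(), "attempts": 0})
    for line in log_text.splitlines():
        image = IMAGE.search(line)
        if not image:
            continue  # curl progress, "Getting roxctl", unrelated output
        for m in FAILURE.finditer(line):
            entry = summary[(image["image"], m["integration"])]
            entry["statuses"].add(int(m["status"]))
            entry["attempts"] += 1
    return dict(summary)

def report(log_text):
    return [
        f'{integration!r}: HTTP {status} x{entry["attempts"]} '
        f'({HINTS.get(status, "unexpected status")})'
        for (_, integration), entry in sorted(summarize(log_text).items())
        for status in sorted(entry["statuses"])
    ]

# Constructed sample in the shape of the log above (placeholder digest).
DIGEST = "sha256:" + "ab" * 32
REG = "https://image-registry.openshift-image-registry.svc:5000"
IMG = f"{REG[8:]}/cicd/spring-petclinic@{DIGEST}"
NAMES = ["ocp-registry", f"Autogenerated {REG} for cluster development"]
LOOKUPS = ", ".join(
    f'getting metadata from registry: "{n}": Failed to get the manifest digest : '
    f'Head "{REG}/v2/cicd/spring-petclinic/manifests/{DIGEST}": '
    'http: non-successful response (status=401 body="")' for n in NAMES)
LINE = ("ERROR: Checking image failed: could not check build-time alerts: rpc error: "
        "code = Internal desc = image enrichment error: error getting metadata for "
        f"image: {IMG} errors: [{LOOKUPS}]. Retrying after 3 seconds...")
SAMPLE_LOG = "Getting roxctl\n" + "\n".join([LINE] * 3)
```

Calling `report(SAMPLE_LOG)` returns one line per integration; when every integration shows 401, the new integration is being consulted but its credentials are not accepted either.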

Lemme try to reproduce it in a 4.10 env and I'll let you know. Thanks for opening the request!

rcarrata Jun 02 '23 11:06

Tested and worked as expected in 4.10+ (tested also in 4.13).

Can you check if this is still happening? Can you please try in another cluster?

rcarrata Jul 19 '23 15:07