
Chain Authenticating to an OCI Registry documentation is not consistent and potentially missing

Open Alex2357 opened this issue 5 months ago • 2 comments

Expected Behavior

The documentation should be consistent in the way Chains authenticates to an OCI registry.

Actual Behavior

The page https://tekton.dev/docs/chains/authentication/ says to create the secret with the secret value named .dockerconfigjson:

```bash
kubectl create secret generic docker-registry \
    --from-file=.dockerconfigjson=<path/to/.docker/config.json> \
    --type=kubernetes.io/dockerconfigjson \
    -n $NAMESPACE
```

While this page https://tekton.dev/docs/chains/signed-provenance-tutorial/ says:

```bash
kubectl create secret generic [DOCKERCONFIG_SECRET_NAME] --from-file [PATH TO CONFIG.JSON]
```

In the second option it creates the secret with a value named config.json.

It could not push to the registry for me when I created the secret with .dockerconfigjson, and it started to work with config.json.

But that's not all: I still have issues in the controller when it attempts to push attestations. It seems the documentation needs to provide some more details on how to add credentials for pushing attestations.

Steps to Reproduce the Problem

```bash
date; tkn task start --param IMAGE=$REGISTRY/kaniko-chains-20250724-1203 --use-param-defaults --workspace name=source,emptyDir="" --workspace name=dockerconfig,secret=$DOCKERCONFIG_SECRET_NAME kaniko-chains
Thu 24 Jul 2025 12:03:40 AEST
TaskRun started: kaniko-chains-run-64ldt

In order to track the TaskRun progress run:
tkn taskrun logs kaniko-chains-run-64ldt -f -n tekton-chains
```
  1. Pay attention to chains.tekton.dev/signed=failed
```bash
tkn tr describe --last
Name:              kaniko-chains-run-64ldt
Namespace:         tekton-chains
Task Ref:          kaniko-chains
Service Account:   default
Timeout:           1h0m0s
Labels:
 app.kubernetes.io/managed-by=tekton-pipelines
 tekton.dev/task=kaniko-chains
Annotations:
 chains.tekton.dev/retries=3
 chains.tekton.dev/signed=failed
 chains.tekton.dev/transparency=http://rekor-server.rekor-system.svc.cluster.local/api/v1/log/entries?logIndex=41
 pipeline.tekton.dev/release=18736c3

🌡️  Status

STARTED      DURATION    STATUS
1 hour ago   22s         Succeeded

⚓ Params

 NAME      VALUE
 ∙ IMAGE   gitopsdemo42.azurecr.io/kaniko-chains-20250724-1203

📝 Results

 NAME             VALUE
 ∙ IMAGE_DIGEST   sha256:a27f7dcf9b92f5305b6e023509dd025c6061700b789f0b83ee2eb0d081dab165
 ∙ IMAGE_URL      gitopsdemo42.azurecr.io/kaniko-chains-20250724-1203

📂 Workspaces

 NAME             SUB PATH   WORKSPACE BINDING
 ∙ source         ---        EmptyDir (emptyDir=)
 ∙ dockerconfig   ---        Secret (secret=acr-credentials)

🦶 Steps

 NAME               STATUS
 ∙ add-dockerfile   Completed
 ∙ build-and-push   Completed
 ∙ write-url        Completed
```

  2. It seems it is not using the credential details, since it does a plain GET request: GET https://gitopsdemo42.azurecr.io/oauth2/token?scope=repository...
kubectl logs -n tekton-chains -l app=tekton-chains-controller | grep 64ldt
{"level":"info","ts":"2025-07-24T02:07:05.568Z","logger":"watcher","caller":"oci/legacy.go:160","msg":"Starting attestation upload to OCI for gitopsdemo42.azurecr.io/kaniko-chains-20250724-1203@sha256:a27f7dcf9b92f5305b6e023509dd025c6061700b789f0b83ee2eb0d081dab165...","knative.dev/controller":"github.com.tektoncd.chains.pkg.reconciler.taskrun.Reconciler","knative.dev/kind":"tekton.dev.TaskRun","knative.dev/traceid":"a7fe815b-ba13-49da-93d3-01d101abe1fd","knative.dev/key":"tekton-chains/kaniko-chains-run-64ldt"}
{"level":"error","ts":"2025-07-24T02:07:35.609Z","logger":"watcher","caller":"chains/signing.go:206","msg":"getting signed image: GET https://gitopsdemo42.azurecr.io/oauth2/token?scope=repository%3Akaniko-chains-20250724-1203%3Apull&service=gitopsdemo42.azurecr.io: UNAUTHORIZED: authentication required, visit https://aka.ms/acr/authorization for more information. CorrelationId: 180b4117-f243-4abd-889f-29c86f03f7a0","knative.dev/controller":"github.com.tektoncd.chains.pkg.reconciler.taskrun.Reconciler","knative.dev/kind":"tekton.dev.TaskRun","knative.dev/traceid":"a7fe815b-ba13-49da-93d3-01d101abe1fd","knative.dev/key":"tekton-chains/kaniko-chains-run-64ldt","stacktrace":"github.com/tektoncd/chains/pkg/chains.(*ObjectSigner).Sign\n\tgithub.com/tektoncd/chains/pkg/chains/signing.go:206\ngithub.com/tektoncd/chains/pkg/reconciler/taskrun.(*Reconciler).FinalizeKind\n\tgithub.com/tektoncd/chains/pkg/reconciler/taskrun/taskrun.go:67\ngithub.com/tektoncd/chains/pkg/reconciler/taskrun.(*Reconciler).ReconcileKind\n\tgithub.com/tektoncd/chains/pkg/reconciler/taskrun/taskrun.go:45\ngithub.com/tektoncd/chains/vendor/github.com/tektoncd/pipeline/pkg/client/injection/reconciler/pipeline/v1/taskrun.(*reconcilerImpl).Reconcile\n\tgithub.com/tektoncd/chains/vendor/github.com/tektoncd/pipeline/pkg/client/injection/reconciler/pipeline/v1/taskrun/reconciler.go:236\ngithub.com/tektoncd/chains/vendor/knative.dev/pkg/controller.(*Impl).processNextWorkItem\n\tgithub.com/tektoncd/chains/vendor/knative.dev/pkg/controller/controller.go:540\ngithub.com/tektoncd/chains/vendor/knative.dev/pkg/controller.(*Impl).RunContext.func3\n\tgithub.com/tektoncd/chains/vendor/knative.dev/pkg/controller/controller.go:489"}
{"level":"info","ts":"2025-07-24T02:07:35.770Z","logger":"watcher","caller":"chains/signing.go:224","msg":"Uploaded entry to http://rekor-server.rekor-system.svc.cluster.local with index 41","knative.dev/controller":"github.com.tektoncd.chains.pkg.reconciler.taskrun.Reconciler","knative.dev/kind":"tekton.dev.TaskRun","knative.dev/traceid":"a7fe815b-ba13-49da-93d3-01d101abe1fd","knative.dev/key":"tekton-chains/kaniko-chains-run-64ldt"}
{"level":"error","ts":"2025-07-24T02:07:35.816Z","logger":"watcher","caller":"taskrun/reconciler.go:295","msg":"Returned an error","knative.dev/controller":"github.com.tektoncd.chains.pkg.reconciler.taskrun.Reconciler","knative.dev/kind":"tekton.dev.TaskRun","knative.dev/traceid":"a7fe815b-ba13-49da-93d3-01d101abe1fd","knative.dev/key":"tekton-chains/kaniko-chains-run-64ldt","targetMethod":"ReconcileKind","error":"1 error occurred:\n\t* getting signed image: GET https://gitopsdemo42.azurecr.io/oauth2/token?scope=repository%3Akaniko-chains-20250724-1203%3Apull&service=gitopsdemo42.azurecr.io: UNAUTHORIZED: authentication required, visit https://aka.ms/acr/authorization for more information. CorrelationId: 180b4117-f243-4abd-889f-29c86f03f7a0\n\n","stacktrace":"github.com/tektoncd/chains/vendor/github.com/tektoncd/pipeline/pkg/client/injection/reconciler/pipeline/v1/taskrun.(*reconcilerImpl).Reconcile\n\tgithub.com/tektoncd/chains/vendor/github.com/tektoncd/pipeline/pkg/client/injection/reconciler/pipeline/v1/taskrun/reconciler.go:295\ngithub.com/tektoncd/chains/vendor/knative.dev/pkg/controller.(*Impl).processNextWorkItem\n\tgithub.com/tektoncd/chains/vendor/knative.dev/pkg/controller/controller.go:540\ngithub.com/tektoncd/chains/vendor/knative.dev/pkg/controller.(*Impl).RunContext.func3\n\tgithub.com/tektoncd/chains/vendor/knative.dev/pkg/controller/controller.go:489"}
{"level":"error","ts":"2025-07-24T02:07:35.817Z","logger":"watcher","caller":"controller/controller.go:564","msg":"Reconcile error","knative.dev/controller":"github.com.tektoncd.chains.pkg.reconciler.taskrun.Reconciler","knative.dev/kind":"tekton.dev.TaskRun","knative.dev/traceid":"a7fe815b-ba13-49da-93d3-01d101abe1fd","knative.dev/key":"tekton-chains/kaniko-chains-run-64ldt","duration":30.354959674,"error":"1 error occurred:\n\t* getting signed image: GET https://gitopsdemo42.azurecr.io/oauth2/token?scope=repository%3Akaniko-chains-20250724-1203%3Apull&service=gitopsdemo42.azurecr.io: UNAUTHORIZED: authentication required, visit https://aka.ms/acr/authorization for more information. CorrelationId: 180b4117-f243-4abd-889f-29c86f03f7a0\n\n","stacktrace":"github.com/tektoncd/chains/vendor/knative.dev/pkg/controller.(*Impl).handleErr\n\tgithub.com/tektoncd/chains/vendor/knative.dev/pkg/controller/controller.go:564\ngithub.com/tektoncd/chains/vendor/knative.dev/pkg/controller.(*Impl).processNextWorkItem\n\tgithub.com/tektoncd/chains/vendor/knative.dev/pkg/controller/controller.go:541\ngithub.com/tektoncd/chains/vendor/knative.dev/pkg/controller.(*Impl).RunContext.func3\n\tgithub.com/tektoncd/chains/vendor/knative.dev/pkg/controller/controller.go:489"}
{"level":"info","ts":"2025-07-24T02:07:35.817Z","logger":"watcher.event-broadcaster","caller":"record/event.go:377","msg":"Event(v1.ObjectReference{Kind:\"TaskRun\", Namespace:\"tekton-chains\", Name:\"kaniko-chains-run-64ldt\", UID:\"9cbfa072-595d-4225-9a89-fb3ebfda592a\", APIVersion:\"tekton.dev/v1\", ResourceVersion:\"317326\", FieldPath:\"\"}): type: 'Warning' reason: 'InternalError' 1 error occurred:\n\t* getting signed image: GET https://gitopsdemo42.azurecr.io/oauth2/token?scope=repository%3Akaniko-chains-20250724-1203%3Apull&service=gitopsdemo42.azurecr.io: UNAUTHORIZED: authentication required, visit https://aka.ms/acr/authorization for more information. CorrelationId: 180b4117-f243-4abd-889f-29c86f03f7a0\n\n"}
{"level":"info","ts":"2025-07-24T02:07:35.819Z","logger":"watcher","caller":"taskrun/taskrun.go:63","msg":"taskrun tekton-chains/kaniko-chains-run-64ldt has been reconciled","knative.dev/controller":"github.com.tektoncd.chains.pkg.reconciler.taskrun.Reconciler","knative.dev/kind":"tekton.dev.TaskRun","knative.dev/traceid":"67fdc448-e0f2-4c29-be7f-e7b5af8d8022","knative.dev/key":"tekton-chains/kaniko-chains-run-64ldt"}
{"level":"info","ts":"2025-07-24T02:07:35.819Z","logger":"watcher","caller":"controller/controller.go:548","msg":"Reconcile succeeded","knative.dev/controller":"github.com.tektoncd.chains.pkg.reconciler.taskrun.Reconciler","knative.dev/kind":"tekton.dev.TaskRun","knative.dev/traceid":"67fdc448-e0f2-4c29-be7f-e7b5af8d8022","knative.dev/key":"tekton-chains/kaniko-chains-run-64ldt","duration":0.000065035}
{"level":"info","ts":"2025-07-24T02:07:36.140Z","logger":"watcher","caller":"taskrun/taskrun.go:63","msg":"taskrun tekton-chains/kaniko-chains-run-64ldt has been reconciled","knative.dev/controller":"github.com.tektoncd.chains.pkg.reconciler.taskrun.Reconciler","knative.dev/kind":"tekton.dev.TaskRun","knative.dev/traceid":"60341b98-d969-44c5-83d6-cb1ace5d5a1b","knative.dev/key":"tekton-chains/kaniko-chains-run-64ldt"}
{"level":"info","ts":"2025-07-24T02:07:36.141Z","logger":"watcher","caller":"controller/controller.go:548","msg":"Reconcile succeeded","knative.dev/controller":"github.com.tektoncd.chains.pkg.reconciler.taskrun.Reconciler","knative.dev/kind":"tekton.dev.TaskRun","knative.dev/traceid":"60341b98-d969-44c5-83d6-cb1ace5d5a1b","knative.dev/key":"tekton-chains/kaniko-chains-run-64ldt","duration":0.000295892}

Additional Info

- Kubernetes version:

  Output of `kubectl version`:

```bash
kubectl version
Client Version: v1.30.2
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.33.1
WARNING: version difference between client (1.30) and server (1.33) exceeds the supported minor version skew of +/-1
```

- Tekton Pipeline version:

```bash
tkn version
Client version: 0.41.1
Chains version: v0.25.1
Pipeline version: v1.2.0
```

Alex2357, Jul 24 '25 03:07

I think you're missing the ServiceAccount linking: https://tekton.dev/docs/chains/authentication/#setup-credentials-using-the-service-account.

The docs here are talking about the file that is usually found in your local system at ~/.docker/config.json. config.json is its name, but its format is often referred to as .dockerconfigjson.

lcarva, Jul 24 '25 13:07
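To make the two points in this thread concrete (the Secret key must be `.dockerconfigjson`, and the Secret has to be linked to the TaskRun's ServiceAccount or the controller never sees it), here is a worked example added by the editor. It is not code from the issue or from Tekton Chains: it builds the Secret the authentication page's `kubectl create secret` command would produce, the Opaque Secret the tutorial's `--from-file config.json` form would produce, and a simplified model of the controller's credential lookup. The use of `imagePullSecrets` as the linking field and the lookup logic are assumptions based on the doc section linked above, the `acr-credentials` Secret is modelled as the generic form described in the issue, and the credential value is a placeholder.

```python
"""Model of how Tekton Chains finds registry credentials (added example)."""
import base64
import json
from urllib.parse import urlparse

# Constructed sample: the auth value is a placeholder, not a real credential.
PLACEHOLDER_AUTH = base64.b64encode(b"placeholder-user:placeholder-token").decode()
SAMPLE_DOCKER_CONFIG = json.dumps(
    {"auths": {"gitopsdemo42.azurecr.io": {"auth": PLACEHOLDER_AUTH}}}
)
# Image reference from the TaskRun in the issue.
IMAGE = ("gitopsdemo42.azurecr.io/kaniko-chains-20250724-1203"
         "@sha256:a27f7dcf9b92f5305b6e023509dd025c6061700b789f0b83ee2eb0d081dab165")


def docker_config_secret(name, namespace, config_json):
    """Secret equivalent to the authentication page's kubectl command:
    type kubernetes.io/dockerconfigjson, data keyed '.dockerconfigjson'."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(config_json.encode()).decode()},
    }


def generic_config_secret(name, namespace, config_json):
    """Secret equivalent to the tutorial's `--from-file config.json`:
    an Opaque Secret whose only key is the file name, config.json."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {"config.json": base64.b64encode(config_json.encode()).decode()},
    }


def link_secret_to_service_account(sa, secret_name):
    """Return a copy of the ServiceAccount with the Secret listed under
    imagePullSecrets (assumed to be the linking step the docs describe)."""
    patched = json.loads(json.dumps(sa))
    refs = patched.setdefault("imagePullSecrets", [])
    if {"name": secret_name} not in refs:
        refs.append({"name": secret_name})
    return patched


def _auth_for_host(config_json, host):
    """Look up `host` in the config's auths map; keys may be bare hosts or URLs."""
    for key, entry in json.loads(config_json).get("auths", {}).items():
        key_host = urlparse(key).hostname if "://" in key else key.split("/")[0]
        if key_host == host:
            return entry.get("auth")
    return None


def resolve_registry_auth(sa, secrets, image_ref):
    """Simplified model of the keychain lookup the Chains controller performs:
    only dockerconfigjson Secrets referenced by the TaskRun's ServiceAccount
    are consulted. None means the registry request goes out anonymously,
    which is what produces the UNAUTHORIZED token response in the issue."""
    host = image_ref.split("@")[0].split("/")[0]
    refs = sa.get("imagePullSecrets", []) + sa.get("secrets", [])
    for ref in refs:
        secret = secrets.get(ref["name"])
        if not secret or secret.get("type") != "kubernetes.io/dockerconfigjson":
            continue
        raw = base64.b64decode(secret["data"][".dockerconfigjson"]).decode()
        auth = _auth_for_host(raw, host)
        if auth:
            return auth
    return None


def demo():
    """Three states of the `default` ServiceAccount from the issue's TaskRun:
    no link at all, linked to the config.json-keyed Secret, linked correctly."""
    default_sa = {"apiVersion": "v1", "kind": "ServiceAccount",
                  "metadata": {"name": "default", "namespace": "tekton-chains"}}
    good = docker_config_secret("docker-registry", "tekton-chains", SAMPLE_DOCKER_CONFIG)
    generic = generic_config_secret("acr-credentials", "tekton-chains", SAMPLE_DOCKER_CONFIG)
    secrets = {"docker-registry": good, "acr-credentials": generic}
    unlinked = resolve_registry_auth(default_sa, secrets, IMAGE)
    wrong_key = resolve_registry_auth(
        link_secret_to_service_account(default_sa, "acr-credentials"), secrets, IMAGE)
    linked = resolve_registry_auth(
        link_secret_to_service_account(default_sa, "docker-registry"), secrets, IMAGE)
    return unlinked, wrong_key, linked


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `None` for the first two cases and the placeholder credential only for the third. The reason the build step still pushed fine with a `config.json` key is that Kaniko reads the file the workspace mounts into the step, while the controller runs in its own pod and, as lcarva's reply indicates, only sees what the TaskRun's ServiceAccount references; both paths therefore need the same credential, and the controller's path needs it under the `.dockerconfigjson` key.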

> I think you're missing the ServiceAccount linking: https://tekton.dev/docs/chains/authentication/#setup-credentials-using-the-service-account.
>
> The docs here are talking about the file that is usually found in your local system at ~/.docker/config.json. config.json is its name, but its format is often referred to as .dockerconfigjson.

Thanks. I will test it.

Alex2357, Jul 28 '25 02:07