kpack-cli icon indicating copy to clipboard operation
kpack-cli copied to clipboard

Published 20 hours ago verified publisher icon vmware-tanzu

kp secret create with --registry index.docker.io generates invalid secret

Open micahyoung opened this issue 4 years ago • 0 comments

Expected:

Equivalent secrets for DockerHub accounts should be able to be created with --registry instead of --dockerhub

REGISTRY_PASSWORD=foobar kp secret create image-secret-registry  --registry index.docker.io --registry-user testuser
DOCKER_PASSWORD=foobar   kp secret create image-secret-dockerhub --dockerhub testuser

kubectl get secret image-secret-registry  -o json | jq -r '.data[".dockerconfigjson"]' | base64 -d
kubectl get secret image-secret-dockerhub -o json | jq -r '.data[".dockerconfigjson"]' | base64 -d

# Output
{"auths":{"https://index.docker.io/v1/":{"username":"testuser","password":"foobar"}}}
{"auths":{"https://index.docker.io/v1/":{"username":"testuser","password":"foobar"}}}

Observed:

# Example with index.docker.io
REGISTRY_PASSWORD=foobar kp secret create image-secret-1  --registry index.docker.io --registry-user testuser

kubectl get secret image-secret-1  -o json | jq -r '.data[".dockerconfigjson"]' | base64 -d

# Output (note missing protocol)
{"auths":{"index.docker.io":{"username":"testuser","password":"foobar"}}}

# Example with https://index.docker.io/v1/
REGISTRY_PASSWORD=foobar kp secret create image-secret-2  --registry https://index.docker.io/v1/ --registry-user testuser

kubectl get secret image-secret-2  -o json | jq -r '.data[".dockerconfigjson"]' | base64 -d

# Output (note invalid URL)
{"auths":{"https:":{"username":"testuser","password":"foobar"}}}

Result:

Images do not build with --registry generated secrets because no registry secret matches the output tag.

kp secret create image-secret-registry  --registry index.docker.io --registry-user micahyoung
# entered DockerHub token

kp image create go-test-linux --tag index.docker.io/micahyoung/kpack-test-linux:latest --cluster-builder go-multios-linux --git https://github.com/pivotal/kpack

kp build logs go-test-linux

# Output
...
Loading secret for "index.docker.io" from secret "image-secret-registry" at location "\\var\\build-secrets\\image-secret-registry"
Error verifying write access to "index.docker.io/micahyoung/kpack-test-windows:latest": POST https://index.docker.io/v2/micahyoung/kpack-test-windows/blobs/uploads/: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:micahyoung/kpack-test-windows Type:repository] map[Action:push Class: Name:micahyoung/kpack-test-windows Type:repository]]

Workaround

Creating the secret with --dockerhub works but does not allow arbitrary registries. Using this workaround, I was able to use the --registry syntax then clobber the dockerconfig value with a valid one.

REGISTRY_PASSWORD=<password> kp secret create image-secret-registry  --registry index.docker.io --registry-user micahyoung

kubectl delete secret image-secret
kubectl create secret docker-registry \
  image-secret \
  --docker-username=micahyoung \
  --docker-password=<password> \
  --docker-server=https://index.docker.io/v1/

micahyoung avatar Feb 11 '21 15:02 micahyoung