Container-agent, incorrect kubernetes.io/dockerconfigjson

jpi · September 29, 2022, 3:52pm

While using the container-agent and specifying an image from an internal repo (shown below in my executor block) I get ImagePullBackOff errors failed to authorize: failed to fetch anonymous token: unexpected status: 401 Unauthorized.

docker:
  - image: myrepo.com/engineering/cicd-terraform:latest
    auth:
      username: $myrepo_API_ACCOUNT
      password: $myrepo_API_KEY

When digging into the secrets created in the container-agent k8s namespace I see one named ccicred-removed-0-removed. This secret is of the type kubernetes.io/dockerconfigjson. The .dockerconfigjson key when decoded is as follows. The username and password match the values I’d expect via the supplied environment variables in my executor block. However, the docker-server (e.g. https://index.docker.io/) is incorrect. I’d expect that to be myrepo.com. Is this a bug? cc @sebastian-lerner

{
  "auths": {
    "https://index.docker.io/": {
      "username": "removed",
      "password": "removed",
      "auth": "removed"
    }
  }
}

sebastian-lerner · September 29, 2022, 5:02pm

Interesting. Can you share the container-agent version where you’re seeing this?

jpi · September 29, 2022, 5:04pm

oops, sorry about that. It is 1.0.15380. Thanks for taking a look.

sebastian-lerner · September 29, 2022, 5:07pm

jpi:

While using the container-agent and specifying an image from an internal repo (shown below in my executor block) I get ImagePullBackOff errors failed to authorize: failed to fetch anonymous token: unexpected status: 401 Unauthorized.
docker:
  - image: myrepo.com/engineering/cicd-terraform:latest
    auth:
      username: $myrepo_API_ACCOUNT
      password: $myrepo_API_KEY
When digging into the secrets created in the container-agent k8s namespace I see one named ccicred-removed-0-removed. This secret is of the type kubernetes.io/dockerconfigjson. The .dockerconfigjson key when decoded is as follows. The username and password match the values I’d expect via the supplied environment variables in my executor block. However, the docker-server (e.g. https://index.docker.io/) is incorrect. I’d expect that to be myrepo.com. Is this a bug? cc @sebastian-lerner
{
  "auths": {
    "https://index.docker.io/": {
      "username": "removed",
      "password": "removed",
      "auth": "removed"
    }
  }
}

Thanks. Looks like a bug. Having my team take a look at it, I’ll update when i have more.

sebastian-lerner · September 30, 2022, 12:40pm

We’ve got a fix identified and checked in. I’ll update when we have a new helm version out to pull down so you can confirm that it is fixed on your end.

sebastian-lerner · October 3, 2022, 2:04pm

@jpi We merged a fix earlier today. Can you try this again and let us know if you’re still seeing this issue?

jpi · October 3, 2022, 3:04pm

@sebastian-lerner works great, thank you! fixed in 1.0.15989.

system · October 13, 2022, 3:05pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.