Comments (7)
Oh wow. I don't know how I didn't see that! Everything is working after re-bootstrapping.
Thank you for your help!
from image-reflector-controller.
It means you don't have the right Docker server (ghcr.io) in the secret.
Can you paste the command you use to create the secret?
from image-reflector-controller.
I've the same issue using ECR repository.
Probably the registry is not matched by the controller if there is https:// in the secret.
Message: auth for "XXXXXXXXXX.dkr.ecr.eu-west-1.amazonaws.com" not found in secret mynamespace/ecr-docker-login
In the same namespace there is the ecr-docker-login secret. The same secret works to pull the container.
My .dockerconfigjson base64 decoded starts with {"auths":{"https://XXXXXXXXXX.dkr.ecr.eu-west-1.amazonaws.com":{"auth": ...
Following this guide https://toolkit.fluxcd.io/guides/image-update/#using-access-token-short-lived there isn't https:// in the generated secret: {"auths":{"XXXXXXXXXX.dkr.ecr.eu-west-1.amazonaws.com":{"username":"AWS" ...
I think it is related to the ref.Context().RegistryStr() parameter: https://github.com/fluxcd/image-reflector-controller/blob/main/controllers/imagerepository_controller.go#L191
from image-reflector-controller.
here is the base64 decoded version of the secret (redacted of course)
{"auths":{"https://ghcr.io":{"username":"xxxxxxx","password":"xxxxxx","auth":"xxxxxxx"}}}
and here is the entire command I ran (also redacted)
kubectl create secret -o yaml -n flux-system docker-registry github --dry-run --docker-server=https://ghcr.io --docker-username=xxxxxx --docker-password=xxxxxxx | kubeseal --format=yaml --controller-name=kubeseal-sealed-secrets --controller-namespace=kubeseal --context=xxxx > ./clusters/local/flux-system/docker-secret.yaml
I'm realizing I might need to try without the schema in the server? For some reason this works just fine to help Kubernetes download Docker containers.
from image-reflector-controller.
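Added example, not part of the thread and not the controller's own code: a Go check that reproduces the mismatch described in the two comments above, where the auths key carries https:// but the lookup uses the bare registry host. It assumes an exact-match lookup on the registry host, as the commenter suggests, and a fully qualified image reference; CheckAuth, registryHost and normalizeKey are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// registryHost returns the host part of a fully qualified image reference.
func registryHost(image string) string {
	return strings.SplitN(image, "/", 2)[0]
}

// normalizeKey reduces an auths key such as "https://ghcr.io/v1/" to "ghcr.io".
func normalizeKey(key string) string {
	if strings.Contains(key, "://") {
		if u, err := url.Parse(key); err == nil && u.Host != "" {
			return u.Host
		}
	}
	return strings.SplitN(key, "/", 2)[0]
}

// CheckAuth reports "exact" when the auths map has a key equal to the image's
// registry host, "normalized:<key>" when a key only matches after its scheme
// or path is stripped (the case in this thread), and "missing" otherwise.
func CheckAuth(dockerConfigJSON []byte, image string) (string, error) {
	var cfg struct {
		Auths map[string]json.RawMessage `json:"auths"`
	}
	if err := json.Unmarshal(dockerConfigJSON, &cfg); err != nil {
		return "", fmt.Errorf("parse dockerconfigjson: %w", err)
	}
	host := registryHost(image)
	if _, ok := cfg.Auths[host]; ok {
		return "exact", nil
	}
	for key := range cfg.Auths {
		if normalizeKey(key) == host {
			return "normalized:" + key, nil
		}
	}
	return "missing", nil
}

func main() {
	// Constructed sample secret with placeholder credentials.
	s := []byte(`{"auths":{"https://ghcr.io":{"username":"u","password":"p"}}}`)
	fmt.Println(CheckAuth(s, "ghcr.io/example/app"))
}
```

A "normalized:" result means the secret can still work as an image pull secret while an exact-host lookup reports the auth as not found.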
OK I think that got me farther. It looks like the issue now is this error on the image-automation-controller. unknown error: ERROR: The key you are authenticating with has been marked as read only.
I believe that is github responding to a request that the pod is making. Is it using the ssh key from bootstrapping? How would it get access to the repo through a read only key when the github PAT used to bootstrap had full repo permissions? It's possible that I initially bootstrapped the cluster with a read only PAT but I've since rebootstrapped with a new PAT that has full repo permissions.
from image-reflector-controller.
@from-nibly did you happen to bootstrap flux using --token-auth? Otherwise, flux will create a deploy key in your git repository settings which is read-only by default. You can check this under https://github.com/<org>/<repo>/settings/keys. You can read about that in the docs. As you can see in the guide, the example there uses --token-auth.
If you do use a deploy key and it is read-only you will not be able to convert it to a read-write key; instead, you will have to delete and re-create the key, the value of which you can get from the secret flux created during bootstrap.
from image-reflector-controller.
Sounds like you are good to go @from-nibly -- I'll close this issue. For posterity, here's some detailed instructions on how to replace the read-only git secret at https://toolkit.fluxcd.io/guides/flux-v1-automation-migration/#replacing-the-git-credentials-secret.
from image-reflector-controller.