Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Socialise with Flux image reconciliation #134

Open
ab77 opened this issue Oct 27, 2023 · 7 comments
Open

Socialise with Flux image reconciliation #134

ab77 opened this issue Oct 27, 2023 · 7 comments

Comments

@ab77
Copy link
Contributor

ab77 commented Oct 27, 2023

Flux will make the following request to a registry to get the latest tags for an image is is managing (e.g.):

GET https://registry-proxy.balena-cloud.com/v2/balena/logs-to-vector-amd64/tags/list?n=1000

Current behaviour is results in:

scan failed: GET https://registry-proxy.balena-cloud.com/v2/balena/logs-to-vector-amd64/tags/list?n=1000: DENIED: requested access to the resource is denied;
@klutchell
Copy link
Contributor

Is Flux logged into the balena registry when performing these requests?

@ab77
Copy link
Contributor Author

ab77 commented Oct 27, 2023
edited
Loading

Is Flux logged into the balena registry when performing these requests?

No, these requests are currently unauthenticated (though they can be, if required).

@klutchell
Copy link
Contributor

klutchell commented Oct 27, 2023
edited
Loading

I expect if they authenticate it will work, the balena registry and API do not support unauthenticated requests of any kind, including scraping tags.

In your example the Flux context would need to docker login registry-proxy.balena-cloud.com with a balena API key that has developer(?) access to that fleet and it's releases. Otherwise the API will reject the request.

@ab77
Copy link
Contributor Author

ab77 commented Oct 27, 2023

This is the registry auth it's configured with (docker login with the same credentials works):

{
  "auths": {
    "registry-proxy.balena-cloud.com": {
      "username": "u",
      "password": "<<BALENA_API_KEY>>",
      "email": "[email protected]",
      "auth": "$(echo -n u:<<BALENA_API_KEY>> | base64)"
    },
    "bh.cr": {
      "username": "u",
      "password": "<<BALENA_API_KEY>>",
      "email": "[email protected]",
      "auth": "$(echo -n u:<<BALENA_API_KEY>> | base64)"
    }
  }
}

Same issue for getting tags for bh.cr/balena/logs-to-vector-{amd64,aarch64}, Flux always gets back:

scan failed: GET https://registry-proxy.balena-cloud.com/v2/balena/logs-to-vector-aarch64/tags/list?n=1000: DENIED: requested access to the resource is denied;

@klutchell
Copy link
Contributor

I guess public blocks should be allowed without auth, so my original comment may be innacurate.

Based on the error above, it seems to be trying to use a public registry REST API, and I don't think our registry has such a thing as that's usually hosted out-of-band to registry2 IIRC?

Though I was able to get it working with skopeo so I'm not sure exactly what calls Flux is making without looking at the code.

Though maybe skopeo list-tags has the same problem which would make reproducability easier.

@ab77
Copy link
Contributor Author

ab77 commented Oct 27, 2023

According to my understanding from reading the code, our regex doesn't cover this specific request URL (getting a tags list for an image).

Same for scopeio, (basic) authenticated or not:

$ skopeo list-tags docker://bh.cr/balena/logs-to-vector-amd64
FATA[0007] Error listing repository tags: fetching tags list: requested access to the resource is denied

@klutchell
Copy link
Contributor

klutchell commented Oct 27, 2023 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ab77 @klutchell