Resolve-tags gives UNAUTHORIZED #366

Open
steakunderscore opened this issue Jul 23, 2019 · 7 comments
@steakunderscore
Contributor

Expected Behaviour

I have an image in a private registry gcr.io/some-project/foo:v1.0.0, how can I get resolve-tags to resolve the image tag to digest?

There's reference to this issue in docs/tutorial.md. But it has been left as a TODO.

Actual Behavior

Currently trying to call resolve-tags with a k8s config including the private image fails giving the error:

Error: unable to resolve: Digest(gcr.io/private-project/foo:v1.0.0): UNAUTHORIZED: "You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication"

Steps to Reproduce the Problem

Where gcr.io/private-project/foo:v1.0.0 is an image in a registry which is private.

  1. cat /tmp/test.yaml

         apiVersion: v1
         kind: Pod
         metadata:
           labels:
             app: test
         spec:
           containers:
           - image: gcr.io/private-project/foo:v1.0.0
             name: foo

  2. make ./out/resolve-tags

         mkdir -p ./out
         GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags "" -tags "" -o out/resolve-tags-linux-amd64 github.com/grafeas/kritis/cmd/kritis/kubectl/plugins/resolve
         cp ./out/resolve-tags-linux-amd64 out/resolve-tags

  3. ./out/resolve-tags -f /tmp/test.yaml

         Error: unable to resolve: Digest(gcr.io/private-project/foo:v1.0.0): UNAUTHORIZED: "You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication"

Additional info

Note that I have replaced my actual project and image name.

@aysylu
Contributor

aysylu commented Jul 26, 2019

Hi @steakunderscore, thanks for filing the issue. Would you be interested in driving the fix? Happy to review the PR and discuss any questions that might come up.

@steakunderscore
Contributor Author

Hi @aysylu, sure thing. I should have time to get to this coming week. I was looking at how crane works in the same regard. I think I'll use it as inspiration.

@aysylu
Contributor

aysylu commented Jul 27, 2019

@steakunderscore perfect, looking forward to your contribution! Could you please clarify which part of crane you're specifically interested in adopting?

@steakunderscore
Contributor Author

I was specifically thinking about crane digest which does almost exactly what resolve-tags does, however seems to try using the ~/.docker/config before falling back to unauthenticated access to the registry. Should be a couple of lines of code changed, plus some better docs.

@sharkannon

Do you guys know a work around for this? I'm working on implementing Kritis/BinAuthz in GCP and w/out this tool it makes things a lot more difficult (Having the same problem)

@andyroyle

I stumbled across this recently when trying to get the plugin to work using a private registry. According to the docs for the authn package in go-containerregistry it should be pretty simple, but y'know, famous last words.

I'll be poking about this week to see if I can get it working

@ooq
Contributor

ooq commented Feb 18, 2020

That would be great! @andyroyle
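
The lookup order discussed in the comments above (credentials from the Docker config first, unauthenticated access as the fallback), written with the Go standard library only. This is an added example, not code from this thread, from crane or from kritis; `resolveCredential`, `Credential` and `sampleConfig` are hypothetical names, and the config contents are constructed.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// dockerConfig covers only the config.json fields this example reads.
type dockerConfig struct {
	Auths       map[string]struct{ Auth string } `json:"auths"`
	CredHelpers map[string]string                `json:"credHelpers"`
}
// Credential is the lookup result; Anonymous means no Authorization header is sent.
type Credential struct {
	Username, Password, Helper string
	Anonymous                  bool
}

// resolveCredential (hypothetical name) picks credentials for one registry host.
func resolveCredential(cfgJSON []byte, registry string) (Credential, error) {
	var cfg dockerConfig
	if err := json.Unmarshal(cfgJSON, &cfg); err != nil {
		return Credential{}, fmt.Errorf("parse docker config: %w", err)
	}
	if h, ok := cfg.CredHelpers[registry]; ok { // e.g. "gcloud" for gcr.io
		return Credential{Helper: "docker-credential-" + h}, nil
	}
	if e, ok := cfg.Auths[registry]; ok && e.Auth != "" {
		raw, err := base64.StdEncoding.DecodeString(e.Auth)
		parts := strings.SplitN(string(raw), ":", 2)
		if err != nil || len(parts) != 2 {
			return Credential{}, fmt.Errorf("malformed auth entry for %s", registry)
		}
		return Credential{Username: parts[0], Password: parts[1]}, nil
	}
	return Credential{Anonymous: true}, nil // a private image then fails with UNAUTHORIZED
}

// sampleConfig returns a constructed config.json; the account is made up.
func sampleConfig() []byte {
	auth := base64.StdEncoding.EncodeToString([]byte("alice:not-a-real-password"))
	return []byte(`{"auths":{"registry.example.com":{"auth":"` + auth + `"}},"credHelpers":{"gcr.io":"gcloud"}}`)
}

func main() {
	c, err := resolveCredential(sampleConfig(), "gcr.io")
	fmt.Printf("gcr.io: helper=%q anonymous=%v err=%v\n", c.Helper, c.Anonymous, err)
}
```

A malformed entry returns an error rather than silently dropping to anonymous, so a broken config is not mistaken for a missing one.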
