Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Failed to pull kaniko image from private repo #3604

Closed
zeromsi opened this issue Dec 6, 2020 · 15 comments
Closed

Failed to pull kaniko image from private repo #3604

zeromsi opened this issue Dec 6, 2020 · 15 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@zeromsi
Copy link

zeromsi commented Dec 6, 2020

Service account

apiVersion: v1
imagePullSecrets:
- name: basic-user-pass
kind: ServiceAccount
metadata:
  name: 5f7ac2569596510001b034b7-sa
  namespace: tekton

Task

apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  name: app-builder5fc89e3fdbf91600010d0012-task-run
  namespace: tekton
spec:
  serviceAccountName: 5f7ac2569596510001b034b7-sa
  taskRef:
    kind: Task
    name: app-builder5fc89e3fdbf91600010d0012

Task

apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: app-builder5fc89e3fdbf91600010d0012
  namespace: tekton
spec:
  steps:
  - image: <url>
    imagePullPolicy: Always
    name: app
@zeromsi
Copy link
Author

zeromsi commented Dec 6, 2020

The error is like following,

failed to create task run pod "app-builder5fc89e3fdbf91600010d0012-task-run": translating TaskSpec to Pod: error getting image manifest: GET https://container-registry.console.klovercloud.io/v2/superapp-dxi1zsmt-c12u4ujw/repo/manifests/bf28cf28b5463f51e67c8ab951b41a19c6bf6029: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:superapp-dxi1zsmt-c12u4ujw/repo Type:repository]]. Maybe missing or invalid Task tekton/app-builder5fc89e3fdbf91600010d0012

@vdemeester
Copy link
Member

/kind bug
Sounds like the controller didn't take into account the imagePullSecret from the attached service account.

@tekton-robot tekton-robot added the kind/bug Categorizes issue or PR as related to a bug. label Dec 7, 2020
@vdemeester
Copy link
Member

My guess is that it only looks into the podTemplate imagePullSecret (https://github.com/tektoncd/pipeline/blob/ab723e9e79d358b6397cc62a199ba4c489ee3480/docs/podtemplates.md)

@tekton-robot
Copy link
Collaborator

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

@tekton-robot tekton-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Mar 7, 2021
@tekton-robot
Copy link
Collaborator

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle rotten

Send feedback to tektoncd/plumbing.

@tekton-robot tekton-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Apr 6, 2021
@tekton-robot
Copy link
Collaborator

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen with a justification.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/close

Send feedback to tektoncd/plumbing.

@tekton-robot
Copy link
Collaborator

@tekton-robot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen with a justification.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/close

Send feedback to tektoncd/plumbing.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@drriguz
Copy link

drriguz commented Nov 2, 2021

Any response to this issue? I got the same error today, while using custom image as task image.

apiVersion: v1
kind: Secret
metadata:
  name: registry-secret
  namespace: dev
  annotations:
    tekton.dev/docker-0: https://registry.example.com:8443
type: kubernetes.io/basic-auth
stringData:
    username: testuser
    password: testpassword
---
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: kubectl-deploy
  namespace: dev
spec:
  params:
    - name: deploy-config-path
      type: string
    - name: image-tag
      type: string
  resources:
    inputs:
      - name: git-src
        type: git
      - name: image-repo
        type: image
  steps:
    - name: kubectl-deploy
      image: registry.example.com:8443/kubectl:r1
      workingDir: /workspace/git-src
      script: |
        export IMAGE=$(resources.inputs.image-repo.url):$(params.image-tag)
        echo "Deploying ${IMAGE} by $(params.deploy-config-path)"
        envsubst < $(params.deploy-config-path) | kubectl apply -f -
Normal   Pulling    24s (x2 over 40s)  kubelet            Pulling image "registry.example.com:8443/kubectl:r1"
  Warning  Failed     24s (x2 over 40s)  kubelet            Failed to pull image "registry.example.com:8443/kubectl:r1": rpc error: code = Unknown desc = failed to pull and unpack image "registry.example.com:8443/kubectl:r1": failed to resolve reference "registry.example.com:8443/kubectl:r1": pulling from host registry.example.com:8443 failed with status code [manifests r1]: 401 Unauthorized

However, images could be successfully pushed into the registry. So I believe the configuration is correct, is this a bug?

@adelmoradian
Copy link
Contributor

adelmoradian commented Feb 2, 2023
edited
Loading

The suggestion from @vdemeester did work... Just had to add the following to my PipelineRun

spec:
  podTemplate:
    imagePullSecrets: 
      - name: secret-1
      - name: secret-2

I did try a few other things which didn't work:

  • Adding secrets to PipelineRun
  • Adding secrets to tekton controller service account
  • Adding secrets as imagePullSecrets to tekton controller deployment

tekton-pipeline v0.42.0
Kubelet Version: v1.24.9
arch: amd64
OS Image: Flatcar Container Linux by Kinvolk 3374.2.3

@afrittoli afrittoli reopened this Feb 2, 2023
@afrittoli
Copy link
Member

Thanks, @adelmoradian.
It sounds like at least we should better document how to achieve this. @vdemeester wdyt?

@vdemeester
Copy link
Member

Thanks, @adelmoradian. It sounds like at least we should better document how to achieve this. @vdemeester wdyt?

Agreed !

@adelmoradian
Copy link
Contributor

Should i add this to defining steps sections of documentation?

@afrittoli
Copy link
Member

@adelmoradian that would be great. I wonder if this could be a good how-to guide too https://tekton.dev/docs/how-to-guides/ @geriom

@afrittoli afrittoli mentioned this issue Mar 3, 2023
Closed
@iainsproat iainsproat mentioned this issue Mar 15, 2023
Closed
adelmoradian pushed a commit to adelmoradian/pipeline that referenced this issue Mar 26, 2023
doc: added a note on pulling task image from private repo
6502ea8 
Prior to this, docs were not clear on how to use a private image
for a task - issue tektoncd#3604

If a task uses an image from a private repo, then `imagePullSecrets`
must be provided at runtime via `podTemplate` - added note to the tasks docs
adelmoradian pushed a commit to adelmoradian/pipeline that referenced this issue Mar 26, 2023
@adelmoradian
doc: added a note on pulling task image from private repo
5cb77b9 
prior to this, docs were not clear on how to use a private image
for a task - issue tektoncd#3604

if a task uses an image from a private repo, then `imagePullSecrets`
must be provided at runtime via `podTemplate` - added note to the tasks docs
adelmoradian added a commit to adelmoradian/pipeline that referenced this issue Mar 26, 2023
@adelmoradian
doc: added a note on pulling task image from private repo
f0a3b3f 
prior to this, docs were not clear on how to use a private image
for a task - issue tektoncd#3604

if a task uses an image from a private repo, then `imagePullSecrets`
must be provided at runtime via `podTemplate` - added note to the tasks docs
@tekton-robot
Copy link
Collaborator

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen with a justification.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/close

Send feedback to tektoncd/plumbing.

@tekton-robot
Copy link
Collaborator

@tekton-robot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen with a justification.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/close

Send feedback to tektoncd/plumbing.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@lbernick lbernick mentioned this issue Apr 10, 2023
Open
tekton-robot pushed a commit that referenced this issue Apr 21, 2023
@adelmoradian @tekton-robot
doc: added a note on pulling task image from private repo
8fb5999 
prior to this, docs were not clear on how to use a private image
for a task - issue #3604

if a task uses an image from a private repo, then `imagePullSecrets`
must be provided at runtime via `podTemplate` - added note to the tasks docs
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@vdemeester @afrittoli @drriguz @zeromsi @tekton-robot @adelmoradian