Is there a way to authenticate with an image resource's registry? #1106

Closed
lance opened this issue Jul 20, 2019 · 5 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature.

lance commented Jul 20, 2019

Expected Behavior

I am attempting to use an image as an input resource, and it actually seems as though it might work; however, I am running into problems due to the fact that the registry requires authentication.

My use case is that I have another process outside of the Tekton pipeline purview which creates an image and pushes it to a registry. My Task then needs to access this image from the registry and copy some data from the running container to a volume mount.

Here is a simple example showing just the input.

apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
  name: deploy-webapp
spec:
  inputs:
    resources:
      - name: source-image
        type: image
    params:
      - name: SOURCE_PATH
        description: The location of the build output
        default: build
  steps:
    - name: copy-source
      image: ${inputs.resources.source-image.url}
      workingdir: /opt/app-root/source
      command: ['cp', '-Rp', '${inputs.params.SOURCE_PATH}', '/gen-source/']
      volumeMounts:
        - name: gen-source
          mountPath: /gen-source
      securityContext:
        privileged: true

I would like a way to specify authentication credentials for the pipeline when accessing the source-image in this example. Is this possible?

Actual Behavior

When running a Task for this I get an error message on the deploy-webapp-task-run container.

Failed to pull image "example-webapp": rpc error: code = Unknown desc = Error reading manifest latest in docker.io/library/example-webapp: errors: denied: requested access to the resource is denied unauthorized: authentication required

Steps to Reproduce the Problem

  1. Apply the above Task to a cluster
  2. Create a TaskRun that specifies a source-image on a registry requiring authentication
  3. Apply the TaskRun to a cluster

Additional Info

While looking for a way to achieve this, I stumbled on this issue #260 which is related. Given that I am getting authentication errors when the TaskRun executes, I think maybe that issue is resolved, but it is not clear since I have never made it past the authentication requirement.

@vdemeester
Member

hey @lance

Did you try with what's described in [auth.md](https://github.com/tektoncd/pipeline/blob/master/docs/auth.md): here and here (preferred imho)?

@lance
Author

lance commented Jul 22, 2019

@vdemeester so I have been trying to get this to work for a while now, but am still not successful. Let me provide a little more detail and perhaps you can tell me if I'm trying to do something that's just not possible yet.

A process external to pipelines (nodeshift) generates an ImageStream using s2i, resulting in an image in the internal repository at image-registry.openshift-image-registry.svc:5000/example-webapp. I would like to use a TaskRun which uses this image as input. My TaskRun looks like this.

apiVersion: tekton.dev/v1alpha1
kind: TaskRun
metadata:
  name: deploy-webapp-taskrun
spec:
  # Use service account with git and image repo credentials
  serviceAccount: pipeline
  taskRef:
    name: deploy-webapp
  inputs:
    resources:
      - name: source-image
        resourceSpec:
          type: image
          params:
            - name: url
              value: image-registry.openshift-image-registry.svc:5000/example-webapp
  outputs:
    resources:
      - name: runtime-image
        resourceSpec:
          type: image
          params:
            - name: url
              value: quay.io/lanceball/example-webapp-runtime

The pipelines service account has been granted the proper roles for accessing the registry per the documentation, and I have added the login secret per the instructions here. Do you think that this is possible and I have just done something wrong? Or am I pushing the boundaries of what pipelines can do at the moment?

@lance
Author

lance commented Jul 23, 2019

Just a little more info - here is the log file from the deploy-webapp-taskrun-pod-nnnnnn.

  Warning  Failed     7m12s                 kubelet, crc-cvgnz-master-0  Failed to pull image "image-registry.openshift-image-registry.svc:5000/example-webapp": rpc error: code = Unknown desc = unable to retrieve auth token: invalid username/password
  Warning  Failed     7m12s                 kubelet, crc-cvgnz-master-0  Error: ErrImagePull
  Normal   Pulling    7m12s                 kubelet, crc-cvgnz-master-0  Pulling image "image-registry.openshift-image-registry.svc:5000/example-webapp"
  Normal   Created    7m12s                 kubelet, crc-cvgnz-master-0  Created container build-step-image-digest-exporter-copy-source-ms2nq
  Normal   Started    7m12s                 kubelet, crc-cvgnz-master-0  Started container build-step-image-digest-exporter-copy-source-ms2nq

And this is a little snippet of output showing that the authentication has been set up.

Init Containers:
  build-step-credential-initializer-x65rz:
    Container ID:  cri-o://1889ca244af0ae2db6298e7bd40b821a30e87f6e50bff65587125beeb4346d45
    Image:         quay.io/openshift-pipeline/tektoncd-pipeline-creds-init:v0.4.0
    Image ID:      quay.io/openshift-pipeline/tektoncd-pipeline-creds-init@sha256:9f60f7e1ea7c6f293c5297b46aa716264ab7dc02be13eb23f964c6b7f2212872
    Port:          <none>
    Host Port:     <none>
    Command:
      /ko-app/creds-init
    Args:
      -docker-cfg=pipeline-dockercfg-76v8c
      -basic-docker=basic-user-pass=image-registry.openshift-image-registry.svc:5000
    State:          Terminated
      Reason:       Completed
      Exit Code:    0
      Started:      Mon, 22 Jul 2019 22:49:52 -0400
      Finished:     Mon, 22 Jul 2019 22:49:52 -0400
    Ready:          True

The error message is unable to retrieve auth token: invalid username/password which makes me think my secret is wrong. Hmmm.

@vdemeester
Member

It just struck me that you are using the image resource url in the image, so our creds-init magic doesn't work in there. This is something we need to tackle somehow.

/kind feature

@tekton-robot tekton-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Jul 23, 2019
@lance
Author

lance commented Jul 23, 2019

@vdemeester so I managed to get this to work. The resources, tasks and pipelines are here, if you are interested. It's actually not as complicated as I thought - mostly it was misconfiguration on my part. But the long and short is that I am able to specify an image from the internal repository as an input resource on a task and it works as I expect. I'm closing this. Thanks for your help.

@lance lance closed this as completed Jul 23, 2019
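
An added example, not part of the original thread or of Tekton's code, relating to the two pull errors quoted above: it works out which registry host an image reference resolves to and whether a `.dockerconfigjson` payload holds a credential for that host. The host matching is a simplified assumption rather than the kubelet's exact lookup, and the sample config and token are constructed.

```python
import base64
import json
from urllib.parse import urlsplit

# Registry the unqualified name in the first error was resolved against.
DEFAULT_REGISTRY = "docker.io"

def registry_of(image: str) -> str:
    """Return the registry host[:port] an image reference points at."""
    first, sep, _rest = image.partition("/")
    # Docker reference rule: the first path component is a registry only if
    # it looks like a host (contains '.' or ':') or is 'localhost'.
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return DEFAULT_REGISTRY

def _host(auth_key: str) -> str:
    """Normalise an 'auths' key (bare host, or URL with scheme/path)."""
    key = auth_key if "://" in auth_key else "//" + auth_key
    host = urlsplit(key).netloc
    return DEFAULT_REGISTRY if host == "index.docker.io" else host

def credential_user(image: str, dockerconfigjson: str):
    """Return the username configured for the image's registry, or None."""
    auths = json.loads(dockerconfigjson).get("auths", {})
    wanted = registry_of(image)
    for key, entry in auths.items():
        if _host(key) != wanted:
            continue
        if "username" in entry:
            return entry["username"]
        # 'auth' is base64("user:password"); split on the first ':' only.
        return base64.b64decode(entry.get("auth", "")).decode().split(":", 1)[0]
    return None

# Constructed sample secret payload: one entry, for the internal registry only.
SAMPLE_CONFIG = json.dumps({"auths": {
    "https://image-registry.openshift-image-registry.svc:5000": {
        "auth": base64.b64encode(b"pipeline:constructed-token").decode()}}})

if __name__ == "__main__":
    for image in ("example-webapp",
                  "image-registry.openshift-image-registry.svc:5000/example-webapp"):
        user = credential_user(image, SAMPLE_CONFIG)
        print(f"{image} -> {registry_of(image)}: {user or 'no credential'}")
```

The unqualified `example-webapp` resolves to the default registry, for which the sample config holds no entry, while the fully qualified internal reference matches the configured host.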