Description
When passing in a docker config secret using the following format:
    {
      "auths": {
        "https://registry.jfrog.io": {
          "auth": "anV.....5Ug=="
        }
      }
    }
authentication against my private image registry fails when trying to pull some image.
I verified that the base64 value is correct such that when decoded, it comes in a <username>:<JFrog_Docker_PAT> format. However, when passing the same value as an environment variable, envbox fails with the following:
{"ts":"2024-09-25T22:35:23.636465215Z","level":"ERROR","msg":"child log","caller":"/home/runner/work/envbox/envbox/background/process.go:248","func":"github.com/coder/envbox/background.scanIntoLog","logger_names":["dockerd"],"fields":{"process":"dockerd","content":"time=\"2024-09-25T22:35:23.636366939Z\" level=error msg=\"Handler for POST /v1.42/images/create returned error: Head \\\"https://registry.jfrog.io/v2/docker/coder/coder-demo/coder-demo-node/manifests/latest\\\": unknown: Authentication is required\""}}
{"ts":"2024-09-25T22:35:26.638400449Z","level":"DEBUG","msg":"child log","caller":"/home/runner/work/envbox/envbox/background/process.go:248","func":"github.com/coder/envbox/background.scanIntoLog","logger_names":["dockerd"],"fields":{"process":"dockerd","content":"time=\"2024-09-25T22:35:26.638319435Z\" level=debug msg=\"Calling POST /v1.42/images/create?fromImage=registry.jfrog.io%2Fdocker%2Fcoder%2Fcoder-demo%2Fcoder-demo-node\u0026tag=latest\""}}
{"ts":"2024-09-25T22:35:26.649533892Z","level":"DEBUG","msg":"child log","caller":"/home/runner/work/envbox/envbox/background/process.go:248","func":"github.com/coder/envbox/background.scanIntoLog","logger_names":["dockerd"],"fields":{"process":"dockerd","content":"time=\"2024-09-25T22:35:26.649442818Z\" level=debug msg=\"hostDir: /etc/docker/certs.d/registry.jfrog.io\""}}
{"ts":"2024-09-25T22:35:26.649629378Z","level":"DEBUG","msg":"child log","caller":"/home/runner/work/envbox/envbox/background/process.go:248","func":"github.com/coder/envbox/background.scanIntoLog","logger_names":["dockerd"],"fields":{"process":"dockerd","content":"time=\"2024-09-25T22:35:26.649499866Z\" level=debug msg=\"Trying to pull registry.jfrog.io/docker/coder/coder-demo/coder-demo-node from https://registry.jfrog.io\""}}
{"ts":"2024-09-25T22:35:27.178910802Z","level":"INFO","msg":"child log","caller":"/home/runner/work/envbox/envbox/background/process.go:248","func":"github.com/coder/envbox/background.scanIntoLog","logger_names":["dockerd"],"fields":{"process":"dockerd","content":"time=\"2024-09-25T22:35:27.178825359Z\" level=info msg=\"Attempting next endpoint for pull after error: Head \\\"https://registry.jfrog.io/v2/docker/coder/coder-demo/coder-demo-node/manifests/latest\\\": unknown: Authentication is required\""}}
{"ts":"2024-09-25T22:35:27.181578796Z","level":"ERROR","msg":"child log","caller":"/home/runner/work/envbox/envbox/background/process.go:248","func":"github.com/coder/envbox/background.scanIntoLog","logger_names":["dockerd"],"fields":{"process":"dockerd","content":"time=\"2024-09-25T22:35:27.181484801Z\" level=error msg=\"Handler for POST /v1.42/images/create returned error: Head \\\"https://registry.jfrog.io/v2/docker/coder/coder-demo/coder-demo-node/manifests/latest\\\": unknown: Authentication is required\""}}
{"output":"Failed to run envbox: pull image: pull image: pull image: Error response from daemon: Head \"https://registry.jfrog.io/v2/docker/coder/coder-demo/coder-demo-node/manifests/latest\": unknown: Authentication is required","time":"2024-09-25T22:35:30.182568947Z","type":"error"}
{"output":"Failed to run envbox: run: pull image: pull image: pull image: Error response from daemon: Head \"https://registry.jfrog.io/v2/docker/coder/coder-demo/coder-demo-node/manifests/latest\": unknown: Authentication is required","time":"2024-09-25T22:35:30.182797806Z","type":"error"}
{"output":"","time":"2024-09-25T22:35:30.182809563Z","type":"done"}
This should be a valid approach, as by manually embedding the config.json in the base-container image with the /envbox binary (not to be confused with the inner-image), I'm able to run dockerd &, authenticate against my private JFrog image repository, and pull my image successfully.
As reference, I used/did the following:
AWS EKS Kubernetes v1.30
Coder Template: https://github.com/coder/coder/tree/main/examples/templates/envbox
My Modifications:
    // main.tf
    env {
      name  = "CODER_INNER_IMAGE"
      value = "registry.jfrog.io/docker/coder/coder-demo/coder-demo-node:latest"
    }
    ...
    env {
      name = "CODER_IMAGE_PULL_SECRET"
      value_from {
        secret_key_ref {
          name = "jfrog-secret"
          key  = ".dockerconfigjson"
        }
      }
    }
Docker Kubernetes Secret (jfrog-secret):
    apiVersion: v1
    data:
      .dockerconfigjson: eyJhdX...fX19
    kind: Secret
    metadata:
      name: jfrog-secret
      namespace: coder
    type: kubernetes.io/dockerconfigjson
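
An added diagnostic example, not part of the original report and not envbox's own code: it parses a Docker config of the shape shown above, checks that the auth value decodes to <username>:<secret>, and reports whether the auths key equals the image's registry host as written or only after the scheme is stripped. The function name, its return values and the sample registry and credentials are assumptions made for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// CheckPullSecret finds the "auths" entry for the image's registry (keys are
// compared with scheme and path removed) and validates its auth field.
// Assumes the image reference names its registry explicitly. The secret is
// never returned: only the matching key, the username, and whether the key
// equals the registry host byte for byte.
func CheckPullSecret(cfg []byte, image string) (key, user string, exact bool, err error) {
	var doc struct {
		Auths map[string]struct {
			Auth string `json:"auth"`
		} `json:"auths"`
	}
	if err := json.Unmarshal(cfg, &doc); err != nil {
		return "", "", false, fmt.Errorf("not valid JSON: %w", err)
	}
	host, _, _ := strings.Cut(image, "/")
	for k, entry := range doc.Auths {
		bare := strings.TrimPrefix(strings.TrimPrefix(k, "https://"), "http://")
		if h, _, _ := strings.Cut(bare, "/"); h != host {
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(entry.Auth)
		if err != nil {
			return "", "", false, fmt.Errorf("auth for %q is not base64: %w", k, err)
		}
		u, secret, ok := strings.Cut(string(raw), ":")
		if !ok || u == "" || secret == "" {
			return "", "", false, fmt.Errorf("auth for %q is not <username>:<secret>", k)
		}
		return k, u, k == host, nil
	}
	return "", "", false, fmt.Errorf("no auths entry for registry %q", host)
}

func main() {
	// Constructed sample: placeholder registry and credentials, not from the page.
	auth := base64.StdEncoding.EncodeToString([]byte("alice:example-token"))
	cfg := `{"auths":{"https://registry.example.test":{"auth":"` + auth + `"}}}`
	fmt.Println(CheckPullSecret([]byte(cfg), "registry.example.test/team/app:latest"))
}
```

Feeding it the decoded .dockerconfigjson value and the CODER_INNER_IMAGE reference shows which key form is in use without printing the token.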