Docker Feeds throwing "401 - Unauthorized. Please check credentials" when creating releases/searching feeds. #8126

Closed
IsaacCalligeros95 opened this issue Apr 27, 2023 · 2 comments
Labels
area/core kind/bug This issue represents a verified problem we are committed to solving

@IsaacCalligeros95

Severity

All, blocking DockerHub feeds. Impacts release creation and search

Version

All, Latest

Latest Version

I could reproduce the problem in the latest build

What happened?

DockerHub has changed requirements on scopes; this has broken DockerHub feeds when searching and creating releases.
Error message: 401 - Unauthorized. Please check credentials.

  • Create a DockerHub feed, hit save and test and search for images -> 💥
  • Add a package to a deployment step using a docker feed. Create a release -> 💥

Reproduction

  • Create a DockerHub feed, hit save and test and search for images -> 💥
  • Add a package to a deployment step using a docker feed. Create a release -> 💥

Error and Stacktrace

401 - Unauthorized. Please check credentials.

Underlying error message

Request to Docker registry located at `https://auth.docker.io/token?service=registry.docker.io&scope=registry:catalog:*` failed with BadRequest:Bad Request. {"details":"request scopes must be of the same resource type"}

More Information

DockerHub has made an upstream change on required permission scopes that have impacted authentication. This has broken release creation and search for both V1 and V2 feeds.

For V2 feeds we make a request to DockerHub; if that's UnAuthorized, we'll pull the auth details such as service and scope out of the header, make a token request and re-issue the original request. The scope that's being returned for this request is registry:catalog:* which is also hardcoded for our V1 endpoints. Tokens using this scope are facing permission issues across all endpoints. Updating this from registry:catalog:* to registry:* resolves this issue.

Workaround

NA

@IsaacCalligeros95 IsaacCalligeros95 added kind/bug This issue represents a verified problem we are committed to solving area/core labels Apr 27, 2023
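
The 401 challenge handling described in the issue above, as an added Python example (not Octopus Deploy's code and not part of the original report): it parses a `WWW-Authenticate: Bearer` challenge, checks the server-supplied realm before credentials would be sent to it, and builds the token URL with an optional scope replacement. The sample header is constructed from the values quoted in the issue; the function names, `trusted_hosts` and `scope_override` are assumptions of this example.

```python
import re
from urllib.parse import urlencode, urlsplit

# Constructed sample challenge, shaped like the values quoted in the issue.
SAMPLE_CHALLENGE = ('Bearer realm="https://auth.docker.io/token",'
                    'service="registry.docker.io",scope="registry:catalog:*"')

_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(header):
    """Split a WWW-Authenticate Bearer challenge into its key="value" parameters."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: %r" % scheme)
    params = dict(_PARAM.findall(rest))
    if "realm" not in params:
        raise ValueError("challenge has no realm")
    return params


def build_token_url(header, trusted_hosts, scope_override=None):
    """Build the token request URL for a 401 challenge.

    The realm is chosen by the server, so it is checked against trusted_hosts
    before any credentials would be sent to it. scope_override (hypothetical
    parameter of this example) replaces the scope named in the challenge.
    """
    params = parse_bearer_challenge(header)
    realm = urlsplit(params["realm"])
    if realm.scheme != "https" or realm.hostname not in trusted_hosts:
        raise ValueError("untrusted token realm: %s" % params["realm"])
    query = {}
    if "service" in params:
        query["service"] = params["service"]
    scope = scope_override or params.get("scope")
    if scope:
        query["scope"] = scope
    # safe=":*" leaves the scope unescaped, matching the URL in the error message
    return params["realm"] + "?" + urlencode(query, safe=":*")
```

Called with the sample challenge and no override, `build_token_url` reproduces the token URL from the underlying error message; passing `scope_override="registry:*"` yields the request the issue says resolves the problem.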
@octoreleasebot

Release Note: Fixes an issue with upstream DockerHub auth where tokens requested with "registry:catalog:" no longer grant access. Updated to use "registry:"

@Octobob
Member

Octobob commented May 19, 2023

🎉 The fix for this issue has been released in:

| Release stream | Release |
| --- | --- |
| 2022.4 | 2022.4.8625 |
| 2023.1 | 2023.1.9886 |
| 2023.2 | 2023.2.9126 |
| 2023.3+ | all releases |
