This repository has been archived by the owner on Jun 18, 2020. It is now read-only.

Authentication fails when pack+lifecycle tries to work with images from two different registries #42

Closed
jchesterpivotal opened this issue Jan 25, 2019 · 0 comments
Labels
blocks-downstream bug Something isn't working


@jchesterpivotal

Originally reported by @scothis on behalf of @projectriff.

Expected behaviour

Given that I am able to docker push to both Dockerhub and a second registry (e.g., GCR)
When I run pack build gcr.io/example/image/reference --path path/to/app/ --publish
Then I see that my image is built and published to GCR.

Observed behaviour

An error like this one is seen:

[exporter] 2019/01/24 15:34:01 Error: connect to repo store 'packs/run:v3alpha2': notoken in bearer response:
[exporter] {"details":"incorrect username or password"}

This error is not observed when the pack build image parameter is pushed to Dockerhub.

Description

Project riff consumes pack as a library, but the path through the pack and lifecycle code is the same as the CLI recreation above.

We currently believe that this is because pack authenticates to the registry where the application image belongs and collects a bearer token usable in Authorization headers. This token is injected into lifecycle containers via a PACK_REGISTRY_AUTH environment variable. But when the application image is intended for one registry (e.g., GCR) and the run image is found in a different registry (e.g., Dockerhub), this scheme won't work, as the second registry will reject the token provided by the first registry.

@jchesterpivotal jchesterpivotal added the bug Something isn't working label Jan 25, 2019
@jchesterpivotal jchesterpivotal added this to Icebox in Planning Board via automation Jan 25, 2019
@jchesterpivotal jchesterpivotal self-assigned this Jan 25, 2019
@sclevine sclevine moved this from Icebox to Discussion Needed in Planning Board Jan 27, 2019
@sclevine sclevine moved this from Discussion Needed to Backlog in Planning Board Jan 28, 2019
@ekcasey ekcasey moved this from Backlog to In Progress in Planning Board Jan 29, 2019
ekcasey added a commit to buildpacks/lifecycle that referenced this issue Jan 29, 2019
* CNB_REGISTRY_AUTH provides a json map of registry to auth header
* PACK_REGISTRY_AUTH provides a single auth header (deprecated)

[buildpacks/roadmap#42]

Signed-off-by: Emily Casey <ecasey@pivotal.io>
Signed-off-by: Matthew McNew <mmcnew@pivotal.io>
ekcasey pushed a commit to buildpacks/lifecycle that referenced this issue Jan 29, 2019
* CNB_REGISTRY_AUTH provides a json map of registry to auth header
* PACK_REGISTRY_AUTH provides a single auth header (deprecated)

[buildpacks/roadmap#42]

Signed-off-by: Matthew McNew <mmcnew@pivotal.io>
Signed-off-by: Emily Casey <ecasey@pivotal.io>
matthewmcnew added a commit to buildpacks/pack that referenced this issue Feb 1, 2019
+ This allows the runImage to be in a different registry than the app image

[buildpacks/roadmap#42]

Signed-off-by: Emily Casey <ecasey@pivotal.io>
matthewmcnew added a commit to buildpacks/pack that referenced this issue Feb 1, 2019
+ This allows the runImage to be in a different registry than the app image

[buildpacks/roadmap#42]

Signed-off-by: Emily Casey <ecasey@pivotal.io>
Signed-off-by: Matthew McNew <mmcnew@pivotal.io>
@matthewmcnew matthewmcnew moved this from In Progress to Done in Planning Board Feb 1, 2019
@sclevine sclevine moved this from Done to Release v0.1.0 in Planning Board Feb 3, 2019
@sclevine sclevine closed this as completed Apr 3, 2019
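
The per-registry lookup implied by the "json map of registry to auth header" in the lifecycle commit message, applied to the two image references from this issue, as an added Go example that is not code from pack or lifecycle. The function names `registryOf` and `authHeaderFor`, the use of registry hostnames as map keys, the simplified Docker reference rule, and the sample header values are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// registryOf returns the registry host of an image reference using Docker's
// rule (simplified): the first path component is a host only if it contains
// '.' or ':' or is "localhost"; otherwise the image lives on Docker Hub.
func registryOf(ref string) string {
	if i := strings.Index(ref, "/"); i > 0 {
		if host := ref[:i]; strings.ContainsAny(host, ".:") || host == "localhost" {
			return host
		}
	}
	return "index.docker.io"
}

// authHeaderFor (hypothetical helper) picks the Authorization header for ref
// from a JSON map of registry host to header. An unknown registry yields ""
// (anonymous access) instead of reusing a credential issued by another registry.
func authHeaderFor(ref, authMapJSON string) (string, error) {
	headers := map[string]string{}
	if authMapJSON != "" {
		if err := json.Unmarshal([]byte(authMapJSON), &headers); err != nil {
			return "", fmt.Errorf("parse registry auth map: %w", err)
		}
	}
	return headers[registryOf(ref)], nil
}

func main() {
	// Constructed sample values; not real credentials.
	authMap := `{"gcr.io":"Bearer gcr-sample","index.docker.io":"Bearer hub-sample"}`
	for _, ref := range []string{"gcr.io/example/image/reference", "packs/run:v3alpha2"} {
		h, err := authHeaderFor(ref, authMap)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-32s registry=%-16s header=%q\n", ref, registryOf(ref), h)
	}
}
```

Keying the lookup on the registry host is also what keeps a token issued by one registry from being sent to a different one.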