Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Docker credentials fails for secrets created with kubectl v1.13.0 #1596

Closed
squaremo opened this issue Dec 11, 2018 · 5 comments

Comments

@squaremo
Copy link
Member

@squaremo squaremo commented Dec 11, 2018

If you create a dockerconfigjson secret for use as an imagePullSecret, using kubectl v.1.13.0, fluxd is not able to parse it when it comes to scanning the image registry.

The reason is that the format generated by v1.13.0 is different to that prior: using v.1.12,

$ kubectl create secret docker-registry docker-reg-secret --docker-server=private.dockerrepo.com --docker-username=xxxxx --docker-password="xxxxx" --docker-email="xxx@xyz.cim" --dry-run -o json | jq -r '.data[".dockerconfigjson"]' | base64 -d
{"auths":{"private.dockerrepo.com":{"username":"xxxxx","password":"xxxxx","email":"xxx@xyz.cim","auth":"eHh4eHg6eHh4eHg="}}}

Using v1.13.0:

$ kubectl create secret docker-registry docker-reg-secret --docker-server=private.dockerrepo.com --docker-username=xxxxx --docker-password="xxxxx" --docker-email="xxx@xyz.cim" --dry-run -o json | jq -r '.data[".dockerconfigjson"]' | base64 -d
{"auths":{"private.dockerrepo.com":{"Username":"xxxxx","Password":"xxxxx","Email":"xxx@xyz.cim"}}}

It's the lack of an auth field that trips fluxd up; but the capitalisation might also cause a problem. It's unclear whether this was an entirely deliberate change; we can probably work around it by looking for Username and Password fields (in preference to decoding auth, even).

@squaremo squaremo added the size/small label Dec 11, 2018
@squaremo

This comment has been minimized.

Copy link
Member Author

@squaremo squaremo commented Dec 11, 2018

@awh tracked this down to kubernetes/kubernetes@9f5c2ae, which redefines DockerConfigEntry without the Auth field and without the JSON struct annotations.

Unclear whether it was deliberate or not ...

@dananichev

This comment has been minimized.

Copy link

@dananichev dananichev commented Jan 14, 2019

So... any ETA on fixing this?

@squaremo

This comment has been minimized.

Copy link
Member Author

@squaremo squaremo commented Jan 14, 2019

Looks like it's been fixed in kubectl, in time for 1.14: kubernetes/kubernetes#72344

I am inclined to add an entry to troubleshooting.md advising people to create secrets with a kubectl either side of 1.13.

@dananichev

This comment has been minimized.

Copy link

@dananichev dananichev commented Jan 14, 2019

@squaremo thanks, updated kubectl to 1.13.2 on the client side and generated manifests with secrets.

@squaremo

This comment has been minimized.

Copy link
Member Author

@squaremo squaremo commented Jan 14, 2019

@dananichev Oh, so it's fixed in 1.13.2? Hurrah!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
4 participants
You can’t perform that action at this time.