err pull image from private image registry(harbor) #4603

Closed
wangeDear opened this issue Feb 21, 2022 · 11 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

@wangeDear

Expected Behavior

pull image success

Actual Behavior

Failed to pull image "hub.docker.dev.": rpc error: code = Unknown desc = Error response from daemon: pull access denied for hub.docker.dev. repository does not exist or may require 'docker login'

Steps to Reproduce the Problem

  1. TaskRun yaml
  2. config image: hub.docker.dev.**** (private registry)

Additional Info

  • Kubernetes version:

  • 0.16.0

    Output of kubectl version:

Client Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.0", GitCommit:"2bd9643cee5b3b3a5ecbd3af49d09018f0773c77", GitTreeState:"clean", BuildDate:"2019-09-18T14:36:53Z", GoVersion:"go1.12.9", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.0", GitCommit:"2bd9643cee5b3b3a5ecbd3af49d09018f0773c77", GitTreeState:"clean", BuildDate:"2019-09-18T14:27:17Z", GoVersion:"go1.12.9", Compiler:"gc", Platform:"linux/amd64"}

  • Tekton Pipeline version:

    Output of tkn version or kubectl get pods -n tekton-pipelines -l app=tekton-pipelines-controller -o=jsonpath='{.items[0].metadata.labels.version}'

v0.18.0


@wangeDear wangeDear added the kind/bug Categorizes issue or PR as related to a bug. label Feb 21, 2022
@NEUerYZY

I think this is not a kind of bug. We met the same problem when using it.
Step 1. Create a serviceaccount in the namespace that your task runs in.
Step 2. Create a secret that saves the username and password for the private image registry.
Step 3. Patch the secret into the serviceaccount using a command like: kubectl patch serviceaccount serviceaccountname -p '{"imagePullSecrets":[{"name":"secretname"}]}' -n namespace
With steps 1-3 the serviceaccount has the authority to pull images from your private image registry.
Step 4. Add the "serviceaccount" property in the TASK YAML.

Hope this solution can help.

@Yongxuanzhang
Member

@tekton-robot
Collaborator

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

@tekton-robot tekton-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 24, 2022
@tekton-robot
Collaborator

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle rotten

Send feedback to tektoncd/plumbing.

@tekton-robot tekton-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jun 23, 2022
@tekton-robot
Collaborator

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen with a justification.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/close

Send feedback to tektoncd/plumbing.

@tekton-robot
Collaborator

@tekton-robot: Closing this issue.


@288milan

Same issue here.
Not able to pull image from private Harbor registry.
I already created the secret and attached it to the service account.
Are there any additional settings that need to be done for a Harbor registry?
It's working with a normal pod by using imagepullsecret, which means my password is correct.
I am also able to use public images in the task from the same registry, so my URL is also correct.

This is the error I got while trying to pull the image by the task.

ErrImagePull (rpc error: code = Unknown desc = failed to pull and unpack image "harbor.xxxxx.com/tekton-test/tekton-test:gitclone": failed to resolve reference "harbor.xxxxx.com/tekton-test/tekton-test:gitclone": pulling from host harbor.xxxxx.com failed with status code [manifests gitclone]: 401 Unauthorized)

Do you guys have any idea about this error?
Is there any change that needs to be done to the secret's annotation "tekton.dev/docker-0"?
Is there any way to directly attach the imagepullsecret in the task itself?

@crossRT

crossRT commented Aug 4, 2023

I had the same problem even if I followed the official documentation: https://tekton.dev/docs/pipelines/auth/#configuring-docker-authentication-for-docker

In the end, I found out that in serviceaccount.yaml, we should use imagePullSecrets instead of secrets.
Here's the correct serviceaccount.yaml to make it work.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-bot
imagePullSecrets:
  - name: YOUR_SECRET_NAME_HOLD_DOCKER_CONFIG

You may refer to the Kubernetes documentation: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-image-pull-secret-to-service-account

@ashugcet

ashugcet commented Mar 5, 2024

> I had the same problem even if I followed the official documentation: https://tekton.dev/docs/pipelines/auth/#configuring-docker-authentication-for-docker
>
> In the end, I found out that in serviceaccount.yaml, we should use imagePullSecrets instead of secrets. Here's the correct serviceaccount.yaml to make it work.
>
> apiVersion: v1
> kind: ServiceAccount
> metadata:
>   name: build-bot
> imagePullSecrets:
>   - name: YOUR_SECRET_NAME_HOLD_DOCKER_CONFIG
>
> You may refer to the Kubernetes documentation: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-image-pull-secret-to-service-account

It worked for me.
How strange!! How can they write such a big mistake in the Tekton docs? It wasted lots of my time.
Many thanks @crossRT for your help.

@vdemeester
Member

vdemeester commented Mar 5, 2024

@crossRT @ashugcet 👋🏼 . As commented on the pull-request you sent, it's not a mistake, it is a different "feature" altogether. In your case, you want the node where the Pod created by the TaskRun runs to be able to pull from a private registry — and for this, the usual Kubernetes way applies (because, it's Kubernetes, we build on top).

The documentation you linked (https://tekton.dev/docs/pipelines/auth/#configuring-docker-authentication-for-docker) is not about that, but about how to give the process in the Pod created by the TaskRun the docker configuration/credentials it will need to communicate with a private registry (to pull images using podman, or to push to a registry with kaniko, or to do other OCI image manipulation with skopeo or something). Reading the doc, there is the following:

> In the example below, before executing any Steps in the Run, Tekton creates a ~/.docker/config.json file containing the credentials specified in the Secret.

It's probably clear enough that it creates the file in the Pod and has nothing to do with the Node.

On that note, one of the reasons why those are 2 different reasons/features/mechanisms is because, in Kubernetes, there is a clear separation between the Node and the Pod. Allowing the Node to pull from a private registry doesn't give any permission/credentials/… to a Pod running on it to also pull the same thing — it's "isolated", it needs its own configuration.
We probably should make sure we make this explicit in that documentation, and that we refer to the Kubernetes documentation for the "pull image from private registry on node".
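
The two mechanisms distinguished in the comment above, side by side, as an added example that is not part of the original thread or of the Tekton documentation. The host harbor.example.com, the names harbor-pull, harbor-push and private-image-run, and every REPLACE_ME value are constructed placeholders; build-bot is the ServiceAccount name used earlier in the thread.

```yaml
# Added example. harbor.example.com, all resource names except build-bot,
# and the REPLACE_ME values are constructed placeholders.

# 1) Node side: read by the kubelet to pull the Step image itself.
#    Usually generated with `kubectl create secret docker-registry`.
apiVersion: v1
kind: Secret
metadata:
  name: harbor-pull
type: kubernetes.io/dockerconfigjson
stringData:
  .dockerconfigjson: '{"auths":{"harbor.example.com":{"username":"REPLACE_ME","password":"REPLACE_ME"}}}'
---
# 2) Pod side: read by Tekton, which writes ~/.docker/config.json inside the
#    Pod for tools such as kaniko or skopeo. Only needed when a Step itself
#    talks to the registry.
apiVersion: v1
kind: Secret
metadata:
  name: harbor-push
  annotations:
    tekton.dev/docker-0: https://harbor.example.com
type: kubernetes.io/basic-auth
stringData:
  username: REPLACE_ME
  password: REPLACE_ME
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-bot
imagePullSecrets:   # Node-side pull of private Step images
  - name: harbor-pull
secrets:            # Pod-side credentials; has no effect on image pulls
  - name: harbor-push
---
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  name: private-image-run
spec:
  serviceAccountName: build-bot
  taskSpec:
    steps:
      - name: hello
        image: harbor.example.com/tekton-test/tekton-test:gitclone
        script: |
          echo "pulled from the private registry"
```

Only the `secrets` entry puts credentials where Step processes can read them, so a ServiceAccount for TaskRuns that merely need to pull their Step image can omit it and keep `imagePullSecrets` alone.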

@ashugcet

ashugcet commented Mar 5, 2024

> It's probably clear enough that it creates the file in the Pod and has nothing to do with the Node.

@vdemeester
Understood. Thanks for the clarification.
