-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Entrypoint cannot be found in private repository image #7698
Comments
Thanks @wilstdu for reporting this. |
Essentially, the pipeline controller pod doesn't have the rights to fetch the images — really the image configuration — not the entrypoint. @wilstdu what previous version was it working ? 0.54, or even previously ? Also, does it still not work with 0.56 or 0.57 ? |
@vdemeester, I was upgrading Tekton pipelines from v0.44.0 to v0.56.1. It doesn't work with 0.56, nor with 0.57. |
@wilstdu interesting 🤔 So, they way the pipeline controller work (in that part) is that it's taking we are taking the imagePullSecrets from the service account attached to the pipelinerun and the imagePullSecrets from the podTemplate ( |
I also thought that maybe it was
|
@afrittoli yeah, that's what make me wonder what the hell is happening here 🙃 There is changes in the "indirect" dependencies from aws/ecr.
But not on |
@wilstdu if you're familiar with the process of building Tekton, you could try building a v0.55 with |
@afrittoli if I did no mistakes when building the controller image - result is the same. |
I have the same bug discovered when trying to upgrade to the newest version v0.56.1 with the Operator. Same error message and behaviour. One thing I managed to get working was, creating a imagePullSecret attaching to a ServiceAccount and using this ServiceAccount in the PipelineRun. This seems to work and the Task started at least. But this is no solution since AWS is resetting the credentials every 12 hours. More of a "POC" if there is a permission problem. Any progress for this topic or something I can help with to get that fixed? |
@afrittoli I investigated the bug a little bit further in the past few days. I found out updating All in all every module/package used of the replace (
github.com/aws/aws-sdk-go-v2/service/ecr => github.com/aws/aws-sdk-go-v2/service/ecr v1.27.3
github.com/aws/aws-sdk-go-v2/service/ecrpublic => github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.23.3
) I would open a PR with updated dependencies to get that out ASAP and would try to hunt down where the indirect dependency is coming from to patch that directly there (if possible). |
@afrittoli I tracked down the dependencies. It seems that the dependency
This leads to the problem that the indirect dependencies of I would create a PR to fix this with a |
Ideally yes 👼🏼 🙏🏼 |
Expected Behavior
Task without command and script arguments can resolve entrypoint from image manifest laying in a private repository.
Actual Behavior
PodCreationFailed.
Tekton Pipelines controller receives this error:
Failed to create task run pod for taskrun \"tester-17\": failed to create task run pod \"tester-17\": translating TaskSpec to Pod: GET https://<redacted-account-id>.dkr.ecr.<redacted-region>.[amazonaws.com/v2/](http://amazonaws.com/v2/)<redacted-repo>/<redacted>/manifests/<redacted-sha>: unexpected status code 401 Unauthorized: Not Authorized\n. Maybe missing or invalid Task default/resolve-dependencies
Issue started occurring since v0.55.0. With exactly the same system setup and older Tekton Pipelines version is was still working.
Steps to Reproduce the Problem
Additional Info
Discussion on Slack: https://tektoncd.slack.com/archives/CJ62C1555/p1708526794010999
Tekton is installed via Tekton Operator with this configuration, but operator doesn't seem to have impact for this error:
The text was updated successfully, but these errors were encountered: