Error checking push permissions to Harbor registry #1415

Open
Morride opened this issue Sep 3, 2020 · 8 comments
Labels
area/registry For all bugs having to do with pushing/pulling into registries kind/question Further information is requested

Comments

@Morride

Morride commented Sep 3, 2020

Actual behavior
A clear and concise description of what the bug is.
An error occurred when I created the kaniko pod

error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "harbor.vkdata.com/library/test-kaniko": creating push check transport for harbor.vkdata.com failed: Get "https://harbor.data.com/v2/": dial tcp 18.211.9.206:443: connect: connection refused

First of all, my harbor registry is installed using helm and only has an intranet. I added its domain name resolution for all servers in the cluster. This is my config.json:

cat /root/.docker/config.json 
{
	"auths": {
		"harbor.data.com": {
			"auth": "xxxxx"
		}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/18.09.6 (linux)"
	}
}

https://github.com/GoogleContainerTools/kaniko#pushing-to-docker-hub
I created /kaniko/.docker/config.json according to this step, and created a secret ↑

{
        "auths": {
                "http://harbor.data.com/v1/": {
                        "auth": "xxxxx"
                }
        }
}
---
kubectl create secret generic kaniko-secret --from-file=/kaniko/.docker/config.json

This is my pod yaml

apiVersion: v1
kind: Pod
metadata:
  name: kaniko
spec:
  containers:
  - name: kaniko
    image: gcr.io/kaniko-project/executor:latest  
    args: ["--dockerfile=/workspace/dockerfile",
            "--context=dir://workspace",
            "--destination=harbor.data.com/library/test-kaniko"]
    volumeMounts:
      - name: kaniko-secret
        mountPath: /kaniko/.docker
      - name: dockerfile-storage
        mountPath: /workspace
  restartPolicy: Never
  volumes:
    - name: kaniko-secret
      secret:
        secretName: kaniko-secret
    - name: dockerfile-storage
      persistentVolumeClaim:
        claimName: dockerfile-pvc

Expected behavior
A clear and concise description of what you expected to happen.
So I want to know why the pod will access the IP in the error. Does kaniko not support access to the Harbor registry of the LAN?
Did I make a mistake in one step? I'm a novice.
To Reproduce
Steps to reproduce the behavior:

Additional Information

  • Dockerfile
    Please provide either the Dockerfile you're trying to build or one that can reproduce this error.
  • Build Context
    Please provide or clearly describe any files needed to build the Dockerfile (ADD/COPY commands)
  • Kaniko Image (fully qualified with digest)
    gcr.io/kaniko-project/executor:latest 50388657b978

Triage Notes for the Maintainers

Description: Yes/No
Please check if this is a new feature you are proposing: No
Please check if the build works in docker but not in kaniko: Yes
Please check if this error is seen when you use --cache flag: No
Please check if your dockerfile is a multistage dockerfile: Yes

@Morride
Author

Morride commented Sep 7, 2020

I corrected some configurations
config.json

{"auths":{"harbor.vkdata.com":{"username":"admin","password":"Harbor12345","email":"admin@harbor.com","auth":"YWRtaW46SGFyYm9yMTIzNDU="}}}

pod.yaml
I referred to #685 and added the additional flags --insecure and --skip-tls-verify

spec:
  containers:
  - name: kaniko
    image: harbor.vkdata.com/library/executor:v0.1
    args: ["--dockerfile=/workspace/dockerfile",
            "--context=dir://workspace",
            "--destination=harbor.vkdata.com/library/test-kaniko:v1",
            "--skip-tls-verify=true",
            "--insecure=true"]

I switched https to http, but I still encountered the error connect: connection refused.

error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "harbor.vkdata.com/library/test-kaniko:v1": creating push check transport for harbor.vkdata.com failed: Get "http://harbor.vkdata.com/v2/": dial tcp 18.211.9.206:80: connect: connection refused

So I can't find another way.
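The error quoted above fails at `dial tcp`, before any credential is sent, so the address it dialed says more than the authentication hint in the message. This added example (not part of the original thread, and not kaniko code) parses that error tail and reports which layer failed; the function name `diagnose`, the layer labels and the second sample line are assumptions made for illustration.

```python
import ipaddress
import re

# Tail of the kaniko push-check error as quoted in this thread:
#   Get "<url>": dial tcp <ip>:<port>: connect: <reason>
DIAL_RE = re.compile(
    r'Get "(?P<scheme>https?)://(?P<host>[^/"]+)[^"]*": '
    r'dial tcp \[?(?P<ip>[0-9A-Fa-f:.]+?)\]?:(?P<port>\d+): connect: (?P<reason>.+)$'
)

# Second error line from the issue, copied verbatim.
ISSUE_LINE = (
    'creating push check transport for harbor.vkdata.com failed: '
    'Get "http://harbor.vkdata.com/v2/": dial tcp 18.211.9.206:80: '
    'connect: connection refused'
)
# Constructed line: same failure, but the name resolved to an RFC 1918 address.
CONSTRUCTED_LINE = (
    'Get "https://harbor.example.internal/v2/": dial tcp 10.20.0.15:443: '
    'connect: connection refused'
)


def diagnose(line, registry_is_internal=True):
    """Say which layer failed; None if the line is not a dial error."""
    m = DIAL_RE.search(line)
    if m is None:
        return None
    ip = ipaddress.ip_address(m["ip"])
    if registry_is_internal and ip.is_global:
        # The pod resolved the name to a public address, so its DNS answer
        # differs from the intranet record: fix resolution inside the pod.
        layer = "name-resolution"
    elif "refused" in m["reason"]:
        # Right network, but nothing accepts connections on that port.
        layer = "listener"
    else:
        layer = "network"
    return {"host": m["host"], "ip": str(ip), "port": int(m["port"]),
            "scheme": m["scheme"], "layer": layer}


if __name__ == "__main__":
    for sample in (ISSUE_LINE, CONSTRUCTED_LINE):
        print(diagnose(sample))
```

A `name-resolution` result means credentials and TLS flags are not yet in play: the name has to resolve to the intranet address from inside the pod first.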

@tejal29
Member

tejal29 commented Sep 9, 2020

Thanks @Morride. I have never worked with the Harbor registry.
A few things to try:

  1. Can you pull and push images via the docker CLI to the Harbor registry?
  2. If yes, kaniko uses go-containerregistry to push images. You can use the crane tool to see if you can push an image to the Harbor registry.
crane push tarball <registry>

If you are able to pull and push via docker and crane, please let us know.

@tejal29 tejal29 added area/registry For all bugs having to do with pushing/pulling into registries kind/question Further information is requested labels Sep 9, 2020
@gcalmettes
Contributor

gcalmettes commented Sep 16, 2020

Hi @Morride ,

We are successfully using our harbor docker registry with kaniko.

Below are the relevant templates we are using:

  • Kaniko pod:
apiVersion: v1
kind: Pod
metadata:
  name: kaniko-app
  namespace: kaniko
spec:
  containers:
  - name: kaniko-app
    image: gcr.io/kaniko-project/executor:latest
    args: ["--dockerfile=Dockerfile",
            "--context=git://auth:password@gitlab.domainname.com/group/repo.git",
            "--context-sub-path=examples/demo/",
            "--destination=harbor.domainname.com/project/image:0.1"]
    volumeMounts:
      - name: kaniko-secret
        mountPath: .docker/
  volumes:
    - name: kaniko-secret
      secret:
        secretName: kaniko-secret
        items:
          - key: .dockerconfigjson
            path: config.json
  • Kaniko secret:
apiVersion: v1
data:
  .dockerconfigjson: somebase64encodeddatalll8hkljhkjhuiejhkjh==
kind: Secret
metadata:
  name: kaniko-secret
  namespace: kaniko
type: kubernetes.io/dockerconfigjson

and the credentials encoded in base64 (above) are in the form:

{"auths":{"https://harbor.domainname.com/":{"username":"someusername","password":"somepassword","email":"some@email.com","auth":"sometoken=="}}}

@ilyesAj

ilyesAj commented Dec 6, 2022


This pod template did not work for me; I used instead the official example with volume mount here

@ilyesAj

ilyesAj commented Dec 6, 2022

@tejal29 @Morride I think the issue can be closed since everything is documented.

@sambonbonne

This issue is still open, so I want to share a potential fix: my pipeline was running the Kaniko image with the root user, so instead of mounting the configuration (with the auths information) to /kaniko/.docker/config.json, you should try to mount it on /root/.docker/config.json.

@Misterixmax

I found a working example of a kaniko pod template for Jenkins which builds a simple node.js application and pushes it to Harbor.
The template looks like this:

apiVersion: v1
kind: Pod
metadata:
  labels:
    some-label: some-label-value
spec:
  containers:
  - name: kaniko
    image: gcr.io/kaniko-project/executor:debug # <- this part should be changed
    imagePullPolicy: IfNotPresent # <- choose your own strategy
    command:
    - /busybox/cat
    tty: true
    volumeMounts:
      - name: dockercred
        mountPath: /kaniko/.docker # <- this is a right path
  volumes:
  - name: dockercred
    secret:
      secretName: docker-credentials
      items:
        - key: .dockerconfigjson
          path: config.json

And the secret has to look like:

{"auths":{"http://your-harbor-address/v2/":{"auth":"cm9ib3QtamVua2luczpqTHl2QlhJQnJYSFJvTEtma2FjSVNKUGQ5dVlFNm91Zg=="}}}

The auth field from the JSON above is the base64-encoded username and password in the following scheme:
"username:password"
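The config.json variants posted in this thread differ in the `auths` key (bare host, `https://host/`, `http://host/v2/`) and in how the `auth` value is built. This added example (not part of the original thread, and not kaniko or Docker code) checks a config.json against a `--destination` before it is turned into a secret; matching keys by host after dropping scheme and path is a simplifying assumption, and every host, credential and function name in it is constructed for illustration.

```python
import base64
import binascii
import json
from urllib.parse import urlsplit


def registry_host(ref):
    """Host[:port] of an image reference or auths key, scheme and path dropped."""
    return urlsplit(ref if "://" in ref else "//" + ref).netloc.lower()


def check_config(config_text, destination):
    """Return a list of problems; an empty list means the entry looks usable."""
    try:
        auths = json.loads(config_text)["auths"]
    except json.JSONDecodeError as exc:
        return [f"config.json is not valid JSON: {exc.msg}"]
    except (KeyError, TypeError):
        return ['config.json has no top-level "auths" object']
    want = registry_host(destination)
    matches = {k: v for k, v in auths.items() if registry_host(k) == want}
    problems = []
    if not matches:
        problems.append(f"no auths entry for {want}; keys present: {sorted(auths)}")
    for key, entry in matches.items():
        if key.startswith("http://"):
            problems.append(f"{key}: key names a plaintext http:// endpoint")
        try:
            decoded = base64.b64decode(entry.get("auth", ""), validate=True).decode()
        except (binascii.Error, UnicodeDecodeError):
            problems.append(f"{key}: auth is not valid base64")
            continue
        user, sep, secret = decoded.partition(":")
        if not (user and sep and secret):
            problems.append(f"{key}: auth does not decode to username:password")
    return problems


# Constructed samples; the host and credentials are placeholders.
AUTH = base64.b64encode(b"builder:example-pass").decode()
GOOD = json.dumps({"auths": {"https://harbor.example.internal/": {"auth": AUTH}}})
WRONG_HOST = json.dumps({"auths": {"harbor.other.internal": {"auth": AUTH}}})
UNQUOTED = "{auths:{harbor.example.internal:{auth:" + AUTH + "}}}"
DEST = "harbor.example.internal/library/test-kaniko:v1"

if __name__ == "__main__":
    for name, cfg in (("good", GOOD), ("wrong host", WRONG_HOST), ("unquoted", UNQUOTED)):
        print(name, check_config(cfg, DEST))
```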

@HemantPattnaik

@Morride were you able to solve this?
