
envbox "CODER_IMAGE_PULL_SECRET" should allow the "auth" field on its own

Open jatcod3r opened this issue 1 year ago • 0 comments

When passing in a docker config secret using the following format:

{
  "auths": {
    "https://registry.jfrog.io": {
      "auth": "anV.....5Ug=="
    }
  }
}

authentication against my private image registry fails when trying to pull some image.

I verified that the base64 value is correct such that when decoded, it comes in a <username>:<JFrog_Docker_PAT> format. However, when passing the same value as an environment variable, envbox fails with the following:

{"ts":"2024-09-25T22:35:23.636465215Z","level":"ERROR","msg":"child log","caller":"/home/runner/work/envbox/envbox/background/process.go:248","func":"github.com/coder/envbox/background.scanIntoLog","logger_names":["dockerd"],"fields":{"process":"dockerd","content":"time=\"2024-09-25T22:35:23.636366939Z\" level=error msg=\"Handler for POST /v1.42/images/create returned error: Head \\\"https://registry.jfrog.io/v2/docker/coder/coder-demo/coder-demo-node/manifests/latest\\\": unknown: Authentication is required\""}}
{"ts":"2024-09-25T22:35:26.638400449Z","level":"DEBUG","msg":"child log","caller":"/home/runner/work/envbox/envbox/background/process.go:248","func":"github.com/coder/envbox/background.scanIntoLog","logger_names":["dockerd"],"fields":{"process":"dockerd","content":"time=\"2024-09-25T22:35:26.638319435Z\" level=debug msg=\"Calling POST /v1.42/images/create?fromImage=registry.jfrog.io%2Fdocker%2Fcoder%2Fcoder-demo%2Fcoder-demo-node\u0026tag=latest\""}}
{"ts":"2024-09-25T22:35:26.649533892Z","level":"DEBUG","msg":"child log","caller":"/home/runner/work/envbox/envbox/background/process.go:248","func":"github.com/coder/envbox/background.scanIntoLog","logger_names":["dockerd"],"fields":{"process":"dockerd","content":"time=\"2024-09-25T22:35:26.649442818Z\" level=debug msg=\"hostDir: /etc/docker/certs.d/registry.jfrog.io\""}}
{"ts":"2024-09-25T22:35:26.649629378Z","level":"DEBUG","msg":"child log","caller":"/home/runner/work/envbox/envbox/background/process.go:248","func":"github.com/coder/envbox/background.scanIntoLog","logger_names":["dockerd"],"fields":{"process":"dockerd","content":"time=\"2024-09-25T22:35:26.649499866Z\" level=debug msg=\"Trying to pull registry.jfrog.io/docker/coder/coder-demo/coder-demo-node from https://registry.jfrog.io\""}}
{"ts":"2024-09-25T22:35:27.178910802Z","level":"INFO","msg":"child log","caller":"/home/runner/work/envbox/envbox/background/process.go:248","func":"github.com/coder/envbox/background.scanIntoLog","logger_names":["dockerd"],"fields":{"process":"dockerd","content":"time=\"2024-09-25T22:35:27.178825359Z\" level=info msg=\"Attempting next endpoint for pull after error: Head \\\"https://registry.jfrog.io/v2/docker/coder/coder-demo/coder-demo-node/manifests/latest\\\": unknown: Authentication is required\""}}
{"ts":"2024-09-25T22:35:27.181578796Z","level":"ERROR","msg":"child log","caller":"/home/runner/work/envbox/envbox/background/process.go:248","func":"github.com/coder/envbox/background.scanIntoLog","logger_names":["dockerd"],"fields":{"process":"dockerd","content":"time=\"2024-09-25T22:35:27.181484801Z\" level=error msg=\"Handler for POST /v1.42/images/create returned error: Head \\\"https://registry.jfrog.io/v2/docker/coder/coder-demo/coder-demo-node/manifests/latest\\\": unknown: Authentication is required\""}}
{"output":"Failed to run envbox: pull image: pull image: pull image: Error response from daemon: Head \"https://registry.jfrog.io/v2/docker/coder/coder-demo/coder-demo-node/manifests/latest\": unknown: Authentication is required","time":"2024-09-25T22:35:30.182568947Z","type":"error"}
{"output":"Failed to run envbox: run: pull image: pull image: pull image: Error response from daemon: Head \"https://registry.jfrog.io/v2/docker/coder/coder-demo/coder-demo-node/manifests/latest\": unknown: Authentication is required","time":"2024-09-25T22:35:30.182797806Z","type":"error"}
{"output":"","time":"2024-09-25T22:35:30.182809563Z","type":"done"}

This should be a valid approach: when manually embedding the config.json in the base-container image with the /envbox binary (not to be confused with the inner-image), I'm able to run dockerd &, authenticate against my private JFrog image repository, and pull my image successfully.

As reference, I used/did the following:

AWS EKS Kubernetes v1.30

Coder Template: https://github.com/coder/coder/tree/main/examples/templates/envbox

My Modifications:

      // main.tf
      env {
        name  = "CODER_INNER_IMAGE"
        value = "registry.jfrog.io/docker/coder/coder-demo/coder-demo-node:latest"
      }
      ...
      env {
        name = "CODER_IMAGE_PULL_SECRET"
        value_from {
          secret_key_ref {
            name = "jfrog-secret"
            key  = ".dockerconfigjson"
          }
        }
      }

Docker Kubernetes Secret (jfrog-secret):

apiVersion: v1
data:
  .dockerconfigjson: eyJhdX...fX19
kind: Secret
metadata:
  name: jfrog-secret
  namespace: coder
type: kubernetes.io/dockerconfigjson

jatcod3r, Sep 25 '24 23:09
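An added example, not part of the issue and not envbox's own code: one way a pull-secret parser can accept an entry that carries only the "auth" field, by decoding base64(username:password) when no explicit username and password are present. The helper names, the registry.example.test host and the credential are constructed for illustration, and stripping the URL scheme from the "auths" key is an assumption of this sketch.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// authEntry mirrors one entry under "auths" (JSON keys match case-insensitively).
type authEntry struct{ Username, Password, Auth string }

// sampleConfig builds a constructed config whose entry has only "auth".
func sampleConfig() []byte {
	auth := base64.StdEncoding.EncodeToString([]byte("demo-user:pat:with:colon"))
	return []byte(`{"auths":{"https://registry.example.test":{"auth":"` + auth + `"}}}`)
}

// resolveCreds (hypothetical helper) returns the credentials for host, using
// explicit username/password when both are set and the "auth" field otherwise.
func resolveCreds(raw []byte, host string) (string, string, error) {
	var cfg struct{ Auths map[string]authEntry }
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return "", "", fmt.Errorf("parse docker config: %w", err)
	}
	for key, e := range cfg.Auths {
		// Assumption: keys may carry a scheme or trailing slash; compare hosts only.
		k := strings.TrimPrefix(strings.TrimPrefix(key, "https://"), "http://")
		if strings.TrimSuffix(k, "/") != host {
			continue
		}
		if e.Username != "" && e.Password != "" {
			return e.Username, e.Password, nil
		}
		dec, err := base64.StdEncoding.DecodeString(e.Auth)
		// Split on the first colon only: tokens may themselves contain colons.
		parts := strings.SplitN(string(dec), ":", 2)
		if err != nil || len(parts) != 2 || parts[0] == "" {
			return "", "", fmt.Errorf("auth for %s is not base64(username:password)", host)
		}
		return parts[0], parts[1], nil
	}
	return "", "", fmt.Errorf("no auth entry for %s", host)
}

func main() {
	u, p, err := resolveCreds(sampleConfig(), "registry.example.test")
	fmt.Println(u, len(p), err) // print the secret's length, never the secret
}
```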