apache / incubator-kie-kogito-operator

Kubernetes Operator for Kogito
Apache License 2.0

Pulling from hard-coded "quay.io/kiegroup/" for custom KogitoService image? #759

Closed 0xc1c4da closed 3 years ago

0xc1c4da commented 3 years ago

I am following along this KIE Foundation tutorial on deploying a custom kogito service with kogito-cloud-operator.

Deploying via either the following, my Ansible playbook or by the command line, results in the following error during deployment, despite my image being tagged as quay.io/status-im/process-business-rules-quarkus:latest

Failed to pull image "quay.io/kiegroup/process-business-rules-quarkus:latest": rpc error: code = Unknown desc = Error response from daemon: unauthorized: access to the requested resource is not authorized

It is not clear to me how to override the DefaultImageRegistry or DefaultImageNamespace and if that would solve it?

I've tried the following

cat <<EOF | kubectl -n kogito-operator-system apply -f -
apiVersion: app.kiegroup.org/v1beta1
kind: KogitoRuntime
metadata:
  name: process-business-rules-quarkus
spec:
  replicas: 1
  image: quay.io/status-im/process-business-rules-quarkus:latest
EOF

and

  - name: Create a Deployment for process-business-rules-quarkus.
    k8s:
      state: present
      definition:
        apiVersion: app.kiegroup.org/v1beta1
        kind: KogitoRuntime
        metadata:
          name: process-business-rules-quarkus
          namespace: kogito-operator-system
        spec:
          replicas: 1
          spec:
            containers:
            - name: process-business-rules-quarkus
              image: "{{ image_name }}"
              imagePullPolicy: IfNotPresent
              ports:
              - containerPort: 8080
              imagePullSecrets:
              - name: quay-cred

where image_name is quay.io/status-im/process-business-rules-quarkus

Edit: I've also tried the default namespace to no avail

The quay.io repository is private

sutaakar commented 3 years ago

Hi @jarradh, it looks like the image entry wasn't processed properly. I have tried it locally with the KogitoRuntime CR you provided and the pod is properly trying to pull quay.io/status-im/process-business-rules-quarkus:latest. I have used Kogito operator 1.2.0.

Can you please check and possibly share Kogito operator log? There may be some hint of such behaviour.

Also, it could be caused by using old CRDs: can you please check the CustomResourceDefinition for KogitoRuntime (kubectl get crd kogitoruntimes.app.kiegroup.org -o yaml) and check the image: property? Some long time ago this property was an object with subproperties, then we switched it to string; for 1.2.0 it looks like this: https://github.com/kiegroup/kogito-cloud-operator/blob/1.2.x/config/crd/bases/app.kiegroup.org_kogitoruntimes.yaml#L174-L178 In case you have an old, outdated CRD, the image entry may not be processed well. In such a case, please replace all the CRDs with the newest version.
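The CRD check suggested in this comment can be scripted. The following is an added example, not part of the original comment or the Kogito project's code; it assumes the CRD has been exported as JSON (`kubectl get crd kogitoruntimes.app.kiegroup.org -o json`), and the two sample CRDs, including the old version name and subproperty names, are constructed for illustration.

```python
def image_schema_types(crd):
    """Return {version name: declared type of spec.image} for a CRD object."""
    spec = crd.get("spec", {})
    # apiextensions.k8s.io/v1 stores one schema per version; v1beta1 CRDs may
    # carry a single shared schema under spec.validation instead.
    shared = spec.get("validation", {}).get("openAPIV3Schema")
    types = {}
    for version in spec.get("versions", []):
        schema = version.get("schema", {}).get("openAPIV3Schema") or shared or {}
        props = schema.get("properties", {}).get("spec", {}).get("properties", {})
        image = props.get("image")
        types[version["name"]] = (
            "missing" if image is None else image.get("type", "unspecified"))
    return types


def outdated_versions(crd):
    """Versions whose spec.image is not a plain string, i.e. an old CRD."""
    return sorted(v for v, t in image_schema_types(crd).items() if t != "string")


# Constructed samples, trimmed to the fields the check reads.
CURRENT_CRD = {"spec": {"versions": [{"name": "v1beta1", "schema": {
    "openAPIV3Schema": {"properties": {"spec": {"properties": {
        "image": {"type": "string"},
        "replicas": {"type": "integer"}}}}}}}]}}

OLD_CRD = {"spec": {
    "versions": [{"name": "v1alpha1"}],  # constructed version name
    "validation": {"openAPIV3Schema": {"properties": {"spec": {"properties": {
        # constructed subproperties standing in for the old object form
        "image": {"type": "object", "properties": {
            "name": {"type": "string"}, "tag": {"type": "string"}}}}}}}}}}

if __name__ == "__main__":
    for label, crd in (("current", CURRENT_CRD), ("old", OLD_CRD)):
        print(label, image_schema_types(crd), "outdated:", outdated_versions(crd))
```
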

aramashkan commented 3 years ago

Hi @sutaakar, I have a similar issue. I can't find an example of pulling an image from a private repo. I used an example like @jarradh's above:

apiVersion: app.kiegroup.org/v1beta1
kind: KogitoRuntime
metadata:
  name: blankprocess-v34
  labels:
    app.kubernetes.io/name: blankprocess-v34
    app.kubernetes.io/version: v34
    app.kubernetes.io/component: bpm
spec:
  replicas: 1
  containers:
    - name: blankprocess-v34-image
      image: dreg.citc.ru/kogito/blankprocess:5d6891
      imagePullPolicy: IfNotPresent
      imagePullSecrets:
        - name: registry-auth
---
apiVersion: v1
kind: Secret
metadata:
  name: registry-auth
data:
  .dockerconfigjson: eyJhdXRocyI6eyJkcmVn..........FvPSJ9fX0K
type: kubernetes.io/dockerconfigjson

But I see this error during pod init:

Failed to pull image "quay.io/kiegroup/blankprocess-v34:latest": rpc error: code = Unknown desc = Error response from daemon: unauthorized: access to the requested resource is not authorized

Why is there again the quay.io host? Am I missing something? Using version 1.1.0.

ricardozanini commented 3 years ago

Hi @aramashkan

The KogitoRuntime spec does not have a containers interface. You must define the image as follows:

apiVersion: app.kiegroup.org/v1beta1
kind: KogitoRuntime
metadata:
  name: blankprocess-v34
  labels:
    app.kubernetes.io/name: blankprocess-v34
    app.kubernetes.io/version: v34
    app.kubernetes.io/component: bpm
spec:
  replicas: 1
  image: dreg.citc.ru/kogito/blankprocess:5d6891

Kogito operator will generate an ImageStream based on your image. You can then configure it to meet your needs if required.
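A pre-apply lint for the mistake corrected in this answer, as an added example that is not part of the original comment or the operator's code. It assumes the manifest is already parsed into a dict, and the fallback reference it reports (quay.io/kiegroup/<metadata.name>:latest) is inferred from the error messages quoted in this thread, not from the operator source.

```python
POD_ONLY_KEYS = {"containers", "imagePullSecrets"}


def find_keys(node, wanted, path="spec"):
    """Yield the dotted path of every key in `wanted` found under node."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key in wanted:
                yield here
            yield from find_keys(value, wanted, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_keys(item, wanted, f"{path}[{i}]")


def lint_kogito_runtime(cr):
    """Return findings for a KogitoRuntime manifest; empty list means clean."""
    findings = []
    spec = cr.get("spec") or {}
    name = cr.get("metadata", {}).get("name", "<name>")
    image = spec.get("image")
    if not isinstance(image, str) or not image.strip():
        # Fallback format inferred from the pull errors in this thread.
        findings.append("spec.image missing or not a string: expect a pull of "
                        f"quay.io/kiegroup/{name}:latest")
    for path in find_keys(spec, POD_ONLY_KEYS):
        findings.append(f"{path}: Pod-style field, not part of the KogitoRuntime spec")
    return findings


# Manifests from this thread, trimmed to the fields that matter.
REJECTED = {"kind": "KogitoRuntime", "metadata": {"name": "blankprocess-v34"},
            "spec": {"replicas": 1, "containers": [{
                "name": "blankprocess-v34-image",
                "image": "dreg.citc.ru/kogito/blankprocess:5d6891",
                "imagePullSecrets": [{"name": "registry-auth"}]}]}}
ACCEPTED = {"kind": "KogitoRuntime", "metadata": {"name": "blankprocess-v34"},
            "spec": {"replicas": 1,
                     "image": "dreg.citc.ru/kogito/blankprocess:5d6891"}}

if __name__ == "__main__":
    for cr in (REJECTED, ACCEPTED):
        print(lint_kogito_runtime(cr) or "ok")
```
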

aramashkan commented 3 years ago

@sutaakar, I tried this, but it is a private repo, so I got:

Failed to pull image "dreg.citc.ru/kogito/blankprocess: 5d6891": rpc error: code = Unknown desc = Error response from daemon: Get https://dreg.citc.ru/v2/kogito/blankprocess/manifests/5d6891: no basic auth credentials

How can I set up basic auth for image pulling?

ricardozanini commented 3 years ago

We don't support this feature just yet from our interface. I recommend configuring your platform instead. I opened KOGITO-4706 to track this down in the next sprint to support setting pulling secrets from our interface.

@sutaakar can you confirm? 'Cause I remember us having a similar issue in the past.

sutaakar commented 3 years ago

AFAIK we don't support it for now.