argoproj-labs / argocd-image-updater

Automatic container image update for Argo CD
https://argocd-image-updater.readthedocs.io/en/stable/
Apache License 2.0
1.3k stars 265 forks source link

dockerhub official registry #443

Open hawkesn opened 2 years ago

hawkesn commented 2 years ago

Describe the bug

When creating a docker-registry secret for DockerHub, the default URL is: https://index.docker.io/v1/ if no --docker-server flag is passed. However, argocd-image-updater uses https://registry-1.docker.io as the default.

To Reproduce

  1. Create a new docker-registry secret using kubectl:
    kubectl create secret docker-registry regcred 
    --docker-username=<your-name> 
    --docker-password=<your-pword> 
    --docker-email=<your-email>
  2. Get the secret and decode the secret on the cluster: kubectl get secret regcred -o jsonpath='{.data.*}' | base64 -d
  3. Note the URL: "https://index.docker.io/v1/"

Expected behavior The default behaviour for using dockerhub should not require a user to specify the registry using the --docker-server flag. Argocd image updater should use the "https://index.docker.io/v1/" url instead of: "https://registry-1.docker.io"

Additional context Kubernetes official documentation here also states the following:

<your-registry-server> is your Private Docker Registry FQDN. Use https://index.docker.io/v1/ for DockerHub.

Version v0.12.0

Logs level=warning msg="Could not fetch credentials: no valid auth entry for registry https://registry-1.docker.io found in image pull secret"

bcbrockway commented 2 years ago

Weird, we don't seem to see this error message but we have the same config:

$ k get secrets -n argocd image-pull-docker-hub -ojson | jq -r '.data[".dockerconfigjson"]' | base64 -d
{"auths":{"https://index.docker.io/v1/":{"username":"my-username","password":"my-password","auth":"my-auth"}}}
apiVersion: v1
kind: ConfigMap
data:
  argocd.grpc_web: "true"
  argocd.insecure: "false"
  argocd.plaintext: "false"
  kube.events: "false"
  log.level: info
  registries.conf: |
    registries:
    - api_url: https://registry-1.docker.io
      credentials: pullsecret:argocd/image-pull-docker-hub
      defaultns: library
      name: Docker Hub

Is there any way to check that the image pull secret is definitely being (or trying to be) used by the image updater?

hawkesn commented 2 years ago

Hi @bcbrockway , sorry forgot to mention the log that I put above did come from the image updater. I found the line here: https://github.com/argoproj-labs/argocd-image-updater/blob/master/pkg/image/credentials.go#L260. So I think it is trying to be used by the image updater

Hope that helps

hawkesn commented 2 years ago

I think it might be this line that could potentially be the culprit but I'm not sure: https://github.com/argoproj-labs/argocd-image-updater/blob/master/pkg/registry/endpoints.go#L101

Zuzuske commented 8 months ago

I'm encountering same issue on v0.12.2 This works:

registries:
    - name: Docker Hub
      api_url: https://index.docker.io
      prefix: docker.io
      credentials: pullsecret:argocd/dockerhub-secret
      ping: yes
      default: true