argoproj-labs / argocd-image-updater

Automatic container image update for Argo CD
https://argocd-image-updater.readthedocs.io/en/stable/
Apache License 2.0
1.28k stars 265 forks source link

argocd: doesnt pull image metadata from dockerhub private registries #662

Open pratapaprasanna opened 10 months ago

pratapaprasanna commented 10 months ago

Describe the bug

/ $ argocd-image-updater test gouthamappsmith/tests-argocd:release --update-strategy latest
DEBU[0000] Creating in-cluster Kubernetes client
INFO[0000] retrieving information about image            image_alias= image_digest= image_name=gouthamappsmith/tests-argocd image_tag=release registry_url=
INFO[0000] Fetching available tags and metadata from registry  application=test image_alias= image_digest= image_name=gouthamappsmith/tests-argocd image_tag=release registry_url=
FATA[0001] could not get tags: errors:
denied: requested access to the resource is denied
unauthorized: authentication required  application=test image_alias= image_digest= image_name=gouthamappsmith/tests-argocd image_tag=release registry_url=

My registries configmap look as follows

apiVersion: v1
data:
  registries.conf: |
    registries:
    - name: Docker Hub
      api_url: none
      credentials: pullsecret:argocd/appsmith
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app.kubernetes.io/name":"argocd-image-updater-config","app.kubernetes.io/part-of":"argocd-image-updater"},"name":"argocd-image-updater-config","namespace":"argocd"}}
  creationTimestamp: "2024-01-01T07:26:36Z"
  labels:
    app.kubernetes.io/name: argocd-image-updater-config
    app.kubernetes.io/part-of: argocd-image-updater
  name: argocd-image-updater-config
  namespace: argocd
  resourceVersion: "225812617"
  uid: a27b5695-06eb-424e-bbe7-60db4b32d2f6

Same creds work when i do a docker login

(base) ➜  Pictures docker login --username xxxxx --password xxxxxxx
WARNING! Using --password via the CLI is insecure. Use --password-stdin.

Login Succeeded
(base) ➜  Pictures docker pull index.docker.io/gouthamappsmith/test-argocd:release
release: Pulling from gouthamappsmith/test-argocd
c926b61bad3b: Downloading [=========================>                         ]   1.71MB/3.402MB
e5820a814e8c: Downloading [=====>                                             ]  1.453MB/13.14MB
7b4bda58fd3f: Downloading [=>                                                 ]  947.1kB/46.85MB

I created the secret as follows

kubectl create -n argocd secret docker-registry appsmith --docker-username=xxxx --docker-password=xxx

and it is working in the same cluster as imagePullSecrets. Also, occasionally i see Too many pull Requests despite providing my credentials and authenticating myself

Am i missing anything? anyhelp would be off great use Thankyou

Version

/ $ argocd-image-updater version
argocd-image-updater: v0.12.0+aee153d
  BuildDate: 2022-03-14T12:45:27Z
  GitCommit: aee153dabeb8b592e4d091c933ae4f77181db653
  GoVersion: go1.17.8
  GoCompiler: gc
  Platform: linux/amd64
pratapaprasanna commented 10 months ago

I tried the following and it worked.

Create a secret using dockerhub PAT using the following link

cat docker-secret.yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: dockerhub
  namespace: argocd
type: Opaque
stringData:
  token: gouthamappsmith:xxxxxxxxxx

argocd-image-updater.yaml as the following

---
image:
  tag: "latest"

metrics:
  enabled: true

config:
  registries:
    - name: Docker Hub
      credentials: secret:argocd/dockerhub#token
      api_url: https://registry-1.docker.io
      ping: yes
      default: true

Installed argcd-image-updater using the following

helm upgrade -i updater -n argocd argo/argocd-image-updater -f argocd-image-updater.yaml

However, upon deploying i see these logs

time="2024-01-02T08:54:12Z" level=info msg="Successfully updated the live application spec" application=appsmith
time="2024-01-02T08:54:12Z" level=info msg="Processing results: applications=1 images_considered=2 images_skipped=0 images_updated=2 errors=0"

But, I don't see the image not getting updated. Anything i am missing ? I deliberately , didn't go with git commits ?

stefan-oconnell commented 8 months ago

Just wanted to add some traffic to this, we have a similar situation.

We use Azure Container Registry, and when I tried to configure a registry-wide pull secret, it wouldn't auth (but I could curl the same /tag/list endpoint with the same creds).

When I set each image in the image list to use the same pull secret individually, it works.

So I think there's a disconnect somewhere between the registry-wide config (which uses https://????.azurecr.io for it's api url), and the image list which omits the https when defining images.

I'm guessing when it goes to compare to decide if it needs to use that specific registry, it doesn't consider it a match? Just a stab in the dark.