argoproj-labs / argocd-image-updater

Automatic container image update for Argo CD
https://argocd-image-updater.readthedocs.io/en/stable/
Apache License 2.0

after adding registries, checking pod, i still don't get no basic auth credentials: #929

Open UriZafrir opened 2 weeks ago

UriZafrir commented 2 weeks ago

Describe the bug

For argocd image updater usage with ECR, after adding registries, checking pod, I still don't get no basic auth credentials:

./argocd-image-updater-linux_amd64 test 12345678.dkr.ecr.il-central-1.amazonaws.com/tekes/ovd
DEBU[0000] Creating in-cluster Kubernetes client
INFO[0000] retrieving information about image            image_alias= image_name=12345678.dkr.ecr.il-central-1.amazonaws.com/tekes/ovd registry_url=12345678.dkr.ecr.il-central-1.amazonaws.com
DEBU[0000] setting rate limit to 20 requests per second  prefix=12345678.dkr.ecr.il-central-1.amazonaws.com registry="https://12345678.dkr.ecr.il-central-1.amazonaws.com"
DEBU[0000] Inferred registry from prefix 12345678.dkr.ecr.il-central-1.amazonaws.com to use API https://12345678.dkr.ecr.il-central-1.amazonaws.com
INFO[0000] Fetching available tags and metadata from registry  application=test image_alias= image_name=12345678.dkr.ecr.il-central-1.amazonaws.com/tekes/ovd registry_url=12345678.dkr.ecr.il-central-1.amazonaws.com
FATA[0000] could not get tags: Get "https://12345678.dkr.ecr.il-central-1.amazonaws.com/v2/tekes/ovd/tags/list": no basic auth credentials  application=test image_alias= image_name=12345678.dkr.ecr.il-central-1.amazonaws.com/tekes/ovd registry_url=12345678.dkr.ecr.il-central-1.amazonaws.com
│ time="2024-11-10T00:08:52Z" level=debug msg="Image  seems not to be live in this application, skipping" application=dev-microservices             │
│ time="2024-11-10T00:08:52Z" level=info msg="Processing results: applications=1 images_considered=0 images_skipped=1 images_updated=0 errors=0"                     │

To Reproduce

I'm following this guide: https://medium.com/@tomas94depi/argo-image-updater-with-aws-ecr-ddb661abb332

This is my registries:

config:  # parent key of `registries` in the Helm chart values
  registries: #[]
    - name: ECR
      api_url: https://12345678.dkr.ecr.il-central-1.amazonaws.com
      prefix: 12345678.dkr.ecr.il-central-1.amazonaws.com
      ping: yes
      insecure: no
      credentials: ext:/scripts/ecr-login.sh
      credsexpire: 10h
authScripts:
  # -- Whether to mount the defined scripts that can be used to authenticate with a registry, the scripts will be mounted at `/scripts`
  enabled: true
  # -- Map of key-value pairs where the key consists of the name of the script and the value the contents
  scripts:

    ecr-login.sh: |
      #!/bin/sh
      aws ecr --region il-central-1 get-authorization-token --output text --query 'authorizationData[].authorizationToken' | base64 -d

I've disabled the securityContext to not get an error in the argocd image updater pod. I've checked in the argocd image updater pod that it correctly gets the token:

kubectl exec -it -n argocd argocd-image-updater-6fff9445d9-dm98n -- sh
/ $ cd /scripts/
/scripts $ ./
..2024_11_09_23_38_59.3453340715/  ..data/                            ecr-login.sh
/scripts $ ./ecr-login.sh
AWS:<token>

But still I get:

time="2024-11-09T23:47:00Z" level=info msg="Starting image update cycle, considering 1 annotated application(s) for update"
time="2024-11-09T23:47:00Z" level=info msg="Processing results: applications=1 images_considered=0 images_skipped=1 images_updated=0 errors=0"

Expected behavior

Succeed in test

Version

v0.14.0
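
A way to check the credential script's output without echoing the token, as an added example that is not part of the original post or the project's own code. It assumes the `ext:` script must print exactly one `username:password` line (the `AWS:<token>` shape shown above); `check_cred_output` and `check_cred_script` are hypothetical helper names.

```sh
#!/bin/sh
# Validate what an `ext:` credential script printed, reporting only the
# username and the password length so the secret never reaches the terminal.
# Assumption: one line of the form <username>:<password> is expected.

# check_cred_output OUTPUT -> prints a verdict, returns 0 only when usable
check_cred_output() {
    out=$1
    if [ -z "$out" ]; then
        echo "empty output"; return 1
    fi
    # More than one line usually means CLI warnings were mixed into stdout
    lines=$(printf '%s\n' "$out" | wc -l | tr -d ' ')
    if [ "$lines" -ne 1 ]; then
        echo "expected 1 line, got $lines"; return 1
    fi
    # A token that is still base64-encoded (missing `base64 -d`) has no ':'
    case $out in
        *:*) ;;
        *) echo "no ':' separator"; return 1 ;;
    esac
    user=${out%%:*}   # text before the first ':'
    pass=${out#*:}    # text after the first ':'
    [ -n "$user" ] || { echo "empty username"; return 1; }
    [ -n "$pass" ] || { echo "empty password"; return 1; }
    # A decoded ECR authorization token has the form AWS:<password>
    [ "$user" = "AWS" ] || { echo "username is '$user', ECR uses 'AWS'"; return 1; }
    echo "ok: user=$user password_length=${#pass}"
}

# check_cred_script PATH -> runs the script and validates its stdout
check_cred_script() {
    script=$1
    [ -x "$script" ] || { echo "not executable: $script"; return 1; }
    # stderr is discarded so only what the updater would parse is checked
    check_cred_output "$("$script" 2>/dev/null)"
}
```

Inside the pod this would be run as `check_cred_script /scripts/ecr-login.sh`, under the same user and security context as the updater process.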

mconigliaro commented 4 days ago

I had to add this to my helm chart config:

securityContext:
  readOnlyRootFilesystem: false