Open ab77 opened 1 year ago
Is Flux logged into the balena registry when performing these requests?
No, these requests are currently unauthenticated (though they can be, if required).
I expect if they authenticate it will work; the balena registry and API do not support unauthenticated requests of any kind, including scraping tags.
In your example the Flux context would need to docker login registry-proxy.balena-cloud.com with a balena API key that has developer(?) access to that fleet and its releases. Otherwise the API will reject the request.
This is the registry auth it's configured with (docker login with the same credentials works):
{
  "auths": {
    "registry-proxy.balena-cloud.com": {
      "username": "u",
      "password": "<<BALENA_API_KEY>>",
      "email": "someone@balena.io",
      "auth": "$(echo -n u:<<BALENA_API_KEY>> | base64)"
    },
    "bh.cr": {
      "username": "u",
      "password": "<<BALENA_API_KEY>>",
      "email": "someone@balena.io",
      "auth": "$(echo -n u:<<BALENA_API_KEY>> | base64)"
    }
  }
}
Same issue for getting tags for bh.cr/balena/logs-to-vector-{amd64,aarch64}, Flux always gets back:
scan failed: GET https://registry-proxy.balena-cloud.com/v2/balena/logs-to-vector-aarch64/tags/list?n=1000: DENIED: requested access to the resource is denied;
I guess public blocks should be allowed without auth, so my original comment may be inaccurate.
Based on the error above, it seems to be trying to use a public registry REST API, and I don't think our registry has such a thing as that's usually hosted out-of-band to registry2 IIRC?
Though I was able to get it working with skopeo so I'm not sure exactly what calls Flux is making without looking at the code.
Though maybe skopeo list-tags has the same problem, which would make reproducibility easier.
According to my understanding from reading the code, our regex doesn't cover this specific request URL (getting a tags list for an image).
Same for skopeo, (basic) authenticated or not:
$ skopeo list-tags docker://bh.cr/balena/logs-to-vector-amd64
FATA[0007] Error listing repository tags: fetching tags list: requested access to the resource is denied
I don’t think fixing this regex will yield the results you are hoping for.
Every app release has its own repository and only a single tag, all managed by the API. This is why we need the semver/commit to be part of the registry path when using bh.cr. Everything after : is ignored.
Flux won’t be able to list the next available tag in our registry via any traditional methods. The workaround we use for Renovate is to look at GitHub release tags and apply them to the registry path.
On Fri, Oct 27, 2023 at 7:06 PM Anton Belodedenko @.***> wrote:
According to my understanding from reading the code https://github.com/balena-io/open-balena-registry-proxy/blob/master/src/app.ts#L32C1-L35C3, our regex doesn't cover this specific request URL (getting a tags list for an image).
Same for skopeo, (basic) authenticated or not:
$ skopeo list-tags docker://bh.cr/balena/logs-to-vector-amd64
FATA[0007] Error listing repository tags: fetching tags list: requested access to the resource is denied
Flux will make the following request to a registry to get the latest tags for an image it is managing (e.g.):
Current behaviour results in: