balena-io / open-balena-registry-proxy

Pull images from balenaCloud container registry with fleet slugs!
Apache License 2.0

Socialise with Flux image reconciliation #134

Open ab77 opened 1 year ago

ab77 commented 1 year ago

Flux will make the following request to a registry to get the latest tags for an image it is managing (e.g.):

GET https://registry-proxy.balena-cloud.com/v2/balena/logs-to-vector-amd64/tags/list?n=1000

Current behaviour results in:

scan failed: GET https://registry-proxy.balena-cloud.com/v2/balena/logs-to-vector-amd64/tags/list?n=1000: DENIED: requested access to the resource is denied;

klutchell commented 1 year ago

Is Flux logged into the balena registry when performing these requests?

ab77 commented 1 year ago

Is Flux logged into the balena registry when performing these requests?

No, these requests are currently unauthenticated (though they can be, if required).

klutchell commented 1 year ago

I expect if they authenticate it will work, the balena registry and API do not support unauthenticated requests of any kind, including scraping tags.

In your example the Flux context would need to docker login registry-proxy.balena-cloud.com with a balena API key that has developer(?) access to that fleet and its releases. Otherwise the API will reject the request.

ab77 commented 1 year ago

This is the registry auth it's configured with (docker login with the same credentials works):

{
  "auths": {
    "registry-proxy.balena-cloud.com": {
      "username": "u",
      "password": "<<BALENA_API_KEY>>",
      "email": "someone@balena.io",
      "auth": "$(echo -n u:<<BALENA_API_KEY>> | base64)"
    },
    "bh.cr": {
      "username": "u",
      "password": "<<BALENA_API_KEY>>",
      "email": "someone@balena.io",
      "auth": "$(echo -n u:<<BALENA_API_KEY>> | base64)"
    }
  }
}

Same issue for getting tags for bh.cr/balena/logs-to-vector-{amd64,aarch64}, Flux always gets back:

scan failed: GET https://registry-proxy.balena-cloud.com/v2/balena/logs-to-vector-aarch64/tags/list?n=1000: DENIED: requested access to the resource is denied;

klutchell commented 1 year ago

I guess public blocks should be allowed without auth, so my original comment may be inaccurate.

Based on the error above, it seems to be trying to use a public registry REST API, and I don't think our registry has such a thing as that's usually hosted out-of-band to registry2 IIRC?

Though I was able to get it working with skopeo so I'm not sure exactly what calls Flux is making without looking at the code.

Though maybe skopeo list-tags has the same problem, which would make reproducibility easier.

ab77 commented 1 year ago

According to my understanding from reading the code (https://github.com/balena-io/open-balena-registry-proxy/blob/master/src/app.ts#L32C1-L35C3), our regex doesn't cover this specific request URL (getting a tags list for an image).

Same for skopeo, (basic) authenticated or not:

$ skopeo list-tags docker://bh.cr/balena/logs-to-vector-amd64
FATA[0007] Error listing repository tags: fetching tags list: requested access to the resource is denied

klutchell commented 1 year ago

I don’t think fixing this regex will yield the results you are hoping for.

Every app release has its own repository and only a single tag, all managed by the API. This is why we need the semver/commit to be part of the registry path when using bh.cr. Everything after : is ignored.

Flux won’t be able to list the next available tag in our registry via any traditional methods. The workaround we use for Renovate is to look at GitHub release tags and apply them to the registry path.

On Fri, Oct 27, 2023 at 7:06 PM Anton Belodedenko @.***> wrote:

According to my understanding from reading the code https://github.com/balena-io/open-balena-registry-proxy/blob/master/src/app.ts#L32C1-L35C3, our regex doesn't cover this specific request URL (getting a tags list for an image).

Same for skopeo, (basic) authenticated or not:

$ skopeo list-tags docker://bh.cr/balena/logs-to-vector-amd64
FATA[0007] Error listing repository tags: fetching tags list: requested access to the resource is denied

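An added example, not code from this issue or from the open-balena-registry-proxy project: a small Python script that implements the workaround klutchell describes, taking the newest GitHub release tag from a constructed list and placing it in the registry path instead of asking the registry for a tag list. The path layout bh.cr/<org>/<fleet>/<version>, the stripping of a leading "v", and the shape of the tag-listing request it flags are assumptions made for illustration, not the proxy's actual rules.

```python
import re

# Constructed sample of GitHub release tags for the image's source repo; this
# stands in for what `gh release list` or the GitHub releases API would return.
SAMPLE_RELEASE_TAGS = ["v1.2.0", "v1.10.1", "v1.9.3", "nightly", "v2.0.0-rc.1"]

SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def semver_key(tag):
    """Return a sortable key for a semver-style release tag, or None when the
    tag is not semver (e.g. 'nightly'). The key carries an 'is final' flag so a
    final release sorts above a pre-release of the same version; pre-release
    labels are compared lexically, which is good enough for release picking."""
    m = SEMVER_RE.match(tag)
    if m is None:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), pre is None, pre or "")


def latest_release(tags, include_prerelease=False):
    """Pick the highest semver tag from GitHub release tags. This replaces the
    information Flux would normally fetch via GET /v2/<repo>/tags/list, which
    the balena registry does not serve."""
    best = None
    for tag in tags:
        key = semver_key(tag)
        if key is None:
            continue
        if not include_prerelease and not key[3]:
            continue
        if best is None or key > best[0]:
            best = (key, tag)
    return best[1] if best else None


def registry_reference(fleet_slug, release_tag, registry="bh.cr"):
    """Build the reference to pull. Assumed layout: the release version goes
    into the path (<registry>/<org>/<fleet>/<version>) because every release is
    its own repository with a single tag; no ':tag' is appended."""
    version = release_tag[1:] if release_tag.startswith("v") else release_tag
    return f"{registry}/{fleet_slug}/{version}"


def strip_ignored_tag(reference):
    """Return (path, tag). Per the thread everything after ':' is ignored by the
    proxy, so references differing only in the tag resolve to the same release.
    A ':' that is followed by a '/' is a host port, not a tag."""
    head, sep, tail = reference.rpartition(":")
    if sep and "/" not in tail:
        return head, tail
    return reference, None


def is_tag_listing_request(url_path):
    """True for a Registry v2 tag-listing path (/v2/<repo>/tags/list, with or
    without a query string), the request shape Flux sends and that the proxy
    answered with DENIED in the logs above. Assumed pattern, for log triage."""
    path = url_path.split("?", 1)[0]
    return re.match(r"^/v2/.+/tags/list$", path) is not None


if __name__ == "__main__":
    tag = latest_release(SAMPLE_RELEASE_TAGS)
    print("newest final release:", tag)
    print("pull reference:", registry_reference("balena/logs-to-vector-amd64", tag))
```

Run as a script it prints the chosen release and the resulting reference; the same two functions are what a Renovate or Flux post-processing step would call once per reconciliation, with the real release list fetched from GitHub in place of the constructed sample.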