The problem is due to the fact that the dockerjsoncfg is not mounted within the pod.
Solution
Hack the Deployment section of the release YAML file to include the missing bits:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kpack-controller
  namespace: kpack
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kpack-controller
  template:
    metadata:
      labels:
        app: kpack-controller
        ## FIX: Add another label to allow the cert injection webhook to inject the self-signed CA cert of the
        # container registry
        kpack.k14s.io/app: kpack-controller
        version: 0.3.1-rc.3
    spec:
      ## FIX: Create a volume to mount the secret containing the credentials
      volumes:
        - name: credentials
          secret:
            secretName: reg-creds
            defaultMode: 420
      serviceAccountName: controller
      nodeSelector:
        kubernetes.io/os: linux
      containers:
        - name: controller
          image: gcr.io/cf-build-service-public/kpack/controller@sha256:4b3c825d6fb656f137706738058aab59051d753312e75404fc5cdaf49c352867
          env:
            - name: CONFIG_LOGGING_NAME
              value: config-logging
            - name: CONFIG_OBSERVABILITY_NAME
              value: config-observability
            - name: METRICS_DOMAIN
              value: kpack.io
            - name: SYSTEM_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: BUILD_INIT_IMAGE
              valueFrom:
                configMapKeyRef:
                  name: build-init-image
                  key: image
            - name: BUILD_INIT_WINDOWS_IMAGE
              valueFrom:
                configMapKeyRef:
                  name: build-init-windows-image
                  key: image
            - name: REBASE_IMAGE
              valueFrom:
                configMapKeyRef:
                  name: rebase-image
                  key: image
            - name: COMPLETION_IMAGE
              valueFrom:
                configMapKeyRef:
                  name: completion-image
                  key: image
            - name: COMPLETION_WINDOWS_IMAGE
              valueFrom:
                configMapKeyRef:
                  name: completion-windows-image
                  key: image
            - name: LIFECYCLE_IMAGE
              valueFrom:
                configMapKeyRef:
                  name: lifecycle-image
                  key: image
            ## FIX: Add the missing env var to allow docker registry auth
            - name: CREDENTIAL_PROVIDER_SECRET_PATH
              value: /var/kpack/credentials
          resources:
            requests:
              cpu: 20m
              memory: 100Mi
            limits:
              cpu: 100m
              memory: 500Mi
          ## FIX: Mount the volume containing the secret dockerjson credentials
          volumeMounts:
            - name: credentials
              readOnly: true
              mountPath: /var/kpack/credentials
      ## Needed otherwise the image cannot be pulled (e.g. setup-ca-cert) when the pod is created to inject the CA cert
      imagePullSecrets:
        - name: reg-creds
```
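A check that the fixes above are wired together, added here as an example and not taken from the original issue or the kpack project: it verifies that `CREDENTIAL_PROVIDER_SECRET_PATH` points at a read-only `volumeMount` whose volume is backed by a Secret. The function names and the trimmed sample manifests are constructed for illustration.

```python
def check_registry_credential_wiring(deployment, container_name="controller"):
    """Return a list of problems in how the registry secret reaches the container."""
    problems = []
    pod = deployment["spec"]["template"]["spec"]
    ctr = next((c for c in pod.get("containers", []) if c["name"] == container_name), None)
    if ctr is None:
        return [f"container {container_name!r} not found"]

    # 1. The manifest above sets this env var to the directory holding the credentials.
    env = {e["name"]: e.get("value") for e in ctr.get("env", [])}
    path = env.get("CREDENTIAL_PROVIDER_SECRET_PATH")
    if not path:
        problems.append("CREDENTIAL_PROVIDER_SECRET_PATH is not set")

    # 2. A volumeMount must expose exactly that directory, and read-only.
    mounts = ctr.get("volumeMounts", [])
    mount = next((m for m in mounts if m.get("mountPath") == path), None) if path else None
    if path and mount is None:
        problems.append(f"no volumeMount at {path}")
    elif mount and not mount.get("readOnly"):
        problems.append(f"volumeMount {mount['name']!r} is writable")

    # 3. The mounted volume must exist in the pod spec and be backed by a Secret.
    if mount:
        vol = next((v for v in pod.get("volumes", []) if v["name"] == mount["name"]), None)
        if vol is None:
            problems.append(f"volume {mount['name']!r} is not defined")
        elif "secret" not in vol:
            problems.append(f"volume {mount['name']!r} is not backed by a Secret")
    return problems


def sample_deployment(patched):
    """Constructed sample holding only the fields the check reads."""
    ctr = {"name": "controller", "env": [{"name": "METRICS_DOMAIN", "value": "kpack.io"}]}
    pod = {"serviceAccountName": "controller", "containers": [ctr]}
    if patched:
        ctr["env"].append({"name": "CREDENTIAL_PROVIDER_SECRET_PATH",
                           "value": "/var/kpack/credentials"})
        ctr["volumeMounts"] = [{"name": "credentials", "readOnly": True,
                                "mountPath": "/var/kpack/credentials"}]
        pod["volumes"] = [{"name": "credentials", "secret": {"secretName": "reg-creds"}}]
    return {"kind": "Deployment", "spec": {"template": {"spec": pod}}}


if __name__ == "__main__":
    for label, patched in (("unpatched", False), ("patched", True)):
        print(label, check_registry_credential_wiring(sample_deployment(patched)) or "OK")
```

To run it against a live cluster, load the output of `kubectl get deployment kpack-controller -n kpack -o json` with `json.load` and pass the resulting dict to the function.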
NOTES:
The kpack documentation should document how to configure kpack when it will work against a secured and TLS container registry.
The release YAML file should be converted into a Helm chart or ytt files in order to enable/disable some properties and add the missing config when the resources are deployed.
Issue
When the kpack pod controller must fetch an image from a private Docker registry, we get this error