carvel-dev / kbld

kbld seamlessly incorporates image building and image pushing into your development and deployment workflows
https://carvel.dev/kbld
Apache License 2.0

Authentication failure when using credstore secretservice on Linux #26

Closed chrisjs closed 4 years ago

chrisjs commented 4 years ago

On Linux, I am seeing auth failures when using the following docker config. This works fine authing against dockerhub, etc:

$ cat config.json 
{
    "auths": {
        "https://index.docker.io/v1/": {}
    },
    "HttpHeaders": {
        "User-Agent": "Docker-Client/18.09.6 (linux)"
    },
    "credsStore": "secretservice"
}

When running the following command:

kbld unpkg -f resolved-manifest.yaml --input data-flow-image.tar --repository chrisjs/spring-cloud-dataflow-server

It fails with:

unpackage | importing 1 images...
unpackage | importing index.docker.io/springcloud/spring-cloud-dataflow-server@sha256:64807655037fa1dd90f4841e9bff0994bfe37edeaf473fbac722a2412ccfbe89 -> index.docker.io/chrisjs/spring-cloud-dataflow-server@sha256:64807655037fa1dd90f4841e9bff0994bfe37edeaf473fbac722a2412ccfbe89...
unpackage | imported 0 images
kbld: Error: Importing image index.docker.io/springcloud/spring-cloud-dataflow-server@sha256:64807655037fa1dd90f4841e9bff0994bfe37edeaf473fbac722a2412ccfbe89: Importing image as index.docker.io/chrisjs/spring-cloud-dataflow-server@sha256:64807655037fa1dd90f4841e9bff0994bfe37edeaf473fbac722a2412ccfbe89: Writing image: Retried 5 times: unsupported status code 401; body: 

docker-credential-secretservice is on my $PATH and can see my proper credentials in it

When changing my docker config.json to use base64 encoded user:pass, i.e.:

    "auths": {
        "https://index.docker.io/v1/": {
            "auth": "<base64 encoded user:pass>"
        }
    },

It then auths and relocates properly and I can see the image in dockerhub:

$ kbld unpkg -f resolved-manifest.yaml --input data-flow-image.tar --repository chrisjs/spring-cloud-dataflow-server
unpackage | importing 1 images...
unpackage | importing index.docker.io/springcloud/spring-cloud-dataflow-server@sha256:64807655037fa1dd90f4841e9bff0994bfe37edeaf473fbac722a2412ccfbe89 -> index.docker.io/chrisjs/spring-cloud-dataflow-server@sha256:64807655037fa1dd90f4841e9bff0994bfe37edeaf473fbac722a2412ccfbe89...
unpackage | imported 1 images
---
..
..
cppforlife commented 4 years ago

hmm, kbld uses google/go-containerregistry. so far i see that https://github.com/google/go-containerregistry/tree/master/pkg/authn mentions that it is supported. according to https://docs.docker.com/engine/reference/commandline/login/#credentials-store, https://github.com/docker/docker-credential-helpers is the repo responsible for providing these cred helper binaries. looking at this: https://github.com/docker/docker-credential-helpers#with-the-docker-engine, it seems that it's expected that docker-credential-osxkeychain binary is available on the path. is that the case for you?
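An added example, not part of the original thread and not kbld or go-containerregistry code: a small Go diagnostic for the lookup discussed above. It resolves which credential source a config.json selects for a registry key (per-registry credHelpers, then credsStore, then inline auths) and runs the helper's `get` command the way the docker-credential-helpers protocol describes; the function names, exact-key matching and the sample config are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os/exec"
	"strings"
)

// resolveSource reports where credentials for key come from.
// Assumption: key is matched exactly; real clients also normalize hostnames.
func resolveSource(raw []byte, key string) (kind, helper string, err error) {
	var cfg struct { // config.json fields that select a credential source
		Auths       map[string]struct{ Auth string } `json:"auths"`
		CredsStore  string                           `json:"credsStore"`
		CredHelpers map[string]string                `json:"credHelpers"`
	}
	if err = json.Unmarshal(raw, &cfg); err != nil {
		return "", "", err
	}
	switch name := cfg.CredHelpers[key]; {
	case name != "": // per-registry helper wins
		return "helper", "docker-credential-" + name, nil
	case cfg.CredsStore != "": // then the global store
		return "helper", "docker-credential-" + cfg.CredsStore, nil
	case cfg.Auths[key].Auth != "": // then base64(user:pass) kept in the file
		return "inline", "", nil
	}
	return "anonymous", "", nil
}

// queryHelper runs "<helper> get" with the server URL on stdin; the secret is never returned.
func queryHelper(helper, serverURL string) (user string, hasSecret bool, err error) {
	cmd := exec.Command(helper, "get")
	cmd.Stdin = strings.NewReader(serverURL)
	out, err := cmd.Output() // stdout may carry the helper's error text
	if err != nil {
		return "", false, fmt.Errorf("%s get: %w (%s)", helper, err, strings.TrimSpace(string(out)))
	}
	var resp struct{ Username, Secret string }
	err = json.Unmarshal(out, &resp)
	return resp.Username, resp.Secret != "", err
}

func main() {
	key := "https://index.docker.io/v1/" // registry key used in the issue's config.json
	kind, helper, _ := resolveSource([]byte(`{"credsStore":"secretservice"}`), key) // constructed sample
	fmt.Println(kind, helper)
	fmt.Println(queryHelper(helper, key))
}
```

If the helper answers with a username and a secret for the exact key but the client still gets a 401, the problem is in the client's lookup rather than in the store. The inline `auth` workaround is only base64 of user:pass, so anyone who can read config.json can recover the password.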

chrisjs commented 4 years ago

no i only have docker-credential-gcloud and docker-credential-secretservice. i had used the sheaf tool with this configuration which i believe uses the same lib and i didn't have the same issue.

wouldn't docker-credential-osxkeychain be for mac?

cppforlife commented 4 years ago

oops, i don't know why i thought you were using osxkeychain cred store. re-reading the issue clearly shows you are not. if docker-credential-secretservice is present, next step for me is to take a look at the exact usage of go-containerregistry's auth methods. will report back.

cppforlife commented 4 years ago

try out this new version: https://github.com/k14s/kbld/releases/tag/v0.22.0

chrisjs commented 4 years ago

using that version, things appear to work. thanks!

cppforlife commented 4 years ago

perfect. that means fix was correct.