[X] ... the documentation does not mention anything about my problem
[X] ... there are no open or closed issues that are related to my problem
Description
I cannot get diun to pull image manifests from Google Artifact Registry.
Expected behaviour
I should be able to log in with username _json_key and key.json as password to Google Artifact Registry, in my case us-east1-docker.pkg.dev.
Actual behaviour
Actual behavior is that I get a 403 error with USERNAME=_json_key and PASSWORDFILE=/etc/secret/key.json.
Steps to reproduce
Create Google SA
Create and download Google SA JSON key file
Add roles/regisry.reader and roles/iam.serviceAccountTokenCreator to the SA
Create GKE/k8s Opaque secret with key.json key and data content of key.json
Apply k8s configuration with sample app of your choice
Diun version
4.26.0
Docker info
v1.27.7-gke.1121000
containerd://1.7.7
Docker Compose config
No response
Logs
Tue, 30 Jan 2024 14:26:24 CET INF Starting Diun version=v4.26.0
Tue, 30 Jan 2024 14:26:24 CET DBG No configuration file found
Tue, 30 Jan 2024 14:26:24 CET INF Configuration loaded from 10 environment variable(s)
Tue, 30 Jan 2024 14:26:24 CET DBG {
  "db": {
    "path": "/data/diun.db"
  },
  "watch": {
    "workers": 20,
    "schedule": "0 */6 * * *",
    "jitter": 30000000000,
    "firstCheckNotif": false,
    "runOnStartup": true,
    "compareDigest": true
  },
  "defaults": {
    "watchRepo": false,
    "notifyOn": [
      "new",
      "update"
    ],
    "sortTags": "reverse"
  },
  "regopts": [
    {
      "name": "us-east1-docker.pkg.dev",
      "selector": "name",
      "username": "_json_key",
      "passwordFile": "/etc/secret/key.json",
      "insecureTLS": false,
      "timeout": 0
    }
  ],
  "providers": {
    "kubernetes": {
      "tlsInsecure": false,
      "namespaces": [
        "my-app"
      ],
      "watchByDefault": false
    }
  }
}
Tue, 30 Jan 2024 14:26:24 CET WRN No notifier available
Tue, 30 Jan 2024 14:26:24 CET DBG 0 entries found in manifest bucket
Tue, 30 Jan 2024 14:26:24 CET DBG Current database version: 1
Tue, 30 Jan 2024 14:26:24 CET INF Database migration v2...
Tue, 30 Jan 2024 14:26:24 CET INF Cron triggered
Tue, 30 Jan 2024 14:26:24 CET DBG Creating in-cluster Kubernetes provider client
Tue, 30 Jan 2024 14:26:24 CET DBG Validate image ctn_image=haproxy:1.7-alpine ctn_name=haproxy pod_annot=null pod_name=db-proxy-port-fwd-8579bc6886-zt5wg provider=kubernetes
Tue, 30 Jan 2024 14:26:24 CET DBG Watch disabled ctn_image=haproxy:1.7-alpine ctn_name=haproxy pod_annot=null pod_name=db-proxy-port-fwd-8579bc6886-zt5wg provider=kubernetes
Tue, 30 Jan 2024 14:26:24 CET DBG Validate image ctn_image=us-east1-docker.pkg.dev/reducted-project-id/my-app-backend/my-app-backend:latest ctn_name=my-app pod_annot=null pod_name=my-app-portal-backend-584f565668-gd9pq provider=kubernetes
Tue, 30 Jan 2024 14:26:24 CET DBG Watch disabled ctn_image=us-east1-docker.pkg.dev/reducted-project-id/my-app-backend/my-app-backend:latest ctn_name=my-app pod_annot=null pod_name=my-app-portal-backend-584f565668-gd9pq provider=kubernetes
Tue, 30 Jan 2024 14:26:24 CET DBG Validate image ctn_image=us-east1-docker.pkg.dev/reducted-project-id/my-app-frontend/my-app-frontend:latest ctn_name=my-app pod_annot=null pod_name=my-app-portal-frontend-77d8f7dcc4-97tlc provider=kubernetes
Tue, 30 Jan 2024 14:26:24 CET DBG Watch disabled ctn_image=us-east1-docker.pkg.dev/reducted-project-id/my-app-frontend/my-app-frontend:latest ctn_name=my-app pod_annot=null pod_name=my-app-portal-frontend-77d8f7dcc4-97tlc provider=kubernetes
Tue, 30 Jan 2024 14:26:24 CET DBG Validate image ctn_image=us-east1-docker.pkg.dev/reducted-project-id/my-app-frontend2/my-app-frontend2:latest ctn_name=my-app pod_annot=null pod_name=my-app-portal-frontend2-5b7c987ffb-6mzd8 provider=kubernetes
Tue, 30 Jan 2024 14:26:24 CET DBG Watch disabled ctn_image=us-east1-docker.pkg.dev/reducted-project-id/my-app-frontend2/my-app-frontend2:latest ctn_name=my-app pod_annot=null pod_name=my-app-portal-frontend2-5b7c987ffb-6mzd8 provider=kubernetes
Tue, 30 Jan 2024 14:26:24 CET DBG Validate image ctn_image=us-east1-docker.pkg.dev/reducted-project-id/my-app-db/my-app-db:latest ctn_name=my-app pod_annot={"diun.enable":"true"} pod_name=my-app-portal-db-58976bbcf4-cs2rr provider=kubernetes
Tue, 30 Jan 2024 14:26:24 CET INF Found 1 image(s) to analyze provider=kubernetes
Tue, 30 Jan 2024 14:26:24 CET DBG [containers/image] Loading registries configuration "/etc/containers/registries.conf"
Tue, 30 Jan 2024 14:26:24 CET DBG [containers/image] No credentials matching us-east1-docker.pkg.dev found in /run/containers/0/auth.json
Tue, 30 Jan 2024 14:26:24 CET DBG [containers/image] No credentials matching us-east1-docker.pkg.dev found in /root/.config/containers/auth.json
Tue, 30 Jan 2024 14:26:24 CET DBG [containers/image] No credentials matching us-east1-docker.pkg.dev found in /root/.docker/config.json
Tue, 30 Jan 2024 14:26:24 CET DBG [containers/image] No credentials matching us-east1-docker.pkg.dev found in /root/.dockercfg
Tue, 30 Jan 2024 14:26:24 CET DBG [containers/image] No credentials for us-east1-docker.pkg.dev found
Tue, 30 Jan 2024 14:26:24 CET DBG [containers/image] Using registries.d directory /etc/containers/registries.d
Tue, 30 Jan 2024 14:26:24 CET DBG [containers/image] Returning credentials for us-east1-docker.pkg.dev/reducted-project-id/my-app-db/my-app-db from DockerAuthConfig
Tue, 30 Jan 2024 14:26:24 CET DBG [containers/image] No signature storage configuration found for us-east1-docker.pkg.dev/reducted-project-id/my-app-db/my-app-db:latest, using built-in default file:///var/lib/containers/sigstore
Tue, 30 Jan 2024 14:26:24 CET DBG [containers/image] Looking for TLS certificates and private keys in /etc/docker/certs.d/us-east1-docker.pkg.dev
Tue, 30 Jan 2024 14:26:24 CET DBG [containers/image] GET https://us-east1-docker.pkg.dev/v2/
Tue, 30 Jan 2024 14:26:24 CET DBG [containers/image] Ping https://us-east1-docker.pkg.dev/v2/ status 401
Tue, 30 Jan 2024 14:26:24 CET DBG [containers/image] GET https://us-east1-docker.pkg.dev/v2/token?scope=repository%3Areducted-project-id%2Fmy-app-db%2Fmy-app-db%3Apull
Tue, 30 Jan 2024 14:26:24 CET WRN Cannot get remote manifest error="cannot get image digest from HEAD request: Requesting bearer token: invalid status code from registry 403 (Forbidden)" image=us-east1-docker.pkg.dev/reducted-project-id/my-app-db/my-app-db:latest provider=kubernetes
Tue, 30 Jan 2024 14:26:24 CET INF Jobs completed added=0 failed=1 skipped=0 unchanged=0 updated=0
Tue, 30 Jan 2024 14:26:24 CET INF Cron initialized with schedule 0 */6 * * *
Tue, 30 Jan 2024 14:26:24 CET INF Next run in 3 hours 33 minutes (2024-01-30 18:00:07.219993394 +0100 CET)
Additional info
Kubernetes diun configuration: