cue-labs / oci

Go modules related to OCI (Open Container Initiative) registries
Apache License 2.0

Error publishing to gitlab - auth failure #32

Closed ekarlso closed 2 months ago

ekarlso commented 2 months ago

I am trying to push to our internal GitLab, where docker push works fine, but:

cue mod publish v0.0.1       
cannot put module: cannot make scratch config: 401 Unauthorized: unauthorized: bearer auth required

Version

cue version v0.9.0-alpha.2

go version go1.22.2
      -buildmode exe
       -compiler gc
       -trimpath true
     CGO_ENABLED 0
          GOARCH amd64
            GOOS linux
         GOAMD64 v1

myitcv commented 2 months ago

@rogpeppe

rogpeppe commented 2 months ago

@ekarlso

Thanks for the report. Could you provide the output you see when you run this command, please?

CUE_DEBUG=http cue mod publish v0.0.1

It should have sensitive pieces redacted, but worth going through to check anyway.

ekarlso commented 2 months ago

It seems this might be happening because cue mod publish wants to publish underneath a path that doesn't exist:

{"time":"2024-04-22T12:48:46.939436589+02:00","level":"INFO","msg":"http client->","info":{"id":1,"method":"POST","url":"https://registry.foo.com/v2/config.foo.com/oci-util/blobs/uploads/","contentLength":0,"header":{"User-Agent":["Cue/v0.9.0-alpha.2 (cmd/cue) Go/go1.22.2 (linux/amd64)"]}}}
{"time":"2024-04-22T12:48:46.987912993+02:00","level":"INFO","msg":"http client<-","info":{"id":1,"method":"POST","url":"https://registry.foo.com/v2/config.foo.com/oci-util/blobs/uploads/","statusCode":401,"header":{"Content-Length":["282"],"Content-Type":["application/json"],"Date":["Mon, 22 Apr 2024 10:48:46 GMT"],"Docker-Distribution-Api-Version":["registry/2.0"],"Server":["nginx"],"Www-Authenticate":["Bearer realm=\"https://gitlab.foo.com//jwt/auth\",service=\"container_registry\",scope=\"repository:config.foo.com/oci-util:pull,push\""],"X-Content-Type-Options":["nosniff"]},"body":"{\"errors\":[{\"code\":\"UNAUTHORIZED\",\"message\":\"authentication required\",\"detail\":[{\"Type\":\"repository\",\"Class\":\"\",\"Name\":\"config.foo.com/oci-util\",\"ProjectPath\":\"\",\"Action\":\"pull\"},{\"Type\":\"repository\",\"Class\":\"\",\"Name\":\"config.foo.com/oci-util\",\"ProjectPath\":\"\",\"Action\":\"push\"}]}]}\n"}}
{"time":"2024-04-22T12:48:46.987990572+02:00","level":"INFO","msg":"http client->","info":{"id":2,"method":"GET","url":"https://gitlab.foo.com//jwt/auth?scope=repository%3Aconfig.foo.com%2Foci-util%3Apull%2Cpush&service=container_registry","contentLength":0,"header":{"Authorization":["Basic REDACTED"],"User-Agent":["Cue/v0.9.0-alpha.2 (cmd/cue) Go/go1.22.2 (linux/amd64)"]}}}
{"time":"2024-04-22T12:48:47.249162341+02:00","level":"INFO","msg":"http client<-","info":{"id":2,"method":"GET","url":"https://gitlab.foo.com//jwt/auth?scope=repository%3Aconfig.foo.com%2Foci-util%3Apull%2Cpush&service=container_registry","statusCode":200,"header":{"Cache-Control":["max-age=0, private, must-revalidate"],"Content-Security-Policy":[""],"Content-Type":["application/json; charset=utf-8"],"Date":["Mon, 22 Apr 2024 10:48:47 GMT"],"Etag":["W/\"c10096a2494dade49bad7a884dbfc8f3\""],"Permissions-Policy":["interest-cohort=()"],"Referrer-Policy":["strict-origin-when-cross-origin"],"Server":["nginx"],"Strict-Transport-Security":["max-age=63072000"],"Vary":["Accept-Encoding"],"X-Content-Type-Options":["nosniff"],"X-Download-Options":["noopen"],"X-Frame-Options":["SAMEORIGIN"],"X-Gitlab-Meta":["{\"correlation_id\":\"01HW2PRBN6DWTTFFDXCA152V7X\",\"version\":\"1\"}"],"X-Permitted-Cross-Domain-Policies":["none"],"X-Request-Id":["01HW2PRBN6DWTTFFDXCA152V7X"],"X-Runtime":["0.230997"],"X-Ua-Compatible":["IE=edge"],"X-Xss-Protection":["1; mode=block"]},"body":"{\"token\":\"REDACTED","bodyTruncated":true}}
{"time":"2024-04-22T12:48:47.24929866+02:00","level":"INFO","msg":"http client->","info":{"id":3,"method":"POST","url":"https://registry.foo.com/v2/config.foo.com/oci-util/blobs/uploads/","contentLength":0,"header":{"Authorization":["Bearer REDACTED"],"User-Agent":["Cue/v0.9.0-alpha.2 (cmd/cue) Go/go1.22.2 (linux/amd64)"]}}}
{"time":"2024-04-22T12:48:47.251942207+02:00","level":"INFO","msg":"http client<-","info":{"id":3,"method":"POST","url":"https://registry.foo.com/v2/config.foo.com/oci-util/blobs/uploads/","statusCode":401,"header":{"Content-Length":["282"],"Content-Type":["application/json"],"Date":["Mon, 22 Apr 2024 10:48:47 GMT"],"Docker-Distribution-Api-Version":["registry/2.0"],"Server":["nginx"],"Www-Authenticate":["Bearer realm=\"https://gitlab.foo.com//jwt/auth\",service=\"container_registry\",scope=\"repository:config.foo.com/oci-util:push,pull\",error=\"insufficient_scope\""],"X-Content-Type-Options":["nosniff"]},"body":"{\"errors\":[{\"code\":\"UNAUTHORIZED\",\"message\":\"authentication required\",\"detail\":[{\"Type\":\"repository\",\"Class\":\"\",\"Name\":\"config.foo.com/oci-util\",\"ProjectPath\":\"\",\"Action\":\"pull\"},{\"Type\":\"repository\",\"Class\":\"\",\"Name\":\"config.foo.com/oci-util\",\"ProjectPath\":\"\",\"Action\":\"push\"}]}]}\n"}}
cannot put module: cannot make scratch config: 403 Forbidden: denied: unauthorized response with freshly acquired auth token
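
How to read the two 401 responses in the log above, as an added example that is not part of the original thread or of the cue/oci code: the first challenge has no error parameter (no credentials were sent yet), while the one after the token fetch carries error="insufficient_scope", meaning a token was presented but did not cover the requested repository scope. The sample log is constructed and abbreviated from the records above; `parseChallenge` and `refusedScope` are hypothetical helper names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample: the two 401 responses and final error from the log above, abbreviated.
const sampleLog = `{"msg":"http client<-","info":{"id":1,"statusCode":401,"header":{"Www-Authenticate":["Bearer realm=\"https://gitlab.foo.com//jwt/auth\",service=\"container_registry\",scope=\"repository:config.foo.com/oci-util:pull,push\""]}}}
{"msg":"http client<-","info":{"id":3,"statusCode":401,"header":{"Www-Authenticate":["Bearer realm=\"https://gitlab.foo.com//jwt/auth\",service=\"container_registry\",scope=\"repository:config.foo.com/oci-util:push,pull\",error=\"insufficient_scope\""]}}}
cannot put module: cannot make scratch config: 403 Forbidden: denied: unauthorized response with freshly acquired auth token`

type record struct {
	Info struct {
		StatusCode int                 `json:"statusCode"`
		Header     map[string][]string `json:"header"`
	} `json:"info"`
}

// Challenge parameters are key="value"; a quoted value (the scope list) may contain commas.
var param = regexp.MustCompile(`(\w+)="([^"]*)"`)

func parseChallenge(h string) map[string]string {
	params := map[string]string{}
	for _, m := range param.FindAllStringSubmatch(h, -1) {
		params[m[1]] = m[2]
	}
	return params
}

// refusedScope returns the scope of the first Bearer challenge with error="insufficient_scope".
func refusedScope(log string) (string, bool) {
	for _, line := range strings.Split(log, "\n") {
		var r record
		if json.Unmarshal([]byte(line), &r) != nil || r.Info.StatusCode != 401 {
			continue // request records, non-401 responses and plain-text error lines
		}
		for _, h := range r.Info.Header["Www-Authenticate"] {
			if c := parseChallenge(h); strings.HasPrefix(h, "Bearer ") && c["error"] == "insufficient_scope" {
				return c["scope"], true
			}
		}
	}
	return "", false
}

func main() { fmt.Println(refusedScope(sampleLog)) }
```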

rogpeppe commented 2 months ago

@ekarlso By default, CUE assumes that it can create OCI repositories just by pushing to them. The right solution here depends somewhat on your setup:

If you have write/create access to any number of registries under some given path prefix, you can put that path prefix in your $CUE_REGISTRY:

CUE_REGISTRY=gitlab.foo.com/path/prefix

This will cause a module M to be stored in the OCI repository gitlab.foo.com/path/prefix/M.

If you only have write access to a single repository in the registry, you'll need to use a registry configuration file to specify that. See cue help registryconfig for details, but you might be able to use something like:

CUE_REGISTRY=file:/home/me/my-registry-config-file

-- /home/me/my-registry-config-file --
defaultRegistry: {
    registry: "gitlab.foo.com/some-repo-that-will-contain-all-modules"
    pathEncoding: "hashAsTag"
}

This will store all modules in that single repository.

Hope this helps!

myitcv commented 2 months ago

Note that this issue really belongs in https://github.com/cue-lang/cue/issues. Because of GitHub constraints we can't move it, but @ekarlso for CUE-related issues please use that repo in the future. Thanks

myitcv commented 2 months ago

@ekarlso I'm going to close this issue as resolved because it should be the case that the config suggested by @rogpeppe works. If you have any further issues, please can you raise an issue in the main CUE issue tracker? Thanks