jetstack / version-checker

Kubernetes utility for exposing image versions in use, compared to latest available upstream, as metrics.
https://jetstack.io
Apache License 2.0

[BUG] Self Hosted Token authentication #261

Open paulwilljones opened 2 months ago

paulwilljones commented 2 months ago

Describe the bug

When using a self hosted registry, credentials are provided which are used to retrieve a token. If the registry does not implement a token service, the endpoint returns a 404 and version-checker cannot authenticate to the registry.

$ k plogs -n version-checker -p version-checker-7db59c4996-8hj99 -c version-checker
...
error: failed to setup image registry clients: failed to create selfhosted client "http://docker-registry.registry.svc.cluster.local:5000": failed to setup token auth (404): 404 page not found
$ curl -i http://XXXXXX:XXXXXX@localhost:30000/v2/_catalog
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0
X-Content-Type-Options: nosniff
Date: Thu, 29 Aug 2024 08:32:30 GMT
Content-Length: 37

{"repositories":["my-app"]}
$ curl -i http://XXXXXX:XXXXXX@localhost:30000/v2/token
HTTP/1.1 404 Not Found
Content-Type: text/plain; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0
X-Content-Type-Options: nosniff
Date: Thu, 29 Aug 2024 08:33:26 GMT
Content-Length: 19

404 page not found

This could be an edge case, and there should be a token endpoint, in which case a 404 is the right response and basic auth shouldn't be used.

To Reproduce

Steps to reproduce the behavior:

  1. Deploy registry to kind
  2. Deploy version-checker with selfhosted values:
    ...
    selfhosted:
    - name: registry
      host: http://docker-registry.registry.svc.cluster.local:5000
      username: XXXXXX
      password: XXXXXX
  3. Push an image into registry using kaniko
  4. Create docker-registry secret and deploy image from local registry
    apiVersion: v1
    kind: Pod
    metadata:
      annotations:
        enable.version-checker.io/test: "true"
      name: image-from-reg
      ...
    spec:
      containers:
      - image: docker-registry.registry.svc.cluster.local:5000/my-app:0.0.1
        ...

Expected behavior

Basic auth should be used when token endpoint returns 404 so version-checker can authenticate with the registry.

Environment (please complete the following information):
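
The fallback requested under "Expected behavior", sketched in Go as an added example (not version-checker's own code). `pickAuth` and `fakeRegistry` are hypothetical names, the `/v2/token` path is taken from the curl output above, and the credentials and token value are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// fakeRegistry: constructed test registry; /v2/token exists only if hasToken.
func fakeRegistry(user, pass string, hasToken bool) *httptest.Server {
	mux := http.NewServeMux()
	if hasToken {
		mux.HandleFunc("/v2/token", func(w http.ResponseWriter, r *http.Request) {
			if u, p, ok := r.BasicAuth(); !ok || u != user || p != pass {
				w.WriteHeader(http.StatusUnauthorized)
				return
			}
			fmt.Fprint(w, `{"token":"constructed"}`)
		})
	}
	return httptest.NewServer(mux)
}

// pickAuth (hypothetical) probes host+"/v2/token": 200 selects "bearer", 404
// selects "basic"; a 401 or 5xx is an error, never a silent downgrade.
func pickAuth(host, user, pass string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, host+"/v2/token", nil)
	if err != nil {
		return "", err
	}
	req.SetBasicAuth(user, pass)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
		return "bearer", nil
	case http.StatusNotFound:
		return "basic", nil
	}
	return "", fmt.Errorf("failed to setup token auth (%d)", resp.StatusCode)
}

func main() {
	srv := fakeRegistry("user", "pass", false) // no token service, as in the report
	defer srv.Close()
	fmt.Println(pickAuth(srv.URL, "user", "pass"))
}
```

Only a 404 triggers the fallback, so a token service that exists but rejects the credentials still fails loudly. With an `http://` host like the one in the report, basic credentials cross the network unencrypted on every request.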