Image pull secrets containing colons causing registryImages collector to fail

[banjoh]

Bug Description

Assume you have a secret my-reg-creds which contains image registry credentials which you intend to use with the registry images collector for preflights or support bundles. If the basic authentication token is generated from a username or password containing colons (:), the collector will fail to fetch the image even if the image exists

Expected Behavior

Credentials with colons should not lead to errors

Steps To Reproduce

• Create an image pull secret using the command below

  kubectl create secret docker-registry my-reg-creds --docker-server=registry.k8s.io --docker-username="user:name" --docker-password="pass:word:with:colon"

• Create spec.yaml and drop this spec in the file

  apiVersion: troubleshoot.sh/v1beta2
  kind: Preflight
  spec:
  analyzers:
  - registryImages:
    checkName: Check images
    collectorName: ""
    outcomes:
    - fail:
        when: "errors > 0"
        message: Failed to check if images are present in registry
    - pass:
        message: All images are available
  collectors:
  - registryImages:
    imagePullSecret:
      name: my-reg-creds
      type: kubernetes.io/dockerconfigjson
    images:
    - registry.k8s.io/kube-scheduler:v1.29.5

• Run preflight --interactive=false spec.yaml and note that you get the output below

  --- FAIL: Check images
    --- Failed to check if images are present in registry
  --- FAIL
  FAILED

Additional Context

• The registry image collector assumes that credentials will be of the format username:password where neither of the parts separate parts contain a colon (:). This is not always the case. gcr.io for example contains a password that is a JSON object which looks like below

  {
  "type": "service_account",
  "project_id": "my-project",
  "private_key_id": "XXXXXXXXX",
  "private_key": "-----BEGIN PRIVATE KEY-----XXXXXXXX\n-----END PRIVATE KEY-----\n",
  "client_email": "john@doe.iam.gserviceaccount.com",
  "client_id": "XXXXXXXXX",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/my-project%40john@doe..iam.gserviceaccount.com"
  }

• When implementing this, ensure we klog.Error formatting errors such as this one. Here are some lines I've noted need to be logged
  • https://github.com/replicatedhq/troubleshoot/blob/ce155270c80d826a6e7c28c15b3461eb3ea9a8d5/pkg/collect/registry.go#L168

Include the following information.

• Troubleshoot version. If you built from source, note that including the version of Go you used to build with.
• Operating system
• Operating system version
• Other details that might be helpful in diagnosing the problem