teamhephy / registry-token-refresher

MIT License

ecr: secret not being generated #2

Open Cryptophobia opened 6 years ago

Cryptophobia commented 6 years ago

From @vdice on March 21, 2017 22:42

When setting up values for using ECR as the off-cluster registry option, a sample snippet of Workflow's global values.yaml would look something like:

...
registry-token-refresher:
...
  ecr:
    # Your AWS access key. Leave it empty if you want to use IAM credentials.
    accesskey: "ACCESS_KEY"
    # Your AWS secret key. Leave it empty if you want to use IAM credentials.
    secretkey: "SECRET_KEY"
    # Any S3 region
    region: "us-west-2"
    registryid: "myregistryid"
    hostname: "myhostname.amazonaws.com"
...

Yet, when the registryid and hostname values are non-empty as above, it seems a bug is hit and the necessary private-registry-ecr secret is not created correctly. When an attempt is made to build/deploy an example app, the following is hit:

Error running git receive hook [error getting private registry details secrets "private-registry-ecr" not found]

Meanwhile, counterintuitively, if both registryid and hostname are just kept at "" then the aforementioned secret is created properly and build/deploys work as intended.

Copied from original issue: deis/registry-token-refresher#11

Cryptophobia commented 6 years ago

From @kwent on March 21, 2017 23:20

I would also update the documentation (https://deis.com/docs/workflow/installing-workflow/configuring-registry/) with one section for ECR and one section for GCR with samples.

Cryptophobia commented 6 years ago

From @vdice on March 23, 2017 21:29

https://github.com/deis/workflow/pull/779 represents the docs update

Cryptophobia commented 6 years ago

From @foxycoder on April 7, 2017 16:35

FWIW I ran into the same error all of a sudden

error getting private registry details secrets "private-registry-ecr" not found

So I deleted the token refresher pod to start a new one and everything worked again:

kubectl --namespace deis delete pod deis-registry-token-refresher-xxx-yyy

Cryptophobia commented 6 years ago

From @mariusmarais on May 30, 2017 13:23

I'm running into this same problem, but I'm not able to recover.

Originally I set up values with both registryid and hostname, eventually leading me here.

However, after removing them and running kubectl delete namespace deis and re-running helm install deis/workflow -f values.yml, I still have the same problem, even though both registryid and hostname are blank in the registry-secret secret:

Error running git receive hook [error getting private registry details secrets "private-registry-ecr" not found]

Restarting the pod has no effect and it isn't generating any log output, which is making debugging very difficult (quay.io/deis/registry-token-refresher:v1.1.2).

Please help :)

Update: Granting the following access via IAM resolves the issue, since Deis needs to be able to create a repository for every app:

        {
            "Effect": "Allow",
            "Action": [
                "ecr:*"
            ],
            "Resource": [
                "*"
            ]
        }

Can this be limited further?
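
On the question of limiting `ecr:*` on `*`: a narrower policy to test, added here as an example and not taken from this thread's participants or from the Deis/Hephy documentation. The action list is an assumption (ECR's token call, repository creation, and the standard push/pull actions), and `REGION` and `ACCOUNT_ID` are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TokenForRegistryLogin",
      "Effect": "Allow",
      "Action": ["ecr:GetAuthorizationToken"],
      "Resource": "*"
    },
    {
      "Sid": "AssumedCreatePushPullActions",
      "Effect": "Allow",
      "Action": [
        "ecr:CreateRepository",
        "ecr:DescribeRepositories",
        "ecr:BatchCheckLayerAvailability",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:PutImage",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ],
      "Resource": "arn:aws:ecr:REGION:ACCOUNT_ID:repository/*"
    }
  ]
}
```

`ecr:GetAuthorizationToken` does not support resource-level permissions, which is why only that statement keeps `"Resource": "*"`. If a build or deploy then fails with an access-denied error, add the specific action named in the error rather than returning to `ecr:*`.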

ChillarAnand commented 4 years ago

In the docs, it is mentioned not to set hostname & registryid for ecr. Without these, helm is failing to update values.

➜ helm install hephy/workflow --namespace deis --generate-name -f values.yml 
Error: unable to build kubernetes objects from release manifest: error validating "": error validating data: [unknown object type "nil" in Secret.data.hostname, unknown object type "nil" in Secret.data.registryid]

jayaprakash369 commented 2 years ago

From @mariusmarais on May 30, 2017 13:23

I'm running into this same problem, but I'm not able to recover.

Originally I set up values with both registryid and hostname, eventually leading me here.

However, after removing them and running kubectl delete namespace deis and re-running helm install deis/workflow -f values.yml, I still have the same problem, even though both registryid and hostname are blank in the registry-secret secret:

Error running git receive hook [error getting private registry details secrets "private-registry-ecr" not found]

Restarting the pod has no effect and it isn't generating any log output, which is making debugging very difficult (quay.io/deis/registry-token-refresher:v1.1.2).

Please help :)

Update: Granting the following access via IAM resolves the issue, since Deis needs to be able to create a repository for every app:

        {
            "Effect": "Allow",
            "Action": [
                "ecr:*"
            ],
            "Resource": [
                "*"
            ]
        }

Can this be limited further?

Where do I have to update this config? Did you mean to update it in the trust relationship policy?

jayaprakash369 commented 2 years ago

Hello, I also tried to install Deis Workflow using the Helm chart: helm install deis hephy/workflow --create-namespace --namespace deis --set global.use_cni=true -f deis-install.yml and the code is,

# This is the global configuration file for Workflow
global:
  # Change to s3
  storage: s3
  database_location: "on-cluster"
  logger_redis_location: "on-cluster"
  influxdb_location: "on-cluster"
  grafana_location: "on-cluster"

  # Change to ecr
  registry_location: "ecr"
  host_port: 5555
  secret_prefix: "private-registry"
  experimental_native_ingress: false
  use_rbac: true

  s3:
    # Add access key and secret to user with read/write access to buckets
    accesskey: "*******"
    secretkey: "********"
    region: "eu-west-1"
    # Buckets you already created
    database_bucket: "*********"
    builder_bucket: "***********"

  controller:
    app_pull_policy: "IfNotPresent"
    registration_mode: "admin_only"
    platform_domain: "********"

  database:
    username: "deis"
    password: "*******"
    postgres:
      name: "********"
      username: "deis"
      password: "*************"
      host: "*************"
      port: "5432"

  #redis:
  #  db: "0"
    # host: "redis host"
    # port: "redis port"
    # password: "redis password" # "" == no password

  # fluentd:
  #   syslog:
  #     host: ""
  #     port: ""

  monitor:
    grafana:
    user: "admin"
    password: "************"
    persistence:
      enabled: false # Set to true to enable persistence
      size: 5Gi # PVC size
    influxdb:
      url: "**************"
      database: "admin"
      user: "deis"
      password: "***********"
      persistence:
        enabled: true # Set to true to enable persistence
        size: 200Gi # PVC size

  registry-token-refresher:
    token_refresh_time: ""
    # off_cluster_registry:
    #   hostname: ""
    #   organization: ""
    #   username: ""
    #   password: ""
    ecr:
      # Access key and secret for user with access to ECR registry
     accesskey: "*******"
     secretkey: "**********"
      # Hostname of ECR registry
     hostname: "**********"
      # Region where registry is located
     region: eu-north-1
      # Registry id (same as start in hostname)
     registryid: "**********"

    # gcr:
    #   key_json: <base64-encoded JSON data>
    #   hostname: ""

  router:
    dhparam: ""
    deployment_annotations:
      # Max body of requests for router
      router.deis.io/nginx.bodySize: "50m"

  #   service_annotations:
  #   #<example-key>: <example-value>

    host_port:
      enabled: false

    workflow-manager:
      versions_api_url: https://versions.teamhephy.info
      doctor_api_url: https://doctor.teamhephy.info

but I am getting error like,

Error: unable to build kubernetes objects from release manifest: error validating "": error validating data: [unknown object type "nil" in Secret.data.accesskey, unknown object type "nil" in Secret.data.hostname, unknown object type "nil" in Secret.data.registryid, unknown object type "nil" in Secret.data.secretkey]

I tried with empty strings, attached an IAM policy giving the user full access to ECR, and changed the kubeconfig file, but none of them helped me. Source link: https://github.com/deis/workflow/blob/master/charts/workflow/values.yaml Can anyone tell me what could be wrong here?

Cryptophobia commented 2 years ago

@whitedevil-369,

Can you try setting these values below to blank strings "" in your values.yaml file?:

ecr:
   hostname: ""
   registryid: ""

https://docs.teamhephy.com/installing-workflow/configuring-registry/#ecr

NOTE: registryid and hostname should not be set. See this issue for more info.