teamhephy / workflow

Hephy Workflow - An open source fork of Deis Workflow - The open source PaaS for Kubernetes.
MIT License

Authenticated but cannot set the registry #17

Open Cryptophobia opened 6 years ago

Cryptophobia commented 6 years ago

From @Overdrivr on June 8, 2017 17:13

I'm trying to deploy Docker images to Deis from GitLab CI, but it fails to authenticate to a private Docker registry. I created a specific user, gitlab-ci, that authenticates successfully.

This is the output of the CI script:

Running with gitlab-ci-multi-runner 9.2.0 (adfc387)
  on docker-auto-scale (e11ae361)
Using Docker executor with image felixbuenemann/deis-workflow-cli:latest ...
Starting service docker:dind ...
Pulling docker image docker:dind ...
Using docker image docker:dind ID=sha256:dee518b729774dca2b75e356b4e5d288f4abd00daea5a934c63c4a5a20fe6655 for docker service...
Waiting for services to be up and running...
Using docker image sha256:93836450ba09f3d8d835cf8da9bd33f5d283aca7b89a8410a8597e0a2b8ca79e for predefined container...
Pulling docker image felixbuenemann/deis-workflow-cli:latest ...
Using docker image felixbuenemann/deis-workflow-cli:latest ID=sha256:69f5967add43047a280852adca72ac7c16e9b25af0aab9537350a80db6af0aa1 for build container...
Running on runner-e11ae361-project-3003608-concurrent-0 via runner-e11ae361-machine-1496941443-0cbe3239-digital-ocean-2gb...
Cloning repository...
Cloning into '/builds/MYUSERNAME/MYPROJECT'...
Checking out f7c7d01f as push-to-deis...
Skipping Git submodules setup
$ deis version
Logged in as gitlab-ci
Configuration file written to /root/.deis/client.json
v2.13.0
$ deis login $DEIS_CONTROLLER --username=$DEIS_USERNAME --password=$DEIS_PASSWORD
Logged in as gitlab-ci
Configuration file written to /root/.deis/client.json
Logged in as gitlab-ci
Configuration file written to /root/.deis/client.json
$ deis whoami
Logged in as gitlab-ci
Configuration file written to /root/.deis/client.json
You are gitlab-ci at http://deis.XXX.XX.XXX.XXX.nip.io
$ deis registry:set username=$CI_REGISTRY_USER password=$CI_REGISTRY_PASSWORD -a $DEIS_APP_NAME
Logged in as gitlab-ci
Configuration file written to /root/.deis/client.json
Applying registry information... ...Error: You do not have permission to perform this action.
ERROR: Job failed: exit code 1

Authentication to the registry fails, although I am using the correct variables for username and password (I was using the exact same ones for connecting with Docker to the registry), and $DEIS_APP_NAME is defined in GitLab as a secret, with a value equal to my app name inside Deis.

Any idea why this action is not allowed, or how I can debug this further? The error message is not very explicit.

Copied from original issue: deis/workflow#823

Cryptophobia commented 6 years ago

From @bacongobbler on June 8, 2017 18:46

ping @Bregor, does this seem like an RBAC issue? deis registry:set writes a secret in the application's namespace, if I recall correctly.

Which version of Kubernetes are you running?

Cryptophobia commented 6 years ago

From @Bregor on June 8, 2017 18:56

@Overdrivr is this the only issue for now, or have you not tried anything else yet? And yes, could you please show the output of kubectl version --short?

Cryptophobia commented 6 years ago

From @Overdrivr on June 9, 2017 12:42

Thanks for the quick replies, I'm running k8s 1.6.4.

During cluster creation, I left the default value for the former authentication method: enabled. I don't know if it has an impact.

$ kubectl version --short
Client Version: v1.6.4
Server Version: v1.6.4