tektoncd / pipeline

A cloud-native Pipeline resource.
https://tekton.dev
Apache License 2.0

Tekton Airgap installation cannot pull images specified in args for tekton-controller #6926

Closed wlargou closed 1 year ago

wlargou commented 1 year ago

Expected Behavior

Images should be pulled when executing the tasks

Actual Behavior

Warning Failed 15s (x2 over 26s) kubelet Failed to pull image "10.96.3.53:443/chainguard/busybox": rpc error: code = Unknown desc = failed to pull and unpack image "10.96.3.53:443/chainguard/busybox:latest": failed to resolve reference "10.96.3.53:443/chainguard/busybox:latest": pulling from host 10.96.3.53:443 failed with status code [manifests latest]: 401 Unauthorized

Steps to Reproduce the Problem

vi hello-world.yaml

apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: hello
spec:
  steps:

Apply the task:

kubectl apply --filename hello-world.yaml

Create a test task run

vi hello-world-run.yaml

apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  name: hello-task-run
spec:
  taskRef:
    name: hello

Apply the task run:

kubectl apply --filename hello-world-run.yaml

Additional Info

root@kurl-master2:/tmp/tekton-test# kubectl version
WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short.  Use --output=yaml|json to get the full version.
Client Version: version.Info{Major:"1", Minor:"27", GitVersion:"v1.27.3", GitCommit:"25b4e43193bcda6c7328a6d147b1fb73a33f1598", GitTreeState:"clean", BuildDate:"2023-06-14T09:53:42Z", GoVersion:"go1.20.5", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v5.0.1
Server Version: version.Info{Major:"1", Minor:"27", GitVersion:"v1.27.3", GitCommit:"25b4e43193bcda6c7328a6d147b1fb73a33f1598", GitTreeState:"clean", BuildDate:"2023-06-14T09:47:40Z", GoVersion:"go1.20.5", Compiler:"gc", Platform:"linux/amd64"}
root@kurl-master2:/tmp/tekton-test# 
v0.49.0

Additional information:

We have already edited the release.yaml for the installation to use our private repo instead of gcr, and it works fine, but the controller includes images in its args, and we don't know how to provide the pullSecret to those:

  containers:
    - name: tekton-pipelines-controller
      image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/controller:v0.49.0@sha256:cde0654aab99ea19e030eb269f28deba6cc550910586ee7a832cae3ee63ea565
      args: [
        # These images are built on-demand by `ko resolve` and are replaced
        # by image references by digest.
        "-entrypoint-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/entrypoint:v0.49.0@sha256:0e43b6ae2d517df85aac356b411fe291057c2f12aef3a949be961cfc1d31c158",
        "-nop-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/nop:v0.49.0@sha256:91eb79439e756e557259da3c0823f29483863ed6b8a409da664f879279c95d59",
        "-sidecarlogresults-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/sidecarlogresults:v0.49.0@sha256:4055c213dbb60722432c87b80fb8e52ed6409e6cbb83e62ebb53f0c6d33056f6",
        "-workingdirinit-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/workingdirinit:v0.49.0@sha256:643cf8dbc46fbbfb9f333628c33bbdfb76d11b5005c2aaed28abdc20f739d0b8",
        # The shell image must allow root in order to create directories and copy files to PVCs.
        # cgr.dev/chainguard/busybox as of April 14 2022
        # image shall not contains tag, so it will be supported on a runtime like cri-o
        "-shell-image", "cgr.dev/chainguard/busybox@sha256:19f02276bf8dbdd62f069b922f10c65262cc34b710eea26ff928129a736be791",
        # for script mode to work with windows we need a powershell image
        # pinning to nanoserver tag as of July 15 2021
        "-shell-image-win", "mcr.microsoft.com/powershell:nanoserver@sha256:b6d5ff841b78bdf2dfed7550000fd4f3437385b8fa686ec0f010be24777654d6"]

We also tried to add the pullSecret to the Tekton-controller service account, still facing the same issue.

Thank you

wlargou commented 1 year ago

Resolved by supplying the credentials to my containerd configuration:

[plugins."io.containerd.grpc.v1.cri".registry.configs."10.96.3.53:443".auth]
  username = "kurl"
  password = "QCA5aLEOw"

Thank you
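
An added example, not part of the original issue or the Tekton project's code: the release.yaml edit described in this thread, done so that every image-valued controller flag points at the mirror registry while keeping its `@sha256:` digest pin, and reporting which upstream registries were replaced. The function names are hypothetical, the sample digests are constructed, and it assumes the images were copied to the mirror with their manifests unchanged so the digests still resolve there.

```python
import re

# Controller flags whose value is an image reference (from the args quoted in the issue).
IMAGE_FLAGS = {
    "-entrypoint-image", "-nop-image", "-sidecarlogresults-image",
    "-workingdirinit-image", "-shell-image", "-shell-image-win",
}
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")


def mirror_ref(ref, mirror):
    """Return (upstream host, ref re-pointed at `mirror`), keeping path, tag and digest."""
    host, sep, rest = ref.partition("/")
    if not sep or not ("." in host or ":" in host):
        raise ValueError(f"no registry host in {ref!r}")
    if not DIGEST.search(rest):
        # A tag-only reference lets the mirror serve whatever it holds under that tag.
        raise ValueError(f"not pinned by digest: {ref!r}")
    return host, f"{mirror}/{rest}"


def rewrite_args(args, mirror):
    """Return (rewritten args, sorted upstream registries that were replaced)."""
    out, upstream = [], set()
    it = iter(args)
    for arg in it:
        out.append(arg)
        if arg in IMAGE_FLAGS:
            # A flag with no value falls through to the "no registry host" error.
            host, new_ref = mirror_ref(next(it, ""), mirror)
            upstream.add(host)
            out.append(new_ref)
    return out, sorted(upstream)


# Constructed sample: flag names and repository paths from the issue, digests made up.
SAMPLE_ARGS = [
    "-nop-image",
    "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/nop:v0.49.0@sha256:" + "cd" * 32,
    "-shell-image",
    "cgr.dev/chainguard/busybox@sha256:" + "ab" * 32,
]

if __name__ == "__main__":
    new_args, registries = rewrite_args(SAMPLE_ARGS, "10.96.3.53:443")
    print("\n".join(new_args))
    print("replaced registries:", registries)
```

The kubelet event quoted in the issue shows the mirrored busybox reference resolving as `:latest`, which is the unpinned form `mirror_ref` rejects.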