Unable to Push AWS ECR Images in tekton pipeline - kubernetes

I created a Tekton pipeline on minikube as per this link (basically, I'm pulling the repo from GitHub, generating an image, and pushing it to ECR).
But in my case, I'm pushing the image to AWS ECR.
I configured the AWS ECR credentials on my cluster as per this.
When I run the pipeline, I get the following error.
Note: To test whether my AWS credentials were configured correctly, I created a simple deployment spec file and ran it. The image is pulled and the application is running. But with Tekton I'm getting a 401 issue. Can someone help me with this issue, please?
INFO[0000] GET KEYCHAIN
error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "12345678910.dkr.ecr.us-east-1.amazonaws.com/test-api:latest": POST https://12345678910.dkr.ecr.us-east-1.amazonaws.com/v2/test-api/blobs/uploads/: unexpected status code 401 Unauthorized: Not Authorized

Related

How to pull ECR images to cross account access?

I have multiple AWS accounts in an organization. The ECR images are available in one organizational account, and I need to pull these ECR images into ECS in another organizational account. While attempting this, I get an error:
    Cannotpullcontainererror: pull image manifest has been retried 1 time(s): failed to resolve ref 189426755769.dkr.ecr.eu-west-2.amazonaws.com/ecr-dev-apps:1.0.0: pulling from host 123456789.dkr.ecr.eu-west-2.amazonaws.com failed with status code [manifests 1.0.0]: 403 Forbidden
I could not find any documentation or guidelines on how to achieve this requirement.

Auth error when pushing to Google Artifact Repository

I'm trying to push to GAR from my local machine, but I always get this error:
failed to authorize: failed to fetch anonymous token: unexpected status: 403 Forbidden
First, I've confirmed that my account has the Artifact Registry Writer role through IAM.
I have done the following locally:
    # Login with my Google account
    gcloud auth login --update-adc --force
    # Configure docker to use the gcloud CLI auth helper
    gcloud auth configure-docker us-west1-docker.pkg.dev
    # docker login for good measure
    docker login
    # Tag my image (already built)
    docker tag myimage us-west1-docker.pkg.dev/myproject/myrepo/myimage
    # Push it
    docker push us-west1-docker.pkg.dev/myproject/myrepo/myimage
On this final command I get the error above.
I have read all the Google documentation I could find but they all suggest the above steps:
https://cloud.google.com/artifact-registry/docs/docker/pushing-and-pulling
https://cloud.google.com/artifact-registry/docs/docker/troubleshoot
Note: I can't pull either, using the command provided directly from the GCP web UI.
I'm on M1 Mac.
So I was able to solve this problem by completely nuking Docker, specifically with these steps: https://stackoverflow.com/a/69437543/3846032. I couldn't uninstall it by normal means, it would just hang, implying that the problems I was getting were a result of my Docker installation being very broken. Indeed, I managed to follow the above steps on another machine and it worked, which led me to conclude the steps above and my credentials were totally fine.
The 403 was a red herring, it must have come from my local Docker being broken in such a way that it doesn't send properly authenticated requests.

Why is my GCP image failing to deploy to local kubernetes?

I am getting "can't be pulled" when I use Cloud Code plugin in VS code to build and deploy an image to a local Kubernetes cluster. There are no errors being logged on GCP, but locally I'm getting the following:
- deployment/<redacted> failed. Error: container <redacted> is waiting to start: gcr.io/<redacted>/<redacted>:latest#sha256:<redacted> can't be pulled.
If your GCR registry is a private registry then you need to configure your local Kubernetes cluster with an imagePullSecret to use to authenticate to GCR. The general process is to create a service account in your GCP project, and then configure the corresponding service account key file as the pull secret.
There are a variety of tutorials, and this one looks pretty good.
Can you try gcloud auth list and check if you are using the right account? To switch accounts, use gcloud auth login <account>
Also make sure you have the right permission: gcloud permission to pull GCP image
Once these two things are in place, you should be able to pull the image from GCR.
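
The pull-secret step from the first answer in this thread, as an added example that is not part of the original posts: it turns a service account key file into a kubernetes.io/dockerconfigjson Secret manifest. The secret name, namespace and sample key are assumptions made up for illustration; `_json_key` is the fixed user name GCR expects for JSON key authentication.

```python
import base64
import json


def build_pull_secret(sa_key_json, name="gcr-pull-secret",
                      namespace="default", registry="gcr.io"):
    """Return a Secret manifest (dict) that lets the kubelet pull from a private GCR."""
    key = json.loads(sa_key_json)  # fails early on a truncated or non-JSON file
    if key.get("type") != "service_account" or "private_key" not in key:
        raise ValueError("not a GCP service account key file")
    username = "_json_key"  # the whole key file content is the password
    auth = base64.b64encode(f"{username}:{sa_key_json}".encode()).decode()
    docker_config = {"auths": {registry: {
        "username": username, "password": sa_key_json, "auth": auth}}}
    encoded = base64.b64encode(json.dumps(docker_config).encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/dockerconfigjson",
        "metadata": {"name": name, "namespace": namespace},
        "data": {".dockerconfigjson": encoded},
    }


def registry_credentials(secret, registry):
    """Decode the manifest again and return (username, password) for one registry."""
    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    raw = base64.b64decode(cfg["auths"][registry]["auth"]).decode()
    user, _, password = raw.partition(":")
    return user, password


# Constructed sample key with placeholder values only; not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key": "PLACEHOLDER-NOT-A-REAL-KEY",
    "client_email": "puller@example-project.iam.gserviceaccount.com",
})

if __name__ == "__main__":
    print(json.dumps(build_pull_secret(SAMPLE_KEY), indent=2))
```

The printed JSON can be piped to kubectl apply -f -, and the deployment then has to list the secret name under imagePullSecrets in its pod spec. A service account used this way only needs read access to the registry.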

Error response from daemon: unauthorized: authentication require

I'm getting this weird error in Azure Pipelines. We use an ACR to supply our base images and we connect to this using a service connection, which works well most of the time. However, occasionally we get an error:
/usr/bin/docker pull /base-images/python:3.7-buster-vanilla
Error response from daemon: Get https:///v2/base-images/python/manifests/3.7-buster-vanilla: unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information.
There does not seem to be any clear explanation for this because when we perform a retry of the specific task this works fine.
We have no separate login to the acr and we only define the connection that needs to be used in the job itself:
    container:
      image: servers.azurecr.io/base-images/python:3.7-buster-vanilla
      endpoint: server-Service-Connection
I have been looking at the build logs but was not able to get any useful information from there. If any additional information is needed, I would of course be happy to supply it.
I fixed this error using the Azure CLI: az acr login --name *registry-name*. The solution is explained in the Azure Registry troubleshooting docs.
I think you may be running into a Docker Hub issue. We're experiencing this intermittently in our CI (not Azure) during regular pulls for python images.
From https://status.docker.com/pages/history/533c6539221ae15e3f000031
February 3, 2021 5:21PM UTC
[Investigating] A number of users may experience problems logging into Docker Hub.

GitHub with OpsWorks auto deployment using webhook help needed

Again I am stuck trying to achieve the goal of triggering a deployment once code is pushed to the repo. I searched the net but found only old information; GitHub has been updated, and I set up all the values as per their instructions, but it is still not working, so it looks like I am missing something. I tried to follow these instructions, but they seem old: http://bytes.babbel.com/en/articles/2014-01-22-github-service-hook-for-aws-ops-works.html
The interface is confusing, and I am confused because there is no connection between the repo name and the OpsWorks service, so what value should the webhook send to the OpsWorks service?
Below is what I understood:
Set up a webhook, and it will trigger and send the payload to CI or services as needed once code is pushed to the repo (this part is working and sends the payload somewhere). But this is failing because of its Payload URL: should I give the OpsWorks service URL generated by GitHub?
OpsWorks service: this is not working.
App: Given from AWS OpsWorks's app: OpsWorks ID
Stack: Given from AWS OpsWorks's stack: OpsWorks ID
Branch name: Here is the confusion again: as per the GitHub help, I need to give the SHA configured for that app in the AWS OpsWorks Console? Why should I give the SHA and not master or the link to the repo?
GitHub API URL: This is optional; what should I give here?
AWS access key: No issues
AWS secret access key: No issues
GitHub token: Optional. Created a token as instructed; it does not work either with or without the token.
So if you check, OpsWorks is not getting triggered. I thought it might work internally when I push the changes, but it does not.
So it seems the webhook and the OpsWorks service need to interact at some level, but I am unable to figure it out :(
I checked the GitHub help and also found nothing for the new interface.
I checked Google and Stack Overflow too, but did not find anything.
Could anyone please answer?
One alternative way would be to set up AWS CodePipeline (CodeDeploy??) to deploy to your AWS Opsworks stack.
CodePipeline is a Continuous Delivery solution from Amazon. In mid 2016 they announced that CodePipeline works with OpsWorks - see their blog announcement: AWS CodePipeline Adds Integration with AWS OpsWorks. There are some walkthroughs there too, depending on what version of OpsWorks your stack is set up for.
(It does feel a bit weird to use a deployment service to deploy to a service that has an existing deployment service... but eh, thought this might help)
The problem is with the process between GitHub and OpsWorks: if there is any error, neither of them reports the error to the user.
I contacted GitHub support, and luckily they responded with the error message "The security token included in the request is invalid."
Then I recopied the access key and secret key, left "GitHub api url" blank, and set the branch name to "master" (so it will always deploy the latest version, aka head).
Also make sure you set the permission again in OpsWorks; this is separate from the IAM permission.
Steps -> Go to your stack - Permission and edit -> add user github with permission "IAM Policies Only".
There is no interaction between webhooks and integrations, so you can make use of integration services without a webhook :).
Thanks to both Stack Overflow and GitHub :)