Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Following the tutorial fails with "error checking push permissions" #2616

Closed
calvinpark opened this issue May 14, 2020 · 15 comments · Fixed by #2980
Closed

Following the tutorial fails with "error checking push permissions" #2616

calvinpark opened this issue May 14, 2020 · 15 comments · Fixed by #2980
Labels
kind/bug Categorizes issue or PR as related to a bug. kind/documentation Categorizes issue or PR as related to documentation.

Comments

@calvinpark
Copy link

calvinpark commented May 14, 2020

Expected Behavior

A successful docker login followed by a docker push to my repo docker.io/calvinpark/leeroy-web

Actual Behavior

[build-and-push] error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "docker.io/calvinpark/leeroy-web": UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:calvinpark/leeroy-web Type:repository] map[Action:push Class: Name:calvinpark/leeroy-web Type:repository]]

Steps to Reproduce the Problem

  1. Follow the tutorial exactly
  2. pipelineresource.yml
apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: skaffold-git
spec:
  type: git
  params:
    - name: revision
      value: master
    - name: url
      value: https://github.com/GoogleContainerTools/skaffold
---
apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: skaffold-image-leeroy-web
spec:
  type: image
  params:
  - name: url
    value: docker.io/calvinpark/leeroy-web
  1. secret.yml
apiVersion: v1
kind: Secret
metadata:
  name: regcred
  annotations:
    tekton.dev/docker-0: docker.io
type: kubernetes.io/basic-auth
data:
  username: Y2FsdmlucGFyaw==
  password: aHVudGVyMg==
  1. cat /tekton/home/.docker/config.json correctly shows
{"auths":{"docker.io":{"username":"calvinpark","password":"*******","auth":"Y2FsdmlucGFyazpodW50ZXIy","email":"[email protected]"}}}

(password of course substituted with the real one)

Additional Info

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.2", GitCommit:"52c56ce7a8272c798dbc29846288d7cd9fbae032", GitTreeState:"clean", BuildDate:"2020-04-16T11:56:40Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.5", GitCommit:"e0fccafd69541e3750d460ba0f9743b90336f24f", GitTreeState:"clean", BuildDate:"2020-04-16T11:35:47Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"linux/amd64"}
$ tkn version
Client version: 0.9.0
Pipeline version: v0.12.0
@dibyom dibyom added the kind/bug Categorizes issue or PR as related to a bug. label May 19, 2020
@dleurs
Copy link

dleurs commented Jul 17, 2020

Same issue, up

@vdemeester
Copy link
Member

So, if I remember correctly, it is index.docker.io/v1 or something like that. One thing that should work better is to use kubernetes.io/dockerconfigjson secret, see here

@Peaorl
Copy link
Contributor

Peaorl commented Jul 17, 2020

I've been trying this out and got it to work with the following settings:

  • In the image PipelineResource the spec.params.value should be index.docker.io/username/repo:tag
  • And when creating the regcred secret the docker-server flag should be set to index.docker.io

@dleurs
Copy link

dleurs commented Jul 17, 2020

Something I have noticed, my error is /index.docker.io/v2/

error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "docker.io/dleurs/tekton-basic-nodejs-app": POST https://index.docker.io/v2/dleurs/tekton-basic-nodejs-app/blobs/uploads/: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:dleurs/tekton-basic-nodejs-app Type:repository] map[Action:push Class: Name:dleurs/tekton-basic-nodejs-app Type:repository]]

While if I cat the docker credentials, i got index.docker.io/v1/

cat /tekton/home/.docker/config.json
{"auths":{"https://index.docker.io/v1/":{"username":"XXX","password":"XXXXX","auth":"XXXXXX==","email":"XXXXX"}}}
I will try to find a way to make credentials /v2 and not /v1

@ghost
Copy link

ghost commented Jul 17, 2020

I think you can leave the version strings out completely as @Peaorl suggested - so just index.docker.io in your secret and index.docker.io/username/repo:tag in your Image PipelineResource.

If you're still having trouble it would be helpful to see your PipelineResource YAML and the kubectl create secret command that you're using. Leave out any sensitive info like usernames / passwords. Cheers!

@dleurs
Copy link

dleurs commented Jul 20, 2020

Thank you for your time ! Here are all informations :
I have Istio and Knative 0.14 serving installed, hoster on OVHcloud K8s managed

Install Tekton :

kubectl apply --filename https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
cat <<EOF | kubectl apply -f -
apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: skaffold-git
spec:
  type: git
  params:
    - name: revision
      value: master
    - name: url
      value: https://github.com/dleurs/tekton-basic-nodejs-app
EOF
cat <<EOF | kubectl apply -f -
apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: skaffold-image-leeroy-web
spec:
  type: image
  params:
    - name: url
      value: index.docker.io/dleurs/tekton-basic-nodejs-app:1.0.0
EOF
vim cicd-tekton/task.yaml;

apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: build-docker-image-from-git-source
spec:
  params:
    - name: pathToDockerFile
      type: string
      description: The path to the dockerfile to build
      default: $(resources.inputs.docker-source.path)/Dockerfile
    - name: pathToContext
      type: string
      description: |
        The build context used by Kaniko
        (https://github.com/GoogleContainerTools/kaniko#kaniko-build-contexts)
      default: $(resources.inputs.docker-source.path)
  resources:
    inputs:
      - name: docker-source
        type: git
    outputs:
      - name: builtImage
        type: image
  steps:
    - name: build-and-push
      image: gcr.io/kaniko-project/executor:v0.17.1
      # specifying DOCKER_CONFIG is required to allow kaniko to detect docker credential
      env:
        - name: "DOCKER_CONFIG"
          value: "/tekton/home/.docker/"
      command:
        - /kaniko/executor
      args:
        - --dockerfile=$(params.pathToDockerFile)
        - --destination=$(resources.outputs.builtImage.url)
        - --context=$(params.pathToContext)

kubectl apply -f cicd-tekton/task.yaml
kubectl create secret docker-registry regcred \
                    --docker-server=index.docker.io \
                    --docker-username=dleurs \
                    --docker-password=<your-pword> \
                    --docker-email=<your-email>
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tutorial-service
secrets:
  - name: regcred
EOF
vim cicd-tekton/task-run.yaml

apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  name: build-docker-image-from-git-source-task-run
spec:
  serviceAccountName: tutorial-service
  taskRef:
    name: build-docker-image-from-git-source
  params:
    - name: pathToDockerFile
      value: Dockerfile
  resources:
    inputs:
      - name: docker-source
        resourceRef:
          name: skaffold-git
    outputs:
      - name: builtImage
        resourceRef:
          name: skaffold-image-leeroy-web

kubectl apply -f cicd-tekton/task-run.yaml
tkn taskrun describe build-docker-image-from-git-source-task-run

🦶 Steps

 NAME                               STATUS
 ∙ create-dir-builtimage-r9x62      Completed
 ∙ git-source-docker-source-wlnfn   Completed
 ∙ build-and-push                   Error
 ∙ image-digest-exporter-b7c7h      Error
tkn taskrun logs build-docker-image-from-git-source-task-run

task build-docker-image-from-git-source has failed: "step-build-and-push" exited with code 1 (image: "docker-pullable://gcr.io/kaniko-project/executor@sha256:565d31516f9bb91763dcf8e23ee161144fd4e27624b257674136c71559ce4493"); for logs run: kubectl -n default logs build-docker-image-from-git-source-task-run-pod-xxkrc -c step-build-and-push

[git-source-docker-source-wlnfn] {"level":"info","ts":1595233969.1393487,"caller":"git/git.go:139","msg":"Successfully cloned https://github.com/dleurs/tekton-basic-nodejs-app @ d0e3c351f42acde390552210f23609e1584336e4 (grafted, HEAD, origin/master) in path /workspace/docker-source"}
[git-source-docker-source-wlnfn] {"level":"info","ts":1595233969.245682,"caller":"git/git.go:180","msg":"Successfully initialized and updated submodules in path /workspace/docker-source"}

[build-and-push] error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "index.docker.io/dleurs/tekton-basic-nodejs-app:1.0.0": UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:dleurs/tekton-basic-nodejs-app Type:repository] map[Action:push Class: Name:dleurs/tekton-basic-nodejs-app Type:repository]]

@Peaorl
Copy link
Contributor

Peaorl commented Jul 20, 2020

You're welcome!

Following your steps we had similar authentication errors even though the only things changed as compared to the tekton tutorial were the input repo you specified along with omitting a docker context.

In the end we tried a different Kaniko version, namely v0.16.0.
Which means specifying the following image under the build-and-push step in cicd-tekton/task.yaml:
image: gcr.io/kaniko-project/executor:v0.16.0

This allowed us to successfully push the image to a private docker repo.
We then tried the latest Kaniko version (v0.24.0) which also worked.
After that we tried v0.17.1 again which actually worked this time around.

At the moment we're not sure what is causing this issue but these steps should resolve the problem.
Perhaps you could try v0.24.0 right away and see whether that resolves the issue as well.

@dleurs
Copy link

dleurs commented Jul 21, 2020

Thank you very much, it is not working with gcr.io/kaniko-project/executor:v0.24.0 (as the only difference as my previous message) but it is working with gcr.io/kaniko-project/executor:v0.16.0

Step 1 : Testing with gcr.io/kaniko-project/executor:v0.24.0 (image tag 1.0.0) => fail
Step 2 : Testing with gcr.io/kaniko-project/executor:v0.16.0 (image tag 1.0.0) => success
Step 3 : Testing with gcr.io/kaniko-project/executor:v0.17.1 (image tag 1.0.1) => fail, same logs as step 1
Step 4 : Testing with gcr.io/kaniko-project/executor:v0.24.0 (image tag 1.0.1) => fail, same logs as step 1
Step 5 : Testing with gcr.io/kaniko-project/executor:v0.16.0 (image tag 1.0.1) => success, same logs as step 2

Only working with 0.16.0

Logs with gcr.io/kaniko-project/executor:v0.24.0, step 1

tkn taskrun describe build-docker-image-from-git-source-task-run

Name:              build-docker-image-from-git-source-task-run
Namespace:         default
Task Ref:          build-docker-image-from-git-source
Service Account:   tutorial-service
Timeout:           1h0m0s
Labels:
 app.kubernetes.io/managed-by=tekton-pipelines
 tekton.dev/task=build-docker-image-from-git-source

🌡️  Status

STARTED         DURATION     STATUS
2 minutes ago   33 seconds   Failed

Message

"step-build-and-push" exited with code 1 (image: "docker-pullable://gcr.io/kaniko-project/executor@sha256:d60705cb55460f32cee586570d7b14a0e8a5f23030a0532230aaf707ad05cecd"); for logs run: kubectl -n default logs build-docker-image-from-git-source-task-run-pod-gfkhm -c step-build-and-push


📨 Input Resources

 NAME              RESOURCE REF
 ∙ docker-source   skaffold-git

📡 Output Resources

 NAME           RESOURCE REF
 ∙ builtImage   skaffold-image-leeroy-web

⚓ Params

 NAME                 VALUE
 ∙ pathToDockerFile   Dockerfile

🦶 Steps

 NAME                               STATUS
 ∙ create-dir-builtimage-btg84      Completed
 ∙ git-source-docker-source-vb864   Completed
 ∙ build-and-push                   Error
 ∙ image-digest-exporter-zdgnk      Error

🚗 Sidecars

No sidecars
tkn taskrun logs build-docker-image-from-git-source-task-run

task build-docker-image-from-git-source has failed: "step-build-and-push" exited with code 1 (image: "docker-pullable://gcr.io/kaniko-project/executor@sha256:d60705cb55460f32cee586570d7b14a0e8a5f23030a0532230aaf707ad05cecd"); for logs run: kubectl -n default logs build-docker-image-from-git-source-task-run-pod-gfkhm -c step-build-and-push


[git-source-docker-source-vb864] {"level":"info","ts":1595320301.6838107,"caller":"git/git.go:139","msg":"Successfully cloned https://github.com/dleurs/tekton-basic-nodejs-app @ d0e3c351f42acde390552210f23609e1584336e4 (grafted, HEAD, origin/master) in path /workspace/docker-source"}
[git-source-docker-source-vb864] {"level":"info","ts":1595320301.7902503,"caller":"git/git.go:180","msg":"Successfully initialized and updated submodules in path /workspace/docker-source"}

[build-and-push] error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "index.docker.io/dleurs/tekton-basic-nodejs-app:1.0.0": POST https://index.docker.io/v2/dleurs/tekton-basic-nodejs-app/blobs/uploads/: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:dleurs/tekton-basic-nodejs-app Type:repository] map[Action:push Class: Name:dleurs/tekton-basic-nodejs-app Type:repository]]

container step-build-and-push has failed  : [{"key":"StartedAt","value":"2020-07-21T08:31:42.088Z","resourceRef":{}}]

Logs with gcr.io/kaniko-project/executor:v0.16.0, step 2

tkn taskrun describe build-docker-image-from-git-source-task-run

Name:              build-docker-image-from-git-source-task-run
Namespace:         default
Task Ref:          build-docker-image-from-git-source
Service Account:   tutorial-service
Timeout:           1h0m0s
Labels:
 app.kubernetes.io/managed-by=tekton-pipelines
 tekton.dev/task=build-docker-image-from-git-source

🌡️  Status

STARTED         DURATION    STATUS
2 minutes ago   1 minute    Succeeded

📨 Input Resources

 NAME              RESOURCE REF
 ∙ docker-source   skaffold-git

📡 Output Resources

 NAME           RESOURCE REF
 ∙ builtImage   skaffold-image-leeroy-web

⚓ Params

 NAME                 VALUE
 ∙ pathToDockerFile   Dockerfile

🦶 Steps

 NAME                               STATUS
 ∙ create-dir-builtimage-vd4wz      Completed
 ∙ git-source-docker-source-7fqjr   Completed
 ∙ build-and-push                   Completed
 ∙ image-digest-exporter-9mw69      Completed

🚗 Sidecars

No sidecars
tkn taskrun logs build-docker-image-from-git-source-task-run    


[git-source-docker-source-7fqjr] {"level":"info","ts":1595320573.9096239,"caller":"git/git.go:139","msg":"Successfully cloned https://github.com/dleurs/tekton-basic-nodejs-app @ d0e3c351f42acde390552210f23609e1584336e4 (grafted, HEAD, origin/master) in path /workspace/docker-source"}
[git-source-docker-source-7fqjr] {"level":"info","ts":1595320573.9887357,"caller":"git/git.go:180","msg":"Successfully initialized and updated submodules in path /workspace/docker-source"}

[build-and-push] INFO[0001] Resolved base name node:12 to node:12        
[build-and-push] INFO[0001] Using dockerignore file: /workspace/docker-source/.dockerignore 
[build-and-push] INFO[0001] Resolved base name node:12 to node:12        
[build-and-push] INFO[0001] Retrieving image manifest node:12            
[build-and-push] INFO[0002] Retrieving image manifest node:12            
[build-and-push] INFO[0003] Built cross stage deps: map[]                
[build-and-push] INFO[0003] Retrieving image manifest node:12            
[build-and-push] INFO[0004] Retrieving image manifest node:12            
[build-and-push] INFO[0005] Unpacking rootfs as cmd COPY package*.json ./ requires it. 
[build-and-push] INFO[0029] Taking snapshot of full filesystem...        
[build-and-push] INFO[0033] WORKDIR /usr/src                             
[build-and-push] INFO[0033] cmd: workdir                                 
[build-and-push] INFO[0033] Changed working directory to /usr/src        
[build-and-push] INFO[0033] Resolving srcs [package*.json]...            
[build-and-push] INFO[0033] COPY package*.json ./                        
[build-and-push] INFO[0033] Resolving srcs [package*.json]...            
[build-and-push] INFO[0033] Taking snapshot of files...                  
[build-and-push] INFO[0033] RUN npm install                              
[build-and-push] INFO[0033] cmd: /bin/sh                                 
[build-and-push] INFO[0033] args: [-c npm install]                       
[build-and-push] 
[build-and-push] > [email protected] postinstall /usr/src/node_modules/nodemon
[build-and-push] > node bin/postinstall || exit 0
[build-and-push] 
[build-and-push] Love nodemon? You can now support the project via the open collective:
[build-and-push]  > https://opencollective.com/nodemon/donate
[build-and-push] 
[build-and-push] added 186 packages from 202 contributors and audited 188 packages in 5.435s
[build-and-push] npm WARN [email protected] No description
[build-and-push] npm WARN [email protected] No repository field.
[build-and-push] npm WARN optional SKIPPING OPTIONAL DEPENDENCY: [email protected] (node_modules/fsevents):
[build-and-push] npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for [email protected]: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
[build-and-push] 
[build-and-push] 
[build-and-push] 8 packages are looking for funding
[build-and-push]   run `npm fund` for details
[build-and-push] 
[build-and-push] found 0 vulnerabilities
[build-and-push] 
[build-and-push] INFO[0039] Taking snapshot of full filesystem...        
[build-and-push] INFO[0044] COPY . .                                     
[build-and-push] INFO[0044] Taking snapshot of files...                  
[build-and-push] INFO[0044] EXPOSE ${PORT}                               
[build-and-push] INFO[0044] cmd: EXPOSE                                  
[build-and-push] INFO[0044] Adding exposed port: /tcp                    
[build-and-push] INFO[0044] CMD [ "npm", "start" ]                       

[image-digest-exporter-9mw69] {"level":"info","ts":1595320625.9330263,"logger":"fallback-logger","caller":"imagedigestexporter/main.go:59","msg":"No index.json found for: builtImage","commit":"9168151"}

@ghost
Copy link

ghost commented Jul 21, 2020

OK, sounds like an update to the tutorial to use kaniko 0.16.0 is a good next step in that case.

/kind documentation

@didier-durand
Copy link

Hi all,

I had the same issue with same message.

I used the recommendation of @Peaorl to get it to work: use 'index.docker.io' (instead of my initial 'docker.io' for docker-server) and then everything goes fine.

kubectl create secret docker-registry secret-docker-credentials
--docker-server='index.docker.io'
--docker-username=$DOCKER_USERID
--docker-password=$DOCKER_PASSWORD
--docker-email=$DOCKER_EMAIL

Maybe the tutorial doc should be updated accordingly: I opened #3298 for thhis purpose.

Best

Didier

@Shahard2
Copy link

Hi all,

I had the same issue with same message.

I used the recommendation of @Peaorl to get it to work: use 'index.docker.io' (instead of my initial 'docker.io' for docker-server) and then everything goes fine.

kubectl create secret docker-registry secret-docker-credentials
--docker-server='index.docker.io'
--docker-username=$DOCKER_USERID
--docker-password=$DOCKER_PASSWORD
--docker-email=$DOCKER_EMAIL

Maybe the tutorial doc should be updated accordingly: I opened #3298 for thhis purpose.

Best

Didier

Sounds good,
And if I'm using ECR?

@didier-durand
Copy link

didier-durand commented Sep 29, 2020

Didn't try yet: it is my next step.

@Shahard2
Copy link

Didn't try yet: it is my next step.

please keep us posted if you can

@viyancs
Copy link

viyancs commented Dec 9, 2021

I think you can leave the version strings out completely as @Peaorl suggested - so just index.docker.io in your secret and index.docker.io/username/repo:tag in your Image PipelineResource.

If you're still having trouble it would be helpful to see your PipelineResource YAML and the kubectl create secret command that you're using. Leave out any sensitive info like usernames / passwords. Cheers!

work for me , and tested with image from mgit/base:kaniko-executor-debug-stable

@kiaz-github
Copy link

I completed the tutorial successfully using Kaniko 0.16 to build, index.docker.io in my secret and index.docker.io/username/repo:tag in my Image PipelineResource.

But the latest Kaniko release is now 1.8.0, how can I use a Kaniko updated release without the permission error?

No version after 0.16 seems to work.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/bug Categorizes issue or PR as related to a bug. kind/documentation Categorizes issue or PR as related to documentation.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

10 participants