-
Notifications
You must be signed in to change notification settings - Fork 267
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cannot pull images from Azure Container Registry #550
Comments
I can confirm. I have the exact same setup. Got the same error. Seem to only work when specifiying
|
have you tried to repo this with a kubelet identity that has Acrpull against the ACR? |
Install azure-cli in Docker image in order to use the `az acr login` command. Can be used with Azure Managed Identities with the following script: ```yaml --- apiVersion: v1 kind: ConfigMap metadata: name: argocd-image-updater-config namespace: argocd data: log.level: debug registries.conf: | registries: - name: acrexample api_url: https://acrexample.azurecr.io/ prefix: acrexample.azurecr.io ping: yes insecure: no credentials: ext:/app/scripts/acr-login.sh credsexpire: 10h --- apiVersion: v1 kind: ConfigMap metadata: name: argocd-image-updater-config-acr namespace: argocd data: acr-login.sh: | #!/bin/sh LOGIN=$(az login --identity) REGISTRY="acrexample" TOKEN=$(az acr login --name $REGISTRY --expose-token --output tsv --query accessToken) echo "00000000-0000-0000-0000-000000000000:$TOKEN" ``` Closes argoproj-labs#550 and argoproj-labs#473
Install azure-cli in Docker image in order to use the `az acr login` command. Can be used with Azure Managed Identities with the following script: ```yaml --- apiVersion: v1 kind: ConfigMap metadata: name: argocd-image-updater-config namespace: argocd data: log.level: debug registries.conf: | registries: - name: acrexample api_url: https://acrexample.azurecr.io/ prefix: acrexample.azurecr.io ping: yes insecure: no credentials: ext:/app/scripts/acr-login.sh credsexpire: 10h --- apiVersion: v1 kind: ConfigMap metadata: name: argocd-image-updater-config-acr namespace: argocd data: acr-login.sh: | #!/bin/sh LOGIN=$(az login --identity) REGISTRY="acrexample" TOKEN=$(az acr login --name $REGISTRY --expose-token --output tsv --query accessToken) echo "00000000-0000-0000-0000-000000000000:$TOKEN" ``` Closes argoproj-labs#550 and argoproj-labs#473 Signed-off-by: Jarvis Yang <[email protected]>
Install azure-cli in Docker image in order to use the `az acr login` command. Can be used with Azure Managed Identities with the following script: ```yaml --- apiVersion: v1 kind: ConfigMap metadata: name: argocd-image-updater-config namespace: argocd data: log.level: debug registries.conf: | registries: - name: acrexample api_url: https://acrexample.azurecr.io/ prefix: acrexample.azurecr.io ping: yes insecure: no credentials: ext:/app/scripts/acr-login.sh credsexpire: 10h --- apiVersion: v1 kind: ConfigMap metadata: name: argocd-image-updater-config-acr namespace: argocd data: acr-login.sh: | #!/bin/sh LOGIN=$(az login --identity) REGISTRY="acrexample" TOKEN=$(az acr login --name $REGISTRY --expose-token --output tsv --query accessToken) echo "00000000-0000-0000-0000-000000000000:$TOKEN" ``` Closes argoproj-labs#550 and argoproj-labs#473 Signed-off-by: Jarvis Yang <[email protected]>
Install azure-cli in Docker image in order to use the `az acr login` command. Can be used with Azure Managed Identities with the following script: ```yaml --- apiVersion: v1 kind: ConfigMap metadata: name: argocd-image-updater-config namespace: argocd data: log.level: debug registries.conf: | registries: - name: acrexample api_url: https://acrexample.azurecr.io/ prefix: acrexample.azurecr.io ping: yes insecure: no credentials: ext:/app/scripts/acr-login.sh credsexpire: 10h --- apiVersion: v1 kind: ConfigMap metadata: name: argocd-image-updater-config-acr namespace: argocd data: acr-login.sh: | #!/bin/sh LOGIN=$(az login --identity) REGISTRY="acrexample" TOKEN=$(az acr login --name $REGISTRY --expose-token --output tsv --query accessToken) echo "00000000-0000-0000-0000-000000000000:$TOKEN" ``` Closes argoproj-labs#550 and argoproj-labs#473
Install azure-cli in Docker image in order to use the `az acr login` command. Can be used with Azure Managed Identities with the following script: ```yaml --- apiVersion: v1 kind: ConfigMap metadata: name: argocd-image-updater-config namespace: argocd data: log.level: debug registries.conf: | registries: - name: acrexample api_url: https://acrexample.azurecr.io/ prefix: acrexample.azurecr.io ping: yes insecure: no credentials: ext:/app/scripts/acr-login.sh credsexpire: 10h --- apiVersion: v1 kind: ConfigMap metadata: name: argocd-image-updater-config-acr namespace: argocd data: acr-login.sh: | #!/bin/sh LOGIN=$(az login --identity) REGISTRY="acrexample" TOKEN=$(az acr login --name $REGISTRY --expose-token --output tsv --query accessToken) echo "00000000-0000-0000-0000-000000000000:$TOKEN" ``` Closes argoproj-labs#550 and argoproj-labs#473 Signed-off-by: Francesc Arbona <[email protected]>
Install azure-cli in Docker image in order to use the `az acr login` command. Can be used with Azure Managed Identities with the following script: ```yaml --- apiVersion: v1 kind: ConfigMap metadata: name: argocd-image-updater-config namespace: argocd data: log.level: debug registries.conf: | registries: - name: acrexample api_url: https://acrexample.azurecr.io/ prefix: acrexample.azurecr.io ping: yes insecure: no credentials: ext:/app/scripts/acr-login.sh credsexpire: 10h --- apiVersion: v1 kind: ConfigMap metadata: name: argocd-image-updater-config-acr namespace: argocd data: acr-login.sh: | #!/bin/sh LOGIN=$(az login --identity) REGISTRY="acrexample" TOKEN=$(az acr login --name $REGISTRY --expose-token --output tsv --query accessToken) echo "00000000-0000-0000-0000-000000000000:$TOKEN" ``` Closes argoproj-labs#550 and argoproj-labs#473 Signed-off-by: Francesc Arbona <[email protected]>
Azure Container Registry currently works out of the box for azure kubernetes services. You just have to enable managed identity. Using azurecr when not using aks is probably not a good decision anyway. There is no need to specify any credentials if you are using managed identities. https://learn.microsoft.com/en-us/azure/aks/use-oidc-issuer |
First of all, if you force the
Secondly, in my humble opinion importing a script to perform all actions necessary for Workload Identity is far from "just have to enable managed identity". I'm a huge fan of Workload Identity and use it in almost all components, but in none of them such a script addition is necessary. Next to that, it just seems off that even though the credentials are correctly configured, they are only used when forced through the annotation. To me this is simply a bug. Edit (12-Apr):
So basically, the issue remains: the config in the |
Stumbled on this by chance. I remember taking a while to figure out but I made it work with acr without workload ids.
notice how the secret key is specified with the
notice the creds format is important too Hope it helps someone. This would be good to clarify in the docs @argoproj-labs |
Install azure-cli in Docker image in order to use the `az acr login` command. Can be used with Azure Managed Identities with the following script: ```yaml --- apiVersion: v1 kind: ConfigMap metadata: name: argocd-image-updater-config namespace: argocd data: log.level: debug registries.conf: | registries: - name: acrexample api_url: https://acrexample.azurecr.io/ prefix: acrexample.azurecr.io ping: yes insecure: no credentials: ext:/app/scripts/acr-login.sh credsexpire: 10h --- apiVersion: v1 kind: ConfigMap metadata: name: argocd-image-updater-config-acr namespace: argocd data: acr-login.sh: | #!/bin/sh LOGIN=$(az login --identity) REGISTRY="acrexample" TOKEN=$(az acr login --name $REGISTRY --expose-token --output tsv --query accessToken) echo "00000000-0000-0000-0000-000000000000:$TOKEN" ``` Closes argoproj-labs#550 and argoproj-labs#473 Signed-off-by: Francesc Arbona <[email protected]>
Hey, have you had any update on this? I am experiencing the same issue. I have had it working for a while but it quit with authentication errors after I updated the token. I can login with the token through docker cli but the same token is erroring out with argocd image updater. |
@sysadminz refer to these setup instructions, it works for me: https://github.com/argoproj-labs/argocd-image-updater/blob/194a433f7207898132bd5865faa3556db55b210b/docs/configuration/registries.md#configuring-azure-container-registry-with Btw if any maintainer read this, there is a doc update PR waiting to be reviewed since February... it's a long time for just clarifying the doc on how to use Azure Container Registry with the argocd-image-updater... |
Those setup instructions work but only if there is a single ACR involved. It is not able to configure more than one ACR. Which is a step in the right direction, but ultimately we need a complete solution which can authenticate with more than one ACR. |
@etiennetremel thank you for the link to the setup instructions! In the |
Azure workload identity automatically inject these environment variable before the pod is created. |
Describe the bug
I cannot pull images that are stored in Azure Container Registry.
To Reproduce
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj-labs/argocd-image-updater/stable/manifests/install.yaml
)kubectl edit configmap argocd-image-updater-config -n argocd
) to include the section for custom registries:It is defined as
pullsecret
, because the secret created in step 3 has a field.dockerconfigjson
in the.data
section.Restart the deployment, to make sure the ConfigMap is reloaded (
kubectl -n argocd rollout restart deployment argocd-image-updater
)Create an empty Helm chart and an application to deploy a simple container from the container registry in Azure. It will fail with
Init:ImagePullBackOff
.Expected behavior
The image can be pulled successfully.
Additional context
Passing credentials to the CLI
test
command works fine.argocd-image-updater test <container-registry-name>.azurecr.io/<image>:<tag> --credentials pullsecret:argocd/acr
Version
Latest
Logs
argocd-image-updater test <container-registry-name>.azurecr.io/busybox:1.36
The text was updated successfully, but these errors were encountered: