GCR Example #267

Open
agates4 opened this issue Feb 6, 2024 · 4 comments
@agates4

agates4 commented Feb 6, 2024

Hello

Do you have an example of how to authenticate the controller to access gcr.io from GCP (Google Cloud, gcloud, GAR Google Artifact Registry) registries?

Here are my logs when attempting to access these registries:

2024-02-06T19:22:46.893Z	ERROR	failed to cache image	{"controller": "cachedimage", "controllerGroup": "kuik.enix.io", "controllerKind": "CachedImage", "CachedImage": {"name":"gcr.io-asdf-2.4.2"}, "namespace": "", "name": "gcr.io-asdf-2.4.2", "reconcileID": "9296ce4f-2ade-45af-b77b-bc023406aa7a", "sourceImage": "gcr.io/asdf:2.4.2", "error": "GET https://gcr.io/v2/asdf/2.4.2: UNAUTHORIZED: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication", "errorCauses": [{"error": "GET https://gcr.io/v2/asdf/2.4.2: UNAUTHORIZED: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication"}]}

2024-02-06T19:22:46.893Z	ERROR	Reconciler error	{"controller": "cachedimage", "controllerGroup": "kuik.enix.io", "controllerKind": "CachedImage", "CachedImage": {"name":"gcr.io-asdf-2.4.2"}, "namespace": "", "name": "gcr.io-asdf-2.4.2", "reconcileID": "9296ce4f-2ade-45af-b77b-bc023406aa7a", "error": "GET https://gcr.io/v2/asdf/2.4.2: UNAUTHORIZED: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication", "errorCauses": [{"error": "GET https://gcr.io/v2/asdf/2.4.2: UNAUTHORIZED: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication"}]}

time="2024-02-06T19:23:16Z" level=error msg="Error parsing the serverURL" error="docker-credential-ecr-login can only be used with Amazon Elastic Container Registry." serverURL=gcr.io

Is this a feature request?

@agates4
Author

agates4 commented Feb 6, 2024

I solved this by using our secret provider to inject a secret file to the controller deployments at this path:
/.docker/config.json
which contained a manually configured GCR configuration with an embedded base64 of a valid JSON service account.
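
A sketch of how such a `config.json` can be generated, added here as an example and not part of the original comment or of the kuik project. It assumes the file uses the `_json_key` basic-auth form that Google documents for service account keys; the registry host list, function names and sample key are constructed for illustration.

```python
import base64
import json
import os

# Assumed host list; trim it to the registries the controller actually pulls from.
GCR_HOSTS = ("gcr.io", "us.gcr.io", "eu.gcr.io", "asia.gcr.io")

# Constructed placeholder key, not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "client_email": "puller@example-project.iam.gserviceaccount.com",
    "private_key": "CONSTRUCTED-PLACEHOLDER",
})


def build_docker_config(sa_key_json, hosts=GCR_HOSTS):
    """Build a Docker config.json dict from a service account key (JSON text)."""
    key = json.loads(sa_key_json)
    # Reject user credentials or truncated files before they reach the cluster.
    if key.get("type") != "service_account":
        raise ValueError("expected a key of type 'service_account'")
    missing = {"client_email", "private_key"} - key.keys()
    if missing:
        raise ValueError("key is missing fields: %s" % sorted(missing))
    # Registry basic auth: username "_json_key", password is the key file content.
    token = base64.b64encode(("_json_key:" + sa_key_json).encode()).decode()
    return {"auths": {host: {"auth": token} for host in hosts}}


def decode_auth(config, host):
    """Return (username, password) stored for host, to verify a generated file."""
    raw = base64.b64decode(config["auths"][host]["auth"]).decode()
    user, _, password = raw.partition(":")
    return user, password


def write_config(config, path):
    """Write the config owner-readable only; it embeds a long-lived key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        json.dump(config, handle, indent=2)


if __name__ == "__main__":
    print(sorted(build_docker_config(SAMPLE_KEY)["auths"]))
```

The resulting file carries the full service account key, so it belongs in the secret provider rather than in an image or a ConfigMap, and the service account should hold read-only access to the registry.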

@Nicolasgouze Nicolasgouze added the question Further information is requested label Mar 29, 2024
@dudell-bud

dudell-bud commented Apr 2, 2024

The workaround doesn't seem to work anymore - and I am having this same issue. The only way I can get it to pull from GCR is by setting the secrets manually in each repository, of which we have hundreds. This is not such a bad thing, but if I pre-create the repositories when a new pod is onboarded, the repository gets overridden, removing my added secrets config.

Seems like I'm missing something simple. My GKE cluster can pull images from GCR without needing imagePullSecrets or such - yet KUIK cannot.

Ideally, if I do need to provide imagePullSecrets, I would do so in one place for every matching repository, or for repositories not to override pullSecretsNamespace and pullSecretNames when synced with the controller.

@paullaffitte
Contributor

As for Amazon ECR (see #113), we need to implement automatic retrieval of pull secrets. Maybe we could use https://github.com/GoogleCloudPlatform/docker-credential-gcr to do so.

@dudell-bud

Ah makes sense - thanks for the update. Be interested if that gets onto your roadmap / you need someone to test it out

@Nicolasgouze Nicolasgouze added enhancement New feature or request and removed question Further information is requested labels May 21, 2024