imagePullSecret used as fallback, not as first-class sitizen

[evgkrsk]

We observe bunch of such messages in k8s-iae log:

time="2020-11-03T06:30:23Z" level=error msg="GET https://eu.gcr.io/v2/giftery-ci/evotor-api-v3/manifests/v-c170103c: UNAUTHORIZED: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication" availability_mode=authentication_failure image_name="eu.gcr.io/giftery-ci/evotor-api-v3:v-c170103c"

when use private gcr.io registry. But all metrics for such projects is in normal state (all images available). We use "imagePullSecrets" in yaml manifests to indicate auth data for grc.io, but seems like k8s-iae dont use it right from start, only as fallback.

Maybe it is right thing to use imagePullSecrets right away (especially when it contains one secret) to check registry?

[usefree]

Hello! Thanks for tool)
seems like fix not help or i have wrong configuration.. get error availability_mode=authorization_failure while checking image from private registry. In serviceaccount for iae i have

kind: ServiceAccount
metadata:
  name: image-availability-exporter
  namespace: monitoring
imagePullSecrets:
- name: deploy-token

and deploy-token is used in other deployments without auth errors
using 0.1.16 iae version
Thanks!

[zuzzas]

What's in the logs?

[arslanbekov]

The problem with the inaccessibility of private repositories remains.

I have imagePullSecrets configured with the correct secret (under which I can pull my images), but the exporter itself has some errors, such as availability_mode=authorization_failure:

time="2024-06-05T22:11:37Z" level=error msg="GET https://region-docker.pkg.dev/v2/token?scope=repository%3Aproject%2Fimage%2Fapp%3Apull&service=: DENIED: Unauthenticated request. Unauthenticated requests do not have permission \"artifactregistry.repositories.downloadArtifacts\" on resource \"projects/project/locations/region/repositories/linkerd\" (or it may not exist)" availability_mode=authorization_failure image_name="region-docker.pkg.dev/project-name/registry/app:0.1"

[nabokihms]

@arslanbekov could you please share your secret (and not to forget masking the sensitive data)?

[arslanbekov]

@nabokihms hey, no problem (hope this helps):

Secret:

apiVersion: v1
data:
  .dockerconfigjson: base64_encoded (content below)
kind: Secret
metadata:
  name: gcr-json-key
  namespace: monitoring
type: kubernetes.io/dockerconfigjson

Base64 decoded (In fact, this is a regular JSON key for a service account from Google Cloud):

{"auths":{"eu.gcr.io":{"username":"_json_key","password":"{\n  \"type\": \"service_account\",\n  \"project_id\": \"hidden\",\n  \"private_key_id\": \"***\",\n  \"private_key\": \"***",\n  \"client_email\": \"[email protected]\",\n  \"client_id\": \"hidden\",\n  \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\n  \"token_uri\": \"https://oauth2.googleapis.com/token\",\n  \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\n  \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/hidden%40project-name.iam.gserviceaccount.com\",\n  \"universe_domain\": \"googleapis.com\"\n}","email":"hidden","auth":"hidden"}}}