Support for fetching container manifests from private repositories
Fumi-Nine opened this issue · 5 comments
Problem Statement: While the project currently handles public container image repositories effectively, it encounters issues when trying to work with private repositories. This limitation is highlighted by an inability to fetch container manifests from private repositories, as evidenced by a 401 Unauthorized status code error when attempting such operations. This issue significantly hampers the project's utility in environments where private repositories are a necessity for security and organizational reasons.
Error Encountered:
The specific error encountered when trying to fetch a manifest from a private repository is as follows:
{"Pod":{"name":"podinfo-blue-app-app-bf8bcc8cf-n9ggr","namespace":"podinfo-private"},"controller":"pod","controllerGroup":"","controllerKind":"Pod","error":"failed to get manifest list. Unexpected status code 401. Expecting 200","level":"error","msg":"Reconciler error","name":"podinfo-blue-app-app-bf8bcc8cf-n9ggr","namespace":"podinfo-private","reconcileID":"9caebb6e-2b9c-4987-9f90-4c8b40b8223f","time":"2024-03-18T02:27:46Z"}
Proposed Feature:
Introduce support for fetching container manifests from private container repositories, including but not limited to AWS Elastic Container Registry (ECR). This feature would ideally handle authentication seamlessly, allowing users to specify credentials in a secure manner that Noe can use to authenticate against private repositories.
@Fumi-Nine can you bring more details here? We use Noe against private repositories and we don't find those errors unless credentials are not valid.
Hi!
As @Fsero mentioned, Noe supports authenticating to private registries.
It supports both the Docker config style (including the kubelet style) and the containerd style, as well as per-pod image pull secrets.
We are working on adding support for the new kubelet CredentialsProvider in #90, but there is still a bit of work left on this feature.
The Docker, containerd and kubelet CredentialsProvider styles all rely on files on the node, which are not necessarily mounted by default by the Helm chart.
To add those, ensure you have included the following in your Helm values:
containerdConfigPathCandidates:
- ${YourPathToContainerDConfiguration}
dockerConfigPathCandidates:
- ${YourPathToDockerCredentialsConfiguration}
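To make the Docker-config-style lookup concrete, here is an added example (not Noe's own code) of resolving registry credentials for an image reference from a config.json of the kind Docker and the kubelet write. The config contents, registry host and account values are constructed; matching is by registry host only, and a reference whose registry has no entry resolves to no credentials, which is the situation that ends in the 401 quoted in the issue.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"strings"
)

// dockerConfig mirrors the "auths" map of a Docker/kubelet config.json ("auth" is a base64 "user:password" blob).
type dockerConfig struct {
	Auths map[string]struct{ Auth string } `json:"auths"`
}

// sampleConfig is a constructed config.json (not from the issue): an ECR entry and a Docker Hub entry.
const sampleConfig = `{"auths":{
  "123456789012.dkr.ecr.us-east-1.amazonaws.com":{"auth":"QVdTOmV4YW1wbGUtdG9rZW4="},
  "https://index.docker.io/v1/":{"auth":"YWxpY2U6czNjcmV0"}}}`

// registryOf extracts the registry host; a first component lacking "." or ":" (and not "localhost") is a Docker Hub namespace.
func registryOf(image string) string {
	parts := strings.SplitN(image, "/", 2)
	if len(parts) == 1 || !(strings.ContainsAny(parts[0], ".:") || parts[0] == "localhost") {
		return "index.docker.io"
	}
	return parts[0]
}

// resolveCredentials returns the user/password for the image's registry, comparing hosts
// only since keys may carry a scheme and path ("https://index.docker.io/v1/"). ok is false
// when nothing matches: the request then goes unauthenticated and a private registry answers 401.
func resolveCredentials(cfgJSON, image string) (user, pass string, ok bool) {
	var cfg dockerConfig
	if err := json.Unmarshal([]byte(cfgJSON), &cfg); err != nil {
		return "", "", false
	}
	want := registryOf(image)
	for key, entry := range cfg.Auths {
		host := strings.TrimPrefix(strings.TrimPrefix(key, "https://"), "http://")
		if strings.SplitN(host, "/", 2)[0] != want {
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(entry.Auth)
		if err != nil {
			return "", "", false // entry exists but its auth blob is malformed
		}
		return strings.Cut(string(raw), ":")
	}
	return "", "", false
}
```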
Chiming in here - I work with Fumi (separate teams, but related work).
Having tested the PR you've linked, I can confirm that's working for us (at least in minikube - EKS unverified), with a couple of minor changes which I've mentioned in the discussion there: #90 (comment)
If there are particular things you need assistance with to speed that up (resolving merge conflicts?), I'm happy to contribute there, with clarity as to what is needed.
I'm not sure what has been tried with respect to the containerd / docker config styles, so we'll follow that up internally in parallel.
Hi @Fumi-Nine !
We have merged #90, which should provide the last authentication scheme supported by Kubernetes.
I would hence close this ticket. Please feel free to re-open it if you need any further help.