replicatedhq/troubleshoot

Image pull secrets containing colons causing registryImages collector to fail

banjoh opened this issue · 0 comments

Bug Description

Assume you have a secret my-reg-creds which contains image registry credentials that you intend to use with the registry images collector for preflights or support bundles. If the basic authentication token is generated from a username or password containing colons (:), the collector will fail to fetch the image even if the image exists.

Expected Behavior

Credentials with colons should not lead to errors.

Steps To Reproduce

  • Create an image pull secret using the command below
kubectl create secret docker-registry my-reg-creds --docker-server=registry.k8s.io --docker-username="user:name" --docker-password="pass:word:with:colon"
  • Create spec.yaml and drop this spec in the file
apiVersion: troubleshoot.sh/v1beta2
kind: Preflight
spec:
  analyzers:
  - registryImages:
      checkName: Check images
      collectorName: ""
      outcomes:
      - fail:
          when: "errors > 0"
          message: Failed to check if images are present in registry
      - pass:
          message: All images are available
  collectors:
  - registryImages:
      imagePullSecret:
        name: my-reg-creds
        type: kubernetes.io/dockerconfigjson
      images:
      - registry.k8s.io/kube-scheduler:v1.29.5
  • Run preflight --interactive=false spec.yaml and note that you get the output below
   --- FAIL: Check images
      --- Failed to check if images are present in registry
--- FAIL
FAILED

Additional Context

  • The registry image collector assumes that credentials will be of the format username:password where neither of the separate parts contains a colon (:). This is not always the case. gcr.io, for example, has a password that is a JSON object, which looks like the one below:
{
  "type": "service_account",
  "project_id": "my-project",
  "private_key_id": "XXXXXXXXX",
  "private_key": "-----BEGIN PRIVATE KEY-----XXXXXXXX\n-----END PRIVATE KEY-----\n",
  "client_email": "john@doe.iam.gserviceaccount.com",
  "client_id": "XXXXXXXXX",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/my-project%40john@doe..iam.gserviceaccount.com"
}
  • When implementing this, ensure we klog.Error formatting errors such as this one. Here are some lines I've noted that need to be logged:

Include the following information.

  • Troubleshoot version. If you built from source, note that including the version of Go you used to build with.
  • Operating system
  • Operating system version
  • Other details that might be helpful in diagnosing the problem
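The parsing mistake behind this bug is splitting the decoded basic-auth string on every colon instead of only the first one. The Go program below is an added illustration and is not code from the troubleshoot project: it decodes a constructed kubernetes.io/dockerconfigjson payload, shows the naive split failing on a password that contains colons, and returns credentials using the first-colon rule (RFC 7617 forbids colons in the user-id, so everything after the first colon is the password). It also prefers the explicit username/password fields that kubectl create secret docker-registry records next to the auth field, which resolves the otherwise ambiguous case where the username itself contains a colon. The registry names, the JSON-key string and all credential values are constructed sample data.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// registryAuth is one entry under "auths" in a kubernetes.io/dockerconfigjson
// payload. kubectl create secret docker-registry writes username/password
// alongside the base64 "auth" field; other tools may write only "auth".
type registryAuth struct {
	Auth     string `json:"auth"`
	Username string `json:"username,omitempty"`
	Password string `json:"password,omitempty"`
}

type dockerConfigJSON struct {
	Auths map[string]registryAuth `json:"auths"`
}

// naiveSplit reproduces the failure mode in the issue: splitting on every
// colon, so any colon in the password produces the wrong number of parts.
func naiveSplit(decoded string) (string, string, error) {
	parts := strings.Split(decoded, ":")
	if len(parts) != 2 {
		return "", "", fmt.Errorf("expected username:password, got %d parts", len(parts))
	}
	return parts[0], parts[1], nil
}

// splitBasicAuth splits on the first colon only. RFC 7617 forbids colons in
// the user-id, so everything after the first colon belongs to the password.
func splitBasicAuth(decoded string) (string, string, error) {
	user, pass, found := strings.Cut(decoded, ":")
	if !found {
		return "", "", errors.New("credential is not in username:password form")
	}
	return user, pass, nil
}

// credentialsFor returns the username and password for registry. Explicit
// username/password fields win because they are unambiguous even when the
// username itself contains a colon; otherwise the base64 auth field is
// decoded and split at its first colon.
func credentialsFor(payload []byte, registry string) (string, string, error) {
	var cfg dockerConfigJSON
	if err := json.Unmarshal(payload, &cfg); err != nil {
		return "", "", fmt.Errorf("parse dockerconfigjson: %w", err)
	}
	entry, ok := cfg.Auths[registry]
	if !ok {
		return "", "", fmt.Errorf("no credentials for registry %q", registry)
	}
	if entry.Username != "" || entry.Password != "" {
		return entry.Username, entry.Password, nil
	}
	raw, err := base64.StdEncoding.DecodeString(entry.Auth)
	if err != nil {
		return "", "", fmt.Errorf("decode auth for %q: %w", registry, err)
	}
	return splitBasicAuth(string(raw))
}

// samplePayload builds a constructed .dockerconfigjson with two entries:
// registry.k8s.io as kubectl would write it for the issue's repro values,
// and a gcr.io-style entry carrying only "auth" with a JSON-key password.
func samplePayload() []byte {
	enc := func(u, p string) string { return base64.StdEncoding.EncodeToString([]byte(u + ":" + p)) }
	jsonKey := `{"type":"service_account","project_id":"my-project"}` // constructed, not a real key
	cfg := dockerConfigJSON{Auths: map[string]registryAuth{
		"registry.k8s.io": {Username: "user:name", Password: "pass:word:with:colon", Auth: enc("user:name", "pass:word:with:colon")},
		"gcr.io":          {Auth: enc("_json_key", jsonKey)},
	}}
	out, _ := json.Marshal(cfg)
	return out
}

func main() {
	for _, reg := range []string{"registry.k8s.io", "gcr.io"} {
		u, p, err := credentialsFor(samplePayload(), reg)
		fmt.Printf("%s: user=%q passwordLen=%d err=%v\n", reg, u, len(p), err)
	}
	// The naive split fails on the same decoded string the first-colon rule handles.
	_, _, err := naiveSplit("_json_key:{\"type\":\"service_account\"}")
	fmt.Println("naive split error:", err)
}
```

Logging the registry name and the reason a credential could not be parsed (without the credential value itself) at the points where credentialsFor returns an error is what turns the bare "errors > 0" preflight failure into something a user can act on.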