Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Getting Unauthorized while pushing helm chart to OCI registry if repository name contains push #2419

Closed
rohanKanojia opened this issue Oct 11, 2023 · 0 comments · Fixed by #2420
Closed

Getting Unauthorized while pushing helm chart to OCI registry if repository name contains push #2419

rohanKanojia opened this issue Oct 11, 2023 · 0 comments · Fixed by #2420
Assignees
@rohanKanojia
Labels
bug Something isn't working
Milestone
1.15.0

Comments

@rohanKanojia
Copy link
Member

Describe the bug

For a valid registry requiring authentication, I kept getting Unauthorized error even if I provided the correct credentials. When I debugged the issue, I discovered it had to do with the repository name. My test project name was jkube-helm-push-oci which affected this statement:

https://github.com/eclipse/jkube/blob/cc6d239259aab437655a8bfdb76f0328f1170a95/jkube-kit/resource/helm/src/main/java/org/eclipse/jkube/kit/resource/helm/oci/OCIRegistryInterceptor.java#L98-L99

While requesting token we need to add scope of that token : whether it's for a read (pull) or write operation (push). By default in first request Www-Authenticate header contains pull for read only. We need to manually add push to this in order to fetch token for uploading chart. However, this condition turns false if the repository name already contains push substring.

Rather than comparing scope field in Www-Authenticate header as plain string, we should parse it and then compare only the last segment.

Eclipse JKube version

SNAPSHOT

Component

Kubernetes Maven Plugin

Apache Maven version

None

Gradle version

None

Steps to reproduce

Try pushing helm chart to some OCI registry with a chart name containing push keyword. Push would always fail

Expected behavior

Push should be successful when valid credentials are provided regardless of project name

Runtime

Kubernetes (vanilla)

Kubernetes API Server version

1.25.3

Environment

Linux

Eclipse JKube Logs

[ERROR] k8s: Error performing helm push: java.lang.IllegalStateException: Failure in initiating upload request: Unauthorized
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  6.903 s
[INFO] Finished at: 2023-10-11T12:02:04+05:30
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.eclipse.jkube:kubernetes-maven-plugin:1.15-SNAPSHOT:helm-push (default-cli) on project jkube-helm-push-testing: Failure in initiating upload request: Unauthorized -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException

Sample Reproducer Project

No response

Additional context

No response
@rohanKanojia rohanKanojia added the bug Something isn't working label Oct 11, 2023
@rohanKanojia rohanKanojia self-assigned this Oct 11, 2023
rohanKanojia added a commit to rohanKanojia/jkube that referenced this issue Oct 11, 2023
@rohanKanojia
fix (jkube-kit) : Parse www-authenticate header then add scope while …
4aaa3d0 
…authenticating against OCI registries (eclipse-jkube#2419)

We try to add push scope to scope field extracted from Www-Authenticate
header if it doesn't already exist. At the moment we were doing a plain
string contains, which won't work in case repository name already
contains push keyword.

Parse scope and make sure it's added in the last segment.

Signed-off-by: Rohan Kumar <[email protected]>
@rohanKanojia rohanKanojia mentioned this issue Oct 11, 2023
Merged
17 tasks
@manusa manusa added this to the 1.15.0 milestone Oct 11, 2023
@manusa manusa moved this to In Progress in Eclipse JKube Oct 11, 2023
@rohanKanojia rohanKanojia moved this from In Progress to Review in Eclipse JKube Oct 12, 2023
@rohanKanojia rohanKanojia moved this from Review to In Progress in Eclipse JKube Oct 12, 2023
@rohanKanojia rohanKanojia moved this from In Progress to Review in Eclipse JKube Oct 13, 2023
@rohanKanojia rohanKanojia moved this from Review to In Progress in Eclipse JKube Oct 16, 2023
@rohanKanojia rohanKanojia moved this from In Progress to Review in Eclipse JKube Oct 18, 2023
@github-project-automation github-project-automation bot moved this from Review to Done in Eclipse JKube Nov 7, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rohanKanojia rohanKanojia

Labels
bug Something isn't working
Projects
None yet
Milestone
1.15.0
2 participants
@manusa @rohanKanojia