You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
For a valid registry requiring authentication, I kept getting Unauthorized error even if I provided the correct credentials. When I debugged the issue, I discovered it had to do with the repository name. My test project name was jkube-helm-push-oci which affected this statement:
While requesting token we need to add scope of that token : whether it's for a read (pull) or write operation (push). By default in first request Www-Authenticate header contains pull for read only. We need to manually add push to this in order to fetch token for uploading chart. However, this condition turns false if the repository name already contains push substring.
Rather than comparing scope field in Www-Authenticate header as plain string, we should parse it and then compare only the last segment.
Eclipse JKube version
SNAPSHOT
Component
Kubernetes Maven Plugin
Apache Maven version
None
Gradle version
None
Steps to reproduce
Try pushing helm chart to some OCI registry with a chart name containing push keyword. Push would always fail
Expected behavior
Push should be successful when valid credentials are provided regardless of project name
Runtime
Kubernetes (vanilla)
Kubernetes API Server version
1.25.3
Environment
Linux
Eclipse JKube Logs
[ERROR] k8s: Error performing helm push: java.lang.IllegalStateException: Failure in initiating upload request: Unauthorized
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 6.903 s
[INFO] Finished at: 2023-10-11T12:02:04+05:30
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.eclipse.jkube:kubernetes-maven-plugin:1.15-SNAPSHOT:helm-push (default-cli) on project jkube-helm-push-testing: Failure in initiating upload request: Unauthorized -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
Sample Reproducer Project
No response
Additional context
No response
The text was updated successfully, but these errors were encountered:
…authenticating against OCI registries (eclipse-jkube#2419)
We try to add push scope to scope field extracted from Www-Authenticate
header if it doesn't already exist. At the moment we were doing a plain
string contains, which won't work in case repository name already
contains push keyword.
Parse scope and make sure it's added in the last segment.
Signed-off-by: Rohan Kumar <rohaan@redhat.com>
Describe the bug
For a valid registry requiring authentication, I kept getting
Unauthorized
error even if I provided the correct credentials. When I debugged the issue, I discovered it had to do with the repository name. My test project name wasjkube-helm-push-oci
which affected this statement:https://github.com/eclipse/jkube/blob/cc6d239259aab437655a8bfdb76f0328f1170a95/jkube-kit/resource/helm/src/main/java/org/eclipse/jkube/kit/resource/helm/oci/OCIRegistryInterceptor.java#L98-L99
While requesting token we need to add scope of that token : whether it's for a read (
pull
) or write operation (push
). By default in first request Www-Authenticate header containspull
for read only. We need to manually addpush
to this in order to fetch token for uploading chart. However, this condition turnsfalse
if the repository name already containspush
substring.Rather than comparing scope field in Www-Authenticate header as plain string, we should parse it and then compare only the last segment.
Eclipse JKube version
SNAPSHOT
Component
Kubernetes Maven Plugin
Apache Maven version
None
Gradle version
None
Steps to reproduce
Try pushing helm chart to some OCI registry with a chart name containing
push
keyword. Push would always failExpected behavior
Push should be successful when valid credentials are provided regardless of project name
Runtime
Kubernetes (vanilla)
Kubernetes API Server version
1.25.3
Environment
Linux
Eclipse JKube Logs
Sample Reproducer Project
No response
Additional context
No response
The text was updated successfully, but these errors were encountered: