ERROR: The key you are authenticating with has been marked as read only.

[timfpark]

I'm trying to use the new Image Update Automation, which I nearly have working but I'm one hurdle short.

I have a ImageRepository resource configured correctly to check a private container repo and it reports correctly that:

successful scan, found 3 tags

The ImagePolicy resource also determines the newest image, reporting:

Latest image tag for 'myrepo.azurecr.io/my-service' resolved to: 20210520T231410Z

So far so good - it even appears to have found my markup in the HelmRelease and updated it with this latest tag - but can't push it:

unknown error: ERROR: The key you are authenticating with has been marked as read only.

First off, which key is it referring to? Is it the credentials for interacting with the git repo? or the container registry?

Secondly, I'm assuming I'm missing some sort of secretRef or the like to configure this - is that right?

Many thanks in advance for what is highly likely to be a configuration error.

[kingdonb]

Is your helm chart hosted in an Azure Repo?

Please if possible provide a public reference that includes all of the artifacts about which you're talking.

To be clear, are you updating a HelmRelease with a latest image using ImageUpdateAutomation?

The key you are authenticating with has been marked as read only

This error reads to me like a deploy key secret has been configured in read-only mode. This is the default configuration when bootstrap is used without --token-auth, at least for GitHub. What git host are you using, and how did you bootstrap your flux?

If you can create a new deploy key that is read-only and replace it in the secretRef from your flux-system namespace, that may solve it. Flux does not create repo secrets in read-write mode anymore by default, since it can be surprising and the idea of a cluster agent that can write its own updates back to Git can be counter-intuitive to many ops people, may present obstacles for security reviews.