Okteto not able to use private image as base

I can deploy the workloads just fine via okteto build --wait, but I get an error when I redeploy the application from within the GUI.

#4 ERROR: pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed

I have the correct pull secrets installed:

apiVersion: v1
data:
  .dockerconfigjson: {"auths":{"index.docker.io":{"password":"<password>","username":"<username>"}}} # decoded as example
kind: Secret
metadata:
  name: image-pull-secret
  namespace: okteto
type: kubernetes.io/dockerconfigjson

I believe @adripedriza ran into the same issue. Unable to use base image in okteto (requires authorization) - #8 by adripedriza

Is there a solution for this?

Hi @boedy,

You may be looking for how to configure private registries in Okteto, so take a look at privateRegistry configuration section (Configuration Settings | Okteto Documentation).

The process of pulling images from registries in Buildkit doesn’t use Kubernetes’ imagePullSecrets, but rather the credentials available in configuration files like .docker/config.json. When the deployment request is initiated from within the cluster (e.g., through the UI), that file is generated based on the configuration in the link I provided earlier.

Hi @provecho

Almost a year later I’m revisiting this topic. I’m still having issues. When I run okteto build, the Buildkit logs:

#3 ERROR: pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed

The access token set in okteto-dockerconfig is valid and, as you can see based on the Last Used, the key is being used.

Hi @boedy,

I’d like to remind you that credentials saved in the Kubernetes ImagePullSecrets are not utilized within Okteto Builds. For those, you need to have credentials defined locally or utilize the feature Private Registries (renewed since 1.14).

If you’re using any of the above and still facing issues, please provide a redacted version of your Dockerfile and your Okteto manifest (okteto.yaml). I’m particularly interested in the FROM statements. Please also include complete redacted logs.

@provecho We are using the privateRegistries

image

Docker-compose:

version: "3.2"
services:
  main-api:
    build:
      context: .
      dockerfile: Dockerfile
      args:
        - ENVIRONMENT=development
    command: ["serve"]
    environment:
      - DOPPLER_TOKEN=${DOPPLER_TOKEN}
    ports:
      - "8080:80"

Dockerfile:

FROM composer:2.1.6 as vendor

WORKDIR /tmp/

COPY composer.json composer.json
COPY composer.lock composer.lock
COPY database database
COPY tests tests

RUN composer install \
      --ignore-platform-reqs \
      --no-interaction \
      --no-plugins \
      --no-scripts \
      --prefer-dist

FROM **redacted**/example:base

WORKDIR /app
ARG ENVIRONMENT=production
COPY --from=composer /usr/bin/composer /usr/bin/composer

COPY . .

COPY docker-config/install.sh install.sh
RUN chmod u+x install.sh && ./install.sh

COPY --from=vendor /tmp/vendor vendor

Build logs:

Run
"Building service main-api"
1 hr ago
#1 [internal] load build definition from buildkit-498420913
#1 transferring dockerfile:
#1 transferring dockerfile: 1.38kB 1.0s done
#1 DONE 1.0s
#2 [internal] load .dockerignore
#2 transferring context: 440B 1.0s done
#2 DONE 1.0s
#3 [internal] load metadata for docker.io/**redacted**/example:base
#3 ...
#4 [internal] load metadata for docker.io/library/composer:latest
#4 DONE 1.2s
#5 [internal] load metadata for docker.io/library/composer:2.1.6
#5 DONE 1.4s
#3 [internal] load metadata for docker.io/**redacted**/example:base
#3 ERROR: pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed

Hi @boedy,

Thank you for providing your manifests and configuration.

I’ll pose additional questions to better understand your setup:

  1. Which version of Okteto Self Hosted are you running?
  2. Which version of the Okteto CLI are you using?
  3. Could you specify the action or command that triggers the error? I understand it occurs during the build phase, but I’m uncertain if you’re executing it from the web UI, locally with okteto build, or through another okteto command.

Regarding your mention of privateRegistries:

Since version 1.14, the notation displayed in the screenshot is no longer utilized. We have implemented a migration to ensure a smooth transition, but depending on your setup, your configuration might have been missed. The following article contains more information regarding the upgrade process and manual alternatives:

https://www.okteto.com/docs/self-hosted/manage/upgrade/#upgrading-to-okteto-114x

Lastly, if you have already reviewed the documentation provided and are executing okteto build or an equivalent locally, please attempt the following steps:

  1. Execute docker logout (for the default Docker Hub registry) or docker logout <registry> for any other registry.
  2. Retry your Okteto CLI command.

The rationale behind this suggestion is that Okteto prioritizes your local credentials over Okteto Self Hosted Private Registries when the CLI runs locally. Therefore, you may encounter the error due to outdated or expired local credentials.

I look forward to your response.
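
An added example (not from the thread and not Okteto's code) of checking, before a local `okteto build`, which base images in a Dockerfile would be pulled with a local Docker login instead of the cluster's private-registry credentials, following the precedence described above. The function names, the placeholder image `example-org/example:base` and the sample config are constructed, and treating the listed host names as Docker Hub aliases is an assumption.

```python
import re

HUB = {"index.docker.io", "registry-1.docker.io", "docker.io"}  # assumed Docker Hub aliases

def normalize(registry):
    """Reduce a config.json key or registry host to a bare host name."""
    host = re.sub(r"^https?://", "", registry).split("/")[0].lower()
    return "docker.io" if host in HUB else host

def image_registry(image):
    """Registry an image reference resolves to; Docker Hub when none is named."""
    first = image.split("/")[0]
    named = "/" in image and ("." in first or ":" in first or first == "localhost")
    return normalize(first) if named else "docker.io"

def local_credentials(config):
    """Map registry -> where the local Docker client keeps a login for it."""
    found, store = {}, config.get("credsStore")
    for key, entry in config.get("auths", {}).items():
        inline = "auth" in entry or "identitytoken" in entry
        if inline or store:  # an empty entry only counts when a store backs it
            found[normalize(key)] = "inline auth" if inline else f"credsStore:{store}"
    for key, helper in config.get("credHelpers", {}).items():
        found[normalize(key)] = f"credHelper:{helper}"
    return found

def base_images(dockerfile):
    """External images named by FROM and COPY --from, skipping build stages."""
    stages, images = set(), []
    for line in dockerfile.splitlines():
        m = re.match(r"\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", line, re.I)
        c = re.match(r"\s*COPY\s+.*--from=(\S+)", line, re.I)
        ref = m.group(1) if m else c.group(1) if c else None
        if ref and ref.lower() not in stages and ref != "scratch" and not ref.isdigit():
            images.append(ref)
        if m and m.group(2):
            stages.add(m.group(2).lower())
    return images

def pulled_with_local_login(dockerfile, config):
    """(image, credential source) for base images whose registry has a local login."""
    creds = local_credentials(config)
    return [(i, creds[image_registry(i)]) for i in base_images(dockerfile)
            if image_registry(i) in creds]

# Constructed samples: the thread's Dockerfile shape with a placeholder private image,
# and a config.json as left by `docker login` when a credential store is configured.
DOCKERFILE = ("FROM composer:2.1.6 as vendor\nFROM example-org/example:base\n"
              "COPY --from=composer /usr/bin/composer /usr/bin/composer\n"
              "COPY --from=vendor /tmp/vendor vendor\n")
CONFIG = {"auths": {"https://index.docker.io/v1/": {}}, "credsStore": "desktop"}

if __name__ == "__main__":
    for image, source in pulled_with_local_login(DOCKERFILE, CONFIG):
        print(f"{image}: local login found ({source})")
```

To run it against a real setup, load `~/.docker/config.json` with `json.load` and pass the Dockerfile text in place of the constructed samples; an empty result means no local login exists for any base image's registry.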

Hey @provecho

Thanks for the follow up. We are still on version 1.8 it seems

image

But I just tried your last suggestion and that worked! I apparently was not logged in, or maybe I was logged in as a different user. I’m a bit surprised that the local docker credentials override the remote ones. Is there a way to disable this?

Hi @boedy,

Currently, there isn’t a way to disable the override of remote credentials by local Docker credentials. I’ll bring up your concern to the product team, and I’ll keep you informed of any developments or updates regarding this matter.