ecr: secret not being generated #2

Open
Cryptophobia opened this issue Mar 13, 2018 · 8 comments
@Cryptophobia
Member

From @vdice on March 21, 2017 22:42

When setting up values for using ECR as the off-cluster registry option, a sample snippet of Workflow's global values.yaml would look something like:

...
registry-token-refresher:
...
  ecr:
    # Your AWS access key. Leave it empty if you want to use IAM credentials.
    accesskey: "ACCESS_KEY"
    # Your AWS secret key. Leave it empty if you want to use IAM credentials.
    secretkey: "SECRET_KEY"
    # Any S3 region
    region: "us-west-2"
    registryid: "myregistryid"
    hostname: "myhostname.amazonaws.com"
...

Yet, when the registryid and hostname values are non-empty as above, it seems a bug is hit and the necessary private-registry-ecr secret is not created correctly. When attempting to build/deploy an example app, the following is hit:

Error running git receive hook [error getting private registry details secrets "private-registry-ecr" not found]

Meanwhile, counterintuitively, if both registryid and hostname are just kept at "" then the aforementioned secret is created properly and build/deploys work as intended.

Copied from original issue: deis/registry-token-refresher#11

@Cryptophobia
Member Author

From @kwent on March 21, 2017 23:20

I would also update the documentation (https://deis.com/docs/workflow/installing-workflow/configuring-registry/) with one section for ECR and one section for GCR with samples.

@Cryptophobia
Member Author

From @vdice on March 23, 2017 21:29

deis/workflow#779 represents the docs update

@Cryptophobia
Member Author

From @foxycoder on April 7, 2017 16:35

FWIW I ran into the same error all of a sudden

error getting private registry details secrets "private-registry-ecr" not found

So I deleted the token refresher pod to start a new one and everything worked again:

kubectl --namespace deis delete pod deis-registry-token-refresher-xxx-yyy

@Cryptophobia
Member Author

From @mariusmarais on May 30, 2017 13:23

I'm running into this same problem, but I'm not able to recover.

Originally I set up values with both registryid and hostname, eventually leading me here.

However, after removing them and running kubectl delete namespace deis and re-running helm install deis/workflow -f values.yml, I still have the same problem, even though both registryid and hostname are blank in the registry-secret secret:

Error running git receive hook [error getting private registry details secrets "private-registry-ecr" not found]

Restarting the pod has no effect and it isn't generating any log output, which is making debugging very difficult (quay.io/deis/registry-token-refresher:v1.1.2).

Please help :)

Update: Granting the following access via IAM resolves the issue, since Deis needs to be able to create a repository for every app:

        {
            "Effect": "Allow",
            "Action": [
                "ecr:*"
            ],
            "Resource": [
                "*"
            ]
        }

Can this be limited further?
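
One way to evaluate a candidate answer to the question above is to lint the IAM statement for wildcards. This is an added example, not part of the thread or the project's code; the narrowed action list, the account id 111122223333 and the region are assumptions and have not been verified against what Deis Workflow actually calls.

```python
import json

# Statement quoted in the thread (full ECR access on every resource).
BROAD = json.loads('{"Effect": "Allow", "Action": ["ecr:*"], "Resource": ["*"]}')

# Constructed candidate: account id, region and action list are assumptions.
REPO_ARN = "arn:aws:ecr:us-west-2:111122223333:repository/*"
NARROWED = [
    {"Effect": "Allow", "Action": ["ecr:GetAuthorizationToken"], "Resource": ["*"]},
    {"Effect": "Allow",
     "Action": ["ecr:CreateRepository", "ecr:DescribeRepositories",
                "ecr:BatchCheckLayerAvailability", "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage",
                "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
     "Resource": [REPO_ARN]},
]

# ecr:GetAuthorizationToken has no resource-level form, so "*" is expected there.
RESOURCE_STAR_OK = {"ecr:getauthorizationtoken"}

def as_list(value):
    """IAM allows a bare string where a list is expected."""
    return [value] if isinstance(value, str) else list(value or [])

def audit(statements):
    """Return (index, problem) pairs for Allow statements that use wildcards."""
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in as_list(stmt.get("Action"))]
        resources = as_list(stmt.get("Resource"))
        for a in actions:
            if "*" in a:
                findings.append((i, f"wildcard action {a}"))
        if "*" in resources and not set(actions) <= RESOURCE_STAR_OK:
            findings.append((i, "Resource * on actions that accept a repository ARN"))
    return findings

if __name__ == "__main__":
    for name, stmts in (("thread", [BROAD]), ("narrowed", NARROWED)):
        print(name, audit(stmts) or "no wildcard findings")
```

If a narrowed policy like this breaks a deploy, the denied action recorded in CloudTrail shows which permission to add back, rather than returning to `ecr:*`.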

@ChillarAnand

In the docs, it is mentioned not to set hostname & registryid for ecr. Without these, helm is failing to update values.

➜ helm install hephy/workflow --namespace deis --generate-name -f values.yml 
Error: unable to build kubernetes objects from release manifest: error validating "": error validating data: [unknown object type "nil" in Secret.data.hostname, unknown object type "nil" in Secret.data.registryid]

@jayaprakash369

From @mariusmarais on May 30, 2017 13:23

I'm running into this same problem, but I'm not able to recover.

Originally I set up values with both registryid and hostname, eventually leading me here.

However, after removing them and running kubectl delete namespace deis and re-running helm install deis/workflow -f values.yml, I still have the same problem, even though both registryid and hostname are blank in the registry-secret secret:

Error running git receive hook [error getting private registry details secrets "private-registry-ecr" not found]

Restarting the pod has no effect and it isn't generating any log output, which is making debugging very difficult (quay.io/deis/registry-token-refresher:v1.1.2).

Please help :)

Update: Granting the following access via IAM resolves the issue, since Deis needs to be able to create a repository for every app:

        {
            "Effect": "Allow",
            "Action": [
                "ecr:*"
            ],
            "Resource": [
                "*"
            ]
        }

Can this be limited further?

Where do I have to update this config? Did you mean to update it in the trust relationship policy?

@jayaprakash369

jayaprakash369 commented Nov 25, 2021

Hello, I also tried to install Deis Workflow using the Helm chart:
helm install deis hephy/workflow --create-namespace --namespace deis --set global.use_cni=true -f deis-install.yml
and the code is:

# This is the global configuration file for Workflow
global:
  # Change to s3
  storage: s3
  database_location: "on-cluster"
  logger_redis_location: "on-cluster"
  influxdb_location: "on-cluster"
  grafana_location: "on-cluster"
  
  # Change to ecr
  registry_location: "ecr"
  host_port: 5555
  secret_prefix: "private-registry"
  experimental_native_ingress: false
  use_rbac: true
  
  s3:
    # Add access key and secret to user with read/write access to buckets
    accesskey: "*******"
    secretkey: "********"
    region: "eu-west-1"
    # Buckets you already created
    database_bucket: "*********"
    builder_bucket: "***********"
  
  controller:
    app_pull_policy: "IfNotPresent"
    registration_mode: "admin_only"
    platform_domain: "********"
  
  database:
    username: "deis"
    password: "*******"
    postgres:
      name: "********"
      username: "deis"
      password: "*************"
      host: "*************"
      port: "5432"
  
  #redis:
  #  db: "0"
    # host: "redis host"
    # port: "redis port"
    # password: "redis password" # "" == no password

  # fluentd:
  #   syslog:
  #     host: ""
  #     port: ""

  monitor:
    grafana:
    user: "admin"
    password: "************"
    persistence:
      enabled: false # Set to true to enable persistence
      size: 5Gi # PVC size
    influxdb:
      url: "**************"
      database: "admin"
      user: "deis"
      password: "***********"
      persistence:
        enabled: true # Set to true to enable persistence
        size: 200Gi # PVC size

  registry-token-refresher:
    token_refresh_time: ""
    # off_cluster_registry:
    #   hostname: ""
    #   organization: ""
    #   username: ""
    #   password: ""
    ecr:
      # Access key and secret for user with access to ECR registry
     accesskey: "*******"
     secretkey: "**********"
      # Hostname of ECR registry
     hostname: "**********"
      # Region where registry is located
     region: eu-north-1
      # Registry id (same as start in hostname)
     registryid: "**********"
    
    # gcr:
    #   key_json: <base64-encoded JSON data>
    #   hostname: ""

  router:
    dhparam: ""
    deployment_annotations:
      # Max body of requests for router
      router.deis.io/nginx.bodySize: "50m"
    
  #   service_annotations:
  #   #<example-key>: <example-value>

    host_port:
      enabled: false

    workflow-manager:
      versions_api_url: https://versions.teamhephy.info
      doctor_api_url: https://doctor.teamhephy.info

But I am getting an error like:

Error: unable to build kubernetes objects from release manifest: error validating "": error validating data: [unknown object type "nil" in Secret.data.accesskey, unknown object type "nil" in Secret.data.hostname, unknown object type "nil" in Secret.data.registryid, unknown object type "nil" in Secret.data.secretkey]

I tried with an empty string, attached an IAM policy with full ECR access to the user, and changed the kubeconfig file, but none of them helped me.
Source link: https://github.com/deis/workflow/blob/master/charts/workflow/values.yaml
Can anyone tell me what could be wrong here?

@Cryptophobia
Member Author

Cryptophobia commented Nov 26, 2021

@whitedevil-369 ,

Can you try setting these values below to blank strings "" in your values.yaml file?

ecr:
   hostname: ""
   registryid: ""

https://docs.teamhephy.com/installing-workflow/configuring-registry/#ecr

NOTE: registryid and hostname should not be set. See this issue for more info.
