Zarf 0.28.0/0.28.1 unauthenticated OCI registry error #1881

Closed
mjnagel opened this issue Jul 5, 2023 · 0 comments · Fixed by #1893

mjnagel commented Jul 5, 2023

Environment

Device and OS: macOS
App version: 0.28.0, 0.28.1
Kubernetes distro being used: N/A, k3d

Steps to reproduce

Zarf 0.28.0/1 appear to be unable to pull/deploy from an OCI registry unless authenticated.

I am running into the exact same issue described in #1677 - I won't duplicate all the description but this is my way of reproducing:

```
❯ docker logout ghcr.io
Removing login credentials for ghcr.io
❯ zarf package pull oci://ghcr.io/defenseunicorns/packages/dubbd-aws:0.2.4-amd64

 NOTE  Saving log file to
       /var/folders/56/3lg0nwq57ld8_xv7cjm9zjgh0000gn/T/zarf-2023-07-05-10-56-07-3840190976.log
     ERROR:  Failed to pull package: unable to authenticate to ghcr.io: GET "https://ghcr.io/v2/": GET
             "https://ghcr.io/token?scope=repository%3Auser%2Fimage%3Apull&service=ghcr.io": response status code
             403: denied: requested access to the resource is denied
❯ zarf package deploy oci://ghcr.io/defenseunicorns/packages/dubbd-k3d:0.3.0-amd64 --confirm

 NOTE  Saving log file to
       /var/folders/56/3lg0nwq57ld8_xv7cjm9zjgh0000gn/T/zarf-2023-07-05-10-56-12-2399863613.log
     ERROR:  Failed to deploy package: unable to authenticate to ghcr.io: GET "https://ghcr.io/v2/": GET
             "https://ghcr.io/token?scope=repository%3Auser%2Fimage%3Apull&service=ghcr.io": response status code
             403: denied: requested access to the resource is denied
```

Expected result

Zarf should be able to pull unauthenticated, as oras is able to.

```
❯ oras logout ghcr.io
❯ oras pull ghcr.io/defenseunicorns/packages/dubbd-k3d:0.3.0-amd64
Downloading 58deff0b03fe checksums.txt
Downloading 67083ae15b86 components/download-flux.tar
Downloading ad4906b9d455 components/bigbang.tar
Downloaded  58deff0b03fe checksums.txt
Downloading 52cb8f6c9483 components/load-certs.tar
Downloaded  52cb8f6c9483 components/load-certs.tar
Downloading d3023a95e3be components/preflight.tar
Downloaded  d3023a95e3be components/preflight.tar
...
```

Actual Result

Zarf fails to pull unless authenticated.

@candreacchi candreacchi pinned this issue Jul 7, 2023
@Racer159 Racer159 unpinned this issue Jul 7, 2023
@Noxsios Noxsios linked a pull request Jul 7, 2023 that will close this issue
Racer159 pushed a commit that referenced this issue Jul 10, 2023
## Description

Fixes what I broke.

This does re-architect some portions of OrasRemote and locks it down
more. Everything in `*remote.Registry` is no longer exposed to outside
usage and users of this remote client are restricted to the public
receiver methods written in `pkg/oci`.

The context is now private as it really should not be edited outside of
private receivers within OrasRemote.

During the writing of this PR I found out that ORAS already handles
scopes at the request level and there is zero need to handle scopes
yourself. I have not checked if I never had to do this, or if ORAS
updated.

## Related Issue

Fixes #1881 
Fixes #1795 
Fixes #1821 

## Type of change

- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide
Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow)
followed

---------

Signed-off-by: razzle <harry@razzle.cloud>
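
The token request in the error output above carries the scope `repository:user/image:pull`, which does not name the repository being pulled. The following is an added example, not code from the issue or from the Zarf project: a small Go check that decodes the scope in a logged token URL and compares it with the requested `oci://` reference. The function names `repoFromRef` and `scopeGrants` are hypothetical; the reference and token URL in `main` are copied from the log in this issue.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// repoFromRef splits an oci:// reference into registry and repository (tag/digest dropped).
func repoFromRef(ref string) (string, string, error) {
	registry, rest, ok := strings.Cut(strings.TrimPrefix(ref, "oci://"), "/")
	if !ok || rest == "" {
		return "", "", fmt.Errorf("no repository in %q", ref)
	}
	rest, _, _ = strings.Cut(rest, "@") // drop digest, if any
	rest, _, _ = strings.Cut(rest, ":") // drop tag, if any
	return registry, rest, nil
}

// scopeGrants reports whether a token URL requests `action` on `repo` and returns
// every scope it carries. Scope form: type:name:action[,action].
func scopeGrants(tokenURL, repo, action string) (bool, []string, error) {
	u, err := url.Parse(tokenURL)
	if err != nil {
		return false, nil, err
	}
	var seen []string
	granted := false
	for _, v := range u.Query()["scope"] { // Query() percent-decodes %3A and %2F
		for _, s := range strings.Fields(v) { // several scopes may be space-separated
			seen = append(seen, s)
			i, j := strings.Index(s, ":"), strings.LastIndex(s, ":")
			if i < 0 || i == j || s[:i] != "repository" || s[i+1:j] != repo {
				continue
			}
			for _, a := range strings.Split(s[j+1:], ",") {
				granted = granted || a == action
			}
		}
	}
	return granted, seen, nil
}

func main() {
	// Reference and token URL as they appear in the issue's terminal output.
	_, repo, _ := repoFromRef("oci://ghcr.io/defenseunicorns/packages/dubbd-aws:0.2.4-amd64")
	ok, seen, _ := scopeGrants("https://ghcr.io/token?scope=repository%3Auser%2Fimage%3Apull&service=ghcr.io", repo, "pull")
	fmt.Printf("repo=%s scopes=%v requests pull on repo=%v\n", repo, seen, ok)
}
```
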
cmwylie19 pushed a commit that referenced this issue Jul 10, 2023