Improve logging information on failed to get manifest error (#126)

* Improve logging information on failed to get manifest error For better understanding of some issues with noe and authentication against some registries, we want to enrich the logging format for when a desired manifest cannot be retrieved. This small pull request improves that logline. * fixup! Merge branch 'main' into better-logging * fixup! fixup! Merge branch 'main' into better-logging * fixup! fixup! fixup! Merge branch 'main' into better-logging * fixup! fixup! fixup! fixup! Merge branch 'main' into better-logging * fixup! Merge branch 'main' into better-logging --------- Co-authored-by: Sebastian Caldarola <sebastian.caldarola@ådevinta.com>
adevinta · Jul 17, 2024 · ec066c1 · ec066c1
1 parent 667744f
commit ec066c1
Show file tree

Hide file tree

Showing 9 changed files with 35 additions and 6 deletions.
diff --git a/pkg/registry/anonymous_credentials.go b/pkg/registry/anonymous_credentials.go
@@ -18,7 +18,11 @@ func (r AnonymousAuthenticator) Authenticate(ctx context.Context, imagePullSecre
 		}
 	}
 	select {
-	case candidates <- AuthenticationToken{}:
+	case candidates <- AuthenticationToken{
+		Ref: AuthenticationSourceRef{
+			Provider: "anonymous",
+		},
+	}:
 	case <-ctx.Done():
 		return
 	}

diff --git a/pkg/registry/anonymous_credentials_test.go b/pkg/registry/anonymous_credentials_test.go
@@ -14,6 +14,7 @@ func TestAnonymousAuthenticator(t *testing.T) {
 	candidate := <-candidates
 	assert.Empty(t, candidate.Kind)
 	assert.Empty(t, candidate.Token)
+	assert.Equal(t, candidate.Ref.Provider, "anonymous")
 }
 
 func TestAnonymousAuthenticatorSkipsPrivateRegistries(t *testing.T) {

diff --git a/pkg/registry/containerd_credentials.go b/pkg/registry/containerd_credentials.go
@@ -48,6 +48,9 @@ func (r ContainerDAuthenticator) Authenticate(ctx context.Context, imagePullSecr
 		case candidates <- AuthenticationToken{
 			Kind:  "Basic",
 			Token: containerdAuth.Header,
+			Ref: AuthenticationSourceRef{
+				Provider: "containerD",
+			},
 		}:
 		case <-ctx.Done():
 			return

diff --git a/pkg/registry/containerd_credentials_test.go b/pkg/registry/containerd_credentials_test.go
@@ -49,6 +49,9 @@ func TestRegistryAuthenticator_GetHeaderOnContainerdFiles(t *testing.T) {
 	expectedToken := AuthenticationToken{
 		Kind:  "Basic",
 		Token: "dXNlcjpwYXNz",
+		Ref: AuthenticationSourceRef{
+			Provider: "containerD",
+		},
 	}
 
 	assert.Equal(t, expectedToken, receivedToken)

diff --git a/pkg/registry/docker_credentials.go b/pkg/registry/docker_credentials.go
@@ -32,6 +32,7 @@ type DockerConfig struct {
 type DockerConfigAuthenticator struct {
 	scheme               *runtime.Scheme
 	KubeletAuthenticator Authenticator
+	Provider             string
 }
 
 func (r DockerConfigAuthenticator) parseDockerConfig(reader io.ReadCloser) (DockerConfig, error) {
@@ -96,6 +97,9 @@ func (r DockerConfigAuthenticator) Authenticate(ctx context.Context, cfg DockerC
 		case candidates <- AuthenticationToken{
 			Kind:  "Basic",
 			Token: auth,
+			Ref: AuthenticationSourceRef{
+				Provider: r.Provider,
+			},
 		}:
 		case <-ctx.Done():
 			return

diff --git a/pkg/registry/docker_credentials_test.go b/pkg/registry/docker_credentials_test.go
@@ -14,7 +14,7 @@ func TestDockerAuthenticatorWithimagePullSecret(t *testing.T) {
 	image := "myimage"
 	tag := "latest"
 
-	authenticator := ImagePullSecretAuthenticator{} // Create an instance of the RegistryAuthenticator
+	authenticator := ImagePullSecretAuthenticator{DockerConfigAuthenticator{Provider: "ImagePullSecret"}} // Create an instance of the RegistryAuthenticator
 	candidates := make(chan AuthenticationToken)
 	go authenticator.Authenticate(context.Background(), imagePullSecret, registry, image, tag, candidates)
 
@@ -24,6 +24,9 @@ func TestDockerAuthenticatorWithimagePullSecret(t *testing.T) {
 	expectedToken := AuthenticationToken{
 		Kind:  "Basic",
 		Token: "YXV0aDp1c2VyOnBhc3M=",
+		Ref: AuthenticationSourceRef{
+			Provider: "ImagePullSecret",
+		},
 	}
 
 	assert.Equal(t, expectedToken, receivedToken)
@@ -39,7 +42,7 @@ func TestDockerConfigFileWithimagePullSecret(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	afero.WriteFile(fs, "/var/lib/kubelet/config.json", []byte(imagePullSecret), 0644)
 
-	authenticator := DockerConfigFileAuthenticator{fs: fs} // Create an instance of the RegistryAuthenticator
+	authenticator := DockerConfigFileAuthenticator{fs: fs, DockerConfigAuthenticator: DockerConfigAuthenticator{Provider: "docker-config"}} // Create an instance of the RegistryAuthenticator
 	candidates := make(chan AuthenticationToken)
 	go authenticator.Authenticate(context.Background(), imagePullSecret, registry, image, tag, candidates)
 
@@ -49,6 +52,9 @@ func TestDockerConfigFileWithimagePullSecret(t *testing.T) {
 	expectedToken := AuthenticationToken{
 		Kind:  "Basic",
 		Token: "YXV0aDp1c2VyOnBhc3M=",
+		Ref: AuthenticationSourceRef{
+			Provider: "docker-config",
+		},
 	}
 
 	assert.Equal(t, expectedToken, receivedToken)

diff --git a/pkg/registry/kubelet_credentials.go b/pkg/registry/kubelet_credentials.go
@@ -262,6 +262,9 @@ func (r KubeletAuthenticator) tryIndividualKubeletProvider(ctx context.Context,
 			candidates <- AuthenticationToken{
 				Kind:  "Basic",
 				Token: base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", value.Username, value.Password))),
+				Ref: AuthenticationSourceRef{
+					Provider: "kubelet",
+				},
 			}
 		} else {
 			log.DefaultLogger.WithContext(ctx).Info("image does not match kubelet credentials provider response, skipping it")

diff --git a/pkg/registry/login.go b/pkg/registry/login.go
@@ -11,6 +11,11 @@ import (
 type AuthenticationToken struct {
 	Kind  string
 	Token string
+	Ref   AuthenticationSourceRef
+}
+
+type AuthenticationSourceRef struct {
+	Provider string
 }
 
 type Authenticator interface {
@@ -37,7 +42,7 @@ func NewAuthenticator(kubeletConfigFile, kubeletBinDir string, privateRegistryPa
 
 	fs := afero.NewOsFs()
 	a := Authenticators{
-		ImagePullSecretAuthenticator{},
+		ImagePullSecretAuthenticator{DockerConfigAuthenticator: DockerConfigAuthenticator{Provider: "ImagePullSecret"}},
 	}
 	if kubeletConfigFile != "" && kubeletBinDir != "" {
 		a = append(a, KubeletAuthenticator{fs: fs, scheme: newScheme(), BinDir: kubeletBinDir, Config: kubeletConfigFile})
@@ -46,7 +51,7 @@ func NewAuthenticator(kubeletConfigFile, kubeletBinDir string, privateRegistryPa
 	}
 	a = append(a,
 		ContainerDAuthenticator{fs: fs},
-		DockerConfigFileAuthenticator{fs: fs},
+		DockerConfigFileAuthenticator{fs: fs, DockerConfigAuthenticator: DockerConfigAuthenticator{Provider: "docker-config"}},
 		AnonymousAuthenticator{
 			PrivateRegistryPatterns: cleanRegistryPatterns(privateRegistryPaterns),
 		},

diff --git a/pkg/registry/registry.go b/pkg/registry/registry.go
@@ -471,7 +471,7 @@ func (r *PlainRegistry) listArchsWithAuth(ctx context.Context, client http.Clien
 	}
 
 	if resp.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("failed to get manifest list. Unexpected status code %d. Expecting %d", resp.StatusCode, http.StatusOK)
+		return nil, fmt.Errorf("failed to get manifest list for image %s in registry %s using the provider %s. Unexpected status code %d. Expecting %d", image, registry, auth.Ref.Provider, resp.StatusCode, http.StatusOK)
 	}
 	r.updateRemaingRateLimits(ctx, registry, resp)