From ec066c1cdea530db7854fb7e92ec2660ccedf69b Mon Sep 17 00:00:00 2001 From: Sebastian Caldarola Date: Wed, 17 Jul 2024 11:54:15 +0200 Subject: [PATCH] Improve logging information on failed to get manifest error (#126) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Improve logging information on failed to get manifest error For better understanding of some issues with noe and authentication against some registries, we want to enrich the logging format for when a desired manifest cannot be retrieved. This small pull request improves that logline. * fixup! Merge branch 'main' into better-logging * fixup! fixup! Merge branch 'main' into better-logging * fixup! fixup! fixup! Merge branch 'main' into better-logging * fixup! fixup! fixup! fixup! Merge branch 'main' into better-logging * fixup! Merge branch 'main' into better-logging --------- Co-authored-by: Sebastian Caldarola --- pkg/registry/anonymous_credentials.go | 6 +++++- pkg/registry/anonymous_credentials_test.go | 1 + pkg/registry/containerd_credentials.go | 3 +++ pkg/registry/containerd_credentials_test.go | 3 +++ pkg/registry/docker_credentials.go | 4 ++++ pkg/registry/docker_credentials_test.go | 10 ++++++++-- pkg/registry/kubelet_credentials.go | 3 +++ pkg/registry/login.go | 9 +++++++-- pkg/registry/registry.go | 2 +- 9 files changed, 35 insertions(+), 6 deletions(-) diff --git a/pkg/registry/anonymous_credentials.go b/pkg/registry/anonymous_credentials.go index 132a226..f481054 100644 --- a/pkg/registry/anonymous_credentials.go +++ b/pkg/registry/anonymous_credentials.go @@ -18,7 +18,11 @@ func (r AnonymousAuthenticator) Authenticate(ctx context.Context, imagePullSecre } } select { - case candidates <- AuthenticationToken{}: + case candidates <- AuthenticationToken{ + Ref: AuthenticationSourceRef{ + Provider: "anonymous", + }, + }: case <-ctx.Done(): return } diff --git a/pkg/registry/anonymous_credentials_test.go b/pkg/registry/anonymous_credentials_test.go index 284d8b4..500916f 100644 --- a/pkg/registry/anonymous_credentials_test.go +++ b/pkg/registry/anonymous_credentials_test.go @@ -14,6 +14,7 @@ func TestAnonymousAuthenticator(t *testing.T) { candidate := <-candidates assert.Empty(t, candidate.Kind) assert.Empty(t, candidate.Token) + assert.Equal(t, candidate.Ref.Provider, "anonymous") } func TestAnonymousAuthenticatorSkipsPrivateRegistries(t *testing.T) { diff --git a/pkg/registry/containerd_credentials.go b/pkg/registry/containerd_credentials.go index 5ceb538..b841078 100644 --- a/pkg/registry/containerd_credentials.go +++ b/pkg/registry/containerd_credentials.go @@ -48,6 +48,9 @@ func (r ContainerDAuthenticator) Authenticate(ctx context.Context, imagePullSecr case candidates <- AuthenticationToken{ Kind: "Basic", Token: containerdAuth.Header, + Ref: AuthenticationSourceRef{ + Provider: "containerD", + }, }: case <-ctx.Done(): return diff --git a/pkg/registry/containerd_credentials_test.go b/pkg/registry/containerd_credentials_test.go index 6d7aa80..6595464 100644 --- a/pkg/registry/containerd_credentials_test.go +++ b/pkg/registry/containerd_credentials_test.go @@ -49,6 +49,9 @@ func TestRegistryAuthenticator_GetHeaderOnContainerdFiles(t *testing.T) { expectedToken := AuthenticationToken{ Kind: "Basic", Token: "dXNlcjpwYXNz", + Ref: AuthenticationSourceRef{ + Provider: "containerD", + }, } assert.Equal(t, expectedToken, receivedToken) diff --git a/pkg/registry/docker_credentials.go b/pkg/registry/docker_credentials.go index 85d0925..baec842 100644 --- a/pkg/registry/docker_credentials.go +++ b/pkg/registry/docker_credentials.go @@ -32,6 +32,7 @@ type DockerConfig struct { type DockerConfigAuthenticator struct { scheme *runtime.Scheme KubeletAuthenticator Authenticator + Provider string } func (r DockerConfigAuthenticator) parseDockerConfig(reader io.ReadCloser) (DockerConfig, error) { @@ -96,6 +97,9 @@ func (r DockerConfigAuthenticator) Authenticate(ctx context.Context, cfg DockerC case candidates <- AuthenticationToken{ Kind: "Basic", Token: auth, + Ref: AuthenticationSourceRef{ + Provider: r.Provider, + }, }: case <-ctx.Done(): return diff --git a/pkg/registry/docker_credentials_test.go b/pkg/registry/docker_credentials_test.go index 90348ca..fc2c9d6 100644 --- a/pkg/registry/docker_credentials_test.go +++ b/pkg/registry/docker_credentials_test.go @@ -14,7 +14,7 @@ func TestDockerAuthenticatorWithimagePullSecret(t *testing.T) { image := "myimage" tag := "latest" - authenticator := ImagePullSecretAuthenticator{} // Create an instance of the RegistryAuthenticator + authenticator := ImagePullSecretAuthenticator{DockerConfigAuthenticator{Provider: "ImagePullSecret"}} // Create an instance of the RegistryAuthenticator candidates := make(chan AuthenticationToken) go authenticator.Authenticate(context.Background(), imagePullSecret, registry, image, tag, candidates) @@ -24,6 +24,9 @@ func TestDockerAuthenticatorWithimagePullSecret(t *testing.T) { expectedToken := AuthenticationToken{ Kind: "Basic", Token: "YXV0aDp1c2VyOnBhc3M=", + Ref: AuthenticationSourceRef{ + Provider: "ImagePullSecret", + }, } assert.Equal(t, expectedToken, receivedToken) @@ -39,7 +42,7 @@ func TestDockerConfigFileWithimagePullSecret(t *testing.T) { fs := afero.NewMemMapFs() afero.WriteFile(fs, "/var/lib/kubelet/config.json", []byte(imagePullSecret), 0644) - authenticator := DockerConfigFileAuthenticator{fs: fs} // Create an instance of the RegistryAuthenticator + authenticator := DockerConfigFileAuthenticator{fs: fs, DockerConfigAuthenticator: DockerConfigAuthenticator{Provider: "docker-config"}} // Create an instance of the RegistryAuthenticator candidates := make(chan AuthenticationToken) go authenticator.Authenticate(context.Background(), imagePullSecret, registry, image, tag, candidates) @@ -49,6 +52,9 @@ func TestDockerConfigFileWithimagePullSecret(t *testing.T) { expectedToken := AuthenticationToken{ Kind: "Basic", Token: "YXV0aDp1c2VyOnBhc3M=", + Ref: AuthenticationSourceRef{ + Provider: "docker-config", + }, } assert.Equal(t, expectedToken, receivedToken) diff --git a/pkg/registry/kubelet_credentials.go b/pkg/registry/kubelet_credentials.go index 1377a0e..9111489 100644 --- a/pkg/registry/kubelet_credentials.go +++ b/pkg/registry/kubelet_credentials.go @@ -262,6 +262,9 @@ func (r KubeletAuthenticator) tryIndividualKubeletProvider(ctx context.Context, candidates <- AuthenticationToken{ Kind: "Basic", Token: base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", value.Username, value.Password))), + Ref: AuthenticationSourceRef{ + Provider: "kubelet", + }, } } else { log.DefaultLogger.WithContext(ctx).Info("image does not match kubelet credentials provider response, skipping it") diff --git a/pkg/registry/login.go b/pkg/registry/login.go index 96bba82..728c3d6 100644 --- a/pkg/registry/login.go +++ b/pkg/registry/login.go @@ -11,6 +11,11 @@ import ( type AuthenticationToken struct { Kind string Token string + Ref AuthenticationSourceRef +} + +type AuthenticationSourceRef struct { + Provider string } type Authenticator interface { @@ -37,7 +42,7 @@ func NewAuthenticator(kubeletConfigFile, kubeletBinDir string, privateRegistryPa fs := afero.NewOsFs() a := Authenticators{ - ImagePullSecretAuthenticator{}, + ImagePullSecretAuthenticator{DockerConfigAuthenticator: DockerConfigAuthenticator{Provider: "ImagePullSecret"}}, } if kubeletConfigFile != "" && kubeletBinDir != "" { a = append(a, KubeletAuthenticator{fs: fs, scheme: newScheme(), BinDir: kubeletBinDir, Config: kubeletConfigFile}) @@ -46,7 +51,7 @@ func NewAuthenticator(kubeletConfigFile, kubeletBinDir string, privateRegistryPa } a = append(a, ContainerDAuthenticator{fs: fs}, - DockerConfigFileAuthenticator{fs: fs}, + DockerConfigFileAuthenticator{fs: fs, DockerConfigAuthenticator: DockerConfigAuthenticator{Provider: "docker-config"}}, AnonymousAuthenticator{ PrivateRegistryPatterns: cleanRegistryPatterns(privateRegistryPaterns), }, diff --git a/pkg/registry/registry.go b/pkg/registry/registry.go index 793c712..e0f2fc8 100644 --- a/pkg/registry/registry.go +++ b/pkg/registry/registry.go @@ -471,7 +471,7 @@ func (r *PlainRegistry) listArchsWithAuth(ctx context.Context, client http.Clien } if resp.StatusCode != http.StatusOK { - return nil, fmt.Errorf("failed to get manifest list. Unexpected status code %d. Expecting %d", resp.StatusCode, http.StatusOK) + return nil, fmt.Errorf("failed to get manifest list for image %s in registry %s using the provider %s. Unexpected status code %d. Expecting %d", image, registry, auth.Ref.Provider, resp.StatusCode, http.StatusOK) } r.updateRemaingRateLimits(ctx, registry, resp)