Pull image from internal registry by GitLab runner pod

[JiriHusak-lab]

Hi,

I've CRC v4.10.3.
I've installed GitLab Runner operator (gitlab-runner-operator.v1.9.0). I've GitLab Runner v15.0.0. It is successfully registered to my GitLab.

Issue is that GitLab runner is not able to pull image from internal Openshift registry.
I've googled a lot, I tried a lot but I can't fix it.
Any hint please?

Image definition in GitLab .gitlab-ci.yml:
image: default-route-openshift-image-registry.apps-crc.testing/gitlab-runner/kubectl-tekton:latest

I've created image using podman build and I've pushed it into Openshift internal registry.

Image is in OpenShift internal registry:

	oc get images | grep kubectl
	sha256:2f2a865afb4c23730898849f535076169036f09229d1bf19150b62934498c357   image-registry.openshift-image-registry.svc:5000/demo-rds/kubectl-tekton@sha256:2f2a865afb4c23730898849f535076169036f09229d1bf19150b62934498c357

I can pull it as well using podman:

	podman pull default-route-openshift-image-registry.apps-crc.testing/gitlab-runner/kubectl-tekton:latest
	Trying to pull default-route-openshift-image-registry.apps-crc.testing/gitlab-runner/kubectl-tekton:latest...
	Getting image source signatures
	Copying blob f1d14c70018c skipped: already exists
	Copying blob 1ca7756d9368 skipped: already exists
	Copying blob ace6b2c6ef32 skipped: already exists
	Copying blob 8f36ed9610ff skipped: already exists
	Copying blob 7b9f834c474d skipped: already exists
	Copying blob 18ceb0a9cd0f skipped: already exists
	Copying blob b10f19f7dc92 skipped: already exists
	Copying config 407841e32a done
	Writing manifest to image destination
	Storing signatures
	407841e32a0eecaf6adfbd7888e6982ad8e9ae24db7fed9c7a566254a772bb74

But regardless all I tried I can't use it in gitlab runner:
Gitlab runner POD is initiated but it failed on pulling this image:
PodPrunner-usyutfvq-project-38-concurrent-05h8cwNamespaceNSgitlab-runner
Just now
Generated from kubelet on crc-jw57j-master-0 Failed to pull image "default-route-openshift-image-registry.apps-crc.testing/gitlab-runner/kubectl-tekton:latest": rpc error: code = Unknown desc = reading manifest latest in default-route-openshift-image-registry.apps-crc.testing/gitlab-runner/kubectl-tekton: unauthorized: authentication required
I tried to set proper rights for service account gitlab-runner-sa according what I've googled but nothing helped.

Thanks and Regards,
Jifri

[cfergeau]

Does your gitlab runner have access to this registry? I found https://docs.gitlab.com/ee/ci/docker/using_docker_images.html#access-an-image-from-a-private-container-registry but maybe there are openshift-specific or gitlab-operator-specific ways which can be used as well.

[praveenkumar]

Generated from kubelet on crc-jw57j-master-0 Failed to pull image "default-route-openshift-image-registry.apps-crc.testing/gitlab-runner/kubectl-tekton:latest": rpc error: code = Unknown desc = reading manifest latest in default-route-openshift-image-registry.apps-crc.testing/gitlab-runner/kubectl-tekton: unauthorized: authentication required

^^ This means your runner pod need to have default-route-openshift-image-registry.apps-crc.testing registry access which might be using a docker/container registry pull secret which have details around how to auth the registry. Can you create issue on this operator tracker to ask around how to pull an image from private repo?

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[rossbrigoli]

Hello,

I have the same issue. The GitLab runner is unable to pull images from the internal registry. The same error. The service account used by the runner has the Cluster Admin role.

Ho do you create a DOCKER_AUTH_CONFIG using a pull secret instead of username:password?

[praveenkumar]

@rossbrigoli As per https://docs.gitlab.com/ee/ci/docker/using_docker_images.html#access-an-image-from-a-private-container-registry doc you all you need to set that DOCKER_AUTH_CONFIG and for that you can try something following to have the content.

$ oc whoami
kubeadmin
$ oc registry login --insecure=true -a my_registry.json