0

I are trying to run some Kubernetes pods in my Windows machine by using Docker-Desktop. I am trying to install them using HELM. I have created my Docker images and have pushed them into AWS ECR private repository.

When I try to run the HELM install command to spin up the container, they get created. However, when they try to pull the images from AWS ECR, it's throwing an error and the container are getting an 'ImagePullBackOff' error.

The error when describing a failed pod:

Failed to pull image "012345678900.dkr.ecr.ap-south-1.amazonaws.com/arjun-poc1/centos-test1:latest": rpc error: code = Unknown desc = Error response from daemon: Head "https://012345678900.dkr.ecr.ap-south-1.amazonaws.com/v2/arjun-poc1/centos-test1/manifests/latest": no basic auth credentials

I have done the 'aws configure' step and have run the 'aws ecr get-login-password' command. I am able to manually run 'docker pull' and get the image locally. However, it's not getting pulled automatically during container start up.

I have also tried to setup an 'imagePullSecret' by running the following command: kubectl create secret docker-registry aws-secret --docker-server=https://AWS@012345678900.dkr.ecr.ap-south-1.amazonaws.com --docker-username=AWS --docker-password=$(aws ecr get-login-password). Tried to include it within the values.yaml too.

charts\centos-test1\templates\deployment.yaml

spec:
  imagePullSecrets: {{- toYaml .Values.global.imagePullSecrets | nindent 12 }}

values.yaml

global:
  hub: 012345678900.dkr.ecr.ap-south-1.amazonaws.com/arjun-poc1
  imagePullSecrets:
  - name: aws-secret


  images:
    centos-test1:
        name: centos-test1
        tag: latest
        pullPolicy: Always

Still it's not working. I am getting the 'ImagePullBackOff' error every time. Does anyone know how to fix this issue?

arjunbnair
  • 25
  • 1
  • 2
  • 8
  • It looks like from the tiny snippet you posted that `global.imagePullSecrets:` is a **string** whereas [in the `PodSpec` it's a **list** of objects](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#podspec-v1-core), as clearly shown in [the fine manual](https://kubernetes.io/docs/concepts/containers/images/#referring-to-an-imagepullsecrets-on-a-pod). I have no idea how your PodSpec would even pass validation but here you are – mdaniel May 01 '22 at 23:13
  • Sorry. I had made one change to that snippet and now it's updated in my question. This is how my code look now. – arjunbnair May 02 '22 at 06:50
  • Still I am facing the same issue. – arjunbnair May 02 '22 at 06:51
  • It sure is suspicious that you have `--docker-username` **and** an inline username in `https://AWS@`, since [the AWS docs don't do that](https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html#get-login-password) – mdaniel May 02 '22 at 15:25
  • What about: `kubectl create secret docker-registry aws-secret --docker-server=https://AWS@012345678900.dkr.ecr.ap-south-1.amazonaws.com --username=AWS --password=$(aws ecr get-login-password --region ap-south-1)` ?? – arjunbnair May 02 '22 at 19:02
  • However, I am getting this error: **error: either --from-file or the combination of --docker-username, --docker-password and --docker-server is required** – arjunbnair May 02 '22 at 19:05
  • I don't know how to be more clear; omit the `https://AWS@` from your `--docker-server` parameter since `--docker-username` is the place where usernames go, not inline in the https URL – mdaniel May 02 '22 at 19:43

0 Answers0