I'm trying to install a crossplane package from a private registry in registry.gitlab.com but it doesn't seem to work if I set the packagePullSecret and add a username and password in there.
It gives me the following error:
cannot unpack package: failed to fetch package digest from remote: failed to fetch package descriptor with a GET request after a previous HEAD request failure: GET https://gitlab.com/jwt/auth?scope=repository%3Acrossplane%3Apull&service=container_registry: DENIED: access forbidden: GET https://gitlab.com/jwt/auth?scope=repository%3Acrossplane%3Apull&service=container_registry: DENIED: access forbidden
Do I maybe need to add another type of credentials? Like docker login would normally do, since crossplane xpkg login won't work on registry.gitlab.com anyway, even when setting the --domain parameter.
---
apiVersion: pkg.crossplane.io/v1
kind: Configuration
metadata:
  name: some-package
spec:
  package: registry.gitlab.com/some_group/some_repo:some_version
  packagePullSecrets:
    - name: registry-gitlab-com-repo-auth
Secret looks like this:
---
apiVersion: v1
kind: Secret
metadata:
  name: registry-gitlab-com-repo-auth
  namespace: crossplane-system
type: Opaque
data:
  username: <base64-encoded-username> # username for gitlab deploy token
  password: <base64-encoded-password> # password for gitlab deploy token (token has registry_read access)
Turns out you need a docker config json secret to make it work.
Which can be created like so:
kubectl create secret generic registry-gitlab-com-repo-auth \
  --namespace crossplane-system \
  --from-file=.dockerconfigjson=config.json \
  --type=kubernetes.io/dockerconfigjson
The config.json file (referred to in the above statement) should look like this:
{
  "auths": {
    "registry.gitlab.com": {
      "auth": "<base64_encoded_username_password_combination_like_in_basic_auth>"
    }
  }
}
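To create the base64 encoded auth string on the command line you could use:
USER=foo
PASS=bar
# Quote the value so special characters in the token are not split or expanded by the shell
printf '%s' "$USER:$PASS" | base64 # should output the base64 encoded string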
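
Added example, not part of the original question or answer and not Crossplane or GitLab code: the Python below builds the dockerconfigjson Secret described in the answer as a JSON manifest, and checks an existing Secret against that shape, which flags the Opaque username/password form from the question. The function names are hypothetical, and `foo`/`bar` are constructed stand-ins for the deploy token pair.

```python
import base64
import json

DOCKERCFG_TYPE = "kubernetes.io/dockerconfigjson"


def docker_config(registry, username, token):
    """Build the config.json structure shown in the answer."""
    auth = base64.b64encode(f"{username}:{token}".encode()).decode()
    return {"auths": {registry: {"auth": auth}}}


def pull_secret_manifest(name, namespace, registry, username, token):
    """Secret manifest (as JSON-compatible dict) holding that config."""
    payload = json.dumps(docker_config(registry, username, token)).encode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": DOCKERCFG_TYPE,
        "data": {".dockerconfigjson": base64.b64encode(payload).decode()},
    }


def lint_pull_secret(manifest, registry):
    """Return the ways a Secret differs from the shape the answer describes."""
    problems = []
    if manifest.get("type") != DOCKERCFG_TYPE:
        problems.append(f"type is {manifest.get('type')!r}, expected {DOCKERCFG_TYPE!r}")
    raw = manifest.get("data", {}).get(".dockerconfigjson")
    if raw is None:
        return problems + ["data has no '.dockerconfigjson' key"]
    try:
        auth = json.loads(base64.b64decode(raw))["auths"][registry]["auth"]
        user, sep, secret = base64.b64decode(auth).decode().partition(":")
        if not (user and sep and secret):
            problems.append("auth does not decode to 'username:password'")
    except (ValueError, KeyError, TypeError) as exc:
        problems.append(f"no usable auth entry for {registry}: {exc!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample values; only lint results are printed, never the token.
    good = pull_secret_manifest("registry-gitlab-com-repo-auth",
                                "crossplane-system", "registry.gitlab.com", "foo", "bar")
    opaque = {"type": "Opaque", "data": {"username": "Zm9v", "password": "YmFy"}}
    print(lint_pull_secret(good, "registry.gitlab.com"))
    print(lint_pull_secret(opaque, "registry.gitlab.com"))
```

Dumping the returned dict with `json.dumps` gives a manifest that `kubectl apply -f -` accepts on stdin, so the token never has to be written to a config.json file on disk.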