
Externalsecrets not able to pull from ACR using ACRAccessToken kind #3178

@rajagopalan-trimble

Description

Describe the bug
I created a Docker image pull secret using an ACRAccessToken object of generators.external-secrets.io/v1alpha1. Later, I created an ExternalSecret of docker-registry type that fetches the token from the ACRAccessToken and pulls the image from Azure Container Registry, but the image is not pulled and I get the error message below:

Failed to pull image "testkubeleteidentityacr.azurecr.io/ubuntu:2004": failed to pull and unpack image "testkubeleteidentityacr.azurecr.io/ubuntu:2004": failed to resolve reference "testkubeleteidentityacr.azurecr.io/ubuntu:2004": failed to authorize: failed to fetch anonymous token: unexpected status from GET request to https://testkubeleteidentityacr.azurecr.io/oauth2/token?scope=repository%3Aubuntu%3Apull&service=testkubeleteidentityacr.azurecr.io: 401 Unauthorized Warning Failed 42s (x4 over 2m10s) kubelet Error: ErrImagePull

To Reproduce
Steps to reproduce the behavior:
Manifests:
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    azure.workload.identity/client-id: "*****"
    azure.workload.identity/tenant-id: "*******"
  name: "azidentity"
  namespace: "az-arc"
---
apiVersion: generators.external-secrets.io/v1alpha1
kind: ACRAccessToken
metadata:
  name: my-azurecr
  namespace: az-arc
spec:
  tenantId: ********
  registry: testkubeleteidentityacr.azurecr.io
  scope: "repository:devopsagent/terraform:pull"
  environmentType: "PublicCloud"
  auth:
    workloadIdentity:
      serviceAccountRef:
        name: "azidentity"
        audiences: ["https://management.core.windows.net/"]
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: azurecr-credentials
  namespace: az-arc
spec:
  dataFrom:
  - sourceRef:
      generatorRef:
        apiVersion: generators.external-secrets.io/v1alpha1
        kind: ACRAccessToken
        name: my-azurecr
  refreshInterval: 12h
  target:
    name: azurecr-credentials
    template:
      type: kubernetes.io/dockerconfigjson
      data:
        .dockerconfigjson: |
          {
            "auths": {
              "testkubeleteidentityacr.azurecr.io": {
                "username": "{{ .username }}",
                "identitytoken": "{{ .password }}"
              }
            }
          }
---
apiVersion: v1
kind: Pod
metadata:
  name: curl-pod
spec:
  serviceAccountName: azidentity
  volumes:
  - name: token
    projected:
      sources:
      - serviceAccountToken:
          path: token
          expirationSeconds: 3600
          audience: api://AzureADTokenExchange
  imagePullSecrets:
  - name: azurecr-credentials
  containers:
  - name: curl-container
    image: testkubeleteidentityacr.azurecr.io/ubuntu:2004
    command: ["sleep", "infinity"]
    volumeMounts:
    - mountPath: /home/ubuntu/secrets/tokens
      name: token
```
Kubernetes and ESO version:
Kubernetes version 1.28

Expected behavior
Expected to pull the image, but getting the error below.

Events:
```
Type Reason Age From Message
Normal Scheduled 2m11s default-scheduler Successfully assigned az-arc/curl-pod to ip-10-23-4-165.ec2.internal
Normal Pulling 42s (x4 over 2m10s) kubelet Pulling image "testkubeleteidentityacr.azurecr.io/ubuntu:2004"
Warning Failed 42s (x4 over 2m10s) kubelet Failed to pull image "testkubeleteidentityacr.azurecr.io/ubuntu:2004": failed to pull and unpack image "testkubeleteidentityacr.azurecr.io/ubuntu:2004": failed to resolve reference "testkubeleteidentityacr.azurecr.io/ubuntu:2004": failed to authorize: failed to fetch anonymous token: unexpected status from GET request to https://testkubeleteidentityacr.azurecr.io/oauth2/token?scope=repository%3Aubuntu%3Apull&service=testkubeleteidentityacr.azurecr.io: 401 Unauthorized
Warning Failed 42s (x4 over 2m10s) kubelet Error: ErrImagePull
Warning Failed 30s (x6 over 2m10s) kubelet Error: ImagePullBackOff
Normal BackOff 17s (x7 over 2m10s) kubelet Back-off pulling image "testkubeleteidentityacr.azurecr.io/ubuntu:2004"
```
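Two things a practitioner would verify before applying manifests like the ones in this report: the kubelet picks image-pull credentials by matching the image's registry host against the keys under `auths` in `.dockerconfigjson`, and a registry token scope of the form `repository:<name>:<actions>` only authorizes the named repository. The script below is an added diagnostic and is not part of the original report or of the external-secrets project. It renders the same `auths` structure the ExternalSecret template above produces from the generator's `.username` / `.password` fields (sample values here are constructed placeholders), parses an image reference and an ACR scope string, and reports any mismatch between them; the function names `render_dockerconfigjson`, `split_image_ref`, `parse_acr_scope` and `diagnose` are this example's own.

```python
import base64
import json

# Constructed sample of what the ACRAccessToken generator hands to the
# ExternalSecret template (.username / .password). Values are placeholders,
# not real credentials.
GENERATOR_OUTPUT = {
    "username": "00000000-0000-0000-0000-000000000000",
    "password": "PLACEHOLDER-ACR-REFRESH-TOKEN",
}


def render_dockerconfigjson(registry: str, username: str, password: str) -> dict:
    """Build the structure the ExternalSecret template renders, keyed by
    registry host, which is how the kubelet looks credentials up."""
    return {"auths": {registry: {"username": username, "identitytoken": password}}}


def encode_secret_data(config: dict) -> str:
    """A Secret stores .dockerconfigjson base64-encoded; mirror that here."""
    return base64.b64encode(json.dumps(config).encode()).decode()


def decode_secret_data(b64: str) -> dict:
    """Inverse of encode_secret_data, for inspecting a stored secret."""
    return json.loads(base64.b64decode(b64))


def split_image_ref(image: str) -> tuple[str, str]:
    """Return (registry_host, repository_path) for an image reference.
    The tag or digest is dropped; refs with no host part default to Docker Hub."""
    first, _, rest = image.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        host, path = first, rest
    else:
        host, path = "docker.io", image
    path = path.split("@", 1)[0]          # strip @sha256:... digest
    last_slash = path.rfind("/")
    colon = path.rfind(":")
    if colon > last_slash:                 # a ':' after the last '/' starts the tag
        path = path[:colon]
    return host, path


def parse_acr_scope(scope: str) -> tuple[str, set[str]]:
    """Parse a registry token scope 'repository:<name>:<action>[,<action>...]'."""
    kind, name, actions = scope.split(":", 2)
    if kind != "repository":
        raise ValueError(f"unsupported scope type {kind!r}")
    return name, set(actions.split(","))


def diagnose(image: str, registry: str, scope: str, config: dict) -> list[str]:
    """Return findings for an image / generator registry / scope / pull-secret
    combination. An empty list means every check passed."""
    findings = []
    host, repo = split_image_ref(image)
    if host not in config["auths"]:
        findings.append(f"no auths entry for {host}; the kubelet would fall back to an anonymous pull")
    if host != registry:
        findings.append(f"image host {host} differs from the generator's registry {registry}")
    scope_repo, actions = parse_acr_scope(scope)
    if scope_repo != repo:
        findings.append(f"token scope covers repository {scope_repo!r}, image repository is {repo!r}")
    if "pull" not in actions:
        findings.append(f"token scope lacks the 'pull' action (has {sorted(actions)})")
    return findings


if __name__ == "__main__":
    # Values taken from the manifests in the report above.
    cfg = render_dockerconfigjson("testkubeleteidentityacr.azurecr.io", **GENERATOR_OUTPUT)
    print("secret payload:", encode_secret_data(cfg)[:40], "...")
    for finding in diagnose("testkubeleteidentityacr.azurecr.io/ubuntu:2004",
                            "testkubeleteidentityacr.azurecr.io",
                            "repository:devopsagent/terraform:pull", cfg):
        print("-", finding)
```

Run against the report's own values, the host check passes (the `auths` key and the image host are the same) and the script reports only that the scope string names a different repository than the image being pulled; whether that is what produced the 401 in this case is for the maintainers to confirm, but it is the first discrepancy to rule out.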

Labels: Stale (this issue/pull request is stale and will be automatically closed), kind/bug (categorizes issue or PR as related to a bug)