Skip to content

Commit 8c5ee96

Browse files
kylos101kylos101
committed
[image-builder-mk3] improve error logging for auth
This will help us troubleshoot: * credential reload via watch * potential ECR authN issues * potential additionalAuth issues
1 parent 5791909 commit 8c5ee96

File tree

1 file changed

+24
-4
lines changed
  • components/image-builder-mk3/pkg/auth

1 file changed

+24
-4
lines changed

components/image-builder-mk3/pkg/auth/auth.go

Lines changed: 24 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -46,6 +46,7 @@ func NewDockerConfigFileAuth(fn string) (*DockerConfigFileAuth, error) {
4646
res.loadFromFile(fn)
4747
})
4848
if err != nil {
49+
log.WithError(err).WithField("path", fn).Error("error watching file")
4950
return nil, err
5051
}
5152

@@ -64,6 +65,7 @@ func (a *DockerConfigFileAuth) loadFromFile(fn string) (err error) {
6465
defer func() {
6566
if err != nil {
6667
err = fmt.Errorf("error loading Docker config from %s: %w", fn, err)
68+
log.WithError(err).WithField("path", fn).Error("failed loading from file")
6769
}
6870
}()
6971

@@ -75,6 +77,7 @@ func (a *DockerConfigFileAuth) loadFromFile(fn string) (err error) {
7577
_, _ = hash.Write(cntnt)
7678
newHash := fmt.Sprintf("%x", hash.Sum(nil))
7779
if a.hash == newHash {
80+
log.Infof("nothing has changed: %s", fn)
7881
return nil
7982
}
8083

@@ -91,13 +94,15 @@ func (a *DockerConfigFileAuth) loadFromFile(fn string) (err error) {
9194
a.C = cfg
9295
a.hash = newHash
9396

97+
log.Infof("file has changed: %s", fn)
9498
return nil
9599
}
96100

97101
// Authenticate attempts to provide an encoded authentication string for Docker registry access
98102
func (a *DockerConfigFileAuth) Authenticate(ctx context.Context, registry string) (auth *Authentication, err error) {
99103
ac, err := a.C.GetAuthConfig(registry)
100104
if err != nil {
105+
log.WithError(err).WithField("registry", registry).Error("failed DockerConfigFileAuth Authenticate")
101106
return nil, err
102107
}
103108

@@ -119,6 +124,7 @@ func (ca CompositeAuth) Authenticate(ctx context.Context, registry string) (auth
119124
for _, ath := range ca {
120125
res, err := ath.Authenticate(ctx, registry)
121126
if err != nil {
127+
log.WithError(err).WithField("registry", registry).Errorf("failed CompositeAuth Authenticate")
122128
return nil, err
123129
}
124130
if !res.Empty() {
@@ -154,6 +160,13 @@ func (ath *ECRAuthenticator) Authenticate(ctx context.Context, registry string)
154160
return nil, nil
155161
}
156162

163+
defer func() {
164+
if err != nil {
165+
err = fmt.Errorf("error with ECR authenticate: %w", err)
166+
log.WithError(err).WithField("registry", registry).Error("failed ECR authenticate")
167+
}
168+
}()
169+
157170
ath.ecrAuthLock.Lock()
158171
defer ath.ecrAuthLock.Unlock()
159172
if time.Since(ath.ecrAuthLastRefreshTime) > ecrTokenRefreshTime {
@@ -162,7 +175,8 @@ func (ath *ECRAuthenticator) Authenticate(ctx context.Context, registry string)
162175
return nil, err
163176
}
164177
if len(tknout.AuthorizationData) == 0 {
165-
return nil, fmt.Errorf("no ECR authorization data received")
178+
err = fmt.Errorf("no ECR authorization data received")
179+
return nil, err
166180
}
167181

168182
pwd, err := base64.StdEncoding.DecodeString(aws.ToString(tknout.AuthorizationData[0].AuthorizationToken))
@@ -172,12 +186,15 @@ func (ath *ECRAuthenticator) Authenticate(ctx context.Context, registry string)
172186

173187
ath.ecrAuth = string(pwd)
174188
ath.ecrAuthLastRefreshTime = time.Now()
175-
log.Debug("refreshed ECR token")
189+
log.Info("refreshed ECR token")
190+
} else {
191+
log.Info("no ECR token refresh necessary")
176192
}
177193

178194
segs := strings.Split(ath.ecrAuth, ":")
179195
if len(segs) != 2 {
180-
return nil, fmt.Errorf("cannot understand ECR token. Expected 2 segments, got %d", len(segs))
196+
err = fmt.Errorf("cannot understand ECR token. Expected 2 segments, got %d", len(segs))
197+
return nil, err
181198
}
182199
return &Authentication{
183200
Username: segs[0],
@@ -299,6 +316,7 @@ func (a AllowedAuthFor) GetAuthFor(ctx context.Context, auth RegistryAuthenticat
299316

300317
ref, err := reference.ParseNormalizedNamed(refstr)
301318
if err != nil {
319+
log.WithError(err).Errorf("failed parsing normalized name")
302320
return nil, xerrors.Errorf("cannot parse image ref: %v", err)
303321
}
304322
reg := reference.Domain(ref)
@@ -359,6 +377,8 @@ func (a AllowedAuthFor) additionalAuth(domain string) *Authentication {
359377
res.Username = segs[0]
360378
res.Password = strings.Join(segs[1:], ":")
361379
}
380+
} else {
381+
log.Errorf("failed getting additional auth")
362382
}
363383
return res
364384
}
@@ -386,7 +406,7 @@ func (a AllowedAuthFor) GetImageBuildAuthFor(ctx context.Context, auth RegistryA
386406
for _, reg := range additionalRegistries {
387407
ath, err := auth.Authenticate(ctx, reg)
388408
if err != nil {
389-
log.WithError(err).WithField("registry", reg).Warn("cannot get authentication for additioanl registry for image build")
409+
log.WithError(err).WithField("registry", reg).Warn("cannot get authentication for additional registry for image build")
390410
continue
391411
}
392412
if ath.Empty() {

0 commit comments

Comments
 (0)