Skip to content

Commit e754fc6

Browse files
kylos101kylos101
authored
[image-builder-mk3] log errors for auth (#18611)
* [image-builder-mk3] improve error logging for auth This will help us troubleshoot: * credential reload via watch * potential ECR authN issues * potential additionalAuth issues * Warn when empty
1 parent ba9541d commit e754fc6

File tree

1 file changed

+26
-4
lines changed
  • components/image-builder-mk3/pkg/auth

1 file changed

+26
-4
lines changed

components/image-builder-mk3/pkg/auth/auth.go

Lines changed: 26 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -46,6 +46,7 @@ func NewDockerConfigFileAuth(fn string) (*DockerConfigFileAuth, error) {
4646
res.loadFromFile(fn)
4747
})
4848
if err != nil {
49+
log.WithError(err).WithField("path", fn).Error("error watching file")
4950
return nil, err
5051
}
5152

@@ -64,6 +65,7 @@ func (a *DockerConfigFileAuth) loadFromFile(fn string) (err error) {
6465
defer func() {
6566
if err != nil {
6667
err = fmt.Errorf("error loading Docker config from %s: %w", fn, err)
68+
log.WithError(err).WithField("path", fn).Error("failed loading from file")
6769
}
6870
}()
6971

@@ -75,6 +77,7 @@ func (a *DockerConfigFileAuth) loadFromFile(fn string) (err error) {
7577
_, _ = hash.Write(cntnt)
7678
newHash := fmt.Sprintf("%x", hash.Sum(nil))
7779
if a.hash == newHash {
80+
log.Infof("nothing has changed: %s", fn)
7881
return nil
7982
}
8083

@@ -91,13 +94,15 @@ func (a *DockerConfigFileAuth) loadFromFile(fn string) (err error) {
9194
a.C = cfg
9295
a.hash = newHash
9396

97+
log.Infof("file has changed: %s", fn)
9498
return nil
9599
}
96100

97101
// Authenticate attempts to provide an encoded authentication string for Docker registry access
98102
func (a *DockerConfigFileAuth) Authenticate(ctx context.Context, registry string) (auth *Authentication, err error) {
99103
ac, err := a.C.GetAuthConfig(registry)
100104
if err != nil {
105+
log.WithError(err).WithField("registry", registry).Error("failed DockerConfigFileAuth Authenticate")
101106
return nil, err
102107
}
103108

@@ -119,10 +124,13 @@ func (ca CompositeAuth) Authenticate(ctx context.Context, registry string) (auth
119124
for _, ath := range ca {
120125
res, err := ath.Authenticate(ctx, registry)
121126
if err != nil {
127+
log.WithError(err).WithField("registry", registry).Errorf("failed CompositeAuth Authenticate")
122128
return nil, err
123129
}
124130
if !res.Empty() {
125131
return res, nil
132+
} else {
133+
log.WithField("registry", registry).Warn("response was empty for CompositeAuth authenticate")
126134
}
127135
}
128136
return &Authentication{}, nil
@@ -154,6 +162,13 @@ func (ath *ECRAuthenticator) Authenticate(ctx context.Context, registry string)
154162
return nil, nil
155163
}
156164

165+
defer func() {
166+
if err != nil {
167+
err = fmt.Errorf("error with ECR authenticate: %w", err)
168+
log.WithError(err).WithField("registry", registry).Error("failed ECR authenticate")
169+
}
170+
}()
171+
157172
ath.ecrAuthLock.Lock()
158173
defer ath.ecrAuthLock.Unlock()
159174
if time.Since(ath.ecrAuthLastRefreshTime) > ecrTokenRefreshTime {
@@ -162,7 +177,8 @@ func (ath *ECRAuthenticator) Authenticate(ctx context.Context, registry string)
162177
return nil, err
163178
}
164179
if len(tknout.AuthorizationData) == 0 {
165-
return nil, fmt.Errorf("no ECR authorization data received")
180+
err = fmt.Errorf("no ECR authorization data received")
181+
return nil, err
166182
}
167183

168184
pwd, err := base64.StdEncoding.DecodeString(aws.ToString(tknout.AuthorizationData[0].AuthorizationToken))
@@ -172,12 +188,15 @@ func (ath *ECRAuthenticator) Authenticate(ctx context.Context, registry string)
172188

173189
ath.ecrAuth = string(pwd)
174190
ath.ecrAuthLastRefreshTime = time.Now()
175-
log.Debug("refreshed ECR token")
191+
log.Info("refreshed ECR token")
192+
} else {
193+
log.Info("no ECR token refresh necessary")
176194
}
177195

178196
segs := strings.Split(ath.ecrAuth, ":")
179197
if len(segs) != 2 {
180-
return nil, fmt.Errorf("cannot understand ECR token. Expected 2 segments, got %d", len(segs))
198+
err = fmt.Errorf("cannot understand ECR token. Expected 2 segments, got %d", len(segs))
199+
return nil, err
181200
}
182201
return &Authentication{
183202
Username: segs[0],
@@ -299,6 +318,7 @@ func (a AllowedAuthFor) GetAuthFor(ctx context.Context, auth RegistryAuthenticat
299318

300319
ref, err := reference.ParseNormalizedNamed(refstr)
301320
if err != nil {
321+
log.WithError(err).Errorf("failed parsing normalized name")
302322
return nil, xerrors.Errorf("cannot parse image ref: %v", err)
303323
}
304324
reg := reference.Domain(ref)
@@ -359,6 +379,8 @@ func (a AllowedAuthFor) additionalAuth(domain string) *Authentication {
359379
res.Username = segs[0]
360380
res.Password = strings.Join(segs[1:], ":")
361381
}
382+
} else {
383+
log.Errorf("failed getting additional auth")
362384
}
363385
return res
364386
}
@@ -386,7 +408,7 @@ func (a AllowedAuthFor) GetImageBuildAuthFor(ctx context.Context, auth RegistryA
386408
for _, reg := range additionalRegistries {
387409
ath, err := auth.Authenticate(ctx, reg)
388410
if err != nil {
389-
log.WithError(err).WithField("registry", reg).Warn("cannot get authentication for additioanl registry for image build")
411+
log.WithError(err).WithField("registry", reg).Warn("cannot get authentication for additional registry for image build")
390412
continue
391413
}
392414
if ath.Empty() {

0 commit comments

Comments
 (0)