Tekton jib-maven fails to push image to the internal docker registry

[cmoulliard]

Expected Behavior

Image built by jib maven plugin should be piushed to the internal docker registry -> docker-registry.default.svc:5000/test/sb-image

Actual Behavior

Error reported

[WARNING] Cannot verify server at https://docker-registry.default.svc:5000/v2/test/sb-
image/blobs/sha256:3a813abe0f1d7a01673bd2cd581a263ea4c3d1a4e1a994efe5bfa685eee2efba . 
Attempting again with no TLS verification.
--
  | [WARNING] Cannot verify server at https://docker-registry.default.svc:5000/v2/test/sb-image/blobs/sha256:305d73a95c8fece2b53a34e040df1c97eb6b7f7cc4e0a7933465f0b7325e3d72 . Attempting again with no TLS verification.
  | [WARNING] Failed to connect to https://docker-registry.default.svc:5000/v2/test/sb-image/blobs/sha256:3a813abe0f1d7a01673bd2cd581a263ea4c3d1a4e1a994efe5bfa685eee2efba  over HTTPS. Attempting again with HTTP.
  | [WARNING] Failed to connect to https://docker-registry.default.svc:5000/v2/test/sb-image/blobs/sha256:305d73a95c8fece2b53a34e040df1c97eb6b7f7cc4e0a7933465f0b7325e3d72  over HTTPS. Attempting again with HTTP.
  | [WARNING] Cannot verify server at https://docker-registry.default.svc:5000/v2/test/sb-image/blobs/sha256:00f17e0b37b0515380a4aece3cb72086c0356fc780ef4526f75476bea36a2c8b . Attempting again with no TLS verification.
  | [WARNING] Failed to connect to https://docker-registry.default.svc:5000/v2/test/sb-image/blobs/sha256:00f17e0b37b0515380a4aece3cb72086c0356fc780ef4526f75476bea36a2c8b  over HTTPS. Attempting again with HTTP.
  | [INFO]
  | [INFO] ------------------------------------------------------------------------
  | [INFO] BUILD FAILURE
  | [INFO] ------------------------------------------------------------------------
  | [INFO] Total time:  12.671 s
  | [INFO] Finished at: 2020-01-29T18:12:30Z
  | [INFO] ------------------------------------------------------------------------
  | [ERROR] Failed to execute goal com.google.cloud.tools:jib-maven-plugin:2.0.0:build (default-cli) on 
project rest-http: Build image failed, perhaps you should use a registry that supports HTTPS so 
credentials can be sent safely, or set the 'sendCredentialsOverHttp' system property to true: Required 
credentials for docker-registry.default.svc:5000/test/sb-image were not sent because the connection 
was over HTTP -> [Help 1]
  | [ERROR]

Steps to Reproduce the Problem

1. Git clone https://github.com/halkyonio/container-images
2. cd container-images/tekton/jib
3. Deploy the resources as described here: https://github.com/halkyonio/container-images/tree/master/sandbox/tekton/jib

Additional Info

Task definition

apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
  name: jib-maven
spec:
  inputs:
    params:
      - name: DIRECTORY
        description: The directory containing the app, relative to the source repository root
        default: .
      - name: CACHE
        description: The name of the volume for caching Maven artifacts and base image layers
        default: m2-sb
    resources:
      - name: source
        type: git
  outputs:
    resources:
      - name: image
        type: image

  steps:
    - name: build-and-push
      image: gcr.io/cloud-builders/mvn
      command:
        - mvn
        - compile
        - com.google.cloud.tools:jib-maven-plugin:2.0.0:build
        - -Duser.home=/builder/home
        - -Djib.from.image=registry.redhat.io/redhat-openjdk-18/openjdk18-openshift
        - -Djib.allowInsecureRegistries=true
        - -Djib.from.auth.username=XXXXXX
        - -Djib.from.auth.password=YYYYYY
        - -Dimage=$(outputs.resources.image.url)
      env:
      - name: "DOCKER_CONFIG"
        value: "/builder/home/.docker/"
      workingDir: /workspace/source/$(inputs.params.DIRECTORY)
      volumeMounts:
        - name: $(inputs.params.CACHE)
          mountPath: /builder/home/.m2
          subPath: m2-cache
        - name: $(inputs.params.CACHE)
          mountPath: /builder/home/.cache
          subPath: jib-cache

  volumes:
  - name: m2-sb
    persistentVolumeClaim:
      claimName: m2-sb

[cmoulliard]

That will fail too if we pass this system property -DsendCredentialsOverHttp=true

[ERROR] Failed to execute goal com.google.cloud.tools:jib-maven-plugin:2.0.0:build (default-cli) on
project rest-http: Build image failed: Failed to authenticate with registry docker-
registry.default.svc:5000/test/sb-image because: server did not return 'WWW-Authenticate: Bearer' 
header: Basic realm=openshift,error="access denied" -> [Help 1]

[chmouel]

Since this a platform specific issue with the tool (jib) and not the task and you seem to have taken the issue there I am going to close this here...

/close

[tekton-robot]

@chmouel: Closing this issue.

In response to this:

Since this a platform specific issue with the tool (jib) and not the task and you seem to have taken the issue there I am going to close this here...

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[cmoulliard]

FYI and if your are interested about the issue which prevents to use for the moment JIB + Tekton with internal docker registry on ocp -> GoogleContainerTools/jib#2258 (comment)