Unable to use private registry in drone cli exec or in kubernetes

I’ve poured over the documentation and I can’t figure out what I have incorrect. I’m getting an unauthorized error from the CLI, but I can’t figure out if there is any debug option to enable that would show me more details or logs to help me troubleshoot, so I’m shooting blind.

kind: pipeline
name: default

  os: linux
  arch: amd64

- name: validate
  image: myprivateregistry.azurecr.io/build-images/kubeclient:1.3-alpine
  - kubeval --version

- dockerconfigjson

secrets.txt contents:

dockerconfigjson={"auths": {"myprivateregistry.azurecr.io": {"auth": "$( echo "<username>:<password>" | base64 )"}}}`

The username and password work to login using
docker login -u <username> -p <password> "myprivateregistry.azurecr.io"

Attempting to run drone exec, it will fail:

$ drone exec --secret-file secrets.txt 

2019/11/04 20:41:39 Error response from daemon: Get https://myprivateregistry.azurecr.io/v2/build-images/kubeclient/manifests/1.3-alpine:
unauthorized: authentication required

drone CLI 1.2.0

I’ve been pouring over all of the documents and old support threads I can find to figure out what I’ve missed, but I am at a complete loss. Mostly it would be helpful to figure out how to turn debugging or log level up a bit to give me some hint.


I would be happy to help provide a solution for pulling the image locally, as well as an alternate approach you can use.

Using the --registry flag

the first approach is to use the --registry flag which accepts the registry URL with the username and password inline in the URL.

drone exec --registry=https://<username>:<password>@docker.io

Alternative Option

an alternative approach is to pull the image prior to running drone exec. The local Docker cache is used when running your pipeline. The caveat is when your image uses the :latest tag we always check the remote registry for updates, which in this case requires authentication. We can alter this behavior and instruct Drone to only pull the image if it does not exist in the local cache, eliminating the need for registry credential configuration.

  - name: build
    image: private/registry
+   pull: if-not-exists

What about image_pull_secrets?

This is not currently implemented in the drone exec command. We made certain assumptions when we created the CLI, one of which being that private images would be pulled manually or would already exist in the local cache. As a result we left some features out of the CLI. You are not the first to hit this issue, so obviously this is something we need to revisit. Sorry for the confusion.

As an aside, I noticed your dockerconfig secret included bash syntax (below). Please note this is a string literal, so the bash command is not going to be evaluated. You will need to hard-code that base64 string.

$( echo "<username>:<password>" | base64 )
1 Like

Hi Ashwilliams,

That was really helpful thank you. Alternative option worked, although I didn’t need to specify the pull: if-not-exists flag, it worked immediately once I had the image pulled into the docker cache.

Side note: I don’t actually use bash syntax in my code for the docker secret, I was just creating pseudo code demonstrating its format.

I did find that pulling the image prior to running drone exec worked, so that was really helpful, and it’s good to know that we could use the --registry flag if we need to create some kind of automation.

As an aside, is there a way to enable more verbose or debug logging when running drone commands?

is there a way to enable more verbose or debug logging when running drone commands?

not at the moment, but I expect this to improve in the coming months.

the project is in a bit of a transition because the docker runner (agent) is using a new engine, and the drone exec command is using the old engine. The new engine has more verbose debug and trace logging. There is still room for improvement, but the foundation is much better.

1 Like