Project Quay / PROJQUAY-3480

Mirror configuration throws a 500 when Google Artifact Registry backed by a service key is used as upstream registry


    • Bug
    • Resolution: Unresolved
    • Normal
    • quay-v3.6.4
    • -area/repomirror, quay
    • Quay Enterprise

      The Google Artifact Registry uses a service key to connect to the registry. This key has the following form:

      {
        "type": "service_account",
        "project_id": "zippy-sublime-257718",
        "private_key_id": "11b0...",
        "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBg...W17oy4Qgj7OLNB\n-----END PRIVATE KEY-----\n", notsecret
        "client_email": "docker@...",
        "client_id": "117485...",
        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
        "token_uri": "https://oauth2.googleapis.com/token",
        "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
        "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/docker%40..."
      }
      

      When encoded with base64, this key is 3104 characters long. The mirror config table, on the other hand, supports tokens and usernames of up to 2048 characters in length. When a longer key is tried, Quay errors out with a 500.

      Please check, thanks!

      More info: https://cloud.google.com/artifact-registry/docs/docker/authentication#json-key

              Unassigned Unassigned
              rhn-support-ibazulic Ivan Bazulic
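
A length check of the kind the report points to, as an added example that is not Quay's code and not part of the original issue: it base64-encodes a constructed service account key and rejects it with a clear validation error when it exceeds the 2048-character limit quoted above, so a caller can answer with a 4xx instead of an unhandled 500. All function names and the sample key are hypothetical, and the filler length is an assumption sized like a PEM body for a 2048-bit RSA key.

```python
import base64
import json

# Limit quoted in the report; no Quay column or model names are assumed here.
MAX_CREDENTIAL_CHARS = 2048


class CredentialTooLong(ValueError):
    """Raised so the API layer can return a validation error, not a 500."""


def validate_mirror_credential(value, limit=MAX_CREDENTIAL_CHARS):
    """Return the value unchanged if it fits, otherwise raise CredentialTooLong."""
    if len(value) > limit:
        raise CredentialTooLong(
            "credential is %d characters; the mirror config accepts at most %d"
            % (len(value), limit)
        )
    return value


def constructed_service_key(private_key_body_chars=1624):
    """Constructed stand-in for a service account key; holds no real key material."""
    filler = "A" * private_key_body_chars  # placeholder bytes, not a private key
    return {
        "type": "service_account",
        "project_id": "example-project",
        "private_key_id": "0" * 40,
        "private_key": "-----BEGIN PRIVATE KEY-----\n%s\n-----END PRIVATE KEY-----\n" % filler,
        "client_email": "mirror@example-project.iam.gserviceaccount.com",
        "client_id": "0" * 21,
        "token_uri": "https://oauth2.googleapis.com/token",
    }


def check(service_key):
    """Base64-encode the JSON key and report (fits, message) without raising."""
    encoded = base64.b64encode(json.dumps(service_key).encode("utf-8")).decode("ascii")
    try:
        validate_mirror_credential(encoded)
        return True, "ok (%d characters)" % len(encoded)
    except CredentialTooLong as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(check(constructed_service_key()))     # full-size key: rejected
    print(check(constructed_service_key(100)))  # short key: accepted
```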