dockerkubernetesapache-kafkaapache-kafka-connectamazon-ecr

Strimzi loading container into aws ecr - error checking push permissions

I am running Apache Kafka on Kubernetes via Strimzi operator. I am trying to install Kafka Connect with mysql debezium connector.

This is the Connector configuration file:

apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaConnect
metadata:
  name: my-connect-cluster
  annotations:
    strimzi.io/use-connector-resources: "true"
spec:
  version: 3.1.0
  replicas: 1
  bootstrapServers: <bootstrap-server>
  config:
    group.id: connect-cluster
    offset.storage.topic: connect-cluster-offsets
    config.storage.topic: connect-cluster-configs
    status.storage.topic: connect-cluster-status
    config.storage.replication.factor: -1
    offset.storage.replication.factor: -1
    status.storage.replication.factor: -1
  build: 
    output: 
      type: docker
      image: <my-repo-in-ecr>/my-connect-cluster:latest
      pushSecret: ecr-secret
    plugins: 
    - name: debezium-mysql-connector
      artifacts:
      - type: tgz
        url: https://repo1.maven.org/maven2/io/debezium/debezium-connector-mysql/1.9.0.Final/debezium-connector-mysql-1.9.0.Final-plugin.tar.gz

I created the ecr-secret in this way:

kubectl create secret docker-registry ecr-secret \
  --docker-server=${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com \
  --docker-username=AWS \
  --docker-password=$(aws ecr get-login-password) \
  --namespace=default

The error I get is the following:

error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "/my-connect-cluster:latest": POST https:/ │ │ Stream closed EOF for default/my-connect-cluster-connect-build (my-connect-cluster-connect-build)

I am not sure what permission I should check. I already tried to use a configuration of the aws cli with a role with admin priviledge just to debug but I got the same error. Any guess?

Solution

  • I thought some role was missing from the node in the EKS cluster but that is not the case since the only thing needed to authenticate is the information contained in the secret.

    The error was actually in the secret creation: two details are very relevant:

    1. the --region flag in the aws ecr get-login-password command was missing and therefore a different password was generated.
    2. the https:// is needed in front of the docker-server

    Below the right command for the secret generation.

    kubectl create secret docker-registry ecr-secret \
  --docker-server=https://${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com \
  --docker-username=AWS \
  --docker-password=$(aws ecr get-login-password --region eu-central-1) \
  --namespace=default