'UNAUTHORIZED' when verifying repo write access for images, but pushing builder image works fine

[Milkshak3s]

I'm running into an issue where supplying private repository credentials to an Image leads to UNAUTHORIZED , but supplying those same exact credentials in the same secret for a Builder leads to the builder image successfully being pushed to the repository.

Image build logs:

 Build reason(s): CONFIG

 CONFIG:

 	resources: {}

 	- source: {}

 	+ source:

 	+   git:

 	+     revision: 3be289517d320a47bb8f359acc1d1daf0829ed0b

 	+     url: https://github.com/spring-projects/spring-petclinic

 Loading registry credentials from service account secrets

 Loading secret for "harbor.example.com/project" from secret "kpack-reg-creds-2" at location "/var/build-secrets/kpack-reg-creds-2"

 Loading cluster credential helpers

 Error verifying write access to "harbor.example.com/project/test": UNAUTHORIZED

Builder exists:

milkshak3s@ubuntu:~/kpack$ kp builder list -n kpack-test
NAME               READY    STACK                         IMAGE
default-builder    true     io.buildpacks.stacks.jammy    harbor.example.com/project/builder:builder-kpack-test-default-builder@sha256:d8044d1e15edbb8f2e6619e401e5bfc225c9269b8e786586cc72b199b32119d2

[Milkshak3s]

My workaround has been to use a secret of type type: kubernetes.io/basic-auth rather than type: kubernetes.io/dockerconfigjson

[chenbh]

Just for sanity's sake:

1. The project test exists in harbor? In your example the Builder is pushing to builder project but the Image is pushing to test
2. Is your workaround that you switched the data from username/password to .dockerconfig.json, or did you use the same data and just changed the type?

[tomkennedy513]

The secret seems suspect to me. When the secret is loaded during prepare it should say harbor.example.com not harbor.example.com/project since the credential matching works on domains. Can you validate the secret is configured for harbor.example.com only?