Kaniko（GitLab CI，K8s）無法推送到 Nexus Repository Manager：UNAUTHORIZED：未授權訪問請求的資源

我的 GitLab CI 作業使用 Kaniko 在 K8s 上使用 GitLab 執行器建構範例容器映像。所有服務都在我的 LAN 中，位於靜態 IP 後面。建構過程從安全域 A 下的第一個 Nexus 系統資料庫服務中提取 ArchLinux 映像。然後我嘗試將其推送到同一個 Nexus 系統資料庫到第二個域 B 下的第二個快照儲存庫中。因此我使用相同的 Nexus 使用者。如果作業嘗試推送，則會導致以下錯誤：

$ /kaniko/executor  --context $CI_PROJECT_DIR  --dockerfile $CI_PROJECT_DIR/Dockerfile  --destination ${SNAPSHOT_CONTAINER_REGISTRY}/${IMAGE_NAME}

error checking push permissions -- make sure you entered the correct tag name, 
and that you are authenticated correctly, and try again: 
checking push permission for "B/example-app:dev-proto-kokosbot": 
POST https://B/v2/example-app/blobs/uploads/: 
UNAUTHORIZED: access to the requested resource is not authorized

即使我授予 cicd 使用者管理員權限，我也無法超越 kaniko。使用 docker CLI 推送沒有問題，我可以在瀏覽器中訪問錯誤的 URL，它可以工作……

我的 CI 配置：

stages:
 - build

variables:
 COMMIT_SHORT_SHA: ${CI_COMMIT_SHA} at ${CI_COMMIT_BRANCH}
 IMAGE_NAME: example-app:${CI_COMMIT_BRANCH}
 
build-job:
 stage: build
 image:
   name: gcr.io/kaniko-project/executor:debug
   entrypoint: [""]
 script:
   - echo [INFO] Start building container ${IMAGE_NAME}
   - echo [INFO] Target container registry ${SNAPSHOT_CONTAINER_REGISTRY}
   - mkdir -p /kaniko/.docker
   - |
     echo "{\"auths\":{
       \"${CONTAINER_REGISTRY}\":{
         \"auth\":\"${AUTH_REGISTRY}\"
         }
       },
       \"${SNAPSHOT_CONTAINER_REGISTRY}\":{
         \"auth\":\"${AUTH_REGISTRY}\"
         }
       }        
     }" > /kaniko/.docker/config.json
   - less /kaniko/.docker/config.json
   - >
     /kaniko/executor 
     --context $CI_PROJECT_DIR 
     --dockerfile $CI_PROJECT_DIR/Dockerfile 
     --destination ${SNAPSHOT_CONTAINER_REGISTRY}/${IMAGE_NAME}
     --no-push
   - >
     /kaniko/executor 
     --context $CI_PROJECT_DIR 
     --dockerfile $CI_PROJECT_DIR/Dockerfile 
     --destination ${SNAPSHOT_CONTAINER_REGISTRY}/${IMAGE_NAME} 

我不知道從哪裡開始理解這個問題，有沒有人有線索？

問候， Kokos Bot。

• GitLab CE
• Nexus Repository Manager：免費版

編輯：我是否正確理解只是無法辨識使用者？使用者被稱為 CICD 而不是 *UNKOWN。

連結日誌：

nexus_1  | 2021-02-11 06:48:20,719+0000 INFO  [qtp874955081-232] *UNKNOWN org.apache.shiro.session.mgt.AbstractValidatingSessionManager - Enabling session validation scheduler...
nexus_1  | 2021-02-11 06:48:20,739+0000 INFO  [qtp874955081-232] *UNKNOWN org.sonatype.nexus.internal.security.anonymous.AnonymousManagerImpl - Loaded configuration: OrientAnonymousConfiguration{enabled=false, userId='anonymous', realmName='NexusAuthorizingRealm'}
nexus_1  | 2021-02-11 06:48:20,741+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Servicing: GET /repository/dio-container-snapshot/v2/ (https://snapshot.container.ABC.ABC/repository/dio-container-snapshot/v2/)
nexus_1  | 2021-02-11 06:48:20,742+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Parsed path: RepositoryPath{repositoryName='dio-container-snapshot', remainingPath='/v2/'}
nexus_1  | 2021-02-11 06:48:20,742+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Looking for repository: dio-container-snapshot
nexus_1  | 2021-02-11 06:48:20,743+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Repository: RepositoryImpl$$EnhancerByGuice$$765e645e{type=hosted, format=docker, name='dio-container-snapshot'}
nexus_1  | 2021-02-11 06:48:20,743+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Dispatching to view facet: org.sonatype.nexus.repository.view.ConfigurableViewFacet$$EnhancerByGuice$$d744b4fe@6a0c93a4
nexus_1  | 2021-02-11 06:48:20,745+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.HttpResponseSenderSelector - Looking for HTTP response sender: docker
nexus_1  | 2021-02-11 06:48:20,747+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Router - Request: Request{action='GET', path='/v2/', parameters={}, payload=HttpRequestPayloadAdapter{contentType='null', size=-1}, multipart=false}
nexus_1  | 2021-02-11 06:48:20,748+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.matchers.logic.AndMatcher - Matching: org.sonatype.nexus.repository.view.matchers.ActionMatcher@2503258 AND LiteralMatcher{literal='/v2/', ignoreCase=true}
nexus_1  | 2021-02-11 06:48:20,748+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.matchers.LiteralMatcher - Matching: /v2/=/v2/ ignore-case: true
nexus_1  | 2021-02-11 06:48:20,749+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Context - Starting: Route{matcher=AndMatcher{matchers=[org.sonatype.nexus.repository.view.matchers.ActionMatcher@2503258, LiteralMatcher{literal='/v2/', ignoreCase=true}]}, handlers=[org.sonatype.nexus.repository.view.handlers.TimingHandler@38a76c9d, org.sonatype.nexus.repository.docker.internal.V2Handlers$_closure1@64b09cb9, org.sonatype.nexus.repository.docker.internal.V2Handlers$_closure18@60e34347, org.sonatype.nexus.repository.security.SecurityHandler@63226ff1, org.sonatype.nexus.repository.view.handlers.HandlerContributor@60e2348c, org.sonatype.nexus.repository.docker.internal.V2Handlers$_closure2@57297d]}
nexus_1  | 2021-02-11 06:48:20,749+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Context - Proceeding: org.sonatype.nexus.repository.view.handlers.TimingHandler@38a76c9d
nexus_1  | 2021-02-11 06:48:20,749+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Context - Proceeding: org.sonatype.nexus.repository.docker.internal.V2Handlers$_closure1@64b09cb9
nexus_1  | 2021-02-11 06:48:20,752+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Context - Proceeding: org.sonatype.nexus.repository.docker.internal.V2Handlers$_closure18@60e34347
nexus_1  | 2021-02-11 06:48:20,752+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Context - Proceeding: org.sonatype.nexus.repository.security.SecurityHandler@63226ff1
nexus_1  | 2021-02-11 06:48:20,800+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Router - Response: Response{status=Status{successful=false, code=401, message='null'}, payload=StringPayload{size=113, charset=UTF-8, contentType='application/json'}}
nexus_1  | 2021-02-11 06:48:20,801+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Request: Request{action='GET', path='/v2/', parameters={}, payload=HttpRequestPayloadAdapter{contentType='null', size=-1}, multipart=false}
nexus_1  | 2021-02-11 06:48:20,801+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.DefaultHttpResponseSender - Sending response: Response{status=Status{successful=false, code=401, message='null'}, payload=StringPayload{size=113, charset=UTF-8, contentType='application/json'}}
nexus_1  | 2021-02-11 06:48:20,806+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Service completed
nexus_1  | 2021-02-11 06:48:20,820+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Servicing: POST /repository/dio-container-snapshot/v2/example-app/blobs/uploads/ (https://snapshot.container.ABC.ABC/repository/dio-container-snapshot/v2/example-app/blobs/uploads/)
nexus_1  | 2021-02-11 06:48:20,821+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Parsed path: RepositoryPath{repositoryName='dio-container-snapshot', remainingPath='/v2/example-app/blobs/uploads/'}
nexus_1  | 2021-02-11 06:48:20,821+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Looking for repository: dio-container-snapshot
nexus_1  | 2021-02-11 06:48:20,821+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Repository: RepositoryImpl$$EnhancerByGuice$$765e645e{type=hosted, format=docker, name='dio-container-snapshot'}
nexus_1  | 2021-02-11 06:48:20,821+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Dispatching to view facet: org.sonatype.nexus.repository.view.ConfigurableViewFacet$$EnhancerByGuice$$d744b4fe@6a0c93a4
nexus_1  | 2021-02-11 06:48:20,822+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.HttpResponseSenderSelector - Looking for HTTP response sender: docker
nexus_1  | 2021-02-11 06:48:20,822+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Router - Request: Request{action='POST', path='/v2/example-app/blobs/uploads/', parameters={}, payload=HttpRequestPayloadAdapter{contentType='application/json', size=0}, multipart=false}
nexus_1  | 2021-02-11 06:48:20,822+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.matchers.logic.AndMatcher - Matching: org.sonatype.nexus.repository.view.matchers.ActionMatcher@2503258 AND LiteralMatcher{literal='/v2/', ignoreCase=true}
nexus_1  | 2021-02-11 06:48:20,823+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.matchers.logic.AndMatcher - Matching: org.sonatype.nexus.repository.view.matchers.ActionMatcher@2fb965f0 AND OrMatcher{matchers=[org.sonatype.nexus.repository.view.matchers.token.TokenMatcher@6264781a, org.sonatype.nexus.repository.view.matchers.token.TokenMatcher@3679c546]}
nexus_1  | 2021-02-11 06:48:20,823+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.matchers.logic.AndMatcher - Matching: org.sonatype.nexus.repository.view.matchers.ActionMatcher@291c9924 AND OrMatcher{matchers=[org.sonatype.nexus.repository.view.matchers.token.TokenMatcher@4deeef12, org.sonatype.nexus.repository.view.matchers.token.TokenMatcher@c0bea1d]}
nexus_1  | 2021-02-11 06:48:20,823+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.matchers.logic.AndMatcher - Matching: org.sonatype.nexus.repository.view.matchers.ActionMatcher@74a04d2f AND org.sonatype.nexus.repository.view.matchers.token.TokenMatcher@39b83f26
nexus_1  | 2021-02-11 06:48:20,823+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.matchers.logic.AndMatcher - Matching: org.sonatype.nexus.repository.view.matchers.ActionMatcher@314d17c AND org.sonatype.nexus.repository.view.matchers.token.TokenMatcher@501c8801
nexus_1  | 2021-02-11 06:48:20,824+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.matchers.token.TokenMatcher - Matching: /v2/example-app/blobs/uploads/~=TokenParser{pattern=\Q/v2/\E(?<name>.+)\Q/blobs/uploads/\E, variables=[var(name,.+)]}
nexus_1  | 2021-02-11 06:48:20,825+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Context - Starting: Route{matcher=AndMatcher{matchers=[org.sonatype.nexus.repository.view.matchers.ActionMatcher@314d17c, org.sonatype.nexus.repository.view.matchers.token.TokenMatcher@501c8801]}, handlers=[org.sonatype.nexus.repository.view.handlers.TimingHandler@38a76c9d, org.sonatype.nexus.repository.docker.internal.V2Handlers$_closure1@64b09cb9, org.sonatype.nexus.repository.docker.internal.V2Handlers$_closure18@60e34347, org.sonatype.nexus.repository.security.SecurityHandler@63226ff1, org.sonatype.nexus.repository.view.handlers.HandlerContributor@60e2348c, org.sonatype.nexus.repository.storage.UnitOfWorkHandler@7ba0816b, org.sonatype.nexus.repository.docker.internal.V2Handlers$_closure3@4f48429e]}
nexus_1  | 2021-02-11 06:48:20,825+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Context - Proceeding: org.sonatype.nexus.repository.view.handlers.TimingHandler@38a76c9d
nexus_1  | 2021-02-11 06:48:20,825+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Context - Proceeding: org.sonatype.nexus.repository.docker.internal.V2Handlers$_closure1@64b09cb9
nexus_1  | 2021-02-11 06:48:20,825+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Context - Proceeding: org.sonatype.nexus.repository.docker.internal.V2Handlers$_closure18@60e34347
nexus_1  | 2021-02-11 06:48:20,826+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Context - Proceeding: org.sonatype.nexus.repository.security.SecurityHandler@63226ff1
nexus_1  | 2021-02-11 06:48:20,827+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Router - Response: Response{status=Status{successful=false, code=401, message='null'}, payload=StringPayload{size=113, charset=UTF-8, contentType='application/json'}}
nexus_1  | 2021-02-11 06:48:20,827+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Request: Request{action='POST', path='/v2/example-app/blobs/uploads/', parameters={}, payload=HttpRequestPayloadAdapter{contentType='application/json', size=0}, multipart=false}
nexus_1  | 2021-02-11 06:48:20,828+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.DefaultHttpResponseSender - Sending response: Response{status=Status{successful=false, code=401, message='null'}, payload=StringPayload{size=113, charset=UTF-8, contentType='application/json'}}
nexus_1  | 2021-02-11 06:48:20,828+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Service completed

我發現了問題。Docker 配置中有一個錯誤的支架。不幸的是，環境變數有很多括號。因此，這並不容易引起注意。

更讓人吃驚的是，鹿晗子，追根究底，竟然不吐槽……

引用自：https://serverfault.com/questions/1053189