Cannot pull the image although pushed it from the same credentials in yml action

Question

I cant seem to be able to pull the image although I pushed it via the same credentials. I am getting the following error and also I have included my action yml. Could someone please help me. Everything works fine except for the pulling part. How do I configure it.

  Normal   Scheduled  44s                default-scheduler  Successfully assigned default/checkout-depl-7869b4bc9b-94xfx to aks-nodepool1-13551878-vmss000000
  Normal   BackOff    19s (x2 over 45s)  kubelet            Back-off pulling image "restrowiseacr.azurecr.io/checkout"
  Warning  Failed     19s (x2 over 45s)  kubelet            Error: ImagePullBackOff
  Normal   Pulling    5s (x3 over 45s)   kubelet            Pulling image "restrowiseacr.azurecr.io/checkout"
  Warning  Failed     5s (x3 over 45s)   kubelet            Failed to pull image "restrowiseacr.azurecr.io/checkout": rpc error: code = Unknown desc = failed to pull and unpack image "restrowiseacr.azurecr.io/checkout:latest": failed to resolve reference "restrowiseacr.azurecr.io/checkout:latest": failed to authorize: failed to fetch anonymous token: unexpected status from GET request to https://restrowiseacr.azurecr.io/oauth2/token?scope=repository%3Acheckout%3Apull&service=restrowiseacr.azurecr.io: 401 Unauthorized
  Warning  Failed     5s (x3 over 45s)   kubelet            Error: ErrImagePull

name: deploy-checkout

on:
  push:
    branches:
      - main
    paths:
      - "checkout/**"



jobs:
  buildImage:
    permissions:
      contents: read
      id-token: write
    runs-on: ubuntu-latest
    steps:
      # Checks out the repository this file is in
      - uses: actions/checkout@v3

      - name: Initialize submodules
        run: git submodule init

      - name: Update submodules
        run: git submodule update --remote

      # Logs in with your Azure credentials
      - name: Azure login
        uses: azure/login@v1.4.6
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      # Builds and pushes an image up to your Azure Container Registry
      - name: Build and push image to ACR
        run: cd ${{ env.CONTAINER_NAME }} && az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .

  deploy:
    permissions:
      actions: read
      contents: read
      id-token: write
    runs-on: ubuntu-latest
    needs: [buildImage]
    steps:
      # Checks out the repository this file is in
      - uses: actions/checkout@v3

      # Logs in with your Azure credentials
      - name: Azure login
        uses: azure/login@v1.4.6
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      # Use kubelogin to configure your kubeconfig for Azure auth
      - name: Set up kubelogin for non-interactive login
        uses: azure/use-kubelogin@v1
        with:
          kubelogin-version: "v0.0.25"

      # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
      - name: Get K8s context
        uses: azure/aks-set-context@v3
        with:
          resource-group: ${{ env.RESOURCE_GROUP }}
          cluster-name: ${{ env.CLUSTER_NAME }}
          admin: "false"
          use-kubelogin: "true"
      
      - name: Deployment restart
        uses: azure/setup-kubectl@v3
        id: install
      - run: kubectl rollout restart deployment ${{ env.CONTAINER_NAME }}-depl

Answer 1

Hi @Manish Budhathoki,

The Kubernetes deployment will not use the same az credentials that you used to push the ACR image; you have to integrate the AKS with your ACR to be able to pull the image using the deployment.

az aks update -n myAKSCluster -g myResourceGroup --attach-acr <acr-name>

Reference: https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?tabs=azure-cli#attach-an-acr-to-an-aks-cluster