404 not found when run docker login to jfrog registry

[sanggkaitoo]

Is this a request for help?: Yes

---

Is this a BUG REPORT or FEATURE REQUEST? (choose one): BUG REPORT

Version of Helm and Kubernetes:
Helm version:

version.BuildInfo{Version:"v3.9.3", GitCommit:"414ff28d4029ae8c8b05d62aa06c7fe3dee2bc58", GitTreeState:"clean", GoVersion:"go1.17.13"}

Kubernetes version:

Client Version: version.Info{Major:"1", Minor:"26", GitVersion:"v1.26.3", GitCommit:"9e644106593f3f4aa98f8a84b23db5fa378900bd", GitTreeState:"clean", BuildDate:"2023-03-15T13:40:17Z", GoVersion:"go1.19.7", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.7
Server Version: version.Info{Major:"1", Minor:"27", GitVersion:"v1.27.2", GitCommit:"7f6f68fdabc4df88cfea2dcf9a19b2b830f1e647", GitTreeState:"clean", BuildDate:"2023-05-17T14:13:28Z", GoVersion:"go1.20.4", Compiler:"gc", Platform:"linux/amd64"}

Which chart:
artifactory-jcr
App Version
7.59.12
Package Version
107.59.12

Which product license (Enterprise/Pro/oss):
oss

What happened:
After I deployed artifactory-jcr and created Docker registry I used docker login to login into self-host registry but I got this error:
Error response from daemon: login attempt to https://my_domain/v2/ failed with status: 404 Not Found

What you expected to happen:
Expected to login successfully

How to reproduce it (as minimally and precisely as possible):
Values.yaml:

artifactory:
  artifactory:
    image:
      registry: "releases-docker.jfrog.io"
      repository: "jfrog/artifactory-jcr"
    javaOpts: {}
    resources: {}
  databaseUpgradeReady: "yes"
  ingress:
    enabled: false
    tls:
  installer:
    platform: "jcr-helm"
  installerInfo: "{\"productId\": \"Helm_artifactory-jcr/{{ .Chart.Version }}\",
    \"features\": [ { \"featureId\": \"Platform/{{ default \"kubernetes\"
    .Values.installer.platform }}\"}]}"
  jfconnect:
    enabled: false
  nginx:
    enabled: true
    service:
      type: "NodePort"
    tlsSecretName: ""
  postgresql:
    enabled: false
postgresql:
  enabled: true
  postgresDatabase: "artifactory"
  postgresHost: "10.107.15.40"
  postgresPassword: "password"
  postgresPort: 5432
  postgresUser: "artifactory"
router:
  image:
    tag: "7.67.0"

Anything else we need to know:
I install Kubernetes in AWS but not using EKS, just create EC2 and join it into k8s cluster. And I using ALB to direct data to NodePort. My jfrog's host is a subdomain that manages by AWS: jfrog.mlops.sangkaito.com

Please help me solve this problem.
Thanks so much

[kammathavaran]

This seems to be an issue with the ALB/NodePort configuration. And with the information you have provided, this is difficult to analyse. Can you provide more information on

1. domain routing
2. ALB configuration
3. docker login command

[9numbernine9]

We ran into a similar issue recently as well. In our scenario, we're deploying an Artifactory instance that should be reachable at artifactory.ourdomain.com, and we want to have a couple Docker registries that are available at docker-io.artifactory.ourdomain.com and our-images.artifactory.domain.com. Initially we configured the ingress via the Helm chart like this:

ingress:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
  enabled: true
  hosts:
    - artifactory.ourdomain.com
    - docker-io.artifactory.ourdomain.com
    - our-images.artifactory.ourdomain.com
  tls:
    - hosts:
      - artifactory.ourdomain.com
      - docker-io.artifactory.ourdomain.com
      - our-images.artifactory.ourdomain.com
      secretName: artifactory-web-tls

Unfortunately, this doesn't seem to quite the right thing. This configures the K8S Ingress in such a way that artifactory.ourdomain.com, docker-io.artifactory.ourdomain.com, and our-images.artifactory.ourdomain.com effectively all become different ways to reach the Artifactory UI; what we really want is the Docker domains to redirect to the service on port 8081 automatically.

Our workaround is to use the additionalRules feature of the Helm chart to write our own rules to point the Docker hosts to the service on port 8081 directly instead:

ingress:
    additionalRules: "- \"host\": \"docker-io.artifactory.ourdomain.com\"\n  \"http\":\n\ \    \"paths\":\n    - \"backend\":\n        \"service\":\n          \"name\"\ : \"artifactory\"\n          \"port\":\n            \"number\": 8081\n      \"\ path\": \"/\"\n      \"pathType\": \"ImplementationSpecific\"\n- \"host\": \"\ our-images.artifactory.ourdomain.com\"\n  \"http\":\n    \"paths\":\n    - \"\ backend\":\n        \"service\":\n          \"name\": \"artifactory\"\n      \ \    \"port\":\n            \"number\": 8081\n      \"path\": \"/\"\n      \"\ pathType\": \"ImplementationSpecific\"\n"

  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
  enabled: true
  hosts:
    - artifactory.ourdomain.com
  tls:
    - hosts:
        - artifactory.ourdomain.com
        - docker-io.artifactory.ourdomain.com
        - our-images.artifactory.ourdomain.com
	  secretName: artifactory-web-tls

Note that the additionalRules field appears to use an escaped YAML string, so it's not pretty to look at. 🙃 This is admittedly not pretty but I can confirm that it works for us at least!

It would be nice if the Helm chart had a separate dockerHosts section that allowed these hosts to be specified separately from hosts so that right redirection would take place.