@@ -230,6 +230,12 @@ kubectl exec -it <pod-name> -n ambient-code -- curl http://backend-service:8080/
230230```
231231
232232#### Image Pull Errors
233+
234+ ** Common Symptoms:**
235+ - Pods stuck in ` ImagePullBackOff ` or ` ErrImagePull ` status
236+ - Error: ` 401 UNAUTHORIZED ` when pulling from private registries
237+
238+ ** For Public Images:**
233239``` bash
234240# Verify registry access
235241docker pull $REGISTRY /backend:latest
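Review bot: The added symptoms list names `401 UNAUTHORIZED` from private registries, but the next added heading, "For Public Images:", leads straight into the `docker pull $REGISTRY/backend:latest` check, which runs with the workstation's Docker credentials and can succeed while the cluster's pull still returns 401. Suggest adding a line under the symptoms that sends 401 cases to the private-image steps, and noting next to the `docker pull` check that it verifies local access only.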
@@ -238,7 +244,79 @@ docker pull $REGISTRY/backend:latest
238244grep " image:" manifests/* .yaml
239245
240246# Update registry references if needed
241- sed -i " s|old-registry|new-registry|g" manifests/* .yaml
247+ sed -i ' ' " s|old-registry|new-registry|g" manifests/* .yaml
248+ ```
249+
250+ ** For Private Images (e.g., quay.io, Docker Hub private repos):**
251+
252+ 1 . ** Create Registry Secret:**
253+ ``` bash
254+ # Method 1: Using explicit credentials
255+ kubectl create secret docker-registry registry-secret \
256+ --docker-server=quay.io \
257+ --docker-username=YOUR_USERNAME \
258+ --docker-password=YOUR_PASSWORD \
259+ --docker-email=YOUR_EMAIL \
260+ --namespace=ambient-code
261+
262+ # Method 2: Using robot account (recommended for quay.io)
263+ kubectl create secret docker-registry registry-secret \
264+ --docker-server=quay.io \
265+ --docker-username=YOUR_ROBOT_ACCOUNT \
266+ --docker-password=YOUR_ROBOT_TOKEN \
267+ --docker-email=YOUR_EMAIL \
268+ --namespace=ambient-code
269+ ```
270+
271+ 2 . ** Configure Service Accounts (No Manifest Changes Required):**
272+ ``` bash
273+ # Add image pull secrets to existing service accounts
274+ kubectl patch serviceaccount backend-api -n ambient-code \
275+ -p ' {"imagePullSecrets": [{"name": "registry-secret"}]}'
276+
277+ kubectl patch serviceaccount agentic-operator -n ambient-code \
278+ -p ' {"imagePullSecrets": [{"name": "registry-secret"}]}'
279+
280+ # For deployments using default service account (like frontend)
281+ kubectl patch serviceaccount default -n ambient-code \
282+ -p ' {"imagePullSecrets": [{"name": "registry-secret"}]}'
283+ ```
284+
285+ 3 . ** Restart Deployments:**
286+ ``` bash
287+ kubectl rollout restart deployment backend-api -n ambient-code
288+ kubectl rollout restart deployment agentic-operator -n ambient-code
289+ kubectl rollout restart deployment frontend -n ambient-code
290+ ```
291+
292+ 4 . ** Verify Configuration:**
293+ ``` bash
294+ # Check if secret exists and is properly formatted
295+ kubectl get secret registry-secret -n ambient-code -o yaml
296+ kubectl get secret registry-secret -n ambient-code -o jsonpath=' {.data.\.dockerconfigjson}' | base64 -d
297+
298+ # Verify service accounts have image pull secrets
299+ kubectl get serviceaccount backend-api -n ambient-code -o yaml
300+ kubectl get serviceaccount agentic-operator -n ambient-code -o yaml
301+ kubectl get serviceaccount default -n ambient-code -o yaml
302+
303+ # Check pod status
304+ kubectl get pods -n ambient-code
305+ kubectl describe pod < failing-pod-name> -n ambient-code
306+ ```
307+
308+ ** Troubleshooting Private Image Issues:**
309+ ``` bash
310+ # If using Docker Desktop credential store, create explicit config
311+ docker --config /tmp/docker-config login quay.io
312+ kubectl create secret generic registry-secret \
313+ --from-file=.dockerconfigjson=/tmp/docker-config/config.json \
314+ --type=kubernetes.io/dockerconfigjson \
315+ --namespace=ambient-code
316+ rm -rf /tmp/docker-config
317+
318+ # Test local access to verify credentials
319+ docker pull quay.io/your-username/your-image:latest
242320```
243321
244322#### Job Failures
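Review bot: In step 1, `--docker-password=YOUR_PASSWORD` and `--docker-password=YOUR_ROBOT_TOKEN` put the registry credential on the command line, where it ends up in shell history and is visible in the process list; suggest making the `--from-file=.dockerconfigjson=...` form from the troubleshooting block the primary method. In step 2, patching `serviceaccount default` hands the pull secret to every pod in `ambient-code` that does not name its own service account, so a dedicated service account for frontend would keep the scope narrower. The `sed -i ''` change is the BSD/macOS form; GNU sed takes the empty string as the script and the substitution as a file name, so the doc should state the platform or show both forms. The troubleshooting block writes credentials to the fixed path `/tmp/docker-config`, where a `mktemp -d` directory would avoid a predictable location, and it reuses the name `registry-secret`, so `kubectl create` will fail if step 1 already created it. The step 4 `base64 -d` command prints the credential in clear text and deserves a one-line caution.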