DEV Community

iapilgrim
iapilgrim

Posted on

FluxCD Image Automation Error Troubleshooting

#fluxcd #minikube #kubernetes

Problem

Running:

flux reconcile image update flux-system
Enter fullscreen mode Exit fullscreen mode

Result:

failed to update source: failed to push to remote
ERROR: The key you are authenticating with has been marked as read only
Enter fullscreen mode Exit fullscreen mode

And:

flux get image update
Enter fullscreen mode Exit fullscreen mode

shows:

READY: False
MESSAGE: failed to push to remote
Enter fullscreen mode Exit fullscreen mode

Root Cause

FluxCD ImageUpdateAutomation needs to commit and push updates to the Git repository when it updates container image tags.

Pipeline:

Container Registry
        ↓
ImageRepository
        ↓
ImagePolicy
        ↓
ImageUpdateAutomation
        ↓
Git Commit + Push
        ↓
Flux Kustomization deploys update
Enter fullscreen mode Exit fullscreen mode

If the Git credential is read-only, the push fails.

Diagnosis Steps

1. Check Image Automation Status 

flux get image update
Enter fullscreen mode Exit fullscreen mode

Look for:

READY: False
failed to push to remote
Enter fullscreen mode Exit fullscreen mode

2. Inspect the Automation Object 

kubectl get imageupdateautomation -A
Enter fullscreen mode Exit fullscreen mode

Example:

STATUS: failed to update source
Enter fullscreen mode Exit fullscreen mode

3. Check the Git Source 

flux get sources git
Enter fullscreen mode Exit fullscreen mode

This confirms Flux can read the repo.

But pushing still fails if the key is read-only.

4. Confirm Git Authentication

Check the Git secret:

kubectl get secret flux-system -n flux-system
Enter fullscreen mode Exit fullscreen mode

This secret contains the SSH key Flux uses.

Fix Implemented

You recreated the Git authentication secret with a write-enabled SSH key.

1️⃣ Generate SSH Key 

ssh-keygen
Enter fullscreen mode Exit fullscreen mode

2️⃣ Add Public Key to GitHub

Go to repo:

Settings → Deploy Keys
Enter fullscreen mode Exit fullscreen mode

Add:

fluxcd-test.pub
Enter fullscreen mode Exit fullscreen mode

Enable:

Allow write access
Enter fullscreen mode Exit fullscreen mode

3️⃣ Recreate Flux Git Secret 

flux create secret git flux-system \
  --url=ssh://git@github.com/pilgrim2go/flux-minikube-lab \
  --private-key-file=$PWD/fluxcd-test \
  -n flux-system
Enter fullscreen mode Exit fullscreen mode

This updates the Git credential used by Flux.

4️⃣ Trigger Automation 

flux reconcile image update flux-system
Enter fullscreen mode Exit fullscreen mode

Expected Result 

flux get image update
Enter fullscreen mode Exit fullscreen mode 
READY: True
MESSAGE: committed and pushed update
Enter fullscreen mode Exit fullscreen mode

You should also see a commit in Git like:

flux: update image tag
Enter fullscreen mode Exit fullscreen mode

Useful Debug Commands

Check full Flux status:

flux get all
Enter fullscreen mode Exit fullscreen mode

Check automation logs:

kubectl logs -n flux-system deploy/image-automation-controller
Enter fullscreen mode Exit fullscreen mode

Test Git sync:

flux reconcile source git flux-system
Enter fullscreen mode Exit fullscreen mode

Best Practice

Use a dedicated Flux deploy key with:

read + write
Enter fullscreen mode Exit fullscreen mode

instead of personal access tokens when using SSH Git repositories.

Top comments (0)