Access to private images on Dockerhub doesn't work with Github app

[dancook993]

What would you like help with?

I think I found a bug

How are you running Renovate?

Mend Renovate hosted app on github.com

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.

No response

Please tell us more about your question or problem

I am running the following renovate configuration file called .renovaterc in my project. This is used for helm and docker image updates. All the helm parts are working as are public docker images. I host my application private images in Dockerhub.

{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["config:base",
"docker:enableMajor",
":prHourlyLimitNone",
":rebaseStalePrs"
],
"baseBranches": ["stage"],
"prHourlyLimit": 0,
"prConcurrentLimit": 0,
"helm-values": {
"fileMatch": ["values_stage.yaml", "values_common.yaml", "values_prd.yaml"]
},
"kubernetes": {
"fileMatch": ["\.yaml$"]
},
"hostRules": [
{
"encrypted": {
"password": "REDACTED"
"hostType": "docker",
"username": "REDACTED"
}
]
}

This is erroring with "Datasource unauthorized" and "Failed to look up docker package redacted/keycloak" when I run a renovate scan.

I have tried encrypting the password with this tool:
https://app.renovatebot.com/encrypt

Using the Github Organisation name and then tried both the Dockerhub password and created an access token using Dockerhub and both failed.

Logs (if relevant)

Logs

DEBUG: hostRules: applying Basic authentication for hub.docker.com
{
  "baseBranch": "stage"
}

DEBUG: Using queue: host=hub.docker.com, concurrency=16
{
  "baseBranch": "stage"
}

DEBUG: Using queue: host=index.docker.io, concurrency=16
{
  "baseBranch": "stage"
}

DEBUG: hostRules: basic auth for https://index.docker.io
{
  "baseBranch": "stage"
}

DEBUG: Using queue: host=auth.docker.io, concurrency=16
{
  "baseBranch": "stage"
}

DEBUG: GET https://index.docker.io/v2/REDACTED/keycloak/tags/list?n=10000 = (code=ERR_NON_2XX_3XX_RESPONSE, statusCode=401 retryCount=0, duration=14)
{
  "baseBranch": "stage"
}

INFO: Docker Hub lookup failure
{
  "baseBranch": "stage"
  "err": {
    "name": "HTTPError",
    "code": "ERR_NON_2XX_3XX_RESPONSE",
    "timings": {
      "start": 1723809702874,
      "socket": 1723809702875,
      "lookup": 1723809702875,
      "connect": 1723809702875,
      "secureConnect": 1723809702875,
      "upload": 1723809702875,
      "response": 1723809702888,
      "end": 1723809702888,
      "phases": {
        "wait": 1,
        "dns": 0,
        "tcp": 0,
        "tls": 0,
        "request": 0,
        "firstByte": 13,
        "download": 0,
        "total": 14
      }
    },
    "message": "Response code 401 (Unauthorized)",
    "stack": "HTTPError: Response code 401 (Unauthorized)\n    at Request.<anonymous> (/usr/local/renovate/node_modules/.pnpm/got@11.8.6/node_modules/got/dist/source/as-promise/index.js:118:42)\n    at processTicksAndRejections (node:internal/process/task_queues:95:5)",
    "options": {
      "headers": {
        "user-agent": "RenovateBot/38.26.1 (https://github.com/renovatebot/renovate)",
        "accept": "application/json",
        "authorization": "***********",
        "accept-encoding": "gzip, deflate, br"
      },
      "url": "https://index.docker.io/v2/REDACTED/keycloak/tags/list?n=10000",
      "hostType": "docker",
      "username": "",
      "password": "",
      "method": "GET",
      "http2": false
    },
    "response": {
      "statusCode": 401,
      "statusMessage": "Unauthorized",
      "body": {
        "errors": [
          {
            "code": "UNAUTHORIZED",
            "message": "authentication required",
            "detail": [
              {
                "Type": "repository",
                "Class": "",
                "Name": "REDACTED/keycloak",
                "Action": "pull"
              }
            ]
          }
        ]
      },
      "headers": {
        "content-type": "application/json",
        "docker-distribution-api-version": "registry/2.0",
        "www-authenticate": "Bearer realm=\"https://auth.docker.io/token\",service=\"registry.docker.io\",scope=\"repository:REDACTED/keycloak:pull\",error=\"insufficient_scope\"",
        "date": "Fri, 16 Aug 2024 12:01:42 GMT",
        "content-length": "165",
        "strict-transport-security": "max-age=31536000"
      },
      "httpVersion": "1.1",
      "retryCount": 0
    }
  }
}

DEBUG: Datasource unauthorized
{
  "baseBranch": "stage"
  "datasource": "docker"
  "packageName": "REDACTED/keycloak"
  "url": "https://index.docker.io/v2/REDACTED/keycloak/tags/list?n=10000"
}

DEBUG: Failed to look up docker package REDACTED/keycloak
{
  "baseBranch": "stage"
  "dependency": "REDACTED/keycloak"
  "packageFile": "charts/keycloak/values_stage.yaml"
}

[dancook993]

Strange, I was able to fix it using:
"hostRules": [{
"hostType": "docker",
"matchHost": "docker.io",
"username": "REDACTED",
"encrypted": {
"password": "REDACTED"
}
}]
}

Please could the docs be made clearer that you need both hostType and matchHost when using private docker authentication?

[rarkins]

Yes, you can submit a PR to improve any docs you see

[rarkins]

If you encrypted it and then pasted the encrypted value straight in then it's wrong. It needs to be nested inside an "encrypted" config block. Better yet, use the app's secrets upload capability instead

[dancook993]

Thanks

It was the addition of both these fields that fixed it:
"hostType": "docker",
"matchHost": "docker.io",