Bug 1765294
| Field | Value |
|---|---|
| Summary | Dockercfg secret is not cleaned up when token is deleted |
| Product | OpenShift Container Platform |
| Component | openshift-controller-manager |
| Version | 4.3.0 |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | unspecified |
| Reporter | Weibin Liang <weliang> |
| Assignee | Adam Kaplan <adam.kaplan> |
| QA Contact | wewang <wewang> |
| CC | adam.kaplan, anusaxen, aos-bugs, bparees, ccoleman, lsm5, maszulik, mfojtik, obulatov, pmuller, rmarasch, santiago, surbania |
| Target Release | 4.5.0 |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | devex |
| Doc Type | Bug Fix |
| Clone Of | |
| | 1779282 1806792 |
| Last Closed | 2020-07-13 17:11:31 UTC |
| Type | Bug |
| Bug Blocks | 1806792 |

Doc Text:

Cause: Pull secrets for the internal registry sometimes would not be deleted when their associated token was deleted.
Consequence: Stale pull secrets for the internal registry would remain associated with Kubernetes service accounts.
Fix: Owner references were established between the internal registry pull secret and its associated token secret.
Result: Pull secrets are always deleted if the associated token is deleted.

Description
Weibin Liang
2019-10-24 18:29:36 UTC
*** Bug 1765739 has been marked as a duplicate of this bug. ***

Confirming the issue is still persistent in e2e tests.

It still exists in e2e test: 4.3.0-0.nightly-2019-10-31-050543
https://prow.svc.ci.openshift.org/view/gcs/origin-ci-test/logs/release-openshift-ocp-installer-e2e-gcp-4.3/294

*** Bug 1767655 has been marked as a duplicate of this bug. ***

I wonder if this is a watch issue in the test... can we replace the logic in waitForSecretDelete that looks for the deletion event with an explicit poll that simply looks for the secret in question to go missing?

I have just sent a patch that migrates away from watch, let's see if it is an issue there.

The PR that Ricardo mentioned: https://github.com/openshift/origin/pull/24103

[Feature:OpenShiftControllerManager] TestDockercfgTokenDeletedController [Suite:openshift/conformance/parallel] is verified in:
https://prow.svc.ci.openshift.org/view/gcs/origin-ci-test/logs/release-openshift-origin-installer-e2e-gcp-4.3/801

This test failure also occurred in a machine-os-content promotion job:
https://prow.svc.ci.openshift.org/view/gcs/origin-ci-test/logs/release-promote-openshift-machine-os-content-e2e-aws-4.3/3992
It looks like the fix is supposed to be in, can you please check if the above is the same thing?

Watch has been replaced by Poll, but the test still flakes [1].
[1] https://testgrid.k8s.io/redhat-openshift-ocp-release-4.3-blocking#release-openshift-origin-installer-e2e-gcp-4.3&include-filter-by-regex=TestDockercfgTokenDeletedController

I have this test running individually here for more than 1 hour. It takes less than 10 seconds to complete and I had not even a single failure. Starting to look to see if there may be any problem due to parallel tests.

Moving to 4.4.0, we will likely need to backport to 4.3.0 once we determine the root cause.

*** Bug 1776504 has been marked as a duplicate of this bug. ***

Moving this to 4.3.0 given the impact of this bug.

Still seeing this in recent runs:
https://prow.svc.ci.openshift.org/view/gcs/origin-ci-test/logs/release-openshift-ocp-installer-e2e-gcp-4.3/478
(plus many from last night)

This test was (temporarily) disabled as of 15 hours ago: https://github.com/openshift/origin/pull/24221
Maybe it hadn't made it through the ART cycle though.

It's disabled only in master (4.4). Do we want to disable it in 4.3?

Ugh. Yes. Thanks, Oleg. Note too that once we uncover the root cause of the flake, we need a 4.3 backport anyway for the .0 release or a z-stream update.

Verified in version: 4.5.0-0.nightly-2020-03-06-190457
Job: https://prow.svc.ci.openshift.org/view/gcs/origin-ci-test/logs/release-openshift-ocp-installer-e2e-gcp-4.5/61
https://testgrid.k8s.io/redhat-openshift-ocp-release-4.5-blocking#release-openshift-origin-installer-e2e-gcp-4.5&include-filter-by-regex=TestDockercfgTokenDeletedController

Reopening. This is likely what is causing the regression in https://bugzilla.redhat.com/show_bug.cgi?id=1785023

Moving back to VERIFIED - fix for regression is being tracked in https://bugzilla.redhat.com/show_bug.cgi?id=1785023

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2020:2409
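
An added example, not code from this bug report or from openshift-controller-manager: a Go check that classifies registry pull secrets in one namespace's secret list as `ok`, `stale` (the owning token secret no longer exists, the state this bug describes) or `unowned` (no owner reference, the pre-fix state). It assumes, following the Doc Text fix, that each `kubernetes.io/dockercfg` secret carries an `ownerReferences` entry of kind `Secret` for its token; the sample list and every name and UID in it are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// secret holds only the fields this check reads (encoding/json matches keys case-insensitively).
type secret struct {
	Type     string
	Metadata struct {
		Name, UID       string
		OwnerReferences []struct{ Kind, UID string }
	}
}

// Constructed sample shaped like a Secret list for one namespace; names and UIDs are made up.
const sampleList = `{"items":[
 {"type":"kubernetes.io/service-account-token","metadata":{"name":"builder-token-a","uid":"u1"}},
 {"type":"kubernetes.io/dockercfg","metadata":{"name":"builder-dockercfg-a","uid":"u2","ownerReferences":[{"kind":"Secret","uid":"u1"}]}},
 {"type":"kubernetes.io/dockercfg","metadata":{"name":"builder-dockercfg-b","uid":"u3","ownerReferences":[{"kind":"Secret","uid":"u9"}]}},
 {"type":"kubernetes.io/dockercfg","metadata":{"name":"builder-dockercfg-c","uid":"u4"}}]}`

// auditPullSecrets maps each dockercfg secret name to "ok", "stale" or "unowned".
// Assumption: the pull secret's owner is referenced as kind Secret by UID.
func auditPullSecrets(listJSON string) (map[string]string, error) {
	var list struct{ Items []secret }
	if err := json.Unmarshal([]byte(listJSON), &list); err != nil {
		return nil, err
	}
	live := map[string]bool{} // UID -> true only for token secrets that still exist
	for _, s := range list.Items {
		live[s.Metadata.UID] = s.Type == "kubernetes.io/service-account-token"
	}
	out := map[string]string{}
	for _, s := range list.Items {
		status := "unowned"
		for _, o := range s.Metadata.OwnerReferences {
			if o.Kind == "Secret" && live[o.UID] {
				status = "ok"
			} else if o.Kind == "Secret" && status != "ok" {
				status = "stale"
			}
		}
		if s.Type == "kubernetes.io/dockercfg" {
			out[s.Metadata.Name] = status
		}
	}
	return out, nil
}

func main() { fmt.Println(auditPullSecrets(sampleList)) }
```

Anything reported as `stale` or `unowned` is a registry credential that would outlive its token and is a candidate for manual cleanup.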