Bug 1800320

Summary: Adding a default pull secret using the UI doesn't link it with the "default" service account [openshift-4.3]
Product: OpenShift Container Platform Reporter: bpeterse
Component: Management ConsoleAssignee: Jakub Hadvig <jhadvig>
Status: CLOSED ERRATA QA Contact: XiaochuanWang <xiaocwan>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 4.2.zCC: aos-bugs, bpeterse, jhadvig, jokerman, sgarciam, xiaocwan, yapei
Target Milestone: ---   
Target Release: 4.3.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1795144 Environment:
Last Closed: 2020-03-10 23:53:27 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1795144    
Bug Blocks:    

Description bpeterse 2020-02-06 21:03:26 UTC 
+++ This bug was initially created as a clone of Bug #1795144 +++

Description of problem:
Adding a default pull secret for a namespace using the UI doesn't link it with the "default" service account for pulling images.

Version-Release number of selected component (if applicable):
4.2.2

How reproducible:
Always

Steps to Reproduce:
1. Create a namespace using the UI
2. Add to it a default pull secret using https://console-openshift-console.apps.<cluster>.<subdomain>/k8s/cluster/namespaces/<namespace>
3. Deploy an image which requires the pull secret

Actual results:
It fails

Expected results:
The pull secret should be used for pulling as the text in the UI writes clearly: "Specify default credentials to be used to authenticate and download containers within this namespace. These credentials will be the default unless a pod references a specific pull secret."

--- Additional comment from Sergio G. on 2020-01-27 09:26:22 UTC ---

Version-Release in the description is wrong.

I've confirmed this bug in 4.2.14.

--- Additional comment from Jakub Hadvig on 2020-01-28 12:53:08 UTC ---

Was trying to reproduce this issue on both 4.4. and 4.2 cluster but without any luck.
After I added the "Default Pull Secret"to the namespace I was able to find and also
deploy the private image without any issues.

--- Additional comment from Sergio G. on 2020-01-28 13:45:20 UTC ---

Can you confirm if the secret is shown in "oc describe sa default" as used for pulling images?

It wasn't there for me until I linked it manually.

--- Additional comment from XiaochuanWang on 2020-02-04 03:39:53 UTC ---

Tested on 4.4.0-0.nightly-2020-02-02-225006

After Project created, sa "default" is as below:
$ oc describe sa default
Name:                default
Namespace:           xiaocwan-s
Labels:              <none>
Annotations:         <none>
Image pull secrets:  default-dockercfg-4vsq7
Mountable secrets:   default-token-9lkgk
                     default-dockercfg-4vsq7
Tokens:              default-token-4jrd8
                     default-token-9lkgk
Events:              <none>

Image app using Deployment by "default-token-9lkgk" is failed.
Image app using DC by "default-dockercfg-4vsq7" could succeed.

As per my understanding, It needs a message such as the description "Expected results:" said.
Does image app must use the correct secret (which is "Image pull secrets") from SA "default"? Is that another bug?
Please notice the Target Release is still `--`

--- Additional comment from Jakub Hadvig on 2020-02-04 15:32:16 UTC ---

Was able to reproduce the issue and about to sent fix.

--- Additional comment from Yadan Pei on 2020-02-06 09:42:08 UTC ---

1. Add a default pull secret to namespace by following steps
Administration -> Namespaces -> yapei-1 -> click edit icon in Default Pull Secret -> add credentials used to pull private image from dockerhub, create

2. A secret 'yapei-dp' is created in namespace
$ oc get secret
NAME                            TYPE                                  DATA   AGE
yapei-dp                        kubernetes.io/dockerconfigjson        1      6m9s

3. Check sa/default, the added pull secret is not linked to sa/default
$ oc describe sa default 
Name:                default
Namespace:           yapei-1
Labels:              <none>
Annotations:         <none>
Image pull secrets:  default-dockercfg-wfs66
Mountable secrets:   default-token-p5kvs
                     default-dockercfg-wfs66
Tokens:              default-token-dpvbt
                     default-token-p5kvs
Events:              <none>

4. Deploy a DeploymentConfig from private image, the image can be searched in Deploy Image catalog and DC is created successfully, but pods can't be running
$ oc get pods
NAME                           READY   STATUS             RESTARTS   AGE
wordpress-1-deploy             1/1     Running            0          7m37s
wordpress-1-kh4m8              0/1     ImagePullBackOff   0          7m28s

$ oc describe pod wordpress-1-kh4m8
.....
Events:
  Type     Reason     Age                   From                                                Message
  ----     ------     ----                  ----                                                -------
  Normal   Scheduled  <unknown>             default-scheduler                                   Successfully assigned yapei-1/wordpress-1-kh4m8 to ip-10-0-134-11.us-east-2.compute.internal
  Warning  Failed     6m53s (x6 over 8m7s)  kubelet, ip-10-0-134-11.us-east-2.compute.internal  Error: ImagePullBackOff
  Normal   Pulling    6m40s (x4 over 8m8s)  kubelet, ip-10-0-134-11.us-east-2.compute.internal  Pulling image "yapei/wordpress@sha256:92f7a99d237efd588d8e4ddc11e938049ce38816084e35a31a42e8c3cd98a940"
  Warning  Failed     6m39s (x4 over 8m7s)  kubelet, ip-10-0-134-11.us-east-2.compute.internal  Failed to pull image "yapei/wordpress@sha256:92f7a99d237efd588d8e4ddc11e938049ce38816084e35a31a42e8c3cd98a940": rpc error: code = Unknown desc = Error reading manifest sha256:92f7a99d237efd588d8e4ddc11e938049ce38816084e35a31a42e8c3cd98a940 in docker.io/yapei/wordpress: errors:
denied: requested access to the resource is denied
unauthorized: authentication required
  Warning  Failed   6m39s (x4 over 8m7s)  kubelet, ip-10-0-134-11.us-east-2.compute.internal  Error: ErrImagePull
  Normal   BackOff  3m5s (x21 over 8m7s)  kubelet, ip-10-0-134-11.us-east-2.compute.internal  Back-off pulling image "yapei/wordpress@sha256:92f7a99d237efd588d8e4ddc11e938049ce38816084e35a31a42e8c3cd98a940"

This issue is reproduced on 4.4.0-0.nightly-2020-02-05-220946
Comment 3 XiaochuanWang 2020-02-28 05:59:24 UTC 
Verified on 4.3.0-0.nightly-2020-02-27-225047

After created and added a secret "imagepullsec" to default SA:
xiaocwan ~$ oc describe sa default
Name:                default
Namespace:           xiaocwan-t
Labels:              <none>
Annotations:         <none>
Image pull secrets:  default-dockercfg-ndk5x
                     imagepullsec
Mountable secrets:   default-token-w2c2m
                     default-dockercfg-ndk5x
Tokens:              default-token-js2m6
                     default-token-w2c2m
Events:              <none>

Then deploy image by DC (or Deployment), it'll use "Image pull secrets" correctly for pods and containers
spec:
  restartPolicy: Always
  serviceAccountName: default
  imagePullSecrets:
    - name: default-dockercfg-ndk5x
    - name: imagepullsec
Comment 5 errata-xmlrpc 2020-03-10 23:53:27 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0676