Bug 1883803

Summary: node pull secret feature is not working as expected
Product: OpenShift Container Platform Reporter: Sahil thakare <sthakare>
Component: BuildAssignee: Adam Kaplan <adam.kaplan>
Status: CLOSED ERRATA QA Contact: wewang <wewang>
Severity: low Docs Contact: Rolfe Dlugy-Hegwer <rdlugyhe>
Priority: medium    
Version: 4.5CC: adam.kaplan, amdas, aos-bugs, apjagtap, dcaldwel, marcus.neumann.u443666, rdlugyhe, rheinzma, wzheng
Target Milestone: ---   
Target Release: 4.7.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
* Previously, the node pull secret feature did not work: Node pull secrets were not used if `forcePull: true` was set in the Source and Docker strategy builds. As a result, builds failed to pull images that required the cluster-wide pull secret. The current release fixes this issue. Now node pull secrets are always merged with user-provided pull secrets. As a result, builds can pull images when `forcePull: true` is set and the source registry requires the cluster-wide pull secret. (link:https://bugzilla.redhat.com/show_bug.cgi?id=1883803[*BZ#1883803*])
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-24 15:21:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Sahil thakare 2020-09-30 09:40:27 UTC 
Description of problem:

As per the official documentation,

Builds and imagestream imports will automatically use the pull secret used to install the cluster if a pull secret is not explicitly set. Developers do not need to copy this pull secret into their namespace." [1]

[1] https://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html#ocp-4-5-node-pull-secrets

We've configured a node pull credential and for 'oc import-image' it works as expected, but if we're using Images from redhat.registry.io we got "unauthorized" message.


Below are the test results:


~~~~~~~~~~~~~~~~~~~~~~~~~~~
[quicklab@upi-0 ~]$ oc version 
Client Version: 4.5.7
Server Version: 4.5.7
~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~
[quicklab@upi-0 ~]$ oc new-project test 
~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~
quicklab@upi-0 ~]$ oc get all
NAME                  READY   STATUS    RESTARTS   AGE
pod/testing-1-build   1/1     Running   0          33s

NAME                                     TYPE     FROM         LATEST
buildconfig.build.openshift.io/testing   Docker   Dockerfile   1

NAME                                 TYPE     FROM         STATUS    STARTED          DURATION
build.build.openshift.io/testing-1   Docker   Dockerfile   Running   33 seconds ago   

NAME                                     IMAGE REPOSITORY                                                TAGS   UPDATED
imagestream.image.openshift.io/testing   image-registry.openshift-image-registry.svc:5000/test/testing          
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
quicklab@upi-0 ~]$ oc get events
LAST SEEN   TYPE     REASON           OBJECT                MESSAGE
<unknown>   Normal   Scheduled        pod/testing-1-build   Successfully assigned test/testing-1-build to worker-0.sthakarenewocp4.lab.upshift.rdu2.redhat.com
18s         Normal   AddedInterface   pod/testing-1-build   Add eth0 [10.X.X.X]
17s         Normal   Pulling          pod/testing-1-build   Pulling image "quay.io/openshift-release-dev/ocp-v4.0-art-      
---------------snip-----------------------------

13m            Normal   Created          pod/testing-1-build   Created container docker-build
13m         Normal   Started          pod/testing-1-build   Started container docker-build
13m         Normal   BuildStarted     build/testing-1       Build test/testing-1 is now running
10m         Normal   BuildFailed      build/testing-1       Build test/testing-1 failed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
quicklab@upi-0 ~]$ oc get all
NAME                  READY   STATUS   RESTARTS   AGE
pod/testing-1-build   0/1     Error    0          13m

NAME                                     TYPE     FROM         LATEST
buildconfig.build.openshift.io/testing   Docker   Dockerfile   1

NAME                                 TYPE     FROM         STATUS                       STARTED          DURATION
build.build.openshift.io/testing-1   Docker   Dockerfile   Failed (DockerBuildFailed)   13 minutes ago   3m9s

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~
[quicklab@upi-0 ~]$ oc logs pod/testing-1-build
Caching blobs under "/var/cache/blobs".

Pulling image registry.redhat.io/ubi8/nodejs-12:latest ...
Getting image source signatures
---------snip------------------------------
Storing signatures
STEP 1: FROM registry.redhat.io/ubi8/nodejs-12:latest
error: build error: error creating build container: Error initializing source docker://registry.redhat.io/ubi8/nodejs-12:latest: unable to retrieve auth token: invalid username/password: unauthorized: Please login to the Red Hat Registry using your Customer Portal credentials. Further instructions can be found here: https://access.redhat.com/RegistryAuthentication
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Version-Release number of selected component (if applicable):
4.5.x

How reproducible:

1. Try creating new-application without using pullsecrets in the new-projects.

Steps to Reproduce:
1. create new project 
2. Try to deploy new application
3. Application fails due to authentication issue with registry.redhat.com

Actual results:

Application fails due to authentication issue with registry.redhat.com if manual pullsecret is not created.

Expected results:

Application should use node pull secret as per new-feature mentioned in documentation.

Additional info:

https://access.redhat.com/solutions/5231531
Comment 1 Oleg Bulatov 2020-09-30 11:11:39 UTC 
The build pod cannot access registry.redhat.io. Moving to Build.
Comment 5 Adam Kaplan 2020-10-01 16:09:46 UTC 
Root cause:

Docker strategy options in the test build has the `forcePull: true` option. When forcePull: true is set, two pull actions happen:

1. An initial pull when builds detect that the base image is not present in buildah's image cache. This is always the case because at present builds do not have a caching mechanism. The initial pull has the node credentials merged in.
2. A secondary pull initiated by buildah. We are not including the node credentials here.

Removing `forcePull: true` can work around the issue.
Comment 7 Marcus 2020-10-07 14:09:08 UTC 
THX! I can confirm, removing forcePull works as workaround.
Comment 9 wewang 2020-10-26 04:10:02 UTC 
Verified in version:
4.7.0-0.nightly-2020-10-24-155529

Steps:
[wewang@wangwen work]$ oc logs -f build/test-1
Receiving source from STDIN as file Dockerfile
Caching blobs under "/var/cache/blobs".

Pulling image registry.redhat.io/ubi8/nodejs-12:latest ...
Getting image source signatures
Copying blob sha256:35ad9b4fba1fa6b00a6f266303348dc0cf9a7c341616e800c2738030c0f64167
Copying blob sha256:da1cc572023a942fff15d59aefa5abbb59d2c24a03966db8074ef8f9bab277d4
Copying blob sha256:ec1681b6a383e4ecedbeddd5abc596f3de835aed6db39a735f62395c8edbff30
Copying blob sha256:5e2ae0c76e83847010202c40d0c7ebac953a6c7871efdea7602b41507b3d11f5
Copying blob sha256:c4d668e229cd131e0a8e4f8218dca628d9cf9697572875e355fe4b247b6aa9f0
Copying config sha256:8a961c0b3cbcc653bf39713aaf79a36d9921618e2a39fd7e5057cf70c203cf87
Writing manifest to image destination
Storing signatures
STEP 1: FROM registry.redhat.io/ubi8/nodejs-12:latest
STEP 2: RUN echo "hello world"
hello world
Comment 14 Adam Kaplan 2020-11-13 14:27:43 UTC 
*** Bug 1897577 has been marked as a duplicate of this bug. ***
Comment 19 errata-xmlrpc 2021-02-24 15:21:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633