Bug 1919359

Summary: need better debug for bad pull secrets
Product: OpenShift Container Platform Reporter: Gabe Montero <gmontero>
Component: Build Assignee: Gabe Montero <gmontero>
Status: CLOSED ERRATA QA Contact: XiuJuan Wang <xiuwang>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 4.6.z CC: adam.kaplan, aos-bugs, xiuwang
Target Milestone: ---   
Target Release: 4.6.z   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: Errors around an invalid build pull secret, where the auth key is not base64 encoded, were not propagated through the build stack.
Consequence: Determining the root cause of such build errors was difficult.
Fix: Changes were made so that errors like invalid key encoding with build pull secrets are propagated through the build stack.
Result: Determining the root cause of invalid build pull secret keys is now easier for the user.
Story Points: ---
Clone Of: 1918879 Environment:
Last Closed: 2021-02-22 13:54:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1918879    
Bug Blocks:    

Description Gabe Montero 2021-01-22 16:21:51 UTC
+++ This bug was initially created as a clone of Bug #1918879 +++

See https://github.com/openshift/builder/pull/200#issue-551795953

--- Additional comment from Gabe Montero on 2021-01-22 16:08:14 UTC ---

For testing this, XiuJuan, import a pull secret and then edit it so you corrupt/break the encoded value associated with the .dockerconfigjson key so we cannot json unmarshal it

the log

log.V(0).Infof("error trying to parse file %s: %s", filePath, err.Error())

should show up in the build log

and the error 

 fmt.Errorf("%s; also, error processing dockerconfigjson: %s", err.Error(), dockerConfigCredsErr.Error())

should be propagated up and ultimately visible from the log 

the bonus scenario is to do this with a build pull secret, but the registry handled by that pull secret can also be handled by the node credentials (I *think* registry.redhat.io is such a registry).

you should see the log log.V(0).Infof("error trying to parse file %s: %s", filePath, err.Error()) still, but presumably the build could still work since the pull is authenticated via the node credentials instead of the supplied pull secret

Comment 1 Gabe Montero 2021-01-22 16:27:40 UTC
4.6 PR https://github.com/openshift/builder/pull/210 is waiting QE verification on https://github.com/openshift/builder/pull/200

Comment 2 XiuJuan Wang 2021-02-08 07:54:15 UTC
Tested on a cluster built from PR openshift/builder#210, version '4.6.0-0.ci.test-2021-02-08-034130-ci-ln-6w1gdyt'

Could see the error from build logs with invalid pullsecret.
"error trying to parse file /var/run/secrets/openshift.io/pull/.dockerconfigjson: illegal base64 data at input byte 3"

Comment 7 errata-xmlrpc 2021-02-22 13:54:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6.18 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
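
A pre-flight check for the failure mode this bug covers, as an added example (not code from openshift/builder and not part of the bug thread): it parses a .dockerconfigjson payload and reports which registry entry has an auth value that is not valid base64, producing the same decoder message quoted in Comment 2. The CheckPullSecret name, the registry hostnames and the sample secret are constructed for illustration, and it assumes each entry keeps its credential in the auth field.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// dockerConfigJSON mirrors the layout of a .dockerconfigjson payload (auth field only).
type dockerConfigJSON struct {
	Auths map[string]struct {
		Auth string `json:"auth"`
	} `json:"auths"`
}

// CheckPullSecret (hypothetical helper) returns one error per unusable registry entry.
// The base64 error reports only a byte offset, so the auth value is not echoed.
func CheckPullSecret(data []byte) []error {
	var cfg dockerConfigJSON
	if err := json.Unmarshal(data, &cfg); err != nil {
		return []error{fmt.Errorf("not valid JSON: %w", err)}
	}
	if len(cfg.Auths) == 0 {
		return []error{fmt.Errorf(`no "auths" entries found`)}
	}
	var errs []error
	for host, entry := range cfg.Auths {
		raw, err := base64.StdEncoding.DecodeString(entry.Auth)
		switch {
		case err != nil:
			errs = append(errs, fmt.Errorf("%s: auth is not base64: %w", host, err))
		case !strings.Contains(string(raw), ":"):
			errs = append(errs, fmt.Errorf("%s: decoded auth is not user:password", host))
		}
	}
	return errs
}

// Constructed sample: the second entry has '!' at byte 3 of its auth value.
const sample = `{"auths":{
 "good.example.com":{"auth":"dXNlcjpwYXNz"},
 "bad.example.com":{"auth":"dXN!cjpwYXNz"}}}`

func main() {
	for _, err := range CheckPullSecret([]byte(sample)) {
		fmt.Println(err)
	}
}
```

Running the check on the secret's decoded .dockerconfigjson value before creating or editing the secret surfaces the bad entry by registry name instead of waiting for a build to fail.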