Bug 1971332
| Summary: | oc new-build command does not pick automatic source clone secret in OpenShift 4.7 | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Vinu K <vkochuku> |
| Component: | Build | Assignee: | Gabe Montero <gmontero> |
| Status: | CLOSED ERRATA | QA Contact: | Jitendar Singh <jitsingh> |
| Severity: | medium | Docs Contact: | Rolfe Dlugy-Hegwer <rdlugyhe> |
| Priority: | unspecified | ||
| Version: | 4.7 | CC: | adam.kaplan, aos-bugs, gmontero, jokerman, mfojtik |
| Target Milestone: | --- | ||
| Target Release: | 4.9.0 | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | * In {product-title} and later, the fix for bug link:https://bugzilla.redhat.com/show_bug.cgi?id=1884270[BZ#1884270] incorrectly pruned SSH protocol URLs in an attempt to provide SCP-styled URL capabilities. This error caused the `oc new-build` command not to pick automatic source clone secret: the build could not use the `build.openshift.io/source-secret-match-uri-1` annotation to map SSH keys with the associated secrets, and therefore could not perform git cloning. This update reverts the changes from BZ#1884270 so that builds can use the annotation and perform git cloning. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-10-18 17:33:48 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | TargetNamespace |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1992639 | ||
Sending this over to build team who owns that bit of oc code.

VERIFIED
===============
✘ jsingh@fugaku ~/.ssh ls
id_ecdsa id_ecdsa.pub id_ed25519 id_ed25519.pub id_rsa id_rsa.pub known_hosts known_hosts.old
✘ jsingh@fugaku ~/.ssh oc create secret generic foo --from-file=id=ssh-key --type=kubernetes.io/ssh-auth
✘ jsingh@fugaku ~/.ssh oc create secret generic foo --from-file=ssh-privatekey=id_ed25519 --type=kubernetes.io/ssh-auth
secret/foo created
jsingh@fugaku ~/.ssh oc secret link builder foo
✘ jsingh@fugaku ~/.ssh oc annotate secret foo "build.openshift.io/source-secret-match-uri-1=ssh://github.com:22/jitendar-singh/*"
secret/foo annotated
jsingh@fugaku ~/.ssh oc new-build ruby~ssh://git:22/jitendar-singh/repo.git --name=foo
--> Found image 76ff7f7 (6 days old) in image stream "openshift/ruby" under tag "2.7-ubi8" for "ruby"
Ruby 2.7
--------
Ruby 2.7 available as container is a base platform for building and running various Ruby 2.7 applications and frameworks. Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks (as in Perl). It is simple, straight-forward, and extensible.
Tags: builder, ruby, ruby27, ruby-27
* A source build using source code from ssh://git:22/jitendar-singh/repo.git will be created
* The resulting image will be pushed to image stream tag "foo:latest"
* Use 'oc start-build' to trigger a new build
--> Creating resources with label build=foo ...
imagestream.image.openshift.io "foo" created
buildconfig.build.openshift.io "foo" created
--> Success
jsingh@fugaku ~/.ssh oc logs bc/foo --follow
Cloning "ssh://git:22/jitendar-singh/repo.git" ...
Commit: 56eb276f78b90488781417874fdd044ddda1e67e (first commit)
Author: jsingh <jitsingh>
Date: Wed Aug 11 11:38:05 2021 +0530
Caching blobs under "/var/cache/blobs".
Getting image source signatures
Writing manifest to image destination
Storing signatures
Generating dockerfile with builder image image-registry.openshift-image-registry.svc:5000/openshift/ruby@sha256:7eb161302275c7c895ba89d155548728e63dd7a1157015d60bc915b53347a29b
STEP 1: FROM image-registry.openshift-image-registry.svc:5000/openshift/ruby@sha256:7eb161302275c7c895ba89d155548728e63dd7a1157015d60bc915b53347a29b
STEP 2: LABEL "io.openshift.build.commit.message"="first commit" "io.openshift.build.source-location"="ssh://git:22/jitendar-singh/repo.git" "io.openshift.build.image"="image-registry.openshift-image-registry.svc:5000/openshift/ruby@sha256:7eb161302275c7c895ba89d155548728e63dd7a1157015d60bc915b53347a29b" "io.openshift.build.commit.author"="jsingh <jitsingh>" "io.openshift.build.commit.date"="Wed Aug 11 11:38:05 2021 +0530" "io.openshift.build.commit.id"="56eb276f78b90488781417874fdd044ddda1e67e" "io.openshift.build.commit.ref"="main"
STEP 3: ENV OPENSHIFT_BUILD_NAME="foo-1" OPENSHIFT_BUILD_NAMESPACE="foo" OPENSHIFT_BUILD_SOURCE="ssh://git:22/jitendar-singh/repo.git" OPENSHIFT_BUILD_COMMIT="56eb276f78b90488781417874fdd044ddda1e67e"
STEP 4: USER root
STEP 5: COPY upload/src /tmp/src
STEP 6: RUN chown -R 1001:0 /tmp/src
time="2021-08-11T06:22:10Z" level=warning msg="Path \"/run/secrets/etc-pki-entitlement\" from \"/etc/containers/mounts.conf\" doesn't exist, skipping"
time="2021-08-11T06:22:10Z" level=warning msg="Path \"/run/secrets/redhat.repo\" from \"/etc/containers/mounts.conf\" doesn't exist, skipping"
STEP 7: USER 1001
STEP 8: RUN /usr/libexec/s2i/assemble
time="2021-08-11T06:22:11Z" level=warning msg="Path \"/run/secrets/etc-pki-entitlement\" from \"/etc/containers/mounts.conf\" doesn't exist, skipping"
time="2021-08-11T06:22:11Z" level=warning msg="Path \"/run/secrets/redhat.repo\" from \"/etc/containers/mounts.conf\" doesn't exist, skipping"
---> Installing application source ...
---> Building your Ruby application from source ...
WARNING: Rubygem Rack is not installed in the present image.
Add rack to your Gemfile in order to start the web server.
STEP 9: CMD /usr/libexec/s2i/run
STEP 10: COMMIT temp.builder.openshift.io/foo/foo-1:0e03ab97
Getting image source signatures
Writing manifest to image destination
Storing signatures
--> 2b6e5871802
2b6e5871802acb323b0e9f1ef54817adaf6988b4e2921159e11a9470f6bb518e
Getting image source signatures
Pushing image image-registry.openshift-image-registry.svc:5000/foo/foo:latest ...
Writing manifest to image destination
Storing signatures
Successfully pushed image-registry.openshift-image-registry.svc:5000/foo/foo@sha256:559924d185bf36e2a7a32d8f955e1d7d146c3a80304c7f9a7a920db96683e04c
Push successful
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2021:3759
Description of problem:
With 4.7 oc binary, build created using 'oc new-build' command does not contain .spec.source.sourceSecret.name field after adding the automatic source clone secret. It works fine with OCP 4.6.

Version-Release number of selected component (if applicable):
4.7

How reproducible:
Easy

Steps to Reproduce:
1. Try using 4.6 oc binary
export OC="$HOME/oc46/oc"
# export OC="$HOME/oc47/oc"
${OC} new-project foo
${OC} version
${OC} create secret generic foo --from-file=ssh-privatekey=ssh-key --type=kubernetes.io/ssh-auth
${OC} secret link builder foo
${OC} annotate secret foo "build.openshift.io/source-secret-match-uri-1=ssh://github.com:22/user/*"
${OC} new-build ruby~ssh://git:22/user/repo.git --name=foo
${OC} logs bc/foo --follow
${OC} delete project foo

2. Try using 4.7 oc binary
# export OC="$HOME/oc46/oc"
export OC="$HOME/oc47/oc"
${OC} new-project foo
${OC} version
${OC} create secret generic foo --from-file=ssh-privatekey=ssh-key --type=kubernetes.io/ssh-auth
${OC} secret link builder foo
${OC} annotate secret foo "build.openshift.io/source-secret-match-uri-1=ssh://github.com:22/user/*"
${OC} new-build ruby~ssh://git:22/user/repo.git --name=foo
${OC} logs bc/foo --follow
${OC} delete project foo

Actual results:
4.6 oc binary works fine and 4.7 fails with "error: Host key verification failed".

Expected results:
It should work with oc 4.7 as well.

Additional info:
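
The symptom reported above is a BuildConfig that lacks `.spec.source.sourceSecret.name` even though a linked secret's `source-secret-match-uri` annotation covers its git URI. The Go check below is an added example, not code from oc or from this report, that flags such BuildConfigs. Its matcher is a simplified stand-in for oc's, and `git.example.com`, the object names and the helper names are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Annotation is one build.openshift.io/source-secret-match-uri-N value on a secret.
type Annotation struct{ Secret, Pattern string }

// BuildConfig keeps only the fields this check reads.
type BuildConfig struct{ Name, GitURI, SourceSecret string }

// matchURI: simplified glob match (assumption, not oc's algorithm); "*" stops at "/".
func matchURI(pattern, gitURI string) bool {
	p := strings.SplitN(pattern, "://", 2)
	u, err := url.Parse(gitURI)
	if len(p) != 2 || err != nil || (p[0] != "*" && p[0] != u.Scheme) {
		return false
	}
	hp := append(strings.SplitN(p[1], "/", 2), "") // hp[1] is "" when no path
	hostOK, _ := path.Match(hp[0], u.Host)         // u.Host includes the port
	pathOK, _ := path.Match("/"+hp[1], u.Path)
	return hostOK && pathOK
}

// missingSecret lists BuildConfigs that match an annotation but name no sourceSecret.
func missingSecret(bcs []BuildConfig, anns []Annotation) []string {
	var out []string
	for _, bc := range bcs {
		for _, a := range anns {
			if bc.SourceSecret == "" && matchURI(a.Pattern, bc.GitURI) {
				out = append(out, bc.Name+" -> "+a.Secret)
			}
		}
	}
	return out
}

func main() {
	// Constructed sample data: host, user and object names are placeholders.
	anns := []Annotation{{"foo", "ssh://git.example.com:22/user/*"}}
	bcs := []BuildConfig{
		{"with-secret", "ssh://git@git.example.com:22/user/repo.git", "foo"},
		{"without-secret", "ssh://git@git.example.com:22/user/repo.git", ""},
	}
	fmt.Println(missingSecret(bcs, anns)) // [without-secret -> foo]
}
```

Each entry in the result names a BuildConfig that will attempt its clone without the SSH key the annotation was meant to attach.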