Description of problem: Deployment hook pull image will fail with old dockercfg scheme: {"https://index.docker.io/v1/":{"username":"wjiang","password":"kkkkkkkk","email":"wjiang","auth":"xxxxxxxx"}} But succeed with new dockercfg scheme: { "auths": { "https://index.docker.io/v1/": { "auth": "uuuuuuuuu", "email": "wjiang" } } } Version-Release number of selected component (if applicable): devenv_rhel7_2638 How reproducible: Always Steps to Reproduce: 1. Create template app via https://raw.githubusercontent.com/openshift/origin/master/examples/sample-app/application-template-stibuild.json 2.Generate a secret via `oc secrets new-dockercfg` oc secrets new-dockercfg docker --docker-username=wjiang --docker-password=qqqqqqq --docker-email=wjiang 3.Modify the deploymentConfig frontend to use dockerhub private repo with both ImagePullSecrets and hooks strategy: resources: {} rollingParams: intervalSeconds: 1 maxSurge: 25% maxUnavailable: 25% post: execNewPod: command: - /bin/false containerName: ruby-helloworld env: - name: CUSTOM_VAR2 value: custom_value2 failurePolicy: Ignore pre: execNewPod: command: - /bin/true containerName: ruby-helloworld env: - name: CUSTOM_VAR1 value: custom_value1 failurePolicy: Abort timeoutSeconds: 120 updatePeriodSeconds: 1 type: Rolling ................................................. image: wjiang/origin-ruby-sample imagePullPolicy: Always name: ruby-helloworld ports: - containerPort: 8080 protocol: TCP resources: {} securityContext: capabilities: {} privileged: false terminationMessagePath: /dev/termination-log dnsPolicy: ClusterFirst imagePullSecrets: - name: hubwjiang restartPolicy: Always triggers: - type: ConfigChange 4. Try to deploy frontend if not trigger automatically 5. Replace old dockercfg scheme with new 6. Repeat step 4 Actual results: 4. Pull private image failed 6. Pull private image succeeded Expected results: 4. Pull private image succeeded Additional info:
I've proven that the kubelet respects imagePullSecrets specified on the pod in both the old and the new format using: https://gist.github.com/deads2k/919cafb99e1dffcac95e . It relies on https://github.com/openshift/origin/pull/5744 to have a sane way to create the secret. I'm still in the process of completing the entire deployment hook process.
I had to get the latest deployer image to pick up https://github.com/openshift/origin/pull/5688, but this works for me. Can you confirm you are using the latest images? If so, please provide an `oc export` of your secrets, deployment configs, and pods.
Also, you can see a helper command (not merge for 3.1) and my test case here: https://github.com/openshift/origin/pull/5744
(In reply to David Eads from comment #2) > I had to get the latest deployer image to pick up > https://github.com/openshift/origin/pull/5688, but this works for me. > > Can you confirm you are using the latest images? If so, please provide an > `oc export` of your secrets, deployment configs, and pods. Rechecked with devenv-rhel7_2643, and after modify the imageConfig.latest to true of node-config file, finally work as expected. imageConfig: format: openshift/origin-${component}:${version} latest: true
Confirmed with devenv-rhel7_2672, the issue fixed.