Bug 1278294 - Deployment hook is not compatible with ImagePullSecrets which is in old dockercfg scheme
Deployment hook is not compatible with ImagePullSecrets which is in old docke...
Status: CLOSED CURRENTRELEASE
Product: OpenShift Origin
Classification: Red Hat
Component: Deployments (Show other bugs)
3.x
Unspecified Unspecified
medium Severity medium
: ---
: ---
Assigned To: David Eads
zhou ying
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-11-05 03:08 EST by weiwei jiang
Modified: 2016-10-30 18:54 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-23 16:18:32 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description weiwei jiang 2015-11-05 03:08:19 EST
Description of problem:
Deployment hook pull image will fail with old dockercfg scheme:
{"https://index.docker.io/v1/":{"username":"wjiang","password":"kkkkkkkk","email":"wjiang@redhat.com","auth":"xxxxxxxx"}}
But succeed with new dockercfg scheme:
{
        "auths": {
                "https://index.docker.io/v1/": {
                        "auth": "uuuuuuuuu",
                        "email": "wjiang@redhat.com"
                }
        }
}

Version-Release number of selected component (if applicable):
devenv_rhel7_2638

How reproducible:
Always

Steps to Reproduce:
1. Create template app via https://raw.githubusercontent.com/openshift/origin/master/examples/sample-app/application-template-stibuild.json
2.Generate a secret via `oc secrets new-dockercfg`
oc secrets new-dockercfg docker --docker-username=wjiang --docker-password=qqqqqqq --docker-email=wjiang@redhat.com
3.Modify the deploymentConfig frontend to use dockerhub private repo  with both ImagePullSecrets and hooks
strategy:
    resources: {}
    rollingParams:
      intervalSeconds: 1
      maxSurge: 25%
      maxUnavailable: 25%
      post:
        execNewPod:
          command:
          - /bin/false
          containerName: ruby-helloworld
          env:
          - name: CUSTOM_VAR2
            value: custom_value2
        failurePolicy: Ignore
      pre:
        execNewPod:
          command:
          - /bin/true
          containerName: ruby-helloworld
          env:
          - name: CUSTOM_VAR1
            value: custom_value1
        failurePolicy: Abort
      timeoutSeconds: 120
      updatePeriodSeconds: 1
    type: Rolling
.................................................
        image: wjiang/origin-ruby-sample
        imagePullPolicy: Always
        name: ruby-helloworld
        ports:
        - containerPort: 8080
          protocol: TCP
        resources: {}
        securityContext:
          capabilities: {}
          privileged: false
        terminationMessagePath: /dev/termination-log
      dnsPolicy: ClusterFirst
      imagePullSecrets:
      - name: hubwjiang
      restartPolicy: Always
  triggers:
  - type: ConfigChange
4. Try to deploy frontend if not trigger automatically
5. Replace old dockercfg scheme with new
6. Repeat step 4

Actual results:
4. Pull private image failed
6. Pull private image succeeded

Expected results:
4. Pull private image succeeded

Additional info:
Comment 1 David Eads 2015-11-05 14:24:27 EST
I've proven that the kubelet respects imagePullSecrets specified on the pod in both the old and the new format using:   https://gist.github.com/deads2k/919cafb99e1dffcac95e  .  It relies on https://github.com/openshift/origin/pull/5744 to have a sane way to create the secret.

I'm still in the process of completing the entire deployment hook process.
Comment 2 David Eads 2015-11-05 15:17:08 EST
I had to get the latest deployer image to pick up https://github.com/openshift/origin/pull/5688, but this works for me.

Can you confirm you are using the latest images?  If so, please provide an `oc export` of your secrets, deployment configs, and pods.
Comment 3 David Eads 2015-11-05 16:39:52 EST
Also, you can see a helper command (not merge for 3.1) and my test case here: https://github.com/openshift/origin/pull/5744
Comment 4 weiwei jiang 2015-11-06 01:11:21 EST
(In reply to David Eads from comment #2)
> I had to get the latest deployer image to pick up
> https://github.com/openshift/origin/pull/5688, but this works for me.
> 
> Can you confirm you are using the latest images?  If so, please provide an
> `oc export` of your secrets, deployment configs, and pods.

Rechecked with devenv-rhel7_2643, and after modify the imageConfig.latest to true of node-config file, finally work as expected.
imageConfig:
  format: openshift/origin-${component}:${version}
  latest: true
Comment 5 zhou ying 2015-11-11 01:04:33 EST
Confirmed with devenv-rhel7_2672, the issue fixed.

Note You need to log in before you can comment on or make changes to this bug.