Description of problem: When testing compatibility between latest oc and old openshift, oc new-build with "docker" strategy should prompt error when using absolute path for "--build-secret", and should fail to create the bc. But error does not occur and the bc is created. Version-Release number of selected component (if applicable): CLI: oc v3.1.1.904 kubernetes v1.2.0-alpha.7-703-gbc4550d Master: openshift v3.1.1.6 kubernetes v1.1.0-origin-1107-g4c8e6f4 etcd 2.1.2 How reproducible: Always Steps to Reproduce: 1. oc login and create a project 2. Prepare two secrets: $ oc secrets new mysecret <any_local_file> $ oc secrets new mysecret2 <any_local_file> 3. Run oc new-build as follows: $ oc new-build --image=ruby-22-centos7 https://github.com/openshift/ruby-hello-world.git --strategy=docker --build-secret mysecret:/tmp/mysecret --build-secret mysecret2 Actual results: 3. Command succeeds and bc is created. (Though bc is created, `oc get bc ruby-hello-world -o yaml` get null secrets: spec: ... source: ... secrets: null ) Expected results: 3. Command should fail and prompt error: error: BuildConfig "ruby-hello-world" is invalid: spec.source.secrets[0].destinationDir: Invalid value: "/tmp/mysecret": for the docker strategy the destinationDir has to be relative path Additional info: When the master version is the same as oc (i.e. both are v3.1.1.904), the bug disappears, which is as expected.
The absolute path validation happens on the API validation level, so the `oc` does not validate the provided path. Does this mean we should also validate for absolute path in `oc` binary?
Michal, this should be closed upstream as an RFE per the new trello card: https://trello.com/c/NgWdS8qU/860-validate-calls-that-oc-make-to-master-api-to-see-if-the-requested-feature-is-available right?
(In reply to Michal Fojtik from comment #1) > The absolute path validation happens on the API validation level, so the > `oc` does not validate the provided path. Does this mean we should also > validate for absolute path in `oc` binary? I agree about Clayton's opinion https://github.com/openshift/origin/issues/7552#issuecomment-187734239. If absolute path is thought as kind of "selective" check, then better to validate for it in `oc`.
I can add validation to 'oc' for that but it won't fix the problem in 'older' master where the build secrets are not supported ;-) IOW. you will not be able to create build secret with absolute path anymore, but if you provide relative, it will succeed even if the server does not support that feature...
Michal, agree with you. Just need to validate oc. Thank you.
Commit pushed to master at https://github.com/openshift/origin https://github.com/openshift/origin/commit/85b571040d4694e059bf72cbe6d87374a84a0124 Bug 1310616: Validate absolute dir in build secret for docker strategy in oc new-build
Verified against Origin using latest oc vs openshift older than the fix commit. Now step 3 result is: error: unable to add build secrets "mysecret:/tmp/mysecret,mysecret2": for the docker strategy, the secret destination directory "/tmp/mysecret" must be a relative path The bug is fixed. But code is not merged yet to OSE. Will verify against OSE when merged.
s/than the fix commit/than v3.1.1.6
Verified using latest OSE oc version v3.1.1.911 VS old openshift v3.1.1.6.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2016:1064