This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 1476330 - oc secret new-dockercfg generated secret is not compatible with registry.connect.redhat.com [NEEDINFO]
oc secret new-dockercfg generated secret is not compatible with registry.conn...
Status: ASSIGNED
Product: OpenShift Container Platform
Classification: Red Hat
Component: Command Line Interface (Show other bugs)
3.6.0
Unspecified Unspecified
medium Severity medium
: ---
: ---
Assigned To: Juan Vallejo
Xingxing Xia
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-07-28 12:07 EDT by Aaron Weitekamp
Modified: 2017-10-20 14:44 EDT (History)
10 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-07-28 14:10:15 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
bparees: needinfo? (mfojtik)


Attachments (Terms of Use)

  None (edit)
Description Aaron Weitekamp 2017-07-28 12:07:34 EDT
Description of problem:
The dockercfg secret generated by oc secret new-dockercfg does not work against registry.connect.redhat.com

Version-Release number of selected component (if applicable):
oc v3.6.0-alpha.2+3c221d5
kubernetes v1.6.1+5115d708d7
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://127.0.0.1:8443
openshift v3.6.0-alpha.2+3c221d5
kubernetes v1.6.1+5115d708d7

How reproducible:
always


Steps to Reproduce:
1. Create a secret for registry.connect.redhat.com
oc secret new-dockercfg --docker-server=registry.connect.redhat.com --docker-username=developer@example.com --docker-password=******** --docker-email=unused redhat-connect
2. Create secret for SSO
oc secret new-dockercfg --docker-server=sso.redhat.com --docker-username=developer@example.com --docker-password=******** --docker-email=unused redhat-connect-sso
3. Run or import an image


Actual results:
import-image: Internal error occurred: Get https://registry.connect.redhat.com/v2/crunchydata/crunchy-postgres/manifests/latest: unable to decode token response: invalid character '<' looking for beginning of value

oc run: Error from server (BadRequest): container "crunchy" in pod "crunchy-1-79hmd" is waiting to start: trying and failing to pull image

Expected results:
oc new-dockercfg should work against registry.connect.redhat.com

Additional info:

WORKAROUND
$ sudo docker login registry.connect.redhat.com --username aweiteka@redhat.com
Password: *********
Login Succeeded
$ oc secret new redhat-connect .dockerconfigjson=/root/.docker/config.json


There seems to be an issue of format that we're saving with oc secret new-dockercfg:

FAILS (the format generated by oc secret new-dockercfg):
{
		"registry.connect.redhat.com": {
			"auth": "YXdlaXRla2...vb3JlZGhhdA=="
		}
}

SUCCEEDS:
{
	"auths": {
		"registry.connect.redhat.com": {
			"auth": "YXdlaXRla2...vb3JlZGhhdA=="
		}
	}
}
Comment 1 Aaron Weitekamp 2017-07-28 12:12:13 EDT
WORKAROUND (edit): also need to link the secret

$ docker login registry.connect.redhat.com --username developer@example.com
Password: *************
Login Succeeded
$ oc secret new redhat-connect .dockerconfigjson=/root/.docker/config.json
$ oc secrets link default redhat-connect --for=pull
Comment 2 Paul Weil 2017-07-28 14:10:15 EDT

*** This bug has been marked as a duplicate of bug 1476038 ***
Comment 3 Ben Parees 2017-10-10 18:44:49 EDT
this was improperly closed as a duplicate.
Comment 4 Ben Parees 2017-10-10 18:45:37 EDT
Michal this seems like an issue with registry.connect.redhat.com, or the k8s secret generation logic?
Comment 5 Michal Fojtik 2017-10-11 09:47:20 EDT
I think Oleg was looking into this, it is more like the secret format if I remember correctly.
Comment 6 Ben Parees 2017-10-11 10:41:21 EDT
If it's an issue w/ the secret format, why is this not a k8s bug?
Comment 7 Ben Parees 2017-10-12 10:18:26 EDT
This certainly looks like it's the classic issue w/ how k8s generates dockercfg secrets using the old docker format, not the new one.  Moving to CLI team.

(this may need to become an RFE though).
Comment 8 Juan Vallejo 2017-10-13 14:05:56 EDT
Origin PR: https://github.com/openshift/origin/pull/16868
Comment 9 Juan Vallejo 2017-10-13 19:35:56 EDT
Upstream PR: https://github.com/kubernetes/kubernetes/pull/53916
Comment 10 Juan Vallejo 2017-10-20 14:44:51 EDT
Upstream PR has merged. Waiting on Origin PR

Note You need to log in before you can comment on or make changes to this bug.