Bug 1476330 - oc secret new-dockercfg generated secret is not compatible with [NEEDINFO]
oc secret new-dockercfg generated secret is not compatible with registry.conn...
Product: OpenShift Container Platform
Classification: Red Hat
Component: Command Line Interface
Unspecified Unspecified
medium Severity medium
Assigned To: Juan Vallejo
Xingxing Xia
: Reopened
Reported: 2017-07-28 12:07 EDT by Aaron Weitekamp
Modified: 2017-10-20 14:44 EDT
Last Closed: 2017-07-28 14:10:15 EDT
Type: Bug
bparees: needinfo? (mfojtik)
Description Aaron Weitekamp 2017-07-28 12:07:34 EDT
Description of problem:
The dockercfg secret generated by oc secret new-dockercfg does not work against

Version-Release number of selected component (if applicable):
oc v3.6.0-alpha.2+3c221d5
kubernetes v1.6.1+5115d708d7
features: Basic-Auth GSSAPI Kerberos SPNEGO

openshift v3.6.0-alpha.2+3c221d5
kubernetes v1.6.1+5115d708d7

How reproducible:

Steps to Reproduce:
1. Create a secret for
oc secret new-dockercfg --docker-password=******** --docker-email=unused redhat-connect
2. Create secret for SSO
oc secret new-dockercfg --docker-password=******** --docker-email=unused redhat-connect-sso
3. Run or import an image

Actual results:
import-image: Internal error occurred: Get unable to decode token response: invalid character '<' looking for beginning of value

oc run: Error from server (BadRequest): container "crunchy" in pod "crunchy-1-79hmd" is waiting to start: trying and failing to pull image

Expected results:
oc new-dockercfg should work against

Additional info:

$ sudo docker login --username
Password: *********
Login Succeeded
$ oc secret new redhat-connect .dockerconfigjson=/root/.docker/config.json

There seems to be an issue of format that we're saving with oc secret new-dockercfg:

FAILS (the format generated by oc secret new-dockercfg):
		"": {
			"auth": "YXdlaXRla2...vb3JlZGhhdA=="

	"auths": {
		"": {
			"auth": "YXdlaXRla2...vb3JlZGhhdA=="
Comment 1 Aaron Weitekamp 2017-07-28 12:12:13 EDT
WORKAROUND (edit): also need to link the secret

$ docker login --username
Password: *************
Login Succeeded
$ oc secret new redhat-connect .dockerconfigjson=/root/.docker/config.json
$ oc secrets link default redhat-connect --for=pull
Comment 2 Paul Weil 2017-07-28 14:10:15 EDT

*** This bug has been marked as a duplicate of bug 1476038 ***
Comment 3 Ben Parees 2017-10-10 18:44:49 EDT
This was improperly closed as a duplicate.
Comment 4 Ben Parees 2017-10-10 18:45:37 EDT
Michal this seems like an issue with, or the k8s secret generation logic?
Comment 5 Michal Fojtik 2017-10-11 09:47:20 EDT
I think Oleg was looking into this, it is more like the secret format if I remember correctly.
Comment 6 Ben Parees 2017-10-11 10:41:21 EDT
If it's an issue w/ the secret format, why is this not a k8s bug?
Comment 7 Ben Parees 2017-10-12 10:18:26 EDT
This certainly looks like it's the classic issue w/ how k8s generates dockercfg secrets using the old docker format, not the new one.  Moving to CLI team.

(this may need to become an RFE though).
Comment 8 Juan Vallejo 2017-10-13 14:05:56 EDT
Origin PR:
Comment 9 Juan Vallejo 2017-10-13 19:35:56 EDT
Upstream PR:
Comment 10 Juan Vallejo 2017-10-20 14:44:51 EDT
Upstream PR has merged. Waiting on Origin PR
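
The two secret layouts discussed in the description and in comment 7, as an added example that is not part of the bug report and is not oc or Kubernetes code: it tells the legacy dockercfg layout (registry entries at the top level) from the dockerconfigjson layout (entries under "auths"), validates each entry, and builds a kubernetes.io/dockerconfigjson Secret from either. The registry host and credentials are constructed placeholders, and the function names are hypothetical.

```python
import base64
import binascii
import json


def classify(cfg):
    """'dockerconfigjson' when entries sit under "auths", else legacy 'dockercfg'."""
    return "dockerconfigjson" if isinstance(cfg.get("auths"), dict) else "dockercfg"


def check_entry(registry, entry):
    """Reject entries whose "auth" is not base64 of 'user:password'."""
    if not isinstance(entry, dict) or "auth" not in entry:
        raise ValueError(f"{registry!r}: no auth field")
    try:
        decoded = base64.b64decode(entry["auth"], validate=True).decode()
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"{registry!r}: auth is not valid base64") from exc
    if ":" not in decoded:
        raise ValueError(f"{registry!r}: auth does not decode to user:password")


def to_dockerconfigjson(cfg):
    """Return only the registry entries, wrapped under "auths" and validated."""
    entries = cfg["auths"] if classify(cfg) == "dockerconfigjson" else cfg
    for registry, entry in entries.items():
        check_entry(registry, entry)
    return {"auths": dict(entries)}


def secret_manifest(name, cfg):
    """Build a kubernetes.io/dockerconfigjson Secret from either layout."""
    payload = json.dumps(to_dockerconfigjson(cfg)).encode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(payload).decode()},
    }


# Constructed sample: hypothetical registry host and credentials.
AUTH = base64.b64encode(b"someuser:not-a-real-password").decode()
LEGACY = {"registry.example.com": {"auth": AUTH, "email": "unused"}}

if __name__ == "__main__":
    print(classify(LEGACY))
    print(json.dumps(secret_manifest("redhat-connect", LEGACY), indent=2))
```

The manifest embeds the credential in base64 only, so treat the output as sensitive and keep it out of version control and logs.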