Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1563595 - [trello XzkI9of3] Better for 'Deploy Image' page to prompt to delete previous incorrect secret first
Summary: [trello XzkI9of3] Better for 'Deploy Image' page to prompt to delete previous...
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 3.10.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: ---
Assignee: Jakub Hadvig
QA Contact: Yadan Pei
Depends On:
TreeView+ depends on / blocked
Reported: 2018-04-04 09:17 UTC by Xingxing Xia
Modified: 2018-04-16 14:19 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-04-16 14:08:41 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Xingxing Xia 2018-04-04 09:17:49 UTC
Description of problem:
In 'Deploy Image' page, when page tells incorrect secret, it is better to prompt user to delete it first

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create project. Login to web console --> 'Deploy Image'
2. Beneath 'Image Name' input docker.io/starxia/myprivate:hello-openshift (this is a private repo), click 'create an image pull secret', create (and beneath 'Link secret to a service account' link it to sa 'default') secret 'aaa' with password typed wrong, search
3. So user 'try again': create (and beneath 'Link secret to a service account' link to sa 'default') secret 'sss' with right password, search

Actual results:
2. It prompts 'Incorrect username or password for image ...' and
'Check that you have entered the image name correctly or create an image pull secret with your image registry credentials and try again'
3. Still same as step 2, making user doubt if password works

Expected results:
2. It is better to make user's doubt not appear. When page tells incorrect secret, first prompt user to delete the wrong secret 'aaa'. After deletion, search can find the private repo's image with the right secret 'sss'
PS: 'aaa' alphabetically tried prior to 'sss'

Additional info:

Comment 1 Jakub Hadvig 2018-04-05 10:19:18 UTC
So this is a bit weird situation since user can have more then one secrets pointing to the same account and if just one of them has wrong password the search fill fail with RC 401 Unauthorized. Based on that we would have to be able to delete all of the secrets, or try to test them one by one. Not sure if we want to go that way.

I've tested the bug with the https://github.com/openshift/origin-web-console/pull/2464 change and I couldn't reproduce it. So it seems that secrets with `kubernetes.io/dockerconfigjson` type are handled in different way then the the deprecated `kubernetes.io/dockercfg`.

Even case that there already is a secret with wrong pw with the deprecated `kubernetes.io/dockercfg` and user creates a new secret(with the PR change in place) with correct pw the image is successfully found . 

After merging the PR this issue should be fixed.

@spadgett FYI

Comment 2 Jakub Hadvig 2018-04-05 13:48:25 UTC
Fixing PR: https://github.com/openshift/origin-web-console/pull/2464

Now if there is one secret that contains correct password, fetching the image metadata will succeed.

Comment 3 Xingxing Xia 2018-04-10 01:38:47 UTC
Tested in 'OpenShift Web Console: v3.10.0-0.16.0' env which includes above PR, still reproduced issue. Note, when you reproduce, ensure the wrong secret name is alphabetically prior to the correct secret such that the wrong one is first hit, e.g. wrong secret name is 'aaa' and correct secret name is 'sss'. If reverse, 'sss' is first hit thus you cannot reproduce.

Comment 4 Samuel Padgett 2018-04-16 13:58:12 UTC
> "Incorrect username or password for image"

This message seems pretty clear to me.

I don't think the web console should try to delete any secrets (or prompt to). That should be the user's decision to manage. There is also no way for the console to know which secret to delete.

Comment 5 Jakub Hadvig 2018-04-16 14:08:41 UTC
Per conversation with spadgett we are going to close this bug as WON'T FIX.


Comment 6 Samuel Padgett 2018-04-16 14:19:56 UTC
Closing as won't fix.

1. The error message is clear.
2. The console has no reliable way to know when the problem is an incorrect username or password except to parse the error message, which is fragile and will break if the server message ever changes or is translated.
3. The console has no way to know what secret to delete.
4. I don't think we should encourage users to blindly secrets anyway. We don't know what's important and what's not, and it can't be undone.

In my opinion, it's better to show the error and let users manage their own pull secrets.

Note You need to log in before you can comment on or make changes to this bug.