Description of problem: In 'Deploy Image' page, when page tells incorrect secret, it is better to prompt user to delete it first Version-Release number of selected component (if applicable): v3.10.0-0.15.0 How reproducible: Always Steps to Reproduce: 1. Create project. Login to web console --> 'Deploy Image' 2. Beneath 'Image Name' input docker.io/starxia/myprivate:hello-openshift (this is a private repo), click 'create an image pull secret', create (and beneath 'Link secret to a service account' link it to sa 'default') secret 'aaa' with password typed wrong, search 3. So user 'try again': create (and beneath 'Link secret to a service account' link to sa 'default') secret 'sss' with right password, search Actual results: 2. It prompts 'Incorrect username or password for image ...' and 'Check that you have entered the image name correctly or create an image pull secret with your image registry credentials and try again' 3. Still same as step 2, making user doubt if password works Expected results: 2. It is better to make user's doubt not appear. When page tells incorrect secret, first prompt user to delete the wrong secret 'aaa'. After deletion, search can find the private repo's image with the right secret 'sss' PS: 'aaa' alphabetically tried prior to 'sss' Additional info:
So this is a bit weird situation since user can have more then one secrets pointing to the same account and if just one of them has wrong password the search fill fail with RC 401 Unauthorized. Based on that we would have to be able to delete all of the secrets, or try to test them one by one. Not sure if we want to go that way. I've tested the bug with the https://github.com/openshift/origin-web-console/pull/2464 change and I couldn't reproduce it. So it seems that secrets with `kubernetes.io/dockerconfigjson` type are handled in different way then the the deprecated `kubernetes.io/dockercfg`. Even case that there already is a secret with wrong pw with the deprecated `kubernetes.io/dockercfg` and user creates a new secret(with the PR change in place) with correct pw the image is successfully found . After merging the PR this issue should be fixed. @spadgett FYI
Fixing PR: https://github.com/openshift/origin-web-console/pull/2464 Now if there is one secret that contains correct password, fetching the image metadata will succeed.
Tested in 'OpenShift Web Console: v3.10.0-0.16.0' env which includes above PR, still reproduced issue. Note, when you reproduce, ensure the wrong secret name is alphabetically prior to the correct secret such that the wrong one is first hit, e.g. wrong secret name is 'aaa' and correct secret name is 'sss'. If reverse, 'sss' is first hit thus you cannot reproduce.
> "Incorrect username or password for image" This message seems pretty clear to me. I don't think the web console should try to delete any secrets (or prompt to). That should be the user's decision to manage. There is also no way for the console to know which secret to delete.
Per conversation with spadgett we are going to close this bug as WON'T FIX. https://github.com/openshift/origin-web-console/pull/2956#pullrequestreview-112425793
Closing as won't fix. 1. The error message is clear. 2. The console has no reliable way to know when the problem is an incorrect username or password except to parse the error message, which is fragile and will break if the server message ever changes or is translated. 3. The console has no way to know what secret to delete. 4. I don't think we should encourage users to blindly secrets anyway. We don't know what's important and what's not, and it can't be undone. In my opinion, it's better to show the error and let users manage their own pull secrets.