Description of problem:
When using multiple secrets that have 'destinationDir' in BuildConfig, only the very last secret's corresponding file gets created. The other secrets get ignored.

Version-Release number of selected component (if applicable):
3.11 (I've also tested in version 3.10 and the issue persists)

How reproducible:
Always

Steps to Reproduce:

1. Create new app and save yaml in a temp file:

```
$ oc new-app --name='myapp' -l 'micro-service=myapp' \
    -e DEV_MODE='true' \
    nodejs:8~git:mygroup/myapp.git \
    --context-dir=src --source-secret='bitbucket-sshauth' \
    -o yaml > /tmp/myapp.yaml
```

2. Create the secrets that will be needed as well:

```
$ oc secrets new bitbucket-shared-sshkey id_rsa=~/.ssh/bitbucket-sshauth
$ oc create secret generic bitbucket-shared-sshkey --from-file=id_rsa=bitbucket-shared-sshkey --type=Opaque
$ ssh-keyscan -H bitbucket.org >> bitbucket-shared-knownhosts
$ oc create secret generic bitbucket-shared-knownhosts --from-file=known_hosts=bitbucket-shared-knownhosts --type=Opaque
```

3. Go in /tmp/myapp.yaml and add the 2 secrets:

```
...
source:
  git:
    ref: master
    uri: '[git](git):mygroup/myapp'
  secrets:
  - destinationDir: /opt/app-root/src/.ssh
    secret:
      name: bitbucket-shared-sshkey
  - destinationDir: /opt/app-root/src/.ssh
    secret:
      name: bitbucket-shared-knownhosts
```

4. Build:

```
$ oc create -f /tmp/dpc.yaml
$ oc start-build bc/myapp
```

Actual results:
Only the 'known_hosts' file gets created and is available in /opt/app-root/.ssh. If I swap the order, then only the 'id_rsa' file gets created.

Expected results:
Both files should get created and be available in the /opt/app-root/.ssh folder.

Additional info:
Originally filed on GitHub - https://github.com/openshift/origin/issues/22032
This has been fixed in OpenShift 4.0 as a result of using buildah to drive OpenShift builds. Note that any secret content is deleted in the final image (configMap content is retained).

For OpenShift 3.x, customers can work around this issue by creating secrets and/or ConfigMaps which reference multiple files:

```
$ oc create secret generic mysecret --from-file=new-filename.txt=/path/to/file.txt --from-file=/path/to/another-file.txt ...
```
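A check for 3.x BuildConfigs that match the reproduction in this report (two or more source secrets pointing at one `destinationDir`) and are therefore candidates for the multi-file-secret workaround. This is an added example, not code from the report or from OpenShift; the sample BuildConfig list is constructed, and treating a trailing slash as the same directory is an assumption.

```python
import json
import sys
from collections import defaultdict

# Constructed sample shaped like `oc get bc -o json`; names follow the report.
SAMPLE = {"kind": "List", "items": [
    {"kind": "BuildConfig", "metadata": {"name": "myapp"}, "spec": {"source": {
        "secrets": [
            {"destinationDir": "/opt/app-root/src/.ssh",
             "secret": {"name": "bitbucket-shared-sshkey"}},
            {"destinationDir": "/opt/app-root/src/.ssh/",
             "secret": {"name": "bitbucket-shared-knownhosts"}}]}}},
    {"kind": "BuildConfig", "metadata": {"name": "single-secret"}, "spec": {"source": {
        "secrets": [{"destinationDir": "/tmp",
                     "secret": {"name": "combined-ssh"}}]}}},
]}


def shared_destination_dirs(build_config):
    """Return {destinationDir: [secret names]} for dirs named by 2+ source secrets."""
    source = (build_config.get("spec") or {}).get("source") or {}
    by_dir = defaultdict(list)
    for entry in source.get("secrets") or []:
        dest = entry.get("destinationDir")
        if not dest:
            continue  # the report only concerns secrets that set destinationDir
        dest = dest.rstrip("/") or "/"  # assumption: "/a/b" and "/a/b/" are one dir
        by_dir[dest].append((entry.get("secret") or {}).get("name", "<unnamed>"))
    return {d: names for d, names in by_dir.items() if len(names) > 1}


def scan(document):
    """Accept one BuildConfig or a List of them; return findings keyed by name."""
    items = [document] if document.get("kind") == "BuildConfig" else document.get("items", [])
    findings = {}
    for bc in items:
        shared = shared_destination_dirs(bc)
        if shared:
            findings[(bc.get("metadata") or {}).get("name", "<unknown>")] = shared
    return findings


if __name__ == "__main__":
    # Pipe `oc get bc -o json` in, or run with no input to scan the sample.
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for name, dirs in scan(doc).items():
        for dest, secrets in dirs.items():
            print(f"{name}: {dest} <- {', '.join(secrets)}")
```

Each reported BuildConfig lists the secrets that would need to be merged into one secret carrying several `--from-file` entries.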
Yes, in 4.0 any secret content is deleted in the final image

payload: registry.svc.ci.openshift.org/ocp/release@sha256:515085c8949e60364372f208b11f80993d4a786f603ca6f39d903bd4a7065e5c
version: 4.0.0-0.nightly-2019-02-27-054627

check the build log:

```
STEP 4: USER root
STEP 5: COPY upload/scripts /tmp/scripts
STEP 6: COPY upload/src /tmp/src
STEP 7: COPY upload/injections/var/run/secrets/openshift.io/build/testsecret1 /tmp
STEP 8: COPY upload/injections/var/run/secrets/openshift.io/build/testsecret2 /opt/app-root/src
STEP 9: RUN chown -R 1001:0 /tmp/scripts /tmp/src /tmp /opt/app-root/src
time="2019-02-27T10:03:47Z" level=warning msg="pkg/chroot: error unmounting \"/tmp/buildah853922143/mnt/rootfs\": error checking if \"/tmp/buildah853922143/mnt/rootfs/sys/fs/cgroup/freezer\" is mounted: no such file or directory"
time="2019-02-27T10:03:47Z" level=warning msg="pkg/bind: error unmounting \"/tmp/buildah853922143/mnt/rootfs\": error checking if \"/tmp/buildah853922143/mnt/rootfs/sys/fs/cgroup/freezer\" is mounted: no such file or directory"
STEP 10: USER 1001
STEP 11: RUN /tmp/scripts/assemble
relative-secret1=secret1 relative-secret2=secret2 secret1=secret1 secret2=secret2
time="2019-02-27T10:03:49Z" level=warning msg="pkg/chroot: error unmounting \"/tmp/buildah881963239/mnt/rootfs\": error checking if \"/tmp/buildah881963239/mnt/rootfs/sys/fs/cgroup/freezer\" is mounted: no such file or directory"
time="2019-02-27T10:03:49Z" level=warning msg="pkg/bind: error unmounting \"/tmp/buildah881963239/mnt/rootfs\": error checking if \"/tmp/buildah881963239/mnt/rootfs/sys/fs/cgroup/freezer\" is mounted: no such file or directory"
STEP 12: RUN rm /tmp/..2019_02_27_10_02_30.749623174/secret1 && rm /tmp/..2019_02_27_10_02_30.749623174/secret2 && rm /tmp/..2019_02_27_10_02_30.749623174/secret3 && rm /tmp/secret1 && rm /tmp/secret2 && rm /tmp/secret3 && rm /opt/app-root/src/..2019_02_27_10_02_31.296559079/secret1 && rm /opt/app-root/src/..2019_02_27_10_02_31.296559079/secret2 && rm /opt/app-root/src/..2019_02_27_10_02_31.296559079/secret3 && rm /opt/app-root/src/secret1 && rm /opt/app-root/src/secret2 && rm /opt/app-root/src/secret3
###in STEP 11, deleted all secrets files
time="2019-02-27T10:03:50Z" level=warning msg="pkg/chroot: error unmounting \"/tmp/buildah087308143/mnt/rootfs\": error checking if \"/tmp/buildah087308143/mnt/rootfs/sys/fs/cgroup/freezer\" is mounted: no such file or directory"
time="2019-02-27T10:03:50Z" level=warning msg="pkg/bind: error unmounting \"/tmp/buildah087308143/mnt/rootfs\": error checking if \"/tmp/buildah087308143/mnt/rootfs/sys/fs/cgroup/freezer\" is mounted: no such file or directory"
STEP 13: CMD /usr/libexec/s2i/run
STEP 14: COMMIT containers-storage:[overlay@/var/lib/containers/storage+/var/run/containers/storage:overlay.skip_mount_home=false]temp.builder.openshift.io/wewang5/build-secret-1:7ffd0cfb
Getting image source signatures
Copying blob sha256:b1e3561f65d69b456145e08024c6855f87e3ff401a23ce34830913e10b523810
Copying blob sha256:b1933d7f1c6de39dcd1cc9c702d06b5f1dd2a6d3d8574013d9349797687871da
Copying blob sha256:7570c9bb6eb02a54ca3cf9ac3aee75eb8cbf0c6cf77839cc078e7362a29c5631
Copying blob sha256:064aa57f6d5c8f8d864efc0c66ece05d99475ebdc70929cbc480484d45b4321c
Copying blob sha256:aa510ba01285f7d63af45a28dcc86bd1272ee12ffa9fd103e1ab848213640cf7
Copying blob sha256:0e00d99d1e7602a9d541f1a4a3a245082d84421bb9028c739ba286a46c99837d
Copying config sha256:d72af5d3bf3ab89c5c5c61e2c2127c674f1906f5b095cbba838b920007993d6a
```
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0758