Created attachment 1615850 [details] original build yaml, velero logs and template Description of problem: When a build is migrated and this build references an externa image, the builder secret is not handled properly by the velero plugin Version-Release number of selected component (if applicable): OCP4: $ oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.2.0-0.nightly-2019-09-15-221449 True False 12h Error while reconciling 4.2.0-0.nightly-2019-09-15-221449: the cluster operator ingress is degraded OCP3: $ oc version oc v3.11.126 kubernetes v1.11.0+d4cacc0 features: Basic-Auth GSSAPI Kerberos SPNEGO Server https:// openshift v3.9.99 kubernetes v1.9.1+a0ce1bc657 Controller: image: quay.io/ocpmigrate/mig-controller:release-1.0 imageID: quay.io/ocpmigrate/mig-controller@sha256:0f74db7171712ffc440b3d7b0f02a775ccd71238827ec856b7d090f90f2feffb Velero: image: quay.io/ocpmigrate/velero:fusor-1.1 imageID: quay.io/ocpmigrate/velero@sha256:6c16a1288bf6aca74afbb0184fa987506839c5193ae8bb2be05cb6aa0a9f3dc5 image: quay.io/ocpmigrate/migration-plugin:release-1.0 imageID: quay.io/ocpmigrate/migration-plugin@sha256:eb9b82c3f26bcd876bc501e18dde7cffe7e451c8c8a231959ed4d9f1127b91a6 How reproducible: Always Steps to Reproduce: 1. oc new-project django 2. oc create -f https://raw.githubusercontent.com/sergiordlr/temp-testfiles/master/app_migration/django-3.9/django_template.yml 3. oc new-app --template django-psql-persistent-modified the build is ok: $ oc get build -n django NAME TYPE FROM STATUS STARTED DURATION django-psql-persistent-1 Source Git@0905223 Complete 23 hours ago 34s 4. Migrate the namespace Actual results: After the migration ends, in OCP4 the build complains about the push secret. $ oc get build NAME TYPE FROM STATUS STARTED DURATION django-psql-persistent-1 Source Git@0905223 Pending (MissingPushSecret) Expected results: There should be no problem after the migration. Additional info: Velero logs are attached, as well as the template and the original build yaml in ocp3. We can read this in velero logs: time="2019-09-16T14:48:32Z" level=error msg="[build-restore] build is not from internal image, skipping" cmd=/plugins/velero-plugins logSource="/go/src/github.com/fusor/openshift-migration-plugin/vendor/github.com/fusor/openshift-velero-plugin/velero-plugins/build/restore.go:60" pluginName=velero-plugins restore=openshift-migration/tpl-migration-cf1jq0jk-xclvf The build is still pointing to the old ocp secret, as it can be seen in the following commands executed in OCP4. -bash-4.1$ oc project django Now using project "django" on server "https://XXXXXXXXXXXX:YYY". -bash-4.1$ oc get secret NAME TYPE DATA AGE builder-dockercfg-qnhl4 kubernetes.io/dockercfg 1 27m builder-token-grv5c kubernetes.io/service-account-token 4 27m builder-token-v76wq kubernetes.io/service-account-token 4 27m default-dockercfg-mhfkm kubernetes.io/dockercfg 1 27m default-token-d4jqv kubernetes.io/service-account-token 4 27m default-token-k8j6b kubernetes.io/service-account-token 4 27m deployer-dockercfg-jmp4m kubernetes.io/dockercfg 1 27m deployer-token-6xtnp kubernetes.io/service-account-token 4 27m deployer-token-hjnd2 kubernetes.io/service-account-token 4 27m django-psql-persistent Opaque 3 27m -bash-4.1$ oc get sa builder -o yaml | grep secret -A 4 secrets: - name: builder-dockercfg-qnhl4 - name: builder-token-v76wq -bash-4.1$ oc get build NAME TYPE FROM STATUS STARTED DURATION django-psql-persistent-1 Source Git@0905223 Pending (MissingPushSecret) -bash-4.1$ oc describe build | grep -i secret Status: Pending (Missing push secret.) Push Secret: builder-dockercfg-rjhnc Warning FailedMount 91s (x21 over 28m) kubelet, compute-0 MountVolume.SetUp failed for volume "builder-dockercfg-rjhnc-push" : secrets "builder-dockercfg-rjhnc" not found
Created attachment 1615879 [details] buildconfig yaml
Fix is in this PR: https://github.com/fusor/openshift-migration-plugin/pull/27 This fix is also in the most recent migration-plugin stable build
Verified in: Controller: image: quay.io/ocpmigrate/mig-controller:release-1.0 imageID: quay.io/ocpmigrate/mig-controller@sha256:b9e78beef9f9c9d36dacb84d552ec0c7ce09fea556293d6fbec8c90c11f70cb7 Velero: image: quay.io/ocpmigrate/velero:fusor-1.1 imageID: quay.io/ocpmigrate/velero@sha256:6c16a1288bf6aca74afbb0184fa987506839c5193ae8bb2be05cb6aa0a9f3dc5 image: quay.io/ocpmigrate/migration-plugin:release-1.0 imageID: quay.io/ocpmigrate/migration-plugin@sha256:f917ce774c08b3ea4e4d5c422521230d8fb8e03bc13ac0b9a323cbd4599cd341 OCP3 # oc version oc v3.9.97 kubernetes v1.9.1+a0ce1bc657 features: Basic-Auth GSSAPI Kerberos SPNEGO Server https:// openshift v3.9.97 kubernetes v1.9.1+a0ce1bc657 OCP4 $ oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.2.0-0.nightly-2019-09-24-025718 True False 10h Cluster version is 4.2.0-0.nightly-2019-09-24-025718 In source OCP3 cluster, before migration this was the secret in the build: # oc get build -o yaml | grep -i pushSecret -A 1 pushSecret: name: builder-dockercfg-mnwtw In target OCP4, after the migration, the secret was properly handled and updated and the build could run with no failures: $ oc get build NAME TYPE FROM STATUS STARTED DURATION django-psql-persistent-1 Source Git@0905223 Complete 2 hours ago 1m14s $ oc get build -o yaml | grep -i pushSecret -A 1 pushSecret: name: builder-dockercfg-9mgdx
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2922