Bug 1800320 - Adding a default pull secret using the UI doesn't link it with the "default" service account [openshift-4.3]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 4.2.z
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
Target Release: 4.3.z
Assignee: Jakub Hadvig
QA Contact: XiaochuanWang
URL:
Whiteboard:
Depends On: 1795144
Blocks:
Reported: 2020-02-06 21:03 UTC by bpeterse
Modified: 2020-03-10 23:53 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1795144
Environment:
Last Closed: 2020-03-10 23:53:27 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Github openshift console pull 4244 None closed Bug 1800320: Set default pullSecret 2020-03-10 14:57:05 UTC
Red Hat Product Errata RHBA-2020:0676 None None None 2020-03-10 23:53:43 UTC

Description bpeterse 2020-02-06 21:03:26 UTC
+++ This bug was initially created as a clone of Bug #1795144 +++

Description of problem:
Adding a default pull secret for a namespace using the UI doesn't link it with the "default" service account for pulling images.

Version-Release number of selected component (if applicable):
4.2.2

How reproducible:
Always

Steps to Reproduce:
1. Create a namespace using the UI
2. Add to it a default pull secret using https://console-openshift-console.apps.<cluster>.<subdomain>/k8s/cluster/namespaces/<namespace>
3. Deploy an image which requires the pull secret

Actual results:
It fails

Expected results:
The pull secret should be used for pulling as the text in the UI writes clearly: "Specify default credentials to be used to authenticate and download containers within this namespace. These credentials will be the default unless a pod references a specific pull secret."

--- Additional comment from Sergio G. on 2020-01-27 09:26:22 UTC ---

Version-Release in the description is wrong.

I've confirmed this bug in 4.2.14.

--- Additional comment from Jakub Hadvig on 2020-01-28 12:53:08 UTC ---

Was trying to reproduce this issue on both 4.4 and 4.2 clusters but without any luck.
After I added the "Default Pull Secret" to the namespace I was able to find and also
deploy the private image without any issues.

--- Additional comment from Sergio G. on 2020-01-28 13:45:20 UTC ---

Can you confirm if the secret is shown in "oc describe sa default" as used for pulling images?

It wasn't there for me until I linked it manually.

--- Additional comment from XiaochuanWang on 2020-02-04 03:39:53 UTC ---

Tested on 4.4.0-0.nightly-2020-02-02-225006

After the Project is created, sa "default" is as below:
$ oc describe sa default
Name:                default
Namespace:           xiaocwan-s
Labels:              <none>
Annotations:         <none>
Image pull secrets:  default-dockercfg-4vsq7
Mountable secrets:   default-token-9lkgk
                     default-dockercfg-4vsq7
Tokens:              default-token-4jrd8
                     default-token-9lkgk
Events:              <none>

Image app using Deployment by "default-token-9lkgk" failed.
Image app using DC by "default-dockercfg-4vsq7" could succeed.

As per my understanding, it needs a message such as the description "Expected results:" said.
Must the image app use the correct secret (which is "Image pull secrets") from SA "default"? Is that another bug?
Please notice the Target Release is still `--`

--- Additional comment from Jakub Hadvig on 2020-02-04 15:32:16 UTC ---

Was able to reproduce the issue and about to send a fix.

--- Additional comment from Yadan Pei on 2020-02-06 09:42:08 UTC ---

1. Add a default pull secret to namespace by following steps
Administration -> Namespaces -> yapei-1 -> click edit icon in Default Pull Secret -> add credentials used to pull private image from dockerhub, create

2. A secret 'yapei-dp' is created in namespace
$ oc get secret
NAME                            TYPE                                  DATA   AGE
yapei-dp                        kubernetes.io/dockerconfigjson        1      6m9s

3. Check sa/default, the added pull secret is not linked to sa/default
$ oc describe sa default 
Name:                default
Namespace:           yapei-1
Labels:              <none>
Annotations:         <none>
Image pull secrets:  default-dockercfg-wfs66
Mountable secrets:   default-token-p5kvs
                     default-dockercfg-wfs66
Tokens:              default-token-dpvbt
                     default-token-p5kvs
Events:              <none>

4. Deploy a DeploymentConfig from private image, the image can be searched in Deploy Image catalog and DC is created successfully, but pods can't be running
$ oc get pods
NAME                           READY   STATUS             RESTARTS   AGE
wordpress-1-deploy             1/1     Running            0          7m37s
wordpress-1-kh4m8              0/1     ImagePullBackOff   0          7m28s

$ oc describe pod wordpress-1-kh4m8
.....
Events:
  Type     Reason     Age                   From                                                Message
  ----     ------     ----                  ----                                                -------
  Normal   Scheduled  <unknown>             default-scheduler                                   Successfully assigned yapei-1/wordpress-1-kh4m8 to ip-10-0-134-11.us-east-2.compute.internal
  Warning  Failed     6m53s (x6 over 8m7s)  kubelet, ip-10-0-134-11.us-east-2.compute.internal  Error: ImagePullBackOff
  Normal   Pulling    6m40s (x4 over 8m8s)  kubelet, ip-10-0-134-11.us-east-2.compute.internal  Pulling image "yapei/wordpress@sha256:92f7a99d237efd588d8e4ddc11e938049ce38816084e35a31a42e8c3cd98a940"
  Warning  Failed     6m39s (x4 over 8m7s)  kubelet, ip-10-0-134-11.us-east-2.compute.internal  Failed to pull image "yapei/wordpress@sha256:92f7a99d237efd588d8e4ddc11e938049ce38816084e35a31a42e8c3cd98a940": rpc error: code = Unknown desc = Error reading manifest sha256:92f7a99d237efd588d8e4ddc11e938049ce38816084e35a31a42e8c3cd98a940 in docker.io/yapei/wordpress: errors:
denied: requested access to the resource is denied
unauthorized: authentication required
  Warning  Failed   6m39s (x4 over 8m7s)  kubelet, ip-10-0-134-11.us-east-2.compute.internal  Error: ErrImagePull
  Normal   BackOff  3m5s (x21 over 8m7s)  kubelet, ip-10-0-134-11.us-east-2.compute.internal  Back-off pulling image "yapei/wordpress@sha256:92f7a99d237efd588d8e4ddc11e938049ce38816084e35a31a42e8c3cd98a940"

This issue is reproduced on 4.4.0-0.nightly-2020-02-05-220946
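
The check performed by hand in the comment above (comparing the namespace's registry-credential secrets against the "Image pull secrets" of sa/default) can be automated. The following is an added example, not part of the original bug thread or of the console's code; the JSON is a constructed sample modelled on the quoted `oc` output, and the function names are hypothetical.

```python
import json

# Constructed sample modelled on the `oc` output quoted in the comment above.
# On a live cluster the same documents come from
# `oc get sa default -o json` and `oc get secrets -o json`.
SERVICE_ACCOUNT_JSON = """
{"kind": "ServiceAccount",
 "metadata": {"name": "default", "namespace": "yapei-1"},
 "imagePullSecrets": [{"name": "default-dockercfg-wfs66"}],
 "secrets": [{"name": "default-token-p5kvs"},
             {"name": "default-dockercfg-wfs66"}]}
"""

SECRET_LIST_JSON = """
{"kind": "SecretList", "items": [
 {"metadata": {"name": "default-dockercfg-wfs66"},
  "type": "kubernetes.io/dockercfg"},
 {"metadata": {"name": "default-token-p5kvs"},
  "type": "kubernetes.io/service-account-token"},
 {"metadata": {"name": "yapei-dp"},
  "type": "kubernetes.io/dockerconfigjson"}]}
"""

# Secret types that hold registry credentials.
REGISTRY_SECRET_TYPES = {"kubernetes.io/dockerconfigjson",
                         "kubernetes.io/dockercfg"}


def unlinked_pull_secrets(sa, secret_list):
    """Names of registry secrets missing from the SA's imagePullSecrets."""
    linked = {ref.get("name") for ref in (sa.get("imagePullSecrets") or [])}
    found = []
    for item in secret_list.get("items") or []:
        name = item.get("metadata", {}).get("name")
        if item.get("type") in REGISTRY_SECRET_TYPES and name not in linked:
            found.append(name)
    return sorted(found)


def report(sa_json, secrets_json):
    """One finding line per registry secret the service account cannot use."""
    sa = json.loads(sa_json)
    meta = sa["metadata"]
    return [f"{meta['namespace']}: secret {name!r} is not an image pull "
            f"secret of sa/{meta['name']}"
            for name in unlinked_pull_secrets(sa, json.loads(secrets_json))]


if __name__ == "__main__":
    print("\n".join(report(SERVICE_ACCOUNT_JSON, SECRET_LIST_JSON)))
```

A finding is not always a defect, since a registry secret may be meant only for pods that reference it explicitly. For a secret created through the console's "Default Pull Secret" field, the manual link mentioned earlier in the thread is `oc secrets link default <secret> --for=pull`.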

Comment 3 XiaochuanWang 2020-02-28 05:59:24 UTC
Verified on 4.3.0-0.nightly-2020-02-27-225047

After creating and adding a secret "imagepullsec" to the default SA:
xiaocwan ~$ oc describe sa default
Name:                default
Namespace:           xiaocwan-t
Labels:              <none>
Annotations:         <none>
Image pull secrets:  default-dockercfg-ndk5x
                     imagepullsec
Mountable secrets:   default-token-w2c2m
                     default-dockercfg-ndk5x
Tokens:              default-token-js2m6
                     default-token-w2c2m
Events:              <none>

Then deploy image by DC (or Deployment), it'll use "Image pull secrets" correctly for pods and containers
spec:
  restartPolicy: Always
  serviceAccountName: default
  imagePullSecrets:
    - name: default-dockercfg-ndk5x
    - name: imagepullsec

Comment 5 errata-xmlrpc 2020-03-10 23:53:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0676

