Bug 1919359 - need better debug for bad pull secrets
Summary: need better debug for bad pull secrets
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Build
Version: 4.6.z
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.6.z
Assignee: Gabe Montero
QA Contact: XiuJuan Wang
Depends On: 1918879
TreeView+ depends on / blocked
Reported: 2021-01-22 16:21 UTC by Gabe Montero
Modified: 2021-02-22 13:55 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Errors around invalid build pull secret where the auth key is not base64 encoded were not propagated through the build stack. Consequence: Determining the root cause of such build errors were difficult Fix: Changes were made so that errors like invalid key encoding with build pull secrets propagated through the build stack. Result: Determining the root cause of invalid build pull secret keys is now easier for the user.
Clone Of: 1918879
Last Closed: 2021-02-22 13:54:57 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift builder pull 210 0 None closed [release-4.6] Bug 1919359: better surface dockerconfigjson errors causing image pull errors 2021-02-18 01:29:24 UTC
Red Hat Product Errata RHBA-2021:0510 0 None None None 2021-02-22 13:55:20 UTC

Description Gabe Montero 2021-01-22 16:21:51 UTC
+++ This bug was initially created as a clone of Bug #1918879 +++

See https://github.com/openshift/builder/pull/200#issue-551795953

--- Additional comment from Gabe Montero on 2021-01-22 16:08:14 UTC ---

For testing this XiuJuan import a pull secret and then edit it so you corrupt/break the encoded value associated with the.dockerconfigjson key so we cannot json unmarshal it

the log

log.V(0).Infof("error trying to parse file %s: %s", filePath, err.Error())

should show up in the build log

and the error 

 fmt.Errorf("%s; also, error processing dockerconfigjson: %s", err.Error(), dockerConfigCredsErr.Error())

should be propagated up and ultimately visible from the log 

the bonus scenario is to do this with a build pull secret, but the registry handled by that pull secret can also be handled by the node credentials (I *think* registry.redhat.io is such a registry).

you should see the log log.V(0).Infof("error trying to parse file %s: %s", filePath, err.Error()) still, but presumably the build could still work since the pull is authenticated via the node credentials instead of the supply pull secret

Comment 1 Gabe Montero 2021-01-22 16:27:40 UTC
4.6 PR https://github.com/openshift/builder/pull/210 is waiting QE verification on https://github.com/openshift/builder/pull/200

Comment 2 XiuJuan Wang 2021-02-08 07:54:15 UTC
Test on cluster building from pr openshift/builder#210, the version '4.6.0-0.ci.test-2021-02-08-034130-ci-ln-6w1gdyt'

Could see the error from build logs with invalid pullsecret.
"error trying to parse file /var/run/secrets/openshift.io/pull/.dockerconfigjson: illegal base64 data at input byte 3"

Comment 7 errata-xmlrpc 2021-02-22 13:54:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6.18 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.