Bug 1971332 - oc new-build command does not pick automatic source clone secret in OpenShift 4.7
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Build
Version: 4.7
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
: 4.9.0
Assignee: Gabe Montero
QA Contact: Jitendar Singh
Rolfe Dlugy-Hegwer
URL:
Whiteboard:
Depends On:
Blocks: 1992639
Reported: 2021-06-13 17:08 UTC by Vinu K
Modified: 2021-10-18 17:34 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
* In {product-title} and later, the fix for bug link:https://bugzilla.redhat.com/show_bug.cgi?id=1884270[BZ#1884270] incorrectly pruned SSH protocol URLs in an attempt to provide SCP-styled URL capabilities. This error caused the `oc new-build` command not to pick the automatic source clone secret: the build could not use the `build.openshift.io/source-secret-match-uri-1` annotation to map SSH keys with the associated secrets, and therefore could not perform git cloning. This update reverts the changes from BZ#1884270 so that builds can use the annotation and perform git cloning.
Clone Of:
Environment:
Last Closed: 2021-10-18 17:33:48 UTC
Target Upstream Version: TargetNamespace
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github openshift builder pull 257 0 None open Bug 1971332: bump(s2i): revert incorrect ssh scp fix 2021-08-11 06:27:34 UTC
Github openshift oc issues 822 0 None open In version 4.7 of oc, a GIT SSH repository url is changed on BuildConfigs and SSH authentication secrets are not correct... 2021-06-13 17:08:12 UTC
Github openshift oc pull 875 0 None open Bug 1971332: work around s2i parse url ssh:// prefix removal to allow use of ssh and private keys in git operations 2021-07-06 22:58:15 UTC
Github openshift openshift-apiserver pull 238 0 None open Bug 1971332: revert incorrect ssh scp fix 2021-07-22 16:07:17 UTC
Github openshift source-to-image pull 1070 0 None open Bug 1971332: revert incorrect allowance of ssh:// prefix with scp styled URLs 2021-07-19 20:11:56 UTC
Red Hat Product Errata RHSA-2021:3759 0 None None None 2021-10-18 17:34:08 UTC

Description Vinu K 2021-06-13 17:08:12 UTC
Description of problem:
With 4.7 oc binary, build created using 'oc new-build' command does not contain .spec.source.sourceSecret.name field after adding the automatic source clone secret. It works fine with OCP 4.6.

Version-Release number of selected component (if applicable):
4.7

How reproducible:
Easy

Steps to Reproduce:
1. Try using 4.6 oc binary

# Use $HOME rather than a quoted '~', which the shell would not expand
export OC="$HOME/oc46/oc"
# export OC="$HOME/oc47/oc"
${OC} new-project foo
${OC} version
${OC} create secret generic foo --from-file=ssh-privatekey=ssh-key --type=kubernetes.io/ssh-auth
${OC} secret link builder foo
${OC} annotate secret foo "build.openshift.io/source-secret-match-uri-1=ssh://github.com:22/user/*"
${OC} new-build ruby~ssh://git:22/user/repo.git --name=foo
${OC} logs bc/foo --follow
${OC} delete project foo

2. Try using 4.7 oc binary

# Use $HOME rather than a quoted '~', which the shell would not expand
# export OC="$HOME/oc46/oc"
export OC="$HOME/oc47/oc"
${OC} new-project foo
${OC} version
${OC} create secret generic foo --from-file=ssh-privatekey=ssh-key --type=kubernetes.io/ssh-auth
${OC} secret link builder foo
${OC} annotate secret foo "build.openshift.io/source-secret-match-uri-1=ssh://github.com:22/user/*"
${OC} new-build ruby~ssh://git:22/user/repo.git --name=foo
${OC} logs bc/foo --follow
${OC} delete project foo

Actual results:
4.6 oc binary works fine and 4.7 fails with "error: Host key verification failed".

Expected results:
It should work with oc 4.7 as well.

Additional info:
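
Added example, not part of the original report and not OpenShift's own matching code: a simplified Go model of how a `build.openshift.io/source-secret-match-uri-*` annotation is compared with the build source URL, showing that a URL whose `ssh://` prefix has been removed (the behaviour named in the linked oc pull request) no longer selects a secret. The `secret` type, the function names, the exact-match rules and the sample URLs are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Annotation key prefix from the report; a numeric suffix (-1, -2, ...) follows.
const matchURIPrefix = "build.openshift.io/source-secret-match-uri-"

// secret is a hypothetical stand-in for a Secret's name and annotations.
type secret struct {
	name        string
	annotations map[string]string
}

// uriMatches is a simplified matcher (an assumption, not OpenShift's code):
// scheme and host:port must be identical, the path is compared as a glob.
func uriMatches(pattern, source string) bool {
	p, perr := url.Parse(pattern)
	s, serr := url.Parse(source)
	if perr != nil || serr != nil || p.Scheme != s.Scheme || p.Host != s.Host {
		return false
	}
	ok, err := path.Match(p.Path, s.Path)
	return err == nil && ok
}

// pickSourceSecret returns the first secret with a match-uri annotation that
// covers the source URL, or "" when none does (no sourceSecret gets set).
func pickSourceSecret(secrets []secret, source string) string {
	for _, sec := range secrets {
		for key, pattern := range sec.annotations {
			if strings.HasPrefix(key, matchURIPrefix) && uriMatches(pattern, source) {
				return sec.name
			}
		}
	}
	return ""
}

func main() {
	// Constructed sample data modelled on the reproduction steps.
	secrets := []secret{{"foo", map[string]string{matchURIPrefix + "1": "ssh://github.com:22/user/*"}}}
	for _, src := range []string{"ssh://github.com:22/user/repo.git", "github.com:22/user/repo.git"} {
		fmt.Printf("%-34s -> sourceSecret %q\n", src, pickSourceSecret(secrets, src))
	}
}
```

On a live cluster the corresponding check is whether `.spec.source.sourceSecret.name` is populated on the generated BuildConfig, which is the field the report says is missing.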

Comment 1 Maciej Szulik 2021-06-14 10:48:55 UTC
Sending this over to build team who owns that bit of oc code.

Comment 6 Jitendar Singh 2021-08-11 06:24:01 UTC
VERIFIED
===============
 ✘ jsingh@fugaku  ~/.ssh  ls
id_ecdsa  id_ecdsa.pub  id_ed25519  id_ed25519.pub  id_rsa  id_rsa.pub  known_hosts  known_hosts.old

 ✘ jsingh@fugaku  ~/.ssh  oc create secret generic foo --from-file=id=ssh-key --type=kubernetes.io/ssh-auth 

 ✘ jsingh@fugaku  ~/.ssh  oc create secret generic foo --from-file=ssh-privatekey=id_ed25519 --type=kubernetes.io/ssh-auth
secret/foo created

 jsingh@fugaku  ~/.ssh  oc secret link builder foo

 ✘ jsingh@fugaku  ~/.ssh  oc annotate secret foo "build.openshift.io/source-secret-match-uri-1=ssh://github.com:22/jitendar-singh/*"
secret/foo annotated

 jsingh@fugaku  ~/.ssh  oc new-build ruby~ssh://git:22/jitendar-singh/repo.git --name=foo
--> Found image 76ff7f7 (6 days old) in image stream "openshift/ruby" under tag "2.7-ubi8" for "ruby"

    Ruby 2.7 
    -------- 
    Ruby 2.7 available as container is a base platform for building and running various Ruby 2.7 applications and frameworks. Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks (as in Perl). It is simple, straight-forward, and extensible.

    Tags: builder, ruby, ruby27, ruby-27

    * A source build using source code from ssh://git:22/jitendar-singh/repo.git will be created
      * The resulting image will be pushed to image stream tag "foo:latest"
      * Use 'oc start-build' to trigger a new build

--> Creating resources with label build=foo ...
    imagestream.image.openshift.io "foo" created
    buildconfig.build.openshift.io "foo" created
--> Success

 jsingh@fugaku  ~/.ssh  oc logs bc/foo --follow
Cloning "ssh://git:22/jitendar-singh/repo.git" ...
	Commit:	56eb276f78b90488781417874fdd044ddda1e67e (first commit)
	Author:	jsingh <jitsingh>
	Date:	Wed Aug 11 11:38:05 2021 +0530
Caching blobs under "/var/cache/blobs".
Getting image source signatures
Copying blob sha256:296e14ee24149e14d573a1fbf5b5a625c7bb0cc22f5b2a8b180e833258187948
Copying blob sha256:359fed170a21fd169953d50193bb1b9405d5e827bed42a220d154cadf794ac23
Copying blob sha256:19c7e0d23e1f527cfe0a0de0641d5988ce8188bea662289c92599c1d2a217614
Copying blob sha256:356f18f3a935b2f226093720b65383048249413ed99da72c87d5be58cc46661c
Copying blob sha256:d472b109c9e4f1d44ba736dcadfdeed96b11531be00a0ed86f536668c374f19c
Copying config sha256:76ff7f7ad4697e5e7246e66dfdcde414073905f6fd14d88f5a85521a1c39ee57
Writing manifest to image destination
Storing signatures
Generating dockerfile with builder image image-registry.openshift-image-registry.svc:5000/openshift/ruby@sha256:7eb161302275c7c895ba89d155548728e63dd7a1157015d60bc915b53347a29b
STEP 1: FROM image-registry.openshift-image-registry.svc:5000/openshift/ruby@sha256:7eb161302275c7c895ba89d155548728e63dd7a1157015d60bc915b53347a29b
STEP 2: LABEL "io.openshift.build.commit.message"="first commit"       "io.openshift.build.source-location"="ssh://git:22/jitendar-singh/repo.git"       "io.openshift.build.image"="image-registry.openshift-image-registry.svc:5000/openshift/ruby@sha256:7eb161302275c7c895ba89d155548728e63dd7a1157015d60bc915b53347a29b"       "io.openshift.build.commit.author"="jsingh <jitsingh>"       "io.openshift.build.commit.date"="Wed Aug 11 11:38:05 2021 +0530"       "io.openshift.build.commit.id"="56eb276f78b90488781417874fdd044ddda1e67e"       "io.openshift.build.commit.ref"="main"
STEP 3: ENV OPENSHIFT_BUILD_NAME="foo-1"     OPENSHIFT_BUILD_NAMESPACE="foo"     OPENSHIFT_BUILD_SOURCE="ssh://git:22/jitendar-singh/repo.git"     OPENSHIFT_BUILD_COMMIT="56eb276f78b90488781417874fdd044ddda1e67e"
STEP 4: USER root
STEP 5: COPY upload/src /tmp/src
STEP 6: RUN chown -R 1001:0 /tmp/src
time="2021-08-11T06:22:10Z" level=warning msg="Path \"/run/secrets/etc-pki-entitlement\" from \"/etc/containers/mounts.conf\" doesn't exist, skipping"
time="2021-08-11T06:22:10Z" level=warning msg="Path \"/run/secrets/redhat.repo\" from \"/etc/containers/mounts.conf\" doesn't exist, skipping"
STEP 7: USER 1001
STEP 8: RUN /usr/libexec/s2i/assemble
time="2021-08-11T06:22:11Z" level=warning msg="Path \"/run/secrets/etc-pki-entitlement\" from \"/etc/containers/mounts.conf\" doesn't exist, skipping"
time="2021-08-11T06:22:11Z" level=warning msg="Path \"/run/secrets/redhat.repo\" from \"/etc/containers/mounts.conf\" doesn't exist, skipping"
---> Installing application source ...
---> Building your Ruby application from source ...
WARNING: Rubygem Rack is not installed in the present image.
         Add rack to your Gemfile in order to start the web server.
STEP 9: CMD /usr/libexec/s2i/run
STEP 10: COMMIT temp.builder.openshift.io/foo/foo-1:0e03ab97
Getting image source signatures
Copying blob sha256:e39c3abf0df93fca44921f3548fcf6e139afdcb2ac9b7baa6c47b39f87113b32
Copying blob sha256:8f26704f753cbe8b20afc01e97a4cb652befe26791b4d33193afc99ce544ebf5
Copying blob sha256:83310c7c677cb8ade9613896d0dc2f68f905792407d9b175801221756dfd3016
Copying blob sha256:694adc66f3fa07d76b12086cc88422f8d60894559536ffab50e0030fd7fa91c6
Copying blob sha256:832243b96ad61ec5bc3b8e4f66425224d2268820c0d0c66265e0d8f418902789
Copying blob sha256:73bc48343153efd0ae1864892a4caf05cc85a8faa991736eca3d8ccc974ff720
Copying config sha256:2b6e5871802acb323b0e9f1ef54817adaf6988b4e2921159e11a9470f6bb518e
Writing manifest to image destination
Storing signatures
--> 2b6e5871802
2b6e5871802acb323b0e9f1ef54817adaf6988b4e2921159e11a9470f6bb518e
Getting image source signatures

Pushing image image-registry.openshift-image-registry.svc:5000/foo/foo:latest ...
Copying blob sha256:73bc48343153efd0ae1864892a4caf05cc85a8faa991736eca3d8ccc974ff720
Copying blob sha256:359fed170a21fd169953d50193bb1b9405d5e827bed42a220d154cadf794ac23
Copying blob sha256:296e14ee24149e14d573a1fbf5b5a625c7bb0cc22f5b2a8b180e833258187948
Copying blob sha256:d472b109c9e4f1d44ba736dcadfdeed96b11531be00a0ed86f536668c374f19c
Copying blob sha256:19c7e0d23e1f527cfe0a0de0641d5988ce8188bea662289c92599c1d2a217614
Copying blob sha256:356f18f3a935b2f226093720b65383048249413ed99da72c87d5be58cc46661c
Copying config sha256:2b6e5871802acb323b0e9f1ef54817adaf6988b4e2921159e11a9470f6bb518e
Writing manifest to image destination
Storing signatures
Successfully pushed image-registry.openshift-image-registry.svc:5000/foo/foo@sha256:559924d185bf36e2a7a32d8f955e1d7d146c3a80304c7f9a7a920db96683e04c
Push successful

Comment 12 errata-xmlrpc 2021-10-18 17:33:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759

