Bug 1980704 - Web console doesn't list all the registries credentials in a secret
Summary: Web console doesn't list all the registries credentials in a secret
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 4.7
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 4.9.0
Assignee: Kim Dobestein
QA Contact: Yadan Pei
URL:
Whiteboard:
Depends On:
Blocks: 1986581
TreeView+ depends on / blocked
 
Reported: 2021-07-09 10:22 UTC by Sergio G.
Modified: 2021-10-18 17:39 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Default pull secret modal only shows first credential for the default pull secret. Consequence: User cannot see additional credentials or know that they exist from the default pull secret modal. Fix: Link to secret detail page instead of opening an existing pull secret in a modal. Result:
Clone Of:
Environment:
Last Closed: 2021-10-18 17:39:02 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift console pull 9472 0 None open Bug 1980704: Web console doesn't list all the registries credentials in a secret 2021-07-12 15:09:01 UTC
Red Hat Product Errata RHSA-2021:3759 0 None None None 2021-10-18 17:39:04 UTC

Description Sergio G. 2021-07-09 10:22:29 UTC
Description of problem:
When visualizing the credentials in a secret, in a given namespace, only the first one registry credential is listed in the UI.


Version-Release number of selected component (if applicable):
4.7.13


How reproducible:
Always


Steps to Reproduce:
1. Create a new project (test1)
2. Go to https://console-openshift-console.apps.cluster.domain.tld/k8s/cluster/projects/test1/details
3. Add a Default pull secret and upload a config.json file with credentials for multiple registries


Actual results:
After adding the secret only the first credentials are listed in the UI. 


Expected results:
All the credentials should be listed or at least add a banner in the UI explaining that there are other credentials in the pull secret which aren't listed.

Additional info:

Comment 1 Kim Dobestein 2021-07-09 16:25:05 UTC
@sgarciam 

Just want to clarify and make sure that I understand the issue.  Here are the steps I took: 

 - Created a config.json with entries to "cloud.openshif.com", "quay.io" and "registry.connect.redhat.com" 
 - On my project details page, click on "Not configured" link under the "Default pull secret" section
 - Choose the "Upload Docker config.json" option and selected my file created in the first step.
 - Click on save.
 - When I go to the project details under the "Default pull secret" header there is a link that has the name of my default secret
 - When I click on that link, I get a modal that only shows the cloud.openshift.com entry.  My entries to quay.io and registry.connect.redhat.com are not shown nor is there an indicator that they exist in this UI.


The last step is the issue correct?


In this modal I do see a warning that says "A default pull Secret exists, but can't be parsed. Saving this will overwrite it.", but again it doesn't let me know that other entries exist.  If I do make a change (change the email for example), and then look at the secrets (using methods described below), only the first entry is shown and the other entries( quay.io and registry.connect.redhat.com in my example) are now missing.


Some related notes: 

There is a way to see all the entries if I go to  Workloads > Secrets and then choose my secret.  Under actions, choose "Edit secret" and on the next screen, all three entries are shown.

I was also able to see all of my entires if I use the CLI (oc get secret kkd-test-secrets -n kkd-test -o yaml | grep " .docker" | cut -d: -f2 | base64 -d) OR go to the secret YAML and decode the .dockerconfigjson entry.

Comment 2 Sergio G. 2021-07-09 16:34:21 UTC
>> - When I click on that link, I get a modal that only shows the cloud.openshift.com entry
That's exactly the issue. I would expect to see all three credentials in the modal (not only the first one) or at least a warning about "the default secret contains more than one credentias, review them in the Workloads -> Secrets section". 

Does it makes sense? Either list all the credentials in the modal or warn the users about other credentials in the secret not being listed.

Comment 3 Kim Dobestein 2021-07-09 18:01:39 UTC
(In reply to Sergio G. from comment #2)
> >> - When I click on that link, I get a modal that only shows the cloud.openshift.com entry
> That's exactly the issue. I would expect to see all three credentials in the
> modal (not only the first one) or at least a warning about "the default
> secret contains more than one credentias, review them in the Workloads ->
> Secrets section". 
> 
> Does it makes sense? Either list all the credentials in the modal or warn
> the users about other credentials in the secret not being listed.

Sounds good and thanks for clarifying.

Comment 4 Kim Dobestein 2021-07-12 15:42:20 UTC
Because the number of credentials per secret could be large, listing them all in the modal may not be ideal because it may require scrolling within the modal.  Wondering if having an additional warning on the modal is the better immediate approach.  The connected PR takes this approach.

Comment 6 Yadan Pei 2021-07-19 03:20:19 UTC
 - Created a config.json with entries to multiple registries, such as "cloud.openshif.com", "quay.io", "registry.connect.redhat.com" and "registry.redhat.io"
{"auths":{"cloud.openshift.com":{"auth":"xxxxx","email":"yapei"},"quay.io":{"auth":"xxxx","email":"yapei"},"registry.connect.redhat.com":{"auth":"xxx","email":"yapei"},"registry.redhat.io":{"auth":"xxxx","email":"yapei"}}}
 - Create a new project, on my project details page, click on "Not configured" link under the "Default pull secret" section
 - Choose the "Upload Docker config.json" option and selected my file created in the first step.
 - Click on save.
 - When I go to the project details under the "Default pull secret" header there is a resource link that has the name of my default secret
 - When I click on that link, I was redirected to the secret details page instead of opening a modal, click 'Reveal values' will show all the credentials of registries.


Also the "Save" button will be disabled if user is selecting to upload and hasn't uploaded a file or if the uploaded file is badly formatted JSON

Verified on 4.9.0-0.nightly-2021-07-18-155939

Comment 7 Sergio G. 2021-07-26 14:57:46 UTC
Thanks for the quick solution. Do you think it's possible to backport it to 4.8 and/or 4.7?

Comment 8 Kim Dobestein 2021-07-27 16:36:05 UTC
We can backport to 4.8

Comment 11 errata-xmlrpc 2021-10-18 17:39:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759


Note You need to log in before you can comment on or make changes to this bug.