Bug 2019710 - When global pull secret is updated, openshift-apiserver does not reflect it.
Summary: When global pull secret is updated, openshift-apiserver does not reflect it.
Status: CLOSED DUPLICATE of bug 1984592
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Image Registry
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: ---
Assignee: Oleg Bulatov
QA Contact: XiuJuan Wang
Depends On:
TreeView+ depends on / blocked
Reported: 2021-11-03 08:17 UTC by Seunghwan Jung
Modified: 2021-11-23 11:12 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2021-11-23 11:04:31 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 6476871 0 None None None 2021-11-16 04:30:50 UTC

Description Seunghwan Jung 2021-11-03 08:17:03 UTC
Description of problem:

When global pull secret is updated, openshift-apiserver pod do not reflect it,
resulting in 'oc import-image' command to fail.

How reproducible:
always according to my test on OCP4.7 and 4.8. 

Steps to Reproduce:
1. Your pull secret should have been changed. 
2. Update the global pull secret on your cluster with current one according to doc[1].
3. Once applied to the cluster, check the global pull secret and one that is mounted by openshift-apiserver pods.

$ oc get secret pull-secret -n openshift-config --template='{{index .data ".dockerconfigjson" | base64decode}}' | jq '.auths."registry.redhat.io".auth' > global-pullsecret

$ oc -n openshift-apiserver rsh apiserver-XXXXnnnn-xxxx cat /var/lib/kubelet/config.json | jq '.auths."registry.redhat.io".auth'  > apipod-pullsecret

$ diff global-pullsecret apipod-pullsecret

Actual results:
openshift-apiserver pods still have old pull secret. 

Expected results:
openshift-apiserver pods should have the updated pull secret mounted. 

Additional info:

To workaround it, delete apiserver deployment to recreate the pods.
$ oc -n openshift-apiserver delete deployment apiserver


Comment 1 Stefan Schimanski 2021-11-03 09:23:17 UTC
Moving to image registry. They own the configuration of the OpenShift components to use the pull secret.

Comment 2 Oleg Bulatov 2021-11-23 11:04:31 UTC

*** This bug has been marked as a duplicate of bug 1984592 ***

Note You need to log in before you can comment on or make changes to this bug.