Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2093797

Summary: 'oc registry login' with serviceaccount function need update
Product: OpenShift Container Platform Reporter: XiuJuan Wang <xiuwang>
Component: ocAssignee: Maciej Szulik <maszulik>
oc sub component: oc QA Contact: zhou ying <yinzhou>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: high CC: mfojtik
Version: 4.11   
Target Milestone: ---   
Target Release: 4.11.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-08-10 11:16:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description XiuJuan Wang 2022-06-06 06:00:20 UTC 
Description of problem:
When 'oc registry login' with serviceaccount,prompts ‘the service account no secret token generate’
Since 4.11.0-0.nightly-2022-05-25-193227, the serviceaccount secret token got depreciated, maybe we need create token before use it

Version-Release number of selected component (if applicable):
4.11.0-0.nightly-2022-06-06-025509
4.11.0-fc.0

How reproducible:
always

Steps to Reproduce:
1.Check cmd 
$oc registry login -z builder -n default

2.
3.

Actual results:
$oc registry login -z builder -n default
error: the service account builder had no valid secrets associated with it

Client Version: 4.11.0-0.nightly-2022-06-06-025509
Kustomize Version: v4.5.4
Server Version: 4.11.0-0.nightly-2022-06-04-014713
Kubernetes Version: v1.24.0+bb9c2f1
$oc get sa builder -o yaml
apiVersion: v1
imagePullSecrets:
- name: builder-dockercfg-6dpjz
kind: ServiceAccount
metadata:
  creationTimestamp: "2022-06-06T02:20:10Z"
  name: builder
  namespace: wxj
  resourceVersion: "86636"
  uid: 1d1c52f6-b7e6-4e84-a24b-07d0eb0b07f8
secrets:
- name: builder-dockercfg-6dpjz

The secret token has been created, but not link to serviceaccount
$oc get secret
NAME                       TYPE                                  DATA   AGE
builder-dockercfg-6dpjz    kubernetes.io/dockercfg               1      3h34m
builder-token-cpxwh        kubernetes.io/service-account-token   4      3h34m
default-dockercfg-bpcnj    kubernetes.io/dockercfg               1      3h34m
default-token-mcs8t        kubernetes.io/service-account-token   4      3h34m
deployer-dockercfg-cph8z   kubernetes.io/dockercfg               1      3h34m
deployer-token-ssq4d       kubernetes.io/service-account-token   4      3h34m

Expected results:

Could use serviceaccount to login image registry

Additional info:

works on 4.11.0-0.nightly-2022-05-25-193227
$oc version
Client Version: 4.11.0-0.nightly-2022-06-06-025509
Kustomize Version: v4.5.4
Server Version: 4.11.0-0.nightly-2022-05-25-193227
Kubernetes Version: v1.23.3+ad897c4

$oc registry login -z builder -n default
info: Using internal registry hostname image-registry.openshift-image-registry.svc:5000
Saved credentials for image-registry.openshift-image-registry.svc:5000

$oc get sa builder -n default -o yaml
apiVersion: v1
imagePullSecrets:
- name: builder-dockercfg-xdghp
kind: ServiceAccount
metadata:
  creationTimestamp: "2022-06-06T04:14:15Z"
  name: builder
  namespace: default
  resourceVersion: "11634"
  uid: 83d10d0f-c192-453e-be19-3af5e7896d09
secrets:
- name: builder-token-49txw
- name: builder-dockercfg-xdghp
Comment 1 XiuJuan Wang 2022-06-13 07:48:50 UTC 
Using -z has prompt the deprecated info.

./oc registry login -z default  --to=/tmp/config.json
Flag --service-account has been deprecated, and will be removed in the future version. Use oc create token instead.
error: the service account default had no valid secrets associated with it
Comment 3 zhou ying 2022-06-14 12:50:30 UTC 
the --service-account flag has been removed from the login help :

oc registry login -h
Log in to the OpenShift integrated registry.

 This logs your local Docker client into the OpenShift integrated registry using the external registry name (if
configured by your administrator). If you are logged in to the server using a client certificate the command will report
an error because container registries do not generally allow client certificates.

 As an advanced option you may specify the credentials to login with using --auth-basic with USER:PASSWORD.

 You may specify an alternate file to write credentials to with --to instead of .docker/config.json in your home
directory. If you pass --to=- the file will be written to standard output.

 To detect the registry hostname the client will attempt to find an image stream in the current namespace or the
openshift namespace and use the status fields that indicate the registry hostnames. If no image stream is found or if
you do not have permission to view image streams you will have to pass the --registry flag with the desired host name.

 You may also pass the --registry flag to login to the integrated registry but with a custom DNS name, or to an external
registry. Note that in absence of --auth-basic=USER:PASSWORD, the authentication token from the connected kubeconfig
file will be recorded as the auth entry in the credentials file (defaults to Docker config.json) for the passed registry
value.

 Experimental: This command is under active development and may change without notice.

Examples:
  # Log in to the integrated registry
  oc registry login
  
  # Log in to different registry using BASIC auth credentials
  oc registry login --registry quay.io/myregistry --auth-basic=USER:PASS

Options:
    --auth-basic='':
	Provide credentials in the form 'user:password' to authenticate (advanced)

    --insecure=false:
	Bypass HTTPS certificate verification when checking the registry login.

    --registry='':
	An alternate domain name and port to use for the registry, defaults to the cluster's configured external
	hostname.

    -a, --registry-config='':
	The location of the file your credentials will be stored in. Alternatively REGISTRY_AUTH_FILE env variable can
	be also specified. Defaults to ~/.docker/config.json. Default can be changed via REGISTRY_AUTH_PREFERENCE env
	variable to docker (current default - deprecated) or podman (prioritizes podman credentials over docker).

    --skip-check=false:
	Skip checking the credentials against the registry.

    --to='':
	The location of the file your credentials will be stored in. Alternatively REGISTRY_AUTH_FILE env variable can
	be also specified. Default is Docker config.json (deprecated). Default can be changed via
	REGISTRY_AUTH_PREFERENCE env variable to docker or podman.

Usage:
  oc registry login  [flags] [options]

Use "oc options" for a list of global command-line options (applies to all commands).



oc version --client
Client Version: 4.11.0-0.nightly-2022-06-14-032134
Kustomize Version: v4.5.4
Comment 5 errata-xmlrpc 2022-08-10 11:16:18 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069