Description of problem:
When running 'oc registry login' with a serviceaccount, it prompts 'the service account has no secret token generated'.
Since 4.11.0-0.nightly-2022-05-25-193227, the serviceaccount secret token has been deprecated; maybe we need to create a token before using it.

Version-Release number of selected component (if applicable):
4.11.0-0.nightly-2022-06-06-025509
4.11.0-fc.0

How reproducible:
always

Steps to Reproduce:
1. Check cmd
   $ oc registry login -z builder -n default

Actual results:
$ oc registry login -z builder -n default
error: the service account builder had no valid secrets associated with it

Client Version: 4.11.0-0.nightly-2022-06-06-025509
Kustomize Version: v4.5.4
Server Version: 4.11.0-0.nightly-2022-06-04-014713
Kubernetes Version: v1.24.0+bb9c2f1

$ oc get sa builder -o yaml
apiVersion: v1
imagePullSecrets:
- name: builder-dockercfg-6dpjz
kind: ServiceAccount
metadata:
  creationTimestamp: "2022-06-06T02:20:10Z"
  name: builder
  namespace: wxj
  resourceVersion: "86636"
  uid: 1d1c52f6-b7e6-4e84-a24b-07d0eb0b07f8
secrets:
- name: builder-dockercfg-6dpjz

The secret token has been created, but is not linked to the serviceaccount.

$ oc get secret
NAME                       TYPE                                  DATA   AGE
builder-dockercfg-6dpjz    kubernetes.io/dockercfg               1      3h34m
builder-token-cpxwh        kubernetes.io/service-account-token   4      3h34m
default-dockercfg-bpcnj    kubernetes.io/dockercfg               1      3h34m
default-token-mcs8t        kubernetes.io/service-account-token   4      3h34m
deployer-dockercfg-cph8z   kubernetes.io/dockercfg               1      3h34m
deployer-token-ssq4d       kubernetes.io/service-account-token   4      3h34m

Expected results:
Could use the serviceaccount to log in to the image registry.

Additional info:
Works on 4.11.0-0.nightly-2022-05-25-193227

$ oc version
Client Version: 4.11.0-0.nightly-2022-06-06-025509
Kustomize Version: v4.5.4
Server Version: 4.11.0-0.nightly-2022-05-25-193227
Kubernetes Version: v1.23.3+ad897c4

$ oc registry login -z builder -n default
info: Using internal registry hostname image-registry.openshift-image-registry.svc:5000
Saved credentials for image-registry.openshift-image-registry.svc:5000

$ oc get sa builder -n default -o yaml
apiVersion: v1
imagePullSecrets:
- name: builder-dockercfg-xdghp
kind: ServiceAccount
metadata:
  creationTimestamp: "2022-06-06T04:14:15Z"
  name: builder
  namespace: default
  resourceVersion: "11634"
  uid: 83d10d0f-c192-453e-be19-3af5e7896d09
secrets:
- name: builder-token-49txw
- name: builder-dockercfg-xdghp

Using -z now prompts the deprecation info.

$ ./oc registry login -z default --to=/tmp/config.json
Flag --service-account has been deprecated, and will be removed in the future version. Use oc create token instead.
error: the service account default had no valid secrets associated with it

The --service-account flag has been removed from the login help:

$ oc registry login -h
Log in to the OpenShift integrated registry.

 This logs your local Docker client into the OpenShift integrated registry using the external registry name (if configured by your administrator). If you are logged in to the server using a client certificate the command will report an error because container registries do not generally allow client certificates. As an advanced option you may specify the credentials to login with using --auth-basic with USER:PASSWORD. You may specify an alternate file to write credentials to with --to instead of .docker/config.json in your home directory. If you pass --to=- the file will be written to standard output.

 To detect the registry hostname the client will attempt to find an image stream in the current namespace or the openshift namespace and use the status fields that indicate the registry hostnames. If no image stream is found or if you do not have permission to view image streams you will have to pass the --registry flag with the desired host name.

 You may also pass the --registry flag to login to the integrated registry but with a custom DNS name, or to an external registry. Note that in absence of --auth-basic=USER:PASSWORD, the authentication token from the connected kubeconfig file will be recorded as the auth entry in the credentials file (defaults to Docker config.json) for the passed registry value.

 Experimental: This command is under active development and may change without notice.

Examples:
  # Log in to the integrated registry
  oc registry login

  # Log in to different registry using BASIC auth credentials
  oc registry login --registry quay.io/myregistry --auth-basic=USER:PASS

Options:
      --auth-basic='': Provide credentials in the form 'user:password' to authenticate (advanced)
      --insecure=false: Bypass HTTPS certificate verification when checking the registry login.
      --registry='': An alternate domain name and port to use for the registry, defaults to the cluster's configured external hostname.
  -a, --registry-config='': The location of the file your credentials will be stored in. Alternatively REGISTRY_AUTH_FILE env variable can be also specified. Defaults to ~/.docker/config.json. Default can be changed via REGISTRY_AUTH_PREFERENCE env variable to docker (current default - deprecated) or podman (prioritizes podman credentials over docker).
      --skip-check=false: Skip checking the credentials against the registry.
      --to='': The location of the file your credentials will be stored in. Alternatively REGISTRY_AUTH_FILE env variable can be also specified. Default is Docker config.json (deprecated). Default can be changed via REGISTRY_AUTH_PREFERENCE env variable to docker or podman.

Usage:
  oc registry login [flags] [options]

Use "oc options" for a list of global command-line options (applies to all commands).

$ oc version --client
Client Version: 4.11.0-0.nightly-2022-06-14-032134
Kustomize Version: v4.5.4
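
The replacement that the deprecation message points to ("Use oc create token instead"), as an added example that is not part of this bug report or of the oc code base: request a short-lived token for the service account and hand it to `oc registry login` through the `--auth-basic` and `--to` options listed in the help text above. The helper name `sa_registry_login` and the one-hour lifetime are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: log a service account in to the registry without relying
# on an auto-generated, linked token secret (which the failing clusters
# above no longer provide).
# Assumptions: `oc create token` is available in the client, the caller is
# allowed to request tokens for the service account, and the helper name
# sa_registry_login is hypothetical.

sa_registry_login() {
    sa=$1
    ns=$2
    registry=$3
    authfile=$4

    if [ -z "$sa" ] || [ -z "$ns" ] || [ -z "$registry" ] || [ -z "$authfile" ]; then
        echo "usage: sa_registry_login SA NAMESPACE REGISTRY AUTHFILE" >&2
        return 2
    fi

    # Ask the API server for a time-limited token instead of reading a
    # long-lived kubernetes.io/service-account-token secret.
    token=$(oc create token "$sa" -n "$ns" --duration=1h) || {
        echo "could not create a token for $ns/$sa" >&2
        return 1
    }
    if [ -z "$token" ]; then
        echo "empty token returned for $ns/$sa" >&2
        return 1
    fi

    # The token goes in the PASSWORD part of USER:PASSWORD. umask 077 keeps
    # a newly created credentials file from being group/world readable.
    (
        umask 077
        oc registry login --registry="$registry" \
            --auth-basic="$sa:$token" --to="$authfile"
    )
}

# Example call, using the internal registry hostname shown earlier:
# sa_registry_login builder default \
#     image-registry.openshift-image-registry.svc:5000 /tmp/config.json
```

The token appears on the `oc registry login` command line, so it is visible in the local process list while the command runs; the credentials in the resulting file stop working when the token expires.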
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:5069