-
Story
-
Resolution: Done
-
Major
-
None
-
None
-
3
-
False
-
-
False
-
Konflux
-
-
When creating Pods, Tekton mounts each secret attached to the service account as a volume.
Tekton generates the names for the volumes like this:
sanitizedName := dnsLabel1123Forbidden.ReplaceAllString(secret.Name, "-")
name := names.SimpleNameGenerator.RestrictLengthWithRandomSuffix("tekton-internal-secret-volume-" + sanitizedName)
That is:
- "tekton-internal-secret-volume-" + secret name
- shorten the result, add a random suffix
With secret name = imagerepository-for-rhoai-v2-13-odh-dashboard-v2-13-image-push
the volume name = tekton-internal-secret-volume-imagerepository-for-rhoai-v-{random_suffix}
For a service account like this one (rhoai-tenant, p02 cluster), which has 61 secrets named imagerepository-for-rhoai-v*, this means Tekton generates 61 volume names that differ only in the random suffix.
The chance of collisions is too high. We can reduce it by dropping/shortening the hardcoded prefix. Perhaps we can also drop the application name from the secret and keep only the component name (like we did for the quay repo names)
TLDR: drop, or at least shorten, the "imagerepository-for-" prefix for ImageRepository names. Consider dropping application name from the ImageRepository name as well. Update https://gitlab.cee.redhat.com/konflux/docs/users accordingly.
See also:
- is related to
-
SRVKP-6798 Tekton "credentials" handling may generate multiple volume with the same name
-
- To Do
-
-
-
- Closed
-