Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-34261

MachineOSConfig CurrentImagePullSecret field is not being used during image rollout

XMLWordPrintable

    • Important
    • No
    • MCO Sprint 254, MCO Sprint 255
    • 2
    • Rejected
    • False
    • Hide

      None

      Show
      None
    • Hide
      * Previously, the `CurrentImagePullSecret` field on the `MachineOSConfig` was not being used in the rollout process. With this release, the `CurrentImagePullSecret` field on the `MachineOSConfig` object is allowed to be used by the image rollout process. (link:https://issues.redhat.com/browse/OCPBUGS-34261[*OCPBUGS-34261*])
      Show
      * Previously, the `CurrentImagePullSecret` field on the `MachineOSConfig` was not being used in the rollout process. With this release, the `CurrentImagePullSecret` field on the `MachineOSConfig` object is allowed to be used by the image rollout process. (link: https://issues.redhat.com/browse/OCPBUGS-34261 [* OCPBUGS-34261 *])

      Description of problem:

      The CurrentImagePullSecret field on the MachineOSConfig is not being consumed by the rollout process. This is evident when the designated image registry is private and the only way to pull an image is to present a secret.

       

      How reproducible:

      Always

       

      Steps to Reproduce:

      1. Configure a private image registry to be the designated image registry of choice for on-cluster layering.
      2. Get the pull secret for the registry and apply it to the cluster in the MCO namespace.
      3. Configure on-cluster layering to use this secret for pushing the image.
      4. Wait for the build to complete.
      5. Wait for the rollout to occur.

       

      Actual results:

      The node and MachineConfigPool will degrade because rpm-ostree is unable to pull the newly-built image because it does not have access to the credentials even though the MachineOSConfig has a field for them.

       

      Expected results:

      Rolling out the newly-built OS image should succeed.

       

      Additional info:

      It looks like we'll need make the getImageRegistrySecrets() function aware of all MachineOSConfigs and pull the secrets from there. Where this could be problematic is where there are two image registries with different secrets. This is because the secrets are merged based on the image registry hostname. Instead, what we may want to do is have the MCD write only the contents of the referenced secret to the nodes' filesystem before calling rpm-ostree to consume it. This could potentially also reduce or eliminate the overall complexity introduced by the getImageRegistrySecrets() while simultaneously resolving the concerns found under https://issues.redhat.com//browse/OCPBUGS-33803.

      It is worth mentioning that even though we use a private image registry to test the rollout process in OpenShift CI, the reason it works is because it uses an Imagestream which the machine-os-puller service account and its image pull secret is associated with it. This secret is surfaced to all of the cluster nodes by the getImageRegistrySecrets() process. So in effect, it may appear that its working when it does not work as intended. A way to test this would be to create an ImageStream in a separate namespace along with a separate pull secret and then attempt to use that ImageStream and pull secret within a MachineOSConfig.

      Finally, to add another wrinkle to this problem: If a cluster admin wants to use a different final image pull secret for each MachineConfigPool, merging those will get more difficult. Assuming the image registry has the same hostname, this would lead to the last secret being merged as the winner. And the last secret that gets merged would be the secret that gets used; which may be the incorrect secret.

            zzlotnik@redhat.com Zack Zlotnik
            zzlotnik@redhat.com Zack Zlotnik
            Sergio Regidor de la Rosa Sergio Regidor de la Rosa
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

              Created:
              Updated:
              Resolved: