-
Bug
-
Resolution: Unresolved
-
Normal
-
None
-
4.19.0
-
Important
-
No
-
8
-
MCO Sprint 265, MCO Sprint 266, MCO Sprint 267, MCO Sprint 268, MCO Sprint 269
-
5
-
Proposed
-
False
-
Description of problem:
When we configure a MOSC resource that is using invalid secrets the image build fails. If we fix the secrets and we rebuild the image, the image is not properly rebuilt.
Version-Release number of selected component (if applicable):
4.19.0-0.nightly-2025-01-21-093906
How reproducible:
Always
Steps to Reproduce:
We can reproduce it executing the steps defined in this test: https://polarion.engineering.redhat.com/polarion/#/project/OSE/workitem?id=OCP-77783
1. Create a infra pool
oc create -f - << EOF
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfigPool
metadata:
name: infra
spec:
machineConfigSelector:
matchExpressions:
- {key: machineconfiguration.openshift.io/role, operator: In, values: [worker,infra]}
nodeSelector:
matchLabels:
node-role.kubernetes.io/infra: ""
EOF
2. Create bad secrets in the MCO namespace
$ oc create secret generic my-input-pull --from-literal '.dockercfg={"fake-repo":{"auth":"'$(echo -n fake-pull-pass | base64)'"}}' --type=kubernetes.io/dockercfg
secret/my-input-pull created
$ oc create secret generic my-input-push --from-literal '.dockercfg={"fake-repo":{"auth":"'$(echo -n fake-push-pass | base64)'"}}' --type=kubernetes.io/dockercfg
secret/my-input-push created
$ oc create secret generic my-output-pull --from-literal '.dockercfg={"fake-repo":{"auth":"'$(echo -n fake-output-pull-pass | base64)'"}}' --type=kubernetes.io/dockercfg
secret/my-output-pull created
3. Create a MOSC using those bad secrets
oc create -f - << EOF
apiVersion: machineconfiguration.openshift.io/v1alpha1
kind: MachineOSConfig
metadata:
name: infra-mosc
spec:
machineConfigPool:
name: infra
buildOutputs:
currentImagePullSecret:
name: my-output-pull
buildInputs:
imageBuilder:
imageBuilderType: PodImageBuilder
baseImagePullSecret:
name: my-input-pull
renderedImagePushSecret:
name: my-input-push
renderedImagePushspec: "image-registry.openshift-image-registry.svc:5000/openshift-machine-config-operator/ocb-image:latest"
EOF
4. Wait for the mosb to fail
]$ l machineosbuild
NAME PREPARED BUILDING SUCCEEDED INTERRUPTED FAILED
infra-mosc-50b0d47cc02760fee9282b3ad9356872 False False False False True
5. Fix the secrets
$ oc -n openshift-machine-config-operator set data secret/my-input-pull --from-literal ".dockercfg=$(oc get secret pull-secret -n openshift-config '--template={{index .data ".dockerconfigjson" | base64decode}}' | jq .auths)"
secret/my-input-pull data updated
$ oc -n openshift-machine-config-operator set data secret/my-input-push --from-literal ".dockercfg=$(oc get secret -n openshift-machine-config-operator $(oc get -n openshift-machine-config-operator sa builder -ojsonpath='{.secrets[0].name}') '--template={{index .data ".dockercfg" | base64decode}}')"
secret/my-input-pull data updated
$ oc -n openshift-machine-config-operator set data secret/my-output-pull --from-literal ".dockercfg=$(oc get secret -n openshift-machine-config-operator $(oc get -n openshift-machine-config-operator sa default -ojsonpath='{.secrets[0].name}') '--template={{index .data ".dockercfg" | base64decode}}')"
secret/my-output-pull data updated
6. Rebuild the image
$ oc patch machineosconfig infra-mosc --type json -p '[{"op": "add", "path": "/metadata/annotations/machineconfiguration.openshift.io~1rebuild", "value":""}]'
Actual results:
The image is not properly rebuilt.
Expected results:
The image should be rebuilt without problems and the machineosbuild resource should be reused.
Additional info:
The failure happens with both the new API and the old API.
- is related to
-
-
- Verified
-
- links to
-
RHEA-2024:11038
OpenShift Container Platform 4.19.z bug fix update
