Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Major
Fix Version/s: 4.18.0
Affects Version/s: 4.16
Component/s: openshift-controller-manager / controller-manager
Labels:
None

Work Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
Important
Regression:
None

Target Backport Versions:

4.17.z, 4.16.z, 4.18.z
Target Version:

4.18.z
Release Blocker:
None
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Release Note Status:
Done
Release Note Type:
Bug Fix
Release Note Text:

Hide
Previously, an image pull secret generated for the internal Image Registry would not be regenerated until after the embedded credentials had expired This resulted in a small period of time in which the image pull secrets were invalid. With this release, the image pull secrets are refreshed before the embedded credentials have expired. (link:https://issues.redhat.com/browse/OCPBUGS-54304[~~OCPBUGS-54304~~])

Show
Previously, an image pull secret generated for the internal Image Registry would not be regenerated until after the embedded credentials had expired This resulted in a small period of time in which the image pull secrets were invalid. With this release, the image pull secrets are refreshed before the embedded credentials have expired. (link: https://issues.redhat.com/browse/OCPBUGS-54304 [ OCPBUGS-54304 ])

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

This is a clone of issue ~~OCPBUGS-50507~~. The following is the description of the original issue:
—
Description of problem:

    Trying to pull image-registry.openshift-image-registry.svc:5000/ci-op-x1cji03c/pipeline@sha256:164133ec776adf612b6d3aab55c6f33809b02d4235c9cbc722be8b83d865e474...
error: error creating buildah builder: initializing source docker://image-registry.openshift-image-registry.svc:5000/ci-op-x1cji03c/pipeline@sha256:164133ec776adf612b6d3aab55c6f33809b02d4235c9cbc722be8b83d865e474: unable to retrieve auth token: invalid username/password: authentication required

The `invalid username/password: authentication required` occurs from multiple places, like a native Openshift build trying to push the image to the internal registry or a scheduler trying to inspect the image before scheduling the pod etc.

After some investigation, it was highlighted that after Openshift 4.16 the tokens are automatically rotated after some time. Trying to watch the secret it seems like a bad rotation mechanism is causing the issue.

When the secret is getting updated, the old token stops working.

Example token rotation:

OLD token: 
  "exp": 1739197039, // February 10, 2025 9:17:19 AM GMT-05:00
  "iat": 1739193439, // February 10, 2025 8:17:19 AM GMT-05:00
  "nbf": 1739193439, // February 10, 2025 8:17:19 AM GMT-05:00

New token:
  "exp": 1739200698, // February 10, 2025 10:18:18 AM GMT-05:00
  "iat": 1739197098, // February 10, 2025  9:18:18 AM GMT-05:00
  "nbf": 1739197098, // February 10, 2025  9:18:18 AM GMT-05:00

We also noticed that the secret got updated a minute after the old token expired. That leaves us with a window in time where there is no token working at all.

Version-Release number of selected component (if applicable):

    OCP 4.16 and after

How reproducible:

    Watch the builder-dockercfg-XXXX secret rotation process

Steps to Reproduce:

    1.Watch the auto-created builder-dockercfg-XXX token
    2.After the secret will be updated, the old token can't authenticate to the registry

Actual results:

    There is a window in time where the token is not valid

Expected results:

    The token should be valid for a specific amount of time

Additional info:

Tracking https://search.dptools.openshift.org/?search=+unable+to+retrieve+auth+token%3A+invalid+username%2Fpassword%3A+authentication+required&maxAge=12h&context=1&type=build-log&name=&excludeName=&maxMatches=5&maxBytes=20971520&groupBy=job to see active jobs that are hitting this issue.

blocks

OCPBUGS-55244 Intermittent authentication issues when accessing OpenShift registry

clones

OCPBUGS-50507 Intermittent authentication issues when accessing OpenShift registry

Closed

is blocked by

OCPBUGS-50507 Intermittent authentication issues when accessing OpenShift registry

Closed

is cloned by

OCPBUGS-55244 Intermittent authentication issues when accessing OpenShift registry

links to

openshift/openshift-controller-manager#369: [release-4.18] OCPBUGS-54304: Intermittent authentication issues when accessing OpenShift registry

RHBA-2025:8104 OpenShift Container Platform 4.18.15 bug fix update

(1 links to)

Assignee:: Luis Sanchez

Reporter:: OpenShift Prow Bot

Need Info From:: None

Contributors:: None

QA Contact:: Ying Zhou

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2025/03/27 11:42 AM

Updated:: 2025/07/14 1:29 PM

Resolved:: 2025/05/27 6:03 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates