Bug
Resolution: Not a Bug
4.16
Quality / Stability / Reliability
Description of problem:
In OpenShift Pipelines (Tekton), when running long-lived PipelineRuns that use the buildah task to build and push images, the push step may fail with an authentication error due to token expiration. The image push relies on a Docker config.json file (typically at /root/.docker/config.json) that is generated by copying the contents of the image pull/push secret (pipeline-dockercfg-xxxx). This secret is dynamically created and updated by OpenShift, and its token can expire and be automatically rotated during long builds. However, because the config.json file is created via a one-time copy rather than a live mount or symlink, it does not receive the updated token. As a result, the image push fails with authentication required even though a valid token exists in the secret mount path. This leads to failed pipeline runs even when the correct credentials are available in the environment.
Version-Release number of selected component (if applicable):
4.16
How reproducible:
1. Create a pipeline with a buildah task that:
   - Builds an image using a long-running process (e.g. build time > 1 hour).
   - Pushes the image to the internal OpenShift image registry.
   - Uses a Docker config copied from a mounted secret.
2. Bind a secret like pipeline-dockercfg-xxxx (auto-generated by OpenShift for pushing images) to the pipeline via a workspace or credentials mount.
3. In the buildah script or task:
   - Copy .dockerconfigjson to /root/.docker/config.json (e.g. cp "${WORKSPACES_DOCKERCONFIG_PATH}/.dockerconfigjson" "$HOME/.docker/config.json").
   - Set DOCKER_CONFIG="$HOME/.docker".
4. Allow the pipeline to run long enough for the token in the original .dockerconfigjson to expire (usually ~60 minutes).
5. Observe that the secret at the mount path has been refreshed with a new token, but /root/.docker/config.json still contains the expired one.
6. When the image push step runs, it fails with:
Steps to Reproduce:
1. Create a Tekton Pipeline that includes a task using buildah (or any image-pushing tool).
2. Ensure the pipeline is bound to a service account that has image push permissions and is configured to use a dynamic token via a secret like pipeline-dockercfg-xxxx.
3. Mount the Docker config secret as a workspace or credentials volume using the .dockerconfigjson format.
4. The task's build takes a long time, say more than 1 hour.
5. In the buildah task (or custom task), include logic like the following:

    # One-time copy of the mounted secret into the Docker config directory
    if test -f "${WORKSPACES_DOCKERCONFIG_PATH}/.dockerconfigjson"; then
      mkdir -p "$HOME/.docker"
      cp "${WORKSPACES_DOCKERCONFIG_PATH}/.dockerconfigjson" "$HOME/.docker/config.json"
      export DOCKER_CONFIG="$HOME/.docker"
    fi

   ⚠️ This creates a static copy of the token into /root/.docker/config.json.
6. Run the pipeline with a long-running build step (e.g., compilation or build time > 1 hour) to allow the original token to expire.
7. While the pipeline is still running, OpenShift rotates the token inside the mounted secret (pipeline-dockercfg-xxxx), but the copied config.json remains unchanged.
8. When the image push occurs (after the token expiration), the task fails with the following error:

    Error: pushing image "...": authentication required
Actual results:
Expected results:
Additional info:
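
The difference between the one-time copy described above and a symlink to the mounted secret, as an added example that is not part of the original report or of the buildah task. It simulates the "..data" symlink layout that secret volumes use inside a temp directory; the function names, registry name and tokens are constructed for the demo.

```shell
#!/bin/sh
# Added example: static copy vs. symlink when a mounted secret is rotated.
# All paths, tokens and helper names here are constructed for illustration.

write_cfg() {  # $1 = file, $2 = token
  printf '{"auths":{"registry.example":{"auth":"%s"}}}\n' "$2" > "$1"
}

# Simulated secret volume: the visible file is a symlink through "..data",
# which is re-pointed at a new directory when the secret content changes.
make_secret_mount() {  # $1 = mount dir, $2 = token
  mkdir -p "$1/v1"
  write_cfg "$1/v1/.dockerconfigjson" "$2"
  ln -sfn v1 "$1/..data"
  ln -sfn ..data/.dockerconfigjson "$1/.dockerconfigjson"
}

rotate_secret() {  # $1 = mount dir, $2 = new token
  mkdir -p "$1/v2"
  write_cfg "$1/v2/.dockerconfigjson" "$2"
  ln -sfn v2 "$1/..data"   # simplified stand-in for the atomic swap
}

# The approach from the report: config.json is a snapshot taken once.
use_copy() {  # $1 = mount dir, $2 = Docker config dir
  mkdir -p "$2"
  cp "$1/.dockerconfigjson" "$2/config.json"
}

# Alternative: config.json resolves to the mounted file on every read.
use_symlink() {  # $1 = mount dir (absolute), $2 = Docker config dir
  mkdir -p "$2"
  ln -sf "$1/.dockerconfigjson" "$2/config.json"
}

token_in() {  # print the auth value stored in a config.json
  sed -n 's/.*"auth":"\([^"]*\)".*/\1/p' "$1"
}

# Prints the token a push step would read after the secret has rotated.
demo() {  # $1 = "copy" or "symlink"
  work=$(mktemp -d)
  make_secret_mount "$work/secret" "token-old"
  "use_$1" "$work/secret" "$work/home/.docker"
  rotate_secret "$work/secret" "token-new"
  token_in "$work/home/.docker/config.json"
  rm -rf "$work"
}

echo "copy:    $(demo copy)"
echo "symlink: $(demo symlink)"
```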