Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: 4.20.0
Affects Version/s: 4.19
Component/s: Cloud Compute / Cloud Controller Manager
Labels:
None

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
Important
Regression:
Yes

Target Backport Versions:
None
Target Version:

4.20.0
Release Blocker:
Rejected
Sprint:
CLOUD Sprint 271
sprint_count:
1

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Release Note Status:
Done
Release Note Type:
Known Issue
Release Note Text:

Hide
* When installing a cluster on {azure-short}, if you set any of the `compute.platform.azure.identity.type`, `controlplane.platform.azure.identity.type`, or `platform.azure.defaultMachinePlatform.identity.type` field values to `None`, your cluster is unable to pull images from the Azure Container Registry. You can avoid this issue by either providing a user-assigned identity, or by leaving the identity field blank. In both cases, the installation program generates a user-assigned identity. (link:https://issues.redhat.com/browse/OCPBUGS-56008[OCPBUGS-56008])

Show
* When installing a cluster on {azure-short}, if you set any of the `compute.platform.azure.identity.type`, `controlplane.platform.azure.identity.type`, or `platform.azure.defaultMachinePlatform.identity.type` field values to `None`, your cluster is unable to pull images from the Azure Container Registry. You can avoid this issue by either providing a user-assigned identity, or by leaving the identity field blank. In both cases, the installation program generates a user-assigned identity. (link: https://issues.redhat.com/browse/OCPBUGS-56008 [ OCPBUGS-56008 ])

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

Pull image from ACR failed

Version-Release number of selected component (if applicable):

4.19.0-0.nightly-2025-05-11-153555

How reproducible:

Always

Steps to Reproduce:

1. Given the cluster resource-group is qe-uidaily-0508-pf2qf-rg
2. Create containerregistry on azure
$ az acr create --resource-group qe-uidaily-0508-pf2qf-rg --name zhsuncontainerregistry --sku Basic
3. Login into ACR
$ az acr login --name zhsuncontainerregistry
4. Grant AcrPull role to reourcegroup qe-uidaily-0508-pf2qf-rg
I tried manually created Identity  qe-uidaily-0508-pf2qf-identity (in 4.19 seems this is not created by default) and manually bind qe-uidaily-0508-pf2qf-identity to nodes 

5. $ docker pull openshift/hello-openshift
6. $ docker tag openshift/hello-openshift:latest zhsuncontainerregistry.azurecr.io/hello-acr:latest
7. Push the image to ACR
$ docker push zhsuncontainerregistry.azurecr.io/hello-acr:latest 
8. Create a new app using the image on ACR
$ oc new-project hello-acr  
$ oc new-app --name hello-acr --allow-missing-images   --image zhsuncontainerregistry.azurecr.io/hello-acr:latest
$ oc get po                                                                                             
NAME                         READY   STATUS             RESTARTS   AGE
hello-acr-79cd4b5bc4-dvqkt   0/1     ImagePullBackOff   0          3m31s Failed to pull image "zhsuncontainerregistry.azurecr.io/hello-acr:latest": [initializing source docker://zhsuncontainerregistry.azurecr.io/hello-acr:latest: unable to retrieve auth token: invalid username/password: unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information. CorrelationId: 65fd5960-ee74-468a-86aa-277bec29cbdc, initializing source docker://zhsuncontainerregistry.azurecr.io/hello-acr:latest: unable to retrieve auth token: invalid username/password: unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information. CorrelationId: bc82f7f3-f184-4617-8a16-9de6237b2995]   

sh-5.1# cat /tmp/request.json | /usr/libexec/kubelet-image-credential-provider-plugins/acr-credential-provider
Error: requires at least 1 arg(s), only received 0
Usage:
  acr-credential-provider configFile [flags]

Flags:
  -h, --help                     help for acr-credential-provider
  -r, --registry-mirror string   Mirror a source registry host to a target registry host, and image pull credential will be requested to the target registry host when the image is from source registry host

sh-5.1# cat /tmp/request.json
{
  "apiVersion": "credentialprovider.kubelet.k8s.io/v1",
  "kind": "CredentialProviderRequest",
  "image": "zhsunregistry1.azurecr.io/hello-acr:latest"
}

Actual results:

Pull image from ACR failed

Expected results:

Pull image from ACR succeed

Additional info:

This only happens in 4.19, Theo may have some finding for this, discussion https://redhat-internal.slack.com/archives/GE2HQ9QP4/p1746700433890159

blocks

OCPBUGS-56567 Pull image from ACR failed

Closed

is cloned by

OCPBUGS-56567 Pull image from ACR failed

Closed

links to

openshift/installer#9718: OCPBUGS-56008: default Azure to create VM user-assigned identities

openshift/installer#9733: OCPBUGS-56008: don't expect identity on ASH

openshift/installer#9739: OCPBUGS-56008: Remove unnecessary validation

Assignee:: Patrick Dillon

Reporter:: Zhaohua Sun

Need Info From:: None

Contributors:: None

QA Contact:: Zhaohua Sun

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Created:: 2025/05/12 2:22 AM

Updated:: 2025/09/30 6:16 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates