Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Docker secrets created via oc result in image pull (authentication) failure #18799

Closed
rezie opened this issue Mar 2, 2018 · 2 comments
Closed

Docker secrets created via oc result in image pull (authentication) failure #18799

rezie opened this issue Mar 2, 2018 · 2 comments

Comments

@rezie
Copy link

rezie commented Mar 2, 2018
edited
Loading

edit: I'm guessing this issue is related to #18059 - we're using the same oc client as the OP.

When creating a secret via oc secrets new-dockercfg ..., attempts by OpenShift to import that image from a private Artifactory registry results in an error: Authentication is required. However, when creating the same exact secret via the web console, images are able to be pulled. The encoded values of both secrets are exactly the same as well.

I must have misread the encoded strings initially. When docker secrets are generated via CLI, the decoded value looks like this:

{"auths":{"registry.example.com":{"username":"user","password":"password","email":"[email protected]","auth":"somestring"}}}

whereas the UI equivalent is:

{"registry.example.com":{"username":"user","password":"password","email":"[email protected]","auth":"somestring"}}

Is there a reason why the auths portion can cause such a difference?

Version
oc v3.7.1+ab0f056
kubernetes v1.7.6+a08f5eeb62
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://master.example.com:8443
openshift v3.7.1+ab0f056
kubernetes v1.7.6+a08f5eeb62
Steps To Reproduce
  1. via CLI:

oc secrets new-dockercfg artifactory-cli-secret --docker-server=artifactory.example.com --docker-username=user --docker-password=password [email protected]

  1. via web console

Resources -> Secrets -> Create Secret

Current Result

Using the web console to attempt to import an image via the Add to Project option:

Could not load image metadata.
Internal error occurred: Get https://artifactory.example.com/v2/some/path/some-image/manifests/1.0.0: unknown: Authentication is required
Expected Result

For the Add to Project option, the deployment configuration form should be displayed as the docker image info pull attempt is successful

Additional Information

It doesn't matter how I attempt to "use" the image - using oc import-image and oc new-app, for example, results in the same error. And to be clear, the registry credentials work perfectly fine via docker commands.
@rezie
Copy link
Author

rezie commented Mar 2, 2018

It looks like in origin 3.6.1 the dockercfg that is generated has the same format regardless of it's generated via the web console or CLI - that is, without the auths object.

@rezie
Copy link
Author

rezie commented Mar 2, 2018

Closing for now since this seems to be #18059. Will reopen otherwise.

@rezie rezie closed this as completed Mar 2, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@rezie