Trident's registry credentials not updated when credentials change
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
StarlingX | Fix Released | Medium | João Victor Portal | |
Bug Description
Brief Description
-----------------
Trident's registry credentials are not updated when credentials change. The pods report the following status after the update:
trident trident-csi-5wxp4 0/2 ImagePullBackOff 70 77d
trident trident-
trident trident-csi-6kr6r 0/2 ImagePullBackOff 74 77d
trident trident-csi-7n6zj 0/2 ImagePullBackOff 66 77d
Severity
--------
Major
Steps to Reproduce
------------------
Change the registry credentials and check the secret 'trident-
Expected Behavior
------------------
The trident secret should be updated.
Actual Behavior
----------------
The trident secret value doesn't change.
Reproducibility
---------------
100% reproducible.
System Configuration
-------
All
Branch/Pull Time/Commit
-------
N/A.
Last Pass
---------
N/A.
Timestamp/Logs
--------------
Warning Failed 174m (x3 over 176m) kubelet, controller-0 Error: ErrImagePull
Warning Failed 174m (x3 over 176m) kubelet, controller-0 Failed to pull image "registry.
Warning Failed 174m (x3 over 176m) kubelet, controller-0 Error: ErrImagePull
Warning Failed 174m (x2 over 176m) kubelet, controller-0 Error: ImagePullBackOff
Warning Failed 174m (x2 over 176m) kubelet, controller-0 Error: ImagePullBackOff
Test Activity
-------------
N/A.
Workaround
----------
Use the following command to get the current base64 encoded credentials:
kubectl get secret trident-
Decode the data value .dockerconfigjson, replace the password with the new one and replace the base64 encoded username:password as well. Then re-encode the entire string. Store the new data with:
kubectl edit secret trident-
Wait for all pods to come back up. You can delete them to speed this process up.
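
The transformation the workaround describes (decode `.dockerconfigjson`, replace the password and the base64 `username:password`, re-encode), as an added example that is not part of the original bug report or the StarlingX code. The function names and the sample credentials are constructed for illustration.

```python
import base64
import json


def rotate_dockerconfigjson(encoded: str, new_password: str) -> str:
    """Return a new base64 .dockerconfigjson value with the password replaced.

    `encoded` is the base64 string stored under data[".dockerconfigjson"].
    Both "password" and the derived "auth" field (base64 of
    "username:password") are rewritten for every registry entry.
    """
    config = json.loads(base64.b64decode(encoded, validate=True))
    auths = config.get("auths")
    if not isinstance(auths, dict) or not auths:
        # An empty document such as "e30=" ({}) has nothing to rotate.
        raise ValueError("no 'auths' entries to update")
    for registry, entry in auths.items():
        username = entry.get("username")
        if not username and entry.get("auth"):
            # Some entries carry only "auth"; recover the username from it.
            username = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
        if not username:
            raise ValueError(f"no username for registry {registry!r}")
        entry["username"] = username
        entry["password"] = new_password
        entry["auth"] = base64.b64encode(
            f"{username}:{new_password}".encode()
        ).decode()
    return base64.b64encode(json.dumps(config).encode()).decode()


def sample_value(password: str) -> str:
    """Build a constructed sample secret value (not from a real system)."""
    user = "admin"
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    doc = {"auths": {"registry.local:9001": {
        "username": user, "password": password, "auth": auth}}}
    return base64.b64encode(json.dumps(doc).encode()).decode()


if __name__ == "__main__":
    print(rotate_dockerconfigjson(sample_value("old-pass"), "new-pass"))
```

The returned string is the value to store under `.dockerconfigjson` when editing the secret. Rewriting `auth` together with `password` matters because the two fields otherwise disagree after a manual edit.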
Changed in starlingx: | |
status: | New → In Progress |
assignee: | nobody → João Victor Portal (jvictorp) |
tags: | added: stx.6.0 stx.containers stx.security |
Changed in starlingx: | |
importance: | Undecided → Medium |
Changed in starlingx: | |
status: | In Progress → Fix Committed |
Changed in starlingx: | |
status: | Fix Committed → In Progress |
The changes are ready to be reviewed at https://review.opendev.org/c/starlingx/config/+/801401. The tests performed were the following: in an AIOSX VM deploy created with an ISO built from the dev branch plus the changes, the following secrets (the complete list of secrets affected by the audit method) were edited manually, and afterwards it was verified whether the secret value was corrected to the right value (the secret 'trident-local-registry-secret' was created manually).
name registry-local-secret, namespace kube-system
name trident-local-registry-secret, namespace trident
name default-registry-key, namespace armada
name default-registry-key, namespace cert-manager
name default-registry-key, namespace deployment
name default-registry-key, namespace kube-system
Values of secret used:
Wrong base64 encoded JSON credentials: ".dockerconfigjson: eyJhdXRocyI6eyJyZWdpc3RyeS5sb2NhbDo5MDAxIjp7InVzZXJuYW1lIjoienp6IiwicGFzc3dvcmQiOiJ6enoiLCJhdXRoIjoienp6In19fQ=="
Empty base64 encoded JSON: ".dockerconfigjson: e30="
The polling interval of the audit is 1 min.