Docker credentials fails for secrets created with kubectl v1.13.0
Closed this issue · 5 comments
If you create a dockerconfigjson secret for use as an imagePullSecret, using kubectl v.1.13.0, fluxd is not able to parse it when it comes to scanning the image registry.
The reason is that the format generated by v1.13.0 is different to that prior: using v.1.12,
$ kubectl create secret docker-registry docker-reg-secret --docker-server=private.dockerrepo.com --docker-username=xxxxx --docker-password="xxxxx" --docker-email="xxx@xyz.cim" --dry-run -o json | jq -r '.data[".dockerconfigjson"]' | base64 -d
{"auths":{"private.dockerrepo.com":{"username":"xxxxx","password":"xxxxx","email":"xxx@xyz.cim","auth":"eHh4eHg6eHh4eHg="}}}
Using v1.13.0:
$ kubectl create secret docker-registry docker-reg-secret --docker-server=private.dockerrepo.com --docker-username=xxxxx --docker-password="xxxxx" --docker-email="xxx@xyz.cim" --dry-run -o json | jq -r '.data[".dockerconfigjson"]' | base64 -d
{"auths":{"private.dockerrepo.com":{"Username":"xxxxx","Password":"xxxxx","Email":"xxx@xyz.cim"}}}
It's the lack of an auth
field that trips fluxd up; but the capitalisation might also cause a problem. It's unclear whether this was an entirely deliberate change; we can probably work around it by looking for Username
and Password
fields (in preference to decoding auth
, even).
@awh tracked this down to kubernetes/kubernetes@9f5c2ae, which redefines DockerConfigEntry
without the Auth field and without the JSON struct annotations.
Unclear whether it was deliberate or not ...
So... any ETA on fixing this?
Looks like it's been fixed in kubectl, in time for 1.14: kubernetes/kubernetes#72344
I am inclined to add an entry to troubleshooting.md advising people to create secrets with a kubectl either side of 1.13.
@squaremo thanks, updated kubectl
to 1.13.2
on the client side and generated manifests with secrets.
@dananichev Oh, so it's fixed in 1.13.2? Hurrah!