OCPBUGS-50507: Intermittent authentication issues when accessing OpenShift registry #365

sanchezl · 2025-02-11T16:35:00Z

In some instances, the controller would re-queue an image pull secret in such a way that the check for an expiring token would only occur after the token had expired. This would result in a gap of time in which the pull secret contents would be invalid.

openshift-ci-robot · 2025-02-11T16:35:39Z

@sanchezl: This pull request references Jira Issue OCPBUGS-50507, which is invalid:

expected the bug to target the "4.19.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

sanchezl · 2025-02-11T16:42:15Z

/jira refresh

openshift-ci-robot · 2025-02-11T16:42:28Z

@sanchezl: This pull request references Jira Issue OCPBUGS-50507, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target version (4.19.0) matches configured target version for branch (4.19.0)
bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira ([email protected]), skipping review request.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

ricardomaraschini

This seems to move us to a better place! Thanks for that. I would like to see some unit tests for the registryAuthenticationFileValid() and refreshThresholdTime(), if that is possible.

ricardomaraschini · 2025-02-12T10:16:04Z

pkg/internalregistry/controllers/image_pull_secret_controller.go

+func refreshThresholdTime(nbf, exp time.Time) time.Time {
+	// calculate the time at which only 40% of the valid duration would be left
+	validDuration := exp.Sub(nbf)
+	return exp.Add(-time.Duration(int64(float64(validDuration) * 0.4)))


Are we guaranteed to always get exp > nbf here ?

It would be very unlikely, it means k8s would have issued an invalid token. I added a check anyway.

ricardomaraschini · 2025-02-12T10:20:56Z

pkg/internalregistry/controllers/image_pull_secret_controller.go

 }

-func (c *imagePullSecretController) registryAuthenticationFileValid(imagePullSecret *corev1.Secret, urls, kids []string) (bool, time.Time) {
+func (c *imagePullSecretController) registryAuthenticationFileValid(imagePullSecret *corev1.Secret, urls, kids []string, now time.Time) (bool, *time.Time) {


Wouldn't it be a good idea moving parts of this function to isSecretRefreshNeeded() instead ? I mean, this function does some validations (if the secret is of the right Type for instance) while also validates if the tokens in a valid secret haven't expired. I see this as two distinct things: in one the secret is invalid while in the other the tokens are invalid. It is up to you but I believe that splitting would make things easier to reason about.

The way things are here the only purpose of isSecretRefreshNeeded() is to invert the value of valid.

Can we have some unit tests to test the logic as well?

openshift-ci · 2025-03-26T09:37:53Z

@sanchezl: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/security	`43e8fd9`	link	false	`/test security`
ci/prow/okd-scos-e2e-aws-ovn	`43e8fd9`	link	false	`/test okd-scos-e2e-aws-ovn`

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

vrutkovs

/lgtm

openshift-ci · 2025-03-26T17:22:56Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sanchezl, vrutkovs

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [sanchezl]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

sanchezl · 2025-03-26T17:38:05Z

/label acknowledge-critical-fixes-only

openshift-ci-robot · 2025-03-26T17:41:22Z

@sanchezl: Jira Issue OCPBUGS-50507: All pull requests linked via external trackers have merged:

openshift/openshift-controller-manager#365

Jira Issue OCPBUGS-50507 has been moved to the MODIFIED state.

In response to this:

In some instances, the controller would re-queue an image pull secret in such a way that the check for an expiring token would only occur after the token had expired. This would result in a gap of time in which the pull secret contents would be invalid.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-bot · 2025-03-26T22:39:46Z

[ART PR BUILD NOTIFIER]

Distgit: ose-openshift-controller-manager
This PR has been included in build ose-openshift-controller-manager-container-v4.20.0-202503262140.p0.g49eb6f8.assembly.stream.el9.
All builds following this will include this PR.

sanchezl · 2025-03-27T11:42:01Z

/cherry-pick release-4.18

openshift-cherrypick-robot · 2025-03-27T11:42:49Z

@sanchezl: new pull request created: #369

In response to this:

/cherry-pick release-4.18

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

sanchezl changed the title ~~correct calculated refresh time~~ OCPBUGS-50507: Intermittent authentication issues when accessing OpenShift registry Feb 11, 2025

openshift-ci bot requested review from csrwng and sayan-biswas February 11, 2025 16:35

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 11, 2025

openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Feb 11, 2025

ricardomaraschini reviewed Feb 12, 2025

View reviewed changes

sanchezl force-pushed the OCPBUGS-50507 branch from 1ba874b to 756d840 Compare March 20, 2025 17:32

correct calculated refresh time

43e8fd9

sanchezl force-pushed the OCPBUGS-50507 branch from 756d840 to 43e8fd9 Compare March 26, 2025 06:44

vrutkovs approved these changes Mar 26, 2025

View reviewed changes

openshift-ci bot assigned vrutkovs Mar 26, 2025

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 26, 2025

openshift-ci bot added the acknowledge-critical-fixes-only Indicates if the issuer of the label is OK with the policy. label Mar 26, 2025

openshift-merge-bot bot merged commit 49eb6f8 into openshift:master Mar 26, 2025
11 of 13 checks passed

openshift-cherrypick-robot mentioned this pull request Mar 27, 2025

[release-4.18] OCPBUGS-54304: Intermittent authentication issues when accessing OpenShift registry #369

Merged

OCPBUGS-50507: Intermittent authentication issues when accessing OpenShift registry #365

OCPBUGS-50507: Intermittent authentication issues when accessing OpenShift registry #365

Uh oh!

Conversation

sanchezl commented Feb 11, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-ci-robot commented Feb 11, 2025

Uh oh!

sanchezl commented Feb 11, 2025

Uh oh!

openshift-ci-robot commented Feb 11, 2025

Uh oh!

ricardomaraschini left a comment

Choose a reason for hiding this comment

Uh oh!

ricardomaraschini Feb 12, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

sanchezl Mar 20, 2025

Choose a reason for hiding this comment

Uh oh!

ricardomaraschini Feb 12, 2025

Choose a reason for hiding this comment

Uh oh!

droslean Feb 12, 2025

Choose a reason for hiding this comment

Uh oh!

openshift-ci bot commented Mar 26, 2025

Uh oh!

vrutkovs left a comment

Choose a reason for hiding this comment

Uh oh!

openshift-ci bot commented Mar 26, 2025

Uh oh!

sanchezl commented Mar 26, 2025

Uh oh!

Uh oh!

openshift-ci-robot commented Mar 26, 2025

Uh oh!

openshift-bot commented Mar 26, 2025

Uh oh!

sanchezl commented Mar 27, 2025

Uh oh!

openshift-cherrypick-robot commented Mar 27, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

7 participants

sanchezl commented Feb 11, 2025 •

edited

Loading

ricardomaraschini Feb 12, 2025 •

edited

Loading