Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

installer should throw useful error message when pull secret is expired #2689

Closed
vasukulkarni opened this issue Nov 19, 2019 · 6 comments
Closed

installer should throw useful error message when pull secret is expired #2689

vasukulkarni opened this issue Nov 19, 2019 · 6 comments

Comments

@vasukulkarni
Copy link

Version

$ openshift-install version
<your output here>

v4.2.7
built from commit 425e4ff
release image registry.svc.ci.openshift.org/ocp/release@sha256:1792f2deda2dc3fd121b445790c01ac4aaf69dfa1f1c88d2d2ea6da3e16d7cda

Platform:

aws

What happened?

when the pull secret is expired, the error message is misleading

Error is Error from server (Forbidden): namespaces is forbidden: User "system:anonymous" cannot create namespaces at the cluster scope: no RBAC policy matched

What you expected to happen?

The installer should do these checks at the very beginning and should error out with clear error message.

How to reproduce it (as minimally and precisely as possible)?

use an expired pull secret key
@abhinavdahiya
Copy link
Contributor

when the pull secret is expired, the error message is misleading

Error is Error from server (Forbidden): namespaces is forbidden: User "system:anonymous" cannot create namespaces at the cluster scope: no RBAC policy matched

the error doesn't seem like an issue due to pull-secret @vasukulkarni

@vasukulkarni
Copy link
Author

@abhinavdahiya I think you are right, it was our must-gather invocation after failed create, but since I used loglevel INFO, there isnt meaningful error message when pull secret has expired, can something be done about that? and probably it can fail sooner than later. Thanks

10:12:11 - MainThread - ocs_ci.utility.utils - INFO - Executing command: /Users/vasukulkarni/ocs-ci/bin/openshift-install create cluster --dir /Users/vasukulkarni/cluster-path/ --log-level INFO
10:50:11 - MainThread - ocs_ci.ocs.utils - INFO - Must gather image: quay.io/openshift/origin-must-gather will be used.
10:50:11 - MainThread - ocs_ci.ocs.utils - INFO - OCS logs will be placed in location /tmp/failed_testcase_ocs_logs_1574187108/deployment_ocs_logs/ocp_must_gather
10:50:11 - MainThread - ocs_ci.utility.utils - INFO - Executing command: oc --kubeconfig /Users/vasukulkarni/vasu-cluster-path/auth/kubeconfig adm must-gather --image=quay.io/openshift/origin-must-gather --dest-dir=/tmp/failed_testcase_ocs_logs_1574187108/deployment_ocs_logs/ocp_must_gather
10:50:13 - MainThread - ocs_ci.ocs.utils - ERROR - Failed during must gather logs! Error: Error during execution of command: oc --kubeconfig /Users/vasukulkarni/vasu-cluster-path/auth/kubeconfig adm must-gather --image=quay.io/openshift/origin-must-gather --dest-dir=/tmp/failed_testcase_ocs_logs_1574187108/deployment_ocs_logs/ocp_must_gather.
                                                   Error is Error from server (Forbidden): namespaces is forbidden: User "system:anonymous" cannot create namespaces at the cluster scope: no RBAC policy matched

@abhinavdahiya
Copy link
Contributor 

 INFO - Executing command: oc --kubeconfig /Users/vasukulkarni/vasu-cluster-path/auth/kubeconfig adm must-gather --image=quay.io/openshift/origin-must-gather --dest-dir=/tmp/failed_testcase_ocs_logs_1574187108/deployment_ocs_logs/ocp_must_gather
 ERROR - Failed during must gather logs! Error: Error during execution of command: oc --kubeconfig /Users/vasukulkarni/vasu-cluster-path/auth/kubeconfig adm must-gather --image=quay.io/openshift/origin-must-gather --dest-dir=/tmp/failed_testcase_ocs_logs_1574187108/deployment_ocs_logs/ocp_must_gather.
                                                   Error is Error from server (Forbidden): namespaces is forbidden: User "system:anonymous" cannot create namespaces at the cluster scope: no RBAC policy matched
  1. that is not controlled by the installer sadly, the kubeconfig should be trusted by api and oc adm must-gather is also not controlled by this repo.
  2. but that is still not related to the pull-secret?
    Do you mean that the install failed due to invalid pull-secret?
    pull-secret is used to pull container-images, it is not used to authenticate with api.

@vasukulkarni
Copy link
Author

vasukulkarni commented Nov 20, 2019
edited
Loading

@abhinavdahiya I am agreeing with you that installer is not responsible for the above error, but what I am asking is if we can improve the error message check when pull-secret is invalid, my pull-secret had expired yesterday and I was hitting above issue. I can try to give you exact error message when it fails with invalid pull-secret with --debug and I have seen its not very helpful.

@abhinavdahiya
Copy link
Contributor

Ahh, I get it now.

closing it favor of #2569 as the installer cannot verify access to the release-image because there is no condition that the installer needs to have access to the release-image, only the cluster requires the access.

@openshift-ci-robot
Copy link
Contributor

@abhinavdahiya: Closing this issue.

In response to this:

Ahh, I get it now.

closing it favor of #2569 as the installer cannot verify access to the release-image because there is no condition that the installer needs to have access to the release-image, only the cluster requires the access.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@vasukulkarni @abhinavdahiya @openshift-ci-robot