kops: Adding a dockerconfig secret does not flag that an update is required
I’m trying to add dockerhub credentials by following the docs at https://github.com/kubernetes/kops/blob/master/docs/security.md#docker-configuration but can’t get the update to apply.
$ kops create secret --name kube1.k8s.my.tld dockerconfig -f ~/.docker/config.json --force \
  && echo $?
0
$ kops get secret dockerconfig -oplaintext
Using cluster from kubectl context: kube1.k8s.my.tld
{
  "auths": {
    "https://index.docker.io/v1/": {
      "auth": "XXXXXXX"
    }
  }
}
So far so good, but:
$ kops rolling-update cluster --name kube1.k8s.my.tld --yes
NAME STATUS NEEDUPDATE READY MIN MAX NODES
master-eu-west-1a Ready 0 1 1 1 1
master-eu-west-1b Ready 0 1 1 1 1
master-eu-west-1c Ready 0 1 1 1 1
nodes Ready 0 3 3 3 3
No rolling-update required.
Seems to work if I add --force to the rolling-update.
Kops version: 1.9.0
kubectl version
Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.3", GitCommit:"d2835416544f298c919e2ead3be3d0864b52323b", GitTreeState:"clean", BuildDate:"2018-02-07T12:22:21Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.3", GitCommit:"d2835416544f298c919e2ead3be3d0864b52323b", GitTreeState:"clean", BuildDate:"2018-02-07T11:55:20Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"}
About this issue
- State: closed
- Created 6 years ago
- Comments: 20 (8 by maintainers)
This bug still exists in master.
/reopen /remove-lifecycle rotten
We would need to put a hash of (or other data derived from) the secret into the bootstrap script, possibly by inserting it into the NodeUpConfig.
Secrets currently don’t store any metadata, so it would have to be a hash. That unfortunately leaks information about the secret and would allow brute-force attacks. Better would be to add the modification time or a randomly-generated ID to the fi.Secret struct and use that.
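The trade-off described in the comment above, as an added example that is not kops code: a marker hashed from the secret can be recomputed by anyone who reads the bootstrap data, while a random revision ID changes on every write and is unrelated to the secret bytes. The `Secret` type, its `Revision` field, `SetData`, `BootstrapFragment` and the `dockerconfigRevision` key are all hypothetical names assumed for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Secret is a hypothetical stand-in for the fi.Secret struct mentioned above.
type Secret struct {
	Data     []byte
	Revision string // assumed extra field: random ID, regenerated on every write
}

// SetData stores new secret bytes and assigns a fresh random revision ID.
func (s *Secret) SetData(data []byte) error {
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return err
	}
	s.Data, s.Revision = data, hex.EncodeToString(id)
	return nil
}

// HashMarker is the rejected option: the marker is a function of the secret,
// so a reader of the bootstrap data can test candidate values against it offline.
func HashMarker(s *Secret) string {
	sum := sha256.Sum256(s.Data)
	return hex.EncodeToString(sum[:])
}

// BootstrapFragment renders the line embedded in node bootstrap data
// (constructed format). Only the marker is embedded, never the secret.
func BootstrapFragment(marker string) string {
	return fmt.Sprintf("dockerconfigRevision: %s\n", marker)
}

// NeedsUpdate reports whether a node's deployed bootstrap data is stale.
func NeedsUpdate(deployed, desired string) bool {
	return deployed != desired
}

func main() {
	s := &Secret{}
	_ = s.SetData([]byte("constructed-value"))
	deployed := BootstrapFragment(s.Revision)
	_ = s.SetData([]byte("constructed-value")) // secret re-created with --force
	fmt.Println("needs update:", NeedsUpdate(deployed, BootstrapFragment(s.Revision)))
}
```

With the random ID, rewriting the secret flags a rolling update even when the bytes are identical; a modification time would behave the same way.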