fluxcd/flux

Docker credentials fail for secrets created with kubectl v1.13.0

Closed this issue · 5 comments

If you create a dockerconfigjson secret for use as an imagePullSecret, using kubectl v1.13.0, fluxd is not able to parse it when it comes to scanning the image registry.

The reason is that the format generated by v1.13.0 is different to that of prior versions. Using v1.12:

$ kubectl create secret docker-registry docker-reg-secret --docker-server=private.dockerrepo.com --docker-username=xxxxx --docker-password="xxxxx" --docker-email="xxx@xyz.cim" --dry-run -o json | jq -r '.data[".dockerconfigjson"]' | base64 -d
{"auths":{"private.dockerrepo.com":{"username":"xxxxx","password":"xxxxx","email":"xxx@xyz.cim","auth":"eHh4eHg6eHh4eHg="}}}

Using v1.13.0:

$ kubectl create secret docker-registry docker-reg-secret --docker-server=private.dockerrepo.com --docker-username=xxxxx --docker-password="xxxxx" --docker-email="xxx@xyz.cim" --dry-run -o json | jq -r '.data[".dockerconfigjson"]' | base64 -d
{"auths":{"private.dockerrepo.com":{"Username":"xxxxx","Password":"xxxxx","Email":"xxx@xyz.cim"}}}

It's the lack of an auth field that trips fluxd up; but the capitalisation might also cause a problem. It's unclear whether this was an entirely deliberate change; we can probably work around it by looking for Username and Password fields (in preference to decoding auth, even).

@awh tracked this down to kubernetes/kubernetes@9f5c2ae, which redefines DockerConfigEntry without the Auth field and without the JSON struct annotations.

Unclear whether it was deliberate or not ...

So... any ETA on fixing this?

Looks like it's been fixed in kubectl, in time for 1.14: kubernetes/kubernetes#72344

I am inclined to add an entry to troubleshooting.md advising people to create secrets with a kubectl either side of 1.13.

@squaremo thanks, updated kubectl to 1.13.2 on the client side and generated manifests with secrets.

@dananichev Oh, so it's fixed in 1.13.2? Hurrah!
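The workaround proposed in the issue (prefer the Username and Password fields, fall back to decoding auth), sketched as an added Go example that is not fluxd's code; `parseCreds`, `entry` and `creds` are hypothetical names. It relies on Go's encoding/json matching object keys case-insensitively, so the capitalised keys written by kubectl v1.13.0 need no special handling.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// The two payloads shown in the issue (v1.12 and v1.13.0 output).
const sampleV112 = `{"auths":{"private.dockerrepo.com":{"username":"xxxxx","password":"xxxxx","email":"xxx@xyz.cim","auth":"eHh4eHg6eHh4eHg="}}}`
const sampleV113 = `{"auths":{"private.dockerrepo.com":{"Username":"xxxxx","Password":"xxxxx","Email":"xxx@xyz.cim"}}}`

// entry is one value under "auths"; "Username" also matches the username tag.
type entry struct {
	Username string `json:"username"`
	Password string `json:"password"`
	Auth     string `json:"auth"`
}

type creds struct{ User, Pass string }

// parseCreds is a hypothetical helper: registry host -> credentials.
func parseCreds(raw []byte) (map[string]creds, error) {
	var cfg struct {
		Auths map[string]entry `json:"auths"`
	}
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, err
	}
	out := make(map[string]creds, len(cfg.Auths))
	for host, e := range cfg.Auths {
		if e.Username != "" && e.Password != "" { // preferred, per the issue
			out[host] = creds{e.Username, e.Password}
			continue
		}
		dec, err := base64.StdEncoding.DecodeString(e.Auth) // "user:password"
		user, pass, ok := strings.Cut(string(dec), ":")
		if err != nil || !ok || user == "" {
			return nil, fmt.Errorf("%s: no usable credentials", host)
		}
		out[host] = creds{user, pass}
	}
	return out, nil
}

func main() {
	c, err := parseCreds([]byte(sampleV113))
	fmt.Println(c["private.dockerrepo.com"].User, err) // user only, never the password
}
```

An entry with neither a username/password pair nor a decodable auth value is rejected with an error that names the host but not the secret material.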