Duplicate secret names in secrets list of service account.

[GrahamDumpleton]

Secret name being added to service account secrets list multiple times when UI used.

Version

oc v3.6.0+c4dd4cf
kubernetes v1.6.1+5115d708d7
features: Basic-Auth

Server https://127.0.0.1:8443
openshift v3.6.0+c4dd4cf
kubernetes v1.6.1+5115d708d7

Steps To Reproduce

First create a secret from the command link it to the builder service account.

oc secrets new-sshauth repo-at-github --ssh-privatekey=repo-at-github
oc secrets link builder repo-at-github

Listing the service account we get:

$ oc describe sa/builder
Name:		builder
Namespace:	myproject
Labels:		<none>
Annotations:	<none>

Image pull secrets:	builder-dockercfg-2k679

Mountable secrets: 	builder-token-z99xr
                   	builder-dockercfg-2k679
                   	repo-at-github

Tokens:            	builder-token-xsr30
                   	builder-token-z99xr

Delete the secret.

$ oc delete secret/repo-at-github
secret "repo-at-github" deleted

Run oc describe sa/builder again and you will see the secret name still listed. That is sort of to be expected, and is not the issue here. It is marked as (not found) at least.

Create the secret again and link it once more.

oc secrets new-sshauth repo-at-github --ssh-privatekey=repo-at-github
oc secrets link builder repo-at-github

Run oc describe sa/builder again and the secret name is still listed once, which is what one would expect. That is, avoids adding duplicates.

Delete the secret once more.

$ oc delete secret/repo-at-github
secret "repo-at-github" deleted

Remember that this will leave the secret still listed against the service account as noted above.

Now go and create the same secret from the web console and when doing that link the secret to the builder service account at the same time.

Now go back to the command line and describe the service account once more.

$ oc describe sa/builder
Name:		builder
Namespace:	myproject
Labels:		<none>
Annotations:	<none>

Image pull secrets:	builder-dockercfg-2k679

Mountable secrets: 	builder-token-z99xr
                   	builder-dockercfg-2k679
                   	repo-at-github
                   	repo-at-github

Tokens:            	builder-token-xsr30
                   	builder-token-z99xr

What you will find is that the name of the secret is listed more than once, presumably because the method used to link the secret from the web console, doesn't ensure that the secret name isn't already in the list.

Current Result

Can get duplicate secret name in secrets linked linked to service account when linked from web console.

Expected Result

Should not see duplicate name.

Additional Information

None.

[mfojtik]

@deads2k @spadgett not sure if we want to check the presence of the secret in web console or return a validation error.

[GrahamDumpleton]

A validation error complaining it is already listed against the service account would be worse because OpenShift doesn't remove entries from the service account if you had deleted the secret previously. Having it fail because the name was listed against the service account would prevent people adding the secret again and they wouldn't really understand why. Doing it from the command line doesn't error and appears to squash duplicates, so align with that behaviour.

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[GrahamDumpleton]

/lifecycle frozen