Bug 1507886
| Summary: | Change secret data cause ServiceInstance update fail | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Qixuan Wang <qixuan.wang> |
| Component: | Service Broker | Assignee: | Matthew Staebler <mstaeble> |
| Status: | CLOSED ERRATA | QA Contact: | Qixuan Wang <qixuan.wang> |
| Severity: | medium | Priority: | medium |
| Version: | 3.7.0 | CC: | aos-bugs, jmontleo, mstaeble, pmorie |
| Target Release: | 3.7.0 | Doc Type: | No Doc Update |
| Hardware: | Unspecified | OS: | Unspecified |
| Last Closed: | 2017-11-28 22:20:29 UTC | Type: | Bug |
Description
Qixuan Wang
2017-10-31 11:43:36 UTC
This appears to be the same issue described in https://github.com/kubernetes-incubator/service-catalog/issues/1488. The service catalog sends all of the parameters for the ServiceInstance when sending an Update request. The Ansible Service Broker rejects the Update request because the postgresql_database parameter is included, which is a parameter to which updates are not allowed. IMO it is unlikely we are going to get full closure on the issue of which parameters should be sent soon. If a broker doesn't allow updates to a parameter, it should just ignore the values sent for that parameter in an update. Suggest closing this as NOTABUG once Matthew has a chance to talk to the ansible broker team about it.

Not just in Secret, other parameters have the same problem. For example, provision a Mediawiki APB on web, follow: Provisioned Services -> Mediawiki (APB) -> Edit -> Mediawiki Site Name, change (MediaWiki->MediaWiki-test) has the same problem.

```
[root@preserve-qe-qw-master-etcd-nfs-1 ~]# oc describe serviceinstance dh-mediawiki123-apb-t9zh8
Name: dh-mediawiki123-apb-t9zh8
Namespace: qwang9
Labels: <none>
Annotations: <none>
API Version: servicecatalog.k8s.io/v1beta1
Kind: ServiceInstance
Metadata:
  Creation Timestamp: 2017-10-31T14:27:52Z
  Finalizers:
    kubernetes-incubator/service-catalog
  Generate Name: dh-mediawiki123-apb-
  Generation: 2
  Resource Version: 160481
  Self Link: /apis/servicecatalog.k8s.io/v1beta1/namespaces/qwang9/serviceinstances/dh-mediawiki123-apb-t9zh8
  UID: adc48c8a-be47-11e7-8db3-0a580a810006
Spec:
  Cluster Service Class External Name: dh-mediawiki123-apb
  Cluster Service Class Ref:
    Name: 268dbc13f56297fdd3737b7d30104eb4
  Cluster Service Plan External Name: default
  Cluster Service Plan Ref:
    Name: c54bf88ce67b96a39e639d2bdf6caf1a
  External ID: d27a9efe-10eb-4523-863f-acf3e10f61b9
  Parameters:
  Parameters From:
    Secret Key Ref:
      Key: parameters
      Name: dh-mediawiki123-apbxfloa
  Update Requests: 1
  User Info:
    Extra:
      Scopes . Authorization . Openshift . Io:
        user:full
    Groups:
      system:authenticated:oauth
      system:authenticated
    UID:
    Username: qwang
Status:
  Async Op In Progress: false
  Conditions:
    Last Transition Time: 2017-10-31T14:43:30Z
    Message: ClusterServiceBroker returned a failure for update call; operation will not be retried: Error updating ServiceInstance of ClusterServiceClass (K8S: "268dbc13f56297fdd3737b7d30104eb4" ExternalName: "dh-mediawiki123-apb") at ClusterServiceBroker "ansible-service-broker": Status: 400; ErrorMessage: <nil>; Description: parameter not updatable; ResponseError: <nil>
    Reason: UpdateInstanceCallFailed
    Status: False
    Type: Ready
    Last Transition Time: 2017-10-31T14:43:30Z
    Message: Error updating ServiceInstance of ClusterServiceClass (K8S: "268dbc13f56297fdd3737b7d30104eb4" ExternalName: "dh-mediawiki123-apb") at ClusterServiceBroker "ansible-service-broker": Status: 400; ErrorMessage: <nil>; Description: parameter not updatable; ResponseError: <nil>
    Reason: ClusterServiceBrokerReturnedFailure
    Status: True
    Type: Failed
  External Properties:
    Cluster Service Plan External Name: default
    Parameter Checksum: 93fb3b70c53492fb190aef20a4ab43291ae13beced38a9ae4eda5d9aa0e740ee
    Parameters:
      Mediawiki _ Admin _ Pass: <redacted>
      Mediawiki _ Admin _ User: <redacted>
      Mediawiki _ Db _ Schema: <redacted>
      Mediawiki _ Site _ Lang: <redacted>
      Mediawiki _ Site _ Name: <redacted>
    User Info:
      Extra:
        Scopes . Authorization . Openshift . Io:
          user:full
      Groups:
        system:authenticated:oauth
        system:authenticated
      UID:
      Username: qwang
  Orphan Mitigation In Progress: false
  Reconciled Generation: 2
Events:
  FirstSeen  LastSeen  Count  From  SubObjectPath  Type  Reason  Message
  ---------  --------  -----  ----  -------------  --------  ------  -------
  20m  20m  1  service-catalog-controller-manager    Warning  ErrorWithParameters  Failed to prepare ServiceInstance parameters nil: secrets "dh-mediawiki123-apb-parameters2r73m" not found
  20m  20m  1  service-catalog-controller-manager    Normal  Provisioning  The instance is being provisioned asynchronously
  18m  18m  1  service-catalog-controller-manager    Normal  ProvisionedSuccessfully  The instance was provisioned successfully
  5m  5m  4  service-catalog-controller-manager    Warning  UpdateInstanceCallFailed  Error updating ServiceInstance of ClusterServiceClass (K8S: "268dbc13f56297fdd3737b7d30104eb4" ExternalName: "dh-mediawiki123-apb") at ClusterServiceBroker "ansible-service-broker": Status: 400; ErrorMessage: <nil>; Description: parameter not updatable; ResponseError: <nil>
```

```
10.129.0.1 - - [31/Oct/2017:14:40:56 +0000] "GET /ansible-service-broker/v2/catalog HTTP/1.1" 200 74028
[2017-10-31T14:43:30.675Z] [INFO] Request: "PATCH /ansible-service-broker/v2/service_instances/d27a9efe-10eb-4523-863f-acf3e10f61b9?accepts_incomplete=true HTTP/1.1\r\nHost: asb.ansible-service-broker.svc:1338\r\nAccept-Encoding: gzip\r\nContent-Length: 224\r\nContent-Type: application/json\r\nUser-Agent: Go-http-client/1.1\r\nX-Broker-Api-Originating-Identity: kubernetes eyJncm91cHMiOlsic3lzdGVtOmF1dGhlbnRpY2F0ZWQ6b2F1dGgiLCJzeXN0ZW06YXV0aGVudGljYXRlZCJdLCJzY29wZXMuYXV0aG9yaXphdGlvbi5vcGVuc2hpZnQuaW8iOlsidXNlcjpmdWxsIl0sInVpZCI6IiIsInVzZXJuYW1lIjoicXdhbmcifQ==\r\nX-Broker-Api-Version: 2.13\r\n\r\n{\"service_id\":\"268dbc13f56297fdd3737b7d30104eb4\",\"parameters\":{\"mediawiki_admin_pass\":\"111\",\"mediawiki_admin_user\":\"admin\",\"mediawiki_db_schema\":\"mediawiki\",\"mediawiki_site_lang\":\"en\",\"mediawiki_site_name\":\"MediaWiki-test\"}}"
[2017-10-31T14:43:30.675Z] [DEBUG] Auto Escalate has been set to true, we are escalating permissions
[2017-10-31T14:43:30.676Z] [DEBUG] Dao::GetSvcInstJobsByState
[2017-10-31T14:43:30.676Z] [DEBUG] Dao::getJobsForSvcInst
[2017-10-31T14:43:30.676Z] [DEBUG] Successfully loaded [ 1 ] jobs objects from [ /state/d27a9efe-10eb-4523-863f-acf3e10f61b9/job ]
[2017-10-31T14:43:30.676Z] [DEBUG] Filtered on state: [ %!s(int=0) ], returning %!d(MISSING) jobs
[2017-10-31T14:43:30.676Z] [DEBUG] Update received the following Request.PlanID: []
[2017-10-31T14:43:30.676Z] [DEBUG] Plan transition NOT requested as part of update
[2017-10-31T14:43:30.676Z] [ERROR] Tried to update non-updatable parameter, mediawiki_site_lang, on instance d27a9efe-10eb-4523-863f-acf3e10f61b9.
```

This is working as expected. The broker is rejecting the update because the broker does not allow the user to downgrade the plan.

Ignore last comment. It was added to the wrong bug.

This has been resolved by https://github.com/openshift/ansible-service-broker/pull/516.

Tested on OCP (openshift v3.7.0-0.184.0, kubernetes v1.7.6+a08f5eeb62, etcd 3.2.8, brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/ose-service-catalog:v3.7.0-0.194.0.0, brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/ose-ansible-service-broker:v3.7.0-0.194.0.0), Mediawiki can change site name. PostgreSQL can update secret. The bug has been fixed, thanks.

Here is test result:

```
[root@host-172-16-120-51 ~]# oc describe serviceinstance dh-rhscl-postgresql-apb-nvmft
Name: dh-rhscl-postgresql-apb-nvmft
Namespace: qwang-p
Labels: <none>
Annotations: <none>
API Version: servicecatalog.k8s.io/v1beta1
Kind: ServiceInstance
Metadata:
  Creation Timestamp: 2017-11-05T16:14:57Z
  Finalizers:
    kubernetes-incubator/service-catalog
  Generate Name: dh-rhscl-postgresql-apb-
  Generation: 2
  Resource Version: 41657
  Self Link: /apis/servicecatalog.k8s.io/v1beta1/namespaces/qwang-p/serviceinstances/dh-rhscl-postgresql-apb-nvmft
  UID: 775797fe-c244-11e7-ad11-0a580a800004
Spec:
  Cluster Service Class External Name: dh-rhscl-postgresql-apb
  Cluster Service Class Ref:
    Name: 27793015fe45db2fbc1deb7372cc4036
  Cluster Service Plan External Name: dev
  Cluster Service Plan Ref:
    Name: 9f90a44d8181941768273a684de50de5
  External ID: 32dace0e-11ae-4833-9fab-3acb7fffd1fc
  Parameters From:
    Secret Key Ref:
      Key: parameters
      Name: dh-rhscl-postgresql-apb-parametershx7aa
  Update Requests: 1
  User Info:
    Groups:
      system:cluster-admins
      system:authenticated
    UID:
    Username: system:admin
Status:
  Async Op In Progress: false
  Conditions:
    Last Transition Time: 2017-11-05T16:26:40Z
    Message: The instance was updated successfully
    Reason: InstanceUpdatedSuccessfully
    Status: True
    Type: Ready
  Deprovision Status: Required
  External Properties:
    Cluster Service Plan External ID: 9f90a44d8181941768273a684de50de5
    Cluster Service Plan External Name: dev
    Parameter Checksum: a6a50b5b52edf621600e805dbc074ccd981e63391de7f59eacfa25bca38ab958
    Parameters:
      Postgresql _ Database: <redacted>
      Postgresql _ Password: <redacted>
      Postgresql _ User: <redacted>
      Postgresql _ Version: <redacted>
    User Info:
      Groups:
        system:cluster-admins
        system:authenticated
      UID:
      Username: system:admin
  Orphan Mitigation In Progress: false
  Reconciled Generation: 2
Events:
  FirstSeen  LastSeen  Count  From  SubObjectPath  Type  Reason  Message
  ---------  --------  -----  ----  -------------  --------  ------  -------
  24m  24m  1  service-catalog-controller-manager    Warning  ErrorWithParameters  Failed to prepare ServiceInstance parameters nil: secrets "dh-rhscl-postgresql-apb-parametershx7aa" not found
  24m  24m  1  service-catalog-controller-manager    Normal  Provisioning  The instance is being provisioned asynchronously
  24m  24m  1  service-catalog-controller-manager    Normal  ProvisionedSuccessfully  The instance was provisioned successfully
  13m  13m  1  service-catalog-controller-manager    Normal  UpdatingInstance  The instance is being updated asynchronously
  13m  13m  1  service-catalog-controller-manager    Normal  InstanceUpdatedSuccessfully  The instance was updated successfully
```

Here is ASB log:

```
<-----snip------>
[2017-11-05T16:26:27.608Z] [INFO] ASYNC update in progress
[2017-11-05T16:26:27.609Z] [NOTICE] ============================================================
[2017-11-05T16:26:27.609Z] [NOTICE] UPDATING
[2017-11-05T16:26:27.609Z] [NOTICE] ============================================================
[2017-11-05T16:26:27.609Z] [NOTICE] Spec.ID: 27793015fe45db2fbc1deb7372cc4036
[2017-11-05T16:26:27.609Z] [NOTICE] Spec.Name: dh-rhscl-postgresql-apb
[2017-11-05T16:26:27.609Z] [NOTICE] Spec.Image: docker.io/ansibleplaybookbundle/rhscl-postgresql-apb:latest
[2017-11-05T16:26:27.609Z] [NOTICE] Spec.Description: SCL PostgreSQL apb implementation
[2017-11-05T16:26:27.609Z] [NOTICE] ============================================================
[2017-11-05T16:26:27.609Z] [INFO] Checking if project qwang-p exists...
10.128.0.1 - - [05/Nov/2017:16:26:27 +0000] "PATCH /ansible-service-broker/v2/service_instances/32dace0e-11ae-4833-9fab-3acb7fffd1fc?accepts_incomplete=true HTTP/1.1" 202 58
[2017-11-05T16:26:27.674Z] [WARNING] Removing non-updatable parameter postgresql_database, requested for update on instance 32dace0e-11ae-4833-9fab-3acb7fffd1fc, from request.
[2017-11-05T16:26:27.674Z] [WARNING] Removing non-updatable parameter postgresql_password, requested for update on instance 32dace0e-11ae-4833-9fab-3acb7fffd1fc, from request.
[2017-11-05T16:26:27.674Z] [WARNING] Removing non-updatable parameter postgresql_user, requested for update on instance 32dace0e-11ae-4833-9fab-3acb7fffd1fc, from request.
[2017-11-05T16:26:27.698Z] [INFO] ASYNC update in progress
[2017-11-05T16:26:27.698Z] [NOTICE] ============================================================
[2017-11-05T16:26:27.699Z] [NOTICE] UPDATING
[2017-11-05T16:26:27.699Z] [NOTICE] ============================================================
[2017-11-05T16:26:27.699Z] [NOTICE] Spec.ID: 27793015fe45db2fbc1deb7372cc4036
[2017-11-05T16:26:27.699Z] [NOTICE] Spec.Name: dh-rhscl-postgresql-apb
[2017-11-05T16:26:27.699Z] [NOTICE] Spec.Image: docker.io/ansibleplaybookbundle/rhscl-postgresql-apb:latest
[2017-11-05T16:26:27.699Z] [NOTICE] Spec.Description: SCL PostgreSQL apb implementation
[2017-11-05T16:26:27.699Z] [NOTICE] ============================================================
[2017-11-05T16:26:27.699Z] [INFO] Checking if project qwang-p exists...
10.128.0.1 - - [05/Nov/2017:16:26:27 +0000] "PATCH /ansible-service-broker/v2/service_instances/32dace0e-11ae-4833-9fab-3acb7fffd1fc?accepts_incomplete=true HTTP/1.1" 202 58
10.128.0.1 - - [05/Nov/2017:16:26:27 +0000] "GET /ansible-service-broker/v2/service_instances/32dace0e-11ae-4833-9fab-3acb7fffd1fc/last_operation?operation=a9cfd719-c324-4bba-83e2-f437af28b992&plan_id=9f90a44d8181941768273a684de50de5&service_id=27793015fe45db2fbc1deb7372cc4036 HTTP/1.1" 200 29
[2017-11-05T16:26:27.874Z] [INFO] Successfully wrote resources to /tmp/asb-resource-files/apb-68bc7d60-ad45-410c-8656-98e58fd6c759.yaml
[2017-11-05T16:26:27.92Z] [INFO] Successfully wrote resources to /tmp/asb-resource-files/apb-754dcc49-a51e-4ec0-83aa-51848cde2240.yaml
[2017-11-05T16:26:28.136Z] [INFO] Successfully created apb sandbox: [ apb-68bc7d60-ad45-410c-8656-98e58fd6c759 ], with edit permissions in namespace dh-rhscl-postgresql-apb-upda-pl2bz
[2017-11-05T16:26:28.137Z] [NOTICE] Creating pod "apb-68bc7d60-ad45-410c-8656-98e58fd6c759" in the dh-rhscl-postgresql-apb-upda-pl2bz namespace
[2017-11-05T16:26:28.176Z] [INFO] Successfully created apb sandbox: [ apb-754dcc49-a51e-4ec0-83aa-51848cde2240 ], with edit permissions in namespace dh-rhscl-postgresql-apb-upda-q6nns
<-----snip------>
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2017:3188
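
The behaviour change visible in the two broker logs above (a 400 "parameter not updatable" before the fix, "Removing non-updatable parameter ..." warnings after it), sketched in Go as an added example; it is not code from the ansible-service-broker project, and `ParamSpec`, `FilterUpdate` and the updatable flags in the sample are hypothetical. It goes one step beyond the logged behaviour by also reporting which dropped parameters carried a value different from the stored one, so an ignored change attempt can be told apart from a value the catalog merely resent.

```go
package main

import (
	"fmt"
	"sort"
)

// ParamSpec is a hypothetical plan parameter descriptor; only Updatable matters here.
type ParamSpec struct {
	Name      string
	Updatable bool
}

// FilterUpdate splits the parameters of an update request into those the plan
// allows to change and those it does not. Non-updatable names are dropped
// rather than rejected, because the catalog resends every parameter on update.
// changed lists the dropped names whose value differs from the stored one:
// those were real change attempts that the broker ignored.
func FilterUpdate(plan []ParamSpec, stored, req map[string]string) (accepted map[string]string, dropped, changed []string) {
	updatable := make(map[string]bool, len(plan))
	for _, p := range plan {
		updatable[p.Name] = p.Updatable
	}
	accepted = make(map[string]string)
	for name, val := range req {
		if updatable[name] { // names unknown to the plan count as non-updatable
			accepted[name] = val
			continue
		}
		dropped = append(dropped, name)
		if old, ok := stored[name]; !ok || old != val {
			changed = append(changed, name)
		}
	}
	sort.Strings(dropped) // map iteration order is random; sort for stable logs
	sort.Strings(changed)
	return accepted, dropped, changed
}

func main() {
	// Constructed sample modelled on the Mediawiki request in the report;
	// which parameters are updatable is an assumption made for the example.
	plan := []ParamSpec{{"mediawiki_site_name", true}, {"mediawiki_site_lang", false}, {"mediawiki_admin_pass", false}}
	stored := map[string]string{"mediawiki_site_name": "MediaWiki", "mediawiki_site_lang": "en", "mediawiki_admin_pass": "111"}
	req := map[string]string{"mediawiki_site_name": "MediaWiki-test", "mediawiki_site_lang": "en", "mediawiki_admin_pass": "222"}
	acc, dropped, changed := FilterUpdate(plan, stored, req)
	fmt.Println(acc, dropped, changed)
}
```

A caller would log `dropped` at warning level, as the fixed broker does, and treat a non-empty `changed` as the case worth surfacing to the user, since their requested value was not applied.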