Bug 1576718

Summary: Regression - Cannot prevent plan of serviceinstance update by "planUpdatable: false" in clusterserviceclass
Product: OpenShift Container Platform Reporter: Zhang Cheng <chezhang>
Component: Service CatalogAssignee: Jay Boyd <jaboyd>
Status: CLOSED ERRATA QA Contact: Zhang Cheng <chezhang>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.10.0CC: jaboyd, jiazha, zhsun, zitang
Target Milestone: ---   
Target Release: 3.10.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
closed in current release
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-07-30 19:14:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Zhang Cheng 2018-05-10 08:59:24 UTC 
Description of problem: 
Cannot prevent serviceinstance updates by "planUpdatable: false" in clusterserviceclass.


service-catalog & asb image using images from brew registry:
service-catalog: v3.10.0-0.38.0;Upstream:v0.1.16
asb: 1.2.10


How reproducible:
Always


Steps to Reproduce:
1. Provision a postgresql serviceinstance with "dev" plan in web console
2. Edit clusterserviceclass of postgresql, and set "planUpdatable: false"
3. Try to update serviceinstance plan from "dev" to "prod" by `oc edit serviceinstance dh-postgresql-apb-q5vjx -n $user_project` in backend.


Actual results:  
3. Plan of erviceinstance can be updated succeed without any prevention in backend; Furthermore, plan update can be prevented succeed in web console(no "plan" page display to user while editing).


Expected results: 
3. Should prevent plan of serviceinstance update by "planUpdatable: false" succeed both in backend and web console.
Comment 1 Jay Boyd 2018-05-10 15:55:42 UTC 
This is due to the Catalog admission controllers not being enabled.  This is fixed upstream by https://github.com/kubernetes-incubator/service-catalog/pull/2013 and will be picked up by openshift soon.
Comment 2 Jay Boyd 2018-05-14 14:02:59 UTC 
This fix is in atomic-enterprise-service-catalog-3.10.0-0.40.0 and newer builds.
Comment 3 Zhang Cheng 2018-05-15 02:56:29 UTC 
Changing status to ON_QA since image ready for test in downstream.
Comment 4 Zhang Cheng 2018-05-15 02:57:31 UTC 
Verified and Passed with service catalog v3.10.0-0.41.0;Upstream:v0.1.18

# oc edit clusterserviceclass ddd528762894b277001df310a126d5ad
clusterserviceclass.servicecatalog.k8s.io "ddd528762894b277001df310a126d5ad" edited
[root@qe-zitang-gcemaster-etcd-1 ~]# oc edit serviceinstance -n test1
error: serviceinstances "dh-mysql-apb-qr8rg" could not be patched: serviceinstances.servicecatalog.k8s.io "dh-mysql-apb-qr8rg" is forbidden: The Service Class ddd528762894b277001df310a126d5ad does not allow plan changes.
You can run `oc replace -f /tmp/oc-edit-21nin.yaml` to try this update again.
Comment 6 errata-xmlrpc 2018-07-30 19:14:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1816