Bug 1577712

Summary: Should not permit to create new servicebinding when serviceinstance DeprovisionBlockedByExistingCredentials
Product: OpenShift Container Platform
Reporter: Zhang Cheng <chezhang>
Component: Service Catalog
Assignee: Jay Boyd <jaboyd>
Status: CLOSED ERRATA
QA Contact: Zhang Cheng <chezhang>
Severity: medium
Docs Contact:
Priority: medium
Version: 3.10.0
CC: jaboyd, jiazha, zhsun, zitang
Target Milestone: ---
Target Release: 3.10.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
closed in current release
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-07-30 19:15:23 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Zhang Cheng 2018-05-14 03:10:33 UTC
Description of problem: 
Should not permit to create new servicebinding when DeprovisionBlockedByExistingCredentials


service-catalog & asb image using images from brew registry:
service-catalog: v3.10.0-0.38.0;Upstream:v0.1.16
asb: 1.2.10


How reproducible:
Always


Steps to Reproduce:
1. Deploy service catalog and ups broker.
2. Log in as a normal user, such as "chezhang"
3. Provision a New ServiceInstance by:
# oc new-project test-ns
# oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/svc-catalog/ups-instance.yaml
4. Binding to the Instance
# oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/svc-catalog/ups-servicebinding-1.yaml
5. Deprovision the ServiceInstance directly in backend
# oc delete serviceinstances ups-instance -n test-ns
# oc describe serviceinstance ups-instance -n test-ns 
...Skip...
 Message: All associated ServiceBindings must be removed before this ServiceInstance can be deleted
 Reason: DeprovisionBlockedByExistingCredentials
6. Try to create a new servicebinding by:
# oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/svc-catalog/ups-servicebinding-2.yaml


Actual results:  
6. The new servicebinding can be created when serviceinstance DeprovisionBlockedByExistingCredentials
# oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/svc-catalog/ups-servicebinding-2.yaml
servicebinding "ups-binding-2" created

# oc describe servicebinding ups-binding-2
Name:         ups-binding-2
Namespace:    test-ns
Labels:       <none>
Annotations:  <none>
API Version:  servicecatalog.k8s.io/v1beta1
Kind:         ServiceBinding
Metadata:
  Creation Timestamp:  2018-05-14T02:59:09Z
  Finalizers:
    kubernetes-incubator/service-catalog
  Generation:        1
  Resource Version:  9655
  Self Link:         /apis/servicecatalog.k8s.io/v1beta1/namespaces/test-ns/servicebindings/ups-binding-2
  UID:               c599108b-5722-11e8-8aa8-0a580a800003
Spec:
  External ID:  c5990cdf-5722-11e8-8aa8-0a580a800003
  Instance Ref:
    Name:       ups-instance
  Secret Name:  my-secret-2
  User Info:
    Extra:
      Scopes . Authorization . Openshift . Io:
        user:full
    Groups:
      system:authenticated:oauth
      system:authenticated
    UID:       
    Username:  chezhang
Status:
  Async Op In Progress:  false
  Conditions:
    Last Transition Time:         2018-05-14T02:59:09Z
    Message:                      Binding cannot begin because referenced ServiceInstance "test-ns/ups-instance" is not ready
    Reason:                       ErrorInstanceNotReady
    Status:                       False
    Type:                         Ready
  Orphan Mitigation In Progress:  false
  Reconciled Generation:          0
  Unbind Status:                  NotRequired
Events:
  Type     Reason                 Age                From                                Message
  ----     ------                 ----               ----                                -------
  Warning  ErrorInstanceNotReady  6s (x12 over 16s)  service-catalog-controller-manager  Binding cannot begin because referenced ServiceInstance "test-ns/ups-instance" is not ready


Expected results: 
6. Should not permit to create new servicebinding when serviceinstance DeprovisionBlockedByExistingCredentials
Such as:
# oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/svc-catalog/ups-servicebinding-2.yaml
Error from server (Forbidden): error when creating "https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/svc-catalog/ups-servicebinding-2.yaml": servicebindings.servicecatalog.k8s.io "ups-binding-2" is forbidden: ServiceBindings test-ns/ups-binding-2 references an instance that is being deleted: test-ns/ups-instance


Additional info:
None

Comment 1 Jay Boyd 2018-05-14 14:03:54 UTC
The Service Catalog admission controllers should block the creation of new bindings. We had a bug that caused the admission controllers to not be registered. This was fixed upstream by https://github.com/kubernetes-incubator/service-catalog/pull/2013 and was just recently picked up by Origin in atomic-enterprise-service-catalog-3.10.0-0.40.0

If you retest on atomic-enterprise-service-catalog-3.10.0-0.40.0 it should be working properly.

Similar to https://bugzilla.redhat.com/show_bug.cgi?id=1576718.
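
The failure mode Comment 1 describes, as an added illustration that is not code from Service Catalog or from the upstream pull request: a create request passes through a chain of admission checks, and a check that was never registered cannot reject anything. The type and function names (ServiceInstance, AdmitFunc, BindingLifecycle, CreateBinding, DemoInstances) and the sample state are assumptions made for this sketch.

```go
package main

import "fmt"
import "time"

// Simplified stand-ins for the API objects; field names are assumptions.
type ServiceInstance struct{ DeletionTimestamp *time.Time } // non-nil once deletion is requested
type ServiceBinding struct{ Namespace, Name, InstanceRef string }

// AdmitFunc is one admission check run before a create is persisted.
type AdmitFunc func(ServiceBinding) error

// BindingLifecycle (hypothetical name) rejects a binding whose instance is unknown or being deleted.
func BindingLifecycle(instances map[string]*ServiceInstance) AdmitFunc {
	return func(b ServiceBinding) error {
		key := b.Namespace + "/" + b.InstanceRef
		inst, ok := instances[key]
		if !ok { // fail closed on a missing instance (assumption of this sketch)
			return fmt.Errorf("ServiceBinding %s/%s references unknown ServiceInstance %s", b.Namespace, b.Name, key)
		}
		if inst.DeletionTimestamp != nil {
			return fmt.Errorf("ServiceBinding %s/%s references a ServiceInstance that is being deleted: %s", b.Namespace, b.Name, key)
		}
		return nil
	}
}

// CreateBinding runs every registered check; an empty chain admits everything.
func CreateBinding(chain []AdmitFunc, b ServiceBinding) error {
	for _, admit := range chain {
		if err := admit(b); err != nil {
			return err
		}
	}
	return nil
}

// DemoInstances is constructed sample state: ups-instance is mid-deletion.
func DemoInstances() map[string]*ServiceInstance {
	t := time.Date(2018, 5, 14, 2, 58, 0, 0, time.UTC)
	return map[string]*ServiceInstance{"test-ns/ups-instance": {DeletionTimestamp: &t}, "test-ns/ok-instance": {}}
}

func main() {
	b := ServiceBinding{"test-ns", "ups-binding-2", "ups-instance"}
	fmt.Println("plugin not registered:", CreateBinding(nil, b))
	fmt.Println("plugin registered:    ", CreateBinding([]AdmitFunc{BindingLifecycle(DemoInstances())}, b))
}
```

With the empty chain the create is admitted and the binding only fails later in the controller, which matches the ErrorInstanceNotReady condition in the report; with the check registered the request is refused up front.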

Comment 2 Zhang Cheng 2018-05-15 03:04:02 UTC
Changing status to "ON_QA" since the image is ready for test in downstream.

Comment 3 Zhang Cheng 2018-05-15 03:04:25 UTC
Verified and Passed with service catalog v3.10.0-0.41.0;Upstream:v0.1.18

# oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/svc-catalog/ups-servicebinding-2.yaml
Error from server (Forbidden): error when creating "https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/svc-catalog/ups-servicebinding-2.yaml": servicebindings.servicecatalog.k8s.io "ups-binding-2" is forbidden: ServiceBinding test-ns/ups-binding-2 references a ServiceInstance that is being deleted: test-ns/ups-instance

Comment 5 errata-xmlrpc 2018-07-30 19:15:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1816