Bug 1496688 – [ASB_public_377] Apb sandbox will be launched in openshift.namespace and fail to create the pod since can not find the matched secret when openshift.namespace is not the namespace which ansible-service-broker located

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1496688 - [ASB_public_377] Apb sandbox will be launched in openshift.namespace and fail to create the pod since can not find the matched secret when openshift.namespace is not the namespace which ansible-service-broker located

Summary:	[ASB_public_377] Apb sandbox will be launched in openshift.namespace and fail...

Status:	CLOSED CURRENTRELEASE

Aliases:	None

Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Service Broker (Show other bugs)
Sub Component:
Version:	3.7.0
Hardware:	Unspecified Unspecified

Priority	medium Severity medium
Target Milestone:	---
Target Release:	3.7.0
Assigned To:	Fabian von Feilitzsch
QA Contact:	weiwei jiang
Docs Contact:

URL:
Whiteboard:
Keywords:	Reopened

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2017-09-28 02:54 EDT by weiwei jiang
Modified:	2017-11-28 03:28 EST (History)
CC List:	5 users (show)

See Also:
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2017-11-10 15:59:28 EST
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:3188	normal	SHIPPED_LIVE	Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update	2017-11-28 21:34:54 EST

Groups: None (edit)

Description weiwei jiang 2017-09-28 02:54:22 EDT

Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 weiwei jiang 2017-09-28 04:29:49 EDT

Description of problem:
Apb sandbox pod will lauched in openshift.namespace When set openshift.namespace is not empty and not equal with the namespace which ansible-service-broker located. And apb sandbox will fail to launched 

Version-Release number of selected component (if applicable):
openshift v3.7.0-0.131.0
kubernetes v1.7.0+80709908fd
etcd 3.2.1
brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/ose-ansible-service-broker:v3.7.0-0.131.0.0

How reproducible:
Always

Steps to Reproduce:
1. Setup OCP with servicecatalog and ansible-service-broker
2. Create a secrets in the namespace which ansible-service-broker is in
oc create secret generic test-secret --from-literal=key1=supersecret --from-literal=key2=topsecret -n ansible-service-broker
2. Change the broker-config configmap as following and redeploy the ansible-service-broker pod
openshift:
  ...
  namespace: wjiang1
secrets:
 - title: Best secret
   apb_name: dh-ansibleplaybookbundle-hello-world-apb-latest
   secret: test-secret
3. try to provision dh-ansibleplaybookbundle-hello-world-apb-latest to make secrets section work.
4. Check apb sandbox pod status

Actual results:
4. The sandbox will be launched in wjiang1 namespace. 
And fail to run due to can not find the matched secret.

# oc get pods -n wjiang1 -w
NAME                                       READY     STATUS    RESTARTS   AGE
apb-fa27d372-ece3-4629-9bdf-f773dd705be9   0/1       Pending   0          0s
apb-fa27d372-ece3-4629-9bdf-f773dd705be9   0/1       Pending   0         0s
apb-fa27d372-ece3-4629-9bdf-f773dd705be9   0/1       ContainerCreating   0         0s
# oc describe pod apb-fa27d372-ece3-4629-9bdf-f773dd705be9 -n wjiang1
Name:		apb-fa27d372-ece3-4629-9bdf-f773dd705be9
Namespace:	wjiang1
Node:		host-8-241-55.host.centralci.eng.rdu2.redhat.com/10.8.241.55
Start Time:	Thu, 28 Sep 2017 02:35:53 -0400
Labels:		apb-fqname=dh-ansibleplaybookbundle-hello-world-apb-latest
Annotations:	openshift.io/scc=restricted
Status:		Pending
IP:		
Containers:
  apb:
    Container ID:	
    Image:		ansibleplaybookbundle/hello-world-apb:latest
    Image ID:		
    Port:		<none>
    Args:
      provision
      --extra-vars
      {"_apb_plan_id":"default","namespace":"wjiang"}
    State:		Waiting
      Reason:		ContainerCreating
    Ready:		False
    Restart Count:	0
    Environment:	<none>
    Mounts:
      /etc/apb-secrets/apb-test-secret from apb-test-secret (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from apb-fa27d372-ece3-4629-9bdf-f773dd705be9-token-sd2n5 (ro)
Conditions:
  Type		Status
  Initialized 	True 
  Ready 	False 
  PodScheduled 	True 
Volumes:
  apb-test-secret:
    Type:	Secret (a volume populated by a Secret)
    SecretName:	test-secret
    Optional:	false
  apb-fa27d372-ece3-4629-9bdf-f773dd705be9-token-sd2n5:
    Type:	Secret (a volume populated by a Secret)
    SecretName:	apb-fa27d372-ece3-4629-9bdf-f773dd705be9-token-sd2n5
    Optional:	false
QoS Class:	BestEffort
Node-Selectors:	<none>
Tolerations:	<none>
Events:
  FirstSeen	LastSeen	Count	From								SubObjectPath	Type		Reason			Message
  ---------	--------	-----	----								-------------	--------	------			-------
  1m		1m		1	default-scheduler								Normal		Scheduled		Successfully assigned apb-fa27d372-ece3-4629-9bdf-f773dd705be9 to host-8-241-55.host.centralci.eng.rdu2.redhat.com
  1m		1m		1	kubelet, host-8-241-55.host.centralci.eng.rdu2.redhat.com			Normal		SuccessfulMountVolume	MountVolume.SetUp succeeded for volume "apb-fa27d372-ece3-4629-9bdf-f773dd705be9-token-sd2n5" 
  1m		27s		8	kubelet, host-8-241-55.host.centralci.eng.rdu2.redhat.com			Warning		FailedMount		MountVolume.SetUp failed for volume "apb-test-secret" : secrets "test-secret" not found


Expected results:
4. apb sandbox should be launched in ansible-service-broker namespace and should work well without error.

Additional info:

Comment 2 Fabian von Feilitzsch 2017-09-28 12:51:53 EDT

That `openshift.namespace` is supposed to refer to the namespace the broker is running in, so it's expected that the APBs would try to run there. Is there a reason that you set it? If it is left blank it should automatically detect the namespace the broker is running inside.

Comment 3 weiwei jiang 2017-09-29 03:42:17 EDT

Yes, you are right.
If openshift.namespace is left blank, the value should be same with /var/run/secrets/kubernetes.io/serviceaccount/namespace.


If you think this is not urgent, we can down the priority and severity.

Comment 4 Fabian von Feilitzsch 2017-10-02 12:45:22 EDT

I think this behavior is expected, the clusterconfig.namespace should point at the broker's namespace. In general this config option shouldn't be touched, I think the only way it would be useful is if your broker weren't running normally in openshift (and would therefore have no idea what namespace the broker "lived" in).

please re-open if you disagree

Comment 5 weiwei jiang 2017-10-11 22:45:49 EDT

Reopen since https://bugzilla.redhat.com/show_bug.cgi?id=1497839 will fix this.

Comment 6 weiwei jiang 2017-10-11 23:22:03 EDT

https://github.com/openshift/ansible-service-broker/pull/473

Comment 8 weiwei jiang 2017-10-20 04:55:03 EDT

Change status to assigned due to https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=607326 not contain the PR https://github.com/openshift/ansible-service-broker/pull/473

Comment 9 Fabian von Feilitzsch 2017-11-02 15:42:56 EDT

So I think the issue here is really that the configuration is wrong, openshift.namespace shouldn't be overridden unless for some reason the broker isn't running inside the cluster or something like that. If openshift.namespace is set, it should definitely be set to the namespace that the broker is running in, and not any other namespace. Secrets should only be created inside the broker's namespace. Even if the linked PR does resolve the issue, it's not in an intentional way and it is likely to break later when behavior is changed. I still think we should close this issue and tell users not to set the openshift.namespace

Comment 10 weiwei jiang 2017-11-02 23:24:32 EDT

Checked with:
# openshift version
openshift v3.7.0-0.184.0
kubernetes v1.7.6+a08f5eeb62
etcd 3.2.8

$ asbd -v
1.0.13

And found that, currently provision will be done in a transient namespace.
If we set the openshift.namespace as not equal with the namespace which asb located, the system will look up the matched secrets in openshift.namespace instead of the namespace which asb is in. So still got "secrets not found", even though we can create the same name secret in openshift.namespace to pass this.


I agree with you to not touch the openshift.namespace, and do we have any document write down this?

Note You need to log in before you can comment on or make changes to this bug.