Description of problem:
The APB sandbox pod is launched in openshift.namespace when openshift.namespace is set to a non-empty value that is not equal to the namespace the ansible-service-broker is located in, and the APB sandbox then fails to launch.

Version-Release number of selected component (if applicable):
openshift v3.7.0-0.131.0
kubernetes v1.7.0+80709908fd
etcd 3.2.1
brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/ose-ansible-service-broker:v3.7.0-0.131.0.0

How reproducible:
Always

Steps to Reproduce:
1. Set up OCP with servicecatalog and ansible-service-broker.
2. Create a secret in the namespace the ansible-service-broker is in:

   oc create secret generic test-secret --from-literal=key1=supersecret --from-literal=key2=topsecret -n ansible-service-broker

3. Change the broker-config configmap as follows and redeploy the ansible-service-broker pod:

   openshift:
     ...
     namespace: wjiang1
   secrets:
     - title: Best secret
       apb_name: dh-ansibleplaybookbundle-hello-world-apb-latest
       secret: test-secret

4. Try to provision dh-ansibleplaybookbundle-hello-world-apb-latest so that the secrets section takes effect.
5. Check the APB sandbox pod status.

Actual results:
5. The sandbox is launched in the wjiang1 namespace and fails to run because the matching secret cannot be found.

   # oc get pods -n wjiang1 -w
   NAME                                       READY     STATUS              RESTARTS   AGE
   apb-fa27d372-ece3-4629-9bdf-f773dd705be9   0/1       Pending             0          0s
   apb-fa27d372-ece3-4629-9bdf-f773dd705be9   0/1       Pending             0          0s
   apb-fa27d372-ece3-4629-9bdf-f773dd705be9   0/1       ContainerCreating   0          0s

   # oc describe pod apb-fa27d372-ece3-4629-9bdf-f773dd705be9 -n wjiang1
   Name:           apb-fa27d372-ece3-4629-9bdf-f773dd705be9
   Namespace:      wjiang1
   Node:           host-8-241-55.host.centralci.eng.rdu2.redhat.com/10.8.241.55
   Start Time:     Thu, 28 Sep 2017 02:35:53 -0400
   Labels:         apb-fqname=dh-ansibleplaybookbundle-hello-world-apb-latest
   Annotations:    openshift.io/scc=restricted
   Status:         Pending
   IP:
   Containers:
     apb:
       Container ID:
       Image:          ansibleplaybookbundle/hello-world-apb:latest
       Image ID:
       Port:           <none>
       Args:
         provision
         --extra-vars
         {"_apb_plan_id":"default","namespace":"wjiang"}
       State:          Waiting
         Reason:       ContainerCreating
       Ready:          False
       Restart Count:  0
       Environment:    <none>
       Mounts:
         /etc/apb-secrets/apb-test-secret from apb-test-secret (ro)
         /var/run/secrets/kubernetes.io/serviceaccount from apb-fa27d372-ece3-4629-9bdf-f773dd705be9-token-sd2n5 (ro)
   Conditions:
     Type           Status
     Initialized    True
     Ready          False
     PodScheduled   True
   Volumes:
     apb-test-secret:
       Type:        Secret (a volume populated by a Secret)
       SecretName:  test-secret
       Optional:    false
     apb-fa27d372-ece3-4629-9bdf-f773dd705be9-token-sd2n5:
       Type:        Secret (a volume populated by a Secret)
       SecretName:  apb-fa27d372-ece3-4629-9bdf-f773dd705be9-token-sd2n5
       Optional:    false
   QoS Class:       BestEffort
   Node-Selectors:  <none>
   Tolerations:     <none>
   Events:
     FirstSeen  LastSeen  Count  From                                                        SubObjectPath  Type     Reason                 Message
     ---------  --------  -----  ----                                                        -------------  -------  ------                 -------
     1m         1m        1      default-scheduler                                                          Normal   Scheduled              Successfully assigned apb-fa27d372-ece3-4629-9bdf-f773dd705be9 to host-8-241-55.host.centralci.eng.rdu2.redhat.com
     1m         1m        1      kubelet, host-8-241-55.host.centralci.eng.rdu2.redhat.com                  Normal   SuccessfulMountVolume  MountVolume.SetUp succeeded for volume "apb-fa27d372-ece3-4629-9bdf-f773dd705be9-token-sd2n5"
     1m         27s       8      kubelet, host-8-241-55.host.centralci.eng.rdu2.redhat.com                  Warning  FailedMount            MountVolume.SetUp failed for volume "apb-test-secret" : secrets "test-secret" not found

Expected results:
5. The APB sandbox should be launched in the ansible-service-broker namespace and should work without error.

Additional info:
That `openshift.namespace` is supposed to refer to the namespace the broker is running in, so it's expected that the APBs would try to run there. Is there a reason that you set it? If it is left blank it should automatically detect the namespace the broker is running inside.
Yes, you are right. If openshift.namespace is left blank, the value should be the same as /var/run/secrets/kubernetes.io/serviceaccount/namespace. If you think this is not urgent, we can lower the priority and severity.
I think this behavior is expected; the clusterconfig.namespace should point at the broker's namespace. In general this config option shouldn't be touched. I think the only way it would be useful is if your broker weren't running normally in openshift (and would therefore have no idea what namespace the broker "lived" in). Please re-open if you disagree.
Reopen since https://bugzilla.redhat.com/show_bug.cgi?id=1497839 will fix this.
https://github.com/openshift/ansible-service-broker/pull/473
Changing status to ASSIGNED because https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=607326 does not contain the PR https://github.com/openshift/ansible-service-broker/pull/473.
So I think the issue here is really that the configuration is wrong: openshift.namespace shouldn't be overridden unless for some reason the broker isn't running inside the cluster or something like that. If openshift.namespace is set, it should definitely be set to the namespace that the broker is running in, and not any other namespace. Secrets should only be created inside the broker's namespace. Even if the linked PR does resolve the issue, it's not in an intentional way and it is likely to break later when behavior is changed. I still think we should close this issue and tell users not to set openshift.namespace.
Checked with:

# openshift version
openshift v3.7.0-0.184.0
kubernetes v1.7.6+a08f5eeb62
etcd 3.2.8
$ asbd -v
1.0.13

And found that, currently, provisioning is done in a transient namespace. If we set openshift.namespace to something other than the namespace the ASB is located in, the system looks up the matching secrets in openshift.namespace instead of the namespace the ASB is in, so we still get "secrets not found", even though we can work around this by creating a secret with the same name in openshift.namespace. I agree with you not to touch openshift.namespace; do we have any document that writes this down?
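The rule the thread converges on (leave openshift.namespace blank, or set it only to the namespace the broker actually runs in, and keep the referenced secrets in that namespace) can be turned into a pre-deployment check. The following is an added example written for this bug, not code from the ansible-service-broker project: it reads the in-cluster namespace the same way the broker does when the field is blank, compares it with the configured value, and verifies that every secret named in the secrets: section exists in the namespace the sandbox pod will be created in. The config dict mirrors the broker-config fragment in the report; the secrets inventory, the function names and the demo values are constructed assumptions.

```python
"""Check an ansible-service-broker config for the misconfiguration discussed
in this bug: openshift.namespace set to a namespace other than the one the
broker runs in, which makes the APB sandbox look for its secrets in the wrong
namespace.  Added example; not broker code.  The config shape follows the
broker-config fragment in the report; everything else is an assumption."""

# Path the broker falls back to when openshift.namespace is left blank
SA_NAMESPACE_FILE = "/var/run/secrets/kubernetes.io/serviceaccount/namespace"


def detect_broker_namespace(path=SA_NAMESPACE_FILE, fallback=None):
    """Return the namespace an in-cluster pod runs in.  Outside a cluster the
    file does not exist, so the fallback is returned instead."""
    try:
        with open(path) as f:
            return f.read().strip() or fallback
    except OSError:
        return fallback


def check_broker_config(config, broker_namespace, secrets_by_namespace):
    """Return a list of findings (an empty list means the config is consistent).

    config: dict with the same shape as the broker-config configmap
    broker_namespace: namespace the broker pod actually runs in
    secrets_by_namespace: {namespace: set(secret names)}, i.e. what
        `oc get secrets -n <ns>` would list; constructed inline below
    """
    findings = []
    configured = (config.get("openshift", {}).get("namespace") or "").strip()

    # Rule from the thread: blank is preferred; if set, it must equal the
    # namespace the broker lives in.
    if configured and configured != broker_namespace:
        findings.append(
            f"openshift.namespace is '{configured}' but the broker runs in "
            f"'{broker_namespace}'; leave it blank or set it to '{broker_namespace}'"
        )

    # Secrets listed under secrets: are mounted into the sandbox pod, which is
    # created in the effective namespace, so they must exist there or the
    # kubelet reports FailedMount as in the oc describe output above.
    effective = configured or broker_namespace
    available = secrets_by_namespace.get(effective, set())
    for entry in config.get("secrets", []):
        name = entry.get("secret")
        if name not in available:
            findings.append(
                f"secret '{name}' for apb '{entry.get('apb_name')}' not found in "
                f"'{effective}'; the sandbox mount would fail with "
                f"'secrets \"{name}\" not found'"
            )
    return findings


# Constructed demo mirroring the report: the secret lives in the broker's
# namespace, but openshift.namespace points at a different one.
DEMO_CONFIG = {
    "openshift": {"namespace": "wjiang1"},
    "secrets": [
        {
            "title": "Best secret",
            "apb_name": "dh-ansibleplaybookbundle-hello-world-apb-latest",
            "secret": "test-secret",
        }
    ],
}
DEMO_SECRETS = {"ansible-service-broker": {"test-secret"}, "wjiang1": set()}


def demo_misconfigured():
    """Findings for the configuration exactly as reported (two problems)."""
    return check_broker_config(DEMO_CONFIG, "ansible-service-broker", DEMO_SECRETS)


def demo_fixed():
    """Same config with openshift.namespace left blank: no findings."""
    fixed = dict(DEMO_CONFIG, openshift={"namespace": ""})
    return check_broker_config(fixed, "ansible-service-broker", DEMO_SECRETS)


if __name__ == "__main__":
    for line in demo_misconfigured():
        print("FINDING:", line)
    print("after fix:", demo_fixed() or "no findings")
```

Run inside the broker's pod, detect_broker_namespace() returns the real namespace and the check can be fed the output of `oc get secrets` for the namespaces involved; the demo values only reproduce the situation in the report.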