1507908 – Plan of ServiceInstance can still be updated with class has spec.planUpdatable set to false

Bug 1507908 - Plan of ServiceInstance can still be updated with class has spec.planUpdatable set to false

Summary: Plan of ServiceInstance can still be updated with class has spec.planUpdatabl...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Service Broker
Sub Component:
Version:	3.7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	3.7.0
Assignee:	Jeff Peeler
QA Contact:	Qixuan Wang
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-10-31 12:27 UTC by Qixuan Wang
Modified:	2017-11-28 22:20 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	This fixes the change validator admission controller to look up service classes properly, such that the planUpdatable field is respected as expected. Previously plan updates were allowed even when set to false.
Clone Of:
Environment:
Last Closed:	2017-11-28 22:20:29 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:3188	0	normal	SHIPPED_LIVE	Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update	2017-11-29 02:34:54 UTC

Description Qixuan Wang 2017-10-31 12:27:32 UTC

Description of problem:
Plan of ServiceInstance can still be updated with class has spec.planUpdatable set to false.


Version-Release number of selected component (if applicable):
openshift v3.7.0-0.184.0
kubernetes v1.7.6+a08f5eeb62
etcd 3.2.8
ose-service-catalog v3.7.0-0.184.0
ose-ansible-service-broker v3.7.0-0.184.0


How reproducible:
Always


Steps to Reproduce:
1. Provision a PostgreSQL APB.

2. Change class of dh-rhscl-postgresql-apb.
# oc edit clusterserviceclass 27793015fe45db2fbc1deb7372cc4036
planUpdatable: false

3. Update ServiceInstance plan (dev->prod)
# oc edit serviceinstance dh-rhscl-postgresql-apb-flff8

4. Check ServiceInstance.
# oc describe serviceinstance dh-rhscl-postgresql-apb-flff8


Actual results:
4. [root@preserve-qe-qw-master-etcd-nfs-1 ~]# oc describe serviceinstance dh-rhscl-postgresql-apb-flff8 
Name:		dh-rhscl-postgresql-apb-flff8
Namespace:	qwang6
Labels:		<none>
Annotations:	<none>
API Version:	servicecatalog.k8s.io/v1beta1
Kind:		ServiceInstance
Metadata:
  Creation Timestamp:	2017-10-31T12:02:13Z
  Finalizers:
    kubernetes-incubator/service-catalog
  Generate Name:	dh-rhscl-postgresql-apb-
  Generation:		2
  Resource Version:	138173
  Self Link:		/apis/servicecatalog.k8s.io/v1beta1/namespaces/qwang6/serviceinstances/dh-rhscl-postgresql-apb-flff8
  UID:			552b7d00-be33-11e7-8db3-0a580a810006
Spec:
  Cluster Service Class External Name:	dh-rhscl-postgresql-apb
  Cluster Service Class Ref:
    Name:				27793015fe45db2fbc1deb7372cc4036
  Cluster Service Plan External Name:	prod
  Cluster Service Plan Ref:
    Name:	b2dfdcfa094694aa7377a1c69b3100a6
  External ID:	a3a557bb-4e8d-4626-9841-7b5a0606e7c3
  Parameters From:
    Secret Key Ref:
      Key:		parameters
      Name:		dh-rhscl-postgresql-apb-parameterswjofs
  Update Requests:	0
  User Info:
    Groups:
      system:cluster-admins
      system:authenticated
    UID:	
    Username:	system:admin
Status:
  Async Op In Progress:	true
  Conditions:
    Last Transition Time:	2017-10-31T12:04:11Z
    Message:			The instance is being updated asynchronously
    Reason:			UpdatingInstance
    Status:			False
    Type:			Ready
  Current Operation:		Update
  External Properties:
    Cluster Service Plan External Name:	dev
    Parameter Checksum:			e9f50a77db505e5f9a88ab91c334e573fa2a6be7020ea6799a58c08943298853
    Parameters:
      Postgresql _ Database:	<redacted>
      Postgresql _ Password:	<redacted>
      Postgresql _ User:	<redacted>
      Postgresql _ Version:	<redacted>
    User Info:
      Extra:
        Scopes . Authorization . Openshift . Io:
          user:full
      Groups:
        system:authenticated:oauth
        system:authenticated
      UID:	
      Username:	qwang
  In Progress Properties:
    Cluster Service Plan External Name:	prod
    Parameter Checksum:			e9f50a77db505e5f9a88ab91c334e573fa2a6be7020ea6799a58c08943298853
    Parameters:
      Postgresql _ Database:	<redacted>
      Postgresql _ Password:	<redacted>
      Postgresql _ User:	<redacted>
      Postgresql _ Version:	<redacted>
    User Info:
      Groups:
        system:cluster-admins
        system:authenticated
      UID:				
      Username:				system:admin
  Last Operation:			19f02f05-4657-4b2c-92f5-49d472a724ec
  Operation Start Time:			2017-10-31T12:04:11Z
  Orphan Mitigation In Progress:	false
  Reconciled Generation:		1
Events:
  FirstSeen	LastSeen	Count	From					SubObjectPath	Type		Reason			Message
  ---------	--------	-----	----					-------------	--------	------			-------
  2m		2m		1	service-catalog-controller-manager			Warning		ErrorWithParameters	Failed to prepare ServiceInstance parameters nil: secrets "dh-rhscl-postgresql-apb-parameterswjofs" not found
  2m		2m		1	service-catalog-controller-manager			Normal		Provisioning		The instance is being provisioned asynchronously
  1m		1m		1	service-catalog-controller-manager			Normal		ProvisionedSuccessfully	The instance was provisioned successfully
  10s		10s		1	service-catalog-controller-manager			Normal		UpdatingInstance	The instance is being updated asynchronously


Expected results:
4. Plan can't be update if class has spec.planUpdatable set to false.


Additional info:

Comment 1 Jeff Peeler 2017-11-02 17:43:23 UTC

Upstream PR: https://github.com/kubernetes-incubator/service-catalog/pull/1518

Comment 2 Jeff Peeler 2017-11-03 16:26:37 UTC

Merged in rebase PR: https://github.com/openshift/origin/pull/17166

Comment 4 Qixuan Wang 2017-11-05 16:52:48 UTC

Tested on OCP (openshift v3.7.0-0.184.0, kubernetes v1.7.6+a08f5eeb62, etcd 3.2.8, brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/ose-service-catalog:v3.7.0-0.194.0.0, brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/ose-ansible-service-broker:v3.7.0-0.194.0.0), the bug has been fixed, thanks.


Here is test result:
[root@host-172-16-120-51 ~]# oc edit serviceinstance dh-rhscl-postgresql-apb-9mt46 -n qwang-false
error: serviceinstances "dh-rhscl-postgresql-apb-9mt46" could not be patched: serviceinstances.servicecatalog.k8s.io "dh-rhscl-postgresql-apb-9mt46" is forbidden: The Service Class 27793015fe45db2fbc1deb7372cc4036 does not allow plan changes.
You can run `oc replace -f /tmp/oc-edit-pyka9.yaml` to try this update again.

Comment 7 errata-xmlrpc 2017-11-28 22:20:29 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188

Note You need to log in before you can comment on or make changes to this bug.