Bug 1533425
| Summary: | Create binding failed with 'unable to load secret' when set launch_apb_on_bind=true in asb | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Zihan Tang <zitang> |
| Component: | Service Broker | Assignee: | Jesus M. Rodriguez <jesusr> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Zihan Tang <zitang> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 3.9.0 | CC: | aos-bugs, chezhang, dzager, jesusr, jiazha, jmatthew, jmontleo |
| Target Milestone: | --- | | |
| Target Release: | 3.10.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-12-20 21:10:07 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1539542 | | |
| Bug Blocks: | | | |
If I understand this bug, it is actually in reference to our bind credential extraction process and not async bind. The downstream broker likely does not support async bind at this stage and should not be expected to work. If I am correct and we are speaking of the bind credential extraction process, then the important thing to know is that bind credential extraction happens during 'provision' and not 'bind'. I recommend that we close this bug, examine the test procedure for bind credential extraction updates (https://trello.com/c/rT9jfi2P/583-improve-ansible-brokers-bind-credential-extraction-process), and after making any changes to the procedure create new bugs if there are any.

This bug was found in the test for 'bind credential extraction process'. But if 'launch_apb_on_bind: true' is still set, create binding will fail with error:
[ERROR] - Unable to load secret 'apb-fece1389-17f1-483a-9fc2-fa1e32b09bfe' from namespace 'new-postgresql-apb-bind-cvmsz'
The secret is created in the provision sandbox, but when creating the binding, the broker still goes to the 'bind' sandbox to load the secret.

After looking into this bug, asb 1.1.4 did not have the async bind feature. This means that launch_apb_on_bind may have some adverse effects without async bind. Please retest with asb 1.1.5 or greater since that is where the async bind feature was introduced.

I was able to recreate this bug using the latest postgresql apb in the ansibleplaybookbundle org. Looks like that apb does not have the bind playbook, which is why when launch_apb_on_bind is enabled it fails. There are 2 problems here. 1) there should be more of an indication that the job failed to the UI from the synchronous call. 2) we need to update the apb to include bind. PRs created to fix both issues in this bugzilla.

1) add ability to detect an error when action is not found:
apb-base change required: https://github.com/ansibleplaybookbundle/apb-base/pull/17
broker change required: https://github.com/openshift/ansible-service-broker/pull/716
2) add bind support to postgresql-apb (depends on apb-base PR): https://github.com/ansibleplaybookbundle/postgresql-apb/pull/32
This will require 3 new images:
* new apb-base
* new postgresql-apb
* new broker image

Correction to comment #11: there will be no new postgresql-apb with bind support. The async bind feature will be more like tech preview; in order to test this feature you need to use an example apb that has bind support in it. Might I suggest the hello-world-apb from the ansibleplaybookbundle. Also consider doing regression testing with launch_apb_on_bind set to false to ensure that bind works as it did in 3.7.0.

Image is ready, change to ON_QA.

Verify failed.
ASB: 1.1.14
hello-world-db-apb:latest (in dockerhub, ansibleplaybookbundle)
Steps:
1. Set broker-config:
  registry:
    - type: dockerhub
      name: dh
      url: https://registry.hub.docker.com
      org: ansibleplaybookbundle
      tag: "latest"
      white_list:
        - ".*-apb$"
  broker:
    bootstrap_on_startup: true
2. Provision the hello-world-db apb.
3. Create binding; it fails with error:
ASB log:
[2018-02-26T09:36:27.696Z] [WARNING] - launch_apb_on_bind is enabled, but accepts_incomplete is false, binding may fail
[2018-02-26T09:36:27.739Z] [INFO] - Broker configured to run APB bind
[2018-02-26T09:36:27.739Z] [NOTICE] - ============================================================
[2018-02-26T09:36:27.739Z] [NOTICE] - BINDING
[2018-02-26T09:36:27.739Z] [NOTICE] - ============================================================
[2018-02-26T09:36:27.739Z] [NOTICE] - ServiceInstance.ID: b43a4272a6efcaaa3e0b9616324f1099
[2018-02-26T09:36:27.739Z] [NOTICE] - ServiceInstance.Name: dh-hello-world-db-apb
[2018-02-26T09:36:27.739Z] [NOTICE] - ServiceInstance.Image: docker.io/ansibleplaybookbundle/hello-world-db-apb:latest
[2018-02-26T09:36:27.739Z] [NOTICE] - ServiceInstance.Description: A sample APB which deploys Hello World Database
[2018-02-26T09:36:27.739Z] [NOTICE] - ============================================================
[2018-02-26T09:36:27.801Z] [NOTICE] - Creating RoleBinding apb-e30aa480-d7ea-4761-9702-ccf2f011c139
[2018-02-26T09:36:27.933Z] [NOTICE] - Creating RoleBinding apb-e30aa480-d7ea-4761-9702-ccf2f011c139
[2018-02-26T09:36:27.985Z] [INFO] - Successfully created apb sandbox: [ apb-e30aa480-d7ea-4761-9702-ccf2f011c139 ], with edit permissions in namespace dh-hello-world-db-apb-bind-q5qs5
[2018-02-26T09:36:27.986Z] [INFO] - Running post create sandbox fuctions if defined.
[2018-02-26T09:36:27.986Z] [NOTICE] - Creating pod "apb-e30aa480-d7ea-4761-9702-ccf2f011c139" in the dh-hello-world-db-apb-bind-q5qs5 namespace
[2018-02-26T09:36:28.001Z] [INFO] - Watch pod [ apb-e30aa480-d7ea-4761-9702-ccf2f011c139 ] tick 1
[2018-02-26T09:36:33.005Z] [INFO] - Watch pod [ apb-e30aa480-d7ea-4761-9702-ccf2f011c139 ] tick 2
[2018-02-26T09:36:38.009Z] [INFO] - Watch pod [ apb-e30aa480-d7ea-4761-9702-ccf2f011c139 ] tick 3
[2018-02-26T09:36:38.025Z] [ERROR] - Unable to load secret 'apb-e30aa480-d7ea-4761-9702-ccf2f011c139' from namespace 'dh-hello-world-db-apb-bind-q5qs5'
[2018-02-26T09:36:38.025Z] [ERROR] - apb::bind error occurred - Unable to retrieve secret [ apb-e30aa480-d7ea-4761-9702-ccf2f011c139 ] - secrets "apb-e30aa480-d7ea-4761-9702-ccf2f011c139" not found
[root@host-172-16-120-90 ~]# oc describe servicebinding dh-hello-world-db-apb-hllv4-57c85
Name: dh-hello-world-db-apb-hllv4-57c85
Namespace: helloworlddb
Labels: <none>
Annotations: <none>
API Version: servicecatalog.k8s.io/v1beta1
Kind: ServiceBinding
Metadata:
Creation Timestamp: 2018-02-26T09:36:27Z
Finalizers:
kubernetes-incubator/service-catalog
Generate Name: dh-hello-world-db-apb-hllv4-
Generation: 1
Resource Version: 61803
Self Link: /apis/servicecatalog.k8s.io/v1beta1/namespaces/helloworlddb/servicebindings/dh-hello-world-db-apb-hllv4-57c85
UID: 84b2e62b-1ad8-11e8-9d42-0a580a800004
Spec:
External ID: 82f74560-f524-4e55-a01a-e330c26d595a
Instance Ref:
Name: dh-hello-world-db-apb-hllv4
Secret Name: dh-hello-world-db-apb-hllv4-credentials-u4mel
User Info:
Extra:
Scopes . Authorization . Openshift . Io:
user:full
Groups:
system:authenticated:oauth
system:authenticated
UID:
Username: zitang
Status:
Async Op In Progress: false
Conditions:
Last Transition Time: 2018-02-26T09:36:27Z
Message: ServiceBroker returned failure; bind operation will not be retried: Status: 400; ErrorMessage: <nil>; Description: Unable to retrieve secret [ apb-e30aa480-d7ea-4761-9702-ccf2f011c139 ] - secrets "apb-e30aa480-d7ea-4761-9702-ccf2f011c139" not found; ResponseError: <nil>
Reason: BindCallFailed
Status: False
Type: Ready
Last Transition Time: 2018-02-26T09:36:38Z
Message: ServiceBroker returned failure; bind operation will not be retried: Status: 400; ErrorMessage: <nil>; Description: Unable to retrieve secret [ apb-e30aa480-d7ea-4761-9702-ccf2f011c139 ] - secrets "apb-e30aa480-d7ea-4761-9702-ccf2f011c139" not found; ResponseError: <nil>
Reason: ServiceBindingReturnedFailure
Status: True
Type: Failed
Orphan Mitigation In Progress: false
Reconciled Generation: 1
Unbind Status: Required
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning BindCallFailed 9m service-catalog-controller-manager ServiceBroker returned failure; bind operation will not be retried: Status: 400; ErrorMessage: <nil>; Description: Unable to retrieve secret [ apb-e30aa480-d7ea-4761-9702-ccf2f011c139 ] - secrets "apb-e30aa480-d7ea-4761-9702-ccf2f011c139" not found; ResponseError: <nil>
Warning ServiceBindingReturnedFailure 9m service-catalog-controller-manager ServiceBroker returned failure; bind operation will not be retried: Status: 400; ErrorMessage: <nil>; Description: Unable to retrieve secret [ apb-e30aa480-d7ea-4761-9702-ccf2f011c139 ] - secrets "apb-e30aa480-d7ea-4761-9702-ccf2f011c139" not found; ResponseError: <nil>
About async binding: if I only configure async in asb (enable launch_apb_on_bind) and do not configure service-catalog with async binding, when creating a binding, is it still performed as a synchronous binding?
If it is still synchronous binding, then creating a binding with the existing apbs (postgresql-apb, mariadb-apb, mysql-apb, hello-world-db-apb) should succeed.
If setting async only in asb without service-catalog is not supported, we'd better update the doc: https://github.com/openshift/ansible-service-broker/blob/master/docs/config.md#broker-configuration.
Moving this to 3.10.0 since we are not releasing a reference APB with async bind for 3.9.

Please use docker.io/jmrodri/postgresql-apb:demo; this is an example apb that supports async binds.
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/jmrodri/postgresql-apb demo 1bdd30040082 6 weeks ago 1.47 GB
The above APB is purely an example only.

Moving back to assigned because master with CRDs will be broken.

This bug requires the following PR to work with CRDs and release 3.10 (master).
https://github.com/openshift/ansible-service-broker/pull/898

(In reply to Jesus M. Rodriguez from comment #21)
> This bug requires the following PR to work with CRDs and release 3.10
> (master).
>
> https://github.com/openshift/ansible-service-broker/pull/898

This bug ACTUALLY requires PR 924.
https://github.com/openshift/ansible-service-broker/pull/924

Image is ready, change it to ON_QA.

1. Using apb https://registry.hub.docker.com/mhrivnak/postgresql-apb, which supports async binding, and only setting 'launch_apb_on_bind:true' in asb, the binding will be created successfully. This is verified in asb 1.2.10.
2. If using a normal apb (postgresql-apb) and only setting 'launch_apb_on_bind:true' in asb, in my point of view it should work as sync binding and the binding can be created successfully. But actually, in asb 1.2.10, the bundlebinding status and servicebinding status are different. What's the expected result for this scenario?
# oc describe bundlebinding 98a4aae6-5290-11e8-8906-0a580a80000b
Name: 98a4aae6-5290-11e8-8906-0a580a80000b
Namespace: openshift-ansible-service-broker
Labels: <none>
Annotations: <none>
API Version: automationbroker.io/v1alpha1
Kind: BundleBinding
Metadata:
Cluster Name:
Creation Timestamp: 2018-05-08T07:22:42Z
Generation: 1
Resource Version: 141125
Self Link: /apis/automationbroker.io/v1alpha1/namespaces/openshift-ansible-service-broker/bundlebindings/98a4aae6-5290-11e8-8906-0a580a80000b
UID: 98ee42bd-5290-11e8-8260-fa163e868f10
Spec:
Bundle Instance:
Name: 464f1b47-5290-11e8-8906-0a580a80000b
Parameters: {"_apb_last_requesting_user":"zitang","_apb_plan_id":"dev","_apb_service_binding_id":"98a4aae6-5290-11e8-8906-0a580a80000b","_apb_service_class_id":"d5915e05b253df421efe6e41fb6a66ba","_apb_service_instance_id":"464f1b47-5290-11e8-8906-0a580a80000b"}
Status:
Jobs:
07883539 - E 97 B - 46 B 5 - 8972 - C 2 E 11387 F 234:
Description: Error occurred during bind. Please contact administrator if the issue persists.
Error: action not found
Last Modified Time: 2018-05-08T07:22:46Z
Method: bind
Podname:
State: failed
Last Description: Error occurred during bind. Please contact administrator if the issue persists.
State: failed
Events: <none>

# oc describe servicebinding -n post
Name: rh-postgresql-apb-brtpf-xf8s4
Namespace: post
Labels: <none>
Annotations: <none>
API Version: servicecatalog.k8s.io/v1beta1
Kind: ServiceBinding
Metadata:
Creation Timestamp: 2018-05-08T07:22:42Z
Finalizers:
kubernetes-incubator/service-catalog
Generate Name: rh-postgresql-apb-brtpf-
Generation: 1
Resource Version: 141131
Self Link: /apis/servicecatalog.k8s.io/v1beta1/namespaces/post/servicebindings/rh-postgresql-apb-brtpf-xf8s4
UID: 98a4af7a-5290-11e8-8906-0a580a80000b
Spec:
External ID: 98a4aae6-5290-11e8-8906-0a580a80000b
Instance Ref:
Name: rh-postgresql-apb-brtpf
Secret Name: rh-postgresql-apb-brtpf-credentials-kmc7y
User Info:
Extra:
Scopes . Authorization . Openshift . Io:
user:full
Groups:
system:authenticated:oauth
system:authenticated
UID:
Username: zitang
Status:
Async Op In Progress: false
Conditions:
Last Transition Time: 2018-05-08T07:22:46Z
Message: Injected bind result
Reason: InjectedBindResult
Status: True
Type: Ready
External Properties:
User Info:
Extra:
Scopes . Authorization . Openshift . Io:
user:full
Groups:
system:authenticated:oauth
system:authenticated
UID:
Username: zitang
Orphan Mitigation In Progress: false
Reconciled Generation: 1
Unbind Status: Required
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal InjectedBindResult 1h service-catalog-controller-manager Injected bind result

As comment 25 / scenario 2 described, set it to ASSIGNED. If scenario 2 is expected, please set back to ON_QA.

Scenario 2 is actually invalid. When you enable launch_apb_on_bind, that will instruct the broker to actually RUN the APB image and attempt to call the bind playbook on it. The "normal apb(postgresql-apb)" does not have a bind playbook to run and will FAIL. This failure is expected. If you want to use the "normal apb(postgresql-apb)" you MUST disable launch_apb_on_bind, that is, set launch_apb_on_bind=false. Setting this to false instructs the broker to NOT run the APB image, but to return any credentials that were created during the provision if there were any.

Thanks for your clarification. Based on comment 25 & comment 27, marked as verified.
Additional info:
The key point for the issue may be the config:
  broker:
    launch_apb_on_bind: true
If 'launch_apb_on_bind' is set to false, the binding will be created successfully, and the secret can be found and added to other applications (such as mediawiki).
ASB log:
[2018-01-15T07:28:00.77Z] [DEBUG] - Injecting PlanID as parameter: { _apb_plan_id: dev }
[2018-01-15T07:28:00.77Z] [DEBUG] - Injecting ServiceClassID as parameter: { _apb_service_class_id: 3bcbc1f42ae47b10e9015b7d7a8a9b97 }
[2018-01-15T07:28:00.77Z] [DEBUG] - Injecting ServiceInstanceID as parameter: { _apb_service_instance_id: e6569f60-b8e7-43a1-8c7e-cad399201a3a }
[2018-01-15T07:28:00.772Z] [WARNING] - Broker configured to *NOT* launch and run APB bind
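As an added triage helper (not code from this report or from the ansible-service-broker project), the parser below reads broker log lines in the '[timestamp] [LEVEL] - message' format shown in this bug and flags the signature explained in the closing comment: a bind sandbox was launched but no credentials secret was ever created there, which means the APB has no bind playbook and launch_apb_on_bind must be false for it. The failing log lines are copied from this report; the regexes, function names and the HEALTHY_LOG sample are assumptions of the example.

```python
import re

# Log format of the ansible-service-broker as seen in this bug: "[ts] [LEVEL] - msg".
LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>[A-Z]+)\] - (?P<msg>.*)$")
SECRET_RE = re.compile(r"Unable to load secret '(?P<secret>[^']+)' from namespace '(?P<ns>[^']+)'")

# Sample input: four lines copied from the failing bind in this report.
FAILING_LOG = """\
[2018-02-26T09:36:27.696Z] [WARNING] - launch_apb_on_bind is enabled, but accepts_incomplete is false, binding may fail
[2018-02-26T09:36:27.739Z] [INFO] - Broker configured to run APB bind
[2018-02-26T09:36:27.985Z] [INFO] - Successfully created apb sandbox: [ apb-e30aa480-d7ea-4761-9702-ccf2f011c139 ], with edit permissions in namespace dh-hello-world-db-apb-bind-q5qs5
[2018-02-26T09:36:38.025Z] [ERROR] - Unable to load secret 'apb-e30aa480-d7ea-4761-9702-ccf2f011c139' from namespace 'dh-hello-world-db-apb-bind-q5qs5'
"""
# Constructed sample: the broker line emitted with launch_apb_on_bind=false.
HEALTHY_LOG = """\
[2018-01-15T07:28:00.772Z] [WARNING] - Broker configured to *NOT* launch and run APB bind
"""

def parse_line(line):
    """Split one '[ts] [LEVEL] - message' line; returns None for anything else."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def triage_bind_log(text):
    """Look for the launch_apb_on_bind failure signature in a broker log."""
    f = {"sync_warning": False, "apb_bind_launched": False,
         "missing_secret": None, "sandbox_ns": None, "diagnosis": None}
    for rec in filter(None, map(parse_line, text.splitlines())):
        msg = rec["msg"]
        if rec["level"] == "WARNING" and "launch_apb_on_bind is enabled" in msg:
            f["sync_warning"] = True          # broker warned the sync bind may fail
        elif "Broker configured to run APB bind" in msg:
            f["apb_bind_launched"] = True     # a bind sandbox/pod was started
        elif rec["level"] == "ERROR" and (m := SECRET_RE.search(msg)):
            f["missing_secret"], f["sandbox_ns"] = m.group("secret"), m.group("ns")
    # The bind pod ran but left no credentials secret in its own (-bind-) sandbox:
    # the APB has no bind playbook, so launch_apb_on_bind=true cannot work for it.
    if f["apb_bind_launched"] and f["missing_secret"] and "-bind-" in (f["sandbox_ns"] or ""):
        f["diagnosis"] = ("APB has no bind playbook; set launch_apb_on_bind=false "
                          "(return provision-time credentials) or use an APB with bind support")
    return f

if __name__ == "__main__":
    for name, log in (("failing", FAILING_LOG), ("healthy", HEALTHY_LOG)):
        print(name, triage_bind_log(log)["diagnosis"])
```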