Description of problem: Should not permit to create new servicebinding when DeprovisionBlockedByExistingCredentials service-catalog & asb image using images from brew registry: service-catalog: v3.10.0-0.38.0;Upstream:v0.1.16 asb: 1.2.10 How reproducible: Always Steps to Reproduce: 1. Deploy service catalog and ups broker. 2. Login normal user, such as "chezhang" 3. Provision a New ServiceInstance by: # oc new-project test-ns # oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/svc-catalog/ups-instance.yaml 4. Binding to the Instance # oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/svc-catalog/ups-servicebinding-1.yaml 5. Deprovision the ServiceInstance directly in backend # oc delete serviceinstances ups-instance -n test-ns # oc describe serviceinstance ups-instance -n test-ns ...Skip... Message: All associated ServiceBindings must be removed before this ServiceInstance can be deleted Reason: DeprovisionBlockedByExistingCredentials 6. Try to create a new servicebinding by: # oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/svc-catalog/ups-servicebinding-2.yaml Actual results: 6. The new servicebinding can be created when serviceinstance DeprovisionBlockedByExistingCredentials # oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/svc-catalog/ups-servicebinding-2.yaml servicebinding "ups-binding-2" created # oc describe servicebinding ups-binding-2 Name: ups-binding-2 Namespace: test-ns Labels: <none> Annotations: <none> API Version: servicecatalog.k8s.io/v1beta1 Kind: ServiceBinding Metadata: Creation Timestamp: 2018-05-14T02:59:09Z Finalizers: kubernetes-incubator/service-catalog Generation: 1 Resource Version: 9655 Self Link: /apis/servicecatalog.k8s.io/v1beta1/namespaces/test-ns/servicebindings/ups-binding-2 UID: c599108b-5722-11e8-8aa8-0a580a800003 Spec: External ID: c5990cdf-5722-11e8-8aa8-0a580a800003 Instance Ref: Name: ups-instance Secret Name: my-secret-2 User Info: Extra: Scopes . Authorization . Openshift . Io: user:full Groups: system:authenticated:oauth system:authenticated UID: Username: chezhang Status: Async Op In Progress: false Conditions: Last Transition Time: 2018-05-14T02:59:09Z Message: Binding cannot begin because referenced ServiceInstance "test-ns/ups-instance" is not ready Reason: ErrorInstanceNotReady Status: False Type: Ready Orphan Mitigation In Progress: false Reconciled Generation: 0 Unbind Status: NotRequired Events: Type Reason Age From Message ---- ------ ---- ---- ------- Warning ErrorInstanceNotReady 6s (x12 over 16s) service-catalog-controller-manager Binding cannot begin because referenced ServiceInstance "test-ns/ups-instance" is not ready Expected results: 6. Should not permit to create new servicebinding when serviceinstance DeprovisionBlockedByExistingCredentials Such as: # oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/svc-catalog/ups-servicebinding-2.yaml Error from server (Forbidden): error when creating "https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/svc-catalog/ups-servicebinding-2.yaml": servicebindings.servicecatalog.k8s.io "ups-binding-2" is forbidden: ServiceBindings test-ns/ups-binding-2 references an instance that is being deleted: test-ns/ups-instance Addition info: None
The Service Catalog admission controllers should block the creation of new bindings. We had a bug that caused the admission controllers to not be registered. This was fixed upstream by https://github.com/kubernetes-incubator/service-catalog/pull/2013 and was just recently picked up by Origin in atomic-enterprise-service-catalog-3.10.0-0.40.0 if you retest on atomic-enterprise-service-catalog-3.10.0-0.40.0 it should be working properly. Similiar to https://bugzilla.redhat.com/show_bug.cgi?id=1576718.
Changing status to "ON_QA" since image ready for test in downstream.
Verified and Passed with service catalog v3.10.0-0.41.0;Upstream:v0.1.18 # oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/svc-catalog/ups-servicebinding-2.yaml Error from server (Forbidden): error when creating "https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/svc-catalog/ups-servicebinding-2.yaml": servicebindings.servicecatalog.k8s.io "ups-binding-2" is forbidden: ServiceBinding test-ns/ups-binding-2 references a ServiceInstance that is being deleted: test-ns/ups-instance
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:1816