Bug 1577712 - Should not permit to create new servicebinding when serviceinstance DeprovisionBlockedByExistingCredentials
Summary: Should not permit to create new servicebinding when serviceinstance Deprovisi...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Service Catalog
Version: 3.10.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 3.10.0
Assignee: Jay Boyd
QA Contact: Zhang Cheng
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-05-14 03:10 UTC by Zhang Cheng
Modified: 2018-07-30 19:15 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
closed in current release
Clone Of:
Environment:
Last Closed: 2018-07-30 19:15:23 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:1816 None None None 2018-07-30 19:15:53 UTC

Description Zhang Cheng 2018-05-14 03:10:33 UTC
Description of problem: 
Should not permit to create new servicebinding when DeprovisionBlockedByExistingCredentials


service-catalog & asb image using images from brew registry:
service-catalog: v3.10.0-0.38.0;Upstream:v0.1.16
asb: 1.2.10


How reproducible:
Always


Steps to Reproduce:
1. Deploy service catalog and ups broker.
2. Login normal user, such as "chezhang"
3. Provision a New ServiceInstance by:
# oc new-project test-ns
# oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/svc-catalog/ups-instance.yaml
4. Binding to the Instance
# oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/svc-catalog/ups-servicebinding-1.yaml
5. Deprovision the ServiceInstance directly in backend
# oc delete serviceinstances ups-instance -n test-ns
# oc describe serviceinstance ups-instance -n test-ns 
...Skip...
 Message: All associated ServiceBindings must be removed before this ServiceInstance can be deleted
 Reason: DeprovisionBlockedByExistingCredentials
6. Try to create a new servicebinding by:
# oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/svc-catalog/ups-servicebinding-2.yaml


Actual results:  
6. The new servicebinding can be created when serviceinstance DeprovisionBlockedByExistingCredentials
# oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/svc-catalog/ups-servicebinding-2.yaml
servicebinding "ups-binding-2" created

# oc describe servicebinding ups-binding-2
Name:         ups-binding-2
Namespace:    test-ns
Labels:       <none>
Annotations:  <none>
API Version:  servicecatalog.k8s.io/v1beta1
Kind:         ServiceBinding
Metadata:
  Creation Timestamp:  2018-05-14T02:59:09Z
  Finalizers:
    kubernetes-incubator/service-catalog
  Generation:        1
  Resource Version:  9655
  Self Link:         /apis/servicecatalog.k8s.io/v1beta1/namespaces/test-ns/servicebindings/ups-binding-2
  UID:               c599108b-5722-11e8-8aa8-0a580a800003
Spec:
  External ID:  c5990cdf-5722-11e8-8aa8-0a580a800003
  Instance Ref:
    Name:       ups-instance
  Secret Name:  my-secret-2
  User Info:
    Extra:
      Scopes . Authorization . Openshift . Io:
        user:full
    Groups:
      system:authenticated:oauth
      system:authenticated
    UID:       
    Username:  chezhang
Status:
  Async Op In Progress:  false
  Conditions:
    Last Transition Time:         2018-05-14T02:59:09Z
    Message:                      Binding cannot begin because referenced ServiceInstance "test-ns/ups-instance" is not ready
    Reason:                       ErrorInstanceNotReady
    Status:                       False
    Type:                         Ready
  Orphan Mitigation In Progress:  false
  Reconciled Generation:          0
  Unbind Status:                  NotRequired
Events:
  Type     Reason                 Age                From                                Message
  ----     ------                 ----               ----                                -------
  Warning  ErrorInstanceNotReady  6s (x12 over 16s)  service-catalog-controller-manager  Binding cannot begin because referenced ServiceInstance "test-ns/ups-instance" is not ready


Expected results: 
6. Should not permit to create new servicebinding when serviceinstance DeprovisionBlockedByExistingCredentials
Such as:
# oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/svc-catalog/ups-servicebinding-2.yaml
Error from server (Forbidden): error when creating "https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/svc-catalog/ups-servicebinding-2.yaml": servicebindings.servicecatalog.k8s.io "ups-binding-2" is forbidden: ServiceBindings test-ns/ups-binding-2 references an instance that is being deleted: test-ns/ups-instance


Addition info: 
None

Comment 1 Jay Boyd 2018-05-14 14:03:54 UTC
The Service Catalog admission controllers should block the creation of new bindings.  We had a bug that caused the admission controllers to not be registered.  This was fixed upstream by https://github.com/kubernetes-incubator/service-catalog/pull/2013  and was just recently picked up by Origin in atomic-enterprise-service-catalog-3.10.0-0.40.0

if you retest on atomic-enterprise-service-catalog-3.10.0-0.40.0 it should be working properly.

Similiar to https://bugzilla.redhat.com/show_bug.cgi?id=1576718.

Comment 2 Zhang Cheng 2018-05-15 03:04:02 UTC
Changing status to "ON_QA" since image ready for test in downstream.

Comment 3 Zhang Cheng 2018-05-15 03:04:25 UTC
Verified and Passed with service catalog v3.10.0-0.41.0;Upstream:v0.1.18

# oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/svc-catalog/ups-servicebinding-2.yaml
Error from server (Forbidden): error when creating "https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/svc-catalog/ups-servicebinding-2.yaml": servicebindings.servicecatalog.k8s.io "ups-binding-2" is forbidden: ServiceBinding test-ns/ups-binding-2 references a ServiceInstance that is being deleted: test-ns/ups-instance

Comment 5 errata-xmlrpc 2018-07-30 19:15:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1816


Note You need to log in before you can comment on or make changes to this bug.