Bug 1579269 - [upgrade]asb should not add permission to automationbroker.io.servicebindings and serviceinstance
Summary: [upgrade]asb should not add permission to automationbroker.io.servicebindings...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Service Broker
Version: 3.10.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 3.10.0
Assignee: Shawn Hurley
QA Contact: Zihan Tang
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-05-17 09:31 UTC by Zihan Tang
Modified: 2018-07-30 19:16 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
undefined
Clone Of:
Environment:
Last Closed: 2018-07-30 19:15:42 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:1816 None None None 2018-07-30 19:16:03 UTC

Description Zihan Tang 2018-05-17 09:31:08 UTC
Description of problem:
when run upgrade task ;
TASK [ansible_service_broker : Add required permissions to asb-auth clusterrole]
should add permissions to servicebindings and serviceinstance.
    {
                    "apiGroups": [
                        "automationbroker.io"
                    ], 
                    "resources": [
                        "bundles", 
                        "jobstates", 
                        "servicebindings", 
                        "serviceinstances"
                    ], 
                    "verbs": [
                        "*"
                    ]
                }
they are replaced by bundlebinding and bundleinstance ,and jobstate is deleted
Version-Release number of selected component (if applicable):
openshift-ansible-3.10.0-0.47.0

How reproducible:
always


Steps to Reproduce:
1. installl openshift v3.9 with ansible-service-broker and service-catalog
2. upgrade to 3.10

Actual results:
Add right permission to api group.

Expected results:


Additional info:

Comment 1 Zihan Tang 2018-05-17 09:33:11 UTC
update description:
TASK [ansible_service_broker : Add required permissions to asb-auth clusterrole]
should NOT add permissions to servicebindings and serviceinstance.

Comment 2 Shawn Hurley 2018-05-18 12:38:08 UTC
PR: https://github.com/openshift/openshift-ansible/pull/8420

Comment 3 openshift-github-bot 2018-05-18 16:25:46 UTC
Commits pushed to master at https://github.com/openshift/openshift-ansible

https://github.com/openshift/openshift-ansible/commit/0981f9f0e10bb7144c57a6aed6fdd2e71d86cbc9
Bug 1579269 - Updating the CRD resource names for migration.

https://github.com/openshift/openshift-ansible/commit/9882be2a7f64df464115095ea3efb9b7dac85f80
Merge pull request #8420 from shawn-hurley/bug-1579269

Bug 1579269 - Updating the CRD resource names for migration.

Comment 4 Zihan Tang 2018-05-21 09:19:53 UTC
Add the log when job asb-etcd-migration failed:

# oc logs -f asb-etcd-migration-v5hnx
time="2018-05-21T09:01:35Z" level=info msg="etcd configuration: {asb-etcd.openshift-ansible-service-broker.svc /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt /var/run/asb-etcd-auth/client.crt /var/run/asb-etcd-auth/client.key 2379}"
time="2018-05-21T09:01:35Z" level=info msg="== ETCD CX =="
time="2018-05-21T09:01:35Z" level=info msg="EtcdHost: asb-etcd.openshift-ansible-service-broker.svc"
time="2018-05-21T09:01:35Z" level=info msg="EtcdPort: 2379"
time="2018-05-21T09:01:35Z" level=info msg="Endpoints: [https://asb-etcd.openshift-ansible-service-broker.svc:2379]"
2018/05/21 09:01:35 Dao::BatchGetRaw
2018/05/21 09:01:35 Successfully loaded [ 4 ] objects from etcd dir [ /spec ]
2018/05/21 09:01:35 Batch idx [ 0 ] -> [ 73ead67495322cc462794387fa9884f5 ]
2018/05/21 09:01:35 Batch idx [ 1 ] -> [ d5915e05b253df421efe6e41fb6a66ba ]
2018/05/21 09:01:35 Batch idx [ 2 ] -> [ 03b69500305d9859bb9440d9f9023784 ]
2018/05/21 09:01:35 Batch idx [ 3 ] -> [ 2c259ddd8059b9bc65081e07bf20058f ]
2018/05/21 09:01:35 set spec: 73ead67495322cc462794387fa9884f5
2018/05/21 09:01:35 set spec: d5915e05b253df421efe6e41fb6a66ba
2018/05/21 09:01:35 set spec: 03b69500305d9859bb9440d9f9023784
2018/05/21 09:01:35 set spec: 2c259ddd8059b9bc65081e07bf20058f
2018/05/21 09:01:35 Dao::BatchGetRaw
2018/05/21 09:01:35 Successfully loaded [ 3 ] objects from etcd dir [ /service_instance ]
2018/05/21 09:01:35 set service instance: 55f7fa4e-4557-4a40-ace8-451ee80ff04f
2018/05/21 09:01:35 unable to save service instance - bundleinstances.automationbroker.io is forbidden: User "system:serviceaccount:openshift-ansible-service-broker:asb" cannot create bundleinstances.automationbroker.io in the namespace "openshift-ansible-service-broker": User "system:serviceaccount:openshift-ansible-service-broker:asb" cannot create bundleinstances.automationbroker.io in project "openshift-ansible-service-broker"
time="2018-05-21T09:01:35Z" level=info msg="reverted service instances"
2018/05/21 09:01:35 Dao::DeleteSpec-> [ 73ead67495322cc462794387fa9884f5 ]
2018/05/21 09:01:35 Dao::DeleteSpec-> [ d5915e05b253df421efe6e41fb6a66ba ]
2018/05/21 09:01:35 Dao::DeleteSpec-> [ 03b69500305d9859bb9440d9f9023784 ]
2018/05/21 09:01:35 Dao::DeleteSpec-> [ 2c259ddd8059b9bc65081e07bf20058f ]
time="2018-05-21T09:01:35Z" level=info msg="reverted saved specs - exiting now - migration failed"
panic: Unable to migrate all the service instances set service instance - bundleinstances.automationbroker.io is forbidden: User "system:serviceaccount:openshift-ansible-service-broker:asb" cannot create bundleinstances.automationbroker.io in the namespace "openshift-ansible-service-broker": User "system:serviceaccount:openshift-ansible-service-broker:asb" cannot create bundleinstances.automationbroker.io in project "openshift-ansible-service-broker"

goroutine 1 [running]:
main.main()
	/builddir/build/BUILD/ansible-service-broker-1.2.11/cmd/migration/main.go:126 +0x357c

Comment 5 Zihan Tang 2018-05-23 06:07:47 UTC
image is ready , change it to ON_QA

Comment 6 Zihan Tang 2018-05-23 06:09:14 UTC
verified, 
ansible version: v3.10.0-0.50.0

the cluster role is right.

 {"apiGroups": ["networking.k8s.io"], "attributeRestrictions": null, "resources": ["networkpolicies"], "verbs": ["create", "delete"]}, {"apiGroups": ["automationbroker.io"], "attributeRestrictions": null, "resources": ["bundlebindings", "bundleinstances", "bundles"], "verbs": ["*"]}]}, "returncode": 0}, "state": "present"}

Comment 8 errata-xmlrpc 2018-07-30 19:15:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1816


Note You need to log in before you can comment on or make changes to this bug.