Bug 1585951 - [ASB] secret created in asb namespace when provision should be deleted when delete user namespace
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Service Broker
Version: 3.10.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 3.11.0
Assignee: Erik Nelson
QA Contact: Zihan Tang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-06-05 07:40 UTC by Zihan Tang
Modified: 2018-10-11 07:21 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: ASB was not deleting secret containing provision credentials from its own namespace during deprovision.
Consequence: Leaked secret containing credentials from provision.
Fix: Delete the secret on deprovision.
Result: Fixes leak.
Clone Of:
Environment:
Last Closed: 2018-10-11 07:20:33 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2018:2652 | 0 | None | None | None | 2018-10-11 07:21:34 UTC

Description Zihan Tang 2018-06-05 07:40:34 UTC
Description of problem:
When deleting a namespace, the secret created during provision in openshift-ansible-service-broker should also be deleted.

Version-Release number of selected component (if applicable):
asb: 1.2.16

How reproducible:
always

Steps to Reproduce:
1. provision postgresql-apb in project 'post'
2. check the serviceinstance and secret
# oc get serviceinstances --all-namespaces
NAMESPACE   NAME                      AGE
post        rh-postgresql-apb-r4jlc   1m

# oc get secret --show-labels
NAME                                   TYPE                                  DATA      AGE       LABELS
9b7d19c6-688f-11e8-8a97-0a580a800003   Opaque                                1         1m        apbAction=provision,apbName=rh-postgresql-apb

3. delete project 
# oc delete project post
project.project.openshift.io "post" deleted

4. check whether the secret is deleted in the openshift-ansible-service-broker namespace

Actual results:
the secret in the openshift-ansible-service-broker namespace is not deleted

# oc get secret --show-labels
NAME                                   TYPE                                  DATA      AGE       LABELS
9b7d19c6-688f-11e8-8a97-0a580a800003   Opaque                                1         5m        apbAction=provision,apbName=rh-postgresql-apb
# oc get serviceinstance --all-namespaces
No resources found.

Asb Log:

[2018-06-05T07:13:44.175Z] [WARNING] - Broker configured to *NOT* launch and run APB unbind
10.128.0.1 - - [05/Jun/2018:07:13:44 +0000] "DELETE /ansible-service-broker/v2/service_instances/9b7d19c6-688f-11e8-8a97-0a580a800003/service_bindings/a943e0d3-688f-11e8-8a97-0a580a800003?plan_id=9783fc2e859f9179833a7dd003baa841&service_id=d5915e05b253df421efe6e41fb6a66ba HTTP/1.1" 200 3
[2018-06-05T07:13:44.617Z] [INFO] - All Jobs for instance: ab6bfc15-688f-11e8-8a97-0a580a800003 in state:  in progress - 
[]apb.JobState{}
[2018-06-05T07:13:45.417Z] [WARNING] - Broker configured to *NOT* launch and run APB unbind
10.128.0.1 - - [05/Jun/2018:07:13:44 +0000] "DELETE /ansible-service-broker/v2/service_instances/9b7d19c6-688f-11e8-8a97-0a580a800003/service_bindings/a943e0d3-688f-11e8-8a97-0a580a800003?plan_id=9783fc2e859f9179833a7dd003baa841&service_id=d5915e05b253df421efe6e41fb6a66ba HTTP/1.1" 410 5
10.128.0.1 - - [05/Jun/2018:07:13:44 +0000] "DELETE /ansible-service-broker/v2/service_instances/9b7d19c6-688f-11e8-8a97-0a580a800003/service_bindings/ab6bfc15-688f-11e8-8a97-0a580a800003?plan_id=9783fc2e859f9179833a7dd003baa841&service_id=d5915e05b253df421efe6e41fb6a66ba HTTP/1.1" 200 3
10.128.0.1 - - [05/Jun/2018:07:13:46 +0000] "DELETE /ansible-service-broker/v2/service_instances/9b7d19c6-688f-11e8-8a97-0a580a800003/service_bindings/ab6bfc15-688f-11e8-8a97-0a580a800003?plan_id=9783fc2e859f9179833a7dd003baa841&service_id=d5915e05b253df421efe6e41fb6a66ba HTTP/1.1" 410 5
[2018-06-05T07:13:47.617Z] [INFO] - All Jobs for instance: 9b7d19c6-688f-11e8-8a97-0a580a800003 in state:  in progress - 
[]apb.JobState{}
[2018-06-05T07:13:47.62Z] [INFO] - ASYNC deprovision in progress
10.128.0.1 - - [05/Jun/2018:07:13:46 +0000] "DELETE /ansible-service-broker/v2/service_instances/9b7d19c6-688f-11e8-8a97-0a580a800003?accepts_incomplete=true&plan_id=9783fc2e859f9179833a7dd003baa841&service_id=d5915e05b253df421efe6e41fb6a66ba HTTP/1.1" 202 58
[2018-06-05T07:13:48.647Z] [ERROR] - Could not find instance 9b7d19c6-688f-11e8-8a97-0a580a800003 associated with job state 66de9730-ed03-4228-931d-ff37bf7bbae0 - bundleinstances.automationbroker.io "9b7d19c6-688f-11e8-8a97-0a580a800003" not found
[2018-06-05T07:13:48.647Z] [WARNING] - unable to find job state: [9b7d19c6-688f-11e8-8a97-0a580a800003]. error: [bundleinstances.automationbroker.io "9b7d19c6-688f-11e8-8a97-0a580a800003" not found]


Expected results:
the secret in asb ns is deleted.

Additional info:
The binding secrets are deleted in the asb ns when the project is deleted.
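
An audit for the leak described in this report, added here as an example (it is not from the bug report or the ASB project): it lists provision secrets in the broker namespace whose name matches no existing service instance. It assumes, based on the log above, that the secret name equals the instance ID the catalog stores in `.spec.externalID`; `BROKER_NS` and the function names are hypothetical.

```sh
# Added example: find provision secrets left behind in the broker namespace.
# Assumption (from the log in the report): the secret name equals the broker
# instance ID, which the service catalog stores in .spec.externalID.
BROKER_NS="${BROKER_NS:-openshift-ansible-service-broker}"

# Print each secret name (file $1) that matches no live instance ID (file $2).
orphaned_secrets() {
    if [ -s "$2" ]; then
        grep -vxFf "$2" "$1" || true   # whole-line, fixed-string, inverted match
    else
        cat "$1"    # no instances exist, so every provision secret is orphaned
    fi
}

list_provision_secrets() {
    oc get secret -n "$BROKER_NS" -l apbAction=provision \
        -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}'
}

list_instance_ids() {
    oc get serviceinstances --all-namespaces \
        -o jsonpath='{range .items[*]}{.spec.externalID}{"\n"}{end}'
}

audit_cluster() {
    tmp=$(mktemp -d) || return 1
    # Stop if either listing fails: an ID list emptied by an error would
    # flag the secret of every live instance as orphaned.
    if list_provision_secrets > "$tmp/secrets" && list_instance_ids > "$tmp/ids"; then
        orphaned_secrets "$tmp/secrets" "$tmp/ids"; rc=0
    else
        echo "listing failed, no result" >&2; rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Constructed sample: the first ID is the leaked secret from the report,
# the second is a made-up instance that still exists.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 9b7d19c6-688f-11e8-8a97-0a580a800003 \
        11111111-2222-3333-4444-555555555555 > "$tmp/secrets"
    printf '%s\n' 11111111-2222-3333-4444-555555555555 > "$tmp/ids"
    orphaned_secrets "$tmp/secrets" "$tmp/ids"
    rm -rf "$tmp"
}

case "${1:-}" in --cluster) audit_cluster ;; --demo) demo ;; esac
```

Run it with `--demo` for the constructed data, or with `--cluster` from a session logged in with read access to the broker namespace and to service instances.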

Comment 1 Zhang Cheng 2018-06-05 07:57:05 UTC
Setting "target release" to 3.10 currently; please reset it if you want this out of this release.

Comment 2 John Matthews 2018-06-05 12:48:45 UTC
Aligning to 3.11

Comment 5 Zihan Tang 2018-08-09 03:21:38 UTC
Verified 
ASB: 1.3.7

Comment 7 errata-xmlrpc 2018-10-11 07:20:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2652

