Description of problem:
ansible-service-broker cannot fetch clusterserviceclass from asb pod.

curl -k -H "Authorization: Bearer `oc serviceaccounts get-token asb-client`" https://$(oc get routes -n openshift-ansible-service-broker --no-headers | awk '{print $2}')/ansible-service-broker/v2/catalog
{
  "paths": [
    "/apis",
    "/healthz",
    "/healthz/ping",
    "/healthz/poststarthook/generic-apiserver-start-informers",
    "/metrics",
    "/osb/"
  ]

Version-Release number of selected component (if applicable):
asb: 1.3.8
openshift-ansible-3.11.0-0.13.0

How reproducible:
always

Steps to Reproduce:
1. Set asb with an available registry; it can fetch apbs successfully.
# oc get bundles
NAME                               AGE
0300d1ae1841c23a9df0a179ad0605fd   2h
0e5dbb6592fec99057f94fbb095ec558   2h
48749329dd289591e11ba737f15fc71b   2h
bd8dff760b959264f3ab38d42ba5e7a8   2h

2. Relist the service catalog with: apb catalog relist -n ansible-service-broker
Checking clusterserviceclass:
# oc get clusterserviceclass
No resources found.

Actual results:
No resources found.
# oc describe clusterservicebroker ansible-service-broker
Name:         ansible-service-broker
Namespace:
Labels:       <none>
Annotations:  <none>
API Version:  servicecatalog.k8s.io/v1beta1
Kind:         ClusterServiceBroker
Metadata:
  Creation Timestamp:  2018-08-13T05:39:49Z
  Finalizers:
    kubernetes-incubator/service-catalog
  Generation:        1
  Resource Version:  29548
  Self Link:         /apis/servicecatalog.k8s.io/v1beta1/clusterservicebrokers/ansible-service-broker
  UID:               4b92b10b-9ebb-11e8-9c5b-0a580a80001b
Spec:
  Auth Info:
    Bearer:
      Secret Ref:
        Name:       asb-client
        Namespace:  openshift-ansible-service-broker
  Ca Bundle:        L...TS9MSGsvN295RT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
  Relist Behavior:  Duration
  Relist Requests:  5
  URL:              https://asb.openshift-ansible-service-broker.svc:1338/osb
Status:
  Conditions:
    Last Transition Time:  2018-08-13T05:39:49Z
    Message:               Error fetching catalog.Error getting broker catalog: Status: 403; ErrorMessage: <nil>; Description: <nil>; ResponseError: <nil>
    Reason:                ErrorFetchingCatalog
    Status:                False
    Type:                  Ready
  Operation Start Time:    2018-08-13T05:39:50Z
  Reconciled Generation:   0
Events:
  Type     Reason                Age                From                                Message
  ----     ------                ----               ----                                -------
  Warning  ErrorFetchingCatalog  24s (x14 over 1m)  service-catalog-controller-manager  Error getting broker catalog: Status: 403; ErrorMessage: <nil>; Description: <nil>; ResponseError: <nil>

Expected results:
get clusterserviceclass successfully

Additional info:
The osb api returns 403.
# curl -k -H "Authorization: Bearer `oc serviceaccounts get-token asb-client`" https://$(oc get routes -n openshift-ansible-service-broker --no-headers | awk '{print $2}')/osb/v2/catalog
Error from server (NotFound): serviceaccounts "asb-client" not found
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/osb/v2/catalog\": no RBAC policy matched",
  "reason": "Forbidden",
  "details": {

  },
  "code": 403

Found some related PRs:
https://github.com/openshift/ansible-service-broker/pull/1029
https://github.com/openshift/openshift-ansible/pull/9510
In #Description, the ansible-service-broker URL by default is:
URL: https://asb.openshift-ansible-service-broker.svc:1338/ansible-service-broker
Adding "testblocker" since this issue is blocking about 90% ASB TCs.
https://github.com/openshift/openshift-ansible/pull/9510
The image is ready; changing it to ON_QA.
Verified openshift-ansible-3.11.0-0.16.0
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2652