Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1615229

Summary: [ASB] Service Catalog can not reach /osb/v2/catalog endpoint
Product: OpenShift Container Platform
Reporter: Zihan Tang <zitang>
Component: Service Broker
Assignee: Jason Montleon <jmontleo>
Status: CLOSED ERRATA
QA Contact: Zihan Tang <zitang>
Severity: medium
Priority: medium
Version: 3.11.0
CC: aos-bugs, chezhang, dzager, jiazha
Target Milestone: ---
Keywords: TestBlocker
Target Release: 3.11.0
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2018-10-11 07:24:38 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1583503

Description Zihan Tang 2018-08-13 05:50:40 UTC
Description of problem:
ansible-service-broker cannot fetch clusterserviceclass from the asb pod.
curl -k -H "Authorization: Bearer `oc serviceaccounts get-token asb-client`" https://$(oc get routes -n openshift-ansible-service-broker --no-headers | awk '{print $2}')/ansible-service-broker/v2/catalog
{
  "paths": [
    "/apis",
    "/healthz",
    "/healthz/ping",
    "/healthz/poststarthook/generic-apiserver-start-informers",
    "/metrics",
    "/osb/"
  ]

Version-Release number of selected component (if applicable):
asb: 1.3.8
openshift-ansible-3.11.0-0.13.0

How reproducible:
always

Steps to Reproduce:
1. Set asb with an available registry; it can fetch APBs successfully.
# oc get bundles
NAME                               AGE
0300d1ae1841c23a9df0a179ad0605fd   2h
0e5dbb6592fec99057f94fbb095ec558   2h
48749329dd289591e11ba737f15fc71b   2h
bd8dff760b959264f3ab38d42ba5e7a8   2h

2. Relist the service catalog with: apb catalog relist -n ansible-service-broker
Checking clusterserviceclass:

# oc get clusterserviceclass
No resources found.

Actual results:
No resources found.

# oc describe clusterservicebroker ansible-service-broker
Name:         ansible-service-broker
Namespace:    
Labels:       <none>
Annotations:  <none>
API Version:  servicecatalog.k8s.io/v1beta1
Kind:         ClusterServiceBroker
Metadata:
  Creation Timestamp:  2018-08-13T05:39:49Z
  Finalizers:
    kubernetes-incubator/service-catalog
  Generation:        1
  Resource Version:  29548
  Self Link:         /apis/servicecatalog.k8s.io/v1beta1/clusterservicebrokers/ansible-service-broker
  UID:               4b92b10b-9ebb-11e8-9c5b-0a580a80001b
Spec:
  Auth Info:
    Bearer:
      Secret Ref:
        Name:       asb-client
        Namespace:  openshift-ansible-service-broker
  Ca Bundle:        L...TS9MSGsvN295RT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
  Relist Behavior:  Duration
  Relist Requests:  5
  URL:              https://asb.openshift-ansible-service-broker.svc:1338/osb
Status:
  Conditions:
    Last Transition Time:  2018-08-13T05:39:49Z
    Message:               Error fetching catalog.Error getting broker catalog: Status: 403; ErrorMessage: <nil>; Description: <nil>; ResponseError: <nil>
    Reason:                ErrorFetchingCatalog
    Status:                False
    Type:                  Ready
  Operation Start Time:    2018-08-13T05:39:50Z
  Reconciled Generation:   0
Events:
  Type     Reason                Age                From                                Message
  ----     ------                ----               ----                                -------
  Warning  ErrorFetchingCatalog  24s (x14 over 1m)  service-catalog-controller-manager  Error getting broker catalog: Status: 403; ErrorMessage: <nil>; Description: <nil>; ResponseError: <nil>

Expected results:
get clusterserviceclass successfully

Additional info:
The OSB API returns 403.

# curl -k -H "Authorization: Bearer `oc serviceaccounts get-token asb-client`" https://$(oc get routes -n openshift-ansible-service-broker --no-headers | awk '{print $2}')/osb/v2/catalog
Error from server (NotFound): serviceaccounts "asb-client" not found
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/osb/v2/catalog\": no RBAC policy matched",
  "reason": "Forbidden",
  "details": {
    
  },
  "code": 403

Found some related PRs:
https://github.com/openshift/ansible-service-broker/pull/1029
https://github.com/openshift/openshift-ansible/pull/9510

Comment 1 Zihan Tang 2018-08-13 06:19:28 UTC
In the #Description,
the ansible-service-broker URL by default is:

  URL:              https://asb.openshift-ansible-service-broker.svc:1338/ansible-service-broker

Comment 2 Zhang Cheng 2018-08-13 06:46:00 UTC
Adding "testblocker" since this issue is blocking about 90% of ASB TCs.

Comment 4 Zihan Tang 2018-08-16 06:25:02 UTC
image is ready, change it to ON_QA

Comment 5 Zihan Tang 2018-08-16 06:26:32 UTC
Verified
openshift-ansible-3.11.0-0.16.0

Comment 7 errata-xmlrpc 2018-10-11 07:24:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2652