Unbind service account auth error #531

Closed
maleck13 opened this issue Nov 2, 2017 · 7 comments
Labels
3.10 | release-1.2 Kubernetes 1.10 | Openshift 3.10 | Broker release-1.2

Comments


maleck13 commented Nov 2, 2017

Bug:

What happened:
When the unbind pod runs, I attempt to get the route of the service using the following command:

shell: "oc get routes keycloak -n '{{ namespace }}'"

This works fine during provision and bind but fails with the following error on unbind:

  "msg": "kc route = {'stderr_lines': [u'Error from server (Forbidden): User \"system:serviceaccount:dh-keycloak-apb-unbi-t5mng:apb-0f21e745-621f-43ad-8929-692b0719df1e\" cannot get routes in the namespace \"work\": User \"system:serviceaccount:dh-keycloak-apb-unbi-t5mng:apb-0f21e745-621f-43ad-8929-692b0719df1e\" cannot get routes in project \"work\" (get routes keycloak)'], u'changed': True, u'end': u'2017-11-02 15:45:55.884166', u'stdout': u'', u'cmd': u\"oc get routes keycloak -n 'work' | grep -v NAME | awk '{print $2}'\", u'rc': 0, u'start': u'2017-11-02 15:45:55.516052', u'stderr': u'Error from server (Forbidden): User \"system:serviceaccount:dh-keycloak-apb-unbi-t5mng:apb-0f21e745-621f-43ad-8929-692b0719df1e\" cannot get routes in the namespace \"work\": User \"system:serviceaccount:dh-keycloak-apb-unbi-t5mng:apb-0f21e745-621f-43ad-8929-692b0719df1e\" cannot get routes in project \"work\" (get routes keycloak)', u'delta': u'0:00:00.368114', 'stdout_lines': []}"

What you expected to happen:
To find the route for the service

How to reproduce it:

I am using the following apb (maleck13/keycloak-apb) it is public and has the following in the unbind action:
https://github.com/feedhenry/keycloak-apb/blob/master/roles/bind-keycloak-apb/tasks/main.yml#L12


maleck13 commented Nov 2, 2017

Currently using the sprint139.1 tag of asb. As a side note, I am also seeing two unbind namespaces get created.

Full apb log below:


+ [[ unbind --extra-vars {"_apb_provision_creds":null,"namespace":"work","provision_params":{"ADMIN_NAME":"admin","ADMIN_PASSWORD":"admin","_apb_plan_id":"default"}} == *\s\2\i\/\a\s\s\e\m\b\l\e* ]]
+ ACTION=unbind
+ shift
+ playbooks=/opt/apb/actions
+ CREDS=/var/tmp/bind-creds
+ whoami
+ '[' -w /etc/passwd ']'
++ id -u
+ echo 'apb:x:1000650000:0:apb user:/opt/apb:/sbin/nologin'
+ oc-login.sh
Attempting to login with a service account...
Logged into "https://kubernetes.default:443 " as "system:serviceaccount:dh-keycloak-apb-unbi-t5mng:apb-0f21e745-621f-43ad-8929-692b0719df1e" using the token provided.

You don't have any projects. Contact your system administrator to request a project.
Welcome! See 'oc help' to get started.
+ [[ -e /opt/apb/actions/unbind.yaml ]]
+ [[ -e /opt/apb/actions/unbind.yml ]]
+ ANSIBLE_ROLES_PATH=/etc/ansible/roles:/opt/ansible/roles
+ ansible-playbook /opt/apb/actions/unbind.yml --extra-vars '{"_apb_provision_creds":null,"namespace":"work","provision_params":{"ADMIN_NAME":"admin","ADMIN_PASSWORD":"admin","_apb_plan_id":"default"}}'
[WARNING]: provided hosts list is empty, only localhost is available

PLAY [keycloak-apb playbook to bind the application] ***************************

TASK [ansible.kubernetes-modules : Intall latest openshift client] *************
skipping: [localhost]

TASK [ansibleplaybookbundle.asb-modules : debug] *******************************
skipping: [localhost]

TASK [unbind-keycloak-apb : Retrieve route to keycloak] ************************
changed: [localhost]

TASK [unbind-keycloak-apb : debug] *********************************************
ok: [localhost] => {
"msg": "kc route = {'stderr_lines': [u'Error from server (Forbidden): User \"system:serviceaccount:dh-keycloak-apb-unbi-t5mng:apb-0f21e745-621f-43ad-8929-692b0719df1e\" cannot get routes in the namespace \"work\": User \"system:serviceaccount:dh-keycloak-apb-unbi-t5mng:apb-0f21e745-621f-43ad-8929-692b0719df1e\" cannot get routes in project \"work\" (get routes keycloak)'], u'changed': True, u'end': u'2017-11-02 15:45:55.884166', u'stdout': u'', u'cmd': u\"oc get routes keycloak -n 'work' | grep -v NAME | awk '{print $2}'\", u'rc': 0, u'start': u'2017-11-02 15:45:55.516052', u'stderr': u'Error from server (Forbidden): User \"system:serviceaccount:dh-keycloak-apb-unbi-t5mng:apb-0f21e745-621f-43ad-8929-692b0719df1e\" cannot get routes in the namespace \"work\": User \"system:serviceaccount:dh-keycloak-apb-unbi-t5mng:apb-0f21e745-621f-43ad-8929-692b0719df1e\" cannot get routes in project \"work\" (get routes keycloak)', u'delta': u'0:00:00.368114', 'stdout_lines': []}"
}

TASK [unbind-keycloak-apb : Generate keycloak auth token] **********************
FAILED - RETRYING: Generate keycloak auth token (20 retries left).
FAILED - RETRYING: Generate keycloak auth token (19 retries left).
FAILED - RETRYING: Generate keycloak auth token (18 retries left).
FAILED - RETRYING: Generate keycloak auth token (17 retries left).
FAILED - RETRYING: Generate keycloak auth token (16 retries left).
FAILED - RETRYING: Generate keycloak auth token (15 retries left).
FAILED - RETRYING: Generate keycloak auth token (14 retries left).
FAILED - RETRYING: Generate keycloak auth token (13 retries left).
FAILED - RETRYING: Generate keycloak auth token (12 retries left).
FAILED - RETRYING: Generate keycloak auth token (11 retries left).
FAILED - RETRYING: Generate keycloak auth token (10 retries left).
FAILED - RETRYING: Generate keycloak auth token (9 retries left).
FAILED - RETRYING: Generate keycloak auth token (8 retries left).
FAILED - RETRYING: Generate keycloak auth token (7 retries left).
FAILED - RETRYING: Generate keycloak auth token (6 retries left).
FAILED - RETRYING: Generate keycloak auth token (5 retries left).
FAILED - RETRYING: Generate keycloak auth token (4 retries left).
FAILED - RETRYING: Generate keycloak auth token (3 retries left).
FAILED - RETRYING: Generate keycloak auth token (2 retries left).
FAILED - RETRYING: Generate keycloak auth token (1 retries left).
fatal: [localhost]: FAILED! => {"attempts": 20, "changed": false, "content": "", "failed": true, "msg": "Status code was not [200]: Request failed: <urlopen error no host given>", "redirected": false, "status": -1, "url": "http:///auth/realms/master/protocol/openid-connect/token"}
to retry, use: --limit @/opt/apb/actions/unbind.retry

PLAY RECAP *********************************************************************
localhost                  : ok=2    changed=1    unreachable=0    failed=1
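Two things in the log above are worth checking for in any APB task that shells out to `oc`: the pipeline `oc ... | grep -v NAME | awk ...` returned `rc: 0` even though `oc` was denied by RBAC (the rc is awk's, not oc's), and the empty route then produced the `http:///auth/...` URL that fails with "no host given". The following is an added example, not code from the issue or the keycloak-apb project: it applies a `failed_when`-style check to a registered `shell` result and extracts the denied subject, verb, resource and namespace from the Forbidden message for triage. The sample result dicts are constructed from the log, with the sandbox namespace and service-account name replaced by placeholders.

```python
import re

# Constructed sample results modelled on the Ansible `shell` output in the
# issue; namespace and service-account names are shortened placeholders.
FORBIDDEN_RESULT = {
    "rc": 0,
    "stdout": "",
    "stderr": ('Error from server (Forbidden): User '
               '"system:serviceaccount:sandbox-ns:apb-placeholder" cannot get '
               'routes in the namespace "work"'),
}
OK_RESULT = {"rc": 0, "stdout": "keycloak-work.192.168.37.1.nip.io", "stderr": ""}

FORBIDDEN_RE = re.compile(
    r'Forbidden\): User "system:serviceaccount:(?P<ns>[^:]+):(?P<sa>[^"]+)" '
    r'cannot (?P<verb>\w+) (?P<resource>\w+) in the namespace "(?P<target>[^"]+)"'
)


def parse_forbidden(stderr):
    """Return who was denied which verb on which resource in which namespace,
    or None when stderr carries no RBAC denial. Useful for deciding whether
    the sandbox role or the target namespace is the thing to look at."""
    m = FORBIDDEN_RE.search(stderr or "")
    return m.groupdict() if m else None


def route_lookup_failed(result):
    """Equivalent of a failed_when condition for the route lookup task.
    The pipeline ends in awk, so rc is awk's exit status and rc == 0 does
    not prove oc succeeded: treat empty stdout or an RBAC denial as failure."""
    return (result["rc"] != 0
            or not result["stdout"].strip()
            or parse_forbidden(result.get("stderr")) is not None)


def keycloak_token_url(route_host):
    """Build the token endpoint used by the next task, refusing an empty
    host instead of emitting 'http:///auth/...' (the 'no host given' error)."""
    host = route_host.strip()
    if not host:
        raise ValueError("empty route host: fail the route lookup task first")
    return f"http://{host}/auth/realms/master/protocol/openid-connect/token"
```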


@rthallisey rthallisey added the bug label Nov 2, 2017

maleck13 commented Nov 3, 2017

Example binding object we create. Sending through a bunch of params at the moment, which will likely get narrowed down. The main ones used in the binding are:

  • admin_password
  • admin_username
  • service_name
{
   "kind":"ServiceBinding",
   "apiVersion":"servicecatalog.k8s.io/v1beta1",
   "metadata":{
      "generateName":"dh-keycloak-apb-9947t-"
   },
   "spec":{
      "instanceRef":{
         "name":"dh-keycloak-apb-9947t"
      },
      "secretName":"keycloak-fh-sync-server",
      "parameters":{
         "admin_password":"admin",
         "admin_username":"admin",
         "bearer_client_id":"SAUsxVFDGlwkXvsvcnqw-bearer",
         "bearer_client_secret":"XmnE20xQfJiUh4xMKuUC",
         "credentials":{
            "route":"http://keycloak-myproject.192.168.37.1.nip.io",
            "service_secret":"fh-sync-server"
         },
         "public_client_id":"SAUsxVFDGlwkXvsvcnqw",
         "public_client_secret":"XmnE20xQfJiUh4xMKuUC",
         "realm":"myproject",
         "service_name":"fh-sync-server",
         "type":"keycloak"
      }
   }
}

@shawn-hurley

@maleck13 Any chance that you could tell us the sandbox permissions that you are running the APB as?


maleck13 commented Nov 6, 2017

sandbox_role: "admin"

@rthallisey rthallisey added the 3.10 | release-1.2 Kubernetes 1.10 | Openshift 3.10 | Broker release-1.2 label Jan 9, 2018
@rthallisey

@maleck13 are you still seeing this issue?


maleck13 commented Jan 9, 2018

Haven't tried recently; will give it a go again tomorrow and get back to you.

@eriknelson

Closing after discussion during community meeting, please reopen if issue is persistent.
