Pass provision credentials to the deprovision playbook even if APB is not bindable

[maleck13]

Feature:

Not sure if this is a feature or a bug, but putting it under feature at the moment.

As part of a provision or binding, we create certain resources within the application (think a realm and user in keycloak for example)
We have a usecase that developers may not want to provision a new instance of a service like keycloak every time. So we allow developers to specify using an existing keycloak as part of the provision. In this case the playbook will not create new pods etc but instead just create the new realm and user and drop the details into the credentials.
When deprovisioning, we need to access these credentials so that we can tear down the resources we created within the service as in this case the original keycloak server will remain running.

Solution
Pass through the any extracted credentials created at provision time to the deprovision action.

I happy to provide a PR for this.

[vchepeli]

_apb_provision_creds is available when we do binding/unbind phase

asb_encode_binding:
  fields:
    name: "<some-name>"
    resource: "some-resource"
    uri: "<some-url>"

But when we want also same fields available in deprovision phase e.g. _apb_provision_creds.name it says _apb_provision_creds is undefined

[maleck13]

This can be assigned to me

[dymurray]

I am still hitting this issue with the canary broker image. I am reopening this issue to track. I can also confirm that folks on the Cloudforms team have tested with canary as well and are unable to access _apb_provision_creds.

[dymurray]

This is actually due to the fact that the broker does not pass these credentials to the broker unless you make bindable True in apb.yml. We should be passing in the provision creds at all times so I am going to change this issue to reflect it.

[dymurray]

I would expect the broker to always run the GetExtractedCredentials function (Or maybe GetBind?) and if it doesn't find credentials, simply pass an empty object for _apb_provision_creds to deprovision.

[maleck13]

This seems reasonable to pass an empty value but always pass the arg. 👀

[maleck13]

Although it does raise the question of whether this should be the case for all arguments. As in we will always pass a certain set of arguments even if there is no value for them

[maleck13]

Perhaps something like

// EnsureDefaults returns the default set of parameters with default values
func (p Parameters) EnsureDefaults() {
	if _, ok := p[ProvisionCredentialsKey]; !ok {
		p[ProvisionCredentialsKey] = nil
	}
}

[dymurray]

https://github.com/dymurray/depro-creds-apb

Made a functioning example of using a configmap to pass this data between provision/deprovision as a workaround.