Adding ability to pass credentials to bind and unbind actions. #302
Conversation
shawn-hurley
force-pushed
the
bind-wkflw
branch
2 times, most recently
from
0a1443c
to
4e61fc8
Compare
TESTING New WorkflowNeeds to be run on a machine that spins up containers quickly Use: The test APB will give you the ability to select which workflow you would like the APB to do. The options are Test 1Launch catasb point to broker built with the changes. Leave
Test 2Launch catasb point to broker built with the changes. set
Test 3Launch catasb point to broker built with the changes. set
PLEASE NOTE: that if it takes too long for the APB to run the service catalog will fail to get the data and will not create the secret. This is due to lack of async binding support. |
shawn-hurley
changed the title
shawn-hurley
force-pushed
the
bind-wkflw
branch
from
4e61fc8
to
d5eed8c
Compare
1 similar comment
shawn-hurley
force-pushed
the
bind-wkflw
branch
from
d5eed8c
to
9578928
Compare
pkg/broker/broker.go
Outdated
| @@ -678,6 +677,9 @@ func (a AnsibleBroker) Bind(instanceUUID uuid.UUID, bindingUUID uuid.UUID, req * | |||
| params[planParameterKey] = req.PlanID | |||
|
|
|||
| // Create a BindingInstance with a reference to the serviceinstance. | |||
| // | |||
| // Create a BindingInstance with a reference to the serviceinstance. | |||
There was a problem hiding this comment.
Looks like an extra comment
|
LGTM. I haven't tested yet. |
| @@ -100,6 +100,8 @@ The broker config section will tell the broker what functionality should be enab | |||
| and disabled. It will also tell the broker where to find files on disk that will | |||
| enable the full functionality. | |||
|
|
|||
| *Note: with the absence of async bind, setting launch_apb_on_bind to true can cause the bind action to timeout and will span a retry. The broker will handle with with 409 Conflicts because it is the same bind request with different parameters.* | |||
| log.Notice("============================================================") | ||
| log.Notice(" UNBINDING ") | ||
| log.Notice("============================================================") | ||
|
|
||
| // podName, err | ||
| _, err := ExecuteApb( | ||
| "unbind", clusterConfig, instance.Spec, | ||
| instance.Context, instance.Parameters, log, | ||
| instance.Context, parameters, log, | ||
| ) |
pkg/apb/unbind.go
Outdated
| @@ -10,15 +10,15 @@ import ( | |||
| // github.com/op/go-logging, which is used all over the broker | |||
| // Maybe apb defines its own interface and accepts that optionally | |||
| // Little looser, but still not great | |||
| func Unbind(instance *ServiceInstance, clusterConfig ClusterConfig, log *logging.Logger) error { | |||
| func Unbind(instance *ServiceInstance, clusterConfig ClusterConfig, log *logging.Logger, parameters *Parameters) error { | |||
There was a problem hiding this comment.
It would be nice to use the same order as Bind:
func Bind(
instance *ServiceInstance,
parameters *Parameters,
clusterConfig ClusterConfig,
log *logging.Logger,
) (string, *ExtractedCredentials, error) {
pkg/broker/broker.go
Outdated
| @@ -751,31 +734,28 @@ func (a AnsibleBroker) Bind(instanceUUID uuid.UUID, bindingUUID uuid.UUID, req * | |||
| return nil, err | |||
| } | |||
| } else { | |||
| a.log.Warning("Broker configured to *NOT* launch and run APB bind") | |||
| a.log.Warningf("Broker configured to *NOT* launch and run APB bind") | |||
There was a problem hiding this comment.
I like using the f version, but do we need to change it if we're not passing in variables. I think it's ok, but I wouldn't change them unless we're passing in a variable.
| a.log.Error("No extracted credentials found from provision or bind") | ||
| a.log.Error("Instance ID: %s", instanceUUID.String()) | ||
| a.log.Errorf("No extracted credentials found from provision or bind instance ID: %s", | ||
| instanceUUID.String()) |
There was a problem hiding this comment.
This is a prime example of requiring the change as we are passing the variable in.
| return nil, err | ||
| if bindExtCreds != nil { | ||
| err = a.dao.DeleteExtractedCredentials(bindingUUID.String()) | ||
| if err != nil { |
There was a problem hiding this comment.
is it possible we could leak bindings?
There was a problem hiding this comment.
I see 4 cases on 777 we will attempt to get the credentials.
- etcd/dao error that is something other than creds could not be found
- we return the error and error out to service catalog which will re-try.
- etcd/dao error that is creds not found
- we don't need to attempt to delete anything that is not there
- etcd/dao finds creds and delete succeeds
- happy path
- etcd/dao finds creds and delete creds fails.
- we will error out which will bubble up to service catalog which will re-try.
Can you think of another path?
There was a problem hiding this comment.
I think we're covered by service cat retries.
pkg/handler/handler.go
Outdated
| resp, err := h.broker.Unbind(instanceUUID, bindingUUID, planID) | ||
|
|
||
| if errors.IsNotFound(err) { | ||
| writeResponse(w, http.StatusGone, resp) |
There was a problem hiding this comment.
any reason we deleted the blank lines? they were single lines which isn't egregious and I think it makes it more readable.
There was a problem hiding this comment.
No good reason, I will add it back
scripts/prep_local_devel_env.sh
Outdated
| @@ -113,7 +113,7 @@ echo -e "Wrote \n${BROKER_SVC_ACCT_TOKEN}\n to: ${SVC_ACCT_TOKEN_FILE}\n" | |||
| ### | |||
| # Fetch the tls.crt for the asb deployment | |||
| ### | |||
| TLS_CRT_DATA=`oc get secret asb-tls -o jsonpath='{ .data.tls\.crt }'` | |||
| TLS_CRT_DATA=`oc get secret asb-tls -o jsonpath='{ .data.tls\.crt}'` | |||
There was a problem hiding this comment.
What this intentional? we should be consistent and we currently aren't. I would not make this change as part of this PR. Here are other ones in the same file:
[jesusr@speed3 ansible-service-broker{authimpl}]$ grep jsonpath scripts/prep_local_devel_env.sh
BROKER_SVC_ACCT_SECRET_NAME=`oc get serviceaccount asb -n ansible-service-broker -o jsonpath='{.secrets[0].name}'`
SVC_ACCT_CA_CRT_DATA=`oc get secret ${BROKER_SVC_ACCT_SECRET_NAME} -n ${ASB_PROJECT} -o jsonpath='{ .data.service-ca\.crt }'`
BROKER_SVC_ACCT_TOKEN=`oc get secret ${BROKER_SVC_ACCT_SECRET_NAME} -n ${ASB_PROJECT} -o jsonpath='{ .data.token }'`
TLS_CRT_DATA=`oc get secret asb-tls -o jsonpath='{ .data.tls\.crt }'`
TLS_KEY_DATA=`oc get secret asb-tls -o jsonpath='{ .data.tls\.key }'`
etcd_route=`oc get route asb-etcd -n ${ASB_PROJECT} -o=jsonpath=\'\{.spec.host\}\'`
There was a problem hiding this comment.
I had to fix this and they you submitted the patch, I must have chosen the wrong one on the merge. I will add the space back my fault.
pkg/broker/broker.go
Outdated
| } | ||
|
|
||
| err = a.dao.DeleteBindInstance(bindingUUID.String()) | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
|
|
There was a problem hiding this comment.
I would have left this blank line as well.
pkg/broker/broker.go
Outdated
| params[provisionCredentialsKey] = provExtCreds.Credentials | ||
| if bindExtCreds != nil { | ||
| params[bindCredentialsKey] = bindExtCreds.Credentials | ||
| } |
There was a problem hiding this comment.
- Questions around APBs that return only provision credentials, or only bind credentials. Unbind is written expecting both to be present
- Return err if serviceInstance is not found on unbind
- Waning on no launch APB in unbind
- Spoke with @shawn-hurley in IRC, thought it was a little weird to key into /extracted_credentials sourcing from two different places (instance_ids and binding_ids). Would be useful to know where they came from, he came up with an additional namespace:
/extracted_credentials/prov&/extracted_credentials/bind
Overall I like this a lot. Solves a problem we've been wondering about in the past: how should the broker deal with two different sets of binding credentials? Answer: it shouldn't. Delegate that decision to the APBs and remain dumb.
| @@ -100,6 +100,8 @@ The broker config section will tell the broker what functionality should be enab | |||
| and disabled. It will also tell the broker where to find files on disk that will | |||
| enable the full functionality. | |||
|
|
|||
| *Note: with the absence of async bind, setting launch_apb_on_bind to true can cause the bind action to timeout and will span a retry. The broker will handle with with 409 Conflicts because it is the same bind request with different parameters.* | |||
| a.log.Errorf("Could not persist extracted credentials - %v", err) | ||
| return nil, err | ||
| } | ||
| return &BindResponse{Credentials: bindExtCreds.Credentials}, nil |
There was a problem hiding this comment.
This is better than our original thinking. Keeps the broker dumb and delegates the responsibility for what needs to be in the bind response entirely to the APBs, while still allowing them to include provision credentials since they're passed in as a param during the bind action. Nice job 👍
| @@ -789,14 +769,41 @@ func (a AnsibleBroker) Unbind( | |||
| return nil, errors.New(errMsg) | |||
| } | |||
|
|
|||
| params := make(apb.Parameters) | |||
| provExtCreds, err := a.dao.GetExtractedCredentials(instanceUUID.String()) | |||
There was a problem hiding this comment.
This reads like any APB that has been bound is required to have credentials stashed for both provision and bind. What if I have a bindable APB that only returns credentials during a bind operation? This will error out unless the provision object is some kind of empty object, which I also don't think we should be doing.
| params[provisionCredentialsKey] = provExtCreds.Credentials | ||
| if bindExtCreds != nil { | ||
| params[bindCredentialsKey] = bindExtCreds.Credentials | ||
| } | ||
| serviceInstance, err := a.getServiceInstance(instanceUUID) | ||
| if err != nil { | ||
| a.log.Debugf("Service instance with id %s does not exist", instanceUUID.String()) |
There was a problem hiding this comment.
Just noticing this; if this branch is taken it's a hard error and we need to return w/ error code. We'll potentially hit an NPE continuing with a nil serviceInstance.
This would also be quite bad; if someone is trying to unbind from a service that we don't know exists, we're in a real corrupt state.
pkg/broker/broker.go
Outdated
| if err != nil { | ||
| return nil, err | ||
| } | ||
| } |
There was a problem hiding this comment.
I would add a warning to indicate the APB was not run in the logs, making sure we are clear that nothing was launched in case somebody expects otherwise.
| return nil, err | ||
| if bindExtCreds != nil { | ||
| err = a.dao.DeleteExtractedCredentials(bindingUUID.String()) | ||
| if err != nil { |
There was a problem hiding this comment.
I think we're covered by service cat retries.
but should still handle bind and unbind.
…hift#302) * adding ability to pass credentials to bind and unbind actions. * fixing unbind. and updating name of params to spec compliant * update style, making note of issues with lack of async support * config fix up * removing duplicate comment. * addressing comments * addressing issues where prov credentials not sent. but should still handle bind and unbind. * adding warning for not finding any credentials at unbind
Implementation for #293. Just getting thoughts down. This allows you test with the the test apps and APB
https://github.com/shawn-hurley/rhscl-postgresql-apb
https://github.com/shawn-hurley/bottle-todo-demo