[Ansible-service-broker] deleting a binding's secret

Shawn Hurley shurley at redhat.com
Thu Jan 4 17:32:21 UTC 2018


+1 that is also what I was thinking

> On Jan 4, 2018, at 12:16 PM, David Zager <dzager at redhat.com> wrote:
> 
> I agree with having bind/unbind playbooks that are called on those actions. However, in this case at least, a bind playbook didn't place the secret in the deployment config, the OpenShift "Console" did. This sounds like a bug against origin. If there is a process for adding the secret to the deployment then there should be a process that removes it.
> 
> On Thu, Jan 4, 2018, 11:59 AM Dylan Murray <dymurray at redhat.com> wrote:
> I like it. Makes sense and fits the initial approach we wanted to take. It would also be useful for Amazon APBs to remove credentials from RDS for example.
> 
> On Thu, Jan 4, 2018 at 11:07 AM, Ryan Hallisey <rhallise at redhat.com> wrote:
> Michael,
> 
> I agree there is a gap here. In the past with pod presets, the catalog
> managed the relationship between the app and the bind. Until the catalog
> has another solution, maybe we can deal with this with an unbind apb
> playbook. The playbook will get called from the broker unbind action, an
> apb will run for each app in the bind, and the reference to the secret
> will be removed by the playbook.
> 
> What are folks' thoughts on that?
> 
> Thanks,
> - Ryan
> 
> 
> On Wed, Jan 3, 2018 at 5:10 PM, Michael Hrivnak <mhrivnak at redhat.com> wrote:
> > Looking at this BZ, and continuing a discussion from IRC:
> > https://bugzilla.redhat.com/show_bug.cgi?id=1511760
> >
> > It seems there is a gap in the lifecycle of the secret that gets created by
> > a binding. When the ServiceBinding gets deleted (such as via the binding's
> > "Delete" link in the UI), its secret gets deleted too. But if that secret
> > had been added to a DeploymentConfig, that DC retains a reference to the
> > secret. Any re-deployment will fail.
> >
> > What is the missing step? Something should presumably clean up any
> > references to the secret, which in this case would mean updating the
> > DeploymentConfig. What should implement that business logic?
> >
> > --
> >
> > Michael Hrivnak
> >
> > Principal Software Engineer, RHCE
> >
> > Red Hat
> >
> >
> > _______________________________________________
> > Ansible-service-broker mailing list
> > Ansible-service-broker at redhat.com
> > https://www.redhat.com/mailman/listinfo/ansible-service-broker
> >
> 

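The cleanup step discussed in this thread, as an added example that is not part of any message or of the broker's own code: given a DeploymentConfig parsed from JSON and the name of the deleted binding secret, it removes the references held in `envFrom`, `env` and secret-backed volumes (with their mounts). The function names, the sample object and the secret name `db-binding` are assumptions made for illustration.

```python
import copy

# Constructed sample DeploymentConfig (not from the thread); "db-binding" is a
# hypothetical name for the secret a deleted ServiceBinding left behind.
SAMPLE_DC = {
    "kind": "DeploymentConfig",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "volumes": [{"name": "creds", "secret": {"secretName": "db-binding"}},
                    {"name": "data", "emptyDir": {}}],
        "containers": [{
            "name": "app",
            "envFrom": [{"secretRef": {"name": "db-binding"}},
                        {"configMapRef": {"name": "settings"}}],
            "env": [{"name": "DB_PASS", "valueFrom": {
                        "secretKeyRef": {"name": "db-binding", "key": "password"}}},
                    {"name": "MODE", "value": "prod"}],
            "volumeMounts": [{"name": "creds", "mountPath": "/etc/creds"},
                             {"name": "data", "mountPath": "/data"}],
        }],
    }}},
}

def _drop(container, key, is_ref, removed):
    """Filter container[key], recording each dropped entry as 'container/key'."""
    items = container.get(key)
    if items:
        container[key] = [i for i in items if not is_ref(i)]
        removed.extend(f"{container['name']}/{key}" for i in items if is_ref(i))

def strip_secret_refs(dc, secret):
    """Return (copy of dc without references to `secret`, list of removals)."""
    dc = copy.deepcopy(dc)
    removed = []
    pod = dc["spec"]["template"]["spec"]
    # Volumes backed by the secret; their mounts must go too or the pod is invalid.
    dead = {v["name"] for v in pod.get("volumes", [])
            if v.get("secret", {}).get("secretName") == secret}
    if dead:
        pod["volumes"] = [v for v in pod["volumes"] if v["name"] not in dead]
        removed.extend(f"volume/{n}" for n in sorted(dead))
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        _drop(c, "envFrom", lambda e: e.get("secretRef", {}).get("name") == secret, removed)
        _drop(c, "env", lambda e: (e.get("valueFrom") or {})
              .get("secretKeyRef", {}).get("name") == secret, removed)
        _drop(c, "volumeMounts", lambda m: m["name"] in dead, removed)
    return dc, removed

if __name__ == "__main__":
    print(strip_secret_refs(SAMPLE_DC, "db-binding")[1])
```

An empty removal list means the DeploymentConfig holds no reference to that secret in these three locations; other places a secret can be named, such as `imagePullSecrets`, are outside what this example covers.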