[Ansible-service-broker] Best approach to delete serviceInstance created/owned by a CRD

Charles Moulliard cmoullia at redhat.com
Tue Oct 23 13:16:41 UTC 2018


On Tue, Oct 23, 2018 at 2:19 PM Shawn Hurley <shurley at redhat.com> wrote:

> I think I would question using an operator to create serviceInstances and
> serviceBindings. I think doing it this way has one too many abstractions and
> is not going to play super nice.
>
> Also, I assume the problem is the broker you're using requires the secret to
> do some cleanup and/unbind the user?
>
From what I have been able to investigate this morning, the serviceBindings
(which contain a reference to a ServiceInstance) must first be deleted
before deleting the ServiceInstance. When we delete the serviceBindings,
all the secrets referenced (= having an ownerReference to the
serviceBinding) will then be deleted.
As a consequence, I have implemented the same logic within the operator:

if a CRD is deleted, then we delete the serviceBindings linked to the
serviceInstance name defined within the CRD and finally the serviceInstance
[1]

[1] https://goo.gl/WtNJ8v


> In this case I would use owner references but I would use a finalizer to
> handle the clean up. This means deleting the binding then the instance then
> the secret in that order to make sure everything goes well.
>
To be able to use owner references, we need a way to define the
order; otherwise the resources will not necessarily be deleted according
to this order: serviceBindings > secrets > serviceInstance, but instead in
parallel: serviceInstance, serviceBindings,...

>
> As for force deleting, I don’t think that any code should be doing that
> automatically. Force delete should be a user action. To do this you delete
> the finalizer kubernetes-incubator/service-catalog on the service binding
> and the service instance.
>
> Thanks,
>
> Shawn Hurley
>
> On Tue, Oct 23, 2018 at 3:23 AM Charles Moulliard <cmoullia at redhat.com>
> wrote:
>
>> Hi,
>>
>> We have developed a CRD responsible, with the help of an operator, to
>> create k8s resources such as serviceInstance, serviceBinding and secret.
>> When the serviceInstance, serviceBinding are created, we add
>> ownerReferences to allow the CRD to do the garbage collection of such
>> resources.
>>
>> Example
>>
>> oc get serviceinstance/my-postgresql-db -o yaml
>> apiVersion: servicecatalog.k8s.io/v1beta1
>> kind: ServiceInstance
>> metadata:
>>   creationTimestamp: 2018-10-22T16:23:16Z
>>   deletionGracePeriodSeconds: 0
>>   deletionTimestamp: 2018-10-23T07:11:42Z
>>   finalizers:
>>   - kubernetes-incubator/service-catalog
>>   generation: 2
>>   labels:
>>     app: my-spring-boot-service
>>     name: my-spring-boot-service
>>   name: my-postgresql-db
>>   namespace: my-spring-app
>>   ownerReferences:
>>   - apiVersion: component.k8s.io/v1alpha1
>>     blockOwnerDeletion: true
>>     controller: true
>>     kind: Component
>>     name: my-spring-boot-service
>>     uid: c7aee0ee-d616-11e8-9b27-08002710b4d8
>> ...
>>
>> Unfortunately, when we delete the CRD, the secret is deleted but not the
>> ServiceInstance & serviceBinding which are marked for deletion
>>
>> The status mentions such info for the serviceInstance
>>
>>   - lastTransitionTime: 2018-10-23T07:00:04Z
>>     message: All associated ServiceBindings must be removed before this ServiceInstance
>>       can be deleted
>>     reason: DeprovisionBlockedByExistingCredentials
>>     status: "False"
>>     type: Ready
>>
>> and for the serviceBinding
>>
>>   Warning  UnbindCallFailed  3m (x63 over 18m)
>> service-catalog-controller-manager  Error unbinding from ServiceInstance
>> "my-spring-app/my-postgresql-db" of ClusterServiceClass (K8S:
>> "1dda1477cace09730bd8ed7a6505607e" ExternalName: "dh-postgresql-apb") at
>> ClusterServiceBroker "openshift-automation-service-broker": Status: 403;
>> ErrorMessage: <nil>; Description: User does not have sufficient
>> permissions; ResponseError: <nil>
>>
>> okd version used : 3.11
>>
>> Question :
>> - Can we use "ownerReferences" to delete from a CRD the service's k8s
>> resources ?
>> - What is the alternative if we can use "ownerReferences" ?
>> - How can we force to delete such k8s resources ?
>>
>> Regards
>>
>> Charles
>
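
The deletion order discussed in this thread (bindings first, then the instance, driven from a finalizer because ownerReferences alone give no ordering), as an added example that is not code from the thread or from the operator. `Store`, `Tick`, `Cleanup`, `Run` and the binding name `db-binding` are hypothetical; an in-memory model stands in for the API server and the service-catalog controller.

```go
package main

import "fmt"

// Store is a constructed in-memory stand-in for the API server and catalog controller.
type Store struct {
	Bindings       []string // ServiceBindings that reference Instance
	Instance       string   // "" once deprovisioned
	unbind, deprov bool     // deletion requested but not yet completed
	Removed        []string // order in which objects actually went away
}

// DeleteInstance mirrors the catalog: refused while bindings still exist.
func (s *Store) DeleteInstance() error {
	if len(s.Bindings) > 0 {
		return fmt.Errorf("DeprovisionBlockedByExistingCredentials")
	}
	s.deprov = true
	return nil
}

func (s *Store) Tick() { // plays the catalog controller completing one requested deletion
	if s.unbind {
		s.Removed, s.Bindings, s.unbind = append(s.Removed, s.Bindings...), nil, false
	} else if s.deprov {
		s.Removed, s.Instance, s.deprov = append(s.Removed, s.Instance), "", false
	}
}

// Cleanup is one finalizer pass; done=true means the finalizer may be removed.
func Cleanup(s *Store) (done bool, err error) {
	if len(s.Bindings) > 0 {
		s.unbind = true // delete the bindings first, then requeue
		return false, nil
	}
	if s.Instance != "" {
		return false, s.DeleteInstance() // requeue until deprovisioned
	}
	return true, nil
}

func Run(s *Store) ([]string, error) { // reconcile until done; returns the removal order
	for ; ; s.Tick() {
		if done, err := Cleanup(s); done || err != nil {
			return s.Removed, err
		}
	}
}

func main() { fmt.Println(Run(&Store{Bindings: []string{"db-binding"}, Instance: "my-postgresql-db"})) }
```

In a real operator each `Cleanup` pass would be a reconcile of the custom resource while it carries a deletionTimestamp, and the operator's own finalizer would be removed only once `done` is true.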