[Ansible-service-broker] Best approach to delete serviceInstance created/owned by a CRD
Charles Moulliard
cmoullia at redhat.com
Tue Oct 23 13:16:41 UTC 2018
On Tue, Oct 23, 2018 at 2:19 PM Shawn Hurley <shurley at redhat.com> wrote:
> I think I would question using an operator to create serviceInstances and
> serviceBindings. I think doing it this way has one too many abstractions and
> is not going to play super nice.
>
> Also, I assume the problem is the broker you're using requires the secret to
> do some cleanup and/or unbind the user?
>
From what I have been able to investigate this morning, the serviceBindings
(which contain a reference to a ServiceInstance) must first be deleted
before deleting the ServiceInstance. When we delete the serviceBindings,
all the secrets referenced (= having an ownerReference to the
serviceBinding) will then be deleted.
As a consequence, I have implemented the same logic within the operator:
if a CRD is deleted, then we delete the serviceBindings linked to the
serviceInstance name defined within the CRD and finally the serviceInstance
[1].
[1] https://goo.gl/WtNJ8v
> In this case I would use owner references but I would use a finalizer to
> handle the clean up. This means deleting the binding then the instance then
> the secret in that order to make sure everything goes well.
>
To be able to use owner references, we need a way to define the
order; otherwise the resources will not necessarily be deleted according
to this order: serviceBindings > secrets > serviceInstance, but instead in
parallel: serviceInstance, serviceBindings, ...
>
> As for force deleting, I don’t think that any code should be doing that
> automatically. Force delete should be a user action. To do this you delete
> the finalizer kubernetes-incubator/service-catalog on the service binding
> and the service instance.
>
> Thanks,
>
> Shawn Hurley
>
> On Tue, Oct 23, 2018 at 3:23 AM Charles Moulliard <cmoullia at redhat.com>
> wrote:
>
>> Hi,
>>
>> We have developed a CRD responsible, with the help of an operator, to
>> create k8s resources such as serviceInstance, serviceBinding and secret.
>> When the serviceInstance, serviceBinding are created, we add
>> ownerReferences to allow the CRD to do the garbage collection of such
>> resources.
>>
>> Example
>>
>> oc get serviceinstance/my-postgresql-db -o yaml
>> apiVersion: servicecatalog.k8s.io/v1beta1
>> kind: ServiceInstance
>> metadata:
>>   creationTimestamp: 2018-10-22T16:23:16Z
>>   deletionGracePeriodSeconds: 0
>>   deletionTimestamp: 2018-10-23T07:11:42Z
>>   finalizers:
>>   - kubernetes-incubator/service-catalog
>>   generation: 2
>>   labels:
>>     app: my-spring-boot-service
>>     name: my-spring-boot-service
>>   name: my-postgresql-db
>>   namespace: my-spring-app
>>   ownerReferences:
>>   - apiVersion: component.k8s.io/v1alpha1
>>     blockOwnerDeletion: true
>>     controller: true
>>     kind: Component
>>     name: my-spring-boot-service
>>     uid: c7aee0ee-d616-11e8-9b27-08002710b4d8
>> ...
>>
>> Unfortunately, when we delete the CRD, the secret is deleted but not the
>> ServiceInstance & serviceBinding which are marked for deletion
>>
>> The status mentions such info for the serviceInstance
>>
>> - lastTransitionTime: 2018-10-23T07:00:04Z
>>   message: All associated ServiceBindings must be removed before this
>>     ServiceInstance can be deleted
>>   reason: DeprovisionBlockedByExistingCredentials
>>   status: "False"
>>   type: Ready
>>
>> and for the serviceBinding
>>
>> Warning UnbindCallFailed 3m (x63 over 18m)
>> service-catalog-controller-manager Error unbinding from ServiceInstance
>> "my-spring-app/my-postgresql-db" of ClusterServiceClass (K8S:
>> "1dda1477cace09730bd8ed7a6505607e" ExternalName: "dh-postgresql-apb") at
>> ClusterServiceBroker "openshift-automation-service-broker": Status: 403;
>> ErrorMessage: <nil>; Description: User does not have sufficient
>> permissions; ResponseError: <nil>
>>
>> okd version used : 3.11
>>
>> Question :
>> - Can we use "ownerReferences" to delete from a CRD the service's k8s
>> resources ?
>> - What is the alternative if we can use "ownerReferences" ?
>> - How can we force to delete such k8s resources ?
>>
>> Regards
>>
>> Charles
>
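
The deletion order discussed in this message (bindings first, then the instance, then release of a finalizer on the custom resource), as an added example that is not code from the thread or from the operator linked at [1]. It uses a constructed in-memory model in which deletes complete immediately; the Cluster and Component types, the step names and the finalizer name "component.example/cleanup" are assumptions.

```go
package main

import "fmt"

// Constructed in-memory model (not the Service Catalog API); Component and its finalizer are hypothetical.
type Binding struct{ Name, InstanceRef string }
type Cluster struct{ Bindings []Binding; Instances map[string]bool }
type Component struct{ Instance, Finalizer, DeletionTimestamp string }

// DeleteInstance mirrors the blocked deprovision quoted in the thread.
func (c *Cluster) DeleteInstance(name string) error {
	for _, b := range c.Bindings {
		if b.InstanceRef == name {
			return fmt.Errorf("DeprovisionBlockedByExistingCredentials: %s", b.Name)
		}
	}
	delete(c.Instances, name)
	return nil
}

// Reconcile runs one idempotent cleanup pass and names the step it took.
func Reconcile(c *Cluster, comp *Component) (string, error) {
	if comp.DeletionTimestamp == "" || comp.Finalizer == "" {
		return "", nil // not being deleted, or cleanup already released
	}
	var kept []Binding
	for _, b := range c.Bindings {
		if b.InstanceRef != comp.Instance {
			kept = append(kept, b)
		}
	}
	if len(kept) != len(c.Bindings) {
		c.Bindings = kept // unbind first; the instance waits for the next pass
		return "unbound", nil
	}
	if c.Instances[comp.Instance] {
		return "deprovisioned", c.DeleteInstance(comp.Instance)
	}
	comp.Finalizer = "" // release: the Component itself may now be removed
	return "released", nil
}

func main() {
	c := &Cluster{[]Binding{{"db-binding", "my-postgresql-db"}}, map[string]bool{"my-postgresql-db": true}}
	comp := &Component{"my-postgresql-db", "component.example/cleanup", "2018-10-23T07:11:42Z"}
	for step := "start"; step != "released"; step, _ = Reconcile(c, comp) {
		fmt.Println(step)
	}
}
```

In a real cluster each delete is asynchronous, so a pass would requeue until the binding object has actually disappeared before it attempts the instance.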