openshift/ansible-service-broker

Unable to load secret on ASB

abessifi opened this issue · 4 comments

I'm running AWS Service Broker on OpenShift 3.7 and trying, according to these instructions, to hide some sensitive parameters from Service Catalog users (aws_access_key, aws_secret_key, etc).

I've correctly created the secret within the same namespace where the broker is running (aws-service-broker in my case) and updated the broker-config configmap. After restart, the broker bootstrapped correctly, but when it gets requests from the Service Catalog it didn't hide the parameters from the Service Provisioning Wizard. In the broker logs I can see the following messages:

[2019-03-06T16:24:32.767Z] [INFO] - Request: "GET /aws-service-broker/v2/catalog HTTP/1.1\r\nHost: aws-asb.aws-service-broker.svc:1338\r\nAccept-Encoding: gzip\r\nUser-Agent: Go-http-client/1.1\r\nX-Broker-Api-Version: 2.13\r\n\r\n"
[2019-03-06T16:24:32.768Z] [INFO] - AnsibleBroker::Catalog
[2019-03-06T16:24:32.778Z] [WARNING] - Unable to load secret 'aws-access-secret' from namespace ''
10.129.4.1 - - [06/Mar/2019:16:24:32 +0000] "GET /aws-service-broker/v2/catalog HTTP/1.1" 200 392309

It seems like it didn't find the secret and I don't know why the namespace value in the log is empty.

Here is the secret definition:

---
apiVersion: v1
kind: Secret
metadata:
  name: aws-access-secret
stringData:
  aws_access_key: "XXXXXXXXXXX"
  aws_secret_key: "XXXXXXXXXX"
  aws_cloudformation_role_arn: "XXXXXXXX"

and the broker-config configmap:

registry:
  - type: "dockerhub"
    name: "dh"
    url: "https://registry.hub.docker.com"
    org: "awsservicebroker"
    tag: "latest"
    white_list:
      - ".*-apb$"
dao:
  etcd_host: aws-asb-etcd.aws-service-broker.svc
  etcd_port: 2379
  etcd_ca_file: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
  etcd_client_cert: /var/run/aws-asb-etcd-auth/client.crt
  etcd_client_key: /var/run/aws-asb-etcd-auth/client.key
log:
  logfile: /var/log/ansible-service-broker/asb.log
  stdout: true
  level: info
  color: true
openshift:
  host: ""
  ca_file: ""
  bearer_token_file: ""
  image_pull_policy: "IfNotPresent"
  sandbox_role: "edit"
  keep_namespace: false
  keep_namespace_on_error: true
secrets:
  - {apb_name: dh-s3, secret: aws-access-secret, title: aws-access-secret}
broker:
  dev_broker: true
  bootstrap_on_startup: true
  refresh_interval: "600s"
  launch_apb_on_bind: false
  output_request: true
  recovery: true
  ssl_cert_key: /etc/tls/private/tls.key
  ssl_cert: /etc/tls/private/tls.crt
  auto_escalate: false
  cluster_url: "aws-service-broker"
  auth:
    - type: basic
      enabled: false

The asbd version is: 1.1.15

Do you have an idea how to fix this, please?

Thanks for posting, I will investigate this issue.

Thanks @jmrodri.
I can give any further details if required.

@abessifi I think you need to add the namespace to the openshift section of the broker configmap. So determine the namespace of the broker and the secret, they should be the same. Then update the broker configmap and in the openshift section:

openshift:
  host: ""
  ca_file: ""
  bearer_token_file: ""
  image_pull_policy: "IfNotPresent"
  sandbox_role: "edit"
  keep_namespace: false
  keep_namespace_on_error: true
  namespace: PUTNAMESPACEOFBROKERHERE

Then restart the broker so it can re-read the config. Based on what I've seen in the code I think that will fix it. The error "Unable to load secret 'aws-access-secret' from namespace ''" occurs because the namespace being passed to the function is read from the openshift section of the config.
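A preflight check for the misconfiguration diagnosed in this thread, added here as an example; it is not code from the issue or from the ansible-service-broker project. It takes the broker-config as a mapping and reports when a `secrets` section references Kubernetes secrets while `openshift.namespace` is empty, which is the state that produced the "Unable to load secret ... from namespace ''" warning and left the AWS credentials visible in the provisioning wizard. The field names (`secrets`, `apb_name`, `secret`, `title`, `openshift.namespace`, `registry[].name`) are taken from the configmap posted above; the `<registry name>-<apb>` naming check for `apb_name` is this example's own assumption based on `dh-s3` and the registry named `dh`, and the two sample configs are constructed for the example.

```python
"""Preflight validation of an Ansible Service Broker broker-config (added example)."""
from typing import Any, Dict, List

REQUIRED_SECRET_KEYS = ("apb_name", "secret", "title")


def check_broker_config(config: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means the config passes."""
    findings: List[str] = []
    secrets = config.get("secrets") or []
    openshift = config.get("openshift") or {}
    namespace = str(openshift.get("namespace") or "").strip()

    # The failure mode from the thread: secrets configured, namespace empty.
    if secrets and not namespace:
        findings.append(
            "secrets are configured but openshift.namespace is empty: the broker "
            "will log \"Unable to load secret ... from namespace ''\" and the "
            "parameters will stay visible in the provisioning wizard"
        )

    # Registry names, used for the (assumed) '<registry>-<apb>' naming check.
    registry_names = {
        r["name"] for r in config.get("registry") or []
        if isinstance(r, dict) and r.get("name")
    }

    seen = set()
    for i, entry in enumerate(secrets):
        if not isinstance(entry, dict):
            findings.append(f"secrets[{i}] is not a mapping")
            continue
        missing = [k for k in REQUIRED_SECRET_KEYS if not entry.get(k)]
        if missing:
            findings.append(f"secrets[{i}] is missing {', '.join(missing)}")
        key = (entry.get("apb_name"), entry.get("secret"))
        if key in seen:
            findings.append(f"secrets[{i}] duplicates an earlier entry for {key}")
        seen.add(key)
        # Assumption for this example: apb_name is '<registry name>-<apb>'.
        apb_name = str(entry.get("apb_name") or "")
        if apb_name and registry_names and apb_name.split("-", 1)[0] not in registry_names:
            findings.append(
                f"secrets[{i}] apb_name '{apb_name}' does not start with a configured "
                f"registry name ({sorted(registry_names)})"
            )
    return findings


def load_config(text: str) -> Dict[str, Any]:
    """Parse a broker-config YAML document (needs PyYAML: pip install pyyaml)."""
    import yaml  # imported lazily so the dict-based checks work without it
    return yaml.safe_load(text) or {}


# Constructed sample configs mirroring the thread: the same values before and
# after adding openshift.namespace.
_COMMON = {
    "registry": [{"type": "dockerhub", "name": "dh", "org": "awsservicebroker"}],
    "secrets": [{"apb_name": "dh-s3", "secret": "aws-access-secret",
                 "title": "aws-access-secret"}],
}
BROKEN_CONFIG = dict(_COMMON, openshift={"host": "", "sandbox_role": "edit"})
FIXED_CONFIG = dict(_COMMON, openshift={"host": "", "sandbox_role": "edit",
                                        "namespace": "aws-service-broker"})

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            configs = {sys.argv[1]: load_config(fh.read())}
    else:
        configs = {"broken": BROKEN_CONFIG, "fixed": FIXED_CONFIG}
    for label, cfg in configs.items():
        problems = check_broker_config(cfg)
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print(f"  - {p}")
```

Run it with no arguments to see the constructed before/after pair, or pass the path of an exported broker-config YAML (oc get configmap broker-config -o yaml will wrap it in a data key, so extract the document first). Because the broker only warns and then serves the catalog with the parameters exposed, a check like this is worth running before the broker is restarted rather than after the wizard has already shown the keys.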

Thanks @jmrodri

Now it works correctly!

[2019-03-06T22:36:21.319Z] [INFO] - Request: "GET /aws-service-broker/v2/catalog HTTP/1.1\r\nHost: aws-asb.aws-service-broker.svc:1338\r\nAccept-Encoding: gzip\r\nUser-Agent: Go-http-client/1.1\r\nX-Broker-Api-Version: 2.13\r\n\r\n"
[2019-03-06T22:36:21.319Z] [INFO] - AnsibleBroker::Catalog
10.129.4.1 - - [06/Mar/2019:22:36:21 +0000] "GET /aws-service-broker/v2/catalog HTTP/1.1" 200 390087

I just opened an issue to update the OCP official documentation according to your fix.