---
# OpenShift Template that deploys the Ansible Service Broker (asb) with its
# etcd backend, the RBAC it needs, its configuration, and the registration
# of the broker with the service catalog.
apiVersion: v1
kind: Template
metadata:
  name: ansible-service-broker
# Each object below is instantiated by `oc process`; "${PARAM}" references
# are filled from the `parameters` list at the end of this file.
objects:
# Service in front of the broker pod. The annotation asks the OpenShift
# service CA to issue a serving certificate into the `asb-tls` Secret, which
# the broker pod mounts at /etc/tls/private.
- apiVersion: v1
  kind: Service
  metadata:
    name: asb
    labels:
      app: ansible-service-broker
      service: asb
    annotations:
      service.alpha.openshift.io/serving-cert-secret-name: asb-tls
  spec:
    ports:
    - name: port-1338
      port: 1338
      targetPort: 1338
      protocol: TCP
    selector:
      app: ansible-service-broker
      service: asb
# Service for the broker's etcd. Its serving certificate is issued into the
# `etcd-tls` Secret and mounted by the etcd pod at /etc/tls/private.
- apiVersion: v1
  kind: Service
  metadata:
    name: asb-etcd
    labels:
      app: etcd
      service: asb-etcd
    annotations:
      service.alpha.openshift.io/serving-cert-secret-name: etcd-tls
  spec:
    ports:
    - name: port-2379
      port: 2379
      targetPort: 2379
      protocol: TCP
    selector:
      app: etcd
      service: asb-etcd
# Service account the broker and etcd pods run as.
- apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: asb
    namespace: ansible-service-broker
# Binds the broker's service account to the built-in `admin` ClusterRole via
# a *Cluster*RoleBinding, i.e. admin rights in every namespace. This is the
# broadest grant in the template; keep it under review and scope it down
# where the target environment allows.
- apiVersion: rbac.authorization.k8s.io/v1beta1
  kind: ClusterRoleBinding
  metadata:
    name: asb
  roleRef:
    kind: ClusterRole
    name: admin
    apiGroup: rbac.authorization.k8s.io
  subjects:
  - kind: ServiceAccount
    name: asb
    namespace: ansible-service-broker
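# Permissions the broker needs beyond `admin`: creating/deleting namespaces
# (presumably the APB sandboxes, cf. the SANDBOX_ROLE / KEEP_NAMESPACE
# parameters), delegating auth decisions to the API server, and reading
# image and network state.
# `attributeRestrictions` is an authorization.openshift.io field and not part
# of an rbac.authorization.k8s.io PolicyRule, so it is not carried here.
- apiVersion: rbac.authorization.k8s.io/v1beta1
  kind: ClusterRole
  metadata:
    name: asb-auth
  rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["create", "delete"]
  - apiGroups: ["authorization.openshift.io"]
    resources: ["subjectrulesreview"]
    verbs: ["create"]
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]
  - apiGroups: ["authentication.k8s.io"]
    resources: ["tokenreviews"]
    verbs: ["create"]
  - apiGroups: ["image.openshift.io", ""]
    resources: ["images"]
    verbs: ["get", "list"]
  - apiGroups: ["network.openshift.io", ""]
    resources: ["clusternetworks", "netnamespaces"]
    verbs: ["get"]
  - apiGroups: ["network.openshift.io", ""]
    resources: ["netnamespaces"]
    verbs: ["update"]
  - apiGroups: ["networking.k8s.io", ""]
    resources: ["networkpolicies"]
    verbs: ["create", "delete"]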
# Attaches the `asb-auth` ClusterRole above to the broker's service account.
- apiVersion: rbac.authorization.k8s.io/v1beta1
  kind: ClusterRoleBinding
  metadata:
    name: asb-auth-bind
  roleRef:
    kind: ClusterRole
    name: asb-auth
    apiGroup: rbac.authorization.k8s.io
  subjects:
  - kind: ServiceAccount
    name: asb
    namespace: ansible-service-broker
# Non-resource URL role for callers of the broker's HTTP API under
# BROKER_URL_PREFIX. It is bound to the `ansibleservicebroker-client` service
# account, whose token the service catalog presents (see BROKER_AUTH).
- apiVersion: rbac.authorization.k8s.io/v1beta1
  kind: ClusterRole
  metadata:
    name: access-asb-role
  rules:
  - nonResourceURLs: ["${BROKER_URL_PREFIX}", "${BROKER_URL_PREFIX}/*"]
    verbs: ["get", "post", "put", "patch", "delete"]
# Persistent storage for the etcd data directory (mounted at /data).
- apiVersion: v1
  kind: PersistentVolumeClaim
  metadata:
    name: etcd
    namespace: ansible-service-broker
  spec:
    accessModes:
    - ReadWriteOnce
    resources:
      requests:
        storage: 1Gi
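# Broker deployment. The container reads its config from the `broker-config`
# ConfigMap, its serving cert/key from `asb-tls`, basic-auth credentials from
# `asb-auth-secret`, and an etcd client cert/key from
# `broker-etcd-auth-secret`.
- apiVersion: v1
  kind: DeploymentConfig
  metadata:
    name: asb
    labels:
      app: ansible-service-broker
      service: asb
  spec:
    replicas: 1
    selector:
      app: ansible-service-broker
    strategy:
      type: Rolling
    template:
      metadata:
        labels:
          app: ansible-service-broker
          service: asb
      spec:
        # `serviceAccount` is the deprecated alias of `serviceAccountName`.
        serviceAccountName: asb
        containers:
        - image: "${BROKER_IMAGE}"
          name: asb
          imagePullPolicy: IfNotPresent
          volumeMounts:
          - name: config-volume
            mountPath: /etc/ansible-service-broker
          - name: asb-tls
            mountPath: /etc/tls/private
          - name: asb-auth-volume
            mountPath: /var/run/asb-auth
          - name: asb-etcd-auth
            mountPath: /var/run/asb-etcd-auth
          ports:
          - containerPort: 1338
            protocol: TCP
          env:
          - name: BROKER_CONFIG
            value: "${BROKER_CONFIG}"
          # No CPU/memory requests or limits are set.
          resources: {}
          terminationMessagePath: /tmp/termination-log
          # Both probes hit the TLS health endpoint served with the asb-tls cert.
          readinessProbe:
            httpGet:
              path: /healthz
              port: 1338
              scheme: HTTPS
            initialDelaySeconds: 15
            timeoutSeconds: 1
          livenessProbe:
            httpGet:
              path: /healthz
              port: 1338
              scheme: HTTPS
            initialDelaySeconds: 15
            timeoutSeconds: 1
        volumes:
        - name: config-volume
          configMap:
            name: broker-config
            items:
            - key: broker-config
              path: config.yaml
        - name: asb-tls
          secret:
            secretName: asb-tls
        - name: asb-auth-volume
          secret:
            secretName: asb-auth-secret
        - name: asb-etcd-auth
          secret:
            secretName: broker-etcd-auth-secret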
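# etcd deployment backing the broker's DAO. Client connections are TLS with
# mandatory client certificates (`--client-cert-auth`) verified against
# ETCD_TRUSTED_CA_FILE, which defaults to the cluster service CA; the broker
# presents its own `asb-tls` serving certificate as the client cert (see
# BROKER_CLIENT_CERT_PATH in the broker config).
- apiVersion: v1
  kind: DeploymentConfig
  metadata:
    name: asb-etcd
    labels:
      app: etcd
      service: asb-etcd
  spec:
    replicas: 1
    selector:
      app: etcd
    strategy:
      type: Rolling
    template:
      metadata:
        labels:
          app: etcd
          service: asb-etcd
      spec:
        # `serviceAccount` is the deprecated alias of `serviceAccountName`.
        serviceAccountName: asb
        containers:
        # ETCD_IMAGE defaults to a `:latest` tag; with IfNotPresent a node keeps
        # serving whatever it cached, so pin a version/digest for real use.
        - image: "${ETCD_IMAGE}"
          name: etcd
          volumeMounts:
          - name: etcd
            mountPath: /data
          - name: etcd-tls
            mountPath: /etc/tls/private
          - name: etcd-auth
            mountPath: /var/run/etcd-auth-secret
          imagePullPolicy: IfNotPresent
          terminationMessagePath: /tmp/termination-log
          workingDir: /etcd
          args:
          - "${ETCD_PATH}"
          - --data-dir=/data
          - --listen-client-urls=https://0.0.0.0:2379
          # 0.0.0.0 is not a usable client address; the broker reaches etcd
          # through the `asb-etcd` Service name instead (dao.etcd_host).
          - --advertise-client-urls=https://0.0.0.0:2379
          - --client-cert-auth
          - "--trusted-ca-file=${ETCD_TRUSTED_CA_FILE}"
          - "--cert-file=${ETCD_CERT_FILE}"
          - "--key-file=${ETCD_KEY_FILE}"
          ports:
          - containerPort: 2379
            protocol: TCP
          env:
          - name: ETCDCTL_API
            value: "3"
        volumes:
        - name: etcd
          persistentVolumeClaim:
            claimName: etcd
        - name: etcd-tls
          secret:
            secretName: etcd-tls
        - name: etcd-auth
          secret:
            secretName: etcd-auth-secret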
# Basic-auth credentials for the broker, mounted at /var/run/asb-auth. `data`
# values must already be base64 encoded; the BROKER_USER / BROKER_PASS
# defaults decode to admin/admin, so override them whenever
# ENABLE_BASIC_AUTH is turned on.
- apiVersion: v1
  kind: Secret
  metadata:
    name: asb-auth-secret
    namespace: ansible-service-broker
  data:
    username: "${BROKER_USER}"
    password: "${BROKER_PASS}"
# Registry credentials (base64 encoded). Both values default to empty.
- apiVersion: v1
  kind: Secret
  metadata:
    name: "${REGISTRY_SECRET_NAME}"
    namespace: ansible-service-broker
  data:
    username: "${DOCKERHUB_USER}"
    password: "${DOCKERHUB_PASS}"
# CA bundle mounted into the etcd pod at /var/run/etcd-auth-secret. Note the
# etcd args point `--trusted-ca-file` at ETCD_TRUSTED_CA_FILE instead, so the
# default placeholder value of ETCD_TRUSTED_CA (base64 "admin") is not a
# usable certificate and nothing in this template reads it.
- apiVersion: v1
  kind: Secret
  metadata:
    name: etcd-auth-secret
    namespace: ansible-service-broker
  data:
    ca.crt: "${ETCD_TRUSTED_CA}"
# Client cert/key for the broker, mounted at /var/run/asb-etcd-auth. The
# broker config points at BROKER_CLIENT_CERT_PATH / BROKER_CLIENT_KEY_PATH
# (the asb-tls serving cert by default) rather than this mount, and the
# parameter defaults are base64 "admin" placeholders, not real PEM.
- apiVersion: v1
  kind: Secret
  metadata:
    name: broker-etcd-auth-secret
    namespace: ansible-service-broker
  data:
    client.crt: "${BROKER_CLIENT_CERT}"
    client.key: "${BROKER_CLIENT_KEY}"
# Broker configuration, mounted at /etc/ansible-service-broker/config.yaml
# (BROKER_CONFIG). After substitution the broker parses this text itself, so
# parameters that render as booleans (KEEP_NAMESPACE, DEV_BROKER, ...) are
# deliberately left unquoted. Two things to be aware of:
# - the dockerhub registry pins `tag: "latest"` rather than using TAG;
# - `log.level: debug` plus OUTPUT_REQUEST (default "true") logs every
#   broker request verbosely; lower both outside development.
- apiVersion: v1
  kind: ConfigMap
  metadata:
    name: broker-config
    namespace: ansible-service-broker
    labels:
      app: ansible-service-broker
  data:
    broker-config: |
      registry:
        - type: "${REGISTRY_TYPE}"
          name: "${REGISTRY_NAME}"
          url: "${REGISTRY_URL}"
          org: "${DOCKERHUB_ORG}"
          tag: "latest"
          white_list:
            - ".*-apb$"
        - type: local_openshift
          name: localregistry
          namespaces: ['openshift']
          white_list:
            - ".*-apb$"
      dao:
        etcd_host: asb-etcd.${NAMESPACE}.svc
        etcd_port: 2379
        etcd_ca_file: ${BROKER_ETCD_TRUSTED_CA}
        etcd_client_cert: ${BROKER_CLIENT_CERT_PATH}
        etcd_client_key: ${BROKER_CLIENT_KEY_PATH}
      log:
        logfile: /var/log/ansible-service-broker/asb.log
        stdout: true
        level: debug
        color: true
      openshift:
        host: "${CLUSTER_AUTH_HOST}"
        ca_file: "${CA_FILE}"
        bearer_token_file: "${BEARER_TOKEN_FILE}"
        image_pull_policy: "${IMAGE_PULL_POLICY}"
        sandbox_role: "${SANDBOX_ROLE}"
        namespace: ansible-service-broker
        keep_namespace: ${KEEP_NAMESPACE}
        keep_namespace_on_error: ${KEEP_NAMESPACE_ON_ERROR}
      broker:
        dev_broker: ${DEV_BROKER}
        bootstrap_on_startup: ${BOOTSTRAP_ON_STARTUP}
        refresh_interval: "${REFRESH_INTERVAL}"
        launch_apb_on_bind: ${LAUNCH_APB_ON_BIND}
        output_request: ${OUTPUT_REQUEST}
        recovery: ${RECOVERY}
        ssl_cert_key: /etc/tls/private/tls.key
        ssl_cert: /etc/tls/private/tls.crt
        auto_escalate: ${AUTO_ESCALATE}
        auth:
          - type: basic
            enabled: ${ENABLE_BASIC_AUTH}
# Service account whose token the service catalog uses to call the broker.
- apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: ansibleservicebroker-client
    namespace: ansible-service-broker
# Lets the client service account reach the broker API paths covered by
# `access-asb-role`.
- apiVersion: rbac.authorization.k8s.io/v1beta1
  kind: ClusterRoleBinding
  metadata:
    name: ansibleservicebroker-client
  roleRef:
    kind: ClusterRole
    name: access-asb-role
    apiGroup: rbac.authorization.k8s.io
  subjects:
  - kind: ServiceAccount
    name: ansibleservicebroker-client
    namespace: ansible-service-broker
# Long-lived token Secret for the client service account; BROKER_AUTH refers
# to it by name. Unlike the other Secrets it carries no `namespace`, so it
# lands in whatever project the template is processed into.
- apiVersion: v1
  kind: Secret
  type: kubernetes.io/service-account-token
  metadata:
    name: ansibleservicebroker-client
    annotations:
      kubernetes.io/service-account.name: ansibleservicebroker-client
# External route to the broker; the router re-encrypts to the service's TLS
# port. No `host` is set, so the router's default hostname applies.
- apiVersion: v1
  kind: Route
  metadata:
    name: asb-1338
    labels:
      app: ansible-service-broker
      service: asb
  spec:
    to:
      kind: Service
      name: asb
    port:
      targetPort: port-1338
    tls:
      termination: reencrypt
# Registers the broker with the service catalog. `${{BROKER_AUTH}}` (double
# braces) substitutes the parameter as structured JSON, not as a string.
# The URL hard-codes the `ansible-service-broker` namespace while the broker
# config derives etcd_host from NAMESPACE; they only agree at the defaults.
- apiVersion: "${SVC_CAT_API_VER}"
  kind: "${BROKER_KIND}"
  metadata:
    name: ansible-service-broker
  spec:
    url: "https://asb.ansible-service-broker.svc:1338${BROKER_URL_PREFIX}/"
    authInfo:
      ${{BROKER_AUTH}}
    caBundle: "${BROKER_CA_CERT}"
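# Template parameters. The Template API field is `displayName`; the original
# spelled it `displayname`, which is corrected throughout.
parameters:
- description: Service Catalog API Version. Newer service-catalogs use servicecatalog.k8s.io/v1beta1
  displayName: Service Catalog API Version. Newer service-catalogs use servicecatalog.k8s.io/v1beta1
  name: SVC_CAT_API_VER
  value: servicecatalog.k8s.io/v1beta1
- description: Service Broker kind. Newer service-catalogs use ClusterServiceBroker
  displayName: Service Broker kind. Newer service-catalogs use ClusterServiceBroker
  name: BROKER_KIND
  value: ClusterServiceBroker
# Display name was a copy/paste of BROKER_KIND's; now matches the description.
- description: Service Broker CA Cert.
  displayName: Service Broker CA Cert.
  name: BROKER_CA_CERT
  value: ""
- description: Service Broker url prefix for the cluster
  displayName: ASB Url Prefix
  name: BROKER_URL_PREFIX
  value: "/ansible-service-broker"
# Injected as JSON into the broker registration; it names the token Secret
# of the `ansibleservicebroker-client` service account.
- description: Broker Auth Info
  displayName: Broker Auth Info
  name: BROKER_AUTH
  value: '{ "bearer": { "secretRef": { "kind": "Secret", "namespace": "ansible-service-broker", "name": "ansibleservicebroker-client" } } }'
# Not referenced by any object in this template.
- description: Suffix for OpenShift routes
  displayName: Suffix for OpenShift routes
  name: ROUTING_SUFFIX
  value: "172.17.0.1.nip.io"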
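# Images and in-container paths. Both image defaults are mutable tags
# (`release-1.1`, `latest`); pin a digest for reproducible deployments.
- description: Container Image to use for Ansible Service Broker in format of imagename:tag
  displayName: Ansible Service Broker Image
  name: BROKER_IMAGE
  value: ansibleplaybookbundle/origin-ansible-service-broker:release-1.1
- description: Container Image to use for etcd in format of imagename:tag
  displayName: etcd Image
  name: ETCD_IMAGE
  value: quay.io/coreos/etcd:latest
- description: Path of the etcd binary
  displayName: etcd path
  name: ETCD_PATH
  value: /usr/local/bin/etcd
# The service CA signs both the etcd and broker serving certs, so it doubles
# as the CA etcd trusts for client certificates.
- description: Path of the etcd trusted ca file
  displayName: etcd trusted ca file path
  name: ETCD_TRUSTED_CA_FILE
  value: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
- description: Path of the etcd server cert file
  displayName: etcd server cert path
  name: ETCD_CERT_FILE
  value: /etc/tls/private/tls.crt
- description: Path of the etcd server cert key file
  displayName: etcd server key path
  name: ETCD_KEY_FILE
  value: /etc/tls/private/tls.key
# In the broker pod /etc/tls/private is the `asb-tls` serving cert, which
# therefore also serves as the etcd client certificate.
- description: Path of the broker client cert file for etcd
  displayName: etcd client cert path
  name: BROKER_CLIENT_CERT_PATH
  value: /etc/tls/private/tls.crt
- description: Path of the broker client cert key file for etcd
  displayName: etcd client cert key path
  name: BROKER_CLIENT_KEY_PATH
  value: /etc/tls/private/tls.key
- description: Path of the etcd trusted ca file
  displayName: etcd trusted ca file path
  name: BROKER_ETCD_TRUSTED_CA
  value: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt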
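# Certificate *values* (base64) for the etcd-auth-secret and
# broker-etcd-auth-secret Secrets. The "YWRtaW4=" defaults decode to the
# string "admin" and are placeholders, not PEM; the broker config and etcd
# args use the *_PATH / *_FILE parameters above instead of these mounts.
- description: Value of the etcd server ca file
  displayName: etcd trusted ca
  name: ETCD_TRUSTED_CA
  value: "YWRtaW4="
- description: Value of the broker client cert for etcd
  displayName: broker client cert
  name: BROKER_CLIENT_CERT
  value: "YWRtaW4="
- description: Value of the broker client cert key for etcd
  displayName: broker client cert key
  name: BROKER_CLIENT_KEY
  value: "YWRtaW4="
# Display name was a copy/paste of BROKER_CLIENT_KEY's. Only dao.etcd_host
# in the broker config uses this; the objects hard-code the namespace.
- description: Namespace of the project that is being deployed
  displayName: Namespace
  name: NAMESPACE
  value: "ansible-service-broker"
- description: Configuration filepath for Ansible Service Broker
  displayName: Ansible Service Broker Configuration File
  name: BROKER_CONFIG
  value: /etc/ansible-service-broker/config.yaml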
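# Registry settings consumed by the `registry` section of broker-config.
- description: Dockerhub organization
  displayName: Dockerhub organization
  name: DOCKERHUB_ORG
  value: ansibleplaybookbundle
# TAG, OPENSHIFT_PASS, OPENSHIFT_USER, OPENSHIFT_TARGET and
# REGISTRY_AUTH_TYPE are not referenced by any object in this template
# (the registry entry pins `tag: "latest"`); they are presumably read by
# tooling that processes the template. The admin/admin defaults should not
# be relied on anywhere.
- description: APB Image Tag
  displayName: APB Image Tag
  name: TAG
  value: release-1.1
- description: OpenShift User Password
  displayName: OpenShift User Password
  name: OPENSHIFT_PASS
  value: admin
- description: OpenShift User Name
  displayName: OpenShift User Name
  name: OPENSHIFT_USER
  value: admin
- description: OpenShift Target URL
  displayName: OpenShift Target URL
  name: OPENSHIFT_TARGET
  value: kubernetes.default
- description: Registry Type
  displayName: Registry Type
  name: REGISTRY_TYPE
  value: dockerhub
- description: Registry Secret Name
  displayName: Registry Secret Name
  name: REGISTRY_SECRET_NAME
  value: registry-auth-secret
- description: Registry Auth Type
  displayName: Registry Auth Type
  name: REGISTRY_AUTH_TYPE
  value: secret
# Intentionally shortening the registry name to lessen impact of
# PodPreset name has a requirement of being less than 63 chars
# https://github.com/kubernetes-incubator/service-catalog/issues/1047
# https://github.com/openshift/ansible-service-broker/issues/283
- description: Registry Name
  displayName: Registry Name
  name: REGISTRY_NAME
  value: dh
- description: Registry URL
  displayName: Registry URL
  name: REGISTRY_URL
  value: https://registry.hub.docker.com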
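# Broker behaviour switches; they are substituted as bare booleans into the
# `broker` section of broker-config.
# The development endpoint is enabled by default; set DEV_BROKER to "false"
# outside development environments.
- description: Include Broker Development Endpoint
  displayName: Include Broker Development Endpoint
  name: DEV_BROKER
  value: "true"
- description: Launch APB on bind
  displayName: Launch APB on bind
  name: LAUNCH_APB_ON_BIND
  value: "false"
- description: Will automatically bootstrap the broker on startup
  displayName: Bootstrap On Startup
  name: BOOTSTRAP_ON_STARTUP
  value: "true"
- description: Refresh the available broker images every interval of seconds
  displayName: Refresh Interval
  name: REFRESH_INTERVAL
  value: "600s"
# Logs every broker request; combined with `log.level: debug` this is noisy
# and may expose request details in the log.
- description: Output broker requests to log
  displayName: Output broker requests to log
  name: OUTPUT_REQUEST
  value: "true"
- description: Recover unfinished jobs on restart
  displayName: Recovery
  name: RECOVERY
  value: "true"
# When "true" the broker stops impersonating the requesting user and acts
# with its own (cluster-admin-level) permissions; keep it "false".
- description: Auto escalate the broker. Will remove user impersonation
  displayName: Auto Escalate
  name: AUTO_ESCALATE
  value: "false"
- description: APB ImagePullPolicy
  displayName: APB ImagePullPolicy
  name: IMAGE_PULL_POLICY
  value: "IfNotPresent"
- description: Will enable basic authentication
  displayName: Enable basic authentication
  name: ENABLE_BASIC_AUTH
  value: "false"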
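############################################################
# NOTE: These values MUST be base64 encoded.
# http://red.ht/2wbrCYo states "The value associated with
# keys in the data map must be base64 encoded."
############################################################
# BROKER_USER / BROKER_PASS default to base64("admin") for both fields.
# They are only checked when ENABLE_BASIC_AUTH is "true", but override them
# with real credentials whenever that is the case.
- description: Broker user password
  displayName: Broker user password
  name: BROKER_PASS
  value: YWRtaW4=
- description: Broker user name
  displayName: Broker user name
  name: BROKER_USER
  value: YWRtaW4=
- description: Dockerhub user password
  displayName: Dockerhub user password
  name: DOCKERHUB_PASS
  value: ""
- description: Dockerhub user name
  displayName: Dockerhub user name
  name: DOCKERHUB_USER
  value: ""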
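############################################################
# NOTE: Default behavior for these are going to use the kubernetes
# InClusterConfig. These are typically overridden for running
# the broker outside of a cluster. Under normal circumstances,
# you probably want to leave these blank.
############################################################
- description: Service Account CAFile Path
  displayName: Service Account CAFile Path
  name: CA_FILE
  value: ""
- description: Service Account Bearer Token File
  displayName: Service Account Bearer Token File
  name: BEARER_TOKEN_FILE
  value: ""
- description: Cluster Authentication Host
  displayName: Cluster Authentication Host
  name: CLUSTER_AUTH_HOST
  value: ""
# Role granted inside each APB sandbox namespace (openshift.sandbox_role).
- description: Role to use for APB Sandboxes
  displayName: Role to use for APB Sandboxes
  name: SANDBOX_ROLE
  value: "edit"
- description: Always keep the namespace after an APB is executed.
  displayName: Always keep the namespace after an APB is executed.
  name: KEEP_NAMESPACE
  value: "false"
- description: Always keep the namespace after an APB is executed and has errored.
  displayName: Always keep the namespace after an APB is executed and has errored.
  name: KEEP_NAMESPACE_ON_ERROR
  value: "true"
############################################################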