---
# OpenShift Template deploying the Ansible Service Broker (ASB): the broker
# and its etcd store (Services, DeploymentConfigs, PVC), the RBAC objects the
# two service accounts need, TLS/auth Secrets, the broker ConfigMap, a Route,
# and the service-catalog registration object. All ${...} placeholders are
# filled from the "parameters" list at the end of the file.
apiVersion: v1
kind: Template
metadata:
  name: ansible-service-broker
objects:
# Service in front of the broker's HTTPS port. The annotation asks OpenShift's
# service-serving-cert controller to generate a key pair into the secret
# "asb-tls", which the asb DeploymentConfig mounts at /etc/tls/private.
- apiVersion: v1
  kind: Service
  metadata:
    name: asb
    labels:
      app: ansible-service-broker
      service: asb
    annotations:
      service.alpha.openshift.io/serving-cert-secret-name: asb-tls
  spec:
    selector:
      app: ansible-service-broker
      service: asb
    ports:
    - name: port-1338
      protocol: TCP
      port: 1338
      targetPort: 1338
# Service for the broker's etcd. As with asb, the annotation produces a
# serving cert in the secret "etcd-tls", mounted by the etcd pod at
# /etc/tls/private and used as etcd's server cert/key.
- apiVersion: v1
  kind: Service
  metadata:
    name: asb-etcd
    labels:
      app: etcd
      service: asb-etcd
    annotations:
      service.alpha.openshift.io/serving-cert-secret-name: etcd-tls
  spec:
    selector:
      app: etcd
      service: asb-etcd
    ports:
    - name: port-2379
      protocol: TCP
      port: 2379
      targetPort: 2379
# Service account the broker pod runs under (the etcd pod below reuses it).
# The namespace is hard-coded here rather than taken from ${NAMESPACE}.
- apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: asb
    namespace: ansible-service-broker
# Binds the broker service account to the built-in "admin" ClusterRole
# across the whole cluster. NOTE(review): this is far broader than the
# asb-auth ClusterRole defined next; once the namespaces the broker
# provisions into are known, prefer namespaced RoleBindings so a compromised
# broker pod cannot administer unrelated projects.
- apiVersion: rbac.authorization.k8s.io/v1beta1
  kind: ClusterRoleBinding
  metadata:
    name: asb
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: admin
  subjects:
  - kind: ServiceAccount
    name: asb
    namespace: ansible-service-broker
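# Permissions the broker needs in its own right: create/delete namespaces
# (the KEEP_NAMESPACE / SANDBOX_ROLE parameters refer to these as APB
# sandboxes), run authn/authz reviews for incoming callers, and read image
# metadata. The original carried "attributeRestrictions: null" on the images
# rule; that field belongs to OpenShift's legacy authorization.openshift.io
# PolicyRule, not to rbac.authorization.k8s.io, and is dropped here.
- apiVersion: rbac.authorization.k8s.io/v1beta1
  kind: ClusterRole
  metadata:
    name: asb-auth
  rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["create", "delete"]
  - apiGroups: ["authorization.openshift.io"]
    resources: ["subjectrulesreview"]
    verbs: ["create"]
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]
  - apiGroups: ["authentication.k8s.io"]
    resources: ["tokenreviews"]
    verbs: ["create"]
  - apiGroups: ["image.openshift.io", ""]
    resources: ["images"]
    verbs: ["get", "list"]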
# Grants the asb-auth ClusterRole to the broker service account.
- apiVersion: rbac.authorization.k8s.io/v1beta1
  kind: ClusterRoleBinding
  metadata:
    name: asb-auth-bind
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: asb-auth
  subjects:
  - kind: ServiceAccount
    name: asb
    namespace: ansible-service-broker
# Access to the broker's own HTTP endpoints, expressed as non-resource URLs
# under BROKER_URL_PREFIX; verbs on nonResourceURLs are lowercase HTTP
# methods. Bound further down to the ansibleservicebroker-client account
# whose token the BROKER_AUTH parameter hands to the service catalog.
- apiVersion: rbac.authorization.k8s.io/v1beta1
  kind: ClusterRole
  metadata:
    name: access-asb-role
  rules:
  - nonResourceURLs: ["${BROKER_URL_PREFIX}", "${BROKER_URL_PREFIX}/*"]
    verbs: ["get", "post", "put", "patch", "delete"]
# Persistent storage for etcd's data directory (/data in the etcd pod).
- apiVersion: v1
  kind: PersistentVolumeClaim
  metadata:
    name: etcd
    namespace: ansible-service-broker
  spec:
    accessModes:
    - ReadWriteOnce
    resources:
      requests:
        storage: 1Gi
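# Broker deployment. The container gets its config from the broker-config
# ConfigMap, its serving cert from asb-tls, basic-auth credentials from
# asb-auth-secret and an etcd client cert/key from broker-etcd-auth-secret.
# NOTE(review): BROKER_IMAGE defaults to a mutable ":latest" tag combined
# with imagePullPolicy IfNotPresent, so the code that actually runs depends on
# what each node has cached; pin an image digest for reproducible, auditable
# deployments.
- apiVersion: v1
  kind: DeploymentConfig
  metadata:
    name: asb
    labels:
      app: ansible-service-broker
      service: asb
  spec:
    replicas: 1
    selector:
      app: ansible-service-broker
    strategy:
      type: Rolling
    template:
      metadata:
        labels:
          app: ansible-service-broker
          service: asb
      spec:
        # serviceAccountName is the current PodSpec field; the original used
        # its deprecated alias "serviceAccount".
        serviceAccountName: asb
        containers:
        - name: asb
          image: ${BROKER_IMAGE}
          imagePullPolicy: IfNotPresent
          ports:
          - containerPort: 1338
            protocol: TCP
          env:
          - name: BROKER_CONFIG
            value: ${BROKER_CONFIG}
          volumeMounts:
          - name: config-volume
            mountPath: /etc/ansible-service-broker
          - name: asb-tls
            mountPath: /etc/tls/private
          - name: asb-auth-volume
            mountPath: /var/run/asb-auth
          - name: asb-etcd-auth
            mountPath: /var/run/asb-etcd-auth
          # No CPU/memory requests or limits are declared.
          resources: {}
          terminationMessagePath: /tmp/termination-log
          # Both probes call the TLS health endpoint on the broker port.
          readinessProbe:
            httpGet:
              path: /healthz
              port: 1338
              scheme: HTTPS
            initialDelaySeconds: 15
            timeoutSeconds: 1
          livenessProbe:
            httpGet:
              path: /healthz
              port: 1338
              scheme: HTTPS
            initialDelaySeconds: 15
            timeoutSeconds: 1
        volumes:
        - name: config-volume
          configMap:
            name: broker-config
            items:
            - key: broker-config
              path: config.yaml
        - name: asb-tls
          secret:
            secretName: asb-tls
        - name: asb-auth-volume
          secret:
            secretName: asb-auth-secret
        - name: asb-etcd-auth
          secret:
            secretName: broker-etcd-auth-secret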
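# etcd backing store, TLS-only with client-certificate authentication:
# --client-cert-auth makes etcd require a client certificate chained to
# --trusted-ca-file, which with the default parameters is the cluster service
# CA, so the broker authenticates with its own service-serving cert. etcd's
# server cert/key come from the etcd-tls secret generated for the asb-etcd
# Service.
# NOTE(review): the pod runs as the "asb" service account, which is bound to
# cluster "admin" above; with the default parameters etcd only reads
# service-ca.crt from the token mount, so a dedicated unprivileged account
# would do. ETCD_IMAGE also defaults to a mutable ":latest" tag.
- apiVersion: v1
  kind: DeploymentConfig
  metadata:
    name: asb-etcd
    labels:
      app: etcd
      service: asb-etcd
  spec:
    replicas: 1
    selector:
      app: etcd
    strategy:
      type: Rolling
    template:
      metadata:
        labels:
          app: etcd
          service: asb-etcd
      spec:
        # serviceAccountName is the current PodSpec field; the original used
        # its deprecated alias "serviceAccount".
        serviceAccountName: asb
        containers:
        - name: etcd
          image: ${ETCD_IMAGE}
          imagePullPolicy: IfNotPresent
          workingDir: /etcd
          args:
          - ${ETCD_PATH}
          - --data-dir=/data
          - --listen-client-urls=https://0.0.0.0:2379
          - --advertise-client-urls=https://0.0.0.0:2379
          - --client-cert-auth
          - --trusted-ca-file=${ETCD_TRUSTED_CA_FILE}
          - --cert-file=${ETCD_CERT_FILE}
          - --key-file=${ETCD_KEY_FILE}
          ports:
          - containerPort: 2379
            protocol: TCP
          env:
          - name: ETCDCTL_API
            value: "3"
          volumeMounts:
          - name: etcd
            mountPath: /data
          - name: etcd-tls
            mountPath: /etc/tls/private
          - name: etcd-auth
            mountPath: /var/run/etcd-auth-secret
          terminationMessagePath: /tmp/termination-log
        volumes:
        - name: etcd
          persistentVolumeClaim:
            claimName: etcd
        - name: etcd-tls
          secret:
            secretName: etcd-tls
        - name: etcd-auth
          secret:
            secretName: etcd-auth-secret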
# Basic-auth credentials mounted into the broker at /var/run/asb-auth.
# Values under "data" must be base64; the template defaults (YWRtaW4=) decode
# to admin/admin — override them at deploy time.
- apiVersion: v1
  kind: Secret
  metadata:
    name: asb-auth-secret
    namespace: ansible-service-broker
  data:
    username: ${BROKER_USER}
    password: ${BROKER_PASS}
# Registry (Docker Hub) credentials. Name comes from REGISTRY_SECRET_NAME;
# both values default to empty strings and must be base64 when supplied.
- apiVersion: v1
  kind: Secret
  metadata:
    name: ${REGISTRY_SECRET_NAME}
    namespace: ansible-service-broker
  data:
    username: ${DOCKERHUB_USER}
    password: ${DOCKERHUB_PASS}
# Optional CA bundle for etcd, mounted at /var/run/etcd-auth-secret. The
# default ETCD_TRUSTED_CA is the placeholder base64 of "admin", not PEM, and
# the default --trusted-ca-file points at the service CA instead, so this
# secret appears unused unless ETCD_TRUSTED_CA_FILE is changed.
- apiVersion: v1
  kind: Secret
  metadata:
    name: etcd-auth-secret
    namespace: ansible-service-broker
  data:
    ca.crt: ${ETCD_TRUSTED_CA}
# Optional client cert/key for the broker's etcd connection, mounted at
# /var/run/asb-etcd-auth. Defaults are the placeholder base64 of "admin";
# with the default BROKER_CLIENT_*_PATH parameters the broker uses its
# serving cert under /etc/tls/private instead.
- apiVersion: v1
  kind: Secret
  metadata:
    name: broker-etcd-auth-secret
    namespace: ansible-service-broker
  data:
    client.crt: ${BROKER_CLIENT_CERT}
    client.key: ${BROKER_CLIENT_KEY}
# Broker configuration, mounted by the asb DeploymentConfig as
# /etc/ansible-service-broker/config.yaml. The block scalar is template text:
# ${...} placeholders are substituted before the broker parses it, so
# unquoted values such as ${KEEP_NAMESPACE} arrive as YAML booleans while the
# quoted ones stay strings even when empty. The inner nesting (notably "auth"
# under "broker") is reconstructed — confirm against the broker's config
# schema.
# NOTE(review): the shipped defaults are development-oriented — log level
# "debug", OUTPUT_REQUEST and DEV_BROKER both "true" — and request logging may
# capture caller-supplied data; tighten these on a shared cluster.
- apiVersion: v1
  kind: ConfigMap
  metadata:
    name: broker-config
    namespace: ansible-service-broker
    labels:
      app: ansible-service-broker
  data:
    broker-config: |
      registry:
      - type: "${REGISTRY_TYPE}"
        name: "${REGISTRY_NAME}"
        url: "${REGISTRY_URL}"
        org: "${DOCKERHUB_ORG}"
        tag: "${TAG}"
        white_list:
        - ".*-apb$"
      - type: local_openshift
        name: localregistry
        namespaces: ['openshift']
        white_list:
        - ".*-apb$"
      dao:
        etcd_host: asb-etcd.${NAMESPACE}.svc
        etcd_port: 2379
        etcd_ca_file: ${BROKER_ETCD_TRUSTED_CA}
        etcd_client_cert: ${BROKER_CLIENT_CERT_PATH}
        etcd_client_key: ${BROKER_CLIENT_KEY_PATH}
      log:
        logfile: /var/log/ansible-service-broker/asb.log
        stdout: true
        level: debug
        color: true
      openshift:
        host: "${CLUSTER_AUTH_HOST}"
        ca_file: "${CA_FILE}"
        bearer_token_file: "${BEARER_TOKEN_FILE}"
        image_pull_policy: "${IMAGE_PULL_POLICY}"
        sandbox_role: "${SANDBOX_ROLE}"
        keep_namespace: ${KEEP_NAMESPACE}
        keep_namespace_on_error: ${KEEP_NAMESPACE_ON_ERROR}
      broker:
        dev_broker: ${DEV_BROKER}
        bootstrap_on_startup: ${BOOTSTRAP_ON_STARTUP}
        refresh_interval: "${REFRESH_INTERVAL}"
        launch_apb_on_bind: ${LAUNCH_APB_ON_BIND}
        output_request: ${OUTPUT_REQUEST}
        recovery: ${RECOVERY}
        ssl_cert_key: /etc/tls/private/tls.key
        ssl_cert: /etc/tls/private/tls.crt
        auto_escalate: ${AUTO_ESCALATE}
        auth:
        - type: basic
          enabled: ${ENABLE_BASIC_AUTH}
# Service account whose token the service catalog presents to the broker.
- apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: ansibleservicebroker-client
    namespace: ansible-service-broker
# Lets the client service account reach the broker's URL prefix (and
# nothing else) via access-asb-role.
- apiVersion: rbac.authorization.k8s.io/v1beta1
  kind: ClusterRoleBinding
  metadata:
    name: ansibleservicebroker-client
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: access-asb-role
  subjects:
  - kind: ServiceAccount
    name: ansibleservicebroker-client
    namespace: ansible-service-broker
# Token secret for the client service account: for this Secret type the
# service-account controller fills in a token for the account named in the
# annotation. The BROKER_AUTH default points the service catalog at it.
- apiVersion: v1
  kind: Secret
  type: kubernetes.io/service-account-token
  metadata:
    name: ansibleservicebroker-client
    annotations:
      kubernetes.io/service-account.name: ansibleservicebroker-client
# External route to the broker. With "reencrypt" the router terminates the
# public TLS session and opens a new TLS connection to the asb Service. No
# host is set, so the router assigns one (the ROUTING_SUFFIX parameter is
# not referenced here).
- apiVersion: v1
  kind: Route
  metadata:
    name: asb-1338
    labels:
      app: ansible-service-broker
      service: asb
  spec:
    to:
      kind: Service
      name: asb
    port:
      targetPort: port-1338
    tls:
      termination: reencrypt
# Registers the broker with the service catalog. "${{BROKER_AUTH}}" is
# OpenShift's non-string substitution, so the parameter's JSON becomes the
# authInfo object. The URL hard-codes the ansible-service-broker namespace
# whereas the ConfigMap's etcd_host uses ${NAMESPACE}. BROKER_CA_CERT
# defaults to empty — confirm how the catalog is expected to trust the
# broker's serving cert in that case.
- apiVersion: ${SVC_CAT_API_VER}
  kind: ${BROKER_KIND}
  metadata:
    name: ansible-service-broker
  spec:
    url: https://asb.ansible-service-broker.svc:1338${BROKER_URL_PREFIX}/
    authInfo:
      ${{BROKER_AUTH}}
    caBundle: ${BROKER_CA_CERT}
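# Template parameters. The field is "displayName" (the original wrote
# "displayname"; Kubernetes' JSON decoder is case-insensitive so it worked,
# but the canonical spelling is used here). Two displayNames were copy-paste
# errors in the original (BROKER_CA_CERT read "Service Broker kind.",
# NAMESPACE read "broker client cert key") and are corrected, as are three
# typos in descriptions.
parameters:
- name: SVC_CAT_API_VER
  displayName: Service Catalog API Version. Newer service-catalogs use servicecatalog.k8s.io/v1beta1
  description: Service Catalog API Version. Newer service-catalogs use servicecatalog.k8s.io/v1beta1
  value: servicecatalog.k8s.io/v1beta1
- name: BROKER_KIND
  displayName: Service Broker kind. Newer service-catalogs use ClusterServiceBroker
  description: Service Broker kind. Newer service-catalogs use ClusterServiceBroker
  value: ClusterServiceBroker
- name: BROKER_CA_CERT
  displayName: Service Broker CA Cert
  description: Service Broker CA Cert.
  value: ""
- name: BROKER_URL_PREFIX
  displayName: ASB Url Prefix
  description: Service Broker url prefix for the cluster
  value: "/ansible-service-broker"
# Substituted as an object via ${{BROKER_AUTH}}; the namespace inside the
# JSON is a literal and is not tied to ${NAMESPACE}.
- name: BROKER_AUTH
  displayName: Broker Auth Info
  description: Broker Auth Info
  value: '{ "bearer": { "secretRef": { "kind": "Secret", "namespace": "ansible-service-broker", "name": "ansibleservicebroker-client" } } }'
# Not referenced by any object in this template.
- name: ROUTING_SUFFIX
  displayName: Suffix for OpenShift routes
  description: Suffix for OpenShift routes
  value: "172.17.0.1.nip.io"
# NOTE(review): both image defaults use the mutable ":latest" tag; pin to a
# digest (image@sha256:...) for reproducible deployments.
- name: BROKER_IMAGE
  displayName: Ansible Service Broker Image
  description: Container Image to use for Ansible Service Broker in format of imagename:tag
  value: ansibleplaybookbundle/origin-ansible-service-broker:latest
- name: ETCD_IMAGE
  displayName: etcd Image
  description: Container Image to use for etcd in format of imagename:tag
  value: quay.io/coreos/etcd:latest
- name: ETCD_PATH
  displayName: etcd path
  description: Path of the etcd binary
  value: /usr/local/bin/etcd
# Paths inside the pods. The defaults make etcd and the broker use the
# service-serving certs mounted at /etc/tls/private and the cluster service
# CA from the service-account token mount.
- name: ETCD_TRUSTED_CA_FILE
  displayName: etcd trusted ca file path
  description: Path of the etcd trusted ca file
  value: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
- name: ETCD_CERT_FILE
  displayName: etcd server cert path
  description: Path of the etcd server cert file
  value: /etc/tls/private/tls.crt
- name: ETCD_KEY_FILE
  displayName: etcd server key path
  description: Path of the etcd server cert key file
  value: /etc/tls/private/tls.key
- name: BROKER_CLIENT_CERT_PATH
  displayName: etcd client cert path
  description: Path of the broker client cert file for etcd
  value: /etc/tls/private/tls.crt
- name: BROKER_CLIENT_KEY_PATH
  displayName: etcd client cert key path
  description: Path of the broker client cert key file for etcd
  value: /etc/tls/private/tls.key
- name: BROKER_ETCD_TRUSTED_CA
  displayName: etcd trusted ca file path
  description: Path of the etcd trusted ca file
  value: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
# Secret contents (base64). The defaults are the base64 of "admin", i.e.
# placeholders rather than PEM material; with the default *_PATH parameters
# above the secrets they populate are mounted but not read.
- name: ETCD_TRUSTED_CA
  displayName: etcd trusted ca
  description: Value of the etcd server ca file
  value: "YWRtaW4="
- name: BROKER_CLIENT_CERT
  displayName: broker client cert
  description: Value of the broker client cert for etcd
  value: "YWRtaW4="
- name: BROKER_CLIENT_KEY
  displayName: broker client cert key
  description: Value of the broker client cert key for etcd
  value: "YWRtaW4="
# Only the ConfigMap's etcd_host uses this; the objects above hard-code
# "ansible-service-broker", so keep the two in step.
- name: NAMESPACE
  displayName: Namespace
  description: Namespace of the project that is being deployed
  value: "ansible-service-broker"
- name: BROKER_CONFIG
  displayName: Ansible Service Broker Configuration File
  description: Configuration filepath for Ansible Service Broker
  value: /etc/ansible-service-broker/config.yaml
- name: DOCKERHUB_ORG
  displayName: Dockerhub organization
  description: Dockerhub organization
  value: ansibleplaybookbundle
- name: TAG
  displayName: APB Image Tag
  description: APB Image Tag
  value: latest
# Not referenced by any object in this template. NOTE(review): the defaults
# are literal admin/admin credentials; remove the parameters or leave the
# values empty if nothing consumes them.
- name: OPENSHIFT_PASS
  displayName: OpenShift User Password
  description: OpenShift User Password
  value: admin
- name: OPENSHIFT_USER
  displayName: OpenShift User Name
  description: OpenShift User Name
  value: admin
- name: OPENSHIFT_TARGET
  displayName: OpenShift Target URL
  description: OpenShift Target URL
  value: kubernetes.default
- name: REGISTRY_TYPE
  displayName: Registry Type
  description: Registry Type
  value: dockerhub
- name: REGISTRY_SECRET_NAME
  displayName: Registry Secret Name
  description: Registry Secret Name
  value: registry-auth-secret
# Not referenced by any object in this template.
- name: REGISTRY_AUTH_TYPE
  displayName: Registry Auth Type
  description: Registry Auth Type
  value: secret
# Intentionally short registry name: it feeds into PodPreset names, which
# must be under 63 characters.
# https://github.com/kubernetes-incubator/service-catalog/issues/1047
# https://github.com/openshift/ansible-service-broker/issues/283
- name: REGISTRY_NAME
  displayName: Registry Name
  description: Registry Name
  value: dh
- name: REGISTRY_URL
  displayName: Registry URL
  description: Registry URL
  value: https://registry.hub.docker.com
# Boolean-like parameters are strings here; they are substituted unquoted
# into the ConfigMap and parsed as booleans by the broker.
# NOTE(review): DEV_BROKER and OUTPUT_REQUEST default to "true" — development
# settings that are not appropriate for a shared cluster.
- name: DEV_BROKER
  displayName: Include Broker Development Endpoint
  description: Include Broker Development Endpoint
  value: "true"
- name: LAUNCH_APB_ON_BIND
  displayName: Launch APB on bind
  description: Launch APB on bind
  value: "false"
- name: BOOTSTRAP_ON_STARTUP
  displayName: Bootstrap On Startup
  description: Will automatically bootstrap the broker on startup
  value: "true"
- name: REFRESH_INTERVAL
  displayName: Refresh Interval
  description: Refresh the available broker images every interval of seconds
  value: "600s"
- name: OUTPUT_REQUEST
  displayName: Output broker requests to log
  description: Output broker requests to log
  value: "true"
- name: RECOVERY
  displayName: Recovery
  description: Recover unfinished jobs on restart
  value: "true"
- name: AUTO_ESCALATE
  displayName: Auto Escalate
  description: Auto escalate the broker. Will remove user impersonation
  value: "false"
- name: IMAGE_PULL_POLICY
  displayName: APB ImagePullPolicy
  description: APB ImagePullPolicy
  value: "IfNotPresent"
- name: ENABLE_BASIC_AUTH
  displayName: Enable basic authentication
  description: Will enable basic authentication
  value: "false"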
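############################################################
# NOTE: These values MUST be base64 encoded.
# http://red.ht/2wbrCYo states "The value associated with
# keys in the data map must be base64 encoded."
#
# The broker defaults (YWRtaW4=) decode to admin/admin and must be
# overridden at deploy time; the registry credentials default to empty.
# Field name corrected to "displayName" and the base64 values quoted so
# no YAML tooling retypes them.
############################################################
- name: BROKER_PASS
  displayName: Broker user password
  description: Broker user password
  value: "YWRtaW4="
- name: BROKER_USER
  displayName: Broker user name
  description: Broker user name
  value: "YWRtaW4="
- name: DOCKERHUB_PASS
  displayName: Dockerhub user password
  description: Dockerhub user password
  value: ""
- name: DOCKERHUB_USER
  displayName: Dockerhub user name
  description: Dockerhub user name
  value: ""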
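############################################################
# NOTE: Default behavior for these is to use the kubernetes
# InClusterConfig. They are typically overridden only for running
# the broker outside of a cluster. Under normal circumstances,
# you probably want to leave these blank.
#
# All three are substituted into quoted ConfigMap values, so an empty
# default stays an empty string rather than becoming null.
# Field name corrected to "displayName".
############################################################
- name: CA_FILE
  displayName: Service Account CAFile Path
  description: Service Account CAFile Path
  value: ""
- name: BEARER_TOKEN_FILE
  displayName: Service Account Bearer Token File
  description: Service Account Bearer Token File
  value: ""
- name: CLUSTER_AUTH_HOST
  displayName: Cluster Authentication Host
  description: Cluster Authentication Host
  value: ""
# Role granted in each APB sandbox namespace; "edit" is the default.
- name: SANDBOX_ROLE
  displayName: Role to use for APB Sandboxes
  description: Role to use for APB Sandboxes
  value: "edit"
# Sandbox namespaces are normally deleted after an APB runs; the defaults
# keep them only when the APB errored, which aids troubleshooting.
- name: KEEP_NAMESPACE
  displayName: Always keep the namespace after an APB is executed.
  description: Always keep the namespace after an APB is executed.
  value: "false"
- name: KEEP_NAMESPACE_ON_ERROR
  displayName: Always keep the namespace after an APB is executed and has errored.
  description: Always keep the namespace after an APB is executed and has errored.
  value: "true"
############################################################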