apiVersion: v1 kind: Template metadata: name: ansible-service-broker objects: - apiVersion: v1 kind: Service metadata: name: asb labels: app: ansible-service-broker service: asb annotations: service.alpha.openshift.io/serving-cert-secret-name: asb-tls spec: ports: - name: port-1338 port: 1338 targetPort: 1338 protocol: TCP - name: port-1337 port: 1337 targetPort: 1337 protocol: TCP selector: app: ansible-service-broker service: asb - apiVersion: v1 kind: ServiceAccount metadata: name: asb namespace: "${NAMESPACE}" - apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: asb roleRef: name: admin kind: ClusterRole apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount name: asb namespace: "${NAMESPACE}" - apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: asb-auth rules: - apiGroups: [""] resources: ["namespaces"] verbs: ["create", "delete"] - apiGroups: ["authorization.openshift.io"] resources: ["subjectrulesreview"] verbs: ["create"] - apiGroups: ["authorization.k8s.io"] resources: ["subjectaccessreviews"] verbs: ["create"] - apiGroups: ["authentication.k8s.io"] resources: ["tokenreviews"] verbs: ["create"] - apiGroups: ["image.openshift.io", ""] attributeRestrictions: null resources: ["images"] verbs: ["get", "list"] - apiGroups: ["network.openshift.io", ""] attributeRestrictions: null resources: ["clusternetworks", "netnamespaces"] verbs: ["get"] - apiGroups: ["network.openshift.io", ""] attributeRestrictions: null resources: ["netnamespaces"] verbs: ["update"] - apiGroups: ["networking.k8s.io", ""] attributeRestrictions: null resources: ["networkpolicies"] verbs: ["create", "delete"] - apiGroups: ["automationbroker.io"] attributeRestrictions: null resources: ["bundles", "bundlebindings", "bundleinstances"] verbs: ["*"] - apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: asb-auth-bind subjects: - kind: ServiceAccount name: asb namespace: "${NAMESPACE}" roleRef: kind: ClusterRole name: asb-auth apiGroup: rbac.authorization.k8s.io - apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: access-asb-role rules: - nonResourceURLs: ["${BROKER_URL_PREFIX}", "${BROKER_URL_PREFIX}/*"] verbs: ["get", "post", "put", "patch", "delete"] - apiVersion: v1 kind: DeploymentConfig metadata: name: asb labels: app: ansible-service-broker service: asb spec: replicas: 1 selector: app: ansible-service-broker strategy: type: Rolling template: metadata: labels: app: ansible-service-broker service: asb spec: serviceAccount: asb containers: - image: ${BROKER_IMAGE} name: dashboard-redirector imagePullPolicy: IfNotPresent ports: - containerPort: 1337 protocol: TCP command: - dashboard-redirector - image: ${BROKER_IMAGE} name: asb imagePullPolicy: IfNotPresent volumeMounts: - name: config-volume mountPath: /etc/ansible-service-broker - name: asb-tls mountPath: /etc/tls/private - name: asb-auth-volume mountPath: /var/run/asb-auth ports: - containerPort: 1338 protocol: TCP env: - name: BROKER_CONFIG value: ${BROKER_CONFIG} resources: {} terminationMessagePath: /tmp/termination-log readinessProbe: httpGet: path: /healthz port: 1338 scheme: HTTPS initialDelaySeconds: 15 timeoutSeconds: 1 livenessProbe: httpGet: port: 1338 path: /healthz scheme: HTTPS initialDelaySeconds: 15 timeoutSeconds: 1 volumes: - name: config-volume configMap: name: broker-config items: - key: broker-config path: config.yaml - name: asb-tls secret: secretName: asb-tls - name: asb-auth-volume secret: secretName: asb-auth-secret - apiVersion: v1 kind: Secret metadata: name: asb-auth-secret namespace: "${NAMESPACE}" data: username: ${BROKER_USER} password: ${BROKER_PASS} - apiVersion: v1 kind: Secret metadata: name: ${REGISTRY_SECRET_NAME} namespace: "${NAMESPACE}" data: username: ${DOCKERHUB_USER} password: ${DOCKERHUB_PASS} - apiVersion: v1 kind: ConfigMap metadata: name: broker-config namespace: "${NAMESPACE}" labels: app: ansible-service-broker data: broker-config: | registry: - type: "${REGISTRY_TYPE}" name: "${REGISTRY_NAME}" url: "${REGISTRY_URL}" org: "${DOCKERHUB_ORG}" tag: "${TAG}" white_list: - ".*-apb$" - type: local_openshift name: localregistry namespaces: ['openshift'] # NOTE TO ADMINS: The default whitelist policy here will pass *all* APBs # found in the local openshift registry. If this is not desired, # manipulate the following regex to only match APBs you wish to be made available. white_list: - ".*" dao: type: "${DAO_TYPE}" log: logfile: /var/log/ansible-service-broker/asb.log stdout: true level: debug color: true openshift: host: "${CLUSTER_AUTH_HOST}" ca_file: "${CA_FILE}" bearer_token_file: "${BEARER_TOKEN_FILE}" image_pull_policy: "${IMAGE_PULL_POLICY}" sandbox_role: "${SANDBOX_ROLE}" namespace: "${NAMESPACE}" keep_namespace: ${KEEP_NAMESPACE} keep_namespace_on_error: ${KEEP_NAMESPACE_ON_ERROR} broker: dev_broker: ${DEV_BROKER} bootstrap_on_startup: ${BOOTSTRAP_ON_STARTUP} refresh_interval: "${REFRESH_INTERVAL}" launch_apb_on_bind: ${LAUNCH_APB_ON_BIND} output_request: ${OUTPUT_REQUEST} recovery: ${RECOVERY} ssl_cert_key: /etc/tls/private/tls.key ssl_cert: /etc/tls/private/tls.crt auto_escalate: ${AUTO_ESCALATE} cluster_url: ${NAMESPACE} dashboard_redirector: http://dashboard-redirector-1337-${NAMESPACE}.${ROUTING_SUFFIX} auth: - type: basic enabled: ${ENABLE_BASIC_AUTH} - apiVersion: v1 kind: ServiceAccount metadata: name: ansibleservicebroker-client namespace: "${NAMESPACE}" - apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: ansibleservicebroker-client subjects: - kind: ServiceAccount name: ansibleservicebroker-client namespace: "${NAMESPACE}" roleRef: kind: ClusterRole name: access-asb-role apiGroup: rbac.authorization.k8s.io - apiVersion: v1 kind: Secret metadata: name: ansibleservicebroker-client annotations: kubernetes.io/service-account.name: ansibleservicebroker-client type: kubernetes.io/service-account-token - apiVersion: v1 kind: Route metadata: name: dashboard-redirector-1337 labels: app: ansible-service-broker service: asb spec: to: kind: Service name: asb port: targetPort: port-1337 - apiVersion: v1 kind: Route metadata: name: asb-1338 labels: app: ansible-service-broker service: asb spec: to: kind: Service name: asb port: targetPort: port-1338 tls: termination: reencrypt - apiVersion: ${SVC_CAT_API_VER} kind: ${BROKER_KIND} metadata: name: ansible-service-broker spec: url: https://asb.${NAMESPACE}.svc:1338${BROKER_URL_PREFIX}/ authInfo: ${{BROKER_AUTH}} caBundle: ${BROKER_CA_CERT} # CRDs for the broker. - apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: bundles.automationbroker.io spec: group: automationbroker.io version: v1alpha1 scope: Namespaced names: plural: bundles singular: bundle kind: Bundle - apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: bundlebindings.automationbroker.io spec: group: automationbroker.io version: v1alpha1 scope: Namespaced names: plural: bundlebindings singular: bundlebinding kind: BundleBinding - apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: bundleinstances.automationbroker.io spec: group: automationbroker.io version: v1alpha1 scope: Namespaced names: plural: bundleinstances singular: bundleinstance kind: BundleInstance parameters: - description: Service Catalog API Version. Newer service-catalogs use servicecatalog.k8s.io/v1beta1 displayname: Service Catalog API Version. Newer service-catalogs use servicecatalog.k8s.io/v1beta1 name: SVC_CAT_API_VER value: servicecatalog.k8s.io/v1beta1 - description: Service Broker kind. Newer service-catalogs use ClusterServiceBroker displayname: Service Broker kind. Newer service-catalogs use ClusterServiceBroker name: BROKER_KIND value: ClusterServiceBroker - description: Service Broker CA Cert. displayname: Service Broker kind. name: BROKER_CA_CERT value: "" - description: Service Broker url prefix for the cluster displayname: ASB Url Prefix name: BROKER_URL_PREFIX value: "/osb" - description: Broker Auth Info displayname: Broker Auth Info name: BROKER_AUTH value: '{ "bearer": { "secretRef": { "kind": "Secret", "namespace": "ansible-service-broker", "name": "ansibleservicebroker-client" } } }' - description: Suffix for OpenShift routes displayname: Suffix for OpenShift routes name: ROUTING_SUFFIX value: "172.17.0.1.nip.io" - description: Container Image to use for Ansible Service Broker in format of imagename:tag displayname: Ansible Service Broker Image name: BROKER_IMAGE value: ansibleplaybookbundle/origin-ansible-service-broker:latest - description: Namespace of the project that is being deploy displayname: broker client cert key name: NAMESPACE value: "ansible-service-broker" - description: Configuration filepath for Ansible Service Broker displayname: Ansible Service Broker Configuration File name: BROKER_CONFIG value: /etc/ansible-service-broker/config.yaml - description: Dockerhub organization displayname: Dockerhub organization name: DOCKERHUB_ORG value: ansibleplaybookbundle - description: APB Image Tag displayname: APB Image Tag name: TAG value: latest - description: OpenShift User Password displayname: OpenShift User Password name: OPENSHIFT_PASS value: admin - description: OpenShift User Name displayname: OpenShift User Name name: OPENSHIFT_USER value: admin - description: OpenShift Target URL displayname: OpenShift Target URL name: OPENSHIFT_TARGET value: kubernetes.default - description: Registry Type displayname: Registry Type name: REGISTRY_TYPE value: dockerhub - description: Registry Secret Name displayname: Registry Secret Name name: REGISTRY_SECRET_NAME value: registry-auth-secret - description: Registry Auth Type displayname: Registry Auth Type name: REGISTRY_AUTH_TYPE value: secret # Intentionally shortening the registry name to lessen impact of # PodPreset name has a requirement of being less than 63 chars # https://github.com/kubernetes-incubator/service-catalog/issues/1047 # https://github.com/openshift/ansible-service-broker/issues/283 - description: Registry Name displayname: Registry Name name: REGISTRY_NAME value: dh - description: Registry URL displayname: Registry URL name: REGISTRY_URL value: https://registry.hub.docker.com - description: Include Broker Development Endpoint displayname: Include Broker Development Endpoint name: DEV_BROKER value: "true" - description: Launch APB on bind displayname: Launch APB on bind name: LAUNCH_APB_ON_BIND value: "false" - description: Will automatically bootstrap the broker on startup displayname: Bootstrap On Startup name: BOOTSTRAP_ON_STARTUP value: "true" - description: Refresh the available broker images every interval of seconds displayname: Refresh Interval name: REFRESH_INTERVAL value: "600s" - description: Output broker requests to log displayname: Output broker requests to log name: OUTPUT_REQUEST value: "true" - description: Recover unfinshed jobs on restart displayname: Recovery name: RECOVERY value: "true" - description: Auto escalate the broker. Will remove user impresonation displayname: Auto Escalate name: AUTO_ESCALATE value: "false" - description: APB ImagePullPolicy displayname: APB ImagePullPolicy name: IMAGE_PULL_POLICY value: "IfNotPresent" - description: Will enable basic authentication displayname: Enable basic authentication name: ENABLE_BASIC_AUTH value: "false" - description: Will enable CRD use. Valid values crd | etcd | "" displayname: Enable CRD backend storage, will not use etcd. name: DAO_TYPE value: "crd" ############################################################ # NOTE: These values MUST be base64 encoded. # http://red.ht/2wbrCYo states "The value associated with # keys in the data map must be base64 encoded." ############################################################ - description: Broker user password displayname: Broker user password name: BROKER_PASS value: YWRtaW4= - description: Broker user name displayname: Broker user name name: BROKER_USER value: YWRtaW4= - description: Dockerhub user password displayname: Dockerhub user password name: DOCKERHUB_PASS value: "" - description: Dockerhub user name displayname: Dockerhub user name name: DOCKERHUB_USER value: "" ############################################################ # NOTE: Default behavior for these are going to use the kubernetes # InClusterConfig. These are typically overridden for running # the broker outside of a cluster. Under normal circumstances, # you probably want to leave these blank. ############################################################ - description: Service Account CAFile Path displayname: Service Account CAFile Path name: CA_FILE value: "" - description: Service Account Bearer Token File displayname: Service Account Bearer Token File name: BEARER_TOKEN_FILE value: "" - description: Cluster Authentication Host displayname: Cluster Authentication Host name: CLUSTER_AUTH_HOST value: "" - description: Role to use for APB Sandboxes displayname: Role to use for APB Sandboxes name: SANDBOX_ROLE value: "edit" - description: Always keep the namespace after an APB is executed. displayname: Always keep the namespace after an APB is executed. name: KEEP_NAMESPACE value: "false" - description: Always keep the namespace after an APB is executed and has errored. displayname: Always keep the namespace after an APB is executed and has errored. name: KEEP_NAMESPACE_ON_ERROR value: "true" ############################################################