Chapter 3. Service brokers
3.1. Installing the service catalog
The service catalog is deprecated in OpenShift Container Platform 4. Equivalent and better functionality is present in the Operator Framework and Operator Lifecycle Manager (OLM).
3.1.1. About the service catalog
When developing microservices-based applications to run on cloud native platforms, there are many ways to provision different resources and share their coordinates, credentials, and configuration, depending on the service provider and the platform.
To give developers a more seamless experience, OpenShift Container Platform includes a service catalog, an implementation of the Open Service Broker API (OSB API) for Kubernetes. This allows users to connect any of their applications deployed in OpenShift Container Platform to a wide variety of service brokers.
The service catalog allows cluster administrators to integrate multiple platforms using a single API specification. The OpenShift Container Platform web console displays the cluster service classes offered by service brokers in the service catalog, allowing users to discover and instantiate those services for use with their applications.
As a result, service users benefit from ease and consistency of use across different types of services from different providers, while service providers benefit from having one integration point that gives them access to multiple platforms.
The service catalog is not installed by default in OpenShift Container Platform 4.
3.1.2. Installing service catalog
If you plan on using any of the services from the OpenShift Ansible Broker or Template Service Broker, you must install the service catalog by completing the following steps.
The custom resources for the service catalog’s API server and controller manager are created by default in OpenShift Container Platform, but initially have a managementState of Removed. To install the service catalog, you must change the managementState for these resources to Managed.
Procedure
Enable the service catalog API server.
Use the following command to edit the service catalog API server resource.
$ oc edit servicecatalogapiservers
Under
spec, set themanagementStatefield toManaged:spec: logLevel: Normal managementState: Managed
Save the file to apply the changes.
The Operator installs the service catalog API server component. As of OpenShift Container Platform 4, this component is installed into the
openshift-service-catalog-apiservernamespace.
Enable the service catalog controller manager.
Use the following command to edit the service catalog controller manager resource.
$ oc edit servicecatalogcontrollermanagers
Under
spec, set themanagementStatefield toManaged:spec: logLevel: Normal managementState: Managed
Save the file to apply the changes.
The Operator installs the service catalog controller manager component. As of OpenShift Container Platform 4, this component is installed into the
openshift-service-catalog-controller-managernamespace.
3.2. Installing the Template Service Broker
You can install the Template Service Broker to gain access to the template applications that it provides.
The Template Service Broker is deprecated in OpenShift Container Platform 4. Equivalent and better functionality is present in the Operator Framework and Operator Lifecycle Manager (OLM).
Prerequisites
3.2.1. About the Template Service Broker
The Template Service Broker gives the service catalog visibility into the default Instant App and Quickstart templates that have shipped with OpenShift Container Platform since its initial release. The Template Service Broker can also make available as a service anything for which an OpenShift Container Platform template has been written, whether provided by Red Hat, a cluster administrator or user, or a third-party vendor.
By default, the Template Service Broker shows objects that are globally available from the openshift project. It can also be configured to watch any other project that a cluster administrator chooses.
The Template Service Broker is not installed by default in OpenShift Container Platform 4.
3.2.2. Installing the Template Service Broker Operator
Prerequisites
- You have installed the service catalog.
Procedure
The following procedure installs the Template Service Broker Operator using the web console.
Create a namespace.
- Navigate in the web console to Administration → Namespaces and click Create Namespace.
Enter
openshift-template-service-brokerin the Name field and click Create.NoteThe namespace must start with
openshift-.
-
Navigate to the Operators → OperatorHub page. Verify that the
openshift-template-service-brokerproject is selected. - Select Template Service Broker Operator.
- Read the information about the Operator and click Install.
- Review the default selections and click Subscribe.
Next, you must start the Template Service Broker in order to access the template applications it provides.
3.2.3. Starting the Template Service Broker
After you have installed the Template Service Broker Operator, you can start the Template Service Broker using the following procedure.
Prerequisites
- You have installed the service catalog.
- You have installed the Template Service Broker Operator.
Procedure
-
Navigate in the web console to Operators → Installed Operators and select the
openshift-template-service-brokerproject. - Select the Template Service Broker Operator.
- Under Provided APIs, click Create New for Template Service Broker.
- Review the default YAML and click Create.
Verify that the Template Service Broker has started.
After the Template Service Broker has started, you can view the available template applications by navigating to Catalog → Developer Catalog and selecting the Service Class checkbox. Note that it may take a few minutes for the Template Service Broker to start and the template applications to be available.
If you do not yet see these Service classes, you can check the status of the following items:
Template Service Broker Pod status
-
From the Workloads → Pods page for the openshift-template-service-broker project, verify that the Pod that starts with
apiserver-has a status of Running and readiness of Ready.
-
From the Workloads → Pods page for the openshift-template-service-broker project, verify that the Pod that starts with
Cluster service broker status
- From the Catalog → Broker Management → Service Brokers page, verify that the template-service-broker service broker has a status of Ready.
Service catalog controller manager Pod logs
-
From the Workloads → Pods page for the openshift-service-catalog-controller-manager project, review the logs for each of the Pods and verify that you see a log entry with the message
Successfully fetched catalog entries from broker.
-
From the Workloads → Pods page for the openshift-service-catalog-controller-manager project, review the logs for each of the Pods and verify that you see a log entry with the message
3.3. Provisioning template applications
3.3.1. Provisioning template applications
The following procedure provisions an example PostgreSQL template application that was made available by the Template Service Broker.
Prerequisites
- The service catalog is installed.
- The Template Service Broker is installed.
Procedure
Create a project.
- Navigate in the web console to Home → Projects and click Create Project.
-
Enter
test-postgresqlin the Name field and click Create.
Create a service instance.
- Navigate to the Catalog → Developer Catalog page.
- Select the PostgreSQL (Ephemeral) template application and click Create Service Instance.
- Review the default selections and set any other required fields, and click Create.
Go to Catalog → Provisioned Services and verify that the postgresql-ephemeral service instance is created and has a status of Ready.
You can check the progress on the Home → Events page. After a few moments, you should see an event for postgresql-ephemeral with the message "The instance was provisioned successfully".
Create a service binding.
- From the Provisioned Services page, click postgresql-ephemeral and click Create Service Binding.
Review the default service binding name and click Create.
This creates a new secret for binding using the name provided.
Review the secret that was created.
- Navigate to Workloads → Secrets and verify that a secret named postgresql-ephemeral was created.
- Click postgresql-ephemeral and review the key-value pairs in the Data section, which are used for binding to other apps.
3.4. Uninstalling the Template Service Broker
You can uninstall the Template Service Broker if you no longer require access to the template applications that it provides.
The Template Service Broker is deprecated in OpenShift Container Platform 4. Equivalent and better functionality is present in the Operator Framework and Operator Lifecycle Manager (OLM).
3.4.1. Uninstalling the Template Service Broker
The following procedure uninstalls the Template Service Broker and its Operator using the web console.
Do not uninstall the Template Service Broker if there are any provisioned services from it in your cluster, otherwise you might encounter errors when trying to manage the services.
Prerequisites
- The Template Service Broker is installed.
Procedure
This procedure assumes that you installed the Template Service Broker into the openshift-template-service-broker project.
Uninstall the Template Service Broker.
- Navigate to Operators → Installed Operators and select the openshift-template-service-broker project from the drop-down menu.
- Click Template Service Broker Operator.
- Select the Template Service Broker tab.
- Click template-service-broker.
- From the Actions drop-down menu, select Delete Template Service Broker.
Click Delete from the confirmation pop-up window.
The Template Service Broker is now uninstalled, and template applications will soon be removed from the Developer Catalog.
Uninstall the Template Service Broker Operator.
- From the Operators → Installed Operators page, scroll or type a keyword into the Filter by name to find the Template Service Broker Operator, then click on it.
- On the right-hand side of the Operator Details page, select Uninstall Operator from the Actions drop-down menu.
- When prompted by the Remove Operator Subscription window, optionally select the Also completely remove the Operator from the selected namespace check box if you want all components related to the installation to be removed. This removes the CSV, which in turn removes the Pods, Deployments, CRDs, and CRs associated with the Operator.
- Select Remove. This Operator will stop running and no longer receive updates. The Template Service Broker Operator is no longer installed in your cluster.
After the Template Service Broker is uninstalled, users will no longer have access to the template applications provided by the Template Service Broker.
3.5. Installing the OpenShift Ansible Broker
You can install the OpenShift Ansible Broker to gain access to the service bundles that it provides.
The OpenShift Ansible Broker is deprecated in OpenShift Container Platform 4. Equivalent and better functionality is present in the Operator Framework and Operator Lifecycle Manager (OLM).
Prerequisites
3.5.1. About the OpenShift Ansible Broker
The OpenShift Ansible Broker is an implementation of the Open Service Broker (OSB) API that manages applications defined by Ansible playbook bundles (APBs). APBs provide a method for defining and distributing container applications in OpenShift Container Platform, and consist of a bundle of Ansible playbooks built into a container image with an Ansible runtime. APBs leverage Ansible to create a standard mechanism to automate complex deployments.
The OpenShift Ansible Broker follows this basic workflow:
- A user requests the list of available applications from the service catalog using the OpenShift Container Platform web console.
- The service catalog requests the list of available applications from the OpenShift Ansible Broker.
- The OpenShift Ansible Broker communicates with a defined container image registry to learn which APBs are available.
- The user issues a request to provision a specific APB.
- The OpenShift Ansible Broker fulfills the user’s provision request by invoking the provision method on the APB.
The OpenShift Ansible Broker is not installed by default in OpenShift Container Platform 4.
3.5.1.1. Ansible playbook bundles
An Ansible playbook bundle (APB) is a lightweight application definition that allows you to leverage existing investment in Ansible roles and playbooks.
APBs use a simple directory with named playbooks to perform OSB API actions, such as provision and bind. Metadata defined in the apb.yml file contains a list of required and optional parameters for use during deployment.
Additional resources
3.5.2. Installing the OpenShift Ansible Service Broker Operator
Prerequisites
- You have installed the service catalog.
Procedure
The following procedure installs the OpenShift Ansible Service Broker Operator using the web console.
Create a namespace.
- Navigate in the web console to Administration → Namespaces and click Create Namespace.
Enter
openshift-ansible-service-brokerin the Name field andopenshift.io/cluster-monitoring=truein the Labels field and click Create.NoteThe namespace must start with
openshift-.
Create a cluster role binding.
- Navigate to Administration → Role Bindings and click Create Binding.
- For the Binding Type, select Cluster-wide Role Binding (ClusterRoleBinding).
-
For the Role Binding, enter
ansible-service-brokerin the Name field. - For the Role, select admin.
-
For the Subject, choose the Service Account option, select the
openshift-ansible-service-brokernamespace, and enteropenshift-ansible-service-broker-operatorin the Subject Name field. - Click Create.
Create a secret to connect to the Red Hat Container Catalog.
-
Navigate to Workloads → Secrets. Verify that the
openshift-ansible-service-brokerproject is selected. - Click Create → Key/Value Secret.
-
Enter
asb-registry-authas the Secret Name. -
Add a Key of
usernameand a Value of your Red Hat Container Catalog user name. -
Click Add Key/Value and add a Key of
passwordand a Value of your Red Hat Container Catalog password. - Click Create.
-
Navigate to Workloads → Secrets. Verify that the
-
Navigate to the Operators → OperatorHub page. Verify that the
openshift-ansible-service-brokerproject is selected. - Select OpenShift Ansible Service Broker Operator.
- Read the information about the Operator and click Install.
- Review the default selections and click Subscribe.
Next, you must start the OpenShift Ansible Broker in order to access the service bundles it provides.
3.5.3. Starting the OpenShift Ansible Broker
After you have installed the OpenShift Ansible Service Broker Operator, you can start the OpenShift Ansible Broker using the following procedure.
Prerequisites
- You have installed the service catalog.
- You have installed the OpenShift Ansible Service Broker Operator.
Procedure
-
Navigate in the web console to Operators → Installed Operators and select the
openshift-ansible-service-brokerproject. - Select the OpenShift Ansible Service Broker Operator.
- Under Provided APIs, click Create New for Automation Broker.
Add the following to the
specfield in the default YAML provided:registry: - name: rhcc type: rhcc url: https://registry.redhat.io auth_type: secret auth_name: asb-registry-authThis references the secret that was created when installing the OpenShift Ansible Service Broker Operator, which allows you to connect to the Red Hat Container Catalog.
- Set any additional OpenShift Ansible Broker configuration options and click Create.
Verify that the OpenShift Ansible Broker has started.
After the OpenShift Ansible Broker has started, you can view the available service bundles by navigating to Catalog → Developer Catalog and selecting the Service Class checkbox. Note that it may take a few minutes for the OpenShift Ansible Broker to start and the service bundles to be available.
If you do not yet see these Service classes, you can check the status of the following items:
OpenShift Ansible Broker Pod status
-
From the Workloads → Pods page for the openshift-ansible-service-broker project, verify that the Pod that starts with
asb-has a status of Running and readiness of Ready.
-
From the Workloads → Pods page for the openshift-ansible-service-broker project, verify that the Pod that starts with
Cluster service broker status
- From the Catalog → Broker Management → Service Brokers page, verify that the ansible-service-broker service broker has a status of Ready.
Service catalog controller manager Pod logs
-
From the Workloads → Pods page for the openshift-service-catalog-controller-manager project, review the logs for each of the Pods and verify that you see a log entry with the message
Successfully fetched catalog entries from broker.
-
From the Workloads → Pods page for the openshift-service-catalog-controller-manager project, review the logs for each of the Pods and verify that you see a log entry with the message
3.5.3.1. OpenShift Ansible Broker configuration options
You can set the following options for your OpenShift Ansible Broker.
Table 3.1. OpenShift Ansible Broker configuration options
| YAML key | Description | Default value |
|---|---|---|
|
| The name used to identify the broker instance. |
|
|
| The namespace where the broker resides. |
|
|
| The fully qualified image used for the broker. |
|
|
| The pull policy used for the broker image itself. |
|
|
| The node selector string used for the broker’s deployment. |
|
|
| Expressed as a yaml list of broker registry configs, allowing the user to configure the image registries the broker will discover and source its APBs from. | See the default registries array. |
|
| The log level used for the broker’s logs. |
|
|
| The pull policy used for APB Pods. |
|
|
| The role granted to the service account used to execute APBs. |
|
|
| Whether the transient namespace created to run the APB is deleted after the conclusion of the APB, regardless of the result. |
|
|
| Whether the transient namespace created to run the APB is deleted after the conclusion of the APB, only in the event of an error result. |
|
|
| Whether or not the broker should run its bootstrap routine on startup. |
|
|
| The interval of time between broker bootstraps, refreshing its inventory of APBs. |
|
|
| Experimental: Toggles the broker executing APBs on bind operations. |
|
|
|
Whether the broker should escalate the permissions of a user while running the APB. This should typically remain |
|
|
| Whether to output the low level HTTP requests that the broker receives. |
|
Default array for registries
- type: rhcc name: rhcc url: https://registry.redhat.io white_list: - ".*-apb$" auth_type: secret auth_name: asb-registry-auth
3.6. Configuring the OpenShift Ansible Broker
The OpenShift Ansible Broker is deprecated in OpenShift Container Platform 4. Equivalent and better functionality is present in the Operator Framework and Operator Lifecycle Manager (OLM).
3.6.1. Configuring the OpenShift Ansible Broker
The following procedure customizes the settings for your OpenShift Ansible Broker.
Prerequisites
- You have installed and started the OpenShift Ansible Broker.
Procedure
This procedure assumes that you used ansible-service-broker both as the OpenShift Ansible Broker name and the project that it was installed into.
-
Navigate in the web console to Operators → Installed Operators and select the
ansible-service-brokerproject. - Select the OpenShift Ansible Service Broker Operator.
-
On the Automation Broker tab, select
ansible-service-broker. On the YAML tab, add or update any OpenShift Ansible Broker configuration options under the
specfield.For example:
spec: keepNamespace: true sandboxRole: edit
- Click Save to apply these changes.
3.6.1.1. OpenShift Ansible Broker configuration options
You can set the following options for your OpenShift Ansible Broker.
Table 3.2. OpenShift Ansible Broker configuration options
| YAML key | Description | Default value |
|---|---|---|
|
| The name used to identify the broker instance. |
|
|
| The namespace where the broker resides. |
|
|
| The fully qualified image used for the broker. |
|
|
| The pull policy used for the broker image itself. |
|
|
| The node selector string used for the broker’s deployment. |
|
|
| Expressed as a yaml list of broker registry configs, allowing the user to configure the image registries the broker will discover and source its APBs from. | See the default registries array. |
|
| The log level used for the broker’s logs. |
|
|
| The pull policy used for APB Pods. |
|
|
| The role granted to the service account used to execute APBs. |
|
|
| Whether the transient namespace created to run the APB is deleted after the conclusion of the APB, regardless of the result. |
|
|
| Whether the transient namespace created to run the APB is deleted after the conclusion of the APB, only in the event of an error result. |
|
|
| Whether or not the broker should run its bootstrap routine on startup. |
|
|
| The interval of time between broker bootstraps, refreshing its inventory of APBs. |
|
|
| Experimental: Toggles the broker executing APBs on bind operations. |
|
|
|
Whether the broker should escalate the permissions of a user while running the APB. This should typically remain |
|
|
| Whether to output the low level HTTP requests that the broker receives. |
|
Default array for registries
- type: rhcc name: rhcc url: https://registry.redhat.io white_list: - ".*-apb$" auth_type: secret auth_name: asb-registry-auth
3.6.2. Configuring monitoring for the OpenShift Ansible Broker
In order for Prometheus to monitor the OpenShift Ansible Broker, you must create the following resources to grant Prometheus permission to access the namespace where the OpenShift Ansible Broker was installed.
Prerequisites
The OpenShift Ansible Broker is installed.
NoteThis procedure assumes that you installed the OpenShift Ansible Broker into the
openshift-ansible-service-brokernamespace.
Procedure
Create the role.
- Navigate to Administration → Roles and click Create Role.
Replace the YAML in the editor with the following:
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: prometheus-k8s namespace: openshift-ansible-service-broker rules: - apiGroups: - "" resources: - services - endpoints - pods verbs: - get - list - watch
- Click Create.
Create the role binding.
- Navigate to Administration → Role Bindings and click Create Binding.
- For the Binding Type, select Namespace Role Binding (RoleBinding).
-
For the Role Binding, enter
prometheus-k8sin the Name field andopenshift-ansible-service-brokerin the Namespace field. - For the Role, select prometheus-k8s.
-
For the Subject, choose the Service Account option, select the
openshift-monitoringnamespace, and enterprometheus-k8sin the Subject Name field. - Click Create.
Prometheus will now have access to OpenShift Ansible Broker metrics.
3.7. Provisioning service bundles
3.7.1. Provisioning service bundles
The following procedure provisions an example PostgreSQL service bundle (APB) that was made available by the OpenShift Ansible Broker.
Prerequisites
- The service catalog is installed.
- The OpenShift Ansible Broker is installed.
Procedure
Create a project.
- Navigate in the web console to Home → Projects and click Create Project.
-
Enter
test-postgresql-apbin the Name field and click Create.
Create a service instance.
- Navigate to the Catalog → Developer Catalog page.
- Select the PostgreSQL (APB) service bundle and click Create Service Instance.
- Review the default selections and set any other required fields, and click Create.
Go to Catalog → Provisioned Services and verify that the dh-postgresql-apb service instance is created and has a status of Ready.
You can check the progress on the Home → Events page. After a few moments, you should see an event for dh-postgresql-apb with the message "The instance was provisioned successfully".
Create a service binding.
- From the Provisioned Services page, click dh-postgresql-apb and click Create Service Binding.
Review the default service binding name and click Create.
This creates a new secret for binding using the name provided.
Review the secret that was created.
- Navigate to Workloads → Secrets and verify that a secret named dh-postgresql-apb was created.
- Click dh-postgresql-apb and review the key-value pairs in the Data section, which are used for binding to other apps.
3.8. Uninstalling the OpenShift Ansible Broker
You can uninstall the OpenShift Ansible Broker if you no longer require access to the service bundles that it provides.
The OpenShift Ansible Broker is deprecated in OpenShift Container Platform 4. Equivalent and better functionality is present in the Operator Framework and Operator Lifecycle Manager (OLM).
3.8.1. Uninstalling the OpenShift Ansible Broker
The following procedure uninstalls the OpenShift Ansible Broker and its Operator using the web console.
Do not uninstall the OpenShift Ansible Broker if there are any provisioned services from it in your cluster, otherwise you might encounter errors when trying to manage the services.
Prerequisites
- The OpenShift Ansible Broker is installed.
Procedure
This procedure assumes that you installed the OpenShift Ansible Broker into the openshift-ansible-service-broker project.
Uninstall the OpenShift Ansible Broker.
- Navigate to Operators → Installed Operators and select the openshift-ansible-service-broker project from the drop-down menu.
- Click OpenShift Ansible Service Broker Operator.
- Select the Automation Broker tab.
- Click ansible-service-broker.
- From the Actions drop-down menu, select Delete Automation Broker.
Click Delete from the confirmation pop-up window.
The OpenShift Ansible Broker is now uninstalled, and service bundles will soon be removed from the Developer Catalog.
Uninstall the OpenShift Ansible Service Broker Operator.
- From the Operators → Installed Operators page, scroll or type a keyword into the Filter by name to find the OpenShift Ansible Service Broker Operator, then click on it.
- On the right-hand side of the Operator Details page, select Uninstall Operator from the Actions drop-down menu.
- When prompted by the Remove Operator Subscription window, optionally select the Also completely remove the Operator from the selected namespace check box if you want all components related to the installation to be removed. This removes the CSV, which in turn removes the Pods, Deployments, CRDs, and CRs associated with the Operator.
- Select Remove. This Operator will stop running and no longer receive updates.
The OpenShift Ansible Service Broker Operator is no longer installed in your cluster.
After the OpenShift Ansible Broker is uninstalled, users will no longer have access to the service bundles provided by the OpenShift Ansible Broker.
