This repo has been deprecated, please refer to https://github.com/awslabs/aws-servicebroker/tree/master/docs
This library is licensed under the Apache 2.0 License.
AWS Service Broker documentation
Hi,
On the service broker getting-started page it says this
Production
• Only way to run with on-premises multi-node OpenShift cluster
I am wondering what "on-premises" means. Does it mean that it can't be deployed with an OCP cluster on AWS, just on-premises? Can you help to clarify this?
This script was used in conjunction with some documentation which is no longer in this repo. It should be removed.
OpenShift 3.9 uses DaemonSets, so instead of:
oc edit deployment controller-manager -n kube-service-catalog
it should be (with 'ds'):
oc edit ds controller-manager -n kube-service-catalog
and then delete the existing pod to refresh it:
oc delete po controller-manager-xyz123 -n kube-service-catalog
Then you should see this:
# oc logs aws-asb-2-xyz123 | grep -i "Filtering secrets from spec"
[2018-04-02T02:17:49.585Z] [DEBUG] Filtering secrets from spec dh-emr-apb
[2018-04-02T02:17:49.585Z] [DEBUG] Filtering secrets from spec dh-dynamodb-apb
[2018-04-02T02:17:49.585Z] [DEBUG] Filtering secrets from spec dh-rds-apb
[2018-04-02T02:17:49.585Z] [DEBUG] Filtering secrets from spec dh-r53-apb
[2018-04-02T02:17:49.585Z] [DEBUG] Filtering secrets from spec dh-sns-apb
[2018-04-02T02:17:49.585Z] [DEBUG] Filtering secrets from spec dh-s3-apb
[2018-04-02T02:17:49.585Z] [DEBUG] Filtering secrets from spec dh-elasticache-apb
[2018-04-02T02:17:49.585Z] [DEBUG] Filtering secrets from spec dh-athena-apb
[2018-04-02T02:17:49.585Z] [DEBUG] Filtering secrets from spec dh-redshift-apb
[2018-04-02T02:17:49.585Z] [DEBUG] Filtering secrets from spec dh-sqs-apb
When I create an SQS queue and then an SNS topic + subscription to the SQS ARN, the messages are not passed along because the permissions are not updated for the SQS queue. Is there a way with aws servicebroker to set the AccessPolicy on the SQS queue? I was unable to find it.
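As an added illustration of the queue policy that an SNS-to-SQS subscription relies on (not code from the issue or from the service broker, which the question says offers no way to set it): the builder below produces a least-privilege SQS policy that lets only the SNS service, acting for one named topic, call SendMessage, and the audit function checks an existing policy for that grant while flagging statements that let any principal send without an aws:SourceArn condition. The ARNs are constructed placeholders.

```python
import json

# Constructed placeholder ARNs, not taken from any real account.
QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:example-queue"
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:example-topic"


def sqs_policy_for_sns(queue_arn, topic_arn):
    """Queue policy allowing only the SNS service, on behalf of one topic, to send."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowSnsTopicSendMessage",
            "Effect": "Allow",
            "Principal": {"Service": "sns.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
            # Pin the grant to a single topic; without this, any SNS topic could deliver.
            "Condition": {"ArnEquals": {"aws:SourceArn": topic_arn}},
        }],
    }


def policy_json(queue_arn, topic_arn):
    """The same policy serialised the way the SQS API expects it (a JSON string)."""
    return json.dumps(sqs_policy_for_sns(queue_arn, topic_arn), indent=2)


def _as_list(value):
    # IAM policy fields accept a scalar or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def audit_send_message(policy, topic_arn):
    """Return (allows_topic, findings).

    allows_topic: True if some Allow statement grants SendMessage with the
    topic ARN in its aws:SourceArn condition.
    findings: statements that grant SendMessage to any principal with no
    aws:SourceArn condition at all (over-broad for an SNS subscription).
    """
    allows_topic = False
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        if not any(a in ("sqs:SendMessage", "sqs:*", "*") for a in actions):
            continue
        cond = st.get("Condition", {})
        source = None
        for op in ("ArnEquals", "ArnLike", "StringEquals", "StringLike"):
            source = cond.get(op, {}).get("aws:SourceArn", source)
        sources = _as_list(source) if source else []
        if topic_arn in sources:
            allows_topic = True
        principal = st.get("Principal")
        wide_open = principal == "*" or principal == {"AWS": "*"}
        if wide_open and not sources:
            findings.append(
                "statement %r lets any principal send without an aws:SourceArn condition"
                % st.get("Sid")
            )
    return allows_topic, findings


if __name__ == "__main__":
    print(policy_json(QUEUE_ARN, TOPIC_ARN))
    print(audit_send_message(sqs_policy_for_sns(QUEUE_ARN, TOPIC_ARN), TOPIC_ARN))
```

Run the audit against the policy currently attached to the queue (for example the output of `aws sqs get-queue-attributes --attribute-names Policy`) before and after the subscription is created: a result of `(False, [])` matches the symptom in the question, where nothing grants the topic access and messages are silently dropped.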
Does this only work with OpenShift? Will it work with pure Kubernetes? Are there plans for it to work with Kubernetes?
Landing page would help clarify which doc to look at first for getting started. We should repurpose README.md to serve as an index.
I'm running AWS Service Broker on OpenShift 3.7 and trying, according to these instructions, to hide some sensitive parameters from Service Catalog users (aws_access_key, aws_secret_key, etc.).
I've correctly created the secret within the same namespace where the broker is running (aws-service-broker in my case) and updated the broker-config configmap. After restart, the broker bootstrapped correctly, but when it gets requests from the Service Catalog it didn't hide the parameters from the Service Provisioning Wizard. In the broker logs I can see the following messages:
[2019-03-06T16:24:32.767Z] [INFO] - Request: "GET /aws-service-broker/v2/catalog HTTP/1.1\r\nHost: aws-asb.aws-service-broker.svc:1338\r\nAccept-Encoding: gzip\r\nUser-Agent: Go-http-client/1.1\r\nX-Broker-Api-Version: 2.13\r\n\r\n"
[2019-03-06T16:24:32.768Z] [INFO] - AnsibleBroker::Catalog
[2019-03-06T16:24:32.778Z] [WARNING] - Unable to load secret 'aws-access-secret' from namespace ''
10.129.4.1 - - [06/Mar/2019:16:24:32 +0000] "GET /aws-service-broker/v2/catalog HTTP/1.1" 200 392309
It seems like it didn't find the secret and I don't know why the namespace value in the log is empty.
Here is the secret definition:
---
apiVersion: v1
kind: Secret
metadata:
  name: aws-access-secret
stringData:
  aws_access_key: "XXXXXXXXXXX"
  aws_secret_key: "XXXXXXXXXX"
  aws_cloudformation_role_arn: "XXXXXXXX"
and the broker-config configmap:
registry:
  - type: "dockerhub"
    name: "dh"
    url: "https://registry.hub.docker.com"
    org: "awsservicebroker"
    tag: "latest"
    white_list:
      - ".*-apb$"
dao:
  etcd_host: aws-asb-etcd.aws-service-broker.svc
  etcd_port: 2379
  etcd_ca_file: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
  etcd_client_cert: /var/run/aws-asb-etcd-auth/client.crt
  etcd_client_key: /var/run/aws-asb-etcd-auth/client.key
log:
  logfile: /var/log/ansible-service-broker/asb.log
  stdout: true
  level: info
  color: true
openshift:
  host: ""
  ca_file: ""
  bearer_token_file: ""
  image_pull_policy: "IfNotPresent"
  sandbox_role: "edit"
  keep_namespace: false
  keep_namespace_on_error: true
secrets:
  - {apb_name: dh-s3, secret: aws-access-secret, title: aws-access-secret}
broker:
  dev_broker: true
  bootstrap_on_startup: true
  refresh_interval: "600s"
  launch_apb_on_bind: false
  output_request: true
  recovery: true
  ssl_cert_key: /etc/tls/private/tls.key
  ssl_cert: /etc/tls/private/tls.crt
  auto_escalate: false
  cluster_url: "aws-service-broker"
  auth:
    - type: basic
      enabled: false
The asbd version is 1.1.15.
Do you have an idea how to fix this, please?
The only difference is that I used "albert", which has an admin role.
Are they related? Can I use Service Broker to use a service created under AWS Service Catalog?
If so, how can I do it or do you know an example?
I'm running AWS Service Broker on OpenShift 3.7 and tried, according to these instructions, to hide some sensitive parameters from Service Catalog users (aws_access_key, aws_secret_key, etc.).
I've correctly created the secret within the same namespace where the broker is running (aws-service-broker in my case) and updated the broker-config configmap. After restart, the broker bootstrapped correctly, but when it gets requests from the Service Catalog it didn't hide the parameters from the Service Provisioning Wizard. I can see the following message in the broker logs:
[2019-03-06T16:24:32.778Z] [WARNING] - Unable to load secret 'aws-access-secret' from namespace ''
Please add the following notes to this documentation section:
Make sure to set the namespace parameter to the ASB project's name so the broker can fetch the secrets.
openshift:
  host: ""
  ca_file: ""
  bearer_token_file: ""
  image_pull_policy: "IfNotPresent"
  sandbox_role: "edit"
  keep_namespace: false
  keep_namespace_on_error: true
  namespace: <PUT NAMESPACE OF BROKER HERE>
If the namespace parameter is omitted the broker won't read the secrets.
Could you provide tear down instructions please?
Thanks!
Running on OCP 3.7 on AWS, the command
oc get secret -n kube-service-catalog -o go-template='{{ range .items }}{{ if eq .type "kubernetes.io/service-account-token" }}{{ index .data "service-ca.crt" }}{{end}}{{"\n"}}{{end}}' | tail -n 1
fails.
Had to adjust to
oc get secret -n kube-service-catalog -o go-template='{{ range .items }}{{ if eq .type "kubernetes.io/service-account-token" }}{{ index .data "service-ca.crt" }}{{end}}{{"\n"}}{{end}}' | tail -n 2
to make the script run successfully.
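The template in this report prints the CA only for service-account-token secrets but emits a newline for every item, so whether `tail -n 1` returns the CA or an empty line depends on which secret happens to be listed last; `tail -n 2` papers over one ordering. The script below is an added example (not from the issue or the documentation's script) that reproduces that template output on constructed secret items to show the effect, and then picks the CA in an order-independent way from the same items, the shape `oc get secret -o json` would give. The certificate text is a made-up placeholder.

```python
import base64

PLACEHOLDER_CA = b"-----BEGIN CERTIFICATE-----\nEXAMPLE-NOT-A-REAL-CERT\n-----END CERTIFICATE-----\n"
TOKEN_TYPE = "kubernetes.io/service-account-token"

# Constructed items with only the fields the go-template touches. The token
# secret comes first, a non-token secret last, as in the failing case.
SAMPLE_SECRETS = [
    {"type": TOKEN_TYPE,
     "data": {"service-ca.crt": base64.b64encode(PLACEHOLDER_CA).decode()}},
    {"type": "Opaque",
     "data": {"password": base64.b64encode(b"constructed").decode()}},
]


def render_template(items):
    """Reproduce what the issue's go-template prints for these items:
    the base64 CA for token secrets, then "\n" for every item."""
    out = []
    for item in items:
        if item["type"] == TOKEN_TYPE:
            out.append(item["data"]["service-ca.crt"])
        out.append("\n")
    return "".join(out)


def tail_lines(text, n):
    """The lines `tail -n N` would print for this text."""
    lines = text.split("\n")
    if text.endswith("\n"):
        lines = lines[:-1]  # a trailing newline terminates the last line, it does not start a new one
    return lines[-n:]


def service_ca_from_items(items):
    """Order-independent pick: decode the CA from any token secret that has one,
    and refuse to guess if token secrets disagree about the cluster CA."""
    cas = set()
    for item in items:
        if item.get("type") != TOKEN_TYPE:
            continue
        encoded = item.get("data", {}).get("service-ca.crt")
        if encoded:
            cas.add(base64.b64decode(encoded).decode())
    if not cas:
        raise ValueError("no service-account token secret carries service-ca.crt")
    if len(cas) > 1:
        raise ValueError("service-account token secrets carry different CAs")
    return cas.pop()


if __name__ == "__main__":
    rendered = render_template(SAMPLE_SECRETS)
    print("tail -n 1 ->", tail_lines(rendered, 1))   # empty line: the failing case
    print("tail -n 2 ->", tail_lines(rendered, 2))   # CA followed by the empty line
    print(service_ca_from_items(SAMPLE_SECRETS))
```

In a real cluster the same order-independent selection can be done with `oc get secret -n kube-service-catalog -o json` piped into this script instead of the go-template, which also lets the script fail loudly when no token secret is present rather than writing an empty CA file.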
I think it would make sense to consolidate info into a single document to guide a user through the deployment process. We should consider whether this makes sense / if it will break current links.
Created secret 'aws-secret' in the 'was-service-broker' namespace.
But there is a warning in the logs as below:
[WARNING] - Unable to load secret 'aws-secret' from namespace ''
and the values for aws_access_key and aws_secret_key are not taken from the secret.