aws-servicebroker-documentation's Introduction

aws-servicebroker-documentation's Issues

Can you clarify production deployment?

Hi,
On the service broker getting-started page it says this
Production
• Only way to run with on-premises multi-node OpenShift cluster
I am wondering what "on-premises" means? That it can’t be deployed with OCP cluster on AWS, just on-premise? Can you help to clarify this?

OCP 3.9 uses DaemonSets

OpenShift 3.9 uses Daemon Sets so, instead of:

oc edit deployment controller-manager -n kube-service-catalog

it should be (with 'ds'):

oc edit ds controller-manager -n kube-service-catalog

and then delete the existing pod to refresh it:

oc delete po controller-manager-xyz123 -n kube-service-catalog

Then you should see this:

# oc logs aws-asb-2-xyz123 | grep -i "Filtering secrets from spec"
[2018-04-02T02:17:49.585Z] [DEBUG] Filtering secrets from spec dh-emr-apb
[2018-04-02T02:17:49.585Z] [DEBUG] Filtering secrets from spec dh-dynamodb-apb
[2018-04-02T02:17:49.585Z] [DEBUG] Filtering secrets from spec dh-rds-apb
[2018-04-02T02:17:49.585Z] [DEBUG] Filtering secrets from spec dh-r53-apb
[2018-04-02T02:17:49.585Z] [DEBUG] Filtering secrets from spec dh-sns-apb
[2018-04-02T02:17:49.585Z] [DEBUG] Filtering secrets from spec dh-s3-apb
[2018-04-02T02:17:49.585Z] [DEBUG] Filtering secrets from spec dh-elasticache-apb
[2018-04-02T02:17:49.585Z] [DEBUG] Filtering secrets from spec dh-athena-apb
[2018-04-02T02:17:49.585Z] [DEBUG] Filtering secrets from spec dh-redshift-apb
[2018-04-02T02:17:49.585Z] [DEBUG] Filtering secrets from spec dh-sqs-apb

SQS Permissions not set on subscription creation

When I create an SQS queue and then an SNS topic + subscription to the SQS ARN, the messages are not passed along because the permissions are not updated for the SQS queue. Is there a way with aws servicebroker to set the AccessPolicy on the SQS queue? I was unable to find it.

Support for pure kubernetes?

Does this only work with OpenShift? Will it work with pure Kubernetes? Are there plans for it to work with Kubernetes?

Unable to load secret on ASB

I'm running AWS Service Broker on OpenShift 3.7 and trying, according to these instructions, to hide some sensitive parameters from Service Catalog users (aws_access_key, aws_secret_key, etc).

I've correctly created the secret within the same namespace where the broker is running (aws-service-broker in my case) and updated the broker-config configmap. After restart, the broker bootstrapped correctly but when it gets requests from the Service Catalog it didn't hide the parameters from the Service Provisioning Wizard. In the broker logs I can see the following messages:

[2019-03-06T16:24:32.767Z] [INFO] - Request: "GET /aws-service-broker/v2/catalog HTTP/1.1\r\nHost: aws-asb.aws-service-broker.svc:1338\r\nAccept-Encoding: gzip\r\nUser-Agent: Go-http-client/1.1\r\nX-Broker-Api-Version: 2.13\r\n\r\n"
[2019-03-06T16:24:32.768Z] [INFO] - AnsibleBroker::Catalog
[2019-03-06T16:24:32.778Z] [WARNING] - Unable to load secret 'aws-access-secret' from namespace ''
10.129.4.1 - - [06/Mar/2019:16:24:32 +0000] "GET /aws-service-broker/v2/catalog HTTP/1.1" 200 392309

It seems like it didn't find the secret and I don't know why the namespace value in the log is empty.

Here is the secret definition:

---
apiVersion: v1
kind: Secret
metadata:
  name: aws-access-secret
stringData:
  aws_access_key: "XXXXXXXXXXX"
  aws_secret_key: "XXXXXXXXXX"
  aws_cloudformation_role_arn: "XXXXXXXX"

and the broker-config configmap:

registry:
  - type: "dockerhub"
    name: "dh"
    url: "https://registry.hub.docker.com"
    org: "awsservicebroker"
    tag: "latest"
    white_list:
      - ".*-apb$"
dao:
  etcd_host: aws-asb-etcd.aws-service-broker.svc
  etcd_port: 2379
  etcd_ca_file: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
  etcd_client_cert: /var/run/aws-asb-etcd-auth/client.crt
  etcd_client_key: /var/run/aws-asb-etcd-auth/client.key
log:
  logfile: /var/log/ansible-service-broker/asb.log
  stdout: true
  level: info
  color: true
openshift:
  host: ""
  ca_file: ""
  bearer_token_file: ""
  image_pull_policy: "IfNotPresent"
  sandbox_role: "edit"
  keep_namespace: false
  keep_namespace_on_error: true
secrets:
  - {apb_name: dh-s3, secret: aws-access-secret, title: aws-access-secret}
broker:
  dev_broker: true
  bootstrap_on_startup: true
  refresh_interval: "600s"
  launch_apb_on_bind: false
  output_request: true
  recovery: true
  ssl_cert_key: /etc/tls/private/tls.key
  ssl_cert: /etc/tls/private/tls.crt
  auto_escalate: false
  cluster_url: "aws-service-broker"
  auth:
    - type: basic
      enabled: false

The asbd version is: 1.1.15

Do you have an idea how to fix this, please?

Unable to load secret on ASB

Problem

I'm running AWS Service Broker on OpenShift 3.7 and tried, according to these instructions, to hide some sensitive parameters from Service Catalog users (aws_access_key, aws_secret_key, etc).

I've correctly created the secret within the same namespace where the broker is running (aws-service-broker in my case) and updated the broker-config configmap. After restart, the broker bootstrapped correctly but when it gets requests from the Service Catalog it didn't hide the parameters from the Service Provisioning Wizard. I can see the following message in the broker logs:

[2019-03-06T16:24:32.778Z] [WARNING] - Unable to load secret 'aws-access-secret' from namespace ''

Solution

Please add the following notes to this documentation section:

Make sure to set the namespace parameter to the ASB project's name so the broker can fetch the secrets.

openshift:
  host: ""
  ca_file: ""
  bearer_token_file: ""
  image_pull_policy: "IfNotPresent"
  sandbox_role: "edit"
  keep_namespace: false
  keep_namespace_on_error: true
  namespace: <PUT NAMESPACE OF BROKER HERE>

If the namespace parameter is omitted the broker won't read the secrets.
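
A pre-deployment check for the condition reported above, as an added example that is not part of the original issue or the broker's own tooling: it flags a broker-config that defines secret rules while openshift.namespace is unset, and counts the matching warning in broker logs. The function names are hypothetical, and the parser assumes the flat two-level layout shown in the config above.

```shell
#!/bin/sh
# Added example (not project code): flag a broker-config that defines secret
# rules but leaves openshift.namespace unset, the state reported above.

# check_broker_config: reads the config YAML on stdin.
# Exit 0 = no secret rules, or namespace set; exit 1 = rules without namespace.
check_broker_config() {
  awk '
    # A key in column 0 starts a new top-level section.
    /^[A-Za-z_]+:/ { section = $1; sub(/:.*/, "", section); next }
    # Each list item under "secrets:" is one secret rule.
    section == "secrets" && /^[ \t]*-[ \t]/ { rules++ }
    # Record a non-empty, non-placeholder openshift.namespace value.
    section == "openshift" && /^[ \t]+namespace:/ {
      v = $0
      sub(/^[ \t]+namespace:[ \t]*/, "", v)
      sub(/[ \t]*#.*$/, "", v)            # drop a trailing comment
      sub(/[ \t]+$/, "", v)               # drop trailing whitespace
      gsub(sprintf("%c", 34), "", v)      # drop double quotes
      gsub(sprintf("%c", 39), "", v)      # drop single quotes
      if (v != "" && v !~ /^</) ns = v    # "<...>" is a template placeholder
    }
    END {
      if (rules > 0 && ns == "") {
        printf "FAIL: %d secret rule(s), openshift.namespace unset\n", rules
        exit 1
      }
      printf "OK: %d secret rule(s), namespace=%s\n", rules + 0, ns
    }'
}

# count_secret_load_failures: counts broker log lines (stdin) in which the
# secret lookup ran with an empty namespace.
count_secret_load_failures() {
  grep -c "Unable to load secret '.*' from namespace ''" || true
}

# Constructed sample: the reported config, trimmed, with no namespace key.
check_broker_config <<'EOF' || echo "Set 'namespace:' under 'openshift:' to the broker's project."
openshift:
  host: ""
  keep_namespace_on_error: true
secrets:
  - {apb_name: dh-s3, secret: aws-access-secret, title: aws-access-secret}
EOF
```

Against a live cluster, the configmap contents and `oc logs` output can be piped into the two functions in the same way.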

tail -n 1 fails

Running on OCP 3.7 on AWS, the command
oc get secret -n kube-service-catalog -o go-template='{{ range .items }}{{ if eq .type "kubernetes.io/service-account-token" }}{{ index .data "service-ca.crt" }}{{end}}{{"\n"}}{{end}}' | tail -n 1
fails

Had to adjust to
oc get secret -n kube-service-catalog -o go-template='{{ range .items }}{{ if eq .type "kubernetes.io/service-account-token" }}{{ index .data "service-ca.crt" }}{{end}}{{"\n"}}{{end}}' | tail -n 2

to make the script run successfully.
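
The go-template in the command above prints a newline for every secret, including those that are not service-account tokens, so the position of the blank lines depends on the order in which secrets are listed. An added example, not part of the original report, that selects the last non-blank line instead of a fixed `tail` count and checks that it decodes to a PEM certificate; `last_ca_value` is a hypothetical helper and `base64 -d` assumes GNU coreutils or BusyBox.

```shell
#!/bin/sh
# Added example (not from the original report): pick the service-ca.crt value
# without depending on where blank lines fall in the go-template output.

# last_ca_value: reads the template output on stdin and prints the last
# non-blank line. Fails if there is none, or if the line does not
# base64-decode to a PEM certificate.
last_ca_value() {
  value=$(awk 'NF { last = $0 } END { if (last == "") exit 1; print last }') \
    || return 1
  printf '%s' "$value" | base64 -d 2>/dev/null \
    | grep -q -e '-----BEGIN CERTIFICATE-----' || return 1
  printf '%s\n' "$value"
}

# Constructed sample: three secrets, only the second is a service-account
# token, so the template output ends with a blank line.
sample_b64=$(printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED' \
  '-----END CERTIFICATE-----' | base64 | tr -d '\n')

# A fixed "tail -n 1" would return only the trailing blank line here;
# the helper returns the encoded certificate.
printf '\n%s\n\n' "$sample_b64" | last_ca_value
```

In the original pipeline the helper replaces the trailing `| tail -n 1`, and a non-zero exit status signals that no usable CA value was found.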
