Chapter 6. OpenShift Ansible Broker Configuration
6.1. Overview
When the OpenShift Ansible broker (OAB) is deployed in a cluster, its behavior is largely dictated by the broker’s configuration file loaded on startup. The broker’s configuration is stored as a ConfigMap object in the broker’s namespace (openshift-ansible-service-broker by default).
Example OpenShift Ansible Broker Configuration File
registry: 1 - type: dockerhub name: docker url: https://registry.hub.docker.com org: <dockerhub_org> fail_on_error: false - type: rhcc name: rhcc url: https://registry.access.redhat.com fail_on_error: true white_list: - "^foo.*-apb$" - ".*-apb$" black_list: - "bar.*-apb$" - "^my-apb$" - type: local_openshift name: lo namespaces: - openshift white_list: - ".*-apb$" dao: 2 etcd_host: localhost etcd_port: 2379 log: 3 logfile: /var/log/ansible-service-broker/asb.log stdout: true level: debug color: true openshift: 4 host: "" ca_file: "" bearer_token_file: "" image_pull_policy: IfNotPresent sandbox_role: "edit" keep_namespace: false keep_namespace_on_error: true broker: 5 bootstrap_on_startup: true dev_broker: true launch_apb_on_bind: false recovery: true output_request: true ssl_cert_key: /path/to/key ssl_cert: /path/to/cert refresh_interval: "600s" auth: - type: basic enabled: true secrets: 6 - title: Database credentials secret: db_creds apb_name: dh-rhscl-postgresql-apb
- 1
- See Registry Configuration for details.
- 2
- See DAO Configuration for details.
- 3
- See Log Configuration for details.
- 4
- See OpenShift Configuration for details.
- 5
- See Broker Configuration for details.
- 6
- See Secrets Configuration for details.
6.2. Modifying the OpenShift Ansible Broker Configuration
To modify the OAB’s default broker configuration after it has been deployed:
Edit the the broker-config ConfigMap object in the OAB’s namespace as a user with cluster-admin privileges:
$ oc edit configmap broker-config -n openshift-ansible-service-broker
After saving any updates, redeploy the OAB’s deployment configuration for the changes to take effect:
$ oc rollout latest dc/asb -n openshift-ansible-service-broker
6.3. Registry Configuration
The registry section allows you to define the registries that the broker should look at for APBs.
| Field | Description | Required |
|---|---|---|
|
| The name of the registry. Used by the broker to identify APBs from this registry. | Y |
|
|
How the broker should read the registry credentials. Can be | N [a] |
|
|
Name of the secret or file storing the registry credentials that should be read. Used when | N [a] |
|
|
The user name for authenticating to the registry when using | N |
|
|
The password for authenticating to the registry when using | N |
|
| The namespace or organization that the image is contained in. | N |
|
|
The type of registry. Available adapters are | Y |
|
|
The list of namespaces to configure the | N |
|
|
The URL that is used to retrieve image information. Used extensively for RHCC while the | N |
|
| Should this registry fail, the bootstrap request if it fails. Will stop the execution of other registries loading. | N |
|
|
The list of regular expressions used to define which image names should be allowed through. Must have a white list to allow APBs to be added to the catalog. The most permissive regular expression that you can use is | N |
|
| The list of regular expressions used to define which images names should never be allowed through. See APB Filtering for more details. | N |
|
| The list of images to be used with an OpenShift Container Registry. | N |
[a]
auth_type is currently required for the openshift registry type, due to a bug that will be addressed in an upcoming release (BZ#1526949). auth_name is only required in this case if auth_type is set to secret or file. See ISV Registry.
| ||
6.3.1. Production or Development
A production broker configuration is designed to be pointed at a trusted container distribution registry, such as the Red Hat Container Catalog (RHCC):
registry:
- name: rhcc
type: rhcc
url: https://registry.access.redhat.com
tag: v3.7
white_list:
- ".*-apb$"
- type: local_openshift
name: localregistry
namespaces:
- openshift
white_list: []
However, a development broker configuration is primarily used by developers working on the broker. To enable developer settings, set the registry name to dev and the dev_broker field in the broker section to true:
registry: name: dev
broker: dev_broker: true
6.3.2. Storing Registry Credentials
The auth_type field in the registry section of the broker configuration determines how the broker should read the registry credentials, either the config, secret, or file type.
With the config type, the registry credentials are read from the broker configuration’s user and pass values in the registry section, for example:
registry:
- name: isv
type: openshift
url: https://registry.connect.redhat.com
auth_type: config
user: <user>
pass: <password>
...
If you want to ensure these credentials are not publicly accessible, you can use the secret type to configure a registry to use a secret from the broker’s namespace. Alternatively, you can use the file to configure a registry to use a secret mounted as a volume.
To use the secret or file type:
The associated secret should have the values
usernameandpassworddefined. When using a secret, you must ensure that theopenshift-ansible-service-brokernamespace exists, as this is where the secret will be read from.For example, create a reg-creds.yaml file:
$ cat reg-creds.yaml --- username: <username> password: <password>
Create a secret from this file in the
openshift-ansible-service-brokernamespace:$ oc create secret generic \ registry-credentials-secret \ --from-file reg-creds.yaml \ -n openshift-ansible-service-brokerChoose whether you want to use the
secretorfiletype:To use the
secrettype, in the broker configuration, setauth_typetosecretandauth_nameto the name of the secret:registry: - name: isv type: openshift url: https://registry.connect.redhat.com auth_type: secret auth_name: registry-credentials-secretTo use the
filetype:Edit the
asbdeployment configuration to mount your file into /tmp/registry-credentials/reg-creds.yaml:$ oc edit dc/asb -n openshift-ansible-service-broker
In the
containers.volumeMountssection, add:volumeMounts: - name: reg-auth mountPath: /tmp/registry-credentialsIn the
volumessection, add:volumes: - name: reg-auth secret: defaultMode: 420 secretName: registry-credentials-secretIn the broker configuration, set
auth_typetofileandauth_typeto the location of the file:registry: - name: isv type: openshift url: https://registry.connect.redhat.com auth_type: file auth_name: /tmp/registry-credentials/reg-creds.yaml
6.3.3. Mock Registry
A mock registry is useful for reading local APB specs. Instead of going out to a registry to search for image specs, this uses a list of local specs. Set the name of the registry to mock to use the mock registry.
registry:
- name: mock
type: mock6.3.4. Dockerhub Registry
The dockerhub type allows you to load APBs from a specific organization in the DockerHub. For example, the ansibleplaybookbundle organization.
registry:
- name: dockerhub
type: dockerhub
org: ansibleplaybookbundle
user: <user>
pass: <password>
white_list:
- ".*-apb$"6.3.5. APB Filtering
APBs can be filtered out by their image name using a combination of the white_list or black_list parameters, set on a registry basis inside the broker’s configuration.
Both are optional lists of regular expressions that will be run over the total set of discovered APBs for a given registry to determine matches.
| Present | Allowed | Blocked |
|---|---|---|
| Only whitelist | Matches a regex in list. | Any APB that does not match. |
| Only blacklist | All APBs that do not match. | APBs that match a regex in list. |
| Both present | Matches regex in whitelist but not in blacklist. | APBs that match a regex in blacklist. |
| None | No APBs from the registry. | All APBs from that registry. |
For example:
Whitelist Only
white_list: - "foo.*-apb$" - "^my-apb$"
Anything matching on foo.*-apb$ and only my-apb will be allowed through in this case. All other APBs will be rejected.
Blacklist Only
black_list: - "bar.*-apb$" - "^foobar-apb$"
Anything matching on bar.*-apb$ and only foobar-apb will be blocked in this case. All other APBs will be allowed through.
Whitelist and Blacklist
white_list: - "foo.*-apb$" - "^my-apb$" black_list: - "^foo-rootkit-apb$"
Here, foo-rootkit-apb is specifically blocked by the blacklist despite its match in the whitelist because the whitelist match is overridden.
Otherwise, only those matching on foo.*-apb$ and my-apb will be allowed through.
Example Broker Configuration registry Section:
registry:
- type: dockerhub
name: dockerhub
url: https://registry.hub.docker.com
user: <user>
pass: <password>
org: <org>
white_list:
- "foo.*-apb$"
- "^my-apb$"
black_list:
- "bar.*-apb$"
- "^foobar-apb$"
6.3.6. Local OpenShift Container Registry
Using the local_openshift type will allow you to load APBs from the OpenShift Container Registry that is internal to the OpenShift Container Platform cluster. You can configure the namespaces in which you want to look for published APBs.
registry:
- type: local_openshift
name: lo
namespaces:
- openshift
white_list:
- ".*-apb$"6.3.7. Red Hat Container Catalog Registry
Using the rhcc type will allow you to load APBs that are published to the Red Hat Container Catalog (RHCC) registry.
registry:
- name: rhcc
type: rhcc
url: https://registry.access.redhat.com
white_list:
- ".*-apb$"6.3.8. ISV Registry
Using the openshift type allows you to load APBs that are published to the ISV container registry at registry.connect.redhat.com.
registry:
- name: isv
type: openshift
auth_type: config 1
user: <user>
pass: <password>
url: https://registry.connect.redhat.com
images: 2
- <image_1>
- <image_2>
white_list:
- ".*-apb$"- 1
- Using the
openshiftregistry type currently requires thatauth_typebe declared in the configuration (toconfig,secret, orfile) due to a bug that will be addressed in a future release (BZ#1526949). See Storing Registry Credentials for options. - 2
- Because the
openshifttype currently cannot search the configured registry, it is required that you configure the broker with a list of images you would like to source from for when the broker bootstraps. The image names must be the fully qualified name without the registry URL.
6.3.9. Multiple Registries
You can use more than one registry to separate APBs into logical organizations and be able to manage them from the same broker. The registries must have a unique, non-empty name. If there is no unique name, the service broker will fail to start with an error message alerting you to the problem.
registry:
- name: dockerhub
type: dockerhub
org: ansibleplaybookbundle
user: <user>
pass: <password>
white_list:
- ".*-apb$"
- name: rhcc
type: rhcc
url: <rhcc_url>
white_list:
- ".*-apb$"6.4. DAO Configuration
| Field | Description | Required |
|---|---|---|
|
| The URL of the etcd host. | Y |
|
|
The port to use when communicating with | Y |
6.5. Log Configuration
| Field | Description | Required |
|---|---|---|
|
| Where to write the broker’s logs. | Y |
|
| Write logs to stdout. | Y |
|
| Level of the log output. | Y |
|
| Color the logs. | Y |
6.6. OpenShift Configuration
| Field | Description | Required |
|---|---|---|
|
| OpenShift Container Platform host. | N |
|
| Location of the certificate authority file. | N |
|
| Location of bearer token to be used. | N |
|
| When to pull the image. | Y |
|
| Role to give to an APB sandbox environment. | Y |
|
| Always keep namespace after an APB execution. | N |
|
| Keep namespace after an APB execution has an error. | N |
6.7. Broker Configuration
The broker section tells the broker what functionality should be enabled and disabled. It will also tell the broker where to find files on disk that will enable the full functionality.
With the absence of async bind, setting launch_apb_on_bind to true can cause the bind action to timeout and will span a retry. The broker will handle this with "409 Conflicts" because it is the same bind request with different parameters.
| Field | Description | Default Value | Required |
|---|---|---|---|
|
| Allow development routes to be accessible. |
| N |
|
| Allow bind to be a no-op. |
| N |
|
| Allow the broker attempt to bootstrap itself on start up. Will retrieve the APBs from configured registries. |
| N |
|
| Allow the broker to attempt to recover itself by dealing with pending jobs noted in etcd. |
| N |
|
| Allow the broker to output the requests to the log file as they come in for easier debugging. |
| N |
|
| Tells the broker where to find the TLS key file. If not set, the API server will attempt to create one. |
| N |
|
| Tells the broker where to find the TLS .crt file. If not set, the API server will attempt to create one. |
| N |
|
| The interval to query registries for new image specs. |
| N |
|
| Allows the broker to escalate the permissions of a user while running the APB. |
| N |
|
| Sets the prefix for the URL that the broker is expecting. |
| N |
6.8. Secrets Configuration
The secrets section creates associations between secrets in the broker’s namespace and APBs the broker runs. The broker uses these rules to mount secrets into running APBs, allowing the user to use secrets to pass parameters without exposing them to the catalog or users.
The section is a list where each entry has the following structure:
| Field | Description | Required |
|---|---|---|
|
| The title of the rule. This is just for display and output purposes. | Y |
|
|
The name of the APB to associate with the specified secret. This is the fully qualified name ( | Y |
|
| The name of the secret to pull parameters from. | Y |
You can download and use the create_broker_secret.py file to create and format this configuration section.
secrets: - title: Database credentials secret: db_creds apb_name: dh-rhscl-postgresql-apb
