Red Hat Summit Red Hat Summit지원콘솔개발자평가판 시작연락처

이 콘텐츠는 선택한 언어로 제공되지 않습니다.

Chapter 6. OpenShift Ansible Broker Configuration

6.1. Overview
링크 복사

When the OpenShift Ansible broker (OAB) is deployed in a cluster, its behavior is largely dictated by the broker’s configuration file loaded on startup. The broker’s configuration is stored as a ConfigMap object in the broker’s namespace (openshift-ansible-service-broker by default).

Example OpenShift Ansible Broker Configuration File

registry:
1 

  - type: dockerhub
    name: docker
    url: https://registry.hub.docker.com
    org: <dockerhub_org>
    fail_on_error: false
  - type: rhcc
    name: rhcc
    url: https://registry.access.redhat.com
    fail_on_error: true
    white_list:
      - "^foo.*-apb$"
      - ".*-apb$"
    black_list:
      - "bar.*-apb$"
      - "^my-apb$"
  - type: local_openshift
    name: lo
    namespaces:
      - openshift
    white_list:
      - ".*-apb$"
dao:
2 

  etcd_host: localhost
  etcd_port: 2379
log:
3 

  logfile: /var/log/ansible-service-broker/asb.log
  stdout: true
  level: debug
  color: true
openshift:
4 

  host: ""
  ca_file: ""
  bearer_token_file: ""
  image_pull_policy: IfNotPresent
  sandbox_role: "edit"
  keep_namespace: false
  keep_namespace_on_error: true
broker:
5 

  bootstrap_on_startup: true
  dev_broker: true
  launch_apb_on_bind: false
  recovery: true
  output_request: true
  ssl_cert_key: /path/to/key
  ssl_cert: /path/to/cert
  refresh_interval: "600s"
  auth:
    - type: basic
      enabled: true
secrets:
6 

  - title: Database credentials
    secret: db_creds
    apb_name: dh-rhscl-postgresql-apb
Copy to Clipboard Toggle word wrap

1
See Registry Configuration for details.
2
See DAO Configuration for details.
3
See Log Configuration for details.
4
See OpenShift Configuration for details.
5
See Broker Configuration for details.
6
See Secrets Configuration for details.

6.2. Modifying the OpenShift Ansible Broker Configuration
링크 복사

To modify the OAB’s default broker configuration after it has been deployed:

  1. Edit the the broker-config ConfigMap object in the OAB’s namespace as a user with cluster-admin privileges: 

    $ oc edit configmap broker-config -n openshift-ansible-service-broker
    Copy to Clipboard Toggle word wrap

  2. After saving any updates, redeploy the OAB’s deployment configuration for the changes to take effect: 

    $ oc rollout latest dc/asb -n openshift-ansible-service-broker
    Copy to Clipboard Toggle word wrap

6.3. Registry Configuration
링크 복사

The registry section allows you to define the registries that the broker should look at for APBs.

Expand
Table 6.1. registry Section Configuration Options
FieldDescriptionRequired

name

The name of the registry. Used by the broker to identify APBs from this registry.

Y

auth_type

How the broker should read the registry credentials. Can be config (uses user and pass as defined in the registry section), secret (uses a secret in the broker namespace), or file (uses a mounted file).

N [a]

auth_name

Name of the secret or file storing the registry credentials that should be read. Used when auth_type is set to secret.

N [a]

user

The user name for authenticating to the registry when using auth_type: config.

N

pass

The password for authenticating to the registry when using auth_type: config.

N

org

The namespace or organization that the image is contained in.

N

type

The type of registry. Available adapters are mock, rhcc, openshift, dockerhub, and local_openshift.

Y

namespaces

The list of namespaces to configure the local_openshift registry type with. By default, a user should use openshift.

N

url

The URL that is used to retrieve image information. Used extensively for RHCC while the dockerhub type uses hard-coded URLs.

N

fail_on_error

Should this registry fail, the bootstrap request if it fails. Will stop the execution of other registries loading.

N

white_list

The list of regular expressions used to define which image names should be allowed through. Must have a white list to allow APBs to be added to the catalog. The most permissive regular expression that you can use is .*-apb$ if you would want to retrieve all APBs in a registry. See APB Filtering for more details.

N

black_list

The list of regular expressions used to define which images names should never be allowed through. See APB Filtering for more details.

N

images

The list of images to be used with an OpenShift Container Registry.

N

[a] auth_type is currently required for the openshift registry type, due to a bug that will be addressed in an upcoming release (BZ#1526949). auth_name is only required in this case if auth_type is set to secret or file. See ISV Registry.

6.3.1. Production or Development
링크 복사

A production broker configuration is designed to be pointed at a trusted container distribution registry, such as the Red Hat Container Catalog (RHCC): 

registry:
  - name: rhcc
    type: rhcc
    url: https://registry.access.redhat.com
    tag: v3.7
    white_list:
      - ".*-apb$"
  - type: local_openshift
    name: localregistry
    namespaces:
      - openshift
    white_list: []
Copy to Clipboard Toggle word wrap

However, a development broker configuration is primarily used by developers working on the broker. To enable developer settings, set the registry name to dev and the dev_broker field in the broker section to true: 

registry:
  name: dev
Copy to Clipboard Toggle word wrap 
broker:
  dev_broker: true
Copy to Clipboard Toggle word wrap

6.3.2. Storing Registry Credentials
링크 복사

The auth_type field in the registry section of the broker configuration determines how the broker should read the registry credentials, either the config, secret, or file type.

With the config type, the registry credentials are read from the broker configuration’s user and pass values in the registry section, for example: 

registry:
  - name: isv
    type: openshift
    url: https://registry.connect.redhat.com
    auth_type: config
    user: <user>
    pass: <password>
...
Copy to Clipboard Toggle word wrap

If you want to ensure these credentials are not publicly accessible, you can use the secret type to configure a registry to use a secret from the broker’s namespace. Alternatively, you can use the file to configure a registry to use a secret mounted as a volume.

To use the secret or file type:

  1. The associated secret should have the values username and password defined. When using a secret, you must ensure that the openshift-ansible-service-broker namespace exists, as this is where the secret will be read from.

    For example, create a reg-creds.yaml file: 

    $ cat reg-creds.yaml
---
username: <username>
password: <password>
    Copy to Clipboard Toggle word wrap

  2. Create a secret from this file in the openshift-ansible-service-broker namespace: 

    $ oc create secret generic \
    registry-credentials-secret \
    --from-file reg-creds.yaml \
    -n openshift-ansible-service-broker
    Copy to Clipboard Toggle word wrap

  3. Choose whether you want to use the secret or file type:

    • To use the secret type, in the broker configuration, set auth_type to secret and auth_name to the name of the secret: 

      registry:
  - name: isv
    type: openshift
    url: https://registry.connect.redhat.com
    auth_type: secret
    auth_name: registry-credentials-secret
      Copy to Clipboard Toggle word wrap

    • To use the file type:

      1. Edit the asb deployment configuration to mount your file into /tmp/registry-credentials/reg-creds.yaml: 

        $ oc edit dc/asb -n openshift-ansible-service-broker
        Copy to Clipboard Toggle word wrap

        In the containers.volumeMounts section, add: 

              volumeMounts:
        - name: reg-auth
        mountPath: /tmp/registry-credentials
        Copy to Clipboard Toggle word wrap

        In the volumes section, add: 

            volumes:
      - name: reg-auth
        secret:
          defaultMode: 420
          secretName: registry-credentials-secret
        Copy to Clipboard Toggle word wrap

      2. In the broker configuration, set auth_type to file and auth_type to the location of the file: 

        registry:
  - name: isv
    type: openshift
    url: https://registry.connect.redhat.com
    auth_type: file
    auth_name: /tmp/registry-credentials/reg-creds.yaml
        Copy to Clipboard Toggle word wrap

6.3.3. Mock Registry
링크 복사

A mock registry is useful for reading local APB specs. Instead of going out to a registry to search for image specs, this uses a list of local specs. Set the name of the registry to mock to use the mock registry. 

registry:
  - name: mock
    type: mock
Copy to Clipboard Toggle word wrap

6.3.4. Dockerhub Registry
링크 복사

The dockerhub type allows you to load APBs from a specific organization in the DockerHub. For example, the ansibleplaybookbundle organization. 

registry:
  - name: dockerhub
    type: dockerhub
    org: ansibleplaybookbundle
    user: <user>
    pass: <password>
    white_list:
      - ".*-apb$"
Copy to Clipboard Toggle word wrap

6.3.5. APB Filtering
링크 복사

APBs can be filtered out by their image name using a combination of the white_list or black_list parameters, set on a registry basis inside the broker’s configuration.

Both are optional lists of regular expressions that will be run over the total set of discovered APBs for a given registry to determine matches.

Expand
Table 6.2. APB Filter Behavior
PresentAllowedBlocked

Only whitelist

Matches a regex in list.

Any APB that does not match.

Only blacklist

All APBs that do not match.

APBs that match a regex in list.

Both present

Matches regex in whitelist but not in blacklist.

APBs that match a regex in blacklist.

None

No APBs from the registry.

All APBs from that registry.

For example:

Whitelist Only

white_list:
  - "foo.*-apb$"
  - "^my-apb$"
Copy to Clipboard Toggle word wrap

Anything matching on foo.*-apb$ and only my-apb will be allowed through in this case. All other APBs will be rejected.

Blacklist Only

black_list:
  - "bar.*-apb$"
  - "^foobar-apb$"
Copy to Clipboard Toggle word wrap

Anything matching on bar.*-apb$ and only foobar-apb will be blocked in this case. All other APBs will be allowed through.

Whitelist and Blacklist

white_list:
  - "foo.*-apb$"
  - "^my-apb$"
black_list:
  - "^foo-rootkit-apb$"
Copy to Clipboard Toggle word wrap

Here, foo-rootkit-apb is specifically blocked by the blacklist despite its match in the whitelist because the whitelist match is overridden.

Otherwise, only those matching on foo.*-apb$ and my-apb will be allowed through.

Example Broker Configuration registry Section:

registry:
  - type: dockerhub
    name: dockerhub
    url: https://registry.hub.docker.com
    user: <user>
    pass: <password>
    org: <org>
    white_list:
      - "foo.*-apb$"
      - "^my-apb$"
    black_list:
      - "bar.*-apb$"
      - "^foobar-apb$"
Copy to Clipboard Toggle word wrap

6.3.6. Local OpenShift Container Registry
링크 복사

Using the local_openshift type will allow you to load APBs from the OpenShift Container Registry that is internal to the OpenShift Container Platform cluster. You can configure the namespaces in which you want to look for published APBs. 

registry:
  - type: local_openshift
    name: lo
    namespaces:
      - openshift
    white_list:
      - ".*-apb$"
Copy to Clipboard Toggle word wrap

6.3.7. Red Hat Container Catalog Registry
링크 복사

Using the rhcc type will allow you to load APBs that are published to the Red Hat Container Catalog (RHCC) registry. 

registry:
  - name: rhcc
    type: rhcc
    url: https://registry.access.redhat.com
    white_list:
      - ".*-apb$"
Copy to Clipboard Toggle word wrap

6.3.8. ISV Registry
링크 복사

Using the openshift type allows you to load APBs that are published to the ISV container registry at registry.connect.redhat.com. 

registry:
  - name: isv
    type: openshift
    auth_type: config
1 

    user: <user>
    pass: <password>
    url: https://registry.connect.redhat.com
    images:
2 

      - <image_1>
      - <image_2>
    white_list:
      - ".*-apb$"
Copy to Clipboard Toggle word wrap
1
Using the openshift registry type currently requires that auth_type be declared in the configuration (to config, secret, or file) due to a bug that will be addressed in a future release (BZ#1526949). See Storing Registry Credentials for options.
2
Because the openshift type currently cannot search the configured registry, it is required that you configure the broker with a list of images you would like to source from for when the broker bootstraps. The image names must be the fully qualified name without the registry URL.

6.3.9. Multiple Registries
링크 복사

You can use more than one registry to separate APBs into logical organizations and be able to manage them from the same broker. The registries must have a unique, non-empty name. If there is no unique name, the service broker will fail to start with an error message alerting you to the problem. 

registry:
  - name: dockerhub
    type: dockerhub
    org: ansibleplaybookbundle
    user: <user>
    pass: <password>
    white_list:
      - ".*-apb$"
  - name: rhcc
    type: rhcc
    url: <rhcc_url>
    white_list:
      - ".*-apb$"
Copy to Clipboard Toggle word wrap

6.4. DAO Configuration
링크 복사

Expand
FieldDescriptionRequired

etcd_host

The URL of the etcd host.

Y

etcd_port

The port to use when communicating with etcd_host.

Y

6.5. Log Configuration
링크 복사

Expand
FieldDescriptionRequired

logfile

Where to write the broker’s logs.

Y

stdout

Write logs to stdout.

Y

level

Level of the log output.

Y

color

Color the logs.

Y

6.6. OpenShift Configuration
링크 복사

Expand
FieldDescriptionRequired

host

OpenShift Container Platform host.

N

ca_file

Location of the certificate authority file.

N

bearer_token_file

Location of bearer token to be used.

N

image_pull_policy

When to pull the image.

Y

sandbox_role

Role to give to an APB sandbox environment.

Y

keep_namespace

Always keep namespace after an APB execution.

N

keep_namespace_on_error

Keep namespace after an APB execution has an error.

N

6.7. Broker Configuration
링크 복사

The broker section tells the broker what functionality should be enabled and disabled. It will also tell the broker where to find files on disk that will enable the full functionality.

Note

With the absence of async bind, setting launch_apb_on_bind to true can cause the bind action to timeout and will span a retry. The broker will handle this with "409 Conflicts" because it is the same bind request with different parameters.

Expand
FieldDescriptionDefault ValueRequired

dev_broker

Allow development routes to be accessible.

false

N

launch_apb_on_bind

Allow bind to be a no-op.

false

N

bootstrap_on_startup

Allow the broker attempt to bootstrap itself on start up. Will retrieve the APBs from configured registries.

false

N

recovery

Allow the broker to attempt to recover itself by dealing with pending jobs noted in etcd.

false

N

output_request

Allow the broker to output the requests to the log file as they come in for easier debugging.

false

N

ssl_cert_key

Tells the broker where to find the TLS key file. If not set, the API server will attempt to create one.

""

N

ssl_cert

Tells the broker where to find the TLS .crt file. If not set, the API server will attempt to create one.

""

N

refresh_interval

The interval to query registries for new image specs.

"600s"

N

auto_escalate

Allows the broker to escalate the permissions of a user while running the APB.

false

N

cluster_url

Sets the prefix for the URL that the broker is expecting.

ansible-service-broker

N

6.8. Secrets Configuration
링크 복사

The secrets section creates associations between secrets in the broker’s namespace and APBs the broker runs. The broker uses these rules to mount secrets into running APBs, allowing the user to use secrets to pass parameters without exposing them to the catalog or users.

The section is a list where each entry has the following structure:

Expand
FieldDescriptionRequired

title

The title of the rule. This is just for display and output purposes.

Y

apb_name

The name of the APB to associate with the specified secret. This is the fully qualified name (<registry_name>-<image_name>).

Y

secret

The name of the secret to pull parameters from.

Y

You can download and use the create_broker_secret.py file to create and format this configuration section. 

secrets:
- title: Database credentials
  secret: db_creds
  apb_name: dh-rhscl-postgresql-apb
Copy to Clipboard Toggle word wrap
맨 위로 이동
Red Hat logoGithubredditYoutubeTwitter

자세한 정보

평가판, 구매 및 판매

커뮤니티

Red Hat 문서 정보

Red Hat을 사용하는 고객은 신뢰할 수 있는 콘텐츠가 포함된 제품과 서비스를 통해 혁신하고 목표를 달성할 수 있습니다. 최신 업데이트를 확인하세요.

보다 포괄적 수용을 위한 오픈 소스 용어 교체

Red Hat은 코드, 문서, 웹 속성에서 문제가 있는 언어를 교체하기 위해 최선을 다하고 있습니다. 자세한 내용은 다음을 참조하세요.Red Hat 블로그.

Red Hat 소개

Red Hat은 기업이 핵심 데이터 센터에서 네트워크 에지에 이르기까지 플랫폼과 환경 전반에서 더 쉽게 작업할 수 있도록 강화된 솔루션을 제공합니다.

Theme

© 2025 Red Hat