From mhrivnak at redhat.com Wed Jan 3 22:10:06 2018
From: mhrivnak at redhat.com (Michael Hrivnak)
Date: Wed, 3 Jan 2018 17:10:06 -0500
Subject: [Ansible-service-broker] deleting a binding's secret

Looking at this BZ, and continuing a discussion from IRC:
https://bugzilla.redhat.com/show_bug.cgi?id=1511760

It seems there is a gap in the lifecycle of the secret that gets created by
a binding. When the ServiceBinding gets deleted (such as via the binding's
"Delete" link in the UI), its secret gets deleted too. But if that secret
had been added to a DeploymentConfig, that DC retains a reference to the
secret. Any re-deployment will fail.

What is the missing step? Something should presumably clean up any
references to the secret, which in this case would mean updating the
DeploymentConfig. What should implement that business logic?

--
Michael Hrivnak
Principal Software Engineer, RHCE
Red Hat


From rhallise at redhat.com Thu Jan 4 16:07:30 2018
From: rhallise at redhat.com (Ryan Hallisey)
Date: Thu, 4 Jan 2018 11:07:30 -0500
Subject: [Ansible-service-broker] deleting a binding's secret

Michael,

I agree there is a gap here. In the past with pod presets, the
catalog managed the relationship between the app and the bind. Until the
catalog has another solution, maybe we can deal with this with an unbind
apb playbook. The playbook will get called from the broker unbind action,
an apb will run for each app in the bind, and the reference to the
secret will be removed by the playbook.

What are folks' thoughts on that?

Thanks,
- Ryan

On Wed, Jan 3, 2018 at 5:10 PM, Michael Hrivnak wrote:
> Looking at this BZ, and continuing a discussion from IRC:
> https://bugzilla.redhat.com/show_bug.cgi?id=1511760
>
> It seems there is a gap in the lifecycle of the secret that gets created by
> a binding. When the ServiceBinding gets deleted (such as via the binding's
> "Delete" link in the UI), its secret gets deleted too. But if that secret
> had been added to a DeploymentConfig, that DC retains a reference to the
> secret. Any re-deployment will fail.
>
> What is the missing step? Something should presumably clean up any
> references to the secret, which in this case would mean updating the
> DeploymentConfig. What should implement that business logic?
>
> --
> Michael Hrivnak
> Principal Software Engineer, RHCE
> Red Hat
>
> _______________________________________________
> Ansible-service-broker mailing list
> Ansible-service-broker at redhat.com
> https://www.redhat.com/mailman/listinfo/ansible-service-broker


From dymurray at redhat.com Thu Jan 4 16:58:37 2018
From: dymurray at redhat.com (Dylan Murray)
Date: Thu, 4 Jan 2018 11:58:37 -0500
Subject: [Ansible-service-broker] deleting a binding's secret

I like it. Makes sense and fits the initial approach we wanted to take. It
would also be useful for Amazon APBs to remove credentials from RDS, for
example.


From dzager at redhat.com Thu Jan 4 17:16:19 2018
From: dzager at redhat.com (David Zager)
Date: Thu, 04 Jan 2018 17:16:19 +0000
Subject: [Ansible-service-broker] deleting a binding's secret

I agree with having bind/unbind playbooks that are called on those actions.
However, in this case at least, a bind playbook didn't place the secret in
the deployment config, the OpenShift "Console" did. This sounds like a bug
against origin. If there is a process for adding the secret to the
deployment then there should be a process that removes it.


From shurley at redhat.com Thu Jan 4 17:32:21 2018
From: shurley at redhat.com (Shawn Hurley)
Date: Thu, 4 Jan 2018 12:32:21 -0500
Subject: [Ansible-service-broker] deleting a binding's secret

+1 that is also what I was thinking
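The cleanup step the thread is asking about, written out as an added example (it is not code from the broker, the apb tool, an apb or the console): find every place a DeploymentConfig's pod template still references a secret that was deleted with its ServiceBinding, and produce a copy of the DC with those references removed so the next re-deployment does not fail. It assumes the DC has been decoded into plain dicts in the layout of `oc get dc/<name> -o json`; the DC and secret names are constructed samples taken from the thread.

```python
"""Detect and remove DeploymentConfig references to a binding secret that no longer exists.

Added example for this thread; not code from the broker, the apb tool, an apb or
the console. Assumes a DeploymentConfig decoded into plain dicts (the layout of
`oc get dc/<name> -o json`); the objects below are constructed samples using the
names from the thread.
"""
import copy
import json


def _pod_spec(obj):
    """Pod spec of a DC-like object (spec.template.spec)."""
    return obj.get("spec", {}).get("template", {}).get("spec", {})


def secret_refs(obj):
    """List (location, secret name) for every secret the pod template references.

    Covers the three ways a secret reaches a pod: envFrom[].secretRef,
    env[].valueFrom.secretKeyRef and volumes[].secret.secretName.
    """
    refs = []
    spec = _pod_spec(obj)
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind, []):
            for e in c.get("envFrom", []):
                if "secretRef" in e:
                    refs.append((f"{kind}/{c['name']}/envFrom", e["secretRef"]["name"]))
            for e in c.get("env", []):
                ref = e.get("valueFrom", {}).get("secretKeyRef")
                if ref:
                    refs.append((f"{kind}/{c['name']}/env/{e['name']}", ref["name"]))
    for v in spec.get("volumes", []):
        if "secret" in v:
            refs.append((f"volumes/{v['name']}", v["secret"]["secretName"]))
    return refs


def dangling_refs(obj, existing_secrets):
    """References whose secret is gone, e.g. deleted together with its ServiceBinding.

    existing_secrets: names of the secrets still present in the namespace
    (`oc get secrets -o name` without the `secret/` prefix).
    """
    existing = set(existing_secrets)
    return [(loc, name) for loc, name in secret_refs(obj) if name not in existing]


def strip_secret(obj, secret_name):
    """Return a deep copy of obj with every reference to secret_name removed.

    Other secrets and config maps are untouched. Mounts of a removed secret
    volume are removed too, otherwise the pod spec would be invalid.
    """
    out = copy.deepcopy(obj)
    spec = _pod_spec(out)
    gone = {v["name"] for v in spec.get("volumes", [])
            if v.get("secret", {}).get("secretName") == secret_name}
    if gone:
        spec["volumes"] = [v for v in spec["volumes"] if v["name"] not in gone]
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind, []):
            if "envFrom" in c:
                c["envFrom"] = [e for e in c["envFrom"]
                                if e.get("secretRef", {}).get("name") != secret_name]
            if "env" in c:
                c["env"] = [e for e in c["env"]
                            if e.get("valueFrom", {}).get("secretKeyRef", {}).get("name")
                            != secret_name]
            if "volumeMounts" in c:
                c["volumeMounts"] = [m for m in c["volumeMounts"] if m["name"] not in gone]
    return out


# Constructed sample: the DC from the thread after `oc env --from=secret/...` plus a
# hand-added secretKeyRef, and an unrelated TLS secret volume that must survive.
BINDING_SECRET = "spring-boot-notes-mysql-binding"
SAMPLE_DC = {
    "kind": "DeploymentConfig",
    "metadata": {"name": "spring-boot-db-notes"},
    "spec": {"template": {"spec": {
        "containers": [{
            "name": "notes",
            "envFrom": [{"secretRef": {"name": BINDING_SECRET}},
                        {"configMapRef": {"name": "notes-config"}}],
            "env": [{"name": "DB_URL",
                     "valueFrom": {"secretKeyRef": {"name": BINDING_SECRET, "key": "DB_NAME"}}}],
            "volumeMounts": [{"name": "tls", "mountPath": "/etc/tls"}],
        }],
        "volumes": [{"name": "tls", "secret": {"secretName": "app-tls"}}],
    }}},
}


if __name__ == "__main__":
    # The binding has been deleted: only app-tls is left in the namespace.
    for loc, name in dangling_refs(SAMPLE_DC, ["app-tls"]):
        print(f"dangling: {loc} -> secret/{name}")
    print(json.dumps(strip_secret(SAMPLE_DC, BINDING_SECRET)["spec"], indent=2))
```

Run against a live namespace, the `dangling_refs` output is the check an unbind action (or a periodic audit) would emit before anything is modified; `strip_secret` produces the object to feed to `oc replace`.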
URL: From rhallise at redhat.com Thu Jan 4 17:40:22 2018 From: rhallise at redhat.com (Ryan Hallisey) Date: Thu, 4 Jan 2018 12:40:22 -0500 Subject: [Ansible-service-broker] deleting a binding's secret In-Reply-To: References: Message-ID: Sounds good. Let's raise the issue with the UI folks and get their input. If we can't get a solution there, we can fall back to using an apb. -Ryan On Thu, Jan 4, 2018 at 12:16 PM, David Zager wrote: > I agree with having bind/unbind playbooks that are called on those actions. > However, in this case at least, a bind playbook didn't place the secret in > the deployment config, the Openshift ?Console? did. This sounds like a bug > against origin. If there is a process for adding the secret to the > deployment then there should be a process that removes it. > > On Thu, Jan 4, 2018, 11:59 AM Dylan Murray wrote: >> >> I like it. Makes sense and fits the inital approach we wanted to take. It >> would also be useful for Amazon APBs to remove credentials from RDS for >> example. >> >> On Thu, Jan 4, 2018 at 11:07 AM, Ryan Hallisey >> wrote: >>> >>> Michael, >>> >>> I agree there is a gap here. In the past with pod presets, the >>> catalog managed the relationship >>> between the app and the bind. Until the catalog has another solution, >>> maybe we can deal with >>> this with an unbind apb playbook. The playbook will get called from >>> the broker unbind action, >>> an apb will run for each app in the bind, and the reference to the >>> secret will be removed by the >>> playbook. >>> >>> What are folks thoughts on that? >>> >>> Thanks, >>> - Ryan >>> >>> >>> On Wed, Jan 3, 2018 at 5:10 PM, Michael Hrivnak >>> wrote: >>> > Looking at this BZ, and continuing a discussion from IRC: >>> > https://bugzilla.redhat.com/show_bug.cgi?id=1511760 >>> > >>> > It seems there is a gap in the lifecycle of the secret that gets >>> > created by >>> > a binding. 
When the ServiceBinding gets deleted (such as via the >>> > binding's >>> > "Delete" link in the UI), its secret gets deleted too. But if that >>> > secret >>> > had been added to a DeploymentConfig, that DC retains a reference to >>> > the >>> > secret. Any re-deployment will fail. >>> > >>> > What is the missing step? Something should presumably clean up any >>> > references to the secret, which in this case would mean updating the >>> > DeploymentConfig. What should implement that business logic? >>> > >>> > -- >>> > >>> > Michael Hrivnak >>> > >>> > Principal Software Engineer, RHCE >>> > >>> > Red Hat >>> > >>> > >>> > _______________________________________________ >>> > Ansible-service-broker mailing list >>> > Ansible-service-broker at redhat.com >>> > https://www.redhat.com/mailman/listinfo/ansible-service-broker >>> > >>> >>> _______________________________________________ >>> Ansible-service-broker mailing list >>> Ansible-service-broker at redhat.com >>> https://www.redhat.com/mailman/listinfo/ansible-service-broker >> >> >> _______________________________________________ >> Ansible-service-broker mailing list >> Ansible-service-broker at redhat.com >> https://www.redhat.com/mailman/listinfo/ansible-service-broker From rhallise at redhat.com Wed Jan 10 17:27:46 2018 From: rhallise at redhat.com (rhallise at redhat.com) Date: Wed, 10 Jan 2018 17:27:46 +0000 Subject: [Ansible-service-broker] Invitation: APB tool discussion @ Thu Jan 11, 2018 2pm - 2:30pm (EST) (ansible-service-broker@redhat.com) Message-ID: <94eb2c13cbe281abb305626f5951@google.com> You have been invited to the following event. Title: APB tool discussion https://bluejeans.com/rhallise x9198908220 Discuss re factoring of the apb tool. http://etherpad.corp.redhat.com/apb-tool-refactor When: Thu Jan 11, 2018 2pm ? 
2:30pm Eastern Time Calendar: ansible-service-broker at redhat.com Who: * rhallise at redhat.com - organizer * mhrivnak at redhat.com * dymurray at redhat.com * fvonfeil at redhat.com * dzager at redhat.com * ansible-service-broker at redhat.com Event details: https://www.google.com/calendar/event?action=VIEW&eid=MGZnMnJzY3VrOGhsdmhwdHRkY3FxdXVhZGggYW5zaWJsZS1zZXJ2aWNlLWJyb2tlckByZWRoYXQuY29t&tok=MTkjcmhhbGxpc2VAcmVkaGF0LmNvbTlhZTU3YTZmYTUwZTE5MTAxYzcyNTVmZjU1YzU0MmM0NWViYzM1MmU&ctz=America/New_York&hl=en Invitation from Google Calendar: https://www.google.com/calendar/ You are receiving this courtesy email at the account ansible-service-broker at redhat.com because you are an attendee of this event. To stop receiving future updates for this event, decline this event. Alternatively you can sign up for a Google account at https://www.google.com/calendar/ and control your notification settings for your entire calendar. Forwarding this invitation could allow any recipient to modify your RSVP response. Learn more at https://support.google.com/calendar/answer/37135#forwarding -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/calendar Size: 2033 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: invite.ics Type: application/ics Size: 2075 bytes Desc: not available URL: From rhallise at redhat.com Wed Jan 10 18:13:24 2018 From: rhallise at redhat.com (rhallise at redhat.com) Date: Wed, 10 Jan 2018 18:13:24 +0000 Subject: [Ansible-service-broker] Updated invitation: APB tool discussion @ Thu Jan 11, 2018 2pm - 2:30pm (EST) (ansible-service-broker@redhat.com) Message-ID: <94eb2c1a7d50b78c2905626ffcf4@google.com> This event has been changed. Title: APB tool discussion https://bluejeans.com/rhallise x9198908220 Discuss re factoring of the apb tool. 
http://etherpad.corp.redhat.com/apb-tool-refactor - Improve the apb-tool's structure by breaking it into a series of class https://docs.google.com/document/d/1IUMVy-nma3xgOyk6xh1iW-P6Mu7RBYpO99Qp65WRQsY/edit?usp=sharing - Re write the apb tool in go (changed) When: Thu Jan 11, 2018 2pm ? 2:30pm Eastern Time Calendar: ansible-service-broker at redhat.com Who: * rhallise at redhat.com - organizer * mhrivnak at redhat.com * dymurray at redhat.com * fvonfeil at redhat.com * dzager at redhat.com * ansible-service-broker at redhat.com Event details: https://www.google.com/calendar/event?action=VIEW&eid=MGZnMnJzY3VrOGhsdmhwdHRkY3FxdXVhZGggYW5zaWJsZS1zZXJ2aWNlLWJyb2tlckByZWRoYXQuY29t&tok=MTkjcmhhbGxpc2VAcmVkaGF0LmNvbTlhZTU3YTZmYTUwZTE5MTAxYzcyNTVmZjU1YzU0MmM0NWViYzM1MmU&ctz=America/New_York&hl=en Invitation from Google Calendar: https://www.google.com/calendar/ You are receiving this courtesy email at the account ansible-service-broker at redhat.com because you are an attendee of this event. To stop receiving future updates for this event, decline this event. Alternatively you can sign up for a Google account at https://www.google.com/calendar/ and control your notification settings for your entire calendar. Forwarding this invitation could allow any recipient to modify your RSVP response. Learn more at https://support.google.com/calendar/answer/37135#forwarding -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/calendar Size: 2226 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: invite.ics Type: application/ics Size: 2271 bytes Desc: not available URL: From rhallise at redhat.com Thu Jan 11 20:13:45 2018 From: rhallise at redhat.com (Ryan Hallisey) Date: Thu, 11 Jan 2018 15:13:45 -0500 Subject: [Ansible-service-broker] apb tool refactor Message-ID: Hey folks, There's been some investigation and discussion over the last few days about refactoring the apb tool. Initially, the discussion was around improving the code's structure, until it was brought up that it might be worth re-writing the apb tool in go since we're considering big changes anyway. Today, the community had a meeting to discuss if it's worth re-writing the apb tool in go, notes are here [1]. Overall, folks liked the idea. Here were some of the positives: 1) We could vendor the broker to provide a way to run apbs outside of the broker, without having to do `docker run ....`. This would be similar to the way helm executes a chart. 2) No longer have to deal with python-deps The next steps are to gather more feedback and to plan how we can accomplish the move to go. Starting with a proposal in the ansible-playbook-bundle repo and an outline of how the new apb tool will look in terms of class structure [2]. I'll work on the proposal today and tomorrow. If folks have anything else to add about the meeting or any other comments, let me know. 
Thanks, -Ryan [1] - http://etherpad.corp.redhat.com/apb-tool-refactor [2] - https://docs.google.com/document/d/1IUMVy-nma3xgOyk6xh1iW-P6Mu7RBYpO99Qp65WRQsY/edit?usp=sharing From rhallise at redhat.com Fri Jan 12 19:57:38 2018 From: rhallise at redhat.com (Ryan Hallisey) Date: Fri, 12 Jan 2018 14:57:38 -0500 Subject: [Ansible-service-broker] [ccpeng] apb tool refactor In-Reply-To: References: Message-ID: Hey folks, Here's a link to the proposal for the apb tool refactor: https://github.com/ansibleplaybookbundle/ansible-playbook-bundle/pull/197 -Ryan On Fri, Jan 12, 2018 at 9:24 AM, Dylan Murray wrote: > +1 to both Michael and David's comments. If I am understanding properly > these proposed changes would mainly affect `apb init` and how we publish the > images, not necessarily impacting what we want to accomplish with the > tooling itself. The same problem we want to solve exists moving forward > mocking out the functionality of the broker. > > On Thu, Jan 11, 2018 at 10:22 PM, David Zager wrote: >> >> Michael, that is an interesting overview of the APB tool as it stands >> today and I agree with your suggestion that, "the most compelling future >> opportunities for the apb tool have to do with facilitating execution of an >> apb...", well said. I think the team has put a lot of thought and effort >> into how to properly facilitate apb execution. >> >> As a note, the point that got me talking with people about writing the APB >> tool in golang was all of the work that we had already done in the broker to >> execute an apb in the cluster that I didn't want for us to rewrite in python >> for both k8s and openshift. The use case of a meager developer wanting to >> execute an APB that deploys wordpress but only a superuser/admin can execute >> an APB to deploy cluster level logging and metrics (w/ and w/o a broker) is >> what I am most interested in. 
>> >> It is not immediately clear to me what impact APBs refactored into >> ansible-galaxy compatible roles would do as it appears more of a replacement >> to our packaging as RPMs than removing our >> provision/bind/unbind/update/deprovision playbooks (since I don't see how >> those playbooks would go away). >> >> I am certainly interested to hear more of this conversation. >> >> On Thu, Jan 11, 2018, 5:53 PM Michael Hrivnak wrote: >>> >>> Interesting. I'll toss my observations in, having taken a fresh look at >>> all the apb tool code this week. Please jump in if I misjudged anything. >>> >>> The apb tool has 99% of its behavior in these areas: >>> - build a container >>> - interact with a container registry >>> - interact with the broker >>> - interact with the service catalog >>> - interact with a k8s cluster >>> >>> The other 1% is where anything ansible-related happens. And it's just the >>> creation of a base apb skeleton on disk via "apb init". It throws down >>> pre-made files with a touch of template logic, but there is no interaction >>> with ansible. >>> >>> It sounds like the most compelling future opportunities for the apb tool >>> have to do with facilitating execution of an apb without a broker. That >>> would take the code deeper into the 99% territory and require it to >>> assimilate some of the broker's capabilities. >>> >>> It would be very interesting to hear if there are any ideas for >>> integrating the apb tool more directly with ansible, and where that road >>> could lead. Maybe the act of building the apb container image could involve >>> retrieving roles from ansible galaxy? But even then, it seems like something >>> that might only happen inside the image build process, and not something the >>> apb tool would directly do itself. Speaking of which, one of the elegant >>> aspects of this whole workflow as it is today is that the only place you >>> need ansible and its dependencies installed is inside your apb container >>> image. 
>>> >>> I'm looking forward to hearing more about the galaxy direction. >>> >>> On Thu, Jan 11, 2018 at 3:34 PM, John Matthews >>> wrote: >>>> >>>> Moving this to internal since it's related to some uncommitted future >>>> direction and brand new conversations. >>>> >>>> There is talk of APBs being refactored to line up closer to Ansible >>>> community, namely being written as a single Role which can be published to >>>> galaxy (in addition to our normal workflow with building a container and >>>> published to a registry). Meeting with Ansible guys next week to sketch out >>>> the possible vision a bit more, will share with team once we have a better >>>> vision to communicate. >>>> >>>> With this work we may want to consider integrating closer to ansible >>>> tools, i.e. "ansible-galaxy" >>>> >>>> We will need to weigh the benefit of Python and reusing ansible....or >>>> Golang and reuse k8s/origin work and have a self-contained executable. >>>> >>>> >>>> >>>> >>>> >>>> On Thu, Jan 11, 2018 at 3:13 PM, Ryan Hallisey >>>> wrote: >>>>> >>>>> Hey folks, >>>>> >>>>> There's been some investigation and discussion over the last few days >>>>> about refactoring the apb tool. Initially, the discussion was around >>>>> improving the code's structure, until it was brought up that it might >>>>> be worth re-writing the apb tool in go since we're considering big >>>>> changes anyway. >>>>> >>>>> Today, the community had a meeting to discuss if it's worth re-writing >>>>> the apb tool in go, notes are here [1]. Overall, folks liked the >>>>> idea. Here were some of the positives: >>>>> 1) We could vendor the broker to provide a way to run apbs >>>>> outside of the broker, without having to do `docker run ....`. This >>>>> would be similar to the way helm executes a chart. >>>>> 2) No longer have to deal with python-deps >>>>> >>>>> The next steps are to gather more feedback and to plan how we can >>>>> accomplish the move to go. 
Starting with a proposal in the >>>>> ansible-playbook-bundle repo and an outline of how the new apb tool >>>>> will look in terms of class structure [2]. >>>>> >>>>> I'll work on the proposal today and tomorrow. >>>>> >>>>> If folks have anything else to add about the meeting or any other >>>>> comments, let me know. >>>>> >>>>> Thanks, >>>>> -Ryan >>>>> >>>>> >>>>> [1] - http://etherpad.corp.redhat.com/apb-tool-refactor >>>>> [2] - >>>>> https://docs.google.com/document/d/1IUMVy-nma3xgOyk6xh1iW-P6Mu7RBYpO99Qp65WRQsY/edit?usp=sharing >>>>> >>>>> _______________________________________________ >>>>> Ansible-service-broker mailing list >>>>> Ansible-service-broker at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/ansible-service-broker >>>> >>>> >>> >>> >>> >>> -- >>> >>> Michael Hrivnak >>> >>> Principal Software Engineer, RHCE >>> >>> Red Hat > > From rhallise at redhat.com Wed Jan 17 17:25:14 2018 From: rhallise at redhat.com (Ryan Hallisey) Date: Wed, 17 Jan 2018 12:25:14 -0500 Subject: [Ansible-service-broker] Travis slow down Message-ID: Hey folks, There's a temporary slow down with Travis queuing up jobs. They noted they had a 'growing backlog' yesterday and today. So expect jobs to take a little longer to get picked off the queue. Hopefully it will go back to normal soon. Thanks, - Ryan From cmoullia at redhat.com Fri Jan 19 09:20:26 2018 From: cmoullia at redhat.com (Charles Moulliard) Date: Fri, 19 Jan 2018 10:20:26 +0100 Subject: [Ansible-service-broker] Question about how to generate serviceInstance, serviceBinding and next mount the secret to DC Message-ID: Hi, The creation of the serviceInstance resource from a clusterServiceClass is very easy using python apb client - https://goo.gl/zwWPJz but how do you achieve this goal with the Ansible Service Broker like also to create the serviceBinding resource ? Why such questions ? 
I would like to replace these files created manually here : - ServiceBinding : https://github.com/cmoulliard/spring-boot-jpa-rest/blob/master/openshift/mysql-secret_servicebinding.yml - ServiceInstance : https://github.com/cmoulliard/spring-boot-jpa-rest/blob/master/openshift/mysql_serviceinstance.yml and executed using these oc commands oc create -f openshift/mysql_serviceinstance.yml oc create -f openshift/mysql-secret_servicebinding.yml oc env --from=secret/spring-boot-notes-mysql-binding dc/spring-boot-db-notes with new commands where by example, we will create the serviceInstance using "oc create-service " Next bind the Service to a DeploymentConfig using maybe the following command "oc bind-service Regards, Charles -------------- next part -------------- An HTML attachment was scrubbed... URL: From cmoullia at redhat.com Fri Jan 19 10:17:25 2018 From: cmoullia at redhat.com (Charles Moulliard) Date: Fri, 19 Jan 2018 11:17:25 +0100 Subject: [Ansible-service-broker] Map serviceClass parameters with servicebinding secret ? Message-ID: Hi, Is it possible to map or rename the env vars mounted within the pod of the application consuming a service as the current situation is not convenient ? Example - MySQL ClusterServiceClass will use these parameters as defined within the apb.yml file : https://goo.gl/HFrpSy - Then, if a serviceInstance is created, it will contain the same parameters but customized according to the user's choice: https://goo.gl/dXTZvA mysql_database: "devel" mysql_password: "devel" mysql_user: "devel" - But, when the secret is mounted as env var to the pod, then the parameters have been renamed to export DB_NAME="devel" export DB_PASSWORD="devel" export DB_USER="devel" Where such transformation take place ? Is it possible to define its own mapping ? 
Regards CHARLES MOULLIARD SOFTWARE ENGINEER MANAGER SPRING(BOOT) Red Hat cmoulliard at redhat.com M: +32-473-604014 @cmoulliard -------------- next part -------------- An HTML attachment was scrubbed... URL: From rhallise at redhat.com Fri Jan 19 13:14:36 2018 From: rhallise at redhat.com (Ryan Hallisey) Date: Fri, 19 Jan 2018 08:14:36 -0500 Subject: [Ansible-service-broker] Question about how to generate serviceInstance, serviceBinding and next mount the secret to DC In-Reply-To: References: Message-ID: Hey Charles, I think you raise some good questions. I'll respond inline. > The creation of the serviceInstance resource from a clusterServiceClass is > very easy using python apb client - https://goo.gl/zwWPJz but how do you > achieve this goal with the Ansible Service Broker like also to create the > serviceBinding resource ? > > > Why such questions ? > > I would like to replace these files created manually here : > > - ServiceBinding : > https://github.com/cmoulliard/spring-boot-jpa-rest/blob/master/openshift/mysql-secret_servicebinding.yml > - ServiceInstance : > https://github.com/cmoulliard/spring-boot-jpa-rest/blob/master/openshift/mysql_serviceinstance.yml > > and executed using these oc commands > > oc create -f openshift/mysql_serviceinstance.yml > oc create -f openshift/mysql-secret_servicebinding.yml > oc env --from=secret/spring-boot-notes-mysql-binding dc/spring-boot-db-notes > > with new commands where by example, we will create the serviceInstance using > > "oc create-service > " > > Next bind the Service to a DeploymentConfig using maybe the following > command > > "oc bind-service > The `apb serviceinstance` command was an first attempt to improve the creation of serviceinstances. I think there is plenty the community can do to build on that effort. But to get at your broader point here, if we're able to generate the template like with `apb serviceinstance`, then the cli could also execute the command to use the template. 
Thus providing users with out of the box application and a way to interact with the API in a few cli commands. Yesterday, after we talked about this, I created two issues to track this. I think it's a great idea and it will greatly improve the developer experience. That being said, if you are interested in developing some of this work, I would encourage it. I think this would be a great contribution to the apb tool. https://github.com/ansibleplaybookbundle/ansible-playbook-bundle/issues/204 https://github.com/ansibleplaybookbundle/ansible-playbook-bundle/issues/203 Thanks for bringing this up for discussion on IRC and the mailing list. Sincerely, -Ryan From cmoullia at redhat.com Fri Jan 19 13:28:33 2018 From: cmoullia at redhat.com (Charles Moulliard) Date: Fri, 19 Jan 2018 14:28:33 +0100 Subject: [Ansible-service-broker] Question about how to generate serviceInstance, serviceBinding and next mount the secret to DC In-Reply-To: References: Message-ID: Many thanks Ryan for your response Is the right place within the apb python client project to make such developments (ticket 203, 204) ? Ideally such development to improve developer experience should take place around "oc" client or the new one that DevExp team is discussing "ocd" On Fri, Jan 19, 2018 at 2:14 PM, Ryan Hallisey wrote: > Hey Charles, > > I think you raise some good questions. I'll respond inline. > > > The creation of the serviceInstance resource from a clusterServiceClass > is > > very easy using python apb client - https://goo.gl/zwWPJz but how do you > > achieve this goal with the Ansible Service Broker like also to create the > > serviceBinding resource ? > > > > > > Why such questions ? 
>>
>> I would like to replace these files created manually here:
>>
>> - ServiceBinding: https://github.com/cmoulliard/spring-boot-jpa-rest/blob/master/openshift/mysql-secret_servicebinding.yml
>> - ServiceInstance: https://github.com/cmoulliard/spring-boot-jpa-rest/blob/master/openshift/mysql_serviceinstance.yml
>>
>> and executed using these oc commands
>>
>> oc create -f openshift/mysql_serviceinstance.yml
>> oc create -f openshift/mysql-secret_servicebinding.yml
>> oc env --from=secret/spring-boot-notes-mysql-binding dc/spring-boot-db-notes
>>
>> with new commands where, for example, we would create the serviceInstance using
>>
>> "oc create-service
>> "
>>
>> Next bind the Service to a DeploymentConfig using maybe the following command
>>
>> "oc bind-service
>
> The `apb serviceinstance` command was a first attempt to improve the creation of serviceinstances. I think there is plenty the community can do to build on that effort. But to get at your broader point here, if we're able to generate the template like with `apb serviceinstance`, then the cli could also execute the command to use the template. Thus providing users with out of the box application and a way to interact with the API in a few cli commands.
>
> Yesterday, after we talked about this, I created two issues to track this. I think it's a great idea and it will greatly improve the developer experience. That being said, if you are interested in developing some of this work, I would encourage it. I think this would be a great contribution to the apb tool.
>
> https://github.com/ansibleplaybookbundle/ansible-playbook-bundle/issues/204
> https://github.com/ansibleplaybookbundle/ansible-playbook-bundle/issues/203
>
> Thanks for bringing this up for discussion on IRC and the mailing list.
>
> Sincerely,
> -Ryan
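The two manifests Charles writes by hand in this thread (a ServiceInstance, then a ServiceBinding whose secret is wired into the DC with `oc env --from=secret/...`) can be generated by a short script, which is roughly what issues 203/204 ask the apb tool to do. The following is an added example and is not code from the apb tool, the broker or Charles' repository. It builds the same two service-catalog objects (servicecatalog.k8s.io/v1beta1) and, as a deliberate choice, keeps the sensitive instance parameter (the database password) in a Secret referenced through `parametersFrom` instead of inline in `spec.parameters`, so someone who can read ServiceInstance objects does not automatically read the password. The class name `rhscl-mysql-apb`, plan `dev`, the parameter names and the `spring-boot-notes` application name are constructed sample values.

```python
"""Build service-catalog manifests for `oc create -f`.

Added example, not code from the apb tool, the broker or Charles'
repository.  Class, plan, parameter and application names are constructed
sample values; the object layout follows the servicecatalog.k8s.io/v1beta1 API.
"""
import base64
import json

API_VERSION = "servicecatalog.k8s.io/v1beta1"
PARAMS_KEY = "parameters"  # key inside the Secret that parametersFrom points at


def secret_manifest(name, data):
    """Opaque Secret; the API stores values base64-encoded."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in data.items()},
    }


def split_parameters(parameters, sensitive):
    """Non-sensitive parameters stay inline on the ServiceInstance; sensitive ones go to a Secret."""
    inline = {k: v for k, v in parameters.items() if k not in sensitive}
    hidden = {k: v for k, v in parameters.items() if k in sensitive}
    return inline, hidden


def service_instance(name, class_name, plan_name, inline, params_secret=None):
    spec = {
        "clusterServiceClassExternalName": class_name,
        "clusterServicePlanExternalName": plan_name,
    }
    if inline:
        spec["parameters"] = inline
    if params_secret:
        # The catalog merges the JSON object stored under PARAMS_KEY into the
        # provision request without exposing it on the ServiceInstance itself.
        spec["parametersFrom"] = [{"secretKeyRef": {"name": params_secret, "key": PARAMS_KEY}}]
    return {"apiVersion": API_VERSION, "kind": "ServiceInstance",
            "metadata": {"name": name}, "spec": spec}


def service_binding(name, instance_name, secret_name):
    """The binding writes the credentials returned by the broker into `secretName`."""
    return {"apiVersion": API_VERSION, "kind": "ServiceBinding",
            "metadata": {"name": name},
            "spec": {"instanceRef": {"name": instance_name}, "secretName": secret_name}}


def build(app, service, class_name, plan_name, parameters, sensitive=("mysql_password",)):
    """Objects to create, in creation order: [Secret (if needed), ServiceInstance, ServiceBinding]."""
    inline, hidden = split_parameters(parameters, set(sensitive))
    instance = f"{app}-{service}"
    objs = []
    params_secret = None
    if hidden:
        params_secret = f"{instance}-params"
        objs.append(secret_manifest(params_secret, {PARAMS_KEY: json.dumps(hidden)}))
    objs.append(service_instance(instance, class_name, plan_name, inline, params_secret))
    # Binding secret named like Charles' `oc env --from=secret/<app>-<service>-binding`.
    objs.append(service_binding(f"{instance}-binding", instance, f"{instance}-binding"))
    return objs


def decode_parameters(secret):
    """Read back the hidden parameters (what the catalog will send to the broker)."""
    return json.loads(base64.b64decode(secret["data"][PARAMS_KEY]).decode())


def inline_sensitive_keys(instance, sensitive):
    """Pre-apply check: sensitive keys must not appear inline in spec.parameters."""
    return sorted(set(instance["spec"].get("parameters", {})) & set(sensitive))


def to_manifest(objs):
    """A v1 List that `oc create -f -` accepts (JSON is valid YAML)."""
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": objs}, indent=2)


if __name__ == "__main__":
    objs = build("spring-boot-notes", "mysql", "rhscl-mysql-apb", "dev",
                 {"mysql_database": "devel", "mysql_user": "devel", "mysql_password": "devel"})
    assert not inline_sensitive_keys(objs[1], ["mysql_password"])
    print(to_manifest(objs))
```

Piping the output to `oc create -f -` creates the three objects in order; the Secret must exist before the ServiceInstance, since the catalog resolves `parametersFrom` at provision time. The `oc env --from=secret/spring-boot-notes-mysql-binding dc/...` step from Charles' message is unchanged, because the binding secret name is the same.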
From cmoullia at redhat.com Fri Jan 19 13:38:56 2018
From: cmoullia at redhat.com (Charles Moulliard)
Date: Fri, 19 Jan 2018 14:38:56 +0100
Subject: [Ansible-service-broker] Question about how to generate serviceInstance, serviceBinding and next mount the secret to DC

kubectl client provides such commands -> https://github.com/kubernetes-incubator/service-catalog/pull/840 ;-)

On Fri, Jan 19, 2018 at 2:28 PM, Charles Moulliard wrote:
> Many thanks Ryan for your response.
>
> Is the apb python client project the right place to make such developments (tickets 203, 204)? Ideally such development to improve the developer experience should take place around the "oc" client or the new one that the DevExp team is discussing, "ocd".
>
> On Fri, Jan 19, 2018 at 2:14 PM, Ryan Hallisey wrote:
>> Hey Charles,
>>
>> I think you raise some good questions. I'll respond inline.
>>
>>> The creation of the serviceInstance resource from a clusterServiceClass is very easy using the python apb client - https://goo.gl/zwWPJz but how do you achieve this goal with the Ansible Service Broker, and likewise create the serviceBinding resource?
>>>
>>>
>>> Why such questions?
>>>
>>> I would like to replace these files created manually here:
>>>
>>> - ServiceBinding: https://github.com/cmoulliard/spring-boot-jpa-rest/blob/master/openshift/mysql-secret_servicebinding.yml
>>> - ServiceInstance: https://github.com/cmoulliard/spring-boot-jpa-rest/blob/master/openshift/mysql_serviceinstance.yml
>>>
>>> and executed using these oc commands
>>>
>>> oc create -f openshift/mysql_serviceinstance.yml
>>> oc create -f openshift/mysql-secret_servicebinding.yml
>>> oc env --from=secret/spring-boot-notes-mysql-binding dc/spring-boot-db-notes
>>>
>>> with new commands where, for example, we would create the serviceInstance using
>>>
>>> "oc create-service
>>> "
>>>
>>> Next bind the Service to a DeploymentConfig using maybe the following command
>>>
>>> "oc bind-service
>>
>> The `apb serviceinstance` command was a first attempt to improve the creation of serviceinstances. I think there is plenty the community can do to build on that effort. But to get at your broader point here, if we're able to generate the template like with `apb serviceinstance`, then the cli could also execute the command to use the template. Thus providing users with out of the box application and a way to interact with the API in a few cli commands.
>>
>> Yesterday, after we talked about this, I created two issues to track this. I think it's a great idea and it will greatly improve the developer experience. That being said, if you are interested in developing some of this work, I would encourage it. I think this would be a great contribution to the apb tool.
>>
>> https://github.com/ansibleplaybookbundle/ansible-playbook-bundle/issues/204
>> https://github.com/ansibleplaybookbundle/ansible-playbook-bundle/issues/203
>>
>> Thanks for bringing this up for discussion on IRC and the mailing list.
>>
>> Sincerely,
>> -Ryan

From dymurray at redhat.com Fri Jan 19 13:42:26 2018
From: dymurray at redhat.com (Dylan Murray)
Date: Fri, 19 Jan 2018 08:42:26 -0500
Subject: [Ansible-service-broker] Map serviceClass parameters with servicebinding secret?

Great insight. Up to this point most users are

On Fri, Jan 19, 2018 at 8:34 AM, Charles Moulliard wrote:
> Thanks for the info/clarification.
>
> How can a dev project discover, before binding an app to a service, what the env vars that the secret will mount will be? Can we show such info using an oc command?
>
> On Fri, Jan 19, 2018 at 2:07 PM, Dylan Murray wrote:
>> Charles,
>>
>> I think you might be confusing the bind credentials with the APB parameters. https://github.com/ansibleplaybookbundle/mysql-apb/blob/master/roles/rhscl-mysql-apb-openshift/tasks/main.yml#L79 shows where the actual Bind credentials are set. If you would like those to be renamed you would need to fork the APB and publish your own version changing the name of these credentials.
>>
>> Hope that helps,
>> Dylan
>>
>> On Fri, Jan 19, 2018 at 5:17 AM, Charles Moulliard wrote:
>>> Hi,
>>>
>>> Is it possible to map or rename the env vars mounted within the pod of the application consuming a service, as the current situation is not convenient?
>>>
>>> Example
>>>
>>> - MySQL ClusterServiceClass will use these parameters as defined within the apb.yml file: https://goo.gl/HFrpSy
>>> - Then, if a serviceInstance is created, it will contain the same parameters but customized according to the user's choice: https://goo.gl/dXTZvA
>>>
>>> mysql_database: "devel"
>>> mysql_password: "devel"
>>> mysql_user: "devel"
>>>
>>> - But, when the secret is mounted as env vars in the pod, the parameters have been renamed to
>>>
>>> export DB_NAME="devel"
>>> export DB_PASSWORD="devel"
>>> export DB_USER="devel"
>>>
>>> Where does such a transformation take place? Is it possible to define one's own mapping?
>>>
>>> Regards
>>>
>>> CHARLES MOULLIARD
>>> SOFTWARE ENGINEER MANAGER SPRING(BOOT)
>>> Red Hat
>>> cmoulliard at redhat.com M: +32-473-604014
>>> @cmoulliard

From dymurray at redhat.com Fri Jan 19 13:43:36 2018
From: dymurray at redhat.com (Dylan Murray)
Date: Fri, 19 Jan 2018 08:43:36 -0500
Subject: [Ansible-service-broker] Map serviceClass parameters with servicebinding secret?

Sorry... hit send too early. Up to this point most users are looking through the code to see what the bind params are, but it would be much more advantageous if we displayed this information on the repos. It makes sense that our Dockerhub repo is openly displaying the bind credentials for a developer to know how to consume it. It would also be nice if this was displayed in the service catalog.

On Fri, Jan 19, 2018 at 8:42 AM, Dylan Murray wrote:
> Great insight.
> Up to this point most users are
>
> On Fri, Jan 19, 2018 at 8:34 AM, Charles Moulliard wrote:
>> Thanks for the info/clarification.
>>
>> How can a dev project discover, before binding an app to a service, what the env vars that the secret will mount will be? Can we show such info using an oc command?
>>
>> On Fri, Jan 19, 2018 at 2:07 PM, Dylan Murray wrote:
>>> Charles,
>>>
>>> I think you might be confusing the bind credentials with the APB parameters. https://github.com/ansibleplaybookbundle/mysql-apb/blob/master/roles/rhscl-mysql-apb-openshift/tasks/main.yml#L79 shows where the actual Bind credentials are set. If you would like those to be renamed you would need to fork the APB and publish your own version changing the name of these credentials.
>>>
>>> Hope that helps,
>>> Dylan
>>>
>>> On Fri, Jan 19, 2018 at 5:17 AM, Charles Moulliard wrote:
>>>> Hi,
>>>>
>>>> Is it possible to map or rename the env vars mounted within the pod of the application consuming a service, as the current situation is not convenient?
>>>>
>>>> Example
>>>>
>>>> - MySQL ClusterServiceClass will use these parameters as defined within the apb.yml file: https://goo.gl/HFrpSy
>>>> - Then, if a serviceInstance is created, it will contain the same parameters but customized according to the user's choice: https://goo.gl/dXTZvA
>>>>
>>>> mysql_database: "devel"
>>>> mysql_password: "devel"
>>>> mysql_user: "devel"
>>>>
>>>> - But, when the secret is mounted as env vars in the pod, the parameters have been renamed to
>>>>
>>>> export DB_NAME="devel"
>>>> export DB_PASSWORD="devel"
>>>> export DB_USER="devel"
>>>>
>>>> Where does such a transformation take place? Is it possible to define one's own mapping?
>>>>
>>>> Regards
>>>>
>>>> CHARLES MOULLIARD
>>>> SOFTWARE ENGINEER MANAGER SPRING(BOOT)
>>>> Red Hat
>>>> cmoulliard at redhat.com M: +32-473-604014
>>>> @cmoulliard

From rhallise at redhat.com Fri Jan 19 13:54:22 2018
From: rhallise at redhat.com (Ryan Hallisey)
Date: Fri, 19 Jan 2018 08:54:22 -0500
Subject: [Ansible-service-broker] Question about how to generate serviceInstance, serviceBinding and next mount the secret to DC

We rolled out the apb tool in order to bootstrap our tooling. We haven't discussed merging the functionality into the oc client yet, but I could see us heading there eventually. Until we have those discussions, the python client is where the primary development will be focused.

-Ryan

On Fri, Jan 19, 2018 at 8:28 AM, Charles Moulliard wrote:
> Many thanks Ryan for your response.
>
> Is the apb python client project the right place to make such developments (tickets 203, 204)? Ideally such development to improve the developer experience should take place around the "oc" client or the new one that the DevExp team is discussing, "ocd".
>
> On Fri, Jan 19, 2018 at 2:14 PM, Ryan Hallisey wrote:
>> Hey Charles,
>>
>> I think you raise some good questions. I'll respond inline.
>>
>>> The creation of the serviceInstance resource from a clusterServiceClass is very easy using the python apb client - https://goo.gl/zwWPJz but how do you achieve this goal with the Ansible Service Broker, and likewise create the serviceBinding resource?
>>>
>>>
>>> Why such questions?
>>>
>>> I would like to replace these files created manually here:
>>>
>>> - ServiceBinding: https://github.com/cmoulliard/spring-boot-jpa-rest/blob/master/openshift/mysql-secret_servicebinding.yml
>>> - ServiceInstance: https://github.com/cmoulliard/spring-boot-jpa-rest/blob/master/openshift/mysql_serviceinstance.yml
>>>
>>> and executed using these oc commands
>>>
>>> oc create -f openshift/mysql_serviceinstance.yml
>>> oc create -f openshift/mysql-secret_servicebinding.yml
>>> oc env --from=secret/spring-boot-notes-mysql-binding dc/spring-boot-db-notes
>>>
>>> with new commands where, for example, we would create the serviceInstance using
>>>
>>> "oc create-service
>>> "
>>>
>>> Next bind the Service to a DeploymentConfig using maybe the following command
>>>
>>> "oc bind-service
>>
>> The `apb serviceinstance` command was a first attempt to improve the creation of serviceinstances. I think there is plenty the community can do to build on that effort. But to get at your broader point here, if we're able to generate the template like with `apb serviceinstance`, then the cli could also execute the command to use the template. Thus providing users with out of the box application and a way to interact with the API in a few cli commands.
>>
>> Yesterday, after we talked about this, I created two issues to track this. I think it's a great idea and it will greatly improve the developer experience. That being said, if you are interested in developing some of this work, I would encourage it. I think this would be a great contribution to the apb tool.
>>
>> https://github.com/ansibleplaybookbundle/ansible-playbook-bundle/issues/204
>> https://github.com/ansibleplaybookbundle/ansible-playbook-bundle/issues/203
>>
>> Thanks for bringing this up for discussion on IRC and the mailing list.
>>
>> Sincerely,
>> -Ryan

From rhallise at redhat.com Fri Jan 19 13:56:07 2018
From: rhallise at redhat.com (Ryan Hallisey)
Date: Fri, 19 Jan 2018 08:56:07 -0500
Subject: [Ansible-service-broker] Question about how to generate serviceInstance, serviceBinding and next mount the secret to DC

Thanks for the link. I wasn't aware the service-catalog was working on a plugin. Perhaps that's an additional place we can tie in.

- Ryan

On Fri, Jan 19, 2018 at 8:38 AM, Charles Moulliard wrote:
> kubectl client provides such commands -> https://github.com/kubernetes-incubator/service-catalog/pull/840 ;-)
>
> On Fri, Jan 19, 2018 at 2:28 PM, Charles Moulliard wrote:
>> Many thanks Ryan for your response.
>>
>> Is the apb python client project the right place to make such developments (tickets 203, 204)? Ideally such development to improve the developer experience should take place around the "oc" client or the new one that the DevExp team is discussing, "ocd".
>>
>> On Fri, Jan 19, 2018 at 2:14 PM, Ryan Hallisey wrote:
>>> Hey Charles,
>>>
>>> I think you raise some good questions. I'll respond inline.
>>>
>>>> The creation of the serviceInstance resource from a clusterServiceClass is very easy using the python apb client - https://goo.gl/zwWPJz but how do you achieve this goal with the Ansible Service Broker, and likewise create the serviceBinding resource?
>>>>
>>>>
>>>> Why such questions?
>>>>
>>>> I would like to replace these files created manually here:
>>>>
>>>> - ServiceBinding: https://github.com/cmoulliard/spring-boot-jpa-rest/blob/master/openshift/mysql-secret_servicebinding.yml
>>>> - ServiceInstance: https://github.com/cmoulliard/spring-boot-jpa-rest/blob/master/openshift/mysql_serviceinstance.yml
>>>>
>>>> and executed using these oc commands
>>>>
>>>> oc create -f openshift/mysql_serviceinstance.yml
>>>> oc create -f openshift/mysql-secret_servicebinding.yml
>>>> oc env --from=secret/spring-boot-notes-mysql-binding dc/spring-boot-db-notes
>>>>
>>>> with new commands where, for example, we would create the serviceInstance using
>>>>
>>>> "oc create-service
>>>> "
>>>>
>>>> Next bind the Service to a DeploymentConfig using maybe the following command
>>>>
>>>> "oc bind-service
>>>
>>> The `apb serviceinstance` command was a first attempt to improve the creation of serviceinstances. I think there is plenty the community can do to build on that effort. But to get at your broader point here, if we're able to generate the template like with `apb serviceinstance`, then the cli could also execute the command to use the template. Thus providing users with out of the box application and a way to interact with the API in a few cli commands.
>>>
>>> Yesterday, after we talked about this, I created two issues to track this. I think it's a great idea and it will greatly improve the developer experience. That being said, if you are interested in developing some of this work, I would encourage it. I think this would be a great contribution to the apb tool.
>>>
>>> https://github.com/ansibleplaybookbundle/ansible-playbook-bundle/issues/204
>>> https://github.com/ansibleplaybookbundle/ansible-playbook-bundle/issues/203
>>>
>>> Thanks for bringing this up for discussion on IRC and the mailing list.
>>>
>>> Sincerely,
>>> -Ryan

From cmoullia at redhat.com Fri Jan 19 14:01:33 2018
From: cmoullia at redhat.com (Charles Moulliard)
Date: Fri, 19 Jan 2018 15:01:33 +0100
Subject: [Ansible-service-broker] Map serviceClass parameters with servicebinding secret?

During development, the dev/architect of a project should have access to the service catalog in order to see what the parameters are and how they will (within the code of the app) map them to their own parameters. Ideally such a catalog should be a website where the APB services are listed, where you can select one of them to see the plan(s) available, the parameters, ...

On Fri, Jan 19, 2018 at 2:43 PM, Dylan Murray wrote:
> Sorry... hit send too early. Up to this point most users are looking through the code to see what the bind params are, but it would be much more advantageous if we displayed this information on the repos. It makes sense that our Dockerhub repo is openly displaying the bind credentials for a developer to know how to consume it. It would also be nice if this was displayed in the service catalog.
>
> On Fri, Jan 19, 2018 at 8:42 AM, Dylan Murray wrote:
>> Great insight. Up to this point most users are
>>
>> On Fri, Jan 19, 2018 at 8:34 AM, Charles Moulliard wrote:
>>> Thanks for the info/clarification.
>>>
>>> How can a dev project discover, before binding an app to a service, what the env vars that the secret will mount will be? Can we show such info using an oc command?
>>>
>>> On Fri, Jan 19, 2018 at 2:07 PM, Dylan Murray wrote:
>>>> Charles,
>>>>
>>>> I think you might be confusing the bind credentials with the APB parameters. https://github.com/ansibleplaybookbundle/mysql-apb/blob/master/roles/rhscl-mysql-apb-openshift/tasks/main.yml#L79 shows where the actual Bind credentials are set.
>>>> If you would like those to be renamed you would need to fork the APB and publish your own version changing the name of these credentials.
>>>>
>>>> Hope that helps,
>>>> Dylan
>>>>
>>>> On Fri, Jan 19, 2018 at 5:17 AM, Charles Moulliard wrote:
>>>>> Hi,
>>>>>
>>>>> Is it possible to map or rename the env vars mounted within the pod of the application consuming a service, as the current situation is not convenient?
>>>>>
>>>>> Example
>>>>>
>>>>> - MySQL ClusterServiceClass will use these parameters as defined within the apb.yml file: https://goo.gl/HFrpSy
>>>>> - Then, if a serviceInstance is created, it will contain the same parameters but customized according to the user's choice: https://goo.gl/dXTZvA
>>>>>
>>>>> mysql_database: "devel"
>>>>> mysql_password: "devel"
>>>>> mysql_user: "devel"
>>>>>
>>>>> - But, when the secret is mounted as env vars in the pod, the parameters have been renamed to
>>>>>
>>>>> export DB_NAME="devel"
>>>>> export DB_PASSWORD="devel"
>>>>> export DB_USER="devel"
>>>>>
>>>>> Where does such a transformation take place? Is it possible to define one's own mapping?
>>>>>
>>>>> Regards
>>>>>
>>>>> CHARLES MOULLIARD
>>>>> SOFTWARE ENGINEER MANAGER SPRING(BOOT)
>>>>> Red Hat
>>>>> cmoulliard at redhat.com M: +32-473-604014
>>>>> @cmoulliard
From psturc at redhat.com Fri Jan 19 12:59:29 2018
From: psturc at redhat.com (Pavel Sturc)
Date: Fri, 19 Jan 2018 13:59:29 +0100
Subject: [Ansible-service-broker] [DEMO] APB PR-based testing on Jenkins

Hello guys,

we were working on the implementation of APB PR-based testing and we also recorded a quick demo about it.

https://youtu.be/ByDW8a9bhaw

Relevant links are in the description of the video.

--
Regards,

PAVEL STURC
QUALITY ENGINEER
Red Hat Mobile Application Platform
psturc at redhat.com

From dymurray at redhat.com Fri Jan 19 15:11:03 2018
From: dymurray at redhat.com (Dylan Murray)
Date: Fri, 19 Jan 2018 10:11:03 -0500
Subject: [Ansible-service-broker] Map serviceClass parameters with servicebinding secret?

Agreed, I think it makes sense to include the bind credential information in the service catalog for bindable applications. This will require that we add the bind creds to the APB metadata.

I have created an issue to track this here: https://github.com/ansibleplaybookbundle/ansible-playbook-bundle/issues/206

On Fri, Jan 19, 2018 at 9:01 AM, Charles Moulliard wrote:
> During development, the dev/architect of a project should have access to the service catalog in order to see what the parameters are and how they will (within the code of the app) map them to their own parameters. Ideally such a catalog should be a website where the APB services are listed, where you can select one of them to see the plan(s) available, the parameters, ...
>
> On Fri, Jan 19, 2018 at 2:43 PM, Dylan Murray wrote:
>> Sorry... hit send too early. Up to this point most users are looking through the code to see what the bind params are, but it would be much more advantageous if we displayed this information on the repos.
>> It makes sense that our Dockerhub repo is openly displaying the bind credentials for a developer to know how to consume it. It would also be nice if this was displayed in the service catalog.
>>
>> On Fri, Jan 19, 2018 at 8:42 AM, Dylan Murray wrote:
>>> Great insight. Up to this point most users are
>>>
>>> On Fri, Jan 19, 2018 at 8:34 AM, Charles Moulliard wrote:
>>>> Thanks for the info/clarification.
>>>>
>>>> How can a dev project discover, before binding an app to a service, what the env vars that the secret will mount will be? Can we show such info using an oc command?
>>>>
>>>> On Fri, Jan 19, 2018 at 2:07 PM, Dylan Murray wrote:
>>>>> Charles,
>>>>>
>>>>> I think you might be confusing the bind credentials with the APB parameters. https://github.com/ansibleplaybookbundle/mysql-apb/blob/master/roles/rhscl-mysql-apb-openshift/tasks/main.yml#L79 shows where the actual Bind credentials are set. If you would like those to be renamed you would need to fork the APB and publish your own version changing the name of these credentials.
>>>>>
>>>>> Hope that helps,
>>>>> Dylan
>>>>>
>>>>> On Fri, Jan 19, 2018 at 5:17 AM, Charles Moulliard <cmoullia at redhat.com> wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Is it possible to map or rename the env vars mounted within the pod of the application consuming a service, as the current situation is not convenient?
>>>>>>
>>>>>> Example
>>>>>>
>>>>>> - MySQL ClusterServiceClass will use these parameters as defined within the apb.yml file: https://goo.gl/HFrpSy
>>>>>> - Then, if a serviceInstance is created, it will contain the same parameters but customized according to the user's choice: https://goo.gl/dXTZvA
>>>>>>
>>>>>> mysql_database: "devel"
>>>>>> mysql_password: "devel"
>>>>>> mysql_user: "devel"
>>>>>>
>>>>>> - But, when the secret is mounted as env vars in the pod, the parameters have been renamed to
>>>>>>
>>>>>> export DB_NAME="devel"
>>>>>> export DB_PASSWORD="devel"
>>>>>> export DB_USER="devel"
>>>>>>
>>>>>> Where does such a transformation take place? Is it possible to define one's own mapping?
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> CHARLES MOULLIARD
>>>>>> SOFTWARE ENGINEER MANAGER SPRING(BOOT)
>>>>>> Red Hat
>>>>>> cmoulliard at redhat.com M: +32-473-604014
>>>>>> @cmoulliard

From cmoullia at redhat.com Fri Jan 19 15:14:01 2018
From: cmoullia at redhat.com (Charles Moulliard)
Date: Fri, 19 Jan 2018 16:14:01 +0100
Subject: [Ansible-service-broker] Map serviceClass parameters with servicebinding secret?

Excellent. Many thanks!

On Fri, Jan 19, 2018 at 4:11 PM, Dylan Murray wrote:
> Agreed, I think it makes sense to include the bind credential information in the service catalog for bindable applications. This will require that we add the bind creds to the APB metadata.
>
> I have created an issue to track this here: https://github.com/ansibleplaybookbundle/ansible-playbook-bundle/issues/206
>
> On Fri, Jan 19, 2018 at 9:01 AM, Charles Moulliard wrote:
>> During development, the dev/architect of a project should have access to the service catalog in order to see what the parameters are and how they will (within the code of the app) map them to their own parameters. Ideally such a catalog should be a website where the APB services are listed, where you can select one of them to see the plan(s) available, the parameters, ...
>>
>> On Fri, Jan 19, 2018 at 2:43 PM, Dylan Murray wrote:
>>> Sorry... hit send too early. Up to this point most users are looking through the code to see what the bind params are, but it would be much more advantageous if we displayed this information on the repos. It makes sense that our Dockerhub repo is openly displaying the bind credentials for a developer to know how to consume it. It would also be nice if this was displayed in the service catalog.
>>>
>>> On Fri, Jan 19, 2018 at 8:42 AM, Dylan Murray wrote:
>>>> Great insight. Up to this point most users are
>>>>
>>>> On Fri, Jan 19, 2018 at 8:34 AM, Charles Moulliard wrote:
>>>>> Thanks for the info/clarification.
>>>>>
>>>>> How can a dev project discover, before binding an app to a service, what the env vars that the secret will mount will be? Can we show such info using an oc command?
>>>>>
>>>>> On Fri, Jan 19, 2018 at 2:07 PM, Dylan Murray wrote:
>>>>>> Charles,
>>>>>>
>>>>>> I think you might be confusing the bind credentials with the APB parameters. https://github.com/ansibleplaybookbundle/mysql-apb/blob/master/roles/rhscl-mysql-apb-openshift/tasks/main.yml#L79 shows where the actual Bind credentials are set.
>>>>>> If you would like those to be renamed you would need to fork the APB and publish your own version changing the name of these credentials.
>>>>>>
>>>>>> Hope that helps,
>>>>>> Dylan
>>>>>>
>>>>>> On Fri, Jan 19, 2018 at 5:17 AM, Charles Moulliard <cmoullia at redhat.com> wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Is it possible to map or rename the env vars mounted within the pod of the application consuming a service, as the current situation is not convenient?
>>>>>>>
>>>>>>> Example
>>>>>>>
>>>>>>> - MySQL ClusterServiceClass will use these parameters as defined within the apb.yml file: https://goo.gl/HFrpSy
>>>>>>> - Then, if a serviceInstance is created, it will contain the same parameters but customized according to the user's choice: https://goo.gl/dXTZvA
>>>>>>>
>>>>>>> mysql_database: "devel"
>>>>>>> mysql_password: "devel"
>>>>>>> mysql_user: "devel"
>>>>>>>
>>>>>>> - But, when the secret is mounted as env vars in the pod, the parameters have been renamed to
>>>>>>>
>>>>>>> export DB_NAME="devel"
>>>>>>> export DB_PASSWORD="devel"
>>>>>>> export DB_USER="devel"
>>>>>>>
>>>>>>> Where does such a transformation take place? Is it possible to define one's own mapping?
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>> CHARLES MOULLIARD
>>>>>>> SOFTWARE ENGINEER MANAGER SPRING(BOOT)
>>>>>>> Red Hat
>>>>>>> cmoulliard at redhat.com M: +32-473-604014
>>>>>>> @cmoulliard
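Charles' question in this thread (which env var names will a binding's secret expose, and can that be checked before binding) can be answered from the secret alone, because `oc env --from=secret/<name>` sets one variable per secret key, named after the key. The following is an added example and is not code from the mysql-apb or the broker: it reproduces the `mysql_* -> DB_*` rename Charles observed as a plain lookup table (the APB role's own task in `tasks/main.yml` is what really performs it), builds the binding Secret the way the API stores it, and reports which variables an application expects but the secret will not supply. It also shows the effect of the `--prefix` option of `oc set env`, which is the one way to change the injected names without forking the APB, as Dylan notes. Parameter values, the secret name and the application's variable list are constructed.

```python
"""Preview what a binding secret will expose to a pod as environment variables.

Added example, not code from the mysql-apb or the broker.  The rename table
mirrors what Charles observed on the list; the APB role's tasks/main.yml is
where the real bind credentials are set.  All values below are constructed.
"""
import base64

# Instance parameter -> bind credential key, as seen in the thread (constructed table).
BIND_KEY_MAP = {
    "mysql_database": "DB_NAME",
    "mysql_user": "DB_USER",
    "mysql_password": "DB_PASSWORD",
}


def bind_credentials(params):
    """Apply the APB-style rename; parameters without a mapping are not exposed."""
    return {BIND_KEY_MAP[k]: v for k, v in params.items() if k in BIND_KEY_MAP}


def binding_secret(name, creds):
    """The Secret the ServiceBinding writes (values base64-encoded, as stored by the API)."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in creds.items()},
    }


def env_names(secret, prefix=""):
    """Variable names `oc set env --from=secret/<name> [--prefix=<prefix>]` will set: one per key."""
    return sorted(prefix + key for key in secret["data"])


def env_values(secret, prefix=""):
    """What the container process actually sees after injection (decoded)."""
    return {prefix + k: base64.b64decode(v).decode() for k, v in secret["data"].items()}


def env_gaps(required, secret, prefix=""):
    """Pre-bind check: variables the application requires that the secret will not supply."""
    have = set(env_names(secret, prefix))
    return sorted(name for name in required if name not in have)


if __name__ == "__main__":
    # Constructed instance parameters, matching Charles' example values.
    params = {"mysql_database": "devel", "mysql_password": "devel", "mysql_user": "devel"}
    secret = binding_secret("spring-boot-notes-mysql-binding", bind_credentials(params))
    print("env vars from binding:", env_names(secret))
    print("missing for app:", env_gaps(["DB_HOST", "DB_NAME", "DB_PASSWORD", "DB_USER"], secret))
```

Running the check before `oc set env --from=secret/... dc/...` turns "the pod failed to start because a variable was missing" into a message at bind time; in the constructed run above it reports `DB_HOST` as missing, because the table only maps the three parameters Charles listed.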
From jmatthew at redhat.com Fri Jan 19 15:16:09 2018
From: jmatthew at redhat.com (John Matthews)
Date: Fri, 19 Jan 2018 10:16:09 -0500
Subject: [Ansible-service-broker] [DEMO] APB PR-based testing on Jenkins

Pavel,

Nice job! Thanks for sharing. I added your video to the Ansible Broker youtube page under the "Testing CI/CD APBs" playlist.

https://www.youtube.com/watch?v=ByDW8a9bhaw&list=PLZ7osZ-J70IaIgzMyxNiH6AK0gG__bVcl

On Fri, Jan 19, 2018 at 7:59 AM, Pavel Sturc wrote:
> Hello guys,
>
> we were working on the implementation of APB PR-based testing and we also recorded a quick demo about it.
>
> https://youtu.be/ByDW8a9bhaw
>
> Relevant links are in the description of the video.
>
> --
> Regards,
>
> PAVEL STURC
> QUALITY ENGINEER
> Red Hat Mobile Application Platform
> psturc at redhat.com

From jmatthew at redhat.com Fri Jan 19 16:42:35 2018
From: jmatthew at redhat.com (John Matthews)
Date: Fri, 19 Jan 2018 11:42:35 -0500
Subject: [Ansible-service-broker] Blog: Up and Running with the OpenShift Ansible Broker

Jesus posted the below prior to holidays to help show an easy path for trying out the Ansible Broker.

https://blog.openshift.com/up-and-running-with-the-openshift-ansible-broker/
Up and Running with the OpenShift Ansible Broker
DECEMBER 20, 2017 BY JESUS RODRIGUEZ
From jmatthew at redhat.com Fri Jan 19 16:43:59 2018
From: jmatthew at redhat.com (John Matthews)
Date: Fri, 19 Jan 2018 11:43:59 -0500
Subject: [Ansible-service-broker] Blog: APB Development Tutorial – MediaWiki 1.23 + PostgreSQL 9.5

Here's a link to Dylan's tutorial on creating 2 APBs.

https://blog.openshift.com/apb-development-tutorial-mediawiki-1-23-postgresql-9-5/
APB Development Tutorial – MediaWiki 1.23 + PostgreSQL 9.5
JANUARY 8, 2018 BY DYLAN MURRAY

From jmatthew at redhat.com Fri Jan 19 16:47:54 2018
From: jmatthew at redhat.com (John Matthews)
Date: Fri, 19 Jan 2018 11:47:54 -0500
Subject: [Ansible-service-broker] Blog: Rocket.Chat Ansible Playbook Bundle Development & Deployment Tutorial

This Tutorial is focused on APB Development from the ISV perspective.

https://blog.openshift.com/rocket-chat-ansible-playbook-bundle-development-deployment-tutorial/
Rocket.Chat Ansible Playbook Bundle Development & Deployment Tutorial
JANUARY 17, 2018 BY DYLAN MURRAY

From rhallise at redhat.com Mon Jan 22 19:38:04 2018
From: rhallise at redhat.com (Ryan Hallisey)
Date: Mon, 22 Jan 2018 14:38:04 -0500
Subject: [Ansible-service-broker] Kubernetes gate

Folks,

The kubernetes CI job has merged into master. The patch comes with a few things:

- Tests the broker running on kubernetes.
- The CI job runs in parallel to the openshift job, so no additional time waiting for jobs.
- The CI job tests provision, bind, unbind, and deprovision.
- The job tests against the master branch of the service catalog. This will allow us to catch catalog changes that break the broker within a short period of time.
- Finally, the patch adds a script that will launch the broker on top of an existing kubernetes cluster - goo.gl/aA7Dnh

Thanks,
-Ryan

From jesusr at redhat.com Thu Jan 25 18:44:11 2018
From: jesusr at redhat.com (jesus m. rodriguez)
Date: Thu, 25 Jan 2018 13:44:11 -0500
Subject: [Ansible-service-broker] branching broker 1.1 into release-1.1 today
Message-ID: <1516905851.28387.3.camel@redhat.com>

We have quite a few PRs that are all for the 3.10 release. So we are going to branch the broker into release-1.1 for targeting the 3.9 release. And master will become post 3.9 work.

jesus

--
jesus m. rodriguez | jesusr at redhat.com
principal software engineer | irc: zeus
red hat systems management | 919.754.4413 (w)
rhce # 805008586930012 | 919.623.0080 (c)
+---------------------------------------------+
| "you will be assimilated;                   |
|  resistance is futile"                      |
|                                   -- Borg   |
+---------------------------------------------+

From jesusr at redhat.com Thu Jan 25 19:03:10 2018
From: jesusr at redhat.com (jesus m. rodriguez)
Date: Thu, 25 Jan 2018 14:03:10 -0500
Subject: [Ansible-service-broker] branching broker 1.1 into release-1.1 today
In-Reply-To: <1516905851.28387.3.camel@redhat.com>
References: <1516905851.28387.3.camel@redhat.com>
Message-ID: <1516906990.28387.6.camel@redhat.com>

Branch is done.

master - broker 1.2 work (OpenShift 3.10+)
release-1.1 - broker 1.1 (OpenShift 3.9 bugs ONLY!)
release-1.0 - broker 1.0 (OpenShift 3.7 backport)

If you have any questions let me know.

jesus

From jmatthew at redhat.com Thu Jan 25 21:11:10 2018
From: jmatthew at redhat.com (John Matthews)
Date: Thu, 25 Jan 2018 16:11:10 -0500
Subject: [Ansible-service-broker] http://ansiblebroker.org/ now live

All,

Please visit our new landing page for the Ansible Broker project:
http://ansiblebroker.org/

A big thank you to Mairin Duffy and her awesome design skills and Christopher Chase for doing a superb job in implementation.

From jmontleo at redhat.com Thu Jan 25 21:15:45 2018
From: jmontleo at redhat.com (Jason Montleon)
Date: Thu, 25 Jan 2018 16:15:45 -0500
Subject: [Ansible-service-broker] Update Demo: Preserve data during update of Service Plans
Message-ID: <32e8c726-a184-bfcb-82ee-d512281d0ad6@redhat.com>

This YouTube video demonstrates how we are able to preserve data when performing plan updates even if the application containers don't necessarily have persistent storage. The demo uses Mediawiki bound to PostgreSQL, but it works just as well with MariaDB and MySQL.

https://youtu.be/kslVbbQCZ8s

--
Jason Montleon | email: jmontleo at redhat.com
Software Engineer | gpg key: 0x069E3022
Red Hat, Inc. | irc: jmontleo
desk: 978-392-3930 | cell: 508-496-0663

From cmoullia at redhat.com Fri Jan 26 12:06:41 2018
From: cmoullia at redhat.com (Charles Moulliard)
Date: Fri, 26 Jan 2018 13:06:41 +0100
Subject: [Ansible-service-broker] Issue to create MySQL APB instance on ocp 3.7

Hi,

I have used the Openshift UI screens to install the MySQL service instance under the "test" namespace, and I get such errors if I look at the "events":

https://www.dropbox.com/s/5cptnq47zf8rava/Screenshot%202018-01-26%2013.04.33.png?dl=0

ServiceBinding cannot begin because referenced ServiceInstance "test/dh-mysql-apb-7wzcr" is not ready
Provision call failed: Error occurred during provision. Please contact administrator if it persists.

The project has been installed on OCP 3.7 with the option --service-catalog and Ansible Broker using the following template:

oc new-project ansible-service-broker
curl -s https://raw.githubusercontent.com/openshift/ansible-service-broker/master/templates/simple-broker-template.yaml | oc process -n "ansible-service-broker" -f - | oc create -f -

How can I troubleshoot such errors?

Regards

Charles
From cmoullia at redhat.com Fri Jan 26 12:28:44 2018
From: cmoullia at redhat.com (Charles Moulliard)
Date: Fri, 26 Jan 2018 13:28:44 +0100
Subject: [Ansible-service-broker] Issue to create MySQL APB instance on ocp 3.7

If I look at the log of the ASB pod, then I see such an error when ASB tries to create the network resource within the "test" namespace:

[2018-01-26T12:02:41.757Z] [DEBUG] - Creating network policy for pod: apb-36748357-1681-44b8-be32-6e0cc12ec606 to grant network access to ns: test
[2018-01-26T12:02:41.758Z] [ERROR] - unable to create network policy object - User "system:serviceaccount:ansible-service-broker:asb" cannot create networkpolicies.networking.k8s.io in the namespace "test": User "system:serviceaccount:ansible-service-broker:asb" cannot create networkpolicies.networking.k8s.io in project "test" (post networkpolicies.networking.k8s.io)
[2018-01-26T12:02:41.758Z] [ERROR] - User "system:serviceaccount:ansible-service-broker:asb" cannot create networkpolicies.networking.k8s.io in the namespace "test": User "system:serviceaccount:ansible-service-broker:asb" cannot create networkpolicies.networking.k8s.io in project "test" (post networkpolicies.networking.k8s.io)
[2018-01-26T12:02:41.758Z] [ERROR] - Problem executing apb [apb-36748357-1681-44b8-be32-6e0cc12ec606] provision - err: User "system:serviceaccount:ansible-service-broker:asb" cannot create networkpolicies.networking.k8s.io in the namespace "test": User "system:serviceaccount:ansible-service-broker:asb" cannot create networkpolicies.networking.k8s.io in project "test" (post networkpolicies.networking.k8s.io)

Is it the reason for my issue? If yes, how can we resolve the problem?

From cmoullia at redhat.com Fri Jan 26 13:03:04 2018
From: cmoullia at redhat.com (Charles Moulliard)
Date: Fri, 26 Jan 2018 14:03:04 +0100
Subject: [Ansible-service-broker] Issue to create MySQL APB instance on ocp 3.7

This is really strange, as the ServiceAccount has the right:

oc adm policy who-can create networkpolicies
Namespace: ansible-service-broker
Verb:      create
Resource:  networkpolicies.extensions

Users:  admin
        system:admin
        system:serviceaccount:ansible-service-broker:asb
        system:serviceaccount:default:pvinstaller
        system:serviceaccount:openshift-infra:template-instance-controller

Groups: system:cluster-admins
        system:masters

CHARLES MOULLIARD
SOFTWARE ENGINEER MANAGER SPRING(BOOT)
Red Hat
cmoulliard at redhat.com
M: +32-473-604014
@cmoulliard

From cmoullia at redhat.com Fri Jan 26 13:10:49 2018
From: cmoullia at redhat.com (Charles Moulliard)
Date: Fri, 26 Jan 2018 14:10:49 +0100
Subject: [Ansible-service-broker] Issue to create MySQL APB instance on ocp 3.7

Hmhmh. The rule is not there.
apiVersion: v1
kind: ClusterRole
metadata:
  creationTimestamp: 2018-01-26T10:33:15Z
  name: asb-auth
  resourceVersion: "4154"
  selfLink: /oapi/v1/clusterroles/asb-auth
  uid: 512a7de2-0284-11e8-bd96-8a164c505ef4
rules:
- apiGroups:
  - ""
  attributeRestrictions: null
  resources:
  - namespaces
  verbs:
  - create
  - delete
- apiGroups:
  - authorization.openshift.io
  attributeRestrictions: null
  resources:
  - subjectrulesreview
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  attributeRestrictions: null
  resources:
  - subjectaccessreviews
  verbs:
  - create
- apiGroups:
  - authentication.k8s.io
  attributeRestrictions: null
  resources:
  - tokenreviews
  verbs:
  - create

On Fri, Jan 26, 2018 at 2:04 PM, Ryan Hallisey wrote:
> I could be wrong, but I think the User "system:serviceaccount:ansible-service-broker:asb" is only allowed to create networkpolicies in the namespace ansible-service-broker.
>
> Also let's double check your user has the correct permissions. See if you find the rule below in `kubectl get clusterrole asb-auth -o yaml`.
>
> - apiGroups: ["networking.k8s.io", ""]
>   attributeRestrictions: null
>   resources: ["networkpolicies"]
>   verbs: ["create", "delete"]

From rhallise at redhat.com Fri Jan 26 13:04:59 2018
From: rhallise at redhat.com (Ryan Hallisey)
Date: Fri, 26 Jan 2018 08:04:59 -0500
Subject: [Ansible-service-broker] Issue to create MySQL APB instance on ocp 3.7

I could be wrong, but I think the User "system:serviceaccount:ansible-service-broker:asb" is only allowed to create networkpolicies in the namespace ansible-service-broker.

Also let's double check your user has the correct permissions. See if you find the rule below in `kubectl get clusterrole asb-auth -o yaml`.

- apiGroups: ["networking.k8s.io", ""]
  attributeRestrictions: null
  resources: ["networkpolicies"]
  verbs: ["create", "delete"]

From cmoullia at redhat.com Tue Jan 30 07:12:27 2018
From: cmoullia at redhat.com (Charles Moulliard)
Date: Tue, 30 Jan 2018 08:12:27 +0100
Subject: [Ansible-service-broker] How can I customize the catalog displayed ?

Hi,

When ASB is deployed on openshift using this template [1], then a list of predefined services will be uploaded and next can be used from the openshift UI.

- Where is this list of Services declared?
- Can we customize it to create its list of services?
- What are the prereqs needed to follow in order to add / create a new service available from the openshift UI?

[1] https://goo.gl/1kUWcr

Regards

Charles
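Returning to the networkpolicies thread above: an added check, not from the thread or from the broker project, that reads a ClusterRole dump such as `kubectl get clusterrole asb-auth -o yaml` and reports whether any single rule grants create on networkpolicies in the networking.k8s.io group, which is exactly what the ASB log complained about. The sample ClusterRole YAML is constructed from the role Charles pasted and the rule Ryan quoted; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the broker's own tooling: check a ClusterRole dump for
# the rule the ASB pod needs in order to create NetworkPolicy objects in the
# target namespace ("test" in the thread).
#
# Live usage:  kubectl get clusterrole asb-auth -o yaml | has_networkpolicy_rule
# Note that `oc adm policy who-can create networkpolicies` with no API group and
# no -n resolves to networkpolicies.extensions in the current project, so it can
# answer "yes" while the broker is still denied networkpolicies.networking.k8s.io
# in another namespace; query the exact resource and namespace instead:
#   oc adm policy who-can create networkpolicies.networking.k8s.io -n test

# has_networkpolicy_rule: reads ClusterRole YAML on stdin; exit 0 if one rule
# under "rules:" names apiGroup networking.k8s.io, resource networkpolicies and
# verb create, else exit 1. Handles block style ("- create") and flow style
# (["create", "delete"]). Wildcard ("*") rules are not recognised.
has_networkpolicy_rule() {
  awk '
    function flush() {
      if (inrules && rule ~ /networking\.k8s\.io/ && rule ~ /networkpolicies/ && rule ~ /create/)
        found = 1
      rule = ""
    }
    /^rules:/           { inrules = 1; next }
    inrules && /^[^ -]/ { flush(); inrules = 0 }   # another top-level key ends the list
    inrules && /^- /    { flush() }                 # each "- apiGroups:" starts a new rule
    inrules             { rule = rule "\n" $0 }
    END                 { flush(); exit (found ? 0 : 1) }
  '
}

# Constructed sample: the asb-auth ClusterRole as pasted in the thread, without
# any rule for networkpolicies (the situation Charles hit).
ASB_AUTH_MISSING_RULE='apiVersion: v1
kind: ClusterRole
metadata:
  name: asb-auth
rules:
- apiGroups:
  - ""
  attributeRestrictions: null
  resources:
  - namespaces
  verbs:
  - create
  - delete
- apiGroups:
  - authorization.k8s.io
  attributeRestrictions: null
  resources:
  - subjectaccessreviews
  verbs:
  - create'

# The same role with the rule Ryan quoted appended (flow-style YAML).
ASB_AUTH_WITH_RULE="$ASB_AUTH_MISSING_RULE"'
- apiGroups: ["networking.k8s.io", ""]
  attributeRestrictions: null
  resources: ["networkpolicies"]
  verbs: ["create", "delete"]'

# check_clusterrole LABEL YAML: print a verdict and return the check's status.
check_clusterrole() {
  if printf '%s\n' "$2" | has_networkpolicy_rule; then
    echo "$1: grants create on networkpolicies.networking.k8s.io"
  else
    echo "$1: rule missing; the broker will be denied when it creates the per-APB NetworkPolicy"
    return 1
  fi
}

# Demo on the constructed samples (exit status deliberately ignored here).
check_clusterrole ASB_AUTH_MISSING_RULE "$ASB_AUTH_MISSING_RULE" || :
check_clusterrole ASB_AUTH_WITH_RULE "$ASB_AUTH_WITH_RULE" || :
```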
From cbrookes at redhat.com Tue Jan 30 08:57:32 2018
From: cbrookes at redhat.com (Craig Brookes)
Date: Tue, 30 Jan 2018 08:57:32 +0000
Subject: [Ansible-service-broker] How can I customize the catalog displayed ?

Hi Charles,

I am not familiar with that template, but will give you my answers to the list of questions:

- Where is this list of Services declared?

At startup, the ASB looks at a docker registry for images with a specified name, for example: *-apb. It then reads metadata about this image provided as labels [1]. This information forms the basis for the ClusterServiceClass consumed by the service catalog.

- Can we customize it to create its list of services?

Yes, you can change the config map set in the ansible-service-broker namespace and redeploy. More info on the config can be found at [2].

- What are the prereqs needed to follow in order to add / create a new service available from the openshift UI?

You will need to create at least 1 APB and you will need to change the configuration to point at a docker registry with the apb docker image. There is tooling and docs around APBs to help you do this at [3].

Craig Brookes

[1] https://hub.docker.com/r/aerogearcatalog/aerogear-digger-apb/~/dockerfile/
[2] https://github.com/openshift/ansible-service-broker/blob/master/docs/config.md
[3] https://github.com/ansibleplaybookbundle/ansible-playbook-bundle

--
Craig Brookes
RHMAP
@maleck13 Github

From cmoullia at redhat.com Tue Jan 30 09:07:22 2018
From: cmoullia at redhat.com (Charles Moulliard)
Date: Tue, 30 Jan 2018 10:07:22 +0100
Subject: [Ansible-service-broker] How can I customize the catalog displayed ?

Many thanks.

Do you know how the UI screen is able to know which Service or Template should be presented within the screen [1]?

[1] https://www.dropbox.com/s/29aqb2obgc8b46r/catalog.png?dl=0

From cbrookes at redhat.com Tue Jan 30 09:35:55 2018
From: cbrookes at redhat.com (Craig Brookes)
Date: Tue, 30 Jan 2018 09:35:55 +0000
Subject: [Ansible-service-broker] How can I customize the catalog displayed ?

The UI [1] calls out to the service-catalog [2], which is a k8s extension api server. The catalog aggregates the different broker services into a single list of ClusterServiceClasses which the UI then renders.

[1] https://github.com/openshift/origin-web-catalog
[2] https://github.com/kubernetes-incubator/service-catalog/

--
Craig Brookes
RHMAP
@maleck13 Github

From rhallise at redhat.com Wed Jan 31 02:56:34 2018
From: rhallise at redhat.com (Ryan Hallisey)
Date: Tue, 30 Jan 2018 21:56:34 -0500
Subject: [Ansible-service-broker] cluster-role escalation

Karim,

I think I have a workaround patch that will get provision working for the kubevirt-apb. Instructions for how to test it are in the commit message.

https://github.com/rthallisey/ansible-service-broker/commit/f27e0538959c43d47d2ff80bba1e894f2249ad62

To summarize for folks what I think is happening: we need the apb to have the cluster-admin role so it can create cluster-roles. To do this, set sandbox_role: cluster-admin, auto_escalate: true, and make the asb user cluster-admin. Then when you provision, you'll hit this issue: https://github.com/openshift/ansible-service-broker/issues/711. The rolebinding fails to create with the error:

rolebindings.rbac.authorization.k8s.io "apb-9c21c424-7091-4bc1-b5c5-0caa08aeec39" is forbidden: attempt to grant extra privileges.

It seems that we can't create a rolebinding that is cluster-admin. I'm still exploring the reason why it fails, but my theory is that the cluster-admin role gives access outside the scope of a role so it requires a clusterrolebinding. With the clusterrolebinding created with cluster-admin permissions, I was able to create cluster-resources from the apb.

Thanks,
-Ryan

From jesusr at redhat.com Wed Jan 31 04:08:07 2018
From: jesusr at redhat.com (jesus m. rodriguez)
Date: Tue, 30 Jan 2018 23:08:07 -0500
Subject: [Ansible-service-broker] expectation when apb is missing an action
Message-ID: <1517371687.13478.2.camel@redhat.com>

Hey folks,

What should we expect when an APB is missing an action? Say for example, we tell it to run bind or deprovision and the APB doesn't have one.

I expected an error, but it looks like we return 0 from the entrypoint.sh if the ACTION.y(a)ml is not found. Is that on purpose?

Thoughts?

jesus

From cbrookes at redhat.com Wed Jan 31 08:30:31 2018
From: cbrookes at redhat.com (Craig Brookes)
Date: Wed, 31 Jan 2018 08:30:31 +0000
Subject: [Ansible-service-broker] expectation when apb is missing an action
In-Reply-To: <1517371687.13478.2.camel@redhat.com>
References: <1517371687.13478.2.camel@redhat.com>

I would expect an error. Seems like a better experience for the developer and the consumer. If I ask the service to upgrade, for example, but it can't complete that action, then I think it should be an error.

--
Craig Brookes
RHMAP
@maleck13 Github
From jmatthew at redhat.com Wed Jan 31 11:13:20 2018
From: jmatthew at redhat.com (John Matthews)
Date: Wed, 31 Jan 2018 06:13:20 -0500
Subject: [Ansible-service-broker] cluster-role escalation

Mo,

Do you have any thoughts on the issue Ryan mentions below on being unable to create a rolebinding that is cluster-admin?

For background, this is for enabling the Broker to deploy APBs that will modify cluster infrastructure...not a typical application/service but special APBs that require extra privileges.

On Tue, Jan 30, 2018 at 9:56 PM, Ryan Hallisey wrote:
> Karim,
>
> I think I have a workaround patch that will get provision working for the kubevirt-apb. Instructions for how to test it are in the commit message.
>
> https://github.com/rthallisey/ansible-service-broker/commit/f27e0538959c43d47d2ff80bba1e894f2249ad62
>
> To summarize for folks what I think is happening. We need the apb to have the cluster-admin role so it can create cluster-roles. To do this, set sandbox_role: cluster-admin, auto_escalate: true, and make the asb user cluster-admin. Then when you provision, you'll hit this issue: https://github.com/openshift/ansible-service-broker/issues/711.
> The rolebinding fails to create with the error:
> rolebindings.rbac.authorization.k8s.io "apb-9c21c424-7091-4bc1-b5c5-0caa08aeec39" is forbidden: attempt to grant extra privileges.
> It seems that we can't create a rolebinding that is cluster-admin. I'm still exploring for the reason why it fails, but my theory is that the cluster-admin role gives access outside the scope of a role so it requires a clusterrolebinding. With the clusterrolebinding created with cluster-admin permissions, I was able to create cluster-resources from the apb.
>
> Thanks,
> -Ryan

From dymurray at redhat.com Wed Jan 31 13:26:52 2018
From: dymurray at redhat.com (Dylan Murray)
Date: Wed, 31 Jan 2018 08:26:52 -0500
Subject: [Ansible-service-broker] expectation when apb is missing an action
References: <1517371687.13478.2.camel@redhat.com>

+1, I would expect it to error and complain loudly.

From rhallise at redhat.com Wed Jan 31 13:43:09 2018
From: rhallise at redhat.com (Ryan Hallisey)
Date: Wed, 31 Jan 2018 08:43:09 -0500
Subject: [Ansible-service-broker] expectation when apb is missing an action
References: <1517371687.13478.2.camel@redhat.com>

I agree that we should error. Maybe we can make the apb exit with a specific code so that the broker can bubble up a message like "$action not implemented in your apb". Or maybe we can set the last_operation annotation?

-Ryan
>>> >>> jesus >>> >>> _______________________________________________ >>> Ansible-service-broker mailing list >>> Ansible-service-broker at redhat.com >>> https://www.redhat.com/mailman/listinfo/ansible-service-broker >> >> >> >> >> -- >> Craig Brookes >> RHMAP >> @maleck13 Github >> >> _______________________________________________ >> Ansible-service-broker mailing list >> Ansible-service-broker at redhat.com >> https://www.redhat.com/mailman/listinfo/ansible-service-broker >> > > > _______________________________________________ > Ansible-service-broker mailing list > Ansible-service-broker at redhat.com > https://www.redhat.com/mailman/listinfo/ansible-service-broker > From shurley at redhat.com Wed Jan 31 13:56:27 2018 From: shurley at redhat.com (Shawn Hurley) Date: Wed, 31 Jan 2018 08:56:27 -0500 Subject: [Ansible-service-broker] expectation when apb is missing an action In-Reply-To: References: <1517371687.13478.2.camel@redhat.com> Message-ID: +1 on error and complain loudly -Shawn > On Jan 31, 2018, at 8:43 AM, Ryan Hallisey wrote: > > I agree that we should error. Maybe we can make the apb exit with a > specific code so that the broker can bubble up a message like "$action > not implemented in your apb". Or maybe we can set the last_operation > annotation? > > -Ryan > > On Wed, Jan 31, 2018 at 8:26 AM, Dylan Murray wrote: >> +1, I would expect it to error and complain loudly. >> >> On Wed, Jan 31, 2018 at 3:30 AM, Craig Brookes wrote: >>> >>> I would expect an error. Seems like a better experience for the developer >>> and the consumer. I ask the service to upgrade for example, but it can't >>> complete that action, then I think it should be an error. >>> >>> On Wed, Jan 31, 2018 at 4:08 AM, jesus m. rodriguez >>> wrote: >>>> >>>> Hey folks, >>>> >>>> What should we expect when an APB is missing an action? Say for >>>> example, we tell it to run bind or deprovision and the APB doesn't have >>>> one. 
>>>> >>>> I expected an error, but looks like we return 0 from the entrypoint.sh >>>> if the ACTION.y(a)ml is not found. Is that on purpose? >>>> >>>> Thoughts? >>>> >>>> jesus >>>> >>>> _______________________________________________ >>>> Ansible-service-broker mailing list >>>> Ansible-service-broker at redhat.com >>>> https://www.redhat.com/mailman/listinfo/ansible-service-broker >>> >>> >>> >>> >>> -- >>> Craig Brookes >>> RHMAP >>> @maleck13 Github >>> >>> _______________________________________________ >>> Ansible-service-broker mailing list >>> Ansible-service-broker at redhat.com >>> https://www.redhat.com/mailman/listinfo/ansible-service-broker >>> >> >> >> _______________________________________________ >> Ansible-service-broker mailing list >> Ansible-service-broker at redhat.com >> https://www.redhat.com/mailman/listinfo/ansible-service-broker >> > > _______________________________________________ > Ansible-service-broker mailing list > Ansible-service-broker at redhat.com > https://www.redhat.com/mailman/listinfo/ansible-service-broker From dzager at redhat.com Wed Jan 31 14:13:54 2018 From: dzager at redhat.com (David Zager) Date: Wed, 31 Jan 2018 14:13:54 +0000 Subject: [Ansible-service-broker] cluster-role escalation In-Reply-To: References: Message-ID: Ryan, My understanding of wanting to run APBs with extra privileges from our broker is that this is a feature we would like to support down the line. As an aside, it seems worth pointing out that you can workaround this issue by using docker run like: docker run --rm --net=host \ -v $HOME/.kube:/opt/apb/.kube:z \ -u $UID \ ${APB_NAME} ${APB_ACTION:-'provision'} \ --extra-vars "namespace=mycoolnamespace" \ --extra-vars "etc=etc" Notes on this command: 1. You need to be using your host's network stack (--net=host) 2. Passing your kube config allows the APB to run at your permission level (ie. if you are an cluster-admin you can do what you want). 3. APB_NAME in this case would be kubevirt-apb 4. 
You may or may not need the namespace argument, I just know that a lot of our existing APBs assume that the namespace already exists I am a huge fan of the idea of using APBs to manage a cluster outside the service-catalog/service-broker context. However, I am also excited about pursuing the extra privileged APBs in our broker and how we will meet that use case, so this is not meant to take away from that discussion. Thanks, David On Wed, Jan 31, 2018 at 6:13 AM John Matthews wrote: > Mo, > > Do you have any thoughts on the issue Ryan mentions below on being unable > to create a rolebinding that is cluster-admin? > For background, this is for enabling the Broker to deploy APBs that will > modify cluster infrastructure...not a typical application/service but > special APBs that require extra privileges. > > > > > On Tue, Jan 30, 2018 at 9:56 PM, Ryan Hallisey > wrote: > >> Karim, >> >> I think I have a workaround patch that will get provision working for >> the kubevirt-apb. Instructions for how to test it are in the commit >> message. >> >> >> https://github.com/rthallisey/ansible-service-broker/commit/f27e0538959c43d47d2ff80bba1e894f2249ad62 >> >> To summarize for folks what I think is happening. We need the apb to >> have the cluster-admin role so it can create cluster-roles. To do >> this, set sandbox_role: cluster-admin, auto_escalate: true, and make >> the asb user cluster-admin. Then when you provision, you'll hit this >> issue: https://github.com/openshift/ansible-service-broker/issues/711. >> The rolebinding fails to create with the error: >> rolebindings.rbac.authorization.k8s.io >> "apb-9c21c424-7091-4bc1-b5c5-0caa08aeec39" is forbidden: attempt to >> grant extra privileges. >> It seems that we can't create a rolebinding that is cluster-admin. >> I'm still exploring for the reason why it fails, but my theory is that >> the cluster-admin role gives access outside the scope of a role so it >> requires a clusterrolebinding. 
With the clusterrolebinding created >> with cluster-admin permissions, I was able to create cluster-resources >> from the apb. >> >> Thanks, >> -Ryan >> >> _______________________________________________ >> Ansible-service-broker mailing list >> Ansible-service-broker at redhat.com >> https://www.redhat.com/mailman/listinfo/ansible-service-broker >> > > _______________________________________________ > Ansible-service-broker mailing list > Ansible-service-broker at redhat.com > https://www.redhat.com/mailman/listinfo/ansible-service-broker > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rhallise at redhat.com Wed Jan 31 16:20:15 2018 From: rhallise at redhat.com (Ryan Hallisey) Date: Wed, 31 Jan 2018 11:20:15 -0500 Subject: [Ansible-service-broker] cluster-role escalation In-Reply-To: References: Message-ID: Thanks David, that's really good to know. On Wed, Jan 31, 2018 at 9:13 AM, David Zager wrote: > Ryan, > > My understanding of wanting to run APBs with extra privileges from our > broker is that this is a feature we would like to support down the line. As > an aside, it seems worth pointing out that you can workaround this issue by > using docker run like: > > docker run --rm --net=host \ > -v $HOME/.kube:/opt/apb/.kube:z \ > -u $UID \ > ${APB_NAME} ${APB_ACTION:-'provision'} \ > --extra-vars "namespace=mycoolnamespace" \ > --extra-vars "etc=etc" > > > Notes on this command: > > You need to be using your host's network stack (--net=host) > Passing your kube config allows the APB to run at your permission level (ie. > if you are an cluster-admin you can do what you want). > APB_NAME in this case would be kubevirt-apb > You may or may not need the namespace argument, I just know that a lot of > our existing APBs assume that the namespace already exists > > I am a huge fan of the idea of using APBs to manage a cluster outside the > service-catalog/service-broker context. 
However, I am also excited about > pursuing the extra privileged APBs in our broker and how we will meet that > use case, so this is not meant to take away from that discussion. > > Thanks, > David > > On Wed, Jan 31, 2018 at 6:13 AM John Matthews wrote: >> >> Mo, >> >> Do you have any thoughts on the issue Ryan mentions below on being unable >> to create a rolebinding that is cluster-admin? >> For background, this is for enabling the Broker to deploy APBs that will >> modify cluster infrastructure...not a typical application/service but >> special APBs that require extra privileges. >> >> >> >> >> On Tue, Jan 30, 2018 at 9:56 PM, Ryan Hallisey >> wrote: >>> >>> Karim, >>> >>> I think I have a workaround patch that will get provision working for >>> the kubevirt-apb. Instructions for how to test it are in the commit >>> message. >>> >>> >>> https://github.com/rthallisey/ansible-service-broker/commit/f27e0538959c43d47d2ff80bba1e894f2249ad62 >>> >>> To summarize for folks what I think is happening. We need the apb to >>> have the cluster-admin role so it can create cluster-roles. To do >>> this, set sandbox_role: cluster-admin, auto_escalate: true, and make >>> the asb user cluster-admin. Then when you provision, you'll hit this >>> issue: https://github.com/openshift/ansible-service-broker/issues/711. >>> The rolebinding fails to create with the error: >>> rolebindings.rbac.authorization.k8s.io >>> "apb-9c21c424-7091-4bc1-b5c5-0caa08aeec39" is forbidden: attempt to >>> grant extra privileges. >>> It seems that we can't create a rolebinding that is cluster-admin. >>> I'm still exploring for the reason why it fails, but my theory is that >>> the cluster-admin role gives access outside the scope of a role so it >>> requires a clusterrolebinding. With the clusterrolebinding created >>> with cluster-admin permissions, I was able to create cluster-resources >>> from the apb. 
>>> >>> Thanks, >>> -Ryan >>> >>> _______________________________________________ >>> Ansible-service-broker mailing list >>> Ansible-service-broker at redhat.com >>> https://www.redhat.com/mailman/listinfo/ansible-service-broker >> >> >> _______________________________________________ >> Ansible-service-broker mailing list >> Ansible-service-broker at redhat.com >> https://www.redhat.com/mailman/listinfo/ansible-service-broker > > > _______________________________________________ > Ansible-service-broker mailing list > Ansible-service-broker at redhat.com > https://www.redhat.com/mailman/listinfo/ansible-service-broker > From rhallise at redhat.com Wed Jan 31 18:44:29 2018 From: rhallise at redhat.com (Ryan Hallisey) Date: Wed, 31 Jan 2018 13:44:29 -0500 Subject: [Ansible-service-broker] cluster-role escalation In-Reply-To: References: Message-ID: Following up on my original post. I found the reason the rolebinding was failing to create the cluster-admin role. My broker service account was not a cluster-admin. This makes sense since you shouldn't be able to elevate to higher permissions that you are. However, adding the cluster-admin role to apb does not provide cluster level access. Since we're creating a role binding, the apb is granted cluster-admin permissions within it's namespace. In order to access cluster level resources (anything outside it's namespace), we need to create a clusterrolebinding. Here's a writeup for adding a feature that will allow developers to have full access to the cluster: https://github.com/openshift/ansible-service-broker/issues/715 -Ryan On Wed, Jan 31, 2018 at 11:20 AM, Ryan Hallisey wrote: > Thanks David, that's really good to know. > > > On Wed, Jan 31, 2018 at 9:13 AM, David Zager wrote: >> Ryan, >> >> My understanding of wanting to run APBs with extra privileges from our >> broker is that this is a feature we would like to support down the line. 
As >> an aside, it seems worth pointing out that you can workaround this issue by >> using docker run like: >> >> docker run --rm --net=host \ >> -v $HOME/.kube:/opt/apb/.kube:z \ >> -u $UID \ >> ${APB_NAME} ${APB_ACTION:-'provision'} \ >> --extra-vars "namespace=mycoolnamespace" \ >> --extra-vars "etc=etc" >> >> >> Notes on this command: >> >> You need to be using your host's network stack (--net=host) >> Passing your kube config allows the APB to run at your permission level (ie. >> if you are an cluster-admin you can do what you want). >> APB_NAME in this case would be kubevirt-apb >> You may or may not need the namespace argument, I just know that a lot of >> our existing APBs assume that the namespace already exists >> >> I am a huge fan of the idea of using APBs to manage a cluster outside the >> service-catalog/service-broker context. However, I am also excited about >> pursuing the extra privileged APBs in our broker and how we will meet that >> use case, so this is not meant to take away from that discussion. >> >> Thanks, >> David >> >> On Wed, Jan 31, 2018 at 6:13 AM John Matthews wrote: >>> >>> Mo, >>> >>> Do you have any thoughts on the issue Ryan mentions below on being unable >>> to create a rolebinding that is cluster-admin? >>> For background, this is for enabling the Broker to deploy APBs that will >>> modify cluster infrastructure...not a typical application/service but >>> special APBs that require extra privileges. >>> >>> >>> >>> >>> On Tue, Jan 30, 2018 at 9:56 PM, Ryan Hallisey >>> wrote: >>>> >>>> Karim, >>>> >>>> I think I have a workaround patch that will get provision working for >>>> the kubevirt-apb. Instructions for how to test it are in the commit >>>> message. >>>> >>>> >>>> https://github.com/rthallisey/ansible-service-broker/commit/f27e0538959c43d47d2ff80bba1e894f2249ad62 >>>> >>>> To summarize for folks what I think is happening. We need the apb to >>>> have the cluster-admin role so it can create cluster-roles. 
To do >>>> this, set sandbox_role: cluster-admin, auto_escalate: true, and make >>>> the asb user cluster-admin. Then when you provision, you'll hit this >>>> issue: https://github.com/openshift/ansible-service-broker/issues/711. >>>> The rolebinding fails to create with the error: >>>> rolebindings.rbac.authorization.k8s.io >>>> "apb-9c21c424-7091-4bc1-b5c5-0caa08aeec39" is forbidden: attempt to >>>> grant extra privileges. >>>> It seems that we can't create a rolebinding that is cluster-admin. >>>> I'm still exploring for the reason why it fails, but my theory is that >>>> the cluster-admin role gives access outside the scope of a role so it >>>> requires a clusterrolebinding. With the clusterrolebinding created >>>> with cluster-admin permissions, I was able to create cluster-resources >>>> from the apb. >>>> >>>> Thanks, >>>> -Ryan >>>> >>>> _______________________________________________ >>>> Ansible-service-broker mailing list >>>> Ansible-service-broker at redhat.com >>>> https://www.redhat.com/mailman/listinfo/ansible-service-broker >>> >>> >>> _______________________________________________ >>> Ansible-service-broker mailing list >>> Ansible-service-broker at redhat.com >>> https://www.redhat.com/mailman/listinfo/ansible-service-broker >> >> >> _______________________________________________ >> Ansible-service-broker mailing list >> Ansible-service-broker at redhat.com >> https://www.redhat.com/mailman/listinfo/ansible-service-broker >> From monis at redhat.com Wed Jan 31 19:30:04 2018 From: monis at redhat.com (Mo Khan) Date: Wed, 31 Jan 2018 14:30:04 -0500 Subject: [Ansible-service-broker] cluster-role escalation In-Reply-To: References: Message-ID: Just to be clear, I am extremely uncomfortable in giving the ASB any more powers. If you want a broker that can manipulate cluster resources, it needs to be completely separated from the standard ASB broker that handles user requests. 
A better approach will likely involve the user giving the ASB a token that it then uses to perform actions (i.e. the user must have the powers needed to perform those actions but the ASB itself does not). Ryan is correct on the scoping of bindings and the escalation checks. On Wed, Jan 31, 2018 at 1:44 PM, Ryan Hallisey wrote: > Following up on my original post. I found the reason the rolebinding > was failing to create the cluster-admin role. My broker service > account was not a cluster-admin. This makes sense since you shouldn't > be able to elevate to higher permissions that you are. However, > adding the cluster-admin role to apb does not provide cluster level > access. Since we're creating a role binding, the apb is granted > cluster-admin permissions within it's namespace. In order to access > cluster level resources (anything outside it's namespace), we need to > create a clusterrolebinding. > > Here's a writeup for adding a feature that will allow developers to > have full access to the cluster: > https://github.com/openshift/ansible-service-broker/issues/715 > > -Ryan > > On Wed, Jan 31, 2018 at 11:20 AM, Ryan Hallisey > wrote: > > Thanks David, that's really good to know. > > > > > > On Wed, Jan 31, 2018 at 9:13 AM, David Zager wrote: > >> Ryan, > >> > >> My understanding of wanting to run APBs with extra privileges from our > >> broker is that this is a feature we would like to support down the > line. As > >> an aside, it seems worth pointing out that you can workaround this > issue by > >> using docker run like: > >> > >> docker run --rm --net=host \ > >> -v $HOME/.kube:/opt/apb/.kube:z \ > >> -u $UID \ > >> ${APB_NAME} ${APB_ACTION:-'provision'} \ > >> --extra-vars "namespace=mycoolnamespace" \ > >> --extra-vars "etc=etc" > >> > >> > >> Notes on this command: > >> > >> You need to be using your host's network stack (--net=host) > >> Passing your kube config allows the APB to run at your permission level > (ie. 
> >> if you are an cluster-admin you can do what you want). > >> APB_NAME in this case would be kubevirt-apb > >> You may or may not need the namespace argument, I just know that a lot > of > >> our existing APBs assume that the namespace already exists > >> > >> I am a huge fan of the idea of using APBs to manage a cluster outside > the > >> service-catalog/service-broker context. However, I am also excited about > >> pursuing the extra privileged APBs in our broker and how we will meet > that > >> use case, so this is not meant to take away from that discussion. > >> > >> Thanks, > >> David > >> > >> On Wed, Jan 31, 2018 at 6:13 AM John Matthews > wrote: > >>> > >>> Mo, > >>> > >>> Do you have any thoughts on the issue Ryan mentions below on being > unable > >>> to create a rolebinding that is cluster-admin? > >>> For background, this is for enabling the Broker to deploy APBs that > will > >>> modify cluster infrastructure...not a typical application/service but > >>> special APBs that require extra privileges. > >>> > >>> > >>> > >>> > >>> On Tue, Jan 30, 2018 at 9:56 PM, Ryan Hallisey > >>> wrote: > >>>> > >>>> Karim, > >>>> > >>>> I think I have a workaround patch that will get provision working for > >>>> the kubevirt-apb. Instructions for how to test it are in the commit > >>>> message. > >>>> > >>>> > >>>> https://github.com/rthallisey/ansible-service-broker/commit/ > f27e0538959c43d47d2ff80bba1e894f2249ad62 > >>>> > >>>> To summarize for folks what I think is happening. We need the apb to > >>>> have the cluster-admin role so it can create cluster-roles. To do > >>>> this, set sandbox_role: cluster-admin, auto_escalate: true, and make > >>>> the asb user cluster-admin. Then when you provision, you'll hit this > >>>> issue: https://github.com/openshift/ansible-service-broker/issues/711 > . 
> >>>> The rolebinding fails to create with the error: > >>>> rolebindings.rbac.authorization.k8s.io > >>>> "apb-9c21c424-7091-4bc1-b5c5-0caa08aeec39" is forbidden: attempt to > >>>> grant extra privileges. > >>>> It seems that we can't create a rolebinding that is cluster-admin. > >>>> I'm still exploring for the reason why it fails, but my theory is that > >>>> the cluster-admin role gives access outside the scope of a role so it > >>>> requires a clusterrolebinding. With the clusterrolebinding created > >>>> with cluster-admin permissions, I was able to create cluster-resources > >>>> from the apb. > >>>> > >>>> Thanks, > >>>> -Ryan > >>>> > >>>> _______________________________________________ > >>>> Ansible-service-broker mailing list > >>>> Ansible-service-broker at redhat.com > >>>> https://www.redhat.com/mailman/listinfo/ansible-service-broker > >>> > >>> > >>> _______________________________________________ > >>> Ansible-service-broker mailing list > >>> Ansible-service-broker at redhat.com > >>> https://www.redhat.com/mailman/listinfo/ansible-service-broker > >> > >> > >> _______________________________________________ > >> Ansible-service-broker mailing list > >> Ansible-service-broker at redhat.com > >> https://www.redhat.com/mailman/listinfo/ansible-service-broker > >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jmatthew at redhat.com Wed Jan 31 20:57:07 2018 From: jmatthew at redhat.com (John Matthews) Date: Wed, 31 Jan 2018 15:57:07 -0500 Subject: [Ansible-service-broker] cluster-role escalation In-Reply-To: References: Message-ID: On Wed, Jan 31, 2018 at 2:30 PM, Mo Khan wrote: > Just to be clear, I am extremely uncomfortable in giving the ASB any more > powers. If you want a broker that can manipulate cluster resources, it > needs to be completely separated from the standard ASB broker that handles > user requests. 
A better approach will likely involve the user giving the > ASB a token that it then uses to perform actions (i.e. the user must have > the powers needed to perform those actions but the ASB itself does not). > Totally agree, no objections. Think of the work happening now is R&D effort focused on APB development for future of how cluster infrastructure APBs can be developed. The larger problem of proper permissions for cluster infrastructure has not been researched yet. That is future work we have yet to begin. > > Ryan is correct on the scoping of bindings and the escalation checks. > > On Wed, Jan 31, 2018 at 1:44 PM, Ryan Hallisey > wrote: > >> Following up on my original post. I found the reason the rolebinding >> was failing to create the cluster-admin role. My broker service >> account was not a cluster-admin. This makes sense since you shouldn't >> be able to elevate to higher permissions that you are. However, >> adding the cluster-admin role to apb does not provide cluster level >> access. Since we're creating a role binding, the apb is granted >> cluster-admin permissions within it's namespace. In order to access >> cluster level resources (anything outside it's namespace), we need to >> create a clusterrolebinding. >> >> Here's a writeup for adding a feature that will allow developers to >> have full access to the cluster: >> https://github.com/openshift/ansible-service-broker/issues/715 >> >> -Ryan >> >> On Wed, Jan 31, 2018 at 11:20 AM, Ryan Hallisey >> wrote: >> > Thanks David, that's really good to know. >> > >> > >> > On Wed, Jan 31, 2018 at 9:13 AM, David Zager wrote: >> >> Ryan, >> >> >> >> My understanding of wanting to run APBs with extra privileges from our >> >> broker is that this is a feature we would like to support down the >> line. 
As >> >> an aside, it seems worth pointing out that you can workaround this >> issue by >> >> using docker run like: >> >> >> >> docker run --rm --net=host \ >> >> -v $HOME/.kube:/opt/apb/.kube:z \ >> >> -u $UID \ >> >> ${APB_NAME} ${APB_ACTION:-'provision'} \ >> >> --extra-vars "namespace=mycoolnamespace" \ >> >> --extra-vars "etc=etc" >> >> >> >> >> >> Notes on this command: >> >> >> >> You need to be using your host's network stack (--net=host) >> >> Passing your kube config allows the APB to run at your permission >> level (ie. >> >> if you are an cluster-admin you can do what you want). >> >> APB_NAME in this case would be kubevirt-apb >> >> You may or may not need the namespace argument, I just know that a lot >> of >> >> our existing APBs assume that the namespace already exists >> >> >> >> I am a huge fan of the idea of using APBs to manage a cluster outside >> the >> >> service-catalog/service-broker context. However, I am also excited >> about >> >> pursuing the extra privileged APBs in our broker and how we will meet >> that >> >> use case, so this is not meant to take away from that discussion. >> >> >> >> Thanks, >> >> David >> >> >> >> On Wed, Jan 31, 2018 at 6:13 AM John Matthews >> wrote: >> >>> >> >>> Mo, >> >>> >> >>> Do you have any thoughts on the issue Ryan mentions below on being >> unable >> >>> to create a rolebinding that is cluster-admin? >> >>> For background, this is for enabling the Broker to deploy APBs that >> will >> >>> modify cluster infrastructure...not a typical application/service but >> >>> special APBs that require extra privileges. >> >>> >> >>> >> >>> >> >>> >> >>> On Tue, Jan 30, 2018 at 9:56 PM, Ryan Hallisey >> >>> wrote: >> >>>> >> >>>> Karim, >> >>>> >> >>>> I think I have a workaround patch that will get provision working for >> >>>> the kubevirt-apb. Instructions for how to test it are in the commit >> >>>> message. 
>> >>>> >> >>>> >> >>>> https://github.com/rthallisey/ansible-service-broker/commit/ >> f27e0538959c43d47d2ff80bba1e894f2249ad62 >> >>>> >> >>>> To summarize for folks what I think is happening. We need the apb to >> >>>> have the cluster-admin role so it can create cluster-roles. To do >> >>>> this, set sandbox_role: cluster-admin, auto_escalate: true, and make >> >>>> the asb user cluster-admin. Then when you provision, you'll hit this >> >>>> issue: https://github.com/openshift/ansible-service-broker/issues/7 >> 11. >> >>>> The rolebinding fails to create with the error: >> >>>> rolebindings.rbac.authorization.k8s.io >> >>>> "apb-9c21c424-7091-4bc1-b5c5-0caa08aeec39" is forbidden: attempt to >> >>>> grant extra privileges. >> >>>> It seems that we can't create a rolebinding that is cluster-admin. >> >>>> I'm still exploring for the reason why it fails, but my theory is >> that >> >>>> the cluster-admin role gives access outside the scope of a role so it >> >>>> requires a clusterrolebinding. With the clusterrolebinding created >> >>>> with cluster-admin permissions, I was able to create >> cluster-resources >> >>>> from the apb. >> >>>> >> >>>> Thanks, >> >>>> -Ryan >> >>>> >> >>>> _______________________________________________ >> >>>> Ansible-service-broker mailing list >> >>>> Ansible-service-broker at redhat.com >> >>>> https://www.redhat.com/mailman/listinfo/ansible-service-broker >> >>> >> >>> >> >>> _______________________________________________ >> >>> Ansible-service-broker mailing list >> >>> Ansible-service-broker at redhat.com >> >>> https://www.redhat.com/mailman/listinfo/ansible-service-broker >> >> >> >> >> >> _______________________________________________ >> >> Ansible-service-broker mailing list >> >> Ansible-service-broker at redhat.com >> >> https://www.redhat.com/mailman/listinfo/ansible-service-broker >> >> >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL:
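The missing-action case from the first half of this thread (jesus's report that entrypoint.sh exits 0 when ACTION.y(a)ml is absent, and Ryan's suggestion of a distinct exit code the broker can turn into a message), worked through as an added example; this is not the project's entrypoint.sh. The exit code 8, the default playbook directory /opt/apb/actions and the action-name sanity check are assumptions of the example.

```shell
#!/bin/sh
# Added example, not the APB base image's entrypoint.sh: resolve an APB
# action to its playbook and fail with a distinct exit code when it is absent.

# Exit code returned when ACTION.yml / ACTION.yaml does not exist. The value
# 8 is a constructed choice for this example; a broker could map it to a
# message such as "$action not implemented in your apb".
APB_ACTION_NOT_IMPLEMENTED=8

# find_action_playbook DIR ACTION
# Prints the playbook path on stdout and returns 0 if DIR/ACTION.yml or
# DIR/ACTION.yaml exists. Returns 2 for an empty or path-like action name
# (so a caller cannot point the lookup outside DIR), and
# $APB_ACTION_NOT_IMPLEMENTED when neither file exists.
find_action_playbook() {
    dir=$1
    action=$2
    case "$action" in
        ''|*/*|*..*)
            printf 'refusing to resolve action name "%s"\n' "$action" >&2
            return 2
            ;;
    esac
    for candidate in "$dir/$action.yml" "$dir/$action.yaml"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    printf '%s not implemented in this APB (no %s.yml or %s.yaml in %s)\n' \
        "$action" "$action" "$action" "$dir" >&2
    return "$APB_ACTION_NOT_IMPLEMENTED"
}

# run_apb_action ACTION [ansible-playbook args...]
# Resolves the playbook under APB_PLAYBOOK_DIR (default /opt/apb/actions is
# an assumption of this example) and runs it. Because the lookup is a
# separate step with its own exit status, a missing playbook is reported
# instead of the container silently exiting 0.
run_apb_action() {
    action=$1
    shift
    playbook=$(find_action_playbook "${APB_PLAYBOOK_DIR:-/opt/apb/actions}" "$action") || return $?
    ansible-playbook "$playbook" "$@"
}

# Only dispatch when invoked with an action, e.g. ./entrypoint.sh provision
if [ "$#" -gt 0 ]; then
    run_apb_action "$@"
fi
```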