-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Broker bind output #25
Conversation
- debug: | ||
msg: "<BIND_CREDENTIALS>{{ encoded_bind_credentials.stdout }}</BIND_CREDENTIALS>" | ||
- copy: | ||
content="<BIND_CREDENTIALS>{{ encoded_bind_credentials.stdout }}</BIND_CREDENTIALS>" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we use colons instead of equals?
- copy:
content: "<BIND_CREDENTIALS>{{ encoded_bind_credentials.stdout }}</BIND_CREDENTIALS>"
dest: /etc/ansible-service-broker/bind-creds
instead of:
- copy:
content="<BIND_CREDENTIALS>{{ encoded_bind_credentials.stdout }}</BIND_CREDENTIALS>"
dest=/etc/ansible-service-broker/bind-creds
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Now that bind credentials are in their own file instead of scraping a log, do we still need to use <BIND_CREDENTIALS>
tags? Can the broker just read it without having to look for and omit the tags?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ya I can make that work.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm going to fix <BIND_CRENTIALS> in another patch #34
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
More of a question, I'm a little confused how all this fits together. maybe because it's 1:13am and I'm not thinking clearly. :)
apb-base/Dockerfile
Outdated
/etc/ansible /opt/ansible \ | ||
${BASE_DIR} ${BASE_DIR}/etc \ | ||
${BASE_DIR}/.kube ${BASE_DIR}/.ansible/tmp && \ | ||
useradd -u ${USER_UID} -r -g 0 -M -d ${BASE_DIR} -b ${BASE_DIR} -s /sbin/nologin -c "apb user" ${USER_NAME} && \ | ||
chown -R ${USER_NAME}:0 /opt/{ansible,apb} && \ | ||
chown -R ${USER_NAME}:0 /etc/ansible-service-broker && \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I actually find it weird to see ansible-service-broker
in the base apb image. Maybe it's not a bad thing, but I find it weird to see it leaking in. Especially in /etc/
which I think of a config directory
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm using this location to hold the bind credentials for the apb. I can change it to be /etc/apb if that makes it clearer.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree with wanting to remove 'ansible-service-broker' and go with a different name, also feels weird to be writing into '/etc' for this, I would think we'd want a dir under /var
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I figured '/etc' because it's storing credentials. But I could also see '/var/lib/apb' since it's data relative to the apb.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I never addressed this. I think we want this to be apb.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Switch to : from = and test.
f56c0a6
to
19692aa
Compare
@cfchase tested |
19692aa
to
2bf8385
Compare
@rthallisey I think I understand what's going on. We used to just print out the credentials to stdout. The container could conceivably go away before the broker saw the credentials. This patch seems to keep the container running until broker can get the creds. And instead of using stdout, it uses a file on the container. |
2bf8385
to
f795bd6
Compare
Before we merge this I want to confirm the workflow with a few others on AOS to be sure we are on right track. Tracking this in card: |
Verified this approach is good to go. We want to get this in when we can. |
bb4e706
to
c3b7642
Compare
796ca99
to
39ef43b
Compare
- Script for the broker to use when it execs into the container - Script that will keep the apb running until the broker scoops up the bind credentials
This patch was written when only bind was returning credentials. Reconfigure this to support both provision and bind.
39ef43b
to
67d8f2b
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
NACK pending changes from the broker PR:
67d8f2b
to
2fac6eb
Compare
Only execute a one time command and exit so we keep the retry logic in one place.
Merging, openshift/ansible-service-broker#124 just got merged to broker master. This PR is required for any images that will be run by that broker moving forwards. |
Rework of the broker bind output. We're going to have the broker exec into the container to gather bind creds.
Ref: openshift/ansible-service-broker#124