deploy-ansible-service-broker.template.yaml

apiVersion: v1
kind: Template
metadata:
  name: ansible-service-broker
objects:
- apiVersion: v1
  kind: Service
  metadata:
    name: asb
    labels:
      app: ansible-service-broker
      service: asb
    annotations:
      service.alpha.openshift.io/serving-cert-secret-name: asb-tls
  spec:
    ports:
      - name: port-1338
        port: 1338
        targetPort: 1338
        protocol: TCP
    selector:
      app: ansible-service-broker
      service: asb

- apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: asb
    namespace: ansible-service-broker

- apiVersion: authorization.openshift.io/v1
  kind: ClusterRoleBinding
  metadata:
    name: asb
  roleRef:
    name: admin
  subjects:
  - kind: ServiceAccount
    name: asb
    namespace: ansible-service-broker

- apiVersion: authorization.openshift.io/v1
  kind: ClusterRole
  metadata:
    name: asb-auth
  rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["create", "delete"]
  - apiGroups: ["authorization.openshift.io"]
    resources: ["subjectrulesreview"]
    verbs: ["create"]
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]
  - apiGroups: ["authentication.k8s.io"]
    resources: ["tokenreviews"]
    verbs: ["create"]

- apiVersion: authorization.openshift.io/v1
  kind: ClusterRoleBinding
  metadata:
    name: asb-auth-bind
  subjects:
  - kind: ServiceAccount
    name: asb
    namespace: ansible-service-broker
  roleRef:
    kind: ClusterRole
    name: asb-auth

- apiVersion: authorization.openshift.io/v1
  kind: ClusterRole
  metadata:
    name: access-asb-role
  rules:
  - nonResourceURLs: ["${BROKER_URL_PREFIX}", "${BROKER_URL_PREFIX}/*"]
    verbs: ["get", "post", "put", "patch", "delete"]

- apiVersion: v1
  kind: PersistentVolumeClaim
  metadata:
    name: etcd
    namespace: ansible-service-broker
  spec:
    accessModes:
      - ReadWriteOnce
    resources:
      requests:
        storage: 1Gi

- apiVersion: v1
  kind: DeploymentConfig
  metadata:
    name: asb
    labels:
      app: ansible-service-broker
      service: asb
  spec:
    replicas: 1
    selector:
      app: ansible-service-broker
    strategy:
      type: Rolling
    template:
      metadata:
        labels:
          app: ansible-service-broker
          service: asb
      spec:
        serviceAccount: asb
        containers:
        - image: ${BROKER_IMAGE}
          name: asb
          imagePullPolicy: IfNotPresent
          volumeMounts:
            - name: config-volume
              mountPath: /etc/ansible-service-broker
            - name: asb-tls
              mountPath: /etc/tls/private
            - name: asb-auth-volume
              mountPath: /var/run/asb-auth
          ports:
            - containerPort: 1338
              protocol: TCP
          env:
          - name: BROKER_CONFIG
            value: ${BROKER_CONFIG}
          resources: {}
          terminationMessagePath: /tmp/termination-log

        - image: ${ETCD_IMAGE}
          name: etcd
          imagePullPolicy: IfNotPresent
          terminationMessagePath: /tmp/termination-log
          workingDir: /etcd
          args:
            - ${ETCD_PATH}
            - --data-dir=/data
            - --listen-client-urls=http://0.0.0.0:2379
            - --advertise-client-urls=http://0.0.0.0:2379
          ports:
          - containerPort: 2379
            protocol: TCP
          env:
          - name: ETCDCTL_API
            value: "3"
          volumeMounts:
            - mountPath: /data
              name: etcd
        volumes:
          - name: etcd
            persistentVolumeClaim:
              claimName: etcd
          - name: config-volume
            configMap:
              name: broker-config
              items:
              - key: broker-config
                path: config.yaml
          - name: asb-tls
            secret:
              secretName: asb-tls
          - name: asb-auth-volume
            secret:
              secretName: asb-auth-secret

- apiVersion: v1
  kind: Secret
  metadata:
    name: asb-auth-secret
    namespace: ansible-service-broker
  data:
    username: ${BROKER_USER}
    password: ${BROKER_PASS}

- apiVersion: v1
  kind: ConfigMap
  metadata:
    name: broker-config
    namespace: ansible-service-broker
    labels:
      app: ansible-service-broker
  data:
    broker-config: |
      registry:
        - type: "${REGISTRY_TYPE}"
          name: "${REGISTRY_NAME}"
          url: "${REGISTRY_URL}"
          user: "${DOCKERHUB_USER}"
          pass: "${DOCKERHUB_PASS}"
          org: "${DOCKERHUB_ORG}"
          tag: "${TAG}"
          white_list:
            - ".*-apb$"
      dao:
        etcd_host: 0.0.0.0
        etcd_port: 2379
      log:
        logfile: /var/log/ansible-service-broker/asb.log
        stdout: true
        level: debug
        color: true
      openshift:
        host: "${CLUSTER_AUTH_HOST}"
        ca_file: "${CA_FILE}"
        bearer_token_file: "${BEARER_TOKEN_FILE}"
        image_pull_policy: "${IMAGE_PULL_POLICY}"
        sandbox_role: "${SANDBOX_ROLE}"
      broker:
        dev_broker: ${DEV_BROKER}
        bootstrap_on_startup: ${BOOTSTRAP_ON_STARTUP}
        refresh_interval: "${REFRESH_INTERVAL}"
        launch_apb_on_bind: ${LAUNCH_APB_ON_BIND}
        output_request: ${OUTPUT_REQUEST}
        recovery: ${RECOVERY}
        ssl_cert_key: /etc/tls/private/tls.key
        ssl_cert: /etc/tls/private/tls.crt
        auto_escalate: ${AUTO_ESCALATE}
        auth:
          - type: basic
            enabled: ${ENABLE_BASIC_AUTH}

- apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: ansibleservicebroker-client
    namespace: ansible-service-broker

- apiVersion: authorization.openshift.io/v1
  kind: ClusterRoleBinding
  metadata:
    name: ansibleservicebroker-client
  subjects:
  - kind: ServiceAccount
    name: ansibleservicebroker-client
    namespace: ansible-service-broker
  roleRef:
    kind: ClusterRole
    name: access-asb-role

- apiVersion: v1
  kind: Secret
  metadata:
    name: ansibleservicebroker-client
    annotations:
      kubernetes.io/service-account.name: ansibleservicebroker-client
  type: kubernetes.io/service-account-token

- apiVersion: v1
  kind: Route
  metadata:
    name: asb-1338
    labels:
      app: ansible-service-broker
      service: asb
  spec:
    to:
      kind: Service
      name: asb
    port:
      targetPort: port-1338
    tls:
      termination: reencrypt

- apiVersion: servicecatalog.k8s.io/v1alpha1
  kind: ${BROKER_KIND}
  metadata:
    name: ansible-service-broker
  spec:
    url: https://asb.ansible-service-broker.svc:1338${BROKER_URL_PREFIX}/
    authInfo:
      ${{BROKER_AUTH}}
    caBundle: ${BROKER_CA_CERT}

parameters:
- description: Service Broker kind. Newer service-catalogs use ServiceBroker
  displayname: Service Broker kind. Newer service-catalogs use ServiceBroker
  name: BROKER_KIND
  value: ServiceBroker

- description: Service Broker CA Cert.
  displayname: Service Broker kind.
  name: BROKER_CA_CERT
  value: ""

- description: Service Broker url prefix for the cluster
  displayname: ASB Url Prefix
  name: BROKER_URL_PREFIX
  value: "/ansible-service-broker"

- description: Broker Auth Info
  displayname: Broker Auth Info
  name: BROKER_AUTH
  value: '{ "bearer": { "secretRef": { "kind": "Secret", "namespace": "ansible-service-broker", "name": "ansibleservicebroker-client" } } }'

- description: Suffix for OpenShift routes
  displayname: Suffix for OpenShift routes
  name: ROUTING_SUFFIX
  value: "172.17.0.1.nip.io"

- description: Container Image to use for Ansible Service Broker in format of imagename:tag
  displayname: Ansible Service Broker Image
  name: BROKER_IMAGE
  value: ansibleplaybookbundle/origin-ansible-service-broker:latest

- description: Container Image to use for etcd in format of imagename:tag
  displayname: etcd Image
  name: ETCD_IMAGE
  value: quay.io/coreos/etcd:latest

- description: Path of the etcd binary
  displayname: etcd path
  name: ETCD_PATH
  value: /usr/local/bin/etcd

- description: Configuration filepath for Ansible Service Broker
  displayname: Ansible Service Broker Configuration File
  name: BROKER_CONFIG
  value: /etc/ansible-service-broker/config.yaml

- description: Dockerhub user password
  displayname: Dockerhub user password
  name: DOCKERHUB_PASS
  value: changeme

- description: Dockerhub user name
  displayname: Dockerhub user name
  name: DOCKERHUB_USER
  value: changeme

- description: Dockerhub organization
  displayname: Dockerhub organization
  name: DOCKERHUB_ORG
  value: ansibleplaybookbundle

- description: APB Image Tag
  displayname: APB Image Tag
  name: TAG
  value: latest

- description: OpenShift User Password
  displayname: OpenShift User Password
  name: OPENSHIFT_PASS
  value: admin

- description: OpenShift User Name
  displayname: OpenShift User Name
  name: OPENSHIFT_USER
  value: admin

- description: OpenShift Target URL
  displayname: OpenShift Target URL
  name: OPENSHIFT_TARGET
  value: kubernetes.default

- description: Registry Type
  displayname: Registry Type
  name: REGISTRY_TYPE
  value: dockerhub

# Intentionally shortening the registry name to lessen impact of
# PodPreset name has a requirement of being less than 63 chars
# https://github.com/kubernetes-incubator/service-catalog/issues/1047
# https://github.com/openshift/ansible-service-broker/issues/283
- description: Registry Name
  displayname: Registry Name
  name: REGISTRY_NAME
  value: dh

- description: Registry URL
  displayname: Registry URL
  name: REGISTRY_URL
  value: https://registry.hub.docker.com

- description: Include Broker Development Endpoint
  displayname: Include Broker Development Endpoint
  name: DEV_BROKER
  value: "true"

- description: Launch APB on bind
  displayname: Launch APB on bind
  name: LAUNCH_APB_ON_BIND
  value: "false"

- description: Will automatically bootstrap the broker on startup
  displayname: Bootstrap On Startup
  name: BOOTSTRAP_ON_STARTUP
  value: "true"

- description: Refresh the available broker images every interval of seconds
  displayname: Refresh Interval
  name: REFRESH_INTERVAL
  value: "600s"

- description: Output broker requests to log
  displayname: Output broker requests to log
  name: OUTPUT_REQUEST
  value: "true"

- description: Recover unfinshed jobs on restart
  displayname: Recovery
  name: RECOVERY
  value: "true"

 #TODO: NEED TO CHANGE TO FALSE AFTER THE 3.7 CUT
- description: Auto escalate the broker. Will remove user impresonation
  displayname: Auto Escalate
  name: AUTO_ESCALATE
  value: "true"

- description: APB ImagePullPolicy
  displayname: APB ImagePullPolicy
  name: IMAGE_PULL_POLICY
  value: "IfNotPresent"

- description: Will enable basic authentication
  displayname: Enable basic authentication
  name: ENABLE_BASIC_AUTH
  value: "true"

############################################################
# NOTE: These values MUST be base64 encoded.
# http://red.ht/2wbrCYo states "The value associated with
# keys in the data map must be base64 encoded."
############################################################
- description: Broker user password
  displayname: Broker user password
  name: BROKER_PASS
  value: YWRtaW4=

- description: Broker user name
  displayname: Broker user name
  name: BROKER_USER
  value: YWRtaW4=

############################################################
# NOTE: Default behavior for these are going to use the kubernetes
# InClusterConfig. These are typically overridden for running
# the broker outside of a cluster. Under normal circumstances,
# you probably want to leave these blank.
############################################################
- description: Service Account CAFile Path
  displayname: Service Account CAFile Path
  name: CA_FILE
  value: ""

- description: Service Account Bearer Token File
  displayname: Service Account Bearer Token File
  name: BEARER_TOKEN_FILE
  value: ""

- description: Cluster Authentication Host
  displayname: Cluster Authentication Host
  name: CLUSTER_AUTH_HOST
  value: ""

- description: Role to use for APB Sandboxes
  displayname: Role to use for APB Sandboxes
  name: SANDBOX_ROLE
  value: "edit"

############################################################