Home
The ECS Cloud Foundry Service broker uses Spring Configuration, and can, therefore, be configured via an `application.yml` file or environment variables. Environment variables take precedence over configuration parameters provided in the `application.yml` file and the Spring profile that is set.

Spring configurations specified in the `application.yml` can support multiple profiles, which can be set at runtime with a system property, `spring.profiles.active` (using the `-D` command-line flag), or with an environment variable, `SPRING_PROFILES_ACTIVE`. The default configuration file includes a `development` profile, and leaves a placeholder for a `production` profile.
To set the profile in the broker when run as a Cloud Foundry application, simply set the profile in the application manifest like so (the variable Spring reads is `SPRING_PROFILES_ACTIVE`):

```yaml
---
applications:
- name: ecs-broker
  path: ./build/libs/ecs-cf-service-broker-0.0.1-SNAPSHOT.jar
  env:
    SPRING_PROFILES_ACTIVE: production
```
The configuration is split into three sections:
- The broker security configuration.
- The broker application configuration, which includes the Cloud Foundry integration parameters and connectivity to the ECS management API.
- The catalog configuration, which includes the services and plans that will be offered to Cloud Foundry end-users.
The broker takes advantage of Spring Security to handle authentication from Cloud Foundry to the broker. Without any configuration, the broker will dynamically generate a password; however, it will change with each restart of the application, so Cloud Foundry would need to be updated each time this happens. To configure a static password, the following configuration can be applied to the `application.yml` file:

```yaml
security:
  user:
    password: password
```
This can also be configured via an environment variable in the Cloud Foundry `manifest.yml` file like so:

```yaml
applications:
- name: ecs-broker
  path: ./build/libs/ecs-cf-service-broker-0.0.1-SNAPSHOT.jar
  env:
    SECURITY_USER_PASSWORD: password
```
The broker configuration provides connectivity information, so that the broker has enough information to address the ECS appliance and create namespaces and buckets based on the services and plans to which the Cloud Foundry users have access. There are also a couple of parameters that customize behavior for the Cloud Foundry implementation itself.

These configuration parameters can be added to the `application.yml` file using the following format:

```yaml
broker:
  certificate: localhost.pem
  namespace: ns1
  replication-group: rg1
  management-endpoint: https://myecsappliance.domain.com:4443
  base-url: MyAwesomeBaseUrl
  repository-service-id: f3cbab6a-5172-4ff1-a5c7-72990f0ce2aa
  repository-plan-id: 89d20694-9ab0-4a98-bc6a-868d6d4ecf31
```
This can also be configured via environment variables in the Cloud Foundry `manifest.yml` file like so:

```yaml
applications:
- name: ecs-broker
  path: ./build/libs/ecs-cf-service-broker-0.0.1-SNAPSHOT.jar
  env:
    BROKER_CERTIFICATE: localhost.pem
    BROKER_NAMESPACE: ns1
    BROKER_REPLICATION_GROUP: rg1
    BROKER_MANAGEMENT_ENDPOINT: https://myecsappliance.domain.com:4443
    BROKER_BASE_URL: MyAwesomeBaseUrl
```
The following table includes the broker configuration parameters and descriptions of each:

| YAML Parameter | Environment Variable | Description |
|---|---|---|
| management-endpoint | BROKER_MANAGEMENT_ENDPOINT | The ECS management API URI. This provides access from the broker to the management API of the ECS. Typically this service runs on port 4443 of the ECS, but may be different if using a "local traffic manager" or "load balancer" between the Cloud Foundry Foundation and the ECS. The API is only accessible via HTTPS. |
| replication-group | BROKER_REPLICATION_GROUP | Name (not ID) of the replication group. This global setting specifies the replication group that this broker will use for creation of buckets or namespaces. |
| namespace | BROKER_NAMESPACE | When using CF to create buckets (not namespaces) this is the namespace used. This namespace will also be used for the repository bucket, where ECS stores CF-created metadata for the buckets and namespaces. |
| base-url | BROKER_BASE_URL | ECS Base URL name. This is the base URL configured in the ECS appliance that is used to connect via data service protocols (like S3). If none is specified, a default will be used. If none is configured, and the objectEndpoint parameter is not used, then the broker will error. The broker makes use of the base URL configuration to properly configure URLs when namespaces are used. In cases in which a load balancer or local traffic manager is used, the object endpoint can be overridden to match the correct name using the objectEndpoint parameter. |
| object-endpoint | BROKER_OBJECT_ENDPOINT | The objectEndpoint can be used when no ECS base URL is configured, or when a local traffic manager or load balancer is used and the local base URL does not match the addressable name. |
| repository-endpoint | BROKER_REPOSITORY_ENDPOINT | When creating a bucket and/or objects that represent broker-created metadata, this parameter can be used to specify the objectEndpoint (using the S3 protocol) that the broker should address. By default, this will use the endpoint detected from either the objectEndpoint or baseUrl parameters. |
| repository-user | BROKER_REPOSITORY_USER | This is the username created or used by the broker when writing CF-generated metadata to an internal bucket. The broker will create/use an ECS object user and secret key. The configured broker prefix will be applied to this. |
| username | BROKER_USERNAME | This is the username used by the broker to authenticate to the ECS management API. |
| password | BROKER_PASSWORD | This is the password used by the broker to authenticate to the ECS management API. |
| repository-bucket | BROKER_REPOSITORY_BUCKET | The broker will create/use a bucket of this name to store CF-generated metadata. The configured broker prefix will be applied to this. |
| prefix | BROKER_PREFIX | Any broker-created object users, buckets or namespaces will have this prefix applied to them upon creation. |
| broker-api-version | BROKER_BROKER_API_VERSION | This is the API version advertised by the broker to Cloud Foundry. It should typically match the maximum version of the service broker API supported by the Cloud Foundry revision. |
| certificate | BROKER_CERTIFICATE | This is the SSL certificate used by the broker when communicating with the ECS management API. This is only used when the ECS management API/GUI is configured with a self-signed certificate. When SSL termination is done by a local traffic manager or load balancer, or the certificate is signed by a trust accessible from Cloud Foundry, this parameter is not required. The certificate should be added in PEM format, and can be exported from the ECS GUI using a web browser, or downloaded with curl/wget and converted to PEM X509 with openssl. |
| repository-service-id | BROKER_REPOSITORY_SERVICE_ID | Services are defined in the catalog configuration of the broker. The repository-service-id parameter references the specific service that will be used when creating the repository bucket for Cloud Foundry service metadata. |
| repository-plan-id | BROKER_REPOSITORY_PLAN_ID | Plans are defined within a specific service in the catalog configuration of the broker. The repository-plan-id parameter references the specific plan that will be used when creating the repository bucket for Cloud Foundry metadata. |
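The precedence rule stated at the top of this page (environment variables override `application.yml`) together with the parameter table above determines what the broker actually runs with, and a misspelt variable name binds to nothing and is silently ignored. The following is an added example, not code from the ECS broker project: it maps property paths to environment-variable names the way Spring's relaxed binding does, resolves the effective value of each known property from a minimal `application.yml` subset plus an environment map, and runs a few deployment sanity checks derived from the table (HTTPS-only management API, either base-url or object-endpoint set, no placeholder broker password, no unrecognised `BROKER_`/`SECURITY_`/`SPRING_` variables). The YAML parser handles only two-space-indented `key: value` maps, and the sample configuration and environment are constructed for the example.

```python
import re
from typing import Dict, List, Mapping, Tuple

# Property paths from the configuration table above, plus the two Spring ones.
KNOWN_KEYS = [
    "spring.profiles.active",
    "security.user.password",
    "broker.management-endpoint", "broker.replication-group", "broker.namespace",
    "broker.base-url", "broker.object-endpoint", "broker.repository-endpoint",
    "broker.repository-user", "broker.username", "broker.password",
    "broker.repository-bucket", "broker.prefix", "broker.broker-api-version",
    "broker.certificate", "broker.repository-service-id", "broker.repository-plan-id",
]


def env_var_name(path: str) -> str:
    """Spring relaxed binding: 'broker.management-endpoint' -> 'BROKER_MANAGEMENT_ENDPOINT'."""
    return re.sub(r"[.\-]", "_", path).upper()


def parse_simple_yaml(text: str) -> Dict[str, str]:
    """Flatten a minimal YAML mapping (indented 'key: value' lines, no lists) into dotted keys."""
    result: Dict[str, str] = {}
    stack: List[Tuple[int, str]] = []  # (indent, key) of the enclosing mappings
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")  # split on the first colon only, URLs keep theirs
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():
            result[".".join(k for _, k in stack)] = value.strip()
    return result


def effective_config(yaml_text: str, environ: Mapping[str, str]) -> Dict[str, Tuple[str, str]]:
    """Resolve each known property to (value, source); an env var beats application.yml."""
    yaml_cfg = parse_simple_yaml(yaml_text)
    resolved: Dict[str, Tuple[str, str]] = {}
    for path in KNOWN_KEYS:
        name = env_var_name(path)
        if name in environ:
            resolved[path] = (environ[name], "env:" + name)
        elif path in yaml_cfg:
            resolved[path] = (yaml_cfg[path], "application.yml")
    return resolved


def check_config(cfg: Dict[str, Tuple[str, str]], environ: Mapping[str, str]) -> List[str]:
    """Sanity checks derived from the page's parameter descriptions (constructed for this example)."""
    findings: List[str] = []
    known_env = {env_var_name(p) for p in KNOWN_KEYS}
    for name in sorted(environ):
        if name.startswith(("SPRING_", "SECURITY_", "BROKER_")) and name not in known_env:
            findings.append(f"{name}: not a recognised property, probably a typo (value is ignored)")
    password = cfg.get("security.user.password")
    if password is None:
        findings.append("security.user.password unset: broker password is regenerated on every restart")
    elif password[0] in ("", "password", "changeme"):
        findings.append("security.user.password is a placeholder value")
    endpoint = cfg.get("broker.management-endpoint")
    if endpoint is None:
        findings.append("broker.management-endpoint unset")
    elif not endpoint[0].startswith("https://"):
        findings.append("broker.management-endpoint is not HTTPS: the ECS management API is HTTPS-only")
    if "broker.base-url" not in cfg and "broker.object-endpoint" not in cfg:
        findings.append("neither base-url nor object-endpoint configured: the broker will error")
    for required in ("broker.username", "broker.password", "broker.namespace", "broker.replication-group"):
        if required not in cfg:
            findings.append(f"{required} unset")
    return findings


# Constructed sample inputs: the YAML mirrors the page's snippets, the environment
# contains a misspelt profile variable and a plain-HTTP override for the endpoint.
SAMPLE_APPLICATION_YML = """\
security:
  user:
    password: password
broker:
  certificate: localhost.pem
  namespace: ns1
  replication-group: rg1
  management-endpoint: https://myecsappliance.domain.com:4443
  base-url: MyAwesomeBaseUrl
  username: broker-admin
"""
SAMPLE_ENV = {
    "SPRING_ACTIVE_PROFILES": "production",  # constructed typo: binds to nothing
    "SECURITY_USER_PASSWORD": "s3cr3t-from-credhub",
    "BROKER_MANAGEMENT_ENDPOINT": "http://ecs-lb.internal:4443",
}

if __name__ == "__main__":
    cfg = effective_config(SAMPLE_APPLICATION_YML, SAMPLE_ENV)
    for path, (value, source) in cfg.items():
        print(f"{path:30} = {value!r:45} ({source})")
    for finding in check_config(cfg, SAMPLE_ENV):
        print("FINDING:", finding)
```

Run against the sample data, the resolver shows the password and management endpoint coming from the environment and everything else from `application.yml`, and the checks flag the misspelt profile variable, the non-HTTPS endpoint override, and the missing `broker.password`. The same functions can be pointed at a real `application.yml` and `os.environ` before pushing the broker.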
TODO
TODO
TODO
Consult the Using ECS Service Broker for VMware Tanzu page on the VMware Partner documentation portal. See the Managing Service Instances with the cf CLI page for a general understanding of CF CLI usage scenarios.

By default, services for new brokers are not enabled in the marketplace until an administrator enables them. To enable them, first check the name of your service broker in the Cloud Foundry instance and namespace:

```
cf service-brokers
```

Then run `cf service-access` to see the list of services provided by each service broker. Notice the `access` column: if it shows `none`, the service cannot be used. Run the `enable-service-access` command to open access, with the `-b` option if any of the services have duplicate names across different brokers:

```
cf enable-service-access ecs-bucket -b ecs-broker
cf enable-service-access ecs-namespace -b ecs-broker
```

Then, use the `marketplace` command to list all accessible services with the plans offered by the broker:

```
cf marketplace
```

Use the `create-service` command to create a named service instance: `cf create-service SERVICE PLAN INSTANCE_NAME`

```
cf create-service ecs-bucket 100gb test-bucket
```

List created services with `cf services` to check that the new entry appears (`test-bucket` in our example).
TODO
If your deployed application needs namespace access, you need to:
- create a Namespace service plan,
- use it to create a service instance,
- create a binding for your application.

On instance creation, the broker calls ECS to create a namespace with (optional) quota and retention class parameters. Then, on instance binding, an S3 user is created and its credentials are returned to CF and passed as environment variables to the app (see Obtain Service Instance Access Credentials).
TODO