You can install the OpenShift Ansible Broker to gain access to the service bundles that it provides.

The OpenShift Ansible Broker is deprecated in OpenShift Container Platform 4. Equivalent and better functionality is present in the Operator Framework and Operator Lifecycle Manager (OLM).

About the OpenShift Ansible Broker

The OpenShift Ansible Broker is an implementation of the Open Service Broker (OSB) API that manages applications defined by Ansible playbook bundles (APBs). APBs provide a method for defining and distributing container applications in OpenShift Container Platform, and consist of a bundle of Ansible playbooks built into a container image with an Ansible runtime. APBs leverage Ansible to create a standard mechanism to automate complex deployments.

The OpenShift Ansible Broker follows this basic workflow:

  1. A user requests the list of available applications from the service catalog using the OpenShift Container Platform web console.

  2. The service catalog requests the list of available applications from the OpenShift Ansible Broker.

  3. The OpenShift Ansible Broker communicates with a defined container image registry to learn which APBs are available.

  4. The user issues a request to provision a specific APB.

  5. The OpenShift Ansible Broker fulfills the user’s provision request by invoking the provision method on the APB.

The OpenShift Ansible Broker is not installed by default in OpenShift Container Platform 4.

Ansible playbook bundles

An Ansible playbook bundle (APB) is a lightweight application definition that allows you to leverage existing investment in Ansible roles and playbooks.

APBs use a simple directory with named playbooks to perform OSB API actions, such as provision and bind. Metadata defined in the apb.yml file contains a list of required and optional parameters for use during deployment.

Additional resources

Installing the OpenShift Ansible Service Broker Operator

Prerequisites
  • You have installed the service catalog.

Procedure

The following procedure installs the OpenShift Ansible Service Broker Operator using the web console.

  1. Create a namespace.

    1. Navigate in the web console to AdministrationNamespaces and click Create Namespace.

    2. Enter openshift-ansible-service-broker in the Name field and openshift.io/cluster-monitoring=true in the Labels field and click Create.

      The namespace must start with openshift-.
  2. Create a cluster role binding.

    1. Navigate to AdministrationRole Bindings and click Create Binding.

    2. For the Binding Type, select Cluster-wide Role Binding (ClusterRoleBinding).

    3. For the Role Binding, enter ansible-service-broker in the Name field.

    4. For the Role, select admin.

    5. For the Subject, choose the Service Account option, select the openshift-ansible-service-broker namespace, and enter openshift-ansible-service-broker-operator in the Subject Name field.

    6. Click Create.

  3. Create a secret to connect to the Red Hat Container Catalog.

    1. Navigate to WorkloadsSecrets. Verify that the openshift-ansible-service-broker project is selected.

    2. Click CreateKey/Value Secret.

    3. Enter asb-registry-auth as the Secret Name.

    4. Add a Key of username and a Value of your Red Hat Container Catalog user name.

    5. Click Add Key/Value and add a Key of password and a Value of your Red Hat Container Catalog password.

    6. Click Create.

  4. Navigate to the CatalogOperatorHub page. Verify that the openshift-ansible-service-broker project is selected.

  5. Select OpenShift Ansible Service Broker Operator.

  6. Read the information about the Operator and click Install.

  7. Review the default selections and click Subscribe.

Next, you must start the OpenShift Ansible Broker in order to access the service bundles it provides.

Starting the OpenShift Ansible Broker

After you have installed the OpenShift Ansible Service Broker Operator, you can start the OpenShift Ansible Broker using the following procedure.

Prerequisites
  • You have installed the service catalog.

  • You have installed the OpenShift Ansible Service Broker Operator.

Procedure
  1. Navigate in the web console to CatalogInstalled Operators and select the openshift-ansible-service-broker project.

  2. Select the OpenShift Ansible Service Broker Operator.

  3. Under Provided APIs, click Create New for Automation Broker.

  4. Add the following to the spec field in the default YAML provided:

    registry:
      - name: rhcc
        type: rhcc
        url: https://registry.redhat.io
        auth_type: secret
        auth_name: asb-registry-auth

    This references the secret that was created when installing the OpenShift Ansible Service Broker Operator, which allows you to connect to the Red Hat Container Catalog.

  5. Set any additional OpenShift Ansible Broker configuration options and click Create.

  6. Verify that the OpenShift Ansible Broker has started.

    After the OpenShift Ansible Broker has started, you can view the available service bundles by navigating to CatalogDeveloper Catalog and selecting the Service Class checkbox. Note that it may take a few minutes for the OpenShift Ansible Broker to start and the service bundles to be available.

    If you do not yet see these Service classes, you can check the status of the following items:

    • OpenShift Ansible Broker Pod status

      • From the WorkloadsPods page for the openshift-ansible-service-broker project, verify that the Pod that starts with asb- has a status of Running and readiness of Ready.

    • Cluster service broker status

      • From the CatalogBroker ManagementService Brokers page, verify that the ansible-service-broker service broker has a status of Ready.

    • Service catalog controller manager Pod logs

      • From the WorkloadsPods page for the openshift-service-catalog-controller-manager project, review the logs for each of the Pods and verify that you see a log entry with the message Successfully fetched catalog entries from broker.

OpenShift Ansible Broker configuration options

You can set the following options for your OpenShift Ansible Broker.

Table 1. OpenShift Ansible Broker configuration options
YAML key Description Default value

brokerName

The name used to identify the broker instance.

ansible-service-broker

brokerNamespace

The namespace where the broker resides.

openshift-ansible-service-broker

brokerImage

The fully qualified image used for the broker.

docker.io/ansibleplaybookbundle/origin-ansible-service-broker:v4.0

brokerImagePullPolicy

The pull policy used for the broker image itself.

IfNotPresent

brokerNodeSelector

The node selector string used for the broker’s deployment.

''

registries

Expressed as a yaml list of broker registry configs, allowing the user to configure the image registries the broker will discover and source its APBs from.

logLevel

The log level used for the broker’s logs.

info

apbPullPolicy

The pull policy used for APB Pods.

IfNotPresent

sandboxRole

The role granted to the service account used to execute APBs.

edit

keepNamespace

Whether the transient namespace created to run the APB is deleted after the conclusion of the APB, regardless of the result.

false

keepNamespaceOnError

Whether the transient namespace created to run the APB is deleted after the conclusion of the APB, only in the event of an error result.

false

bootstrapOnStartup

Whether or not the broker should run its bootstrap routine on startup.

true

refreshInterval

The interval of time between broker bootstraps, refreshing its inventory of APBs.

600s

launchApbOnBind

Experimental: Toggles the broker executing APBs on bind operations.

false

autoEscalate

Whether the broker should escalate the permissions of a user while running the APB. This should typically remain false since the broker performs originating user authorization to ensure that the user has permissions granted to the APB sandbox.

false

outputRequest

Whether to output the low level HTTP requests that the broker receives.

false

Default array for registries
- type: rhcc
  name: rhcc
  url: https://registry.redhat.io
  white_list:
  - ".*-apb$"
  auth_type: secret
  auth_name: asb-registry-auth