The AWS Service Broker exposes AWS Services through the Open Service Broker (OSB) protocol. These docs are based on the AWS Service Broker Documentation. This doc covers two possible installations:
- Install the AWS Service Broker in the Kf Kubernetes Cluster (recommended)
- Install the AWS Service Broker in AWS and exposing the API via a VPC bridge
Prerequisites
In addition to a Kubernetes cluster with Kf and Service Catalog installed (see
these instructions), the following tools must be installed on the
workstation where you will be using the kf CLI:
helm: Follow these instructions to install thehelmCLI.
Method 1: Install in GKE
The AWS Service Broker is deployed using the Helm chart from the AWS Service Broker's getting started guide for Kubernetes.
Infrastructure
The AWS Service Broker requires a DynamoDB table and an IAM user to access the table. The easiest method is to deploy the provided CloudFormation template. For manual installation, see the prerequisite docs.
Helm
First, add the Helm repository to your machine:
$ helm repo add aws-sb https://awsservicebroker.s3.amazonaws.com/charts
Then deploy the Helm chart, setting the correct AWS accesskeyid and secretkey:
$ helm install aws-sb/aws-servicebroker \
--name aws-servicebroker \
--namespace aws-sb \
--set aws.secretkey=REPLACEME \
--set aws.accesskeyid=REPLACEME
If you don't want the broker installed cluster-wide set the flag
--set deployNamespacedServiceBroker=true which will register the broker into
the deployed Namespace.
A full list of configuration parameters can be found in the Helm template's values.yaml definition.
Verification
After the Helm chart is deployed, a ClusterServiceBroker resource should have
been created. You can check for it with kubectl:
$ kubectl get ClusterServiceBroker aws-servicebroker
NAME URL STATUS AGE
aws-servicebroker https://aws-servicebroker-aws-servicebroker.aws-sb.svc.cluster.local Ready 3d
If the STATUS is not ready, there was an issue. Some things to check while troubleshooting are:
- The DynamoDB infrastructure is up
- The AWS User has access to the DynamoDB table via Policy or Group
- The Helm chart values were set correctly
It may take several minutes for your broker to come up and register itself with
Service Catalog. Once the broker is registed, you can view the provided services
with the kf marketplace command.
Method 2: Install in AWS
The downside to installing the AWS Service Broker in a GKE cluster is the required use of AWS User credentials instead of an AWS Role. However, the only required Kubernetes resource for the AWS Service Broker to work with Kf is the ClusterServiceBroker, assuming the AWS Service Broker's API is reachable from the GKE cluster.
There are two methods the API can be exposed to the GKE cluster:
- The API is accessible via a VPN bridge between Google Cloud and AWS
- The API is publicly accessible (not recommended)
In either case, it is strongly recommended to secure the Service Broker's API with a trusted TLS certificate and access credentials.
Once the API is accessible, kubectl apply a ClusterServiceBroker and a
Kubernetes Secret which contains the credentials for authorizing with the
Service Broker.
apiVersion: servicecatalog.k8s.io/v1beta1
kind: ClusterServiceBroker
metadata:
name: aws-sb
spec:
# For all configuration options, look at the service catalog's
# type definitions:
# https://github.com/kubernetes-sigs/service-catalog/blob/master/pkg/apis/servicecatalog/v1beta1/types.go#L185
url: https://replace.with.url.to.service.broker
insecureSkipTLSVerify: false # use a trusted TLS certificate
authInfo:
bearer: # or basic
secretRef:
namespace: some-namespace
name: some-secret-name