AWS Service Broker

The AWS Service Broker exposes AWS Services through the Open Service Broker (OSB) protocol. These docs are based on the AWS Service Broker Documentation. This doc covers two possible installations:

  1. Install the AWS Service Broker in the Kf Kubernetes Cluster (recommended)
  2. Install the AWS Service Broker in AWS and expose the API via a VPC bridge

Prerequisites

In addition to a Kubernetes cluster with Kf and Service Catalog installed (see these instructions), the following tools must be installed on the workstation where you will be using the kf CLI:

  1. helm: Follow these instructions to install the helm CLI.

Method 1: Install in GKE

The AWS Service Broker is deployed using the Helm chart from the AWS Service Broker's getting started guide for Kubernetes.

Infrastructure

The AWS Service Broker requires a DynamoDB table and an IAM user to access the table. The easiest method is to deploy the provided CloudFormation template. For manual installation, see the prerequisite docs.

Helm

First, add the Helm repository to your machine:

$ helm repo add aws-sb https://awsservicebroker.s3.amazonaws.com/charts

Then deploy the Helm chart, setting the correct AWS accesskeyid and secretkey:

$ helm install aws-sb/aws-servicebroker \
  --name aws-servicebroker \
  --namespace aws-sb \
  --set aws.secretkey=REPLACEME \
  --set aws.accesskeyid=REPLACEME

If you don't want the broker installed cluster-wide, set the flag --set deployNamespacedServiceBroker=true, which registers the broker only in the Namespace it is deployed into.

A full list of configuration parameters can be found in the Helm template's values.yaml definition.

Verification

After the Helm chart is deployed, a ClusterServiceBroker resource should have been created. You can check for it with kubectl:

$ kubectl get ClusterServiceBroker aws-servicebroker

NAME              URL                                                                    STATUS   AGE
aws-servicebroker https://aws-servicebroker-aws-servicebroker.aws-sb.svc.cluster.local   Ready    3d

If the STATUS is not Ready, there was an issue. Some things to check while troubleshooting are:

  • The DynamoDB infrastructure is up
  • The AWS User has access to the DynamoDB table via Policy or Group
  • The Helm chart values were set correctly

It may take several minutes for your broker to come up and register itself with Service Catalog. Once the broker is registered, you can view the provided services with the kf marketplace command.

Method 2: Install in AWS

The downside to installing the AWS Service Broker in a GKE cluster is the required use of AWS User credentials instead of an AWS Role. However, the only required Kubernetes resource for the AWS Service Broker to work with Kf is the ClusterServiceBroker, assuming the AWS Service Broker's API is reachable from the GKE cluster.

There are two ways the API can be exposed to the GKE cluster:

  1. The API is accessible via a VPN bridge between Google Cloud and AWS
  2. The API is publicly accessible (not recommended)

In either case, it is strongly recommended to secure the Service Broker's API with a trusted TLS certificate and access credentials.

Once the API is accessible, use kubectl apply to create a ClusterServiceBroker and a Kubernetes Secret that contains the credentials for authenticating to the Service Broker.

apiVersion: servicecatalog.k8s.io/v1beta1
kind: ClusterServiceBroker
metadata:
  name: aws-sb
spec:
  # For all configuration options, look at the service catalog's
  # type definitions:
  #  https://github.com/kubernetes-sigs/service-catalog/blob/master/pkg/apis/servicecatalog/v1beta1/types.go#L185
  url: https://replace.with.url.to.service.broker
  insecureSkipTLSVerify: false # use a trusted TLS certificate
  authInfo:
    bearer: # or basic
      secretRef:
        namespace: some-namespace
        name: some-secret-name
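The ClusterServiceBroker above references a Secret but the page does not show it. The following manifest is an added example, not part of the Kf docs or the AWS Service Broker project: it is the Secret that authInfo.bearer.secretRef points to. Service Catalog reads the bearer token from the key named token; for basic auth it reads the keys username and password instead. The names some-secret-name and some-namespace are carried over from the ClusterServiceBroker above, and REPLACEME is a placeholder for the token the broker's API accepts.

```yaml
# Added example: the Secret referenced by authInfo.bearer.secretRef in the
# ClusterServiceBroker manifest above. Keep the name and namespace in sync
# with that secretRef; the Secret does not need to live in the broker's
# own namespace, only in the one the secretRef names.
apiVersion: v1
kind: Secret
metadata:
  name: some-secret-name        # must match authInfo.bearer.secretRef.name
  namespace: some-namespace     # must match authInfo.bearer.secretRef.namespace
type: Opaque
stringData:
  # Service Catalog expects the key "token" for bearer auth.
  # For basic auth, replace this with the keys "username" and "password"
  # and change "bearer:" to "basic:" in the ClusterServiceBroker.
  token: REPLACEME              # placeholder: the bearer token accepted by the broker API
```

Apply the Secret before (or together with) the ClusterServiceBroker; Service Catalog reads the credentials when it first fetches the broker's catalog, and a missing or misnamed key shows up as the broker never reaching STATUS Ready. Because stringData is base64-encoded by the API server rather than encrypted, treat this manifest like any other credential file: do not commit it with a real token, and restrict RBAC access to the namespace that holds it.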