Add --enable=automation-service-broker

[jmontleon]

No description provided.

[jmontleon]

/assign @derekwaynecarr

[soltysh]

Just

return component.MakeReady(...

[soltysh]

Are you sure this is Job, looking at the .spec this should rather be DeploymentConfig.

[jmontleon]

This container will run once and exit. It launches the broker in the ansible-service-broker namespace.

You end up with:

NAMESPACE                           NAME                                 READY     STATUS      RESTARTS   AGE
ansible-service-broker              ansible-service-broker-1-kldc6       1/1       Running     0          22h
automation-broker-apb               automation-broker-apb-8hr8r          0/1       Completed   1          22h

Doesn't a job make more sense for this?

[soltysh]

Job is fine, what I'm saying is that the definition you have in the yaml is not a valid job. See https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/ for an example job, what you have in here is a mixture of a job and deployment.

[jmontleon]

Thank you. I misunderstood. I'll clean it up.

[jmontleon]

/test gcp

[soltysh]

This lgtm, please squash your changes and you're good to go.

[jmontleon]

/test extended_conformance_install

[djzager]

you could use args: instead of command so you don't have to specify entrypoint.sh.

[djzager]

Is there a reason why we are going with automation-service-broker instead of automation-broker (default)?

[djzager]

If you are taking the $NAMESPACE as an argument you may want to add -e broker_namespace=${NAMESPACE}

[jmontleon]

ACK on first.
Second, that's what I was told to set it to to be similar to template-service-broker.
Third, as mentioned above the NAMESPACE is where the apb is running not the broker.

[djzager]

You may want to specifically run this job in the ${NAMESPACE} where the automation-broker-apb service account will live.

[jmontleon]

It runs in the namespace set here:
https://github.com/openshift/origin/pull/19409/files#diff-0b8cd438a5f3db747099c64b502fe091R12
https://github.com/openshift/origin/pull/19409/files#diff-0b8cd438a5f3db747099c64b502fe091R24

[deads2k]

You may want to specifically run this job in the ${NAMESPACE} where the automation-broker-apb service account will live.

I second this. I think it's best to be very specific.

[jmontleon]

/test extended_conformance_install

[jmontleon]

/test extended_conformance_install

[jmontleon]

/test extended_conformance_install

[jmontleon]

@soltysh sorry for the delay. The changes have been squashed and are passing again. Thanks!

[soltysh]

/lgtm
/approve

[jmontleon]

In testing I found the deadline was too short and the job would sometimes be ended before had a chance to complete. I've upped the time a bit to compensate.

[jmontleon]

/test gcp

[jmontleon]

/test extended_conformance_install

[jmontleon]

/test extended_conformance_install

[jmontleon]

/test extended_conformance_install

[jmontleon]

/test gcp

[jmontleon]

/test gcp

[soltysh]

/lgtm

[jwmatthews]

@deads2k @bparees @smarterclayton @derekwaynecarr would one of you have a few mins to review/approve this PR to help us get deployment of automation broker integrated with 'oc'?

[deads2k]

We reserve openshift-***. You should use a namespace under there.

@openshift/api-review this is our first external-ish component. How shall we reserve names?

[deads2k]

Thank you for making this very clear. Do you have a link to where this was litigated before?

@sdodson do you install this with ansible? Do you grant this permission?

[sdodson]

It looks like the current implementation creates a clusterrole. I'm not sure how closely this new work aligns with the older implementation in openshift-ansible.

https://github.com/openshift/openshift-ansible/blob/master/roles/ansible_service_broker/tasks/install.yml#L30-L90

[deads2k]

use v1 if you please

[deads2k]

This should be split into install-rbac.yaml since bindings are reconciled. The rest should be in install.yaml for consistency.

[deads2k]

"create_broker_namespace=true" looks weird. What does that do?

[deads2k]

I think we're going to require the WaitCondition value.

@mfojtik probably worth updating to enforce. I can't think of a reason not to.

[deads2k]

I'm not familiar with what it does, but it appears to fit nicely. On the authorship side, how was it?

@jmontleon @jwmatthews To make the boundary clear, we'll keep it compiling, but if there are functional breaks over time you'll be responsible for your component.

[jwmatthews]

@deads2k thank you for the review.

As to owning functional breakage, sounds good to me, our team will own the functional issues that pop up.

[jmontleon]

@deads2k Thank you for the review. I have:

• moved the namespace to openshift-automation-service-broker
• used v1 for the clusterrolebinding resource
• renamed the template to install.yaml
• split the clusterrolebinding into a separate install-rbac.yaml template
• removed "create_broker_namespace=true" as we don't actually need it (it will create the namespace for the broker if it doesn't exist)
• add a wait condition for the job completion.

I think this addresses all your comments except possibly, "Do you have a link to where this was litigated before?" Do we need to follow up with someone to permit the clusterrolebinding to be created? The job actually runs a containerized ansible role[1] that we created install the automation broker on an openshift cluster. The broker itself does require a clusterrolebinding [2], and it's my understanding that we need this permission in order to create this and (possibly other resources) using the container.

We also fully expected and understand that we will be on the hook to maintain this going forward.

Re: authorship I found it pretty straight forward to look at the existing options (service-catalog, template-service-broker, etc.) and work from there. I think I had it at least functioning within a day.

1. https://github.com/automationbroker/automation-broker-apb
2. https://github.com/automationbroker/automation-broker-apb/blob/master/templates/broker-auth.clusterrolebinding.yaml

[deads2k]

Re: authorship I found it pretty straight forward to look at the existing options (service-catalog, template-service-broker, etc.) and work from there. I think I had it at least functioning within a day.

https://github.com/automationbroker/automation-broker-apb
https://github.com/automationbroker/automation-broker-apb/blob/master/templates/broker-auth.clusterrolebinding.yaml

A cluster up record! :)

[deads2k]

Please make these permissions match https://github.com/openshift/openshift-ansible/blob/master/roles/ansible_service_broker/tasks/install.yml#L30-L90 .

[deads2k]

hmmm... perhaps I misunderstood what's happening. This is basically an installer pod?

[deads2k]

Alright, I cleared up my confusion with @jwmatthews . This gets cluster-admin because the job is actually installing the components. A few details to note that are not bugs with cluster-up

1. Components can be installed in any order. There is no concept of a "prereq", so you may be called in any order. Including in parallel with or before the service catalog. Going forward, we're expecting operators to manage the coming and going of prereqs.

2. Components must be idempotent. We are likely to call you multiple times.

3. Components are likely to be asked for a "remove" at some point. It isn't a requirement today.

This looks like a good starting point.

/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, jmontleon, soltysh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [deads2k]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jmontleon]

/test cmd

[jmontleon]

@deads2k is remove possible now? We have a deprovision playbook in the container that will remove the broker and other resources it creates as well so it might be pretty trivial for us to implement it today if so.

[jmontleon]

/test unit

[deads2k]

@deads2k is remove possible now? We have a deprovision playbook in the container that will remove the broker and other resources it creates as well so it might be pretty trivial for us to implement it today if so.

It won't be possible in v3.10. It may be possible in 3.11. I mentioned it so that you wouldn't be surprised if we contacted all component owners and asked them for one.