This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Service brokers

Learn to install and operate backing service marketplaces for Kf.

1: Service Brokers Overview
2: About Kf Cloud Service Broker

3: Deploy Kf Cloud Service Broker
4: Set up NFS platform

1 - Service Brokers Overview

Kf supports binding and provisioning apps to Open Service Broker (OSB) services.

Any compatible service broker can be installed using the create-service-broker command, but only the Kf Cloud Service Broker is fully supported.

Special services such as syslog drains, volume services, route services, service keys, and shared services aren’t currently supported.

2 - About Kf Cloud Service Broker

The Kf Cloud Service Broker is a Service Broker bundle that includes the open source Cloud Service Broker and Google Cloud Brokerpak. It is made available as a public Docker image and ready to deploy as a Kubernetes service in Kf clusters. Once the Kf Cloud Service Broker service is deployed in a cluster, developers can provision Google Cloud backing services through the Kf Cloud Service Broker service, and bind the backing services to Kf Apps.

Requirements

Kf Cloud Service Broker requires a MySQL instance and a service account for accessing the MySQL instance and Google Cloud backing services to be provisioned. Connection from the Kf Cloud Service Broker to the MySQL instance goes through the Cloud SQL Auth Proxy.
Requests to access Google Cloud services (for example: Cloud SQL for MySQL or Cloud Memorystore for Redis) are authenticated via Workload Identity.

Override Brokerpak defaults

Brokerpaks are essentially a Terraform plan and related dependencies in a tar file. You can inspect the Terraform plans to see what the defaults are, and then you can tell Kf Cloud Service Broker to override them when creating new services.

For example, the Terraform plan for MySQL includes a variable called authorized_network. If not overridden, the default VPC will be used. If you’d like to override the default, you can pass that during service creation. Here are some examples:

Override the compute region config.

 kf create-service csb-google-postgres small spring-music-postgres-db -c '{"config":"YOUR_COMPUTE_REGION"}'

Override the authorized_network and compute region config.

 kf create-service csb-google-postgres small spring-music-postgres-db -c '{"config":"YOUR_COMPUTE_REGION","authorized_network":"YOUR_CUSTOM_VPC_NAME"}'

You can learn more by reading the MySQL Plans and Configs documentation.

Architecture

The following Kf Cloud Service Broker architecture shows how instances are created.

The Kf Cloud Service Broker (CSB) is installed in its own namespace.
On installation, a MySQL instance must be provided to persist business logic used by Kf Cloud Service Broker. Requests are sent securely from the Kf Cloud Service Broker pod to the MySQL instance via the MySQL Auth Proxy.
On service provisioning, a Kf Service custom resource is created. The reconciler of the Kf Service provisions Google Cloud backing services using the Open Service Broker API.
When a request to provision/deprovision backing resources is received, Kf Cloud Service Broker sends resource creation/deletion requests to the corresponding Google Cloud service, and these requests are authenticated with Workload Identity. It also persists the business logics (e.g. mapping of Kf services to backing services, service bindings) to the MySQL instance.
On backing service creation success, the backing service is bound to an App via VCAP_SERVICES.

What’s next?

{% endblock %}

3 - Deploy Kf Cloud Service Broker

This page shows you how to deploy Kf Cloud Service Broker and use it to provision or deprovision backing resources. Read about the concepts and architecture to learn more about the Kf Cloud Service Broker.

Create environment variables

Linux

export PROJECT_ID=YOUR_PROJECT_ID
export CLUSTER_PROJECT_ID=YOUR_PROJECT_ID
export CSB_IMAGE_DESTINATION=YOUR_DOCKER_REPO_CSB_PATH
export CLUSTER_NAME=kf-cluster
export INSTANCE_NAME=cloud-service-broker
export COMPUTE_REGION=us-central1

Windows PowerShell

Set-Variable -Name PROJECT_ID -Value YOUR_PROJECT_ID
Set-Variable -Name CLUSTER_PROJECT_ID -Value YOUR_PROJECT_ID
Set-Variable -Name CSB_IMAGE_DESTINATION=YOUR_DOCKER_REPO_CSB_PATH
Set-Variable -Name CLUSTER_NAME -Value kf-cluster
Set-Variable -Name INSTANCE_NAME -Value cloud-service-broker
Set-Variable -Name COMPUTE_REGION -Value us-central1

Build the broker

First you’ll want to download and build the broker and push it to your container registry:

git clone --single-branch --branch main https://github.com/google/kf.git kf
cd kf/samples/cloud-service-broker
docker build --tag ${CSB_IMAGE_DESTINATION} .
docker push ${CSB_IMAGE_DESTINATION}

Set up the Kf Cloud Service Broker database

Create a MySQL instance.
Note: Read Creating and managing MySQL users for Google Cloud SQL and set a secure password for the default root user.
```
gcloud sql instances create ${INSTANCE_NAME} --cpu=2 --memory=7680MB --require-ssl --region=${COMPUTE_REGION}
```
Create a database named servicebroker in the MySQL instance.
Note: Document the database name since it is used in later steps.
```
gcloud sql databases create servicebroker -i ${INSTANCE_NAME}
```
Create a username and password to be used by the broker.
Note: Document these values since they will be used in later steps.
```
gcloud sql users create csbuser -i ${INSTANCE_NAME} --password=csbpassword
```

Set up a Google Service Account for the broker

Create a Google Service Account.

 gcloud iam service-accounts create csb-${CLUSTER_NAME}-sa \
     --project=${CLUSTER_PROJECT_ID} \
     --description="GSA for CSB at ${CLUSTER_NAME}" \
     --display-name="csb-${CLUSTER_NAME}"

Grant roles/cloudsql.client permissions to the Service Account. This is required to connect the service broker pod to the CloudSQL for MySQL instance through the CloudSQL Proxy.

 gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
     --member="serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
     --role="roles/cloudsql.client"

Grant additional Google Cloud permissions to the Service Account.

Note: In the example below, we grant IAM roles required to provision an instance of CloudSQL and Cloud Memorystore. You must grant this service account the appropriate roles to provision instances of other Google Cloud managed services listed in kf marketplace.

 gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
     --member="serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
     --role="roles/compute.networkUser"

 gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
     --member="serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
     --role="roles/cloudsql.admin"

 gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
     --member="serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
     --role="roles/redis.admin"

Verify the permissions.
Warning: Replace the CSB_SERVICE_ACCOUNT_NAME variable in the YAML below with the full service account resolved from csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com.
```
 gcloud projects get-iam-policy ${CLUSTER_PROJECT_ID} \
     --filter='bindings.members:serviceAccount:"CSB_SERVICE_ACCOUNT_NAME"' \
     --flatten="bindings[].members"
```

Set up Workload Identity for the broker

Bind the Google Service Account with the Kubernetes Service Account.

 gcloud iam service-accounts add-iam-policy-binding "csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
     --project=${CLUSTER_PROJECT_ID} \
     --role="roles/iam.workloadIdentityUser" \
     --member="serviceAccount:${CLUSTER_PROJECT_ID}.svc.id.goog[kf-csb/csb-user]"

Verify the binding.

 gcloud iam service-accounts get-iam-policy "csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
     --project=${CLUSTER_PROJECT_ID}

Set up a Kubernetes Secret to share configuration with the broker

Create a config.yml file.

Note: Replace the default user/password if desired. Ensure you have set the CLUSTER_PROJECT_ID in the Create environment variables step.

cat << EOF >> ./config.yml
gcp:
  credentials: ""
  project: ${CLUSTER_PROJECT_ID}

db:
  host: 127.0.0.1
  password: csbpassword
  user: csbuser
  tls: false
api:
  user: servicebroker
  password: password
EOF

Create the kf-csb namespace.
```
kubectl create ns kf-csb
```

Create the Kubernetes Secret.

kubectl create secret generic csb-secret --from-file=config.yml -n kf-csb

Install the Kf Cloud Service Broker

Copy the kf-csb-template.yaml into kf-csb.yaml for working:
```
cp kf-csb-template.yaml /tmp/kf-csb.yaml
```

Edit /tmp/kf-csb.yaml and replace placeholders with final values. In the example below, sed is used.

sed -i "s|<GSA_NAME>|csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com|g" /tmp/kf-csb.yaml

sed -i "s|<INSTANCE_CONNECTION_NAME>|${CLUSTER_PROJECT_ID}:${COMPUTE_REGION}:${INSTANCE_NAME}|g" /tmp/kf-csb.yaml

sed -i "s|<DB_PORT>|3306|g" /tmp/kf-csb.yaml

sed -i "s|<CSB_IMAGE_DESTINATION>|${CSB_IMAGE_DESTINATION}|g" /tmp/kf-csb.yaml

Apply yaml for Kf Cloud Service Broker.
```
kubectl apply -f /tmp/kf-csb.yaml
```
Verify the Cloud Service Broker installation status.
```
kubectl get pods -n kf-csb
```

Create a service broker

kf create-service-broker cloud-service-broker servicebroker password http://csb-controller.kf-csb/

Validate installation

Check for available services in the marketplace.

kf marketplace

If everything is installed and configured correctly, you should see the following:

$ kf marketplace

Broker                Name                          Namespace  Description
cloud-service-broker  csb-google-bigquery                      A fast, economical and fully managed data warehouse for large-scale data analytics.
cloud-service-broker  csb-google-dataproc                      Dataproc is a fully-managed service for running Apache Spark and Apache Hadoop clusters in a simpler, more cost-efficient way.
cloud-service-broker  csb-google-mysql                         Mysql is a fully managed service for the Google Cloud Platform.
cloud-service-broker  csb-google-postgres                      PostgreSQL is a fully managed service for the Google Cloud Platform.
cloud-service-broker  csb-google-redis                         Cloud Memorystore for Redis is a fully managed Redis service for the Google Cloud Platform.
cloud-service-broker  csb-google-spanner                       Fully managed, scalable, relational database service for regional and global application data.
cloud-service-broker  csb-google-stackdriver-trace             Distributed tracing service
cloud-service-broker  csb-google-storage-bucket                Google Cloud Storage that uses the Terraform back-end and grants service accounts IAM permissions directly on the bucket.

Clean up

Delete cloud-service-broker.

kf delete-service-broker cloud-service-broker

Delete CSB components.
```
kubectl delete ns kf-csb
```

Delete the broker’s database instance.

 gcloud sql instances delete ${INSTANCE_NAME} --project=${CLUSTER_PROJECT_ID}

Remove the IAM policy bindings.

 gcloud projects remove-iam-policy-binding ${CLUSTER_PROJECT_ID} \
 --member='serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com' \
 --role=roles/cloudsql.client

 gcloud projects remove-iam-policy-binding ${CLUSTER_PROJECT_ID} \
 --member='serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com' \
 --role=roles/compute.networkUser

 gcloud projects remove-iam-policy-binding ${CLUSTER_PROJECT_ID} \
 --member='serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com' \
 --role=roles/redis.admin

Remove the GSA.

 gcloud iam service-accounts delete csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com \
   --project=${CLUSTER_PROJECT_ID}

4 - Set up NFS platform

Kf supports Kubernetes native NFS, and exposes them with a dedicated nfsvolumebroker service broker for developers to consume. This broker has an nfs service offering which has a service plan named existing.

Use kf marketplace to see the service offering:

$ kf marketplace
...
Broker           Name  Namespace  Description
nfsvolumebroker  nfs              mout nfs shares
...

Use kf marketplace -s nfs to see the service plan:

$ kf marketplace -s nfs
...
Broker           Name      Free  Description
nfsvolumebroker  existing  true  mount existing nfs server
...

Requirements

You need an NFS volume that can be accessed by your Kubernetes cluster. For example Cloud Filestore which Google’s managed NFS solution that provides access to clusters in the same gcloud project.

Prepare NFS

If you have an existing NFS service, you can use that. If you want a Google managed NFS service, create a Filestore instance and Kf will automaticlaly configure the cluster to use it.

Warning: You only need to create the NFS instance. Kf will create relevant Kubernetes objects, including PersistentVolume and PersistentVolumeClaims. Do not manually mount the volume.

What’s next?

Configure NFS volumes