Create AWS broker bundle (#80)

bundles/aws-service-broker-0.0.1/README.md

@@ -0,0 +1,19 @@
+## Overview
+
+The AWS Service Broker bundle installs the [Open Service Broker for AWS](https://github.com/awslabs/aws-servicebroker) in a given Namespace.
+
+## Details
+
+The AWS Service Broker bundle contains two plans - `default` and `customizable`. The bundle requires a Secret with AWS credentials to each Namespace where the bundle will be provisioned. 
+
+For more information about generating a Secret, read [this](docs/overview.md) document.
+For more information about the provisioning and deprovisioning flow, see the ServiceClass [plan details](docs/plans-details.md) document. 
+
+### Additional template files
+
+Comparing to the original `AWS Service Broker` chart, the `aws-service-broker` bundle contains these additional files: 
+* `docs-check-job.yaml` which checks if all deployed DocsTopics are in the READY state.
+* `broker-check-job.yaml` which checks if the Service Broker resource is ready to use. After the job is finished, the Service Instance changes its state to **Running**.
+* `pre-delete-job.yaml` which removes a Service Broker before a Secret resource is removed. Otherwise, the Secret can be removed before the Service Broker, in which case the deprovisioning process fails.
+* `jobs-sa.yaml` which adds permissions for the preceding jobs.
+* `docs.yaml` which contains DocsTopics definitions that provide documentation into the Kyma Console.

bundles/aws-service-broker-0.0.1/chart/aws-service-broker/Chart.yaml

@@ -0,0 +1,5 @@
+name: aws-service-broker
+description: Deploys the AWS Service Broker
+
+# Chart version is used to fetch ServiceClass documentation in the same version
+version: 1.0.0

bundles/aws-service-broker-0.0.1/chart/aws-service-broker/templates/_helpers.tpl

@@ -0,0 +1,9 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "fullname" -}}
+{{- printf "%s-%s" .Release.Name .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}

bundles/aws-service-broker-0.0.1/chart/aws-service-broker/templates/broker-check-job.yaml

@@ -0,0 +1,62 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+    name: aws-service-broker-check-job
+    labels:
+        app: {{ template "fullname" . }}
+        chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+        release: "{{ .Release.Name }}"
+        heritage: "{{ .Release.Service }}"
+    annotations:
+        "helm.sh/hook": post-install,post-upgrade
+        "helm.sh/hook-weight": "0"
+        "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+spec:
+    backoffLimit: 0
+    template:
+        metadata:
+            annotations:
+                 sidecar.istio.io/inject: "false"
+        spec:
+            serviceAccountName: {{ template "fullname" . }}
+            restartPolicy: Never
+            containers:
+                - name: broker-checker
+                  image: "{{ .Values.jobs.kubectlImage.repository }}:{{ .Values.jobs.kubectlImage.tag }}"
+                  imagePullPolicy: {{ .Values.jobs.kubectlImage.pullPolicy }}
+                  command: ["/bin/sh","-c"]
+                  args:
+                    - |
+                      EXPECTED_SECRET_NAME={{ .Values.secretName }}
+                      SECRET_NAME=$(kubectl get secret -n {{ .Release.Namespace }} {{ .Values.secretName }} -o jsonpath="{.metadata.name}")
+                      if [[ "$SECRET_NAME" == "$EXPECTED_SECRET_NAME" ]] ;
+                        then
+                          echo "Success! Secret is present.";
+                        else
+                          echo "Failure! Secret '$EXPECTED_SECRET_NAME' is not present";
+                          exit 1;
+                      fi
+
+                      success=false;
+                      i=1;
+                      limit=180;
+                      while [ "$i" -le "$limit" ];
+                      do
+                          BROKER_TYPE=$(kubectl get servicebroker -n {{ .Release.Namespace }} {{ template "fullname" . }} -o jsonpath="{.status.conditions[0].type}")
+                          BROKER_STATUS=$(kubectl get servicebroker -n {{ .Release.Namespace }} {{ template "fullname" . }} -o jsonpath="{.status.conditions[0].status}")
+                          if [[ "$BROKER_TYPE" == "Ready" ]] && [[ "$BROKER_STATUS" == "True" ]];
+                            then
+                              echo "ServiesBroker is ready. Job is done.";
+                              success=true;
+                              break;
+                            else
+                              echo "Check $i/$limit - ServiceBroker is not ready, wait...";
+                              sleep 5;
+                          fi
+                        i=$(( i + 1 ))
+                      done;
+                      if [ "$success" = false ] ;
+                      then
+                        echo "ServiesBroker is not ready. Timeout reached";
+                        exit 1;
+                      fi

bundles/aws-service-broker-0.0.1/chart/aws-service-broker/templates/broker-deployment.yaml

@@ -0,0 +1,111 @@
+kind: Deployment
+apiVersion: extensions/v1beta1
+metadata:
+  name: {{ template "fullname" . }}
+  labels:
+    app: {{ template "fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ template "fullname" . }}
+  template:
+    metadata:
+      labels:
+        app: {{ template "fullname" . }}
+        chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+        release: "{{ .Release.Name }}"
+        heritage: "{{ .Release.Service }}"
+      annotations:
+        sidecar.istio.io/inject: "true"
+    spec:
+      serviceAccount: {{ template "fullname" . }}-service
+      containers:
+      - name: healthcheck
+        image: eu.gcr.io/kyma-project/develop/service-catalog/health-proxy:0.0.1
+        env:
+        - name: PROXY_TARGET_URL
+          value: "https://localhost:3199/"
+        imagePullPolicy: Always
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: 8080
+            scheme: HTTP
+          initialDelaySeconds: 40
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 5
+        readinessProbe:
+          failureThreshold: 1
+          httpGet:
+            path: /healthz
+            port: 8080
+            scheme: HTTP
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 5
+      - name: awssb
+        image: {{ .Values.image }}
+        imagePullPolicy: {{ .Values.imagePullPolicy }}
+        command:
+        - /usr/local/bin/aws-servicebroker
+        args:
+        - --logtostderr
+        - --port=3199
+        {{- if .Values.tls.cert}}
+        - --tlsCert={{ .Values.tls.cert }}
+        {{- end}}
+        {{- if .Values.tls.key}}
+        - --tlsKey={{ .Values.tls.key }}
+        {{- end}}
+        - --v={{ .Values.brokerconfig.verbosity }}
+        - --tls-cert-file=/var/run/awssb/awssb.crt
+        - --tls-private-key-file=/var/run/awssb/awssb.key
+        - --region={{ .Values.region }}
+        - --s3Bucket={{ .Values.bucket }}
+        - --s3Key={{ .Values.key }}
+        - --s3Region={{ .Values.s3region }}
+        - --tableName={{ .Values.tablename }}
+        - --brokerId={{ .Values.brokerid }}
+        - --prescribeOverrides={{ .Values.prescribeoverrides }}
+        ports:
+        - containerPort: 3199
+        volumeMounts:
+        - mountPath: /var/run/awssb
+          name: awssb-ssl
+          readOnly: true
+        env:
+        - name: AWS_ACCESS_KEY_ID
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.secretName }}
+              key: accesskeyid
+        - name: AWS_SECRET_ACCESS_KEY
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.secretName }}
+              key: secretkey
+        - name: PARAM_OVERRIDE_{{ .Values.brokerid }}_all_all_all_region
+          value: {{ .Values.region }}
+        - name: PARAM_OVERRIDE_{{ .Values.brokerid }}_all_all_all_VpcId
+          value: {{ .Values.vpcid }}
+        - name: PARAM_OVERRIDE_{{ .Values.brokerid }}_all_all_all_target_account_id
+          value: "{{ .Values.targetaccountid }}"
+        - name: PARAM_OVERRIDE_{{ .Values.brokerid }}_all_all_all_target_role_name
+          value: {{ .Values.targetrolename }}
+      volumes:
+      - name: awssb-ssl
+        secret:
+          defaultMode: 420
+          secretName: {{ template "fullname" . }}-cert
+          items:
+          - key: tls.crt
+            path: awssb.crt
+          - key: tls.key
+            path: awssb.key

bundles/aws-service-broker-0.0.1/chart/aws-service-broker/templates/broker-sa.yaml

@@ -0,0 +1,104 @@
+# Service account for the broker to run as.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "fullname" . }}-service
+  labels:
+    app: {{ template "fullname" . }}
+    chart: "{{ .Chart.Name }}--{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+{{- if .Values.authenticate}}
+---
+# Service account for the client, in most cases the service catalog.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "fullname" . }}-client
+  labels:
+    app: {{ template "fullname" . }}
+    chart: "{{ .Chart.Name }}--{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+---
+# Cluster role to grant service account that the broker is running as
+# to have the rights it needs.
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: {{ template "fullname" . }}
+  labels:
+    app: {{ template "fullname" . }}
+    chart: "{{ .Chart.Name }}--{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+rules:
+- apiGroups: ["authentication.k8s.io"]
+  resources: ["tokenreviews"]
+  verbs: ["create"]
+- apiGroups: ["authorization.k8s.io"]
+  resources: ["subjectaccessreviews"]
+  verbs: ["create"]
+
+---
+# Cluster role to grant the client service account the rights
+# to call the /v2/* URLs that the broker serves
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: access-{{ template "fullname" . }}
+  labels:
+    app: {{ template "fullname" . }}
+    chart: "{{ .Chart.Name }}--{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+rules:
+- nonResourceURLs: ["/v2", "/v2/*"]
+  verbs: ["GET", "POST", "PUT", "PATCH", "DELETE"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "fullname" . }}-client
+  labels:
+    app: {{ template "fullname" . }}
+    chart: "{{ .Chart.Name }}--{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "fullname" . }}-client
+    namespace: {{ .Release.Name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: access-{{ template "fullname" . }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "fullname" . }}-service
+    namespace: {{ .Release.Name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "fullname" . }}
+---
+# This secret needs to be a post install hook because otherwise it is skipped
+# This causes the service catalog's cluster serverice broker to be unable to
+# contact the broker.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "fullname" . }}
+  annotations:
+    kubernetes.io/service-account.name: {{ template "fullname" . }}-client
+    "helm.sh/hook": post-install
+    "helm.sh/hook-weight": "-5"
+type: kubernetes.io/service-account-token
+{{- end }}

bundles/aws-service-broker-0.0.1/chart/aws-service-broker/templates/broker-service.yaml

@@ -0,0 +1,16 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: {{ template "fullname" . }}
+  labels:
+    app: {{ template "fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+spec:
+  selector:
+    app: {{ template "fullname" . }}
+  ports:
+  - protocol: TCP
+    port: 443
+    targetPort: 3199

bundles/aws-service-broker-0.0.1/chart/aws-service-broker/templates/broker.yaml

@@ -0,0 +1,25 @@
+{{- if or .Values.deployClusterServiceBroker .Values.deployNamespacedServiceBroker }}
+apiVersion: servicecatalog.k8s.io/v1beta1
+{{- if .Values.deployNamespacedServiceBroker }}
+kind: ServiceBroker
+{{- else if .Values.deployClusterServiceBroker }}
+kind: ClusterServiceBroker
+{{- end }}
+metadata:
+  name:  {{ template "fullname" . }}
+  labels:
+    app: {{ template "fullname" . }}
+    chart: "{{ .Chart.Name }}--{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+spec:
+  url: https://{{ template "fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}
+  insecureSkipTLSVerify: true
+{{- if .Values.authenticate}}
+  authInfo:
+    bearer:
+      secretRef:
+        namespace: {{.Release.Namespace}}
+        name: {{ template "fullname" . }}
+{{- end }}
+{{- end }}