Service Instance Sharing in PCF
In this article, we are going to talk about how a service instance can be shared with multiple orgs/spaces in PCF 2.3 and 2.4.
Join the DZone community and get the full member experience.
Join For Free1. Overview
In today's world, everyone is creating microservices and calling the DB or other services to process the data and complete their business processing.
The twelve-factor app pattern recommends consuming all these services as backing services for any cloud application. PCF also supports backing services through the market place. To consume a market place service, we need to create a service instance which does the provisioning. By default, this instance can be used only in a particular org/space where the instance has been created.
Let's take an example to understand it in detail. Let's suppose we have a REST based service and it puts the message in RabbitMQ. So we will be creating a service instance using the below command:
cf create-service <SERVICE> <PLAN> <SERVICE_INSTANCE>Let's assume that we are currently in the TeamA org and the Products space. This instance will thus be visible only in the Products space. Now, let's suppose you have development work going on in the Consumers space and an application needs to consume the same RabbitMQ service. Before PCF 2.3, this would not have been possible, as the service instance was not sharable across orgs/spaces. The only solution was to put both the applications into one space. Let's see how we can share the service instances across orgs/spaces.
2. Enable Service Instance Sharing
Before we look into how to enable service instance sharing, let's go over a few basic rules:
- Service instances can be shared into multiple spaces and across orgs.
- Developers and administrators can share service instances between spaces in which they have the Space Developer role.
- Developers who have a service instance shared with them can only bind and unbind apps to that service instance. They cannot update, rename, or delete it.
- Developers who have a service instance shared with them can view the values of any configuration parameters that were used to provision or update the service instance.
1. To view if the Service Instance sharing flag is enabled, we need to run below command:
> cf feature-flags
features state
user_org_creation disabled
private_domain_creation enabled
app_bits_upload enabled
app_scaling enabled
route_creation enabled
service_instance_creation enabled
diego_docker disabled
set_roles_by_username enabled
unset_roles_by_username enabled
task_creation enabled
env_var_visibility enabled
space_scoped_private_broker_creation enabled
space_developer_env_var_visibility enabled
service_instance_sharing enabled
hide_marketplace_from_unauthenticated_users disabledIt is showing as enabled for me. However, if you see it as disabled for some reason, you can run the below command to enable it.
> cf enable-feature-flag service_instance_sharingPlease note that only Administrator role has the ability to enable feature flags. So contact your administrator if you are not an admin.
2. Next, we need to ensure that the service in which you want to enable sharing has a broker and that the broker has enabled sharing. Service brokers must explicitly enable service instance sharing by setting a flag in their service-level metadata object. This allows service instances, of any service plan, to be shared across orgs and spaces. The "shareable" flag must be set to true in the service-level metadata to enable service instance sharing. If the flag is set to false or is absent, sharing is disabled:
{
"services":[{
"id":"521db166-a310-4b12-asdf-d12ga3cf2fdc",
"name": "p-config-server",
"metadata": {
"shareable": true
}
}]
}3. Service Instance Sharing Through CF CLI
With PCF 2.3, we got this service instance sharing option to do through the CF CLI. We need to have a Space Developer role in both spaces to share an instance from one space to another. We need to run the below command to do this:
> cf share-service SERVICE-INSTANCE -s OTHER-SPACE [-o OTHER-ORG]To unshare the service instance, we need to run below command:
> cf unshare-service SERVICE-INSTANCE -s OTHER-SPACE [-o OTHER-ORG] [-f]The -f flag is used to enforce the unshare without confirmation.
4. Service Instance Sharing Through the Apps Manager
With PCF 2.4, we can use service instance sharing through the Apps Manager as well. So now its just a matter of clicking a button to share the service instance with other orgs/spaces.
We need to go to the service instance that we want to share.
Click on the SHARE SERVICE INSTANCE button to share the instance with other orgs/spaces. It will show all the orgs/spaces where we have access.
Please note that there is only a share instance option available in Apps Manager. The unshare feature is still not available in the Apps Manager.
5. A Few Tips
1. You may want to have the service broker return credentials with different permissions, depending on the space to which an app is bound. For example, a messaging service may permit writes from the originating space and only reads from any of the spaces with which the service is shared.
To determine whether the space of the app is the same as the originating space of the service instance, the service broker can compare the
context.space_guidandbind_resource.space_guidfields in the binding request. Thecontext.space_guidfield represents the space where the service instance was created, andbind_resource.space_guidrepresents the space of the app involved in the binding.
2. Ensure that we don't have any service instances with the same name in the space where we are sharing them.
3. Unsharing the service will delete all the bindings of the apps in the space in which it was shared. So, we should ensure all the applications are taken care of, as they may fail.
6. Summary
To summarize, sharing instances is a very useful feature to certain business use cases and with PCF 2.4 it has become very easy to do. My only suggestion for the security side is to pay attention and ensure your service broker is implemented correctly when giving the only required permission to the space with which the instance is shared.
Opinions expressed by DZone contributors are their own.
Comments