In PCF, any service is consumed through the PCF marketplace. To consume a service, we need to create a service instance, which does the provisioning. By default, this instance can be used only in the particular Org/Space in which it was created.
Let's take an example to understand it in detail. Suppose we have a REST-based service that puts messages in RabbitMQ. We create a service instance for it using the command below:
> cf create-service <SERVICE> <PLAN> <SERVICE_INSTANCE>
You can watch this video to understand this feature or read through the blog below:
2. Enable Service Instance Sharing
- Service instances can be shared into multiple spaces and across orgs.
- Developers and administrators can share service instances between spaces in which they have the Space Developer role.
- Developers who have a service instance shared with them can only bind and unbind apps to that service instance. They cannot update, rename, or delete it.
- Developers who have a service instance shared with them can view the values of any configuration parameters that were used to provision or update the service instance.
1. To check whether the service instance sharing feature flag is enabled, run the command below:
> cf feature-flags
features                                      state
user_org_creation                             disabled
private_domain_creation                       enabled
app_bits_upload                               enabled
app_scaling                                   enabled
route_creation                                enabled
service_instance_creation                     enabled
diego_docker                                  disabled
set_roles_by_username                         enabled
unset_roles_by_username                       enabled
task_creation                                 enabled
env_var_visibility                            enabled
space_scoped_private_broker_creation          enabled
space_developer_env_var_visibility            enabled
service_instance_sharing                      enabled
hide_marketplace_from_unauthenticated_users   disabled
It shows enabled for me. However, if you see it disabled for some reason, you can run the command below to enable it.
> cf enable-feature-flag service_instance_sharing
Please note that only the Administrator role has access to enable feature flags, so contact your administrator if you are not an admin.
2. Next, we need to ensure that the broker of the service we want to share has enabled sharing. A service broker must explicitly enable service instance sharing by setting a flag in its service-level metadata object; this allows instances of any plan of that service to be shared across orgs and spaces. The "shareable" flag must be set to true in the service-level metadata to enable service instance sharing. If the flag is set to false or is absent, sharing is disabled.
3. Service Instance Sharing Through CF CLI
With PCF 2.3, service instance sharing became available through the CF CLI. We need the Space Developer role in both spaces to share an instance from one space to another. Run the command below to do so:
> cf share-service SERVICE-INSTANCE -s OTHER-SPACE [-o OTHER-ORG]
To unshare the service instance, run the command below:
> cf unshare-service SERVICE-INSTANCE -s OTHER-SPACE [-o OTHER-ORG] [-f]
The -f flag forces the unshare without asking for confirmation.
4. Service Instance Sharing Through Apps Manager
With PCF 2.4, this option is also available through Apps Manager, so sharing a service instance with other Orgs/Spaces is now just a matter of clicking a button.
Go to the service instance we want to share.
Click the SHARE SERVICE INSTANCE button to share the instance with other Orgs/Spaces. It lists all the orgs/spaces we have access to.
Please note that only the share option is available in Apps Manager. The unshare feature is not yet available in Apps Manager.
5. A Few Tips
1. You may want the service broker to return credentials with different permissions depending on the space of the app being bound. For example, a messaging service may permit writes from the originating space and only reads from any space that the service is shared into.
To determine whether the space of the app is the same as the originating space of the service instance, the service broker can compare the context.space_guid and bind_resource.space_guid fields in the binding request. The context.space_guid field represents the space where the service instance was created, and bind_resource.space_guid represents the space of the app involved in the binding.
2. Ensure that there is no service instance with the same name already in the space we are sharing into.
3. Unsharing the service instance deletes all bindings of apps in the space it was shared into. So we should make sure all those applications are taken care of, as they may fail.
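Below is an added example (not code from this post or from any PCF service broker) of the two broker-side pieces discussed above: the service-level metadata with the "shareable" flag from section 2, and the binding-time comparison of context.space_guid against bind_resource.space_guid from tip 1. The catalog ids, service names, host names, GUIDs and the RabbitMQ-style configure/write/read permission regexes are all constructed for illustration; the request and catalog shapes follow the Open Service Broker API as described in the post.

```python
import secrets

# Constructed catalog (hypothetical ids and names). The "shareable" flag lives in the
# service-level "metadata" object, which is where Cloud Foundry looks for it.
CATALOG = {
    "services": [
        {
            "id": "rabbitmq-example-service-id",
            "name": "rabbitmq-example",
            "bindable": True,
            "metadata": {"shareable": True},   # sharing enabled for every plan
            "plans": [{"id": "standard-plan-id", "name": "standard"}],
        },
        {
            "id": "private-example-service-id",
            "name": "private-example",
            "bindable": True,
            "metadata": {},                    # flag absent: sharing disabled
            "plans": [{"id": "basic-plan-id", "name": "basic"}],
        },
    ]
}

# Hypothetical connection details for the backing RabbitMQ; nothing here is real.
BROKER_HOST = "rabbitmq.example.internal"
BROKER_PORT = 5672
VHOST = "shared-vhost"

# RabbitMQ grants configure/write/read permissions as regexes over resource names.
READ_WRITE = {"configure": ".*", "write": ".*", "read": ".*"}
READ_ONLY = {"configure": "", "write": "", "read": ".*"}


def is_shareable(catalog, service_id):
    """Sharing is enabled only when metadata.shareable is boolean true.
    A false or absent flag means the service cannot be shared."""
    for service in catalog["services"]:
        if service["id"] == service_id:
            return service.get("metadata", {}).get("shareable") is True
    raise KeyError(f"unknown service id: {service_id}")


def credentials_for_binding(binding_request, catalog=CATALOG):
    """Build binding credentials whose permissions depend on the binding space.

    context.space_guid is the space where the instance was created;
    bind_resource.space_guid is the space of the app being bound. If they differ,
    the app lives in a space the instance was shared into and gets read-only access.
    """
    service_id = binding_request["service_id"]
    origin_space = binding_request["context"]["space_guid"]
    app_space = binding_request.get("bind_resource", {}).get("space_guid")

    in_origin_space = app_space == origin_space
    if not in_origin_space and not is_shareable(catalog, service_id):
        # Defensive check (this example's choice): a cross-space binding for a
        # non-shareable service should never arrive, so refuse instead of issuing credentials.
        raise PermissionError("service is not shareable; cross-space binding refused")

    # Least privilege: only a binding proven to come from the originating space gets
    # write access. A request without bind_resource.space_guid is treated as foreign.
    permissions = READ_WRITE if in_origin_space else READ_ONLY
    role = "read-write" if in_origin_space else "read-only"
    username = f"{role}-{secrets.token_hex(4)}"   # one user per binding, constructed
    password = secrets.token_urlsafe(24)
    return {
        "credentials": {
            "uri": f"amqp://{username}:{password}@{BROKER_HOST}:{BROKER_PORT}/{VHOST}",
            "username": username,
            "password": password,
            "vhost": VHOST,
            "role": role,
            "permissions": permissions,
        }
    }


# Constructed binding requests: one from the originating space, one from a space the
# instance was shared into (all GUIDs are placeholders).
BIND_FROM_ORIGIN = {
    "service_id": "rabbitmq-example-service-id",
    "plan_id": "standard-plan-id",
    "context": {"platform": "cloudfoundry", "organization_guid": "org-a", "space_guid": "space-a"},
    "bind_resource": {"app_guid": "app-1", "space_guid": "space-a"},
}
BIND_FROM_SHARED = {
    "service_id": "rabbitmq-example-service-id",
    "plan_id": "standard-plan-id",
    "context": {"platform": "cloudfoundry", "organization_guid": "org-a", "space_guid": "space-a"},
    "bind_resource": {"app_guid": "app-2", "space_guid": "space-b"},
}

if __name__ == "__main__":
    for name, request in (("origin", BIND_FROM_ORIGIN), ("shared", BIND_FROM_SHARED)):
        creds = credentials_for_binding(request)["credentials"]
        print(name, creds["role"], creds["permissions"])
```

The check in is_shareable deliberately accepts only a boolean true, which is the conservative reading of the rule above (false or absent disables sharing). Treating a missing bind_resource.space_guid as foreign and refusing cross-space bindings for non-shareable services are this example's own defensive choices, not behaviour the post attributes to PCF.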
To summarize, the instance sharing feature is very useful in certain business use cases, and with PCF 2.4 it has become very easy to use. My two cents on the security side: pay attention to ensuring your service broker is implemented correctly, so that it grants only the required permissions to the space with which the instance is shared.