PCF 2.4 - Service Instance Sharing in PCF

1. Overview

In PCF, any service is consumed through PCF marketplace. To consume a service, we need to create a service instance which does the provisioning. By default, this instance can be used only for a particular Org/Space in which instance has been created. 
Let's take an example to understand it in detail. Let's suppose we do have a REST based service and it puts the message in RabbitMQ. So we will create a service instance using the below command:

 cf create-service <SERVICE> <PLAN> <SERVICE_INSTANCE>

 Let's assume, we are currently in Org -TeamA and Space- Products. So this instance will be visible only in Products space. Now, Let's suppose you have any development work going on in Space Consumers and an application needs to consume this RabbitMQ service. Before PCF 2.3 version, it was not possible as service instance is not sharable across Orgs/spaces. The only solution was to put both applications into one space. Let's see now how we can share the service instances across Orgs/Spaces.

You can watch this video to understand this feature or read through the blog below:

2. Enable Service Instance Sharing

  • Service instances can be shared into multiple spaces and across orgs.
  • Developers and administrators can share service instances between spaces in which they have the Space Developer role.
  • Developers who have a service instance shared with them can only bind and unbind apps to that service instance. They cannot update, rename, or delete it.
  • Developers who have a service instance shared with them can view the values of any configuration parameters that were used to provision or update the service instance.
1. To view if the Service Instance sharing flag is enabled, we need to run below command:

> cf feature-flags
features                                      state
user_org_creation                             disabled
private_domain_creation                       enabled
app_bits_upload                               enabled
app_scaling                                   enabled
route_creation                                enabled
service_instance_creation                     enabled
diego_docker                                  disabled
set_roles_by_username                         enabled
unset_roles_by_username                       enabled
task_creation                                 enabled
env_var_visibility                            enabled
space_scoped_private_broker_creation          enabled
space_developer_env_var_visibility            enabled
service_instance_sharing                      enabled
hide_marketplace_from_unauthenticated_users   disabled
It is showing enabled for me. However, if you see it disabled for some reason, you can run below command to enable it.
> cf enable-feature-flag service_instance_sharing

Please note that only Administrator role has the access to enable feature flag. So contact your administrator if you are not an admin.

2. Next, we need to ensure the service which you want to allow for sharing has its broker enabled the sharing. Service broker must explicitly enable service instance sharing by setting a flag in their service-level metadata object. This allows service instances, of any service plan, to be shared across orgs and spaces. The "shareable" flag must be set to true in the service-level metadata to enable service instance sharing. If the flag is set to false or is absent, sharing is disabled:

      "name": "p-config-server",
      "metadata": {
         "shareable": true

3. Service Instance Sharing Through CF CLI

With PCF 2.3 version, we got this service instance sharing option to do through CF CLI. We need to have Space Developer role in both spaces to share an instance from one space to another. We need to run the below command to do the same:

 > cf share-service SERVICE-INSTANCE -s OTHER-SPACE [-o OTHER-ORG]

To unshare the service instance, we need to run below command: 

 > cf unshare-service SERVICE-INSTANCE -s OTHER-SPACE [-o OTHER-ORG] [-f]

-f flag is used to force the unshare without confirmation.

4. Service Instance Sharing Through Apps Manager

With PCF 2.4, this option is also available through Apps Manager as well. So now its just a matter of clicking a button to share the service instance with other Orgs/spaces.
We need to go to the service instance which we want to share.

Click on SHARE SERVICE INSTANCE button to share the instance with other Orgs/Spaces. It will show all the orgs/spaces where we have access.

Please note that there is only share instance option available in Apps Manager. Unshare feature is still not available in Apps Manager.

5. Few Tips

 1. You may want to have the service broker return credentials with different permissions depending on which space an app is bound. For example, a messaging service may permit writes from the originating space and only reads from any spaces that the service is shared into.

To determine whether the space of the app is the same as the originating space of the service instance, the service broker can compare the context.space_guid and bind_resource.space_guid fields in the binding request. The context.space_guid field represents the space where the service instance was created, and bind_resource.space_guid represents the space of the app involved in the binding.
2. Just ensure that we don't have any service instance with the same name in the space where we are sharing.

3. Unsharing the service will delete all the bindings of the apps in the space it was shared into. So, we should ensure all the applications are taken care as they may fail.

6. Summary

To summarize, sharing instance feature is very useful in certain business use cases and with PCF 2.4 it has become very easy to use it. My two cent on the security side is that pay attention to ensure your service broker is implemented correctly to give the required permission only to Space, with which, the instance is shared

No comments: