Service Instance Sharing in PCF

1. Overview

In today's world, everyone is creating microservices and calling the DB or other services to process the data and complete their business processing.

The twelve-factor app pattern recommends consuming all these services as backing services for any cloud application. PCF also supports backing services through the market place. To consume a market place service, we need to create a service instance which does the provisioning. By default, this instance can be used only in a particular org/space where the instance has been created.

Let's take an example to understand it in detail. Let's suppose we have a REST based service and it puts the message in RabbitMQ. So we will be creating a service instance using the below command:

cf create-service <SERVICE> <PLAN> <SERVICE_INSTANCE>

Let's assume that we are currently in the TeamA org and the Products space. This instance will thus be visible only in the Products space. Now, let's suppose you have development work going on in the Consumers space and an application needs to consume the same RabbitMQ service. Before PCF 2.3, this would not have been possible, as the service instance was not sharable across orgs/spaces. The only solution was to put both the applications into one space. Let's see how we can share the service instances across orgs/spaces.

2. Enable Service Instance Sharing

Before we look into how to enable service instance sharing, let's go over a few basic rules:

• Service instances can be shared into multiple spaces and across orgs.
• Developers and administrators can share service instances between spaces in which they have the Space Developer role.
• Developers who have a service instance shared with them can only bind and unbind apps to that service instance. They cannot update, rename, or delete it.
• Developers who have a service instance shared with them can view the values of any configuration parameters that were used to provision or update the service instance.

1. To view if the Service Instance sharing flag is enabled, we need to run below command:

> cf feature-flags
features                                      state
user_org_creation                             disabled
private_domain_creation                       enabled
app_bits_upload                               enabled
app_scaling                                   enabled
route_creation                                enabled
service_instance_creation                     enabled
diego_docker                                  disabled
set_roles_by_username                         enabled
unset_roles_by_username                       enabled
task_creation                                 enabled
env_var_visibility                            enabled
space_scoped_private_broker_creation          enabled
space_developer_env_var_visibility            enabled
service_instance_sharing                      enabled
hide_marketplace_from_unauthenticated_users   disabled

It is showing as enabled for me. However, if you see it as disabled for some reason, you can run the below command to enable it.

> cf enable-feature-flag service_instance_sharing

Please note that only Administrator role has the ability to enable feature flags. So contact your administrator if you are not an admin.

2. Next, we need to ensure that the service in which you want to enable sharing has a broker and that the broker has enabled sharing. Service brokers must explicitly enable service instance sharing by setting a flag in their service-level metadata object. This allows service instances, of any service plan, to be shared across orgs and spaces. The "shareable" flag must be set to true in the service-level metadata to enable service instance sharing. If the flag is set to false or is absent, sharing is disabled:

{
   "services":[{
      "id":"521db166-a310-4b12-asdf-d12ga3cf2fdc",
      "name": "p-config-server",
      "metadata": {
         "shareable": true
      }
   }]
}

3. Service Instance Sharing Through CF CLI

With PCF 2.3, we got this service instance sharing option to do through the CF CLI. We need to have a Space Developer role in both spaces to share an instance from one space to another. We need to run the below command to do this:

 > cf share-service SERVICE-INSTANCE -s OTHER-SPACE [-o OTHER-ORG]

To unshare the service instance, we need to run below command: 

 > cf unshare-service SERVICE-INSTANCE -s OTHER-SPACE [-o OTHER-ORG] [-f]

The -f flag is used to enforce the unshare without confirmation.

4. Service Instance Sharing Through the Apps Manager

With PCF 2.4, we can use service instance sharing through the Apps Manager as well. So now its just a matter of clicking a button to share the service instance with other orgs/spaces.

We need to go to the service instance that we want to share.

Click on the SHARE SERVICE INSTANCE button to share the instance with other orgs/spaces. It will show all the orgs/spaces where we have access.

Please note that there is only a share instance option available in Apps Manager. The unshare feature is still not available in the Apps Manager.

5. A Few Tips

1. You may want to have the service broker return credentials with different permissions, depending on the space to which an app is bound. For example, a messaging service may permit writes from the originating space and only reads from any of the spaces with which the service is shared.

To determine whether the space of the app is the same as the originating space of the service instance, the service broker can compare the context.space_guid and bind_resource.space_guid fields in the binding request. The context.space_guid field represents the space where the service instance was created, and bind_resource.space_guid represents the space of the app involved in the binding.

2. Ensure that we don't have any service instances with the same name in the space where we are sharing them.

3. Unsharing the service will delete all the bindings of the apps in the space in which it was shared. So, we should ensure all the applications are taken care of, as they may fail.

6. Summary

To summarize, sharing instances is a very useful feature to certain business use cases and with PCF 2.4 it has become very easy to do. My only suggestion for the security side is to pay attention and ensure your service broker is implemented correctly when giving the only required permission to the space with which the instance is shared.