Service Binding Specification for Kubernetes

[baijum]

Signed-off-by: Baiju Muthukadan [email protected]

Issue #1289 , if available:

Description of changes:

Proposal to add support for Service Binding Specification for Kubernetes

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[ack-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: baijum
To complete the pull request process, please assign redbackthomson after the PR has been reviewed.
You can assign the PR to them by writing /assign @redbackthomson in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jaypipes]

Hi @baijum, cool idea! I like this proposal. Couple inline questions/comments for you to think about.

[jaypipes]

We would want to place this field within the Status.ACKResourceMetadata subfield. That way, it won't conflict with any resources that might have a Binding field already in their status...

[baijum]

The Service Binding Specification expects the Provisioned Service (e.g., DBInstance) to point to the Secret resource from .status.binding.name attribute. I think we can confirm if that field is not conflicting with any existing fields.

[jaypipes]

@baijum the problem is that the Status and Spec fields for all ACK resources are automatically generated by looking at the AWS service API's model definition. We don't know if there are APIs that have a Binding field in any Create operation's Output shape. If there were, that would conflict with this.

[baijum]

Can we check if the.status.binding.name attribute exists for any API? Also is it possible to reserve this field for service binding, so that it will not conflict in the future?

[jaypipes]

We could do this, sure, but the problem is we cannot predict the future. Since ACK CRDs are generated from the upstream API models, what happens if an upstream service API adds a Binding field in the future? This is why we place these kinds of fields into Status.ACKResourceMetadata to ensure that we don't conflict.

[baijum]

I have created a proposal to the spec here: servicebinding/spec#223
Let me know if creating a Secret resource with the same name as that of DBInstance resource (or any other service) would be acceptable.

[jaypipes]

@baijum I left a comment in the other PR. I would be OK with a separate reconciler (ala the FieldExportReconciler we already have in ACK) that would create/manage Secret resources like servicebinding.io expects.

[RedbackThomson]

+1 with Jay's comment here. This functionality seems similar enough to FieldExport, in that it accesses CRD fields and outputs into a Secret, that I believe it could simply be handled by that reconciler. In fact, we could add this feature by simply adding an optional field within the FieldExport CRD that provides an alternative to from.path, instead being from.bindingSpecification: true/false (name TBD). This would sidestep the need to reserve the .status.binding field.

[jaypipes]

The current ClusterRole allows getting, patching, listing and watching Secret resources. Why would we need to add Create and Delete permissions?

[baijum]

The Service Binding Specification expects the Provisioned Service (e.g., DBInstance) to point to a Secret resource with all values required for connectivity from the application. In the case of DBInstance, the corresponding controller needs to ensure the presence of the Secret resource. To create a Secret, Create permission is required. Similarly when the DBInstance is getting deleted, cleaning up the corresponding Secret resource would be good. Hence the Delete permission.

[jaypipes]

@baijum how does the controller know what the Secret's name will be?

[baijum]

The DBInstance controller generates the Secret. For example, the name could be the same as the DBInstance name.

[jaypipes]

The DBInstance controller generates the Secret. For example, the name could be the same as the DBInstance name.

@baijum ACK's approach is generally to give that power to the Kubernetes user, which is why the separate reconciler in ACK processes FieldExport CRs that allow the Kubernetes user to specify the name of the Secret or ConfigMap to export fields into.

[jaypipes]

Are the above fields intended to be populated as keys within a Secret?

[baijum]

Yes, the keys will change depending on the service. The above keys are examples that can be used with a relational database.

[RedbackThomson]

+1 with Jay's comment here. This functionality seems similar enough to FieldExport, in that it accesses CRD fields and outputs into a Secret, that I believe it could simply be handled by that reconciler. In fact, we could add this feature by simply adding an optional field within the FieldExport CRD that provides an alternative to from.path, instead being from.bindingSpecification: true/false (name TBD). This would sidestep the need to reserve the .status.binding field.

[RedbackThomson]

This implementation doesn't really touch on how we know which fields are required for the binding specification? I imagine that each of the bindings will need to be manually crafted. It would be good to have a section that describes how controller maintainers can add new bindings and how they know what the spec should be.

[baijum]

I am closing this proposal as FieldExport can be used as a solution for the problem.

[RedbackThomson]

@baijum I see you have closed this PR. Do you have an example for the ACK community with how FieldExport could implement the service binding spec?

[baijum]

@baijum I see you have closed this PR. Do you have an example for the ACK community with how FieldExport could implement the service binding spec?

As I explained here: https://gist.github.com/baijum/96158408eaf544f692acfad42f2b49df
The Secret generated through FieldExport can be used for ServiceBiding. The Secret must have type field and optionally it can also add provider, something like this:

apiVersion: v1
kind: Secret
metadata:
  name: rds-postgres-field-exports
  namespace: ack-system
stringData:
  type: postgresql
  provider: was

[ack-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: baijum
Once this PR has been reviewed and has the lgtm label, please assign jljaco for approval by writing /assign @jljaco in a comment. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ack-bot]

Issues go stale after 180d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 60d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/aws-controllers-k8s/community.
/lifecycle stale

[ack-bot]

Stale issues rot after 60d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 60d of inactivity.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/aws-controllers-k8s/community.
/lifecycle rotten

[ack-bot]

Rotten issues close after 60d of inactivity.
Reopen the issue with /reopen.
Provide feedback via https://github.com/aws-controllers-k8s/community.
/close

[ack-prow]

@ack-bot: Closed this PR.

In response to this:

Rotten issues close after 60d of inactivity.
Reopen the issue with /reopen.
Provide feedback via https://github.com/aws-controllers-k8s/community.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.