Service Binding for operator-backed services #12
sbose78 commented Mar 19, 2020 (edited)
- Add details about existing work
- Advanced configuration
- Bill of materials
- Permissions
- Migration strategy: Bringing a non Operator Framework project into Operator Framework
- Roadmap
@dmesser @ecordell I've made some progress with the proposal with 20% remaining, do you mind taking a look and helping me with early feedback if the format and content of the proposal makes sense? Let me know if there's something explicitly I should be adding. CC @siamaksade
@sbose78 Thank you. Can you add some information about the following:
Thank you. I am working to define a specification as well (early stage, needs work) along with a plan for the first wave of adopters. I'll update this with the new information!
We made agreements on what the specification could look like https://github.com/application-stacks/service-binding-specification and stabilized it for the time being. Based on the conversations, I will be updating the proposal and taking it to completion.
Removed WIP, there are a few additions I'll make along the way, however it is ready for a detailed review now.
enhancements/service-binding.md
Outdated
### Custom Environment variables | ||
|
||
|
||
To make binding applications (e.g., legacy Java applications that depend on JDBC connectioon strings) together with backing services more flexible, the Service Binding Operator supports the optional use of custom environment variables. To use custom environment variables, an application developer creates a ServiceBindingRequest that looks like the one shown |
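Review bot: "connectioon" in the first sentence should be "connection". The sentence also stops at "looks like the one shown"; end it with "below:" so the reference to the example is explicit.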
ServiceBinding instead of ServiceBindingRequest
enhancements/service-binding.md
Outdated
operator's OLM (Operator Lifecycle Manager) descriptor. The Service Binding | ||
Operator extracts to bind the application together with the backing service. | ||
The information may be specified in the "status" and/or "spec" section of the | ||
OLM in plaintext or as a reference to a secret. |
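Review bot: "The Service Binding Operator extracts to bind the application" has no object, so say what is extracted (the binding information). On the last sentence, binding information kept "in plaintext" in the "status" and/or "spec" section is readable by anyone who can read that resource; the text should say that credentials belong behind a secret reference and that plaintext is for non-sensitive values such as host names and ports.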
secret or configmap resource
Done, thanks!
enhancements/service-binding.md
Outdated
kind: Database | ||
resourceRef: db-demo | ||
|
||
customEnvVar: |
Should this be renamed to dataMapping as well? refer https://issues.redhat.com/browse/APPSVC-538
done, thanks!
@sbose78 Thanks for the update. I think we still need a section that discusses the security model of this Operator. How do we avoid that a user that normally doesn't have the privileges to read bindable fields can misuse the Service Binding Operator to get those injected into a resource they have access to?
I'll add the section, thank you @dmesser! We'll be doing Subject Access Review checks using a validating webhook - it isn't supported yet, but we have an epic on our backlog https://issues.redhat.com/browse/APPSVC-546 If there's anything that needs to be prioritized to ensure the transition is smooth, we shall prioritize.
Do we want this a part of the default OLM install for upstream install of OLM?
@dmesser @siamaksade I'll need you to weigh in on this.
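One way the Subject Access Review check mentioned in the reply above could gate a binding in a validating webhook, as an added example that is not code from this PR or from the Service Binding Operator. The `service` selector layout, the `check` callback that stands in for the API server's SubjectAccessReview answer, and the sample values are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// request: the parts of AdmissionReview.request used here. The "service" selector
// layout is hypothetical; the page shows only kind and resourceRef.
type request struct {
	Namespace string
	UserInfo  struct{ Username string; Groups []string }
	Object    struct {
		Spec struct {
			Service struct{ Group, Version, Resource, ResourceRef string }
		}
	}
}

// sarSpec carries the spec fields of an authorization.k8s.io/v1 SubjectAccessReview.
type sarSpec struct {
	User                                            string
	Groups                                          []string
	Namespace, Verb, Group, Version, Resource, Name string // resourceAttributes
}

// admit fails closed on bad input, checker error or "no"; assumes the service is in the binding's namespace.
func admit(raw []byte, check func(sarSpec) (bool, error)) (bool, string) {
	var r request
	if err := json.Unmarshal(raw, &r); err != nil {
		return false, "malformed admission request"
	}
	u, s := r.UserInfo, r.Object.Spec.Service
	if u.Username == "" || s.Resource == "" || s.ResourceRef == "" {
		return false, "missing user or service reference"
	}
	// Ask on behalf of the requesting user, not the operator's own service account.
	sar := sarSpec{User: u.Username, Groups: u.Groups, Namespace: r.Namespace, Verb: "get",
		Group: s.Group, Version: s.Version, Resource: s.Resource, Name: s.ResourceRef}
	if ok, err := check(sar); err != nil || !ok {
		return false, fmt.Sprintf("%s may not get %s/%s", u.Username, s.Resource, s.ResourceRef)
	}
	return true, ""
}

// Constructed sample: user "dev" asks to bind to the databases resource db-demo.
const sample = `{"namespace":"shop","userInfo":{"username":"dev","groups":["devs"]},"object":{"spec":{"service":{"group":"example.test","version":"v1","resource":"databases","resourceRef":"db-demo"}}}}`

func main() {
	fmt.Println(admit([]byte(sample), func(sarSpec) (bool, error) { return false, nil }))
}
```

The point of the check is that the review is evaluated for the user who created the binding, so the operator's broader read access cannot be borrowed through it.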
enhancements/service-binding.md
Outdated
wildcardPolicy: None | ||
``` | ||
|
||
A detailed guide to decorating backing services to make them binding friendly has been documented [here](https://github.com/application-stacks/service-binding-specification/blob/master/annotations.md). |
This has moved, and will be updated.
enhancements/service-binding.md
Outdated
To make binding applications (e.g., legacy Java applications that depend on JDBC connectioon strings) together with backing services more flexible, the Service Binding Operator supports the optional use of custom environment variables. To use custom environment variables, an application developer creates a ServiceBinding that looks like the one shown | ||
|
||
```yaml | ||
apiVersion: service.binding/v1alpha1 |
We are using operators.coreos.com at the moment.
The specification @sbose78 mentioned has moved here: https://github.com/k8s-service-bindings/spec
Update: I stopped working on my side-project for now. The spec is now part of a Kubernetes SIG:
|
||
The Service Binding Controller enables applications to use external services by automatically collecting and sharing binding information (credentials, connection details, volume mounts, secrets, etc.) with the application. In effect, the Service Binding Operator defines a contract between a “bindable” backing service (for example, a database operator) and an application requiring that backing service. | ||
|
||
Note that in addition to the initial sharing of binding information, the binding is also “managed” by the Service Binding Operator. This statement means that, if credentials or URLs undergo modification by the backing service operator, those changes are automatically reflected in the application. |
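Review bot: the first sentence names the component "Service Binding Controller" while the following sentences use "Service Binding Operator"; use one name throughout. In the second paragraph, "This statement means that" can be dropped so the sentence states directly that changes to credentials or URLs made by the backing service operator are reflected in the application.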
Have we concluded that this should/would be managed by the Service Binding Operator or should be part of OLM? (or enabled by default with OLM?)
Or is the discussion on how it is included in a different enhancement/discussion?
This proposal intends to make a pitch to move Service Binding into the OperatorFramework umbrella. Shipping it with OLM is a related conversation.
@sbose78 i am struggling to understand what this is proposing, vs what exists already in SBO + OLM. It talks about several different apis/annotations for specifying bindings, some generic and some specific to operators. Can you rework this to make it clearer which part is "background info" about how things work today, and which parts are the actual proposed enhancements? It would also help if it was clearer whether this is proposing changes just in OLM, changes just in SBO, or both.
Yes, this enhancement proposal needs some maintenance since this was a while ago. I'm on it!
@bparees I've updated the proposal to reflect the current state of SBO accurately.
i'm still a bit confused as to why this is an operator-framework EP.
enhancements/service-binding.md
Outdated
|
||
The backing service may provide binding information as | ||
* Metadata in the CRD as annotations | ||
* Metadata in the OLM bunde manifest file as Descriptors |
is this referring to the CSV? (also typo on bundle)
Yes!
status: proposed | ||
--- | ||
|
||
# Service Binding for operator-backed services |
very little of this seems specific to operators. it's generically about binding for a variety of resource types.
- how much of this represents capabilities the SBO already has?
- what does it really have to do with OLM? (at a minimum i'd expect to see examples/discussion of how operators expose bindable information, or bind to information, using the CSV metadata mechanism).
> how much of this represents capabilities the SBO already has?

All of it

> what does it really have to do with OLM? (at a minimum i'd expect to see examples/discussion of how operators expose bindable information, or bind to information, using the CSV metadata mechanism).

Yes, CSV descriptors are an option. I wanted to cast a wider net with Operators/CRDs in this proposal. Let me add in the pieces for CSV too.
> All of it

so what is the enhancement that is being proposed? this reads more like (possibly sorely needed) product docs. Or preamble/background leading up to a proposal but not actually making one.
> so what is the enhancement that is being proposed?

A proposal to enhance the Service Binding Operator would be made to the Service Binding Operator project.
This proposal describes what the Service Binding Operator is, with the ultimate goal of making it an Operator Framework project ( ie, a part of it). The latter is what I'm really proposing.
> This proposal describes what the Service Binding Operator is, with the ultimate goal of making it an Operator Framework project ( ie, a part of it). The latter is what I'm really proposing.

ok, can you clarify what that would mean? (lift+shift the operator into the operator-framework github org? deprecate the standalone operator and embed the binding logic/behavior into OLM itself? something else?) That seems like the critical piece of the proposal. (But the background is very helpful)