This repository was archived by the owner on Jun 26, 2024. It is now read-only.

CRD updates for advanced binding scenarios #355

@arthurdm

Description

We're looking at adopting the ServiceBindingRequest CRD in the service binding specification that we're working on, and two new scenarios were fleshed out in the last meeting. We started to chat about them here, and are now moving to a proper issue to continue the chat.

The net is: we would like to propose that the ServiceBindingRequest CRD support two new optional fields, each discussed below:

1. Supporting subscription / provisioned secrets

This is the case where a bindable service has some way for users to subscribe (e.g. an API catalog where they sign up for a plan and get an API key, or perhaps a new single-tenant database that was provisioned for them, etc). The artifact that results from this subscription is a k8s Secret, containing 1..N of the service binding schema. The ask here is:

  • add a new field to ServiceBindingRequest, something like subscriptionSecret, which points to the k8s Secret that holds that subscription-created data
  • the Service Binding Operator then just augments that Secret with any other data it retrieved from the bindable service (relevant part of the spec here)

2. Supporting role-based access to the bindable Secret

This is the case where the bindable data (k8s Secret, or other CRs) is protected so that only certain roles should be able to access it. The tricky part is that the Service Binding Operator can already access all secrets in all namespaces.

One solution we thought about in the spec call was to enforce (in the cases where the bindable data had a role-required defined) that a service account was passed into the ServiceBindingRequest (new field in the CRD, something like serviceAccount), which the Service Binding Operator could use to read the data (instead of its default SA), just for this request. Any other request uses the Service Binding Operator's default cluster-wide SA.
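As an added illustration (not from this issue or the operator's code), here is what the two proposed fields could look like in a manifest, together with the RBAC that scopes the per-request service account to a single Secret so the operator reads only that Secret instead of using its cluster-wide access. The field names `subscriptionSecret` and `serviceAccount` are the issue's placeholders, not fields the CRD has; the apiVersion, selector keys, names and namespace are assumed.

```yaml
# Constructed example: proposed fields (hypothetical) plus RBAC scoping the per-request SA to one Secret.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: catalog-binder
  namespace: app-ns
---
# Role limited to "get" on one named Secret; no list/watch, so it cannot enumerate other Secrets.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-catalog-subscription
  namespace: app-ns
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["catalog-subscription"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: catalog-binder-reads-subscription
  namespace: app-ns
subjects:
  - kind: ServiceAccount
    name: catalog-binder
    namespace: app-ns
roleRef:
  kind: Role
  name: read-catalog-subscription
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps.openshift.io/v1alpha1   # assumed CRD group/version
kind: ServiceBindingRequest
metadata:
  name: app-to-catalog
  namespace: app-ns
spec:
  subscriptionSecret: catalog-subscription   # proposed field 1 (hypothetical)
  serviceAccount: catalog-binder             # proposed field 2 (hypothetical)
  backingServiceSelector:                    # assumed selector keys
    group: example.com
    version: v1alpha1
    kind: ApiCatalog
    resourceRef: public-apis
  applicationSelector:
    group: apps
    version: v1
    resource: deployments
    resourceRef: my-app
```

The point of the Role is that `resourceNames` plus `get` alone lets the operator, acting as this SA, read exactly the subscription Secret and nothing else in the namespace.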
