Reference implementation of the ServiceBinding.io 1.1 spec, along with 1.0. The full specification is implemented, please open an issue for any discrepancies.
- Getting Started
- Samples
- Supported Services
- Supported Workloads
- Architecture
- Contributing
- Community, discussion, contribution, and support
You’ll need a Kubernetes cluster to run against. You can use kind to get a local cluster for testing, or run against a remote cluster.
After the controller is deployed, try out the samples.
The easiest way to get started is by deploying the latest release. Alternatively, you can build the runtime from source.
-
Define where to publish images:
export KO_DOCKER_REPO=<a-repository-you-can-write-to>
For kind, a registry is not required:
export KO_DOCKER_REPO=kind.local -
Build and deploy the controller to the cluster:
Note: The cluster must have the cert-manager deployed. There is a
make deploy-cert-managertarget to deploy the cert-manager.make deploy
Undeploy the controller to the cluster:
make undeploySamples are located in the samples directory, including:
- Spring PetClinic with MySQL
- Controlled Resource
- Overridden Type and Provider
- Multiple Bindings
- External Secrets Operator
Kubernetes defines no provisioned services by default, however, Secrets may be directly referenced.
Additional services can be supported dynamically by defining a ClusterRole.
Support for the built-in k8s workload resource is pre-configured including:
- apps
DaemonSet - apps
Deployment - apps
ReplicaSet - apps
StatefulSet - batch
CronJob(also includes aClusterResourceMapping) - batch
Job(since Jobs are immutable, the ServiceBinding must be defined and service resolved before the job is created) - core
ReplicationController
Additional workloads can be supported dynamically by defining a ClusterRole and if not PodSpecable, a ClusterWorkloadResourceMapping.
The Service Binding for Kubernetes Specification defines the shape of Provisioned Services, and how the Secret is projected into a workload. The spec says less (intentionally) about how this happens.
Both a controller and mutating admission webhook are used to project a Secret defined by the service referenced by the ServiceBinding resource into the workloads referenced. The controller is used to process ServiceBindings by resolving services, projecting workloads and updating the status. The webhook is used to prevent removal of the workload projection, projecting workload on create, and a notification trigger for ServiceBindings the controller should process.
The apis, resolver and projector packages are defined by the reference implementation and reused here with slight modifications. The bulk of the work to bind a service to a workload is encapsulated with these packages. The output from the projector is deterministic and idempotent. The order that service bindings are applied to, or removed from, a workload does not matter. If a workload is bound and then unbound, the only trace will be the SERVICE_BINDING_ROOT environment variable.
There are a limited number of resources that maintain an informer cache within the manager:
ServiceBindingClusterWorkloadResourceMappingMutatingWebhookConfigurationValidatingWebhookConfiguration
When a ServiceBinding is created, updated or deleted the controller processes the resource. It will:
- resolve the referenced service resource, looking at it's
.spec.binding.namefor the name of the Secret to bind - reflect the discovered
Secretname onto theServiceBinding's.status.binding.name - the
ServiceAvailablecondition is updated on theServiceBinding - the referenced workloads are resolved (either by name or selector)
- a
ClusterWorkloadResourceMappingis resolved for the apiVersion/kind of the workload (or a default value for a PodSpecable workload is used) - the resolved
Secretname is projected into the workload - the
Readycondition is updated on theServiceBinding
In addition to that main flow, a MutatingWebhookConfiguration and ValidatingWebhookConfiguration are updated:
- all
ServiceBindings in the cluster are resolved - the rules for a
MutatingWebhookConfigurationare updated based on the set of all workload group-kinds referenced - the rules for a
ValidatingWebhookConfigurationare updated based on the set of all workload and service group-kinds referenced
The MutatingWebhookConfiguration is used to intercept create and update requests for workloads:
- all
ServiceBindings targeting the workload are resolved - a
ClusterWorkloadResourceMappingis resolved for the apiVersion/kind of the workload (or a default value for a PodSpecable workload is used) - for each
ServiceBindingthe resolvedSecretname is projected into the workload - the delta between the original resource and the projected resource is returned with the webhook response as a patch
The ValidatingWebhookConfiguration is used as an alternative to watching the API Server directly for these types and keeping an informer cache. When a webhook request is received, the ServiceBindings that reference that resource as a workload or service are resolved and enqueued for the controller to process.
No blocking work is performed within the webhooks.
Run the unit tests:
make testIf you are editing the API definitions, generate the manifests such as CRs or CRDs using:
make manifestsNOTE: Run make help for more information on all potential make targets
More information can be found via the Kubebuilder Documentation
The Service Binding Controller project is a community lead effort. A bi-weekly working group call is open to the public. Discussions occur here on GitHub and on the #bindings-discuss channel in the Kubernetes Slack.
If you catch an error in the implementation, please let us know by opening an issue at our GitHub repository.
Participation in the Service Binding community is governed by the Contributor Covenant.