Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Binding Secret Generation Extensions #156

Open
baijum opened this issue May 29, 2021 · 8 comments
Open

Binding Secret Generation Extensions #156

baijum opened this issue May 29, 2021 · 8 comments
Labels
extension
Milestone
secret-generation...

Comments

@baijum
Copy link
Contributor

baijum commented May 29, 2021
edited
Loading

I propose to convert the "Binding Secret Generation Strategies'' extension to three extensions. The first one based on OLM x-descriptors, the second one based on custom resource definition annotations, and the third one based on custom resource annotations.

These extensions can follow the pattern of ProvisionedService duck type as described in issue #145.

apiVersion: mapping.service.binding/v1alpha2
kind: XDescriptorsSecretGenerator
spec:
  type: <optional-type-value>
  provider: <optional-provider-value>
  service:
    apiVersion: com.example/v1alpha1
    kind: AccountService
    name: prod-account-service
status:
  binding:
    name: <generated-secret-resource>

apiVersion: mapping.service.binding/v1alpha2
kind: CustomResourceDefinitionSecretGenerator
spec:
  type: <optional-type-value>
  provider: <optional-provider-value>
  service:
    apiVersion: com.example/v1alpha1
    kind: AccountService
    name: prod-account-service
status:
  binding:
    name: <generated-secret-resource>

apiVersion: mapping.service.binding/v1alpha2
kind: CustomResourceSecretGenerator
spec:
  type: <optional-type-value>
  provider: <optional-provider-value>
  service:
    apiVersion: com.example/v1alpha1
    kind: AccountService
    name: prod-account-service
status:
  binding:
    name: <generated-secret-resource>

Since these are ProvisionedService conforming resources, all the implementation of the core-spec will be compatible.
@DhritiShikhar
Copy link

@baijum What is the benefit of this proposal?

@baijum
Copy link
Contributor Author

baijum commented May 31, 2021

What is the benefit of this proposal?

The current extension expects the ServiceBinding reconciler to act upon the x-descriptors or annotations. That makes the extension tied to the implementation. With the proposed new extensions, the secret generation logic can be implemented by separate reconcilers. For example, if an organization wants to implement these extensions, it can easily integrate with the other existing implementations. This also makes it easy to mix and match core implementation and extensions. Please read issue #145 for more details.

@baijum baijum mentioned this issue May 31, 2021
Merged
@baijum
Copy link
Contributor Author

baijum commented Jun 3, 2021
edited
Loading

If CRD proliferation is a concern, we could go for a single CRD with the .spec.category attribute.

apiVersion: mapping.service.binding/v1alpha2
kind: SecretGenerator
spec:
  category: <Xdescriptor | CustomResourceDefinition | CustomResource>
  type: <optional-type-value>
  provider: <optional-provider-value>
  service:
    apiVersion: com.example/v1alpha1
    kind: AccountService
    name: prod-account-service
status:
  binding:
    name: <generated-secret-resource>

@baijum baijum mentioned this issue Jun 3, 2021
Open
@sbose78
Copy link
Contributor

sbose78 commented Jun 9, 2021

CRD proliferation

This is definitely a concern, I like what you've proposed to address this.

Question, who would be creating/providing this CR ?

  • The one who connects the application to the service ( probably the application author ), Or
  • The service provider would be shipping this SecretGenerator CR ?

@baijum
Copy link
Contributor Author

baijum commented Jun 9, 2021

The SecretGenerator custom resource will be created by the one who connects the application to the service. We can encourage service providers to document and/or give examples for the same.

@scothis
Copy link
Contributor

scothis commented Jun 9, 2021

Question, who would be creating/providing this CR ?

You can make a strong case for both parties. Either the app dev who needs to consume a service that wasn't fully compliant, or by a service provider who has a resource that isn't itself compliant, but still want to offer a compliant sibling resource.

I agree with @baijum that it will most often be "one who connects the application to the service", but unlike with the ServiceBinding resource it won't be exclusively that person.

@baijum
Copy link
Contributor Author

baijum commented Jun 10, 2021

The current implementation of Red Hat's Service Binding Operator merge CR annotation, CRD annotation, and X-Descriptors. As long as the order of precedence is well defined, I think we can avoid .spec.category. This behavior will be closer to the existing implementation. Since CR annotation has more precedence over CRD annotation, the person who connects the application to the service gets a chance to override what's there in the CRD annotation. Contrary to the current implementation, I think X-Descriptors should get precedence over CRD annotation. That will give those who package the original operator a chance to override what's there in the CRD annotation.

apiVersion: mapping.service.binding/v1alpha2
kind: SecretGenerator
spec:
  type: <optional-type-value>
  provider: <optional-provider-value>
  service:
    apiVersion: com.example/v1alpha1
    kind: AccountService
    name: prod-account-service
status:
  binding:
    name: <generated-secret-resource>

@baijum
Copy link
Contributor Author

baijum commented Jun 10, 2021

The SecretGenerator is going to be used with the ServiceBinding resource in tandem. And ServiceBinding resource has special attributes to override type and provider values. So, I think we can drop those two optional attributes from the SecretGenerator resource.

apiVersion: mapping.service.binding/v1alpha2
kind: SecretGenerator
spec:
  service:
    apiVersion: com.example/v1alpha1
    kind: AccountService
    name: prod-account-service
status:
  binding:
    name: <generated-secret-resource>

baijum added a commit to baijum/service-binding-specification that referenced this issue Jun 10, 2021
@baijum
Remove Secret Generation Strategies extension
bb2897e 
Based on the discussion in servicebinding#158 and servicebinding#156, this extension can become a
separate standard by itself.
@baijum baijum mentioned this issue Jun 10, 2021
Merged
baijum added a commit to baijum/service-binding-specification that referenced this issue Jun 17, 2021
@baijum
Remove Secret Generation Strategies extension
9d73684 
Based on the discussion in servicebinding#158 and servicebinding#156, this extension can become a
separate standard by itself.
nebhale pushed a commit that referenced this issue Aug 5, 2021
@baijum @nebhale
Remove Secret Generation Strategies extension
e570615 
Based on the discussion in #158 and #156, this extension can become a
separate standard by itself.
@nebhale nebhale added this to the mappings/1.0.0-alpha1 milestone Sep 16, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
extension
Projects
None yet
Milestone
secret-generation/1.0.0-alpha1
Development

No branches or pull requests
5 participants
@nebhale @baijum @scothis @sbose78 @DhritiShikhar