Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support for the Provisioned Service defined in the Service Binding Specification for Kubernetes #95

Open
baijum opened this issue Aug 6, 2022 · 10 comments
Labels
carvel-accepted This issue should be considered for future work and that the triage process has been completed enhancement This issue is a feature request priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete.

Comments

@baijum
Copy link

baijum commented Aug 6, 2022

Describe the problem/challenge you have

I want to use the SecretTemplate API with implementations of the Service Binding Specification for Kubernetes.

Describe the solution you'd like

Make the SecretTemplate API a Provisioned Service as defined in the Service Binding Specification for Kubernetes.

Anything else you would like to add:


Vote on this request

This is an invitation to the community to vote on issues, to help us prioritize our backlog. Use the "smiley face" up to the right of this comment to vote.

👍 "I would like to see this addressed as soon as possible"
👎 "There are other more important things to focus on right now"

We are also happy to receive and review Pull Requests if you would like to work on this issue.

@baijum baijum added carvel-triage This issue has not yet been reviewed for validity enhancement This issue is a feature request labels Aug 6, 2022
@carvel-bot carvel-bot added this to Carvel Aug 6, 2022
@carvel-bot carvel-bot moved this to To Triage in Carvel Aug 6, 2022
@joe-kimmel-vmw
Copy link
Contributor

Thanks @baijum for contributing. I'm not familiar with the docs you linked but from a quick read it seems like you're proposing that we conform to this standard or API. Can you tell us more about your use-case, what your goals, and how they would be made simpler or enabled by SecretTemplate adopting these standards?

@Samze
Copy link
Contributor

Samze commented Aug 8, 2022

For reference we had a bit of discussion about this in the original issue see #54 (comment)

In the end we decided to not adopt it by default initially for two reasons:

  1. Not all uses of SecretTemplate generate a secret that is logically "bindable".
  2. The k8s-binding specification allows you to refer to Secrets directly, which gives us an avenue to a basic integration with the binding specification without implementing the ProvisionedService duck type.

However we left the door open for this being added in the future.

I think providing compliance to ProvisionedService could make sense, but if we did it we would need to make it optional as part of the spec of the template. Something like .spec.provisionedService: true.

@baijum what are your thoughts on using a direct secret reference vs ProvisionedService?

@baijum
Copy link
Author

baijum commented Aug 9, 2022

Thanks, @Samze, for pointing out the original issue (#54) with a discussion about Provisioned Service.

@joe-kimmel-vmw As described in the spec, Provisioned Service expects .status.binding.name attribute pointing to a Secret resource. I have written a blog post about it.

My current use case is to use AWS services using the AWS Controllers for Kubernetes and SecretTemplate. Here is an example written by @Samze :
https://github.com/Samze/secrettemplate-examples/tree/main/02-aws-rds
If SecretTemplate conforms to the ProvisionedService, I could use it for binding using the ServiceBinding resource as per the spec.

Regarding the use of Direct Secret Reference, there is a good explanation in the spec docs:

Note: Implementing the Provisioned Service contract frees the ServiceBinding creator from needing to know about the name of the Secret holding the credentials. The service can update the secret name exposed over time. This behavior not only decouples the ServiceBinding and the workload from needing to know the name of the Secret, it also enables use of immutable secrets. An immutable secret cannot be updated after it is created. To rotate the credentials, a new secret can be created and update the same in the Provisioned Service resource’s .status.binding.name attribute.

If SecretTemplate introduces a boolean flag, .spec.provisionedService, to conform to Provisioned Service, that would be a great solution.

@Samze
Copy link
Contributor

Samze commented Aug 9, 2022

Thanks @baijum!

I agree this would be a good change to include. If theres broad agreement from other folks, would you be interested in contributing it?

Though just to be clear we already integrate using a direct secret reference today. This works since today the generated bindable Secret is always the same name as the SecretTemplate itself. So by knowing the SecretTemplate name, you can create a ServiceBinding with a direct reference to the generated Secret.

@baijum
Copy link
Author

baijum commented Aug 9, 2022

I agree this would be a good change to include. If theres broad agreement from other folks, would you be interested in contributing it?

I am glad to hear that there is an interest in supporting this feature. However, I will wait for a consensus before proceeding with implementation.

@Samze
Copy link
Contributor

Samze commented Aug 15, 2022

@cppforlife / @joe-kimmel-vmw / @neil-hickey do you have thoughts on this?

@joe-kimmel-vmw
Copy link
Contributor

Thanks @Samze and @baijum IIRC we had a very short chat about it last week and thought it sounded fine, esp. if someone wanted to contribute it. I'll let @cppforlife or @neil-hickey correct if my recollection is way off.

@joe-kimmel-vmw joe-kimmel-vmw added carvel-accepted This issue should be considered for future work and that the triage process has been completed priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. and removed carvel-triage This issue has not yet been reviewed for validity labels Aug 16, 2022
@cppforlife
Copy link
Contributor

cppforlife commented Aug 18, 2022

it's good by me (sorry, i thought i already posted a comment)

@baijum
Copy link
Author

baijum commented Aug 19, 2022

I think providing compliance to ProvisionedService could make sense, but if we did it we would need to make it optional as part of the spec of the template. Something like .spec.provisionedService: true.

Does introducing an optional boolean field with a default value as false requires an API version upgrade?

@cppforlife
Copy link
Contributor

Does introducing an optional boolean field with a default value as false requires an API version upgrade?

nope, we are happy to accept it as part of the current api version.

@github-project-automation github-project-automation bot moved this to To Triage in Carvel Feb 14, 2023
@neil-hickey neil-hickey moved this from To Triage to Unprioritized in Carvel Feb 22, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
carvel-accepted This issue should be considered for future work and that the triage process has been completed enhancement This issue is a feature request priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete.
Projects
Status: Unprioritized
Development

No branches or pull requests

4 participants