Service Bindings for Kubernetes implements the Service Binding Specification for Kubernetes v1.0.
This implementation provides support for:
- Provisioned Service
- Workload Projection
- Service Binding
- Direct Secret Reference
- Role-Based Access Control (RBAC)
The following are not implemented:
- Workload Resource Mapping
- Extensions including:
Equivalent capabilities from the v1.0.0-rc3 (servicebinding.io/v1alpha3) version of the spec are also supported. There are no significant API or runtime changes between v1alpha3 and v1beta1 versions.
Prerequisites:
- a Kubernetes 1.18+ cluster
Using the latest release is recommended.
We use Golang and `ko` to build the CRD and reconciler, and `kapp` to deploy them.
From within the cloned directory for this project, run:
```sh
kapp deploy -a service-bindings -f <(ko resolve -f config)
```
To remove the deployment, run:
```sh
kapp delete -a service-bindings
```
Retrieve pod logs from the `manager` running in the `service-bindings` namespace.
```sh
kubectl -n service-bindings logs -l role=manager
```
For example:
```
2021/11/05 15:25:28 Registering 3 clients
2021/11/05 15:25:28 Registering 3 informer factories
2021/11/05 15:25:28 Registering 7 informers
2021/11/05 15:25:28 Registering 8 controllers
{"severity":"INFO","timestamp":"2021-11-05T15:25:28.483823208Z","caller":"logging/config.go:116","message":"Successfully created the logger."}
{"severity":"INFO","timestamp":"2021-11-05T15:25:28.48392361Z","caller":"logging/config.go:117","message":"Logging level set to: info"}
{"severity":"INFO","timestamp":"2021-11-05T15:25:28.483999911Z","caller":"logging/config.go:79","message":"Fetch GitHub commit ID from kodata failed","error":"open /var/run/ko/HEAD: no such file or directory"}
{"severity":"INFO","timestamp":"2021-11-05T15:25:28.484035711Z","logger":"webhook","caller":"profiling/server.go:64","message":"Profiling enabled: false"}
{"severity":"INFO","timestamp":"2021-11-05T15:25:28.522884909Z","logger":"webhook","caller":"leaderelection/context.go:46","message":"Running with Standard leader election"}
{"severity":"INFO","timestamp":"2021-11-05T15:25:28.523358615Z","logger":"webhook","caller":"provisionedservice/controller.go:31","message":"Setting up event handlers."}
...
{"severity":"ERROR","timestamp":"2021-11-17T15:00:24.561881861Z","logger":"webhook","caller":"controller/controller.go:548","message":"Reconcile error","duration":"167.902µs","error":"deployments.apps \"spring-petclinic\" not found","stacktrace":"knative.dev/pkg/controller.(*Impl).handleErr\n\tknative.dev/pkg@v0.0.0-20210331065221-952fdd90dbb0/controller/controller.go:548\nknative.dev/pkg/controller.(*Impl).processNextWorkItem\n\tknative.dev/pkg@v0.0.0-20210331065221-952fdd90dbb0/controller/controller.go:531\nknative.dev/pkg/controller.(*Impl).RunContext.func3\n\tknative.dev/pkg@v0.0.0-20210331065221-952fdd90dbb0/controller/controller.go:468"}
```
For basic troubleshooting of Service Bindings, please see the troubleshooting guide.
Samples are located in the samples directory, including:
- Spring PetClinic with MySQL
- Controlled Resource
- Overridden Type and Provider
- Provisioned Service
- Multiple Bindings
The `ServiceBinding` resource shape and behavior is defined by the spec.
```yaml
apiVersion: servicebinding.io/v1beta1
kind: ServiceBinding
metadata:
  name: account-db
spec:
  service:
    apiVersion: bindings.labs.vmware.com/v1alpha1
    kind: ProvisionedService
    name: account-db
  workload:
    apiVersion: apps/v1
    kind: Deployment
    name: account-service
```
The `ProvisionedService` exposes a resource `Secret` by implementing the upstream Provisioned Service duck type, and may be the target of the `.spec.service` reference for a `ServiceBinding`. It is intended for compatibility with existing services that do not directly implement the duck type.
For example, to expose a service with an existing `Secret` named `account-db-service`:
```yaml
apiVersion: bindings.labs.vmware.com/v1alpha1
kind: ProvisionedService
metadata:
  name: account-db
spec:
  binding:
    name: account-db-service
---
apiVersion: v1
kind: Secret
metadata:
  name: account-db-service
type: Opaque
stringData:
  type: mysql
  # use appropriate values
  host: localhost
  database: default
  password: ""
  port: "3306"
  username: root
```
The controller writes the resource's status to implement the duck type.
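What the `account-service` workload sees once the `account-db` binding above is projected, as an added example (not code from this project): per the spec's workload projection, each binding is a directory under `$SERVICE_BINDING_ROOT` and each key of the bound `Secret` is a file in it. `LoadBindings` is a hypothetical helper name, and the sample tree built in `main` is constructed.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// LoadBindings reads $SERVICE_BINDING_ROOT: a directory per binding, a file per Secret key.
func LoadBindings(root string) (map[string]map[string]string, error) {
	dirs, err := os.ReadDir(root)
	if err != nil {
		return nil, err
	}
	out := map[string]map[string]string{}
	for _, d := range dirs {
		files, err := os.ReadDir(filepath.Join(root, d.Name()))
		if err != nil {
			return nil, err // a non-directory entry under root is treated as an error
		}
		b := map[string]string{}
		for _, f := range files {
			// Secret volumes add "..data" and timestamped entries; skip them.
			if f.IsDir() || strings.HasPrefix(f.Name(), ".") {
				continue
			}
			v, err := os.ReadFile(filepath.Join(root, d.Name(), f.Name()))
			if err != nil {
				return nil, err
			}
			b[f.Name()] = string(v)
		}
		if b["type"] == "" { // the spec requires a type entry in every binding
			return nil, fmt.Errorf("binding %q has no type entry", d.Name())
		}
		out[d.Name()] = b
	}
	return out, nil
}

func main() {
	root, _ := os.MkdirTemp("", "bindings") // constructed sample tree, not real data
	defer os.RemoveAll(root)
	os.MkdirAll(filepath.Join(root, "account-db"), 0o700)
	os.WriteFile(filepath.Join(root, "account-db", "type"), []byte("mysql"), 0o600)
	b, err := LoadBindings(root)
	fmt.Println(b["account-db"]["type"], err) // print the type only, never credential values
}
```

In a pod, pass `os.Getenv("SERVICE_BINDING_ROOT")` as `root` and select the binding by its `type` entry rather than by directory name.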
The Service Bindings for Kubernetes project team welcomes contributions from the community. If you wish to contribute code and you have not signed our contributor license agreement (CLA), our bot will update the issue when you open a Pull Request. For any questions about the CLA process, please refer to our FAQ. For more detailed information, refer to CONTRIBUTING.md.
Service Bindings for Kubernetes is an implementation of the Service Binding Specification for Kubernetes. Thanks to Arthur De Magalhaes and Ben Hale for leading the spec effort.
The initial implementation was conceived in projectriff/bindings by Scott Andrews, Emily Casey and the riff community at large, drawing inspiration from mattmoor/bindings and Knative duck type reconcilers.
Apache License v2.0: see LICENSE for details.