From bb2897e779733ab5267c8df850b087dc64e60d80 Mon Sep 17 00:00:00 2001 From: Baiju Muthukadan Date: Thu, 10 Jun 2021 07:54:20 +0530 Subject: [PATCH] Remove Secret Generation Strategies extension Based on the discussion in #158 and #156, this extension can become a separate standard by itself. --- README.md | 220 ------------------------------------------------------ 1 file changed, 220 deletions(-) diff --git a/README.md b/README.md index 158ce6c..f6febcb 100644 --- a/README.md +++ b/README.md @@ -73,11 +73,6 @@ Participation in the Kubernetes community is governed by the [Kubernetes Code of - [Role-Based Access Control (RBAC)](#role-based-access-control-rbac) - [Example Resource](#example-resource-3) - [Extensions](#extensions) - - [Binding `Secret` Generation Strategies](#binding-secret-generation-strategies) - - [OLM Operator Descriptors](#olm-operator-descriptors) - - [Descriptor Examples](#descriptor-examples) - - [Non-OLM Operator and Resource Annotations](#non-olm-operator-and-resource-annotations) - - [Annotation Examples](#annotation-examples) --- ## Status @@ -628,218 +623,3 @@ rules: [] # The control plane automatically fills in the rules # Extensions Extensions are optional additions to the core specification as defined above. Implementation and support of these specifications are not required in order for a platform to be considered compliant. However, if the features addressed by these specifications are supported a platform **MUST** be in compliance with the specification that governs that feature. - -## Binding `Secret` Generation Strategies - -Many services, especially initially, will not be Provisioned Service-compliant. These services will expose the appropriate binding `Secret` information, but not in the way that the specification or applications expect. Users should have a way of describing a mapping from existing data associated with arbitrary resources and CRDs to a representation of a binding `Secret`. - -To handle the majority of existing resources and CRDs, `Secret` generation needs to support the following behaviors: - -1. Extract a string from a resource -1. Extract an entire `ConfigMap`/`Secret` refrenced from a resource -1. Extract a specific entry in a `ConfigMap`/`Secret` referenced from a resource -1. Extract entries from a collection of objects, mapping keys and values from entries in a `ConfigMap`/`Secret` referenced from a resource -1. Exctact a collection of specific entry values in a resource's collection of objects -1. Map each value to a specific key -1. Map each value of a collection to a key with generated name - -While the syntax of the generation strategies are specific to the system they are annotating, they are based on a common data model. - -| Model | Description -| ----- | ----------- -| `path` | A template represention of the path to an element in a Kubernetes resource. The value of `path` is specified as [JSONPath](https://kubernetes.io/docs/reference/kubectl/jsonpath/). Required. -| `objectType` | Specifies the type of the object selected by the `path`. One of `ConfigMap`, `Secret`, or `string` (default). -| `elementType` | Specifies the type of object in an array selected by the `path`. One of `sliceOfMaps`, `sliceOfStrings`, `string` (default). -| `sourceKey` | Specifies a particular key to select if a `ConfigMap` or `Secret` is selected by the `path`. Specifies a value to use for the key for an entry in a binding `Secret` when `elementType` is `sliceOfMaps`. -| `sourceValue` | Specifies a particular value to use for the value for an entry in a binding `Secret` when `elementType` is `sliceOfMaps` or `sliceOfStrings`. - - -### OLM Operator Descriptors - -OLM Operators are configured by setting the `specDescriptor` and `statusDescriptor` entries in the [ClusterServiceVersion](https://docs.openshift.com/container-platform/4.4/operators/operator_sdk/osdk-generating-csvs.html) with mapping descriptors. - -### Descriptor Examples - -The following examples refer to this resource definition. - -```yaml -apiVersion: apps.kube.io/v1beta1 -kind: Database -metadata: - name: my-cluster -spec: - tags: - - Brno - - PWR - - stage - ... - -status: - bootstrap: - - type: plain - url: myhost2.example.com - name: hostGroup1 - - type: tls - url: myhost1.example.com:9092,myhost2.example.com:9092 - name: hostGroup2 - data: - dbConfiguration: database-config # ConfigMap - dbCredentials: database-cred-Secret # Secret - url: db.stage.ibm.com -``` - -1. Mount an entire `Secret` as the binding `Secret` - - ```yaml - - path: data.dbCredentials - x-descriptors: - - urn:alm:descriptor:io.kubernetes:Secret - - service.binding - ``` - -1. Mount an entire `ConfigMap` as the binding `Secret` - - ```yaml - - path: data.dbConfiguration - x-descriptors: - - urn:alm:descriptor:io.kubernetes:ConfigMap - - service.binding - ``` - -1. Mount an entry from a `ConfigMap` into the binding `Secret` - - ```yaml - - path: data.dbConfiguration - x-descriptors: - - urn:alm:descriptor:io.kubernetes:ConfigMap - - service.binding:certificate:sourceKey=certificate - ``` - -1. Mount an entry from a `ConfigMap` into the binding `Secret` with a different key - - ```yaml - - path: data.dbConfiguration - x-descriptors: - - urn:alm:descriptor:io.kubernetes:ConfigMap - - service.binding:timeout:sourceKey=db_timeout - ``` - -1. Mount a resource definition value into the binding `Secret` - - ```yaml - - path: data.uri - x-descriptors: - - service.binding:uri - ``` - -1. Mount a resource definition value into the binding `Secret` with a different key - - ```yaml - - path: data.connectionURL - x-descriptors: - - service.binding:uri - ``` - -1. Mount the entries of a collection into the binding `Secret` selecting the key and value from each entry - - ```yaml - - path: bootstrap - x-descriptors: - - service.binding:endpoints:elementType=sliceOfMaps:sourceKey=type:sourceValue=url - ``` - -1. Mount the items of a collection into the binding `Secret` with one key per item - - ```yaml - - path: spec.tags - x-descriptors: - - service.binding:tags:elementType=sliceOfStrings - ``` - -1. Mount the values of collection entries into the binding `Secret` with one key per entry value - - ```yaml - - path: bootstrap - x-descriptors: - - service.binding:endpoints:elementType=sliceOfStrings:sourceValue=url - ``` - -### Non-OLM Operator and Resource Annotations - -Non-OLM Operators are configured by adding annotations to the Operator's CRD with mapping configuration. All Kubernetes resources are configured by adding annotations to the resource. - -### Annotation Examples - -The following examples refer to this resource definition. - -```yaml -apiVersion: apps.kube.io/v1beta1 -kind: Database -metadata: - name: my-cluster -spec: - tags: - - Brno - - PWR - - stage - ... - -status: - bootstrap: - - type: plain - url: myhost2.example.com - name: hostGroup1 - - type: tls - url: myhost1.example.com:9092,myhost2.example.com:9092 - name: hostGroup2 - data: - dbConfiguration: database-config # ConfigMap - dbCredentials: database-cred-Secret # Secret - url: db.stage.ibm.com -``` - -1. Mount an entire `Secret` as the binding `Secret` - ```plain - “service.binding": - ”path={.status.data.dbCredentials},objectType=Secret” - ``` -1. Mount an entire `ConfigMap` as the binding `Secret` - ```plain - service.binding”: - "path={.status.data.dbConfiguration},objectType=ConfigMap” - ``` -1. Mount an entry from a `ConfigMap` into the binding `Secret` - ```plain - “service.binding/certificate”: - "path={.status.data.dbConfiguration},objectType=ConfigMap,sourceKey=certificate" - ``` -1. Mount an entry from a `ConfigMap` into the binding `Secret` with a different key - ```plain - “service.binding/timeout”: - “path={.status.data.dbConfiguration},objectType=ConfigMap,sourceKey=db_timeout” - ``` -1. Mount a resource definition value into the binding `Secret` - ```plain - “service.binding/uri”: - "path={.status.data.url}" - ``` -1. Mount a resource definition value into the binding `Secret` with a different key - ```plain - “service.binding/uri": - "path={.status.data.connectionURL}” - ``` -1. Mount the entries of a collection into the binding `Secret` selecting the key and value from each entry - ```plain - “service.binding/endpoints”: - "path={.status.bootstrap},elementType=sliceOfMaps,sourceKey=type,sourceValue=url" - ``` -1. Mount the items of a collection into the binding `Secret` with one key per item - ```plain - "service.binding/tags": - "path={.spec.tags},elementType=sliceOfStrings - ``` -1. Mount the values of collection entries into the binding `Secret` with one key per entry value - ```plain - “service.binding/endpoints”: - "path={.status.bootstrap},elementType=sliceOfStrings,sourceValue=url" - ```