Provisioned Service Syncer
Synchronize Provisioned Service Secret Resources across Namespace
The Service Binding Specification for Kubernetes recommends keeping the provisioned
service and the application in the same namespace. In the Provisioned Service
section, it is written like this:

    The Secret MUST be in the same namespace as the resource.

Later, in the 2nd paragraph of the Service Binding section:

    Restricting service binding to resources within the same namespace is strongly RECOMMENDED
The Provisioned Service Syncer operator synchronizes Provisioned Service Secret
resources across namespaces. You can create a ProvisionedServiceSyncer resource
in the same namespace as where the application is going to run. The
ProvisionedServiceSyncer custom resource will be a Provisioned Service-able
resource that you can use in the ServiceBinding configuration.
Installation
This project is in the Beta stage right now. The recommended approach for
installation is through Helm charts.
Helm must be installed to use the charts. Please refer to Helm's
documentation to get started.
Once Helm has been set up correctly, add the repo as follows:
helm repo add kubepreset https://kubepreset.github.io/helm-charts
If you had already added this repo earlier, run helm repo update to retrieve
the latest versions of the packages. You can then run
helm search repo provisioned-service-syncer to see the charts.
To install the provisioned-service-syncer chart:
helm install my-provisioned-service-syncer kubepreset/provisioned-service-syncer
Note: my-provisioned-service-syncer is the release name; feel free to change it
to suit your needs. You can also add additional flags to the helm install
command if you need to.
To uninstall the chart:
helm delete my-provisioned-service-syncer
Usage
Suppose there is a Provisioned Service of kind Database in the prod-postgres
namespace. In that case, you can create a configuration like this in the
namespace where the application will run. Note: you can also create the
ServiceBinding resource in the same namespace where the application is running.
apiVersion: binding.kubepreset.dev/v1beta1
kind: ProvisionedServiceSyncer
metadata:
  name: postgres-instance
spec:
  apiVersion: kubepostgresql.dev/v1beta1
  kind: Database
  name: postgres
  namespace: prod-postgres
You also need to create a ClusterRole like this to give the operator permission
to read the Provisioned Service resource:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: postgres-database
  labels:
    binding.kubepreset.dev/provisioned-service-syncer: "true"
rules:
  - apiGroups:
      - kubepostgresql.dev
    resources:
      - databases
    verbs:
      - get
      - list
      - watch
After a successful reconciliation, the operator will update the resource status
with .status.binding.name, pointing to a new Secret resource with the values
from the other namespace. This makes ProvisionedServiceSyncer a Provisioned
Service-able resource that can be used for Service Binding:
apiVersion: binding.kubepreset.dev/v1beta1
kind: ProvisionedServiceSyncer
metadata:
  name: postgres-instance
spec:
  apiVersion: kubepostgresql.dev/v1beta1
  kind: Database
  name: postgres
  namespace: prod-postgres
status:
  observedGeneration: 1
  binding:
    name: postgres-instance-r8w47
  sourceSecret:
    name: postgres-db-7hk4a
  conditions:
    - lastTransitionTime: 2021-07-20T02:40:32Z
      message: "Secret resource created"
      reason: SecretCreated
      status: "True"
      type: Ready
Here is an example configuration of ServiceBinding with the
ProvisionedServiceSyncer used for the service:
apiVersion: service.binding/v1alpha2
kind: ServiceBinding
metadata:
  name: account-service
spec:
  application:
    apiVersion: apps/v1
    kind: Deployment
    name: online-banking
  service:
    apiVersion: binding.kubepreset.dev/v1beta1
    kind: ProvisionedServiceSyncer
    name: postgres-instance
Direct Secret Reference
Provisioned Service Syncer also supports a Direct Secret Reference in the
resource configuration, so that a plain Secret in the other namespace can be
synced without an intermediate Provisioned Service resource:
apiVersion: binding.kubepreset.dev/v1beta1
kind: ProvisionedServiceSyncer
metadata:
  name: postgres-instance
spec:
  apiVersion: v1
  kind: Secret
  name: prod-account-service-secret
  namespace: prod-postgres
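To make the flow of the Usage and Direct Secret Reference sections concrete, here is an added example (not the project's code) that simulates the reconcile in Python against an in-memory stand-in for the API server: it resolves the source Secret either through the Provisioned Service's .status.binding.name (reading the Database only when a ClusterRole carrying the binding.kubepreset.dev/provisioned-service-syncer label grants it) or directly when the spec points at a Secret, copies the Secret into the syncer's namespace with an owner reference, and writes the status block shown above. The FakeCluster class, the function names, the namespace banking, the sample Secret data and the failure reasons Forbidden, SourceNotFound and SourceNotReady are assumptions of the example, not behaviour documented by the project.

```python
"""Added example (not the project's code): in-memory simulation of the
ProvisionedServiceSyncer reconcile described above. Object shapes (spec fields,
status.binding.name, status.sourceSecret.name, the Ready condition, the labelled
ClusterRole) follow the README; the FakeCluster stand-in, the "kind + s"
pluralisation, the namespace "banking", the sample Secret data and the failure
reasons "Forbidden", "SourceNotFound" and "SourceNotReady" are assumptions."""
import copy
import secrets
import string

SYNCER_LABEL = "binding.kubepreset.dev/provisioned-service-syncer"


def random_suffix(length=5):  # like the "r8w47" suffix in the README's status example
    return "".join(secrets.choice(string.ascii_lowercase + string.digits) for _ in range(length))


def _permits(rule, key, wanted):
    return wanted in rule.get(key, []) or "*" in rule.get(key, [])


def rbac_allows(cluster_roles, api_group, resource, verb):
    """True if a ClusterRole carrying the syncer label grants verb on group/resource."""
    for role in cluster_roles:
        if role["metadata"].get("labels", {}).get(SYNCER_LABEL) != "true":
            continue  # assumption: only opted-in (labelled) roles are consulted
        for rule in role.get("rules", []):
            if _permits(rule, "apiGroups", api_group) and _permits(rule, "resources", resource) \
                    and _permits(rule, "verbs", verb):
                return True
    return False


class FakeCluster:
    """Minimal stand-in for the API server: namespaced objects plus ClusterRoles."""

    def __init__(self):
        self.objects, self.cluster_roles = {}, []

    def put(self, obj):
        m = obj["metadata"]
        self.objects[(obj["apiVersion"], obj["kind"], m["namespace"], m["name"])] = copy.deepcopy(obj)

    def get(self, api_version, kind, namespace, name):
        obj = self.objects.get((api_version, kind, namespace, name))
        if obj is None:
            raise LookupError(f"{kind} {namespace}/{name} not found")
        return copy.deepcopy(obj)


def resolve_source_secret(cluster, syncer):
    """Locate the Secret to copy: a direct Secret reference, or the Provisioned
    Service's own .status.binding.name (read only if the labelled RBAC allows it)."""
    spec = syncer["spec"]
    if spec["apiVersion"] == "v1" and spec["kind"] == "Secret":
        return cluster.get("v1", "Secret", spec["namespace"], spec["name"])
    group, resource = spec["apiVersion"].split("/")[0], spec["kind"].lower() + "s"
    if not rbac_allows(cluster.cluster_roles, group, resource, "get"):
        raise PermissionError(f"no labelled ClusterRole grants get on {group}/{resource}")
    service = cluster.get(spec["apiVersion"], spec["kind"], spec["namespace"], spec["name"])
    secret_name = service["status"]["binding"]["name"]  # KeyError if the service is not bound yet
    return cluster.get("v1", "Secret", spec["namespace"], secret_name)


def reconcile(cluster, syncer, suffix=random_suffix):
    """One reconcile pass: copy the source Secret into the syncer's namespace and
    fill in .status the way the README's status example shows."""
    syncer = copy.deepcopy(syncer)
    meta = syncer["metadata"]
    status = {"observedGeneration": meta.get("generation", 1)}
    try:
        source = resolve_source_secret(cluster, syncer)
    except (LookupError, PermissionError, KeyError) as err:  # KeyError is a LookupError subclass
        reason = {LookupError: "SourceNotFound", PermissionError: "Forbidden"}.get(type(err), "SourceNotReady")
        status["conditions"] = [{"type": "Ready", "status": "False", "reason": reason, "message": str(err)}]
        syncer["status"] = status
        return syncer
    copied = {"apiVersion": "v1", "kind": "Secret", "type": source.get("type", "Opaque"),
              "data": dict(source.get("data", {})),
              "metadata": {"name": f"{meta['name']}-{suffix()}", "namespace": meta["namespace"],
                           # owner reference: the copy is garbage-collected with the syncer
                           "ownerReferences": [{"apiVersion": syncer["apiVersion"],
                                                "kind": syncer["kind"], "name": meta["name"]}]}}
    cluster.put(copied)
    status.update(binding={"name": copied["metadata"]["name"]},
                  sourceSecret={"name": source["metadata"]["name"]},
                  conditions=[{"type": "Ready", "status": "True", "reason": "SecretCreated",
                               "message": "Secret resource created"}])
    syncer["status"] = status
    return syncer


# Constructed sample objects mirroring the README's prod-postgres example.
SAMPLE_DATA = {"username": "cG9zdGdyZXM=", "password": "czNjcjN0"}  # base64 "postgres" / "s3cr3t"
DATABASE_SYNCER = {"apiVersion": "binding.kubepreset.dev/v1beta1", "kind": "ProvisionedServiceSyncer",
                   "metadata": {"name": "postgres-instance", "namespace": "banking"},
                   "spec": {"apiVersion": "kubepostgresql.dev/v1beta1", "kind": "Database",
                            "name": "postgres", "namespace": "prod-postgres"}}


def build_demo_cluster():
    c = FakeCluster()
    c.put({"apiVersion": "v1", "kind": "Secret", "type": "Opaque", "data": SAMPLE_DATA,
           "metadata": {"name": "postgres-db-7hk4a", "namespace": "prod-postgres"}})
    c.put({"apiVersion": "kubepostgresql.dev/v1beta1", "kind": "Database",
           "metadata": {"name": "postgres", "namespace": "prod-postgres"},
           "status": {"binding": {"name": "postgres-db-7hk4a"}}})
    c.cluster_roles.append({"metadata": {"name": "postgres-database", "labels": {SYNCER_LABEL: "true"}},
                            "rules": [{"apiGroups": ["kubepostgresql.dev"], "resources": ["databases"],
                                       "verbs": ["get", "list", "watch"]}]})
    return c


if __name__ == "__main__":
    print(reconcile(build_demo_cluster(), DATABASE_SYNCER)["status"])
```

Two points worth noticing in the simulation: the copied Secret carries an owner reference to the ProvisionedServiceSyncer, so deleting the syncer removes the copy instead of leaving credentials behind in the application namespace, and a missing or too-narrow ClusterRole surfaces as a Ready=False condition in .status rather than as a silently absent Secret. In a real cluster the API server enforces RBAC on the operator's ServiceAccount; the rbac_allows check here only mirrors that decision so the label-selected ClusterRole from the Usage section can be exercised offline.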
Contributing to Provisioned Service Syncer
👍🎉 First off, thanks for taking the time to contribute! 🎉👍
You can look at the issues with the help wanted label for items that you can
work on. If you need help, please feel free to reach out to our discussion group!
When contributing to this repository, please first discuss the change you wish
to make via issue, email, or any other method with the owners of this repository
before making a change. Small pull requests are easy to review and merge. So,
please send small pull requests.
Please note that we have a code of conduct; please follow it in all your
interactions with the project.
Contributions to this project should conform to the Developer Certificate of
Origin.
Remember, when you send pull requests:
- Write tests.
- Write a good commit message.
See the contribution guidelines for more details. The KubePreset Wiki has
additional information for contributors.
Development
We recommend using GNU/Linux systems for the development of Provisioned Service
Syncer. This project requires Go version 1.16 or above installed on your
system. You should also have make and GCC installed on your system.
To build the project:
make
To run the tests:
make test
We have a mailing list (kubepreset@googlegroups.com) for community
support and discussion. You are welcome to ask any questions about Provisioned
Service Syncer or KubePreset.
To report any issues, use our GitHub issue tracker. You can make
feature requests and report bugs. For reporting any security issues, see the
security policy page.
You are welcome to contribute code and documentation to this project. See the
contribution guidelines for more details.