From f50262f73219a0387fd32fec87c81c97e58c51f9 Mon Sep 17 00:00:00 2001
From: Ashwin Krishna
Date: Wed, 23 Mar 2022 15:15:38 -0700
Subject: [PATCH] Volume mount serviceBinding credentials onto workloads

- Add ClusterRole required by the ServiceBinding Controller to fetch the referenced CFServiceBinding object
- Add installation of ServiceBinding controller to `deploy-on-kind` script.
- Update README with manual installation instructions

Co-authored-by: Akira Wong
---
 README.md | 15 +++++++++++++++
 .../rbac/cfservicebinding_reconciler_role.yaml | 17 +++++++++++++++++
 controllers/config/rbac/kustomization.yaml | 1 +
 controllers/reference/cf-k8s-controllers.yaml | 18 ++++++++++++++++++
 scripts/install-dependencies.sh | 6 ++++++
 5 files changed, 57 insertions(+)
 create mode 100644 controllers/config/rbac/cfservicebinding_reconciler_role.yaml

diff --git a/README.md b/README.md
index 96898de45..cd497a967 100644
--- a/README.md
+++ b/README.md
@@ -163,6 +163,21 @@ subnamespaces.
 kubectl hns config set-resource secrets --mode Propagate
 ```
+---
+## Optional: Install Service Bindings Controller
+
+Cloud Native Buildpacks and other app frameworks (such as [Spring Cloud Bindings](https://github.com/spring-cloud/spring-cloud-bindings)) are adopting the [K8s ServiceBinding spec](https://github.com/servicebinding/spec#workload-projection) model of volume mounted secrets.
+We currently are providing apps access to these via the `VCAP_SERVICES` environment variable ([see this issue](https://github.com/cloudfoundry/cf-k8s-controllers/issues/462)) for backwards compatibility reasons.
+We would also want to support the newer developments in the ServiceBinding ecosystem as well.
+
+We are not implementing this ourselves but allowing controller that adopts the [ServiceBinding Spec](https://github.com/servicebinding/spec) that volume mounts secrets to workload containers to be used.
+We have tested with [this Service Binding reconciler](https://github.com/vmware-labs/service-bindings). Install it using
+
+```sh
+kubectl apply -f https://github.com/vmware-tanzu/servicebinding/releases/download/v0.7.1/service-bindings-0.7.1.yaml
+```
+
+---
 # Installation
 ## Configure cf-k8s-controllers
 Configuration file for cf-k8s-controllers is at `controllers/config/base/controllersconfig/cf_k8s_controllers_config.yaml`
diff --git a/controllers/config/rbac/cfservicebinding_reconciler_role.yaml b/controllers/config/rbac/cfservicebinding_reconciler_role.yaml
new file mode 100644
index 000000000..54af5736c
--- /dev/null
+++ b/controllers/config/rbac/cfservicebinding_reconciler_role.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cfservicebinding-reconciler-role
+  labels:
+    servicebinding.io/controller: "true" # matches the aggregation rule selector
+rules:
+- apiGroups:
+  - services.cloudfoundry.org
+  resources:
+  - cfservicebindings
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
diff --git a/controllers/config/rbac/kustomization.yaml b/controllers/config/rbac/kustomization.yaml
index 731832a6a..4e710c0a5 100644
--- a/controllers/config/rbac/kustomization.yaml
+++ b/controllers/config/rbac/kustomization.yaml
@@ -9,6 +9,7 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
+- cfservicebinding_reconciler_role.yaml
 # Comment the following 4 lines if you want to disable
 # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
 # which protects your /metrics endpoint.
diff --git a/controllers/reference/cf-k8s-controllers.yaml b/controllers/reference/cf-k8s-controllers.yaml
index 4c8ed6922..f923df77e 100644
--- a/controllers/reference/cf-k8s-controllers.yaml
+++ b/controllers/reference/cf-k8s-controllers.yaml
@@ -1723,6 +1723,24 @@ rules:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
+metadata:
+  labels:
+    servicebinding.io/controller: "true"
+  name: cf-k8s-controllers-cfservicebinding-reconciler-role
+rules:
+- apiGroups:
+  - services.cloudfoundry.org
+  resources:
+  - cfservicebindings
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
 metadata:
   creationTimestamp: null
   name: cf-k8s-controllers-manager-role
diff --git a/scripts/install-dependencies.sh b/scripts/install-dependencies.sh
index 71ccc828e..6d98ea6c1 100755
--- a/scripts/install-dependencies.sh
+++ b/scripts/install-dependencies.sh
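Review bot: The new ClusterRole grants `update` and `patch` on cfservicebindings, but the commit message says the ServiceBinding controller only needs to fetch the referenced CFServiceBinding, for which `get`, `list` and `watch` are sufficient. Because the `servicebinding.io/controller: "true"` label aggregates these rules into the third-party controller's role, every write verb here widens what that controller may do to all CFServiceBindings in the cluster. If the reconciler really does write to the object, record why in a comment above the verbs list and, where the CRD serves the subresource, prefer scoping the write to `cfservicebindings/status` or `cfservicebindings/finalizers`; otherwise drop the `- update` and `- patch` lines. The same verbs are repeated in the generated controllers/reference/cf-k8s-controllers.yaml hunk and should change together with this file.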
@@ -166,6 +166,12 @@ helm template eirini-controller "${EIRINI_DIR}/deployment/helm" \
 --set "images.eirini_controller=eirini/eirini-controller@sha256:42e22b3222e9b3788782f5c141d260a5e163da4f4032e2926752ef2e5bae0685" \
 --namespace "eirini-controller" | kubectl apply -f -
+echo "**************************************"
+echo "Installing Service Binding Controller"
+echo "**************************************"
+
+kubectl apply -f https://github.com/vmware-tanzu/servicebinding/releases/download/v0.7.1/service-bindings-0.7.1.yaml
+
 echo "******"
 echo "Done"
 echo "******"
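Review bot: The added `kubectl apply -f https://github.com/vmware-tanzu/servicebinding/releases/download/v0.7.1/service-bindings-0.7.1.yaml` applies a manifest fetched over the network straight into the cluster with no integrity check, while the eirini step in the leading context pins its image by sha256 digest; a release asset can be replaced under the same tag, so the script would install whatever that URL serves on the day it runs. Consider committing the manifest to the repo, or downloading it to a file and checking a recorded digest before applying, e.g. `curl -sSLo "$manifest" "$url" && echo "<sha256-placeholder>  $manifest" | sha256sum -c - && kubectl apply -f "$manifest"` (variable names here are illustrative). The helm pipeline shown in the context lines starts before this hunk. The README hunk presents this controller as optional, whereas this script installs it unconditionally; a short comment above the apply saying that the dev/kind setup always includes it would keep the two in step.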