Service Bindings for Kubernetes implements the Service Binding Specification for Kubernetes v1.0.
This implementation provides support for:
- Provisioned Service
- Workload Projection
- Service Binding
- Direct Secret Reference
- Role-Based Access Control (RBAC)
The following are not implemented:
- Workload Resource Mapping
- Extensions including:
Equivalent capabilities from the v1.0.0-rc3 (servicebinding.io/v1alpha3) version of the spec are also supported. There are no significant API or runtime changes between v1alpha3 and v1beta1 versions.
Prerequisites:
- a Kubernetes 1.18+ cluster
Using the latest release is recommended.
We use Golang and ko to build the CRD and reconciler, and kapp to deploy them.
From within the cloned directory for this project, run:
```sh
kapp deploy -a service-bindings -f <(ko resolve -f config)
```
To uninstall, run:
```sh
kapp delete -a service-bindings
```
Retrieve pod logs from the manager running in the service-bindings namespace.
```sh
kubectl -n service-bindings logs -l role=manager
```
For example:
```
2021/11/05 15:25:28 Registering 3 clients
2021/11/05 15:25:28 Registering 3 informer factories
2021/11/05 15:25:28 Registering 7 informers
2021/11/05 15:25:28 Registering 8 controllers
{"severity":"INFO","timestamp":"2021-11-05T15:25:28.483823208Z","caller":"logging/config.go:116","message":"Successfully created the logger."}
{"severity":"INFO","timestamp":"2021-11-05T15:25:28.48392361Z","caller":"logging/config.go:117","message":"Logging level set to: info"}
{"severity":"INFO","timestamp":"2021-11-05T15:25:28.483999911Z","caller":"logging/config.go:79","message":"Fetch GitHub commit ID from kodata failed","error":"open /var/run/ko/HEAD: no such file or directory"}
{"severity":"INFO","timestamp":"2021-11-05T15:25:28.484035711Z","logger":"webhook","caller":"profiling/server.go:64","message":"Profiling enabled: false"}
{"severity":"INFO","timestamp":"2021-11-05T15:25:28.522884909Z","logger":"webhook","caller":"leaderelection/context.go:46","message":"Running with Standard leader election"}
{"severity":"INFO","timestamp":"2021-11-05T15:25:28.523358615Z","logger":"webhook","caller":"provisionedservice/controller.go:31","message":"Setting up event handlers."}
...
{"severity":"ERROR","timestamp":"2021-11-17T15:00:24.561881861Z","logger":"webhook","caller":"controller/controller.go:548","message":"Reconcile error","duration":"167.902µs","error":"deployments.apps \"spring-petclinic\" not found","stacktrace":"knative.dev/pkg/controller.(*Impl).handleErr\n\tknative.dev/[email protected]/controller/controller.go:548\nknative.dev/pkg/controller.(*Impl).processNextWorkItem\n\tknative.dev/[email protected]/controller/controller.go:531\nknative.dev/pkg/controller.(*Impl).RunContext.func3\n\tknative.dev/[email protected]/controller/controller.go:468"}
```
For basic troubleshooting of Service Bindings, please see the troubleshooting guide here.
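A small Go filter for the manager output shown above, as an added example that is not part of the project's own code: it skips the plain-text startup lines and any truncated JSON, and returns only the ERROR entries such as the reconcile failure. The `sample` lines are constructed in the format above, and `entry` and `reconcileErrors` are hypothetical names.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"log"
	"os"
	"strings"
)

// sample is constructed input in the manager's format; the last line is cut off on purpose.
const sample = `2021/11/05 15:25:28 Registering 8 controllers
{"severity":"INFO","timestamp":"2021-11-05T15:25:28.48392361Z","caller":"logging/config.go:117","message":"Logging level set to: info"}
{"severity":"ERROR","timestamp":"2021-11-17T15:00:24.561881861Z","logger":"webhook","caller":"controller/controller.go:548","message":"Reconcile error","error":"deployments.apps \"spring-petclinic\" not found"}
{"severity":"ERROR","timestamp":"2021-11-17T15:00:2`

// entry keeps the fields needed for triage; encoding/json matches the lowercase keys case-insensitively.
type entry struct{ Severity, Timestamp, Caller, Message, Error string }

// reconcileErrors scans manager log output and returns the entries with severity ERROR.
func reconcileErrors(r io.Reader) ([]entry, error) {
	var out []entry
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 0, 64*1024), 1<<20) // embedded stack traces make long lines
	for sc.Scan() {
		var e entry
		// Plain startup lines and truncated JSON fail to parse and are skipped.
		if json.Unmarshal(sc.Bytes(), &e) == nil && e.Severity == "ERROR" {
			out = append(out, e)
		}
	}
	return out, sc.Err()
}

func main() {
	var in io.Reader = strings.NewReader(sample)
	if len(os.Args) > 1 && os.Args[1] == "-" {
		in = os.Stdin // piped output of the kubectl logs command
	}
	errs, err := reconcileErrors(in)
	if err != nil {
		log.Fatal(err)
	}
	for _, e := range errs {
		fmt.Printf("%s %s: %s (%s)\n", e.Timestamp, e.Message, e.Error, e.Caller)
	}
}
```

Pass `-` as the only argument to read piped `kubectl logs` output from standard input instead of the embedded sample.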
Samples are located in the samples directory, including:
- Spring PetClinic with MySQL
- Controlled Resource
- Overridden Type and Provider
- Provisioned Service
- Multiple Bindings
The ServiceBinding resource shape and behavior are defined by the spec.
```yaml
apiVersion: servicebinding.io/v1beta1
kind: ServiceBinding
metadata:
  name: account-db
spec:
  service:
    apiVersion: bindings.labs.vmware.com/v1alpha1
    kind: ProvisionedService
    name: account-db
  workload:
    apiVersion: apps/v1
    kind: Deployment
    name: account-service
```
The ProvisionedService exposes a resource Secret by implementing the upstream Provisioned Service duck type, and may be the target of the .spec.service reference for a ServiceBinding. It is intended for compatibility with existing services that do not directly implement the duck type.
For example, to expose a service with an existing Secret named account-db-service:
```yaml
apiVersion: bindings.labs.vmware.com/v1alpha1
kind: ProvisionedService
metadata:
  name: account-db
spec:
  binding:
    name: account-db-service
---
apiVersion: v1
kind: Secret
metadata:
  name: account-db-service
type: Opaque
stringData:
  type: mysql
  # use appropriate values
  host: localhost
  database: default
  password: ""
  port: "3306"
  username: root
```
The controller writes the resource's status to implement the duck type.
The Service Bindings for Kubernetes project team welcomes contributions from the community. If you wish to contribute code and you have not signed our contributor license agreement (CLA), our bot will update the issue when you open a Pull Request. For any questions about the CLA process, please refer to our FAQ. For more detailed information, refer to CONTRIBUTING.md.
Service Bindings for Kubernetes is an implementation of the Service Binding Specification for Kubernetes. Thanks to Arthur De Magalhaes and Ben Hale for leading the spec effort.
The initial implementation was conceived in projectriff/bindings by Scott Andrews, Emily Casey and the riff community at large, drawing inspiration from mattmoor/bindings and Knative duck type reconcilers.
Apache License v2.0: see LICENSE for details.