|
79 | 79 | NOTE: This feature is only available for `ServiceBinding` in the |
80 | 80 | `binding.operators.coreos.com` API group. |
81 | 81 |
|
82 | | -SBO provides an API to inject a binding secret name into a custom application resource field. |
| 82 | +SBO provides an API to project a binding secret name into a custom application resource field. |
83 | 83 | Here is an example CR with the secret in a custom location: |
84 | 84 |
|
85 | 85 | [source,yaml] |
@@ -132,3 +132,83 @@ metadata: |
132 | 132 | spec: |
133 | 133 | secret: binding-request-72ddc0c540ab3a290e138726940591debf14c581 |
134 | 134 | .... |
| 135 | + |
| 136 | +== Workload resource mapping |
| 137 | + |
| 138 | +The specification also provides a way of defining exactly where binding data needs to be projected |
| 139 | +into, which may work in situations where the above methods won't work. This is done by defining |
| 140 | +`ClusterWorkloadResourceMapping.servicebindings.io` resources, which define where binding data gets |
| 141 | +projected for a given workload kind. This works for both CoreOS and specification service binding |
| 142 | +resources. |
| 143 | + |
| 144 | +The schema of these resources looks like the following: |
| 145 | +[source,yaml] |
| 146 | +.... |
| 147 | +apiVersion: servicebinding.io/v1alpha3 |
| 148 | +kind: ClusterWorkloadResourceMapping |
| 149 | +metadata: |
| 150 | + name: # string <1> |
| 151 | + ... |
| 152 | +spec: |
| 153 | + versions: # required, at least one entry must be defined |
| 154 | + - version: # string <2> |
| 155 | + annotations: # string (Fixed JSONPath), optional <3> |
| 156 | + containers: # optional |
| 157 | + - path: # string (JSONPath) <4> |
| 158 | + name: # string (Fixed JSONPath), optional <5> |
| 159 | + env: # string (Fixed JSONPath), optional <6> |
| 160 | + volumeMounts: # string (Fixed JSONPath), optional <7> |
| 161 | + volumes: # string (Fixed JSONPath), optional <8> |
| 162 | +.... |
| 163 | +<1> the name of this resource (must be qualified as `plural.group`, i.e. `cronjobs.batch` for CronJobs) |
| 164 | +<2> the version of the resource we're mapping (can match all unspecified versions with the wildcard "*") |
| 165 | +<3> where annotations live with a fixed JSONPath (default: `.spec.template.spec.annotations`) |
| 166 | +<4> where containers live with a JSONPath (if no entries are defined, SBO defaults to two paths: |
| 167 | +`.spec.template.spec.containers` and `.spec.template.spec.initContainers` with all other fields |
| 168 | +set as their default). |
| 169 | +<5> corresponds to the `.name` field in a pod. Defaults to `.name`. |
| 170 | +<6> corresponds to the `.env` environment variables. Defaults to `.env`. |
| 171 | +<7> corresponds to where the volume mounts of a pod lives. Defaults to `.volumeMounts`. |
| 172 | +<8> where volumes live with a fixed JSONPath (default: `.spec.template.spec.volumes`) |
| 173 | + |
| 174 | +[IMPORTANT] |
| 175 | +==== |
| 176 | +In this context, a "Fixed JSONPath" is a subset of the JSONPath grammar that accepts only the |
| 177 | +following operations: |
| 178 | +
|
| 179 | +. Field lookup: `.spec.template` |
| 180 | +. Array indexing: `.spec['template']` |
| 181 | +
|
| 182 | +All other operations are forbidden. |
| 183 | +==== |
| 184 | + |
| 185 | +Most of these fields are optional, and SBO assumes PodSpec-compatible defaults when not specified. |
| 186 | +SBO requires that each of these fields is semantically equivalent to the corresponding field in a Pod |
| 187 | +deployment; failing to maintain this may result in unexpected behavior. |
| 188 | + |
| 189 | +Using the above schema, we can define the following YAML as an example mapping for `CronJob.batch/v1` |
| 190 | +resources: |
| 191 | + |
| 192 | +[source,yaml] |
| 193 | +.... |
| 194 | +apiVersion: servicebinding.io/v1alpha3 |
| 195 | +kind: ClusterWorkloadResourceMapping |
| 196 | +metadata: |
| 197 | + name: cronjobs.batch |
| 198 | +spec: |
| 199 | + versions: |
| 200 | + - version: "v1" |
| 201 | + annotations: .spec.jobTemplate.spec.template.metadata.annotations |
| 202 | + containers: |
| 203 | + - path: .spec.jobTemplate.spec.template.spec.containers[*] |
| 204 | + - path: .spec.jobTemplate.spec.template.spec.initContainers[*] |
| 205 | + volumes: .spec.jobTemplate.spec.template.spec.volumes |
| 206 | +.... |
| 207 | + |
| 208 | +NOTE: There is some behavior in the CoreOS API that doesn't exist in the specification API: |
| 209 | + |
| 210 | +. If a `ServiceBinding` resource with `bindAsFiles: false` is created with one of these mappings, |
| 211 | +then environment variables will be projected into `.envFrom` underneath each `path` field specified |
| 212 | +in the corresponding `ClusterWorkloadResourceMapping` resource. |
| 213 | +. Both this and the `containersPath` field documented above can be used at the same time. This would |
| 214 | +be equivalent to adding a container entry with `path: $(containersPath)`. |
0 commit comments