Service Resource Claims

Install

See the documentation on installing the latest release of the Services Toolkit to get started.

Terminology

  • Service Resource - Represents a concrete resource that provides a certain service, such as databases, message queues, caches, DNS records, firewall rules, virtual networks, etc.
  • Service Binding - Represents the intent of providing information about a well-known Service Resource object to a well-known Application.
  • Provisioned Service - Used to refer to any Kubernetes object that adheres to the Provisioned Service duck type.
  • Service Resource Claim - Represents a request by an Application to use any Service Resource of a certain category, as long as it satisfies a set of specified requirements.

Resources

ResourceClaim

The main purpose of a ResourceClaim is to identify the concrete Kubernetes object within the cluster that satisfies the requirements stated in the claim.

Once the object is identified, the status condition ResourceMatched is set to True.
If the referenced object adheres to the Provisioned Service duck type, its .status.binding.name is copied to the ResourceClaim's .status.binding.name and the ResourceClaimed condition is set to True. The claim object itself is a Provisioned Service, so it can be used to define a Service Binding.

ResourceClaims are currently exclusive: a Service Resource can have only ONE successfully claimed ResourceClaim in the cluster. A second claim that references the same resource will match it (ResourceMatched) but will not be claimed.

apiVersion: services.apps.tanzu.vmware.com/v1alpha1
kind: ResourceClaim
metadata:
  name: rmq-claim
  namespace: accounts
spec:
  ref:
    apiVersion: rabbitmq.com/v1alpha1
    kind: RabbitmqCluster
    name: my-rmq
    namespace: my-rmq-namespace # optional (if claiming across namespaces)
status:
  binding:
    name: my-rmq-secret # copied from RabbitmqCluster/my-rmq
  conditions:
    - lastTransitionTime: "2019-10-22T16:29:25Z"
      status: "True"
      type: Ready
    - lastTransitionTime: "2019-10-22T16:29:24Z"
      status: "True"
      type: ResourceClaimed
    - lastTransitionTime: "2019-10-22T16:29:23Z"
      status: "True"
      type: ResourceMatched

ResourceClaimPolicy

ResourceClaimPolicy enables ResourceClaims to work across namespaces.

The Policy refers to two pieces of information: the Service Resources (e.g. RabbitmqClusters) that this policy applies to, and the namespaces that are allowed to claim these resources.
  • The matching Service Resources MUST reside in the same namespace as the ResourceClaimPolicy, and their type must also be specified in .spec.type.
  • Namespaces that are allowed to claim these Service Resources must have their namespace name in the .spec.consumingNamespaces array. A value of * allows claiming from ALL namespaces in this cluster, so use it only for resources that every tenant of the cluster may share.

apiVersion: services.apps.tanzu.vmware.com/v1alpha1
kind: ResourceClaimPolicy
metadata:
  name: rmq-policy
  namespace: my-rmq-namespace
spec:
  consumingNamespaces:
  - accounts # or "*" for all namespaces
  type:
    group: rabbitmq.com
    kind: RabbitmqCluster
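The matching rules described above (resolving .spec.ref, requiring a ResourceClaimPolicy for cross-namespace claims, the exclusivity rule, and copying the binding name from a Provisioned Service) modelled as a small offline evaluator. This is an added example, not Services Toolkit code: the controller's real implementation is not on this page, and the order of the checks, the handling of a cross-namespace claim that no policy permits (treated here as unmatched), and Ready following ResourceClaimed are assumptions. The sample objects are constructed to mirror the page's YAML.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Resource:
    """A Service Resource as the controller sees it through its RBAC."""
    api_version: str
    kind: str
    name: str
    namespace: str
    # .status.binding.name when the object adheres to the Provisioned
    # Service duck type; None when it does not.
    binding_name: Optional[str] = None


@dataclass(frozen=True)
class Policy:
    """A ResourceClaimPolicy; it lives in the Service Resource's namespace."""
    namespace: str
    group: str                        # .spec.type.group
    kind: str                         # .spec.type.kind
    consuming_namespaces: Tuple[str, ...]


@dataclass
class Claim:
    """A ResourceClaim with the .spec.ref fields shown on the page."""
    name: str
    namespace: str
    ref: Dict[str, str]               # apiVersion, kind, name, optional namespace
    claimed: bool = False             # ResourceClaimed condition currently True


def api_group(api_version: str) -> str:
    """'rabbitmq.com/v1alpha1' -> 'rabbitmq.com'; the core group is ''."""
    return api_version.split("/", 1)[0] if "/" in api_version else ""


def resolve_ref(claim: Claim) -> Tuple[str, str, str, str]:
    """Identity of the referenced object; the namespace defaults to the claim's."""
    ref = claim.ref
    return (ref["apiVersion"], ref["kind"], ref["name"],
            ref.get("namespace", claim.namespace))


def policy_allows(policies: List[Policy], resource: Resource, consumer_ns: str) -> bool:
    """A cross-namespace claim needs a policy in the RESOURCE's namespace whose
    .spec.type matches the resource and whose consumingNamespaces lists the
    claim's namespace or '*'."""
    for p in policies:
        if p.namespace != resource.namespace:
            continue
        if (p.group, p.kind) != (api_group(resource.api_version), resource.kind):
            continue
        if "*" in p.consuming_namespaces or consumer_ns in p.consuming_namespaces:
            return True
    return False


def evaluate(claim: Claim, resources: List[Resource], policies: List[Policy],
             other_claims: List[Claim]) -> Tuple[Dict[str, bool], Optional[str]]:
    """Return (status conditions, status.binding.name) for `claim`."""
    conditions = {"ResourceMatched": False, "ResourceClaimed": False, "Ready": False}
    target = resolve_ref(claim)
    match = next((r for r in resources
                  if (r.api_version, r.kind, r.name, r.namespace) == target), None)
    if match is None:
        return conditions, None
    # Assumption: a cross-namespace reference that no policy permits is
    # treated as unmatched, so nothing about the resource leaks into status.
    if match.namespace != claim.namespace and not policy_allows(policies, match, claim.namespace):
        return conditions, None
    conditions["ResourceMatched"] = True
    # Exclusivity: only ONE successfully claimed ResourceClaim per resource.
    if any(o.claimed and resolve_ref(o) == target for o in other_claims if o is not claim):
        return conditions, None
    # Provisioned Service duck type: copy .status.binding.name into the claim.
    if match.binding_name is None:
        return conditions, None
    conditions["ResourceClaimed"] = True
    conditions["Ready"] = True        # assumption: Ready follows ResourceClaimed
    return conditions, match.binding_name


# Constructed sample objects mirroring the page's YAML.
RMQ = Resource("rabbitmq.com/v1alpha1", "RabbitmqCluster", "my-rmq",
               "my-rmq-namespace", binding_name="my-rmq-secret")
RMQ_POLICY = Policy("my-rmq-namespace", "rabbitmq.com", "RabbitmqCluster", ("accounts",))
RMQ_CLAIM = Claim("rmq-claim", "accounts",
                  {"apiVersion": "rabbitmq.com/v1alpha1", "kind": "RabbitmqCluster",
                   "name": "my-rmq", "namespace": "my-rmq-namespace"})

if __name__ == "__main__":
    print(evaluate(RMQ_CLAIM, [RMQ], [RMQ_POLICY], []))
    print(evaluate(RMQ_CLAIM, [RMQ], [], []))   # no policy: not matched
```

Running the module prints the fully claimed result for the page's claim and the unmatched result once the policy is removed. The same evaluator shows the other cases a practitioner checks before relying on a claim: a namespace missing from consumingNamespaces is refused, "*" admits any namespace, a resource already claimed elsewhere is matched but not claimed, and a resource that is not a Provisioned Service never yields a binding name.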

Permissions (RBAC)

The ResourceClaim controller MUST have read access to the Resources specified in the ResourceClaim spec. As these resources are not known upfront, the appropriate RBAC must be set up on the cluster. To accomplish this, RBAC must be set up using Aggregated ClusterRoles carrying the resourceclaims.services.apps.tanzu.vmware.com/controller: "true" label. Every ClusterRole with that label is merged into the controller's permissions, so treat the ability to create labelled ClusterRoles as equivalent to editing the controller's RBAC, and give each one only the resources and verbs the controller needs.

An example of a ClusterRole that allows RabbitmqCluster resources to be read by the ResourceClaim controller:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: resource-claims-rmq-role
  labels:
    resourceclaims.services.apps.tanzu.vmware.com/controller: "true"
rules:
- apiGroups:
  - rabbitmq.com
  resources:
  - rabbitmqclusters
  verbs:
  - get
  - list
  - watch
  - update
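How the label-based aggregation above resolves into the controller's effective permissions, modelled offline in Python. This is an added example, not Services Toolkit code: the name of the controller's aggregating ClusterRole is an assumption, the Secrets-reading roles are constructed to show the effect of adding the label, and label matching covers matchLabels only (matchExpressions are not modelled).

```python
from typing import Dict, List, Optional

# The label the page says aggregated ClusterRoles must carry.
CONTROLLER_LABEL = "resourceclaims.services.apps.tanzu.vmware.com/controller"


def aggregate(aggregating: Dict, cluster_roles: List[Dict]) -> List[Dict]:
    """Rules the API server's aggregation controller copies into `aggregating`:
    the union of the rules of every ClusterRole matched by one of its
    clusterRoleSelectors (matchLabels only; matchExpressions not modelled)."""
    selectors = aggregating.get("aggregationRule", {}).get("clusterRoleSelectors", [])
    rules: List[Dict] = []
    for role in cluster_roles:
        labels = role.get("metadata", {}).get("labels", {})
        if any(all(labels.get(k) == v for k, v in sel.get("matchLabels", {}).items())
               for sel in selectors):
            rules.extend(role.get("rules", []))
    return rules


def _allowed(wanted: str, allowed: List[str]) -> bool:
    return "*" in allowed or wanted in allowed


def can_i(rules: List[Dict], verb: str, group: str, resource: str) -> bool:
    """RBAC resource-rule check; resourceNames and nonResourceURLs are ignored."""
    return any(_allowed(verb, r.get("verbs", []))
               and _allowed(group, r.get("apiGroups", []))
               and _allowed(resource, r.get("resources", []))
               for r in rules)


# Assumed name for the controller's aggregating role; it carries no rules of
# its own and gains whatever the labelled roles contribute.
CONTROLLER_ROLE = {
    "metadata": {"name": "resource-claims-controller-role"},
    "aggregationRule": {"clusterRoleSelectors": [{"matchLabels": {CONTROLLER_LABEL: "true"}}]},
    "rules": [],
}

# The page's example ClusterRole.
RMQ_ROLE = {
    "metadata": {"name": "resource-claims-rmq-role", "labels": {CONTROLLER_LABEL: "true"}},
    "rules": [{"apiGroups": ["rabbitmq.com"], "resources": ["rabbitmqclusters"],
               "verbs": ["get", "list", "watch", "update"]}],
}

# Constructed: a role that reads Secrets but is NOT labelled for the controller.
SECRETS_ROLE = {
    "metadata": {"name": "secret-reader"},
    "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}],
}

# Constructed: the same role with the label added. This is all it takes to
# widen the controller's permissions, so creating labelled roles must be controlled.
LABELLED_SECRETS_ROLE = {
    "metadata": {"name": "secret-reader", "labels": {CONTROLLER_LABEL: "true"}},
    "rules": SECRETS_ROLE["rules"],
}


def controller_rules(extra: Optional[List[Dict]] = None) -> List[Dict]:
    """Effective rules of the controller role given the cluster's ClusterRoles."""
    return aggregate(CONTROLLER_ROLE, [RMQ_ROLE, SECRETS_ROLE, *(extra or [])])


if __name__ == "__main__":
    rules = controller_rules()
    print("get rabbitmqclusters:", can_i(rules, "get", "rabbitmq.com", "rabbitmqclusters"))
    print("get secrets:", can_i(rules, "get", "", "secrets"))
    print("get secrets after labelled role:",
          can_i(controller_rules([LABELLED_SECRETS_ROLE]), "get", "", "secrets"))
```

With only the page's role labelled, the controller can get, list, watch and update RabbitmqClusters and nothing else; the unlabelled Secrets role contributes nothing until the label is added. Kubernetes' escalation check still limits a role's creator to permissions they already hold, but anyone who may create a labelled ClusterRole can lend those permissions to the controller, which is the reason to restrict that ability and to keep each labelled role's verbs to what the controller version you run actually requires.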