Resource Claims

Install

See the documentation on installing the latest release of the Services Toolkit to get started.

Resources

ResourceClaim

The main purpose of ResourceClaim is to identify the concrete Kubernetes object within the cluster that satisfies the requirements stated in the claim.

After the object is identified, the status condition ResourceMatched is set to true. If the referenced object adheres to the provisioned service duck type, its .status.binding.name is copied to the ResourceClaim's .status.binding.name and the ResourceClaimed condition is set to true. The claim object itself is a provisioned service, so it can be used to define a service binding.

ResourceClaims are currently exclusive. A Service Resource can only have one successfully claimed ResourceClaim in the cluster.

apiVersion: services.apps.tanzu.vmware.com/v1alpha1
kind: ResourceClaim
metadata:
  name: rmq-claim
  namespace: accounts
spec:
  ref:
    apiVersion: rabbitmq.com/v1alpha1
    kind: RabbitmqCluster
    name: my-rmq
    namespace: my-rmq-namespace # optional (if claiming across namespaces)
status:
  binding:
    name: my-rmq-secret # copied from RabbitmqCluster/my-rmq
  conditions:
    - lastTransitionTime: "2019-10-22T16:29:25Z"
      status: "True"
      type: Ready
    - lastTransitionTime: "2019-10-22T16:29:24Z"
      status: "True"
      type: ResourceClaimed
    - lastTransitionTime: "2019-10-22T16:29:23Z"
      status: "True"
      type: ResourceMatched

ResourceClaimPolicy

ResourceClaimPolicy enables ResourceClaims to work across namespaces.

The policy refers to two pieces of information:

  • Service Resources, such as RabbitmqClusters, that this policy applies to
  • The namespaces allowed to claim these resources

The matching Service Resources must reside in the same namespace as the ResourceClaimPolicy and their type must also be specified in .spec.subject.

Namespaces that are allowed to claim these service resources must have their namespace name in the .spec.consumingNamespaces array. A value of * allows claiming from all namespaces in this cluster.

apiVersion: services.apps.tanzu.vmware.com/v1alpha1
kind: ResourceClaimPolicy
metadata:
  name: rmq-policy
  namespace: my-rmq-namespace
spec:
  consumingNamespaces:
  - accounts # or "*" for all namespaces
  subject:
    group: rabbitmq.com
    kind: RabbitmqCluster
    selector: # optional
      matchLabels:
        "key": "value"
      matchExpressions:
      - key: "key"
        operator: In
        values: ["value1", "value2"]
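As an added example (not the toolkit's own code), the following Python models the cross-namespace authorization check that the ResourceClaimPolicy section above describes: a claim from another namespace is only honoured when a policy in the Service Resource's namespace names its group/kind in .spec.subject, matches its labels through the optional selector, and lists the claiming namespace (or "*") in .spec.consumingNamespaces. The Service Resource is assumed to be represented by its group, kind, namespace and labels; all objects are constructed for the example.

```python
# Added example (not the toolkit's own code): a stand-alone model of the
# ResourceClaimPolicy check a cross-namespace ResourceClaim must pass.
# The group/kind/namespace/labels of the Service Resource are assumed inputs.
def selector_matches(selector, labels):
    """Evaluate an optional Kubernetes label selector (matchLabels + matchExpressions)."""
    if not selector:  # selector is optional; absent means every resource of the kind
        return True
    if any(labels.get(k) != v for k, v in selector.get("matchLabels", {}).items()):
        return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        ok = {"In": present and labels[key] in values,
              "NotIn": not (present and labels[key] in values),
              "Exists": present, "DoesNotExist": not present}[op]
        if not ok:
            return False
    return True

def claim_allowed(claim_namespace, resource, policies):
    """True if claim_namespace may claim `resource`; a same-namespace claim needs no policy.
    A cross-namespace claim needs a policy in the resource's namespace whose .spec.subject
    names its group/kind (and matches its labels) and whose .spec.consumingNamespaces
    lists the claiming namespace or "*"."""
    if claim_namespace == resource["namespace"]:
        return True
    for policy in policies:
        subject = policy["spec"]["subject"]
        if policy["metadata"]["namespace"] != resource["namespace"]:
            continue  # a policy only covers Service Resources in its own namespace
        if (subject["group"], subject["kind"]) != (resource["group"], resource["kind"]):
            continue
        if not selector_matches(subject.get("selector"), resource.get("labels", {})):
            continue
        consumers = policy["spec"].get("consumingNamespaces", [])
        if "*" in consumers or claim_namespace in consumers:
            return True
    return False

# Constructed sample objects modelled on the page's RabbitmqCluster example.
RMQ = {"group": "rabbitmq.com", "kind": "RabbitmqCluster",
       "namespace": "my-rmq-namespace", "labels": {"key": "value1"}}
RMQ_POLICY = {"metadata": {"namespace": "my-rmq-namespace"},
              "spec": {"consumingNamespaces": ["accounts"],
                       "subject": {"group": "rabbitmq.com", "kind": "RabbitmqCluster",
                                   "selector": {"matchExpressions": [
                                       {"key": "key", "operator": "In", "values": ["value1", "value2"]}]}}}}
```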

ClusterInstanceClass

ClusterInstanceClass represents a set of service instances and holds descriptive metadata about those instances.

The class provides a description of the types of service instances represented by this class (.spec.description) and also the traits that a resource needs in order to be part of the class (.spec.pool), for example its kind and the labels it carries.

---
apiVersion: services.apps.tanzu.vmware.com/v1alpha1
kind: ClusterInstanceClass
metadata:
  name: test
spec:
  description:
    short: test
  pool:
    kind: Secret
    labelSelector:
      matchLabels:
        service: "rds-postgres"
        claimable: "true"

InstanceQuery

InstanceQuery is a create-only API that, given a ClusterInstanceClass, returns the intersection of the set of instances represented by that class and the claimable service instances for the namespace of the InstanceQuery.

The InstanceQuery takes as input a ClusterInstanceClass through .spec.class and an optional limit on the number of instances returned through .spec.limit, which defaults to 50.

---
apiVersion: claimable.services.apps.tanzu.vmware.com/v1alpha1
kind: InstanceQuery
metadata:
  name: test
spec:
  class: my-db-class
  limit: 30
status:
  instances:
  - apiVersion: v1
    kind: Secret
    name: my-secret-two
    namespace: default
  - apiVersion: v1
    kind: Secret
    name: my-secret-ns-one
    namespace: one

Permissions (RBAC)

The ResourceClaim controller MUST have read access to the resources referenced in the ResourceClaim specification. As these resources are not known upfront, the appropriate RBAC must be set up on the cluster. To accomplish this, RBAC must be set up using Aggregated ClusterRoles carrying the servicebinding.io/controller: "true" label. For more information, see the Kubernetes documentation.

An example of a ClusterRole that allows RabbitmqCluster resources to be read by the ResourceClaim controller:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: resource-claims-rmq-role
  labels:
    servicebinding.io/controller: "true"
rules:
- apiGroups:
  - rabbitmq.com
  resources:
  - rabbitmqclusters
  verbs:
  - get
  - list
  - watch