See the documentation on installing the latest release of the Services Toolkit to get started.
The main purpose of ResourceClaim is to identify the concrete Kubernetes object within the cluster that satisfies the requirements stated in the claim. After the object is identified, the status condition ResourceMatched is set to true. If the referenced object adheres to the provisioned service duck type, its .status.binding.name is copied to the claim's .status.binding.name and the ResourceClaimed condition is set to true. The claim object itself is a provisioned service, so it can be used to define a service binding.
ResourceClaims are currently exclusive. A Service Resource can only have one successfully claimed ResourceClaim in the cluster.
apiVersion: services.apps.tanzu.vmware.com/v1alpha1
kind: ResourceClaim
metadata:
  name: rmq-claim
  namespace: accounts
spec:
  ref:
    apiVersion: rabbitmq.com/v1alpha1
    kind: RabbitmqCluster
    name: my-rmq
    namespace: my-rmq-namespace # optional (if claiming across namespaces)
status:
  binding:
    name: my-rmq-secret # copied from RabbitmqCluster/my-rmq
  conditions:
  - lastTransitionTime: "2019-10-22T16:29:25Z"
    status: "True"
    type: Ready
  - lastTransitionTime: "2019-10-22T16:29:24Z"
    status: "True"
    type: ResourceClaimed
  - lastTransitionTime: "2019-10-22T16:29:23Z"
    status: "True"
    type: ResourceMatched
ResourceClaims to work across namespaces.
The policy refers to two pieces of information:
The matching Service Resources must reside in the same namespace as the ResourceClaimPolicy and their type must also be specified in
Namespaces that are allowed to claim these service resources must have their namespace name in the .spec.consumingNamespaces array. A value of * allows claiming from all namespaces in this cluster.
apiVersion: services.apps.tanzu.vmware.com/v1alpha1
kind: ResourceClaimPolicy
metadata:
  name: rmq-policy
  namespace: my-rmq-namespace
spec:
  consumingNamespaces:
  - accounts # or "*" for all namespaces
  subject:
    group: rabbitmq.com
    kind: RabbitmqCluster
    selector: # optional
      matchLabels:
        "key": "value"
      matchExpressions:
      - key: "key"
        operator: In
        values: ["value1", "value2"]
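The policy rules described above can be modelled as a small check, which also makes it easy to review policies for over-broad exposure. This is an added example, not part of the original documentation and not the Services Toolkit controller's code. It assumes the selector sits under .spec.subject and follows standard Kubernetes label-selector semantics (so it also covers NotIn, Exists and DoesNotExist, which the page does not show); the function names and sample objects are constructed for illustration.

```python
# Added example, not Services Toolkit code: a model of the policy rules above.
# Assumes the selector lives under .spec.subject; all names are hypothetical.
def selector_matches(selector, labels):
    """Kubernetes-style label selector; an absent selector matches everything."""
    selector = selector or {}
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, values = expr["key"], expr.get("values", [])
        ok = {"In": labels.get(key) in values,
              "NotIn": labels.get(key) not in values,
              "Exists": key in labels,
              "DoesNotExist": key not in labels}[expr["operator"]]  # unknown op raises
        if not ok:
            return False
    return True

def policy_permits(policy, claim_namespace, resource):
    """True if `policy` lets a claim in `claim_namespace` reference `resource`."""
    spec, meta = policy["spec"], resource["metadata"]
    subject = spec["subject"]
    group = resource["apiVersion"].rpartition("/")[0]  # "" for the core group
    consumers = spec.get("consumingNamespaces", [])
    return (meta["namespace"] == policy["metadata"]["namespace"]  # same ns as policy
            and group == subject["group"] and resource["kind"] == subject["kind"]
            and ("*" in consumers or claim_namespace in consumers)
            and selector_matches(subject.get("selector"), meta.get("labels", {})))

def audit(policy):
    """Flag a policy that exposes its resources to the whole cluster."""
    spec, findings = policy["spec"], []
    if "*" in spec.get("consumingNamespaces", []):
        findings.append("consumingNamespaces has '*': every namespace may claim")
        if not spec["subject"].get("selector"):
            findings.append("no selector: all resources of this kind are exposed")
    return findings

# Constructed sample objects mirroring the manifests on this page.
POLICY = {"metadata": {"name": "rmq-policy", "namespace": "my-rmq-namespace"},
          "spec": {"consumingNamespaces": ["accounts"],
                   "subject": {"group": "rabbitmq.com", "kind": "RabbitmqCluster"}}}
RMQ = {"apiVersion": "rabbitmq.com/v1alpha1", "kind": "RabbitmqCluster",
       "metadata": {"name": "my-rmq", "namespace": "my-rmq-namespace",
                    "labels": {"tier": "prod"}}}

if __name__ == "__main__":
    print(policy_permits(POLICY, "accounts", RMQ), policy_permits(POLICY, "payments", RMQ))
    print(audit(POLICY))
```

Running audit over every ResourceClaimPolicy in a cluster gives a quick list of policies that combine the * wildcard with no selector, which is the widest exposure the policy format allows.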
ClusterInstanceClass represents a set of service instances and holds descriptive metadata about those instances.
The class provides a description of the types of service instances represented by this class (.spec.description) and also the traits that a resource needs to be part of the class (.spec.pool). For example, its kind and the labels it has.
---
apiVersion: services.apps.tanzu.vmware.com/v1alpha1
kind: ClusterInstanceClass
metadata:
  name: test
spec:
  description:
    short: test
  pool:
    kind: Secret
    labelSelector:
      matchLabels:
        service: "rds-postgres"
        claimable: "true"
InstanceQuery is a create-only API that, given a ClusterInstanceClass, returns the intersection of the set of instances represented by that class and the claimable service instances for the namespace of the
InstanceQuery takes an input of a .spec.class and an optional limit on the number of instances returned through .spec.limit. This defaults to
---
apiVersion: claimable.services.apps.tanzu.vmware.com/v1alpha1
kind: InstanceQuery
metadata:
  name: test
spec:
  class: my-db-class
  limit: 30
status:
  instances:
  - apiVersion: v1
    kind: Secret
    name: my-secret-two
    namespace: default
  - apiVersion: v1
    kind: Secret
    name: my-secret-ns-one
    namespace: one
The ResourceClaim controller MUST have read access to the Resources specified in the ResourceClaim specification. Because these resources are not known up front, the appropriate RBAC must be set up on the cluster. To accomplish this, RBAC must be set up using Aggregated ClusterRoles with the servicebinding.io/controller: "true" label. For more information, see the Kubernetes documentation.
An example of a ClusterRole that allows RabbitmqCluster resources to be read by the
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: resource-claims-rmq-role
  labels:
    servicebinding.io/controller: "true"
rules:
- apiGroups:
  - rabbitmq.com
  resources:
  - rabbitmqclusters
  verbs:
  - get
  - list
  - watch