Resource Claims

Install

See the documentation on installing the latest release of the Services Toolkit to get started.

Resources

ResourceClaim

The main purpose of ResourceClaim is to identify the concrete Kubernetes object within the cluster that satisfies the requirements stated in the claim.

After the object is identified, the status condition ResourceMatched is set to true. If the referenced object adheres to the provisioned service duck type, its .status.binding.name is copied to the ResourceClaim's .status.binding.name and the ResourceClaimed condition is set to true. The claim object itself is a provisioned service, so it can be used as the service in a ServiceBinding.

ResourceClaims are currently exclusive: a Service Resource can have only one successfully claimed ResourceClaim in the cluster.

To learn more about when to use ResourceClaim vs ClassClaim, see When to use ClassClaim vs ResourceClaim.

apiVersion: services.apps.tanzu.vmware.com/v1alpha1
kind: ResourceClaim
metadata:
  name: rmq-claim
  namespace: accounts
spec:
  ref:
    apiVersion: rabbitmq.com/v1alpha1
    kind: RabbitmqCluster
    name: my-rmq
    namespace: my-rmq-namespace # optional; claiming across namespaces also requires a ResourceClaimPolicy in that namespace
status:
  binding:
    name: my-rmq-secret # copied from RabbitmqCluster/my-rmq
  conditions:
    - lastTransitionTime: "2019-10-22T16:29:25Z"
      status: "True"
      type: Ready
    - lastTransitionTime: "2019-10-22T16:29:24Z"
      status: "True"
      type: ResourceClaimed
    - lastTransitionTime: "2019-10-22T16:29:23Z"
      status: "True"
      type: ResourceMatched

ResourceClaimPolicy

ResourceClaimPolicy enables ResourceClaims to work across namespaces.

The policy refers to two pieces of information:

  • Service Resources, such as RabbitmqClusters, that this policy applies to
  • The namespaces allowed to claim these resources

The matching Service Resources must reside in the same namespace as the ResourceClaimPolicy, and their API group and kind must match .spec.subject; an optional .spec.subject.selector narrows the match further by label.

Namespaces that are allowed to claim these Service Resources must be listed by name in the .spec.consumingNamespaces array. A value of * allows claiming from all namespaces in the cluster. Since the policy is what gates cross-namespace access to a Service Resource, list the consuming namespaces explicitly unless every namespace is meant to be able to claim it.

apiVersion: services.apps.tanzu.vmware.com/v1alpha1
kind: ResourceClaimPolicy
metadata:
  name: rmq-policy
  namespace: my-rmq-namespace
spec:
  consumingNamespaces:
  - accounts # or "*" for all namespaces
  subject:
    group: rabbitmq.com
    kind: RabbitmqCluster
    selector: # optional
      matchLabels:
        "key": "value"
      matchExpressions:
      - key: "key"
        operator: In
        values: ["value1", "value2"]

ClassClaim

The main purpose of ClassClaim is to express the need to access a provisioned service for a given ClusterInstanceClass.

After the target ClusterInstanceClass is identified, the status condition ClassMatched is set to true. If there is an unclaimed instance of that class that can be claimed from the ClassClaim's namespace, the status condition ResourceMatched is set to true. If that instance adheres to the provisioned service duck type, its .status.binding.name is copied to the ClassClaim's .status.binding.name and the ResourceClaimed condition is set to true. The claim object itself is a provisioned service, so it can be used to define a ServiceBinding.

ClassClaims are currently exclusive with regard to the Service Resource they claim. In other words, many ClassClaims can claim from the same ClusterInstanceClass, but no two of them can end up claiming the same Service Resource. The spec field classRef is also immutable: it can only be set at creation time of the ClassClaim.

To learn more about when to use ResourceClaim vs ClassClaim, see When to use ClassClaim vs ResourceClaim.

apiVersion: services.apps.tanzu.vmware.com/v1alpha1
kind: ClassClaim
metadata:
  name: rmq-claim
  namespace: accounts
spec:
  classRef: # can only be set at creation time
    name: rmq-class
status:
  binding:
    name: my-rmq-secret # copied from a RabbitmqCluster of the class
  conditions:
    - lastTransitionTime: "2019-10-22T16:29:22Z"
      status: "True"
      type: ClassMatched
    - lastTransitionTime: "2019-10-22T16:29:25Z"
      status: "True"
      type: Ready
    - lastTransitionTime: "2019-10-22T16:29:24Z"
      status: "True"
      type: ResourceClaimed
    - lastTransitionTime: "2019-10-22T16:29:23Z"
      status: "True"
      type: ResourceMatched

ClusterInstanceClass

ClusterInstanceClass represents a set of service instances. It holds metadata that describes which service instances belong to this class.

The ClusterInstanceClass provides a description of the service instances represented by this class (.spec.description) and the traits a resource must have to be a member of the class (.spec.pool): its API group and kind and, optionally, a label selector that the resource's labels must satisfy.

---
apiVersion: services.apps.tanzu.vmware.com/v1alpha1
kind: ClusterInstanceClass
metadata:
  name: test
spec:
  description:
    short: test
  pool:
    group: "" # optional field if the group is ""
    kind: Secret
    labelSelector: # optional
      matchLabels:
        service: "rds-postgres"
        claimable: "true"

InstanceQuery

InstanceQuery is a create-only API that, given a ClusterInstanceClass, returns the intersection of the set of service instances represented by that class and the claimable service instances for the namespace of the InstanceQuery.

The InstanceQuery takes a ClusterInstanceClass as input through .spec.class and an optional cap on the number of instances returned through .spec.limit, which defaults to 50.

---
apiVersion: claimable.services.apps.tanzu.vmware.com/v1alpha1
kind: InstanceQuery
metadata:
  name: test
spec:
  class: my-db-class
  limit: 30
status:
  instances:
  - apiVersion: v1
    kind: Secret
    name: my-secret-two
    namespace: default
  - apiVersion: v1
    kind: Secret
    name: my-secret-ns-one
    namespace: one
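The matching rules from the ResourceClaimPolicy, ClusterInstanceClass and InstanceQuery sections above, worked through in one runnable model. This is an added illustration written for this page, not the Services Toolkit controller's code: the function names, the dict shapes, and the sample Secrets, policies and class are all constructed here, and the label-selector semantics are the standard Kubernetes ones. The sample is arranged so that an InstanceQuery from the default namespace returns the same two Secrets as the status example above.

```python
"""Model of how the claim objects on this page fit together.

Illustrative code written for this page, not the Services Toolkit controller.
It models, from the page's descriptions: the label selector shared by
ResourceClaimPolicy .spec.subject.selector and ClusterInstanceClass
.spec.pool.labelSelector; which resources a namespace may claim (its own, or
another namespace's when a ResourceClaimPolicy there lists it or "*"); an
InstanceQuery (claimable class members, capped at .spec.limit, default 50);
and ClassClaim exclusivity (already-claimed instances are skipped). Objects are
dicts shaped like the page's YAML; the samples at the bottom are constructed.
"""

DEFAULT_LIMIT = 50

def selector_matches(selector, labels):
    """Kubernetes label selector: all matchLabels and all matchExpressions must
    hold (In/NotIn/Exists/DoesNotExist). No selector matches everything."""
    if not selector:
        return True
    for key, value in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions") or []:
        key, op, values = expr["key"], expr["operator"], expr.get("values") or []
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True

def group_of(api_version):
    """'rabbitmq.com/v1alpha1' -> 'rabbitmq.com'; the core group 'v1' -> ''."""
    return api_version.split("/")[0] if "/" in api_version else ""

def policy_covers(policy, resource):
    """A policy covers only same-namespace resources matching .spec.subject."""
    subject, meta = policy["spec"]["subject"], resource["metadata"]
    return (policy["metadata"]["namespace"] == meta["namespace"]
            and subject["group"] == group_of(resource["apiVersion"])
            and subject["kind"] == resource["kind"]
            and selector_matches(subject.get("selector"), meta.get("labels", {})))

def claimable_from(namespace, resource, policies):
    """Own-namespace resources need no policy; cross-namespace claims need a
    covering policy whose consumingNamespaces names `namespace` or '*'."""
    if resource["metadata"]["namespace"] == namespace:
        return True
    return any(policy_covers(p, resource)
               and {namespace, "*"} & set(p["spec"]["consumingNamespaces"])
               for p in policies)

def in_class(cls, resource):
    """ClusterInstanceClass membership: .spec.pool group/kind plus labelSelector."""
    pool = cls["spec"]["pool"]
    return (pool.get("group", "") == group_of(resource["apiVersion"])
            and pool["kind"] == resource["kind"]
            and selector_matches(pool.get("labelSelector"),
                                 resource["metadata"].get("labels", {})))

def instance_query(namespace, cls, resources, policies, limit=DEFAULT_LIMIT):
    """InstanceQuery from `namespace`: claimable class members as object refs
    shaped like the page's .status.instances, at most `limit` of them."""
    hits = [r for r in resources
            if in_class(cls, r) and claimable_from(namespace, r, policies)]
    return [{"apiVersion": r["apiVersion"], "kind": r["kind"],
             "name": r["metadata"]["name"], "namespace": r["metadata"]["namespace"]}
            for r in hits[:limit]]

def pick_for_class_claim(namespace, cls, resources, policies, already_claimed):
    """First claimable member not in `already_claimed`, a set of
    (kind, namespace, name) tuples (an assumption of this model). None when all are taken."""
    for ref in instance_query(namespace, cls, resources, policies):
        if (ref["kind"], ref["namespace"], ref["name"]) not in already_claimed:
            return ref
    return None

def _secret(namespace, name, labels):
    return {"apiVersion": "v1", "kind": "Secret",
            "metadata": {"name": name, "namespace": namespace, "labels": labels}}

# Constructed sample cluster state for the example.
POOL_LABELS = {"service": "rds-postgres", "claimable": "true"}
SAMPLE_RESOURCES = [
    _secret("default", "my-secret-two", POOL_LABELS),
    _secret("one", "my-secret-ns-one", POOL_LABELS),
    _secret("two", "my-secret-ns-two", POOL_LABELS),
    _secret("one", "not-in-pool", {"service": "rds-postgres"}),  # no claimable=true
]
SAMPLE_POLICIES = [  # only namespace "one" lets "default" claim across namespaces
    {"metadata": {"name": "pg-policy", "namespace": "one"},
     "spec": {"consumingNamespaces": ["default"], "subject": {"group": "", "kind": "Secret"}}},
    {"metadata": {"name": "pg-policy", "namespace": "two"},
     "spec": {"consumingNamespaces": ["other"], "subject": {"group": "", "kind": "Secret"}}},
]
SAMPLE_CLASS = {"metadata": {"name": "test"},
                "spec": {"pool": {"group": "", "kind": "Secret",
                                  "labelSelector": {"matchLabels": POOL_LABELS}}}}
```

Calling instance_query("default", SAMPLE_CLASS, SAMPLE_RESOURCES, SAMPLE_POLICIES) yields my-secret-two (same namespace, no policy needed) and my-secret-ns-one (the policy in namespace one lists default); my-secret-ns-two is excluded because the policy in namespace two only lists other, and not-in-pool fails the class's label selector. Swapping a consumingNamespaces entry for "*" is the quickest way to see how much a wildcard policy opens up.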

Permissions (RBAC)

The ResourceClaim controller MUST have read access to the resources referenced by a ResourceClaim. Because these resource types are not known up front, the required RBAC must be set up on the cluster using aggregated ClusterRoles that carry the servicebinding.io/controller: "true" label. Every ClusterRole with that label is unioned into the controller's ClusterRole, cluster-wide, so grant only the read verbs (get, list, watch) on the specific resource types that will be claimed, and treat the ability to create labelled ClusterRoles as a privileged operation. For more information, see the Kubernetes documentation on aggregated ClusterRoles.

An example of a ClusterRole that allows RabbitmqCluster resources to be read by the ResourceClaim controller:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: resource-claims-rmq-role
  labels:
    servicebinding.io/controller: "true"
rules:
- apiGroups:
  - rabbitmq.com
  resources:
  - rabbitmqclusters
  verbs:
  - get
  - list
  - watch
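An added check for the aggregation described above, written for this page rather than taken from the Services Toolkit. It assumes its input is the items array of kubectl get clusterroles -l servicebinding.io/controller=true -o json (the sample ClusterRoles below are constructed), and what it flags (non-read verbs, wildcards, core Secrets) is this example's own choice of thresholds, not anything the Services Toolkit enforces.

```python
"""Audit what the servicebinding.io/controller aggregation grants.

Added example for this page, not Services Toolkit code. Kubernetes ClusterRole
aggregation unions the rules of every ClusterRole carrying the label selected
by the controller's aggregationRule, so each ClusterRole labelled
servicebinding.io/controller: "true" widens what the controller can do,
cluster-wide. Given the `items` of
    kubectl get clusterroles -l servicebinding.io/controller=true -o json
this lists the aggregated rules and flags anything beyond read-only access to
specific types: non-read verbs, wildcards, or core Secrets (expected only if a
ClusterInstanceClass pools Secrets, as the page's example class does).
The ClusterRoles at the bottom are constructed for the example.
"""

AGGREGATION_LABEL = "servicebinding.io/controller"
READ_ONLY = {"get", "list", "watch"}


def aggregated_rules(cluster_roles):
    """(role name, PolicyRule) pairs from every ClusterRole whose label is "true"."""
    return [(role["metadata"]["name"], rule)
            for role in cluster_roles
            if role["metadata"].get("labels", {}).get(AGGREGATION_LABEL) == "true"
            for rule in role.get("rules", [])]


def rule_findings(role_name, rule):
    """Findings for one PolicyRule; empty when it is read-only on named types."""
    verbs = set(rule.get("verbs", []))
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    findings = []
    extra = verbs - READ_ONLY  # "*" is not read-only either
    if extra:
        findings.append(f"{role_name}: non-read verbs {sorted(extra)} on {sorted(resources)}")
    if "*" in groups or "*" in resources:
        findings.append(f"{role_name}: wildcard apiGroups/resources covers every type")
    if "" in groups and "secrets" in resources:
        findings.append(f"{role_name}: cluster-wide read of core Secrets; "
                        "justified only by a ClusterInstanceClass that pools Secrets")
    return findings


def audit(cluster_roles):
    """Return (aggregated rules, findings) for the given ClusterRole objects."""
    rules = aggregated_rules(cluster_roles)
    findings = [f for name, rule in rules for f in rule_findings(name, rule)]
    return rules, findings


# Constructed sample: the page's rmq role, an over-broad labelled role, and an
# unlabelled role that the aggregation ignores.
SAMPLE_CLUSTER_ROLES = [
    {"metadata": {"name": "resource-claims-rmq-role", "labels": {AGGREGATION_LABEL: "true"}},
     "rules": [{"apiGroups": ["rabbitmq.com"], "resources": ["rabbitmqclusters"],
                "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "too-broad", "labels": {AGGREGATION_LABEL: "true"}},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "unrelated"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]},
]

if __name__ == "__main__":
    rules, findings = audit(SAMPLE_CLUSTER_ROLES)
    for name, rule in rules:
        print(name, rule)
    for finding in findings:
        print("FINDING:", finding)
```

On the sample, only the two labelled roles are aggregated; the page's rmq role produces no findings, while too-broad is flagged twice (wildcard verbs and wildcard types). The unlabelled role is ignored, which is the point: the label, not the role's name or location, is what hands its rules to the controller.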