Why Service Bindings
Kubernetes-wide specification for communicating service secrets to workloads in an automated way.
Concept adopted from Cloud Foundry and Heroku
Allows developers to focus on business value and not utility code
expects secrets to be exposed consistently and predictably
# Developer
As a Developer I need a cloud-agnostic way to consume credentials
```
$SERVICE_BINDING_ROOT
├── account-database
│   ├── type
│   ├── provider
│   ├── uri
│   ├── username
│   └── password
└── transaction-event-stream
    ├── type
    ├── connection-count
    ├── uri
    ├── certificates
    └── private-key
```
# Developer
```java
import com.nebhale.bindings.Binding;
import com.nebhale.bindings.Bindings;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

public class Application {

    public static void main(String[] args) {
        // Read every binding directory below $SERVICE_BINDING_ROOT
        Binding[] bindings = Bindings.fromServiceBindingRoot();
        // Keep only the bindings whose "type" entry is "postgresql"
        bindings = Bindings.filter(bindings, "postgresql");
        if (bindings.length != 1) {
            System.err.printf("Incorrect number of PostgreSQL drivers: %d\n", bindings.length);
            System.exit(1);
        }

        // Each entry is a file in the binding directory, looked up by its name
        String url = bindings[0].get("url");
        if (url == null) {
            System.err.println("No URL in binding");
            System.exit(1);
        }

        Connection conn;
        try {
            conn = DriverManager.getConnection(url);
        } catch (SQLException e) {
            System.err.printf("Unable to connect to database: %s", e);
            System.exit(1);
        }

        // ...
    }

}
```
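The directory layout above and the Java snippet both rely on the same small algorithm: every subdirectory of `$SERVICE_BINDING_ROOT` is a binding, every regular file in it is an entry named after the file, and the `type` entry is what you filter on. The following Go program is an added example written for this page, not the specification's own client library and not the `com.nebhale.bindings` code shown above. It implements that loader, skipping the dot-prefixed `..data` bookkeeping entries that a Kubernetes Secret volume mount adds beside the real keys, and it treats a binding without a `type` entry as an error (an assumption of this example; the Java library's behaviour on that case is not shown on the page).

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Binding is one directory below $SERVICE_BINDING_ROOT: every regular file in
// it is an entry, keyed by file name, whose value is the file's contents.
type Binding struct {
	Name    string
	Entries map[string]string
}

// Type returns the mandatory "type" entry; Provider the optional "provider" one.
func (b Binding) Type() string     { return b.Entries["type"] }
func (b Binding) Provider() string { return b.Entries["provider"] }

// LoadBindings reads every binding directory below root. Names starting with
// "." are skipped: a Kubernetes Secret volume adds "..data" and "..<timestamp>"
// bookkeeping entries next to the projected keys, and those are not bindings.
func LoadBindings(root string) ([]Binding, error) {
	dirs, err := os.ReadDir(root)
	if err != nil {
		return nil, fmt.Errorf("reading %s: %w", root, err)
	}
	var bindings []Binding
	for _, d := range dirs {
		if strings.HasPrefix(d.Name(), ".") {
			continue
		}
		dir := filepath.Join(root, d.Name())
		info, err := os.Stat(dir) // follows symlinks, which is how projected volume entries appear
		if err != nil || !info.IsDir() {
			continue
		}
		b := Binding{Name: d.Name(), Entries: map[string]string{}}
		files, err := os.ReadDir(dir)
		if err != nil {
			return nil, err
		}
		for _, f := range files {
			if strings.HasPrefix(f.Name(), ".") {
				continue
			}
			path := filepath.Join(dir, f.Name())
			if fi, err := os.Stat(path); err != nil || fi.IsDir() {
				continue
			}
			data, err := os.ReadFile(path)
			if err != nil {
				return nil, err
			}
			// Values are used verbatim: a trailing newline written by the
			// provider becomes part of the credential, so providers must not add one.
			b.Entries[f.Name()] = string(data)
		}
		if b.Type() == "" {
			return nil, fmt.Errorf("binding %q has no type entry", d.Name())
		}
		bindings = append(bindings, b)
	}
	return bindings, nil
}

// FilterByType keeps the bindings whose type entry equals typ, the
// counterpart of Bindings.filter(bindings, "postgresql") in the Java example.
func FilterByType(bindings []Binding, typ string) []Binding {
	var out []Binding
	for _, b := range bindings {
		if b.Type() == typ {
			out = append(out, b)
		}
	}
	return out
}

// FromServiceBindingRoot resolves the root from the environment variable,
// the counterpart of Bindings.fromServiceBindingRoot().
func FromServiceBindingRoot() ([]Binding, error) {
	root := os.Getenv("SERVICE_BINDING_ROOT")
	if root == "" {
		return nil, fmt.Errorf("SERVICE_BINDING_ROOT is not set")
	}
	return LoadBindings(root)
}

func main() {
	bindings, err := FromServiceBindingRoot()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, b := range FilterByType(bindings, "postgresql") {
		names := make([]string, 0, len(b.Entries)) // log entry names only, never the values
		for k := range b.Entries {
			names = append(names, k)
		}
		fmt.Printf("%s (provider=%s): entries %v\n", b.Name, b.Provider(), names)
	}
}
```

Run it with `SERVICE_BINDING_ROOT` pointing at a directory laid out like the tree above. Reading the files at startup rather than once per request is deliberate: rotated secrets are re-projected by the kubelet, but the process only sees new values when it reads the files again, so a workload that needs rotation without restart has to re-read on reconnect.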
# Developer
expects secrets to be collected consistently and predictably
```yaml
apiVersion: example.dev/v1beta1
kind: Database
metadata:
  name: database-service
...
status:
  binding:
    name: production-db-secret
```
# Service Provider
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: production-db-secret
stringData:
  type: mysql
  provider: bitnami
  host: localhost
  port: 3306
  username: root
  password: root
```
# Service Provider
Well-Known Secret Entries
Apart from the special `type` and `provider` entries in the Secret data, there are a few special names called well-known entries.
| Name | Requirements |
|---|---|
| host | A DNS-resolvable host name or IP address |
| port | A valid port number |
| uri | A valid URI as defined by RFC3986 |
| username | A string-based username credential |
| password | A string-based password credential |
| certificates | A collection of PEM-encoded X.509 certificates, representing a certificate chain used in mTLS client authentication |
| private-key | A PEM-encoded private key used in mTLS client authentication |
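A service provider can check the Secret it publishes against this table before setting `status.binding.name`, and a workload can apply the same checks before trusting a binding. The Go program below is an added example for this page, not part of the specification or of any provider; `ValidateWellKnown` returns one message per violated requirement, and `demoClientMaterial` generates a throwaway self-signed certificate and key (constructed here only so the example runs offline; a real binding carries material issued for the service). The RFC 1123 host-name pattern and the accepted private-key encodings (PKCS#8, PKCS#1 and SEC 1 PEM blocks) are this example's choices; the table itself does not pin them down.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"regexp"
	"strconv"
	"time"
)

// hostnameRE encodes the RFC 1123 label rules: letters, digits and interior hyphens.
var hostnameRE = regexp.MustCompile(`^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\.?$`)

func isHostname(h string) bool { return len(h) <= 254 && hostnameRE.MatchString(h) }

// ValidateWellKnown checks the entries of one binding against the well-known
// entry requirements and returns one message per violation (empty means valid).
func ValidateWellKnown(entries map[string]string) []string {
	var problems []string
	if v, ok := entries["host"]; ok && net.ParseIP(v) == nil && !isHostname(v) {
		problems = append(problems, "host: not a DNS host name or IP address")
	}
	if v, ok := entries["port"]; ok {
		if n, err := strconv.Atoi(v); err != nil || n < 1 || n > 65535 {
			problems = append(problems, "port: not a valid port number")
		}
	}
	if v, ok := entries["uri"]; ok {
		if u, err := url.Parse(v); err != nil || u.Scheme == "" {
			problems = append(problems, "uri: not an absolute RFC 3986 URI")
		}
	}
	if v, ok := entries["certificates"]; ok && countCertificates([]byte(v)) == 0 {
		problems = append(problems, "certificates: no parsable PEM-encoded X.509 certificate")
	}
	if v, ok := entries["private-key"]; ok && !isPrivateKey([]byte(v)) {
		problems = append(problems, "private-key: not a PEM-encoded private key")
	}
	return problems
}

// countCertificates walks every PEM block and counts those that parse as X.509.
func countCertificates(data []byte) int {
	n := 0
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if _, err := x509.ParseCertificate(block.Bytes); block.Type == "CERTIFICATE" && err == nil {
			n++
		}
	}
	return n
}

// isPrivateKey accepts PKCS#8, PKCS#1 (RSA) and SEC 1 (EC) PEM encodings.
func isPrivateKey(data []byte) bool {
	block, _ := pem.Decode(data)
	if block == nil {
		return false
	}
	var err error
	switch block.Type {
	case "PRIVATE KEY":
		_, err = x509.ParsePKCS8PrivateKey(block.Bytes)
	case "RSA PRIVATE KEY":
		_, err = x509.ParsePKCS1PrivateKey(block.Bytes)
	case "EC PRIVATE KEY":
		_, err = x509.ParseECPrivateKey(block.Bytes)
	default:
		return false
	}
	return err == nil
}

// demoClientMaterial builds a constructed self-signed client certificate and key.
func demoClientMaterial() (certPEM, keyPEM string, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "online-banking"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", "", err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return "", "", err
	}
	certPEM = string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
	keyPEM = string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}))
	return certPEM, keyPEM, nil
}

func main() {
	certPEM, keyPEM, err := demoClientMaterial()
	if err != nil {
		panic(err)
	}
	// Constructed sample modelled on the transaction-event-stream binding, with one bad port.
	entries := map[string]string{"type": "kafka", "host": "broker.example.internal", "port": "99999",
		"uri": "kafka://broker.example.internal:9092", "certificates": certPEM, "private-key": keyPEM}
	for _, p := range ValidateWellKnown(entries) {
		fmt.Println("violation:", p)
	}
}
```

The validator deliberately reports only which requirement failed, never the offending value: these entries are credentials, and a validation log that echoes a password or private key is itself a leak.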
# Service Provider
expects secrets to be transferred from services to workloads consistently and predictably
Application operators bind application workloads with services by creating ServiceBinding resources.
```yaml
apiVersion: servicebinding.io/v1beta1
kind: ServiceBinding
metadata:
  name: account-service
spec:
  service:
    apiVersion: com.example/v1alpha1
    kind: AccountService
    name: prod-account-service
  workload:
    apiVersion: apps/v1
    kind: Deployment
    name: online-banking
```
# Application Operator
```yaml
apiVersion: servicebinding.io/v1beta1
kind: ServiceBinding
metadata:
  name: online-banking-frontend-to-account-service
spec:
  name: account-service
  service:
    apiVersion: com.example/v1alpha1
    kind: AccountService
    name: prod-account-service
  workload:
    apiVersion: apps/v1
    kind: Deployment
    selector:
      matchLabels:
        app.kubernetes.io/part-of: online-banking
        app.kubernetes.io/component: frontend
```
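The two ServiceBindings above tie the three personas together: the service provider publishes a Secret name in `status.binding.name`, the application operator names a service and a workload (by name or by label selector), and the workload finds the Secret's keys under `$SERVICE_BINDING_ROOT/<binding name>`, where the directory name is `spec.name` when given and `metadata.name` otherwise. The Go program below is an added example for this page that models that projection with small stand-in structs; it is not the specification's reference implementation or any real controller, which works with the Kubernetes API types. The `/bindings` default root, the read-only mount and the `binding-` volume-name prefix are this example's assumptions, and the secret name `prod-account-service-binding` is a constructed sample value.

```go
package main

import "fmt"

// Stand-ins for the Kubernetes objects, carrying only the fields the projection touches.
type ServiceBinding struct {
	Name         string            // metadata.name
	BindingName  string            // spec.name: optional override of the directory name
	ServiceRef   string            // spec.service as "Kind/name"
	WorkloadName string            // spec.workload.name (used when Selector is nil)
	Selector     map[string]string // spec.workload.selector.matchLabels
}

type Service struct {
	Ref           string // "Kind/name"
	BindingSecret string // status.binding.name, published by the service provider
}

type Volume struct{ Name, SecretName string }

type Mount struct {
	Volume, MountPath string
	ReadOnly          bool
}

type Workload struct {
	Name    string
	Labels  map[string]string
	Env     map[string]string
	Volumes []Volume
	Mounts  []Mount
}

// defaultRoot is this model's choice when the workload does not define
// SERVICE_BINDING_ROOT itself (assumption: the page fixes no default path).
const defaultRoot = "/bindings"

// Project binds sb to every matching workload: the Secret named by the
// service's status.binding.name is mounted read-only at
// $SERVICE_BINDING_ROOT/<binding name>, and SERVICE_BINDING_ROOT is set
// when the workload does not already define it. It returns the bound workload names.
func Project(sb ServiceBinding, services []Service, workloads []*Workload) ([]string, error) {
	secret := ""
	for _, s := range services {
		if s.Ref == sb.ServiceRef {
			secret = s.BindingSecret
		}
	}
	if secret == "" {
		return nil, fmt.Errorf("%s has not published status.binding.name yet", sb.ServiceRef)
	}
	dirName := sb.BindingName
	if dirName == "" {
		dirName = sb.Name
	}
	var bound []string
	for _, w := range workloads {
		if !matches(sb, w) {
			continue
		}
		if w.Env == nil {
			w.Env = map[string]string{}
		}
		root, ok := w.Env["SERVICE_BINDING_ROOT"]
		if !ok {
			root = defaultRoot
			w.Env["SERVICE_BINDING_ROOT"] = root
		}
		vol := "binding-" + dirName
		w.Volumes = append(w.Volumes, Volume{Name: vol, SecretName: secret})
		w.Mounts = append(w.Mounts, Mount{Volume: vol, MountPath: root + "/" + dirName, ReadOnly: true})
		bound = append(bound, w.Name)
	}
	return bound, nil
}

// matches selects by name when no selector is given; otherwise every label in
// matchLabels must be present on the workload with the same value.
func matches(sb ServiceBinding, w *Workload) bool {
	if sb.Selector == nil {
		return w.Name == sb.WorkloadName
	}
	for k, v := range sb.Selector {
		if w.Labels[k] != v {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample objects modelled on the second ServiceBinding above.
	services := []Service{{Ref: "AccountService/prod-account-service", BindingSecret: "prod-account-service-binding"}}
	frontend := &Workload{Name: "online-banking-frontend", Labels: map[string]string{
		"app.kubernetes.io/part-of": "online-banking", "app.kubernetes.io/component": "frontend"}}
	sb := ServiceBinding{Name: "online-banking-frontend-to-account-service", BindingName: "account-service",
		ServiceRef: "AccountService/prod-account-service",
		Selector:   map[string]string{"app.kubernetes.io/part-of": "online-banking", "app.kubernetes.io/component": "frontend"}}
	bound, err := Project(sb, services, []*Workload{frontend})
	fmt.Println(bound, err, frontend.Mounts, frontend.Env)
}
```

Two properties of the model matter operationally: a workload that sets its own `SERVICE_BINDING_ROOT` keeps it, so the binding directory follows the application's expectation rather than the controller's; and a binding against a service that has not yet published `status.binding.name` is an error rather than an empty mount, so a missing credential is visible at binding time instead of at first connection.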
# Application Operator
Crossplane
ServiceBinding
Specification
Tanzu Application Platform
Further Info
https://slack.crossplane.io/