Skip to content

Latest commit

 

History

History
371 lines (292 loc) · 17.5 KB

custom_resources.adoc

File metadata and controls

371 lines (292 loc) · 17.5 KB

RHOAS Operator Custom Resources

The OpenShift Application Sercvices (RHOAS) Operator manages the following types of Custom Resources (CRs):

  • CloudServicesRequest

  • KafkaConnection

  • CloudServiceAccountRequest

All CRs are namespace-scoped and include Operator-managed conditions. Each CR is described in the sections that follow.

CloudServicesRequest

The CloudServicesRequest CR is used to get a list of available services. The controller for the CR updates the CR with services that are available to the provided access token. These services are listed under the status subresource. For example, the ID of an available Kafka service is used by the KafkaConnection CR.

Example

An example of the CloudServicesRequest CR is shown below.

example.yaml
## Namespaced
apiVersion: rhoas.redhat.com/v1alpha1
kind: CloudServicesRequest
metadata:
  name: namespace-name-kafkas
  namespace: rhoas-operator-testing
  labels:
    app.kubernetes.io/component: external-service
    app.kubernetes.io/managed-by: rhoas
spec:
  accessTokenSecretName: rh-cloud-services-api-accesstoken # see `AcccesTokenSecretValid Condition`
# status:
  ## conditions:
  ## - lastTransitionTime: "2021-03-04T00:41:25.745120Z"
  ##   message: ""
  ##   reason: ""
  ##   status: "True"
  ##   type: AcccesTokenSecretValid
  ##- lastTransitionTime: "2021-03-04T00:41:25.745179Z"
  ##  message: ""
  ##  reason: ""
  ##  status: "True"
  ##  type: Finished
  ##- lastTransitionTime: "2021-03-04T00:41:25.745209Z"
  ##  message: ""
  ##  reason: ""
  ##  status: "True"
  ##  type: UserKafkasUpToDate
  ##lastUpdate: "2021-03-03T22:11:57.691906Z"
  ##userKafkas:
  ##- bootstrapServerHost: example.com
  ##  createdAt: "2021-02-25T10:01:40.888639Z"
  ##  id: 484udj72378YIsdfsdI8378
  ##  name: test-kafka
  ##  owner: elephant_rose
  ##  provider: aws
  ##  region: us-east-1
  ##  status: ready
  ##  updatedAt: "2021-02-25T10:06:03.417238Z"

Specification details

Fields and subresources in the CloudServicesRequest CR are described below.

spec

accessTokenSecretName

Name of the secret that contains an offline access token. The Operator uses this offline token to request a live access token from an authentication service. The live access token, in turn, authenticates with the Cloud Services API. The status field for the AcccesTokenSecretValid condition indicates whether the token was available and successfully exchanged with the authentication service. For more information, see AcccesTokenSecretValid condition.

spec.status

The status subresource has the following properties:

lastUpdate

Last update of the status object, in ISO format

userKafkas

List of available Kafka services

spec.status.userKafkas

The userKafkas status field is a list of userKafka objects. These objects have the following properties:

id

ID field used to reference the service. For more information, see KafkaConnection.

bootstrapServerHost

URL for the service instance

name

Human-readable name for the service instance

provider

Cloud provider that is hosting the service

region

Geographic region in which the service is hosted

owner

Human or organization that owns the service instance

updatedAt

ISO-formatted date that shows when the service instance was updated

createdAt

ISO-formatted date that shows when the service instance was created

status

Human or machine-readable status for the service instance

spec.status.conditions

UserKafkasUpToDate

If the value of the status field is True, then the userKafkas property is up to date, as of lastTransitionTime.

Finished

Indicates whether the Operator has successfully finished processing the CR. For more information, see Finished condition.

AcccesTokenSecretValid

Indicates whether the token specified as a value for the accessTokenSecretName field was available and successfully exchanged with the authentication service. For more information, see AcccesTokenSecretValid condition.

KafkaConnection

The KafkaConnection CR represents a binding between a service account and a managed Kafka instance. The Operator references the service account name using both of these values:

  • The value of the serviceAccountSecretName field provided by the CloudServiceAccountRequest CR

  • The value of the kafkaId property for a userKafka instance provided by the CloudServicesRequest CR

Example

An example of the KafkaConnection CR is shown below.

example.yaml
apiVersion: rhoas.redhat.com/v1alpha1
kind: KafkaConnection
metadata:
  name: test-connection
  namespace: rhoas-operator
spec:
  accessTokenSecretName: rh-managed-services-api-accesstoken
  kafkaId: "valid-kafka-id"
  credentials:
    serviceAccountSecretName: service-account-secret
#status:
#  bootstrapServerHost: kafka.example.com:443
#  conditions:
#  - lastTransitionTime: "2021-03-05T02:02:34.828265Z"
#    message: ""
#    reason: ""
#    status: "True"
#    type: AcccesTokenSecretValid
#  - lastTransitionTime: "2021-03-05T02:02:34.828304Z"
#    message: ""
#    reason: ""
#    status: "True"
#    type: FoundKafkaById
#  - lastTransitionTime: "2021-03-05T02:02:34.828329Z"
#    message: ""
#    reason: ""
#    status: "True"
#    type: Finished
#  message: Created
#  saslMechanism: PLAIN
#  securityProtocol: SASL_SSL
#  serviceAccountSecretName: service-account-credentials
#  uiRef: https://console.redhat.com/beta/application-services/openshift-streams/kafkas/valid-kafka-id

Specification details

Fields and subresources in the ` KafkaConnection` CR are described below.

spec

kafkaId

ID of the Kafka instance. For more information, see status.userKafkas in the CloudServicesRequest CR.

credentials

Credentials object to be used when accessing the kafkaId instance. For more information, see the CloudServicesRequest CR.

accessTokenSecretName

Name of the secret that contains an offline access token. The Operator uses this offline token to request a live access token from an authentication service. The live access token, in turn, authenticates with the Cloud Services API. The status field for the AcccesTokenSecretValid condition indicates whether the token was available and successfully exchanged with the authentication service. For more information, see AcccesTokenSecretValid condition.

spec.credentials

serviceAccountSecretName

Name of the secret that contains service account credentials

spec.status

bootstrapServerHost

URL for the bootstrap server of the Kafka instance

uiRef

URL for the UI of the Kafka instance

serviceAccountSecretName

Name of the secret that contains the service account credentials used to connect to the Kafka instance

saslMechanism

Security mechanism used to connect to the Kafka instance. The default value is PLAIN.

securityProtocol

Security protocol used to connect to the Kafka instance. The default value is SSL.

spec.status.conditions

FoundKafkaById

If value is True, then the value of the kafkaId field matches a Kafka instance ID.

Finished

Indicates whether the Operator has successfully finished processing the CR. For more information, see Finished condition.

AcccesTokenSecretValid

Indicates whether the token specified as a value for the accessTokenSecretName field was available and successfully exchanged with the authentication service. For more information, see AcccesTokenSecretValid condition.

ServiceRegistryConnection

The ServiceRegistryConnection CR represents a binding between a service account and a managed Service Registry instance. The Operator references the service account name using both of these values:

  • The value of the serviceAccountSecretName field provided by the CloudServiceAccountRequest CR

  • The value of the serviceRegistryId property for a serviceRegistries instance provided by the CloudServicesRequest CR

Example

An example of the ServiceRegistryConnection CR is shown below.

example.yaml
apiVersion: rhoas.redhat.com/v1alpha1
kind: ServiceRegistryConnection
metadata:
  name: test-connection
  namespace: rhoas-operator
spec:
  accessTokenSecretName: rh-managed-services-api-accesstoken
  serviceRegistryId: "valid-service-regsitry-id"
  credentials:
    serviceAccountSecretName: service-account-secret
#status:
#  conditions:
#  - lastTransitionGeneration: 1
#    lastTransitionTime: "2021-12-09T16:42:34.874951655Z"
#    message: ""
#    reason: ""
#    status: "True"
#    type: AcccesTokenSecretValid
#  - lastTransitionGeneration: 1
#    lastTransitionTime: "2021-12-09T16:42:34.874971145Z"
#    message: ""
#    reason: ""
#    status: "True"
#    type: FoundServiceRegistryById
#  - lastTransitionGeneration: 1
#    lastTransitionTime: "2021-12-09T16:42:34.874980304Z"
#    message: ""
#    reason: ""
#    status: "True"
#    type: Finished
#  message: Created
#  metadata:
#    oauthTokenUrl: https://identity.api.openshift.com/auth/realms/rhoas/protocol/openid-connect/token
#    provider: rhoas
#    type: serviceregistry
#  registryUrl: https://bu98.serviceregistry.rhcloud.com/t/ca6b69b3-12be-4ec9-add5-0098567008f5/apis/registry/v2
#  serviceAccountSecretName: rh-cloud-services-service-account
#  updated: "2021-12-09T16:42:34.874851028Z"

Specification details

Fields and subresources in the ServiceRegistryConnection CR are described below.

spec

serviceRegistryId

ID of the Service Registry instance. For more information, see status.serviceRegistries in the CloudServicesRequest CR.

credentials

Credentials object to be used when accessing the kafkaId instance. For more information, see the CloudServicesRequest CR.

accessTokenSecretName

Name of the secret that contains an offline access token. The Operator uses this offline token to request a live access token from an authentication service. The live access token, in turn, authenticates with the Cloud Services API. The status field for the AcccesTokenSecretValid condition indicates whether the token was available and successfully exchanged with the authentication service. For more information, see AcccesTokenSecretValid condition.

spec.credentials

serviceAccountSecretName

Name of the secret that contains service account credentials.

spec.status

registryUrl

URL for the server of the Service Registry instance.

oauthTokenUrl

URL for the token authentication endpoint for the Service Registry instance.

serviceAccountSecretName

Name of the secret that contains the service account credentials used to connect to the Service Registry instance.

spec.status.conditions

FoundServiceRegistryById

If value is True, then the value of the serviceRegistryId field matches a Service Registry instance ID.

Finished

Indicates whether the Operator has successfully finished processing the CR. For more information, see Finished condition.

AcccesTokenSecretValid

Indicates whether the token specified as a value for the accessTokenSecretName field was available and successfully exchanged with the authentication service. For more information, see AcccesTokenSecretValid condition.

CloudServiceAccountRequest

The CloudServiceAccountRequest CR creates service accounts to connect to Kafka instances. Credentials for the service account are stored in a secret. The name of the credentials secret is specified by the value of the serviceAccountSecretName field. For more information about connecting to Kafka instances, see the KafkaConnection CR.

Example

An example of the CloudServiceAccountRequest CR is shown below.

example.yaml
apiVersion: rhoas.redhat.com/v1alpha1
kind: CloudServiceAccountRequest
metadata:
  name: service-account-1
  namespace: rhoas-operator
spec:
  serviceAccountName: "RhoasOperatorServiceAccount"
  serviceAccountDescription: "Operator created service account"

  serviceAccountSecretName: service-account-credentials
  accessTokenSecretName: rh-managed-services-api-accesstoken
status:
  conditions:
  - lastTransitionTime: "2021-03-05T02:06:49.407299Z"
    message: ""
    reason: ""
    status: "True"
    type: AcccesTokenSecretValid
  - lastTransitionTime: "2021-03-05T02:06:49.407330Z"
    message: ""
    reason: ""
    status: "True"
    type: ServiceAccountCreated
  - lastTransitionTime: "2021-03-05T02:06:49.407346Z"
    message: ""
    reason: ""
    status: "True"
    type: ServiceAccountSecretCreated
  - lastTransitionTime: "2021-03-05T02:06:49.407384Z"
    message: ""
    reason: ""
    status: "True"
    type: Finished
  message: Created
  serviceAccountSecretName: service-account-credentials
  updated: "2021-03-05T02:06:49.407249Z"

Format of credentials secret

The Operator creates and manages a secret for the secret account created by the CloudServiceAccountRequest CR. The credentials secret is an opaque secret with the following keys:

client-id

Identifier provided by the service API for the client

client-secret

Secret provided by the service API for the client

Specification details

Fields and subresources in the CloudServiceAccountRequest CR are described below.

spec

serviceAccountName

Name of the service account to be created by the Operator

serviceAccountDescription

Description of the service account to be created by the Operator

serviceAccountSecretName

Name of the secret to be created by the Operator. For more information, see Format of credentials secret.

accessTokenSecretName

Name of the secret that contains an offline access token. The Operator uses this offline token to request a live access token from an authentication service. The live access token, in turn, authenticates with the Cloud Services API. The status field for the AcccesTokenSecretValid condition indicates whether the token was available and successfully exchanged with the authentication service. For more information, see AcccesTokenSecretValid condition.

spec.status

updated

ISO-formatted timestamp that shows when the status was created

serviceAccountSecretName

Secret name that contains the credentials for the service account

spec.status.conditions

ServiceAccountCreated

If the value of this field is True, the Operator successfully created the service account.

ServiceAccountSecretCreated

If the value of this field is True, the Operator successfully created the credentials secret.

Finished

Indicates whether the Operator has successfully finished processing the CR. For more information, see Finished condition.

AcccesTokenSecretValid

Indicates whether the token specified as a value for the accessTokenSecretName field was available and successfully exchanged with the authentication service. For more information, see AcccesTokenSecretValid condition.

Conditions common to all RHOAS Custom Resources

Each CR type managed by the RHOAS Operator has several conditions defined in the status subresource. Some conditions are shared by multiple types and some are type-specific.

Each CR has a condition field that follows the same standard. Conditions are represented as an array of objects. All condition objects have a status value of True, False, or Unknown. When the Operator processes a CR, it first sets the status value of each condition to Unknown. Then, the Operator sets each condition to a value of True as the condition is checked. If a condition fails to check, the Operator sets the status values of the condition and the Finished condition to False. The Operator also updates the reason and message fields with more information.

When a check fails, the Operator halts processing of the CR. The Operator does not check subsequent conditions and their values remain set to Unknown. To resume processing of the CR, you must correct the errors and submit a new CR.

Finished condition

The Operator sets the status value of this condition to True if processing is completed successfully, or False if it is not. The Operator also updates the reason and message fields with more information. The lastTransitionGeneration field records the value of metadata.generation when the condition was set. This condition is included in all of the CRs managed by the RHOAS Operator.

AcccesTokenSecretValid condition

All of the CRs managed by the RHOAS Operator require a value to be specified for the accessTokenSecretName field. This field is the name of an opaque secret with the value key of the secret set to an offline access token. The Operator exchanges this token with an authentication service to get a live access token. The Operator then uses the live access token to perform operations. If this condition has a status value of True, this indicates that the token was available and exchanged. If the status value is False, then there was an error with the accessTokenSecretName property. The Operator updates the reason and message fields with more information.