The OpenShift Application Services (RHOAS) Operator manages the following types of Custom Resources (CRs):

- CloudServicesRequest
- KafkaConnection
- ServiceRegistryConnection
- CloudServiceAccountRequest

All CRs are namespace-scoped and include Operator-managed conditions. Each CR is described in the sections that follow.
The CloudServicesRequest CR is used to get a list of available services. The controller for the CR updates the CR with the services that are available to the provided access token. These services are listed under the `status` subresource. For example, the `id` of an available Kafka instance is the value that the KafkaConnection CR uses as its `kafkaId`.

An example of the CloudServicesRequest CR is shown below.
```yaml
# Namespaced (all RHOAS CRs are namespace-scoped)
apiVersion: rhoas.redhat.com/v1alpha1
kind: CloudServicesRequest
metadata:
  name: namespace-name-kafkas
  namespace: rhoas-operator-testing
  labels:
    app.kubernetes.io/component: external-service
    app.kubernetes.io/managed-by: rhoas
spec:
  accessTokenSecretName: rh-cloud-services-api-accesstoken # see the AcccesTokenSecretValid condition
# status:
#   conditions:
#   - lastTransitionTime: "2021-03-04T00:41:25.745120Z"
#     message: ""
#     reason: ""
#     status: "True"
#     type: AcccesTokenSecretValid
#   - lastTransitionTime: "2021-03-04T00:41:25.745179Z"
#     message: ""
#     reason: ""
#     status: "True"
#     type: Finished
#   - lastTransitionTime: "2021-03-04T00:41:25.745209Z"
#     message: ""
#     reason: ""
#     status: "True"
#     type: UserKafkasUpToDate
#   lastUpdate: "2021-03-03T22:11:57.691906Z"
#   userKafkas:
#   - bootstrapServerHost: example.com
#     createdAt: "2021-02-25T10:01:40.888639Z"
#     id: 484udj72378YIsdfsdI8378
#     name: test-kafka
#     owner: elephant_rose
#     provider: aws
#     region: us-east-1
#     status: ready
#     updatedAt: "2021-02-25T10:06:03.417238Z"
```
Fields and subresources in the CloudServicesRequest CR are described below.

Spec fields:

- `accessTokenSecretName`: Name of the secret that contains an offline access token. The Operator uses this offline token to request a live access token from an authentication service. The live access token, in turn, authenticates with the Cloud Services API. The `status` field of the `AcccesTokenSecretValid` condition indicates whether the token was available and successfully exchanged with the authentication service. For more information, see the AcccesTokenSecretValid condition.

The `status` subresource has the following properties:

- `lastUpdate`: Last update of the status object, in ISO 8601 format
- `userKafkas`: List of available Kafka instances
- `serviceRegistries`: List of available Service Registry instances (not shown in the example above); the ServiceRegistryConnection CR references entries in this list by ID

The `userKafkas` status field is a list of `userKafka` objects. These objects have the following properties:

- `id`: ID used to reference the instance; the KafkaConnection CR uses it as the value of `kafkaId`
- `bootstrapServerHost`: URL for the service instance
- `name`: Human-readable name for the service instance
- `provider`: Cloud provider that is hosting the service
- `region`: Geographic region in which the service is hosted
- `owner`: Human or organization that owns the service instance
- `updatedAt`: ISO-formatted date that shows when the service instance was updated
- `createdAt`: ISO-formatted date that shows when the service instance was created
- `status`: Human- or machine-readable status for the service instance, for example `ready`

Conditions:

- `UserKafkasUpToDate`: If the `status` field is `True`, the `userKafkas` property is up to date as of `lastTransitionTime`.
- `Finished`: Indicates whether the Operator has successfully finished processing the CR. For more information, see the Finished condition.
- `AcccesTokenSecretValid`: Indicates whether the token specified by the `accessTokenSecretName` field was available and successfully exchanged with the authentication service. For more information, see the AcccesTokenSecretValid condition.
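To show how the `id` of a `userKafkas` entry feeds the KafkaConnection CR, here is an added Python example; it is not code from the RHOAS Operator or from this page. It takes a constructed CloudServicesRequest (the second instance and its `provisioning` status are placeholders), refuses to act unless `UserKafkasUpToDate` is `True`, selects the instance by name only if it is `ready`, and emits the KafkaConnection manifest that references it. The secret and connection names passed in are assumptions.

```python
"""Pick a ready Kafka from a CloudServicesRequest status and build the KafkaConnection for it."""
# Added example, not code from the RHOAS Operator or this page. The CR below is
# constructed for the example; the second userKafkas entry and its "provisioning"
# status are placeholders.
CLOUD_SERVICES_REQUEST = {
    "apiVersion": "rhoas.redhat.com/v1alpha1",
    "kind": "CloudServicesRequest",
    "metadata": {"name": "namespace-name-kafkas", "namespace": "rhoas-operator-testing"},
    "spec": {"accessTokenSecretName": "rh-cloud-services-api-accesstoken"},
    "status": {
        "conditions": [
            {"type": "AcccesTokenSecretValid", "status": "True"},
            {"type": "Finished", "status": "True"},
            {"type": "UserKafkasUpToDate", "status": "True"},
        ],
        "userKafkas": [
            {"id": "484udj72378YIsdfsdI8378", "name": "test-kafka", "status": "ready",
             "bootstrapServerHost": "example.com", "provider": "aws", "region": "us-east-1",
             "owner": "elephant_rose"},
            {"id": "0Hj3kLm7PqRsTuVwXy", "name": "staging-kafka", "status": "provisioning",
             "bootstrapServerHost": "staging.example.com", "provider": "aws", "region": "eu-west-1",
             "owner": "elephant_rose"},
        ],
    },
}


def condition_true(cr, cond_type):
    """True when the named condition is present with status "True"."""
    conditions = cr.get("status", {}).get("conditions", [])
    return any(c.get("type") == cond_type and c.get("status") == "True" for c in conditions)


def select_kafka(cr, name):
    """Return the userKafkas entry called `name`, refusing stale lists and non-ready instances."""
    if not condition_true(cr, "UserKafkasUpToDate"):
        raise RuntimeError("userKafkas is not up to date; inspect the CR conditions first")
    matches = [k for k in cr["status"].get("userKafkas", []) if k.get("name") == name]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one Kafka named {name!r}, found {len(matches)}")
    kafka = matches[0]
    if kafka.get("status") != "ready":
        raise RuntimeError(f"Kafka {name!r} is {kafka.get('status')!r}, not ready")
    return kafka


def kafka_connection_manifest(cr, kafka_name, connection_name, service_account_secret):
    """Build a KafkaConnection that references the selected instance by its id."""
    kafka = select_kafka(cr, kafka_name)
    return {
        "apiVersion": "rhoas.redhat.com/v1alpha1",
        "kind": "KafkaConnection",
        # CRs are namespace-scoped, so the connection lives beside the request and the secrets.
        "metadata": {"name": connection_name, "namespace": cr["metadata"]["namespace"]},
        "spec": {
            "kafkaId": kafka["id"],
            "accessTokenSecretName": cr["spec"]["accessTokenSecretName"],
            "credentials": {"serviceAccountSecretName": service_account_secret},
        },
    }


if __name__ == "__main__":
    import json
    print(json.dumps(kafka_connection_manifest(
        CLOUD_SERVICES_REQUEST, "test-kafka", "test-connection", "service-account-credentials"), indent=2))
```

Selecting by human-readable `name` and then copying the opaque `id` into `kafkaId` is the point: names are what people know, IDs are what the Operator resolves, and gating on `UserKafkasUpToDate` avoids binding to an entry from a stale listing.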
The KafkaConnection CR represents a binding between a service account and a managed Kafka instance. The CR joins two values produced by the other CRs:

- `credentials.serviceAccountSecretName`: the name of the credentials secret created by the CloudServiceAccountRequest CR (its `serviceAccountSecretName` field)
- `kafkaId`: the `id` of a `userKafka` entry listed under `status.userKafkas` of the CloudServicesRequest CR

An example of the KafkaConnection CR is shown below.
```yaml
apiVersion: rhoas.redhat.com/v1alpha1
kind: KafkaConnection
metadata:
  name: test-connection
  namespace: rhoas-operator
spec:
  accessTokenSecretName: rh-managed-services-api-accesstoken
  kafkaId: "valid-kafka-id"
  credentials:
    serviceAccountSecretName: service-account-secret
# status:
#   bootstrapServerHost: kafka.example.com:443
#   conditions:
#   - lastTransitionTime: "2021-03-05T02:02:34.828265Z"
#     message: ""
#     reason: ""
#     status: "True"
#     type: AcccesTokenSecretValid
#   - lastTransitionTime: "2021-03-05T02:02:34.828304Z"
#     message: ""
#     reason: ""
#     status: "True"
#     type: FoundKafkaById
#   - lastTransitionTime: "2021-03-05T02:02:34.828329Z"
#     message: ""
#     reason: ""
#     status: "True"
#     type: Finished
#   message: Created
#   saslMechanism: PLAIN
#   securityProtocol: SASL_SSL
#   serviceAccountSecretName: service-account-credentials
#   uiRef: https://console.redhat.com/beta/application-services/openshift-streams/kafkas/valid-kafka-id
```
Fields and subresources in the KafkaConnection CR are described below.

Spec fields:

- `kafkaId`: ID of the Kafka instance. Use the `id` of an entry in `status.userKafkas` of the CloudServicesRequest CR.
- `credentials`: Credentials object used when accessing the `kafkaId` instance. Its `serviceAccountSecretName` field is the name of the secret that contains the service account credentials; the CloudServiceAccountRequest CR creates that secret.
- `accessTokenSecretName`: Name of the secret that contains an offline access token. The Operator uses this offline token to request a live access token from an authentication service. The live access token, in turn, authenticates with the Cloud Services API. The `status` field of the `AcccesTokenSecretValid` condition indicates whether the token was available and successfully exchanged with the authentication service. For more information, see the AcccesTokenSecretValid condition.

Status fields:

- `bootstrapServerHost`: URL for the bootstrap server of the Kafka instance
- `uiRef`: URL for the UI of the Kafka instance
- `serviceAccountSecretName`: Name of the secret that contains the service account credentials used to connect to the Kafka instance
- `saslMechanism`: SASL mechanism used to connect to the Kafka instance. The default value is `PLAIN`.
- `securityProtocol`: Security protocol used to connect to the Kafka instance. The default value is `SASL_SSL`, as in the example above: the `PLAIN` credentials are only ever sent inside a TLS connection.

Conditions:

- `FoundKafkaById`: If the value is `True`, the value of the `kafkaId` field matches a Kafka instance ID.
- `Finished`: Indicates whether the Operator has successfully finished processing the CR. For more information, see the Finished condition.
- `AcccesTokenSecretValid`: Indicates whether the token specified by the `accessTokenSecretName` field was available and successfully exchanged with the authentication service. For more information, see the AcccesTokenSecretValid condition.
The ServiceRegistryConnection CR represents a binding between a service account and a managed Service Registry instance. The CR joins two values produced by the other CRs:

- `credentials.serviceAccountSecretName`: the name of the credentials secret created by the CloudServiceAccountRequest CR (its `serviceAccountSecretName` field)
- `serviceRegistryId`: the ID of an entry listed under `status.serviceRegistries` of the CloudServicesRequest CR

An example of the ServiceRegistryConnection CR is shown below.
```yaml
apiVersion: rhoas.redhat.com/v1alpha1
kind: ServiceRegistryConnection
metadata:
  name: test-connection
  namespace: rhoas-operator
spec:
  accessTokenSecretName: rh-managed-services-api-accesstoken
  serviceRegistryId: "valid-service-registry-id"
  credentials:
    serviceAccountSecretName: service-account-secret
# status:
#   conditions:
#   - lastTransitionGeneration: 1
#     lastTransitionTime: "2021-12-09T16:42:34.874951655Z"
#     message: ""
#     reason: ""
#     status: "True"
#     type: AcccesTokenSecretValid
#   - lastTransitionGeneration: 1
#     lastTransitionTime: "2021-12-09T16:42:34.874971145Z"
#     message: ""
#     reason: ""
#     status: "True"
#     type: FoundServiceRegistryById
#   - lastTransitionGeneration: 1
#     lastTransitionTime: "2021-12-09T16:42:34.874980304Z"
#     message: ""
#     reason: ""
#     status: "True"
#     type: Finished
#   message: Created
#   metadata:
#     oauthTokenUrl: https://identity.api.openshift.com/auth/realms/rhoas/protocol/openid-connect/token
#     provider: rhoas
#     type: serviceregistry
#   registryUrl: https://bu98.serviceregistry.rhcloud.com/t/ca6b69b3-12be-4ec9-add5-0098567008f5/apis/registry/v2
#   serviceAccountSecretName: rh-cloud-services-service-account
#   updated: "2021-12-09T16:42:34.874851028Z"
```
Fields and subresources in the ServiceRegistryConnection CR are described below.

Spec fields:

- `serviceRegistryId`: ID of the Service Registry instance. Use the ID of an entry in `status.serviceRegistries` of the CloudServicesRequest CR.
- `credentials`: Credentials object used when accessing the `serviceRegistryId` instance. Its `serviceAccountSecretName` field is the name of the secret that contains the service account credentials; the CloudServiceAccountRequest CR creates that secret.
- `accessTokenSecretName`: Name of the secret that contains an offline access token. The Operator uses this offline token to request a live access token from an authentication service. The live access token, in turn, authenticates with the Cloud Services API. The `status` field of the `AcccesTokenSecretValid` condition indicates whether the token was available and successfully exchanged with the authentication service. For more information, see the AcccesTokenSecretValid condition.

Status fields:

- `registryUrl`: URL for the server of the Service Registry instance.
- `metadata.oauthTokenUrl`: URL of the token endpoint at which the service account credentials are exchanged for a token that the Service Registry instance accepts.
- `serviceAccountSecretName`: Name of the secret that contains the service account credentials used to connect to the Service Registry instance.

Conditions:

- `FoundServiceRegistryById`: If the value is `True`, the value of the `serviceRegistryId` field matches a Service Registry instance ID.
- `Finished`: Indicates whether the Operator has successfully finished processing the CR. For more information, see the Finished condition.
- `AcccesTokenSecretValid`: Indicates whether the token specified by the `accessTokenSecretName` field was available and successfully exchanged with the authentication service. For more information, see the AcccesTokenSecretValid condition.
The CloudServiceAccountRequest CR creates a service account that applications use to connect to Kafka and Service Registry instances. Credentials for the service account are stored in a secret whose name is specified by the value of the `serviceAccountSecretName` field. For more information about using these credentials, see the KafkaConnection and ServiceRegistryConnection CRs.

An example of the CloudServiceAccountRequest CR is shown below.
```yaml
apiVersion: rhoas.redhat.com/v1alpha1
kind: CloudServiceAccountRequest
metadata:
  name: service-account-1
  namespace: rhoas-operator
spec:
  serviceAccountName: "RhoasOperatorServiceAccount"
  serviceAccountDescription: "Operator created service account"
  serviceAccountSecretName: service-account-credentials
  accessTokenSecretName: rh-managed-services-api-accesstoken
status:
  conditions:
  - lastTransitionTime: "2021-03-05T02:06:49.407299Z"
    message: ""
    reason: ""
    status: "True"
    type: AcccesTokenSecretValid
  - lastTransitionTime: "2021-03-05T02:06:49.407330Z"
    message: ""
    reason: ""
    status: "True"
    type: ServiceAccountCreated
  - lastTransitionTime: "2021-03-05T02:06:49.407346Z"
    message: ""
    reason: ""
    status: "True"
    type: ServiceAccountSecretCreated
  - lastTransitionTime: "2021-03-05T02:06:49.407384Z"
    message: ""
    reason: ""
    status: "True"
    type: Finished
  message: Created
  serviceAccountSecretName: service-account-credentials
  updated: "2021-03-05T02:06:49.407249Z"
```
The Operator creates and manages a secret for the service account created by the CloudServiceAccountRequest CR. The credentials secret is an opaque secret with the following keys:

- `client-id`: Identifier provided by the service API for the client
- `client-secret`: Secret provided by the service API for the client

Treat this secret as a credential: restrict read access to it with RBAC to the workloads that actually connect to the Kafka or Service Registry instance.
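The credentials secret above, together with the `bootstrapServerHost`, `saslMechanism` and `securityProtocol` fields that the KafkaConnection CR publishes in its status and the `registryUrl` and `oauthTokenUrl` fields from the ServiceRegistryConnection status, is what an application actually consumes. The following added Python example (not code from the RHOAS Operator or this page) decodes a constructed copy of the secret, checks that it is the secret the connection status names, and turns it into client settings. The kafka-python keyword names and the OAuth2 client-credentials grant used for the registry token are assumptions about the consuming client, and every hostname and value is a placeholder.

```python
"""Turn the Operator's credentials Secret plus connection status into client settings."""
# Added example, not RHOAS Operator code. All objects below are constructed placeholders
# in the shape the Kubernetes API returns them; nothing here touches a live cluster.
import base64
from urllib.parse import urlencode

KAFKA_CONNECTION_STATUS = {
    "bootstrapServerHost": "kafka.example.com:443",
    "saslMechanism": "PLAIN",
    "securityProtocol": "SASL_SSL",
    "serviceAccountSecretName": "service-account-credentials",
}
SERVICE_REGISTRY_STATUS = {
    "registryUrl": "https://registry.example.com/t/tenant/apis/registry/v2",
    "metadata": {"oauthTokenUrl": "https://sso.example.com/auth/realms/rhoas/protocol/openid-connect/token"},
    "serviceAccountSecretName": "service-account-credentials",
}
CREDENTIALS_SECRET = {  # Opaque Secret as the Operator creates it; values are constructed
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "service-account-credentials", "namespace": "rhoas-operator"},
    "data": {
        "client-id": base64.b64encode(b"srvc-acct-12345678").decode(),
        "client-secret": base64.b64encode(b"constructed-example-secret").decode(),
    },
}


def decode_credentials(secret, expected_name):
    """Return {'client-id': ..., 'client-secret': ...} from a Secret object."""
    # Bind to the secret named in the connection status so a swapped Secret is caught.
    if secret["metadata"]["name"] != expected_name:
        raise ValueError(f"secret {secret['metadata']['name']!r} is not {expected_name!r}")
    data = secret.get("data", {})
    missing = [k for k in ("client-id", "client-secret") if k not in data]
    if missing:
        raise KeyError(f"credentials secret lacks keys: {missing}")
    # The API returns Secret data base64-encoded.
    return {k: base64.b64decode(data[k]).decode() for k in ("client-id", "client-secret")}


def kafka_client_config(status, secret):
    """Build kafka-python style keyword arguments (assumed client) from a KafkaConnection status."""
    if status.get("securityProtocol") != "SASL_SSL":
        # SASL PLAIN presents the client secret as a password; only allow it inside TLS.
        raise ValueError(f"refusing {status.get('securityProtocol')!r}: PLAIN credentials need SASL_SSL")
    creds = decode_credentials(secret, status["serviceAccountSecretName"])
    return {
        "bootstrap_servers": status["bootstrapServerHost"],
        "security_protocol": status["securityProtocol"],
        "sasl_mechanism": status.get("saslMechanism", "PLAIN"),
        "sasl_plain_username": creds["client-id"],
        "sasl_plain_password": creds["client-secret"],
    }


def registry_token_request(status, secret):
    """Describe the OAuth2 client-credentials POST (assumed grant) that yields a registry bearer token."""
    token_url = status["metadata"]["oauthTokenUrl"]
    if not token_url.startswith("https://"):
        raise ValueError("token endpoint must be https: the client secret travels in the request body")
    creds = decode_credentials(secret, status["serviceAccountSecretName"])
    return {
        "method": "POST",
        "url": token_url,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": "client_credentials",
                           "client_id": creds["client-id"],
                           "client_secret": creds["client-secret"]}),
        "api_base": status["registryUrl"],  # send the resulting access token as a Bearer header here
    }


if __name__ == "__main__":
    print(kafka_client_config(KAFKA_CONNECTION_STATUS, CREDENTIALS_SECRET))
    print(registry_token_request(SERVICE_REGISTRY_STATUS, CREDENTIALS_SECRET)["url"])
```

The two refusals are deliberate: a status that reports anything other than `SASL_SSL`, or a token endpoint that is not HTTPS, would put the `client-secret` on the wire in clear text, so the helper fails closed rather than connecting.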
Fields and subresources in the CloudServiceAccountRequest CR are described below.

Spec fields:

- `serviceAccountName`: Name of the service account to be created by the Operator
- `serviceAccountDescription`: Description of the service account to be created by the Operator
- `serviceAccountSecretName`: Name of the secret to be created by the Operator. For more information, see the format of the credentials secret above.
- `accessTokenSecretName`: Name of the secret that contains an offline access token. The Operator uses this offline token to request a live access token from an authentication service. The live access token, in turn, authenticates with the Cloud Services API. The `status` field of the `AcccesTokenSecretValid` condition indicates whether the token was available and successfully exchanged with the authentication service. For more information, see the AcccesTokenSecretValid condition.

Status fields:

- `updated`: ISO-formatted timestamp that shows when the status was last written
- `serviceAccountSecretName`: Name of the secret that contains the credentials for the service account

Conditions:

- `ServiceAccountCreated`: If the `status` value is `True`, the Operator successfully created the service account.
- `ServiceAccountSecretCreated`: If the `status` value is `True`, the Operator successfully created the credentials secret.
- `Finished`: Indicates whether the Operator has successfully finished processing the CR. For more information, see the Finished condition.
- `AcccesTokenSecretValid`: Indicates whether the token specified by the `accessTokenSecretName` field was available and successfully exchanged with the authentication service. For more information, see the AcccesTokenSecretValid condition.
Each CR type managed by the RHOAS Operator has several conditions defined in the `status` subresource. Some conditions are shared by multiple types and some are type-specific.

Every CR carries a `conditions` field with the same structure: an array of condition objects. Each condition object has a `status` value of `True`, `False`, or `Unknown`. When the Operator processes a CR, it first sets the `status` value of each condition to `Unknown`. It then sets each condition to `True` as that check passes. If a check fails, the Operator sets the `status` of that condition and of the `Finished` condition to `False`, and updates the condition's `reason` and `message` fields with more information.

When a check fails, the Operator halts processing of the CR. It does not evaluate the subsequent conditions, so their `status` values remain `Unknown`. To resume processing, correct the error (for example, fix the referenced secret or the spec) and apply the corrected CR.
The `Finished` condition: The Operator sets the `status` value of this condition to `True` if processing completed successfully, or `False` if it did not. The Operator also updates the `reason` and `message` fields with more information. The `lastTransitionGeneration` field records the value of `metadata.generation` at the time the condition was set, so a `Finished` condition whose `lastTransitionGeneration` is lower than the current `metadata.generation` describes an earlier version of the spec, not the one you most recently applied. This condition is included in all of the CRs managed by the RHOAS Operator.
The `AcccesTokenSecretValid` condition: All of the CRs managed by the RHOAS Operator require a value for the `accessTokenSecretName` field. This field names an opaque secret whose `value` key is set to an offline access token. The Operator exchanges this token with an authentication service for a live access token, and then uses the live token to perform operations. A `status` value of `True` indicates that the token was available and exchanged. A `status` value of `False` indicates an error with the `accessTokenSecretName` property, for example the secret is missing from the CR's namespace or the exchange failed; the Operator updates the `reason` and `message` fields with more information. Because the offline token can mint live tokens for the account that issued it, restrict read access to this secret with RBAC to the Operator and the administrators who rotate it.
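The rules above (conditions start `Unknown`, the first failing check and `Finished` go `False`, later checks stay `Unknown`, and `lastTransitionGeneration` tells you whether `Finished` refers to the current spec) are easy to apply by hand on one CR and tedious on many. The following added Python example, which is not Operator code and not part of this page, implements them over CR objects as returned by the API. The three CRs at the bottom are constructed, and the `reason` and `message` strings in the failure case are placeholders, not values the Operator emits.

```python
"""Evaluate the Operator's condition array and report why a CR is not Finished."""
# Added example, not RHOAS Operator code. The three CRs at the bottom are constructed;
# the reason and message strings are placeholders, not values the Operator emits.


def _conditions(cr):
    return cr.get("status", {}).get("conditions", [])


def summarize(cr):
    """Return finished/failed/pending/stale for a CR, following the rules described above."""
    by_type = {c.get("type"): c for c in _conditions(cr)}
    finished = by_type.get("Finished", {})
    generation = cr.get("metadata", {}).get("generation")
    # Finished records lastTransitionGeneration. If that lags metadata.generation, the
    # status describes an earlier spec and a "True" there must not be trusted yet.
    stale = (generation is not None
             and "lastTransitionGeneration" in finished
             and finished["lastTransitionGeneration"] < generation)
    failed = None
    pending = []
    for c in _conditions(cr):
        status = c.get("status", "Unknown")
        if status == "False" and c.get("type") != "Finished" and failed is None:
            # The first False condition is the check that halted processing.
            failed = {"type": c.get("type"), "reason": c.get("reason", ""), "message": c.get("message", "")}
        elif status == "Unknown":
            # Checks after the failure are never run and stay Unknown.
            pending.append(c.get("type"))
    return {
        "finished": finished.get("status") == "True" and not stale,
        "failed": failed,
        "pending": pending,
        "stale": stale,
    }


def diagnose(cr):
    """One-line human summary suitable for a readiness check or a log line."""
    s = summarize(cr)
    ref = f"{cr.get('kind')}/{cr.get('metadata', {}).get('name')}"
    if s["stale"]:
        return f"{ref}: status is for an older generation; wait for the Operator to reconcile"
    if s["finished"]:
        return f"{ref}: ready"
    if s["failed"]:
        f = s["failed"]
        skipped = f"; not checked: {', '.join(s['pending'])}" if s["pending"] else ""
        return f"{ref}: {f['type']} failed ({f['reason']}): {f['message']}{skipped}"
    return f"{ref}: in progress; pending: {', '.join(s['pending']) or 'none'}"


def _cond(type_, status, gen=1, reason="", message=""):
    return {"type": type_, "status": status, "lastTransitionGeneration": gen,
            "reason": reason, "message": message}


READY = {"kind": "KafkaConnection", "metadata": {"name": "test-connection", "generation": 1},
         "status": {"conditions": [_cond("AcccesTokenSecretValid", "True"),
                                   _cond("FoundKafkaById", "True"),
                                   _cond("Finished", "True")]}}

# Token secret missing: the token check fails, FoundKafkaById is never run, Finished is False.
TOKEN_FAILURE = {"kind": "KafkaConnection", "metadata": {"name": "test-connection", "generation": 1},
                 "status": {"conditions": [
                     _cond("AcccesTokenSecretValid", "False", reason="SecretNotFound",
                           message="secret rh-managed-services-api-accesstoken not found"),
                     _cond("FoundKafkaById", "Unknown"),
                     _cond("Finished", "False", reason="SecretNotFound")]}}

# Spec edited (generation 2) but not yet reconciled: Finished still refers to generation 1.
STALE = {"kind": "KafkaConnection", "metadata": {"name": "test-connection", "generation": 2},
         "status": {"conditions": [_cond("AcccesTokenSecretValid", "True"),
                                   _cond("FoundKafkaById", "True"),
                                   _cond("Finished", "True")]}}

if __name__ == "__main__":
    for cr in (READY, TOKEN_FAILURE, STALE):
        print(diagnose(cr))
```

The stale check is the one people forget: immediately after `kubectl apply` of a changed spec, `Finished` is still `True` from the previous reconcile, and a readiness gate that only reads that value will pass before the Operator has looked at the new spec at all.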