Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature]: App Developer can see credentials from Service Bindings are projected onto kpack staging Pods #463

Closed
tcdowney opened this issue Jan 13, 2022 · 5 comments · Fixed by #649
Closed

[Feature]: App Developer can see credentials from Service Bindings are projected onto kpack staging Pods #463

tcdowney opened this issue Jan 13, 2022 · 5 comments · Fixed by #649
Labels
UPSI

Comments

@tcdowney
Copy link
Member

tcdowney commented Jan 13, 2022
edited
Loading

Blockers/Dependencies

No response

Background

As an App Developer
I want Credentials from Service Bindings for User-provided Service Instances to be accessible to kpack Pods when staging my app
So that service credential binding is available to buildpacks that might make use of it during staging

Acceptance Criteria

GIVEN I have one or more CFServiceBindings bindings bound to an app
WHEN I initiate a new Build for my app
THEN I see the CFServiceBindings that are referred to by the spec.services of the Kpack Image for that app/build. See: https://github.com/pivotal/kpack/blob/main/docs/servicebindings.md
AND I can see that the credentials in the UPSI/CFServiceBinding Secrets are volume mounted in the Kpack staging Pod when the build executes

Dev Notes

Resources:
@tcdowney tcdowney added the UPSI label Jan 13, 2022
@tcdowney tcdowney changed the title [Feature]: App Developer can see credentials from UPSI bindings are projected onto kpack staging Pods [Feature]: App Developer can see credentials from Service Bindings are projected onto kpack staging Pods Jan 13, 2022
@julian-hj
Copy link
Member

I added an issue to kpack here to point out that the ProvisionedService binding is not very well implemented, and doesn't log errors.

For now, we will just bind the secret directly to the Image, since it doesn't seem that binding to CFServiceBindings will work very well.

@julian-hj
Copy link
Member

Note that Matt McNew opened this PR to allow us to grant kpack access to our ServiceBindings without reaching into kpack: buildpacks-community/kpack#922

@tcdowney
Copy link
Member Author

Wow that was fast. Hypothetically, one long term benefit to actually using the CFServiceInstance over directly using Secrets I think is that it would more easily support credential rotation for managed services. I still think what we've done with binding the Secret directly is probably fine for now considering we're making new kpack Images per build and CF devs are already well acquainted with needing to do a cf restage after bindings are changed/added.

gnovv added a commit that referenced this issue Feb 10, 2022
@gnovv @julian-hj
Add CFServiceBindings to CFBuildController
5fc80f3 
#463
- Updates ServiceInstance Secret to include type
- Updates BuildController to add ServiceBinding

Co-authored-by: Clint Yoshimura <clinty@vmware.com>
Co-authored-by: Julian Hjortshoj <hjortshojj@vmware.com>
@gnovv gnovv mentioned this issue Feb 10, 2022
Merged
@gnovv
Copy link
Contributor

gnovv commented Feb 11, 2022

There are small issues we noted with the initial implementation:

1- In order to have the secret be ingested by kpack we had to add the type key to the Data with the value user-provided. We decided to do so by adding/overwriting the key on the shim side when the secret is created. Effectively this makes it so that the type field cannot be set by cf cups

2- There is a "closed door" problem with eventual consistency around the builds. If the secrets and bindings are created at the same time as the CFBuild- the first reconcile will silently complete potentially without the secrets. Since we never rebuild once a build is completed, the kpack image will never be updated unless you cf restage

gnovv added a commit that referenced this issue Feb 11, 2022
@gnovv @julian-hj
Add CFServiceBindings to CFBuildController (#649)
d84001c 
#463
- Updates ServiceInstance Secret to include type
- Updates BuildController to add ServiceBinding

Co-authored-by: Clint Yoshimura <clinty@vmware.com>
Co-authored-by: Julian Hjortshoj <hjortshojj@vmware.com>
@tcdowney
Copy link
Member Author

If the secrets and bindings are created at the same time as the CFBuild- the first reconcile will silently complete potentially without the secrets. Since we never rebuild once a build is completed, the kpack image will never be updated unless you cf restage

I think this is fine. I think the sequence of events in cf push will make this case very unlikely if not impossible (app is configured, then package is uploaded, then build is created). If you're doing the service binding concurrently / shortly after cf push then the existing behavior is to require a cf restage anyway.

@tcdowney tcdowney mentioned this issue Mar 7, 2022
Closed
@tcdowney tcdowney mentioned this issue Mar 22, 2022
Closed
@gcapizzi gcapizzi moved this to ✅ Done in Korifi - Backlog Nov 29, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
UPSI
Projects
Korifi - Backlog
Archived in project
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add CFServiceBindings to CFBuildController cloudfoundry/korifi
3 participants
@tcdowney @julian-hj @gnovv