-
Notifications
You must be signed in to change notification settings - Fork 434
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support update on Bindings #123
Comments
@shalako was there a reason for not having In CF it may require the application to be restaged to pick up the altered binding. I am not sure if restaging would be part of the default workflow. |
CF would require a restart if the change in params changed the bound credentials. But, I can think of some use cases for updating a binding that wouldn't change credentials in CF. For example, if I have a service that uses an up stream load balancer to provide rate limiting to a route, I could change that rate limit for a single route by updating the params on the route service binding with out unbinding the route service and re-binding with new arbitrary parameters. |
@avade Wasn't implemented before because no one asked for it. No reason we couldn't do it soon, except there are so many other things being asked for also ;) |
I will plan to write a proposal doc for this shortly. |
@vaikas-google I've taken a quick first stab at this. Let me know if you think this is going in the right direction. I realised we didn't really discuss what a broker should return when a binding is updated, so I've said it can return the same information as with a create binding for now. https://github.com/mattmcneeney/servicebroker/blob/support-update-on-bindings/spec.md |
can we just call the Binding API again for update binding ? what we should consider is when should we trigger the update action, for example:
|
Hi @tsjsdbd - in the API today performing an update on a binding is not supported. This is something that has been raised before though and is something we have been considering via a Are your use cases for this regarding updating credentials? |
Hi, @mattmcneeney , the Binding API is more like: then, let's consider use case 2, when update only one credential. the Broker also can decide the new credential from the information of the Binding request, for example:
the broker can create the first credential for the app
the Broker know the account only in use case 3, we have no idea. because the instance change the credential itself. we can not decide when to call the api I think we are all agree that it is very careful to add new api to Broker, right? |
I like the general direction of this. A couple of comments:
|
let focus on when should we fresh the credential, new, our Update Response is:
Or once instance is updated, we need call all of Bindings refresh of this instance. |
I'm not sure I totally follow the above. Is the general consensus that we want to use the same PUT request for creating and updating a binding? I'd be hesitant to do that due to the inconsistency with service instances ( |
I agree with @mattmcneeney. PUT for creating, PATCH for updating. If you want a new cred, use PUT with a new ID. If you want to fetch existing creds, the upcoming GET enables this. |
OK,Let's nail down using
|
@tsjsdbd For obtaining new credentials, why not just create a new binding? In many cases, a binding really just means a set of credentials. If that's not possible, your broker could accept a parameter to update binding (say |
I'd prefer to update an existing Binding rather than create a new one because there may be a cost associated with each Binding. However, having said that, the process of rotating credentials could be tricky. Between the time the new creds are created and the app is provided those new creds, it (the app) might try to talk to the service with the old creds and we don't necessarily want that to fail. But, how does the broker know its safe to delete the old creds? The easiest might be to create a new Binding, then the platform can delete the old one when it knows the app has the new creds (and has been restarted, if needed). But give my first statement, I'm wondering if it would make any sense at all to create a second Binding but include a reference to the first so that the Broker knows we're in the process of rotating creds and doesn't treat it like a totally new Binding (and charge us). The broker could even have a timeout turned on for the first Binding if the Platform forgets to delete it. Another option is to have two sets of creds within a single Binding, then the platform would have to do another PATCH to delete the first set of creds when ready. Can't decide if that's cleaner or more complex though - but it would avoid the need to distinguish between two types of Bindings. |
One of the reasons we originally proposed this is that bindings really aren't just credentials. That may be what they are on the surface, but a binding may have lots of other expensive stuff behind it, e.g., proxies, firewalls, etc., and it would be beneficial not to have to duplicate that effort every time credentials need to rotate. It seems to me that bindings are actually two separate things, the credentials, and the binding resource itself. As a binding operator I may want to:
Is there maybe an intersect here with the Actions proposal to do credential rotation? |
Branch updated: https://github.com/mattmcneeney/servicebroker/tree/support-update-on-bindings |
8/29 call: Wait for aysync PR/issue to be resolved before we review/discuss this one |
Looks like this is already covered as previously mentioned by bmelville #123 (comment)
The ability to update #3 without updating/recreating/redefining #1 or #2 is a high impact on UX. The main benefit is that users can use the common service broker interface to pass service specific (arbitrary) config and not have to know the API of the service itself. This is especially impactful in the cases where the API for the service itself is not a standard or well known interface and is a burden for users to learn. |
Reviving this thread. |
@n3wscott the previous attempt to revive this thread didn't go so well! I'm interested to hear if people still need this? Can we revisit what we think a binding update gives us that an unbind/rebind doesn't? |
Closing due to inactivity. Please reopen if this is still urgent for anyone. Note that the issue of credential rotation is being discussed in #176 |
There should be a way to update a binding object. Once a binding is created, one can only delete it. But there are some use cases where being able to support update on Binding would be nice to have. For example, a user of a service could apply quota adjustment that would be on per binding. The model proposed for Service Instance actions could be one way to achieve this.
Other use cases might include credential rotation as well as route modifications.
The text was updated successfully, but these errors were encountered: