ibm / cloud-operators
Provision and bind IBM Cloud services to your Kubernetes cluster in a Kubernetes-native way
License: Apache License 2.0
Document the following:
Tried the binding operator with the following yaml. It appears that the operator did not name the secret with the secretName specified in the yaml. The secret was named binding-messagehub instead of laura-messagehub-secret.

```yaml
apiVersion: ibmcloud.ibm.com/v1alpha1
kind: Binding
metadata:
  name: binding-messagehub
spec:
  serviceName: mymessagehub
  secretName: laura-messagehub-secret
```
When using the IBM Cloud operator, any service creation results in a service creation event being logged in Activity Tracker. Currently, because of the way the IBM Cloud operator works, the initiator corresponds to the API key/service ID used by AT instead of the actual user who initiated the service creation. The request here is to add a feature to the Cloud operator to create an additional service creation event that shows the actual user who created the service.
It might be possible to somehow create a service with the user's name; then we don't need another AT event.
Please contact me if you have any questions.
When using IKS or Red Hat OpenShift on IBM Cloud, users authenticate with OpenShift/Kubernetes using an IBM Cloud IAM identity. Any thoughts on whether it would be possible to use this identity for authentication with IBM Cloud when trying to manage the services?
It may be a pipe dream, but I do think it's worth investigating to see if there could be a method for leveraging this identity.
Context:
I was testing an example application that uses an instance of the Watson Language Translator from IBM Cloud. I was using an IKS 1.14.x cluster with cloudoperators/ibmcloud-operator:0.1.0 installed.
At the start of a sequence of operations, I had no instances of binding or service CRDs in the cluster and no instances of the Watson Language Translator in my cloud account.
At the end of a sequence of operations, I had no instances of binding or service CRDs in the cluster, BUT there was still an instance of the Watson Language Translator in my cloud account (still there 24 hours later). Based on the name of the instance, it was the one created by the ibmcloud operator and not deleted when the CRDs were deleted.
Attached is the relevant section of logs from the operator.
```
{"level":"info","ts":1572487334.5800693,"logger":"service","msg":"Error deleting resource","mytranslator":"Request failed with status code: 400, ServerErrorResponse: {"message":"Instance is already in pending_reclamation state.","status_code":400}\n"}
```

The controller doesn't recover from this.
```yaml
apiVersion: ibmcloud.ibm.com/v1alpha1
kind: Service
metadata:
  name: sysdiglite
spec:
  plan: lite
  serviceClass: sysdig-monitor
---
apiVersion: ibmcloud.ibm.com/v1alpha1
kind: Binding
metadata:
  name: binding-sysdiglite
spec:
  serviceName: sysdiglite
```
The result is that the service.ibmcloud is just fine, but I get the following for the binding.ibmcloud:

```
Name:         binding-sysdiglite
Namespace:    default
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"ibmcloud.ibm.com/v1alpha1","kind":"Binding","metadata":{"annotations":{},"name":"binding-sysdiglite","namespace":"default"},"spec":{"ser...
API Version:  ibmcloud.ibm.com/v1alpha1
Kind:         Binding
Metadata:
  Creation Timestamp:  2019-07-11T15:08:01Z
  Finalizers:
    binding.ibmcloud.ibm.com
  Generation:  1
  Owner References:
    API Version:           ibmcloud.ibm.com/v1alpha1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Service
    Name:                  sysdiglite
    UID:                   acea4390-a3ed-11e9-a260-7a9326862861
  Resource Version:  6010884
  Self Link:         /apis/ibmcloud.ibm.com/v1alpha1/namespaces/default/bindings/binding-sysdiglite
  UID:               acf32645-a3ed-11e9-a260-7a9326862861
Spec:
  Service Name:  sysdiglite
Status:
  Instance Id:      crn:v1:bluemix:public:sysdig-monitor:us-south:a/33c5711b8afbf7fd809a4529de613a08:0d1d43af-29e8-4098-a7ad-f1252f5ca684::
  Key Instance Id:  crn:v1:bluemix:public:sysdig-monitor:us-south:a/33c5711b8afbf7fd809a4529de613a08:0d1d43af-29e8-4098-a7ad-f1252f5ca684:resource-key:0e21964e-e3d2-4c63-82f4-c4ccdd42af04
  Message:          Secret "binding-sysdiglite" is invalid: [data[Sysdig Access Key]: Invalid value: "Sysdig Access Key": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name', or 'KEY_NAME', or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+'), data[Sysdig Collector Endpoint]: Invalid value: "Sysdig Collector Endpoint": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name', or 'KEY_NAME', or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+'), data[Sysdig Customer Id]: Invalid value: "Sysdig Customer Id": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name', or 'KEY_NAME', or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+'), data[Sysdig Endpoint]: Invalid value: "Sysdig Endpoint": a valid config key must consist of alphanumeric characters, '-', '_' or '.' (e.g. 'key.name', or 'KEY_NAME', or 'key-name', regex used for validation is '[-._a-zA-Z0-9]+')]
  State:            Failed
Events:  <none>
```
Hi, is it possible to create a release tag to publish a stable version instead of always installing from the latest master.zip?
2019/09/04 11:10:30 Registering Components.
{"level":"info","ts":1567595430.383996,"logger":"kubebuilder.controller","msg":"Starting EventSource","controller":"binding-controller","source":"kind source: /, Kind="}
{"level":"info","ts":1567595430.384281,"logger":"kubebuilder.controller","msg":"Starting EventSource","controller":"binding-controller","source":"kind source: /, Kind="}
{"level":"info","ts":1567595430.384528,"logger":"kubebuilder.controller","msg":"Starting EventSource","controller":"service-controller","source":"kind source: /, Kind="}
{"level":"info","ts":1567595430.3847806,"logger":"kubebuilder.controller","msg":"Starting EventSource","controller":"token-controller","source":"kind source: /, Kind="}
2019/09/04 11:10:30 Starting the Cmd.
{"level":"info","ts":1567595430.4853036,"logger":"kubebuilder.controller","msg":"Starting Controller","controller":"token-controller"}
{"level":"info","ts":1567595430.4853926,"logger":"kubebuilder.controller","msg":"Starting Controller","controller":"binding-controller"}
{"level":"info","ts":1567595430.485429,"logger":"kubebuilder.controller","msg":"Starting Controller","controller":"service-controller"}
{"level":"info","ts":1567595430.585615,"logger":"kubebuilder.controller","msg":"Starting workers","controller":"token-controller","worker count":1}
{"level":"info","ts":1567595430.5858042,"logger":"kubebuilder.controller","msg":"Starting workers","controller":"service-controller","worker count":30}
{"level":"info","ts":1567595430.5857067,"logger":"kubebuilder.controller","msg":"Starting workers","controller":"binding-controller","worker count":33}
{"level":"info","ts":1567595430.5860016,"logger":"iam-token","msg":"reconciling IBM cloud IAM tokens","secretRef":"seed-secret"}
{"level":"info","ts":1567595430.5862157,"logger":"iam-token","msg":"authenticating..."}
{"level":"info","ts":1567595431.5611506,"logger":"iam-token","msg":"creating tokens secret","name":"seed-secret-tokens"}
{"level":"info","ts":1567595431.6002471,"logger":"iam-token","msg":"secret created","name":"seed-secret-tokens"}
{"level":"info","ts":1567595460.457385,"logger":"iam-token","msg":"reconciling IBM cloud IAM tokens","secretRef":"seed-secret"}
{"level":"info","ts":1567595460.457479,"logger":"iam-token","msg":"authenticating..."}
{"level":"info","ts":1567595461.023003,"logger":"iam-token","msg":"creating tokens secret","name":"seed-secret-tokens"}
{"level":"info","ts":1567595461.1133666,"logger":"iam-token","msg":"secret created","name":"seed-secret-tokens"}
{"level":"info","ts":1567595490.4581864,"logger":"iam-token","msg":"reconciling IBM cloud IAM tokens","secretRef":"seed-secret"}
{"level":"info","ts":1567595490.4582605,"logger":"iam-token","msg":"authenticating..."}
{"level":"info","ts":1567595490.6674898,"logger":"iam-token","msg":"creating tokens secret","name":"seed-secret-tokens"}
{"level":"info","ts":1567595490.7247064,"logger":"iam-token","msg":"secret created","name":"seed-secret-tokens"}
{"level":"info","ts":1567595520.459059,"logger":"iam-token","msg":"reconciling IBM cloud IAM tokens","secretRef":"seed-secret"}
{"level":"info","ts":1567595520.4591346,"logger":"iam-token","msg":"authenticating..."}
{"level":"info","ts":1567595520.7943714,"logger":"iam-token","msg":"creating tokens secret","name":"seed-secret-tokens"}
{"level":"info","ts":1567595520.8722453,"logger":"iam-token","msg":"secret created","name":"seed-secret-tokens"}
{"level":"info","ts":1567595550.459095,"logger":"iam-token","msg":"reconciling IBM cloud IAM tokens","secretRef":"seed-secret"}
{"level":"info","ts":1567595550.459168,"logger":"iam-token","msg":"authenticating..."}
{"level":"info","ts":1567595550.6792963,"logger":"iam-token","msg":"creating tokens secret","name":"seed-secret-tokens"}
{"level":"info","ts":1567595550.7460973,"logger":"iam-token","msg":"secret created","name":"seed-secret-tokens"}
{"level":"info","ts":1567595580.4596167,"logger":"iam-token","msg":"reconciling IBM cloud IAM tokens","secretRef":"seed-secret"}
{"level":"info","ts":1567595580.4597182,"logger":"iam-token","msg":"authenticating..."}
{"level":"info","ts":1567595581.3568347,"logger":"iam-token","msg":"creating tokens secret","name":"seed-secret-tokens"}
{"level":"info","ts":1567595581.4320064,"logger":"iam-token","msg":"secret created","name":"seed-secret-tokens"}
{"level":"info","ts":1567595610.4605396,"logger":"iam-token","msg":"reconciling IBM cloud IAM tokens","secretRef":"seed-secret"}
{"level":"info","ts":1567595610.4606142,"logger":"iam-token","msg":"authenticating..."}
{"level":"info","ts":1567595610.647946,"logger":"iam-token","msg":"creating tokens secret","name":"seed-secret-tokens"}
{"level":"info","ts":1567595610.7103074,"logger":"iam-token","msg":"secret created","name":"seed-secret-tokens"}
{"level":"info","ts":1567595640.4604962,"logger":"iam-token","msg":"reconciling IBM cloud IAM tokens","secretRef":"seed-secret"}
{"level":"info","ts":1567595640.4605722,"logger":"iam-token","msg":"authenticating..."}
{"level":"info","ts":1567595641.455251,"logger":"iam-token","msg":"creating tokens secret","name":"seed-secret-tokens"}
{"level":"info","ts":1567595641.5189216,"logger":"iam-token","msg":"secret created","name":"seed-secret-tokens"}
{"level":"info","ts":1567595670.4615536,"logger":"iam-token","msg":"reconciling IBM cloud IAM tokens","secretRef":"seed-secret"}
{"level":"info","ts":1567595670.4616308,"logger":"iam-token","msg":"authenticating..."}
{"level":"info","ts":1567595670.781947,"logger":"iam-token","msg":"creating tokens secret","name":"seed-secret-tokens"}
{"level":"info","ts":1567595670.8239803,"logger":"iam-token","msg":"secret created","name":"seed-secret-tokens"}
{"level":"info","ts":1567595700.4620593,"logger":"iam-token","msg":"reconciling IBM cloud IAM tokens","secretRef":"seed-secret"}
{"level":"info","ts":1567595700.46217,"logger":"iam-token","msg":"authenticating..."}
{"level":"info","ts":1567595701.2653816,"logger":"iam-token","msg":"creating tokens secret","name":"seed-secret-tokens"}
{"level":"info","ts":1567595701.4408503,"logger":"iam-token","msg":"secret created","name":"seed-secret-tokens"}
{"level":"info","ts":1567595730.4625704,"logger":"iam-token","msg":"reconciling IBM cloud IAM tokens","secretRef":"seed-secret"}
{"level":"info","ts":1567595730.4626958,"logger":"iam-token","msg":"authenticating..."}
{"level":"info","ts":1567595731.3687491,"logger":"iam-token","msg":"creating tokens secret","name":"seed-secret-tokens"}
{"level":"info","ts":1567595731.6761453,"logger":"iam-token","msg":"secret created","name":"seed-secret-tokens"}
{"level":"info","ts":1567595760.4628518,"logger":"iam-token","msg":"reconciling IBM cloud IAM tokens","secretRef":"seed-secret"}
{"level":"info","ts":1567595760.4629266,"logger":"iam-token","msg":"authenticating..."}
{"level":"info","ts":1567595762.2687404,"logger":"iam-token","msg":"creating tokens secret","name":"seed-secret-tokens"}
{"level":"info","ts":1567595762.9215274,"logger":"iam-token","msg":"secret created","name":"seed-secret-tokens"}
{"level":"info","ts":1567595790.4639907,"logger":"iam-token","msg":"reconciling IBM cloud IAM tokens","secretRef":"seed-secret"}
{"level":"info","ts":1567595790.4640663,"logger":"iam-token","msg":"authenticating..."}
{"level":"info","ts":1567595790.766511,"logger":"iam-token","msg":"creating tokens secret","name":"seed-secret-tokens"}
{"level":"info","ts":1567595790.893934,"logger":"iam-token","msg":"secret created","name":"seed-secret-tokens"}
{"level":"info","ts":1567595820.4639208,"logger":"iam-token","msg":"reconciling IBM cloud IAM tokens","secretRef":"seed-secret"}
{"level":"info","ts":1567595820.464038,"logger":"iam-token","msg":"authenticating..."}
{"level":"info","ts":1567595821.0999365,"logger":"iam-token","msg":"creating tokens secret","name":"seed-secret-tokens"}
{"level":"info","ts":1567595821.1949873,"logger":"iam-token","msg":"secret created","name":"seed-secret-tokens"}
{"level":"info","ts":1567595850.4647455,"logger":"iam-token","msg":"reconciling IBM cloud IAM tokens","secretRef":"seed-secret"}
{"level":"info","ts":1567595850.464858,"logger":"iam-token","msg":"authenticating..."}
{"level":"info","ts":1567595851.0882504,"logger":"iam-token","msg":"creating tokens secret","name":"seed-secret-tokens"}
{"level":"info","ts":1567595851.1474195,"logger":"iam-token","msg":"secret created","name":"seed-secret-tokens"}
{"level":"info","ts":1567595880.4655426,"logger":"iam-token","msg":"reconciling IBM cloud IAM tokens","secretRef":"seed-secret"}
{"level":"info","ts":1567595880.4656255,"logger":"iam-token","msg":"authenticating..."}
{"level":"info","ts":1567595881.6596067,"logger":"iam-token","msg":"creating tokens secret","name":"seed-secret-tokens"}
{"level":"info","ts":1567595881.7811937,"logger":"iam-token","msg":"secret created","name":"seed-secret-tokens"}
{"level":"info","ts":1567595910.4656918,"logger":"iam-token","msg":"reconciling IBM cloud IAM tokens","secretRef":"seed-secret"}
{"level":"info","ts":1567595910.4657555,"logger":"iam-token","msg":"authenticating..."}
{"level":"info","ts":1567595910.7067425,"logger":"iam-token","msg":"creating tokens secret","name":"seed-secret-tokens"}
{"level":"info","ts":1567595910.7580051,"logger":"iam-token","msg":"secret created","name":"seed-secret-tokens"}
{"level":"info","ts":1567595940.466467,"logger":"iam-token","msg":"reconciling IBM cloud IAM tokens","secretRef":"seed-secret"}
{"level":"info","ts":1567595940.4665887,"logger":"iam-token","msg":"authenticating..."}
{"level":"info","ts":1567595941.3466737,"logger":"iam-token","msg":"creating tokens secret","name":"seed-secret-tokens"}
{"level":"info","ts":1567595941.4124768,"logger":"iam-token","msg":"secret created","name":"seed-secret-tokens"}
{"level":"info","ts":1567595970.46677,"logger":"iam-token","msg":"reconciling IBM cloud IAM tokens","secretRef":"seed-secret"}
{"level":"info","ts":1567595970.4668615,"logger":"iam-token","msg":"authenticating..."}
{"level":"info","ts":1567595970.9634576,"logger":"iam-token","msg":"creating tokens secret","name":"seed-secret-tokens"}
{"level":"info","ts":1567595971.0092242,"logger":"iam-token","msg":"secret created","name":"seed-secret-tokens"}
{"level":"info","ts":1567596000.467724,"logger":"iam-token","msg":"reconciling IBM cloud IAM tokens","secretRef":"seed-secret"}
{"level":"info","ts":1567596000.4677951,"logger":"iam-token","msg":"authenticating..."}
{"level":"info","ts":1567596000.628489,"logger":"iam-token","msg":"creating tokens secret","name":"seed-secret-tokens"}
{"level":"info","ts":1567596000.7129726,"logger":"iam-token","msg":"secret created","name":"seed-secret-tokens"}
{"level":"info","ts":1567596030.4676917,"logger":"iam-token","msg":"reconciling IBM cloud IAM tokens","secretRef":"seed-secret"}
{"level":"info","ts":1567596030.4677715,"logger":"iam-token","msg":"authenticating..."}
{"level":"info","ts":1567596030.6161482,"logger":"iam-token","msg":"creating tokens secret","name":"seed-secret-tokens"}
{"level":"info","ts":1567596030.6956184,"logger":"iam-token","msg":"secret created","name":"seed-secret-tokens"}
{"level":"info","ts":1567596031.6005745,"logger":"iam-token","msg":"reconciling IBM cloud IAM tokens","secretRef":"seed-secret"}
{"level":"info","ts":1567596031.6007035,"logger":"iam-token","msg":"authenticating..."}
{"level":"info","ts":1567596032.3850238,"logger":"iam-token","msg":"creating tokens secret","name":"seed-secret-tokens"}
{"level":"info","ts":1567596032.4597018,"logger":"iam-token","msg":"secret created","name":"seed-secret-tokens"}
It's not finding the secret in the default namespace.
```
olm $ oc describe service.ibmcloud
Name:         mypersonality
Namespace:    ibmcloud
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"ibmcloud.ibm.com/v1alpha1","kind":"Service","metadata":{"annotations":{},"name":"mypersonality","namespace":"ibmcloud"},"spec":{"plan":"...
API Version:  ibmcloud.ibm.com/v1alpha1
Kind:         Service
Metadata:
  Creation Timestamp:  2019-07-10T19:29:16Z
  Generation:          1
  Resource Version:    16373
  Self Link:           /apis/ibmcloud.ibm.com/v1alpha1/namespaces/ibmcloud/services/mypersonality
  UID:                 017c240f-a349-11e9-8052-229d59c3b269
Spec:
  Plan:           lite
  Service Class:  personality-insights
Status:
  Context:
    Org:
    Region:
    Resourcegroup:
    Resourcelocation:
    Space:
  Message:             Secret "seed-secret" not found
  Plan:                lite
  Service Class:       personality-insights
  Service Class Type:
  State:               Failed
Events:  <none>
```
Re-introduce the ability to reference and bind existing services via usage of the Alias plan.
$ curl -sL https://raw.githubusercontent.com/IBM/cloud-operators/master/hack/install-operator.sh | bash
I'm trying to apply this yaml:

```yaml
apiVersion: ibmcloud.ibm.com/v1alpha1
kind: Binding
metadata:
  name: cloudant
spec:
  plan: Alias
  serviceName: cloudant
  serviceClass: cloudantnosqldb
```

After applying and waiting 3-4 min I see:

```
Status:
  Message:  Processing Resource
  State:    Pending
```

It'd be nice if the status section reported what's wrong with either the spec or my configuration.
Create a translator
Change serviceClass to messagehub
Result is 3 services (2 messagehubs and 1 translator)
The usage docs describe:
A Binding generates a secret with the same name as the binding resource and contains service credentials that can be consumed by your application.
Is there any way to revoke or rotate the secret?
Thinking of use cases where the secret has been compromised or where it needs to be rotated periodically due to some biz security policy.
If there is a better place to ask such questions please let me know.
Thank You
I provision a cloudant service with multiple bindings according to the following yaml file:

```yaml
apiVersion: ibmcloud.ibm.com/v1alpha1
kind: Service
metadata:
  name: my-cloudant
spec:
  plan: standard
  serviceClass: cloudantnosqldb
---
apiVersion: ibmcloud.ibm.com/v1alpha1
kind: Binding
metadata:
  name: my-binding-cloudant-1
spec:
  serviceName: my-cloudant
---
apiVersion: ibmcloud.ibm.com/v1alpha1
kind: Binding
metadata:
  name: my-binding-cloudant-2
spec:
  serviceName: my-cloudant
```

However, I can see there are two service instances in the IBM Cloud Portal resource list: one has two bindings, the other has none, as shown below:
Is it possible to publish ibm-cloud-operator with the http://registry.access.redhat.com/ubi8-minimal image?
I used an IBM Cloud service ID's (Administrator role) API key to provision a service using the latest release of cloud-operator, and this error was thrown:
Request failed with status code: 400, BXNIM0106E: Validation of property 'response_type' with value '[uaa, cloud_iam]' failed. Valid values: 'cloud_iam, delegated_refresh_token'
I have verified that with the service ID's API key, I can successfully provision a service using the ibmcloud CLI.
So does cloud-operator support service IDs?
Some services such as DB2 can only have one instance created for the free plan.
So if there is already such a service instantiated, and another one is created with this operator then that fails.
However, if the existing service is deleted then the operator should recover and create a new instance (since the reason for failure no longer exists). This does not happen and we are left with an ill-formed object that has no Status.State.
We should document the usage of secretName in Binding.
ibmcloud-operator-manager-role does not have labels and was not removed by running uninstall-operator.sh.
Travis is now recommending removing the sudo tag.
"If you currently specify sudo: false in your .travis.yml, we recommend removing that configuration"
I found that we have a folder for OLM, https://github.com/IBM/cloud-operators/tree/master/olm; the question is, for on-line install, where can I get those OLM files? From OperatorHub or somewhere else?
I followed the instructions to create a service and binding for Streams (e.g., a mystreams service instance). The service and binding are created. When I click on the mystreams service from the OCP cluster console I get an empty page from which you cannot go back.
Looking in the web browser console I see the following error:

```
WebSocket connection to 'wss://console.dan-rhos10-f0a5715bb2873122b708ede2bf765701-0001.us-east.containers.appdomain.cloud/api/kubernetes/apis/ibmcloud.ibm.com/v1alpha1/namespaces/default/services?watch=true&fieldSelector=metadata.name%3Dmystreams&x-csrf-token=XXXXXXXXXXXX' failed: WebSocket is closed before the connection is established.
o.destroy @ index.tsx:52
```
https://github.com/IBM/cloud-operators/blob/master/config/samples/cos.yaml
Message: Failed: No deployment found for service plan lite at location us-south. Valid location(s) are: ["global"].
Object description:

```
Name:         b2c-auth-dev-cos-dal-01-test
Namespace:    tpol
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"ibmcloud.ibm.com/v1alpha1","kind":"Service","metadata":{"annotations":{},"name":"b2c-auth-dev-cos-dal-01-test","namespace":...
API Version:  ibmcloud.ibm.com/v1alpha1
Kind:         Service
Metadata:
  Creation Timestamp:  2019-09-04T12:02:39Z
  Generation:          1
  Resource Version:    16278396
  Self Link:           /apis/ibmcloud.ibm.com/v1alpha1/namespaces/tpol/services/b2c-auth-dev-cos-dal-01-test
  UID:                 e4a0f379-cf0b-11e9-a426-e27ade6abd72
Spec:
  Plan:           lite
  Service Class:  cloud-object-storage
Status:
  Context:
    Org:
    Region:
    Resourcegroup:
    Resourcelocation:
    Space:
  Message:             Failed: No deployment found for service plan lite at location us-south. Valid location(s) are: ["global"].
                       Use service instance example if the service is a Cloud Foundry service
  Plan:                lite
  Service Class:       cloud-object-storage
  Service Class Type:
  State:               Failed
Events:  <none>
```
operator should look for seed-secret in current namespace, and if not present, in the namespace specified in seed-defaults, using a naming convention (one seed-secret per namespace)
Example: postgresql
Per @paolo, another one is to create secrets in an admin-only accessible workspace, with some naming convention such as ico-secret-, and have the operator look up there as well to get the API key. This way we can keep an even better separation and use kube best practices for management of secrets.
Let us use this issue to track this feature development.
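To make the proposed lookup order concrete, here is an added example in Go (not the project's code) of per-namespace seed-secret resolution: first `seed-secret` in the resource's own namespace, then a secret in the admin-only namespace named with the `ico-secret-` prefix from the comment above. The `ibmcloud-admin` namespace name, using the tenant namespace as the suffix after the prefix, and the in-memory store standing in for the API read are all assumptions made here.

```go
package main

import (
	"errors"
	"fmt"
)

// SecretRef names a Secret by namespace and name.
type SecretRef struct {
	Namespace string
	Name      string
}

// SeedSecretName is the secret looked for in the resource's own namespace.
const SeedSecretName = "seed-secret"

// AdminSecretPrefix is the naming convention for per-namespace secrets kept in the
// admin-only namespace. "ico-secret-" is the prefix suggested above; appending the
// tenant namespace is an assumption made in this example.
const AdminSecretPrefix = "ico-secret-"

// ErrNoSeedSecret is returned when none of the candidates exists.
var ErrNoSeedSecret = errors.New("no seed secret found")

// SeedSecretCandidates returns the lookup order for a resource in ns:
//  1. seed-secret in ns itself
//  2. ico-secret-<ns> in the admin namespace configured via seed-defaults
// The second candidate is skipped when no admin namespace is configured or when
// it is the same namespace, so nothing is ever looked up twice.
func SeedSecretCandidates(ns, adminNS string) []SecretRef {
	c := []SecretRef{{Namespace: ns, Name: SeedSecretName}}
	if adminNS != "" && adminNS != ns {
		c = append(c, SecretRef{Namespace: adminNS, Name: AdminSecretPrefix + ns})
	}
	return c
}

// ResolveSeedSecret walks the candidates and returns the first one that exists.
// exists abstracts the API read so the order can be exercised without a cluster.
func ResolveSeedSecret(ns, adminNS string, exists func(SecretRef) bool) (SecretRef, error) {
	candidates := SeedSecretCandidates(ns, adminNS)
	for _, ref := range candidates {
		if exists(ref) {
			return ref, nil
		}
	}
	return SecretRef{}, fmt.Errorf("%w for namespace %q (tried %v)", ErrNoSeedSecret, ns, candidates)
}

func main() {
	// Constructed in-memory store: team-a keeps its own seed-secret, team-b only
	// has an admin-managed one, team-c has neither.
	store := map[SecretRef]bool{
		{Namespace: "team-a", Name: SeedSecretName}:                 true,
		{Namespace: "ibmcloud-admin", Name: "ico-secret-team-b"}: true,
	}
	exists := func(r SecretRef) bool { return store[r] }
	for _, ns := range []string{"team-a", "team-b", "team-c"} {
		ref, err := ResolveSeedSecret(ns, "ibmcloud-admin", exists)
		fmt.Printf("%-7s -> %+v err=%v\n", ns, ref, err)
	}
}
```

Trying the resource's own namespace first preserves today's behaviour; the fallback means an end user who deletes `seed-secret` in their namespace degrades to the admin-managed key instead of a failed reconcile, and the one-secret-per-namespace convention keeps each tenant's API key readable only by the operator and the admins.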
When a credential (originally created by Binding operator) is deleted manually on IBM cloud console, Binding operator did not detect the missing credential and the old secret remained unchanged.
There is a closed issue (#11) that added an annotation to control the self-healing
behavior and there is at least one example that includes the self-healing annotation.
However, there is no documentation anywhere else as to what exactly this is doing and how to apply it. I believe this annotation will address an issue on my project but I'm hesitant to use it without getting a better understanding of how it works.
The controller should not recreate an Alias service.
Recreating an existing Cloudant service seems to crash it and causes its deletion.
Currently self-healing is enabled by default. Since that might not be always desirable, especially for stateful services, we should control self-healing with an annotation such as:

```yaml
annotations:
  ibmcloud.ibm.com/self-healing: enabled
```

Label not present or any other value than enabled should disable the self-healing feature.
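As an added illustration (not the project's controller code), the Go below encodes the rule exactly as stated: self-healing is on only for the literal value `enabled`, and a missing annotation or any other value keeps it off. It also folds in the point raised above about Alias services, which reference an instance the operator does not own and so should never be recreated. The `ShouldRecreate` decision function and the case-insensitive comparison of the plan name are assumptions made here.

```go
package main

import (
	"fmt"
	"strings"
)

// SelfHealingAnnotation is the annotation key proposed above.
const SelfHealingAnnotation = "ibmcloud.ibm.com/self-healing"

// SelfHealingEnabled implements the proposed rule literally: the feature is on
// only when the annotation is present with the exact value "enabled". A missing
// annotation or any other value ("Enabled", "true", "" ...) keeps it off, so the
// default for stateful services is to leave a missing instance alone.
func SelfHealingEnabled(annotations map[string]string) bool {
	v, ok := annotations[SelfHealingAnnotation]
	return ok && v == "enabled"
}

// ShouldRecreate is the decision a reconcile loop would take when it notices that
// the cloud instance behind a Service no longer exists. It combines the annotation
// gate with the Alias rule: an Alias only references an existing instance, so it
// is never recreated regardless of the annotation. Comparing the plan name
// case-insensitively is an assumption of this example.
func ShouldRecreate(plan string, annotations map[string]string, instanceMissing bool) bool {
	if !instanceMissing {
		return false
	}
	if strings.EqualFold(plan, "Alias") {
		return false
	}
	return SelfHealingEnabled(annotations)
}

func main() {
	// Constructed cases; none of these are resources from the project.
	on := map[string]string{SelfHealingAnnotation: "enabled"}
	cases := []struct {
		name string
		plan string
		ann  map[string]string
	}{
		{"lite, annotation enabled", "lite", on},
		{"lite, annotation capitalised", "lite", map[string]string{SelfHealingAnnotation: "Enabled"}},
		{"lite, annotation true", "lite", map[string]string{SelfHealingAnnotation: "true"}},
		{"lite, no annotation", "lite", nil},
		{"Alias, annotation enabled", "Alias", on},
	}
	for _, c := range cases {
		fmt.Printf("%-32s recreate=%v\n", c.name, ShouldRecreate(c.plan, c.ann, true))
	}
}
```

Requiring the exact string keeps a typo in the annotation from silently turning self-healing on for a database instance; an off-by-default gate fails towards the harmless outcome.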
{"level":"info","ts":1583890921.6279922,"logger":"service","msg":"Error deleting resource","my-cloudant":"Request failed with status code: 400, ServerErrorResponse: {"message":"Instance is pending reclamation. Please restore the instance and retry.","status_code":400,"transaction_id":"bss-47d37a02da442b8d"}\n"}
Each time a binding CR is created, it creates a corresponding credential in the service even if a credential of the same name already exists on that service.
Each credential, in turn, creates an access policy against the account.
An account has a hard limit of 600 policies that can be created. In several accounts, using the IBM Cloud operator on a medium-scale deployment has resulted in the policy limit being hit.
This may be compounded by some other issue in the Operator where the credentials are not cleaned up properly when the service is destroyed and/or the Operator creating orphaned policies when it removes/re-creates the binding.
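One way to stop every reconcile from minting another credential, and with it another policy, is to look the credential up by the Binding's name before creating it, and to check the remaining policy headroom before the first API call rather than discovering the limit halfway through a rollout. The Go below is an added example, not the operator's code: `PlanBindings` and `PolicyHeadroom` are hypothetical helpers, the existing credential name is taken from the cloudant example earlier on this page, and the policy count of 598 is constructed.

```go
package main

import "fmt"

// PolicyHardLimit is the per-account cap on IAM policies cited in the issue above.
const PolicyHardLimit = 600

// CredentialAction is what one reconcile pass would do for a Binding.
type CredentialAction int

const (
	Reuse  CredentialAction = iota // a credential of that name already exists on the service
	Create                         // a new credential, and with it a new IAM policy, would be minted
)

// PlanCredential makes credential creation idempotent: if the service already
// holds a credential named after the Binding, it is reused rather than duplicated.
func PlanCredential(existing []string, name string) CredentialAction {
	for _, e := range existing {
		if e == name {
			return Reuse
		}
	}
	return Create
}

// PlanBindings plans a set of Binding names against the service's current
// credential names. A name already planned earlier in the same pass is not
// planned again, so repeated Bindings never inflate the Create count.
func PlanBindings(existing []string, bindings []string) map[string]CredentialAction {
	seen := make(map[string]bool, len(existing))
	for _, e := range existing {
		seen[e] = true
	}
	plan := make(map[string]CredentialAction, len(bindings))
	for _, b := range bindings {
		if _, done := plan[b]; done {
			continue
		}
		if seen[b] {
			plan[b] = Reuse
		} else {
			plan[b] = Create
			seen[b] = true
		}
	}
	return plan
}

// PolicyHeadroom reports how many policies would remain under the hard limit once
// the plan is applied. A negative result means the rollout would start failing
// partway through, which is worth surfacing in status before anything is created.
func PolicyHeadroom(existingPolicies int, plan map[string]CredentialAction) int {
	creates := 0
	for _, a := range plan {
		if a == Create {
			creates++
		}
	}
	return PolicyHardLimit - existingPolicies - creates
}

func main() {
	// Constructed sample: the service already has one credential and the account
	// is close to the limit.
	existing := []string{"my-binding-cloudant-1"}
	bindings := []string{"my-binding-cloudant-1", "my-binding-cloudant-2", "my-binding-cloudant-2"}
	plan := PlanBindings(existing, bindings)
	for name, action := range plan {
		fmt.Printf("%-24s create=%v\n", name, action == Create)
	}
	fmt.Println("policy headroom:", PolicyHeadroom(598, plan)) // prints 1
}
```

Reusing by name also makes deletion symmetric: the operator only ever owns one credential per Binding, so removing the Binding has exactly one credential and one policy to clean up.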
Once we have RC1 of the service binding specification and SBO supports it, all that IBM Cloud's operator would have to do to be considered compliant with the spec is update its x-descriptor to also use the spec's annotation (which should be very similar), and another simple update to claim that it is bindable.
The current installation approach in https://github.com/IBM/cloud-operators/blob/master/hack/install-operator.sh#L37 is not friendly enough to end users.
Suggest creating releases for this version and attaching the yaml files as release assets, so that we can use https://github.com/IBM/cloud-operators/releases/download/.....yaml to do the installation.
Also, suggest creating an overall yaml file for deployment as well.
Sometimes when using the IBM Cloud CLI, the region is not set, resulting in IC_REGION being empty. This results in rather obscure errors during secret creation like:
error: error validating “STDIN”: error validating data: unknown object type “nil” in Secret.data.region; if you choose to ignore these errors, turn validation off with --validate=false
It would be helpful to do a quick validation of the IC... fields in this script and put up an error message to help users spot and fix the CLI session configuration issue.
Per discussion in #91, I created a new issue to bring this up
===================
@pdettor I'm just curious, are the names seed-secret and seed-defaults configurable? If we put them into the end user's namespace where the service/binding resource is being created, I would like to use more explicit names, i.e. secret-ibm-cloud-operator and config-ibm-cloud-operator, to avoid deletion by the end user.
Answered by @vazirim
@cdlliuy Sure, we can rename.
===================