-
Notifications
You must be signed in to change notification settings - Fork 22
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SB: Service Binding for Kyma Service Instance - Epic #284
Comments
the static bootstrap token created at the provisioning is extremely short living. (~5min) |
As we discussed we should not use static token. I think TokenRequest api would be the best. KEB can call it directly (without provisioner / infrastructure manager in the middle) using own Kubeconfig. That would be quick and easy solution. |
POCs:
|
FWIW, in order to address kyma-project/kyma#18092 in our project we have come up with a script that
The human user has to be a cluster admin in order to be able to create the service account though. |
Next steps should be discussed with @pbochynski @PK85 @piotrmiskiewicz. |
@PK85, @tobiscr, @pbochynski wouldnt' this gardener's feature offer an alternative, shortcut solution? |
Another meeting with CIS team needed |
We had a meeting again, and we agreed to implement MVP with Service Bindings. The MVP proposal is already to CIS team, awaiting timelines |
MVP proposal, awaiting for CIS team: https://wiki.one.int.sap/wiki/display/kyma/Kyma+Environment+Service+Binding+-+MVP+proposal |
Decisions after a meeting (5.08.2024) with CIS team:
|
Communication from CIS (11.08.2024): A few updates from ERS side:
So, in terms of payload for service broker from ERS:
And my answer:
That means you should gerenate UUID, or we will generate that, see SM APIs https://api.sap.com/api/APIServiceManager/resource/ for service bindings and then if sync mode 201 with ID and credentials in the response, or if async 202 and location header where the path serves as the relative path for the base request URI of the API: 'Get operation status'. I think we need to meet and clarify that. Cause ERS is a platform and features like GET bindings belongs to it. Same like we have GET environments. |
Areas:
|
@pbochynski Is it a right approach, for the runtime implement a service binding to provide the kubeconfig ? Usually, service binding is for the services. |
@gowrisankar22 Service Bindings APIs are right now under implementation for Provisioning Service by CIS team. The Kyma Environment Broker is the OSB API implementation. Why do you think Service Bindings are only for services? Cheers, PK |
Exactly - Kyma runtime is a service and this is the long-term strategy. You can already provision Kyma from Service Marketplace in BTP cockpit. |
Final meetings with CIS team (Zahi) Hi, we should talk about three things.
|
There are two ways of getting an access token for SAP Provisioning Service API:
During binding creation KEB receives body with context:
Context should be saved to database as
During binding creation KEB receives body with context:
Context should be saved to database as |
Meeting notes 16.10.24
|
10.10.2024 - Summary from the meeting about using only token requests from SA from SKR and idempotent behaviour: Legend: Contract between Provisioning Service and KEB bindings: KEB bindings responses details: @MarekMichali KEB implementation about handling binding related resources, like ServiceAccount, ClusterRole, ClusterRoleBidning
KEB binding-cleanup-job details |
@PK85
It would be necessary for good devex in automation scenario |
@kwiatekus |
Managing Kyma Runtime Using the Provisioning API of the SAP Cloud Management Service added and ready for review. |
Description
Provide a service binding for Kyma Runtime instance. The binding should contain all the information to connect to the runtime (KUBECONFIG or all the information required to build a KUBECONFIG). The binding request can create TokenRequest and return the token in the binding.
Reasons
Users can create Kyma Runtime instances with API or BTP CLI. But the instance cannot be accessed without user being authenticated (OIDC flow). Therefore any automation flow that involves provisioning Kyma and deploying any workload there cannot be easily implemented. The only way to do that is to use custom OIDC provider, but that option is not easy to set up and use.
Attachments
Other way to achieve the automation would be kyma-project/kyma#18305
AC Added by PK
Links
The text was updated successfully, but these errors were encountered: