openshift/ansible-service-broker

Sharing credentials between provisions of service instances

maleck13 opened this issue · 3 comments

Feature:

Use case

I have an Operator that will deploy a number of service instances from a namespace broker into a privileged namespace based on a custom resource. These services are intended to be shared and consumed by users of the cluster. Once provisioned, I want to tell the broker to use a secret that contains the credentials and coordinates of a shared service with each subsequent provision of that APB, so that subsequent provisions can interact with the shared service without the need for the requesting user to know the credentials or coordinates of that service.

Currently, if you have perms, you can create a secret in the broker's namespace and have them mounted into a specific APB container using the broker-config: https://github.com/openshift/ansible-service-broker/blob/master/docs/config.md#secrets-configuration

It would be useful to be able to define these secrets dynamically.

  • It would stop the need to redeploy the broker to pick up new secrets
  • It would mean you would not need to know all the details ahead of time.

Initial concerns

  • As the secret could change / be updated (for instance as one shared service became full and a new one was provisioned), the broker will need to copy this credential for each provision or keep track of which service instances received which secret so that during a deprovision the APB would receive the correct values to interact with the same service again.

@eriknelson @jmrodri any thoughts on the concern of tracking which credentials were given to which service instance?
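
The tracking concern raised above, sketched as an added example (not part of the original issue and not broker code): each instance is pinned to the secret version it was provisioned with, and a rotated-out version is dropped once its last instance is deprovisioned. `Tracker`, its methods, the instance IDs and the host values are hypothetical; identifying a version by the Kubernetes Secret's `metadata.resourceVersion` is an assumption.

```go
package main

// Tracker is hypothetical: it pins each instance to the secret version it was given.
type Tracker struct {
	versions map[string]map[string]string // secret resourceVersion -> copied data
	refs     map[string]int               // resourceVersion -> instances still using it
	pinned   map[string]string            // instance ID -> resourceVersion
}

func NewTracker() *Tracker { return &Tracker{map[string]map[string]string{}, map[string]int{}, map[string]string{}} }

// Provision copies the secret once per version and records the pin; false means duplicate ID.
func (t *Tracker) Provision(instanceID, resourceVersion string, data map[string]string) bool {
	if _, dup := t.pinned[instanceID]; dup {
		return false
	}
	if _, ok := t.versions[resourceVersion]; !ok {
		cp := make(map[string]string, len(data))
		for k, v := range data {
			cp[k] = v
		}
		t.versions[resourceVersion] = cp
	}
	t.refs[resourceVersion]++
	t.pinned[instanceID] = resourceVersion
	return true
}

// Deprovision returns the pinned values and forgets a version that has no users left.
func (t *Tracker) Deprovision(instanceID string) (map[string]string, bool) {
	rv, ok := t.pinned[instanceID]
	if !ok {
		return nil, false
	}
	data := t.versions[rv]
	delete(t.pinned, instanceID)
	if t.refs[rv]--; t.refs[rv] == 0 {
		delete(t.refs, rv)
		delete(t.versions, rv)
	}
	return data, true
}
func (t *Tracker) Retained() int { return len(t.versions) }

func main() {
	t := NewTracker()
	t.Provision("inst-a", "101", map[string]string{"host": "db-1.example"}) // constructed sample
	data, _ := t.Deprovision("inst-a")
	println(data["host"], t.Retained())
}
```

A real broker would persist these pins alongside its service-instance records rather than in memory, so they survive a broker restart.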

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

/close

@jmrodri: Closing this issue.

In response to this:

/close
