-
Notifications
You must be signed in to change notification settings - Fork 51
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Question: Updated Binding Credentials #66
Comments
Hi, |
Hi there,
Yes, that's it.
You are right, CF does not provide a mechanism to update a binding. However, if the operator kept a mapping between a
|
Thanks for the feedback, we'll raise your request to our PO and try to find appropriate solution to cred rotation. |
Wouldn't it anyway be safer to enforce a Deployment rollout @jkbschmid? If you mount the Secret as directory the container will see the binding credentials updated (which at least was not the case when mounting the Secret as a file), but the application also needs to watch the file system and read the new content. In contrast, if you simply rollout the Deployment with the new Secret, the newly started application process will pick up the new certs automatically. |
@loewenstein I think any kind of Pod restart to make the application re-read binding creds is necessary, no matter if rollout or blue/green. |
Ah, ok @jkbschmid. I think I understand the use case better now. I am not sure who could implement this and how. It is something on the edge between service instance/binding management and workload management. I.e. you must not delete the binding as long as any |
It is important to only delete old bindings after there is no app instance left which uses its credentials. For certificate based credentials this is not critical, but there can still be services with binding level secrets. Those would become invalid in the moment the binding is dropped and cause errors if it is still in use.
In CF this problem is solved as a side effect of how blue green deployment is done by deploy service:
|
I am wondering if the Kubernetes Service Binding Spec could be part of a solution for this. The btp-service-operator The btp-service-operator I am still checking if all my assumptions are correct (see Kubernetes Slack) |
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days. |
I assume this issue is still valid and should not be closed. |
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days. |
I believe this is still relevant. |
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days. |
|
After consulting with our PO, we'll have BLI for 2A for cred rotation. |
I wasn't really reviewing that PR, just being curious as to the solution and the constraints involved. Having placed some thoughts and a little research into it, I am sure there is no easy, straightforward solution anyway. If I understand your reply correctly, the constraint on workloads (or better on workload owners) is that they must not rotate credentials more than once without marking sure all instances of the workload were restarted and had a chance to pick up the new binding secret. I suppose this is the best you can get without requiring coordination with the workloads. But it does indeed sound limited in a sense that fully automated rotation with a given schedule are dangerous and can easily cause outages. |
As I see it, I expect that rotation interval will be months and not minutes or hours so it should be enough.
Isn't it all about? otherwise you can create your own secret, reference workloads to it and copy binding secrets into it using whatever strategy suits you. |
Great to hear you are working on this issue. Thanks, @pavelmaliy ! |
Hi, Rotate the binding directly in SM and override the current binding secret
Introduce new CRD RotatableServiceBinding which will maintain 2 or more bindings underneath and maintain his own secret which will be updated with latest binding (Resembles to user-provided-service in CF)
Thoughts? |
we have the very same problem for the binding rotation and build a small operator for the KLACKS Validation App which handles this for us. https://github.tools.sap/kernelservice-validation/core-binding-rotation ( or https://pages.github.tools.sap/kernelservice-validation/documentation/setup/svc.html#./content/090-ias-credential-rotation/README ) Maybe this is an option until the rotation is part of the operator. BUT - if the operator rotates the binding, you need maybe another operator to do related stuff. e.g. push the cred to the SubscriptionManager...in case you are using the IAS as OSB. |
I see that different approaches are also being discussed here. With the components I mentioned, we follow the approach that we have two valid bindings at a certain time. This is important for us, because at the moment of the invalidation/update of the binding we may establish a connection to the server to which the binding belongs. If we invalidate the binding at this time, the service may reject the connection request. Which happens sometime in our setup (rare). So there is always a short time when a binding is not valid. In our approach, the obsolete binding is deleted only after all consumers are working with the new binding. Thus here never a connection request runs into a HTTP-401 |
Thanks for sharing the drafts, @pavelmaliy !
Regarding option 1): For me the question is how the "rotation interval" is defined, i.e. when will the operator delete bindings. I also think that, in the long run, revocation should be supported. I.e., a consumer should be able to instantly trigger a binding rotation. Adding these features to the existing CRD would make it too complex, that's why I'd prefer option 2 with a separate CRD. |
Hi, Also it's not so nice behavior if I create one CR and get in my namespace multiple Basically the idea is to add additional configuration to
During the transition there will be 2 bindings: Technically what allows this implementation be easy is the cluster recovery flow we have, which in case no bindingID on the status tries to lookup binding in SM and if it's not found, BTP Operator will create new binding in SM.
It should be easy one, we can use some sort of annotation to trigger the rotation right now which will be removed after successful rotation by the operator. Will it fit your requirements? |
That sounds nice to me. There should be some way to learn about when the rotation has happened (maybe a field in the ServiceBinding status?) so that it can be watched/reacted on. Would it be possible for the operator to also trigger an application restart/rollout (the way |
Just a thought on the redundant CR issue. Maybe we could have a |
@loewenstein actually Another problem is that Brokers need user info during binding but the binding created by "ServiceBindingSet" so the user needs to be propagated.
of course this is the plan regarding trigger an application restart/rollout I think not in the first phase, |
that would mean that we would get one secret per ServiceBinding, right? Consequently it would mean that we need to change the secret referenced from the Deployment, that would not be great.
I do agree that restarts/rollouts are not needed in the first phase. Nevertheless no matter whether the binding is exposed via volumeMounts or via the environments a restart of the workload is oftentimes the right thing after the change in bindings (for comparison: Cloud Foundry changes bindings during re-staging) - I think this is only feasible if at maximum the task is to trigger a rollout of a Deployment/StatefulSet, changing the used secrets is likely too complicated. |
No @patrickhuy I agree regarding the monitoring the file system besides I can't control how secrets are consumed and where. |
I agree! I think if the operator would be able to restart Deployments we should list the Deployments for it to restart within the ServiceBinding (probably via a selector?) and it should be limited to the current namespace (because otherwise it makes security considerations harder) |
Hi, |
please take the latest version cred rotation available there |
Hello,
there are some services that require a re-bind after a certain time period to update the service credentials (e.g. for renewing certs).
Does the operator support a mechanism (e.g. via an annotation) to trigger such a re-bind?
In theory, it is possible to create a second binding with a different name, but this would require changing the deployment yaml on each update. That's why it would be much more convenient to have an annotation or similar.
Thank you!
The text was updated successfully, but these errors were encountered: