
The OpenShift documentation has a feature, Exposing Object Fields, that I am struggling to comprehend. When I load my secret I am exposing it as per the documentation. Yet it is unclear from the language of the documentation what the actual mechanism is to bind to the exposed variables. The docs state:

An example response to a bind operation given the above partial template follows:

    {
      "credentials": {
        "username": "foo",
        "password": "YmFy",
        "service_ip_port": "172.30.12.34:8080",
        "uri": "http://route-test.router.default.svc.cluster.local/mypath"
      }
    }

Yet that example isn't helpful, as it's not clear what was bound and how it was bound to actually pick up the exposed variables. What I am hoping it is all about is that the exposed values become ambient and that when I run some other templates into the same project (???) it will automatically resolve (bind) the variables. Then I can decouple secret creation (happening at product creation time) and secret usage (happening when developers populate their project). Am I correct that this feature creates ambient properties and that they are picked up by any template? Are there any examples of using this feature to decouple secret creation from secret usage (i.e. using this feature for segregation of duties)?

I am running Red Hat OCP:

OpenShift Master: v3.5.5.31.24
Kubernetes Master: v1.5.2+43a9be4

simbo1905
  • What version of OpenShift are you using? Has the new service catalog user interface and template service broker been enabled? I suspect that documentation requires the template service broker to be enabled, which is only in preview in 3.6 and not on by default. – Graham Dumpleton Nov 27 '17 at 19:43
  • Version I have updated the question with the versions which is RH OCP: OpenShift Master: v3.5.5.31.24 Kubernetes Master: v1.5.2+43a9be4 – simbo1905 Nov 27 '17 at 19:54
  • Refer to the docs for that version then. https://docs.openshift.com/container-platform/3.5/dev_guide/templates.html You may find they are 3.6+ features and still need template service broker and new service catalog enabled. – Graham Dumpleton Nov 27 '17 at 20:02
  • Yep, this feature is in 3.6, not 3.5. However, the 3.6 docs are still mysterious, so I don't know what or how it is used to decide if I want to upgrade to it. So any pointers to what it is as an answer will allow me to close the question. Thanks! – simbo1905 Nov 27 '17 at 20:05
  • I don't have a simple answer. With the new service broker there is a template service broker to deal with existing OpenShift templates. My assumption is that those annotations relate to specifying what values from the template will be used when you later bind a service (such as a database) to an application which uses it. This act of binding will result in environment variables being added to the deployment config and injected into your application. So it is a more automated way to set environment variables for things like database credentials in your application. – Graham Dumpleton Nov 27 '17 at 22:08
  • Unfortunately the OpenShift interactive learning environment only has a 3.7 preview image so far and template service broker isn't enabled, so the new scenario which shows how the binding is done is not available yet. – Graham Dumpleton Nov 27 '17 at 22:10
  • As @GrahamDumpleton mentions these exposed fields will end up being available as environment variables or as a file on other deploymentconfigs or statefulsets if the template is "bindable". The broker will create a Secret containing the exposed fields. – Ruben Romero May 17 '18 at 09:01
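
The last comment says the exposed fields reach another workload through a Secret, as environment variables or as a file. As an added illustration (not part of the thread or of the OpenShift documentation), this is how a DeploymentConfig consumes an existing Secret using standard Kubernetes fields; the Secret name `myservice-credentials`, the name `consumer` and the image are hypothetical, and the keys are taken from the bind response quoted in the question.

```yaml
# Added illustration: a DeploymentConfig reading a Secret that already exists
# in the same project. "myservice-credentials", "consumer" and the image are
# hypothetical; the keys come from the bind response quoted in the question.
apiVersion: v1
kind: DeploymentConfig
metadata:
  name: consumer
spec:
  replicas: 1
  selector:
    app: consumer
  template:
    metadata:
      labels:
        app: consumer
    spec:
      containers:
      - name: consumer
        image: example/consumer:latest   # placeholder image
        env:
        # Option 1: individual Secret keys injected as environment variables
        - name: SERVICE_USERNAME
          valueFrom:
            secretKeyRef:
              name: myservice-credentials
              key: username
        - name: SERVICE_PASSWORD
          valueFrom:
            secretKeyRef:
              name: myservice-credentials
              key: password
        volumeMounts:
        # Option 2: every key of the Secret as a read-only file
        - name: credentials
          mountPath: /etc/credentials
          readOnly: true
      volumes:
      - name: credentials
        secret:
          secretName: myservice-credentials
```

The consumer references the Secret only by name and key, so the Secret can be created by a different person or template than the one deploying the consumer, provided both live in the same project.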

0 Answers