Cluster Application Resource Mapping

This change adds an extension specification for a cluster-wide mapping
of non-Podspec-able resource types acting as applications.

Signed-off-by: Ben Hale <[email protected]>

Author: nebhale

.gitignore

@@ -1,2 +1 @@
-*.orig.*
-*.toc.*
+.idea

README.md

@@ -57,9 +57,14 @@ Behavior within the project is governed by the [Contributor Covenant Code of Con
   - [Direct Secret Reference](#direct-secret-reference)
     - [Direct Secret Reference Example Resource](#direct-secret-reference-example-resource)
 - [Extensions](#extensions)
+  - [Application Resource Mapping](#application-resource-mapping)
+    - [Resource Type Schema](#resource-type-schema-2)
+    - [Container-based Example Resource](#container-based-example-resource)
+    - [Element-based Example Resource](#element-based-example-resource)
+    - [Reconciler Implementation](#reconciler-implementation-1)
   - [Custom Projection](#custom-projection)
     - [Custom Projection Service Binding Example Resource](#custom-projection-service-binding-example-resource)
-    - [Resource Type Schema](#resource-type-schema-2)
+    - [Resource Type Schema](#resource-type-schema-3)
     - [Service Binding Projection Example Resource](#service-binding-projection-example-resource)
   - [Binding `Secret` Generation Strategies](#binding-secret-generation-strategies)
     - [OLM Operator Descriptors](#olm-operator-descriptors)
@@ -201,7 +206,6 @@ The Service Binding resource **MAY** define `.spec.application.containers`, as a
 - if the value is a string (`${containerString}`), a container or init container matching by name (`.spec.template.spec.containers[?(@.name=='${containerString}')]` or `.spec.template.spec.initContainers[?(@.name=='${containerString}')]`) **MUST** be bound
 - values that do not match a container or init container **SHOULD** be ignored
 
-
 A Service Binding Resource **MAY** define a `.spec.mappings` which is an array of `Mapping` objects.  A `Mapping` object **MUST** define `name` and `value` entries.  The `value` of a `Mapping` **MUST** be handled as a [Go Template][gt] exposing binding `Secret` keys for substitution. The executed output of the template **MUST** be added to the `Secret` exposed to the resource represented by `application` as the key specified by the `name` of the `Mapping`.  If the `name` of a `Mapping` matches that of a Provisioned Service `Secret` key, the value from `Mapping` **MUST** be used for binding.
 
 A Service Binding Resource **MAY** define a `.spec.env` which is an array of `EnvMapping`.  An `EnvMapping` object **MUST** define `name` and `key` entries.  The `key` of an `EnvMapping` **MUST** refer to a binding `Secret` key name including any key defined by a `Mapping`.  The value of this `Secret` entry **MUST** be configured as an environment variable on the resource represented by `application`.
@@ -434,6 +438,98 @@ status:
 
 Extensions are optional additions to the core specification as defined above.  Implementation and support of these specifications are not required in order for a platform to be considered compliant.  However, if the features addressed by these specifications are supported a platform **MUST** be in compliance with the specification that governs that feature.
 
+## Application Resource Mapping
+
+There are scenarios where an application resource is not strictly PodSpec-able but does include the `env`, `volumeMounts`, and `volumes` elements that are required to project a service binding.  This extension defines a mapping of those elements onto any type.  It **MUST** be codified as a concrete resource type with API version `service.binding/v1alpha2` and kind `ClusterApplicationResourceMapping`.  An exemplar CRD can be found [here][cam-crd].
+
+An Application Resource Mapping **MUST** define its name using [CRD syntax][crd-syntax] (`<plural>.<group>`) for the resource that it defines a mapping for.  An Application Resource Mapping **MUST** define a `spec.versions` which is an array of `Version` objects.  A `Version` object must define a `version` entry that represents a version of the mapped resource.  A `Version` object **MAY** define `.containers`, as an array of strings containing [JSONPath][jsonpath], that describes the location of [`Container`][container] entries in the target resource.  A `Version` object **MAY** define `.envs`, as an array of strings containing [JSONPath][jsonpath], that describes the location of [`EnvVar`][envvar] entries in the target resource.  A `Version` object **MAY** define `.volumeMounts`, as an array of strings containing [JSONPath][jsonpath], that describes the location of [`VolumeMount`][volumemount] entries in the target resource.  A `Version` object **MUST** define `.volumes`, as a string containing [JSONPath][jsonpath], that describes the location of [`Volume`][volume] entries in the target resource.
+
+If an Application Resource Mapping defines `containers`, it **MUST NOT** define `envs` and `volumeMounts`.  If an Application resources does not define `containers`, it **MUST** define `envs` and `volumeMounts`.
+
+[cam-crd]: service.binding_clusterapplicationmappings.yaml
+[container]: https://kubernetes.io/docs/reference/kubernetes-api/workloads-resources/container/
+[crd-syntax]: https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#create-a-customresourcedefinition
+[envvar]: https://kubernetes.io/docs/reference/kubernetes-api/workloads-resources/container/#environment-variables
+[jsonpath]: https://kubernetes.io/docs/reference/kubectl/jsonpath/
+[volume]: https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/volume
+[volumemount]: https://kubernetes.io/docs/reference/kubernetes-api/workloads-resources/container/#volumes
+
+### Resource Type Schema
+
+```yaml
+apiVersion: service.binding/v1alpha2
+kind: ClusterApplicationResourceMapping
+metadata:
+  name:                 # string
+  generation:           # int64, defined by the Kubernetes control plane
+  ...
+spec:
+  versions:             # []Version
+  - version:            # string
+    containers:         # []string, optional
+    envs:               # []string, optional
+    volumeMounts:       # []string, optional
+    volumes:            # string
+```
+
+### Container-based Example Resource
+
+```yaml
+apiVersion: service.binding/v1alpha2
+kind: ClusterApplicationResourceMapping
+metadata:
+ name:  cronjobs.batch
+spec:
+  versions:
+  - version: v1beta1
+    containers:
+    - .spec.jobTemplate.spec.template.spec.containers
+    - .spec.jobTemplate.spec.template.spec.initContainers
+    volumes: .spec.jobTemplate.spec.template.spec.volumes
+  - version: v2alpha1
+    containers:
+    - .spec.jobTemplate.spec.template.spec.containers
+    - .spec.jobTemplate.spec.template.spec.initContainers
+    volumes: .spec.jobTemplate.spec.template.spec.volumes
+```
+
+### Element-based Example Resource
+
+```yaml
+apiVersion: service.binding/v1alpha2
+kind: ClusterApplicationResourceMapping
+metadata:
+ name:  cronjobs.batch
+spec:
+  versions:
+  - version: v1beta1
+    env:
+    - .spec.jobTemplate.spec.template.spec.containers[*].env
+    - .spec.jobTemplate.spec.template.spec.initContainers[*].env
+    volumeMounts:
+    - .spec.jobTemplate.spec.template.spec.containers[*].volumeMounts
+    - .spec.jobTemplate.spec.template.spec.initContainers[*].volumeMounts
+    volumes: .spec.jobTemplate.spec.template.spec.volumes
+  - version: v2alpha1
+    env:
+    - .spec.jobTemplate.spec.template.spec.containers[*].env
+    - .spec.jobTemplate.spec.template.spec.initContainers[*].env
+    volumeMounts:
+    - .spec.jobTemplate.spec.template.spec.containers[*].volumeMounts
+    - .spec.jobTemplate.spec.template.spec.initContainers[*].volumeMounts
+    volumes: .spec.jobTemplate.spec.template.spec.volumes
+```
+
+### Reconciler Implementation
+
+A reconciler implementation that supports `ClusterApplicationResourceMapping`s **MUST** support `ServiceBinding` resources that refer to applications that are not PodSpec-able.  If no Application Resource Mapping exists for the `ServiceBinding` application resource type, the reconciliation **MUST** fail.
+
+If a `ClusterApplicationResourceMapping` defines `containers`, the reconciler **MUST** first resolve a set of candidate locations in the application resource addressed by the `ServiceBinding` using the `Container` type (`.env`, `.volumeMounts`) for all available containers and then filter that collection by the `ServiceBinding` `.spec.application.containers` filter before applying the appropriate modification.
+
+If a `ClusterApplicationResourceMapping` defines `env` and `volumeMounts`, the reconciler **MUST** first resolve a set of candidate locations in the application resource addressed by the `ServiceBinding` for all available containers and then filter that collection by the `ServiceBinding` `.spec.application.containers` filter before applying the appropriate modification.
+
+A reconciler **MUST** apply the appropriate modification to the application resource addressed by the `ServiceBinding` as defined by `volumes`.
+
 ## Custom Projection
 
 There are scenarios where the Reconciler that processes a `ServiceBinding` (hereinafter referred to as "Reconciler A") is different than the Reconciler that will project the binding into the Application (hereinafter referred to as "Reconciler B"). To transfer the projection responsibility from Reconciler A to Reconciler B the `ServiceBinding` author **MUST** set the `projection.service.binding/type` annotation to `Custom`.  An exemplar CRD can be found [here][sbp-crd].

internal.service.binding_servicebindingprojections.yaml

@@ -132,8 +132,8 @@ spec:
                 description: Env is the collection of mappings from Secret entries
                   to environment variables
                 items:
-                  description: EnvMapping defines a mapping from
-                    the value of a Secret entry to an environment variable
+                  description: EnvMapping defines a mapping from the value of a Secret
+                    entry to an environment variable
                   properties:
                     key:
                       description: Key is the key in the Secret that will be exposed

internal/service.binding/v1alpha2/cluster_application_resource_mapping.go

@@ -0,0 +1,63 @@
+/*
+ * Copyright 2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package v1alpha2
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// ClusterApplicationResourceMappingVersion defines the mapping for a specific version of an application resource.
+type ClusterApplicationResourceMappingVersion struct {
+	// Version is the version of the application resource that this mapping is for.
+	Version string `json:"version"`
+	// Containers is the collection of JSONPaths that container configuration may be written to.
+	Containers []string `json:"containers,omitempty"`
+	// Envs is the collection of JSONPaths that env configuration may be written to.
+	Envs []string `json:"envs,omitempty"`
+	// VolumeMounts is the collection of JSONPaths that volume mount configuration may be written to.
+	VolumeMounts []string `json:"volumeMounts,omitempty"`
+	// Volumes is the JSONPath that volume configuration must be written to.
+	Volumes string `json:"volumes"`
+}
+
+
+// ClusterApplicationResourceMappingSpec defines the desired state of ClusterApplicationResourceMapping
+type ClusterApplicationResourceMappingSpec struct {
+	// Versions is the collection of versions for a given resource, with mappings.
+	Versions []ClusterApplicationResourceMappingVersion `json:"versions,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:storageversion
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+
+// ClusterApplicationResourceMapping is the Schema for the clusterapplicationresourcemappings API
+type ClusterApplicationResourceMapping struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   ClusterApplicationResourceMappingSpec   `json:"spec,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// ClusterApplicationResourceMappingList contains a list of ClusterApplicationResourceMapping
+type ClusterApplicationResourceMappingList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []ClusterApplicationResourceMapping `json:"items"`
+}

service.binding_clusterapplicationresourcemappings.yaml

@@ -0,0 +1,94 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.3.0
+  creationTimestamp: null
+  name: clusterapplicationresourcemappings.service.binding
+spec:
+  group: service.binding
+  names:
+    kind: ClusterApplicationResourceMapping
+    listKind: ClusterApplicationResourceMappingList
+    plural: clusterapplicationresourcemappings
+    singular: clusterapplicationresourcemapping
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: ClusterApplicationResourceMapping is the Schema for the clusterapplicationresourcemappings
+          API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ClusterApplicationResourceMappingSpec defines the desired
+              state of ClusterApplicationResourceMapping
+            properties:
+              versions:
+                description: Versions is the collection of versions for a given resource,
+                  with mappings.
+                items:
+                  description: ClusterApplicationResourceMappingVersion defines the
+                    mapping for a specific version of an application resource.
+                  properties:
+                    containers:
+                      description: Containers is the collection of JSONPaths that
+                        container configuration may be written to.
+                      items:
+                        type: string
+                      type: array
+                    envs:
+                      description: Envs is the collection of JSONPaths that env configuration
+                        may be written to.
+                      items:
+                        type: string
+                      type: array
+                    version:
+                      description: Version is the version of the application resource
+                        that this mapping is for.
+                      type: string
+                    volumeMounts:
+                      description: VolumeMounts is the collection of JSONPaths that
+                        volume mount configuration may be written to.
+                      items:
+                        type: string
+                      type: array
+                    volumes:
+                      description: Volumes is the JSONPath that volume configuration
+                        must be written to.
+                      type: string
+                  required:
+                  - version
+                  - volumes
+                  type: object
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

service.binding_servicebindings.yaml

@@ -121,8 +121,8 @@ spec:
                 description: Env is the collection of mappings from Secret entries
                   to environment variables
                 items:
-                  description: EnvMapping defines a mapping from the value
-                    of a Secret entry to an environment variable
+                  description: EnvMapping defines a mapping from the value of a Secret
+                    entry to an environment variable
                   properties:
                     key:
                       description: Key is the key in the Secret that will be exposed