New to KubeVault? Please start here.
AppBinding
What is AppBinding
AppBinding CRD provides a way to specify connection information, credential, and parameters that are necessary for communicating with an app/service. In KubeVault operator, AppBinding used to communicate with externally provisioned Vault, database, etc.
An AppBinding
is a Kubernetes CustomResourceDefinition
(CRD) which points to an application using either its URL (usually for a non-Kubernetes resident service instance) or a Kubernetes service object (if self-hosted in a Kubernetes cluster), some optional parameters and a credential secret. To learn more about AppBinding and the problems it solves, please read this blog post: The case for AppBinding.
AppBinding CRD Specification
Like any official Kubernetes resource, an AppBinding
has TypeMeta
, ObjectMeta
and Spec
sections. However, unlike other Kubernetes resources, it does not have a Status
section.
An AppBinding
object created by KubeVault
for a Vault server is shown below,
apiVersion: appcatalog.appscode.com/v1alpha1
kind: AppBinding
metadata:
name: vault-app
namespace: demo
spec:
type: vault
secret:
name: vault-token
clientConfig:
service:
name: vault
port: 8200
scheme: HTTPS
caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN1RENDQWFDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFOTVFzd0NRWURWUVFERXdKallUQWUKRncweE9ERXlNamN3TkRVNU1qVmFGdzB5T0RFeU1qUXdORFU1TWpWYU1BMHhDekFKQmdOVkJBTVRBbU5oTUlJQgpJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBMVhid2wyQ1NNc2VQTU5RRzhMd3dUVWVOCkI1T05oSTlDNzFtdUoyZEZjTTlUc1VDQnlRRk1weUc5dWFvV3J1ZDhtSWpwMVl3MmVIUW5udmoybXRmWGcrWFcKSThCYkJUaUFKMWxMMFE5MlV0a1BLczlXWEt6dTN0SjJUR1hRRDhhbHZhZ0JrR1ViOFJYaUNqK2pnc1p6TDRvQQpNRWszSU9jS0xnMm9ldFZNQ0hwNktpWTBnQkZiUWdJZ1A1TnFwbksrbU02ZTc1ZW5hWEdBK2V1d09FT0YwV0Z2CmxGQmgzSEY5QlBGdTJKbkZQUlpHVDJKajBRR1FNeUxodEY5Tk1pZTdkQnhiTWhRVitvUXp2d1EvaXk1Q2pndXQKeDc3d29HQ2JtM0o4cXRybUg2Tjl6Tlc3WlR0YTdLd05PTmFoSUFEMSsrQm5rc3JvYi9BYWRKT0tMN2dLYndJRApBUUFCb3lNd0lUQU9CZ05WSFE4QkFmOEVCQU1DQXFRd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBTkJna3Foa2lHCjl3MEJBUXNGQUFPQ0FRRUFXeWFsdUt3Wk1COWtZOEU5WkdJcHJkZFQyZnFTd0lEOUQzVjN5anBlaDVCOUZHN1UKSS8wNmpuRVcyaWpESXNHNkFDZzJKOXdyaSttZ2VIa2Y2WFFNWjFwZHRWeDZLVWplWTVnZStzcGdCRTEyR2NPdwpxMUhJb0NrekVBMk5HOGRNRGM4dkQ5WHBQWGwxdW5veWN4Y0VMeFVRSC9PRlc4eHJxNU9vcXVYUkxMMnlKcXNGCmlvM2lJV3EvU09Yajc4MVp6MW5BV1JSNCtSYW1KWjlOcUNjb1Z3b3R6VzI1UWJKWWJ3QzJOSkNENEFwOUtXUjUKU2w2blk3NVMybEdSRENsQkNnN2VRdzcwU25seW5mb3RaTUpKdmFzbStrOWR3U0xtSDh2RDNMMGNGOW5SOENTSgpiTjBiZzczeVlWRHgyY3JRYk0zcko4dUJnY3BsWlRpUy91SXJ2QT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
Here, we are going to describe the sections of an AppBinding
crd that are relevant to KubeVault.
AppBinding Spec
An AppBinding
object has the following fields in the spec
section:
spec.type
spec.type
is an optional field that specifies the type of app.
spec:
type: vault
spec.clientConfig
spec.clientConfig
is a required field that specifies the information to make a connection with an app.
spec:
clientConfig:
service:
name: vault
port: 8200
scheme: HTTPS
caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN1RENDQWFDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFOTVFzd0NRWURWUVFERXdKallUQWUKRncweE9ERXlNamN3TkRVNU1qVmFGdzB5T0RFeU1qUXdORFU1TWpWYU1BMHhDekFKQmdOVkJBTVRBbU5oTUlJQgpJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBMVhid2wyQ1NNc2VQTU5RRzhMd3dUVWVOCkI1T05oSTlDNzFtdUoyZEZjTTlUc1VDQnlRRk1weUc5dWFvV3J1ZDhtSWpwMVl3MmVIUW5udmoybXRmWGcrWFcKSThCYkJUaUFKMWxMMFE5MlV0a1BLczlXWEt6dTN0SjJUR1hRRDhhbHZhZ0JrR1ViOFJYaUNqK2pnc1p6TDRvQQpNRWszSU9jS0xnMm9ldFZNQ0hwNktpWTBnQkZiUWdJZ1A1TnFwbksrbU02ZTc1ZW5hWEdBK2V1d09FT0YwV0Z2CmxGQmgzSEY5QlBGdTJKbkZQUlpHVDJKajBRR1FNeUxodEY5Tk1pZTdkQnhiTWhRVitvUXp2d1EvaXk1Q2pndXQKeDc3d29HQ2JtM0o4cXRybUg2Tjl6Tlc3WlR0YTdLd05PTmFoSUFEMSsrQm5rc3JvYi9BYWRKT0tMN2dLYndJRApBUUFCb3lNd0lUQU9CZ05WSFE4QkFmOEVCQU1DQXFRd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBTkJna3Foa2lHCjl3MEJBUXNGQUFPQ0FRRUFXeWFsdUt3Wk1COWtZOEU5WkdJcHJkZFQyZnFTd0lEOUQzVjN5anBlaDVCOUZHN1UKSS8wNmpuRVcyaWpESXNHNkFDZzJKOXdyaSttZ2VIa2Y2WFFNWjFwZHRWeDZLVWplWTVnZStzcGdCRTEyR2NPdwpxMUhJb0NrekVBMk5HOGRNRGM4dkQ5WHBQWGwxdW5veWN4Y0VMeFVRSC9PRlc4eHJxNU9vcXVYUkxMMnlKcXNGCmlvM2lJV3EvU09Yajc4MVp6MW5BV1JSNCtSYW1KWjlOcUNjb1Z3b3R6VzI1UWJKWWJ3QzJOSkNENEFwOUtXUjUKU2w2blk3NVMybEdSRENsQkNnN2VRdzcwU25seW5mb3RaTUpKdmFzbStrOWR3U0xtSDh2RDNMMGNGOW5SOENTSgpiTjBiZzczeVlWRHgyY3JRYk0zcko4dUJnY3BsWlRpUy91SXJ2QT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
It has following fields:
clientConfig.url
:Optional
. Specifies the location of the app, in standard URL form ([scheme://]host:port/path
).clientConfig.service
:Optional
. Specifies the reference of the Kubernetes service for this app. It has the following fields:service.scheme
:Optional
. Specifies which scheme to use, for example, HTTP, https. If specified, then it will be applied as the prefix in this format:scheme://
. If not specified, then nothing will be prefixed.service.name
:Required
. Specifies the name of the service. Thisservice.name
and AppBinding’s namespace will be used to create app DNS.service.port
:Required
. Specifies the port that will be exposed by this app.service.path
:Optional
. Specifies the URL path which will be sent in any request to this service.service.query
:Optional
. Specifies the encoded query string, without ‘?’ which will be sent in any request to this service.
Note: Either
clientConfig.url
orclientConfig.service
must be specified.
clientConfig.caBundle
:Optional
. Specifies the PEM encoded CA bundle which will be used to validate the serving certificate of this app.clientConfig.insecureSkipTLSVerify
:Optional
. To skip TLS certificate verification when communicating with this app. This is strongly discouraged. You should use theclientConfig.caBundle
instead.
spec.secret
spec.secret
is an optional field that specifies the name of the secret containing credentials associated with AppBinding. It must be in AppBinding’s namespace.
spec:
secret:
name: vault-token
spec.parameters
spce.parameters
is an optional field that specifies the list of parameters to be used to connect to the app. The Parameters field is not secret or secured in any way and should never be used to hold sensitive information.
spec:
parameters:
apiVersion: config.kubevault.com/v1alpha1
kind: VaultServerConfiguration
path: kubernetes
vaultRole: vault-policy-controller
kubernetes:
serviceAccountName: vault
tokenReviewerServiceAccountName: vault-k8s-token-reviewer
usePodServiceAccountForCSIDriver: true
spec.secretTransforms
spec.secretTransforms
is an optional field that contains the list of transformations that should be applied to the credentials associated with the AppBinding before they are inserted into the Secret. For example, the credential secret specified in spec.secret.name
has the key USERNAME
, but the consumer requires the username to be exposed under the key DB_USER
instead. To have the KubeVault operator transform the secret, the following secret transformation must be specified in spec.secretTransforms
.
spec:
secretTransforms:
- renameKey:
from: USERNAME
to: DB_USER
It has the following fields:
secretTransforms[].renameKey
:Optional
. Specifies a transform that renames a credentials secret entry’s key. It has the following fields:renameKey.from
:Required
. Specifies the name of the key to rename.renameKey.to
:Required
. Specifies the new name for the key.
secretTransforms[].addKey
:Optional
. Specifies a transform that adds an additional key to the credentials secret.addKey.key
:Required
. Specifies the name of the key to add.addKey.value
:Required
. Specifies the value (possibly non-binary) to add to the secret under the specified key.addKey.stringValue
:Required
. Specifies the string value to add to the secret under the specified key. If bothaddKey.value
andaddKey.stringValue
are specified, thenaddKey.value
is ignored andaddKey.stringValue
is stored.addKey.jsonPathExpression
:Required
. Specifies the JSONPath expression, the result of which will be added to the Secret under the specified key. For example, given the following credentials:{ "foo": { "bar": "foobar" } }
and the jsonPathExpression{.foo.bar}
, the valuefoobar
will be stored in the credentials secret under the specified key.
secretTransforms[].addKeysFrom
:Optional
. Specifies a transform that merges all the entries of an existing secret into the credentials secret.addKeysFrom.secretRef.name
:Optinal
. Specifies the name of the secret.addKeysFrom.secretRef.namespace
:Optinal
. Specifies the namespace of the secret.
secretTransforms[].removeKey
:Optional
. Specifies a transform that removes a credentials secret entry.removeKey.key
.Required
. Specifies the key to remove from secret.