Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Does parametersFrom work with automatic credential rotation? #431

Closed
lanthoor opened this issue May 9, 2024 · 8 comments
Closed

Does parametersFrom work with automatic credential rotation? #431

lanthoor opened this issue May 9, 2024 · 8 comments

Comments

@lanthoor
Copy link
Member

lanthoor commented May 9, 2024

Premise

I have a ServiceInstance (called instance-a) and its ServiceBinding (called binding-a) that are created using the SAP BTP Service Operator.

apiVersion: services.cloud.sap.com/v1
kind: ServiceInstance
metadata:
  name: instance-a
  namespace: instance-a-namespace
spec:
  serviceOfferingName: service-a
  servicePlanName: plan-a
  externalName: instance-a
  parameters:
    param: value-a

---

apiVersion: services.cloud.sap.com/v1
kind: ServiceBinding
metadata:
  name: binding-a
  namespace: namespace-b
spec:
  serviceInstanceName: instance-a
  serviceInstnaceNamespace: namespace-a
  externalName: binding-a
  secretName: secret-a
  credentialsRotationPolicy:
    enabled: true
    rotationFrequency: 600h
    rotatedBindingTTL: 1680h

I have another ServiceInstance (called instance-b) that uses parametersFrom to read values from the Secret generated from the above ServiceBinding (binding-a).

apiVersion: services.cloud.sap.com/v1
kind: ServiceInstance
metadata:
  name: instance-b
  namespace: namespace-b
spec:
  serviceOfferingName: service-b
  servicePlanName: plan-b
  externalName: instance-b
  parameters:
    param: value-b
  parametersFrom:
    - secretKeyRef:
        name: secret-a
        key: key-a

Question

A new Secret will be created based on the rotation policy I've defined in binding-a and the old one will be moved to a suffixed Secret till TTL expires. Will the ServiceInstance with the name instance-b automatically pick up the new values from the Secret or do we have to perform some action to make it happen?

@kerenlahav
Copy link
Contributor

Hi @lanthoor
The instance will not be updated automatically when the secret changes, you need to update the instance's spec in order to use the new paramerts from the secret.
The is an open feature request about it that is currently being evaluated.
Thanks

@loewenstein
Copy link

I would indeed argue that the btp-service-operator in supporting parametersFrom should watch those secrets for changes and update the instance or binding accordingly.

I can see how this could be breaking and I could also see the use case of keeping the parameters once read from a secret. So this should probably be configurable.

Where could I track the feature request you mentioned?

@kerenlahav
Copy link
Contributor

Copy link

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days.

@github-actions github-actions bot added the Stale label Aug 18, 2024
@MarcusNotheis
Copy link

Feature Request is still open, adding this comment to prevent automatic issue closing.

@github-actions github-actions bot removed the Stale label Aug 23, 2024
@corey-aloia
Copy link

corey-aloia commented Oct 2, 2024

Just to add another use case: I have a saas registry where I want to change the display name. The service instance gets the parameters from a secret like:

  parametersFrom:
  - secretKeyRef:
      key: parameters
      name: my-secret

I was able to actually use the "customTags" section to force an upgrade:

spec:
  customTags:
  - 'checksum/secret: 123'

but this seems like a hack. And it is also not usable due to not owning the charts... was just a poc

Currently it seems that teammates will be tempted to delete the serviceinstances and recreate when wanting to change. Something that may not be possible if having multiple subcribers to a saas registry service

@loewenstein-sap
Copy link

Could you please consider prioritizing this and solve the parametersFrom case. This is not only a problem of service instance interdependencies. Even a simple service instance that needs a confidential parameter cannot be updated at the moment without touching an arbitrary property in the spec of the instance.

@I065450
Copy link
Collaborator

I065450 commented Dec 31, 2024

Added in version v0.7.1:

We have introduced a new field to the serviceInstance resource: watchParametersFromChanges (boolean).

This field determines whether changes to the secret values referenced in parametersFrom should trigger an automatic update of the service instance.

If set to true, any change to the referenced secret values will trigger an update of the service instance.
The default value is false.

Regards,
Naama

@I065450 I065450 closed this as completed Dec 31, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

7 participants