RHOAS Operator Custom Resources

The OpenShift Application Sercvices (RHOAS) Operator manages the following types of Custom Resources (CRs):

CloudServicesRequest
KafkaConnection
CloudServiceAccountRequest

All CRs are namespace-scoped and include Operator-managed conditions. Each CR is described in the sections that follow.

CloudServicesRequest

The CloudServicesRequest CR is used to get a list of available services. The controller for the CR updates the CR with services that are available to the provided access token. These services are listed under the status subresource. For example, the ID of an available Kafka service is used by the KafkaConnection CR.

Example

An example of the CloudServicesRequest CR is shown below.

example.yaml

## Namespaced
apiVersion: rhoas.redhat.com/v1alpha1
kind: CloudServicesRequest
metadata:
  name: namespace-name-kafkas
  namespace: rhoas-operator-testing
  labels:
    app.kubernetes.io/component: external-service
    app.kubernetes.io/managed-by: rhoas
spec:
  accessTokenSecretName: rh-cloud-services-api-accesstoken # see `AcccesTokenSecretValid Condition`
# status:
  ## conditions:
  ## - lastTransitionTime: "2021-03-04T00:41:25.745120Z"
  ##   message: ""
  ##   reason: ""
  ##   status: "True"
  ##   type: AcccesTokenSecretValid
  ##- lastTransitionTime: "2021-03-04T00:41:25.745179Z"
  ##  message: ""
  ##  reason: ""
  ##  status: "True"
  ##  type: Finished
  ##- lastTransitionTime: "2021-03-04T00:41:25.745209Z"
  ##  message: ""
  ##  reason: ""
  ##  status: "True"
  ##  type: UserKafkasUpToDate
  ##lastUpdate: "2021-03-03T22:11:57.691906Z"
  ##userKafkas:
  ##- bootstrapServerHost: example.com
  ##  createdAt: "2021-02-25T10:01:40.888639Z"
  ##  id: 484udj72378YIsdfsdI8378
  ##  name: test-kafka
  ##  owner: elephant_rose
  ##  provider: aws
  ##  region: us-east-1
  ##  status: ready
  ##  updatedAt: "2021-02-25T10:06:03.417238Z"

Specification details

Fields and subresources in the CloudServicesRequest CR are described below.

spec

accessTokenSecretName: Name of the secret that contains an offline access token. The Operator uses this offline token to request a live access token from an authentication service. The live access token, in turn, authenticates with the Cloud Services API. The status field for the AcccesTokenSecretValid condition indicates whether the token was available and successfully exchanged with the authentication service. For more information, see AcccesTokenSecretValid condition.

spec.status

The status subresource has the following properties:

lastUpdate: Last update of the status object, in ISO format
userKafkas: List of available Kafka services

spec.status.userKafkas

The userKafkas status field is a list of userKafka objects. These objects have the following properties:

id: ID field used to reference the service. For more information, see KafkaConnection.
bootstrapServerHost: URL for the service instance
name: Human-readable name for the service instance
provider: Cloud provider that is hosting the service
region: Geographic region in which the service is hosted
owner: Human or organization that owns the service instance
updatedAt: ISO-formatted date that shows when the service instance was updated
createdAt: ISO-formatted date that shows when the service instance was created
status: Human or machine-readable status for the service instance

spec.status.conditions

UserKafkasUpToDate: If the value of the status field is True, then the userKafkas property is up to date, as of lastTransitionTime.
Finished: Indicates whether the Operator has successfully finished processing the CR. For more information, see Finished condition.
AcccesTokenSecretValid: Indicates whether the token specified as a value for the accessTokenSecretName field was available and successfully exchanged with the authentication service. For more information, see AcccesTokenSecretValid condition.

KafkaConnection

The KafkaConnection CR represents a binding between a service account and a managed Kafka instance. The Operator references the service account name using both of these values:

The value of the serviceAccountSecretName field provided by the CloudServiceAccountRequest CR
The value of the kafkaId property for a userKafka instance provided by the CloudServicesRequest CR

Example

An example of the KafkaConnection CR is shown below.

example.yaml

apiVersion: rhoas.redhat.com/v1alpha1
kind: KafkaConnection
metadata:
  name: test-connection
  namespace: rhoas-operator
spec:
  accessTokenSecretName: rh-managed-services-api-accesstoken
  kafkaId: "valid-kafka-id"
  credentials:
    serviceAccountSecretName: service-account-secret
#status:
#  bootstrapServerHost: kafka.example.com:443
#  conditions:
#  - lastTransitionTime: "2021-03-05T02:02:34.828265Z"
#    message: ""
#    reason: ""
#    status: "True"
#    type: AcccesTokenSecretValid
#  - lastTransitionTime: "2021-03-05T02:02:34.828304Z"
#    message: ""
#    reason: ""
#    status: "True"
#    type: FoundKafkaById
#  - lastTransitionTime: "2021-03-05T02:02:34.828329Z"
#    message: ""
#    reason: ""
#    status: "True"
#    type: Finished
#  message: Created
#  saslMechanism: PLAIN
#  securityProtocol: SASL_SSL
#  serviceAccountSecretName: service-account-credentials
#  uiRef: https://console.redhat.com/beta/application-services/openshift-streams/kafkas/valid-kafka-id

Specification details

Fields and subresources in the ` KafkaConnection` CR are described below.

spec

kafkaId: ID of the Kafka instance. For more information, see status.userKafkas in the CloudServicesRequest CR.
credentials: Credentials object to be used when accessing the kafkaId instance. For more information, see the CloudServicesRequest CR.
accessTokenSecretName: Name of the secret that contains an offline access token. The Operator uses this offline token to request a live access token from an authentication service. The live access token, in turn, authenticates with the Cloud Services API. The status field for the AcccesTokenSecretValid condition indicates whether the token was available and successfully exchanged with the authentication service. For more information, see AcccesTokenSecretValid condition.

spec.credentials

serviceAccountSecretName: Name of the secret that contains service account credentials

spec.status

bootstrapServerHost: URL for the bootstrap server of the Kafka instance
uiRef: URL for the UI of the Kafka instance
serviceAccountSecretName: Name of the secret that contains the service account credentials used to connect to the Kafka instance
saslMechanism: Security mechanism used to connect to the Kafka instance. The default value is PLAIN.
securityProtocol: Security protocol used to connect to the Kafka instance. The default value is SSL.

spec.status.conditions

FoundKafkaById: If value is True, then the value of the kafkaId field matches a Kafka instance ID.
Finished: Indicates whether the Operator has successfully finished processing the CR. For more information, see Finished condition.
AcccesTokenSecretValid: Indicates whether the token specified as a value for the accessTokenSecretName field was available and successfully exchanged with the authentication service. For more information, see AcccesTokenSecretValid condition.

ServiceRegistryConnection

The ServiceRegistryConnection CR represents a binding between a service account and a managed Service Registry instance. The Operator references the service account name using both of these values:

The value of the serviceAccountSecretName field provided by the CloudServiceAccountRequest CR
The value of the serviceRegistryId property for a serviceRegistries instance provided by the CloudServicesRequest CR

Example

An example of the ServiceRegistryConnection CR is shown below.

example.yaml

apiVersion: rhoas.redhat.com/v1alpha1
kind: ServiceRegistryConnection
metadata:
  name: test-connection
  namespace: rhoas-operator
spec:
  accessTokenSecretName: rh-managed-services-api-accesstoken
  serviceRegistryId: "valid-service-regsitry-id"
  credentials:
    serviceAccountSecretName: service-account-secret
#status:
#  conditions:
#  - lastTransitionGeneration: 1
#    lastTransitionTime: "2021-12-09T16:42:34.874951655Z"
#    message: ""
#    reason: ""
#    status: "True"
#    type: AcccesTokenSecretValid
#  - lastTransitionGeneration: 1
#    lastTransitionTime: "2021-12-09T16:42:34.874971145Z"
#    message: ""
#    reason: ""
#    status: "True"
#    type: FoundServiceRegistryById
#  - lastTransitionGeneration: 1
#    lastTransitionTime: "2021-12-09T16:42:34.874980304Z"
#    message: ""
#    reason: ""
#    status: "True"
#    type: Finished
#  message: Created
#  metadata:
#    oauthTokenUrl: https://identity.api.openshift.com/auth/realms/rhoas/protocol/openid-connect/token
#    provider: rhoas
#    type: serviceregistry
#  registryUrl: https://bu98.serviceregistry.rhcloud.com/t/ca6b69b3-12be-4ec9-add5-0098567008f5/apis/registry/v2
#  serviceAccountSecretName: rh-cloud-services-service-account
#  updated: "2021-12-09T16:42:34.874851028Z"

Specification details

Fields and subresources in the ServiceRegistryConnection CR are described below.

spec

serviceRegistryId: ID of the Service Registry instance. For more information, see status.serviceRegistries in the CloudServicesRequest CR.
credentials: Credentials object to be used when accessing the kafkaId instance. For more information, see the CloudServicesRequest CR.
accessTokenSecretName: Name of the secret that contains an offline access token. The Operator uses this offline token to request a live access token from an authentication service. The live access token, in turn, authenticates with the Cloud Services API. The status field for the AcccesTokenSecretValid condition indicates whether the token was available and successfully exchanged with the authentication service. For more information, see AcccesTokenSecretValid condition.

spec.credentials

serviceAccountSecretName: Name of the secret that contains service account credentials.

spec.status

registryUrl: URL for the server of the Service Registry instance.
oauthTokenUrl: URL for the token authentication endpoint for the Service Registry instance.
serviceAccountSecretName: Name of the secret that contains the service account credentials used to connect to the Service Registry instance.

spec.status.conditions

FoundServiceRegistryById: If value is True, then the value of the serviceRegistryId field matches a Service Registry instance ID.
Finished: Indicates whether the Operator has successfully finished processing the CR. For more information, see Finished condition.
AcccesTokenSecretValid: Indicates whether the token specified as a value for the accessTokenSecretName field was available and successfully exchanged with the authentication service. For more information, see AcccesTokenSecretValid condition.

CloudServiceAccountRequest

The CloudServiceAccountRequest CR creates service accounts to connect to Kafka instances. Credentials for the service account are stored in a secret. The name of the credentials secret is specified by the value of the serviceAccountSecretName field. For more information about connecting to Kafka instances, see the KafkaConnection CR.

Example

An example of the CloudServiceAccountRequest CR is shown below.

example.yaml

apiVersion: rhoas.redhat.com/v1alpha1
kind: CloudServiceAccountRequest
metadata:
  name: service-account-1
  namespace: rhoas-operator
spec:
  serviceAccountName: "RhoasOperatorServiceAccount"
  serviceAccountDescription: "Operator created service account"

  serviceAccountSecretName: service-account-credentials
  accessTokenSecretName: rh-managed-services-api-accesstoken
status:
  conditions:
  - lastTransitionTime: "2021-03-05T02:06:49.407299Z"
    message: ""
    reason: ""
    status: "True"
    type: AcccesTokenSecretValid
  - lastTransitionTime: "2021-03-05T02:06:49.407330Z"
    message: ""
    reason: ""
    status: "True"
    type: ServiceAccountCreated
  - lastTransitionTime: "2021-03-05T02:06:49.407346Z"
    message: ""
    reason: ""
    status: "True"
    type: ServiceAccountSecretCreated
  - lastTransitionTime: "2021-03-05T02:06:49.407384Z"
    message: ""
    reason: ""
    status: "True"
    type: Finished
  message: Created
  serviceAccountSecretName: service-account-credentials
  updated: "2021-03-05T02:06:49.407249Z"

Format of credentials secret

The Operator creates and manages a secret for the secret account created by the CloudServiceAccountRequest CR. The credentials secret is an opaque secret with the following keys:

client-id: Identifier provided by the service API for the client
client-secret: Secret provided by the service API for the client

Specification details

Fields and subresources in the CloudServiceAccountRequest CR are described below.

spec

serviceAccountName: Name of the service account to be created by the Operator
serviceAccountDescription: Description of the service account to be created by the Operator
serviceAccountSecretName: Name of the secret to be created by the Operator. For more information, see Format of credentials secret.
accessTokenSecretName: Name of the secret that contains an offline access token. The Operator uses this offline token to request a live access token from an authentication service. The live access token, in turn, authenticates with the Cloud Services API. The status field for the AcccesTokenSecretValid condition indicates whether the token was available and successfully exchanged with the authentication service. For more information, see AcccesTokenSecretValid condition.

spec.status

updated: ISO-formatted timestamp that shows when the status was created
serviceAccountSecretName: Secret name that contains the credentials for the service account

spec.status.conditions

ServiceAccountCreated: If the value of this field is True, the Operator successfully created the service account.
ServiceAccountSecretCreated: If the value of this field is True, the Operator successfully created the credentials secret.
Finished: Indicates whether the Operator has successfully finished processing the CR. For more information, see Finished condition.
AcccesTokenSecretValid: Indicates whether the token specified as a value for the accessTokenSecretName field was available and successfully exchanged with the authentication service. For more information, see AcccesTokenSecretValid condition.

Conditions common to all RHOAS Custom Resources

Each CR type managed by the RHOAS Operator has several conditions defined in the status subresource. Some conditions are shared by multiple types and some are type-specific.

Each CR has a condition field that follows the same standard. Conditions are represented as an array of objects. All condition objects have a status value of True, False, or Unknown. When the Operator processes a CR, it first sets the status value of each condition to Unknown. Then, the Operator sets each condition to a value of True as the condition is checked. If a condition fails to check, the Operator sets the status values of the condition and the Finished condition to False. The Operator also updates the reason and message fields with more information.

When a check fails, the Operator halts processing of the CR. The Operator does not check subsequent conditions and their values remain set to Unknown. To resume processing of the CR, you must correct the errors and submit a new CR.

Finished condition

The Operator sets the status value of this condition to True if processing is completed successfully, or False if it is not. The Operator also updates the reason and message fields with more information. The lastTransitionGeneration field records the value of metadata.generation when the condition was set. This condition is included in all of the CRs managed by the RHOAS Operator.

AcccesTokenSecretValid condition

All of the CRs managed by the RHOAS Operator require a value to be specified for the accessTokenSecretName field. This field is the name of an opaque secret with the value key of the secret set to an offline access token. The Operator exchanges this token with an authentication service to get a live access token. The Operator then uses the live access token to perform operations. If this condition has a status value of True, this indicates that the token was available and exchanged. If the status value is False, then there was an error with the accessTokenSecretName property. The Operator updates the reason and message fields with more information.