Accessing the foundational services

The OperandBindInfo API file contains secrets and configmaps, which are provided by the service operators.

The individual service operators create these secrets and configmaps to store data. Secrets and configmaps that have a public scope are accessible from any namespace.

By default, all services are installed in the foundational-services namespace. If you need to access a service from another namespace, you must request the service operator to share the secrets and configmaps. When you create an OperandRequest for a service, the service operator copies the secrets and configmaps to the namespace of the OperandRequest. The service operator combines the operator OperandBindInfo name and the default name of the secret or configmap to create the identity of the secret or configmap that is shared.

If you want the service operator to use a custom secret or configmap name to create the identity, you must add a bindings section in the OperandRequest instance for the service, and set the customized name after secret: and configmap:. If you do not add the bindings section in the OperandRequest instance, the service operator uses the default names.

Following is a sample OperandRequest that has the bindings section for each service. The secret and configmap names in the bindings section are the default names that would be used in the namespace of the OperandRequest. You can update these names based on your requirement. See Bindings customization.

apiVersion: operator.ibm.com/v1alpha1
kind: OperandRequest
metadata:
  name: common-service
  namespace: <your-foundational-services-namespace>
spec:
  requests:
    - operands:
        - name: ibm-cert-manager-operator
        - name: ibm-im-operator
          bindings:
            public-oidc-creds:
              secret: platform-oidc-credentials
            public-auth-creds:
              secret: platform-auth-idp-credentials
            public-auth-cert:
              secret: platform-auth-secret
            public-cam-secret:
              secret: oauth-client-secret
            public-cam-map:
              configmap: oauth-client-map
            public-auth-config:
              configmap: platform-auth-idp
        - name: ibm-events-operator
        - name: ibm-licensing-operator
          bindings:
            public-api-token:
              secret: ibm-licensing-token
            public-api-upload:
              secret: ibm-licensing-upload-token
              configmap: ibm-licensing-upload-config
      registry: common-service

Example OperandRequest with custom name and shared configmap identity

Consider the following ibm-im-operator example, which shows the default configmap name. By using this default configmap name, the ibm-im-operator would generate ibm-iam-bindinfo-oauth-client-map as the identity of the shared configmap.

spec:
  requests:
    - operands:
        - name: ibm-im-operator
          bindings:
            public-cam-map:
              configmap: <custom-name-of-oauth-client-map-configmap>
      registry: common-service
      registryNamespace: <your-foundational-services-namespace>

If you want the configmap oauth-client-map to be named as auth-config in the namespace of your OperandRequest, you can create the following OperandRequest. By using this custom configmap name, the ibm-im-operator would generate ibm-iam-bindinfo-auth-config as the identity of the shared configmap.

spec:
  requests:
    - operands:
        - name: ibm-im-operator
          bindings:
            public-cam-map:
              configmap: auth-config
      registry: common-service
      registryNamespace: <your-foundational-services-namespace>

Bindings customization

You must add these parameters in the OperandRequest instance before you create it. That is, add them when you are defining the OperandRequest API instance. See Installing foundational services in your cluster.

To change the bindings names, add the following bindings section to the OperandRequest before you install a service. The bindings section for each service is provided here.

Note: The operator generates the secrets and configmaps in the following namespaces:

- The names that are mentioned in the **Secret or configmap default name** column of the tables are generated in the `foundational-services` namespace.
- The names that are mentioned in the **Default identity of the shared secret or configmap** column of the tables are copied to your namespace from where you install IBM Common Service Operator.

You can change the bindings names for these operators:

ibm-im-operator

The ibm-im-operator generates the following secrets and configmaps, and uses these default names.

Table 1. ibm-im-operator bindings

| Secret or configmap default name | Description | Default identity of the shared secret or configmap |
| --- | --- | --- |
| platform-oidc-credentials secret | Stores the OAuth client registration secret. | ibm-iam-bindinfo-platform-oidc-credentials |
| platform-auth-idp-credentials secret | Stores the default admin username and password. | ibm-iam-bindinfo-platform-auth-idp-credentials |
| platform-auth-secret secret | Stores the token signing certificate. | ibm-iam-bindinfo-platform-auth-secret |
| oauth-client-secret secret | Stores the OAuth client registration secret and the default admin username. | ibm-iam-bindinfo-oauth-client-secret |
| oauth-client-map configmap | Stores the cluster domain name, master IP address, and proxy IP address. | ibm-iam-bindinfo-oauth-client-map |
| platform-auth-idp configmap | Stores the Identity Management (IM) configuration settings. | ibm-iam-bindinfo-platform-auth-idp |
| ibmcloud-cluster-info configmap | Provides the cluster access information | ibm-iam-ibmcloud-cluster-info |

Bindings for the ibm-im-operator

spec:
  requests:
    - operands:
        - name: ibm-im-operator
          bindings:
            public-oidc-creds:
              secret: <custom-name-of-platform-oidc-credentials-secret>
            public-auth-creds:
              secret: <custom-name-of-platform-auth-idp-credentials-secret>
            public-auth-cert:
              secret: <custom-name-of-platform-auth-secret>
            public-cam-secret:
              secret: <custom-name-of-oauth-client-secret>
            public-cam-map:
              configmap: <custom-name-of-oauth-client-map-configmap>
            public-auth-config:
              configmap: <custom-name-of-platform-auth-idp-configmap>
      registry: common-service
      registryNamespace: <your-foundational-services-namespace>

ibm-licensing-operator

The ibm-licensing-operator generates the following secrets and configmaps, and uses these default names.

Table 2. ibm-licensing-operator bindings

| Secret or configmap default name | Description | Default identity of the shared secret or configmap |
| --- | --- | --- |
| ibm-licensing-token secret | Contains an API token and is used to request License Service for reporting license usage. | ibm-licensing-bindinfo-ibm-licensing-token |
| ibm-licensing-upload-token secret | Contains an API token and is used to integrate with License Service to upload the non-Virtual-Processor-Core license usage data. | ibm-licensing-bindinfo-ibm-licensing-upload-token |
| ibm-licensing-upload-config configmap | Contains the API URL and is used to integrate with License Service to upload the non-Virtual-Processor-Core license usage data. | ibm-licensing-bindinfo-ibm-licensing-upload-config |
| ibm-licensing-info configmap | Contains the API URL and is used to request License Service for reporting license usage. | ibm-licensing-bindinfo-ibm-licensing-info |

Bindings for the ibm-licensing-operator

spec:
  requests:
    - operands:
        - name: ibm-licensing-operator
          bindings:
            public-api-data:
              secret: <custom-name-of-ibm-licensing-token-secret>
              configmap: <custom-name-of-ibm-licensing-info-configmap>
            public-api-token:
              secret: <custom-name-of-ibm-licensing-token-secret>
            public-api-upload:
              secret: <custom-name-of-ibm-licensing-upload-token-secret>
              configmap: <custom-name-of-ibm-licensing-upload-config-configmap>
      registry: common-service
      registryNamespace: <your-foundational-services-namespace>
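
The naming rule and the two tables above can be turned into a namespace audit. The following Python is an added example, not part of the IBM documentation or operator code: it predicts the shared identities that an OperandRequest should produce and flags bindinfo-prefixed secrets or configmaps in the namespace that no binding accounts for. It assumes that the OperandBindInfo names are the prefixes seen in the tables (ibm-iam-bindinfo, ibm-licensing-bindinfo), that a binding without a custom name uses its default, and that the request and the namespace listing are supplied as Python data; the team-a namespace and the sample request are constructed.

```python
# OperandBindInfo name per operator, read off the identities in the tables (assumption).
BINDINFO = {"ibm-im-operator": "ibm-iam-bindinfo",
            "ibm-licensing-operator": "ibm-licensing-bindinfo"}

# Binding key -> {kind: default name}, copied from the page's bindings sections.
DEFAULTS = {
    "ibm-im-operator": {
        "public-oidc-creds": {"secret": "platform-oidc-credentials"},
        "public-auth-creds": {"secret": "platform-auth-idp-credentials"},
        "public-auth-cert": {"secret": "platform-auth-secret"},
        "public-cam-secret": {"secret": "oauth-client-secret"},
        "public-cam-map": {"configmap": "oauth-client-map"},
        "public-auth-config": {"configmap": "platform-auth-idp"}},
    "ibm-licensing-operator": {
        "public-api-data": {"secret": "ibm-licensing-token",
                            "configmap": "ibm-licensing-info"},
        "public-api-token": {"secret": "ibm-licensing-token"},
        "public-api-upload": {"secret": "ibm-licensing-upload-token",
                              "configmap": "ibm-licensing-upload-config"}},
}

def expected_identities(operand_request):
    """Set of (kind, identity) the request should yield in its namespace.
    Assumption: a binding key with no custom name falls back to its default."""
    out = set()
    for req in operand_request["spec"]["requests"]:
        for operand in req["operands"]:
            op = operand["name"]
            custom = operand.get("bindings") or {}
            for key, kinds in DEFAULTS.get(op, {}).items():
                for kind, default in kinds.items():
                    name = (custom.get(key) or {}).get(kind, default)
                    out.add((kind, f"{BINDINFO[op]}-{name}"))
    return out

def audit(operand_request, present):
    """present: set of (kind, name) found in the request's namespace.
    Returns (missing, unexplained); unexplained are bindinfo-prefixed
    objects that no binding in the request accounts for."""
    expected = expected_identities(operand_request)
    prefixes = tuple(p + "-" for p in BINDINFO.values())
    shared = {o for o in present if o[1].startswith(prefixes)}
    return sorted(expected - shared), sorted(shared - expected)

# Constructed sample: the page's custom-name example (oauth-client-map -> auth-config).
SAMPLE_REQUEST = {"metadata": {"namespace": "team-a"}, "spec": {"requests": [{
    "registry": "common-service",
    "operands": [{"name": "ibm-im-operator",
                  "bindings": {"public-cam-map": {"configmap": "auth-config"}}}]}]}}
```

An unexplained entry, such as a leftover ibm-iam-bindinfo-oauth-client-map after the binding was renamed, is a copy of foundational-services data that the current request no longer justifies and is worth reviewing before it is removed.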