Accessing the foundational services
The `OperandBindInfo` API file contains secrets and configmaps, which are provided by the service operators.
The individual service operators create these secrets and configmaps to store data. Secrets and configmaps that have a public scope are accessible from any namespace.
By default, all services are installed in the `foundational-services` namespace. If you need to access a service from another namespace, you must request the service operator to share the secrets and configmaps. When you create an `OperandRequest` for a service, the service operator copies the secrets and configmaps to the namespace of the `OperandRequest`. The service operator combines the operator `OperandBindInfo` name and the default name of the secret or configmap to create the identity of the secret or configmap that is shared.
If you want the service operator to use a custom secret or configmap name to create the identity, you must add a `bindings` section in the `OperandRequest` instance for the service, and set the customized name after `secret:` and `configmap:`. If you do not add the `bindings` section in the `OperandRequest` instance, the service operator uses the default names.
- Example OperandRequest with default bindings
- Bindings customization
- ibm-im-operator
- ibm-licensing-operator
Example OperandRequest with default bindings
Following is a sample `OperandRequest` that has the `bindings` section for each service. The secret and configmap names in the `bindings` section are the default names that would be used in the namespace of the `OperandRequest`.
You can update these names based on your requirement. See Bindings customization.
```yaml
apiVersion: operator.ibm.com/v1alpha1
kind: OperandRequest
metadata:
  name: common-service
  namespace: <your-foundational-services-namespace>
spec:
  requests:
    - operands:
        - name: ibm-cert-manager-operator
        - name: ibm-im-operator
          bindings:
            public-oidc-creds:
              secret: platform-oidc-credentials
            public-auth-creds:
              secret: platform-auth-idp-credentials
            public-auth-cert:
              secret: platform-auth-secret
            public-cam-secret:
              secret: oauth-client-secret
            public-cam-map:
              configmap: oauth-client-map
            public-auth-config:
              configmap: platform-auth-idp
        - name: ibm-events-operator
        - name: ibm-licensing-operator
          bindings:
            public-api-token:
              secret: ibm-licensing-token
            public-api-upload:
              secret: ibm-licensing-upload-token
              configmap: ibm-licensing-upload-config
      registry: common-service
```
Example OperandRequest with custom name and shared configmap identity
Consider the following `ibm-im-operator` example, which shows the default configmap name. By using this default configmap name, the `ibm-im-operator` would generate `ibm-iam-bindinfo-oauth-client-map` as the identity of the shared configmap.
```yaml
spec:
  requests:
    - operands:
        - name: ibm-im-operator
          bindings:
            public-cam-map:
              configmap: <custom-name-of-oauth-client-map-configmap>
      registry: common-service
      registryNamespace: <your-foundational-services-namespace>
```
If you want the configmap `oauth-client-map` to be named as `auth-config` in the namespace of your `OperandRequest`, you can create the following `OperandRequest`. By using this custom configmap name, the `ibm-im-operator` would generate `ibm-iam-bindinfo-auth-config` as the identity of the shared configmap.
```yaml
spec:
  requests:
    - operands:
        - name: ibm-im-operator
          bindings:
            public-cam-map:
              configmap: auth-config
      registry: common-service
      registryNamespace: <your-foundational-services-namespace>
```
Bindings customization
You must add these parameters in the `OperandRequest` instance before you create it. That is, add them when you are defining the `OperandRequest` API instance. See Installing foundational services in your cluster.
To change the bindings names, add the following `bindings` section to the `OperandRequest` before you install a service. The `bindings` section for each service is provided here.
Note: The operator generates the secrets and configmaps in the following namespaces:
- The names that are mentioned in the **Secret or configmap default name** column of the tables are generated in the `foundational-services` namespace.
- The names that are mentioned in the **Default identity of the shared secret or configmap** column of the tables are copied to your namespace from where you install IBM Common Service Operator.
You can change the bindings names for these operators:
ibm-im-operator
The `ibm-im-operator` generates the following secrets and configmaps, and uses these default names.
Secret or configmap default name | Description | Default identity of the shared secret or configmap |
---|---|---|
platform-oidc-credentials secret | Stores the OAuth client registration secret. | ibm-iam-bindinfo-platform-oidc-credentials |
platform-auth-idp-credentials secret | Stores the default admin username and password. | ibm-iam-bindinfo-platform-auth-idp-credentials |
platform-auth-secret secret | Stores the token signing certificate. | ibm-iam-bindinfo-platform-auth-secret |
oauth-client-secret secret | Stores the OAuth client registration secret and the default admin username. | ibm-iam-bindinfo-oauth-client-secret |
oauth-client-map configmap | Stores the cluster domain name, master IP address, and proxy IP address. | ibm-iam-bindinfo-oauth-client-map |
platform-auth-idp configmap | Stores the Identity Management (IM) configuration settings. | ibm-iam-bindinfo-platform-auth-idp |
ibmcloud-cluster-info configmap | Provides the cluster access information. | ibm-iam-ibmcloud-cluster-info |
Bindings for the ibm-im-operator
```yaml
spec:
  requests:
    - operands:
        - name: ibm-im-operator
          bindings:
            public-oidc-creds:
              secret: <custom-name-of-platform-oidc-credentials-secret>
            public-auth-creds:
              secret: <custom-name-of-platform-auth-idp-credentials-secret>
            public-auth-cert:
              secret: <custom-name-of-platform-auth-secret>
            public-cam-secret:
              secret: <custom-name-of-oauth-client-secret>
            public-cam-map:
              configmap: <custom-name-of-oauth-client-map-configmap>
            public-auth-config:
              configmap: <custom-name-of-platform-auth-idp-configmap>
      registry: common-service
      registryNamespace: <your-foundational-services-namespace>
```
ibm-licensing-operator
The `ibm-licensing-operator` generates the following secrets and configmaps, and uses these default names.
Secret or configmap default name | Description | Default identity of the shared secret or configmap |
---|---|---|
ibm-licensing-token secret | Contains an API token and is used to request License Service for reporting license usage. | ibm-licensing-bindinfo-ibm-licensing-token |
ibm-licensing-upload-token secret | Contains an API token and is used to integrate with License Service to upload the non-Virtual-Processor-Core license usage data. | ibm-licensing-bindinfo-ibm-licensing-upload-token |
ibm-licensing-upload-config configmap | Contains the API URL and is used to integrate with License Service to upload the non-Virtual-Processor-Core license usage data. | ibm-licensing-bindinfo-ibm-licensing-upload-config |
ibm-licensing-info configmap | Contains the API URL and is used to request License Service for reporting license usage. | ibm-licensing-bindinfo-ibm-licensing-info |
Bindings for the ibm-licensing-operator
```yaml
spec:
  requests:
    - operands:
        - name: ibm-licensing-operator
          bindings:
            public-api-data:
              secret: <custom-name-of-ibm-licensing-token-secret>
              configmap: <custom-name-of-ibm-licensing-info-configmap>
            public-api-token:
              secret: <custom-name-of-ibm-licensing-token-secret>
            public-api-upload:
              secret: <custom-name-of-ibm-licensing-upload-token-secret>
              configmap: <custom-name-of-ibm-licensing-upload-config-configmap>
      registry: common-service
      registryNamespace: <your-foundational-services-namespace>
```
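Because an `OperandRequest` causes credential-bearing secrets to be copied into its namespace, it helps to know in advance which object names will appear there. The following is an added example, not IBM code: it applies the naming rule and default names from this page to an `OperandRequest` written as a Python dict. The function names and the sample request are constructed for illustration, and it assumes that a binding left out of a partial `bindings` section keeps its default name.

```python
# Added example (not IBM code): predict the shared secret and configmap
# identities that an OperandRequest produces in its own namespace.

# OperandBindInfo names, read off the identity columns of this page's tables.
BINDINFO = {
    "ibm-im-operator": "ibm-iam-bindinfo",
    "ibm-licensing-operator": "ibm-licensing-bindinfo",
}
# Default bindings per operand, as listed in this page's bindings sections.
DEFAULTS = {
    "ibm-im-operator": {
        "public-oidc-creds": {"secret": "platform-oidc-credentials"},
        "public-auth-creds": {"secret": "platform-auth-idp-credentials"},
        "public-auth-cert": {"secret": "platform-auth-secret"},
        "public-cam-secret": {"secret": "oauth-client-secret"},
        "public-cam-map": {"configmap": "oauth-client-map"},
        "public-auth-config": {"configmap": "platform-auth-idp"},
    },
    "ibm-licensing-operator": {
        "public-api-data": {"secret": "ibm-licensing-token",
                            "configmap": "ibm-licensing-info"},
        "public-api-token": {"secret": "ibm-licensing-token"},
        "public-api-upload": {"secret": "ibm-licensing-upload-token",
                              "configmap": "ibm-licensing-upload-config"},
    },
}

def shared_identities(operand_request):
    """Return sorted (kind, identity) pairs expected in the request namespace."""
    found = set()
    for request in operand_request["spec"]["requests"]:
        for operand in request["operands"]:
            prefix = BINDINFO.get(operand["name"])
            if prefix is None:
                continue  # this page documents no bindings for the operand
            custom = operand.get("bindings") or {}
            for key, default in DEFAULTS[operand["name"]].items():
                # Assumption: fields left out of bindings keep their defaults.
                target = {**default, **(custom.get(key) or {})}
                for kind, name in target.items():
                    found.add((kind, f"{prefix}-{name}"))
    return sorted(found)

def shared_secrets(operand_request):
    """Names of the copied Secret objects, the ones to scope read access to."""
    return [n for kind, n in shared_identities(operand_request) if kind == "secret"]

# Constructed sample: the page's custom-name request plus a default operand.
SAMPLE = {"spec": {"requests": [{"registry": "common-service", "operands": [
    {"name": "ibm-cert-manager-operator"},
    {"name": "ibm-im-operator",
     "bindings": {"public-cam-map": {"configmap": "auth-config"}}},
    {"name": "ibm-licensing-operator"},
]}]}}
```

The list returned by `shared_secrets` can be used as the `resourceNames` of a namespaced Role so that only the workloads that need a copied credential can read it.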