Use different attributes in your ServiceBinding resource to generate different formats of your Secret resources.
Secret resources share a common set of basic parameters that can be divided into two categories:
-
Credentials returned from the service broker that allow your application to access and consume an SAP BTP service.
-
Attributes of the associated service instance: The details of the service instance itself.
However, the Secret resources can come in various formats:
-
Default key-value pairs
-
A JSON object
-
One JSON object with credentials and service information
-
Custom formats
If you do not use any of the attributes, the generated Secret is by default in the key-value pair format, as in the following examples:
-
Service binding
apiVersion: services.cloud.sap.com/v1 kind: ServiceBinding metadata: name: {BINDING_NAME} spec: serviceInstanceName: {SERVICE_INSTANCE_NAME} -
Secret
apiVersion: v1 metadata: name: {BINDING_NAME} kind: Secret data: url: {URL} client_id: {CLIENT_ID} client_secret: {CLIENT_SECRET} instance_guid: {SERVICE_INSTANCE_ID} instance_name: {SERVICE_INSTANCE_NAME} plan: {SERVICE_PLAN_NAME} type: {SERVICE_OFFERING_NAME}
To show credentials that the service broker returns within the Secret resource as a JSON object, use the secretKey attribute in the service binding spec. The value of the secretKey is the name of the key that stores the credentials. The credentials are represented in both formats: YAML or JSON.
See the following examples:
-
Service binding
apiVersion: services.cloud.sap.com/v1 kind: ServiceBinding metadata: name: {BINDING_NAME} spec: serviceInstanceName: {SERVICE_INSTANCE_NAME} secretKey: myCredentials -
Secret
apiVersion: v1 kind: Secret metadata: name: {BINDING_NAME} data: myCredentials: url: {URL} client_id: {CLIENT_ID}, client_secret: {CLIENT_SECRET} instance_guid: {SERVICE_INSTANCE_ID} instance_name: {SERVICE_INSTANCE_NAME} plan: {SERVICE_PLAN_NAME} type: {SERVICE_OFFERING_NAME}
To show both credentials returned from the service broker and additional service instance attributes as a JSON object, use the secretRootKey attribute in the service binding spec.
The secretRootKey value is the name of the key that stores both credentials and service instance info. The credentials are represented in both formats: YAML or JSON.
See the following examples:
-
Service binding
apiVersion: services.cloud.sap.com/v1 kind: ServiceBinding metadata: name: {BINDING_NAME} spec: serviceInstanceName: {SERVICE_INSTANCE_NAME} secretRootKey: myCredentialsAndInstance -
Secret
apiVersion: v1 kind: Secret metadata: name: {BINDING_NAME} data: myCredentialsAndInstance: url: {URL} client_id: {CLIENT_ID} client_secret: {CLIENT_SECRET} instance_guid: {SERVICE_INSTANCE_ID} instance_name: {SERVICE_INSTANCE_NAME} plan: {SERVICE_PLAN_NAME} type: {SERVICE_OFFERING_NAME}
For additional flexibility, model the Secret resources according to your needs. To generate a custom-formatted Secret, use the secretTemplate attribute in the service binding spec. This attribute expects a Go template as its value. For more information, see Go Templates.
Ensure the template is in the YAML format and has the structure of a Kubernetes Secret.
In the provided Secret, you can customize the metadata and data sections with the following options:
-
metadata: labels and annotations -
data: customize or utilize one of the available formatting options listed in the Context section
If you customize
data, it takes precedence over the provided predefined formats.
The provided templates are executed on a map with the following available attributes:
Custom Formatting Parameters
|
Reference |
Description |
|---|---|
|
|
The service instance ID. |
|
|
The service instance name. |
|
|
The name of the service plan used to create this service instance. |
|
|
The name of the associated service offering. |
|
|
The content of the credentials depends on a service. For more details, refer to the documentation of the service you're using. |
|
|
The service offering name. |
The following examples demonstrate the service binding and generated Secret resources:
-
In a service binding with customized
metadataanddatasections, you specify both metadata and data in thesecretTemplate:-
Service binding
apiVersion: services.cloud.sap.com/v1 kind: ServiceBinding metadata: name: {BINDING_NAME} spec: serviceInstanceName: {SERVICE_INSTANCE_NAME} secretTemplate: | apiVersion: v1 kind: Secret metadata: labels: service_plan: {{ .instance.plan }} annotations: instance: {{ .instance.instance_name }} data: USERNAME: {{ .credentials.client_id }} PASSWORD: {{ .credentials.client_secret }} -
Secret
apiVersion: v1 kind: Secret metadata: labels: service_plan: {SERVICE_PLAN_NAME} annotations: instance: {SERVICE_INSTANCE_NAME} data: USERNAME: {CLIENT_ID} PASSWORD: {CLIENT_SECRET}
-
-
In a binding with a customized
metadatasection and applied preexisting formatting option fordatawith credentials as a JSON object, you omitdatafrom thesecretTemplateand use thesecretKeyto format yourdatainstead:-
Service binding
apiVersion: services.cloud.sap.com/v1 kind: ServiceBinding metadata: name: {BINDING_NAME} spec: serviceInstanceName: {SERVICE_INSTANCE_NAME} secretKey: myCredentials secretTemplate: | apiVersion: v1 kind: Secret metadata: labels: service_plan: {{ .instance.plan }} annotations: instance: {{ .instance.instance_name }} -
Secret
apiVersion: v1 kind: Secret metadata: labels: service_plan: {SERVICE_PLAN_NAME} annotations: instance: {SERVICE_INSTANCE_NAME} data: myCredentials: url: {URL} client_id: {CLIENT_ID} client_secret: {CLIENT_SECRET} instance_guid: {SERVICE_INSTANCE_ID} instance_name: {SERVICE_INSTANCE_NAME} plan: {SERVICE_PLAN_NAME} type: {SERVICE_OFFERING_NAME}
-