SecretBinding Provider Controller
This page describes how to enable the SecretBinding provider controller.
With Gardener v1.38.0 the SecretBinding resource contains a new optional field `.provider.type` (details about the motivation can be found in https://github.com/gardener/gardener/issues/4888). To automate setting the new field and afterwards enforce validation on it in a backwards-compatible manner, Gardener features the SecretBinding provider controller and the `SecretBindingProviderValidation` feature gate.
A Gardener landscape operator can follow these steps:

1. Enable the SecretBinding provider controller of the Gardener Controller Manager.

   The SecretBinding provider controller is responsible for populating the `.provider.type` field of a SecretBinding based on its current usage by Shoot resources. For example, if a Shoot with `.provider.type=aws` is using a SecretBinding `my-secret-binding`, then the SecretBinding provider controller will set the `.provider.type` field of the SecretBinding to the same provider type (`aws`). To enable the SecretBinding provider controller, in the ControllerManagerConfiguration set the `controller.secretBindingProvider.concurrentSyncs` field (e.g. set it to `5`). Although it is not recommended, the API allows Shoots of different provider types to reference the same SecretBinding (assuming that the backing Secret contains data for both provider types). To preserve backwards compatibility for such SecretBindings, the provider controller will maintain multiple provider types in the field (it will join them with the separator `,`, for example

2. Disable the SecretBinding provider controller and enable the `SecretBindingProviderValidation` feature gate of the Gardener API server.

   The `SecretBindingProviderValidation` feature gate of the Gardener API server enables a set of validations for the SecretBinding provider field. It forbids creating a Shoot whose provider type differs from the one of the referenced SecretBinding. It also enforces immutability on the field. After making sure that the SecretBinding provider controller is enabled and has populated the `.provider.type` field of the majority of SecretBindings on a Gardener landscape (SecretBindings that are unused will have their provider type unset), a Gardener landscape operator has to disable the SecretBinding provider controller and enable the `SecretBindingProviderValidation` feature gate of the Gardener API server. To disable the SecretBinding provider controller, in the ControllerManagerConfiguration set the `controller.secretBindingProvider.concurrentSyncs` field
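As an added illustration of the two behaviours described above (example code written for this page, not code from Gardener itself), the following Go snippet models how the provider controller derives `.provider.type` from the Shoots referencing a SecretBinding, including the `,`-joined multi-provider case, and the checks that the `SecretBindingProviderValidation` feature gate enforces. The `Shoot` and `SecretBinding` structs, the namespace `garden-dev` and the Shoot names are constructed stand-ins, not the real API types.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Minimal stand-ins for the Gardener objects (constructed for this example, not the real API types).
type Shoot struct{ Name, Namespace, SecretBindingName, ProviderType string }
type SecretBinding struct{ Name, Namespace, ProviderType string }

// ComputeProviderType mirrors the provider controller: gather the provider types of all Shoots
// referencing the SecretBinding, joined with "," when there are several; unused bindings stay "".
func ComputeProviderType(sb SecretBinding, shoots []Shoot) string {
	seen := map[string]bool{}
	for _, s := range shoots {
		if s.Namespace == sb.Namespace && s.SecretBindingName == sb.Name {
			seen[s.ProviderType] = true
		}
	}
	types := make([]string, 0, len(seen))
	for t := range seen {
		types = append(types, t)
	}
	sort.Strings(types) // deterministic order so repeated reconciles do not flip the value
	return strings.Join(types, ",")
}

// ValidateShoot models the SecretBindingProviderValidation gate: the Shoot's provider type
// must be one of the SecretBinding's ","-joined provider types.
func ValidateShoot(s Shoot, sb SecretBinding) error {
	for _, t := range strings.Split(sb.ProviderType, ",") {
		if t == s.ProviderType {
			return nil
		}
	}
	return fmt.Errorf("shoot %q (%s) may not reference SecretBinding %q (%s)", s.Name, s.ProviderType, sb.Name, sb.ProviderType)
}

// ValidateProviderTypeUpdate models the gate's immutability rule: a populated .provider.type
// may not change afterwards; populating an empty field is still allowed.
func ValidateProviderTypeUpdate(oldSB, newSB SecretBinding) error {
	if oldSB.ProviderType != "" && oldSB.ProviderType != newSB.ProviderType {
		return fmt.Errorf("provider type of SecretBinding %q is immutable", oldSB.Name)
	}
	return nil
}
```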
- Gardener v1.38: The SecretBinding resource has a new optional field `.provider.type`. The SecretBinding provider controller is disabled by default. The `SecretBindingProviderValidation` feature gate of the Gardener API server is disabled by default.
- Gardener v1.42: The SecretBinding provider controller is enabled by default.