Gardener

Appearance

SecretBinding to CredentialsBinding Migration

With the introduction of the CredentialsBinding resource a new way of referencing credentials through the Shoot was created. While SecretBindings can only reference Secrets, CredentialsBindings can also reference WorkloadIdentitys which provide an alternative authentication method. WorkloadIdentitys do not directly contain credentials but are rather a representation of the workload that is going to access the user's account.

As CredentialsBindings cover the functionality of SecretBindings, the latter are considered legacy and will be deprecated in the future. This incurs the need for migration from SecretBinding to CredentialsBinding resources.

NOTE

Mind that the migration will be allowed only if the old SecretBinding and the new CredentialsBinding refer to the same exact Secret. One cannot do a direct migration to a CredentialsBinding that reference a WorkloadIdentity. For information on how to use WorkloadIdentity, please refer to the following document.

Migration Path

A standard use of SecretBinding can look like the following example.

yaml
apiVersion: core.gardener.cloud/v1beta1
kind: SecretBinding
metadata:
  name: infrastructure-credentials
  namespace: garden-proj
provider:
  type: foo-provider
secretRef:
  name: infrastructure-credentials-secret
  namespace: garden-proj
---
apiVersion: core.gardener.cloud/v1beta1
kind: Shoot
metadata:
  name: bar
  namespace: garden-proj
spec:
  secretBindingName: infrastructure-credentials
  ...

In order to migrate to CredentialsBinding one should:

  1. Create a CredentialsBinding resource corresponding to the existing SecretBinding. The main difference is that we set the kind and apiVersion of the credentials that the CredentialsBinding is referencing.

    yaml
    apiVersion: security.gardener.cloud/v1alpha1
kind: CredentialsBinding
metadata:
  name: infrastructure-credentials
  namespace: garden-proj
credentialsRef:
  apiVersion: v1
  kind: Secret
  name: infrastructure-credentials-secret
  namespace: garden-proj
provider:
  type: foo-provider

  2. Replace secretBindingName with credentialsBindingName in the Shoot spec.

    yaml
    apiVersion: core.gardener.cloud/v1beta1
kind: Shoot
metadata:
  name: bar
  namespace: garden-proj
spec:
  credentialsBindingName: infrastructure-credentials
  ...
EU and German government funding logos

Funded by the European Union – NextGenerationEU.

The views and opinions expressed are solely those of the author(s) and do not necessarily reflect the views of the European Union or the European Commission. Neither the European Union nor the European Commission can be held responsible for them.

Copyright © Linux Foundation Europe.

SecretBinding to CredentialsBinding Migration | Gardener is a project of NeoNephos Foundation. For applicable policies including privacy policy, terms of use and trademark usage guidelines, please see https://linuxfoundation.eu. Linux is a registered trademark of Linus Torvalds.
Terms of Use|Privacy Statement|Legal Disclosure