Accessing the foundational services

The OperandBindInfo API file contains secrets and configmaps, which are provided by the service operators.

The individual service operators create these secrets and configmaps to store data. Secrets and configmaps that have a public scope are accessible from any namespace.

By default, all services are installed in the ibm-common-services namespace. If you need to access a service from another namespace, you must request the service operator to share the secrets and configmaps. When you create an OperandRequest for a service, the service operator copies the secrets and configmaps to the namespace of the OperandRequest. The service operator combines the operator OperandBindInfo name and the default name of the secret or configmap to create the identity of the secret or configmap that is shared.

If you want the service operator to use a custom secret or configmap name to create the identity, you must add a bindings section in the OperandRequest instance for the service, and set the customized name after secret: and configmap:. If you do not add the bindings section in the OperandRequest instance, the service operator uses the default names.

Example OperandRequest with default bindings

Following is a sample OperandRequest that has the bindings section for each service. The secret and configmap names in the bindings section are the default names that would be used in the namespace of the OperandRequest. You can update these names based on your requirements. See Bindings customization.

apiVersion: operator.ibm.com/v1alpha1
kind: OperandRequest
metadata:
 name: common-service
 namespace: ibm-common-services
spec:
 requests:
   - operands:
       - name: ibm-cert-manager-operator
       - name: ibm-mongodb-operator
       - name: ibm-iam-operator
         bindings:
           public-oidc-creds:
             secret: platform-oidc-credentials
           public-auth-creds:
             secret: platform-auth-idp-credentials
           public-auth-cert:
             secret: platform-auth-secret
           public-cam-secret:
             secret: oauth-client-secret
           public-cam-map:
             configmap: oauth-client-map
           public-auth-config:
             configmap: platform-auth-idp
       - name: ibm-monitoring-exporters-operator
       - name: ibm-monitoring-prometheusext-operator
       - name: ibm-monitoring-grafana-operator
       - name: ibm-healthcheck-operator
       - name: ibm-management-ingress-operator
         bindings:
           public:
             secret: ibmcloud-cluster-ca-cert
             configmap: ibmcloud-cluster-info
       - name: ibm-licensing-operator
         bindings:
           public-api-token:
             secret: ibm-licensing-token
           public-api-upload:
             secret: ibm-licensing-upload-token
             configmap: ibm-licensing-upload-config
       - name: ibm-elastic-stack-operator
         bindings:
           public-certs:
             secret: logging-elk-certs
           public-passphrases:
             secret: logging-elk-elasticsearch-pki-secret
       - name: ibm-ingress-nginx-operator
       - name: ibm-auditlogging-operator
         bindings:
           public:
             secret: audit-server-certs
             configmap: audit-logging-fluentd-ds-httpingest-url
       - name: ibm-platform-api-operator
       - name: ibm-helm-api-operator
       - name: ibm-helm-repo-operator
       - name: ibm-catalog-ui-operator
     registry: common-service

Example OperandRequest with custom name and shared configmap identity

Consider the following ibm-iam-operator example, which shows the default configmap name. By using this default configmap name, the ibm-iam-operator would generate ibm-iam-bindinfo-oauth-client-map as the identity of the shared configmap.

spec:
  requests:
    - operands:
        - name: ibm-iam-operator
          bindings:
            public-cam-map:
              configmap: <custom-name-of-oauth-client-map-configmap>
      registry: common-service
      registryNamespace: ibm-common-services

If you want the configmap oauth-client-map to be named as auth-config in the namespace of your OperandRequest, you can create the following OperandRequest. By using this custom configmap name, the ibm-iam-operator would generate ibm-iam-bindinfo-auth-config as the identity of the shared configmap.

spec:
  requests:
    - operands:
        - name: ibm-iam-operator
          bindings:
            public-cam-map:
              configmap: auth-config
      registry: common-service
      registryNamespace: ibm-common-services
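
The naming rule above, as an added example that is not part of this documentation or of the operators' code: a Python check that resolves the bindings of one operand entry to the identities of the shared secrets and configmaps, and reports unreplaced placeholders, names that are not valid Kubernetes object names, and two bindings that resolve to the same identity. The prefixes are read off the identity column of the tables on this page, and shared_objects, BINDINFO and DEFAULTS are hypothetical names; when a bindings section lists only some keys, only those keys are resolved.

```python
import re

# Identity prefixes from the tables' identity column (assumed OperandBindInfo names).
BINDINFO = {"ibm-iam-operator": "ibm-iam-bindinfo",
            "ibm-management-ingress-operator": "management-ingress"}
# Default binding names, copied from the page's sample OperandRequest.
DEFAULTS = {
    "ibm-iam-operator": {
        "public-oidc-creds": {"secret": "platform-oidc-credentials"},
        "public-auth-creds": {"secret": "platform-auth-idp-credentials"},
        "public-auth-cert": {"secret": "platform-auth-secret"},
        "public-cam-secret": {"secret": "oauth-client-secret"},
        "public-cam-map": {"configmap": "oauth-client-map"},
        "public-auth-config": {"configmap": "platform-auth-idp"}},
    "ibm-management-ingress-operator": {
        "public": {"secret": "ibmcloud-cluster-ca-cert",
                   "configmap": "ibmcloud-cluster-info"}},
}
# Kubernetes Secret/ConfigMap names: DNS-1123 subdomain, at most 253 characters.
DNS1123 = re.compile(r"[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*")

def shared_objects(operand):
    """Resolve one operands[] entry to ([(kind, identity)], [problems])."""
    op = operand["name"]
    # No bindings section: all defaults; otherwise only the listed keys are resolved.
    bindings = operand.get("bindings") or DEFAULTS[op]
    shared, problems, seen = [], [], {}
    for key, names in bindings.items():
        if key not in DEFAULTS[op]:
            problems.append(f"{key}: not a binding key listed for {op}")
            continue
        for kind, name in names.items():
            identity = f"{BINDINFO[op]}-{name}"
            if len(identity) > 253 or not DNS1123.fullmatch(identity):
                problems.append(f"{key}.{kind}: {identity!r} is not a valid object name")
            if (kind, identity) in seen:
                problems.append(f"{key}.{kind}: same identity as {seen[(kind, identity)]}")
            seen.setdefault((kind, identity), f"{key}.{kind}")
            shared.append((kind, identity))
    return shared, problems

# Constructed operands[] entries (sample input, not taken from a real cluster).
CUSTOM = {"name": "ibm-iam-operator",
          "bindings": {"public-cam-map": {"configmap": "auth-config"}}}
UNFILLED = {"name": "ibm-iam-operator", "bindings": {
    "public-oidc-creds": {"secret": "creds"}, "public-auth-creds": {"secret": "creds"},
    "public-cam-map": {"configmap": "<custom-name-of-oauth-client-map-configmap>"}}}
if __name__ == "__main__":
    print(shared_objects(CUSTOM), shared_objects(UNFILLED), sep="\n")
```

The returned list is also the inventory of credential-bearing objects that land in the requesting namespace, which is the list to review against that namespace's RBAC.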

Bindings customization

You must add these parameters in the OperandRequest instance before you create it. That is, add them when you are defining the OperandRequest API instance. See Installing foundational services in your cluster.

To change the bindings names, add the following bindings section to the OperandRequest before you install a service. The bindings section for each service is provided here.

Note: The operator generates the secrets and configmaps in the following namespaces:

You can change the bindings names for these operators:

ibm-iam-operator

The ibm-iam-operator generates the following secrets and configmaps, and uses these default names.

Table 1. ibm-iam-operator bindings
| Secret or configmap default name | Description | Default identity of the shared secret or configmap |
| platform-oidc-credentials secret | Stores the OAuth client registration secret. | ibm-iam-bindinfo-platform-oidc-credentials |
| platform-auth-idp-credentials secret | Stores the default admin username and password. | ibm-iam-bindinfo-platform-auth-idp-credentials |
| platform-auth-secret secret | Stores the token signing certificate. | ibm-iam-bindinfo-platform-auth-secret |
| oauth-client-secret secret | Stores the OAuth client registration secret and the default admin username. | ibm-iam-bindinfo-oauth-client-secret |
| oauth-client-map configmap | Stores the cluster domain name, master IP address, and proxy IP address. | ibm-iam-bindinfo-oauth-client-map |
| platform-auth-idp configmap | Stores the Identity and Access Management (IAM) configuration settings. | ibm-iam-bindinfo-platform-auth-idp |

Bindings for the ibm-iam-operator

spec:
  requests:
    - operands:
        - name: ibm-iam-operator
          bindings:
            public-oidc-creds:
              secret: <custom-name-of-platform-oidc-credentials-secret>
            public-auth-creds:
              secret: <custom-name-of-platform-auth-idp-credentials-secret>
            public-auth-cert:
              secret: <custom-name-of-platform-auth-secret>
            public-cam-secret:
              secret: <custom-name-of-oauth-client-secret>
            public-cam-map:
              configmap: <custom-name-of-oauth-client-map-configmap>
            public-auth-config:
              configmap: <custom-name-of-platform-auth-idp-configmap>
      registry: common-service
      registryNamespace: ibm-common-services

ibm-metering-operator

Note: The deprecated Metering service is removed in IBM Cloud Pak foundational services version 3.7.x.

The ibm-metering-operator generates the following secret and uses this default name.

Table 2. ibm-metering-operator bindings
| Secret or configmap default name | Description | Default identity of the shared secret or configmap |
| icp-metering-api-secret secret | Contains the Transport Layer Security (TLS) certificate that is required to use the metering Read API. | ibm-metering-bindinfo-icp-metering-api-secret |

Bindings for the ibm-metering-operator

spec:
  requests:
    - operands:
        - name: ibm-metering-operator
          bindings:
            public:
              secret: <custom-name-of-icp-metering-api-secret>
      registry: common-service
      registryNamespace: ibm-common-services

ibm-management-ingress-operator

The ibm-management-ingress-operator generates the following secret and configmap, and uses these default names.

Table 4. ibm-management-ingress-operator bindings
| Secret or configmap default name | Description | Default identity of the shared secret or configmap |
| ibmcloud-cluster-ca-cert secret | Stores the root certificate authority (CA) certificates. | management-ingress-ibmcloud-cluster-ca-cert |
| ibmcloud-cluster-info configmap | Provides the cluster access information. | management-ingress-ibmcloud-cluster-info |

Bindings for the ibm-management-ingress-operator

spec:
  requests:
    - operands:
        - name: ibm-management-ingress-operator
          bindings:
            public:
              secret: <custom-name-of-ibmcloud-cluster-ca-cert-secret>
              configmap: <custom-name-of-ibmcloud-cluster-info-configmap>
      registry: common-service
      registryNamespace: ibm-common-services

ibm-licensing-operator

The ibm-licensing-operator generates the following secrets and configmap, and uses these default names.

Table 5. ibm-licensing-operator bindings
| Secret or configmap default name | Description | Default identity of the shared secret or configmap |
| ibm-licensing-token secret | Contains an API token and is used to request License Service for reporting license usage. | ibm-licensing-bindinfo-ibm-licensing-token |
| ibm-licensing-upload-token secret | Contains an API token and is used to integrate with License Service to upload the non-Virtual-Processor-Core license usage data. | ibm-licensing-bindinfo-ibm-licensing-upload-token |
| ibm-licensing-upload-config configmap | Contains the API URL and is used to integrate with License Service to upload the non-Virtual-Processor-Core license usage data. | ibm-licensing-bindinfo-ibm-licensing-upload-config |
| ibm-licensing-info configmap | Contains the API URL and is used to request License Service for reporting license usage. | ibm-licensing-bindinfo-ibm-licensing-info |

Bindings for the ibm-licensing-operator

spec:
  requests:
    - operands:
        - name: ibm-licensing-operator
          bindings:
            public-api-data:
              secret: <custom-name-of-ibm-licensing-token-secret>
              configmap: <custom-name-of-ibm-licensing-info-configmap>
            public-api-token:
              secret: <custom-name-of-ibm-licensing-token-secret>
            public-api-upload:
              secret: <custom-name-of-ibm-licensing-upload-token-secret>
              configmap: <custom-name-of-ibm-licensing-upload-config-configmap>
      registry: common-service
      registryNamespace: ibm-common-services

ibm-elastic-stack-operator

The ibm-elastic-stack-operator generates the following secrets and uses these default names.

Table 6. ibm-elastic-stack-operator bindings
| Secret or configmap default name | Description | Default identity of the shared secret or configmap |
| logging-elk-certs secret | | ibm-elastic-stack-bindinfo-logging-elk-certs |
| logging-elk-elasticsearch-pki-secret secret | | ibm-elastic-stack-bindinfo-logging-elk-elasticsearch-pki-secret |

Bindings for the ibm-elastic-stack-operator

spec:
  requests:
    - operands:
        - name: ibm-elastic-stack-operator
          bindings:
            public-certs:
              secret: <custom-name-of-logging-elk-certs-secret>
            public-passphrases:
              secret: <custom-name-of-logging-elk-elasticsearch-pki-secret-secret>
      registry: common-service
      registryNamespace: ibm-common-services

ibm-auditlogging-operator

The ibm-auditlogging-operator generates the following secret and configmap, and uses these default names.

Note: Audit-logging version 3.6 does not provide BindInfo support.

Table 7. ibm-auditlogging-operator bindings
| Secret or configmap default name | Description | Default identity of the shared secret or configmap |
| audit-server-certs secret | Stores the fluentd TLS secret. | ibm-auditlogging-bindinfo-audit-server-certs |
| audit-logging-fluentd-ds-http-ingest-url configmap | Provides Audit logging HTTP ingest URL. | ibm-auditlogging-bindinfo-audit-logging-fluentd-ds-http-ingest-url |

Bindings for the ibm-auditlogging-operator

spec:
  requests:
    - operands:
        - name: ibm-auditlogging-operator
          bindings:
            public:
              secret: <custom-name-of-audit-server-certs-secret>
              configmap: <custom-name-of-audit-logging-fluentd-ds-http-ingest-url>
      registry: common-service
      registryNamespace: ibm-common-services

ibm-user-data-services-operator

The ibm-user-data-services-operator generates the following secrets and configmap, and uses these default names.

Table 8. ibm-user-data-services-operator bindings
| Secret or configmap default name | Description | Default identity of the shared secret or configmap |
| event-api-secret secret | Contains the API keys to access UDS endpoints. | ibm-uds-bindinfo-event-api-secret |
| submodule-api-secret secret | Contains the API keys to access submodule endpoints. | ibm-uds-bindinfo-submodule-api-secret |
| endpoint-cm configmap | Contains endpoints URLs. | ibm-uds-bindinfo-endpoint-cm |

Bindings for the ibm-user-data-services-operator

operand: ibm-user-data-services-operator
registry: common-service
description: Binding information that should be accessible to UDS adopters
bindings:
  public-uds-event-apikey:
    secret: event-api-secret
  public-uds-submodule-apikey:
    secret: submodule-api-secret
  public-uds-url-map:
    configmap: endpoint-cm