ConnectorClass
TOC
Overview
ConnectorClass is a cluster-level resource that defines the access modes and behavior specifications for specific types of tools.
The following example defines a hello-git type connector that supports basic authentication:
In the ConnectorClass, the access modes and behavior specifications for connecting tools to the platform are defined by describing the following information:
- The format of the tool's access address
- Supported authentication methods
- How to check the tool's accessibility
- How to verify the validity of authentication
- How the tool provides API capabilities
- What configuration capabilities the tool offers
- Metadata for readability display
This document also provides examples to help readers better understand how to customize ConnectorClass. Examples
Address Information
Address information defines the format for accessing the tool. Currently, string-type address configurations are supported. This address information restricts the field type constraints that the current type of tool must meet.
At this point, it indicates that the address information for connecting the tool to the platform must be of string type.
Authentication Information
Authentication Type
The authentication type defines the type of credentials used for tool authentication. A tool can support multiple authentication types, allowing users to choose one when using the tool.
Users can uniquely name the current authentication type via
spec.auth.types[].name, which must be unique and cannot be repeated.spec.auth.types[].secretType, which specifies the type ofSecretneeded for authentication, corresponding to a Kubernetes Secret Type.
Example:
In the built-in K8S Secret Type, all types except Opaque have field constraints. When providing a Secret, the user must ensure that the Secret's fields match the type constraints.
When using the Opaque type, you must declare authentication parameters.
Like k8s, you can also use your own Secret Type. At this point, you must declare authentication parameters.
Authentication Parameters
Parameters required for credentials during authentication are defined by spec.auth.types[].params.
For standard Kubernetes secret types with clearly defined data fields, parameters can be omitted. For example:
kubernetes.io/basic-auth: username and password authenticationkubernetes.io/ssh-auth: SSH key authentication
For custom authentication types, you can define the required authentication parameters, at this point secretType is marked as Opaque or a custom name.
For example, for GitLab's Personal Access Token (PAT) authentication:
This definition requires that the credentials used in the tool connector include the fields specified in params.
Optional Authentication
Some tools support access without authentication, marked by the optional field indicating whether authentication is optional:
For example, the following indicates that credentials for basicAuth are optional while sshAuth credentials are mandatory.
At this point, when connecting this type of tool to the platform, the basicAuth type of authentication can be omitted.
Accessibility Check
Accessibility checks are used to verify if the tool can be accessed normally. The configuration of how this type is conducted is done through the livenessProbe field.
For example, the following snippet indicates that detection is performed using HTTP requests.
When the tool returns a 200 status, it is considered accessible.
Authentication Checking
Authentication checking is used to verify how the validity of the authentication information for tools of this type is checked. If authentication checking is not needed, authProbes can be omitted.
For example, the following YAML indicates that during the authentication check of the tool, an http GET request will be initiated with the injected Authorization: abc header.
authNameindicates the authentication type being used, needing to align withspec.auth.types[].name.- During the authentication check, the address information of the connector tool will be directly used.
spec.authProbes[].probe.http.methodspecifies the HTTP method used for authentication, supporting GET and POST. Defaults to GET.spec.authProbes[].probe.http.disableRedirectspecifies whether to disable redirection during authentication. Defaults to allow automatic redirection.
Custom Authentication Check Parameters
Some authentication checks may require additional parameters, such as specifying the repository name when checking access to a Git repository. These can be specified via spec.authProbes[].params.
Authentication Check Expressions
When configuring authProbes, expressions can dynamically obtain credential information or Connector information.
For example,
- Expressions can be used in
httpHeadersandpathfields. - The expression format is go template
- Supported top-level fields are:
.Connector: The information of the Connector itself.Secret: The Secret information used for Connector data.
- The methods available within expressions can be referenced in the sprig documentation
- For example:
b64enc: Base64 encoding for strings,trimPrefixto remove string prefixes
- For example:
Example
- Basic Auth authentication checking
The connector will perform validity checks based on the information in the ConnectorClass.
The above yaml indicates the authentication checking for basic auth:
path: Utilizes therepositoryvalue set inauth.paramswithin theConnectorinformation, concatenated as/<repository>/info/refs?service=git-upload-packAuthorization: If the Connector is configured with a Secret, theusernameandpasswordfields from the Secret will be returned in base64.
Rego-based Authentication Logic Configuration
When tool connectors require more complex authentication logic, you can use Rego-based authentication logic configuration.
Rego is a declarative policy language that allows you to define authentication logic. In ConnectorClass, Rego policies are specified in the auth.types[].generator.rego field:
The Rego policy must follow these rules:
- Define rules under the proxy package
- Produce an auth object with the following structure:
- position: Where to inject authentication, such as "header", "query", or "body"
- contentType: Content type for body injection (optional, used with "body" position)
- auth: Map of authentication key-value pairs
Example Rego Policies
Basic Authentication
API Key Authentication
JSON Body Authentication
Advanced Rego Techniques
You can use Rego's conditional logic for different authentication methods:
Conditional Authentication
Time-based Authentication
For more Rego language details, refer to:
ConnectorClass API
Provides a RESTful API for the current ConnectorClass, allowing clients to easily access resources within the tools when using Connectors.
If there is no need to provide API capabilities for the tool, spec.api can be left undefined.
The ConnectorClass API needs to be configured in the spec.api field, for example:
You can specify the API's Service information through spec.api.ref. If the API address of the ConnectorClass has a fixed prefix, it can be specified using spec.api.uri. For example:
Additionally, you can use spec.api.uri to specify the absolute path of the API. For example:
Regardless of the form, the final resolved API address will be stored in status.api.address.url. For example:
Specifying the connectorclass API through service:
Specifying the connectorclass API through uri:
Specifying the connectorclass API through svc while using spec.api.uri to specify the API path:
For more information, refer to:
Configuration Capabilities
Configuration capabilities are used to define the configuration information for this type of tool. This configuration information can be mounted into Pods in conjunction with connectors-csi-driver.
If the client does not need to rely on configuration information when accessing the tool, spec.configurations can be left undefined.
Configuration information is specified through spec.configurations. For example:
Typically, we can specify a certain type of configuration information for a class of tools to facilitate configuration during use. For example:
- For
gittype tools, provide configuration for.gitconfig - For
oci registrytype tools, provide configuration forconfig.json
The configuration content supports the use of variables, which can be dynamically rendered during mounting. For details, refer to the description of "Configuration File Rendering" in connectors-csi-driver.
Example
The following ConnectorClass provides a file named .gitconfig, which is used to ignore SSL verification during git clone.
The following ConnectorClass provides a file named .gitconfig, which automatically injects headers and replaces the git URL during git clone.
More Information
Metadata Information for Readability Display
ConnectorClass is a standard k8s resource that can be tagged with custom information using labels and annotations.
For example:
| Key | Description |
|---|---|
ui.cpaas.io/icon | The icon for ConnectorClass, optional. Format: data:image/svg+xml;base64,PD94bWwgdmVyc2... |
cpaas.io/display-name | The display name for ConnectorClass, optional. |
cpaas.io/description | The description for ConnectorClass, optional. |
connectors.cpaas.io/readme | Usage instructions for ConnectorClass, optional. Typically used for custom scenarios when docs-link cannot be provided. Supports Markdown format. |
connectors.cpaas.io/docs-link | Documentation link for ConnectorClass, optional. Relative or absolute path. |
For example:
ConnectorClass Proxy
The ConnectorClass Proxy is used to configure the proxy address for the ConnectorClass.
The ConnectorClass Proxy is configured through spec.proxy. For example:
The Connector will use the proxy address to proxy the request to the ConnectorClass. More information
Resolver Type
The proxy address of the ConnectorClass will be resolved according to the specified resolver type.
The resolver type is configured through annotations connectors.cpaas.io/proxy-resolver. For example:
This field is a convention between ConnectorClass-Proxy and Connector. Optional.
Supported values: host, path. Default is host.
hostformat:http://{.ConnectorClass.Status.ProxyAddress.URL}pathformat:http://{.ConnectorClass.Status.ProxyAddress.URL}/namespaces/{namespace}/connectors/{connector-name}
Status Information
Once you have defined the ConnectorClass resource, the status information of the resource will be stored in status.
The status.conditions type includes:
APIReady: Status information of the API capabilityProxyReady: Status information of the Proxy capabilityReady: Marks the overall status of the current ConnectorClass
Ready Condition
The Ready Condition is used to mark the status of the current ConnectorClass. It aggregates the status of other conditions.
- When other Conditions are True, the current Condition is True.
- When any other Condition is False, the current Condition is False.
- When any other Condition is Unknown, the current Condition is Unknown.
APIReady Condition
Indicates the status information of the API service configured for the ConnectorClass. The API service is configured through ConnectorClass's spec.api.
| Status | Reason | Description |
|---|---|---|
| True | NonAPI | spec.api not configured, the current ConnectorClass has no API capability |
| True | spec.api defined, API service is normal | |
| False | spec.api defined, API capability is abnormal or detection itself is abnormal | |
| Unknown | API capability detection in progress |
Note:
- The API detection will only attempt to request the link and will not make any HTTP return value judgments. The health check of the API service should rely on the health check mechanism of the API service itself.
- Since the API service may change at any time, the status information of the API cannot reflect real-time information. It is recommended that clients use this status information as a hint rather than relying on it to block client behavior.
ProxyReady Condition
Indicates the status information of the Proxy service configured for the ConnectorClass. The Proxy service is configured through ConnectorClass's spec.proxy.
| Status | Reason | Description |
|---|---|---|
| True | NonProxy | spec.proxy not configured, the current ConnectorClass has no Proxy capability |
| True | spec.proxy defined, Proxy service is normal | |
| False | spec.proxy defined, Proxy capability is abnormal or detection itself is abnormal | |
| Unknown | Proxy capability detection in progress |
Compatibility
Updates to the ConnectorClass may affect existing Connectors. If there are incompatible changes to the ConnectorClass, it may cause previously created Connectors to become invalid. Here are some possible changes that may lead to incompatibility:
-
Changes in authentication information: If the ConnectorClass modifies the supported authentication types or methods, it may cause Connectors using the old authentication method to malfunction.
-
Changes in configuration information: If the configuration information of the ConnectorClass changes, such as removing an existing configuration, it may cause Kubernetes workloads that depend on the old configuration to malfunction.
It is recommended to confirm the scope of impact when updating the ConnectorClass, or if necessary, create a new ConnectorClass.
More Examples
- ConnectorClass supporting
basic-authauthentication type
- Custom authentication type ConnectorClass
- ConnectorClass configured with
liveness probe
- ConnectorClass configured with
auth probe
- Complete Git connector configuration example: