Connect Deployment Operator

The Connect Deployment Operator manages Connect deployables as Kubernetes objects. It supports Connect Service Accounts.

Deploy GridOS Connect Service Accounts

The Connect Deployment Operator supports managing Service Accounts in Kubernetes by using the ConnectServiceAccount Custom Resource Definition (CRD). The service account properties are stored in a Kubernetes Secret, including generated credentials for the BasicAuthentication and ApiKey credential types.

ConnectServiceAccount CR example

The following is an example of a ConnectServiceAccount custom resource in Kubernetes:

apiVersion: connect.gridos.com/v1
kind: ConnectServiceAccount
metadata:
  name: your-service-account
  namespace: foundation-env-default
spec:
  organizationId: gridos
  userName: test-user
  credentialsType: BasicAuthentication
  serviceAccountSecretRef:
    name: your-service-account-secret

ConnectServiceAccount CR configuration

The following specification properties are required when creating a ConnectServiceAccount custom resource:

  • organizationId: The ID of the organization that the deployment belongs to.

  • userName: The username associated with the Connect service account. This value must be unique within the Connect organization.

  • credentialsType: The credential type used by the Connect service account. Supported values are BasicAuthentication, ApiKey, Poller, mTLS, and OIDC.

  • serviceAccountSecretRef: A reference to the Kubernetes Secret where the Connect service account details are stored after the resource is created.

    The Secret contains all specification properties defined on this custom resource, along with the serviceAccountId assigned by Connect during creation. Depending on the selected credentialsType, the Secret also includes additional fields:

    • For BasicAuthentication: password - The generated password for the service account.

    • For ApiKey: apiKey - The generated API key for the service account.

    Once the service account has been reconciled, the current Secret reference is stored in the status subresource under the property status.lastServiceAccountSecretRef. When the operator detects a change to serviceAccountSecretRef, it automatically moves the Secret to the new location.

The following specification properties are optional:

  • jwtClaimsMatchJsoniqScript: A JSONiq script used to match JWT claims. This property is required when credentialsType is set to OIDC and is ignored for all other credential types.

  • credentialResetId: An identifier that can be updated to trigger regeneration of credentials for Connect service accounts that use BasicAuthentication or ApiKey.

    Once the service account has been reconciled, the current value is stored in the status subresource under the property status.lastCredentialResetId. When the operator detects a change to this value, it triggers a credential reset in Connect and updates the associated Kubernetes Secret with the new credentials. The default value is init.

The ConnectServiceAccount custom resource results in the creation of a new Connect service account only if a service account with the specified userName and organizationId does not already exist in Connect. The operator sets the following standard Kubernetes status conditions (metav1.Condition) on the resource to reflect reconciliation state:

  • The Ready condition is set to True with the reason Reconciled when the Connect service account is confirmed to exist and the Kubernetes Secret referenced by serviceAccountSecretRef is confirmed to exist.

  • While reconciliation is in progress, the Ready condition is set to False with the reason Reconciling.

  • If reconciliation fails, the Ready condition is set to False with the reason ReconciliationFailed.

Tooling such as Argo CD can observe these conditions through the status subresource to determine when the service account is available.

Service account reconciliation is one-way. When a Connect service account is managed through this custom resource, any manual changes made directly in the Connect Console or through the Connect management API are not reflected in the corresponding Connect Service Account Kubernetes resource.