Merge branch 'main' into features/bindings-schema

docs/user/05-60-kyma-bindings.md

@@ -20,4 +20,4 @@ The Broker returns a kubeconfig file in the response body. The kubeconfig file c
 | Name                   | Default | Description                                                                                                                                                                                                                                                                                                                                                          |
 |------------------------|---------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | **service_account**      | `false` | If set to `true`, the Broker returns a kubeconfig with a JWT token used as a user authentication mechanism. The token is generated using Kubernetes TokenRequest attached to a ServiceAccount, ClusterRole, and ClusterRoleBinding, all named `kyma-binding-{{binding_id}}`. Such an approach allows for easily modifying the permissions granted to the kubeconfig. |
-| **expiration_seconds** | `600`   | Specifies the duration (in seconds) for which the generated kubeconfig is valid. If not provided, the default value of `600` seconds (10 minutes) is used.                                                                                                                                                                                                             |
+| **expiration_seconds** | `600`   | Specifies the duration (in seconds) for which the generated kubeconfig is valid. If not provided, the default value of `600` seconds (10 minutes) is used, which is also the minimum value that can be set. The maximum value that can be set is `7200` seconds (2 hours).                                             |

internal/broker/bind_create.go

@@ -19,9 +19,11 @@ import (
 )
 
 type BindingConfig struct {
-	Enabled           bool        `envconfig:"default=false"`
-	BindablePlans     EnablePlans `envconfig:"default=aws"`
-	ExpirationSeconds int         `envconfig:"default=600"`
+	Enabled              bool        `envconfig:"default=false"`
+	BindablePlans        EnablePlans `envconfig:"default=aws"`
+	ExpirationSeconds    int         `envconfig:"default=600"`
+	MaxExpirationSeconds int         `envconfig:"default=7200"`
+	MinExpirationSeconds int         `envconfig:"default=600"`
 }
 
 type BindEndpoint struct {
@@ -98,6 +100,14 @@ func (b *BindEndpoint) Bind(ctx context.Context, instanceID, bindingID string, d
 
 	expirationSeconds := b.config.ExpirationSeconds
 	if parameters.ExpirationSeconds != 0 {
+		if parameters.ExpirationSeconds > b.config.MaxExpirationSeconds {
+			message := fmt.Sprintf("expiration_seconds cannot be greater than %d", b.config.MaxExpirationSeconds)
+			return domain.Binding{}, apiresponses.NewFailureResponse(fmt.Errorf(message), http.StatusBadRequest, message)
+		}
+		if parameters.ExpirationSeconds < b.config.MinExpirationSeconds {
+			message := fmt.Sprintf("expiration_seconds cannot be less than %d", b.config.MinExpirationSeconds)
+			return domain.Binding{}, apiresponses.NewFailureResponse(fmt.Errorf(message), http.StatusBadRequest, message)
+		}
 		expirationSeconds = parameters.ExpirationSeconds
 	}
 

internal/broker/bind_create_test.go

@@ -51,6 +51,8 @@ type User struct {
 }
 
 const expirationSeconds = 10000
+const maxExpirationSeconds = 7200
+const minExpirationSeconds = 600
 
 func TestCreateBindingEndpoint(t *testing.T) {
 	t.Log("test create binding endpoint")
@@ -153,7 +155,9 @@ func TestCreateBindingEndpoint(t *testing.T) {
 		BindablePlans: EnablePlans{
 			fixture.PlanName,
 		},
-		ExpirationSeconds: expirationSeconds,
+		ExpirationSeconds:    expirationSeconds,
+		MaxExpirationSeconds: maxExpirationSeconds,
+		MinExpirationSeconds: minExpirationSeconds,
 	}
 
 	//// api handler
@@ -181,13 +185,14 @@ func TestCreateBindingEndpoint(t *testing.T) {
 	t.Run("should create a new service binding without error", func(t *testing.T) {
 
 		// When
-		response := CallAPI(httpServer, method, "v2/service_instances/1/service_bindings/binding-id?accepts_incomplete=true", fmt.Sprintf(`{
-  "service_id": "123",
-  "plan_id": "%s",
-  "parameters": {
-    "service_account": true
-  }
-}`, fixture.PlanId), t)
+		response := CallAPI(httpServer, method, "v2/service_instances/1/service_bindings/binding-id?accepts_incomplete=true", fmt.Sprintf(`
+		{
+			"service_id": "123",
+			"plan_id": "%s",
+			"parameters": {
+				"service_account": true
+			}
+		}`, fixture.PlanId), t)
 
 		binding := verifyResponse(t, response)
 
@@ -216,14 +221,15 @@ func TestCreateBindingEndpoint(t *testing.T) {
 		const customExpirationSeconds = 900
 
 		// When
-		response := CallAPI(httpServer, method, "v2/service_instances/1/service_bindings/binding-id2?accepts_incomplete=true", fmt.Sprintf(`{
-  "service_id": "123",
-  "plan_id": "%s",
-  "parameters": {
-    "service_account": true,
-	"expiration_seconds": %v
-  }
-}`, fixture.PlanId, customExpirationSeconds), t)
+		response := CallAPI(httpServer, method, "v2/service_instances/1/service_bindings/binding-id2?accepts_incomplete=true", fmt.Sprintf(`
+		{
+			"service_id": "123",
+			"plan_id": "%s",
+			"parameters": {
+				"service_account": true,
+				"expiration_seconds": %v
+			}
+		}`, fixture.PlanId, customExpirationSeconds), t)
 
 		binding := verifyResponse(t, response)
 
@@ -234,6 +240,38 @@ func TestCreateBindingEndpoint(t *testing.T) {
 		require.NoError(t, err)
 		assert.Equal(t, customExpirationSeconds*time.Second, duration)
 	})
+	t.Run("should return error when expiration_seconds is greater than maxExpirationSeconds", func(t *testing.T) {
+		const customExpirationSeconds = 7201
+
+		// When
+		response := CallAPI(httpServer, method, "v2/service_instances/1/service_bindings/binding-id3?accepts_incomplete=true", fmt.Sprintf(`
+		{
+			"service_id": "123",
+			"plan_id": "%s",
+			"parameters": {
+				"service_account": true,
+				"expiration_seconds": %v
+
+			}
+		}`, fixture.PlanId, customExpirationSeconds), t)
+		require.Equal(t, http.StatusBadRequest, response.StatusCode)
+	})
+
+	t.Run("should return error when expiration_seconds is less than minExpirationSeconds", func(t *testing.T) {
+		const customExpirationSeconds = 60
+
+		// When
+		response := CallAPI(httpServer, method, "v2/service_instances/1/service_bindings/binding-id4?accepts_incomplete=true", fmt.Sprintf(`
+		{
+			"service_id": "123",
+			"plan_id": "%s",
+			"parameters": {	
+				"service_account": true,
+				"expiration_seconds": %v
+			}	
+		}`, fixture.PlanId, customExpirationSeconds), t)
+		require.Equal(t, http.StatusBadRequest, response.StatusCode)
+	})
 }
 
 func createKubeconfigFileForRestConfig(restConfig rest.Config) []byte {

resources/keb/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
-appVersion: "1.10.16"
+appVersion: "1.10.17"
 name: keb
 description:
 description: Kyma Environment Broker Helm chart for Kubernetes
-version: 1.10.16
+version: 1.10.17
 type: application

resources/keb/templates/deployment.yaml

@@ -86,6 +86,12 @@ spec:
               value: "{{ .Values.cleaning.dryRun }}"
             - name: APP_BROKER_BINDING_ENABLED
               value: "{{ .Values.binding.enabled}}"
+            - name: APP_BROKER_BINDING_BINDABLE_PLANS
+              value: "{{ .Values.binding.bindablePlans}}"
+            - name: APP_BROKER_BINDING_EXPIRATION_SECONDS
+              value: "{{ .Values.binding.expirationSeconds}}"
+            - name: APP_BROKER_BINDING_MAX_EXPIRATION_SECONDS
+              value: "{{ .Values.binding.maxExpirationSeconds}}"
             - name: APP_BROKER_ONLY_SINGLE_TRIAL_PER_GA
               value: "{{ .Values.onlySingleTrialPerGA }}"
             - name: APP_BROKER_URL

resources/keb/templates/globalaccounts.yaml

@@ -5,7 +5,7 @@ metadata:
   name: "{{- .Values.globalaccounts.name -}}"
   namespace: kcp-system
   labels:
-  name: "{{- .Values.globalaccounts.name -}}"
+    name: "{{- .Values.globalaccounts.name -}}"
 spec:
   replicas: 1
   selector:

resources/keb/values.yaml

@@ -13,28 +13,28 @@ global:
       version: "v20240612-83a7c0eb" # do not update along with the other images
     kyma_environment_broker:
       dir:
-      version: "1.10.16"
+      version: "1.10.17"
     kyma_environments_subaccount_cleanup_job:
       dir:
-      version: "1.10.16"
+      version: "1.10.17"
     kyma_environment_trial_cleanup_job:
       dir:
-      version: "1.10.16"
+      version: "1.10.17"
     kyma_environment_expirator_job:
       dir:
-      version: "1.10.16"
+      version: "1.10.17"
     kyma_environment_deprovision_retrigger_job:
       dir:
-      version: "1.10.16"
+      version: "1.10.17"
     kyma_environment_runtime_reconciler:
       dir:
-      version: "1.10.16"
+      version: "1.10.17"
     kyma_environment_subaccount_sync:
       dir:
-      version: "1.10.16"
+      version: "1.10.17"
     kyma_environment_globalaccounts:
       dir:
-      version: "1.10.16"
+      version: "1.10.17"
 
   kyma_environment_broker:
     enabled: false
@@ -250,6 +250,11 @@ broker:
 
 binding:
   enabled: false
+  bindablePlans: "aws"
+  expirationSeconds: 600
+  maxExpirationSeconds: 7200
+  # minExpirationSeconds can't be lower than 600 seconds. Forced by Gardener
+  minExpirationSeconds: 600
 
 service:
   type: ClusterIP

sec-scanners-config.yaml

@@ -1,15 +1,15 @@
 module-name: kyma-environment-broker
-rc-tag: 1.10.16
+rc-tag: 1.10.17
 protecode:
-  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-broker:1.10.16
-  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-deprovision-retrigger-job:1.10.16
-  - europe-docker.pkg.dev/kyma-project/prod/kyma-environments-cleanup-job:1.10.16
-  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-runtime-reconciler:1.10.16
-  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-archiver-job:1.10.16
-  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-expirator-job:1.10.16
-  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-subaccount-cleanup-job:1.10.16
-  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-subaccount-sync:1.10.16
-  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-broker-globalaccounts:1.10.16
+  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-broker:1.10.17
+  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-deprovision-retrigger-job:1.10.17
+  - europe-docker.pkg.dev/kyma-project/prod/kyma-environments-cleanup-job:1.10.17
+  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-runtime-reconciler:1.10.17
+  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-archiver-job:1.10.17
+  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-expirator-job:1.10.17
+  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-subaccount-cleanup-job:1.10.17
+  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-subaccount-sync:1.10.17
+  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-broker-globalaccounts:1.10.17
 whitesource:
   language: golang-mod
   subprojects: false

utils/archiver/kyma-environment-broker-archiver.yaml

@@ -74,4 +74,4 @@ spec:
       template:
         spec:
           containers:
-            - image: europe-docker.pkg.dev/kyma-project/prod/kyma-environment-archiver-job:1.10.16
+            - image: europe-docker.pkg.dev/kyma-project/prod/kyma-environment-archiver-job:1.10.17

utils/kyma-environments-cleanup-job/kyma-environments-cleanup-job.yaml

@@ -28,7 +28,7 @@ spec:
           containers:
             - name: kyma-environments-cleanup
               command: ["/bin/main"]
-              image: europe-docker.pkg.dev/kyma-project/prod/kyma-environments-cleanup-job:1.10.16
+              image: europe-docker.pkg.dev/kyma-project/prod/kyma-environments-cleanup-job:1.10.17
               imagePullPolicy: IfNotPresent
               env:
                 - name: DATABASE_EMBEDDED