kyma-project · ralikio · Jan 16, 2025
@@ -18,6 +18,7 @@ import (
 	imv1 "github.com/kyma-project/infrastructure-manager/api/v1"
 
 	"github.com/kyma-project/kyma-environment-broker/internal/expiration"
+	"github.com/kyma-project/kyma-environment-broker/internal/hap"
 	"github.com/kyma-project/kyma-environment-broker/internal/metricsv2"
 	"github.com/kyma-project/kyma-environment-broker/internal/whitelist"
 
@@ -142,6 +143,7 @@ type Config struct {
 	Events events.Config
 
 	MetricsV2 metricsv2.Config
+	Hap       hap.Config
 
 	Provisioning    process.StagedManagerConfiguration
 	Deprovisioning  process.StagedManagerConfiguration

@@ -68,7 +68,7 @@ func NewProvisioningProcessingQueue(ctx context.Context, provisionManager *proce
 		},
 		{
 			stage:     createRuntimeStageName,
-			step:      provisioning.NewResolveCredentialsStep(db.Operations(), accountProvider),
+			step:      provisioning.NewResolveCredentialsStep(db.Operations(), accountProvider, cfg.Hap),
 			condition: provisioning.SkipForOwnClusterPlan,
 		},
 		{

@@ -0,0 +1,12 @@
+package hap
+
+import (
+	"github.com/kyma-project/kyma-environment-broker/internal/utils"
+)
+
+type Config struct {
+	SharedRule utils.Whitelist `envconfig`
+	euAccessRule utils.Whitelist `envconfig`
+	clusterRegionRule utils.Whitelist `envconfig`
+	platformRegionRule utils.Whitelist `envconfig`
+}
@@ -0,0 +1,37 @@
+package hap
+
+import (
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"github.com/vrischmann/envconfig"
+)
+
+func TestHyperscalerConfigs(t *testing.T) {
+
+	t.Run("should read default values from env variables", func(t *testing.T) {
+		// given
+		var cfg Config
+		err := envconfig.InitWithPrefix(&cfg, "APP_HAP")
+		require.NoError(t, err)
+
+		require.True(t, cfg.SharedSecretPlans.Contains("trial:*"))
+		require.True(t, cfg.SharedSecretPlans.Contains("sap-converged-cloud:*"))
+	})
+
+	t.Run("should read single values from env variables", func(t *testing.T) {
+		err := os.Setenv("APP_HAP_SHARED_SECRET_PLANS", "aws:*;azure:*;gcp:eu1")
+		require.NoError(t, err)
+
+		// given
+		var cfg Config
+		err = envconfig.InitWithPrefix(&cfg, "APP_HAP")
+		require.NoError(t, err)
+
+		require.True(t, cfg.SharedSecretPlans.Contains("aws:*"))
+		require.False(t, cfg.SharedSecretPlans.Contains("azure"))
+		require.True(t, cfg.SharedSecretPlans.Contains("azure:*"))
+		require.True(t, cfg.SharedSecretPlans.Contains("gcp:eu1"))
+	})
+}
@@ -23,12 +23,14 @@
 	accountProvider  hyperscaler.AccountProvider
 	opStorage        storage.Operations
 	tenant           string
+	hapConfig        *hap.Config
 }
 
-func NewResolveCredentialsStep(os storage.Operations, accountProvider hyperscaler.AccountProvider) *ResolveCredentialsStep {
+func NewResolveCredentialsStep(os storage.Operations, accountProvider hyperscaler.AccountProvider, hapConfig hap.Config) *ResolveCredentialsStep {
 	step := &ResolveCredentialsStep{
 		opStorage:       os,
 		accountProvider: accountProvider,
+		hapConfig:       &hapConfig,
 	}
 	step.operationManager = process.NewOperationManager(os, step.Name(), kebError.AccountPoolDependency)
 	return step

@@ -8,6 +8,8 @@ import (
 	"github.com/kyma-project/kyma-environment-broker/common/gardener"
 	pkg "github.com/kyma-project/kyma-environment-broker/common/runtime"
 	"github.com/kyma-project/kyma-environment-broker/internal/fixture"
+	"github.com/kyma-project/kyma-environment-broker/internal/hap"
+	"github.com/kyma-project/kyma-environment-broker/internal/utils"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 
@@ -41,7 +43,7 @@ func TestResolveCredentialsStepHappyPath_Run(t *testing.T) {
 	accountProviderMock := &hyperscalerMocks.AccountProvider{}
 	accountProviderMock.On("GardenerSecretName", hyperscaler.GCP("westeurope"), statusGlobalAccountID, false).Return("gardener-secret-gcp", nil)
 
-	step := NewResolveCredentialsStep(memoryStorage.Operations(), accountProviderMock)
+	step := NewResolveCredentialsStep(memoryStorage.Operations(), accountProviderMock, hap.Config{})
 
 	// when
 	operation, repeat, err := step.Run(operation, fixLogger())
@@ -68,7 +70,7 @@ func TestResolveCredentialsEUStepHappyPath_Run(t *testing.T) {
 	accountProviderMock := &hyperscalerMocks.AccountProvider{}
 	accountProviderMock.On("GardenerSecretName", hyperscaler.AWS(), statusGlobalAccountID, true).Return("gardener-secret-aws", nil)
 
-	step := NewResolveCredentialsStep(memoryStorage.Operations(), accountProviderMock)
+	step := NewResolveCredentialsStep(memoryStorage.Operations(), accountProviderMock, hap.Config{})
 
 	// when
 	operation, repeat, err := step.Run(operation, fixLogger())
@@ -95,7 +97,7 @@ func TestResolveCredentialsCHStepHappyPath_Run(t *testing.T) {
 	accountProviderMock := &hyperscalerMocks.AccountProvider{}
 	accountProviderMock.On("GardenerSecretName", hyperscaler.Azure(), statusGlobalAccountID, true).Return("gardener-secret-az", nil)
 
-	step := NewResolveCredentialsStep(memoryStorage.Operations(), accountProviderMock)
+	step := NewResolveCredentialsStep(memoryStorage.Operations(), accountProviderMock, hap.Config{})
 
 	// when
 	operation, repeat, err := step.Run(operation, fixLogger())
@@ -121,7 +123,7 @@ func TestResolveCredentialsStepHappyPathTrialDefaultProvider_Run(t *testing.T) {
 	accountProviderMock := &hyperscalerMocks.AccountProvider{}
 	accountProviderMock.On("GardenerSharedSecretName", hyperscaler.Azure(), false).Return("gardener-secret-azure", nil)
 
-	step := NewResolveCredentialsStep(memoryStorage.Operations(), accountProviderMock)
+	step := NewResolveCredentialsStep(memoryStorage.Operations(), accountProviderMock, hap.Config{})
 
 	// when
 	operation, repeat, err := step.Run(operation, fixLogger())
@@ -148,7 +150,7 @@ func TestResolveCredentialsStepHappyPathTrialGivenProvider_Run(t *testing.T) {
 	accountProviderMock := &hyperscalerMocks.AccountProvider{}
 	accountProviderMock.On("GardenerSharedSecretName", hyperscaler.GCP("westeurope"), false).Return("gardener-secret-gcp", nil)
 
-	step := NewResolveCredentialsStep(memoryStorage.Operations(), accountProviderMock)
+	step := NewResolveCredentialsStep(memoryStorage.Operations(), accountProviderMock, hap.Config{})
 
 	// when
 	operation, repeat, err := step.Run(operation, fixLogger())
@@ -174,7 +176,7 @@ func TestResolveCredentialsStepRetry_Run(t *testing.T) {
 	accountProviderMock := &hyperscalerMocks.AccountProvider{}
 	accountProviderMock.On("GardenerSecretName", hyperscaler.GCP("westeurope"), statusGlobalAccountID, false).Return("", fmt.Errorf("Failed!"))
 
-	step := NewResolveCredentialsStep(memoryStorage.Operations(), accountProviderMock)
+	step := NewResolveCredentialsStep(memoryStorage.Operations(), accountProviderMock, hap.Config{})
 
 	operation.UpdatedAt = time.Now()
 
@@ -208,7 +210,7 @@ func TestResolveCredentials_IntegrationAWS(t *testing.T) {
 	op := fixOperationWithPlatformRegion("cf-us10", pkg.AWS)
 	err := memoryStorage.Operations().InsertOperation(op)
 	assert.NoError(t, err)
-	step := NewResolveCredentialsStep(memoryStorage.Operations(), accountProvider)
+	step := NewResolveCredentialsStep(memoryStorage.Operations(), accountProvider, hap.Config{})
 
 	// when
 	operation, backoff, err := step.Run(op, fixLogger())
@@ -232,7 +234,7 @@ func TestResolveCredentials_IntegrationAWSEuAccess(t *testing.T) {
 	op := fixOperationWithPlatformRegion("cf-eu11", pkg.AWS)
 	err := memoryStorage.Operations().InsertOperation(op)
 	assert.NoError(t, err)
-	step := NewResolveCredentialsStep(memoryStorage.Operations(), accountProvider)
+	step := NewResolveCredentialsStep(memoryStorage.Operations(), accountProvider, hap.Config{})
 
 	// when
 	operation, backoff, err := step.Run(op, fixLogger())
@@ -254,7 +256,7 @@ func TestResolveCredentials_IntegrationAzure(t *testing.T) {
 	op := fixOperationWithPlatformRegion("cf-eu21", pkg.Azure)
 	err := memoryStorage.Operations().InsertOperation(op)
 	assert.NoError(t, err)
-	step := NewResolveCredentialsStep(memoryStorage.Operations(), accountProvider)
+	step := NewResolveCredentialsStep(memoryStorage.Operations(), accountProvider, hap.Config{})
 
 	// when
 	operation, backoff, err := step.Run(op, fixLogger())
@@ -278,7 +280,7 @@ func TestResolveCredentials_IntegrationAzureEuAccess(t *testing.T) {
 	op := fixOperationWithPlatformRegion("cf-ch20", pkg.Azure)
 	err := memoryStorage.Operations().InsertOperation(op)
 	assert.NoError(t, err)
-	step := NewResolveCredentialsStep(memoryStorage.Operations(), accountProvider)
+	step := NewResolveCredentialsStep(memoryStorage.Operations(), accountProvider, hap.Config{})
 
 	// when
 	operation, backoff, err := step.Run(op, fixLogger())

@@ -0,0 +1,39 @@
+package utils
+
+import (
+	"sort"
+	"strings"
+)
+
+type Whitelist map[string]struct{}
+
+func (t *Whitelist) Unmarshal(s string) error {
+	*t = make(Whitelist)
+
+	for _, item := range strings.Split(s, ";") {
+		(*t)[item] = struct{}{}
+	}
+
+	return nil
+}
+
+func (t *Whitelist) Contains(item string) bool {
+	_, found := (*t)[item]
+	return found
+}
+
+func (t Whitelist) String() string {
+	keys := make([]string, 0, len(t))
+	for item := range t {
+		keys = append(keys, item)
+	}
+
+	sort.Strings(keys)
+
+	output := ""
+	for _, item := range keys {
+		output += item + ";"
+	}
+
+	return output
+}
@@ -0,0 +1,34 @@
+package utils
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestWhitelist(t *testing.T) {
+
+	t.Run("should unmarshal from string representation", func(t *testing.T) {
+		// given
+		whitelist := Whitelist{}
+
+		// when
+		err := whitelist.Unmarshal("key1;key2")
+		require.NoError(t, err)
+
+		// then
+		require.True(t, whitelist.Contains("key1"))
+		require.True(t, whitelist.Contains("key2"))
+		require.False(t, whitelist.Contains("key3"))
+	})
+
+	t.Run("should print all values", func(t *testing.T) {
+		// given
+		whitelist := Whitelist{"key1": struct{}{}, "key2": struct{}{}}
+
+		// then
+		require.Equal(t, "key1;key2;", whitelist.String())
+		require.Equal(t, "key1;key2;", fmt.Sprint(whitelist))
+	})
+}
@@ -287,6 +287,14 @@ spec:
               value: "{{ .Values.broker.subaccountMovementEnabled }}"
             - name: APP_BROKER_UPDATE_CUSTOM_RESOURCES_LABELS_ON_ACCOUNT_MOVE
               value: "{{ .Values.broker.updateCustomResourcesLabelsOnAccountMove }}"
+            - name: APP_HAP_PLATFORM_REGION_RULE
+              value: "{{ .Values.hap.platformRegionRule }}"
+            - name: APP_HAP_CLUSTER_REGION_RULE
+              value: "{{ .Values.hap.clusterRegionRule }}"
+            - name: APP_HAP_SHARED_RULE
+              value: "{{ .Values.hap.sharedRule }}"
+            - name: APP_HAP_EU_ACCESS_RULE
+              value: "{{ .Values.hap.euAccessRule }}"
           ports:
             - name: http
               containerPort: {{ .Values.broker.port }}

@@ -242,6 +242,11 @@ sapConvergedCloudPlanRegionMappings: |-
 disableSapConvergedCloud: false
 disableProcessOperationsInProgress: "false"
 enablePlans: "azure,gcp,azure_lite,trial"
+hap: 
+  platformRegionRule: "gcp:cf-sa30"
+  clusterRegionRule: "sap-converged-cloud"
+  sharedRule: "trial;sap-converged-cloud"
+  euAccessRule: "azure:cf-ch20;aws:cf-eu11"
 onlySingleTrialPerGA: "true"
 enableKubeconfigURLLabel: "false"
 includeAdditionalParamsInSchema: "false"