This repository has been archived by the owner on Nov 2, 2023. It is now read-only.

New Release v1.3.2 for OCI Service Broker
- Minor Documentation Fixes

Co-authored-by: Ashokkumar Kannan ashokkumar.kannan@oracle.com
Co-authored-by: Jayasheelan Kumar jayasheelan.kumar@oracle.com
jayasheelankumar authored Nov 28, 2019
1 parent f5bd5ce commit 1528c46
Showing 10 changed files with 47 additions and 41 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -5,6 +5,10 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
This project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).

[1.3.2]

- Minor documentation fixes

[1.3.1]

- Minor Bug Fixes
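Review bot: the new `[1.3.2]` entry carries no release date, and neither does the existing `[1.3.1]` entry, although the file header says the format follows Keep a Changelog, which dates every version heading (`## [1.3.2] - 2019-11-28`); the date is on this commit, so it costs nothing to add. Capitalisation also differs between `Minor documentation fixes` and `Minor Bug Fixes`; pick one style for the list.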
2 changes: 1 addition & 1 deletion README.md
@@ -29,7 +29,7 @@ See the [Documentation](charts/oci-service-broker/README.md#oci-service-broker)
The OCI Service Broker is packaged as Helm chart for making it easy to install in Kubernetes Clusters. The chart can be downloaded from below URL.

```
https://github.com/oracle/oci-service-broker/releases/download/v1.3.1/oci-service-broker-1.3.1.tgz
https://github.com/oracle/oci-service-broker/releases/download/v1.3.2/oci-service-broker-1.3.2.tgz
```

## Samples
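Review bot: only the release URL is bumped, but the instruction still gives readers nothing to verify the tarball against. A release chart pulled from a URL is a supply-chain input; publish a SHA-256 (or a Helm provenance file) alongside the `.tgz` and show the check next to the URL. Minor: this fence is untagged while the same block in installation.md below uses ```plain; keep the two consistent.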
2 changes: 1 addition & 1 deletion charts/oci-service-broker/Chart.yaml
@@ -5,4 +5,4 @@
apiVersion: v1
description: A Helm chart for installing OCI Service Broker into a Kubernetes cluster
name: oci-service-broker
version: 1.3.1
version: 1.3.2
24 changes: 12 additions & 12 deletions charts/oci-service-broker/docs/adw.md
@@ -51,18 +51,18 @@ Allow group <SERVICE_BROKER_GROUP> to manage autonomous-data-warehouse in compar

To provision, an ADW service user needs to provide the following details:

| Parameter | Description | Type | Mandatory |
| ---------------- | ------------------------------------------------------------------- | ------ | --------- |
| `name` | The display name for the ADW instance. | string | yes |
| `dbName` | Database Name. | string | yes |
| `compartmentId` | The OCI compartment where the ADW instance will be provisioned. | string | yes |
| `cpuCount` | Number of CPU cores to have. | int | yes |
| `storageSizeTBs` | Size of the DB Storage in Terrabytes. | int | yes |
| `password` | ADW Service will pre-provision a DB Admin user when it provisions an ADW instance. The user needs to provide a password to be set for this Admin user.<br>The OCI ADW service requires the password to satisfy the below rules.<br><ul><li>The length should be 12 to 18 characters.</li><li>A password must include an upper case, lower case, and special character.</li></ul> | string | yes |
| `licenseType` | Use your existing database software licenses(BYOL) or Subscribe to new database software licenses and the Database Cloud Service.<br>Valid values are:<ul><li>BYOL</li><li>NEW</li></ul>. | string | yes |
| `autoScaling` | The flag to enable auto-scaling in ADW Instance. Allows system to use up to three times the provisioned number of cores as the workload increases. By default, this flag is set to false. | boolean| no |
| `freeFormTags` | free form tags that are to be used for tagging the ADW instance. | object | no |
| `definedTags` | The defined tags that are to be used for tagging the ADW instance. | object | no |
| Parameter | Description | Type | Mandatory |
| -------------------- | ------------------------------------------------------------------- | ------ | --------- |
| `name` | The display name for the ADW instance. | string | yes |
| `dbName` | Database Name. | string | yes |
| `compartmentId` | The OCI compartment where the ADW instance will be provisioned. | string | yes |
| `cpuCount` | Number of CPU cores to have. | int | yes |
| `storageSizeTBs` | Size of the DB Storage in Terrabytes. | int | yes |
| `password` | ADW Service will pre-provision a DB Admin user when it provisions an ADW instance. The user needs to provide a password to be set for this Admin user. The update of password using OCI Service Broker is not supported. Any changes to password after instance provisioning is ignored. <br>The OCI ADW service requires the password to satisfy the below rules.<br><ul><li>The length should be 12 to 18 characters.</li><li>A password must include an upper case, lower case, and special character.</li></ul> | string | yes |
| `licenseType` | Use your existing database software licenses(BYOL) or Subscribe to new database software licenses and the Database Cloud Service.<br>Valid values are:<ul><li>BYOL</li><li>NEW</li></ul>. | string | yes |
| `autoScaling` | The flag to enable auto-scaling in ADW Instance. Allows system to use up to three times the provisioned number of cores as the workload increases. By default, this flag is set to false. | boolean| no |
| `freeFormTags` | free form tags that are to be used for tagging the ADW instance. | object | no |
| `definedTags` | The defined tags that are to be used for tagging the ADW instance. | object | no |

## Using an Existing ADW Service Instance

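Review bot: the added sentence "Any changes to password after instance provisioning is ignored" should read "are ignored", and it states a security-relevant limitation that deserves more than a table cell. Because the broker silently ignores a changed `password`, a user who tries to rotate the admin password by updating the ServiceInstance parameters will believe the rotation happened when it did not; say explicitly that rotation must be done out of band through the ADW service, and consider having the broker reject a changed value rather than ignore it. Also, `Terrabytes` in the `storageSizeTBs` row should be `Terabytes` (pre-existing, but this row is being rewritten anyway).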
24 changes: 12 additions & 12 deletions charts/oci-service-broker/docs/atp.md
@@ -51,18 +51,18 @@ Allow group <SERVICE_BROKER_GROUP> to manage autonomous-database in compartment

To provision, an ATP service user needs to provide the following details:

| Parameter | Description | Type | Mandatory |
| ---------------- | ------------------------------------------------------------------- | ------ | --------- |
| `name` | The display name for the ATP instance. | string | yes |
| `dbName` | Database Name. | string | yes |
| `compartmentId` | The OCI compartment where the ATP instance will be provisioned. | string | yes |
| `cpuCount` | Number of CPU cores to have. | int | yes |
| `storageSizeTBs` | Size of the DB Storage in Terrabytes. | int | yes |
| `password` | ATP Service will pre-provision a DB Admin user when it provisions an ATP instance. The user needs to provide a password to be set for this Admin user.<br>The OCI ATP service requires the password to satisfy the below rules.<br><ul><li>The length should be 12 to 18 characters.</li><li>A password must include an upper case, lower case, and special character.</li></ul> | string | yes |
| `licenseType` | Use your existing database software licenses(BYOL) or Subscribe to new database software licenses and the Database Cloud Service.<br>Valid values are:<ul><li>BYOL</li><li>NEW</li></ul>. | string | yes |
| `autoScaling` | The flag to enable auto-scaling in ATP Instance. Allows system to use up to three times the provisioned number of cores as the workload increases. By default, this flag is set to false. | boolean| no |
| `freeFormTags` | free form tags that are to be used for tagging the ATP instance. | object | no |
| `definedTags` | The defined tags that are to be used for tagging the ATP instance. | object | no |
| Parameter | Description | Type | Mandatory |
| --------------------- | ------------------------------------------------------------------- | ------ | --------- |
| `name` | The display name for the ATP instance. | string | yes |
| `dbName` | Database Name. | string | yes |
| `compartmentId` | The OCI compartment where the ATP instance will be provisioned. | string | yes |
| `cpuCount` | Number of CPU cores to have. | int | yes |
| `storageSizeTBs` | Size of the DB Storage in Terrabytes. | int | yes |
| `password` | ATP Service will pre-provision a DB Admin user when it provisions an ATP instance. The user needs to provide a password to be set for this Admin user. The update of password using OCI Service Broker is not supported. Any changes to password after instance provisioning is ignored. <br>The OCI ATP service requires the password to satisfy the below rules.<br><ul><li>The length should be 12 to 18 characters.</li><li>A password must include an upper case, lower case, and special character.</li></ul> | string | yes |
| `licenseType` | Use your existing database software licenses(BYOL) or Subscribe to new database software licenses and the Database Cloud Service.<br>Valid values are:<ul><li>BYOL</li><li>NEW</li></ul>. | string | yes |
| `autoScaling` | The flag to enable auto-scaling in ATP Instance. Allows system to use up to three times the provisioned number of cores as the workload increases. By default, this flag is set to false. | boolean| no |
| `freeFormTags` | free form tags that are to be used for tagging the ATP instance. | object | no |
| `definedTags` | The defined tags that are to be used for tagging the ATP instance. | object | no |

## Using an Existing ATP Service Instance

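Review bot: same points as for adw.md: "is ignored" should be "are ignored", `Terrabytes` should be `Terabytes`, and the silent-ignore behaviour for `password` should be worded as "rotate the admin password through the ATP service, not through the broker" so that a parameter update is never mistaken for a credential rotation. The two tables are identical apart from the service name; a shared section would keep them from drifting on the next edit.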
8 changes: 4 additions & 4 deletions charts/oci-service-broker/docs/installation.md
@@ -69,7 +69,7 @@ brew update && brew install kubernetes-service-catalog-client
The OCI Service Broker is packaged as Helm chart for making it easy to install in Kubernetes. The chart is available at [charts/oci-service-broker](../) directory.

```plain
https://github.com/oracle/oci-service-broker/releases/download/v1.3.1/oci-service-broker-1.3.1.tgz
https://github.com/oracle/oci-service-broker/releases/download/v1.3.2/oci-service-broker-1.3.2.tgz
```

### OCI credentials
@@ -107,7 +107,7 @@ The value for `ociCredentials.secretName` should contain the name of the Kuberne
For quickly testing out OCI Service Broker, TLS can be disabled and an embedded etcd container can be used. This can be used for quickly setting up the Broker but not recommended in PRODUCTION environments. Please refer to [Recommended Setup](#recommended-setup) for PRODUCTION environments

```bash
helm install https://github.com/oracle/oci-service-broker/releases/download/v1.3.1/oci-service-broker-1.3.1.tgz --name oci-service-broker \
helm install https://github.com/oracle/oci-service-broker/releases/download/v1.3.2/oci-service-broker-1.3.2.tgz --name oci-service-broker \
--set ociCredentials.secretName=ocicredentials \
--set storage.etcd.useEmbedded=true \
--set tls.enabled=false
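Review bot: "Please refer to [Recommended Setup](#recommended-setup) for PRODUCTION environments" is missing its full stop. More importantly, the quick-start command sets `tls.enabled=false`; the flag name says the broker endpoint is served without TLS, and the sentence above the block should state that plainly (and that broker state lives in the embedded etcd container inside the cluster) rather than only "not recommended", so the block is not copied into a shared cluster by someone skimming.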
@@ -200,7 +200,7 @@ Please note that the names in keys i.e. keyStore.password and keyStore must not

Replace the values of --set arguments with your appropriate values to install the OCI Service Broker. User needs to point docker images either from OCIR or from their repository.
```bash
helm install https://github.com/oracle/oci-service-broker/releases/download/v1.3.1/oci-service-broker-1.3.1.tgz --name oci-service-broker \
helm install https://github.com/oracle/oci-service-broker/releases/download/v1.3.2/oci-service-broker-1.3.2.tgz --name oci-service-broker \
--set ociCredentials.secretName=ocicredentials \
--set tls.secretName=certsecret \
--set storage.etcd.servers=<comma separated list of etcd servers>
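Review bot: `--set storage.etcd.servers=<comma separated list of etcd servers>` will not work once the placeholder is filled in: Helm's `--set` uses the comma to separate key=value pairs, so a value such as `etcd-0:2379,etcd-1:2379` is parsed as a second key. Either escape the commas (`etcd-0:2379\,etcd-1:2379`) or move the value into a values file passed with `-f`, and say so in the sentence above the block, since this is the production variant of the install.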
@@ -245,7 +245,7 @@ Refer [Restrict access to Service Catalog resources using RBAC](security.md#rest
Sample files for various services are available under [`oci-service-broker/samples`](../samples) directory inside the charts. The below command extracts chart that contains the sample files.

```bash
curl https://github.com/oracle/oci-service-broker/releases/download/v1.3.1/oci-service-broker-1.3.1.tgz | tar xz
curl https://github.com/oracle/oci-service-broker/releases/download/v1.3.2/oci-service-broker-1.3.2.tgz | tar xz
```

Create a `ClusterServiceBroker` resource with OCI Service Broker URL to register the broker. Use the below register yaml file after updating the namespace of the OCI Service Broker.
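Review bot: `curl https://github.com/.../v1.3.2/oci-service-broker-1.3.2.tgz | tar xz` does not work as written: GitHub release download URLs answer with an HTTP redirect, and `curl` without `-L` pipes the short redirect body into `tar`, which then fails. Use `curl -fsSL ... | tar xz`, and since the command pipes a downloaded archive straight into extraction, prefer downloading to a file, checking a published digest, and extracting afterwards.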
2 changes: 1 addition & 1 deletion charts/oci-service-broker/docs/object-storage.md
@@ -83,7 +83,7 @@ Service Binding is optional in case of this service. OCI User credentials can be

| Parameter | Description | Type |
| ---------------- | ------------------------------------------------------------ | ------ |
| preAuthAccessUri | The [Pre-Authenticated Access URI](https://docs.cloud.oracle.com/iaas/Content/Object/Tasks/usingpreauthenticatedrequests.htm?tocpath=Services%7CObject%20Storage%7C_____5) of the bucket | string |
| preAuthAccessUri | The [Pre-Authenticated Access URI](https://docs.cloud.oracle.com/iaas/Content/Object/Tasks/usingpreauthenticatedrequests.htm?tocpath=Services%7CObject%20Storage%7C_____5) of the bucket. This URI does not include the oci endpoint URL which needs to appended by the user before making the call. | string |

## Example

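Review bot: "which needs to appended" should be "which needs to be appended", and "oci endpoint URL" should name the endpoint it means (the Object Storage regional endpoint) so users know which host to prefix. Since the linked OCI documentation describes a pre-authenticated request as a link that grants access to whoever holds it until it expires, the row should also say that this value is a credential: keep it in the binding Secret, do not log it, and expect the binding to stop working when the request expires.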
18 changes: 10 additions & 8 deletions charts/oci-service-broker/docs/security.md
@@ -85,23 +85,25 @@ OCI Service Broker uses the OCI user credentials only for authenticating the cal

### Policies to allow access to Services

In OCI by default, access to all resources for an user is denied. The tenancy administrator is required to explicitly whitelist a user to have access for the required resources. Below table lists the services supported by OCI Service Broker and the policy statement required in order for the service broker to manage the service.
In OCI by default, access to all resources for an user is denied. The tenancy administrator is required to explicitly whitelist a user to have access for the required resources. It is strongly recommended to restrict access for the user used by OCI Service Broker to only region in which OCI Service Broker is expected to manage resources.

Below table lists the services supported by OCI Service Broker and the policy statement required in order for the service broker to manage the service.

| Service-Name | [Verbs](https://docs.cloud.oracle.com/iaas/Content/Identity/Reference/policyreference.htm?Highlight=policy#Verbs) | [Resources-Types](https://docs.cloud.oracle.com/iaas/Content/Identity/Reference/policyreference.htm?Highlight=policy#Resource) | Sample Policy Statement |
| ------------ | ----- | --------------- | ----------------------- |
| Autonomous Transaction Processing (ATP) |`manage` |`autonomous-database` |Allow group service-broker-group to manage autonomous-database |
| Autonomous Data Warehouse (ADW) |`manage` |`autonomous-data-warehouse` |Allow group service-broker-group to manage autonomous-data-warehouse |
| Objectstore Buckets |`manage` |`buckets` |Allow group service-broker-group to manage buckets |
| Autonomous Database (ATP/ADW) |`manage` |`autonomous-database` |Allow group service-broker-group to manage autonomous-database where request.region='<region_short_id>'|
| Objectstore Buckets |`manage` |`buckets` |Allow group service-broker-group to manage buckets where request.region='<region_short_id>'|
| Streaming | `manage` | `streams` | Allow group service-broker-group to manage streams where request.region='<region_short_id>'|

### Restrict the permissions only to the required Compartments
### Restrict the permissions only to the required Compartments and Region

While creating the policies to allow OCI Service Broker user to manage services, it is important to consider restricting those permissions to only the required compartment(s). This can be done by adding compartment name in the policy.
While creating the policies to allow OCI Service Broker user to manage services, it is important to consider restricting those permissions to only the required compartment(s) and region. This can be done by adding compartment name and region in the policy.

**Example:**

`Allow group service-broker-group to manage autonomous-database in compartment service-broker`
`Allow group service-broker-group to manage autonomous-database in compartment service-broker where request.region='phx''`

The above policy provides access for group `service-broker-group` to manage ATP only in compartment `service-broker`.
The above policy provides access for group `service-broker-group` to manage ATP only in compartment `service-broker` in region `US West (Phoenix)`.

## Limit access to OCI Service Broker endpoint using Networkpolicy

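Review bot: the example policy has a stray quote: `where request.region='phx''` ends with two single quotes and will be rejected or misparsed by the policy engine; it should read `where request.region='phx'`. Two smaller wording items: "for an user" should be "for a user", and "to only region in which" should be "to only the region in which". One consistency issue: this table now folds ADW into the `autonomous-database` resource type, but the adw.md hunk above still shows `Allow group <SERVICE_BROKER_GROUP> to manage autonomous-data-warehouse in compar...`; either both docs should use the same resource type or the table should explain when `autonomous-data-warehouse` is still required. Finally, the sample statements in the table omit the `in compartment` clause that the section below recommends; showing the full least-privilege form in the table avoids readers copying the broader one.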
2 changes: 1 addition & 1 deletion charts/oci-service-broker/values.yaml
@@ -14,7 +14,7 @@ image:
repository: iad.ocir.io/oracle/oci-service-broker

# Tag of the image
tag: 1.3.1
tag: 1.3.2

# The image pull policy
pullPolicy: Always
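Review bot: the image is pinned by the mutable tag `1.3.2` with `pullPolicy: Always`, so whatever is later pushed to `iad.ocir.io/oracle/oci-service-broker:1.3.2` is pulled silently at every pod start. For a release, consider recording the image digest (`@sha256:<digest of the released image>`) beside the tag, or at least stating it in the changelog, so a running deployment can be verified against what was actually released.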
2 changes: 1 addition & 1 deletion oci-service-broker/build.gradle
@@ -30,7 +30,7 @@ apply plugin: 'maven-publish'
archivesBaseName = 'oci-service-broker'

// Sometimes, the version has to be overridden from command line
version = project.hasProperty('version_num') ? project.getProperty('version_num') : '1.3.1'
version = project.hasProperty('version_num') ? project.getProperty('version_num') : '1.3.2'
ext.dockerGroup = 'iad.ocir.io/oci-cnp-dev'
mainClassName = 'com.oracle.oci.osb.Broker'

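Review bot: the fallback `version` now matches the chart, but the release number is hand-edited in three places in this commit (here, Chart.yaml and values.yaml); a single source of truth would stop the next bump from missing one. Also worth confirming: `ext.dockerGroup = 'iad.ocir.io/oci-cnp-dev'` differs from the `iad.ocir.io/oracle/oci-service-broker` repository in values.yaml; if the dev group is only for local builds, a comment saying so would make clear which registry path a release is published from.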

0 comments on commit 1528c46
