From 1528c465c472f87a78837841fa42aa00581e764d Mon Sep 17 00:00:00 2001 From: Jayasheelan Kumar Date: Thu, 28 Nov 2019 12:41:00 +0530 Subject: [PATCH] New Release v1.3.2 for OCI Service Broker - Minor Documentation Fixes Co-authored-by: Ashokkumar Kannan ashokkumar.kannan@oracle.com Co-authored-by: Jayasheelan Kumar jayasheelan.kumar@oracle.com --- CHANGELOG.md | 4 ++++ README.md | 2 +- charts/oci-service-broker/Chart.yaml | 2 +- charts/oci-service-broker/docs/adw.md | 24 +++++++++---------- charts/oci-service-broker/docs/atp.md | 24 +++++++++---------- .../oci-service-broker/docs/installation.md | 8 +++---- .../oci-service-broker/docs/object-storage.md | 2 +- charts/oci-service-broker/docs/security.md | 18 +++++++------- charts/oci-service-broker/values.yaml | 2 +- oci-service-broker/build.gradle | 2 +- 10 files changed, 47 insertions(+), 41 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5301bd8..baf8027 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,10 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/). This project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). +[1.3.2] + +- Minor documentation fixes + [1.3.1] - Minor Bug Fixes diff --git a/README.md b/README.md index 64db02e..56dc557 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,7 @@ See the [Documentation](charts/oci-service-broker/README.md#oci-service-broker) The OCI Service Broker is packaged as Helm chart for making it easy to install in Kubernetes Clusters. The chart can be downloaded from below URL. ``` -https://github.com/oracle/oci-service-broker/releases/download/v1.3.1/oci-service-broker-1.3.1.tgz +https://github.com/oracle/oci-service-broker/releases/download/v1.3.2/oci-service-broker-1.3.2.tgz ``` ## Samples diff --git a/charts/oci-service-broker/Chart.yaml b/charts/oci-service-broker/Chart.yaml index e4e5f05..953bcd0 100644 
--- a/charts/oci-service-broker/Chart.yaml +++ b/charts/oci-service-broker/Chart.yaml @@ -5,4 +5,4 @@ apiVersion: v1 description: A Helm chart for installing OCI Service Broker into a Kubernetes cluster name: oci-service-broker -version: 1.3.1 +version: 1.3.2 diff --git a/charts/oci-service-broker/docs/adw.md b/charts/oci-service-broker/docs/adw.md index 9b61dcd..94c9ff0 100644 --- a/charts/oci-service-broker/docs/adw.md +++ b/charts/oci-service-broker/docs/adw.md @@ -51,18 +51,18 @@ Allow group to manage autonomous-data-warehouse in compar To provision, an ADW service user needs to provide the following details: -| Parameter | Description | Type | Mandatory | -| ---------------- | ------------------------------------------------------------------- | ------ | --------- | -| `name` | The display name for the ADW instance. | string | yes | -| `dbName` | Database Name. | string | yes | -| `compartmentId` | The OCI compartment where the ADW instance will be provisioned. | string | yes | -| `cpuCount` | Number of CPU cores to have. | int | yes | -| `storageSizeTBs` | Size of the DB Storage in Terrabytes. | int | yes | -| `password` | ADW Service will pre-provision a DB Admin user when it provisions an ADW instance. The user needs to provide a password to be set for this Admin user.
The OCI ADW service requires the password to satisfy the below rules.
| string | yes | -| `licenseType` | Use your existing database software licenses(BYOL) or Subscribe to new database software licenses and the Database Cloud Service.
Valid values are:. | string | yes | -| `autoScaling` | The flag to enable auto-scaling in ADW Instance. Allows system to use up to three times the provisioned number of cores as the workload increases. By default, this flag is set to false. | boolean| no | -| `freeFormTags` | free form tags that are to be used for tagging the ADW instance. | object | no | -| `definedTags` | The defined tags that are to be used for tagging the ADW instance. | object | no | +| Parameter | Description | Type | Mandatory | +| -------------------- | ------------------------------------------------------------------- | ------ | --------- | +| `name` | The display name for the ADW instance. | string | yes | +| `dbName` | Database Name. | string | yes | +| `compartmentId` | The OCI compartment where the ADW instance will be provisioned. | string | yes | +| `cpuCount` | Number of CPU cores to have. | int | yes | +| `storageSizeTBs` | Size of the DB Storage in Terrabytes. | int | yes | +| `password` | ADW Service will pre-provision a DB Admin user when it provisions an ADW instance. The user needs to provide a password to be set for this Admin user. The update of password using OCI Service Broker is not supported. Any changes to password after instance provisioning is ignored.
The OCI ADW service requires the password to satisfy the below rules.
| string | yes | +| `licenseType` | Use your existing database software licenses(BYOL) or Subscribe to new database software licenses and the Database Cloud Service.
Valid values are:. | string | yes | +| `autoScaling` | The flag to enable auto-scaling in ADW Instance. Allows system to use up to three times the provisioned number of cores as the workload increases. By default, this flag is set to false. | boolean| no | +| `freeFormTags` | free form tags that are to be used for tagging the ADW instance. | object | no | +| `definedTags` | The defined tags that are to be used for tagging the ADW instance. | object | no | ## Using an Existing ADW Service Instance diff --git a/charts/oci-service-broker/docs/atp.md b/charts/oci-service-broker/docs/atp.md index 604b42b..32fe1a3 100644 --- a/charts/oci-service-broker/docs/atp.md +++ b/charts/oci-service-broker/docs/atp.md @@ -51,18 +51,18 @@ Allow group to manage autonomous-database in compartment To provision, an ATP service user needs to provide the following details: -| Parameter | Description | Type | Mandatory | -| ---------------- | ------------------------------------------------------------------- | ------ | --------- | -| `name` | The display name for the ATP instance. | string | yes | -| `dbName` | Database Name. | string | yes | -| `compartmentId` | The OCI compartment where the ATP instance will be provisioned. | string | yes | -| `cpuCount` | Number of CPU cores to have. | int | yes | -| `storageSizeTBs` | Size of the DB Storage in Terrabytes. | int | yes | -| `password` | ATP Service will pre-provision a DB Admin user when it provisions an ATP instance. The user needs to provide a password to be set for this Admin user.
The OCI ATP service requires the password to satisfy the below rules.
  • The length should be 12 to 18 characters.
  • A password must include an upper case, lower case, and special character.
| string | yes | -| `licenseType` | Use your existing database software licenses(BYOL) or Subscribe to new database software licenses and the Database Cloud Service.
Valid values are:
  • BYOL
  • NEW
. | string | yes | -| `autoScaling` | The flag to enable auto-scaling in ATP Instance. Allows system to use up to three times the provisioned number of cores as the workload increases. By default, this flag is set to false. | boolean| no | -| `freeFormTags` | free form tags that are to be used for tagging the ATP instance. | object | no | -| `definedTags` | The defined tags that are to be used for tagging the ATP instance. | object | no | +| Parameter | Description | Type | Mandatory | +| --------------------- | ------------------------------------------------------------------- | ------ | --------- | +| `name` | The display name for the ATP instance. | string | yes | +| `dbName` | Database Name. | string | yes | +| `compartmentId` | The OCI compartment where the ATP instance will be provisioned. | string | yes | +| `cpuCount` | Number of CPU cores to have. | int | yes | +| `storageSizeTBs` | Size of the DB Storage in Terrabytes. | int | yes | +| `password` | ATP Service will pre-provision a DB Admin user when it provisions an ATP instance. The user needs to provide a password to be set for this Admin user. The update of password using OCI Service Broker is not supported. Any changes to password after instance provisioning is ignored.
The OCI ATP service requires the password to satisfy the below rules.
  • The length should be 12 to 18 characters.
  • A password must include an upper case, lower case, and special character.
| string | yes | +| `licenseType` | Use your existing database software licenses(BYOL) or Subscribe to new database software licenses and the Database Cloud Service.
Valid values are:
  • BYOL
  • NEW
. | string | yes | +| `autoScaling` | The flag to enable auto-scaling in ATP Instance. Allows system to use up to three times the provisioned number of cores as the workload increases. By default, this flag is set to false. | boolean| no | +| `freeFormTags` | free form tags that are to be used for tagging the ATP instance. | object | no | +| `definedTags` | The defined tags that are to be used for tagging the ATP instance. | object | no | ## Using an Existing ATP Service Instance diff --git a/charts/oci-service-broker/docs/installation.md b/charts/oci-service-broker/docs/installation.md index 9c89eab..37a4032 100644 --- a/charts/oci-service-broker/docs/installation.md +++ b/charts/oci-service-broker/docs/installation.md @@ -69,7 +69,7 @@ brew update && brew install kubernetes-service-catalog-client The OCI Service Broker is packaged as Helm chart for making it easy to install in Kubernetes. The chart is available at [charts/oci-service-broker](../) directory. ```plain -https://github.com/oracle/oci-service-broker/releases/download/v1.3.1/oci-service-broker-1.3.1.tgz +https://github.com/oracle/oci-service-broker/releases/download/v1.3.2/oci-service-broker-1.3.2.tgz ``` ### OCI credentials 
@@ -107,7 +107,7 @@ The value for `ociCredentials.secretName` should contain the name of the Kuberne For quickly testing out OCI Service Broker, TLS can be disabled and an embedded etcd container can be used. This can be used for quickly setting up the Broker but not recommended in PRODUCTION environments. Please refer to [Recommended Setup](#recommended-setup) for PRODUCTION environments ```bash - helm install https://github.com/oracle/oci-service-broker/releases/download/v1.3.1/oci-service-broker-1.3.1.tgz --name oci-service-broker \ + helm install https://github.com/oracle/oci-service-broker/releases/download/v1.3.2/oci-service-broker-1.3.2.tgz --name oci-service-broker \ --set ociCredentials.secretName=ocicredentials \ --set storage.etcd.useEmbedded=true \ --set tls.enabled=false @@ -200,7 +200,7 @@ Please note that the names in keys i.e. keyStore.password and keyStore must not Replace the values of --set arguments with your appropriate values to install the OCI Service Broker. User needs to point docker images either from OCIR or from their repository. ```bash - helm install https://github.com/oracle/oci-service-broker/releases/download/v1.3.1/oci-service-broker-1.3.1.tgz --name oci-service-broker \ + helm install https://github.com/oracle/oci-service-broker/releases/download/v1.3.2/oci-service-broker-1.3.2.tgz --name oci-service-broker \ --set ociCredentials.secretName=ocicredentials \ --set tls.secretName=certsecret \ --set storage.etcd.servers= 
@@ -245,7 +245,7 @@ Refer [Restrict access to Service Catalog resources using RBAC](security.md#rest Sample files for various services are available under [`oci-service-broker/samples`](../samples) directory inside the charts. The below command extracts chart that contains the sample files. ```bash -curl https://github.com/oracle/oci-service-broker/releases/download/v1.3.1/oci-service-broker-1.3.1.tgz | tar xz +curl https://github.com/oracle/oci-service-broker/releases/download/v1.3.2/oci-service-broker-1.3.2.tgz | tar xz ``` Create a `ClusterServiceBroker` resource with OCI Service Broker URL to register the broker. Use the below register yaml file after updating the namespace of the OCI Service Broker. diff --git a/charts/oci-service-broker/docs/object-storage.md b/charts/oci-service-broker/docs/object-storage.md index d89f895..a9a6353 100644 --- a/charts/oci-service-broker/docs/object-storage.md +++ b/charts/oci-service-broker/docs/object-storage.md @@ -83,7 +83,7 @@ Service Binding is optional in case of this service. OCI User credentials can be | Parameter | Description | Type | | ---------------- | ------------------------------------------------------------ | ------ | -| preAuthAccessUri | The [Pre-Authenticated Access URI](https://docs.cloud.oracle.com/iaas/Content/Object/Tasks/usingpreauthenticatedrequests.htm?tocpath=Services%7CObject%20Storage%7C_____5) of the bucket | string | +| preAuthAccessUri | The [Pre-Authenticated Access URI](https://docs.cloud.oracle.com/iaas/Content/Object/Tasks/usingpreauthenticatedrequests.htm?tocpath=Services%7CObject%20Storage%7C_____5) of the bucket. This URI does not include the oci endpoint URL which needs to appended by the user before making the call. | string | ## Example diff --git a/charts/oci-service-broker/docs/security.md b/charts/oci-service-broker/docs/security.md index 5a750ec..147836f 100644 --- a/charts/oci-service-broker/docs/security.md +++ b/charts/oci-service-broker/docs/security.md 
@@ -85,23 +85,25 @@ OCI Service Broker uses the OCI user credentials only for authenticating the cal ### Policies to allow access to Services -In OCI by default, access to all resources for an user is denied. The tenancy administrator is required to explicitly whitelist a user to have access for the required resources. Below table lists the services supported by OCI Service Broker and the policy statement required in order for the service broker to manage the service. +In OCI by default, access to all resources for an user is denied. The tenancy administrator is required to explicitly whitelist a user to have access for the required resources. It is strongly recommended to restrict access for the user used by OCI Service Broker to only region in which OCI Service Broker is expected to manage resources. + +Below table lists the services supported by OCI Service Broker and the policy statement required in order for the service broker to manage the service. | Service-Name | [Verbs](https://docs.cloud.oracle.com/iaas/Content/Identity/Reference/policyreference.htm?Highlight=policy#Verbs) | [Resources-Types](https://docs.cloud.oracle.com/iaas/Content/Identity/Reference/policyreference.htm?Highlight=policy#Resource) | Sample Policy Statement | | ------------ | ----- | --------------- | ----------------------- | -| Autonomous Transaction Processing (ATP) |`manage` |`autonomous-database` |Allow group service-broker-group to manage autonomous-database | -| Autonomous Data Warehouse (ADW) |`manage` |`autonomous-data-warehouse` |Allow group service-broker-group to manage autonomous-data-warehouse | -| Objectstore Buckets |`manage` |`buckets` |Allow group service-broker-group to manage buckets | +| Autonomous Database (ATP/ADW) |`manage` |`autonomous-database` |Allow group service-broker-group to manage autonomous-database where request.region=''| +| Objectstore Buckets |`manage` |`buckets` |Allow group service-broker-group to manage buckets where request.region=''| +| 
Streaming | `manage` | `streams` | Allow group service-broker-group to manage streams where request.region=''| -### Restrict the permissions only to the required Compartments +### Restrict the permissions only to the required Compartments and Region -While creating the policies to allow OCI Service Broker user to manage services, it is important to consider restricting those permissions to only the required compartment(s). This can be done by adding compartment name in the policy. +While creating the policies to allow OCI Service Broker user to manage services, it is important to consider restricting those permissions to only the required compartment(s) and region. This can be done by adding compartment name and region in the policy. **Example:** -`Allow group service-broker-group to manage autonomous-database in compartment service-broker` +`Allow group service-broker-group to manage autonomous-database in compartment service-broker where request.region='phx''` -The above policy provides access for group `service-broker-group` to manage ATP only in compartment `service-broker`. +The above policy provides access for group `service-broker-group` to manage ATP only in compartment `service-broker` in region `US West (Phoenix)`. ## Limit access to OCI Service Broker endpoint using Networkpolicy diff --git a/charts/oci-service-broker/values.yaml b/charts/oci-service-broker/values.yaml index 7a2c44f..8b21a0d 100644 --- a/charts/oci-service-broker/values.yaml +++ b/charts/oci-service-broker/values.yaml @@ -14,7 +14,7 @@ image: repository: iad.ocir.io/oracle/oci-service-broker # Tag of the image - tag: 1.3.1 + tag: 1.3.2 # The image pull policy pullPolicy: Always diff --git a/oci-service-broker/build.gradle b/oci-service-broker/build.gradle index 4254f9e..1856fd6 100644 --- a/oci-service-broker/build.gradle +++ b/oci-service-broker/build.gradle 
@@ -30,7 +30,7 @@ apply plugin: 'maven-publish' archivesBaseName = 'oci-service-broker' // Sometimes, the version has to be overridden from command line -version = project.hasProperty('version_num') ? project.getProperty('version_num') : '1.3.1' +version = project.hasProperty('version_num') ? project.getProperty('version_num') : '1.3.2' ext.dockerGroup = 'iad.ocir.io/oci-cnp-dev' mainClassName = 'com.oracle.oci.osb.Broker'
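Review bot: the new `[1.3.2]` changelog entry says only "Minor documentation fixes", but this patch also changes guidance that operators act on: the security.md hunk now recommends a `request.region` restriction in the broker's policies and collapses the ATP and ADW rows into a single `autonomous-database` resource type, and the adw.md/atp.md hunks state that password changes after provisioning are ignored. List those as separate bullets under 1.3.2 so that anyone reviewing policy or behaviour changes between releases can find them from the changelog.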
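Review bot: in the rewritten adw.md rows, "Terrabytes" should be "Terabytes", and the `licenseType` cell ends with "Valid values are:." followed by nothing, where the atp.md hunk lists `BYOL` and `NEW` at the same point; likewise the `password` cell says "The OCI ADW service requires the password to satisfy the below rules." but, unlike atp.md, no rules follow. If those lists are genuinely absent from adw.md rather than lost in quoting, copy them over so both tables document the same constraints. "Any changes to password after instance provisioning is ignored" should read "are ignored".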
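Review bot: in the atp.md hunk, "The update of password using OCI Service Broker is not supported. Any changes to password after instance provisioning is ignored." describes a silent failure: a user who edits the `password` parameter on an existing instance gets no error, yet the admin password stays as it was. Beyond the grammar fix ("are ignored"), the row should say explicitly that the broker will not report the ignored change and that the admin password has to be rotated through OCI itself, so that nobody assumes a credential was changed when it was not.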
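Review bot: the sample-extraction hunk in installation.md, `curl https://github.com/oracle/oci-service-broker/releases/download/v1.3.2/oci-service-broker-1.3.2.tgz | tar xz`, does not work as written: GitHub release download URLs answer with a redirect, and `curl` does not follow redirects unless given `-L`, so `tar` receives the redirect body instead of the archive. Since the hunk is being touched anyway, it is also the place to add integrity checking: publish a SHA-256 for the release tarball alongside the release and show the reader comparing it (for example with `sha256sum -c`) before the chart is installed, as the chart is fetched over the network and then deployed into the cluster.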
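Review bot: in the object-storage.md hunk, "which needs to appended by the user" should read "which needs to be appended by the user", and "oci endpoint URL" should be "OCI Object Storage endpoint URL". The sentence tells the reader to assemble the URL but not how: show the shape of the `preAuthAccessUri` value as returned in the binding and of the final URL once the regional endpoint is prepended. It should also state that the assembled URL is usable without any further OCI credential, which is why the binding secret holding it deserves the same protection as the OCI user credentials mentioned just above the table.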
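Review bot: in the security.md hunk, the example policy `Allow group service-broker-group to manage autonomous-database in compartment service-broker where request.region='phx''` has a doubled closing quote after `phx` and is unlikely to be accepted if pasted as written. The table rows use `where request.region=''` with an empty value; say explicitly that the reader must fill in their own region key there. Grammar: "restrict access for the user used by OCI Service Broker to only region in which" should read "to only the region in which". Finally, the table now merges ATP and ADW into one `autonomous-database` row and drops `autonomous-data-warehouse`, while the adw.md hunk context in this same patch still reads "Allow group to manage autonomous-data-warehouse in compar"; the two pages should agree on which resource type ADW requires, otherwise one of them leads to a policy that either fails to grant the broker access or grants more than it needs.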