Merge branch 'main' into features/refactored-hap-doc

internal/broker/instance_create.go

@@ -303,10 +303,12 @@ func (b *ProvisionEndpoint) validateAndExtract(details domain.ProvisionDetails,
 
 	if parameters.AdditionalWorkerNodePools != nil {
 		if !supportsAdditionalWorkerNodePools(details.PlanID) {
-			return ersContext, parameters, fmt.Errorf("additional worker node pools are not supported for plan ID: %s", details.PlanID)
+			message := fmt.Sprintf("additional worker node pools are not supported for plan ID: %s", details.PlanID)
+			return ersContext, parameters, apiresponses.NewFailureResponse(fmt.Errorf(message), http.StatusUnprocessableEntity, message)
 		}
 		if !AreNamesUnique(parameters.AdditionalWorkerNodePools) {
-			return ersContext, parameters, fmt.Errorf("names of additional worker node pools must be unique")
+			message := "names of additional worker node pools must be unique"
+			return ersContext, parameters, apiresponses.NewFailureResponse(fmt.Errorf(message), http.StatusUnprocessableEntity, message)
 		}
 		for _, additionalWorkerNodePool := range parameters.AdditionalWorkerNodePools {
 			if err := additionalWorkerNodePool.Validate(); err != nil {

internal/broker/instance_update.go

@@ -266,10 +266,12 @@ func (b *UpdateEndpoint) processUpdateParameters(instance *internal.Instance, de
 
 	if params.AdditionalWorkerNodePools != nil {
 		if !supportsAdditionalWorkerNodePools(details.PlanID) {
-			return domain.UpdateServiceSpec{}, fmt.Errorf("additional worker node pools are not supported for plan ID: %s", details.PlanID)
+			message := fmt.Sprintf("additional worker node pools are not supported for plan ID: %s", details.PlanID)
+			return domain.UpdateServiceSpec{}, apiresponses.NewFailureResponse(fmt.Errorf(message), http.StatusBadRequest, message)
 		}
 		if !AreNamesUnique(params.AdditionalWorkerNodePools) {
-			return domain.UpdateServiceSpec{}, fmt.Errorf("names of additional worker node pools must be unique")
+			message := "names of additional worker node pools must be unique"
+			return domain.UpdateServiceSpec{}, apiresponses.NewFailureResponse(fmt.Errorf(message), http.StatusBadRequest, message)
 		}
 		for _, additionalWorkerNodePool := range params.AdditionalWorkerNodePools {
 			if err := additionalWorkerNodePool.Validate(); err != nil {

resources/keb/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
-appVersion: "1.11.16"
+appVersion: "1.11.18"
 name: keb
 description:
 description: Kyma Environment Broker Helm chart for Kubernetes
-version: 1.11.16
+version: 1.11.18
 type: application

resources/keb/templates/runtime-reconciler-deployment.yaml

@@ -15,6 +15,7 @@ spec:
     metadata:
       labels:
         app.kubernetes.io/name: runtime-reconciler
+        app.kubernetes.io/instance: {{ .Values.namePrefix }}
     spec:
       serviceAccountName: {{ .Values.global.kyma_environment_broker.serviceAccountName }}
       {{- with .Values.deployment.securityContext }}

resources/keb/templates/subaccount-sync-deployment.yaml

@@ -15,6 +15,7 @@ spec:
     metadata:
       labels:
         app.kubernetes.io/name: subaccount-sync
+        app.kubernetes.io/instance: {{ .Values.namePrefix }}
     spec:
       serviceAccountName: {{ .Values.global.kyma_environment_broker.serviceAccountName }}
       {{- with .Values.deployment.securityContext }}

resources/keb/values.yaml

@@ -9,34 +9,34 @@ global:
       path: europe-docker.pkg.dev/kyma-project/prod
     kyma_environment_broker:
       dir:
-      version: "1.11.16"
+      version: "1.11.18"
     kyma_environment_broker_schema_migrator:
       dir:
-      version: 1.11.16
+      version: 1.11.18
     kyma_environments_subaccount_cleanup_job:
       dir:
-      version: "1.11.16"
+      version: "1.11.18"
     kyma_environment_trial_cleanup_job:
       dir:
-      version: "1.11.16"
+      version: "1.11.18"
     kyma_environment_expirator_job:
       dir:
-      version: "1.11.16"
+      version: "1.11.18"
     kyma_environment_deprovision_retrigger_job:
       dir:
-      version: "1.11.16"
+      version: "1.11.18"
     kyma_environment_runtime_reconciler:
       dir:
-      version: "1.11.16"
+      version: "1.11.18"
     kyma_environment_subaccount_sync:
       dir:
-      version: "1.11.16"
+      version: "1.11.18"
     kyma_environment_globalaccounts:
       dir:
-      version: "1.11.16"
+      version: "1.11.18"
     kyma_environment_service_binding_cleanup_job:
       dir:
-      version: 1.11.16
+      version: 1.11.18
 
   kyma_environment_broker:
     serviceAccountName: "kcp-kyma-environment-broker"

sec-scanners-config.yaml

@@ -1,17 +1,17 @@
 module-name: kyma-environment-broker
-rc-tag: 1.11.16
+rc-tag: 1.11.18
 protecode:
-  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-broker:1.11.16
-  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-deprovision-retrigger-job:1.11.16
-  - europe-docker.pkg.dev/kyma-project/prod/kyma-environments-cleanup-job:1.11.16
-  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-runtime-reconciler:1.11.16
-  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-archiver-job:1.11.16
-  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-expirator-job:1.11.16
-  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-subaccount-cleanup-job:1.11.16
-  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-subaccount-sync:1.11.16
-  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-broker-globalaccounts:1.11.16
-  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-broker-schema-migrator:1.11.16
-  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-service-binding-cleanup-job:1.11.16
+  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-broker:1.11.18
+  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-deprovision-retrigger-job:1.11.18
+  - europe-docker.pkg.dev/kyma-project/prod/kyma-environments-cleanup-job:1.11.18
+  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-runtime-reconciler:1.11.18
+  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-archiver-job:1.11.18
+  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-expirator-job:1.11.18
+  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-subaccount-cleanup-job:1.11.18
+  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-subaccount-sync:1.11.18
+  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-broker-globalaccounts:1.11.18
+  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-broker-schema-migrator:1.11.18
+  - europe-docker.pkg.dev/kyma-project/prod/kyma-environment-service-binding-cleanup-job:1.11.18
 whitesource:
   language: golang-mod
   subprojects: false

testing/e2e/skr-tester/pkg/command/assert.go

@@ -33,6 +33,7 @@ type AssertCommand struct {
 	editBtpManagerSecret   bool
 	deleteBtpManagerSecret bool
 	suspensionInProgress   bool
+	endpointsSecured       bool
 }
 
 func NewAsertCmd() *cobra.Command {
@@ -49,7 +50,8 @@ func NewAsertCmd() *cobra.Command {
   skr-tester assert -i instanceID -b                                     Checks if the BTP manager secret exists in the instance.
   skr-tester assert -i instanceID -e                                     Edits the BTP manager secret in the instance and checks if the secret is reconciled.
   skr-tester assert -i instanceID -d                                     Deletes the BTP manager secret in the instance and checks if the secret is reconciled.
-  skr-tester assert -i instanceID -s                                     Checks if the suspension operation is in progress for the instance.`,
+  skr-tester assert -i instanceID -s                                     Checks if the suspension operation is in progress for the instance.
+  skr-tester assert -i instanceID -n                                     Checks if KEB endpoints require authentication.`,
 
 		PreRunE: func(_ *cobra.Command, _ []string) error { return cmd.Validate() },
 		RunE:    func(_ *cobra.Command, _ []string) error { return cmd.Run() },
@@ -65,6 +67,7 @@ func NewAsertCmd() *cobra.Command {
 	cobraCmd.Flags().BoolVarP(&cmd.editBtpManagerSecret, "editBtpManagerSecret", "e", false, "Edits the BTP manager secret in the instance and checks if the secret is reconciled.")
 	cobraCmd.Flags().BoolVarP(&cmd.deleteBtpManagerSecret, "deleteBtpManagerSecret", "d", false, "Deletes the BTP manager secret in the instance and checks if the secret is reconciled.")
 	cobraCmd.Flags().BoolVarP(&cmd.suspensionInProgress, "suspensionInProgress", "s", false, "Checks if the suspension operation is in progress for the instance.")
+	cobraCmd.Flags().BoolVarP(&cmd.endpointsSecured, "endpointsSecured", "n", false, "Tests the KEB endpoints without authorization.")
 
 	return cobraCmd
 }
@@ -283,7 +286,34 @@ func (cmd *AssertCommand) Run() error {
 		}
 		fmt.Println("Suspension operation is in progress")
 		fmt.Printf("Suspension operationID: %s\n", *operationID)
+	} else if cmd.endpointsSecured {
+		brokerClient := broker.NewBrokerClient(broker.NewBrokerConfig())
+		platformRegion := brokerClient.GetPlatformRegion()
+		testData := []struct {
+			payload  interface{}
+			endpoint string
+			method   string
+		}{
+			{payload: nil, endpoint: fmt.Sprintf("oauth/v2/service_instances/%s", cmd.instanceID), method: "GET"},
+			{payload: nil, endpoint: "runtimes", method: "GET"},
+			{payload: nil, endpoint: "info/runtimes", method: "GET"},
+			{payload: nil, endpoint: "orchestrations", method: "GET"},
+			{payload: nil, endpoint: fmt.Sprintf("oauth/%sv2/service_instances/%s", platformRegion, cmd.instanceID), method: "PUT"},
+			{payload: nil, endpoint: "upgrade/cluster", method: "POST"},
+			{payload: nil, endpoint: "upgrade/kyma", method: "POST"},
+			{payload: nil, endpoint: fmt.Sprintf("oauth/v2/service_instances/%s", cmd.instanceID), method: "PATCH"},
+			{payload: nil, endpoint: fmt.Sprintf("oauth/v2/service_instances/%s", cmd.instanceID), method: "DELETE"},
+		}
+
+		for _, test := range testData {
+			err := brokerClient.CallBrokerWithoutToken(test.payload, test.endpoint, test.method)
+			if err != nil {
+				return fmt.Errorf("error while calling KEB endpoint %q without authorization: %v", test.endpoint, err)
+			}
+		}
+		fmt.Println("KEB endpoints test passed")
 	}
+
 	return nil
 }
 
@@ -316,8 +346,11 @@ func (cmd *AssertCommand) Validate() error {
 	if cmd.suspensionInProgress {
 		count++
 	}
+	if cmd.endpointsSecured {
+		count++
+	}
 	if count != 1 {
-		return fmt.Errorf("you must use exactly one of machineType, clusterOIDCConfig, kubeconfigOIDCConfig, admins, btpManagerSecretExists, editBtpManagerSecret, deleteBtpManagerSecret, or suspensionInProgress")
+		return fmt.Errorf("you must use exactly one of machineType, clusterOIDCConfig, kubeconfigOIDCConfig, admins, btpManagerSecretExists, editBtpManagerSecret, deleteBtpManagerSecret, suspensionInProgress, or endpointsSecured")
 	}
 	return nil
 }

utils/archiver/kyma-environment-broker-archiver.yaml

@@ -74,4 +74,4 @@ spec:
       template:
         spec:
           containers:
-            - image: europe-docker.pkg.dev/kyma-project/prod/kyma-environment-archiver-job:1.11.16
+            - image: europe-docker.pkg.dev/kyma-project/prod/kyma-environment-archiver-job:1.11.18

utils/kyma-environments-cleanup-job/kyma-environments-cleanup-job.yaml

@@ -28,7 +28,7 @@ spec:
           containers:
             - name: kyma-environments-cleanup
               command: ["/bin/main"]
-              image: europe-docker.pkg.dev/kyma-project/prod/kyma-environments-cleanup-job:1.11.16
+              image: europe-docker.pkg.dev/kyma-project/prod/kyma-environments-cleanup-job:1.11.18
               imagePullPolicy: IfNotPresent
               env:
                 - name: DATABASE_EMBEDDED