Initial commit

2025-11-30 08:55:15 +08:00
commit 0e7a2dc56e
16 changed files with 4431 additions and 0 deletions
--- a/templates/oauth-token-request.sh
+++ b/templates/oauth-token-request.sh
@@ -0,0 +1,137 @@
+#!/bin/bash
+# OAuth2 Access Token Retrieval Script
+# Documentation: https://github.com/SAP-docs/sap-btp-service-manager/blob/main/docs/Service-Consumption/SAP-Service-Manager/retrieve-an-oauth2-access-token-b6822e6.md
+#
+# Usage:
+#   ./oauth-token-request.sh <uaa_url> <clientid> <clientsecret>
+#   ./oauth-token-request.sh -f credentials.json
+#
+# Environment Variables:
+#   TOKEN_OUTPUT_FILE - Custom path for token response (default: token_response.json)
+#
+# Output:
+#   Prints access token to stdout
+#   Full response saved to $TOKEN_OUTPUT_FILE (default: token_response.json in cwd)
+#
+# Security Note:
+#   Token response file contains sensitive credentials. Ensure it is stored
+#   securely and deleted after use. For production, set TOKEN_OUTPUT_FILE to
+#   a secure location with restricted permissions.
+
+set -e
+
+# Function to display usage
+usage() {
+    echo "Usage: $0 <uaa_url> <clientid> <clientsecret>"
+    echo "   or: $0 -f <credentials.json>"
+    echo ""
+    echo "Examples:"
+    echo "  $0 https://xxx.authentication.eu10.hana.ondemand.com sb-client-id client-secret"
+    echo "  $0 -f binding-credentials.json"
+    exit 1
+}
+
+# Parse arguments
+if [ "$1" == "-f" ]; then
+    # Load from JSON file
+    if [ -z "$2" ] || [ ! -f "$2" ]; then
+        echo "Error: Credentials file not found: $2"
+        usage
+    fi
+
+    CREDENTIALS_FILE="$2"
+    UAA_URL=$(jq -r '.url // .uaa_url // .certurl' "$CREDENTIALS_FILE")
+    CLIENT_ID=$(jq -r '.clientid' "$CREDENTIALS_FILE")
+    CLIENT_SECRET=$(jq -r '.clientsecret // empty' "$CREDENTIALS_FILE")
+    CERTIFICATE=$(jq -r '.certificate // empty' "$CREDENTIALS_FILE")
+    KEY=$(jq -r '.key // empty' "$CREDENTIALS_FILE")
+
+    if [ -z "$UAA_URL" ] || [ -z "$CLIENT_ID" ]; then
+        echo "Error: Could not extract UAA URL or client ID from credentials file"
+        exit 1
+    fi
+else
+    # Use command line arguments
+    if [ $# -lt 3 ]; then
+        usage
+    fi
+
+    UAA_URL="$1"
+    CLIENT_ID="$2"
+    CLIENT_SECRET="$3"
+fi
+
+# Remove trailing slash from URL
+UAA_URL="${UAA_URL%/}"
+TOKEN_ENDPOINT="${UAA_URL}/oauth/token"
+
+echo "Requesting token from: $TOKEN_ENDPOINT" >&2
+echo "Client ID: $CLIENT_ID" >&2
+
+# Make token request
+if [ -n "$CERTIFICATE" ] && [ -n "$KEY" ]; then
+    # X.509 certificate authentication
+    echo "Using X.509 certificate authentication" >&2
+
+    # Write certificate and key to temp files
+    CERT_FILE=$(mktemp)
+    KEY_FILE=$(mktemp)
+    echo "$CERTIFICATE" > "$CERT_FILE"
+    echo "$KEY" > "$KEY_FILE"
+
+    RESPONSE=$(curl -s -X POST "$TOKEN_ENDPOINT" \
+        --cert "$CERT_FILE" \
+        --key "$KEY_FILE" \
+        -H "Accept: application/json" \
+        --data-urlencode "grant_type=client_credentials" \
+        --data-urlencode "client_id=$CLIENT_ID")
+
+    # Clean up temp files
+    rm -f "$CERT_FILE" "$KEY_FILE"
+else
+    # Client secret authentication
+    echo "Using client credentials authentication" >&2
+
+    RESPONSE=$(curl -s -X POST "$TOKEN_ENDPOINT" \
+        -H "Accept: application/json" \
+        --data-urlencode "grant_type=client_credentials" \
+        --data-urlencode "client_id=$CLIENT_ID" \
+        --data-urlencode "client_secret=$CLIENT_SECRET")
+fi
+
+# Save full response
+# WARNING: Token response is written to current working directory.
+# For production use, consider using a secure temporary directory or
+# specifying an explicit output path with appropriate permissions.
+TOKEN_OUTPUT_FILE="${TOKEN_OUTPUT_FILE:-token_response.json}"
+echo "$RESPONSE" > "$TOKEN_OUTPUT_FILE"
+echo "Full response saved to $TOKEN_OUTPUT_FILE" >&2
+echo "WARNING: Token file contains sensitive credentials - secure or delete after use" >&2
+
+# Check for errors
+ERROR=$(echo "$RESPONSE" | jq -r '.error // empty')
+if [ -n "$ERROR" ]; then
+    ERROR_DESC=$(echo "$RESPONSE" | jq -r '.error_description // "Unknown error"')
+    echo "Error: $ERROR - $ERROR_DESC" >&2
+    exit 1
+fi
+
+# Extract and display token info
+ACCESS_TOKEN=$(echo "$RESPONSE" | jq -r '.access_token')
+TOKEN_TYPE=$(echo "$RESPONSE" | jq -r '.token_type')
+EXPIRES_IN=$(echo "$RESPONSE" | jq -r '.expires_in')
+SCOPE=$(echo "$RESPONSE" | jq -r '.scope')
+
+echo "" >&2
+echo "Token Type: $TOKEN_TYPE" >&2
+echo "Expires In: $EXPIRES_IN seconds" >&2
+echo "Scopes: $SCOPE" >&2
+echo "" >&2
+
+# Output just the access token
+echo "$ACCESS_TOKEN"
+
+# Usage hint
+echo "" >&2
+echo "Use this token with:" >&2
+echo "  curl -H 'Authorization: Bearer <token>' https://service-manager.cfapps.region.hana.ondemand.com/v1/..." >&2
--- a/templates/service-binding-cf.json
+++ b/templates/service-binding-cf.json
@@ -0,0 +1,76 @@
+{
+  "_comment": "Cloud Foundry Service Binding Parameters Template",
+  "_documentation": "https://github.com/SAP-docs/sap-btp-service-manager/blob/main/docs/Service-Consumption/SAP-Service-Manager/bind-f53ff26.md",
+  "_usage": "smctl bind <instance> <binding> -c service-binding-cf.json",
+
+  "default_credentials": {
+    "_description": "Standard OAuth2 client credentials (default)",
+    "_note": "No parameters needed for default credentials"
+  },
+
+  "x509_credentials": {
+    "_description": "X.509 certificate-based credentials",
+    "credential-type": "x509"
+  },
+
+  "x509_custom_validity": {
+    "_description": "X.509 with custom certificate validity",
+    "credential-type": "x509",
+    "key-length": 4096,
+    "validity-type": "MONTHS",
+    "validity": 6,
+    "_validity_type_options": ["DAYS", "MONTHS", "YEARS"],
+    "_key_length_default": 2048,
+    "_validity_default": "7 DAYS"
+  },
+
+  "x509_short_lived": {
+    "_description": "Short-lived X.509 certificate (7 days)",
+    "credential-type": "x509",
+    "key-length": 2048,
+    "validity-type": "DAYS",
+    "validity": 7
+  },
+
+  "x509_production": {
+    "_description": "Production X.509 certificate (1 year)",
+    "credential-type": "x509",
+    "key-length": 4096,
+    "validity-type": "YEARS",
+    "validity": 1
+  },
+
+  "xsuaa_binding": {
+    "_description": "XSUAA-specific binding parameters",
+    "credential-type": "x509",
+    "x509": {
+      "key-length": 4096,
+      "validity": 30,
+      "validity-type": "DAYS"
+    }
+  },
+
+  "destination_binding": {
+    "_description": "Destination service binding parameters",
+    "_note": "Usually no parameters needed"
+  },
+
+  "service_manager_binding": {
+    "_description": "Service Manager binding for API access",
+    "_default_credentials_response": {
+      "clientid": "sb-xxx",
+      "clientsecret": "xxx",
+      "sm_url": "https://service-manager.cfapps.region.hana.ondemand.com",
+      "url": "https://xxx.authentication.region.hana.ondemand.com",
+      "xsappname": "xxx"
+    },
+    "_x509_credentials_response": {
+      "clientid": "sb-xxx",
+      "certificate": "-----BEGIN CERTIFICATE-----...",
+      "key": "-----BEGIN RSA PRIVATE KEY-----...",
+      "certurl": "https://xxx.authentication.cert.region.hana.ondemand.com",
+      "sm_url": "https://service-manager.cfapps.region.hana.ondemand.com",
+      "xsappname": "xxx"
+    }
+  }
+}
--- a/templates/service-binding-k8s.yaml
+++ b/templates/service-binding-k8s.yaml
@@ -0,0 +1,185 @@
+# Kubernetes ServiceBinding CRD Template
+# Documentation: https://github.com/SAP/sap-btp-service-operator
+# Usage: kubectl apply -f service-binding-k8s.yaml
+
+---
+# Basic Service Binding
+apiVersion: services.cloud.sap.com/v1alpha1
+kind: ServiceBinding
+metadata:
+  name: my-binding
+  namespace: default
+spec:
+  # Required: Reference to ServiceInstance
+  serviceInstanceName: my-service-instance
+
+---
+# Binding with External Name
+apiVersion: services.cloud.sap.com/v1alpha1
+kind: ServiceBinding
+metadata:
+  name: xsuaa-binding
+  namespace: default
+spec:
+  serviceInstanceName: xsuaa-instance
+  externalName: xsuaa-binding-external
+
+---
+# Binding with X.509 Credentials
+apiVersion: services.cloud.sap.com/v1alpha1
+kind: ServiceBinding
+metadata:
+  name: xsuaa-binding-x509
+  namespace: default
+spec:
+  serviceInstanceName: xsuaa-instance
+  parameters:
+    credential-type: x509
+
+---
+# Binding with X.509 Custom Validity
+apiVersion: services.cloud.sap.com/v1alpha1
+kind: ServiceBinding
+metadata:
+  name: xsuaa-binding-x509-custom
+  namespace: default
+spec:
+  serviceInstanceName: xsuaa-instance
+  parameters:
+    credential-type: x509
+    key-length: 4096
+    validity-type: MONTHS
+    validity: 6
+
+---
+# Binding with Custom Secret Name
+apiVersion: services.cloud.sap.com/v1alpha1
+kind: ServiceBinding
+metadata:
+  name: custom-secret-binding
+  namespace: default
+spec:
+  serviceInstanceName: my-service-instance
+  # Secret will be created with this name instead of binding name
+  secretName: my-custom-secret
+
+---
+# Binding with Secret Root Key
+apiVersion: services.cloud.sap.com/v1alpha1
+kind: ServiceBinding
+metadata:
+  name: binding-with-root-key
+  namespace: default
+spec:
+  serviceInstanceName: my-service-instance
+  # All credentials nested under this key in secret
+  secretRootKey: credentials
+
+---
+# Binding with Parameters from Secret
+apiVersion: services.cloud.sap.com/v1alpha1
+kind: ServiceBinding
+metadata:
+  name: binding-with-secret-params
+  namespace: default
+spec:
+  serviceInstanceName: my-service-instance
+  parametersFrom:
+    - secretKeyRef:
+        name: binding-parameters
+        key: params
+
+---
+# Secret for binding parameters
+apiVersion: v1
+kind: Secret
+metadata:
+  name: binding-parameters
+  namespace: default
+type: Opaque
+stringData:
+  params: |
+    {
+      "credential-type": "x509",
+      "key-length": 4096
+    }
+
+---
+# Example: Using binding credentials in a Pod (Environment Variables)
+apiVersion: v1
+kind: Pod
+metadata:
+  name: app-with-env-credentials
+  namespace: default
+spec:
+  containers:
+    - name: app
+      image: my-app:latest
+      env:
+        - name: XSUAA_CLIENTID
+          valueFrom:
+            secretKeyRef:
+              name: xsuaa-binding
+              key: clientid
+        - name: XSUAA_CLIENTSECRET
+          valueFrom:
+            secretKeyRef:
+              name: xsuaa-binding
+              key: clientsecret
+        - name: XSUAA_URL
+          valueFrom:
+            secretKeyRef:
+              name: xsuaa-binding
+              key: url
+
+---
+# Example: Using binding credentials in a Pod (Volume Mount)
+apiVersion: v1
+kind: Pod
+metadata:
+  name: app-with-mounted-credentials
+  namespace: default
+spec:
+  containers:
+    - name: app
+      image: my-app:latest
+      volumeMounts:
+        - name: xsuaa-credentials
+          mountPath: /etc/secrets/xsuaa
+          readOnly: true
+  volumes:
+    - name: xsuaa-credentials
+      secret:
+        secretName: xsuaa-binding
+
+---
+# Example: Deployment with binding credentials
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: my-app-deployment
+  namespace: default
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: my-app
+  template:
+    metadata:
+      labels:
+        app: my-app
+    spec:
+      containers:
+        - name: app
+          image: my-app:latest
+          envFrom:
+            - secretRef:
+                name: xsuaa-binding
+          volumeMounts:
+            - name: destination-credentials
+              mountPath: /etc/secrets/destination
+              readOnly: true
+      volumes:
+        - name: destination-credentials
+          secret:
+            secretName: destination-binding
--- a/templates/service-instance-cf.json
+++ b/templates/service-instance-cf.json
@@ -0,0 +1,72 @@
+{
+  "_comment": "Cloud Foundry Service Instance Parameters Template",
+  "_documentation": "https://github.com/SAP-docs/sap-btp-service-manager/blob/main/docs/Service-Consumption/SAP-Service-Manager/creating-service-instances-in-cloud-foundry-6d6846d.md",
+  "_usage": "cf create-service <service> <plan> <instance-name> -c service-instance-cf.json",
+
+  "xsuaa_example": {
+    "_description": "XSUAA service instance parameters",
+    "xsappname": "my-application",
+    "tenant-mode": "dedicated",
+    "scopes": [
+      {
+        "name": "$XSAPPNAME.read",
+        "description": "Read access"
+      },
+      {
+        "name": "$XSAPPNAME.write",
+        "description": "Write access"
+      }
+    ],
+    "role-templates": [
+      {
+        "name": "Viewer",
+        "description": "View-only access",
+        "scope-references": ["$XSAPPNAME.read"]
+      },
+      {
+        "name": "Editor",
+        "description": "Full access",
+        "scope-references": ["$XSAPPNAME.read", "$XSAPPNAME.write"]
+      }
+    ]
+  },
+
+  "hana_hdi_example": {
+    "_description": "HANA HDI Container parameters",
+    "database_id": "<hana-database-guid>",
+    "schema": "MY_SCHEMA"
+  },
+
+  "destination_example": {
+    "_description": "Destination service parameters",
+    "HTML5Runtime_enabled": true,
+    "init_data": {
+      "subaccount": {
+        "existing_destinations_policy": "update",
+        "destinations": [
+          {
+            "Name": "my-destination",
+            "Type": "HTTP",
+            "URL": "https://api.example.com",
+            "Authentication": "NoAuthentication",
+            "ProxyType": "Internet"
+          }
+        ]
+      }
+    }
+  },
+
+  "service_manager_example": {
+    "_description": "Service Manager instance parameters",
+    "_plans": "subaccount-admin | subaccount-audit | container | service-operator-access"
+  },
+
+  "generic_template": {
+    "_instructions": "Replace with service-specific parameters",
+    "parameter1": "value1",
+    "parameter2": "value2",
+    "nested": {
+      "key": "value"
+    }
+  }
+}
--- a/templates/service-instance-k8s.yaml
+++ b/templates/service-instance-k8s.yaml
@@ -0,0 +1,142 @@
+# Kubernetes ServiceInstance CRD Template
+# Documentation: https://github.com/SAP/sap-btp-service-operator
+# Usage: kubectl apply -f service-instance-k8s.yaml
+
+---
+# Basic Service Instance
+apiVersion: services.cloud.sap.com/v1alpha1
+kind: ServiceInstance
+metadata:
+  name: my-service-instance
+  namespace: default
+  labels:
+    app: my-app
+    environment: development
+spec:
+  # Required: Service offering name from SAP BTP marketplace
+  serviceOfferingName: xsuaa
+
+  # Required: Service plan name
+  servicePlanName: application
+
+  # Optional: External name visible in BTP cockpit
+  externalName: my-service-instance-external
+
+  # Optional: Service-specific parameters
+  parameters:
+    xsappname: my-app
+    tenant-mode: dedicated
+
+---
+# XSUAA Service Instance with Full Configuration
+apiVersion: services.cloud.sap.com/v1alpha1
+kind: ServiceInstance
+metadata:
+  name: xsuaa-instance
+  namespace: default
+spec:
+  serviceOfferingName: xsuaa
+  servicePlanName: application
+  externalName: xsuaa-instance
+  parameters:
+    xsappname: my-application
+    tenant-mode: dedicated
+    scopes:
+      - name: $XSAPPNAME.read
+        description: Read access
+      - name: $XSAPPNAME.write
+        description: Write access
+    role-templates:
+      - name: Viewer
+        description: View-only access
+        scope-references:
+          - $XSAPPNAME.read
+      - name: Editor
+        description: Full access
+        scope-references:
+          - $XSAPPNAME.read
+          - $XSAPPNAME.write
+
+---
+# Service Manager Instance (for service-operator-access)
+apiVersion: services.cloud.sap.com/v1alpha1
+kind: ServiceInstance
+metadata:
+  name: service-manager-instance
+  namespace: default
+spec:
+  serviceOfferingName: service-manager
+  servicePlanName: service-operator-access
+  externalName: sm-operator-instance
+
+---
+# HANA Cloud HDI Container
+apiVersion: services.cloud.sap.com/v1alpha1
+kind: ServiceInstance
+metadata:
+  name: hana-hdi-instance
+  namespace: default
+spec:
+  serviceOfferingName: hana
+  servicePlanName: hdi-shared
+  externalName: hana-hdi-container
+  parameters:
+    database_id: "<hana-database-guid>"
+    schema: "MY_SCHEMA"
+
+---
+# Destination Service Instance
+apiVersion: services.cloud.sap.com/v1alpha1
+kind: ServiceInstance
+metadata:
+  name: destination-instance
+  namespace: default
+spec:
+  serviceOfferingName: destination
+  servicePlanName: lite
+  externalName: destination-service
+
+---
+# Instance with Parameters from Secret
+apiVersion: services.cloud.sap.com/v1alpha1
+kind: ServiceInstance
+metadata:
+  name: instance-with-secret-params
+  namespace: default
+spec:
+  serviceOfferingName: xsuaa
+  servicePlanName: application
+  parametersFrom:
+    - secretKeyRef:
+        name: instance-parameters
+        key: parameters
+
+---
+# Secret containing instance parameters
+apiVersion: v1
+kind: Secret
+metadata:
+  name: instance-parameters
+  namespace: default
+type: Opaque
+stringData:
+  parameters: |
+    {
+      "xsappname": "my-app",
+      "tenant-mode": "dedicated"
+    }
+
+---
+# Instance with Custom Tags
+apiVersion: services.cloud.sap.com/v1alpha1
+kind: ServiceInstance
+metadata:
+  name: tagged-instance
+  namespace: default
+spec:
+  serviceOfferingName: xsuaa
+  servicePlanName: application
+  customTags:
+    - environment:production
+    - team:platform
+    - cost-center:12345