cloudfoundry
diff --git a/‎orgs/branchprotection.yml‎
Lines changed: 582 additions & 0 deletions b/‎orgs/branchprotection.yml‎
Lines changed: 582 additions & 0 deletions
diff --git a/‎orgs/contributors.yml‎
Lines changed: 4 additions & 4 deletions b/‎orgs/contributors.yml‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎orgs/org_management.py‎
Lines changed: 5 additions & 6 deletions b/‎orgs/org_management.py‎
Lines changed: 5 additions & 6 deletions
diff --git a/‎orgs/test_org_management.py‎
Lines changed: 3 additions & 8 deletions b/‎orgs/test_org_management.py‎
Lines changed: 3 additions & 8 deletions
diff --git a/‎toc/rfc/rfc-0015-branch-protection.md‎
Lines changed: 8 additions & 0 deletions b/‎toc/rfc/rfc-0015-branch-protection.md‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎toc/rfc/rfc-0040-service-binding-rotation.md‎
Lines changed: 131 additions & 0 deletions b/‎toc/rfc/rfc-0040-service-binding-rotation.md‎
Lines changed: 131 additions & 0 deletions
diff --git a/‎toc/rfc/rfc-0041-shared-concourse.md‎
Lines changed: 56 additions & 0 deletions b/‎toc/rfc/rfc-0041-shared-concourse.md‎
Lines changed: 56 additions & 0 deletions
@@ -13,6 +13,7 @@ orgs:
     - anshrupani
     - anthonydahanne
     - ANUGRAHG
+    - anujc25
     - app-autoscaler-ci-bot
     - aqstack
     - aramprice
@@ -52,14 +53,12 @@ orgs:
     - danail-branekov
     - davewalter
     - dennisjbell
+    - dilipmighty245
     - dlresende
     - dmikusa
-    - domdom82
     - Dray56
-    - dsabeti
     - duanemay
     - ebroberson
-    - emalm
     - emmjohnson
     - evanfarrar
     - FelisiaM
@@ -93,7 +92,6 @@ orgs:
     - joemahady-comm
     - joergdw
     - johha
-    - jrussett
     - julian-hj
     - kathap
     - KauzClay
@@ -214,4 +212,6 @@ orgs:
     - Milena-Encheva
     - AttilaAlmasi
     - dtasSap
+    - ireneGonzalezRuiz
     - praveenkalluri18
+    - Jobsby
@@ -192,18 +192,17 @@ def generate_teams(self):
 
     def generate_branch_protection(self):
         # basis is static config in self.branch_protection which is never overwritten
-        # generate RFC0015 branch protection rules for every WG+TOC that opted in
+        # generate RFC0015 branch protection rules for every WG+TOC by default
         for org in OrgGenerator._MANAGED_ORGS:
             branch_protection_repos = self.branch_protection["branch-protection"]["orgs"][org]["repos"]
             wgs = self.working_groups[org]
             if org == self.toc["org"]:
                 wgs.append(self.toc)
             for wg in wgs:
-                if wg.get("config", {}).get("generate_rfc0015_branch_protection_rules", False):  # config is optional
-                    repo_rules = self._generate_wg_branch_protection(wg)
-                    for repo in repo_rules:
-                        if repo not in branch_protection_repos:
-                            branch_protection_repos[repo] = repo_rules[repo]
+                repo_rules = self._generate_wg_branch_protection(wg)
+                for repo in repo_rules:
+                    if repo not in branch_protection_repos:
+                        branch_protection_repos[repo] = repo_rules[repo]
 
     def write_org_config(self, path: str):
         print(f"Writing org configuration to {path}")
 
@@ -164,8 +164,6 @@
   bots:
   - github: bot-wg1-a5
     name: WG3 Area5 Bot
-config:
-  generate_rfc0015_branch_protection_rules: true
 """
 
 wg4_other_org = """
@@ -206,8 +204,6 @@
   - cloudfoundry2/repo3
   - cloudfoundry2/repo4
   - cloudfoundry/repo5
-config:
-  generate_rfc0015_branch_protection_rules: true
 """
 
 toc = """
@@ -231,7 +227,6 @@
   repositories:
   - cloudfoundry/community
 config:
-  generate_rfc0015_branch_protection_rules: true
   github_project_sync:
     mapping:
       cloudfoundry: 31
@@ -732,8 +727,8 @@ def test_generate_branch_protection(self):
         bp_repos = o.branch_protection["branch-protection"]["orgs"]["cloudfoundry"]["repos"]
         # TOC and wg3 opted in, wg1 and wg2 not
         # note: repo1..4 are shared between wg1 (opt out) and wg3 (opt in) - wg3 wins
-        self.assertSetEqual({f"repo{i}" for i in range(1, 6)} | {"community"}, set(bp_repos.keys()))
-        # repo1 has static config that wins over generated branch protection rules
+        self.assertSetEqual({f"repo{i}" for i in list(range(1, 6)) + [10, 11]} | {"community"}, set(bp_repos.keys()))
+        # repo1 has static config that wins over generated branch protection rulesp
         self.assertTrue(bp_repos["repo1"]["protect"])
         self.assertNotIn("required_pull_request_reviews", bp_repos["repo1"])
 
@@ -749,7 +744,7 @@ def test_generate_branch_protection_multiple_orgs(self):
         bp_repos = o.branch_protection["branch-protection"]["orgs"]["cloudfoundry"]["repos"]
         # TOC and wg3 opted in, wg1 and wg2 not
         # note: repo1..4 are shared between wg1 (opt out) and wg3 (opt in) - wg3 wins
-        self.assertSetEqual({f"repo{i}" for i in range(1, 6)} | {"community"}, set(bp_repos.keys()))
+        self.assertSetEqual({f"repo{i}" for i in list(range(1, 6)) + [10, 11]} | {"community"}, set(bp_repos.keys()))
         # repo1 has static config that wins over generated branch protection rules
         self.assertTrue(bp_repos["repo1"]["protect"])
         self.assertNotIn("required_pull_request_reviews", bp_repos["repo1"])
 
@@ -37,3 +37,11 @@ With respect to the approval of pull requests, we propose that the number of app
 * 1 approval will be required when a working group has 4 or more people in the approver role.
 
 The automation should allow to override the standard branch protection per respository using a configuration file maintained in this community repository. This allows working group leads e.g. to reduce the number of required approvals if several approvers are temporarily not available.
+
+## Amendments
+
+### Protection by Default
+
+To improve the security posture of the foundation, the branch protection rules defined in this RFC are applied by default to all repositories of all Working Groups. The previous opt-in mechanism via a flag in Working Group charters is removed.
+
+Working Groups can request exceptions for specific repositories by creating a pull request against `orgs/branchprotection.yml`. The pull request description MUST contain a justification for the exception.
@@ -0,0 +1,131 @@
+# Meta
+[meta]: #meta
+- Name: Service Credential Binding Rotation for Applications
+- Start Date: 2025-06-10
+- Authors: @beyhan, @stephanme
+- Status: Accepted
+- RFC Pull Request: [community#1198](https://github.com/cloudfoundry/community/pull/1198)
+
+## Summary
+
+Cloud Controller does not support creating a second binding between an application and a service instance, which prevents seamless rotation of credential bindings.  As a result, the only current method to rotate service credential bindings is through blue-green deployments, a process that many developers are hesitant to use solely for credential rotation. That is why, this RFC proposes to add support for multiple service credential bindings per service instance and application. To simplify the rotation process the RFC suggests a new CF API endpoint and CF CLI extensions.
+
+## Problem
+
+Cloud Controller does not support creation of a second binding for a service instance and application which would enable seamless binding credential rotation. Attempting to create a second binding using the CF CLI results in the following error:
+
+```
+cf bind-service myApp myService --binding-name second-binding
+Binding service instance myService to app myApp in org myOrg / space mySpace as ...
+App myApp is already bound to service instance myService.
+OK
+```
+This limitation is not due to the CF CLI but rather a restriction in the CC API, which prevents multiple bindings for the same application. Attempting to create the binding directly via the CF API results in a similar error:
+
+```
+cf curl -X POST "/v3/service_credential_bindings" -d '{
+    "name": "test-second-binding",
+    "relationships": {
+        "app": {
+            "data": {
+                "guid": "<myApp-guid>"
+            }
+        },
+        "service_instance": {
+            "data": {
+                "guid": "<mySerivce-guid>"
+            }
+        }
+    },
+    "type": "app"
+}'
+
+{"errors":[{"detail":"The app is already bound to the service instance","title":"CF-UnprocessableEntity","code":10008}]}
+```
+As a result, the only way to rotate service credential bindings currently is by performing blue-green deployments. However, many CF application developers are reluctant to push a new version of their application solely for the purpose of credential rotation.
+
+## Proposal
+
+The CC should allow multiple service credential bindings per service instance and application. Only the newest one should be visible in the application VCAP_SERVICES env var (or file-based service binding information) so that existing applications don’t need to change.
+
+### CF Cloud Controller
+
+#### POST /v3/service_credential_bindings
+
+Shall allow the creation of multiple service credential bindings for the same app and service instance under the following conditions:
+- service credential bindings are of type `app`
+  - bindings of type `key` don't have a reference to an application
+  - multiple service keys for a service instance are already supported
+- service credential binding name is not changed
+  - multiple bindings to the same service instance are intended for credential rotation
+  - VCAP_SERVICES structure doesn't allow multiple bindings to the same service instance so different binding names don't make sense
+
+The number of multiple service credential bindings for the same app and service instance should be limited. The limit prevents a DoS threat and eventually reminds users to clean up old, likely outdated bindings.
+
+#### GET /v3/service_credential_bindings
+
+The API `GET /v3/service_credential_bindings` will return all service credential bindings of an application including multiple bindings to the same service instance.
+
+### Mapping of service credential bindings into application containers
+
+When creating the service credential binding information like VCAP_SERVICES or file-based one the CC must select the newest one per service instance only that is in state `succeeded`. This must be based on the `created_at` and `last_operation.state` fields from the credential binding.
+
+An application restart or restage as today will be required to activate the new binding.
+
+### CF CLI
+
+Users can create multiple service credential bindings by invoking the `bind-service` command with a `--strategy multiple` option. The default strategy `single` ensures backward compatibility of the `cf bind-service` command.
+
+Example:
+```
+cf bind-service myApp myService  # create initial binding
+cf bind-service myApp myService  # succeeds with message "App myApp is already bound to service instance myService." No secondary binding is added.
+cf bind-service myApp myService --strategy single  # same as previous command, 'single' is the default strategy 
+
+cf bind-service myApp myService --strategy multiple  # adds a secondary binding to the same service instance
+cf bind-service myApp myService --strategy multiple  # adds a third binding to the same service instance
+```
+
+The exact parameter naming can be finalized at implementation time. A `strategy` parameter allows future extension, e.g. for OSBAPI 2.17 support mention in section "Possible Future Work".
+
+`cf unbind-service myApp myService` shall delete all existing service credential bindings for `myApp` to `myService`.
+An additional parameter `cf unbind-service --guid <guid>` should support the deletion of a single service credential binding.
+
+`cf service myService` should list all bindings to apps including their `guid` and `created_at` timestamp. This information is helpful to understand which binding will be mapped into the application container.
+
+The cleanup of old service credential bindings should be supported by a new CF CLI command:
+```
+cf cleanup-outdated-service-bindings myApp [--service-instance myService] [--keep-last 1]
+```
+The CLI will use the  CF API `GET /v3/service_credential_bindings?app_guids=:guid` to list the service instance bindings for an application and should delete all old bindings based on the creation date leaving the newest service bindings. With the `keep-last` parameter, users can keep the x newest bindings per app and service instance. If no service instance name is provided, the CLI should delete the old bindings of all services currently bound to the application.
+It is in the responsibility of the user to invoke `cf cleanup-outdated-service-bindings myApp` only after a successfully restage/restart of the app, i.e. when old service credential bindings are not used anymore by any app container. 
+
+A full service binding rotation flow with the CF CLI could look like:
+```
+cf bind-service myApp myService -c {<parameters>} --strategy multiple
+cf bind-service myApp myService2 -c {<parameters>} --strategy multiple
+cf restage myApp --strategy rolling
+cf cleanup-outdated-service-bindings myApp
+```
+
+## Possible Future Work
+
+### CC adoption of OSBAPI 2.17
+
+The CC could use the service binding rotation functionality introduced with the OSBAPI 2.17 and introduce a dedicated API endpoint for rotation, e.g. `POST /v3/service_credential_bindings/:guid/actions/duplicate` (good naming to be found).
+
+### Integrate Service Binding Recreation into Rolling Deployment
+
+Here an example how this could look with the CF CLI:
+```
+cf restage myApp –strategy rolling-with-binding-rotation
+```
+The result should be that all bindings of the application are recreated after a successful restage.
+
+### Binding Recreation with no App Restart
+
+With the adoption of file-based service bindings in Diego it is technically possible to update a service instance binding for a running application container at runtime without requiring an application restart. Things to consider:
+- This will require an extension of the CC and Diego API (https://github.com/cloudfoundry/bbs/blob/main/docs/053-actions.md )
+- CF application will need support for service binding credential updates during runtime
+- Some service bindings requiring restage can’t be supported
+- CC will need a trigger to update the service binding information for the corresponding LRP(s)
@@ -0,0 +1,56 @@
+# Meta
+[meta]: #meta
+- Name: Shared Concourse Instance
+- Start Date: 2025-07-07
+- Author(s): @drich10
+- Status: Accepted
+- RFC Pull Request: [community#1238](https://github.com/cloudfoundry/community/pull/1238)
+
+## Summary
+
+Provide a shared Concourse instance for CI/CD workloads within the CFF.
+
+## Problem
+
+Currently, _most_ teams using Concourse are deploying and managing their own instance. This creates overhead in both engineering time and cloud costs.
+
+## Proposal
+
+The Concourse WG MUST host a shared Concourse for working groups to leverage for CI/CD. This MUST reduce both engineering and cloud expenses. Consolidating Concourse spend into a singular account MAY make it easier to manage the spend and usage. Additionally centralizing management of CI maintenance, MAY remove load on members/leads of working groups managing their own instance(s). Working groups MAY use this instance if they choose to.
+
+### Access
+Concourse can use Github teams to manage access control within pipelines and credential systems. As such, working group areas and membership MUST determine roles within the system:
+* New role in the Concourse WG to administrate.
+* WG execution leads that are onboarded are given adminstration permissions.
+* WGs must identify area(s) to give access to.
+
+### Credential Management
+Credential access and management MUST be segmented so that WGs cannot access one another's secrets.
+  * Vault MAY be the secret manager to allow consistent management and separation of secrets between teams on the shared instance.
+  * We believe most teams currently use Credhub which does not easily allow us to implement the separation that MUST exist between teams.
+
+### Cost Reduction
+* Removes the overhead from additional Web and DB instances that come from running multiple instances of Concourse.
+* Enables sharing of lesser used worker types such like Windows Workers. Reducing the number of these workers that MUST exist.
+
+### Expectations and Agreements
+* Concourse WG leads will be primarily responsible for system availability during the business hours for each individual.
+* Concourse WG leads will be responsible for system upgrades.
+* WGs onboarded to the shared instance MUST be given sufficient access to operate the system. This includes, but is not limited to:
+  * IaaS access
+  * Runbooks and tooling for Concourse deployment
+* Support Issues MUST be shared between the Concourse working group maintainers and the concourse supporters
+
+### Timeline
+#### Phase 1
+* Concourse team creates the new, shared, instance and migrates itself (4-6 weeks from acceptance of this proposal)
+
+#### Phase 2
+* Onboard 1 working group to the new instance and refine deployment and operational strategies from initial learnings (4-6 weeks).
+* Shut down the concourse owned by the working group.
+
+#### Phase 3
+* Open onboarding to the rest of the working groups and migrate their pipelines. Shut down the concourse owned by the working group(s).
+* Success criteria:
+  * 2 or more teams leveraging this instance.
+  * Each team onboarding MUST either reduce or maintain the current level of infrastructure costs.