feat: add K8s ingress for Mgmt API (#33)

.github/workflows/deployment-test.yaml

@@ -88,4 +88,8 @@ jobs:
             if [ "$code" -ne "401" ]; then
               echo "BDRS Directory API not ready, status = $code"
               exit 1;
-            fi
+            fi
+            
+            # verify management API is reachable as well. 
+            # in production scenarios, the Managment API should NEVER be on the same ingress as the public API
+            curl -X GET --fail -k -L http://localhost/api/management/bpn-directory -H "content-type: application/json" -H "x-api-key: password" -o -

charts/bdrs-server-memory/README.md

@@ -76,10 +76,20 @@ helm install my-release tractusx-edc/bdrs-server --version 0.0.2 \
 | server.ingresses[0].className | string | `""` | Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class)  to use |
 | server.ingresses[0].enabled | bool | `false` |  |
 | server.ingresses[0].endpoints | list | `["directory"]` | EDC endpoints exposed by this ingress resource |
-| server.ingresses[0].hostname | string | `"bdrs-server.local"` | The hostname to be used to precisely map incoming traffic onto the underlying network service |
+| server.ingresses[0].hostname | string | `"bdrs-server.directory.local"` | The hostname to be used to precisely map incoming traffic onto the underlying network service |
 | server.ingresses[0].tls | object | `{"enabled":false,"secretName":""}` | TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource |
 | server.ingresses[0].tls.enabled | bool | `false` | Enables TLS on the ingress resource |
 | server.ingresses[0].tls.secretName | string | `""` | If present overwrites the default secret name |
+| server.ingresses[1].annotations | object | `{}` | Additional ingress annotations to add |
+| server.ingresses[1].certManager.clusterIssuer | string | `""` | If preset enables certificate generation via cert-manager cluster-wide issuer |
+| server.ingresses[1].certManager.issuer | string | `""` | If preset enables certificate generation via cert-manager namespace scoped issuer |
+| server.ingresses[1].className | string | `""` | Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class)  to use |
+| server.ingresses[1].enabled | bool | `false` |  |
+| server.ingresses[1].endpoints | list | `["management"]` | EDC endpoints exposed by this ingress resource |
+| server.ingresses[1].hostname | string | `"bdrs-server.mgmt.local"` | The hostname to be used to precisely map incoming traffic onto the underlying network service |
+| server.ingresses[1].tls | object | `{"enabled":false,"secretName":""}` | TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource |
+| server.ingresses[1].tls.enabled | bool | `false` | Enables TLS on the ingress resource |
+| server.ingresses[1].tls.secretName | string | `""` | If present overwrites the default secret name |
 | server.initContainers | list | `[]` |  |
 | server.limits.cpu | float | `1.5` |  |
 | server.limits.memory | string | `"512Mi"` |  |

charts/bdrs-server-memory/values.yaml

@@ -158,7 +158,7 @@ server:
     ## Public / Internet facing Ingress
     - enabled: false
       # -- The hostname to be used to precisely map incoming traffic onto the underlying network service
-      hostname: "bdrs-server.local"
+      hostname: "bdrs-server.directory.local"
       # -- Additional ingress annotations to add
       annotations: {}
       # -- EDC endpoints exposed by this ingress resource
@@ -178,6 +178,29 @@ server:
         issuer: ""
         # -- If preset enables certificate generation via cert-manager cluster-wide issuer
         clusterIssuer: ""
+    ## Ingress for the Management API, should not be internet facing
+    - enabled: false
+      # -- The hostname to be used to precisely map incoming traffic onto the underlying network service
+      hostname: "bdrs-server.mgmt.local"
+      # -- Additional ingress annotations to add
+      annotations: {}
+      # -- EDC endpoints exposed by this ingress resource
+      endpoints:
+        - management
+      # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class)  to use
+      className: ""
+      # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource
+      tls:
+        # -- Enables TLS on the ingress resource
+        enabled: false
+        # -- If present overwrites the default secret name
+        secretName: ""
+      ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource
+      certManager:
+        # -- If preset enables certificate generation via cert-manager namespace scoped issuer
+        issuer: ""
+        # -- If preset enables certificate generation via cert-manager cluster-wide issuer
+        clusterIssuer: ""
   # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container
   volumeMounts: []
   # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories

charts/bdrs-server/README.md

@@ -86,10 +86,20 @@ helm install my-release tractusx-edc/bdrs-server --version 0.0.2 \
 | server.ingresses[0].className | string | `""` | Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class)  to use |
 | server.ingresses[0].enabled | bool | `false` |  |
 | server.ingresses[0].endpoints | list | `["directory"]` | EDC endpoints exposed by this ingress resource |
-| server.ingresses[0].hostname | string | `"bdrs-server.local"` | The hostname to be used to precisely map incoming traffic onto the underlying network service |
+| server.ingresses[0].hostname | string | `"bdrs-server.directory.local"` | The hostname to be used to precisely map incoming traffic onto the underlying network service |
 | server.ingresses[0].tls | object | `{"enabled":false,"secretName":""}` | TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource |
 | server.ingresses[0].tls.enabled | bool | `false` | Enables TLS on the ingress resource |
 | server.ingresses[0].tls.secretName | string | `""` | If present overwrites the default secret name |
+| server.ingresses[1].annotations | object | `{}` | Additional ingress annotations to add |
+| server.ingresses[1].certManager.clusterIssuer | string | `""` | If preset enables certificate generation via cert-manager cluster-wide issuer |
+| server.ingresses[1].certManager.issuer | string | `""` | If preset enables certificate generation via cert-manager namespace scoped issuer |
+| server.ingresses[1].className | string | `""` | Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class)  to use |
+| server.ingresses[1].enabled | bool | `false` |  |
+| server.ingresses[1].endpoints | list | `["management"]` | EDC endpoints exposed by this ingress resource |
+| server.ingresses[1].hostname | string | `"bdrs-server.mgmt.local"` | The hostname to be used to precisely map incoming traffic onto the underlying network service |
+| server.ingresses[1].tls | object | `{"enabled":false,"secretName":""}` | TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource |
+| server.ingresses[1].tls.enabled | bool | `false` | Enables TLS on the ingress resource |
+| server.ingresses[1].tls.secretName | string | `""` | If present overwrites the default secret name |
 | server.initContainers | list | `[]` |  |
 | server.limits.cpu | float | `1.5` |  |
 | server.limits.memory | string | `"512Mi"` |  |

charts/bdrs-server/values.yaml

@@ -162,7 +162,7 @@ server:
     ## Public / Internet facing Ingress
     - enabled: false
       # -- The hostname to be used to precisely map incoming traffic onto the underlying network service
-      hostname: "bdrs-server.local"
+      hostname: "bdrs-server.directory.local"
       # -- Additional ingress annotations to add
       annotations: {}
       # -- EDC endpoints exposed by this ingress resource
@@ -182,6 +182,29 @@ server:
         issuer: ""
         # -- If preset enables certificate generation via cert-manager cluster-wide issuer
         clusterIssuer: ""
+    ## Ingress for the Management API, should not be internet facing
+    - enabled: false
+      # -- The hostname to be used to precisely map incoming traffic onto the underlying network service
+      hostname: "bdrs-server.mgmt.local"
+      # -- Additional ingress annotations to add
+      annotations: {}
+      # -- EDC endpoints exposed by this ingress resource
+      endpoints:
+        - management
+      # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class)  to use
+      className: ""
+      # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource
+      tls:
+        # -- Enables TLS on the ingress resource
+        enabled: false
+        # -- If present overwrites the default secret name
+        secretName: ""
+      ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource
+      certManager:
+        # -- If preset enables certificate generation via cert-manager namespace scoped issuer
+        issuer: ""
+        # -- If preset enables certificate generation via cert-manager cluster-wide issuer
+        clusterIssuer: ""
   # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container
   volumeMounts: []
   # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories

system-tests/helm/values-test.yaml

@@ -24,6 +24,7 @@ server:
       hostname: "localhost"
       endpoints:
         - directory
+        - management
       className: "nginx"
       tls:
         enabled: true