diff --git a/DEPENDENCIES b/DEPENDENCIES
index 110a160..53b1cbf 100644
--- a/DEPENDENCIES
+++ b/DEPENDENCIES
@@ -213,8 +213,8 @@ maven/mavencentral/org.eclipse.jetty/jetty-servlet/11.0.15, EPL-2.0 OR Apache-2.
 maven/mavencentral/org.eclipse.jetty/jetty-util/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
 maven/mavencentral/org.eclipse.jetty/jetty-webapp/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
 maven/mavencentral/org.eclipse.jetty/jetty-xml/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
-maven/mavencentral/org.eclipse.tractusx.agents.edc.agent-plane/agent-plane-protocol/1.9.5-SNAPSHOT, Apache-2.0, approved, automotive.tractusx
-maven/mavencentral/org.eclipse.tractusx.edc/auth-jwt/1.9.5-SNAPSHOT, Apache-2.0, approved, automotive.tractusx
+maven/mavencentral/org.eclipse.tractusx.agents.edc.agent-plane/agent-plane-protocol/1.9.5-20230831.070321-5, Apache-2.0, approved, automotive.tractusx
+maven/mavencentral/org.eclipse.tractusx.edc/auth-jwt/1.9.5-20230831.070252-7, Apache-2.0, approved, automotive.tractusx
 maven/mavencentral/org.eclipse.tractusx.edc/core-spi/0.5.0, Apache-2.0, approved, automotive.tractusx
 maven/mavencentral/org.eclipse.tractusx.edc/edc-dataplane-azure-vault/0.5.0, Apache-2.0, approved, automotive.tractusx
 maven/mavencentral/org.eclipse.tractusx.edc/edc-dataplane-base/0.5.0, Apache-2.0, approved, automotive.tractusx
diff --git a/charts/agent-connector-azure-vault/Chart.yaml b/charts/agent-connector-azure-vault/Chart.yaml
index b430856..574b98f 100644
--- a/charts/agent-connector-azure-vault/Chart.yaml
+++ b/charts/agent-connector-azure-vault/Chart.yaml
@@ -42,7 +42,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.9.7-SNAPSHOT +version: 1.9.8-SNAPSHOT # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. diff --git a/charts/agent-connector-azure-vault/README.md b/charts/agent-connector-azure-vault/README.md index a58f99c..97ed480 100644 --- a/charts/agent-connector-azure-vault/README.md +++ b/charts/agent-connector-azure-vault/README.md @@ -20,7 +20,7 @@ # agent-connector-azure-vault -![Version: 1.9.7-SNAPSHOT](https://img.shields.io/badge/Version-1.9.7--SNAPSHOT-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.5-SNAPSHOT](https://img.shields.io/badge/AppVersion-1.9.5--SNAPSHOT-informational?style=flat-square) +![Version: 1.9.8-SNAPSHOT](https://img.shields.io/badge/Version-1.9.8--SNAPSHOT-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.5-SNAPSHOT](https://img.shields.io/badge/AppVersion-1.9.5--SNAPSHOT-informational?style=flat-square) A Helm chart for an Agent-Enabled Tractus-X Eclipse Data Space Connector configured against Azure Vault. This is a variant of [the Tractus-X Azure Vault Connector Helm Chart](https://github.com/eclipse-tractusx/tractusx-edc/tree/main/charts/tractusx-connector-azure-vault) which allows to deal with several data (and agent) planes. The connector deployment consists of at least two runtime consists of a 
@@ -46,6 +46,15 @@ You should set your BPNL in the folloing property: - 'vault.azure.tenant': Id of the subscription that the vault runs into - 'vault.azure.secret' or 'vault.azure.certificate': the secret/credential to use when interacting with Azure Vault +### Setting up the transfer token encryption + +Transfer tokens handed out from the provider to the consumer should be signed and encrypted. For that purpose +you should setup a private/public certificate as well as a symmetric AES key. + +- 'vault.secretNames.transferProxyTokenSignerPrivateKey': +- 'vault.secretNames.transferProxyTokenSignerPublicKey': +- 'vault.secretNames.transferProxyTokenEncryptionAesKey': + ## Setting up SSI ### Preconditions @@ -103,7 +112,7 @@ Combined, run this shell command to start the in-memory Tractus-X EDC runtime: ```shell helm repo add eclipse-tractusx https://eclipse-tractusx.github.io/charts/dev -helm install my-release eclipse-tractusx/agent-connector-azure-vault --version 1.9.7-SNAPSHOT\ +helm install my-release eclipse-tractusx/agent-connector-azure-vault --version 1.9.8-SNAPSHOT\ -f /tractusx-connector-azure-vault-test.yaml \ --set vault.azure.name=$AZURE_VAULT_NAME \ --set vault.azure.client=$AZURE_CLIENT_ID \ 
@@ -222,7 +231,7 @@ helm install my-release eclipse-tractusx/agent-connector-azure-vault --version 1 | controlplane.ssi.miw.authorityId | string | `""` | The BPN of the issuer authority | | controlplane.ssi.miw.url | string | `""` | MIW URL | | controlplane.ssi.oauth.client.id | string | `""` | The client ID for KeyCloak | -| controlplane.ssi.oauth.client.secretAlias | string | `"client-secret"` | The alias under which the client secret is stored in the vault. | +| controlplane.ssi.oauth.client.secretAlias | string | `""` | The alias under which the client secret is stored in the vault. | | controlplane.ssi.oauth.tokenurl | string | `""` | The URL (of KeyCloak), where access tokens can be obtained | | controlplane.tolerations | list | `[]` | | | controlplane.url.protocol | string | `""` | Explicitly declared url for reaching the dsp api (e.g. if ingresses not used) | 
@@ -344,7 +353,7 @@ helm install my-release eclipse-tractusx/agent-connector-azure-vault --version 1 | networkPolicy.dataplane.from | list | `[{"namespaceSelector":{}}]` | Specify from rule network policy for dp (defaults to all namespaces) | | networkPolicy.enabled | bool | `false` | If `true` network policy will be created to restrict access to control- and dataplane | | participant.id | string | `""` | BPN Number | -| postgresql | object | `{"auth":{"database":"edc","password":"password","username":"user"},"jdbcUrl":"jdbc:postgresql://postgresql:5432/edc","primary":{"persistence":{"enabled":false}},"readReplicas":{"persistence":{"enabled":false}}}` | Standard settings for persistence, "jdbcUrl", "username" and "password" need to be overridden | +| postgresql | object | `{"auth":{"database":"edc","password":"password","username":"user"},"jdbcUrl":"jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc","primary":{"persistence":{"enabled":false}},"readReplicas":{"persistence":{"enabled":false}}}` | Standard settings for persistence, "jdbcUrl", "username" and "password" need to be overridden | | serviceAccount.annotations | object | `{}` | | | serviceAccount.create | bool | `true` | | | serviceAccount.imagePullSecrets | list | `[]` | Existing image pull secret bound to the service account to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) | 
@@ -356,7 +365,7 @@ helm install my-release eclipse-tractusx/agent-connector-azure-vault --version 1 | vault.azure.name | string | `""` | | | vault.azure.secret | string | `nil` | | | vault.azure.tenant | string | `""` | | -| vault.secretNames.transferProxyTokenEncryptionAesKey | string | `"transfer-proxy-token-encryption-aes-key"` | | +| vault.secretNames.transferProxyTokenEncryptionAesKey | string | `nil` | | | vault.secretNames.transferProxyTokenSignerPrivateKey | string | `nil` | | | vault.secretNames.transferProxyTokenSignerPublicKey | string | `nil` | | diff --git a/charts/agent-connector-azure-vault/README.md.gotmpl b/charts/agent-connector-azure-vault/README.md.gotmpl index 3b097e7..2aa860f 100644 --- a/charts/agent-connector-azure-vault/README.md.gotmpl +++ b/charts/agent-connector-azure-vault/README.md.gotmpl @@ -44,6 +44,15 @@ You should set your BPNL in the folloing property: - 'vault.azure.tenant': Id of the subscription that the vault runs into - 'vault.azure.secret' or 'vault.azure.certificate': the secret/credential to use when interacting with Azure Vault +### Setting up the transfer token encryption + +Transfer tokens handed out from the provider to the consumer should be signed and encrypted. For that purpose +you should setup a private/public certificate as well as a symmetric AES key. + +- 'vault.secretNames.transferProxyTokenSignerPrivateKey': +- 'vault.secretNames.transferProxyTokenSignerPublicKey': +- 'vault.secretNames.transferProxyTokenEncryptionAesKey': + ## Setting up SSI ### Preconditions diff --git a/charts/agent-connector-azure-vault/ci/integration-values.yaml b/charts/agent-connector-azure-vault/ci/integration-values.yaml new file mode 100644 index 0000000..37cc28c --- /dev/null +++ b/charts/agent-connector-azure-vault/ci/integration-values.yaml 
@@ -0,0 +1,57 @@ +# +# Copyright (c) 2023 T-Systems International GmbH +# Copyright (c) 2023 ZF Friedrichshafen AG +# Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH +# Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) +# Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# + +install: + postgresql: true + +controlplane: + endpoints: + management: + authKey: "bla" + ssi: + miw: + url: "https://managed-identity-wallets.int" + authorityId: "BPNL0000000DUMMY" + oauth: + tokenurl: "https://keycloak/auth/realms/REALM/protocol/openid-connect/token" + client: + id: "serviceaccount" + secretAlias: "miw-secret" + +vault: + azure: + name: "AZURE_NAME" + tenant: "AZURE_TENANT" + client: "AZURE_CLIENT" + secret: "AZURE_SECRET" + hashicorp: + url: "https://vault.demo" + token: "VAULT_TOKEN" + paths: + secret: "/v1/secrets" + secretNames: + transferProxyTokenSignerPrivateKey: "key" + transferProxyTokenSignerPublicKey: "cert" + transferProxyTokenEncryptionAesKey: "symmetric-key" +participant: + id: "BPNL0000000DUMMY" diff --git a/charts/agent-connector-azure-vault/templates/deployment-controlplane.yaml b/charts/agent-connector-azure-vault/templates/deployment-controlplane.yaml index 59487db..3fc16f0 100644 
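Review bot: The new CI values file ships fixed placeholder credentials — `authKey: "bla"` for the management API, `token: "VAULT_TOKEN"`, `secret: "AZURE_SECRET"` — with nothing in the file saying they are test-only, and it fills in both `vault.azure` and `vault.hashicorp` although the azure-vault chart reads only one of them. A header line after the license block such as `# CI/integration values only: every credential below is a dummy placeholder and must not be copied into a real deployment` would make the intent explicit, and dropping the vault block this chart does not use would keep the file honest about what is actually consumed. The byte-identical file (same blob 37cc28c) is added under charts/agent-connector-memory and charts/agent-connector in this diff, so the same comment applies to those copies.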
--- a/charts/agent-connector-azure-vault/templates/deployment-controlplane.yaml +++ b/charts/agent-connector-azure-vault/templates/deployment-controlplane.yaml @@ -176,7 +176,7 @@ spec: - name: "EDC_DATASOURCE_ASSET_PASSWORD" value: {{ .Values.postgresql.auth.password | required ".Values.postgresql.auth.password is required" | quote }} - name: "EDC_DATASOURCE_ASSET_URL" - value: {{ .Values.postgresql.jdbcUrl | quote }} + value: {{ tpl .Values.postgresql.jdbcUrl . | quote }} # see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/control-plane/store/sql/contract-definition-store-sql - name: "EDC_DATASOURCE_CONTRACTDEFINITION_NAME" diff --git a/charts/agent-connector-azure-vault/templates/tests/test-dataplane-readiness.yaml b/charts/agent-connector-azure-vault/templates/tests/test-dataplane-readiness.yaml index 72336a0..2147c74 100644 --- a/charts/agent-connector-azure-vault/templates/tests/test-dataplane-readiness.yaml +++ b/charts/agent-connector-azure-vault/templates/tests/test-dataplane-readiness.yaml @@ -19,7 +19,7 @@ {{- $root := . -}} {{- $allcommands := (dict "commands" (list)) -}} {{- range $dataplane_name, $dataplane := .Values.dataplanes -}} -{{- printf "curl http://%s-%s:%v%s/check/readiness" $dataplane.name (include "txdc.fullname" $root ) $dataplane.endpoints.default.port $dataplane.endpoints.default.path | append $allcommands.commands | set $allcommands "commands" -}} +{{- printf "curl http://%s-%s:%v%s/check/readiness" (include "txdc.fullname" $root ) $dataplane.name $dataplane.endpoints.default.port $dataplane.endpoints.default.path | append $allcommands.commands | set $allcommands "commands" -}} {{- end }} --- @@ -36,6 +36,6 @@ spec: containers: - name: wget image: curlimages/curl - command: [ '/bin/bash','-c' ] + command: [ '/bin/sh','-c' ] args: [ {{ join "&&" $allcommands.commands | quote }} ] restartPolicy: Never 
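Review bot: The `tpl` wrapper is added only to EDC_DATASOURCE_ASSET_URL, while the other EDC_DATASOURCE_*_URL entries that follow (the hunk ends right after the CONTRACTDEFINITION name entry, so they are outside it) presumably read the same `.Values.postgresql.jdbcUrl`; any of them still written as `{{ .Values.postgresql.jdbcUrl | quote }}` will now receive the literal `{{ .Release.Name }}-postgresql` text, because values.yaml in this diff changes the default to a templated string. Each consumer should use `value: {{ tpl .Values.postgresql.jdbcUrl . | quote }}`. The agent-connector chart's README in this diff documents the same templated jdbcUrl default, but no corresponding deployment-controlplane.yaml change for that chart is visible here, so it is worth confirming it was updated too.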
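Review bot: The readiness command built by the changed printf still invokes plain `curl`, which exits 0 on any HTTP response including 503, so a dataplane whose /check/readiness reports not-ready still passes the Helm test; use `curl -sf http://%s-%s:%v%s/check/readiness` so that 4xx/5xx become a non-zero exit and the `&&` chain assembled in the second hunk actually gates on readiness. The container in that second hunk is still named `wget` while it runs `curlimages/curl`; renaming it `curl` avoids misleading the next reader. The same printf and container name appear in charts/agent-connector-memory/templates/tests/test-dataplane-readiness.yaml in this diff.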
diff --git a/charts/agent-connector-azure-vault/values.yaml b/charts/agent-connector-azure-vault/values.yaml index 49d095c..a7e1628 100644 --- a/charts/agent-connector-azure-vault/values.yaml +++ b/charts/agent-connector-azure-vault/values.yaml @@ -134,7 +134,7 @@ controlplane: # -- The client ID for KeyCloak id: "" # -- The alias under which the client secret is stored in the vault. - secretAlias: "client-secret" + secretAlias: "" service: # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. @@ -561,7 +561,7 @@ dataplanes: # -- Standard settings for persistence, "jdbcUrl", "username" and "password" need to be overridden postgresql: - jdbcUrl: "jdbc:postgresql://postgresql:5432/edc" + jdbcUrl: "jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc" primary: persistence: enabled: false @@ -579,11 +579,10 @@ vault: tenant: "" secret: certificate: - secretNames: transferProxyTokenSignerPrivateKey: transferProxyTokenSignerPublicKey: - transferProxyTokenEncryptionAesKey: transfer-proxy-token-encryption-aes-key + transferProxyTokenEncryptionAesKey: backendService: httpProxyTokenReceiverUrl: "" diff --git a/charts/agent-connector-memory/Chart.yaml b/charts/agent-connector-memory/Chart.yaml index 8a8d8d4..160e11e 100644 --- a/charts/agent-connector-memory/Chart.yaml +++ b/charts/agent-connector-memory/Chart.yaml 
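Review bot: In the `@@ -579` hunk `transferProxyTokenEncryptionAesKey:` loses its default and becomes nil, but unlike the memory chart's values.yaml in this same diff it gets no `# --` helm-docs comment, which is why the azure-vault README table renders the three `vault.secretNames.*` rows with an empty description; add the same three comments here, `# -- sign handed out tokens with this key`, `# -- sign handed out tokens with this certificate`, `# -- encrypt handed out tokens with this symmetric key`. With the default gone, an unset alias renders to an empty string unless the template that consumes it uses `required`, as deployment-controlplane.yaml already does for `.Values.postgresql.auth.password`; the consuming template is not in this diff, so that is worth checking. Likewise `secretAlias: ""` in the first hunk (and the same change in charts/agent-connector-memory/values.yaml) leaves the memory chart's README.md.gotmpl still stating that the client secret is expected under `secret/client-secret` by default, which no longer holds.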
@@ -42,7 +42,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.9.7-SNAPSHOT +version: 1.9.8-SNAPSHOT # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. diff --git a/charts/agent-connector-memory/README.md b/charts/agent-connector-memory/README.md index 1eef6fe..6a0b908 100644 --- a/charts/agent-connector-memory/README.md +++ b/charts/agent-connector-memory/README.md @@ -20,7 +20,7 @@ # agent-connector-memory -![Version: 1.9.7-SNAPSHOT](https://img.shields.io/badge/Version-1.9.7--SNAPSHOT-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.5-SNAPSHOT](https://img.shields.io/badge/AppVersion-1.9.5--SNAPSHOT-informational?style=flat-square) +![Version: 1.9.8-SNAPSHOT](https://img.shields.io/badge/Version-1.9.8--SNAPSHOT-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.5-SNAPSHOT](https://img.shields.io/badge/AppVersion-1.9.5--SNAPSHOT-informational?style=flat-square) A Helm chart for an Agent-Enabled Tractus-X Eclipse Data Space Connector using In-Memory Persistence. This is a variant of [the Tractus-X In-Memory Connector Helm Chart](https://github.com/eclipse-tractusx/tractusx-edc/tree/main/charts/tractusx-connector-memory) which allows to deal with several data (and agent) planes. The connector deployment consists of at least two runtime consists of a 
@@ -40,9 +40,19 @@ You should set your BPNL in the folloing property: ## Setting up Hashicorp Vault -You should set your BPNL in the folloing property: +You should set configure access to required secrets as follows: - 'vault.hashicorp.url': URL of the vault API - 'vault.hashicorp.token': A valid, generated access token. +- 'vault.hashicorp.paths.secret': Api path to the folder hosting the secrets (usually prepended with /v1) + +### Setting up the transfer token encryption + +Transfer tokens handed out from the provider to the consumer should be signed and encrypted. For that purpose +you should setup a private/public certificate as well as a symmetric AES key. + +- 'vault.secretNames.transferProxyTokenSignerPrivateKey': +- 'vault.secretNames.transferProxyTokenSignerPublicKey': +- 'vault.secretNames.transferProxyTokenEncryptionAesKey': ## Setting up SSI @@ -98,7 +108,7 @@ Combined, run this shell command to start the in-memory Tractus-X EDC runtime: ```shell helm repo add eclipse-tractusx https://eclipse-tractusx.github.io/charts/dev -helm install my-release eclipse-tractusx/agent-connector --version 1.9.7-SNAPSHOT +helm install my-release eclipse-tractusx/agent-connector --version 1.9.8-SNAPSHOT ``` ## Maintainers 
@@ -212,7 +222,7 @@ helm install my-release eclipse-tractusx/agent-connector --version 1.9.7-SNAPSHO | controlplane.ssi.miw.authorityId | string | `""` | The BPN of the issuer authority | | controlplane.ssi.miw.url | string | `""` | MIW URL | | controlplane.ssi.oauth.client.id | string | `""` | The client ID for KeyCloak | -| controlplane.ssi.oauth.client.secretAlias | string | `"client-secret"` | The alias under which the client secret is stored in the vault. | +| controlplane.ssi.oauth.client.secretAlias | string | `""` | The alias under which the client secret is stored in the vault. | | controlplane.ssi.oauth.tokenurl | string | `""` | The URL (of KeyCloak), where access tokens can be obtained | | controlplane.tolerations | list | `[]` | | | controlplane.url.protocol | string | `""` | Explicitly declared url for reaching the dsp api (e.g. if ingresses not used) | 
@@ -340,7 +350,14 @@ helm install my-release eclipse-tractusx/agent-connector --version 1.9.7-SNAPSHO | serviceAccount.name | string | `""` | | | tests | object | `{"hookDeletePolicy":"before-hook-creation,hook-succeeded"}` | Configurations for Helm tests | | tests.hookDeletePolicy | string | `"before-hook-creation,hook-succeeded"` | Configure the hook-delete-policy for Helm tests | -| vault | object | `{"hashicorp":{"healthCheck":{"enabled":true,"standbyOk":true},"paths":{"health":"/v1/sys/health","secret":"/v1/secret"},"timeout":30,"token":"","url":"http://{{ .Release.Name }}-vault:8200"},"injector":{"enabled":false},"secretNames":{"transferProxyTokenEncryptionAesKey":"transfer-proxy-token-encryption-aes-key","transferProxyTokenSignerPrivateKey":null,"transferProxyTokenSignerPublicKey":null},"server":{"dev":{"devRootToken":"root","enabled":true},"postStart":null}}` | Standard settings for persistence, "jdbcUrl", "username" and "password" need to be overridden | +| vault | object | `{"hashicorp":{"healthCheck":{"enabled":true,"standbyOk":true},"paths":{"health":"/v1/sys/health","secret":"/v1/secret"},"timeout":30,"token":"","url":"http://{{ .Release.Name }}-vault:8200"},"injector":{"enabled":false},"secretNames":{"transferProxyTokenEncryptionAesKey":null,"transferProxyTokenSignerPrivateKey":null,"transferProxyTokenSignerPublicKey":null},"server":{"dev":{"devRootToken":"root","enabled":true},"postStart":null}}` | Standard settings for persistence, "jdbcUrl", "username" and "password" need to be overridden | +| vault.hashicorp.paths.health | string | `"/v1/sys/health"` | Default health api | +| vault.hashicorp.paths.secret | string | `"/v1/secret"` | Path to secrets needs to be changed if install.vault=false | +| vault.hashicorp.token | string | `""` | Access token to the vault service needs to be changed if install.vault=false | +| vault.hashicorp.url | string | `"http://{{ .Release.Name }}-vault:8200"` | URL to the vault service, needs to be changed if 
install.vault=false | +| vault.secretNames.transferProxyTokenEncryptionAesKey | string | `nil` | encrypt handed out tokens with this symmetric key | +| vault.secretNames.transferProxyTokenSignerPrivateKey | string | `nil` | sign handed out tokens with this key | +| vault.secretNames.transferProxyTokenSignerPublicKey | string | `nil` | sign handed out tokens with this certificate | ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/agent-connector-memory/README.md.gotmpl b/charts/agent-connector-memory/README.md.gotmpl index 28b82b6..fcba606 100644 --- a/charts/agent-connector-memory/README.md.gotmpl +++ b/charts/agent-connector-memory/README.md.gotmpl @@ -38,9 +38,19 @@ You should set your BPNL in the folloing property: ## Setting up Hashicorp Vault -You should set your BPNL in the folloing property: +You should set configure access to required secrets as follows: - 'vault.hashicorp.url': URL of the vault API - 'vault.hashicorp.token': A valid, generated access token. +- 'vault.hashicorp.paths.secret': Api path to the folder hosting the secrets (usually prepended with /v1) + +### Setting up the transfer token encryption + +Transfer tokens handed out from the provider to the consumer should be signed and encrypted. For that purpose +you should setup a private/public certificate as well as a symmetric AES key. + +- 'vault.secretNames.transferProxyTokenSignerPrivateKey': +- 'vault.secretNames.transferProxyTokenSignerPublicKey': +- 'vault.secretNames.transferProxyTokenEncryptionAesKey': ## Setting up SSI 
@@ -58,7 +68,6 @@ You should set your BPNL in the folloing property: - store your KeyCloak client secret in the HashiCorp vault. The exact procedure will depend on your deployment of HashiCorp Vault and is out of scope of this document. But by default, Tractus-X EDC expects to find the secret under `secret/client-secret`. - ### Configure the chart Be sure to provide the following configuration entries to your Tractus-X EDC Helm chart: diff --git a/charts/agent-connector-memory/ci/integration-values.yaml b/charts/agent-connector-memory/ci/integration-values.yaml new file mode 100644 index 0000000..37cc28c --- /dev/null +++ b/charts/agent-connector-memory/ci/integration-values.yaml 
@@ -0,0 +1,57 @@ +# +# Copyright (c) 2023 T-Systems International GmbH +# Copyright (c) 2023 ZF Friedrichshafen AG +# Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH +# Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) +# Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# + +install: + postgresql: true + +controlplane: + endpoints: + management: + authKey: "bla" + ssi: + miw: + url: "https://managed-identity-wallets.int" + authorityId: "BPNL0000000DUMMY" + oauth: + tokenurl: "https://keycloak/auth/realms/REALM/protocol/openid-connect/token" + client: + id: "serviceaccount" + secretAlias: "miw-secret" + +vault: + azure: + name: "AZURE_NAME" + tenant: "AZURE_TENANT" + client: "AZURE_CLIENT" + secret: "AZURE_SECRET" + hashicorp: + url: "https://vault.demo" + token: "VAULT_TOKEN" + paths: + secret: "/v1/secrets" + secretNames: + transferProxyTokenSignerPrivateKey: "key" + transferProxyTokenSignerPublicKey: "cert" + transferProxyTokenEncryptionAesKey: "symmetric-key" +participant: + id: "BPNL0000000DUMMY" diff --git a/charts/agent-connector-memory/templates/tests/test-dataplane-readiness.yaml b/charts/agent-connector-memory/templates/tests/test-dataplane-readiness.yaml index 72336a0..2147c74 100644 
--- a/charts/agent-connector-memory/templates/tests/test-dataplane-readiness.yaml +++ b/charts/agent-connector-memory/templates/tests/test-dataplane-readiness.yaml @@ -19,7 +19,7 @@ {{- $root := . -}} {{- $allcommands := (dict "commands" (list)) -}} {{- range $dataplane_name, $dataplane := .Values.dataplanes -}} -{{- printf "curl http://%s-%s:%v%s/check/readiness" $dataplane.name (include "txdc.fullname" $root ) $dataplane.endpoints.default.port $dataplane.endpoints.default.path | append $allcommands.commands | set $allcommands "commands" -}} +{{- printf "curl http://%s-%s:%v%s/check/readiness" (include "txdc.fullname" $root ) $dataplane.name $dataplane.endpoints.default.port $dataplane.endpoints.default.path | append $allcommands.commands | set $allcommands "commands" -}} {{- end }} --- @@ -36,6 +36,6 @@ spec: containers: - name: wget image: curlimages/curl - command: [ '/bin/bash','-c' ] + command: [ '/bin/sh','-c' ] args: [ {{ join "&&" $allcommands.commands | quote }} ] restartPolicy: Never diff --git a/charts/agent-connector-memory/values.yaml b/charts/agent-connector-memory/values.yaml index 7ca72d0..805c06f 100644 --- a/charts/agent-connector-memory/values.yaml +++ b/charts/agent-connector-memory/values.yaml @@ -21,7 +21,6 @@ # SPDX-License-Identifier: Apache-2.0 # - --- # Default values for agent-connector. # This is a YAML-formatted file. @@ -134,7 +133,7 @@ controlplane: # -- The client ID for KeyCloak id: "" # -- The alias under which the client secret is stored in the vault. - secretAlias: "client-secret" + secretAlias: "" service: # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. 
@@ -566,19 +565,26 @@ vault: devRootToken: "root" postStart: # must be set externally! hashicorp: + # -- URL to the vault service, needs to be changed if install.vault=false url: "http://{{ .Release.Name }}-vault:8200" + # -- Access token to the vault service needs to be changed if install.vault=false token: "" timeout: 30 healthCheck: enabled: true standbyOk: true paths: + # -- Path to secrets needs to be changed if install.vault=false secret: /v1/secret + # -- Default health api health: /v1/sys/health secretNames: + # -- sign handed out tokens with this key transferProxyTokenSignerPrivateKey: + # -- sign handed out tokens with this certificate transferProxyTokenSignerPublicKey: - transferProxyTokenEncryptionAesKey: transfer-proxy-token-encryption-aes-key + # -- encrypt handed out tokens with this symmetric key + transferProxyTokenEncryptionAesKey: backendService: httpProxyTokenReceiverUrl: "" diff --git a/charts/agent-connector/Chart.yaml b/charts/agent-connector/Chart.yaml index 921ebb0..aee27b3 100644 --- a/charts/agent-connector/Chart.yaml +++ b/charts/agent-connector/Chart.yaml @@ -41,7 +41,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.9.7-SNAPSHOT +version: 1.9.8-SNAPSHOT # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. diff --git a/charts/agent-connector/README.md b/charts/agent-connector/README.md index 14e296e..4b2fac7 100644 --- a/charts/agent-connector/README.md +++ b/charts/agent-connector/README.md 
@@ -20,7 +20,7 @@ # agent-connector -![Version: 1.9.7-SNAPSHOT](https://img.shields.io/badge/Version-1.9.7--SNAPSHOT-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.5-SNAPSHOT](https://img.shields.io/badge/AppVersion-1.9.5--SNAPSHOT-informational?style=flat-square) +![Version: 1.9.8-SNAPSHOT](https://img.shields.io/badge/Version-1.9.8--SNAPSHOT-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.5-SNAPSHOT](https://img.shields.io/badge/AppVersion-1.9.5--SNAPSHOT-informational?style=flat-square) A Helm chart for an Agent-Enabled Tractus-X Eclipse Data Space Connector. This is a variant of [the Tractus-X Connector Helm Chart](https://github.com/eclipse-tractusx/tractusx-edc/tree/main/charts/tractusx-connector) which allows to deal with several data (and agent) planes. The connector deployment consists of at least two runtime consists of a @@ -40,9 +40,19 @@ You should set your BPNL in the folloing property: ## Setting up Hashicorp Vault -You should set your BPNL in the folloing property: +You should set configure access to required secrets as follows: - 'vault.hashicorp.url': URL of the vault API - 'vault.hashicorp.token': A valid, generated access token. +- 'vault.hashicorp.paths.secret': Api path to the folder hosting the secrets (usually prepended with /v1) + +### Setting up the transfer token encryption + +Transfer tokens handed out from the provider to the consumer should be signed and encrypted. For that purpose +you should setup a private/public certificate as well as a symmetric AES key. + +- 'vault.secretNames.transferProxyTokenSignerPrivateKey': +- 'vault.secretNames.transferProxyTokenSignerPublicKey': +- 'vault.secretNames.transferProxyTokenEncryptionAesKey': ## Setting up SSI 
@@ -98,7 +108,7 @@ Combined, run this shell command to start the in-memory Tractus-X EDC runtime: ```shell helm repo add eclipse-tractusx https://eclipse-tractusx.github.io/charts/dev -helm install my-release eclipse-tractusx/agent-connector --version 1.9.7-SNAPSHOT +helm install my-release eclipse-tractusx/agent-connector --version 1.9.8-SNAPSHOT ``` ## Maintainers @@ -213,7 +223,7 @@ helm install my-release eclipse-tractusx/agent-connector --version 1.9.7-SNAPSHO | controlplane.ssi.miw.authorityId | string | `""` | The BPN of the issuer authority | | controlplane.ssi.miw.url | string | `""` | MIW URL | | controlplane.ssi.oauth.client.id | string | `""` | The client ID for KeyCloak | -| controlplane.ssi.oauth.client.secretAlias | string | `"client-secret"` | The alias under which the client secret is stored in the vault. | +| controlplane.ssi.oauth.client.secretAlias | string | `""` | The alias under which the client secret is stored in the vault. | | controlplane.ssi.oauth.tokenurl | string | `""` | The URL (of KeyCloak), where access tokens can be obtained | | controlplane.tolerations | list | `[]` | | | controlplane.url.protocol | string | `""` | Explicitly declared url for reaching the dsp api (e.g. if ingresses not used) | 
@@ -336,7 +346,7 @@ helm install my-release eclipse-tractusx/agent-connector --version 1.9.7-SNAPSHO | networkPolicy.dataplane.from | list | `[{"namespaceSelector":{}}]` | Specify from rule network policy for dp (defaults to all namespaces) | | networkPolicy.enabled | bool | `false` | If `true` network policy will be created to restrict access to control- and dataplane | | participant.id | string | `""` | BPN Number | -| postgresql | object | `{"auth":{"database":"edc","password":"password","username":"user"},"jdbcUrl":"jdbc:postgresql://postgresql:5432/edc","primary":{"persistence":{"enabled":false}},"readReplicas":{"persistence":{"enabled":false}}}` | Standard settings for persistence, "jdbcUrl", "username" and "password" need to be overridden | +| postgresql | object | `{"auth":{"database":"edc","password":"password","username":"user"},"jdbcUrl":"jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc","primary":{"persistence":{"enabled":false}},"readReplicas":{"persistence":{"enabled":false}}}` | Standard settings for persistence, "jdbcUrl", "username" and "password" need to be overridden | | serviceAccount.annotations | object | `{}` | | | serviceAccount.create | bool | `true` | | | serviceAccount.imagePullSecrets | list | `[]` | Existing image pull secret bound to the service account to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) | 
@@ -345,15 +355,15 @@ helm install my-release eclipse-tractusx/agent-connector --version 1.9.7-SNAPSHO
 | tests.hookDeletePolicy | string | `"before-hook-creation,hook-succeeded"` | Configure the hook-delete-policy for Helm tests |
 | vault.hashicorp.healthCheck.enabled | bool | `true` | |
 | vault.hashicorp.healthCheck.standbyOk | bool | `true` | |
-| vault.hashicorp.paths.health | string | `"/v1/sys/health"` | |
-| vault.hashicorp.paths.secret | string | `"/v1/secret"` | |
+| vault.hashicorp.paths.health | string | `"/v1/sys/health"` | Default health api |
+| vault.hashicorp.paths.secret | string | `"/v1/secret"` | Path to secrets needs to be changed if install.vault=false |
 | vault.hashicorp.timeout | int | `30` | |
-| vault.hashicorp.token | string | `""` | |
-| vault.hashicorp.url | string | `"http://{{ .Release.Name }}-vault:8200"` | |
+| vault.hashicorp.token | string | `""` | Access token to the vault service needs to be changed if install.vault=false |
+| vault.hashicorp.url | string | `"http://{{ .Release.Name }}-vault:8200"` | URL to the vault service, needs to be changed if install.vault=false |
 | vault.injector.enabled | bool | `false` | |
-| vault.secretNames.transferProxyTokenEncryptionAesKey | string | `"transfer-proxy-token-encryption-aes-key"` | |
-| vault.secretNames.transferProxyTokenSignerPrivateKey | string | `nil` | |
-| vault.secretNames.transferProxyTokenSignerPublicKey | string | `nil` | |
+| vault.secretNames.transferProxyTokenEncryptionAesKey | string | `nil` | encrypt handed out tokens with this symmetric key |
+| vault.secretNames.transferProxyTokenSignerPrivateKey | string | `nil` | sign handed out tokens with this key |
+| vault.secretNames.transferProxyTokenSignerPublicKey | string | `nil` | sign handed out tokens with this certificate |
 | vault.server.dev.devRootToken | string | `"root"` | |
 | vault.server.dev.enabled | bool | `true` | |
 | vault.server.postStart | string | `nil` | |
diff --git a/charts/agent-connector/README.md.gotmpl b/charts/agent-connector/README.md.gotmpl index 1ebc203..fcba606 100644 --- a/charts/agent-connector/README.md.gotmpl +++ b/charts/agent-connector/README.md.gotmpl @@ -38,9 +38,19 @@ You should set your BPNL in the folloing property: ## Setting up Hashicorp Vault -You should set your BPNL in the folloing property: +You should set configure access to required secrets as follows: - 'vault.hashicorp.url': URL of the vault API - 'vault.hashicorp.token': A valid, generated access token. +- 'vault.hashicorp.paths.secret': Api path to the folder hosting the secrets (usually prepended with /v1) + +### Setting up the transfer token encryption + +Transfer tokens handed out from the provider to the consumer should be signed and encrypted. For that purpose +you should setup a private/public certificate as well as a symmetric AES key. + +- 'vault.secretNames.transferProxyTokenSignerPrivateKey': +- 'vault.secretNames.transferProxyTokenSignerPublicKey': +- 'vault.secretNames.transferProxyTokenEncryptionAesKey': ## Setting up SSI diff --git a/charts/agent-connector/ci/integration-values.yaml b/charts/agent-connector/ci/integration-values.yaml new file mode 100644 index 0000000..37cc28c --- /dev/null +++ b/charts/agent-connector/ci/integration-values.yaml 
@@ -0,0 +1,57 @@ +# +# Copyright (c) 2023 T-Systems International GmbH +# Copyright (c) 2023 ZF Friedrichshafen AG +# Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH +# Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) +# Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# + +install: + postgresql: true + +controlplane: + endpoints: + management: + authKey: "bla" + ssi: + miw: + url: "https://managed-identity-wallets.int" + authorityId: "BPNL0000000DUMMY" + oauth: + tokenurl: "https://keycloak/auth/realms/REALM/protocol/openid-connect/token" + client: + id: "serviceaccount" + secretAlias: "miw-secret" + +vault: + azure: + name: "AZURE_NAME" + tenant: "AZURE_TENANT" + client: "AZURE_CLIENT" + secret: "AZURE_SECRET" + hashicorp: + url: "https://vault.demo" + token: "VAULT_TOKEN" + paths: + secret: "/v1/secrets" + secretNames: + transferProxyTokenSignerPrivateKey: "key" + transferProxyTokenSignerPublicKey: "cert" + transferProxyTokenEncryptionAesKey: "symmetric-key" +participant: + id: "BPNL0000000DUMMY" diff --git a/charts/agent-connector/templates/deployment-controlplane.yaml b/charts/agent-connector/templates/deployment-controlplane.yaml index 903bfb0..15b642d 100644 --- a/charts/agent-connector/templates/deployment-controlplane.yaml 
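Review bot: The new fixture hardcodes a management API key (`authKey: "bla"`) and literal credential values (`token: "VAULT_TOKEN"`, `secret: "AZURE_SECRET"`) with nothing in the file marking them as test-only, so it reads like a deployable values file. A one-line comment after the license block, e.g. `# Integration-test fixture: every credential and endpoint below is a dummy placeholder`, would make the intent explicit. `paths.secret: "/v1/secrets"` also differs from the chart default `/v1/secret` shown in the values.yaml hunk of this same commit; if that is deliberate for the CI environment, a short comment on the line would keep it from being read as a typo.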
+++ b/charts/agent-connector/templates/deployment-controlplane.yaml @@ -176,7 +176,7 @@ spec: - name: "EDC_DATASOURCE_ASSET_PASSWORD" value: {{ .Values.postgresql.auth.password | required ".Values.postgresql.auth.password is required" | quote }} - name: "EDC_DATASOURCE_ASSET_URL" - value: {{ .Values.postgresql.jdbcUrl | quote }} + value: {{ tpl .Values.postgresql.jdbcUrl . | quote }} # see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/control-plane/store/sql/contract-definition-store-sql - name: "EDC_DATASOURCE_CONTRACTDEFINITION_NAME" diff --git a/charts/agent-connector/templates/tests/test-dataplane-readiness.yaml b/charts/agent-connector/templates/tests/test-dataplane-readiness.yaml index 72336a0..2147c74 100644 --- a/charts/agent-connector/templates/tests/test-dataplane-readiness.yaml +++ b/charts/agent-connector/templates/tests/test-dataplane-readiness.yaml @@ -19,7 +19,7 @@ {{- $root := . -}} {{- $allcommands := (dict "commands" (list)) -}} {{- range $dataplane_name, $dataplane := .Values.dataplanes -}} -{{- printf "curl http://%s-%s:%v%s/check/readiness" $dataplane.name (include "txdc.fullname" $root ) $dataplane.endpoints.default.port $dataplane.endpoints.default.path | append $allcommands.commands | set $allcommands "commands" -}} +{{- printf "curl http://%s-%s:%v%s/check/readiness" (include "txdc.fullname" $root ) $dataplane.name $dataplane.endpoints.default.port $dataplane.endpoints.default.path | append $allcommands.commands | set $allcommands "commands" -}} {{- end }} --- @@ -36,6 +36,6 @@ spec: containers: - name: wget image: curlimages/curl - command: [ '/bin/bash','-c' ] + command: [ '/bin/sh','-c' ] args: [ {{ join "&&" $allcommands.commands | quote }} ] restartPolicy: Never diff --git a/charts/agent-connector/values.yaml b/charts/agent-connector/values.yaml index a4bc3fb..c41c2a6 100644 --- a/charts/agent-connector/values.yaml +++ b/charts/agent-connector/values.yaml 
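Review bot: Only `EDC_DATASOURCE_ASSET_URL` is passed through `tpl` here, while the values.yaml hunk (@@ -558) makes the default `jdbcUrl` contain `{{ .Release.Name }}`; if the other `EDC_DATASOURCE_*_URL` entries further down this template (the `EDC_DATASOURCE_CONTRACTDEFINITION_*` group starts on the hunk's last context line) still render `.Values.postgresql.jdbcUrl | quote`, they receive the literal template string and those stores cannot connect. Each of them should use the same form, `value: {{ tpl .Values.postgresql.jdbcUrl . | quote }}`. Unlike the password two lines above, the URL is not wrapped in `required`, so an empty override renders as `""` instead of failing at template time; `value: {{ tpl (.Values.postgresql.jdbcUrl | required ".Values.postgresql.jdbcUrl is required") . | quote }}` would make the two consistent. The enclosing env list continues outside the hunk.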
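Review bot: The command built by the changed `printf` calls plain `curl`, which exits 0 on any HTTP response it receives, including a 5xx from `/check/readiness`, so the `&&` chain assembled in `args` only fails on connection errors and the helm test passes while a dataplane reports itself not ready; the test needs `-f` (and `-s` to keep the log quiet) for its exit status to track readiness: `{{- printf "curl -sf http://%s-%s:%v%s/check/readiness" (include "txdc.fullname" $root ) $dataplane.name $dataplane.endpoints.default.port $dataplane.endpoints.default.path | append $allcommands.commands | set $allcommands "commands" -}}`. The reordering of fullname and dataplane name is correct only if the dataplane services are actually named `<fullname>-<dataplane>`, which I cannot confirm from this hunk.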
@@ -133,7 +133,7 @@ controlplane: # -- The client ID for KeyCloak id: "" # -- The alias under which the client secret is stored in the vault. - secretAlias: "client-secret" + secretAlias: "" service: # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. @@ -558,7 +558,7 @@ dataplanes: # -- Standard settings for persistence, "jdbcUrl", "username" and "password" need to be overridden postgresql: - jdbcUrl: "jdbc:postgresql://postgresql:5432/edc" + jdbcUrl: "jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc" primary: persistence: enabled: false @@ -578,19 +578,26 @@ vault: devRootToken: "root" postStart: # must be set externally! hashicorp: + # -- URL to the vault service, needs to be changed if install.vault=false url: "http://{{ .Release.Name }}-vault:8200" + # -- Access token to the vault service needs to be changed if install.vault=false token: "" timeout: 30 healthCheck: enabled: true standbyOk: true paths: + # -- Path to secrets needs to be changed if install.vault=false secret: /v1/secret + # -- Default health api health: /v1/sys/health secretNames: + # -- sign handed out tokens with this key transferProxyTokenSignerPrivateKey: + # -- sign handed out tokens with this certificate transferProxyTokenSignerPublicKey: - transferProxyTokenEncryptionAesKey: transfer-proxy-token-encryption-aes-key + # -- encrypt handed out tokens with this symmetric key + transferProxyTokenEncryptionAesKey: backendService: httpProxyTokenReceiverUrl: "" diff --git a/charts/config/chart-integration-config.yaml b/charts/config/chart-integration-config.yaml new file mode 100644 index 0000000..175364a --- /dev/null +++ b/charts/config/chart-integration-config.yaml 
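Review bot: The new `# --` comments on the three `vault.secretNames.*` entries in the @@ -578 hunk say what the keys are used for but not what the value is; read alone, `encrypt handed out tokens with this symmetric key` invites pasting the AES key material into values.yaml, whereas the `secretNames` parent and the CI fixture (`"key"`, `"cert"`, `"symmetric-key"`) indicate these are the names under which the secrets are looked up in the vault. Suggest wording them like the `secretAlias` comment in the @@ -133 hunk, e.g. `# -- Vault secret name (alias) of the symmetric key used to encrypt handed out tokens`, with the same pattern for the signer private key and public key. Since the commit also drops the former default `transfer-proxy-token-encryption-aes-key`, all three now default to empty; the comments should state whether an empty value is rejected by the templates or silently leaves tokens unsigned or unencrypted, which I cannot tell from this hunk. The `vault.hashicorp.token` comment could likewise mention that a token placed in values.yaml becomes part of the rendered release manifest, if the chart offers an existing-secret alternative.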
@@ -0,0 +1,24 @@ +# Copyright (c) 2022,2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 + +--- +# Config for testing charts +validate-maintainers: false +helm-extra-args: +chart-repos: + - helm=https://helm.releases.hashicorp.com + - bitnami=https://charts.bitnami.com/bitnami diff --git a/pom.xml b/pom.xml index bf85360..7994e1b 100644 --- a/pom.xml +++ b/pom.xml @@ -271,6 +271,16 @@ + + + dash-licenses-snapshots + https://repo.eclipse.org/content/repositories/dash-licenses-snapshots/ + + true + + + + github