diff --git a/.github/workflows/chart-test.yml b/.github/workflows/chart-test.yml index 9f09d671..5ac00284 100644 --- a/.github/workflows/chart-test.yml +++ b/.github/workflows/chart-test.yml @@ -120,8 +120,8 @@ jobs: - name: Run chart-testing (lint) run: ct lint --validate-maintainers=false --check-version-increment=false --target-branch ${{ github.event.repository.default_branch }} - - name: Run service chart-testing (install) - run: ct install --charts charts/ssi-credential-issuer --config charts/chart-testing-config.yaml --helm-extra-set-args "--set=issuer.image=kind-registry:5000/credential-issuer-service:testing --set=issuermigrations.image=kind-registry:5000/credential-issuer-migrations:testing --set=processesworker.image=kind-registry:5000/credential-issuer-processes-worker --set=credentialexpiry.image=kind-registry:5000/credential-expiry-app" + - name: Run chart-testing (install) + run: ct install --charts charts/ssi-credential-issuer --config charts/chart-testing-config.yaml --helm-extra-set-args "--set=issuer.image.name=kind-registry:5000/credential-issuer-service --set=issuer.image.tag=testing --set=issuermigrations.image.name=kind-registry:5000/credential-issuer-migrations --set=issuermigrations.image.tag=testing --set=processesworker.image.name=kind-registry:5000/credential-issuer-processes-worker --set=processesworker.image.tag=testing --set=credentialExpiry.image.name=kind-registry:5000/credential-expiry-app --set=credentialExpiry.image.tag=testing" if: github.event_name != 'pull_request' || steps.list-changed.outputs.changed == 'true' # TODO: re-add the step after the first version release 
@@ -133,5 +133,5 @@ jobs: # helm repo add tractusx-dev https://eclipse-tractusx.github.io/charts/dev # helm install ssi-credential-issuer tractusx-dev/ssi-credential-issuer --version ${{ github.event.inputs.upgrade_from || 'tbd' }} --namespace upgrade --create-namespace # helm dependency update charts/ssi-credential-issuer - # helm upgrade ssi-credential-issuer charts/ssi-credential-issuer --set issuer.image=kind-registry:5000/service:testing --set=issuermigrations.image=kind-registry:5000/migrations:testing --namespace upgrade + # helm upgrade ssi-credential-issuer charts/ssi-credential-issuer --set issuer.image.name=kind-registry:5000/service:testing --set=issuermigrations.image.name=kind-registry:5000/migrations:testing --namespace upgrade # if: github.event_name != 'pull_request' || steps.list-changed.outputs.changed == 'true' diff --git a/.github/workflows/owasp-zap.yml b/.github/workflows/owasp-zap.yml index 24f3b49f..74aa893a 100644 --- a/.github/workflows/owasp-zap.yml +++ b/.github/workflows/owasp-zap.yml 
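Review bot: The commented-out `helm upgrade` line in chart-test.yml sets `issuer.image.name=kind-registry:5000/service:testing` and `issuermigrations.image.name=kind-registry:5000/migrations:testing` with the tag still inside the name. The cronjob templates in this commit compose the reference as `name:tag`, so if the issuer templates follow the same pattern, re-enabling the step as written would yield a reference with two tags. Split it the way the install step above does, `--set issuer.image.name=<registry/image> --set issuer.image.tag=testing`. Also check the image names, since `service` and `migrations` differ from `credential-issuer-service` and `credential-issuer-migrations` used in the install step.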
@@ -107,7 +107,7 @@ jobs: helm dependency build - name: Install the chart on KinD cluster - run: helm install testing -n apps --create-namespace --wait --set issuer.image=kind-registry:5000/credential-issuer-service:testing --set=issuermigrations.image=kind-registry:5000/credential-issuer-migrations:testing --set=processesworker.image=kind-registry:5000/credential-issuer-processes-worker:testing --set=credentialexpiry.image=kind-registry:5000/credential-expiry-app:testing --set=issuer.swaggerEnabled=true charts/ssi-credential-issuer + run: helm install testing -n apps --create-namespace --wait --set issuer.image=kind-registry:5000/credential-issuer-service:testing --set=issuermigrations.image=kind-registry:5000/credential-issuer-migrations:testing --set=processesworker.image=kind-registry:5000/credential-issuer-processes-worker:testing --set=credentialExpiry.image=kind-registry:5000/credential-expiry-app:testing --set=issuer.swaggerEnabled=true charts/ssi-credential-issuer - name: Configure port forward to app in KinD run: | diff --git a/README.md b/README.md index 186d3821..bfd1b8ad 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ This repository contains the backend code for the SSI Credential Issuer written ## How to build and run -Install [the .NET 8.0 SDK](https://www.microsoft.com/net/download). +Install the [.NET 7.0 SDK](https://www.microsoft.com/net/download). Run the following command from the CLI: 
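Review bot: The `helm install` line in owasp-zap.yml still passes each image as one string (`--set issuer.image=...:testing`, and likewise for `issuermigrations`, `processesworker` and `credentialExpiry`); only the key casing changed. The chart in this commit reads `image.name` and `image.tag` (visible in the README table and the cronjob templates), and setting `image` to a string replaces that map. The install would then fail to render or not run the locally built `testing` images, so the ZAP scan has no target or scans something other than the build under test. Use the form already adopted in chart-test.yml for all four components, e.g. `--set issuer.image.name=kind-registry:5000/credential-issuer-service --set issuer.image.tag=testing`.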
@@ -19,6 +19,17 @@ Run the following command from the CLI in the directory of the service you want dotnet run ``` +## Notice for Docker image + +This application provides container images for demonstration purposes. + +See Docker notice files for more information: + +- [credential-issuer-service](./docker//notice-credential-issuer-service.md) +- [credential-issuer-processes-worker](./docker/notice-credential-issuer-processes-worker.md) +- [notice-credential-expiry-app](./docker/notice-credential-expiry-app.md) +- [credential-issuer-migrations](./docker/notice-credential-issuer-migrations.md) + ## License Distributed under the Apache 2.0 License. diff --git a/charts/ssi-credential-issuer/Chart.yaml b/charts/ssi-credential-issuer/Chart.yaml index 2cf71c8b..678f6b2d 100644 --- a/charts/ssi-credential-issuer/Chart.yaml +++ b/charts/ssi-credential-issuer/Chart.yaml @@ -20,8 +20,8 @@ apiVersion: v2 name: ssi-credential-issuer type: application -version: 0.1.0-rc.1 -appVersion: 0.1.0-rc.1 +version: 1.0.0-rc.1 +appVersion: 1.0.0-rc.1 description: Helm chart for Catena-X SSI Credential Issuer home: https://github.com/eclipse-tractusx/ssi-credential-issuer dependencies: diff --git a/charts/ssi-credential-issuer/README.md b/charts/ssi-credential-issuer/README.md index ecfc2df0..59756a05 100644 --- a/charts/ssi-credential-issuer/README.md +++ b/charts/ssi-credential-issuer/README.md @@ -27,7 +27,7 @@ To use the helm chart as a dependency: dependencies: - name: ssi-credential-issuer repository: https://eclipse-tractusx.github.io/charts/dev - version: 0.1.0-rc.1 + version: 1.0.0-rc.1 ``` ## Requirements 
@@ -40,65 +40,104 @@ dependencies: | Key | Type | Default | Description | |-----|------|---------|-------------| -| centralidpAddress | string | `"https://centralidp.example.org"` | Provide centralidp base address (CX IAM), without trailing '/auth'. | -| ingress.enabled | bool | `false` | Policy Hub ingress parameters, enable ingress record generation for policy-hub. | -| ingress.name | string | `"policy-hub"` | | -| ingress.className | string | `"nginx"` | | -| ingress.annotations."nginx.ingress.kubernetes.io/use-regex" | string | `"true"` | | -| ingress.annotations."nginx.ingress.kubernetes.io/enable-cors" | string | `"true"` | | -| ingress.annotations."nginx.ingress.kubernetes.io/proxy-body-size" | string | `"8m"` | | -| ingress.annotations."nginx.ingress.kubernetes.io/cors-allow-origin" | string | `"https://*.example.org"` | Provide CORS allowed origin. | -| ingress.tls[0] | object | `{"hosts":["policy-hub.example.org"],"secretName":""}` | Provide tls secret. | -| ingress.tls[0].hosts | list | `["policy-hub.example.org"]` | Provide host for tls secret. | -| ingress.hosts[0] | object | `{"host":"policy-hub.example.org","paths":[{"backend":{"port":8080},"path":"/api/policy-hub","pathType":"Prefix"}]}` | Provide default path for the ingress record. | +| issuer.image.name | string | `"docker.io/tractusx/credential-issuer-service"` | | +| issuer.image.tag | string | `""` | | +| issuer.imagePullPolicy | string | `"IfNotPresent"` | | +| issuer.resources | object | `{"limits":{"cpu":"45m","memory":"400M"},"requests":{"cpu":"15m","memory":"300M"}}` | We recommend to review the default resource limits as this should a conscious choice. 
| +| issuer.logging.businessLogic | string | `"Information"` | | +| issuer.logging.default | string | `"Information"` | | +| issuer.healthChecks.startup.path | string | `"/health/startup"` | | +| issuer.healthChecks.startup.tags[0].name | string | `"HEALTHCHECKS__0__TAGS__1"` | | +| issuer.healthChecks.startup.tags[0].value | string | `"issuerdb"` | | +| issuer.healthChecks.liveness.path | string | `"/healthz"` | | +| issuer.healthChecks.readyness.path | string | `"/ready"` | | +| issuer.swaggerEnabled | bool | `false` | | +| issuer.portal.scope | string | `"openid"` | | +| issuer.portal.grantType | string | `"client_credentials"` | | +| issuer.portal.clientId | string | `"portal-client-id"` | Provide portal client-id from CX IAM centralidp. | +| issuer.portal.clientSecret | string | `""` | Client-secret for portal client-id. Secret-key 'portal-client-secret'. | +| issuer.credential.issuerDid | string | `""` | | +| issuer.credential.encryptionConfigIndex | int | `0` | | +| issuer.credential.encryptionConfigs.index0.index | int | `0` | | +| issuer.credential.encryptionConfigs.index0.cipherMode | string | `"CBC"` | | +| issuer.credential.encryptionConfigs.index0.paddingMode | string | `"PKCS7"` | | +| issuer.credential.encryptionConfigs.index0.encryptionKey | string | `""` | EncryptionKey for wallet. Secret-key 'credential-encryption-key0'. Expected format is 256 bit (64 digits) hex. | +| issuermigrations.name | string | `"migrations"` | | +| issuermigrations.image.name | string | `"docker.io/tractusx/credential-issuer-migrations"` | | +| issuermigrations.image.tag | string | `""` | | +| issuermigrations.imagePullPolicy | string | `"IfNotPresent"` | | +| issuermigrations.resources | object | `{"limits":{"cpu":"45m","memory":"105M"},"requests":{"cpu":"15m","memory":"105M"}}` | We recommend to review the default resource limits as this should a conscious choice. 
| +| issuermigrations.seeding.testDataEnvironments | string | `""` | | +| issuermigrations.seeding.testDataPaths | string | `"Seeder/Data"` | | +| issuermigrations.logging.default | string | `"Information"` | | +| processesworker.name | string | `"processesworker"` | | +| processesworker.image.name | string | `"docker.io/tractusx/credential-issuer-processes-worker"` | | +| processesworker.image.tag | string | `""` | | +| processesworker.imagePullPolicy | string | `"IfNotPresent"` | | +| processesworker.resources | object | `{"limits":{"cpu":"45m","memory":"105M"},"requests":{"cpu":"15m","memory":"105M"}}` | We recommend to review the default resource limits as this should a conscious choice. | +| processesworker.logging.default | string | `"Information"` | | +| processesworker.portal.scope | string | `"openid"` | | +| processesworker.portal.grantType | string | `"client_credentials"` | | +| processesworker.portal.clientId | string | `"portal-client-id"` | Provide portal client-id from CX IAM centralidp. | +| processesworker.portal.clientSecret | string | `""` | Client-secret for portal client-id. Secret-key 'portal-client-secret'. | +| processesworker.processIdentity.identityId | string | `"d21d2e8a-fe35-483c-b2b8-4100ed7f0953"` | | +| processesworker.wallet.scope | string | `"openid"` | | +| processesworker.wallet.grantType | string | `"client_credentials"` | | +| processesworker.wallet.clientId | string | `"wallet-client-id"` | Provide wallet client-id from CX IAM centralidp. | +| processesworker.wallet.clientSecret | string | `""` | Client-secret for wallet client-id. Secret-key 'wallet-client-secret'. 
| +| processesworker.wallet.encryptionConfigIndex | int | `0` | | +| processesworker.wallet.encryptionConfigs.index0.index | int | `0` | | +| processesworker.wallet.encryptionConfigs.index0.cipherMode | string | `"CBC"` | | +| processesworker.wallet.encryptionConfigs.index0.paddingMode | string | `"PKCS7"` | | +| processesworker.wallet.encryptionConfigs.index0.encryptionKey | string | `""` | EncryptionKey for wallet. Secret-key 'process-wallet-encryption-key0'. Expected format is 256 bit (64 digits) hex. | +| credentialExpiry.name | string | `"expiry"` | | +| credentialExpiry.image.name | string | `"docker.io/tractusx/credential-expiry-app"` | | +| credentialExpiry.image.tag | string | `""` | | +| credentialExpiry.imagePullPolicy | string | `"IfNotPresent"` | | +| credentialExpiry.resources | object | `{"limits":{"cpu":"45m","memory":"105M"},"requests":{"cpu":"15m","memory":"105M"}}` | We recommend to review the default resource limits as this should a conscious choice. | +| credentialExpiry.processIdentity.identityId | string | `"d21d2e8a-fe35-483c-b2b8-4100ed7f0953"` | | +| credentialExpiry.logging.default | string | `"Information"` | | +| credentialExpiry.expiry.expiredVcsToDeleteInMonth | int | `12` | | +| credentialExpiry.expiry.inactiveVcsToDeleteInWeeks | int | `12` | | +| existingSecret | string | `""` | Secret containing the client-secrets for the connection to portal and wallet as well as encryptionKeys for issuer.credential and processesworker.wallet | | dotnetEnvironment | string | `"Production"` | | -| dbConnection.schema | string | `"hub"` | | +| centralidp.address | string | `"https://centralidp.example.org"` | Provide centralidp base address (CX IAM), without trailing '/auth'. 
| +| centralidp.authRealm | string | `"CX-Central"` | | +| centralidp.jwtBearerOptions.requireHttpsMetadata | string | `"true"` | | +| centralidp.jwtBearerOptions.metadataPath | string | `"/auth/realms/CX-Central/.well-known/openid-configuration"` | | +| centralidp.jwtBearerOptions.tokenValidationParameters.validIssuerPath | string | `"/auth/realms/CX-Central"` | | +| centralidp.jwtBearerOptions.tokenValidationParameters.validAudience | string | `"ClXX-CX-SSI"` | TODO: Add Client | +| centralidp.jwtBearerOptions.refreshInterval | string | `"00:00:30"` | | +| centralidp.tokenPath | string | `"/auth/realms/CX-Central/protocol/openid-connect/token"` | | +| centralidp.useAuthTrail | bool | `true` | Flag if the api should be used with an leading /auth path | +| ingress.enabled | bool | `false` | SSI Credential Issuer ingress parameters, enable ingress record generation for ssi-credential-issuer. | +| ingress.tls[0] | object | `{"hosts":[""],"secretName":""}` | Provide tls secret. | +| ingress.tls[0].hosts | list | `[""]` | Provide host for tls secret. | +| ingress.hosts[0] | object | `{"host":"","paths":[{"backend":{"port":8080},"path":"/api/issuer","pathType":"Prefix"}]}` | Provide default path for the ingress record. 
| +| dbConnection.schema | string | `"issuer"` | | | dbConnection.sslMode | string | `"Disable"` | | -| keycloak.central.authRealm | string | `"CX-Central"` | | -| keycloak.central.jwtBearerOptions.requireHttpsMetadata | string | `"true"` | | -| keycloak.central.jwtBearerOptions.metadataPath | string | `"/auth/realms/CX-Central/.well-known/openid-configuration"` | | -| keycloak.central.jwtBearerOptions.tokenValidationParameters.validIssuerPath | string | `"/auth/realms/CX-Central"` | | -| keycloak.central.jwtBearerOptions.tokenValidationParameters.validAudience | string | `"Cl23-CX-Policy-Hub"` | | -| keycloak.central.jwtBearerOptions.refreshInterval | string | `"00:00:30"` | | -| keycloak.central.tokenPath | string | `"/auth/realms/CX-Central/protocol/openid-connect/token"` | | -| keycloak.central.useAuthTrail | bool | `true` | Flag if the api should be used with an leading /auth path | -| healthChecks.startup.path | string | `"/health/startup"` | | -| healthChecks.liveness.path | string | `"/healthz"` | | -| healthChecks.readyness.path | string | `"/ready"` | | -| policyhub.image | string | `"docker.io/tractusx/policy-hub-service:0.1.0-rc.3"` | | -| policyhub.imagePullPolicy | string | `"IfNotPresent"` | | -| policyhub.resources | object | `{"requests":{"cpu":"15m","memory":"300M"}}` | We recommend not to specify default resource limits and to leave this as a conscious choice for the user. If you do want to specify resource limits, uncomment the following lines and adjust them as necessary. 
| -| policyhub.logging.businessLogic | string | `"Information"` | | -| policyhub.logging.default | string | `"Information"` | | -| policyhub.healthChecks.startup.tags[0].name | string | `"HEALTHCHECKS__0__TAGS__1"` | | -| policyhub.healthChecks.startup.tags[0].value | string | `"policyhubdb"` | | -| policyhub.swaggerEnabled | bool | `false` | | -| policyhubmigrations.image | string | `"docker.io/tractusx/policy-hub-migrations:0.1.0-rc.3"` | | -| policyhubmigrations.imagePullPolicy | string | `"IfNotPresent"` | | -| policyhubmigrations.resources | object | `{"requests":{"cpu":"15m","memory":"105M"}}` | We recommend not to specify default resource limits and to leave this as a conscious choice for the user. If you do want to specify resource limits, uncomment the following lines and adjust them as necessary. | -| policyhubmigrations.seeding.testDataEnvironments | string | `""` | | -| policyhubmigrations.seeding.testDataPaths | string | `"Seeder/Data"` | | -| policyhubmigrations.logging.default | string | `"Information"` | | -| postgresql.enabled | bool | `true` | PostgreSQL chart configuration; default configurations: host: "policy-hub-postgresql-primary", port: 5432; Switch to enable or disable the PostgreSQL helm chart. | -| postgresql.auth.username | string | `"hub"` | Non-root username. | -| postgresql.auth.database | string | `"policy-hub"` | Database name. | -| postgresql.auth.existingSecret | string | `"{{ .Release.Name }}-phub-postgres"` | Secret containing the passwords for root usernames postgres and non-root username hub. Should not be changed without changing the "phub-postgresSecretName" template as well. | +| postgresql.enabled | bool | `true` | PostgreSQL chart configuration; default configurations: host: "issuer-postgresql-primary", port: 5432; Switch to enable or disable the PostgreSQL helm chart. 
| +| postgresql.image | object | `{"tag":"15-debian-12"}` | Setting image tag to major to get latest minor updates | +| postgresql.commonLabels."app.kubernetes.io/version" | string | `"15"` | | +| postgresql.auth.username | string | `"issuer"` | Non-root username. | +| postgresql.auth.database | string | `"issuer"` | Database name. | +| postgresql.auth.existingSecret | string | `"{{ .Release.Name }}-issuer-postgres"` | Secret containing the passwords for root usernames postgres and non-root username issuer. Should not be changed without changing the "issuer-postgresSecretName" template as well. | +| postgresql.auth.postgrespassword | string | `""` | Password for the root username 'postgres'. Secret-key 'postgres-password'. | +| postgresql.auth.password | string | `""` | Password for the non-root username 'issuer'. Secret-key 'password'. | +| postgresql.auth.replicationPassword | string | `""` | Password for the non-root username 'repl_user'. Secret-key 'replication-password'. | | postgresql.architecture | string | `"replication"` | | | postgresql.audit.pgAuditLog | string | `"write, ddl"` | | | postgresql.audit.logLinePrefix | string | `"%m %u %d "` | | | postgresql.primary.extendedConfiguration | string | `""` | Extended PostgreSQL Primary configuration (increase of max_connections recommended - default is 100) | -| postgresql.primary.initdb.scriptsConfigMap | string | `"{{ .Release.Name }}-phub-cm-postgres"` | | +| postgresql.primary.initdb.scriptsConfigMap | string | `"{{ .Release.Name }}-issuer-cm-postgres"` | | | postgresql.readReplicas.extendedConfiguration | string | `""` | Extended PostgreSQL read only replicas configuration (increase of max_connections recommended - default is 100) | -| externalDatabase.host | string | `"phub-postgres-ext"` | External PostgreSQL configuration IMPORTANT: non-root db user needs to be created beforehand on external database. 
And the init script (02-init-db.sql) available in templates/configmap-postgres-init.yaml needs to be executed beforehand. Database host ('-primary' is added as postfix). | +| externalDatabase.host | string | `"issuer-postgres-ext"` | External PostgreSQL configuration IMPORTANT: non-root db user needs to be created beforehand on external database. And the init script (02-init-db.sql) available in templates/configmap-postgres-init.yaml needs to be executed beforehand. Database host ('-primary' is added as postfix). | | externalDatabase.port | int | `5432` | Database port number. | -| externalDatabase.user | string | `"hub"` | Non-root username for policy-hub. | -| externalDatabase.database | string | `"policy-hub"` | Database name. | -| externalDatabase.password | string | `""` | Password for the non-root username (default 'hub'). Secret-key 'password'. | -| externalDatabase.existingSecret | string | `"policy-hub-external-db"` | Secret containing the password non-root username, (default 'hub'). | +| externalDatabase.user | string | `"issuer"` | Non-root username for issuer. | +| externalDatabase.database | string | `"issuer"` | Database name. | +| externalDatabase.password | string | `""` | Password for the non-root username (default 'issuer'). Secret-key 'password'. | +| externalDatabase.existingSecret | string | `"issuer-external-db"` | Secret containing the password non-root username, (default 'issuer'). | | externalDatabase.existingSecretPasswordKey | string | `"password"` | Name of an existing secret key containing the database credentials. | -| secrets.postgresql.auth.existingSecret.postgrespassword | string | `""` | Password for the root username 'postgres'. Secret-key 'postgres-password'. | -| secrets.postgresql.auth.existingSecret.password | string | `""` | Password for the non-root username 'hub'. Secret-key 'password'. | -| secrets.postgresql.auth.existingSecret.replicationPassword | string | `""` | Password for the non-root username 'repl_user'. 
Secret-key 'replication-password'. | | portContainer | int | `8080` | | | portService | int | `8080` | | | replicaCount | int | `3` | | diff --git a/charts/ssi-credential-issuer/templates/_helpers.tpl b/charts/ssi-credential-issuer/templates/_helpers.tpl index 412bcaf7..82f4dc42 100644 --- a/charts/ssi-credential-issuer/templates/_helpers.tpl +++ b/charts/ssi-credential-issuer/templates/_helpers.tpl @@ -30,6 +30,17 @@ Create chart name and version as used by the chart label. {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} {{- end }} +{{/* +Determine secret name. +*/}} +{{- define "issuer.secretName" -}} +{{- if .Values.existingSecret -}} +{{- .Values.existingSecret }} +{{- else -}} +{{- include "issuer.fullname" . -}} +{{- end -}} +{{- end -}} + {{/* Define secret name of postgres dependency. */}} 
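Review bot: The comment on the new `issuer.secretName` helper in _helpers.tpl, `Determine secret name.`, does not say which secret it names or how the name is chosen. Suggest `Name of the Secret holding the portal/wallet client secrets and encryption keys: .Values.existingSecret when set, otherwise the chart fullname.` It is also worth stating there that a user-supplied `existingSecret` must contain the keys the templates read, such as `portal-client-secret`, `wallet-client-secret` and `process-wallet-encryption-key0` seen in cronjob-issuer-processes.yaml.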
@@ -72,19 +83,19 @@ Create the name of the service account to use Determine database hostname for subchart */}} -{{- define "postgresql.primary.fullname" -}} +{{- define "issuer.postgresql.primary.fullname" -}} {{- if eq .Values.postgresql.architecture "replication" }} -{{- printf "%s-primary" (include "chart-name-postgresql-dependency" .) | trunc 63 | trimSuffix "-" -}} +{{- printf "%s-primary" (include "issuer.chart.name.postgresql.dependency" .) | trunc 63 | trimSuffix "-" -}} {{- else -}} - {{- include "chart-name-postgresql-dependency" . -}} + {{- include "issuer.chart.name.postgresql.dependency" . -}} {{- end -}} {{- end -}} -{{- define "postgresql.readReplica.fullname" -}} -{{- printf "%s-read" (include "chart-name-postgresql-dependency" .) | trunc 63 | trimSuffix "-" -}} +{{- define "issuer.postgresql.readReplica.fullname" -}} +{{- printf "%s-read" (include "issuer.chart.name.postgresql.dependency" .) | trunc 63 | trimSuffix "-" -}} {{- end -}} -{{- define "chart-name-postgresql-dependency" -}} +{{- define "issuer.chart.name.postgresql.dependency" -}} {{- if .Values.postgresql.fullnameOverride -}} {{- .Values.postgresql.fullnameOverride | trunc 63 | trimSuffix "-" -}} {{- else -}} diff --git a/charts/ssi-credential-issuer/templates/cronjob-expiry-app.yaml b/charts/ssi-credential-issuer/templates/cronjob-expiry-app.yaml index 34255855..6c97f306 100644 --- a/charts/ssi-credential-issuer/templates/cronjob-expiry-app.yaml +++ b/charts/ssi-credential-issuer/templates/cronjob-expiry-app.yaml 
@@ -20,61 +20,61 @@ apiVersion: batch/v1 kind: CronJob metadata: - name: {{ include "issuer.fullname" . }}-expiry - annotations: - "batch.kubernetes.io/job-tracking": "true" - "helm.sh/hook": post-install,post-upgrade - "helm.sh/hook-weight": "-5" + name: {{ include "issuer.fullname" . }}-{{ .Values.credentialExpiry.name }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "issuer.labels" . | nindent 4 }} spec: schedule: "0 0 * * *" concurrencyPolicy: Forbid jobTemplate: metadata: - labels: - {{- include "issuer.selectorLabels" . | nindent 8 }} + name: {{ include "issuer.fullname" . }}-{{ .Values.credentialExpiry.name }} spec: - restartPolicy: OnFailure - containers: - - name: {{ include "issuer.fullname" . }}-expiry - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: "{{ .Values.credentialexpiry.image }}" - imagePullPolicy: "{{ .Values.credentialexpiry.imagePullPolicy }}" - env: - - name: DOTNET_ENVIRONMENT - value: "{{ .Values.dotnetEnvironment }}" - {{- if .Values.postgresql.enabled }} - - name: "ISSUER_PASSWORD" - valueFrom: - secretKeyRef: - name: "{{ .Values.postgresql.auth.existingSecret }}" - key: "issuer-password" - - name: "CONNECTIONSTRINGS__ISSUERDB" - value: "Server={{ template "postgresql.primary.fullname" . 
}};Database={{ .Values.postgresql.auth.database }};Port={{ .Values.postgresql.auth.port }};User Id={{ .Values.postgresql.auth.issuerUser }};Password=$(ISSUER_PASSWORD);Ssl Mode={{ .Values.dbConnection.sslMode }};" - {{- end }} - {{- if not .Values.postgresql.enabled }} - - name: "ISSUER_PASSWORD" - valueFrom: - secretKeyRef: - name: "{{ .Values.externalDatabase.secret }}" - key: "issuer-password" - - name: "CONNECTIONSTRINGS__ISSUERDB" - value: "Server={{ .Values.externalDatabase.host }};Database={{ .Values.externalDatabase.database }};Port={{ .Values.externalDatabase.port }};User Id={{ .Values.externalDatabase.issuerUser }};Password=$(ISSUER_PASSWORD);Ssl Mode={{ .Values.dbConnection.sslMode }};" - {{- end }} - - name: "EXPIRY__EXPIREDVCSTODELETEINMONTH" - value: "{{ .Values.credentialexpiry.expiry.expiredVcsToDeleteInMonth }}" - - name: "EXPIRY__INACTIVEVCSTODELETEINWEEKS" - value: "{{ .Values.credentialexpiry.expiry.inactiveVcsToDeleteInWeeks }}" - - name: "PROCESSES__IDENTITYID" - value: "{{ .Values.credentialexpiry.processIdentity.identityId }}" - ports: - - name: http - containerPort: {{ .Values.portContainer }} - protocol: TCP - resources: - {{- toYaml .Values.credentialexpiry.resources | nindent 14 }} + template: + spec: + restartPolicy: OnFailure + containers: + - name: {{ include "issuer.fullname" . 
}}-{{ .Values.credentialExpiry.name }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + image: "{{ .Values.credentialExpiry.image.name }}:{{ .Values.credentialExpiry.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: "{{ .Values.credentialExpiry.imagePullPolicy }}" + env: + - name: DOTNET_ENVIRONMENT + value: "{{ .Values.dotnetEnvironment }}" + {{- if .Values.postgresql.enabled }} + - name: "ISSUER_PASSWORD" + valueFrom: + secretKeyRef: + name: "{{ .Values.postgresql.auth.existingSecret }}" + key: "issuer-password" + - name: "CONNECTIONSTRINGS__ISSUERDB" + value: "Server={{ template "issuer.postgresql.primary.fullname" . }};Database={{ .Values.postgresql.auth.database }};Port={{ .Values.postgresql.auth.port }};User Id={{ .Values.postgresql.auth.issuerUser }};Password=$(ISSUER_PASSWORD);Ssl Mode={{ .Values.dbConnection.sslMode }};" + {{- end }} + {{- if not .Values.postgresql.enabled }} + - name: "ISSUER_PASSWORD" + valueFrom: + secretKeyRef: + name: "{{ .Values.externalDatabase.secret }}" + key: "issuer-password" + - name: "CONNECTIONSTRINGS__ISSUERDB" + value: "Server={{ .Values.externalDatabase.host }};Database={{ .Values.externalDatabase.database }};Port={{ .Values.externalDatabase.port }};User Id={{ .Values.externalDatabase.issuerUser }};Password=$(ISSUER_PASSWORD);Ssl Mode={{ .Values.dbConnection.sslMode }};" + {{- end }} + - name: "EXPIRY__EXPIREDVCSTODELETEINMONTH" + value: "{{ .Values.credentialExpiry.expiry.expiredVcsToDeleteInMonth }}" + - name: "EXPIRY__INACTIVEVCSTODELETEINWEEKS" + value: "{{ .Values.credentialExpiry.expiry.inactiveVcsToDeleteInWeeks }}" + - name: "PROCESSES__IDENTITYID" + value: "{{ .Values.credentialExpiry.processIdentity.identityId }}" + ports: + - name: http + containerPort: {{ .Values.portContainer }} + protocol: TCP + resources: + {{- toYaml .Values.credentialExpiry.resources | nindent 14 }} 
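Review bot: The database wiring in the container `env` of cronjob-expiry-app.yaml reads values keys that the chart README in this same commit does not define: `.Values.postgresql.auth.port`, `.Values.postgresql.auth.issuerUser`, `.Values.externalDatabase.secret`, `.Values.externalDatabase.issuerUser` and the secret key `issuer-password`, whereas the README lists `postgresql.auth.username`, `externalDatabase.user`, `externalDatabase.existingSecret` and `externalDatabase.existingSecretPasswordKey` (Secret-key 'password'). If values.yaml matches the README, the connection string renders with an empty port and user and the `secretKeyRef` names a secret or key that does not exist, so the pod cannot start; the fix would be along the lines of `User Id={{ .Values.postgresql.auth.username }}` and `key: "password"`. `name: "{{ .Values.postgresql.auth.existingSecret }}"` also emits the documented default `{{ .Release.Name }}-issuer-postgres` unrendered, so it presumably should go through the postgres secret-name helper in _helpers.tpl or `tpl`. The same lines are repeated in the cronjob-issuer-processes.yaml hunk. Since `dbConnection.sslMode` defaults to `Disable`, a comment noting that the database password then crosses the cluster network unencrypted would help operators.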
diff --git a/charts/ssi-credential-issuer/templates/cronjob-issuer-processes.yaml b/charts/ssi-credential-issuer/templates/cronjob-issuer-processes.yaml
index b8c11b01..b86f0d87 100644
--- a/charts/ssi-credential-issuer/templates/cronjob-issuer-processes.yaml
+++ b/charts/ssi-credential-issuer/templates/cronjob-issuer-processes.yaml
@@ -20,106 +20,106 @@ apiVersion: batch/v1 kind: CronJob metadata: - name: {{ include "processesworker.fullname" . }}-worker - annotations: - "batch.kubernetes.io/job-tracking": "true" - "helm.sh/hook": post-install,post-upgrade - "helm.sh/hook-weight": "-5" + name: {{ include "issuer.fullname" . }}-{{ .Values.processesworker.name }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "issuer.labels" . | nindent 4 }} spec: schedule: "*/5 * * * *" concurrencyPolicy: Forbid jobTemplate: metadata: - labels: - {{- include "issuer.selectorLabels" . | nindent 8 }} + name: {{ include "issuer.fullname" . }}-{{ .Values.processesworker.name }} spec: - restartPolicy: OnFailure - containers: - - name: {{ include "issuer.fullname" . }}-worker - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - image: "{{ .Values.processesworker.image }}" - imagePullPolicy: "{{ .Values.processesworker.imagePullPolicy }}" - env: - - name: DOTNET_ENVIRONMENT - value: "{{ .Values.dotnetEnvironment }}" - {{- if .Values.postgresql.enabled }} - - name: "ISSUER_PASSWORD" - valueFrom: - secretKeyRef: - name: "{{ .Values.postgresql.auth.existingSecret }}" - key: "issuer-password" - - name: "CONNECTIONSTRINGS__ISSUERDB" - value: "Server={{ template "postgresql.primary.fullname" . 
}};Database={{ .Values.postgresql.auth.database }};Port={{ .Values.postgresql.auth.port }};User Id={{ .Values.postgresql.auth.issuerUser }};Password=$(ISSUER_PASSWORD);Ssl Mode={{ .Values.dbConnection.sslMode }};" - {{- end }} - {{- if not .Values.postgresql.enabled }} - - name: "ISSUER_PASSWORD" - valueFrom: - secretKeyRef: - name: "{{ .Values.externalDatabase.secret }}" - key: "issuer-password" - - name: "CONNECTIONSTRINGS__ISSUERDB" - value: "Server={{ .Values.externalDatabase.host }};Database={{ .Values.externalDatabase.database }};Port={{ .Values.externalDatabase.port }};User Id={{ .Values.externalDatabase.issuerUser }};Password=$(ISSUER_PASSWORD);Ssl Mode={{ .Values.dbConnection.sslMode }};" - {{- end }} - - name: "PORTAL__CLIENTSECRET" - valueFrom: - secretKeyRef: - name: "{{ .Values.interfaces.secret }}" - key: "portal-client-secret" - - name: "PORTAL__GRANTTYPE" - value: "{{ .Values.processesworker.portal.grantType }}" - - name: "PORTAL__TOKENADDRESS" - value: "{{ .Values.centralidpAddress }}{{ .Values.keycloak.central.tokenPath }}" - - name: "PORTAL__PASSWORD" - value: "{{ .Values.placeholder }}" - - name: "PORTAL__SCOPE" - value: "{{ .Values.processesworker.portal.scope }}" - - name: "PORTAL__USERNAME" - value: "{{ .Values.placeholder }}" - - name: "WALLET__BASEADDRESS" - value: "{{ .Values.walletAddress }}" - - name: "WALLET__CLIENTID" - value: "{{ .Values.processesworker.wallet.clientId }}" - - name: "WALLET__CLIENTSECRET" - valueFrom: - secretKeyRef: - name: "{{ .Values.interfaces.secret }}" - key: "wallet-client-secret" - - name: "WALLET__GRANTTYPE" - value: "{{ .Values.processesworker.wallet.grantType }}" - - name: "WALLET__TOKENADDRESS" - value: "{{ .Values.walletTokenAddress }}" - - name: "WALLET__PASSWORD" - value: "{{ .Values.placeholder }}" - - name: "WALLET__SCOPE" - value: "{{ .Values.processesworker.wallet.scope }}" - - name: "WALLET__USERNAME" - value: "{{ .Values.placeholder }}" - - name: "WALLET__ENCRYPTIONCONFIG__ENCRYPTIONCONFIGINDEX" - 
value: "{{ .Values.processesworker.wallet.encryptionConfigIndex }}" - - name: "WALLET__ENCRYPTIONCONFIGS__0__INDEX" - value: "{{ .Values.processesworker.wallet.encryptionConfigs.index0.index}}" - - name: "WALLET__ENCRYPTIONCONFIGS__0__CIPHERMODE" - value: "{{ .Values.processesworker.wallet.encryptionConfigs.index0.cipherMode}}" - - name: "WALLET__ENCRYPTIONCONFIGS__0__PADDINGMODE" - value: "{{ .Values.processesworker.wallet.encryptionConfigs.index0.paddingMode}}" - - name: "WALLET__ENCRYPTIONCONFIGS__0__ENCRYPTIONKEY" - valueFrom: - secretKeyRef: - name: "{{ .Values.interfaces.secret }}" - key: "process-wallet-encryption-key0" - - name: "SERILOG__MINIMUMLEVEL__Default" - value: "{{ .Values.processesworker.logging.default }}" - - name: "PROCESSES__IDENTITYID" - value: "{{ .Values.processesworker.processIdentity.identityId }}" - ports: - - name: http - containerPort: {{ .Values.portContainer }} - protocol: TCP - resources: - {{- toYaml .Values.processesworker.resources | nindent 14 }} + template: + spec: + restartPolicy: OnFailure + containers: + - name: {{ include "issuer.fullname" . }}-{{ .Values.processesworker.name }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + image: "{{ .Values.processesworker.image.name }}:{{ .Values.processesworker.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: "{{ .Values.processesworker.imagePullPolicy }}" + env: + - name: DOTNET_ENVIRONMENT + value: "{{ .Values.dotnetEnvironment }}" + {{- if .Values.postgresql.enabled }} + - name: "ISSUER_PASSWORD" + valueFrom: + secretKeyRef: + name: "{{ .Values.postgresql.auth.existingSecret }}" + key: "issuer-password" + - name: "CONNECTIONSTRINGS__ISSUERDB" + value: "Server={{ template "issuer.postgresql.primary.fullname" . 
}};Database={{ .Values.postgresql.auth.database }};Port={{ .Values.postgresql.auth.port }};User Id={{ .Values.postgresql.auth.issuerUser }};Password=$(ISSUER_PASSWORD);Ssl Mode={{ .Values.dbConnection.sslMode }};" + {{- end }} + {{- if not .Values.postgresql.enabled }} + - name: "ISSUER_PASSWORD" + valueFrom: + secretKeyRef: + name: "{{ .Values.externalDatabase.secret }}" + key: "issuer-password" + - name: "CONNECTIONSTRINGS__ISSUERDB" + value: "Server={{ .Values.externalDatabase.host }};Database={{ .Values.externalDatabase.database }};Port={{ .Values.externalDatabase.port }};User Id={{ .Values.externalDatabase.issuerUser }};Password=$(ISSUER_PASSWORD);Ssl Mode={{ .Values.dbConnection.sslMode }};" + {{- end }} + - name: "PORTAL__CLIENTSECRET" + valueFrom: + secretKeyRef: + name: "{{ template "issuer.secretName" . }}" + key: "portal-client-secret" + - name: "PORTAL__GRANTTYPE" + value: "{{ .Values.processesworker.portal.grantType }}" + - name: "PORTAL__TOKENADDRESS" + value: "{{ .Values.centralidp.address }}{{ .Values.centralidp.tokenPath }}" + - name: "PORTAL__PASSWORD" + value: "empty" + - name: "PORTAL__SCOPE" + value: "{{ .Values.processesworker.portal.scope }}" + - name: "PORTAL__USERNAME" + value: "empty" + - name: "WALLET__BASEADDRESS" + value: "{{ .Values.walletAddress }}" + - name: "WALLET__CLIENTID" + value: "{{ .Values.processesworker.wallet.clientId }}" + - name: "WALLET__CLIENTSECRET" + valueFrom: + secretKeyRef: + name: "{{ template "issuer.secretName" . 
}}" + key: "wallet-client-secret" + - name: "WALLET__GRANTTYPE" + value: "{{ .Values.processesworker.wallet.grantType }}" + - name: "WALLET__TOKENADDRESS" + value: "{{ .Values.walletTokenAddress }}" + - name: "WALLET__PASSWORD" + value: "empty" + - name: "WALLET__SCOPE" + value: "{{ .Values.processesworker.wallet.scope }}" + - name: "WALLET__USERNAME" + value: "empty" + - name: "WALLET__ENCRYPTIONCONFIG__ENCRYPTIONCONFIGINDEX" + value: "{{ .Values.processesworker.wallet.encryptionConfigIndex }}" + - name: "WALLET__ENCRYPTIONCONFIGS__0__INDEX" + value: "{{ .Values.processesworker.wallet.encryptionConfigs.index0.index}}" + - name: "WALLET__ENCRYPTIONCONFIGS__0__CIPHERMODE" + value: "{{ .Values.processesworker.wallet.encryptionConfigs.index0.cipherMode}}" + - name: "WALLET__ENCRYPTIONCONFIGS__0__PADDINGMODE" + value: "{{ .Values.processesworker.wallet.encryptionConfigs.index0.paddingMode}}" + - name: "WALLET__ENCRYPTIONCONFIGS__0__ENCRYPTIONKEY" + valueFrom: + secretKeyRef: + name: "{{ template "issuer.secretName" . }}" + key: "process-wallet-encryption-key0" + - name: "SERILOG__MINIMUMLEVEL__Default" + value: "{{ .Values.processesworker.logging.default }}" + - name: "PROCESSES__IDENTITYID" + value: "{{ .Values.processesworker.processIdentity.identityId }}" + ports: + - name: http + containerPort: {{ .Values.portContainer }} + protocol: TCP + resources: + {{- toYaml .Values.processesworker.resources | nindent 14 }} diff --git a/charts/ssi-credential-issuer/templates/deployment-issuer-service.yaml b/charts/ssi-credential-issuer/templates/deployment-issuer-service.yaml index 9091ff8e..dba0cb92 100644 --- a/charts/ssi-credential-issuer/templates/deployment-issuer-service.yaml +++ b/charts/ssi-credential-issuer/templates/deployment-issuer-service.yaml 
@@ -21,7 +21,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "issuer.fullname" . }} - namespace: {{ .Values.namespace }} + namespace: {{ .Release.Namespace }} labels: {{- include "issuer.labels" . | nindent 4 }} spec: @@ -37,7 +37,7 @@ spec: {{- include "issuer.selectorLabels" . | nindent 8 }} spec: containers: - - name: {{ .Chart.Name }} + - name: {{ include "issuer.fullname" . }} securityContext: allowPrivilegeEscalation: false capabilities: @@ -45,7 +45,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "{{ .Values.issuer.image }}" + image: "{{ .Values.issuer.image.name }}:{{ .Values.issuer.image.tag | default .Chart.AppVersion }}" imagePullPolicy: "{{ .Values.issuer.imagePullPolicy }}" env: - name: DOTNET_ENVIRONMENT @@ -57,7 +57,7 @@ spec: name: "{{ template "issuer.postgresSecretName" . }}" key: "password" - name: "CONNECTIONSTRINGS__ISSUERDB" - value: "Server={{ template "postgresql.primary.fullname" . }};Database={{ .Values.postgresql.auth.database }};Port={{ .Values.postgresql.auth.port }};User Id={{ .Values.postgresql.auth.username }};Password=$(ISSUER_PASSWORD);Ssl Mode={{ .Values.dbConnection.sslMode }};" + value: "Server={{ template "issuer.postgresql.primary.fullname" . }};Database={{ .Values.postgresql.auth.database }};Port={{ .Values.postgresql.auth.port }};User Id={{ .Values.postgresql.auth.username }};Password=$(ISSUER_PASSWORD);Ssl Mode={{ .Values.dbConnection.sslMode }};" {{- end }} {{- if not .Values.postgresql.enabled }} - name: "ISSUER_PASSWORD" 
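Review bot: The new image reference at `@@ -45,7 +45,7 @@` can only be resolved by tag (`name:tag`, falling back to `.Chart.AppVersion`), so an operator has no way to pin the service image to a digest. The environment overrides elsewhere in this commit set moving tags such as `dev` and `rc` with `imagePullPolicy: "Always"`, so the running image can change without any change to the chart. Consider an optional digest value (a proposed new key, e.g. `issuer.image.digest`) that, when set, renders `name@<digest>` instead of `name:tag`. The same pattern appears in the job-issuer-migrations.yaml hunk at `@@ -41,7 +40,7 @@`. The container spec continues outside the hunk.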
@@ -69,24 +69,24 @@ spec: value: "Server={{ .Values.externalDatabase.host }};Database={{ .Values.externalDatabase.database }};Port={{ .Values.externalDatabase.port }};User Id={{ .Values.externalDatabase.username }};Password=$(ISSUER_PASSWORD);Ssl Mode={{ .Values.dbConnection.sslMode }};" {{- end }} - name: "HEALTHCHECKS__0__PATH" - value: "{{ .Values.healthChecks.startup.path}}" + value: "{{ .Values.issuer.healthChecks.startup.path}}" {{- if .Values.issuer.healthChecks.startup.tags }} {{- toYaml .Values.issuer.healthChecks.startup.tags | nindent 8 }} {{- end }} - name: "HEALTHCHECKS__1__PATH" - value: "{{ .Values.healthChecks.readyness.path}}" + value: "{{ .Values.issuer.healthChecks.readyness.path}}" - name: "HEALTHCHECKS__2__PATH" - value: "{{ .Values.healthChecks.liveness.path}}" + value: "{{ .Values.issuer.healthChecks.liveness.path}}" - name: "JWTBEAREROPTIONS__METADATAADDRESS" - value: "{{ .Values.centralidpAddress }}{{ .Values.keycloak.central.jwtBearerOptions.metadataPath }}" + value: "{{ .Values.centralidp.address }}{{ .Values.centralidp.jwtBearerOptions.metadataPath }}" - name: "JWTBEAREROPTIONS__REQUIREHTTPSMETADATA" - value: "{{ .Values.keycloak.central.jwtBearerOptions.requireHttpsMetadata }}" + value: "{{ .Values.centralidp.jwtBearerOptions.requireHttpsMetadata }}" - name: "JWTBEAREROPTIONS__TOKENVALIDATIONPARAMETERS__VALIDAUDIENCE" - value: "{{ .Values.keycloak.central.jwtBearerOptions.tokenValidationParameters.validAudience }}" + value: "{{ .Values.centralidp.jwtBearerOptions.tokenValidationParameters.validAudience }}" - name: "JWTBEAREROPTIONS__TOKENVALIDATIONPARAMETERS__VALIDISSUER" - value: "{{ .Values.centralidpAddress }}{{ .Values.keycloak.central.jwtBearerOptions.tokenValidationParameters.validIssuerPath }}" + value: "{{ .Values.centralidp.address }}{{ .Values.centralidp.jwtBearerOptions.tokenValidationParameters.validIssuerPath }}" - name: "JWTBEAREROPTIONS__REFRESHINTERVAL" - value: "{{ 
.Values.keycloak.central.jwtBearerOptions.refreshInterval }}" + value: "{{ .Values.centralidp.jwtBearerOptions.refreshInterval }}" - name: "SERILOG__MINIMUMLEVEL__Default" value: "{{ .Values.issuer.logging.default }}" - name: "SERILOG__MINIMUMLEVEL__OVERRIDE__Org.Eclipse.TractusX.SsiCredentialIssuer.Service" @@ -96,18 +96,18 @@ spec: - name: "PORTAL__CLIENTSECRET" valueFrom: secretKeyRef: - name: "{{ .Values.interfaces.secret }}" + name: "{{ template "issuer.secretName" . }}" key: "portal-client-secret" - name: "PORTAL__GRANTTYPE" value: "{{ .Values.issuer.portal.grantType }}" - name: "PORTAL__TOKENADDRESS" - value: "{{ .Values.centralidpAddress }}{{ .Values.keycloak.central.tokenPath }}" + value: "{{ .Values.centralidp.address }}{{ .Values.centralidp.tokenPath }}" - name: "PORTAL__PASSWORD" - value: "{{ .Values.placeholder }}" + value: "empty" - name: "PORTAL__SCOPE" value: "{{ .Values.issuer.portal.scope }}" - name: "PORTAL__USERNAME" - value: "{{ .Values.placeholder }}" + value: "empty" - name: "CREDENTIAL__ENCRYPTIONCONFIG__ENCRYPTIONCONFIGINDEX" value: "{{ .Values.issuer.credential.encryptionConfigIndex }}" - name: "CREDENTIAL__ENCRYPTIONCONFIGS__0__INDEX" @@ -119,7 +119,7 @@ spec: - name: "CREDENTIAL__ENCRYPTIONCONFIGS__0__ENCRYPTIONKEY" valueFrom: secretKeyRef: - name: "{{ .Values.interfaces.secret }}" + name: "{{ template "issuer.secretName" . }}" key: "credential-encryption-key0" ports: - name: http @@ -127,7 +127,7 @@ spec: protocol: TCP startupProbe: httpGet: - path: {{ .Values.healthChecks.startup.path }} + path: {{ .Values.issuer.healthChecks.startup.path }} port: {{ .Values.portContainer }} scheme: HTTP initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }} 
@@ -137,7 +137,7 @@ spec: failureThreshold: {{ .Values.startupProbe.failureThreshold }} livenessProbe: httpGet: - path: {{ .Values.healthChecks.liveness.path }} + path: {{ .Values.issuer.healthChecks.liveness.path }} port: {{ .Values.portContainer }} scheme: HTTP initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} @@ -147,7 +147,7 @@ spec: failureThreshold: {{ .Values.livenessProbe.failureThreshold }} readinessProbe: httpGet: - path: {{ .Values.healthChecks.readyness.path }} + path: {{ .Values.issuer.healthChecks.readyness.path }} port: {{ .Values.portContainer }} scheme: HTTP initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} @@ -156,7 +156,7 @@ spec: successThreshold: {{ .Values.readinessProbe.successThreshold }} failureThreshold: {{ .Values.readinessProbe.failureThreshold }} resources: - {{- toYaml .Values.policyhub.resources | nindent 10 }} + {{- toYaml .Values.issuer.resources | nindent 10 }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/ssi-credential-issuer/templates/job-issuer-migrations.yaml b/charts/ssi-credential-issuer/templates/job-issuer-migrations.yaml index 483942d7..fa831dc1 100644 --- a/charts/ssi-credential-issuer/templates/job-issuer-migrations.yaml +++ b/charts/ssi-credential-issuer/templates/job-issuer-migrations.yaml @@ -20,7 +20,7 @@ apiVersion: batch/v1 kind: Job metadata: - name: {{ include "issuer.fullname" . }}-migrations + name: {{ include "issuer.fullname" . }}-{{ .Values.issuermigrations.name }} annotations: "batch.kubernetes.io/job-tracking": "true" "helm.sh/hook": post-install,post-upgrade 
@@ -28,12 +28,11 @@ metadata: spec: template: metadata: - labels: - {{- include "issuer.selectorLabels" . | nindent 8 }} + name: {{ include "issuer.fullname" . }}-{{ .Values.issuermigrations.name }} spec: restartPolicy: Never containers: - - name: {{ include "issuer.fullname" . }}-migrations + - name: {{ include "issuer.fullname" . }}-{{ .Values.issuermigrations.name }} securityContext: allowPrivilegeEscalation: false capabilities: @@ -41,7 +40,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - image: "{{ .Values.issuermigrations.image }}" + image: "{{ .Values.issuermigrations.image.name }}:{{ .Values.issuermigrations.image.tag | default .Chart.AppVersion }}" imagePullPolicy: "{{ .Values.issuermigrations.imagePullPolicy }}" env: - name: DOTNET_ENVIRONMENT @@ -53,7 +52,7 @@ spec: name: "{{ template "issuer.postgresSecretName" . }}" key: "password" - name: "CONNECTIONSTRINGS__ISSUERDB" - value: "Server={{ template "postgresql.primary.fullname" . }};Database={{ .Values.postgresql.auth.database }};Port={{ .Values.postgresql.auth.port }};User Id={{ .Values.postgresql.auth.username }};Password=$(ISSUER_PASSWORD);Ssl Mode={{ .Values.dbConnection.sslMode }};" + value: "Server={{ template "issuer.postgresql.primary.fullname" . }};Database={{ .Values.postgresql.auth.database }};Port={{ .Values.postgresql.auth.port }};User Id={{ .Values.postgresql.auth.username }};Password=$(ISSUER_PASSWORD);Ssl Mode={{ .Values.dbConnection.sslMode }};" {{- end }} {{- if not .Values.postgresql.enabled }} - name: "ISSUER_PASSWORD" diff --git a/charts/ssi-credential-issuer/templates/secret-postgres.yaml b/charts/ssi-credential-issuer/templates/secret-postgres.yaml index 62c6cf82..c1058572 100644 --- a/charts/ssi-credential-issuer/templates/secret-postgres.yaml +++ b/charts/ssi-credential-issuer/templates/secret-postgres.yaml 
@@ -32,14 +32,14 @@ data: # if secret exists, use value provided from values file (to cover update scenario) or existing value from secret # use data map instead of stringData to prevent base64 encoding of already base64-encoded existing value from secret # use index function for secret keys with hyphen otherwise '$secret.data.secretKey' works too - postgres-password: {{ ( .Values.secrets.postgresql.auth.existingSecret.postgrespassword | b64enc ) | default ( index $secret.data "postgres-password" ) | quote }} - password: {{ ( .Values.secrets.postgresql.auth.existingSecret.password | b64enc ) | default $secret.data.password | quote }} - replication-password: {{ ( .Values.secrets.postgresql.auth.existingSecret.replicationPassword | b64enc ) | default ( index $secret.data "replication-password" ) | quote}} + postgres-password: {{ ( .Values.postgresql.auth.postgrespassword | b64enc ) | default ( index $secret.data "postgres-password" ) | quote }} + password: {{ ( .Values.postgresql.auth.password | b64enc ) | default $secret.data.password | quote }} + replication-password: {{ ( .Values.postgresql.auth.replicationPassword | b64enc ) | default ( index $secret.data "replication-password" ) | quote}} {{ else -}} stringData: # if secret doesn't exist, use provided value from values file or generate a random one - postgres-password: {{ .Values.secrets.postgresql.auth.existingSecret.postgrespassword | default ( randAlphaNum 32 ) | quote }} - password: {{ .Values.secrets.postgresql.auth.existingSecret.password | default ( randAlphaNum 32 ) | quote }} - replication-password: {{ .Values.secrets.postgresql.auth.existingSecret.replicationPassword | default ( randAlphaNum 32 ) | quote }} + postgres-password: {{ .Values.postgresql.auth.postgrespassword | default ( randAlphaNum 32 ) | quote }} + password: {{ .Values.postgresql.auth.password | default ( randAlphaNum 32 ) | quote }} + replication-password: {{ .Values.postgresql.auth.replicationPassword | default ( randAlphaNum 32 ) | 
quote }} {{ end }} {{- end -}} diff --git a/charts/ssi-credential-issuer/templates/secret-interfaces.yaml b/charts/ssi-credential-issuer/templates/secret.yaml similarity index 63% rename from charts/ssi-credential-issuer/templates/secret-interfaces.yaml rename to charts/ssi-credential-issuer/templates/secret.yaml index 07b7e859..e3315e49 100644 --- a/charts/ssi-credential-issuer/templates/secret-interfaces.yaml +++ b/charts/ssi-credential-issuer/templates/secret.yaml 
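Review bot: The `stringData` branch generates fresh random passwords whenever `lookup` finds no secret, and that is not limited to a first install: Helm's `lookup` returns an empty result under `helm template` and client-side dry-run, which is presumably how the Argo CD application templates in this repository render the chart. The environment files in this commit set `postgresql.auth.password: ""`, so unless real values are injected at sync time, each such render could emit passwords that no longer match the initialised database. I would add a comment above `stringData:` such as `# lookup is empty under 'helm template' / client-side dry-run; set postgresql.auth.* explicitly when rendering without cluster access`. The enclosing `if`/`else` block starts outside the hunk.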
@@ -1,32 +1,34 @@ -############################################################### -# Copyright (c) 2024 Contributors to the Eclipse Foundation -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0. -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################### +{{- /* +* Copyright (c) 2024 Contributors to the Eclipse Foundation +* +* See the NOTICE file(s) distributed with this work for additional +* information regarding copyright ownership. +* +* This program and the accompanying materials are made available under the +* terms of the Apache License, Version 2.0 which is available at +* https://www.apache.org/licenses/LICENSE-2.0. +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +* License for the specific language governing permissions and limitations +* under the License. +* +* SPDX-License-Identifier: Apache-2.0 +*/}} +{{- if not .Values.existingSecret }} +{{- $secretName := include "issuer.secretName" . -}} apiVersion: v1 kind: Secret metadata: - name: {{ .Values.interfaces.secret }} + name: {{ include "issuer.secretName" . }} namespace: {{ .Release.Namespace }} labels: - {{- include "portal.labels" . | nindent 4 }} + {{- include "issuer.labels" . 
| nindent 4 }} type: Opaque # use lookup function to check if secret exists -{{- $secret := (lookup "v1" "Secret" .Release.Namespace .Values.interfaces.secret) }} +{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) }} {{ if $secret -}} data: # if secret exists, use value provided from values file (to cover update scenario) or existing value from secret or generate a random one (if keys are added later on) @@ -41,6 +43,7 @@ stringData: # if secret doesn't exist, use provided value from values file or generate a random one portal-client-secret: {{ .Values.processesworker.portal.clientSecret | default ( randAlphaNum 32 ) | quote }} wallet-client-secret: {{ .Values.processesworker.wallet.clientSecret | default ( randAlphaNum 32 ) | quote }} - credential-encryption-key0: {{ .Values.service.credential.encryptionConfigs.index0.encryptionKey | default ( randAlphaNum 32 ) | quote }} + credential-encryption-key0: {{ .Values.issuer.credential.encryptionConfigs.index0.encryptionKey | default ( randAlphaNum 32 ) | quote }} process-wallet-encryption-key0: {{ .Values.processesworker.wallet.encryptionConfigs.index0.encryptionKey | default ( randAlphaNum 32 ) | quote }} {{ end }} +{{- end -}} diff --git a/charts/ssi-credential-issuer/templates/service-credential-issuer.yaml b/charts/ssi-credential-issuer/templates/service-credential-issuer.yaml index 58a131e3..1adab307 100644 --- a/charts/ssi-credential-issuer/templates/service-credential-issuer.yaml +++ b/charts/ssi-credential-issuer/templates/service-credential-issuer.yaml @@ -21,7 +21,7 @@ apiVersion: v1 kind: Service metadata: name: {{ include "issuer.fullname" . }} - namespace: {{ .Values.namespace }} + namespace: {{ .Release.Namespace }} labels: {{- include "issuer.labels" . | nindent 4 }} spec: diff --git a/charts/ssi-credential-issuer/values.yaml b/charts/ssi-credential-issuer/values.yaml index 14703db5..87e1b09b 100644 --- a/charts/ssi-credential-issuer/values.yaml 
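Review bot: Once `existingSecret` is set this template renders nothing, but no comment here states which keys the pre-created secret has to contain. The workloads in this commit read `portal-client-secret`, `wallet-client-secret`, `credential-encryption-key0` and `process-wallet-encryption-key0` through `secretKeyRef`, so a secret missing one of them would only surface as a pod that fails to start. I would add a template comment above the `if`, like `{{- /* existingSecret must provide: portal-client-secret, wallet-client-secret, credential-encryption-key0, process-wallet-encryption-key0 */ -}}`. This assumes the `issuer.secretName` helper, which is not shown here, resolves to `existingSecret` when it is set.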
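Review bot: The fallback `randAlphaNum 32` on the changed `credential-encryption-key0` line does not produce the key format that values.yaml documents for the sibling wallet key, "256 bit (64 digits) hex", which presumably applies to this key as well. A 32-character alphanumeric string is neither 64 characters long nor restricted to hex digits, so the service may reject it or run with a key the operator never chose; which of the two happens depends on application code not shown here. Failing the render is safer than guessing, e.g. `credential-encryption-key0: {{ required "issuer.credential.encryptionConfigs.index0.encryptionKey is required (64 hex digits)" .Values.issuer.credential.encryptionConfigs.index0.encryptionKey | quote }}`. The unchanged `process-wallet-encryption-key0` line has the same fallback, and the `stringData` block starts outside the hunk.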
+++ b/charts/ssi-credential-issuer/values.yaml 
@@ -17,84 +17,32 @@ # SPDX-License-Identifier: Apache-2.0 ############################################################### -# -- Provide centralidp base address (CX IAM), without trailing '/auth'. -centralidpAddress: "https://centralidp.example.org" - -ingress: - # -- SSI Credential Issuer ingress parameters, - # enable ingress record generation for ssi-credential-issuer. - enabled: false - name: "ssi-credential-issuer" - className: "nginx" - annotations: - nginx.ingress.kubernetes.io/use-regex: "true" - nginx.ingress.kubernetes.io/enable-cors: "true" - nginx.ingress.kubernetes.io/proxy-body-size: "8m" - # -- Provide CORS allowed origin. - nginx.ingress.kubernetes.io/cors-allow-origin: "https://*.example.org" - tls: - # -- Provide tls secret. - - secretName: "" - # -- Provide host for tls secret. - hosts: - - "ssi-credential-issuer.example.org" - hosts: - # -- Provide default path for the ingress record. - - host: "ssi-credential-issuer.example.org" - paths: - - path: "/api/issuer" - pathType: "Prefix" - backend: - port: 8080 -dotnetEnvironment: "Production" -dbConnection: - schema: "issuer" - sslMode: "Disable" - -placeholder: "empty" - -keycloak: - central: - authRealm: "CX-Central" - jwtBearerOptions: - requireHttpsMetadata: "true" - metadataPath: "/auth/realms/CX-Central/.well-known/openid-configuration" - tokenValidationParameters: - validIssuerPath: "/auth/realms/CX-Central" - # -- TODO: Add Client - validAudience: "ClXX-CX-SSI" - refreshInterval: "00:00:30" - tokenPath: "/auth/realms/CX-Central/protocol/openid-connect/token" - # -- Flag if the api should be used with an leading /auth path - useAuthTrail: true -healthChecks: - startup: - path: "/health/startup" - liveness: - path: "/healthz" - readyness: - path: "/ready" - issuer: - image: "docker.io/tractusx/credential-issuer-service:0.1.0-rc.1" + image: + name: "docker.io/tractusx/credential-issuer-service" + tag: "" imagePullPolicy: "IfNotPresent" - # -- We recommend not to specify default resource limits 
and to leave this as a conscious choice for the user. - # If you do want to specify resource limits, uncomment the following lines and adjust them as necessary. + # -- We recommend to review the default resource limits as this should a conscious choice. resources: requests: cpu: 15m - memory: 300M - # limits: - # cpu: 45m - # memory: 400M + memory: 400M + limits: + cpu: 45m + memory: 400M logging: businessLogic: "Information" default: "Information" healthChecks: startup: + path: "/health/startup" tags: - name: "HEALTHCHECKS__0__TAGS__1" value: "issuerdb" + liveness: + path: "/healthz" + readyness: + path: "/ready" swaggerEnabled: false portal: scope: "openid" @@ -116,17 +64,19 @@ issuer: encryptionKey: "" issuermigrations: - image: "docker.io/tractusx/credential-issuer-migrations:0.1.0-rc.1" + name: "migrations" + image: + name: "docker.io/tractusx/credential-issuer-migrations" + tag: "" imagePullPolicy: "IfNotPresent" - # -- We recommend not to specify default resource limits and to leave this as a conscious choice for the user. - # If you do want to specify resource limits, uncomment the following lines and adjust them as necessary. + # -- We recommend to review the default resource limits as this should a conscious choice. resources: requests: cpu: 15m memory: 105M - # limits: - # cpu: 45m - # memory: 105M + limits: + cpu: 45m + memory: 105M seeding: testDataEnvironments: "" testDataPaths: "Seeder/Data" 
@@ -134,17 +84,19 @@ issuermigrations: default: "Information" processesworker: - image: "docker.io/tractusx/credential-issuer-processes-worker:0.1.0-rc.1" + name: "processesworker" + image: + name: "docker.io/tractusx/credential-issuer-processes-worker" + tag: "" imagePullPolicy: "IfNotPresent" - # -- We recommend not to specify default resource limits and to leave this as a conscious choice for the user. - # If you do want to specify resource limits, uncomment the following lines and adjust them as necessary. + # -- We recommend to review the default resource limits as this should a conscious choice. resources: requests: cpu: 15m memory: 105M - # limits: - # cpu: 45m - # memory: 105M + limits: + cpu: 45m + memory: 105M logging: default: "Information" portal: @@ -173,18 +125,20 @@ processesworker: # Expected format is 256 bit (64 digits) hex. encryptionKey: "" -credentialexpiry: - image: "docker.io/tractusx/credential-expiry-app:0.1.0-rc.1" +credentialExpiry: + name: "expiry" + image: + name: "docker.io/tractusx/credential-expiry-app" + tag: "" imagePullPolicy: "IfNotPresent" - # -- We recommend not to specify default resource limits and to leave this as a conscious choice for the user. - # If you do want to specify resource limits, uncomment the following lines and adjust them as necessary. + # -- We recommend to review the default resource limits as this should a conscious choice. resources: requests: cpu: 15m memory: 105M - # limits: - # cpu: 45m - # memory: 105M + limits: + cpu: 45m + memory: 105M processIdentity: identityId: d21d2e8a-fe35-483c-b2b8-4100ed7f0953 logging: 
@@ -193,6 +147,59 @@ credentialexpiry: expiredVcsToDeleteInMonth: 12 inactiveVcsToDeleteInWeeks: 12 +# -- Secret containing the client-secrets for the connection to portal and wallet +# as well as encryptionKeys for issuer.credential and processesworker.wallet +existingSecret: "" + +dotnetEnvironment: "Production" + +centralidp: + # -- Provide centralidp base address (CX IAM), without trailing '/auth'. + address: "https://centralidp.example.org" + authRealm: "CX-Central" + jwtBearerOptions: + requireHttpsMetadata: "true" + metadataPath: "/auth/realms/CX-Central/.well-known/openid-configuration" + tokenValidationParameters: + validIssuerPath: "/auth/realms/CX-Central" + # -- TODO: Add Client + validAudience: "ClXX-CX-SSI" + refreshInterval: "00:00:30" + tokenPath: "/auth/realms/CX-Central/protocol/openid-connect/token" + # -- Flag if the api should be used with an leading /auth path + useAuthTrail: true + +ingress: + # -- SSI Credential Issuer ingress parameters, + # enable ingress record generation for ssi-credential-issuer. + enabled: false + # className: "nginx" + ## Optional annotations when using the nginx ingress class + # annotations: + # nginx.ingress.kubernetes.io/use-regex: "true" + # nginx.ingress.kubernetes.io/enable-cors: "true" + # nginx.ingress.kubernetes.io/proxy-body-size: "8m" + # # -- Provide CORS allowed origin. + # nginx.ingress.kubernetes.io/cors-allow-origin: "https://*.example.org" + tls: + # -- Provide tls secret. + - secretName: "" + # -- Provide host for tls secret. + hosts: + - "" + hosts: + # -- Provide default path for the ingress record. + - host: "" + paths: + - path: "/api/issuer" + pathType: "Prefix" + backend: + port: 8080 + +dbConnection: + schema: "issuer" + sslMode: "Disable" + postgresql: # -- PostgreSQL chart configuration; # default configurations: 
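Review bot: `dbConnection.sslMode` is re-added in this hunk with the default `"Disable"`, so every connection string the templates build carries `Ssl Mode=Disable` and the database password travels unencrypted unless an operator overrides it. That may be acceptable for the bundled in-cluster PostgreSQL, but the same value is used in the `externalDatabase` connection string, where traffic may leave the cluster. At minimum I would document it next to the key, e.g. `# -- Disable is only appropriate for the bundled in-cluster database; use Require or stricter with externalDatabase`, and consider a stricter default.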
@@ -200,6 +207,11 @@ postgresql: # port: 5432; # Switch to enable or disable the PostgreSQL helm chart. enabled: true + # -- Setting image tag to major to get latest minor updates + image: + tag: "15-debian-12" + commonLabels: + app.kubernetes.io/version: "15" auth: # -- Non-root username. username: issuer @@ -208,6 +220,12 @@ postgresql: # -- Secret containing the passwords for root usernames postgres and non-root username issuer. # Should not be changed without changing the "issuer-postgresSecretName" template as well. existingSecret: "{{ .Release.Name }}-issuer-postgres" + # -- Password for the root username 'postgres'. Secret-key 'postgres-password'. + postgrespassword: "" + # -- Password for the non-root username 'issuer'. Secret-key 'password'. + password: "" + # -- Password for the non-root username 'repl_user'. Secret-key 'replication-password'. + replicationPassword: "" architecture: replication audit: pgAuditLog: "write, ddl" @@ -241,21 +259,6 @@ externalDatabase: # -- Name of an existing secret key containing the database credentials. existingSecretPasswordKey: "password" -secrets: - postgresql: - auth: - existingSecret: - # -- Password for the root username 'postgres'. Secret-key 'postgres-password'. - postgrespassword: "" - # -- Password for the non-root username 'issuer'. Secret-key 'password'. - password: "" - # -- Password for the non-root username 'repl_user'. Secret-key 'replication-password'. - replicationPassword: "" - -interfaces: - # -- Secret containing the client-secrets for the connection to portal and wallet. - secret: "secret-interfaces" - portContainer: 8080 portService: 8080 diff --git a/consortia/argocd-app-templates/appsetup-int.yaml b/consortia/argocd-app-templates/appsetup-int.yaml index 4935920b..45a42a45 100644 --- a/consortia/argocd-app-templates/appsetup-int.yaml +++ b/consortia/argocd-app-templates/appsetup-int.yaml 
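Review bot: The three password keys added at `@@ -208,6 +220,12 @@` are spelled inconsistently (`postgrespassword` next to `replicationPassword`), and they now live in the `postgresql` value tree that Helm also passes to the PostgreSQL subchart. If that dependency is the Bitnami chart, its own key is `auth.postgresPassword`, so an operator who uses the subchart's spelling would have the value ignored by secret-postgres.yaml and get a generated password instead. I would rename the key to `postgresPassword` (updating secret-postgres.yaml and the environment files with it), or state in the comment that the all-lowercase spelling is required.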
@@ -28,7 +28,7 @@ spec: source: path: charts/ssi-credential-issuer repoURL: 'https://github.com/eclipse-tractusx/ssi-credential-issuer.git' - targetRevision: ssi-credential-issuer-0.1.0-rc.1 + targetRevision: ssi-credential-issuer-1.0.0-rc.1 plugin: env: - name: AVP_SECRET diff --git a/consortia/argocd-app-templates/appsetup-pen.yaml b/consortia/argocd-app-templates/appsetup-pen.yaml index d0080389..b869af9b 100644 --- a/consortia/argocd-app-templates/appsetup-pen.yaml +++ b/consortia/argocd-app-templates/appsetup-pen.yaml @@ -28,7 +28,7 @@ spec: source: path: charts/ssi-credential-issuer repoURL: 'https://github.com/eclipse-tractusx/ssi-credential-issuer.git' - targetRevision: ssi-credential-issuer-0.1.0-rc.1 + targetRevision: ssi-credential-issuer-1.0.0-rc.1 plugin: env: - name: AVP_SECRET diff --git a/consortia/argocd-app-templates/appsetup-stable.yaml b/consortia/argocd-app-templates/appsetup-stable.yaml index 431a5c5b..6152c557 100644 --- a/consortia/argocd-app-templates/appsetup-stable.yaml +++ b/consortia/argocd-app-templates/appsetup-stable.yaml @@ -29,7 +29,7 @@ spec: source: path: '' repoURL: 'https://eclipse-tractusx.github.io/charts/dev' - targetRevision: ssi-credential-issuer-0.1.0-rc.1 + targetRevision: ssi-credential-issuer-1.0.0-rc.1 plugin: env: - name: HELM_VALUES diff --git a/consortia/environments/values-beta.yaml b/consortia/environments/values-beta.yaml index d6daf091..bebf34e2 100644 --- a/consortia/environments/values-beta.yaml +++ b/consortia/environments/values-beta.yaml @@ -17,8 +17,6 @@ # SPDX-License-Identifier: Apache-2.0 ############################################################### -centralidpAddress: "https://centralidp.beta.demo.catena-x.net" - ingress: enabled: true className: "nginx" 
@@ -54,10 +52,14 @@ credentialexpiry: logging: default: "Debug" -secrets: - postgresql: - auth: - existingSecret: - postgrespassword: "" - password: "" - replicationPassword: "" +centralidp: + address: "https://centralidp.beta.demo.catena-x.net" + jwtBearerOptions: + tokenValidationParameters: + validAudience: "ClXX-CX-ISSUER" + +postgresql: + auth: + postgrespassword: "" + password: "" + replicationPassword: "" diff --git a/consortia/environments/values-dev.yaml b/consortia/environments/values-dev.yaml index 71435d3a..bc9331b8 100644 --- a/consortia/environments/values-dev.yaml +++ b/consortia/environments/values-dev.yaml @@ -17,8 +17,6 @@ # SPDX-License-Identifier: Apache-2.0 ############################################################### -centralidpAddress: "https://centralidp.dev.demo.catena-x.net" - ingress: enabled: true className: "nginx" @@ -39,39 +37,41 @@ ingress: backend: port: 8080 -keycloak: - central: - jwtBearerOptions: - tokenValidationParameters: - validAudience: "ClXX-CX-ISSUER" - issuer: - image: "docker.io/tractusx/ssi-credential-issuer-service:dev" + image: + tag: "dev" imagePullPolicy: "Always" swaggerEnabled: true issuermigrations: - image: "docker.io/tractusx/ssi-credential-issuer-migrations:dev" + image: + tag: "dev" imagePullPolicy: "Always" logging: default: "Debug" processesworker: - image: "docker.io/tractusx/ssi-credential-issuer-processes-worker:dev" + image: + tag: "dev" imagePullPolicy: "Always" logging: default: "Debug" credentialexpiry: - image: "docker.io/tractusx/ssi-credential-expiry-app:dev" + image: + tag: "dev" imagePullPolicy: "Always" logging: default: "Debug" -secrets: - postgresql: - auth: - existingSecret: - postgrespassword: "" - password: "" - replicationPassword: "" +centralidp: + address: "https://centralidp.dev.demo.catena-x.net" + jwtBearerOptions: + tokenValidationParameters: + validAudience: "ClXX-CX-ISSUER" + +postgresql: + auth: + postgrespassword: "" + password: "" + replicationPassword: "" 
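Review bot: The `credentialexpiry:` key kept as context in the values-dev.yaml hunk at `@@ -39,39 +37,41 @@` no longer matches the chart, because values.yaml in this commit renames it to `credentialExpiry` and the chart-test workflow already sets `credentialExpiry.image.tag`. Helm value keys are case-sensitive, so, assuming the expiry template follows the rename, `image.tag: "dev"`, `imagePullPolicy: "Always"` and the `Debug` log level under the old spelling would be silently ignored and the expiry app would run with chart defaults. Rename the key to `credentialExpiry:` here. values-rc.yaml has the same block with `tag: "rc"`, and values-beta.yaml, values-int.yaml and values-pen.yaml carry `credentialexpiry:` logging overrides.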
diff --git a/consortia/environments/values-int.yaml b/consortia/environments/values-int.yaml index 591f698f..b7d99614 100644 --- a/consortia/environments/values-int.yaml +++ b/consortia/environments/values-int.yaml @@ -17,9 +17,6 @@ # SPDX-License-Identifier: Apache-2.0 ############################################################### - -centralidpAddress: "https://centralidp.int.demo.catena-x.net" - ingress: enabled: true className: "nginx" @@ -40,12 +37,6 @@ ingress: backend: port: 8080 -keycloak: - central: - jwtBearerOptions: - tokenValidationParameters: - validAudience: "ClXX-CX-Issuer" - issuer: swaggerEnabled: true @@ -61,10 +52,14 @@ credentialexpiry: logging: default: "Debug" -secrets: - postgresql: - auth: - existingSecret: - postgrespassword: "" - password: "" - replicationPassword: "" +centralidp: + address: "https://centralidp.int.demo.catena-x.net" + jwtBearerOptions: + tokenValidationParameters: + validAudience: "ClXX-CX-ISSUER" + +postgresql: + auth: + postgrespassword: "" + password: "" + replicationPassword: "" diff --git a/consortia/environments/values-pen.yaml b/consortia/environments/values-pen.yaml index 2d364dfd..98f162a4 100644 --- a/consortia/environments/values-pen.yaml +++ b/consortia/environments/values-pen.yaml @@ -17,8 +17,6 @@ # SPDX-License-Identifier: Apache-2.0 ############################################################### -centralidpAddress: "https://centralidp-pen.dev.demo.catena-x.net" - ingress: enabled: true className: "nginx" @@ -54,10 +52,14 @@ credentialexpiry: logging: default: "Debug" -secrets: - postgresql: - auth: - existingSecret: - postgrespassword: "" - password: "" - replicationPassword: "" +centralidp: + address: "https://centralidp-pen.dev.demo.catena-x.net" + jwtBearerOptions: + tokenValidationParameters: + validAudience: "ClXX-CX-ISSUER" + +postgresql: + auth: + postgrespassword: "" + password: "" + replicationPassword: "" 
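Review bot: `validAudience` for INT changes from `ClXX-CX-Issuer` to `ClXX-CX-ISSUER` as the block moves under `centralidp` at `@@ -61,10 +52,14 @@`, and nothing in the commit indicates that the identity-provider client was renamed. Audience checks in JWT validation are normally an exact, case-sensitive string match, so if the INT client id is still spelled `ClXX-CX-Issuer`, every token would be rejected. Please confirm the client id in the INT realm and keep `validAudience: "ClXX-CX-Issuer"` if it is unchanged. values-beta.yaml and values-pen.yaml gain the same `ClXX-CX-ISSUER` override in this commit, where the chart default applied before.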
diff --git a/consortia/environments/values-rc.yaml b/consortia/environments/values-rc.yaml index d620f21a..9c1618f8 100644 --- a/consortia/environments/values-rc.yaml +++ b/consortia/environments/values-rc.yaml @@ -17,8 +17,6 @@ # SPDX-License-Identifier: Apache-2.0 ############################################################### -centralidpAddress: "https://centralidp-rc.dev.demo.catena-x.net" - ingress: enabled: true className: "nginx" @@ -40,32 +38,40 @@ ingress: port: 8080 issuer: - image: "docker.io/tractusx/ssi-credential-issuer-service:rc" + image: + tag: "rc" imagePullPolicy: "Always" swaggerEnabled: true issuermigrations: - image: "docker.io/tractusx/ssi-credential-issuer-migrations:rc" + image: + tag: "rc" imagePullPolicy: "Always" logging: default: "Debug" processesworker: - image: "docker.io/tractusx/ssi-credential-issuer-processes-worker:rc" + image: + tag: "rc" imagePullPolicy: "Always" logging: default: "Debug" credentialexpiry: - image: "docker.io/tractusx/ssi-credential-expiry-app:rc" + image: + tag: "rc" imagePullPolicy: "Always" logging: default: "Debug" -secrets: - postgresql: - auth: - existingSecret: - postgrespassword: "" - password: "" - replicationPassword: "" +centralidp: + address: "https://centralidp.dev.demo.catena-x.net" + jwtBearerOptions: + tokenValidationParameters: + validAudience: "ClXX-CX-ISSUER" + +postgresql: + auth: + postgrespassword: "" + password: "" + replicationPassword: "" diff --git a/consortia/environments/values-upgrade.yaml b/consortia/environments/values-upgrade.yaml deleted file mode 100644 index 6acf1c37..00000000 --- a/consortia/environments/values-upgrade.yaml +++ /dev/null 
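Review bot: The added `centralidp.address` at `@@ -40,32 +38,40 @@` points the RC environment at `https://centralidp.dev.demo.catena-x.net`, while the line this commit removes was `centralidpAddress: "https://centralidp-rc.dev.demo.catena-x.net"`. That value feeds the JWT metadata address, the valid issuer and the portal token address in the deployment template, so RC would validate tokens against the dev identity provider and request its own tokens there. Unless the switch is intended, keep the RC host: `address: "https://centralidp-rc.dev.demo.catena-x.net"`.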
@@ -1,28 +0,0 @@ -############################################################### -# Copyright (c) 2024 Contributors to the Eclipse Foundation -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0. -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -############################################################### - -replicaCount: 0 - -secrets: - postgresql: - auth: - existingSecret: - postgrespassword: "" - password: "" - replicationPassword: "" diff --git a/src/Directory.Build.props b/src/Directory.Build.props index 8f19d9c4..ae93adb6 100644 --- a/src/Directory.Build.props +++ b/src/Directory.Build.props @@ -19,7 +19,7 @@ - 0.1.0 + 1.0.0 rc.1