From c713c2b6ca87a5f9ad891025de285e093cc90369 Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 27 Jun 2022 14:15:32 +0200 Subject: [PATCH] Release version 0.0.4 (#230) --- .github/dependabot.yml | 13 +- .github/workflows/build.yaml | 330 ++++++++++------ .github/workflows/checkov.yaml | 51 +++ .github/workflows/draft-new-release.yaml | 14 +- .github/workflows/helm-lint.yaml | 2 +- .github/workflows/publish-new-release.yml | 131 ++++--- .github/workflows/trivy.yaml | 211 +++++++++++ .mvn/jvm.config | 1 + CHANGELOG.md | 20 +- NOTICE.md | 48 ++- README.md | 16 +- checkov.yaml | 9 + deployment/helm/README.md | 2 +- deployment/helm/edc-controlplane/.helmignore | 2 + deployment/helm/edc-controlplane/Chart.yaml | 4 +- deployment/helm/edc-controlplane/README.md | 22 +- .../helm/edc-controlplane/README.md.gotmpl | 2 +- .../templates/configmap-env.yaml | 1 + .../edc-controlplane/templates/configmap.yaml | 1 + .../templates/deployment.yaml | 6 +- .../helm/edc-controlplane/templates/hpa.yaml | 1 + .../templates/imagepullsecret.yaml | 1 + .../edc-controlplane/templates/ingress.yaml | 2 + .../edc-controlplane/templates/service.yaml | 1 + .../templates/serviceaccount.yaml | 1 + deployment/helm/edc-controlplane/values.yaml | 73 ++-- deployment/helm/edc-dataplane/.helmignore | 2 + deployment/helm/edc-dataplane/Chart.yaml | 4 +- deployment/helm/edc-dataplane/README.md | 22 +- .../helm/edc-dataplane/README.md.gotmpl | 2 +- .../templates/configmap-env.yaml | 1 + .../edc-dataplane/templates/configmap.yaml | 1 + .../edc-dataplane/templates/deployment.yaml | 6 +- .../helm/edc-dataplane/templates/hpa.yaml | 1 + .../templates/imagepullsecret.yaml | 1 + .../helm/edc-dataplane/templates/ingress.yaml | 2 + .../helm/edc-dataplane/templates/service.yaml | 1 + .../templates/serviceaccount.yaml | 1 + deployment/helm/edc-dataplane/values.yaml | 70 ++-- edc | 2 +- edc-controlplane/README.md | 41 +- .../edc-controlplane-base/README.md | 7 + .../edc-controlplane-base/pom.xml | 150 ++++++++ 
.../edc-controlplane-cosmosdb/README.md | 180 --------- .../edc-controlplane-cosmosdb/pom.xml | 358 ------------------ .../edc-controlplane-memory/README.md | 8 +- .../edc-controlplane-memory/pom.xml | 129 +------ .../src/main/docker/Dockerfile | 2 +- .../README.md | 176 +++++++++ .../pom.xml | 161 ++++++++ .../src/main/docker/Dockerfile | 2 +- .../edc-controlplane-postgresql/README.md | 8 +- .../edc-controlplane-postgresql/pom.xml | 131 +------ .../src/main/docker/Dockerfile | 2 +- edc-controlplane/pom.xml | 15 +- .../{ => edc-dataplane-azure-vault}/README.md | 14 +- .../edc-dataplane-azure-vault/pom.xml | 173 +++++++++ .../src/main/docker/Dockerfile | 2 +- edc-dataplane/edc-dataplane-base/README.md | 7 + edc-dataplane/edc-dataplane-base/pom.xml | 97 +++++ .../edc-dataplane-hashicorp-vault/README.md | 92 +++++ .../edc-dataplane-hashicorp-vault/pom.xml | 155 ++++++++ .../src/main/docker/Dockerfile | 37 ++ edc-dataplane/pom.xml | 214 +---------- edc-extensions/aas-controller/README.md | 3 - edc-extensions/aas-controller/pom.xml | 71 ---- .../controlplane/ControlPlaneController.java | 135 ------- .../controlplane/ControlPlaneExtension.java | 46 --- .../business-partner-validation/pom.xml | 44 ++- ...usinessPartnerValidationExtensionTest.java | 13 +- ...AbstractBusinessPartnerValidationTest.java | 16 +- edc-extensions/hashicorp-vault/README.md | 9 + edc-extensions/hashicorp-vault/pom.xml | 218 +++++++++++ .../HashicorpCertificateResolver.java | 53 +++ .../edc/hashicorpvault/HashicorpVault.java | 52 +++ .../hashicorpvault/HashicorpVaultClient.java | 162 ++++++++ .../HashicorpVaultClientConfig.java | 29 ++ ...shicorpVaultCreateEntryRequestPayload.java | 47 +++ ...hicorpVaultCreateEntryResponsePayload.java | 33 ++ .../HashicorpVaultEntryMetadata.java | 40 ++ .../HashicorpVaultException.java | 28 ++ .../HashicorpVaultExtension.java | 111 ++++++ ...HashicorpVaultGetEntryResponsePayload.java | 48 +++ .../catenax/edc/hashicorpvault/PemUtil.java | 57 +++ 
...aspaceconnector.spi.system.VaultExtension} | 3 +- .../hashicorpvault/AbstractHashicorpIT.java | 89 +++++ .../HashicorpCertificateResolverIT.java | 54 +++ .../HashicorpCertificateResolverTest.java | 52 +++ .../HashicorpVaultClientTest.java | 146 +++++++ .../edc/hashicorpvault/HashicorpVaultIT.java | 89 +++++ .../hashicorpvault/HashicorpVaultTest.java | 90 +++++ .../X509CertificateTestUtil.java | 132 +++++++ .../src/test/resources/logback.xml | 23 ++ edc-extensions/pom.xml | 12 +- edc-extensions/postgresql-migration/pom.xml | 20 +- misc/license-mappings.xml | 6 + pom.xml | 200 +++++++--- settings.xml | 4 +- 98 files changed, 3679 insertions(+), 1698 deletions(-) create mode 100644 .github/workflows/checkov.yaml create mode 100644 .github/workflows/trivy.yaml create mode 100644 .mvn/jvm.config create mode 100644 checkov.yaml create mode 100644 edc-controlplane/edc-controlplane-base/README.md create mode 100644 edc-controlplane/edc-controlplane-base/pom.xml delete mode 100644 edc-controlplane/edc-controlplane-cosmosdb/README.md delete mode 100644 edc-controlplane/edc-controlplane-cosmosdb/pom.xml create mode 100644 edc-controlplane/edc-controlplane-postgresql-hashicorp-vault/README.md create mode 100644 edc-controlplane/edc-controlplane-postgresql-hashicorp-vault/pom.xml rename edc-controlplane/{edc-controlplane-cosmosdb => edc-controlplane-postgresql-hashicorp-vault}/src/main/docker/Dockerfile (97%) rename edc-dataplane/{ => edc-dataplane-azure-vault}/README.md (91%) create mode 100644 edc-dataplane/edc-dataplane-azure-vault/pom.xml rename edc-dataplane/{ => edc-dataplane-azure-vault}/src/main/docker/Dockerfile (97%) create mode 100644 edc-dataplane/edc-dataplane-base/README.md create mode 100644 edc-dataplane/edc-dataplane-base/pom.xml create mode 100644 edc-dataplane/edc-dataplane-hashicorp-vault/README.md create mode 100644 edc-dataplane/edc-dataplane-hashicorp-vault/pom.xml create mode 100644 
edc-dataplane/edc-dataplane-hashicorp-vault/src/main/docker/Dockerfile delete mode 100644 edc-extensions/aas-controller/README.md delete mode 100644 edc-extensions/aas-controller/pom.xml delete mode 100644 edc-extensions/aas-controller/src/main/java/net/catenax/edc/controlplane/ControlPlaneController.java delete mode 100644 edc-extensions/aas-controller/src/main/java/net/catenax/edc/controlplane/ControlPlaneExtension.java create mode 100644 edc-extensions/hashicorp-vault/README.md create mode 100644 edc-extensions/hashicorp-vault/pom.xml create mode 100644 edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpCertificateResolver.java create mode 100644 edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVault.java create mode 100644 edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVaultClient.java create mode 100644 edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVaultClientConfig.java create mode 100644 edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVaultCreateEntryRequestPayload.java create mode 100644 edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVaultCreateEntryResponsePayload.java create mode 100644 edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVaultEntryMetadata.java create mode 100644 edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVaultException.java create mode 100644 edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVaultExtension.java create mode 100644 edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVaultGetEntryResponsePayload.java create mode 100644 edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/PemUtil.java rename 
edc-extensions/{aas-controller/src/main/resources/META-INF/services/org.eclipse.dataspaceconnector.spi.system.ServiceExtension => hashicorp-vault/src/main/resources/META-INF/services/org.eclipse.dataspaceconnector.spi.system.VaultExtension} (87%) create mode 100644 edc-extensions/hashicorp-vault/src/test/java/net/catenax/edc/hashicorpvault/AbstractHashicorpIT.java create mode 100644 edc-extensions/hashicorp-vault/src/test/java/net/catenax/edc/hashicorpvault/HashicorpCertificateResolverIT.java create mode 100644 edc-extensions/hashicorp-vault/src/test/java/net/catenax/edc/hashicorpvault/HashicorpCertificateResolverTest.java create mode 100644 edc-extensions/hashicorp-vault/src/test/java/net/catenax/edc/hashicorpvault/HashicorpVaultClientTest.java create mode 100644 edc-extensions/hashicorp-vault/src/test/java/net/catenax/edc/hashicorpvault/HashicorpVaultIT.java create mode 100644 edc-extensions/hashicorp-vault/src/test/java/net/catenax/edc/hashicorpvault/HashicorpVaultTest.java create mode 100644 edc-extensions/hashicorp-vault/src/test/java/net/catenax/edc/hashicorpvault/X509CertificateTestUtil.java create mode 100644 edc-extensions/hashicorp-vault/src/test/resources/logback.xml diff --git a/.github/dependabot.yml b/.github/dependabot.yml index fe7de904a..74c476660 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -22,7 +22,7 @@ updates: - package-ecosystem: "docker" target-branch: develop - directory: "edc-dataplane/src/main/docker" + directory: "edc-dataplane/edc-dataplane-azure-vault/src/main/docker" labels: - "dependabot" - "docker" @@ -31,7 +31,7 @@ updates: - package-ecosystem: "docker" target-branch: develop - directory: "edc-controlplane/edc-controlplane-cosmosdb/src/main/docker" + directory: "edc-dataplane/edc-dataplane-hashicorp-vault/src/main/docker" labels: - "dependabot" - "docker" 
@@ -55,6 +55,15 @@ updates: - "docker" schedule: interval: "daily" + - + package-ecosystem: "docker" + target-branch: develop + directory: "edc-controlplane/edc-controlplane-postgresql-hashicorp-vault/src/main/docker" + labels: + - "dependabot" + - "docker" + schedule: + interval: "daily" - package-ecosystem: "maven" target-branch: develop diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index f16603612..c25a0b621 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -12,6 +12,8 @@ on: types: - released pull_request: + paths-ignore: + - 'deployment/helm/**' branches: - '*' @@ -31,11 +33,30 @@ jobs: [ ! -z "${{ secrets.ORG_VERACODE_API_KEY }}" ] && echo "::set-output name=ORG_VERACODE_API_KEY::true" exit 0 - ##################### - ### edc-dataplane ### - ##################### - build-edc-dataplane: - needs: [ secret-presence ] + verify-formatting: + runs-on: ubuntu-latest + steps: + - + name: Checkout + uses: actions/checkout@v3 + with: + fetch-depth: 0 + - + name: Set up JDK 11 + uses: actions/setup-java@v3.4.0 + with: + java-version: '11' + distribution: 'adopt' + cache: 'maven' + - + name: Verify proper formatting + run: ./mvnw spotless:check + + ################################# + ### edc-dataplane-azure-vault ### + ################################# + build-edc-dataplane-azure-vault: + needs: [ secret-presence, verify-formatting ] runs-on: ubuntu-latest steps: # Set-Up @@ -55,7 +76,7 @@ jobs: password: ${{ secrets.CXNG_GHCR_PAT }} - name: Set up JDK 11 - uses: actions/setup-java@v3.3.0 + uses: actions/setup-java@v3.4.0 with: java-version: '11' distribution: 'adopt' 
@@ -66,19 +87,19 @@ jobs: working-directory: edc # Build - - name: Build edc-dataplane + name: Build edc-dataplane-azure-vault run: |- - ./mvnw -s settings.xml -B -pl .,edc-dataplane -am verify + ./mvnw -Pfailsafe -s settings.xml -B -pl .,edc-dataplane/edc-dataplane-azure-vault -am verify env: GITHUB_PACKAGE_USERNAME: ${{ github.actor }} GITHUB_PACKAGE_PASSWORD: ${{ secrets.CXNG_GHCR_PAT }} - - name: edc-dataplane Docker Metadata - id: edc_dataplane_meta + name: edc-dataplane-azure-vault Docker Metadata + id: edc_dataplane_azure_vault_meta uses: docker/metadata-action@v4 with: images: | - ghcr.io/${{ github.repository }}/edc-dataplane + ghcr.io/${{ github.repository }}/edc-dataplane-azure-vault tags: | type=ref,event=branch type=ref,event=pr @@ -86,18 +107,18 @@ jobs: type=match,pattern=\d.\d.\d type=sha - - name: Build edc-dataplane Docker Image + name: Build edc-dataplane-azure-vault Docker Image uses: docker/build-push-action@v3 with: context: . - file: edc-dataplane/src/main/docker/Dockerfile + file: edc-dataplane/edc-dataplane-azure-vault/src/main/docker/Dockerfile build-args: | - JAR=edc-dataplane/target/edc-dataplane.jar - LIB=edc-dataplane/target/lib + JAR=edc-dataplane/edc-dataplane-azure-vault/target/edc-dataplane-azure-vault.jar + LIB=edc-dataplane/edc-dataplane-azure-vault/target/lib push: | ${{ (needs.secret-presence.outputs.CXNG_GHCR_PAT && github.event_name != 'pull_request' && 'true') || 'false' }} - tags: ${{ steps.edc_dataplane_meta.outputs.tags }} - labels: ${{ steps.edc_dataplane_meta.outputs.labels }} + tags: ${{ steps.edc_dataplane_azure_vault_meta.outputs.tags }} + labels: ${{ steps.edc_dataplane_azure_vault_meta.outputs.labels }} - name: Veracode Upload And Scan uses: veracode/veracode-uploadandscan-action@v1.0 
@@ -109,18 +130,103 @@ jobs: refs/heads/main', github.ref) continue-on-error: true with: - appname: 'product-edc/edc-dataplane' + appname: 'product-edc/edc-dataplane-azure-vault' createprofile: true version: ${{ github.ref }}-${{ github.sha }} - filepath: edc-dataplane/target/edc-dataplane.jar + filepath: edc-dataplane/edc-dataplane-azure-vault/target/edc-dataplane-azure-vault.jar vid: ${{ secrets.ORG_VERACODE_API_ID }} vkey: ${{ secrets.ORG_VERACODE_API_KEY }} - ################################# + ##################################### + ### edc-dataplane-hashicorp-vault ### + ##################################### + build-edc-dataplane-hashicorp-vault: + needs: [ secret-presence, verify-formatting ] + runs-on: ubuntu-latest + steps: + # Set-Up + - + name: Checkout + uses: actions/checkout@v3 + with: + submodules: recursive + - + name: Login to GitHub Container Registry + if: | + needs.secret-presence.outputs.CXNG_GHCR_PAT && github.event_name != 'pull_request' + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.CXNG_GHCR_PAT }} + - + name: Set up JDK 11 + uses: actions/setup-java@v3.4.0 + with: + java-version: '11' + distribution: 'adopt' + cache: 'maven' + - + name: Build edc with Gradle to get latest snapshots + run: ./gradlew publishToMavenLocal + working-directory: edc + # Build + - + name: Build edc-dataplane-hashicorp-vault + run: |- + ./mvnw -Pfailsafe -s settings.xml -B -pl .,edc-dataplane/edc-dataplane-hashicorp-vault -am verify + env: + GITHUB_PACKAGE_USERNAME: ${{ github.actor }} + GITHUB_PACKAGE_PASSWORD: ${{ secrets.CXNG_GHCR_PAT }} + - + name: edc-dataplane-hashicorp-vault Docker Metadata + id: edc_dataplane_hashicorp_vault_metadata + uses: docker/metadata-action@v4 + with: + images: | + ghcr.io/${{ github.repository }}/edc-dataplane-hashicorp-vault + tags: | + type=ref,event=branch + type=ref,event=pr + type=semver,pattern={{raw}} + type=match,pattern=\d.\d.\d + type=sha + - + name: Build 
edc-dataplane-hashicorp-vault Docker Image + uses: docker/build-push-action@v3 + with: + context: . + file: edc-dataplane/edc-dataplane-hashicorp-vault/src/main/docker/Dockerfile + build-args: | + JAR=edc-dataplane/edc-dataplane-hashicorp-vault/target/edc-dataplane-hashicorp-vault.jar + LIB=edc-dataplane/edc-dataplane-hashicorp-vault/target/lib + push: | + ${{ (needs.secret-presence.outputs.CXNG_GHCR_PAT && github.event_name != 'pull_request' && 'true') || 'false' }} + tags: ${{ steps.edc_dataplane_hashicorp_vault_metadata.outputs.tags }} + labels: ${{ steps.edc_dataplane_hashicorp_vault_metadata.outputs.labels }} + - + name: Veracode Upload And Scan + uses: veracode/veracode-uploadandscan-action@v1.0 + if: | + needs.secret-presence.outputs.ORG_VERACODE_API_ID && needs.secret-presence.outputs.ORG_VERACODE_API_KEY && contains(' + refs/heads/develop + refs/heads/release/ + refs/tags/ + refs/heads/main', github.ref) + continue-on-error: true + with: + appname: 'product-edc/edc-dataplane-hashicorp-vault' + createprofile: true + version: ${{ github.ref }}-${{ github.sha }} + filepath: edc-dataplane/edc-dataplane-hashicorp-vault/target/edc-dataplane-hashicorp-vault.jar + vid: ${{ secrets.ORG_VERACODE_API_ID }} + vkey: ${{ secrets.ORG_VERACODE_API_KEY }} + + ############################### ### edc-controlplane-memory ### - ################################# + ############################### build-edc-controlplane-memory: - needs: [ secret-presence ] + needs: [ secret-presence, verify-formatting ] runs-on: ubuntu-latest steps: # Set-Up @@ -140,7 +246,7 @@ jobs: password: ${{ secrets.CXNG_GHCR_PAT }} - name: Set up JDK 11 - uses: actions/setup-java@v3.3.0 + uses: actions/setup-java@v3.4.0 with: java-version: '11' distribution: 'adopt' 
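Review bot: The new `build-edc-dataplane-hashicorp-vault` job declares no `permissions:` block, so its `GITHUB_TOKEN` keeps the repository default scope, whereas the `checkov.yaml` and `trivy.yaml` workflows added in this same patch scope theirs explicitly; the same applies to `verify-formatting` in the `@@ -31,11 +33,30 @@` hunk and to `build-edc-controlplane-postgresql-hashicorp-vault` in the `@@ -370,3 +391,88 @@` hunk. As far as the hunk shows, registry login, the Maven build and the Veracode upload all authenticate with dedicated secrets rather than `GITHUB_TOKEN`, so `permissions:` followed by `contents: read` under `runs-on:` should be sufficient for these jobs. The build now also passes `-Pfailsafe`, which runs this module's integration tests in CI; if those tests depend on an external Vault instance or a container runtime, a comment on the step naming that requirement would make a failing PR build diagnosable.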
@@ -153,7 +259,7 @@ jobs: - name: Build edc-controlplane-memory run: |- - ./mvnw -s settings.xml -B -pl .,edc-controlplane/edc-controlplane-memory -am verify + ./mvnw -Pfailsafe -s settings.xml -B -pl .,edc-controlplane/edc-controlplane-memory -am verify env: GITHUB_PACKAGE_USERNAME: ${{ github.actor }} GITHUB_PACKAGE_PASSWORD: ${{ secrets.CXNG_GHCR_PAT }} 
@@ -201,96 +307,11 @@ jobs: vid: ${{ secrets.ORG_VERACODE_API_ID }} vkey: ${{ secrets.ORG_VERACODE_API_KEY }} - ################################# - ### edc-controlplane-cosmosdb ### - ################################# - build-edc-controlplane-cosmosdb: - needs: [ secret-presence ] - runs-on: ubuntu-latest - steps: - # Set-Up - - - name: Checkout - uses: actions/checkout@v3 - with: - submodules: recursive - - - name: Login to GitHub Container Registry - if: | - needs.secret-presence.outputs.CXNG_GHCR_PAT && github.event_name != 'pull_request' - uses: docker/login-action@v2 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.CXNG_GHCR_PAT }} - - - name: Set up JDK 11 - uses: actions/setup-java@v3.3.0 - with: - java-version: '11' - distribution: 'adopt' - cache: 'maven' - - - name: Build edc with Gradle to get latest snapshots - run: ./gradlew publishToMavenLocal - working-directory: edc - # Build - - - name: Build edc-controlplane-cosmosdb - run: |- - ./mvnw -s settings.xml -B -pl .,edc-controlplane/edc-controlplane-cosmosdb -am verify - env: - GITHUB_PACKAGE_USERNAME: ${{ github.actor }} - GITHUB_PACKAGE_PASSWORD: ${{ secrets.CXNG_GHCR_PAT }} - - - name: edc-controlplane-cosmosdb Docker Metadata - id: edc_controlplane_cosmosdb_meta - uses: docker/metadata-action@v4 - with: - images: | - ghcr.io/${{ github.repository }}/edc-controlplane-cosmosdb - tags: | - type=ref,event=branch - type=ref,event=pr - type=semver,pattern={{raw}} - type=match,pattern=\d.\d.\d - type=sha - - - name: Build edc-controlplane-cosmosdb Docker Image - uses: docker/build-push-action@v3 - with: - context: . 
- file: edc-controlplane/edc-controlplane-cosmosdb/src/main/docker/Dockerfile - build-args: | - JAR=edc-controlplane/edc-controlplane-cosmosdb/target/edc-controlplane-cosmosdb.jar - LIB=edc-controlplane/edc-controlplane-cosmosdb/target/lib - push: | - ${{ (needs.secret-presence.outputs.CXNG_GHCR_PAT && github.event_name != 'pull_request' && 'true') || 'false' }} - tags: ${{ steps.edc_controlplane_cosmosdb_meta.outputs.tags }} - labels: ${{ steps.edc_controlplane_cosmosdb_meta.outputs.labels }} - - - name: Veracode Upload And Scan - uses: veracode/veracode-uploadandscan-action@v1.0 - if: | - needs.secret-presence.outputs.ORG_VERACODE_API_ID && needs.secret-presence.outputs.ORG_VERACODE_API_KEY && contains(' - refs/heads/develop - refs/heads/release/ - refs/tags/ - refs/heads/main', github.ref) - continue-on-error: true - with: - appname: 'product-edc/edc-controlplane-cosmosdb' - createprofile: true - filepath: edc-controlplane/edc-controlplane-cosmosdb/target/edc-controlplane-cosmosdb.jar - version: ${{ github.ref }}-${{ github.sha }} - vid: ${{ secrets.ORG_VERACODE_API_ID }} - vkey: ${{ secrets.ORG_VERACODE_API_KEY }} - ################################### ### edc-controlplane-postgresql ### ################################### build-edc-controlplane-postgresql: - needs: [ secret-presence ] + needs: [ secret-presence, verify-formatting ] runs-on: ubuntu-latest steps: # Set-Up @@ -310,7 +331,7 @@ jobs: password: ${{ secrets.CXNG_GHCR_PAT }} - name: Set up JDK 11 - uses: actions/setup-java@v3.3.0 + uses: actions/setup-java@v3.4.0 with: java-version: '11' distribution: 'adopt' @@ -323,7 +344,7 @@ jobs: - name: Build edc-controlplane-postgresql run: |- - ./mvnw -s settings.xml -B -pl .,edc-controlplane/edc-controlplane-postgresql -am verify + ./mvnw -Pfailsafe -s settings.xml -B -pl .,edc-controlplane/edc-controlplane-postgresql -am verify env: GITHUB_PACKAGE_USERNAME: ${{ github.actor }} GITHUB_PACKAGE_PASSWORD: ${{ secrets.CXNG_GHCR_PAT }} 
@@ -370,3 +391,88 @@ jobs: version: ${{ github.ref_name }}-${{ github.sha }} vid: ${{ secrets.ORG_VERACODE_API_ID }} vkey: ${{ secrets.ORG_VERACODE_API_KEY }} + + ################################################### + ### edc-controlplane-postgresql-hashicorp-vault ### + ################################################### + build-edc-controlplane-postgresql-hashicorp-vault: + needs: [ secret-presence, verify-formatting ] + runs-on: ubuntu-latest + steps: + # Set-Up + - + name: Checkout + uses: actions/checkout@v3 + with: + submodules: recursive + - + name: Login to Github Packages + if: | + needs.secret-presence.outputs.CXNG_GHCR_PAT && github.event_name != 'pull_request' + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.CXNG_GHCR_PAT }} + - + name: Set up JDK 11 + uses: actions/setup-java@v3.4.0 + with: + java-version: '11' + distribution: 'adopt' + cache: 'maven' + - + name: Build edc with Gradle to get latest snapshots + run: ./gradlew publishToMavenLocal + working-directory: edc + # Build + - + name: Build edc-controlplane-postgresql-hashicorp-vault + run: |- + ./mvnw -Pfailsafe -s settings.xml -B -pl .,edc-controlplane/edc-controlplane-postgresql-hashicorp-vault -am verify + env: + GITHUB_PACKAGE_USERNAME: ${{ github.actor }} + GITHUB_PACKAGE_PASSWORD: ${{ secrets.CXNG_GHCR_PAT }} + - + name: edc-controlplane-postgresql-hashicorp-vault Docker Metadata + id: edc_controlplane_postgresql_hashicorp_vault_meta + uses: docker/metadata-action@v4 + with: + images: | + ghcr.io/${{ github.repository }}/edc-controlplane-postgresql-hashicorp-vault + tags: | + type=ref,event=branch + type=ref,event=pr + type=semver,pattern={{raw}} + type=match,pattern=\d.\d.\d + type=sha + - + name: Build edc-controlplane-postgresql-hashicorp-vault Docker Image + uses: docker/build-push-action@v3 + with: + context: . 
+ file: edc-controlplane/edc-controlplane-postgresql-hashicorp-vault/src/main/docker/Dockerfile + build-args: | + JAR=edc-controlplane/edc-controlplane-postgresql-hashicorp-vault/target/edc-controlplane-postgresql-hashicorp-vault.jar + LIB=edc-controlplane/edc-controlplane-postgresql-hashicorp-vault/target/lib + push: | + ${{ (needs.secret-presence.outputs.CXNG_GHCR_PAT && github.event_name != 'pull_request' && 'true') || 'false' }} + tags: ${{ steps.edc_controlplane_postgresql_hashicorp_vault_meta.outputs.tags }} + labels: ${{ steps.edc_controlplane_postgresql_hashicorp_vault_meta.outputs.labels }} + - + name: Veracode Upload And Scan + uses: veracode/veracode-uploadandscan-action@v1.0 + if: | + needs.secret-presence.outputs.ORG_VERACODE_API_ID && needs.secret-presence.outputs.ORG_VERACODE_API_KEY && contains(' + refs/heads/develop + refs/heads/release/ + refs/tags/ + refs/heads/main', github.ref) + continue-on-error: true + with: + appname: 'product-edc/edc-controlplane-postgresql-hashicorp-vault' + createprofile: true + filepath: edc-controlplane/edc-controlplane-postgresql-hashicorp-vault/target/edc-controlplane-postgresql-hashicorp-vault.jar + version: ${{ github.ref_name }}-${{ github.sha }} + vid: ${{ secrets.ORG_VERACODE_API_ID }} + vkey: ${{ secrets.ORG_VERACODE_API_KEY }} diff --git a/.github/workflows/checkov.yaml b/.github/workflows/checkov.yaml new file mode 100644 index 000000000..5bdc9aeb0 --- /dev/null +++ b/.github/workflows/checkov.yaml 
@@ -0,0 +1,51 @@ +--- +name: "Checkov" + +on: + push: + branches: + - main + - develop + tags: + - '[0-9]+.[0-9]+.[0-9]+' + paths-ignore: + - '**' + - '!deployment/helm/**' + pull_request: + branches: + - '*' + paths-ignore: + - '**' + - '!deployment/helm/**' + +jobs: + analyze: + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + name: checkov-action + steps: + - + name: Checkout repo + uses: actions/checkout@master + - + name: Run Checkov action + id: checkov + uses: bridgecrewio/checkov-action@master + with: + directory: deployment/helm + quiet: true # optional: display only failed checks + soft_fail: false # optional: do not return an error code if there are failed checks + framework: helm # optional: run only on a specific infrastructure {cloudformation,terraform,kubernetes,all} + output_format: sarif # optional: the output format, one of: cli, json, junitxml, github_failed_only, or sarif. Default: sarif + download_external_modules: true # optional: download external terraform modules from public git repositories and terraform registry + log_level: DEBUG # optional: set log level. Default WARNING + config_file: checkov.yaml + - + name: Upload Checkov scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + if: always() + with: + sarif_file: "results.sarif" diff --git a/.github/workflows/draft-new-release.yaml b/.github/workflows/draft-new-release.yaml index d298ab174..7acc3be1c 100644 --- a/.github/workflows/draft-new-release.yaml +++ b/.github/workflows/draft-new-release.yaml @@ -29,7 +29,7 @@ jobs: git config user.email noreply@github.com - name: Set up JDK 11 - uses: actions/setup-java@v3.3.0 + uses: actions/setup-java@v3.4.0 with: java-version: '11' distribution: 'adopt' 
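Review bot: Both actions in the new workflow are referenced by a floating branch, `uses: actions/checkout@master` and `uses: bridgecrewio/checkov-action@master`, so whatever lands on those branches executes in a job that holds `security-events: write` and the checkout token. Pin them to a release tag or, better, a full commit SHA: `uses: actions/checkout@v3` matches every other workflow touched in this patch, and `uses: bridgecrewio/checkov-action@<pinned tag or commit SHA>` for the scanner. The inline comment on `framework: helm` still lists `{cloudformation,terraform,kubernetes,all}`; adjust it to mention `helm` so the option and its comment agree. `download_external_modules: true` fetches modules from public repositories at scan time and appears unused with `framework: helm`, so it could be dropped to avoid the network dependency.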
@@ -43,15 +43,23 @@ jobs: GITHUB_PACKAGE_PASSWORD: ${{ secrets.CXNG_GHCR_PAT }} - name: Bump version in deployment/helm - uses: mikefarah/yq@v4.25.1 + uses: mikefarah/yq@v4.25.3 with: cmd: |- find deployment/helm -name Chart.yaml | xargs -n1 yq -i '.appVersion = "${{ github.event.inputs.version }}" | .version = "${{ github.event.inputs.version }}"' + - + name: Update Chart READMEs + uses: addnab/docker-run-action@v3 + with: + image: jnorwood/helm-docs:v1.10.0 + options: -v ${{ github.workspace }}/deployment/helm:/helm-docs + run: | + helm-docs --log-level debug - name: Commit changelog and manifest files id: make-commit run: | - git add CHANGELOG.md $(find -name pom.xml) $(find deployment/helm -name Chart.yaml) + git add CHANGELOG.md $(find -name pom.xml) $(find deployment/helm -name Chart.yaml) $(find deployment/helm -name README.md) git commit --message "Prepare release ${{ github.event.inputs.version }}" echo "::set-output name=commit::$(git rev-parse HEAD)" diff --git a/.github/workflows/helm-lint.yaml b/.github/workflows/helm-lint.yaml index 8b49c30b7..cd366ea2d 100644 --- a/.github/workflows/helm-lint.yaml +++ b/.github/workflows/helm-lint.yaml @@ -37,7 +37,7 @@ jobs: version: v3.8.1 - name: python (setup) - uses: actions/setup-python@v3 + uses: actions/setup-python@v4 with: python-version: 3.7 - diff --git a/.github/workflows/publish-new-release.yml b/.github/workflows/publish-new-release.yml index 2a8b33e72..bedaf133a 100644 --- a/.github/workflows/publish-new-release.yml +++ b/.github/workflows/publish-new-release.yml 
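Review bot: The new `Update Chart READMEs` step runs `jnorwood/helm-docs:v1.10.0` with the chart directory mounted read-write and its output is then staged and committed by `make-commit`, but the image is pinned only by a mutable tag. Pin it by digest, `image: jnorwood/helm-docs:v1.10.0@sha256:<digest placeholder>`, so the content that enters the release commit cannot change under the same tag. A one-line comment on the step, `# output of this container is committed below; keep the image digest-pinned`, would make that dependency visible to the next maintainer.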
@@ -9,19 +9,22 @@ on: - closed jobs: + # Gate: Check secret presence secret-presence: name: Determine secret presence runs-on: ubuntu-latest outputs: + CXNG_GHCR_PAT: ${{ steps.secret-presence.outputs.CXNG_GHCR_PAT }} CXNG_RELEASE_PAT: ${{ steps.secret-presence.outputs.CXNG_RELEASE_PAT }} steps: - name: Check whether secrets exist id: secret-presence run: | + [ ! -z "${{ secrets.CXNG_GHCR_PAT }}" ] && echo "::set-output name=CXNG_GHCR_PAT::true" [ ! -z "${{ secrets.CXNG_RELEASE_PAT }}" ] && echo "::set-output name=CXNG_RELEASE_PAT::true" exit 0 - + # Gate: Check release version presence release-version: name: Determine release version runs-on: ubuntu-latest 
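Review bot: The added check `[ ! -z "${{ secrets.CXNG_GHCR_PAT }}" ] && echo ...` expands the secret's value into the shell script text, following the pattern of the existing `CXNG_RELEASE_PAT` line. GitHub masks registered secrets in logs, but passing the value through `env:` keeps it out of the script body and avoids any quoting problem with unusual characters: add `CXNG_GHCR_PAT: ${{ secrets.CXNG_GHCR_PAT }}` under an `env:` on the step and test `[ -n "$CXNG_GHCR_PAT" ] && echo "::set-output name=CXNG_GHCR_PAT::true"` in `run:`.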
@@ -50,6 +53,88 @@ jobs: run: | echo "::set-output name=RELEASE_VERSION::${{ env.RELEASE_VERSION }}" + # Release: Maven Artifacts + maven-release: + name: Publish extension's release version to maven repository + needs: [ secret-presence, release-version ] + runs-on: ubuntu-latest + if: github.event.pull_request.merged == true && needs.secret-presence.outputs.CXNG_GHCR_PAT && needs.release-version.outputs.RELEASE_VERSION + steps: + - + name: Export RELEASE_VERSION env + run: | + echo "RELEASE_VERSION=${{ needs.release-version.outputs.RELEASE_VERSION }}" >> $GITHUB_ENV + - + name: Checkout + uses: actions/checkout@v3 + with: + submodules: recursive + - + name: Set up JDK 11 + uses: actions/setup-java@v3.4.0 + with: + java-version: '11' + distribution: 'adopt' + cache: 'maven' + - + name: Build edc with Gradle to get latest snapshots + run: ./gradlew publishToMavenLocal + working-directory: edc + - + name: Deploy + run: |- + ./mvnw -s settings.xml \ + -Pdelombok -pl '!edc-controlplane,!edc-controlplane/edc-controlplane-memory,!edc-controlplane/edc-controlplane-postgresql,!edc-controlplane/edc-controlplane-postgresql-hashicorp-vault,!edc-dataplane/edc-dataplane-azure-vault,!edc-dataplane/edc-dataplane-hashicorp-vault' \ + -DaltReleaseDeploymentRepository=github::https://maven.pkg.github.com/${{ github.repository }} \ + -Dmaven.test.skip=true -B package deploy:deploy + env: + GITHUB_PACKAGE_USERNAME: ${{ github.actor }} + GITHUB_PACKAGE_PASSWORD: ${{ secrets.CXNG_GHCR_PAT }} + + # Release: Helm Charts + helm-release: + name: Publish new helm release + needs: [ release-version ] + runs-on: ubuntu-latest + if: github.event.pull_request.merged == true && needs.release-version.outputs.RELEASE_VERSION + steps: + - + name: Export RELEASE_VERSION env + run: | + echo "RELEASE_VERSION=${{ needs.release-version.outputs.RELEASE_VERSION }}" >> $GITHUB_ENV + - + name: Checkout + uses: actions/checkout@v3 + with: + fetch-depth: 0 + - + name: Install Helm + uses: azure/setup-helm@v1 
+ with: + version: v3.8.1 + - + name: Package helm, update index.yaml and push to gh-pages + run: | + # Prepare git env + git config user.name "GitHub actions" + git config user.email noreply@github.com + + # Package all charts + find -name Chart.yaml | xargs -n1 dirname | xargs -n1 helm package -u -d helm-charts + + git checkout gh-pages || git checkout -b gh-pages + git pull --rebase origin gh-pages + + # Generate helm repo index.yaml + helm repo index . --merge index.yaml --url https://${GITHUB_REPOSITORY_OWNER}.github.io/${GITHUB_REPOSITORY#*/}/ + + # Commit and push to gh-pages + git add index.yaml helm-charts + git commit -s -m "Release ${{ env.RELEASE_VERSION }}" + + git push origin gh-pages + + # Release: GitHub tag & release; Merges back main into develop; Starts a new development cycle; github-release: name: Publish new github release needs: [ secret-presence, release-version ] @@ -95,7 +180,7 @@ jobs: prerelease: false - name: Set up JDK 11 - uses: actions/setup-java@v3.3.0 + uses: actions/setup-java@v3.4.0 with: java-version: '11' distribution: 'adopt' 
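Review bot: The new `maven-release` and `helm-release` jobs declare no `permissions:` block, so both run with the repository's default `GITHUB_TOKEN` scope. `maven-release` authenticates to GitHub Packages with `CXNG_GHCR_PAT` rather than the workflow token, so `permissions:` with `contents: read` appears sufficient there; `helm-release` pushes `gh-pages` with the checkout credential as far as the hunk shows, so it needs `contents: write` and nothing more. The deploy step also passes `-Dmaven.test.skip=true`, which skips test compilation as well as execution; if the intent is that `build.yaml` is the verification gate, a comment on the step such as `# tests run in build.yaml; this job only packages and deploys` would document that reliance.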
@@ -124,45 +209,3 @@ jobs: git commit --message "Introduce new snapshot version $SNAPSHOT_VERSION" git push origin develop - - helm-release: - name: Publish new helm release - needs: [ release-version ] - runs-on: ubuntu-latest - if: github.event.pull_request.merged == true && needs.release-version.outputs.RELEASE_VERSION - steps: - - - name: Export RELEASE_VERSION env - run: | - echo "RELEASE_VERSION=${{ needs.release-version.outputs.RELEASE_VERSION }}" >> $GITHUB_ENV - - - name: Checkout - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: Install Helm - uses: azure/setup-helm@v1 - with: - version: v3.8.1 - - - name: Package helm, update index.yaml and push to gh-pages - run: | - # Prepare git env - git config user.name "GitHub actions" - git config user.email noreply@github.com - - # Package all charts - find -name Chart.yaml | xargs -n1 dirname | xargs -n1 helm package -u -d helm-charts - - git checkout gh-pages || git checkout -b gh-pages - git pull --rebase origin gh-pages - - # Generate helm repo index.yaml - helm repo index . --merge index.yaml --url https://${GITHUB_REPOSITORY_OWNER}.github.io/${GITHUB_REPOSITORY#*/}/ - - # Commit and push to gh-pages - git add index.yaml helm-charts - git commit -s -m "Release ${{ env.RELEASE_VERSION }}" - - git push origin gh-pages diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml new file mode 100644 index 000000000..d5fdb5cfa --- /dev/null +++ b/.github/workflows/trivy.yaml 
@@ -0,0 +1,211 @@ +--- +name: "Trivy" + +on: + workflow_run: + workflows: ["Build"] + branches: + - main + - develop + - release/* + - hotfix/* + tags: + - '[0-9]+.[0-9]+.[0-9]+' + types: + - completed + +jobs: + git-sha7: + name: Determine short git sha + runs-on: ubuntu-latest + outputs: + value: ${{ steps.git-sha7.outputs.SHA7 }} + steps: + - + name: Resolve git 7-chars sha + id: git-sha7 + run: | + echo "::set-output name=SHA7::${GITHUB_SHA::7}" + + analyze-config: + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + steps: + - + name: Checkout repository + uses: actions/checkout@v2 + - + name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@master + with: + scan-type: "config" + # ignore-unfixed: true + exit-code: "1" + hide-progress: false + format: "sarif" + output: "trivy-results-config.sarif" + severity: "CRITICAL,HIGH" + - + name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + if: always() + with: + sarif_file: "trivy-results-config.sarif" + + ############################### + ### edc-controlplane-memory ### + ############################### + analyze-edc-controlplane-memory: + needs: [ git-sha7 ] + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + steps: + - + name: Checkout repository + uses: actions/checkout@v2 + - + name: Run Trivy vulnerability scanner + if: always() + uses: aquasecurity/trivy-action@master + with: + image-ref: "ghcr.io/${{ github.repository }}/edc-controlplane-memory:sha-${{ needs.git-sha7.outputs.value }}" + format: "sarif" + output: "trivy-results-edc-controlplane-memory.sarif" + exit-code: "1" + severity: "CRITICAL,HIGH" + - + name: Upload Trivy scan results to GitHub Security tab + if: always() + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: "trivy-results-edc-controlplane-memory.sarif" + + ################################### + ### 
edc-controlplane-postgresql ### + ################################### + analyze-edc-controlplane-postgresql: + needs: [ git-sha7 ] + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + steps: + - + name: Checkout repository + uses: actions/checkout@v2 + - + name: Run Trivy vulnerability scanner + if: always() + uses: aquasecurity/trivy-action@master + with: + image-ref: "ghcr.io/${{ github.repository }}/edc-controlplane-postgresql:sha-${{ needs.git-sha7.outputs.value }}" + format: "sarif" + output: "trivy-results-edc-controlplane-postgresql.sarif" + exit-code: "1" + severity: "CRITICAL,HIGH" + - + name: Upload Trivy scan results to GitHub Security tab + if: always() + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: "trivy-results-edc-controlplane-postgresql.sarif" + + ################################################### + ### edc-controlplane-postgresql-hashicorp-vault ### + ################################################### + analyze-edc-controlplane-postgresql-hashicorp-vault: + needs: [ git-sha7 ] + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + steps: + - + name: Checkout repository + uses: actions/checkout@v2 + - + name: Run Trivy vulnerability scanner + if: always() + uses: aquasecurity/trivy-action@master + with: + image-ref: "ghcr.io/${{ github.repository }}/edc-controlplane-postgresql-hashicorp-vault:sha-${{ needs.git-sha7.outputs.value }}" + format: "sarif" + output: "trivy-results-edc-controlplane-postgresql-hashicorp-vault.sarif" + exit-code: "1" + severity: "CRITICAL,HIGH" + - + name: Upload Trivy scan results to GitHub Security tab + if: always() + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: "trivy-results-edc-controlplane-postgresql-hashicorp-vault.sarif" + + ################################# + ### edc-dataplane-azure-vault ### + ################################# + analyze-edc-dataplane-azure-vault: + needs: [ 
git-sha7 ] + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + steps: + - + name: Checkout repository + uses: actions/checkout@v2 + - + name: Run Trivy vulnerability scanner + if: always() + uses: aquasecurity/trivy-action@master + with: + image-ref: "ghcr.io/${{ github.repository }}/edc-dataplane-azure-vault:sha-${{ needs.git-sha7.outputs.value }}" + format: "sarif" + output: "trivy-results-edc-dataplane-azure-vault.sarif" + exit-code: "1" + severity: "CRITICAL,HIGH" + - + name: Upload Trivy scan results to GitHub Security tab + if: always() + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: "trivy-results-edc-dataplane-azure-vault.sarif" + + ##################################### + ### edc-dataplane-hashicorp-vault ### + ##################################### + analyze-edc-dataplane-hashicorp-vault: + needs: [ git-sha7 ] + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + steps: + - + name: Checkout repository + uses: actions/checkout@v2 + - + name: Run Trivy vulnerability scanner + if: always() + uses: aquasecurity/trivy-action@master + with: + image-ref: "ghcr.io/${{ github.repository }}/edc-dataplane-hashicorp-vault:sha-${{ needs.git-sha7.outputs.value }}" + format: "sarif" + output: "trivy-results-edc-dataplane-hashicorp-vault.sarif" + exit-code: "1" + severity: "CRITICAL,HIGH" + - + name: Upload Trivy scan results to GitHub Security tab + if: always() + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: "trivy-results-edc-dataplane-hashicorp-vault.sarif" diff --git a/.mvn/jvm.config b/.mvn/jvm.config new file mode 100644 index 000000000..79ecf9292 --- /dev/null +++ b/.mvn/jvm.config 
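Review bot: The `sha-…` image tag every scanner job resolves is derived from `${GITHUB_SHA::7}` in the git-sha7 job, but on a `workflow_run` trigger `GITHUB_SHA` is (as far as I can tell from the event semantics) the head of the default branch, not the commit the triggering Build run actually built, so for develop, release/* and hotfix/* runs the scan would hit the wrong or a non-existent image; derive it from the triggering run instead, e.g. `HEAD_SHA='${{ github.event.workflow_run.head_sha }}'` followed by `echo "::set-output name=SHA7::${HEAD_SHA::7}"`. None of the jobs checks `github.event.workflow_run.conclusion == 'success'`, so a failed Build still fans out six image scans against tags that were never pushed, and the `if: always()` on the scanner steps hides that distinction. All six scanner steps reference `aquasecurity/trivy-action@master`, a mutable branch ref, inside jobs that hold `security-events: write`; pin it to a release tag or, better, a full commit SHA, and likewise move `actions/checkout@v2` to the v3 the repo's other workflows use. The per-image jobs are identical apart from the image name, so a `strategy.matrix` over the image list would keep them in sync when a derivative is added or removed, and the git-sha7 job should carry an explicit `permissions: {}` (or `contents: read`) since it currently inherits the default token scope.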
@@ -0,0 +1 @@ +--add-exports jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED --add-exports jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED --add-exports jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED --add-exports jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED --add-exports jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED diff --git a/CHANGELOG.md b/CHANGELOG.md index db6371e39..aecbcee2d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,13 +7,31 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [0.0.4] - 2022-06-27 + +### Added +- HashiCorp Vault Extension +- Control Plane with HashiCorp Vault and PostgreSQL support + +### Changed +- Release Worklow now publishes Product EDC Extensions as Maven Artifacts + +### Fixed +- [#1515](https://github.com/eclipse-dataspaceconnector/DataSpaceConnector/issues/1515) SQL: Connector sends out 50 contract offers max. + +### Removed +- CosmosDB Control Plane +- Control API Extension for all Control Planes + ## [0.0.3] - 2022-05-23 ## [0.0.2] - 2022-05-20 ## [0.0.1] - 2022-05-13 -[Unreleased]: https://github.com/catenax-ng/product-edc/compare/0.0.3...HEAD +[Unreleased]: https://github.com/catenax-ng/product-edc/compare/0.0.4...HEAD + +[0.0.4]: https://github.com/catenax-ng/product-edc/compare/0.0.3...0.0.4 [0.0.3]: https://github.com/catenax-ng/product-edc/compare/0.0.2...0.0.3 diff --git a/NOTICE.md b/NOTICE.md index 2886d7b03..25d95db3f 100644 --- a/NOTICE.md +++ b/NOTICE.md 
@@ -18,9 +18,8 @@ The project maintains the following source code repositoriy: ## Third-party Content (Overarching All Modules) -* aas-controller under Apache License 2.0 * aopalliance version 1.0 repackaged as a module under EPL 2.0 or GPL2 w/ CPE -* Apache Commons Codec under Apache License, Version 2.0 +* Apache Commons Compress under Apache License, Version 2.0 * Apache Commons Lang under Apache License, Version 2.0 * Apache Commons Pool under Apache License, Version 2.0 * apache-commons-pool-sql under Apache License, Version 2.0 @@ -33,7 +32,6 @@ The project maintains the following source code repositoriy: * asm-tree under BSD-3-Clause * asset-api under Apache License, Version 2.0 * asset-index-sql under Apache License, Version 2.0 -* assetindex-cosmos under Apache License, Version 2.0 * auth-spi under Apache License, Version 2.0 * auth-tokenbased under Apache License, Version 2.0 * azure-vault under Apache License, Version 2.0 @@ -42,6 +40,8 @@ The project maintains the following source code repositoriy: * Bouncy Castle PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP, and CRMF APIs under Bouncy Castle Licence * Bouncy Castle Provider under Bouncy Castle Licence * business-partner-validation under Apache License 2.0 +* Byte Buddy (without dependencies) under Apache License, Version 2.0 +* Byte Buddy agent under Apache License, Version 2.0 * catalog-api under Apache License, Version 2.0 * catalog-spi under Apache License, Version 2.0 * Checker Qual under The MIT License 
@@ -49,8 +49,6 @@ The project maintains the following source code repositoriy: * common-sql under Apache License, Version 2.0 * common-util under Apache License, Version 2.0 * contract under Apache License, Version 2.0 -* contract-definition-store-cosmos under Apache License, Version 2.0 -* contract-negotiation-store-cosmos under Apache License, Version 2.0 * contract-spi under Apache License, Version 2.0 * contractagreement-api under Apache License, Version 2.0 * contractdefinition-api under Apache License, Version 2.0 @@ -64,7 +62,6 @@ The project maintains the following source code repositoriy: * core-defaults under Apache License, Version 2.0 * core-micrometer under Apache License, Version 2.0 * core-spi under Apache License, Version 2.0 -* cosmos-common under Apache License, Version 2.0 * data-management-api under Apache License, Version 2.0 * data-plane-api under Apache License, Version 2.0 * data-plane-framework under Apache License, Version 2.0 
@@ -73,15 +70,24 @@ The project maintains the following source code repositoriy: * data-plane-transfer-spi under Apache License, Version 2.0 * data-plane-transfer-sync under Apache License, Version 2.0 * dataloading under Apache License, Version 2.0 +* docker-java-api under The Apache Software License, Version 2.0 +* docker-java-transport under The Apache Software License, Version 2.0 +* docker-java-transport-zerodep under The Apache Software License, Version 2.0 +* Duct Tape under MIT * edc-controlplane under Apache License 2.0 -* edc-controlplane-cosmosdb under Apache License 2.0 * edc-controlplane-memory under Apache License 2.0 * edc-controlplane-postgresql under Apache License 2.0 +* edc-controlplane-postgresql-hashicorp-vault under Apache License 2.0 * edc-dataplane under Apache License 2.0 +* edc-dataplane-azure-vault under Apache License 2.0 +* edc-dataplane-hashicorp-vault under Apache License 2.0 * edc-extensions under Apache License 2.0 * Failsafe under Apache License, Version 2.0 * filesystem-configuration under Apache License, Version 2.0 * flyway-core under Apache License, Version 2.0 +* Hamcrest under BSD License 3 +* Hamcrest Core under New BSD License +* hashicorp-vault under Apache License 2.0 * HdrHistogram under Public Domain, per Creative Commons CC0 or BSD-2-Clause * HK2 API module under EPL 2.0 or GPL2 w/ CPE * HK2 Implementation Utilities under EPL 2.0 or GPL2 w/ CPE @@ -89,7 +95,6 @@ The project maintains the following source code repositoriy: * HTTP functionality for the Reactor Netty library under The Apache Software License, Version 2.0 * http-receiver under Apache License, Version 2.0 * iam-daps under Apache License, Version 2.0 -* iam-mock under Apache License, Version 2.0 * ids-api-configuration under Apache License, Version 2.0 * ids-api-multipart-dispatcher-v1 under Apache License, Version 2.0 * ids-api-multipart-endpoint-v1 under Apache License, Version 2.0 
@@ -99,7 +104,6 @@ The project maintains the following source code repositoriy: * ids-token-validation under Apache License, Version 2.0 * IntelliJ IDEA Annotations under The Apache Software License, Version 2.0 * Jackson datatype: JSR310 under The Apache Software License, Version 2.0 -* Jackson module: Afterburner under The Apache Software License, Version 2.0 * Jackson module: Jakarta XML Bind Annotations (jakarta.xml.bind) under The Apache Software License, Version 2.0 * Jackson-annotations under The Apache Software License, Version 2.0 * Jackson-core under The Apache Software License, Version 2.0 @@ -110,11 +114,10 @@ The project maintains the following source code repositoriy: * Jakarta Annotations API under EPL 2.0 or GPL2 w/ CPE * Jakarta Bean Validation API under Apache License 2.0 * Jakarta Dependency Injection under The Apache Software License, Version 2.0 -* Jakarta RESTful WS API under EPL-2.0 or GPL-2.0-with-classpath-exception * Jakarta XML Binding API under Eclipse Distribution License - v 1.0 * jakarta.transaction API under EPL 2.0 or GPL2 w/ CPE +* jakarta.ws.rs-api under EPL-2.0 or GPL-2.0-with-classpath-exception * java under Apache License, Version 2.0 -* java jwt under The MIT License (MIT) * Java Native Access under LGPL, version 2.1 or Apache License v2.0 * Java Native Access Platform under LGPL, version 2.1 or Apache License v2.0 * Javassist under MPL 1.1 or LGPL 2.1 or Apache License 2.0 
@@ -156,27 +159,27 @@ The project maintains the following source code repositoriy: * Jetty :: XML utilities under Eclipse Public License - Version 2.0 or Apache Software License - Version 2.0 * jetty-micrometer under Apache License, Version 2.0 * JSON Small and Fast Parser under The Apache Software License, Version 2.0 +* JUL to SLF4J bridge under MIT License +* JUnit under Eclipse Public License 1.0 +* JUnit Jupiter (Aggregator) under Eclipse Public License v2.0 * JUnit Jupiter API under Eclipse Public License v2.0 * JUnit Jupiter Engine under Eclipse Public License v2.0 * JUnit Jupiter Params under Eclipse Public License v2.0 * JUnit Platform Commons under Eclipse Public License v2.0 * JUnit Platform Engine API under Eclipse Public License v2.0 -* JUnit Platform Launcher under Eclipse Public License v2.0 -* JUnit Platform Suite (Aggregator) under Eclipse Public License v2.0 -* JUnit Platform Suite API under Eclipse Public License v2.0 -* JUnit Platform Suite Commons under Eclipse Public License v2.0 -* JUnit Platform Suite Engine under Eclipse Public License v2.0 +* junit-extension under Apache License, Version 2.0 * LatencyUtils under Public Domain, per Creative Commons CC0 * lease-sql under Apache License, Version 2.0 -* Metrics Core under Apache License 2.0 +* Logback Classic Module under Eclipse Public License - v 1.0 or GNU Lesser General Public License +* Logback Core Module under Eclipse Public License - v 1.0 or GNU Lesser General Public License * micrometer-core under The Apache Software License, Version 2.0 * Microsoft Azure client library for Identity under The MIT License (MIT) * Microsoft Azure client library for KeyVault Secrets under The MIT License (MIT) * Microsoft Azure Java Core Library under The MIT License (MIT) * Microsoft Azure Netty HTTP Client Library under The MIT License (MIT) -* Microsoft Azure SDK for SQL API of Azure Cosmos DB Service under The MIT License (MIT) * MIME streaming extension under Eclipse Distribution License - v 1.0 -* 
Mockito under The MIT License +* mockito-core under The MIT License +* mockito-inline under The MIT License * msal4j under MIT License * msal4j-persistence-extension under MIT License * Netty/Buffer under Apache License, Version 2.0 @@ -207,6 +210,7 @@ The project maintains the following source code repositoriy: * OAuth 2.0 SDK with OpenID Connect extensions under Apache License, version 2.0 * oauth2-core under Apache License, Version 2.0 * oauth2-spi under Apache License, Version 2.0 +* Objenesis under Apache License, Version 2.0 * observability-api under Apache License, Version 2.0 * okhttp under The Apache Software License, Version 2.0 * Okio under The Apache Software License, Version 2.0 @@ -219,12 +223,12 @@ The project maintains the following source code repositoriy: * policy-engine under Apache License, Version 2.0 * policy-evaluator under Apache License, Version 2.0 * policy-spi under Apache License, Version 2.0 -* policy-store-cosmos under Apache License, Version 2.0 * policy-store-sql under Apache License, Version 2.0 * policydefinition-api under Apache License, Version 2.0 * PostgreSQL JDBC Driver under BSD-2-Clause * postgresql-migration under Apache License 2.0 * product-edc-parent under Apache License 2.0 +* Project Lombok under The MIT License * reactive-streams under CC0 * ServiceLocator Default Implementation under EPL 2.0 or GPL2 w/ CPE * SLF4J API Module under MIT License 
@@ -237,13 +241,15 @@ The project maintains the following source code repositoriy: * swagger-integration-jakarta under Apache License 2.0 * swagger-jaxrs2-jakarta under Apache License 2.0 * swagger-models-jakarta under Apache License 2.0 +* Testcontainers :: JUnit Jupiter Extension under MIT +* Testcontainers :: Vault under MIT +* Testcontainers Core under MIT * token-generation-lib under Apache License, Version 2.0 * token-validation-lib under Apache License, Version 2.0 * transaction-datasource-spi under Apache License, Version 2.0 * transaction-local under Apache License, Version 2.0 * transaction-spi under Apache License, Version 2.0 * transfer under Apache License, Version 2.0 -* transfer-process-store-cosmos under Apache License, Version 2.0 * transfer-process-store-sql under Apache License, Version 2.0 * transfer-spi under Apache License, Version 2.0 * transferprocess-api under Apache License, Version 2.0 diff --git a/README.md b/README.md index 9cb72a662..41728e38f 100644 --- a/README.md +++ b/README.md 
@@ -10,13 +10,21 @@ The Data-Plane does the heavy lifting of transferring and receiving data streams Depending on your environment there are different derivatives of the control-plane prepared: -* [edc-controlplane-cosmosdb](edc-controlplane/edc-controlplane-cosmosdb) -* [edc-controlplane-memory](edc-controlplane/edc-controlplane-memory) -* [edc-controlplane-postgresql](edc-controlplane/edc-controlplane-postgresql) +* [edc-controlplane-memory](edc-controlplane/edc-controlplane-memory) with dependency onto + * [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview) +* [edc-controlplane-postgresql](edc-controlplane/edc-controlplane-postgresql) with dependency onto + * [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview) + * [PostgreSQL 8.2 or newer](https://www.postgresql.org/) +* [edc-controlplane-postgresql-hashicorp-vault](edc-controlplane/edc-controlplane-postgresql-hashicorp-vault) with dependency onto + * [Hashicorp Vault](https://www.vaultproject.io/) + * [PostgreSQL 8.2 or newer](https://www.postgresql.org/) Derivatives of the Data-Plane can be found here -* [edc-dataplane](edc-dataplane) +* [edc-dataplane-azure-vault](edc-dataplane/edc-dataplane-azure-vault) with dependency onto + * [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview) +* [edc-dataplane-hashicorp-vault](edc-dataplane/edc-dataplane-hashicorp-vault) with dependency onto + * [Hashicorp Vault](https://www.vaultproject.io/) ## Prerequisites diff --git a/checkov.yaml b/checkov.yaml new file mode 100644 index 000000000..5f5d0d107 --- /dev/null +++ b/checkov.yaml 
@@ -0,0 +1,9 @@ +--- +skip-check: + - CKV_K8S_10 # CPU requests should be set, https://docs.bridgecrew.io/docs/bc_k8s_9 + - CKV_K8S_11 # CPU limits should be set, https://docs.bridgecrew.io/docs/bc_k8s_10 + - CKV_K8S_12 # Memory requests should be set, https://docs.bridgecrew.io/docs/bc_k8s_11 + - CKV_K8S_13 # Memory limits should be set, https://docs.bridgecrew.io/docs/bc_k8s_12 + - CKV_K8S_15 # Image Pull Policy should be Always, https://docs.bridgecrew.io/docs/bc_k8s_14 + - CKV_K8S_21 # The default namespace should not be used, https://docs.bridgecrew.io/docs/bc_k8s_20 + - CKV_K8S_43 # Image should use digest, https://docs.bridgecrew.io/docs/bc_k8s_39 diff --git a/deployment/helm/README.md b/deployment/helm/README.md index 895b9eb2e..111df59d1 100644 --- a/deployment/helm/README.md +++ b/deployment/helm/README.md @@ -9,5 +9,5 @@ Configuration files for [CT](../../ct.yaml), [Yamale](../../chart_schema.yaml) a To generate chart README.md files from its respective values.yaml file we use the [helm-docs tool](https://github.com/norwoodj/helm-docs): ```shell -docker run --rm --volume "$(pwd):/helm-docs" -u $(id -u) jnorwood/helm-docs:latest +docker run --rm --volume "$(pwd):/helm-docs" -u $(id -u) jnorwood/helm-docs:v1.10.0 ``` diff --git a/deployment/helm/edc-controlplane/.helmignore b/deployment/helm/edc-controlplane/.helmignore index 0e8a0eb36..00ca644b2 100644 --- a/deployment/helm/edc-controlplane/.helmignore +++ b/deployment/helm/edc-controlplane/.helmignore @@ -21,3 +21,5 @@ .idea/ *.tmproj .vscode/ + +README.md.gotmpl diff --git a/deployment/helm/edc-controlplane/Chart.yaml b/deployment/helm/edc-controlplane/Chart.yaml index 95772effe..937f3da53 100644 --- a/deployment/helm/edc-controlplane/Chart.yaml +++ b/deployment/helm/edc-controlplane/Chart.yaml 
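Review bot: The new `skip-check` list disables the CPU/memory request and limit checks (CKV_K8S_10–13), the image-digest check (CKV_K8S_43) and the pull-policy check (CKV_K8S_15) for the whole repository, with only the check's description as the comment, so the reason for each suppression and how long it is meant to stay are not recorded; add a justification per entry, e.g. `- CKV_K8S_43 # Image should use digest; images are released by version tag, digest pinning is a follow-up`. Skipping the resource-limit checks globally means a chart that ships without limits passes the scan, which is exactly what these checks exist to catch; if the charts do set sane defaults (I cannot see values.yaml in this view), a per-resource `checkov:skip=` annotation in the template documents the exception where it applies instead of blanket-disabling the rule. CKV_K8S_21 (default namespace) is plausibly a false positive for a chart whose namespace is chosen at install time, and that is worth stating in its comment so the skip is not mistaken for an accepted risk.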
@@ -5,6 +5,6 @@ description: >- EDC Control-Plane - The Eclipse DataSpaceConnector administration layer with responsibility of resource management and govern contracts and data transfers home: https://github.com/catenax-ng/product-edc/deployment/helm/edc-controlplane type: application -appVersion: "0.0.3" -version: 0.0.3 +appVersion: "0.0.4" +version: 0.0.4 maintainers: [] diff --git a/deployment/helm/edc-controlplane/README.md b/deployment/helm/edc-controlplane/README.md index b4003b326..14f891d77 100644 --- a/deployment/helm/edc-controlplane/README.md +++ b/deployment/helm/edc-controlplane/README.md @@ -1,6 +1,6 @@ # edc-controlplane -![Version: 0.0.1](https://img.shields.io/badge/Version-0.0.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.1](https://img.shields.io/badge/AppVersion-0.0.1-informational?style=flat-square) +![Version: 0.0.4](https://img.shields.io/badge/Version-0.0.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.4](https://img.shields.io/badge/AppVersion-0.0.4-informational?style=flat-square) EDC Control-Plane - The Eclipse DataSpaceConnector administration layer with responsibility of resource management and govern contracts and data transfers @@ -9,7 +9,7 @@ EDC Control-Plane - The Eclipse DataSpaceConnector administration layer with res ## TL;DR ```shell $ helm repo add catenax-ng-product-edc https://catenax-ng.github.io/product-edc -$ helm install my-release catenax-ng-product-edc/edc-controlplane +$ helm install my-release catenax-ng-product-edc/edc-controlplane --version 0.0.4 ``` ## Values 
@@ -17,12 +17,13 @@ $ helm install my-release catenax-ng-product-edc/edc-controlplane | Key | Type | Default | Description | |-----|------|---------|-------------| | affinity | object | `{}` | [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) constrains which nodes the Pod can be scheduled on based on node labels. | +| automountServiceAccountToken | bool | `false` | Whether to [automount kubernetes API credentials](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server) into the pod | | autoscaling.enabled | bool | `false` | Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) | | autoscaling.maxReplicas | int | `100` | Maximum replicas if resource consumption exceeds resource threshholds | | autoscaling.minReplicas | int | `1` | Minimal replicas if resource consumption falls below resource threshholds | | autoscaling.targetCPUUtilizationPercentage | int | `80` | targetAverageUtilization of cpu provided to a pod | | autoscaling.targetMemoryUtilizationPercentage | int | `80` | targetAverageUtilization of memory provided to a pod | -| configuration.properties | string | `"# edc.api.auth.key=\n# edc.api.control.auth.apikey.key=\n# edc.api.control.auth.apikey.value=\n# edc.assetindex.cosmos.account-name=\n# edc.assetindex.cosmos.container-name=\n# edc.assetindex.cosmos.database-name=\n# edc.assetindex.cosmos.preferred-region=\n# edc.atomikos.checkpoint.interval=\n# edc.atomikos.directory=\n# edc.atomikos.logging=\n# edc.atomikos.threaded2pc=\n# edc.atomikos.timeout=\n# edc.aws.access.key=\n# edc.aws.provision.retry.retries.max=\n# edc.aws.provision.role.duration.session.max=\n# edc.aws.secret.access.key=\n# edc.blobstore.endpoint=\n# edc.contractdefinitionstore.cosmos.account-name=\n# 
edc.contractdefinitionstore.cosmos.container-name=\n# edc.contractdefinitionstore.cosmos.database-name=\n# edc.contractdefinitionstore.cosmos.preferred-region=\n# edc.contractnegotiationstore.cosmos.account-name=\n# edc.contractnegotiationstore.cosmos.container-name=\n# edc.contractnegotiationstore.cosmos.database-name=\n# edc.contractnegotiationstore.cosmos.preferred-region=\n# edc.controlplane.validation-endpoint=\n# edc.core.retry.backoff.max=\n# edc.core.retry.backoff.min=\n# edc.core.retry.retries.max=\n# edc.core.system.health.check.liveness-period=\n# edc.core.system.health.check.readiness-period=\n# edc.core.system.health.check.startup-period=\n# edc.core.system.health.check.threadpool-size=\n# edc.cosmos.partition-key=\n# edc.cosmos.query-metrics-enabled=\n# edc.dataplane.queue.capacity=\n# edc.dataplane.wait=\n# edc.dataplane.workers=\n# edc.datasource.asset.name=\"default\"\n# edc.datasource.contractdefinition.name=\"default\"\n# edc.datasource.contractnegotiation.name=\"default\"\n# edc.datasource.policy.name=\"default\"\n# edc.datasource.transferprocess.name=\"default\"\n# edc.datasource.default.pool.maxIdleConnections=\n# edc.datasource.default.pool.maxTotalConnections=\n# edc.datasource.default.pool.minIdleConnections=\n# edc.datasource.default.pool.testConnectionOnBorrow=\n# edc.datasource.default.pool.testConnectionOnCreate=\n# edc.datasource.default.pool.testConnectionOnReturn=\n# edc.datasource.default.pool.testConnectionWhileIdle=\n# edc.datasource.default.pool.testQuery=\n# edc.datasource.default.url=\n# edc.datasource.default.user=\n# edc.datasource.default.password=\n# edc.dpf.selector.url=\n# edc.events.topic.endpoint=\n# edc.events.topic.name=\n# edc.fs.config=\n# edc.hostname=\n# edc.identity.did.url=\n# edc.ids.catalog.id=\n# edc.ids.curator=\n# edc.ids.description=\n# edc.ids.endpoint=\n# edc.ids.id=\n# edc.ids.maintainer=\n# edc.ids.security.profile=\n# edc.ids.title=\n# edc.ids.validation.referringconnector=\n# 
edc.ion.crawler.did-type=\n# edc.ion.crawler.interval-minutes=\n# edc.ion.crawler.ion.url=\n# edc.metrics.enabled=\n# edc.metrics.executor.enabled=\n# edc.metrics.jersey.enabled=\n# edc.metrics.jetty.enabled=\n# edc.metrics.okhttp.enabled=\n# edc.metrics.system.enabled=\n# edc.negotiation.consumer.state-machine.batch-size=\n# edc.negotiation.provider.state-machine.batch-size=\n# edc.node.directory.cosmos.account.name=\n# edc.node.directory.cosmos.container.name=\n# edc.node.directory.cosmos.database.name=\n# edc.node.directory.cosmos.preferred.region=\n# edc.oauth.client.id=\n# edc.oauth.private.key.alias=\n# edc.oauth.provider.audience=\n# edc.oauth.provider.jwks.refresh=\n# edc.oauth.provider.jwks.url=\n# edc.oauth.public.key.alias=\n# edc.oauth.token.url=\n# edc.oauth.validation.nbf.leeway=\n# edc.receiver.http.auth-code=\n# edc.receiver.http.auth-key=\n# edc.receiver.http.endpoint=\n# edc.transfer.proxy.endpoint=\n# edc.transfer.dataplane.sync.token.validity=\n# edc.transfer.proxy.token.signer.privatekey.alias=\n# edc.transfer.functions.check.endpoint=\n# edc.transfer.functions.enabled.protocols=\n# edc.transfer.functions.transfer.endpoint=\n# edc.transfer-process-store.cosmos.account.name=\n# edc.transfer-process-store.cosmos.container-name=\n# edc.transfer-process-store.cosmos.preferred-region=\n# edc.transfer-process-store.database.name=\n# edc.transfer.state-machine.batch-size=\n# edc.vault=\n# edc.vault.certificate=\n# edc.vault.clientid=\n# edc.vault.clientsecret=\n# edc.vault.name=\n# edc.vault.tenantid=\n# edc.webdid.doh.url=\n# edc.web.rest.cors.enabled=\n# edc.web.rest.cors.headers=\n# edc.web.rest.cors.methods=\n# edc.web.rest.cors.origins="` | EDC configuration.properties configuring aspects of the [eclipse-dataspaceconnector](https://github.com/eclipse-dataspaceconnector/DataSpaceConnector) | +| configuration.properties | string | `"# edc.api.auth.key=\n# edc.atomikos.checkpoint.interval=\n# edc.atomikos.directory=\n# edc.atomikos.logging=\n# 
edc.atomikos.threaded2pc=\n# edc.atomikos.timeout=\n# edc.aws.access.key=\n# edc.aws.provision.retry.retries.max=\n# edc.aws.provision.role.duration.session.max=\n# edc.aws.secret.access.key=\n# edc.blobstore.endpoint=\n# edc.controlplane.validation-endpoint=\n# edc.core.retry.backoff.max=\n# edc.core.retry.backoff.min=\n# edc.core.retry.retries.max=\n# edc.core.system.health.check.liveness-period=\n# edc.core.system.health.check.readiness-period=\n# edc.core.system.health.check.startup-period=\n# edc.core.system.health.check.threadpool-size=\n# edc.dataplane.queue.capacity=\n# edc.dataplane.wait=\n# edc.dataplane.workers=\n# edc.datasource.asset.name=\"default\"\n# edc.datasource.contractdefinition.name=\"default\"\n# edc.datasource.contractnegotiation.name=\"default\"\n# edc.datasource.policy.name=\"default\"\n# edc.datasource.transferprocess.name=\"default\"\n# edc.datasource.default.pool.maxIdleConnections=\n# edc.datasource.default.pool.maxTotalConnections=\n# edc.datasource.default.pool.minIdleConnections=\n# edc.datasource.default.pool.testConnectionOnBorrow=\n# edc.datasource.default.pool.testConnectionOnCreate=\n# edc.datasource.default.pool.testConnectionOnReturn=\n# edc.datasource.default.pool.testConnectionWhileIdle=\n# edc.datasource.default.pool.testQuery=\n# edc.datasource.default.url=\n# edc.datasource.default.user=\n# edc.datasource.default.password=\n# edc.dpf.selector.url=\n# edc.events.topic.endpoint=\n# edc.events.topic.name=\n# edc.fs.config=\n# edc.hostname=\n# edc.identity.did.url=\n# edc.ids.catalog.id=\n# edc.ids.curator=\n# edc.ids.description=\n# edc.ids.endpoint=\n# edc.ids.id=\n# edc.ids.maintainer=\n# edc.ids.security.profile=\n# edc.ids.title=\n# edc.ids.validation.referringconnector=\n# edc.ion.crawler.did-type=\n# edc.ion.crawler.interval-minutes=\n# edc.ion.crawler.ion.url=\n# edc.metrics.enabled=\n# edc.metrics.executor.enabled=\n# edc.metrics.jersey.enabled=\n# edc.metrics.jetty.enabled=\n# edc.metrics.okhttp.enabled=\n# 
edc.metrics.system.enabled=\n# edc.negotiation.consumer.state-machine.batch-size=\n# edc.negotiation.provider.state-machine.batch-size=\n# edc.oauth.client.id=\n# edc.oauth.private.key.alias=\n# edc.oauth.provider.audience=\n# edc.oauth.provider.jwks.refresh=\n# edc.oauth.provider.jwks.url=\n# edc.oauth.public.key.alias=\n# edc.oauth.token.url=\n# edc.oauth.validation.nbf.leeway=\n# edc.receiver.http.auth-code=\n# edc.receiver.http.auth-key=\n# edc.receiver.http.endpoint=\n# edc.transfer.proxy.endpoint=\n# edc.transfer.dataplane.sync.token.validity=\n# edc.transfer.proxy.token.signer.privatekey.alias=\n# edc.transfer.functions.check.endpoint=\n# edc.transfer.functions.enabled.protocols=\n# edc.transfer.functions.transfer.endpoint=\n# edc.transfer-process-store.database.name=\n# edc.transfer.state-machine.batch-size=\n# edc.vault=\n# edc.vault.certificate=\n# edc.vault.clientid=\n# edc.vault.clientsecret=\n# edc.vault.name=\n# edc.vault.tenantid=\n# edc.vault.hashicorp.url=\n# edc.vault.hashicorp.token=\n# edc.vault.hashicorp.timeout.seconds=\n# edc.webdid.doh.url=\n# edc.web.rest.cors.enabled=\n# edc.web.rest.cors.headers=\n# edc.web.rest.cors.methods=\n# edc.web.rest.cors.origins="` | EDC configuration.properties configuring aspects of the [eclipse-dataspaceconnector](https://github.com/eclipse-dataspaceconnector/DataSpaceConnector) | | edc.endpoints.control.path | string | `"/api/controlplane/control"` | The path mapping the "control" api is going to be exposed at | | edc.endpoints.control.port | string | `"9999"` | The network port, which the "control" api is going to be exposed by the container, pod and service | | edc.endpoints.data.path | string | `"/data"` | The path mapping the "data" management api is going to be exposed at | 
@@ -38,7 +39,7 @@ $ helm install my-release catenax-ng-product-edc/edc-controlplane
 | env | object | `{}` | Container environment variables e.g. for configuring [JAVA_TOOL_OPTIONS](https://docs.oracle.com/javase/8/docs/technotes/guides/troubleshoot/envvars002.html) Ex.: JAVA_TOOL_OPTIONS: > -Dhttp.proxyHost=proxy -Dhttp.proxyPort=80 -Dhttp.nonProxyHosts="localhost|127.*|[::1]" -Dhttps.proxyHost=proxy -Dhttps.proxyPort=443 |
 | fullnameOverride | string | `""` | Overrides the releases full name |
 | image.pullPolicy | string | `"IfNotPresent"` | [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use |
-| image.repository | string | `"ghcr.io/catenax-ng/product-edc/edc-controlplane-memory"` | Which derivate of the edc controlplane to use. One of: [ghcr.io/catenax-ng/product-edc/edc-controlplane-memory, , ghcr.io/catenax-ng/product-edc/edc-controlplane-postgresql, ghcr.io/catenax-ng/product-edc/edc-controlplane-cosmosdb] |
+| image.repository | string | `"ghcr.io/catenax-ng/product-edc/edc-controlplane-postgresql-hashicorp-vault"` | Which derivate of the edc control-plane to use. One of: [ghcr.io/catenax-ng/product-edc/edc-controlplane-postgresql-hashicorp-vault, ghcr.io/catenax-ng/product-edc/edc-controlplane-postgresql, ghcr.io/catenax-ng/product-edc/edc-controlplane-memory] |
 | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
 | imagePullSecret.dockerconfigjson | string | `""` | Image pull secret to create to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) Note: This value needs to adhere to the [(base64 encoded) .dockerconfigjson format](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#registry-secret-existing-credentials). Furthermore, if 'imagePullSecret.dockerconfigjson' is defined, it takes precedence over 'imagePullSecrets'. |
 | imagePullSecrets | list | `[]` | Existing image pull secret to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) |
@@ -64,17 +65,26 @@ $ helm install my-release catenax-ng-product-edc/edc-controlplane
 | nodeSelector | object | `{}` | [Node-Selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain the Pod to nodes with specific labels. |
 | opentelemetry.properties | string | `"otel.javaagent.enabled=true\notel.javaagent.debug=false"` | opentelemetry.properties configuring the [opentelemetry agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) |
 | podAnnotations | object | `{}` | [Annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) added to deployed [pods](https://kubernetes.io/docs/concepts/workloads/pods/) |
-| podSecurityContext | object | `{}` | The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment |
+| podSecurityContext.fsGroup | int | `10001` | The owner for volumes and any files created within volumes will belong to this guid |
+| podSecurityContext.runAsGroup | int | `10001` | Processes within a pod will belong to this guid |
+| podSecurityContext.runAsUser | int | `10001` | Runs all processes within a pod with a special uid |
+| podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | Restrict a Container's Syscalls with seccomp |
 | readinessProbe.enabled | bool | `true` | Whether to enable kubernetes readiness-probes |
 | replicaCount | int | `1` | Specifies how many replicas of a deployed pod shall be created during the deployment Note: If horizontal pod autoscaling is enabled this setting has no effect |
 | resources | object | `{}` | [Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) applied to the deployed pod |
+| securityContext.allowPrivilegeEscalation | bool | `false` | Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID |
+| securityContext.capabilities.add | list | `[]` | Specifies which capabilities to add to issue specialized syscalls |
+| securityContext.capabilities.drop | list | `["ALL"]` | Specifies which capabilities to drop to reduce syscall attack surface |
+| securityContext.readOnlyRootFilesystem | bool | `true` | Whether the root filesystem is mounted in read-only mode |
 | securityContext.runAsNonRoot | bool | `true` | Requires the container to run without root privileges |
-| securityContext.runAsUser | int | `1000` | The container's process will run with the specified uid |
+| securityContext.runAsUser | int | `10001` | The container's process will run with the specified uid |
 | service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. |
 | serviceAccount.annotations | object | `{}` | [Annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) to add to the service account |
 | serviceAccount.create | bool | `true` | Specifies whether a [service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) should be created per release |
 | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the release's fullname template |
 | startupProbe.enabled | bool | `true` | Whether to enable kubernetes startup-probes |
+| startupProbe.failureThreshold | int | `12` | Minimum consecutive failures for the probe to be considered failed after having succeeded |
+| startupProbe.initialDelaySeconds | int | `10` | Number of seconds after the container has started before liveness probes are initiated. |
 | tolerations | list | `[]` | [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) are applied to Pods to schedule onto nodes with matching taints. |
 ----------------------------------------------
diff --git a/deployment/helm/edc-controlplane/README.md.gotmpl b/deployment/helm/edc-controlplane/README.md.gotmpl
index 95c28338e..429dd5bf2 100644
--- a/deployment/helm/edc-controlplane/README.md.gotmpl
+++ b/deployment/helm/edc-controlplane/README.md.gotmpl
@@ -11,7 +11,7 @@
 ## TL;DR
 ```shell
 $ helm repo add catenax-ng-product-edc https://catenax-ng.github.io/product-edc
-$ helm install my-release catenax-ng-product-edc/edc-controlplane
+$ helm install my-release catenax-ng-product-edc/edc-controlplane --version {{ .Version }}
 ```
 {{ template "chart.maintainersSection" . }}
diff --git a/deployment/helm/edc-controlplane/templates/configmap-env.yaml b/deployment/helm/edc-controlplane/templates/configmap-env.yaml
index f7f63f709..b457973b8 100644
--- a/deployment/helm/edc-controlplane/templates/configmap-env.yaml
+++ b/deployment/helm/edc-controlplane/templates/configmap-env.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
 name: {{ include "edc-controlplane.fullname" . }}-env
+ namespace: {{ .Release.Namespace | default "default" | quote }}
 labels:
 {{- include "edc-controlplane.labels" . | nindent 4 }}
 data:
diff --git a/deployment/helm/edc-controlplane/templates/configmap.yaml b/deployment/helm/edc-controlplane/templates/configmap.yaml
index 34a745bfa..a2a200919 100644
--- a/deployment/helm/edc-controlplane/templates/configmap.yaml
+++ b/deployment/helm/edc-controlplane/templates/configmap.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
 name: {{ include "edc-controlplane.fullname" . }}-configmap
+ namespace: {{ .Release.Namespace | default "default" | quote }}
 labels:
 {{- include "edc-controlplane.labels" . | nindent 4 }}
 data:
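Review bot: The `| default "default"` fallback in the added `namespace:` line can never fire, because Helm populates `.Release.Namespace` for every render (it falls back to `default` itself when no `--namespace` is given), so the pipe only adds noise to a line that is otherwise a good change. `namespace: {{ .Release.Namespace | quote }}` expresses the same intent. The identical construct is repeated in the configmap.yaml, deployment.yaml, hpa.yaml, imagepullsecret.yaml, ingress.yaml, service.yaml and serviceaccount.yaml hunks that follow, so whichever form is kept should be applied to all of them together.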
diff --git a/deployment/helm/edc-controlplane/templates/deployment.yaml b/deployment/helm/edc-controlplane/templates/deployment.yaml
index 7eb27a307..8b69aac9f 100644
--- a/deployment/helm/edc-controlplane/templates/deployment.yaml
+++ b/deployment/helm/edc-controlplane/templates/deployment.yaml
@@ -3,6 +3,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: {{ include "edc-controlplane.fullname" . }}
+ namespace: {{ .Release.Namespace | default "default" | quote }}
 labels:
 {{- include "edc-controlplane.labels" . | nindent 4 }}
 spec:
@@ -33,6 +34,7 @@ spec:
 {{- end }}
 {{- end }}
 serviceAccountName: {{ include "edc-controlplane.serviceAccountName" . }}
+ automountServiceAccountToken: {{ if .Values.automountServiceAccountToken }}true{{ else }}false{{ end }}
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
 containers:
@@ -77,8 +79,8 @@ spec:
 httpGet:
 path: {{ .Values.edc.endpoints.default.path }}/check/startup
 port: default
- failureThreshold: 12
- initialDelaySeconds: 10
+ failureThreshold: {{ .Values.startupProbe.failureThreshold }}
+ initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }}
 {{- end }}
 envFrom:
 - configMapRef:
diff --git a/deployment/helm/edc-controlplane/templates/hpa.yaml b/deployment/helm/edc-controlplane/templates/hpa.yaml
index 0881a3ce2..ae80f5dc9 100644
--- a/deployment/helm/edc-controlplane/templates/hpa.yaml
+++ b/deployment/helm/edc-controlplane/templates/hpa.yaml
@@ -4,6 +4,7 @@ apiVersion: autoscaling/v2beta1
 kind: HorizontalPodAutoscaler
 metadata:
 name: {{ include "edc-controlplane.fullname" . }}
+ namespace: {{ .Release.Namespace | default "default" | quote }}
 labels:
 {{- include "edc-controlplane.labels" . | nindent 4 }}
 spec:
diff --git a/deployment/helm/edc-controlplane/templates/imagepullsecret.yaml b/deployment/helm/edc-controlplane/templates/imagepullsecret.yaml
index 663efd28a..caedb0710 100644
--- a/deployment/helm/edc-controlplane/templates/imagepullsecret.yaml
+++ b/deployment/helm/edc-controlplane/templates/imagepullsecret.yaml
@@ -4,6 +4,7 @@ apiVersion: v1
 kind: Secret
 metadata:
 name: {{ include "edc-controlplane.fullname" . }}-imagepullsecret
+ namespace: {{ .Release.Namespace | default "default" | quote }}
 labels:
 {{- include "edc-controlplane.labels" . | nindent 4 }}
 data:
diff --git a/deployment/helm/edc-controlplane/templates/ingress.yaml b/deployment/helm/edc-controlplane/templates/ingress.yaml
index f395970ff..e2586a7fc 100644
--- a/deployment/helm/edc-controlplane/templates/ingress.yaml
+++ b/deployment/helm/edc-controlplane/templates/ingress.yaml
@@ -2,6 +2,7 @@
 {{- $labels := include "edc-controlplane.labels" . | nindent 4 }}
 {{- $gitVersion := .Capabilities.KubeVersion.GitVersion }}
 {{- $edcEndpoints := .Values.edc.endpoints }}
+{{- $namespace := .Release.Namespace }}
 {{- range .Values.ingresses }}
 {{- if and .enabled .endpoints }}
 {{- $ingressName := printf "%s-%s" $fullName .hostname }}
@@ -16,6 +17,7 @@ apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
 name: {{ $ingressName }}
+ namespace: {{ $namespace | default "default" | quote }}
 labels:
 {{- $labels | nindent 2 }}
 annotations:
diff --git a/deployment/helm/edc-controlplane/templates/service.yaml b/deployment/helm/edc-controlplane/templates/service.yaml
index 7f6dafe1c..2992c7245 100644
--- a/deployment/helm/edc-controlplane/templates/service.yaml
+++ b/deployment/helm/edc-controlplane/templates/service.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: Service
 metadata:
 name: {{ include "edc-controlplane.fullname" . }}
+ namespace: {{ .Release.Namespace | default "default" | quote }}
 labels:
 {{- include "edc-controlplane.labels" . | nindent 4 }}
 spec:
diff --git a/deployment/helm/edc-controlplane/templates/serviceaccount.yaml b/deployment/helm/edc-controlplane/templates/serviceaccount.yaml
index 66568118b..0e15335ae 100644
--- a/deployment/helm/edc-controlplane/templates/serviceaccount.yaml
+++ b/deployment/helm/edc-controlplane/templates/serviceaccount.yaml
@@ -4,6 +4,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: {{ include "edc-controlplane.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace | default "default" | quote }}
 labels:
 {{- include "edc-controlplane.labels" . | nindent 4 }}
 {{- with .Values.serviceAccount.annotations }}
diff --git a/deployment/helm/edc-controlplane/values.yaml b/deployment/helm/edc-controlplane/values.yaml
index 3be6dd27e..a13f729b1 100644
--- a/deployment/helm/edc-controlplane/values.yaml
+++ b/deployment/helm/edc-controlplane/values.yaml
@@ -8,9 +8,9 @@ replicaCount: 1
 image:
- # -- Which derivate of the edc controlplane to use.
- # One of: [ghcr.io/catenax-ng/product-edc/edc-controlplane-memory, , ghcr.io/catenax-ng/product-edc/edc-controlplane-postgresql, ghcr.io/catenax-ng/product-edc/edc-controlplane-cosmosdb]
- repository: ghcr.io/catenax-ng/product-edc/edc-controlplane-memory
+ # -- Which derivate of the edc control-plane to use.
+ # One of: [ghcr.io/catenax-ng/product-edc/edc-controlplane-postgresql-hashicorp-vault, ghcr.io/catenax-ng/product-edc/edc-controlplane-postgresql, ghcr.io/catenax-ng/product-edc/edc-controlplane-memory]
+ repository: ghcr.io/catenax-ng/product-edc/edc-controlplane-postgresql-hashicorp-vault
 # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use
 pullPolicy: IfNotPresent
 # -- Overrides the image tag whose default is the chart appVersion.
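Review bot: The ServiceAccount gains an explicit namespace here but still carries no `automountServiceAccountToken` field, while this same commit wires `automountServiceAccountToken: false` into the Deployment's pod spec; the pod-level setting is the one that wins for pods of this chart, but any other workload bound to this account still receives a projected API token under the API default. Mirroring the value on the account, `automountServiceAccountToken: {{ if .Values.automountServiceAccountToken }}true{{ else }}false{{ end }}` at the top level next to `metadata:`, closes that gap at no cost. The template's body beyond the shown hunk is not visible, so confirm it does not already set the field.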
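Review bot: The new default `image.repository` selects the postgresql-hashicorp-vault derivate, but the chart's `configuration.properties` still ships with `edc.datasource.default.url` and the newly added `edc.vault.hashicorp.url` / `edc.vault.hashicorp.token` keys commented out (hunks further down), so a bare `helm install` with default values presumably no longer produces a running control-plane, whereas the previous `-memory` default needed no external services. The `# --` comment on `repository` should name that prerequisite, for example `# Note: the default derivate needs a reachable PostgreSQL and HashiCorp Vault configured via edc.datasource.default.* and edc.vault.hashicorp.* in configuration.properties`. The same switch is made for the edc-dataplane chart in the README rows below; its values.yaml is outside this chunk.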
@@ -39,25 +39,40 @@ serviceAccount:
 # -- The name of the service account to use. If not set and create is true, a name is generated using the release's fullname template
 name: ""
+# -- Whether to [automount kubernetes API credentials](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server) into the pod
+automountServiceAccountToken: false
+
 # -- [Annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) added to deployed [pods](https://kubernetes.io/docs/concepts/workloads/pods/)
 podAnnotations: {}
-# -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment
-podSecurityContext: {}
- # runAsUser: 1000
- # runAsGroup: 3000
- # fsGroup: 2000
+# The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment
+podSecurityContext:
+ seccompProfile:
+ # -- Restrict a Container's Syscalls with seccomp
+ type: RuntimeDefault
+ # -- Runs all processes within a pod with a special uid
+ runAsUser: 10001
+ # -- Processes within a pod will belong to this guid
+ runAsGroup: 10001
+ # -- The owner for volumes and any files created within volumes will belong to this guid
+ fsGroup: 10001
 # The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod
 securityContext:
- # capabilities:
- # drop:
- # - ALL
- # readOnlyRootFilesystem: true
+ capabilities:
+ # -- Specifies which capabilities to drop to reduce syscall attack surface
+ drop:
+ - ALL
+ # -- Specifies which capabilities to add to issue specialized syscalls
+ add: []
+ # -- Whether the root filesystem is mounted in read-only mode
+ readOnlyRootFilesystem: true
+ # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID
+ allowPrivilegeEscalation: false
 # -- Requires the container to run without root privileges
 runAsNonRoot: true
 # -- The container's process will run with the specified uid
- runAsUser: 1000
+ runAsUser: 10001
 livenessProbe:
 # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)
@@ -70,6 +85,10 @@ readinessProbe:
 startupProbe:
 # -- Whether to enable kubernetes startup-probes
 enabled: true
+ # -- Minimum consecutive failures for the probe to be considered failed after having succeeded
+ failureThreshold: 12
+ # -- Number of seconds after the container has started before liveness probes are initiated.
+ initialDelaySeconds: 10
 ## EDC endpoints exposed by the control-plane
 edc:
@@ -219,12 +238,6 @@ configuration:
 # -- EDC configuration.properties configuring aspects of the [eclipse-dataspaceconnector](https://github.com/eclipse-dataspaceconnector/DataSpaceConnector)
 properties: |-
 # edc.api.auth.key=
- # edc.api.control.auth.apikey.key=
- # edc.api.control.auth.apikey.value=
- # edc.assetindex.cosmos.account-name=
- # edc.assetindex.cosmos.container-name=
- # edc.assetindex.cosmos.database-name=
- # edc.assetindex.cosmos.preferred-region=
 # edc.atomikos.checkpoint.interval=
 # edc.atomikos.directory=
 # edc.atomikos.logging=
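Review bot: The two new `# --` comments on `runAsGroup` and `fsGroup` say "guid" where a group id is meant, and helm-docs copies them verbatim into the README rows for `podSecurityContext.runAsGroup` and `podSecurityContext.fsGroup` shown earlier in this diff; `# -- Processes within a pod will belong to this gid` and `# -- The owner for volumes and any files created within volumes will belong to this gid` fix both places on the next docs run. The `allowPrivilegeEscalation` comment links to the PodSecurityPolicy page, a deprecated API, whereas the sibling comments already point at the security-context page that documents the same field. Since `readOnlyRootFilesystem: true` now becomes the default, any scratch path the image writes to (for a JVM workload typically a temp directory) needs an emptyDir mount; the deployment's volume section is outside this diff, so that is worth confirming before release.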
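Review bot: The new comment on `startupProbe.initialDelaySeconds` says "before liveness probes are initiated", but the value is consumed by the startup probe in deployment.yaml (`initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }}`), and helm-docs lifts the sentence unchanged into the README row shown earlier. `# -- Number of seconds after the container has started before the startup probe is initiated.` describes what the value actually does. The edc-dataplane README rows further down carry the same wording, so its values.yaml (not in this chunk) presumably has the same comment to fix.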
@@ -235,15 +248,6 @@ configuration:
 # edc.aws.provision.role.duration.session.max=
 # edc.aws.secret.access.key=
 # edc.blobstore.endpoint=
- # edc.contractdefinitionstore.cosmos.account-name=
- # edc.contractdefinitionstore.cosmos.container-name=
- # edc.contractdefinitionstore.cosmos.database-name=
- # edc.contractdefinitionstore.cosmos.preferred-region=
- # edc.contractnegotiationstore.cosmos.account-name=
- # edc.contractnegotiationstore.cosmos.container-name=
- # edc.contractnegotiationstore.cosmos.database-name=
- # edc.contractnegotiationstore.cosmos.preferred-region=
- # edc.contractnegotiationstore.cosmos.allow.sproc.autoupload=
 # edc.controlplane.validation-endpoint=
 # edc.core.retry.backoff.max=
 # edc.core.retry.backoff.min=
@@ -252,8 +256,6 @@ configuration:
 # edc.core.system.health.check.readiness-period=
 # edc.core.system.health.check.startup-period=
 # edc.core.system.health.check.threadpool-size=
- # edc.cosmos.partition-key=
- # edc.cosmos.query-metrics-enabled=
 # edc.dataplane.queue.capacity=
 # edc.dataplane.wait=
 # edc.dataplane.workers=
@@ -299,10 +301,6 @@ configuration:
 # edc.metrics.system.enabled=
 # edc.negotiation.consumer.state-machine.batch-size=
 # edc.negotiation.provider.state-machine.batch-size=
- # edc.node.directory.cosmos.account.name=
- # edc.node.directory.cosmos.container.name=
- # edc.node.directory.cosmos.database.name=
- # edc.node.directory.cosmos.preferred.region=
 # edc.oauth.client.id=
 # edc.oauth.private.key.alias=
 # edc.oauth.provider.audience=
@@ -320,10 +318,6 @@ configuration:
 # edc.transfer.functions.check.endpoint=
 # edc.transfer.functions.enabled.protocols=
 # edc.transfer.functions.transfer.endpoint=
- # edc.transfer-process-store.cosmos.account.name=
- # edc.transfer-process-store.cosmos.container-name=
- # edc.transfer-process-store.cosmos.preferred-region=
- # edc.transfer-process-store.cosmos.allow.sproc.autoupload=
 # edc.transfer-process-store.database.name=
 # edc.transfer.state-machine.batch-size=
 # edc.vault=
@@ -332,6 +326,9 @@ configuration:
 # edc.vault.clientsecret=
 # edc.vault.name=
 # edc.vault.tenantid=
+ # edc.vault.hashicorp.url=
+ # edc.vault.hashicorp.token=
+ # edc.vault.hashicorp.timeout.seconds=
 # edc.webdid.doh.url=
 # edc.web.rest.cors.enabled=
 # edc.web.rest.cors.headers=
diff --git a/deployment/helm/edc-dataplane/.helmignore b/deployment/helm/edc-dataplane/.helmignore
index 0e8a0eb36..00ca644b2 100644
--- a/deployment/helm/edc-dataplane/.helmignore
+++ b/deployment/helm/edc-dataplane/.helmignore
@@ -21,3 +21,5 @@
 .idea/
 *.tmproj
 .vscode/
+
+README.md.gotmpl
diff --git a/deployment/helm/edc-dataplane/Chart.yaml b/deployment/helm/edc-dataplane/Chart.yaml
index 17af89ecb..646da1999 100644
--- a/deployment/helm/edc-dataplane/Chart.yaml
+++ b/deployment/helm/edc-dataplane/Chart.yaml
@@ -5,6 +5,6 @@ description: >-
 EDC Data-Plane - The Eclipse DataSpaceConnector data layer with responsibility of transferring and receiving data streams
 home: https://github.com/catenax-ng/product-edc/deployment/helm/edc-dataplane
 type: application
-appVersion: "0.0.3"
-version: 0.0.3
+appVersion: "0.0.4"
+version: 0.0.4
 maintainers: []
diff --git a/deployment/helm/edc-dataplane/README.md b/deployment/helm/edc-dataplane/README.md
index 1b634fa17..7f18a8705 100644
--- a/deployment/helm/edc-dataplane/README.md
+++ b/deployment/helm/edc-dataplane/README.md
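Review bot: `edc.vault.hashicorp.token` is introduced as a key of `configuration.properties`, and that block appears to be what configmap.yaml renders (its `data:` body lies outside the shown hunk, so this is inferred); filling it in there would place a long-lived Vault token in a ConfigMap in clear text, beside the already-present `edc.datasource.default.password` and `edc.vault.clientsecret`. A hint in the commented template, `# edc.vault.hashicorp.token= (secret: supply via a Secret-backed env var, not this ConfigMap)`, keeps operators from pasting it here. Sourcing the property from a Kubernetes Secret would be the proper fix, but the chart shows no such mechanism in this diff beyond the `env` value.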
@@ -1,6 +1,6 @@
 # edc-dataplane
-![Version: 0.0.1](https://img.shields.io/badge/Version-0.0.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.1](https://img.shields.io/badge/AppVersion-0.0.1-informational?style=flat-square)
+![Version: 0.0.4](https://img.shields.io/badge/Version-0.0.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.4](https://img.shields.io/badge/AppVersion-0.0.4-informational?style=flat-square)
 EDC Data-Plane - The Eclipse DataSpaceConnector data layer with responsibility of transferring and receiving data streams
@@ -9,7 +9,7 @@ EDC Data-Plane - The Eclipse DataSpaceConnector data layer with responsibility o
 ## TL;DR
 ```shell
 $ helm repo add catenax-ng-product-edc https://catenax-ng.github.io/product-edc
-$ helm install my-release catenax-ng-product-edc/edc-dataplane
+$ helm install my-release catenax-ng-product-edc/edc-dataplane --version 0.0.4
 ```
 ## Values
@@ -17,12 +17,13 @@ $ helm install my-release catenax-ng-product-edc/edc-dataplane | Key | Type | Default | Description | |-----|------|---------|-------------| | affinity | object | `{}` | [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) constrains which nodes the Pod can be scheduled on based on node labels. | +| automountServiceAccountToken | bool | `false` | Whether to [automount kubernetes API credentials](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server) into the pod | | autoscaling.enabled | bool | `false` | Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) | | autoscaling.maxReplicas | int | `100` | Maximum replicas if resource consumption exceeds resource threshholds | | autoscaling.minReplicas | int | `1` | Minimal replicas if resource consumption falls below resource threshholds | | autoscaling.targetCPUUtilizationPercentage | int | `80` | targetAverageUtilization of cpu provided to a pod | | autoscaling.targetMemoryUtilizationPercentage | int | `80` | targetAverageUtilization of memory provided to a pod | -| configuration.properties | string | `"# edc.api.control.auth.apikey.key=\n# edc.api.control.auth.apikey.value=\n# edc.assetindex.cosmos.account-name=\n# edc.assetindex.cosmos.container-name=\n# edc.assetindex.cosmos.database-name=\n# edc.assetindex.cosmos.preferred-region=\n# edc.atomikos.checkpoint.interval=\n# edc.atomikos.directory=\n# edc.atomikos.logging=\n# edc.atomikos.threaded2pc=\n# edc.atomikos.timeout=\n# edc.aws.access.key=\n# edc.aws.provision.retry.retries.max=\n# edc.aws.provision.role.duration.session.max=\n# edc.aws.secret.access.key=\n# edc.blobstore.endpoint=\n# edc.contractdefinitionstore.cosmos.account-name=\n# 
edc.contractdefinitionstore.cosmos.container-name=\n# edc.contractdefinitionstore.cosmos.database-name=\n# edc.contractdefinitionstore.cosmos.preferred-region=\n# edc.contractnegotiationstore.cosmos.account-name=\n# edc.contractnegotiationstore.cosmos.container-name=\n# edc.contractnegotiationstore.cosmos.database-name=\n# edc.contractnegotiationstore.cosmos.preferred-region=\n# edc.controlplane.validation-endpoint=\n# edc.core.retry.backoff.max=\n# edc.core.retry.backoff.min=\n# edc.core.retry.retries.max=\n# edc.core.system.health.check.liveness-period=\n# edc.core.system.health.check.readiness-period=\n# edc.core.system.health.check.startup-period=\n# edc.core.system.health.check.threadpool-size=\n# edc.cosmos.partition-key=\n# edc.cosmos.query-metrics-enabled=\n# edc.dataplane.queue.capacity=\n# edc.dataplane.wait=\n# edc.dataplane.workers=\n# edc.datasource.asset.name=\"default\"\n# edc.datasource.contractdefinition.name=\"default\"\n# edc.datasource.contractnegotiation.name=\"default\"\n# edc.datasource.policy.name=\"default\"\n# edc.datasource.transferprocess.name=\"default\"\n# edc.datasource.default.pool.maxIdleConnections=\n# edc.datasource.default.pool.maxTotalConnections=\n# edc.datasource.default.pool.minIdleConnections=\n# edc.datasource.default.pool.testConnectionOnBorrow=\n# edc.datasource.default.pool.testConnectionOnCreate=\n# edc.datasource.default.pool.testConnectionOnReturn=\n# edc.datasource.default.pool.testConnectionWhileIdle=\n# edc.datasource.default.pool.testQuery=\n# edc.datasource.default.url=\n# edc.datasource.default.user=\n# edc.datasource.default.password=\n# edc.dpf.selector.url=\n# edc.events.topic.endpoint=\n# edc.events.topic.name=\n# edc.fs.config=\n# edc.hostname=\n# edc.identity.did.url=\n# edc.ids.catalog.id=\n# edc.ids.curator=\n# edc.ids.description=\n# edc.ids.endpoint=\n# edc.ids.id=\n# edc.ids.maintainer=\n# edc.ids.security.profile=\n# edc.ids.title=\n# edc.ids.validation.referringconnector=\n# 
edc.ion.crawler.did-type=\n# edc.ion.crawler.interval-minutes=\n# edc.ion.crawler.ion.url=\n# edc.metrics.enabled=\n# edc.metrics.executor.enabled=\n# edc.metrics.jersey.enabled=\n# edc.metrics.jetty.enabled=\n# edc.metrics.okhttp.enabled=\n# edc.metrics.system.enabled=\n# edc.negotiation.consumer.state-machine.batch-size=\n# edc.negotiation.provider.state-machine.batch-size=\n# edc.node.directory.cosmos.account.name=\n# edc.node.directory.cosmos.container.name=\n# edc.node.directory.cosmos.database.name=\n# edc.node.directory.cosmos.preferred.region=\n# edc.oauth.client.id=\n# edc.oauth.private.key.alias=\n# edc.oauth.provider.audience=\n# edc.oauth.provider.jwks.refresh=\n# edc.oauth.provider.jwks.url=\n# edc.oauth.public.key.alias=\n# edc.oauth.token.url=\n# edc.oauth.validation.nbf.leeway=\n# edc.receiver.http.auth-code=\n# edc.receiver.http.auth-key=\n# edc.receiver.http.endpoint=\n# edc.transfer.proxy.endpoint=\n# edc.transfer.dataplane.sync.token.validity=\n# edc.transfer.proxy.token.signer.privatekey.alias=\n# edc.transfer.functions.check.endpoint=\n# edc.transfer.functions.enabled.protocols=\n# edc.transfer.functions.transfer.endpoint=\n# edc.transfer-process-store.cosmos.account.name=\n# edc.transfer-process-store.cosmos.container-name=\n# edc.transfer-process-store.cosmos.preferred-region=\n# edc.transfer-process-store.database.name=\n# edc.transfer.state-machine.batch-size=\n# edc.vault=\n# edc.vault.certificate=\n# edc.vault.clientid=\n# edc.vault.clientsecret=\n# edc.vault.name=\n# edc.vault.tenantid=\n# edc.webdid.doh.url=\n# edc.web.rest.cors.enabled=\n# edc.web.rest.cors.headers=\n# edc.web.rest.cors.methods=\n# edc.web.rest.cors.origins="` | EDC configuration.properties configuring aspects of the [eclipse-dataspaceconnector](https://github.com/eclipse-dataspaceconnector/DataSpaceConnector) | +| configuration.properties | string | `"# edc.atomikos.checkpoint.interval=\n# edc.atomikos.directory=\n# edc.atomikos.logging=\n# 
edc.atomikos.threaded2pc=\n# edc.atomikos.timeout=\n# edc.aws.access.key=\n# edc.aws.provision.retry.retries.max=\n# edc.aws.provision.role.duration.session.max=\n# edc.aws.secret.access.key=\n# edc.blobstore.endpoint=\n# edc.controlplane.validation-endpoint=\n# edc.core.retry.backoff.max=\n# edc.core.retry.backoff.min=\n# edc.core.retry.retries.max=\n# edc.core.system.health.check.liveness-period=\n# edc.core.system.health.check.readiness-period=\n# edc.core.system.health.check.startup-period=\n# edc.core.system.health.check.threadpool-size=\n# edc.dataplane.queue.capacity=\n# edc.dataplane.wait=\n# edc.dataplane.workers=\n# edc.datasource.asset.name=\"default\"\n# edc.datasource.contractdefinition.name=\"default\"\n# edc.datasource.contractnegotiation.name=\"default\"\n# edc.datasource.policy.name=\"default\"\n# edc.datasource.transferprocess.name=\"default\"\n# edc.datasource.default.pool.maxIdleConnections=\n# edc.datasource.default.pool.maxTotalConnections=\n# edc.datasource.default.pool.minIdleConnections=\n# edc.datasource.default.pool.testConnectionOnBorrow=\n# edc.datasource.default.pool.testConnectionOnCreate=\n# edc.datasource.default.pool.testConnectionOnReturn=\n# edc.datasource.default.pool.testConnectionWhileIdle=\n# edc.datasource.default.pool.testQuery=\n# edc.datasource.default.url=\n# edc.datasource.default.user=\n# edc.datasource.default.password=\n# edc.dpf.selector.url=\n# edc.events.topic.endpoint=\n# edc.events.topic.name=\n# edc.fs.config=\n# edc.hostname=\n# edc.identity.did.url=\n# edc.ids.catalog.id=\n# edc.ids.curator=\n# edc.ids.description=\n# edc.ids.endpoint=\n# edc.ids.id=\n# edc.ids.maintainer=\n# edc.ids.security.profile=\n# edc.ids.title=\n# edc.ids.validation.referringconnector=\n# edc.ion.crawler.did-type=\n# edc.ion.crawler.interval-minutes=\n# edc.ion.crawler.ion.url=\n# edc.metrics.enabled=\n# edc.metrics.executor.enabled=\n# edc.metrics.jersey.enabled=\n# edc.metrics.jetty.enabled=\n# edc.metrics.okhttp.enabled=\n# 
edc.metrics.system.enabled=\n# edc.negotiation.consumer.state-machine.batch-size=\n# edc.negotiation.provider.state-machine.batch-size=\n# edc.oauth.client.id=\n# edc.oauth.private.key.alias=\n# edc.oauth.provider.audience=\n# edc.oauth.provider.jwks.refresh=\n# edc.oauth.provider.jwks.url=\n# edc.oauth.public.key.alias=\n# edc.oauth.token.url=\n# edc.oauth.validation.nbf.leeway=\n# edc.receiver.http.auth-code=\n# edc.receiver.http.auth-key=\n# edc.receiver.http.endpoint=\n# edc.transfer.proxy.endpoint=\n# edc.transfer.dataplane.sync.token.validity=\n# edc.transfer.proxy.token.signer.privatekey.alias=\n# edc.transfer.functions.check.endpoint=\n# edc.transfer.functions.enabled.protocols=\n# edc.transfer.functions.transfer.endpoint=\n# edc.transfer-process-store.database.name=\n# edc.transfer.state-machine.batch-size=\n# edc.vault=\n# edc.vault.certificate=\n# edc.vault.clientid=\n# edc.vault.clientsecret=\n# edc.vault.name=\n# edc.vault.tenantid=\n# edc.vault.hashicorp.url=\n# edc.vault.hashicorp.token=\n# edc.vault.hashicorp.timeout.seconds=\n# edc.webdid.doh.url=\n# edc.web.rest.cors.enabled=\n# edc.web.rest.cors.headers=\n# edc.web.rest.cors.methods=\n# edc.web.rest.cors.origins="` | EDC configuration.properties configuring aspects of the [eclipse-dataspaceconnector](https://github.com/eclipse-dataspaceconnector/DataSpaceConnector) | | edc.endpoints.control.path | string | `"/api/dataplane/control"` | The path mapping the "control" api is going to be exposed by | | edc.endpoints.control.port | string | `"9999"` | The network port, which the "control" api is going to be exposed by the container, pod and service | | edc.endpoints.default.path | string | `"/api"` | The path mapping the "default" api is going to be exposed by | 
@@ -34,7 +35,7 @@ $ helm install my-release catenax-ng-product-edc/edc-dataplane
 | env | object | `{}` | Container environment variables e.g. for configuring [JAVA_TOOL_OPTIONS](https://docs.oracle.com/javase/8/docs/technotes/guides/troubleshoot/envvars002.html) Ex.: JAVA_TOOL_OPTIONS: > -Dhttp.proxyHost=proxy -Dhttp.proxyPort=80 -Dhttp.nonProxyHosts="localhost|127.*|[::1]" -Dhttps.proxyHost=proxy -Dhttps.proxyPort=443 |
 | fullnameOverride | string | `""` | Overrides the releases full name |
 | image.pullPolicy | string | `"IfNotPresent"` | [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use |
-| image.repository | string | `"ghcr.io/catenax-ng/product-edc/edc-dataplane"` | Which edc-dataplane container image to use |
+| image.repository | string | `"ghcr.io/catenax-ng/product-edc/edc-dataplane-hashicorp-vault"` | Which derivate of the edc data-plane to use. One of: [ghcr.io/catenax-ng/product-edc/edc-dataplane-hashicorp-vault, ghcr.io/catenax-ng/product-edc/edc-dataplane-azure-vault] |
 | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion |
 | imagePullSecret.dockerconfigjson | string | `""` | Image pull secret to create to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) Note: This value needs to adhere to the [(base64 encoded) .dockerconfigjson format](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#registry-secret-existing-credentials). Furthermore, if 'imagePullSecret.dockerconfigjson' is defined, it takes precedence over 'imagePullSecrets'. |
 | imagePullSecrets | list | `[]` | Existing image pull secret to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) |
@@ -52,17 +53,26 @@ $ helm install my-release catenax-ng-product-edc/edc-dataplane | nodeSelector | object | `{}` | [Node-Selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain the Pod to nodes with specific labels. | | opentelemetry.properties | string | `"otel.javaagent.enabled=true\notel.javaagent.debug=false"` | opentelemetry.properties configuring the [opentelemetry agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) | | podAnnotations | object | `{}` | [Annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) added to deployed [pods](https://kubernetes.io/docs/concepts/workloads/pods/) | -| podSecurityContext | object | `{}` | The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment | +| podSecurityContext.fsGroup | int | `10001` | The owner for volumes and any files created within volumes will belong to this guid | +| podSecurityContext.runAsGroup | int | `10001` | Processes within a pod will belong to this guid | +| podSecurityContext.runAsUser | int | `10001` | Runs all processes within a pod with a special uid | +| podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | Restrict a Container's Syscalls with seccomp | | readinessProbe.enabled | bool | `true` | Whether to enable kubernetes readiness-probes | | replicaCount | int | `1` | Specifies how many replicas of a deployed pod shall be created during the deployment Note: If horizontal pod autoscaling is enabled this setting has no effect | | resources | object | `{}` | [Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) applied to the deployed pod | +| securityContext.allowPrivilegeEscalation | bool | `false` | Controls [Privilege 
Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID | +| securityContext.capabilities.add | list | `[]` | Specifies which capabilities to add to issue specialized syscalls | +| securityContext.capabilities.drop | list | `["ALL"]` | Specifies which capabilities to drop to reduce syscall attack surface | +| securityContext.readOnlyRootFilesystem | bool | `true` | Whether the root filesystem is mounted in read-only mode | | securityContext.runAsNonRoot | bool | `true` | Requires the container to run without root privileges | -| securityContext.runAsUser | int | `1000` | The container's process will run with the specified uid | +| securityContext.runAsUser | int | `10001` | The container's process will run with the specified uid | | service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. | | serviceAccount.annotations | object | `{}` | [Annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) to add to the service account | | serviceAccount.create | bool | `true` | Specifies whether a [service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) should be created per release | | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the release's fullname template | | startupProbe.enabled | bool | `true` | Whether to enable kubernetes startup-probes | +| startupProbe.failureThreshold | int | `12` | Minimum consecutive failures for the probe to be considered failed after having succeeded | +| startupProbe.initialDelaySeconds | int | `10` | Number of seconds after the container has started before liveness probes are initiated. 
| | tolerations | list | `[]` | [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) are applied to Pods to schedule onto nodes with matching taints. | ---------------------------------------------- diff --git a/deployment/helm/edc-dataplane/README.md.gotmpl b/deployment/helm/edc-dataplane/README.md.gotmpl index 0e9ca3d5d..0b2e013b1 100644 --- a/deployment/helm/edc-dataplane/README.md.gotmpl +++ b/deployment/helm/edc-dataplane/README.md.gotmpl @@ -11,7 +11,7 @@ ## TL;DR ```shell $ helm repo add catenax-ng-product-edc https://catenax-ng.github.io/product-edc -$ helm install my-release catenax-ng-product-edc/edc-dataplane +$ helm install my-release catenax-ng-product-edc/edc-dataplane --version {{ .Version }} ``` {{ template "chart.maintainersSection" . }} diff --git a/deployment/helm/edc-dataplane/templates/configmap-env.yaml b/deployment/helm/edc-dataplane/templates/configmap-env.yaml index e23aba1a8..d8bf07df4 100644 --- a/deployment/helm/edc-dataplane/templates/configmap-env.yaml +++ b/deployment/helm/edc-dataplane/templates/configmap-env.yaml @@ -3,6 +3,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ include "edc-dataplane.fullname" . }}-env + namespace: {{ .Release.Namespace | default "default" | quote }} labels: {{- include "edc-dataplane.labels" . | nindent 4 }} data: diff --git a/deployment/helm/edc-dataplane/templates/configmap.yaml b/deployment/helm/edc-dataplane/templates/configmap.yaml index 5b32349ca..99a9ffa29 100644 --- a/deployment/helm/edc-dataplane/templates/configmap.yaml +++ b/deployment/helm/edc-dataplane/templates/configmap.yaml @@ -3,6 +3,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ include "edc-dataplane.fullname" . }}-configmap + namespace: {{ .Release.Namespace | default "default" | quote }} labels: {{- include "edc-dataplane.labels" . | nindent 4 }} data: 
diff --git a/deployment/helm/edc-dataplane/templates/deployment.yaml b/deployment/helm/edc-dataplane/templates/deployment.yaml index 3f1b284d8..914c78866 100644 --- a/deployment/helm/edc-dataplane/templates/deployment.yaml +++ b/deployment/helm/edc-dataplane/templates/deployment.yaml @@ -3,6 +3,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "edc-dataplane.fullname" . }} + namespace: {{ .Release.Namespace | default "default" | quote }} labels: {{- include "edc-dataplane.labels" . | nindent 4 }} spec: @@ -33,6 +34,7 @@ spec: {{- end }} {{- end }} serviceAccountName: {{ include "edc-dataplane.serviceAccountName" . }} + automountServiceAccountToken: {{ if .Values.automountServiceAccountToken }}true{{ else }}false{{ end }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: @@ -71,8 +73,8 @@ spec: httpGet: path: {{ .Values.edc.endpoints.default.path }}/check/startup port: default - failureThreshold: 12 - initialDelaySeconds: 10 + failureThreshold: {{ .Values.startupProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }} {{- end }} envFrom: - configMapRef: diff --git a/deployment/helm/edc-dataplane/templates/hpa.yaml b/deployment/helm/edc-dataplane/templates/hpa.yaml index 3a481bccf..f996aa839 100644 --- a/deployment/helm/edc-dataplane/templates/hpa.yaml +++ b/deployment/helm/edc-dataplane/templates/hpa.yaml @@ -4,6 +4,7 @@ apiVersion: autoscaling/v2beta1 kind: HorizontalPodAutoscaler metadata: name: {{ include "edc-dataplane.fullname" . }} + namespace: {{ .Release.Namespace | default "default" | quote }} labels: {{- include "edc-dataplane.labels" . | nindent 4 }} spec: diff --git a/deployment/helm/edc-dataplane/templates/imagepullsecret.yaml b/deployment/helm/edc-dataplane/templates/imagepullsecret.yaml index 45b7332f1..d7c1d31d7 100644 --- a/deployment/helm/edc-dataplane/templates/imagepullsecret.yaml +++ b/deployment/helm/edc-dataplane/templates/imagepullsecret.yaml 
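Review bot: The new `automountServiceAccountToken` line in the pod spec is rendered through `{{ if .Values.automountServiceAccountToken }}true{{ else }}false{{ end }}`, and a Go-template `if` treats any non-empty string as true, so a value supplied as the string `"false"` (for example via `--set-string`) would still mount the API token. Rendering the value directly, `automountServiceAccountToken: {{ .Values.automountServiceAccountToken | default false }}`, keeps `false` for an unset value and passes booleans and the strings `true`/`false` through unchanged. The `false` default in values.yaml is the right least-privilege choice for a workload that does not appear to need the Kubernetes API; the enclosing pod spec continues outside this hunk.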
@@ -4,6 +4,7 @@ apiVersion: v1
 kind: Secret
 metadata:
 name: {{ include "edc-dataplane.fullname" . }}-imagepullsecret
+ namespace: {{ .Release.Namespace | default "default" | quote }}
 labels:
 {{- include "edc-dataplane.labels" . | nindent 4 }}
 data:
diff --git a/deployment/helm/edc-dataplane/templates/ingress.yaml b/deployment/helm/edc-dataplane/templates/ingress.yaml
index 5558391ea..77a815083 100644
--- a/deployment/helm/edc-dataplane/templates/ingress.yaml
+++ b/deployment/helm/edc-dataplane/templates/ingress.yaml
@@ -2,6 +2,7 @@
 {{- $labels := include "edc-dataplane.labels" . | nindent 4 }}
 {{- $gitVersion := .Capabilities.KubeVersion.GitVersion }}
 {{- $edcEndpoints := .Values.edc.endpoints }}
+{{- $namespace := .Release.Namespace }}
 {{- range .Values.ingresses }}
 {{- if and .enabled .endpoints }}
 {{- $ingressName := printf "%s-%s" $fullName .hostname }}
@@ -16,6 +17,7 @@ apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
 name: {{ $ingressName }}
+ namespace: {{ $namespace | default "default" | quote }}
 labels:
 {{- $labels | nindent 2 }}
 annotations:
diff --git a/deployment/helm/edc-dataplane/templates/service.yaml b/deployment/helm/edc-dataplane/templates/service.yaml
index a29e2c125..7d2381634 100644
--- a/deployment/helm/edc-dataplane/templates/service.yaml
+++ b/deployment/helm/edc-dataplane/templates/service.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: Service
 metadata:
 name: {{ include "edc-dataplane.fullname" . }}
+ namespace: {{ .Release.Namespace | default "default" | quote }}
 labels:
 {{- include "edc-dataplane.labels" . | nindent 4 }}
 spec:
diff --git a/deployment/helm/edc-dataplane/templates/serviceaccount.yaml b/deployment/helm/edc-dataplane/templates/serviceaccount.yaml
index 7fbe537fb..6c997b64f 100644
--- a/deployment/helm/edc-dataplane/templates/serviceaccount.yaml
+++ b/deployment/helm/edc-dataplane/templates/serviceaccount.yaml
@@ -4,6 +4,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "edc-dataplane.serviceAccountName" . }} + namespace: {{ .Release.Namespace | default "default" | quote }} labels: {{- include "edc-dataplane.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} diff --git a/deployment/helm/edc-dataplane/values.yaml b/deployment/helm/edc-dataplane/values.yaml index a652f9530..7f3ac94d5 100644 --- a/deployment/helm/edc-dataplane/values.yaml +++ b/deployment/helm/edc-dataplane/values.yaml @@ -8,8 +8,9 @@ replicaCount: 1 image: - # -- Which edc-dataplane container image to use - repository: ghcr.io/catenax-ng/product-edc/edc-dataplane + # -- Which derivate of the edc data-plane to use. + # One of: [ghcr.io/catenax-ng/product-edc/edc-dataplane-hashicorp-vault, ghcr.io/catenax-ng/product-edc/edc-dataplane-azure-vault] + repository: ghcr.io/catenax-ng/product-edc/edc-dataplane-hashicorp-vault # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use pullPolicy: IfNotPresent # -- Overrides the image tag whose default is the chart appVersion 
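Review bot: The ServiceAccount gains a namespace but no `automountServiceAccountToken`, so the opt-out this patch adds to the Deployment's pod spec covers only that Deployment; any other pod (a debug pod, a Job) that binds the same account still receives an API token. Setting the flag on the account itself, `automountServiceAccountToken: {{ .Values.automountServiceAccountToken | default false }}` at the top level of the ServiceAccount next to `metadata:` (just outside this hunk), makes the chart's default hold regardless of which pod spec references the account. A one-line comment in values.yaml noting that the flag applies to both objects would keep the two from drifting.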
@@ -38,25 +39,40 @@ serviceAccount: # -- The name of the service account to use. If not set and create is true, a name is generated using the release's fullname template name: "" +# -- Whether to [automount kubernetes API credentials](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server) into the pod +automountServiceAccountToken: false + # -- [Annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) added to deployed [pods](https://kubernetes.io/docs/concepts/workloads/pods/) podAnnotations: {} -# -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment -podSecurityContext: {} - # runAsUser: 1000 - # runAsGroup: 3000 -# fsGroup: 2000 +# The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment +podSecurityContext: + seccompProfile: + # -- Restrict a Container's Syscalls with seccomp + type: RuntimeDefault + # -- Runs all processes within a pod with a special uid + runAsUser: 10001 + # -- Processes within a pod will belong to this guid + runAsGroup: 10001 + # -- The owner for volumes and any files created within volumes will belong to this guid + fsGroup: 10001 # The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod securityContext: - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true + capabilities: + # -- Specifies which capabilities to drop to reduce syscall attack surface + drop: + - ALL + # -- Specifies which capabilities to add to issue 
specialized syscalls + add: [] + # -- Whether the root filesystem is mounted in read-only mode + readOnlyRootFilesystem: true + # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID + allowPrivilegeEscalation: false # -- Requires the container to run without root privileges runAsNonRoot: true # -- The container's process will run with the specified uid - runAsUser: 1000 + runAsUser: 10001 livenessProbe: # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) @@ -69,6 +85,10 @@ readinessProbe: startupProbe: # -- Whether to enable kubernetes startup-probes enabled: true + # -- Minimum consecutive failures for the probe to be considered failed after having succeeded + failureThreshold: 12 + # -- Number of seconds after the container has started before liveness probes are initiated. + initialDelaySeconds: 10 ## EDC endpoints exposed by the data-plane edc: @@ -184,12 +204,6 @@ opentelemetry: configuration: # -- EDC configuration.properties configuring aspects of the [eclipse-dataspaceconnector](https://github.com/eclipse-dataspaceconnector/DataSpaceConnector) properties: |- - # edc.api.control.auth.apikey.key= - # edc.api.control.auth.apikey.value= - # edc.assetindex.cosmos.account-name= - # edc.assetindex.cosmos.container-name= - # edc.assetindex.cosmos.database-name= - # edc.assetindex.cosmos.preferred-region= # edc.atomikos.checkpoint.interval= # edc.atomikos.directory= # edc.atomikos.logging= 
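Review bot: `readOnlyRootFilesystem: true` together with `runAsUser: 10001` only works if the data-plane JVM still has a writable temp directory; the deployment.yaml hunks in this patch show no emptyDir for `/tmp`, and a JVM without a writable `java.io.tmpdir` (and hsperfdata directory) can fail at startup or when Jetty unpacks resources — confirm against the full template and the image, which are outside this view. If no such volume exists, the values comment should say so: `# -- Whether the root filesystem is mounted in read-only mode. The JVM still needs a writable java.io.tmpdir; mount an emptyDir at /tmp (or point -Djava.io.tmpdir elsewhere via JAVA_TOOL_OPTIONS) when this is true`. Separately, `runAsUser: 10001` now appears in both `podSecurityContext` and `securityContext`; the container-level value wins, so a comment that the two are expected to match would save an operator who overrides only one.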
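Review bot: The new `startupProbe.initialDelaySeconds` comment says it delays "liveness probes", which reads as copied from the liveness section; for this key it delays the startup probe, which in turn gates liveness and readiness. Suggest `# -- Number of seconds after the container has started before the startup probe is initiated`. Likewise `failureThreshold` on a startup probe is the number of consecutive failures tolerated before the container is restarted, so `# -- Consecutive failures of the startup probe after which the container is restarted` describes what the value actually controls.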
@@ -200,14 +214,6 @@ configuration: # edc.aws.provision.role.duration.session.max= # edc.aws.secret.access.key= # edc.blobstore.endpoint= - # edc.contractdefinitionstore.cosmos.account-name= - # edc.contractdefinitionstore.cosmos.container-name= - # edc.contractdefinitionstore.cosmos.database-name= - # edc.contractdefinitionstore.cosmos.preferred-region= - # edc.contractnegotiationstore.cosmos.account-name= - # edc.contractnegotiationstore.cosmos.container-name= - # edc.contractnegotiationstore.cosmos.database-name= - # edc.contractnegotiationstore.cosmos.preferred-region= # edc.controlplane.validation-endpoint= # edc.core.retry.backoff.max= # edc.core.retry.backoff.min= @@ -216,8 +222,6 @@ configuration: # edc.core.system.health.check.readiness-period= # edc.core.system.health.check.startup-period= # edc.core.system.health.check.threadpool-size= - # edc.cosmos.partition-key= - # edc.cosmos.query-metrics-enabled= # edc.dataplane.queue.capacity= # edc.dataplane.wait= # edc.dataplane.workers= @@ -263,10 +267,6 @@ configuration: # edc.metrics.system.enabled= # edc.negotiation.consumer.state-machine.batch-size= # edc.negotiation.provider.state-machine.batch-size= - # edc.node.directory.cosmos.account.name= - # edc.node.directory.cosmos.container.name= - # edc.node.directory.cosmos.database.name= - # edc.node.directory.cosmos.preferred.region= # edc.oauth.client.id= # edc.oauth.private.key.alias= # edc.oauth.provider.audience= @@ -284,9 +284,6 @@ configuration: # edc.transfer.functions.check.endpoint= # edc.transfer.functions.enabled.protocols= # edc.transfer.functions.transfer.endpoint= - # edc.transfer-process-store.cosmos.account.name= - # edc.transfer-process-store.cosmos.container-name= - # edc.transfer-process-store.cosmos.preferred-region= # edc.transfer-process-store.database.name= # edc.transfer.state-machine.batch-size= # edc.vault= 
@@ -295,6 +292,9 @@ configuration: # edc.vault.clientsecret= # edc.vault.name= # edc.vault.tenantid= + # edc.vault.hashicorp.url= + # edc.vault.hashicorp.token= + # edc.vault.hashicorp.timeout.seconds= # edc.webdid.doh.url= # edc.web.rest.cors.enabled= # edc.web.rest.cors.headers= diff --git a/edc b/edc index acd02337a..1b3f3a86e 160000 --- a/edc +++ b/edc @@ -1 +1 @@ -Subproject commit acd02337a16d9498727bee12e49e715e9be960e3 +Subproject commit 1b3f3a86e3cef781d325788a30bf32efb18af98b diff --git a/edc-controlplane/README.md b/edc-controlplane/README.md index 9b5d4715f..98ab9d0c9 100644 --- a/edc-controlplane/README.md +++ b/edc-controlplane/README.md @@ -323,7 +323,7 @@ __apiKey=X-Api-Key __apiKeyValue=pwd __assetId=1 __assetDescription="Demo Asset" -__assetDataEndpoint=https://github.com/eclipse-dataspaceconnector +__assetDataEndpoint="https://jsonplaceholder.typicode.com/todos/3" __asset="{ \"asset\": { 
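Review bot: The new `edc.vault.hashicorp.token` placeholder lives in `configuration.properties`, which the `configmap.yaml` template in this patch appears to render into a ConfigMap rather than a Secret (confirm against the template body, which is outside these hunks); a Vault token written here is readable by anyone with ConfigMap read access and is persisted in the Helm release history. The same applies to the pre-existing `edc.vault.clientsecret` line just above it. A comment on the placeholder would steer operators right: `# edc.vault.hashicorp.token=   (do not set here: this block is stored in a ConfigMap; inject the token from a Kubernetes Secret, e.g. via env)`.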
@@ -471,45 +471,6 @@ Get Contract Definition curl -X GET "$__connectorUrl/$__dataMgmtPath/contractdefinitions/$__contractDefinitionId" --header "$__apiKey: $__apiKeyValue" --header "Content-Type: application/json" | jq ``` -### 4. Get Contract Offer Catalog - -The last call is not (yet) part of the Data Management API. Instead, the deprecated Control API is used. The extension -for the control API is part of the Catena-X images and usable. - ----- - -**Please Note** - -Don't confuse the deprecated Control API with another Control API of the connector, that is not deprecated. - ----- - -#### Bash Script - -```bash -# Variables -__connectorUrl=http://localhost:8181 -__targetConnectorUrl=http://localhost:9292 -__targetConnectorIdsPath=api/v1/ids -__defaultApiPath=api -__apiKey=X-Api-Key -__apiKeyValue=pwd - -# Call Control API -curl -G -X GET $__connectorUrl/$__defaultApiPath/control/catalog --header "$__apiKey: $__apiKeyValue" --data-urlencode "provider=$__targetConnectorUrl/$__targetConnectorIdsPath/data" --header "Content-Type: application/json" -s | jq -``` - -#### Bash Parameters - -| Name | Description | -| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | -| $__connectorUrl | URL of the Connector with the Control API port configured in `web.http.default.port` | -| $__defaultApiPath | Path of the Control API as configured in `web.http.default.path` | -| $__apiKey | The API Key as configured in `edc.api.control.auth.apikey.key` | -| $__apiKeyValue | The API Key Value as configured in `edc.api.control.auth.apikey.value` | -| $__targetConnectorUrl | URL of the Connector of the target connector with the IDS API port configured in `web.http.ids.port`(in the configuration of the other connector) | -| $__targetConnectorIdsPath | The IDS Path as configured in `web.http.ids.path` (in the configuration of the other connector) | - # Secure your 
connector ## API Security diff --git a/edc-controlplane/edc-controlplane-base/README.md b/edc-controlplane/edc-controlplane-base/README.md new file mode 100644 index 000000000..98888200a --- /dev/null +++ b/edc-controlplane/edc-controlplane-base/README.md @@ -0,0 +1,7 @@ +# EDC Control-Plane Base Module + +### Building + +```shell +./mvnw -pl .,edc-controlplane/edc-controlplane-base -am package +``` diff --git a/edc-controlplane/edc-controlplane-base/pom.xml b/edc-controlplane/edc-controlplane-base/pom.xml new file mode 100644 index 000000000..f40fe54b9 --- /dev/null +++ b/edc-controlplane/edc-controlplane-base/pom.xml 
@@ -0,0 +1,150 @@ + + + + edc-controlplane + net.catenax.edc + 0.0.4 + + 4.0.0 + + edc-controlplane-base + jar + + + ${project.artifactId} + + + src/main/resources + + **/* + + + + ../../ + META-INF + + NOTICE.md + LICENSE + + + + + + + + + net.catenax.edc.extensions + business-partner-validation + + + + + org.eclipse.dataspaceconnector + filesystem-configuration + + + + + org.eclipse.dataspaceconnector + auth-tokenbased + + + + + org.eclipse.dataspaceconnector + data-management-api + + + org.eclipse.dataspaceconnector + observability-api + + + + + org.eclipse.dataspaceconnector + ids-api-configuration + + + org.eclipse.dataspaceconnector + ids-api-multipart-dispatcher-v1 + + + org.eclipse.dataspaceconnector + ids-api-multipart-endpoint-v1 + + + org.eclipse.dataspaceconnector + ids-api-transform-v1 + + + org.eclipse.dataspaceconnector + ids-core + + + org.eclipse.dataspaceconnector + ids-spi + + + org.eclipse.dataspaceconnector + ids-token-validation + + + + + org.eclipse.dataspaceconnector + core-base + + + org.eclipse.dataspaceconnector + core-boot + + + org.eclipse.dataspaceconnector + transfer + + + org.eclipse.dataspaceconnector + contract + + + + + org.eclipse.dataspaceconnector + data-plane-transfer-sync + + + + + org.eclipse.dataspaceconnector + core-micrometer + + + org.eclipse.dataspaceconnector + jersey-micrometer + + + org.eclipse.dataspaceconnector + jetty-micrometer + + + + + org.eclipse.dataspaceconnector + jdk-logger-monitor + + + + + + org.eclipse.dataspaceconnector + http + + + + org.eclipse.dataspaceconnector + http-receiver + + + \ No newline at end of file diff --git a/edc-controlplane/edc-controlplane-cosmosdb/README.md b/edc-controlplane/edc-controlplane-cosmosdb/README.md deleted file mode 100644 index 09c5dbef3..000000000 --- a/edc-controlplane/edc-controlplane-cosmosdb/README.md +++ /dev/null 
@@ -1,180 +0,0 @@ -# EDC Control-Plane backed by [Azure CosmosDB](https://docs.microsoft.com/en-us/azure/cosmos-db/introduction) - -### Building - -```shell -./mvnw -pl .,edc-controlplane/edc-controlplane-cosmosdb -am package -Pwith-docker-image -``` - -### Key Vault Setup - -The connector will lookup a secret in the key vault, that has the same alias as the `account-name` setting for CosmosDB (e.g. `edc.assetindex.cosmos.account-name`). -This secret must contain the primary or the secondard CosmosDB Read-write key. - -### Configuration - -Listed below are configuration keys needed to get the `edc-controlplane-cosmosdb` up and running. -Details regarding each configuration property can be found at the [documentary section of the EDC](https://github.com/eclipse-dataspaceconnector/DataSpaceConnector/tree/main/docs). - -| Key | Required | Example | Description | -|--- |--- |--- |--- | -| web.http.default.port | X | 8080 | | -| web.http.default.path | X | /api | | -| web.http.data.port | X | 8181 | | -| web.http.data.path | X | /data | | -| web.http.validation.port | X | 8182 | | -| web.http.validation.path | X | /validation | | -| web.http.control.port | X | 9999 | | -| web.http.control.path | X | /api/controlplane/control | | -| web.http.ids.port | X | 8282 | | -| web.http.ids.path | X | /api/v1/ids | | -| edc.receiver.http.endpoint | X | http://backend-service | | -| edc.ids.title | | Eclipse Dataspace Connector | | -| edc.ids.description | | Eclipse Dataspace Connector | | -| edc.ids.id | | urn:connector:edc | | -| edc.ids.security.profile | | base | | -| edc.ids.endpoint | | http://localhost:8282/api/v1/ids | | -| edc.ids.maintainer | | http://localhost | | -| edc.ids.curator | | http://localhost | | -| edc.ids.catalog.id | | urn:catalog:default | | -| ids.webhook.address | | http://localhost:8282/api/v1/ids | | -| edc.api.control.auth.apikey.key | | X-Api-Key | | -| edc.api.control.auth.apikey.value | | super-strong-api-key | | -| edc.hostname | | localhost | | 
-| edc.oauth.token.url | X | https://daps.catena-x.net | | -| edc.oauth.public.key.alias | X | key-to-daps-certificate-in-keyvault | | -| edc.oauth.private.key.alias | X | key-to-private-key-in-keyvault | | -| edc.oauth.client.id | X | daps-oauth-client-id | | -| edc.vault.clientid | X | 00000000-1111-2222-3333-444444444444 | | -| edc.vault.tenantid | X | 55555555-6666-7777-8888-999999999999 | | -| edc.vault.name | X | my-vault-name | | -| edc.vault.clientsecret | X | 34-chars-secret | | -| edc.assetindex.cosmos.account-name | X | cosmosdb-assetindex-account-name | | -| edc.assetindex.cosmos.database-name | X | asset-index | | -| edc.assetindex.cosmos.preferred-region | X | westeurope | | -| edc.assetindex.cosmos.container-name | X | cosmosdb-assetindex-container-name | | -| edc.contractdefinitionstore.cosmos.account-name | X | cosmosdb-contractdefinitionstore-account-name | | -| edc.contractdefinitionstore.cosmos.database-name | X | contract-definition-store | | -| edc.contractdefinitionstore.cosmos.preferred-region | X | westeurope | | -| edc.contractdefinitionstore.cosmos.container-name | X | cosmosdb-contractdefinitionstore-container-name | | -| edc.contractnegotiationstore.cosmos.account-name | X | cosmosdb-contractnegotiationstore-account-name | | -| edc.contractnegotiationstore.cosmos.database-name | X | contract-negotiation-store | | -| edc.contractnegotiationstore.cosmos.preferred-region | X | westeurope | | -| edc.contractnegotiationstore.cosmos.container-name | X | cosmosdb-contractnegotiationstore-container-name | | -| edc.contractnegotiationstore.cosmos.allow.sproc.autoupload | | true | | -| edc.transfer-process-store.cosmos.account.name | X | cosmosdb-contractnegotiationstore-account-name | | -| edc.transfer-process-store.database.name | X | transfer-process-store | | -| edc.transfer-process-store.cosmos.preferred-region | X | westeurope | | -| edc.transfer-process-store.cosmos.container-name | X | cosmosdb-transfer-process-store-container-name | | -| 
edc.transfer-process-store.cosmos.allow.sproc.autoupload | | true | | -| edc.transfer.proxy.endpoint | X | http://dataplane-public-endpoint/public | | -| edc.transfer.proxy.token.signer.privatekey.alias | X | key-of-private-key-in-keyvault-to-sign-transfer-token | | - -#### Example configuration.properties - -JDK properties-style configuration of the EDC Control-Plane is expected to be mounted to `/app/configuration.properties` within the container. - -```shell -# Create configuration.properties -export CONFIGURATION_PROPERTIES_FILE=$(mktemp /tmp/configuration.properties.XXXXXX) -cat << 'EOF' > ${CONFIGURATION_PROPERTIES_FILE} - -web.http.default.port=8080 -web.http.default.path=/api -web.http.data.port=8181 -web.http.data.path=/data -web.http.validation.port=8182 -web.http.validation.path=/validation -web.http.control.port=9999 -web.http.control.path=/api/controlplane/control -web.http.ids.port=8282 -web.http.ids.path=/api/v1/ids - -edc.receiver.http.endpoint=http://backend-service - -edc.ids.title=Eclipse Dataspace Connector -edc.ids.description=Eclipse Dataspace Connector -edc.ids.id=urn:connector:edc -edc.ids.security.profile=base -edc.ids.endpoint=http://localhost:8282/api/v1/ids -edc.ids.maintainer=http://localhost -edc.ids.curator=http://localhost -edc.ids.catalog.id=urn:catalog:default -ids.webhook.address=http://localhost:8282/api/v1/ids - -edc.api.control.auth.apikey.key=X-Api-Key -edc.api.control.auth.apikey.value=pass - -edc.hostname=localhost - -# OAuth / DAPS related configuration -edc.oauth.token.url=https://daps.catena-x.net -edc.oauth.public.key.alias=key-to-daps-certificate-in-keyvault -edc.oauth.private.key.alias=key-to-private-key-in-keyvault -edc.oauth.client.id=daps-oauth-client-id - -# Azure vault related configuration -edc.vault.clientid=00000000-1111-2222-3333-444444444444 -edc.vault.tenantid=55555555-6666-7777-8888-999999999999 -edc.vault.name=my-vault-name -edc.vault.clientsecret=34-chars-secret - -# Control- / Data- Plane configuration 
-edc.transfer.proxy.endpoint=http://dataplane-public-endpoint/public -edc.transfer.proxy.token.signer.privatekey.alias=azure-vault-token-signer-private-key - -# Azure CosmosDB related configuration -edc.assetindex.cosmos.account-name=cosmosdb-assetindex-account-name -edc.assetindex.cosmos.database-name=asset-index -edc.assetindex.cosmos.preferred-region=westeurope -edc.assetindex.cosmos.container-name=cosmosdb-assetindex-container-name -edc.contractdefinitionstore.cosmos.account-name=cosmosdb-contractdefinitionstore-account-name -edc.contractdefinitionstore.cosmos.database-name=contract-definition-store -edc.contractdefinitionstore.cosmos.preferred-region=westeurope -edc.contractdefinitionstore.cosmos.container-name=cosmosdb-contractdefinitionstore-container-name -edc.contractnegotiationstore.cosmos.account-name=cosmosdb-contractnegotiationstore-account-name -edc.contractnegotiationstore.cosmos.database-name=contract-negotiation-store -edc.contractnegotiationstore.cosmos.preferred-region=westeurope -edc.contractnegotiationstore.cosmos.container-name=cosmosdb-contractnegotiationstore-container-name -edc.transfer-process-store.cosmos.account.name=cosmosdb-contractnegotiationstore-account-name -edc.transfer-process-store.database.name=transfer-process-store -edc.transfer-process-store.cosmos.preferred-region=westeurope -edc.transfer-process-store.cosmos.container-name=cosmosdb-transfer-process-store-container-name - -EOF -``` - -#### Example logging.properties -```shell -# Create logging.properties -export LOGGING_PROPERTIES_FILE=$(mktemp /tmp/logging.properties.XXXXXX) -cat << 'EOF' > ${LOGGING_PROPERTIES_FILE} -.level=INFO -org.eclipse.dataspaceconnector.level=ALL -handlers=java.util.logging.ConsoleHandler -java.util.logging.ConsoleHandler.formatter=java.util.logging.SimpleFormatter -java.util.logging.ConsoleHandler.level=ALL -java.util.logging.SimpleFormatter.format=[%1$tY-%1$tm-%1$td %1$tH:%1$tM:%1$tS] [%4$-7s] %5$s%6$s%n -EOF -``` - -#### Example 
opentelemetry.properties -```shell -# Create opentelemetry.properties -export OPENTELEMETRY_PROPERTIES_FILE=$(mktemp /tmp/opentelemetry.properties.XXXXXX) -cat << 'EOF' > ${OPENTELEMETRY_PROPERTIES_FILE} -otel.javaagent.enabled=true -otel.javaagent.debug=false -EOF -``` - -### Running - -```shell -docker run \ - -p 8080:8080 -p 8181:8181 -p 8182:8182 -p 8282:8282 -p 9090:9090 -p 9999:9999 \ - -v ${CONFIGURATION_PROPERTIES_FILE:-/dev/null}:/app/configuration.properties \ - -v ${LOGGING_PROPERTIES_FILE:-/dev/null}:/app/logging.properties \ - -v ${OPENTELEMETRY_PROPERTIES_FILE:-/dev/null}:/app/opentelemetry.properties \ - -i edc-controlplane-cosmosdb:latest -``` \ No newline at end of file diff --git a/edc-controlplane/edc-controlplane-cosmosdb/pom.xml b/edc-controlplane/edc-controlplane-cosmosdb/pom.xml deleted file mode 100644 index bcc16eef8..000000000 --- a/edc-controlplane/edc-controlplane-cosmosdb/pom.xml +++ /dev/null 
@@ -1,358 +0,0 @@ - - - - - net.catenax.edc - edc-controlplane - 0.0.3 - - 4.0.0 - - edc-controlplane-cosmosdb - jar - - - ${project.artifactId} - - - src/main/resources - - **/* - - - - ../../ - META-INF - - NOTICE.md - LICENSE - - - - - - - org.apache.maven.plugins - maven-jar-plugin - - - - true - lib/ - - org.eclipse.dataspaceconnector.boot.system.runtime.BaseRuntime - - - - - - - org.apache.maven.plugins - maven-dependency-plugin - - - package - - copy-dependencies - - - ${project.build.directory}/lib - - - - - - - - - - - - net.catenax.edc.extensions - aas-controller - - - net.catenax.edc.extensions - business-partner-validation - - - - - org.eclipse.dataspaceconnector - filesystem-configuration - - - - - org.eclipse.dataspaceconnector - auth-tokenbased - - - - - org.eclipse.dataspaceconnector - azure-vault - - - com.azure - azure-security-keyvault-secrets - - - com.azure - azure-identity - - - - - - - org.eclipse.dataspaceconnector - control-api - - - org.eclipse.dataspaceconnector - data-management-api - - - org.eclipse.dataspaceconnector - observability-api - - - - - org.eclipse.dataspaceconnector - ids-api-configuration - - - org.eclipse.dataspaceconnector - ids-api-multipart-dispatcher-v1 - - - org.eclipse.dataspaceconnector - ids-api-multipart-endpoint-v1 - - - org.eclipse.dataspaceconnector - ids-api-transform-v1 - - - org.eclipse.dataspaceconnector - ids-core - - - org.eclipse.dataspaceconnector - ids-spi - - - org.eclipse.dataspaceconnector - ids-token-validation - - - - - org.eclipse.dataspaceconnector - assetindex-cosmos - - - com.azure - azure-cosmos - - - - - org.eclipse.dataspaceconnector - contract-definition-store-cosmos - - - com.azure - azure-cosmos - - - - - org.eclipse.dataspaceconnector - contract-negotiation-store-cosmos - - - com.azure - azure-cosmos - - - - - org.eclipse.dataspaceconnector - policy-store-cosmos - - - com.azure - azure-cosmos - - - - - org.eclipse.dataspaceconnector - transfer-process-store-cosmos - - - com.azure - 
azure-cosmos - - - - - - - org.eclipse.dataspaceconnector - core-base - - - org.eclipse.dataspaceconnector - core-boot - - - org.eclipse.dataspaceconnector - transfer - - - org.eclipse.dataspaceconnector - contract - - - - - org.eclipse.dataspaceconnector - data-plane-transfer-sync - - - - - org.eclipse.dataspaceconnector - oauth2-core - - - org.eclipse.dataspaceconnector - iam-daps - - - - - org.eclipse.dataspaceconnector - core-micrometer - - - org.eclipse.dataspaceconnector - jersey-micrometer - - - org.eclipse.dataspaceconnector - jetty-micrometer - - - - - org.eclipse.dataspaceconnector - jdk-logger-monitor - - - - - - org.eclipse.dataspaceconnector - http - - - - - org.eclipse.dataspaceconnector - http-receiver - - - - - com.azure - azure-cosmos - - - com.azure - azure-identity - - - com.azure - azure-security-keyvault-secrets - - - - - - - with-docker-image - - - - org.codehaus.mojo - exec-maven-plugin - - - - docker-build-${project.artifactId}:${project.version} - package - - exec - - - docker - ${project.basedir} - - build - -f - src/main/docker/Dockerfile - --build-arg - JAR=target/${project.artifactId}.jar - --build-arg - LIB=target/lib - -t - ${project.artifactId}:${project.version} - . - - - - - docker-tag-${project.artifactId}:latest - package - - exec - - - docker - ${project.basedir} - - tag - ${project.artifactId}:${project.version} - ${project.artifactId}:latest - - - - - - - - - - \ No newline at end of file diff --git a/edc-controlplane/edc-controlplane-memory/README.md b/edc-controlplane/edc-controlplane-memory/README.md index bf617c21f..b3115a5c3 100644 --- a/edc-controlplane/edc-controlplane-memory/README.md +++ b/edc-controlplane/edc-controlplane-memory/README.md 
@@ -13,6 +13,7 @@ Details regarding each configuration property can be found at the [documentary s | Key | Required | Example | Description | |--- |--- |--- |--- | +| edc.api.auth.key | | password | default value: random UUID | | web.http.default.port | X | 8080 | | | web.http.default.path | X | /api | | | web.http.data.port | X | 8181 | | @@ -33,8 +34,6 @@ Details regarding each configuration property can be found at the [documentary s | edc.ids.curator | | http://localhost | | | edc.ids.catalog.id | | urn:catalog:default | | | ids.webhook.address | | http://localhost:8282/api/v1/ids | | -| edc.api.control.auth.apikey.key | | X-Api-Key | | -| edc.api.control.auth.apikey.value | | super-strong-api-key | | | edc.hostname | | localhost | | | edc.oauth.token.url | X | https://daps.catena-x.net | | | edc.oauth.public.key.alias | X | key-to-daps-certificate-in-keyvault | | @@ -79,11 +78,10 @@ edc.ids.curator=http://localhost edc.ids.catalog.id=urn:catalog:default ids.webhook.address=http://localhost:8282/api/v1/ids -edc.api.control.auth.apikey.key=X-Api-Key -edc.api.control.auth.apikey.value=pass - edc.hostname=localhost +edc.api.auth.key=password + # OAuth / DAPS related configuration edc.oauth.token.url=https://daps.catena-x.net edc.oauth.public.key.alias=key-to-daps-certificate-in-keyvault diff --git a/edc-controlplane/edc-controlplane-memory/pom.xml b/edc-controlplane/edc-controlplane-memory/pom.xml index 3e74214d7..b45d96436 100644 --- a/edc-controlplane/edc-controlplane-memory/pom.xml +++ b/edc-controlplane/edc-controlplane-memory/pom.xml @@ -14,9 +14,9 @@ --> - edc-controlplane net.catenax.edc - 0.0.3 + edc-controlplane + 0.0.4 4.0.0 @@ -77,26 +77,10 @@ - - - net.catenax.edc.extensions - aas-controller - + - net.catenax.edc.extensions - business-partner-validation - - - - - org.eclipse.dataspaceconnector - filesystem-configuration - - - - - org.eclipse.dataspaceconnector - auth-tokenbased + net.catenax.edc + edc-controlplane-base 
@@ -115,74 +99,6 @@ - - - org.eclipse.dataspaceconnector - control-api - - - org.eclipse.dataspaceconnector - data-management-api - - - org.eclipse.dataspaceconnector - observability-api - - - - - org.eclipse.dataspaceconnector - ids-api-configuration - - - org.eclipse.dataspaceconnector - ids-api-multipart-dispatcher-v1 - - - org.eclipse.dataspaceconnector - ids-api-multipart-endpoint-v1 - - - org.eclipse.dataspaceconnector - ids-api-transform-v1 - - - org.eclipse.dataspaceconnector - ids-core - - - org.eclipse.dataspaceconnector - ids-spi - - - org.eclipse.dataspaceconnector - ids-token-validation - - - - - org.eclipse.dataspaceconnector - core-base - - - org.eclipse.dataspaceconnector - core-boot - - - org.eclipse.dataspaceconnector - transfer - - - org.eclipse.dataspaceconnector - contract - - - - - org.eclipse.dataspaceconnector - data-plane-transfer-sync - - org.eclipse.dataspaceconnector @@ -193,40 +109,6 @@ iam-daps - - - org.eclipse.dataspaceconnector - core-micrometer - - - org.eclipse.dataspaceconnector - jersey-micrometer - - - org.eclipse.dataspaceconnector - jetty-micrometer - - - - - - org.eclipse.dataspaceconnector - jdk-logger-monitor - - - - - - org.eclipse.dataspaceconnector - http - - - - - org.eclipse.dataspaceconnector - http-receiver - - com.azure 
@@ -238,7 +120,6 @@ - + + + net.catenax.edc + edc-controlplane + 0.0.4 + + 4.0.0 + + edc-controlplane-postgresql-hashicorp-vault + jar + + + ${project.artifactId} + + + src/main/resources + + **/* + + + + ../../ + META-INF + + NOTICE.md + LICENSE + + + + + + + org.apache.maven.plugins + maven-jar-plugin + + + + true + lib/ + org.eclipse.dataspaceconnector.boot.system.runtime.BaseRuntime + + + + + + org.apache.maven.plugins + maven-dependency-plugin + + + package + + copy-dependencies + + + ${project.build.directory}/lib + + + + + + + + + + + + net.catenax.edc + edc-controlplane-postgresql + + + org.eclipse.dataspaceconnector + azure-vault + + + + + + + net.catenax.edc.extensions + hashicorp-vault + + + + + + + + with-docker-image + + + + org.codehaus.mojo + exec-maven-plugin + + + + docker-build-${project.artifactId}:${project.version} + package + + exec + + + docker + ${project.basedir} + + build + -f + src/main/docker/Dockerfile + --build-arg + JAR=target/${project.artifactId}.jar + --build-arg + LIB=target/lib + -t + ${project.artifactId}:${project.version} + . + + + + + docker-tag-${project.artifactId}:latest + package + + exec + + + docker + ${project.basedir} + + tag + ${project.artifactId}:${project.version} + ${project.artifactId}:latest + + + + + + + + + + diff --git a/edc-controlplane/edc-controlplane-cosmosdb/src/main/docker/Dockerfile b/edc-controlplane/edc-controlplane-postgresql-hashicorp-vault/src/main/docker/Dockerfile similarity index 97% rename from edc-controlplane/edc-controlplane-cosmosdb/src/main/docker/Dockerfile rename to edc-controlplane/edc-controlplane-postgresql-hashicorp-vault/src/main/docker/Dockerfile index 2bb41f209..d4aa94d6b 100644 --- a/edc-controlplane/edc-controlplane-cosmosdb/src/main/docker/Dockerfile +++ b/edc-controlplane/edc-controlplane-postgresql-hashicorp-vault/src/main/docker/Dockerfile 
@@ -10,7 +10,7 @@ # Contributors: # Mercedes-Benz Tech Innovation GmbH - Initial Dockerfile # -FROM alpine:3.15.4 as otel +FROM alpine:3.16.0 as otel ENV OTEL_AGENT_LOCATION "https://github.com/open-telemetry/opentelemetry-java-instrumentation/releases/download/v1.12.1/opentelemetry-javaagent.jar" diff --git a/edc-controlplane/edc-controlplane-postgresql/README.md b/edc-controlplane/edc-controlplane-postgresql/README.md index af44e6a12..b6f18f171 100644 --- a/edc-controlplane/edc-controlplane-postgresql/README.md +++ b/edc-controlplane/edc-controlplane-postgresql/README.md @@ -13,6 +13,7 @@ Details regarding each configuration property can be found at the [documentary s | Key | Required | Example | Description | |--- |--- |--- |--- | +| edc.api.auth.key | | password | default value: random UUID | | web.http.default.port | X | 8080 | | | web.http.default.path | X | /api | | | web.http.data.port | X | 8181 | | @@ -33,8 +34,6 @@ Details regarding each configuration property can be found at the [documentary s | edc.ids.curator | | http://localhost | | | edc.ids.catalog.id | | urn:catalog:default | | | ids.webhook.address | | http://localhost:8282/api/v1/ids | | -| edc.api.control.auth.apikey.key | | X-Api-Key | | -| edc.api.control.auth.apikey.value | | super-strong-api-key | | | edc.hostname | | localhost | | | edc.oauth.token.url | X | https://daps.catena-x.net | | | edc.oauth.public.key.alias | X | key-to-daps-certificate-in-keyvault | | @@ -99,11 +98,10 @@ edc.ids.curator=http://localhost edc.ids.catalog.id=urn:catalog:default ids.webhook.address=http://localhost:8282/api/v1/ids -edc.api.control.auth.apikey.key=X-Api-Key -edc.api.control.auth.apikey.value=pass - edc.hostname=localhost +edc.api.auth.key=password + # OAuth / DAPS related configuration edc.oauth.token.url=https://daps.catena-x.net edc.oauth.public.key.alias=key-to-daps-certificate-in-keyvault 
diff --git a/edc-controlplane/edc-controlplane-postgresql/pom.xml b/edc-controlplane/edc-controlplane-postgresql/pom.xml index 4bcf962f9..d88dc3b6b 100644 --- a/edc-controlplane/edc-controlplane-postgresql/pom.xml +++ b/edc-controlplane/edc-controlplane-postgresql/pom.xml @@ -12,11 +12,12 @@ Mercedes-Benz Tech Innovation GmbH - Initial POM --> - + - edc-controlplane net.catenax.edc - 0.0.3 + edc-controlplane + 0.0.4 4.0.0 @@ -78,32 +79,18 @@ - + - net.catenax.edc.extensions - aas-controller - - - net.catenax.edc.extensions - business-partner-validation + net.catenax.edc + edc-controlplane-base + + net.catenax.edc.extensions postgresql-migration - - - org.eclipse.dataspaceconnector - filesystem-configuration - - - - - org.eclipse.dataspaceconnector - auth-tokenbased - - org.eclipse.dataspaceconnector @@ -120,50 +107,6 @@ - - - org.eclipse.dataspaceconnector - control-api - - - org.eclipse.dataspaceconnector - data-management-api - - - org.eclipse.dataspaceconnector - observability-api - - - - - org.eclipse.dataspaceconnector - ids-api-configuration - - - org.eclipse.dataspaceconnector - ids-api-multipart-dispatcher-v1 - - - org.eclipse.dataspaceconnector - ids-api-multipart-endpoint-v1 - - - org.eclipse.dataspaceconnector - ids-api-transform-v1 - - - org.eclipse.dataspaceconnector - ids-core - - - org.eclipse.dataspaceconnector - ids-spi - - - org.eclipse.dataspaceconnector - ids-token-validation - - org.eclipse.dataspaceconnector @@ -186,30 +129,6 @@ policy-store-sql - - - org.eclipse.dataspaceconnector - core-base - - - org.eclipse.dataspaceconnector - core-boot - - - org.eclipse.dataspaceconnector - transfer - - - org.eclipse.dataspaceconnector - contract - - - - - org.eclipse.dataspaceconnector - data-plane-transfer-sync - - org.eclipse.dataspaceconnector 
@@ -220,33 +139,8 @@ iam-daps - - - org.eclipse.dataspaceconnector - core-micrometer - - - org.eclipse.dataspaceconnector - jersey-micrometer - - - org.eclipse.dataspaceconnector - jetty-micrometer - - - - - org.eclipse.dataspaceconnector - jdk-logger-monitor - - - - org.eclipse.dataspaceconnector - http - - org.eclipse.dataspaceconnector apache-commons-pool-sql @@ -256,12 +150,6 @@ transaction-local - - - org.eclipse.dataspaceconnector - http-receiver - - com.azure @@ -277,7 +165,6 @@ - - - 4.0.0 - + net.catenax.edc product-edc-parent - 0.0.3 + 0.0.4 + 4.0.0 edc-controlplane pom - edc-controlplane-cosmosdb + edc-controlplane-base + edc-controlplane-memory + edc-controlplane-postgresql + edc-controlplane-postgresql-hashicorp-vault - \ No newline at end of file + diff --git a/edc-dataplane/README.md b/edc-dataplane/edc-dataplane-azure-vault/README.md similarity index 91% rename from edc-dataplane/README.md rename to edc-dataplane/edc-dataplane-azure-vault/README.md index 76cb68245..c3947ca8e 100644 --- a/edc-dataplane/README.md +++ b/edc-dataplane/edc-dataplane-azure-vault/README.md @@ -1,14 +1,14 @@ -# EDC Data-Plane +# EDC Data-Plane with [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/#product-overview) ### Building ```shell -./mvnw -pl .,edc-dataplane -am package -Pwith-docker-image +./mvnw -pl .,edc-dataplane/edc-dataplane-azure-vault -am package -Pwith-docker-image ``` ### Configuration -Listed below are configuration keys needed to get the `edc-dataplane` up and running. +Listed below are configuration keys needed to get the `edc-dataplane-azure-vault` up and running. Details regarding each configuration property can be found at the [documentary section of the EDC](https://github.com/eclipse-dataspaceconnector/DataSpaceConnector/tree/main/docs). | Key | Required | Example | Description | 
@@ -26,7 +26,7 @@ Details regarding each configuration property can be found at the [documentary s | edc.vault.tenantid | X | 55555555-6666-7777-8888-999999999999 | | | edc.vault.name | X | my-vault-name | | | edc.vault.clientsecret | X | 34-chars-secret | | -| edc.controlplane.validation-endpoint | X | http://controlplane:8182/validation | | +| edc.controlplane.validation-endpoint | X | http://controlplane:8182/validation/token | | #### Example configuration.properties @@ -45,7 +45,7 @@ web.http.control.port=9999 web.http.control.path=/api/dataplane/control # Validation endpoint of controlplane -edc.controlplane.validation-endpoint=http://controlplane:8182/validation +edc.controlplane.validation-endpoint=http://controlplane:8182/validation/token # EDC hostname edc.hostname=localhost @@ -90,5 +90,5 @@ docker run \ -v ${CONFIGURATION_PROPERTIES_FILE:-/dev/null}:/app/configuration.properties \ -v ${LOGGING_PROPERTIES_FILE:-/dev/null}:/app/logging.properties \ -v ${OPENTELEMETRY_PROPERTIES_FILE:-/dev/null}:/app/opentelemetry.properties \ - -i edc-dataplane:latest -``` \ No newline at end of file + -i edc-dataplane-azure-vault:latest +``` diff --git a/edc-dataplane/edc-dataplane-azure-vault/pom.xml b/edc-dataplane/edc-dataplane-azure-vault/pom.xml new file mode 100644 index 000000000..183008653 --- /dev/null +++ b/edc-dataplane/edc-dataplane-azure-vault/pom.xml 
@@ -0,0 +1,173 @@ + + + + + net.catenax.edc + edc-dataplane + 0.0.4 + + 4.0.0 + + edc-dataplane-azure-vault + jar + + + ${project.artifactId} + + + src/main/resources + + **/* + + + + ../../ + META-INF + + NOTICE.md + LICENSE + + + + + + + org.apache.maven.plugins + maven-jar-plugin + + + + true + lib/ + org.eclipse.dataspaceconnector.boot.system.runtime.BaseRuntime + + + + + + org.apache.maven.plugins + maven-dependency-plugin + + + package + + copy-dependencies + + + ${project.build.directory}/lib + + + + + + + + + + + net.catenax.edc + edc-dataplane-base + + + + + org.eclipse.dataspaceconnector + azure-vault + + + com.azure + azure-security-keyvault-secrets + + + com.azure + azure-identity + + + + + + + com.azure + azure-identity + + + com.azure + azure-security-keyvault-secrets + + + + + + + with-docker-image + + + + org.codehaus.mojo + exec-maven-plugin + + + + docker-build-${project.artifactId}:${project.version} + package + + exec + + + docker + ${project.basedir} + + build + -f + src/main/docker/Dockerfile + --build-arg + JAR=target/${project.artifactId}.jar + --build-arg + LIB=target/lib + -t + ${project.artifactId}:${project.version} + . + + + + + docker-tag-${project.artifactId}:latest + package + + exec + + + docker + ${project.basedir} + + tag + ${project.artifactId}:${project.version} + ${project.artifactId}:latest + + + + + + + + + + diff --git a/edc-dataplane/src/main/docker/Dockerfile b/edc-dataplane/edc-dataplane-azure-vault/src/main/docker/Dockerfile similarity index 97% rename from edc-dataplane/src/main/docker/Dockerfile rename to edc-dataplane/edc-dataplane-azure-vault/src/main/docker/Dockerfile index be19ac944..0af3e0b55 100644 --- a/edc-dataplane/src/main/docker/Dockerfile +++ b/edc-dataplane/edc-dataplane-azure-vault/src/main/docker/Dockerfile 
@@ -10,7 +10,7 @@ # Contributors: # Mercedes-Benz Tech Innovation GmbH - Initial Dockerfile # -FROM alpine:3.15.4 as otel +FROM alpine:3.16.0 as otel ENV OTEL_AGENT_LOCATION "https://github.com/open-telemetry/opentelemetry-java-instrumentation/releases/download/v1.12.1/opentelemetry-javaagent.jar" diff --git a/edc-dataplane/edc-dataplane-base/README.md b/edc-dataplane/edc-dataplane-base/README.md new file mode 100644 index 000000000..448937507 --- /dev/null +++ b/edc-dataplane/edc-dataplane-base/README.md @@ -0,0 +1,7 @@ +# EDC Data-Plane Base Module + +### Building + +```shell +./mvnw -pl .,edc-dataplane/edc-dataplane-base -am package +``` diff --git a/edc-dataplane/edc-dataplane-base/pom.xml b/edc-dataplane/edc-dataplane-base/pom.xml new file mode 100644 index 000000000..383dd4243 --- /dev/null +++ b/edc-dataplane/edc-dataplane-base/pom.xml @@ -0,0 +1,97 @@ + + + + edc-dataplane + net.catenax.edc + 0.0.4 + + 4.0.0 + + edc-dataplane-base + jar + + + ${project.artifactId} + + + src/main/resources + + **/* + + + + ../../ + META-INF + + NOTICE.md + LICENSE + + + + + + + + + org.eclipse.dataspaceconnector + filesystem-configuration + + + + + org.eclipse.dataspaceconnector + data-plane-framework + + + org.eclipse.dataspaceconnector + data-plane-http + + + org.eclipse.dataspaceconnector + data-plane-api + + + org.eclipse.dataspaceconnector + observability-api + + + + + org.eclipse.dataspaceconnector + core-base + + + org.eclipse.dataspaceconnector + core-boot + + + + + org.eclipse.dataspaceconnector + core-micrometer + + + org.eclipse.dataspaceconnector + jersey-micrometer + + + org.eclipse.dataspaceconnector + jetty-micrometer + + + + + org.eclipse.dataspaceconnector + jdk-logger-monitor + + + + + + org.eclipse.dataspaceconnector + http + + + diff --git a/edc-dataplane/edc-dataplane-hashicorp-vault/README.md b/edc-dataplane/edc-dataplane-hashicorp-vault/README.md new file mode 100644 index 000000000..22a8d4d60 --- /dev/null 
+++ b/edc-dataplane/edc-dataplane-hashicorp-vault/README.md 
@@ -0,0 +1,92 @@
+# EDC Data-Plane [Hashicorp Vault](https://www.vaultproject.io/)
+
+### Building
+
+```shell
+./mvnw -pl .,edc-dataplane/edc-dataplane-hashicorp-vault -am package -Pwith-docker-image
+```
+
+### Configuration
+
+Listed below are configuration keys needed to get the `edc-dataplane-hashicorp-vault` up and running.
+Details regarding each configuration property can be found at the [documentary section of the EDC](https://github.com/eclipse-dataspaceconnector/DataSpaceConnector/tree/main/docs).
+
+| Key | Required | Example | Description |
+|--- |--- |--- |--- |
+| web.http.default.port | X | 8080 | |
+| web.http.default.path | X | /api | |
+| web.http.public.port | X | 8181 | |
+| web.http.public.path | X | | |
+| web.http.control.port | X | 9999 | |
+| web.http.control.path | X | /api/controlplane/control | |
+| edc.receiver.http.endpoint | X | http://backend-service | |
+| edc.hostname | | localhost | |
+| edc.oauth.client.id | X | daps-oauth-client-id | |
+| edc.vault.hashicorp.url | X | http://vault | |
+| edc.vault.hashicorp.token | X | 55555555-6666-7777-8888-999999999999 | |
+| edc.vault.hashicorp.timeout.seconds | | 30 | |
+| edc.controlplane.validation-endpoint | X | http://controlplane:8182/validation/token | |
+
+#### Example configuration.properties
+
+JDK properties-style configuration of the EDC Control-Plane is expected to be mounted to `/app/configuration.properties` within the container.
+
+```shell
+# Create configuration.properties
+export CONFIGURATION_PROPERTIES_FILE=$(mktemp /tmp/configuration.properties.XXXXXX)
+cat << 'EOF' > ${CONFIGURATION_PROPERTIES_FILE}
+
+web.http.default.port=8080
+web.http.default.path=/api
+web.http.public.port=8185
+web.http.public.path=/public
+web.http.control.port=9999
+web.http.control.path=/api/dataplane/control
+
+# Validation endpoint of controlplane
+edc.controlplane.validation-endpoint=http://controlplane:8182/validation/token
+
+# EDC hostname
+edc.hostname=localhost
+
+# HashiCorp vault related configuration
+edc.vault.hashicorp.url=http://vault
+edc.vault.hashicorp.token=55555555-6666-7777-8888-999999999999
+edc.vault.hashicorp.timeout.seconds=30
+EOF
+```
+
+#### Example logging.properties
+```shell
+# Create logging.properties
+export LOGGING_PROPERTIES_FILE=$(mktemp /tmp/logging.properties.XXXXXX)
+cat << 'EOF' > ${LOGGING_PROPERTIES_FILE}
+.level=INFO
+org.eclipse.dataspaceconnector.level=ALL
+handlers=java.util.logging.ConsoleHandler
+java.util.logging.ConsoleHandler.formatter=java.util.logging.SimpleFormatter
+java.util.logging.ConsoleHandler.level=ALL
+java.util.logging.SimpleFormatter.format=[%1$tY-%1$tm-%1$td %1$tH:%1$tM:%1$tS] [%4$-7s] %5$s%6$s%n
+EOF
+```
+
+#### Example opentelemetry.properties
+```shell
+# Create opentelemetry.properties
+export OPENTELEMETRY_PROPERTIES_FILE=$(mktemp /tmp/opentelemetry.properties.XXXXXX)
+cat << 'EOF' > ${OPENTELEMETRY_PROPERTIES_FILE}
+otel.javaagent.enabled=true
+otel.javaagent.debug=false
+EOF
+```
+
+### Running
+
+```shell
+docker run \
+ -p 8080:8080 -p 8185:8185 -p 9999:9999 -p 9090:9090 \
+ -v ${CONFIGURATION_PROPERTIES_FILE:-/dev/null}:/app/configuration.properties \
+ -v ${LOGGING_PROPERTIES_FILE:-/dev/null}:/app/logging.properties \
+ -v ${OPENTELEMETRY_PROPERTIES_FILE:-/dev/null}:/app/opentelemetry.properties \
+ -i edc-dataplane-hashicorp-vault:latest
+```
\ No newline at end of file
diff --git a/edc-dataplane/edc-dataplane-hashicorp-vault/pom.xml b/edc-dataplane/edc-dataplane-hashicorp-vault/pom.xml new file mode 100644 index 000000000..ae237fef1 --- /dev/null +++ b/edc-dataplane/edc-dataplane-hashicorp-vault/pom.xml @@ -0,0 +1,155 @@ + + + + + net.catenax.edc + edc-dataplane + 0.0.4 + + 4.0.0 + + edc-dataplane-hashicorp-vault + jar + + + ${project.artifactId} + + + src/main/resources + + **/* + + + + ../../ + META-INF + + NOTICE.md + LICENSE + + + + + + + org.apache.maven.plugins + maven-jar-plugin + + + + true + lib/ + + org.eclipse.dataspaceconnector.boot.system.runtime.BaseRuntime + + + + + + + org.apache.maven.plugins + maven-dependency-plugin + + + package + + copy-dependencies + + + ${project.build.directory}/lib + + + + + + + + + + + net.catenax.edc + edc-dataplane-base + + + + + net.catenax.edc.extensions + hashicorp-vault + + + + + + + with-docker-image + + + + org.codehaus.mojo + exec-maven-plugin + + + + docker-build-${project.artifactId}:${project.version} + package + + exec + + + docker + ${project.basedir} + + build + -f + src/main/docker/Dockerfile + --build-arg + JAR=target/${project.artifactId}.jar + --build-arg + LIB=target/lib + -t + ${project.artifactId}:${project.version} + . + + + + + docker-tag-${project.artifactId}:latest + package + + exec + + + docker + ${project.basedir} + + tag + ${project.artifactId}:${project.version} + ${project.artifactId}:latest + + + + + + + + + + diff --git a/edc-dataplane/edc-dataplane-hashicorp-vault/src/main/docker/Dockerfile b/edc-dataplane/edc-dataplane-hashicorp-vault/src/main/docker/Dockerfile new file mode 100644 index 000000000..0af3e0b55 --- /dev/null +++ b/edc-dataplane/edc-dataplane-hashicorp-vault/src/main/docker/Dockerfile 
@@ -0,0 +1,37 @@
+#
+# Copyright (c) 2022 Mercedes-Benz Tech Innovation GmbH
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Contributors:
+# Mercedes-Benz Tech Innovation GmbH - Initial Dockerfile
+#
+FROM alpine:3.16.0 as otel
+
+ENV OTEL_AGENT_LOCATION "https://github.com/open-telemetry/opentelemetry-java-instrumentation/releases/download/v1.12.1/opentelemetry-javaagent.jar"
+
+RUN wget ${OTEL_AGENT_LOCATION} -O /tmp/opentelemetry-javaagent.jar
+
+FROM gcr.io/distroless/java11-debian11
+ARG JAR
+ARG LIB
+
+WORKDIR /app
+
+COPY --from=otel /tmp/opentelemetry-javaagent.jar .
+COPY ${JAR} edc-dataplane.jar
+COPY ${LIB} ./lib/
+
+CMD ["-javaagent:/app/opentelemetry-javaagent.jar", \
+ "-Dedc.fs.config=/app/configuration.properties", \
+ "-Djava.util.logging.config.file=/app/logging.properties", \
+ "-Dotel.javaagent.configuration-file=/app/opentelemetry.properties", \
+ "-Dotel.metrics.exporter=prometheus", \
+ "-Dotel.exporter.prometheus.port=9090", \
+ "-Djava.security.edg=file:/dev/.urandom", \
+ "-jar", \
+ "edc-dataplane.jar"]
diff --git a/edc-dataplane/pom.xml b/edc-dataplane/pom.xml
index 46fa869e8..b95e04970 100644
--- a/edc-dataplane/pom.xml
+++ b/edc-dataplane/pom.xml
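Review bot: The JVM flag `"-Djava.security.edg=file:/dev/.urandom"` in the CMD array misspells the property name (it is `java.security.egd`) and points at a path that does not exist (`/dev/.urandom`, where the usual idiom is `file:/dev/./urandom`), so the JVM silently ignores it; either correct the line to `"-Djava.security.egd=file:/dev/./urandom", \` or drop it, since the JDK 11 NativePRNG already reads /dev/urandom on Linux without blocking. The renamed edc-dataplane-azure-vault Dockerfile has the same blob id (0af3e0b55) and therefore the same line, and the edc-controlplane-postgresql-hashicorp-vault rename hunk shows only its FROM line, so it is worth checking too. The `RUN wget ${OTEL_AGENT_LOCATION} -O /tmp/opentelemetry-javaagent.jar` step fetches the agent from a GitHub release at build time without any integrity check; appending `&& echo "<SHA256_OF_AGENT_JAR_PLACEHOLDER>  /tmp/opentelemetry-javaagent.jar" | sha256sum -c -` makes a swapped or corrupted asset fail the build instead of ending up in the image. Both `FROM` lines are pinned by tag only (`alpine:3.16.0`, `gcr.io/distroless/java11-debian11`); pinning by digest would make the build reproducible and the base images auditable.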
@@ -18,212 +18,16 @@ net.catenax.edc product-edc-parent - 0.0.3 + 0.0.4 - edc-dataplane - jar - - - ${project.artifactId} - - - src/main/resources - - **/* - - - - ../ - META-INF - - NOTICE.md - LICENSE - - - - - - - org.apache.maven.plugins - maven-jar-plugin - - - - true - lib/ - - org.eclipse.dataspaceconnector.boot.system.runtime.BaseRuntime - - - - - - - org.apache.maven.plugins - maven-dependency-plugin - - - package - - copy-dependencies - - - ${project.build.directory}/lib - - - - - - - - - - - org.eclipse.dataspaceconnector - filesystem-configuration - - - - - org.eclipse.dataspaceconnector - azure-vault - - - com.azure - azure-security-keyvault-secrets - - - com.azure - azure-identity - - - - - - org.eclipse.dataspaceconnector - data-plane-framework - - - org.eclipse.dataspaceconnector - data-plane-http - - - org.eclipse.dataspaceconnector - data-plane-api - - - org.eclipse.dataspaceconnector - observability-api - - - - - org.eclipse.dataspaceconnector - core-base - - - org.eclipse.dataspaceconnector - core-boot - - - - - org.eclipse.dataspaceconnector - core-micrometer - - - org.eclipse.dataspaceconnector - jersey-micrometer - - - org.eclipse.dataspaceconnector - jetty-micrometer - - - - - org.eclipse.dataspaceconnector - jdk-logger-monitor - - - - - - org.eclipse.dataspaceconnector - http - + edc-dataplane + pom - - - com.azure - azure-identity - - - com.azure - azure-security-keyvault-secrets - - + + edc-dataplane-base - - - - with-docker-image - - - - org.codehaus.mojo - exec-maven-plugin - - - - docker-build-${project.artifactId}:${project.version} - package - - exec - - - docker - ${project.basedir} - - build - -f - src/main/docker/Dockerfile - --build-arg - JAR=target/${project.artifactId}.jar - --build-arg - LIB=target/lib - -t - ${project.artifactId}:${project.version} - . 
- - - - - docker-tag-${project.artifactId}:latest - package - - exec - - - docker - ${project.basedir} - - tag - ${project.artifactId}:${project.version} - ${project.artifactId}:latest - - - - - - - - - - \ No newline at end of file + edc-dataplane-azure-vault + edc-dataplane-hashicorp-vault + + diff --git a/edc-extensions/aas-controller/README.md b/edc-extensions/aas-controller/README.md deleted file mode 100644 index f32ad27e5..000000000 --- a/edc-extensions/aas-controller/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# Asset Administration Shell Controller - -This EDC extension implements a custom controller for the 'Asset Administration Shell'-Wrapper. \ No newline at end of file diff --git a/edc-extensions/aas-controller/pom.xml b/edc-extensions/aas-controller/pom.xml deleted file mode 100644 index e813b744e..000000000 --- a/edc-extensions/aas-controller/pom.xml +++ /dev/null @@ -1,71 +0,0 @@ - - - - 4.0.0 - - - net.catenax.edc.extensions - edc-extensions - 0.0.3 - - - aas-controller - jar - - - - - src/main/resources - - **/* - - - - ../../ - META-INF - - NOTICE.md - LICENSE - - - - - - - - - org.eclipse.dataspaceconnector - web-spi - - - org.eclipse.dataspaceconnector - transfer-spi - - - org.eclipse.dataspaceconnector - contract-spi - - - org.eclipse.dataspaceconnector - dataloading - - - - - jakarta.ws.rs - jakarta.ws.rs-api - - - \ No newline at end of file diff --git a/edc-extensions/aas-controller/src/main/java/net/catenax/edc/controlplane/ControlPlaneController.java b/edc-extensions/aas-controller/src/main/java/net/catenax/edc/controlplane/ControlPlaneController.java deleted file mode 100644 index f8f510e74..000000000 --- a/edc-extensions/aas-controller/src/main/java/net/catenax/edc/controlplane/ControlPlaneController.java +++ /dev/null 
@@ -1,135 +0,0 @@ -/* - * Copyright (c) 2022 Mercedes-Benz Tech Innovation GmbH - * - * This program and the accompanying materials are made available under the - * terms of the Apache License, Version 2.0 which is available at - * https://www.apache.org/licenses/LICENSE-2.0 - * - * SPDX-License-Identifier: Apache-2.0 - * - * Contributors: - * Mercedes-Benz Tech Innovation GmbH - Initial API and Implementation - * - */ - -package net.catenax.edc.controlplane; - -import jakarta.ws.rs.Consumes; -import jakarta.ws.rs.GET; -import jakarta.ws.rs.POST; -import jakarta.ws.rs.Path; -import jakarta.ws.rs.PathParam; -import jakarta.ws.rs.Produces; -import jakarta.ws.rs.core.MediaType; -import java.util.Map; -import org.eclipse.dataspaceconnector.dataloading.AssetLoader; -import org.eclipse.dataspaceconnector.spi.contract.offer.store.ContractDefinitionStore; -import org.eclipse.dataspaceconnector.spi.monitor.Monitor; -import org.eclipse.dataspaceconnector.spi.transfer.store.TransferProcessStore; -import org.eclipse.dataspaceconnector.spi.types.domain.DataAddress; -import org.eclipse.dataspaceconnector.spi.types.domain.asset.Asset; -import org.eclipse.dataspaceconnector.spi.types.domain.contract.offer.ContractDefinition; -import org.eclipse.dataspaceconnector.spi.types.domain.transfer.TransferProcess; - -@Consumes({MediaType.APPLICATION_JSON}) -@Produces({MediaType.APPLICATION_JSON}) -@Path("/v1") -public class ControlPlaneController { - private final Monitor monitor; - private final AssetLoader assetLoader; - private final ContractDefinitionStore contractDefinitionStore; - private final TransferProcessStore transferProcessStore; - - public ControlPlaneController( - Monitor monitor, - AssetLoader assetLoader, - ContractDefinitionStore contractDefinitionStore, - TransferProcessStore transferProcessStore) { - this.monitor = monitor; - this.assetLoader = assetLoader; - this.contractDefinitionStore = contractDefinitionStore; - this.transferProcessStore = transferProcessStore; - } 
- - // TODO: most of these api will be replaced by data management api - @Path("/assets") - @POST - public String createAsset(AssetEntryDto assetEntry) { - var assetProperties = assetEntry.asset.properties; - var asset = Asset.Builder.newInstance().properties(assetProperties).build(); - - var dataAddressProperties = assetEntry.dataAddress.properties; - var dataAddress = DataAddress.Builder.newInstance().properties(dataAddressProperties).build(); - monitor.debug("Create asset: " + asset.getId()); - assetLoader.accept(asset, dataAddress); - return asset.getId(); - } - - @Path("/contractdefinitions") - @POST - public void createContractDefinition(ContractDefinition definition) { - monitor.debug("Create contract definition: " + definition.getId()); - contractDefinitionStore.save(definition); - } - - @Path("/transfers/{id}") - @GET - public TransferProcess getTransferProcess(@PathParam("id") String id) { - return transferProcessStore.find(id); - } - - private static class AssetDto { - - public AssetDto() {} - - Map properties; - - public Map getProperties() { - return properties; - } - - public void setProperties(Map properties) { - this.properties = properties; - } - } - - private static class DataAddressDto { - - public DataAddressDto() {} - - Map properties; - - public Map getProperties() { - return properties; - } - - public void setProperties(Map properties) { - this.properties = properties; - } - } - - private static class AssetEntryDto { - - public AssetEntryDto() {} - - private AssetDto asset; - - private DataAddressDto dataAddress; - - public AssetDto getAsset() { - return asset; - } - - public void setAsset(AssetDto asset) { - this.asset = asset; - } - - public DataAddressDto getDataAddress() { - return dataAddress; - } - - public void setDataAddress(DataAddressDto dataAddress) { - this.dataAddress = dataAddress; - } - } -} 
diff --git a/edc-extensions/aas-controller/src/main/java/net/catenax/edc/controlplane/ControlPlaneExtension.java b/edc-extensions/aas-controller/src/main/java/net/catenax/edc/controlplane/ControlPlaneExtension.java deleted file mode 100644 index 4e5791c26..000000000 --- a/edc-extensions/aas-controller/src/main/java/net/catenax/edc/controlplane/ControlPlaneExtension.java +++ /dev/null @@ -1,46 +0,0 @@ -/* - * Copyright (c) 2022 Mercedes-Benz Tech Innovation GmbH - * - * This program and the accompanying materials are made available under the - * terms of the Apache License, Version 2.0 which is available at - * https://www.apache.org/licenses/LICENSE-2.0 - * - * SPDX-License-Identifier: Apache-2.0 - * - * Contributors: - * Mercedes-Benz Tech Innovation GmbH - Initial API and Implementation - * - */ - -package net.catenax.edc.controlplane; - -import org.eclipse.dataspaceconnector.dataloading.AssetLoader; -import org.eclipse.dataspaceconnector.spi.WebService; -import org.eclipse.dataspaceconnector.spi.contract.offer.store.ContractDefinitionStore; -import org.eclipse.dataspaceconnector.spi.system.Inject; -import org.eclipse.dataspaceconnector.spi.system.ServiceExtension; -import org.eclipse.dataspaceconnector.spi.system.ServiceExtensionContext; -import org.eclipse.dataspaceconnector.spi.transfer.store.TransferProcessStore; - -public class ControlPlaneExtension implements ServiceExtension { - - @Inject private WebService webService; - - @Inject private AssetLoader assetLoader; - - @Inject private ContractDefinitionStore contractDefinitionStore; - - @Inject private TransferProcessStore transferProcessStore; - - @Override - public String name() { - return "Control Plane"; - } - - @Override - public void initialize(ServiceExtensionContext context) { - webService.registerResource( - new ControlPlaneController( - context.getMonitor(), assetLoader, contractDefinitionStore, transferProcessStore)); - } -} 
diff --git a/edc-extensions/business-partner-validation/pom.xml b/edc-extensions/business-partner-validation/pom.xml index 54e2360f0..0da4b1757 100644 --- a/edc-extensions/business-partner-validation/pom.xml +++ b/edc-extensions/business-partner-validation/pom.xml @@ -12,14 +12,15 @@ Mercedes-Benz Tech Innovation GmbH - Initial POM --> - - 4.0.0 - + net.catenax.edc.extensions edc-extensions - 0.0.3 + 0.0.4 + 4.0.0 + business-partner-validation jar @@ -40,6 +41,21 @@ + + + + org.apache.maven.plugins + maven-source-plugin + + + attach-sources + + jar + + + + + @@ -52,23 +68,13 @@ org.junit.jupiter - junit-jupiter-engine - - - org.junit.jupiter - junit-jupiter-api - - - org.junit.jupiter - junit-jupiter-params - - - org.junit.platform - junit-platform-suite + junit-jupiter + test org.mockito - mockito-all + mockito-core + test - \ No newline at end of file + diff --git a/edc-extensions/business-partner-validation/src/test/java/net/catenax/edc/validation/businesspartner/BusinessPartnerValidationExtensionTest.java b/edc-extensions/business-partner-validation/src/test/java/net/catenax/edc/validation/businesspartner/BusinessPartnerValidationExtensionTest.java index 44086fc39..79dd839d8 100644 --- a/edc-extensions/business-partner-validation/src/test/java/net/catenax/edc/validation/businesspartner/BusinessPartnerValidationExtensionTest.java +++ b/edc-extensions/business-partner-validation/src/test/java/net/catenax/edc/validation/businesspartner/BusinessPartnerValidationExtensionTest.java 
@@ -25,20 +25,19 @@ import org.junit.jupiter.api.Test; import org.mockito.Mockito; -public class BusinessPartnerValidationExtensionTest { +class BusinessPartnerValidationExtensionTest { private BusinessPartnerValidationExtension extension; // mocks private ServiceExtensionContext serviceExtensionContext; private PolicyEngine policyEngine; - private RuleBindingRegistry ruleBindingRegistry; @BeforeEach - public void setup() { + void setup() { policyEngine = Mockito.mock(PolicyEngine.class); - ruleBindingRegistry = Mockito.mock(RuleBindingRegistry.class); + RuleBindingRegistry ruleBindingRegistry = Mockito.mock(RuleBindingRegistry.class); final Monitor monitor = Mockito.mock(Monitor.class); serviceExtensionContext = Mockito.mock(ServiceExtensionContext.class); @@ -52,7 +51,7 @@ public void setup() { } @Test - public void testRegisterDutyFunction() { + void testRegisterDutyFunction() { // invoke extension.initialize(serviceExtensionContext); @@ -67,7 +66,7 @@ public void testRegisterDutyFunction() { } @Test - public void testRegisterPermissionFunction() { + void testRegisterPermissionFunction() { // invoke extension.initialize(serviceExtensionContext); @@ -82,7 +81,7 @@ public void testRegisterPermissionFunction() { } @Test - public void testRegisterProhibitionFunction() { + void testRegisterProhibitionFunction() { // invoke extension.initialize(serviceExtensionContext); diff --git a/edc-extensions/business-partner-validation/src/test/java/net/catenax/edc/validation/businesspartner/functions/AbstractBusinessPartnerValidationTest.java b/edc-extensions/business-partner-validation/src/test/java/net/catenax/edc/validation/businesspartner/functions/AbstractBusinessPartnerValidationTest.java index 8bf70c247..451e79868 100644 --- a/edc-extensions/business-partner-validation/src/test/java/net/catenax/edc/validation/businesspartner/functions/AbstractBusinessPartnerValidationTest.java 
+++ b/edc-extensions/business-partner-validation/src/test/java/net/catenax/edc/validation/businesspartner/functions/AbstractBusinessPartnerValidationTest.java @@ -27,7 +27,7 @@ import org.junit.jupiter.params.provider.EnumSource; import org.mockito.Mockito; -public class AbstractBusinessPartnerValidationTest { +class AbstractBusinessPartnerValidationTest { private AbstractBusinessPartnerValidation validation; @@ -37,7 +37,7 @@ public class AbstractBusinessPartnerValidationTest { private ParticipantAgent participantAgent; @BeforeEach - public void BeforeEach() { + void BeforeEach() { this.monitor = Mockito.mock(Monitor.class); this.policyContext = Mockito.mock(PolicyContext.class); this.participantAgent = Mockito.mock(ParticipantAgent.class); @@ -49,7 +49,7 @@ public void BeforeEach() { @ParameterizedTest @EnumSource(Operator.class) - public void testThrowsOnUnsupportedOperations(Operator operator) { + void testThrowsOnUnsupportedOperations(Operator operator) { if (operator == Operator.EQ) { // only allowed operator return; @@ -66,7 +66,7 @@ public void testThrowsOnUnsupportedOperations(Operator operator) { } @Test - public void testThrowsOnUnsupportedRightValue() { + void testThrowsOnUnsupportedRightValue() { // prepare prepareContextProblems(null); @@ -82,7 +82,7 @@ public void testThrowsOnUnsupportedRightValue() { } @Test - public void testValidationFailsWhenClaimMissing() { + void testValidationFailsWhenClaimMissing() { // prepare prepareContextProblems(null); @@ -95,7 +95,7 @@ public void testValidationFailsWhenClaimMissing() { } @Test - public void testValidationSuccedesWhenClaimContainsNumber() { + void testValidationSuccedesWhenClaimContainsNumber() { // prepare prepareContextProblems(null); 
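Review bot: The setup method in the `@@ -37,7 +37,7 @@` hunk keeps the name `BeforeEach()`, capitalized like the annotation it carries, which breaks Java method naming and reads as if the annotation were repeated; `void setup() {` would match the sibling `BusinessPartnerValidationExtensionTest` changed earlier in this diff. The same visibility pass touches `testValidationSuccedesWhenClaimContainsNumber` in the `@@ -95,7 +95,7 @@` hunk, where the typo could be corrected to `testValidationSucceedsWhenClaimContainsNumber` in the same commit.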
@@ -114,7 +114,7 @@ public void testValidationSuccedesWhenClaimContainsNumber() { } @Test - public void testValidationWhenParticipantHasProblems() { + void testValidationWhenParticipantHasProblems() { // prepare prepareContextProblems(Collections.singletonList("big problem")); @@ -128,7 +128,7 @@ public void testValidationWhenParticipantHasProblems() { } @Test - public void testValidationWhenParticipantIsValid() { + void testValidationWhenParticipantIsValid() { // prepare prepareContextProblems(null); diff --git a/edc-extensions/hashicorp-vault/README.md b/edc-extensions/hashicorp-vault/README.md new file mode 100644 index 000000000..5eea7a23c --- /dev/null +++ b/edc-extensions/hashicorp-vault/README.md @@ -0,0 +1,9 @@ +# [HashiCorp Vault](https://www.vaultproject.io/) Extension + +## Configuration + +| Key | Description | Mandatory | +|:---|:---|---| +| edc.vault.hashicorp.url | URL to connect to the HashiCorp Vault | X | +| edc.vault.hashicorp.token | Value for [Token Authentication](https://www.vaultproject.io/docs/auth/token) with the vault | X | +| edc.vault.hashicorp.timeout.seconds | Request timeout in seconds when contacting the vault (default: 30) | | diff --git a/edc-extensions/hashicorp-vault/pom.xml b/edc-extensions/hashicorp-vault/pom.xml new file mode 100644 index 000000000..62d392c2f --- /dev/null +++ b/edc-extensions/hashicorp-vault/pom.xml 
@@ -0,0 +1,218 @@ + + + + + net.catenax.edc.extensions + edc-extensions + 0.0.4 + + 4.0.0 + + hashicorp-vault + jar + + + ${project.basedir}/src/main/java + ${originalSourceDirectory} + ${project.build.directory}/delombok + + + + ${sourceDirectory} + + + + src/main/resources + + **/* + + + + ../../ + META-INF + + NOTICE.md + LICENSE + + + + + + + org.apache.maven.plugins + maven-compiler-plugin + + ${maven.compiler.source} + ${maven.compiler.target} + ${project.build.sourceEncoding} + + + org.projectlombok + lombok + ${org.projectlombok.lombok.version} + + + + + + + org.projectlombok + lombok-maven-plugin + ${org.projectlombok.lombok.maven.plugin.version} + + + generate-sources + + delombok + + + + + ${originalSourceDirectory} + ${delombokSourceDirectory} + false + UTF-8 + + skip + + + + + org.apache.maven.plugins + maven-source-plugin + + + attach-sources + + jar + + + + + + + + + + + org.eclipse.dataspaceconnector + core-spi + + + org.eclipse.dataspaceconnector + junit-extension + test + + + org.eclipse.dataspaceconnector + junit-extension + test-fixtures + test + + + + + org.projectlombok + lombok + + + org.bouncycastle + bcpkix-jdk15on + + + com.squareup.okhttp3 + okhttp + + + + + org.junit.jupiter + junit-jupiter + test + + + org.mockito + mockito-core + test + + + org.mockito + mockito-inline + test + + + org.testcontainers + junit-jupiter + test + + + org.testcontainers + vault + ${org.testcontainers.version} + test + + + ch.qos.logback + logback-core + test + + + org.slf4j + slf4j-api + test + + + org.slf4j + jul-to-slf4j + test + + + org.hamcrest + hamcrest + 2.2 + test + + + + + + delombok + + ${delombokSourceDirectory} + + + + + failsafe + + + + org.apache.maven.plugins + maven-failsafe-plugin + + + + integration-test + verify + + + + + + + + + 
diff --git a/edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpCertificateResolver.java b/edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpCertificateResolver.java new file mode 100644 index 000000000..f067aec92 --- /dev/null +++ b/edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpCertificateResolver.java 
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 2022 Mercedes-Benz Tech Innovation GmbH
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Apache License, Version 2.0 which is available at
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Contributors:
+ * Mercedes-Benz Tech Innovation GmbH - Initial API and Implementation
+ *
+ */
+
+package net.catenax.edc.hashicorpvault;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.charset.StandardCharsets;
+import java.security.cert.X509Certificate;
+import lombok.NonNull;
+import lombok.RequiredArgsConstructor;
+import org.eclipse.dataspaceconnector.spi.EdcException;
+import org.eclipse.dataspaceconnector.spi.monitor.Monitor;
+import org.eclipse.dataspaceconnector.spi.security.CertificateResolver;
+import org.eclipse.dataspaceconnector.spi.security.Vault;
+
+/** Resolves an X.509 certificate in Hashicorp vault. */
+@RequiredArgsConstructor
+public class HashicorpCertificateResolver implements CertificateResolver {
+ @NonNull private final Vault vault;
+ @NonNull private final Monitor monitor;
+
+ @Override
+ public X509Certificate resolveCertificate(@NonNull String id) {
+ String certificateRepresentation = vault.resolveSecret(id);
+ if (certificateRepresentation == null) {
+ return null;
+ }
+ try (InputStream inputStream =
+ new ByteArrayInputStream(certificateRepresentation.getBytes(StandardCharsets.UTF_8))) {
+ X509Certificate x509Certificate = PemUtil.readX509Certificate(inputStream);
+ if (x509Certificate == null) {
+ monitor.warning(
+ String.format("Expected PEM certificate on key %s, but value not PEM.", id));
+ }
+ return x509Certificate;
+ } catch (IOException e) {
+ throw new EdcException(e.getMessage(), e);
+ }
+ }
+}
diff --git a/edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVault.java b/edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVault.java new file mode 100644 index 000000000..6fe484081 --- /dev/null +++ b/edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVault.java 
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 2022 Mercedes-Benz Tech Innovation GmbH
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Apache License, Version 2.0 which is available at
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Contributors:
+ * Mercedes-Benz Tech Innovation GmbH - Initial API and Implementation
+ *
+ */
+
+package net.catenax.edc.hashicorpvault;
+
+import lombok.NonNull;
+import lombok.RequiredArgsConstructor;
+import org.eclipse.dataspaceconnector.spi.monitor.Monitor;
+import org.eclipse.dataspaceconnector.spi.result.Result;
+import org.eclipse.dataspaceconnector.spi.security.Vault;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
+
+/** Implements a vault backed by Hashicorp Vault. */
+@RequiredArgsConstructor
+class HashicorpVault implements Vault {
+
+ @NonNull private final HashicorpVaultClient hashicorpVaultClient;
+ @NonNull private final Monitor monitor;
+
+ @Override
+ public @Nullable String resolveSecret(@NonNull String key) {
+ Result result = hashicorpVaultClient.getSecretValue(key);
+
+ return result.succeeded() ? result.getContent() : null;
+ }
+
+ @Override
+ @NotNull
+ public Result storeSecret(@NotNull @NonNull String key, @NotNull @NonNull String value) {
+ Result result =
+ hashicorpVaultClient.setSecret(key, value);
+
+ return result.succeeded() ? Result.success() : Result.failure(result.getFailureMessages());
+ }
+
+ @Override
+ public Result deleteSecret(@NotNull @NonNull String key) {
+ return hashicorpVaultClient.destroySecret(key);
+ }
+}
diff --git a/edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVaultClient.java b/edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVaultClient.java
new file mode 100644
index 000000000..251633c5a
--- /dev/null
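Review bot: `resolveSecret` discards the failure reason: every non-success `Result` from `getSecretValue` — a 403 from a wrong or expired token, a connection error, a 5xx — collapses to `null`, which callers cannot tell apart from a secret that simply does not exist, and the injected `monitor` field is never used. Log the failure before returning, e.g. `if (result.failed()) { monitor.debug(String.format("Secret %s could not be resolved: %s", key, result.getFailureMessages())); }`; the failure messages produced by `HashicorpVaultClient` carry only HTTP status codes or exception text, never the secret value, so this is safe to log. As a point of style, `storeSecret` and `deleteSecret` stack `@NotNull` (jetbrains) and `@NonNull` (lombok) on the same parameters while `resolveSecret` uses only `@NonNull`; one convention for the class would be enough.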
+++ b/edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVaultClient.java 
@@ -0,0 +1,162 @@ +/* + * Copyright (c) 2022 Mercedes-Benz Tech Innovation GmbH + * + * This program and the accompanying materials are made available under the + * terms of the Apache License, Version 2.0 which is available at + * https://www.apache.org/licenses/LICENSE-2.0 + * + * SPDX-License-Identifier: Apache-2.0 + * + * Contributors: + * Mercedes-Benz Tech Innovation GmbH - Initial API and Implementation + * + */ + +package net.catenax.edc.hashicorpvault; + +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.ObjectMapper; +import java.io.IOException; +import java.net.URI; +import java.net.URLEncoder; +import java.nio.charset.StandardCharsets; +import java.util.Collections; +import java.util.Objects; +import lombok.NonNull; +import lombok.RequiredArgsConstructor; +import okhttp3.Headers; +import okhttp3.MediaType; +import okhttp3.OkHttpClient; +import okhttp3.Request; +import okhttp3.RequestBody; +import okhttp3.Response; +import org.eclipse.dataspaceconnector.spi.result.Result; +import org.jetbrains.annotations.NotNull; + +@RequiredArgsConstructor +class HashicorpVaultClient { + static final String VAULT_DATA_ENTRY_NAME = "content"; + private static final String VAULT_TOKEN_HEADER = "X-Vault-Token"; + private static final String VAULT_REQUEST_HEADER = "X-Vault-Request"; + private static final MediaType MEDIA_TYPE_APPLICATION_JSON = MediaType.get("application/json"); + private static final String VAULT_API_VERSION = "v1"; + private static final String VAULT_SECRET_PATH = "secret"; + private static final String VAULT_SECRET_DATA_PATH = "data"; + private static final String VAULT_SECRET_METADATA_PATH = "metadata"; + private static final String CALL_UNSUCCESSFUL_ERROR_TEMPLATE = "Call unsuccessful: %s"; + @NonNull private final HashicorpVaultClientConfig config; + @NonNull private final OkHttpClient okHttpClient; + @NonNull private final ObjectMapper objectMapper; + + Result getSecretValue(@NonNull String key) { + 
String requestURI = getSecretUrl(key, VAULT_SECRET_DATA_PATH); + Headers headers = getHeaders(); + Request request = new Request.Builder().url(requestURI).headers(headers).get().build(); + + try (Response response = okHttpClient.newCall(request).execute()) { + + if (response.isSuccessful()) { + if (response.code() == 404) { + return Result.failure( + String.format(CALL_UNSUCCESSFUL_ERROR_TEMPLATE, "Secret not found")); + } + + String responseBody = Objects.requireNonNull(response.body()).string(); + HashicorpVaultGetEntryResponsePayload payload = + objectMapper.readValue(responseBody, HashicorpVaultGetEntryResponsePayload.class); + String value = + Objects.requireNonNull(payload.getData().getData().get(VAULT_DATA_ENTRY_NAME)); + + return Result.success(value); + } else { + return Result.failure(String.format(CALL_UNSUCCESSFUL_ERROR_TEMPLATE, response.code())); + } + + } catch (IOException e) { + return Result.failure(e.getMessage()); + } + } + + Result setSecret( + @NonNull String key, @NonNull String value) { + String requestURI = getSecretUrl(key, VAULT_SECRET_DATA_PATH); + Headers headers = getHeaders(); + HashicorpVaultCreateEntryRequestPayload requestPayload = + HashicorpVaultCreateEntryRequestPayload.builder() + .data(Collections.singletonMap(VAULT_DATA_ENTRY_NAME, value)) + .build(); + Request request = + new Request.Builder() + .url(requestURI) + .headers(headers) + .post(createRequestBody(requestPayload)) + .build(); + + try (Response response = okHttpClient.newCall(request).execute()) { + if (response.isSuccessful()) { + String responseBody = Objects.requireNonNull(response.body()).string(); + HashicorpVaultCreateEntryResponsePayload responsePayload = + objectMapper.readValue(responseBody, HashicorpVaultCreateEntryResponsePayload.class); + return Result.success(responsePayload); + } else { + return Result.failure(String.format(CALL_UNSUCCESSFUL_ERROR_TEMPLATE, response.code())); + } + } catch (IOException e) { + return Result.failure(e.getMessage()); + } 
+ } + + Result destroySecret(@NonNull String key) { + String requestURI = getSecretUrl(key, VAULT_SECRET_METADATA_PATH); + Headers headers = getHeaders(); + Request request = new Request.Builder().url(requestURI).headers(headers).delete().build(); + + try (Response response = okHttpClient.newCall(request).execute()) { + return response.isSuccessful() || response.code() == 404 + ? Result.success() + : Result.failure(String.format(CALL_UNSUCCESSFUL_ERROR_TEMPLATE, response.code())); + } catch (IOException e) { + return Result.failure(e.getMessage()); + } + } + + @NotNull + private Headers getHeaders() { + Headers.Builder headersBuilder = + new Headers.Builder().add(VAULT_REQUEST_HEADER, Boolean.toString(true)); + if (config.getVaultToken() != null) { + headersBuilder = headersBuilder.add(VAULT_TOKEN_HEADER, config.getVaultToken()); + } + return headersBuilder.build(); + } + + private String getBaseUrl() { + String baseUrl = config.getVaultUrl(); + + if (baseUrl.endsWith("/")) { + baseUrl = baseUrl.substring(0, baseUrl.length() - 1); + } + + return baseUrl; + } + + private String getSecretUrl(String key, String entryType) { + + key = URLEncoder.encode(key, StandardCharsets.UTF_8); + return URI.create( + String.format( + "%s/%s/%s/%s/%s", + getBaseUrl(), VAULT_API_VERSION, VAULT_SECRET_PATH, entryType, key)) + .toString(); + } + + private RequestBody createRequestBody(Object requestPayload) { + String jsonRepresentation; + try { + jsonRepresentation = objectMapper.writeValueAsString(requestPayload); + } catch (JsonProcessingException e) { + throw new HashicorpVaultException(e.getMessage(), e); + } + return RequestBody.create(jsonRepresentation, MEDIA_TYPE_APPLICATION_JSON); + } +} diff --git a/edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVaultClientConfig.java b/edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVaultClientConfig.java new file mode 100644 index 000000000..2b3c886f7 --- /dev/null 
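Review bot: The `Secret not found` branch in `getSecretValue` is unreachable: OkHttp's `Response.isSuccessful()` is true only for 2xx codes, so a 404 never enters the outer `if` and is reported as `Call unsuccessful: 404` by the else branch. Test the status first, `if (response.code() == 404) { return Result.failure(String.format(CALL_UNSUCCESSFUL_ERROR_TEMPLATE, "Secret not found")); }`, and only then `if (response.isSuccessful())`; `destroySecret` further down already treats 404 as its own case. Separately, `Objects.requireNonNull(payload.getData().getData().get(VAULT_DATA_ENTRY_NAME))` throws `NullPointerException` out of the method when the secret exists but has no `content` field, because only `IOException` is caught; returning `Result.failure` there would keep the error path uniform for `HashicorpVault`. A class comment should also state that the client is hard-wired to a KV v2 engine mounted at `secret` (`VAULT_SECRET_PATH`) and that `getSecretUrl` form-encodes the key with `URLEncoder`, so a key containing `/` is sent as `%2F` rather than as a nested path — worth confirming against how keys are provisioned.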
+++ b/edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVaultClientConfig.java
@@ -0,0 +1,29 @@
+/*
+ * Copyright (c) 2022 Mercedes-Benz Tech Innovation GmbH
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Apache License, Version 2.0 which is available at
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Contributors:
+ * Mercedes-Benz Tech Innovation GmbH - Initial API and Implementation
+ *
+ */
+
+package net.catenax.edc.hashicorpvault;
+
+import java.time.Duration;
+import lombok.Builder;
+import lombok.Getter;
+import lombok.RequiredArgsConstructor;
+
+@Builder
+@Getter
+@RequiredArgsConstructor
+class HashicorpVaultClientConfig {
+ private final String vaultUrl;
+ private final String vaultToken;
+ private final Duration timeout;
+}
diff --git a/edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVaultCreateEntryRequestPayload.java b/edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVaultCreateEntryRequestPayload.java
new file mode 100644
index 000000000..4882c5477
--- /dev/null
+++ b/edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVaultCreateEntryRequestPayload.java
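Review bot: `vaultToken` is a bearer credential, yet nothing in `HashicorpVaultClientConfig` marks it as such, and the builder class Lombok generates for `@Builder` carries, if I read the Lombok docs right, a `toString()` over every field, so a logged builder would print the token. Add `@ToString(exclude = "vaultToken")` on the class so any future `toString()` is safe by default, and a field comment such as `// Vault token: credential, must never be logged or serialized`. A short class Javadoc naming the three `edc.vault.hashicorp.*` settings the fields are loaded from would also help, since the class currently has none.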
@@ -0,0 +1,47 @@ +/* + * Copyright (c) 2022 Mercedes-Benz Tech Innovation GmbH + * + * This program and the accompanying materials are made available under the + * terms of the Apache License, Version 2.0 which is available at + * https://www.apache.org/licenses/LICENSE-2.0 + * + * SPDX-License-Identifier: Apache-2.0 + * + * Contributors: + * Mercedes-Benz Tech Innovation GmbH - Initial API and Implementation + * + */ + +package net.catenax.edc.hashicorpvault; + +import com.fasterxml.jackson.annotation.JsonIgnoreProperties; +import com.fasterxml.jackson.annotation.JsonProperty; +import java.util.Map; +import lombok.AllArgsConstructor; +import lombok.Builder; +import lombok.Data; +import lombok.NoArgsConstructor; + +@Builder +@NoArgsConstructor +@AllArgsConstructor +@Data +@JsonIgnoreProperties(ignoreUnknown = true) +class HashicorpVaultCreateEntryRequestPayload { + + @JsonProperty("options") + private Options options; + + @JsonProperty("data") + private Map data; + + @Builder + @NoArgsConstructor + @AllArgsConstructor + @Data + @JsonIgnoreProperties(ignoreUnknown = true) + static class Options { + @JsonProperty("cas") + private Integer cas; + } +} diff --git a/edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVaultCreateEntryResponsePayload.java b/edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVaultCreateEntryResponsePayload.java new file mode 100644 index 000000000..0818c77a7 --- /dev/null +++ b/edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVaultCreateEntryResponsePayload.java 
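Review bot: `@Data` generates a `toString()` on `HashicorpVaultCreateEntryRequestPayload` that prints the `data` map, and `HashicorpVaultClient.setSecret` places the plaintext secret value in that map under `content`, so any log or exception message that renders the payload would leak the secret. Mark the field `@ToString.Exclude` (or put `@ToString(exclude = "data")` on the class) so the generated `toString()` omits it. The nested `Options.cas` field is declared but `setSecret` never populates it, so no check-and-set version is ever sent; either document that CAS is intentionally unused or leave the nested class out until it is wired up.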
@@ -0,0 +1,33 @@ +/* + * Copyright (c) 2022 Mercedes-Benz Tech Innovation GmbH + * + * This program and the accompanying materials are made available under the + * terms of the Apache License, Version 2.0 which is available at + * https://www.apache.org/licenses/LICENSE-2.0 + * + * SPDX-License-Identifier: Apache-2.0 + * + * Contributors: + * Mercedes-Benz Tech Innovation GmbH - Initial API and Implementation + * + */ + +package net.catenax.edc.hashicorpvault; + +import com.fasterxml.jackson.annotation.JsonIgnoreProperties; +import com.fasterxml.jackson.annotation.JsonProperty; +import lombok.AllArgsConstructor; +import lombok.Builder; +import lombok.Data; +import lombok.NoArgsConstructor; + +@Builder +@NoArgsConstructor +@AllArgsConstructor +@Data +@JsonIgnoreProperties(ignoreUnknown = true) +class HashicorpVaultCreateEntryResponsePayload { + + @JsonProperty("data") + private HashicorpVaultEntryMetadata data; +} diff --git a/edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVaultEntryMetadata.java b/edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVaultEntryMetadata.java new file mode 100644 index 000000000..ce9f16b7b --- /dev/null +++ b/edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVaultEntryMetadata.java 
@@ -0,0 +1,40 @@ +/* + * Copyright (c) 2022 Mercedes-Benz Tech Innovation GmbH + * + * This program and the accompanying materials are made available under the + * terms of the Apache License, Version 2.0 which is available at + * https://www.apache.org/licenses/LICENSE-2.0 + * + * SPDX-License-Identifier: Apache-2.0 + * + * Contributors: + * Mercedes-Benz Tech Innovation GmbH - Initial API and Implementation + * + */ + +package net.catenax.edc.hashicorpvault; + +import com.fasterxml.jackson.annotation.JsonIgnoreProperties; +import com.fasterxml.jackson.annotation.JsonProperty; +import java.util.Map; +import lombok.AllArgsConstructor; +import lombok.Builder; +import lombok.Data; +import lombok.NoArgsConstructor; + +@Builder +@NoArgsConstructor +@AllArgsConstructor +@Data +@JsonIgnoreProperties(ignoreUnknown = true) +class HashicorpVaultEntryMetadata { + + @JsonProperty("custom_metadata") + private Map customMetadata; + + @JsonProperty("destroyed") + private Boolean destroyed; + + @JsonProperty("version") + private Integer version; +} diff --git a/edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVaultException.java b/edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVaultException.java new file mode 100644 index 000000000..af106bb58 --- /dev/null +++ b/edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVaultException.java 
@@ -0,0 +1,28 @@
+/*
+ * Copyright (c) 2022 Mercedes-Benz Tech Innovation GmbH
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Apache License, Version 2.0 which is available at
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Contributors:
+ * Mercedes-Benz Tech Innovation GmbH - Initial API and Implementation
+ *
+ */
+
+package net.catenax.edc.hashicorpvault;
+
+import org.eclipse.dataspaceconnector.spi.EdcException;
+
+public class HashicorpVaultException extends EdcException {
+
+ public HashicorpVaultException(String message) {
+ super(message);
+ }
+
+ public HashicorpVaultException(String message, Throwable cause) {
+ super(message, cause);
+ }
+}
diff --git a/edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVaultExtension.java b/edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVaultExtension.java
new file mode 100644
index 000000000..6d886ac06
--- /dev/null
+++ b/edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVaultExtension.java
@@ -0,0 +1,111 @@ +/* + * Copyright (c) 2022 Mercedes-Benz Tech Innovation GmbH + * + * This program and the accompanying materials are made available under the + * terms of the Apache License, Version 2.0 which is available at + * https://www.apache.org/licenses/LICENSE-2.0 + * + * SPDX-License-Identifier: Apache-2.0 + * + * Contributors: + * Mercedes-Benz Tech Innovation GmbH - Initial API and Implementation + * + */ + +package net.catenax.edc.hashicorpvault; + +import java.time.Duration; +import okhttp3.OkHttpClient; +import org.eclipse.dataspaceconnector.spi.EdcException; +import org.eclipse.dataspaceconnector.spi.EdcSetting; +import org.eclipse.dataspaceconnector.spi.security.CertificateResolver; +import org.eclipse.dataspaceconnector.spi.security.PrivateKeyResolver; +import org.eclipse.dataspaceconnector.spi.security.Vault; +import org.eclipse.dataspaceconnector.spi.security.VaultPrivateKeyResolver; +import org.eclipse.dataspaceconnector.spi.system.ServiceExtensionContext; +import org.eclipse.dataspaceconnector.spi.system.VaultExtension; + +public class HashicorpVaultExtension implements VaultExtension { + + @EdcSetting(required = true) + public static final String VAULT_URL = "edc.vault.hashicorp.url"; + + @EdcSetting(required = true) + public static final String VAULT_TOKEN = "edc.vault.hashicorp.token"; + + @EdcSetting + private static final String VAULT_TIMEOUT_SECONDS = "edc.vault.hashicorp.timeout.seconds"; + + private Vault vault; + private CertificateResolver certificateResolver; + private PrivateKeyResolver privateKeyResolver; + + @Override + public String name() { + return "Hashicorp Vault"; + } + + @Override + public Vault getVault() { + return vault; + } + + @Override + public PrivateKeyResolver getPrivateKeyResolver() { + return privateKeyResolver; + } + + @Override + public CertificateResolver getCertificateResolver() { + return certificateResolver; + } + + @Override + public void initializeVault(ServiceExtensionContext context) { + 
HashicorpVaultClientConfig config = loadHashicorpVaultClientConfig(context); + + OkHttpClient okHttpClient = createOkHttpClient(config); + HashicorpVaultClient client = + new HashicorpVaultClient(config, okHttpClient, context.getTypeManager().getMapper()); + + vault = new HashicorpVault(client, context.getMonitor()); + certificateResolver = new HashicorpCertificateResolver(vault, context.getMonitor()); + privateKeyResolver = new VaultPrivateKeyResolver(vault); + + context.getMonitor().info("HashicorpVaultExtension: authentication/initialization complete."); + } + + private OkHttpClient createOkHttpClient(HashicorpVaultClientConfig config) { + OkHttpClient.Builder builder = + new OkHttpClient.Builder() + .callTimeout(config.getTimeout()) + .readTimeout(config.getTimeout()); + + return builder.build(); + } + + private HashicorpVaultClientConfig loadHashicorpVaultClientConfig( + ServiceExtensionContext context) { + + String vaultUrl = context.getSetting(VAULT_URL, null); + if (vaultUrl == null) { + throw new HashicorpVaultException(String.format("Vault URL (%s) must be defined", VAULT_URL)); + } + + int vaultTimeoutSeconds = Math.max(0, context.getSetting(VAULT_TIMEOUT_SECONDS, 30)); + Duration vaultTimeoutDuration = Duration.ofSeconds(vaultTimeoutSeconds); + + String vaultToken = context.getSetting(VAULT_TOKEN, null); + + if (vaultToken == null) { + throw new EdcException( + String.format("For Vault authentication [%s] is required", VAULT_TOKEN)); + } + + return HashicorpVaultClientConfig.builder() + .vaultUrl(vaultUrl) + .vaultToken(vaultToken) + .timeout(vaultTimeoutDuration) + .build(); + } +} diff --git a/edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVaultGetEntryResponsePayload.java b/edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVaultGetEntryResponsePayload.java new file mode 100644 index 000000000..712c92421 --- /dev/null 
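Review bot: `loadHashicorpVaultClientConfig` accepts any `edc.vault.hashicorp.url` value, so a plain `http://` URL is used as-is and the Vault token then travels in cleartext on every request (the integration test in this commit does exactly that against a local container, which is fine there but not in a deployment). I would at least warn, right after the null check: `if (!vaultUrl.toLowerCase().startsWith("https://")) { context.getMonitor().warning(String.format("Vault URL (%s) is not https; the Vault token will be sent unencrypted", VAULT_URL)); }`. Separately, `Math.max(0, …)` turns any negative `edc.vault.hashicorp.timeout.seconds` into 0, and OkHttp treats a 0 `callTimeout`/`readTimeout` as "no timeout", so a bad value silently disables the timeout instead of falling back to the 30 s default — reject or clamp to the default instead. Minor: a missing URL throws `HashicorpVaultException` while a missing token throws a bare `EdcException`; the two checks should throw the same type.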
+++ b/edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/HashicorpVaultGetEntryResponsePayload.java
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 2022 Mercedes-Benz Tech Innovation GmbH
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Apache License, Version 2.0 which is available at
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Contributors:
+ * Mercedes-Benz Tech Innovation GmbH - Initial API and Implementation
+ *
+ */
+
+package net.catenax.edc.hashicorpvault;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import java.util.Map;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+
+@Builder
+@NoArgsConstructor
+@AllArgsConstructor
+@Data
+@JsonIgnoreProperties(ignoreUnknown = true)
+class HashicorpVaultGetEntryResponsePayload {
+
+ @JsonProperty("data")
+ private GetVaultEntryData data;
+
+ @Builder
+ @NoArgsConstructor
+ @AllArgsConstructor
+ @Data
+ @JsonIgnoreProperties(ignoreUnknown = true)
+ static class GetVaultEntryData {
+
+ @JsonProperty("data")
+ private Map data;
+
+ @JsonProperty("metadata")
+ private HashicorpVaultEntryMetadata metadata;
+ }
+}
diff --git a/edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/PemUtil.java b/edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/PemUtil.java
new file mode 100644
index 000000000..8e72fdfb1
--- /dev/null
+++ b/edc-extensions/hashicorp-vault/src/main/java/net/catenax/edc/hashicorpvault/PemUtil.java
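Review bot: `GetVaultEntryData.data` holds the secret material Vault returns (presumably what `getSecretValue` extracts), yet `@Data` generates a `toString()` that prints the whole map, so any log line, exception message or debugger dump of this payload leaks the secret — and the client unit test in this commit already calls `payload.toString()`. Annotate the field with `@ToString.Exclude` (import `lombok.ToString`) so the generated `toString()` omits it, or replace `@Data` on the nested class with `@Getter`/`@Setter` and hand-write a redacting `toString()`. The listing shows `Map data` without type arguments; if that is not a rendering artifact, `Map<String, String>` matches what a KV-v2 `data` object carries.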
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 2022 Mercedes-Benz Tech Innovation GmbH
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Apache License, Version 2.0 which is available at
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Contributors:
+ * Mercedes-Benz Tech Innovation GmbH - Initial API and Implementation
+ *
+ */
+
+package net.catenax.edc.hashicorpvault;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.Reader;
+import java.security.Provider;
+import java.security.cert.X509Certificate;
+import lombok.NonNull;
+import lombok.SneakyThrows;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.openssl.PEMParser;
+import org.jetbrains.annotations.NotNull;
+
+final class PemUtil {
+
+ private PemUtil() {
+ throw new IllegalStateException("Private constructor invocation disallowed");
+ }
+
+ private static final Provider PROVIDER = new BouncyCastleProvider();
+ private static final JcaX509CertificateConverter X509_CONVERTER =
+ new JcaX509CertificateConverter().setProvider(PROVIDER);
+
+ @SneakyThrows
+ public static X509Certificate readX509Certificate(@NotNull @NonNull InputStream inputStream) {
+ X509CertificateHolder x509CertificateHolder = parsePem(inputStream);
+ if (x509CertificateHolder == null) {
+ return null;
+ }
+ return X509_CONVERTER.getCertificate(x509CertificateHolder);
+ }
+
+ @SuppressWarnings("unchecked")
+ private static T parsePem(@NotNull @NonNull InputStream inputStream) throws IOException {
+ try (Reader reader = new InputStreamReader(inputStream)) {
+ PEMParser pemParser = new PEMParser(reader);
+ return (T) pemParser.readObject();
+ }
+ }
+}
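Review bot: `readX509Certificate` assumes the first PEM object is a certificate — `parsePem` hands back whatever `PEMParser.readObject()` produced under an unchecked cast — so a secret holding a PEM private key, CSR or parameters block fails with a `ClassCastException` at the `X509CertificateHolder` assignment instead of returning `null` as the no-PEM case does (the `_malformed` integration test only covers non-PEM text). Replace the cast with a type check: `Object pemObject = parsePem(inputStream); if (!(pemObject instanceof X509CertificateHolder)) { return null; } return X509_CONVERTER.getCertificate((X509CertificateHolder) pemObject);`. `new InputStreamReader(inputStream)` also decodes with the platform default charset; PEM is ASCII, so pass `StandardCharsets.US_ASCII` explicitly to keep parsing deterministic across JVMs. Only the first PEM block is read, so a stored chain silently yields just its leading certificate — worth a Javadoc line if that is intended.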
diff --git a/edc-extensions/aas-controller/src/main/resources/META-INF/services/org.eclipse.dataspaceconnector.spi.system.ServiceExtension b/edc-extensions/hashicorp-vault/src/main/resources/META-INF/services/org.eclipse.dataspaceconnector.spi.system.VaultExtension
similarity index 87%
rename from edc-extensions/aas-controller/src/main/resources/META-INF/services/org.eclipse.dataspaceconnector.spi.system.ServiceExtension
rename to edc-extensions/hashicorp-vault/src/main/resources/META-INF/services/org.eclipse.dataspaceconnector.spi.system.VaultExtension
index 80375f38d..4c244ca16 100644
--- a/edc-extensions/aas-controller/src/main/resources/META-INF/services/org.eclipse.dataspaceconnector.spi.system.ServiceExtension
+++ b/edc-extensions/hashicorp-vault/src/main/resources/META-INF/services/org.eclipse.dataspaceconnector.spi.system.VaultExtension
@@ -10,5 +10,4 @@
 # Contributors:
 # Mercedes-Benz Tech Innovation GmbH - Initial ServiceExtension file
 #
-#
-net.catenax.edc.controlplane.ControlPlaneExtension
\ No newline at end of file
+net.catenax.edc.hashicorpvault.HashicorpVaultExtension
diff --git a/edc-extensions/hashicorp-vault/src/test/java/net/catenax/edc/hashicorpvault/AbstractHashicorpIT.java b/edc-extensions/hashicorp-vault/src/test/java/net/catenax/edc/hashicorpvault/AbstractHashicorpIT.java
new file mode 100644
index 000000000..e7b4279e3
--- /dev/null
+++ b/edc-extensions/hashicorp-vault/src/test/java/net/catenax/edc/hashicorpvault/AbstractHashicorpIT.java
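Review bot: The `aas-controller` module's service-loader entry disappears here — git's rename detection turned its `ServiceExtension` registration file into the hashicorp-vault `VaultExtension` one, and the `-net.catenax.edc.controlplane.ControlPlaneExtension` line is not re-added anywhere in this chunk. That is only correct if the `aas-controller` module is deleted, or `ControlPlaneExtension` re-registered, elsewhere in this commit; the visible diffstat does not show either. If the module still exists, its extension will silently stop being loaded at runtime, which is the kind of regression no compile step catches.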
@@ -0,0 +1,89 @@ +/* + * Copyright (c) 2022 Mercedes-Benz Tech Innovation GmbH + * + * This program and the accompanying materials are made available under the + * terms of the Apache License, Version 2.0 which is available at + * https://www.apache.org/licenses/LICENSE-2.0 + * + * SPDX-License-Identifier: Apache-2.0 + * + * Contributors: + * Mercedes-Benz Tech Innovation GmbH - Initial Test + * + */ + +package net.catenax.edc.hashicorpvault; + +import static net.catenax.edc.hashicorpvault.HashicorpVaultClient.VAULT_DATA_ENTRY_NAME; +import static net.catenax.edc.hashicorpvault.HashicorpVaultExtension.VAULT_TOKEN; +import static net.catenax.edc.hashicorpvault.HashicorpVaultExtension.VAULT_URL; + +import java.util.HashMap; +import java.util.UUID; +import lombok.Getter; +import org.eclipse.dataspaceconnector.junit.launcher.EdcExtension; +import org.eclipse.dataspaceconnector.spi.security.CertificateResolver; +import org.eclipse.dataspaceconnector.spi.security.Vault; +import org.eclipse.dataspaceconnector.spi.system.ServiceExtension; +import org.eclipse.dataspaceconnector.spi.system.ServiceExtensionContext; +import org.junit.ClassRule; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.extension.ExtendWith; +import org.testcontainers.junit.jupiter.Container; +import org.testcontainers.junit.jupiter.Testcontainers; +import org.testcontainers.utility.DockerImageName; +import org.testcontainers.vault.VaultContainer; + +@Testcontainers +@ExtendWith(EdcExtension.class) +class AbstractHashicorpIT { + static final String DOCKER_IMAGE_NAME = "vault:1.9.6"; + static final String VAULT_ENTRY_KEY = "testing"; + static final String VAULT_ENTRY_VALUE = UUID.randomUUID().toString(); + static final String TOKEN = UUID.randomUUID().toString(); + + private final TestExtension testExtension = new TestExtension(); + + protected Vault getVault() { + return testExtension.getVault(); + } + + protected CertificateResolver getCertificateResolver() { + return 
testExtension.getCertificateResolver(); + } + + @Container @ClassRule + private static final VaultContainer vaultContainer = + new VaultContainer<>(DockerImageName.parse(DOCKER_IMAGE_NAME)) + .withVaultToken(TOKEN) + .withSecretInVault( + "secret/" + VAULT_ENTRY_KEY, + String.format("%s=%s", VAULT_DATA_ENTRY_NAME, VAULT_ENTRY_VALUE)); + + @BeforeEach + final void beforeEach(EdcExtension extension) { + extension.setConfiguration( + new HashMap<>() { + { + put( + VAULT_URL, + String.format( + "http://%s:%s", vaultContainer.getHost(), vaultContainer.getFirstMappedPort())); + put(VAULT_TOKEN, TOKEN); + } + }); + extension.registerSystemExtension(ServiceExtension.class, testExtension); + } + + @Getter + private static class TestExtension implements ServiceExtension { + private Vault vault; + private CertificateResolver certificateResolver; + + @Override + public void initialize(ServiceExtensionContext context) { + vault = context.getService(Vault.class); + certificateResolver = context.getService(CertificateResolver.class); + } + } +} diff --git a/edc-extensions/hashicorp-vault/src/test/java/net/catenax/edc/hashicorpvault/HashicorpCertificateResolverIT.java b/edc-extensions/hashicorp-vault/src/test/java/net/catenax/edc/hashicorpvault/HashicorpCertificateResolverIT.java new file mode 100644 index 000000000..77d26e6df --- /dev/null +++ b/edc-extensions/hashicorp-vault/src/test/java/net/catenax/edc/hashicorpvault/HashicorpCertificateResolverIT.java 
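Review bot: `vaultContainer` carries the JUnit 4 `@ClassRule` (`org.junit.ClassRule`) next to Testcontainers' `@Container`, but this class runs under Jupiter (`@ExtendWith`, `@BeforeEach`), where `@ClassRule` is never evaluated; `@Container` on a static field under `@Testcontainers` is what actually starts the container, so drop `@ClassRule` and its import to avoid the JUnit 4 dependency. The image `vault:1.9.6` is referenced by tag only; for a fixture that exercises secret handling I would pin it by digest (`vault:1.9.6@sha256:…`) so the container cannot change underneath the build. The class is named `AbstractHashicorpIT` but is not declared `abstract`, so the `*IT` discovery pattern may pick it up as a test class of its own; declaring it `abstract` is cheap insurance.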
@@ -0,0 +1,54 @@ +/* + * Copyright (c) 2022 Mercedes-Benz Tech Innovation GmbH + * + * This program and the accompanying materials are made available under the + * terms of the Apache License, Version 2.0 which is available at + * https://www.apache.org/licenses/LICENSE-2.0 + * + * SPDX-License-Identifier: Apache-2.0 + * + * Contributors: + * Mercedes-Benz Tech Innovation GmbH - Initial Test + * + */ + +package net.catenax.edc.hashicorpvault; + +import java.security.cert.X509Certificate; +import java.util.UUID; +import lombok.SneakyThrows; +import org.eclipse.dataspaceconnector.spi.security.CertificateResolver; +import org.eclipse.dataspaceconnector.spi.security.Vault; +import org.junit.jupiter.api.Assertions; +import org.junit.jupiter.api.Test; + +class HashicorpCertificateResolverIT extends AbstractHashicorpIT { + + @Test + @SneakyThrows + void resolveCertificate_success() { + String key = UUID.randomUUID().toString(); + X509Certificate certificateExpected = X509CertificateTestUtil.generateCertificate(5, "Test"); + String pem = X509CertificateTestUtil.convertToPem(certificateExpected); + + Vault vault = getVault(); + vault.storeSecret(key, pem); + CertificateResolver resolver = getCertificateResolver(); + X509Certificate certificateResult = resolver.resolveCertificate(key); + + Assertions.assertEquals(certificateExpected, certificateResult); + } + + @Test + @SneakyThrows + void resolveCertificate_malformed() { + String key = UUID.randomUUID().toString(); + String value = UUID.randomUUID().toString(); + Vault vault = getVault(); + vault.storeSecret(key, value); + + CertificateResolver resolver = getCertificateResolver(); + X509Certificate certificateResult = resolver.resolveCertificate(key); + Assertions.assertNull(certificateResult); + } +} 
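Review bot: `resolveCertificate_malformed` stores a bare UUID, so it only exercises the "not PEM at all" path; a PEM block of a different type (a private key, for instance) takes a different path through `PemUtil.readX509Certificate` — the unchecked cast — and is not covered, so whether the resolver returns `null` or throws for that input is undocumented by the tests. Add a case that stores a PEM-armoured non-certificate (a `PrivateKey` from the test util's key-pair helper, written with `JcaPEMWriter`, would do) and assert the intended outcome. `resolveCertificate_success` also never checks the stored PEM survived the round trip; `Assertions.assertEquals(pem, vault.resolveSecret(key));` before resolving the certificate would separate a Vault storage problem from a PEM parsing problem when the test fails.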
diff --git a/edc-extensions/hashicorp-vault/src/test/java/net/catenax/edc/hashicorpvault/HashicorpCertificateResolverTest.java b/edc-extensions/hashicorp-vault/src/test/java/net/catenax/edc/hashicorpvault/HashicorpCertificateResolverTest.java new file mode 100644 index 000000000..ca86d71fa --- /dev/null +++ b/edc-extensions/hashicorp-vault/src/test/java/net/catenax/edc/hashicorpvault/HashicorpCertificateResolverTest.java @@ -0,0 +1,52 @@ +/* + * Copyright (c) 2022 Mercedes-Benz Tech Innovation GmbH + * + * This program and the accompanying materials are made available under the + * terms of the Apache License, Version 2.0 which is available at + * https://www.apache.org/licenses/LICENSE-2.0 + * + * SPDX-License-Identifier: Apache-2.0 + * + * Contributors: + * Mercedes-Benz Tech Innovation GmbH - Initial Test + * + */ + +package net.catenax.edc.hashicorpvault; + +import java.security.cert.X509Certificate; +import lombok.SneakyThrows; +import org.eclipse.dataspaceconnector.spi.monitor.Monitor; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.mockito.Mockito; + +class HashicorpCertificateResolverTest { + private static final String key = "key"; + + // mocks + private HashicorpCertificateResolver certificateResolver; + private HashicorpVault vault; + + @BeforeEach + void setup() { + vault = Mockito.mock(HashicorpVault.class); + final Monitor monitor = Mockito.mock(Monitor.class); + certificateResolver = new HashicorpCertificateResolver(vault, monitor); + } + + @Test + @SneakyThrows + void resolveCertificate() { + // prepare + X509Certificate certificateExpected = X509CertificateTestUtil.generateCertificate(5, "Test"); + String pem = X509CertificateTestUtil.convertToPem(certificateExpected); + Mockito.when(vault.resolveSecret(key)).thenReturn(pem); + + // invoke + certificateResolver.resolveCertificate(key); + + // verify + Mockito.verify(vault, Mockito.times(1)).resolveSecret(key); + } +} 
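Review bot: `resolveCertificate` never asserts on what the resolver returns — it calls `certificateResolver.resolveCertificate(key)`, discards the result and only verifies that `vault.resolveSecret(key)` was invoked, so a resolver that returned `null` for every input would still pass. Keep the return value and compare it: `X509Certificate certificateResult = certificateResolver.resolveCertificate(key);` followed by `Assertions.assertEquals(certificateExpected, certificateResult);`. A second test where `resolveSecret` is stubbed to return `null` or a non-PEM string would pin the resolver's behaviour on a missing or unparsable secret, which `@SneakyThrows` on the test currently hides if it throws.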
diff --git a/edc-extensions/hashicorp-vault/src/test/java/net/catenax/edc/hashicorpvault/HashicorpVaultClientTest.java b/edc-extensions/hashicorp-vault/src/test/java/net/catenax/edc/hashicorpvault/HashicorpVaultClientTest.java new file mode 100644 index 000000000..ae0ca69c8 --- /dev/null +++ b/edc-extensions/hashicorp-vault/src/test/java/net/catenax/edc/hashicorpvault/HashicorpVaultClientTest.java 
@@ -0,0 +1,146 @@ +/* + * Copyright (c) 2022 Mercedes-Benz Tech Innovation GmbH + * + * This program and the accompanying materials are made available under the + * terms of the Apache License, Version 2.0 which is available at + * https://www.apache.org/licenses/LICENSE-2.0 + * + * SPDX-License-Identifier: Apache-2.0 + * + * Contributors: + * Mercedes-Benz Tech Innovation GmbH - Initial Test + * + */ + +package net.catenax.edc.hashicorpvault; + +import com.fasterxml.jackson.databind.ObjectMapper; +import java.util.UUID; +import lombok.SneakyThrows; +import okhttp3.Call; +import okhttp3.OkHttpClient; +import okhttp3.Request; +import okhttp3.Response; +import okhttp3.ResponseBody; +import org.eclipse.dataspaceconnector.spi.result.Result; +import org.junit.jupiter.api.Assertions; +import org.junit.jupiter.api.Test; +import org.mockito.Mockito; + +class HashicorpVaultClientTest { + private static final String key = "key"; + private static final ObjectMapper objectMapper = new ObjectMapper(); + + @Test + @SneakyThrows + void getSecretValue() { + // prepare + String vaultUrl = "https://mock.url"; + String vaultToken = UUID.randomUUID().toString(); + HashicorpVaultClientConfig hashicorpVaultClientConfig = + HashicorpVaultClientConfig.builder().vaultUrl(vaultUrl).vaultToken(vaultToken).build(); + + OkHttpClient okHttpClient = Mockito.mock(OkHttpClient.class); + HashicorpVaultClient vaultClient = + new HashicorpVaultClient(hashicorpVaultClientConfig, okHttpClient, objectMapper); + Call call = Mockito.mock(Call.class); + Response response = Mockito.mock(Response.class); + ResponseBody body = Mockito.mock(ResponseBody.class); + HashicorpVaultGetEntryResponsePayload payload = new HashicorpVaultGetEntryResponsePayload(); + + Mockito.when(okHttpClient.newCall(Mockito.any(Request.class))).thenReturn(call); + Mockito.when(call.execute()).thenReturn(response); + Mockito.when(response.code()).thenReturn(200); + Mockito.when(response.body()).thenReturn(body); + 
Mockito.when(body.string()).thenReturn(payload.toString()); + + // invoke + Result result = vaultClient.getSecretValue(key); + + // verify + Assertions.assertNotNull(result); + Mockito.verify(okHttpClient, Mockito.times(1)) + .newCall( + Mockito.argThat( + request -> + request.method().equalsIgnoreCase("GET") + && request.url().encodedPath().contains("/v1/secret/data") + && request.url().encodedPathSegments().contains(key))); + } + + @Test + @SneakyThrows + void setSecretValue() { + // prepare + String vaultUrl = "https://mock.url"; + String vaultToken = UUID.randomUUID().toString(); + String secretValue = UUID.randomUUID().toString(); + HashicorpVaultClientConfig hashicorpVaultClientConfig = + HashicorpVaultClientConfig.builder().vaultUrl(vaultUrl).vaultToken(vaultToken).build(); + + OkHttpClient okHttpClient = Mockito.mock(OkHttpClient.class); + HashicorpVaultClient vaultClient = + new HashicorpVaultClient(hashicorpVaultClientConfig, okHttpClient, objectMapper); + HashicorpVaultCreateEntryResponsePayload payload = + new HashicorpVaultCreateEntryResponsePayload(); + + Call call = Mockito.mock(Call.class); + Response response = Mockito.mock(Response.class); + ResponseBody body = Mockito.mock(ResponseBody.class); + + Mockito.when(okHttpClient.newCall(Mockito.any(Request.class))).thenReturn(call); + Mockito.when(call.execute()).thenReturn(response); + Mockito.when(response.code()).thenReturn(200); + Mockito.when(response.body()).thenReturn(body); + Mockito.when(body.string()).thenReturn(payload.toString()); + + // invoke + Result result = + vaultClient.setSecret(key, secretValue); + + // verify + Assertions.assertNotNull(result); + Mockito.verify(okHttpClient, Mockito.times(1)) + .newCall( + Mockito.argThat( + request -> + request.method().equalsIgnoreCase("POST") + && request.url().encodedPath().contains("/v1/secret/data") + && request.url().encodedPathSegments().contains(key))); + } + + @Test + @SneakyThrows + void destroySecretValue() { + // prepare + String 
vaultUrl = "https://mock.url"; + String vaultToken = UUID.randomUUID().toString(); + HashicorpVaultClientConfig hashicorpVaultClientConfig = + HashicorpVaultClientConfig.builder().vaultUrl(vaultUrl).vaultToken(vaultToken).build(); + + OkHttpClient okHttpClient = Mockito.mock(OkHttpClient.class); + HashicorpVaultClient vaultClient = + new HashicorpVaultClient(hashicorpVaultClientConfig, okHttpClient, objectMapper); + + Call call = Mockito.mock(Call.class); + Response response = Mockito.mock(Response.class); + ResponseBody body = Mockito.mock(ResponseBody.class); + Mockito.when(okHttpClient.newCall(Mockito.any(Request.class))).thenReturn(call); + Mockito.when(call.execute()).thenReturn(response); + Mockito.when(response.code()).thenReturn(200); + Mockito.when(response.body()).thenReturn(body); + + // invoke + Result result = vaultClient.destroySecret(key); + + // verify + Assertions.assertNotNull(result); + Mockito.verify(okHttpClient, Mockito.times(1)) + .newCall( + Mockito.argThat( + request -> + request.method().equalsIgnoreCase("DELETE") + && request.url().encodedPath().contains("/v1/secret/metadata") + && request.url().encodedPathSegments().contains(key))); + } +} diff --git a/edc-extensions/hashicorp-vault/src/test/java/net/catenax/edc/hashicorpvault/HashicorpVaultIT.java b/edc-extensions/hashicorp-vault/src/test/java/net/catenax/edc/hashicorpvault/HashicorpVaultIT.java new file mode 100644 index 000000000..e23c5a9f0 --- /dev/null +++ b/edc-extensions/hashicorp-vault/src/test/java/net/catenax/edc/hashicorpvault/HashicorpVaultIT.java 
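Review bot: The mocked responses feed `payload.toString()` into `body.string()`, but Lombok's generated `toString()` yields something like `HashicorpVaultGetEntryResponsePayload(data=null)`, not JSON, so `getSecretValue` and `setSecret` presumably fail to parse it and the tests pass only because they assert `Assertions.assertNotNull(result)` — which a failed `Result` satisfies just as well. Serialize a real payload instead, `Mockito.when(body.string()).thenReturn(objectMapper.writeValueAsString(payload));`, and assert `Assertions.assertTrue(result.succeeded());` plus the extracted secret value. None of the three `argThat` matchers checks that the request carries `vaultToken` in the Vault token header, which is the one thing the client must get right for authentication; add `request.header("X-Vault-Token")` — or whichever header the client uses, it is not visible here — to the matcher and compare it with `vaultToken`.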
@@ -0,0 +1,89 @@ +/* + * Copyright (c) 2022 Mercedes-Benz Tech Innovation GmbH + * + * This program and the accompanying materials are made available under the + * terms of the Apache License, Version 2.0 which is available at + * https://www.apache.org/licenses/LICENSE-2.0 + * + * SPDX-License-Identifier: Apache-2.0 + * + * Contributors: + * Mercedes-Benz Tech Innovation GmbH - Initial Test + * + */ + +package net.catenax.edc.hashicorpvault; + +import java.util.UUID; +import org.eclipse.dataspaceconnector.spi.security.Vault; +import org.junit.jupiter.api.Assertions; +import org.junit.jupiter.api.DisplayName; +import org.junit.jupiter.api.Test; + +class HashicorpVaultIT extends AbstractHashicorpIT { + + @Test + @DisplayName("Resolve a secret that exists") + void testResolveSecret_exists() { + Vault vault = getVault(); + String secretValue = vault.resolveSecret(VAULT_ENTRY_KEY); + Assertions.assertEquals(VAULT_ENTRY_VALUE, secretValue); + } + + @Test + @DisplayName("Resolve a secret that does not exist") + void testResolveSecret_doesNotExist() { + Vault vault = getVault(); + Assertions.assertNull(vault.resolveSecret("wrong_key")); + } + + @Test + @DisplayName("Update a secret that exists") + void testSetSecret_exists() { + String key = UUID.randomUUID().toString(); + String value1 = UUID.randomUUID().toString(); + String value2 = UUID.randomUUID().toString(); + + Vault vault = getVault(); + vault.storeSecret(key, value1); + vault.storeSecret(key, value2); + String secretValue = vault.resolveSecret(key); + Assertions.assertEquals(value2, secretValue); + } + + @Test + @DisplayName("Create a secret that does not exist") + void testSetSecret_doesNotExist() { + String key = UUID.randomUUID().toString(); + String value = UUID.randomUUID().toString(); + + Vault vault = getVault(); + vault.storeSecret(key, value); + String secretValue = vault.resolveSecret(key); + Assertions.assertEquals(value, secretValue); + } + + @Test + @DisplayName("Delete a secret that exists") + void 
testDeleteSecret_exists() { + String key = UUID.randomUUID().toString(); + String value = UUID.randomUUID().toString(); + + Vault vault = getVault(); + vault.storeSecret(key, value); + vault.deleteSecret(key); + + Assertions.assertNull(vault.resolveSecret(key)); + } + + @Test + @DisplayName("Try to delete a secret that does not exist") + void testDeleteSecret_doesNotExist() { + String key = UUID.randomUUID().toString(); + + Vault vault = getVault(); + vault.deleteSecret(key); + + Assertions.assertNull(vault.resolveSecret(key)); + } +} diff --git a/edc-extensions/hashicorp-vault/src/test/java/net/catenax/edc/hashicorpvault/HashicorpVaultTest.java b/edc-extensions/hashicorp-vault/src/test/java/net/catenax/edc/hashicorpvault/HashicorpVaultTest.java new file mode 100644 index 000000000..c082b76e9 --- /dev/null +++ b/edc-extensions/hashicorp-vault/src/test/java/net/catenax/edc/hashicorpvault/HashicorpVaultTest.java 
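Review bot: Every `storeSecret`/`deleteSecret` call in these tests discards the returned `Result`, so a failing write is detected only indirectly — and in `testDeleteSecret_exists` not at all, since a store that silently failed leaves `resolveSecret(key)` at `null` and the assertion still passes. Assert on the result where it carries the test's meaning: `Assertions.assertTrue(vault.storeSecret(key, value).succeeded());` before the delete, and `Assertions.assertTrue(vault.deleteSecret(key).succeeded());`. `testDeleteSecret_doesNotExist` is the one place where the `Result` of deleting an absent key is actually interesting (does the metadata DELETE report success or failure?), and it is exactly the assertion the test does not make.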
@@ -0,0 +1,90 @@ +/* + * Copyright (c) 2022 Mercedes-Benz Tech Innovation GmbH + * + * This program and the accompanying materials are made available under the + * terms of the Apache License, Version 2.0 which is available at + * https://www.apache.org/licenses/LICENSE-2.0 + * + * SPDX-License-Identifier: Apache-2.0 + * + * Contributors: + * Mercedes-Benz Tech Innovation GmbH - Initial Test + * + */ + +package net.catenax.edc.hashicorpvault; + +import java.util.UUID; +import lombok.SneakyThrows; +import org.eclipse.dataspaceconnector.spi.monitor.Monitor; +import org.eclipse.dataspaceconnector.spi.result.Result; +import org.junit.jupiter.api.Assertions; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.mockito.Mockito; + +class HashicorpVaultTest { + private static final String key = "key"; + + // mocks + private HashicorpVaultClient vaultClient; + private HashicorpVault vault; + + @BeforeEach + void setup() { + vaultClient = Mockito.mock(HashicorpVaultClient.class); + final Monitor monitor = Mockito.mock(Monitor.class); + vault = new HashicorpVault(vaultClient, monitor); + } + + @Test + @SneakyThrows + void getSecret() { + // prepare + String value = UUID.randomUUID().toString(); + Result result = Mockito.mock(Result.class); + Mockito.when(vaultClient.getSecretValue(key)).thenReturn(result); + Mockito.when(result.getContent()).thenReturn(value); + Mockito.when(result.succeeded()).thenReturn(true); + + // invoke + String returnValue = vault.resolveSecret(key); + + // verify + Mockito.verify(vaultClient, Mockito.times(1)).getSecretValue(key); + Assertions.assertEquals(value, returnValue); + } + + @Test + @SneakyThrows + void setSecret() { + // prepare + String value = UUID.randomUUID().toString(); + Result result = Mockito.mock(Result.class); + Mockito.when(vaultClient.setSecret(key, value)).thenReturn(result); + Mockito.when(result.succeeded()).thenReturn(true); + + // invoke + Result returnValue = vault.storeSecret(key, 
value); + + // verify + Mockito.verify(vaultClient, Mockito.times(1)).setSecret(key, value); + Assertions.assertTrue(returnValue.succeeded()); + } + + @Test + @SneakyThrows + void destroySecret() { + // prepare + Result result = Mockito.mock(Result.class); + Mockito.when(vaultClient.destroySecret(key)).thenReturn(result); + Mockito.when(result.succeeded()).thenReturn(true); + + // invoke + Result returnValue = vault.deleteSecret(key); + + // verify + Mockito.verify(vaultClient, Mockito.times(1)).destroySecret(key); + Assertions.assertTrue(returnValue.succeeded()); + } +} diff --git a/edc-extensions/hashicorp-vault/src/test/java/net/catenax/edc/hashicorpvault/X509CertificateTestUtil.java b/edc-extensions/hashicorp-vault/src/test/java/net/catenax/edc/hashicorpvault/X509CertificateTestUtil.java new file mode 100644 index 000000000..210928a88 --- /dev/null +++ b/edc-extensions/hashicorp-vault/src/test/java/net/catenax/edc/hashicorpvault/X509CertificateTestUtil.java 
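Review bot: All three tests stub `result.succeeded()` to `true`, so the failure branch of `HashicorpVault.resolveSecret` — what it returns when the client reports a failed `Result` — has no unit coverage, even though the integration test `testResolveSecret_doesNotExist` expects `null` there. Add a case along the lines of `Mockito.when(result.succeeded()).thenReturn(false); Assertions.assertNull(vault.resolveSecret(key));` and verify that `monitor` was used to report the failure if that is the intended behaviour. If the SPI's `Result` offers factories such as `Result.success(value)` / `Result.failure(message)`, prefer them over a Mockito mock of a value type so `getContent()` and the failure messages behave as in production rather than returning whatever was stubbed.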
@@ -0,0 +1,132 @@
+/*
+ * Copyright (c) 2022 Mercedes-Benz Tech Innovation GmbH
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Apache License, Version 2.0 which is available at
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Contributors:
+ * Mercedes-Benz Tech Innovation GmbH - Initial API and Implementation
+ *
+ */
+
+package net.catenax.edc.hashicorpvault;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.OutputStreamWriter;
+import java.math.BigInteger;
+import java.nio.charset.StandardCharsets;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.NoSuchAlgorithmException;
+import java.security.Provider;
+import java.security.PublicKey;
+import java.security.SecureRandom;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.time.Duration;
+import java.time.Instant;
+import java.util.Date;
+import java.util.Optional;
+import lombok.SneakyThrows;
+import lombok.experimental.UtilityClass;
+import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers;
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;
+import org.bouncycastle.asn1.x509.BasicConstraints;
+import org.bouncycastle.asn1.x509.Extension;
+import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
+import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
+import org.bouncycastle.cert.X509ExtensionUtils;
+import org.bouncycastle.cert.X509v3CertificateBuilder;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.DigestCalculator;
+import
org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.operator.bc.BcDigestCalculatorProvider;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+import org.testcontainers.shaded.org.bouncycastle.openssl.jcajce.JcaPEMWriter;
+
+@UtilityClass
+final class X509CertificateTestUtil {
+ private static final String SIGNATURE_ALGORITHM = "SHA256WithRSAEncryption";
+ private static final Provider PROVIDER = new BouncyCastleProvider();
+ private static final JcaX509CertificateConverter JCA_X509_CERTIFICATE_CONVERTER =
+ new JcaX509CertificateConverter().setProvider(PROVIDER);
+
+ static X509Certificate generateCertificate(int validity, String cn)
+ throws CertificateException, OperatorCreationException, IOException,
+ NoSuchAlgorithmException {
+
+ KeyPair keyPair = generateKeyPair();
+
+ Instant now = Instant.now();
+ ContentSigner contentSigner =
+ new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).build(keyPair.getPrivate());
+ X500Name issuer =
+ new X500Name(
+ String.format(
+ "CN=%s",
+ Optional.ofNullable(cn)
+ .map(String::trim)
+ .filter(s -> !s.isEmpty())
+ .orElse("rootCA")));
+ BigInteger serial = BigInteger.valueOf(now.toEpochMilli());
+ Date notBefore = Date.from(now);
+ Date notAfter = Date.from(now.plus(Duration.ofDays(validity)));
+ PublicKey publicKey = keyPair.getPublic();
+ X509v3CertificateBuilder certificateBuilder =
+ new JcaX509v3CertificateBuilder(issuer, serial, notBefore, notAfter, issuer, publicKey);
+ certificateBuilder =
+ certificateBuilder.addExtension(
+ Extension.subjectKeyIdentifier, false, createSubjectKeyId(publicKey));
+ certificateBuilder =
+ certificateBuilder.addExtension(
+ Extension.authorityKeyIdentifier, false, createAuthorityKeyId(publicKey));
+ certificateBuilder =
+ certificateBuilder.addExtension(
+ Extension.basicConstraints, true, new BasicConstraints(true));
+ return JCA_X509_CERTIFICATE_CONVERTER.getCertificate(certificateBuilder.build(contentSigner));
+ }
+
+ private static KeyPair
generateKeyPair() throws NoSuchAlgorithmException {
+ KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", PROVIDER);
+ keyPairGenerator.initialize(1024, new SecureRandom());
+
+ return keyPairGenerator.generateKeyPair();
+ }
+
+ private static SubjectKeyIdentifier createSubjectKeyId(PublicKey publicKey)
+ throws OperatorCreationException {
+ SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(publicKey.getEncoded());
+ DigestCalculator digCalc =
+ new BcDigestCalculatorProvider().get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1));
+ return new X509ExtensionUtils(digCalc).createSubjectKeyIdentifier(publicKeyInfo);
+ }
+
+ private static AuthorityKeyIdentifier createAuthorityKeyId(PublicKey publicKey)
+ throws OperatorCreationException {
+ SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(publicKey.getEncoded());
+ DigestCalculator digCalc =
+ new BcDigestCalculatorProvider().get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1));
+ return new X509ExtensionUtils(digCalc).createAuthorityKeyIdentifier(publicKeyInfo);
+ }
+
+ @SneakyThrows
+ static String convertToPem(X509Certificate certificate) {
+ try (ByteArrayOutputStream stream = new ByteArrayOutputStream()) {
+ try (OutputStreamWriter writer = new OutputStreamWriter(stream)) {
+ JcaPEMWriter pemWriter = new JcaPEMWriter(writer);
+ pemWriter.writeObject(certificate);
+ pemWriter.flush();
+ }
+ return stream.toString(StandardCharsets.UTF_8);
+ }
+ }
+}
diff --git a/edc-extensions/hashicorp-vault/src/test/resources/logback.xml b/edc-extensions/hashicorp-vault/src/test/resources/logback.xml
new file mode 100644
index 000000000..3347fcbae
--- /dev/null
+++ b/edc-extensions/hashicorp-vault/src/test/resources/logback.xml
@@ -0,0 +1,23 @@
+ + + + + + %d{HH:mm:ss.SSS} [%thread] sdfsfs %-5level %logger{36} - %msg%n + + + + + +
diff --git a/edc-extensions/pom.xml b/edc-extensions/pom.xml
index 6c76c4177..adf47caa8 100644
--- a/edc-extensions/pom.xml
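Review bot: `convertToPem` takes `JcaPEMWriter` from `org.testcontainers.shaded.org.bouncycastle.openssl.jcajce`, a shaded copy bundled inside Testcontainers, while every other BouncyCastle type in this file comes from `org.bouncycastle` and the same commit adds `bcpkix-jdk15on` to the root `pom.xml`; a shaded package is not a supported API and can move or disappear with any Testcontainers upgrade, so the import should be `import org.bouncycastle.openssl.jcajce.JcaPEMWriter;`. In `generateKeyPair`, `keyPairGenerator.initialize(1024, new SecureRandom());` sits at the lower bound of the JDK's default `jdk.certpath.disabledAlgorithms` (`RSA keySize < 1024`) and is refused outright by some TLS stacks, so if the generated certificate is ever presented over TLS the test would fail for an unrelated reason — `2048` costs milliseconds here. Also in `convertToPem`, `new OutputStreamWriter(stream)` encodes with the platform default charset while the bytes are read back as UTF-8; PEM is ASCII so it works today, but `new OutputStreamWriter(stream, StandardCharsets.UTF_8)` makes both ends agree. A one-line Javadoc on `generateCertificate` stating that it returns a self-signed CA certificate (issuer equals subject, `BasicConstraints(true)`) valid for `validity` days from now would spare callers reading the builder chain.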
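Review bot: The console pattern in the new `logback.xml` contains the literal token `sdfsfs` between `[%thread]` and `%-5level`; it looks like a stray keystroke rather than an intentional marker and will be printed on every test log line. Dropping it gives the conventional `%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n`. The rest of the file's markup is not legible in this rendering, so only the pattern line is reviewed here.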
+++ b/edc-extensions/pom.xml @@ -12,14 +12,14 @@ Mercedes-Benz Tech Innovation GmbH - Initial POM --> - - 4.0.0 - + net.catenax.edc product-edc-parent - 0.0.3 + 0.0.4 + 4.0.0 net.catenax.edc.extensions edc-extensions @@ -27,8 +27,8 @@ business-partner-validation - aas-controller postgresql-migration + hashicorp-vault - \ No newline at end of file + diff --git a/edc-extensions/postgresql-migration/pom.xml b/edc-extensions/postgresql-migration/pom.xml index e88c32560..74f575149 100644 --- a/edc-extensions/postgresql-migration/pom.xml +++ b/edc-extensions/postgresql-migration/pom.xml @@ -12,11 +12,12 @@ Mercedes-Benz Tech Innovation GmbH - Initial POM --> - + edc-extensions net.catenax.edc.extensions - 0.0.3 + 0.0.4 4.0.0 @@ -40,6 +41,21 @@ + + + + org.apache.maven.plugins + maven-source-plugin + + + attach-sources + + jar + + + + + diff --git a/misc/license-mappings.xml b/misc/license-mappings.xml index f26375c3e..e173088a7 100644 --- a/misc/license-mappings.xml +++ b/misc/license-mappings.xml @@ -752,4 +752,10 @@ Apache License, Version 2.0 0.0.1-SNAPSHOT + + org.eclipse.dataspaceconnector + junit-extension + Apache License, Version 2.0 + 0.0.1-SNAPSHOT + diff --git a/pom.xml b/pom.xml index 841f9922d..1a8584712 100644 --- a/pom.xml +++ b/pom.xml @@ -18,7 +18,7 @@ net.catenax.edc product-edc-parent - 0.0.3 + 0.0.4 pom @@ -44,31 +44,37 @@ 3.3.0 3.2.2 - 2.22.5 + 2.22.8 3.0.0 - 1.5 + 3.4.0 + 2.0.0 + 2.22.2 + 3.0.0-M2 + 3.2.1 + 3.0.0-M7 + 3.10.1 + 3.2.0 + 1.18.20.0 + 1.1.0 0.0.1-SNAPSHOT - 1.2.1 - 3.1.0 - 42.3.5 - 8.5.11 + 1.2.2 + 42.4.0 + 8.5.13 5.8.2 1.8.2 - 1.10.19 + 4.6.1 + 1.18.24 + 1.70 + 4.9.3 + 1.17.2 + 2.0.0-alpha1 + 1.2.11 - - - github-catenax-ng - Catena-X NG: Github Packages - https://maven.pkg.github.com/catenax-ng/product-edc - - - central @@ -85,6 +91,19 @@ + + org.apache.maven.plugins + maven-javadoc-plugin + ${org.apache.maven.plugins.javadoc.version} + + + attach-javadocs + + jar + + + + org.codehaus.mojo exec-maven-plugin 
@@ -95,21 +114,26 @@ commons-build-plugin 1.12 - - org.codehaus.mojo - license-maven-plugin - 2.0.0 - org.apache.maven.plugins maven-jar-plugin ${org.apache.maven.plugins.maven.jar.plugin.version} + + org.apache.maven.plugins + maven-resources-plugin + ${org.apache.maven.plugins.resources.version} + org.apache.maven.plugins maven-dependency-plugin ${org.apache.maven.plugins.maven.dependency.plugin.version} + + org.apache.maven.plugins + maven-deploy-plugin + ${org.apache.maven.plugins.deploy.version} + com.diffplug.spotless spotless-maven-plugin @@ -117,7 +141,7 @@ - 1.8 + 1.15.0 @@ -133,8 +157,29 @@ + org.apache.maven.plugins + maven-source-plugin + ${org.apache.maven.plugins.source.version} + + + org.apache.maven.plugins + maven-compiler-plugin + ${org.apache.maven.plugins.compiler.version} + + + org.projectlombok + lombok-maven-plugin + ${org.projectlombok.lombok.maven.plugin.version} + + + org.apache.maven.plugins + maven-failsafe-plugin + ${org.apache.maven.plugins.failsafe.version} + + + org.apache.maven.plugins maven-surefire-plugin - 2.22.2 + ${org.apache.maven.plugins.surefire.version} org.codehaus.mojo @@ -221,26 +266,38 @@ net.catenax.edc.extensions - aas-controller + business-partner-validation ${project.version} net.catenax.edc.extensions - business-partner-validation + postgresql-migration ${project.version} net.catenax.edc.extensions - postgresql-migration + hashicorp-vault ${project.version} - + + + net.catenax.edc + edc-controlplane-base + ${project.version} + + + net.catenax.edc + edc-controlplane-postgresql + ${project.version} + - jakarta.ws.rs - jakarta.ws.rs-api - ${jakarta.ws.rs.api.version} + net.catenax.edc + edc-dataplane-base + ${project.version} + + org.postgresql postgresql 
@@ -251,6 +308,36 @@ flyway-core ${org.flywaydb.version} + + org.projectlombok + lombok + ${org.projectlombok.lombok.version} + + + org.bouncycastle + bcpkix-jdk15on + ${org.bouncycastle.bcpkix-jdk15on.version} + + + com.squareup.okhttp3 + okhttp + ${com.squareup.okhttp3.okhttp.version} + + + org.slf4j + slf4j-api + ${org.slf4j.version} + + + org.slf4j + jul-to-slf4j + ${org.slf4j.version} + + + ch.qos.logback + logback-core + ${ch.qos.logback.logback-core.version} + @@ -878,6 +965,17 @@ web-spi ${org.eclipse.dataspaceconnector.version} + + org.eclipse.dataspaceconnector + junit-extension + ${org.eclipse.dataspaceconnector.version} + + + org.eclipse.dataspaceconnector + junit-extension + ${org.eclipse.dataspaceconnector.version} + test-fixtures + @@ -887,36 +985,26 @@ pom import - - - - org.junit.jupiter - junit-jupiter-engine - ${junit.jupiter.version} - test - - org.junit.jupiter - junit-jupiter-api + org.junit + junit-bom ${junit.jupiter.version} - test - - - org.junit.jupiter - junit-jupiter-params - ${junit.jupiter.version} - test - - - org.junit.platform - junit-platform-suite - ${junit.platform.version} - test + pom + import org.mockito - mockito-all + mockito-bom ${mockito.version} + pom + import + + + + + org.testcontainers + junit-jupiter + ${org.testcontainers.version} test @@ -933,7 +1021,7 @@ --> org.jasig.maven maven-notice-plugin - 1.1.0 + ${org.jasig.maven.notice.plugin.version} jakarta.xml.bind @@ -943,7 +1031,7 @@ org.glassfish.jaxb jaxb-runtime - 3.0.2 + 2.3.3 diff --git a/settings.xml b/settings.xml index 34ab44077..805b7a95c 100644 --- a/settings.xml +++ b/settings.xml @@ -11,9 +11,9 @@ - github-catenax-ng + github ${env.GITHUB_PACKAGE_USERNAME} ${env.GITHUB_PACKAGE_PASSWORD} - \ No newline at end of file +
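Review bot: In the `maven-notice-plugin` dependency block the `jaxb-runtime` version moves from `3.0.2` down to `2.3.3` with no explanation, and everything else in this commit moves versions up, so the downgrade reads as accidental unless it is deliberate. JAXB 3.x serves the `jakarta.xml.bind` namespace while 2.3.x still serves `javax.xml.bind`, so if the plugin needs the older API (plausible, but not visible here) an XML comment such as `<!-- keep 2.3.x: notice plugin binds against javax.xml.bind -->` beside the version would stop a future Dependabot bump from silently reverting it. The element structure of this section is stripped in this rendering, so the surrounding context is inferred from the visible artifact names.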