Updated example-dataspace

charts/tractusx-connector-azure-vault/templates/deployment-controlplane.yaml

@@ -1,24 +1,24 @@
 #
-#  Copyright (c) 2023 ZF Friedrichshafen AG
-#  Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH
-#  Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
-#  Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation
-#
-#  See the NOTICE file(s) distributed with this work for additional
-#  information regarding copyright ownership.
-#
-#  This program and the accompanying materials are made available under the
-#  terms of the Apache License, Version 2.0 which is available at
-#  https://www.apache.org/licenses/LICENSE-2.0
-#
-#  Unless required by applicable law or agreed to in writing, software
-#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-#  License for the specific language governing permissions and limitations
-#  under the License.
-#
-#  SPDX-License-Identifier: Apache-2.0
-#
+  #  Copyright (c) 2023 ZF Friedrichshafen AG
+  #  Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH
+  #  Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+  #  Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation
+  #
+  #  See the NOTICE file(s) distributed with this work for additional
+  #  information regarding copyright ownership.
+  #
+  #  This program and the accompanying materials are made available under the
+  #  terms of the Apache License, Version 2.0 which is available at
+  #  https://www.apache.org/licenses/LICENSE-2.0
+  #
+  #  Unless required by applicable law or agreed to in writing, software
+  #  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+  #  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+  #  License for the specific language governing permissions and limitations
+  #  under the License.
+  #
+  #  SPDX-License-Identifier: Apache-2.0
+  #
 
 ---
 apiVersion: apps/v1
@@ -129,7 +129,7 @@ spec:
             - name: "TX_SSI_OAUTH_CLIENT_SECRET_ALIAS"
               value: {{ .Values.controlplane.ssi.oauth.client.secretAlias }}
             - name: "TX_SSI_ENDPOINT_AUDIENCE"
-              value: {{ .Values.controlplane.ssi.endpoint.audience}}
+              value: {{ printf "%s%s" (include "txdc.controlplane.url.protocol" .) .Values.controlplane.endpoints.protocol.path | quote }}
 
             #######
             # API #

charts/tractusx-connector-memory/templates/deployment-runtime.yaml

@@ -129,7 +129,7 @@ spec:
             - name: "TX_SSI_OAUTH_CLIENT_SECRET_ALIAS"
               value: {{ .Values.runtime.ssi.oauth.client.secretAlias }}
             - name: "TX_SSI_ENDPOINT_AUDIENCE"
-              value: {{ .Values.runtime.ssi.endpoint.audience}}
+              value: {{ printf "%s%s" (include "txdc.runtime.url.protocol" .) .Values.runtime.endpoints.protocol.path | quote }}
 
 
             #######

charts/tractusx-connector/templates/deployment-controlplane.yaml

@@ -1,24 +1,24 @@
 #
-#  Copyright (c) 2023 ZF Friedrichshafen AG
-#  Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH
-#  Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
-#  Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation
-#
-#  See the NOTICE file(s) distributed with this work for additional
-#  information regarding copyright ownership.
-#
-#  This program and the accompanying materials are made available under the
-#  terms of the Apache License, Version 2.0 which is available at
-#  https://www.apache.org/licenses/LICENSE-2.0
-#
-#  Unless required by applicable law or agreed to in writing, software
-#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-#  License for the specific language governing permissions and limitations
-#  under the License.
-#
-#  SPDX-License-Identifier: Apache-2.0
-#
+  #  Copyright (c) 2023 ZF Friedrichshafen AG
+  #  Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH
+  #  Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+  #  Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation
+  #
+  #  See the NOTICE file(s) distributed with this work for additional
+  #  information regarding copyright ownership.
+  #
+  #  This program and the accompanying materials are made available under the
+  #  terms of the Apache License, Version 2.0 which is available at
+  #  https://www.apache.org/licenses/LICENSE-2.0
+  #
+  #  Unless required by applicable law or agreed to in writing, software
+  #  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+  #  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+  #  License for the specific language governing permissions and limitations
+  #  under the License.
+  #
+  #  SPDX-License-Identifier: Apache-2.0
+  #
 
 ---
 apiVersion: apps/v1
@@ -129,7 +129,7 @@ spec:
             - name: "TX_SSI_OAUTH_CLIENT_SECRET_ALIAS"
               value: {{ .Values.controlplane.ssi.oauth.client.secretAlias }}
             - name: "TX_SSI_ENDPOINT_AUDIENCE"
-              value: {{ .Values.controlplane.ssi.endpoint.audience}}
+              value: {{ printf "%s%s" (include "txdc.controlplane.url.protocol" .) .Values.controlplane.endpoints.protocol.path | quote }}
 
             #######
             # API #

docs/samples/example-dataspace/README.md

@@ -8,6 +8,12 @@ Vault, PostgreSQL) and a DAPS instance that both share.
 We've tested this setup with [KinD](https://kind.sigs.k8s.io/), but other runtimes such
 as [Minikube](https://minikube.sigs.k8s.io/docs/start/) may work as well, we just haven't tested them.
 
+This version of Tractus-X EDC _requires_ a running instance of the Managed Identity Wallet and KeyCloak, a connector
+will not be able to communicate to another connector without it.
+
+Installation instructions for those are beyond the scope of this document, please refer to the respective manuals and
+guides for information on how to set them up.
+
 Furthermore, this guide assumes:
 
 - the Tractus-X EDC repository is checked out, the working directory for this guide is `docs/samples/example-dataspace`
@@ -16,39 +22,40 @@ Furthermore, this guide assumes:
 - the following tools are available: `yq`, `openssl`, `base64`
 - a POSIX-compliant shell, e.g. `bash` or `zsh` unless stated otherwise
 
-### 1.1 Create certificates for both runtimes
+### 1.1 Create secrets for both runtimes
 
 We'll need a x509 certificate in order to communicate with DAPS, as well as a private key and a Data Encryption signing
 key.
 
 ```shell
-# SOKRATES key/cert for daps
-openssl req -newkey rsa:2048 -new -nodes -x509 -days 1 -keyout sokrates.key -out sokrates.cert -subj "/CN=test"
+# SOKRATES aes encryption key
 echo "aes_enckey_test" | base64 > sokrates.aes.key
 
-# PLATO key/cert for daps
-openssl req -newkey rsa:2048 -new -nodes -x509 -days 1 -keyout plato.key -out plato.cert -subj "/CN=test"
+# PLATO aes encryption key
 echo "aes_enckey_test" | base64 > plato.aes.key
 ```
 
 Any arbitrary string can be used for the AES key, but it has to be 16, 24, or 32 characters in length, assuming UTF-8
 encoding.
 
-### 1.2 Modify the DAPS's `values.yaml` located at `daps/values.yaml`
+### 1.2 Obtain configuration for MiW and KeyCloak
 
-With the following command, we "inject" the previously created certificates and client ids into the DAPS's config:
+> The following information is _required_, your connectors will **not** work properly unless you
+> modify the `ssi:` section of `sokrates-values.yaml` and `plato-values.yaml` accordingly!
 
-```shell
-VALUES_FILE=daps/values.yaml
+For communication with KeyCloak we need the following information
 
-# Add both public keys to daps
-yq -i ".connectors[0].certificate=\"$(cat sokrates.cert)\"" "$VALUES_FILE"
-yq -i ".connectors[1].certificate=\"$(cat plato.cert)\"" "$VALUES_FILE"
-```
+- the `tokenurl`: URL where access tokens can be obtained
+- the `client.id`: KeyCloak identifier of the connector
 
-### 1.3 Install/Launch DAPS
+Note that the OAuth2 client secret will be stored in the vault under the alias `client-secret`.
 
-`helm install daps daps/`
+In order to use MiW as credential backend we need the following information:
+
+- `url`: a URL where MiW is reachable
+- `authorityId`: this is the `issuerIdentifier` for MiW REST requests, please refer to the respective documentation.
+
+Furthermore, we need the `endpoint.audience`, which is used to verify the `aud` claim of incoming requests. This does **not** have to be set explicitly, it defaults to each connector's callback address.
 
 ## 2. Prepare Connectors
 
@@ -58,17 +65,19 @@ a `postStart` element to the chart's configuration file:
 ```shell
 # for sokrates
 CONFIG_FILE=sokrates-values.yaml
+CLIENT_SECRET=<sokrates-oauth-client-secret>
 
-yq -i ".vault.server.postStart |= [\"sh\",\"-c\",\"{\nsleep 5\n\ncat << EOF | /bin/vault kv put secret/daps-crt content=-\n$(cat sokrates.cert)\nEOF\n\n
-cat << EOF | /bin/vault kv put secret/daps-key content=-\n$(cat sokrates.key)\nEOF\n\n
-/bin/vault kv put secret/aes-keys content=$(cat sokrates.aes.key)\n\n}\"]" "$CONFIG_FILE"
+yq -i ".vault.server.postStart |= [\"sh\",\"-c\",\"{\nsleep 5\n
+/bin/vault kv put secret/client-secret content=$CLIENT_SECRET\n
+/bin/vault kv put secret/aes-keys content=$AES_KEY\n}\"]" "$VALUES_FILE"
 
 # for plato
 CONFIG_FILE=plato-values.yaml
+CLIENT_SECRET=<plato-oauth-client-secret>
 
-yq -i ".vault.server.postStart |= [\"sh\",\"-c\",\"{\nsleep 5\n\ncat << EOF | /bin/vault kv put secret/daps-crt content=-\n$(cat plato.cert)\nEOF\n\n
-cat << EOF | /bin/vault kv put secret/daps-key content=-\n$(cat plato.key)\nEOF\n\n
-/bin/vault kv put secret/aes-keys content=$(cat plato.aes.key)\n\n}\"]" "$CONFIG_FILE"
+yq -i ".vault.server.postStart |= [\"sh\",\"-c\",\"{\nsleep 5\n
+/bin/vault kv put secret/client-secret content=$CLIENT_SECRET\n
+/bin/vault kv put secret/aes-keys content=$AES_KEY\n}\"]" "$VALUES_FILE"
 ```
 
 ## 3 Install the connectors
@@ -108,12 +117,12 @@ There is several ways of making sure everything worked out well:
   ```shell
   stern tx-sokrates
   ```
-  
+
   then look out for something similar to:
 
   ```shell
   tx-sokrates-controlplane-b9456f97b-s5jts tractusx-connector INFO 2023-05-31T07:24:53.020975888 tx-sokrates-controlplane ready
   ```
-  
+
 - wait for the Kubernetes rollout to be successful, e.g. `kubectl rollout status deployment tx-plato-controlplane`
 - use `helm test` to execute tests: `helm test tx-plato`