From e7957c7546a41964c71dcaf25618afa0eab32331 Mon Sep 17 00:00:00 2001
From: Paul Latzelsperger
Date: Tue, 20 Jun 2023 22:09:02 +0200
Subject: [PATCH] Updated example-dataspace
---
 .../templates/deployment-controlplane.yaml | 42 ++---
 .../templates/deployment-runtime.yaml | 2 +-
 .../templates/deployment-controlplane.yaml | 42 ++---
 docs/samples/example-dataspace/README.md | 55 +++---
 .../example-dataspace/daps/.helmignore | 23 ---
 .../samples/example-dataspace/daps/Chart.yaml | 43 -----
 docs/samples/example-dataspace/daps/README.md | 39 ----
 .../daps/templates/_helpers.tpl | 62 -------
 .../daps/templates/configmap.yaml | 92 ----------
 .../daps/templates/deployment.yaml | 168 ------------------
 .../example-dataspace/daps/templates/hpa.yaml | 47 -----
 .../daps/templates/imagepullsecret.yaml | 31 ----
 .../daps/templates/service.yaml | 34 ----
 .../daps/templates/serviceaccount.yaml | 31 ----
 .../example-dataspace/daps/values.yaml | 96 ----------
 .../example-dataspace/plato-values.yaml | 19 +-
 .../example-dataspace/sokrates-values.yaml | 19 +-
 17 files changed, 95 insertions(+), 750 deletions(-)
 delete mode 100644 docs/samples/example-dataspace/daps/.helmignore
 delete mode 100644 docs/samples/example-dataspace/daps/Chart.yaml
 delete mode 100644 docs/samples/example-dataspace/daps/README.md
 delete mode 100644 docs/samples/example-dataspace/daps/templates/_helpers.tpl
 delete mode 100644 docs/samples/example-dataspace/daps/templates/configmap.yaml
 delete mode 100644 docs/samples/example-dataspace/daps/templates/deployment.yaml
 delete mode 100644 docs/samples/example-dataspace/daps/templates/hpa.yaml
 delete mode 100644 docs/samples/example-dataspace/daps/templates/imagepullsecret.yaml
 delete mode 100644 docs/samples/example-dataspace/daps/templates/service.yaml
 delete mode 100644 docs/samples/example-dataspace/daps/templates/serviceaccount.yaml
 delete mode 100644 docs/samples/example-dataspace/daps/values.yaml
diff --git a/charts/tractusx-connector-azure-vault/templates/deployment-controlplane.yaml b/charts/tractusx-connector-azure-vault/templates/deployment-controlplane.yaml
index 0184d6803..362594114 100644
--- a/charts/tractusx-connector-azure-vault/templates/deployment-controlplane.yaml
+++ b/charts/tractusx-connector-azure-vault/templates/deployment-controlplane.yaml
@@ -1,24 +1,24 @@ # -# Copyright (c) 2023 ZF Friedrichshafen AG -# Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH -# Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) -# Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# + # Copyright (c) 2023 ZF Friedrichshafen AG + # Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH + # Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) + # Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License, Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + # License for the specific language governing permissions and limitations + # under the License. + # + # SPDX-License-Identifier: Apache-2.0 + # --- apiVersion: apps/v1 
@@ -129,7 +129,7 @@ spec: - name: "TX_SSI_OAUTH_CLIENT_SECRET_ALIAS" value: {{ .Values.controlplane.ssi.oauth.client.secretAlias }} - name: "TX_SSI_ENDPOINT_AUDIENCE" - value: {{ .Values.controlplane.ssi.endpoint.audience}} + value: {{ printf "%s%s" (include "txdc.controlplane.url.protocol" .) .Values.controlplane.endpoints.protocol.path | quote }} ####### # API # diff --git a/charts/tractusx-connector-memory/templates/deployment-runtime.yaml b/charts/tractusx-connector-memory/templates/deployment-runtime.yaml index d02855d78..c2a1d61b7 100644 --- a/charts/tractusx-connector-memory/templates/deployment-runtime.yaml +++ b/charts/tractusx-connector-memory/templates/deployment-runtime.yaml @@ -129,7 +129,7 @@ spec: - name: "TX_SSI_OAUTH_CLIENT_SECRET_ALIAS" value: {{ .Values.runtime.ssi.oauth.client.secretAlias }} - name: "TX_SSI_ENDPOINT_AUDIENCE" - value: {{ .Values.runtime.ssi.endpoint.audience}} + value: {{ printf "%s%s" (include "txdc.runtime.url.protocol" .) .Values.runtime.endpoints.protocol.path | quote }} ####### diff --git a/charts/tractusx-connector/templates/deployment-controlplane.yaml b/charts/tractusx-connector/templates/deployment-controlplane.yaml index 75b1bfd42..27eafea69 100644 --- a/charts/tractusx-connector/templates/deployment-controlplane.yaml +++ b/charts/tractusx-connector/templates/deployment-controlplane.yaml 
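Review bot: The new `TX_SSI_ENDPOINT_AUDIENCE` value is rendered unconditionally, so whatever an operator sets under `controlplane.ssi.endpoint.audience` (the key this line read before; the chart's values.yaml is not in this commit's diffstat, so the key presumably still exists) is now silently ignored, while the README in this same commit tells users the audience "does not have to be set explicitly" and "defaults to" the callback address, which reads as if it were overridable. Because this value is what the `aud` check binds an incoming token to, the chart should either honour the override or remove the key and the README sentence; honouring it is one line, `value: {{ .Values.controlplane.ssi.endpoint.audience | default (printf "%s%s" (include "txdc.controlplane.url.protocol" .) .Values.controlplane.endpoints.protocol.path) | quote }}`. The same pattern appears in the deployment-runtime.yaml hunk below (`.Values.runtime.ssi.endpoint.audience`) and in the tractusx-connector deployment-controlplane.yaml hunk further down, and the fix applies to all three. If the key is kept, a comment such as `# audience for incoming tokens; defaults to this connector's protocol URL` above the env entry would make the contract visible in the template. The whitespace-only re-indentation of the license header in the first hunk of this file looks like unrelated editor churn and could be dropped from the commit.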
@@ -1,24 +1,24 @@ # -# Copyright (c) 2023 ZF Friedrichshafen AG -# Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH -# Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) -# Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# + # Copyright (c) 2023 ZF Friedrichshafen AG + # Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH + # Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) + # Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License, Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + # License for the specific language governing permissions and limitations + # under the License. + # + # SPDX-License-Identifier: Apache-2.0 + # --- apiVersion: apps/v1 
@@ -129,7 +129,7 @@ spec: - name: "TX_SSI_OAUTH_CLIENT_SECRET_ALIAS" value: {{ .Values.controlplane.ssi.oauth.client.secretAlias }} - name: "TX_SSI_ENDPOINT_AUDIENCE" - value: {{ .Values.controlplane.ssi.endpoint.audience}} + value: {{ printf "%s%s" (include "txdc.controlplane.url.protocol" .) .Values.controlplane.endpoints.protocol.path | quote }} ####### # API # diff --git a/docs/samples/example-dataspace/README.md b/docs/samples/example-dataspace/README.md index 9842186cd..0b28e1fd9 100644 --- a/docs/samples/example-dataspace/README.md +++ b/docs/samples/example-dataspace/README.md @@ -8,6 +8,12 @@ Vault, PostgreSQL) and a DAPS instance that both share. We've tested this setup with [KinD](https://kind.sigs.k8s.io/), but other runtimes such as [Minikube](https://minikube.sigs.k8s.io/docs/start/) may work as well, we just haven't tested them. +This version of Tractus-X EDC _requires_ a running instance of the Managed Identity Wallet and KeyCloak, a connector +will not be able to communicate to another connector without it. + +Installation instructions for those are beyond the scope of this document, please refer to the respective manuals and +guides for information on how to set them up. + Furthermore, this guide assumes: - the Tractus-X EDC repository is checked out, the working directory for this guide is `docs/samples/example-dataspace` 
@@ -16,39 +22,40 @@ Furthermore, this guide assumes: - the following tools are available: `yq`, `openssl`, `base64` - a POSIX-compliant shell, e.g. `bash` or `zsh` unless stated otherwise -### 1.1 Create certificates for both runtimes +### 1.1 Create secrets for both runtimes We'll need a x509 certificate in order to communicate with DAPS, as well as a private key and a Data Encryption signing key. ```shell -# SOKRATES key/cert for daps -openssl req -newkey rsa:2048 -new -nodes -x509 -days 1 -keyout sokrates.key -out sokrates.cert -subj "/CN=test" +# SOKRATES aes encryption key echo "aes_enckey_test" | base64 > sokrates.aes.key -# PLATO key/cert for daps -openssl req -newkey rsa:2048 -new -nodes -x509 -days 1 -keyout plato.key -out plato.cert -subj "/CN=test" +# PLATO aes encryption key echo "aes_enckey_test" | base64 > plato.aes.key ``` Any arbitrary string can be used for the AES key, but it has to be 16, 24, or 32 characters in length, assuming UTF-8 encoding. -### 1.2 Modify the DAPS's `values.yaml` located at `daps/values.yaml` +### 1.2 Obtain configuration for MiW and KeyCloak -With the following command, we "inject" the previously created certificates and client ids into the DAPS's config: +> The following information is _required_, your connectors will **not** work properly unless you +> modify the `ssi:` section of `sokrates-values.yaml` and `plato-values.yaml` accordingly! -```shell -VALUES_FILE=daps/values.yaml +For communication with KeyCloak we need the following information -# Add both public keys to daps -yq -i ".connectors[0].certificate=\"$(cat sokrates.cert)\"" "$VALUES_FILE" -yq -i ".connectors[1].certificate=\"$(cat plato.cert)\"" "$VALUES_FILE" -``` +- the `tokenurl`: URL where access tokens can be obtained +- the `client.id`: KeyCloak identifier of the connector -### 1.3 Install/Launch DAPS +Note that the OAuth2 client secret will be stored in the vault under the alias `client-secret`. 
-`helm install daps daps/` +In order to use MiW as credential backend we need the following information: + +- `url`: a URL where MiW is reachable +- `authorityId`: this is the `issuerIdentifier` for MiW REST requests, please refer to the respective documentation. + +Furthermore, we need the `endpoint.audience`, which is used to verify the `aud` claim of incoming requests. This does **not** have to be set explicitly, it defaults to each connector's callback address. ## 2. Prepare Connectors @@ -58,17 +65,19 @@ a `postStart` element to the chart's configuration file: ```shell # for sokrates CONFIG_FILE=sokrates-values.yaml +CLIENT_SECRET= -yq -i ".vault.server.postStart |= [\"sh\",\"-c\",\"{\nsleep 5\n\ncat << EOF | /bin/vault kv put secret/daps-crt content=-\n$(cat sokrates.cert)\nEOF\n\n -cat << EOF | /bin/vault kv put secret/daps-key content=-\n$(cat sokrates.key)\nEOF\n\n -/bin/vault kv put secret/aes-keys content=$(cat sokrates.aes.key)\n\n}\"]" "$CONFIG_FILE" +yq -i ".vault.server.postStart |= [\"sh\",\"-c\",\"{\nsleep 5\n +/bin/vault kv put secret/client-secret content=$CLIENT_SECRET\n +/bin/vault kv put secret/aes-keys content=$AES_KEY\n}\"]" "$VALUES_FILE" # for plato CONFIG_FILE=plato-values.yaml +CLIENT_SECRET= -yq -i ".vault.server.postStart |= [\"sh\",\"-c\",\"{\nsleep 5\n\ncat << EOF | /bin/vault kv put secret/daps-crt content=-\n$(cat plato.cert)\nEOF\n\n -cat << EOF | /bin/vault kv put secret/daps-key content=-\n$(cat plato.key)\nEOF\n\n -/bin/vault kv put secret/aes-keys content=$(cat plato.aes.key)\n\n}\"]" "$CONFIG_FILE" +yq -i ".vault.server.postStart |= [\"sh\",\"-c\",\"{\nsleep 5\n +/bin/vault kv put secret/client-secret content=$CLIENT_SECRET\n +/bin/vault kv put secret/aes-keys content=$AES_KEY\n}\"]" "$VALUES_FILE" ``` ## 3 Install the connectors 
@@ -108,12 +117,12 @@ There is several ways of making sure everything worked out well: ```shell stern tx-sokrates ``` - + then look out for something similar to: ```shell tx-sokrates-controlplane-b9456f97b-s5jts tractusx-connector INFO 2023-05-31T07:24:53.020975888 tx-sokrates-controlplane ready ``` - + - wait for the Kubernetes rollout to be successful, e.g. `kubectl rollout status deployment tx-plato-controlplane` - use `helm test` to execute tests: `helm test tx-plato` diff --git a/docs/samples/example-dataspace/daps/.helmignore b/docs/samples/example-dataspace/daps/.helmignore deleted file mode 100644 index 0e8a0eb36..000000000 --- a/docs/samples/example-dataspace/daps/.helmignore +++ /dev/null @@ -1,23 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/docs/samples/example-dataspace/daps/Chart.yaml b/docs/samples/example-dataspace/daps/Chart.yaml deleted file mode 100644 index f0a4e6e4e..000000000 --- a/docs/samples/example-dataspace/daps/Chart.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -# Copyright (c) 2023 Contributors to the Eclipse Foundation -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# - ---- -apiVersion: v2 -name: daps -description: A Helm chart for Kubernetes - -# A chart can be either an 'application' or a 'library' chart. -# -# Application charts are a collection of templates that can be packaged into versioned archives -# to be deployed. -# -# Library charts provide useful utilities or functions for the chart developer. They're included as -# a dependency of application charts to inject those utilities and functions into the rendering -# pipeline. Library charts do not define any templates and therefore cannot be deployed. -type: application - -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -# Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.0.1 - -# This is the version number of the application being deployed. This version number should be -# incremented each time you make changes to the application. Versions are not expected to -# follow Semantic Versioning. They should reflect the version the application is using. -# It is recommended to use it with quotes. -appVersion: "0.0.1" 
diff --git a/docs/samples/example-dataspace/daps/README.md b/docs/samples/example-dataspace/daps/README.md
deleted file mode 100644
index 1f0c20e36..000000000
--- a/docs/samples/example-dataspace/daps/README.md
+++ /dev/null
@@ -1,39 +0,0 @@ -# daps - -![Version: 0.0.1](https://img.shields.io/badge/Version-0.0.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.1](https://img.shields.io/badge/AppVersion-0.0.1-informational?style=flat-square) - -A Helm chart for Kubernetes - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| affinity | object | `{}` | [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) constrains which nodes the Pod can be scheduled on based on node labels. | -| automountServiceAccountToken | bool | `false` | Whether to [automount kubernetes API credentials](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server) into the pod | -| autoscaling.enabled | bool | `false` | Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) | -| autoscaling.maxReplicas | int | `100` | Maximum replicas if resource consumption exceeds resource threshholds | -| autoscaling.minReplicas | int | `1` | Minimal replicas if resource consumption falls below resource threshholds | -| autoscaling.targetCPUUtilizationPercentage | int | `80` | targetAverageUtilization of cpu provided to a pod | -| autoscaling.targetMemoryUtilizationPercentage | int | `80` | targetAverageUtilization of memory provided to a pod | -| connectors | list | `[]` | | -| fullnameOverride | string | `""` | Overrides the releases full name | -| image.pullPolicy | string | `"IfNotPresent"` | [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use | -| image.repository | string | `"ghcr.io/fraunhofer-aisec/omejdn-server"` | Which omjedn container image to use 
| -| image.tag | string | `"1.7.1"` | Overrides the image tag whose default is the chart appVersion | -| imagePullSecret.dockerconfigjson | string | `""` | Image pull secret to create to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) Note: This value needs to adhere to the [(base64 encoded) .dockerconfigjson format](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#registry-secret-existing-credentials). Furthermore, if 'imagePullSecret.dockerconfigjson' is defined, it takes precedence over 'imagePullSecrets'. | -| nameOverride | string | `""` | Overrides the charts name | -| nodeSelector | object | `{}` | [Node-Selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain the Pod to nodes with specific labels. | -| podAnnotations | object | `{}` | [Annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) added to deployed [pods](https://kubernetes.io/docs/concepts/workloads/pods/) | -| podSecurityContext | object | `{}` | | -| replicaCount | int | `1` | Specifies how many replicas of a deployed pod shall be created during the deployment Note: If horizontal pod autoscaling is enabled this setting has no effect | -| resources | object | `{}` | [Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) applied to the deployed pod | -| securityContext | object | `{}` | | -| service.port | int | `4567` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service) to expose the running application on a set of Pods as a network service. | -| service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. 
| -| serviceAccount.annotations | object | `{}` | [Annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) to add to the service account | -| serviceAccount.create | bool | `true` | Specifies whether a [service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) should be created per release | -| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the release's fullname template | -| tolerations | list | `[]` | [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) are applied to Pods to schedule onto nodes with matching taints. | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.10.0](https://github.com/norwoodj/helm-docs/releases/v1.10.0) diff --git a/docs/samples/example-dataspace/daps/templates/_helpers.tpl b/docs/samples/example-dataspace/daps/templates/_helpers.tpl deleted file mode 100644 index 95b115eee..000000000 --- a/docs/samples/example-dataspace/daps/templates/_helpers.tpl +++ /dev/null 
@@ -1,62 +0,0 @@ -{{/* -Expand the name of the chart. -*/}} -{{- define "omejdn.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "omejdn.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "omejdn.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "omejdn.labels" -}} -helm.sh/chart: {{ include "omejdn.chart" . }} -{{ include "omejdn.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "omejdn.selectorLabels" -}} -app.kubernetes.io/name: {{ include "omejdn.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} - -{{/* -Create the name of the service account to use -*/}} -{{- define "omejdn.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "omejdn.fullname" .) .Values.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.serviceAccount.name }} -{{- end }} -{{- end }} 
diff --git a/docs/samples/example-dataspace/daps/templates/configmap.yaml b/docs/samples/example-dataspace/daps/templates/configmap.yaml
deleted file mode 100644
index 0f007ed8d..000000000
--- a/docs/samples/example-dataspace/daps/templates/configmap.yaml
+++ /dev/null
@@ -1,92 +0,0 @@ -# Copyright (c) 2023 Contributors to the Eclipse Foundation -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# - ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "omejdn.fullname" . }} - labels: - {{- include "omejdn.labels" . | nindent 4 }} -data: - scope_mapping.yml: |- - --- - idsc:IDS_CONNECTOR_ATTRIBUTES_ALL: - - referringConnector - - omejdn.yml: |- - --- - host: http://{{ .Release.Name }}-daps:4567/ - path_prefix: '' - bind_to: 0.0.0.0 - allow_origin: "*" - app_env: debug - openid: false - user_backend: - - yaml - user_backend_default: yaml - accept_audience: idsc:IDS_CONNECTORS_ALL - issuer: http://{{ .Release.Name }}-daps:4567/ - environment: development - default_audience: - - idsc:IDS_CONNECTORS_ALL - access_token: - expiration: 3600 - algorithm: RS256 - id_token: - expiration: 3600 - algorithm: RS256 - - plugins.yml: |- - --- - plugins: - token_user_attributes: - - clients.yml: |- - --- - - client_id: data-plane-oauth2 - client_secret: supersecret - name: provision oauth2 - grant_types: - - client_credentials - token_endpoint_auth_method: client_secret_post - scope: openid -{{- range $i, $val := .Values.connectors }} - - client_id: {{ quote $val.id }} - name: {{ quote $val.name }} - token_endpoint_auth_method: private_key_jwt - grant_types: - - client_credentials - scope: - - 
idsc:IDS_CONNECTOR_ATTRIBUTES_ALL - attributes: - - key: idsc - value: IDS_CONNECTOR_ATTRIBUTES_ALL - - key: securityProfile - value: idsc:BASE_SECURITY_PROFILE - {{- range $key, $value := $val.attributes }} - - key: {{ $key }} - value: {{ $value }} - {{- end }} - redirect_uri: http://localhost:4200 -{{ end -}} - - -{{- range $i, $val := .Values.connectors }} - {{ $val.name }}: {{ quote $val.certificate | toString }} -{{ end -}} diff --git a/docs/samples/example-dataspace/daps/templates/deployment.yaml b/docs/samples/example-dataspace/daps/templates/deployment.yaml deleted file mode 100644 index 58bfff105..000000000 --- a/docs/samples/example-dataspace/daps/templates/deployment.yaml +++ /dev/null 
@@ -1,168 +0,0 @@ -# Copyright (c) 2023 Contributors to the Eclipse Foundation -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "omejdn.fullname" . }} - labels: - {{- include "omejdn.labels" . | nindent 4 }} -spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} - {{- end }} - selector: - matchLabels: - {{- include "omejdn.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "omejdn.selectorLabels" . | nindent 8 }} - spec: - {{- if .Values.imagePullSecret.dockerconfigjson }} - imagePullSecrets: - - name: {{ include "omejdn.fullname" . }}-imagepullsecret - {{- else }} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- end }} - serviceAccountName: {{ include "omejdn.serviceAccountName" . }} - automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . 
| nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - initContainers: - - name: init-daps-pvc - image: alpine - command: - - "sh" - - "-c" - args: - - | - cp /opt/config/omejdn.yml /etc/daps/omejdn.yml - cp /opt/config/clients.yml /etc/daps/clients.yml - cp /opt/config/plugins.yml /etc/daps/plugins.yml - cp /opt/config/scope_mapping.yml /etc/daps/scope_mapping.yml - apk add --update openssl - openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout /etc/keys/omejdn/omejdn.key \ - -subj "/C=DE/ST=Berlin/L=Berlin/O=Tractus-X-EDC-Test, Inc./OU=DE" - volumeMounts: - - mountPath: /etc/daps - name: config-dir - - mountPath: /etc/keys/omejdn - name: omejdn-key-dir - - mountPath: /opt/config/omejdn.yml - name: omejdn-config - subPath: omejdn.yml - - mountPath: /opt/config/scope_mapping.yml - name: scope-mapping - subPath: scope_mapping.yml - - mountPath: /opt/config/clients.yml - name: clients-config - subPath: clients.yml - - mountPath: /opt/config/plugins.yml - name: plugins-config - subPath: plugins.yml - containers: - - name: {{ .Chart.Name }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - volumeMounts: - - mountPath: /opt/config/ - name: config-dir - - mountPath: /opt/keys/omejdn/omejdn.key - name: omejdn-key-dir - subPath: omejdn.key - - mountPath: /opt/keys/clients/ - name: client-certificates - ports: - - name: http - containerPort: 4567 - protocol: TCP - livenessProbe: - httpGet: - path: /jwks.json - port: http - readinessProbe: - httpGet: - path: /jwks.json - port: http - resources: - {{- toYaml .Values.resources | nindent 12 }} - env: - - name: OMEJDN_JWT_AUD_OVERRIDE - value: "idsc:IDS_CONNECTORS_ALL" - - name: OMEJDN_PLUGINS - value: "config/plugins.yml" - volumes: - - name: config-dir - emptyDir: { } - - name: 
omejdn-key-dir - emptyDir: { } - - name: omejdn-config - configMap: - name: {{ include "omejdn.fullname" . }} - items: - - key: omejdn.yml - path: omejdn.yml - - name: scope-mapping - configMap: - name: {{ include "omejdn.fullname" . }} - items: - - key: scope_mapping.yml - path: scope_mapping.yml - - name: clients-config - configMap: - name: {{ include "omejdn.fullname" . }} - items: - - key: clients.yml - path: clients.yml - - name: plugins-config - configMap: - name: {{ include "omejdn.fullname" . }} - items: - - key: plugins.yml - path: plugins.yml - - name: client-certificates - configMap: - name: {{ include "omejdn.fullname" . }} - items: - {{- range $i, $val := .Values.connectors }} - - key: {{ $val.name }} - path: {{ $val.id }}.cert - {{- end }} diff --git a/docs/samples/example-dataspace/daps/templates/hpa.yaml b/docs/samples/example-dataspace/daps/templates/hpa.yaml deleted file mode 100644 index f1f072f6c..000000000 --- a/docs/samples/example-dataspace/daps/templates/hpa.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -# Copyright (c) 2023 Contributors to the Eclipse Foundation - # - # See the NOTICE file(s) distributed with this work for additional - # information regarding copyright ownership. - # - # This program and the accompanying materials are made available under the - # terms of the Apache License, Version 2.0 which is available at - # https://www.apache.org/licenses/LICENSE-2.0 - # - # Unless required by applicable law or agreed to in writing, software - # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - # License for the specific language governing permissions and limitations - # under the License. - # - # SPDX-License-Identifier: Apache-2.0 - # - -{{- if .Values.autoscaling.enabled }} ---- -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: {{ include "omejdn.fullname" . }} - labels: - {{- include "omejdn.labels" . | nindent 4 }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ include "omejdn.fullname" . }} - minReplicas: {{ .Values.autoscaling.minReplicas }} - maxReplicas: {{ .Values.autoscaling.maxReplicas }} - metrics: - {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} - {{- end }} - {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} - - type: Resource - resource: - name: memory - targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} - {{- end }} -{{- end }} diff --git a/docs/samples/example-dataspace/daps/templates/imagepullsecret.yaml b/docs/samples/example-dataspace/daps/templates/imagepullsecret.yaml deleted file mode 100644 index 44f573e0f..000000000 --- a/docs/samples/example-dataspace/daps/templates/imagepullsecret.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -# Copyright (c) 2023 Contributors to the Eclipse Foundation - # - # See the NOTICE file(s) distributed with this work for additional - # information regarding copyright ownership. - # - # This program and the accompanying materials are made available under the - # terms of the Apache License, Version 2.0 which is available at - # https://www.apache.org/licenses/LICENSE-2.0 - # - # Unless required by applicable law or agreed to in writing, software - # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - # License for the specific language governing permissions and limitations - # under the License. - # - # SPDX-License-Identifier: Apache-2.0 - # - -{{- if .Values.imagePullSecret.dockerconfigjson }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "edc-dataplane.fullname" . }}-imagepullsecret - namespace: {{ .Release.Namespace | default "default" | quote }} - labels: - {{- include "edc-dataplane.labels" . | nindent 4 }} -data: - .dockerconfigjson: {{ .Values.imagePullSecret.dockerconfigjson }} -type: kubernetes.io/dockerconfigjson -{{- end }} diff --git a/docs/samples/example-dataspace/daps/templates/service.yaml b/docs/samples/example-dataspace/daps/templates/service.yaml deleted file mode 100644 index 947e69742..000000000 --- a/docs/samples/example-dataspace/daps/templates/service.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# Copyright (c) 2023 Contributors to the Eclipse Foundation -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# - ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ include "omejdn.fullname" . }} - labels: - {{- include "omejdn.labels" . | nindent 4 }} -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.port }} - targetPort: http - protocol: TCP - name: http - selector: - {{- include "omejdn.selectorLabels" . | nindent 4 }} diff --git a/docs/samples/example-dataspace/daps/templates/serviceaccount.yaml b/docs/samples/example-dataspace/daps/templates/serviceaccount.yaml deleted file mode 100644 index 536f31871..000000000 --- a/docs/samples/example-dataspace/daps/templates/serviceaccount.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -# Copyright (c) 2023 Contributors to the Eclipse Foundation -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# - -{{- if .Values.serviceAccount.create -}} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "omejdn.serviceAccountName" . }} - labels: - {{- include "omejdn.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} diff --git a/docs/samples/example-dataspace/daps/values.yaml b/docs/samples/example-dataspace/daps/values.yaml deleted file mode 100644 index 3553dcc86..000000000 --- a/docs/samples/example-dataspace/daps/values.yaml +++ /dev/null 
@@ -1,96 +0,0 @@ -# Copyright (c) 2023 Contributors to the Eclipse Foundation -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# - ---- -# Default values for omejdn. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# -- Specifies how many replicas of a deployed pod shall be created during the deployment -# Note: If horizontal pod autoscaling is enabled this setting has no effect -replicaCount: 1 -image: - # -- Which omjedn container image to use - repository: ghcr.io/fraunhofer-aisec/omejdn-server - # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use - pullPolicy: IfNotPresent - # -- Overrides the image tag whose default is the chart appVersion - tag: "1.7.1" -imagePullSecret: - # -- Image pull secret to create to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) - # Note: This value needs to adhere to the [(base64 encoded) .dockerconfigjson format](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#registry-secret-existing-credentials). - # Furthermore, if 'imagePullSecret.dockerconfigjson' is defined, it takes precedence over 'imagePullSecrets'. 
- dockerconfigjson: "" -# -- Overrides the charts name -nameOverride: "" -# -- Overrides the releases full name -serviceAccount: - # -- Specifies whether a [service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) should be created per release - create: true - # -- [Annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) to add to the service account - annotations: { } - # -- The name of the service account to use. If not set and create is true, a name is generated using the release's fullname template - name: "" -# -- Whether to [automount kubernetes API credentials](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server) into the pod -automountServiceAccountToken: false -# -- [Annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) added to deployed [pods](https://kubernetes.io/docs/concepts/workloads/pods/) -podAnnotations: { } -# The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment -podSecurityContext: { } -# The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod -securityContext: { } -service: - # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. - type: ClusterIP - # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service) to expose the running application on a set of Pods as a network service. 
- port: 4567 -# -- [Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) applied to the deployed pod -resources: { } -autoscaling: - # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) - enabled: false - # -- Minimal replicas if resource consumption falls below resource threshholds - minReplicas: 1 - # -- Maximum replicas if resource consumption exceeds resource threshholds - maxReplicas: 100 - # -- targetAverageUtilization of cpu provided to a pod - targetCPUUtilizationPercentage: 80 - # -- targetAverageUtilization of memory provided to a pod - targetMemoryUtilizationPercentage: 80 -# -- [Node-Selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain the Pod to nodes with specific labels. -nodeSelector: { } -# -- [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) are applied to Pods to schedule onto nodes with matching taints. -tolerations: [ ] -# -- [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) constrains which nodes the Pod can be scheduled on based on node labels. -affinity: { } -# List of connector clients. Certificate and Client-ID must be configured in parallel. -fullnameOverride: "daps" -url: "" -clientId: "" -paths: - jwks: /jwks.json - token: /token -connectors: - - id: E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65:keyid:E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65 - name: sokrates - attributes: - referringConnector: http://sokrates-controlplane/BPNSOKRATES - - id: E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65:keyid:E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:69 - name: plato - attributes: - referringConnector: http://plato-controlplane/BPNPLATO 
diff --git a/docs/samples/example-dataspace/plato-values.yaml b/docs/samples/example-dataspace/plato-values.yaml index 21c5675d7..92bc09ce9 100644 --- a/docs/samples/example-dataspace/plato-values.yaml +++ b/docs/samples/example-dataspace/plato-values.yaml @@ -39,6 +39,16 @@ controlplane: securityContext: # avoids some errors in the log: cannot write temp files of large multipart requests when R/O readOnlyRootFilesystem: false + # SSI configuration + ssi: + miw: + url: "" + authorityId: "" + oauth: + tokenurl: "" + client: + id: "" + secretAlias: "client-secret" dataplane: image: pullPolicy: Never @@ -62,17 +72,8 @@ vault: url: http://plato-vault:8200 token: root secretNames: - transferProxyTokenSignerPublicKey: daps-crt - transferProxyTokenSignerPrivateKey: daps-key transferProxyTokenEncryptionAesKey: aes-keys - dapsPrivateKey: daps-key - dapsPublicKey: daps-crt - # this must be set through CLI args: --set vault.secrets=$YOUR_VAULT_SECRETS where YOUR_VAULT_SECRETS should - # be a string in the format "key1:secret1;key2:secret2;..." secrets: server: -daps: - url: "http://daps:4567" - clientId: "E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65:keyid:E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:69" backendService: httpProxyTokenReceiverUrl: "http://backend:8080" diff --git a/docs/samples/example-dataspace/sokrates-values.yaml b/docs/samples/example-dataspace/sokrates-values.yaml index 086eefde5..e05bf87a5 100644 --- a/docs/samples/example-dataspace/sokrates-values.yaml +++ b/docs/samples/example-dataspace/sokrates-values.yaml @@ -38,6 +38,16 @@ controlplane: securityContext: # avoids some errors in the log: cannot write temp files of large multipart requests when R/O readOnlyRootFilesystem: false + # SSI configuration + ssi: + miw: + url: "" + authorityId: "" + oauth: + tokenurl: "" + client: + id: "" + secretAlias: "client-secret" dataplane: image: pullPolicy: Never 
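Review bot: `secretAlias: "client-secret"` in the new `ssi.miw.oauth.client` block names a vault entry that nothing in this values file seeds — the `vault.secrets`/`server` stanza stays empty, and the second hunk of this file removes the comment that told operators to pass `--set vault.secrets="key1:secret1;..."` — so the control plane will presumably fail to resolve the MIW client secret at startup unless it is provisioned out of band. The README changed in this commit may cover that, but the values file should say so next to the alias, e.g. `# vault alias of the MIW OAuth client secret; seed it into plato-vault before install (e.g. --set vault.secrets="client-secret:<secret>")`. The enclosing `controlplane:` mapping starts outside the hunk.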
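Review bot: The new `ssi.miw.url`, `ssi.miw.authorityId`, `ssi.miw.oauth.tokenurl` and `ssi.miw.oauth.client.id` are committed as bare `""` with no hint that they are mandatory or what they must point to, so the sample installs but the connector cannot reach MIW until every one of them is overridden. Add a short comment above the block, e.g. `# Required: MIW base URL, authority identifier and OAuth token endpoint — all four must be overridden (--set controlplane.ssi.miw.url=... etc.); use https for tokenurl, since the client secret is presumably sent with that request`. The quoting is also uneven — `secretAlias` is `"client-secret"` while the placeholders are `""` — which is valid YAML but reads as if only the alias were pre-configured. The same ten lines are duplicated verbatim in plato-values.yaml, so the two samples now have to be kept aligned by hand; a one-line comment pointing at the sibling file would help. The enclosing `controlplane:` mapping starts outside the hunk.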
@@ -61,17 +71,8 @@ vault: url: http://sokrates-vault:8200 token: root secretNames: - transferProxyTokenSignerPublicKey: daps-crt - transferProxyTokenSignerPrivateKey: daps-key transferProxyTokenEncryptionAesKey: aes-keys - dapsPrivateKey: daps-key - dapsPublicKey: daps-crt - # this must be set through CLI args: --set vault.secrets=$YOUR_VAULT_SECRETS where YOUR_VAULT_SECRETS should - # be a string in the format "key1:secret1;key2:secret2;..." secrets: server: -daps: - url: "http://daps:4567" - clientId: "E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65:keyid:E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65" backendService: httpProxyTokenReceiverUrl: "http://backend:8080"