diff --git a/.github/workflows/deployment-test.yaml b/.github/workflows/deployment-test.yaml
index 9071de487..83bc15d08 100644
--- a/.github/workflows/deployment-test.yaml
+++ b/.github/workflows/deployment-test.yaml
@@ -83,7 +83,7 @@ jobs:
 helm_command: |-
 helm install tx-inmem charts/tractusx-connector-memory \
 -f edc-tests/deployment/src/main/resources/helm/tractusx-connector-memory-test.yaml \
- --set vault.secrets="daps-crt:$(cat daps.cert);daps-key:$(cat daps.key)" \
+ --set vault.secrets="client-secret:$(cat client.secret)" \
 --wait-for-jobs --timeout=120s --dependency-update

 # wait for the pod to become ready
@@ -135,9 +135,8 @@ jobs:
 rootDir: "."
 values_file: edc-tests/deployment/src/main/resources/helm/tractusx-connector-azure-vault-test.yaml
 helm_command: |-
- az keyvault secret set --vault-name ${{ secrets.AZURE_VAULT_NAME }} --name daps-crt --value "$(cat daps.cert)" > /dev/null
- az keyvault secret set --vault-name ${{ secrets.AZURE_VAULT_NAME }} --name daps-key --value "$(cat daps.key)" > /dev/null
 az keyvault secret set --vault-name ${{ secrets.AZURE_VAULT_NAME }} --name aes-keys --value "$(cat aes.key)" > /dev/null
+ az keyvault secret set --vault-name ${{ secrets.AZURE_VAULT_NAME }} --name client-secret --value "$(cat client.secret)" > /dev/null

 helm install tx-prod charts/tractusx-connector-azure-vault \
 -f edc-tests/deployment/src/main/resources/helm/tractusx-connector-azure-vault-test.yaml \
diff --git a/charts/tractusx-connector-azure-vault/Chart.yaml b/charts/tractusx-connector-azure-vault/Chart.yaml
index 7b2802934..ca0ecaa02 100644
--- a/charts/tractusx-connector-azure-vault/Chart.yaml
+++ b/charts/tractusx-connector-azure-vault/Chart.yaml
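Review bot: The added `--set vault.secrets="client-secret:$(cat client.secret)"` at @@ -83 and the added `az keyvault secret set ... --value "$(cat client.secret)"` at @@ -135 both expand the new client secret into a command-line argument, so it shows up in the process list and in any shell trace the action emits; the neighbouring `aes-keys` line already does the same, so this is not new in kind, but the Azure line can read the file directly: `az keyvault secret set --vault-name ${{ secrets.AZURE_VAULT_NAME }} --name client-secret --file client.secret > /dev/null`. Neither hunk shows where `client.secret` is produced; presumably an earlier step writes it in place of the old `daps.cert`/`daps.key`, but if that step was not updated both `cat` calls fail silently and an empty secret is seeded, because neither command aborts on a missing file.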
@@ -50,12 +50,6 @@ home: https://github.com/eclipse-tractusx/tractusx-edc/tree/main/charts/tractusx sources: - https://github.com/eclipse-tractusx/tractusx-edc/tree/main/charts/tractusx-connector dependencies: - # IDS Dynamic Attribute Provisioning Service (IAM) - - name: daps - version: 0.0.1 - repository: "file://./subcharts/omejdn" - alias: daps - condition: install.daps # PostgreSQL - name: postgresql alias: postgresql diff --git a/charts/tractusx-connector-azure-vault/README.md b/charts/tractusx-connector-azure-vault/README.md index 7802c057f..22fd29a2a 100644 --- a/charts/tractusx-connector-azure-vault/README.md +++ b/charts/tractusx-connector-azure-vault/README.md @@ -50,13 +50,12 @@ Note that `DAPS_CERT` contains the x509 certificate, `DAPS_KEY` contains the pri ## Source Code - +* ## Requirements | Repository | Name | Version | |------------|------|---------| -| file://./subcharts/omejdn | daps(daps) | 0.0.1 | | https://charts.bitnami.com/bitnami | postgresql(postgresql) | 12.1.6 | ## Values 
@@ -161,20 +160,17 @@ Note that `DAPS_CERT` contains the x509 certificate, `DAPS_KEY` contains the pri | controlplane.securityContext.runAsUser | int | `10001` | The container's process will run with the specified uid | | controlplane.service.annotations | object | `{}` | | | controlplane.service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. | +| controlplane.ssi.endpoint.audience | string | `"http://this.audience"` | | +| controlplane.ssi.miw.authorityId | string | `""` | | +| controlplane.ssi.miw.url | string | `""` | | +| controlplane.ssi.oauth.client.id | string | `""` | | +| controlplane.ssi.oauth.client.secretAlias | string | `"client-secret"` | | +| controlplane.ssi.oauth.tokenurl | string | `""` | | | controlplane.tolerations | list | `[]` | | | controlplane.url.ids | string | `""` | Explicitly declared url for reaching the ids api (e.g. 
if ingresses not used) | | controlplane.volumeMounts | list | `[]` | declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container | | controlplane.volumes | list | `[]` | [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories | | customLabels | object | `{}` | | -| daps.clientId | string | `""` | | -| daps.connectors[0].attributes.referringConnector | string | `"http://sokrates-controlplane/BPNSOKRATES"` | | -| daps.connectors[0].certificate | string | `""` | | -| daps.connectors[0].id | string | `"E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65:keyid:E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65"` | | -| daps.connectors[0].name | string | `"sokrates"` | | -| daps.fullnameOverride | string | `"daps"` | | -| daps.paths.jwks | string | `"/jwks.json"` | | -| daps.paths.token | string | `"/token"` | | -| daps.url | string | `""` | | | dataplane.affinity | object | `{}` | | | dataplane.autoscaling.enabled | bool | `false` | Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) | | dataplane.autoscaling.maxReplicas | int | `100` | Maximum replicas if resource consumption exceeds resource threshholds | 
@@ -255,9 +251,7 @@ Note that `DAPS_CERT` contains the x509 certificate, `DAPS_KEY` contains the pri | dataplane.volumeMounts | list | `[]` | declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container | | dataplane.volumes | list | `[]` | [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories | | fullnameOverride | string | `""` | | -| idsdaps.connectors[0].certificate | string | `""` | | | imagePullSecrets | list | `[]` | Existing image pull secret to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) | -| install.daps | bool | `true` | | | install.postgresql | bool | `true` | | | nameOverride | string | `""` | | | participant.id | string | `""` | | 
@@ -265,24 +259,23 @@ Note that `DAPS_CERT` contains the x509 certificate, `DAPS_KEY` contains the pri | postgresql.auth.password | string | `"password"` | | | postgresql.auth.username | string | `"user"` | | | postgresql.enabled | bool | `false` | | -| postgresql.fullnameOverride | string | `"postgresql"` | | -| postgresql.jdbcUrl | string | `""` | | +| postgresql.jdbcUrl | string | `"jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc"` | | | postgresql.primary.persistence | string | `nil` | | | postgresql.readReplicas.persistence.enabled | bool | `false` | | | serviceAccount.annotations | object | `{}` | | | serviceAccount.create | bool | `true` | | | serviceAccount.imagePullSecrets | list | `[]` | Existing image pull secret bound to the service account to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) | | serviceAccount.name | string | `""` | | +| tests | object | `{"hookDeletePolicy":"before-hook-creation,hook-succeeded"}` | Configurations for Helm tests | +| tests.hookDeletePolicy | string | `"before-hook-creation,hook-succeeded"` | Configure the hook-delete-policy for Helm tests | | vault.azure.certificate | string | `nil` | | | vault.azure.client | string | `""` | | | vault.azure.name | string | `""` | | | vault.azure.secret | string | `nil` | | | vault.azure.tenant | string | `""` | | -| vault.secretNames.dapsPrivateKey | string | `"daps-private-key"` | | -| vault.secretNames.dapsPublicKey | string | `"daps-public-key"` | | | vault.secretNames.transferProxyTokenEncryptionAesKey | string | `"transfer-proxy-token-encryption-aes-key"` | | -| vault.secretNames.transferProxyTokenSignerPrivateKey | string | `"transfer-proxy-token-signer-private-key"` | | -| vault.secretNames.transferProxyTokenSignerPublicKey | string | `"transfer-proxy-token-signer-public-key"` | | +| vault.secretNames.transferProxyTokenSignerPrivateKey | string | `nil` | | +| 
vault.secretNames.transferProxyTokenSignerPublicKey | string | `nil` | | ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.10.0](https://github.com/norwoodj/helm-docs/releases/v1.10.0) diff --git a/charts/tractusx-connector-azure-vault/subcharts/omejdn/README.md b/charts/tractusx-connector-azure-vault/subcharts/omejdn/README.md deleted file mode 100644 index d23a9f9fa..000000000 --- a/charts/tractusx-connector-azure-vault/subcharts/omejdn/README.md +++ /dev/null 
@@ -1,39 +0,0 @@ -# daps - -![Version: 0.4.1](https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.4.1](https://img.shields.io/badge/AppVersion-0.4.1-informational?style=flat-square) - -A Helm chart for Kubernetes - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| affinity | object | `{}` | [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) constrains which nodes the Pod can be scheduled on based on node labels. | -| automountServiceAccountToken | bool | `false` | Whether to [automount kubernetes API credentials](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server) into the pod | -| autoscaling.enabled | bool | `false` | Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) | -| autoscaling.maxReplicas | int | `100` | Maximum replicas if resource consumption exceeds resource threshholds | -| autoscaling.minReplicas | int | `1` | Minimal replicas if resource consumption falls below resource threshholds | -| autoscaling.targetCPUUtilizationPercentage | int | `80` | targetAverageUtilization of cpu provided to a pod | -| autoscaling.targetMemoryUtilizationPercentage | int | `80` | targetAverageUtilization of memory provided to a pod | -| connectors | list | `[]` | | -| fullnameOverride | string | `""` | Overrides the releases full name | -| image.pullPolicy | string | `"IfNotPresent"` | [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use | -| image.repository | string | `"ghcr.io/fraunhofer-aisec/omejdn-server"` | Which omjedn container image to use 
| -| image.tag | string | `"1.7.1"` | Overrides the image tag whose default is the chart appVersion | -| imagePullSecret.dockerconfigjson | string | `""` | Image pull secret to create to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) Note: This value needs to adhere to the [(base64 encoded) .dockerconfigjson format](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#registry-secret-existing-credentials). Furthermore, if 'imagePullSecret.dockerconfigjson' is defined, it takes precedence over 'imagePullSecrets'. | -| nameOverride | string | `""` | Overrides the charts name | -| nodeSelector | object | `{}` | [Node-Selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain the Pod to nodes with specific labels. | -| podAnnotations | object | `{}` | [Annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) added to deployed [pods](https://kubernetes.io/docs/concepts/workloads/pods/) | -| podSecurityContext | object | `{}` | | -| replicaCount | int | `1` | Specifies how many replicas of a deployed pod shall be created during the deployment Note: If horizontal pod autoscaling is enabled this setting has no effect | -| resources | object | `{}` | [Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) applied to the deployed pod | -| securityContext | object | `{}` | | -| service.port | int | `4567` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service) to expose the running application on a set of Pods as a network service. | -| service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. 
| -| serviceAccount.annotations | object | `{}` | [Annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) to add to the service account | -| serviceAccount.create | bool | `true` | Specifies whether a [service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) should be created per release | -| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the release's fullname template | -| tolerations | list | `[]` | [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) are applied to Pods to schedule onto nodes with matching taints. | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.10.0](https://github.com/norwoodj/helm-docs/releases/v1.10.0) diff --git a/charts/tractusx-connector-azure-vault/templates/deployment-controlplane.yaml b/charts/tractusx-connector-azure-vault/templates/deployment-controlplane.yaml index 2084543db..362594114 100644 --- a/charts/tractusx-connector-azure-vault/templates/deployment-controlplane.yaml +++ b/charts/tractusx-connector-azure-vault/templates/deployment-controlplane.yaml 
@@ -1,24 +1,24 @@ # -# Copyright (c) 2023 ZF Friedrichshafen AG -# Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH -# Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) -# Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# + # Copyright (c) 2023 ZF Friedrichshafen AG + # Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH + # Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) + # Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License, Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + # License for the specific language governing permissions and limitations + # under the License. + # + # SPDX-License-Identifier: Apache-2.0 + # --- apiVersion: apps/v1 
@@ -115,21 +115,21 @@ spec:
 - name: EDC_PARTICIPANT_ID
 value: {{ .Values.participant.id | required ".Values.participant.id is required" | quote }}

- ########################
- ## DAPS CONFIGURATION ##
- ########################
-
- # see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/iam/oauth2/oauth2-core
- - name: EDC_OAUTH_CLIENT_ID
- value: {{ .Values.daps.clientId | required ".Values.daps.clientId is required" | quote }}
- - name: EDC_OAUTH_PROVIDER_JWKS_URL
- value: {{ printf "%s%s" (tpl .Values.daps.url .) .Values.daps.paths.jwks }}
- - name: EDC_OAUTH_TOKEN_URL
- value: {{ printf "%s%s" (tpl .Values.daps.url .) .Values.daps.paths.token }}
- - name: EDC_OAUTH_PRIVATE_KEY_ALIAS
- value: {{ .Values.vault.secretNames.dapsPrivateKey | required ".Values.vault.secretNames.dapsPrivateKey is required" | quote }}
- - name: EDC_OAUTH_CERTIFICATE_ALIAS
- value: {{ .Values.vault.secretNames.dapsPublicKey | required ".Values.vault.secretNames.dapsPublicKey is required" | quote }}
+ ##########################
+ # SSI / MIW CONFIGURATION
+ ##########################
+ - name: "TX_SSI_MIW_URL"
+ value: {{ .Values.controlplane.ssi.miw.url }}
+ - name: "TX_SSI_MIW_AUTHORITY_ID"
+ value: {{ .Values.controlplane.ssi.miw.authorityId }}
+ - name: "TX_SSI_OAUTH_TOKEN_URL"
+ value: {{ .Values.controlplane.ssi.oauth.tokenurl }}
+ - name: "TX_SSI_OAUTH_CLIENT_ID"
+ value: {{ .Values.controlplane.ssi.oauth.client.id }}
+ - name: "TX_SSI_OAUTH_CLIENT_SECRET_ALIAS"
+ value: {{ .Values.controlplane.ssi.oauth.client.secretAlias }}
+ - name: "TX_SSI_ENDPOINT_AUDIENCE"
+ value: {{ printf "%s%s" (include "txdc.controlplane.url.protocol" .) .Values.controlplane.endpoints.protocol.path | quote }}

 #######
 # API #
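Review bot: The new `TX_SSI_*` entries render their values unquoted and without `required`, whereas the `EDC_PARTICIPANT_ID` line just above them and the DAPS block they replace both used `| required "..." | quote`. With the values.yaml defaults (`""`) these render as `value:` with nothing after it, so a release that never sets the MIW URL, token URL or client id installs cleanly and only fails at runtime, and an unquoted client id that YAML parses as a number or boolean would be rejected by the API server as a non-string env value. Suggest `value: {{ .Values.controlplane.ssi.miw.url | required ".Values.controlplane.ssi.miw.url is required" | quote }}` and the same shape for `authorityId`, `tokenurl` and `client.id`, with at least `| quote` on `secretAlias`. `TX_SSI_ENDPOINT_AUDIENCE` is derived from the protocol URL, while values.yaml and the README in this same commit introduce `controlplane.ssi.endpoint.audience` (`"http://this.audience"`) that nothing in this template reads; either consume it here or drop it from values.yaml so the two do not diverge.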
@@ -252,10 +252,14 @@ spec: # see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/control-plane/data-plane-transfer - name: "EDC_TRANSFER_PROXY_ENDPOINT" value: {{ include "txdc.dataplane.url.public" . }} + {{- if .Values.vault.secretNames.transferProxyTokenSignerPrivateKey }} - name: "EDC_TRANSFER_PROXY_TOKEN_SIGNER_PRIVATEKEY_ALIAS" value: {{ .Values.vault.secretNames.transferProxyTokenSignerPrivateKey | quote }} + {{- end }} + {{- if .Values.vault.secretNames.transferProxyTokenSignerPublicKey }} - name: "EDC_TRANSFER_PROXY_TOKEN_VERIFIER_PUBLICKEY_ALIAS" value: {{ .Values.vault.secretNames.transferProxyTokenSignerPublicKey | quote }} + {{- end }} # see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/control-plane/transfer/transfer-pull-http-dynamic-receiver diff --git a/charts/tractusx-connector-azure-vault/values.yaml b/charts/tractusx-connector-azure-vault/values.yaml index 163117b02..f9758ecaf 100644 --- a/charts/tractusx-connector-azure-vault/values.yaml +++ b/charts/tractusx-connector-azure-vault/values.yaml @@ -27,14 +27,12 @@ # Declare variables to be passed into your templates. install: - daps: true postgresql: true fullnameOverride: "" nameOverride: "" # -- Existing image pull secret to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) imagePullSecrets: [] - customLabels: {} participant: @@ -131,6 +129,18 @@ controlplane: businessPartnerValidation: log: agreementValidation: true + # SSI configuration + ssi: + miw: + url: "" + authorityId: "" + oauth: + tokenurl: "" + client: + id: "" + secretAlias: "client-secret" + endpoint: + audience: "http://this.audience" service: # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. type: ClusterIP 
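Review bot: The two new `{{- if .Values.vault.secretNames.transferProxyTokenSigner...Key }}` guards are independent, so setting only the private-key alias or only the public-key alias (both now default to empty in values.yaml) renders a control plane with a signer alias but no verifier alias or vice versa, and nothing rejects that at install time. A `fail` ahead of the first guard makes the pair all-or-nothing: `{{- if ne (empty .Values.vault.secretNames.transferProxyTokenSignerPrivateKey) (empty .Values.vault.secretNames.transferProxyTokenSignerPublicKey) }}{{ fail ".Values.vault.secretNames.transferProxyTokenSignerPrivateKey and transferProxyTokenSignerPublicKey must be set together" }}{{- end }}`. Whether the runtime tolerates one alias without the other is not visible here; the `# see extension` comment above the block could also state what the connector does when both are unset, since that is now the shipped default.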
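Review bot: The new `ssi:` block in values.yaml carries no helm-docs `# --` comments, so every `controlplane.ssi.*` row this commit adds to the README has an empty description, and `audience: "http://this.audience"` looks like a placeholder that now ships as a live default with nothing marking it as such. Suggest `# -- Vault alias under which the OAuth client secret is stored (seeded as client-secret by the deployment test)` above `secretAlias`, `# -- Base URL of the Managed Identity Wallet` above `miw.url`, and a comment on `audience` saying it is an example value to be replaced, in line with the `# --` style the surrounding keys already use.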
@@ -515,25 +525,10 @@ vault: certificate: secretNames: - transferProxyTokenSignerPrivateKey: transfer-proxy-token-signer-private-key - transferProxyTokenSignerPublicKey: transfer-proxy-token-signer-public-key + transferProxyTokenSignerPrivateKey: + transferProxyTokenSignerPublicKey: transferProxyTokenEncryptionAesKey: transfer-proxy-token-encryption-aes-key - dapsPrivateKey: daps-private-key - dapsPublicKey: daps-public-key -daps: - url: "http://{{ .Release.Name }}-daps:4567" - clientId: "" - paths: - jwks: /jwks.json - token: /token - connectors: - - id: E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65:keyid:E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65 - name: sokrates - attributes: - referringConnector: http://sokrates-controlplane/BPNSOKRATES - # Must be the same certificate that is stores in section 'sokrates-vault' - certificate: "" # must be set externally! backendService: httpProxyTokenReceiverUrl: "" serviceAccount: @@ -546,10 +541,6 @@ serviceAccount: name: "" # -- Existing image pull secret bound to the service account to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) imagePullSecrets: [] -idsdaps: - connectors: - - certificate: |- - # -- Configurations for Helm tests tests: # -- Configure the hook-delete-policy for Helm tests diff --git a/docs/samples/example-dataspace/daps/Chart.yaml b/charts/tractusx-connector-legacy/Chart.yaml similarity index 51% rename from docs/samples/example-dataspace/daps/Chart.yaml rename to charts/tractusx-connector-legacy/Chart.yaml index f0a4e6e4e..17be6d601 100644 --- a/docs/samples/example-dataspace/daps/Chart.yaml +++ b/charts/tractusx-connector-legacy/Chart.yaml 
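Review bot: `transferProxyTokenSignerPrivateKey:` and `transferProxyTokenSignerPublicKey:` are now left empty without any comment, and the README row regenerated for them shows only `nil`. Since the control-plane template in this commit emits the corresponding `EDC_TRANSFER_PROXY_TOKEN_*_ALIAS` env vars only when a value is set, a `# --` line here would tell users what leaving them empty means, e.g. `# -- Vault alias of the transfer-proxy token signer private key; when empty, EDC_TRANSFER_PROXY_TOKEN_SIGNER_PRIVATEKEY_ALIAS is not set on the control plane` and the matching line for the public key.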
@@ -1,4 +1,8 @@ -# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# Copyright (c) 2023 ZF Friedrichshafen AG +# Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH +# Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) +# Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation # # See the NOTICE file(s) distributed with this work for additional # information regarding copyright ownership. @@ -18,8 +22,16 @@ --- apiVersion: v2 -name: daps -description: A Helm chart for Kubernetes +name: tractusx-connector-legacy +deprecated: true +description: | + A Helm chart for Tractus-X Eclipse Data Space Connector. The connector deployment consists of two runtime consists of a + Control Plane and a Data Plane. Note that _no_ external dependencies such as a PostgreSQL database and HashiCorp Vault are included. + + This chart is intended for use with an _existing_ PostgreSQL database and an _existing_ HashiCorp Vault. + + Deprecation notice: this chart uses DAPS, which was replaced with an SSI solution in v0.5.0 of Tractus-X EDC and is thus deprecated. + It will not be maintained, supported or tested anymore and it will be removed in future versions. # A chart can be either an 'application' or a 'library' chart. # 
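Review bot: The new `description` reads `The connector deployment consists of two runtime consists of a Control Plane and a Data Plane`, which is garbled; `consists of two runtimes, a Control Plane and a Data Plane.` is presumably what was meant. The same paragraph states that `_no_ external dependencies such as a PostgreSQL database and HashiCorp Vault are included` and that the chart is for an existing database and vault, yet the following hunk adds `vault` (0.20.0) and `postgresql` (12.1.6) subchart dependencies gated on `install.vault` / `install.postgresql`, so one of the two statements is wrong. The new README added by this commit repeats the same text and should be corrected together with it.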
@@ -30,14 +42,34 @@ description: A Helm chart for Kubernetes
 # a dependency of application charts to inject those utilities and functions into the rendering
 # pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
-
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.1
-
+version: 0.4.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.0.1"
+appVersion: "0.4.1"
+home: https://github.com/eclipse-tractusx/tractusx-edc/tree/main/charts/tractusx-connector-legacy
+sources:
+ - https://github.com/eclipse-tractusx/tractusx-edc/tree/main/charts/tractusx-connector-legacy
+dependencies:
+ # IDS Dynamic Attribute Provisioning Service (IAM)
+ - name: daps
+ version: 0.0.1
+ repository: "file://./subcharts/omejdn"
+ alias: daps
+ condition: install.daps
+ # HashiCorp Vault
+ - name: vault
+ alias: vault
+ version: 0.20.0
+ repository: https://helm.releases.hashicorp.com
+ condition: install.vault
+ # PostgreSQL
+ - name: postgresql
+ alias: postgresql
+ version: 12.1.6
+ repository: https://charts.bitnami.com/bitnami
+ condition: install.postgresql
diff --git a/charts/tractusx-connector-legacy/README.md b/charts/tractusx-connector-legacy/README.md
new file mode 100644
index 000000000..e96ca60ea
--- /dev/null
+++ b/charts/tractusx-connector-legacy/README.md
@@ -0,0 +1,298 @@ +# tractusx-connector-legacy + +> **:exclamation: This Helm Chart is deprecated!** + +![Version: 0.4.1](https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.4.1](https://img.shields.io/badge/AppVersion-0.4.1-informational?style=flat-square) + +A Helm chart for Tractus-X Eclipse Data Space Connector. The connector deployment consists of two runtime consists of a +Control Plane and a Data Plane. Note that _no_ external dependencies such as a PostgreSQL database and HashiCorp Vault are included. + +This chart is intended for use with an _existing_ PostgreSQL database and an _existing_ HashiCorp Vault. + +Deprecation notice: this chart uses DAPS, which was replaced with an SSI solution in v0.5.0 of Tractus-X EDC and is thus deprecated. +It will not be maintained, supported or tested anymore and it will be removed in future versions. + +**Homepage:** + +This chart uses Hashicorp Vault, which is expected to contain the following secrets on application start: + +- `daps-cert`: contains the x509 certificate of the connector. +- `daps-key`: the private key of the x509 certificate +- `aes-keys`: a 128bit, 256bit or 512bit string used to encrypt data. Must be stored in base64 format. + +These must be obtained from a DAPS instance, the process of which is out of the scope of this document. 
Alternatively, +self-signed certificates can be used for testing: + +```shell +openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout daps.key -out daps.cert -subj "/CN=test" +export DAPS_KEY="$(cat daps.key)" +export DAPS_CERT="$(cat daps.cert)" +``` + +## Launching the application + +The following requirements must be met before launching the application: + +- Write access to a HashiCorp Vault instance is required to run this chart +- Secrets are seeded in advance + +Please also consider using [this example configuration](https://github.com/eclipse-tractusx/tractusx-edc/blob/main/edc-tests/deployment/src/main/resources/helm/tractusx-connector-test.yaml) +to launch the application. +Combined, run this shell command to start the in-memory Tractus-X EDC runtime: + +```shell +helm repo add tractusx-edc https://eclipse-tractusx.github.io/charts/dev +helm install my-release tractusx-edc/tractusx-connector --version 0.4.1 \ + -f /tractusx-connector-test.yaml +``` + +## Source Code + +* + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| file://./subcharts/omejdn | daps(daps) | 0.0.1 | +| https://charts.bitnami.com/bitnami | postgresql(postgresql) | 12.1.6 | +| https://helm.releases.hashicorp.com | vault(vault) | 0.20.0 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| backendService.httpProxyTokenReceiverUrl | string | `""` | | +| controlplane.affinity | object | `{}` | | +| controlplane.autoscaling.enabled | bool | `false` | Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) | +| controlplane.autoscaling.maxReplicas | int | `100` | Maximum replicas if resource consumption exceeds resource threshholds | +| controlplane.autoscaling.minReplicas | int | `1` | Minimal replicas if resource consumption falls below resource threshholds | +| 
controlplane.autoscaling.targetCPUUtilizationPercentage | int | `80` | targetAverageUtilization of cpu provided to a pod | +| controlplane.autoscaling.targetMemoryUtilizationPercentage | int | `80` | targetAverageUtilization of memory provided to a pod | +| controlplane.businessPartnerValidation.log.agreementValidation | bool | `true` | | +| controlplane.debug.enabled | bool | `false` | | +| controlplane.debug.port | int | `1044` | | +| controlplane.debug.suspendOnStart | bool | `false` | | +| controlplane.endpoints | object | `{"control":{"path":"/control","port":8083},"default":{"path":"/api","port":8080},"management":{"authKey":"","path":"/management","port":8081},"metrics":{"path":"/metrics","port":9090},"observability":{"insecure":true,"path":"/observability","port":8085},"protocol":{"path":"/api/v1/dsp","port":8084}}` | endpoints of the control plane | +| controlplane.endpoints.control | object | `{"path":"/control","port":8083}` | control api, used for internal control calls. can be added to the internal ingress, but should probably not | +| controlplane.endpoints.control.path | string | `"/control"` | path for incoming api calls | +| controlplane.endpoints.control.port | int | `8083` | port for incoming api calls | +| controlplane.endpoints.default | object | `{"path":"/api","port":8080}` | default api for health checks, should not be added to any ingress | +| controlplane.endpoints.default.path | string | `"/api"` | path for incoming api calls | +| controlplane.endpoints.default.port | int | `8080` | port for incoming api calls | +| controlplane.endpoints.management | object | `{"authKey":"","path":"/management","port":8081}` | data management api, used by internal users, can be added to an ingress and must not be internet facing | +| controlplane.endpoints.management.authKey | string | `""` | authentication key, must be attached to each 'X-Api-Key' request header | +| controlplane.endpoints.management.path | string | `"/management"` | path for incoming 
api calls | +| controlplane.endpoints.management.port | int | `8081` | port for incoming api calls | +| controlplane.endpoints.metrics | object | `{"path":"/metrics","port":9090}` | metrics api, used for application metrics, must not be internet facing | +| controlplane.endpoints.metrics.path | string | `"/metrics"` | path for incoming api calls | +| controlplane.endpoints.metrics.port | int | `9090` | port for incoming api calls | +| controlplane.endpoints.observability | object | `{"insecure":true,"path":"/observability","port":8085}` | observability api with unsecured access, must not be internet facing | +| controlplane.endpoints.observability.insecure | bool | `true` | allow or disallow insecure access, i.e. access without authentication | +| controlplane.endpoints.observability.path | string | `"/observability"` | observability api, provides /health /readiness and /liveness endpoints | +| controlplane.endpoints.observability.port | int | `8085` | port for incoming API calls | +| controlplane.endpoints.protocol | object | `{"path":"/api/v1/dsp","port":8084}` | ids api, used for inter connector communication and must be internet facing | +| controlplane.endpoints.protocol.path | string | `"/api/v1/dsp"` | path for incoming api calls | +| controlplane.endpoints.protocol.port | int | `8084` | port for incoming api calls | +| controlplane.env | object | `{}` | | +| controlplane.envConfigMapNames | list | `[]` | | +| controlplane.envSecretNames | list | `[]` | | +| controlplane.envValueFrom | object | `{}` | | +| controlplane.image.pullPolicy | string | `"IfNotPresent"` | [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use | +| controlplane.image.repository | string | `""` | Which derivate of the control plane to use. 
when left empty the deployment will select the correct image automatically | +| controlplane.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion | +| controlplane.ingresses[0].annotations | object | `{}` | Additional ingress annotations to add | +| controlplane.ingresses[0].certManager.clusterIssuer | string | `""` | If preset enables certificate generation via cert-manager cluster-wide issuer | +| controlplane.ingresses[0].certManager.issuer | string | `""` | If preset enables certificate generation via cert-manager namespace scoped issuer | +| controlplane.ingresses[0].className | string | `""` | Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use | +| controlplane.ingresses[0].enabled | bool | `false` | | +| controlplane.ingresses[0].endpoints | list | `["protocol"]` | EDC endpoints exposed by this ingress resource | +| controlplane.ingresses[0].hostname | string | `"edc-control.local"` | The hostname to be used to precisely map incoming traffic onto the underlying network service | +| controlplane.ingresses[0].tls | object | `{"enabled":false,"secretName":""}` | TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource | +| controlplane.ingresses[0].tls.enabled | bool | `false` | Enables TLS on the ingress resource | +| controlplane.ingresses[0].tls.secretName | string | `""` | If present overwrites the default secret name | +| controlplane.ingresses[1].annotations | object | `{}` | Additional ingress annotations to add | +| controlplane.ingresses[1].certManager.clusterIssuer | string | `""` | If preset enables certificate generation via cert-manager cluster-wide issuer | +| controlplane.ingresses[1].certManager.issuer | string | `""` | If preset enables certificate generation via cert-manager namespace scoped issuer | +| controlplane.ingresses[1].className | string | `""` | Defines the [ingress 
class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use | +| controlplane.ingresses[1].enabled | bool | `false` | | +| controlplane.ingresses[1].endpoints | list | `["management","control"]` | EDC endpoints exposed by this ingress resource | +| controlplane.ingresses[1].hostname | string | `"edc-control.intranet"` | The hostname to be used to precisely map incoming traffic onto the underlying network service | +| controlplane.ingresses[1].tls | object | `{"enabled":false,"secretName":""}` | TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource | +| controlplane.ingresses[1].tls.enabled | bool | `false` | Enables TLS on the ingress resource | +| controlplane.ingresses[1].tls.secretName | string | `""` | If present overwrites the default secret name | +| controlplane.initContainers | list | `[]` | | +| controlplane.internationalDataSpaces.catalogId | string | `"TXDC-Catalog"` | | +| controlplane.internationalDataSpaces.curator | string | `""` | | +| controlplane.internationalDataSpaces.description | string | `"Tractus-X Eclipse IDS Data Space Connector"` | | +| controlplane.internationalDataSpaces.id | string | `"TXDC"` | | +| controlplane.internationalDataSpaces.maintainer | string | `""` | | +| controlplane.internationalDataSpaces.title | string | `""` | | +| controlplane.livenessProbe.enabled | bool | `true` | Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) | +| controlplane.livenessProbe.failureThreshold | int | `6` | when a probe fails kubernetes will try 6 times before giving up | +| controlplane.livenessProbe.initialDelaySeconds | int | `30` | seconds to wait before performing the first liveness check | +| controlplane.livenessProbe.periodSeconds | int | `10` | this fields specifies that kubernetes should perform a liveness check every 10 seconds | +| 
controlplane.livenessProbe.successThreshold | int | `1` | number of consecutive successes for the probe to be considered successful after having failed | +| controlplane.livenessProbe.timeoutSeconds | int | `5` | number of seconds after which the probe times out | +| controlplane.logging | string | `".level=INFO\norg.eclipse.edc.level=ALL\nhandlers=java.util.logging.ConsoleHandler\njava.util.logging.ConsoleHandler.formatter=java.util.logging.SimpleFormatter\njava.util.logging.ConsoleHandler.level=ALL\njava.util.logging.SimpleFormatter.format=[%1$tY-%1$tm-%1$td %1$tH:%1$tM:%1$tS] [%4$-7s] %5$s%6$s%n"` | configuration of the [Java Util Logging Facade](https://docs.oracle.com/javase/7/docs/technotes/guides/logging/overview.html) | +| controlplane.nodeSelector | object | `{}` | | +| controlplane.opentelemetry | string | `"otel.javaagent.enabled=false\notel.javaagent.debug=false"` | configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics | +| controlplane.podAnnotations | object | `{}` | additional annotations for the pod | +| controlplane.podLabels | object | `{}` | additional labels for the pod | +| controlplane.podSecurityContext | object | `{"fsGroup":10001,"runAsGroup":10001,"runAsUser":10001,"seccompProfile":{"type":"RuntimeDefault"}}` | The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment | +| controlplane.podSecurityContext.fsGroup | int | `10001` | The owner for volumes and any files created within volumes will belong to this guid | +| controlplane.podSecurityContext.runAsGroup | int | `10001` | Processes within a pod will belong to this guid | +| controlplane.podSecurityContext.runAsUser | int | `10001` | Runs all processes within a pod with a special uid | +| 
controlplane.podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | Restrict a Container's Syscalls with seccomp | +| controlplane.readinessProbe.enabled | bool | `true` | Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) | +| controlplane.readinessProbe.failureThreshold | int | `6` | when a probe fails kubernetes will try 6 times before giving up | +| controlplane.readinessProbe.initialDelaySeconds | int | `30` | seconds to wait before performing the first readiness check | +| controlplane.readinessProbe.periodSeconds | int | `10` | this fields specifies that kubernetes should perform a readiness check every 10 seconds | +| controlplane.readinessProbe.successThreshold | int | `1` | number of consecutive successes for the probe to be considered successful after having failed | +| controlplane.readinessProbe.timeoutSeconds | int | `5` | number of seconds after which the probe times out | +| controlplane.replicaCount | int | `1` | | +| controlplane.resources | object | `{}` | [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container | +| controlplane.securityContext.allowPrivilegeEscalation | bool | `false` | Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID | +| controlplane.securityContext.capabilities.add | list | `[]` | Specifies which capabilities to add to issue specialized syscalls | +| controlplane.securityContext.capabilities.drop | list | `["ALL"]` | Specifies which capabilities to drop to reduce syscall attack surface | +| controlplane.securityContext.readOnlyRootFilesystem | bool | `true` | Whether the root filesystem is mounted in read-only mode | +| controlplane.securityContext.runAsNonRoot | bool | `true` | Requires the container to run without root 
privileges | +| controlplane.securityContext.runAsUser | int | `10001` | The container's process will run with the specified uid | +| controlplane.service.annotations | object | `{}` | | +| controlplane.service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. | +| controlplane.tolerations | list | `[]` | | +| controlplane.url.ids | string | `""` | Explicitly declared url for reaching the ids api (e.g. if ingresses not used) | +| controlplane.volumeMounts | list | `[]` | declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container | +| controlplane.volumes | list | `[]` | [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories | +| customLabels | object | `{}` | | +| daps.clientId | string | `""` | | +| daps.connectors[0].attributes.referringConnector | string | `"http://sokrates-controlplane/BPNSOKRATES"` | | +| daps.connectors[0].certificate | string | `""` | | +| daps.connectors[0].id | string | `"E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65:keyid:E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65"` | | +| daps.connectors[0].name | string | `"sokrates"` | | +| daps.paths.jwks | string | `"/jwks.json"` | | +| daps.paths.token | string | `"/token"` | | +| daps.url | string | `"http://{{ .Release.Name }}-daps:4567"` | | +| dataplane.affinity | object | `{}` | | +| dataplane.autoscaling.enabled | bool | `false` | Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) | +| dataplane.autoscaling.maxReplicas | int | `100` | Maximum replicas if resource consumption exceeds resource threshholds | +| dataplane.autoscaling.minReplicas | int | `1` | Minimal replicas if resource consumption 
falls below resource threshholds | +| dataplane.autoscaling.targetCPUUtilizationPercentage | int | `80` | targetAverageUtilization of cpu provided to a pod | +| dataplane.autoscaling.targetMemoryUtilizationPercentage | int | `80` | targetAverageUtilization of memory provided to a pod | +| dataplane.aws.accessKeyId | string | `""` | | +| dataplane.aws.endpointOverride | string | `""` | | +| dataplane.aws.secretAccessKey | string | `""` | | +| dataplane.debug.enabled | bool | `false` | | +| dataplane.debug.port | int | `1044` | | +| dataplane.debug.suspendOnStart | bool | `false` | | +| dataplane.endpoints.control.path | string | `"/api/dataplane/control"` | | +| dataplane.endpoints.control.port | int | `8083` | | +| dataplane.endpoints.default.path | string | `"/api"` | | +| dataplane.endpoints.default.port | int | `8080` | | +| dataplane.endpoints.metrics.path | string | `"/metrics"` | | +| dataplane.endpoints.metrics.port | int | `9090` | | +| dataplane.endpoints.observability.insecure | bool | `true` | allow or disallow insecure access, i.e. 
access without authentication | +| dataplane.endpoints.observability.path | string | `"/observability"` | observability api, provides /health /readiness and /liveness endpoints | +| dataplane.endpoints.observability.port | int | `8085` | port for incoming API calls | +| dataplane.endpoints.proxy.path | string | `"/proxy"` | | +| dataplane.endpoints.proxy.port | int | `8186` | | +| dataplane.endpoints.public.path | string | `"/api/public"` | | +| dataplane.endpoints.public.port | int | `8081` | | +| dataplane.env | object | `{}` | | +| dataplane.envConfigMapNames | list | `[]` | | +| dataplane.envSecretNames | list | `[]` | | +| dataplane.envValueFrom | object | `{}` | | +| dataplane.image.pullPolicy | string | `"IfNotPresent"` | [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use | +| dataplane.image.repository | string | `""` | Which derivate of the data plane to use. when left empty the deployment will select the correct image automatically | +| dataplane.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion | +| dataplane.ingresses[0].annotations | object | `{}` | Additional ingress annotations to add | +| dataplane.ingresses[0].certManager.clusterIssuer | string | `""` | If preset enables certificate generation via cert-manager cluster-wide issuer | +| dataplane.ingresses[0].certManager.issuer | string | `""` | If preset enables certificate generation via cert-manager namespace scoped issuer | +| dataplane.ingresses[0].className | string | `""` | Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use | +| dataplane.ingresses[0].enabled | bool | `false` | | +| dataplane.ingresses[0].endpoints | list | `["public"]` | EDC endpoints exposed by this ingress resource | +| dataplane.ingresses[0].hostname | string | `"edc-data.local"` | The hostname to be used to precisely map incoming traffic onto the underlying 
network service | +| dataplane.ingresses[0].tls | object | `{"enabled":false,"secretName":""}` | TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource | +| dataplane.ingresses[0].tls.enabled | bool | `false` | Enables TLS on the ingress resource | +| dataplane.ingresses[0].tls.secretName | string | `""` | If present overwrites the default secret name | +| dataplane.initContainers | list | `[]` | | +| dataplane.livenessProbe.enabled | bool | `true` | Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) | +| dataplane.livenessProbe.failureThreshold | int | `6` | when a probe fails kubernetes will try 6 times before giving up | +| dataplane.livenessProbe.initialDelaySeconds | int | `30` | seconds to wait before performing the first liveness check | +| dataplane.livenessProbe.periodSeconds | int | `10` | this fields specifies that kubernetes should perform a liveness check every 10 seconds | +| dataplane.livenessProbe.successThreshold | int | `1` | number of consecutive successes for the probe to be considered successful after having failed | +| dataplane.livenessProbe.timeoutSeconds | int | `5` | number of seconds after which the probe times out | +| dataplane.logging | string | `".level=INFO\norg.eclipse.edc.level=ALL\nhandlers=java.util.logging.ConsoleHandler\njava.util.logging.ConsoleHandler.formatter=java.util.logging.SimpleFormatter\njava.util.logging.ConsoleHandler.level=ALL\njava.util.logging.SimpleFormatter.format=[%1$tY-%1$tm-%1$td %1$tH:%1$tM:%1$tS] [%4$-7s] %5$s%6$s%n"` | configuration of the [Java Util Logging Facade](https://docs.oracle.com/javase/7/docs/technotes/guides/logging/overview.html) | +| dataplane.nodeSelector | object | `{}` | | +| dataplane.opentelemetry | string | `"otel.javaagent.enabled=false\notel.javaagent.debug=false"` | configuration of the [Open Telemetry 
Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics | +| dataplane.podAnnotations | object | `{}` | additional annotations for the pod | +| dataplane.podLabels | object | `{}` | additional labels for the pod | +| dataplane.podSecurityContext | object | `{"fsGroup":10001,"runAsGroup":10001,"runAsUser":10001,"seccompProfile":{"type":"RuntimeDefault"}}` | The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment | +| dataplane.podSecurityContext.fsGroup | int | `10001` | The owner for volumes and any files created within volumes will belong to this guid | +| dataplane.podSecurityContext.runAsGroup | int | `10001` | Processes within a pod will belong to this guid | +| dataplane.podSecurityContext.runAsUser | int | `10001` | Runs all processes within a pod with a special uid | +| dataplane.podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | Restrict a Container's Syscalls with seccomp | +| dataplane.readinessProbe.enabled | bool | `true` | Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) | +| dataplane.readinessProbe.failureThreshold | int | `6` | when a probe fails kubernetes will try 6 times before giving up | +| dataplane.readinessProbe.initialDelaySeconds | int | `30` | seconds to wait before performing the first readiness check | +| dataplane.readinessProbe.periodSeconds | int | `10` | this fields specifies that kubernetes should perform a liveness check every 10 seconds | +| dataplane.readinessProbe.successThreshold | int | `1` | number of consecutive successes for the probe to be considered successful after having failed | +| dataplane.readinessProbe.timeoutSeconds | int | `5` | number of seconds after which the probe times out | 
+| dataplane.replicaCount | int | `1` | | +| dataplane.resources | object | `{}` | [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container | +| dataplane.securityContext.allowPrivilegeEscalation | bool | `false` | Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID | +| dataplane.securityContext.capabilities.add | list | `[]` | Specifies which capabilities to add to issue specialized syscalls | +| dataplane.securityContext.capabilities.drop | list | `["ALL"]` | Specifies which capabilities to drop to reduce syscall attack surface | +| dataplane.securityContext.readOnlyRootFilesystem | bool | `true` | Whether the root filesystem is mounted in read-only mode | +| dataplane.securityContext.runAsNonRoot | bool | `true` | Requires the container to run without root privileges | +| dataplane.securityContext.runAsUser | int | `10001` | The container's process will run with the specified uid | +| dataplane.service.port | int | `80` | | +| dataplane.service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. | +| dataplane.tolerations | list | `[]` | | +| dataplane.url.public | string | `""` | Explicitly declared url for reaching the public api (e.g. 
if ingresses not used) | +| dataplane.volumeMounts | list | `[]` | declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container | +| dataplane.volumes | list | `[]` | [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories | +| fullnameOverride | string | `""` | | +| idsdaps.connectors[0].certificate | string | `""` | | +| imagePullSecrets | list | `[]` | Existing image pull secret to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) | +| install.daps | bool | `true` | | +| install.postgresql | bool | `true` | | +| install.vault | bool | `true` | | +| nameOverride | string | `""` | | +| networkPolicy.controlplane | object | `{"from":[{"namespaceSelector":{}}]}` | Configuration of the controlplane component | +| networkPolicy.controlplane.from | list | `[{"namespaceSelector":{}}]` | Specify from rule network policy for cp (defaults to all namespaces) | +| networkPolicy.dataplane | object | `{"from":[{"namespaceSelector":{}}]}` | Configuration of the dataplane component | +| networkPolicy.dataplane.from | list | `[{"namespaceSelector":{}}]` | Specify from rule network policy for dp (defaults to all namespaces) | +| networkPolicy.enabled | bool | `false` | If `true` network policy will be created to restrict access to control- and dataplane | +| participant.id | string | `""` | | +| postgresql.auth.database | string | `"edc"` | | +| postgresql.auth.password | string | `"password"` | | +| postgresql.auth.username | string | `"user"` | | +| postgresql.jdbcUrl | string | `"jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc"` | | +| postgresql.primary.persistence.enabled | bool | `false` | | +| postgresql.readReplicas.persistence.enabled | bool | `false` | | +| serviceAccount.annotations | object | `{}` | | +| serviceAccount.create | bool | `true` | | +| serviceAccount.imagePullSecrets | list | `[]` | Existing 
image pull secret bound to the service account to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) | +| serviceAccount.name | string | `""` | | +| tests | object | `{"hookDeletePolicy":"before-hook-creation,hook-succeeded"}` | Configurations for Helm tests | +| tests.hookDeletePolicy | string | `"before-hook-creation,hook-succeeded"` | Configure the hook-delete-policy for Helm tests | +| vault.hashicorp.healthCheck.enabled | bool | `true` | | +| vault.hashicorp.healthCheck.standbyOk | bool | `true` | | +| vault.hashicorp.paths.health | string | `"/v1/sys/health"` | | +| vault.hashicorp.paths.secret | string | `"/v1/secret"` | | +| vault.hashicorp.timeout | int | `30` | | +| vault.hashicorp.token | string | `""` | | +| vault.hashicorp.url | string | `"http://{{ .Release.Name }}-vault:8200"` | | +| vault.injector.enabled | bool | `false` | | +| vault.secretNames.dapsPrivateKey | string | `"daps-private-key"` | | +| vault.secretNames.dapsPublicKey | string | `"daps-public-key"` | | +| vault.secretNames.transferProxyTokenEncryptionAesKey | string | `"transfer-proxy-token-encryption-aes-key"` | | +| vault.secretNames.transferProxyTokenSignerPrivateKey | string | `"transfer-proxy-token-signer-private-key"` | | +| vault.secretNames.transferProxyTokenSignerPublicKey | string | `"transfer-proxy-token-signer-public-key"` | | +| vault.server.dev.devRootToken | string | `"root"` | | +| vault.server.dev.enabled | bool | `true` | | +| vault.server.postStart | string | `nil` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.10.0](https://github.com/norwoodj/helm-docs/releases/v1.10.0) diff --git a/charts/tractusx-connector-legacy/README.md.gotmpl b/charts/tractusx-connector-legacy/README.md.gotmpl new file mode 100644 index 000000000..210216e6c --- /dev/null +++ b/charts/tractusx-connector-legacy/README.md.gotmpl 
@@ -0,0 +1,51 @@
+{{ template "chart.header" . }}
+
+{{ template "chart.deprecationWarning" . }}
+
+{{ template "chart.badgesSection" . }}
+
+{{ template "chart.description" . }}
+
+{{ template "chart.homepageLine" . }}
+
+This chart uses Hashicorp Vault, which is expected to contain the following secrets on application start:
+
+- `daps-cert`: contains the x509 certificate of the connector.
+- `daps-key`: the private key of the x509 certificate
+- `aes-keys`: a 128bit, 256bit or 512bit string used to encrypt data. Must be stored in base64 format.
+
+These must be obtained from a DAPS instance, the process of which is out of the scope of this document. Alternatively,
+self-signed certificates can be used for testing:
+
+```shell
+openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout daps.key -out daps.cert -subj "/CN=test"
+export DAPS_KEY="$(cat daps.key)"
+export DAPS_CERT="$(cat daps.cert)"
+```
+
+## Launching the application
+
+The following requirements must be met before launching the application:
+
+- Write access to a HashiCorp Vault instance is required to run this chart
+- Secrets are seeded in advance
+
+Please also consider using [this example configuration](https://github.com/eclipse-tractusx/tractusx-edc/blob/main/edc-tests/deployment/src/main/resources/helm/tractusx-connector-test.yaml)
+to launch the application.
+Combined, run this shell command to start the in-memory Tractus-X EDC runtime:
+
+```shell
+helm repo add tractusx-edc https://eclipse-tractusx.github.io/charts/dev
+helm install my-release tractusx-edc/tractusx-connector --version {{ .Version }} \
+ -f /tractusx-connector-test.yaml
+```
+
+{{ template "chart.maintainersSection" . }}
+
+{{ template "chart.sourcesSection" . }}
+
+{{ template "chart.requirementsSection" . }}
+
+{{ template "chart.valuesSection" . }}
+
+{{ template "helm-docs.versionFooter" . }}
diff --git a/charts/tractusx-connector-legacy/example.values.yaml b/charts/tractusx-connector-legacy/example.values.yaml
new file mode 100644
index 000000000..d2b082afa
--- /dev/null
+++ b/charts/tractusx-connector-legacy/example.values.yaml
@@ -0,0 +1,97 @@
+#
+# Copyright (c) 2023 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+fullnameOverride: tx-prod
+################################
+# EDC ControlPlane + DataPlane #
+################################
+participant:
+ id: "test-participant"
+controlplane:
+ service:
+ type: NodePort
+ endpoints:
+ management:
+ authKey: password
+ image:
+ pullPolicy: Never
+ tag: "latest"
+ repository: "edc-controlplane-postgresql-hashicorp-vault-legacy"
+ securityContext:
+ # avoids some errors in the log: cannot write temp files of large multipart requests when R/O
+ readOnlyRootFilesystem: false
+dataplane:
+ image:
+ pullPolicy: Never
+ tag: "latest"
+ repository: "edc-dataplane-hashicorp-vault"
+ securityContext:
+ # avoids some errors in the log: cannot write temp files of large multipart requests when R/O
+ readOnlyRootFilesystem: false
+ aws:
+ endpointOverride: http://minio:9000
+ secretAccessKey: qwerty123
+ accessKeyId: qwerty123
+postgresql:
+ jdbcUrl: jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc
+ auth:
+ username: user
+ password: password
+vault:
+ hashicorp:
+ url: http://{{ .Release.Name }}-vault:8200
+ token: root
+ secretNames:
+ transferProxyTokenSignerPublicKey: daps-crt
+ transferProxyTokenSignerPrivateKey: daps-key
+ transferProxyTokenEncryptionAesKey: aes-keys
+ dapsPrivateKey: daps-key
+ dapsPublicKey: daps-crt
+ server:
+ postStart:
+ - sh
+ - -c
+ - |-
+ {
+ sleep 5
+
+ cat << EOF | /bin/vault kv put secret/daps-crt content=-
+ <<< ENTER CERTIFICATE CONTENT HERE!!! >>>
+ EOF
+
+
+ cat << EOF | /bin/vault kv put secret/daps-key content=-
+ <<< ENTER PRIVATE KEY CONTENT HERE !!! >>>
+ EOF
+
+
+ /bin/vault kv put secret/aes-keys content=YWVzX2VuY2tleV90ZXN0Cg==
+
+ }
+daps:
+ url: "http://{{ .Release.Name }}-daps:4567"
+ clientId: "E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65:keyid:E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65"
+backendService:
+ httpProxyTokenReceiverUrl: "http://backend:8080"
+tests:
+ hookDeletePolicy: before-hook-creation
+idsdaps:
+ connectors:
+ - certificate: |-
+ <<< ENTER CERTIFICATE CONTENT HERE!!! >>>
diff --git a/charts/tractusx-connector-azure-vault/subcharts/omejdn/.helmignore b/charts/tractusx-connector-legacy/subcharts/omejdn/.helmignore
similarity index 100%
rename from charts/tractusx-connector-azure-vault/subcharts/omejdn/.helmignore
rename to charts/tractusx-connector-legacy/subcharts/omejdn/.helmignore
diff --git a/charts/tractusx-connector-azure-vault/subcharts/omejdn/Chart.yaml b/charts/tractusx-connector-legacy/subcharts/omejdn/Chart.yaml
similarity index 100%
rename from charts/tractusx-connector-azure-vault/subcharts/omejdn/Chart.yaml
rename to charts/tractusx-connector-legacy/subcharts/omejdn/Chart.yaml
diff --git a/docs/samples/example-dataspace/daps/README.md b/charts/tractusx-connector-legacy/subcharts/omejdn/README.md
similarity index 100%
rename from docs/samples/example-dataspace/daps/README.md
rename to charts/tractusx-connector-legacy/subcharts/omejdn/README.md
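Review bot: This example ships live-looking credentials with no marker that they are test-only — `authKey: password`, `token: root`, `secretAccessKey: qwerty123`, `postgresql.auth.password: password` — and the vault `postStart` hook writes whatever stands in the heredocs into `secret/daps-crt` and `secret/daps-key`, so a copy that still contains `<<< ENTER CERTIFICATE CONTENT HERE!!! >>>` seeds the vault with the placeholder text and only fails later at the first DAPS/TLS use. A header comment after the license block would make the intent explicit: `# Example values for a local test deployment only: every password, token and key below is a well-known placeholder; replace all <<< ... >>> markers and credentials before using this file anywhere shared.` The `aes-keys` value is likewise a fixed base64 test key and deserves the same note inline. Separately, the secret names here (`daps-crt`) differ from the `daps-cert` that the new README.md.gotmpl earlier in this commit tells operators to create, so one of the two should be aligned.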
diff --git a/charts/tractusx-connector-azure-vault/subcharts/omejdn/templates/_helpers.tpl b/charts/tractusx-connector-legacy/subcharts/omejdn/templates/_helpers.tpl
similarity index 100%
rename from charts/tractusx-connector-azure-vault/subcharts/omejdn/templates/_helpers.tpl
rename to charts/tractusx-connector-legacy/subcharts/omejdn/templates/_helpers.tpl
diff --git a/charts/tractusx-connector-azure-vault/subcharts/omejdn/templates/configmap.yaml b/charts/tractusx-connector-legacy/subcharts/omejdn/templates/configmap.yaml
similarity index 100%
rename from charts/tractusx-connector-azure-vault/subcharts/omejdn/templates/configmap.yaml
rename to charts/tractusx-connector-legacy/subcharts/omejdn/templates/configmap.yaml
diff --git a/charts/tractusx-connector-azure-vault/subcharts/omejdn/templates/deployment.yaml b/charts/tractusx-connector-legacy/subcharts/omejdn/templates/deployment.yaml
similarity index 100%
rename from charts/tractusx-connector-azure-vault/subcharts/omejdn/templates/deployment.yaml
rename to charts/tractusx-connector-legacy/subcharts/omejdn/templates/deployment.yaml
diff --git a/charts/tractusx-connector-azure-vault/subcharts/omejdn/templates/hpa.yaml b/charts/tractusx-connector-legacy/subcharts/omejdn/templates/hpa.yaml
similarity index 100%
rename from charts/tractusx-connector-azure-vault/subcharts/omejdn/templates/hpa.yaml
rename to charts/tractusx-connector-legacy/subcharts/omejdn/templates/hpa.yaml
diff --git a/charts/tractusx-connector-azure-vault/subcharts/omejdn/templates/imagepullsecret.yaml b/charts/tractusx-connector-legacy/subcharts/omejdn/templates/imagepullsecret.yaml
similarity index 100%
rename from charts/tractusx-connector-azure-vault/subcharts/omejdn/templates/imagepullsecret.yaml
rename to charts/tractusx-connector-legacy/subcharts/omejdn/templates/imagepullsecret.yaml
diff --git a/charts/tractusx-connector-azure-vault/subcharts/omejdn/templates/service.yaml b/charts/tractusx-connector-legacy/subcharts/omejdn/templates/service.yaml
similarity index 100%
rename from charts/tractusx-connector-azure-vault/subcharts/omejdn/templates/service.yaml
rename to charts/tractusx-connector-legacy/subcharts/omejdn/templates/service.yaml
diff --git a/charts/tractusx-connector-azure-vault/subcharts/omejdn/templates/serviceaccount.yaml b/charts/tractusx-connector-legacy/subcharts/omejdn/templates/serviceaccount.yaml
similarity index 100%
rename from charts/tractusx-connector-azure-vault/subcharts/omejdn/templates/serviceaccount.yaml
rename to charts/tractusx-connector-legacy/subcharts/omejdn/templates/serviceaccount.yaml
diff --git a/charts/tractusx-connector-azure-vault/subcharts/omejdn/values.yaml b/charts/tractusx-connector-legacy/subcharts/omejdn/values.yaml
similarity index 100%
rename from charts/tractusx-connector-azure-vault/subcharts/omejdn/values.yaml
rename to charts/tractusx-connector-legacy/subcharts/omejdn/values.yaml
diff --git a/charts/tractusx-connector-legacy/templates/NOTES.txt b/charts/tractusx-connector-legacy/templates/NOTES.txt
new file mode 100644
index 000000000..254cf9c67
--- /dev/null
+++ b/charts/tractusx-connector-legacy/templates/NOTES.txt
@@ -0,0 +1,45 @@
+1. Get the control plane URL by running these commands:
+{{ with index .Values.controlplane.ingresses 0}}
+{{- if .enabled }}
+{{- range .paths }}
+ http{{ if .tls }}s{{ end }}://{{ .hostname }}{{ .path }}
+{{- end }}
+{{- else if contains "NodePort" $.Values.controlplane.service.type }}
+ export NODE_PORT=$(kubectl get --namespace {{ $.Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "txdc.fullname" $ }})
+ export NODE_IP=$(kubectl get nodes --namespace {{ $.Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" $.Values.controlplane.service.type }}
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "txdc.fullname" . }}'
+ export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "txdc.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+ echo http://$SERVICE_IP:{{ $.Values.controlplane.service.port }}
+{{- else if contains "ClusterIP" $.Values.controlplane.service.type }}
+ export POD_NAME=$(kubectl get pods --namespace {{ $.Release.Namespace }} -l "app.kubernetes.io/name={{ include "txdc.name" $ }},app.kubernetes.io/instance={{ $.Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+ export CONTAINER_PORT=$(kubectl get pod --namespace {{ $.Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+ echo "Visit http://127.0.0.1:8080 to use your application"
+ kubectl --namespace {{ $.Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}
+{{- end }}
+
+2. Get the data plane URL by running these commands:
+{{ with index .Values.controlplane.ingresses 0}}
+{{- if .enabled }}
+{{- range .paths }}
+ http{{ if .tls }}s{{ end }}://{{ .hostname }}{{ .path }}
+{{- end }}
+{{- else if contains "NodePort" $.Values.dataplane.service.type }}
+ export NODE_PORT=$(kubectl get --namespace {{ $.Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "txdc.fullname" $ }})
+ export NODE_IP=$(kubectl get nodes --namespace {{ $.Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" $.Values.dataplane.service.type }}
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ You can watch the status of by running 'kubectl get --namespace {{ $.Release.Namespace }} svc -w {{ include "txdc.fullname" $ }}'
+ export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "txdc.fullname" $ }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+ echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" $.Values.dataplane.service.type }}
+ export POD_NAME=$(kubectl get pods --namespace {{ $.Release.Namespace }} -l "app.kubernetes.io/name={{ include "txdc.name" $ }},app.kubernetes.io/instance={{ $.Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+ export CONTAINER_PORT=$(kubectl get pod --namespace {{ $.Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+ echo "Visit http://127.0.0.1:8080 to use your application"
+ kubectl --namespace {{ $.Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}
+{{- end }}
diff --git a/charts/tractusx-connector-legacy/templates/_helpers.tpl b/charts/tractusx-connector-legacy/templates/_helpers.tpl
new file mode 100644
index 000000000..701e6fc75
--- /dev/null
+++ b/charts/tractusx-connector-legacy/templates/_helpers.tpl
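Review bot: Section 2 ("Get the data plane URL") still opens on the control plane ingress, `{{ with index .Values.controlplane.ingresses 0}}`, and its LoadBalancer branch echoes `{{ .Values.service.port }}` — inside the `with` block the dot is the ingress entry, so that lookup does not resolve against the chart values; `{{ .Release.Namespace }}` and `include "txdc.fullname" .` in the LoadBalancer lines of both sections have the same scoping problem, while the neighbouring lines correctly use `$`. The fix is `{{ with index .Values.dataplane.ingresses 0}}`, `echo http://$SERVICE_IP:{{ $.Values.dataplane.service.port }}`, and `$.Release.Namespace` / `include "txdc.fullname" $` wherever the dot is used for those inside the `with`. Also, `range .paths` iterates a key that the ingress entries documented earlier on this page (`endpoints`, `hostname`, `tls`) do not appear to define, so the enabled-ingress branch probably prints no URL at all, and `{{ if .tls }}` tests the whole `tls` object rather than `.tls.enabled` — both worth confirming against this chart's values.yaml.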
@@ -0,0 +1,175 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "txdc.name" -}} +{{- default .Chart.Name .Values.nameOverride | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "txdc.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "txdc.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Control Common labels +*/}} +{{- define "txdc.labels" -}} +helm.sh/chart: {{ include "txdc.chart" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Control Common labels +*/}} +{{- define "txdc.controlplane.labels" -}} +helm.sh/chart: {{ include "txdc.chart" . }} +{{ include "txdc.controlplane.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/component: edc-controlplane +app.kubernetes.io/part-of: edc +{{- end }} + +{{/* +Data Common labels +*/}} +{{- define "txdc.dataplane.labels" -}} +helm.sh/chart: {{ include "txdc.chart" . }} +{{ include "txdc.dataplane.selectorLabels" . 
}} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/component: edc-dataplane +app.kubernetes.io/part-of: edc +{{- end }} + +{{/* +Control Selector labels +*/}} +{{- define "txdc.controlplane.selectorLabels" -}} +app.kubernetes.io/name: {{ include "txdc.name" . }}-controlplane +app.kubernetes.io/instance: {{ .Release.Name }}-controlplane +{{- end }} + +{{/* +Data Selector labels +*/}} +{{- define "txdc.dataplane.selectorLabels" -}} +app.kubernetes.io/name: {{ include "txdc.name" . }}-dataplane +app.kubernetes.io/instance: {{ .Release.Name }}-dataplane +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "txdc.controlplane.serviceaccount.name" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "txdc.fullname" . ) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "txdc.dataplane.serviceaccount.name" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "txdc.fullname" . 
) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Control IDS URL +*/}} +{{- define "txdc.controlplane.url.protocol" -}} +{{- if .Values.controlplane.url.protocol }}{{/* if ids api url has been specified explicitly */}} +{{- .Values.controlplane.url.protocol }} +{{- else }}{{/* else when ids api url has not been specified explicitly */}} +{{- with (index .Values.controlplane.ingresses 0) }} +{{- if .enabled }}{{/* if ingress enabled */}} +{{- if .tls.enabled }}{{/* if TLS enabled */}} +{{- printf "https://%s" .hostname -}} +{{- else }}{{/* else when TLS not enabled */}} +{{- printf "http://%s" .hostname -}} +{{- end }}{{/* end if tls */}} +{{- else }}{{/* else when ingress not enabled */}} +{{- printf "http://%s-controlplane:%v" ( include "txdc.fullname" $ ) $.Values.controlplane.endpoints.protocol.port -}} +{{- end }}{{/* end if ingress */}} +{{- end }}{{/* end with ingress */}} +{{- end }}{{/* end if .Values.controlplane.url.protocol */}} +{{- end }} + +{{/* +Validation URL +*/}} +{{- define "txdc.controlplane.url.validation" -}} +{{- printf "http://%s-controlplane:%v%s/token" ( include "txdc.fullname" $ ) $.Values.controlplane.endpoints.control.port $.Values.controlplane.endpoints.control.path -}} +{{- end }} + +{{/* +Data Control URL +*/}} +{{- define "txdc.dataplane.url.control" -}} +{{- printf "http://%s-dataplane:%v%s" (include "txdc.fullname" . 
) .Values.dataplane.endpoints.control.port .Values.dataplane.endpoints.control.path -}} +{{- end }} + +{{/* +Data Public URL +*/}} +{{- define "txdc.dataplane.url.public" -}} +{{- if .Values.dataplane.url.public }}{{/* if public api url has been specified explicitly */}} +{{- .Values.dataplane.url.public }} +{{- else }}{{/* else when public api url has not been specified explicitly */}} +{{- with (index .Values.dataplane.ingresses 0) }} +{{- if .enabled }}{{/* if ingress enabled */}} +{{- if .tls.enabled }}{{/* if TLS enabled */}} +{{- printf "https://%s%s" .hostname $.Values.dataplane.endpoints.public.path -}} +{{- else }}{{/* else when TLS not enabled */}} +{{- printf "http://%s%s" .hostname $.Values.dataplane.endpoints.public.path -}} +{{- end }}{{/* end if tls */}} +{{- else }}{{/* else when ingress not enabled */}} +{{- printf "http://%s-dataplane:%v%s" (include "txdc.fullname" $ ) $.Values.dataplane.endpoints.public.port $.Values.dataplane.endpoints.public.path -}} +{{- end }}{{/* end if ingress */}} +{{- end }}{{/* end with ingress */}} +{{- end }}{{/* end if .Values.dataplane.url.public */}} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "txdc.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "txdc.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/charts/tractusx-connector-memory/subcharts/omejdn/templates/service.yaml b/charts/tractusx-connector-legacy/templates/configmap-controlplane.yaml similarity index 53% rename from charts/tractusx-connector-memory/subcharts/omejdn/templates/service.yaml rename to charts/tractusx-connector-legacy/templates/configmap-controlplane.yaml index 947e69742..42f2a493f 100644 --- a/charts/tractusx-connector-memory/subcharts/omejdn/templates/service.yaml +++ b/charts/tractusx-connector-legacy/templates/configmap-controlplane.yaml 
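Review bot: `txdc.controlplane.serviceaccount.name`, `txdc.dataplane.serviceaccount.name` and `txdc.serviceAccountName` are three byte-identical definitions, and both deployment templates in this change call only `txdc.serviceAccountName`; drop the first two or make them delegate with `{{- include "txdc.serviceAccountName" . -}}` so the three cannot drift apart. Several header comments are copy-paste leftovers: `txdc.labels` is headed `Control Common labels` although it is the plane-independent set, and `txdc.controlplane.url.protocol` is documented as `Control IDS URL` / `ids api url` while it feeds `EDC_DSP_CALLBACK_ADDRESS`; suggest `{{/* Common labels shared by both planes */}}` and `{{/* Control plane DSP protocol URL: explicit .Values.controlplane.url.protocol, else derived from the first ingress */}}`. Note also that `txdc.controlplane.url.protocol` and `txdc.dataplane.url.public` test `.tls.enabled`, whereas NOTES.txt in this same change tests `.tls` directly; the two should agree on the ingress TLS value schema.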
@@ -1,4 +1,8 @@
-# Copyright (c) 2023 Contributors to the Eclipse Foundation
+#
+# Copyright (c) 2023 ZF Friedrichshafen AG
+# Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH
+# Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+# Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) distributed with this work for additional
 # information regarding copyright ownership.
@@ -15,20 +19,18 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 #
-
+
 ---
 apiVersion: v1
-kind: Service
+kind: ConfigMap
 metadata:
- name: {{ include "omejdn.fullname" . }}
+ name: {{ include "txdc.fullname" . }}-controlplane
+ namespace: {{ .Release.Namespace | default "default" | quote }}
 labels:
- {{- include "omejdn.labels" . | nindent 4 }}
-spec:
- type: {{ .Values.service.type }}
- ports:
- - port: {{ .Values.service.port }}
- targetPort: http
- protocol: TCP
- name: http
- selector:
- {{- include "omejdn.selectorLabels" . | nindent 4 }}
+ {{- include "txdc.controlplane.labels" . | nindent 4 }}
+data:
+ opentelemetry.properties: |-
+ {{- .Values.controlplane.opentelemetry | nindent 4 }}
+
+ logging.properties: |-
+ {{- .Values.controlplane.logging | nindent 4 }}
diff --git a/charts/tractusx-connector/subcharts/omejdn/templates/service.yaml b/charts/tractusx-connector-legacy/templates/configmap-dataplane.yaml
similarity index 54%
rename from charts/tractusx-connector/subcharts/omejdn/templates/service.yaml
rename to charts/tractusx-connector-legacy/templates/configmap-dataplane.yaml
index 947e69742..87fd401c3
--- a/charts/tractusx-connector/subcharts/omejdn/templates/service.yaml
+++ b/charts/tractusx-connector-legacy/templates/configmap-dataplane.yaml
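Review bot: `namespace: {{ .Release.Namespace | default "default" | quote }}` makes this ConfigMap the only object in the chart with an explicit namespace — the Deployment that mounts it (deployment-controlplane.yaml in this change) carries none — and the `| default "default"` is dead, since Helm 3 always populates `.Release.Namespace`. Either drop the line for consistency or add it to every template; the same applies to configmap-dataplane.yaml. The `|-` block scalars also render as `opentelemetry.properties: |-` with nothing beneath when `.Values.controlplane.opentelemetry` or `.logging` is empty, which silently yields an empty file in the pod rather than a render error; if a non-empty file is expected, `{{- .Values.controlplane.logging | required ".Values.controlplane.logging is required" | nindent 4 }}` would make that explicit.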
@@ -1,4 +1,8 @@ -# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# Copyright (c) 2023 ZF Friedrichshafen AG +# Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH +# Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) +# Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation # # See the NOTICE file(s) distributed with this work for additional # information regarding copyright ownership. @@ -18,17 +22,15 @@ --- apiVersion: v1 -kind: Service +kind: ConfigMap metadata: - name: {{ include "omejdn.fullname" . }} + name: {{ include "txdc.fullname" . }}-dataplane + namespace: {{ .Release.Namespace | default "default" | quote }} labels: - {{- include "omejdn.labels" . | nindent 4 }} -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.port }} - targetPort: http - protocol: TCP - name: http - selector: - {{- include "omejdn.selectorLabels" . | nindent 4 }} + {{- include "txdc.dataplane.labels" . | nindent 4 }} +data: + opentelemetry.properties: |- + {{- .Values.dataplane.opentelemetry | nindent 4 }} + + logging.properties: |- + {{- .Values.dataplane.logging | nindent 4 }} diff --git a/charts/tractusx-connector-legacy/templates/deployment-controlplane.yaml b/charts/tractusx-connector-legacy/templates/deployment-controlplane.yaml new file mode 100644 index 000000000..35f84ea15 --- /dev/null +++ b/charts/tractusx-connector-legacy/templates/deployment-controlplane.yaml 
@@ -0,0 +1,361 @@ +# + # Copyright (c) 2023 ZF Friedrichshafen AG + # Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH + # Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) + # Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License, Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + # License for the specific language governing permissions and limitations + # under the License. + # + # SPDX-License-Identifier: Apache-2.0 + # + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "txdc.fullname" . }}-controlplane + labels: + {{- include "txdc.controlplane.labels" . | nindent 4 }} +spec: + {{- if not .Values.controlplane.autoscaling.enabled }} + replicas: {{ .Values.controlplane.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "txdc.controlplane.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.controlplane.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "txdc.controlplane.selectorLabels" . | nindent 8 }} + {{- with .Values.controlplane.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "txdc.serviceAccountName" . 
}} + securityContext: + {{- toYaml .Values.controlplane.podSecurityContext | nindent 8 }} + initContainers: + {{- toYaml .Values.controlplane.initContainers | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.controlplane.securityContext | nindent 12 }} + + # either use the specified image, or use the default one + {{- if .Values.controlplane.image.repository }} + image: "{{ .Values.controlplane.image.repository }}:{{ .Values.controlplane.image.tag | default .Chart.AppVersion }}" + {{- else }} + image: "tractusx/edc-controlplane-postgresql-hashicorp-vault-legacy:{{ .Values.controlplane.image.tag | default .Chart.AppVersion }}" + {{- end }} + imagePullPolicy: {{ .Values.controlplane.image.pullPolicy }} + ports: + {{- range $key,$value := .Values.controlplane.endpoints }} + - name: {{ $key }} + containerPort: {{ $value.port }} + protocol: TCP + {{- end }} + {{- if .Values.controlplane.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: {{ .Values.controlplane.endpoints.observability.path }}/check/liveness + port: {{ .Values.controlplane.endpoints.observability.port }} + initialDelaySeconds: {{ .Values.controlplane.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.controlplane.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.controlplane.livenessProbe.timeoutSeconds }} + failureThreshold: {{ .Values.controlplane.livenessProbe.failureThreshold }} + successThreshold: {{ .Values.controlplane.livenessProbe.successThreshold }} + {{- end }} + {{- if .Values.controlplane.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: {{ .Values.controlplane.endpoints.observability.path }}/check/readiness + port: {{ .Values.controlplane.endpoints.observability.port }} + initialDelaySeconds: {{ .Values.controlplane.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.controlplane.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.controlplane.readinessProbe.timeoutSeconds }} + 
failureThreshold: {{ .Values.controlplane.readinessProbe.failureThreshold }} + successThreshold: {{ .Values.controlplane.readinessProbe.successThreshold }} + {{- end }} + resources: + {{- toYaml .Values.controlplane.resources | nindent 12 }} + env: + {{- if .Values.controlplane.debug.enabled }} + - name: "JAVA_TOOL_OPTIONS" + {{- if .Values.controlplane.debug.suspendOnStart }} + value: >- + {{ printf "-agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=%v" .Values.controlplane.debug.port }} + {{- else }} + value: >- + {{ printf "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=%v" .Values.controlplane.debug.port }} + {{- end }} + {{- end }} + + ######################## + ## ID CONFIGURATION ## + ######################## + - name: EDC_PARTICIPANT_ID + value: {{ .Values.participant.id | required ".Values.participant.id is required" | quote }} + + ######################## + ## DAPS CONFIGURATION ## + ######################## + + # see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/iam/oauth2/oauth2-core + - name: EDC_OAUTH_CLIENT_ID + value: {{ .Values.daps.clientId | required ".Values.daps.clientId is required" | quote }} + - name: EDC_OAUTH_PROVIDER_JWKS_URL + value: {{ printf "%s%s" (tpl .Values.daps.url .) .Values.daps.paths.jwks }} + - name: EDC_OAUTH_TOKEN_URL + value: {{ printf "%s%s" (tpl .Values.daps.url .) 
.Values.daps.paths.token }} + - name: EDC_OAUTH_PRIVATE_KEY_ALIAS + value: {{ .Values.vault.secretNames.dapsPrivateKey | required ".Values.vault.secretNames.dapsPrivateKey is required" | quote }} + - name: EDC_OAUTH_CERTIFICATE_ALIAS + value: {{ .Values.vault.secretNames.dapsPublicKey | required ".Values.vault.secretNames.dapsPublicKey is required" | quote }} + + ####### + # API # + ####### + - name: "EDC_API_AUTH_KEY" + value: {{ .Values.controlplane.endpoints.management.authKey | required ".Values.controlplane.endpoints.management.authKey is required" | quote }} + - name: "WEB_HTTP_DEFAULT_PORT" + value: {{ .Values.controlplane.endpoints.default.port | quote }} + - name: "WEB_HTTP_DEFAULT_PATH" + value: {{ .Values.controlplane.endpoints.default.path | quote }} + - name: "WEB_HTTP_MANAGEMENT_PORT" + value: {{ .Values.controlplane.endpoints.management.port | quote }} + - name: "WEB_HTTP_MANAGEMENT_PATH" + value: {{ .Values.controlplane.endpoints.management.path | quote }} + - name: "WEB_HTTP_CONTROL_PORT" + value: {{ .Values.controlplane.endpoints.control.port | quote }} + - name: "WEB_HTTP_CONTROL_PATH" + value: {{ .Values.controlplane.endpoints.control.path | quote }} + - name: "WEB_HTTP_PROTOCOL_PORT" + value: {{ .Values.controlplane.endpoints.protocol.port | quote }} + - name: "WEB_HTTP_PROTOCOL_PATH" + value: {{ .Values.controlplane.endpoints.protocol.path | quote }} + - name: "WEB_HTTP_OBSERVABILITY_PORT" + value: {{ .Values.controlplane.endpoints.observability.port | quote}} + - name: "WEB_HTTP_OBSERVABILITY_PATH" + value: {{ .Values.controlplane.endpoints.observability.path | quote}} + - name: "TRACTUSX_API_OBSERVABILITY_ALLOW-INSECURE" + value: {{ .Values.controlplane.endpoints.observability.insecure | quote }} + + ######### + ## DSP ## + ######### + + - name: "EDC_DSP_CALLBACK_ADDRESS" + value: {{ printf "%s%s" (include "txdc.controlplane.url.protocol" .) 
.Values.controlplane.endpoints.protocol.path | quote }} + - name: "EDC_OAUTH_PROVIDER_AUDIENCE" + value: "idsc:IDS_CONNECTORS_ALL" + - name: "EDC_OAUTH_ENDPOINT_AUDIENCE" + value: {{ printf "%s%s" (include "txdc.controlplane.url.protocol" . ) .Values.controlplane.endpoints.protocol.path | quote }} + + ################ + ## POSTGRESQL ## + ################ + + # see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/control-plane/store/sql/asset-index-sql + - name: "EDC_DATASOURCE_ASSET_NAME" + value: "asset" + - name: "EDC_DATASOURCE_ASSET_USER" + value: {{ .Values.postgresql.auth.username | required ".Values.postgresql.auth.username is required" | quote }} + - name: "EDC_DATASOURCE_ASSET_PASSWORD" + value: {{ .Values.postgresql.auth.password | required ".Values.postgresql.auth.password is required" | quote }} + - name: "EDC_DATASOURCE_ASSET_URL" + value: {{ tpl .Values.postgresql.jdbcUrl . | quote }} + + # see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/control-plane/store/sql/contract-definition-store-sql + - name: "EDC_DATASOURCE_CONTRACTDEFINITION_NAME" + value: "contractdefinition" + - name: "EDC_DATASOURCE_CONTRACTDEFINITION_USER" + value: {{ .Values.postgresql.auth.username | required ".Values.postgresql.auth.username is required" | quote }} + - name: "EDC_DATASOURCE_CONTRACTDEFINITION_PASSWORD" + value: {{ .Values.postgresql.auth.password | required ".Values.postgresql.auth.password is required" | quote }} + - name: "EDC_DATASOURCE_CONTRACTDEFINITION_URL" + value: {{ tpl .Values.postgresql.jdbcUrl . 
| quote }} + + # see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/control-plane/store/sql/contract-negotiation-store-sql + - name: "EDC_DATASOURCE_CONTRACTNEGOTIATION_NAME" + value: "contractnegotiation" + - name: "EDC_DATASOURCE_CONTRACTNEGOTIATION_USER" + value: {{ .Values.postgresql.auth.username | required ".Values.postgresql.auth.username is required" | quote }} + - name: "EDC_DATASOURCE_CONTRACTNEGOTIATION_PASSWORD" + value: {{ .Values.postgresql.auth.password | required ".Values.postgresql.auth.password is required" | quote }} + - name: "EDC_DATASOURCE_CONTRACTNEGOTIATION_URL" + value: {{ tpl .Values.postgresql.jdbcUrl . | quote }} + + # see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/control-plane/store/sql/policy-store-sql + - name: "EDC_DATASOURCE_POLICY_NAME" + value: "policy" + - name: "EDC_DATASOURCE_POLICY_USER" + value: {{ .Values.postgresql.auth.username | required ".Values.postgresql.auth.username is required" | quote }} + - name: "EDC_DATASOURCE_POLICY_PASSWORD" + value: {{ .Values.postgresql.auth.password | required ".Values.postgresql.auth.password is required" | quote }} + - name: "EDC_DATASOURCE_POLICY_URL" + value: {{ tpl .Values.postgresql.jdbcUrl . | quote }} + + # see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/control-plane/store/sql/transfer-process-store-sql + - name: "EDC_DATASOURCE_TRANSFERPROCESS_NAME" + value: "transferprocess" + - name: "EDC_DATASOURCE_TRANSFERPROCESS_USER" + value: {{ .Values.postgresql.auth.username | required ".Values.postgresql.auth.username is required" | quote }} + - name: "EDC_DATASOURCE_TRANSFERPROCESS_PASSWORD" + value: {{ .Values.postgresql.auth.password | required ".Values.postgresql.auth.password is required" | quote }} + - name: "EDC_DATASOURCE_TRANSFERPROCESS_URL" + value: {{ tpl .Values.postgresql.jdbcUrl . 
| quote }} + + # see extension https://github.com/eclipse-tractusx/tractusx-edc/tree/main/edc-extensions/edr-cache-sql + - name: "EDC_DATASOURCE_EDR_NAME" + value: "edr" + - name: "EDC_DATASOURCE_EDR_USER" + value: {{ .Values.postgresql.auth.username | required ".Values.postgresql.auth.username is required" | quote }} + - name: "EDC_DATASOURCE_EDR_PASSWORD" + value: {{ .Values.postgresql.auth.password | required ".Values.postgresql.auth.password is required" | quote }} + - name: "EDC_DATASOURCE_EDR_URL" + value: {{ tpl .Values.postgresql.jdbcUrl . | quote }} + + ################ + ## DATA PLANE ## + ################ + + # see extension https://github.com/eclipse-tractusx/tractusx-edc/tree/main/edc-extensions/dataplane-selector-configuration + - name: "EDC_DATAPLANE_SELECTOR_DEFAULTPLANE_URL" + value: {{ include "txdc.dataplane.url.control" . }}/transfer + - name: "EDC_DATAPLANE_SELECTOR_DEFAULTPLANE_SOURCETYPES" + value: "HttpData,AmazonS3" + - name: "EDC_DATAPLANE_SELECTOR_DEFAULTPLANE_DESTINATIONTYPES" + value: "HttpProxy,AmazonS3" + - name: "EDC_DATAPLANE_SELECTOR_DEFAULTPLANE_PROPERTIES" + value: |- + {{ printf "{ \"publicApiUrl\": \"%s\" }" (include "txdc.dataplane.url.public" . ) }} + + # see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/control-plane/data-plane-transfer + - name: "EDC_TRANSFER_PROXY_ENDPOINT" + value: {{ include "txdc.dataplane.url.public" . 
}} + - name: "EDC_TRANSFER_PROXY_TOKEN_SIGNER_PRIVATEKEY_ALIAS" + value: {{ .Values.vault.secretNames.transferProxyTokenSignerPrivateKey | quote }} + - name: "EDC_TRANSFER_PROXY_TOKEN_VERIFIER_PUBLICKEY_ALIAS" + value: {{ .Values.vault.secretNames.transferProxyTokenSignerPublicKey | quote }} + + # see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/control-plane/transfer/transfer-pull-http-dynamic-receiver + + - name: "EDC_RECEIVER_HTTP_DYNAMIC_ENDPOINT" + value: {{ .Values.backendService.httpProxyTokenReceiverUrl | required ".Values.backendService.httpProxyTokenReceiverUrl is required" | quote }} + + ########### + ## VAULT ## + ########### + + # see extension https://github.com/eclipse-tractusx/tractusx-edc/tree/main/edc-extensions/hashicorp-vault + - name: "EDC_VAULT_HASHICORP_URL" + value: {{ tpl .Values.vault.hashicorp.url . | quote }} + - name: "EDC_VAULT_HASHICORP_TOKEN" + value: {{ .Values.vault.hashicorp.token | required ".Values.vault.hashicorp.token is required" | quote }} + - name: "EDC_VAULT_HASHICORP_TIMEOUT_SECONDS" + value: {{ .Values.vault.hashicorp.timeout | quote }} + - name: "EDC_VAULT_HASHICORP_HEALTH_CHECK_ENABLED" + value: {{ .Values.vault.hashicorp.healthCheck.enabled | quote }} + - name: "EDC_VAULT_HASHICORP_HEALTH_CHECK_STANDBY_OK" + value: {{ .Values.vault.hashicorp.healthCheck.standbyOk | quote }} + - name: "EDC_VAULT_HASHICORP_API_SECRET_PATH" + value: {{ .Values.vault.hashicorp.paths.secret | quote }} + - name: "EDC_VAULT_HASHICORP_API_HEALTH_CHECK_PATH" + value: {{ .Values.vault.hashicorp.paths.health | quote }} + + ##################### + ## DATA ENCRYPTION ## + ##################### + + # see extension https://github.com/eclipse-tractusx/tractusx-edc/tree/main/edc-extensions/data-encryption + - name: "EDC_DATA_ENCRYPTION_KEYS_ALIAS" + value: {{ .Values.vault.secretNames.transferProxyTokenEncryptionAesKey | quote }} + - name: "EDC_DATA_ENCRYPTION_ALGORITHM" + value: "AES" + + ########################### + ## 
AAS WRAPPER EXTENSION ## + ########################### + - name: "EDC_CP_ADAPTER_CACHE_CATALOG_EXPIRE_AFTER" + value: "0" + - name: "EDC_CP_ADAPTER_REUSE_CONTRACT_AGREEMENT" + value: "0" + + ########################### + ## BUSINESS PARTNER NUMBER VALIDATION EXTENSION ## + ########################### + - name: "TRACTUSX_BUSINESSPARTNERVALIDATION_LOG_AGREEMENT_VALIDATION" + value: {{ .Values.controlplane.businessPartnerValidation.log.agreementValidation | quote }} + + ###################################### + ## Additional environment variables ## + ###################################### + - name: "EDC_CONNECTOR_NAME" + value: {{ include "txdc.fullname" .}}-controlplane + {{- range $key, $value := .Values.controlplane.envValueFrom }} + - name: {{ $key | quote }} + valueFrom: + {{- tpl (toYaml $value) $ | nindent 16 }} + {{- end }} + {{- range $key, $value := .Values.controlplane.env }} + - name: {{ $key | quote }} + value: {{ $value | quote }} + {{- end }} + {{- if and (or .Values.controlplane.envSecretNames .Values.controlplane.envConfigMapNames) (or (gt (len .Values.controlplane.envSecretNames) 0) (gt (len .Values.controlplane.envConfigMapNames) 0)) }} + envFrom: + {{- range $value := .Values.controlplane.envSecretNames }} + - secretRef: + name: {{ $value | quote }} + {{- end }} + {{- range $value := .Values.controlplane.envConfigMapNames }} + - configMapRef: + name: {{ $value | quote }} + {{- end }} + {{- end }} + volumeMounts: + - name: "configuration" + mountPath: "/app/opentelemetry.properties" + subPath: "opentelemetry.properties" + - name: "configuration" + mountPath: "/app/logging.properties" + subPath: "logging.properties" + volumes: + - name: "configuration" + configMap: + name: {{ include "txdc.fullname" . }}-controlplane + items: + - key: "opentelemetry.properties" + path: "opentelemetry.properties" + - key: "logging.properties" + path: "logging.properties" + {{- with .Values.controlplane.nodeSelector }} + nodeSelector: + {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- with .Values.controlplane.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controlplane.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/tractusx-connector-legacy/templates/deployment-dataplane.yaml b/charts/tractusx-connector-legacy/templates/deployment-dataplane.yaml new file mode 100644 index 000000000..01ef5ca33 --- /dev/null +++ b/charts/tractusx-connector-legacy/templates/deployment-dataplane.yaml 
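Review bot: `EDC_API_AUTH_KEY`, every `EDC_DATASOURCE_*_PASSWORD` and `EDC_VAULT_HASHICORP_TOKEN` are rendered as literal `value:` entries, so the management API key, the database password and the Vault token end up in the Deployment manifest, in `helm get values` / `helm get manifest` output and in `kubectl describe pod`, readable by anyone with read access to those objects; the same holds for `AWS_SECRET_ACCESS_KEY`, the EDR datasource password and the Vault token in deployment-dataplane.yaml. Sourcing them with `valueFrom: { secretKeyRef: { name: <secret-name>, key: <key> } }` from a Secret the chart creates (or one the operator references) keeps them out of the pod spec, and the hunk's existing `envValueFrom` range already produces exactly that shape. Separately, the ConfigMap is mounted through `subPath`, which does not receive live updates, and the pod template has no config checksum, so editing `controlplane.logging` / `controlplane.opentelemetry` will not roll the pods; `checksum/config: {{ include (print $.Template.BasePath "/configmap-controlplane.yaml") . | sha256sum }}` under the pod `annotations:` fixes that.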
@@ -0,0 +1,236 @@ +# +# Copyright (c) 2023 ZF Friedrichshafen AG +# Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH +# Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) +# Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "txdc.fullname" . }}-dataplane + labels: + {{- include "txdc.dataplane.labels" . | nindent 4 }} +spec: + {{- if not .Values.dataplane.autoscaling.enabled }} + replicas: {{ .Values.dataplane.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "txdc.dataplane.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.dataplane.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "txdc.dataplane.selectorLabels" . | nindent 8 }} + {{- with .Values.dataplane.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "txdc.serviceAccountName" . 
}} + securityContext: + {{- toYaml .Values.dataplane.podSecurityContext | nindent 8 }} + initContainers: + {{- toYaml .Values.dataplane.initContainers | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.dataplane.securityContext | nindent 12 }} + {{- if .Values.dataplane.image.repository }} + image: "{{ .Values.dataplane.image.repository }}:{{ .Values.dataplane.image.tag | default .Chart.AppVersion }}" + {{- else }} + image: "tractusx/edc-dataplane-hashicorp-vault:{{ .Values.dataplane.image.tag | default .Chart.AppVersion }}" + {{- end }} + imagePullPolicy: {{ .Values.dataplane.image.pullPolicy }} + ports: + {{- range $key,$value := .Values.dataplane.endpoints }} + - name: {{ $key }} + containerPort: {{ $value.port }} + protocol: TCP + {{- end }} + {{- if .Values.dataplane.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: {{ .Values.dataplane.endpoints.observability.path }}/check/liveness + port: {{ .Values.dataplane.endpoints.observability.port }} + initialDelaySeconds: {{ .Values.dataplane.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.dataplane.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.dataplane.livenessProbe.timeoutSeconds }} + failureThreshold: {{ .Values.dataplane.livenessProbe.failureThreshold }} + successThreshold: {{ .Values.dataplane.livenessProbe.successThreshold }} + {{- end }} + {{- if .Values.dataplane.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: {{ .Values.dataplane.endpoints.observability.path }}/check/readiness + port: {{ .Values.dataplane.endpoints.observability.port }} + initialDelaySeconds: {{ .Values.dataplane.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.dataplane.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.dataplane.readinessProbe.timeoutSeconds }} + failureThreshold: {{ .Values.dataplane.readinessProbe.failureThreshold }} + successThreshold: {{ .Values.dataplane.readinessProbe.successThreshold }} 
+ {{- end }} + resources: + {{- toYaml .Values.dataplane.resources | nindent 12 }} + env: + {{- if .Values.dataplane.debug.enabled }} + - name: "JAVA_TOOL_OPTIONS" + {{- if .Values.dataplane.debug.suspendOnStart }} + value: >- + {{ printf "-agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=%v" .Values.dataplane.debug.port }} + {{- else }} + value: >- + {{ printf "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=%v" .Values.dataplane.debug.port }} + {{- end }} + {{- end }} + + ####### + # API # + ####### + - name: "WEB_HTTP_DEFAULT_PORT" + value: {{ .Values.dataplane.endpoints.default.port | quote }} + - name: "WEB_HTTP_DEFAULT_PATH" + value: {{ .Values.dataplane.endpoints.default.path | quote }} + - name: "WEB_HTTP_CONTROL_PORT" + value: {{ .Values.dataplane.endpoints.control.port | quote }} + - name: "WEB_HTTP_CONTROL_PATH" + value: {{ .Values.dataplane.endpoints.control.path | quote }} + - name: "WEB_HTTP_PUBLIC_PORT" + value: {{ .Values.dataplane.endpoints.public.port | quote }} + - name: "WEB_HTTP_PUBLIC_PATH" + value: {{ .Values.dataplane.endpoints.public.path | quote }} + - name: "EDC_DATAPLANE_TOKEN_VALIDATION_ENDPOINT" + value: {{ include "txdc.controlplane.url.validation" .}} + - name: "WEB_HTTP_OBSERVABILITY_PORT" + value: {{ .Values.dataplane.endpoints.observability.port | quote }} + - name: "WEB_HTTP_OBSERVABILITY_PATH" + value: {{ .Values.dataplane.endpoints.observability.path | quote }} + - name: "TRACTUSX_API_OBSERVABILITY_ALLOW-INSECURE" + value: {{ .Values.dataplane.endpoints.observability.insecure | quote }} + + ####### + # AWS # + ####### + {{- if .Values.dataplane.aws.endpointOverride }} + - name: "EDC_AWS_ENDPOINT_OVERRIDE" + value: {{ .Values.dataplane.aws.endpointOverride | quote }} + {{- end }} + {{- if .Values.dataplane.aws.secretAccessKey }} + - name: "AWS_SECRET_ACCESS_KEY" + value: {{ .Values.dataplane.aws.secretAccessKey | quote }} + {{- end }} + {{- if .Values.dataplane.aws.accessKeyId }} + - name: 
"AWS_ACCESS_KEY_ID" + value: {{ .Values.dataplane.aws.accessKeyId | quote }} + {{- end }} + + ############### + ## EDR CACHE ## + ############### + + # see extension https://github.com/eclipse-tractusx/tractusx-edc/tree/main/edc-extensions/edr-cache-sql + - name: "EDC_DATASOURCE_EDR_NAME" + value: "edr" + - name: "EDC_DATASOURCE_EDR_USER" + value: {{ .Values.postgresql.auth.username | required ".Values.postgresql.auth.username is required" | quote }} + - name: "EDC_DATASOURCE_EDR_PASSWORD" + value: {{ .Values.postgresql.auth.password | required ".Values.postgresql.auth.password is required" | quote }} + - name: "EDC_DATASOURCE_EDR_URL" + value: {{ tpl .Values.postgresql.jdbcUrl . | quote }} + + ########### + ## VAULT ## + ########### + + # see extension https://github.com/eclipse-tractusx/tractusx-edc/tree/main/edc-extensions/hashicorp-vault + - name: "EDC_VAULT_HASHICORP_URL" + value: {{ tpl .Values.vault.hashicorp.url . | quote }} + - name: "EDC_VAULT_HASHICORP_TOKEN" + value: {{ .Values.vault.hashicorp.token | required ".Values.vault.hashicorp.token is required" | quote }} + - name: "EDC_VAULT_HASHICORP_TIMEOUT_SECONDS" + value: {{ .Values.vault.hashicorp.timeout | quote }} + - name: "EDC_VAULT_HASHICORP_HEALTH_CHECK_ENABLED" + value: {{ .Values.vault.hashicorp.healthCheck.enabled | quote }} + - name: "EDC_VAULT_HASHICORP_HEALTH_CHECK_STANDBY_OK" + value: {{ .Values.vault.hashicorp.healthCheck.standbyOk | quote }} + - name: "EDC_VAULT_HASHICORP_API_SECRET_PATH" + value: {{ .Values.vault.hashicorp.paths.secret | quote }} + - name: "EDC_VAULT_HASHICORP_API_HEALTH_CHECK_PATH" + value: {{ .Values.vault.hashicorp.paths.health | quote }} + + ###################################### + ## Additional environment variables ## + ###################################### + - name: "EDC_CONNECTOR_NAME" + value: {{ include "txdc.fullname" .}}-dataplane + {{- range $key, $value := .Values.dataplane.envValueFrom }} + - name: {{ $key | quote }} + valueFrom: + {{- tpl (toYaml $value) 
$ | nindent 16 }} + {{- end }} + {{- range $key, $value := .Values.dataplane.env }} + - name: {{ $key | quote }} + value: {{ $value | quote }} + {{- end }} + {{- if and (or .Values.dataplane.envSecretNames .Values.dataplane.envConfigMapNames) (or (gt (len .Values.dataplane.envSecretNames) 0) (gt (len .Values.dataplane.envConfigMapNames) 0)) }} + envFrom: + {{- range $value := .Values.dataplane.envSecretNames }} + - secretRef: + name: {{ $value | quote }} + {{- end }} + {{- range $value := .Values.dataplane.envConfigMapNames }} + - configMapRef: + name: {{ $value | quote }} + {{- end }} + {{- end }} + volumeMounts: + - name: "configuration" + mountPath: "/app/opentelemetry.properties" + subPath: "opentelemetry.properties" + - name: "configuration" + mountPath: "/app/logging.properties" + subPath: "logging.properties" + volumes: + - name: "configuration" + configMap: + name: {{ include "txdc.fullname" . }}-dataplane + items: + - key: "opentelemetry.properties" + path: "opentelemetry.properties" + - key: "logging.properties" + path: "logging.properties" + {{- with .Values.dataplane.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.dataplane.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.dataplane.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/tractusx-connector-legacy/templates/hpa-controlplane.yaml b/charts/tractusx-connector-legacy/templates/hpa-controlplane.yaml new file mode 100644 index 000000000..c52ed9152 --- /dev/null +++ b/charts/tractusx-connector-legacy/templates/hpa-controlplane.yaml 
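Review bot: `EDC_DATAPLANE_TOKEN_VALIDATION_ENDPOINT` and `EDC_CONNECTOR_NAME` are the only env entries in this hunk rendered without `| quote`, while every neighbouring value is quoted; `value: {{ include "txdc.controlplane.url.validation" . | quote }}` keeps the block uniform and protects the YAML from a path or name value containing characters such as `: ` or `#` that a plain scalar would reinterpret. The same unquoted form appears for `EDC_TRANSFER_PROXY_ENDPOINT` and `EDC_DATAPLANE_SELECTOR_DEFAULTPLANE_URL` in deployment-controlplane.yaml.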
@@ -0,0 +1,51 @@
+#
+# Copyright (c) 2023 ZF Friedrichshafen AG
+# Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH
+# Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+# Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+{{- if .Values.controlplane.autoscaling.enabled }}
+---
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "txdc.fullname" . }}-controlplane
+ labels:
+ {{- include "txdc.controlplane.labels" . | nindent 4 }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "txdc.fullname" . }}-controlplane
+ minReplicas: {{ .Values.controlplane.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.controlplane.autoscaling.maxReplicas }}
+ metrics:
+ {{- if .Values.controlplane.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ .Values.controlplane.autoscaling.targetCPUUtilizationPercentage }}
+ {{- end }}
+ {{- if .Values.controlplane.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ targetAverageUtilization: {{ .Values.controlplane.autoscaling.targetMemoryUtilizationPercentage }}
+ {{- end }}
+{{- end }}
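Review bot: `apiVersion: autoscaling/v2beta1` on the new HorizontalPodAutoscaler is an API version that Kubernetes stopped serving in v1.25, so on a current cluster this template makes `helm install` fail whenever `controlplane.autoscaling.enabled` is set, while the ingress templates in this same commit already pick their apiVersion with `semverCompare` on `.Capabilities.KubeVersion.GitVersion`. The HPA should do the same: emit `autoscaling/v2` (GA since 1.23) with the `target: {type: Utilization, averageUtilization: N}` metric shape, and keep the v2beta1 `targetAverageUtilization` form only for older clusters. hpa-dataplane.yaml in the next hunk has the identical problem.
```yaml
{{- if .Values.controlplane.autoscaling.enabled }}
---
{{- if semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion }}
apiVersion: autoscaling/v2
{{- else }}
apiVersion: autoscaling/v2beta1
{{- end }}
kind: HorizontalPodAutoscaler
# … unchanged: metadata, scaleTargetRef, minReplicas, maxReplicas …
  metrics:
    {{- if .Values.controlplane.autoscaling.targetCPUUtilizationPercentage }}
    - type: Resource
      resource:
        name: cpu
        {{- if semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion }}
        target:
          type: Utilization
          averageUtilization: {{ .Values.controlplane.autoscaling.targetCPUUtilizationPercentage }}
        {{- else }}
        targetAverageUtilization: {{ .Values.controlplane.autoscaling.targetCPUUtilizationPercentage }}
        {{- end }}
    {{- end }}
    # … unchanged: memory metric, same version switch …
```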
diff --git a/charts/tractusx-connector-legacy/templates/hpa-dataplane.yaml b/charts/tractusx-connector-legacy/templates/hpa-dataplane.yaml new file mode 100644 index 000000000..519c0e526 --- /dev/null +++ b/charts/tractusx-connector-legacy/templates/hpa-dataplane.yaml 
@@ -0,0 +1,51 @@
+#
+# Copyright (c) 2023 ZF Friedrichshafen AG
+# Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH
+# Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+# Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+{{- if .Values.controlplane.autoscaling.enabled }}
+---
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "txdc.fullname" . }}-dataplane
+ labels:
+ {{- include "txdc.dataplane.labels" . | nindent 4 }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "txdc.fullname" . }}-dataplane
+ minReplicas: {{ .Values.dataplane.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.dataplane.autoscaling.maxReplicas }}
+ metrics:
+ {{- if .Values.dataplane.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ .Values.dataplane.autoscaling.targetCPUUtilizationPercentage }}
+ {{- end }}
+ {{- if .Values.dataplane.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ targetAverageUtilization: {{ .Values.dataplane.autoscaling.targetMemoryUtilizationPercentage }}
+ {{- end }}
+{{- end }}
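Review bot: The guard at the top of hpa-dataplane.yaml, `{{- if .Values.controlplane.autoscaling.enabled }}`, reads the controlplane flag while every other value in the file comes from `.Values.dataplane.autoscaling`, so the dataplane HPA is rendered or skipped according to the controlplane's setting and cannot be switched on or off independently. It should read `{{- if .Values.dataplane.autoscaling.enabled }}`, matching the rest of the template.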
diff --git a/charts/tractusx-connector-legacy/templates/ingress-controlplane.yaml b/charts/tractusx-connector-legacy/templates/ingress-controlplane.yaml new file mode 100644 index 000000000..abc90106e --- /dev/null +++ b/charts/tractusx-connector-legacy/templates/ingress-controlplane.yaml 
@@ -0,0 +1,100 @@ +# +# Copyright (c) 2023 ZF Friedrichshafen AG +# Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH +# Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) +# Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# + +{{- $fullName := include "txdc.fullname" . }} +{{- $controlLabels := include "txdc.controlplane.labels" . 
}} +{{- $controlEdcEndpoints := .Values.controlplane.endpoints }} +{{- $gitVersion := .Capabilities.KubeVersion.GitVersion }} +{{- $namespace := .Release.Namespace }} + +{{- range .Values.controlplane.ingresses }} +{{- if and .enabled .endpoints }} +{{- $controlIngressName := printf "%s-controlplane-%s" $fullName .hostname }} +{{- $annotations := .annotations | default dict }} +--- +{{- if semverCompare ">=1.19-0" $gitVersion }} +apiVersion: networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" $gitVersion }} +apiVersion: networking.k8s.io/v1beta1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $controlIngressName }} + namespace: {{ $namespace | default "default" | quote }} + labels: + {{- $controlLabels | nindent 4 }} + annotations: + {{- if and .className (not (semverCompare ">=1.18-0" $gitVersion)) }} + {{- if not (hasKey $annotations "kubernetes.io/ingress.class") }} + {{- $_ := set $annotations "kubernetes.io/ingress.class" .className}} + {{- end }} + {{- end }} + {{- if .certManager }} + {{- if .certManager.issuer }} + {{- $_ := set $annotations "cert-manager.io/issuer" .certManager.issuer}} + {{- end }} + {{- if .certManager.clusterIssuer }} + {{- $_ := set $annotations "cert-manager.io/cluster-issuer" .certManager.clusterIssuer}} + {{- end }} + {{- end }} + {{- with $annotations }} + {{- toYaml . 
| nindent 4 }} + {{- end }} +spec: + {{- if and .className (semverCompare ">=1.18-0" $gitVersion) }} + ingressClassName: {{ .className }} + {{- end }} + {{- if .hostname }} + {{- if .tls.enabled }} + tls: + - hosts: + - {{ .hostname }} + {{- if .tls.secretName }} + secretName: {{ .tls.secretName }} + {{- else }} + secretName: {{ $controlIngressName }}-tls + {{- end }} + {{- end }} + rules: + - host: {{ .hostname }} + http: + paths: + {{- $ingressEdcEndpoints := .endpoints }} + {{- range $name, $mapping := $controlEdcEndpoints }} + {{- if (has $name $ingressEdcEndpoints) }} + - path: {{ $mapping.path }} + pathType: Prefix + backend: + {{- if semverCompare ">=1.19-0" $gitVersion }} + service: + name: {{ $fullName }}-controlplane + port: + number: {{ $mapping.port }} + {{- else }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} +{{- end }}{{- /* end: if .enabled */}} +{{- end }}{{- /* end: range .Values.ingresses */}} diff --git a/charts/tractusx-connector-legacy/templates/ingress-dataplane.yaml b/charts/tractusx-connector-legacy/templates/ingress-dataplane.yaml new file mode 100644 index 000000000..4777a55d4 --- /dev/null +++ b/charts/tractusx-connector-legacy/templates/ingress-dataplane.yaml 
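Review bot: The `{{- else }}` branch under `backend:` (taken when `semverCompare ">=1.19-0" $gitVersion` is false) is empty, so on the `networking.k8s.io/v1beta1` and `extensions/v1beta1` code paths this template renders a `paths` entry with no backend at all and the API server rejects the Ingress. Either fill the branch with the v1beta1 form, `serviceName: {{ $fullName }}-controlplane` and `servicePort: {{ $mapping.port }}`, or drop the pre-1.19 apiVersion selection so the template does not advertise support it does not deliver. The closing comment `{{- /* end: range .Values.ingresses */}}` also names the wrong value; the loop is over `.Values.controlplane.ingresses`. ingress-dataplane.yaml in the following hunk has the same empty branch and the same comment.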
@@ -0,0 +1,100 @@ +# +# Copyright (c) 2023 ZF Friedrichshafen AG +# Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH +# Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) +# Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# + +{{- $fullName := include "txdc.fullname" . }} +{{- $dataLabels := include "txdc.dataplane.labels" . 
}} +{{- $dataEdcEndpoints := .Values.dataplane.endpoints }} +{{- $gitVersion := .Capabilities.KubeVersion.GitVersion }} +{{- $namespace := .Release.Namespace }} + +{{- range .Values.dataplane.ingresses }} +{{- if and .enabled .endpoints }} +{{- $dataIngressName := printf "%s-dataplane-%s" $fullName .hostname }} +{{- $annotations := .annotations | default dict }} +--- +{{- if semverCompare ">=1.19-0" $gitVersion }} +apiVersion: networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" $gitVersion }} +apiVersion: networking.k8s.io/v1beta1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $dataIngressName }} + namespace: {{ $namespace | default "default" | quote }} + labels: + {{- $dataLabels | nindent 4 }} + annotations: + {{- if and .className (not (semverCompare ">=1.18-0" $gitVersion)) }} + {{- if not (hasKey $annotations "kubernetes.io/ingress.class") }} + {{- $_ := set $annotations "kubernetes.io/ingress.class" .className}} + {{- end }} + {{- end }} + {{- if .certManager }} + {{- if .certManager.issuer }} + {{- $_ := set $annotations "cert-manager.io/issuer" .certManager.issuer}} + {{- end }} + {{- if .certManager.clusterIssuer }} + {{- $_ := set $annotations "cert-manager.io/cluster-issuer" .certManager.clusterIssuer}} + {{- end }} + {{- end }} + {{- with $annotations }} + {{- toYaml . 
| nindent 4 }} + {{- end }} +spec: + {{- if and .className (semverCompare ">=1.18-0" $gitVersion) }} + ingressClassName: {{ .className }} + {{- end }} + {{- if .hostname }} + {{- if .tls.enabled }} + tls: + - hosts: + - {{ .hostname }} + {{- if .tls.secretName }} + secretName: {{ .tls.secretName }} + {{- else }} + secretName: {{ $dataIngressName }}-tls + {{- end }} + {{- end }} + rules: + - host: {{ .hostname }} + http: + paths: + {{- $ingressEdcEndpoints := .endpoints }} + {{- range $name, $mapping := $dataEdcEndpoints }} + {{- if (has $name $ingressEdcEndpoints) }} + - path: {{ $mapping.path }} + pathType: Prefix + backend: + {{- if semverCompare ">=1.19-0" $gitVersion }} + service: + name: {{ $fullName }}-dataplane + port: + number: {{ $mapping.port }} + {{- else }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} +{{- end }}{{- /* end: if .enabled */}} +{{- end }}{{- /* end: range .Values.ingresses */}} diff --git a/charts/tractusx-connector-legacy/templates/networkpolicy.yaml b/charts/tractusx-connector-legacy/templates/networkpolicy.yaml new file mode 100644 index 000000000..7a40cb6a3 --- /dev/null +++ b/charts/tractusx-connector-legacy/templates/networkpolicy.yaml 
@@ -0,0 +1,45 @@
+#
+# Copyright (c) 2023 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+{{- if eq (.Values.networkPolicy.enabled | toString) "true" }}
+{{- range tuple "controlplane" "dataplane" }}
+{{- $name := . }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "txdc.fullname" $ }}-{{ $name }}
+ labels:
+ {{- include (printf "txdc.%s.labels" $name) $ | nindent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include (printf "txdc.%s.selectorLabels" $name) $ | nindent 6 }}
+ ingress:
+ - from:
+ {{- toYaml (index $.Values.networkPolicy $name "from") | nindent 6 }}
+ ports:
+ {{- range $key,$value := (index $.Values $name "endpoints") }}
+ - port: {{ $value.port }}
+ protocol: TCP
+ {{- end }}
+ policyTypes:
+ - Ingress
+---
+{{- end }}
+{{- end }}
diff --git a/charts/tractusx-connector-legacy/templates/service-controlplane.yaml b/charts/tractusx-connector-legacy/templates/service-controlplane.yaml
new file mode 100644
index 000000000..acab58343
--- /dev/null
+++ b/charts/tractusx-connector-legacy/templates/service-controlplane.yaml
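Review bot: In the `ingress` rule, `from:` is rendered verbatim from `.Values.networkPolicy.<plane>.from` via `toYaml`; when that list is empty or unset the output is `from: []` or `from: null`, which the NetworkPolicy API treats as "match all sources", so an operator who empties the list to tighten access actually opens every endpoint port of the plane (management, control, observability and metrics included) to the whole cluster. Failing the render is safer than silently allowing all: `{{- if empty (index $.Values.networkPolicy $name "from") }}{{ fail (printf "networkPolicy.%s.from must list at least one peer" $name) }}{{- end }}` before the `from:` line, or at minimum a comment on the value documenting the allow-all semantics. Note also that the one `from` list is applied uniformly to all ports taken from `endpoints`, so the management API cannot be restricted more tightly than the protocol endpoint from within this chart; a per-endpoint peer list would be the more useful shape.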
@@ -0,0 +1,59 @@ +# +# Copyright (c) 2023 ZF Friedrichshafen AG +# Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH +# Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) +# Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# + +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "txdc.fullname" . }}-controlplane + namespace: {{ .Release.Namespace | default "default" | quote }} + labels: + {{- include "txdc.controlplane.labels" . 
| nindent 4 }} +spec: + type: {{ .Values.controlplane.service.type }} + ports: + - port: {{ .Values.controlplane.endpoints.default.port }} + targetPort: default + protocol: TCP + name: default + - port: {{ .Values.controlplane.endpoints.control.port }} + targetPort: control + protocol: TCP + name: control + - port: {{ .Values.controlplane.endpoints.management.port }} + targetPort: management + protocol: TCP + name: management + - port: {{ .Values.controlplane.endpoints.protocol.port }} + targetPort: protocol + protocol: TCP + name: protocol + - port: {{ .Values.controlplane.endpoints.metrics.port }} + targetPort: metrics + protocol: TCP + name: metrics + - port: {{ .Values.controlplane.endpoints.observability.port}} + targetPort: observability + protocol: TCP + name: observability + selector: + {{- include "txdc.controlplane.selectorLabels" . | nindent 4 }} diff --git a/charts/tractusx-connector-legacy/templates/service-dataplane.yaml b/charts/tractusx-connector-legacy/templates/service-dataplane.yaml new file mode 100644 index 000000000..14c2181b7 --- /dev/null +++ b/charts/tractusx-connector-legacy/templates/service-dataplane.yaml 
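Review bot: The `ports` list spells out six endpoints by hand (`default`, `control`, `management`, `protocol`, `metrics`, `observability`) while networkpolicy.yaml in this same commit ranges over `.Values.controlplane.endpoints`, so an endpoint added only in values gets a NetworkPolicy opening but no Service port and the two drift silently. Ranging over the same map keeps them in step, provided the deployment's container ports are named after the endpoint keys, which the `targetPort` values here suggest but which cannot be confirmed from the deployment hunk in view. Separately, `{{ .Values.controlplane.endpoints.observability.port}}` is missing the space before `}}` that every other expression in the file has. service-dataplane.yaml in the next hunk has the same hand-written list and a stray blank line before `selector:`.
```yaml
spec:
  type: {{ .Values.controlplane.service.type }}
  ports:
    {{- range $name, $mapping := .Values.controlplane.endpoints }}
    - port: {{ $mapping.port }}
      targetPort: {{ $name }}
      protocol: TCP
      name: {{ $name }}
    {{- end }}
  # … unchanged: selector …
```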
@@ -0,0 +1,60 @@ +# +# Copyright (c) 2023 ZF Friedrichshafen AG +# Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH +# Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) +# Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# + +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "txdc.fullname" . }}-dataplane + namespace: {{ .Release.Namespace | default "default" | quote }} + labels: + {{- include "txdc.dataplane.labels" . | nindent 4 }} +spec: + type: {{ .Values.dataplane.service.type }} + ports: + - port: {{ .Values.dataplane.endpoints.default.port }} + targetPort: default + protocol: TCP + name: default + - port: {{ .Values.dataplane.endpoints.control.port }} + targetPort: control + protocol: TCP + name: control + - port: {{ .Values.dataplane.endpoints.public.port }} + targetPort: public + protocol: TCP + name: public + - port: {{ .Values.dataplane.endpoints.observability.port }} + targetPort: observability + protocol: TCP + name: observability + - port: {{ .Values.dataplane.endpoints.metrics.port }} + targetPort: metrics + protocol: TCP + name: metrics + - port: {{ .Values.dataplane.endpoints.proxy.port }} + targetPort: proxy + protocol: TCP + name: proxy + + selector: + {{- include "txdc.dataplane.selectorLabels" . | nindent 4 }} 
diff --git a/charts/tractusx-connector-memory/subcharts/omejdn/templates/serviceaccount.yaml b/charts/tractusx-connector-legacy/templates/serviceaccount.yaml similarity index 66% rename from charts/tractusx-connector-memory/subcharts/omejdn/templates/serviceaccount.yaml rename to charts/tractusx-connector-legacy/templates/serviceaccount.yaml index 536f31871..4a6e1ac07 100644 --- a/charts/tractusx-connector-memory/subcharts/omejdn/templates/serviceaccount.yaml +++ b/charts/tractusx-connector-legacy/templates/serviceaccount.yaml @@ -1,4 +1,8 @@ -# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# Copyright (c) 2023 ZF Friedrichshafen AG +# Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH +# Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) +# Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation # # See the NOTICE file(s) distributed with this work for additional # information regarding copyright ownership. @@ -21,11 +25,15 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ include "omejdn.serviceAccountName" . }} + name: {{ include "txdc.serviceAccountName" . }} labels: - {{- include "omejdn.labels" . | nindent 4 }} + {{- include "txdc.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} +{{- with .Values.serviceAccount.imagePullSecrets }} +imagePullSecrets: + {{- toYaml . | nindent 2 }} +{{- end }} {{- end }} diff --git a/docs/samples/example-dataspace/daps/templates/serviceaccount.yaml b/charts/tractusx-connector-legacy/templates/tests/test-controlplane-readiness.yaml similarity index 58% rename from docs/samples/example-dataspace/daps/templates/serviceaccount.yaml rename to charts/tractusx-connector-legacy/templates/tests/test-controlplane-readiness.yaml index 536f31871..694084ded 100644 --- a/docs/samples/example-dataspace/daps/templates/serviceaccount.yaml 
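Review bot: The new `{{- with .Values.serviceAccount.imagePullSecrets }}` block reads a key under `serviceAccount`, whereas the values.yaml added in this commit declares `imagePullSecrets: []` at top level; unless a `serviceAccount.imagePullSecrets` key exists further down in the values file (not in view), this block never renders and the two should be brought into agreement or the values comment should point at the key the template actually reads. The ServiceAccount also leaves `automountServiceAccountToken` at the cluster default, which mounts an API token into every connector pod; if the control plane and data plane do not call the Kubernetes API, `automountServiceAccountToken: false` on the ServiceAccount is the least-privilege default, ideally behind a value such as `.Values.serviceAccount.automountServiceAccountToken`. The enclosing `{{- if .Values.serviceAccount.create -}}` starts above the hunk.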
+++ b/charts/tractusx-connector-legacy/templates/tests/test-controlplane-readiness.yaml @@ -1,3 +1,4 @@ +# # Copyright (c) 2023 Contributors to the Eclipse Foundation # # See the NOTICE file(s) distributed with this work for additional @@ -16,16 +17,20 @@ # SPDX-License-Identifier: Apache-2.0 # -{{- if .Values.serviceAccount.create -}} --- apiVersion: v1 -kind: ServiceAccount +kind: Pod metadata: - name: {{ include "omejdn.serviceAccountName" . }} + name: "{{include "txdc.fullname" .}}test-controlplane-readiness" labels: - {{- include "omejdn.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.annotations }} + {{- include "txdc.controlplane.labels" . | nindent 4 }} annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} + "helm.sh/hook": test + "helm.sh/hook-delete-policy": {{ .Values.tests.hookDeletePolicy }} +spec: + containers: + - name: wget + image: curlimages/curl + command: [ 'curl' ] + args: [ '{{- printf "http://%s-controlplane:%v%s/check/readiness" (include "txdc.fullname" $ ) $.Values.controlplane.endpoints.observability.port $.Values.controlplane.endpoints.observability.path -}}' ] + restartPolicy: Never diff --git a/charts/tractusx-connector/subcharts/omejdn/templates/serviceaccount.yaml b/charts/tractusx-connector-legacy/templates/tests/test-dataplane-readiness.yaml similarity index 59% rename from charts/tractusx-connector/subcharts/omejdn/templates/serviceaccount.yaml rename to charts/tractusx-connector-legacy/templates/tests/test-dataplane-readiness.yaml index 536f31871..0ecc0ce32 100644 --- a/charts/tractusx-connector/subcharts/omejdn/templates/serviceaccount.yaml +++ b/charts/tractusx-connector-legacy/templates/tests/test-dataplane-readiness.yaml @@ -1,3 +1,4 @@ +# # Copyright (c) 2023 Contributors to the Eclipse Foundation # # See the NOTICE file(s) distributed with this work for additional 
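Review bot: The test pod runs `curl` with only the URL, and curl exits 0 on an HTTP 4xx/5xx response, so `helm test` reports success even when `/check/readiness` answers that the control plane is not ready; `command: [ 'curl', '-sSf' ]` makes the hook fail on a non-2xx status and still logs the reason. On the same lines, the container is named `wget` but runs curl, and `image: curlimages/curl` carries no tag or digest, so the test pulls whatever `latest` resolves to at run time; pin it to a specific version. The pod name `"{{include "txdc.fullname" .}}test-controlplane-readiness"` is also missing the `-` separator the other templates put between the fullname and the suffix. test-dataplane-readiness.yaml in the next hunk has all four points.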
@@ -16,16 +17,20 @@ # SPDX-License-Identifier: Apache-2.0 # -{{- if .Values.serviceAccount.create -}} --- apiVersion: v1 -kind: ServiceAccount +kind: Pod metadata: - name: {{ include "omejdn.serviceAccountName" . }} + name: "{{include "txdc.fullname" .}}test-dataplane-readiness" labels: - {{- include "omejdn.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.annotations }} + {{- include "txdc.dataplane.labels" . | nindent 4 }} annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} + "helm.sh/hook": test + "helm.sh/hook-delete-policy": {{ .Values.tests.hookDeletePolicy }} +spec: + containers: + - name: wget + image: curlimages/curl + command: [ 'curl' ] + args: [ '{{- printf "http://%s-dataplane:%v%s/check/readiness" (include "txdc.fullname" $ ) $.Values.dataplane.endpoints.observability.port $.Values.dataplane.endpoints.observability.path -}}' ] + restartPolicy: Never diff --git a/charts/tractusx-connector-legacy/values.yaml b/charts/tractusx-connector-legacy/values.yaml new file mode 100644 index 000000000..f19493f45 --- /dev/null +++ b/charts/tractusx-connector-legacy/values.yaml 
@@ -0,0 +1,575 @@ +# +# Copyright (c) 2023 ZF Friedrichshafen AG +# Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH +# Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) +# Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# + + +--- +# Default values for eclipse-dataspace-connector. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +install: + daps: true + postgresql: true + vault: true +fullnameOverride: "" +nameOverride: "" +# -- Existing image pull secret to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) +imagePullSecrets: [] +customLabels: {} + +participant: + id: "" + +controlplane: + image: + # -- Which derivate of the control plane to use. 
when left empty the deployment will select the correct image automatically + repository: "" + # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use + pullPolicy: IfNotPresent + # -- Overrides the image tag whose default is the chart appVersion + tag: "" + initContainers: [] + debug: + enabled: false + port: 1044 + suspendOnStart: false + internationalDataSpaces: + id: TXDC + description: Tractus-X Eclipse IDS Data Space Connector + title: "" + maintainer: "" + curator: "" + catalogId: TXDC-Catalog + livenessProbe: + # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first liveness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + readinessProbe: + # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first readiness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a readiness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # -- endpoints of the control plane + endpoints: + 
# -- default api for health checks, should not be added to any ingress + default: + # -- port for incoming api calls + port: 8080 + # -- path for incoming api calls + path: /api + # -- data management api, used by internal users, can be added to an ingress and must not be internet facing + management: + # -- port for incoming api calls + port: 8081 + # -- path for incoming api calls + path: /management + # -- authentication key, must be attached to each 'X-Api-Key' request header + authKey: "" + # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not + control: + # -- port for incoming api calls + port: 8083 + # -- path for incoming api calls + path: /control + # -- ids api, used for inter connector communication and must be internet facing + protocol: + # -- port for incoming api calls + port: 8084 + # -- path for incoming api calls + path: /api/v1/dsp + # -- metrics api, used for application metrics, must not be internet facing + metrics: + # -- port for incoming api calls + port: 9090 + # -- path for incoming api calls + path: /metrics + # -- observability api with unsecured access, must not be internet facing + observability: + # -- port for incoming API calls + port: 8085 + # -- observability api, provides /health /readiness and /liveness endpoints + path: /observability + # -- allow or disallow insecure access, i.e. access without authentication + insecure: true + businessPartnerValidation: + log: + agreementValidation: true + service: + # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. 
+ type: ClusterIP + annotations: {} + # -- additional labels for the pod + podLabels: {} + # -- additional annotations for the pod + podAnnotations: {} + # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment + podSecurityContext: + seccompProfile: + # -- Restrict a Container's Syscalls with seccomp + type: RuntimeDefault + # -- Runs all processes within a pod with a special uid + runAsUser: 10001 + # -- Processes within a pod will belong to this guid + runAsGroup: 10001 + # -- The owner for volumes and any files created within volumes will belong to this guid + fsGroup: 10001 + # The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod + securityContext: + capabilities: + # -- Specifies which capabilities to drop to reduce syscall attack surface + drop: + - ALL + # -- Specifies which capabilities to add to issue specialized syscalls + add: [] + # -- Whether the root filesystem is mounted in read-only mode + readOnlyRootFilesystem: true + # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID + allowPrivilegeEscalation: false + # -- Requires the container to run without root privileges + runAsNonRoot: true + # -- The container's process will run with the specified uid + runAsUser: 10001 + # Extra environment variables that will be pass onto deployment pods + env: {} + # ENV_NAME: value + + # "valueFrom" environment variable references that will be added to deployment pods. Name is templated. 
+ # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
+ envValueFrom: {}
+ # ENV_NAME:
+ # configMapKeyRef:
+ # name: configmap-name
+ # key: value_key
+ # secretKeyRef:
+ # name: secret-name
+ # key: value_key
+
+ # [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from
+ envSecretNames: []
+ # - first-secret
+ # - second-secret
+
+ # [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from
+ envConfigMapNames: []
+ # - first-config-map
+ # - second-config-map
+
+ ## Ingress declaration to expose the network service.
+ ingresses:
+ ## Public / Internet facing Ingress
+ - enabled: false
+ # -- The hostname to be used to precisely map incoming traffic onto the underlying network service
+ hostname: "edc-control.local"
+ # -- Additional ingress annotations to add
+ annotations: {}
+ # -- EDC endpoints exposed by this ingress resource
+ endpoints:
+ - protocol
+ # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use
+ className: ""
+ # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource
+ tls:
+ # -- Enables TLS on the ingress resource
+ enabled: false
+ # -- If present overwrites the default secret name
+ secretName: ""
+ ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource
+ certManager:
+ # -- If preset enables certificate generation via cert-manager namespace scoped issuer
+ issuer: ""
+ # -- If preset enables certificate generation via cert-manager cluster-wide issuer
+ clusterIssuer: ""
+ ## Private / Intranet facing Ingress
+ - enabled: false
+ # -- The hostname to be used to precisely map incoming traffic onto the underlying network service
+ hostname: "edc-control.intranet"
+ # -- Additional ingress annotations to add
+ annotations: {}
+ # -- EDC endpoints exposed by this ingress resource
+ endpoints:
+ - management
+ - control
+ # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use
+ className: ""
+ # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource
+ tls:
+ # -- Enables TLS on the ingress resource
+ enabled: false
+ # -- If present overwrites the default secret name
+ secretName: ""
+ ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource
+ certManager:
+ # -- If preset enables certificate generation via cert-manager namespace scoped issuer
+ issuer: ""
+ # -- If preset enables certificate generation via cert-manager cluster-wide issuer
+ clusterIssuer: ""
+ # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container
+ volumeMounts: []
+ # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories
+ volumes: []
+ # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container
+ resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+ replicaCount: 1
+ autoscaling:
+ # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/)
+ enabled: false
+ # -- Minimal replicas if resource consumption falls below resource threshholds
+ minReplicas: 1
+ # -- Maximum replicas if resource consumption exceeds resource threshholds
+ maxReplicas: 100
+ # -- targetAverageUtilization of cpu provided to a pod
+ targetCPUUtilizationPercentage: 80
+ # -- targetAverageUtilization of memory provided to a pod
+ targetMemoryUtilizationPercentage: 80
+ # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics
+ opentelemetry: |-
+ otel.javaagent.enabled=false
+ otel.javaagent.debug=false
+ # -- configuration of the [Java Util Logging Facade](https://docs.oracle.com/javase/7/docs/technotes/guides/logging/overview.html)
+ logging: |-
+ .level=INFO
+ org.eclipse.edc.level=ALL
+ handlers=java.util.logging.ConsoleHandler
+ java.util.logging.ConsoleHandler.formatter=java.util.logging.SimpleFormatter
+ java.util.logging.ConsoleHandler.level=ALL
+ java.util.logging.SimpleFormatter.format=[%1$tY-%1$tm-%1$td %1$tH:%1$tM:%1$tS] [%4$-7s] %5$s%6$s%n
+ # [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes
+ nodeSelector: {}
+ # [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes
+ tolerations: []
+ # [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on
+ affinity: {}
+ url:
+ # -- Explicitly declared url for reaching the ids api (e.g. if ingresses not used)
+ ids: ""
+dataplane:
+ image:
+ # -- Which derivate of the data plane to use. when left empty the deployment will select the correct image automatically
+ repository: ""
+ # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use
+ pullPolicy: IfNotPresent
+ # -- Overrides the image tag whose default is the chart appVersion
+ tag: ""
+ initContainers: []
+ debug:
+ enabled: false
+ port: 1044
+ suspendOnStart: false
+ livenessProbe:
+ # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)
+ enabled: true
+ # -- seconds to wait before performing the first liveness check
+ initialDelaySeconds: 30
+ # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds
+ periodSeconds: 10
+ # -- number of seconds after which the probe times out
+ timeoutSeconds: 5
+ # -- when a probe fails kubernetes will try 6 times before giving up
+ failureThreshold: 6
+ # -- number of consecutive successes for the probe to be considered successful after having failed
+ successThreshold: 1
+ readinessProbe:
+ # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)
+ enabled: true
+ # -- seconds to wait before performing the first readiness check
+ initialDelaySeconds: 30
+ # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds
+ periodSeconds: 10
+ # -- number of seconds after which the probe times out
+ timeoutSeconds: 5
+ # -- when a probe fails kubernetes will try 6 times before giving up
+ failureThreshold: 6
+ # -- number of consecutive successes for the probe to be considered successful after having failed
+ successThreshold: 1
+ service:
+ # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service.
+ type: ClusterIP
+ port: 80
+ endpoints:
+ default:
+ port: 8080
+ path: /api
+ public:
+ port: 8081
+ path: /api/public
+ control:
+ port: 8083
+ path: /api/dataplane/control
+ proxy:
+ port: 8186
+ path: /proxy
+ observability:
+ # -- port for incoming API calls
+ port: 8085
+ # -- observability api, provides /health /readiness and /liveness endpoints
+ path: /observability
+ # -- allow or disallow insecure access, i.e. access without authentication
+ insecure: true
+ metrics:
+ port: 9090
+ path: /metrics
+ aws:
+ endpointOverride: ""
+ accessKeyId: ""
+ secretAccessKey: ""
+ # -- additional labels for the pod
+ podLabels: {}
+ # -- additional annotations for the pod
+ podAnnotations: {}
+ # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment
+ podSecurityContext:
+ seccompProfile:
+ # -- Restrict a Container's Syscalls with seccomp
+ type: RuntimeDefault
+ # -- Runs all processes within a pod with a special uid
+ runAsUser: 10001
+ # -- Processes within a pod will belong to this guid
+ runAsGroup: 10001
+ # -- The owner for volumes and any files created within volumes will belong to this guid
+ fsGroup: 10001
+ # The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod
+ securityContext:
+ capabilities:
+ # -- Specifies which capabilities to drop to reduce syscall attack surface
+ drop:
+ - ALL
+ # -- Specifies which capabilities to add to issue specialized syscalls
+ add: []
+ # -- Whether the root filesystem is mounted in read-only mode
+ readOnlyRootFilesystem: true
+ # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID
+ allowPrivilegeEscalation: false
+ # -- Requires the container to run without root privileges
+ runAsNonRoot: true
+ # -- The container's process will run with the specified uid
+ runAsUser: 10001
+ # Extra environment variables that will be pass onto deployment pods
+ env: {}
+ # ENV_NAME: value
+
+ # "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
+ # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
+ envValueFrom: {}
+ # ENV_NAME:
+ # configMapKeyRef:
+ # name: configmap-name
+ # key: value_key
+ # secretKeyRef:
+ # name: secret-name
+ # key: value_key
+
+ # [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from
+ envSecretNames: []
+ # - first-secret
+ # - second-secret
+
+ # [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from
+ envConfigMapNames: []
+ # - first-config-map
+ # - second-config-map
+
+ ## Ingress declaration to expose the network service.
+ ingresses:
+ ## Public / Internet facing Ingress
+ - enabled: false
+ # -- The hostname to be used to precisely map incoming traffic onto the underlying network service
+ hostname: "edc-data.local"
+ # -- Additional ingress annotations to add
+ annotations: {}
+ # -- EDC endpoints exposed by this ingress resource
+ endpoints:
+ - public
+ # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use
+ className: ""
+ # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource
+ tls:
+ # -- Enables TLS on the ingress resource
+ enabled: false
+ # -- If present overwrites the default secret name
+ secretName: ""
+ ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource
+ certManager:
+ # -- If preset enables certificate generation via cert-manager namespace scoped issuer
+ issuer: ""
+ # -- If preset enables certificate generation via cert-manager cluster-wide issuer
+ clusterIssuer: ""
+ # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container
+ volumeMounts: []
+ # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories
+ volumes: []
+ # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container
+ resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+ replicaCount: 1
+ autoscaling:
+ # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/)
+ enabled: false
+ # -- Minimal replicas if resource consumption falls below resource threshholds
+ minReplicas: 1
+ # -- Maximum replicas if resource consumption exceeds resource threshholds
+ maxReplicas: 100
+ # -- targetAverageUtilization of cpu provided to a pod
+ targetCPUUtilizationPercentage: 80
+ # -- targetAverageUtilization of memory provided to a pod
+ targetMemoryUtilizationPercentage: 80
+ # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics
+ opentelemetry: |-
+ otel.javaagent.enabled=false
+ otel.javaagent.debug=false
+ # -- configuration of the [Java Util Logging Facade](https://docs.oracle.com/javase/7/docs/technotes/guides/logging/overview.html)
+ logging: |-
+ .level=INFO
+ org.eclipse.edc.level=ALL
+ handlers=java.util.logging.ConsoleHandler
+ java.util.logging.ConsoleHandler.formatter=java.util.logging.SimpleFormatter
+ java.util.logging.ConsoleHandler.level=ALL
+ java.util.logging.SimpleFormatter.format=[%1$tY-%1$tm-%1$td %1$tH:%1$tM:%1$tS] [%4$-7s] %5$s%6$s%n
+ # [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes
+ nodeSelector: {}
+ # [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes
+ tolerations: []
+ # [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on
+ affinity: {}
+ url:
+ # -- Explicitly declared url for reaching the public api (e.g. if ingresses not used)
+ public: ""
+postgresql:
+ jdbcUrl: "jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc"
+ primary:
+ persistence:
+ enabled: false
+ readReplicas:
+ persistence:
+ enabled: false
+ auth:
+ database: "edc"
+ username: "user"
+ password: "password"
+vault:
+ injector:
+ enabled: false
+ server:
+ dev:
+ enabled: true
+ devRootToken: "root"
+ # Must be the same certificate that is configured in section 'daps'
+ postStart: # must be set externally!
+ hashicorp:
+ url: "http://{{ .Release.Name }}-vault:8200"
+ token: ""
+ timeout: 30
+ healthCheck:
+ enabled: true
+ standbyOk: true
+ paths:
+ secret: /v1/secret
+ health: /v1/sys/health
+ secretNames:
+ transferProxyTokenSignerPrivateKey: transfer-proxy-token-signer-private-key
+ transferProxyTokenSignerPublicKey: transfer-proxy-token-signer-public-key
+ transferProxyTokenEncryptionAesKey: transfer-proxy-token-encryption-aes-key
+ dapsPrivateKey: daps-private-key
+ dapsPublicKey: daps-public-key
+daps:
+ url: "http://{{ .Release.Name }}-daps:4567"
+ clientId: ""
+ paths:
+ jwks: /jwks.json
+ token: /token
+ connectors:
+ - id: E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65:keyid:E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65
+ name: sokrates
+ attributes:
+ referringConnector: http://sokrates-controlplane/BPNSOKRATES
+ # Must be the same certificate that is stores in section 'sokrates-vault'
+ certificate: "" # must be set externally!
+backendService:
+ httpProxyTokenReceiverUrl: ""
+
+networkPolicy:
+ # -- If `true` network policy will be created to restrict access to control- and dataplane
+ enabled: false
+ # -- Configuration of the controlplane component
+ controlplane:
+ # -- Specify from rule network policy for cp (defaults to all namespaces)
+ from:
+ - namespaceSelector: {}
+ # -- Configuration of the dataplane component
+ dataplane:
+ # -- Specify from rule network policy for dp (defaults to all namespaces)
+ from:
+ - namespaceSelector: {}
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+ # -- Existing image pull secret bound to the service account to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry)
+ imagePullSecrets: []
+idsdaps:
+ connectors:
+ - certificate: |-
+
+# -- Configurations for Helm tests
+tests:
+ # -- Configure the hook-delete-policy for Helm tests
+ hookDeletePolicy: before-hook-creation,hook-succeeded
diff --git a/charts/tractusx-connector-memory/Chart.yaml b/charts/tractusx-connector-memory/Chart.yaml
index 5612b3523..3e88b708d 100644
--- a/charts/tractusx-connector-memory/Chart.yaml
+++ b/charts/tractusx-connector-memory/Chart.yaml
@@ -43,10 +43,3 @@ appVersion: "0.4.1"
 home: https://github.com/eclipse-tractusx/tractusx-edc/tree/main/charts/tractusx-connector-memory
 sources:
 - https://github.com/eclipse-tractusx/tractusx-edc/tree/main/charts/tractusx-connector-memory
-dependencies:
- # IDS Dynamic Attribute Provisioning Service (IAM)
- - name: daps
- version: 0.0.1
- repository: "file://./subcharts/omejdn"
- alias: daps
- condition: install.daps
diff --git a/charts/tractusx-connector-memory/README.md b/charts/tractusx-connector-memory/README.md index e257f78cc..2b0a76966 100644 --- a/charts/tractusx-connector-memory/README.md +++ b/charts/tractusx-connector-memory/README.md @@ -25,7 +25,7 @@ export DAPS_CERT="$(cat daps.cert)" The in-memory vault can be seeded directly with secrets that are passed in `:;:;...` format. This config value can be passed to the runtime using the `vault.secrets` parameter. In addition, the runtime requires a couple of configuration parameters, all of which can be found in the section below. Please also consider using -[this example configuration](https://github.com/eclipse-tractusx/tractusx-edc/blob/main/charts/tractusx-connector-memory/example.yaml) +[this example configuration](https://github.com/eclipse-tractusx/tractusx-edc/blob/main/edc-tests/deployment/src/main/resources/helm/tractusx-connector-memory-test.yaml) to launch the application. Combined, run this shell command to start the in-memory Tractus-X EDC runtime: @@ -33,7 +33,7 @@ Combined, run this shell command to start the in-memory Tractus-X EDC runtime: ```shell helm repo add tractusx-edc https://eclipse-tractusx.github.io/charts/dev helm install my-release tractusx-edc/tractusx-connector-memory --version 0.4.1 \ - -f /example.yaml \ + -f /tractusx-connector-memory-test.yaml \ --set vault.secrets="daps-cert:$DAPS_CERT;daps-key:$DAPS_KEY" \ ``` @@ -41,13 +41,7 @@ Note that `DAPS_CERT` contains the x509 certificate, `DAPS_KEY` contains the pri ## Source Code - - -## Requirements - -| Repository | Name | Version | -|------------|------|---------| -| file://./subcharts/omejdn | daps(daps) | 0.0.1 | +* ## Values 
@@ -60,14 +54,11 @@ Note that `DAPS_CERT` contains the x509 certificate, `DAPS_KEY` contains the pri
 | daps.connectors[0].certificate | string | `""` | |
 | daps.connectors[0].id | string | `"E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65:keyid:E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65"` | |
 | daps.connectors[0].name | string | `"sokrates"` | |
-| daps.fullnameOverride | string | `"daps"` | |
 | daps.paths.jwks | string | `"/jwks.json"` | |
 | daps.paths.token | string | `"/token"` | |
-| daps.url | string | `""` | |
+| daps.url | string | `"http://{{ .Release.Name }}-daps:4567"` | |
 | fullnameOverride | string | `""` | |
-| idsdaps.connectors[0].certificate | string | `""` | |
 | imagePullSecrets | list | `[]` | Existing image pull secret to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) |
-| install.daps | bool | `true` | |
 | nameOverride | string | `""` | |
 | participant.id | string | `""` | |
 | runtime.affinity | object | `{}` | |
@@ -166,6 +157,12 @@ Note that `DAPS_CERT` contains the x509 certificate, `DAPS_KEY` contains the pri
 | runtime.securityContext.runAsUser | int | `10001` | The container's process will run with the specified uid |
 | runtime.service.annotations | object | `{}` | |
 | runtime.service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. |
+| runtime.ssi.endpoint.audience | string | `"http://this.audience"` | |
+| runtime.ssi.miw.authorityId | string | `""` | |
+| runtime.ssi.miw.url | string | `""` | |
+| runtime.ssi.oauth.client.id | string | `""` | |
+| runtime.ssi.oauth.client.secretAlias | string | `"client-secret"` | |
+| runtime.ssi.oauth.tokenurl | string | `""` | |
 | runtime.tolerations | list | `[]` | |
 | runtime.url.ids | string | `""` | Explicitly declared url for reaching the ids api (e.g. if ingresses not used) |
 | runtime.url.public | string | `""` | |
@@ -176,11 +173,9 @@ Note that `DAPS_CERT` contains the x509 certificate, `DAPS_KEY` contains the pri
 | serviceAccount.create | bool | `true` | |
 | serviceAccount.imagePullSecrets | list | `[]` | Existing image pull secret bound to the service account to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) |
 | serviceAccount.name | string | `""` | |
-| vault.secretNames.dapsPrivateKey | string | `"daps-private-key"` | |
-| vault.secretNames.dapsPublicKey | string | `"daps-public-key"` | |
+| tests | object | `{"hookDeletePolicy":"before-hook-creation,hook-succeeded"}` | Configurations for Helm tests |
+| tests.hookDeletePolicy | string | `"before-hook-creation,hook-succeeded"` | Configure the hook-delete-policy for Helm tests |
 | vault.secretNames.transferProxyTokenEncryptionAesKey | string | `"transfer-proxy-token-encryption-aes-key"` | |
-| vault.secretNames.transferProxyTokenSignerPrivateKey | string | `"transfer-proxy-token-signer-private-key"` | |
-| vault.secretNames.transferProxyTokenSignerPublicKey | string | `"transfer-proxy-token-signer-public-key"` | |
 | vault.secrets | string | `""` | |
 | vault.server.postStart | string | `""` | |
diff --git a/charts/tractusx-connector-memory/subcharts/omejdn/.helmignore b/charts/tractusx-connector-memory/subcharts/omejdn/.helmignore
deleted file mode 100644
index 0e8a0eb36..000000000
--- a/charts/tractusx-connector-memory/subcharts/omejdn/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/charts/tractusx-connector-memory/subcharts/omejdn/Chart.yaml b/charts/tractusx-connector-memory/subcharts/omejdn/Chart.yaml
deleted file mode 100644
index f0a4e6e4e..000000000
--- a/charts/tractusx-connector-memory/subcharts/omejdn/Chart.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-# Copyright (c) 2023 Contributors to the Eclipse Foundation
-#
-# See the NOTICE file(s) distributed with this work for additional
-# information regarding copyright ownership.
-#
-# This program and the accompanying materials are made available under the
-# terms of the Apache License, Version 2.0 which is available at
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-
----
-apiVersion: v2
-name: daps
-description: A Helm chart for Kubernetes
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.1
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "0.0.1"
diff --git a/charts/tractusx-connector-memory/subcharts/omejdn/README.md b/charts/tractusx-connector-memory/subcharts/omejdn/README.md
deleted file mode 100644
index d23a9f9fa..000000000
--- a/charts/tractusx-connector-memory/subcharts/omejdn/README.md
+++ /dev/null
@@ -1,39 +0,0 @@
-# daps
-
-![Version: 0.4.1](https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.4.1](https://img.shields.io/badge/AppVersion-0.4.1-informational?style=flat-square)
-
-A Helm chart for Kubernetes
-
-## Values
-
-| Key | Type | Default | Description |
-|-----|------|---------|-------------|
-| affinity | object | `{}` | [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) constrains which nodes the Pod can be scheduled on based on node labels. |
-| automountServiceAccountToken | bool | `false` | Whether to [automount kubernetes API credentials](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server) into the pod |
-| autoscaling.enabled | bool | `false` | Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) |
-| autoscaling.maxReplicas | int | `100` | Maximum replicas if resource consumption exceeds resource threshholds |
-| autoscaling.minReplicas | int | `1` | Minimal replicas if resource consumption falls below resource threshholds |
-| autoscaling.targetCPUUtilizationPercentage | int | `80` | targetAverageUtilization of cpu provided to a pod |
-| autoscaling.targetMemoryUtilizationPercentage | int | `80` | targetAverageUtilization of memory provided to a pod |
-| connectors | list | `[]` | |
-| fullnameOverride | string | `""` | Overrides the releases full name |
-| image.pullPolicy | string | `"IfNotPresent"` | [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use |
-| image.repository | string | `"ghcr.io/fraunhofer-aisec/omejdn-server"` | Which omjedn container image to use |
-| image.tag | string | `"1.7.1"` | Overrides the image tag whose default is the chart appVersion |
-| imagePullSecret.dockerconfigjson | string | `""` | Image pull secret to create to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) Note: This value needs to adhere to the [(base64 encoded) .dockerconfigjson format](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#registry-secret-existing-credentials). Furthermore, if 'imagePullSecret.dockerconfigjson' is defined, it takes precedence over 'imagePullSecrets'. |
-| nameOverride | string | `""` | Overrides the charts name |
-| nodeSelector | object | `{}` | [Node-Selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain the Pod to nodes with specific labels. |
-| podAnnotations | object | `{}` | [Annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) added to deployed [pods](https://kubernetes.io/docs/concepts/workloads/pods/) |
-| podSecurityContext | object | `{}` | |
-| replicaCount | int | `1` | Specifies how many replicas of a deployed pod shall be created during the deployment Note: If horizontal pod autoscaling is enabled this setting has no effect |
-| resources | object | `{}` | [Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) applied to the deployed pod |
-| securityContext | object | `{}` | |
-| service.port | int | `4567` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service) to expose the running application on a set of Pods as a network service. |
-| service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. |
-| serviceAccount.annotations | object | `{}` | [Annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) to add to the service account |
-| serviceAccount.create | bool | `true` | Specifies whether a [service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) should be created per release |
-| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the release's fullname template |
-| tolerations | list | `[]` | [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) are applied to Pods to schedule onto nodes with matching taints. |
-
-----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.10.0](https://github.com/norwoodj/helm-docs/releases/v1.10.0)
diff --git a/charts/tractusx-connector-memory/subcharts/omejdn/templates/_helpers.tpl b/charts/tractusx-connector-memory/subcharts/omejdn/templates/_helpers.tpl
deleted file mode 100644
index 95b115eee..000000000
--- a/charts/tractusx-connector-memory/subcharts/omejdn/templates/_helpers.tpl
+++ /dev/null
@@ -1,62 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "omejdn.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "omejdn.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "omejdn.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "omejdn.labels" -}}
-helm.sh/chart: {{ include "omejdn.chart" . }}
-{{ include "omejdn.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "omejdn.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "omejdn.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "omejdn.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "omejdn.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
diff --git a/charts/tractusx-connector-memory/subcharts/omejdn/templates/configmap.yaml b/charts/tractusx-connector-memory/subcharts/omejdn/templates/configmap.yaml
deleted file mode 100644
index 0f007ed8d..000000000
--- a/charts/tractusx-connector-memory/subcharts/omejdn/templates/configmap.yaml
+++ /dev/null
@@ -1,92 +0,0 @@ -# Copyright (c) 2023 Contributors to the Eclipse Foundation -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# - ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "omejdn.fullname" . }} - labels: - {{- include "omejdn.labels" . | nindent 4 }} -data: - scope_mapping.yml: |- - --- - idsc:IDS_CONNECTOR_ATTRIBUTES_ALL: - - referringConnector - - omejdn.yml: |- - --- - host: http://{{ .Release.Name }}-daps:4567/ - path_prefix: '' - bind_to: 0.0.0.0 - allow_origin: "*" - app_env: debug - openid: false - user_backend: - - yaml - user_backend_default: yaml - accept_audience: idsc:IDS_CONNECTORS_ALL - issuer: http://{{ .Release.Name }}-daps:4567/ - environment: development - default_audience: - - idsc:IDS_CONNECTORS_ALL - access_token: - expiration: 3600 - algorithm: RS256 - id_token: - expiration: 3600 - algorithm: RS256 - - plugins.yml: |- - --- - plugins: - token_user_attributes: - - clients.yml: |- - --- - - client_id: data-plane-oauth2 - client_secret: supersecret - name: provision oauth2 - grant_types: - - client_credentials - token_endpoint_auth_method: client_secret_post - scope: openid -{{- range $i, $val := .Values.connectors }} - - client_id: {{ quote $val.id }} - name: {{ quote $val.name }} - token_endpoint_auth_method: private_key_jwt - grant_types: - - client_credentials - scope: - - 
idsc:IDS_CONNECTOR_ATTRIBUTES_ALL - attributes: - - key: idsc - value: IDS_CONNECTOR_ATTRIBUTES_ALL - - key: securityProfile - value: idsc:BASE_SECURITY_PROFILE - {{- range $key, $value := $val.attributes }} - - key: {{ $key }} - value: {{ $value }} - {{- end }} - redirect_uri: http://localhost:4200 -{{ end -}} - - -{{- range $i, $val := .Values.connectors }} - {{ $val.name }}: {{ quote $val.certificate | toString }} -{{ end -}} diff --git a/charts/tractusx-connector-memory/subcharts/omejdn/templates/deployment.yaml b/charts/tractusx-connector-memory/subcharts/omejdn/templates/deployment.yaml deleted file mode 100644 index 58bfff105..000000000 --- a/charts/tractusx-connector-memory/subcharts/omejdn/templates/deployment.yaml +++ /dev/null 
@@ -1,168 +0,0 @@ -# Copyright (c) 2023 Contributors to the Eclipse Foundation -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "omejdn.fullname" . }} - labels: - {{- include "omejdn.labels" . | nindent 4 }} -spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} - {{- end }} - selector: - matchLabels: - {{- include "omejdn.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "omejdn.selectorLabels" . | nindent 8 }} - spec: - {{- if .Values.imagePullSecret.dockerconfigjson }} - imagePullSecrets: - - name: {{ include "omejdn.fullname" . }}-imagepullsecret - {{- else }} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- end }} - serviceAccountName: {{ include "omejdn.serviceAccountName" . }} - automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . 
| nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - initContainers: - - name: init-daps-pvc - image: alpine - command: - - "sh" - - "-c" - args: - - | - cp /opt/config/omejdn.yml /etc/daps/omejdn.yml - cp /opt/config/clients.yml /etc/daps/clients.yml - cp /opt/config/plugins.yml /etc/daps/plugins.yml - cp /opt/config/scope_mapping.yml /etc/daps/scope_mapping.yml - apk add --update openssl - openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout /etc/keys/omejdn/omejdn.key \ - -subj "/C=DE/ST=Berlin/L=Berlin/O=Tractus-X-EDC-Test, Inc./OU=DE" - volumeMounts: - - mountPath: /etc/daps - name: config-dir - - mountPath: /etc/keys/omejdn - name: omejdn-key-dir - - mountPath: /opt/config/omejdn.yml - name: omejdn-config - subPath: omejdn.yml - - mountPath: /opt/config/scope_mapping.yml - name: scope-mapping - subPath: scope_mapping.yml - - mountPath: /opt/config/clients.yml - name: clients-config - subPath: clients.yml - - mountPath: /opt/config/plugins.yml - name: plugins-config - subPath: plugins.yml - containers: - - name: {{ .Chart.Name }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - volumeMounts: - - mountPath: /opt/config/ - name: config-dir - - mountPath: /opt/keys/omejdn/omejdn.key - name: omejdn-key-dir - subPath: omejdn.key - - mountPath: /opt/keys/clients/ - name: client-certificates - ports: - - name: http - containerPort: 4567 - protocol: TCP - livenessProbe: - httpGet: - path: /jwks.json - port: http - readinessProbe: - httpGet: - path: /jwks.json - port: http - resources: - {{- toYaml .Values.resources | nindent 12 }} - env: - - name: OMEJDN_JWT_AUD_OVERRIDE - value: "idsc:IDS_CONNECTORS_ALL" - - name: OMEJDN_PLUGINS - value: "config/plugins.yml" - volumes: - - name: config-dir - emptyDir: { } - - name: 
omejdn-key-dir - emptyDir: { } - - name: omejdn-config - configMap: - name: {{ include "omejdn.fullname" . }} - items: - - key: omejdn.yml - path: omejdn.yml - - name: scope-mapping - configMap: - name: {{ include "omejdn.fullname" . }} - items: - - key: scope_mapping.yml - path: scope_mapping.yml - - name: clients-config - configMap: - name: {{ include "omejdn.fullname" . }} - items: - - key: clients.yml - path: clients.yml - - name: plugins-config - configMap: - name: {{ include "omejdn.fullname" . }} - items: - - key: plugins.yml - path: plugins.yml - - name: client-certificates - configMap: - name: {{ include "omejdn.fullname" . }} - items: - {{- range $i, $val := .Values.connectors }} - - key: {{ $val.name }} - path: {{ $val.id }}.cert - {{- end }} diff --git a/charts/tractusx-connector-memory/subcharts/omejdn/templates/hpa.yaml b/charts/tractusx-connector-memory/subcharts/omejdn/templates/hpa.yaml deleted file mode 100644 index f1f072f6c..000000000 --- a/charts/tractusx-connector-memory/subcharts/omejdn/templates/hpa.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -# Copyright (c) 2023 Contributors to the Eclipse Foundation - # - # See the NOTICE file(s) distributed with this work for additional - # information regarding copyright ownership. - # - # This program and the accompanying materials are made available under the - # terms of the Apache License, Version 2.0 which is available at - # https://www.apache.org/licenses/LICENSE-2.0 - # - # Unless required by applicable law or agreed to in writing, software - # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - # License for the specific language governing permissions and limitations - # under the License. - # - # SPDX-License-Identifier: Apache-2.0 - # - -{{- if .Values.autoscaling.enabled }} ---- -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: {{ include "omejdn.fullname" . }} - labels: - {{- include "omejdn.labels" . | nindent 4 }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ include "omejdn.fullname" . }} - minReplicas: {{ .Values.autoscaling.minReplicas }} - maxReplicas: {{ .Values.autoscaling.maxReplicas }} - metrics: - {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} - {{- end }} - {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} - - type: Resource - resource: - name: memory - targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} - {{- end }} -{{- end }} diff --git a/charts/tractusx-connector-memory/subcharts/omejdn/templates/imagepullsecret.yaml b/charts/tractusx-connector-memory/subcharts/omejdn/templates/imagepullsecret.yaml deleted file mode 100644 index 44f573e0f..000000000 --- a/charts/tractusx-connector-memory/subcharts/omejdn/templates/imagepullsecret.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -# Copyright (c) 2023 Contributors to the Eclipse Foundation - # - # See the NOTICE file(s) distributed with this work for additional - # information regarding copyright ownership. - # - # This program and the accompanying materials are made available under the - # terms of the Apache License, Version 2.0 which is available at - # https://www.apache.org/licenses/LICENSE-2.0 - # - # Unless required by applicable law or agreed to in writing, software - # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - # License for the specific language governing permissions and limitations - # under the License. - # - # SPDX-License-Identifier: Apache-2.0 - # - -{{- if .Values.imagePullSecret.dockerconfigjson }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "edc-dataplane.fullname" . }}-imagepullsecret - namespace: {{ .Release.Namespace | default "default" | quote }} - labels: - {{- include "edc-dataplane.labels" . | nindent 4 }} -data: - .dockerconfigjson: {{ .Values.imagePullSecret.dockerconfigjson }} -type: kubernetes.io/dockerconfigjson -{{- end }} diff --git a/charts/tractusx-connector-memory/subcharts/omejdn/values.yaml b/charts/tractusx-connector-memory/subcharts/omejdn/values.yaml deleted file mode 100644 index f411b8774..000000000 --- a/charts/tractusx-connector-memory/subcharts/omejdn/values.yaml +++ /dev/null 
@@ -1,109 +0,0 @@ -# Copyright (c) 2023 Contributors to the Eclipse Foundation -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# - ---- -# Default values for omejdn. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# -- Specifies how many replicas of a deployed pod shall be created during the deployment -# Note: If horizontal pod autoscaling is enabled this setting has no effect -replicaCount: 1 - -image: - # -- Which omjedn container image to use - repository: ghcr.io/fraunhofer-aisec/omejdn-server - # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use - pullPolicy: IfNotPresent - # -- Overrides the image tag whose default is the chart appVersion - tag: "1.7.1" - -imagePullSecret: - # -- Image pull secret to create to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) - # Note: This value needs to adhere to the [(base64 encoded) .dockerconfigjson format](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#registry-secret-existing-credentials). - # Furthermore, if 'imagePullSecret.dockerconfigjson' is defined, it takes precedence over 'imagePullSecrets'. 
- dockerconfigjson: "" - -# -- Overrides the charts name -nameOverride: "" - -# -- Overrides the releases full name -fullnameOverride: "" - -serviceAccount: - # -- Specifies whether a [service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) should be created per release - create: true - # -- [Annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) to add to the service account - annotations: {} - # -- The name of the service account to use. If not set and create is true, a name is generated using the release's fullname template - name: "" - -# -- Whether to [automount kubernetes API credentials](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server) into the pod -automountServiceAccountToken: false - -# -- [Annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) added to deployed [pods](https://kubernetes.io/docs/concepts/workloads/pods/) -podAnnotations: {} - -# The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment -podSecurityContext: {} - -# The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod -securityContext: {} - -service: - # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. - type: ClusterIP - # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service) to expose the running application on a set of Pods as a network service. 
- port: 4567 - -# -- [Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) applied to the deployed pod -resources: {} - -autoscaling: - # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) - enabled: false - # -- Minimal replicas if resource consumption falls below resource threshholds - minReplicas: 1 - # -- Maximum replicas if resource consumption exceeds resource threshholds - maxReplicas: 100 - # -- targetAverageUtilization of cpu provided to a pod - targetCPUUtilizationPercentage: 80 - # -- targetAverageUtilization of memory provided to a pod - targetMemoryUtilizationPercentage: 80 - -# -- [Node-Selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain the Pod to nodes with specific labels. -nodeSelector: {} - -# -- [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) are applied to Pods to schedule onto nodes with matching taints. -tolerations: [] - -# -- [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) constrains which nodes the Pod can be scheduled on based on node labels. -affinity: {} - -# List of connector clients. Certificate and Client-ID must be configured in parallel. -#
-# Example Connector: -# - id: grMsEz3EcsS3ENYJufNgUIeg4QsaL49M0gWxSexPdC4pon96Nvju90D8RlvAJB21 -# name: my-connector -# attributes: -# issuerConnector: http://localhost:8080/ -# certificate: |- -# -----BEGIN CERTIFICATE----- -# foo -# -----END CERTIFICATE----- -connectors: [] diff --git a/charts/tractusx-connector-memory/templates/deployment-runtime.yaml b/charts/tractusx-connector-memory/templates/deployment-runtime.yaml index 8f35e0b46..c2a1d61b7 100644 --- a/charts/tractusx-connector-memory/templates/deployment-runtime.yaml +++ b/charts/tractusx-connector-memory/templates/deployment-runtime.yaml 
@@ -115,21 +115,22 @@ spec:
 - name: EDC_PARTICIPANT_ID
 value: {{ .Values.participant.id | required ".Values.participant.id is required" | quote }}
- ########################
- ## DAPS CONFIGURATION ##
- ########################
+ ##########################
+ # SSI / MIW CONFIGURATION
+ ##########################
+ - name: "TX_SSI_MIW_URL"
+ value: {{ .Values.runtime.ssi.miw.url }}
+ - name: "TX_SSI_MIW_AUTHORITY_ID"
+ value: {{ .Values.runtime.ssi.miw.authorityId }}
+ - name: "TX_SSI_OAUTH_TOKEN_URL"
+ value: {{ .Values.runtime.ssi.oauth.tokenurl }}
+ - name: "TX_SSI_OAUTH_CLIENT_ID"
+ value: {{ .Values.runtime.ssi.oauth.client.id }}
+ - name: "TX_SSI_OAUTH_CLIENT_SECRET_ALIAS"
+ value: {{ .Values.runtime.ssi.oauth.client.secretAlias }}
+ - name: "TX_SSI_ENDPOINT_AUDIENCE"
+ value: {{ printf "%s%s" (include "txdc.runtime.url.protocol" .) .Values.runtime.endpoints.protocol.path | quote }}
- # see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/iam/oauth2/oauth2-core
- - name: EDC_OAUTH_CLIENT_ID
- value: {{ .Values.daps.clientId | required ".Values.daps.clientId is required" | quote }}
- - name: EDC_OAUTH_PROVIDER_JWKS_URL
- value: {{ printf "%s%s" (tpl .Values.daps.url .) .Values.daps.paths.jwks }}
- - name: EDC_OAUTH_TOKEN_URL
- value: {{ printf "%s%s" (tpl .Values.daps.url .) .Values.daps.paths.token }}
- - name: EDC_OAUTH_PRIVATE_KEY_ALIAS
- value: {{ .Values.vault.secretNames.dapsPrivateKey | required ".Values.vault.secretNames.dapsPrivateKey is required" | quote }}
- - name: EDC_OAUTH_PUBLIC_KEY_ALIAS
- value: {{ .Values.vault.secretNames.dapsPublicKey | required ".Values.vault.secretNames.dapsPublicKey is required" | quote }}
 #######
 # API #
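Review bot: The five new `TX_SSI_*` env values in this hunk are rendered without `| quote` and without `| required`, whereas the DAPS lines they replace validated with `required` and quoted the result, and the `TX_SSI_ENDPOINT_AUDIENCE` line right below them still quotes. With the empty-string defaults this same change adds to values.yaml, `helm install` succeeds and renders an empty `value:`, so a missing MIW URL, authority id, token URL or client id only shows up when the connector fails at runtime instead of at install time. I would restore the previous pattern per line, e.g. `value: {{ .Values.runtime.ssi.miw.url | required ".Values.runtime.ssi.miw.url is required" | quote }}`, and likewise for `authorityId`, `oauth.tokenurl` and `oauth.client.id`; `secretAlias` has a non-empty default and needs at least `| quote`. Referencing the client secret only by vault alias (`TX_SSI_OAUTH_CLIENT_SECRET_ALIAS`) rather than injecting its value into the environment is the right shape and should stay as is. The enclosing container `env:` list starts and ends outside the hunk.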
@@ -209,10 +210,14 @@ spec:
 # see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/control-plane/data-plane-transfer
 - name: "EDC_TRANSFER_PROXY_ENDPOINT"
 value: {{ include "txdc.dataplane.url.public" . }}
+ {{- if .Values.vault.secretNames.transferProxyTokenSignerPrivateKey }}
 - name: "EDC_TRANSFER_PROXY_TOKEN_SIGNER_PRIVATEKEY_ALIAS"
 value: {{ .Values.vault.secretNames.transferProxyTokenSignerPrivateKey | quote }}
+ {{- end }}
+ {{- if .Values.vault.secretNames.transferProxyTokenSignerPublicKey }}
 - name: "EDC_TRANSFER_PROXY_TOKEN_VERIFIER_PUBLICKEY_ALIAS"
 value: {{ .Values.vault.secretNames.transferProxyTokenSignerPublicKey | quote }}
+ {{- end }}
 # see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/control-plane/http-receiver
 - name: "EDC_RECEIVER_HTTP_ENDPOINT"
diff --git a/charts/tractusx-connector-memory/values.yaml b/charts/tractusx-connector-memory/values.yaml
index 0f77e9913..b0b9b2351 100644
--- a/charts/tractusx-connector-memory/values.yaml
+++ b/charts/tractusx-connector-memory/values.yaml
@@ -23,8 +23,6 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
-install:
- daps: true
 fullnameOverride: ""
 nameOverride: ""
 # -- Existing image pull secret to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry)
@@ -130,6 +128,19 @@ runtime:
 businessPartnerValidation:
 log:
 agreementValidation: true
+ # SSI configuration
+ ssi:
+ miw:
+ url: ""
+ authorityId: ""
+ oauth:
+ tokenurl: ""
+ client:
+ id: ""
+ secretAlias: "client-secret"
+ endpoint:
+ audience: "http://this.audience"
+
 service:
 # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service.
 type: ClusterIP
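Review bot: The two `{{- if … }}` guards added in this hunk are independent, so a values file that sets `vault.secretNames.transferProxyTokenSignerPrivateKey` but not `transferProxyTokenSignerPublicKey` (or the reverse) renders a control plane with a token signer alias and no verifier alias; and since this same diff drops the defaults for both keys, a default install now ships with neither env var set. What the runtime does when the signer/verifier aliases are absent is not visible here, so the behaviour should be stated explicitly. I'd either guard both env vars with a single condition that requires the pair, or add a `# --` comment on the two `vault.secretNames` keys saying they are optional and must be set together. The enclosing container spec starts and ends outside the hunk.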
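Review bot: `runtime.ssi.endpoint.audience` is introduced with the placeholder default `"http://this.audience"`, but nothing in this diff reads it — the deployment template derives `TX_SSI_ENDPOINT_AUDIENCE` from the protocol URL instead — so as far as this change shows it is a dead value with a misleading default and should either be dropped or wired into the template. The new `ssi:` block also lacks the `# --` helm-docs comments used throughout the rest of this file, which is why the generated README rows for these keys have empty descriptions; one line per key, e.g. `# -- Base URL of the Managed Identity Wallet (MIW)` above `url` and `# -- Vault alias under which the OAuth2 client secret is stored (never the secret itself)` above `secretAlias`, would close that gap.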
@@ -290,11 +301,7 @@ vault:
 # secrets can be seeded by supplying them in a comma separated list key1:secret2,key2:secret2
 secrets: ""
 secretNames:
- transferProxyTokenSignerPrivateKey: transfer-proxy-token-signer-private-key
- transferProxyTokenSignerPublicKey: transfer-proxy-token-signer-public-key
 transferProxyTokenEncryptionAesKey: transfer-proxy-token-encryption-aes-key
- dapsPrivateKey: daps-private-key
- dapsPublicKey: daps-public-key
 server:
 postStart: |-
 daps:
@@ -322,10 +329,6 @@ serviceAccount:
 name: ""
 # -- Existing image pull secret bound to the service account to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry)
 imagePullSecrets: []
-idsdaps:
- connectors:
- - certificate: |-
-
 # -- Configurations for Helm tests
 tests:
 # -- Configure the hook-delete-policy for Helm tests
diff --git a/charts/tractusx-connector/Chart.yaml b/charts/tractusx-connector/Chart.yaml
index 307be2907..1d8fb1ab1 100644
--- a/charts/tractusx-connector/Chart.yaml
+++ b/charts/tractusx-connector/Chart.yaml
@@ -50,12 +50,6 @@ home: https://github.com/eclipse-tractusx/tractusx-edc/tree/main/charts/tractusx
 sources:
 - https://github.com/eclipse-tractusx/tractusx-edc/tree/main/charts/tractusx-connector
 dependencies:
- # IDS Dynamic Attribute Provisioning Service (IAM)
- - name: daps
- version: 0.0.1
- repository: "file://./subcharts/omejdn"
- alias: daps
- condition: install.daps
 # HashiCorp Vault
 - name: vault
 alias: vault
diff --git a/charts/tractusx-connector/README.md b/charts/tractusx-connector/README.md
index 7a464a983..35155261e 100644
--- a/charts/tractusx-connector/README.md
+++ b/charts/tractusx-connector/README.md
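Review bot: After `dapsPrivateKey` and `dapsPublicKey` are removed from `vault.secretNames` in this hunk, the trailing context line `daps:` suggests a `daps` block still remains in this values file, even though the `daps` chart dependency and the `EDC_OAUTH_*` template references are deleted in the same change; if that is the case it is now dead configuration that operators will keep populating with DAPS certificates and keys for no effect. I'd remove it in this change or, if it has to stay for compatibility, mark it `# -- Deprecated: not read since the switch to SSI/MIW; will be removed`. The comment above `secrets:` still only describes the generic `key1:secret2,key2:secret2` seeding format; with the new `client-secret` alias it would help to add there that the OAuth2 client secret is seeded under the key named by `runtime.ssi.oauth.client.secretAlias`. The `vault` block starts outside the hunk.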
@@ -37,19 +37,18 @@ Combined, run this shell command to start the in-memory Tractus-X EDC runtime:
 ```shell
 helm repo add tractusx-edc https://eclipse-tractusx.github.io/charts/dev
-helm install my-release tractusx-edc/tractusx-connector-azure-vault --version 0.4.1 \
+helm install my-release tractusx-edc/tractusx-connector --version 0.4.1 \
 -f /tractusx-connector-test.yaml
 ```
 ## Source Code
-
+*
 ## Requirements
 | Repository | Name | Version |
 |------------|------|---------|
-| file://./subcharts/omejdn | daps(daps) | 0.0.1 |
 | https://charts.bitnami.com/bitnami | postgresql(postgresql) | 12.1.6 |
 | https://helm.releases.hashicorp.com | vault(vault) | 0.20.0 |
@@ -155,20 +154,17 @@ helm install my-release tractusx-edc/tractusx-connector-azure-vault --version 0. | controlplane.securityContext.runAsUser | int | `10001` | The container's process will run with the specified uid | | controlplane.service.annotations | object | `{}` | | | controlplane.service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. | +| controlplane.ssi.endpoint.audience | string | `"http://this.audience"` | | +| controlplane.ssi.miw.authorityId | string | `""` | | +| controlplane.ssi.miw.url | string | `""` | | +| controlplane.ssi.oauth.client.id | string | `""` | | +| controlplane.ssi.oauth.client.secretAlias | string | `"client-secret"` | | +| controlplane.ssi.oauth.tokenurl | string | `""` | | | controlplane.tolerations | list | `[]` | | | controlplane.url.ids | string | `""` | Explicitly declared url for reaching the ids api (e.g. 
if ingresses not used) | | controlplane.volumeMounts | list | `[]` | declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container | | controlplane.volumes | list | `[]` | [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories | | customLabels | object | `{}` | | -| daps.clientId | string | `""` | | -| daps.connectors[0].attributes.referringConnector | string | `"http://sokrates-controlplane/BPNSOKRATES"` | | -| daps.connectors[0].certificate | string | `""` | | -| daps.connectors[0].id | string | `"E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65:keyid:E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65"` | | -| daps.connectors[0].name | string | `"sokrates"` | | -| daps.fullnameOverride | string | `"daps"` | | -| daps.paths.jwks | string | `"/jwks.json"` | | -| daps.paths.token | string | `"/token"` | | -| daps.url | string | `""` | | | dataplane.affinity | object | `{}` | | | dataplane.autoscaling.enabled | bool | `false` | Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) | | dataplane.autoscaling.maxReplicas | int | `100` | Maximum replicas if resource consumption exceeds resource threshholds | 
@@ -249,38 +245,39 @@ helm install my-release tractusx-edc/tractusx-connector-azure-vault --version 0. | dataplane.volumeMounts | list | `[]` | declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container | | dataplane.volumes | list | `[]` | [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories | | fullnameOverride | string | `""` | | -| idsdaps.connectors[0].certificate | string | `""` | | | imagePullSecrets | list | `[]` | Existing image pull secret to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) | -| install.daps | bool | `true` | | | install.postgresql | bool | `true` | | | install.vault | bool | `true` | | | nameOverride | string | `""` | | +| networkPolicy.controlplane | object | `{"from":[{"namespaceSelector":{}}]}` | Configuration of the controlplane component | +| networkPolicy.controlplane.from | list | `[{"namespaceSelector":{}}]` | Specify from rule network policy for cp (defaults to all namespaces) | +| networkPolicy.dataplane | object | `{"from":[{"namespaceSelector":{}}]}` | Configuration of the dataplane component | +| networkPolicy.dataplane.from | list | `[{"namespaceSelector":{}}]` | Specify from rule network policy for dp (defaults to all namespaces) | +| networkPolicy.enabled | bool | `false` | If `true` network policy will be created to restrict access to control- and dataplane | | participant.id | string | `""` | | | postgresql.auth.database | string | `"edc"` | | | postgresql.auth.password | string | `"password"` | | | postgresql.auth.username | string | `"user"` | | -| postgresql.fullnameOverride | string | `"postgresql"` | | -| postgresql.jdbcUrl | string | `""` | | +| postgresql.jdbcUrl | string | `"jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc"` | | | postgresql.primary.persistence.enabled | bool | `false` | | | postgresql.readReplicas.persistence.enabled | bool | 
`false` | | | serviceAccount.annotations | object | `{}` | | | serviceAccount.create | bool | `true` | | | serviceAccount.imagePullSecrets | list | `[]` | Existing image pull secret bound to the service account to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) | | serviceAccount.name | string | `""` | | -| vault.fullnameOverride | string | `"vault"` | | +| tests | object | `{"hookDeletePolicy":"before-hook-creation,hook-succeeded"}` | Configurations for Helm tests | +| tests.hookDeletePolicy | string | `"before-hook-creation,hook-succeeded"` | Configure the hook-delete-policy for Helm tests | | vault.hashicorp.healthCheck.enabled | bool | `true` | | | vault.hashicorp.healthCheck.standbyOk | bool | `true` | | | vault.hashicorp.paths.health | string | `"/v1/sys/health"` | | | vault.hashicorp.paths.secret | string | `"/v1/secret"` | | | vault.hashicorp.timeout | int | `30` | | | vault.hashicorp.token | string | `""` | | -| vault.hashicorp.url | string | `""` | | +| vault.hashicorp.url | string | `"http://{{ .Release.Name }}-vault:8200"` | | | vault.injector.enabled | bool | `false` | | -| vault.secretNames.dapsPrivateKey | string | `"daps-private-key"` | | -| vault.secretNames.dapsPublicKey | string | `"daps-public-key"` | | | vault.secretNames.transferProxyTokenEncryptionAesKey | string | `"transfer-proxy-token-encryption-aes-key"` | | -| vault.secretNames.transferProxyTokenSignerPrivateKey | string | `"transfer-proxy-token-signer-private-key"` | | -| vault.secretNames.transferProxyTokenSignerPublicKey | string | `"transfer-proxy-token-signer-public-key"` | | +| vault.secretNames.transferProxyTokenSignerPrivateKey | string | `nil` | | +| vault.secretNames.transferProxyTokenSignerPublicKey | string | `nil` | | | vault.server.dev.devRootToken | string | `"root"` | | | vault.server.dev.enabled | bool | `true` | | | vault.server.postStart | string | `nil` | | 
diff --git a/charts/tractusx-connector/subcharts/omejdn/.helmignore b/charts/tractusx-connector/subcharts/omejdn/.helmignore
deleted file mode 100644
index 0e8a0eb36..000000000
--- a/charts/tractusx-connector/subcharts/omejdn/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/charts/tractusx-connector/subcharts/omejdn/Chart.yaml b/charts/tractusx-connector/subcharts/omejdn/Chart.yaml
deleted file mode 100644
index a41ff8bd4..000000000
--- a/charts/tractusx-connector/subcharts/omejdn/Chart.yaml
+++ /dev/null
@@ -1,40 +0,0 @@ -# Copyright (c) 2023 Contributors to the Eclipse Foundation -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# - ---- -apiVersion: v2 -name: daps -description: A Helm chart for Kubernetes -# A chart can be either an 'application' or a 'library' chart. -# -# Application charts are a collection of templates that can be packaged into versioned archives -# to be deployed. -# -# Library charts provide useful utilities or functions for the chart developer. They're included as -# a dependency of application charts to inject those utilities and functions into the rendering -# pipeline. Library charts do not define any templates and therefore cannot be deployed. -type: application -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -# Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.0.1 -# This is the version number of the application being deployed. This version number should be -# incremented each time you make changes to the application. Versions are not expected to -# follow Semantic Versioning. They should reflect the version the application is using. -# It is recommended to use it with quotes. -appVersion: "0.0.1" 
diff --git a/charts/tractusx-connector/subcharts/omejdn/README.md b/charts/tractusx-connector/subcharts/omejdn/README.md
deleted file mode 100644
index d23a9f9fa..000000000
--- a/charts/tractusx-connector/subcharts/omejdn/README.md
+++ /dev/null
@@ -1,39 +0,0 @@ -# daps - -![Version: 0.4.1](https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.4.1](https://img.shields.io/badge/AppVersion-0.4.1-informational?style=flat-square) - -A Helm chart for Kubernetes - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| affinity | object | `{}` | [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) constrains which nodes the Pod can be scheduled on based on node labels. | -| automountServiceAccountToken | bool | `false` | Whether to [automount kubernetes API credentials](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server) into the pod | -| autoscaling.enabled | bool | `false` | Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) | -| autoscaling.maxReplicas | int | `100` | Maximum replicas if resource consumption exceeds resource threshholds | -| autoscaling.minReplicas | int | `1` | Minimal replicas if resource consumption falls below resource threshholds | -| autoscaling.targetCPUUtilizationPercentage | int | `80` | targetAverageUtilization of cpu provided to a pod | -| autoscaling.targetMemoryUtilizationPercentage | int | `80` | targetAverageUtilization of memory provided to a pod | -| connectors | list | `[]` | | -| fullnameOverride | string | `""` | Overrides the releases full name | -| image.pullPolicy | string | `"IfNotPresent"` | [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use | -| image.repository | string | `"ghcr.io/fraunhofer-aisec/omejdn-server"` | Which omjedn container image to use 
| -| image.tag | string | `"1.7.1"` | Overrides the image tag whose default is the chart appVersion | -| imagePullSecret.dockerconfigjson | string | `""` | Image pull secret to create to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) Note: This value needs to adhere to the [(base64 encoded) .dockerconfigjson format](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#registry-secret-existing-credentials). Furthermore, if 'imagePullSecret.dockerconfigjson' is defined, it takes precedence over 'imagePullSecrets'. | -| nameOverride | string | `""` | Overrides the charts name | -| nodeSelector | object | `{}` | [Node-Selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain the Pod to nodes with specific labels. | -| podAnnotations | object | `{}` | [Annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) added to deployed [pods](https://kubernetes.io/docs/concepts/workloads/pods/) | -| podSecurityContext | object | `{}` | | -| replicaCount | int | `1` | Specifies how many replicas of a deployed pod shall be created during the deployment Note: If horizontal pod autoscaling is enabled this setting has no effect | -| resources | object | `{}` | [Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) applied to the deployed pod | -| securityContext | object | `{}` | | -| service.port | int | `4567` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service) to expose the running application on a set of Pods as a network service. | -| service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. 
| -| serviceAccount.annotations | object | `{}` | [Annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) to add to the service account | -| serviceAccount.create | bool | `true` | Specifies whether a [service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) should be created per release | -| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the release's fullname template | -| tolerations | list | `[]` | [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) are applied to Pods to schedule onto nodes with matching taints. | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.10.0](https://github.com/norwoodj/helm-docs/releases/v1.10.0) diff --git a/charts/tractusx-connector/subcharts/omejdn/templates/_helpers.tpl b/charts/tractusx-connector/subcharts/omejdn/templates/_helpers.tpl deleted file mode 100644 index 95b115eee..000000000 --- a/charts/tractusx-connector/subcharts/omejdn/templates/_helpers.tpl +++ /dev/null 
@@ -1,62 +0,0 @@ -{{/* -Expand the name of the chart. -*/}} -{{- define "omejdn.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "omejdn.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "omejdn.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "omejdn.labels" -}} -helm.sh/chart: {{ include "omejdn.chart" . }} -{{ include "omejdn.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "omejdn.selectorLabels" -}} -app.kubernetes.io/name: {{ include "omejdn.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} - -{{/* -Create the name of the service account to use -*/}} -{{- define "omejdn.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "omejdn.fullname" .) .Values.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.serviceAccount.name }} -{{- end }} -{{- end }} 
diff --git a/charts/tractusx-connector/subcharts/omejdn/templates/configmap.yaml b/charts/tractusx-connector/subcharts/omejdn/templates/configmap.yaml deleted file mode 100644 index 0f007ed8d..000000000 --- a/charts/tractusx-connector/subcharts/omejdn/templates/configmap.yaml +++ /dev/null 
@@ -1,92 +0,0 @@ -# Copyright (c) 2023 Contributors to the Eclipse Foundation -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# - ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "omejdn.fullname" . }} - labels: - {{- include "omejdn.labels" . | nindent 4 }} -data: - scope_mapping.yml: |- - --- - idsc:IDS_CONNECTOR_ATTRIBUTES_ALL: - - referringConnector - - omejdn.yml: |- - --- - host: http://{{ .Release.Name }}-daps:4567/ - path_prefix: '' - bind_to: 0.0.0.0 - allow_origin: "*" - app_env: debug - openid: false - user_backend: - - yaml - user_backend_default: yaml - accept_audience: idsc:IDS_CONNECTORS_ALL - issuer: http://{{ .Release.Name }}-daps:4567/ - environment: development - default_audience: - - idsc:IDS_CONNECTORS_ALL - access_token: - expiration: 3600 - algorithm: RS256 - id_token: - expiration: 3600 - algorithm: RS256 - - plugins.yml: |- - --- - plugins: - token_user_attributes: - - clients.yml: |- - --- - - client_id: data-plane-oauth2 - client_secret: supersecret - name: provision oauth2 - grant_types: - - client_credentials - token_endpoint_auth_method: client_secret_post - scope: openid -{{- range $i, $val := .Values.connectors }} - - client_id: {{ quote $val.id }} - name: {{ quote $val.name }} - token_endpoint_auth_method: private_key_jwt - grant_types: - - client_credentials - scope: - - 
idsc:IDS_CONNECTOR_ATTRIBUTES_ALL - attributes: - - key: idsc - value: IDS_CONNECTOR_ATTRIBUTES_ALL - - key: securityProfile - value: idsc:BASE_SECURITY_PROFILE - {{- range $key, $value := $val.attributes }} - - key: {{ $key }} - value: {{ $value }} - {{- end }} - redirect_uri: http://localhost:4200 -{{ end -}} - - -{{- range $i, $val := .Values.connectors }} - {{ $val.name }}: {{ quote $val.certificate | toString }} -{{ end -}} diff --git a/charts/tractusx-connector/subcharts/omejdn/templates/deployment.yaml b/charts/tractusx-connector/subcharts/omejdn/templates/deployment.yaml deleted file mode 100644 index 58bfff105..000000000 --- a/charts/tractusx-connector/subcharts/omejdn/templates/deployment.yaml +++ /dev/null 
@@ -1,168 +0,0 @@ -# Copyright (c) 2023 Contributors to the Eclipse Foundation -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "omejdn.fullname" . }} - labels: - {{- include "omejdn.labels" . | nindent 4 }} -spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} - {{- end }} - selector: - matchLabels: - {{- include "omejdn.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "omejdn.selectorLabels" . | nindent 8 }} - spec: - {{- if .Values.imagePullSecret.dockerconfigjson }} - imagePullSecrets: - - name: {{ include "omejdn.fullname" . }}-imagepullsecret - {{- else }} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- end }} - serviceAccountName: {{ include "omejdn.serviceAccountName" . }} - automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . 
| nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - initContainers: - - name: init-daps-pvc - image: alpine - command: - - "sh" - - "-c" - args: - - | - cp /opt/config/omejdn.yml /etc/daps/omejdn.yml - cp /opt/config/clients.yml /etc/daps/clients.yml - cp /opt/config/plugins.yml /etc/daps/plugins.yml - cp /opt/config/scope_mapping.yml /etc/daps/scope_mapping.yml - apk add --update openssl - openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout /etc/keys/omejdn/omejdn.key \ - -subj "/C=DE/ST=Berlin/L=Berlin/O=Tractus-X-EDC-Test, Inc./OU=DE" - volumeMounts: - - mountPath: /etc/daps - name: config-dir - - mountPath: /etc/keys/omejdn - name: omejdn-key-dir - - mountPath: /opt/config/omejdn.yml - name: omejdn-config - subPath: omejdn.yml - - mountPath: /opt/config/scope_mapping.yml - name: scope-mapping - subPath: scope_mapping.yml - - mountPath: /opt/config/clients.yml - name: clients-config - subPath: clients.yml - - mountPath: /opt/config/plugins.yml - name: plugins-config - subPath: plugins.yml - containers: - - name: {{ .Chart.Name }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - volumeMounts: - - mountPath: /opt/config/ - name: config-dir - - mountPath: /opt/keys/omejdn/omejdn.key - name: omejdn-key-dir - subPath: omejdn.key - - mountPath: /opt/keys/clients/ - name: client-certificates - ports: - - name: http - containerPort: 4567 - protocol: TCP - livenessProbe: - httpGet: - path: /jwks.json - port: http - readinessProbe: - httpGet: - path: /jwks.json - port: http - resources: - {{- toYaml .Values.resources | nindent 12 }} - env: - - name: OMEJDN_JWT_AUD_OVERRIDE - value: "idsc:IDS_CONNECTORS_ALL" - - name: OMEJDN_PLUGINS - value: "config/plugins.yml" - volumes: - - name: config-dir - emptyDir: { } - - name: 
omejdn-key-dir - emptyDir: { } - - name: omejdn-config - configMap: - name: {{ include "omejdn.fullname" . }} - items: - - key: omejdn.yml - path: omejdn.yml - - name: scope-mapping - configMap: - name: {{ include "omejdn.fullname" . }} - items: - - key: scope_mapping.yml - path: scope_mapping.yml - - name: clients-config - configMap: - name: {{ include "omejdn.fullname" . }} - items: - - key: clients.yml - path: clients.yml - - name: plugins-config - configMap: - name: {{ include "omejdn.fullname" . }} - items: - - key: plugins.yml - path: plugins.yml - - name: client-certificates - configMap: - name: {{ include "omejdn.fullname" . }} - items: - {{- range $i, $val := .Values.connectors }} - - key: {{ $val.name }} - path: {{ $val.id }}.cert - {{- end }} diff --git a/charts/tractusx-connector/subcharts/omejdn/templates/hpa.yaml b/charts/tractusx-connector/subcharts/omejdn/templates/hpa.yaml deleted file mode 100644 index f1f072f6c..000000000 --- a/charts/tractusx-connector/subcharts/omejdn/templates/hpa.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -# Copyright (c) 2023 Contributors to the Eclipse Foundation - # - # See the NOTICE file(s) distributed with this work for additional - # information regarding copyright ownership. - # - # This program and the accompanying materials are made available under the - # terms of the Apache License, Version 2.0 which is available at - # https://www.apache.org/licenses/LICENSE-2.0 - # - # Unless required by applicable law or agreed to in writing, software - # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - # License for the specific language governing permissions and limitations - # under the License. - # - # SPDX-License-Identifier: Apache-2.0 - # - -{{- if .Values.autoscaling.enabled }} ---- -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: {{ include "omejdn.fullname" . }} - labels: - {{- include "omejdn.labels" . | nindent 4 }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ include "omejdn.fullname" . }} - minReplicas: {{ .Values.autoscaling.minReplicas }} - maxReplicas: {{ .Values.autoscaling.maxReplicas }} - metrics: - {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} - {{- end }} - {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} - - type: Resource - resource: - name: memory - targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} - {{- end }} -{{- end }} diff --git a/charts/tractusx-connector/subcharts/omejdn/templates/imagepullsecret.yaml b/charts/tractusx-connector/subcharts/omejdn/templates/imagepullsecret.yaml deleted file mode 100644 index 44f573e0f..000000000 --- a/charts/tractusx-connector/subcharts/omejdn/templates/imagepullsecret.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -# Copyright (c) 2023 Contributors to the Eclipse Foundation - # - # See the NOTICE file(s) distributed with this work for additional - # information regarding copyright ownership. - # - # This program and the accompanying materials are made available under the - # terms of the Apache License, Version 2.0 which is available at - # https://www.apache.org/licenses/LICENSE-2.0 - # - # Unless required by applicable law or agreed to in writing, software - # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - # License for the specific language governing permissions and limitations - # under the License. - # - # SPDX-License-Identifier: Apache-2.0 - # - -{{- if .Values.imagePullSecret.dockerconfigjson }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "edc-dataplane.fullname" . }}-imagepullsecret - namespace: {{ .Release.Namespace | default "default" | quote }} - labels: - {{- include "edc-dataplane.labels" . | nindent 4 }} -data: - .dockerconfigjson: {{ .Values.imagePullSecret.dockerconfigjson }} -type: kubernetes.io/dockerconfigjson -{{- end }} diff --git a/charts/tractusx-connector/subcharts/omejdn/values.yaml b/charts/tractusx-connector/subcharts/omejdn/values.yaml deleted file mode 100644 index f411b8774..000000000 --- a/charts/tractusx-connector/subcharts/omejdn/values.yaml +++ /dev/null 
@@ -1,109 +0,0 @@ -# Copyright (c) 2023 Contributors to the Eclipse Foundation -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# - ---- -# Default values for omejdn. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# -- Specifies how many replicas of a deployed pod shall be created during the deployment -# Note: If horizontal pod autoscaling is enabled this setting has no effect -replicaCount: 1 - -image: - # -- Which omjedn container image to use - repository: ghcr.io/fraunhofer-aisec/omejdn-server - # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use - pullPolicy: IfNotPresent - # -- Overrides the image tag whose default is the chart appVersion - tag: "1.7.1" - -imagePullSecret: - # -- Image pull secret to create to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) - # Note: This value needs to adhere to the [(base64 encoded) .dockerconfigjson format](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#registry-secret-existing-credentials). - # Furthermore, if 'imagePullSecret.dockerconfigjson' is defined, it takes precedence over 'imagePullSecrets'. 
- dockerconfigjson: "" - -# -- Overrides the charts name -nameOverride: "" - -# -- Overrides the releases full name -fullnameOverride: "" - -serviceAccount: - # -- Specifies whether a [service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) should be created per release - create: true - # -- [Annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) to add to the service account - annotations: {} - # -- The name of the service account to use. If not set and create is true, a name is generated using the release's fullname template - name: "" - -# -- Whether to [automount kubernetes API credentials](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server) into the pod -automountServiceAccountToken: false - -# -- [Annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) added to deployed [pods](https://kubernetes.io/docs/concepts/workloads/pods/) -podAnnotations: {} - -# The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment -podSecurityContext: {} - -# The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod -securityContext: {} - -service: - # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. - type: ClusterIP - # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service) to expose the running application on a set of Pods as a network service. 
- port: 4567 - -# -- [Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) applied to the deployed pod -resources: {} - -autoscaling: - # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) - enabled: false - # -- Minimal replicas if resource consumption falls below resource threshholds - minReplicas: 1 - # -- Maximum replicas if resource consumption exceeds resource threshholds - maxReplicas: 100 - # -- targetAverageUtilization of cpu provided to a pod - targetCPUUtilizationPercentage: 80 - # -- targetAverageUtilization of memory provided to a pod - targetMemoryUtilizationPercentage: 80 - -# -- [Node-Selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain the Pod to nodes with specific labels. -nodeSelector: {} - -# -- [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) are applied to Pods to schedule onto nodes with matching taints. -tolerations: [] - -# -- [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) constrains which nodes the Pod can be scheduled on based on node labels. -affinity: {} - -# List of connector clients. Certificate and Client-ID must be configured in parallel. -#
-# Example Connector: -# - id: grMsEz3EcsS3ENYJufNgUIeg4QsaL49M0gWxSexPdC4pon96Nvju90D8RlvAJB21 -# name: my-connector -# attributes: -# issuerConnector: http://localhost:8080/ -# certificate: |- -# -----BEGIN CERTIFICATE----- -# foo -# -----END CERTIFICATE----- -connectors: [] diff --git a/charts/tractusx-connector/templates/deployment-controlplane.yaml b/charts/tractusx-connector/templates/deployment-controlplane.yaml index 5455693e4..27eafea69 100644 --- a/charts/tractusx-connector/templates/deployment-controlplane.yaml +++ b/charts/tractusx-connector/templates/deployment-controlplane.yaml 
@@ -1,24 +1,24 @@ # -# Copyright (c) 2023 ZF Friedrichshafen AG -# Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH -# Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) -# Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# + # Copyright (c) 2023 ZF Friedrichshafen AG + # Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH + # Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) + # Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License, Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + # License for the specific language governing permissions and limitations + # under the License. + # + # SPDX-License-Identifier: Apache-2.0 + # --- apiVersion: apps/v1 
@@ -115,21 +115,21 @@ spec: - name: EDC_PARTICIPANT_ID value: {{ .Values.participant.id | required ".Values.participant.id is required" | quote }} - ######################## - ## DAPS CONFIGURATION ## - ######################## - - # see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/iam/oauth2/oauth2-core - - name: EDC_OAUTH_CLIENT_ID - value: {{ .Values.daps.clientId | required ".Values.daps.clientId is required" | quote }} - - name: EDC_OAUTH_PROVIDER_JWKS_URL - value: {{ printf "%s%s" (tpl .Values.daps.url .) .Values.daps.paths.jwks }} - - name: EDC_OAUTH_TOKEN_URL - value: {{ printf "%s%s" (tpl .Values.daps.url .) .Values.daps.paths.token }} - - name: EDC_OAUTH_PRIVATE_KEY_ALIAS - value: {{ .Values.vault.secretNames.dapsPrivateKey | required ".Values.vault.secretNames.dapsPrivateKey is required" | quote }} - - name: EDC_OAUTH_CERTIFICATE_ALIAS - value: {{ .Values.vault.secretNames.dapsPublicKey | required ".Values.vault.secretNames.dapsPublicKey is required" | quote }} + ########################## + # SSI / MIW CONFIGURATION + ########################## + - name: "TX_SSI_MIW_URL" + value: {{ .Values.controlplane.ssi.miw.url }} + - name: "TX_SSI_MIW_AUTHORITY_ID" + value: {{ .Values.controlplane.ssi.miw.authorityId }} + - name: "TX_SSI_OAUTH_TOKEN_URL" + value: {{ .Values.controlplane.ssi.oauth.tokenurl }} + - name: "TX_SSI_OAUTH_CLIENT_ID" + value: {{ .Values.controlplane.ssi.oauth.client.id }} + - name: "TX_SSI_OAUTH_CLIENT_SECRET_ALIAS" + value: {{ .Values.controlplane.ssi.oauth.client.secretAlias }} + - name: "TX_SSI_ENDPOINT_AUDIENCE" + value: {{ printf "%s%s" (include "txdc.controlplane.url.protocol" .) .Values.controlplane.endpoints.protocol.path | quote }} ####### # API # 
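Review bot: The five new `TX_SSI_*` env entries drop the `| required` and `| quote` pipes that the removed `EDC_OAUTH_*` lines carried, so with the chart defaults added in the values.yaml hunk of this commit (`url: ""`, `client.id: ""`) the template renders `value:` as null and the misconfiguration only surfaces at runtime, and a value YAML reads as a non-string (a purely numeric `authorityId`, for instance) would be rejected because an env `value` must be a string. I would render them like the removed lines, e.g. `value: {{ .Values.controlplane.ssi.miw.url | required ".Values.controlplane.ssi.miw.url is required" | quote }}`, as in the excerpt below. Separately, `TX_SSI_ENDPOINT_AUDIENCE` is derived from the protocol URL while the values.yaml hunk adds `controlplane.ssi.endpoint.audience: "http://this.audience"` that no template line here reads; either wire it in or drop it so operators are not misled into setting it. The enclosing `env:` list starts and ends outside the hunk.
```yaml
          - name: "TX_SSI_MIW_URL"
            value: {{ .Values.controlplane.ssi.miw.url | required ".Values.controlplane.ssi.miw.url is required" | quote }}
          - name: "TX_SSI_MIW_AUTHORITY_ID"
            value: {{ .Values.controlplane.ssi.miw.authorityId | required ".Values.controlplane.ssi.miw.authorityId is required" | quote }}
          - name: "TX_SSI_OAUTH_TOKEN_URL"
            value: {{ .Values.controlplane.ssi.oauth.tokenurl | required ".Values.controlplane.ssi.oauth.tokenurl is required" | quote }}
          - name: "TX_SSI_OAUTH_CLIENT_ID"
            value: {{ .Values.controlplane.ssi.oauth.client.id | required ".Values.controlplane.ssi.oauth.client.id is required" | quote }}
          - name: "TX_SSI_OAUTH_CLIENT_SECRET_ALIAS"
            value: {{ .Values.controlplane.ssi.oauth.client.secretAlias | required ".Values.controlplane.ssi.oauth.client.secretAlias is required" | quote }}
          # … unchanged: TX_SSI_ENDPOINT_AUDIENCE entry …
```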
@@ -252,11 +252,14 @@ spec: # see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/control-plane/data-plane-transfer - name: "EDC_TRANSFER_PROXY_ENDPOINT" value: {{ include "txdc.dataplane.url.public" . }} + {{- if .Values.vault.secretNames.transferProxyTokenSignerPrivateKey }} - name: "EDC_TRANSFER_PROXY_TOKEN_SIGNER_PRIVATEKEY_ALIAS" value: {{ .Values.vault.secretNames.transferProxyTokenSignerPrivateKey | quote }} + {{- end }} + {{- if .Values.vault.secretNames.transferProxyTokenSignerPublicKey }} - name: "EDC_TRANSFER_PROXY_TOKEN_VERIFIER_PUBLICKEY_ALIAS" value: {{ .Values.vault.secretNames.transferProxyTokenSignerPublicKey | quote }} - + {{- end }} # see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/control-plane/transfer/transfer-pull-http-dynamic-receiver - name: "EDC_RECEIVER_HTTP_DYNAMIC_ENDPOINT" diff --git a/charts/tractusx-connector/values.yaml b/charts/tractusx-connector/values.yaml index f19493f45..21b4a4edc 100644 --- a/charts/tractusx-connector/values.yaml +++ b/charts/tractusx-connector/values.yaml @@ -27,7 +27,6 @@ # Declare variables to be passed into your templates. install: - daps: true postgresql: true vault: true fullnameOverride: "" @@ -130,6 +129,20 @@ controlplane: businessPartnerValidation: log: agreementValidation: true + + # SSI configuration + ssi: + miw: + url: "" + authorityId: "" + oauth: + tokenurl: "" + client: + id: "" + secretAlias: "client-secret" + endpoint: + audience: "http://this.audience" + service: # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. type: ClusterIP @@ -507,7 +520,6 @@ vault: dev: enabled: true devRootToken: "root" - # Must be the same certificate that is configured in section 'daps' postStart: # must be set externally! hashicorp: url: "http://{{ .Release.Name }}-vault:8200" 
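Review bot: The new `ssi:` block in the values.yaml hunk `@@ -130,6 +129,20 @@` carries none of the `# --` helm-docs comments that the surrounding keys use (the `service.type` line directly below it has one), so the generated chart README will list `controlplane.ssi.*` without any description even though the sample README in this commit calls the section mandatory. I would add a one-line `# --` comment per key, e.g. `# -- URL of the Managed Identity Wallet; must be set` above `url: ""` and `# -- Vault alias under which the OAuth2 client secret is stored; only the alias, never the secret, is passed to the pod` above `secretAlias: "client-secret"`. The `install.daps` removal and the deleted comment in the `vault.server.dev` hunk are consistent with the rest of the commit and need nothing further.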
@@ -520,24 +532,9 @@ vault: secret: /v1/secret health: /v1/sys/health secretNames: - transferProxyTokenSignerPrivateKey: transfer-proxy-token-signer-private-key - transferProxyTokenSignerPublicKey: transfer-proxy-token-signer-public-key + transferProxyTokenSignerPrivateKey: + transferProxyTokenSignerPublicKey: transferProxyTokenEncryptionAesKey: transfer-proxy-token-encryption-aes-key - dapsPrivateKey: daps-private-key - dapsPublicKey: daps-public-key -daps: - url: "http://{{ .Release.Name }}-daps:4567" - clientId: "" - paths: - jwks: /jwks.json - token: /token - connectors: - - id: E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65:keyid:E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65 - name: sokrates - attributes: - referringConnector: http://sokrates-controlplane/BPNSOKRATES - # Must be the same certificate that is stores in section 'sokrates-vault' - certificate: "" # must be set externally! backendService: httpProxyTokenReceiverUrl: "" @@ -565,9 +562,6 @@ serviceAccount: name: "" # -- Existing image pull secret bound to the service account to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) imagePullSecrets: [] -idsdaps: - connectors: - - certificate: |- # -- Configurations for Helm tests tests: diff --git a/docs/samples/example-dataspace/README.md b/docs/samples/example-dataspace/README.md index 9842186cd..11038e86b 100644 --- a/docs/samples/example-dataspace/README.md +++ b/docs/samples/example-dataspace/README.md 
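Review bot: `vault.secretNames.transferProxyTokenSignerPrivateKey` and `transferProxyTokenSignerPublicKey` change from named defaults to empty values without a comment saying why, while the sibling `transferProxyTokenEncryptionAesKey` keeps its name, so a reader may take the two blanks for an accident. Together with the deployment-controlplane hunk in this commit that now skips `EDC_TRANSFER_PROXY_TOKEN_SIGNER_PRIVATEKEY_ALIAS` and `EDC_TRANSFER_PROXY_TOKEN_VERIFIER_PUBLICKEY_ALIAS` when these are empty, a default install hands the control plane no signing-key alias at all; what the runtime does in that case (falls back to a generated key, or fails at the first transfer) is not visible in the diff and should be stated next to the value. I would add `# -- Vault alias of the key used to sign transfer-proxy tokens; leave empty to omit the env var and rely on the runtime default` above the private-key line and a matching comment for the public key.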
@@ -8,6 +8,12 @@ Vault, PostgreSQL) and a DAPS instance that both share. We've tested this setup with [KinD](https://kind.sigs.k8s.io/), but other runtimes such as [Minikube](https://minikube.sigs.k8s.io/docs/start/) may work as well, we just haven't tested them. +This version of Tractus-X EDC _requires_ a running instance of the Managed Identity Wallet and KeyCloak, a connector +will not be able to communicate to another connector without it. + +Installation instructions for those are beyond the scope of this document, please refer to the respective manuals and +guides for information on how to set them up. + Furthermore, this guide assumes: - the Tractus-X EDC repository is checked out, the working directory for this guide is `docs/samples/example-dataspace` 
@@ -16,39 +22,40 @@ Furthermore, this guide assumes: - the following tools are available: `yq`, `openssl`, `base64` - a POSIX-compliant shell, e.g. `bash` or `zsh` unless stated otherwise -### 1.1 Create certificates for both runtimes +### 1.1 Create secrets for both runtimes We'll need a x509 certificate in order to communicate with DAPS, as well as a private key and a Data Encryption signing key. ```shell -# SOKRATES key/cert for daps -openssl req -newkey rsa:2048 -new -nodes -x509 -days 1 -keyout sokrates.key -out sokrates.cert -subj "/CN=test" +# SOKRATES aes encryption key echo "aes_enckey_test" | base64 > sokrates.aes.key -# PLATO key/cert for daps -openssl req -newkey rsa:2048 -new -nodes -x509 -days 1 -keyout plato.key -out plato.cert -subj "/CN=test" +# PLATO aes encryption key echo "aes_enckey_test" | base64 > plato.aes.key ``` Any arbitrary string can be used for the AES key, but it has to be 16, 24, or 32 characters in length, assuming UTF-8 encoding. -### 1.2 Modify the DAPS's `values.yaml` located at `daps/values.yaml` +### 1.2 Obtain configuration for MiW and KeyCloak -With the following command, we "inject" the previously created certificates and client ids into the DAPS's config: +> The following information is _required_, your connectors will **not** work properly unless you +> modify the `ssi:` section of `sokrates-values.yaml` and `plato-values.yaml` accordingly! -```shell -VALUES_FILE=daps/values.yaml +For communication with KeyCloak we need the following information -# Add both public keys to daps -yq -i ".connectors[0].certificate=\"$(cat sokrates.cert)\"" "$VALUES_FILE" -yq -i ".connectors[1].certificate=\"$(cat plato.cert)\"" "$VALUES_FILE" -``` +- the `tokenurl`: URL where access tokens can be obtained +- the `client.id`: KeyCloak identifier of the connector + +Note that the OAuth2 client secret will be stored in the vault under the alias `client-secret`. 
-### 1.3 Install/Launch DAPS +In order to use MiW as credential backend we need the following information: -`helm install daps daps/` +- `url`: a URL where MiW is reachable +- `authorityId`: this is the `issuerIdentifier` for MiW REST requests, please refer to the respective documentation. + +Furthermore, we need the `endpoint.audience`, which is used to verify the `aud` claim of incoming requests. This does **not** have to be set explicitly, it defaults to each connector's callback address. ## 2. Prepare Connectors @@ -57,18 +64,20 @@ a `postStart` element to the chart's configuration file: ```shell # for sokrates -CONFIG_FILE=sokrates-values.yaml - -yq -i ".vault.server.postStart |= [\"sh\",\"-c\",\"{\nsleep 5\n\ncat << EOF | /bin/vault kv put secret/daps-crt content=-\n$(cat sokrates.cert)\nEOF\n\n -cat << EOF | /bin/vault kv put secret/daps-key content=-\n$(cat sokrates.key)\nEOF\n\n -/bin/vault kv put secret/aes-keys content=$(cat sokrates.aes.key)\n\n}\"]" "$CONFIG_FILE" +VALUES_FILE=sokrates-values.yaml +CLIENT_SECRET= +AES_KEY=$(cat sokrates.aes.key) +yq -i ".vault.server.postStart |= [\"sh\",\"-c\",\"{\nsleep 5\n +/bin/vault kv put secret/client-secret content=$CLIENT_SECRET\n +/bin/vault kv put secret/aes-keys content=$AES_KEY\n}\"]" "$VALUES_FILE" # for plato -CONFIG_FILE=plato-values.yaml - -yq -i ".vault.server.postStart |= [\"sh\",\"-c\",\"{\nsleep 5\n\ncat << EOF | /bin/vault kv put secret/daps-crt content=-\n$(cat plato.cert)\nEOF\n\n -cat << EOF | /bin/vault kv put secret/daps-key content=-\n$(cat plato.key)\nEOF\n\n -/bin/vault kv put secret/aes-keys content=$(cat plato.aes.key)\n\n}\"]" "$CONFIG_FILE" +VALUES_FILE=plato-values.yaml +CLIENT_SECRET= +AES_KEY=$(cat plato.aes.key) +yq -i ".vault.server.postStart |= [\"sh\",\"-c\",\"{\nsleep 5\n +/bin/vault kv put secret/client-secret content=$CLIENT_SECRET\n +/bin/vault kv put secret/aes-keys content=$AES_KEY\n}\"]" "$VALUES_FILE" ``` ## 3 Install the connectors 
@@ -108,12 +117,12 @@ There is several ways of making sure everything worked out well: ```shell stern tx-sokrates ``` - + then look out for something similar to: ```shell tx-sokrates-controlplane-b9456f97b-s5jts tractusx-connector INFO 2023-05-31T07:24:53.020975888 tx-sokrates-controlplane ready ``` - + - wait for the Kubernetes rollout to be successful, e.g. `kubectl rollout status deployment tx-plato-controlplane` - use `helm test` to execute tests: `helm test tx-plato` diff --git a/docs/samples/example-dataspace/daps/.helmignore b/docs/samples/example-dataspace/daps/.helmignore deleted file mode 100644 index 0e8a0eb36..000000000 --- a/docs/samples/example-dataspace/daps/.helmignore +++ /dev/null @@ -1,23 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/docs/samples/example-dataspace/daps/templates/_helpers.tpl b/docs/samples/example-dataspace/daps/templates/_helpers.tpl deleted file mode 100644 index 95b115eee..000000000 --- a/docs/samples/example-dataspace/daps/templates/_helpers.tpl +++ /dev/null 
@@ -1,62 +0,0 @@ -{{/* -Expand the name of the chart. -*/}} -{{- define "omejdn.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "omejdn.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "omejdn.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "omejdn.labels" -}} -helm.sh/chart: {{ include "omejdn.chart" . }} -{{ include "omejdn.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "omejdn.selectorLabels" -}} -app.kubernetes.io/name: {{ include "omejdn.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} - -{{/* -Create the name of the service account to use -*/}} -{{- define "omejdn.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "omejdn.fullname" .) .Values.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.serviceAccount.name }} -{{- end }} -{{- end }} 
diff --git a/docs/samples/example-dataspace/daps/templates/configmap.yaml b/docs/samples/example-dataspace/daps/templates/configmap.yaml deleted file mode 100644 index 0f007ed8d..000000000 --- a/docs/samples/example-dataspace/daps/templates/configmap.yaml +++ /dev/null 
@@ -1,92 +0,0 @@ -# Copyright (c) 2023 Contributors to the Eclipse Foundation -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# - ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "omejdn.fullname" . }} - labels: - {{- include "omejdn.labels" . | nindent 4 }} -data: - scope_mapping.yml: |- - --- - idsc:IDS_CONNECTOR_ATTRIBUTES_ALL: - - referringConnector - - omejdn.yml: |- - --- - host: http://{{ .Release.Name }}-daps:4567/ - path_prefix: '' - bind_to: 0.0.0.0 - allow_origin: "*" - app_env: debug - openid: false - user_backend: - - yaml - user_backend_default: yaml - accept_audience: idsc:IDS_CONNECTORS_ALL - issuer: http://{{ .Release.Name }}-daps:4567/ - environment: development - default_audience: - - idsc:IDS_CONNECTORS_ALL - access_token: - expiration: 3600 - algorithm: RS256 - id_token: - expiration: 3600 - algorithm: RS256 - - plugins.yml: |- - --- - plugins: - token_user_attributes: - - clients.yml: |- - --- - - client_id: data-plane-oauth2 - client_secret: supersecret - name: provision oauth2 - grant_types: - - client_credentials - token_endpoint_auth_method: client_secret_post - scope: openid -{{- range $i, $val := .Values.connectors }} - - client_id: {{ quote $val.id }} - name: {{ quote $val.name }} - token_endpoint_auth_method: private_key_jwt - grant_types: - - client_credentials - scope: - - 
idsc:IDS_CONNECTOR_ATTRIBUTES_ALL - attributes: - - key: idsc - value: IDS_CONNECTOR_ATTRIBUTES_ALL - - key: securityProfile - value: idsc:BASE_SECURITY_PROFILE - {{- range $key, $value := $val.attributes }} - - key: {{ $key }} - value: {{ $value }} - {{- end }} - redirect_uri: http://localhost:4200 -{{ end -}} - - -{{- range $i, $val := .Values.connectors }} - {{ $val.name }}: {{ quote $val.certificate | toString }} -{{ end -}} diff --git a/docs/samples/example-dataspace/daps/templates/deployment.yaml b/docs/samples/example-dataspace/daps/templates/deployment.yaml deleted file mode 100644 index 58bfff105..000000000 --- a/docs/samples/example-dataspace/daps/templates/deployment.yaml +++ /dev/null 
@@ -1,168 +0,0 @@ -# Copyright (c) 2023 Contributors to the Eclipse Foundation -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "omejdn.fullname" . }} - labels: - {{- include "omejdn.labels" . | nindent 4 }} -spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} - {{- end }} - selector: - matchLabels: - {{- include "omejdn.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "omejdn.selectorLabels" . | nindent 8 }} - spec: - {{- if .Values.imagePullSecret.dockerconfigjson }} - imagePullSecrets: - - name: {{ include "omejdn.fullname" . }}-imagepullsecret - {{- else }} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- end }} - serviceAccountName: {{ include "omejdn.serviceAccountName" . }} - automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . 
| nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - initContainers: - - name: init-daps-pvc - image: alpine - command: - - "sh" - - "-c" - args: - - | - cp /opt/config/omejdn.yml /etc/daps/omejdn.yml - cp /opt/config/clients.yml /etc/daps/clients.yml - cp /opt/config/plugins.yml /etc/daps/plugins.yml - cp /opt/config/scope_mapping.yml /etc/daps/scope_mapping.yml - apk add --update openssl - openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout /etc/keys/omejdn/omejdn.key \ - -subj "/C=DE/ST=Berlin/L=Berlin/O=Tractus-X-EDC-Test, Inc./OU=DE" - volumeMounts: - - mountPath: /etc/daps - name: config-dir - - mountPath: /etc/keys/omejdn - name: omejdn-key-dir - - mountPath: /opt/config/omejdn.yml - name: omejdn-config - subPath: omejdn.yml - - mountPath: /opt/config/scope_mapping.yml - name: scope-mapping - subPath: scope_mapping.yml - - mountPath: /opt/config/clients.yml - name: clients-config - subPath: clients.yml - - mountPath: /opt/config/plugins.yml - name: plugins-config - subPath: plugins.yml - containers: - - name: {{ .Chart.Name }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - volumeMounts: - - mountPath: /opt/config/ - name: config-dir - - mountPath: /opt/keys/omejdn/omejdn.key - name: omejdn-key-dir - subPath: omejdn.key - - mountPath: /opt/keys/clients/ - name: client-certificates - ports: - - name: http - containerPort: 4567 - protocol: TCP - livenessProbe: - httpGet: - path: /jwks.json - port: http - readinessProbe: - httpGet: - path: /jwks.json - port: http - resources: - {{- toYaml .Values.resources | nindent 12 }} - env: - - name: OMEJDN_JWT_AUD_OVERRIDE - value: "idsc:IDS_CONNECTORS_ALL" - - name: OMEJDN_PLUGINS - value: "config/plugins.yml" - volumes: - - name: config-dir - emptyDir: { } - - name: 
omejdn-key-dir - emptyDir: { } - - name: omejdn-config - configMap: - name: {{ include "omejdn.fullname" . }} - items: - - key: omejdn.yml - path: omejdn.yml - - name: scope-mapping - configMap: - name: {{ include "omejdn.fullname" . }} - items: - - key: scope_mapping.yml - path: scope_mapping.yml - - name: clients-config - configMap: - name: {{ include "omejdn.fullname" . }} - items: - - key: clients.yml - path: clients.yml - - name: plugins-config - configMap: - name: {{ include "omejdn.fullname" . }} - items: - - key: plugins.yml - path: plugins.yml - - name: client-certificates - configMap: - name: {{ include "omejdn.fullname" . }} - items: - {{- range $i, $val := .Values.connectors }} - - key: {{ $val.name }} - path: {{ $val.id }}.cert - {{- end }} diff --git a/docs/samples/example-dataspace/daps/templates/hpa.yaml b/docs/samples/example-dataspace/daps/templates/hpa.yaml deleted file mode 100644 index f1f072f6c..000000000 --- a/docs/samples/example-dataspace/daps/templates/hpa.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -# Copyright (c) 2023 Contributors to the Eclipse Foundation - # - # See the NOTICE file(s) distributed with this work for additional - # information regarding copyright ownership. - # - # This program and the accompanying materials are made available under the - # terms of the Apache License, Version 2.0 which is available at - # https://www.apache.org/licenses/LICENSE-2.0 - # - # Unless required by applicable law or agreed to in writing, software - # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - # License for the specific language governing permissions and limitations - # under the License. - # - # SPDX-License-Identifier: Apache-2.0 - # - -{{- if .Values.autoscaling.enabled }} ---- -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: {{ include "omejdn.fullname" . }} - labels: - {{- include "omejdn.labels" . | nindent 4 }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ include "omejdn.fullname" . }} - minReplicas: {{ .Values.autoscaling.minReplicas }} - maxReplicas: {{ .Values.autoscaling.maxReplicas }} - metrics: - {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} - {{- end }} - {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} - - type: Resource - resource: - name: memory - targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} - {{- end }} -{{- end }} diff --git a/docs/samples/example-dataspace/daps/templates/imagepullsecret.yaml b/docs/samples/example-dataspace/daps/templates/imagepullsecret.yaml deleted file mode 100644 index 44f573e0f..000000000 --- a/docs/samples/example-dataspace/daps/templates/imagepullsecret.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -# Copyright (c) 2023 Contributors to the Eclipse Foundation - # - # See the NOTICE file(s) distributed with this work for additional - # information regarding copyright ownership. - # - # This program and the accompanying materials are made available under the - # terms of the Apache License, Version 2.0 which is available at - # https://www.apache.org/licenses/LICENSE-2.0 - # - # Unless required by applicable law or agreed to in writing, software - # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - # License for the specific language governing permissions and limitations - # under the License. - # - # SPDX-License-Identifier: Apache-2.0 - # - -{{- if .Values.imagePullSecret.dockerconfigjson }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "edc-dataplane.fullname" . }}-imagepullsecret - namespace: {{ .Release.Namespace | default "default" | quote }} - labels: - {{- include "edc-dataplane.labels" . | nindent 4 }} -data: - .dockerconfigjson: {{ .Values.imagePullSecret.dockerconfigjson }} -type: kubernetes.io/dockerconfigjson -{{- end }} diff --git a/docs/samples/example-dataspace/daps/templates/service.yaml b/docs/samples/example-dataspace/daps/templates/service.yaml deleted file mode 100644 index 947e69742..000000000 --- a/docs/samples/example-dataspace/daps/templates/service.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# Copyright (c) 2023 Contributors to the Eclipse Foundation -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# - ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ include "omejdn.fullname" . }} - labels: - {{- include "omejdn.labels" . | nindent 4 }} -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.port }} - targetPort: http - protocol: TCP - name: http - selector: - {{- include "omejdn.selectorLabels" . | nindent 4 }} diff --git a/docs/samples/example-dataspace/daps/values.yaml b/docs/samples/example-dataspace/daps/values.yaml deleted file mode 100644 index 3553dcc86..000000000 --- a/docs/samples/example-dataspace/daps/values.yaml +++ /dev/null 
@@ -1,96 +0,0 @@ -# Copyright (c) 2023 Contributors to the Eclipse Foundation -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# - ---- -# Default values for omejdn. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# -- Specifies how many replicas of a deployed pod shall be created during the deployment -# Note: If horizontal pod autoscaling is enabled this setting has no effect -replicaCount: 1 -image: - # -- Which omjedn container image to use - repository: ghcr.io/fraunhofer-aisec/omejdn-server - # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use - pullPolicy: IfNotPresent - # -- Overrides the image tag whose default is the chart appVersion - tag: "1.7.1" -imagePullSecret: - # -- Image pull secret to create to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) - # Note: This value needs to adhere to the [(base64 encoded) .dockerconfigjson format](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#registry-secret-existing-credentials). - # Furthermore, if 'imagePullSecret.dockerconfigjson' is defined, it takes precedence over 'imagePullSecrets'. 
- dockerconfigjson: "" -# -- Overrides the charts name -nameOverride: "" -# -- Overrides the releases full name -serviceAccount: - # -- Specifies whether a [service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) should be created per release - create: true - # -- [Annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) to add to the service account - annotations: { } - # -- The name of the service account to use. If not set and create is true, a name is generated using the release's fullname template - name: "" -# -- Whether to [automount kubernetes API credentials](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server) into the pod -automountServiceAccountToken: false -# -- [Annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) added to deployed [pods](https://kubernetes.io/docs/concepts/workloads/pods/) -podAnnotations: { } -# The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment -podSecurityContext: { } -# The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod -securityContext: { } -service: - # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. - type: ClusterIP - # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service) to expose the running application on a set of Pods as a network service. 
- port: 4567 -# -- [Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) applied to the deployed pod -resources: { } -autoscaling: - # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) - enabled: false - # -- Minimal replicas if resource consumption falls below resource threshholds - minReplicas: 1 - # -- Maximum replicas if resource consumption exceeds resource threshholds - maxReplicas: 100 - # -- targetAverageUtilization of cpu provided to a pod - targetCPUUtilizationPercentage: 80 - # -- targetAverageUtilization of memory provided to a pod - targetMemoryUtilizationPercentage: 80 -# -- [Node-Selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain the Pod to nodes with specific labels. -nodeSelector: { } -# -- [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) are applied to Pods to schedule onto nodes with matching taints. -tolerations: [ ] -# -- [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) constrains which nodes the Pod can be scheduled on based on node labels. -affinity: { } -# List of connector clients. Certificate and Client-ID must be configured in parallel. -fullnameOverride: "daps" -url: "" -clientId: "" -paths: - jwks: /jwks.json - token: /token -connectors: - - id: E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65:keyid:E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65 - name: sokrates - attributes: - referringConnector: http://sokrates-controlplane/BPNSOKRATES - - id: E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65:keyid:E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:69 - name: plato - attributes: - referringConnector: http://plato-controlplane/BPNPLATO 
diff --git a/docs/samples/example-dataspace/plato-values.yaml b/docs/samples/example-dataspace/plato-values.yaml index 21c5675d7..92bc09ce9 100644 --- a/docs/samples/example-dataspace/plato-values.yaml +++ b/docs/samples/example-dataspace/plato-values.yaml @@ -39,6 +39,16 @@ controlplane: securityContext: # avoids some errors in the log: cannot write temp files of large multipart requests when R/O readOnlyRootFilesystem: false + # SSI configuration + ssi: + miw: + url: "" + authorityId: "" + oauth: + tokenurl: "" + client: + id: "" + secretAlias: "client-secret" dataplane: image: pullPolicy: Never @@ -62,17 +72,8 @@ vault: url: http://plato-vault:8200 token: root secretNames: - transferProxyTokenSignerPublicKey: daps-crt - transferProxyTokenSignerPrivateKey: daps-key transferProxyTokenEncryptionAesKey: aes-keys - dapsPrivateKey: daps-key - dapsPublicKey: daps-crt - # this must be set through CLI args: --set vault.secrets=$YOUR_VAULT_SECRETS where YOUR_VAULT_SECRETS should - # be a string in the format "key1:secret1;key2:secret2;..." secrets: server: -daps: - url: "http://daps:4567" - clientId: "E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65:keyid:E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:69" backendService: httpProxyTokenReceiverUrl: "http://backend:8080" diff --git a/docs/samples/example-dataspace/sokrates-values.yaml b/docs/samples/example-dataspace/sokrates-values.yaml index 086eefde5..e05bf87a5 100644 --- a/docs/samples/example-dataspace/sokrates-values.yaml +++ b/docs/samples/example-dataspace/sokrates-values.yaml @@ -38,6 +38,16 @@ controlplane: securityContext: # avoids some errors in the log: cannot write temp files of large multipart requests when R/O readOnlyRootFilesystem: false + # SSI configuration + ssi: + miw: + url: "" + authorityId: "" + oauth: + tokenurl: "" + client: + id: "" + secretAlias: "client-secret" dataplane: image: pullPolicy: Never 
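Review bot: The `@@ -62,17 +72,8 @@` hunk removes the two-line comment above `vault.secrets` that explained the value has to be supplied as `--set vault.secrets=$YOUR_VAULT_SECRETS` in the `"key1:secret1;key2:secret2;..."` format, while the `secrets:` key itself stays, so the sample no longer tells the reader how that key is populated; the same removal is in the sokrates-values.yaml hunk. I would keep the comment, since the deployment-test workflow still populates the vault through that flag. In the `@@ -39,6 +39,16 @@` hunk the new `ssi` block leaves `miw.url`, `miw.authorityId`, `oauth.tokenurl` and `oauth.client.id` as empty strings with no hint that they are mandatory; a comment such as `# must be filled in before install; secretAlias must match the vault key written by the postStart hook (secret/client-secret)` on the `ssi:` line would make the sample self-explanatory. The same comment applies to the sokrates-values.yaml `ssi` block.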
@@ -61,17 +71,8 @@ vault: url: http://sokrates-vault:8200 token: root secretNames: - transferProxyTokenSignerPublicKey: daps-crt - transferProxyTokenSignerPrivateKey: daps-key transferProxyTokenEncryptionAesKey: aes-keys - dapsPrivateKey: daps-key - dapsPublicKey: daps-crt - # this must be set through CLI args: --set vault.secrets=$YOUR_VAULT_SECRETS where YOUR_VAULT_SECRETS should - # be a string in the format "key1:secret1;key2:secret2;..." secrets: server: -daps: - url: "http://daps:4567" - clientId: "E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65:keyid:E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65" backendService: httpProxyTokenReceiverUrl: "http://backend:8080" diff --git a/edc-controlplane/edc-controlplane-base/build.gradle.kts b/edc-controlplane/edc-controlplane-base/build.gradle.kts index cc39bf725..2cb3f57a3 100644 --- a/edc-controlplane/edc-controlplane-base/build.gradle.kts +++ b/edc-controlplane/edc-controlplane-base/build.gradle.kts 
@@ -27,17 +27,23 @@ dependencies { runtimeOnly(project(":edc-extensions:business-partner-validation")) runtimeOnly(project(":edc-extensions:dataplane-selector-configuration")) runtimeOnly(project(":edc-extensions:data-encryption")) - runtimeOnly(project(":edc-extensions:cx-oauth2")) + runtimeOnly(project(":edc-extensions:provision-additional-headers")) runtimeOnly(project(":edc-extensions:observability-api-customization")) runtimeOnly(project(":edc-extensions:control-plane-adapter-api")) runtimeOnly(project(":edc-extensions:control-plane-adapter-callback")) + // needed for SSI integration + runtimeOnly(project(":core:json-ld-core")) + runtimeOnly(project(":edc-extensions:ssi:ssi-identity-core")) + runtimeOnly(project(":edc-extensions:ssi:ssi-miw-credential-client")) + runtimeOnly(project(":edc-extensions:ssi:ssi-identity-extractor")) + runtimeOnly(project(":edc-extensions:cx-policy")) + runtimeOnly(libs.edc.core.controlplane) runtimeOnly(libs.edc.config.filesystem) runtimeOnly(libs.edc.auth.tokenbased) - runtimeOnly(libs.edc.auth.oauth2.core) - runtimeOnly(libs.edc.auth.oauth2.daps) + runtimeOnly(libs.edc.api.management) runtimeOnly(libs.edc.dsp) runtimeOnly(libs.edc.spi.jwt) diff --git a/edc-controlplane/edc-controlplane-postgresql-hashicorp-vault-legacy/README.md b/edc-controlplane/edc-controlplane-postgresql-hashicorp-vault-legacy/README.md new file mode 100644 index 000000000..4d73773fb --- /dev/null +++ b/edc-controlplane/edc-controlplane-postgresql-hashicorp-vault-legacy/README.md 
@@ -0,0 +1,178 @@ +# EDC Control-Plane backed by [Postgresql](https://www.postgresql.org/) and [HashiCorp vault](https://www.vaultproject.io/docs) + +## Building + +```shell +./gardlew :edc-controlplane:edc-controlplane-postgresql-hashicorp-vault:dockerize +``` + +## Configuration + +Listed below are configuration keys needed to get the `edc-controlplane-postgresql-hashicorp-vault` up and running. +Details regarding each configuration property can be found at the [documentary section of the EDC](https://github.com/eclipse-edc/Connector/tree/main/docs). + +| Key | Required | Example | Description | +|--------------------------------------------------|----------|------------------------------------------------------------------------------|----------------------------| +| edc.api.auth.key | | password | default value: random UUID | +| web.http.default.port | X | 8080 | | +| web.http.default.path | X | /api | | +| web.http.data.port | X | 8181 | | +| web.http.data.path | X | /data | | +| web.http.validation.port | X | 8182 | | +| web.http.validation.path | X | /validation | | +| web.http.control.port | X | 9999 | | +| web.http.control.path | X | /api/controlplane/control | | +| web.http.ids.port | X | 8282 | | +| web.http.ids.path | X | /api/v1/ids | | +| edc.receiver.http.endpoint | X | | | +| edc.ids.title | | Eclipse Dataspace Connector | | +| edc.ids.description | | Eclipse Dataspace Connector | | +| edc.ids.id | | urn:connector:edc | | +| edc.ids.security.profile | | base | | +| edc.ids.endpoint | | | | +| edc.ids.maintainer | | | | +| edc.ids.curator | | | | +| edc.ids.catalog.id | | urn:catalog:default | | +| ids.webhook.address | | | | +| edc.hostname | | localhost | | +| edc.oauth.token.url | X | | | +| edc.oauth.public.key.alias | X | key-to-daps-certificate-in-keyvault | | +| edc.oauth.private.key.alias | X | key-to-private-key-in-keyvault | | +| edc.oauth.client.id | X | daps-oauth-client-id | | +| edc.vault.hashicorp.url | X | | | +| 
edc.vault.hashicorp.token | X | 55555555-6666-7777-8888-999999999999 | | +| edc.vault.hashicorp.timeout.seconds | | 30 | | +| edc.datasource.asset.name | X | asset | | +| edc.datasource.asset.url | X | jdbc:postgresql://postgres.svc.cluster.local:5432/edc_asset_db | | +| edc.datasource.asset.user | X | username | | +| edc.datasource.asset.password | X | password | | +| edc.datasource.contractdefinition.name | X | contractdefinition | | +| edc.datasource.contractdefinition.url | X | jdbc:postgresql://postgres.svc.cluster.local:5432/edc_contractdefinition_db | | +| edc.datasource.contractdefinition.user | X | username | | +| edc.datasource.contractdefinition.password | X | password | | +| edc.datasource.contractnegotiation.name | X | contractnegotiation | | +| edc.datasource.contractnegotiation.url | X | jdbc:postgresql://postgres.svc.cluster.local:5432/edc_contractnegotiation_db | | +| edc.datasource.contractnegotiation.user | X | username | | +| edc.datasource.contractnegotiation.password | X | password | | +| edc.datasource.policy.name | X | policy | | +| edc.datasource.policy.url | X | jdbc:postgresql://postgres.svc.cluster.local:5432/edc_policy_db | | +| edc.datasource.policy.user | X | username | | +| edc.datasource.policy.password | X | password | | +| edc.datasource.transferprocess.name | X | transferprocess | | +| edc.datasource.transferprocess.url | X | jdbc:postgresql://postgres.svc.cluster.local:5432/edc_transferprocess_db | | +| edc.datasource.transferprocess.user | X | username | | +| edc.datasource.transferprocess.password | X | password | | +| edc.transfer.proxy.endpoint | X | | | +| edc.transfer.proxy.token.signer.privatekey.alias | X | | | + +### Example configuration.properties + +JDK properties-style configuration of the EDC Control-Plane is expected to be mounted to `/app/configuration.properties` within the container. 
+ +```shell +# Create configuration.properties +export CONFIGURATION_PROPERTIES_FILE=$(mktemp /tmp/configuration.properties.XXXXXX) +cat << 'EOF' > ${CONFIGURATION_PROPERTIES_FILE} + +web.http.default.port=8080 +web.http.default.path=/api +web.http.data.port=8181 +web.http.data.path=/data +web.http.validation.port=8182 +web.http.validation.path=/validation +web.http.control.port=9999 +web.http.control.path=/api/controlplane/control +web.http.ids.port=8282 +web.http.ids.path=/api/v1/ids + +edc.receiver.http.endpoint=http://backend-service + +edc.ids.title=Eclipse Dataspace Connector +edc.ids.description=Eclipse Dataspace Connector +edc.ids.id=urn:connector:edc +edc.ids.security.profile=base +edc.ids.endpoint=http://localhost:8282/api/v1/ids +edc.ids.maintainer=http://localhost +edc.ids.curator=http://localhost +edc.ids.catalog.id=urn:catalog:default +ids.webhook.address=http://localhost:8282/api/v1/ids + +edc.hostname=localhost + +edc.api.auth.key=password + +# OAuth / DAPS related configuration +edc.oauth.token.url=https://daps.example.net +edc.oauth.public.key.alias=key-to-daps-certificate-in-keyvault +edc.oauth.private.key.alias=key-to-private-key-in-keyvault +edc.oauth.client.id=daps-oauth-client-id + +# HashiCorp vault related configuration +edc.vault.hashicorp.url=http://vault +edc.vault.hashicorp.token=55555555-6666-7777-8888-999999999999 +edc.vault.hashicorp.timeout.seconds=30 + +# Control- / Data- Plane configuration +edc.transfer.proxy.endpoint=http://dataplane-public-endpoint/public +edc.transfer.proxy.token.signer.privatekey.alias=token-signer-private-key + +# Postgresql related configuration +edc.datasource.asset.name=asset +edc.datasource.asset.url=jdbc:postgresql://postgres.svc.cluster.local:5432/edc_asset +edc.datasource.asset.user=user +edc.datasource.asset.password=pass +edc.datasource.contractdefinition.name=contractdefinition +edc.datasource.contractdefinition.url=jdbc:postgresql://postgres.svc.cluster.local:5432/edc_contractdefinition 
+edc.datasource.contractdefinition.user=user +edc.datasource.contractdefinition.password=pass +edc.datasource.contractnegotiation.name=contractnegotiation +edc.datasource.contractnegotiation.url=jdbc:postgresql://postgres.svc.cluster.local:5432/edc_contractnegotiation +edc.datasource.contractnegotiation.user=user +edc.datasource.contractnegotiation.password=pass +edc.datasource.policy.name=policy +edc.datasource.policy.url=jdbc:postgresql://postgres.svc.cluster.local:5432/edc_policy +edc.datasource.policy.user=user +edc.datasource.policy.password=pass +edc.datasource.transferprocess.name=transferprocess +edc.datasource.transferprocess.url=jdbc:postgresql://postgres.svc.cluster.local:5432/edc_transferprocess +edc.datasource.transferprocess.user=user +edc.datasource.transferprocess.password=pass +EOF +``` + +### Example logging.properties + +```shell +# Create logging.properties +export LOGGING_PROPERTIES_FILE=$(mktemp /tmp/logging.properties.XXXXXX) +cat << 'EOF' > ${LOGGING_PROPERTIES_FILE} +.level=INFO +org.eclipse.edc.level=ALL +handlers=java.util.logging.ConsoleHandler +java.util.logging.ConsoleHandler.formatter=java.util.logging.SimpleFormatter +java.util.logging.ConsoleHandler.level=ALL +java.util.logging.SimpleFormatter.format=[%1$tY-%1$tm-%1$td %1$tH:%1$tM:%1$tS] [%4$-7s] %5$s%6$s%n +EOF +``` + +### Example opentelemetry.properties + +```shell +# Create opentelemetry.properties +export OPENTELEMETRY_PROPERTIES_FILE=$(mktemp /tmp/opentelemetry.properties.XXXXXX) +cat << 'EOF' > ${OPENTELEMETRY_PROPERTIES_FILE} +otel.javaagent.enabled=false +otel.javaagent.debug=false +EOF +``` + +## Running + +```shell +docker run \ + -p 8080:8080 -p 8181:8181 -p 8182:8182 -p 8282:8282 -p 9090:9090 -p 9999:9999 \ + -v ${CONFIGURATION_PROPERTIES_FILE:-/dev/null}:/app/configuration.properties \ + -v ${LOGGING_PROPERTIES_FILE:-/dev/null}:/app/logging.properties \ + -v ${OPENTELEMETRY_PROPERTIES_FILE:-/dev/null}:/app/opentelemetry.properties \ + -i 
edc-controlplane-postgresql-hashicorp-vault:latest +``` diff --git a/edc-controlplane/edc-controlplane-postgresql-hashicorp-vault-legacy/build.gradle.kts b/edc-controlplane/edc-controlplane-postgresql-hashicorp-vault-legacy/build.gradle.kts new file mode 100644 index 000000000..a613fb262 --- /dev/null +++ b/edc-controlplane/edc-controlplane-postgresql-hashicorp-vault-legacy/build.gradle.kts 
@@ -0,0 +1,82 @@
+/*
+ * Copyright (c) 2022 Mercedes-Benz Tech Innovation GmbH
+ * Copyright (c) 2021,2022 Contributors to the Eclipse Foundation
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Apache License, Version 2.0 which is available at
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import com.github.jengelman.gradle.plugins.shadow.tasks.ShadowJar
+
+plugins {
+ `java-library`
+ id("application")
+ id("com.github.johnrengelman.shadow") version "8.1.1"
+}
+
+dependencies {
+ runtimeOnly(project(":core:edr-cache-core"))
+ runtimeOnly(project(":edc-extensions:business-partner-validation"))
+ runtimeOnly(project(":edc-extensions:dataplane-selector-configuration"))
+ runtimeOnly(project(":edc-extensions:data-encryption"))
+ runtimeOnly(project(":edc-extensions:cx-oauth2"))
+ runtimeOnly(project(":edc-extensions:provision-additional-headers"))
+ runtimeOnly(project(":edc-extensions:observability-api-customization"))
+ runtimeOnly(project(":edc-extensions:control-plane-adapter-api"))
+ runtimeOnly(project(":edc-extensions:control-plane-adapter-callback"))
+
+ runtimeOnly(libs.edc.core.controlplane)
+ runtimeOnly(libs.edc.config.filesystem)
+ runtimeOnly(libs.edc.auth.tokenbased)
+ runtimeOnly(libs.edc.auth.oauth2.core)
+ runtimeOnly(libs.edc.auth.oauth2.daps)
+ runtimeOnly(libs.edc.api.management)
+ runtimeOnly(libs.edc.dsp)
+ runtimeOnly(libs.edc.spi.jwt)
+ runtimeOnly(libs.bundles.edc.dpf)
+
+ runtimeOnly(libs.edc.ext.http)
+ runtimeOnly(libs.bundles.edc.monitoring)
+ runtimeOnly(libs.edc.transfer.dynamicreceiver)
+ runtimeOnly(libs.edc.controlplane.callback.dispatcher.event)
+ runtimeOnly(libs.edc.controlplane.callback.dispatcher.http)
+
+ runtimeOnly(project(":edc-extensions:postgresql-migration"))
+ runtimeOnly(project(":edc-extensions:hashicorp-vault"))
+ runtimeOnly(project(":edc-extensions:edr-cache-sql"))
+ runtimeOnly(libs.bundles.edc.sqlstores)
+ runtimeOnly(libs.edc.transaction.local)
+ runtimeOnly(libs.edc.sql.pool)
+ runtimeOnly(libs.edc.core.controlplane)
+ runtimeOnly(libs.edc.dpf.transfer)
+ runtimeOnly(libs.postgres)
+
+ // needed for DAPS - not officially supported anymore
+ runtimeOnly(project(":edc-extensions:cx-oauth2"))
+ runtimeOnly(libs.edc.auth.oauth2.core)
+ runtimeOnly(libs.edc.auth.oauth2.daps)
+}
+
+
+tasks.withType {
+ exclude("**/pom.properties", "**/pom.xm")
+ mergeServiceFiles()
+ archiveFileName.set("${project.name}.jar")
+}
+
+
+application {
+ mainClass.set("org.eclipse.edc.boot.system.runtime.BaseRuntime")
+}
diff --git a/edc-controlplane/edc-controlplane-postgresql-hashicorp-vault-legacy/notice.md b/edc-controlplane/edc-controlplane-postgresql-hashicorp-vault-legacy/notice.md
new file mode 100644
index 000000000..381253ec9
--- /dev/null
+++ b/edc-controlplane/edc-controlplane-postgresql-hashicorp-vault-legacy/notice.md
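Review bot: The shadow task excludes `**/pom.xm`, which does not match `pom.xml`, so Maven descriptors still end up in the fat jar; it should read `exclude("**/pom.properties", "**/pom.xml")` (if the sibling non-legacy module carries the same glob, fix both). The `dependencies` block also declares `:edc-extensions:cx-oauth2`, `libs.edc.auth.oauth2.core`, `libs.edc.auth.oauth2.daps` and `libs.edc.core.controlplane` twice; Gradle tolerates that, but the DAPS-related three belong only under the `// needed for DAPS - not officially supported anymore` comment so the deprecated auth path is declared in exactly one place. That comment should also say why this module exists and when it goes away, e.g. `// legacy runtime that keeps DAPS (oauth2-daps) for deployments not yet migrated; remove once DAPS support is dropped` — adjust to the actual plan.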
@@ -0,0 +1,28 @@
+# Notice for Docker image
+
+An EDC Control Plane using PostgreSQL as persistence backend, and HashiCorp Vault as secret store.
+
+DockerHub: https://hub.docker.com/r/tractusx/edc-controlplane-postgresql-hashicorp-vault
+
+Eclipse Tractus-X product(s) installed within the image:
+
+## Tractus-X EDC Control Plane
+
+- GitHub: https://github.com/eclipse-tractusx/tractusx-edc
+- Project home: https://projects.eclipse.org/projects/automotive.tractusx
+- Dockerfile: https://github.com/eclipse-tractusx/tractusx-edc/blob/main/edc-controlplane/edc-controlplane-postgresql-hashicorp-vault/src/main/docker/Dockerfile
+- Project license: [Apache License, Version 2.0](https://github.com/eclipse-tractusx/tractusx-edc/blob/main/LICENSE)
+
+## Used base image
+
+- [eclipse-temurin:17.0.6_10-jre-alpine](https://github.com/adoptium/containers)
+- Official Eclipse Temurin DockerHub page: https://hub.docker.com/_/eclipse-temurin
+- Eclipse Temurin Project: https://projects.eclipse.org/projects/adoptium.temurin
+- Additional information about the Eclipse Temurin
+ images: https://github.com/docker-library/repo-info/tree/master/repos/eclipse-temurin
+
+As with all Docker images, these likely also contain other software which may be under other licenses (such as Bash, etc
+from the base distribution, along with any direct or indirect dependencies of the primary software being contained).
+
+As for any pre-built image usage, it is the image user's responsibility to ensure that any use of this image complies
+with any relevant licenses for all software contained within.
diff --git a/edc-controlplane/edc-controlplane-postgresql-hashicorp-vault-legacy/src/main/docker/Dockerfile b/edc-controlplane/edc-controlplane-postgresql-hashicorp-vault-legacy/src/main/docker/Dockerfile
new file mode 100644
index 000000000..9d7fb7801
--- /dev/null
+++ b/edc-controlplane/edc-controlplane-postgresql-hashicorp-vault-legacy/src/main/docker/Dockerfile
@@ -0,0 +1,64 @@
+#
+# Copyright (c) 2023 ZF Friedrichshafen AG
+# Copyright (c) 2022,2023 Mercedes-Benz Tech Innovation GmbH
+# Copyright (c) 2021,2023 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+FROM alpine:3.18.2 AS otel
+
+ENV OTEL_AGENT_LOCATION "https://github.com/open-telemetry/opentelemetry-java-instrumentation/releases/download/v1.12.1/opentelemetry-javaagent.jar"
+
+HEALTHCHECK NONE
+
+RUN apk update && apk add curl=8.1.2-r0 --no-cache
+RUN curl -L --proto "=https" -sSf ${OTEL_AGENT_LOCATION} --output /tmp/opentelemetry-javaagent.jar
+
+FROM eclipse-temurin:17.0.6_10-jre-alpine
+ARG JAR
+
+ARG APP_USER=docker
+ARG APP_UID=10100
+
+RUN addgroup --system "$APP_USER"
+
+RUN adduser \
+ --shell /sbin/nologin \
+ --disabled-password \
+ --gecos "" \
+ --ingroup "$APP_USER" \
+ --no-create-home \
+ --uid "$APP_UID" \
+ "$APP_USER"
+
+USER "$APP_USER"
+WORKDIR /app
+
+COPY --from=otel /tmp/opentelemetry-javaagent.jar .
+COPY ${JAR} edc-controlplane.jar
+
+HEALTHCHECK NONE
+
+CMD ["java", \
+ "-javaagent:/app/opentelemetry-javaagent.jar", \
+ "-Dedc.fs.config=/app/configuration.properties", \
+ "-Djava.util.logging.config.file=/app/logging.properties", \
+ "-Dotel.javaagent.configuration-file=/app/opentelemetry.properties", \
+ "-Dotel.metrics.exporter=prometheus", \
+ "-Dotel.exporter.prometheus.port=9090", \
+ "-Djava.security.egd=file:/dev/urandom", \
+ "-jar", \
+ "edc-controlplane.jar"]
diff --git a/edc-tests/deployment/src/main/resources/helm/tractusx-connector-azure-vault-test.yaml b/edc-tests/deployment/src/main/resources/helm/tractusx-connector-azure-vault-test.yaml
index ea2a74c16..fe6821871 100644
--- a/edc-tests/deployment/src/main/resources/helm/tractusx-connector-azure-vault-test.yaml
+++ b/edc-tests/deployment/src/main/resources/helm/tractusx-connector-azure-vault-test.yaml
@@ -34,13 +34,11 @@ ## --set vault.azure.secret= fullnameOverride: tx-prod - ################################ # EDC ControlPlane + DataPlane # ################################ participant: id: "test-participant" - controlplane: service: type: NodePort
@@ -54,28 +52,23 @@ controlplane: securityContext: # avoids some errors in the log: cannot write temp files of large multipart requests when R/O readOnlyRootFilesystem: false - dataplane: image: pullPolicy: Never tag: "latest" repository: "edc-dataplane-azure-vault" - securityContext: # avoids some errors in the log: cannot write temp files of large multipart requests when R/O readOnlyRootFilesystem: false - aws: endpointOverride: http://minio:9000 secretAccessKey: qwerty123 accessKeyId: qwerty123 - postgresql: jdbcUrl: jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc auth: username: user password: password - vault: azure: name: ''
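Review bot: The OpenTelemetry agent downloaded in the `otel` stage is loaded into the JVM via `-javaagent` without any integrity check; `curl --proto "=https"` pins the transport, not the artifact, so a swapped or corrupted release asset would go unnoticed at build time. Pin the published digest next to the version and verify it right after the download, e.g. `RUN echo "<EXPECTED_SHA256>  /tmp/opentelemetry-javaagent.jar" | sha256sum -c -` (placeholder to be filled from the release page). `HEALTHCHECK NONE` is declared in both stages although only the final stage's instruction ends up in the image, so the one in the `otel` stage can be dropped. The exact pin `curl=8.1.2-r0` on `alpine:3.18.2` tends to stop resolving once that package revision rotates out of the Alpine repositories; a short comment there (`# pinned; bump together with the base image`) will save the next person a confusing build failure.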
@@ -83,24 +76,14 @@ vault: tenant: '' secret: certificate: - secretNames: - transferProxyTokenSignerPublicKey: daps-crt - transferProxyTokenSignerPrivateKey: daps-key transferProxyTokenEncryptionAesKey: aes-keys - dapsPrivateKey: daps-key - dapsPublicKey: daps-crt - # this must be set through CLI args: --set vault.secrets=$YOUR_VAULT_SECRETS where YOUR_VAULT_SECRETS should # be a string in the format "key1:secret1;key2:secret2;..." secrets: - -daps: - url: "http://{{ .Release.Name }}-daps:4567" - clientId: "E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65:keyid:E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65" - + server: + postStart: backendService: httpProxyTokenReceiverUrl: "http://backend:8080" - tests: hookDeletePolicy: before-hook-creation
diff --git a/edc-tests/deployment/src/main/resources/helm/tractusx-connector-memory-test.yaml b/edc-tests/deployment/src/main/resources/helm/tractusx-connector-memory-test.yaml
index 9d42a876a..bf44b46f1 100644
--- a/edc-tests/deployment/src/main/resources/helm/tractusx-connector-memory-test.yaml
+++ b/edc-tests/deployment/src/main/resources/helm/tractusx-connector-memory-test.yaml
@@ -32,10 +32,8 @@ --- fullnameOverride: tx-inmem - participant: id: "test-participant" - runtime: service: type: NodePort
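Review bot: `server:` and `postStart:` are added with empty values under `vault:` in the Azure Key Vault values file, which appears not to run a HashiCorp server at all; if these keys exist only so that a `yq` path edit succeeds, a comment should say so (`# placeholder path edited by prepare-test.sh; no Vault server is deployed here`), otherwise they look like a leftover from the HashiCorp values files and should go. Only `tractusx-connector-test.yaml` (hunk `@@ -37,52 +34,39 @@`) pins `ssi.oauth.client.secretAlias: "client-secret"`; this file and `tractusx-connector-memory-test.yaml` rely on the chart default, so the `client-secret` entry provisioned for the test is looked up under whatever that default happens to be, and a differing default fails late as an opaque token-exchange error. Either set the alias explicitly here as well or note next to `transferProxyTokenEncryptionAesKey` that the client secret is resolved via the chart's default alias.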
@@ -49,25 +47,25 @@ runtime: securityContext: # avoids some errors in the log: cannot write temp files of large multipart requests when R/O readOnlyRootFilesystem: false - vault: secretNames: - transferProxyTokenSignerPublicKey: daps-crt - transferProxyTokenSignerPrivateKey: daps-key transferProxyTokenEncryptionAesKey: aes-keys - dapsPrivateKey: daps-key - dapsPublicKey: daps-crt - # this must be set through CLI args: --set vault.secrets=$YOUR_VAULT_SECRETS where YOUR_VAULT_SECRETS should # be a string in the format "key1:secret1;key2:secret2;..." secrets: + server: + postStart: + - sh + - -c + - |- + { + sleep 5 -daps: - url: "http://{{ .Release.Name }}-daps:4567" - clientId: "99:83:A7:17:86:FF:98:93:CE:A0:DD:A1:F1:36:FA:F6:0F:75:0A:23:keyid:99:83:A7:17:86:FF:98:93:CE:A0:DD:A1:F1:36:FA:F6:0F:75:0A:23" + /bin/vault kv put secret/client-secret content=4bDC8/uXB6o517zqqCdrPA== + /bin/vault kv put secret/aes-keys content=YWVzX2VuY2tleV90ZXN0Cg== + } backendService: httpProxyTokenReceiverUrl: "http://backend:8080" - tests: hookDeletePolicy: before-hook-creation
diff --git a/edc-tests/deployment/src/main/resources/helm/tractusx-connector-test.yaml b/edc-tests/deployment/src/main/resources/helm/tractusx-connector-test.yaml
index cabc85335..e622036d9 100644
--- a/edc-tests/deployment/src/main/resources/helm/tractusx-connector-test.yaml
+++ b/edc-tests/deployment/src/main/resources/helm/tractusx-connector-test.yaml
@@ -18,14 +18,11 @@ # fullnameOverride: tx-prod - ################################ # EDC ControlPlane + DataPlane # ################################ - participant: id: "test-participant" - controlplane: service: type: NodePort
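Review bot: The new `postStart` hook checks a fixed client secret (`4bDC8/uXB6o517zqqCdrPA==`) into the values file, while `prepare-test.sh` in this same commit generates a fresh one with `openssl rand` and the comment above `secrets:` still asks for the key to be passed via `--set vault.secrets=...`; with two or three sources for `client-secret` it is unclear which value the connector ends up authenticating with, and a mismatch surfaces only as a failed token exchange. A one-line comment above `server:` should mark the literal as a test-only value and state which path is authoritative, e.g. `# test-only static secret; must equal the client-secret passed via vault.secrets`. The `sleep 5` before the `vault kv put` calls is a fixed race against Vault's startup; a short loop on `/bin/vault status` would be more robust than a delay.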
@@ -37,52 +34,39 @@ controlplane: tag: "latest" repository: "edc-controlplane-postgresql-hashicorp-vault" securityContext: - # avoids some errors in the log: cannot write temp files of large multipart requests when R/O - readOnlyRootFilesystem: false - + # avoids some errors in the log: cannot write temp files of large multipart requests when R/O + readOnlyRootFilesystem: false + ssi: + oauth: + client: + secretAlias: "client-secret" dataplane: image: pullPolicy: Never tag: "latest" repository: "edc-dataplane-hashicorp-vault" - securityContext: # avoids some errors in the log: cannot write temp files of large multipart requests when R/O readOnlyRootFilesystem: false - aws: - endpointOverride: http://minio:9000 - secretAccessKey: qwerty123 - accessKeyId: qwerty123 - + endpointOverride: http://minio:9000 + secretAccessKey: qwerty123 + accessKeyId: qwerty123 postgresql: jdbcUrl: jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc auth: username: user password: password - vault: hashicorp: url: http://{{ .Release.Name }}-vault:8200 token: root - secretNames: - transferProxyTokenSignerPublicKey: daps-crt - transferProxyTokenSignerPrivateKey: daps-key transferProxyTokenEncryptionAesKey: aes-keys - dapsPrivateKey: daps-key - dapsPublicKey: daps-crt - # this must be set through CLI args: --set vault.secrets=$YOUR_VAULT_SECRETS where YOUR_VAULT_SECRETS should # be a string in the format "key1:secret1;key2:secret2;..." secrets: - -daps: - url: "http://{{ .Release.Name }}-daps:4567" - clientId: "E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65:keyid:E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65" - backendService: httpProxyTokenReceiverUrl: "http://backend:8080" - tests: hookDeletePolicy: before-hook-creation
diff --git a/edc-tests/deployment/src/main/resources/prepare-test.sh b/edc-tests/deployment/src/main/resources/prepare-test.sh
index 51306abc8..ba3848a6b 100755
--- a/edc-tests/deployment/src/main/resources/prepare-test.sh
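Review bot: `ssi.oauth.client.secretAlias: "client-secret"` silently couples this values file to the key name that `prepare-test.sh` writes with `/bin/vault kv put secret/client-secret`; renaming either side breaks the deployment with an opaque secret-lookup failure rather than a clear error. Add `# must match the vault key written by prepare-test.sh (secret/client-secret)` directly above `secretAlias`. Since the surrounding lines are re-indented in the same hunk and `ssi:` must sit under `controlplane:` for the chart to see it, the resulting nesting is worth a second look; the `aws` block has the same re-indentation treatment.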
+++ b/edc-tests/deployment/src/main/resources/prepare-test.sh
@@ -25,21 +25,13 @@ if [ "$#" -lt 1 ]; then
 fi
 VALUES_FILE=$1
-KEY_FILE=daps.key
-CERT_FILE=daps.cert
-# generate a new short-lived certificate and export the private key
-openssl req -newkey rsa:2048 -new -nodes -x509 -days 1 -keyout $KEY_FILE -out $CERT_FILE -subj "/CN=test"
+CLIENT_SECRET=$(openssl rand -base64 16)
+AES_KEY=$(echo aes_enckey_test | base64)
+echo "$AES_KEY" > aes.key
+echo "$CLIENT_SECRET" > client.secret
-DAPSCRT=$(cat $CERT_FILE)
-DAPSKEY=$(cat $KEY_FILE)
-AES_KEY=$( echo aes_enckey_test | base64)
-echo $AES_KEY > aes.key
-
-# replace the cert for DAPS
-yq -i ".idsdaps.connectors[0].certificate=\"$DAPSCRT\"" "$VALUES_FILE"
-
-# add a "postStart" command to the vault config, that creates a daps-key, daps-cert and an aes-keys secret
-yq -i ".vault.server.postStart |= [\"sh\",\"-c\",\"{\nsleep 5\n\ncat << EOF | /bin/vault kv put secret/daps-crt content=-\n$DAPSCRT\nEOF\n\n
-cat << EOF | /bin/vault kv put secret/daps-key content=-\n$DAPSKEY\nEOF\n\n
-/bin/vault kv put secret/aes-keys content=$AES_KEY\n\n}\"]" "$VALUES_FILE"
\ No newline at end of file
+# add a "postStart" command to the vault config, that creates a oauth client secret and an aes-keys secret
+yq -i ".vault.server.postStart |= [\"sh\",\"-c\",\"{\nsleep 5\n
+/bin/vault kv put secret/client-secret content=$CLIENT_SECRET\n
+/bin/vault kv put secret/aes-keys content=$AES_KEY\n}\"]" "$VALUES_FILE"
\ No newline at end of file
diff --git a/edc-tests/e2e-tests/src/test/java/org/eclipse/tractusx/edc/tests/proxy/AbstractDataPlaneProxyTest.java b/edc-tests/e2e-tests/src/test/java/org/eclipse/tractusx/edc/tests/proxy/AbstractDataPlaneProxyTest.java
index 176662720..c5eac1e49 100644
--- a/edc-tests/e2e-tests/src/test/java/org/eclipse/tractusx/edc/tests/proxy/AbstractDataPlaneProxyTest.java
+++ b/edc-tests/e2e-tests/src/test/java/org/eclipse/tractusx/edc/tests/proxy/AbstractDataPlaneProxyTest.java
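Review bot: `CLIENT_SECRET` is written to `client.secret` under the default umask and then embedded verbatim into `$VALUES_FILE` and into the Vault pod's `sh -c` postStart command, where it is readable from the rendered Helm release and from the pod spec; that is acceptable for a throwaway CI credential, but the comment should say so, and the file write should at least be `(umask 077; echo "$CLIENT_SECRET" > client.secret)`. `openssl rand -base64 16` can emit `/`, `+` and `=`, which pass through the unquoted `content=$CLIENT_SECRET` inside the `sh -c` string today but would break if another quoting layer is ever added; a comment noting that the value must stay base64-only would protect that assumption. `AES_KEY=$(echo aes_enckey_test | base64)` also encodes the trailing newline, which matches the literal in `tractusx-connector-memory-test.yaml` but is presumably accidental; `printf '%s' aes_enckey_test | base64` makes the intent explicit if both sides are changed together.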
@@ -47,10 +47,8 @@ public abstract class AbstractDataPlaneProxyTest {
 protected static final Participant SOKRATES = new Participant(SOKRATES_NAME, SOKRATES_BPN, sokratesConfiguration());
 protected static final Participant PLATO = new Participant(PLATO_NAME, PLATO_BPN, platoConfiguration());
-
- MockWebServer server = new MockWebServer();
-
- ObjectMapper mapper = new ObjectMapper();
+ private final ObjectMapper mapper = new ObjectMapper();
+ private MockWebServer server;
 @Test
 @DisplayName("Verify E2E flow with Data Plane proxies and EDR")
@@ -175,6 +173,7 @@ void httpPullDataTransfer_shouldFailForAsset_withTwoEdrAndProxy() throws IOExcep
 @BeforeEach
 void setup() throws IOException {
+ server = new MockWebServer();
 server.start(PLATO_PROXIED_AAS_BACKEND_PORT);
 }
@@ -183,7 +182,7 @@ void teardown() throws IOException {
 server.shutdown();
 }
- EventEnvelope waitForTransferCompletion() {
+ private EventEnvelope waitForTransferCompletion() {
 try {
 var request = server.takeRequest(20, TimeUnit.SECONDS);
 if (request != null) {
diff --git a/edc-tests/runtime/runtime-memory/build.gradle.kts b/edc-tests/runtime/runtime-memory/build.gradle.kts
index f339202e2..8c9eb38af 100644
--- a/edc-tests/runtime/runtime-memory/build.gradle.kts
+++ b/edc-tests/runtime/runtime-memory/build.gradle.kts
@@ -24,7 +24,18 @@ dependencies {
 implementation(project(":edc-controlplane:edc-controlplane-base")) {
 exclude("org.eclipse.edc", "oauth2-core")
 exclude("org.eclipse.edc", "oauth2-daps")
+
+// runtimeOnly(project(":core:json-ld-core"))
+// runtimeOnly(project(":edc-extensions:ssi:ssi-identity-core"))
+// runtimeOnly(project(":edc-extensions:ssi:ssi-miw-credential-client"))
+// runtimeOnly(project(":edc-extensions:ssi:ssi-identity-extractor"))
+// runtimeOnly(project(":edc-extensions:cx-policy"))
 exclude(module = "data-encryption")
+ exclude(module = "json-ld-core")
+ exclude(module = "ssi-identity-core")
+ exclude(module = "ssi-miw-credential-client")
+ exclude(module = "ssi-identity-extractor")
+ exclude(module = "cx-policy")
 }
 implementation(project(":edc-tests:runtime:extensions"))
@@ -34,7 +45,7 @@ dependencies {
 exclude("org.eclipse.edc", "api-observability")
 }
-
+
 implementation(libs.edc.core.controlplane)
 // for the controller
 implementation(libs.jakarta.rsApi)
diff --git a/edc-tests/runtime/runtime-postgresql/build.gradle.kts b/edc-tests/runtime/runtime-postgresql/build.gradle.kts
index 74f8003ec..85a03d538 100644
--- a/edc-tests/runtime/runtime-postgresql/build.gradle.kts
+++ b/edc-tests/runtime/runtime-postgresql/build.gradle.kts
@@ -22,8 +22,12 @@ dependencies {
 // use basic (all in-mem) control plane
 implementation(project(":edc-controlplane:edc-controlplane-postgresql-hashicorp-vault")) {
- exclude("org.eclipse.edc", "oauth2-core")
- exclude("org.eclipse.edc", "oauth2-daps")
+ exclude(module = "data-encryption")
+ exclude(module = "json-ld-core")
+ exclude(module = "ssi-identity-core")
+ exclude(module = "ssi-miw-credential-client")
+ exclude(module = "ssi-identity-extractor")
+ exclude(module = "cx-policy")
 exclude(module = "data-encryption")
 exclude(module = "hashicorp-vault")
 }
diff --git a/settings.gradle.kts b/settings.gradle.kts
index b1efbe121..05e618e2a 100644
--- a/settings.gradle.kts
+++ b/settings.gradle.kts
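Review bot: Five commented-out `// runtimeOnly(project(...))` lines are committed inside the `exclude` block of the `edc-controlplane-base` dependency; they are dead text that will drift from the real module list and should be removed, or replaced by a single comment giving the reason the SSI and policy modules are excluded from this test runtime, e.g. `// SSI identity / MIW / cx-policy modules are excluded here because <reason>`. Note that `exclude(module = ...)` matches the module name in any group, unlike the group-qualified `exclude("org.eclipse.edc", ...)` lines above it; that is fine for project modules but worth keeping consistent. The enclosing `dependencies` block starts and ends outside the hunk.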
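Review bot: The added `exclude(module = "data-encryption")` duplicates the existing `exclude(module = "data-encryption")` two lines below it in the `edc-controlplane-postgresql-hashicorp-vault` block; drop one of them. The hunk also removes the `oauth2-core` / `oauth2-daps` excludes, so this test runtime pulls both back in if the referenced control-plane module still declares them — presumably it no longer does now that a separate `-legacy` module carries DAPS, but a comment such as `// oauth2/DAPS is no longer part of this runtime; see edc-controlplane-postgresql-hashicorp-vault-legacy` would make that intent checkable. The enclosing `dependencies` block starts and ends outside the hunk.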
@@ -66,6 +66,7 @@ include(":edc-controlplane:edc-runtime-memory")
 include(":edc-controlplane:edc-controlplane-memory-hashicorp-vault")
 include(":edc-controlplane:edc-controlplane-postgresql-azure-vault")
 include(":edc-controlplane:edc-controlplane-postgresql-hashicorp-vault")
+include(":edc-controlplane:edc-controlplane-postgresql-hashicorp-vault-legacy")
 // modules for dataplane artifacts
 include(":edc-dataplane")