diff --git a/charts/vc-authn-oidc/Chart.yaml b/charts/vc-authn-oidc/Chart.yaml
index a7f619a2..e97884e3 100644
--- a/charts/vc-authn-oidc/Chart.yaml
+++ b/charts/vc-authn-oidc/Chart.yaml
@@ -6,25 +6,25 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.7
+version: 0.1.8
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "2.0.0"
+appVersion: "2.0.1-rc0"
-# Charts the vc-authn-oidc service depends on
+# Charts the vc-authn-oidc service depends on
 dependencies:
-- name: mongodb
- version: "13.13.1"
- repository: "https://charts.bitnami.com/bitnami"
-- name: postgresql
- version: 11.9.13
- repository: https://charts.bitnami.com/bitnami/
- condition: postgresql.enabled
-- name: common
- repository: "https://charts.bitnami.com/bitnami"
- tags:
- - bitnami-common
- version: 2.x.x
+ - name: mongodb
+ version: "13.13.1"
+ repository: "https://charts.bitnami.com/bitnami"
+ - name: postgresql
+ version: 11.9.13
+ repository: https://charts.bitnami.com/bitnami/
+ condition: postgresql.enabled
+ - name: common
+ repository: "https://charts.bitnami.com/bitnami"
+ tags:
+ - bitnami-common
+ version: 2.x.x
diff --git a/charts/vc-authn-oidc/README.md b/charts/vc-authn-oidc/README.md
index 4e8431d3..9fc62759 100644
--- a/charts/vc-authn-oidc/README.md
+++ b/charts/vc-authn-oidc/README.md
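Review bot: The re-indented `dependencies` list leaves the `postgresql` entry styled differently from its siblings: `version: 11.9.13` and `repository: https://charts.bitnami.com/bitnami/` are unquoted and the repository carries a trailing slash, whereas `mongodb` and `common` quote both values and use `https://charts.bitnami.com/bitnami`. `11.9.13` is safe as a plain scalar, but for consistency I would change the two lines to `version: "11.9.13"` and `repository: "https://charts.bitnami.com/bitnami"`. Separately, `appVersion` moves to the pre-release `2.0.1-rc0`; the README in this same commit states that `image.tag` defaults to the chart appVersion, so chart `0.1.8` will deploy a release candidate unless `image.tag` is overridden, which is worth stating in the chart's release notes if that is intended.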
@@ -1,6 +1,6 @@ # VC-AuthN OIDC -![Version: 0.1.7](https://img.shields.io/badge/Version-0.1.7-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.0.0](https://img.shields.io/badge/AppVersion-2.0.0-informational?style=flat-square) +![Version: 0.1.8](https://img.shields.io/badge/Version-0.1.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.0.1-rc0](https://img.shields.io/badge/AppVersion-2.0.1-rc0-informational?style=flat-square) A Helm chart to deploy Verifiable Credential Identity Provider for OpenID Connect. 
@@ -39,14 +39,13 @@ The command deploys vc-authn-oidc with AcaPY agent, along with the MongoDB and P If necessary, vc-authn-oidc can be installed without AcaPY agent. This is accomplished by setting `acapy.enabled` to `false` and providing the necessary values to configure vc-authn-oidc to connect to an external AcaPy instance. - -| Name | Description | Value | -| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------- | -| `acapy.enabled` | Set to `false` to not deploy included AcaPy instance | `false` | -| `acapy.agentUrl` | Provide URL of the AcaPy agent instance || -| `acapy.adminUrl` | Provide URL of the AcaPy agent admin interface || -| `acapy.argfile.yml.wallet-name` | Provide the name of the wallet (`wallet-id`) || -| `acapy.existingSecret` | Provide the name of an existing secret containing the values for `adminApiKey` (otherwise set using `acapy.adminApiKey`), and `walletKey` || +| Name | Description | Value | +| ------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `acapy.enabled` | Set to `false` to not deploy included AcaPy instance | `false` | +| `acapy.agentUrl` | Provide URL of the AcaPy agent instance | | +| `acapy.adminUrl` | Provide URL of the AcaPy agent admin interface | | +| `acapy.argfile.yml.wallet-name` | Provide the name of the wallet (`wallet-id`) | | +| `acapy.existingSecret` | Provide the name of an existing secret containing the values for `adminApiKey` (otherwise set using `acapy.adminApiKey`), and `walletKey` | | To obtain the `controllerApiKey` to be used with the external AcaPy instance, run the following command: 
@@ -56,7 +55,6 @@ export WEBHOOK_API_KEY=$(kubectl get secret --namespace my-namespace my-release- echo $WEBHOOK_API_KEY ``` - ## Uninstalling the Chart To uninstall/delete the `my-release` deployment: @@ -86,7 +84,7 @@ kubectl delete secret,pvc --selector "app.kubernetes.io/instance"=my-release | `image.repository` | | `ghcr.io/bcgov/vc-authn-oidc` | | `image.pullPolicy` | | `IfNotPresent` | | `image.pullSecrets` | | `[]` | -| `image.tag` | Overrides the image tag which defaults to the chart appVersion. | `2.0.0-alpha2` | +| `image.tag` | Overrides the image tag which defaults to the chart appVersion. | `2.0.1-rc0` | | `ingressSuffix` | Domain suffix to be used for default hostpaths in ingress | `.apps.silver.devops.gov.bc.ca` | ### Controller Configuration 
@@ -94,7 +92,7 @@ kubectl delete secret,pvc --selector "app.kubernetes.io/instance"=my-release | Name | Description | Value | | ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------- | | `acapyTenancyMode` | Agent tenancy mode, either `single` or `multi` | `single` | -| `setNonRevoked` | if True, the `non_revoked` attributed will be added to each of the present-proof request `requested_attribute` and `requested_predicate` with 'from=0' and'to=`int(time.time())` | `true` | +| `setNonRevoked` | if True, the `non_revoked` attributed will be added to each of the present-proof request `requested_attribute` and `requested_predicate` with 'from=0' and'to=`int(time.time())` | `true` | | `useOobPresentProof` | if True, the present-proof request will be provided as a an [out of band](https://github.com/hyperledger/aries-rfcs/tree/main/features/0434-outofband) invitation with a [present-proof](https://github.com/hyperledger/aries-rfcs/tree/main/features/0037-present-proof) request inside. If False, the present-proof request will be use the [service-decorator](https://github.com/hyperledger/aries-rfcs/tree/main/features/0056-service-decorator) | `false` | | `useOobLocalDIDService` | | `false` | | `controllerCameraRedirectUrl` | The redirect url can be a web link or the name of a template | `wallet_howto` | 
@@ -121,7 +119,7 @@ kubectl delete secret,pvc --selector "app.kubernetes.io/instance"=my-release | `resources.requests.memory` | The requested memory for the controller containers | `128Mi` | | `resources.requests.cpu` | The requested cpu for the controller containers | `10m` | | `replicaCount` | Number of controller replicas to deploy | `1` | -| `autoscaling.enabled` | Enable Horizontal POD autoscaling forthe controller | `true` | +| `autoscaling.enabled` | Enable Horizontal POD autoscaling forthe controller | `true` | | `autoscaling.minReplicas` | Minimum number of controller replicas | `1` | | `autoscaling.maxReplicas` | Maximum number of controller replicas | `2` | | `autoscaling.targetCPUUtilizationPercentage` | Target CPU utilization percentage | `80` | @@ -140,7 +138,7 @@ kubectl delete secret,pvc --selector "app.kubernetes.io/instance"=my-release | Name | Description | Value | | ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------- | | `acapy.enabled` | Deploy AcaPy agent instance | `true` | -| `acapy.agentUrl` | Agent host, required if `enabled`` is `false`, otherwise ignored | `""` | +| `acapy.agentUrl` | Agent host, required if `enabled` is `false`, otherwise ignored | `""` | | `acapy.adminUrl` | Agent admin host, required if `enabled` is `false`, otherwise ignored | `""` | | `acapy.existingSecret` | Name of existing secret, required if `enabled` is `false`; Secret must contain `adminApiKey`, `walletKey`, and `webhookApiKey` keys. | `""` | | `acapy.agentSeed` | | `""` | 
@@ -185,7 +183,7 @@ Note: Secure values of the configuration are passed via equivalent environment v | `acapy.argfile.yml.public-invites` | Send invitations out using the public DID for the agent, and receive connection requests solicited by invitations which use the public DID. Default: false. | `true` | | `acapy.argfile.yml.read-only-ledger` | Sets ledger to read-only to prevent updates. Default: false. | `true` | | `acapy.argfile.yml.wallet-name` | Specifies the wallet name to be used by the agent. This is useful if your deployment has multiple wallets. | `askar-wallet` | -| `acapy.argfile.yml.wallet-storage-type` | Specifies the type of Indy wallet backend to use. Supported internal storage types are 'basic' (memory), 'default' (sqlite), and 'postgres_storage'. The default, if not specified, is 'default'. | `postgres_storage` | +| `acapy.argfile.yml.wallet-storage-type` | Specifies the type of Indy wallet backend to use. Supported internal storage types are 'basic' (memory), 'default' (sqlite), and 'postgres_storage'. The default, if not specified, is 'default'. | `postgres_storage` | | `acapy.argfile.yml.wallet-type` | Specifies the type of Indy wallet provider to use. Supported internal storage types are 'basic' (memory) and 'indy'. The default (if not specified) is 'basic'. | `askar` | | `acapy.argfile.yml.webhook-url` | Send webhooks containing internal state changes to the specified URL. Optional API key to be passed in the request body can be appended using a hash separator [#]. This is useful for a controller to monitor agent events and respond to those events using the admin API. If not specified, webhooks are not published by the agent. | `{{ include "vc-authn-oidc.host" . }}` | | `acapy.ledgers.yml` | | `{}` | 
@@ -201,14 +199,14 @@ Note: Secure values of the configuration are passed via equivalent environment v ### Wallet Storage Credentials -| Name | Description | Value | -| ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------- | -| `acapy.walletStorageCredentials.json` | Raw json with database credentials. Overrides all other values including postgres subchart values. e.g.: '{"account":"postgres","password":"mysecretpassword","admin_account":"postgres","admin_password":"mysecretpassword"}' | `""` | -| `acapy.walletStorageCredentials.account` | Database account name. | `""` | -| `acapy.walletStorageCredentials.password` | Database password. | `""` | -| `acapy.walletStorageCredentials.admin_account` | Database account with CREATEDB role used to create additional databases per wallet. | `postgres` | -| `acapy.walletStorageCredentials.admin_password` | Database password for admin account. | `""` | -| `acapy.walletStorageCredentials.existingSecret` | Name of an existing secret containing 'database-user', 'database-password', 'admin-password' keys. | `""` | +| Name | Description | Value | +| ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------- | +| `acapy.walletStorageCredentials.json` | Raw json with database credentials. Overrides all other values including postgres subchart values. e.g.: '{"account":"postgres","password":"mysecretpassword","admin_account":"postgres","admin_password":"mysecretpassword"}' | `""` | +| `acapy.walletStorageCredentials.account` | Database account name. 
| `""` | +| `acapy.walletStorageCredentials.password` | Database password. | `""` | +| `acapy.walletStorageCredentials.admin_account` | Database account with CREATEDB role used to create additional databases per wallet. | `postgres` | +| `acapy.walletStorageCredentials.admin_password` | Database password for admin account. | `""` | +| `acapy.walletStorageCredentials.existingSecret` | Name of an existing secret containing 'database-user', 'database-password', 'admin-password' keys. | `""` | ### Acapy tails persistence configuration 
@@ -224,19 +222,19 @@ Note: Secure values of the configuration are passed via equivalent environment v | Name | Description | Value | | --------------------------------- | --------------------------------------------- | ----------- | -| `acapy.resources.limits.memory` | The memory limit for the Acapy containers | `1000Mi` | -| `acapy.resources.limits.cpu` | The cpu limit for the Acapy containers | `1` | -| `acapy.resources.requests.memory` | The requested memory for the Acapy containers | `384Mi` | -| `acapy.resources.requests.cpu` | The requested cpu for the Acapy containers | `250m` | -| `acapy.podAnnotations` | Map of annotations to add to the acapy pods | `{}` | -| `acapy.podSecurityContext` | Pod Security Context | `{}` | -| `acapy.containerSecurityContext` | Container Security Context | `{}` | -| `acapy.service.type` | Kubernetes Service type | `ClusterIP` | -| `acapy.service.adminPort` | Port to expose for admin service | `8031` | -| `acapy.service.httpPort` | Port to expose for http service | `8030` | -| `acapy.affinity` | Affinity for acapy pods assignment | `{}` | -| `acapy.nodeSelector` | Node labels for acapy pods assignment | `{}` | -| `acapy.tolerations` | Tolerations for acapy pods assignment | `[]` | +| `acapy.resources.limits.memory` | The memory limit for the Acapy containers | `1000Mi` | +| `acapy.resources.limits.cpu` | The cpu limit for the Acapy containers | `1` | +| `acapy.resources.requests.memory` | The requested memory for the Acapy containers | `384Mi` | +| `acapy.resources.requests.cpu` | The requested cpu for the Acapy containers | `250m` | +| `acapy.podAnnotations` | Map of annotations to add to the acapy pods | `{}` | +| `acapy.podSecurityContext` | Pod Security Context | `{}` | +| `acapy.containerSecurityContext` | Container Security Context | `{}` | +| `acapy.service.type` | Kubernetes Service type | `ClusterIP` | +| `acapy.service.adminPort` | Port to expose for admin service | `8031` | +| `acapy.service.httpPort` | Port to expose 
for http service | `8030` | +| `acapy.affinity` | Affinity for acapy pods assignment | `{}` | +| `acapy.nodeSelector` | Node labels for acapy pods assignment | `{}` | +| `acapy.tolerations` | Tolerations for acapy pods assignment | `[]` | ### Acapy NetworkPolicy parameters @@ -308,9 +306,9 @@ Note: Secure values of the configuration are passed via equivalent environment v | `postgresql.primary.resources.requests.memory` | The requested memory for the PostgreSQL Primary containers | `1300Mi` | | `postgresql.primary.resources.requests.cpu` | The requested cpu for the PostgreSQL Primary containers | `300m` | | `postgresql.primary.service.ports.postgresql` | PostgreSQL service port | `5432` | -| `postgresql.primary.extendedConfiguration` | Extended PostgreSQL Primary configuration (appended to main or default configuration) | `max_connections = 500 -` | +| `postgresql.primary.extendedConfiguration` | Extended PostgreSQL Primary configuration (appended to main or default configuration) | `max_connections = 500` | | `postgresql-ha.enabled` | Deploy HA PostgreSQL chart. Not currently supported, provided for future use. | `false` | ----------------------------------------------- +--- + Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/vc-authn-oidc/values.yaml b/charts/vc-authn-oidc/values.yaml index d9d57dea..17834f7c 100644 --- a/charts/vc-authn-oidc/values.yaml +++ b/charts/vc-authn-oidc/values.yaml @@ -1,11 +1,11 @@ ## @section Common Configuration ## -## @param nameOverride +## @param nameOverride nameOverride: "" ## @param fullnameOverride fullnameOverride: "" -## @param image.repository +## @param image.repository ## @param image.pullPolicy ## @param image.pullSecrets [array] ## @param image.tag Overrides the image tag which defaults to the chart appVersion. 
@@ -53,12 +53,14 @@ podAnnotations: {} ## @param podSecurityContext Pod Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## -podSecurityContext: {} +podSecurityContext: + {} # fsGroup: 2000 ## @param containerSecurityContext Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## -containerSecurityContext: {} +containerSecurityContext: + {} # capabilities: # drop: # - ALL @@ -79,7 +81,7 @@ networkPolicy: enabled: true namespaceSelector: [] ## Example: - # network.openshift.io/policy-group: ingress + # network.openshift.io/policy-group: ingress podSelector: {} ## Service configuration @@ -108,9 +110,9 @@ ingress: ## annotations: [] ## Example: - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - # route.openshift.io/termination: edge + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + # route.openshift.io/termination: edge ## @param ingress.tls Enable TLS configuration for the host defined at ingress. tls: [] # - secretName: chart-example-tls @@ -150,7 +152,7 @@ autoscaling: minReplicas: 1 maxReplicas: 2 targetCPUUtilizationPercentage: 80 - targetMemoryUtilizationPercentage: '' + targetMemoryUtilizationPercentage: "" stabilizationWindowSeconds: 300 ## ServiceAccount configuration @@ -180,13 +182,12 @@ nodeSelector: {} ## tolerations: [] - ## @section Acapy Configuration ## acapy: ## @param acapy.enabled Deploy AcaPy agent instance enabled: true - ## @param acapy.agentUrl Agent host, required if `enabled`` is `false`, otherwise ignored + ## @param acapy.agentUrl Agent host, required if `enabled` is `false`, otherwise ignored agentUrl: "" ## @param acapy.adminUrl Agent admin host, required if `enabled` is `false`, otherwise ignored adminUrl: "" 
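Review bot: `podSecurityContext` and `containerSecurityContext` still resolve to empty mappings after the reformat, so the hardening shown in the commented example beneath them (`# fsGroup: 2000`, `# capabilities: drop: - ALL`) is never applied and the controller pod runs with whatever security context the cluster defaults to. Consider shipping a non-empty default such as `containerSecurityContext: {allowPrivilegeEscalation: false, capabilities: {drop: [ALL]}}` if the image tolerates it, or, if it does not, a comment above the key stating why the default is empty and that operators are expected to override it. The same point applies to the `acapy.podSecurityContext` / `acapy.containerSecurityContext` hunk (`@@ -394,12 +395,14 @@`) further down. Also, `{}` on its own line under the key is valid YAML but reads oddly next to the commented example; the previous `podSecurityContext: {}` on one line was clearer if the formatter can be configured to keep it.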
@@ -194,10 +195,10 @@ acapy: existingSecret: "" ## @param acapy.agentSeed agentSeed: "" - ## @param acapy.image.repository + ## @param acapy.image.repository ## @param acapy.image.pullPolicy ## @param acapy.image.pullSecrets [array] - ## @param acapy.image.tag + ## @param acapy.image.tag ## image: repository: ghcr.io/hyperledger/aries-cloudagent-python @@ -236,7 +237,7 @@ acapy: minReplicas: 1 maxReplicas: 100 targetCPUUtilizationPercentage: 80 - targetMemoryUtilizationPercentage: '' + targetMemoryUtilizationPercentage: "" stabilizationWindowSeconds: 300 ## @param acapy.labelOverride 
@@ -296,24 +297,24 @@ acapy: ledgers.yml: - id: BCovrinDev is_production: true - genesis_url: 'http://dev.bcovrin.vonx.io/genesis' + genesis_url: "http://dev.bcovrin.vonx.io/genesis" - id: BCovrinTest is_production: true - genesis_url: 'http://test.bcovrin.vonx.io/genesis' + genesis_url: "http://test.bcovrin.vonx.io/genesis" - id: SovrinStagingNet is_production: true - genesis_url: 'https://raw.githubusercontent.com/sovrin-foundation/sovrin/stable/sovrin/pool_transactions_sandbox_genesis' + genesis_url: "https://raw.githubusercontent.com/sovrin-foundation/sovrin/stable/sovrin/pool_transactions_sandbox_genesis" - id: CANdyDev is_production: true - genesis_url: 'https://raw.githubusercontent.com/ICCS-ISAC/dtrust-reconu/main/CANdy/dev/pool_transactions_genesis' + genesis_url: "https://raw.githubusercontent.com/ICCS-ISAC/dtrust-reconu/main/CANdy/dev/pool_transactions_genesis" - id: CANdyTest is_production: true is_write: true - genesis_url: 'https://raw.githubusercontent.com/ICCS-ISAC/dtrust-reconu/main/CANdy/test/pool_transactions_genesis' + genesis_url: "https://raw.githubusercontent.com/ICCS-ISAC/dtrust-reconu/main/CANdy/test/pool_transactions_genesis" ## @section Wallet Storage configuration - ## Specifies the storage configuration to use for the wallet. - ## This is required if you are for using 'postgres_storage' wallet 'storage type. + ## Specifies the storage configuration to use for the wallet. + ## This is required if you are for using 'postgres_storage' wallet 'storage type. ## For example, '{"url":"localhost:5432", "wallet_scheme":"MultiWalletSingleTable"}'. ## This configuration maps to the indy sdk postgres plugin (PostgresConfig). ## @@ -323,8 +324,8 @@ acapy: ## @param acapy.walletStorageConfig.wallet_scheme Wallet scheme. ## walletStorageConfig: - json: '' - url: '' + json: "" + url: "" max_connections: 10 wallet_scheme: DatabasePerWallet 
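Review bot: The `BCovrinDev` and `BCovrinTest` entries fetch their genesis file over plain `http://` (`http://dev.bcovrin.vonx.io/genesis`, `http://test.bcovrin.vonx.io/genesis`) while every other `genesis_url` in the list is `https://`; the genesis transactions are what the agent trusts to identify the ledger, so an unauthenticated download leaves them open to substitution in transit. If those endpoints serve TLS, switch both lines to `https://`; if they do not, a comment on the two lines noting that the URL is unauthenticated and intended for non-production use only would at least record the risk. In the same hunk, the wallet-storage comment `## This is required if you are for using 'postgres_storage' wallet 'storage type.` carries its typo over unchanged; it should read `## This is required if you are using the 'postgres_storage' wallet storage type.`.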
@@ -343,11 +344,11 @@ acapy: ## @param acapy.walletStorageCredentials.existingSecret Name of an existing secret containing 'database-user', 'database-password', 'admin-password' keys. ## walletStorageCredentials: - json: '' - account: '' - password: '' + json: "" + account: "" + password: "" admin_account: postgres - admin_password: '' + admin_password: "" existingSecret: "" ## @section Acapy tails persistence configuration persistence: @@ -382,7 +383,7 @@ acapy: ## resources: limits: - cpu: '1' + cpu: "1" memory: 1000Mi requests: cpu: 250m @@ -394,12 +395,14 @@ acapy: ## @param acapy.podSecurityContext Pod Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## - podSecurityContext: {} + podSecurityContext: + {} # fsGroup: 2000 ## @param acapy.containerSecurityContext Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## - containerSecurityContext: {} + containerSecurityContext: + {} # capabilities: # drop: # - ALL @@ -433,7 +436,7 @@ acapy: ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ ## tolerations: [] - + ## @section Acapy NetworkPolicy parameters ## Add networkpolicies @@ -535,8 +538,8 @@ mongodb: ## @param mongodb.auth.usernames List of custom users to be created during the initialization ## @param mongodb.auth.databases List of custom databases to be created during the initialization ## - usernames: ['vcauthn'] - databases: ['vcauthn'] + usernames: ["vcauthn"] + databases: ["vcauthn"] ## @param mongodb.commonLabels [array] Add labels to all the deployed resources (sub-charts are not considered). Evaluated as a template ## commonLabels: 
@@ -676,11 +679,12 @@ postgresql:
 service:
 ports:
 postgresql: 5432
- ## @param postgresql.primary.extendedConfiguration Extended PostgreSQL Primary configuration (appended to main or default configuration)
- ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf
- ##
- extendedConfiguration: |
- max_connections = 500
+ ## @param postgresql.primary.extendedConfiguration Extended PostgreSQL Primary configuration (appended to main or default configuration)
+ ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf
+ ##
+ primary:
+ extendedConfiguration: |
+ max_connections = 500
 ## @param postgresql-ha.enabled Deploy HA PostgreSQL chart. Not currently supported, provided for future use.
 postgresql-ha:
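Review bot: The added `primary:` key looks like it may duplicate a `primary` mapping that already exists in the `postgresql` block: the context lines `service:` / `ports:` / `postgresql: 5432` are documented in the README of this same commit as `postgresql.primary.service.ports.postgresql`, alongside `postgresql.primary.resources.*`, so those values presumably already sit under `primary`. If so, a second `primary:` key at the same level is a duplicate mapping key, which YAML loaders either reject outright or resolve last-wins, silently discarding the earlier `primary.resources` and `primary.service` settings; the original indentation is not recoverable from this view, so please confirm against the file. The likely fix is to nest `extendedConfiguration: |` and its `max_connections = 500` body under the existing `primary:` mapping instead of introducing a new one, keeping the `## @param postgresql.primary.extendedConfiguration` comment next to it.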