diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 9e0d8b8..8851755 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml 
@@ -18,7 +18,81 @@ jobs: sudo modprobe br_netfilter - name: Execute tests - id: test + id: test run: | mvn clean integration-test -Ptest - \ No newline at end of file + + - name: Post-mortem on failure + if: failure() + env: + KUBECONFIG: ${{ github.workspace }}/it/target/k3s.yaml + run: | + echo "==============================" + echo " CLUSTER POST-MORTEM REPORT " + echo "==============================" + + echo "" + echo "### NODE STATUS ###" + kubectl get nodes -o wide || true + + echo "" + echo "### NODE CAPACITY & ALLOCATABLE RESOURCES ###" + kubectl describe nodes | grep -A 10 -E "^(Name:|Capacity:|Allocatable:|Conditions:)" || true + + echo "" + echo "### ALL PODS (all namespaces) ###" + kubectl get pods --all-namespaces -o wide || true + + echo "" + echo "### PODS NOT RUNNING ###" + kubectl get pods --all-namespaces --field-selector='status.phase!=Running,status.phase!=Succeeded' -o wide || true + + echo "" + echo "### EVENTS (sorted by time, last 100) ###" + kubectl get events --all-namespaces --sort-by='.lastTimestamp' | tail -100 || true + + echo "" + echo "### EVENTS WARNING ###" + kubectl get events --all-namespaces --field-selector=type=Warning --sort-by='.lastTimestamp' || true + + echo "" + echo "### IMAGE PULL / BACKOFF ERRORS ###" + kubectl get pods --all-namespaces -o json \ + | jq -r '.items[] | select(.status.containerStatuses != null) | .metadata.namespace + "/" + .metadata.name + ": " + (.status.containerStatuses[].state | to_entries[] | .key + " -> " + (.value.reason // ""))' 2>/dev/null \ + | grep -iE "backoff|imagepull|errimagepull|crashloop|oomkill" || echo "No image pull / crash errors found" + + echo "" + echo "### DESCRIBE PODS NOT RUNNING ###" + kubectl get pods --all-namespaces --field-selector='status.phase!=Running,status.phase!=Succeeded' -o json \ + | jq -r '.items[].metadata | .namespace + "/" + .name' \ + | while read pod; do + ns=$(echo $pod | cut -d/ -f1) + name=$(echo $pod | cut -d/ -f2) + echo "--- Pod: $pod ---" + kubectl 
describe pod "$name" -n "$ns" || true + echo "" + done + + echo "" + echo "### LOGS OF FAILED/ERRORED PODS (last 100 lines each) ###" + kubectl get pods --all-namespaces -o json \ + | jq -r '.items[] | select(.status.phase == "Failed" or ((.status.containerStatuses // [])[] | .state.waiting.reason // "" | test("Error|BackOff|CrashLoop"))) | .metadata.namespace + "/" + .metadata.name' \ + | while read pod; do + ns=$(echo $pod | cut -d/ -f1) + name=$(echo $pod | cut -d/ -f2) + echo "--- Logs: $pod ---" + kubectl logs "$name" -n "$ns" --all-containers --tail=100 2>&1 || true + echo "" + done + + echo "" + echo "### DISK & MEMORY ON RUNNER ###" + df -h || true + free -h || true + + echo "" + echo "### DOCKER IMAGES PULLED ###" + docker images || true + + echo "" + echo "=== END OF POST-MORTEM ===" diff --git a/.gitignore b/.gitignore index 7620ead..dc3838c 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,8 @@ Chart.lock /charts/**/charts .DS_Store -it/target \ No newline at end of file +it/target +helm +target +maven-status +.idea \ No newline at end of file diff --git a/README.md b/README.md index b001ef4..1afc520 100644 --- a/README.md +++ b/README.md 
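Review bot: The new post-mortem step streams `kubectl describe pod` and `kubectl logs --all-containers --tail=100` for every non-running pod straight into the job log, which on a public repository is world-readable; `describe` prints literal `env` `value:` entries (Secret references show only by name, but anything templated as a plain value does not), and crashing containers often print connection strings or tokens on the way down. Since the step is already best-effort, write the report to a file and upload it with `actions/upload-artifact` and a short `retention-days`, or at least document the exposure with a comment above the step such as `# NOTE: dumps pod specs/logs of the throwaway k3s cluster into the job log; never pass credentials as literal env values in the IT chart values`. Two smaller shell points: `ns=$(echo $pod | cut -d/ -f1)` / `name=$(echo $pod | cut -d/ -f2)` in both loops collapse to `while IFS=/ read -r ns name; do`, and without `set -o pipefail` the `|| true` after `kubectl get events ... | tail -100` only guards `tail`, which is acceptable here but worth a comment so nobody later assumes kubectl failures are caught.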
@@ -19,27 +19,28 @@ recipes. -- [Overview](#overview) -- [Release Information](#release-information) -- [Components](#components) -- [Description of flows in a data space](#description-of-flows-in-a-data-space) - - [Onboarding of an organization in the data space](#onboarding-of-an-organization-in-the-data-space) - - [Consumer registration](#consumer-registration) - - [Contract management](#contract-management) - - [Service interaction](#service-interaction) - - [Service interaction (H2M)](#service-interaction-h2m) - - [Service interaction (M2M)](#service-interaction-m2m) - - [Integration with the Dataspace Protocol](#integration-with-the-dataspace-protocol) - - [Integration with the Gaia-X Trust Framework](#integration-with-the-gaia-x-trust-framework) -- [Deployment](#deployment) - - [Local Deployment](#local-deployment) - - [Deployment with Helm](#deployment-with-helm) -- [Testing](#testing) -- [Additional documentation and resources](#additional-documentation-and-resources) - - [Marketplace Integration](#marketplace-integration) - - [Ongoing Work](#ongoing-work) - - [Additional documentation](#additional-documentation) - - [Additional Resources](#additional-resources) +- [FIWARE Data Space Connector](#fiware-data-space-connector) + - [Overview](#overview) + - [Release Information](#release-information) + - [Components](#components) + - [Description of flows in a data space](#description-of-flows-in-a-data-space) + - [Onboarding of an organization in the data space](#onboarding-of-an-organization-in-the-data-space) + - [Consumer registration](#consumer-registration) + - [Contract management](#contract-management) + - [Service interaction](#service-interaction) + - [Service interaction (H2M)](#service-interaction-h2m) + - [Service interaction (M2M)](#service-interaction-m2m) + - [Integration with the Dataspace Protocol](#integration-with-the-dataspace-protocol) + - [Integration with the Gaia-X Trust Framework](#integration-with-the-gaia-x-trust-framework) + - 
[Deployment](#deployment) + - [Local Deployment](#local-deployment) + - [Deployment with Helm](#deployment-with-helm) + - [Testing](#testing) + - [Additional documentation and resources](#additional-documentation-and-resources) + - [Marketplace Integration](#marketplace-integration) + - [Ongoing Work](#ongoing-work) + - [Additional documentation](#additional-documentation) + - [Additional Resources](#additional-resources) 
@@ -94,21 +95,90 @@ Connector. Precisely, the connector bundles the following components: -| Component | Role | Diagram field | Link | -|-----------------|-----------------|---|------| -| VCVerifier | Validates VCs and exchanges them for tokens |Verifier | https://github.com/FIWARE/VCVerifier | -| credentials-config-service | Holds the information which VCs are required for accessing a service |PRP/PAP (authentication)| https://github.com/FIWARE/credentials-config-service | -| Keycloak | Issuer of VCs on the Consumer side | | https://www.keycloak.org | -| Scorpio | Context Broker | | https://github.com/ScorpioBroker/ScorpioBroker | -| trusted-issuers-list | Acts as Trusted Issuers List by providing an [EBSI Trusted Issuers Registry](https://api-pilot.ebsi.eu/docs/apis/trusted-issuers-registry) API |Local Trusted Issuers List| https://github.com/FIWARE/trusted-issuers-list | -| APISIX | APISIX as API-Gateway with a OPA plugin |PEP| https://apisix.apache.org/ / https://apisix.apache.org/docs/apisix/plugins/opa/ | -| OPA | OpenPolicyAgent as the API Gateway's Sidecar |PDP | https://www.openpolicyagent.org/ | -| odrl-pap | Allowing to configure ODRL policies to be used by the OPA | PRP/PAP (authorization) | https://github.com/wistefan/odrl-pap | -| tmforum-api | Implementation of the [TMForum APIs](https://www.tmforum.org/oda/open-apis/) for handling contracts|Contract Management| https://github.com/FIWARE/tmforum-api | -| contract-management | Notification listener for contract management events out of TMForum |Contract Management | https://github.com/FIWARE/contract-management | -| MySQL | Database | | https://www.mysql.com | -| PostgreSQL | Database | | https://www.postgresql.org | -| PostGIS | PostgreSQL Database with PostGIS extensions | | https://postgis.net/ | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Umbrella componentSub-umbrella componentComponentRoleDiagram field
decentralized-iamvc-authenticationVCVerifierValidates VCs and exchanges them for tokensVerifier
credentials-config-serviceHolds the information which VCs are required for accessing a servicePRP/PAP (authentication)
trusted-issuers-listActs as Trusted Issuers List by providing an EBSI Trusted Issuers + Registry APILocal Trusted Issuers List
odrl-authorizationAPISIXAPISIX as API-Gateway with a OPA pluginPEP
OPAOpenPolicyAgent as the API Gateway's SidecarPDP
odrl-papAllowing to configure ODRL policies to be used by the OPAPRP/PAP (authorization)
--KeycloakIssuer of VCs on the Consumer side
--ScorpioContext Broker
--tmforum-apiImplementation of the TMForum APIs for handling + contractsContract Management
--contract-managementNotification listener for contract management events out of TMForumContract Management
--PostgreSQLPostgreSQL Database with PostGIS extensions
**Note,** that some of the components shown in the diagram above are not implemented yet. diff --git a/charts/data-space-connector/Chart.yaml b/charts/data-space-connector/Chart.yaml index 78f13ed..92a4ae2 100644 --- a/charts/data-space-connector/Chart.yaml +++ b/charts/data-space-connector/Chart.yaml 
@@ -4,52 +4,17 @@ description: Umbrella Chart for the FIWARE Data Space Connector, combining all e type: application version: 8.5.0 dependencies: - - name: postgresql - condition: postgresql.enabled - repository: oci://registry-1.docker.io/bitnamicharts - version: 16.7.27 - # authentication - - name: vcverifier - condition: vcverifier.enabled - version: 4.3.8 - repository: https://fiware.github.io/helm-charts - - name: credentials-config-service - condition: credentials-config-service.enabled - version: 2.4.9 - repository: https://fiware.github.io/helm-charts - - name: trusted-issuers-list - condition: trusted-issuers-list.enabled - version: 0.16.0 - repository: https://fiware.github.io/helm-charts - - name: mysql - condition: mysql.enabled - version: 12.2.2 - repository: https://charts.bitnami.com/bitnami - - name: dss-validation-service - alias: dss - condition: dss.enabled - version: 0.0.18 - repository: https://fiware.github.io/helm-charts - # authorization - - name: odrl-pap - condition: odrl-pap.enabled - version: 2.3.8 - repository: https://fiware.github.io/helm-charts - - name: apisix - condition: apisix.enabled - version: 6.0.0 - repository: oci://registry-1.docker.io/bitnamicharts + - name: decentralized-iam + alias: decentralizedIam + condition: decentralized-iam.enabled + version: 2.0.0 + repository: https://fiware.github.io/decentralized-iam # data-service - name: scorpio-broker-aaio alias: scorpio condition: scorpio.enabled repository: https://fiware.github.io/helm-charts version: 0.4.12 - - name: postgresql - alias: postgis - condition: postgis.enabled - repository: oci://registry-1.docker.io/bitnamicharts - version: 16.7.27 # issuance - name: keycloak condition: keycloak.enabled 
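Review bot: The new `decentralized-iam` dependency is given `alias: decentralizedIam` but its `condition: decentralized-iam.enabled` references the un-aliased name, while the values hunk in this same commit puts the flag at `decentralizedIam.enabled`; as I read Helm's condition handling, a condition path that is absent from values is ignored and the subchart is installed unconditionally, so `decentralizedIam.enabled: false` would have no effect. The other aliased entry in this file (`scorpio-broker-aaio` with `alias: scorpio` and `condition: scorpio.enabled`) keys the condition on the alias, so this line should read `condition: decentralizedIam.enabled`. Separately, `Chart.lock` is listed in `.gitignore`, so the dependency from the new repository `https://fiware.github.io/decentralized-iam` is pinned only by version `2.0.0` and not by digest; committing the lock file for the umbrella chart would close that supply-chain gap.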
@@ -58,11 +23,11 @@ dependencies: # contract management - name: tm-forum-api condition: tm-forum-api.enabled - version: 0.15.4 + version: 0.16.3 repository: https://fiware.github.io/helm-charts - name: contract-management condition: contract-management.enabled - version: 3.5.12 + version: 3.5.14 repository: https://fiware.github.io/helm-charts # marketplace - name: business-api-ecosystem diff --git a/charts/data-space-connector/templates/apisix-cm.yaml b/charts/data-space-connector/templates/apisix-cm.yaml deleted file mode 100644 index b624661..0000000 --- a/charts/data-space-connector/templates/apisix-cm.yaml +++ /dev/null @@ -1,31 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: apisix-routes - namespace: {{ $.Release.Namespace | quote }} - labels: - {{- include "dsc.labels" . | nindent 4 }} -data: - apisix.yaml: |- - routes: - {{- if .Values.apisix.catchAllRoute.enabled }} - - uri: /* - upstream: - nodes: - {{ .Values.apisix.catchAllRoute.upstream.url}}: 1 - type: roundrobin - plugins: - openid-connect: - client_id: {{ .Values.apisix.catchAllRoute.oidc.clientId }} - client_secret: the-secret - bearer_only: true - use_jwks: true - discovery: {{ .Values.apisix.catchAllRoute.oidc.discoveryEndpoint }} - opa: - host: "http://localhost:{{ .Values.opa.port }}" - policy: policy/main - {{- end }} - {{- if .Values.apisix.routes }} - {{ .Values.apisix.routes | toYaml | nindent 6 }} - {{- end }} - #END \ No newline at end of file diff --git a/charts/data-space-connector/templates/apisix-routes-job.yaml b/charts/data-space-connector/templates/apisix-routes-job.yaml deleted file mode 100644 index b2f7cd2..0000000 --- a/charts/data-space-connector/templates/apisix-routes-job.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -{{- if .Values.apisix.enabled }} -apiVersion: batch/v1 -kind: Job -metadata: - name: apisix-routes-job - namespace: {{ $.Release.Namespace | quote }} - labels: - {{ include "dsc.labels" . | nindent 4 }} -spec: - template: - spec: - containers: - - name: register-routes - image: quay.io/curl/curl:8.1.2 - command: [ "/bin/sh", "-c", "/bin/create-routes.sh" ] - volumeMounts: - - name: apisix-routes - mountPath: /bin/create-routes.sh - subPath: create-routes.sh - volumes: - - name: apisix-routes - configMap: - name: apisix-routes - defaultMode: 0755 - - restartPolicy: Never - backoffLimit: 10 -{{- end }} \ No newline at end of file diff --git a/charts/data-space-connector/templates/apisix-routes-script.yaml b/charts/data-space-connector/templates/apisix-routes-script.yaml deleted file mode 100644 index fee3c08..0000000 --- a/charts/data-space-connector/templates/apisix-routes-script.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -{{- if (eq .Values.apisix.enabled true) }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: apisix-routes - namespace: {{ $.Release.Namespace | quote }} - labels: - {{ include "dsc.labels" . | nindent 4 }} -data: - create-routes.sh: |- - set -e - {{- if .Values.apisix.catchAllRoute.enabled }} - curl -k -f -X POST {{ .Values.apisix.controlPlane.fullnameOverride }}/apisix/admin/routes \ - --header 'Accept: */*' \ - --header 'X-API-KEY: {{ .Values.apisix.controlPlane.apiTokenAdmin }}' \ - --header 'Content-Type: application/json' \ - --data-raw '{ - "uri": "/*", - "upstream": { - "type": "roundrobin", - "nodes": { - {{ .Values.apisix.catchAllRoute.upstream.url | quote }}: 1 - } - }, - "plugins": { - "openid-connect": { - "client_id": {{ .Values.apisix.catchAllRoute.oidc.clientId | quote }}, - "client_secret": "the-secret", - "bearer_only": true, - "use_jwks": true, - "discovery": {{ .Values.apisix.catchAllRoute.oidc.discoveryEndpoint | quote }} - }, - "opa": { - "host": "http://localhost:{{ .Values.opa.port }}", - "policy": "policy/main" - } - } - }' - {{- end }} - {{- if .Values.apisix.routes }} - - {{- $values := .Values -}} - {{- range $index, $route := .Values.apisix.routes }} - curl -k -f -X POST {{ $values.apisix.controlPlane.address }}/apisix/admin/routes \ - --header 'Accept: */*' \ - --header 'X-API-KEY: {{ $values.apisix.controlPlane.apiTokenAdmin }}' \ - --header 'Content-Type: application/json' \ - --data-raw '{{ $route | toJson }}' - {{- end }} - {{- end }} -{{- end }} \ No newline at end of file diff --git a/charts/data-space-connector/templates/authentication-secrets.yaml b/charts/data-space-connector/templates/authentication-secrets.yaml deleted file mode 100644 index 9668711..0000000 --- a/charts/data-space-connector/templates/authentication-secrets.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -{{- $existing := lookup "v1" "Secret" $.Release.Namespace .Values.authentication.generatePasswords.secretName }} -{{- if .Values.authentication.generatePasswords.enabled }} -apiVersion: v1 -kind: Secret -type: Opaque -metadata: - name: {{ .Values.authentication.generatePasswords.secretName }} - namespace: {{ $.Release.Namespace | quote }} - labels: - {{ include "dsc.labels" . | nindent 4 }} -data: - mysql-root-password: - {{- if $existing }} - {{ index $existing.data "mysql-root-password" | quote }} - {{- else }} - {{ randAlphaNum 30 | b64enc | quote }} - {{- end }} - mysql-replication-password: - {{- if $existing }} - {{ index $existing.data "mysql-replication-password" | quote }} - {{- else }} - {{ randAlphaNum 30 | b64enc | quote }} - {{- end }} - mysql-password: - {{- if $existing }} - {{ index $existing.data "mysql-password" | quote }} - {{- else }} - {{ randAlphaNum 30 | b64enc | quote }} - {{- end }} -{{- end }} \ No newline at end of file diff --git a/charts/data-space-connector/templates/crl-provider-secret.yaml b/charts/data-space-connector/templates/crl-provider-secret.yaml deleted file mode 100644 index 86180b8..0000000 --- a/charts/data-space-connector/templates/crl-provider-secret.yaml +++ /dev/null @@ -1,11 +0,0 @@ -{{- if eq .Values.dss.crl.enabled true }} -apiVersion: v1 -kind: Secret -metadata: - name: crl-provider - namespace: {{ $.Release.Namespace | quote }} - labels: - {{ include "dsc.labels" . | nindent 4 }} -data: - {{- toYaml .Values.dss.crl.secret | nindent 2 }} -{{- end }} \ No newline at end of file diff --git a/charts/data-space-connector/templates/data-plane-secrets.yaml b/charts/data-space-connector/templates/data-plane-secrets.yaml deleted file mode 100644 index 970d0bf..0000000 --- a/charts/data-space-connector/templates/data-plane-secrets.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -{{- $existing := lookup "v1" "Secret" $.Release.Namespace .Values.dataplane.generatePasswords.secretName }} -{{- if .Values.dataplane.generatePasswords.enabled }} -apiVersion: v1 -kind: Secret -type: Opaque -metadata: - name: {{ .Values.dataplane.generatePasswords.secretName }} - namespace: {{ $.Release.Namespace | quote }} - labels: - {{ include "dsc.labels" . | nindent 4 }} -data: - postgres-user-password: - {{- if $existing }} - {{ index $existing.data "postgres-user-password" | quote }} - {{- else }} - {{ randAlphaNum 30 | b64enc | quote }} - {{- end }} - postgres-admin-password: - {{- if $existing }} - {{ index $existing.data "postgres-admin-password" | quote }} - {{- else }} - {{ randAlphaNum 30 | b64enc | quote }} - {{- end }} -{{- end }} \ No newline at end of file diff --git a/charts/data-space-connector/templates/database-secrets.yaml b/charts/data-space-connector/templates/database-secrets.yaml deleted file mode 100644 index f443ca7..0000000 --- a/charts/data-space-connector/templates/database-secrets.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{{- $existing := lookup "v1" "Secret" $.Release.Namespace .Values.postgresql.generatePasswords.secretName }} -{{- if .Values.postgresql.generatePasswords.enabled }} -apiVersion: v1 -kind: Secret -type: Opaque -metadata: - name: {{ .Values.postgresql.generatePasswords.secretName }} - namespace: {{ $.Release.Namespace | quote }} - labels: - {{ include "dsc.labels" . | nindent 4 }} -data: - postgres-user-password: - {{- if $existing }} - {{ index $existing.data "postgres-user-password" | quote }} - {{- else }} - {{ randAlphaNum 30 | b64enc | quote }} - {{- end }} - postgres-admin-password: - {{- if $existing }} - {{ index $existing.data "postgres-admin-password" | quote }} - {{- else }} - {{ randAlphaNum 30 | b64enc | quote }} - {{- end }} -{{- end }} \ No newline at end of file 
diff --git a/charts/data-space-connector/templates/dsconfig-deployment.yaml b/charts/data-space-connector/templates/dsconfig-deployment.yaml index 77bb12c..df6d2dc 100644 --- a/charts/data-space-connector/templates/dsconfig-deployment.yaml +++ b/charts/data-space-connector/templates/dsconfig-deployment.yaml @@ -22,7 +22,7 @@ spec: serviceAccountName: default containers: - name: dsconfig-static - imagePullPolicy: Always + imagePullPolicy: IfNotPresent image: "lipanski/docker-static-website:2.1.0" ports: - name: http diff --git a/charts/data-space-connector/templates/identityhub-deployment.yaml b/charts/data-space-connector/templates/identityhub-deployment.yaml index b9d6675..94a71ff 100644 --- a/charts/data-space-connector/templates/identityhub-deployment.yaml +++ b/charts/data-space-connector/templates/identityhub-deployment.yaml @@ -57,9 +57,9 @@ spec: serviceAccountName: default securityContext: {{- toYaml .Values.identityhub.podSecurityContext | nindent 8 }} - {{- if .Values.identityhub.deployment.initContainers }} + {{- if .Values.identityhub.initContainers }} initContainers: - {{- with .Values.identityhub.deployment.initContainers }} + {{- with .Values.identityhub.initContainers }} {{- toYaml . | nindent 8 }} {{- end }} {{- end }} @@ -215,14 +215,14 @@ spec: subPath: logging.properties - name: logs mountPath: {{ .Values.identityhub.logging.path }} - {{- if .Values.identityhub.deployment.additionalVolumeMounts }} - {{- with .Values.identityhub.deployment.additionalVolumeMounts }} + {{- if .Values.identityhub.additionalVolumeMounts }} + {{- with .Values.identityhub.additionalVolumeMounts }} {{- toYaml . | nindent 12 }} {{- end }} {{- end }} volumes: - {{- if .Values.identityhub.deployment.additionalVolumes }} - {{- with .Values.identityhub.deployment.additionalVolumes }} + {{- if .Values.identityhub.additionalVolumes }} + {{- with .Values.identityhub.additionalVolumes }} {{- toYaml . | nindent 8 }} {{- end }} {{- end }} 
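Review bot: Switching `imagePullPolicy` from `Always` to `IfNotPresent` for `lipanski/docker-static-website:2.1.0` makes the kubelet reuse whatever image is already cached under that tag on the node, so the pod now trusts node-local cache contents instead of the registry; a tag is mutable, and on shared nodes this is exactly the case the `AlwaysPullImages` admission plugin exists to prevent. If the motivation is avoiding registry pulls in CI, pin by digest so the cached layers are verified against a fixed content hash, e.g. `image: "lipanski/docker-static-website:2.1.0@sha256:<digest>"`; the same change is applied to both `rainbow` containers later in this commit and the same pinning applies there. The identityhub hunks on this line also move `initContainers`/`additionalVolumeMounts`/`additionalVolumes` from `.Values.identityhub.deployment.*` to `.Values.identityhub.*`, a breaking values-path change that deserves a release-note entry; the identityhub section of `values.yaml` is not visible here, so I cannot confirm it was updated to match.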
diff --git a/charts/data-space-connector/templates/issuance-secrets.yaml b/charts/data-space-connector/templates/issuance-secrets.yaml index 5268b3d..9b67efa 100644 --- a/charts/data-space-connector/templates/issuance-secrets.yaml +++ b/charts/data-space-connector/templates/issuance-secrets.yaml @@ -9,18 +9,6 @@ metadata: labels: {{ include "dsc.labels" . | nindent 4 }} data: - postgres-user-password: - {{- if $existing }} - {{ index $existing.data "postgres-user-password" | quote }} - {{- else }} - {{ randAlphaNum 30 | b64enc | quote }} - {{- end }} - postgres-admin-password: - {{- if $existing }} - {{ index $existing.data "postgres-admin-password" | quote }} - {{- else }} - {{ randAlphaNum 30 | b64enc | quote }} - {{- end }} keycloak-admin: {{- if $existing }} {{ index $existing.data "keycloak-admin" | quote }} diff --git a/charts/data-space-connector/templates/opa-cm.yaml b/charts/data-space-connector/templates/opa-cm.yaml deleted file mode 100644 index 5a2979b..0000000 --- a/charts/data-space-connector/templates/opa-cm.yaml +++ /dev/null @@ -1,32 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: opa-config - namespace: {{ $.Release.Namespace | quote }} - labels: - {{ include "dsc.labels" . | nindent 4 }} -data: - opa.yaml: |- - services: - - name: bundle-server - url: {{ .Values.opa.resourceUrl }} - bundles: - policies: - service: bundle-server - resource: policies.tar.gz - polling: - min_delay_seconds: {{ .Values.opa.policies.minDelay }} - max_delay_seconds: {{ .Values.opa.policies.maxDelay }} - methods: - service: bundle-server - resource: methods.tar.gz - polling: - min_delay_seconds: {{ .Values.opa.methods.minDelay }} - max_delay_seconds: {{ .Values.opa.methods.maxDelay }} - data: - service: bundle-server - resource: data.tar.gz - polling: - min_delay_seconds: {{ .Values.opa.data.minDelay }} - max_delay_seconds: {{ .Values.opa.data.maxDelay }} - default_decision: /policy/main/allow \ No newline at end of file 
diff --git a/charts/data-space-connector/templates/opa.yaml b/charts/data-space-connector/templates/opa.yaml deleted file mode 100644 index ac56375..0000000 --- a/charts/data-space-connector/templates/opa.yaml +++ /dev/null 
@@ -1,286 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: opa-lua - namespace: {{ $.Release.Namespace | quote }} - labels: - {{ include "dsc.labels" . | nindent 4 }} -data: - # extends the apisix opa-plugin to forward the http-body as part of the decision request. - opa.lua: |- - -- - -- Licensed to the Apache Software Foundation (ASF) under one or more - -- contributor license agreements. See the NOTICE file distributed with - -- this work for additional information regarding copyright ownership. - -- The ASF licenses this file to You under the Apache License, Version 2.0 - -- (the "License"); you may not use this file except in compliance with - -- the License. You may obtain a copy of the License at - -- - -- http://www.apache.org/licenses/LICENSE-2.0 - -- - -- Unless required by applicable law or agreed to in writing, software - -- distributed under the License is distributed on an "AS IS" BASIS, - -- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - -- See the License for the specific language governing permissions and - -- limitations under the License. 
- -- - - local core = require("apisix.core") - local http = require("resty.http") - local helper = require("apisix.plugins.opa.helper") - local type = type - local ipairs = ipairs - - local schema = { - type = "object", - properties = { - host = {type = "string"}, - ssl_verify = { - type = "boolean", - default = true, - }, - policy = {type = "string"}, - timeout = { - type = "integer", - minimum = 1, - maximum = 60000, - default = 3000, - description = "timeout in milliseconds", - }, - keepalive = {type = "boolean", default = true}, - send_headers_upstream = { - type = "array", - minItems = 1, - items = { - type = "string" - }, - description = "list of headers to pass to upstream in request" - }, - keepalive_timeout = {type = "integer", minimum = 1000, default = 60000}, - keepalive_pool = {type = "integer", minimum = 1, default = 5}, - with_route = {type = "boolean", default = false}, - with_service = {type = "boolean", default = false}, - with_consumer = {type = "boolean", default = false}, - with_body = {type = "boolean", default = false}, - }, - required = {"host", "policy"} - } - - - local _M = { - version = 0.1, - priority = 2001, - name = "opa", - schema = schema, - } - - - function _M.check_schema(conf) - return core.schema.check(schema, conf) - end - - - function _M.access(conf, ctx) - local body = helper.build_opa_input(conf, ctx, "http") - - local params = { - method = "POST", - body = core.json.encode(body), - headers = { - ["Content-Type"] = "application/json", - }, - keepalive = conf.keepalive, - ssl_verify = conf.ssl_verify - } - - if conf.keepalive then - params.keepalive_timeout = conf.keepalive_timeout - params.keepalive_pool = conf.keepalive_pool - end - - local endpoint = conf.host .. "/v1/data/" .. 
conf.policy - - local httpc = http.new() - httpc:set_timeout(conf.timeout) - - local res, err = httpc:request_uri(endpoint, params) - - -- block by default when decision is unavailable - if not res then - core.log.error("failed to process OPA decision, err: ", err) - return 403 - end - - -- parse the results of the decision - local data, err = core.json.decode(res.body) - - if not data then - core.log.error("invalid response body: ", res.body, " err: ", err) - return 503 - end - - if not data.result then - core.log.error("invalid OPA decision format: ", res.body, - " err: `result` field does not exist") - return 503 - end - - local result = data.result - - if not result.allow then - if result.headers then - core.response.set_header(result.headers) - end - - local status_code = 403 - if result.status_code then - status_code = result.status_code - end - - local reason = nil - if result.reason then - reason = type(result.reason) == "table" - and core.json.encode(result.reason) - or result.reason - end - - return status_code, reason - else if result.headers and conf.send_headers_upstream then - for _, name in ipairs(conf.send_headers_upstream) do - local value = result.headers[name] - if value then - core.request.set_header(ctx, name, value) - end - end - end - end - end - - - return _M - - helper.lua: |- - -- - -- Licensed to the Apache Software Foundation (ASF) under one or more - -- contributor license agreements. See the NOTICE file distributed with - -- this work for additional information regarding copyright ownership. - -- The ASF licenses this file to You under the Apache License, Version 2.0 - -- (the "License"); you may not use this file except in compliance with - -- the License. 
You may obtain a copy of the License at - -- - -- http://www.apache.org/licenses/LICENSE-2.0 - -- - -- Unless required by applicable law or agreed to in writing, software - -- distributed under the License is distributed on an "AS IS" BASIS, - -- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - -- See the License for the specific language governing permissions and - -- limitations under the License. - -- - - local core = require("apisix.core") - local get_service = require("apisix.http.service").get - local ngx_time = ngx.time - - local _M = {} - - - -- build a table of Nginx variables with some generality - -- between http subsystem and stream subsystem - local function build_var(conf, ctx) - return { - server_addr = ctx.var.server_addr, - server_port = ctx.var.server_port, - remote_addr = ctx.var.remote_addr, - remote_port = ctx.var.remote_port, - timestamp = ngx_time(), - } - end - - - local function build_http_request(conf, ctx) - - local http = { - scheme = core.request.get_scheme(ctx), - method = core.request.get_method(), - host = core.request.get_host(ctx), - port = core.request.get_port(ctx), - path = ctx.var.uri, - headers = core.request.headers(ctx), - query = core.request.get_uri_args(ctx), - } - - if conf.with_body then - http.body = core.json.decode(core.request.get_body()) - end - - return http - end - - - local function build_http_route(conf, ctx, remove_upstream) - local route = core.table.deepcopy(ctx.matched_route).value - - if remove_upstream and route and route.upstream then - -- unimportant to send upstream info to OPA - route.upstream = nil - end - - return route - end - - - local function build_http_service(conf, ctx) - local service_id = ctx.service_id - - -- possible that there is no service bound to the route - if service_id then - local service = core.table.clone(get_service(service_id)).value - - if service then - if service.upstream then - service.upstream = nil - end - return service - end - end - - return 
nil - end - - - local function build_http_consumer(conf, ctx) - -- possible that there is no consumer bound to the route - if ctx.consumer then - return core.table.clone(ctx.consumer) - end - - return nil - end - - - function _M.build_opa_input(conf, ctx, subsystem) - local data = { - type = subsystem, - request = build_http_request(conf, ctx), - var = build_var(conf, ctx) - } - - if conf.with_route then - data.route = build_http_route(conf, ctx, true) - end - - if conf.with_consumer then - data.consumer = build_http_consumer(conf, ctx) - end - - if conf.with_service then - data.service = build_http_service(conf, ctx) - end - - return { - input = data, - } - end - - - return _M diff --git a/charts/data-space-connector/templates/rainbow-deployment.yaml b/charts/data-space-connector/templates/rainbow-deployment.yaml index 7977993..bb682ad 100644 --- a/charts/data-space-connector/templates/rainbow-deployment.yaml +++ b/charts/data-space-connector/templates/rainbow-deployment.yaml @@ -32,7 +32,7 @@ spec: subPath: init.sh {{- end }} - name: rainbow-init - imagePullPolicy: Always + imagePullPolicy: IfNotPresent image: quay.io/wi_stefan/rainbow:0.0.3 args: [ "provider", "setup" ] env: @@ -53,7 +53,7 @@ spec: value: "5432" containers: - name: rainbow - imagePullPolicy: Always + imagePullPolicy: IfNotPresent image: quay.io/wi_stefan/rainbow:0.0.3 args: [ "provider", "start" ] env: diff --git a/charts/data-space-connector/templates/tpp-policy.yaml b/charts/data-space-connector/templates/tpp-policy.yaml index 40cd8e0..fe8064e 100644 --- a/charts/data-space-connector/templates/tpp-policy.yaml +++ b/charts/data-space-connector/templates/tpp-policy.yaml 
@@ -14,14 +14,14 @@ data: default allow := false - host = {{ .Values.tpp.transfers.host | quote }} - path = {{ .Values.tpp.transfers.path | quote }} + host = {{ .Values.decentralizedIam.odrlAuthorization.tpp.transfers.host | quote }} + path = {{ .Values.decentralizedIam.odrlAuthorization.tpp.transfers.path | quote }} url = sprintf("%v/%v/%v", [host, path, input.request.headers["transferid"]]) response := http.send({"method": "get", "url": url}) - {{- if .Values.tpp.checkMain }} + {{- if .Values.decentralizedIam.odrlAuthorization.tpp.checkMain }} allow if { response.body["dspace:state"] == "dspace:STARTED" main.allow == true diff --git a/charts/data-space-connector/values.yaml b/charts/data-space-connector/values.yaml index e35c46f..e7d0a17 100644 --- a/charts/data-space-connector/values.yaml +++ b/charts/data-space-connector/values.yaml @@ -1,19 +1,3 @@ -# -- configuration to be shared between the authentication components -authentication: - generatePasswords: - # -- should a password for the database connection of authentication components be generated in the cluster - enabled: true - #-- name of the secret to put the generated password into - secretName: authentication-database-secret - -# -- configuration to be shared between the dataplane components -dataplane: - generatePasswords: - # -- should a password for the database connection of dataplane components be generated in the cluster - enabled: true - #-- name of the secret to put the generated password into - secretName: data-service-secret - # -- configuration to be shared between the issuance components issuance: generatePasswords: 
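Review bot: The relocated `host` and `path` values are still concatenated with the raw `transferid` request header on the unchanged line that follows, `url = sprintf("%v/%v/%v", [host, path, input.request.headers["transferid"]])`, so a caller controls the tail of the URL that `http.send` fetches from the transfer-process endpoint, and segments such as `../` or a `?`/`#` suffix pass through unencoded. Encode the header before building the URL, `url = sprintf("%v/%v/%v", [host, path, urlquery.encode(input.request.headers["transferid"])])`, and add a short comment noting that the header is attacker-controlled input. The rest of the policy (`main.allow` and the remaining `allow` rules) continues outside the hunk, so I cannot see whether the response status is checked before `response.body["dspace:state"]` is read.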
@@ -22,379 +6,183 @@ issuance: #-- name of the secret to put the generated password into secretName: issuance-secret -# -- configuration for the mysql to be deployed as part of the connector, see https://github.com/bitnami/charts/tree/main/bitnami/mysql for all options -mysql: - kubeVersion: 1.34-1 - # -- should it be enabled? set to false if one outside the chart is used. +decentralizedIam: enabled: true - global: - security: - # allow the image from the legacy repo - allowInsecureImages: true - # -- configuration of the used image - image: - # -- repository where the image is held, see https://github.com/bitnami/charts/issues/35164 for further info - repository: bitnamilegacy/mysql - # -- allows to set a fixed name for the services - fullnameOverride: authentication-mysql - # -- configure authentication to mysql - auth: - # -- name of the secret to take the passowrds from - existingSecret: authentication-database-secret - # -- scripts to be executed on db startup - initdbScripts: - create.sql: | - CREATE DATABASE tildb; - CREATE DATABASE ccsdb; - -# -- configuration for the trusted-issuers-list to be deployed as part of the connector, see https://github.com/FIWARE/helm-charts/tree/main/charts/trusted-issuers-list for all options -trusted-issuers-list: - # -- should it be enabled? set to false if one outside the chart is used. - enabled: true - # -- allows to set a fixed name for the services - fullnameOverride: trusted-issuers-list - # -- connection to the database - database: - # -- should persistence be used? 
- persistence: true - # -- name of the db user - username: root - # -- configuration for the existing secret to get the passwords from - existingSecret: - enabled: true - name: authentication-database-secret - key: mysql-root-password - # -- host of the database - host: authentication-mysql - # -- name of the schema inside the db - name: tildb - -# -- configuration for the vcverifier to be deployed as part of the connector, see https://github.com/FIWARE/helm-charts/tree/main/charts/vcverifier for all options -vcverifier: - # -- should it be enabled? set to false if one outside the chart is used. - enabled: true - # -- allows to set a fixed name for the services - fullnameOverride: verifier - # -- configuration for the m2m flow, in case the tir is requiring authentication - m2m: - # -- we do not need authentication here - authEnabled: false - -# -- configuration for the digital-signature.service to be deployed as part of the connector in case of did:elsi support -dss: - # -- should it be enabled? - enabled: false - # -- allows to set a fixed name for the services - fullnameOverride: dss - # -- can be used to provide the crl for ca's provided as truststore to the dss - crl: - # -- should it be enabled? - enabled: false + # -- configuration for the vc-authentication to be deployed as part of the connector, see https://github.com/FIWARE/vc-authentication/tree/master + vcAuthentication: -# -- configuration for the credentials-config-service to be deployed as part of the connector, see https://github.com/FIWARE/helm-charts/tree/main/charts/credentials-config-service for all options -credentials-config-service: - # -- should it be enabled? set to false if one outside the chart is used. - enabled: true - # -- allows to set a fixed name for the services - fullnameOverride: credentials-config-service - # -- connection to the database - database: - # -- should persistence be used? 
- persistence: true - # -- name of the db user - username: root - # -- configuration for the existing secret to get the passwords from - existingSecret: + ## Usage of the postgres-operator - see https://github.com/zalando/postgres-operator + managedPostgres: + # -- should it be enabled? Requires the postgres-operator CRDs to be installed before applying the chart enabled: true - name: authentication-database-secret - key: mysql-root-password - # -- host of the database - host: authentication-mysql - # -- name of the schema inside the db - name: ccsdb - registration: - enabled: false -# -- configuration for the postgresql to be deployed as part of the connector, see https://github.com/bitnami/charts/tree/main/bitnami/postgresql for all options -postgresql: - kubeVersion: 1.34-1 - # -- should it be enabled? set to false if one outside the chart is used. - enabled: true - global: - security: - # allow the image from the legacy repo - allowInsecureImages: true - # -- configuration of the used image - image: - # -- repository where the image is held, see https://github.com/bitnami/charts/issues/35164 for further info - repository: bitnamilegacy/postgresql - # -- fixes the unpullable image referenced in the chart - tag: 13.18.0 - # -- allows to set a fixed name for the services - fullnameOverride: postgresql - generatePasswords: - # -- should a password for the database be generated in the cluster - enabled: true - # -- name of the secret to store the password in - secretName: database-secret - # -- configure authentication to mysql - auth: - # -- name of the secret to take the passowrds from - existingSecret: database-secret - # -- key of the secrets inside the secret - secretKeys: - adminPasswordKey: postgres-admin-password - userPasswordKey: postgres-user-password - # -- configuration for the primary of the db - primary: - # -- scripts to be run on intialization - initdb: - scripts: - create.sh: | - psql postgresql://postgres:${POSTGRES_PASSWORD}@localhost:5432 -c 
"CREATE DATABASE pap;" - psql postgresql://postgres:${POSTGRES_PASSWORD}@localhost:5432 -c "CREATE DATABASE keycloak;" - psql postgresql://postgres:${POSTGRES_PASSWORD}@localhost:5432 -c "CREATE DATABASE rainbow;" - psql postgresql://postgres:${POSTGRES_PASSWORD}@localhost:5432 -c "CREATE DATABASE ih;" - psql postgresql://postgres:${POSTGRES_PASSWORD}@localhost:5432 -c "CREATE DATABASE issuer;" - -# -- configuration for the odrl-pap to be deployed as part of the connector, see https://github.com/FIWARE/helm-charts/tree/main/charts/odrl-pap for all options -odrl-pap: - # -- should it be enabled? set to false if one outside the chart is used. - enabled: true - # -- allows to set a fixed name for the services - fullnameOverride: odrl-pap - # -- connection to the database - database: - # -- url to connect the db at - url: jdbc:postgresql://postgresql:5432/pap - # -- username to access the db - username: postgres - # -- secret to take the password from - existingSecret: + # -- config as defined in https://github.com/zalando/postgres-operator/blob/master/charts/postgres-operator/crds/postgresqls.yaml + config: + teamId: "dsc" + numberOfInstances: 1 + postgresql: + version: "16" + volume: + size: 1Gi + users: + admin: # maintainer + - superuser + - createdb + til: + - createdb + ccs: + - createdb + pap: + - createdb + keycloak: + - createdb + rainbow: + - createdb + ih: + - createdb + issuer: + - createdb + databases: + tildb: til + ccsdb: ccs + papdb: pap + keycloakdb: keycloak + rainbowdb: rainbow + ih: ih + issuer: issuer + + # -- configuration for the trusted-issuers-list to be deployed as part of the connector, see https://github.com/FIWARE/helm-charts/tree/main/charts/trusted-issuers-list for all options + trusted-issuers-list: + # -- should it be enabled? set to false if one outside the chart is used. 
+ enabled: true + # -- allows to set a fixed name for the services + fullnameOverride: trusted-issuers-list + # -- connection to the database + database: + # -- should persistence be used? + persistence: true + # -- name of the db dialect + dialect: POSTGRES + # -- name of the db user + username: postgres + # -- configuration for the existing secret to get the passwords from + existingSecret: + enabled: true + name: postgres.postgres.credentials.postgresql.acid.zalan.do + key: password + # -- host of the database + host: postgres + # -- host of the database + port: 5432 + # -- name of the schema inside the db + name: tildb + + # -- configuration for the vcverifier to be deployed as part of the connector, see https://github.com/FIWARE/helm-charts/tree/main/charts/vcverifier for all options + vcverifier: + # -- should it be enabled? set to false if one outside the chart is used. + enabled: true + # -- allows to set a fixed name for the services + fullnameOverride: verifier + # -- configuration for the m2m flow, in case the tir is requiring authentication + m2m: + # -- we do not need authentication here + authEnabled: false + + # -- configuration for the credentials-config-service to be deployed as part of the connector, see https://github.com/FIWARE/helm-charts/tree/main/charts/credentials-config-service for all options + credentials-config-service: + # -- should it be enabled? set to false if one outside the chart is used. enabled: true - name: database-secret - key: postgres-admin-password + # -- allows to set a fixed name for the services + fullnameOverride: credentials-config-service + # -- connection to the database + database: + # -- should persistence be used? 
+ persistence: true + # -- name of the db dialect + dialect: POSTGRES + # -- name of the db user + username: postgres + # -- configuration for the existing secret to get the passwords from + existingSecret: + enabled: true + name: postgres.postgres.credentials.postgresql.acid.zalan.do + key: password + # -- host of the database + host: postgres + # -- host of the database + port: 5432 + # -- name of the schema inside the db + name: ccsdb + registration: + enabled: false -# -- configuration for the open-policy-agent to be deployed as part of the connector fulfilling the role of the PDP, as a sidecar to apisix -opa: - # -- should an opa sidecar be deployed to apisix - enabled: true - # -- address of the pap to get the policies from - resourceUrl: http://odrl-pap:8080/bundles/service/v1 - # -- port to make opa available at - port: 8181 - # -- pull delays for the policies bundle - policies: - minDelay: 2 - maxDelay: 4 - # -- pull delays for the methods bundle - methods: - minDelay: 1 - maxDelay: 3 - # -- pull delays for the data bundle - data: - minDelay: 1 - maxDelay: 15 - - -# -- integration of checks for the transfer process protocol -tpp: - # -- should checking for a running transfer process be enabled - enabled: false - transfers: - # -- host of the endpoint to check the process id, e.g. 
rainbow - host: "" - # -- path to check the id at - path: /transfers - -# -- configuration for apisix to be deployed as part of the connector, see https://github.com/bitnami/charts/tree/main/bitnami/apisix for all options -apisix: - kubeVersion: 1.34-1 - global: - security: - # allow the image from the legacy repo - allowInsecureImages: true - # -- configuration of the used image - image: - # -- repository where the image is held, see https://github.com/bitnami/charts/issues/35164 for further info - repository: bitnamilegacy/apisix - debug: true - waitContainer: - # -- configuration of the used image - image: - # -- repository where the image is held, see https://github.com/bitnami/charts/issues/35164 for further info - repository: bitnamilegacy/os-shell - # -- should it be enabled? set to false if one outside the chart is used. - enabled: true - # -- configuration in regard to the apisix control plane - controlPlane: - # -- should it be enabled - enabled: true - # -- resource preset to have sufficient memory - resourcesPreset: small - # -- override the name to have a stable service address - fullnameOverride: apisix-controlplane - # -- provide a token for accessing the controlplane - apiTokenAdmin: admin - # -- disable tls for internal controlplane access - tls: + # -- configuration for the digital-signature.service to be deployed as part of the connector in case of did:elsi support + dss: + # -- should it be enabled? 
enabled: false - # -- configuration in regard to the apisix ingressController - ingressController: - # -- should it be enabled - enabled: false - # -- configuration of the used image - image: - # -- repository where the image is held, see https://github.com/bitnami/charts/issues/35164 for further info - repository: bitnamilegacy/apisix-ingress-controller - # -- configuration in regard to the apisix etcd - etcd: - kubeVersion: 1.34-1 - # -- should it be enabled - enabled: true - global: - security: - # allow the image from the legacy repo - allowInsecureImages: true - # -- configuration of the used image - image: - # -- repository where the image is held, see https://github.com/bitnami/charts/issues/35164 for further info - repository: bitnamilegacy/etcd - # -- persistence configuration of etcd - persistence: - # -- should it be enabled + # -- allows to set a fixed name for the services + fullnameOverride: dss + # -- can be used to provide the crl for ca's provided as truststore to the dss + crl: + # -- should it be enabled? + enabled: false + + # configuration for the odrl-authorization to be deployed as part of the connector, see https://github.com/FIWARE/odrl-authorization/tree/master + odrlAuthorization: + + # -- configuration for the odrl-pap to be deployed as part of the connector, see https://apisix.apache.org/ + apisix: + ingress-controller: + enabled: false + + # -- configuration for the odrl-pap to be deployed as part of the connector, see https://github.com/FIWARE/helm-charts/tree/main/charts/odrl-pap for all options + odrl-pap: + # -- should it be enabled? set to false if one outside the chart is used. 
+ enabled: true + # -- allows to set a fixed name for the services + fullnameOverride: odrl-pap + # -- connection to the database + database: + # -- url to connect the db at + url: jdbc:postgresql://postgres:5432/papdb + # -- username to access the db + username: postgres + # -- secret to take the password from + existingSecret: + enabled: true + name: postgres.postgres.credentials.postgresql.acid.zalan.do + key: password + + # -- configuration for the open-policy-agent to be deployed as part of the connector fulfilling the role of the PDP, as a sidecar to apisix + opa: + # -- should an opa sidecar be deployed to apisix + enabled: true + # -- address of the pap to get the policies from + resourceUrl: http://odrl-pap:8080/bundles/service/v1 + # -- port to make opa available at + port: 8181 + # -- pull delays for the policies bundle + policies: + minDelay: 2 + maxDelay: 4 + # -- pull delays for the methods bundle + methods: + minDelay: 1 + maxDelay: 3 + # -- pull delays for the data bundle + data: + minDelay: 1 + maxDelay: 15 + + # -- integration of checks for the transfer process protocol + tpp: + # -- should checking for a running transfer process be enabled enabled: false - # -- configuration in regard to the apisix dataplane - dataPlane: - # -- resource preset to have sufficient memory - resourcesPreset: small - # -- configuration for extra configmaps to be deployed - extraConfig: - deployment: - # -- allows to configure apisix through a yaml file - role_data_plane: - config_provider: etcd - apisix: - extra_lua_path: /extra/apisix/plugins/?.lua - # -- extra volumes - # we need `routes` to declaratively configure the routes - # and the config for the opa sidecar - extraVolumes: - - name: routes - configMap: - name: apisix-routes - - name: opa-config - configMap: - name: opa-config - - name: opa-lua - configMap: - name: opa-lua - - name: tpp-policy - configMap: - name: tpp-policy - # -- extra volumes to be mounted - extraVolumeMounts: - - name: routes - mountPath: 
/usr/local/apisix/conf/apisix.yaml - subPath: apisix.yaml - - name: opa-lua - mountPath: /usr/local/apisix/apisix/plugins/opa/helper.lua - subPath: helper.lua - - name: opa-lua - mountPath: /usr/local/apisix/apisix/plugins/opa.lua - subPath: opa.lua - # -- sidecars to be deployed for apisix - sidecars: - # -- we want to deploy the open-policy-agent as a pdp - - name: open-policy-agent - image: openpolicyagent/opa:1.2.0 - imagePullPolicy: IfNotPresent - ports: - - name: http - containerPort: 8181 - protocol: TCP - # opa should be started to listen at 8181 and get its config from the mounted config yaml - args: - - "run" - - "--ignore=.*" # exclude hidden dirs created by Kubernetes - - "--server" - - "-l" - - "debug" - - "-c" - - "/config/opa.yaml" - - "--addr" - - "0.0.0.0:8181" - - "/tpp/tpp.rego" - volumeMounts: - - name: opa-config - mountPath: /config - - name: tpp-policy - mountPath: /tpp - - # -- configuration of a catchAll-route(e.g. /*) - catchAllRoute: - # -- should it be enabled - enabled: true - # -- configuration to connect the upstream broker - upstream: - url: http://my-broker:8000 - # -- configuration to verify the jwt, coming from the verifier - oidc: - clientId: mySecuredService - discoveryEndpoint: http://verifier:3000/services/mySecuredService/.well-known/openid-configuration - - # -- configuration of routes for apisix - routes: -# - uri: /myRoute -# upstream: -# nodes: -# http://my-upstream-service:8080: 1 -# type: roundrobin -# plugins: -# openid-connect: -# client_id: test-id -# client_secret: the-secret -# bearer_only: true -# use_jwks: true -# discovery: http://the-service/.well-known/openid-configuration -# opa: -# host: "http://localhost:8181" -# policy: policy/main/allow - -# -- configuration for the postgresql to be deployed as part of the connector, see https://github.com/bitnami/charts/tree/main/bitnami/postgresql for all options -postgis: - kubeVersion: 1.34-1 - # -- should it be enabled? set to false if one outside the chart is used. 
- enabled: true - global: - security: - # allow the image from the legacy repo - allowInsecureImages: true - image: - # -- fixes the unpullable image referenced in the chart - tag: 13.18.0 - # -- repository where the image is held, see https://github.com/bitnami/charts/issues/35164 for further info - repository: bitnamilegacy/postgresql - # -- overrides the generated name, provides stable service names - this should be avoided if multiple instances are available in the same namespace - fullnameOverride: data-service-postgis - # -- overrides the generated name, provides stable service names - this should be avoided if multiple instances are available in the same namespace - nameOverride: data-service-postgis - ## auth configuration for the database - auth: - existingSecret: data-service-secret - secretKeys: - adminPasswordKey: postgres-admin-password - userPasswordKey: postgres-user-password - ## configuration of the postgres primary replicas - primary: - ## provide db initialization - initdb: - ## provide scripts for initialization - scripts: - # -- enable the postgis extension and create the database as expected by scorpio - enable.sh: | - psql postgresql://postgres:${POSTGRES_PASSWORD}@localhost:5432 -c "CREATE EXTENSION postgis;" - psql postgresql://postgres:${POSTGRES_PASSWORD}@localhost:5432 -c "CREATE DATABASE ngb;" + transfers: + # -- host of the endpoint to check the process id, e.g. rainbow + host: "" + # -- path to check the id at + path: /transfers ## configuration of the context-broker - see https://github.com/FIWARE/helm-charts/tree/main/charts/scorpio-broker-aaio for details scorpio: 
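Review bot: The per-service database roles created under `users:` (`til`, `ccs`, `pap`, `keycloak`, `rainbow`) are not the ones the services connect with: `trusted-issuers-list`, `credentials-config-service` and `odrl-pap` all set `username: postgres` and read `postgres.postgres.credentials.postgresql.acid.zalan.do`, i.e. the cluster superuser, and the scorpio and keycloak hunks further down do the same. Only identityhub follows the intended pattern (`username: ih` with `ih.postgres.credentials.postgresql.acid.zalan.do`); for least privilege and consistency each service should use its own role and the matching `<user>.postgres.credentials.postgresql.acid.zalan.do` secret, e.g. for the trusted-issuers-list `username: til` and `name: til.postgres.credentials.postgresql.acid.zalan.do`. Two documentation nits in the same hunk: the comment above `port: 5432` repeats `# -- host of the database` (in both the trusted-issuers-list and credentials-config-service sections), and the `apisix:` block is described as `configuration for the odrl-pap`.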
@@ -410,13 +198,13 @@ scorpio: ## configuration of the database to be used by broker db: # -- host of the db - dbhost: data-service-postgis + dbhost: postgres # -- username to be used user: postgres existingSecret: enabled: true - name: data-service-secret - key: postgres-admin-password + name: postgres.postgres.credentials.postgresql.acid.zalan.do + key: password ## configuration of the readiness probe readinessProbe: # -- path to be used for the readiness probe, older versions used /actuator/health @@ -529,11 +317,11 @@ keycloak: enabled: false # -- host of the external db to be used externalDatabase: - host: postgresql - database: keycloak + host: postgres + database: keycloakdb user: postgres - existingSecret: database-secret - existingSecretPasswordKey: postgres-admin-password + existingSecret: postgres.postgres.credentials.postgresql.acid.zalan.do + existingSecretPasswordKey: password # -- extra volumes to be mounted extraVolumeMounts: @@ -546,12 +334,6 @@ keycloak: value: "--import-realm --health-enabled true" - name: KC_FEATURES value: "oid4vc-vci" - # password for reading the key store connected to the did - - name: STORE_PASS - valueFrom: - secretKeyRef: - name: kc-keystore - key: password # keycloak admin password - name: KC_ADMIN_PASSWORD valueFrom: @@ -703,10 +485,11 @@ keycloak: tm-forum-api: # -- should it be enabled? set to false if one outside the chart is used. enabled: true + # -- All TM Forum APIs in a single deployment, using the all-in-one image. This is recommended for testing and development, but not for production use. When set to false, every API will be deployed separately, allowing for more flexibility and scalability. + allInOne: + enabled: false ## configuration to be used by every api-deployment if nothing specific is provided. defaultConfig: - image: - tag: 1.4.4 # -- ngsi-ld broker connection information ngsiLd: # -- address of the broker 
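Review bot: Dropping `image: tag: 1.4.4` from `tm-forum-api.defaultConfig` leaves the deployed version to whatever the tm-forum-api subchart defaults to, so the version is no longer visible in this values file and will move with subchart updates. If following the subchart default is intended, a one-line comment on `defaultConfig` saying so (`# -- image tag is inherited from the tm-forum-api subchart default`) would make that explicit; otherwise the pin should stay. The new `allInOne` comment is helpful, but it would read better split into a short `# --` summary line and a separate explanatory line, as helm-docs renders only the summary in the table.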
@@ -810,7 +593,8 @@ tm-forum-api: # -- name of the scope name: default # -- name of the default credential to be configured - credentialType: VerifiableCredential + credentialTypes: + - VerifiableCredential # -- needs to be updated for the concrete dataspace trustedParticipantsLists: http://tir.trust-anchor.org trustedIssuersLists: http://trusted-issuers-list:8080 @@ -934,44 +718,6 @@ dataSpaceConfig: # -- Supported authentication protocols (e.g.: oid4vp) authenticationProtocols: [] - -## didJson provider to make the did.json file available -didJson: - # -- should the did.json be provided? - enabled: false - # -- port of the service to be used - port: 3000 - # -- did to be serverd - did: - # -- key material to be provided in the jwk of the did.json - key: - # -- kty to be used in the jwk - RSA and EC supported - kty: EC - # -- optional x5u endpoint to provide access to the corresponding cert chain - x5u: - # -- In case of kty==EC: xCoord of the EC key - xCoord: - # -- In case of kty==EC: yCoord of the EC key - yCoord: - # -- In case of kty==EC: curve to be used for the EC key - crv: - # -- In case of kty==RSA: exponent of the RSA key - exponent: - # -- In case of kty==RSA: modulus of the RSA key - modulus: - # -- ingress configuration of the did.json - ingress: - # -- should the ingress be enabled? - enabled: false - # -- host to provide the did.json at - host: - # -- tls secret to be used for the ingress - tlsSecret: - # -- annotations to be applied to the ingress - annotations: - traefik.ingress.kubernetes.io/service.passhostheader: "true" - traefik.ingress.kubernetes.io/router.tls: "true" - ## Installation of the mongo-operator - see https://github.com/mongodb/helm-charts/tree/main/charts/community-operator mongo-operator: # -- should the mongo-operator be installed 
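Review bot: Replacing the scalar `credentialType: VerifiableCredential` with the list `credentialTypes:` is a breaking values change that the hunk does not document: an override that still sets `credentialType` is presumably ignored by the template rather than rejected. A helm-docs comment on the new key naming the rename (`# -- list of credential types to be configured; replaces the former scalar credentialType`) plus a changelog entry would let chart consumers migrate deliberately; if the chart ships a values schema, listing `credentialType` there as no longer allowed would turn the silent ignore into a render-time error.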
@@ -1534,8 +1280,6 @@ identityhub: sts: port: 8087 path: /api/sts - - service: # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. type: ClusterIP @@ -1690,14 +1434,14 @@ identityhub: public: "" readiness: "" postgresql: - host: - port: + host: postgres + port: "5432" database: "ih" auth: - username: + username: ih password: - existingSecret: database-secret - existingSecretPasswordKey: postgres-admin-password + existingSecret: ih.postgres.credentials.postgresql.acid.zalan.do + existingSecretPasswordKey: password vault: enabled: false diff --git a/charts/trust-anchor/Chart.yaml b/charts/trust-anchor/Chart.yaml index a489b72..e0f1d27 100644 --- a/charts/trust-anchor/Chart.yaml +++ b/charts/trust-anchor/Chart.yaml @@ -9,5 +9,5 @@ dependencies: repository: https://fiware.github.io/helm-charts - name: mysql condition: mysql.enabled - version: 9.4.4 + version: 14.0.3 repository: https://charts.bitnami.com/bitnami diff --git a/charts/trust-anchor/values.yaml b/charts/trust-anchor/values.yaml index cdc1111..b6352b6 100644 --- a/charts/trust-anchor/values.yaml +++ b/charts/trust-anchor/values.yaml @@ -25,8 +25,9 @@ mysql: existingSecret: mysql-database-secret # -- scripts to be executed on db startup initdbScripts: - create.sql: | - CREATE DATABASE tirdb; + create.sh: | + #!/bin/bash + mysql -u root -p"${MYSQL_ROOT_PASSWORD}" -e "CREATE DATABASE IF NOT EXISTS tirdb;" # -- configuration for the trusted-issuers-list to be deployed as part of the trust-anchor, see https://github.com/FIWARE/helm-charts/tree/main/charts/trusted-issuers-list for all options trusted-issuers-list: 
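Review bot: In the new `create.sh` the root password is passed on the command line (`mysql -u root -p"${MYSQL_ROOT_PASSWORD}"`), which exposes it in the container's process list until the client has masked its arguments and in any `set -x` trace of the init script. Passing it through the environment keeps it out of argv: `MYSQL_PWD="${MYSQL_ROOT_PASSWORD}" mysql -u root -e "CREATE DATABASE IF NOT EXISTS tirdb;"`. The script also sets no `set -e`, so a failed `CREATE DATABASE` would not fail the init hook; `set -euo pipefail` after the shebang would surface it.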
diff --git a/doc/deployment-integration/aws-garnet/scenario-1-deployment/yaml/values-dsc-awl-load-balancer-controller-scenario1.yaml b/doc/deployment-integration/aws-garnet/scenario-1-deployment/yaml/values-dsc-awl-load-balancer-controller-scenario1.yaml index 3e710a2..ff49a91 100644 --- a/doc/deployment-integration/aws-garnet/scenario-1-deployment/yaml/values-dsc-awl-load-balancer-controller-scenario1.yaml +++ b/doc/deployment-integration/aws-garnet/scenario-1-deployment/yaml/values-dsc-awl-load-balancer-controller-scenario1.yaml @@ -952,13 +952,13 @@ keycloak: initContainers: - name: add-vc-issuer image: quay.io/fiware/keycloak-vc-issuer:0.5.0 - imagePullPolicy: Always + imagePullPolicy: IfNotPresent volumeMounts: - name: providers mountPath: /target - name: load-did image: quay.io/opencloudio/curl:4.2.0-build.8 - imagePullPolicy: Always + imagePullPolicy: IfNotPresent command: - /bin/sh - /opt/did/script/import.sh diff --git a/doc/deployment-integration/aws-garnet/scenario-1-deployment/yaml/values-dsc-aws-load-balancer-controller-scenario1.yaml b/doc/deployment-integration/aws-garnet/scenario-1-deployment/yaml/values-dsc-aws-load-balancer-controller-scenario1.yaml index 3d972bb..94cfb0f 100644 --- a/doc/deployment-integration/aws-garnet/scenario-1-deployment/yaml/values-dsc-aws-load-balancer-controller-scenario1.yaml +++ b/doc/deployment-integration/aws-garnet/scenario-1-deployment/yaml/values-dsc-aws-load-balancer-controller-scenario1.yaml @@ -952,13 +952,13 @@ keycloak: initContainers: - name: add-vc-issuer image: quay.io/fiware/keycloak-vc-issuer:0.5.0 - imagePullPolicy: Always + imagePullPolicy: IfNotPresent volumeMounts: - name: providers mountPath: /target - name: load-did image: quay.io/opencloudio/curl:4.2.0-build.8 - imagePullPolicy: Always + imagePullPolicy: IfNotPresent command: - /bin/sh - /opt/did/script/import.sh 
diff --git a/doc/deployment-integration/aws-garnet/scenario-2-deployment/yaml/values-dsc-awl-load-balancer-controller-scenario2.yaml b/doc/deployment-integration/aws-garnet/scenario-2-deployment/yaml/values-dsc-awl-load-balancer-controller-scenario2.yaml index 2447468..3debb46 100644 --- a/doc/deployment-integration/aws-garnet/scenario-2-deployment/yaml/values-dsc-awl-load-balancer-controller-scenario2.yaml +++ b/doc/deployment-integration/aws-garnet/scenario-2-deployment/yaml/values-dsc-awl-load-balancer-controller-scenario2.yaml @@ -952,13 +952,13 @@ keycloak: initContainers: - name: add-vc-issuer image: quay.io/fiware/keycloak-vc-issuer:0.5.0 - imagePullPolicy: Always + imagePullPolicy: IfNotPresent volumeMounts: - name: providers mountPath: /target - name: load-did image: quay.io/opencloudio/curl:4.2.0-build.8 - imagePullPolicy: Always + imagePullPolicy: IfNotPresent command: - /bin/sh - /opt/did/script/import.sh diff --git a/doc/deployment-integration/aws-garnet/scenario-2-deployment/yaml/values-dsc-aws-load-balancer-controller-scenario2.yaml b/doc/deployment-integration/aws-garnet/scenario-2-deployment/yaml/values-dsc-aws-load-balancer-controller-scenario2.yaml index 2447468..3debb46 100644 --- a/doc/deployment-integration/aws-garnet/scenario-2-deployment/yaml/values-dsc-aws-load-balancer-controller-scenario2.yaml +++ b/doc/deployment-integration/aws-garnet/scenario-2-deployment/yaml/values-dsc-aws-load-balancer-controller-scenario2.yaml @@ -952,13 +952,13 @@ keycloak: initContainers: - name: add-vc-issuer image: quay.io/fiware/keycloak-vc-issuer:0.5.0 - imagePullPolicy: Always + imagePullPolicy: IfNotPresent volumeMounts: - name: providers mountPath: /target - name: load-did image: quay.io/opencloudio/curl:4.2.0-build.8 - imagePullPolicy: Always + imagePullPolicy: IfNotPresent command: - /bin/sh - /opt/did/script/import.sh 
diff --git a/doc/deployment-integration/local-deployment/LOCAL.MD b/doc/deployment-integration/local-deployment/LOCAL.MD index d36516a..b5cc1a4 100644 --- a/doc/deployment-integration/local-deployment/LOCAL.MD +++ b/doc/deployment-integration/local-deployment/LOCAL.MD @@ -1412,7 +1412,7 @@ This will load the keystore into a secret and configures the [realm](../../../ch # add the init container that copies the plugin to the shared folder - name: install-jades-issuer image: quay.io/fiware/keycloak-jades-vc-issuer:1.2.0 - imagePullPolicy: Always + imagePullPolicy: IfNotPresent volumeMounts: - name: providers mountPath: /target @@ -1460,7 +1460,7 @@ dss: deployment: additionalContainers: - name: crl-provider-static - imagePullPolicy: Always + imagePullPolicy: IfNotPresent image: "lipanski/docker-static-website:2.1.0" volumeMounts: - name: crl-provider-json @@ -1494,7 +1494,7 @@ dss: Once everything is properly configured, the Dataspace can be deployed locally via: ```shell - mvn clean deploy -Plocal,etsi + mvn clean deploy -Plocal,elsi ``` The interaction is the same as in all previously described steps - see [Demo Interactions](#demo-interactions). The most visible difference is in the credential. diff --git a/doc/scripts/get-private-jwk-p-256.sh b/doc/scripts/get-private-jwk-p-256.sh index abead93..43f5d2d 100755 --- a/doc/scripts/get-private-jwk-p-256.sh +++ b/doc/scripts/get-private-jwk-p-256.sh 
@@ -13,12 +13,11 @@ if [ ! -f "$PEM_FILE" ]; then
 exit 1
 fi
 
-# Extract EC key parameters in hex
-EC_TEXT=$(openssl ec -in "$PEM_FILE" -no_public -text 2>/dev/null)
+# Extract EC key parameters in hex (supports both EC and PKCS#8 formats)
+KEY_TEXT=$(openssl pkey -in "$PEM_FILE" -text -noout 2>/dev/null)
 
-D_HEX=$(echo "$EC_TEXT" | awk '/priv:/{flag=1;next}/pub:/{flag=0}flag' | tr -d ' :\n')
-PUB_HEX=$(openssl ec -in "$PEM_FILE" -pubout -text 2>/dev/null \
- | awk '/pub:/{flag=1;next}/ASN1 OID/{flag=0}flag' | tr -d ' :\n')
+D_HEX=$(echo "$KEY_TEXT" | awk '/priv:/{flag=1;next}/pub:/{flag=0}flag' | tr -d ' :\n')
+PUB_HEX=$(echo "$KEY_TEXT" | awk '/pub:/{flag=1;next}/ASN1 OID/{flag=0}flag' | tr -d ' :\n')
 
 # Remove uncompressed point prefix (04)
 PUB_HEX="${PUB_HEX#04}"
diff --git a/helpers/certs/generate-certs.sh b/helpers/certs/generate-certs.sh
index 0fab85d..ac3575f 100755
--- a/helpers/certs/generate-certs.sh
+++ b/helpers/certs/generate-certs.sh
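Review bot: `KEY_TEXT=$(openssl pkey ... 2>/dev/null)` discards the error and the script continues with empty `D_HEX`/`PUB_HEX` when the file is not a parseable private key, so the failure shows up later as a malformed JWK instead of here. The `priv:` dump is also not guaranteed to be exactly 32 bytes: depending on the OpenSSL version the text form may carry a leading `00:` for a high-bit scalar or drop leading zero bytes, while a P-256 JWK needs `d` at the full 32-byte width. A check right after the extraction catches both, e.g. `[ "${#D_HEX}" -eq 64 ] || { echo "Error: unexpected private scalar length (${#D_HEX} hex chars) in $PEM_FILE" >&2; exit 1; }`; if short values turn out to occur in practice, left-padding to 64 hex characters rather than rejecting is the correct normalisation. The script continues past the end of the hunk.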
@@ -129,22 +129,23 @@ openssl x509 -in ${OUTPUT_FOLDER}/client-provider/certs/client.cert.pem -out ${O cat ${OUTPUT_FOLDER}/client-provider/certs/client.cert.pem ${OUTPUT_FOLDER}/intermediate/certs/ca-chain-bundle.cert.pem > ${OUTPUT_FOLDER}/client-provider/certs/client-chain-bundle.cert.pem -## create keystore to be used by keycloak +## create keystore to be used by keycloak (with full chain bundle) # consumer -openssl pkcs12 -export -password pass:password -in ${OUTPUT_FOLDER}/client-consumer/certs/client-chain-bundle.cert.pem -inkey ${OUTPUT_FOLDER}/client-consumer/private/client.key.pem -out ${OUTPUT_FOLDER}/client-consumer/certificate.p12 -name "certificate" -openssl pkcs12 -export -password pass:password -in ${OUTPUT_FOLDER}/client-consumer/certs/client.cert.pem -inkey ${OUTPUT_FOLDER}/client-consumer/private/client.key.pem -out ${OUTPUT_FOLDER}/client-consumer/keystore-did.pfx -name "certificate" openssl pkcs12 -export -password pass:password -in ${OUTPUT_FOLDER}/client-consumer/certs/client-chain-bundle.cert.pem -inkey ${OUTPUT_FOLDER}/client-consumer/private/client.key.pem -out ${OUTPUT_FOLDER}/client-consumer/keystore.pfx -name "certificate" # provider -openssl pkcs12 -export -password pass:password -in ${OUTPUT_FOLDER}/client-provider/certs/client-chain-bundle.cert.pem -inkey ${OUTPUT_FOLDER}/client-provider/private/client.key.pem -out ${OUTPUT_FOLDER}/client-provider/certificate.p12 -name "certificate" -openssl pkcs12 -export -password pass:password -in ${OUTPUT_FOLDER}/client-provider/certs/client.cert.pem -inkey ${OUTPUT_FOLDER}/client-provider/private/client.key.pem -out ${OUTPUT_FOLDER}/client-provider/keystore-did.pfx -name "certificate" openssl pkcs12 -export -password pass:password -in ${OUTPUT_FOLDER}/client-provider/certs/client-chain-bundle.cert.pem -inkey ${OUTPUT_FOLDER}/client-provider/private/client.key.pem -out ${OUTPUT_FOLDER}/client-provider/keystore.pfx -name "certificate" +## create keystore to be used by did-helper (cert + key only, 
no chain - did-helper only supports 2 bags) +# consumer +openssl pkcs12 -export -password pass:password -in ${OUTPUT_FOLDER}/client-consumer/certs/client.cert.pem -inkey ${OUTPUT_FOLDER}/client-consumer/private/client.key.pem -out ${OUTPUT_FOLDER}/client-consumer/keystore-did.pfx -name "certificate" + +# provider +openssl pkcs12 -export -password pass:password -in ${OUTPUT_FOLDER}/client-provider/certs/client.cert.pem -inkey ${OUTPUT_FOLDER}/client-provider/private/client.key.pem -out ${OUTPUT_FOLDER}/client-provider/keystore-did.pfx -name "certificate" # consumer kubectl create secret tls tls-secret --cert=${OUTPUT_FOLDER}/client-consumer/certs/client-chain-bundle.cert.pem --key=${OUTPUT_FOLDER}/client-consumer/private/client.key.pem --namespace consumer -o yaml --dry-run=client > ${k3sFolder}/consumer/tls-secret.yaml -kubectl create secret generic kc-keystore --from-file=keystore.pfx=${OUTPUT_FOLDER}/client-consumer/keystore.pfx --from-literal=password="password" --namespace=consumer --dry-run=client -oyaml > ${k3sFolder}/consumer/keystore-secret.yaml -kubectl create secret generic did-keystore --from-file=keystore-did.pfx=${OUTPUT_FOLDER}/client-consumer/keystore-did.pfx --from-literal=password="password" --namespace=consumer --dry-run=client -oyaml > ${k3sFolder}/consumer/keystore-did-secret.yaml +kubectl create secret generic consumer-keystore --from-file=keystore.pfx=${OUTPUT_FOLDER}/client-consumer/keystore.pfx --from-file=keystore-did.pfx=${OUTPUT_FOLDER}/client-consumer/keystore-did.pfx --from-literal=password="password" --namespace=consumer --dry-run=client -oyaml > ${k3sFolder}/consumer/keystore-secret.yaml kubectl create secret generic cert-chain --from-file=${OUTPUT_FOLDER}/client-consumer/certs/client-chain-bundle.cert.pem --namespace consumer -o yaml --dry-run=client > ${k3sFolder}/consumer/cert-chain.yaml consumer_key_env=$(openssl ec -in ${OUTPUT_FOLDER}/client-consumer/private/client.key.pem -noout -text | grep 'priv:' -A 3 | tail -n +2 | tr -d 
':\n ') @@ -156,8 +157,7 @@ kubectl create secret generic signing-key-env --from-literal=key="${consumer_key # provider kubectl create secret tls tls-secret --cert=${OUTPUT_FOLDER}/client-provider/certs/client-chain-bundle.cert.pem --key=${OUTPUT_FOLDER}/client-provider/private/client.key.pem --namespace provider -o yaml --dry-run=client > ${k3sFolder}/provider/tls-secret.yaml -kubectl create secret generic kc-keystore --from-file=keystore.pfx=${OUTPUT_FOLDER}/client-provider/keystore.pfx --from-literal=password="password" --namespace=provider --dry-run=client -oyaml > ${k3sFolder}/provider/keystore-secret.yaml -kubectl create secret generic did-keystore --from-file=keystore-did.pfx=${OUTPUT_FOLDER}/client-provider/keystore-did.pfx --from-literal=password="password" --namespace=provider --dry-run=client -oyaml > ${k3sFolder}/provider/keystore-did-secret.yaml +kubectl create secret generic provider-keystore --from-file=keystore.pfx=${OUTPUT_FOLDER}/client-provider/keystore.pfx --from-file=keystore-did.pfx=${OUTPUT_FOLDER}/client-provider/keystore-did.pfx --from-literal=password="password" --namespace=provider --dry-run=client -oyaml > ${k3sFolder}/provider/keystore-secret.yaml kubectl create secret generic cert-chain --from-file=${OUTPUT_FOLDER}/client-provider/certs/client-chain-bundle.cert.pem --namespace provider -o yaml --dry-run=client > ${k3sFolder}/provider/cert-chain.yaml provider_key_env=$(openssl ec -in ${OUTPUT_FOLDER}/client-provider/private/client.key.pem -noout -text | grep 'priv:' -A 3 | tail -n +2 | tr -d ':\n ') diff --git a/it/pom.xml b/it/pom.xml index 324b937..ccc6a85 100644 --- a/it/pom.xml +++ b/it/pom.xml @@ -30,6 +30,8 @@ 1.3.2 4.12.0 v1.1.1 + + ${project.basedir}/.. @@ -218,6 +220,28 @@ test + + org.apache.maven.plugins + maven-antrun-plugin + 1.8 + + + prepare-test + generate-test-sources + + run + + + + + + + + + + + + org.apache.maven.plugins maven-jar-plugin 
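Review bot: The merged `kubectl create secret generic consumer-keystore … > ${k3sFolder}/consumer/keystore-secret.yaml` line replaces the old `did-keystore` manifest but nothing deletes the `${k3sFolder}/consumer/keystore-did-secret.yaml` that earlier runs wrote, so on an existing workspace a stale secret manifest carrying an older copy of the same private key remains beside the new one and would still be applied if the rendered folder is applied wholesale. Add `rm -f ${k3sFolder}/consumer/keystore-did-secret.yaml` before the new `kubectl create secret` line; the provider hunk below has the same gap. The new `openssl pkcs12 -export -password pass:password …` lines keep the keystore password on the command line (visible via `ps`); that is acceptable for this local demo, but a one-line comment such as `# test-only keystores: static password, never reuse outside the local k3s setup` would stop them being copied into real deployments.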
@@ -336,6 +360,14 @@ + + io.github.download-maven-plugin + download-maven-plugin + 2.0.0 + + false + + maven-resources-plugin @@ -385,6 +417,10 @@ template-dsc-mongo-operator test-compile + + template-dsc-postgres-operator + test-compile + @@ -402,6 +438,14 @@ apply-mongo-operator pre-integration-test + + apply-postgres-operator-crd + pre-integration-test + + + apply-postgres-operator + pre-integration-test + apply-participants pre-integration-test diff --git a/it/src/test/java/org/fiware/dataspace/it/components/MPOperationsEnvironment.java b/it/src/test/java/org/fiware/dataspace/it/components/MPOperationsEnvironment.java index fc2fc99..de69a22 100644 --- a/it/src/test/java/org/fiware/dataspace/it/components/MPOperationsEnvironment.java +++ b/it/src/test/java/org/fiware/dataspace/it/components/MPOperationsEnvironment.java @@ -36,10 +36,12 @@ public static OpenIdConfiguration getOpenIDConfiguration(String targetHost) thro .url(targetHost + OIDC_WELL_KNOWN_PATH) .build(); Response wellKnownResponse = HTTP_CLIENT.newCall(wellKnownRequest).execute(); - assertEquals(HttpStatus.SC_OK, wellKnownResponse.code(), "The oidc config should have been returned."); - OpenIdConfiguration openIdConfiguration = OBJECT_MAPPER.readValue(wellKnownResponse.body().string(), OpenIdConfiguration.class); - wellKnownResponse.body().close(); - return openIdConfiguration; + try { + assertEquals(HttpStatus.SC_OK, wellKnownResponse.code(), "The oidc config should have been returned."); + return OBJECT_MAPPER.readValue(wellKnownResponse.body().string(), OpenIdConfiguration.class); + } finally { + wellKnownResponse.body().close(); + } } } diff --git a/it/src/test/java/org/fiware/dataspace/it/components/StepDefinitions.java b/it/src/test/java/org/fiware/dataspace/it/components/StepDefinitions.java index 229d063..2482a97 100644 --- a/it/src/test/java/org/fiware/dataspace/it/components/StepDefinitions.java +++ b/it/src/test/java/org/fiware/dataspace/it/components/StepDefinitions.java 
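Review bot: The new `io.github.download-maven-plugin` 2.0.0 declaration fetches content from the network during the integration-test build, and in this rendering (XML tags stripped) the only configuration value visible is `false`, with no checksum element in sight; if the real `<configuration>` lacks one, a moved or tampered download silently changes what the tests run against. Add a `<sha256>…</sha256>` (or `<sha512>`) to each `wget` execution so a mismatch fails the build rather than being cached. The plugin's executions and the antrun `prepare-test` step from the previous hunk are not fully visible here, so confirm against the actual pom.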
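Review bot: `getOpenIDConfiguration` now closes the body in a `finally`, but `Response` is `Closeable`, so the same intent is expressed more robustly as `try (Response wellKnownResponse = HTTP_CLIENT.newCall(wellKnownRequest).execute()) { … }`, which also lets `Response.close()` deal with the body instead of dereferencing `wellKnownResponse.body()` a second time in `finally`. The `cleanUpDcatCatalog` and `cleanUpAgreements` hunks of this same commit already use try-with-resources, so the codebase would keep one idiom instead of two. The method's signature is outside the hunk.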
@@ -80,16 +80,26 @@ private void cleanUpDcatCatalog() throws Exception { .get() .url(MPOperationsEnvironment.RAINBOW_DIRECT_ADDRESS + "/api/v1/catalogs") .build(); - Response catalogsResponse = HTTP_CLIENT.newCall(catalogsRequest).execute(); - List catalogs = OBJECT_MAPPER.readValue(catalogsResponse.body().string(), new TypeReference>() { - }); - - for (DcatCatalog dcat : catalogs) { - Request deleteRequest = new Request.Builder() - .delete() - .url(MPOperationsEnvironment.RAINBOW_DIRECT_ADDRESS + "/api/v1/catalogs/" + dcat.getId()) - .build(); - HTTP_CLIENT.newCall(deleteRequest).execute(); + try (Response catalogsResponse = HTTP_CLIENT.newCall(catalogsRequest).execute()) { + ResponseBody responseBody = catalogsResponse.body(); + if (responseBody == null || !catalogsResponse.isSuccessful()) { + return; + } + String bodyString = responseBody.string(); + List catalogs; + try { + catalogs = OBJECT_MAPPER.readValue(bodyString, new TypeReference>() {}); + } catch (Exception e) { + log.warn("Could not parse catalogs response (status={}): {}", catalogsResponse.code(), bodyString); + return; + } + for (DcatCatalog dcat : catalogs) { + Request deleteRequest = new Request.Builder() + .delete() + .url(MPOperationsEnvironment.RAINBOW_DIRECT_ADDRESS + "/api/v1/catalogs/" + dcat.getId()) + .build(); + try (Response ignored = HTTP_CLIENT.newCall(deleteRequest).execute()) {} + } } } 
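Review bot: The new guard `if (responseBody == null || !catalogsResponse.isSuccessful()) { return; }` turns a failed catalog listing (e.g. a 5xx from Rainbow) into a silent no-op, so the next scenario may start against a catalog that still holds the previous one's entries and fail for an unrelated reason; the parse-failure branch right below logs, so this branch should too: `log.warn("Could not list catalogs for cleanup (status={})", catalogsResponse.code()); return;`. The per-item `try (Response ignored = HTTP_CLIENT.newCall(deleteRequest).execute()) {}` likewise discards the delete status; a `log.warn` on `!ignored.isSuccessful()` would make a leaking cleanup visible. The method's signature is outside the hunk and `cleanUpAgreements` below has the same shape.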
@@ -98,16 +108,26 @@ private void cleanUpAgreements() throws Exception { .get() .url(MPOperationsEnvironment.RAINBOW_DIRECT_ADDRESS + "/api/v1/agreements") .build(); - Response catalogsResponse = HTTP_CLIENT.newCall(agreementsRequest).execute(); - List agreements = OBJECT_MAPPER.readValue(catalogsResponse.body().string(), new TypeReference>() { - }); - - for (Agreement agreement : agreements) { - Request deleteRequest = new Request.Builder() - .delete() - .url(MPOperationsEnvironment.RAINBOW_DIRECT_ADDRESS + "/api/v1/agreements/" + agreement.getAgreementId()) - .build(); - HTTP_CLIENT.newCall(deleteRequest).execute(); + try (Response agreementsResponse = HTTP_CLIENT.newCall(agreementsRequest).execute()) { + ResponseBody responseBody = agreementsResponse.body(); + if (responseBody == null || !agreementsResponse.isSuccessful()) { + return; + } + String bodyString = responseBody.string(); + List agreements; + try { + agreements = OBJECT_MAPPER.readValue(bodyString, new TypeReference>() {}); + } catch (Exception e) { + log.warn("Could not parse agreements response (status={}): {}", agreementsResponse.code(), bodyString); + return; + } + for (Agreement agreement : agreements) { + Request deleteRequest = new Request.Builder() + .delete() + .url(MPOperationsEnvironment.RAINBOW_DIRECT_ADDRESS + "/api/v1/agreements/" + agreement.getAgreementId()) + .build(); + try (Response ignored = HTTP_CLIENT.newCall(deleteRequest).execute()) {} + } } } 
@@ -583,9 +603,12 @@ public void registerAtMP() throws Exception { .addHeader("Authorization", "Bearer " + accessToken) .build(); Response organizationCreateResponse = HTTP_CLIENT.newCall(organizationCreateRequest).execute(); - assertEquals(HttpStatus.SC_CREATED, organizationCreateResponse.code(), "The organization should have been created."); - fancyMarketplaceRegistration = OBJECT_MAPPER.readValue(organizationCreateResponse.body().string(), OrganizationVO.class); - organizationCreateResponse.body().close(); + try { + assertEquals(HttpStatus.SC_CREATED, organizationCreateResponse.code(), "The organization should have been created."); + fancyMarketplaceRegistration = OBJECT_MAPPER.readValue(organizationCreateResponse.body().string(), OrganizationVO.class); + } finally { + organizationCreateResponse.body().close(); + } } @When("Fancy Marketplace buys access to M&P's k8s services.") @@ -812,7 +835,12 @@ public void createK8SCluster() throws Exception { try { String accessToken = getAccessTokenForFancyMarketplace(OPERATOR_CREDENTIAL, OPERATOR_SCOPE, MPOperationsEnvironment.PROVIDER_API_ADDRESS); Request creationRequest = createK8SClusterRequest(accessToken); - assertEquals(HttpStatus.SC_CREATED, HTTP_CLIENT.newCall(creationRequest).execute().code(), "The cluster should now have been created."); + Response creationResponse = HTTP_CLIENT.newCall(creationRequest).execute(); + try { + assertEquals(HttpStatus.SC_CREATED, creationResponse.code(), "The cluster should now have been created."); + } finally { + creationResponse.body().close(); + } } catch (Throwable t) { throw new AssertionFailedError(String.format("Error: %s", t)); } 
@@ -833,7 +861,14 @@ public void accessTheEnergyReport() throws Exception { Awaitility.await() .atMost(Duration.ofSeconds(20)) - .until(() -> HttpStatus.SC_OK == HTTP_CLIENT.newCall(authenticatedEntityRequest).execute().code()); + .until(() -> { + Response r = HTTP_CLIENT.newCall(authenticatedEntityRequest).execute(); + try { + return HttpStatus.SC_OK == r.code(); + } finally { + r.body().close(); + } + }); } @Then("M&P Operations uptime report service is offered at the IDSA Catalog Endpoint.") diff --git a/k3s/consumer-elsi.yaml b/k3s/consumer-elsi.yaml index 23fb42e..8766d69 100644 --- a/k3s/consumer-elsi.yaml +++ b/k3s/consumer-elsi.yaml 
@@ -1,69 +1,60 @@ -vcverifier: - enabled: false -credentials-config-service: - enabled: false -trusted-issuers-list: - enabled: false -mysql: - enabled: false -odrl-pap: - enabled: false -apisix: - enabled: false +decentralizedIam: + enabled: true + + vcAuthentication: + + postgres-operator: + enabled: false + + managedPostgres: + enabled: true + config: + volume: + storageClass: "local-path" + + vcverifier: + enabled: false + credentials-config-service: + enabled: false + trusted-issuers-list: + enabled: false + dss: + enabled: false + crl: + enabled: false + + odrlAuthorization: + odrl-pap: + enabled: false + apisix: + enabled: false + scorpio: enabled: false -postgis: - enabled: false tm-forum-api: enabled: false contract-management: enabled: false -postgresql: - primary: - persistence: - enabled: false - readReplicas: - persistence: - enabled: false - keycloak: ingress: enabled: true hostname: keycloak-consumer.127.0.0.1.nip.io - command: - - /bin/bash - args: - - -ec - - | - #!/bin/sh - export $(cat /did-material/did.env) - export KC_HOSTNAME=keycloak-consumer.127.0.0.1.nip.io - /opt/bitnami/scripts/keycloak/entrypoint.sh - /opt/bitnami/scripts/keycloak/run.sh initContainers: - name: install-jades-issuer image: quay.io/fiware/keycloak-jades-vc-issuer:1.2.0 - imagePullPolicy: Always + imagePullPolicy: IfNotPresent volumeMounts: - name: providers mountPath: /target - - name: register-at-tir - image: ubuntu + image: curlimages/curl:8.18.0 command: - - /bin/bash + - /bin/sh args: - -ec - | - #!/bin/bash - # source /did-material/did.env - apt-get -y update; apt-get -y install curl curl -X 'POST' 'http://tir.trust-anchor.svc.cluster.local:8080/issuer' -H 'Content-Type: application/json' -d "{\"did\": \"did:elsi:VATDE-1234567\", \"credentials\": []}" - volumeMounts: - - name: did-material - mountPath: /did-material - - name: register-at-til image: quay.io/curl/curl:8.1.2 command: 
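Review bot: The rewritten `register-at-tir` init container runs `curl -X 'POST' …` without `-f`/`--fail-with-body`, so a 4xx/5xx from the trust anchor still exits 0 under `sh -ec` and Keycloak starts with `did:elsi:VATDE-1234567` unregistered, surfacing later as an opaque verification failure; change it to `curl -fsS -X 'POST' 'http://tir.trust-anchor.svc.cluster.local:8080/issuer' …` so the pod fails fast. The pod now mixes two curl images, `curlimages/curl:8.18.0` here and `quay.io/curl/curl:8.1.2` in the `register-at-til` context line; pick one so there is a single image to track. Switching `keycloak-jades-vc-issuer:1.2.0` to `imagePullPolicy: IfNotPresent` means a node's cached image is trusted without re-checking the registry, so pin by digest (`image: quay.io/fiware/keycloak-jades-vc-issuer@sha256:…`) if that tag can be re-pushed.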
@@ -80,7 +71,6 @@ keycloak: - name: consumer-til-registration mountPath: /bin/init.sh subPath: init.sh - extraVolumeMounts: - name: elsi-trust-store mountPath: /trust-store @@ -88,10 +78,7 @@ keycloak: mountPath: /opt/bitnami/keycloak/data/import - name: providers mountPath: /opt/bitnami/keycloak/providers/ - extraVolumes: - - name: did-material - emptyDir: { } - name: realms configMap: name: test-realm-realm @@ -110,7 +97,7 @@ keycloak: import: true name: test-realm clientRoles: | - "${CLIENT_DID}": [ + "did:web:did-provider.127.0.0.1.nip.io": [ { "name": "READER", "description": "Is allowed to see offers etc.", @@ -137,7 +124,7 @@ keycloak: } ], "clientRoles": { - "${CLIENT_DID}": [ + "did:web:did-provider.127.0.0.1.nip.io": [ "OPERATOR" ], "account": [ @@ -150,7 +137,7 @@ keycloak: } clients: | { - "clientId": "${CLIENT_DID}", + "clientId": "did:web:did-provider.127.0.0.1.nip.io", "enabled": true, "description": "Client to connect test.org", "surrogateAuthRequired": false, @@ -185,7 +172,7 @@ keycloak: "protocolMapper": "oid4vc-target-role-mapper", "config": { "subjectProperty": "roles", - "clientId": "${CLIENT_DID}", + "clientId": "did:web:did-provider.127.0.0.1.nip.io", "supportedCredentialTypes": "OperatorCredential" } }, @@ -271,12 +258,8 @@ registration: configMap: consumer-til-registration til: http://trusted-issuers-list.provider.svc.cluster.local:8080 did: ${DID} - credentialsType: UserCredential - -dss: - enabled: false - crl: - enabled: false + credentialTypes: + - UserCredential elsi: enabled: true diff --git a/k3s/consumer-gaia-x.yaml b/k3s/consumer-gaia-x.yaml index 169786f..869a395 100644 --- a/k3s/consumer-gaia-x.yaml +++ b/k3s/consumer-gaia-x.yaml 
@@ -1,29 +1,29 @@ -vcverifier: - enabled: false -credentials-config-service: - enabled: false -trusted-issuers-list: - enabled: false -mysql: - enabled: false -odrl-pap: - enabled: false -apisix: - enabled: false scorpio: enabled: false -postgis: - enabled: false tm-forum-api: enabled: false contract-management: enabled: false -postgresql: - primary: - persistence: +decentralizedIam: + enabled: true + vcAuthentication: + postgres-operator: enabled: false - readReplicas: - persistence: + managedPostgres: + enabled: true + config: + volume: + storageClass: "local-path" + vcverifier: + enabled: false + credentials-config-service: + enabled: false + trusted-issuers-list: + enabled: false + odrlAuthorization: + odrl-pap: + enabled: false + apisix: enabled: false keycloak: ingress: @@ -41,14 +41,13 @@ keycloak: /opt/bitnami/scripts/keycloak/run.sh initContainers: - name: register-at-tir - image: ubuntu + image: curlimages/curl:8.18.0 command: - - /bin/bash + - /bin/sh args: - -ec - | - #!/bin/bash - apt-get -y update; apt-get -y install curl + #!/bin/sh curl -X 'POST' 'http://tir.trust-anchor.svc.cluster.local:8080/issuer' -H 'Content-Type: application/json' -d "{\"did\": \"did:web:fancy-marketplace.biz\", \"credentials\": []}" volumeMounts: - name: did-material 
@@ -92,19 +91,32 @@ keycloak: secret: secretName: consumer-keystore defaultMode: 0755 - signingKey: - storePath: /keys/keystore.pfx - storePassword: "${STORE_PASS}" - keyAlias: certificate - keyPassword: "${STORE_PASS}" - did: did:web:fancy-marketplace.biz - keyAlgorithm: RS256 extraEnvVars: + - name: KEYCLOAK_EXTRA_ARGS + value: "--import-realm" + - name: KC_FEATURES + value: "oid4vc-vci" + # keycloak admin password + - name: KC_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: issuance-secret + key: keycloak-admin + # set in accordance with the memory requests, will result in OOM otherwise + - name: KC_HEAP_SIZE + value: "1024m" - name: "STORE_PASS" valueFrom: secretKeyRef: name: consumer-keystore key: password + signingKey: + storePath: /keys/keystore.pfx + storePassword: "${STORE_PASS}" + keyAlias: certificate + keyPassword: "${STORE_PASS}" + did: did:web:fancy-marketplace.biz + keyAlgorithm: ES256 realm: frontendUrl: http://keycloak-consumer.127.0.0.1.nip.io:8080 import: true @@ -249,7 +261,7 @@ registration: configMap: consumer-til-registration til: http://trusted-issuers-list.provider.svc.cluster.local:8080 did: did:web:fancy-marketplace.biz - credentialTypes: + credentialTypes: - UserCredential did: enabled: true @@ -266,7 +278,7 @@ did: provideKeystore: enabled: true keystoreSecretName: "consumer-keystore" - keystoreSecretKey: "keystore.pfx" + keystoreSecretKey: "keystore-did.pfx" keyType: "EC" ingress: enabled: true diff --git a/k3s/consumer.yaml b/k3s/consumer.yaml index ab465ec..3c6184d 100644 --- a/k3s/consumer.yaml +++ b/k3s/consumer.yaml @@ -1,11 +1,11 @@ -postgresql: - primary: - persistence: - enabled: false - readReplicas: - persistence: - enabled: false keycloak: + metrics: + enabled: true + resources: + requests: + cpu: "100m" + limits: + cpu: "500m" ingress: enabled: true hostname: keycloak-consumer.127.0.0.1.nip.io 
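Review bot: The `consumer-keystore` secret volume directly above the moved `signingKey` block is still mounted with `defaultMode: 0755`, so the PKCS#12 holding the DID signing key is world-readable (and executable) inside the container although only the Keycloak process needs it; a read-only mode such as `defaultMode: 0440` (with the pod's fsGroup) is sufficient. The `keyAlgorithm` change from `RS256` to `ES256` is consistent with the EC client key that `generate-certs.sh` packs into `keystore.pfx` elsewhere in this commit, but the new `KC_ADMIN_PASSWORD` reads `issuance-secret`/`keycloak-admin`, whose creation is not visible in this diff — confirm it exists in the consumer namespace or the pod will not start. The enclosing `keycloak:` section continues outside the hunk.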
@@ -13,14 +13,13 @@ keycloak: traefik.ingress.kubernetes.io/router.tls: "true" initContainers: - name: register-at-tir - image: ubuntu + image: curlimages/curl:8.18.0 command: - - /bin/bash + - /bin/sh args: - -ec - | - #!/bin/bash - apt-get -y update; apt-get -y install curl + #!/bin/sh curl -X 'POST' 'http://tir.trust-anchor.svc.cluster.local:8080/issuer' -H 'Content-Type: application/json' -d "{\"did\": \"did:web:fancy-marketplace.biz\", \"credentials\": []}" extraVolumeMounts: - name: realms @@ -33,7 +32,7 @@ keycloak: name: test-realm-realm - name: consumer-key secret: - secretName: kc-keystore + secretName: consumer-keystore defaultMode: 0755 issuerDid: did:web:fancy-marketplace.biz signingKey: @@ -43,6 +42,28 @@ keycloak: keyPassword: "${STORE_PASS}" did: did:web:fancy-marketplace.biz keyAlgorithm: ES256 + extraEnvVars: + - name: KEYCLOAK_EXTRA_ARGS + value: "--import-realm" + - name: KC_FEATURES + value: "oid4vc-vci" + # enable health endpoints + - name: KC_HEALTH_ENABLED + value: "true" + # keycloak admin password + - name: KC_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: issuance-secret + key: keycloak-admin + # set in accordance with the memory requests, will result in OOM otherwise + - name: KC_HEAP_SIZE + value: "1024m" + - name: "STORE_PASS" + valueFrom: + secretKeyRef: + name: consumer-keystore + key: password realm: frontendUrl: https://keycloak-consumer.127.0.0.1.nip.io import: true 
@@ -649,7 +670,22 @@ keycloak: } ] } - clients: "{\n \"clientId\": \"did:web:mp-operations.org\",\n \"enabled\": true,\n \"description\": \"Client to connect mp-operations.org\",\n \"surrogateAuthRequired\": false,\n \"alwaysDisplayInConsole\": false,\n \"clientAuthenticatorType\": \"client-secret\",\n \"defaultRoles\": [],\n \"redirectUris\": [], \n \"webOrigins\": [],\n \"notBefore\": 0,\n \"bearerOnly\": false,\n \"consentRequired\": false,\n \"standardFlowEnabled\": true,\n \"implicitFlowEnabled\": false,\n \"directAccessGrantsEnabled\": false,\n \"serviceAccountsEnabled\": true,\n \"publicClient\": false,\n \"frontchannelLogout\": false,\n \"secret\": \"kpWxZn7LgcWT84AzS3aS5X5URmL0FC0Q\",\n \"protocol\": \"openid-connect\",\n \"attributes\": {\n \"client.secret.creation.time\": \"1675260539\"\n },\n \"protocolMappers\": [\n ],\n \"authenticationFlowBindingOverrides\": {},\n \"fullScopeAllowed\": true,\n \"nodeReRegistrationTimeout\": -1,\n \"defaultClientScopes\": [],\n \"optionalClientScopes\": []\n},\n{\n \"clientId\": \"did:web:fancy-marketplace.biz\",\n \"enabled\": true,\n \"description\": \"Client to connect itself\",\n \"surrogateAuthRequired\": false,\n \"alwaysDisplayInConsole\": false,\n \"clientAuthenticatorType\": \"client-secret\",\n \"defaultRoles\": [],\n \"redirectUris\": [], \n \"webOrigins\": [],\n \"notBefore\": 0,\n \"bearerOnly\": false,\n \"consentRequired\": false,\n \"standardFlowEnabled\": true,\n \"implicitFlowEnabled\": false,\n \"directAccessGrantsEnabled\": false,\n \"serviceAccountsEnabled\": false,\n \"publicClient\": false,\n \"frontchannelLogout\": false,\n \"protocol\": \"openid-connect\",\n \"attributes\": {\n \"client.secret.creation.time\": \"1675260539\"\n },\n \"protocolMappers\": [\n ],\n \"authenticationFlowBindingOverrides\": {},\n \"fullScopeAllowed\": true,\n \"nodeReRegistrationTimeout\": -1,\n \"defaultClientScopes\": [],\n \"optionalClientScopes\": []\n},\n{\n \"clientId\": \"account\",\n \"name\": 
\"${client_account}\",\n \"rootUrl\": \"${authBaseUrl}\",\n \"baseUrl\": \"/realms/test-realm/account/\",\n \"surrogateAuthRequired\": false,\n \"enabled\": true,\n \"alwaysDisplayInConsole\": false,\n \"clientAuthenticatorType\": \"client-secret\",\n \"redirectUris\": [\n \"/realms/test-realm/account/*\"\n ],\n \"webOrigins\": [],\n \"notBefore\": 0,\n \"bearerOnly\": false,\n \"consentRequired\": false,\n \"standardFlowEnabled\": true,\n \"implicitFlowEnabled\": false,\n \"directAccessGrantsEnabled\": false,\n \"serviceAccountsEnabled\": true,\n \"publicClient\": true,\n \"frontchannelLogout\": false,\n \"protocol\": \"openid-connect\",\n \"attributes\": {\n \"client.secret.creation.time\": \"1675260539\",\n \"realm_client\": \"false\",\n \"post.logout.redirect.uris\": \"+\"\n },\n \"authenticationFlowBindingOverrides\": {},\n \"fullScopeAllowed\": true,\n \"nodeReRegistrationTimeout\": 0,\n \"defaultClientScopes\": [\n \"web-origins\",\n \"acr\",\n \"roles\",\n \"profile\",\n \"basic\",\n \"email\"\n ],\n \"optionalClientScopes\": [\n \"address\",\n \"phone\",\n \"offline_access\",\n \"organization\",\n \"microprofile-jwt\"\n ]\n},\n{\n \"clientId\": \"account-console\",\n \"name\": \"${client_account-console}\",\n \"rootUrl\": \"${authBaseUrl}\",\n \"baseUrl\": \"/realms/test-realm/account/\",\n \"surrogateAuthRequired\": false,\n \"enabled\": true,\n \"alwaysDisplayInConsole\": false,\n \"clientAuthenticatorType\": \"client-secret\",\n \"redirectUris\": [\n \"/realms/test-realm/account/*\"\n ],\n \"webOrigins\": [],\n \"notBefore\": 0,\n \"bearerOnly\": false,\n \"consentRequired\": false,\n \"standardFlowEnabled\": true,\n \"implicitFlowEnabled\": false,\n \"directAccessGrantsEnabled\": true,\n \"serviceAccountsEnabled\": false,\n \"publicClient\": true,\n \"frontchannelLogout\": false,\n \"protocol\": \"openid-connect\",\n \"attributes\": {\n \"realm_client\": \"false\",\n \"post.logout.redirect.uris\": \"+\",\n \"pkce.code.challenge.method\": \"S256\"\n 
},\n \"authenticationFlowBindingOverrides\": {},\n \"fullScopeAllowed\": true,\n \"nodeReRegistrationTimeout\": 0,\n \"protocolMappers\": [\n {\n \"id\": \"706c5202-1b03-4fad-a5b8-484287e941f8\",\n \"name\": \"audience resolve\",\n \"protocol\": \"openid-connect\",\n \"protocolMapper\": \"oidc-audience-resolve-mapper\",\n \"consentRequired\": false,\n \"config\": {}\n }\n ],\n \"defaultClientScopes\": [\n \"web-origins\",\n \"acr\",\n \"roles\",\n \"profile\",\n \"basic\",\n \"email\"\n ],\n \"optionalClientScopes\": [\n \"address\",\n \"phone\",\n \"offline_access\",\n \"organization\",\n \"microprofile-jwt\",\n \"LegalPersonCredential\",\n \"OperatorCredential\",\n \"UserCredential\",\n \"MarketplaceCredential\",\n \"MembershipCredential\"\n ]\n},\n{\n \"clientId\": \"admin-cli\",\n \"name\": \"${client_admin-cli}\",\n \"surrogateAuthRequired\": false,\n \"enabled\": true,\n \"alwaysDisplayInConsole\": false,\n \"clientAuthenticatorType\": \"client-secret\",\n \"secret\": \"kpWxZn7LgcWT84AzS3aS5X5URmL0FC0Q\",\n \"redirectUris\": [],\n \"webOrigins\": [],\n \"notBefore\": 0,\n \"bearerOnly\": false,\n \"consentRequired\": false,\n \"standardFlowEnabled\": false,\n \"implicitFlowEnabled\": false,\n \"directAccessGrantsEnabled\": true,\n \"serviceAccountsEnabled\": true,\n \"publicClient\": false,\n \"frontchannelLogout\": false,\n \"protocol\": \"openid-connect\",\n \"attributes\": {\n \"client.secret.creation.time\": \"1675260539\",\n \"realm_client\": \"false\",\n \"client.use.lightweight.access.token.enabled\": \"true\"\n },\n \"authenticationFlowBindingOverrides\": {},\n \"fullScopeAllowed\": true,\n \"nodeReRegistrationTimeout\": 0,\n \"protocolMappers\": [\n {\n \"name\": \"audience resolve\",\n \"protocol\": \"openid-connect\",\n \"protocolMapper\": \"oidc-audience-resolve-mapper\",\n \"consentRequired\": false,\n \"config\": {}\n }\n ],\n \"defaultClientScopes\": [\n \"web-origins\",\n \"acr\",\n \"roles\",\n \"profile\",\n \"basic\",\n \"email\"\n ],\n 
\"optionalClientScopes\": [\n \"address\",\n \"phone\",\n \"offline_access\",\n \"organization\",\n \"microprofile-jwt\",\n \"UserCredential\",\n \"LegalPersonCredential\",\n \"MarketplaceCredential\"\n ]\n}\n" + clients: "{\n \"clientId\": \"did:web:mp-operations.org\",\n \"enabled\": true,\n \"description\": \"Client to connect mp-operations.org\",\n \"surrogateAuthRequired\": false,\n \"alwaysDisplayInConsole\": false,\n \"clientAuthenticatorType\": \"client-secret\",\n \"defaultRoles\": [],\n \"redirectUris\": [], \n \"webOrigins\": [],\n \"notBefore\": 0,\n \"bearerOnly\": false,\n \"consentRequired\": false,\n \"standardFlowEnabled\": true,\n \"implicitFlowEnabled\": false,\n \"directAccessGrantsEnabled\": false,\n \"serviceAccountsEnabled\": true,\n \"publicClient\": false,\n \"frontchannelLogout\": false,\n \"secret\": \"kpWxZn7LgcWT84AzS3aS5X5URmL0FC0Q\",\n \"protocol\": \"openid-connect\",\n \"attributes\": {\n \"client.secret.creation.time\": \"1675260539\"\n },\n \"protocolMappers\": [\n ],\n \"authenticationFlowBindingOverrides\": {},\n \"fullScopeAllowed\": true,\n \"nodeReRegistrationTimeout\": -1,\n \"defaultClientScopes\": [],\n \"optionalClientScopes\": []\n},\n{\n \"clientId\": \"did:web:fancy-marketplace.biz\",\n \"enabled\": true,\n \"description\": \"Client to connect itself\",\n \"surrogateAuthRequired\": false,\n \"alwaysDisplayInConsole\": false,\n \"clientAuthenticatorType\": \"client-secret\",\n \"defaultRoles\": [],\n \"redirectUris\": [], \n \"webOrigins\": [],\n \"notBefore\": 0,\n \"bearerOnly\": false,\n \"consentRequired\": false,\n \"standardFlowEnabled\": true,\n \"implicitFlowEnabled\": false,\n \"directAccessGrantsEnabled\": false,\n \"serviceAccountsEnabled\": false,\n \"publicClient\": false,\n \"frontchannelLogout\": false,\n \"protocol\": \"openid-connect\",\n \"attributes\": {\n \"client.secret.creation.time\": \"1675260539\"\n },\n \"protocolMappers\": [\n ],\n \"authenticationFlowBindingOverrides\": {},\n 
\"fullScopeAllowed\": true,\n \"nodeReRegistrationTimeout\": -1,\n \"defaultClientScopes\": [],\n \"optionalClientScopes\": []\n},\n{\n \"clientId\": \"account\",\n \"name\": \"${client_account}\",\n \"rootUrl\": \"${authBaseUrl}\",\n \"baseUrl\": \"/realms/test-realm/account/\",\n \"surrogateAuthRequired\": false,\n \"enabled\": true,\n \"alwaysDisplayInConsole\": false,\n \"clientAuthenticatorType\": \"client-secret\",\n \"redirectUris\": [\n \"/realms/test-realm/account/*\"\n ],\n \"webOrigins\": [],\n \"notBefore\": 0,\n \"bearerOnly\": false,\n \"consentRequired\": false,\n \"standardFlowEnabled\": true,\n \"implicitFlowEnabled\": false,\n \"directAccessGrantsEnabled\": false,\n \"serviceAccountsEnabled\": true,\n \"publicClient\": true,\n \"frontchannelLogout\": false,\n \"protocol\": \"openid-connect\",\n \"attributes\": {\n \"client.secret.creation.time\": \"1675260539\",\n \"realm_client\": \"false\",\n \"post.logout.redirect.uris\": \"+\"\n },\n \"authenticationFlowBindingOverrides\": {},\n \"fullScopeAllowed\": true,\n \"nodeReRegistrationTimeout\": 0,\n \"defaultClientScopes\": [\n \"web-origins\",\n \"acr\",\n \"roles\",\n \"profile\",\n \"basic\",\n \"email\"\n ],\n \"optionalClientScopes\": [\n \"address\",\n \"phone\",\n \"offline_access\",\n \"organization\",\n \"microprofile-jwt\"\n ]\n},\n{\n \"clientId\": \"account-console\",\n \"name\": \"${client_account-console}\",\n \"rootUrl\": \"${authBaseUrl}\",\n \"baseUrl\": \"/realms/test-realm/account/\",\n \"surrogateAuthRequired\": false,\n \"enabled\": true,\n \"alwaysDisplayInConsole\": false,\n \"clientAuthenticatorType\": \"client-secret\",\n \"redirectUris\": [\n \"/realms/test-realm/account/*\"\n ],\n \"webOrigins\": [],\n \"notBefore\": 0,\n \"bearerOnly\": false,\n \"consentRequired\": false,\n \"standardFlowEnabled\": true,\n \"implicitFlowEnabled\": false,\n \"directAccessGrantsEnabled\": true,\n \"serviceAccountsEnabled\": false,\n \"publicClient\": true,\n \"frontchannelLogout\": 
false,\n \"protocol\": \"openid-connect\",\n \"attributes\": {\n \"realm_client\": \"false\",\n \"post.logout.redirect.uris\": \"+\",\n \"pkce.code.challenge.method\": \"S256\"\n },\n \"authenticationFlowBindingOverrides\": {},\n \"fullScopeAllowed\": true,\n \"nodeReRegistrationTimeout\": 0,\n \"protocolMappers\": [\n {\n \"id\": \"706c5202-1b03-4fad-a5b8-484287e941f8\",\n \"name\": \"audience resolve\",\n \"protocol\": \"openid-connect\",\n \"protocolMapper\": \"oidc-audience-resolve-mapper\",\n \"consentRequired\": false,\n \"config\": {}\n }\n ],\n \"defaultClientScopes\": [\n \"web-origins\",\n \"acr\",\n \"roles\",\n \"profile\",\n \"basic\",\n \"email\"\n ],\n \"optionalClientScopes\": [\n \"address\",\n \"phone\",\n \"offline_access\",\n \"organization\",\n \"microprofile-jwt\",\n \"LegalPersonCredential\",\n \"OperatorCredential\",\n \"UserCredential\",\n \"MarketplaceCredential\",\n \"MembershipCredential\"\n ]\n},\n{\n \"clientId\": \"admin-cli\",\n \"name\": \"${client_admin-cli}\",\n \"surrogateAuthRequired\": false,\n \"enabled\": true,\n \"alwaysDisplayInConsole\": false,\n \"clientAuthenticatorType\": \"client-secret\",\n \"secret\": \"kpWxZn7LgcWT84AzS3aS5X5URmL0FC0Q\",\n \"redirectUris\": [],\n \"webOrigins\": [],\n \"notBefore\": 0,\n \"bearerOnly\": false,\n \"consentRequired\": false,\n \"standardFlowEnabled\": false,\n \"implicitFlowEnabled\": false,\n \"directAccessGrantsEnabled\": true,\n \"serviceAccountsEnabled\": true,\n \"publicClient\": false,\n \"frontchannelLogout\": false,\n \"protocol\": \"openid-connect\",\n \"attributes\": {\n \"client.secret.creation.time\": \"1675260539\",\n \"realm_client\": \"false\",\n \"client.use.lightweight.access.token.enabled\": \"true\"\n },\n \"authenticationFlowBindingOverrides\": {},\n \"fullScopeAllowed\": true,\n \"nodeReRegistrationTimeout\": 0,\n \"protocolMappers\": [\n {\n \"name\": \"audience resolve\",\n \"protocol\": \"openid-connect\",\n \"protocolMapper\": 
\"oidc-audience-resolve-mapper\",\n \"consentRequired\": false,\n \"config\": {}\n }\n ],\n \"defaultClientScopes\": [\n \"web-origins\",\n \"acr\",\n \"roles\",\n \"profile\",\n \"basic\",\n \"email\"\n ],\n \"optionalClientScopes\": [\n \"address\",\n \"phone\",\n \"offline_access\",\n \"organization\",\n \"microprofile-jwt\",\n \"UserCredential\",\n \"LegalPersonCredential\",\n \"MembershipCredential\",\n \"MarketplaceCredential\"\n ]\n}\n" +# -- integration of rainbow +rainbow: + enabled: true + db: + url: postgres + user: rainbow + existingSecret: rainbow.postgres.credentials.postgresql.acid.zalan.do + passwordKey: password + ingress: + enabled: true + hosts: + - host: rainbow-consumer.127.0.0.1.nip.io + paths: + - / + host: rainbow-consumer.127.0.0.1.nip.io did: enabled: true config: @@ -658,13 +694,13 @@ did: didType: "web" hostUrl: "http://fancy-marketplace.biz" outputFormat: "json_jwk" - keystorePasswordSecretName: "did-keystore" + keystorePasswordSecretName: "consumer-keystore" keystorePasswordSecretKey: "password" generateKey: enabled: false provideKeystore: enabled: true - keystoreSecretName: "did-keystore" + keystoreSecretName: "consumer-keystore" keystoreSecretKey: "keystore-did.pfx" keyType: "EC" ingress: @@ -695,6 +731,10 @@ registration: ## configuration for providing the (central) marketplace # tmf as marketplace backend tm-forum-api: + allInOne: + enabled: true + apiProxy: + enabled: false registration: enabled: false ingress: 
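Review bot: The re-added `clients` string keeps `\"secret\": \"kpWxZn7LgcWT84AzS3aS5X5URmL0FC0Q\"` verbatim for both the `did:web:mp-operations.org` service-account client and `admin-cli` (which has `directAccessGrantsEnabled: true` and `serviceAccountsEnabled: true`), so the realm imports a committed static credential that lets anyone with the repository obtain tokens; the realm already relies on env substitution (`${STORE_PASS}` in `signingKey`), so replace the literal with `\"secret\": \"${CLIENT_SECRET}\"` and feed `CLIENT_SECRET` from a Secret via `extraEnvVars`, as the new `rainbow.db.existingSecret` in this hunk does for the DB password. The only functional change in this long single-line string appears to be `MembershipCredential` added to `admin-cli`'s `optionalClientScopes`, which is nearly impossible to review in this form; moving the realm JSON to a file-backed ConfigMap would make such edits diff line by line.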
@@ -703,319 +743,293 @@ tm-forum-api: - host: consumer-tmf.127.0.0.1.nip.io paths: - / - defaultConfig: - livenessProbe: - healthPath: /health/liveness - initialDelaySeconds: 30 - periodSeconds: 100 - successThreshold: 1 - failureThreshold: 300 - timeoutSeconds: 100 - readinessProbe: - readinessPath: /health/readiness - initialDelaySeconds: 30 - periodSeconds: 100 - successThreshold: 1 - failureThreshold: 300 - timeoutSeconds: 100 + # scorpio as tmf backend, no public endpoint required scorpio: enabled: true -# policies for accessing the tmf -odrl-pap: - additionalEnvVars: - - name: GENERAL_ORGANIZATION_DID - value: did:web:fancy-marketplace.biz - ingress: - enabled: true - hosts: - - host: pap-consumer.127.0.0.1.nip.io - paths: - - "/" -# authentication configuration -credentials-config-service: - additionalEnvVars: - - name: FLYWAY_DATASOURCES_DEFAULT_LOCATIONS - value: classpath:db/migration/common,classpath:db/migration/mysql - registration: - enabled: true - services: - - id: tm-forum - defaultOidcScope: "default" - authorizationType: "DEEPLINK" - oidcScopes: - "default": - credentials: - - type: LegalPersonCredential - trustedParticipantsLists: - - http://tir.127.0.0.1.nip.io - # we want that every participant can access the marketplace and register - trustedIssuersLists: - - "*" - jwtInclusion: - enabled: true - fullInclusion: true - dcql: - credentials: - - id: legal-person-query - format: "vc+sd-jwt" - multiple: false - claims: - - id: roles-claim - path: - - roles - meta: - vct_values: - - LegalPersonCredential - - id: dsp - defaultOidcScope: "openid" - authorizationType: "DEEPLINK" - oidcScopes: - "openid": - credentials: - - type: MembershipCredential - trustedParticipantsLists: - - http://tir.127.0.0.1.nip.io - trustedIssuersLists: - - "*" - jwtInclusion: - enabled: true - fullInclusion: true - dcql: - credentials: - - id: mc-query - format: "jwt_vc_json" - multiple: true - meta: - type_values: - - MembershipCredential -# provide authentication 
capabilities -vcverifier: - ingress: - enabled: true - annotations: - traefik.ingress.kubernetes.io/router.tls: "true" - tls: - - hosts: - - verifier.fancy-marketplace.biz - secretName: tls-secret - hosts: - - host: verifier.fancy-marketplace.biz - paths: - - "/" - deployment: - logging: - level: DEBUG - verifier: - tirAddress: http://tir.127.0.0.1.nip.io/ - did: did:web:fancy-marketplace.biz - supportedModes: ["byValue", "byReference"] - clientIdentification: - keyPath: /signing-key/client.key.pem - requestKeyAlgorithm: ES256 - id: x509_san_dns:verifier.fancy-marketplace.biz - certificatePath: /certificate/client-chain-bundle.cert.pem - server: - host: https://verifier.fancy-marketplace.biz - configRepo: - configEndpoint: http://credentials-config-service:8080 - additionalVolumes: - - name: signing-key - secret: - secretName: signing-key - - name: cert-chain - secret: - secretName: cert-chain - # add the self generated root ca to the system truststore - - name: root-ca - emptyDir: {} - - name: ca-to-add - secret: - secretName: root-ca - additionalVolumeMounts: - - name: signing-key - mountPath: /signing-key - - name: cert-chain - mountPath: /certificate - # add the self generated root ca to the system truststore - - name: root-ca - mountPath: /etc/ssl/cert.pem - subPath: cert.pem - additionalEnvVars: - - name: HTTPS_PROXY - value: "http://squid-proxy.infra.svc.cluster.local:8888" - - name: HTTP_PROXY - value: "http://squid-proxy.infra.svc.cluster.local:8888" - - name: NO_PROXY - value: "credentials-config-service,w3.org,trusted-issuers-list" - initContainers: - # add the self generated root ca to the system truststore - - name: add-root-ca - image: alpine:3.21.3 - command: - - /bin/sh - args: - - -c - - | - #!/bin/sh - cp /etc/ssl/cert.pem /root-ca/cert.pdata.typeem - cat /root-ca/cacert.pem >> /root-ca/cert.pem - volumeMounts: - - name: root-ca - mountPath: /root-ca - - name: ca-to-add - mountPath: /root-ca/cacert.pem - subPath: cacert.pem - - name: 
register-at-tir - image: ubuntu - command: - - /bin/bash - args: - - -ec - - | - #!/bin/bash - apt-get -y update; apt-get -y install curl - curl -X 'POST' 'http://tir.trust-anchor.svc.cluster.local:8080/issuer' -H 'Content-Type: application/json' -d "{\"did\": \"did:web:fancy-marketplace.biz\", \"credentials\": []}" -# required dbs -mysql: - resourcesPreset: none - primary: - persistence: - enabled: false - secondary: - persistence: - enabled: false -postgis: - primary: - resourcesPreset: none - persistence: - enabled: false - readReplicas: - persistence: - enabled: false -postgresql: - primary: - resourcesPreset: none - persistence: - enabled: false - readReplicas: - persistence: + resources: + limits: + cpu: "500m" + memory: 1Gi + requests: + cpu: "100m" + memory: 128Mi +decentralizedIam: + enabled: true + vcAuthentication: + postgres-operator: enabled: false -# authorized access to tmforum -apisix: - etcd: - replicaCount: 1 - image: - debug: true - dataPlane: - ingress: + managedPostgres: enabled: true - hostname: fancy-marketplace.127.0.0.1.nip.io - extraHosts: - - name: dsp-fancy-marketplace.127.0.0.1.nip.io - path: / - - name: dcp-fancy-marketplace.127.0.0.1.nip.io - path: / - - name: identityhub-fancy-marketplace.127.0.0.1.nip.io - path: / - - name: identityhub-management-fancy-marketplace.127.0.0.1.nip.io - path: / - - name: dsp-dcp-management.127.0.0.1.nip.io - path: / - - name: dsp-oid4vc-management.127.0.0.1.nip.io - path: / - - name: vault-fancy-marketplace.127.0.0.1.nip.io - path: / - catchAllRoute: - enabled: false - controlPlane: - address: http://consumer-apisix-control-plane:9180 - routes: - - uri: /.well-known/openid-configuration - host: fancy-marketplace.127.0.0.1.nip.io - upstream: - nodes: - verifier:3000: 1 - type: roundrobin - plugins: - proxy-rewrite: - uri: /services/tm-forum/.well-known/openid-configuration - - uri: /* - host: fancy-marketplace.127.0.0.1.nip.io - upstream: - nodes: - tm-forum-api:8080: 1 - type: roundrobin - plugins: - 
openid-connect: - proxy_opts: - https_proxy: http://squid-proxy.infra.svc.cluster.local:8888 - bearer_only: true - use_jwks: true - client_id: tm-forum - client_secret: unused - ssl_verify: false - discovery: https://verifier.fancy-marketplace.biz/services/tm-forum/.well-known/openid-configuration - opa: - host: "http://localhost:8181" - policy: policy/main - with_body: true - - uri: /* - host: dsp-dcp-management.127.0.0.1.nip.io - upstream: - nodes: - consumer-fdsc-edc-dcp:8085: 1 - type: roundrobin - - uri: /* - host: dsp-oid4vc-management.127.0.0.1.nip.io - upstream: - nodes: - consumer-fdsc-edc-oid4vc:8085: 1 - type: roundrobin - - uri: /.well-known/openid-configuration - host: dsp-fancy-marketplace.127.0.0.1.nip.io - upstream: - nodes: - verifier:3000: 1 - type: roundrobin - plugins: - proxy-rewrite: - uri: /services/dsp/.well-known/openid-configuration - - uri: /api/identity/* - host: identityhub-management-fancy-marketplace.127.0.0.1.nip.io - upstream: - nodes: - identityhub-service:8082: 1 - - uri: /api/credentials/* - host: identityhub-fancy-marketplace.127.0.0.1.nip.io - upstream: - nodes: - identityhub-service:8083: 1 - - uri: /* - host: dcp-fancy-marketplace.127.0.0.1.nip.io - upstream: - nodes: - consumer-fdsc-edc-dcp:8080: 1 - - uri: /* - host: dsp-fancy-marketplace.127.0.0.1.nip.io - upstream: - nodes: - consumer-fdsc-edc-oid4vc:8080: 1 - plugins: - openid-connect: - proxy_opts: - https_proxy: http://squid-proxy.infra.svc.cluster.local:8888 - bearer_only: true - use_jwks: true - client_id: dsp - client_secret: unused - ssl_verify: false - discovery: https://verifier.fancy-marketplace.biz/services/dsp/.well-known/openid-configuration - - uri: /* - host: vault-fancy-marketplace.127.0.0.1.nip.io - upstream: - nodes: - consumer-vault:8200: 1 + config: + volume: + storageClass: "local-path" + users: + ngb: + - createdb + rainbow: + - createdb + databases: + ngb: ngb + rainbow: rainbow + preparedDatabases: + ngb: + extensions: + postgis: public + 
trusted-issuers-list: + deployment: + image: + tag: "0.8.0" # ToDo: remove when updating dependencies + resources: + limits: + cpu: 300m + memory: 512Mi + requests: + cpu: 100m + memory: 128Mi + credentials-config-service: + additionalEnvVars: + - name: FLYWAY_DATASOURCES_DEFAULT_LOCATIONS + value: classpath:db/migration/common,classpath:db/migration/mysql + registration: + enabled: true + services: + - id: tm-forum + defaultOidcScope: "default" + authorizationType: "DEEPLINK" + oidcScopes: + "default": + credentials: + - type: LegalPersonCredential + trustedParticipantsLists: + - http://tir.127.0.0.1.nip.io + # we want that every participant can access the marketplace and register + trustedIssuersLists: + - "*" + jwtInclusion: + enabled: true + fullInclusion: true + dcql: + credentials: + - id: legal-person-query + format: "vc+sd-jwt" + multiple: false + claims: + - id: roles-claim + path: + - roles + meta: + vct_values: + - LegalPersonCredential + vcverifier: + ingress: + enabled: true + annotations: + traefik.ingress.kubernetes.io/router.tls: "true" + tls: + - hosts: + - verifier.fancy-marketplace.biz + secretName: tls-secret + hosts: + - host: verifier.fancy-marketplace.biz + paths: + - "/" + deployment: + logging: + level: DEBUG + verifier: + tirAddress: http://tir.127.0.0.1.nip.io/ + did: did:web:fancy-marketplace.biz + supportedModes: ["byValue", "byReference"] + clientIdentification: + keyPath: /signing-key/client.key.pem + requestKeyAlgorithm: ES256 + id: x509_san_dns:verifier.fancy-marketplace.biz + certificatePath: /certificate/client-chain-bundle.cert.pem + server: + host: https://verifier.fancy-marketplace.biz + configRepo: + configEndpoint: http://credentials-config-service:8080 + additionalVolumes: + - name: signing-key + secret: + secretName: signing-key + - name: cert-chain + secret: + secretName: cert-chain + # add the self generated root ca to the system truststore + - name: root-ca + emptyDir: {} + - name: ca-to-add + secret: + secretName: 
root-ca + additionalVolumeMounts: + - name: signing-key + mountPath: /signing-key + - name: cert-chain + mountPath: /certificate + # add the self generated root ca to the system truststore + - name: root-ca + mountPath: /etc/ssl/cert.pem + subPath: cert.pem + additionalEnvVars: + - name: HTTPS_PROXY + value: "http://squid-proxy.infra.svc.cluster.local:8888" + - name: HTTP_PROXY + value: "http://squid-proxy.infra.svc.cluster.local:8888" + - name: NO_PROXY + value: "credentials-config-service,w3.org,trusted-issuers-list" + initContainers: + # add the self generated root ca to the system truststore + - name: add-root-ca + image: alpine:3.21.3 + command: + - /bin/sh + args: + - -c + - | + #!/bin/sh + cp /etc/ssl/cert.pem /root-ca/cert.pem + cat /root-ca/cacert.pem >> /root-ca/cert.pem + volumeMounts: + - name: root-ca + mountPath: /root-ca + - name: ca-to-add + mountPath: /root-ca/cacert.pem + subPath: cacert.pem + - name: register-at-tir + image: curlimages/curl:8.18.0 + command: + - /bin/sh + args: + - -ec + - | + curl -X 'POST' 'http://tir.trust-anchor.svc.cluster.local:8080/issuer' -H 'Content-Type: application/json' -d "{\"did\": \"did:web:fancy-marketplace.biz\", \"credentials\": []}" + odrlAuthorization: + # authorized access to tmforum + apisix: + etcd: + replicaCount: 1 + persistence: + enabled: false + ingress: + enabled: true + hosts: + - host: fancy-marketplace.127.0.0.1.nip.io + paths: ["/"] + - host: dsp-fancy-marketplace.127.0.0.1.nip.io + paths: ["/"] + - host: dcp-fancy-marketplace.127.0.0.1.nip.io + paths: ["/"] + - host: identityhub-fancy-marketplace.127.0.0.1.nip.io + paths: ["/"] + - host: identityhub-management-fancy-marketplace.127.0.0.1.nip.io + paths: ["/"] + - host: dsp-dcp-management.127.0.0.1.nip.io + paths: ["/"] + - host: dsp-oid4vc-management.127.0.0.1.nip.io + paths: ["/"] + - host: vault-fancy-marketplace.127.0.0.1.nip.io + paths: ["/"] + catchAllRoute: + enabled: false + routes: + - uri: /.well-known/openid-configuration + host: 
fancy-marketplace.127.0.0.1.nip.io + upstream: + nodes: + verifier:3000: 1 + type: roundrobin + plugins: + proxy-rewrite: + uri: /services/tm-forum/.well-known/openid-configuration + - uri: /* + host: fancy-marketplace.127.0.0.1.nip.io + upstream: + nodes: + tm-forum-api-svc:8080: 1 + type: roundrobin + plugins: + openid-connect: + proxy_opts: + https_proxy: http://squid-proxy.infra.svc.cluster.local:8888 + bearer_only: true + use_jwks: true + client_id: tm-forum + client_secret: unused + ssl_verify: false + discovery: https://verifier.fancy-marketplace.biz/services/tm-forum/.well-known/openid-configuration + opa: + host: "http://localhost:8181" + policy: policy/main + with_body: true + - uri: /* + host: dsp-dcp-management.127.0.0.1.nip.io + upstream: + nodes: + consumer-fdsc-edc-dcp:8085: 1 + type: roundrobin + - uri: /* + host: dsp-oid4vc-management.127.0.0.1.nip.io + upstream: + nodes: + consumer-fdsc-edc-oid4vc:8085: 1 + type: roundrobin + - uri: /.well-known/openid-configuration + host: dsp-fancy-marketplace.127.0.0.1.nip.io + upstream: + nodes: + verifier:3000: 1 + type: roundrobin + plugins: + proxy-rewrite: + uri: /services/dsp/.well-known/openid-configuration + - uri: /api/identity/* + host: identityhub-management-fancy-marketplace.127.0.0.1.nip.io + upstream: + nodes: + identityhub-service:8082: 1 + - uri: /api/credentials/* + host: identityhub-fancy-marketplace.127.0.0.1.nip.io + upstream: + nodes: + identityhub-service:8083: 1 + - uri: /* + host: dcp-fancy-marketplace.127.0.0.1.nip.io + upstream: + nodes: + consumer-fdsc-edc-dcp:8080: 1 + - uri: /* + host: dsp-fancy-marketplace.127.0.0.1.nip.io + upstream: + nodes: + consumer-fdsc-edc-oid4vc:8080: 1 + plugins: + openid-connect: + proxy_opts: + https_proxy: http://squid-proxy.infra.svc.cluster.local:8888 + bearer_only: true + use_jwks: true + client_id: dsp + client_secret: unused + ssl_verify: false + discovery: https://verifier.fancy-marketplace.biz/services/dsp/.well-known/openid-configuration + - 
uri: /* + host: vault-fancy-marketplace.127.0.0.1.nip.io + upstream: + nodes: + consumer-vault:8200: 1 + # policies for accessing the tmf + odrl-pap: + additionalEnvVars: + - name: GENERAL_ORGANIZATION_DID + value: did:web:fancy-marketplace.biz + ingress: + enabled: true + hosts: + - host: pap-consumer.127.0.0.1.nip.io + paths: + - "/" # contract management for distributing the buy events contract-management: did: did:web:fancy-marketplace.biz @@ -1048,22 +1062,22 @@ contract-management: ## Config for the TM Forum Service hosting the APIs product-order: ## URL of the TM Forum Service hosting the Product Ordering API - url: http://consumer-tm-forum-api-product-ordering-management:8080 + url: http://tm-forum-api-svc:8080 party: ## URL of the TM Forum Service hosting the Party API - url: http://consumer-tm-forum-api-party-catalog:8080 + url: http://tm-forum-api-svc:8080 product-catalog: ## URL of the TM Forum Service hosting the Product Catalog API - url: http://consumer-tm-forum-api-product-catalog:8080 + url: http://tm-forum-api-svc:8080 service-catalog: ## URL of the TM Forum Service hosting the Service Catalog API - url: http://consumer-tm-forum-api-service-catalog:8080 + url: http://tm-forum-api-svc:8080 tmforum-agreement-api: ## URL of the TM Forum Service hosting the Agreement API - url: http://consumer-tm-forum-api-agreement:8080 + url: http://tm-forum-api-svc:8080s quote: ## URL for TM Forum Service hosting the Quote API - url: http://consumer-tm-forum-api-quote:8080 + url: http://tm-forum-api-svc:8080 deployment: # init containers to be used for the local demo initContainers: 
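Review bot: The `register-at-tir` init container under `decentralizedIam.vcAuthentication.vcverifier` still succeeds when the trust-anchor answers with a 4xx/5xx, because `curl` exits 0 on an HTTP error status and `sh -ec` only reacts to curl's own exit code; the switch to `curlimages/curl:8.18.0` is an improvement but keeps that gap. I would use `curl -fsS -X 'POST' 'http://tir.trust-anchor.svc.cluster.local:8080/issuer' ...` so a failed registration fails the pod visibly instead of surfacing later as an unexplained verification error. The two `openid-connect` plugin blocks in the apisix routes also keep `ssl_verify: false` while fetching `discovery:` over https through the squid proxy; since the self-generated root CA is only injected into the verifier's truststore here, that is presumably deliberate for the demo, but it deserves a one-line comment such as `# ssl_verify disabled: verifier.fancy-marketplace.biz uses the self-generated demo CA not trusted by apisix` so it is not carried into a non-demo values file.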
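Review bot: The new `tmforum-agreement-api.url` under `contract-management.services` has a typo, `url: http://tm-forum-api-svc:8080s` — `8080s` is not a valid port, so the agreement client will fail to parse or resolve this URL while all sibling services correctly point at `http://tm-forum-api-svc:8080`. Change it to `url: http://tm-forum-api-svc:8080`. The same `services` block in `k3s/provider-elsi.yaml` later in this diff has the correct value, which is a good cross-check.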
@@ -1260,13 +1274,13 @@ fdsc-edc: host: squid-proxy.infra.svc.cluster.local port: 8888 tmfExtension: - quoteApi: http://consumer-tm-forum-api-quote.consumer.svc.cluster.local:8080/tmf-api/quote/v4 - agreementApi: http://consumer-tm-forum-api-agreement.consumer.svc.cluster.local:8080/tmf-api/agreementManagement/v4 - productOrderApi: http://consumer-tm-forum-api-product-ordering-management.consumer.svc.cluster.local:8080/tmf-api/productOrderingManagement/v4 - productCatalogApi: http://consumer-tm-forum-api-product-catalog.consumer.svc.cluster.local:8080/tmf-api/productCatalogManagement/v4 - productInventoryApi: http://consumer-tm-forum-api-product-inventory.consumer.svc.cluster.local:8080/tmf-api/productInventory/v4 - usageManagementApi: http://consumer-tm-forum-api-usage-management.consumer.svc.cluster.local:8080/tmf-api/usageManagement/v4 - partyCatalogApi: http://consumer-tm-forum-api-party-catalog.consumer.svc.cluster.local:8080/tmf-api/party/v4 + quoteApi: http://tm-forum-api-svc.consumer.svc.cluster.local:8080/tmf-api/quote/v4 + agreementApi: http://tm-forum-api-svc.consumer.svc.cluster.local:8080/tmf-api/agreementManagement/v4 + productOrderApi: http://tm-forum-api-svc.consumer.svc.cluster.local:8080/tmf-api/productOrderingManagement/v4 + productCatalogApi: http://tm-forum-api-svc.consumer.svc.cluster.local:8080/tmf-api/productCatalogManagement/v4 + productInventoryApi: http://tm-forum-api-svc.consumer.svc.cluster.local:8080/tmf-api/productInventory/v4 + usageManagementApi: http://tm-forum-api-svc.consumer.svc.cluster.local:8080/tmf-api/usageManagement/v4 + partyCatalogApi: http://tm-forum-api-svc.consumer.svc.cluster.local:8080/tmf-api/party/v4 # -- transfer extension is only needed at the provider side fdscTransfer: enabled: false diff --git a/k3s/dsp-provider.yaml b/k3s/dsp-provider.yaml index 0434f97..4d4cd5a 100644 --- a/k3s/dsp-provider.yaml +++ b/k3s/dsp-provider.yaml 
@@ -8,6 +8,29 @@ did: enabled: false keycloak: + metrics: + enabled: true + extraEnvVars: + - name: KEYCLOAK_EXTRA_ARGS + value: "--import-realm" + - name: KC_FEATURES + value: "oid4vc-vci" + # keycloak admin password + - name: KC_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: issuance-secret + key: keycloak-admin + # set in accordance with the memory requests, will result in OOM otherwise + - name: KC_HEAP_SIZE + value: "1024m" + - name: "STORE_PASS" + valueFrom: + secretKeyRef: + name: provider-keystore + key: password + - name: KC_HEALTH_ENABLED + value: "true" signingKey: did: did:web:mp-operations.org#key-1 diff --git a/k3s/infra/gx-registry/deployment-registry.yaml b/k3s/infra/gx-registry/deployment-registry.yaml index 18eb345..2a2a214 100644 --- a/k3s/infra/gx-registry/deployment-registry.yaml +++ b/k3s/infra/gx-registry/deployment-registry.yaml 
@@ -23,17 +23,17 @@ spec: fsGroup: 1000 initContainers: - name: wait-for-kubo - image: busybox + image: busybox:1.37.0 command: - sh - -c - until nc -z gx-registry-kubo 5001; do echo waiting for Kubo; sleep 2; done; - name: local-trust image: quay.io/wi_stefan/gaiax-local-trust:0.0.1 - imagePullPolicy: Always + imagePullPolicy: IfNotPresent env: - name: ROOT_CA - value: "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" + value: "MIIFnDCCA4SgAwIBAgIBATANBgkqhkiG9w0BAQsFADBnMQswCQYDVQQGEwJERTEPMA0GA1UECAwGU2F4b255MRAwDgYDVQQHDAdEcmVzZGVuMRMwEQYDVQQKDApGSUNPREVTIENBMRMwEQYDVQQDDApGSUNPREVTLUNBMQswCQYDVQQFEwIwMTAeFw0yNjAyMjUxNDM1NTBaFw0zNjAyMjMxNDM1NTBaMGcxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZTYXhvbnkxEDAOBgNVBAcMB0RyZXNkZW4xEzARBgNVBAoMCkZJQ09ERVMgQ0ExEzARBgNVBAMMCkZJQ09ERVMtQ0ExCzAJBgNVBAUTAjAxMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvLPxmWkECMWVZpRSZkqy21eF3bS5imsZoRZCxPM9YU7flVujHuw8DQx3cWlO4IdiH5gQix7WFb2bJn7iXRDWfYW7SIDRTSKu21Q1pc9cJjVXMBSbfC80Dp8yX2zdAeraGfGY+yz+rnsjFlXtssK+4Gf2ut2Rtb7/ssqKLqt2ybzj2GwuubC79r03MchJ8O8lUROwy67ZUrwPlCg0POBtAOzJNueaBPhlPVPV/XeXQLdcK9utzu5Uv+oklgnepu9k/B/oVJO7lDdkcW18ESVdXfl/G7d2qGwE+CyV9KKD/qxrTB6zOHoLhaUrvcb+EmEYYUiUF8W8OGbMzIT3qpLOwaTk0ESVZO9YSc4fOlHz8MrUCxzRpKheMhRC6HCggTlyIvh0Wwf5TRieODGkBFpjYCkChxHO/iQ6hEc2VLdokZIJzDt43Qltj9+W3VOYEQaTBtWWNWyAYzgJGeGNRavXVz65gz+HfUKlkv6rcflMXojCYAphj2ZbRnZfzg8RdvHHWPfYpoexEaaTFsyjrufUCa7iAguO7P4e+EE3JLdHJwBhOb018cCyK5Hemiu+nvoYDcp8aiPdto8ARbvaubIdiwdsZ8X9FG0HhAsc3YTqN6BykDatA/kK6zJc/kOItbFSO1ODL7r4NTv799wsyip7sDfqOCYEQ97G7SY17JulHf0CAwEAAaNTMFEwHQYDVR0OBBYEFKXw6Nql+0B1mvtDFDSVNsHV9aTCMB8GA1UdIwQYMBaAFKXw6Nql+0B1mvtDFDSVNsHV9aTCMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAEhbFwa5ZjJYF5X/0ggZLQE3BSPl4yfA0kZGxvjmr/H2FpVwSRHatxV6IKN3o2e6R355GpbjfX+8BSEoVBytbITT36AVqYahGe+D3JcbOE6Se5wfSR5cwe3QnGx1ge9jbnPoIFcz7xpkT41t9YLkA1WoUz9bybTK/BZ1gJG0eJcPI2MZSQsyBMPZBGNKxElqGMp/8KxcmiHKROmUqN4rhIKq1XpkyMwsuahD1hyDX0zR/DLvpphTSWhag45CYoAwj4mijCRn7NISctU/7GRyOmvgXJ4eNG9UuxnOTPMS0UXk/1/OHrFMX183wjoKqKSfxabmV
2bvgzbFogiPCxsD7nXey+NZz0Qb+gxFNQm8m3WtB4tIckUvxJnIcKB2idGdmmAIAyzOmvbaea0n3KZyVL0yBZMQqIyAkpoOz4LQsar8JhSiqQMWHJFu155qxNivBrTDWp0RuLnZfuwAkJMODbHTwSfMUHrwzDUE8v3PFbOHd78kvGywtOPBhHOmNzUZ+qx4myRgR7U2Pe9R9w4B3zz56b2oIQoUCxSMWzwxMN2JsxwK2YQXCE9XI2MeGeOiZn0E/igU4eN8FDu8NGkkgslc3jhbJl0/KmOJ7nl6SMdZtXJO2UdBFhO8UKuar3l62pcBtKiELwgzmQsJ05i1/NQjLcu3c+hTXkYuD1qyVFFX" volumeMounts: - name: trust-anchor mountPath: /out @@ -43,7 +43,7 @@ spec: runAsNonRoot: true runAsUser: 1000 image: "registry.gitlab.com/gaia-x/lab/compliance/gx-registry:v2.8.1" - imagePullPolicy: Always + imagePullPolicy: IfNotPresent env: - name: PORT value: "3000" diff --git a/k3s/infra/squid/deployment.yaml b/k3s/infra/squid/deployment.yaml index 83d0b63..8a17001 100644 --- a/k3s/infra/squid/deployment.yaml +++ b/k3s/infra/squid/deployment.yaml @@ -16,7 +16,7 @@ spec: containers: - name: squid image: ubuntu/squid:5.2-22.04_beta - imagePullPolicy: Always + imagePullPolicy: IfNotPresent volumeMounts: - name: squid-config mountPath: /etc/squid/squid.conf diff --git a/k3s/mongo-operator.yaml b/k3s/mongo-operator.yaml index 0465450..ca21611 100644 --- a/k3s/mongo-operator.yaml +++ b/k3s/mongo-operator.yaml @@ -4,23 +4,43 @@ mongo-operator: namespace: provider operator: watchNamespace: "*" + resources: + limits: + cpu: 300m + memory: 1Gi + requests: + cpu: 100m + memory: 200Mi -managedMongo: - enabled: false -apisix: - enabled: false +decentralizedIam: + vcAuthentication: + postgres-operator: + enabled: false -credentials-config-service: - enabled: false + managedPostgres: + enabled: false -vcverifier: - enabled: false + trusted-issuers-list: + enabled: false -mysql: - enabled: false + credentials-config-service: + enabled: false + + vcverifier: + enabled: false + + odrlAuthorization: + apisix: + enabled: false + + odrl-pap: + enabled: false + + tpp: + enabled: false -postgresql: +managedMongo: enabled: false postgis: 
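Review bot: The replacement `ROOT_CA` value for the `local-trust` init container is a multi-kilobyte base64 DER certificate pasted inline with nothing saying what it is or how to regenerate it, which makes the next rotation guesswork. Decoding the visible header, it appears to be a self-signed CA (`CN=FICODES-CA, O=FICODES CA, L=Dresden, ST=Saxony, C=DE`, serial 01) with validity roughly 2026-02-25 to 2036-02-23 and `CA:TRUE`; please confirm and record that above the env entry, e.g. `# base64 DER of the self-signed FICODES demo root CA (serial 01, expires 2036-02-23); regenerate together with the trust-anchor secrets`. Since it is public key material it need not be a Secret, but a ConfigMap or the same source as the `root-ca` secret used by the verifier would keep one copy instead of two that can drift. The `imagePullPolicy: IfNotPresent` change is fine only because the tags `0.0.1` and `v2.8.1` are pinned; a note that they must stay pinned would help.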
@@ -35,27 +55,15 @@ dataSpaceConfig: scorpio: enabled: false -odrl-pap: - enabled: false - tm-forum-api: enabled: false rainbow: enabled: false -tpp: - enabled: false - contract-management: enabled: false -trusted-issuers-list: - enabled: false - -mongodb: - enabled: false - marketplace: enabled: false diff --git a/k3s/namespaces/postgres-operator.yaml b/k3s/namespaces/postgres-operator.yaml new file mode 100644 index 0000000..e9ca605 --- /dev/null +++ b/k3s/namespaces/postgres-operator.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: postgres-operator \ No newline at end of file diff --git a/k3s/postgres-operator.yaml b/k3s/postgres-operator.yaml new file mode 100644 index 0000000..29667be --- /dev/null +++ b/k3s/postgres-operator.yaml @@ -0,0 +1,66 @@ + +decentralizedIam: + + vcAuthentication: + postgres-operator: + enabled: true + configKubernetes: + enable_cross_namespace_secret: true + + managedPostgres: + enabled: false + + trusted-issuers-list: + enabled: false + + credentials-config-service: + enabled: false + + vcverifier: + enabled: false + + odrlAuthorization: + apisix: + enabled: false + + odrl-pap: + enabled: false + + tpp: + enabled: false + +mongo-operator: + enabled: false + +managedMongo: + enabled: false + +postgis: + enabled: false + +did: + enabled: false + +dataSpaceConfig: + enabled: false + +scorpio: + enabled: false + +tm-forum-api: + enabled: false + +rainbow: + enabled: false + +contract-management: + enabled: false + +marketplace: + enabled: false + +keycloak: + enabled: false + +registration: + enabled: false \ No newline at end of file diff --git a/k3s/provider-elsi.yaml b/k3s/provider-elsi.yaml index b33db64..e23df91 100644 --- a/k3s/provider-elsi.yaml +++ b/k3s/provider-elsi.yaml 
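Review bot: `configKubernetes.enable_cross_namespace_secret: true` in the new `k3s/postgres-operator.yaml` is security-relevant and has no comment explaining why it is needed. As far as I know this lets the operator write database credential secrets into whatever namespace is encoded in a role name of a `postgresql` manifest, so anyone who can create such a manifest in a watched namespace can have secrets materialised in another namespace; the consumer values referencing `rainbow.postgres.credentials.postgresql.acid.zalan.do` suggest that is the intent here, but it should be stated. I would add `# allows the operator to create role secrets in the consumer/provider namespaces; restrict who may create postgresql CRs` above the setting, and confirm the operator's RBAC is scoped to the namespaces that actually host databases. The file also lacks a trailing newline.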
@@ -1,207 +1,195 @@ keycloak: enabled: false -apisix: - image: - debug: true - dataPlane: - ingress: - enabled: true - hostname: mp-data-service.127.0.0.1.nip.io - extraHosts: - - name: mp-tmf-api.127.0.0.1.nip.io - path: / - catchAllRoute: - enabled: false - routes: |- - - uri: /.well-known/openid-configuration - host: mp-data-service.127.0.0.1.nip.io - upstream: - nodes: - verifier:3000: 1 - type: roundrobin - plugins: - proxy-rewrite: - uri: /services/data-service/.well-known/openid-configuration - - uri: /.well-known/data-space-configuration - upstream: - nodes: - dsconfig:3002: 1 - type: roundrobin - plugins: - proxy-rewrite: - uri: /.well-known/data-space-configuration/data-space-configuration.json - response-rewrite: - headers: - set: - content-type: application/json - - uri: /* - host: mp-data-service.127.0.0.1.nip.io - upstream: - nodes: - data-service-scorpio:9090: 1 - type: roundrobin - plugins: - openid-connect: - bearer_only: true - use_jwks: true - client_id: data-service - client_secret: unused - ssl_verify: false - discovery: http://verifier:3000/services/data-service/.well-known/openid-configuration - opa: - host: "http://localhost:8181" - policy: policy/main - with_body: true - - uri: /.well-known/openid-configuration - host: mp-tmf-api.127.0.0.1.nip.io - upstream: - nodes: - verifier:3000: 1 - type: roundrobin - plugins: - proxy-rewrite: - uri: /services/tmf-api/.well-known/openid-configuration - - uri: /* - host: mp-tmf-api.127.0.0.1.nip.io - upstream: - nodes: - tm-forum-api:8080: 1 - type: roundrobin - plugins: - openid-connect: - bearer_only: true - use_jwks: true - client_id: contract-management - client_secret: unused - ssl_verify: false - discovery: http://verifier:3000/services/tmf-api/.well-known/openid-configuration - opa: - host: "http://localhost:8181" - policy: policy/main - with_body: true - -dss: +decentralizedIam: enabled: true - keystores: - store.jks: 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 - trust: - stores: - - 
path: /keystores/store.jks - type: jks - password: password - deployment: - additionalContainers: - - name: crl-provider-static - imagePullPolicy: Always - image: "lipanski/docker-static-website:2.1.0" - volumeMounts: - - name: crl-provider-json - mountPath: /home/static/crl.pem - subPath: crl.pem - additionalVolumes: - - name: crl-provider-json - secret: - secretName: crl-provider - health: - port: 8080 - crl: - enabled: true - secret: - crl.pem: 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 -vcverifier: - ingress: - enabled: true - hosts: - - host: provider-verifier.127.0.0.1.nip.io - paths: - - "/" - deployment: - verifier: - tirAddress: http://tir.127.0.0.1.nip.io:8080/ - did: ${DID} - server: - host: http://provider-verifier.127.0.0.1.nip.io:8080 - configRepo: - configEndpoint: http://credentials-config-service:8080 - elsi: + vcAuthentication: + + postgres-operator: + enabled: false + + managedPostgres: enabled: true - validationEndpoint: - host: http://provider-dss:8080 - validationPath: /validateSignature - healthPath: /health/liveness + config: + volume: + storageClass: "local-path" + users: + ngb: + - createdb + databases: + ngb: ngb + preparedDatabases: + ngb: + extensions: + postgis: public - alternativeConfig: /alternative-conf/server.yaml - additionalVolumes: - - name: did-material - emptyDir: {} - - name: alternative-conf - emptyDir: {} - additionalVolumeMounts: - - name: alternative-conf - mountPath: /alternative-conf - initContainers: - - name: get-did - image: ubuntu - command: - - /bin/bash - args: - - -ec - - | - #!/bin/bash - apt-get -y update; apt-get -y install wget; apt-get -y install gettext-base - cd /did-material - wget http://did-helper:3002/did-material/did.env - export $(cat /did-material/did.env) - cp /original-conf/server.yaml /alternative-conf/server.yaml - envsubst < /alternative-conf/server.yaml - volumeMounts: - - name: did-material - mountPath: /did-material - - name: config-volume - mountPath: /original-conf - - name: 
alternative-conf - mountPath: /alternative-conf + vcverifier: + ingress: + enabled: true + hosts: + - host: provider-verifier.127.0.0.1.nip.io + paths: + - "/" + deployment: + verifier: + tirAddress: http://tir.127.0.0.1.nip.io:8080/ + did: ${DID} + server: + host: http://provider-verifier.127.0.0.1.nip.io:8080 + configRepo: + configEndpoint: http://credentials-config-service:8080 + elsi: + enabled: true + validationEndpoint: + host: http://dss:8080 + validationPath: /validateSignature + healthPath: /health/liveness + initContainers: + - name: register-at-tir + image: curlimages/curl:8.18.0 + command: + - /bin/sh + args: + - -ec + - | + curl -X 'POST' 'http://tir.trust-anchor.svc.cluster.local:8080/issuer' -H 'Content-Type: application/json' -d "{\"did\": \"did:web:did-provider.127.0.0.1.nip.io\", \"credentials\": []}" - - name: register-at-tir - image: ubuntu - command: - - /bin/bash - args: - - -ec - - | - #!/bin/bash - source /did-material/did.env - apt-get -y update; apt-get -y install curl - curl -X 'POST' 'http://tir.trust-anchor.svc.cluster.local:8080/issuer' -H 'Content-Type: application/json' -d "{\"did\": \"${DID}\", \"credentials\": []}" - volumeMounts: - - name: did-material - mountPath: /did-material + trusted-issuers-list: + # only open for clean up in the tests + ingress: + til: + enabled: true + hosts: + - host: til-provider.127.0.0.1.nip.io + paths: + - / -mysql: - primary: - persistence: - enabled: false - secondary: - persistence: - enabled: false + dss: + enabled: true + keystores: + store.jks: 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 + trust: + stores: + - path: /keystores/store.jks + type: jks + password: password + deployment: + additionalContainers: + - name: crl-provider-static + imagePullPolicy: IfNotPresent + image: "lipanski/docker-static-website:2.1.0" + volumeMounts: + - name: crl-provider-json + mountPath: /home/static/crl.pem + subPath: crl.pem + additionalVolumes: + - name: crl-provider-json + secret: + secretName: 
crl-provider + health: + port: 8080 + crl: + enabled: true + secret: + crl.pem: 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 -postgis: - primary: - persistence: - enabled: false - readReplicas: - persistence: - enabled: false + odrlAuthorization: -postgresql: - primary: - persistence: - enabled: false - readReplicas: - persistence: - enabled: false + apisix: + etcd: + replicaCount: 1 + persistence: + enabled: false + image: + debug: true + dataPlane: + ingress: + enabled: true + hostname: mp-data-service.127.0.0.1.nip.io + extraHosts: + - name: mp-tmf-api.127.0.0.1.nip.io + path: / + catchAllRoute: + enabled: false + routes: |- + - uri: /.well-known/openid-configuration + host: mp-data-service.127.0.0.1.nip.io + upstream: + nodes: + verifier:3000: 1 + type: roundrobin + plugins: + proxy-rewrite: + uri: /services/data-service/.well-known/openid-configuration + - uri: /.well-known/data-space-configuration + upstream: + nodes: + dsconfig:3002: 1 + type: roundrobin + plugins: + proxy-rewrite: + uri: /.well-known/data-space-configuration/data-space-configuration.json + response-rewrite: + headers: + set: + content-type: application/json + - uri: /* + host: mp-data-service.127.0.0.1.nip.io + upstream: + nodes: + data-service-scorpio:9090: 1 + type: roundrobin + plugins: + openid-connect: + bearer_only: true + use_jwks: true + client_id: data-service + client_secret: unused + ssl_verify: false + discovery: http://verifier:3000/services/data-service/.well-known/openid-configuration + opa: + host: "http://localhost:8181" + policy: policy/main + with_body: true + - uri: /.well-known/openid-configuration + host: mp-tmf-api.127.0.0.1.nip.io + upstream: + nodes: + verifier:3000: 1 + type: roundrobin + plugins: + proxy-rewrite: + uri: /services/tmf-api/.well-known/openid-configuration + - uri: /* + host: mp-tmf-api.127.0.0.1.nip.io + upstream: + nodes: + tm-forum-api-svc:8080: 1 + type: roundrobin + plugins: + openid-connect: + bearer_only: true + use_jwks: true + 
client_id: contract-management + client_secret: unused + ssl_verify: false + discovery: http://verifier:3000/services/tmf-api/.well-known/openid-configuration + opa: + host: "http://localhost:8181" + policy: policy/main + with_body: true + + odrl-pap: + additionalEnvVars: + - name: GENERAL_ORGANIZATION_DID + value: did:web:did-provider.127.0.0.1.nip.io + ingress: + enabled: true + hosts: + - host: pap-provider.127.0.0.1.nip.io + paths: + - "/" did: enabled: true @@ -255,6 +243,7 @@ scorpio: paths: - "/" ccs: + enabled: true defaultOidcScope: name: default oidcScopes: @@ -271,52 +260,18 @@ scorpio: trustedIssuersLists: - http://trusted-issuers-list:8080 - -odrl-pap: - deployment: - initContainers: - - name: get-did - image: ubuntu - command: - - /bin/bash - args: - - -ec - - | - #!/bin/bash - apt-get -y update; apt-get -y install wget - cd /did-material - wget http://did-helper:3002/did-material/did.env - volumeMounts: - - name: did-material - mountPath: /did-material - additionalVolumes: - - name: did-material - emptyDir: {} - additionalVolumeMounts: - - name: did-material - mountPath: /did-material - command: - - /bin/sh - args: - - -ec - - | - #!/bin/sh - source /did-material/did.env - export GENERAL_ORGANIZATION_DID=$DID - ./application -Dquarkus.http.host=0.0.0.0 - - ingress: - enabled: true - hosts: - - host: pap-provider.127.0.0.1.nip.io - paths: - - "/" - tm-forum-api: + defaultConfig: + contextUrl: https://uri.etsi.org/ngsi-ld/v1/ngsi-ld-core-context.jsonld + allInOne: + enabled: true + apiProxy: + enabled: false registration: ccs: defaultOidcScope: - credentialType: UserCredential + credentialTypes: + - UserCredential trustedParticipantsLists: http://tir.trust-anchor.svc.cluster.local:8080 ingress: 
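Review bot: In the new `decentralizedIam.vcAuthentication.vcverifier` block the verifier is still configured with `did: ${DID}`, but the `get-did` init container, the `did-material` volume and `alternativeConfig` that previously fetched `did.env` and ran `envsubst` were all removed, so unless the chart itself resolves `${DID}` that placeholder now reaches the verifier literally. The rest of the hunk switched to the fixed identifier — `register-at-tir` posts `did:web:did-provider.127.0.0.1.nip.io` and `odrl-pap` sets `GENERAL_ORGANIZATION_DID` to the same — so I would align it: `did: did:web:did-provider.127.0.0.1.nip.io`. As in the consumer file, the registration call should be `curl -fsS -X 'POST' ...` so an HTTP error from the trust anchor fails the init container instead of exiting 0. The `dss.trust.stores[].password: password` literal is carried over unchanged; a `# demo-only keystore password` comment would stop it being copied into a real deployment.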
@@ -327,15 +282,25 @@ tm-forum-api: - / contract-management: + services: + ## Config for the TM Forum Service hosting the APIs + product-order: + ## URL of the TM Forum Service hosting the Product Ordering API + url: http://tm-forum-api-svc:8080 + party: + ## URL of the TM Forum Service hosting the Party API + url: http://tm-forum-api-svc:8080 + product-catalog: + ## URL of the TM Forum Service hosting the Product Catalog API + url: http://tm-forum-api-svc:8080 + service-catalog: + ## URL of the TM Forum Service hosting the Service Catalog API + url: http://tm-forum-api-svc:8080 + tmforum-agreement-api: + ## URL of the TM Forum Service hosting the Agreement API + url: http://tm-forum-api-svc:8080 + quote: + ## URL for TM Forum Service hosting the Quote API + url: http://tm-forum-api-svc:8080 til: - credentialType: OperatorCredential - -trusted-issuers-list: - # only open for clean up in the tests - ingress: - til: - enabled: true - hosts: - - host: til-provider.127.0.0.1.nip.io - paths: - - / + credentialType: OperatorCredential \ No newline at end of file diff --git a/k3s/provider-gaia-x.yaml b/k3s/provider-gaia-x.yaml index c618482..9fbe1a3 100644 --- a/k3s/provider-gaia-x.yaml +++ b/k3s/provider-gaia-x.yaml 
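Review bot: The six service comments added under `contract-management.services` use two phrasings, `## URL of the TM Forum Service hosting the ... API` for five entries and `## URL for TM Forum Service hosting the Quote API` for the last; the same text is added in the `@@ -321,14 +291,25 @@` hunk of k3s/provider-gaia-x.yaml. Using `## URL of the TM Forum Service hosting the Quote API` keeps the block uniform. The leading `## Config for the TM Forum Service hosting the APIs` sits between `services:` and `product-order:`, where it reads as describing only the first entry; placing it directly above `services:` would make it cover the whole map.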
@@ -1,208 +1,207 @@ keycloak: enabled: false -apisix: - image: - debug: true - dataPlane: - ingress: + +decentralizedIam: + enabled: true + + vcAuthentication: + + postgres-operator: + enabled: false + + managedPostgres: enabled: true - hostname: mp-data-service.127.0.0.1.nip.io - extraHosts: - - name: mp-tmf-api.127.0.0.1.nip.io - path: / - catchAllRoute: - enabled: false - routes: |- - - uri: /.well-known/openid-configuration - host: mp-data-service.127.0.0.1.nip.io - upstream: - nodes: - verifier:3000: 1 - type: roundrobin - plugins: - proxy-rewrite: - uri: /services/data-service/.well-known/openid-configuration - - uri: /.well-known/data-space-configuration - upstream: - nodes: - dsconfig:3002: 1 - type: roundrobin - plugins: - proxy-rewrite: - uri: /.well-known/data-space-configuration/data-space-configuration.json - response-rewrite: - headers: - set: - content-type: application/json - - uri: /* - host: mp-data-service.127.0.0.1.nip.io - upstream: - nodes: - data-service-scorpio:9090: 1 - type: roundrobin - plugins: - openid-connect: - bearer_only: true - use_jwks: true - client_id: data-service - client_secret: unused - ssl_verify: false - discovery: http://verifier:3000/services/data-service/.well-known/openid-configuration - opa: - host: "http://localhost:8181" - policy: policy/main - with_body: true - - uri: /.well-known/openid-configuration - host: mp-tmf-api.127.0.0.1.nip.io - upstream: - nodes: - verifier:3000: 1 - type: roundrobin - plugins: - proxy-rewrite: - uri: /services/tmf-api/.well-known/openid-configuration - - uri: /* - host: mp-tmf-api.127.0.0.1.nip.io - upstream: - nodes: - tm-forum-api:8080: 1 - type: roundrobin - plugins: - openid-connect: - bearer_only: true - use_jwks: true - client_id: contract-management - client_secret: unused - ssl_verify: false - discovery: http://verifier:3000/services/tmf-api/.well-known/openid-configuration - opa: - host: "http://localhost:8181" - policy: policy/main - with_body: true 
-credentials-config-service: - ingress: - enabled: true - hosts: - - host: provider-ccs.127.0.0.1.nip.io - paths: - - "/" -vcverifier: - ingress: - enabled: true - hosts: - - host: provider-verifier.127.0.0.1.nip.io - paths: - - "/" - deployment: - logging: - level: DEBUG - verifier: - tirAddress: http://tir.127.0.0.1.nip.io:8080/ - did: ${DID} - server: - host: http://provider-verifier.127.0.0.1.nip.io:8080 - configRepo: - configEndpoint: http://credentials-config-service:8080 - alternativeConfig: /alternative-conf/server.yaml - additionalVolumes: - - name: did-material - emptyDir: {} - - name: alternative-conf - emptyDir: {} - - name: root-ca - emptyDir: {} - - name: ca-to-add - secret: - secretName: root-ca - additionalVolumeMounts: - - name: alternative-conf - mountPath: /alternative-conf - - name: root-ca - mountPath: /etc/ssl/cert.pem - subPath: cert.pem - additionalEnvVars: - - name: HTTPS_PROXY - value: "http://squid-proxy.infra.svc.cluster.local:8888" - - name: HTTP_PROXY - value: "http://squid-proxy.infra.svc.cluster.local:8888" - - name: NO_PROXY - value: "credentials-config-service,w3.org,trusted-issuers-list" - initContainers: - - name: add-root-ca - image: alpine:3.21.3 - command: - - /bin/sh - args: - - -c - - | - #!/bin/sh - cp /etc/ssl/cert.pem /root-ca/cert.pem - cat /root-ca/cacert.pem >> /root-ca/cert.pem - env: - - name: CA_TO_ADD - value: "-----BEGIN 
CERTIFICATE-----\nMIIFnDCCA4SgAwIBAgIBATANBgkqhkiG9w0BAQsFADBnMQswCQYDVQQGEwJERTEP\nMA0GA1UECAwGU2F4b255MRAwDgYDVQQHDAdEcmVzZGVuMRMwEQYDVQQKDApGSUNP\nREVTIENBMRMwEQYDVQQDDApGSUNPREVTLUNBMQswCQYDVQQFEwIwMTAeFw0yNTAy\nMjAwNzUwNDBaFw0zNTAyMTgwNzUwNDBaMGcxCzAJBgNVBAYTAkRFMQ8wDQYDVQQI\nDAZTYXhvbnkxEDAOBgNVBAcMB0RyZXNkZW4xEzARBgNVBAoMCkZJQ09ERVMgQ0Ex\nEzARBgNVBAMMCkZJQ09ERVMtQ0ExCzAJBgNVBAUTAjAxMIICIjANBgkqhkiG9w0B\nAQEFAAOCAg8AMIICCgKCAgEAwJguJDSWVxpHqbnvdTpqkiQI9aoYG06ccR50iY2Y\nJye8sLCHQXhDZYfdGFPR65N2veKQPolYgk95DL2587V668VjfqzlBIRkOXj5UkJ5\n50pxCzaXItn52bBmsW9QqXAyIxYFn4f1pT95NVGj+sE23FfSAS3O0qq4yTL42Czn\nSvq378PXak/OaTOJQ+xOAprnnPepEadPDcqEUe5PGSwejJGQd654dUk+VoTdHBTU\njRPdg0FkGI+PB6dpZKhSoeePpvFBznG9R5amDx/COCVzFx1YwhHpbDGMwiNLJqeb\nExiGT5o2O4GugV5RTWRFYuKr1xSTAHiY+g3fCzhQZCD+NGGuaPbkjRGjptwiDpMR\n3CgnkdZh6BqeCpnSiI6tQYpJ9ms5xcCSeTsyf4hisCbawHqbDmCjsuXsMw0WP6VG\nnyYwJ1gwR/RHHe44+zfgv/U7hfULTIb8yi/n24a2FVV0kEAF79UUQGLW7364rXGY\njrIF8vhATZbGAMQiQh1MJMV0kcM8pmqUawDSvZ/llQMhr3OgMybZ2dAsakHVWU2I\nffABGupX3vTONzkpGVYwJIJ21T0QXTPrZgUMzPX/bH+3BHog0QjJ7T3sp0aG4AKT\nBmzYDaU9rIUs47S6TqxBXRQW4xyyy7XMQvXfbe4tExjUkgNfOHQ/5TUjUuBSfjwS\nKZkCAwEAAaNTMFEwHQYDVR0OBBYEFDqF7FNIKOPtvfO6hmhXV6H35l0TMB8GA1Ud\nIwQYMBaAFDqF7FNIKOPtvfO6hmhXV6H35l0TMA8GA1UdEwEB/wQFMAMBAf8wDQYJ\nKoZIhvcNAQELBQADggIBAJ+vbD/9ajM9lOkBqKw2b4wb3Hs7A9olUeBzhnEH5hRI\ncXK+2CYvXf4PHfSyPSy33bhCeTqyeWjDN0eBM76tVUNu92/ft2Vlch27CoJjvkAK\nWO/+YiakgjAVC0IftAvs2YvZ54I6uU1C0EmdE1FcvDWAedyCypcl4871r4M8a55k\nJYg2FpfqOBJMFn9yBW1EkJlTPzzobP1H0q+GKXIMTLvyGRWrpb90DXxJu1i4jdtZ\n36sn6bb6TtT4pUC4OuhDvQ1N/LEbzKVTfRYBoMnEdlooybgZFu5t4uE0AJUgsRWq\nqnlHx2OMMBhhid+qjzo6jXXzXtIn8NjlF/IrwrGO0YrekVTMqKH5sx+4rFF0BO8X\n74N/fwZMHR6p3Zps4D72rogNGhmjZDBSt4tPVARPhAUbWXhRTPB1NunHvwHutfRk\nbBnyjC0BtKoYTqgPLOB4pkdGuuZ6E4dCZfzIE2s98QvY/RBYTUk+D2cJBuVC93RN\nv5wlx0WS46TNRWW0XP+P6cgPbkG5owqTyihuUx4eTh3Rf19wU1W+0wGQDFQ69uLL\n1T3Tkpg9btk/mhTWz4tu62r6NgwibM3KrGEJk0/oLq0z5qe52KW1mMRzRTGIb6pn\nGbGH8xZo2lxZcHzLDWVadXTdryUPDiFE90yyv6tW3GxJTkoi0BIWjYz3Wmf8qieU\n--
---END CERTIFICATE-----" - volumeMounts: + config: + volume: + storageClass: "local-path" + users: + ngb: + - createdb + databases: + ngb: ngb + preparedDatabases: + ngb: + extensions: + postgis: public + + trusted-issuers-list: + # only open for clean up in the tests + ingress: + til: + enabled: true + hosts: + - host: til-provider.127.0.0.1.nip.io + paths: + - / + + credentials-config-service: + ingress: + enabled: true + hosts: + - host: provider-ccs.127.0.0.1.nip.io + paths: + - "/" + + vcverifier: + ingress: + enabled: true + hosts: + - host: provider-verifier.127.0.0.1.nip.io + paths: + - "/" + deployment: + logging: + level: DEBUG + verifier: + tirAddress: http://tir.127.0.0.1.nip.io:8080/ + did: ${DID} + server: + host: http://provider-verifier.127.0.0.1.nip.io:8080 + configRepo: + configEndpoint: http://credentials-config-service:8080 + additionalVolumes: - name: root-ca - mountPath: /root-ca + emptyDir: {} - name: ca-to-add - mountPath: /root-ca/cacert.pem - subPath: cacert.pem - - name: get-did - image: ubuntu - command: - - /bin/bash - args: - - -ec - - | - #!/bin/bash - apt-get -y update; apt-get -y install wget; apt-get -y install gettext-base - cd /did-material - wget http://did-helper:3002/did-material/did.env - export $(cat /did-material/did.env) - cp /original-conf/server.yaml /alternative-conf/server.yaml - envsubst < /alternative-conf/server.yaml - volumeMounts: - - name: did-material - mountPath: /did-material - - name: config-volume - mountPath: /original-conf - - name: alternative-conf - mountPath: /alternative-conf - - name: register-at-tir - image: ubuntu - command: - - /bin/bash - args: - - -ec - - | - #!/bin/bash - source /did-material/did.env - apt-get -y update; apt-get -y install curl - curl -X 'POST' 'http://tir.trust-anchor.svc.cluster.local:8080/issuer' -H 'Content-Type: application/json' -d "{\"did\": \"${DID}\", \"credentials\": []}" - volumeMounts: - - name: did-material - mountPath: /did-material -mysql: - primary: - 
persistence: - enabled: false - secondary: - persistence: - enabled: false -postgis: - primary: - persistence: - enabled: false - readReplicas: - persistence: - enabled: false -postgresql: - primary: - persistence: - enabled: false - readReplicas: - persistence: - enabled: false + secret: + secretName: root-ca + additionalVolumeMounts: + - name: root-ca + mountPath: /etc/ssl/cert.pem + subPath: cert.pem + additionalEnvVars: + - name: HTTPS_PROXY + value: "http://squid-proxy.infra.svc.cluster.local:8888" + - name: HTTP_PROXY + value: "http://squid-proxy.infra.svc.cluster.local:8888" + - name: NO_PROXY + value: "credentials-config-service,w3.org,trusted-issuers-list" + initContainers: + - name: add-root-ca + image: alpine:3.21.3 + command: + - /bin/sh + args: + - -c + - | + #!/bin/sh + cp /etc/ssl/cert.pem /root-ca/cert.pem + cat /root-ca/cacert.pem >> /root-ca/cert.pem + env: + - name: CA_TO_ADD + value: "-----BEGIN CERTIFICATE-----\nMIIFnDCCA4SgAwIBAgIBATANBgkqhkiG9w0BAQsFADBnMQswCQYDVQQGEwJERTEP\nMA0GA1UECAwGU2F4b255MRAwDgYDVQQHDAdEcmVzZGVuMRMwEQYDVQQKDApGSUNP\nREVTIENBMRMwEQYDVQQDDApGSUNPREVTLUNBMQswCQYDVQQFEwIwMTAeFw0yNTAy\nMjAwNzUwNDBaFw0zNTAyMTgwNzUwNDBaMGcxCzAJBgNVBAYTAkRFMQ8wDQYDVQQI\nDAZTYXhvbnkxEDAOBgNVBAcMB0RyZXNkZW4xEzARBgNVBAoMCkZJQ09ERVMgQ0Ex\nEzARBgNVBAMMCkZJQ09ERVMtQ0ExCzAJBgNVBAUTAjAxMIICIjANBgkqhkiG9w0B\nAQEFAAOCAg8AMIICCgKCAgEAwJguJDSWVxpHqbnvdTpqkiQI9aoYG06ccR50iY2Y\nJye8sLCHQXhDZYfdGFPR65N2veKQPolYgk95DL2587V668VjfqzlBIRkOXj5UkJ5\n50pxCzaXItn52bBmsW9QqXAyIxYFn4f1pT95NVGj+sE23FfSAS3O0qq4yTL42Czn\nSvq378PXak/OaTOJQ+xOAprnnPepEadPDcqEUe5PGSwejJGQd654dUk+VoTdHBTU\njRPdg0FkGI+PB6dpZKhSoeePpvFBznG9R5amDx/COCVzFx1YwhHpbDGMwiNLJqeb\nExiGT5o2O4GugV5RTWRFYuKr1xSTAHiY+g3fCzhQZCD+NGGuaPbkjRGjptwiDpMR\n3CgnkdZh6BqeCpnSiI6tQYpJ9ms5xcCSeTsyf4hisCbawHqbDmCjsuXsMw0WP6VG\nnyYwJ1gwR/RHHe44+zfgv/U7hfULTIb8yi/n24a2FVV0kEAF79UUQGLW7364rXGY\njrIF8vhATZbGAMQiQh1MJMV0kcM8pmqUawDSvZ/llQMhr3OgMybZ2dAsakHVWU2I\nffABGupX3vTONzkpGVYwJIJ21T0QXTPrZgUMzPX/bH+3BHog0QjJ7T3sp0aG4AK
T\nBmzYDaU9rIUs47S6TqxBXRQW4xyyy7XMQvXfbe4tExjUkgNfOHQ/5TUjUuBSfjwS\nKZkCAwEAAaNTMFEwHQYDVR0OBBYEFDqF7FNIKOPtvfO6hmhXV6H35l0TMB8GA1Ud\nIwQYMBaAFDqF7FNIKOPtvfO6hmhXV6H35l0TMA8GA1UdEwEB/wQFMAMBAf8wDQYJ\nKoZIhvcNAQELBQADggIBAJ+vbD/9ajM9lOkBqKw2b4wb3Hs7A9olUeBzhnEH5hRI\ncXK+2CYvXf4PHfSyPSy33bhCeTqyeWjDN0eBM76tVUNu92/ft2Vlch27CoJjvkAK\nWO/+YiakgjAVC0IftAvs2YvZ54I6uU1C0EmdE1FcvDWAedyCypcl4871r4M8a55k\nJYg2FpfqOBJMFn9yBW1EkJlTPzzobP1H0q+GKXIMTLvyGRWrpb90DXxJu1i4jdtZ\n36sn6bb6TtT4pUC4OuhDvQ1N/LEbzKVTfRYBoMnEdlooybgZFu5t4uE0AJUgsRWq\nqnlHx2OMMBhhid+qjzo6jXXzXtIn8NjlF/IrwrGO0YrekVTMqKH5sx+4rFF0BO8X\n74N/fwZMHR6p3Zps4D72rogNGhmjZDBSt4tPVARPhAUbWXhRTPB1NunHvwHutfRk\nbBnyjC0BtKoYTqgPLOB4pkdGuuZ6E4dCZfzIE2s98QvY/RBYTUk+D2cJBuVC93RN\nv5wlx0WS46TNRWW0XP+P6cgPbkG5owqTyihuUx4eTh3Rf19wU1W+0wGQDFQ69uLL\n1T3Tkpg9btk/mhTWz4tu62r6NgwibM3KrGEJk0/oLq0z5qe52KW1mMRzRTGIb6pn\nGbGH8xZo2lxZcHzLDWVadXTdryUPDiFE90yyv6tW3GxJTkoi0BIWjYz3Wmf8qieU\n-----END CERTIFICATE-----" + volumeMounts: + - name: root-ca + mountPath: /root-ca + - name: ca-to-add + mountPath: /root-ca/cacert.pem + subPath: cacert.pem + - name: register-at-tir + image: curlimages/curl:8.18.0 + command: + - /bin/sh + args: + - -ec + - | + curl -X 'POST' 'http://tir.trust-anchor.svc.cluster.local:8080/issuer' -H 'Content-Type: application/json' -d "{\"did\": \"did:web:did-provider.127.0.0.1.nip.io\", \"credentials\": []}" + + odrlAuthorization: + + apisix: + etcd: + replicaCount: 1 + persistence: + enabled: false + image: + debug: true + dataPlane: + ingress: + enabled: true + hostname: mp-data-service.127.0.0.1.nip.io + extraHosts: + - name: mp-tmf-api.127.0.0.1.nip.io + path: / + catchAllRoute: + enabled: false + routes: |- + - uri: /.well-known/openid-configuration + host: mp-data-service.127.0.0.1.nip.io + upstream: + nodes: + verifier:3000: 1 + type: roundrobin + plugins: + proxy-rewrite: + uri: /services/data-service/.well-known/openid-configuration + - uri: /.well-known/data-space-configuration + upstream: + nodes: + 
dsconfig:3002: 1 + type: roundrobin + plugins: + proxy-rewrite: + uri: /.well-known/data-space-configuration/data-space-configuration.json + response-rewrite: + headers: + set: + content-type: application/json + - uri: /* + host: mp-data-service.127.0.0.1.nip.io + upstream: + nodes: + data-service-scorpio:9090: 1 + type: roundrobin + plugins: + openid-connect: + bearer_only: true + use_jwks: true + client_id: data-service + client_secret: unused + ssl_verify: false + discovery: http://verifier:3000/services/data-service/.well-known/openid-configuration + opa: + host: "http://localhost:8181" + policy: policy/main + with_body: true + - uri: /.well-known/openid-configuration + host: mp-tmf-api.127.0.0.1.nip.io + upstream: + nodes: + verifier:3000: 1 + type: roundrobin + plugins: + proxy-rewrite: + uri: /services/tmf-api/.well-known/openid-configuration + - uri: /* + host: mp-tmf-api.127.0.0.1.nip.io + upstream: + nodes: + tm-forum-api-svc:8080: 1 + type: roundrobin + plugins: + openid-connect: + bearer_only: true + use_jwks: true + client_id: contract-management + client_secret: unused + ssl_verify: false + discovery: http://verifier:3000/services/tmf-api/.well-known/openid-configuration + opa: + host: "http://localhost:8181" + policy: policy/main + with_body: true + + odrl-pap: + additionalEnvVars: + - name: GENERAL_ORGANIZATION_DID + value: did:web:did-provider.127.0.0.1.nip.io + ingress: + enabled: true + hosts: + - host: pap-provider.127.0.0.1.nip.io + paths: + - "/" + did: enabled: true config: @@ -253,6 +252,7 @@ scorpio: paths: - "/" ccs: + enabled: true defaultOidcScope: name: default oidcScopes: 
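Review bot: The verifier config on the new side still carries `did: ${DID}` while this hunk deletes the `get-did` init container, the `did-material` volume and the `alternativeConfig` entry that previously resolved that placeholder at start-up, and the other DID consumers in the same hunk (`odrl-pap.additionalEnvVars.GENERAL_ORGANIZATION_DID` and the `register-at-tir` curl body) now hard-code `did:web:did-provider.127.0.0.1.nip.io`. Unless the test harness substitutes `${DID}` before the chart is applied, the verifier would run with a literal placeholder as its DID and would not match the DID registered at the trusted issuers registry; aligning it to `did: did:web:did-provider.127.0.0.1.nip.io` keeps the three in sync. Separately, `CA_TO_ADD` is still exported as an inline PEM on the `add-root-ca` init container, but its script only reads `/root-ca/cacert.pem` from the `ca-to-add` secret mount, so the env var is dead configuration that can silently diverge from the secret and should be dropped (or become the single source). The `openid-connect` plugins keep `ssl_verify: false`, which is harmless for the plain-http in-cluster `discovery` URLs used here but deserves a short comment so it is not carried into a TLS-fronted deployment.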
@@ -270,49 +270,19 @@ scorpio: type: gaia-x trustedIssuersLists: - http://trusted-issuers-list:8080 -odrl-pap: - deployment: - initContainers: - - name: get-did - image: ubuntu - command: - - /bin/bash - args: - - -ec - - | - #!/bin/bash - apt-get -y update; apt-get -y install wget - cd /did-material - wget http://did-helper:3002/did-material/did.env - volumeMounts: - - name: did-material - mountPath: /did-material - additionalVolumes: - - name: did-material - emptyDir: {} - additionalVolumeMounts: - - name: did-material - mountPath: /did-material - command: - - /bin/sh - args: - - -ec - - | - #!/bin/sh - source /did-material/did.env - export GENERAL_ORGANIZATION_DID=$DID - ./application -Dquarkus.http.host=0.0.0.0 - ingress: - enabled: true - hosts: - - host: pap-provider.127.0.0.1.nip.io - paths: - - "/" + tm-forum-api: + defaultConfig: + contextUrl: https://uri.etsi.org/ngsi-ld/v1/ngsi-ld-core-context.jsonld + allInOne: + enabled: true + apiProxy: + enabled: false registration: ccs: defaultOidcScope: - credentialType: UserCredential + credentialTypes: + - UserCredential trustedParticipantsLists: http://tir.trust-anchor.svc.cluster.local:8080 ingress: enabled: true 
@@ -321,14 +291,25 @@ tm-forum-api: paths: - / contract-management: + services: + ## Config for the TM Forum Service hosting the APIs + product-order: + ## URL of the TM Forum Service hosting the Product Ordering API + url: http://tm-forum-api-svc:8080 + party: + ## URL of the TM Forum Service hosting the Party API + url: http://tm-forum-api-svc:8080 + product-catalog: + ## URL of the TM Forum Service hosting the Product Catalog API + url: http://tm-forum-api-svc:8080 + service-catalog: + ## URL of the TM Forum Service hosting the Service Catalog API + url: http://tm-forum-api-svc:8080 + tmforum-agreement-api: + ## URL of the TM Forum Service hosting the Agreement API + url: http://tm-forum-api-svc:8080 + quote: + ## URL for TM Forum Service hosting the Quote API + url: http://tm-forum-api-svc:8080 til: - credentialType: OperatorCredential -trusted-issuers-list: - # only open for clean up in the tests - ingress: - til: - enabled: true - hosts: - - host: til-provider.127.0.0.1.nip.io - paths: - - / + credentialType: OperatorCredential \ No newline at end of file diff --git a/k3s/provider.yaml b/k3s/provider.yaml index 561326a..8912a33 100644 --- a/k3s/provider.yaml +++ b/k3s/provider.yaml 
@@ -1,433 +1,539 @@ -apisix: - etcd: - replicaCount: 1 - image: - debug: true - controlPlane: - service: - type: LoadBalancer - address: http://provider-apisix-control-plane:9180 - dataPlane: - ingress: +decentralizedIam: + enabled: true + vcAuthentication: + postgres-operator: + enabled: false + managedPostgres: enabled: true - hostname: mp-data-service.127.0.0.1.nip.io - extraHosts: - - name: mp-tmf-api.127.0.0.1.nip.io - path: / - - name: contract-management.127.0.0.1.nip.io - path: / - - name: dsp-mp-operations.127.0.0.1.nip.io - path: / - - name: dcp-mp-operations.127.0.0.1.nip.io - path: / - - name: identityhub-mp-operations.127.0.0.1.nip.io - path: / - - name: identityhub-management-mp-operations.127.0.0.1.nip.io - path: / - - name: vault-mp-operations.127.0.0.1.nip.io - path: / - catchAllRoute: - enabled: false - routes: - - uri: /.well-known/openid-configuration - host: mp-data-service.127.0.0.1.nip.io - upstream: - nodes: - verifier:3000: 1 - type: roundrobin - plugins: - proxy-rewrite: - uri: /services/data-service/.well-known/openid-configuration - - uri: /.well-known/openid-configuration - host: contract-management.127.0.0.1.nip.io - upstream: - nodes: - verifier:3000: 1 - type: roundrobin - plugins: - proxy-rewrite: - uri: /services/contract-management/.well-known/openid-configuration - - uri: /.well-known/data-space-configuration - upstream: - nodes: - dsconfig:3002: 1 - type: roundrobin - plugins: - proxy-rewrite: - uri: /.well-known/data-space-configuration/data-space-configuration.json - response-rewrite: - headers: - set: - content-type: application/json - - uri: /* - host: mp-data-service.127.0.0.1.nip.io - upstream: - nodes: - data-service-scorpio:9090: 1 - type: roundrobin - plugins: - openid-connect: - proxy_opts: - https_proxy: http://squid-proxy.infra.svc.cluster.local:8888 - bearer_only: true - use_jwks: true - client_id: data-service - client_secret: unused - ssl_verify: false - discovery: 
https://verifier.mp-operations.org/services/data-service/.well-known/openid-configuration - opa: - host: "http://localhost:8181" - policy: policy/main - with_body: true - - uri: /.well-known/openid-configuration - host: mp-tmf-api.127.0.0.1.nip.io - upstream: - nodes: - verifier:3000: 1 - type: roundrobin - plugins: - proxy-rewrite: - uri: /services/tmf-api/.well-known/openid-configuration - - uri: /.well-known/openid-configuration - host: dsp-mp-operations.127.0.0.1.nip.io - upstream: - nodes: - verifier:3000: 1 - type: roundrobin - plugins: - proxy-rewrite: - uri: /services/dsp/.well-known/openid-configuration - - uri: /* - host: dsp-mp-operations.127.0.0.1.nip.io - upstream: - nodes: - provider-fdsc-edc-oid4vc:8080: 1 - plugins: - openid-connect: - proxy_opts: - https_proxy: http://squid-proxy.infra.svc.cluster.local:8888 - bearer_only: true - use_jwks: true - client_id: dsp - client_secret: unused - ssl_verify: false - discovery: https://verifier.mp-operations.org/services/dsp/.well-known/openid-configuration - - uri: /api/identity/* - host: identityhub-management-mp-operations.127.0.0.1.nip.io - upstream: - nodes: - identityhub-service:8082: 1 - - uri: /api/credentials/* - host: identityhub-mp-operations.127.0.0.1.nip.io - upstream: - nodes: - identityhub-service:8083: 1 - - uri: /* - host: dcp-mp-operations.127.0.0.1.nip.io - upstream: - nodes: - provider-fdsc-edc-dcp:8080: 1 - - uri: /* - host: mp-tmf-api.127.0.0.1.nip.io - upstream: - nodes: - tm-forum-api:8080: 1 - type: roundrobin - plugins: - openid-connect: - proxy_opts: - https_proxy: http://squid-proxy.infra.svc.cluster.local:8888 - bearer_only: true - use_jwks: true - client_id: contract-management - client_secret: unused - ssl_verify: false - discovery: https://verifier.mp-operations.org/services/tmf-api/.well-known/openid-configuration - opa: - host: "http://localhost:8181" - policy: policy/main - with_body: true - - uri: /* - host: contract-management.127.0.0.1.nip.io - upstream: - nodes: - 
contract-management:8080: 1 - type: roundrobin - plugins: - openid-connect: - proxy_opts: - https_proxy: http://squid-proxy.infra.svc.cluster.local:8888 - bearer_only: true - use_jwks: true - client_id: contract-management - client_secret: unused - ssl_verify: false - discovery: https://verifier.mp-operations.org/services/contract-management/.well-known/openid-configuration - opa: - host: "http://localhost:8181" - policy: policy/main - with_body: true - - uri: /* - host: vault-mp-operations.127.0.0.1.nip.io - upstream: - nodes: - provider-vault:8200: 1 -credentials-config-service: - ingress: - enabled: true - hosts: - - host: provider-ccs.127.0.0.1.nip.io - paths: - - "/" - additionalEnvVars: - - name: FLYWAY_DATASOURCES_DEFAULT_LOCATIONS - value: classpath:db/migration/common,classpath:db/migration/mysql - registration: - enabled: true - services: - - id: bae - defaultOidcScope: "openid learcredential" - authorizationType: "FRONTEND_V2" - oidcScopes: - "openid learcredential": - credentials: - - type: LegalPersonCredential - trustedParticipantsLists: - - http://tir.127.0.0.1.nip.io - trustedIssuersLists: - - http://trusted-issuers-list:8080 - jwtInclusion: - enabled: true - fullInclusion: true - dcql: - credentials: - - id: legal-person-query - format: "vc+sd-jwt" - multiple: false - claims: - - id: name-claim - path: - - firstName - - id: roles-claim - path: - - roles - meta: - vct_values: - - LegalPersonCredential - - id: data-service - defaultOidcScope: "default" - authorizationType: "DEEPLINK" - oidcScopes: - "default": - credentials: - - type: UserCredential - trustedParticipantsLists: - - http://tir.127.0.0.1.nip.io - trustedIssuersLists: - - http://trusted-issuers-list:8080 - jwtInclusion: - enabled: true - fullInclusion: true - dcql: - credentials: - - id: user-query - format: "jwt_vc_json" - multiple: true - meta: - type_values: - - UserCredential - "legal": - credentials: - - type: LegalPersonCredential - trustedParticipantsLists: - - 
http://tir.127.0.0.1.nip.io - trustedIssuersLists: - - http://trusted-issuers-list:8080 - jwtInclusion: - enabled: true - fullInclusion: true - dcql: - credentials: - - id: legal-person-query - format: "dc+sd-jwt" - multiple: false - claims: - - id: name-claim - path: - - firstName - - id: roles-claim - path: - - roles - meta: - vct_values: - - LegalPersonCredential - "operator": - credentials: - - type: OperatorCredential - trustedParticipantsLists: - - http://tir.127.0.0.1.nip.io - trustedIssuersLists: - - http://trusted-issuers-list:8080 - jwtInclusion: - enabled: true - fullInclusion: true - dcql: - credentials: - - id: operator-query - format: "jwt_vc_json" - multiple: true - meta: - type_values: - - OperatorCredential - - id: dsp - defaultOidcScope: "openid" - authorizationType: "DEEPLINK" - oidcScopes: - "openid": - credentials: - - type: MembershipCredential - trustedParticipantsLists: - - http://tir.127.0.0.1.nip.io - trustedIssuersLists: - - "*" - jwtInclusion: - enabled: true - fullInclusion: true - dcql: - credentials: - - id: mc-query - format: "jwt_vc_json" - multiple: true - meta: - type_values: - - MembershipCredential - - id: contract-management - defaultOidcScope: "external-marketplace" - authorizationType: "DEEPLINK" - oidcScopes: - "external-marketplace": - credentials: - - type: MarketplaceCredential - trustedParticipantsLists: - - http://tir.127.0.0.1.nip.io - trustedIssuersLists: - - "*" - jwtInclusion: - enabled: true - fullInclusion: true - dcql: - credentials: - - id: mc-query - format: "jwt_vc_json" - multiple: true - meta: - type_values: - - MarketplaceCredential -vcverifier: - ingress: - enabled: true - annotations: - traefik.ingress.kubernetes.io/router.tls: "true" - tls: - - hosts: - - verifier.mp-operations.org - secretName: tls-secret - hosts: - - host: verifier.mp-operations.org - paths: - - "/" - deployment: - image: - tag: 5.0.0-PRE - repository: quay.io/wi_stefan/vcverifier - logging: - level: DEBUG - verifier: - tirAddress: 
http://tir.127.0.0.1.nip.io/ - did: did:web:mp-operations.org - supportedModes: ["byValue", "byReference"] - clientIdentification: - keyPath: /signing-key/client.key.pem - requestKeyAlgorithm: ES256 - id: x509_san_dns:verifier.mp-operations.org - certificatePath: /certificate/client-chain-bundle.cert.pem - server: - host: https://verifier.mp-operations.org - configRepo: - configEndpoint: http://credentials-config-service:8080 - additionalVolumes: - - name: signing-key - secret: - secretName: signing-key - - name: cert-chain - secret: - secretName: cert-chain - # add the self generated root ca to the system truststore - - name: root-ca - emptyDir: {} - - name: ca-to-add - secret: - secretName: root-ca - additionalVolumeMounts: - - name: signing-key - mountPath: /signing-key - - name: cert-chain - mountPath: /certificate - # add the self generated root ca to the system truststore - - name: root-ca - mountPath: /etc/ssl/cert.pem - subPath: cert.pem - additionalEnvVars: - - name: HTTPS_PROXY - value: "http://squid-proxy.infra.svc.cluster.local:8888" - - name: HTTP_PROXY - value: "http://squid-proxy.infra.svc.cluster.local:8888" - - name: NO_PROXY - value: "credentials-config-service,w3.org,trusted-issuers-list" - initContainers: - # add the self generated root ca to the system truststore - - name: add-root-ca - image: alpine:3.21.3 - command: - - /bin/sh - args: - - -c - - | - #!/bin/sh - cp /etc/ssl/cert.pem /root-ca/cert.pdata.typeem - cat /root-ca/cacert.pem >> /root-ca/cert.pem - volumeMounts: + config: + volume: + storageClass: "local-path" + users: + ngb: + - createdb + rainbow: + - createdb + databases: + ngb: ngb + rainbow: rainbow + preparedDatabases: + ngb: + extensions: + postgis: public + trusted-issuers-list: + deployment: + image: + tag: "0.8.0" # ToDo: remove when updating dependencies + resources: + limits: + cpu: 300m + memory: 512Mi + requests: + cpu: 100m + memory: 128Mi + # only open for clean up in the tests + ingress: + til: + enabled: true + 
hosts: + - host: til-provider.127.0.0.1.nip.io + paths: + - / + credentials-config-service: + ingress: + enabled: true + hosts: + - host: provider-ccs.127.0.0.1.nip.io + paths: + - "/" + additionalEnvVars: + - name: FLYWAY_DATASOURCES_DEFAULT_LOCATIONS + value: classpath:db/migration/common,classpath:db/migration/mysql + registration: + enabled: true + services: + - id: tpp-service + defaultOidcScope: "operator" + authorizationType: "DEEPLINK" + oidcScopes: + "operator": + credentials: + - type: OperatorCredential + trustedParticipantsLists: + - http://tir.127.0.0.1.nip.io + trustedIssuersLists: + - http://trusted-issuers-list:8080 + jwtInclusion: + enabled: true + fullInclusion: true + - id: bae + defaultOidcScope: "openid learcredential" + authorizationType: "FRONTEND_V2" + oidcScopes: + "openid learcredential": + credentials: + - type: LegalPersonCredential + trustedParticipantsLists: + - http://tir.127.0.0.1.nip.io + trustedIssuersLists: + - http://trusted-issuers-list:8080 + jwtInclusion: + enabled: true + fullInclusion: true + dcql: + credentials: + - id: legal-person-query + format: "vc+sd-jwt" + multiple: false + claims: + - id: name-claim + path: + - firstName + - id: roles-claim + path: + - roles + meta: + vct_values: + - LegalPersonCredential + - id: data-service + defaultOidcScope: "default" + authorizationType: "DEEPLINK" + oidcScopes: + "default": + credentials: + - type: UserCredential + trustedParticipantsLists: + - http://tir.127.0.0.1.nip.io + trustedIssuersLists: + - http://trusted-issuers-list:8080 + jwtInclusion: + enabled: true + fullInclusion: true + dcql: + credentials: + - id: user-query + format: "jwt_vc_json" + multiple: true + meta: + type_values: + - UserCredential + "legal": + credentials: + - type: LegalPersonCredential + trustedParticipantsLists: + - http://tir.127.0.0.1.nip.io + trustedIssuersLists: + - http://trusted-issuers-list:8080 + jwtInclusion: + enabled: true + fullInclusion: true + dcql: + credentials: + - id: 
legal-person-query + format: "dc+sd-jwt" + multiple: false + claims: + - id: name-claim + path: + - firstName + - id: roles-claim + path: + - roles + meta: + vct_values: + - LegalPersonCredential + "operator": + credentials: + - type: OperatorCredential + trustedParticipantsLists: + - http://tir.127.0.0.1.nip.io + trustedIssuersLists: + - http://trusted-issuers-list:8080 + jwtInclusion: + enabled: true + fullInclusion: true + dcql: + credentials: + - id: operator-query + format: "jwt_vc_json" + multiple: true + meta: + type_values: + - OperatorCredential + - id: dsp + defaultOidcScope: "openid" + authorizationType: "DEEPLINK" + oidcScopes: + "openid": + credentials: + - type: MembershipCredential + trustedParticipantsLists: + - http://tir.127.0.0.1.nip.io + trustedIssuersLists: + - "*" + jwtInclusion: + enabled: true + fullInclusion: true + dcql: + credentials: + - id: mc-query + format: "jwt_vc_json" + multiple: true + meta: + type_values: + - MembershipCredential + - id: contract-management + defaultOidcScope: "external-marketplace" + authorizationType: "DEEPLINK" + oidcScopes: + "external-marketplace": + credentials: + - type: MarketplaceCredential + trustedParticipantsLists: + - http://tir.127.0.0.1.nip.io + trustedIssuersLists: + - "*" + jwtInclusion: + enabled: true + fullInclusion: true + dcql: + credentials: + - id: mc-query + format: "jwt_vc_json" + multiple: true + meta: + type_values: + - MarketplaceCredential + vcverifier: + ingress: + enabled: true + annotations: + traefik.ingress.kubernetes.io/router.tls: "true" + tls: + - hosts: + - verifier.mp-operations.org + secretName: tls-secret + hosts: + - host: verifier.mp-operations.org + paths: + - "/" + deployment: + logging: + level: DEBUG + verifier: + tirAddress: http://tir.127.0.0.1.nip.io/ + did: did:web:mp-operations.org + supportedModes: ["byValue", "byReference"] + clientIdentification: + keyPath: /signing-key/client.key.pem + requestKeyAlgorithm: ES256 + id: x509_san_dns:verifier.mp-operations.org 
+ certificatePath: /certificate/client-chain-bundle.cert.pem + server: + host: https://verifier.mp-operations.org + configRepo: + configEndpoint: http://credentials-config-service:8080 + additionalVolumes: + - name: signing-key + secret: + secretName: signing-key + - name: cert-chain + secret: + secretName: cert-chain + # add the self generated root ca to the system truststore - name: root-ca - mountPath: /root-ca + emptyDir: {} - name: ca-to-add - mountPath: /root-ca/cacert.pem - subPath: cacert.pem - - name: register-at-tir - image: ubuntu - command: - - /bin/bash - args: - - -ec - - | - #!/bin/bash - apt-get -y update; apt-get -y install curl - curl -X 'POST' 'http://tir.trust-anchor.svc.cluster.local:8080/issuer' -H 'Content-Type: application/json' -d "{\"did\": \"did:web:mp-operations.org\", \"credentials\": []}" -mysql: - resourcesPreset: none - primary: - persistence: - enabled: false - secondary: - persistence: - enabled: false -postgis: - primary: - resourcesPreset: none - persistence: - enabled: false - readReplicas: - persistence: - enabled: false + secret: + secretName: root-ca + additionalVolumeMounts: + - name: signing-key + mountPath: /signing-key + - name: cert-chain + mountPath: /certificate + # add the self generated root ca to the system truststore + - name: root-ca + mountPath: /etc/ssl/cert.pem + subPath: cert.pem + additionalEnvVars: + - name: HTTPS_PROXY + value: "http://squid-proxy.infra.svc.cluster.local:8888" + - name: HTTP_PROXY + value: "http://squid-proxy.infra.svc.cluster.local:8888" + - name: NO_PROXY + value: "credentials-config-service,w3.org,trusted-issuers-list" + initContainers: + # add the self generated root ca to the system truststore + - name: add-root-ca + image: alpine:3.21.3 + command: + - /bin/sh + args: + - -c + - | + #!/bin/sh + cp /etc/ssl/cert.pem /root-ca/cert.pem + cat /root-ca/cacert.pem >> /root-ca/cert.pem + volumeMounts: + - name: root-ca + mountPath: /root-ca + - name: ca-to-add + mountPath: /root-ca/cacert.pem 
+ subPath: cacert.pem + - name: register-at-tir + image: curlimages/curl:8.18.0 + command: + - /bin/sh + args: + - -ec + - | + curl -X 'POST' 'http://tir.trust-anchor.svc.cluster.local:8080/issuer' -H 'Content-Type: application/json' -d "{\"did\": \"did:web:mp-operations.org\", \"credentials\": []}" + odrlAuthorization: + apisix: + etcd: + replicaCount: 1 + persistence: + enabled: false + apisix: + deployment: + mode: standalone + role: "data_plane" + role_data_plane: + config_provider: "yaml" + catchAllRoute: + enabled: false + ingress: + enabled: true + hosts: + - host: mp-data-service.127.0.0.1.nip.io + paths: ["/"] + - host: tpp-data-service.127.0.0.1.nip.io + paths: ["/"] + - host: tpp-service.127.0.0.1.nip.io + paths: ["/"] + - host: mp-tmf-api.127.0.0.1.nip.io + paths: ["/"] + - host: contract-management.127.0.0.1.nip.io + paths: ["/"] + - host: dsp-mp-operations.127.0.0.1.nip.io + paths: ["/"] + - host: dcp-mp-operations.127.0.0.1.nip.io + paths: ["/"] + - host: identityhub-mp-operations.127.0.0.1.nip.io + paths: ["/"] + - host: identityhub-management-mp-operations.127.0.0.1.nip.io + paths: ["/"] + - host: vault-mp-operations.127.0.0.1.nip.io + paths: ["/"] + catchAllRoute: + enabled: false + routes: + - uri: /.well-known/openid-configuration + host: tpp-service.127.0.0.1.nip.io + upstream: + nodes: + verifier:3000: 1 + type: roundrobin + plugins: + proxy-rewrite: + uri: /services/tpp-service/.well-known/openid-configuration + - uri: /.well-known/openid-configuration + host: mp-data-service.127.0.0.1.nip.io + upstream: + nodes: + verifier:3000: 1 + type: roundrobin + plugins: + proxy-rewrite: + uri: /services/data-service/.well-known/openid-configuration + - uri: /.well-known/openid-configuration + host: contract-management.127.0.0.1.nip.io + upstream: + nodes: + verifier:3000: 1 + type: roundrobin + plugins: + proxy-rewrite: + uri: /services/contract-management/.well-known/openid-configuration + - uri: /.well-known/data-space-configuration + upstream: + 
nodes: + dsconfig:3002: 1 + type: roundrobin + plugins: + proxy-rewrite: + uri: /.well-known/data-space-configuration/data-space-configuration.json + response-rewrite: + headers: + set: + content-type: application/json + - uri: /* + host: tpp-data-service.127.0.0.1.nip.io + upstream: + nodes: + data-service-scorpio:9090: 1 + type: roundrobin + plugins: + openid-connect: + proxy_opts: + https_proxy: http://squid-proxy.infra.svc.cluster.local:8888 + bearer_only: true + use_jwks: true + client_id: contract-management + client_secret: unused + ssl_verify: false + discovery: https://verifier.mp-operations.org/services/tmf-api/.well-known/openid-configuration + opa: + host: http://localhost:8181 + policy: tpp + - uri: /* + host: mp-data-service.127.0.0.1.nip.io + upstream: + nodes: + data-service-scorpio:9090: 1 + type: roundrobin + plugins: + openid-connect: + proxy_opts: + https_proxy: http://squid-proxy.infra.svc.cluster.local:8888 + bearer_only: true + use_jwks: true + client_id: data-service + client_secret: unused + ssl_verify: false + discovery: https://verifier.mp-operations.org/services/data-service/.well-known/openid-configuration + opa: + host: http://localhost:8181 + policy: policy/main + with_body: true + - uri: /.well-known/openid-configuration + host: mp-tmf-api.127.0.0.1.nip.io + upstream: + nodes: + verifier:3000: 1 + type: roundrobin + plugins: + proxy-rewrite: + uri: /services/tmf-api/.well-known/openid-configuration + - uri: /.well-known/openid-configuration + host: dsp-mp-operations.127.0.0.1.nip.io + upstream: + nodes: + verifier:3000: 1 + type: roundrobin + plugins: + proxy-rewrite: + uri: /services/dsp/.well-known/openid-configuration + - uri: /* + host: dsp-mp-operations.127.0.0.1.nip.io + upstream: + nodes: + provider-fdsc-edc-oid4vc:8080: 1 + plugins: + openid-connect: + proxy_opts: + https_proxy: http://squid-proxy.infra.svc.cluster.local:8888 + bearer_only: true + use_jwks: true + client_id: dsp + client_secret: unused + ssl_verify: false + 
discovery: https://verifier.mp-operations.org/services/dsp/.well-known/openid-configuration + - uri: /api/identity/* + host: identityhub-management-mp-operations.127.0.0.1.nip.io + upstream: + nodes: + identityhub-service:8082: 1 + - uri: /api/credentials/* + host: identityhub-mp-operations.127.0.0.1.nip.io + upstream: + nodes: + identityhub-service:8083: 1 + - uri: /* + host: dcp-mp-operations.127.0.0.1.nip.io + upstream: + nodes: + provider-fdsc-edc-dcp:8080: 1 + - uri: /* + host: mp-tmf-api.127.0.0.1.nip.io + upstream: + nodes: + tm-forum-api-svc:8080: 1 + type: roundrobin + plugins: + openid-connect: + proxy_opts: + https_proxy: http://squid-proxy.infra.svc.cluster.local:8888 + bearer_only: true + use_jwks: true + client_id: contract-management + client_secret: unused + ssl_verify: false + discovery: https://verifier.mp-operations.org/services/tmf-api/.well-known/openid-configuration + opa: + host: http://localhost:8181 + policy: policy/main + with_body: true + - uri: /* + host: contract-management.127.0.0.1.nip.io + upstream: + nodes: + contract-management:8080: 1 + type: roundrobin + plugins: + openid-connect: + proxy_opts: + https_proxy: http://squid-proxy.infra.svc.cluster.local:8888 + bearer_only: true + use_jwks: true + client_id: contract-management + client_secret: unused + ssl_verify: false + discovery: https://verifier.mp-operations.org/services/contract-management/.well-known/openid-configuration + opa: + host: http://localhost:8181 + policy: policy/main + with_body: true + - uri: /* + host: vault-mp-operations.127.0.0.1.nip.io + upstream: + nodes: + provider-vault:8200: 1 + - uri: /* + host: tpp-service.127.0.0.1.nip.io + upstream: + nodes: + rainbow:8080: 1 + plugins: + openid-connect: + proxy_opts: + https_proxy: http://squid-proxy.infra.svc.cluster.local:8888 + bearer_only: true + use_jwks: true + client_id: data-service + client_secret: unused + ssl_verify: false + discovery: 
https://verifier.mp-operations.org/services/data-service/.well-known/openid-configuration + opa: + host: http://localhost:8181 + policy: policy/main + with_body: true + + odrl-pap: + additionalEnvVars: + - name: GENERAL_ORGANIZATION_DID + value: did:web:mp-operations.org + ingress: + enabled: true + hosts: + - host: pap-provider.127.0.0.1.nip.io + paths: + - "/" + tpp: + enabled: true + transfers: + host: http://rainbow-provider.127.0.0.1.nip.io:8080 + path: transfers postgresql: primary: resourcesPreset: none @@ -444,13 +550,13 @@ did: didType: "web" hostUrl: "http://mp-operations.org" outputFormat: "json_jwk" - keystorePasswordSecretName: "did-keystore" + keystorePasswordSecretName: "provider-keystore" keystorePasswordSecretKey: "password" generateKey: enabled: false provideKeystore: enabled: true - keystoreSecretName: "did-keystore" + keystoreSecretName: "provider-keystore" keystoreSecretKey: "keystore-did.pfx" keyType: "EC" ingress: @@ -483,6 +589,13 @@ dataSpaceConfig: authenticationProtocols: - oid4vp scorpio: + resources: + limits: + cpu: "500m" + memory: 1Gi + requests: + cpu: "100m" + memory: 128Mi ingress: enabled: true # only to make it available for the test initialization @@ -490,21 +603,13 @@ scorpio: - host: scorpio-provider.127.0.0.1.nip.io paths: - "/" -odrl-pap: - deployment: - image: - tag: 1.4.2 - pullPolicy: Always - additionalEnvVars: - - name: GENERAL_ORGANIZATION_DID - value: did:web:mp-operations.org - ingress: - enabled: true - hosts: - - host: pap-provider.127.0.0.1.nip.io - paths: - - "/" tm-forum-api: + defaultConfig: + contextUrl: https://uri.etsi.org/ngsi-ld/v1/ngsi-ld-core-context.jsonld + allInOne: + enabled: true + apiProxy: + enabled: false registration: enabled: false ingress: 
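Review bot: The removed `odrl-pap` block pinned `deployment.image.tag: 1.4.2` with `pullPolicy: Always`, while the relocated block under `odrlAuthorization.odrl-pap` earlier in this diff carries no image settings, so the sub-chart's default tag now applies. If that is intentional, a comment next to the relocated block such as `# image tag inherited from the odrl-pap sub-chart default (was pinned to 1.4.2 at top level)` would save the next reader from looking for the pin. The new `tm-forum-api.defaultConfig.contextUrl` points at an externally hosted JSON-LD context, which presumably is fetched at runtime, so cluster egress for that host should be confirmed alongside the proxy settings used elsewhere in this file.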
@@ -513,36 +618,25 @@ tm-forum-api: - host: tm-forum-api.127.0.0.1.nip.io paths: - / - defaultConfig: - livenessProbe: - healthPath: /health/liveness - initialDelaySeconds: 30 - periodSeconds: 100 - successThreshold: 1 - failureThreshold: 300 - timeoutSeconds: 100 - readinessProbe: - readinessPath: /health/readiness - initialDelaySeconds: 30 - periodSeconds: 100 - successThreshold: 1 - failureThreshold: 300 - timeoutSeconds: 100 - -tpp: +# -- integration of rainbow +rainbow: enabled: true - transfers: - host: http://rainbow-provider.127.0.0.1.nip.io:8080 - path: transfers + db: + url: postgres + user: rainbow + existingSecret: rainbow.postgres.credentials.postgresql.acid.zalan.do + passwordKey: password + ingress: + enabled: true + hosts: + - host: rainbow-provider.127.0.0.1.nip.io + paths: + - / contract-management: - deployment: - image: - tag: latest - pullPolicy: Always did: did:web:mp-operations.org enableCentralMarketplace: false enableOdrlPap: true - enableRainbow: false + enableRainbow: true services: ## Config for Trusted Issuers List trusted-issuers-list: 
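Review bot: `existingSecret: rainbow.postgres.credentials.postgresql.acid.zalan.do` under `rainbow.db` hard-codes an operator-generated Secret name without stating where it comes from or that it must agree with `db.url: postgres` and `db.user: rainbow`; a comment such as `# credentials Secret created by the postgres-operator for user "rainbow" on cluster "postgres"; keep in sync with db.url/db.user` would make that coupling visible. The hunk also drops the `livenessProbe`/`readinessProbe` overrides from `tm-forum-api.defaultConfig`, so the sub-chart defaults now apply — presumably intended together with `allInOne`, but worth a line in the description. Removing `tag: latest`/`pullPolicy: Always` from `contract-management` is a good step toward reproducible deployments.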
@@ -551,22 +645,22 @@ contract-management: ## Config for the TM Forum Service hosting the APIs product-order: ## URL of the TM Forum Service hosting the Product Ordering API - url: http://provider-tm-forum-api-product-ordering-management:8080 + url: http://tm-forum-api-svc:8080 party: ## URL of the TM Forum Service hosting the Party API - url: http://provider-tm-forum-api-party-catalog:8080 + url: http://tm-forum-api-svc:8080 product-catalog: ## URL of the TM Forum Service hosting the Product Catalog API - url: http://provider-tm-forum-api-product-catalog:8080 + url: http://tm-forum-api-svc:8080 service-catalog: ## URL of the TM Forum Service hosting the Service Catalog API - url: http://provider-tm-forum-api-service-catalog:8080 + url: http://tm-forum-api-svc:8080 tmforum-agreement-api: ## URL of the TM Forum Service hosting the Agreement API - url: http://provider-tm-forum-api-agreement:8080 + url: http://tm-forum-api-svc:8080 quote: ## URL for TM Forum Service hosting the Quote API - url: http://provider-tm-forum-api-quote:8080 + url: http://tm-forum-api-svc:8080 odrl: ## URL for the ODRL-PAP url: http://odrl-pap:8080 @@ -576,15 +670,6 @@ contract-management: additionalEnvVars: - name: LOGGER_LEVELS_ROOT value: DEBUG -trusted-issuers-list: - # only open for clean up in the tests - ingress: - til: - enabled: true - hosts: - - host: til-provider.127.0.0.1.nip.io - paths: - - / mongo-operator: enabled: false managedMongo: 
@@ -613,13 +698,38 @@ managedMongo: runAsUser: 0 runAsGroup: 0 name: change-dir-permissions + - name: mongodb-agent-readinessprobe + resources: + limits: + cpu: "0.2" + memory: 200M + requests: + cpu: "0.1" + memory: 100M + containers: + - name: mongod + resources: + limits: + cpu: "0.2" + memory: 250M + requests: + cpu: "0.1" + memory: 200M + - name: mongodb-agent + resources: + limits: + cpu: "0.2" + memory: 250M + requests: + cpu: "0.1" + memory: 200M volumeClaimTemplates: - metadata: name: data-volume spec: accessModes: - ReadWriteOnce - storageClassName: default + storageClassName: local-path resources: requests: storage: "1Gi" @@ -628,7 +738,7 @@ managedMongo: spec: accessModes: - ReadWriteOnce - storageClassName: default + storageClassName: local-path resources: requests: storage: "1Gi" 
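Review bot: The new container resources mix notations — `cpu: "0.2"` / `memory: 250M` here versus `cpu: "500m"` / `memory: 1Gi` used for scorpio and trusted-issuers-list elsewhere in this diff; decimal `M` and binary `Mi` differ by about 5%, so one convention (`memory: 250Mi`, `cpu: 200m`) avoids misreading. A 250M ceiling for `mongod` also looks very tight: as far as I recall, MongoDB's default WiredTiger cache floor is 256MB, so unless the chart lowers `wiredTigerCacheSizeGB` the container may be OOM-killed under load — confirm, or raise the limit. The enclosing `managedMongo` block starts before this hunk.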
@@ -651,47 +761,47 @@ marketplace: tag: 10.5.0 extraEnvVars: - name: BAE_CB_CUSTOMER_BILL - value: "http://provider-tm-forum-api-customer-bill-management:8080/tmf-api/customerBillManagement/v4" + value: "http://tm-forum-api-svc:8080/tmf-api/customerBillManagement/v4" bizEcosystemApis: tmForum: catalog: - host: provider-tm-forum-api-product-catalog + host: tm-forum-api-svc port: 8080 path: /tmf-api/productCatalogManagement/v4 inventory: - host: provider-tm-forum-api-product-inventory + host: tm-forum-api-svc port: 8080 path: /tmf-api/productInventory/v4 ordering: - host: provider-tm-forum-api-product-ordering-management + host: tm-forum-api-svc port: 8080 path: /tmf-api/productOrderingManagement/v4 billing: - host: provider-tm-forum-api-account + host: tm-forum-api-svc port: 8080 path: /tmf-api/accountManagement/v4 usage: - host: provider-tm-forum-api-usage-management + host: tm-forum-api-svc port: 8080 path: /tmf-api/usageManagement/v4 party: - host: provider-tm-forum-api-party-catalog + host: tm-forum-api-svc port: 8080 path: /tmf-api/party/v4 customer: - host: provider-tm-forum-api-customer-management + host: tm-forum-api-svc port: 8080 path: /tmf-api/customerManagement/v4 resources: - host: provider-tm-forum-api-resource-catalog + host: tm-forum-api-svc port: 8080 path: /tmf-api/resourceCatalog/v4 services: - host: provider-tm-forum-api-service-catalog + host: tm-forum-api-svc port: 8080 path: /tmf-api/serviceCatalogManagement/v4 resourceInventory: - host: provider-tm-forum-api-resource-inventory + host: tm-forum-api-svc port: 8080 path: /tmf-api/resourceInventoryManagement/v4 bizEcosystemLogicProxy: @@ -723,11 +833,17 @@ marketplace: name: signing-key-env key: key keycloak: + resources: + requests: + cpu: "100m" + limits: + cpu: "500m" ingress: enabled: true hostname: keycloak-provider.127.0.0.1.nip.io annotations: traefik.ingress.kubernetes.io/router.tls: "true" + pathType: Prefix extraVolumeMounts: - name: realms mountPath: /opt/bitnami/keycloak/data/import 
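Review bot: The `keycloak.resources` block added in the `@@ -723,11 +833,17 @@` hunk sets only `cpu` requests and limits, yet `KC_HEAP_SIZE: "1024m"` in the `@@ -749,6 +865,25 @@` hunk carries the comment `set in accordance with the memory requests, will result in OOM otherwise` — there is no memory request in this file for the comment to refer to, so either the JVM runs with a 1 GiB heap and no cgroup bound, or the request lives in a file outside this diff. Either add `memory` to both `requests` and `limits` (sized above heap plus metaspace/native overhead; `memory: 1536Mi` is a constructed starting point) or rewrite the comment to name where the sizing comes from. The `keycloak:` mapping continues into the following hunks.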
@@ -739,7 +855,7 @@ keycloak: name: test-realm-realm - name: provider-key secret: - secretName: kc-keystore + secretName: provider-keystore defaultMode: 0755 issuerDid: did:web:mp-operations.org signingKey: @@ -749,6 +865,25 @@ keycloak: keyPassword: "${STORE_PASS}" did: did:web:mp-operations.org keyAlgorithm: ES256 + extraEnvVars: + - name: KEYCLOAK_EXTRA_ARGS + value: "--import-realm" + - name: KC_FEATURES + value: "oid4vc-vci" + # keycloak admin password + - name: KC_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: issuance-secret + key: keycloak-admin + # set in accordance with the memory requests, will result in OOM otherwise + - name: KC_HEAP_SIZE + value: "1024m" + - name: "STORE_PASS" + valueFrom: + secretKeyRef: + name: provider-keystore + key: password realm: frontendUrl: https://keycloak-provider.127.0.0.1.nip.io import: true 
@@ -1140,13 +1275,13 @@ fdsc-edc: participant: id: did:web:mp-operations.org tmfExtension: - quoteApi: http://provider-tm-forum-api-quote.provider.svc.cluster.local:8080/tmf-api/quote/v4 - agreementApi: http://provider-tm-forum-api-agreement.provider.svc.cluster.local:8080/tmf-api/agreementManagement/v4 - productOrderApi: http://provider-tm-forum-api-product-ordering-management.provider.svc.cluster.local:8080/tmf-api/productOrderingManagement/v4 - productCatalogApi: http://provider-tm-forum-api-product-catalog.provider.svc.cluster.local:8080/tmf-api/productCatalogManagement/v4 - productInventoryApi: http://provider-tm-forum-api-product-inventory.provider.svc.cluster.local:8080/tmf-api/productInventory/v4 - usageManagementApi: http://provider-tm-forum-api-usage-management.provider.svc.cluster.local:8080/tmf-api/usageManagement/v4 - partyCatalogApi: http://provider-tm-forum-api-party-catalog.provider.svc.cluster.local:8080/tmf-api/party/v4 + quoteApi: http://tm-forum-api-svc.provider.svc.cluster.local:8080/tmf-api/quote/v4 + agreementApi: http://tm-forum-api-svc-.provider.svc.cluster.local:8080/tmf-api/agreementManagement/v4 + productOrderApi: http://tm-forum-api-svc.provider.svc.cluster.local:8080/tmf-api/productOrderingManagement/v4 + productCatalogApi: http://tm-forum-api-svc.provider.svc.cluster.local:8080/tmf-api/productCatalogManagement/v4 + productInventoryApi: http://tm-forum-api-svc.provider.svc.cluster.local:8080/tmf-api/productInventory/v4 + usageManagementApi: http://tm-forum-api-svc.provider.svc.cluster.local:8080/tmf-api/usageManagement/v4 + partyCatalogApi: http://tm-forum-api-svc.provider.svc.cluster.local:8080/tmf-api/party/v4 fdscTransfer: credentialsConfigAddress: http://provider-ccs.127.0.0.1.nip.io:8080 transferHost: mp-data-service.127.0.0.1.nip.io diff --git a/k3s/trust-anchor.yaml b/k3s/trust-anchor.yaml index c72dbba..832423e 100644 --- a/k3s/trust-anchor.yaml +++ b/k3s/trust-anchor.yaml 
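Review bot: `agreementApi: http://tm-forum-api-svc-.provider.svc.cluster.local:8080/tmf-api/agreementManagement/v4` has a stray hyphen before the namespace: `tm-forum-api-svc-.` is not a valid DNS label and will not resolve, so agreement calls from fdsc-edc will fail at runtime while the other six entries resolve normally. Change it to `agreementApi: http://tm-forum-api-svc.provider.svc.cluster.local:8080/tmf-api/agreementManagement/v4`. Since all seven URLs now share one host, a YAML anchor for the base URL (if the chart tolerates it) would prevent this class of typo.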
@@ -9,6 +9,14 @@ trusted-issuers-list: enabled: true hosts: - host: til.127.0.0.1.nip.io + deployment: + resources: + limits: + cpu: 300m + memory: 512Mi + requests: + cpu: 100m + memory: 128Mi mysql: primary: diff --git a/pom.xml b/pom.xml index fb8bb2b..64ba507 100644 --- a/pom.xml +++ b/pom.xml @@ -17,7 +17,7 @@ 17 UTF-8 - 1.3.0 + 2.1.0 6.13.0 3.1.1 2.4 @@ -137,6 +137,20 @@ ${project.build.directory}/k3s/infra + + download-postgres-operator-config-crd + prepare-package + + wget + + + + https://raw.githubusercontent.com/zalando/postgres-operator/refs/tags/v1.15.1/charts/postgres-operator/crds/operatorconfigurations.yaml + + false + ${project.build.directory}/k3s/infra + + @@ -275,7 +289,7 @@ false true ${project.build.directory}/k3s/dsc-provider - --name-template=provider --namespace=provider -f ${main.basedir}/k3s/provider.yaml + --name-template=provider --namespace=provider -f ${main.basedir}/k3s/provider.yaml --skip-tests @@ -291,7 +305,7 @@ false true ${project.build.directory}/k3s/dsc-consumer - --name-template=consumer --namespace=consumer -f ${main.basedir}/k3s/consumer.yaml + --name-template=consumer --namespace=consumer -f ${main.basedir}/k3s/consumer.yaml --skip-tests @@ -327,6 +341,62 @@ --name-template=mongo-operator --namespace=mongo-operator -f ${main.basedir}/k3s/mongo-operator.yaml + + + template-dsc-postgres-operator + + init + dependency-update + template + + package + + ${project.build.directory}/charts/data-space-connector + false + true + ${project.build.directory}/k3s/infra/postgres-operator + --name-template=postgres-operator --namespace=postgres-operator -f ${main.basedir}/k3s/postgres-operator.yaml + + + + + + + org.apache.maven.plugins + maven-antrun-plugin + 1.8 + + + patch-apisix-ingress-namespace + package + + run + + + + + + + + + + + + 
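Review bot: The `download-postgres-operator-config-crd` execution in the `@@ -137,6 +137,20 @@` hunk fetches `operatorconfigurations.yaml` from `raw.githubusercontent.com/.../refs/tags/v1.15.1/...` and, as far as the stripped XML shows, verifies nothing about the payload beyond a single boolean flag; a git tag is a mutable reference and the file is later applied to the cluster as a CRD, so a changed or substituted download would be installed without notice. If this is the download/wget Maven plugin (the `wget` goal suggests so), add its checksum element with the expected digest, e.g. `<sha256>[PLACEHOLDER: expected digest of operatorconfigurations.yaml]</sha256>`, and/or pin the URL to a commit SHA instead of a tag, so the build fails closed on a mismatch. The remaining hunks on this line (`--skip-tests` additions and the `1.3.0` → `2.1.0` bump) raise nothing.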
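Review bot: The `template-dsc-postgres-operator` execution introduced in the `@@ -327,6 +341,62 @@` hunk is repeated verbatim in the `@@ -544,6 +636,23 @@`, `@@ -628,6 +737,23 @@` and `@@ -734,6 +860,23 @@` hunks, so any change to its arguments or output directory must be made in four places; moving the shared execution into `pluginManagement` (or a common parent profile) and letting each profile contribute only its differing values file would remove the duplication. The new `maven-antrun-plugin` is pinned at `1.8`, an old 1.x release — the 3.x line is current, as far as I know — and the body of `patch-apisix-ingress-namespace` is not readable in this rendering (the XML was stripped), so I cannot comment on the patch itself; a one-line XML comment stating why the apisix ingress namespace needs patching after templating would help the next maintainer.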
@@ -378,6 +448,28 @@ 500 + + apply-postgres-operator-crd + deploy + + apply + + + ${project.build.directory}/k3s/infra/operatorconfigurations.yaml + 500 + + + + apply-postgres-operator + deploy + + apply + + + ${project.build.directory}/k3s/infra/postgres-operator + 500 + + apply-participants deploy @@ -386,7 +478,7 @@ ${project.build.directory}/k3s - 1000 + 1500 @@ -492,7 +584,7 @@ false true ${project.build.directory}/k3s/dsc-provider - --name-template=provider --namespace=provider -f ${main.basedir}/k3s/provider-elsi.yaml + --name-template=provider --namespace=provider -f ${main.basedir}/k3s/provider-elsi.yaml --skip-tests @@ -508,7 +600,7 @@ false true ${project.build.directory}/k3s/dsc-consumer - --name-template=consumer --namespace=consumer -f ${main.basedir}/k3s/consumer-elsi.yaml + --name-template=consumer --namespace=consumer -f ${main.basedir}/k3s/consumer-elsi.yaml --skip-tests @@ -544,6 +636,23 @@ --name-template=mongo-operator --namespace=mongo-operator -f ${main.basedir}/k3s/mongo-operator.yaml + + + template-dsc-postgres-operator + + init + dependency-update + template + + package + + ${project.build.directory}/charts/data-space-connector + false + true + ${project.build.directory}/k3s/infra/postgres-operator + --name-template=postgres-operator --namespace=postgres-operator -f ${main.basedir}/k3s/postgres-operator.yaml + + @@ -576,7 +685,7 @@ false true ${project.build.directory}/k3s/dsc-provider - --name-template=provider --namespace=provider -f ${main.basedir}/k3s/provider.yaml -f ${main.basedir}/k3s/dsp-provider.yaml + --name-template=provider --namespace=provider -f ${main.basedir}/k3s/provider.yaml -f ${main.basedir}/k3s/dsp-provider.yaml --skip-tests 
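Review bot: `apply-postgres-operator-crd` installs `operatorconfigurations.yaml`, downloaded at tag v1.15.1 in the earlier `@@ -137,6 +137,20 @@` hunk, while `apply-postgres-operator` installs whatever operator version the `data-space-connector` chart's dependency resolves to; the two versions are pinned in different places and nothing ties them together, so a chart bump can silently leave the CRD schema behind the operator. Consider deriving the download URL from a shared property (a constructed `postgres-operator.version`, for example) that also drives the chart dependency, or at least a comment next to the download stating which chart version it must match. The `1000` → `1500` change in the `@@ -386,7 +478,7 @@` hunk would also benefit from a comment naming the unit and why the operator needs the extra time.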
@@ -592,7 +701,7 @@ false true ${project.build.directory}/k3s/dsc-consumer - --name-template=consumer --namespace=consumer -f ${main.basedir}/k3s/consumer.yaml -f ${main.basedir}/k3s/dsp-consumer.yaml + --name-template=consumer --namespace=consumer -f ${main.basedir}/k3s/consumer.yaml -f ${main.basedir}/k3s/dsp-consumer.yaml --skip-tests @@ -628,6 +737,23 @@ --name-template=mongo-operator --namespace=mongo-operator -f ${main.basedir}/k3s/mongo-operator.yaml + + + template-dsc-postgres-operator + + init + dependency-update + template + + package + + ${project.build.directory}/charts/data-space-connector + false + true + ${project.build.directory}/k3s/infra/postgres-operator + --name-template=postgres-operator --namespace=postgres-operator -f ${main.basedir}/k3s/postgres-operator.yaml + + @@ -682,7 +808,7 @@ false true ${project.build.directory}/k3s/dsc-provider - --name-template=provider --namespace=provider -f ${main.basedir}/k3s/provider-gaia-x.yaml + --name-template=provider --namespace=provider -f ${main.basedir}/k3s/provider-gaia-x.yaml --skip-tests @@ -698,7 +824,7 @@ false true ${project.build.directory}/k3s/dsc-consumer - --name-template=consumer --namespace=consumer -f ${main.basedir}/k3s/consumer-gaia-x.yaml + --name-template=consumer --namespace=consumer -f ${main.basedir}/k3s/consumer-gaia-x.yaml --skip-tests @@ -734,6 +860,23 @@ --name-template=mongo-operator --namespace=mongo-operator -f ${main.basedir}/k3s/mongo-operator.yaml + + + template-dsc-postgres-operator + + init + dependency-update + template + + package + + ${project.build.directory}/charts/data-space-connector + false + true + ${project.build.directory}/k3s/infra/postgres-operator + --name-template=postgres-operator --namespace=postgres-operator -f ${main.basedir}/k3s/postgres-operator.yaml + +