refactor(dir): update directory to latest version (#142)

Signed-off-by: Árpád Csepi <csepi.arpad@outlook.com>

Author: arpad-csepi

.github/actions/deploy-ads/action.yml

@@ -8,11 +8,11 @@ inputs:
   directory-image-tag:
     description: 'Set slim container image version'
     required: false
-    default: 'v0.2.5'
+    default: 'v0.4.0'
   directory-chart-tag:
     description: 'Set slim chart version'
     required: false
-    default: 'v0.2.5'
+    default: 'v0.4.0'
   kind-cluster-name:
     description: 'Set kind cluster name where components are deployed'
     required: false
@@ -28,7 +28,7 @@ inputs:
   dirctl-bin-version:
     description: 'Version of dirctl binary'
     required: false
-    default: 'v0.2.1'
+    default: 'v0.4.0'
   network-namespace-prefix:
     description: 'Set cluster namespace where directory network are deployed'
     required: false
@@ -65,7 +65,6 @@ runs:
           --wait-for-jobs \
           --timeout "15m"
 
-
     - name: Set OS and Architecture variables
       if: ${{ inputs.deploy-dir-network == 'true' }}
       id: os_arch

integrations/agntcy-dir/Taskfile.yml

@@ -12,8 +12,8 @@ vars:
   ## Image config
   IMAGE_REPO: '{{ .IMAGE_REPO | default "ghcr.io/agntcy" }}'
 
-  DIRECTORY_IMAGE_TAG: '{{ .DIRECTORY_IMAGE_TAG | default "v0.2.7" }}'
-  DIRECTORY_CHART_TAG: '{{ .DIRECTORY_CHART_TAG | default "v0.2.7" }}'
+  DIRECTORY_IMAGE_TAG: '{{ .DIRECTORY_IMAGE_TAG | default "v0.4.0" }}'
+  DIRECTORY_CHART_TAG: '{{ .DIRECTORY_CHART_TAG | default "v0.4.0" }}'
   DIRECTORY_NAMESPACE: '{{ .DIRECTORY_NAMESPACE | default "default" }}'
 
   REMOVE_CONTAINERS: '{{ .REMOVE_CONTAINERS | default "true" }}'
@@ -41,7 +41,7 @@ vars:
       else
         printf $DIRCTL_BIN_PATH
       fi
-  DIRCTL_BIN_VERSION: '{{ .DIRCTL_BIN_VERSION | default "v0.2.7" }}'
+  DIRCTL_BIN_VERSION: '{{ .DIRCTL_BIN_VERSION | default "v0.4.0" }}'
 
 tasks:
   k8s:port-forward:setup:
@@ -65,13 +65,31 @@ tasks:
 
   test-env:deploy:
     desc: Deploy Agntcy directory test env
+    vars:
+      HELM_VALUES: './components/helm/values.yaml'
+
+      # Generate credentials
+      HTPASSWD_USERNAME: 'apiserver'
+      HTPASSWD_PASSWORD:
+        sh: openssl rand -hex 16
+      HTPASSWD_AUTH_HEADER:
+        sh: echo -n "apiserver:{{ .HTPASSWD_PASSWORD }}" | base64
+      HTPASSWD_SYNC_USERNAME: 'sync-user'
+      HTPASSWD_SYNC_PASSWORD:
+        sh: openssl rand -hex 16
     cmds:
       - |
         helm upgrade agntcy-dir \
           oci://{{ .IMAGE_REPO }}/dir/helm-charts/dir \
           --version {{ .DIRECTORY_CHART_TAG }} \
+          -f {{ .HELM_VALUES }} \
           --set apiserver.image.tag="{{ .DIRECTORY_IMAGE_TAG }}" \
-          --set apiserver.config.oci.registry_address="agntcy-dir-zot:5000" \
+          --set apiserver.config.store.oci.registry_address="agntcy-dir-zot:5000" \
+          --set apiserver.config.store.oci.auth_config.username="{{ .HTPASSWD_USERNAME }}" \
+          --set apiserver.config.store.oci.auth_config.password="{{ .HTPASSWD_PASSWORD }}" \
+          --set apiserver.config.sync.auth_config.username="{{ .HTPASSWD_SYNC_USERNAME }}" \
+          --set apiserver.config.sync.auth_config.password="{{ .HTPASSWD_SYNC_PASSWORD }}" \
+          --set apiserver.zot.authHeader="{{ .HTPASSWD_AUTH_HEADER }}" \
           --namespace {{ .DIRECTORY_NAMESPACE }} \
           --create-namespace \
           --install \
@@ -88,21 +106,45 @@ tasks:
     desc: Deploy Directory network peers
     deps:
       - download:dirctl-bin
-    env:
-      DIRECTORY_LOGGER_LOG_LEVEL: ERROR
+    vars:
+      HELM_VALUES: './components/helm/values.yaml'
+
+      # Generate credentials
+      HTPASSWD_USERNAME: 'apiserver'
+      HTPASSWD_PASSWORD:
+        sh: openssl rand -hex 16
+      HTPASSWD_AUTH_HEADER:
+        sh: echo -n "apiserver:{{ .HTPASSWD_PASSWORD }}" | base64
+      HTPASSWD_SYNC_USERNAME: 'sync-user'
+      HTPASSWD_SYNC_PASSWORD:
+        sh: openssl rand -hex 16
     cmds:
       - |
-        test -f /tmp/node.privkey || openssl genpkey -algorithm ED25519 -out /tmp/node.privkey
-        bootstrap_peerid=$({{ .DIRCTL_BIN_PATH }}/dirctl network info /tmp/node.privkey)
+        # Generate private key if it doesn't exist
+      - |
+        test -f /tmp/node.privkey || {{.DIRCTL_BIN_PATH}}/dirctl network init --output /tmp/node.privkey
+
+      # Generate the bootstrap peer ID and export it to the environment file
+      - |
+        bootstrap_peerid=$({{.DIRCTL_BIN_PATH}}/dirctl network info /tmp/node.privkey)
         echo "PEER ID: ${bootstrap_peerid}"
         echo BOOTSTRAP_PEER_ID="${bootstrap_peerid}" > .env
+
+      - |
         helm upgrade agntcy-dir \
           oci://{{ .IMAGE_REPO }}/dir/helm-charts/dir \
           --version {{ .DIRECTORY_CHART_TAG }} \
+          -f {{ .HELM_VALUES }} \
+          -f ./components/config/bootstrap.yaml \
           --set apiserver.image.tag="{{ .DIRECTORY_IMAGE_TAG }}" \
+          --set apiserver.config.store.oci.registry_address="agntcy-dir-zot:5000" \
+          --set apiserver.config.routing.directory_api_address="agntcy-dir-apiserver.bootstrap.svc.cluster.local:8888" \
           --set apiserver.privKey="$(cat /tmp/node.privkey)" \
-          --set apiserver.config.oci.registry_address="agntcy-dir-zot:5000" \
-          -f ./components/config/bootstrap.yaml \
+          --set apiserver.config.store.oci.auth_config.username="{{ .HTPASSWD_USERNAME }}" \
+          --set apiserver.config.store.oci.auth_config.password="{{ .HTPASSWD_PASSWORD }}" \
+          --set apiserver.config.sync.auth_config.username="{{ .HTPASSWD_SYNC_USERNAME }}" \
+          --set apiserver.config.sync.auth_config.password="{{ .HTPASSWD_SYNC_PASSWORD }}" \
+          --set apiserver.zot.authHeader="{{ .HTPASSWD_AUTH_HEADER }}" \
           --namespace bootstrap \
           --create-namespace \
           --install \
@@ -114,18 +156,40 @@ tasks:
     desc: Deploy Directory network peers
     deps:
       - test-env:bootstrap:deploy
+    vars:
+      HELM_VALUES_PATH: './components/helm/values.yaml'
+      # Generate credentials
+      HTPASSWD_USERNAME: 'apiserver'
+      HTPASSWD_PASSWORD:
+        sh: openssl rand -hex 16
+      HTPASSWD_AUTH_HEADER:
+        sh: echo -n "apiserver:{{ .HTPASSWD_PASSWORD }}" | base64
+      HTPASSWD_SYNC_USERNAME: 'sync-user'
+      HTPASSWD_SYNC_PASSWORD:
+        sh: openssl rand -hex 16
+
     cmds:
+      # Deploy the peer servers using Helm
       - for:
           matrix:
             PEER: ['peer1', 'peer2', 'peer3']
         cmd: |
           export $(cat .env)
+
           helm upgrade agntcy-dir \
-           oci://{{ .IMAGE_REPO }}/dir/helm-charts/dir \
+          oci://{{ .IMAGE_REPO }}/dir/helm-charts/dir \
+            -f {{ .HELM_VALUES_PATH }} \
             --version {{ .DIRECTORY_CHART_TAG }} \
-            --set apiserver.image.tag="{{ .DIRECTORY_IMAGE_TAG }}" \
+            --set apiserver.config.store.oci.registry_address="agntcy-dir-zot.{{ .ITEM.PEER }}.svc.cluster.local:5000" \
             --set apiserver.config.routing.bootstrap_peers[0]="/dns4/agntcy-dir-apiserver-routing.bootstrap.svc.cluster.local/tcp/8999/p2p/${BOOTSTRAP_PEER_ID}" \
-            --set apiserver.config.oci.registry_address="agntcy-dir-zot:5000" \
+            --set apiserver.config.routing.directory_api_address="agntcy-dir-apiserver.{{ .ITEM.PEER }}.svc.cluster.local:8888" \
+            --set-json 'apiserver.extraVolumes=[{"name":"zot-config-storage","hostPath":{"path":"/opt/zot-config-{{ .ITEM.PEER }}","type":"DirectoryOrCreate"}}]' \
+            --set-json 'apiserver.zot.extraVolumes=[{"name":"zot-config-storage","hostPath":{"path":"/opt/zot-config-{{ .ITEM.PEER }}","type":"DirectoryOrCreate"}}]' \
+            --set apiserver.config.store.oci.auth_config.username="{{ .HTPASSWD_USERNAME }}" \
+            --set apiserver.config.store.oci.auth_config.password="{{ .HTPASSWD_PASSWORD }}" \
+            --set apiserver.zot.authHeader="{{ .HTPASSWD_AUTH_HEADER }}" \
+            --set apiserver.config.sync.auth_config.username="{{ .HTPASSWD_SYNC_USERNAME }}" \
+            --set apiserver.config.sync.auth_config.password="{{ .HTPASSWD_SYNC_PASSWORD }}" \
             --namespace "{{ .ITEM.PEER }}" \
             --create-namespace \
             --install \

integrations/agntcy-dir/components/helm/values.yaml

@@ -0,0 +1,191 @@
+# Copyright AGNTCY Contributors (https://github.com/agntcy)
+# SPDX-License-Identifier: Apache-2.0
+
+apiserver:
+  image:
+    repository: ghcr.io/agntcy/dir-apiserver
+    tag: v0.4.0
+    pullPolicy: IfNotPresent
+    pullSecrets:
+      - name: regcred
+
+  service:
+    type: NodePort
+
+  log_level: 'DEBUG'
+
+  # Server configuration
+  config:
+    # listen_address: "0.0.0.0:8888"
+    # healthcheck_address: "0.0.0.0:8889"
+
+    # Authentication settings (handles identity verification)
+    # Supports both X.509 (X.509-SVID) and JWT (JWT-SVID) authentication
+    authn:
+      # Enable authentication
+      enabled: false
+      # Authentication mode: "x509" or "jwt"
+      # - x509: Uses X.509-SVID from mutual TLS peer certificates
+      # - jwt: Uses JWT-SVID from Authorization header
+      mode: 'x509'
+      # SPIFFE Workload API socket path (injected by SPIRE agent)
+      socket_path: 'unix:///run/spire/agent-sockets/api.sock'
+      # Expected audiences for JWT validation (only used in JWT mode)
+      audiences:
+        - 'spiffe://example.org/dir-server'
+
+    # Authorization settings (handles access control policies)
+    # Requires authentication to be enabled first
+    authz:
+      # Enable authorization policies
+      enabled: false
+      # Trust domain for this Directory server
+      # Used to distinguish internal (same trust domain) vs external requests
+      trust_domain: 'example.org'
+
+    # Store settings for the storage backend.
+    store:
+      # Storage provider to use.
+      provider: 'oci'
+
+      # OCI-backed store
+      oci:
+        # Path to a local directory that will be to hold data instead of remote.
+        # If this is set to non-empty value, only local store will be used.
+        # local_dir: ""
+
+        # Cache directory to use for metadata.
+        # cache_dir: ""
+
+        # Registry address to connect to
+        # registry_address: 'dir-zot.dir-server.svc.cluster.local:5000'
+        # All data will be stored under this repo.
+        # Objects are pushed as tags, manifests, and blobs.
+        # repository_name: ""
+
+        # Auth credentials to use.
+        auth_config:
+          insecure: 'true'
+          access_token: access-token
+          refresh_token: refresh-token
+
+    # Routing settings for the peer-to-peer network.
+    routing:
+      # Address to use for routing
+      # listen_address: '/ipv4/0.0.0.0/tcp/5555'
+
+      # Path to private key file for peer ID.
+      # key_path: /tmp/agntcy-dir/node.privkey
+
+      # Nodes to use for bootstrapping of the DHT.
+      # We read initial routing tables here and get introduced
+      # to the network.
+      # bootstrap_peers:
+      #   - /ip4/1.1.1.1/tcp/1
+      #   - /ip4/1.1.1.1/tcp/2
+
+      # GossipSub configuration for efficient label announcements
+      # When enabled, labels are propagated via GossipSub mesh to ALL subscribed peers
+      # When disabled, falls back to DHT+Pull mechanism (higher bandwidth, limited reach)
+      # Default: true (recommended for production)
+      gossipsub:
+        enabled: true
+
+      refresh_interval: '1s'
+
+    # Sync configuration
+    sync:
+      # How frequently the scheduler checks for pending syncs
+      scheduler_interval: '1s'
+
+      # Maximum number of sync workers running concurrently
+      worker_count: 1
+
+      # Timeout for individual sync operations
+      worker_timeout: '10m'
+
+      # Registry monitor configuration
+      registry_monitor:
+        check_interval: '30s'
+
+      # Authentication configuration for sync operations
+      auth_config:
+        username: ''
+        password: ''
+
+    # Publication configuration
+    publication:
+      # How frequently the scheduler checks for pending publications
+      scheduler_interval: '1s'
+
+      # Maximum number of publication workers running concurrently
+      worker_count: 1
+
+      # Timeout for individual publication operations
+      worker_timeout: '30m'
+
+    # Events configuration
+    events:
+      # Channel buffer size per subscriber
+      # Larger buffers allow subscribers to fall behind temporarily without dropping events
+      # Default: 100
+      subscriber_buffer_size: 100
+
+      # Enable logging when events are dropped due to slow consumers
+      # Default: true
+      log_slow_consumers: true
+
+      # Enable debug logging of all published events (verbose in production)
+      # Default: false
+      log_published_events: false
+
+  # SPIRE configuration
+  spire:
+    enabled: false
+    trustDomain: example.org
+    federation: []
+      # # Config: https://github.com/spiffe/spire-controller-manager/blob/main/docs/clusterfederatedtrustdomain-crd.md
+      # - trustDomain: dir-cluster
+      #   bundleEndpointURL: https://0.0.0.0:8081
+      #   bundleEndpointProfile:
+      #     type: https_web
+
+  extraVolumeMounts: []
+
+  # Zot registry configuration (subchart)
+  zot:
+    extraVolumeMounts: []
+    extraVolumes: []
+
+    mountSecret: false
+    mountConfig: true
+    configFiles:
+      config.json: |-
+        {
+          "distSpecVersion": "1.1.1",
+          "storage": {
+            "rootDirectory": "/var/lib/registry"
+          },
+          "http": {
+            "address": "0.0.0.0",
+            "port": "5000"
+          },
+          "log": {
+            "level": "info"
+          },
+          "extensions": {
+            "search": {
+              "enable": true
+            },
+            "trust": {
+              "enable": true,
+              "cosign": true,
+              "notation": false
+            }
+          }
+        }
+
+    # Configure zot to use the config file from the shared mounted volume
+    extraArgs:
+      - 'serve'
+      - '/etc/zot/config.json'