diff --git a/charts/tractusx-connector-memory/values.yaml b/charts/tractusx-connector-memory/values.yaml index a0e1008643..19c83d0fab 100644 --- a/charts/tractusx-connector-memory/values.yaml +++ b/charts/tractusx-connector-memory/values.yaml @@ -53,12 +53,12 @@ iatp: url: oauth: # -- URL where connectors can request OAuth2 access tokens for DIV access - token_url: + token_url: "https://change-me" client: # -- Client ID for requesting OAuth2 access token for DIV access - id: + id: "change-me" # -- Alias under which the client secret is stored in the vault for requesting OAuth2 access token for DIV access - secret_alias: + secret_alias: "change-me" didService: selfRegistration: # -- Whether Service Self Registration is enabled @@ -217,17 +217,17 @@ runtime: refresh_endpoint: signer: # -- Alias under which the private key (JWK or PEM format) is stored in the vault - privatekey_alias: + privatekey_alias: "change-me" verifier: # -- Alias under which the public key (JWK or PEM format) is stored in the vault, that belongs to the private key which was referred to at `dataplane.token.signer.privatekey_alias` - publickey_alias: + publickey_alias: "change-me" bdrs: # -- Time that a cached BPN/DID resolution map is valid in seconds, default is 600 seconds (10 min) cache_validity_seconds: 600 server: # -- URL of the BPN/DID Resolution Service - url: + url: "https://change-me" # -- configuration for policy engine policy: diff --git a/charts/tractusx-connector/templates/deployment-controlplane.yaml b/charts/tractusx-connector/templates/deployment-controlplane.yaml index 9f7b748362..29c619cf90 100644 --- a/charts/tractusx-connector/templates/deployment-controlplane.yaml +++ b/charts/tractusx-connector/templates/deployment-controlplane.yaml 
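Review bot: Replacing the empty placeholders with the sentinel `"change-me"` (`token_url`, client `id`, `secret_alias` in the first hunk; `privatekey_alias`, `publickey_alias` and the BDRS `url` in the second) means any `required` guard in the templates is satisfied by a bogus value, so a forgotten setting now surfaces at runtime as a failed token request or vault lookup instead of failing `helm install`. The tractusx-connector values.yaml later in this diff does the same for `iatp.trustedIssuerId`, which the controlplane template does check with `required`. Prefer leaving these empty so render-time validation keeps working, e.g. `token_url: ` with the expected format stated in the `# --` comment, or drop the `required` pipelines if the sentinel is intentional. The memory chart's templates are not in this diff, so whether they guard these keys is inferred from the controlplane template.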
@@ -1,4 +1,6 @@ -# +################################################################################# + + # Copyright (c) 2026 ARENA2036 e.V. # Copyright (c) 2023 ZF Friedrichshafen AG # Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH # Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) @@ -18,7 +20,7 @@ # under the License. # # SPDX-License-Identifier: Apache-2.0 - # + ################################################################################# --- apiVersion: apps/v1 @@ -46,7 +48,7 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: - {{- with .Values.imagePullSecrets }} + {{- with .Values.controlplane.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} @@ -142,6 +144,10 @@ spec: {{- end }} {{- end }} + - name: EDC_HOSTNAME + value: {{ .Values.controlplane.hostname | quote }} + - name: "EDC_SQL_SCHEMA_AUTOCREATE" + value: {{ .Values.controlplane.schema.autocreate | quote }} ######################## ## ID CONFIGURATION ## @@ -150,10 +156,8 @@ spec: value: {{ .Values.iatp.id | required ".Values.iatp.id is required" | quote }} - name: "EDC_IAM_ISSUER_ID" value: {{ .Values.iatp.id | required ".Values.iatp.id is required" | quote }} - - name: "EDC_PARTICIPANT_CONTEXT_ID" - value: {{ .Values.participant.contextId | required ".Values.participant.contextId is required" | quote }} - - name: "TRACTUSX_EDC_PARTICIPANT_BPN" - value: {{ .Values.participant.id | required ".Values.participant.id is required" | quote }} + - name: "EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID" + value: {{ .Values.iatp.trustedIssuerId | required ".Values.iatp.trustedIssuerId is required" | quote }} ########################### ## LOGGING CONFIGURATION ## 
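Review bot: The `imagePullSecrets` hunk changes the lookup from `.Values.imagePullSecrets` to `.Values.controlplane.imagePullSecrets`, while the top-level `imagePullSecrets: []` key is still present in values.yaml (visible as context in the last hunk of this diff), so an existing override of that key is silently ignored and private-registry pulls break after upgrade. The dataplane deployment (later hunk) has the same change. A fallback keeps both forms working: `{{- with (default .Values.imagePullSecrets .Values.controlplane.imagePullSecrets) }}`, or remove the now-dead top-level key and document the move. Minor style point in the env hunk: `- name: EDC_HOSTNAME` is the only unquoted name among quoted siblings.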
@@ -194,9 +198,10 @@ spec: value: {{ .Values.controlplane.endpoints.protocol.port | quote }} - name: "WEB_HTTP_PROTOCOL_PATH" value: {{ .Values.controlplane.endpoints.protocol.path | quote }} - - name: "EDC_CONTROL_ENDPOINT" - value: {{ include "txdc.controlplane.url.control" .}} - + - name: "WEB_HTTP_VALIDATION_PORT" + value: {{ .Values.controlplane.endpoints.validation.port | quote }} + - name: "WEB_HTTP_VALIDATION_PATH" + value: {{ .Values.controlplane.endpoints.validation.path | quote }} ######### ## DSP ## @@ -259,17 +264,6 @@ spec: - name: "TX_EDC_DCP_CACHE_VALIDITY_SECONDS" value: {{ .Values.iatp.cache.validity | quote }} - ################# - ## BDRS CLIENT ## - ################# - - - name: "TX_EDC_IAM_IATP_BDRS_SERVER_URL" - value: {{ .Values.controlplane.bdrs.server.url | required ".Values.controlplane.bdrs.server.url is required" | quote }} - {{- if .Values.controlplane.bdrs.cache_validity_seconds }} - - name: "TX_EDC_IAM_IATP_BDRS_CACHE_VALIDITY" - value: {{ .Values.controlplane.bdrs.cache_validity_seconds | quote}} - {{- end}} - ########### ## VAULT ## ########### diff --git a/charts/tractusx-connector/templates/deployment-dataplane.yaml b/charts/tractusx-connector/templates/deployment-dataplane.yaml index 40510d5627..9f7d234f39 100644 --- a/charts/tractusx-connector/templates/deployment-dataplane.yaml +++ b/charts/tractusx-connector/templates/deployment-dataplane.yaml @@ -1,4 +1,6 @@ ################################################################################# + + # Copyright (c) 2026 ARENA2036 e.V. # Copyright (c) 2023 ZF Friedrichshafen AG # Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH # Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) @@ -47,7 +49,7 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: - {{- with .Values.imagePullSecrets }} + {{- with .Values.dataplane.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} 
@@ -140,16 +142,20 @@ spec: {{ printf "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=%v" .Values.dataplane.debug.port }} {{- end }} {{- end }} + - name: EDC_HOSTNAME + value: {{ .Values.dataplane.hostname | quote }} + - name: "EDC_SQL_SCHEMA_AUTOCREATE" + value: {{ .Values.dataplane.schema.autocreate | quote }} ######################## ## ID CONFIGURATION ## ######################## - name: EDC_PARTICIPANT_ID value: {{ .Values.participant.id | required ".Values.participant.id is required" | quote }} - - name: EDC_PARTICIPANT_CONTEXT_ID - value: {{ .Values.participant.contextId | required ".Values.participant.contextId is required" | quote}} - name: "EDC_IAM_ISSUER_ID" value: {{ .Values.iatp.id | required ".Values.iatp.id is required" | quote}} + - name: "EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID" + value: {{ .Values.iatp.trustedIssuerId | required ".Values.iatp.trustedIssuerId is required" | quote}} ########################### ## LOGGING CONFIGURATION ## @@ -162,6 +168,10 @@ spec: ####### # API # ####### + - name: "WEB_HTTP_MANAGEMENT_PORT" + value: {{ .Values.dataplane.endpoints.management.port | quote }} + - name: "WEB_HTTP_MANAGEMENT_PATH" + value: {{ .Values.dataplane.endpoints.management.path | quote }} - name: "TX_EDC_DPF_CONSUMER_PROXY_AUTH_APIKEY" value: {{ .Values.dataplane.endpoints.proxy.authKey | required ".Values.dataplane.endpoints.proxy.authKey is required" | quote }} - name: "WEB_HTTP_PORT" diff --git a/charts/tractusx-connector/templates/post-install-vault-setup.yaml b/charts/tractusx-connector/templates/post-install-vault-setup.yaml new file mode 100644 index 0000000000..ce648d251e --- /dev/null +++ b/charts/tractusx-connector/templates/post-install-vault-setup.yaml 
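Review bot: `EDC_SQL_SCHEMA_AUTOCREATE` is rendered unconditionally from `.Values.dataplane.schema.autocreate`, and the default for that key is not part of this diff; when it is unset, `quote` on a nil value emits nothing, so the manifest gets a bare `value:` (an empty env var) rather than a render error. Runtime schema autocreation also means the connector's database role must hold DDL privileges, which is the opposite of the least-privilege split (migrations with a privileged role, runtime with a restricted one) most deployments want, so the value should default to `false` and say so in the values comment. A safe rendering is `value: {{ .Values.dataplane.schema.autocreate | default false | quote }}`. The controlplane deployment (earlier hunk) adds the same entry and needs the same treatment.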
@@ -0,0 +1,86 @@ +################################################################################# + + # Copyright (c) 2026 ARENA2036 e.V. + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License, Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + # License for the specific language governing permissions and limitations + # under the License. + # + # SPDX-License-Identifier: Apache-2.0 + ################################################################################# +--- +{{ $vaultToken := index .Values "vault" "hashicorp" "token" -}} +{{- $vaultUrl := tpl (index .Values "vault" "hashicorp" "url") . -}} +{{ $fullName := default "connector" .Values.nameOverride -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: post-install-vault-setup + labels: + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. 
+ "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +spec: + template: + metadata: + name: "{{ .Release.Name }}" + labels: + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + spec: + restartPolicy: Never + containers: + - name: post-install-job + image: busybox + imagePullPolicy: "IfNotPresent" + command: + - "/bin/sh" + - "-c" + - | + sleep 10 + + wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \ + --post-file=/opt/config/cert.json "{{ $vaultUrl }}/v1/secret/data/tokenSignerPublicKey" + + wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \ + --post-file=/opt/config/key.json "{{ $vaultUrl }}/v1/secret/data/tokenSignerPrivateKey" + + wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \ + --post-file=/opt/config/aes-secret.json "{{ $vaultUrl }}/v1/secret/data/tokenEncryptionAesKey" + + wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \ + --post-file=/opt/config/cons_priv.json "{{ $vaultUrl }}/v1/secret/data/cons_priv" + + wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \ + --post-file=/opt/config/cons_pub.json "{{ $vaultUrl }}/v1/secret/data/cons_pub" + + wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \ + --post-file=/opt/config/prov_priv.json "{{ $vaultUrl }}/v1/secret/data/prov_priv" + + wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \ + --post-file=/opt/config/prov_pub.json "{{ $vaultUrl }}/v1/secret/data/prov_pub" + volumeMounts: + - name: config-volume + mountPath: /opt/config + volumes: + - name: config-volume + configMap: + name: {{ $fullName 
}}-vault-edc-configmap + defaultMode: 0777 diff --git a/charts/tractusx-connector/templates/vault-edc-configmap.yaml b/charts/tractusx-connector/templates/vault-edc-configmap.yaml new file mode 100644 index 0000000000..c3aa7fbfff --- /dev/null +++ b/charts/tractusx-connector/templates/vault-edc-configmap.yaml 
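Review bot: The Vault token is interpolated into the container `command` as `X-Vault-Token: {{ $vaultToken }}`, so it ends up in the Job/Pod spec, in the Helm release record, and in `kubectl describe` output for anyone with read access to the namespace; it should reach the container via `valueFrom.secretKeyRef` and be expanded by the shell. The script also has no `set -e`, so a rejected POST (wrong token, Vault not ready after the fixed `sleep 10`) leaves the hook green while the secrets are missing; and `defaultMode: 0777` on a ConfigMap of JSON inputs is wider than needed (`0444` suffices, and unquoted `0777` relies on YAML 1.1 octal parsing — quote it or use `0o444`). Whether busybox `wget` validates TLS certificates depends on the image build, which is worth confirming since this posts private key material over `$vaultUrl`. Sketch of the container section with those changes (indentation normalised; the rest of the Job is unchanged):
```yaml
          env:
            - name: VAULT_TOKEN
              valueFrom:
                secretKeyRef:
                  name: <vault-token-secret>  # placeholder: Secret that holds the Vault token
                  key: token
          command:
            - "/bin/sh"
            - "-c"
            - |
              set -eu
              # … unchanged: sleep 10 …
              # <config file>:<vault path> pairs, same mapping as the seven individual wget calls
              for pair in cert:tokenSignerPublicKey key:tokenSignerPrivateKey aes-secret:tokenEncryptionAesKey \
                          cons_priv:cons_priv cons_pub:cons_pub prov_priv:prov_priv prov_pub:prov_pub; do
                wget --header 'Content-Type: application/json' --header "X-Vault-Token: $VAULT_TOKEN" \
                  --post-file="/opt/config/${pair%%:*}.json" "{{ $vaultUrl }}/v1/secret/data/${pair#*:}"
              done
          # … unchanged: volumeMounts …
        volumes:
          - name: config-volume
            configMap:
              name: {{ $fullName }}-vault-edc-configmap
              defaultMode: 0o444
```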
@@ -0,0 +1,69 @@ +################################################################################# + + # Copyright (c) 2026 ARENA2036 e.V. + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License, Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + # License for the specific language governing permissions and limitations + # under the License. + # + # SPDX-License-Identifier: Apache-2.0 + ################################################################################# +--- +{{ $fullName := default "connector" .Values.nameOverride -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ $fullName }}-vault-edc-configmap +data: + cert.json: |- + { + "data": { + "content": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsP1Wl50viKzVqw8HGFWP\nis+M8Im4daTFMned5Qr2z90FNgkj1EVhip0mOdD6kDg3bW4RxyL6z3jWi19JKBHZ\n68UTgZNdPbhhPNLEGcQpu8uwgFcWKL4P/IOykEeE8ResGOVg/HzNE7HkTgiBdr2C\nMTEXL3zTmdr0vbFGMbOTPyOvKMoy/2FaJaJAPXo3poGqfRvr6Gu6top2ktRd/z8N\nhBpuzx9QypIsE62ooLNPpqzjezfvzJbc3tko/cXNOyGoZWuEKMTfKwYq3ZjsTZKk\nbjVNgdoEFSWpd6Tqk76B1Cboxv1CD8xw0cQ149eW0IuLkAk3eF5eZR4iQ5YAOZqA\nUQIDAQAB\n-----END PUBLIC KEY-----\n" + } + } + + key.json: |- + { + "data": { + "content": "-----BEGIN PRIVATE 
KEY-----\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCw/VaXnS+IrNWr\nDwcYVY+Kz4zwibh1pMUyd53lCvbP3QU2CSPURWGKnSY50PqQODdtbhHHIvrPeNaL\nX0koEdnrxROBk109uGE80sQZxCm7y7CAVxYovg/8g7KQR4TxF6wY5WD8fM0TseRO\nCIF2vYIxMRcvfNOZ2vS9sUYxs5M/I68oyjL/YVolokA9ejemgap9G+voa7q2inaS\n1F3/Pw2EGm7PH1DKkiwTraigs0+mrON7N+/Mltze2Sj9xc07Iahla4QoxN8rBird\nmOxNkqRuNU2B2gQVJal3pOqTvoHUJujG/UIPzHDRxDXj15bQi4uQCTd4Xl5lHiJD\nlgA5moBRAgMBAAECggEAKD8XjYb8G+WHeexDJgSwzTUonLsIg9H52KHMORz+5mIh\nUPoPmHHFfj6BhoSvsZNjAUKWDtU0uPCGwu8iRNcYWa15I841lfcjP3BDEQPjJJXr\nNyf2fUHJA1gURwxIXgWOyCOC5C9h9/BMFPWIsQ5jeFmsJsuJF5OrcyZIar1lxqWu\nQ+HC7f/7JNkpR26uIyGjs1OXwfp+mHqze2Qf8hLWIXcN9tBCQZ75Cg7rarNVimMC\n59QD80JZCHTaCX1ZtE1T8HM+53Ob78lnFCuBfiBT/S3O/NXVsEN9q6rMWKhETVWR\nUX56EqZ7XGSMOzuZyK7kj1QsHzEMrrHjwDSNSjAqFQKBgQC6hEeAWPCEM+WVoF9n\nmhvwZVZv/PPyLAarykBTGoeHR2hqNyih9JmcXL+XQHMlhy1Ka8NtJHvfyB1xhXgF\n/d91i/Yq02+nZoJPNnVWo8zoXIAIq+xg9CBiu0agBxv45PjJkEkQmmEG4Iej1+Kf\n5/+dI7sFjE2T4q/lLK0Aw3x+zQKBgQDy7Ho7eRi5CV1Ks+r5lpGGdM15hbE5tviE\nfmJvaEUh3oWuwdkyFjD/QEPITG1bFuvhATdEEWxTbuswNEbELLhKCPcixcI0sLUO\n6BeNi1YD6ouuqsWBLvmE4hvoDR7RlkpUduxWpZ2tNIDJYYTwCERhcYK9OtHU15kc\nlS0pEjF/lQKBgEh+28/OQgYQqd7ji9GX+94PdW5n0mXBqQIixafHewAgyDvonpl8\nmixFfI6MlXTzuq3ffwEwGhncDV2vc/xYNf/ZW+A/eHmHhYTGdQss9ZsnQPid4m24\n1dGqWwQeX0f5r52gwFV8u9PRd8c+RS7EHP12At5gL1MY3CdmmwPd98jNAoGASvPV\n/xWtICKYi10aCip/+kl9wJoUhadD5LWOL6uvcPTUsIgVONQKCCfPAjU6pJlc7E7Q\nu4rYrqGRpYzrrMnTjtxXTH5SHqnLI69O3Rh50LmEob8FM4fH601MqPurX6WMh6Ut\n5Moy7Wc+uWQCfYE/gAVi/nnwlkhzcJNCnOKFLUUCgYA4nbhLrdEeCBJas2+Z9aGw\n/SurtHF2z2meAPO3VaYslf0D0xKzUIv5hkkzaNgs0pFGt0BcKfTWkYy/Hh4QXZhm\n//ZrqbkVsqzDOcqGwQcDmUEN/T+vprUJVKqpNHXT6fz3OTydxLQ7K7SXzwXWYfRW\ncpjdr0c1tVVLMyNG+Wahrg==\n-----END PRIVATE KEY-----\n" + } + } + aes-secret.json: |- + { + "data": { + "content": {{ randAlphaNum 32 | b64enc | quote }} + } + } + cons_priv.json: |- + { + "data": { + "content": "-----BEGIN PRIVATE 
KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC9zbB90iPotlvz\nsTCAt246XNL+dHoiSlEYgBsPgroqfEuLWQkVeM2F0L2fWEsvNc6ZU5SJBEDqPTVe\noaYnv6iXShbTaBaZVoFbt2L8+rJmQQ2YoB5qQwLtfsqIDIwuTwQUgiNe747NDtsb\nJmjMpib3fTsB6m+0CsWYDPuU/7bmUJvYytnw/MOLhaUiHAC68jKsgsAemyDzOSUN\nYJfcIbnS/o12OFZ4Na3nKdr96kMB1zN+PE4+K2oTgFRh69zq+z/G5au7mliBdwns\n5Efmf1ijlH6MFZeaeTVMjfHSq8IOIpOSvigjjK5p8T7vCSYettej2rfcgZpBRa44\n3V8m+F7zAgMBAAECggEAF/cnyMtG03RrKdr+p9IBbgcYcR6d6UR+9tv+DrhP71tg\nYojsd7SYJsRTnRIV9DEUFBIUmDRcSfdOjNNWWoB9thSZyznCWLwuezktm4nACt89\n6z6UeJBbh0dSJVmIPbSmbDx+YNdYrZWpnsT7yJNWKju6vqQuVIpjpq5E+exL2Mqu\nj44wW/5ro9jaOhm8mUbAacEctQYixBmy8HXPBm6AtezdD7HpftdI+VWN0LO7IlLn\naWICR8vx18dEF+706JHPKpsovZbolu0Zvl19RSG4Zj3dhVoTw+vbeXTOkHR2wNdP\nDfL4m0exKl6McPos3CG9kEAUwceGR2CZpy0xssBkGQKBgQD/K/Svv/xrMK8pVQVv\nY699OX9pwm6NBq3Ti8LIKejPUW5V2ZZVtSb8njWmgAi6RPp6vO/mWhuUrXahoUrY\nfe0AqW7wTgKmmjXbTvy47VS5Z5S30DT8DAYp8CJekibnU4jwsIgYJgao1TeOTOq3\ngnGdPLlvSa4BagyogWp7+keaTwKBgQC+a2nbyuL3e/Sk+qio0kDkpI6hYIKWg+7u\n0FOsHJjItcwkSkfRKIFRdI7iGYlukE/38xfizs0tLJXYRbdrlUgq/lTgd4i3UoVw\nOAXzEJX0lunZgXNd9jjnADh3pgVbwX9AKDhFz+nu3yL5Egc8FN+caP9Is5xPxYfg\n8J/Pp8DcHQKBgDOc6HlEFAJ6bnOlxtupBi4GG0eBFGtiFnbbpiJml7iXeAHVaRsc\n8S3XsnJjI2DJ4wBAhyXIxBtmmsBGp6Tyk6W2n8HrhY29U3dwmp2tI5383Y/whUcW\nB4kkEU+fsE7KDsDgdCauSlqMBhi6Zh+IOwLa7YcdGB0hHj5XLvq0vRbxAoGAQCpp\n7YqcmNDIS5+7ncfb3jAlb/PZjWa/6PGCgIjSYy//rmrpcG25xf0E+OOqD/vJNsBP\n2Dnfoc1YYRx9Bl+zhelWKJ2fEEdad8opFxMLtPP1sTmR6qPB4PWOEaN8QsMdYj0r\nWTsKlVfTrSKKFZDjGQ24mIMNtUPW2dG7yHm633ECgYEAqaLLo4VYUcjTKnYdBChA\nPFAk/ZwSR+/TY0vXw3Ghm/oiBNVSMVHFBoAFdbt4lWKJlryW+1Wi11cFYXfsBrmb\nJTnK1u7EZDebm9hFBzpp7/yY5uu38NduGKh5+goAVtPXZR9s/8ypyt3xVflcDxzA\nt7VMyFNRxj517ZJPCNN+ImU=\n-----END PRIVATE KEY-----\n" + } + } + cons_pub.json: |- + { + "data": { + "content": "-----BEGIN PUBLIC 
KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvc2wfdIj6LZb87EwgLdu\nOlzS/nR6IkpRGIAbD4K6KnxLi1kJFXjNhdC9n1hLLzXOmVOUiQRA6j01XqGmJ7+o\nl0oW02gWmVaBW7di/PqyZkENmKAeakMC7X7KiAyMLk8EFIIjXu+OzQ7bGyZozKYm\n9307AepvtArFmAz7lP+25lCb2MrZ8PzDi4WlIhwAuvIyrILAHpsg8zklDWCX3CG5\n0v6NdjhWeDWt5yna/epDAdczfjxOPitqE4BUYevc6vs/xuWru5pYgXcJ7ORH5n9Y\no5R+jBWXmnk1TI3x0qvCDiKTkr4oI4yuafE+7wkmHrbXo9q33IGaQUWuON1fJvhe\n8wIDAQAB\n-----END PUBLIC KEY-----\n" + } + } + prov_priv.json: |- + { + "data": { + "content": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDN/ECrw6rbkvkw\nNGoJX1TatjytEvfwhFm/IViYPXfPccQHyVhG9YiQNS1e9v5UhUc8BGNvrZjIm7e9\nHNhPGlOlLiHh3wfU/wG5srcqz1aSV2omFVPz9Nc9TSkwaF6oJcs4AL+Z0+IyQN1e\nPThoqu9aVd5wtRXnS0nh5Dd0CC0spchZdUbtslQXs4c8uBDRGdT2/mkBu5isMxW0\nCg+muQWk1t8vgYVxlokGGvsKjQXFV3RPJQ6hNjsZjVmAqDGYFcA/AxK1WYBV5Hyu\nAZHUU2yityva/IqQPLXN/4fcXQcLxLjrl0MSpWUik/YeuV2bQFyakpvj5wox/w7E\nMNjWBodnAgMBAAECggEADELlO83Tm4ScQuNqPArJyGEYeIby0+uhufy+qZ7f3sab\nXO+xZDvuXpzDvO2zH8EO1FxAg2yc3E6LBkqAXikN7JaAtTf4K+FOe+LPADd3JEWC\nAvVT2edrpPFoYvWVGNymRAjYK7Lb019eesl/7f8ROcCqk1PvYCUjpzruybN8GOmq\naAuvCmrn9+zW8nPDSvFvNC7TTV4LnaRGsWabCA2589c6rDr52ddbXQZ2bXhIkVlw\n+RcfCIA2yZhrYfwDynQP/dPIwaC12y/phONIOFgDmurJHTTm0/3GmyDgU4xdfEan\nqWN2BwYfG2eOaGRTktUxjvmfj4kQF+6V8BiEA1KGAQKBgQDz0tuJBolkCn4nTMXl\nQx/QaacZBLJdHeniD2B6s7715TOgv+6DYzJypxYsNkKX4jLKykOJAQ3SUmWNq+ar\n6HJUE9Ral27zg8AAgZwQBCBr3hXulUkN3Ca2Qe3zhM6OtKlQvCY91zkXIecvQ7/s\ncLepmEXqMe0VXsR6c5C2VFiOAQKBgQDYRaeTcES+LSqHeAUqNytc4qy27lIEA4Vm\nzCd2oK0B1QuBCe2nVPsIMPnv92yfZ2RExEkqJXk0WfxB0fKM6BphTWFGnzbleHH3\nE+0BAfi/JmvOtJUbsbQdqTnV1OjCBL3YsubOJJwF+u9yzYoJdy7oldOmqrKC3zgs\nSOehRF9lZwKBgHEqwv58bDRkslznQ0q/tvpyrz3rciXKBo4H+Q26c72JnkbUDo4o\n8ndImf/3Rz1bnZuF+YaTWKjv2XbB/JR5lOb1NTC+7J5V3j3d6mN8pteqAp/z5i5q\nqgUZ4KmQUJbnv1ZbnZxCUpsr/zNuzJufTX+Hz5t9hL7Qd30mOlqGF3wBAoGBAKKb\nhIqTf+wpU2+1qtR51I2rFMcZ2uqPpy6KUyWbW1kkUNj9mQUWHQSkpldphe84MqiN\nmKEqub3F5qeqbh7JqIP+RSRvMzxHWhC2l50JWXiHL8mj9vRyoQUoJocC5Npz7DXR\nFT5rQjAw4vZDWgUR
6mAPvqnyb/N8V+TcD+Qt3zgDAoGBAL001/N43dI6NR+Mlcw8\nYtrfTO5xoakVzx7tdC1g3gry/MiJn/+iftpFSf/hNp8HyQEHlRkubQuL4j0I/Fe3\nHjTc3wPIZhcOpitfbn9VMgpXXWmguK/s4oMMNxoe+Ey71/hlp5UdGOidGhaWq9Jk\nAsqJhS57iz0RP3ikSic9Tb3s\n-----END PRIVATE KEY-----\n" + } + } + prov_pub.json: |- + { + "data": { + "content": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzfxAq8Oq25L5MDRqCV9U\n2rY8rRL38IRZvyFYmD13z3HEB8lYRvWIkDUtXvb+VIVHPARjb62YyJu3vRzYTxpT\npS4h4d8H1P8BubK3Ks9WkldqJhVT8/TXPU0pMGheqCXLOAC/mdPiMkDdXj04aKrv\nWlXecLUV50tJ4eQ3dAgtLKXIWXVG7bJUF7OHPLgQ0RnU9v5pAbuYrDMVtAoPprkF\npNbfL4GFcZaJBhr7Co0FxVd0TyUOoTY7GY1ZgKgxmBXAPwMStVmAVeR8rgGR1FNs\norcr2vyKkDy1zf+H3F0HC8S465dDEqVlIpP2Hrldm0BcmpKb4+cKMf8OxDDY1gaH\nZwIDAQAB\n-----END PUBLIC KEY-----\n" + } + } diff --git a/charts/tractusx-connector/values-consumer.yaml b/charts/tractusx-connector/values-consumer.yaml new file mode 100644 index 0000000000..2e7c0ef4e7 --- /dev/null +++ b/charts/tractusx-connector/values-consumer.yaml 
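Review bot: `key.json`, `cons_priv.json` and `prov_priv.json` embed fixed RSA private keys as literals in the chart, so every installation of this chart, and anyone with read access to the repository, holds the token-signer and consumer/provider signing keys that the post-install job then loads into Vault; the matching public keys in `cert.json`, `cons_pub.json` and `prov_pub.json` are shared the same way. Key material should not ship in the chart: take the PEM strings from values guarded with `required` (or mount a pre-existing Secret in the job), and render the files into a `Secret` via `stringData` rather than a ConfigMap, which carries no Secret-level RBAC or at-rest encryption. `aes-secret.json` is built from `randAlphaNum 32 | b64enc`, which is re-evaluated on every render, so the post-upgrade hook overwrites `tokenEncryptionAesKey` with a fresh key on each `helm upgrade`; if that rotation is unintended, reuse the existing value via `lookup` or take it from values. Independently, 32 characters from a 62-symbol alphabet give roughly 190 bits of entropy rather than the 256 a 32-byte AES key implies; `randBytes 32` (Sprig 3.2+, already base64-encoded) yields uniformly random bytes.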
@@ -0,0 +1,128 @@ +shared: + connectorId: &connectorId did:web:consumer-wallet.staging.construct-x.net:consumer + secretAlias: &secretAlias consumersecret + trustedIssuerId: &trustedIssuerId did:web:issuer.staging.construct-x.net:issuer + clusterIssuer: &clusterIssuer letsencrypt-staging + ingressClass: &ingressClass nginx + imagePullSecret: &imagePullSecret registry-creds + controlplaneFqdn: &controlplaneFqdn consumer-edc-controlplane.staging.construct-x.net + dataplaneFqdn: &dataplaneFqdn consumer-edc-dataplane.staging.construct-x.net + +nameOverride: consumer-edc +fullnameOverride: consumer-edc + +participant: + id: *connectorId + +iatp: + id: *connectorId + trustedIssuerId: *trustedIssuerId + trustedIssuers: + - id: *trustedIssuerId + sts: + oauth: + token_url: https://consumer-wallet.staging.construct-x.net/api/sts/token + client: + id: *connectorId + secret_alias: *secretAlias + didService: + selfRegistration: + id: *connectorId + +controlplane: + hostname: consumer-edc-controlplane + imagePullSecrets: + - name: *imagePullSecret + env: + EDC_IAM_ISSUER_ID: *connectorId + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: *secretAlias + ingresses: + ## Public / Internet facing Ingress + - enabled: true + hostname: *controlplaneFqdn + annotations: + cert-manager.io/cluster-issuer: *clusterIssuer + external-dns.alpha.kubernetes.io/hostname: *controlplaneFqdn + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - protocol + className: *ingressClass + tls: + enabled: true + secretName: consumer-edc-cp-tls + certManager: + clusterIssuer: *clusterIssuer + ## Private / Intranet facing Ingress + - enabled: false + hostname: *controlplaneFqdn + annotations: + cert-manager.io/cluster-issuer: *clusterIssuer + external-dns.alpha.kubernetes.io/hostname: *controlplaneFqdn + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - management + - control + - validation + - metrics + className: *ingressClass + tls: + enabled: true + secretName: consumer-edc-cp-int-tls + 
certManager: + clusterIssuer: *clusterIssuer + +dataplane: + hostname: consumer-edc-dataplane + imagePullSecrets: + - name: *imagePullSecret + token: + signer: + privatekey_alias: cons_priv + verifier: + publickey_alias: cons_pub + env: + EDC_IAM_ISSUER_ID: *connectorId + EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: *trustedIssuerId + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: *secretAlias + ingresses: + ## Public / Internet facing Ingress + - enabled: true + hostname: *dataplaneFqdn + annotations: + cert-manager.io/cluster-issuer: *clusterIssuer + external-dns.alpha.kubernetes.io/hostname: *dataplaneFqdn + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - public + - proxy + className: *ingressClass + tls: + enabled: true + secretName: consumer-edc-dp-tls + certManager: + clusterIssuer: *clusterIssuer + ## Private / Intranet facing Ingress + - enabled: false + hostname: *dataplaneFqdn + annotations: + cert-manager.io/cluster-issuer: *clusterIssuer + external-dns.alpha.kubernetes.io/hostname: *dataplaneFqdn + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - management + - control + - metrics + className: *ingressClass + tls: + enabled: true + secretName: consumer-edc-dp-int-tls + certManager: + clusterIssuer: *clusterIssuer + +postgresql: + primary: + persistence: + enabled: true + readReplicas: + persistence: + enabled: true diff --git a/charts/tractusx-connector/values-provider.yaml b/charts/tractusx-connector/values-provider.yaml new file mode 100644 index 0000000000..60507edda1 --- /dev/null +++ b/charts/tractusx-connector/values-provider.yaml 
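Review bot: `dataplane.token.signer.privatekey_alias: cons_priv` and `verifier.publickey_alias: cons_pub` bind this deployment to the key pair that is hard-coded in `vault-edc-configmap.yaml` earlier in this diff, so the staging consumer signs with a key that is public in the repository; the aliases should point at keys provisioned per environment. The `controlplane.env` and `dataplane.env` maps repeat `EDC_IAM_ISSUER_ID` and `EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID`, which the deployment templates in this diff already emit from `.Values.iatp.id` and `.Values.iatp.trustedIssuerId`; if `env` is rendered into the same container list (not visible here) that produces duplicate names with last-one-wins semantics, so drop the duplicates. These files also carry environment-specific staging FQDNs and DIDs inside the chart directory, where `helm package` bundles them unless `.helmignore` excludes them; keeping them under a separate environments directory avoids that. `values-provider.yaml` (next hunk) mirrors all three points with `prov_priv`/`prov_pub`.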
@@ -0,0 +1,128 @@ +shared: + connectorId: &connectorId did:web:provider-wallet.staging.construct-x.net:provider + secretAlias: &secretAlias providersecret + trustedIssuerId: &trustedIssuerId did:web:issuer.staging.construct-x.net:issuer + clusterIssuer: &clusterIssuer letsencrypt-staging + ingressClass: &ingressClass nginx + imagePullSecret: &imagePullSecret registry-creds + controlplaneFqdn: &controlplaneFqdn provider-edc-controlplane.staging.construct-x.net + dataplaneFqdn: &dataplaneFqdn provider-edc-dataplane.staging.construct-x.net + +nameOverride: provider-edc +fullnameOverride: provider-edc + +participant: + id: *connectorId + +iatp: + id: *connectorId + trustedIssuerId: *trustedIssuerId + trustedIssuers: + - id: *trustedIssuerId + sts: + oauth: + token_url: https://provider-wallet.staging.construct-x.net/api/sts/token + client: + id: *connectorId + secret_alias: *secretAlias + didService: + selfRegistration: + id: *connectorId + +controlplane: + hostname: provider-edc-controlplane + imagePullSecrets: + - name: *imagePullSecret + env: + EDC_IAM_ISSUER_ID: *connectorId + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: *secretAlias + ingresses: + ## Public / Internet facing Ingress + - enabled: true + hostname: *controlplaneFqdn + annotations: + cert-manager.io/cluster-issuer: *clusterIssuer + external-dns.alpha.kubernetes.io/hostname: *controlplaneFqdn + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - protocol + className: *ingressClass + tls: + enabled: true + secretName: provider-edc-cp-tls + certManager: + clusterIssuer: *clusterIssuer + ## Private / Intranet facing Ingress + - enabled: false + hostname: *controlplaneFqdn + annotations: + cert-manager.io/cluster-issuer: *clusterIssuer + external-dns.alpha.kubernetes.io/hostname: *controlplaneFqdn + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - management + - control + - validation + - metrics + className: *ingressClass + tls: + enabled: true + secretName: provider-edc-cp-int-tls + 
certManager: + clusterIssuer: *clusterIssuer + +dataplane: + hostname: provider-edc-dataplane + imagePullSecrets: + - name: *imagePullSecret + token: + signer: + privatekey_alias: prov_priv + verifier: + publickey_alias: prov_pub + env: + EDC_IAM_ISSUER_ID: *connectorId + EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: *trustedIssuerId + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: *secretAlias + ingresses: + ## Public / Internet facing Ingress + - enabled: true + hostname: *dataplaneFqdn + annotations: + cert-manager.io/cluster-issuer: *clusterIssuer + external-dns.alpha.kubernetes.io/hostname: *dataplaneFqdn + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - public + - proxy + className: *ingressClass + tls: + enabled: true + secretName: provider-edc-dp-tls + certManager: + clusterIssuer: *clusterIssuer + ## Private / Intranet facing Ingress + - enabled: false + hostname: *dataplaneFqdn + annotations: + cert-manager.io/cluster-issuer: *clusterIssuer + external-dns.alpha.kubernetes.io/hostname: *dataplaneFqdn + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - management + - control + - metrics + className: *ingressClass + tls: + enabled: true + secretName: provider-edc-dp-int-tls + certManager: + clusterIssuer: *clusterIssuer + +postgresql: + primary: + persistence: + enabled: true + readReplicas: + persistence: + enabled: true diff --git a/charts/tractusx-connector/values.yaml b/charts/tractusx-connector/values.yaml index 1accc39341..af390116f5 100644 --- a/charts/tractusx-connector/values.yaml +++ b/charts/tractusx-connector/values.yaml 
@@ -1,8 +1,5 @@ ################################################################################# -# Copyright (c) 2023,2024 ZF Friedrichshafen AG -# Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH -# Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) -# Copyright (c) 2021,2024 Contributors to the Eclipse Foundation +# Copyright (c) 2026 ARENA2036 e.V. # # See the NOTICE file(s) distributed with this work for additional # information regarding copyright ownership. @@ -26,10 +23,10 @@ # Declare variables to be passed into your templates. install: - # -- Deploying a PostgreSQL instance - postgresql: true - # -- Deploying a HashiCorp Vault instance - vault: true + # -- Deploying a PostgreSQL instance + postgresql: true + # -- Deploying a HashiCorp Vault instance + vault: true fullnameOverride: "" nameOverride: "" 
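Review bot: The header hunk deletes the four existing copyright lines (ZF Friedrichshafen AG, Mercedes-Benz Tech Innovation GmbH, BMW AG, Contributors to the Eclipse Foundation) and replaces them with a single `# Copyright (c) 2026 ARENA2036 e.V.` line, while the file's content below is retained and modified rather than rewritten. Apache-2.0 §4(c) requires keeping those attribution notices in redistributed source, and the controlplane and dataplane templates earlier in this diff do keep them while adding the new line; this file should do the same. The second hunk only re-indents the `install:` children.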
@@ -40,651 +37,731 @@ imagePullSecrets: [] customLabels: {} participant: - # -- BPN Number - id: "BPNLCHANGEME" - # -- Participant Context Id - Newly introduced id for a connector instance (needed for multitenancy) - contextId: "UUID CHANGEME" + id: "did:web:changeme" iatp: - # -- Decentralized IDentifier (DID) of the connector - id: "did:web:changeme" - # -- Configures the trusted issuers for this runtime. If no supportedTypes are specified, the value defaults to "*" for that issuer - trustedIssuers: [] - # - id: "did:web:example1.com" - # supportedTypes: - # - "MembershipCredential" - # - "did:web:example2.com" - sts: - div: - # -- URL where connectors can request SI tokens - url: - oauth: - # -- URL where connectors can request OAuth2 access tokens for DIV access - token_url: - client: - # -- Client ID for requesting OAuth2 access token for DIV access - id: - # -- Alias under which the client secret is stored in the vault for requesting OAuth2 access token for DIV access - secret_alias: - didService: - selfRegistration: - # -- Whether Service Self Registration is enabled - enabled: false - # -- Unique id of connector to be used for register / unregister service inside did document (must be valid URI) - id: "did:web:changeme" - # - Configures the Verifiable Presentation cache - cache: - # -- Whether the Verifiable Presentation cache is enabled - enabled: true - # -- Validity of the Verifiable Presentation cache in seconds - validity: 86400 + # -- Decentralized IDentifier (DID) of the connector + id: "did:web:changeme" + # -- ID of the trusted issuer that is used for SI token validation (maps to EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID) + trustedIssuerId: "change-me" + # -- Configures the trusted issuers for this runtime. 
If no supportedTypes are specified, the value defaults to "*" for that issuer + trustedIssuers: [] + # - id: "did:web:example1.com" + # supportedTypes: + # - "MembershipCredential" + # - "did:web:example2.com" + sts: + div: + # -- URL where connectors can request SI tokens + url: + oauth: + # -- URL where connectors can request OAuth2 access tokens for DIV access + token_url: "https://change-me" + client: + # -- Client ID for requesting OAuth2 access token for DIV access + id: "change-me" + # -- Alias under which the client secret is stored in the vault for requesting OAuth2 access token for DIV access + secret_alias: "change-me" + didService: + selfRegistration: + # -- Whether Service Self Registration is enabled + enabled: false + # -- Unique id of connector to be used for register / unregister service inside did document (must be valid URI) + id: "did:web:changeme" + # - Configures the Verifiable Presentation cache + cache: + # -- Whether the Verifiable Presentation cache is enabled + enabled: true + # -- Validity of the Verifiable Presentation cache in seconds + validity: 86400 # -- Add custom ca certificates to the truststore customCaCerts: {} log4j2: - # -- Whether to enable the json log config in log4j2.config - enableJsonLogs: true - # -- Log4j2 configuration for json log formatting. - config: |- - Appenders: - Console: - name: CONSOLE - JsonTemplateLayout: - eventTemplate: |- - { - "timestamp": { - "$resolver": "timestamp", - "pattern": { - "format": "yyyy-MM-dd'T'HH:mm:ss.SSSSSSS", - "timeZone": "UTC" + # -- Whether to enable the json log config in log4j2.config + enableJsonLogs: true + # -- Log4j2 configuration for json log formatting. 
+ config: |- + Appenders: + Console: + name: CONSOLE + JsonTemplateLayout: + eventTemplate: |- + { + "timestamp": { + "$resolver": "timestamp", + "pattern": { + "format": "yyyy-MM-dd'T'HH:mm:ss.SSSSSSS", + "timeZone": "UTC" + } + }, + "level": { + "$resolver": "level", + "field": "severity", + "severity": { + "field": "keyword" + } + }, + "message": { + "$resolver": "message" + } } - }, - "level": { - "$resolver": "level", - "field": "severity", - "severity": { - "field": "keyword" - } - }, - "message": { - "$resolver": "message" - } - } - Loggers: - Root: - level: "OFF" - Logger: - name: org.eclipse.edc.monitor.logger - level: DEBUG - AppenderRef: - ref: CONSOLE + Loggers: + Root: + level: "OFF" + Logger: + name: org.eclipse.edc.monitor.logger + level: DEBUG + AppenderRef: + ref: CONSOLE controlplane: - image: - # -- Which derivate of the control plane to use. When left empty the deployment will select the correct image automatically - repository: "" - # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use - pullPolicy: IfNotPresent - # -- Overrides the image tag whose default is the chart appVersion - tag: "" - initContainers: [] - debug: - # -- Enables java debugging mode. - enabled: false - # -- Port where the debuggee can connect to. - port: 1044 - # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. - suspendOnStart: false - - logs: - # -- Defines the log granularity of the default Console Monitor. 
- level: DEBUG - - livenessProbe: - # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) - enabled: true - # -- seconds to wait before performing the first liveness check - initialDelaySeconds: 30 - # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds - periodSeconds: 10 - # -- number of seconds after which the probe times out - timeoutSeconds: 5 - # -- when a probe fails kubernetes will try 6 times before giving up - failureThreshold: 6 - # -- number of consecutive successes for the probe to be considered successful after having failed - successThreshold: 1 - readinessProbe: - # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) - enabled: true - # -- seconds to wait before performing the first readiness check - initialDelaySeconds: 30 - # -- this fields specifies that kubernetes should perform a readiness check every 10 seconds - periodSeconds: 10 - # -- number of seconds after which the probe times out - timeoutSeconds: 5 - # -- when a probe fails kubernetes will try 6 times before giving up - failureThreshold: 6 - # -- number of consecutive successes for the probe to be considered successful after having failed - successThreshold: 1 - - # -- endpoints of the control plane - endpoints: - # -- default api for health checks, should not be added to any ingress - default: - # -- port for incoming api calls - port: 8080 - # -- path for incoming api calls - path: /api - # -- data management api, used by internal users, can be added to an ingress and must not be internet facing - management: - # -- port for incoming api calls - port: 8081 - # -- path for incoming api calls - path: /management - # -- authentication key, must be attached to each request as `X-Api-Key` header - authKey: "password" - # -- if the JWKS url is set, the 
DelegatedAuth service will be engaged - jwksUrl: - - # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not - control: - # -- port for incoming api calls - port: 8083 - # -- path for incoming api calls - path: /control - # -- dsp api, used for inter connector communication and must be internet facing - protocol: - # -- port for incoming api calls - port: 8084 - # -- path for incoming api calls - path: /api/v1/dsp - # -- metrics api, used for application metrics, must not be internet facing - metrics: - # -- port for incoming api calls - port: 9090 - # -- path for incoming api calls - path: /metrics - - bdrs: - # -- Time that a cached BPN/DID resolution map is valid in seconds, default is 600 seconds (10 min) - cache_validity_seconds: 600 - server: - # -- URL of the BPN/DID Resolution Service - url: - - # -- configuration for policy engine - policy: - validation: - enabled: true - - service: - # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. 
- type: ClusterIP - # -- additional labels for the service - labels: {} - # -- additional annotations for the service - annotations: {} - - # -- additional labels for the pod - podLabels: {} - # -- additional annotations for the pod - podAnnotations: {} - # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment - podSecurityContext: - seccompProfile: - # -- Restrict a Container's Syscalls with seccomp - type: RuntimeDefault - # -- Runs all processes within a pod with a special uid - runAsUser: 10001 - # -- Processes within a pod will belong to this guid - runAsGroup: 10001 - # -- The owner for volumes and any files created within volumes will belong to this guid - fsGroup: 10001 - # The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod - securityContext: - capabilities: - # -- Specifies which capabilities to drop to reduce syscall attack surface - drop: - - ALL - # -- Specifies which capabilities to add to issue specialized syscalls - add: [] - # -- Whether the root filesystem is mounted in read-only mode - readOnlyRootFilesystem: true - # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID - allowPrivilegeEscalation: false - # -- Requires the container to run without root privileges - runAsNonRoot: true - # -- The container's process will run with the specified uid - runAsUser: 10001 - - # -- Extra environment variables that will be pass onto deployment pods - env: {} - # ENV_NAME: value - - # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. 
- # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core - envValueFrom: {} - # ENV_NAME: - # configMapKeyRef: - # name: configmap-name - # key: value_key - # secretKeyRef: - # name: secret-name - # key: value_key - - # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from - envSecretNames: [] - # - first-secret - # - second-secret - - # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from - envConfigMapNames: [] - # - first-config-map - # - second-config-map - - ## Ingress declaration to expose the network service. - ingresses: - ## Public / Internet facing Ingress - - enabled: false - # -- The hostname to be used to precisely map incoming traffic onto the underlying network service - hostname: "edc-control.local" - # -- Additional ingress annotations to add - annotations: {} - # -- EDC endpoints exposed by this ingress resource - endpoints: - - protocol - # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use - className: "" - # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource - tls: - # -- Enables TLS on the ingress resource + nameOverride: "" + fullnameOverride: "" + # -- hostname where the controlplane is reachable + hostname: "" + image: + # -- Which derivate of the control plane to use. 
When left empty the deployment will select the correct image automatically + repository: "ghcr.io/project-construct-x/con-x-controlplane-postgresql-hashicorp-vault" + # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use + pullPolicy: IfNotPresent + # -- Overrides the image tag whose default is the chart appVersion + tag: "latest" + # -- Configure ghcr credentials to pull the control plane image + imagePullSecrets: + - name: ghcr-creds + initContainers: [] + debug: + # -- Enables java debugging mode. enabled: false - # -- If present overwrites the default secret name - secretName: "" - ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource - certManager: - # -- If preset enables certificate generation via cert-manager namespace scoped issuer - issuer: "" - # -- If preset enables certificate generation via cert-manager cluster-wide issuer - clusterIssuer: "" - ## Private / Intranet facing Ingress - - enabled: false - # -- The hostname to be used to precisely map incoming traffic onto the underlying network service - hostname: "edc-control.intranet" - # -- Additional ingress annotations to add - annotations: {} - # -- EDC endpoints exposed by this ingress resource - endpoints: - - management - - control - # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use - className: "" - # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource - tls: - # -- Enables TLS on the ingress resource + # -- Port where the debuggee can connect to. + port: 1044 + # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. + suspendOnStart: false + + logs: + # -- Defines the log granularity of the default Console Monitor. 
+ level: DEBUG + + livenessProbe: + # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first liveness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + readinessProbe: + # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first readiness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a readiness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + + # -- endpoints of the control plane + endpoints: + # -- default api for health checks, should not be added to any ingress + default: + # -- port for incoming api calls + port: 9000 + # -- path for incoming api calls + path: /api + # -- data management api, used by internal users, can be added to an ingress and must not be internet facing + management: + # -- port for incoming api calls + port: 9010 + # -- path for incoming api calls + path: /management + # -- authentication key, must be attached to each request as `X-Api-Key` header + authKey: "password" + # -- if the JWKS url is set, the 
DelegatedAuth service will be engaged + jwksUrl: + + # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not + control: + # -- port for incoming api calls + port: 9050 + # -- path for incoming api calls + path: /control + # -- dsp api, used for inter connector communication and must be internet facing + protocol: + # -- port for incoming api calls + port: 9020 + # -- path for incoming api calls + path: /dsp + # -- validation api + validation: + # -- port for incoming api calls + port: 9030 + # -- path for incoming api calls + path: /validation + # -- metrics api, used for application metrics, must not be internet facing + metrics: + # -- port for incoming api calls + port: 9090 + # -- path for incoming api calls + path: /metrics + + bdrs: + # -- Time that a cached BPN/DID resolution map is valid in seconds, default is 600 seconds (10 min) + cache_validity_seconds: 600 + server: + # -- URL of the BPN/DID Resolution Service + url: + + # -- configuration for policy engine + policy: + validation: + enabled: true + + service: + # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. 
+ type: ClusterIP + # -- additional labels for the service + labels: {} + # -- additional annotations for the service + annotations: {} + + # -- additional labels for the pod + podLabels: {} + # -- additional annotations for the pod + podAnnotations: {} + # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment + podSecurityContext: + seccompProfile: + # -- Restrict a Container's Syscalls with seccomp + type: RuntimeDefault + # -- Runs all processes within a pod with a special uid + runAsUser: 10001 + # -- Processes within a pod will belong to this guid + runAsGroup: 10001 + # -- The owner for volumes and any files created within volumes will belong to this guid + fsGroup: 10001 + # The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod + securityContext: + capabilities: + # -- Specifies which capabilities to drop to reduce syscall attack surface + drop: + - ALL + # -- Specifies which capabilities to add to issue specialized syscalls + add: [] + # -- Whether the root filesystem is mounted in read-only mode + readOnlyRootFilesystem: true + # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID + allowPrivilegeEscalation: false + # -- Requires the container to run without root privileges + runAsNonRoot: true + # -- The container's process will run with the specified uid + runAsUser: 10001 + + # -- Extra environment variables that will be passed onto deployment pods + env: + EDC_IAM_DID_WEB_USE_HTTPS: true + EDC_IAM_ISSUER_ID: did:web:wallet.staging.construct-x.net:user + TX_EDC_POSTGRESQL_MIGRATION_ASSET_ENABLED: 
false + TX_EDC_POSTGRESQL_MIGRATION_AGREEMENTBPNS_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_BPN_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_CONTRACTDEFINITION_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_CONTRACTNEGOTIATION_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_DATAPLANEINSTANCE_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_EDR_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_FEDERATEDCATALOG_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_JTI-VALIDATION_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_POLICY-MONITOR_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_POLICY_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_TRANSFERPROCESS_ENABLED: false + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: usersecret + EDC_IAM_CREDENTIAL_REVOCATION_MIMETYPE: application/json + + # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. + # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core + envValueFrom: {} + # ENV_NAME: + # configMapKeyRef: + # name: configmap-name + # key: value_key + # secretKeyRef: + # name: secret-name + # key: value_key + + # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from + envSecretNames: [] + # - first-secret + # - second-secret + + # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from + envConfigMapNames: [] + # - first-config-map + # - second-config-map + + # Database schema auto-creation + schema: + autocreate: true + + ## Ingress declaration to expose the network service. 
+ ingresses: + ## Public / Internet facing Ingress + - enabled: true + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "edc-control.local" + # -- Additional ingress annotations to add + annotations: {} + # -- EDC endpoints exposed by this ingress resource + endpoints: + - protocol + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + className: "" + # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource + tls: + # -- Enables TLS on the ingress resource + enabled: false + # -- If present overwrites the default secret name + secretName: "" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via cert-manager namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "" + ## Private / Intranet facing Ingress + - enabled: true + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "edc-control.intranet" + # -- Additional ingress annotations to add + annotations: {} + # -- EDC endpoints exposed by this ingress resource + endpoints: + - management + - control + - validation + - metrics + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + className: "" + # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource + tls: + # -- Enables TLS on the ingress resource + enabled: false + # -- If present overwrites the default secret name + secretName: "" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via 
cert-manager namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "" + + # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container + volumeMounts: + # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories + volumes: + + # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container + resources: + limits: + # -- Maximum CPU limit + cpu: 1.5 + # -- Maximum memory limit + memory: 1024Mi + requests: + # -- Initial CPU request + cpu: 500m + # -- Initial memory request + memory: 1024Mi + + replicaCount: 1 + + autoscaling: + # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) enabled: false - # -- If present overwrites the default secret name - secretName: "" - ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource - certManager: - # -- If preset enables certificate generation via cert-manager namespace scoped issuer - issuer: "" - # -- If preset enables certificate generation via cert-manager cluster-wide issuer - clusterIssuer: "" - - # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container - volumeMounts: - # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories - volumes: - - # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container - resources: - limits: - # -- Maximum CPU limit - cpu: 1.5 - # -- Maximum memory limit - memory: 1024Mi - requests: - # -- Initial CPU request - cpu: 500m - # -- Initial memory request - memory: 1024Mi - - replicaCount: 1 - - autoscaling: - # -- Enables [horizontal pod 
autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) - enabled: false - # -- Minimal replicas if resource consumption falls below resource threshholds - minReplicas: 1 - # -- Maximum replicas if resource consumption exceeds resource threshholds - maxReplicas: 100 - # -- targetAverageUtilization of cpu provided to a pod - targetCPUUtilizationPercentage: 80 - # -- targetAverageUtilization of memory provided to a pod - targetMemoryUtilizationPercentage: 80 - - # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics - opentelemetry: |- - otel.javaagent.enabled=false - otel.javaagent.debug=false - - - # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes - nodeSelector: {} - # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes - tolerations: [] - # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on - affinity: {} - - url: - # -- Explicitly declared url for reaching the dsp api (e.g. 
if ingresses not used) - protocol: "" + # -- Minimal replicas if resource consumption falls below resource threshholds + minReplicas: 1 + # -- Maximum replicas if resource consumption exceeds resource threshholds + maxReplicas: 100 + # -- targetAverageUtilization of cpu provided to a pod + targetCPUUtilizationPercentage: 80 + # -- targetAverageUtilization of memory provided to a pod + targetMemoryUtilizationPercentage: 80 + + # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics + opentelemetry: |- + otel.javaagent.enabled=false + otel.javaagent.debug=false + + # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes + nodeSelector: {} + # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes + tolerations: [] + # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on + affinity: {} + + url: + # -- Explicitly declared url for reaching the dsp api (e.g. if ingresses not used) + protocol: "" dataplane: - image: - # -- Which derivate of the data plane to use. when left empty the deployment will select the correct image automatically - repository: "" - # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use - pullPolicy: IfNotPresent - # -- Overrides the image tag whose default is the chart appVersion - tag: "" - initContainers: [] - debug: - # -- Enables java debugging mode. - enabled: false - # -- Port where the debuggee can connect to. - port: 1044 - # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. 
- suspendOnStart: false - - logs: - # -- Defines the log granularity of the default Console Monitor. - level: DEBUG - - livenessProbe: - # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) - enabled: true - # -- seconds to wait before performing the first liveness check - initialDelaySeconds: 30 - # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds - periodSeconds: 10 - # -- number of seconds after which the probe times out - timeoutSeconds: 5 - # -- when a probe fails kubernetes will try 6 times before giving up - failureThreshold: 6 - # -- number of consecutive successes for the probe to be considered successful after having failed - successThreshold: 1 - readinessProbe: - # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) - enabled: true - # -- seconds to wait before performing the first readiness check - initialDelaySeconds: 30 - # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds - periodSeconds: 10 - # -- number of seconds after which the probe times out - timeoutSeconds: 5 - # -- when a probe fails kubernetes will try 6 times before giving up - failureThreshold: 6 - # -- number of consecutive successes for the probe to be considered successful after having failed - successThreshold: 1 - - service: - # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. 
- type: ClusterIP - # -- additional labels for the service - labels: {} - # -- additional annotations for the service - annotations: {} + nameOverride: "" + fullnameOverride: "" + # -- hostname where the dataplane is reachable + hostname: "" + image: + # -- Which derivate of the data plane to use. when left empty the deployment will select the correct image automatically + repository: "ghcr.io/project-construct-x/con-x-dataplane-postgresql-hashicorp-vault" + # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use + pullPolicy: IfNotPresent + # -- Overrides the image tag whose default is the chart appVersion + tag: "latest" + # -- Configure ghcr credentials to pull the control plane image + imagePullSecrets: + - name: ghcr-creds + initContainers: [] + debug: + # -- Enables java debugging mode. + enabled: false + # -- Port where the debuggee can connect to. + port: 1044 + # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. + suspendOnStart: false - # -- endpoints of the dataplane - endpoints: - # -- default api for health checks, should not be added to any ingress - default: - # -- port for incoming api calls - port: 8080 - # -- path for incoming api calls - path: /api - # -- public endpoint where the data can be fetched from if HttpPull was used. Must be internet facing. - public: - # -- port for incoming api calls - port: 8081 - # -- path for incoming api calls - path: /api/public - # -- control api, used for internal control calls. 
can be added to the internal ingress, but should probably not - control: - # -- port for incoming api calls - port: 8084 - # -- path for incoming api calls - path: /api/control - proxy: - # -- port for incoming api calls - port: 8186 - # -- path for incoming api calls - path: /proxy - # -- authentication key, must be attached to each request as `X-Api-Key` header - authKey: "password" - # -- metrics api, used for application metrics, must not be internet facing - metrics: - # -- port for incoming api calls - port: 9090 - # -- path for incoming api calls - path: /metrics - - token: - refresh: - # -- TTL in seconds for access tokens (also known as EDR token) - expiry_seconds: 300 - # -- Tolerance for token expiry in seconds - expiry_tolerance_seconds: 10 - # -- Optional endpoint for an OAuth2 token refresh. Default endpoint is `/token` - refresh_endpoint: - signer: - # -- Alias under which the private key (JWK or PEM format) is stored in the vault - privatekey_alias: - verifier: - # -- Alias under which the public key (JWK or PEM format) is stored in the vault, that belongs to the private key which was referred to at `dataplane.token.signer.privatekey_alias` - publickey_alias: - - aws: - endpointOverride: "" - accessKeyId: "" - secretAccessKey: "" - - # -- additional labels for the pod - podLabels: {} - # -- additional annotations for the pod - podAnnotations: {} - # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment - podSecurityContext: - seccompProfile: - # -- Restrict a Container's Syscalls with seccomp - type: RuntimeDefault - # -- Runs all processes within a pod with a special uid - runAsUser: 10001 - # -- Processes within a pod will belong to this guid - runAsGroup: 10001 - # -- The owner for volumes and any files created within volumes will belong to this guid - fsGroup: 10001 - # -- The 
[container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod - securityContext: - capabilities: - # -- Specifies which capabilities to drop to reduce syscall attack surface - drop: - - ALL - # -- Specifies which capabilities to add to issue specialized syscalls - add: [] - # -- Whether the root filesystem is mounted in read-only mode - readOnlyRootFilesystem: true - # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID - allowPrivilegeEscalation: false - # -- Requires the container to run without root privileges - runAsNonRoot: true - # -- The container's process will run with the specified uid - runAsUser: 10001 - - # -- Extra environment variables that will be pass onto deployment pods - env: {} - # ENV_NAME: value - - # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. - # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core - envValueFrom: {} - # ENV_NAME: - # configMapKeyRef: - # name: configmap-name - # key: value_key - # secretKeyRef: - # name: secret-name - # key: value_key - - # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from - envSecretNames: [] - # - first-secret - # - second-secret - - # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from - envConfigMapNames: [] - # - first-config-map - # - second-config-map - - ## Ingress declaration to expose the network service. 
- ingresses: - ## Public / Internet facing Ingress - - enabled: false - # -- The hostname to be used to precisely map incoming traffic onto the underlying network service - hostname: "edc-data.local" - # -- Additional ingress annotations to add - annotations: {} - # -- EDC endpoints exposed by this ingress resource - endpoints: - - public - # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use - className: "" - # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource - tls: - # -- Enables TLS on the ingress resource + logs: + # -- Defines the log granularity of the default Console Monitor. + level: DEBUG + + livenessProbe: + # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first liveness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + readinessProbe: + # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first readiness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + 
failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + + service: + # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. + type: ClusterIP + # -- additional labels for the service + labels: {} + # -- additional annotations for the service + annotations: {} + + # -- endpoints of the dataplane + endpoints: + # -- default api for health checks, should not be added to any ingress + default: + # -- port for incoming api calls + port: 8181 + # -- path for incoming api calls + path: /api + # -- public endpoint where the data can be fetched from if HttpPull was used. Must be internet facing. + public: + # -- port for incoming api calls + port: 9500 + # -- path for incoming api calls + path: /public + # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not + control: + # -- port for incoming api calls + port: 9550 + # -- path for incoming api calls + path: /control + # -- data management api + management: + # -- port for incoming api calls + port: 9510 + # -- path for incoming api calls + path: /management + # -- proxy api for consumer data transfer + proxy: + # -- port for incoming api calls + port: 9511 + # -- path for incoming api calls + path: /proxy + # -- authentication key, must be attached to each request as `X-Api-Key` header + authKey: "password" + # -- metrics api, used for application metrics, must not be internet facing + metrics: + # -- port for incoming api calls + port: 9090 + # -- path for incoming api calls + path: /metrics + + token: + refresh: + # -- TTL in seconds for access tokens (also known as EDR token) + expiry_seconds: 300 + # -- Tolerance for token expiry in seconds + expiry_tolerance_seconds: 10 + # -- Optional endpoint for an OAuth2 token refresh. 
Default endpoint is `/token` + refresh_endpoint: + signer: + # -- Alias under which the private key (JWK or PEM format) is stored in the vault + privatekey_alias: priv + verifier: + # -- Alias under which the public key (JWK or PEM format) is stored in the vault, that belongs to the private key which was referred to at `dataplane.token.signer.privatekey_alias` + publickey_alias: pub + + # Database schema auto-creation + schema: + autocreate: true + + aws: + endpointOverride: "" + accessKeyId: "" + secretAccessKey: "" + + # -- additional labels for the pod + podLabels: {} + # -- additional annotations for the pod + podAnnotations: {} + # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment + podSecurityContext: + seccompProfile: + # -- Restrict a Container's Syscalls with seccomp + type: RuntimeDefault + # -- Runs all processes within a pod with a special uid + runAsUser: 10001 + # -- Processes within a pod will belong to this guid + runAsGroup: 10001 + # -- The owner for volumes and any files created within volumes will belong to this guid + fsGroup: 10001 + # -- The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod + securityContext: + capabilities: + # -- Specifies which capabilities to drop to reduce syscall attack surface + drop: + - ALL + # -- Specifies which capabilities to add to issue specialized syscalls + add: [] + # -- Whether the root filesystem is mounted in read-only mode + readOnlyRootFilesystem: true + # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID + allowPrivilegeEscalation: false + # 
-- Requires the container to run without root privileges + runAsNonRoot: true + # -- The container's process will run with the specified uid + runAsUser: 10001 + + # -- Extra environment variables that will be passed onto deployment pods + env: + EDC_IAM_DID_WEB_USE_HTTPS: true + EDC_DATA_PLANE_SELF_UNREGISTRATION: true + EDC_IAM_CREDENTIAL_REVOCATION_MIMETYPE: application/json + EDC_IAM_ISSUER_ID: did:web:wallet.staging.construct-x.net:user + EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: did:web:issuer-wallet.staging.construct-x.net:issuer + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: usersecret + + # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. + # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core + envValueFrom: {} + # ENV_NAME: + # configMapKeyRef: + # name: configmap-name + # key: value_key + # secretKeyRef: + # name: secret-name + # key: value_key + + # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from + envSecretNames: [] + # - first-secret + # - second-secret + + # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from + envConfigMapNames: [] + # - first-config-map + # - second-config-map + + ## Ingress declaration to expose the network service. 
+ ingresses: + ## Public / Internet facing Ingress + - enabled: true + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "edc-data.local" + # -- Additional ingress annotations to add + annotations: {} + # -- EDC endpoints exposed by this ingress resource + endpoints: + - public + - proxy + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + className: "" + # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource + tls: + # -- Enables TLS on the ingress resource + enabled: false + # -- If present overwrites the default secret name + secretName: "" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via cert-manager namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "" + ## Private / Intranet facing Ingress + - enabled: true + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "edc-data.intranet" + # -- Additional ingress annotations to add + annotations: {} + # -- EDC endpoints exposed by this ingress resource + endpoints: + - management + - control + - metrics + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + className: "" + # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource + tls: + # -- Enables TLS on the ingress resource + enabled: false + # -- If present overwrites the default secret name + secretName: "" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via cert-manager 
namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "" + + # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container + volumeMounts: + # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories + volumes: + + # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container + resources: + limits: + # -- Maximum CPU limit + cpu: 1.5 + # -- Maximum memory limit + memory: 1024Mi + requests: + # -- Initial CPU request + cpu: 500m + # -- Initial memory request + memory: 1024Mi + + replicaCount: 1 + + autoscaling: + # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) enabled: false - # -- If present overwrites the default secret name - secretName: "" - ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource - certManager: - # -- If preset enables certificate generation via cert-manager namespace scoped issuer - issuer: "" - # -- If preset enables certificate generation via cert-manager cluster-wide issuer - clusterIssuer: "" - - # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container - volumeMounts: - # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories - volumes: - - # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container - resources: - limits: - # -- Maximum CPU limit - cpu: 1.5 - # -- Maximum memory limit - memory: 1024Mi - requests: - # -- Initial CPU request - cpu: 500m - # -- Initial memory request - memory: 1024Mi - - replicaCount: 1 - - autoscaling: - # -- Enables [horizontal pod 
autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) - enabled: false - # -- Minimal replicas if resource consumption falls below resource threshholds - minReplicas: 1 - # -- Maximum replicas if resource consumption exceeds resource threshholds - maxReplicas: 100 - # -- targetAverageUtilization of cpu provided to a pod - targetCPUUtilizationPercentage: 80 - # -- targetAverageUtilization of memory provided to a pod - targetMemoryUtilizationPercentage: 80 - - # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics - opentelemetry: |- - otel.javaagent.enabled=false - otel.javaagent.debug=false - - - # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes - nodeSelector: {} - # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes - tolerations: [] - # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on - affinity: {} - url: - # -- Explicitly declared url for reaching the public api (e.g. 
if ingresses not used) - public: "" + # -- Minimal replicas if resource consumption falls below resource threshholds + minReplicas: 1 + # -- Maximum replicas if resource consumption exceeds resource threshholds + maxReplicas: 100 + # -- targetAverageUtilization of cpu provided to a pod + targetCPUUtilizationPercentage: 80 + # -- targetAverageUtilization of memory provided to a pod + targetMemoryUtilizationPercentage: 80 + + # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics + opentelemetry: |- + otel.javaagent.enabled=false + otel.javaagent.debug=false + + # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes + nodeSelector: {} + # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes + tolerations: [] + # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on + affinity: {} + url: + # -- Explicitly declared url for reaching the public api (e.g. 
if ingresses not used) + public: "" postgresql: - image: - repository: "bitnamilegacy/postgresql" - tag: "16.2.0-debian-12-r10" - jdbcUrl: "jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc" - primary: - persistence: - enabled: false - readReplicas: - persistence: - enabled: false - auth: - database: "edc" - username: "user" - password: "password" + image: + repository: "bitnamilegacy/postgresql" + tag: "16.2.0-debian-12-r10" + jdbcUrl: "jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc" + primary: + persistence: + enabled: false + readReplicas: + persistence: + enabled: false + auth: + database: "edc" + username: "user" + password: "password" vault: - injector: - enabled: false - server: - dev: - enabled: true - devRootToken: "root" - postStart: # must be set externally! - hashicorp: - url: "http://{{ .Release.Name }}-vault:8200" - token: "root" - timeout: 30 - healthCheck: - enabled: true - standbyOk: true - paths: - secret: /v1/secret - health: /v1/sys/health - folder: "" + injector: + enabled: false + server: + dev: + enabled: true + devRootToken: "root" + postStart: # must be set externally! 
+ hashicorp: + url: "http://{{ .Release.Name }}-vault:8200" + token: "root" + timeout: 30 + healthCheck: + enabled: true + standbyOk: true + paths: + secret: /v1/secret + health: /v1/sys/health + folder: "" networkPolicy: - # -- If `true` network policy will be created to restrict access to control- and dataplane - enabled: false - # -- Configuration of the controlplane component - controlplane: - # -- Specify from rule network policy for cp (defaults to all namespaces) - from: - - namespaceSelector: {} - # -- Configuration of the dataplane component - dataplane: - # -- Specify from rule network policy for dp (defaults to all namespaces) - from: - - namespaceSelector: {} + # -- If `true` network policy will be created to restrict access to control- and dataplane + enabled: false + # -- Configuration of the controlplane component + controlplane: + # -- Specify from rule network policy for cp (defaults to all namespaces) + from: + - namespaceSelector: {} + # -- Configuration of the dataplane component + dataplane: + # -- Specify from rule network policy for dp (defaults to all namespaces) + from: + - namespaceSelector: {} serviceAccount: - # -- Specifies whether a service account should be created - create: true - # -- Annotations to add to the service account - annotations: {} - # -- The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" - # -- Existing image pull secret bound to the service account to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) - imagePullSecrets: [] + # -- Specifies whether a service account should be created + create: true + # -- Annotations to add to the service account + annotations: {} + # -- The name of the service account to use. 
+ # If not set and create is true, a name is generated using the fullname template + name: "" + # -- Existing image pull secret bound to the service account to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) + imagePullSecrets: [] # -- Configurations for Helm tests tests: - # -- Configure the hook-delete-policy for Helm tests - hookDeletePolicy: before-hook-creation,hook-succeeded + # -- Configure the hook-delete-policy for Helm tests + hookDeletePolicy: before-hook-creation,hook-succeeded