From af64dbbe9fa4206617b8b02b23fe925882130578 Mon Sep 17 00:00:00 2001 From: Saud Khan Date: Wed, 8 Apr 2026 11:54:06 +0200 Subject: [PATCH 01/17] feat: adapted construct-x connector helm chart configurations --- .../templates/deployment-controlplane.yaml | 28 +- .../templates/deployment-dataplane.yaml | 12 +- .../templates/post-install-vault-setup.yaml | 66 ++ .../templates/vault-edc-configmap.yaml | 49 ++ .../tractusx-connector/values-consumer.yaml | 687 ++++++++++++++++++ .../tractusx-connector/values-provider.yaml | 687 ++++++++++++++++++ 6 files changed, 1509 insertions(+), 20 deletions(-) create mode 100644 charts/tractusx-connector/templates/post-install-vault-setup.yaml create mode 100644 charts/tractusx-connector/templates/vault-edc-configmap.yaml create mode 100644 charts/tractusx-connector/values-consumer.yaml create mode 100644 charts/tractusx-connector/values-provider.yaml diff --git a/charts/tractusx-connector/templates/deployment-controlplane.yaml b/charts/tractusx-connector/templates/deployment-controlplane.yaml index 9f7b748362..aedb7aacfa 100644 --- a/charts/tractusx-connector/templates/deployment-controlplane.yaml +++ b/charts/tractusx-connector/templates/deployment-controlplane.yaml @@ -142,6 +142,10 @@ spec: {{- end }} {{- end }} + - name: EDC_HOSTNAME + value: {{ .Values.controlplane.hostname | quote }} + - name: "EDC_SQL_SCHEMA_AUTOCREATE" + value: {{ .Values.controlplane.schema.autocreate | quote }} ######################## ## ID CONFIGURATION ## 
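Review bot: The two env entries added to deployment-controlplane.yaml (`EDC_HOSTNAME`, `EDC_SQL_SCHEMA_AUTOCREATE`) read `.Values.controlplane.hostname` and `.Values.controlplane.schema.autocreate` with neither `required` nor `default`, unlike the neighbouring `EDC_PARTICIPANT_ID` entry, so a values file that omits them renders an empty string instead of failing at template time; the matching pair added in deployment-dataplane.yaml has the same gap. Consider `value: {{ .Values.controlplane.hostname | required ".Values.controlplane.hostname is required" | quote }}` and `value: {{ .Values.controlplane.schema.autocreate | default false | quote }}`, so that schema auto-creation — which needs DDL rights on the database and is best left off outside test installs — is an explicit opt-in rather than a silent empty value. The name `EDC_HOSTNAME` is also unquoted while every sibling name in the hunk is quoted; `- name: "EDC_HOSTNAME"` keeps the file's style. The enclosing container env list starts and ends outside the hunk.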
@@ -150,10 +154,8 @@ spec: value: {{ .Values.iatp.id | required ".Values.iatp.id is required" | quote }} - name: "EDC_IAM_ISSUER_ID" value: {{ .Values.iatp.id | required ".Values.iatp.id is required" | quote }} - - name: "EDC_PARTICIPANT_CONTEXT_ID" - value: {{ .Values.participant.contextId | required ".Values.participant.contextId is required" | quote }} - - name: "TRACTUSX_EDC_PARTICIPANT_BPN" - value: {{ .Values.participant.id | required ".Values.participant.id is required" | quote }} + - name: "EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID" + value: {{ .Values.iatp.trustedIssuerId | required ".Values.iatp.trustedIssuerId is required" | quote }} ########################### ## LOGGING CONFIGURATION ## @@ -194,9 +196,10 @@ spec: value: {{ .Values.controlplane.endpoints.protocol.port | quote }} - name: "WEB_HTTP_PROTOCOL_PATH" value: {{ .Values.controlplane.endpoints.protocol.path | quote }} - - name: "EDC_CONTROL_ENDPOINT" - value: {{ include "txdc.controlplane.url.control" .}} - + - name: "WEB_HTTP_VALIDATION_PORT" + value: {{ .Values.controlplane.endpoints.validation.port | quote }} + - name: "WEB_HTTP_VALIDATION_PATH" + value: {{ .Values.controlplane.endpoints.validation.path | quote }} ######### ## DSP ## @@ -259,17 +262,6 @@ spec: - name: "TX_EDC_DCP_CACHE_VALIDITY_SECONDS" value: {{ .Values.iatp.cache.validity | quote }} - ################# - ## BDRS CLIENT ## - ################# - - - name: "TX_EDC_IAM_IATP_BDRS_SERVER_URL" - value: {{ .Values.controlplane.bdrs.server.url | required ".Values.controlplane.bdrs.server.url is required" | quote }} - {{- if .Values.controlplane.bdrs.cache_validity_seconds }} - - name: "TX_EDC_IAM_IATP_BDRS_CACHE_VALIDITY" - value: {{ .Values.controlplane.bdrs.cache_validity_seconds | quote}} - {{- end}} - ########### ## VAULT ## ########### diff --git a/charts/tractusx-connector/templates/deployment-dataplane.yaml b/charts/tractusx-connector/templates/deployment-dataplane.yaml index 40510d5627..a800308313 100644 
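Review bot: The `WEB_HTTP_VALIDATION_PORT`/`WEB_HTTP_VALIDATION_PATH` entries in the `@@ -194` hunk open a new HTTP context on the control plane, but nothing in the template records who is meant to reach it; the values-consumer.yaml added later in this patch lists `validation` on the internet-facing ingress next to `default` and `management`, which that file's own comments say should not be exposed. A comment above the new entries, e.g. `# validation API: token-validation context used by the data plane; keep it off public ingresses`, would make the intent explicit — if that is its purpose, which the hunk alone does not show. In the `@@ -150` hunk the variable `EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID` presumably carries the issuer alias in its `EXAMPLE` segment; a descriptive alias, or a comment stating that the segment is an arbitrary alias, would stop it reading as leftover placeholder text. Both hunks sit inside a container env list whose start and end are outside them.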
--- a/charts/tractusx-connector/templates/deployment-dataplane.yaml +++ b/charts/tractusx-connector/templates/deployment-dataplane.yaml @@ -140,16 +140,20 @@ spec: {{ printf "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=%v" .Values.dataplane.debug.port }} {{- end }} {{- end }} + - name: EDC_HOSTNAME + value: {{ .Values.dataplane.hostname | quote }} + - name: "EDC_SQL_SCHEMA_AUTOCREATE" + value: {{ .Values.dataplane.schema.autocreate | quote }} ######################## ## ID CONFIGURATION ## ######################## - name: EDC_PARTICIPANT_ID value: {{ .Values.participant.id | required ".Values.participant.id is required" | quote }} - - name: EDC_PARTICIPANT_CONTEXT_ID - value: {{ .Values.participant.contextId | required ".Values.participant.contextId is required" | quote}} - name: "EDC_IAM_ISSUER_ID" value: {{ .Values.iatp.id | required ".Values.iatp.id is required" | quote}} + - name: "EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID" + value: {{ .Values.iatp.trustedIssuerId | required ".Values.iatp.trustedIssuerId is required" | quote}} ########################### ## LOGGING CONFIGURATION ## @@ -162,6 +166,10 @@ spec: ####### # API # ####### + - name: "WEB_HTTP_MANAGEMENT_PORT" + value: {{ .Values.dataplane.endpoints.management.port | quote }} + - name: "WEB_HTTP_MANAGEMENT_PATH" + value: {{ .Values.dataplane.endpoints.management.path | quote }} - name: "TX_EDC_DPF_CONSUMER_PROXY_AUTH_APIKEY" value: {{ .Values.dataplane.endpoints.proxy.authKey | required ".Values.dataplane.endpoints.proxy.authKey is required" | quote }} - name: "WEB_HTTP_PORT" diff --git a/charts/tractusx-connector/templates/post-install-vault-setup.yaml b/charts/tractusx-connector/templates/post-install-vault-setup.yaml new file mode 100644 index 0000000000..a179a8aec0 --- /dev/null +++ b/charts/tractusx-connector/templates/post-install-vault-setup.yaml 
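Review bot: The `@@ -162` hunk adds `WEB_HTTP_MANAGEMENT_PORT`/`WEB_HTTP_MANAGEMENT_PATH` to the data plane, but unlike the control plane's management context there is no accompanying API-key variable, and whether the data-plane image enforces authentication on this context cannot be seen from the hunk. Either add the matching auth-key entry next to it or document the exposure, e.g. `# management API: unauthenticated here — must stay cluster-internal` above the new entries, so the next reader does not add the port to an ingress by analogy with the control plane. In the `@@ -140` hunk `EDC_HOSTNAME` and `EDC_SQL_SCHEMA_AUTOCREATE` are read without the `required` guard the neighbouring `EDC_PARTICIPANT_ID` entry uses, so an absent value renders as an empty string. Both hunks lie inside the container env list, which starts and ends outside them.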
@@ -0,0 +1,66 @@ +{{- $vaultToken := index .Values "vault" "hashicorp" "token" -}} +{{- $vaultUrl := tpl (index .Values "vault" "hashicorp" "url") . -}} +{{- $fullName := .Values.nameOverride -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: post-install-vault-setup + labels: + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +spec: + template: + metadata: + name: "{{ .Release.Name }}" + labels: + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + spec: + restartPolicy: Never + containers: + - name: post-install-job + image: busybox + imagePullPolicy: "IfNotPresent" + command: + - "/bin/sh" + - "-c" + - | + sleep 10 + + wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \ + --post-file=/opt/config/cert.json "{{ $vaultUrl }}/v1/secret/data/tokenSignerPublicKey" + + wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \ + --post-file=/opt/config/key.json "{{ $vaultUrl }}/v1/secret/data/tokenSignerPrivateKey" + + wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \ + --post-file=/opt/config/aes-secret.json "{{ $vaultUrl }}/v1/secret/data/tokenEncryptionAesKey" + + wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \ + --post-file=/opt/config/cons_priv.json "{{ $vaultUrl }}/v1/secret/data/cons_priv" + + wget --header 'Content-Type: 
application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \ + --post-file=/opt/config/cons_pub.json "{{ $vaultUrl }}/v1/secret/data/cons_pub" + + wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \ + --post-file=/opt/config/prov_priv.json "{{ $vaultUrl }}/v1/secret/data/prov_priv" + + wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \ + --post-file=/opt/config/prov_pub.json "{{ $vaultUrl }}/v1/secret/data/prov_pub" + volumeMounts: + - name: config-volume + mountPath: /opt/config + volumes: + - name: config-volume + configMap: + name: {{ $fullName }}-vault-edc-configmap + defaultMode: 0777 diff --git a/charts/tractusx-connector/templates/vault-edc-configmap.yaml b/charts/tractusx-connector/templates/vault-edc-configmap.yaml new file mode 100644 index 0000000000..efcff6b8e7 --- /dev/null +++ b/charts/tractusx-connector/templates/vault-edc-configmap.yaml 
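Review bot: The Vault token is interpolated directly into the container command (`--header 'X-Vault-Token: {{ $vaultToken }}'`), so it sits in clear text in the Job's pod spec and in the Helm release secret, appears in `kubectl describe` output and API-server audit logs, and is visible in the node's process list while each wget runs. Reading it from a Kubernetes Secret into an environment variable and using `$VAULT_TOKEN` in the script keeps it out of the rendered manifest. Two smaller points: the shell snippet has no `set -e`, so a failed upload is masked by the exit status of the last wget and the hook reports success; and `defaultMode: 0777` makes the mounted key files world-writable and executable when a read-only `--post-file` needs no more than `0444`. The fixed `sleep 10` is a fragile readiness wait; a bounded retry against `{{ $vaultUrl }}/v1/sys/health` would fail loudly instead of racing Vault startup.
```yaml
          env:
            - name: VAULT_TOKEN
              valueFrom:
                secretKeyRef:
                  name: <vault-token-secret>  # placeholder: Secret holding the Vault token
                  key: token
          command:
            - "/bin/sh"
            - "-c"
            - |
              set -eu
              sleep 10

              wget --header 'Content-Type: application/json' --header "X-Vault-Token: ${VAULT_TOKEN}" \
                --post-file=/opt/config/cert.json "{{ $vaultUrl }}/v1/secret/data/tokenSignerPublicKey"
              # … unchanged: the remaining six wget calls, each with the same header change …
          # … unchanged: volumeMounts …
      volumes:
        - name: config-volume
          configMap:
            name: {{ $fullName }}-vault-edc-configmap
            defaultMode: 0444
```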
@@ -0,0 +1,49 @@ +{{- $fullName := .Values.nameOverride -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ $fullName }}-vault-edc-configmap +data: + cert.json: |- + { + "data": { + "content": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsP1Wl50viKzVqw8HGFWP\nis+M8Im4daTFMned5Qr2z90FNgkj1EVhip0mOdD6kDg3bW4RxyL6z3jWi19JKBHZ\n68UTgZNdPbhhPNLEGcQpu8uwgFcWKL4P/IOykEeE8ResGOVg/HzNE7HkTgiBdr2C\nMTEXL3zTmdr0vbFGMbOTPyOvKMoy/2FaJaJAPXo3poGqfRvr6Gu6top2ktRd/z8N\nhBpuzx9QypIsE62ooLNPpqzjezfvzJbc3tko/cXNOyGoZWuEKMTfKwYq3ZjsTZKk\nbjVNgdoEFSWpd6Tqk76B1Cboxv1CD8xw0cQ149eW0IuLkAk3eF5eZR4iQ5YAOZqA\nUQIDAQAB\n-----END PUBLIC KEY-----\n" + } + } + + key.json: |- + { + "data": { + "content": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCw/VaXnS+IrNWr\nDwcYVY+Kz4zwibh1pMUyd53lCvbP3QU2CSPURWGKnSY50PqQODdtbhHHIvrPeNaL\nX0koEdnrxROBk109uGE80sQZxCm7y7CAVxYovg/8g7KQR4TxF6wY5WD8fM0TseRO\nCIF2vYIxMRcvfNOZ2vS9sUYxs5M/I68oyjL/YVolokA9ejemgap9G+voa7q2inaS\n1F3/Pw2EGm7PH1DKkiwTraigs0+mrON7N+/Mltze2Sj9xc07Iahla4QoxN8rBird\nmOxNkqRuNU2B2gQVJal3pOqTvoHUJujG/UIPzHDRxDXj15bQi4uQCTd4Xl5lHiJD\nlgA5moBRAgMBAAECggEAKD8XjYb8G+WHeexDJgSwzTUonLsIg9H52KHMORz+5mIh\nUPoPmHHFfj6BhoSvsZNjAUKWDtU0uPCGwu8iRNcYWa15I841lfcjP3BDEQPjJJXr\nNyf2fUHJA1gURwxIXgWOyCOC5C9h9/BMFPWIsQ5jeFmsJsuJF5OrcyZIar1lxqWu\nQ+HC7f/7JNkpR26uIyGjs1OXwfp+mHqze2Qf8hLWIXcN9tBCQZ75Cg7rarNVimMC\n59QD80JZCHTaCX1ZtE1T8HM+53Ob78lnFCuBfiBT/S3O/NXVsEN9q6rMWKhETVWR\nUX56EqZ7XGSMOzuZyK7kj1QsHzEMrrHjwDSNSjAqFQKBgQC6hEeAWPCEM+WVoF9n\nmhvwZVZv/PPyLAarykBTGoeHR2hqNyih9JmcXL+XQHMlhy1Ka8NtJHvfyB1xhXgF\n/d91i/Yq02+nZoJPNnVWo8zoXIAIq+xg9CBiu0agBxv45PjJkEkQmmEG4Iej1+Kf\n5/+dI7sFjE2T4q/lLK0Aw3x+zQKBgQDy7Ho7eRi5CV1Ks+r5lpGGdM15hbE5tviE\nfmJvaEUh3oWuwdkyFjD/QEPITG1bFuvhATdEEWxTbuswNEbELLhKCPcixcI0sLUO\n6BeNi1YD6ouuqsWBLvmE4hvoDR7RlkpUduxWpZ2tNIDJYYTwCERhcYK9OtHU15kc\nlS0pEjF/lQKBgEh+28/OQgYQqd7ji9GX+94PdW5n0mXBqQIixafHewAgyDvonpl8\nmixFfI6MlXTzuq3ffwEwGhncDV2vc/xYNf/ZW+A/eHmHhYTGdQss9ZsnQPid4m24\
n1dGqWwQeX0f5r52gwFV8u9PRd8c+RS7EHP12At5gL1MY3CdmmwPd98jNAoGASvPV\n/xWtICKYi10aCip/+kl9wJoUhadD5LWOL6uvcPTUsIgVONQKCCfPAjU6pJlc7E7Q\nu4rYrqGRpYzrrMnTjtxXTH5SHqnLI69O3Rh50LmEob8FM4fH601MqPurX6WMh6Ut\n5Moy7Wc+uWQCfYE/gAVi/nnwlkhzcJNCnOKFLUUCgYA4nbhLrdEeCBJas2+Z9aGw\n/SurtHF2z2meAPO3VaYslf0D0xKzUIv5hkkzaNgs0pFGt0BcKfTWkYy/Hh4QXZhm\n//ZrqbkVsqzDOcqGwQcDmUEN/T+vprUJVKqpNHXT6fz3OTydxLQ7K7SXzwXWYfRW\ncpjdr0c1tVVLMyNG+Wahrg==\n-----END PRIVATE KEY-----\n" + } + } + aes-secret.json: |- + { + "data": { + "content": {{ randAlphaNum 32 | b64enc | quote }} + } + } + cons_priv.json: |- + { + "data": { + "content": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC9zbB90iPotlvz\nsTCAt246XNL+dHoiSlEYgBsPgroqfEuLWQkVeM2F0L2fWEsvNc6ZU5SJBEDqPTVe\noaYnv6iXShbTaBaZVoFbt2L8+rJmQQ2YoB5qQwLtfsqIDIwuTwQUgiNe747NDtsb\nJmjMpib3fTsB6m+0CsWYDPuU/7bmUJvYytnw/MOLhaUiHAC68jKsgsAemyDzOSUN\nYJfcIbnS/o12OFZ4Na3nKdr96kMB1zN+PE4+K2oTgFRh69zq+z/G5au7mliBdwns\n5Efmf1ijlH6MFZeaeTVMjfHSq8IOIpOSvigjjK5p8T7vCSYettej2rfcgZpBRa44\n3V8m+F7zAgMBAAECggEAF/cnyMtG03RrKdr+p9IBbgcYcR6d6UR+9tv+DrhP71tg\nYojsd7SYJsRTnRIV9DEUFBIUmDRcSfdOjNNWWoB9thSZyznCWLwuezktm4nACt89\n6z6UeJBbh0dSJVmIPbSmbDx+YNdYrZWpnsT7yJNWKju6vqQuVIpjpq5E+exL2Mqu\nj44wW/5ro9jaOhm8mUbAacEctQYixBmy8HXPBm6AtezdD7HpftdI+VWN0LO7IlLn\naWICR8vx18dEF+706JHPKpsovZbolu0Zvl19RSG4Zj3dhVoTw+vbeXTOkHR2wNdP\nDfL4m0exKl6McPos3CG9kEAUwceGR2CZpy0xssBkGQKBgQD/K/Svv/xrMK8pVQVv\nY699OX9pwm6NBq3Ti8LIKejPUW5V2ZZVtSb8njWmgAi6RPp6vO/mWhuUrXahoUrY\nfe0AqW7wTgKmmjXbTvy47VS5Z5S30DT8DAYp8CJekibnU4jwsIgYJgao1TeOTOq3\ngnGdPLlvSa4BagyogWp7+keaTwKBgQC+a2nbyuL3e/Sk+qio0kDkpI6hYIKWg+7u\n0FOsHJjItcwkSkfRKIFRdI7iGYlukE/38xfizs0tLJXYRbdrlUgq/lTgd4i3UoVw\nOAXzEJX0lunZgXNd9jjnADh3pgVbwX9AKDhFz+nu3yL5Egc8FN+caP9Is5xPxYfg\n8J/Pp8DcHQKBgDOc6HlEFAJ6bnOlxtupBi4GG0eBFGtiFnbbpiJml7iXeAHVaRsc\n8S3XsnJjI2DJ4wBAhyXIxBtmmsBGp6Tyk6W2n8HrhY29U3dwmp2tI5383Y/whUcW\nB4kkEU+fsE7KDsDgdCauSlqMBhi6Zh+IOwLa7YcdGB0hHj5XLvq0vRbxAoGAQCpp\n7YqcmNDIS5+7ncfb3jAlb/PZjWa/6PGCgIjSYy//rm
rpcG25xf0E+OOqD/vJNsBP\n2Dnfoc1YYRx9Bl+zhelWKJ2fEEdad8opFxMLtPP1sTmR6qPB4PWOEaN8QsMdYj0r\nWTsKlVfTrSKKFZDjGQ24mIMNtUPW2dG7yHm633ECgYEAqaLLo4VYUcjTKnYdBChA\nPFAk/ZwSR+/TY0vXw3Ghm/oiBNVSMVHFBoAFdbt4lWKJlryW+1Wi11cFYXfsBrmb\nJTnK1u7EZDebm9hFBzpp7/yY5uu38NduGKh5+goAVtPXZR9s/8ypyt3xVflcDxzA\nt7VMyFNRxj517ZJPCNN+ImU=\n-----END PRIVATE KEY-----\n" + } + } + cons_pub.json: |- + { + "data": { + "content": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvc2wfdIj6LZb87EwgLdu\nOlzS/nR6IkpRGIAbD4K6KnxLi1kJFXjNhdC9n1hLLzXOmVOUiQRA6j01XqGmJ7+o\nl0oW02gWmVaBW7di/PqyZkENmKAeakMC7X7KiAyMLk8EFIIjXu+OzQ7bGyZozKYm\n9307AepvtArFmAz7lP+25lCb2MrZ8PzDi4WlIhwAuvIyrILAHpsg8zklDWCX3CG5\n0v6NdjhWeDWt5yna/epDAdczfjxOPitqE4BUYevc6vs/xuWru5pYgXcJ7ORH5n9Y\no5R+jBWXmnk1TI3x0qvCDiKTkr4oI4yuafE+7wkmHrbXo9q33IGaQUWuON1fJvhe\n8wIDAQAB\n-----END PUBLIC KEY-----\n" + } + } + prov_priv.json: |- + { + "data": { + "content": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDN/ECrw6rbkvkw\nNGoJX1TatjytEvfwhFm/IViYPXfPccQHyVhG9YiQNS1e9v5UhUc8BGNvrZjIm7e9\nHNhPGlOlLiHh3wfU/wG5srcqz1aSV2omFVPz9Nc9TSkwaF6oJcs4AL+Z0+IyQN1e\nPThoqu9aVd5wtRXnS0nh5Dd0CC0spchZdUbtslQXs4c8uBDRGdT2/mkBu5isMxW0\nCg+muQWk1t8vgYVxlokGGvsKjQXFV3RPJQ6hNjsZjVmAqDGYFcA/AxK1WYBV5Hyu\nAZHUU2yityva/IqQPLXN/4fcXQcLxLjrl0MSpWUik/YeuV2bQFyakpvj5wox/w7E\nMNjWBodnAgMBAAECggEADELlO83Tm4ScQuNqPArJyGEYeIby0+uhufy+qZ7f3sab\nXO+xZDvuXpzDvO2zH8EO1FxAg2yc3E6LBkqAXikN7JaAtTf4K+FOe+LPADd3JEWC\nAvVT2edrpPFoYvWVGNymRAjYK7Lb019eesl/7f8ROcCqk1PvYCUjpzruybN8GOmq\naAuvCmrn9+zW8nPDSvFvNC7TTV4LnaRGsWabCA2589c6rDr52ddbXQZ2bXhIkVlw\n+RcfCIA2yZhrYfwDynQP/dPIwaC12y/phONIOFgDmurJHTTm0/3GmyDgU4xdfEan\nqWN2BwYfG2eOaGRTktUxjvmfj4kQF+6V8BiEA1KGAQKBgQDz0tuJBolkCn4nTMXl\nQx/QaacZBLJdHeniD2B6s7715TOgv+6DYzJypxYsNkKX4jLKykOJAQ3SUmWNq+ar\n6HJUE9Ral27zg8AAgZwQBCBr3hXulUkN3Ca2Qe3zhM6OtKlQvCY91zkXIecvQ7/s\ncLepmEXqMe0VXsR6c5C2VFiOAQKBgQDYRaeTcES+LSqHeAUqNytc4qy27lIEA4Vm\nzCd2oK0B1QuBCe2nVPsIMPnv92yfZ2RExEkqJXk0WfxB0fKM6BphTWFGnzb
leHH3\nE+0BAfi/JmvOtJUbsbQdqTnV1OjCBL3YsubOJJwF+u9yzYoJdy7oldOmqrKC3zgs\nSOehRF9lZwKBgHEqwv58bDRkslznQ0q/tvpyrz3rciXKBo4H+Q26c72JnkbUDo4o\n8ndImf/3Rz1bnZuF+YaTWKjv2XbB/JR5lOb1NTC+7J5V3j3d6mN8pteqAp/z5i5q\nqgUZ4KmQUJbnv1ZbnZxCUpsr/zNuzJufTX+Hz5t9hL7Qd30mOlqGF3wBAoGBAKKb\nhIqTf+wpU2+1qtR51I2rFMcZ2uqPpy6KUyWbW1kkUNj9mQUWHQSkpldphe84MqiN\nmKEqub3F5qeqbh7JqIP+RSRvMzxHWhC2l50JWXiHL8mj9vRyoQUoJocC5Npz7DXR\nFT5rQjAw4vZDWgUR6mAPvqnyb/N8V+TcD+Qt3zgDAoGBAL001/N43dI6NR+Mlcw8\nYtrfTO5xoakVzx7tdC1g3gry/MiJn/+iftpFSf/hNp8HyQEHlRkubQuL4j0I/Fe3\nHjTc3wPIZhcOpitfbn9VMgpXXWmguK/s4oMMNxoe+Ey71/hlp5UdGOidGhaWq9Jk\nAsqJhS57iz0RP3ikSic9Tb3s\n-----END PRIVATE KEY-----\n" + } + } + prov_pub.json: |- + { + "data": { + "content": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzfxAq8Oq25L5MDRqCV9U\n2rY8rRL38IRZvyFYmD13z3HEB8lYRvWIkDUtXvb+VIVHPARjb62YyJu3vRzYTxpT\npS4h4d8H1P8BubK3Ks9WkldqJhVT8/TXPU0pMGheqCXLOAC/mdPiMkDdXj04aKrv\nWlXecLUV50tJ4eQ3dAgtLKXIWXVG7bJUF7OHPLgQ0RnU9v5pAbuYrDMVtAoPprkF\npNbfL4GFcZaJBhr7Co0FxVd0TyUOoTY7GY1ZgKgxmBXAPwMStVmAVeR8rgGR1FNs\norcr2vyKkDy1zf+H3F0HC8S465dDEqVlIpP2Hrldm0BcmpKb4+cKMf8OxDDY1gaH\nZwIDAQAB\n-----END PUBLIC KEY-----\n" + } + } diff --git a/charts/tractusx-connector/values-consumer.yaml b/charts/tractusx-connector/values-consumer.yaml new file mode 100644 index 0000000000..ecd8a0aa11 --- /dev/null +++ b/charts/tractusx-connector/values-consumer.yaml 
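Review bot: vault-edc-configmap.yaml ships four RSA private keys as literal PEM text in a ConfigMap, which is the wrong resource kind for key material — ConfigMaps are readable by anyone with namespaced configmap read access and are usually outside the encryption-at-rest and RBAC rules reserved for Secrets — and because the PEM blocks are committed in the chart, every installation shares the same signing and token keys, so they have to be treated as public test keys. Switching to `kind: Secret` with `stringData:` (and `secret: { secretName: ... }` in the job's volume) is a small change; the better one is to generate the keys outside the chart and pass them in via values or an existing Secret so the templates stay key-free. `aes-secret.json` uses `randAlphaNum 32 | b64enc`, which is re-evaluated on every `helm upgrade`; since the job is also a post-upgrade hook this overwrites `tokenEncryptionAesKey` with a fresh key each time, so anything encrypted under the previous key becomes unreadable unless the key is generated once (for example via `lookup` of the existing resource) rather than per render. `$fullName := .Values.nameOverride` produces a resource named `-vault-edc-configmap` when `nameOverride` is empty (values-consumer.yaml sets it, but the chart default is not visible here); the chart's existing `txdc.*` fullname helper or a `required` guard would catch that.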
@@ -0,0 +1,687 @@ +################################################################################# +# Copyright (c) 2023,2024 ZF Friedrichshafen AG +# Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH +# Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) +# Copyright (c) 2021,2024 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +################################################################################# + +--- +# Default values for eclipse-dataspace-connector. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. 
+ +install: + postgresql: true + vault: true + +fullnameOverride: "" +nameOverride: "consumer-conn" + +imagePullSecrets: [] +customLabels: {} + +participant: + id: "did:web:consumer-idhub.staging.construct-x.net:consumer" + +iatp: + id: "did:web:consumer-idhub.staging.construct-x.net:consumer" + trustedIssuerId: did:web:local-issuer-service.staging.construct-x.net:issuer + trustedIssuers: + - id: "did:web:local-issuer-service.staging.construct-x.net:issuer" + + sts: + div: + url: + oauth: + token_url: https://consumer-idhub.staging.construct-x.net/api/sts/token + client: + # -- Client ID for requesting OAuth2 access token for DIV access + id: did:web:consumer-idhub.staging.construct-x.net:consumer + # -- Alias under which the client secret is stored in the vault for requesting OAuth2 access token for DIV access + secret_alias: consumersecret + didService: + selfRegistration: + # -- Whether Service Self Registration is enabled + enabled: false + # -- Unique id of connector to be used for register / unregister service inside did document (must be valid URI) + id: "did:web:consumer-idhub.staging.construct-x.net:consumer" + # - Configures the Verifiable Presentation cache + cache: + # -- Whether the Verifiable Presentation cache is enabled + enabled: true + # -- Validity of the Verifiable Presentation cache in seconds + validity: 86400 + +# -- Add custom ca certificates to the truststore +customCaCerts: {} + +log4j2: + # -- Whether to enable the json log config in log4j2.config + enableJsonLogs: true + # -- Log4j2 configuration for json log formatting. 
+ config: |- + Appenders: + Console: + name: CONSOLE + JsonTemplateLayout: + eventTemplate: |- + { + "timestamp": { + "$resolver": "timestamp", + "pattern": { + "format": "yyyy-MM-dd'T'HH:mm:ss.SSSSSSS", + "timeZone": "UTC" + } + }, + "level": { + "$resolver": "level", + "field": "severity", + "severity": { + "field": "keyword" + } + }, + "message": { + "$resolver": "message" + } + } + Loggers: + Root: + level: "OFF" + Logger: + name: org.eclipse.edc.monitor.logger + level: DEBUG + AppenderRef: + ref: CONSOLE + +controlplane: + nameOverride: "consumer-conn-controlplane" + fullnameOverride: "" + enabled: true + hostname: consumer-conn-controlplane + image: + # -- Which derivate of the data plane to use. when left empty the deployment will select the correct image automatically + repository: "registry.onstackit.cloud/constructx/con-x-controlplane-postgresql-hashicorp-vault" + # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use + pullPolicy: IfNotPresent + # -- Overrides the image tag whose default is the chart appVersion + tag: "latest" + imagePullSecrets: + - name: registry-creds + initContainers: [] + debug: + # -- Enables java debugging mode. + enabled: false + # -- Port where the debuggee can connect to. + port: 1044 + # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. + suspendOnStart: false + logs: + # -- Defines the log granularity of the default Console Monitor. 
+ level: DEBUG + livenessProbe: + # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first liveness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + readinessProbe: + # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first readiness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a readiness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + + # -- endpoints of the control plane + endpoints: + # -- default api for health checks, should not be added to any ingress + default: + # -- port for incoming api calls + port: 9000 + # -- path for incoming api calls + path: /api + # -- data management api, used by internal users, can be added to an ingress and must not be internet facing + management: + # -- port for incoming api calls + port: 9010 + # -- path for incoming api calls + path: /management + # -- authentication key, must be attached to each request as `X-Api-Key` header + authKey: "password" + # -- if the JWKS url is set, the 
DelegatedAuth service will be engaged + jwksUrl: + + # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not + control: + # -- port for incoming api calls + port: 9050 + # -- path for incoming api calls + path: /control + # -- dsp api, used for inter connector communication and must be internet facing + protocol: + # -- port for incoming api calls + port: 9020 + # -- path for incoming api calls + path: /dsp + # -- metrics api, used for application metrics, must not be internet facing + validation: + # -- port for incoming api calls + port: 9030 + # -- path for incoming api calls + path: /validation + # -- dsp api, use + metrics: + # -- port for incoming api calls + port: 9090 + # -- path for incoming api calls + path: /metrics + + # -- configuration for policy engine + policy: + validation: + enabled: true + + service: + # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. 
+ type: ClusterIP + # -- additional labels for the service + labels: {} + # -- additional annotations for the service + annotations: {} + + # -- additional labels for the pod + podLabels: {} + # -- additional annotations for the pod + podAnnotations: {} + # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment + podSecurityContext: + seccompProfile: + # -- Restrict a Container's Syscalls with seccomp + type: RuntimeDefault + # -- Runs all processes within a pod with a special uid + runAsUser: 10001 + # -- Processes within a pod will belong to this guid + runAsGroup: 10001 + # -- The owner for volumes and any files created within volumes will belong to this guid + fsGroup: 10001 + # The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod + securityContext: + capabilities: + # -- Specifies which capabilities to drop to reduce syscall attack surface + drop: + - ALL + # -- Specifies which capabilities to add to issue specialized syscalls + add: [] + # -- Whether the root filesystem is mounted in read-only mode + readOnlyRootFilesystem: true + # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID + allowPrivilegeEscalation: false + # -- Requires the container to run without root privileges + runAsNonRoot: true + # -- The container's process will run with the specified uid + runAsUser: 10001 + + # -- Extra environment variables that will be pass onto deployment pods + env: {} + # ENV_NAME: value + + # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. 
+ # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core + envValueFrom: {} + # ENV_NAME: + # configMapKeyRef: + # name: configmap-name + # key: value_key + # secretKeyRef: + # name: secret-name + # key: value_key + + # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from + envSecretNames: [] + # - first-secret + # - second-secret + + # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from + envConfigMapNames: [] + # - first-config-map + # - second-config-map + + schema: + autocreate: true + + env: + EDC_IAM_DID_WEB_USE_HTTPS: true + EDC_IAM_ISSUER_ID: did:web:consumer-idhub.staging.construct-x.net:consumer + TX_EDC_POSTGRESQL_MIGRATION_ASSET_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_AGREEMENTBPNS_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_BPN_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_CONTRACTDEFINITION_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_CONTRACTNEGOTIATION_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_DATAPLANEINSTANCE_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_EDR_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_FEDERATEDCATALOG_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_JTI-VALIDATION_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_POLICY-MONITOR_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_POLICY_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_TRANSFERPROCESS_ENABLED: false + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: consumersecret + EDC_IAM_CREDENTIAL_REVOCATION_MIMETYPE: application/json + + ingresses: + - enabled: true + hostname: "consumer-conn-controlplane.staging.construct-x.net" + className: "nginx" + annotations: + cert-manager.io/cluster-issuer: letsencrypt-staging + external-dns.alpha.kubernetes.io/hostname: "consumer-conn-controlplane.staging.construct-x.net" + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - default + - protocol 
+ - management + - dsp + - validation + tls: + # -- Enables TLS on the ingress resource + enabled: true + # -- If present overwrites the default secret name + secretName: "consumer-conn-cp-tls" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via cert-manager namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "letsencrypt-staging" + ## Private / Intranet facing Ingress + - enabled: false + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "consumer-conn-controlplane.staging.construct-x.net" + # -- Additional ingress annotations to add + annotations: {} + # -- EDC endpoints exposed by this ingress resource + endpoints: + - control + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + className: "nginx" + # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource + tls: + # -- Enables TLS on the ingress resource + enabled: false + # -- If present overwrites the default secret name + secretName: "" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via cert-manager namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "letsencrypt-staging" + + # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container + volumeMounts: + # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories + volumes: + + # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container + resources: + 
limits: + # -- Maximum CPU limit + cpu: 1.5 + # -- Maximum memory limit + memory: 1024Mi + requests: + # -- Initial CPU request + cpu: 500m + # -- Initial memory request + memory: 1024Mi + + replicaCount: 1 + + autoscaling: + # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) + enabled: false + # -- Minimal replicas if resource consumption falls below resource threshholds + minReplicas: 1 + # -- Maximum replicas if resource consumption exceeds resource threshholds + maxReplicas: 100 + # -- targetAverageUtilization of cpu provided to a pod + targetCPUUtilizationPercentage: 80 + # -- targetAverageUtilization of memory provided to a pod + targetMemoryUtilizationPercentage: 80 + + # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics + opentelemetry: |- + otel.javaagent.enabled=false + otel.javaagent.debug=false + + + # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes + nodeSelector: {} + # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes + tolerations: [] + # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on + affinity: {} + + url: + control: "https://consumer-conn-controlplane.staging.construct-x.net/control" + # -- Explicitly declared url for reaching the dsp api (e.g. if ingresses not used) + protocol: "" + +dataplane: + nameOverride: "consumer-conn-dataplane" + fullnameOverride: "" + enabled: true + hostname: consumer-conn-dataplane + image: + # -- Which derivate of the data plane to use. 
when left empty the deployment will select the correct image automatically + repository: "registry.onstackit.cloud/constructx/con-x-dataplane-postgresql-hashicorp-vault" + # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use + pullPolicy: IfNotPresent + # -- Overrides the image tag whose default is the chart appVersion + tag: "latest" + imagePullSecrets: + - name: registry-creds + + initContainers: [] + debug: + # -- Enables java debugging mode. + enabled: false + # -- Port where the debuggee can connect to. + port: 1044 + # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. + suspendOnStart: false + + logs: + # -- Defines the log granularity of the default Console Monitor. + level: DEBUG + + livenessProbe: + # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first liveness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + readinessProbe: + # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first readiness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when 
a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + + service: + # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. + type: ClusterIP + # -- additional labels for the service + labels: {} + # -- additional annotations for the service + annotations: {} + + # -- endpoints of the dataplane + endpoints: + # -- default api for health checks, should not be added to any ingress + default: + # -- port for incoming api calls + port: 8181 + # -- path for incoming api calls + path: /api + # -- public endpoint where the data can be fetched from if HttpPull was used. Must be internet facing. + public: + # -- port for incoming api calls + port: 9500 + # -- path for incoming api calls + path: /public + # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not + control: + # -- port for incoming api calls + port: 9550 + # -- path for incoming api calls + path: /control + management: + # -- port for incoming api calls + port: 9510 + # -- path for incoming api calls + path: /management + # -- authentication key, must be attached to each request as `X-Api-Key` header + # -- metrics api, used for application metrics, must not be internet facing + metrics: + # -- port for incoming api calls + port: 9090 + # -- path for incoming api calls + path: /metrics + + token: + refresh: + # -- TTL in seconds for access tokens (also known as EDR token) + expiry_seconds: 300 + # -- Tolerance for token expiry in seconds + expiry_tolerance_seconds: 10 + # -- Optional endpoint for an OAuth2 token refresh. 
Default endpoint is `/token` + refresh_endpoint: + signer: + # -- Alias under which the private key (JWK or PEM format) is stored in the vault + privatekey_alias: cons_priv + verifier: + # -- Alias under which the public key (JWK or PEM format) is stored in the vault, that belongs to the private key which was referred to at `dataplane.token.signer.privatekey_alias` + publickey_alias: cons_pub + + schema: + autocreate: true + + env: + EDC_IAM_DID_WEB_USE_HTTPS: true + EDC_DATA_PLANE_SELF_UNREGISTRATION: true + EDC_IAM_CREDENTIAL_REVOCATION_MIMETYPE: application/json + EDC_IAM_ISSUER_ID: did:web:consumer-idhub.staging.construct-x.net:consumer + EDC_SQL_SCHEMA_AUTOCREATE: true + EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: did:web:local-issuer-service.staging.construct-x.net:issuer + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: consumersecret + + # -- additional labels for the pod + podLabels: {} + # -- additional annotations for the pod + podAnnotations: {} + # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment + podSecurityContext: + seccompProfile: + # -- Restrict a Container's Syscalls with seccomp + type: RuntimeDefault + # -- Runs all processes within a pod with a special uid + runAsUser: 10001 + # -- Processes within a pod will belong to this guid + runAsGroup: 10001 + # -- The owner for volumes and any files created within volumes will belong to this guid + fsGroup: 10001 + # -- The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod + securityContext: + capabilities: + # -- Specifies which capabilities to drop to reduce syscall attack surface + drop: + - ALL + # -- Specifies which capabilities to add to issue specialized syscalls + add: [] + # 
-- Whether the root filesystem is mounted in read-only mode + readOnlyRootFilesystem: true + # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID + allowPrivilegeEscalation: false + # -- Requires the container to run without root privileges + runAsNonRoot: true + # -- The container's process will run with the specified uid + runAsUser: 10001 + + # -- Extra environment variables that will be pass onto deployment pods + env: {} + # ENV_NAME: value + + # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. + # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core + envValueFrom: {} + # ENV_NAME: + # configMapKeyRef: + # name: configmap-name + # key: value_key + # secretKeyRef: + # name: secret-name + # key: value_key + + # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from + envSecretNames: [] + # - first-secret + # - second-secret + + # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from + envConfigMapNames: [] + # - first-config-map + # - second-config-map + + ## Ingress declaration to expose the network service. 
+ ingresses: + ## Public / Internet facing Ingress + - enabled: false + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "consumer-conn-dataplane.staging.construct-x.net" + className: "nginx" + annotations: + cert-manager.io/cluster-issuer: letsencrypt-staging + external-dns.alpha.kubernetes.io/hostname: "consumer-conn-dataplane.staging.construct-x.net" + external-dns.alpha.kubernetes.io/ttl: "300" + # -- EDC endpoints exposed by this ingress resource + endpoints: + - public + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + + tls: + # -- Enables TLS on the ingress resource + enabled: true + # -- If present overwrites the default secret name + secretName: "consumer-conn-dp-tls" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via cert-manager namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "letsencrypt-staging" + + # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container + volumeMounts: + # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories + volumes: + + # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container + resources: + limits: + # -- Maximum CPU limit + cpu: 1.5 + # -- Maximum memory limit + memory: 1024Mi + requests: + # -- Initial CPU request + cpu: 500m + # -- Initial memory request + memory: 1024Mi + + replicaCount: 1 + + autoscaling: + # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) + enabled: false + # -- Minimal replicas if resource 
consumption falls below resource threshholds + minReplicas: 1 + # -- Maximum replicas if resource consumption exceeds resource threshholds + maxReplicas: 100 + # -- targetAverageUtilization of cpu provided to a pod + targetCPUUtilizationPercentage: 80 + # -- targetAverageUtilization of memory provided to a pod + targetMemoryUtilizationPercentage: 80 + + # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics + opentelemetry: |- + otel.javaagent.enabled=false + otel.javaagent.debug=false + + + # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes + nodeSelector: {} + # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes + tolerations: [] + # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on + affinity: {} + url: + # -- Explicitly declared url for reaching the public api (e.g. if ingresses not used) + public: "" + +postgresql: + image: + repository: "bitnamilegacy/postgresql" + tag: "16.2.0-debian-12-r10" + jdbcUrl: "jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc" + primary: + persistence: + enabled: true + readReplicas: + persistence: + enabled: true + auth: + database: "edc" + username: "user" + password: "password" + +vault: + injector: + enabled: false + server: + dev: + enabled: true + devRootToken: "root" + postStart: # must be set externally! + hashicorp: + url: "http://{{ .Release.Name }}-vault:8200" + token: "root" + timeout: 30 + healthCheck: + enabled: true + standbyOk: true + paths: + secret: /v1/secret + health: /v1/sys/health + folder: "" \ No newline at end of file 
diff --git a/charts/tractusx-connector/values-provider.yaml b/charts/tractusx-connector/values-provider.yaml
new file mode 100644
index 0000000000..a8f6fc74c8
--- /dev/null
+++ b/charts/tractusx-connector/values-provider.yaml
@@ -0,0 +1,687 @@
+#################################################################################
+# Copyright (c) 2023,2024 ZF Friedrichshafen AG
+# Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH
+# Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+# Copyright (c) 2021,2024 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+#################################################################################
+
+---
+# Default values for eclipse-dataspace-connector.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+ +install: + postgresql: true + vault: true + +fullnameOverride: "" +nameOverride: "provider-conn" + +imagePullSecrets: [] +customLabels: {} + +participant: + id: "did:web:provider-idhub.staging.construct-x.net:provider" + +iatp: + id: "did:web:provider-idhub.staging.construct-x.net:provider" + trustedIssuerId: did:web:local-issuer-service.staging.construct-x.net:issuer + trustedIssuers: + - id: "did:web:local-issuer-service.staging.construct-x.net:issuer" + + sts: + div: + url: + oauth: + token_url: https://provider-idhub.staging.construct-x.net/api/sts/token + client: + # -- Client ID for requesting OAuth2 access token for DIV access + id: did:web:provider-idhub.staging.construct-x.net:provider + # -- Alias under which the client secret is stored in the vault for requesting OAuth2 access token for DIV access + secret_alias: providersecret + didService: + selfRegistration: + # -- Whether Service Self Registration is enabled + enabled: false + # -- Unique id of connector to be used for register / unregister service inside did document (must be valid URI) + id: "did:web:provider-idhub.staging.construct-x.net:provider" + # - Configures the Verifiable Presentation cache + cache: + # -- Whether the Verifiable Presentation cache is enabled + enabled: true + # -- Validity of the Verifiable Presentation cache in seconds + validity: 86400 + +# -- Add custom ca certificates to the truststore +customCaCerts: {} + +log4j2: + # -- Whether to enable the json log config in log4j2.config + enableJsonLogs: true + # -- Log4j2 configuration for json log formatting. 
+ config: |- + Appenders: + Console: + name: CONSOLE + JsonTemplateLayout: + eventTemplate: |- + { + "timestamp": { + "$resolver": "timestamp", + "pattern": { + "format": "yyyy-MM-dd'T'HH:mm:ss.SSSSSSS", + "timeZone": "UTC" + } + }, + "level": { + "$resolver": "level", + "field": "severity", + "severity": { + "field": "keyword" + } + }, + "message": { + "$resolver": "message" + } + } + Loggers: + Root: + level: "OFF" + Logger: + name: org.eclipse.edc.monitor.logger + level: DEBUG + AppenderRef: + ref: CONSOLE + +controlplane: + nameOverride: "provider-conn-controlplane" + fullnameOverride: "" + enabled: true + hostname: provider-conn-controlplane + image: + # -- Which derivate of the data plane to use. when left empty the deployment will select the correct image automatically + repository: "registry.onstackit.cloud/constructx/con-x-controlplane-postgresql-hashicorp-vault" + # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use + pullPolicy: IfNotPresent + # -- Overrides the image tag whose default is the chart appVersion + tag: "latest" + imagePullSecrets: + - name: registry-creds + initContainers: [] + debug: + # -- Enables java debugging mode. + enabled: false + # -- Port where the debuggee can connect to. + port: 1044 + # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. + suspendOnStart: false + logs: + # -- Defines the log granularity of the default Console Monitor. 
+ level: DEBUG + livenessProbe: + # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first liveness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + readinessProbe: + # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first readiness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a readiness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + + # -- endpoints of the control plane + endpoints: + # -- default api for health checks, should not be added to any ingress + default: + # -- port for incoming api calls + port: 9000 + # -- path for incoming api calls + path: /api + # -- data management api, used by internal users, can be added to an ingress and must not be internet facing + management: + # -- port for incoming api calls + port: 9010 + # -- path for incoming api calls + path: /management + # -- authentication key, must be attached to each request as `X-Api-Key` header + authKey: "password" + # -- if the JWKS url is set, the 
DelegatedAuth service will be engaged + jwksUrl: + + # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not + control: + # -- port for incoming api calls + port: 9050 + # -- path for incoming api calls + path: /control + # -- dsp api, used for inter connector communication and must be internet facing + protocol: + # -- port for incoming api calls + port: 9020 + # -- path for incoming api calls + path: /dsp + # -- metrics api, used for application metrics, must not be internet facing + validation: + # -- port for incoming api calls + port: 9030 + # -- path for incoming api calls + path: /validation + # -- dsp api, use + metrics: + # -- port for incoming api calls + port: 9090 + # -- path for incoming api calls + path: /metrics + + # -- configuration for policy engine + policy: + validation: + enabled: true + + service: + # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. 
+ type: ClusterIP + # -- additional labels for the service + labels: {} + # -- additional annotations for the service + annotations: {} + + # -- additional labels for the pod + podLabels: {} + # -- additional annotations for the pod + podAnnotations: {} + # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment + podSecurityContext: + seccompProfile: + # -- Restrict a Container's Syscalls with seccomp + type: RuntimeDefault + # -- Runs all processes within a pod with a special uid + runAsUser: 10001 + # -- Processes within a pod will belong to this guid + runAsGroup: 10001 + # -- The owner for volumes and any files created within volumes will belong to this guid + fsGroup: 10001 + # The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod + securityContext: + capabilities: + # -- Specifies which capabilities to drop to reduce syscall attack surface + drop: + - ALL + # -- Specifies which capabilities to add to issue specialized syscalls + add: [] + # -- Whether the root filesystem is mounted in read-only mode + readOnlyRootFilesystem: true + # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID + allowPrivilegeEscalation: false + # -- Requires the container to run without root privileges + runAsNonRoot: true + # -- The container's process will run with the specified uid + runAsUser: 10001 + + # -- Extra environment variables that will be pass onto deployment pods + env: {} + # ENV_NAME: value + + # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. 
+ # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core + envValueFrom: {} + # ENV_NAME: + # configMapKeyRef: + # name: configmap-name + # key: value_key + # secretKeyRef: + # name: secret-name + # key: value_key + + # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from + envSecretNames: [] + # - first-secret + # - second-secret + + # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from + envConfigMapNames: [] + # - first-config-map + # - second-config-map + + schema: + autocreate: true + + env: + EDC_IAM_DID_WEB_USE_HTTPS: true + EDC_IAM_ISSUER_ID: did:web:provider-idhub.staging.construct-x.net:provider + TX_EDC_POSTGRESQL_MIGRATION_ASSET_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_AGREEMENTBPNS_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_BPN_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_CONTRACTDEFINITION_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_CONTRACTNEGOTIATION_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_DATAPLANEINSTANCE_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_EDR_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_FEDERATEDCATALOG_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_JTI-VALIDATION_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_POLICY-MONITOR_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_POLICY_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_TRANSFERPROCESS_ENABLED: false + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: providersecret + EDC_IAM_CREDENTIAL_REVOCATION_MIMETYPE: application/json + + ingresses: + - enabled: true + hostname: "provider-conn-controlplane.staging.construct-x.net" + className: "nginx" + annotations: + cert-manager.io/cluster-issuer: letsencrypt-staging + external-dns.alpha.kubernetes.io/hostname: "provider-conn-controlplane.staging.construct-x.net" + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - default + - protocol 
+ - management + - dsp + - validation + tls: + # -- Enables TLS on the ingress resource + enabled: true + # -- If present overwrites the default secret name + secretName: "provider-conn-cp-tls" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via cert-manager namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "letsencrypt-staging" + ## Private / Intranet facing Ingress + - enabled: false + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "provider-conn-controlplane.staging.construct-x.net" + # -- Additional ingress annotations to add + annotations: {} + # -- EDC endpoints exposed by this ingress resource + endpoints: + - control + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + className: "nginx" + # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource + tls: + # -- Enables TLS on the ingress resource + enabled: false + # -- If present overwrites the default secret name + secretName: "" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via cert-manager namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "letsencrypt-staging" + + # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container + volumeMounts: + # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories + volumes: + + # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container + resources: + 
limits: + # -- Maximum CPU limit + cpu: 1.5 + # -- Maximum memory limit + memory: 1024Mi + requests: + # -- Initial CPU request + cpu: 500m + # -- Initial memory request + memory: 1024Mi + + replicaCount: 1 + + autoscaling: + # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) + enabled: false + # -- Minimal replicas if resource consumption falls below resource threshholds + minReplicas: 1 + # -- Maximum replicas if resource consumption exceeds resource threshholds + maxReplicas: 100 + # -- targetAverageUtilization of cpu provided to a pod + targetCPUUtilizationPercentage: 80 + # -- targetAverageUtilization of memory provided to a pod + targetMemoryUtilizationPercentage: 80 + + # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics + opentelemetry: |- + otel.javaagent.enabled=false + otel.javaagent.debug=false + + + # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes + nodeSelector: {} + # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes + tolerations: [] + # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on + affinity: {} + + url: + control: "https://provider-conn-controlplane.staging.construct-x.net/control" + # -- Explicitly declared url for reaching the dsp api (e.g. if ingresses not used) + protocol: "" + +dataplane: + nameOverride: "provider-conn-dataplane" + fullnameOverride: "" + enabled: true + hostname: provider-conn-dataplane + image: + # -- Which derivate of the data plane to use. 
when left empty the deployment will select the correct image automatically + repository: "registry.onstackit.cloud/constructx/con-x-dataplane-postgresql-hashicorp-vault" + # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use + pullPolicy: IfNotPresent + # -- Overrides the image tag whose default is the chart appVersion + tag: "latest" + imagePullSecrets: + - name: registry-creds + + initContainers: [] + debug: + # -- Enables java debugging mode. + enabled: false + # -- Port where the debuggee can connect to. + port: 1044 + # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. + suspendOnStart: false + + logs: + # -- Defines the log granularity of the default Console Monitor. + level: DEBUG + + livenessProbe: + # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first liveness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + readinessProbe: + # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first readiness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when 
a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + + service: + # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. + type: ClusterIP + # -- additional labels for the service + labels: {} + # -- additional annotations for the service + annotations: {} + + # -- endpoints of the dataplane + endpoints: + # -- default api for health checks, should not be added to any ingress + default: + # -- port for incoming api calls + port: 8181 + # -- path for incoming api calls + path: /api + # -- public endpoint where the data can be fetched from if HttpPull was used. Must be internet facing. + public: + # -- port for incoming api calls + port: 9500 + # -- path for incoming api calls + path: /public + # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not + control: + # -- port for incoming api calls + port: 9550 + # -- path for incoming api calls + path: /control + management: + # -- port for incoming api calls + port: 9510 + # -- path for incoming api calls + path: /management + # -- authentication key, must be attached to each request as `X-Api-Key` header + # -- metrics api, used for application metrics, must not be internet facing + metrics: + # -- port for incoming api calls + port: 9090 + # -- path for incoming api calls + path: /metrics + + token: + refresh: + # -- TTL in seconds for access tokens (also known as EDR token) + expiry_seconds: 300 + # -- Tolerance for token expiry in seconds + expiry_tolerance_seconds: 10 + # -- Optional endpoint for an OAuth2 token refresh. 
Default endpoint is `/token` + refresh_endpoint: + signer: + # -- Alias under which the private key (JWK or PEM format) is stored in the vault + privatekey_alias: prov_priv + verifier: + # -- Alias under which the public key (JWK or PEM format) is stored in the vault, that belongs to the private key which was referred to at `dataplane.token.signer.privatekey_alias` + publickey_alias: prov_pub + + schema: + autocreate: true + + env: + EDC_IAM_DID_WEB_USE_HTTPS: true + EDC_DATA_PLANE_SELF_UNREGISTRATION: true + EDC_IAM_CREDENTIAL_REVOCATION_MIMETYPE: application/json + EDC_IAM_ISSUER_ID: did:web:provider-idhub.staging.construct-x.net:provider + EDC_SQL_SCHEMA_AUTOCREATE: true + EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: did:web:local-issuer-service.staging.construct-x.net:issuer + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: providersecret + + # -- additional labels for the pod + podLabels: {} + # -- additional annotations for the pod + podAnnotations: {} + # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment + podSecurityContext: + seccompProfile: + # -- Restrict a Container's Syscalls with seccomp + type: RuntimeDefault + # -- Runs all processes within a pod with a special uid + runAsUser: 10001 + # -- Processes within a pod will belong to this guid + runAsGroup: 10001 + # -- The owner for volumes and any files created within volumes will belong to this guid + fsGroup: 10001 + # -- The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod + securityContext: + capabilities: + # -- Specifies which capabilities to drop to reduce syscall attack surface + drop: + - ALL + # -- Specifies which capabilities to add to issue specialized syscalls + add: [] + # 
-- Whether the root filesystem is mounted in read-only mode + readOnlyRootFilesystem: true + # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID + allowPrivilegeEscalation: false + # -- Requires the container to run without root privileges + runAsNonRoot: true + # -- The container's process will run with the specified uid + runAsUser: 10001 + + # -- Extra environment variables that will be pass onto deployment pods + env: {} + # ENV_NAME: value + + # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. + # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core + envValueFrom: {} + # ENV_NAME: + # configMapKeyRef: + # name: configmap-name + # key: value_key + # secretKeyRef: + # name: secret-name + # key: value_key + + # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from + envSecretNames: [] + # - first-secret + # - second-secret + + # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from + envConfigMapNames: [] + # - first-config-map + # - second-config-map + + ## Ingress declaration to expose the network service. 
+ ingresses: + ## Public / Internet facing Ingress + - enabled: true + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "provider-conn-dataplane.staging.construct-x.net" + className: "nginx" + annotations: + cert-manager.io/cluster-issuer: letsencrypt-staging + external-dns.alpha.kubernetes.io/hostname: "provider-conn-dataplane.staging.construct-x.net" + external-dns.alpha.kubernetes.io/ttl: "300" + # -- EDC endpoints exposed by this ingress resource + endpoints: + - public + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + + tls: + # -- Enables TLS on the ingress resource + enabled: true + # -- If present overwrites the default secret name + secretName: "provider-conn-dp-tls" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via cert-manager namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "letsencrypt-staging" + + # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container + volumeMounts: + # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories + volumes: + + # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container + resources: + limits: + # -- Maximum CPU limit + cpu: 1.5 + # -- Maximum memory limit + memory: 1024Mi + requests: + # -- Initial CPU request + cpu: 500m + # -- Initial memory request + memory: 1024Mi + + replicaCount: 1 + + autoscaling: + # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) + enabled: false + # -- Minimal replicas if resource 
consumption falls below resource threshholds + minReplicas: 1 + # -- Maximum replicas if resource consumption exceeds resource threshholds + maxReplicas: 100 + # -- targetAverageUtilization of cpu provided to a pod + targetCPUUtilizationPercentage: 80 + # -- targetAverageUtilization of memory provided to a pod + targetMemoryUtilizationPercentage: 80 + + # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics + opentelemetry: |- + otel.javaagent.enabled=false + otel.javaagent.debug=false + + + # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes + nodeSelector: {} + # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes + tolerations: [] + # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on + affinity: {} + url: + # -- Explicitly declared url for reaching the public api (e.g. if ingresses not used) + public: "" + +postgresql: + image: + repository: "bitnamilegacy/postgresql" + tag: "16.2.0-debian-12-r10" + jdbcUrl: "jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc" + primary: + persistence: + enabled: true + readReplicas: + persistence: + enabled: true + auth: + database: "edc" + username: "user" + password: "password" + +vault: + injector: + enabled: false + server: + dev: + enabled: true + devRootToken: "root" + postStart: # must be set externally! + hashicorp: + url: "http://{{ .Release.Name }}-vault:8200" + token: "root" + timeout: 30 + healthCheck: + enabled: true + standbyOk: true + paths: + secret: /v1/secret + health: /v1/sys/health + folder: "" \ No newline at end of file From cbab90580198891b5b9bb34620a2c7c377ad2773 Mon Sep 17 00:00:00 2001 
From: Saud Khan Date: Thu, 30 Apr 2026 15:31:43 +0200 Subject: [PATCH 02/17] chore(lint): added autocreate property to the default values --- charts/tractusx-connector/values.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/charts/tractusx-connector/values.yaml b/charts/tractusx-connector/values.yaml index 1accc39341..dba2d9e5e7 100644 --- a/charts/tractusx-connector/values.yaml +++ b/charts/tractusx-connector/values.yaml @@ -549,6 +549,9 @@ dataplane: # - first-config-map # - second-config-map + schema: + autocreate: true + ## Ingress declaration to expose the network service. ingresses: ## Public / Internet facing Ingress From 85b6fc08bce72326cce59f1918a10a930ad3948c Mon Sep 17 00:00:00 2001 From: Dennis Borrmann Date: Mon, 15 Jun 2026 10:37:04 +0200 Subject: [PATCH 03/17] lcense headers added --- .../templates/deployment-controlplane.yaml | 6 +- .../templates/deployment-dataplane.yaml | 2 + .../templates/post-install-vault-setup.yaml | 20 + .../templates/vault-edc-configmap.yaml | 20 + .../tractusx-connector/values-consumer.yaml | 17 +- .../tractusx-connector/values-provider.yaml | 19 +- charts/tractusx-connector/values.yaml | 1255 ++++++++--------- 7 files changed, 688 insertions(+), 651 deletions(-) diff --git a/charts/tractusx-connector/templates/deployment-controlplane.yaml b/charts/tractusx-connector/templates/deployment-controlplane.yaml index aedb7aacfa..0dc39d20b8 100644 --- a/charts/tractusx-connector/templates/deployment-controlplane.yaml +++ b/charts/tractusx-connector/templates/deployment-controlplane.yaml @@ -1,4 +1,6 @@ -# +################################################################################# + + # Copyright (c) 2026 ARENA2036 e.V. # Copyright (c) 2023 ZF Friedrichshafen AG # Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH # Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) 
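Review bot: The new `schema.autocreate: true` default under `dataplane` carries no helm-docs `# --` comment, unlike every neighbouring key, and it silently makes the runtime create its own database schema on startup, which needs a DB account with DDL rights; a comment such as `# -- Whether the SQL schema is created automatically at startup; disable in production and manage the schema via migrations so the database user needs no DDL privileges` would document both the knob and the trade-off. The environment-specific values files in this series (values-consumer.yaml and values-provider.yaml) define a `schema.autocreate` block under both `controlplane` and `dataplane`, while this default only adds the `dataplane` one; if any template reads `controlplane.schema.autocreate` without a `default`, rendering with values.yaml alone would presumably fail on the missing `schema` map, so a matching `controlplane.schema.autocreate` default looks necessary. The hunk is a fragment of the `dataplane:` mapping, which starts and ends outside it.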
@@ -18,7 +20,7 @@ # under the License. # # SPDX-License-Identifier: Apache-2.0 - # + ################################################################################# --- apiVersion: apps/v1 diff --git a/charts/tractusx-connector/templates/deployment-dataplane.yaml b/charts/tractusx-connector/templates/deployment-dataplane.yaml index a800308313..52994579b0 100644 --- a/charts/tractusx-connector/templates/deployment-dataplane.yaml +++ b/charts/tractusx-connector/templates/deployment-dataplane.yaml @@ -1,4 +1,6 @@ ################################################################################# + + # Copyright (c) 2026 ARENA2036 e.V. # Copyright (c) 2023 ZF Friedrichshafen AG # Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH # Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) diff --git a/charts/tractusx-connector/templates/post-install-vault-setup.yaml b/charts/tractusx-connector/templates/post-install-vault-setup.yaml index a179a8aec0..95ef637415 100644 --- a/charts/tractusx-connector/templates/post-install-vault-setup.yaml +++ b/charts/tractusx-connector/templates/post-install-vault-setup.yaml 
@@ -1,3 +1,23 @@ +################################################################################# + + # Copyright (c) 2026 ARENA2036 e.V. + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License, Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + # License for the specific language governing permissions and limitations + # under the License. + # + # SPDX-License-Identifier: Apache-2.0 + ################################################################################# + {{- $vaultToken := index .Values "vault" "hashicorp" "token" -}} {{- $vaultUrl := tpl (index .Values "vault" "hashicorp" "url") . -}} {{- $fullName := .Values.nameOverride -}} diff --git a/charts/tractusx-connector/templates/vault-edc-configmap.yaml b/charts/tractusx-connector/templates/vault-edc-configmap.yaml index efcff6b8e7..8ab4a9c291 100644 --- a/charts/tractusx-connector/templates/vault-edc-configmap.yaml +++ b/charts/tractusx-connector/templates/vault-edc-configmap.yaml 
@@ -1,3 +1,23 @@ +################################################################################# + + # Copyright (c) 2026 ARENA2036 e.V. + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License, Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + # License for the specific language governing permissions and limitations + # under the License. + # + # SPDX-License-Identifier: Apache-2.0 + ################################################################################# + {{- $fullName := .Values.nameOverride -}} apiVersion: v1 kind: ConfigMap diff --git a/charts/tractusx-connector/values-consumer.yaml b/charts/tractusx-connector/values-consumer.yaml index ecd8a0aa11..5936970f47 100644 --- a/charts/tractusx-connector/values-consumer.yaml +++ b/charts/tractusx-connector/values-consumer.yaml @@ -1,8 +1,5 @@ ################################################################################# -# Copyright (c) 2023,2024 ZF Friedrichshafen AG -# Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH -# Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) -# Copyright (c) 2021,2024 Contributors to the Eclipse Foundation +# Copyright (c) 2026 ARENA2036 e.V. # # See the NOTICE file(s) distributed with this work for additional # information regarding copyright ownership. @@ -273,9 +270,9 @@ controlplane: envConfigMapNames: [] # - first-config-map # - second-config-map - + schema: - autocreate: true + autocreate: true env: EDC_IAM_DID_WEB_USE_HTTPS: true 
@@ -408,7 +405,7 @@ dataplane: tag: "latest" imagePullSecrets: - name: registry-creds - + initContainers: [] debug: # -- Enables java debugging mode. @@ -506,7 +503,7 @@ dataplane: publickey_alias: cons_pub schema: - autocreate: true + autocreate: true env: EDC_IAM_DID_WEB_USE_HTTPS: true @@ -589,7 +586,7 @@ dataplane: endpoints: - public # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use - + tls: # -- Enables TLS on the ingress resource enabled: true @@ -684,4 +681,4 @@ vault: paths: secret: /v1/secret health: /v1/sys/health - folder: "" \ No newline at end of file + folder: "" diff --git a/charts/tractusx-connector/values-provider.yaml b/charts/tractusx-connector/values-provider.yaml index a8f6fc74c8..d27850743b 100644 --- a/charts/tractusx-connector/values-provider.yaml +++ b/charts/tractusx-connector/values-provider.yaml @@ -1,8 +1,5 @@ ################################################################################# -# Copyright (c) 2023,2024 ZF Friedrichshafen AG -# Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH -# Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) -# Copyright (c) 2021,2024 Contributors to the Eclipse Foundation +# Copyright (c) 2026 ARENA2036 e.V. # # See the NOTICE file(s) distributed with this work for additional # information regarding copyright ownership. @@ -273,9 +270,9 @@ controlplane: envConfigMapNames: [] # - first-config-map # - second-config-map - + schema: - autocreate: true + autocreate: true env: EDC_IAM_DID_WEB_USE_HTTPS: true @@ -408,7 +405,7 @@ dataplane: tag: "latest" imagePullSecrets: - name: registry-creds - + initContainers: [] debug: # -- Enables java debugging mode. @@ -506,7 +503,7 @@ dataplane: publickey_alias: prov_pub schema: - autocreate: true + autocreate: true env: EDC_IAM_DID_WEB_USE_HTTPS: true 
@@ -516,7 +513,7 @@ dataplane: EDC_SQL_SCHEMA_AUTOCREATE: true EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: did:web:local-issuer-service.staging.construct-x.net:issuer EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: providersecret - + # -- additional labels for the pod podLabels: {} # -- additional annotations for the pod @@ -589,7 +586,7 @@ dataplane: endpoints: - public # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use - + tls: # -- Enables TLS on the ingress resource enabled: true @@ -684,4 +681,4 @@ vault: paths: secret: /v1/secret health: /v1/sys/health - folder: "" \ No newline at end of file + folder: "" diff --git a/charts/tractusx-connector/values.yaml b/charts/tractusx-connector/values.yaml index dba2d9e5e7..71cf6ed603 100644 --- a/charts/tractusx-connector/values.yaml +++ b/charts/tractusx-connector/values.yaml @@ -1,4 +1,5 @@ ################################################################################# +# Copyright (c) 2026 ARENA2036 e.V. # Copyright (c) 2023,2024 ZF Friedrichshafen AG # Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH # Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) @@ -26,10 +27,10 @@ # Declare variables to be passed into your templates. install: - # -- Deploying a PostgreSQL instance - postgresql: true - # -- Deploying a HashiCorp Vault instance - vault: true + # -- Deploying a PostgreSQL instance + postgresql: true + # -- Deploying a HashiCorp Vault instance + vault: true fullnameOverride: "" nameOverride: "" 
@@ -40,654 +41,652 @@ imagePullSecrets: [] customLabels: {} participant: - # -- BPN Number - id: "BPNLCHANGEME" - # -- Participant Context Id - Newly introduced id for a connector instance (needed for multitenancy) - contextId: "UUID CHANGEME" + # -- BPN Number + id: "BPNLCHANGEME" + # -- Participant Context Id - Newly introduced id for a connector instance (needed for multitenancy) + contextId: "UUID CHANGEME" iatp: - # -- Decentralized IDentifier (DID) of the connector - id: "did:web:changeme" - # -- Configures the trusted issuers for this runtime. If no supportedTypes are specified, the value defaults to "*" for that issuer - trustedIssuers: [] - # - id: "did:web:example1.com" - # supportedTypes: - # - "MembershipCredential" - # - "did:web:example2.com" - sts: - div: - # -- URL where connectors can request SI tokens - url: - oauth: - # -- URL where connectors can request OAuth2 access tokens for DIV access - token_url: - client: - # -- Client ID for requesting OAuth2 access token for DIV access - id: - # -- Alias under which the client secret is stored in the vault for requesting OAuth2 access token for DIV access - secret_alias: - didService: - selfRegistration: - # -- Whether Service Self Registration is enabled - enabled: false - # -- Unique id of connector to be used for register / unregister service inside did document (must be valid URI) - id: "did:web:changeme" - # - Configures the Verifiable Presentation cache - cache: - # -- Whether the Verifiable Presentation cache is enabled - enabled: true - # -- Validity of the Verifiable Presentation cache in seconds - validity: 86400 + # -- Decentralized IDentifier (DID) of the connector + id: "did:web:changeme" + # -- Configures the trusted issuers for this runtime. 
If no supportedTypes are specified, the value defaults to "*" for that issuer + trustedIssuers: [] + # - id: "did:web:example1.com" + # supportedTypes: + # - "MembershipCredential" + # - "did:web:example2.com" + sts: + div: + # -- URL where connectors can request SI tokens + url: + oauth: + # -- URL where connectors can request OAuth2 access tokens for DIV access + token_url: + client: + # -- Client ID for requesting OAuth2 access token for DIV access + id: + # -- Alias under which the client secret is stored in the vault for requesting OAuth2 access token for DIV access + secret_alias: + didService: + selfRegistration: + # -- Whether Service Self Registration is enabled + enabled: false + # -- Unique id of connector to be used for register / unregister service inside did document (must be valid URI) + id: "did:web:changeme" + # - Configures the Verifiable Presentation cache + cache: + # -- Whether the Verifiable Presentation cache is enabled + enabled: true + # -- Validity of the Verifiable Presentation cache in seconds + validity: 86400 # -- Add custom ca certificates to the truststore customCaCerts: {} log4j2: - # -- Whether to enable the json log config in log4j2.config - enableJsonLogs: true - # -- Log4j2 configuration for json log formatting. - config: |- - Appenders: - Console: - name: CONSOLE - JsonTemplateLayout: - eventTemplate: |- - { - "timestamp": { - "$resolver": "timestamp", - "pattern": { - "format": "yyyy-MM-dd'T'HH:mm:ss.SSSSSSS", - "timeZone": "UTC" + # -- Whether to enable the json log config in log4j2.config + enableJsonLogs: true + # -- Log4j2 configuration for json log formatting. 
+ config: |- + Appenders: + Console: + name: CONSOLE + JsonTemplateLayout: + eventTemplate: |- + { + "timestamp": { + "$resolver": "timestamp", + "pattern": { + "format": "yyyy-MM-dd'T'HH:mm:ss.SSSSSSS", + "timeZone": "UTC" + } + }, + "level": { + "$resolver": "level", + "field": "severity", + "severity": { + "field": "keyword" + } + }, + "message": { + "$resolver": "message" + } } - }, - "level": { - "$resolver": "level", - "field": "severity", - "severity": { - "field": "keyword" - } - }, - "message": { - "$resolver": "message" - } - } - Loggers: - Root: - level: "OFF" - Logger: - name: org.eclipse.edc.monitor.logger - level: DEBUG - AppenderRef: - ref: CONSOLE + Loggers: + Root: + level: "OFF" + Logger: + name: org.eclipse.edc.monitor.logger + level: DEBUG + AppenderRef: + ref: CONSOLE controlplane: - image: - # -- Which derivate of the control plane to use. When left empty the deployment will select the correct image automatically - repository: "" - # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use - pullPolicy: IfNotPresent - # -- Overrides the image tag whose default is the chart appVersion - tag: "" - initContainers: [] - debug: - # -- Enables java debugging mode. - enabled: false - # -- Port where the debuggee can connect to. - port: 1044 - # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. - suspendOnStart: false - - logs: - # -- Defines the log granularity of the default Console Monitor. 
- level: DEBUG - - livenessProbe: - # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) - enabled: true - # -- seconds to wait before performing the first liveness check - initialDelaySeconds: 30 - # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds - periodSeconds: 10 - # -- number of seconds after which the probe times out - timeoutSeconds: 5 - # -- when a probe fails kubernetes will try 6 times before giving up - failureThreshold: 6 - # -- number of consecutive successes for the probe to be considered successful after having failed - successThreshold: 1 - readinessProbe: - # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) - enabled: true - # -- seconds to wait before performing the first readiness check - initialDelaySeconds: 30 - # -- this fields specifies that kubernetes should perform a readiness check every 10 seconds - periodSeconds: 10 - # -- number of seconds after which the probe times out - timeoutSeconds: 5 - # -- when a probe fails kubernetes will try 6 times before giving up - failureThreshold: 6 - # -- number of consecutive successes for the probe to be considered successful after having failed - successThreshold: 1 - - # -- endpoints of the control plane - endpoints: - # -- default api for health checks, should not be added to any ingress - default: - # -- port for incoming api calls - port: 8080 - # -- path for incoming api calls - path: /api - # -- data management api, used by internal users, can be added to an ingress and must not be internet facing - management: - # -- port for incoming api calls - port: 8081 - # -- path for incoming api calls - path: /management - # -- authentication key, must be attached to each request as `X-Api-Key` header - authKey: "password" - # -- if the JWKS url is set, the 
DelegatedAuth service will be engaged - jwksUrl: - - # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not - control: - # -- port for incoming api calls - port: 8083 - # -- path for incoming api calls - path: /control - # -- dsp api, used for inter connector communication and must be internet facing - protocol: - # -- port for incoming api calls - port: 8084 - # -- path for incoming api calls - path: /api/v1/dsp - # -- metrics api, used for application metrics, must not be internet facing - metrics: - # -- port for incoming api calls - port: 9090 - # -- path for incoming api calls - path: /metrics - - bdrs: - # -- Time that a cached BPN/DID resolution map is valid in seconds, default is 600 seconds (10 min) - cache_validity_seconds: 600 - server: - # -- URL of the BPN/DID Resolution Service - url: - - # -- configuration for policy engine - policy: - validation: - enabled: true - - service: - # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. 
- type: ClusterIP - # -- additional labels for the service - labels: {} - # -- additional annotations for the service - annotations: {} - - # -- additional labels for the pod - podLabels: {} - # -- additional annotations for the pod - podAnnotations: {} - # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment - podSecurityContext: - seccompProfile: - # -- Restrict a Container's Syscalls with seccomp - type: RuntimeDefault - # -- Runs all processes within a pod with a special uid - runAsUser: 10001 - # -- Processes within a pod will belong to this guid - runAsGroup: 10001 - # -- The owner for volumes and any files created within volumes will belong to this guid - fsGroup: 10001 - # The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod - securityContext: - capabilities: - # -- Specifies which capabilities to drop to reduce syscall attack surface - drop: - - ALL - # -- Specifies which capabilities to add to issue specialized syscalls - add: [] - # -- Whether the root filesystem is mounted in read-only mode - readOnlyRootFilesystem: true - # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID - allowPrivilegeEscalation: false - # -- Requires the container to run without root privileges - runAsNonRoot: true - # -- The container's process will run with the specified uid - runAsUser: 10001 - - # -- Extra environment variables that will be pass onto deployment pods - env: {} - # ENV_NAME: value - - # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. 
- # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core - envValueFrom: {} - # ENV_NAME: - # configMapKeyRef: - # name: configmap-name - # key: value_key - # secretKeyRef: - # name: secret-name - # key: value_key - - # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from - envSecretNames: [] - # - first-secret - # - second-secret - - # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from - envConfigMapNames: [] - # - first-config-map - # - second-config-map - - ## Ingress declaration to expose the network service. - ingresses: - ## Public / Internet facing Ingress - - enabled: false - # -- The hostname to be used to precisely map incoming traffic onto the underlying network service - hostname: "edc-control.local" - # -- Additional ingress annotations to add - annotations: {} - # -- EDC endpoints exposed by this ingress resource - endpoints: - - protocol - # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use - className: "" - # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource - tls: - # -- Enables TLS on the ingress resource + image: + # -- Which derivate of the control plane to use. When left empty the deployment will select the correct image automatically + repository: "" + # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use + pullPolicy: IfNotPresent + # -- Overrides the image tag whose default is the chart appVersion + tag: "" + initContainers: [] + debug: + # -- Enables java debugging mode. 
enabled: false - # -- If present overwrites the default secret name - secretName: "" - ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource - certManager: - # -- If preset enables certificate generation via cert-manager namespace scoped issuer - issuer: "" - # -- If preset enables certificate generation via cert-manager cluster-wide issuer - clusterIssuer: "" - ## Private / Intranet facing Ingress - - enabled: false - # -- The hostname to be used to precisely map incoming traffic onto the underlying network service - hostname: "edc-control.intranet" - # -- Additional ingress annotations to add - annotations: {} - # -- EDC endpoints exposed by this ingress resource - endpoints: - - management - - control - # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use - className: "" - # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource - tls: - # -- Enables TLS on the ingress resource + # -- Port where the debuggee can connect to. + port: 1044 + # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. + suspendOnStart: false + + logs: + # -- Defines the log granularity of the default Console Monitor. 
+ level: DEBUG + + livenessProbe: + # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first liveness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + readinessProbe: + # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first readiness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a readiness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + + # -- endpoints of the control plane + endpoints: + # -- default api for health checks, should not be added to any ingress + default: + # -- port for incoming api calls + port: 8080 + # -- path for incoming api calls + path: /api + # -- data management api, used by internal users, can be added to an ingress and must not be internet facing + management: + # -- port for incoming api calls + port: 8081 + # -- path for incoming api calls + path: /management + # -- authentication key, must be attached to each request as `X-Api-Key` header + authKey: "password" + # -- if the JWKS url is set, the 
DelegatedAuth service will be engaged + jwksUrl: + + # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not + control: + # -- port for incoming api calls + port: 8083 + # -- path for incoming api calls + path: /control + # -- dsp api, used for inter connector communication and must be internet facing + protocol: + # -- port for incoming api calls + port: 8084 + # -- path for incoming api calls + path: /api/v1/dsp + # -- metrics api, used for application metrics, must not be internet facing + metrics: + # -- port for incoming api calls + port: 9090 + # -- path for incoming api calls + path: /metrics + + bdrs: + # -- Time that a cached BPN/DID resolution map is valid in seconds, default is 600 seconds (10 min) + cache_validity_seconds: 600 + server: + # -- URL of the BPN/DID Resolution Service + url: + + # -- configuration for policy engine + policy: + validation: + enabled: true + + service: + # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. 
+ type: ClusterIP + # -- additional labels for the service + labels: {} + # -- additional annotations for the service + annotations: {} + + # -- additional labels for the pod + podLabels: {} + # -- additional annotations for the pod + podAnnotations: {} + # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment + podSecurityContext: + seccompProfile: + # -- Restrict a Container's Syscalls with seccomp + type: RuntimeDefault + # -- Runs all processes within a pod with a special uid + runAsUser: 10001 + # -- Processes within a pod will belong to this guid + runAsGroup: 10001 + # -- The owner for volumes and any files created within volumes will belong to this guid + fsGroup: 10001 + # The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod + securityContext: + capabilities: + # -- Specifies which capabilities to drop to reduce syscall attack surface + drop: + - ALL + # -- Specifies which capabilities to add to issue specialized syscalls + add: [] + # -- Whether the root filesystem is mounted in read-only mode + readOnlyRootFilesystem: true + # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID + allowPrivilegeEscalation: false + # -- Requires the container to run without root privileges + runAsNonRoot: true + # -- The container's process will run with the specified uid + runAsUser: 10001 + + # -- Extra environment variables that will be pass onto deployment pods + env: {} + # ENV_NAME: value + + # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. 
+ # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core + envValueFrom: {} + # ENV_NAME: + # configMapKeyRef: + # name: configmap-name + # key: value_key + # secretKeyRef: + # name: secret-name + # key: value_key + + # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from + envSecretNames: [] + # - first-secret + # - second-secret + + # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from + envConfigMapNames: [] + # - first-config-map + # - second-config-map + + ## Ingress declaration to expose the network service. + ingresses: + ## Public / Internet facing Ingress + - enabled: false + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "edc-control.local" + # -- Additional ingress annotations to add + annotations: {} + # -- EDC endpoints exposed by this ingress resource + endpoints: + - protocol + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + className: "" + # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource + tls: + # -- Enables TLS on the ingress resource + enabled: false + # -- If present overwrites the default secret name + secretName: "" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via cert-manager namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "" + ## Private / Intranet facing Ingress + - enabled: false + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "edc-control.intranet" + # -- Additional 
ingress annotations to add + annotations: {} + # -- EDC endpoints exposed by this ingress resource + endpoints: + - management + - control + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + className: "" + # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource + tls: + # -- Enables TLS on the ingress resource + enabled: false + # -- If present overwrites the default secret name + secretName: "" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via cert-manager namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "" + + # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container + volumeMounts: + # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories + volumes: + + # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container + resources: + limits: + # -- Maximum CPU limit + cpu: 1.5 + # -- Maximum memory limit + memory: 1024Mi + requests: + # -- Initial CPU request + cpu: 500m + # -- Initial memory request + memory: 1024Mi + + replicaCount: 1 + + autoscaling: + # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) enabled: false - # -- If present overwrites the default secret name - secretName: "" - ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource - certManager: - # -- If preset enables certificate generation via cert-manager namespace scoped issuer - issuer: "" - # -- If preset enables certificate generation via cert-manager 
cluster-wide issuer - clusterIssuer: "" - - # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container - volumeMounts: - # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories - volumes: - - # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container - resources: - limits: - # -- Maximum CPU limit - cpu: 1.5 - # -- Maximum memory limit - memory: 1024Mi - requests: - # -- Initial CPU request - cpu: 500m - # -- Initial memory request - memory: 1024Mi - - replicaCount: 1 - - autoscaling: - # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) - enabled: false - # -- Minimal replicas if resource consumption falls below resource threshholds - minReplicas: 1 - # -- Maximum replicas if resource consumption exceeds resource threshholds - maxReplicas: 100 - # -- targetAverageUtilization of cpu provided to a pod - targetCPUUtilizationPercentage: 80 - # -- targetAverageUtilization of memory provided to a pod - targetMemoryUtilizationPercentage: 80 - - # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics - opentelemetry: |- - otel.javaagent.enabled=false - otel.javaagent.debug=false - - - # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes - nodeSelector: {} - # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes - tolerations: [] - # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on - affinity: {} - - url: - # -- Explicitly 
declared url for reaching the dsp api (e.g. if ingresses not used) - protocol: "" + # -- Minimal replicas if resource consumption falls below resource threshholds + minReplicas: 1 + # -- Maximum replicas if resource consumption exceeds resource threshholds + maxReplicas: 100 + # -- targetAverageUtilization of cpu provided to a pod + targetCPUUtilizationPercentage: 80 + # -- targetAverageUtilization of memory provided to a pod + targetMemoryUtilizationPercentage: 80 + + # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics + opentelemetry: |- + otel.javaagent.enabled=false + otel.javaagent.debug=false + + # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes + nodeSelector: {} + # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes + tolerations: [] + # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on + affinity: {} + + url: + # -- Explicitly declared url for reaching the dsp api (e.g. if ingresses not used) + protocol: "" dataplane: - image: - # -- Which derivate of the data plane to use. when left empty the deployment will select the correct image automatically - repository: "" - # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use - pullPolicy: IfNotPresent - # -- Overrides the image tag whose default is the chart appVersion - tag: "" - initContainers: [] - debug: - # -- Enables java debugging mode. - enabled: false - # -- Port where the debuggee can connect to. - port: 1044 - # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. 
- suspendOnStart: false - - logs: - # -- Defines the log granularity of the default Console Monitor. - level: DEBUG - - livenessProbe: - # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) - enabled: true - # -- seconds to wait before performing the first liveness check - initialDelaySeconds: 30 - # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds - periodSeconds: 10 - # -- number of seconds after which the probe times out - timeoutSeconds: 5 - # -- when a probe fails kubernetes will try 6 times before giving up - failureThreshold: 6 - # -- number of consecutive successes for the probe to be considered successful after having failed - successThreshold: 1 - readinessProbe: - # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) - enabled: true - # -- seconds to wait before performing the first readiness check - initialDelaySeconds: 30 - # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds - periodSeconds: 10 - # -- number of seconds after which the probe times out - timeoutSeconds: 5 - # -- when a probe fails kubernetes will try 6 times before giving up - failureThreshold: 6 - # -- number of consecutive successes for the probe to be considered successful after having failed - successThreshold: 1 - - service: - # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. - type: ClusterIP - # -- additional labels for the service - labels: {} - # -- additional annotations for the service - annotations: {} + image: + # -- Which derivate of the data plane to use. 
when left empty the deployment will select the correct image automatically + repository: "" + # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use + pullPolicy: IfNotPresent + # -- Overrides the image tag whose default is the chart appVersion + tag: "" + initContainers: [] + debug: + # -- Enables java debugging mode. + enabled: false + # -- Port where the debuggee can connect to. + port: 1044 + # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. + suspendOnStart: false - # -- endpoints of the dataplane - endpoints: - # -- default api for health checks, should not be added to any ingress - default: - # -- port for incoming api calls - port: 8080 - # -- path for incoming api calls - path: /api - # -- public endpoint where the data can be fetched from if HttpPull was used. Must be internet facing. - public: - # -- port for incoming api calls - port: 8081 - # -- path for incoming api calls - path: /api/public - # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not - control: - # -- port for incoming api calls - port: 8084 - # -- path for incoming api calls - path: /api/control - proxy: - # -- port for incoming api calls - port: 8186 - # -- path for incoming api calls - path: /proxy - # -- authentication key, must be attached to each request as `X-Api-Key` header - authKey: "password" - # -- metrics api, used for application metrics, must not be internet facing - metrics: - # -- port for incoming api calls - port: 9090 - # -- path for incoming api calls - path: /metrics - - token: - refresh: - # -- TTL in seconds for access tokens (also known as EDR token) - expiry_seconds: 300 - # -- Tolerance for token expiry in seconds - expiry_tolerance_seconds: 10 - # -- Optional endpoint for an OAuth2 token refresh. 
Default endpoint is `/token` - refresh_endpoint: - signer: - # -- Alias under which the private key (JWK or PEM format) is stored in the vault - privatekey_alias: - verifier: - # -- Alias under which the public key (JWK or PEM format) is stored in the vault, that belongs to the private key which was referred to at `dataplane.token.signer.privatekey_alias` - publickey_alias: - - aws: - endpointOverride: "" - accessKeyId: "" - secretAccessKey: "" - - # -- additional labels for the pod - podLabels: {} - # -- additional annotations for the pod - podAnnotations: {} - # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment - podSecurityContext: - seccompProfile: - # -- Restrict a Container's Syscalls with seccomp - type: RuntimeDefault - # -- Runs all processes within a pod with a special uid - runAsUser: 10001 - # -- Processes within a pod will belong to this guid - runAsGroup: 10001 - # -- The owner for volumes and any files created within volumes will belong to this guid - fsGroup: 10001 - # -- The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod - securityContext: - capabilities: - # -- Specifies which capabilities to drop to reduce syscall attack surface - drop: - - ALL - # -- Specifies which capabilities to add to issue specialized syscalls - add: [] - # -- Whether the root filesystem is mounted in read-only mode - readOnlyRootFilesystem: true - # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID - allowPrivilegeEscalation: false - # -- Requires the container to run without root privileges - runAsNonRoot: 
true - # -- The container's process will run with the specified uid - runAsUser: 10001 - - # -- Extra environment variables that will be pass onto deployment pods - env: {} - # ENV_NAME: value - - # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. - # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core - envValueFrom: {} - # ENV_NAME: - # configMapKeyRef: - # name: configmap-name - # key: value_key - # secretKeyRef: - # name: secret-name - # key: value_key - - # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from - envSecretNames: [] - # - first-secret - # - second-secret - - # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from - envConfigMapNames: [] - # - first-config-map - # - second-config-map - - schema: - autocreate: true - - ## Ingress declaration to expose the network service. - ingresses: - ## Public / Internet facing Ingress - - enabled: false - # -- The hostname to be used to precisely map incoming traffic onto the underlying network service - hostname: "edc-data.local" - # -- Additional ingress annotations to add - annotations: {} - # -- EDC endpoints exposed by this ingress resource - endpoints: - - public - # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use - className: "" - # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource - tls: - # -- Enables TLS on the ingress resource + logs: + # -- Defines the log granularity of the default Console Monitor. 
+ level: DEBUG + + livenessProbe: + # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first liveness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + readinessProbe: + # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first readiness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + + service: + # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. 
+ type: ClusterIP + # -- additional labels for the service + labels: {} + # -- additional annotations for the service + annotations: {} + + # -- endpoints of the dataplane + endpoints: + # -- default api for health checks, should not be added to any ingress + default: + # -- port for incoming api calls + port: 8080 + # -- path for incoming api calls + path: /api + # -- public endpoint where the data can be fetched from if HttpPull was used. Must be internet facing. + public: + # -- port for incoming api calls + port: 8081 + # -- path for incoming api calls + path: /api/public + # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not + control: + # -- port for incoming api calls + port: 8084 + # -- path for incoming api calls + path: /api/control + proxy: + # -- port for incoming api calls + port: 8186 + # -- path for incoming api calls + path: /proxy + # -- authentication key, must be attached to each request as `X-Api-Key` header + authKey: "password" + # -- metrics api, used for application metrics, must not be internet facing + metrics: + # -- port for incoming api calls + port: 9090 + # -- path for incoming api calls + path: /metrics + + token: + refresh: + # -- TTL in seconds for access tokens (also known as EDR token) + expiry_seconds: 300 + # -- Tolerance for token expiry in seconds + expiry_tolerance_seconds: 10 + # -- Optional endpoint for an OAuth2 token refresh. 
Default endpoint is `/token` + refresh_endpoint: + signer: + # -- Alias under which the private key (JWK or PEM format) is stored in the vault + privatekey_alias: + verifier: + # -- Alias under which the public key (JWK or PEM format) is stored in the vault, that belongs to the private key which was referred to at `dataplane.token.signer.privatekey_alias` + publickey_alias: + + aws: + endpointOverride: "" + accessKeyId: "" + secretAccessKey: "" + + # -- additional labels for the pod + podLabels: {} + # -- additional annotations for the pod + podAnnotations: {} + # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment + podSecurityContext: + seccompProfile: + # -- Restrict a Container's Syscalls with seccomp + type: RuntimeDefault + # -- Runs all processes within a pod with a special uid + runAsUser: 10001 + # -- Processes within a pod will belong to this guid + runAsGroup: 10001 + # -- The owner for volumes and any files created within volumes will belong to this guid + fsGroup: 10001 + # -- The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod + securityContext: + capabilities: + # -- Specifies which capabilities to drop to reduce syscall attack surface + drop: + - ALL + # -- Specifies which capabilities to add to issue specialized syscalls + add: [] + # -- Whether the root filesystem is mounted in read-only mode + readOnlyRootFilesystem: true + # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID + allowPrivilegeEscalation: false + # -- Requires the container to run without root privileges + runAsNonRoot: 
true + # -- The container's process will run with the specified uid + runAsUser: 10001 + + # -- Extra environment variables that will be pass onto deployment pods + env: {} + # ENV_NAME: value + + # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. + # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core + envValueFrom: {} + # ENV_NAME: + # configMapKeyRef: + # name: configmap-name + # key: value_key + # secretKeyRef: + # name: secret-name + # key: value_key + + # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from + envSecretNames: [] + # - first-secret + # - second-secret + + # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from + envConfigMapNames: [] + # - first-config-map + # - second-config-map + + schema: + autocreate: true + + ## Ingress declaration to expose the network service. 
+ ingresses: + ## Public / Internet facing Ingress + - enabled: false + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "edc-data.local" + # -- Additional ingress annotations to add + annotations: {} + # -- EDC endpoints exposed by this ingress resource + endpoints: + - public + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + className: "" + # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource + tls: + # -- Enables TLS on the ingress resource + enabled: false + # -- If present overwrites the default secret name + secretName: "" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via cert-manager namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "" + + # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container + volumeMounts: + # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories + volumes: + + # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container + resources: + limits: + # -- Maximum CPU limit + cpu: 1.5 + # -- Maximum memory limit + memory: 1024Mi + requests: + # -- Initial CPU request + cpu: 500m + # -- Initial memory request + memory: 1024Mi + + replicaCount: 1 + + autoscaling: + # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) enabled: false - # -- If present overwrites the default secret name - secretName: "" - ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to 
the ingress resource - certManager: - # -- If preset enables certificate generation via cert-manager namespace scoped issuer - issuer: "" - # -- If preset enables certificate generation via cert-manager cluster-wide issuer - clusterIssuer: "" - - # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container - volumeMounts: - # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories - volumes: - - # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container - resources: - limits: - # -- Maximum CPU limit - cpu: 1.5 - # -- Maximum memory limit - memory: 1024Mi - requests: - # -- Initial CPU request - cpu: 500m - # -- Initial memory request - memory: 1024Mi - - replicaCount: 1 - - autoscaling: - # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) - enabled: false - # -- Minimal replicas if resource consumption falls below resource threshholds - minReplicas: 1 - # -- Maximum replicas if resource consumption exceeds resource threshholds - maxReplicas: 100 - # -- targetAverageUtilization of cpu provided to a pod - targetCPUUtilizationPercentage: 80 - # -- targetAverageUtilization of memory provided to a pod - targetMemoryUtilizationPercentage: 80 - - # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics - opentelemetry: |- - otel.javaagent.enabled=false - otel.javaagent.debug=false - - - # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes - nodeSelector: {} - # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes - tolerations: [] - # -- 
[affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on - affinity: {} - url: - # -- Explicitly declared url for reaching the public api (e.g. if ingresses not used) - public: "" + # -- Minimal replicas if resource consumption falls below resource threshholds + minReplicas: 1 + # -- Maximum replicas if resource consumption exceeds resource threshholds + maxReplicas: 100 + # -- targetAverageUtilization of cpu provided to a pod + targetCPUUtilizationPercentage: 80 + # -- targetAverageUtilization of memory provided to a pod + targetMemoryUtilizationPercentage: 80 + + # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics + opentelemetry: |- + otel.javaagent.enabled=false + otel.javaagent.debug=false + + # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes + nodeSelector: {} + # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes + tolerations: [] + # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on + affinity: {} + url: + # -- Explicitly declared url for reaching the public api (e.g. 
if ingresses not used) + public: "" postgresql: - image: - repository: "bitnamilegacy/postgresql" - tag: "16.2.0-debian-12-r10" - jdbcUrl: "jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc" - primary: - persistence: - enabled: false - readReplicas: - persistence: - enabled: false - auth: - database: "edc" - username: "user" - password: "password" + image: + repository: "bitnamilegacy/postgresql" + tag: "16.2.0-debian-12-r10" + jdbcUrl: "jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc" + primary: + persistence: + enabled: false + readReplicas: + persistence: + enabled: false + auth: + database: "edc" + username: "user" + password: "password" vault: - injector: - enabled: false - server: - dev: - enabled: true - devRootToken: "root" - postStart: # must be set externally! - hashicorp: - url: "http://{{ .Release.Name }}-vault:8200" - token: "root" - timeout: 30 - healthCheck: - enabled: true - standbyOk: true - paths: - secret: /v1/secret - health: /v1/sys/health - folder: "" + injector: + enabled: false + server: + dev: + enabled: true + devRootToken: "root" + postStart: # must be set externally! 
+ hashicorp: + url: "http://{{ .Release.Name }}-vault:8200" + token: "root" + timeout: 30 + healthCheck: + enabled: true + standbyOk: true + paths: + secret: /v1/secret + health: /v1/sys/health + folder: "" networkPolicy: - # -- If `true` network policy will be created to restrict access to control- and dataplane - enabled: false - # -- Configuration of the controlplane component - controlplane: - # -- Specify from rule network policy for cp (defaults to all namespaces) - from: - - namespaceSelector: {} - # -- Configuration of the dataplane component - dataplane: - # -- Specify from rule network policy for dp (defaults to all namespaces) - from: - - namespaceSelector: {} + # -- If `true` network policy will be created to restrict access to control- and dataplane + enabled: false + # -- Configuration of the controlplane component + controlplane: + # -- Specify from rule network policy for cp (defaults to all namespaces) + from: + - namespaceSelector: {} + # -- Configuration of the dataplane component + dataplane: + # -- Specify from rule network policy for dp (defaults to all namespaces) + from: + - namespaceSelector: {} serviceAccount: - # -- Specifies whether a service account should be created - create: true - # -- Annotations to add to the service account - annotations: {} - # -- The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" - # -- Existing image pull secret bound to the service account to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) - imagePullSecrets: [] + # -- Specifies whether a service account should be created + create: true + # -- Annotations to add to the service account + annotations: {} + # -- The name of the service account to use. 
+ # If not set and create is true, a name is generated using the fullname template + name: "" + # -- Existing image pull secret bound to the service account to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) + imagePullSecrets: [] # -- Configurations for Helm tests tests: - # -- Configure the hook-delete-policy for Helm tests - hookDeletePolicy: before-hook-creation,hook-succeeded + # -- Configure the hook-delete-policy for Helm tests + hookDeletePolicy: before-hook-creation,hook-succeeded From afd66f5cd42fc52e36b50e118785468fe2bafd8e Mon Sep 17 00:00:00 2001 From: Dennis Borrmann Date: Mon, 15 Jun 2026 12:53:49 +0200 Subject: [PATCH 04/17] diff ready for cleanup --- _diff_helper.py | 61 ++ charts/tractusx-connector/values-diff.yaml | 722 +++++++++++++++++++++ charts/tractusx-connector/values.yaml | 66 +- 3 files changed, 831 insertions(+), 18 deletions(-) create mode 100644 _diff_helper.py create mode 100644 charts/tractusx-connector/values-diff.yaml diff --git a/_diff_helper.py b/_diff_helper.py new file mode 100644 index 0000000000..2fa816302d --- /dev/null +++ b/_diff_helper.py 
@@ -0,0 +1,61 @@ +#!/usr/bin/env python3 +"""Deep-compare stage-specific values files against values.yaml and keep only differences.""" + +import yaml +import sys +from copy import deepcopy + +def load_yaml(path): + with open(path, 'r') as f: + return yaml.safe_load(f) + +def deep_diff(stage_dict, default_dict): + """ + Recursively remove keys from stage_dict that have the same value as in default_dict. + Returns the stripped dict (only contains keys that differ from default). + """ + if not isinstance(stage_dict, dict) or not isinstance(default_dict, dict): + return stage_dict + + result = {} + for key, stage_val in stage_dict.items(): + if key not in default_dict: + # Key only exists in stage - keep it + result[key] = deepcopy(stage_val) + else: + default_val = default_dict[key] + if isinstance(stage_val, dict) and isinstance(default_val, dict): + # Recurse into nested dicts + diff = deep_diff(stage_val, default_val) + if diff: # Only keep if there are differences + result[key] = diff + elif stage_val != default_val: + # Value differs - keep it + result[key] = deepcopy(stage_val) + # else: same value - omit + return result + +def main(): + base_dir = "charts/tractusx-connector" + default_path = f"{base_dir}/values.yaml" + stage_files = [ + f"{base_dir}/values-provider.yaml", + f"{base_dir}/values-consumer.yaml", + ] + + default = load_yaml(default_path) + + for stage_path in stage_files: + stage = load_yaml(stage_path) + diff = deep_diff(stage, default) + + print(f"\n=== Differences for {stage_path} ===") + print(yaml.dump(diff, default_flow_style=False, sort_keys=False, allow_unicode=True, width=120)) + + # Write back to the same file + with open(stage_path, 'w') as f: + yaml.dump(diff, f, default_flow_style=False, sort_keys=False, allow_unicode=True, width=120) + print(f"Rewrote {stage_path} with diff-only content") + +if __name__ == "__main__": + main() 
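Review bot: In `main()` the stripped mapping is written straight back over the input via `open(stage_path, 'w')`, so a single run irreversibly drops everything PyYAML does not round-trip: the Apache/SPDX license header, every `# --` helm-docs annotation, and the literal-block layout of multi-line values such as the log4j2 config, which `yaml.dump` re-emits as an escaped scalar. Any scalar the YAML 1.1 loader re-types on the way in (an unquoted `yes`/`on`, a leading-zero number) would presumably be persisted in its new form as well. Given the commit title this reads as a one-off cleanup tool, so I would not ship it at the repository root; at minimum it should write next to the input and only overwrite on an explicit flag, which also gives the currently unused `import sys` a purpose: `in_place = "--in-place" in sys.argv[1:]` / `out_path = stage_path if in_place else f"{stage_path}.diff"` / `with open(out_path, 'w') as f:`. Loading with `yaml.safe_load` is the correct choice and should stay.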
diff --git a/charts/tractusx-connector/values-diff.yaml b/charts/tractusx-connector/values-diff.yaml new file mode 100644 index 0000000000..8cfad9433f --- /dev/null +++ b/charts/tractusx-connector/values-diff.yaml 
@@ -0,0 +1,722 @@ +################################################################################# +# Copyright (c) 2026 ARENA2036 e.V. +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +################################################################################# + +--- +# Default values for eclipse-dataspace-connector. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +install: + # -- Deploying a PostgreSQL instance + postgresql: true + # -- Deploying a HashiCorp Vault instance + vault: true + +fullnameOverride: "" +nameOverride: "" + +# -- Existing image pull secret to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) +imagePullSecrets: [] +# -- Add some custom labels +customLabels: {} + +participant: + id: "did:web:consumer-idhub.staging.construct-x.net:consumer" + +iatp: + # -- Decentralized IDentifier (DID) of the connector + id: "did:web:changeme" + # -- Configures the trusted issuers for this runtime. 
If no supportedTypes are specified, the value defaults to "*" for that issuer + trustedIssuers: [] + # - id: "did:web:example1.com" + # supportedTypes: + # - "MembershipCredential" + # - "did:web:example2.com" + sts: + div: + # -- URL where connectors can request SI tokens + url: + oauth: + # -- URL where connectors can request OAuth2 access tokens for DIV access + token_url: + client: + # -- Client ID for requesting OAuth2 access token for DIV access + id: + # -- Alias under which the client secret is stored in the vault for requesting OAuth2 access token for DIV access + secret_alias: + didService: + selfRegistration: + # -- Whether Service Self Registration is enabled + enabled: false + # -- Unique id of connector to be used for register / unregister service inside did document (must be valid URI) + id: "did:web:changeme" + # - Configures the Verifiable Presentation cache + cache: + # -- Whether the Verifiable Presentation cache is enabled + enabled: true + # -- Validity of the Verifiable Presentation cache in seconds + validity: 86400 + +# -- Add custom ca certificates to the truststore +customCaCerts: {} + +log4j2: + # -- Whether to enable the json log config in log4j2.config + enableJsonLogs: true + # -- Log4j2 configuration for json log formatting. + config: |- + Appenders: + Console: + name: CONSOLE + JsonTemplateLayout: + eventTemplate: |- + { + "timestamp": { + "$resolver": "timestamp", + "pattern": { + "format": "yyyy-MM-dd'T'HH:mm:ss.SSSSSSS", + "timeZone": "UTC" + } + }, + "level": { + "$resolver": "level", + "field": "severity", + "severity": { + "field": "keyword" + } + }, + "message": { + "$resolver": "message" + } + } + Loggers: + Root: + level: "OFF" + Logger: + name: org.eclipse.edc.monitor.logger + level: DEBUG + AppenderRef: + ref: CONSOLE + +controlplane: + image: + # -- Which derivate of the control plane to use. 
When left empty the deployment will select the correct image automatically + repository: "ghcr.io/project-construct-x/con-x-controlplane-postgresql-hashicorp-vault" + # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use + pullPolicy: IfNotPresent + # -- Overrides the image tag whose default is the chart appVersion + tag: "latest" + # -- Configure ghcr credentials to pull the control plane image + imagePullSecrets: + - name: ghcr-creds + initContainers: [] + debug: + # -- Enables java debugging mode. + enabled: false + # -- Port where the debuggee can connect to. + port: 1044 + # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. + suspendOnStart: false + + logs: + # -- Defines the log granularity of the default Console Monitor. + level: DEBUG + + livenessProbe: + # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first liveness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + readinessProbe: + # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first readiness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a readiness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after 
which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + + # -- endpoints of the control plane + endpoints: + # -- default api for health checks, should not be added to any ingress + default: + # -- port for incoming api calls + port: 8080 + # -- path for incoming api calls + path: /api + # -- data management api, used by internal users, can be added to an ingress and must not be internet facing + management: + # -- port for incoming api calls + port: 8081 + # -- path for incoming api calls + path: /management + # -- authentication key, must be attached to each request as `X-Api-Key` header + authKey: "password" + # -- if the JWKS url is set, the DelegatedAuth service will be engaged + jwksUrl: + + # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not + control: + # -- port for incoming api calls + port: 8083 + # -- path for incoming api calls + path: /control + # -- dsp api, used for inter connector communication and must be internet facing + protocol: + # -- port for incoming api calls + port: 8084 + # -- path for incoming api calls + path: /api/v1/dsp + # -- metrics api, used for application metrics, must not be internet facing + metrics: + # -- port for incoming api calls + port: 9090 + # -- path for incoming api calls + path: /metrics + + bdrs: + # -- Time that a cached BPN/DID resolution map is valid in seconds, default is 600 seconds (10 min) + cache_validity_seconds: 600 + server: + # -- URL of the BPN/DID Resolution Service + url: + + # -- configuration for policy engine + policy: + validation: + enabled: true + + service: + # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as 
a network service. + type: ClusterIP + # -- additional labels for the service + labels: {} + # -- additional annotations for the service + annotations: {} + + # -- additional labels for the pod + podLabels: {} + # -- additional annotations for the pod + podAnnotations: {} + # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment + podSecurityContext: + seccompProfile: + # -- Restrict a Container's Syscalls with seccomp + type: RuntimeDefault + # -- Runs all processes within a pod with a special uid + runAsUser: 10001 + # -- Processes within a pod will belong to this guid + runAsGroup: 10001 + # -- The owner for volumes and any files created within volumes will belong to this guid + fsGroup: 10001 + # The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod + securityContext: + capabilities: + # -- Specifies which capabilities to drop to reduce syscall attack surface + drop: + - ALL + # -- Specifies which capabilities to add to issue specialized syscalls + add: [] + # -- Whether the root filesystem is mounted in read-only mode + readOnlyRootFilesystem: true + # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID + allowPrivilegeEscalation: false + # -- Requires the container to run without root privileges + runAsNonRoot: true + # -- The container's process will run with the specified uid + runAsUser: 10001 + + # -- Extra environment variables that will be pass onto deployment pods + env: {} + # ENV_NAME: value + + # -- "valueFrom" environment variable references that will be added to deployment pods. 
Name is templated. + # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core + envValueFrom: {} + # ENV_NAME: + # configMapKeyRef: + # name: configmap-name + # key: value_key + # secretKeyRef: + # name: secret-name + # key: value_key + + # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from + envSecretNames: [] + # - first-secret + # - second-secret + + # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from + envConfigMapNames: [] + # - first-config-map + # - second-config-map + + # Database schema auto-creation + schema: + autocreate: true + + env: + EDC_IAM_DID_WEB_USE_HTTPS: true + EDC_IAM_ISSUER_ID: did:web:wallet.staging.construct-x.net:user + TX_EDC_POSTGRESQL_MIGRATION_ASSET_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_AGREEMENTBPNS_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_BPN_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_CONTRACTDEFINITION_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_CONTRACTNEGOTIATION_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_DATAPLANEINSTANCE_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_EDR_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_FEDERATEDCATALOG_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_JTI-VALIDATION_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_POLICY-MONITOR_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_POLICY_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_TRANSFERPROCESS_ENABLED: false + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: usersecret + EDC_IAM_CREDENTIAL_REVOCATION_MIMETYPE: application/json + + ## Ingress declaration to expose the network service. 
+ ingresses: + ## Public / Internet facing Ingress + - enabled: false + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "edc-control.local" + # -- Additional ingress annotations to add + annotations: {} + # -- EDC endpoints exposed by this ingress resource + endpoints: + - protocol + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + className: "" + # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource + tls: + # -- Enables TLS on the ingress resource + enabled: false + # -- If present overwrites the default secret name + secretName: "" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via cert-manager namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "" + ## Private / Intranet facing Ingress + - enabled: false + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "edc-control.intranet" + # -- Additional ingress annotations to add + annotations: {} + # -- EDC endpoints exposed by this ingress resource + endpoints: + - management + - control + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + className: "" + # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource + tls: + # -- Enables TLS on the ingress resource + enabled: false + # -- If present overwrites the default secret name + secretName: "" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via cert-manager namespace scoped 
issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "" + + # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container + volumeMounts: + # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories + volumes: + + # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container + resources: + limits: + # -- Maximum CPU limit + cpu: 1.5 + # -- Maximum memory limit + memory: 1024Mi + requests: + # -- Initial CPU request + cpu: 500m + # -- Initial memory request + memory: 1024Mi + + replicaCount: 1 + + autoscaling: + # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) + enabled: false + # -- Minimal replicas if resource consumption falls below resource threshholds + minReplicas: 1 + # -- Maximum replicas if resource consumption exceeds resource threshholds + maxReplicas: 100 + # -- targetAverageUtilization of cpu provided to a pod + targetCPUUtilizationPercentage: 80 + # -- targetAverageUtilization of memory provided to a pod + targetMemoryUtilizationPercentage: 80 + + # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics + opentelemetry: |- + otel.javaagent.enabled=false + otel.javaagent.debug=false + + # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes + nodeSelector: {} + # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes + tolerations: [] + # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which 
nodes the pods can be scheduled on + affinity: {} + + url: + # -- Explicitly declared url for reaching the dsp api (e.g. if ingresses not used) + protocol: "" + +dataplane: + image: + # -- Which derivate of the data plane to use. when left empty the deployment will select the correct image automatically + repository: "ghcr.io/project-construct-x/con-x-dataplane-postgresql-hashicorp-vault" + # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use + pullPolicy: IfNotPresent + # -- Overrides the image tag whose default is the chart appVersion + tag: "latest" + # -- Configure ghcr credentials to pull the control plane image + imagePullSecrets: + - name: ghcr-creds + initContainers: [] + debug: + # -- Enables java debugging mode. + enabled: false + # -- Port where the debuggee can connect to. + port: 1044 + # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. + suspendOnStart: false + + logs: + # -- Defines the log granularity of the default Console Monitor. 
+ level: DEBUG + + livenessProbe: + # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first liveness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + readinessProbe: + # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first readiness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + + service: + # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. 
+ type: ClusterIP + # -- additional labels for the service + labels: {} + # -- additional annotations for the service + annotations: {} + + # -- endpoints of the dataplane + endpoints: + # -- default api for health checks, should not be added to any ingress + default: + # -- port for incoming api calls + port: 8080 + # -- path for incoming api calls + path: /api + # -- public endpoint where the data can be fetched from if HttpPull was used. Must be internet facing. + public: + # -- port for incoming api calls + port: 8081 + # -- path for incoming api calls + path: /api/public + # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not + control: + # -- port for incoming api calls + port: 8084 + # -- path for incoming api calls + path: /api/control + proxy: + # -- port for incoming api calls + port: 8186 + # -- path for incoming api calls + path: /proxy + # -- authentication key, must be attached to each request as `X-Api-Key` header + authKey: "password" + # -- metrics api, used for application metrics, must not be internet facing + metrics: + # -- port for incoming api calls + port: 9090 + # -- path for incoming api calls + path: /metrics + + token: + refresh: + # -- TTL in seconds for access tokens (also known as EDR token) + expiry_seconds: 300 + # -- Tolerance for token expiry in seconds + expiry_tolerance_seconds: 10 + # -- Optional endpoint for an OAuth2 token refresh. 
Default endpoint is `/token` + refresh_endpoint: + signer: + # -- Alias under which the private key (JWK or PEM format) is stored in the vault + privatekey_alias: priv + verifier: + # -- Alias under which the public key (JWK or PEM format) is stored in the vault, that belongs to the private key which was referred to at `dataplane.token.signer.privatekey_alias` + publickey_alias: pub + + # Database schema auto-creation + schema: + autocreate: true + + aws: + endpointOverride: "" + accessKeyId: "" + secretAccessKey: "" + + # -- additional labels for the pod + podLabels: {} + # -- additional annotations for the pod + podAnnotations: {} + # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment + podSecurityContext: + seccompProfile: + # -- Restrict a Container's Syscalls with seccomp + type: RuntimeDefault + # -- Runs all processes within a pod with a special uid + runAsUser: 10001 + # -- Processes within a pod will belong to this guid + runAsGroup: 10001 + # -- The owner for volumes and any files created within volumes will belong to this guid + fsGroup: 10001 + # -- The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod + securityContext: + capabilities: + # -- Specifies which capabilities to drop to reduce syscall attack surface + drop: + - ALL + # -- Specifies which capabilities to add to issue specialized syscalls + add: [] + # -- Whether the root filesystem is mounted in read-only mode + readOnlyRootFilesystem: true + # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID + allowPrivilegeEscalation: false + # 
-- Requires the container to run without root privileges + runAsNonRoot: true + # -- The container's process will run with the specified uid + runAsUser: 10001 + + # -- Extra environment variables that will be pass onto deployment pods + env: + EDC_IAM_DID_WEB_USE_HTTPS: true + EDC_DATA_PLANE_SELF_UNREGISTRATION: true + EDC_IAM_CREDENTIAL_REVOCATION_MIMETYPE: application/json + EDC_IAM_ISSUER_ID: did:web:wallet.staging.construct-x.net:user + EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: did:web:issuer-wallet.staging.construct-x.net:issuer + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: usersecret + + # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. + # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core + envValueFrom: {} + # ENV_NAME: + # configMapKeyRef: + # name: configmap-name + # key: value_key + # secretKeyRef: + # name: secret-name + # key: value_key + + # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from + envSecretNames: [] + # - first-secret + # - second-secret + + # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from + envConfigMapNames: [] + # - first-config-map + # - second-config-map + + schema: + autocreate: true + + ## Ingress declaration to expose the network service. 
+ ingresses: + ## Public / Internet facing Ingress + - enabled: false + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "edc-data.local" + # -- Additional ingress annotations to add + annotations: {} + # -- EDC endpoints exposed by this ingress resource + endpoints: + - public + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + className: "" + # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource + tls: + # -- Enables TLS on the ingress resource + enabled: false + # -- If present overwrites the default secret name + secretName: "" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via cert-manager namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "" + + # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container + volumeMounts: + # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories + volumes: + + # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container + resources: + limits: + # -- Maximum CPU limit + cpu: 1.5 + # -- Maximum memory limit + memory: 1024Mi + requests: + # -- Initial CPU request + cpu: 500m + # -- Initial memory request + memory: 1024Mi + + replicaCount: 1 + + autoscaling: + # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) + enabled: false + # -- Minimal replicas if resource consumption falls below resource threshholds + minReplicas: 1 + # -- Maximum replicas if resource 
consumption exceeds resource threshholds + maxReplicas: 100 + # -- targetAverageUtilization of cpu provided to a pod + targetCPUUtilizationPercentage: 80 + # -- targetAverageUtilization of memory provided to a pod + targetMemoryUtilizationPercentage: 80 + + # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics + opentelemetry: |- + otel.javaagent.enabled=false + otel.javaagent.debug=false + + # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes + nodeSelector: {} + # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes + tolerations: [] + # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on + affinity: {} + url: + # -- Explicitly declared url for reaching the public api (e.g. if ingresses not used) + public: "" + +postgresql: + image: + repository: "bitnamilegacy/postgresql" + tag: "16.2.0-debian-12-r10" + jdbcUrl: "jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc" + primary: + persistence: + enabled: false + readReplicas: + persistence: + enabled: false + auth: + database: "edc" + username: "user" + password: "password" + +vault: + injector: + enabled: false + server: + dev: + enabled: true + devRootToken: "root" + postStart: # must be set externally! 
+ hashicorp: + url: "http://{{ .Release.Name }}-vault:8200" + token: "root" + timeout: 30 + healthCheck: + enabled: true + standbyOk: true + paths: + secret: /v1/secret + health: /v1/sys/health + folder: "" + +networkPolicy: + # -- If `true` network policy will be created to restrict access to control- and dataplane + enabled: false + # -- Configuration of the controlplane component + controlplane: + # -- Specify from rule network policy for cp (defaults to all namespaces) + from: + - namespaceSelector: {} + # -- Configuration of the dataplane component + dataplane: + # -- Specify from rule network policy for dp (defaults to all namespaces) + from: + - namespaceSelector: {} + +serviceAccount: + # -- Specifies whether a service account should be created + create: true + # -- Annotations to add to the service account + annotations: {} + # -- The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + # -- Existing image pull secret bound to the service account to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) + imagePullSecrets: [] + +# -- Configurations for Helm tests +tests: + # -- Configure the hook-delete-policy for Helm tests + hookDeletePolicy: before-hook-creation,hook-succeeded diff --git a/charts/tractusx-connector/values.yaml b/charts/tractusx-connector/values.yaml index 71cf6ed603..8cfad9433f 100644 --- a/charts/tractusx-connector/values.yaml +++ b/charts/tractusx-connector/values.yaml 
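Review bot: values-diff.yaml is a full copy of the chart defaults rather than a diff: its blob id `8cfad9433f` in the file header is the same as the new `values.yaml` blob id in the following header, so the two files are byte-identical. Nothing visible in this series references the new file, and it carries a second copy of the default credentials (`authKey: "password"`, `devRootToken: "root"`, `hashicorp.token: "root"`, `postgresql.auth.password: "password"`) that will drift from `values.yaml` over time. It looks like an artifact of the helper script committed in the same series; drop it from the commit, or, if it is meant to hold stage overrides, reduce it to the keys that actually differ.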
@@ -1,9 +1,5 @@ ################################################################################# # Copyright (c) 2026 ARENA2036 e.V. -# Copyright (c) 2023,2024 ZF Friedrichshafen AG -# Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH -# Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) -# Copyright (c) 2021,2024 Contributors to the Eclipse Foundation # # See the NOTICE file(s) distributed with this work for additional # information regarding copyright ownership. @@ -41,10 +37,7 @@ imagePullSecrets: [] customLabels: {} participant: - # -- BPN Number - id: "BPNLCHANGEME" - # -- Participant Context Id - Newly introduced id for a connector instance (needed for multitenancy) - contextId: "UUID CHANGEME" + id: "did:web:consumer-idhub.staging.construct-x.net:consumer" iatp: # -- Decentralized IDentifier (DID) of the connector @@ -124,11 +117,14 @@ log4j2: controlplane: image: # -- Which derivate of the control plane to use. When left empty the deployment will select the correct image automatically - repository: "" + repository: "ghcr.io/project-construct-x/con-x-controlplane-postgresql-hashicorp-vault" # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use pullPolicy: IfNotPresent # -- Overrides the image tag whose default is the chart appVersion - tag: "" + tag: "latest" + # -- Configure ghcr credentials to pull the control plane image + imagePullSecrets: + - name: ghcr-creds initContainers: [] debug: # -- Enables java debugging mode. 
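Review bot: `participant.id` in the second hunk becomes a concrete consumer identity (`did:web:consumer-idhub.staging.construct-x.net:consumer`) in the shared chart defaults, so a provider release that forgets to override it silently deploys with the consumer's DID, and the template-side `required` guard that the removed BPN/`contextId` settings had appears to be gone as well; keep a placeholder such as `id: "did:web:changeme"` (as `iatp.id` already does) and let the stage values files supply the real value. In the third hunk the `latest` tag combined with the existing `pullPolicy: IfNotPresent` means a node with a cached image never picks up a new build and the deployment is not reproducible; pin a version tag or digest and note that `latest` is for development only, which applies equally to the dataplane image hunk later in this file. Removing the ZF, Mercedes-Benz, BMW and Eclipse copyright lines in the first hunk is worth checking against the Apache-2.0 attribution requirement, since the file appears to be derived from the upstream tractusx chart.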
@@ -284,6 +280,28 @@ controlplane: # - first-config-map # - second-config-map + # Database schema auto-creation + schema: + autocreate: true + + env: + EDC_IAM_DID_WEB_USE_HTTPS: true + EDC_IAM_ISSUER_ID: did:web:wallet.staging.construct-x.net:user + TX_EDC_POSTGRESQL_MIGRATION_ASSET_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_AGREEMENTBPNS_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_BPN_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_CONTRACTDEFINITION_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_CONTRACTNEGOTIATION_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_DATAPLANEINSTANCE_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_EDR_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_FEDERATEDCATALOG_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_JTI-VALIDATION_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_POLICY-MONITOR_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_POLICY_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_TRANSFERPROCESS_ENABLED: false + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: usersecret + EDC_IAM_CREDENTIAL_REVOCATION_MIMETYPE: application/json + ## Ingress declaration to expose the network service. ingresses: ## Public / Internet facing Ingress @@ -385,11 +403,14 @@ controlplane: dataplane: image: # -- Which derivate of the data plane to use. when left empty the deployment will select the correct image automatically - repository: "" + repository: "ghcr.io/project-construct-x/con-x-dataplane-postgresql-hashicorp-vault" # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use pullPolicy: IfNotPresent # -- Overrides the image tag whose default is the chart appVersion - tag: "" + tag: "latest" + # -- Configure ghcr credentials to pull the control plane image + imagePullSecrets: + - name: ghcr-creds initContainers: [] debug: # -- Enables java debugging mode. 
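Review bot: the `env:` mapping added after `envConfigMapNames` duplicates the `env: {}` key that already sits under `controlplane` a few lines above this hunk (visible in the identical copy at values-diff.yaml), so the document has two `controlplane.env` keys; most parsers silently keep the last one and go-yaml v3 rejects the file outright, so the earlier `env: {}` should be removed or merged into this block. The values are bare YAML booleans (`EDC_IAM_DID_WEB_USE_HTTPS: true`, `TX_EDC_POSTGRESQL_MIGRATION_*_ENABLED: false`); unless the template renders them through `quote`, Kubernetes rejects a non-string env `value`, so write them as `"true"` / `"false"`. `EDC_IAM_ISSUER_ID` is set here to `did:web:wallet.staging.construct-x.net:user` while the controlplane deployment template in this series already emits the same variable from `iatp.id`, leaving two definitions of one env var whose effective value depends on ordering; pick one source. The same points apply to the dataplane `env:` block in the last hunk of this file.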
@@ -481,11 +502,15 @@ dataplane: # -- Optional endpoint for an OAuth2 token refresh. Default endpoint is `/token` refresh_endpoint: signer: - # -- Alias under which the private key (JWK or PEM format) is stored in the vault - privatekey_alias: + # -- Alias under which the private key (JWK or PEM format) is stored in the vault + privatekey_alias: priv verifier: - # -- Alias under which the public key (JWK or PEM format) is stored in the vault, that belongs to the private key which was referred to at `dataplane.token.signer.privatekey_alias` - publickey_alias: + # -- Alias under which the public key (JWK or PEM format) is stored in the vault, that belongs to the private key which was referred to at `dataplane.token.signer.privatekey_alias` + publickey_alias: pub + + # Database schema auto-creation + schema: + autocreate: true aws: endpointOverride: "" @@ -525,8 +550,13 @@ dataplane: runAsUser: 10001 # -- Extra environment variables that will be pass onto deployment pods - env: {} - # ENV_NAME: value + env: + EDC_IAM_DID_WEB_USE_HTTPS: true + EDC_DATA_PLANE_SELF_UNREGISTRATION: true + EDC_IAM_CREDENTIAL_REVOCATION_MIMETYPE: application/json + EDC_IAM_ISSUER_ID: did:web:wallet.staging.construct-x.net:user + EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: did:web:issuer-wallet.staging.construct-x.net:issuer + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: usersecret # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core From a4ec09ea06aff17648229e8c6fcec0a6cdd1ddc1 Mon Sep 17 00:00:00 2001 
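Review bot: `EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: did:web:issuer-wallet.staging.construct-x.net:issuer` and `EDC_IAM_ISSUER_ID: did:web:wallet.staging.construct-x.net:user` are hard-coded in the dataplane `env` map, while the controlplane deployment template derives the same two settings from `.Values.iatp.trustedIssuerId` and `.Values.iatp.id`; the two planes can now silently trust different issuers, and a value change in `iatp` will not reach the dataplane. Either extend the dataplane deployment template to read the same values, or at minimum add a comment on the map such as `# must match iatp.trustedIssuerId / iatp.id — the controlplane reads those keys` so the coupling is visible. `EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: usersecret` is a vault alias rather than a secret value, which is the correct shape for a committed values file.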
From: Dennis Borrmann Date: Mon, 15 Jun 2026 13:40:33 +0200 Subject: [PATCH 05/17] more cleanup --- _diff2.py | 34 + _diff_helper.py | 61 -- .../tractusx-connector/values-consumer.yaml | 768 +++-------------- .../tractusx-connector/values-provider.yaml | 769 +++--------------- charts/tractusx-connector/values.yaml | 42 +- 5 files changed, 242 insertions(+), 1432 deletions(-) create mode 100644 _diff2.py delete mode 100644 _diff_helper.py diff --git a/_diff2.py b/_diff2.py new file mode 100644 index 0000000000..5bce5ce207 --- /dev/null +++ b/_diff2.py @@ -0,0 +1,34 @@ +#!/usr/bin/env python3 +import yaml +from copy import deepcopy + +def deep_diff(stage_dict, default_dict): + if not isinstance(stage_dict, dict) or not isinstance(default_dict, dict): + return stage_dict if stage_dict != default_dict else None + result = {} + for key, stage_val in stage_dict.items(): + if key not in default_dict: + result[key] = deepcopy(stage_val) + else: + default_val = default_dict[key] + if isinstance(stage_val, dict) and isinstance(default_val, dict): + diff = deep_diff(stage_val, default_val) + if diff is not None and diff != {}: + result[key] = diff + elif stage_val != default_val: + result[key] = deepcopy(stage_val) + return result + +base_dir = "charts/tractusx-connector" +with open(f"{base_dir}/values.yaml", 'r') as f: + default = yaml.safe_load(f) + +for stage_name in ["values-provider.yaml", "values-consumer.yaml"]: + path = f"{base_dir}/{stage_name}" + with open(path, 'r') as f: + stage = yaml.safe_load(f) + diff = deep_diff(stage, default) + print(f"=== {stage_name} ===") + print(yaml.dump(diff, default_flow_style=False, sort_keys=False, allow_unicode=True, width=120)) + with open(path, 'w') as f: + yaml.dump(diff, f, default_flow_style=False, sort_keys=False, allow_unicode=True, width=120) diff --git a/_diff_helper.py b/_diff_helper.py deleted file mode 100644 index 2fa816302d..0000000000 --- a/_diff_helper.py +++ /dev/null 
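Review bot: `_diff2.py` rewrites `values-provider.yaml` and `values-consumer.yaml` in place through `yaml.dump`, which drops every comment and the license header and re-quotes scalars, and it is committed at the repository root with hard-coded paths and no docstring as a replacement for the better-documented `_diff_helper.py` this commit deletes. `deep_diff` also discards a nested key whenever the recursive result is `{}`, so an overlay that deliberately sets a mapping to `{}` to clear a non-empty default loses that override silently. If the script is meant to stay, give it a module docstring stating that it is a one-shot maintenance tool that destroys comments, put the file writes behind `if __name__ == "__main__":`, and keep the key when `stage_val == {}` differs from `default_val`; otherwise it belongs outside the chart repository.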
@@ -1,61 +0,0 @@ -#!/usr/bin/env python3 -"""Deep-compare stage-specific values files against values.yaml and keep only differences.""" - -import yaml -import sys -from copy import deepcopy - -def load_yaml(path): - with open(path, 'r') as f: - return yaml.safe_load(f) - -def deep_diff(stage_dict, default_dict): - """ - Recursively remove keys from stage_dict that have the same value as in default_dict. - Returns the stripped dict (only contains keys that differ from default). - """ - if not isinstance(stage_dict, dict) or not isinstance(default_dict, dict): - return stage_dict - - result = {} - for key, stage_val in stage_dict.items(): - if key not in default_dict: - # Key only exists in stage - keep it - result[key] = deepcopy(stage_val) - else: - default_val = default_dict[key] - if isinstance(stage_val, dict) and isinstance(default_val, dict): - # Recurse into nested dicts - diff = deep_diff(stage_val, default_val) - if diff: # Only keep if there are differences - result[key] = diff - elif stage_val != default_val: - # Value differs - keep it - result[key] = deepcopy(stage_val) - # else: same value - omit - return result - -def main(): - base_dir = "charts/tractusx-connector" - default_path = f"{base_dir}/values.yaml" - stage_files = [ - f"{base_dir}/values-provider.yaml", - f"{base_dir}/values-consumer.yaml", - ] - - default = load_yaml(default_path) - - for stage_path in stage_files: - stage = load_yaml(stage_path) - diff = deep_diff(stage, default) - - print(f"\n=== Differences for {stage_path} ===") - print(yaml.dump(diff, default_flow_style=False, sort_keys=False, allow_unicode=True, width=120)) - - # Write back to the same file - with open(stage_path, 'w') as f: - yaml.dump(diff, f, default_flow_style=False, sort_keys=False, allow_unicode=True, width=120) - print(f"Rewrote {stage_path} with diff-only content") - -if __name__ == "__main__": - main() 
diff --git a/charts/tractusx-connector/values-consumer.yaml b/charts/tractusx-connector/values-consumer.yaml index 5936970f47..d8a297f0f4 100644 --- a/charts/tractusx-connector/values-consumer.yaml +++ b/charts/tractusx-connector/values-consumer.yaml 
@@ -1,684 +1,98 @@ -################################################################################# -# Copyright (c) 2026 ARENA2036 e.V. -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0. -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -################################################################################# - ---- -# Default values for eclipse-dataspace-connector. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. 
- -install: - postgresql: true - vault: true - -fullnameOverride: "" -nameOverride: "consumer-conn" - -imagePullSecrets: [] -customLabels: {} - +nameOverride: consumer-conn participant: - id: "did:web:consumer-idhub.staging.construct-x.net:consumer" - + id: did:web:consumer-idhub.staging.construct-x.net:consumer iatp: - id: "did:web:consumer-idhub.staging.construct-x.net:consumer" - trustedIssuerId: did:web:local-issuer-service.staging.construct-x.net:issuer - trustedIssuers: - - id: "did:web:local-issuer-service.staging.construct-x.net:issuer" - - sts: - div: - url: - oauth: - token_url: https://consumer-idhub.staging.construct-x.net/api/sts/token - client: - # -- Client ID for requesting OAuth2 access token for DIV access - id: did:web:consumer-idhub.staging.construct-x.net:consumer - # -- Alias under which the client secret is stored in the vault for requesting OAuth2 access token for DIV access - secret_alias: consumersecret - didService: - selfRegistration: - # -- Whether Service Self Registration is enabled - enabled: false - # -- Unique id of connector to be used for register / unregister service inside did document (must be valid URI) - id: "did:web:consumer-idhub.staging.construct-x.net:consumer" - # - Configures the Verifiable Presentation cache - cache: - # -- Whether the Verifiable Presentation cache is enabled - enabled: true - # -- Validity of the Verifiable Presentation cache in seconds - validity: 86400 - -# -- Add custom ca certificates to the truststore -customCaCerts: {} - -log4j2: - # -- Whether to enable the json log config in log4j2.config - enableJsonLogs: true - # -- Log4j2 configuration for json log formatting. 
- config: |- - Appenders: - Console: - name: CONSOLE - JsonTemplateLayout: - eventTemplate: |- - { - "timestamp": { - "$resolver": "timestamp", - "pattern": { - "format": "yyyy-MM-dd'T'HH:mm:ss.SSSSSSS", - "timeZone": "UTC" - } - }, - "level": { - "$resolver": "level", - "field": "severity", - "severity": { - "field": "keyword" - } - }, - "message": { - "$resolver": "message" - } - } - Loggers: - Root: - level: "OFF" - Logger: - name: org.eclipse.edc.monitor.logger - level: DEBUG - AppenderRef: - ref: CONSOLE - + id: did:web:consumer-idhub.staging.construct-x.net:consumer + trustedIssuerId: did:web:local-issuer-service.staging.construct-x.net:issuer + trustedIssuers: + - id: did:web:local-issuer-service.staging.construct-x.net:issuer + sts: + oauth: + token_url: https://consumer-idhub.staging.construct-x.net/api/sts/token + client: + id: did:web:consumer-idhub.staging.construct-x.net:consumer + secret_alias: consumersecret + didService: + selfRegistration: + id: did:web:consumer-idhub.staging.construct-x.net:consumer controlplane: - nameOverride: "consumer-conn-controlplane" - fullnameOverride: "" - enabled: true - hostname: consumer-conn-controlplane - image: - # -- Which derivate of the data plane to use. when left empty the deployment will select the correct image automatically - repository: "registry.onstackit.cloud/constructx/con-x-controlplane-postgresql-hashicorp-vault" - # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use - pullPolicy: IfNotPresent - # -- Overrides the image tag whose default is the chart appVersion - tag: "latest" - imagePullSecrets: - - name: registry-creds - initContainers: [] - debug: - # -- Enables java debugging mode. - enabled: false - # -- Port where the debuggee can connect to. - port: 1044 - # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. 
- suspendOnStart: false - logs: - # -- Defines the log granularity of the default Console Monitor. - level: DEBUG - livenessProbe: - # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) - enabled: true - # -- seconds to wait before performing the first liveness check - initialDelaySeconds: 30 - # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds - periodSeconds: 10 - # -- number of seconds after which the probe times out - timeoutSeconds: 5 - # -- when a probe fails kubernetes will try 6 times before giving up - failureThreshold: 6 - # -- number of consecutive successes for the probe to be considered successful after having failed - successThreshold: 1 - readinessProbe: - # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + nameOverride: consumer-conn-controlplane enabled: true - # -- seconds to wait before performing the first readiness check - initialDelaySeconds: 30 - # -- this fields specifies that kubernetes should perform a readiness check every 10 seconds - periodSeconds: 10 - # -- number of seconds after which the probe times out - timeoutSeconds: 5 - # -- when a probe fails kubernetes will try 6 times before giving up - failureThreshold: 6 - # -- number of consecutive successes for the probe to be considered successful after having failed - successThreshold: 1 - - # -- endpoints of the control plane - endpoints: - # -- default api for health checks, should not be added to any ingress - default: - # -- port for incoming api calls - port: 9000 - # -- path for incoming api calls - path: /api - # -- data management api, used by internal users, can be added to an ingress and must not be internet facing - management: - # -- port for incoming api calls - port: 9010 - # -- path for incoming api calls - path: /management - 
# -- authentication key, must be attached to each request as `X-Api-Key` header - authKey: "password" - # -- if the JWKS url is set, the DelegatedAuth service will be engaged - jwksUrl: - - # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not - control: - # -- port for incoming api calls - port: 9050 - # -- path for incoming api calls - path: /control - # -- dsp api, used for inter connector communication and must be internet facing - protocol: - # -- port for incoming api calls - port: 9020 - # -- path for incoming api calls - path: /dsp - # -- metrics api, used for application metrics, must not be internet facing - validation: - # -- port for incoming api calls - port: 9030 - # -- path for incoming api calls - path: /validation - # -- dsp api, use - metrics: - # -- port for incoming api calls - port: 9090 - # -- path for incoming api calls - path: /metrics - - # -- configuration for policy engine - policy: - validation: - enabled: true - - service: - # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. 
- type: ClusterIP - # -- additional labels for the service - labels: {} - # -- additional annotations for the service - annotations: {} - - # -- additional labels for the pod - podLabels: {} - # -- additional annotations for the pod - podAnnotations: {} - # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment - podSecurityContext: - seccompProfile: - # -- Restrict a Container's Syscalls with seccomp - type: RuntimeDefault - # -- Runs all processes within a pod with a special uid - runAsUser: 10001 - # -- Processes within a pod will belong to this guid - runAsGroup: 10001 - # -- The owner for volumes and any files created within volumes will belong to this guid - fsGroup: 10001 - # The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod - securityContext: - capabilities: - # -- Specifies which capabilities to drop to reduce syscall attack surface - drop: - - ALL - # -- Specifies which capabilities to add to issue specialized syscalls - add: [] - # -- Whether the root filesystem is mounted in read-only mode - readOnlyRootFilesystem: true - # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID - allowPrivilegeEscalation: false - # -- Requires the container to run without root privileges - runAsNonRoot: true - # -- The container's process will run with the specified uid - runAsUser: 10001 - - # -- Extra environment variables that will be pass onto deployment pods - env: {} - # ENV_NAME: value - - # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. 
- # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core - envValueFrom: {} - # ENV_NAME: - # configMapKeyRef: - # name: configmap-name - # key: value_key - # secretKeyRef: - # name: secret-name - # key: value_key - - # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from - envSecretNames: [] - # - first-secret - # - second-secret - - # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from - envConfigMapNames: [] - # - first-config-map - # - second-config-map - - schema: - autocreate: true - - env: - EDC_IAM_DID_WEB_USE_HTTPS: true - EDC_IAM_ISSUER_ID: did:web:consumer-idhub.staging.construct-x.net:consumer - TX_EDC_POSTGRESQL_MIGRATION_ASSET_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_AGREEMENTBPNS_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_BPN_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_CONTRACTDEFINITION_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_CONTRACTNEGOTIATION_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_DATAPLANEINSTANCE_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_EDR_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_FEDERATEDCATALOG_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_JTI-VALIDATION_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_POLICY-MONITOR_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_POLICY_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_TRANSFERPROCESS_ENABLED: false - EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: consumersecret - EDC_IAM_CREDENTIAL_REVOCATION_MIMETYPE: application/json - - ingresses: - - enabled: true - hostname: "consumer-conn-controlplane.staging.construct-x.net" - className: "nginx" - annotations: - cert-manager.io/cluster-issuer: letsencrypt-staging - external-dns.alpha.kubernetes.io/hostname: "consumer-conn-controlplane.staging.construct-x.net" - external-dns.alpha.kubernetes.io/ttl: "300" - endpoints: - - default - - protocol 
- - management - - dsp - - validation - tls: - # -- Enables TLS on the ingress resource - enabled: true - # -- If present overwrites the default secret name - secretName: "consumer-conn-cp-tls" - ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource - certManager: - # -- If preset enables certificate generation via cert-manager namespace scoped issuer - issuer: "" - # -- If preset enables certificate generation via cert-manager cluster-wide issuer - clusterIssuer: "letsencrypt-staging" - ## Private / Intranet facing Ingress - - enabled: false - # -- The hostname to be used to precisely map incoming traffic onto the underlying network service - hostname: "consumer-conn-controlplane.staging.construct-x.net" - # -- Additional ingress annotations to add - annotations: {} - # -- EDC endpoints exposed by this ingress resource - endpoints: - - control - # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use - className: "nginx" - # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource - tls: - # -- Enables TLS on the ingress resource - enabled: false - # -- If present overwrites the default secret name - secretName: "" - ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource - certManager: - # -- If preset enables certificate generation via cert-manager namespace scoped issuer - issuer: "" - # -- If preset enables certificate generation via cert-manager cluster-wide issuer - clusterIssuer: "letsencrypt-staging" - - # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container - volumeMounts: - # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories - volumes: - - # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container - resources: - 
limits: - # -- Maximum CPU limit - cpu: 1.5 - # -- Maximum memory limit - memory: 1024Mi - requests: - # -- Initial CPU request - cpu: 500m - # -- Initial memory request - memory: 1024Mi - - replicaCount: 1 - - autoscaling: - # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) - enabled: false - # -- Minimal replicas if resource consumption falls below resource threshholds - minReplicas: 1 - # -- Maximum replicas if resource consumption exceeds resource threshholds - maxReplicas: 100 - # -- targetAverageUtilization of cpu provided to a pod - targetCPUUtilizationPercentage: 80 - # -- targetAverageUtilization of memory provided to a pod - targetMemoryUtilizationPercentage: 80 - - # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics - opentelemetry: |- - otel.javaagent.enabled=false - otel.javaagent.debug=false - - - # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes - nodeSelector: {} - # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes - tolerations: [] - # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on - affinity: {} - - url: - control: "https://consumer-conn-controlplane.staging.construct-x.net/control" - # -- Explicitly declared url for reaching the dsp api (e.g. 
if ingresses not used) - protocol: "" - + hostname: consumer-conn-controlplane + image: + repository: registry.onstackit.cloud/constructx/con-x-controlplane-postgresql-hashicorp-vault + imagePullSecrets: + - name: registry-creds + env: + EDC_IAM_ISSUER_ID: did:web:consumer-idhub.staging.construct-x.net:consumer + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: consumersecret + ingresses: + - enabled: true + hostname: consumer-conn-controlplane.staging.construct-x.net + className: nginx + annotations: + cert-manager.io/cluster-issuer: letsencrypt-staging + external-dns.alpha.kubernetes.io/hostname: consumer-conn-controlplane.staging.construct-x.net + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - default + - management + - public + - protocol + - validation + - metrics + tls: + enabled: true + secretName: consumer-conn-cp-tls + certManager: + clusterIssuer: letsencrypt-staging + - enabled: false + hostname: consumer-conn-controlplane.staging.construct-x.net + endpoints: + - control + className: nginx + tls: + enabled: false + certManager: + clusterIssuer: letsencrypt-staging + url: + control: https://consumer-conn-controlplane.staging.construct-x.net/control dataplane: - nameOverride: "consumer-conn-dataplane" - fullnameOverride: "" - enabled: true - hostname: consumer-conn-dataplane - image: - # -- Which derivate of the data plane to use. when left empty the deployment will select the correct image automatically - repository: "registry.onstackit.cloud/constructx/con-x-dataplane-postgresql-hashicorp-vault" - # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use - pullPolicy: IfNotPresent - # -- Overrides the image tag whose default is the chart appVersion - tag: "latest" - imagePullSecrets: - - name: registry-creds - - initContainers: [] - debug: - # -- Enables java debugging mode. - enabled: false - # -- Port where the debuggee can connect to. 
- port: 1044 - # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. - suspendOnStart: false - - logs: - # -- Defines the log granularity of the default Console Monitor. - level: DEBUG - - livenessProbe: - # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) - enabled: true - # -- seconds to wait before performing the first liveness check - initialDelaySeconds: 30 - # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds - periodSeconds: 10 - # -- number of seconds after which the probe times out - timeoutSeconds: 5 - # -- when a probe fails kubernetes will try 6 times before giving up - failureThreshold: 6 - # -- number of consecutive successes for the probe to be considered successful after having failed - successThreshold: 1 - readinessProbe: - # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + nameOverride: consumer-conn-dataplane enabled: true - # -- seconds to wait before performing the first readiness check - initialDelaySeconds: 30 - # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds - periodSeconds: 10 - # -- number of seconds after which the probe times out - timeoutSeconds: 5 - # -- when a probe fails kubernetes will try 6 times before giving up - failureThreshold: 6 - # -- number of consecutive successes for the probe to be considered successful after having failed - successThreshold: 1 - - service: - # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. 
- type: ClusterIP - # -- additional labels for the service - labels: {} - # -- additional annotations for the service - annotations: {} - - # -- endpoints of the dataplane - endpoints: - # -- default api for health checks, should not be added to any ingress - default: - # -- port for incoming api calls - port: 8181 - # -- path for incoming api calls - path: /api - # -- public endpoint where the data can be fetched from if HttpPull was used. Must be internet facing. - public: - # -- port for incoming api calls - port: 9500 - # -- path for incoming api calls - path: /public - # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not - control: - # -- port for incoming api calls - port: 9550 - # -- path for incoming api calls - path: /control - management: - # -- port for incoming api calls - port: 9510 - # -- path for incoming api calls - path: /management - # -- authentication key, must be attached to each request as `X-Api-Key` header - # -- metrics api, used for application metrics, must not be internet facing - metrics: - # -- port for incoming api calls - port: 9090 - # -- path for incoming api calls - path: /metrics - - token: - refresh: - # -- TTL in seconds for access tokens (also known as EDR token) - expiry_seconds: 300 - # -- Tolerance for token expiry in seconds - expiry_tolerance_seconds: 10 - # -- Optional endpoint for an OAuth2 token refresh. 
Default endpoint is `/token` - refresh_endpoint: - signer: - # -- Alias under which the private key (JWK or PEM format) is stored in the vault - privatekey_alias: cons_priv - verifier: - # -- Alias under which the public key (JWK or PEM format) is stored in the vault, that belongs to the private key which was referred to at `dataplane.token.signer.privatekey_alias` - publickey_alias: cons_pub - - schema: - autocreate: true - - env: - EDC_IAM_DID_WEB_USE_HTTPS: true - EDC_DATA_PLANE_SELF_UNREGISTRATION: true - EDC_IAM_CREDENTIAL_REVOCATION_MIMETYPE: application/json - EDC_IAM_ISSUER_ID: did:web:consumer-idhub.staging.construct-x.net:consumer - EDC_SQL_SCHEMA_AUTOCREATE: true - EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: did:web:local-issuer-service.staging.construct-x.net:issuer - EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: consumersecret - - # -- additional labels for the pod - podLabels: {} - # -- additional annotations for the pod - podAnnotations: {} - # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment - podSecurityContext: - seccompProfile: - # -- Restrict a Container's Syscalls with seccomp - type: RuntimeDefault - # -- Runs all processes within a pod with a special uid - runAsUser: 10001 - # -- Processes within a pod will belong to this guid - runAsGroup: 10001 - # -- The owner for volumes and any files created within volumes will belong to this guid - fsGroup: 10001 - # -- The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod - securityContext: - capabilities: - # -- Specifies which capabilities to drop to reduce syscall attack surface - drop: - - ALL - # -- Specifies which capabilities to add to issue specialized syscalls - add: [] - # 
-- Whether the root filesystem is mounted in read-only mode - readOnlyRootFilesystem: true - # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID - allowPrivilegeEscalation: false - # -- Requires the container to run without root privileges - runAsNonRoot: true - # -- The container's process will run with the specified uid - runAsUser: 10001 - - # -- Extra environment variables that will be pass onto deployment pods - env: {} - # ENV_NAME: value - - # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. - # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core - envValueFrom: {} - # ENV_NAME: - # configMapKeyRef: - # name: configmap-name - # key: value_key - # secretKeyRef: - # name: secret-name - # key: value_key - - # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from - envSecretNames: [] - # - first-secret - # - second-secret - - # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from - envConfigMapNames: [] - # - first-config-map - # - second-config-map - - ## Ingress declaration to expose the network service. 
- ingresses: - ## Public / Internet facing Ingress - - enabled: false - # -- The hostname to be used to precisely map incoming traffic onto the underlying network service - hostname: "consumer-conn-dataplane.staging.construct-x.net" - className: "nginx" - annotations: - cert-manager.io/cluster-issuer: letsencrypt-staging - external-dns.alpha.kubernetes.io/hostname: "consumer-conn-dataplane.staging.construct-x.net" - external-dns.alpha.kubernetes.io/ttl: "300" - # -- EDC endpoints exposed by this ingress resource - endpoints: - - public - # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use - - tls: - # -- Enables TLS on the ingress resource - enabled: true - # -- If present overwrites the default secret name - secretName: "consumer-conn-dp-tls" - ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource - certManager: - # -- If preset enables certificate generation via cert-manager namespace scoped issuer - issuer: "" - # -- If preset enables certificate generation via cert-manager cluster-wide issuer - clusterIssuer: "letsencrypt-staging" - - # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container - volumeMounts: - # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories - volumes: - - # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container - resources: - limits: - # -- Maximum CPU limit - cpu: 1.5 - # -- Maximum memory limit - memory: 1024Mi - requests: - # -- Initial CPU request - cpu: 500m - # -- Initial memory request - memory: 1024Mi - - replicaCount: 1 - - autoscaling: - # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) - enabled: false - # -- Minimal replicas if resource 
consumption falls below resource threshholds - minReplicas: 1 - # -- Maximum replicas if resource consumption exceeds resource threshholds - maxReplicas: 100 - # -- targetAverageUtilization of cpu provided to a pod - targetCPUUtilizationPercentage: 80 - # -- targetAverageUtilization of memory provided to a pod - targetMemoryUtilizationPercentage: 80 - - # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics - opentelemetry: |- - otel.javaagent.enabled=false - otel.javaagent.debug=false - - - # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes - nodeSelector: {} - # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes - tolerations: [] - # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on - affinity: {} - url: - # -- Explicitly declared url for reaching the public api (e.g. 
if ingresses not used) - public: "" - + hostname: consumer-conn-dataplane + image: + repository: registry.onstackit.cloud/constructx/con-x-dataplane-postgresql-hashicorp-vault + imagePullSecrets: + - name: registry-creds + token: + signer: + privatekey_alias: cons_priv + verifier: + publickey_alias: cons_pub + env: + EDC_IAM_ISSUER_ID: did:web:consumer-idhub.staging.construct-x.net:consumer + EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: did:web:local-issuer-service.staging.construct-x.net:issuer + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: consumersecret + ingresses: + - enabled: false + hostname: consumer-conn-dataplane.staging.construct-x.net + className: nginx + annotations: + cert-manager.io/cluster-issuer: letsencrypt-staging + external-dns.alpha.kubernetes.io/hostname: consumer-conn-dataplane.staging.construct-x.net + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - public + tls: + enabled: true + secretName: consumer-conn-dp-tls + certManager: + clusterIssuer: letsencrypt-staging postgresql: - image: - repository: "bitnamilegacy/postgresql" - tag: "16.2.0-debian-12-r10" - jdbcUrl: "jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc" - primary: - persistence: - enabled: true - readReplicas: - persistence: - enabled: true - auth: - database: "edc" - username: "user" - password: "password" - -vault: - injector: - enabled: false - server: - dev: - enabled: true - devRootToken: "root" - postStart: # must be set externally! - hashicorp: - url: "http://{{ .Release.Name }}-vault:8200" - token: "root" - timeout: 30 - healthCheck: - enabled: true - standbyOk: true - paths: - secret: /v1/secret - health: /v1/sys/health - folder: "" + primary: + persistence: + enabled: true + readReplicas: + persistence: + enabled: true diff --git a/charts/tractusx-connector/values-provider.yaml b/charts/tractusx-connector/values-provider.yaml index d27850743b..7405038c5d 100644 --- a/charts/tractusx-connector/values-provider.yaml 
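Review bot: The controlplane `ingresses` entry that stays `enabled: true` with cert-manager and external-dns annotations now lists `management`, `validation` and `metrics` among its `endpoints`; the chart's own endpoint comments on the removed side describe the management and metrics APIs as must-not-be-internet-facing, and the management API is guarded only by the `X-Api-Key` value, which this overlay no longer sets (the removed `authKey: "password"` line) and so inherits from values.yaml. `public` is a dataplane endpoint with no counterpart under `controlplane.endpoints`, so it is presumably ignored or breaks rendering — the ingress template is not visible here. Reduce the internet-facing entry to `endpoints:` / `- protocol` and move `management` to the second, private ingress entry (currently `enabled: false`) next to `control`. The same trimming dropped `postgresql.auth.password`, `vault.server.dev.devRootToken` and `hashicorp.token` from the overlay, so staging now relies on whatever values.yaml provides for them; a one-line comment in the overlay naming that dependency would make it explicit.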
+++ b/charts/tractusx-connector/values-provider.yaml 
@@ -1,684 +1,99 @@ -################################################################################# -# Copyright (c) 2026 ARENA2036 e.V. -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0. -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -################################################################################# - ---- -# Default values for eclipse-dataspace-connector. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. 
- -install: - postgresql: true - vault: true - -fullnameOverride: "" -nameOverride: "provider-conn" - -imagePullSecrets: [] -customLabels: {} - +nameOverride: provider-conn participant: - id: "did:web:provider-idhub.staging.construct-x.net:provider" - + id: did:web:provider-idhub.staging.construct-x.net:provider iatp: - id: "did:web:provider-idhub.staging.construct-x.net:provider" - trustedIssuerId: did:web:local-issuer-service.staging.construct-x.net:issuer - trustedIssuers: - - id: "did:web:local-issuer-service.staging.construct-x.net:issuer" - - sts: - div: - url: - oauth: - token_url: https://provider-idhub.staging.construct-x.net/api/sts/token - client: - # -- Client ID for requesting OAuth2 access token for DIV access - id: did:web:provider-idhub.staging.construct-x.net:provider - # -- Alias under which the client secret is stored in the vault for requesting OAuth2 access token for DIV access - secret_alias: providersecret - didService: - selfRegistration: - # -- Whether Service Self Registration is enabled - enabled: false - # -- Unique id of connector to be used for register / unregister service inside did document (must be valid URI) - id: "did:web:provider-idhub.staging.construct-x.net:provider" - # - Configures the Verifiable Presentation cache - cache: - # -- Whether the Verifiable Presentation cache is enabled - enabled: true - # -- Validity of the Verifiable Presentation cache in seconds - validity: 86400 - -# -- Add custom ca certificates to the truststore -customCaCerts: {} - -log4j2: - # -- Whether to enable the json log config in log4j2.config - enableJsonLogs: true - # -- Log4j2 configuration for json log formatting. 
- config: |- - Appenders: - Console: - name: CONSOLE - JsonTemplateLayout: - eventTemplate: |- - { - "timestamp": { - "$resolver": "timestamp", - "pattern": { - "format": "yyyy-MM-dd'T'HH:mm:ss.SSSSSSS", - "timeZone": "UTC" - } - }, - "level": { - "$resolver": "level", - "field": "severity", - "severity": { - "field": "keyword" - } - }, - "message": { - "$resolver": "message" - } - } - Loggers: - Root: - level: "OFF" - Logger: - name: org.eclipse.edc.monitor.logger - level: DEBUG - AppenderRef: - ref: CONSOLE - + id: did:web:provider-idhub.staging.construct-x.net:provider + trustedIssuerId: did:web:local-issuer-service.staging.construct-x.net:issuer + trustedIssuers: + - id: did:web:local-issuer-service.staging.construct-x.net:issuer + sts: + oauth: + token_url: https://provider-idhub.staging.construct-x.net/api/sts/token + client: + id: did:web:provider-idhub.staging.construct-x.net:provider + secret_alias: providersecret + didService: + selfRegistration: + id: did:web:provider-idhub.staging.construct-x.net:provider controlplane: - nameOverride: "provider-conn-controlplane" - fullnameOverride: "" - enabled: true - hostname: provider-conn-controlplane - image: - # -- Which derivate of the data plane to use. when left empty the deployment will select the correct image automatically - repository: "registry.onstackit.cloud/constructx/con-x-controlplane-postgresql-hashicorp-vault" - # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use - pullPolicy: IfNotPresent - # -- Overrides the image tag whose default is the chart appVersion - tag: "latest" - imagePullSecrets: - - name: registry-creds - initContainers: [] - debug: - # -- Enables java debugging mode. - enabled: false - # -- Port where the debuggee can connect to. - port: 1044 - # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. 
- suspendOnStart: false - logs: - # -- Defines the log granularity of the default Console Monitor. - level: DEBUG - livenessProbe: - # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) - enabled: true - # -- seconds to wait before performing the first liveness check - initialDelaySeconds: 30 - # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds - periodSeconds: 10 - # -- number of seconds after which the probe times out - timeoutSeconds: 5 - # -- when a probe fails kubernetes will try 6 times before giving up - failureThreshold: 6 - # -- number of consecutive successes for the probe to be considered successful after having failed - successThreshold: 1 - readinessProbe: - # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + nameOverride: provider-conn-controlplane enabled: true - # -- seconds to wait before performing the first readiness check - initialDelaySeconds: 30 - # -- this fields specifies that kubernetes should perform a readiness check every 10 seconds - periodSeconds: 10 - # -- number of seconds after which the probe times out - timeoutSeconds: 5 - # -- when a probe fails kubernetes will try 6 times before giving up - failureThreshold: 6 - # -- number of consecutive successes for the probe to be considered successful after having failed - successThreshold: 1 - - # -- endpoints of the control plane - endpoints: - # -- default api for health checks, should not be added to any ingress - default: - # -- port for incoming api calls - port: 9000 - # -- path for incoming api calls - path: /api - # -- data management api, used by internal users, can be added to an ingress and must not be internet facing - management: - # -- port for incoming api calls - port: 9010 - # -- path for incoming api calls - path: /management - 
# -- authentication key, must be attached to each request as `X-Api-Key` header - authKey: "password" - # -- if the JWKS url is set, the DelegatedAuth service will be engaged - jwksUrl: - - # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not - control: - # -- port for incoming api calls - port: 9050 - # -- path for incoming api calls - path: /control - # -- dsp api, used for inter connector communication and must be internet facing - protocol: - # -- port for incoming api calls - port: 9020 - # -- path for incoming api calls - path: /dsp - # -- metrics api, used for application metrics, must not be internet facing - validation: - # -- port for incoming api calls - port: 9030 - # -- path for incoming api calls - path: /validation - # -- dsp api, use - metrics: - # -- port for incoming api calls - port: 9090 - # -- path for incoming api calls - path: /metrics - - # -- configuration for policy engine - policy: - validation: - enabled: true - - service: - # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. 
- type: ClusterIP - # -- additional labels for the service - labels: {} - # -- additional annotations for the service - annotations: {} - - # -- additional labels for the pod - podLabels: {} - # -- additional annotations for the pod - podAnnotations: {} - # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment - podSecurityContext: - seccompProfile: - # -- Restrict a Container's Syscalls with seccomp - type: RuntimeDefault - # -- Runs all processes within a pod with a special uid - runAsUser: 10001 - # -- Processes within a pod will belong to this guid - runAsGroup: 10001 - # -- The owner for volumes and any files created within volumes will belong to this guid - fsGroup: 10001 - # The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod - securityContext: - capabilities: - # -- Specifies which capabilities to drop to reduce syscall attack surface - drop: - - ALL - # -- Specifies which capabilities to add to issue specialized syscalls - add: [] - # -- Whether the root filesystem is mounted in read-only mode - readOnlyRootFilesystem: true - # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID - allowPrivilegeEscalation: false - # -- Requires the container to run without root privileges - runAsNonRoot: true - # -- The container's process will run with the specified uid - runAsUser: 10001 - - # -- Extra environment variables that will be pass onto deployment pods - env: {} - # ENV_NAME: value - - # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. 
- # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core - envValueFrom: {} - # ENV_NAME: - # configMapKeyRef: - # name: configmap-name - # key: value_key - # secretKeyRef: - # name: secret-name - # key: value_key - - # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from - envSecretNames: [] - # - first-secret - # - second-secret - - # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from - envConfigMapNames: [] - # - first-config-map - # - second-config-map - - schema: - autocreate: true - - env: - EDC_IAM_DID_WEB_USE_HTTPS: true - EDC_IAM_ISSUER_ID: did:web:provider-idhub.staging.construct-x.net:provider - TX_EDC_POSTGRESQL_MIGRATION_ASSET_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_AGREEMENTBPNS_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_BPN_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_CONTRACTDEFINITION_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_CONTRACTNEGOTIATION_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_DATAPLANEINSTANCE_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_EDR_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_FEDERATEDCATALOG_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_JTI-VALIDATION_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_POLICY-MONITOR_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_POLICY_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_TRANSFERPROCESS_ENABLED: false - EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: providersecret - EDC_IAM_CREDENTIAL_REVOCATION_MIMETYPE: application/json - - ingresses: - - enabled: true - hostname: "provider-conn-controlplane.staging.construct-x.net" - className: "nginx" - annotations: - cert-manager.io/cluster-issuer: letsencrypt-staging - external-dns.alpha.kubernetes.io/hostname: "provider-conn-controlplane.staging.construct-x.net" - external-dns.alpha.kubernetes.io/ttl: "300" - endpoints: - - default - - protocol 
- - management - - dsp - - validation - tls: - # -- Enables TLS on the ingress resource - enabled: true - # -- If present overwrites the default secret name - secretName: "provider-conn-cp-tls" - ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource - certManager: - # -- If preset enables certificate generation via cert-manager namespace scoped issuer - issuer: "" - # -- If preset enables certificate generation via cert-manager cluster-wide issuer - clusterIssuer: "letsencrypt-staging" - ## Private / Intranet facing Ingress - - enabled: false - # -- The hostname to be used to precisely map incoming traffic onto the underlying network service - hostname: "provider-conn-controlplane.staging.construct-x.net" - # -- Additional ingress annotations to add - annotations: {} - # -- EDC endpoints exposed by this ingress resource - endpoints: - - control - # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use - className: "nginx" - # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource - tls: - # -- Enables TLS on the ingress resource - enabled: false - # -- If present overwrites the default secret name - secretName: "" - ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource - certManager: - # -- If preset enables certificate generation via cert-manager namespace scoped issuer - issuer: "" - # -- If preset enables certificate generation via cert-manager cluster-wide issuer - clusterIssuer: "letsencrypt-staging" - - # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container - volumeMounts: - # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories - volumes: - - # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container - resources: - 
limits: - # -- Maximum CPU limit - cpu: 1.5 - # -- Maximum memory limit - memory: 1024Mi - requests: - # -- Initial CPU request - cpu: 500m - # -- Initial memory request - memory: 1024Mi - - replicaCount: 1 - - autoscaling: - # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) - enabled: false - # -- Minimal replicas if resource consumption falls below resource threshholds - minReplicas: 1 - # -- Maximum replicas if resource consumption exceeds resource threshholds - maxReplicas: 100 - # -- targetAverageUtilization of cpu provided to a pod - targetCPUUtilizationPercentage: 80 - # -- targetAverageUtilization of memory provided to a pod - targetMemoryUtilizationPercentage: 80 - - # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics - opentelemetry: |- - otel.javaagent.enabled=false - otel.javaagent.debug=false - - - # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes - nodeSelector: {} - # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes - tolerations: [] - # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on - affinity: {} - - url: - control: "https://provider-conn-controlplane.staging.construct-x.net/control" - # -- Explicitly declared url for reaching the dsp api (e.g. 
if ingresses not used) - protocol: "" - + hostname: provider-conn-controlplane + image: + repository: registry.onstackit.cloud/constructx/con-x-controlplane-postgresql-hashicorp-vault + imagePullSecrets: + - name: registry-creds + env: + EDC_IAM_ISSUER_ID: did:web:provider-idhub.staging.construct-x.net:provider + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: providersecret + ingresses: + - enabled: true + hostname: provider-conn-controlplane.staging.construct-x.net + className: nginx + annotations: + cert-manager.io/cluster-issuer: letsencrypt-staging + external-dns.alpha.kubernetes.io/hostname: provider-conn-controlplane.staging.construct-x.net + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - default + - management + - public + - protocol + - validation + - metrics + tls: + enabled: true + secretName: provider-conn-cp-tls + certManager: + clusterIssuer: letsencrypt-staging + - enabled: false + hostname: provider-conn-controlplane.staging.construct-x.net + endpoints: + - control + className: nginx + tls: + enabled: false + secretName: "provider-conn-cp-tls" + certManager: + clusterIssuer: letsencrypt-staging + url: + control: https://provider-conn-controlplane.staging.construct-x.net/control dataplane: - nameOverride: "provider-conn-dataplane" - fullnameOverride: "" - enabled: true - hostname: provider-conn-dataplane - image: - # -- Which derivate of the data plane to use. when left empty the deployment will select the correct image automatically - repository: "registry.onstackit.cloud/constructx/con-x-dataplane-postgresql-hashicorp-vault" - # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use - pullPolicy: IfNotPresent - # -- Overrides the image tag whose default is the chart appVersion - tag: "latest" - imagePullSecrets: - - name: registry-creds - - initContainers: [] - debug: - # -- Enables java debugging mode. - enabled: false - # -- Port where the debuggee can connect to. 
- port: 1044 - # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. - suspendOnStart: false - - logs: - # -- Defines the log granularity of the default Console Monitor. - level: DEBUG - - livenessProbe: - # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) - enabled: true - # -- seconds to wait before performing the first liveness check - initialDelaySeconds: 30 - # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds - periodSeconds: 10 - # -- number of seconds after which the probe times out - timeoutSeconds: 5 - # -- when a probe fails kubernetes will try 6 times before giving up - failureThreshold: 6 - # -- number of consecutive successes for the probe to be considered successful after having failed - successThreshold: 1 - readinessProbe: - # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + nameOverride: provider-conn-dataplane enabled: true - # -- seconds to wait before performing the first readiness check - initialDelaySeconds: 30 - # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds - periodSeconds: 10 - # -- number of seconds after which the probe times out - timeoutSeconds: 5 - # -- when a probe fails kubernetes will try 6 times before giving up - failureThreshold: 6 - # -- number of consecutive successes for the probe to be considered successful after having failed - successThreshold: 1 - - service: - # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. 
- type: ClusterIP - # -- additional labels for the service - labels: {} - # -- additional annotations for the service - annotations: {} - - # -- endpoints of the dataplane - endpoints: - # -- default api for health checks, should not be added to any ingress - default: - # -- port for incoming api calls - port: 8181 - # -- path for incoming api calls - path: /api - # -- public endpoint where the data can be fetched from if HttpPull was used. Must be internet facing. - public: - # -- port for incoming api calls - port: 9500 - # -- path for incoming api calls - path: /public - # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not - control: - # -- port for incoming api calls - port: 9550 - # -- path for incoming api calls - path: /control - management: - # -- port for incoming api calls - port: 9510 - # -- path for incoming api calls - path: /management - # -- authentication key, must be attached to each request as `X-Api-Key` header - # -- metrics api, used for application metrics, must not be internet facing - metrics: - # -- port for incoming api calls - port: 9090 - # -- path for incoming api calls - path: /metrics - - token: - refresh: - # -- TTL in seconds for access tokens (also known as EDR token) - expiry_seconds: 300 - # -- Tolerance for token expiry in seconds - expiry_tolerance_seconds: 10 - # -- Optional endpoint for an OAuth2 token refresh. 
Default endpoint is `/token` - refresh_endpoint: - signer: - # -- Alias under which the private key (JWK or PEM format) is stored in the vault - privatekey_alias: prov_priv - verifier: - # -- Alias under which the public key (JWK or PEM format) is stored in the vault, that belongs to the private key which was referred to at `dataplane.token.signer.privatekey_alias` - publickey_alias: prov_pub - - schema: - autocreate: true - - env: - EDC_IAM_DID_WEB_USE_HTTPS: true - EDC_DATA_PLANE_SELF_UNREGISTRATION: true - EDC_IAM_CREDENTIAL_REVOCATION_MIMETYPE: application/json - EDC_IAM_ISSUER_ID: did:web:provider-idhub.staging.construct-x.net:provider - EDC_SQL_SCHEMA_AUTOCREATE: true - EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: did:web:local-issuer-service.staging.construct-x.net:issuer - EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: providersecret - - # -- additional labels for the pod - podLabels: {} - # -- additional annotations for the pod - podAnnotations: {} - # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment - podSecurityContext: - seccompProfile: - # -- Restrict a Container's Syscalls with seccomp - type: RuntimeDefault - # -- Runs all processes within a pod with a special uid - runAsUser: 10001 - # -- Processes within a pod will belong to this guid - runAsGroup: 10001 - # -- The owner for volumes and any files created within volumes will belong to this guid - fsGroup: 10001 - # -- The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod - securityContext: - capabilities: - # -- Specifies which capabilities to drop to reduce syscall attack surface - drop: - - ALL - # -- Specifies which capabilities to add to issue specialized syscalls - add: [] - # 
-- Whether the root filesystem is mounted in read-only mode - readOnlyRootFilesystem: true - # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID - allowPrivilegeEscalation: false - # -- Requires the container to run without root privileges - runAsNonRoot: true - # -- The container's process will run with the specified uid - runAsUser: 10001 - - # -- Extra environment variables that will be pass onto deployment pods - env: {} - # ENV_NAME: value - - # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. - # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core - envValueFrom: {} - # ENV_NAME: - # configMapKeyRef: - # name: configmap-name - # key: value_key - # secretKeyRef: - # name: secret-name - # key: value_key - - # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from - envSecretNames: [] - # - first-secret - # - second-secret - - # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from - envConfigMapNames: [] - # - first-config-map - # - second-config-map - - ## Ingress declaration to expose the network service. 
- ingresses: - ## Public / Internet facing Ingress - - enabled: true - # -- The hostname to be used to precisely map incoming traffic onto the underlying network service - hostname: "provider-conn-dataplane.staging.construct-x.net" - className: "nginx" - annotations: - cert-manager.io/cluster-issuer: letsencrypt-staging - external-dns.alpha.kubernetes.io/hostname: "provider-conn-dataplane.staging.construct-x.net" - external-dns.alpha.kubernetes.io/ttl: "300" - # -- EDC endpoints exposed by this ingress resource - endpoints: - - public - # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use - - tls: - # -- Enables TLS on the ingress resource - enabled: true - # -- If present overwrites the default secret name - secretName: "provider-conn-dp-tls" - ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource - certManager: - # -- If preset enables certificate generation via cert-manager namespace scoped issuer - issuer: "" - # -- If preset enables certificate generation via cert-manager cluster-wide issuer - clusterIssuer: "letsencrypt-staging" - - # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container - volumeMounts: - # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories - volumes: - - # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container - resources: - limits: - # -- Maximum CPU limit - cpu: 1.5 - # -- Maximum memory limit - memory: 1024Mi - requests: - # -- Initial CPU request - cpu: 500m - # -- Initial memory request - memory: 1024Mi - - replicaCount: 1 - - autoscaling: - # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) - enabled: false - # -- Minimal replicas if resource 
consumption falls below resource threshholds - minReplicas: 1 - # -- Maximum replicas if resource consumption exceeds resource threshholds - maxReplicas: 100 - # -- targetAverageUtilization of cpu provided to a pod - targetCPUUtilizationPercentage: 80 - # -- targetAverageUtilization of memory provided to a pod - targetMemoryUtilizationPercentage: 80 - - # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics - opentelemetry: |- - otel.javaagent.enabled=false - otel.javaagent.debug=false - - - # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes - nodeSelector: {} - # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes - tolerations: [] - # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on - affinity: {} - url: - # -- Explicitly declared url for reaching the public api (e.g. 
if ingresses not used) - public: "" - + hostname: provider-conn-dataplane + image: + repository: registry.onstackit.cloud/constructx/con-x-dataplane-postgresql-hashicorp-vault + imagePullSecrets: + - name: registry-creds + token: + signer: + privatekey_alias: prov_priv + verifier: + publickey_alias: prov_pub + env: + EDC_IAM_ISSUER_ID: did:web:provider-idhub.staging.construct-x.net:provider + EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: did:web:local-issuer-service.staging.construct-x.net:issuer + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: providersecret + ingresses: + - enabled: true + hostname: provider-conn-dataplane.staging.construct-x.net + className: nginx + annotations: + cert-manager.io/cluster-issuer: letsencrypt-staging + external-dns.alpha.kubernetes.io/hostname: provider-conn-dataplane.staging.construct-x.net + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - public + tls: + enabled: true + secretName: provider-conn-dp-tls + certManager: + clusterIssuer: letsencrypt-staging postgresql: - image: - repository: "bitnamilegacy/postgresql" - tag: "16.2.0-debian-12-r10" - jdbcUrl: "jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc" - primary: - persistence: - enabled: true - readReplicas: - persistence: - enabled: true - auth: - database: "edc" - username: "user" - password: "password" - -vault: - injector: - enabled: false - server: - dev: - enabled: true - devRootToken: "root" - postStart: # must be set externally! - hashicorp: - url: "http://{{ .Release.Name }}-vault:8200" - token: "root" - timeout: 30 - healthCheck: - enabled: true - standbyOk: true - paths: - secret: /v1/secret - health: /v1/sys/health - folder: "" + primary: + persistence: + enabled: true + readReplicas: + persistence: + enabled: true diff --git a/charts/tractusx-connector/values.yaml b/charts/tractusx-connector/values.yaml index 8cfad9433f..d2f1f5d043 100644 --- a/charts/tractusx-connector/values.yaml +++ b/charts/tractusx-connector/values.yaml 
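Review bot: The rewritten provider controlplane ingress (`enabled: true`, cert-manager and external-dns annotated, so internet facing) lists `default`, `metrics` and `public` among its endpoints, but the chart's own values.yaml documents `default` as "should not be added to any ingress" and `metrics` as "must not be internet facing", and `public` is not a controlplane endpoint at all (the controlplane endpoint map has default/management/control/protocol/validation/metrics; `public` is the dataplane HttpPull endpoint), so that entry looks copied from the dataplane ingress block. Dropping those three leaves `management`, `protocol` and `validation`; since `management` is also documented as "must not be internet facing", keeping it on this ingress deserves an explicit comment stating why, or a move to the second (`enabled: false`) ingress that already carries `control`. Minor style point: `secretName: "provider-conn-cp-tls"` in that second ingress is the only quoted scalar of its kind in the rewritten file; write it unquoted like `secretName: provider-conn-cp-tls` above it.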
@@ -37,7 +37,7 @@ imagePullSecrets: [] customLabels: {} participant: - id: "did:web:consumer-idhub.staging.construct-x.net:consumer" + id: "did:web:wallet.staging.construct-x.net:user" iatp: # -- Decentralized IDentifier (DID) of the connector @@ -115,6 +115,8 @@ log4j2: ref: CONSOLE controlplane: + nameOverride: "" + fullnameOverride: "" image: # -- Which derivate of the control plane to use. When left empty the deployment will select the correct image automatically repository: "ghcr.io/project-construct-x/con-x-controlplane-postgresql-hashicorp-vault" @@ -170,13 +172,13 @@ controlplane: # -- default api for health checks, should not be added to any ingress default: # -- port for incoming api calls - port: 8080 + port: 9000 # -- path for incoming api calls path: /api # -- data management api, used by internal users, can be added to an ingress and must not be internet facing management: # -- port for incoming api calls - port: 8081 + port: 9010 # -- path for incoming api calls path: /management # -- authentication key, must be attached to each request as `X-Api-Key` header @@ -187,15 +189,21 @@ controlplane: # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not control: # -- port for incoming api calls - port: 8083 + port: 9050 # -- path for incoming api calls path: /control # -- dsp api, used for inter connector communication and must be internet facing protocol: # -- port for incoming api calls - port: 8084 + port: 9020 # -- path for incoming api calls - path: /api/v1/dsp + path: /dsp + # -- validation api + validation: + # -- port for incoming api calls + port: 9030 + # -- path for incoming api calls + path: /validation # -- metrics api, used for application metrics, must not be internet facing metrics: # -- port for incoming api calls 
@@ -256,7 +264,6 @@ controlplane: runAsUser: 10001 # -- Extra environment variables that will be pass onto deployment pods - env: {} # ENV_NAME: value # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. @@ -401,6 +408,8 @@ controlplane: protocol: "" dataplane: + nameOverride: "" + fullnameOverride: "" image: # -- Which derivate of the data plane to use. when left empty the deployment will select the correct image automatically repository: "ghcr.io/project-construct-x/con-x-dataplane-postgresql-hashicorp-vault" @@ -464,28 +473,27 @@ dataplane: # -- default api for health checks, should not be added to any ingress default: # -- port for incoming api calls - port: 8080 + port: 8181 # -- path for incoming api calls path: /api # -- public endpoint where the data can be fetched from if HttpPull was used. Must be internet facing. public: # -- port for incoming api calls - port: 8081 + port: 9500 # -- path for incoming api calls - path: /api/public + path: /public # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not control: # -- port for incoming api calls - port: 8084 + port: 9550 # -- path for incoming api calls - path: /api/control - proxy: + path: /control + # -- data management api + management: # -- port for incoming api calls - port: 8186 + port: 9510 # -- path for incoming api calls - path: /proxy - # -- authentication key, must be attached to each request as `X-Api-Key` header - authKey: "password" + path: /management # -- metrics api, used for application metrics, must not be internet facing metrics: # -- port for incoming api calls From dc00f85d11d1168647e3bf96f8322b9d46e2ccab Mon Sep 17 00:00:00 2001 
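Review bot: Removing `env: {}` leaves the helm-docs comment `# -- Extra environment variables that will be pass onto deployment pods` and its `# ENV_NAME: value` example with no key beneath them, so helm-docs will either drop that text or attach it to `envValueFrom`. The deletion itself looks right: the pre-change blob (the same `8cfad9433f` content that PATCH 06 deletes as values-diff.yaml) has a second `env:` mapping further down in `controlplane`, so this removes a duplicate key that most YAML parsers resolve silently as last-wins. Move the two comment lines so they sit directly above the surviving `env:` mapping, and fix the typo while there: `# -- Extra environment variables that will be passed onto deployment pods`.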
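Review bot: The new dataplane `management:` endpoint (port 9510, `/management`) in the `@@ -464,28 +473,27 @@` hunk is added without the `authKey` that the removed `proxy:` block carried and without the exposure note its controlplane counterpart has (`used by internal users … must not be internet facing`). As written, nothing in the values file tells an operator whether this API is authenticated or may be placed on an ingress, and the deployment template that would wire a key for it is not among the visible hunks, so I cannot tell whether the image enforces one. Suggested comment: `# -- data management api, used by internal users, must not be internet facing`, plus an `authKey` entry if the dataplane honours one. Dropping the `proxy` block's `authKey: "password"` default is an improvement worth a mention in the commit message. The hunk ends inside the `metrics:` block.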
From: Dennis Borrmann Date: Mon, 15 Jun 2026 14:49:14 +0200 Subject: [PATCH 06/17] further cleanup --- _diff2.py | 34 - .../tractusx-connector/values-consumer.yaml | 88 ++- charts/tractusx-connector/values-diff.yaml | 722 ------------------ .../tractusx-connector/values-provider.yaml | 83 +- charts/tractusx-connector/values.yaml | 67 +- 5 files changed, 123 insertions(+), 871 deletions(-) delete mode 100644 _diff2.py delete mode 100644 charts/tractusx-connector/values-diff.yaml diff --git a/_diff2.py b/_diff2.py deleted file mode 100644 index 5bce5ce207..0000000000 --- a/_diff2.py +++ /dev/null @@ -1,34 +0,0 @@ -#!/usr/bin/env python3 -import yaml -from copy import deepcopy - -def deep_diff(stage_dict, default_dict): - if not isinstance(stage_dict, dict) or not isinstance(default_dict, dict): - return stage_dict if stage_dict != default_dict else None - result = {} - for key, stage_val in stage_dict.items(): - if key not in default_dict: - result[key] = deepcopy(stage_val) - else: - default_val = default_dict[key] - if isinstance(stage_val, dict) and isinstance(default_val, dict): - diff = deep_diff(stage_val, default_val) - if diff is not None and diff != {}: - result[key] = diff - elif stage_val != default_val: - result[key] = deepcopy(stage_val) - return result - -base_dir = "charts/tractusx-connector" -with open(f"{base_dir}/values.yaml", 'r') as f: - default = yaml.safe_load(f) - -for stage_name in ["values-provider.yaml", "values-consumer.yaml"]: - path = f"{base_dir}/{stage_name}" - with open(path, 'r') as f: - stage = yaml.safe_load(f) - diff = deep_diff(stage, default) - print(f"=== {stage_name} ===") - print(yaml.dump(diff, default_flow_style=False, sort_keys=False, allow_unicode=True, width=120)) - with open(path, 'w') as f: - yaml.dump(diff, f, default_flow_style=False, sort_keys=False, allow_unicode=True, width=120) 
diff --git a/charts/tractusx-connector/values-consumer.yaml b/charts/tractusx-connector/values-consumer.yaml index d8a297f0f4..f1182468c3 100644 --- a/charts/tractusx-connector/values-consumer.yaml +++ b/charts/tractusx-connector/values-consumer.yaml 
@@ -1,94 +1,92 @@ +_anchors: + connectorId: &connectorId did:web:consumer-idhub.staging.construct-x.net:consumer + secretAlias: &secretAlias consumersecret + trustedIssuerId: &trustedIssuerId did:web:local-issuer-service.staging.construct-x.net:issuer + clusterIssuer: &clusterIssuer letsencrypt-staging + ingressClass: &ingressClass nginx + imagePullSecret: &imagePullSecret registry-creds + controlplaneFqdn: &controlplaneFqdn consumer-conn-controlplane.staging.construct-x.net + dataplaneFqdn: &dataplaneFqdn consumer-conn-dataplane.staging.construct-x.net + nameOverride: consumer-conn + participant: - id: did:web:consumer-idhub.staging.construct-x.net:consumer + id: *connectorId + iatp: - id: did:web:consumer-idhub.staging.construct-x.net:consumer - trustedIssuerId: did:web:local-issuer-service.staging.construct-x.net:issuer + id: *connectorId + trustedIssuerId: *trustedIssuerId trustedIssuers: - - id: did:web:local-issuer-service.staging.construct-x.net:issuer + - id: *trustedIssuerId sts: oauth: token_url: https://consumer-idhub.staging.construct-x.net/api/sts/token client: - id: did:web:consumer-idhub.staging.construct-x.net:consumer - secret_alias: consumersecret + id: *connectorId + secret_alias: *secretAlias didService: selfRegistration: - id: did:web:consumer-idhub.staging.construct-x.net:consumer + id: *connectorId + controlplane: - nameOverride: consumer-conn-controlplane - enabled: true hostname: consumer-conn-controlplane - image: - repository: registry.onstackit.cloud/constructx/con-x-controlplane-postgresql-hashicorp-vault imagePullSecrets: - - name: registry-creds + - name: *imagePullSecret + endpoints: + management: + authKey: consumer-conn-controlplane-management-password env: - EDC_IAM_ISSUER_ID: did:web:consumer-idhub.staging.construct-x.net:consumer - EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: consumersecret + EDC_IAM_ISSUER_ID: *connectorId + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: *secretAlias ingresses: - enabled: true - hostname: 
consumer-conn-controlplane.staging.construct-x.net - className: nginx + hostname: *controlplaneFqdn annotations: - cert-manager.io/cluster-issuer: letsencrypt-staging - external-dns.alpha.kubernetes.io/hostname: consumer-conn-controlplane.staging.construct-x.net + cert-manager.io/cluster-issuer: *clusterIssuer + external-dns.alpha.kubernetes.io/hostname: *controlplaneFqdn external-dns.alpha.kubernetes.io/ttl: "300" endpoints: - default - management - - public - protocol - validation - metrics + className: *ingressClass tls: enabled: true secretName: consumer-conn-cp-tls certManager: - clusterIssuer: letsencrypt-staging - - enabled: false - hostname: consumer-conn-controlplane.staging.construct-x.net - endpoints: - - control - className: nginx - tls: - enabled: false - certManager: - clusterIssuer: letsencrypt-staging - url: - control: https://consumer-conn-controlplane.staging.construct-x.net/control + clusterIssuer: *clusterIssuer + dataplane: - nameOverride: consumer-conn-dataplane - enabled: true hostname: consumer-conn-dataplane - image: - repository: registry.onstackit.cloud/constructx/con-x-dataplane-postgresql-hashicorp-vault imagePullSecrets: - - name: registry-creds + - name: *imagePullSecret token: signer: privatekey_alias: cons_priv verifier: publickey_alias: cons_pub env: - EDC_IAM_ISSUER_ID: did:web:consumer-idhub.staging.construct-x.net:consumer - EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: did:web:local-issuer-service.staging.construct-x.net:issuer - EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: consumersecret + EDC_IAM_ISSUER_ID: *connectorId + EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: *trustedIssuerId + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: *secretAlias ingresses: - - enabled: false - hostname: consumer-conn-dataplane.staging.construct-x.net - className: nginx + - enabled: true + hostname: *dataplaneFqdn annotations: - cert-manager.io/cluster-issuer: letsencrypt-staging - external-dns.alpha.kubernetes.io/hostname: consumer-conn-dataplane.staging.construct-x.net + 
cert-manager.io/cluster-issuer: *clusterIssuer + external-dns.alpha.kubernetes.io/hostname: *dataplaneFqdn external-dns.alpha.kubernetes.io/ttl: "300" endpoints: - public + className: *ingressClass tls: enabled: true secretName: consumer-conn-dp-tls certManager: - clusterIssuer: letsencrypt-staging + clusterIssuer: *clusterIssuer + postgresql: primary: persistence: diff --git a/charts/tractusx-connector/values-diff.yaml b/charts/tractusx-connector/values-diff.yaml deleted file mode 100644 index 8cfad9433f..0000000000 --- a/charts/tractusx-connector/values-diff.yaml +++ /dev/null 
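Review bot: The consumer controlplane ingress in this hunk keeps `default`, `management` and `metrics` in its `endpoints:` list on an internet-facing host (`*controlplaneFqdn` with TLS from `letsencrypt-staging` and an `external-dns` hostname annotation), while the chart's own values.yaml comments say `default` should not be added to any ingress and `management`/`metrics` must not be internet facing. The management API is then reachable from the internet protected only by the `authKey` added a few lines above, and that key (`consumer-conn-controlplane-management-password`) is committed in plaintext in a values file. Drop `default`, `management` and `metrics` from the public ingress (an internal ingress for `management` existed in the removed second list entry), and source the key from a Kubernetes Secret — the chart already offers `envValueFrom`/`envSecretNames` — so only a reference lives in git, checking how the template maps `authKey` so the key is not set twice. The top-level `_anchors:` mapping is also passed to Helm as an ordinary value, which is harmless unless a values.schema.json rejects unknown keys. The same ingress list probably appears in values-provider.yaml, whose hunk starts after this chunk.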
@@ -1,722 +0,0 @@ -################################################################################# -# Copyright (c) 2026 ARENA2036 e.V. -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0. -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -################################################################################# - ---- -# Default values for eclipse-dataspace-connector. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -install: - # -- Deploying a PostgreSQL instance - postgresql: true - # -- Deploying a HashiCorp Vault instance - vault: true - -fullnameOverride: "" -nameOverride: "" - -# -- Existing image pull secret to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) -imagePullSecrets: [] -# -- Add some custom labels -customLabels: {} - -participant: - id: "did:web:consumer-idhub.staging.construct-x.net:consumer" - -iatp: - # -- Decentralized IDentifier (DID) of the connector - id: "did:web:changeme" - # -- Configures the trusted issuers for this runtime. 
If no supportedTypes are specified, the value defaults to "*" for that issuer - trustedIssuers: [] - # - id: "did:web:example1.com" - # supportedTypes: - # - "MembershipCredential" - # - "did:web:example2.com" - sts: - div: - # -- URL where connectors can request SI tokens - url: - oauth: - # -- URL where connectors can request OAuth2 access tokens for DIV access - token_url: - client: - # -- Client ID for requesting OAuth2 access token for DIV access - id: - # -- Alias under which the client secret is stored in the vault for requesting OAuth2 access token for DIV access - secret_alias: - didService: - selfRegistration: - # -- Whether Service Self Registration is enabled - enabled: false - # -- Unique id of connector to be used for register / unregister service inside did document (must be valid URI) - id: "did:web:changeme" - # - Configures the Verifiable Presentation cache - cache: - # -- Whether the Verifiable Presentation cache is enabled - enabled: true - # -- Validity of the Verifiable Presentation cache in seconds - validity: 86400 - -# -- Add custom ca certificates to the truststore -customCaCerts: {} - -log4j2: - # -- Whether to enable the json log config in log4j2.config - enableJsonLogs: true - # -- Log4j2 configuration for json log formatting. - config: |- - Appenders: - Console: - name: CONSOLE - JsonTemplateLayout: - eventTemplate: |- - { - "timestamp": { - "$resolver": "timestamp", - "pattern": { - "format": "yyyy-MM-dd'T'HH:mm:ss.SSSSSSS", - "timeZone": "UTC" - } - }, - "level": { - "$resolver": "level", - "field": "severity", - "severity": { - "field": "keyword" - } - }, - "message": { - "$resolver": "message" - } - } - Loggers: - Root: - level: "OFF" - Logger: - name: org.eclipse.edc.monitor.logger - level: DEBUG - AppenderRef: - ref: CONSOLE - -controlplane: - image: - # -- Which derivate of the control plane to use. 
When left empty the deployment will select the correct image automatically - repository: "ghcr.io/project-construct-x/con-x-controlplane-postgresql-hashicorp-vault" - # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use - pullPolicy: IfNotPresent - # -- Overrides the image tag whose default is the chart appVersion - tag: "latest" - # -- Configure ghcr credentials to pull the control plane image - imagePullSecrets: - - name: ghcr-creds - initContainers: [] - debug: - # -- Enables java debugging mode. - enabled: false - # -- Port where the debuggee can connect to. - port: 1044 - # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. - suspendOnStart: false - - logs: - # -- Defines the log granularity of the default Console Monitor. - level: DEBUG - - livenessProbe: - # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) - enabled: true - # -- seconds to wait before performing the first liveness check - initialDelaySeconds: 30 - # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds - periodSeconds: 10 - # -- number of seconds after which the probe times out - timeoutSeconds: 5 - # -- when a probe fails kubernetes will try 6 times before giving up - failureThreshold: 6 - # -- number of consecutive successes for the probe to be considered successful after having failed - successThreshold: 1 - readinessProbe: - # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) - enabled: true - # -- seconds to wait before performing the first readiness check - initialDelaySeconds: 30 - # -- this fields specifies that kubernetes should perform a readiness check every 10 seconds - periodSeconds: 10 - # -- number of seconds after 
which the probe times out - timeoutSeconds: 5 - # -- when a probe fails kubernetes will try 6 times before giving up - failureThreshold: 6 - # -- number of consecutive successes for the probe to be considered successful after having failed - successThreshold: 1 - - # -- endpoints of the control plane - endpoints: - # -- default api for health checks, should not be added to any ingress - default: - # -- port for incoming api calls - port: 8080 - # -- path for incoming api calls - path: /api - # -- data management api, used by internal users, can be added to an ingress and must not be internet facing - management: - # -- port for incoming api calls - port: 8081 - # -- path for incoming api calls - path: /management - # -- authentication key, must be attached to each request as `X-Api-Key` header - authKey: "password" - # -- if the JWKS url is set, the DelegatedAuth service will be engaged - jwksUrl: - - # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not - control: - # -- port for incoming api calls - port: 8083 - # -- path for incoming api calls - path: /control - # -- dsp api, used for inter connector communication and must be internet facing - protocol: - # -- port for incoming api calls - port: 8084 - # -- path for incoming api calls - path: /api/v1/dsp - # -- metrics api, used for application metrics, must not be internet facing - metrics: - # -- port for incoming api calls - port: 9090 - # -- path for incoming api calls - path: /metrics - - bdrs: - # -- Time that a cached BPN/DID resolution map is valid in seconds, default is 600 seconds (10 min) - cache_validity_seconds: 600 - server: - # -- URL of the BPN/DID Resolution Service - url: - - # -- configuration for policy engine - policy: - validation: - enabled: true - - service: - # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as 
a network service. - type: ClusterIP - # -- additional labels for the service - labels: {} - # -- additional annotations for the service - annotations: {} - - # -- additional labels for the pod - podLabels: {} - # -- additional annotations for the pod - podAnnotations: {} - # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment - podSecurityContext: - seccompProfile: - # -- Restrict a Container's Syscalls with seccomp - type: RuntimeDefault - # -- Runs all processes within a pod with a special uid - runAsUser: 10001 - # -- Processes within a pod will belong to this guid - runAsGroup: 10001 - # -- The owner for volumes and any files created within volumes will belong to this guid - fsGroup: 10001 - # The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod - securityContext: - capabilities: - # -- Specifies which capabilities to drop to reduce syscall attack surface - drop: - - ALL - # -- Specifies which capabilities to add to issue specialized syscalls - add: [] - # -- Whether the root filesystem is mounted in read-only mode - readOnlyRootFilesystem: true - # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID - allowPrivilegeEscalation: false - # -- Requires the container to run without root privileges - runAsNonRoot: true - # -- The container's process will run with the specified uid - runAsUser: 10001 - - # -- Extra environment variables that will be pass onto deployment pods - env: {} - # ENV_NAME: value - - # -- "valueFrom" environment variable references that will be added to deployment pods. 
Name is templated. - # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core - envValueFrom: {} - # ENV_NAME: - # configMapKeyRef: - # name: configmap-name - # key: value_key - # secretKeyRef: - # name: secret-name - # key: value_key - - # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from - envSecretNames: [] - # - first-secret - # - second-secret - - # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from - envConfigMapNames: [] - # - first-config-map - # - second-config-map - - # Database schema auto-creation - schema: - autocreate: true - - env: - EDC_IAM_DID_WEB_USE_HTTPS: true - EDC_IAM_ISSUER_ID: did:web:wallet.staging.construct-x.net:user - TX_EDC_POSTGRESQL_MIGRATION_ASSET_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_AGREEMENTBPNS_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_BPN_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_CONTRACTDEFINITION_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_CONTRACTNEGOTIATION_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_DATAPLANEINSTANCE_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_EDR_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_FEDERATEDCATALOG_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_JTI-VALIDATION_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_POLICY-MONITOR_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_POLICY_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_TRANSFERPROCESS_ENABLED: false - EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: usersecret - EDC_IAM_CREDENTIAL_REVOCATION_MIMETYPE: application/json - - ## Ingress declaration to expose the network service. 
- ingresses: - ## Public / Internet facing Ingress - - enabled: false - # -- The hostname to be used to precisely map incoming traffic onto the underlying network service - hostname: "edc-control.local" - # -- Additional ingress annotations to add - annotations: {} - # -- EDC endpoints exposed by this ingress resource - endpoints: - - protocol - # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use - className: "" - # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource - tls: - # -- Enables TLS on the ingress resource - enabled: false - # -- If present overwrites the default secret name - secretName: "" - ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource - certManager: - # -- If preset enables certificate generation via cert-manager namespace scoped issuer - issuer: "" - # -- If preset enables certificate generation via cert-manager cluster-wide issuer - clusterIssuer: "" - ## Private / Intranet facing Ingress - - enabled: false - # -- The hostname to be used to precisely map incoming traffic onto the underlying network service - hostname: "edc-control.intranet" - # -- Additional ingress annotations to add - annotations: {} - # -- EDC endpoints exposed by this ingress resource - endpoints: - - management - - control - # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use - className: "" - # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource - tls: - # -- Enables TLS on the ingress resource - enabled: false - # -- If present overwrites the default secret name - secretName: "" - ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource - certManager: - # -- If preset enables certificate generation via cert-manager namespace scoped 
issuer - issuer: "" - # -- If preset enables certificate generation via cert-manager cluster-wide issuer - clusterIssuer: "" - - # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container - volumeMounts: - # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories - volumes: - - # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container - resources: - limits: - # -- Maximum CPU limit - cpu: 1.5 - # -- Maximum memory limit - memory: 1024Mi - requests: - # -- Initial CPU request - cpu: 500m - # -- Initial memory request - memory: 1024Mi - - replicaCount: 1 - - autoscaling: - # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) - enabled: false - # -- Minimal replicas if resource consumption falls below resource threshholds - minReplicas: 1 - # -- Maximum replicas if resource consumption exceeds resource threshholds - maxReplicas: 100 - # -- targetAverageUtilization of cpu provided to a pod - targetCPUUtilizationPercentage: 80 - # -- targetAverageUtilization of memory provided to a pod - targetMemoryUtilizationPercentage: 80 - - # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics - opentelemetry: |- - otel.javaagent.enabled=false - otel.javaagent.debug=false - - # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes - nodeSelector: {} - # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes - tolerations: [] - # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which 
nodes the pods can be scheduled on - affinity: {} - - url: - # -- Explicitly declared url for reaching the dsp api (e.g. if ingresses not used) - protocol: "" - -dataplane: - image: - # -- Which derivate of the data plane to use. when left empty the deployment will select the correct image automatically - repository: "ghcr.io/project-construct-x/con-x-dataplane-postgresql-hashicorp-vault" - # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use - pullPolicy: IfNotPresent - # -- Overrides the image tag whose default is the chart appVersion - tag: "latest" - # -- Configure ghcr credentials to pull the control plane image - imagePullSecrets: - - name: ghcr-creds - initContainers: [] - debug: - # -- Enables java debugging mode. - enabled: false - # -- Port where the debuggee can connect to. - port: 1044 - # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. - suspendOnStart: false - - logs: - # -- Defines the log granularity of the default Console Monitor. 
- level: DEBUG - - livenessProbe: - # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) - enabled: true - # -- seconds to wait before performing the first liveness check - initialDelaySeconds: 30 - # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds - periodSeconds: 10 - # -- number of seconds after which the probe times out - timeoutSeconds: 5 - # -- when a probe fails kubernetes will try 6 times before giving up - failureThreshold: 6 - # -- number of consecutive successes for the probe to be considered successful after having failed - successThreshold: 1 - readinessProbe: - # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) - enabled: true - # -- seconds to wait before performing the first readiness check - initialDelaySeconds: 30 - # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds - periodSeconds: 10 - # -- number of seconds after which the probe times out - timeoutSeconds: 5 - # -- when a probe fails kubernetes will try 6 times before giving up - failureThreshold: 6 - # -- number of consecutive successes for the probe to be considered successful after having failed - successThreshold: 1 - - service: - # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. 
- type: ClusterIP - # -- additional labels for the service - labels: {} - # -- additional annotations for the service - annotations: {} - - # -- endpoints of the dataplane - endpoints: - # -- default api for health checks, should not be added to any ingress - default: - # -- port for incoming api calls - port: 8080 - # -- path for incoming api calls - path: /api - # -- public endpoint where the data can be fetched from if HttpPull was used. Must be internet facing. - public: - # -- port for incoming api calls - port: 8081 - # -- path for incoming api calls - path: /api/public - # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not - control: - # -- port for incoming api calls - port: 8084 - # -- path for incoming api calls - path: /api/control - proxy: - # -- port for incoming api calls - port: 8186 - # -- path for incoming api calls - path: /proxy - # -- authentication key, must be attached to each request as `X-Api-Key` header - authKey: "password" - # -- metrics api, used for application metrics, must not be internet facing - metrics: - # -- port for incoming api calls - port: 9090 - # -- path for incoming api calls - path: /metrics - - token: - refresh: - # -- TTL in seconds for access tokens (also known as EDR token) - expiry_seconds: 300 - # -- Tolerance for token expiry in seconds - expiry_tolerance_seconds: 10 - # -- Optional endpoint for an OAuth2 token refresh. 
Default endpoint is `/token` - refresh_endpoint: - signer: - # -- Alias under which the private key (JWK or PEM format) is stored in the vault - privatekey_alias: priv - verifier: - # -- Alias under which the public key (JWK or PEM format) is stored in the vault, that belongs to the private key which was referred to at `dataplane.token.signer.privatekey_alias` - publickey_alias: pub - - # Database schema auto-creation - schema: - autocreate: true - - aws: - endpointOverride: "" - accessKeyId: "" - secretAccessKey: "" - - # -- additional labels for the pod - podLabels: {} - # -- additional annotations for the pod - podAnnotations: {} - # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment - podSecurityContext: - seccompProfile: - # -- Restrict a Container's Syscalls with seccomp - type: RuntimeDefault - # -- Runs all processes within a pod with a special uid - runAsUser: 10001 - # -- Processes within a pod will belong to this guid - runAsGroup: 10001 - # -- The owner for volumes and any files created within volumes will belong to this guid - fsGroup: 10001 - # -- The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod - securityContext: - capabilities: - # -- Specifies which capabilities to drop to reduce syscall attack surface - drop: - - ALL - # -- Specifies which capabilities to add to issue specialized syscalls - add: [] - # -- Whether the root filesystem is mounted in read-only mode - readOnlyRootFilesystem: true - # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID - allowPrivilegeEscalation: false - # 
-- Requires the container to run without root privileges - runAsNonRoot: true - # -- The container's process will run with the specified uid - runAsUser: 10001 - - # -- Extra environment variables that will be pass onto deployment pods - env: - EDC_IAM_DID_WEB_USE_HTTPS: true - EDC_DATA_PLANE_SELF_UNREGISTRATION: true - EDC_IAM_CREDENTIAL_REVOCATION_MIMETYPE: application/json - EDC_IAM_ISSUER_ID: did:web:wallet.staging.construct-x.net:user - EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: did:web:issuer-wallet.staging.construct-x.net:issuer - EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: usersecret - - # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. - # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core - envValueFrom: {} - # ENV_NAME: - # configMapKeyRef: - # name: configmap-name - # key: value_key - # secretKeyRef: - # name: secret-name - # key: value_key - - # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from - envSecretNames: [] - # - first-secret - # - second-secret - - # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from - envConfigMapNames: [] - # - first-config-map - # - second-config-map - - schema: - autocreate: true - - ## Ingress declaration to expose the network service. 
- ingresses: - ## Public / Internet facing Ingress - - enabled: false - # -- The hostname to be used to precisely map incoming traffic onto the underlying network service - hostname: "edc-data.local" - # -- Additional ingress annotations to add - annotations: {} - # -- EDC endpoints exposed by this ingress resource - endpoints: - - public - # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use - className: "" - # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource - tls: - # -- Enables TLS on the ingress resource - enabled: false - # -- If present overwrites the default secret name - secretName: "" - ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource - certManager: - # -- If preset enables certificate generation via cert-manager namespace scoped issuer - issuer: "" - # -- If preset enables certificate generation via cert-manager cluster-wide issuer - clusterIssuer: "" - - # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container - volumeMounts: - # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories - volumes: - - # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container - resources: - limits: - # -- Maximum CPU limit - cpu: 1.5 - # -- Maximum memory limit - memory: 1024Mi - requests: - # -- Initial CPU request - cpu: 500m - # -- Initial memory request - memory: 1024Mi - - replicaCount: 1 - - autoscaling: - # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) - enabled: false - # -- Minimal replicas if resource consumption falls below resource threshholds - minReplicas: 1 - # -- Maximum replicas if resource 
consumption exceeds resource threshholds - maxReplicas: 100 - # -- targetAverageUtilization of cpu provided to a pod - targetCPUUtilizationPercentage: 80 - # -- targetAverageUtilization of memory provided to a pod - targetMemoryUtilizationPercentage: 80 - - # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics - opentelemetry: |- - otel.javaagent.enabled=false - otel.javaagent.debug=false - - # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes - nodeSelector: {} - # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes - tolerations: [] - # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on - affinity: {} - url: - # -- Explicitly declared url for reaching the public api (e.g. if ingresses not used) - public: "" - -postgresql: - image: - repository: "bitnamilegacy/postgresql" - tag: "16.2.0-debian-12-r10" - jdbcUrl: "jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc" - primary: - persistence: - enabled: false - readReplicas: - persistence: - enabled: false - auth: - database: "edc" - username: "user" - password: "password" - -vault: - injector: - enabled: false - server: - dev: - enabled: true - devRootToken: "root" - postStart: # must be set externally! 
- hashicorp: - url: "http://{{ .Release.Name }}-vault:8200" - token: "root" - timeout: 30 - healthCheck: - enabled: true - standbyOk: true - paths: - secret: /v1/secret - health: /v1/sys/health - folder: "" - -networkPolicy: - # -- If `true` network policy will be created to restrict access to control- and dataplane - enabled: false - # -- Configuration of the controlplane component - controlplane: - # -- Specify from rule network policy for cp (defaults to all namespaces) - from: - - namespaceSelector: {} - # -- Configuration of the dataplane component - dataplane: - # -- Specify from rule network policy for dp (defaults to all namespaces) - from: - - namespaceSelector: {} - -serviceAccount: - # -- Specifies whether a service account should be created - create: true - # -- Annotations to add to the service account - annotations: {} - # -- The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" - # -- Existing image pull secret bound to the service account to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) - imagePullSecrets: [] - -# -- Configurations for Helm tests -tests: - # -- Configure the hook-delete-policy for Helm tests - hookDeletePolicy: before-hook-creation,hook-succeeded diff --git a/charts/tractusx-connector/values-provider.yaml b/charts/tractusx-connector/values-provider.yaml index 7405038c5d..a97155e18e 100644 --- a/charts/tractusx-connector/values-provider.yaml +++ b/charts/tractusx-connector/values-provider.yaml 
@@ -1,95 +1,96 @@ +_anchors: + connectorId: &connectorId did:web:provider-idhub.staging.construct-x.net:provider + secretAlias: &secretAlias providersecret + trustedIssuerId: &trustedIssuerId did:web:local-issuer-service.staging.construct-x.net:issuer + clusterIssuer: &clusterIssuer letsencrypt-staging + ingressClass: &ingressClass nginx + imagePullSecret: &imagePullSecret registry-creds + controlplaneFqdn: &controlplaneFqdn provider-conn-controlplane.staging.construct-x.net + dataplaneFqdn: &dataplaneFqdn provider-conn-dataplane.staging.construct-x.net + nameOverride: provider-conn + participant: - id: did:web:provider-idhub.staging.construct-x.net:provider + id: *connectorId + iatp: - id: did:web:provider-idhub.staging.construct-x.net:provider - trustedIssuerId: did:web:local-issuer-service.staging.construct-x.net:issuer + id: *connectorId + trustedIssuerId: *trustedIssuerId trustedIssuers: - - id: did:web:local-issuer-service.staging.construct-x.net:issuer + - id: *trustedIssuerId sts: oauth: token_url: https://provider-idhub.staging.construct-x.net/api/sts/token client: - id: did:web:provider-idhub.staging.construct-x.net:provider - secret_alias: providersecret + id: *connectorId + secret_alias: *secretAlias didService: selfRegistration: - id: did:web:provider-idhub.staging.construct-x.net:provider + id: *connectorId + controlplane: - nameOverride: provider-conn-controlplane - enabled: true hostname: provider-conn-controlplane image: repository: registry.onstackit.cloud/constructx/con-x-controlplane-postgresql-hashicorp-vault imagePullSecrets: - - name: registry-creds + - name: *imagePullSecret + endpoints: + management: + authKey: provider-conn-controlplane-management-password env: - EDC_IAM_ISSUER_ID: did:web:provider-idhub.staging.construct-x.net:provider - EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: providersecret + EDC_IAM_ISSUER_ID: *connectorId + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: *secretAlias ingresses: - enabled: true - hostname: 
provider-conn-controlplane.staging.construct-x.net - className: nginx + hostname: *controlplaneFqdn annotations: - cert-manager.io/cluster-issuer: letsencrypt-staging - external-dns.alpha.kubernetes.io/hostname: provider-conn-controlplane.staging.construct-x.net + cert-manager.io/cluster-issuer: *clusterIssuer + external-dns.alpha.kubernetes.io/hostname: *controlplaneFqdn external-dns.alpha.kubernetes.io/ttl: "300" endpoints: - default - management - - public - protocol - validation - metrics + className: *ingressClass tls: enabled: true secretName: provider-conn-cp-tls certManager: - clusterIssuer: letsencrypt-staging - - enabled: false - hostname: provider-conn-controlplane.staging.construct-x.net - endpoints: - - control - className: nginx - tls: - enabled: false - secretName: "provider-conn-cp-tls" - certManager: - clusterIssuer: letsencrypt-staging - url: - control: https://provider-conn-controlplane.staging.construct-x.net/control + clusterIssuer: *clusterIssuer + dataplane: - nameOverride: provider-conn-dataplane - enabled: true hostname: provider-conn-dataplane image: repository: registry.onstackit.cloud/constructx/con-x-dataplane-postgresql-hashicorp-vault imagePullSecrets: - - name: registry-creds + - name: *imagePullSecret token: signer: privatekey_alias: prov_priv verifier: publickey_alias: prov_pub env: - EDC_IAM_ISSUER_ID: did:web:provider-idhub.staging.construct-x.net:provider - EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: did:web:local-issuer-service.staging.construct-x.net:issuer - EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: providersecret + EDC_IAM_ISSUER_ID: *connectorId + EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: *trustedIssuerId + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: *secretAlias ingresses: - enabled: true - hostname: provider-conn-dataplane.staging.construct-x.net - className: nginx + hostname: *dataplaneFqdn annotations: - cert-manager.io/cluster-issuer: letsencrypt-staging - external-dns.alpha.kubernetes.io/hostname: 
provider-conn-dataplane.staging.construct-x.net + cert-manager.io/cluster-issuer: *clusterIssuer + external-dns.alpha.kubernetes.io/hostname: *dataplaneFqdn external-dns.alpha.kubernetes.io/ttl: "300" endpoints: - public + className: *ingressClass tls: enabled: true secretName: provider-conn-dp-tls certManager: - clusterIssuer: letsencrypt-staging + clusterIssuer: *clusterIssuer + postgresql: primary: persistence: diff --git a/charts/tractusx-connector/values.yaml b/charts/tractusx-connector/values.yaml index d2f1f5d043..5dc452227e 100644 --- a/charts/tractusx-connector/values.yaml +++ b/charts/tractusx-connector/values.yaml @@ -37,11 +37,13 @@ imagePullSecrets: [] customLabels: {} participant: - id: "did:web:wallet.staging.construct-x.net:user" + id: "did:web:changeme" iatp: # -- Decentralized IDentifier (DID) of the connector id: "did:web:changeme" + # -- ID of the trusted issuer that is used for SI token validation (maps to EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID) + trustedIssuerId: "" # -- Configures the trusted issuers for this runtime. If no supportedTypes are specified, the value defaults to "*" for that issuer trustedIssuers: [] # - id: "did:web:example1.com" @@ -117,6 +119,8 @@ log4j2: controlplane: nameOverride: "" fullnameOverride: "" + # -- hostname where the controlplane is reachable + hostname: "" image: # -- Which derivate of the control plane to use. When left empty the deployment will select the correct image automatically repository: "ghcr.io/project-construct-x/con-x-controlplane-postgresql-hashicorp-vault" 
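Review bot: The new `controlplane.endpoints.management.authKey: provider-conn-controlplane-management-password` in this hunk commits the management API key as a guessable plaintext literal in a values file, and the consumer values file in the same patch carries the matching key. A value that guards the management API should come from a pre-created Secret, or be left empty so the deployment fails without an explicit per-environment override, rather than live in the repository. Patch 08 later in this series removes the override again from both overlays, which resolves the point.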
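Review bot: `iatp.trustedIssuerId: ""` in the values.yaml hunk is an empty default for a value the chart treats as mandatory for SI token validation; if the deployment template reads it through `required`, stock values no longer pass `helm template` or `helm lint`. A placeholder consistent with the adjacent `iatp.id`, e.g. `trustedIssuerId: "did:web:changeme"`, keeps the default renderable while still forcing an override. The doc comment could also state the contract: `# -- DID of the issuer whose credentials are trusted (EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID); must be overridden per environment`.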
@@ -263,8 +267,24 @@ controlplane: # -- The container's process will run with the specified uid runAsUser: 10001 - # -- Extra environment variables that will be pass onto deployment pods - # ENV_NAME: value + # -- Extra environment variables that will be passed onto deployment pods + env: + EDC_IAM_DID_WEB_USE_HTTPS: true + EDC_IAM_ISSUER_ID: did:web:wallet.staging.construct-x.net:user + TX_EDC_POSTGRESQL_MIGRATION_ASSET_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_AGREEMENTBPNS_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_BPN_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_CONTRACTDEFINITION_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_CONTRACTNEGOTIATION_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_DATAPLANEINSTANCE_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_EDR_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_FEDERATEDCATALOG_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_JTI-VALIDATION_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_POLICY-MONITOR_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_POLICY_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_TRANSFERPROCESS_ENABLED: false + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: usersecret + EDC_IAM_CREDENTIAL_REVOCATION_MIMETYPE: application/json # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core 
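Review bot: The `controlplane.env` block moved into the chart's stock values now hard-codes a staging-specific identity, `EDC_IAM_ISSUER_ID: did:web:wallet.staging.construct-x.net:user` and `EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: usersecret`, so any install that does not override `controlplane.env` presents a foreign issuer DID even though `iatp.id` defaults to `did:web:changeme`. Those two environment-specific entries belong in the consumer/provider overlays, leaving the default `env` with only the migration toggles. The bare booleans (`EDC_IAM_DID_WEB_USE_HTTPS: true` and the `..._ENABLED: false` rows) should be written as `"true"`/`"false"` unless the template pipes every value through `quote`, since Kubernetes rejects non-string env values.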
@@ -291,24 +311,6 @@ controlplane: schema: autocreate: true - env: - EDC_IAM_DID_WEB_USE_HTTPS: true - EDC_IAM_ISSUER_ID: did:web:wallet.staging.construct-x.net:user - TX_EDC_POSTGRESQL_MIGRATION_ASSET_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_AGREEMENTBPNS_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_BPN_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_CONTRACTDEFINITION_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_CONTRACTNEGOTIATION_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_DATAPLANEINSTANCE_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_EDR_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_FEDERATEDCATALOG_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_JTI-VALIDATION_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_POLICY-MONITOR_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_POLICY_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_TRANSFERPROCESS_ENABLED: false - EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: usersecret - EDC_IAM_CREDENTIAL_REVOCATION_MIMETYPE: application/json - ## Ingress declaration to expose the network service. ingresses: ## Public / Internet facing Ingress @@ -410,6 +412,8 @@ controlplane: dataplane: nameOverride: "" fullnameOverride: "" + # -- hostname where the dataplane is reachable + hostname: "" image: # -- Which derivate of the data plane to use. when left empty the deployment will select the correct image automatically repository: "ghcr.io/project-construct-x/con-x-dataplane-postgresql-hashicorp-vault" @@ -494,6 +498,14 @@ dataplane: port: 9510 # -- path for incoming api calls path: /management + # -- proxy api for consumer data transfer + proxy: + # -- port for incoming api calls + port: 9511 + # -- path for incoming api calls + path: /proxy + # -- authentication key, must be attached to each request as `X-Api-Key` header + authKey: "password" # -- metrics api, used for application metrics, must not be internet facing metrics: # -- port for incoming api calls 
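Review bot: The new `dataplane.endpoints.proxy.authKey: "password"` ships a fixed, well-known API key as the chart default for the proxy API, which later patches in this series place on the internet-facing dataplane ingress; anyone who installs without overriding it gets a publicly reachable endpoint behind a guessable key. Default it to `authKey: ""` and have the template reject an empty value with `required`, or take the key from a pre-created Secret. The doc comment should say so: `# -- API key sent as X-Api-Key; no usable default, must be set per environment`.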
@@ -510,11 +522,11 @@ dataplane: # -- Optional endpoint for an OAuth2 token refresh. Default endpoint is `/token` refresh_endpoint: signer: - # -- Alias under which the private key (JWK or PEM format) is stored in the vault - privatekey_alias: priv + # -- Alias under which the private key (JWK or PEM format) is stored in the vault + privatekey_alias: priv verifier: - # -- Alias under which the public key (JWK or PEM format) is stored in the vault, that belongs to the private key which was referred to at `dataplane.token.signer.privatekey_alias` - publickey_alias: pub + # -- Alias under which the public key (JWK or PEM format) is stored in the vault, that belongs to the private key which was referred to at `dataplane.token.signer.privatekey_alias` + publickey_alias: pub # Database schema auto-creation schema: @@ -557,7 +569,7 @@ dataplane: # -- The container's process will run with the specified uid runAsUser: 10001 - # -- Extra environment variables that will be pass onto deployment pods + # -- Extra environment variables that will be passed onto deployment pods env: EDC_IAM_DID_WEB_USE_HTTPS: true EDC_DATA_PLANE_SELF_UNREGISTRATION: true @@ -587,9 +599,6 @@ dataplane: # - first-config-map # - second-config-map - schema: - autocreate: true - ## Ingress declaration to expose the network service. ingresses: ## Public / Internet facing Ingress From 68e05b3391f4eb57b165dc2f4ec8c739844221be Mon Sep 17 00:00:00 2001 From: Dennis Borrmann Date: Mon, 15 Jun 2026 15:04:37 +0200 Subject: [PATCH 07/17] private/public ingress --- .../tractusx-connector/values-consumer.yaml | 40 +++++++++++++++++-- .../tractusx-connector/values-provider.yaml | 40 +++++++++++++++++-- charts/tractusx-connector/values.yaml | 34 ++++++++++++++-- 3 files changed, 105 insertions(+), 9 deletions(-) diff --git a/charts/tractusx-connector/values-consumer.yaml b/charts/tractusx-connector/values-consumer.yaml index f1182468c3..e5c6a64ab1 100644 --- a/charts/tractusx-connector/values-consumer.yaml 
+++ b/charts/tractusx-connector/values-consumer.yaml @@ -39,6 +39,7 @@ controlplane: EDC_IAM_ISSUER_ID: *connectorId EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: *secretAlias ingresses: + ## Public / Internet facing Ingress - enabled: true hostname: *controlplaneFqdn annotations: @@ -46,15 +47,29 @@ controlplane: external-dns.alpha.kubernetes.io/hostname: *controlplaneFqdn external-dns.alpha.kubernetes.io/ttl: "300" endpoints: - - default - - management - protocol + className: *ingressClass + tls: + enabled: true + secretName: consumer-conn-cp-tls + certManager: + clusterIssuer: *clusterIssuer + ## Private / Intranet facing Ingress + - enabled: false + hostname: *controlplaneFqdn + annotations: + cert-manager.io/cluster-issuer: *clusterIssuer + external-dns.alpha.kubernetes.io/hostname: *controlplaneFqdn + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - management + - control - validation - metrics className: *ingressClass tls: enabled: true - secretName: consumer-conn-cp-tls + secretName: consumer-conn-cp-int-tls certManager: clusterIssuer: *clusterIssuer @@ -72,6 +87,7 @@ dataplane: EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: *trustedIssuerId EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: *secretAlias ingresses: + ## Public / Internet facing Ingress - enabled: true hostname: *dataplaneFqdn annotations: 
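Review bot: The "Private / Intranet facing Ingress" added in the `@@ -46,15 +47,29 @@` hunk reuses `hostname: *controlplaneFqdn` and the same `className: *ingressClass` as the public ingress, so once it is switched to `enabled: true` the management, control, validation and metrics endpoints are served on the public FQDN through the same controller — it is private in name only, and two Ingress objects then claim one host with different TLS secrets (`consumer-conn-cp-tls` vs `consumer-conn-cp-int-tls`), which cert-manager and most controllers resolve unpredictably. Add a separate anchor under the top-level anchors map, e.g. `controlplaneInternalFqdn: &controlplaneInternalFqdn <internal-hostname-placeholder>`, and use it for `hostname` and the `external-dns.alpha.kubernetes.io/hostname` annotation, ideally together with an internal ingress class. The dataplane private ingress in the next hunk (`consumer-conn-dp-int-tls`) and both provider hunks below share the same pattern.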
@@ -80,12 +96,30 @@ dataplane: external-dns.alpha.kubernetes.io/ttl: "300" endpoints: - public + - proxy className: *ingressClass tls: enabled: true secretName: consumer-conn-dp-tls certManager: clusterIssuer: *clusterIssuer + ## Private / Intranet facing Ingress + - enabled: false + hostname: *dataplaneFqdn + annotations: + cert-manager.io/cluster-issuer: *clusterIssuer + external-dns.alpha.kubernetes.io/hostname: *dataplaneFqdn + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - management + - control + - metrics + className: *ingressClass + tls: + enabled: true + secretName: consumer-conn-dp-int-tls + certManager: + clusterIssuer: *clusterIssuer postgresql: primary: diff --git a/charts/tractusx-connector/values-provider.yaml b/charts/tractusx-connector/values-provider.yaml index a97155e18e..9e8bf80283 100644 --- a/charts/tractusx-connector/values-provider.yaml +++ b/charts/tractusx-connector/values-provider.yaml @@ -41,6 +41,7 @@ controlplane: EDC_IAM_ISSUER_ID: *connectorId EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: *secretAlias ingresses: + ## Public / Internet facing Ingress - enabled: true hostname: *controlplaneFqdn annotations: @@ -48,15 +49,29 @@ controlplane: external-dns.alpha.kubernetes.io/hostname: *controlplaneFqdn external-dns.alpha.kubernetes.io/ttl: "300" endpoints: - - default - - management - protocol + className: *ingressClass + tls: + enabled: true + secretName: provider-conn-cp-tls + certManager: + clusterIssuer: *clusterIssuer + ## Private / Intranet facing Ingress + - enabled: false + hostname: *controlplaneFqdn + annotations: + cert-manager.io/cluster-issuer: *clusterIssuer + external-dns.alpha.kubernetes.io/hostname: *controlplaneFqdn + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - management + - control - validation - metrics className: *ingressClass tls: enabled: true - secretName: provider-conn-cp-tls + secretName: provider-conn-cp-int-tls certManager: clusterIssuer: *clusterIssuer 
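Review bot: Adding `- proxy` to the internet-facing dataplane ingress in this hunk exposes the proxy API publicly, while nothing in the consumer overlay sets `dataplane.endpoints.proxy.authKey`, so the deployment inherits the chart default (`"password"` in values.yaml as of patch 01). Either set the key in this overlay from an environment-specific Secret, or keep `proxy` off the public ingress until it is; the provider dataplane hunk that follows has the same gap.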
@@ -76,6 +91,7 @@ dataplane: EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: *trustedIssuerId EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: *secretAlias ingresses: + ## Public / Internet facing Ingress - enabled: true hostname: *dataplaneFqdn annotations: @@ -84,12 +100,30 @@ dataplane: external-dns.alpha.kubernetes.io/ttl: "300" endpoints: - public + - proxy className: *ingressClass tls: enabled: true secretName: provider-conn-dp-tls certManager: clusterIssuer: *clusterIssuer + ## Private / Intranet facing Ingress + - enabled: false + hostname: *dataplaneFqdn + annotations: + cert-manager.io/cluster-issuer: *clusterIssuer + external-dns.alpha.kubernetes.io/hostname: *dataplaneFqdn + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - management + - control + - metrics + className: *ingressClass + tls: + enabled: true + secretName: provider-conn-dp-int-tls + certManager: + clusterIssuer: *clusterIssuer postgresql: primary: diff --git a/charts/tractusx-connector/values.yaml b/charts/tractusx-connector/values.yaml index 5dc452227e..d0db2aaa40 100644 --- a/charts/tractusx-connector/values.yaml +++ b/charts/tractusx-connector/values.yaml @@ -314,7 +314,7 @@ controlplane: ## Ingress declaration to expose the network service. ingresses: ## Public / Internet facing Ingress - - enabled: false + - enabled: true # -- The hostname to be used to precisely map incoming traffic onto the underlying network service hostname: "edc-control.local" # -- Additional ingress annotations to add @@ -337,7 +337,7 @@ controlplane: # -- If preset enables certificate generation via cert-manager cluster-wide issuer clusterIssuer: "" ## Private / Intranet facing Ingress - - enabled: false + - enabled: true # -- The hostname to be used to precisely map incoming traffic onto the underlying network service hostname: "edc-control.intranet" # -- Additional ingress annotations to add 
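Review bot: Flipping the stock `controlplane.ingresses` entries from `enabled: false` to `enabled: true` (both values.yaml hunks here, and the dataplane ones that follow) makes every install of the chart create Ingress objects for `edc-control.local`, `edc-control.intranet` and the data-plane equivalents with `tls.enabled: false` and an empty `className`, including the intranet ingress that carries management, control and metrics. Chart defaults should stay `enabled: false`; the consumer/provider overlays, which already set real hostnames and TLS, are the place to turn them on. Revert each of the four toggles to `- enabled: false`.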
@@ -346,6 +346,8 @@ controlplane: endpoints: - management - control + - validation + - metrics # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use className: "" # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource @@ -602,7 +604,7 @@ dataplane: ## Ingress declaration to expose the network service. ingresses: ## Public / Internet facing Ingress - - enabled: false + - enabled: true # -- The hostname to be used to precisely map incoming traffic onto the underlying network service hostname: "edc-data.local" # -- Additional ingress annotations to add 
@@ -610,6 +612,32 @@ dataplane: # -- EDC endpoints exposed by this ingress resource endpoints: - public + - proxy + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + className: "" + # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource + tls: + # -- Enables TLS on the ingress resource + enabled: false + # -- If present overwrites the default secret name + secretName: "" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via cert-manager namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "" + ## Private / Intranet facing Ingress + - enabled: true + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "edc-data.intranet" + # -- Additional ingress annotations to add + annotations: {} + # -- EDC endpoints exposed by this ingress resource + endpoints: + - management + - control + - metrics # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use className: "" # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource From fd098ea1703bbbc39fb7778b6e643d7159dab472 Mon Sep 17 00:00:00 2001 From: Dennis Borrmann Date: Mon, 15 Jun 2026 15:06:17 +0200 Subject: [PATCH 08/17] remove pw override --- charts/tractusx-connector/values-consumer.yaml | 3 --- charts/tractusx-connector/values-provider.yaml | 3 --- 2 files changed, 6 deletions(-) diff --git a/charts/tractusx-connector/values-consumer.yaml b/charts/tractusx-connector/values-consumer.yaml index e5c6a64ab1..ee06172f34 100644 --- a/charts/tractusx-connector/values-consumer.yaml 
+++ b/charts/tractusx-connector/values-consumer.yaml @@ -32,9 +32,6 @@ controlplane: hostname: consumer-conn-controlplane imagePullSecrets: - name: *imagePullSecret - endpoints: - management: - authKey: consumer-conn-controlplane-management-password env: EDC_IAM_ISSUER_ID: *connectorId EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: *secretAlias diff --git a/charts/tractusx-connector/values-provider.yaml b/charts/tractusx-connector/values-provider.yaml index 9e8bf80283..69357b78b8 100644 --- a/charts/tractusx-connector/values-provider.yaml +++ b/charts/tractusx-connector/values-provider.yaml @@ -34,9 +34,6 @@ controlplane: repository: registry.onstackit.cloud/constructx/con-x-controlplane-postgresql-hashicorp-vault imagePullSecrets: - name: *imagePullSecret - endpoints: - management: - authKey: provider-conn-controlplane-management-password env: EDC_IAM_ISSUER_ID: *connectorId EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: *secretAlias From 69acebc6f85ea8be2a76a4ec9591e95fc5599243 Mon Sep 17 00:00:00 2001 From: Dennis Borrmann Date: Mon, 15 Jun 2026 15:10:14 +0200 Subject: [PATCH 09/17] done --- charts/tractusx-connector/values-provider.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/charts/tractusx-connector/values-provider.yaml b/charts/tractusx-connector/values-provider.yaml index 69357b78b8..8c62c2addb 100644 --- a/charts/tractusx-connector/values-provider.yaml +++ b/charts/tractusx-connector/values-provider.yaml @@ -30,8 +30,6 @@ iatp: controlplane: hostname: provider-conn-controlplane - image: - repository: registry.onstackit.cloud/constructx/con-x-controlplane-postgresql-hashicorp-vault imagePullSecrets: - name: *imagePullSecret env: @@ -74,8 +72,6 @@ controlplane: dataplane: hostname: provider-conn-dataplane - image: - repository: registry.onstackit.cloud/constructx/con-x-dataplane-postgresql-hashicorp-vault imagePullSecrets: - name: *imagePullSecret token: From 0d00f53c8197ab9e8945293fa5334e54d2317b12 Mon Sep 17 00:00:00 2001 
From: Dennis Borrmann Date: Mon, 15 Jun 2026 15:22:45 +0200 Subject: [PATCH 10/17] _anchor => shared --- charts/tractusx-connector/values-consumer.yaml | 2 +- charts/tractusx-connector/values-provider.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/tractusx-connector/values-consumer.yaml b/charts/tractusx-connector/values-consumer.yaml index ee06172f34..9f27c11b04 100644 --- a/charts/tractusx-connector/values-consumer.yaml +++ b/charts/tractusx-connector/values-consumer.yaml @@ -1,4 +1,4 @@ -_anchors: +shared: connectorId: &connectorId did:web:consumer-idhub.staging.construct-x.net:consumer secretAlias: &secretAlias consumersecret trustedIssuerId: &trustedIssuerId did:web:local-issuer-service.staging.construct-x.net:issuer diff --git a/charts/tractusx-connector/values-provider.yaml b/charts/tractusx-connector/values-provider.yaml index 8c62c2addb..e173683eff 100644 --- a/charts/tractusx-connector/values-provider.yaml +++ b/charts/tractusx-connector/values-provider.yaml @@ -1,4 +1,4 @@ -_anchors: +shared: connectorId: &connectorId did:web:provider-idhub.staging.construct-x.net:provider secretAlias: &secretAlias providersecret trustedIssuerId: &trustedIssuerId did:web:local-issuer-service.staging.construct-x.net:issuer From fbea8cb6eec9bf50ffbc7d00890cad0861874044 Mon Sep 17 00:00:00 2001 From: Saud Khan Date: Mon, 15 Jun 2026 23:21:09 +0200 Subject: [PATCH 11/17] chore: fixed issues to the post install configmap-volume-mount and imagePullSecrets references --- .../tractusx-connector/templates/deployment-controlplane.yaml | 2 +- charts/tractusx-connector/templates/deployment-dataplane.yaml | 2 +- .../tractusx-connector/templates/post-install-vault-setup.yaml | 2 +- charts/tractusx-connector/templates/vault-edc-configmap.yaml | 2 +- charts/tractusx-connector/values-consumer.yaml | 1 + charts/tractusx-connector/values-provider.yaml | 1 + 6 files changed, 6 insertions(+), 4 deletions(-) 
diff --git a/charts/tractusx-connector/templates/deployment-controlplane.yaml b/charts/tractusx-connector/templates/deployment-controlplane.yaml index 0dc39d20b8..29c619cf90 100644 --- a/charts/tractusx-connector/templates/deployment-controlplane.yaml +++ b/charts/tractusx-connector/templates/deployment-controlplane.yaml @@ -48,7 +48,7 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: - {{- with .Values.imagePullSecrets }} + {{- with .Values.controlplane.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/charts/tractusx-connector/templates/deployment-dataplane.yaml b/charts/tractusx-connector/templates/deployment-dataplane.yaml index 52994579b0..9f7d234f39 100644 --- a/charts/tractusx-connector/templates/deployment-dataplane.yaml +++ b/charts/tractusx-connector/templates/deployment-dataplane.yaml @@ -49,7 +49,7 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: - {{- with .Values.imagePullSecrets }} + {{- with .Values.dataplane.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/charts/tractusx-connector/templates/post-install-vault-setup.yaml b/charts/tractusx-connector/templates/post-install-vault-setup.yaml index 95ef637415..7c01ea8523 100644 --- a/charts/tractusx-connector/templates/post-install-vault-setup.yaml +++ b/charts/tractusx-connector/templates/post-install-vault-setup.yaml @@ -17,7 +17,7 @@ # # SPDX-License-Identifier: Apache-2.0 ################################################################################# - +--- {{- $vaultToken := index .Values "vault" "hashicorp" "token" -}} {{- $vaultUrl := tpl (index .Values "vault" "hashicorp" "url") . -}} {{- $fullName := .Values.nameOverride -}} diff --git a/charts/tractusx-connector/templates/vault-edc-configmap.yaml b/charts/tractusx-connector/templates/vault-edc-configmap.yaml index 8ab4a9c291..59148063ed 100644 --- a/charts/tractusx-connector/templates/vault-edc-configmap.yaml 
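Review bot: Switching the controlplane and dataplane deployments to `.Values.controlplane.imagePullSecrets` / `.Values.dataplane.imagePullSecrets` silently drops the chart-level `imagePullSecrets: []` that values.yaml still declares, so existing installs that set only the top-level key lose their registry credentials and pods end up in ImagePullBackOff. Keep the old key as a fallback, `{{- with (.Values.controlplane.imagePullSecrets | default .Values.imagePullSecrets) }}` (and the dataplane twin), or remove the top-level key and document the move. Both deployment hunks are fully shown here; the pod spec they sit in continues outside them.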
+++ b/charts/tractusx-connector/templates/vault-edc-configmap.yaml @@ -17,7 +17,7 @@ # # SPDX-License-Identifier: Apache-2.0 ################################################################################# - +--- {{- $fullName := .Values.nameOverride -}} apiVersion: v1 kind: ConfigMap diff --git a/charts/tractusx-connector/values-consumer.yaml b/charts/tractusx-connector/values-consumer.yaml index 9f27c11b04..a1fa0e4c27 100644 --- a/charts/tractusx-connector/values-consumer.yaml +++ b/charts/tractusx-connector/values-consumer.yaml @@ -9,6 +9,7 @@ shared: dataplaneFqdn: &dataplaneFqdn consumer-conn-dataplane.staging.construct-x.net nameOverride: consumer-conn +fullnameOverride: consumer-conn participant: id: *connectorId diff --git a/charts/tractusx-connector/values-provider.yaml b/charts/tractusx-connector/values-provider.yaml index e173683eff..c04ccfd1b0 100644 --- a/charts/tractusx-connector/values-provider.yaml +++ b/charts/tractusx-connector/values-provider.yaml @@ -9,6 +9,7 @@ shared: dataplaneFqdn: &dataplaneFqdn provider-conn-dataplane.staging.construct-x.net nameOverride: provider-conn +fullnameOverride: provider-conn participant: id: *connectorId From cdf5c006ef8255e8edbf5351171c9f5517f61227 Mon Sep 17 00:00:00 2001 From: Dennis Borrmann Date: Tue, 16 Jun 2026 09:11:44 +0200 Subject: [PATCH 12/17] fix linter --- .../templates/post-install-vault-setup.yaml | 4 +- .../templates/vault-edc-configmap.yaml | 2 +- .../tractusx-connector/values-consumer.yaml | 228 +-- .../tractusx-connector/values-provider.yaml | 228 +-- charts/tractusx-connector/values.yaml | 1410 ++++++++--------- 5 files changed, 936 insertions(+), 936 deletions(-) diff --git a/charts/tractusx-connector/templates/post-install-vault-setup.yaml b/charts/tractusx-connector/templates/post-install-vault-setup.yaml index 7c01ea8523..904b4295c2 100644 --- a/charts/tractusx-connector/templates/post-install-vault-setup.yaml +++ b/charts/tractusx-connector/templates/post-install-vault-setup.yaml 
@@ -18,9 +18,9 @@ # SPDX-License-Identifier: Apache-2.0 ################################################################################# --- -{{- $vaultToken := index .Values "vault" "hashicorp" "token" -}} +{{ $vaultToken := index .Values "vault" "hashicorp" "token" -}} {{- $vaultUrl := tpl (index .Values "vault" "hashicorp" "url") . -}} -{{- $fullName := .Values.nameOverride -}} +{{ $fullName := .Values.nameOverride -}} apiVersion: batch/v1 kind: Job metadata: diff --git a/charts/tractusx-connector/templates/vault-edc-configmap.yaml b/charts/tractusx-connector/templates/vault-edc-configmap.yaml index 59148063ed..351f35d4e0 100644 --- a/charts/tractusx-connector/templates/vault-edc-configmap.yaml +++ b/charts/tractusx-connector/templates/vault-edc-configmap.yaml @@ -18,7 +18,7 @@ # SPDX-License-Identifier: Apache-2.0 ################################################################################# --- -{{- $fullName := .Values.nameOverride -}} +{{ $fullName := .Values.nameOverride -}} apiVersion: v1 kind: ConfigMap metadata: diff --git a/charts/tractusx-connector/values-consumer.yaml b/charts/tractusx-connector/values-consumer.yaml index a1fa0e4c27..52fb6190d6 100644 --- a/charts/tractusx-connector/values-consumer.yaml +++ b/charts/tractusx-connector/values-consumer.yaml 
@@ -1,128 +1,128 @@ shared: - connectorId: &connectorId did:web:consumer-idhub.staging.construct-x.net:consumer - secretAlias: &secretAlias consumersecret - trustedIssuerId: &trustedIssuerId did:web:local-issuer-service.staging.construct-x.net:issuer - clusterIssuer: &clusterIssuer letsencrypt-staging - ingressClass: &ingressClass nginx - imagePullSecret: &imagePullSecret registry-creds - controlplaneFqdn: &controlplaneFqdn consumer-conn-controlplane.staging.construct-x.net - dataplaneFqdn: &dataplaneFqdn consumer-conn-dataplane.staging.construct-x.net + connectorId: &connectorId did:web:consumer-idhub.staging.construct-x.net:consumer + secretAlias: &secretAlias consumersecret + trustedIssuerId: &trustedIssuerId did:web:local-issuer-service.staging.construct-x.net:issuer + clusterIssuer: &clusterIssuer letsencrypt-staging + ingressClass: &ingressClass nginx + imagePullSecret: &imagePullSecret registry-creds + controlplaneFqdn: &controlplaneFqdn consumer-conn-controlplane.staging.construct-x.net + dataplaneFqdn: &dataplaneFqdn consumer-conn-dataplane.staging.construct-x.net nameOverride: consumer-conn fullnameOverride: consumer-conn participant: - id: *connectorId + id: *connectorId iatp: - id: *connectorId - trustedIssuerId: *trustedIssuerId - trustedIssuers: - - id: *trustedIssuerId - sts: - oauth: - token_url: https://consumer-idhub.staging.construct-x.net/api/sts/token - client: - id: *connectorId - secret_alias: *secretAlias - didService: - selfRegistration: - id: *connectorId + id: *connectorId + trustedIssuerId: *trustedIssuerId + trustedIssuers: + - id: *trustedIssuerId + sts: + oauth: + token_url: https://consumer-idhub.staging.construct-x.net/api/sts/token + client: + id: *connectorId + secret_alias: *secretAlias + didService: + selfRegistration: + id: *connectorId controlplane: - hostname: consumer-conn-controlplane - imagePullSecrets: - - name: *imagePullSecret - env: - EDC_IAM_ISSUER_ID: *connectorId - EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: *secretAlias 
- ingresses: - ## Public / Internet facing Ingress - - enabled: true - hostname: *controlplaneFqdn - annotations: - cert-manager.io/cluster-issuer: *clusterIssuer - external-dns.alpha.kubernetes.io/hostname: *controlplaneFqdn - external-dns.alpha.kubernetes.io/ttl: "300" - endpoints: - - protocol - className: *ingressClass - tls: - enabled: true - secretName: consumer-conn-cp-tls - certManager: - clusterIssuer: *clusterIssuer - ## Private / Intranet facing Ingress - - enabled: false - hostname: *controlplaneFqdn - annotations: - cert-manager.io/cluster-issuer: *clusterIssuer - external-dns.alpha.kubernetes.io/hostname: *controlplaneFqdn - external-dns.alpha.kubernetes.io/ttl: "300" - endpoints: - - management - - control - - validation - - metrics - className: *ingressClass - tls: - enabled: true - secretName: consumer-conn-cp-int-tls - certManager: - clusterIssuer: *clusterIssuer + hostname: consumer-conn-controlplane + imagePullSecrets: + - name: *imagePullSecret + env: + EDC_IAM_ISSUER_ID: *connectorId + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: *secretAlias + ingresses: + ## Public / Internet facing Ingress + - enabled: true + hostname: *controlplaneFqdn + annotations: + cert-manager.io/cluster-issuer: *clusterIssuer + external-dns.alpha.kubernetes.io/hostname: *controlplaneFqdn + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - protocol + className: *ingressClass + tls: + enabled: true + secretName: consumer-conn-cp-tls + certManager: + clusterIssuer: *clusterIssuer + ## Private / Intranet facing Ingress + - enabled: false + hostname: *controlplaneFqdn + annotations: + cert-manager.io/cluster-issuer: *clusterIssuer + external-dns.alpha.kubernetes.io/hostname: *controlplaneFqdn + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - management + - control + - validation + - metrics + className: *ingressClass + tls: + enabled: true + secretName: consumer-conn-cp-int-tls + certManager: + clusterIssuer: *clusterIssuer dataplane: - hostname: 
consumer-conn-dataplane - imagePullSecrets: - - name: *imagePullSecret - token: - signer: - privatekey_alias: cons_priv - verifier: - publickey_alias: cons_pub - env: - EDC_IAM_ISSUER_ID: *connectorId - EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: *trustedIssuerId - EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: *secretAlias - ingresses: - ## Public / Internet facing Ingress - - enabled: true - hostname: *dataplaneFqdn - annotations: - cert-manager.io/cluster-issuer: *clusterIssuer - external-dns.alpha.kubernetes.io/hostname: *dataplaneFqdn - external-dns.alpha.kubernetes.io/ttl: "300" - endpoints: - - public - - proxy - className: *ingressClass - tls: - enabled: true - secretName: consumer-conn-dp-tls - certManager: - clusterIssuer: *clusterIssuer - ## Private / Intranet facing Ingress - - enabled: false - hostname: *dataplaneFqdn - annotations: - cert-manager.io/cluster-issuer: *clusterIssuer - external-dns.alpha.kubernetes.io/hostname: *dataplaneFqdn - external-dns.alpha.kubernetes.io/ttl: "300" - endpoints: - - management - - control - - metrics - className: *ingressClass - tls: - enabled: true - secretName: consumer-conn-dp-int-tls - certManager: - clusterIssuer: *clusterIssuer + hostname: consumer-conn-dataplane + imagePullSecrets: + - name: *imagePullSecret + token: + signer: + privatekey_alias: cons_priv + verifier: + publickey_alias: cons_pub + env: + EDC_IAM_ISSUER_ID: *connectorId + EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: *trustedIssuerId + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: *secretAlias + ingresses: + ## Public / Internet facing Ingress + - enabled: true + hostname: *dataplaneFqdn + annotations: + cert-manager.io/cluster-issuer: *clusterIssuer + external-dns.alpha.kubernetes.io/hostname: *dataplaneFqdn + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - public + - proxy + className: *ingressClass + tls: + enabled: true + secretName: consumer-conn-dp-tls + certManager: + clusterIssuer: *clusterIssuer + ## Private / Intranet facing Ingress + - enabled: false + 
hostname: *dataplaneFqdn + annotations: + cert-manager.io/cluster-issuer: *clusterIssuer + external-dns.alpha.kubernetes.io/hostname: *dataplaneFqdn + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - management + - control + - metrics + className: *ingressClass + tls: + enabled: true + secretName: consumer-conn-dp-int-tls + certManager: + clusterIssuer: *clusterIssuer postgresql: - primary: - persistence: - enabled: true - readReplicas: - persistence: - enabled: true + primary: + persistence: + enabled: true + readReplicas: + persistence: + enabled: true diff --git a/charts/tractusx-connector/values-provider.yaml b/charts/tractusx-connector/values-provider.yaml index c04ccfd1b0..479f1b29ed 100644 --- a/charts/tractusx-connector/values-provider.yaml +++ b/charts/tractusx-connector/values-provider.yaml 
@@ -1,128 +1,128 @@ shared: - connectorId: &connectorId did:web:provider-idhub.staging.construct-x.net:provider - secretAlias: &secretAlias providersecret - trustedIssuerId: &trustedIssuerId did:web:local-issuer-service.staging.construct-x.net:issuer - clusterIssuer: &clusterIssuer letsencrypt-staging - ingressClass: &ingressClass nginx - imagePullSecret: &imagePullSecret registry-creds - controlplaneFqdn: &controlplaneFqdn provider-conn-controlplane.staging.construct-x.net - dataplaneFqdn: &dataplaneFqdn provider-conn-dataplane.staging.construct-x.net + connectorId: &connectorId did:web:provider-idhub.staging.construct-x.net:provider + secretAlias: &secretAlias providersecret + trustedIssuerId: &trustedIssuerId did:web:local-issuer-service.staging.construct-x.net:issuer + clusterIssuer: &clusterIssuer letsencrypt-staging + ingressClass: &ingressClass nginx + imagePullSecret: &imagePullSecret registry-creds + controlplaneFqdn: &controlplaneFqdn provider-conn-controlplane.staging.construct-x.net + dataplaneFqdn: &dataplaneFqdn provider-conn-dataplane.staging.construct-x.net nameOverride: provider-conn fullnameOverride: provider-conn participant: - id: *connectorId + id: *connectorId iatp: - id: *connectorId - trustedIssuerId: *trustedIssuerId - trustedIssuers: - - id: *trustedIssuerId - sts: - oauth: - token_url: https://provider-idhub.staging.construct-x.net/api/sts/token - client: - id: *connectorId - secret_alias: *secretAlias - didService: - selfRegistration: - id: *connectorId + id: *connectorId + trustedIssuerId: *trustedIssuerId + trustedIssuers: + - id: *trustedIssuerId + sts: + oauth: + token_url: https://provider-idhub.staging.construct-x.net/api/sts/token + client: + id: *connectorId + secret_alias: *secretAlias + didService: + selfRegistration: + id: *connectorId controlplane: - hostname: provider-conn-controlplane - imagePullSecrets: - - name: *imagePullSecret - env: - EDC_IAM_ISSUER_ID: *connectorId - EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: *secretAlias 
- ingresses: - ## Public / Internet facing Ingress - - enabled: true - hostname: *controlplaneFqdn - annotations: - cert-manager.io/cluster-issuer: *clusterIssuer - external-dns.alpha.kubernetes.io/hostname: *controlplaneFqdn - external-dns.alpha.kubernetes.io/ttl: "300" - endpoints: - - protocol - className: *ingressClass - tls: - enabled: true - secretName: provider-conn-cp-tls - certManager: - clusterIssuer: *clusterIssuer - ## Private / Intranet facing Ingress - - enabled: false - hostname: *controlplaneFqdn - annotations: - cert-manager.io/cluster-issuer: *clusterIssuer - external-dns.alpha.kubernetes.io/hostname: *controlplaneFqdn - external-dns.alpha.kubernetes.io/ttl: "300" - endpoints: - - management - - control - - validation - - metrics - className: *ingressClass - tls: - enabled: true - secretName: provider-conn-cp-int-tls - certManager: - clusterIssuer: *clusterIssuer + hostname: provider-conn-controlplane + imagePullSecrets: + - name: *imagePullSecret + env: + EDC_IAM_ISSUER_ID: *connectorId + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: *secretAlias + ingresses: + ## Public / Internet facing Ingress + - enabled: true + hostname: *controlplaneFqdn + annotations: + cert-manager.io/cluster-issuer: *clusterIssuer + external-dns.alpha.kubernetes.io/hostname: *controlplaneFqdn + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - protocol + className: *ingressClass + tls: + enabled: true + secretName: provider-conn-cp-tls + certManager: + clusterIssuer: *clusterIssuer + ## Private / Intranet facing Ingress + - enabled: false + hostname: *controlplaneFqdn + annotations: + cert-manager.io/cluster-issuer: *clusterIssuer + external-dns.alpha.kubernetes.io/hostname: *controlplaneFqdn + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - management + - control + - validation + - metrics + className: *ingressClass + tls: + enabled: true + secretName: provider-conn-cp-int-tls + certManager: + clusterIssuer: *clusterIssuer dataplane: - hostname: 
provider-conn-dataplane - imagePullSecrets: - - name: *imagePullSecret - token: - signer: - privatekey_alias: prov_priv - verifier: - publickey_alias: prov_pub - env: - EDC_IAM_ISSUER_ID: *connectorId - EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: *trustedIssuerId - EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: *secretAlias - ingresses: - ## Public / Internet facing Ingress - - enabled: true - hostname: *dataplaneFqdn - annotations: - cert-manager.io/cluster-issuer: *clusterIssuer - external-dns.alpha.kubernetes.io/hostname: *dataplaneFqdn - external-dns.alpha.kubernetes.io/ttl: "300" - endpoints: - - public - - proxy - className: *ingressClass - tls: - enabled: true - secretName: provider-conn-dp-tls - certManager: - clusterIssuer: *clusterIssuer - ## Private / Intranet facing Ingress - - enabled: false - hostname: *dataplaneFqdn - annotations: - cert-manager.io/cluster-issuer: *clusterIssuer - external-dns.alpha.kubernetes.io/hostname: *dataplaneFqdn - external-dns.alpha.kubernetes.io/ttl: "300" - endpoints: - - management - - control - - metrics - className: *ingressClass - tls: - enabled: true - secretName: provider-conn-dp-int-tls - certManager: - clusterIssuer: *clusterIssuer + hostname: provider-conn-dataplane + imagePullSecrets: + - name: *imagePullSecret + token: + signer: + privatekey_alias: prov_priv + verifier: + publickey_alias: prov_pub + env: + EDC_IAM_ISSUER_ID: *connectorId + EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: *trustedIssuerId + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: *secretAlias + ingresses: + ## Public / Internet facing Ingress + - enabled: true + hostname: *dataplaneFqdn + annotations: + cert-manager.io/cluster-issuer: *clusterIssuer + external-dns.alpha.kubernetes.io/hostname: *dataplaneFqdn + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - public + - proxy + className: *ingressClass + tls: + enabled: true + secretName: provider-conn-dp-tls + certManager: + clusterIssuer: *clusterIssuer + ## Private / Intranet facing Ingress + - enabled: false + 
hostname: *dataplaneFqdn + annotations: + cert-manager.io/cluster-issuer: *clusterIssuer + external-dns.alpha.kubernetes.io/hostname: *dataplaneFqdn + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - management + - control + - metrics + className: *ingressClass + tls: + enabled: true + secretName: provider-conn-dp-int-tls + certManager: + clusterIssuer: *clusterIssuer postgresql: - primary: - persistence: - enabled: true - readReplicas: - persistence: - enabled: true + primary: + persistence: + enabled: true + readReplicas: + persistence: + enabled: true diff --git a/charts/tractusx-connector/values.yaml b/charts/tractusx-connector/values.yaml index d0db2aaa40..3d5597de87 100644 --- a/charts/tractusx-connector/values.yaml +++ b/charts/tractusx-connector/values.yaml @@ -23,10 +23,10 @@ # Declare variables to be passed into your templates. install: - # -- Deploying a PostgreSQL instance - postgresql: true - # -- Deploying a HashiCorp Vault instance - vault: true + # -- Deploying a PostgreSQL instance + postgresql: true + # -- Deploying a HashiCorp Vault instance + vault: true fullnameOverride: "" nameOverride: "" 
@@ -37,731 +37,731 @@ imagePullSecrets: [] customLabels: {} participant: - id: "did:web:changeme" + id: "did:web:changeme" iatp: - # -- Decentralized IDentifier (DID) of the connector - id: "did:web:changeme" - # -- ID of the trusted issuer that is used for SI token validation (maps to EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID) - trustedIssuerId: "" - # -- Configures the trusted issuers for this runtime. If no supportedTypes are specified, the value defaults to "*" for that issuer - trustedIssuers: [] - # - id: "did:web:example1.com" - # supportedTypes: - # - "MembershipCredential" - # - "did:web:example2.com" - sts: - div: - # -- URL where connectors can request SI tokens - url: - oauth: - # -- URL where connectors can request OAuth2 access tokens for DIV access - token_url: - client: - # -- Client ID for requesting OAuth2 access token for DIV access - id: - # -- Alias under which the client secret is stored in the vault for requesting OAuth2 access token for DIV access - secret_alias: - didService: - selfRegistration: - # -- Whether Service Self Registration is enabled - enabled: false - # -- Unique id of connector to be used for register / unregister service inside did document (must be valid URI) - id: "did:web:changeme" - # - Configures the Verifiable Presentation cache - cache: - # -- Whether the Verifiable Presentation cache is enabled - enabled: true - # -- Validity of the Verifiable Presentation cache in seconds - validity: 86400 + # -- Decentralized IDentifier (DID) of the connector + id: "did:web:changeme" + # -- ID of the trusted issuer that is used for SI token validation (maps to EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID) + trustedIssuerId: "change-me" + # -- Configures the trusted issuers for this runtime. 
If no supportedTypes are specified, the value defaults to "*" for that issuer + trustedIssuers: [] + # - id: "did:web:example1.com" + # supportedTypes: + # - "MembershipCredential" + # - "did:web:example2.com" + sts: + div: + # -- URL where connectors can request SI tokens + url: + oauth: + # -- URL where connectors can request OAuth2 access tokens for DIV access + token_url: "https://change-me" + client: + # -- Client ID for requesting OAuth2 access token for DIV access + id: "change-me" + # -- Alias under which the client secret is stored in the vault for requesting OAuth2 access token for DIV access + secret_alias: "change-me" + didService: + selfRegistration: + # -- Whether Service Self Registration is enabled + enabled: false + # -- Unique id of connector to be used for register / unregister service inside did document (must be valid URI) + id: "did:web:changeme" + # - Configures the Verifiable Presentation cache + cache: + # -- Whether the Verifiable Presentation cache is enabled + enabled: true + # -- Validity of the Verifiable Presentation cache in seconds + validity: 86400 # -- Add custom ca certificates to the truststore customCaCerts: {} log4j2: - # -- Whether to enable the json log config in log4j2.config - enableJsonLogs: true - # -- Log4j2 configuration for json log formatting. - config: |- - Appenders: - Console: - name: CONSOLE - JsonTemplateLayout: - eventTemplate: |- - { - "timestamp": { - "$resolver": "timestamp", - "pattern": { - "format": "yyyy-MM-dd'T'HH:mm:ss.SSSSSSS", - "timeZone": "UTC" - } - }, - "level": { - "$resolver": "level", - "field": "severity", - "severity": { - "field": "keyword" - } - }, - "message": { - "$resolver": "message" - } + # -- Whether to enable the json log config in log4j2.config + enableJsonLogs: true + # -- Log4j2 configuration for json log formatting. 
+ config: |- + Appenders: + Console: + name: CONSOLE + JsonTemplateLayout: + eventTemplate: |- + { + "timestamp": { + "$resolver": "timestamp", + "pattern": { + "format": "yyyy-MM-dd'T'HH:mm:ss.SSSSSSS", + "timeZone": "UTC" } - Loggers: - Root: - level: "OFF" - Logger: - name: org.eclipse.edc.monitor.logger - level: DEBUG - AppenderRef: - ref: CONSOLE + }, + "level": { + "$resolver": "level", + "field": "severity", + "severity": { + "field": "keyword" + } + }, + "message": { + "$resolver": "message" + } + } + Loggers: + Root: + level: "OFF" + Logger: + name: org.eclipse.edc.monitor.logger + level: DEBUG + AppenderRef: + ref: CONSOLE controlplane: - nameOverride: "" - fullnameOverride: "" - # -- hostname where the controlplane is reachable - hostname: "" - image: - # -- Which derivate of the control plane to use. When left empty the deployment will select the correct image automatically - repository: "ghcr.io/project-construct-x/con-x-controlplane-postgresql-hashicorp-vault" - # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use - pullPolicy: IfNotPresent - # -- Overrides the image tag whose default is the chart appVersion - tag: "latest" - # -- Configure ghcr credentials to pull the control plane image - imagePullSecrets: - - name: ghcr-creds - initContainers: [] - debug: - # -- Enables java debugging mode. - enabled: false - # -- Port where the debuggee can connect to. - port: 1044 - # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. - suspendOnStart: false - - logs: - # -- Defines the log granularity of the default Console Monitor. - level: DEBUG + nameOverride: "" + fullnameOverride: "" + # -- hostname where the controlplane is reachable + hostname: "" + image: + # -- Which derivate of the control plane to use. 
When left empty the deployment will select the correct image automatically + repository: "ghcr.io/project-construct-x/con-x-controlplane-postgresql-hashicorp-vault" + # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use + pullPolicy: IfNotPresent + # -- Overrides the image tag whose default is the chart appVersion + tag: "latest" + # -- Configure ghcr credentials to pull the control plane image + imagePullSecrets: + - name: ghcr-creds + initContainers: [] + debug: + # -- Enables java debugging mode. + enabled: false + # -- Port where the debuggee can connect to. + port: 1044 + # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. + suspendOnStart: false + + logs: + # -- Defines the log granularity of the default Console Monitor. + level: DEBUG + + livenessProbe: + # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first liveness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + readinessProbe: + # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first readiness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a readiness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after 
which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + + # -- endpoints of the control plane + endpoints: + # -- default api for health checks, should not be added to any ingress + default: + # -- port for incoming api calls + port: 9000 + # -- path for incoming api calls + path: /api + # -- data management api, used by internal users, can be added to an ingress and must not be internet facing + management: + # -- port for incoming api calls + port: 9010 + # -- path for incoming api calls + path: /management + # -- authentication key, must be attached to each request as `X-Api-Key` header + authKey: "password" + # -- if the JWKS url is set, the DelegatedAuth service will be engaged + jwksUrl: + + # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not + control: + # -- port for incoming api calls + port: 9050 + # -- path for incoming api calls + path: /control + # -- dsp api, used for inter connector communication and must be internet facing + protocol: + # -- port for incoming api calls + port: 9020 + # -- path for incoming api calls + path: /dsp + # -- validation api + validation: + # -- port for incoming api calls + port: 9030 + # -- path for incoming api calls + path: /validation + # -- metrics api, used for application metrics, must not be internet facing + metrics: + # -- port for incoming api calls + port: 9090 + # -- path for incoming api calls + path: /metrics + + bdrs: + # -- Time that a cached BPN/DID resolution map is valid in seconds, default is 600 seconds (10 min) + cache_validity_seconds: 600 + server: + # -- URL of the BPN/DID Resolution Service + url: + + # -- configuration for policy engine + policy: + validation: + enabled: true + + service: + # -- [Service 
type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. + type: ClusterIP + # -- additional labels for the service + labels: {} + # -- additional annotations for the service + annotations: {} - livenessProbe: - # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) - enabled: true - # -- seconds to wait before performing the first liveness check - initialDelaySeconds: 30 - # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds - periodSeconds: 10 - # -- number of seconds after which the probe times out - timeoutSeconds: 5 - # -- when a probe fails kubernetes will try 6 times before giving up - failureThreshold: 6 - # -- number of consecutive successes for the probe to be considered successful after having failed - successThreshold: 1 - readinessProbe: - # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) - enabled: true - # -- seconds to wait before performing the first readiness check - initialDelaySeconds: 30 - # -- this fields specifies that kubernetes should perform a readiness check every 10 seconds - periodSeconds: 10 - # -- number of seconds after which the probe times out - timeoutSeconds: 5 - # -- when a probe fails kubernetes will try 6 times before giving up - failureThreshold: 6 - # -- number of consecutive successes for the probe to be considered successful after having failed - successThreshold: 1 - - # -- endpoints of the control plane - endpoints: - # -- default api for health checks, should not be added to any ingress - default: - # -- port for incoming api calls - port: 9000 - # -- path for incoming api calls - path: /api - # -- data management api, used by internal users, can be added to an 
ingress and must not be internet facing - management: - # -- port for incoming api calls - port: 9010 - # -- path for incoming api calls - path: /management - # -- authentication key, must be attached to each request as `X-Api-Key` header - authKey: "password" - # -- if the JWKS url is set, the DelegatedAuth service will be engaged - jwksUrl: - - # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not - control: - # -- port for incoming api calls - port: 9050 - # -- path for incoming api calls - path: /control - # -- dsp api, used for inter connector communication and must be internet facing - protocol: - # -- port for incoming api calls - port: 9020 - # -- path for incoming api calls - path: /dsp - # -- validation api - validation: - # -- port for incoming api calls - port: 9030 - # -- path for incoming api calls - path: /validation - # -- metrics api, used for application metrics, must not be internet facing - metrics: - # -- port for incoming api calls - port: 9090 - # -- path for incoming api calls - path: /metrics - - bdrs: - # -- Time that a cached BPN/DID resolution map is valid in seconds, default is 600 seconds (10 min) - cache_validity_seconds: 600 - server: - # -- URL of the BPN/DID Resolution Service - url: - - # -- configuration for policy engine - policy: - validation: - enabled: true - - service: - # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. 
- type: ClusterIP - # -- additional labels for the service - labels: {} - # -- additional annotations for the service - annotations: {} - - # -- additional labels for the pod - podLabels: {} - # -- additional annotations for the pod - podAnnotations: {} - # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment - podSecurityContext: - seccompProfile: - # -- Restrict a Container's Syscalls with seccomp - type: RuntimeDefault - # -- Runs all processes within a pod with a special uid - runAsUser: 10001 - # -- Processes within a pod will belong to this guid - runAsGroup: 10001 - # -- The owner for volumes and any files created within volumes will belong to this guid - fsGroup: 10001 - # The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod - securityContext: - capabilities: - # -- Specifies which capabilities to drop to reduce syscall attack surface - drop: - - ALL - # -- Specifies which capabilities to add to issue specialized syscalls - add: [] - # -- Whether the root filesystem is mounted in read-only mode - readOnlyRootFilesystem: true - # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID - allowPrivilegeEscalation: false - # -- Requires the container to run without root privileges - runAsNonRoot: true - # -- The container's process will run with the specified uid - runAsUser: 10001 - - # -- Extra environment variables that will be passed onto deployment pods - env: - EDC_IAM_DID_WEB_USE_HTTPS: true - EDC_IAM_ISSUER_ID: did:web:wallet.staging.construct-x.net:user - TX_EDC_POSTGRESQL_MIGRATION_ASSET_ENABLED: 
false - TX_EDC_POSTGRESQL_MIGRATION_AGREEMENTBPNS_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_BPN_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_CONTRACTDEFINITION_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_CONTRACTNEGOTIATION_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_DATAPLANEINSTANCE_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_EDR_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_FEDERATEDCATALOG_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_JTI-VALIDATION_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_POLICY-MONITOR_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_POLICY_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_TRANSFERPROCESS_ENABLED: false - EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: usersecret - EDC_IAM_CREDENTIAL_REVOCATION_MIMETYPE: application/json - - # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. - # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core - envValueFrom: {} - # ENV_NAME: - # configMapKeyRef: - # name: configmap-name - # key: value_key - # secretKeyRef: - # name: secret-name - # key: value_key - - # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from - envSecretNames: [] - # - first-secret - # - second-secret - - # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from - envConfigMapNames: [] - # - first-config-map - # - second-config-map - - # Database schema auto-creation - schema: - autocreate: true - - ## Ingress declaration to expose the network service. 
- ingresses: - ## Public / Internet facing Ingress - - enabled: true - # -- The hostname to be used to precisely map incoming traffic onto the underlying network service - hostname: "edc-control.local" - # -- Additional ingress annotations to add - annotations: {} - # -- EDC endpoints exposed by this ingress resource - endpoints: - - protocol - # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use - className: "" - # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource - tls: - # -- Enables TLS on the ingress resource - enabled: false - # -- If present overwrites the default secret name - secretName: "" - ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource - certManager: - # -- If preset enables certificate generation via cert-manager namespace scoped issuer - issuer: "" - # -- If preset enables certificate generation via cert-manager cluster-wide issuer - clusterIssuer: "" - ## Private / Intranet facing Ingress - - enabled: true - # -- The hostname to be used to precisely map incoming traffic onto the underlying network service - hostname: "edc-control.intranet" - # -- Additional ingress annotations to add - annotations: {} - # -- EDC endpoints exposed by this ingress resource - endpoints: - - management - - control - - validation - - metrics - # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use - className: "" - # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource - tls: - # -- Enables TLS on the ingress resource - enabled: false - # -- If present overwrites the default secret name - secretName: "" - ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource - certManager: - # -- If preset enables certificate generation via 
cert-manager namespace scoped issuer - issuer: "" - # -- If preset enables certificate generation via cert-manager cluster-wide issuer - clusterIssuer: "" - - # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container - volumeMounts: - # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories - volumes: - - # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container - resources: - limits: - # -- Maximum CPU limit - cpu: 1.5 - # -- Maximum memory limit - memory: 1024Mi - requests: - # -- Initial CPU request - cpu: 500m - # -- Initial memory request - memory: 1024Mi - - replicaCount: 1 - - autoscaling: - # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) + # -- additional labels for the pod + podLabels: {} + # -- additional annotations for the pod + podAnnotations: {} + # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment + podSecurityContext: + seccompProfile: + # -- Restrict a Container's Syscalls with seccomp + type: RuntimeDefault + # -- Runs all processes within a pod with a special uid + runAsUser: 10001 + # -- Processes within a pod will belong to this guid + runAsGroup: 10001 + # -- The owner for volumes and any files created within volumes will belong to this guid + fsGroup: 10001 + # The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod + securityContext: + capabilities: + # -- Specifies which capabilities to drop to reduce syscall attack surface + 
drop: + - ALL + # -- Specifies which capabilities to add to issue specialized syscalls + add: [] + # -- Whether the root filesystem is mounted in read-only mode + readOnlyRootFilesystem: true + # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID + allowPrivilegeEscalation: false + # -- Requires the container to run without root privileges + runAsNonRoot: true + # -- The container's process will run with the specified uid + runAsUser: 10001 + + # -- Extra environment variables that will be passed onto deployment pods + env: + EDC_IAM_DID_WEB_USE_HTTPS: true + EDC_IAM_ISSUER_ID: did:web:wallet.staging.construct-x.net:user + TX_EDC_POSTGRESQL_MIGRATION_ASSET_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_AGREEMENTBPNS_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_BPN_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_CONTRACTDEFINITION_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_CONTRACTNEGOTIATION_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_DATAPLANEINSTANCE_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_EDR_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_FEDERATEDCATALOG_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_JTI-VALIDATION_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_POLICY-MONITOR_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_POLICY_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_TRANSFERPROCESS_ENABLED: false + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: usersecret + EDC_IAM_CREDENTIAL_REVOCATION_MIMETYPE: application/json + + # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. 
+ # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core + envValueFrom: {} + # ENV_NAME: + # configMapKeyRef: + # name: configmap-name + # key: value_key + # secretKeyRef: + # name: secret-name + # key: value_key + + # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from + envSecretNames: [] + # - first-secret + # - second-secret + + # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from + envConfigMapNames: [] + # - first-config-map + # - second-config-map + + # Database schema auto-creation + schema: + autocreate: true + + ## Ingress declaration to expose the network service. + ingresses: + ## Public / Internet facing Ingress + - enabled: true + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "edc-control.local" + # -- Additional ingress annotations to add + annotations: {} + # -- EDC endpoints exposed by this ingress resource + endpoints: + - protocol + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + className: "" + # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource + tls: + # -- Enables TLS on the ingress resource enabled: false - # -- Minimal replicas if resource consumption falls below resource threshholds - minReplicas: 1 - # -- Maximum replicas if resource consumption exceeds resource threshholds - maxReplicas: 100 - # -- targetAverageUtilization of cpu provided to a pod - targetCPUUtilizationPercentage: 80 - # -- targetAverageUtilization of memory provided to a pod - targetMemoryUtilizationPercentage: 80 - - # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and 
expose metrics - opentelemetry: |- - otel.javaagent.enabled=false - otel.javaagent.debug=false - - # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes - nodeSelector: {} - # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes - tolerations: [] - # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on - affinity: {} - - url: - # -- Explicitly declared url for reaching the dsp api (e.g. if ingresses not used) - protocol: "" - -dataplane: - nameOverride: "" - fullnameOverride: "" - # -- hostname where the dataplane is reachable - hostname: "" - image: - # -- Which derivate of the data plane to use. when left empty the deployment will select the correct image automatically - repository: "ghcr.io/project-construct-x/con-x-dataplane-postgresql-hashicorp-vault" - # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use - pullPolicy: IfNotPresent - # -- Overrides the image tag whose default is the chart appVersion - tag: "latest" - # -- Configure ghcr credentials to pull the control plane image - imagePullSecrets: - - name: ghcr-creds - initContainers: [] - debug: - # -- Enables java debugging mode. 
+ # -- If present overwrites the default secret name + secretName: "" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via cert-manager namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "" + ## Private / Intranet facing Ingress + - enabled: true + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "edc-control.intranet" + # -- Additional ingress annotations to add + annotations: {} + # -- EDC endpoints exposed by this ingress resource + endpoints: + - management + - control + - validation + - metrics + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + className: "" + # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource + tls: + # -- Enables TLS on the ingress resource enabled: false - # -- Port where the debuggee can connect to. - port: 1044 - # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. 
- suspendOnStart: false + # -- If present overwrites the default secret name + secretName: "" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via cert-manager namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "" + + # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container + volumeMounts: + # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories + volumes: + + # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container + resources: + limits: + # -- Maximum CPU limit + cpu: 1.5 + # -- Maximum memory limit + memory: 1024Mi + requests: + # -- Initial CPU request + cpu: 500m + # -- Initial memory request + memory: 1024Mi + + replicaCount: 1 + + autoscaling: + # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) + enabled: false + # -- Minimal replicas if resource consumption falls below resource threshholds + minReplicas: 1 + # -- Maximum replicas if resource consumption exceeds resource threshholds + maxReplicas: 100 + # -- targetAverageUtilization of cpu provided to a pod + targetCPUUtilizationPercentage: 80 + # -- targetAverageUtilization of memory provided to a pod + targetMemoryUtilizationPercentage: 80 + + # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics + opentelemetry: |- + otel.javaagent.enabled=false + otel.javaagent.debug=false + + # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes + nodeSelector: {} + # 
-- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes + tolerations: [] + # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on + affinity: {} + + url: + # -- Explicitly declared url for reaching the dsp api (e.g. if ingresses not used) + protocol: "" - logs: - # -- Defines the log granularity of the default Console Monitor. - level: DEBUG +dataplane: + nameOverride: "" + fullnameOverride: "" + # -- hostname where the dataplane is reachable + hostname: "" + image: + # -- Which derivate of the data plane to use. when left empty the deployment will select the correct image automatically + repository: "ghcr.io/project-construct-x/con-x-dataplane-postgresql-hashicorp-vault" + # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use + pullPolicy: IfNotPresent + # -- Overrides the image tag whose default is the chart appVersion + tag: "latest" + # -- Configure ghcr credentials to pull the control plane image + imagePullSecrets: + - name: ghcr-creds + initContainers: [] + debug: + # -- Enables java debugging mode. + enabled: false + # -- Port where the debuggee can connect to. + port: 1044 + # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. + suspendOnStart: false + + logs: + # -- Defines the log granularity of the default Console Monitor. 
+ level: DEBUG + + livenessProbe: + # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first liveness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + readinessProbe: + # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first readiness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + + service: + # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. 
+ type: ClusterIP + # -- additional labels for the service + labels: {} + # -- additional annotations for the service + annotations: {} - livenessProbe: - # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) - enabled: true - # -- seconds to wait before performing the first liveness check - initialDelaySeconds: 30 - # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds - periodSeconds: 10 - # -- number of seconds after which the probe times out - timeoutSeconds: 5 - # -- when a probe fails kubernetes will try 6 times before giving up - failureThreshold: 6 - # -- number of consecutive successes for the probe to be considered successful after having failed - successThreshold: 1 - readinessProbe: - # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) - enabled: true - # -- seconds to wait before performing the first readiness check - initialDelaySeconds: 30 - # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds - periodSeconds: 10 - # -- number of seconds after which the probe times out - timeoutSeconds: 5 - # -- when a probe fails kubernetes will try 6 times before giving up - failureThreshold: 6 - # -- number of consecutive successes for the probe to be considered successful after having failed - successThreshold: 1 - - service: - # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. 
- type: ClusterIP - # -- additional labels for the service - labels: {} - # -- additional annotations for the service - annotations: {} - - # -- endpoints of the dataplane - endpoints: - # -- default api for health checks, should not be added to any ingress - default: - # -- port for incoming api calls - port: 8181 - # -- path for incoming api calls - path: /api - # -- public endpoint where the data can be fetched from if HttpPull was used. Must be internet facing. - public: - # -- port for incoming api calls - port: 9500 - # -- path for incoming api calls - path: /public - # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not - control: - # -- port for incoming api calls - port: 9550 - # -- path for incoming api calls - path: /control - # -- data management api - management: - # -- port for incoming api calls - port: 9510 - # -- path for incoming api calls - path: /management - # -- proxy api for consumer data transfer - proxy: - # -- port for incoming api calls - port: 9511 - # -- path for incoming api calls - path: /proxy - # -- authentication key, must be attached to each request as `X-Api-Key` header - authKey: "password" - # -- metrics api, used for application metrics, must not be internet facing - metrics: - # -- port for incoming api calls - port: 9090 - # -- path for incoming api calls - path: /metrics - - token: - refresh: - # -- TTL in seconds for access tokens (also known as EDR token) - expiry_seconds: 300 - # -- Tolerance for token expiry in seconds - expiry_tolerance_seconds: 10 - # -- Optional endpoint for an OAuth2 token refresh. 
Default endpoint is `/token` - refresh_endpoint: - signer: - # -- Alias under which the private key (JWK or PEM format) is stored in the vault - privatekey_alias: priv - verifier: - # -- Alias under which the public key (JWK or PEM format) is stored in the vault, that belongs to the private key which was referred to at `dataplane.token.signer.privatekey_alias` - publickey_alias: pub - - # Database schema auto-creation - schema: - autocreate: true - - aws: - endpointOverride: "" - accessKeyId: "" - secretAccessKey: "" - - # -- additional labels for the pod - podLabels: {} - # -- additional annotations for the pod - podAnnotations: {} - # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment - podSecurityContext: - seccompProfile: - # -- Restrict a Container's Syscalls with seccomp - type: RuntimeDefault - # -- Runs all processes within a pod with a special uid - runAsUser: 10001 - # -- Processes within a pod will belong to this guid - runAsGroup: 10001 - # -- The owner for volumes and any files created within volumes will belong to this guid - fsGroup: 10001 - # -- The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod - securityContext: - capabilities: - # -- Specifies which capabilities to drop to reduce syscall attack surface - drop: - - ALL - # -- Specifies which capabilities to add to issue specialized syscalls - add: [] - # -- Whether the root filesystem is mounted in read-only mode - readOnlyRootFilesystem: true - # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID - allowPrivilegeEscalation: false - # 
-- Requires the container to run without root privileges - runAsNonRoot: true - # -- The container's process will run with the specified uid - runAsUser: 10001 - - # -- Extra environment variables that will be passed onto deployment pods - env: - EDC_IAM_DID_WEB_USE_HTTPS: true - EDC_DATA_PLANE_SELF_UNREGISTRATION: true - EDC_IAM_CREDENTIAL_REVOCATION_MIMETYPE: application/json - EDC_IAM_ISSUER_ID: did:web:wallet.staging.construct-x.net:user - EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: did:web:issuer-wallet.staging.construct-x.net:issuer - EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: usersecret - - # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. - # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core - envValueFrom: {} - # ENV_NAME: - # configMapKeyRef: - # name: configmap-name - # key: value_key - # secretKeyRef: - # name: secret-name - # key: value_key - - # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from - envSecretNames: [] - # - first-secret - # - second-secret - - # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from - envConfigMapNames: [] - # - first-config-map - # - second-config-map - - ## Ingress declaration to expose the network service. 
- ingresses: - ## Public / Internet facing Ingress - - enabled: true - # -- The hostname to be used to precisely map incoming traffic onto the underlying network service - hostname: "edc-data.local" - # -- Additional ingress annotations to add - annotations: {} - # -- EDC endpoints exposed by this ingress resource - endpoints: - - public - - proxy - # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use - className: "" - # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource - tls: - # -- Enables TLS on the ingress resource - enabled: false - # -- If present overwrites the default secret name - secretName: "" - ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource - certManager: - # -- If preset enables certificate generation via cert-manager namespace scoped issuer - issuer: "" - # -- If preset enables certificate generation via cert-manager cluster-wide issuer - clusterIssuer: "" - ## Private / Intranet facing Ingress - - enabled: true - # -- The hostname to be used to precisely map incoming traffic onto the underlying network service - hostname: "edc-data.intranet" - # -- Additional ingress annotations to add - annotations: {} - # -- EDC endpoints exposed by this ingress resource - endpoints: - - management - - control - - metrics - # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use - className: "" - # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource - tls: - # -- Enables TLS on the ingress resource - enabled: false - # -- If present overwrites the default secret name - secretName: "" - ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource - certManager: - # -- If preset enables certificate generation via cert-manager 
namespace scoped issuer - issuer: "" - # -- If preset enables certificate generation via cert-manager cluster-wide issuer - clusterIssuer: "" - - # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container - volumeMounts: - # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories - volumes: - - # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container - resources: - limits: - # -- Maximum CPU limit - cpu: 1.5 - # -- Maximum memory limit - memory: 1024Mi - requests: - # -- Initial CPU request - cpu: 500m - # -- Initial memory request - memory: 1024Mi - - replicaCount: 1 - - autoscaling: - # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) + # -- endpoints of the dataplane + endpoints: + # -- default api for health checks, should not be added to any ingress + default: + # -- port for incoming api calls + port: 8181 + # -- path for incoming api calls + path: /api + # -- public endpoint where the data can be fetched from if HttpPull was used. Must be internet facing. + public: + # -- port for incoming api calls + port: 9500 + # -- path for incoming api calls + path: /public + # -- control api, used for internal control calls. 
can be added to the internal ingress, but should probably not + control: + # -- port for incoming api calls + port: 9550 + # -- path for incoming api calls + path: /control + # -- data management api + management: + # -- port for incoming api calls + port: 9510 + # -- path for incoming api calls + path: /management + # -- proxy api for consumer data transfer + proxy: + # -- port for incoming api calls + port: 9511 + # -- path for incoming api calls + path: /proxy + # -- authentication key, must be attached to each request as `X-Api-Key` header + authKey: "password" + # -- metrics api, used for application metrics, must not be internet facing + metrics: + # -- port for incoming api calls + port: 9090 + # -- path for incoming api calls + path: /metrics + + token: + refresh: + # -- TTL in seconds for access tokens (also known as EDR token) + expiry_seconds: 300 + # -- Tolerance for token expiry in seconds + expiry_tolerance_seconds: 10 + # -- Optional endpoint for an OAuth2 token refresh. Default endpoint is `/token` + refresh_endpoint: + signer: + # -- Alias under which the private key (JWK or PEM format) is stored in the vault + privatekey_alias: priv + verifier: + # -- Alias under which the public key (JWK or PEM format) is stored in the vault, that belongs to the private key which was referred to at `dataplane.token.signer.privatekey_alias` + publickey_alias: pub + + # Database schema auto-creation + schema: + autocreate: true + + aws: + endpointOverride: "" + accessKeyId: "" + secretAccessKey: "" + + # -- additional labels for the pod + podLabels: {} + # -- additional annotations for the pod + podAnnotations: {} + # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment + podSecurityContext: + seccompProfile: + # -- Restrict a Container's Syscalls with seccomp + type: RuntimeDefault + # -- Runs all 
processes within a pod with a special uid + runAsUser: 10001 + # -- Processes within a pod will belong to this guid + runAsGroup: 10001 + # -- The owner for volumes and any files created within volumes will belong to this guid + fsGroup: 10001 + # -- The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod + securityContext: + capabilities: + # -- Specifies which capabilities to drop to reduce syscall attack surface + drop: + - ALL + # -- Specifies which capabilities to add to issue specialized syscalls + add: [] + # -- Whether the root filesystem is mounted in read-only mode + readOnlyRootFilesystem: true + # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID + allowPrivilegeEscalation: false + # -- Requires the container to run without root privileges + runAsNonRoot: true + # -- The container's process will run with the specified uid + runAsUser: 10001 + + # -- Extra environment variables that will be passed onto deployment pods + env: + EDC_IAM_DID_WEB_USE_HTTPS: true + EDC_DATA_PLANE_SELF_UNREGISTRATION: true + EDC_IAM_CREDENTIAL_REVOCATION_MIMETYPE: application/json + EDC_IAM_ISSUER_ID: did:web:wallet.staging.construct-x.net:user + EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: did:web:issuer-wallet.staging.construct-x.net:issuer + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: usersecret + + # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. 
+ # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core + envValueFrom: {} + # ENV_NAME: + # configMapKeyRef: + # name: configmap-name + # key: value_key + # secretKeyRef: + # name: secret-name + # key: value_key + + # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from + envSecretNames: [] + # - first-secret + # - second-secret + + # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from + envConfigMapNames: [] + # - first-config-map + # - second-config-map + + ## Ingress declaration to expose the network service. + ingresses: + ## Public / Internet facing Ingress + - enabled: true + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "edc-data.local" + # -- Additional ingress annotations to add + annotations: {} + # -- EDC endpoints exposed by this ingress resource + endpoints: + - public + - proxy + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + className: "" + # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource + tls: + # -- Enables TLS on the ingress resource + enabled: false + # -- If present overwrites the default secret name + secretName: "" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via cert-manager namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "" + ## Private / Intranet facing Ingress + - enabled: true + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "edc-data.intranet" + # -- Additional 
ingress annotations to add + annotations: {} + # -- EDC endpoints exposed by this ingress resource + endpoints: + - management + - control + - metrics + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + className: "" + # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource + tls: + # -- Enables TLS on the ingress resource enabled: false - # -- Minimal replicas if resource consumption falls below resource threshholds - minReplicas: 1 - # -- Maximum replicas if resource consumption exceeds resource threshholds - maxReplicas: 100 - # -- targetAverageUtilization of cpu provided to a pod - targetCPUUtilizationPercentage: 80 - # -- targetAverageUtilization of memory provided to a pod - targetMemoryUtilizationPercentage: 80 - - # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics - opentelemetry: |- - otel.javaagent.enabled=false - otel.javaagent.debug=false - - # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes - nodeSelector: {} - # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes - tolerations: [] - # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on - affinity: {} - url: - # -- Explicitly declared url for reaching the public api (e.g. 
if ingresses not used) - public: "" + # -- If present overwrites the default secret name + secretName: "" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via cert-manager namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "" + + # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container + volumeMounts: + # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories + volumes: + + # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container + resources: + limits: + # -- Maximum CPU limit + cpu: 1.5 + # -- Maximum memory limit + memory: 1024Mi + requests: + # -- Initial CPU request + cpu: 500m + # -- Initial memory request + memory: 1024Mi + + replicaCount: 1 + + autoscaling: + # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) + enabled: false + # -- Minimal replicas if resource consumption falls below resource threshholds + minReplicas: 1 + # -- Maximum replicas if resource consumption exceeds resource threshholds + maxReplicas: 100 + # -- targetAverageUtilization of cpu provided to a pod + targetCPUUtilizationPercentage: 80 + # -- targetAverageUtilization of memory provided to a pod + targetMemoryUtilizationPercentage: 80 + + # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics + opentelemetry: |- + otel.javaagent.enabled=false + otel.javaagent.debug=false + + # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes + 
nodeSelector: {} + # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes + tolerations: [] + # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on + affinity: {} + url: + # -- Explicitly declared url for reaching the public api (e.g. if ingresses not used) + public: "" postgresql: - image: - repository: "bitnamilegacy/postgresql" - tag: "16.2.0-debian-12-r10" - jdbcUrl: "jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc" - primary: - persistence: - enabled: false - readReplicas: - persistence: - enabled: false - auth: - database: "edc" - username: "user" - password: "password" + image: + repository: "bitnamilegacy/postgresql" + tag: "16.2.0-debian-12-r10" + jdbcUrl: "jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc" + primary: + persistence: + enabled: false + readReplicas: + persistence: + enabled: false + auth: + database: "edc" + username: "user" + password: "password" vault: - injector: - enabled: false - server: - dev: - enabled: true - devRootToken: "root" - postStart: # must be set externally! - hashicorp: - url: "http://{{ .Release.Name }}-vault:8200" - token: "root" - timeout: 30 - healthCheck: - enabled: true - standbyOk: true - paths: - secret: /v1/secret - health: /v1/sys/health - folder: "" + injector: + enabled: false + server: + dev: + enabled: true + devRootToken: "root" + postStart: # must be set externally! 
+ hashicorp: + url: "http://{{ .Release.Name }}-vault:8200" + token: "root" + timeout: 30 + healthCheck: + enabled: true + standbyOk: true + paths: + secret: /v1/secret + health: /v1/sys/health + folder: "" networkPolicy: - # -- If `true` network policy will be created to restrict access to control- and dataplane - enabled: false - # -- Configuration of the controlplane component - controlplane: - # -- Specify from rule network policy for cp (defaults to all namespaces) - from: - - namespaceSelector: {} - # -- Configuration of the dataplane component - dataplane: - # -- Specify from rule network policy for dp (defaults to all namespaces) - from: - - namespaceSelector: {} + # -- If `true` network policy will be created to restrict access to control- and dataplane + enabled: false + # -- Configuration of the controlplane component + controlplane: + # -- Specify from rule network policy for cp (defaults to all namespaces) + from: + - namespaceSelector: {} + # -- Configuration of the dataplane component + dataplane: + # -- Specify from rule network policy for dp (defaults to all namespaces) + from: + - namespaceSelector: {} serviceAccount: - # -- Specifies whether a service account should be created - create: true - # -- Annotations to add to the service account - annotations: {} - # -- The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" - # -- Existing image pull secret bound to the service account to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) - imagePullSecrets: [] + # -- Specifies whether a service account should be created + create: true + # -- Annotations to add to the service account + annotations: {} + # -- The name of the service account to use. 
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+ # -- Existing image pull secret bound to the service account to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry)
+ imagePullSecrets: []
 # -- Configurations for Helm tests
 tests:
- # -- Configure the hook-delete-policy for Helm tests
- hookDeletePolicy: before-hook-creation,hook-succeeded
+ # -- Configure the hook-delete-policy for Helm tests
+ hookDeletePolicy: before-hook-creation,hook-succeeded
From f227dbfbdfef2263e6dd78f0bb2c0f48a37e0746 Mon Sep 17 00:00:00 2001
From: Dennis Borrmann
Date: Tue, 16 Jun 2026 09:15:53 +0200
Subject: [PATCH 13/17] fix linter tractusx connector memory
---
 charts/tractusx-connector-memory/values.yaml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/charts/tractusx-connector-memory/values.yaml b/charts/tractusx-connector-memory/values.yaml
index a0e1008643..19c83d0fab 100644
--- a/charts/tractusx-connector-memory/values.yaml
+++ b/charts/tractusx-connector-memory/values.yaml
@@ -53,12 +53,12 @@ iatp:
 url:
 oauth:
 # -- URL where connectors can request OAuth2 access tokens for DIV access
- token_url:
+ token_url: "https://change-me"
 client:
 # -- Client ID for requesting OAuth2 access token for DIV access
- id:
+ id: "change-me"
 # -- Alias under which the client secret is stored in the vault for requesting OAuth2 access token for DIV access
- secret_alias:
+ secret_alias: "change-me"
 didService:
 selfRegistration:
 # -- Whether Service Self Registration is enabled
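Review bot: The `"change-me"` placeholders for `token_url`, `client.id` and `secret_alias` are non-empty strings, so a chart consumer who forgets to override them no longer gets a render-time or startup failure but a connector that tries to fetch STS tokens from `https://change-me` and looks up a vault alias that does not exist; any `required` guard in the templates would also be satisfied by these values. The same applies to `privatekey_alias`, `publickey_alias` and `bdrs.server.url` in the following hunk. If the linter only rejects bare `key:` values, `""` or `null` keeps the fail-fast behaviour while satisfying it; if the placeholder is intentional, say so above each key, e.g. `# -- Must be overridden per deployment; the placeholder is deliberately invalid`.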
@@ -217,17 +217,17 @@ runtime:
 refresh_endpoint:
 signer:
 # -- Alias under which the private key (JWK or PEM format) is stored in the vault
- privatekey_alias:
+ privatekey_alias: "change-me"
 verifier:
 # -- Alias under which the public key (JWK or PEM format) is stored in the vault, that belongs to the private key which was referred to at `dataplane.token.signer.privatekey_alias`
- publickey_alias:
+ publickey_alias: "change-me"
 bdrs:
 # -- Time that a cached BPN/DID resolution map is valid in seconds, default is 600 seconds (10 min)
 cache_validity_seconds: 600
 server:
 # -- URL of the BPN/DID Resolution Service
- url:
+ url: "https://change-me"
 # -- configuration for policy engine
 policy:
From dd995f009ebe341e7d20b0e232b8beaf19c77044 Mon Sep 17 00:00:00 2001
From: Dennis Borrmann
Date: Tue, 16 Jun 2026 09:20:16 +0200
Subject: [PATCH 14/17] fix linter
---
 .../tractusx-connector/templates/post-install-vault-setup.yaml | 2 +-
 charts/tractusx-connector/templates/vault-edc-configmap.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/tractusx-connector/templates/post-install-vault-setup.yaml b/charts/tractusx-connector/templates/post-install-vault-setup.yaml
index 904b4295c2..ce648d251e 100644
--- a/charts/tractusx-connector/templates/post-install-vault-setup.yaml
+++ b/charts/tractusx-connector/templates/post-install-vault-setup.yaml
@@ -20,7 +20,7 @@
 ---
 {{ $vaultToken := index .Values "vault" "hashicorp" "token" -}}
 {{- $vaultUrl := tpl (index .Values "vault" "hashicorp" "url") . -}}
-{{ $fullName := .Values.nameOverride -}}
+{{ $fullName := default "connector" .Values.nameOverride -}}
 apiVersion: batch/v1
 kind: Job
 metadata:
diff --git a/charts/tractusx-connector/templates/vault-edc-configmap.yaml b/charts/tractusx-connector/templates/vault-edc-configmap.yaml
index 351f35d4e0..c3aa7fbfff 100644
--- a/charts/tractusx-connector/templates/vault-edc-configmap.yaml
+++ b/charts/tractusx-connector/templates/vault-edc-configmap.yaml
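Review bot: `default "connector" .Values.nameOverride` ties the Job name to a fixed string whenever `nameOverride` is empty (the chart default), so the resource no longer follows the release name and two installs in the same namespace would both try to own a resource named `connector`; it also ignores `fullnameOverride` entirely. The same expression is introduced in `vault-edc-configmap.yaml` in the next hunk, so both resources share the problem. Deriving `$fullName` from the chart's fullname helper, or at least `{{ $fullName := default .Release.Name .Values.nameOverride -}}`, would keep the names release-scoped. The rest of the template, including where `$fullName` and the vault token are used, lies outside the hunk.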
@@ -18,7 +18,7 @@
 # SPDX-License-Identifier: Apache-2.0
 #################################################################################
 ---
-{{ $fullName := .Values.nameOverride -}}
+{{ $fullName := default "connector" .Values.nameOverride -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
From 31a5282471eae64eeaa7542488f7536acce9051b Mon Sep 17 00:00:00 2001
From: Dennis Borrmann
Date: Tue, 16 Jun 2026 09:25:53 +0200
Subject: [PATCH 15/17] fix: restore original 4-space indentation in values files
---
 .../tractusx-connector/values-consumer.yaml | 228 +--
 .../tractusx-connector/values-provider.yaml | 228 +--
 charts/tractusx-connector/values.yaml | 1410 ++++++++---------
 3 files changed, 933 insertions(+), 933 deletions(-)
diff --git a/charts/tractusx-connector/values-consumer.yaml b/charts/tractusx-connector/values-consumer.yaml
index 52fb6190d6..a1fa0e4c27 100644
--- a/charts/tractusx-connector/values-consumer.yaml
+++ b/charts/tractusx-connector/values-consumer.yaml
@@ -1,128 +1,128 @@ shared: - connectorId: &connectorId did:web:consumer-idhub.staging.construct-x.net:consumer - secretAlias: &secretAlias consumersecret - trustedIssuerId: &trustedIssuerId did:web:local-issuer-service.staging.construct-x.net:issuer - clusterIssuer: &clusterIssuer letsencrypt-staging - ingressClass: &ingressClass nginx - imagePullSecret: &imagePullSecret registry-creds - controlplaneFqdn: &controlplaneFqdn consumer-conn-controlplane.staging.construct-x.net - dataplaneFqdn: &dataplaneFqdn consumer-conn-dataplane.staging.construct-x.net + connectorId: &connectorId did:web:consumer-idhub.staging.construct-x.net:consumer + secretAlias: &secretAlias consumersecret + trustedIssuerId: &trustedIssuerId did:web:local-issuer-service.staging.construct-x.net:issuer + clusterIssuer: &clusterIssuer letsencrypt-staging + ingressClass: &ingressClass nginx + imagePullSecret: &imagePullSecret registry-creds + controlplaneFqdn: &controlplaneFqdn consumer-conn-controlplane.staging.construct-x.net + dataplaneFqdn: &dataplaneFqdn consumer-conn-dataplane.staging.construct-x.net nameOverride: consumer-conn fullnameOverride: consumer-conn participant: - id: *connectorId + id: *connectorId iatp: - id: *connectorId - trustedIssuerId: *trustedIssuerId - trustedIssuers: - - id: *trustedIssuerId - sts: - oauth: - token_url: https://consumer-idhub.staging.construct-x.net/api/sts/token - client: - id: *connectorId - secret_alias: *secretAlias - didService: - selfRegistration: - id: *connectorId + id: *connectorId + trustedIssuerId: *trustedIssuerId + trustedIssuers: + - id: *trustedIssuerId + sts: + oauth: + token_url: https://consumer-idhub.staging.construct-x.net/api/sts/token + client: + id: *connectorId + secret_alias: *secretAlias + didService: + selfRegistration: + id: *connectorId controlplane: - hostname: consumer-conn-controlplane - imagePullSecrets: - - name: *imagePullSecret - env: - EDC_IAM_ISSUER_ID: *connectorId - EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: *secretAlias 
- ingresses: - ## Public / Internet facing Ingress - - enabled: true - hostname: *controlplaneFqdn - annotations: - cert-manager.io/cluster-issuer: *clusterIssuer - external-dns.alpha.kubernetes.io/hostname: *controlplaneFqdn - external-dns.alpha.kubernetes.io/ttl: "300" - endpoints: - - protocol - className: *ingressClass - tls: - enabled: true - secretName: consumer-conn-cp-tls - certManager: - clusterIssuer: *clusterIssuer - ## Private / Intranet facing Ingress - - enabled: false - hostname: *controlplaneFqdn - annotations: - cert-manager.io/cluster-issuer: *clusterIssuer - external-dns.alpha.kubernetes.io/hostname: *controlplaneFqdn - external-dns.alpha.kubernetes.io/ttl: "300" - endpoints: - - management - - control - - validation - - metrics - className: *ingressClass - tls: - enabled: true - secretName: consumer-conn-cp-int-tls - certManager: - clusterIssuer: *clusterIssuer + hostname: consumer-conn-controlplane + imagePullSecrets: + - name: *imagePullSecret + env: + EDC_IAM_ISSUER_ID: *connectorId + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: *secretAlias + ingresses: + ## Public / Internet facing Ingress + - enabled: true + hostname: *controlplaneFqdn + annotations: + cert-manager.io/cluster-issuer: *clusterIssuer + external-dns.alpha.kubernetes.io/hostname: *controlplaneFqdn + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - protocol + className: *ingressClass + tls: + enabled: true + secretName: consumer-conn-cp-tls + certManager: + clusterIssuer: *clusterIssuer + ## Private / Intranet facing Ingress + - enabled: false + hostname: *controlplaneFqdn + annotations: + cert-manager.io/cluster-issuer: *clusterIssuer + external-dns.alpha.kubernetes.io/hostname: *controlplaneFqdn + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - management + - control + - validation + - metrics + className: *ingressClass + tls: + enabled: true + secretName: consumer-conn-cp-int-tls + certManager: + clusterIssuer: *clusterIssuer dataplane: - hostname: 
consumer-conn-dataplane - imagePullSecrets: - - name: *imagePullSecret - token: - signer: - privatekey_alias: cons_priv - verifier: - publickey_alias: cons_pub - env: - EDC_IAM_ISSUER_ID: *connectorId - EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: *trustedIssuerId - EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: *secretAlias - ingresses: - ## Public / Internet facing Ingress - - enabled: true - hostname: *dataplaneFqdn - annotations: - cert-manager.io/cluster-issuer: *clusterIssuer - external-dns.alpha.kubernetes.io/hostname: *dataplaneFqdn - external-dns.alpha.kubernetes.io/ttl: "300" - endpoints: - - public - - proxy - className: *ingressClass - tls: - enabled: true - secretName: consumer-conn-dp-tls - certManager: - clusterIssuer: *clusterIssuer - ## Private / Intranet facing Ingress - - enabled: false - hostname: *dataplaneFqdn - annotations: - cert-manager.io/cluster-issuer: *clusterIssuer - external-dns.alpha.kubernetes.io/hostname: *dataplaneFqdn - external-dns.alpha.kubernetes.io/ttl: "300" - endpoints: - - management - - control - - metrics - className: *ingressClass - tls: - enabled: true - secretName: consumer-conn-dp-int-tls - certManager: - clusterIssuer: *clusterIssuer + hostname: consumer-conn-dataplane + imagePullSecrets: + - name: *imagePullSecret + token: + signer: + privatekey_alias: cons_priv + verifier: + publickey_alias: cons_pub + env: + EDC_IAM_ISSUER_ID: *connectorId + EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: *trustedIssuerId + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: *secretAlias + ingresses: + ## Public / Internet facing Ingress + - enabled: true + hostname: *dataplaneFqdn + annotations: + cert-manager.io/cluster-issuer: *clusterIssuer + external-dns.alpha.kubernetes.io/hostname: *dataplaneFqdn + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - public + - proxy + className: *ingressClass + tls: + enabled: true + secretName: consumer-conn-dp-tls + certManager: + clusterIssuer: *clusterIssuer + ## Private / Intranet facing Ingress + - enabled: false + 
hostname: *dataplaneFqdn + annotations: + cert-manager.io/cluster-issuer: *clusterIssuer + external-dns.alpha.kubernetes.io/hostname: *dataplaneFqdn + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - management + - control + - metrics + className: *ingressClass + tls: + enabled: true + secretName: consumer-conn-dp-int-tls + certManager: + clusterIssuer: *clusterIssuer postgresql: - primary: - persistence: - enabled: true - readReplicas: - persistence: - enabled: true + primary: + persistence: + enabled: true + readReplicas: + persistence: + enabled: true diff --git a/charts/tractusx-connector/values-provider.yaml b/charts/tractusx-connector/values-provider.yaml index 479f1b29ed..c04ccfd1b0 100644 --- a/charts/tractusx-connector/values-provider.yaml +++ b/charts/tractusx-connector/values-provider.yaml 
@@ -1,128 +1,128 @@ shared: - connectorId: &connectorId did:web:provider-idhub.staging.construct-x.net:provider - secretAlias: &secretAlias providersecret - trustedIssuerId: &trustedIssuerId did:web:local-issuer-service.staging.construct-x.net:issuer - clusterIssuer: &clusterIssuer letsencrypt-staging - ingressClass: &ingressClass nginx - imagePullSecret: &imagePullSecret registry-creds - controlplaneFqdn: &controlplaneFqdn provider-conn-controlplane.staging.construct-x.net - dataplaneFqdn: &dataplaneFqdn provider-conn-dataplane.staging.construct-x.net + connectorId: &connectorId did:web:provider-idhub.staging.construct-x.net:provider + secretAlias: &secretAlias providersecret + trustedIssuerId: &trustedIssuerId did:web:local-issuer-service.staging.construct-x.net:issuer + clusterIssuer: &clusterIssuer letsencrypt-staging + ingressClass: &ingressClass nginx + imagePullSecret: &imagePullSecret registry-creds + controlplaneFqdn: &controlplaneFqdn provider-conn-controlplane.staging.construct-x.net + dataplaneFqdn: &dataplaneFqdn provider-conn-dataplane.staging.construct-x.net nameOverride: provider-conn fullnameOverride: provider-conn participant: - id: *connectorId + id: *connectorId iatp: - id: *connectorId - trustedIssuerId: *trustedIssuerId - trustedIssuers: - - id: *trustedIssuerId - sts: - oauth: - token_url: https://provider-idhub.staging.construct-x.net/api/sts/token - client: - id: *connectorId - secret_alias: *secretAlias - didService: - selfRegistration: - id: *connectorId + id: *connectorId + trustedIssuerId: *trustedIssuerId + trustedIssuers: + - id: *trustedIssuerId + sts: + oauth: + token_url: https://provider-idhub.staging.construct-x.net/api/sts/token + client: + id: *connectorId + secret_alias: *secretAlias + didService: + selfRegistration: + id: *connectorId controlplane: - hostname: provider-conn-controlplane - imagePullSecrets: - - name: *imagePullSecret - env: - EDC_IAM_ISSUER_ID: *connectorId - EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: *secretAlias 
- ingresses: - ## Public / Internet facing Ingress - - enabled: true - hostname: *controlplaneFqdn - annotations: - cert-manager.io/cluster-issuer: *clusterIssuer - external-dns.alpha.kubernetes.io/hostname: *controlplaneFqdn - external-dns.alpha.kubernetes.io/ttl: "300" - endpoints: - - protocol - className: *ingressClass - tls: - enabled: true - secretName: provider-conn-cp-tls - certManager: - clusterIssuer: *clusterIssuer - ## Private / Intranet facing Ingress - - enabled: false - hostname: *controlplaneFqdn - annotations: - cert-manager.io/cluster-issuer: *clusterIssuer - external-dns.alpha.kubernetes.io/hostname: *controlplaneFqdn - external-dns.alpha.kubernetes.io/ttl: "300" - endpoints: - - management - - control - - validation - - metrics - className: *ingressClass - tls: - enabled: true - secretName: provider-conn-cp-int-tls - certManager: - clusterIssuer: *clusterIssuer + hostname: provider-conn-controlplane + imagePullSecrets: + - name: *imagePullSecret + env: + EDC_IAM_ISSUER_ID: *connectorId + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: *secretAlias + ingresses: + ## Public / Internet facing Ingress + - enabled: true + hostname: *controlplaneFqdn + annotations: + cert-manager.io/cluster-issuer: *clusterIssuer + external-dns.alpha.kubernetes.io/hostname: *controlplaneFqdn + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - protocol + className: *ingressClass + tls: + enabled: true + secretName: provider-conn-cp-tls + certManager: + clusterIssuer: *clusterIssuer + ## Private / Intranet facing Ingress + - enabled: false + hostname: *controlplaneFqdn + annotations: + cert-manager.io/cluster-issuer: *clusterIssuer + external-dns.alpha.kubernetes.io/hostname: *controlplaneFqdn + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - management + - control + - validation + - metrics + className: *ingressClass + tls: + enabled: true + secretName: provider-conn-cp-int-tls + certManager: + clusterIssuer: *clusterIssuer dataplane: - hostname: 
provider-conn-dataplane - imagePullSecrets: - - name: *imagePullSecret - token: - signer: - privatekey_alias: prov_priv - verifier: - publickey_alias: prov_pub - env: - EDC_IAM_ISSUER_ID: *connectorId - EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: *trustedIssuerId - EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: *secretAlias - ingresses: - ## Public / Internet facing Ingress - - enabled: true - hostname: *dataplaneFqdn - annotations: - cert-manager.io/cluster-issuer: *clusterIssuer - external-dns.alpha.kubernetes.io/hostname: *dataplaneFqdn - external-dns.alpha.kubernetes.io/ttl: "300" - endpoints: - - public - - proxy - className: *ingressClass - tls: - enabled: true - secretName: provider-conn-dp-tls - certManager: - clusterIssuer: *clusterIssuer - ## Private / Intranet facing Ingress - - enabled: false - hostname: *dataplaneFqdn - annotations: - cert-manager.io/cluster-issuer: *clusterIssuer - external-dns.alpha.kubernetes.io/hostname: *dataplaneFqdn - external-dns.alpha.kubernetes.io/ttl: "300" - endpoints: - - management - - control - - metrics - className: *ingressClass - tls: - enabled: true - secretName: provider-conn-dp-int-tls - certManager: - clusterIssuer: *clusterIssuer + hostname: provider-conn-dataplane + imagePullSecrets: + - name: *imagePullSecret + token: + signer: + privatekey_alias: prov_priv + verifier: + publickey_alias: prov_pub + env: + EDC_IAM_ISSUER_ID: *connectorId + EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: *trustedIssuerId + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: *secretAlias + ingresses: + ## Public / Internet facing Ingress + - enabled: true + hostname: *dataplaneFqdn + annotations: + cert-manager.io/cluster-issuer: *clusterIssuer + external-dns.alpha.kubernetes.io/hostname: *dataplaneFqdn + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - public + - proxy + className: *ingressClass + tls: + enabled: true + secretName: provider-conn-dp-tls + certManager: + clusterIssuer: *clusterIssuer + ## Private / Intranet facing Ingress + - enabled: false + 
hostname: *dataplaneFqdn + annotations: + cert-manager.io/cluster-issuer: *clusterIssuer + external-dns.alpha.kubernetes.io/hostname: *dataplaneFqdn + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - management + - control + - metrics + className: *ingressClass + tls: + enabled: true + secretName: provider-conn-dp-int-tls + certManager: + clusterIssuer: *clusterIssuer postgresql: - primary: - persistence: - enabled: true - readReplicas: - persistence: - enabled: true + primary: + persistence: + enabled: true + readReplicas: + persistence: + enabled: true diff --git a/charts/tractusx-connector/values.yaml b/charts/tractusx-connector/values.yaml index 3d5597de87..84e18f105e 100644 --- a/charts/tractusx-connector/values.yaml +++ b/charts/tractusx-connector/values.yaml @@ -23,10 +23,10 @@ # Declare variables to be passed into your templates. install: - # -- Deploying a PostgreSQL instance - postgresql: true - # -- Deploying a HashiCorp Vault instance - vault: true + # -- Deploying a PostgreSQL instance + postgresql: true + # -- Deploying a HashiCorp Vault instance + vault: true fullnameOverride: "" nameOverride: "" 
@@ -37,731 +37,731 @@ imagePullSecrets: [] customLabels: {} participant: - id: "did:web:changeme" + id: "did:web:changeme" iatp: - # -- Decentralized IDentifier (DID) of the connector - id: "did:web:changeme" - # -- ID of the trusted issuer that is used for SI token validation (maps to EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID) - trustedIssuerId: "change-me" - # -- Configures the trusted issuers for this runtime. If no supportedTypes are specified, the value defaults to "*" for that issuer - trustedIssuers: [] - # - id: "did:web:example1.com" - # supportedTypes: - # - "MembershipCredential" - # - "did:web:example2.com" - sts: - div: - # -- URL where connectors can request SI tokens - url: - oauth: - # -- URL where connectors can request OAuth2 access tokens for DIV access - token_url: "https://change-me" - client: - # -- Client ID for requesting OAuth2 access token for DIV access - id: "change-me" - # -- Alias under which the client secret is stored in the vault for requesting OAuth2 access token for DIV access - secret_alias: "change-me" - didService: - selfRegistration: - # -- Whether Service Self Registration is enabled - enabled: false - # -- Unique id of connector to be used for register / unregister service inside did document (must be valid URI) - id: "did:web:changeme" - # - Configures the Verifiable Presentation cache - cache: - # -- Whether the Verifiable Presentation cache is enabled - enabled: true - # -- Validity of the Verifiable Presentation cache in seconds - validity: 86400 + # -- Decentralized IDentifier (DID) of the connector + id: "did:web:changeme" + # -- ID of the trusted issuer that is used for SI token validation (maps to EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID) + trustedIssuerId: "change-me" + # -- Configures the trusted issuers for this runtime. 
If no supportedTypes are specified, the value defaults to "*" for that issuer + trustedIssuers: [] + # - id: "did:web:example1.com" + # supportedTypes: + # - "MembershipCredential" + # - "did:web:example2.com" + sts: + div: + # -- URL where connectors can request SI tokens + url: + oauth: + # -- URL where connectors can request OAuth2 access tokens for DIV access + token_url: "https://change-me" + client: + # -- Client ID for requesting OAuth2 access token for DIV access + id: "change-me" + # -- Alias under which the client secret is stored in the vault for requesting OAuth2 access token for DIV access + secret_alias: "change-me" + didService: + selfRegistration: + # -- Whether Service Self Registration is enabled + enabled: false + # -- Unique id of connector to be used for register / unregister service inside did document (must be valid URI) + id: "did:web:changeme" + # - Configures the Verifiable Presentation cache + cache: + # -- Whether the Verifiable Presentation cache is enabled + enabled: true + # -- Validity of the Verifiable Presentation cache in seconds + validity: 86400 # -- Add custom ca certificates to the truststore customCaCerts: {} log4j2: - # -- Whether to enable the json log config in log4j2.config - enableJsonLogs: true - # -- Log4j2 configuration for json log formatting. - config: |- - Appenders: - Console: - name: CONSOLE - JsonTemplateLayout: - eventTemplate: |- - { - "timestamp": { - "$resolver": "timestamp", - "pattern": { - "format": "yyyy-MM-dd'T'HH:mm:ss.SSSSSSS", - "timeZone": "UTC" + # -- Whether to enable the json log config in log4j2.config + enableJsonLogs: true + # -- Log4j2 configuration for json log formatting. 
+ config: |- + Appenders: + Console: + name: CONSOLE + JsonTemplateLayout: + eventTemplate: |- + { + "timestamp": { + "$resolver": "timestamp", + "pattern": { + "format": "yyyy-MM-dd'T'HH:mm:ss.SSSSSSS", + "timeZone": "UTC" + } + }, + "level": { + "$resolver": "level", + "field": "severity", + "severity": { + "field": "keyword" + } + }, + "message": { + "$resolver": "message" + } } - }, - "level": { - "$resolver": "level", - "field": "severity", - "severity": { - "field": "keyword" - } - }, - "message": { - "$resolver": "message" - } - } - Loggers: - Root: - level: "OFF" - Logger: - name: org.eclipse.edc.monitor.logger - level: DEBUG - AppenderRef: - ref: CONSOLE + Loggers: + Root: + level: "OFF" + Logger: + name: org.eclipse.edc.monitor.logger + level: DEBUG + AppenderRef: + ref: CONSOLE controlplane: - nameOverride: "" - fullnameOverride: "" - # -- hostname where the controlplane is reachable - hostname: "" - image: - # -- Which derivate of the control plane to use. When left empty the deployment will select the correct image automatically - repository: "ghcr.io/project-construct-x/con-x-controlplane-postgresql-hashicorp-vault" - # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use - pullPolicy: IfNotPresent - # -- Overrides the image tag whose default is the chart appVersion - tag: "latest" - # -- Configure ghcr credentials to pull the control plane image - imagePullSecrets: - - name: ghcr-creds - initContainers: [] - debug: - # -- Enables java debugging mode. - enabled: false - # -- Port where the debuggee can connect to. - port: 1044 - # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. - suspendOnStart: false - - logs: - # -- Defines the log granularity of the default Console Monitor. 
- level: DEBUG - - livenessProbe: - # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) - enabled: true - # -- seconds to wait before performing the first liveness check - initialDelaySeconds: 30 - # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds - periodSeconds: 10 - # -- number of seconds after which the probe times out - timeoutSeconds: 5 - # -- when a probe fails kubernetes will try 6 times before giving up - failureThreshold: 6 - # -- number of consecutive successes for the probe to be considered successful after having failed - successThreshold: 1 - readinessProbe: - # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) - enabled: true - # -- seconds to wait before performing the first readiness check - initialDelaySeconds: 30 - # -- this fields specifies that kubernetes should perform a readiness check every 10 seconds - periodSeconds: 10 - # -- number of seconds after which the probe times out - timeoutSeconds: 5 - # -- when a probe fails kubernetes will try 6 times before giving up - failureThreshold: 6 - # -- number of consecutive successes for the probe to be considered successful after having failed - successThreshold: 1 - - # -- endpoints of the control plane - endpoints: - # -- default api for health checks, should not be added to any ingress - default: - # -- port for incoming api calls - port: 9000 - # -- path for incoming api calls - path: /api - # -- data management api, used by internal users, can be added to an ingress and must not be internet facing - management: - # -- port for incoming api calls - port: 9010 - # -- path for incoming api calls - path: /management - # -- authentication key, must be attached to each request as `X-Api-Key` header - authKey: "password" - # -- if the JWKS url is set, the 
DelegatedAuth service will be engaged - jwksUrl: - - # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not - control: - # -- port for incoming api calls - port: 9050 - # -- path for incoming api calls - path: /control - # -- dsp api, used for inter connector communication and must be internet facing - protocol: - # -- port for incoming api calls - port: 9020 - # -- path for incoming api calls - path: /dsp - # -- validation api - validation: - # -- port for incoming api calls - port: 9030 - # -- path for incoming api calls - path: /validation - # -- metrics api, used for application metrics, must not be internet facing - metrics: - # -- port for incoming api calls - port: 9090 - # -- path for incoming api calls - path: /metrics - - bdrs: - # -- Time that a cached BPN/DID resolution map is valid in seconds, default is 600 seconds (10 min) - cache_validity_seconds: 600 - server: - # -- URL of the BPN/DID Resolution Service - url: - - # -- configuration for policy engine - policy: - validation: - enabled: true - - service: - # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. 
- type: ClusterIP - # -- additional labels for the service - labels: {} - # -- additional annotations for the service - annotations: {} - - # -- additional labels for the pod - podLabels: {} - # -- additional annotations for the pod - podAnnotations: {} - # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment - podSecurityContext: - seccompProfile: - # -- Restrict a Container's Syscalls with seccomp - type: RuntimeDefault - # -- Runs all processes within a pod with a special uid - runAsUser: 10001 - # -- Processes within a pod will belong to this guid - runAsGroup: 10001 - # -- The owner for volumes and any files created within volumes will belong to this guid - fsGroup: 10001 - # The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod - securityContext: - capabilities: - # -- Specifies which capabilities to drop to reduce syscall attack surface - drop: - - ALL - # -- Specifies which capabilities to add to issue specialized syscalls - add: [] - # -- Whether the root filesystem is mounted in read-only mode - readOnlyRootFilesystem: true - # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID - allowPrivilegeEscalation: false - # -- Requires the container to run without root privileges - runAsNonRoot: true - # -- The container's process will run with the specified uid - runAsUser: 10001 - - # -- Extra environment variables that will be passed onto deployment pods - env: - EDC_IAM_DID_WEB_USE_HTTPS: true - EDC_IAM_ISSUER_ID: did:web:wallet.staging.construct-x.net:user - TX_EDC_POSTGRESQL_MIGRATION_ASSET_ENABLED: 
false - TX_EDC_POSTGRESQL_MIGRATION_AGREEMENTBPNS_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_BPN_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_CONTRACTDEFINITION_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_CONTRACTNEGOTIATION_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_DATAPLANEINSTANCE_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_EDR_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_FEDERATEDCATALOG_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_JTI-VALIDATION_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_POLICY-MONITOR_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_POLICY_ENABLED: false - TX_EDC_POSTGRESQL_MIGRATION_TRANSFERPROCESS_ENABLED: false - EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: usersecret - EDC_IAM_CREDENTIAL_REVOCATION_MIMETYPE: application/json - - # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. - # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core - envValueFrom: {} - # ENV_NAME: - # configMapKeyRef: - # name: configmap-name - # key: value_key - # secretKeyRef: - # name: secret-name - # key: value_key - - # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from - envSecretNames: [] - # - first-secret - # - second-secret - - # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from - envConfigMapNames: [] - # - first-config-map - # - second-config-map - - # Database schema auto-creation - schema: - autocreate: true - - ## Ingress declaration to expose the network service. 
- ingresses: - ## Public / Internet facing Ingress - - enabled: true - # -- The hostname to be used to precisely map incoming traffic onto the underlying network service - hostname: "edc-control.local" - # -- Additional ingress annotations to add - annotations: {} - # -- EDC endpoints exposed by this ingress resource - endpoints: - - protocol - # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use - className: "" - # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource - tls: - # -- Enables TLS on the ingress resource + nameOverride: "" + fullnameOverride: "" + # -- hostname where the controlplane is reachable + hostname: "" + image: + # -- Which derivate of the control plane to use. When left empty the deployment will select the correct image automatically + repository: "ghcr.io/project-construct-x/con-x-controlplane-postgresql-hashicorp-vault" + # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use + pullPolicy: IfNotPresent + # -- Overrides the image tag whose default is the chart appVersion + tag: "latest" + # -- Configure ghcr credentials to pull the control plane image + imagePullSecrets: + - name: ghcr-creds + initContainers: [] + debug: + # -- Enables java debugging mode. 
enabled: false - # -- If present overwrites the default secret name - secretName: "" - ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource - certManager: - # -- If preset enables certificate generation via cert-manager namespace scoped issuer - issuer: "" - # -- If preset enables certificate generation via cert-manager cluster-wide issuer - clusterIssuer: "" - ## Private / Intranet facing Ingress - - enabled: true - # -- The hostname to be used to precisely map incoming traffic onto the underlying network service - hostname: "edc-control.intranet" - # -- Additional ingress annotations to add - annotations: {} - # -- EDC endpoints exposed by this ingress resource - endpoints: - - management - - control - - validation - - metrics - # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use - className: "" - # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource - tls: - # -- Enables TLS on the ingress resource + # -- Port where the debuggee can connect to. + port: 1044 + # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. + suspendOnStart: false + + logs: + # -- Defines the log granularity of the default Console Monitor. 
+ level: DEBUG + + livenessProbe: + # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first liveness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + readinessProbe: + # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first readiness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a readiness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + + # -- endpoints of the control plane + endpoints: + # -- default api for health checks, should not be added to any ingress + default: + # -- port for incoming api calls + port: 9000 + # -- path for incoming api calls + path: /api + # -- data management api, used by internal users, can be added to an ingress and must not be internet facing + management: + # -- port for incoming api calls + port: 9010 + # -- path for incoming api calls + path: /management + # -- authentication key, must be attached to each request as `X-Api-Key` header + authKey: "password" + # -- if the JWKS url is set, the 
DelegatedAuth service will be engaged + jwksUrl: + + # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not + control: + # -- port for incoming api calls + port: 9050 + # -- path for incoming api calls + path: /control + # -- dsp api, used for inter connector communication and must be internet facing + protocol: + # -- port for incoming api calls + port: 9020 + # -- path for incoming api calls + path: /dsp + # -- validation api + validation: + # -- port for incoming api calls + port: 9030 + # -- path for incoming api calls + path: /validation + # -- metrics api, used for application metrics, must not be internet facing + metrics: + # -- port for incoming api calls + port: 9090 + # -- path for incoming api calls + path: /metrics + + bdrs: + # -- Time that a cached BPN/DID resolution map is valid in seconds, default is 600 seconds (10 min) + cache_validity_seconds: 600 + server: + # -- URL of the BPN/DID Resolution Service + url: + + # -- configuration for policy engine + policy: + validation: + enabled: true + + service: + # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. 
+ type: ClusterIP + # -- additional labels for the service + labels: {} + # -- additional annotations for the service + annotations: {} + + # -- additional labels for the pod + podLabels: {} + # -- additional annotations for the pod + podAnnotations: {} + # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment + podSecurityContext: + seccompProfile: + # -- Restrict a Container's Syscalls with seccomp + type: RuntimeDefault + # -- Runs all processes within a pod with a special uid + runAsUser: 10001 + # -- Processes within a pod will belong to this guid + runAsGroup: 10001 + # -- The owner for volumes and any files created within volumes will belong to this guid + fsGroup: 10001 + # The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod + securityContext: + capabilities: + # -- Specifies which capabilities to drop to reduce syscall attack surface + drop: + - ALL + # -- Specifies which capabilities to add to issue specialized syscalls + add: [] + # -- Whether the root filesystem is mounted in read-only mode + readOnlyRootFilesystem: true + # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID + allowPrivilegeEscalation: false + # -- Requires the container to run without root privileges + runAsNonRoot: true + # -- The container's process will run with the specified uid + runAsUser: 10001 + + # -- Extra environment variables that will be passed onto deployment pods + env: + EDC_IAM_DID_WEB_USE_HTTPS: true + EDC_IAM_ISSUER_ID: did:web:wallet.staging.construct-x.net:user + TX_EDC_POSTGRESQL_MIGRATION_ASSET_ENABLED: 
false + TX_EDC_POSTGRESQL_MIGRATION_AGREEMENTBPNS_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_BPN_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_CONTRACTDEFINITION_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_CONTRACTNEGOTIATION_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_DATAPLANEINSTANCE_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_EDR_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_FEDERATEDCATALOG_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_JTI-VALIDATION_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_POLICY-MONITOR_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_POLICY_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_TRANSFERPROCESS_ENABLED: false + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: usersecret + EDC_IAM_CREDENTIAL_REVOCATION_MIMETYPE: application/json + + # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. + # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core + envValueFrom: {} + # ENV_NAME: + # configMapKeyRef: + # name: configmap-name + # key: value_key + # secretKeyRef: + # name: secret-name + # key: value_key + + # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from + envSecretNames: [] + # - first-secret + # - second-secret + + # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from + envConfigMapNames: [] + # - first-config-map + # - second-config-map + + # Database schema auto-creation + schema: + autocreate: true + + ## Ingress declaration to expose the network service. 
+ ingresses: + ## Public / Internet facing Ingress + - enabled: true + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "edc-control.local" + # -- Additional ingress annotations to add + annotations: {} + # -- EDC endpoints exposed by this ingress resource + endpoints: + - protocol + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + className: "" + # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource + tls: + # -- Enables TLS on the ingress resource + enabled: false + # -- If present overwrites the default secret name + secretName: "" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via cert-manager namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "" + ## Private / Intranet facing Ingress + - enabled: true + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "edc-control.intranet" + # -- Additional ingress annotations to add + annotations: {} + # -- EDC endpoints exposed by this ingress resource + endpoints: + - management + - control + - validation + - metrics + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + className: "" + # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource + tls: + # -- Enables TLS on the ingress resource + enabled: false + # -- If present overwrites the default secret name + secretName: "" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via 
cert-manager namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "" + + # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container + volumeMounts: + # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories + volumes: + + # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container + resources: + limits: + # -- Maximum CPU limit + cpu: 1.5 + # -- Maximum memory limit + memory: 1024Mi + requests: + # -- Initial CPU request + cpu: 500m + # -- Initial memory request + memory: 1024Mi + + replicaCount: 1 + + autoscaling: + # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) enabled: false - # -- If present overwrites the default secret name - secretName: "" - ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource - certManager: - # -- If preset enables certificate generation via cert-manager namespace scoped issuer - issuer: "" - # -- If preset enables certificate generation via cert-manager cluster-wide issuer - clusterIssuer: "" - - # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container - volumeMounts: - # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories - volumes: - - # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container - resources: - limits: - # -- Maximum CPU limit - cpu: 1.5 - # -- Maximum memory limit - memory: 1024Mi - requests: - # -- Initial CPU request - cpu: 500m - # -- Initial memory request - memory: 1024Mi - - replicaCount: 1 - - autoscaling: - # -- Enables [horizontal pod 
autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) - enabled: false - # -- Minimal replicas if resource consumption falls below resource threshholds - minReplicas: 1 - # -- Maximum replicas if resource consumption exceeds resource threshholds - maxReplicas: 100 - # -- targetAverageUtilization of cpu provided to a pod - targetCPUUtilizationPercentage: 80 - # -- targetAverageUtilization of memory provided to a pod - targetMemoryUtilizationPercentage: 80 - - # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics - opentelemetry: |- - otel.javaagent.enabled=false - otel.javaagent.debug=false - - # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes - nodeSelector: {} - # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes - tolerations: [] - # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on - affinity: {} - - url: - # -- Explicitly declared url for reaching the dsp api (e.g. 
if ingresses not used) - protocol: "" + # -- Minimal replicas if resource consumption falls below resource threshholds + minReplicas: 1 + # -- Maximum replicas if resource consumption exceeds resource threshholds + maxReplicas: 100 + # -- targetAverageUtilization of cpu provided to a pod + targetCPUUtilizationPercentage: 80 + # -- targetAverageUtilization of memory provided to a pod + targetMemoryUtilizationPercentage: 80 + + # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics + opentelemetry: |- + otel.javaagent.enabled=false + otel.javaagent.debug=false + + # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes + nodeSelector: {} + # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes + tolerations: [] + # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on + affinity: {} + + url: + # -- Explicitly declared url for reaching the dsp api (e.g. if ingresses not used) + protocol: "" dataplane: - nameOverride: "" - fullnameOverride: "" - # -- hostname where the dataplane is reachable - hostname: "" - image: - # -- Which derivate of the data plane to use. 
when left empty the deployment will select the correct image automatically - repository: "ghcr.io/project-construct-x/con-x-dataplane-postgresql-hashicorp-vault" - # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use - pullPolicy: IfNotPresent - # -- Overrides the image tag whose default is the chart appVersion - tag: "latest" - # -- Configure ghcr credentials to pull the control plane image - imagePullSecrets: - - name: ghcr-creds - initContainers: [] - debug: - # -- Enables java debugging mode. - enabled: false - # -- Port where the debuggee can connect to. - port: 1044 - # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. - suspendOnStart: false - - logs: - # -- Defines the log granularity of the default Console Monitor. - level: DEBUG - - livenessProbe: - # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) - enabled: true - # -- seconds to wait before performing the first liveness check - initialDelaySeconds: 30 - # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds - periodSeconds: 10 - # -- number of seconds after which the probe times out - timeoutSeconds: 5 - # -- when a probe fails kubernetes will try 6 times before giving up - failureThreshold: 6 - # -- number of consecutive successes for the probe to be considered successful after having failed - successThreshold: 1 - readinessProbe: - # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) - enabled: true - # -- seconds to wait before performing the first readiness check - initialDelaySeconds: 30 - # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds - periodSeconds: 10 - # -- number of seconds after which 
the probe times out - timeoutSeconds: 5 - # -- when a probe fails kubernetes will try 6 times before giving up - failureThreshold: 6 - # -- number of consecutive successes for the probe to be considered successful after having failed - successThreshold: 1 - - service: - # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. - type: ClusterIP - # -- additional labels for the service - labels: {} - # -- additional annotations for the service - annotations: {} - - # -- endpoints of the dataplane - endpoints: - # -- default api for health checks, should not be added to any ingress - default: - # -- port for incoming api calls - port: 8181 - # -- path for incoming api calls - path: /api - # -- public endpoint where the data can be fetched from if HttpPull was used. Must be internet facing. - public: - # -- port for incoming api calls - port: 9500 - # -- path for incoming api calls - path: /public - # -- control api, used for internal control calls. 
can be added to the internal ingress, but should probably not - control: - # -- port for incoming api calls - port: 9550 - # -- path for incoming api calls - path: /control - # -- data management api - management: - # -- port for incoming api calls - port: 9510 - # -- path for incoming api calls - path: /management - # -- proxy api for consumer data transfer - proxy: - # -- port for incoming api calls - port: 9511 - # -- path for incoming api calls - path: /proxy - # -- authentication key, must be attached to each request as `X-Api-Key` header - authKey: "password" - # -- metrics api, used for application metrics, must not be internet facing - metrics: - # -- port for incoming api calls - port: 9090 - # -- path for incoming api calls - path: /metrics - - token: - refresh: - # -- TTL in seconds for access tokens (also known as EDR token) - expiry_seconds: 300 - # -- Tolerance for token expiry in seconds - expiry_tolerance_seconds: 10 - # -- Optional endpoint for an OAuth2 token refresh. Default endpoint is `/token` - refresh_endpoint: - signer: - # -- Alias under which the private key (JWK or PEM format) is stored in the vault - privatekey_alias: priv - verifier: - # -- Alias under which the public key (JWK or PEM format) is stored in the vault, that belongs to the private key which was referred to at `dataplane.token.signer.privatekey_alias` - publickey_alias: pub - - # Database schema auto-creation - schema: - autocreate: true - - aws: - endpointOverride: "" - accessKeyId: "" - secretAccessKey: "" - - # -- additional labels for the pod - podLabels: {} - # -- additional annotations for the pod - podAnnotations: {} - # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment - podSecurityContext: - seccompProfile: - # -- Restrict a Container's Syscalls with seccomp - type: RuntimeDefault - # -- Runs all 
processes within a pod with a special uid - runAsUser: 10001 - # -- Processes within a pod will belong to this guid - runAsGroup: 10001 - # -- The owner for volumes and any files created within volumes will belong to this guid - fsGroup: 10001 - # -- The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod - securityContext: - capabilities: - # -- Specifies which capabilities to drop to reduce syscall attack surface - drop: - - ALL - # -- Specifies which capabilities to add to issue specialized syscalls - add: [] - # -- Whether the root filesystem is mounted in read-only mode - readOnlyRootFilesystem: true - # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID - allowPrivilegeEscalation: false - # -- Requires the container to run without root privileges - runAsNonRoot: true - # -- The container's process will run with the specified uid - runAsUser: 10001 - - # -- Extra environment variables that will be passed onto deployment pods - env: - EDC_IAM_DID_WEB_USE_HTTPS: true - EDC_DATA_PLANE_SELF_UNREGISTRATION: true - EDC_IAM_CREDENTIAL_REVOCATION_MIMETYPE: application/json - EDC_IAM_ISSUER_ID: did:web:wallet.staging.construct-x.net:user - EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: did:web:issuer-wallet.staging.construct-x.net:issuer - EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: usersecret - - # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. 
- # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core - envValueFrom: {} - # ENV_NAME: - # configMapKeyRef: - # name: configmap-name - # key: value_key - # secretKeyRef: - # name: secret-name - # key: value_key - - # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from - envSecretNames: [] - # - first-secret - # - second-secret - - # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from - envConfigMapNames: [] - # - first-config-map - # - second-config-map - - ## Ingress declaration to expose the network service. - ingresses: - ## Public / Internet facing Ingress - - enabled: true - # -- The hostname to be used to precisely map incoming traffic onto the underlying network service - hostname: "edc-data.local" - # -- Additional ingress annotations to add - annotations: {} - # -- EDC endpoints exposed by this ingress resource - endpoints: - - public - - proxy - # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use - className: "" - # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource - tls: - # -- Enables TLS on the ingress resource + nameOverride: "" + fullnameOverride: "" + # -- hostname where the dataplane is reachable + hostname: "" + image: + # -- Which derivate of the data plane to use. 
when left empty the deployment will select the correct image automatically + repository: "ghcr.io/project-construct-x/con-x-dataplane-postgresql-hashicorp-vault" + # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use + pullPolicy: IfNotPresent + # -- Overrides the image tag whose default is the chart appVersion + tag: "latest" + # -- Configure ghcr credentials to pull the control plane image + imagePullSecrets: + - name: ghcr-creds + initContainers: [] + debug: + # -- Enables java debugging mode. enabled: false - # -- If present overwrites the default secret name - secretName: "" - ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource - certManager: - # -- If preset enables certificate generation via cert-manager namespace scoped issuer - issuer: "" - # -- If preset enables certificate generation via cert-manager cluster-wide issuer - clusterIssuer: "" - ## Private / Intranet facing Ingress - - enabled: true - # -- The hostname to be used to precisely map incoming traffic onto the underlying network service - hostname: "edc-data.intranet" - # -- Additional ingress annotations to add - annotations: {} - # -- EDC endpoints exposed by this ingress resource - endpoints: - - management - - control - - metrics - # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use - className: "" - # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource - tls: - # -- Enables TLS on the ingress resource + # -- Port where the debuggee can connect to. + port: 1044 + # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. + suspendOnStart: false + + logs: + # -- Defines the log granularity of the default Console Monitor. 
+ level: DEBUG + + livenessProbe: + # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first liveness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + readinessProbe: + # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first readiness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + + service: + # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. 
+ type: ClusterIP + # -- additional labels for the service + labels: {} + # -- additional annotations for the service + annotations: {} + + # -- endpoints of the dataplane + endpoints: + # -- default api for health checks, should not be added to any ingress + default: + # -- port for incoming api calls + port: 8181 + # -- path for incoming api calls + path: /api + # -- public endpoint where the data can be fetched from if HttpPull was used. Must be internet facing. + public: + # -- port for incoming api calls + port: 9500 + # -- path for incoming api calls + path: /public + # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not + control: + # -- port for incoming api calls + port: 9550 + # -- path for incoming api calls + path: /control + # -- data management api + management: + # -- port for incoming api calls + port: 9510 + # -- path for incoming api calls + path: /management + # -- proxy api for consumer data transfer + proxy: + # -- port for incoming api calls + port: 9511 + # -- path for incoming api calls + path: /proxy + # -- authentication key, must be attached to each request as `X-Api-Key` header + authKey: "password" + # -- metrics api, used for application metrics, must not be internet facing + metrics: + # -- port for incoming api calls + port: 9090 + # -- path for incoming api calls + path: /metrics + + token: + refresh: + # -- TTL in seconds for access tokens (also known as EDR token) + expiry_seconds: 300 + # -- Tolerance for token expiry in seconds + expiry_tolerance_seconds: 10 + # -- Optional endpoint for an OAuth2 token refresh. 
Default endpoint is `/token` + refresh_endpoint: + signer: + # -- Alias under which the private key (JWK or PEM format) is stored in the vault + privatekey_alias: priv + verifier: + # -- Alias under which the public key (JWK or PEM format) is stored in the vault, that belongs to the private key which was referred to at `dataplane.token.signer.privatekey_alias` + publickey_alias: pub + + # Database schema auto-creation + schema: + autocreate: true + + aws: + endpointOverride: "" + accessKeyId: "" + secretAccessKey: "" + + # -- additional labels for the pod + podLabels: {} + # -- additional annotations for the pod + podAnnotations: {} + # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment + podSecurityContext: + seccompProfile: + # -- Restrict a Container's Syscalls with seccomp + type: RuntimeDefault + # -- Runs all processes within a pod with a special uid + runAsUser: 10001 + # -- Processes within a pod will belong to this guid + runAsGroup: 10001 + # -- The owner for volumes and any files created within volumes will belong to this guid + fsGroup: 10001 + # -- The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod + securityContext: + capabilities: + # -- Specifies which capabilities to drop to reduce syscall attack surface + drop: + - ALL + # -- Specifies which capabilities to add to issue specialized syscalls + add: [] + # -- Whether the root filesystem is mounted in read-only mode + readOnlyRootFilesystem: true + # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID + allowPrivilegeEscalation: false + # 
-- Requires the container to run without root privileges + runAsNonRoot: true + # -- The container's process will run with the specified uid + runAsUser: 10001 + + # -- Extra environment variables that will be passed onto deployment pods + env: + EDC_IAM_DID_WEB_USE_HTTPS: true + EDC_DATA_PLANE_SELF_UNREGISTRATION: true + EDC_IAM_CREDENTIAL_REVOCATION_MIMETYPE: application/json + EDC_IAM_ISSUER_ID: did:web:wallet.staging.construct-x.net:user + EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: did:web:issuer-wallet.staging.construct-x.net:issuer + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: usersecret + + # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. + # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core + envValueFrom: {} + # ENV_NAME: + # configMapKeyRef: + # name: configmap-name + # key: value_key + # secretKeyRef: + # name: secret-name + # key: value_key + + # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from + envSecretNames: [] + # - first-secret + # - second-secret + + # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from + envConfigMapNames: [] + # - first-config-map + # - second-config-map + + ## Ingress declaration to expose the network service. 
+ ingresses: + ## Public / Internet facing Ingress + - enabled: true + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "edc-data.local" + # -- Additional ingress annotations to add + annotations: {} + # -- EDC endpoints exposed by this ingress resource + endpoints: + - public + - proxy + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + className: "" + # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource + tls: + # -- Enables TLS on the ingress resource + enabled: false + # -- If present overwrites the default secret name + secretName: "" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via cert-manager namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "" + ## Private / Intranet facing Ingress + - enabled: true + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "edc-data.intranet" + # -- Additional ingress annotations to add + annotations: {} + # -- EDC endpoints exposed by this ingress resource + endpoints: + - management + - control + - metrics + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + className: "" + # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource + tls: + # -- Enables TLS on the ingress resource + enabled: false + # -- If present overwrites the default secret name + secretName: "" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via cert-manager 
namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "" + + # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container + volumeMounts: + # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories + volumes: + + # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container + resources: + limits: + # -- Maximum CPU limit + cpu: 1.5 + # -- Maximum memory limit + memory: 1024Mi + requests: + # -- Initial CPU request + cpu: 500m + # -- Initial memory request + memory: 1024Mi + + replicaCount: 1 + + autoscaling: + # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) enabled: false - # -- If present overwrites the default secret name - secretName: "" - ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource - certManager: - # -- If preset enables certificate generation via cert-manager namespace scoped issuer - issuer: "" - # -- If preset enables certificate generation via cert-manager cluster-wide issuer - clusterIssuer: "" - - # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container - volumeMounts: - # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories - volumes: - - # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container - resources: - limits: - # -- Maximum CPU limit - cpu: 1.5 - # -- Maximum memory limit - memory: 1024Mi - requests: - # -- Initial CPU request - cpu: 500m - # -- Initial memory request - memory: 1024Mi - - replicaCount: 1 - - autoscaling: - # -- Enables [horizontal pod 
autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) - enabled: false - # -- Minimal replicas if resource consumption falls below resource threshholds - minReplicas: 1 - # -- Maximum replicas if resource consumption exceeds resource threshholds - maxReplicas: 100 - # -- targetAverageUtilization of cpu provided to a pod - targetCPUUtilizationPercentage: 80 - # -- targetAverageUtilization of memory provided to a pod - targetMemoryUtilizationPercentage: 80 - - # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics - opentelemetry: |- - otel.javaagent.enabled=false - otel.javaagent.debug=false - - # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes - nodeSelector: {} - # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes - tolerations: [] - # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on - affinity: {} - url: - # -- Explicitly declared url for reaching the public api (e.g. 
if ingresses not used) - public: "" + # -- Minimal replicas if resource consumption falls below resource threshholds + minReplicas: 1 + # -- Maximum replicas if resource consumption exceeds resource threshholds + maxReplicas: 100 + # -- targetAverageUtilization of cpu provided to a pod + targetCPUUtilizationPercentage: 80 + # -- targetAverageUtilization of memory provided to a pod + targetMemoryUtilizationPercentage: 80 + + # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics + opentelemetry: |- + otel.javaagent.enabled=false + otel.javaagent.debug=false + + # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes + nodeSelector: {} + # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes + tolerations: [] + # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on + affinity: {} + url: + # -- Explicitly declared url for reaching the public api (e.g. 
if ingresses not used) + public: "" postgresql: - image: - repository: "bitnamilegacy/postgresql" - tag: "16.2.0-debian-12-r10" - jdbcUrl: "jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc" - primary: - persistence: - enabled: false - readReplicas: - persistence: - enabled: false - auth: - database: "edc" - username: "user" - password: "password" + image: + repository: "bitnamilegacy/postgresql" + tag: "16.2.0-debian-12-r10" + jdbcUrl: "jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc" + primary: + persistence: + enabled: false + readReplicas: + persistence: + enabled: false + auth: + database: "edc" + username: "user" + password: "password" vault: - injector: - enabled: false - server: - dev: - enabled: true - devRootToken: "root" - postStart: # must be set externally! - hashicorp: - url: "http://{{ .Release.Name }}-vault:8200" - token: "root" - timeout: 30 - healthCheck: - enabled: true - standbyOk: true - paths: - secret: /v1/secret - health: /v1/sys/health - folder: "" + injector: + enabled: false + server: + dev: + enabled: true + devRootToken: "root" + postStart: # must be set externally! 
+ hashicorp: + url: "http://{{ .Release.Name }}-vault:8200" + token: "root" + timeout: 30 + healthCheck: + enabled: true + standbyOk: true + paths: + secret: /v1/secret + health: /v1/sys/health + folder: "" networkPolicy: - # -- If `true` network policy will be created to restrict access to control- and dataplane - enabled: false - # -- Configuration of the controlplane component - controlplane: - # -- Specify from rule network policy for cp (defaults to all namespaces) - from: - - namespaceSelector: {} - # -- Configuration of the dataplane component - dataplane: - # -- Specify from rule network policy for dp (defaults to all namespaces) - from: - - namespaceSelector: {} + # -- If `true` network policy will be created to restrict access to control- and dataplane + enabled: false + # -- Configuration of the controlplane component + controlplane: + # -- Specify from rule network policy for cp (defaults to all namespaces) + from: + - namespaceSelector: {} + # -- Configuration of the dataplane component + dataplane: + # -- Specify from rule network policy for dp (defaults to all namespaces) + from: + - namespaceSelector: {} serviceAccount: - # -- Specifies whether a service account should be created - create: true - # -- Annotations to add to the service account - annotations: {} - # -- The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" - # -- Existing image pull secret bound to the service account to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) - imagePullSecrets: [] + # -- Specifies whether a service account should be created + create: true + # -- Annotations to add to the service account + annotations: {} + # -- The name of the service account to use. 
+ # If not set and create is true, a name is generated using the fullname template + name: "" + # -- Existing image pull secret bound to the service account to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) + imagePullSecrets: [] # -- Configurations for Helm tests tests: - # -- Configure the hook-delete-policy for Helm tests - hookDeletePolicy: before-hook-creation,hook-succeeded + # -- Configure the hook-delete-policy for Helm tests + hookDeletePolicy: before-hook-creation,hook-succeeded From 6c8b69294c0a05617895c9135fab9287f6e9db40 Mon Sep 17 00:00:00 2001 From: Dennis Borrmann Date: Tue, 16 Jun 2026 09:29:08 +0200 Subject: [PATCH 16/17] fix: add missing space before inline comment to satisfy yamllint --- charts/tractusx-connector/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/tractusx-connector/values.yaml b/charts/tractusx-connector/values.yaml index 84e18f105e..af390116f5 100644 --- a/charts/tractusx-connector/values.yaml +++ b/charts/tractusx-connector/values.yaml @@ -723,7 +723,7 @@ vault: dev: enabled: true devRootToken: "root" - postStart: # must be set externally! + postStart: # must be set externally! hashicorp: url: "http://{{ .Release.Name }}-vault:8200" token: "root" From 2401ecf00455da97f9fa18e7d1268e5944614ce2 Mon Sep 17 00:00:00 2001 From: Simon Bergerfurth Date: Tue, 16 Jun 2026 10:21:21 +0200 Subject: [PATCH 17/17] chore(helm): change override wallet names --- .../tractusx-connector/values-consumer.yaml | 26 +++++++++---------- .../tractusx-connector/values-provider.yaml | 26 +++++++++---------- 2 files changed, 26 insertions(+), 26 deletions(-) diff --git a/charts/tractusx-connector/values-consumer.yaml b/charts/tractusx-connector/values-consumer.yaml index a1fa0e4c27..2e7c0ef4e7 100644 --- a/charts/tractusx-connector/values-consumer.yaml +++ b/charts/tractusx-connector/values-consumer.yaml 
@@ -1,15 +1,15 @@ shared: - connectorId: &connectorId did:web:consumer-idhub.staging.construct-x.net:consumer + connectorId: &connectorId did:web:consumer-wallet.staging.construct-x.net:consumer secretAlias: &secretAlias consumersecret - trustedIssuerId: &trustedIssuerId did:web:local-issuer-service.staging.construct-x.net:issuer + trustedIssuerId: &trustedIssuerId did:web:issuer.staging.construct-x.net:issuer clusterIssuer: &clusterIssuer letsencrypt-staging ingressClass: &ingressClass nginx imagePullSecret: &imagePullSecret registry-creds - controlplaneFqdn: &controlplaneFqdn consumer-conn-controlplane.staging.construct-x.net - dataplaneFqdn: &dataplaneFqdn consumer-conn-dataplane.staging.construct-x.net + controlplaneFqdn: &controlplaneFqdn consumer-edc-controlplane.staging.construct-x.net + dataplaneFqdn: &dataplaneFqdn consumer-edc-dataplane.staging.construct-x.net -nameOverride: consumer-conn -fullnameOverride: consumer-conn +nameOverride: consumer-edc +fullnameOverride: consumer-edc participant: id: *connectorId @@ -21,7 +21,7 @@ iatp: - id: *trustedIssuerId sts: oauth: - token_url: https://consumer-idhub.staging.construct-x.net/api/sts/token + token_url: https://consumer-wallet.staging.construct-x.net/api/sts/token client: id: *connectorId secret_alias: *secretAlias @@ -30,7 +30,7 @@ iatp: id: *connectorId controlplane: - hostname: consumer-conn-controlplane + hostname: consumer-edc-controlplane imagePullSecrets: - name: *imagePullSecret env: @@ -49,7 +49,7 @@ controlplane: className: *ingressClass tls: enabled: true - secretName: consumer-conn-cp-tls + secretName: consumer-edc-cp-tls certManager: clusterIssuer: *clusterIssuer ## Private / Intranet facing Ingress 
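Review bot: The renamed cert-manager `secretName` values (`consumer-conn-cp-tls` → `consumer-edc-cp-tls` here, plus the cp-int, dp and dp-int siblings in the later hunks of this file and the mirror hunks in values-provider.yaml) will, as far as I can tell, leave the previously issued `consumer-conn-*-tls` Secrets and their private keys orphaned in the namespace, because cert-manager by default does not delete a Secret when its Certificate is removed and Helm never owned those Secrets; the same applies to anything still lingering under the old `fullnameOverride: consumer-conn`. I would record that in the commit message or above `shared:` as `# renamed from consumer-conn; remove the orphaned consumer-conn-*-tls Secrets after the upgrade` so the rollout includes cleaning up the stale key material. Separately, `hostname: consumer-edc-controlplane` and the four `secretName` values are hand-edited literals rather than derived from `nameOverride` or a `shared:` anchor, which is why this rename had to touch seven places per file and is easy to get partially wrong; adding `name: &name consumer-edc` to `shared:` and aliasing it would keep these in step.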
@@ -67,12 +67,12 @@ controlplane: className: *ingressClass tls: enabled: true - secretName: consumer-conn-cp-int-tls + secretName: consumer-edc-cp-int-tls certManager: clusterIssuer: *clusterIssuer dataplane: - hostname: consumer-conn-dataplane + hostname: consumer-edc-dataplane imagePullSecrets: - name: *imagePullSecret token: @@ -98,7 +98,7 @@ dataplane: className: *ingressClass tls: enabled: true - secretName: consumer-conn-dp-tls + secretName: consumer-edc-dp-tls certManager: clusterIssuer: *clusterIssuer ## Private / Intranet facing Ingress @@ -115,7 +115,7 @@ dataplane: className: *ingressClass tls: enabled: true - secretName: consumer-conn-dp-int-tls + secretName: consumer-edc-dp-int-tls certManager: clusterIssuer: *clusterIssuer diff --git a/charts/tractusx-connector/values-provider.yaml b/charts/tractusx-connector/values-provider.yaml index c04ccfd1b0..60507edda1 100644 --- a/charts/tractusx-connector/values-provider.yaml +++ b/charts/tractusx-connector/values-provider.yaml 
@@ -1,15 +1,15 @@ shared: - connectorId: &connectorId did:web:provider-idhub.staging.construct-x.net:provider + connectorId: &connectorId did:web:provider-wallet.staging.construct-x.net:provider secretAlias: &secretAlias providersecret - trustedIssuerId: &trustedIssuerId did:web:local-issuer-service.staging.construct-x.net:issuer + trustedIssuerId: &trustedIssuerId did:web:issuer.staging.construct-x.net:issuer clusterIssuer: &clusterIssuer letsencrypt-staging ingressClass: &ingressClass nginx imagePullSecret: &imagePullSecret registry-creds - controlplaneFqdn: &controlplaneFqdn provider-conn-controlplane.staging.construct-x.net - dataplaneFqdn: &dataplaneFqdn provider-conn-dataplane.staging.construct-x.net + controlplaneFqdn: &controlplaneFqdn provider-edc-controlplane.staging.construct-x.net + dataplaneFqdn: &dataplaneFqdn provider-edc-dataplane.staging.construct-x.net -nameOverride: provider-conn -fullnameOverride: provider-conn +nameOverride: provider-edc +fullnameOverride: provider-edc participant: id: *connectorId @@ -21,7 +21,7 @@ iatp: - id: *trustedIssuerId sts: oauth: - token_url: https://provider-idhub.staging.construct-x.net/api/sts/token + token_url: https://provider-wallet.staging.construct-x.net/api/sts/token client: id: *connectorId secret_alias: *secretAlias @@ -30,7 +30,7 @@ iatp: id: *connectorId controlplane: - hostname: provider-conn-controlplane + hostname: provider-edc-controlplane imagePullSecrets: - name: *imagePullSecret env: @@ -49,7 +49,7 @@ controlplane: className: *ingressClass tls: enabled: true - secretName: provider-conn-cp-tls + secretName: provider-edc-cp-tls certManager: clusterIssuer: *clusterIssuer ## Private / Intranet facing Ingress 
@@ -67,12 +67,12 @@ controlplane: className: *ingressClass tls: enabled: true - secretName: provider-conn-cp-int-tls + secretName: provider-edc-cp-int-tls certManager: clusterIssuer: *clusterIssuer dataplane: - hostname: provider-conn-dataplane + hostname: provider-edc-dataplane imagePullSecrets: - name: *imagePullSecret token: @@ -98,7 +98,7 @@ dataplane: className: *ingressClass tls: enabled: true - secretName: provider-conn-dp-tls + secretName: provider-edc-dp-tls certManager: clusterIssuer: *clusterIssuer ## Private / Intranet facing Ingress @@ -115,7 +115,7 @@ dataplane: className: *ingressClass tls: enabled: true - secretName: provider-conn-dp-int-tls + secretName: provider-edc-dp-int-tls certManager: clusterIssuer: *clusterIssuer