diff --git a/charts/tractusx-identityhub/templates/deployment.yaml b/charts/tractusx-identityhub/templates/deployment.yaml index a5255154..91b1a728 100644 --- a/charts/tractusx-identityhub/templates/deployment.yaml +++ b/charts/tractusx-identityhub/templates/deployment.yaml @@ -20,6 +20,7 @@ # --- +{{- $fullName := .Values.fullnameOverride -}} apiVersion: apps/v1 kind: Deployment metadata: @@ -161,7 +162,7 @@ spec: {{- end }} {{- range $value := .Values.identityhub.envConfigMapNames }} - configMapRef: - name: {{ $value | quote }} + name: {{ printf "%s-%s" $fullName $value | quote }} {{- end }} {{- end }} volumeMounts: diff --git a/charts/tractusx-identityhub/templates/identityhub-config.yaml b/charts/tractusx-identityhub/templates/identityhub-config.yaml index 64c09459..da0dca29 100644 --- a/charts/tractusx-identityhub/templates/identityhub-config.yaml +++ b/charts/tractusx-identityhub/templates/identityhub-config.yaml @@ -22,11 +22,12 @@ --- # this configmap contains all application configuration that is required by the identityhub runtime. - +--- +{{- $fullName := .Values.fullnameOverride -}} apiVersion: v1 kind: ConfigMap metadata: - name: "identityhub-config" + name: {{ $fullName }}-identityhub-config namespace: {{ .Release.Namespace | default "default" | quote }} labels: {{- include "identityhub.labels" . | nindent 4 }} diff --git a/charts/tractusx-identityhub/templates/identityhub-datasource-config.yaml b/charts/tractusx-identityhub/templates/identityhub-datasource-config.yaml index 34039f36..4eeaa390 100644 --- a/charts/tractusx-identityhub/templates/identityhub-datasource-config.yaml +++ b/charts/tractusx-identityhub/templates/identityhub-datasource-config.yaml 
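Review bot: `$fullName := .Values.fullnameOverride` ties every resource name to a value that is optional and may be left empty (the consumer values file sets it, but `nameOverride: ""` in the same file suggests the chart default is empty), so without an override the ConfigMap renders as `-identityhub-config` and the `envFrom` reference on the new `printf "%s-%s"` line becomes the same invalid object name; resolve the name once through the chart's fullname helper instead, e.g. `{{- $fullName := include "identityhub.fullname" . -}}` if `_helpers.tpl` defines one next to `identityhub.labels`, or at minimum `{{- $fullName := .Values.fullnameOverride | default .Release.Name -}}`. The same assignment is copied into identityhub-config.yaml, identityhub-datasource-config.yaml, post-install-vault-setup.yaml and vault-configmap.yaml, so a single helper would keep the producing and consuming names in step. The `envConfigMapNames` values are still the bare suffixes (`"identityhub-config"`) that the template now silently prefixes, so a user listing a pre-existing, unprefixed ConfigMap there will get a not-found error at pod start; the comment above that value should say that each entry is prefixed with the release fullname.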
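Review bot: The identityhub-config.yaml hunk removes the blank line after the comment and adds a second `---`, so the rendered file now starts with two document-start markers around a comment-only document; Helm tolerates the empty document, but either the original `---` above the comment or the new one should go. The new `name: {{ $fullName }}-identityhub-config` is no longer quoted while the `namespace` line right below goes through `| quote`; `name: {{ printf "%s-identityhub-config" $fullName | quote }}` keeps the style consistent and protects against an override that starts with a YAML indicator. identityhub-datasource-config.yaml in the next hunk has the same two points.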
@@ -22,11 +22,12 @@ --- # this configmap contains all database configuration that is required by the identityhub runtime. - +--- +{{- $fullName := .Values.fullnameOverride -}} apiVersion: v1 kind: ConfigMap metadata: - name: "identityhub-datasource-config" + name: {{ $fullName }}-identityhub-datasource-config namespace: {{ .Release.Namespace | default "default" | quote }} labels: {{- include "identityhub.labels" . | nindent 4 }} diff --git a/charts/tractusx-identityhub/templates/post-install-vault-setup.yaml b/charts/tractusx-identityhub/templates/post-install-vault-setup.yaml new file mode 100644 index 00000000..92ed8b92 --- /dev/null +++ b/charts/tractusx-identityhub/templates/post-install-vault-setup.yaml 
@@ -0,0 +1,57 @@
+{{- $vaultToken := index .Values "vault" "hashicorp" "token" -}}
+{{- $vaultUrl := tpl (index .Values "vault" "hashicorp" "url") . -}}
+{{- $fullName := .Values.fullnameOverride -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: post-install-vault-setup
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ annotations:
+ # This is what defines this resource as a hook. Without this line, the
+ # job is considered part of the release.
+ "helm.sh/hook": post-install,post-upgrade
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+ template:
+ metadata:
+ name: "{{ .Release.Name }}"
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: post-install-job
+ image: busybox
+ imagePullPolicy: "IfNotPresent"
+ command:
+ - "/bin/sh"
+ - "-c"
+ - |
+ sleep 10
+
+ wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \
+ --post-file=/opt/config/cons_priv.json "{{ $vaultUrl }}/v1/secret/data/cons_priv"
+
+ wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \
+ --post-file=/opt/config/cons_pub.json "{{ $vaultUrl }}/v1/secret/data/cons_pub"
+
+ wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \
+ --post-file=/opt/config/prov_priv.json "{{ $vaultUrl }}/v1/secret/data/prov_priv"
+
+ wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \
+ --post-file=/opt/config/prov_pub.json "{{ $vaultUrl }}/v1/secret/data/prov_pub"
+ volumeMounts:
+ - name: config-volume
+ mountPath: /opt/config
+ volumes:
+ - name: config-volume
+ configMap:
+ name: {{ $fullName }}-vault-configmap
+ defaultMode: 0777
diff --git a/charts/tractusx-identityhub/templates/vault-configmap.yaml b/charts/tractusx-identityhub/templates/vault-configmap.yaml
new file mode 100644
index 00000000..bc71aae2
--- /dev/null
+++ b/charts/tractusx-identityhub/templates/vault-configmap.yaml
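Review bot: The Vault token is rendered into the Job's `command` as a literal, so the value of `vault.hashicorp.token` ends up in the release manifest, in the Helm release secret and in `kubectl get job -o yaml` for anyone who can read Jobs in the namespace; pass it through an environment variable sourced from a Secret (`valueFrom.secretKeyRef`) and use `$VAULT_TOKEN` in the script. The script runs without `set -e`, so a failed `wget --post-file` (wrong token, Vault not yet up after the fixed `sleep 10`) still lets the hook succeed and the release reports healthy without the keys stored; `set -eu` plus a readiness loop against `/v1/sys/health` makes the hook result reflect what was actually written. `defaultMode: 0777` makes the mounted JSON files world-writable and executable although the script only reads them, `image: busybox` is unpinned, and the hook pod carries none of the `securityContext` hardening (`runAsNonRoot`, dropped capabilities) that the staging values apply to the main Deployment. `metadata.name: post-install-vault-setup` is not prefixed with `$fullName` while the ConfigMap it mounts is, so two releases of this chart in one namespace (the consumer and provider values files suggest that layout) would contend for the same Job name.
```yaml
metadata:
  name: {{ $fullName }}-post-install-vault-setup
# … unchanged: labels, hook annotations, pod template metadata, restartPolicy …
      containers:
        - name: post-install-job
          image: busybox  # TODO(review): pin a tag or digest
          imagePullPolicy: "IfNotPresent"
          securityContext:
            runAsNonRoot: true
            runAsUser: 10100
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          env:
            - name: VAULT_TOKEN
              valueFrom:
                secretKeyRef:
                  name: <vault-token-secret-name>  # placeholder: Secret holding the Vault token
                  key: token
          command:
            - "/bin/sh"
            - "-c"
            - |
              set -eu
              # wait until Vault answers on its health endpoint instead of a fixed sleep
              until wget -q -O /dev/null "{{ $vaultUrl }}/v1/sys/health"; do sleep 2; done
              for f in cons_priv cons_pub prov_priv prov_pub; do
                wget --header 'Content-Type: application/json' --header "X-Vault-Token: $VAULT_TOKEN" \
                  --post-file="/opt/config/$f.json" "{{ $vaultUrl }}/v1/secret/data/$f"
              done
# … unchanged: volumeMounts, volumes …
          configMap:
            name: {{ $fullName }}-vault-configmap
            defaultMode: 0444
```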
@@ -0,0 +1,30 @@ +{{- $fullName := .Values.fullnameOverride -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ $fullName }}-vault-configmap +data: + cons_priv.json: |- + { + "data": { + "content": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC9zbB90iPotlvz\nsTCAt246XNL+dHoiSlEYgBsPgroqfEuLWQkVeM2F0L2fWEsvNc6ZU5SJBEDqPTVe\noaYnv6iXShbTaBaZVoFbt2L8+rJmQQ2YoB5qQwLtfsqIDIwuTwQUgiNe747NDtsb\nJmjMpib3fTsB6m+0CsWYDPuU/7bmUJvYytnw/MOLhaUiHAC68jKsgsAemyDzOSUN\nYJfcIbnS/o12OFZ4Na3nKdr96kMB1zN+PE4+K2oTgFRh69zq+z/G5au7mliBdwns\n5Efmf1ijlH6MFZeaeTVMjfHSq8IOIpOSvigjjK5p8T7vCSYettej2rfcgZpBRa44\n3V8m+F7zAgMBAAECggEAF/cnyMtG03RrKdr+p9IBbgcYcR6d6UR+9tv+DrhP71tg\nYojsd7SYJsRTnRIV9DEUFBIUmDRcSfdOjNNWWoB9thSZyznCWLwuezktm4nACt89\n6z6UeJBbh0dSJVmIPbSmbDx+YNdYrZWpnsT7yJNWKju6vqQuVIpjpq5E+exL2Mqu\nj44wW/5ro9jaOhm8mUbAacEctQYixBmy8HXPBm6AtezdD7HpftdI+VWN0LO7IlLn\naWICR8vx18dEF+706JHPKpsovZbolu0Zvl19RSG4Zj3dhVoTw+vbeXTOkHR2wNdP\nDfL4m0exKl6McPos3CG9kEAUwceGR2CZpy0xssBkGQKBgQD/K/Svv/xrMK8pVQVv\nY699OX9pwm6NBq3Ti8LIKejPUW5V2ZZVtSb8njWmgAi6RPp6vO/mWhuUrXahoUrY\nfe0AqW7wTgKmmjXbTvy47VS5Z5S30DT8DAYp8CJekibnU4jwsIgYJgao1TeOTOq3\ngnGdPLlvSa4BagyogWp7+keaTwKBgQC+a2nbyuL3e/Sk+qio0kDkpI6hYIKWg+7u\n0FOsHJjItcwkSkfRKIFRdI7iGYlukE/38xfizs0tLJXYRbdrlUgq/lTgd4i3UoVw\nOAXzEJX0lunZgXNd9jjnADh3pgVbwX9AKDhFz+nu3yL5Egc8FN+caP9Is5xPxYfg\n8J/Pp8DcHQKBgDOc6HlEFAJ6bnOlxtupBi4GG0eBFGtiFnbbpiJml7iXeAHVaRsc\n8S3XsnJjI2DJ4wBAhyXIxBtmmsBGp6Tyk6W2n8HrhY29U3dwmp2tI5383Y/whUcW\nB4kkEU+fsE7KDsDgdCauSlqMBhi6Zh+IOwLa7YcdGB0hHj5XLvq0vRbxAoGAQCpp\n7YqcmNDIS5+7ncfb3jAlb/PZjWa/6PGCgIjSYy//rmrpcG25xf0E+OOqD/vJNsBP\n2Dnfoc1YYRx9Bl+zhelWKJ2fEEdad8opFxMLtPP1sTmR6qPB4PWOEaN8QsMdYj0r\nWTsKlVfTrSKKFZDjGQ24mIMNtUPW2dG7yHm633ECgYEAqaLLo4VYUcjTKnYdBChA\nPFAk/ZwSR+/TY0vXw3Ghm/oiBNVSMVHFBoAFdbt4lWKJlryW+1Wi11cFYXfsBrmb\nJTnK1u7EZDebm9hFBzpp7/yY5uu38NduGKh5+goAVtPXZR9s/8ypyt3xVflcDxzA\nt7VMyFNRxj517ZJPCNN+ImU=\n-----END PRIVATE KEY-----\n" + } + } + cons_pub.json: |- + { + "data": { + "content": 
"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvc2wfdIj6LZb87EwgLdu\nOlzS/nR6IkpRGIAbD4K6KnxLi1kJFXjNhdC9n1hLLzXOmVOUiQRA6j01XqGmJ7+o\nl0oW02gWmVaBW7di/PqyZkENmKAeakMC7X7KiAyMLk8EFIIjXu+OzQ7bGyZozKYm\n9307AepvtArFmAz7lP+25lCb2MrZ8PzDi4WlIhwAuvIyrILAHpsg8zklDWCX3CG5\n0v6NdjhWeDWt5yna/epDAdczfjxOPitqE4BUYevc6vs/xuWru5pYgXcJ7ORH5n9Y\no5R+jBWXmnk1TI3x0qvCDiKTkr4oI4yuafE+7wkmHrbXo9q33IGaQUWuON1fJvhe\n8wIDAQAB\n-----END PUBLIC KEY-----\n" + } + } + prov_priv.json: |- + { + "data": { + "content": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDN/ECrw6rbkvkw\nNGoJX1TatjytEvfwhFm/IViYPXfPccQHyVhG9YiQNS1e9v5UhUc8BGNvrZjIm7e9\nHNhPGlOlLiHh3wfU/wG5srcqz1aSV2omFVPz9Nc9TSkwaF6oJcs4AL+Z0+IyQN1e\nPThoqu9aVd5wtRXnS0nh5Dd0CC0spchZdUbtslQXs4c8uBDRGdT2/mkBu5isMxW0\nCg+muQWk1t8vgYVxlokGGvsKjQXFV3RPJQ6hNjsZjVmAqDGYFcA/AxK1WYBV5Hyu\nAZHUU2yityva/IqQPLXN/4fcXQcLxLjrl0MSpWUik/YeuV2bQFyakpvj5wox/w7E\nMNjWBodnAgMBAAECggEADELlO83Tm4ScQuNqPArJyGEYeIby0+uhufy+qZ7f3sab\nXO+xZDvuXpzDvO2zH8EO1FxAg2yc3E6LBkqAXikN7JaAtTf4K+FOe+LPADd3JEWC\nAvVT2edrpPFoYvWVGNymRAjYK7Lb019eesl/7f8ROcCqk1PvYCUjpzruybN8GOmq\naAuvCmrn9+zW8nPDSvFvNC7TTV4LnaRGsWabCA2589c6rDr52ddbXQZ2bXhIkVlw\n+RcfCIA2yZhrYfwDynQP/dPIwaC12y/phONIOFgDmurJHTTm0/3GmyDgU4xdfEan\nqWN2BwYfG2eOaGRTktUxjvmfj4kQF+6V8BiEA1KGAQKBgQDz0tuJBolkCn4nTMXl\nQx/QaacZBLJdHeniD2B6s7715TOgv+6DYzJypxYsNkKX4jLKykOJAQ3SUmWNq+ar\n6HJUE9Ral27zg8AAgZwQBCBr3hXulUkN3Ca2Qe3zhM6OtKlQvCY91zkXIecvQ7/s\ncLepmEXqMe0VXsR6c5C2VFiOAQKBgQDYRaeTcES+LSqHeAUqNytc4qy27lIEA4Vm\nzCd2oK0B1QuBCe2nVPsIMPnv92yfZ2RExEkqJXk0WfxB0fKM6BphTWFGnzbleHH3\nE+0BAfi/JmvOtJUbsbQdqTnV1OjCBL3YsubOJJwF+u9yzYoJdy7oldOmqrKC3zgs\nSOehRF9lZwKBgHEqwv58bDRkslznQ0q/tvpyrz3rciXKBo4H+Q26c72JnkbUDo4o\n8ndImf/3Rz1bnZuF+YaTWKjv2XbB/JR5lOb1NTC+7J5V3j3d6mN8pteqAp/z5i5q\nqgUZ4KmQUJbnv1ZbnZxCUpsr/zNuzJufTX+Hz5t9hL7Qd30mOlqGF3wBAoGBAKKb\nhIqTf+wpU2+1qtR51I2rFMcZ2uqPpy6KUyWbW1kkUNj9mQUWHQSkpldphe84MqiN\nmKEqub3F5qeqbh7JqIP+RSRvMzxHWhC2l50JWXiHL8mj9vRyoQUoJocC5Npz7DX
R\nFT5rQjAw4vZDWgUR6mAPvqnyb/N8V+TcD+Qt3zgDAoGBAL001/N43dI6NR+Mlcw8\nYtrfTO5xoakVzx7tdC1g3gry/MiJn/+iftpFSf/hNp8HyQEHlRkubQuL4j0I/Fe3\nHjTc3wPIZhcOpitfbn9VMgpXXWmguK/s4oMMNxoe+Ey71/hlp5UdGOidGhaWq9Jk\nAsqJhS57iz0RP3ikSic9Tb3s\n-----END PRIVATE KEY-----\n" + } + } + prov_pub.json: |- + { + "data": { + "content": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzfxAq8Oq25L5MDRqCV9U\n2rY8rRL38IRZvyFYmD13z3HEB8lYRvWIkDUtXvb+VIVHPARjb62YyJu3vRzYTxpT\npS4h4d8H1P8BubK3Ks9WkldqJhVT8/TXPU0pMGheqCXLOAC/mdPiMkDdXj04aKrv\nWlXecLUV50tJ4eQ3dAgtLKXIWXVG7bJUF7OHPLgQ0RnU9v5pAbuYrDMVtAoPprkF\npNbfL4GFcZaJBhr7Co0FxVd0TyUOoTY7GY1ZgKgxmBXAPwMStVmAVeR8rgGR1FNs\norcr2vyKkDy1zf+H3F0HC8S465dDEqVlIpP2Hrldm0BcmpKb4+cKMf8OxDDY1gaH\nZwIDAQAB\n-----END PUBLIC KEY-----\n" + } + } diff --git a/charts/tractusx-identityhub/values-stag-ihub-consumer.yaml b/charts/tractusx-identityhub/values-stag-ihub-consumer.yaml new file mode 100644 index 00000000..3bc74834 --- /dev/null +++ b/charts/tractusx-identityhub/values-stag-ihub-consumer.yaml 
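Review bot: Two PEM private keys (`cons_priv.json`, `prov_priv.json`) and their public halves are hard-coded into a ConfigMap template and thereby committed to the repository, so the signing keys of both the consumer and the provider participant are readable by anyone with repo access or `get configmaps` in the namespace, and they remain in git history after removal; treat them as compromised, rotate them, and have the template take key material from a Secret or generate it at install time instead of shipping it in the chart. Because the hook Job posts all four files to the release's own Vault (`url: "http://{{ .Release.Name }}-vault:8200"` in the staging values indicates one Vault per release), each participant's Vault also ends up holding the other participant's private key; only the release's own pair should be loaded, for example by selecting the file set through a value. The ConfigMap also lacks the `namespace:` and `labels:` lines the other ConfigMaps in this chart carry, so it is not labelled as part of the release. A template comment such as `# Key material must come from a Secret or an external store; never commit private keys to this chart` would record the intent for the next maintainer.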
@@ -0,0 +1,428 @@ +################################################################################# +# Copyright (c) 2025 Cofinity-X +# Copyright (c) 2025,2026 LKS Next +# Copyright (c) 2025 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +################################################################################# + +--- +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. 
+ + +install: + postgresql: true + vault: true + +fullnameOverride: "consumer-idhub" +nameOverride: "" +# -- Existing image pull secret to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) +imagePullSecrets: + - name: registry-creds +# -- To add some custom labels +customLabels: {} + +# -- Add custom ca certificates to the truststore +customCaCerts: {} + +identityhub: + image: + repository: "registry.onstackit.cloud/constructx/identityhub-dev" + # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use + pullPolicy: IfNotPresent + # -- Overrides the image tag whose default is the chart appVersion + tag: "latest" + initContainers: [] + useSVE: false + debug: + enabled: false + port: 1044 + suspendOnStart: false + livenessProbe: + # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first liveness check + initialDelaySeconds: 5 + # -- this fields specifies that kubernetes should perform a liveness check every 5 seconds + periodSeconds: 5 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + readinessProbe: + # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first readiness check + initialDelaySeconds: 5 + # -- this fields specifies that kubernetes should perform a readiness check every 5 seconds + periodSeconds: 5 + # -- number of seconds after which the probe 
times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # -- endpoints of the control plane + endpoints: + # -- default api for health checks, should not be added to any ingress + default: + # -- port for incoming api calls + port: 8181 + # -- path for incoming api calls + path: /api + # -- management api, used by internal users, can be added to an ingress and must not be internet facing + identity: + # -- port for incoming api calls + port: 15151 + # -- path for incoming api calls + path: /api/identity + # -- authentication key, must be attached to each 'X-Api-Key' request header + authKeyAlias: "sup3r$3cr3t" + # -- DCP Presentation API endpoint + credentials: + # -- port for incoming api calls + port: 13131 + # -- path for incoming api calls + path: /api/credentials + # -- DID service endpoint. DID documents can be resolved from here. + did: + # -- port for incoming api calls + port: 12345 + # -- path for incoming api calls + path: / + # -- STS Accounts API, used to manipulate STS accounts + accounts: + port: 8085 + path: /api/accounts + authKeyAlias: "sup3r$3cr3t" + # -- Version API, used to obtain exact version information about all APIs at runtime + version: + port: 8086 + path: /.well-known/api + # -- STS Endpoint, used to obtain tokens + sts: + port: 9292 + path: /api/sts + + didweb: + https: true + + service: + # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. 
+ type: ClusterIP + annotations: {} + # -- additional labels for the pod + podLabels: {} + # -- additional annotations for the pod + podAnnotations: {} + # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment + podSecurityContext: + seccompProfile: + # -- Restrict a Container's Syscalls with seccomp + type: RuntimeDefault + # -- Runs all processes within a pod with a special uid + runAsUser: 10100 + # -- Processes within a pod will belong to this guid + runAsGroup: 10100 + # -- The owner for volumes and any files created within volumes will belong to this guid + fsGroup: 10100 + # The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod + securityContext: + capabilities: + # -- Specifies which capabilities to drop to reduce syscall attack surface + drop: + - ALL + # -- Specifies which capabilities to add to issue specialized syscalls + add: [] + # -- Whether the root filesystem is mounted in read-only mode + readOnlyRootFilesystem: true + # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID + allowPrivilegeEscalation: false + # -- Requires the container to run without root privileges + runAsNonRoot: true + # -- The container's process will run with the specified uid + runAsUser: 10100 + # Extra environment variables that will be pass onto deployment pods + env: + JAVA_TOOL_OPTIONS: -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:1045 + EDC_HOSTNAME: consumer-idhub.staging.construct-x.net + EDC_IH_API_SUPERUSER_ID: admin + EDC_IH_API_SUPERUSER_KEY: YWRtaW4.adminKey + EDC_SQL_SCHEMA_AUTOCREATE: 
true + + # "valueFrom" environment variable references that will be added to deployment pods. Name is templated. + # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core + envValueFrom: {} + # ENV_NAME:c + # configMapKeyRef: + # name: configmap-name + # key: value_key + # secretKeyRef: + # name: secret-name + # key: value_key + + # [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from + envSecretNames: [] + # - first-secret + # - second-secret + + # [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from + envConfigMapNames: ["identityhub-config", "identityhub-datasource-config"] + # - first-config-map + # - second-config-map + + ## Ingress declaration to expose the network service. + ingresses: + ## Public / Internet facing Ingress for the Presentation API + - enabled: true + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "consumer-idhub.staging.construct-x.net" + # -- Additional ingress annotations to add + annotations: + cert-manager.io/cluster-issuer: letsencrypt-staging + external-dns.alpha.kubernetes.io/hostname: "consumer-idhub.staging.construct-x.net" + external-dns.alpha.kubernetes.io/ttl: "300" + # -- EDC endpoints exposed by this ingress resource + endpoints: + - default + - credentials + - did + - sts + - identity + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + className: "nginx" + # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource + tls: + # -- Enables TLS on the ingress resource + enabled: true + # -- If present overwrites the default secret name + secretName: "consumer-idhub-tls" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to 
the ingress resource + certManager: + # -- If preset enables certificate generation via cert-manager namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "letsencrypt-staging" + ## Ingress for the Identity API, should not be internet facing + - enabled: false + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "consumer-idhub.staging.construct-x.net" + # -- Additional ingress annotations to add + annotations: {} + # -- EDC endpoints exposed by this ingress resource + endpoints: + - identity + - accounts + - version + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + className: "nginx" + # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource + tls: + # -- Enables TLS on the ingress resource + enabled: false + # -- If present overwrites the default secret name + secretName: "" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via cert-manager namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "letsencrypt-staging" + # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container + volumeMounts: [] + # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories + volumes: [] + # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container + resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 250m + memory: 128Mi + replicaCount: 1 + autoscaling: + # -- Enables [horizontal pod 
autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) + enabled: false + # -- Minimal replicas if resource consumption falls below resource threshholds + minReplicas: 1 + # -- Maximum replicas if resource consumption exceeds resource threshholds + maxReplicas: 100 + # -- targetAverageUtilization of cpu provided to a pod + targetCPUUtilizationPercentage: 80 + # -- targetAverageUtilization of memory provided to a pod + targetMemoryUtilizationPercentage: 80 + # Configuration of the [Java Util Logging Facade](https://docs.oracle.com/javase/7/docs/technotes/guides/logging/overview.html) + logging: + # -- Enable logging to create .log files + enabled: true + persistence: + # -- Enable .log files to persist in local machine + enabled: false + # -- Persistent volume access mode + accessMode: ReadWriteOnce + # -- Persistent volume size + size: 1Gi + # -- Persistent volume claim storage name + storageClass: "standard" + # -- List of handlers to use in the logger + handlers: + - java.util.logging.ConsoleHandler + - java.util.logging.FileHandler + handlersConfig: + # -- Console handler configuration + java.util.logging.ConsoleHandler: + level: FINE + formatter: org.eclipse.tractusx.identityhub.monitor.ColorfulFormatter + java.util.logging.FileHandler: + # -- Log level of handler + level: FINE + # -- Formatter to use in handler, formatter must be set in identityhub.logging.formatters + formatter: org.eclipse.tractusx.identityhub.monitor.ColorfulFormatter + # -- Path where the log is created, must be the same path as the logging.path values + pattern: /app/logs/identityhub.log + # -- Limit of bytes to write before log file rotation + limit: 0 + # -- Number of files to use in log file rotation + count: 1 + # -- Append logs to the file or create new file every deployment + append: true + formatters: + # -- configuration of custom colorful formatter + 
org.eclipse.tractusx.identityhub.monitor.ColorfulFormatter: + format: "%7$s[%1$tY-%1$tm-%1$td %1$tH:%1$tM:%1$tS] [%4$s] %5$s%6$s%n%8$s" + # -- root log level + level: INFO + # -- package level control + # @default -- `{"org.eclipse.edc": "FINE"}` + logLevels: + org.glassfish: "OFF" + jdk.event: "OFF" + jakarta.json: "OFF" + org.jvnet: "OFF" + okhttp3.internal: "OFF" + org.flywaydb: "OFF" + org.postgresql: "OFF" + org.eclipse.edc: "FINE" + org.eclipse.tractusx: "FINE" + # -- path where the log resides, must be the same path as the fileHandler pattern + path: /app/logs + # -- default logging properties if logging is not enabled + default: |- + .level=INFO + org.eclipse.edc.level=INFO + handlers=java.util.logging.ConsoleHandler + java.util.logging.ConsoleHandler.formatter=org.eclipse.tractusx.identityhub.monitor.ColorfulFormatter + java.util.logging.ConsoleHandler.level=ALL + org.eclipse.tractusx.identityhub.monitor.ColorfulFormatter.format=%7$s[%1$tY-%1$tm-%1$td %1$tH:%1$tM:%1$tS] [%4$s] %5$s%6$s%n%8$s + # [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes + nodeSelector: {} + # [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes + tolerations: [] + # [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on + affinity: {} + url: + # -- Explicitly declared url for reaching the dsp api (e.g. 
if ingresses not used) + protocol: "" + public: "" + readiness: "" + # -- Initial participant context configuration + iatp: + sts: + oauth: + client: + # -- Enable participant context client configuration + enabled: true + # -- Client ID // Did of the initial participant + id: "did:web:consumer-idhub.staging.construct-x.net" + # -- The client secret that is stored in the vault for requesting OAuth2 access token for Presentation API access + secret: "testme" + # -- Alias under which the client secret is stored in the vault + secret_alias: "sts-secret" + # -- The x-api-key that is stored in the vault for the initial participant + x_api_key: "ZGlkOndlYjppZGVudGl0eWh1Yi5wcmVzZW50YXRpb24ubG9jYWw=.randomChars" + # -- Whether web DIDs should be interpreted as HTTPS or HTTP + didweb: + https: true + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + # -- Existing image pull secret bound to the service account to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) + imagePullSecrets: [] +# -- Configurations for Helm tests +tests: + # -- Configure the hook-delete-policy for Helm tests + hookDeletePolicy: before-hook-creation,hook-succeeded + +postgresql: + image: + # -- workaround to use bitnamilegacy chart for version 12.12.x till committers align on new postgresql charts + repository: bitnamilegacy/postgresql + # -- workaround to use bitnamilegacy chart for version 12.12.x till committers align on new postgresql charts + tag: 15.4.0-debian-11-r45 + jdbcUrl: "jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/consumer-idhub" + primary: + persistence: + enabled: true + resources: + limits: + cpu: 500m + memory: 1Gi + requests: + cpu: 250m + 
memory: 256Mi + readReplicas: + persistence: + enabled: false + resources: + limits: + cpu: 500m + memory: 1Gi + requests: + cpu: 250m + memory: 256Mi + auth: + database: "consumer-idhub" + username: "user" + password: "password" + +vault: + injector: + enabled: false + server: + dev: + enabled: true + devRootToken: "root" + postStart: # must be set externally! + hashicorp: + url: "http://{{ .Release.Name }}-vault:8200" + token: "root" + timeout: 30 + healthCheck: + enabled: true + standbyOk: true + paths: + secret: /v1/secret + health: /v1/sys/health diff --git a/charts/tractusx-identityhub/values-stag-ihub-provider.yaml b/charts/tractusx-identityhub/values-stag-ihub-provider.yaml new file mode 100644 index 00000000..9d22c646 --- /dev/null +++ b/charts/tractusx-identityhub/values-stag-ihub-provider.yaml 
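Review bot: `JAVA_TOOL_OPTIONS` enables the JDWP agent with `address=*:1045`, a remote debugger bound on all interfaces in a pod that sits behind a public ingress, while `debug.enabled: false` a few lines above says debugging is off; the env line should be removed, or bound to `localhost` and gated on `debug.enabled`. The public ingress lists `identity` among its `endpoints` although the comment on that endpoint says it must not be internet-facing and the dedicated internal ingress below is `enabled: false`, so the management API, guarded only by the static `authKeyAlias: "sup3r$3cr3t"`, is exposed on `consumer-idhub.staging.construct-x.net`. The file also commits `EDC_IH_API_SUPERUSER_KEY`, the STS client `secret`, `x_api_key`, the PostgreSQL `password` and a dev-mode Vault (`dev.enabled: true`, `devRootToken: "root"`, `token: "root"`) whose storage is in-memory and lost on restart; these belong in Secrets or an external store, with the values file only naming them. `EDC_SQL_SCHEMA_AUTOCREATE: true` is a YAML boolean, which the API server rejects in `env` unless the deployment template quotes it, so `"true"` is the safer spelling. The provider values file in the following hunk repeats all of these points.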
@@ -0,0 +1,428 @@ +################################################################################# +# Copyright (c) 2025 Cofinity-X +# Copyright (c) 2025,2026 LKS Next +# Copyright (c) 2025 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +################################################################################# + +--- +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. 
+ + +install: + postgresql: true + vault: true + +fullnameOverride: "provider-idhub" +nameOverride: "provider-idhub" +# -- Existing image pull secret to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) +imagePullSecrets: + - name: registry-creds +# -- To add some custom labels +customLabels: {} + +# -- Add custom ca certificates to the truststore +customCaCerts: {} + +identityhub: + image: + repository: "registry.onstackit.cloud/constructx/identityhub-dev" + # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use + pullPolicy: IfNotPresent + # -- Overrides the image tag whose default is the chart appVersion + tag: "latest" + initContainers: [] + useSVE: false + debug: + enabled: false + port: 1044 + suspendOnStart: false + livenessProbe: + # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first liveness check + initialDelaySeconds: 5 + # -- this fields specifies that kubernetes should perform a liveness check every 5 seconds + periodSeconds: 5 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + readinessProbe: + # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first readiness check + initialDelaySeconds: 5 + # -- this fields specifies that kubernetes should perform a readiness check every 5 seconds + periodSeconds: 5 + # -- number of seconds after 
which the probe times out
+ timeoutSeconds: 5
+ # -- when a probe fails kubernetes will try 6 times before giving up
+ failureThreshold: 6
+ # -- number of consecutive successes for the probe to be considered successful after having failed
+ successThreshold: 1
+ # -- endpoints of the control plane
+ endpoints:
+ # -- default api for health checks, should not be added to any ingress
+ default:
+ # -- port for incoming api calls
+ port: 8181
+ # -- path for incoming api calls
+ path: /api
+ # -- management api, used by internal users, can be added to an ingress and must not be internet facing
+ identity:
+ # -- port for incoming api calls
+ port: 15151
+ # -- path for incoming api calls
+ path: /api/identity
+ # -- authentication key, must be attached to each 'X-Api-Key' request header
+ authKeyAlias: "sup3r$3cr3t"
+ # -- DCP Presentation API endpoint
+ credentials:
+ # -- port for incoming api calls
+ port: 13131
+ # -- path for incoming api calls
+ path: /api/credentials
+ # -- DID service endpoint. DID documents can be resolved from here.
+ did:
+ # -- port for incoming api calls
+ port: 12345
+ # -- path for incoming api calls
+ path: /
+ # -- STS Accounts API, used to manipulate STS accounts
+ accounts:
+ port: 8085
+ path: /api/accounts
+ authKeyAlias: "sup3r$3cr3t"
+ # -- Version API, used to obtain exact version information about all APIs at runtime
+ version:
+ port: 8086
+ path: /.well-known/api
+ # -- STS Endpoint, used to obtain tokens
+ sts:
+ port: 9292
+ path: /api/sts
+
+ didweb:
+ https: true
+
+ service:
+ # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service.
+ type: ClusterIP
+ annotations: {}
+ # -- additional labels for the pod
+ podLabels: {}
+ # -- additional annotations for the pod
+ podAnnotations: {}
+ # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment
+ podSecurityContext:
+ seccompProfile:
+ # -- Restrict a Container's Syscalls with seccomp
+ type: RuntimeDefault
+ # -- Runs all processes within a pod with a special uid
+ runAsUser: 10100
+ # -- Processes within a pod will belong to this guid
+ runAsGroup: 10100
+ # -- The owner for volumes and any files created within volumes will belong to this guid
+ fsGroup: 10100
+ # The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod
+ securityContext:
+ capabilities:
+ # -- Specifies which capabilities to drop to reduce syscall attack surface
+ drop:
+ - ALL
+ # -- Specifies which capabilities to add to issue specialized syscalls
+ add: []
+ # -- Whether the root filesystem is mounted in read-only mode
+ readOnlyRootFilesystem: true
+ # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID
+ allowPrivilegeEscalation: false
+ # -- Requires the container to run without root privileges
+ runAsNonRoot: true
+ # -- The container's process will run with the specified uid
+ runAsUser: 10100
+ # Extra environment variables that will be pass onto deployment pods
+ env:
+ JAVA_TOOL_OPTIONS: -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:1045
+ EDC_HOSTNAME: provider-idhub.staging.construct-x.net
+ EDC_IH_API_SUPERUSER_ID: admin
+ EDC_IH_API_SUPERUSER_KEY: YWRtaW4.adminKey
+ EDC_SQL_SCHEMA_AUTOCREATE: true
+
+ # "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
+ # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
+ envValueFrom: {}
+ # ENV_NAME:c
+ # configMapKeyRef:
+ # name: configmap-name
+ # key: value_key
+ # secretKeyRef:
+ # name: secret-name
+ # key: value_key
+
+ # [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from
+ envSecretNames: []
+ # - first-secret
+ # - second-secret
+
+ # [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from
+ envConfigMapNames: ["identityhub-config", "identityhub-datasource-config"]
+ # - first-config-map
+ # - second-config-map
+
+ ## Ingress declaration to expose the network service.
+ ingresses:
+ ## Public / Internet facing Ingress for the Presentation API
+ - enabled: true
+ # -- The hostname to be used to precisely map incoming traffic onto the underlying network service
+ hostname: "provider-idhub.staging.construct-x.net"
+ # -- Additional ingress annotations to add
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-staging
+ external-dns.alpha.kubernetes.io/hostname: "provider-idhub.staging.construct-x.net"
+ external-dns.alpha.kubernetes.io/ttl: "300"
+ # -- EDC endpoints exposed by this ingress resource
+ endpoints:
+ - default
+ - credentials
+ - did
+ - sts
+ - identity
+ # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use
+ className: "nginx"
+ # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource
+ tls:
+ # -- Enables TLS on the ingress resource
+ enabled: true
+ # -- If present overwrites the default secret name
+ secretName: "provider-idhub-tls"
+ ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource
+ certManager:
+ # -- If preset enables certificate generation via cert-manager namespace scoped issuer
+ issuer: ""
+ # -- If preset enables certificate generation via cert-manager cluster-wide issuer
+ clusterIssuer: "letsencrypt-staging"
+ ## Ingress for the Identity API, should not be internet facing
+ - enabled: false
+ # -- The hostname to be used to precisely map incoming traffic onto the underlying network service
+ hostname: "provider-idhub.staging.construct-x.net"
+ # -- Additional ingress annotations to add
+ annotations: {}
+ # -- EDC endpoints exposed by this ingress resource
+ endpoints:
+ - identity
+ - accounts
+ - version
+ # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use
+ className: "nginx"
+ # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource
+ tls:
+ # -- Enables TLS on the ingress resource
+ enabled: false
+ # -- If present overwrites the default secret name
+ secretName: ""
+ ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource
+ certManager:
+ # -- If preset enables certificate generation via cert-manager namespace scoped issuer
+ issuer: ""
+ # -- If preset enables certificate generation via cert-manager cluster-wide issuer
+ clusterIssuer: "letsencrypt-staging"
+ # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container
+ volumeMounts: []
+ # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories
+ volumes: []
+ # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container
+ resources:
+ limits:
+ cpu: 500m
+ memory: 512Mi
+ requests:
+ cpu: 250m
+ memory: 128Mi
+ replicaCount: 1
+ autoscaling:
+ # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/)
+ enabled: false
+ # -- Minimal replicas if resource consumption falls below resource threshholds
+ minReplicas: 1
+ # -- Maximum replicas if resource consumption exceeds resource threshholds
+ maxReplicas: 100
+ # -- targetAverageUtilization of cpu provided to a pod
+ targetCPUUtilizationPercentage: 80
+ # -- targetAverageUtilization of memory provided to a pod
+ targetMemoryUtilizationPercentage: 80
+ # Configuration of the [Java Util Logging Facade](https://docs.oracle.com/javase/7/docs/technotes/guides/logging/overview.html)
+ logging:
+ # -- Enable logging to create .log files
+ enabled: true
+ persistence:
+ # -- Enable .log files to persist in local machine
+ enabled: false
+ # -- Persistent volume access mode
+ accessMode: ReadWriteOnce
+ # -- Persistent volume size
+ size: 1Gi
+ # -- Persistent volume claim storage name
+ storageClass: "standard"
+ # -- List of handlers to use in the logger
+ handlers:
+ - java.util.logging.ConsoleHandler
+ - java.util.logging.FileHandler
+ handlersConfig:
+ # -- Console handler configuration
+ java.util.logging.ConsoleHandler:
+ level: FINE
+ formatter: org.eclipse.tractusx.identityhub.monitor.ColorfulFormatter
+ java.util.logging.FileHandler:
+ # -- Log level of handler
+ level: FINE
+ # -- Formatter to use in handler, formatter must be set in identityhub.logging.formatters
+ formatter: org.eclipse.tractusx.identityhub.monitor.ColorfulFormatter
+ # -- Path where the log is created, must be the same path as the logging.path values
+ pattern: /app/logs/identityhub.log
+ # -- Limit of bytes to write before log file rotation
+ limit: 0
+ # -- Number of files to use in log file rotation
+ count: 1
+ # -- Append logs to the file or create new file every deployment
+ append: true
+ formatters:
+ # -- configuration of custom colorful formatter
+ org.eclipse.tractusx.identityhub.monitor.ColorfulFormatter:
+ format: "%7$s[%1$tY-%1$tm-%1$td %1$tH:%1$tM:%1$tS] [%4$s] %5$s%6$s%n%8$s"
+ # -- root log level
+ level: INFO
+ # -- package level control
+ # @default -- `{"org.eclipse.edc": "FINE"}`
+ logLevels:
+ org.glassfish: "OFF"
+ jdk.event: "OFF"
+ jakarta.json: "OFF"
+ org.jvnet: "OFF"
+ okhttp3.internal: "OFF"
+ org.flywaydb: "OFF"
+ org.postgresql: "OFF"
+ org.eclipse.edc: "FINE"
+ org.eclipse.tractusx: "FINE"
+ # -- path where the log resides, must be the same path as the fileHandler pattern
+ path: /app/logs
+ # -- default logging properties if logging is not enabled
+ default: |-
+ .level=INFO
+ org.eclipse.edc.level=INFO
+ handlers=java.util.logging.ConsoleHandler
+ java.util.logging.ConsoleHandler.formatter=org.eclipse.tractusx.identityhub.monitor.ColorfulFormatter
+ java.util.logging.ConsoleHandler.level=ALL
+ org.eclipse.tractusx.identityhub.monitor.ColorfulFormatter.format=%7$s[%1$tY-%1$tm-%1$td %1$tH:%1$tM:%1$tS] [%4$s] %5$s%6$s%n%8$s
+ # [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes
+ nodeSelector: {}
+ # [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes
+ tolerations: []
+ # [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on
+ affinity: {}
+ url:
+ # -- Explicitly declared url for reaching the dsp api (e.g. if ingresses not used)
+ protocol: ""
+ public: ""
+ readiness: ""
+ # -- Initial participant context configuration
+ iatp:
+ sts:
+ oauth:
+ client:
+ # -- Enable participant context client configuration
+ enabled: true
+ # -- Client ID // Did of the initial participant
+ id: "did:web:provider-idhub.staging.construct-x.net"
+ # -- The client secret that is stored in the vault for requesting OAuth2 access token for Presentation API access
+ secret: "testme"
+ # -- Alias under which the client secret is stored in the vault
+ secret_alias: "sts-secret"
+ # -- The x-api-key that is stored in the vault for the initial participant
+ x_api_key: "ZGlkOndlYjppZGVudGl0eWh1Yi5wcmVzZW50YXRpb24ubG9jYWw=.randomChars"
+ # -- Whether web DIDs should be interpreted as HTTPS or HTTP
+ didweb:
+ https: true
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+ # -- Existing image pull secret bound to the service account to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry)
+ imagePullSecrets: []
+# -- Configurations for Helm tests
+tests:
+ # -- Configure the hook-delete-policy for Helm tests
+ hookDeletePolicy: before-hook-creation,hook-succeeded
+
+postgresql:
+ image:
+ # -- workaround to use bitnamilegacy chart for version 12.12.x till committers align on new postgresql charts
+ repository: bitnamilegacy/postgresql
+ # -- workaround to use bitnamilegacy chart for version 12.12.x till committers align on new postgresql charts
+ tag: 15.4.0-debian-11-r45
+ jdbcUrl: "jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/provider-idhub"
+ primary:
+ persistence:
+ enabled: true
+ resources:
+ limits:
+ cpu: 500m
+ memory: 1Gi
+ requests:
+ cpu: 250m
+ memory: 256Mi
+ readReplicas:
+ persistence:
+ enabled: false
+ resources:
+ limits:
+ cpu: 500m
+ memory: 1Gi
+ requests:
+ cpu: 250m
+ memory: 256Mi
+ auth:
+ database: "provider-idhub"
+ username: "user"
+ password: "password"
+
+vault:
+ injector:
+ enabled: false
+ server:
+ dev:
+ enabled: true
+ devRootToken: "root"
+ postStart: # must be set externally!
+ hashicorp:
+ url: "http://{{ .Release.Name }}-vault:8200"
+ token: "root"
+ timeout: 30
+ healthCheck:
+ enabled: true
+ standbyOk: true
+ paths:
+ secret: /v1/secret
+ health: /v1/sys/health
diff --git a/charts/tractusx-issuerservice/values-stag-issuer.yaml b/charts/tractusx-issuerservice/values-stag-issuer.yaml
new file mode 100644
index 00000000..9389d149
--- /dev/null
+++ b/charts/tractusx-issuerservice/values-stag-issuer.yaml
@@ -0,0 +1,419 @@
+#################################################################################
+# Copyright (c) 2025 Cofinity-X
+# Copyright (c) 2025 LKS Next
+# Copyright (c) 2025 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+#################################################################################
+
+---
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+
+install:
+ postgresql: true
+ vault: true
+
+fullnameOverride: ""
+nameOverride: ""
+# -- Existing image pull secret to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry)
+imagePullSecrets:
+ - name: registry-creds
+# -- To add some custom labels
+customLabels: {}
+
+# -- Add custom ca certificates to the truststore
+customCaCerts: {}
+
+issuerservice:
+ image:
+ repository: "registry.onstackit.cloud/constructx/issuerservice-dev"
+ # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use
+ pullPolicy: IfNotPresent
+ # -- Overrides the image tag whose default is the chart appVersion
+ tag: "latest"
+ initContainers: []
+ useSVE: false
+ debug:
+ enabled: false
+ port: 1044
+ suspendOnStart: false
+ livenessProbe:
+ # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)
+ enabled: true
+ # -- seconds to wait before performing the first liveness check
+ initialDelaySeconds: 5
+ # -- this fields specifies that kubernetes should perform a liveness check every 5 seconds
+ periodSeconds: 5
+ # -- number of seconds after which the probe times out
+ timeoutSeconds: 5
+ # -- when a probe fails kubernetes will try 6 times before giving up
+ failureThreshold: 6
+ # -- number of consecutive successes for the probe to be considered successful after having failed
+ successThreshold: 1
+ readinessProbe:
+ # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)
+ enabled: true
+ # -- seconds to wait before performing the first readiness check
+ initialDelaySeconds: 5
+ # -- this fields specifies that kubernetes should perform a readiness check every 5 seconds
+ periodSeconds: 5
+ # -- number of seconds after which the probe times out
+ timeoutSeconds: 5
+ # -- when a probe fails kubernetes will try 6 times before giving up
+ failureThreshold: 6
+ # -- number of consecutive successes for the probe to be considered successful after having failed
+ successThreshold: 1
+ # -- endpoints of the control plane
+ endpoints:
+ # -- default api for health checks, should not be added to any ingress
+ default:
+ # -- port for incoming api calls
+ port: 8081
+ # -- path for incoming api calls
+ path: /api
+ # -- DCP Issuance API. Must be internet-facing.
+ issuance:
+ port: 8082
+ path: /api/issuance
+ # -- DID API, used to resolve the issuer's DID document. Must be internet-facing
+ did:
+ port: 12345
+ path: /
+ # -- Version API, used to obtain exact version information about all APIs at runtime. Should not be internet-facing
+ version:
+ port: 8084
+ path: /.well-known/api
+ # -- STS Token API, for the IssuerService to create Self-Issued ID tokens
+ sts:
+ port: 8085
+ path: /api/sts
+ # -- Issuer Admin API to manage data of the IssuerService. Should not be internet-facing
+ issueradmin:
+ port: 8086
+ path: /api/issuer
+ # -- Identity API, used to manage certain identity aspects such as DID documents, key pairs etc. Should not be internet-facing
+ identity:
+ port: 8087
+ path: /api/identity
+ # -- StatusList API, used to check the status of verifiable credentials. Must be internet-facing
+ statuslist:
+ port: 8088
+ path: /statuslist
+
+ # -- Whether web DIDs should be interpreted as HTTPS or HTTP
+ didweb:
+ https: true
+
+ # -- Whether Self-Issued ID tokens are protected with JTI claims (=nonce)
+ jtivalidation: false
+
+ service:
+ # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service.
+ type: ClusterIP
+ annotations: {}
+ # -- additional labels for the pod
+ podLabels: {}
+ # -- additional annotations for the pod
+ podAnnotations: {}
+ # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment
+ podSecurityContext:
+ seccompProfile:
+ # -- Restrict a Container's Syscalls with seccomp
+ type: RuntimeDefault
+ # -- Runs all processes within a pod with a special uid
+ runAsUser: 10100
+ # -- Processes within a pod will belong to this guid
+ runAsGroup: 10100
+ # -- The owner for volumes and any files created within volumes will belong to this guid
+ fsGroup: 10100
+ # The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod
+ securityContext:
+ capabilities:
+ # -- Specifies which capabilities to drop to reduce syscall attack surface
+ drop:
+ - ALL
+ # -- Specifies which capabilities to add to issue specialized syscalls
+ add: []
+ # -- Whether the root filesystem is mounted in read-only mode
+ readOnlyRootFilesystem: true
+ # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID
+ allowPrivilegeEscalation: false
+ # -- Requires the container to run without root privileges
+ runAsNonRoot: true
+ # -- The container's process will run with the specified uid
+ runAsUser: 10100
+ # Extra environment variables that will be pass onto deployment pods
+ env:
+ JAVA_TOOL_OPTIONS: -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:1044
+ EDC_HOSTNAME: local-issuer-service.staging.construct-x.net
+ EDC_IH_ISSUER_DEV_DEFAULTCONFIG: /app/setup.json
+ EDC_ISSUER__SEND_RETRY_LIMIT: 0
+ EDC_IH_API_SUPERUSER_ID: admin
+ EDC_IH_API_SUPERUSER_KEY: YWRtaW4.adminKey
+ EDC_SQL_SCHEMA_AUTOCREATE: true
+
+ # "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
+ # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
+ envValueFrom: {}
+ # ENV_NAME:c
+ # configMapKeyRef:
+ # name: configmap-name
+ # key: value_key
+ # secretKeyRef:
+ # name: secret-name
+ # key: value_key
+
+ # [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from
+ envSecretNames: []
+ # - first-secret
+ # - second-secret
+
+ # [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from
+ envConfigMapNames: ["issuerservice-config", "issuerservice-datasource-config"]
+ # - first-config-map
+ # - second-config-map
+
+ ## Ingress declaration to expose the network service.
+ ingresses:
+ ## Public / Internet facing Ingress for the Issuance APIs
+ - enabled: true
+ # -- The hostname to be used to precisely map incoming traffic onto the underlying network service
+ hostname: "local-issuer-service.staging.construct-x.net"
+ # -- Additional ingress annotations to add
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-staging
+ external-dns.alpha.kubernetes.io/hostname: "local-issuer-service.staging.construct-x.net"
+ external-dns.alpha.kubernetes.io/ttl: "300"
+ # -- EDC endpoints exposed by this ingress resource
+ endpoints:
+ - issuance
+ - sts
+ - did
+ - statuslist
+ - issueradmin
+ - identity
+ - default
+ # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use
+ className: "nginx"
+ # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource
+ tls:
+ # -- Enables TLS on the ingress resource
+ enabled: true
+ # -- If present overwrites the default secret name
+ secretName: ""
+ ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource
+ certManager:
+ # -- If preset enables certificate generation via cert-manager namespace scoped issuer
+ issuer: ""
+ # -- If preset enables certificate generation via cert-manager cluster-wide issuer
+ clusterIssuer: "letsencrypt-staging"
+ ## Public / Internet facing Ingress for the DID API
+ - enabled: false
+ # -- The hostname to be used to precisely map incoming traffic onto the underlying network service
+ hostname: "issuerservice-did.staging.construct-x.net"
+ # -- Additional ingress annotations to add
+ annotations: {}
+ # -- EDC endpoints exposed by this ingress resource
+ endpoints:
+ - issueradmin
+ - identity
+ # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use
+ className: "nginx"
+ # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource
+ tls:
+ # -- Enables TLS on the ingress resource
+ enabled: true
+ # -- If present overwrites the default secret name
+ secretName: ""
+ ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource
+ certManager:
+ # -- If preset enables certificate generation via cert-manager namespace scoped issuer
+ issuer: ""
+ # -- If preset enables certificate generation via cert-manager cluster-wide issuer
+ clusterIssuer: "nginx"
+ # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container
+ volumeMounts: []
+ # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories
+ volumes: []
+ # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container
+ resources:
+ limits:
+ cpu: 500m
+ memory: 512Mi
+ requests:
+ cpu: 250m
+ memory: 128Mi
+ replicaCount: 1
+ autoscaling:
+ # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/)
+ enabled: false
+ # -- Minimal replicas if resource consumption falls below resource threshholds
+ minReplicas: 1
+ # -- Maximum replicas if resource consumption exceeds resource threshholds
+ maxReplicas: 100
+ # -- targetAverageUtilization of cpu provided to a pod
+ targetCPUUtilizationPercentage: 80
+ # -- targetAverageUtilization of memory provided to a pod
+ targetMemoryUtilizationPercentage: 80
+ # Configuration of the [Java Util Logging Facade](https://docs.oracle.com/javase/7/docs/technotes/guides/logging/overview.html)
+ logging:
+ # -- Enable logging to create .log files
+ enabled: true
+ persistence:
+ # -- Enable .log files to persist in local machine
+ enabled: false
+ # -- Persistent volume access mode
+ accessMode: ReadWriteOnce
+ # -- Persistent volume size
+ size: 1Gi
+ # -- Persistent volume claim storage name
+ storageClass: "standard"
+ # -- List of handlers to use in the logger
+ handlers:
+ - java.util.logging.ConsoleHandler
+ - java.util.logging.FileHandler
+ handlersConfig:
+ # -- Console handler configuration
+ java.util.logging.ConsoleHandler:
+ level: FINE
+ formatter: org.eclipse.tractusx.identityhub.monitor.ColorfulFormatter
+ java.util.logging.FileHandler:
+ # -- Log level of handler
+ level: FINE
+ # -- Formatter to use in handler, formatter must be set in identityhub.logging.formatters
+ formatter: org.eclipse.tractusx.identityhub.monitor.ColorfulFormatter
+ # -- Path where the log is created, must be the same path as the logging.path values
+ pattern: /app/logs/identityhub.log
+ # -- Limit of bytes to write before log file rotation
+ limit: 0
+ # -- Number of files to use in log file rotation
+ count: 1
+ # -- Append logs to the file or create new file every deployment
+ append: true
+ formatters:
+ # -- configuration of custom colorful formatter
+ org.eclipse.tractusx.identityhub.monitor.ColorfulFormatter:
+ format: "%7$s[%1$tY-%1$tm-%1$td %1$tH:%1$tM:%1$tS] [%4$s] %5$s%6$s%n%8$s"
+ # -- root log level
+ level: INFO
+ # -- package level control
+ # @default -- `{"org.eclipse.edc": "FINE"}`
+ logLevels:
+ org.glassfish: "OFF"
+ jdk.event: "OFF"
+ jakarta.json: "OFF"
+ org.jvnet: "OFF"
+ okhttp3.internal: "OFF"
+ org.flywaydb: "OFF"
+ org.postgresql: "OFF"
+ org.eclipse.edc: "FINE"
+ org.eclipse.tractusx: "FINE"
+ # -- path where the log resides, must be the same path as the fileHandler pattern
+ path: /app/logs
+ # -- default logging properties if logging is not enabled
+ default: |-
+ .level=INFO
+ org.eclipse.edc.level=INFO
+ handlers=java.util.logging.ConsoleHandler
+ java.util.logging.ConsoleHandler.formatter=org.eclipse.tractusx.identityhub.monitor.ColorfulFormatter
+ java.util.logging.ConsoleHandler.level=ALL
+ org.eclipse.tractusx.identityhub.monitor.ColorfulFormatter.format=%7$s[%1$tY-%1$tm-%1$td %1$tH:%1$tM:%1$tS] [%4$s] %5$s%6$s%n%8$s
+ # [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes
+ nodeSelector: {}
+ # [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes
+ tolerations: []
+ # [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on
+ affinity: {}
+ url:
+ # -- Explicitly declared url for reaching the dsp api (e.g. if ingresses not used)
+ protocol: ""
+ public: ""
+ readiness: ""
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+ # -- Existing image pull secret bound to the service account to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry)
+ imagePullSecrets: []
+# -- Configurations for Helm tests
+tests:
+ # -- Configure the hook-delete-policy for Helm tests
+ hookDeletePolicy: before-hook-creation,hook-succeeded
+
+postgresql:
+ image:
+ # -- workaround to use bitnamilegacy chart for version 12.12.x till committers align on new postgresql charts
+ repository: bitnamilegacy/postgresql
+ # -- workaround to use bitnamilegacy chart for version 12.12.x till committers align on new postgresql charts
+ tag: 15.4.0-debian-11-r45
+ jdbcUrl: "jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/issuer"
+ primary:
+ persistence:
+ enabled: false
+ resources:
+ limits:
+ cpu: 500m
+ memory: 1Gi
+ requests:
+ cpu: 250m
+ memory: 256Mi
+ readReplicas:
+ persistence:
+ enabled: false
+ resources:
+ limits:
+ cpu: 500m
+ memory: 1Gi
+ requests:
+ cpu: 250m
+ memory: 256Mi
+ auth:
+ database: "issuer"
+ username: "user"
+ password: "password"
+
+vault:
+ injector:
+ enabled: false
+ server:
+ dev:
+ enabled: true
+ devRootToken: "root"
+ postStart: # must be set externally!
+ hashicorp:
+ url: "http://{{ .Release.Name }}-vault:8200"
+ token: "root"
+ timeout: 30
+ healthCheck:
+ enabled: false
+ standbyOk: true
+ paths:
+ secret: /v1/secret
+ health: /v1/sys/health
+
+statuslist:
+ signing_key:
+ alias: default
+ # -- Callback address for statuslist
+ callback:
+ address: "https://local-issuer-service.staging.construct-x.net/statuslist"
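Review bot: The enabled public ingress for `local-issuer-service.staging.construct-x.net` lists `issueradmin`, `identity` and `default` in its `endpoints`, although the endpoint comments in this same file say the Issuer Admin and Identity APIs "Should not be internet-facing" and the default health API "should not be added to any ingress"; the second, disabled ingress already carries `issueradmin` and `identity`, so removing those three entries from the first list keeps the management surface off the public hostname. `JAVA_TOOL_OPTIONS: -agentlib:jdwp=...,address=*:1044` enables a JDWP debug agent bound on all interfaces while `debug.enabled` is `false`; in a staging values file that line should be dropped, or at least driven by the `debug` flag the chart already has. The file also commits credentials as plain values (`EDC_IH_API_SUPERUSER_KEY`, `postgresql.auth.password: "password"`, `vault.server.dev.devRootToken: "root"`, `postStart.hashicorp.token: "root"` despite the `# must be set externally!` comment); the chart's `envSecretNames` or an existing Secret would keep them out of the repository. `clusterIssuer: "nginx"` on the second ingress looks like a copy of `className` and would not name a cert-manager ClusterIssuer (the first ingress uses `"letsencrypt-staging"`). The identityhub values file earlier in this diff has the same public-ingress (`default`, `identity`) and JDWP (`*:1045`) pattern.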