Replace DAPS with SSI in Helm charts (#511)

* feat: replace DAPS with SSI in helm charts * updated README files * Apply suggestions from code review Co-authored-by: Enrico Risa <enrico.risa@gmail.com> --------- Co-authored-by: Enrico Risa <enrico.risa@gmail.com>
eclipse-tractusx · Jun 21, 2023 · 3c421a7 · 3c421a7
1 parent e65f215
commit 3c421a7
Show file tree

Hide file tree

Showing 88 changed files with 3,065 additions and 2,218 deletions.
diff --git a/.github/workflows/deployment-test.yaml b/.github/workflows/deployment-test.yaml
@@ -83,7 +83,7 @@ jobs:
           helm_command: |-
             helm install tx-inmem charts/tractusx-connector-memory \
             -f edc-tests/deployment/src/main/resources/helm/tractusx-connector-memory-test.yaml \
-            --set vault.secrets="daps-crt:$(cat daps.cert);daps-key:$(cat daps.key)" \
+            --set vault.secrets="client-secret:$(cat client.secret)" \
             --wait-for-jobs --timeout=120s --dependency-update
             
             # wait for the pod to become ready
@@ -135,9 +135,8 @@ jobs:
           rootDir: "."
           values_file: edc-tests/deployment/src/main/resources/helm/tractusx-connector-azure-vault-test.yaml
           helm_command: |-
-            az keyvault secret set --vault-name ${{ secrets.AZURE_VAULT_NAME }} --name daps-crt --value "$(cat daps.cert)" > /dev/null
-            az keyvault secret set --vault-name ${{ secrets.AZURE_VAULT_NAME }} --name daps-key --value "$(cat daps.key)" > /dev/null
             az keyvault secret set --vault-name ${{ secrets.AZURE_VAULT_NAME }} --name aes-keys --value "$(cat aes.key)" > /dev/null
+            az keyvault secret set --vault-name ${{ secrets.AZURE_VAULT_NAME }} --name client-secret --value "$(cat client.secret)" > /dev/null
             
             helm install tx-prod charts/tractusx-connector-azure-vault \
              -f edc-tests/deployment/src/main/resources/helm/tractusx-connector-azure-vault-test.yaml \

diff --git a/charts/tractusx-connector-azure-vault/Chart.yaml b/charts/tractusx-connector-azure-vault/Chart.yaml
@@ -50,12 +50,6 @@ home: https://github.com/eclipse-tractusx/tractusx-edc/tree/main/charts/tractusx
 sources:
   - https://github.com/eclipse-tractusx/tractusx-edc/tree/main/charts/tractusx-connector
 dependencies:
-  # IDS Dynamic Attribute Provisioning Service (IAM)
-  - name: daps
-    version: 0.0.1
-    repository: "file://./subcharts/omejdn"
-    alias: daps
-    condition: install.daps
   # PostgreSQL
   - name: postgresql
     alias: postgresql

diff --git a/charts/tractusx-connector-azure-vault/README.md b/charts/tractusx-connector-azure-vault/README.md
@@ -50,13 +50,12 @@ Note that `DAPS_CERT` contains the x509 certificate, `DAPS_KEY` contains the pri
 
 ## Source Code
 
-<https://github.com/eclipse-tractusx/tractusx-edc/tree/main/charts/tractusx-connector>
+* <https://github.com/eclipse-tractusx/tractusx-edc/tree/main/charts/tractusx-connector>
 
 ## Requirements
 
 | Repository | Name | Version |
 |------------|------|---------|
-| file://./subcharts/omejdn | daps(daps) | 0.0.1 |
 | https://charts.bitnami.com/bitnami | postgresql(postgresql) | 12.1.6 |
 
 ## Values
@@ -161,20 +160,17 @@ Note that `DAPS_CERT` contains the x509 certificate, `DAPS_KEY` contains the pri
 | controlplane.securityContext.runAsUser | int | `10001` | The container's process will run with the specified uid |
 | controlplane.service.annotations | object | `{}` |  |
 | controlplane.service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. |
+| controlplane.ssi.endpoint.audience | string | `"http://this.audience"` |  |
+| controlplane.ssi.miw.authorityId | string | `""` |  |
+| controlplane.ssi.miw.url | string | `""` |  |
+| controlplane.ssi.oauth.client.id | string | `""` |  |
+| controlplane.ssi.oauth.client.secretAlias | string | `"client-secret"` |  |
+| controlplane.ssi.oauth.tokenurl | string | `""` |  |
 | controlplane.tolerations | list | `[]` |  |
 | controlplane.url.ids | string | `""` | Explicitly declared url for reaching the ids api (e.g. if ingresses not used) |
 | controlplane.volumeMounts | list | `[]` | declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container |
 | controlplane.volumes | list | `[]` | [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories |
 | customLabels | object | `{}` |  |
-| daps.clientId | string | `""` |  |
-| daps.connectors[0].attributes.referringConnector | string | `"http://sokrates-controlplane/BPNSOKRATES"` |  |
-| daps.connectors[0].certificate | string | `""` |  |
-| daps.connectors[0].id | string | `"E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65:keyid:E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65"` |  |
-| daps.connectors[0].name | string | `"sokrates"` |  |
-| daps.fullnameOverride | string | `"daps"` |  |
-| daps.paths.jwks | string | `"/jwks.json"` |  |
-| daps.paths.token | string | `"/token"` |  |
-| daps.url | string | `""` |  |
 | dataplane.affinity | object | `{}` |  |
 | dataplane.autoscaling.enabled | bool | `false` | Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) |
 | dataplane.autoscaling.maxReplicas | int | `100` | Maximum replicas if resource consumption exceeds resource threshholds |
@@ -255,34 +251,31 @@ Note that `DAPS_CERT` contains the x509 certificate, `DAPS_KEY` contains the pri
 | dataplane.volumeMounts | list | `[]` | declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container |
 | dataplane.volumes | list | `[]` | [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories |
 | fullnameOverride | string | `""` |  |
-| idsdaps.connectors[0].certificate | string | `""` |  |
 | imagePullSecrets | list | `[]` | Existing image pull secret to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) |
-| install.daps | bool | `true` |  |
 | install.postgresql | bool | `true` |  |
 | nameOverride | string | `""` |  |
 | participant.id | string | `""` |  |
 | postgresql.auth.database | string | `"edc"` |  |
 | postgresql.auth.password | string | `"password"` |  |
 | postgresql.auth.username | string | `"user"` |  |
 | postgresql.enabled | bool | `false` |  |
-| postgresql.fullnameOverride | string | `"postgresql"` |  |
-| postgresql.jdbcUrl | string | `""` |  |
+| postgresql.jdbcUrl | string | `"jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc"` |  |
 | postgresql.primary.persistence | string | `nil` |  |
 | postgresql.readReplicas.persistence.enabled | bool | `false` |  |
 | serviceAccount.annotations | object | `{}` |  |
 | serviceAccount.create | bool | `true` |  |
 | serviceAccount.imagePullSecrets | list | `[]` | Existing image pull secret bound to the service account to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) |
 | serviceAccount.name | string | `""` |  |
+| tests | object | `{"hookDeletePolicy":"before-hook-creation,hook-succeeded"}` | Configurations for Helm tests |
+| tests.hookDeletePolicy | string | `"before-hook-creation,hook-succeeded"` | Configure the hook-delete-policy for Helm tests |
 | vault.azure.certificate | string | `nil` |  |
 | vault.azure.client | string | `""` |  |
 | vault.azure.name | string | `""` |  |
 | vault.azure.secret | string | `nil` |  |
 | vault.azure.tenant | string | `""` |  |
-| vault.secretNames.dapsPrivateKey | string | `"daps-private-key"` |  |
-| vault.secretNames.dapsPublicKey | string | `"daps-public-key"` |  |
 | vault.secretNames.transferProxyTokenEncryptionAesKey | string | `"transfer-proxy-token-encryption-aes-key"` |  |
-| vault.secretNames.transferProxyTokenSignerPrivateKey | string | `"transfer-proxy-token-signer-private-key"` |  |
-| vault.secretNames.transferProxyTokenSignerPublicKey | string | `"transfer-proxy-token-signer-public-key"` |  |
+| vault.secretNames.transferProxyTokenSignerPrivateKey | string | `nil` |  |
+| vault.secretNames.transferProxyTokenSignerPublicKey | string | `nil` |  |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.10.0](https://github.com/norwoodj/helm-docs/releases/v1.10.0)
diff --git a/charts/tractusx-connector-azure-vault/subcharts/omejdn/README.md b/charts/tractusx-connector-azure-vault/subcharts/omejdn/README.md
diff --git a/charts/tractusx-connector-azure-vault/templates/deployment-controlplane.yaml b/charts/tractusx-connector-azure-vault/templates/deployment-controlplane.yaml
@@ -1,24 +1,24 @@
 #
-#  Copyright (c) 2023 ZF Friedrichshafen AG
-#  Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH
-#  Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
-#  Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation
-#
-#  See the NOTICE file(s) distributed with this work for additional
-#  information regarding copyright ownership.
-#
-#  This program and the accompanying materials are made available under the
-#  terms of the Apache License, Version 2.0 which is available at
-#  https://www.apache.org/licenses/LICENSE-2.0
-#
-#  Unless required by applicable law or agreed to in writing, software
-#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-#  License for the specific language governing permissions and limitations
-#  under the License.
-#
-#  SPDX-License-Identifier: Apache-2.0
-#
+  #  Copyright (c) 2023 ZF Friedrichshafen AG
+  #  Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH
+  #  Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+  #  Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation
+  #
+  #  See the NOTICE file(s) distributed with this work for additional
+  #  information regarding copyright ownership.
+  #
+  #  This program and the accompanying materials are made available under the
+  #  terms of the Apache License, Version 2.0 which is available at
+  #  https://www.apache.org/licenses/LICENSE-2.0
+  #
+  #  Unless required by applicable law or agreed to in writing, software
+  #  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+  #  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+  #  License for the specific language governing permissions and limitations
+  #  under the License.
+  #
+  #  SPDX-License-Identifier: Apache-2.0
+  #
 
 ---
 apiVersion: apps/v1
@@ -115,21 +115,21 @@ spec:
             - name: EDC_PARTICIPANT_ID
               value: {{ .Values.participant.id | required ".Values.participant.id is required" | quote }}
 
-            ########################
-            ## DAPS CONFIGURATION ##
-            ########################
-
-            # see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/iam/oauth2/oauth2-core
-            - name: EDC_OAUTH_CLIENT_ID
-              value: {{ .Values.daps.clientId | required ".Values.daps.clientId is required" | quote }}
-            - name: EDC_OAUTH_PROVIDER_JWKS_URL
-              value: {{ printf "%s%s" (tpl .Values.daps.url .) .Values.daps.paths.jwks }}
-            - name: EDC_OAUTH_TOKEN_URL
-              value: {{ printf "%s%s" (tpl .Values.daps.url .) .Values.daps.paths.token }}
-            - name: EDC_OAUTH_PRIVATE_KEY_ALIAS
-              value: {{ .Values.vault.secretNames.dapsPrivateKey | required ".Values.vault.secretNames.dapsPrivateKey is required" | quote }}
-            - name: EDC_OAUTH_CERTIFICATE_ALIAS
-              value: {{ .Values.vault.secretNames.dapsPublicKey | required ".Values.vault.secretNames.dapsPublicKey is required" | quote }}
+            ##########################
+            # SSI / MIW CONFIGURATION
+            ##########################
+            - name: "TX_SSI_MIW_URL"
+              value: {{ .Values.controlplane.ssi.miw.url }}
+            - name: "TX_SSI_MIW_AUTHORITY_ID"
+              value: {{ .Values.controlplane.ssi.miw.authorityId }}
+            - name: "TX_SSI_OAUTH_TOKEN_URL"
+              value: {{ .Values.controlplane.ssi.oauth.tokenurl }}
+            - name: "TX_SSI_OAUTH_CLIENT_ID"
+              value: {{ .Values.controlplane.ssi.oauth.client.id }}
+            - name: "TX_SSI_OAUTH_CLIENT_SECRET_ALIAS"
+              value: {{ .Values.controlplane.ssi.oauth.client.secretAlias }}
+            - name: "TX_SSI_ENDPOINT_AUDIENCE"
+              value: {{ printf "%s%s" (include "txdc.controlplane.url.protocol" .) .Values.controlplane.endpoints.protocol.path | quote }}
 
             #######
             # API #
@@ -252,10 +252,14 @@ spec:
             # see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/control-plane/data-plane-transfer
             - name: "EDC_TRANSFER_PROXY_ENDPOINT"
               value: {{ include "txdc.dataplane.url.public" . }}
+            {{- if .Values.vault.secretNames.transferProxyTokenSignerPrivateKey }}
             - name: "EDC_TRANSFER_PROXY_TOKEN_SIGNER_PRIVATEKEY_ALIAS"
               value: {{ .Values.vault.secretNames.transferProxyTokenSignerPrivateKey | quote }}
+            {{- end }}
+            {{- if .Values.vault.secretNames.transferProxyTokenSignerPublicKey }}
             - name: "EDC_TRANSFER_PROXY_TOKEN_VERIFIER_PUBLICKEY_ALIAS"
               value: {{ .Values.vault.secretNames.transferProxyTokenSignerPublicKey | quote }}
+            {{- end }}
 
             # see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/control-plane/transfer/transfer-pull-http-dynamic-receiver
 

diff --git a/charts/tractusx-connector-azure-vault/values.yaml b/charts/tractusx-connector-azure-vault/values.yaml
@@ -27,14 +27,12 @@
 # Declare variables to be passed into your templates.
 
 install:
-  daps: true
   postgresql: true
 fullnameOverride: ""
 nameOverride: ""
 
 # -- Existing image pull secret to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry)
 imagePullSecrets: []
-
 customLabels: {}
 
 participant:
@@ -131,6 +129,18 @@ controlplane:
   businessPartnerValidation:
     log:
       agreementValidation: true
+  # SSI configuration
+  ssi:
+    miw:
+      url: ""
+      authorityId: ""
+    oauth:
+      tokenurl: ""
+      client:
+        id: ""
+        secretAlias: "client-secret"
+    endpoint:
+      audience: "http://this.audience"
   service:
     # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service.
     type: ClusterIP
@@ -515,25 +525,10 @@ vault:
     certificate:
 
   secretNames:
-    transferProxyTokenSignerPrivateKey: transfer-proxy-token-signer-private-key
-    transferProxyTokenSignerPublicKey: transfer-proxy-token-signer-public-key
+    transferProxyTokenSignerPrivateKey:
+    transferProxyTokenSignerPublicKey:
     transferProxyTokenEncryptionAesKey: transfer-proxy-token-encryption-aes-key
-    dapsPrivateKey: daps-private-key
-    dapsPublicKey: daps-public-key
 
-daps:
-  url: "http://{{ .Release.Name }}-daps:4567"
-  clientId: ""
-  paths:
-    jwks: /jwks.json
-    token: /token
-  connectors:
-    - id: E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65:keyid:E7:07:2D:74:56:66:31:F0:7B:10:EA:B6:03:06:4C:23:7F:ED:A6:65
-      name: sokrates
-      attributes:
-        referringConnector: http://sokrates-controlplane/BPNSOKRATES
-      # Must be the same certificate that is stores in section 'sokrates-vault'
-      certificate: ""    # must be set externally!
 backendService:
   httpProxyTokenReceiverUrl: ""
 serviceAccount:
@@ -546,10 +541,6 @@ serviceAccount:
   name: ""
   # -- Existing image pull secret bound to the service account to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry)
   imagePullSecrets: []
-idsdaps:
-  connectors:
-    - certificate: |-
-
 # -- Configurations for Helm tests
 tests:
   # -- Configure the hook-delete-policy for Helm tests