From ec1073cc966ba3ea233f4889e0ea67f96c82da0c Mon Sep 17 00:00:00 2001
From: Paul Latzelsperger
Date: Thu, 22 Jun 2023 09:49:15 +0200
Subject: [PATCH] docs: add quick guide to the charts' README
---
 .../tractusx-connector-azure-vault/README.md | 46 +++++++++---------
 .../README.md.gotmpl | 47 +++++++++++--------
 .../values.yaml | 2 -
 charts/tractusx-connector-memory/README.md | 44 +++++++++--------
 .../README.md.gotmpl | 45 ++++++++++--------
 charts/tractusx-connector-memory/values.yaml | 2 -
 charts/tractusx-connector/README.md | 40 +++++++++-------
 charts/tractusx-connector/README.md.gotmpl | 41 +++++++++-------
 charts/tractusx-connector/values.yaml | 2 -
 9 files changed, 148 insertions(+), 121 deletions(-)
diff --git a/charts/tractusx-connector-azure-vault/README.md b/charts/tractusx-connector-azure-vault/README.md
index cc0d46135..a807d8345 100644
--- a/charts/tractusx-connector-azure-vault/README.md
+++ b/charts/tractusx-connector-azure-vault/README.md
@@ -9,31 +9,38 @@ This chart is intended for use with an _existing_ PostgreSQL database and an _ex **Homepage:** -This chart uses Azure KeyVault, which is expected to contain the following secrets on application start: +## Setting up SSI -- `daps-cert`: contains the x509 certificate of the connector. -- `daps-key`: the private key of the x509 certificate -- `aes-keys`: a 128bit, 256bit or 512bit string used to encrypt data. Must be stored in base64 format. +### Preconditions -These must be obtained from a DAPS instance, the process of which is out of the scope of this document. Alternatively, -self-signed certificates can be used for testing: +- the Managed Identity Walled (MIW) must be running and reachable via network +- the necessary set of VerifiableCredentials for this participant must be pushed to MIW. This is typically done by the + Portal during participant onboarding +- KeyCloak must be running and reachable via network +- an account with KeyCloak must be created for this BPN and the connector must be able to obtain access tokens +- the client ID and client secret corresponding to that account must be known -```shell -openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout daps.key -out daps.cert -subj "/CN=test" -export DAPS_KEY="$(cat daps.key)" -export DAPS_CERT="$(cat daps.cert)" -``` +### Preparatory work -## Launching the application +- store your KeyCloak client secret in the Azure KeyVault. The exact procedure is as follows: + ```bash + az keyvault secret set --vault-name --name client-secret --value "$YOUR_CLIENT_SECRET" + ``` + By default, Tractus-X EDC expects to find the secret under `client-secret`. -The following requirements must be met before launching the application: +### Configure the chart -- Write access to an Azure KeyVault instance is required to run this chart -- Secrets are seeded in advance -- The vault's client id, client secret, tenant id and vault name (not the url!) 
are known +Be sure to provide the following configuration entries to your Tractus-X EDC Helm chart: +- `controlplane.ssi.miw.url`: the URL +- `controlplane.ssi.miw.authorityId`: the BPN of the issuer authority +- `controlplane.ssi.oauth.tokenurl`: the URL (of KeyCloak), where access tokens can be obtained +- `controlplane.ssi.oauth.client.id`: client ID for KeyCloak +- `controlplane.ssi.oauth.client.secretAlias`: the alias under which the client secret is stored in the vault. Defaults to `client-secret`. -Please also consider using [this example configuration](https://github.com/eclipse-tractusx/tractusx-edc/blob/main/edc-tests/deployment/src/main/resources/helm/tractusx-connector-azure-vault-test.yaml) -to launch the application. +### Launching the application + +As an easy starting point, please consider using [this example configuration](https://github.com/eclipse-tractusx/tractusx-edc/blob/main/edc-tests/deployment/src/main/resources/helm/tractusx-connector-test.yaml) +to launch the application. The configuration values mentioned above (`controlplane.ssi.*`) will have to be adapted manually. Combined, run this shell command to start the in-memory Tractus-X EDC runtime: ```shell @@ -46,8 +53,6 @@ helm install my-release tractusx-edc/tractusx-connector-azure-vault --version 0. --set vault.azure.tenant=$AZURE_TENANT_ID ``` -Note that `DAPS_CERT` contains the x509 certificate, `DAPS_KEY` contains the private key. - ## Source Code * 
@@ -160,7 +165,6 @@ Note that `DAPS_CERT` contains the x509 certificate, `DAPS_KEY` contains the pri
 | controlplane.securityContext.runAsUser | int | `10001` | The container's process will run with the specified uid |
 | controlplane.service.annotations | object | `{}` | |
 | controlplane.service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. |
-| controlplane.ssi.endpoint.audience | string | `"http://this.audience"` | |
 | controlplane.ssi.miw.authorityId | string | `""` | |
 | controlplane.ssi.miw.url | string | `""` | |
 | controlplane.ssi.oauth.client.id | string | `""` | |
diff --git a/charts/tractusx-connector-azure-vault/README.md.gotmpl b/charts/tractusx-connector-azure-vault/README.md.gotmpl
index c90617416..b2de42ced 100644
--- a/charts/tractusx-connector-azure-vault/README.md.gotmpl
+++ b/charts/tractusx-connector-azure-vault/README.md.gotmpl
@@ -8,31 +8,40 @@ {{ template "chart.homepageLine" . }} -This chart uses Azure KeyVault, which is expected to contain the following secrets on application start: +## Setting up SSI -- `daps-cert`: contains the x509 certificate of the connector. -- `daps-key`: the private key of the x509 certificate -- `aes-keys`: a 128bit, 256bit or 512bit string used to encrypt data. Must be stored in base64 format. +### Preconditions -These must be obtained from a DAPS instance, the process of which is out of the scope of this document. Alternatively, -self-signed certificates can be used for testing: +- the Managed Identity Walled (MIW) must be running and reachable via network +- the necessary set of VerifiableCredentials for this participant must be pushed to MIW. This is typically done by the + Portal during participant onboarding +- KeyCloak must be running and reachable via network +- an account with KeyCloak must be created for this BPN and the connector must be able to obtain access tokens +- the client ID and client secret corresponding to that account must be known -```shell -openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout daps.key -out daps.cert -subj "/CN=test" -export DAPS_KEY="$(cat daps.key)" -export DAPS_CERT="$(cat daps.cert)" -``` +### Preparatory work + +- store your KeyCloak client secret in the Azure KeyVault. The exact procedure is as follows: + ```bash + az keyvault secret set --vault-name --name client-secret --value "$YOUR_CLIENT_SECRET" + ``` + By default, Tractus-X EDC expects to find the secret under `client-secret`. -## Launching the application -The following requirements must be met before launching the application: +### Configure the chart -- Write access to an Azure KeyVault instance is required to run this chart -- Secrets are seeded in advance -- The vault's client id, client secret, tenant id and vault name (not the url!) 
are known +Be sure to provide the following configuration entries to your Tractus-X EDC Helm chart: +- `controlplane.ssi.miw.url`: the URL +- `controlplane.ssi.miw.authorityId`: the BPN of the issuer authority +- `controlplane.ssi.oauth.tokenurl`: the URL (of KeyCloak), where access tokens can be obtained +- `controlplane.ssi.oauth.client.id`: client ID for KeyCloak +- `controlplane.ssi.oauth.client.secretAlias`: the alias under which the client secret is stored in the vault. Defaults to `client-secret`. -Please also consider using [this example configuration](https://github.com/eclipse-tractusx/tractusx-edc/blob/main/edc-tests/deployment/src/main/resources/helm/tractusx-connector-azure-vault-test.yaml) -to launch the application. + +### Launching the application + +As an easy starting point, please consider using [this example configuration](https://github.com/eclipse-tractusx/tractusx-edc/blob/main/edc-tests/deployment/src/main/resources/helm/tractusx-connector-test.yaml) +to launch the application. The configuration values mentioned above (`controlplane.ssi.*`) will have to be adapted manually. Combined, run this shell command to start the in-memory Tractus-X EDC runtime: ```shell @@ -45,8 +54,6 @@ helm install my-release tractusx-edc/tractusx-connector-azure-vault --version {{ --set vault.azure.tenant=$AZURE_TENANT_ID ``` -Note that `DAPS_CERT` contains the x509 certificate, `DAPS_KEY` contains the private key. - {{ template "chart.maintainersSection" . }} diff --git a/charts/tractusx-connector-azure-vault/values.yaml b/charts/tractusx-connector-azure-vault/values.yaml index f9758ecaf..c8d4a82aa 100644 --- a/charts/tractusx-connector-azure-vault/values.yaml +++ b/charts/tractusx-connector-azure-vault/values.yaml 
@@ -139,8 +139,6 @@ controlplane:
 client:
 id: ""
 secretAlias: "client-secret"
- endpoint:
- audience: "http://this.audience"
 service:
 # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service.
 type: ClusterIP
diff --git a/charts/tractusx-connector-memory/README.md b/charts/tractusx-connector-memory/README.md
index f49f98b6f..57a456d1d 100644
--- a/charts/tractusx-connector-memory/README.md
+++ b/charts/tractusx-connector-memory/README.md
@@ -6,39 +6,44 @@ A Helm chart for Tractus-X Eclipse Data Space Connector based on memory. Please **Homepage:** -This chart uses an in-memory secrets vault, which is required to contain the following secrets on application start: +## Setting up SSI -- `daps-cert`: contains the x509 certificate of the connector. -- `daps-key`: the private key of the x509 certificate +### Preconditions -These must be obtained from a DAPS instance, the process of which is out of the scope of this document. Alternatively, -self-signed certificates can be used for testing: +- the Managed Identity Walled (MIW) must be running and reachable via network +- the necessary set of VerifiableCredentials for this participant must be pushed to MIW. This is typically done by the + Portal during participant onboarding +- KeyCloak must be running and reachable via network +- an account with KeyCloak must be created for this BPN and the connector must be able to obtain access tokens +- the client ID and client secret corresponding to that account must be known -```shell -openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout daps.key -out daps.cert -subj "/CN=test" -export DAPS_KEY="$(cat daps.key)" -export DAPS_CERT="$(cat daps.cert)" -``` +### Preparatory work + +- store your KeyCloak client secret in the HashiCorp vault. The exact procedure will depend on your deployment of HashiCorp Vault and + is out of scope of this document. But by default, Tractus-X EDC expects to find the secret under `secret/client-secret`. -## Launching the application +### Configure the chart -The in-memory vault can be seeded directly with secrets that are passed in `:;:;...` format. -This config value can be passed to the runtime using the `vault.secrets` parameter. In addition, the runtime requires a -couple of configuration parameters, all of which can be found in the section below. 
Please also consider using -[this example configuration](https://github.com/eclipse-tractusx/tractusx-edc/blob/main/edc-tests/deployment/src/main/resources/helm/tractusx-connector-memory-test.yaml) -to launch the application. +Be sure to provide the following configuration entries to your Tractus-X EDC Helm chart: +- `runtime.ssi.miw.url`: the URL +- `runtime.ssi.miw.authorityId`: the BPN of the issuer authority +- `runtime.ssi.oauth.tokenurl`: the URL (of KeyCloak), where access tokens can be obtained +- `runtime.ssi.oauth.client.id`: client ID for KeyCloak +- `runtime.ssi.oauth.client.secretAlias`: the alias under which the client secret is stored in the vault. Defaults to `client-secret`. +### Launching the application + +As an easy starting point, please consider using [this example configuration](https://github.com/eclipse-tractusx/tractusx-edc/blob/main/edc-tests/deployment/src/main/resources/helm/tractusx-connector-test.yaml) +to launch the application. The configuration values mentioned above (`controlplane.ssi.*`) will have to be adapted manually. Combined, run this shell command to start the in-memory Tractus-X EDC runtime: ```shell helm repo add tractusx-edc https://eclipse-tractusx.github.io/charts/dev helm install my-release tractusx-edc/tractusx-connector-memory --version 0.5.0-rc1 \ -f /tractusx-connector-memory-test.yaml \ - --set vault.secrets="daps-cert:$DAPS_CERT;daps-key:$DAPS_KEY" \ + --set vault.secrets="client-secret:$YOUR_CLIENT_SECRET" ``` -Note that `DAPS_CERT` contains the x509 certificate, `DAPS_KEY` contains the private key. - ## Source Code * 
@@ -157,7 +162,6 @@ Note that `DAPS_CERT` contains the x509 certificate, `DAPS_KEY` contains the pri
 | runtime.securityContext.runAsUser | int | `10001` | The container's process will run with the specified uid |
 | runtime.service.annotations | object | `{}` | |
 | runtime.service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. |
-| runtime.ssi.endpoint.audience | string | `"http://this.audience"` | |
 | runtime.ssi.miw.authorityId | string | `""` | |
 | runtime.ssi.miw.url | string | `""` | |
 | runtime.ssi.oauth.client.id | string | `""` | |
diff --git a/charts/tractusx-connector-memory/README.md.gotmpl b/charts/tractusx-connector-memory/README.md.gotmpl
index f67920699..a096c3d99 100644
--- a/charts/tractusx-connector-memory/README.md.gotmpl
+++ b/charts/tractusx-connector-memory/README.md.gotmpl
@@ -8,39 +8,46 @@ {{ template "chart.homepageLine" . }} -This chart uses an in-memory secrets vault, which is required to contain the following secrets on application start: +## Setting up SSI -- `daps-cert`: contains the x509 certificate of the connector. -- `daps-key`: the private key of the x509 certificate +### Preconditions -These must be obtained from a DAPS instance, the process of which is out of the scope of this document. Alternatively, -self-signed certificates can be used for testing: +- the Managed Identity Walled (MIW) must be running and reachable via network +- the necessary set of VerifiableCredentials for this participant must be pushed to MIW. This is typically done by the + Portal during participant onboarding +- KeyCloak must be running and reachable via network +- an account with KeyCloak must be created for this BPN and the connector must be able to obtain access tokens +- the client ID and client secret corresponding to that account must be known + +### Preparatory work + +- store your KeyCloak client secret in the HashiCorp vault. The exact procedure will depend on your deployment of HashiCorp Vault and + is out of scope of this document. But by default, Tractus-X EDC expects to find the secret under `secret/client-secret`. -```shell -openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout daps.key -out daps.cert -subj "/CN=test" -export DAPS_KEY="$(cat daps.key)" -export DAPS_CERT="$(cat daps.cert)" -``` -## Launching the application +### Configure the chart -The in-memory vault can be seeded directly with secrets that are passed in `:;:;...` format. -This config value can be passed to the runtime using the `vault.secrets` parameter. In addition, the runtime requires a -couple of configuration parameters, all of which can be found in the section below. 
Please also consider using -[this example configuration](https://github.com/eclipse-tractusx/tractusx-edc/blob/main/edc-tests/deployment/src/main/resources/helm/tractusx-connector-memory-test.yaml) -to launch the application. +Be sure to provide the following configuration entries to your Tractus-X EDC Helm chart: +- `runtime.ssi.miw.url`: the URL +- `runtime.ssi.miw.authorityId`: the BPN of the issuer authority +- `runtime.ssi.oauth.tokenurl`: the URL (of KeyCloak), where access tokens can be obtained +- `runtime.ssi.oauth.client.id`: client ID for KeyCloak +- `runtime.ssi.oauth.client.secretAlias`: the alias under which the client secret is stored in the vault. Defaults to `client-secret`. + +### Launching the application + +As an easy starting point, please consider using [this example configuration](https://github.com/eclipse-tractusx/tractusx-edc/blob/main/edc-tests/deployment/src/main/resources/helm/tractusx-connector-test.yaml) +to launch the application. The configuration values mentioned above (`controlplane.ssi.*`) will have to be adapted manually. Combined, run this shell command to start the in-memory Tractus-X EDC runtime: ```shell helm repo add tractusx-edc https://eclipse-tractusx.github.io/charts/dev helm install my-release tractusx-edc/tractusx-connector-memory --version {{ .Version }} \ -f /tractusx-connector-memory-test.yaml \ - --set vault.secrets="daps-cert:$DAPS_CERT;daps-key:$DAPS_KEY" \ + --set vault.secrets="client-secret:$YOUR_CLIENT_SECRET" ``` -Note that `DAPS_CERT` contains the x509 certificate, `DAPS_KEY` contains the private key. - {{ template "chart.maintainersSection" . }} {{ template "chart.sourcesSection" . }} diff --git a/charts/tractusx-connector-memory/values.yaml b/charts/tractusx-connector-memory/values.yaml index b0b9b2351..199eabc01 100644 --- a/charts/tractusx-connector-memory/values.yaml +++ b/charts/tractusx-connector-memory/values.yaml 
@@ -138,8 +138,6 @@ runtime: client: id: "" secretAlias: "client-secret" - endpoint: - audience: "http://this.audience" service: # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service.
diff --git a/charts/tractusx-connector/README.md b/charts/tractusx-connector/README.md
index 161996f33..49d92abc9 100644
--- a/charts/tractusx-connector/README.md
+++ b/charts/tractusx-connector/README.md
@@ -9,30 +9,35 @@ This chart is intended for use with an _existing_ PostgreSQL database and an _ex **Homepage:** -This chart uses Hashicorp Vault, which is expected to contain the following secrets on application start: +## Setting up SSI -- `daps-cert`: contains the x509 certificate of the connector. -- `daps-key`: the private key of the x509 certificate -- `aes-keys`: a 128bit, 256bit or 512bit string used to encrypt data. Must be stored in base64 format. +### Preconditions -These must be obtained from a DAPS instance, the process of which is out of the scope of this document. Alternatively, -self-signed certificates can be used for testing: +- the Managed Identity Walled (MIW) must be running and reachable via network +- the necessary set of VerifiableCredentials for this participant must be pushed to MIW. This is typically done by the + Portal during participant onboarding +- KeyCloak must be running and reachable via network +- an account with KeyCloak must be created for this BPN and the connector must be able to obtain access tokens +- the client ID and client secret corresponding to that account must be known -```shell -openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout daps.key -out daps.cert -subj "/CN=test" -export DAPS_KEY="$(cat daps.key)" -export DAPS_CERT="$(cat daps.cert)" -``` +### Preparatory work + +- store your KeyCloak client secret in the HashiCorp vault. The exact procedure will depend on your deployment of HashiCorp Vault and + is out of scope of this document. But by default, Tractus-X EDC expects to find the secret under `secret/client-secret`. 
-## Launching the application +### Configure the chart -The following requirements must be met before launching the application: +Be sure to provide the following configuration entries to your Tractus-X EDC Helm chart: +- `controlplane.ssi.miw.url`: the URL +- `controlplane.ssi.miw.authorityId`: the BPN of the issuer authority +- `controlplane.ssi.oauth.tokenurl`: the URL (of KeyCloak), where access tokens can be obtained +- `controlplane.ssi.oauth.client.id`: client ID for KeyCloak +- `controlplane.ssi.oauth.client.secretAlias`: the alias under which the client secret is stored in the vault. Defaults to `client-secret`. -- Write access to a HashiCorp Vault instance is required to run this chart -- Secrets are seeded in advance +### Launching the application -Please also consider using [this example configuration](https://github.com/eclipse-tractusx/tractusx-edc/blob/main/edc-tests/deployment/src/main/resources/helm/tractusx-connector-test.yaml) -to launch the application. +As an easy starting point, please consider using [this example configuration](https://github.com/eclipse-tractusx/tractusx-edc/blob/main/edc-tests/deployment/src/main/resources/helm/tractusx-connector-test.yaml) +to launch the application. The configuration values mentioned above (`controlplane.ssi.*`) will have to be adapted manually. Combined, run this shell command to start the in-memory Tractus-X EDC runtime: ```shell 
@@ -154,7 +159,6 @@ helm install my-release tractusx-edc/tractusx-connector --version 0.5.0-rc1 \
 | controlplane.securityContext.runAsUser | int | `10001` | The container's process will run with the specified uid |
 | controlplane.service.annotations | object | `{}` | |
 | controlplane.service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. |
-| controlplane.ssi.endpoint.audience | string | `"http://this.audience"` | |
 | controlplane.ssi.miw.authorityId | string | `""` | |
 | controlplane.ssi.miw.url | string | `""` | |
 | controlplane.ssi.oauth.client.id | string | `""` | |
diff --git a/charts/tractusx-connector/README.md.gotmpl b/charts/tractusx-connector/README.md.gotmpl
index 210216e6c..195706caf 100644
--- a/charts/tractusx-connector/README.md.gotmpl
+++ b/charts/tractusx-connector/README.md.gotmpl
@@ -8,30 +8,37 @@ {{ template "chart.homepageLine" . }} -This chart uses Hashicorp Vault, which is expected to contain the following secrets on application start: +## Setting up SSI -- `daps-cert`: contains the x509 certificate of the connector. -- `daps-key`: the private key of the x509 certificate -- `aes-keys`: a 128bit, 256bit or 512bit string used to encrypt data. Must be stored in base64 format. +### Preconditions -These must be obtained from a DAPS instance, the process of which is out of the scope of this document. Alternatively, -self-signed certificates can be used for testing: +- the Managed Identity Walled (MIW) must be running and reachable via network +- the necessary set of VerifiableCredentials for this participant must be pushed to MIW. This is typically done by the + Portal during participant onboarding +- KeyCloak must be running and reachable via network +- an account with KeyCloak must be created for this BPN and the connector must be able to obtain access tokens +- the client ID and client secret corresponding to that account must be known -```shell -openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout daps.key -out daps.cert -subj "/CN=test" -export DAPS_KEY="$(cat daps.key)" -export DAPS_CERT="$(cat daps.cert)" -``` +### Preparatory work + +- store your KeyCloak client secret in the HashiCorp vault. The exact procedure will depend on your deployment of HashiCorp Vault and + is out of scope of this document. But by default, Tractus-X EDC expects to find the secret under `secret/client-secret`. 
+ + +### Configure the chart -## Launching the application +Be sure to provide the following configuration entries to your Tractus-X EDC Helm chart: +- `controlplane.ssi.miw.url`: the URL +- `controlplane.ssi.miw.authorityId`: the BPN of the issuer authority +- `controlplane.ssi.oauth.tokenurl`: the URL (of KeyCloak), where access tokens can be obtained +- `controlplane.ssi.oauth.client.id`: client ID for KeyCloak +- `controlplane.ssi.oauth.client.secretAlias`: the alias under which the client secret is stored in the vault. Defaults to `client-secret`. -The following requirements must be met before launching the application: -- Write access to a HashiCorp Vault instance is required to run this chart -- Secrets are seeded in advance +### Launching the application -Please also consider using [this example configuration](https://github.com/eclipse-tractusx/tractusx-edc/blob/main/edc-tests/deployment/src/main/resources/helm/tractusx-connector-test.yaml) -to launch the application. +As an easy starting point, please consider using [this example configuration](https://github.com/eclipse-tractusx/tractusx-edc/blob/main/edc-tests/deployment/src/main/resources/helm/tractusx-connector-test.yaml) +to launch the application. The configuration values mentioned above (`controlplane.ssi.*`) will have to be adapted manually. Combined, run this shell command to start the in-memory Tractus-X EDC runtime: ```shell diff --git a/charts/tractusx-connector/values.yaml b/charts/tractusx-connector/values.yaml index 21b4a4edc..1960d08c2 100644 --- a/charts/tractusx-connector/values.yaml +++ b/charts/tractusx-connector/values.yaml @@ -140,8 +140,6 @@ controlplane: client: id: "" secretAlias: "client-secret" - endpoint: - audience: "http://this.audience" service: # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service.