From badb46d7d90232d661665a33410c3f11d210a401 Mon Sep 17 00:00:00 2001 From: rohit-smartsensesolutions Date: Thu, 22 Aug 2024 16:54:50 +0530 Subject: [PATCH] feat: Helm charts for revocation service --- charts/managed-identity-wallet/.gitignore | 3 +- charts/managed-identity-wallet/Chart.lock | 24 +- charts/managed-identity-wallet/Chart.yaml | 11 +- charts/managed-identity-wallet/README.md | 290 ++++++++------- .../templates/NOTES.txt | 5 +- .../templates/_helpers.tpl | 35 ++ .../{deployment.yaml => miw-deployment.yaml} | 10 +- .../{ingress.yaml => miw-ingress.yaml} | 4 +- .../{secret.yaml => miw-secret.yaml} | 4 +- .../{service.yaml => miw-service.yaml} | 4 +- .../templates/networkpolicy.yaml | 4 +- .../templates/pgAdmin-server-definitions.yaml | 2 +- .../templates/psql-pv.yaml | 11 + .../templates/vcrs-configmap.yaml | 27 ++ .../templates/vcrs-deployment.yaml | 83 +++++ .../templates/vcrs-ingress.yaml | 80 +++++ .../templates/vcrs-secrets.yaml | 27 ++ .../templates/vcrs-service.yaml | 32 ++ charts/managed-identity-wallet/values.yaml | 332 +++++++++++++----- 19 files changed, 748 insertions(+), 240 deletions(-) rename charts/managed-identity-wallet/templates/{deployment.yaml => miw-deployment.yaml} (96%) rename charts/managed-identity-wallet/templates/{ingress.yaml => miw-ingress.yaml} (96%) rename charts/managed-identity-wallet/templates/{secret.yaml => miw-secret.yaml} (94%) rename charts/managed-identity-wallet/templates/{service.yaml => miw-service.yaml} (92%) create mode 100644 charts/managed-identity-wallet/templates/psql-pv.yaml create mode 100644 charts/managed-identity-wallet/templates/vcrs-configmap.yaml create mode 100644 charts/managed-identity-wallet/templates/vcrs-deployment.yaml create mode 100644 charts/managed-identity-wallet/templates/vcrs-ingress.yaml create mode 100644 charts/managed-identity-wallet/templates/vcrs-secrets.yaml create mode 100644 charts/managed-identity-wallet/templates/vcrs-service.yaml 
diff --git a/charts/managed-identity-wallet/.gitignore b/charts/managed-identity-wallet/.gitignore
index ee3892e87..7639ceec9 100644
--- a/charts/managed-identity-wallet/.gitignore
+++ b/charts/managed-identity-wallet/.gitignore
@@ -1 +1,2 @@
-charts/
+charts/pgadmin4
+**/charts/*.tgz
\ No newline at end of file
diff --git a/charts/managed-identity-wallet/Chart.lock b/charts/managed-identity-wallet/Chart.lock
index ef26fd56f..5f15f8b4c 100644
--- a/charts/managed-identity-wallet/Chart.lock
+++ b/charts/managed-identity-wallet/Chart.lock
@@ -1,15 +1,15 @@
 dependencies:
-- name: keycloak
- repository: https://charts.bitnami.com/bitnami
- version: 15.1.6
-- name: common
- repository: https://charts.bitnami.com/bitnami
- version: 2.13.3
-- name: postgresql
- repository: https://charts.bitnami.com/bitnami
- version: 11.9.13
-- name: pgadmin4
- repository: file://charts/pgadmin4
- version: 1.19.0
+ - name: keycloak
+ repository: https://charts.bitnami.com/bitnami
+ version: 22.1.0
+ - name: common
+ repository: https://charts.bitnami.com/bitnami
+ version: 2.13.3
+ - name: postgresql
+ repository: https://charts.bitnami.com/bitnami
+ version: 11.9.13
+ - name: pgadmin4
+ repository: file://charts/pgadmin4
+ version: 1.19.0
 digest: sha256:fb94864221b4fed31894b48ac56b72a2324da0dc1cb1d6888cc52c3490685df7
 generated: "2023-12-15T10:30:41.880265+01:00"
diff --git a/charts/managed-identity-wallet/Chart.yaml b/charts/managed-identity-wallet/Chart.yaml
index 78627ee42..d782405a3 100644
--- a/charts/managed-identity-wallet/Chart.yaml
+++ b/charts/managed-identity-wallet/Chart.yaml
@@ -22,7 +22,6 @@ name: managed-identity-wallet description: | Managed Identity Wallet is supposed to supply a secure data source and data sink for Digital Identity Documents (DID), in order to enable Self-Sovereign Identity founding on those DIDs. And at the same it shall support an uninterrupted tracking and tracing and documenting the usage of those DIDs, e.g. within logistical supply chains. - type: application version: 1.0.0-develop.4 @@ -32,18 +31,15 @@ home: https://github.com/eclipse-tractusx/managed-identity-wallet keywords: - Managed Identity Wallet - eclipse-tractusx - sources: - https://github.com/eclipse-tractusx/managed-identity-wallet - maintainers: - name: Dominik Pinsel email: dominik.pinsel@mercedes-benz.com url: https://github.com/DominikPinsel - dependencies: - name: keycloak - version: 15.1.6 + version: 22.1.0 repository: https://charts.bitnami.com/bitnami condition: keycloak.enabled - name: common @@ -52,11 +48,10 @@ dependencies: - bitnami-common version: 2.x.x - name: postgresql - version: 11.9.13 + version: "16.x.x" repository: https://charts.bitnami.com/bitnami condition: postgresql.enabled - name: pgadmin4 - repository: file://charts/pgadmin4 # https://helm.runix.net - # License: https://github.com/rowanruseler/helm-charts/blob/main/LICENSE + repository: file://charts/pgadmin4 version: 1.19.0 condition: pgadmin4.enabled diff --git a/charts/managed-identity-wallet/README.md b/charts/managed-identity-wallet/README.md index 3984b37fb..c2ee872be 100644 --- a/charts/managed-identity-wallet/README.md +++ b/charts/managed-identity-wallet/README.md 
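Review bot: The postgresql dependency is changed to the floating range `version: "16.x.x"` while the Chart.lock hunk in this same patch still records `postgresql 11.9.13` under an unchanged `digest` and `generated` timestamp, so the lock was hand-edited rather than regenerated and `helm dependency build` will most likely report it as out of sync with Chart.yaml — and a wildcard range means the subchart that gets pulled is not the one that was tested. Pin an exact postgresql version (the one the VCRS database setup was actually validated against) and regenerate the lock with `helm dependency update` so the resolved subchart and its digest are reproducible and auditable. The keycloak bump from 15.1.6 to 22.1.0 spans several major versions; nothing in the hunk says which of this chart's realm/keycloakConfigCli values were re-validated against it, which is worth a one-line note in the commit or Chart.yaml. The pgadmin4 entry also loses the `# https://helm.runix.net` / `# License: …` attribution for the vendored third-party chart; keep that notice next to the dependency, since the vendored copy is no longer traceable to its origin without it.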
@@ -1,6 +1,6 @@ -# managed-identity-wallet +# Managed Identity Wallet - Verifiable Credential Revocation Service ![Version: 1.0.0-develop.4](https://img.shields.io/badge/Version-1.0.0--develop.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0-develop.4](https://img.shields.io/badge/AppVersion-1.0.0--develop.4-informational?style=flat-square) @@ -41,9 +41,7 @@ And at the same it shall support an uninterrupted tracking and tracing and docum ### Install Chart - helm install [RELEASE_NAME] tractusx-dev/managed-identity-wallet - - helm install [RELEASE_NAME] tractusx-stable/managed-identity-wallet + helm install [RELEASE_NAME] charts/managed-identity-wallet

(back to top)

@@ -75,124 +73,179 @@ See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command document ## Requirements -| Repository | Name | Version | -|------------|------|---------| -| file://charts/pgadmin4 | pgadmin4 | 1.19.0 | -| https://charts.bitnami.com/bitnami | common | 2.x.x | -| https://charts.bitnami.com/bitnami | keycloak | 15.1.6 | +| Repository | Name | Version | +| ---------------------------------- | ---------- | ------- | +| file://charts/pgadmin4 | pgadmin4 | 1.19.0 | +| https://charts.bitnami.com/bitnami | common | 2.x.x | +| https://charts.bitnami.com/bitnami | keycloak | 15.1.6 | | https://charts.bitnami.com/bitnami | postgresql | 11.9.13 |

(back to top)

## Values -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| affinity | object | `{}` | Affinity configuration | -| envs | object | `{}` | envs Parameters for the application (will be provided as environment variables) | -| extraVolumeMounts | list | `[]` | add volume mounts to the miw deployment | -| extraVolumes | list | `[]` | add volumes to the miw deployment | -| fullnameOverride | string | `""` | String to fully override common.names.fullname template | -| image.pullPolicy | string | `"Always"` | PullPolicy | -| image.repository | string | `"tractusx/managed-identity-wallet"` | Image repository | -| image.tag | string | `""` | Image tag (empty one will use "appVersion" value from chart definition) | -| ingress.annotations | object | `{}` | Ingress annotations | -| ingress.enabled | bool | `false` | Enable ingress controller resource | -| ingress.hosts | list | `[]` | Ingress accepted hostnames | -| ingress.tls | list | `[]` | Ingress TLS configuration | -| initContainers | list | `[]` | add initContainers to the miw deployment | -| keycloak.auth.adminPassword | string | `""` | Keycloak admin password | -| keycloak.auth.adminUser | string | `"admin"` | Keycloak admin user | -| keycloak.enabled | bool | `true` | Enable to deploy Keycloak | -| keycloak.extraEnvVars | list | `[]` | Extra environment variables | -| keycloak.ingress.annotations | object | `{}` | | -| keycloak.ingress.enabled | bool | `false` | | -| keycloak.ingress.hosts | list | `[]` | | -| keycloak.ingress.tls | list | `[]` | | -| keycloak.keycloakConfigCli.backoffLimit | int | `2` | Number of retries before considering a Job as failed | -| keycloak.keycloakConfigCli.enabled | bool | `true` | Enable to create the miw playground realm | -| keycloak.keycloakConfigCli.existingConfigmap | string | `"keycloak-realm-config"` | Existing configmap name for the realm configuration | -| keycloak.postgresql.auth.database | string | `"miw_keycloak"` | Database name | -| 
keycloak.postgresql.auth.password | string | `""` | KeycloakPostgresql password to set (if empty one is generated) | -| keycloak.postgresql.auth.username | string | `"miw_keycloak"` | Keycloak PostgreSQL user | -| keycloak.postgresql.enabled | bool | `true` | Enable to deploy PostgreSQL | -| keycloak.postgresql.nameOverride | string | `"keycloak-postgresql"` | Name of the PostgreSQL chart to deploy. Mandatory when the MIW deploys a PostgreSQL chart, too. | -| livenessProbe | object | `{"enabled":true,"failureThreshold":3,"initialDelaySeconds":20,"periodSeconds":5,"timeoutSeconds":15}` | Kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) | -| livenessProbe.enabled | bool | `true` | Enables/Disables the livenessProbe at all | -| livenessProbe.failureThreshold | int | `3` | When a probe fails, Kubernetes will try failureThreshold times before giving up. Giving up in case of liveness probe means restarting the container. | -| livenessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before readiness probe are initiated. | -| livenessProbe.periodSeconds | int | `5` | How often (in seconds) to perform the probe | -| livenessProbe.timeoutSeconds | int | `15` | Number of seconds after which the probe times out. | -| miw.authorityWallet.bpn | string | `"BPNL000000000000"` | Authority Wallet BPNL | -| miw.authorityWallet.name | string | `""` | Authority Wallet Name | -| miw.database.encryptionKey.secret | string | `""` | Existing secret for database encryption key | -| miw.database.encryptionKey.secretKey | string | `""` | Existing secret key for database encryption key | -| miw.database.encryptionKey.value | string | `""` | Database encryption key for confidential data. Ignored if `secret` is set. If empty a secret with 32 random alphanumeric chars is generated. 
| -| miw.database.host | string | `"{{ .Release.Name }}-postgresql"` | Database host | -| miw.database.name | string | `"miw_app"` | Database name | -| miw.database.port | int | `5432` | Database port | -| miw.database.secret | string | `"{{ .Release.Name }}-postgresql"` | Existing secret name for the database password | -| miw.database.secretPasswordKey | string | `"password"` | Existing secret key for the database password | -| miw.database.useSSL | bool | `false` | Set to true to enable SSL connection to the database | -| miw.database.user | string | `"miw"` | Database user | -| miw.environment | string | `"dev"` | Runtime environment. Should be ether local, dev, int or prod | -| miw.host | string | `"{{ .Release.Name }}-managed-identity-wallet:8080"` | Host name | -| miw.keycloak.clientId | string | `"miw_private_client"` | Keycloak client id | -| miw.keycloak.realm | string | `"miw_test"` | Keycloak realm | -| miw.keycloak.url | string | `"http://{{ .Release.Name }}-keycloak"` | Keycloak URL | -| miw.logging.level | string | `"INFO"` | Log level. Should be ether ERROR, WARN, INFO, DEBUG, or TRACE. | -| miw.ssi.enforceHttpsInDidWebResolution | bool | `true` | Enable to use HTTPS in DID Web Resolution | -| miw.ssi.vcExpiryDate | string | `""` | Verifiable Credential expiry date. Format 'dd-MM-yyyy'. 
If empty it is set to 31-12- | -| nameOverride | string | `""` | String to partially override common.names.fullname template (will maintain the release name) | -| networkPolicy.enabled | bool | `false` | If `true` network policy will be created to restrict access to managed-identity-wallet | -| networkPolicy.from | list | `[{"namespaceSelector":{}}]` | Specify from rule network policy for miw (defaults to all namespaces) | -| nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector configuration | -| pgadmin4.enabled | bool | `false` | Enable to deploy pgAdmin | -| pgadmin4.env.email | string | `"admin@miw.com"` | Preset the admin user email | -| pgadmin4.env.password | string | `"very-secret-password"` | preset password (there is no auto-generated password) | -| pgadmin4.extraServerDefinitions.enabled | bool | `true` | enable the predefined server for pgadmin | -| pgadmin4.extraServerDefinitions.servers | object | `{}` | See [here](https://github.com/rowanruseler/helm-charts/blob/9b970b2e419c2300dfbb3f827a985157098a0287/charts/pgadmin4/values.yaml#L84) how to configure the predefined servers | -| pgadmin4.ingress.annotations | object | `{}` | | -| pgadmin4.ingress.enabled | bool | `false` | Enagle pgAdmin ingress | -| pgadmin4.ingress.hosts | list | `[]` | See [here](https://github.com/rowanruseler/helm-charts/blob/9b970b2e419c2300dfbb3f827a985157098a0287/charts/pgadmin4/values.yaml#L104) how to configure the ingress host(s) | -| pgadmin4.ingress.tls | list | `[]` | See [here](https://github.com/rowanruseler/helm-charts/blob/9b970b2e419c2300dfbb3f827a985157098a0287/charts/pgadmin4/values.yaml#L109) how to configure tls for the ingress host(s) | -| podAnnotations | object | `{}` | PodAnnotation configuration | -| podSecurityContext | object | `{}` | PodSecurityContext | -| postgresql.auth.database | string | `"miw_app"` | Postgresql database to create | -| postgresql.auth.enablePostgresUser | bool | `false` | Enable postgresql admin user | -| 
postgresql.auth.password | string | `""` | Postgresql password to set (if empty one is generated) | -| postgresql.auth.postgresPassword | string | `""` | Postgresql admin user password | -| postgresql.auth.username | string | `"miw"` | Postgresql user to create | -| postgresql.backup.cronjob.schedule | string | `"* */6 * * *"` | Backup schedule | -| postgresql.backup.cronjob.storage.existingClaim | string | `""` | Name of an existing PVC to use | -| postgresql.backup.cronjob.storage.resourcePolicy | string | `"keep"` | Set resource policy to "keep" to avoid removing PVCs during a helm delete operation | -| postgresql.backup.cronjob.storage.size | string | `"8Gi"` | PVC Storage Request for the backup data volume | -| postgresql.backup.enabled | bool | `false` | Enable to create a backup cronjob | -| postgresql.enabled | bool | `true` | Enable to deploy Postgresql | -| readinessProbe | object | `{"enabled":true,"failureThreshold":3,"initialDelaySeconds":30,"periodSeconds":5,"successThreshold":1,"timeoutSeconds":5}` | Kubernetes [readiness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) | -| readinessProbe.enabled | bool | `true` | Enables/Disables the readinessProbe at all | -| readinessProbe.failureThreshold | int | `3` | When a probe fails, Kubernetes will try failureThreshold times before giving up. In case of readiness probe the Pod will be marked Unready. | -| readinessProbe.initialDelaySeconds | int | `30` | Number of seconds after the container has started before readiness probe are initiated. | -| readinessProbe.periodSeconds | int | `5` | How often (in seconds) to perform the probe | -| readinessProbe.successThreshold | int | `1` | Minimum consecutive successes for the probe to be considered successful after having failed. | -| readinessProbe.timeoutSeconds | int | `5` | Number of seconds after which the probe times out. 
| -| replicaCount | int | `1` | The amount of replicas to run | -| resources.limits.cpu | int | `2` | CPU resource limits | -| resources.limits.memory | string | `"1Gi"` | Memory resource limits | -| resources.requests.cpu | string | `"250m"` | CPU resource requests | -| resources.requests.memory | string | `"500Mi"` | Memory resource requests | -| secrets | object | `{}` | Parameters for the application (will be stored as secrets - so, for passwords, ...) | -| securityContext.allowPrivilegeEscalation | bool | `false` | Allow privilege escalation | -| securityContext.privileged | bool | `false` | Enable privileged container | -| securityContext.runAsGroup | int | `11111` | Group ID used to run the container | -| securityContext.runAsNonRoot | bool | `true` | Enable to run the container as a non-root user | -| securityContext.runAsUser | int | `11111` | User ID used to run the container | -| service.port | int | `8080` | Kubernetes Service port | -| service.type | string | `"ClusterIP"` | Kubernetes Service type | -| serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount | -| serviceAccount.create | bool | `true` | Enable creation of ServiceAccount | -| serviceAccount.name | string | `""` | The name of the ServiceAccount to use. 
| -| tolerations | list | `[]` | Tolerations configuration | +| Key | Type | Default | Description | +| ------------------------------------------------ | ------ | -------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| affinity | object | `{}` | Affinity configuration | +| envs | object | `{}` | envs Parameters for the application (will be provided as environment variables) | +| extraVolumeMounts | list | `[]` | add volume mounts to the miw deployment | +| extraVolumes | list | `[]` | add volumes to the miw deployment | +| fullnameOverride | string | `""` | String to fully override common.names.fullname template | +| image.pullPolicy | string | `"Always"` | PullPolicy | +| image.repository | string | `"tractusx/managed-identity-wallet"` | Image repository | +| image.tag | string | `""` | Image tag (empty one will use "appVersion" value from chart definition) | +| ingress.annotations | object | `{}` | Ingress annotations | +| ingress.enabled | bool | `false` | Enable ingress controller resource | +| ingress.hosts | list | `[]` | Ingress accepted hostnames | +| ingress.tls | list | `[]` | Ingress TLS configuration | +| initContainers | list | `[]` | add initContainers to the miw deployment | +| keycloak.auth.adminPassword | string | `""` | Keycloak admin password | +| keycloak.auth.adminUser | string | `"admin"` | Keycloak admin user | +| keycloak.enabled | bool | `true` | Enable to deploy Keycloak | +| keycloak.extraEnvVars | list | `[]` | Extra environment variables | +| keycloak.ingress.annotations | object | `{}` | | +| keycloak.ingress.enabled | bool | `false` | | +| keycloak.ingress.hosts | list | `[]` | | +| keycloak.ingress.tls | list | `[]` | | +| keycloak.keycloakConfigCli.backoffLimit | int | `2` | Number 
of retries before considering a Job as failed | +| keycloak.keycloakConfigCli.enabled | bool | `true` | Enable to create the miw playground realm | +| keycloak.keycloakConfigCli.existingConfigmap | string | `"keycloak-realm-config"` | Existing configmap name for the realm configuration | +| keycloak.postgresql.auth.database | string | `"miw_keycloak"` | Database name | +| keycloak.postgresql.auth.password | string | `""` | KeycloakPostgresql password to set (if empty one is generated) | +| keycloak.postgresql.auth.username | string | `"miw_keycloak"` | Keycloak PostgreSQL user | +| keycloak.postgresql.enabled | bool | `true` | Enable to deploy PostgreSQL | +| keycloak.postgresql.nameOverride | string | `"keycloak-postgresql"` | Name of the PostgreSQL chart to deploy. Mandatory when the MIW deploys a PostgreSQL chart, too. | +| livenessProbe | object | `{"enabled":true,"failureThreshold":3,"initialDelaySeconds":20,"periodSeconds":5,"timeoutSeconds":15}` | Kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) | +| livenessProbe.enabled | bool | `true` | Enables/Disables the livenessProbe at all | +| livenessProbe.failureThreshold | int | `3` | When a probe fails, Kubernetes will try failureThreshold times before giving up. Giving up in case of liveness probe means restarting the container. | +| livenessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before readiness probe are initiated. | +| livenessProbe.periodSeconds | int | `5` | How often (in seconds) to perform the probe | +| livenessProbe.timeoutSeconds | int | `15` | Number of seconds after which the probe times out. 
| +| miw.authorityWallet.bpn | string | `"BPNL000000000000"` | Authority Wallet BPNL | +| miw.authorityWallet.name | string | `""` | Authority Wallet Name | +| miw.database.encryptionKey.secret | string | `""` | Existing secret for database encryption key | +| miw.database.encryptionKey.secretKey | string | `""` | Existing secret key for database encryption key | +| miw.database.encryptionKey.value | string | `""` | Database encryption key for confidential data. Ignored if `secret` is set. If empty a secret with 32 random alphanumeric chars is generated. | +| miw.database.host | string | `"{{ .Release.Name }}-postgresql"` | Database host | +| miw.database.name | string | `"miw_app"` | Database name | +| miw.database.port | int | `5432` | Database port | +| miw.database.secret | string | `"{{ .Release.Name }}-postgresql"` | Existing secret name for the database password | +| miw.database.secretPasswordKey | string | `""` | Existing secret key for the database password | +| miw.database.useSSL | bool | `false` | Set to true to enable SSL connection to the database | +| miw.database.user | string | `"miw"` | Database user | +| miw.environment | string | `"dev"` | Runtime environment. Should be ether local, dev, int or prod | +| miw.host | string | `"{{ .Release.Name }}-managed-identity-wallet:8080"` | Host name | +| miw.keycloak.clientId | string | `"miw_private_client"` | Keycloak client id | +| miw.keycloak.realm | string | `"miw_test"` | Keycloak realm | +| miw.keycloak.url | string | `"http://{{ .Release.Name }}-keycloak"` | Keycloak URL | +| miw.logging.level | string | `"INFO"` | Log level. Should be ether ERROR, WARN, INFO, DEBUG, or TRACE. | +| miw.ssi.enforceHttpsInDidWebResolution | bool | `true` | Enable to use HTTPS in DID Web Resolution | +| miw.ssi.vcExpiryDate | string | `""` | Verifiable Credential expiry date. Format 'dd-MM-yyyy'. 
If empty it is set to 31-12- | +| nameOverride | string | `""` | String to partially override common.names.fullname template (will maintain the release name) | +| networkPolicy.enabled | bool | `false` | If `true` network policy will be created to restrict access to managed-identity-wallet | +| networkPolicy.from | list | `[{"namespaceSelector":{}}]` | Specify from rule network policy for miw (defaults to all namespaces) | +| nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector configuration | +| pgadmin4.enabled | bool | `false` | Enable to deploy pgAdmin | +| pgadmin4.env.email | string | `"admin@miw.com"` | Preset the admin user email | +| pgadmin4.env.password | string | `"very-secret-password"` | preset password (there is no auto-generated password) | +| pgadmin4.extraServerDefinitions.enabled | bool | `true` | enable the predefined server for pgadmin | +| pgadmin4.extraServerDefinitions.servers | object | `{}` | See [here](https://github.com/rowanruseler/helm-charts/blob/9b970b2e419c2300dfbb3f827a985157098a0287/charts/pgadmin4/values.yaml#L84) how to configure the predefined servers | +| pgadmin4.ingress.annotations | object | `{}` | | +| pgadmin4.ingress.enabled | bool | `false` | Enagle pgAdmin ingress | +| pgadmin4.ingress.hosts | list | `[]` | See [here](https://github.com/rowanruseler/helm-charts/blob/9b970b2e419c2300dfbb3f827a985157098a0287/charts/pgadmin4/values.yaml#L104) how to configure the ingress host(s) | +| pgadmin4.ingress.tls | list | `[]` | See [here](https://github.com/rowanruseler/helm-charts/blob/9b970b2e419c2300dfbb3f827a985157098a0287/charts/pgadmin4/values.yaml#L109) how to configure tls for the ingress host(s) | +| podAnnotations | object | `{}` | PodAnnotation configuration | +| podSecurityContext | object | `{}` | PodSecurityContext | +| postgresql.auth.database | string | `"miw_app"` | Postgresql database to create | +| postgresql.auth.enablePostgresUser | bool | `false` | Enable postgresql admin user | +| 
postgresql.auth.password | string | `""` | Postgresql password to set (if empty one is generated) | +| postgresql.auth.postgresPassword | string | `""` | Postgresql admin user password | +| postgresql.auth.username | string | `"miw"` | Postgresql user to create | +| postgresql.backup.cronjob.schedule | string | `"* */6 * * *"` | Backup schedule | +| postgresql.backup.cronjob.storage.existingClaim | string | `""` | Name of an existing PVC to use | +| postgresql.backup.cronjob.storage.resourcePolicy | string | `"keep"` | Set resource policy to "keep" to avoid removing PVCs during a helm delete operation | +| postgresql.backup.cronjob.storage.size | string | `"8Gi"` | PVC Storage Request for the backup data volume | +| postgresql.backup.enabled | bool | `false` | Enable to create a backup cronjob | +| postgresql.enabled | bool | `true` | Enable to deploy Postgresql | +| readinessProbe | object | `{"enabled":true,"failureThreshold":3,"initialDelaySeconds":30,"periodSeconds":5,"successThreshold":1,"timeoutSeconds":5}` | Kubernetes [readiness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) | +| readinessProbe.enabled | bool | `true` | Enables/Disables the readinessProbe at all | +| readinessProbe.failureThreshold | int | `3` | When a probe fails, Kubernetes will try failureThreshold times before giving up. In case of readiness probe the Pod will be marked Unready. | +| readinessProbe.initialDelaySeconds | int | `30` | Number of seconds after the container has started before readiness probe are initiated. | +| readinessProbe.periodSeconds | int | `5` | How often (in seconds) to perform the probe | +| readinessProbe.successThreshold | int | `1` | Minimum consecutive successes for the probe to be considered successful after having failed. | +| readinessProbe.timeoutSeconds | int | `5` | Number of seconds after which the probe times out. 
| +| replicaCount | int | `1` | The amount of replicas to run | +| resources.limits.cpu | int | `2` | CPU resource limits | +| resources.limits.memory | string | `"1Gi"` | Memory resource limits | +| resources.requests.cpu | string | `"250m"` | CPU resource requests | +| resources.requests.memory | string | `"500Mi"` | Memory resource requests | +| secrets | object | `{}` | Parameters for the application (will be stored as secrets - so, for passwords, ...) | +| securityContext.allowPrivilegeEscalation | bool | `false` | Allow privilege escalation | +| securityContext.privileged | bool | `false` | Enable privileged container | +| securityContext.runAsGroup | int | `11111` | Group ID used to run the container | +| securityContext.runAsNonRoot | bool | `true` | Enable to run the container as a non-root user | +| securityContext.runAsUser | int | `11111` | User ID used to run the container | +| service.port | int | `8080` | Kubernetes Service port | +| service.type | string | `"ClusterIP"` | Kubernetes Service type | +| serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount | +| serviceAccount.create | bool | `true` | Enable creation of ServiceAccount | +| serviceAccount.name | string | `""` | The name of the ServiceAccount to use. 
| +| tolerations | list | `[]` | Tolerations configuration | +| vcrs.replicaCount | int | `1` | Number of replicas to run | +| vcrs.url | string | `"https://a888-203-129-213-107.ngrok-free.app"` | Application URL | +| vcrs.vcContexts | string | `"https://www.w3.org/2018/credentials/v1, https://cofinity-x.github.io/schema-registry/w3c/v1.0/BitstringStatusList.json"` | App VC context | +| vcrs.domain.url | string | `"https://977d-203-129-213-107.ngrok-free.app"` | App domain | +| vcrs.domain.host | string | `"localhost"` | The application name | +| vcrs.appName | string | `"verifiable-credential-revocation-service"` | The configmap name | +| vcrs.appPort | string | `"8081"` | The application port | +| vcrs.appProfile | string | `"local"` | The application profile | +| vcrs.applicationLogLevel | string | `"DEBUG"` | The application log level | +| vcrs.configName | string | `"verifiable-credential-revocation-service-config"` | The service name | +| vcrs.serviceName | string | `"verifiable-credential-revocation-service"` | The secret name | +| vcrs.secretName | string | `"verifiable-credential-revocation-service-secret"` | The secret name | +| vcrs.ingressName | string | `"verifiable-credential-revocation-service-ingress"` | Ingress name | +| vcrs.image.repository | string | `"docker.io/example"` | Image repository | +| vcrs.image.pullPolicy | string | `"IfNotPresent"` | PullPolicy | +| vcrs.image.tag | string | `"latest"` | Image tag (empty one will use "appVersion" value from chart definition) | +| vcrs.resources.requests.cpu | string | `"250m"` | CPU resource requests | +| vcrs.resources.requests.memory | string | `"512Mi"` | Memory resource requests | +| vcrs.resources.limits.cpu | string | `"500m"` | CPU resource limits | +| vcrs.resources.limits.memory | string | `"1Gi"` | Memory resource limits | +| vcrs.livenessProbe.enabled | bool | `true` | Enables/Disables the livenessProbe | +| vcrs.livenessProbe.failureThreshold | int | `5` | Failure threshold for liveness 
probe | +| vcrs.livenessProbe.initialDelaySeconds | int | `60` | Initial delay before liveness probe starts | +| vcrs.livenessProbe.timeoutSeconds | int | `30` | Timeout for liveness probe | +| vcrs.livenessProbe.periodSeconds | int | `15` | How often to perform liveness probe | +| vcrs.readinessProbe.enabled | bool | `true` | Enables/Disables the readinessProbe | +| vcrs.readinessProbe.failureThreshold | int | `5` | Failure threshold for readiness probe | +| vcrs.readinessProbe.initialDelaySeconds | int | `60` | Initial delay before readiness probe starts | +| vcrs.readinessProbe.timeoutSeconds | int | `15` | Timeout for readiness probe | +| vcrs.readinessProbe.periodSeconds | int | `15` | How often to perform readiness probe | +| vcrs.readinessProbe.successThreshold | int | `1` | Minimum consecutive successes for the readiness probe to be considered successful | +| vcrs.ingress.enabled | bool | `false` | Enable to deploy ingress | +| vcrs.ingress.tls | bool | `false` | TLS configuration for ingress | +| vcrs.ingress.urlPrefix | string | `/` | URL prefix for ingress | +| vcrs.ingress.className | string | `"nginx"` | Ingress class name | +| vcrs.ingress.annotations | object | `{}` | Ingress annotations | +| vcrs.ingress.service.type | string | `"ClusterIP"` | Kubernetes Service type | +| vcrs.ingress.service.port | int | `8081` | Kubernetes Service port | +| vcrs.database.databaseHost | string | `"managed-identity-wallet-postgresql"` | The Database Host | +| vcrs.database.databasePort | int | `5432` | The Database Port | +| vcrs.database.databaseName | string | `"vcrs_app"` | The Database Name | +| vcrs.database.databaseUseSSL | bool | `false` | The Database SSL | +| vcrs.database.databaseUsername | string | `"vcrs"` | The Database Username | +| vcrs.database.databaseConnectionPoolSize | int | `10` | The Database connection pool size | +| vcrs.database.databasepass | string | `""` | The Database password | +| vcrs.swagger.enableSwaggerUi | bool | `true` | Enable 
Swagger UI | +| vcrs.swagger.enableApiDoc | bool | `true` | Enable Swagger API Doc | +| vcrs.security.serviceSecurityEnabed | bool | `true` | Enable application security | +| vcrs.keycloak.enabled | bool | `false` | Enable Keycloak | +| vcrs.keycloak.keycloakRealm | string | `"miw_test"` | Keycloak Realm | +| vcrs.keycloak.clientId | string | `"miw_private_client"` | Keycloak Client ID | +| vcrs.keycloak.publicClientId | string | `"miw_public_client"` | Keycloak Public Client ID | +| vcrs.keycloak.authServerUrl | string | `"http://{{ .Release.Name }}-keycloak"` | Keycloak Auth Server URL | +| vcrs.logging.revocation | string | `"INFO"` | Logging method for revocation | + For more information on how to configure the Keycloak see - https://github.com/bitnami/charts/tree/main/bitnami/keycloak. @@ -260,9 +313,10 @@ when deploying the MIW in a production environment: ## Maintainers -| Name | Email | Url | -| ---- | ------ | --- | +| Name | Email | Url | +| -------------- | ---------------------------------- | ---------------------------------- | | Dominik Pinsel | | | +| Rohit Solanki | | |

(back to top)

diff --git a/charts/managed-identity-wallet/templates/NOTES.txt b/charts/managed-identity-wallet/templates/NOTES.txt
index ddfc099c9..2c3e36f93 100644
--- a/charts/managed-identity-wallet/templates/NOTES.txt
+++ b/charts/managed-identity-wallet/templates/NOTES.txt
@@ -17,6 +17,7 @@
 {{- else if contains "ClusterIP" .Values.service.type }}
 export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "managed-identity-wallet.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
 export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
- echo "Visit http://127.0.0.1:8080 to use your application"
- kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+ Visit http://127.0.0.1:8080 (MIW) and http://127.0.0.1:8081 (VCRS) to use your application
+ kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:8080
+ kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8081:8081
 {{- end }}
diff --git a/charts/managed-identity-wallet/templates/_helpers.tpl b/charts/managed-identity-wallet/templates/_helpers.tpl
index cf153767c..6fd0b2394 100644
--- a/charts/managed-identity-wallet/templates/_helpers.tpl
+++ b/charts/managed-identity-wallet/templates/_helpers.tpl
@@ -24,6 +24,10 @@ Expand the name of the chart.
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
+{{- define "verifiable-credential-revocation-service.name" -}}
+{{- default .Chart.Name .Values.vcrs.env.APPLICATION_NAME | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
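Review bot: The new `8081:8081` port-forward targets `$POD_NAME`, which the `kubectl get pods` line above selects with `app.kubernetes.io/name={{ include "managed-identity-wallet.name" . }}`, i.e. the MIW pod; the revocation service is rendered from the separate `vcrs-deployment.yaml` this patch adds (presumably labelled via the new `verifiable-credential-revocation-service.selectorLabels` helper), so forwarding 8081 from the MIW pod will not reach VCRS. Look up the VCRS pod by its own labels and forward from that: `export VCRS_POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "verifiable-credential-revocation-service.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")` followed by `kubectl --namespace {{ .Release.Namespace }} port-forward $VCRS_POD_NAME 8081:8081`. `$CONTAINER_PORT` is still exported but no longer used now that the MIW line hard-codes `8080:8080`; either drop that export or keep forwarding to it. The `{{- else if }}` branch this sits in starts before the hunk.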
@@ -42,6 +46,19 @@ If release name contains chart name it will be used as a full name.
 {{- end }}
 {{- end }}
 
+{{- define "verifiable-credential-revocation-service.fullname" -}}
+{{- if .Values.vcrs.env.APPLICATION_NAME }}
+{{- .Values.vcrs.env.APPLICATION_NAME | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.vcrs.env.APPLICATION_NAME }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
 {{/*
 Create chart name and version as used by the chart label.
 */}}
@@ -49,6 +66,10 @@ Create chart name and version as used by the chart label.
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
+{{- define "verifiable-credential-revocation-service.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
 {{/*
 Common labels
 */}}
@@ -61,6 +82,15 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 
+{{- define "verifiable-credential-revocation-service.labels" -}}
+helm.sh/chart: {{ include "verifiable-credential-revocation-service.chart" . }}
+{{ include "verifiable-credential-revocation-service.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
 {{/*
 Selector labels
 */}}
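Review bot: `verifiable-credential-revocation-service.fullname` takes the resource name from `.Values.vcrs.env.APPLICATION_NAME` and never from the `vcrs.nameOverride`/`vcrs.fullnameOverride` keys that values.yaml introduces for this purpose, so setting those overrides has no effect; the `else` branch is effectively dead too, because `default .Chart.Name .Values.vcrs.env.APPLICATION_NAME` only runs when APPLICATION_NAME is empty and then always yields `.Chart.Name`. More importantly the normal path never includes `.Release.Name`, so two releases of this chart in one namespace would render Deployments, Services, ConfigMaps and Secrets with identical names. Mirror the MIW helper: `{{- if .Values.vcrs.fullnameOverride }}` → `{{- .Values.vcrs.fullnameOverride | trunc 63 | trimSuffix "-" }}`, otherwise `printf "%s-%s" .Release.Name (default .Chart.Name .Values.vcrs.nameOverride)`, and feed the rendered name into the container through APPLICATION_NAME rather than the other way round.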
@@ -69,6 +99,11 @@ app.kubernetes.io/name: {{ include "managed-identity-wallet.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
+{{- define "verifiable-credential-revocation-service.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "verifiable-credential-revocation-service.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
 {{/*
 Create the name of the service account to use
 */}}
diff --git a/charts/managed-identity-wallet/templates/deployment.yaml b/charts/managed-identity-wallet/templates/miw-deployment.yaml
similarity index 96%
rename from charts/managed-identity-wallet/templates/deployment.yaml
rename to charts/managed-identity-wallet/templates/miw-deployment.yaml
index 801dbf9a7..805b6c096 100644
--- a/charts/managed-identity-wallet/templates/deployment.yaml
+++ b/charts/managed-identity-wallet/templates/miw-deployment.yaml
@@ -1,4 +1,4 @@
-# /********************************************************************************
+# ********************************************************************************
 # * Copyright (c) 2021,2023 Contributors to the Eclipse Foundation
 # *
 # * See the NOTICE file(s) distributed with this work for additional
@@ -15,7 +15,7 @@
 # * under the License.
 # *
 # * SPDX-License-Identifier: Apache-2.0
-# ********************************************************************************/
+# ********************************************************************************
 
 apiVersion: apps/v1
 kind: Deployment
@@ -117,7 +117,7 @@ spec:
             - name: http
               containerPort: 8080
               protocol: TCP
-          {{- with .Values.livenessProbe }}
+          {{- with .Values.miw.livenessProbe }}
           {{- if .enabled }}
           livenessProbe:
             httpGet:
@@ -130,7 +130,7 @@ spec:
             timeoutSeconds: {{ .timeoutSeconds }}
           {{- end }}
           {{- end }}
-          {{- with .Values.readinessProbe }}
+          {{- with .Values.miw.readinessProbe }}
           {{- if .enabled }}
           readinessProbe:
             httpGet:
@@ -162,4 +162,4 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
       volumes:
-        {{- toYaml .Values.extraVolumes | nindent 8 }}
+        {{- toYaml .Values.extraVolumes | nindent 8 }}
\ No newline at end of file
diff --git a/charts/managed-identity-wallet/templates/ingress.yaml b/charts/managed-identity-wallet/templates/miw-ingress.yaml
similarity index 96%
rename from charts/managed-identity-wallet/templates/ingress.yaml
rename to charts/managed-identity-wallet/templates/miw-ingress.yaml
index a550fece2..afb584a89 100644
--- a/charts/managed-identity-wallet/templates/ingress.yaml
+++ b/charts/managed-identity-wallet/templates/miw-ingress.yaml
@@ -1,4 +1,4 @@
-# /********************************************************************************
+# ********************************************************************************
 # * Copyright (c) 2021,2023 Contributors to the Eclipse Foundation
 # *
 # * See the NOTICE file(s) distributed with this work for additional
@@ -15,7 +15,7 @@
 # * under the License.
 # *
 # * SPDX-License-Identifier: Apache-2.0
-# ********************************************************************************/
+# ********************************************************************************
 
 {{ if .Values.ingress.enabled -}}
 {{- $fullName := include "managed-identity-wallet.fullname" . -}}
diff --git a/charts/managed-identity-wallet/templates/secret.yaml b/charts/managed-identity-wallet/templates/miw-secret.yaml
similarity index 94%
rename from charts/managed-identity-wallet/templates/secret.yaml
rename to charts/managed-identity-wallet/templates/miw-secret.yaml
index 832ecf87b..ff3af397c 100644
--- a/charts/managed-identity-wallet/templates/secret.yaml
+++ b/charts/managed-identity-wallet/templates/miw-secret.yaml
@@ -1,4 +1,4 @@
-# /********************************************************************************
+# ********************************************************************************
 # * Copyright (c) 2021,2023 Contributors to the Eclipse Foundation
 # *
 # * See the NOTICE file(s) distributed with this work for additional
@@ -15,7 +15,7 @@
 # * under the License.
 # *
 # * SPDX-License-Identifier: Apache-2.0
-# ********************************************************************************/
+# ********************************************************************************
 
 {{ if .Values.secrets -}}
 apiVersion: v1
diff --git a/charts/managed-identity-wallet/templates/service.yaml b/charts/managed-identity-wallet/templates/miw-service.yaml
similarity index 92%
rename from charts/managed-identity-wallet/templates/service.yaml
rename to charts/managed-identity-wallet/templates/miw-service.yaml
index 8c067a45b..4dd6103d9 100644
--- a/charts/managed-identity-wallet/templates/service.yaml
+++ b/charts/managed-identity-wallet/templates/miw-service.yaml
@@ -1,4 +1,4 @@
-# /********************************************************************************
+# ********************************************************************************
 # * Copyright (c) 2021,2023 Contributors to the Eclipse Foundation
 # *
 # * See the NOTICE file(s) distributed with this work for additional
@@ -15,7 +15,7 @@
 # * under the License.
 # *
 # * SPDX-License-Identifier: Apache-2.0
-# ********************************************************************************/
+# ********************************************************************************
 
 apiVersion: v1
 kind: Service
diff --git a/charts/managed-identity-wallet/templates/networkpolicy.yaml b/charts/managed-identity-wallet/templates/networkpolicy.yaml
index f989b9b71..7fa2a38df 100644
--- a/charts/managed-identity-wallet/templates/networkpolicy.yaml
+++ b/charts/managed-identity-wallet/templates/networkpolicy.yaml
@@ -1,4 +1,4 @@
-# /********************************************************************************
+# ********************************************************************************
 # * Copyright (c) 2024 Contributors to the Eclipse Foundation
 # *
 # * See the NOTICE file(s) distributed with this work for additional
@@ -15,7 +15,7 @@
 # * under the License.
 # *
 # * SPDX-License-Identifier: Apache-2.0
-# ********************************************************************************/
+# ********************************************************************************
 {{- if .Values.networkPolicy.enabled }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
diff --git a/charts/managed-identity-wallet/templates/pgAdmin-server-definitions.yaml b/charts/managed-identity-wallet/templates/pgAdmin-server-definitions.yaml
index 53fd2be4f..35117541b 100644
--- a/charts/managed-identity-wallet/templates/pgAdmin-server-definitions.yaml
+++ b/charts/managed-identity-wallet/templates/pgAdmin-server-definitions.yaml
@@ -21,7 +21,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ .Release.Name }}-pgadmin4-server-definitions
+  name: pgadmin4-server-definitions
   labels:
     {{- include "pgadmin.labels" . | nindent 4 }}
 data:
diff --git a/charts/managed-identity-wallet/templates/psql-pv.yaml b/charts/managed-identity-wallet/templates/psql-pv.yaml
new file mode 100644
index 000000000..828a4e87f
--- /dev/null
+++ b/charts/managed-identity-wallet/templates/psql-pv.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: postgres-seed-pvc
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: standard
\ No newline at end of file
diff --git a/charts/managed-identity-wallet/templates/vcrs-configmap.yaml b/charts/managed-identity-wallet/templates/vcrs-configmap.yaml
new file mode 100644
index 000000000..bf07ec84d
--- /dev/null
+++ b/charts/managed-identity-wallet/templates/vcrs-configmap.yaml
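Review bot: psql-pv.yaml renders a 1Gi `PersistentVolumeClaim` unconditionally, with the fixed name `postgres-seed-pvc`, a hard-coded `storageClassName: standard` and no labels, so it is created even when `postgresql.enabled` is false, collides between two releases in one namespace, and stays Pending on any cluster that has no class literally named `standard`. Nothing visible in this diff ever writes into the claim: values.yaml mounts it at `/docker-entrypoint-initdb.d/seed` while the actual seeding is done through `primary.initdb.scripts`, so the claim looks like an unused leftover; if so, drop this template together with the `primary.extraVolumes`/`extraVolumeMounts` entries rather than leaving an orphaned volume in the database's init directory. If it is needed, gate it with `{{- if .Values.postgresql.enabled }}`, name it `{{ .Release.Name }}-postgres-seed-pvc` (and update `claimName` in values.yaml accordingly), and take the storage class from a value instead of hard-coding it. The `pgAdmin-server-definitions` ConfigMap rename in the same line has the same release-scoping problem: `{{ .Release.Name }}` was removed from its name.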
@@ -0,0 +1,27 @@
+###############################################################
+# Copyright (c) 2024 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+###############################################################
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "verifiable-credential-revocation-service.fullname" . }}
+data:
+  {{- range $key, $val := .Values.vcrs.env }}
+  {{ $key }}: {{ $val | quote }}
+  {{- end}}
\ No newline at end of file
diff --git a/charts/managed-identity-wallet/templates/vcrs-deployment.yaml b/charts/managed-identity-wallet/templates/vcrs-deployment.yaml
new file mode 100644
index 000000000..95db61ce2
--- /dev/null
+++ b/charts/managed-identity-wallet/templates/vcrs-deployment.yaml
@@ -0,0 +1,83 @@
+###############################################################
+# Copyright (c) 2024 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+###############################################################
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "verifiable-credential-revocation-service.fullname" . }}
+  labels:
+    {{- include "verifiable-credential-revocation-service.labels" . | nindent 4 }}
+spec:
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 0
+      maxSurge: 1
+  selector:
+    matchLabels:
+      {{- include "verifiable-credential-revocation-service.selectorLabels" . | nindent 6 }}
+  replicas: {{ .Values.vcrs.replicaCount }}
+  revisionHistoryLimit: 2
+  template:
+    metadata:
+      labels:
+        {{- include "verifiable-credential-revocation-service.selectorLabels" . | nindent 8 }}
+    spec:
+      containers:
+        - name: {{ include "verifiable-credential-revocation-service.fullname" . }}
+          image: {{ .Values.vcrs.image.repository }}:{{ default .Chart.AppVersion .Values.vcrs.image.tag }}
+          imagePullPolicy: {{ .Values.vcrs.image.pullPolicy }}
+          resources:
+            {{- toYaml .Values.vcrs.resources | nindent 12 }}
+          envFrom:
+            - secretRef:
+                name: {{ .Values.vcrs.secretName }}
+            - configMapRef:
+                name: {{ .Values.vcrs.configName }}
+          {{- with .Values.vcrs.livenessProbe }}
+          {{- if .enabled }}
+          ports:
+            - name: http
+              containerPort: 8081
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /actuator/health/liveness
+              port: 8081
+              scheme: HTTP
+            failureThreshold: {{ .failureThreshold }}
+            initialDelaySeconds: {{ .initialDelaySeconds }}
+            periodSeconds: {{ .periodSeconds }}
+            timeoutSeconds: {{ .timeoutSeconds }}
+          {{- end }}
+          {{- end }}
+          {{- with .Values.vcrs.readinessProbe }}
+          {{- if .enabled }}
+          readinessProbe:
+            httpGet:
+              path: /actuator/health/readiness
+              port: 8081
+              scheme: HTTP
+            failureThreshold: {{ .failureThreshold }}
+            initialDelaySeconds: {{ .initialDelaySeconds }}
+            periodSeconds: {{ .periodSeconds }}
+            successThreshold: {{ .successThreshold }}
+            timeoutSeconds: {{ .timeoutSeconds }}
+          {{- end }}
+          {{- end }}
\ No newline at end of file
diff --git a/charts/managed-identity-wallet/templates/vcrs-ingress.yaml b/charts/managed-identity-wallet/templates/vcrs-ingress.yaml
new file mode 100644
index 000000000..0f36912ba
--- /dev/null
+++ b/charts/managed-identity-wallet/templates/vcrs-ingress.yaml
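Review bot: With the defaults shipped in values.yaml this Deployment cannot start: `envFrom` references `{{ .Values.vcrs.secretName }}` and `{{ .Values.vcrs.configName }}` (`verifiable-credential-revocation-service-secret` / `-config`), while vcrs-secrets.yaml and vcrs-configmap.yaml name their objects with the `verifiable-credential-revocation-service.fullname` helper, which resolves to `verifiable-credential-revocation-service`, so the kubelet will report the Secret and ConfigMap as missing. The `ports:` list is also nested inside the `{{- with .Values.vcrs.livenessProbe }}`/`{{- if .enabled }}` block, so switching the liveness probe off removes the `http` container port that vcrs-service.yaml's `targetPort: http` depends on. None of the chart's top-level `securityContext`/`podSecurityContext` values (`runAsNonRoot: true`, `privileged: false`, `runAsGroup`) are applied to this pod either, so the revocation service runs as whatever user the image defaults to, and `imagePullSecrets`/`serviceAccountName` are likewise absent. Name the env sources via the same helper, hoist `ports:` out of the probe block, and apply the chart's security settings as below.

```yaml
    spec:
      {{- with .Values.podSecurityContext }}
      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      containers:
        - name: {{ include "verifiable-credential-revocation-service.fullname" . }}
          image: {{ .Values.vcrs.image.repository }}:{{ default .Chart.AppVersion .Values.vcrs.image.tag }}
          imagePullPolicy: {{ .Values.vcrs.image.pullPolicy }}
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          resources:
            {{- toYaml .Values.vcrs.resources | nindent 12 }}
          envFrom:
            - secretRef:
                name: {{ include "verifiable-credential-revocation-service.fullname" . }}
            - configMapRef:
                name: {{ include "verifiable-credential-revocation-service.fullname" . }}
          ports:
            - name: http
              containerPort: 8081
              protocol: TCP
          {{- with .Values.vcrs.livenessProbe }}
          {{- if .enabled }}
          livenessProbe:
            # … unchanged: httpGet and threshold fields …
          {{- end }}
          {{- end }}
          # … unchanged: readinessProbe block …
```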
@@ -0,0 +1,80 @@
+###############################################################
+# Copyright (c) 2024 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+###############################################################
+
+{{- if .Values.vcrs.ingress.enabled -}}
+{{- $fullName := include "verifiable-credential-revocation-service.fullname" . -}}
+{{- $svcPort := .Values.vcrs.ingress.service.port -}}
+{{- if and .Values.ingress.vcrs.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+  {{- if not (hasKey .Values.vcrs.ingress.annotations "kubernetes.io/ingress.class") }}
+  {{- $_ := set .Values.vcrs.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.vcrs.className}}
+  {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  labels:
+    {{- include "verifiable-credential-revocation-service.labels" . | nindent 4 }}
+  {{- with .Values.ingress.vcrs.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if and .Values.ingress.vcrs.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName: {{ .Values.ingress.vcrs.className }}
+  {{- end }}
+  {{- if .Values.ingress.vcrs.tls }}
+  tls:
+    {{- range .Values.ingress.vcrs.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.vcrs.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+            pathType: {{ .pathType }}
+            {{- end }}
+            backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $svcPort }}
+              {{- else }}
+              serviceName: {{ $fullName }}
+              servicePort: {{ $svcPort }}
+              {{- end }}
+          {{- end }}
+    {{- end }}
+{{- end }}
diff --git a/charts/managed-identity-wallet/templates/vcrs-secrets.yaml b/charts/managed-identity-wallet/templates/vcrs-secrets.yaml
new file mode 100644
index 000000000..82f8d7fd6
--- /dev/null
+++ b/charts/managed-identity-wallet/templates/vcrs-secrets.yaml
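Review bot: The template reads the enable flag, the service port and (in the `hasKey`/`set` lines) the annotations from `.Values.vcrs.ingress.*`, but the class name, the `with … annotations` block, TLS and hosts from `.Values.ingress.vcrs.*` (`{{- if and .Values.ingress.vcrs.className …`, `{{- with .Values.ingress.vcrs.annotations }}`, `{{- if .Values.ingress.vcrs.tls }}`, `{{- range .Values.ingress.vcrs.hosts }}`). As far as this diff shows, values.yaml only defines `vcrs.ingress` (enabled/service) and a top-level `ingress:` map with no `vcrs` child, so enabling the VCRS ingress would render with no `rules` entries at best and, where the intermediate map is nil, abort templating with a nil-pointer error. Use one path consistently — `.Values.vcrs.ingress.className`, `.annotations`, `.tls`, `.hosts` — and document those keys under `vcrs.ingress` in values.yaml; an Ingress whose `rules:` renders empty and has no `defaultBackend` is, to my knowledge, rejected by API validation, so the `hosts` default should not be an empty list when `enabled` is true.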
@@ -0,0 +1,27 @@
+###############################################################
+# Copyright (c) 2024 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+###############################################################
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "verifiable-credential-revocation-service.fullname" . }}
+type: Opaque
+data:
+  {{- range $key, $val := .Values.vcrs.secrets }}
+  {{ $key }}: {{ $val | b64enc }}
+  {{- end}}
diff --git a/charts/managed-identity-wallet/templates/vcrs-service.yaml b/charts/managed-identity-wallet/templates/vcrs-service.yaml
new file mode 100644
index 000000000..15412d481
--- /dev/null
+++ b/charts/managed-identity-wallet/templates/vcrs-service.yaml
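Review bot: `{{ $key }}: {{ $val | b64enc }}` assumes every entry of `vcrs.secrets` is a string; `b64enc` only accepts strings, so a numeric or boolean value in an override (for example `DATABASE_PASSWORD: 12345`) aborts rendering rather than being encoded. Use `{{ $key }}: {{ $val | toString | b64enc }}`, or switch to `stringData:` with `{{ $val | quote }}` and let the API server encode. Separately, the values shipped with this chart place a literal `DATABASE_PASSWORD: "adminpass"` into this Secret; the MIW side already supports an existing secret (`miw.database.secret`/`secretPasswordKey`), so the revocation service should get an equivalent `existingSecret` option so the password never has to live in values.yaml or in the release history. The Secret also carries no labels, unlike the Deployment, so `kubectl get -l app.kubernetes.io/instance=…` will not list it.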
@@ -0,0 +1,32 @@
+###############################################################
+# Copyright (c) 2024 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+###############################################################
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "verifiable-credential-revocation-service.fullname" . }}
+spec:
+  type: {{ .Values.vcrs.ingress.service.type }}
+  ports:
+    - port: {{ .Values.vcrs.ingress.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "verifiable-credential-revocation-service.selectorLabels" . | nindent 4 }}
\ No newline at end of file
diff --git a/charts/managed-identity-wallet/values.yaml b/charts/managed-identity-wallet/values.yaml
index 0b87fe376..8f627ff07 100644
--- a/charts/managed-identity-wallet/values.yaml
+++ b/charts/managed-identity-wallet/values.yaml
@@ -1,30 +1,30 @@
-# /********************************************************************************
-# * Copyright (c) 2021,2024 Contributors to the Eclipse Foundation
-# *
-# * See the NOTICE file(s) distributed with this work for additional
-# * information regarding copyright ownership.
-# *
-# * This program and the accompanying materials are made available under the
-# * terms of the Apache License, Version 2.0 which is available at
-# * https://www.apache.org/licenses/LICENSE-2.0.
-# *
-# * Unless required by applicable law or agreed to in writing, software
-# * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# * License for the specific language governing permissions and limitations
-# * under the License.
-# *
-# * SPDX-License-Identifier: Apache-2.0
-# ********************************************************************************/
-
+###############################################################
+# Copyright (c) 2024 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+###############################################################
+#
+# ----------------------------------------------- Values for Managed Identity Wallet ----------------------------------------------- #
+#
 # -- The amount of replicas to run
 replicaCount: 1
-
 # -- String to partially override common.names.fullname template (will maintain the release name)
 nameOverride: ""
 # -- String to fully override common.names.fullname template
 fullnameOverride: ""
-
 image:
   # -- Image repository
   repository: tractusx/managed-identity-wallet
@@ -32,14 +32,11 @@ image:
   pullPolicy: Always
   # -- Image tag (empty one will use "appVersion" value from chart definition)
   tag: ""
-
-
+imagePullSecrets: []
 # -- Parameters for the application (will be stored as secrets - so, for passwords, ...)
 secrets: {}
-
 # -- envs Parameters for the application (will be provided as environment variables)
 envs: {}
-
 serviceAccount:
   # -- Enable creation of ServiceAccount
   create: true
@@ -47,13 +44,12 @@ serviceAccount:
   annotations: {}
   # -- The name of the ServiceAccount to use.
   name: ""
-
 service:
   # -- Kubernetes Service type
   type: ClusterIP
   # -- Kubernetes Service port
   port: 8080
-
+# -- Ingress Configuration
 ingress:
   # -- Enable ingress controller resource
   enabled: false
@@ -70,10 +66,10 @@ ingress:
   # - secretName: chart-example-tls
   #   hosts:
   #     - chart-example.local
-
-# -- PodSecurityContext
+  className: nginx
+# -- Pod security configurations
 podSecurityContext: {}
-
+# -- Pod security parameters
 securityContext:
   # -- Enable privileged container
   privileged: false
@@ -85,35 +81,8 @@ securityContext:
   runAsGroup: 11111
   # -- Enable to run the container as a non-root user
   runAsNonRoot: true
-
-# -- Kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)
-livenessProbe:
-  # -- Enables/Disables the livenessProbe at all
-  enabled: true
-  # -- When a probe fails, Kubernetes will try failureThreshold times before giving up. Giving up in case of liveness probe means restarting the container.
-  failureThreshold: 3
-  # -- Number of seconds after the container has started before readiness probe are initiated.
-  initialDelaySeconds: 20
-  # -- Number of seconds after which the probe times out.
-  timeoutSeconds: 15
-  # -- How often (in seconds) to perform the probe
-  periodSeconds: 5
-
-# -- Kubernetes [readiness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)
-readinessProbe:
-  # -- Enables/Disables the readinessProbe at all
-  enabled: true
-  # -- When a probe fails, Kubernetes will try failureThreshold times before giving up. In case of readiness probe the Pod will be marked Unready.
-  failureThreshold: 3
-  # -- Number of seconds after the container has started before readiness probe are initiated.
-  initialDelaySeconds: 30
-  # -- How often (in seconds) to perform the probe
-  periodSeconds: 5
-  # -- Minimum consecutive successes for the probe to be considered successful after having failed.
-  successThreshold: 1
-  # -- Number of seconds after which the probe times out.
-  timeoutSeconds: 5
-
+  # # -- Filesystem group ID
+  # fsGroup: 1001
 resources:
   requests:
     # -- CPU resource requests
@@ -125,38 +94,29 @@ resources:
     cpu: 2
     # -- Memory resource limits
     memory: 1Gi
-
 # -- NodeSelector configuration
 nodeSelector:
   "kubernetes.io/os": linux
-
 # -- Tolerations configuration
 tolerations: []
-
 # -- Aff
inity configuration
 affinity: {}
-
 # -- PodAnnotation configuration
 podAnnotations: {}
-
 # -- add initContainers to the miw deployment
 initContainers: []
-
 networkPolicy:
   # -- If `true` network policy will be created to restrict access to managed-identity-wallet
   enabled: false
   # -- Specify from rule network policy for miw (defaults to all namespaces)
   from:
-    - namespaceSelector: {}
-
+    - namespaceSelector: {}
 # -- add volumes to the miw deployment
 extraVolumes: []
-
-# -- add volume mounts to the miw deployment
 extraVolumeMounts: []
-
-## @section Managed Identity Wallet Primary Parameters
-##
+#
+# -----------------------------------------------MIW----------------------------------------------- #
+#
 miw:
   ## @param miw.host Host name
   ## @param miw.logging.level Log level. Should be ether ERROR, WARN, INFO, DEBUG, or TRACE.
@@ -184,15 +144,16 @@ miw:
     # -- Database port
     port: 5432
     # -- Database host
-    host: "{{ .Release.Name }}-postgresql"
+    host: "managed-identity-wallet-postgresql"
     # -- Database user
     user: "miw"
     # -- Database name
     name: "miw_app"
     # -- Existing secret name for the database password
-    secret: "{{ .Release.Name }}-postgresql"
+    secret: "managed-identity-wallet-postgresql"
     # -- Existing secret key for the database password
     secretPasswordKey: "password"
+    # -- Password encryption configuratons
     encryptionKey:
       # -- Database encryption key for confidential data. Ignored if `secret` is set. If empty a secret with 32 random alphanumeric chars is generated.
       value: ""
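Review bot: `miw.database.host` and `miw.database.secret` change from `"{{ .Release.Name }}-postgresql"` to the literal `"managed-identity-wallet-postgresql"`, so any release not named exactly `managed-identity-wallet` now points MIW at a Service and a Secret that the bundled PostgreSQL subchart will not have created (it names both after the release), which would presumably leave the MIW pod unable to find its database host and password; the same literal is repeated as `DATABASE_HOST` for the revocation service later in this file. Keep the templated defaults, `host: "{{ .Release.Name }}-postgresql"` and `secret: "{{ .Release.Name }}-postgresql"`, since neighbouring values such as `miw.keycloak.url` still rely on release-name templating. The hunk also silently drops the `# -- add volume mounts to the miw deployment` comment above `extraVolumeMounts: []`, which looks accidental and removes the generated README entry for that key.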
@@ -207,32 +168,71 @@ miw:
     clientId: "miw_private_client"
     # -- Keycloak URL
     url: "http://{{ .Release.Name }}-keycloak"
-
-# For more information on how to configure the Keycloak chart see https://github.com/bitnami/charts/tree/main/bitnami/keycloak.
+  # -- Kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)
+  livenessProbe:
+    # -- Enables/Disables the livenessProbe at all
+    enabled: true
+    # -- When a probe fails, Kubernetes will try failureThreshold times before giving up. Giving up in case of liveness probe means restarting the container.
+    failureThreshold: 3
+    # -- Number of seconds after the container has started before readiness probe are initiated.
+    initialDelaySeconds: 20
+    # -- Number of seconds after which the probe times out.
+    timeoutSeconds: 15
+    # -- How often (in seconds) to perform the probe
+    periodSeconds: 5
+  # -- Kubernetes [readiness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)
+  readinessProbe:
+    # -- Enables/Disables the readinessProbe at all
+    enabled: true
+    # -- When a probe fails, Kubernetes will try failureThreshold times before giving up. In case of readiness probe the Pod will be marked Unready.
+    failureThreshold: 3
+    # -- Number of seconds after the container has started before readiness probe are initiated.
+    initialDelaySeconds: 30
+    # -- How often (in seconds) to perform the probe
+    periodSeconds: 5
+    # -- Minimum consecutive successes for the probe to be considered successful after having failed.
+    successThreshold: 1
+    # -- Number of seconds after which the probe times out.
+    timeoutSeconds: 5
+  # For more information on how to configure the Keycloak chart see https://github.com/bitnami/charts/tree/main/bitnami/keycloak.
+# ----------------------------------------------- KEYCLOAK ----------------------------------------------- #
 keycloak:
   # -- Enable to deploy Keycloak
   enabled: true
   # -- Extra environment variables
   extraEnvVars: []
-  # - name: KEYCLOAK_HOSTNAME
-  #   value: "{{ .Release.Name }}-keycloak"
+  # - name: KEYCLOAK_HOSTNAME
+  #   value: "keycloak"
   postgresql:
     # -- Name of the PostgreSQL chart to deploy. Mandatory when the MIW deploys a PostgreSQL chart, too.
     nameOverride: "keycloak-postgresql"
     # -- Enable to deploy PostgreSQL
     enabled: true
     auth:
-      # -- Keycloak PostgreSQL user
+      # -- Postgresql admin user password
       username: "miw_keycloak"
       # -- KeycloakPostgresql password to set (if empty one is generated)
-      password: ""
+      password: "adminpass"
       # -- Database name
       database: "miw_keycloak"
+    volumePermissions:
+      enabled: true
   ingress:
+    # -- Enable ingress controller resource
     enabled: false
+    # -- Ingress annotations
     annotations: {}
+    # -- Ingress accepted hostnames
     hosts: []
+    # - host: chart-example.local
+    #   paths:
+    #     - path: /
+    #       pathType: Prefix
+    # -- Ingress TLS configuration
     tls: []
+    # - secretName: chart-example-tls
+    #   hosts:
+    #     - chart-example.local
   auth:
     # -- Keycloak admin user
     adminUser: "admin"
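Review bot: `keycloak.postgresql.auth.password` changes from `""`, which the comment directly above says makes the subchart generate a password, to the literal `"adminpass"`, and the comment over `username` is rewritten to `# -- Postgresql admin user password`, which is now wrong for that key. A fixed default credential in a published chart lands in every installation that does not override it and is also now part of git history; restore `password: ""` so the Bitnami subchart keeps generating one, and restore `# -- Keycloak PostgreSQL user` above `username`. The replacement `KEYCLOAK_HOSTNAME` example `value: "keycloak"` likewise drops the release-name templating the previous example used, which the surrounding `miw.keycloak.url` default still relies on.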
@@ -245,28 +245,53 @@ keycloak:
     existingConfigmap: keycloak-realm-config
   # -- Number of retries before considering a Job as failed
   backoffLimit: 2
-
+# ----------------------------------------------- POSTGRESQL ----------------------------------------------- #
 # For more information on how to configure the PostgreSQL chart see https://github.com/bitnami/charts/tree/main/bitnami/postgresql.
 postgresql:
   # -- Enable to deploy Postgresql
   enabled: true
+  image:
+    tag: "16-debian-12"
+  # -- Debug logs
+  debug: true
   auth:
     # -- Enable postgresql admin user
-    enablePostgresUser: false
+    enablePostgresUser: true
     # -- Postgresql admin user password
-    postgresPassword: ""
+    postgresPassword: "adminpass"
     # -- Postgresql user to create
     username: "miw"
     # -- Postgresql password to set (if empty one is generated)
-    password: ""
+    password: "adminpass"
     # -- Postgresql database to create
     database: "miw_app"
+  # -- Creating a new database for VCRS application (Edit the DB configurations as required in configmap)
+  primary:
+    extraVolumes:
+      - name: postgres-seed
+        persistentVolumeClaim:
+          claimName: postgres-seed-pvc
+    extraVolumeMounts:
+      - mountPath: /docker-entrypoint-initdb.d/seed
+        name: postgres-seed
+    initdb:
+      user: "postgres"
+      password: "adminpass"
+      scripts:
+        init.sql: |
+          CREATE DATABASE vcrs_app;
+          CREATE USER vcrs WITH ENCRYPTED PASSWORD 'adminpass';
+          GRANT ALL PRIVILEGES ON DATABASE vcrs_app TO vcrs;
+          \c vcrs_app
+          GRANT ALL ON SCHEMA public TO vcrs;
   backup:
     # -- Enable to create a backup cronjob
     enabled: false
+    #Cronjob Configuration
     cronjob:
       # -- Backup schedule
       schedule: "* */6 * * *"
+      # Backup Storage configuration
       storage:
         # -- Name of an existing PVC to use
         existingClaim: ""
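Review bot: This hunk enables the PostgreSQL superuser (`enablePostgresUser: true`) and sets `postgresPassword`, `auth.password`, `primary.initdb.password` and the inline `CREATE USER vcrs WITH ENCRYPTED PASSWORD 'adminpass'` statement all to the same literal `adminpass`, and turns on `debug: true`; with the previous `""` defaults the subchart generated random passwords, so an install that does not override values now runs the shared database with a well-known superuser password that is also committed to the repository. Restore `postgresPassword: ""` and `password: ""` (or reference an existing secret) and keep `enablePostgresUser: false` unless the init script genuinely needs the superuser, and move the `vcrs` role password out of the SQL string — in the Bitnami chart `primary.initdb.scripts` is rendered into a ConfigMap while `initdb.scriptsSecret` exists for scripts containing credentials (confirm against the pinned subchart version). `GRANT ALL PRIVILEGES ON DATABASE vcrs_app` plus `GRANT ALL ON SCHEMA public` is also broader than a status-list service needs; a role with `CONNECT` on the database and `CREATE, USAGE` on the schema it owns would do. `debug: true` should not be the default for a production chart either.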
@@ -274,7 +299,9 @@ postgresql:
       resourcePolicy: "keep"
       # -- PVC Storage Request for the backup data volume
       size: "8Gi"
-
+  volumePermissions:
+    enabled: true
+# ----------------------------------------------- PGADMIN ----------------------------------------------- #
 # For more information on how to configure the pgadmin chart see https://artifacthub.io/packages/helm/runix/pgadmin4.
 # (Here we're using a stripped-down version of the pgadmin chart, to just )
 pgadmin4:
@@ -318,3 +345,138 @@ pgadmin4:
 subPath: servers.json
 mountPath: "/pgadmin4/servers.json"
 readOnly: true
+#
+# ----------------------------------------------- Values for Verifiable Credential Revocation Service application ----------------------------------------------- #
+#
+vcrs:
+ replicaCount: 1
+ # -- Revocation application configuration
+ host: localhost
+ # -- The configmap name
+ nameOverride: "verifiable-credential-revocation-service"
+ # -- String to partially override common.names.fullname template (will maintain the release name)
+ fullnameOverride: "verifiable-credential-revocation-service"
+ # -- ConfigMap Name
+ configName: "verifiable-credential-revocation-service-config"
+ # -- The Service name
+ serviceName: "verifiable-credential-revocation-service"
+ # -- The Secret name
+ secretName: "verifiable-credential-revocation-service-secret"
+ image:
+ # -- Image repository
+ repository: public.ecr.aws/w6s7t8e0/tractusx/verifiable-credential-revocation-service
+ # -- PullPolicy
+ pullPolicy: IfNotPresent
+ # -- Image tag (empty one will use "appVersion" value from chart definition)
+ tag: "latest"
+ env:
+ # -- The application name
+ APPLICATION_NAME: verifiable-credential-revocation-service
+ # -- The application port
+ APPLICATION_PORT: 8081
+ # -- The application profile
+ APPLICATION_PROFILE: local
+ # -- The Database Host
+ DATABASE_HOST: managed-identity-wallet-postgresql
+ # -- The Database Port
+ DATABASE_PORT: 5432
+ # -- The Database Name
+ DATABASE_NAME: vcrs_app
+ # -- The Database SSL
+ DATABASE_USE_SSL_COMMUNICATION: false
+ # -- The Database Name
+ DATABASE_USERNAME: vcrs
+ # -- The Database connection pool size
+ DATABASE_CONNECTION_POOL_SIZE: 10
+ # -- Swagger UI config
+ ENABLE_SWAGGER_UI: true
+ # -- Swagger Api Doc
+ ENABLE_API_DOC: true
+ # -- The application log level
+ APPLICATION_LOG_LEVEL: DEBUG
+ # Enable application security
+ SERVICE_SECURITY_ENABLED: true
+ # -- KeyClocak Configurations
+ KEYCLOAK_REALM: miw_test
+ # -- 
ClientID Config
+ KEYCLOAK_CLIENT_ID: miw_private_client
+ # -- ClientID Config
+ KEYCLOAK_PUBLIC_CLIENT_ID: miw_public_client
+ # -- Auth URL for Keycloak
+ AUTH_SERVER_URL: "http://{{ .Release.Name }}-keycloak"
+ # -- Revocation application configuration
+ MIW_URL: https://a888-203-129-213-107.ngrok-free.app
+ VC_SCHEMA_LINK: https://www.w3.org/2018/credentials/v1, https://cofinity-x.github.io/schema-registry/w3c/v1.0/BitstringStatusList.json
+ DOMAIN_URL: https://977d-203-129-213-107.ngrok-free.app
+ # Application logging configurations
+ APP_LOG_LEVEL: INFO
+ secrets:
+ # -- The Database Password
+ DATABASE_PASSWORD: "adminpass"
+ resources:
+ requests:
+ # -- CPU resource requests
+ cpu: 250m
+ # -- Memory resource requests
+ memory: 512Mi
+ limits:
+ # -- CPU resource limits
+ cpu: 500m
+ # -- Memory resource limits
+ memory: 1Gi
+ # -- Kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)
+ livenessProbe:
+ # -- Enables/Disables the livenessProbe at all
+ enabled: true
+ # -- When a probe fails, Kubernetes will try failureThreshold times before giving up. Giving up in case of liveness probe means restarting the container.
+ failureThreshold: 5
+ # -- Number of seconds after the container has started before readiness probes are initiated.
+ initialDelaySeconds: 60
+ # -- Number of seconds after which the probe times out.
+ timeoutSeconds: 30
+ # -- How often (in seconds) to perform the probe
+ periodSeconds: 15
+ # -- Kubernetes [readiness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)
+ readinessProbe:
+ # -- Enables/Disables the readinessProbe at all
+ enabled: true
+ # -- When a probe fails, Kubernetes will try failureThreshold times before giving up. In case of readiness probe the Pod will be marked Unready.
+ failureThreshold: 5
+ # -- Number of seconds after the container has started before readiness probe are initiated.
+ initialDelaySeconds: 60
+ # -- How often (in seconds) to perform the probe
+ periodSeconds: 15
+ # -- Minimum consecutive successes for the probe to be considered successful after having failed.
+ successThreshold: 1
+ # -- Number of seconds after which the probe times out.
+ timeoutSeconds: 15
+ # -- ingress configuration
+ ingressName: "verifiable-credential-revocation-service-ingress"
+ ingress:
+ enabled: false
+ className: ""
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ hosts:
+ - host: chart-example.local
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+ service:
+ # -- Kubernetes Service type
+ type: ClusterIP
+ # -- Kubernetes Service port
+ port: 8081
+ database:
+ encryptionKey:
+ # -- Database encryption key for confidential data. Ignored if `secret` is set. If empty a secret with 32 random alphanumeric chars is generated.
+ value: ""
+ # -- Existing secret for database encryption key
+ secret: ""
+ # -- Existing secret key for database encryption key
+ secretKey: ""
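Review bot: The new `vcrs` defaults ship a plaintext database password (`DATABASE_PASSWORD: "adminpass"` under `secrets:`), an unpinned image (`tag: "latest"`, although the comment right above it says an empty tag falls back to `appVersion`, and `pullPolicy: IfNotPresent` means nodes will keep whatever `latest` they first pulled), and two developer ngrok hostnames in `MIW_URL` and `DOMAIN_URL`, so a plain `helm install` produces a service with a known credential that calls someone's personal tunnel. These should become `tag: ""`, `DATABASE_PASSWORD: ""` (with the secret template generating or referencing an existing secret, as the MIW side already does for `database.encryptionKey`), and `MIW_URL: ""` / `DOMAIN_URL: ""` with a `required` check in the configmap template, so that a missing value fails the render instead of silently pointing at the wrong host. `DATABASE_USE_SSL_COMMUNICATION: false`, `APPLICATION_LOG_LEVEL: DEBUG` and `ENABLE_SWAGGER_UI: true` are also development settings being promoted to chart defaults and deserve at least a comment saying so; `APPLICATION_LOG_LEVEL: DEBUG` and `APP_LOG_LEVEL: INFO` set two different log levels for the same application and one of them is presumably dead. Finally, `APPLICATION_PORT: 8081`, `DATABASE_USE_SSL_COMMUNICATION: false` and similar are YAML ints/bools, and a ConfigMap's `data` only accepts strings; unless the `vcrs-configmap.yaml` template quotes each value, these should be written as `"8081"` and `"false"` (the `DATABASE_USERNAME` comment, which reads "The Database Name", is also a copy-paste slip).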