charts/tractusx-connector/values.yaml

#################################################################################
#  Copyright (c) 2023,2024 ZF Friedrichshafen AG
#  Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH
#  Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
#  Copyright (c) 2021,2024 Contributors to the Eclipse Foundation
#
#  See the NOTICE file(s) distributed with this work for additional
#  information regarding copyright ownership.
#
#  This program and the accompanying materials are made available under the
#  terms of the Apache License, Version 2.0 which is available at
#  https://www.apache.org/licenses/LICENSE-2.0.
#
#  Unless required by applicable law or agreed to in writing, software
#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#  License for the specific language governing permissions and limitations
#  under the License.
#
#  SPDX-License-Identifier: Apache-2.0
#################################################################################

---
# Default values for eclipse-dataspace-connector.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

install:
  # -- Deploying a PostgreSQL instance
  postgresql: true
  # -- Deploying a HashiCorp Vault instance
  vault: true

fullnameOverride: ""
nameOverride: ""

# -- Existing image pull secret to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry)
imagePullSecrets: []
# -- Add some custom labels
customLabels: {}

participant:
  # -- BPN Number
  id: "BPNLCHANGEME"

iatp:
  # -- Decentralized IDentifier (DID) of the connector
  id: "did:web:changeme"
  # -- Configures the trusted issuers for this runtime
  trustedIssuers: []
  sts:
    dim:
      # -- URL where connectors can request SI tokens
      url:
    oauth:
      # -- URL where connectors can request OAuth2 access tokens for DIM access
      token_url:
      client:
        # -- Client ID for requesting OAuth2 access token for DIM access
        id:
        # -- Alias under which the client secret is stored in the vault for requesting OAuth2 access token for DIM access
        secret_alias:

# -- Add custom ca certificates to the truststore
customCaCerts: {}

controlplane:
  image:
    # -- Which derivate of the control plane to use. When left empty the deployment will select the correct image automatically
    repository: ""
    # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use
    pullPolicy: IfNotPresent
    # -- Overrides the image tag whose default is the chart appVersion
    tag: ""
  initContainers: []
  debug:
    # -- Enables java debugging mode.
    enabled: false
    # -- Port where the debuggee can connect to.
    port: 1044
    # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port.
    suspendOnStart: false

  logs:
    # -- Defines the log granularity of the default Console Monitor.
    level: DEBUG

  livenessProbe:
    # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)
    enabled: true
    # -- seconds to wait before performing the first liveness check
    initialDelaySeconds: 30
    # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds
    periodSeconds: 10
    # -- number of seconds after which the probe times out
    timeoutSeconds: 5
    # -- when a probe fails kubernetes will try 6 times before giving up
    failureThreshold: 6
    # -- number of consecutive successes for the probe to be considered successful after having failed
    successThreshold: 1
  readinessProbe:
    # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)
    enabled: true
    # -- seconds to wait before performing the first readiness check
    initialDelaySeconds: 30
    # -- this fields specifies that kubernetes should perform a readiness check every 10 seconds
    periodSeconds: 10
    # -- number of seconds after which the probe times out
    timeoutSeconds: 5
    # -- when a probe fails kubernetes will try 6 times before giving up
    failureThreshold: 6
    # -- number of consecutive successes for the probe to be considered successful after having failed
    successThreshold: 1

  # -- endpoints of the control plane
  endpoints:
    # -- default api for health checks, should not be added to any ingress
    default:
      # -- port for incoming api calls
      port: 8080
      # -- path for incoming api calls
      path: /api
    # -- data management api, used by internal users, can be added to an ingress and must not be internet facing
    management:
      # -- port for incoming api calls
      port: 8081
      # -- path for incoming api calls
      path: /management
      # -- authentication key, must be attached to each request as `X-Api-Key` header
      authKey: "password"
      # -- if the JWKS url is set, the DelegatedAuth service will be engaged
      jwksUrl:

    # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not
    control:
      # -- port for incoming api calls
      port: 8083
      # -- path for incoming api calls
      path: /control
    # -- dsp api, used for inter connector communication and must be internet facing
    protocol:
      # -- port for incoming api calls
      port: 8084
      # -- path for incoming api calls
      path: /api/v1/dsp
    # -- metrics api, used for application metrics, must not be internet facing
    metrics:
      # -- port for incoming api calls
      port: 9090
      # -- path for incoming api calls
      path: /metrics
    catalog:
      # -- port for incoming catalog cache query requests
      port: 8085
      # -- path for incoming catalog cache query requests
      path: /catalog
      # -- authentication key, must be attached to each request as `X-Api-Key` header
      authKey: "password"

  bdrs:
    # -- Time that a cached BPN/DID resolution map is valid in seconds, default is 600 seconds (10 min)
    cache_validity_seconds: 600
    server:
      # -- URL of the BPN/DID Resolution Service
      url:

  # -- configuration for the built-in federated catalog crawler
  catalog:
    # -- Flag to globally enable/disable the FC feature
    enabled: false
    crawler:
      # -- Number of desired crawlers. Final number might be different, based on number of crawl targets
      num:
      # -- Period between two crawl runs in seconds. Default is 60 seconds.
      period:
      # -- Initial delay for the crawling to start. Leave blank for a random delay
      initialDelay:
      # -- File path to a JSON file containing TargetNode entries
      targetsFile:
  # -- configuration for policy engine
  policy:
    validation:
      enabled: true

  service:
    # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service.
    type: ClusterIP
    # -- additional labels for the service
    labels: {}
    # -- additional annotations for the service
    annotations: {}

  # -- additional labels for the pod
  podLabels: {}
  # -- additional annotations for the pod
  podAnnotations: {}
  # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment
  podSecurityContext:
    seccompProfile:
      # -- Restrict a Container's Syscalls with seccomp
      type: RuntimeDefault
    # -- Runs all processes within a pod with a special uid
    runAsUser: 10001
    # -- Processes within a pod will belong to this guid
    runAsGroup: 10001
    # -- The owner for volumes and any files created within volumes will belong to this guid
    fsGroup: 10001
  # The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod
  securityContext:
    capabilities:
      # -- Specifies which capabilities to drop to reduce syscall attack surface
      drop:
        - ALL
      # -- Specifies which capabilities to add to issue specialized syscalls
      add: []
    # -- Whether the root filesystem is mounted in read-only mode
    readOnlyRootFilesystem: true
    # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID
    allowPrivilegeEscalation: false
    # -- Requires the container to run without root privileges
    runAsNonRoot: true
    # -- The container's process will run with the specified uid
    runAsUser: 10001

  # -- Extra environment variables that will be pass onto deployment pods
  env: {}
  #  ENV_NAME: value

  # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
  # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
  envValueFrom: {}
  #  ENV_NAME:
  #    configMapKeyRef:
  #      name: configmap-name
  #      key: value_key
  #    secretKeyRef:
  #      name: secret-name
  #      key: value_key

  # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from
  envSecretNames: []
  #  - first-secret
  #  - second-secret

  # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from
  envConfigMapNames: []
  #  - first-config-map
  #  - second-config-map

  ## Ingress declaration to expose the network service.
  ingresses:
    ## Public / Internet facing Ingress
    - enabled: false
      # -- The hostname to be used to precisely map incoming traffic onto the underlying network service
      hostname: "edc-control.local"
      # -- Additional ingress annotations to add
      annotations: {}
      # -- EDC endpoints exposed by this ingress resource
      endpoints:
        - protocol
      # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class)  to use
      className: ""
      # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource
      tls:
        # -- Enables TLS on the ingress resource
        enabled: false
        # -- If present overwrites the default secret name
        secretName: ""
      ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource
      certManager:
        # -- If preset enables certificate generation via cert-manager namespace scoped issuer
        issuer: ""
        # -- If preset enables certificate generation via cert-manager cluster-wide issuer
        clusterIssuer: ""
    ## Private / Intranet facing Ingress
    - enabled: false
      # -- The hostname to be used to precisely map incoming traffic onto the underlying network service
      hostname: "edc-control.intranet"
      # -- Additional ingress annotations to add
      annotations: {}
      # -- EDC endpoints exposed by this ingress resource
      endpoints:
        - management
        - control
      # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class)  to use
      className: ""
      # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource
      tls:
        # -- Enables TLS on the ingress resource
        enabled: false
        # -- If present overwrites the default secret name
        secretName: ""
      ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource
      certManager:
        # -- If preset enables certificate generation via cert-manager namespace scoped issuer
        issuer: ""
        # -- If preset enables certificate generation via cert-manager cluster-wide issuer
        clusterIssuer: ""

  # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container
  volumeMounts:
  # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories
  volumes:

  # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container
  resources:
    limits:
      # -- Maximum CPU limit
      cpu: 1.5
      # -- Maximum memory limit
      memory: 1024Mi
    requests:
      # -- Initial CPU request
      cpu: 500m
      # -- Initial memory request
      memory: 1024Mi

  replicaCount: 1

  autoscaling:
    # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/)
    enabled: false
    # -- Minimal replicas if resource consumption falls below resource threshholds
    minReplicas: 1
    # -- Maximum replicas if resource consumption exceeds resource threshholds
    maxReplicas: 100
    # -- targetAverageUtilization of cpu provided to a pod
    targetCPUUtilizationPercentage: 80
    # -- targetAverageUtilization of memory provided to a pod
    targetMemoryUtilizationPercentage: 80

  # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics
  opentelemetry: |-
    otel.javaagent.enabled=false
    otel.javaagent.debug=false


  # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes
  nodeSelector: {}
  # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes
  tolerations: []
  # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on
  affinity: {}

  url:
    # -- Explicitly declared url for reaching the dsp api (e.g. if ingresses not used)
    protocol: ""

dataplane:
  image:
    # -- Which derivate of the data plane to use. when left empty the deployment will select the correct image automatically
    repository: ""
    # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use
    pullPolicy: IfNotPresent
    # -- Overrides the image tag whose default is the chart appVersion
    tag: ""
  initContainers: []
  debug:
    # -- Enables java debugging mode.
    enabled: false
    # -- Port where the debuggee can connect to.
    port: 1044
    # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port.
    suspendOnStart: false

  logs:
    # -- Defines the log granularity of the default Console Monitor.
    level: DEBUG

  livenessProbe:
    # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)
    enabled: true
    # -- seconds to wait before performing the first liveness check
    initialDelaySeconds: 30
    # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds
    periodSeconds: 10
    # -- number of seconds after which the probe times out
    timeoutSeconds: 5
    # -- when a probe fails kubernetes will try 6 times before giving up
    failureThreshold: 6
    # -- number of consecutive successes for the probe to be considered successful after having failed
    successThreshold: 1
  readinessProbe:
    # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)
    enabled: true
    # -- seconds to wait before performing the first readiness check
    initialDelaySeconds: 30
    # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds
    periodSeconds: 10
    # -- number of seconds after which the probe times out
    timeoutSeconds: 5
    # -- when a probe fails kubernetes will try 6 times before giving up
    failureThreshold: 6
    # -- number of consecutive successes for the probe to be considered successful after having failed
    successThreshold: 1

  service:
    # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service.
    type: ClusterIP
    # -- additional labels for the service
    labels: {}
    # -- additional annotations for the service
    annotations: {}

  # -- endpoints of the dataplane
  endpoints:
    # -- default api for health checks, should not be added to any ingress
    default:
      # -- port for incoming api calls
      port: 8080
      # -- path for incoming api calls
      path: /api
    # -- public endpoint where the data can be fetched from if HttpPull was used. Must be internet facing.
    public:
      # -- port for incoming api calls
      port: 8081
      # -- path for incoming api calls
      path: /api/public
    # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not
    control:
      # -- port for incoming api calls
      port: 8084
      # -- path for incoming api calls
      path: /api/control
    proxy:
      # -- port for incoming api calls
      port: 8186
      # -- path for incoming api calls
      path: /proxy
      # -- authentication key, must be attached to each request as `X-Api-Key` header
      authKey: "password"
    # -- metrics api, used for application metrics, must not be internet facing
    metrics:
      # -- port for incoming api calls
      port: 9090
      # -- path for incoming api calls
      path: /metrics

  token:
    refresh:
      # -- TTL in seconds for access tokens (also known as EDR token)
      expiry_seconds: 300
      # -- Tolerance for token expiry in seconds
      expiry_tolerance_seconds: 10
      # -- Optional endpoint for an OAuth2 token refresh. Default endpoint is `<PUBLIC_API>/token`
      refresh_endpoint:
    signer:
      # -- Alias under which the private key (JWK or PEM format) is stored in the vault
      privatekey_alias:
    verifier:
      # -- Alias under which the public key (JWK or PEM format) is stored in the vault, that belongs to the private key which was referred to at `dataplane.token.signer.privatekey_alias`
      publickey_alias:

  aws:
    endpointOverride: ""
    accessKeyId: ""
    secretAccessKey: ""

  # -- additional labels for the pod
  podLabels: {}
  # -- additional annotations for the pod
  podAnnotations: {}
  # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment
  podSecurityContext:
    seccompProfile:
      # -- Restrict a Container's Syscalls with seccomp
      type: RuntimeDefault
    # -- Runs all processes within a pod with a special uid
    runAsUser: 10001
    # -- Processes within a pod will belong to this guid
    runAsGroup: 10001
    # -- The owner for volumes and any files created within volumes will belong to this guid
    fsGroup: 10001
  # -- The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod
  securityContext:
    capabilities:
      # -- Specifies which capabilities to drop to reduce syscall attack surface
      drop:
        - ALL
      # -- Specifies which capabilities to add to issue specialized syscalls
      add: []
    # -- Whether the root filesystem is mounted in read-only mode
    readOnlyRootFilesystem: true
    # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID
    allowPrivilegeEscalation: false
    # -- Requires the container to run without root privileges
    runAsNonRoot: true
    # -- The container's process will run with the specified uid
    runAsUser: 10001

  # -- Extra environment variables that will be pass onto deployment pods
  env: {}
  #  ENV_NAME: value

  # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
  # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
  envValueFrom: {}
  #  ENV_NAME:
  #    configMapKeyRef:
  #      name: configmap-name
  #      key: value_key
  #    secretKeyRef:
  #      name: secret-name
  #      key: value_key

  # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from
  envSecretNames: []
  #  - first-secret
  #  - second-secret

  # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from
  envConfigMapNames: []
  #  - first-config-map
  #  - second-config-map

  ## Ingress declaration to expose the network service.
  ingresses:
    ## Public / Internet facing Ingress
    - enabled: false
      # -- The hostname to be used to precisely map incoming traffic onto the underlying network service
      hostname: "edc-data.local"
      # -- Additional ingress annotations to add
      annotations: {}
      # -- EDC endpoints exposed by this ingress resource
      endpoints:
        - public
      # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class)  to use
      className: ""
      # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource
      tls:
        # -- Enables TLS on the ingress resource
        enabled: false
        # -- If present overwrites the default secret name
        secretName: ""
      ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource
      certManager:
        # -- If preset enables certificate generation via cert-manager namespace scoped issuer
        issuer: ""
        # -- If preset enables certificate generation via cert-manager cluster-wide issuer
        clusterIssuer: ""

  # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container
  volumeMounts:
  # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories
  volumes:

  # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container
  resources:
    limits:
      # -- Maximum CPU limit
      cpu: 1.5
      # -- Maximum memory limit
      memory: 1024Mi
    requests:
      # -- Initial CPU request
      cpu: 500m
      # -- Initial memory request
      memory: 1024Mi

  replicaCount: 1

  autoscaling:
    # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/)
    enabled: false
    # -- Minimal replicas if resource consumption falls below resource threshholds
    minReplicas: 1
    # -- Maximum replicas if resource consumption exceeds resource threshholds
    maxReplicas: 100
    # -- targetAverageUtilization of cpu provided to a pod
    targetCPUUtilizationPercentage: 80
    # -- targetAverageUtilization of memory provided to a pod
    targetMemoryUtilizationPercentage: 80

  # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics
  opentelemetry: |-
    otel.javaagent.enabled=false
    otel.javaagent.debug=false


  # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes
  nodeSelector: {}
  # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes
  tolerations: []
  # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on
  affinity: {}
  url:
    # -- Explicitly declared url for reaching the public api (e.g. if ingresses not used)
    public: ""

postgresql:
  jdbcUrl: "jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc"
  primary:
    persistence:
      enabled: false
  readReplicas:
    persistence:
      enabled: false
  auth:
    database: "edc"
    username: "user"
    password: "password"

vault:
  injector:
    enabled: false
  server:
    dev:
      enabled: true
      devRootToken: "root"
    postStart:    # must be set externally!
  hashicorp:
    url: "http://{{ .Release.Name }}-vault:8200"
    token: "root"
    timeout: 30
    healthCheck:
      enabled: true
      standbyOk: true
    paths:
      secret: /v1/secret
      health: /v1/sys/health

networkPolicy:
  # -- If `true` network policy will be created to restrict access to control- and dataplane
  enabled: false
  # -- Configuration of the controlplane component
  controlplane:
    # -- Specify from rule network policy for cp (defaults to all namespaces)
    from:
    - namespaceSelector: {}
  # -- Configuration of the dataplane component
  dataplane:
    # -- Specify from rule network policy for dp (defaults to all namespaces)
    from:
    - namespaceSelector: {}

serviceAccount:
  # -- Specifies whether a service account should be created
  create: true
  # -- Annotations to add to the service account
  annotations: {}
  # -- The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""
  # -- Existing image pull secret bound to the service account to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry)
  imagePullSecrets: []

# -- Configurations for Helm tests
tests:
  # -- Configure the hook-delete-policy for Helm tests
  hookDeletePolicy: before-hook-creation,hook-succeeded