From c07588e94e8278ac253c3e267f7b2c768b4ca5ff Mon Sep 17 00:00:00 2001 From: Torsten Egenolf Date: Tue, 28 May 2024 23:30:34 +0200 Subject: [PATCH 1/3] feat: deployment with did config and h2 as default db --- k8s/helm/tngkds/README.md | 56 ++++--- .../tngkds/charts/tngkds-backend/README.md | 139 +++++++++--------- .../tngkds-backend/templates/deployment.yaml | 81 +++++----- .../charts/tngkds-backend/values-local.yaml | 13 +- .../tngkds/charts/tngkds-backend/values.yaml | 52 +++++-- k8s/helm/tngkds/values.yaml | 15 +- 6 files changed, 193 insertions(+), 163 deletions(-) diff --git a/k8s/helm/tngkds/README.md b/k8s/helm/tngkds/README.md index 78f00e0..b814bca 100644 --- a/k8s/helm/tngkds/README.md +++ b/k8s/helm/tngkds/README.md 
@@ -14,33 +14,31 @@ The versions from umbrella chart are currently not used, please refer to to corr ## Values -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| tngkds-backend.gateway.connector.enabled | bool | `true` | flag whether the kds is connected to the TNG | -| tngkds-backend.gateway.connector.endpoint | string | `""` | The url where the TNG can be reached | -| tngkds-backend.gateway.connector.max-cache-age | int | `300` | | -| tngkds-backend.gateway.connector.proxy.enabled | bool | `false` | used for development, when KDS is run behind a proxy. If set to true, _tngkds-backend.gateway.connector.proxy.port_ and _tngkds-backend.gateway.connector.proxy.host_ also need to be applied | -| tngkds-backend.gateway.connector.tls_key_store.alias | string | `"clientcredentials"` | | -| tngkds-backend.gateway.connector.tls_key_store.password | string | `""` | | -| tngkds-backend.gateway.connector.tls_key_store.path | string | `"/certs/tls_key_store.p12"` | | -| tngkds-backend.gateway.connector.tls_trust_store.alias | string | `"tng-tls-server-certificate"` | | -| tngkds-backend.gateway.connector.tls_trust_store.password | string | `""` | | -| tngkds-backend.gateway.connector.tls_trust_store.path | string | `"/certs/tng_tls_server_truststore.p12"` | | -| tngkds-backend.gateway.connector.trust_anchor.alias | string | `"trustanchor"` | | -| tngkds-backend.gateway.connector.trust_anchor.password | string | `""` | | -| tngkds-backend.gateway.connector.trust_anchor.path | string | `"/certs/trustanchor_store.jks"` | | -| tngkds-backend.image.tag | string | `""` | | -| tngkds-backend.liquibaseImage.tag | string | `""` | | -| tngkds-backend.path | string | `"/()(*)"` | | -| tngkds-backend.port | int | `8080` | | -| tngkds-backend.psql.asPod.enabled | bool | `false` | | -| tngkds-backend.psql.cluster | string | `"svc.cluster.local"` | | -| tngkds-backend.psql.dbName | string | `"kdsdb"` | | -| tngkds-backend.psql.password | string | `nil` | | -| 
tngkds-backend.psql.port | int | `5432` | | -| tngkds-backend.psql.serviceName | string | `"postgresql-d01.postgres.database.azure.com"` | | -| tngkds-backend.psql.username | string | `nil` | | -| tngkds-postgres.asPod.enabled | bool | `false` | | -| tngkds-postgres.path | string | `"/()(*)"` | | -| tngkds-postgres.port | int | `5432` | | +| Key | Type | Default | Description | +|-----------------------------------------------------------|--------|-------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| tngkds-backend.gateway.connector.enabled | bool | `true` | flag whether the kds is connected to the TNG | +| tngkds-backend.gateway.connector.endpoint | string | `""` | The url where the TNG can be reached | +| tngkds-backend.gateway.connector.max-cache-age | int | `300` | | +| tngkds-backend.gateway.connector.proxy.enabled | bool | `false` | used for development, when KDS is run behind a proxy. 
If set to true, _tngkds-backend.gateway.connector.proxy.port_ and _tngkds-backend.gateway.connector.proxy.host_ also need to be applied | +| tngkds-backend.gateway.connector.tls_key_store.alias | string | `"clientcredentials"` | | +| tngkds-backend.gateway.connector.tls_key_store.password | string | `""` | | +| tngkds-backend.gateway.connector.tls_key_store.path | string | `"/certs/tls_key_store.p12"` | | +| tngkds-backend.gateway.connector.tls_trust_store.alias | string | `"tng-tls-server-certificate"` | | +| tngkds-backend.gateway.connector.tls_trust_store.password | string | `""` | | +| tngkds-backend.gateway.connector.tls_trust_store.path | string | `"/certs/tng_tls_server_truststore.p12"` | | +| tngkds-backend.gateway.connector.trust_anchor.alias | string | `"trustanchor"` | | +| tngkds-backend.gateway.connector.trust_anchor.password | string | `""` | | +| tngkds-backend.gateway.connector.trust_anchor.path | string | `"/certs/trustanchor_store.jks"` | | +| tngkds-backend.image.tag | string | `""` | | +| tngkds-backend.liquibaseImage.tag | string | `""` | | +| tngkds-backend.path | string | `"/()(*)"` | | +| tngkds-backend.port | int | `8080` | | +| tngkds-backend.db.driverclass | String | `org.h2.Driver` | The JDBC driver class | +| tngkds-backend.db.plattform | String | `org.hibernate.dialect.H2Dialect` | The Hibernate dialect | +| tngkds-backend.db.url | String | `jdbc:h2:mem:dgc;DB_CLOSE_ON_EXIT=FALSE;DB_CLOSE_DELAY=-1;` | The JDBC URL for the database connection | +| tngkds-backend.db.username | String | `sa` | The username for the database connection | +| tngkds-backend.db.password | String | `''` | The password for the database connection | +| tngkds-postgres.asPod.enabled | bool | `false` | | +| tngkds-postgres.path | string | `"/()(*)"` | | +| tngkds-postgres.port | int | `5432` | | diff --git a/k8s/helm/tngkds/charts/tngkds-backend/README.md b/k8s/helm/tngkds/charts/tngkds-backend/README.md index df51549..41c9c24 100644 
--- a/k8s/helm/tngkds/charts/tngkds-backend/README.md +++ b/k8s/helm/tngkds/charts/tngkds-backend/README.md 
@@ -7,74 +7,73 @@ A Helm chart for TNG Key Distribution Service ## Values -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| affinity | object | `{}` | | -| autoscaling.enabled | bool | `false` | | -| autoscaling.maxReplicas | int | `100` | | -| autoscaling.minReplicas | int | `1` | | -| autoscaling.targetCPUUtilizationPercentage | int | `80` | | -| did.cron | string | `"*/10 * * * * *"` | spring cronjob configuration, how often shall the did file be generated | -| did.didUploadProvider | string | `"local-file"` | Upload provider for Did document, currently local-file | -| did.localFile.directory | string | `"trustlist"` | If upload provider is local-file: directory of the generated file | -| did.localFile.file-name | string | `"did.json"` | If upload provider is local-file: file-name of the generated file | -| did.did_controller | string | `"did:web:def"` | The controller that is generating the did.json / controlling its contents | -| did.did_id | string | `"did:web:abc"` | The ID of the did entry | -| did.enableDidGeneration | bool | `true` | Shall the did documents be generated | -| did.ld_proof_nonce | string | `"n0nc3"` | Nonce of the Did Document | -| did.ld_proof_verification_method | string | `"did:web:dummy.net"` | Verification Method of the DID Signer. 
Usually a did-link to a did.json containing the public key material that was used to sign this DID | -| did.trust_list_controller_prefix | string | `"did:web:abc"` | | -| did.trust_list_id_prefix | string | `"did:web:abc"` | | -| fullnameOverride | string | `""` | | -| gateway.connector.enabled | bool | `true` | | -| gateway.connector.endpoint | string | `""` | | -| gateway.connector.max-cache-age | int | `300` | | -| gateway.connector.proxy.enabled | bool | `false` | used for development, when your machine needs a proxy to access _tng.who.int_ | -| gateway.connector.tls_key_store.alias | string | `""` | KDS application accesses the cert via its alias | -| gateway.connector.tls_key_store.password | string | `""` | | -| gateway.connector.tls_key_store.path | string | `""` | | -| gateway.connector.tls_trust_store.alias | string | `""` |KDS application accesses the cert via its alias | -| gateway.connector.tls_trust_store.password | string | `""` | | -| gateway.connector.tls_trust_store.path | string | `""` | | -| gateway.connector.trust_anchor.alias | string | `""` | tng application access the cert via its alias | -| gateway.connector.trust_anchor.password | string | `""` | | -| gateway.connector.trust_anchor.path | string | `""` | | -| image.pullPolicy | string | `"IfNotPresent"` | | -| image.repository | string | `"ghcr.io/worldhealthorganization/tng-key-distribution/tng-key-distribution"` | | -| image.tag | string | `"0.0.1-d890889"` | version of the container image to be used for deployment | -| imagePullSecrets | string | `"tng-distribution-pull-secret"` | | -| ingress.annotations | object | `{}` | | -| ingress.className | string | `""` | | -| ingress.enabled | bool | `false` | | -| ingress.hosts[0].host | string | `"chart-example.local"` | | -| ingress.hosts[0].paths[0].path | string | `"/"` | | -| ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | | -| ingress.tls | list | `[]` | | -| liquibaseImage.repository | string | 
`"ghcr.io/worldhealthorganization/tng-key-distribution/tng-key-distribution-initcontainer"` | | -| liquibaseImage.tag | string | `""` | version of the initcontainer image to be used, the tag is the same as for _image.tag_ | -| nameOverride | string | `""` | | -| nodeSelector | object | `{}` | | -| podAnnotations | object | `{}` | | -| podSecurityContext | object | `{}` | | -| psql.cluster | string | `"svc.cluster.local"` | | -| psql.dbName | string | `"postgres"` | Name of the Shema to be used | -| psql.password | string | `""` | Password of the _psql.username_ | -| psql.port | int | `5432` | port where the db service is running | -| psql.serviceName | string | `"postgres"` | Name of the db service | -| psql.username | string | `""` | user that ist used to perform the liquibase actions and to r/w to the DB | -| replicaCount | int | `1` | | -| resources | object | `{}` | | -| securityContext | object | `{}` | | -| server.port | int | `8080` | port of the kds applications api server | -| service.ports[0].name | string | `"http"` | | -| service.ports[0].nodePort | int | `30166` | | -| service.ports[0].port | int | `8080` | | -| service.ports[0].protocol | string | `"TCP"` | | -| service.ports[0].targetPort | int | `8080` | | -| service.type | string | `"NodePort"` | | -| serviceAccount.annotations | object | `{}` | | -| serviceAccount.create | bool | `true` | | -| serviceAccount.name | string | `""` | | -| spring.profile | string | `"cloud"` | {_0..n_} Spring profiles to be activated, usually used for feature toggle, currently not in use (existing values will be ignored) | -| tolerations | list | `[]` | | +| Key | Type | Default | Description | +|--------------------------------------------|--------|---------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------| +| affinity | object | `{}` | | +| 
autoscaling.enabled | bool | `false` | | +| autoscaling.maxReplicas | int | `100` | | +| autoscaling.minReplicas | int | `1` | | +| autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| did.cron | string | `"*/10 * * * * *"` | spring cronjob configuration, how often shall the did file be generated | +| did.didUploadProvider | string | `"local-file"` | Upload provider for Did document, currently local-file | +| did.localFile.directory | string | `"trustlist"` | If upload provider is local-file: directory of the generated file | +| did.localFile.file-name | string | `"did.json"` | If upload provider is local-file: file-name of the generated file | +| did.did_controller | string | `"did:web:def"` | The controller that is generating the did.json / controlling its contents | +| did.did_id | string | `"did:web:abc"` | The ID of the did entry | +| did.enableDidGeneration | bool | `true` | Shall the did documents be generated | +| did.ld_proof_nonce | string | `"n0nc3"` | Nonce of the Did Document | +| did.ld_proof_verification_method | string | `"did:web:dummy.net"` | Verification Method of the DID Signer. 
Usually a did-link to a did.json containing the public key material that was used to sign this DID | +| did.trust_list_controller_prefix | string | `"did:web:abc"` | | +| did.trust_list_id_prefix | string | `"did:web:abc"` | | +| fullnameOverride | string | `""` | | +| gateway.connector.enabled | bool | `true` | | +| gateway.connector.endpoint | string | `""` | | +| gateway.connector.max-cache-age | int | `300` | | +| gateway.connector.proxy.enabled | bool | `false` | used for development, when your machine needs a proxy to access _tng.who.int_ | +| gateway.connector.tls_key_store.alias | string | `""` | KDS application accesses the cert via its alias | +| gateway.connector.tls_key_store.password | string | `""` | | +| gateway.connector.tls_key_store.path | string | `""` | | +| gateway.connector.tls_trust_store.alias | string | `""` | KDS application accesses the cert via its alias | +| gateway.connector.tls_trust_store.password | string | `""` | | +| gateway.connector.tls_trust_store.path | string | `""` | | +| gateway.connector.trust_anchor.alias | string | `""` | tng application access the cert via its alias | +| gateway.connector.trust_anchor.password | string | `""` | | +| gateway.connector.trust_anchor.path | string | `""` | | +| image.pullPolicy | string | `"IfNotPresent"` | | +| image.repository | string | `"ghcr.io/worldhealthorganization/tng-key-distribution/tng-key-distribution"` | | +| image.tag | string | `"0.0.1-d890889"` | version of the container image to be used for deployment | +| imagePullSecrets | string | `"tng-distribution-pull-secret"` | | +| ingress.annotations | object | `{}` | | +| ingress.className | string | `""` | | +| ingress.enabled | bool | `false` | | +| ingress.hosts[0].host | string | `"chart-example.local"` | | +| ingress.hosts[0].paths[0].path | string | `"/"` | | +| ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | | +| ingress.tls | list | `[]` | | +| liquibaseImage.repository | string | 
`"ghcr.io/worldhealthorganization/tng-key-distribution/tng-key-distribution-initcontainer"` | | +| liquibaseImage.tag | string | `""` | version of the initcontainer image to be used, the tag is the same as for _image.tag_ | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| podAnnotations | object | `{}` | | +| podSecurityContext | object | `{}` | | +| db.driverclass | String | `org.h2.Driver` | The JDBC driver class | +| db.plattform | String | `org.hibernate.dialect.H2Dialect` | The Hibernate dialect | +| db.url | String | `jdbc:h2:mem:dgc;DB_CLOSE_ON_EXIT=FALSE;DB_CLOSE_DELAY=-1;` | The JDBC URL for the database connection | +| db.username | String | `sa` | The username for the database connection | +| db.password | String | `''` | The password for the database connection | +| replicaCount | int | `1` | | +| resources | object | `{}` | | +| securityContext | object | `{}` | | +| server.port | int | `8080` | port of the kds applications api server | +| service.ports[0].name | string | `"http"` | | +| service.ports[0].nodePort | int | `30166` | | +| service.ports[0].port | int | `8080` | | +| service.ports[0].protocol | string | `"TCP"` | | +| service.ports[0].targetPort | int | `8080` | | +| service.type | string | `"NodePort"` | | +| serviceAccount.annotations | object | `{}` | | +| serviceAccount.create | bool | `true` | | +| serviceAccount.name | string | `""` | | +| spring.profile | string | `"cloud"` | {_0..n_} Spring profiles to be activated, usually used for feature toggle, currently not in use (existing values will be ignored) | +| tolerations | list | `[]` | | diff --git a/k8s/helm/tngkds/charts/tngkds-backend/templates/deployment.yaml b/k8s/helm/tngkds/charts/tngkds-backend/templates/deployment.yaml index d261cda..deb2317 100644 --- a/k8s/helm/tngkds/charts/tngkds-backend/templates/deployment.yaml +++ b/k8s/helm/tngkds/charts/tngkds-backend/templates/deployment.yaml 
@@ -21,27 +21,6 @@ spec: labels: {{- include "tngkds-backend.labels" . | nindent 8 }} spec: - initContainers: - - name: liquibase - image: "{{ .Values.liquibaseImage.repository }}:{{ .Values.liquibaseImage.tag }}" - command: ["/bin/sh", "-c"] - args: - - liquibase update --changeLogFile=db/changelog.yaml; - env: - - name: LIQUIBASE_COMMAND_URL - {{- if .Values.psql.asPod.enabled }} - value: "jdbc:postgresql://{{ .Values.psql.serviceName }}.{{ .Release.Namespace }}.{{ .Values.psql.cluster }}:{{ .Values.psql.port }}/{{ .Values.psql.dbName }}" - {{ else }} - value: "jdbc:postgresql://{{ .Values.psql.serviceName }}:{{ .Values.psql.port }}/{{ .Values.psql.dbName }}" - {{ end -}} - - name: LIQUIBASE_COMMAND_USERNAME - value: {{ .Values.psql.username | quote }} - - name: LIQUIBASE_COMMAND_PASSWORD - value: {{ .Values.psql.password | quote }} - - name: LIQUIBASE_SEARCH_PATH - value: /liquibase - - name: LIQUIBASE_LOG_LEVEL - value: ERROR imagePullSecrets: - name: {{ .Values.imagePullSecrets }} containers: 
@@ -62,21 +41,17 @@ spec: - name: SPRING_PROFILES_ACTIVE value: {{ .Values.spring.profile }} - name: SPRING_DATASOURCE_URL - {{- if .Values.psql.asPod.enabled }} - value: "jdbc:postgresql://{{ .Values.psql.serviceName }}.{{ .Release.Namespace }}.{{ .Values.psql.cluster }}:{{ .Values.psql.port }}/{{ .Values.psql.dbName }}" - {{ else }} - value: "jdbc:postgresql://{{ .Values.psql.serviceName }}:{{ .Values.psql.port }}/{{ .Values.psql.dbName }}" - {{ end -}} + value: {{ .Values.db.url | quote }} - name: SPRING_DATASOURCE_DRIVERCLASSNAME - value: "org.postgresql.Driver" + value: {{ .Values.db.driverclass | quote }} - name: SPRING_DATASOURCE_JNDI_NAME value: "false" - name: SPRING_JPA_DATABASEPLATFORM - value: "org.hibernate.dialect.PostgreSQLDialect" + value: {{ .Values.db.plattform | quote }} - name: SPRING_DATASOURCE_USERNAME - value: {{ .Values.psql.username | quote }} + value: {{ .Values.db.username | quote }} - name: SPRING_DATASOURCE_PASSWORD - value: {{ .Values.psql.password | quote }} + value: {{ .Values.db.password | quote }} - name: DGC_GATEWAY_CONNECTOR_TLS_TRUST_STORE_PATH value: {{ .Values.gateway.connector.tls_trust_store.path }} - name: DGC_GATEWAY_CONNECTOR_TLS_TRUST_STORE_PASSWORD 
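Review bot: `SPRING_DATASOURCE_PASSWORD` is still a plain `value:` rendered from `.Values.db.password`, so the database credential is written into the Deployment manifest (and into `helm get values` / the release history) instead of being referenced from a Secret; the old `psql.password` had the same problem, but the move to the generic `db.*` keys is the natural point to fix it. The default `''` together with `username: sa` only fits the in-memory H2 default, so any Postgres deployment will have to put a real password through this path. The `env:` list this belongs to starts and ends outside the hunk.
```yaml
# … unchanged: SPRING_DATASOURCE_URL, DRIVERCLASSNAME, JNDI_NAME, JPA_DATABASEPLATFORM, USERNAME …
- name: SPRING_DATASOURCE_PASSWORD
  valueFrom:
    secretKeyRef:
      name: <db-credentials-secret>  # placeholder: the chart defines no such Secret or value yet
      key: password
```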
@@ -100,10 +75,48 @@ spec: - name: DGC_GATEWAY_CONNECTOR_ENDPOINT value: {{ .Values.gateway.connector.endpoint }} {{- if .Values.did.enableDidGeneration }} - {{- range $name, $val := .Values.did }} - - name: DGC_{{ $name | upper }} - value: {{ $val | quote }} - {{- end }} + - name: DGC_DID_CRON + value: "{{ .Values.did.cron }}" + - name: DGC_DID_DIDUPLOADPROVIDER + value: "{{ .Values.did.didUploadProvider }}" + - name: DGC_DID_LOCALFILE_DIRECTORY + value: "{{ .Values.did.localFile.directory }}" + - name: DGC_DID_LOCALFILE_FILENAME + value: "{{ index .Values.did.localFile.filename }}" + - name: DGC_DID_GIT_WORKDIR + value: "{{ .Values.did.git.workdir }}" + - name: DGC_DID_GIT_PREFIX + value: "{{ .Values.did.git.prefix }}" + - name: DGC_DID_GIT_URL + value: "{{ .Values.did.git.url }}" + - name: DGC_DID_GIT_PAT + value: "{{ .Values.did.git.pat }}" + - name: DGC_DID_DIDSIGNINGPROVIDER + value: "{{ .Values.did.didSigningProvider }}" + - name: DGC_DID_LDPROOFVERIFICATIONMETHOD + value: "{{ index .Values.did "ld-proof-verification-method" }}" + - name: DGC_DID_DIDID + value: "{{ index .Values.did "did-id" }}" + - name: DGC_DID_TRUSTLISTPATH + value: "{{ index .Values.did "trust-list-path" }}" + - name: DGC_DID_TRUSTLISTREFPATH + value: "{{ index .Values.did "trust-list-ref-path" }}" + - name: DGC_DID_DIDCONTROLLER + value: "{{ index .Values.did "did-controller" }}" + - name: DGC_DID_TRUSTLISTIDPREFIX + value: "{{ index .Values.did "trust-list-id-prefix" }}" + - name: DGC_DID_TRUSTLISTCONTROLLEPREFIX + value: "{{ index .Values.did "trust-list-controller-prefix" }}" + {{- range $key, $value := .Values.did.virtualCountries }} + - name: DGC_DID_VIRTUALCOUNTRIES_{{ $key | toString | upper }} + value: "{{ $value }}" + {{- end }} + - name: DGC_DID_GROUPDENYLIST + value: "{{ join "," (index .Values.did "group-deny-list") }}" + {{- range $key, $value := index .Values.did "group-name-mapping" }} + - name: DGC_DID_GROUPNAMEMAPPING_{{ $key | toString | upper }} + value: "{{ $value 
}}" + {{- end }} {{- end }} volumeMounts: - name: secrets-jks diff --git a/k8s/helm/tngkds/charts/tngkds-backend/values-local.yaml b/k8s/helm/tngkds/charts/tngkds-backend/values-local.yaml index 8c4729f..a2d6ed5 100644 --- a/k8s/helm/tngkds/charts/tngkds-backend/values-local.yaml +++ b/k8s/helm/tngkds/charts/tngkds-backend/values-local.yaml @@ -88,12 +88,13 @@ tolerations: [] affinity: {} -# Postgres -psql: - serviceName: postgres - port: 5432 - dbName: postgres - cluster: svc.cluster.local +# H2 +db: + driverclass: org.h2.Driver + plattform: org.hibernate.dialect.H2Dialect + url: jdbc:h2:mem:dgc;DB_CLOSE_ON_EXIT=FALSE;DB_CLOSE_DELAY=-1; + username: sa + password: '' # ConfigMap configMap: diff --git a/k8s/helm/tngkds/charts/tngkds-backend/values.yaml b/k8s/helm/tngkds/charts/tngkds-backend/values.yaml index fff857c..84bac08 100644 --- a/k8s/helm/tngkds/charts/tngkds-backend/values.yaml +++ b/k8s/helm/tngkds/charts/tngkds-backend/values.yaml @@ -99,14 +99,13 @@ tolerations: [] affinity: {} -# Postgres -psql: - serviceName: postgres - port: 5432 - dbName: postgres - cluster: svc.cluster.local - username: - password: +# H2 +db: + driverclass: org.h2.Driver + plattform: org.hibernate.dialect.H2Dialect + url: jdbc:h2:mem:dgc;DB_CLOSE_ON_EXIT=FALSE;DB_CLOSE_DELAY=-1; + username: sa + password: '' # ConfigMap # configMap: 
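Review bot: `DGC_DID_LOCALFILE_FILENAME` reads `.Values.did.localFile.filename`, but the values.yaml hunk in this same patch defines the key as `localFile.file-name`, so the lookup renders an empty string; the follow-up commit `fix: value preparation in deployment MF` only drops the `index` call and keeps the wrong key, so the line should be `value: "{{ index .Values.did.localFile "file-name" }}"`. `DGC_DID_GIT_PAT` renders a personal access token as a plain `value:` from `.Values.did.git.pat` (left as `pat: #TODO: set by secret` in values.yaml); it should come from a Secret via `valueFrom.secretKeyRef` so the token is never stored in the manifest or release history. `DGC_DID_TRUSTLISTCONTROLLEPREFIX` looks like a typo for `DGC_DID_TRUSTLISTCONTROLLERPREFIX` — unless the application really reads that spelling, the value of `trust-list-controller-prefix` will never bind. The surrounding `env:` list starts outside the hunk.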
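Review bot: The chart default `db.url` is now an in-memory H2 database (`jdbc:h2:mem:dgc;...`), which means every pod holds its own private copy of the data and loses it on restart; with autoscaling enabled (the chart allows up to `autoscaling.maxReplicas: 100`) replicas would serve diverging trust-list state. That is fine for `values-local.yaml`, but as the shipped default — and in the umbrella `k8s/helm/tngkds/values.yaml` hunk, where it replaces the managed Postgres instance — it should at least be called out, e.g. `# in-memory H2: data is per-pod and not persisted; point db.* at PostgreSQL for anything but local testing`. The key `plattform` is a misspelling of `platform`; it is used consistently in the template and READMEs, so it works, but renaming it now is cheaper than later. The liquibase init container was removed in the same patch, so a Postgres database configured via `db.*` presumably no longer gets its schema migrated — worth confirming before this is merged.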
@@ -143,12 +142,35 @@ gateway: password: path: did: - enableDidGeneration: true cron: "*/10 * * * * *" + enableDidGeneration: true didUploadProvider: local-file - ld_proof_verification_method: did:web:dummy.net - ld_proof_nonce: n0nc3 - did_id: did:web:abc - did_controller: did:web:def - trust_list_id_prefix: did:web:abc - trust_list_controller_prefix: did:web:abc + localFile: + directory: ./kdsgitworkdir/tng-cdn-dev/v2.0.0 + file-name: did.json + git: + workdir: ./kdsgituploader # oon clonind will checkout e.g. tng-cdn-dev + prefix: v2.0.0 #for copy action into git workdir from local file exporter path + url: https://github.com/WorldHealthOrganization/tng-cdn-dev + pat: #TODO: set by secret + didSigningProvider: dummy + ld-proof-verification-method: did:web:dummy.net + did-id: did:web:worldhealthorganization.github.io:tng-cdn-dev:v2.0.0 + trust-list-path: trustlist + trust-list-ref-path: trustlist-ref + did-controller: did:web:def + trust-list-id-prefix: did:web:abc + trust-list-controller-prefix: did:web:abc + contextMapping: + "[https://www.w3.org/ns/did/v1]": did_v1.json + "[https://w3id.org/security/suites/jws-2020/v1]": jws-2020_v1.json + virtualCountries: + XA: XXA + XB: XXB + XO: XXO + XL: XCL + EU: XEU + group-deny-list: + - UPLOAD + group-name-mapping: + CSCA: SCA diff --git a/k8s/helm/tngkds/values.yaml b/k8s/helm/tngkds/values.yaml index 1544a3c..0d6c767 100644 --- a/k8s/helm/tngkds/values.yaml +++ b/k8s/helm/tngkds/values.yaml 
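Review bot: The new `did` keys mix naming styles — `localFile.file-name`, `ld-proof-verification-method`, `trust-list-id-prefix` in kebab-case next to `didUploadProvider`, `didSigningProvider`, `virtualCountries` in camelCase — which forces the template to switch between dotted access and `index` per key and is what makes the `localFile.filename` lookup in deployment.yaml miss `file-name`; a single camelCase convention (`fileName`, `ldProofVerificationMethod`, …) would let every lookup be a plain `.Values.did.x`. `contextMapping` has no matching entry in the deployment's env list, so either it is unused or the template is missing a range over it analogous to the `DGC_DID_VIRTUALCOUNTRIES_*` block — presumably the latter, please confirm. `pat: #TODO: set by secret` leaves an empty key that the template still renders into the pod spec as plain text; a comment stating the intended Secret wiring, or dropping the key until that exists, would avoid a token being pasted here. The defaults also mix an environment-specific identifier (`did-id: did:web:worldhealthorganization.github.io:tng-cdn-dev:v2.0.0`) with placeholders (`did-controller: did:web:def`, `trust-list-id-prefix: did:web:abc`); either all should be placeholders or all real values for the target environment. The comment `# oon clonind will checkout e.g. tng-cdn-dev` should read `# on cloning will check out e.g. tng-cdn-dev`.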
@@ -16,15 +16,12 @@ tngkds-backend: tag: path: /()(*) port: 8080 - psql: - serviceName: postgresql-d01.postgres.database.azure.com - port: 5432 - dbName: kdsdb - cluster: svc.cluster.local # will be used if db is running as Pod - username: - password: - asPod: - enabled: false # run db as Service or Pod,set in conjunction with tngkds-postgres + db: + driverclass: org.h2.Driver + plattform: org.hibernate.dialect.H2Dialect + url: jdbc:h2:mem:dgc;DB_CLOSE_ON_EXIT=FALSE;DB_CLOSE_DELAY=-1; + username: sa + password: '' gateway: connector: enabled: true From ce3eaf7af930f9accc37248ecb9dad251070273c Mon Sep 17 00:00:00 2001 From: Andreas Scheibal Date: Wed, 29 May 2024 10:49:07 +0200 Subject: [PATCH 2/3] fix: value preparation in deployment MF --- k8s/helm/tngkds/charts/tngkds-backend/templates/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/helm/tngkds/charts/tngkds-backend/templates/deployment.yaml b/k8s/helm/tngkds/charts/tngkds-backend/templates/deployment.yaml index deb2317..828c5e6 100644 --- a/k8s/helm/tngkds/charts/tngkds-backend/templates/deployment.yaml +++ b/k8s/helm/tngkds/charts/tngkds-backend/templates/deployment.yaml @@ -82,7 +82,7 @@ spec: - name: DGC_DID_LOCALFILE_DIRECTORY value: "{{ .Values.did.localFile.directory }}" - name: DGC_DID_LOCALFILE_FILENAME - value: "{{ index .Values.did.localFile.filename }}" + value: "{{ .Values.did.localFile.filename }}" - name: DGC_DID_GIT_WORKDIR value: "{{ .Values.did.git.workdir }}" - name: DGC_DID_GIT_PREFIX From 7ce0e6888e5711597bc4b15e795e6c7783c7b319 Mon Sep 17 00:00:00 2001 From: Torsten Egenolf Date: Wed, 29 May 2024 17:53:37 +0200 Subject: [PATCH 3/3] docs: addded configuration documentation --- .../tngkds/charts/tngkds-backend/README.md | 145 +++++++++--------- .../tngkds/charts/tngkds-backend/values.yaml | 4 +- 2 files changed, 78 insertions(+), 71 deletions(-) 
diff --git a/k8s/helm/tngkds/charts/tngkds-backend/README.md b/k8s/helm/tngkds/charts/tngkds-backend/README.md index 41c9c24..42a95f8 100644 --- a/k8s/helm/tngkds/charts/tngkds-backend/README.md +++ b/k8s/helm/tngkds/charts/tngkds-backend/README.md 
@@ -7,73 +7,80 @@ A Helm chart for TNG Key Distribution Service ## Values -| Key | Type | Default | Description | -|--------------------------------------------|--------|---------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------| -| affinity | object | `{}` | | -| autoscaling.enabled | bool | `false` | | -| autoscaling.maxReplicas | int | `100` | | -| autoscaling.minReplicas | int | `1` | | -| autoscaling.targetCPUUtilizationPercentage | int | `80` | | -| did.cron | string | `"*/10 * * * * *"` | spring cronjob configuration, how often shall the did file be generated | -| did.didUploadProvider | string | `"local-file"` | Upload provider for Did document, currently local-file | -| did.localFile.directory | string | `"trustlist"` | If upload provider is local-file: directory of the generated file | -| did.localFile.file-name | string | `"did.json"` | If upload provider is local-file: file-name of the generated file | -| did.did_controller | string | `"did:web:def"` | The controller that is generating the did.json / controlling its contents | -| did.did_id | string | `"did:web:abc"` | The ID of the did entry | -| did.enableDidGeneration | bool | `true` | Shall the did documents be generated | -| did.ld_proof_nonce | string | `"n0nc3"` | Nonce of the Did Document | -| did.ld_proof_verification_method | string | `"did:web:dummy.net"` | Verification Method of the DID Signer. 
Usually a did-link to a did.json containing the public key material that was used to sign this DID | -| did.trust_list_controller_prefix | string | `"did:web:abc"` | | -| did.trust_list_id_prefix | string | `"did:web:abc"` | | -| fullnameOverride | string | `""` | | -| gateway.connector.enabled | bool | `true` | | -| gateway.connector.endpoint | string | `""` | | -| gateway.connector.max-cache-age | int | `300` | | -| gateway.connector.proxy.enabled | bool | `false` | used for development, when your machine needs a proxy to access _tng.who.int_ | -| gateway.connector.tls_key_store.alias | string | `""` | KDS application accesses the cert via its alias | -| gateway.connector.tls_key_store.password | string | `""` | | -| gateway.connector.tls_key_store.path | string | `""` | | -| gateway.connector.tls_trust_store.alias | string | `""` | KDS application accesses the cert via its alias | -| gateway.connector.tls_trust_store.password | string | `""` | | -| gateway.connector.tls_trust_store.path | string | `""` | | -| gateway.connector.trust_anchor.alias | string | `""` | tng application access the cert via its alias | -| gateway.connector.trust_anchor.password | string | `""` | | -| gateway.connector.trust_anchor.path | string | `""` | | -| image.pullPolicy | string | `"IfNotPresent"` | | -| image.repository | string | `"ghcr.io/worldhealthorganization/tng-key-distribution/tng-key-distribution"` | | -| image.tag | string | `"0.0.1-d890889"` | version of the container image to be used for deployment | -| imagePullSecrets | string | `"tng-distribution-pull-secret"` | | -| ingress.annotations | object | `{}` | | -| ingress.className | string | `""` | | -| ingress.enabled | bool | `false` | | -| ingress.hosts[0].host | string | `"chart-example.local"` | | -| ingress.hosts[0].paths[0].path | string | `"/"` | | -| ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | | -| ingress.tls | list | `[]` | | -| liquibaseImage.repository | string | 
`"ghcr.io/worldhealthorganization/tng-key-distribution/tng-key-distribution-initcontainer"` | | -| liquibaseImage.tag | string | `""` | version of the initcontainer image to be used, the tag is the same as for _image.tag_ | -| nameOverride | string | `""` | | -| nodeSelector | object | `{}` | | -| podAnnotations | object | `{}` | | -| podSecurityContext | object | `{}` | | -| db.driverclass | String | `org.h2.Driver` | The JDBC driver class | -| db.plattform | String | `org.hibernate.dialect.H2Dialect` | The Hibernate dialect | -| db.url | String | `jdbc:h2:mem:dgc;DB_CLOSE_ON_EXIT=FALSE;DB_CLOSE_DELAY=-1;` | The JDBC URL for the database connection | -| db.username | String | `sa` | The username for the database connection | -| db.password | String | `''` | The password for the database connection | -| replicaCount | int | `1` | | -| resources | object | `{}` | | -| securityContext | object | `{}` | | -| server.port | int | `8080` | port of the kds applications api server | -| service.ports[0].name | string | `"http"` | | -| service.ports[0].nodePort | int | `30166` | | -| service.ports[0].port | int | `8080` | | -| service.ports[0].protocol | string | `"TCP"` | | -| service.ports[0].targetPort | int | `8080` | | -| service.type | string | `"NodePort"` | | -| serviceAccount.annotations | object | `{}` | | -| serviceAccount.create | bool | `true` | | -| serviceAccount.name | string | `""` | | -| spring.profile | string | `"cloud"` | {_0..n_} Spring profiles to be activated, usually used for feature toggle, currently not in use (existing values will be ignored) | -| tolerations | list | `[]` | | +| Key | Type | Default | Description | 
+|--------------------------------------------|--------|---------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| affinity | object | `{}` | | +| autoscaling.enabled | bool | `false` | | +| autoscaling.maxReplicas | int | `100` | | +| autoscaling.minReplicas | int | `1` | | +| autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| did.cron | string | `"*/10 * * * * *"` | spring cronjob configuration, how often shall the did file be generated | +| did.didUploadProvider | string | `"local-file"` | Upload provider for Did document, currently local-file | +| did.localFile.directory | string | `"trustlist"` | If upload provider is local-file: directory of the generated file | +| did.localFile.file-name | string | `"did.json"` | If upload provider is local-file: file-name of the generated file | +| did.did_controller | string | `"did:web:def"` | The controller that is generating the did.json / controlling its contents | +| did.did_id | string | `"did:web:abc"` | The ID of the did entry | +| did.enableDidGeneration | bool | `true` | Shall the did documents be generated | +| did.ld_proof_nonce | string | `"n0nc3"` | Nonce of the Did Document | +| did.ld_proof_verification_method | string | `"did:web:dummy.net"` | Verification Method of the DID Signer. 
Usually a did-link to a did.json containing the public key material that was used to sign this DID | +| did.trust_list_controller_prefix | string | `"did:web:abc"` | | +| did.trust_list_id_prefix | string | `"did:web:abc"` | | +| did.workdir | string | `"/tmp/kdsgituploader"` | local folder used for checkout and update git repository | +| did.prefix | string | `"v2.0.0"` | prefix used as root folder name for generated files | +| did.url | string | `"https://github.com/WorldHealthOrganization/tng-cdn-dev"` | the git repository to work in | +| did.pat | string | `"git did pat by secret tng-bot-dev"` | the personal access token of the technical user that has permission to write to the repository | +| did.didSigningProvider | string | `"dummy"`, `"local-keystore"` for configured private key | signing provider to be used to sign the did documents (proof section). dummy can be used for dev. "local-keystore"` should be used with configured private key in keystore. (see: How to setup signing material for DID Signing in [certs documentation](../../../../../certs/PlaceYourGatewayAccessKeysHere.md) | +| did.trust-list-path | string | `"trustlist"` | path that contains DID documents of trustlist | +| did.trust-list-ref-path | string | `"trustlist-ref"` | path that contains DID documents with references only | +| fullnameOverride | string | `""` | | +| gateway.connector.enabled | bool | `true` | | +| gateway.connector.endpoint | string | `""` | | +| gateway.connector.max-cache-age | int | `300` | | +| gateway.connector.proxy.enabled | bool | `false` | used for development, when your machine needs a proxy to access _tng.who.int_ | +| gateway.connector.tls_key_store.alias | string | `""` | KDS application accesses the cert via its alias | +| gateway.connector.tls_key_store.password | string | `""` | | +| gateway.connector.tls_key_store.path | string | `""` | | +| gateway.connector.tls_trust_store.alias | string | `""` | KDS application accesses the cert via its alias | +| 
gateway.connector.tls_trust_store.password | string | `""` | | +| gateway.connector.tls_trust_store.path | string | `""` | | +| gateway.connector.trust_anchor.alias | string | `""` | tng application access the cert via its alias | +| gateway.connector.trust_anchor.password | string | `""` | | +| gateway.connector.trust_anchor.path | string | `""` | | +| image.pullPolicy | string | `"IfNotPresent"` | | +| image.repository | string | `"ghcr.io/worldhealthorganization/tng-key-distribution/tng-key-distribution"` | | +| image.tag | string | `"0.0.1-d890889"` | version of the container image to be used for deployment | +| imagePullSecrets | string | `"tng-distribution-pull-secret"` | | +| ingress.annotations | object | `{}` | | +| ingress.className | string | `""` | | +| ingress.enabled | bool | `false` | | +| ingress.hosts[0].host | string | `"chart-example.local"` | | +| ingress.hosts[0].paths[0].path | string | `"/"` | | +| ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | | +| ingress.tls | list | `[]` | | +| liquibaseImage.repository | string | `"ghcr.io/worldhealthorganization/tng-key-distribution/tng-key-distribution-initcontainer"` | | +| liquibaseImage.tag | string | `""` | version of the initcontainer image to be used, the tag is the same as for _image.tag_ | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| podAnnotations | object | `{}` | | +| podSecurityContext | object | `{}` | | +| db.driverclass | String | `org.h2.Driver` | The JDBC driver class | +| db.plattform | String | `org.hibernate.dialect.H2Dialect` | The Hibernate dialect | +| db.url | String | `jdbc:h2:mem:dgc;DB_CLOSE_ON_EXIT=FALSE;DB_CLOSE_DELAY=-1;` | The JDBC URL for the database connection | +| db.username | String | `sa` | The username for the database connection | +| db.password | String | `''` | The password for the database connection | +| replicaCount | int | `1` | | +| resources | object | `{}` | | +| securityContext | object | `{}` | 
| +| server.port | int | `8080` | port of the kds applications api server | +| service.ports[0].name | string | `"http"` | | +| service.ports[0].nodePort | int | `30166` | | +| service.ports[0].port | int | `8080` | | +| service.ports[0].protocol | string | `"TCP"` | | +| service.ports[0].targetPort | int | `8080` | | +| service.type | string | `"NodePort"` | | +| serviceAccount.annotations | object | `{}` | | +| serviceAccount.create | bool | `true` | | +| serviceAccount.name | string | `""` | | +| spring.profile | string | `"cloud"` | {_0..n_} Spring profiles to be activated, usually used for feature toggle, currently not in use (existing values will be ignored) | +| tolerations | list | `[]` | | diff --git a/k8s/helm/tngkds/charts/tngkds-backend/values.yaml b/k8s/helm/tngkds/charts/tngkds-backend/values.yaml index 84bac08..c26858c 100644 --- a/k8s/helm/tngkds/charts/tngkds-backend/values.yaml +++ b/k8s/helm/tngkds/charts/tngkds-backend/values.yaml @@ -146,10 +146,10 @@ did: enableDidGeneration: true didUploadProvider: local-file localFile: - directory: ./kdsgitworkdir/tng-cdn-dev/v2.0.0 + directory: /tmp/kdsgitworkdir/tng-cdn-dev/v2.0.0 file-name: did.json git: - workdir: ./kdsgituploader # oon clonind will checkout e.g. tng-cdn-dev + workdir: /tmp/kdsgituploader # oon clonind will checkout e.g. tng-cdn-dev prefix: v2.0.0 #for copy action into git workdir from local file exporter path url: https://github.com/WorldHealthOrganization/tng-cdn-dev pat: #TODO: set by secret
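Review bot: Moving the git checkout and export directories to `/tmp/…` makes the chart depend on a writable `/tmp` inside the container; with `securityContext` left at `{}` (as the README table shows) that works on a writable root filesystem, but it breaks as soon as someone hardens the pod with `readOnlyRootFilesystem: true`, which is the usual baseline for a service holding signing material and a repo-write token. Consider backing the path with an `emptyDir` mounted at `/tmp` in the deployment template (outside this hunk) and documenting the dependency next to `workdir`, e.g. `# must be writable at runtime; mount an emptyDir here when running with a read-only root filesystem`. The unchanged `pat: #TODO: set by secret` line holds the write-capable token for the public `tng-cdn-dev` repository, so it should only ever be injected via a `secretKeyRef` and never committed as a value; if the template already does that, the comment should say so instead of TODO. Minor: the inline comment `oon clonind will checkout` should read `on cloning will check out`, and the `did:` mapping itself begins before the hunk.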