From c162cada45cd0a885d0546214a18a32a7ac41f02 Mon Sep 17 00:00:00 2001 From: rohit-smartsensesolutions Date: Tue, 24 Sep 2024 15:03:42 +0530 Subject: [PATCH] fix: zap scan errors --- .github/workflows/release.yml | 250 ++++++++++++++++++ charts/managed-identity-wallet/README.md | 22 +- .../templates/networkpolicy.yaml | 2 +- .../templates/vcrs-deployment.yaml | 81 ++++-- .../templates/vcrs-hpa.yaml | 32 +++ charts/managed-identity-wallet/values.yaml | 58 ++-- 6 files changed, 389 insertions(+), 56 deletions(-) create mode 100644 .github/workflows/release.yml create mode 100644 charts/managed-identity-wallet/templates/vcrs-hpa.yaml diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 00000000..e760bd4b --- /dev/null +++ b/.github/workflows/release.yml 
@@ -0,0 +1,250 @@ +# Copyright (c) 2021-2023 Contributors to the Eclipse Foundation + +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. + +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +# SPDX-License-Identifier: Apache-2.0 +--- + + name: Semantic Release + on: + push: + branches: + - main + - develop + pull_request: + branches: + - main + - develop + + env: + IMAGE_NAMESPACE: "tractusx" + IMAGE_NAME: "managed-identity-wallet" + + jobs: + + semantic_release: + name: Repository Release + runs-on: ubuntu-latest + permissions: + # see https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs + contents: write + pull-requests: write + packages: write + outputs: + next_release: ${{ steps.semantic-release.outputs.next_release }} + will_create_new_release: ${{ steps.semantic-release.outputs.will_create_new_release }} + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Validate Gradle wrapper + uses: gradle/wrapper-validation-action@v2 + + - name: Setup Helm + uses: azure/setup-helm@v4.1.0 + + - name: Setup JDK 17 + uses: actions/setup-java@v4 + with: + java-version: '17' + distribution: 'temurin' + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: 20 + + # setup helm-docs as it is needed during semantic-release + - uses: gabe565/setup-helm-docs-action@v1 + name: Setup helm-docs + if: github.event_name != 'pull_request' + with: + version: v1.11.3 + + - name: Run semantic release 
+ id: semantic-release + if: github.event_name != 'pull_request' + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GIT_AUTHOR_EMAIL: ${{ github.actor }}@users.noreply.github.com + GIT_COMMITTER_EMAIL: ${{ github.actor }}@users.noreply.github.com + run: | + npx --yes -p @semantic-release/exec -p @semantic-release/changelog -p @semantic-release/git -p @semantic-release/commit-analyzer -p @semantic-release/release-notes-generator semantic-release + + - name: Run semantic release (dry run) + if: github.event_name == 'pull_request' + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GIT_AUTHOR_EMAIL: ${{ github.actor }}@users.noreply.github.com + GIT_COMMITTER_EMAIL: ${{ github.actor }}@users.noreply.github.com + run: | + npx --yes -p @semantic-release/exec -p @semantic-release/github -p @semantic-release/changelog -p @semantic-release/git -p @semantic-release/commit-analyzer -p @semantic-release/release-notes-generator semantic-release --dry-run + + - name: Execute Gradle build + run: ./gradlew build + + - name: Upload build artifact + uses: actions/upload-artifact@v4 + with: + name: build + path: ./miw/build + if-no-files-found: error + retention-days: 1 + + - name: Upload Helm chart artifact + uses: actions/upload-artifact@v4 + with: + name: charts + path: ./charts + if-no-files-found: error + retention-days: 1 + + - name: Report semantic-release outputs + run: | + echo "::notice::${{ env.next_release }}" + echo "::notice::${{ env.will_create_new_release }}" + + - name: Upload jar to GitHub release + if: github.event_name != 'pull_request' && steps.semantic-release.outputs.will_create_new_release == 'true' + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + RELEASE_VERSION: ${{ steps.semantic-release.outputs.next_release }} + run: | + echo "::notice::Uploading jar to GitHub release" + gh release upload "v$RELEASE_VERSION" ./miw/build/libs/miw-latest.jar + + docker: + name: Docker Release + needs: semantic_release + runs-on: ubuntu-latest + steps: + - name: Checkout 
repository + uses: actions/checkout@v4 + - name: Download build artifact + uses: actions/download-artifact@v4 + with: + name: build + path: ./miw/build + + - name: Download Helm chart artifact + uses: actions/download-artifact@v4 + with: + name: charts + path: ./charts + + # Create SemVer or ref tags dependent of trigger event + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + images: | + ${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }} + # Automatically prepare image tags; See action docs for more examples. + # semver patter will generate tags like these for example :1 :1.2 :1.2.3 + tags: | + type=ref,event=branch + type=ref,event=pr + type=semver,pattern={{version}},value=${{ needs.semantic_release.outputs.next_release }} + type=semver,pattern={{major}},value=${{ needs.semantic_release.outputs.next_release }} + type=semver,pattern={{major}}.{{minor}},value=${{ needs.semantic_release.outputs.next_release }} + type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }} + + - name: DockerHub login + if: github.event_name != 'pull_request' + uses: docker/login-action@v3 + with: + # Use existing DockerHub credentials present as secrets + username: ${{ secrets.DOCKER_HUB_USER }} + password: ${{ secrets.DOCKER_HUB_TOKEN }} + + - name: Push image + uses: docker/build-push-action@v5 + with: + context: . 
+ push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + + # https://github.com/peter-evans/dockerhub-description + # Important step to push image description to DockerHub + - name: Update Docker Hub description + if: github.event_name != 'pull_request' + uses: peter-evans/dockerhub-description@v3 + with: + # readme-filepath defaults to toplevel README.md, Only necessary if you have a dedicated file with your 'Notice for docker images' + readme-filepath: Docker-hub-notice.md + username: ${{ secrets.DOCKER_HUB_USER }} + password: ${{ secrets.DOCKER_HUB_TOKEN }} + repository: ${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }} + + helm: + name: Helm Release + needs: semantic_release + runs-on: ubuntu-latest + permissions: + contents: write + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Download Helm chart artifact + uses: actions/download-artifact@v4 + with: + name: charts + path: ./charts + + - name: Install Helm + uses: azure/setup-helm@v4.1.0 + + - name: Add Helm dependency repositories + run: | + helm repo add bitnami https://charts.bitnami.com/bitnami + + - name: Configure Git + run: | + git config user.name "$GITHUB_ACTOR" + git config user.email "$GITHUB_ACTOR@users.noreply.github.com" + + - name: Release chart + if: github.event_name != 'pull_request' && needs.semantic_release.outputs.will_create_new_release == 'true' + run: | + # Package MIW chart + helm_package_path=$(helm package -u -d helm-charts ./charts/managed-identity-wallet | grep -o 'to: .*' | cut -d' ' -f2-) + echo "HELM_PACKAGE_PATH=$helm_package_path" >> $GITHUB_ENV + + # Commit and push to gh-pages + git add helm-charts + git stash -- helm-charts + git reset --hard + git fetch origin + git checkout gh-pages + git stash pop + + # Generate helm repo index.yaml + helm repo index . 
--merge index.yaml --url https://${GITHUB_REPOSITORY_OWNER}.github.io/${GITHUB_REPOSITORY#*/}/ + git add index.yaml + + git commit -s -m "Release ${{ needs.semantic_release.outputs.next_release }}" + + git push origin gh-pages + + - name: Upload chart to GitHub release + if: github.event_name != 'pull_request' && needs.semantic_release.outputs.will_create_new_release == 'true' + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + RELEASE_VERSION: ${{ needs.semantic_release.outputs.next_release }} + HELM_PACKAGE_PATH: ${{ env.HELM_PACKAGE_PATH }} + run: | + echo "::notice::Uploading chart to GitHub release" + gh release upload "v$RELEASE_VERSION" "$HELM_PACKAGE_PATH" \ No newline at end of file diff --git a/charts/managed-identity-wallet/README.md b/charts/managed-identity-wallet/README.md index c157e1e5..8aff8490 100644 --- a/charts/managed-identity-wallet/README.md +++ b/charts/managed-identity-wallet/README.md 
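Review bot: The release steps execute whatever the npm registry serves at run time — `npx --yes -p @semantic-release/exec -p @semantic-release/changelog … semantic-release` resolves unpinned plugin versions inside a job that holds a `contents: write`/`packages: write` token and feeds the Docker Hub and gh-pages publishes, so a compromised or hijacked plugin release would run with publish rights. Pin every `-p` package to an exact version (or commit a `package.json`/`package-lock.json` and run `npm ci && npx semantic-release`), and pin the third-party actions (`azure/setup-helm`, `gabe565/setup-helm-docs-action`, `peter-evans/dockerhub-description`, the `docker/*` actions) to full commit SHAs rather than mutable tags. The `docker` job declares no `permissions:` block and therefore inherits the repository default for `GITHUB_TOKEN`; it only needs `permissions: contents: read`, since the push itself uses `DOCKER_HUB_TOKEN`. Separately, the `Report semantic-release outputs` step reads `${{ env.next_release }}` and `${{ env.will_create_new_release }}`, which are step outputs and never exported as env, so the notices are always empty; use `${{ steps.semantic-release.outputs.next_release }}` and the matching `will_create_new_release` output.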
@@ -201,7 +201,7 @@ See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command document | serviceAccount.create | bool | `true` | Enable creation of ServiceAccount | | serviceAccount.name | string | `""` | The name of the ServiceAccount to use. | | tolerations | list | `[]` | Tolerations configuration | -| vcrs | object | `{"configName":"verifiable-credential-revocation-service","database":{"encryptionKey":{"secret":"","secretKey":"","value":""}},"env":{"APPLICATION_LOG_LEVEL":"DEBUG","APPLICATION_NAME":"verifiable-credential-revocation-service","APPLICATION_PORT":8081,"APPLICATION_PROFILE":"local","APP_LOG_LEVEL":"INFO","AUTH_SERVER_URL":"http://{{ .Release.Name }}-keycloak","DATABASE_CONNECTION_POOL_SIZE":10,"DATABASE_HOST":"managed-identity-wallet-postgresql","DATABASE_NAME":"vcrs_app","DATABASE_PORT":5432,"DATABASE_USERNAME":"vcrs","DATABASE_USE_SSL_COMMUNICATION":false,"DOMAIN_URL":"https://977d-203-129-213-107.ngrok-free.app","ENABLE_API_DOC":true,"ENABLE_SWAGGER_UI":true,"KEYCLOAK_CLIENT_ID":"miw_private_client","KEYCLOAK_PUBLIC_CLIENT_ID":"miw_public_client","KEYCLOAK_REALM":"miw_test","MIW_URL":"https://a888-203-129-213-107.ngrok-free.app","SERVICE_SECURITY_ENABLED":true,"VC_SCHEMA_LINK":"https://www.w3.org/2018/credentials/v1, 
https://cofinity-x.github.io/schema-registry/w3c/v1.0/BitstringStatusList.json"},"fullnameOverride":"verifiable-credential-revocation-service","host":"localhost","image":{"pullPolicy":"IfNotPresent","repository":"public.ecr.aws/w6s7t8e0/tractusx/verifiable-credential-revocation-service","tag":"latest"},"ingress":{"annotations":{},"className":"","enabled":false,"hosts":null,"service":{"port":8081,"type":"ClusterIP"},"tls":[]},"ingressName":"verifiable-credential-revocation-service-ingress","livenessProbe":{"enabled":true,"failureThreshold":5,"initialDelaySeconds":60,"periodSeconds":15,"timeoutSeconds":30},"nameOverride":"verifiable-credential-revocation-service","readinessProbe":{"enabled":true,"failureThreshold":5,"initialDelaySeconds":60,"periodSeconds":15,"successThreshold":1,"timeoutSeconds":15},"replicaCount":1,"resources":{"limits":{"cpu":"500m","memory":"1Gi"},"requests":{"cpu":"250m","memory":"512Mi"}},"secretName":"verifiable-credential-revocation-service","secrets":{"DATABASE_PASSWORD":"defaultpassword","password":"defaultpassword","postgres-password":"defaultpassword"},"serviceName":"verifiable-credential-revocation-service"}` | Values for Verifiable Credential Revocation Service application | +| vcrs | object | `{"affinity":{},"autoscaling":{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80,"targetMemoryUtilizationPercentage":80},"configName":"verifiable-credential-revocation-service","database":{"encryptionKey":{"secret":"","secretKey":"","value":""}},"env":{"APPLICATION_LOG_LEVEL":"DEBUG","APPLICATION_NAME":"verifiable-credential-revocation-service","APPLICATION_PORT":8081,"APPLICATION_PROFILE":"local","APP_LOG_LEVEL":"INFO","AUTH_SERVER_URL":"http://{{ .Release.Name 
}}-keycloak","DATABASE_CONNECTION_POOL_SIZE":10,"DATABASE_HOST":"managed-identity-wallet-postgresql","DATABASE_NAME":"vcrs_app","DATABASE_PORT":5432,"DATABASE_USERNAME":"vcrs","DATABASE_USE_SSL_COMMUNICATION":false,"DOMAIN_URL":"https://977d-203-129-213-107.ngrok-free.app","ENABLE_API_DOC":true,"ENABLE_SWAGGER_UI":true,"KEYCLOAK_CLIENT_ID":"miw_private_client","KEYCLOAK_PUBLIC_CLIENT_ID":"miw_public_client","KEYCLOAK_REALM":"miw_test","MIW_URL":"https://a888-203-129-213-107.ngrok-free.app","SERVICE_SECURITY_ENABLED":true,"VC_SCHEMA_LINK":"https://www.w3.org/2018/credentials/v1, https://cofinity-x.github.io/schema-registry/w3c/v1.0/BitstringStatusList.json"},"fullnameOverride":"verifiable-credential-revocation-service","host":"localhost","image":{"pullPolicy":"IfNotPresent","repository":"public.ecr.aws/w6s7t8e0/tractusx/verifiable-credential-revocation-service","tag":"latest"},"imagePullSecrets":[],"ingress":{"annotations":{},"className":"","enabled":false,"hosts":null,"service":{"port":8081,"type":"ClusterIP"},"tls":[]},"ingressName":"verifiable-credential-revocation-service-ingress","livenessProbe":{"enabled":true,"failureThreshold":3,"initialDelaySeconds":60,"periodSeconds":5,"timeoutSeconds":30},"nameOverride":"verifiable-credential-revocation-service","nodeSelector":{},"podAnnotations":{},"podLabels":{},"podSecurityContext":{},"readinessProbe":{"enabled":true,"failureThreshold":3,"initialDelaySeconds":60,"periodSeconds":30,"timeoutSeconds":30},"replicaCount":1,"resources":{},"rollingUpdate":{"enabled":true,"rollingUpdateMaxSurge":1,"rollingUpdateMaxUnavailable":0},"secretName":"verifiable-credential-revocation-service","secrets":{"DATABASE_PASSWORD":"defaultpassword","password":"defaultpassword","postgres-password":"defaultpassword"},"securityContext":{"allowPrivilegeEscalation":false},"serviceName":"verifiable-credential-revocation-service","tolerations":[],"volumeMounts":[],"volumes":[]}` | Values for Verifiable Credential Revocation Service application | | 
vcrs.configName | string | `"verifiable-credential-revocation-service"` | ConfigMap Name | | vcrs.database.encryptionKey.secret | string | `""` | Existing secret for database encryption key | | vcrs.database.encryptionKey.secretKey | string | `""` | Existing secret key for database encryption key | 
@@ -230,23 +230,19 @@ See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command document | vcrs.image.tag | string | `"latest"` | Image tag (empty one will use "appVersion" value from chart definition) | | vcrs.ingress.service.port | int | `8081` | Kubernetes Service port | | vcrs.ingress.service.type | string | `"ClusterIP"` | Kubernetes Service type | -| vcrs.livenessProbe | object | `{"enabled":true,"failureThreshold":5,"initialDelaySeconds":60,"periodSeconds":15,"timeoutSeconds":30}` | Kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) | +| vcrs.livenessProbe | object | `{"enabled":true,"failureThreshold":3,"initialDelaySeconds":60,"periodSeconds":5,"timeoutSeconds":30}` | Kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) | | vcrs.livenessProbe.enabled | bool | `true` | Enables/Disables the livenessProbe at all | -| vcrs.livenessProbe.failureThreshold | int | `5` | When a probe fails, Kubernetes will try failureThreshold times before giving up. Giving up in case of liveness probe means restarting the container. | -| vcrs.livenessProbe.initialDelaySeconds | int | `60` | Number of seconds after the container has started before readiness probes are initiated. | -| vcrs.livenessProbe.periodSeconds | int | `15` | How often (in seconds) to perform the probe | +| vcrs.livenessProbe.failureThreshold | int | `3` | When a probe fails, Kubernetes will try failureThreshold times before giving up. Giving up in case of liveness probe means restarting the container. | +| vcrs.livenessProbe.initialDelaySeconds | int | `60` | Number of seconds after the container has started before readiness probe are initiated. 
| +| vcrs.livenessProbe.periodSeconds | int | `5` | How often (in seconds) to perform the probe | | vcrs.livenessProbe.timeoutSeconds | int | `30` | Number of seconds after which the probe times out. | | vcrs.nameOverride | string | `"verifiable-credential-revocation-service"` | The configmap name | +| vcrs.readinessProbe | object | `{"enabled":true,"failureThreshold":3,"initialDelaySeconds":60,"periodSeconds":30,"timeoutSeconds":30}` | Kubernetes [readiness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) | | vcrs.readinessProbe.enabled | bool | `true` | Enables/Disables the readinessProbe at all | -| vcrs.readinessProbe.failureThreshold | int | `5` | When a probe fails, Kubernetes will try failureThreshold times before giving up. In case of readiness probe the Pod will be marked Unready. | +| vcrs.readinessProbe.failureThreshold | int | `3` | When a probe fails, Kubernetes will try failureThreshold times before giving up. In case of readiness probe the Pod will be marked Unready. | | vcrs.readinessProbe.initialDelaySeconds | int | `60` | Number of seconds after the container has started before readiness probe are initiated. | -| vcrs.readinessProbe.periodSeconds | int | `15` | How often (in seconds) to perform the probe | -| vcrs.readinessProbe.successThreshold | int | `1` | Minimum consecutive successes for the probe to be considered successful after having failed. | -| vcrs.readinessProbe.timeoutSeconds | int | `15` | Number of seconds after which the probe times out. 
| -| vcrs.resources.limits.cpu | string | `"500m"` | CPU resource limits | -| vcrs.resources.limits.memory | string | `"1Gi"` | Memory resource limits | -| vcrs.resources.requests.cpu | string | `"250m"` | CPU resource requests | -| vcrs.resources.requests.memory | string | `"512Mi"` | Memory resource requests | +| vcrs.readinessProbe.periodSeconds | int | `30` | How often (in seconds) to perform the probe | +| vcrs.readinessProbe.timeoutSeconds | int | `30` | Number of seconds after which the probe times out. | | vcrs.secretName | string | `"verifiable-credential-revocation-service"` | The Secret name | | vcrs.secrets.DATABASE_PASSWORD | string | `"defaultpassword"` | The Database Password | | vcrs.secrets.password | string | `"defaultpassword"` | Postgresql password for MIW non-root User | diff --git a/charts/managed-identity-wallet/templates/networkpolicy.yaml b/charts/managed-identity-wallet/templates/networkpolicy.yaml index 425016e6..2edaefbc 100644 --- a/charts/managed-identity-wallet/templates/networkpolicy.yaml +++ b/charts/managed-identity-wallet/templates/networkpolicy.yaml @@ -1,5 +1,5 @@ # /******************************************************************************** -# * Copyright (c) 2021,2023 Contributors to the Eclipse Foundation +# * Copyright (c) 2024 Contributors to the Eclipse Foundation # * # * See the NOTICE file(s) distributed with this work for additional # * information regarding copyright ownership. diff --git a/charts/managed-identity-wallet/templates/vcrs-deployment.yaml b/charts/managed-identity-wallet/templates/vcrs-deployment.yaml index 95db61ce..16179582 100644 --- a/charts/managed-identity-wallet/templates/vcrs-deployment.yaml +++ b/charts/managed-identity-wallet/templates/vcrs-deployment.yaml 
@@ -24,38 +24,49 @@ metadata: labels: {{- include "verifiable-credential-revocation-service.labels" . | nindent 4 }} spec: - strategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 0 - maxSurge: 1 + {{- if not .Values.vcrs.autoscaling.enabled }} + replicas: {{ .Values.vcrs.replicaCount }} + {{- end }} selector: matchLabels: {{- include "verifiable-credential-revocation-service.selectorLabels" . | nindent 6 }} - replicas: {{ .Values.vcrs.replicaCount }} - revisionHistoryLimit: 2 + strategy: + {{- if .Values.vcrs.rollingUpdate.enabled }} + type: RollingUpdate + rollingUpdate: + maxSurge: {{ .Values.vcrs.rollingUpdate.rollingUpdateMaxSurge }} + maxUnavailable: {{ .Values.vcrs.rollingUpdate.rollingUpdateMaxUnavailable }} + {{- end }} template: metadata: + {{- with .Values.vcrs.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} labels: - {{- include "verifiable-credential-revocation-service.selectorLabels" . | nindent 8 }} + {{- include "verifiable-credential-revocation-service.labels" . | nindent 8 }} + {{- with .Values.vcrs.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} spec: + {{- with .Values.vcrs.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + {{- toYaml .Values.vcrs.podSecurityContext | nindent 8 }} containers: - - name: {{ include "verifiable-credential-revocation-service.fullname" . 
}} - image: {{ .Values.vcrs.image.repository }}:{{ default .Chart.AppVersion .Values.vcrs.image.tag }} + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.vcrs.securityContext | nindent 12 }} + image: "{{ .Values.vcrs.image.repository }}:{{ .Values.vcrs.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.vcrs.image.pullPolicy }} - resources: - {{- toYaml .Values.vcrs.resources | nindent 12 }} - envFrom: - - secretRef: - name: {{ .Values.vcrs.secretName }} - - configMapRef: - name: {{ .Values.vcrs.configName }} - {{- with .Values.vcrs.livenessProbe }} - {{- if .enabled }} ports: - name: http - containerPort: 8081 + containerPort: {{ .Values.vcrs.ingress.service.port }} protocol: TCP + {{- with .Values.vcrs.livenessProbe }} + {{- if .enabled }} livenessProbe: httpGet: path: /actuator/health/liveness @@ -77,7 +88,33 @@ spec: failureThreshold: {{ .failureThreshold }} initialDelaySeconds: {{ .initialDelaySeconds }} periodSeconds: {{ .periodSeconds }} - successThreshold: {{ .successThreshold }} timeoutSeconds: {{ .timeoutSeconds }} {{- end }} - {{- end }} \ No newline at end of file + {{- end }} + resources: + {{- toYaml .Values.vcrs.resources | nindent 12 }} + envFrom: + - secretRef: + name: {{ .Values.vcrs.secretName }} + - configMapRef: + name: {{ .Values.vcrs.configName }} + {{- with .Values.vcrs.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.vcrs.volumes }} + volumes: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.vcrs.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.vcrs.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.vcrs.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} \ No newline at end of file 
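Review bot: `containerPort: {{ .Values.vcrs.ingress.service.port }}` ties the container port to the Service value, while the port the process actually listens on is set independently by `APPLICATION_PORT` in the ConfigMap (8081 in values.yaml); if an operator changes `vcrs.ingress.service.port` alone, the named `http` port — which the probes presumably reference — no longer matches the listener and the pod never becomes ready. Either derive both from one value (`containerPort: {{ .Values.vcrs.env.APPLICATION_PORT }}`) or add a values.yaml comment stating that `vcrs.ingress.service.port` and `vcrs.env.APPLICATION_PORT` must be kept equal. The container is also renamed to `{{ .Chart.Name }}`, i.e. `managed-identity-wallet`, the parent chart's name rather than the revocation service's; keeping `{{ include "verifiable-credential-revocation-service.fullname" . }}` avoids ambiguous `kubectl logs -c` targets and policy selectors. The probe definitions continue past the end of this hunk.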
diff --git a/charts/managed-identity-wallet/templates/vcrs-hpa.yaml b/charts/managed-identity-wallet/templates/vcrs-hpa.yaml new file mode 100644 index 00000000..9c5ae5a8 --- /dev/null +++ b/charts/managed-identity-wallet/templates/vcrs-hpa.yaml @@ -0,0 +1,32 @@ +{{- if .Values.vcrs.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "verifiable-credential-revocation-service.fullname" . }} + labels: + {{- include "verifiable-credential-revocation-service.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "verifiable-credential-revocation-service.fullname" . }} + minReplicas: {{ .Values.vcrs.autoscaling.minReplicas }} + maxReplicas: {{ .Values.vcrs.autoscaling.maxReplicas }} + metrics: + {{- if .Values.vcrs.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.vcrs.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.vcrs.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.vcrs.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/managed-identity-wallet/values.yaml b/charts/managed-identity-wallet/values.yaml index 09844c05..4a631b78 100644 --- a/charts/managed-identity-wallet/values.yaml +++ b/charts/managed-identity-wallet/values.yaml 
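Review bot: The HPA's `Utilization` targets can only be evaluated when the container declares resource requests, and this same commit changes the chart default to `resources: {}`, so enabling `vcrs.autoscaling` with default values yields an HPA that reports a missing-request condition and never scales. Guard it at render time, e.g. `{{- if and .Values.vcrs.autoscaling.enabled (not .Values.vcrs.resources.requests) }}{{ fail "vcrs.autoscaling requires vcrs.resources.requests to be set" }}{{- end }}`, or at minimum document the requirement next to `autoscaling:` in values.yaml. Also, `metrics:` is emitted unconditionally, so setting both target percentages to 0 renders a bare `metrics:` key; the API server accepts that, but as far as I can tell it then applies its built-in CPU default rather than disabling metric-based scaling, so wrapping the key in the same condition as its entries makes the rendered manifest explicit.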
@@ -409,44 +409,53 @@ vcrs: password: "defaultpassword" # -- Postgresql password for postgres root-user postgres-password: "defaultpassword" - resources: - requests: - # -- CPU resource requests - cpu: 250m - # -- Memory resource requests - memory: 512Mi - limits: - # -- CPU resource limits - cpu: 500m - # -- Memory resource limits - memory: 1Gi + podAnnotations: {} + podLabels: {} + imagePullSecrets: [] + rollingUpdate: + enabled: true + # Minimum number of pods that should be running during the update process. + rollingUpdateMaxSurge: 1 + # Maximum number of pods that can be unavailable during the update process. + rollingUpdateMaxUnavailable: 0 + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi # -- Kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) livenessProbe: # -- Enables/Disables the livenessProbe at all enabled: true # -- When a probe fails, Kubernetes will try failureThreshold times before giving up. Giving up in case of liveness probe means restarting the container. - failureThreshold: 5 - # -- Number of seconds after the container has started before readiness probes are initiated. + failureThreshold: 3 + # -- Number of seconds after the container has started before readiness probe are initiated. initialDelaySeconds: 60 # -- Number of seconds after which the probe times out. timeoutSeconds: 30 # -- How often (in seconds) to perform the probe - periodSeconds: 15 - # -- Kubernetes [readiness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + periodSeconds: 5 + # -- Kubernetes [readiness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) readinessProbe: # -- Enables/Disables the readinessProbe at all enabled: true # -- When a probe fails, Kubernetes will try failureThreshold times before giving up. 
In case of readiness probe the Pod will be marked Unready. - failureThreshold: 5 + failureThreshold: 3 # -- Number of seconds after the container has started before readiness probe are initiated. initialDelaySeconds: 60 # -- How often (in seconds) to perform the probe - periodSeconds: 15 - # -- Minimum consecutive successes for the probe to be considered successful after having failed. - successThreshold: 1 + periodSeconds: 30 # -- Number of seconds after which the probe times out. - timeoutSeconds: 15 + timeoutSeconds: 30 # -- ingress configuration + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: 80 ingressName: "verifiable-credential-revocation-service-ingress" ingress: enabled: false @@ -476,3 +485,12 @@ vcrs: secret: "" # -- Existing secret key for database encryption key secretKey: "" + podSecurityContext: {} + securityContext: + allowPrivilegeEscalation: false + volumes: [] + # Additional volumeMounts on the output Deployment definition. + volumeMounts: [] + nodeSelector: {} + tolerations: [] + affinity: {}
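Review bot: `resources: {}` drops the CPU/memory requests and limits the chart previously set by default, so out of the box the revocation-service pod runs unbounded; together with the new `autoscaling.maxReplicas: 100` default, a misbehaving release can exhaust a node pool, and most admission/policy scanners flag containers without limits. Keep a conservative default (the removed `requests: {cpu: 250m, memory: 512Mi}` / `limits: {cpu: 500m, memory: 1Gi}` block was reasonable) or lower `maxReplicas` and state in a comment that requests must be set before enabling autoscaling. The comment on `rollingUpdateMaxSurge` is wrong — maxSurge bounds how many pods may exist above the desired count during an update — and should read `# Maximum number of pods that can be created above the desired replica count during the update.`. The `livenessProbe.initialDelaySeconds` comment still says "readiness probe"; it should be `# Number of seconds after the container has started before liveness probes are initiated.`.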
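Review bot: The new container `securityContext` default stops at `allowPrivilegeEscalation: false`, which still leaves the image's full default capability set, a writable root filesystem and no seccomp profile, and `podSecurityContext: {}` sets no user or seccomp policy at all; the Pod Security "restricted" profile (and the scanner findings this commit appears to be addressing) also expect `capabilities.drop: [ALL]`, `runAsNonRoot`, and `seccompProfile.type: RuntimeDefault`. Dropping all capabilities and setting the runtime-default seccomp profile are safe for a JVM service exposing Spring actuator endpoints, as the probe paths suggest this is. `runAsNonRoot: true` and `readOnlyRootFilesystem: true` depend on the image's `USER` and on whether it writes to disk (e.g. `/tmp`), which cannot be verified from the chart, so confirm against the image before enabling those two; an `emptyDir` mounted via the new `volumes`/`volumeMounts` values covers the usual scratch-path case.
```yaml
  podSecurityContext:
    runAsNonRoot: true   # verify the image declares a non-root USER
    seccompProfile:
      type: RuntimeDefault
  securityContext:
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true   # needs an emptyDir for any scratch paths the app writes
    capabilities:
      drop:
        - ALL
  # … unchanged: volumes, volumeMounts, nodeSelector, tolerations, affinity …
```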