Merge branch 'main' into fix/ddcc-gateway-lib-dependency-version

.github/workflows/ci-main.yml

@@ -9,14 +9,14 @@ jobs:
   build:
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/setup-java@v2
+      - uses: actions/setup-java@v4
         with:
           java-version: 17
           distribution: adopt
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: actions/cache@v2
+      - uses: actions/cache@v3
         with:
           path: |
             ~/.m2/repository
@@ -27,10 +27,6 @@ jobs:
           APP_LATEST_REV=$(git rev-list --tags --max-count=1)
           APP_LATEST_TAG=$(git describe --tags ${APP_LATEST_REV} 2> /dev/null || echo 0.0.0)
           echo "APP_VERSION=${APP_LATEST_TAG}-${APP_SHA}" >> ${GITHUB_ENV}
-      - name: copyContext
-        run: |-
-          rm ./src/main/resources/static/context.json
-          echo '${{ secrets.CONTEXT_FILE }}' > ./src/main/resources/static/context.json
       - name: mvn
         run: |-
           mvn versions:set \
@@ -57,6 +53,10 @@ jobs:
           --file ./Dockerfile
           --tag "${APP_PACKAGES_URL}:${APP_VERSION}";
           docker push "${APP_PACKAGES_URL}:${APP_VERSION}";
+          docker build .
+          --file ./DB-Changelog-Dockerfile
+          --tag "${APP_PACKAGES_URL}-initcontainer:${APP_VERSION}";
+          docker push "${APP_PACKAGES_URL}-initcontainer:${APP_VERSION}";
         env:
           APP_PACKAGES_URL: ghcr.io/worldhealthorganization/tng-key-distribution/tng-key-distribution
           APP_PACKAGES_USERNAME: ${{ github.actor }}

.github/workflows/ci-release.yml

@@ -9,14 +9,14 @@ jobs:
     env:
       APP_VERSION: ${{ github.event.release.tag_name }}
     steps:
-      - uses: actions/setup-java@v2
+      - uses: actions/setup-java@v4
         with:
           java-version: 17
           distribution: adopt
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: actions/cache@v2
+      - uses: actions/cache@v3
         with:
           path: |
             ~/.m2/repository
@@ -48,6 +48,10 @@ jobs:
           --tag "${APP_PACKAGES_URL}:${APP_VERSION}"
           docker push "${APP_PACKAGES_URL}:latest"
           docker push "${APP_PACKAGES_URL}:${APP_VERSION}"
+          docker build .
+          --file ./DB-Changelog-Dockerfile
+          --tag "${APP_PACKAGES_URL}-initcontainer:${APP_VERSION}";
+          docker push "${APP_PACKAGES_URL}-initcontainer:${APP_VERSION}";
         env:
           APP_PACKAGES_URL: ghcr.io/worldhealthorganization/tng-key-distribution/tng-key-distribution
           APP_PACKAGES_USERNAME: ${{ github.actor }}
@@ -56,38 +60,6 @@ jobs:
         run: |-
           gh release upload ${APP_VERSION} \
           --clobber \
-          ./target/openapi.json#openapi-${APP_VERSION}.json \
           ./target/generated-resources/licenses.xml#licenses-${APP_VERSION}.xml
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  deploy:
-    runs-on: ubuntu-20.04
-    environment: dev
-    needs:
-      - build
-    env:
-      APP_VERSION: ${{ github.event.release.tag_name }}
-    steps:
-      - name: cf setup
-        run: |-
-          curl -sL "https://packages.cloudfoundry.org/stable?release=${CF_RELEASE}&version=${CF_VERSION}" | \
-          sudo tar -zx -C /usr/local/bin
-        env:
-          CF_VERSION: 7.2.0
-          CF_RELEASE: linux64-binary
-      - name: cf push
-        run: |-
-          cf api ${CF_API}
-          cf auth
-          cf target -o ${CF_ORG} -s ${CF_SPACE}
-          cf push ${APP_NAME} --docker-image ${APP_IMAGE}:${APP_VERSION} --docker-username ${CF_DOCKER_USERNAME}
-        env:
-          APP_NAME: tng-key-distribution-test
-          APP_IMAGE: ghcr.io/worldhealthorganization/tng-key-distribution/tng-key-distribution
-          CF_API: ${{ secrets.CF_API }}
-          CF_ORG: ${{ secrets.CF_ORG }}
-          CF_SPACE: ${{ secrets.CF_SPACE }}
-          CF_USERNAME: ${{ secrets.CF_USERNAME }}
-          CF_PASSWORD: ${{ secrets.CF_PASSWORD }}
-          CF_DOCKER_USERNAME: ${{ secrets.CF_DOCKER_USERNAME }}
-          CF_DOCKER_PASSWORD: ${{ secrets.CF_DOCKER_PASSWORD }}

.github/workflows/helm-release.yml

@@ -0,0 +1,28 @@
+name: Release Charts
+
+on:
+  release:
+    types:
+      - created
+  workflow_dispatch: # This allows the workflow to be triggered manually
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "[email protected]"
+
+      - name: Run chart-releaser
+        uses: helm/[email protected]
+        with:
+          charts_dir: "k8s/charts" # Specify the path to your charts directory
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

.gitignore

@@ -4,6 +4,8 @@ target/
 !**/src/main/**
 !**/src/test/**
 
+application-local.yml
+
 ### STS ###
 .apt_generated
 .classpath

DB-Changelog-Dockerfile

@@ -0,0 +1,3 @@
+FROM liquibase/liquibase
+
+COPY /src/main/resources/db /liquibase/db

README.md

@@ -1,14 +1,14 @@
-<h1 align="center">
+<h1 style="text-align:center">
     TNG Key Distribution Service
 </h1>
 
-<p align="center">
+<div style="text-align:center">
     <a href="/../../commits/" title="Last Commit"><img src="https://img.shields.io/github/last-commit/worldhealthorganization/tng-key-distribution?style=flat"></a>
     <a href="/../../issues" title="Open Issues"><img src="https://img.shields.io/github/issues/worldhealthorganization/tng-key-distribution?style=flat"></a>
     <a href="./LICENSE" title="License"><img src="https://img.shields.io/badge/License-Apache%202.0-green.svg?style=flat"></a>
-</p>
+</div>
 
-<p align="center">
+<p style="text-align:center">
   <a href="#about">About</a> •
   <a href="#development">Development</a> •
   <a href="#documentation">Documentation</a> •
@@ -131,7 +131,9 @@ docker-compose up --build
 
 After all containers have started, you will be able to reach the service on your [local machine](http://localhost:8080/api/docs) under port 8080.
 
-## Documentation  
+## Cloud deployment
+
+## Documentation
 
 [OpenAPI Spec](https://worldhealthorganization.github.io/tng-key-distribution/)
 
@@ -147,11 +149,11 @@ The following channels are available for discussions, feedback, and support requ
 | **Issues**    | <a href="/../../issues" title="Open Issues"><img src="https://img.shields.io/github/issues/worldhealthorganization/tng-key-distribution?style=flat"></a>  |
 | **Other requests**    | <a href="mailto:[email protected]" title="Email DGC Team"><img src="https://img.shields.io/badge/email-DGC%20team-green?logo=mail.ru&style=flat-square&logoColor=white"></a>   |
 
-## How to contribute  
+## How to contribute
 
 Contribution and feedback is encouraged and always welcome. For more information about how to contribute, the project structure, as well as additional contribution information, see our [Contribution Guidelines](./CONTRIBUTING.md). By participating in this project, you agree to abide by its [Code of Conduct](./CODE_OF_CONDUCT.md) at all times.
 
-## Contributors  
+## Contributors
 
 Our commitment to open source means that we are enabling -in fact encouraging- all interested parties to contribute and become part of its developer community.
 

certs/From Files to secrets to container with mounted volumes.md

@@ -1,58 +1,68 @@
-### How to populate the keystores and truststores, trustanchor files in k8s cluster  
-A general approach how to secrets are mounted volumes can be found in the official [documentation](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#create-a-pod-that-has-access-to-the-secret-data-through-a-volume)  
-1.) generate the keystore, truststore trust_anchor  as described in [PlaceYourGatewayAccessKeysHere.md](PlaceYourGatewayAccessKeysHere.md)  
-2.) combine the resulting files in a single secret with  
-```(bash)
-kubectl create secret generic mtls_secret --dry-run=client -o yaml --from-file=tls_key_store.p12 --from-file=tng_tls_server_truststore.p12 --from-file=trustanchor_store.jks > mtls_secret.yaml
-kubectl create secret generic <secret-name> --dry-run=client -o yaml --from-file=<file1.p12> --from-file=<file2>.p12 --from-file=<file3.jks> > combined_tls_secret.yaml
-```
-this will result in a yaml file containing the base64 encoded file contents of that three files
-```(json)
-apiVersion: v1
-data:
-  tls_key_store.p12: MIIF3wIBAzCCBZUGDQEJFDEkHiIAYwBsAGkAZQBuAHQAYwByAGUAZABlAG4AdABpAGEAbABzMEEwMTANBglghkgBZQMEAgEFAAQgt/aPlSTVrkAIplPg++vrX...../czGzdjH1XPrutiae8EAFoECKv4c1pYD2TDAgIIAA==
-  trustanchor_store.jks: /u3+7QAAAAIAAAABAAAAAgAadG5nLXRscy1zZXJ2ZXItY2VydGlmaWNhdGUAAAGLVC9h5gAFWC41MDkAAAUaMIIFFjCCAv6gAwIBAgIRAJErCEr
-  tng_tls_server_truststore.p12: /u3+7QAAAAIAAAABAAAAAgAXoB1.....lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4avAuvDsz
-kind: Secret
-metadata:
-  creationTimestamp: null
-  name: mtls_secret
-```
-This file then can be temporarily included in your helm charts or directly applied to your cluster with
-```(shell)
-kubectl apply -f mtls_secret.yaml # will apply the secret to current context
-```  
-**Note that your secrets with keystores/truststores contain sensible data. Keep them in save place**
-
-In the deployment of your helm chart include the the secret as volumes in the template spec
-````(helm)
-spec:
-  template:
-    spec:
-      volumes:
-        - name: secrets-jks
-          secret:
-            secretName: mtls-secret
-            items:
-              - key: tls_key_store.p12
-                path: tls_key_store.p12
-              - key: trustanchor_store.jks
-                path: trustanchor_store.jks
-              - key: tng_tls_server_truststore.p12
-                path: tng_tls_server_truststore.p12
-````
-The items array is optional as long as the keynames reflect the filenames and all keys in the secret
-shall be mapped to files
-
-The according volume mounts are defined in the container section
-````(helm)
-spec:
-  templates:
-    spec:
-      containers:
-        volumeMounts:
-          - name: secrets-jks
-            mountPath: /certs
-            readOnly: true
-````
-
+### How to populate the keystores and truststores, trustanchor files in k8s cluster
+
+A general approach how to secrets are mounted volumes can be found in the official [documentation](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#create-a-pod-that-has-access-to-the-secret-data-through-a-volume)  
+1.) generate the keystore, truststore trust_anchor as described in [PlaceYourGatewayAccessKeysHere.md](PlaceYourGatewayAccessKeysHere.md)  
+2.) combine the resulting files in a single secret with
+
+```(bash)
+kubectl create secret generic mtls-secret --dry-run=client --namespace=kds -o yaml --from-file=tls_key_store.p12 --from-file=tng_tls_server_truststore.p12 --from-file=trustanchor_store.jks > mtls_secret.yaml
+kubectl create secret generic <secret-name> --dry-run=client --namespace=<namespace-of-the-secret> -o yaml --from-file=<file1.p12> --from-file=<file2>.p12 --from-file=<file3.jks> > combined_tls_secret.yaml
+```
+
+this will result in a yaml file containing the base64 encoded file contents of that three files
+
+```(json)
+apiVersion: v1
+data:
+  tls_key_store.p12: MIIF3wIBAzCCBZUGDQEJFDEkHiIAYwBsAGkAZQBuAHQAYwByAGUAZABlAG4AdABpAGEAbABzMEEwMTANBglghkgBZQMEAgEFAAQgt/aPlSTVrkAIplPg++vrX...../czGzdjH1XPrutiae8EAFoECKv4c1pYD2TDAgIIAA==
+  trustanchor_store.jks: /u3+7QAAAAIAAAABAAAAAgAadG5nLXRscy1zZXJ2ZXItY2VydGlmaWNhdGUAAAGLVC9h5gAFWC41MDkAAAUaMIIFFjCCAv6gAwIBAgIRAJErCEr
+  tng_tls_server_truststore.p12: /u3+7QAAAAIAAAABAAAAAgAXoB1.....lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4avAuvDsz
+kind: Secret
+metadata:
+  creationTimestamp: null
+  name: mtls-secret
+```
+
+This file then can be temporarily included in your helm charts or directly applied to your cluster with
+
+```(shell)
+kubectl apply -f mtls-secret.yaml # will apply the secret to current context
+```
+
+**Note that your secrets with keystores/truststores contain sensible data. Keep them in save place**
+
+In the deployment of your helm chart include the secret as volumes in the template spec
+
+```(helm)
+spec:
+  template:
+    spec:
+      volumes:
+        - name: secrets-jks
+          secret:
+            secretName: mtls-secret
+            items:
+              - key: tls_key_store.p12
+                path: tls_key_store.p12
+              - key: trustanchor_store.jks
+                path: trustanchor_store.jks
+              - key: tng_tls_server_truststore.p12
+                path: tng_tls_server_truststore.p12
+```
+
+The items array is optional as long as the keynames reflect the filenames and all keys in the secret
+shall be mapped to files
+
+The according volume mounts are defined in the container section
+
+```(helm)
+spec:
+  templates:
+    spec:
+      containers:
+        volumeMounts:
+          - name: secrets-jks
+            mountPath: /certs
+            readOnly: true
+```
+