Merge pull request #24 from WorldHealthOrganization/feature/db_service

feature: db as service

certs/From Files to secrets to container with mounted volumes.md

@@ -1,58 +1,68 @@
-### How to populate the keystores and truststores, trustanchor files in k8s cluster  
-A general approach how to secrets are mounted volumes can be found in the official [documentation](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#create-a-pod-that-has-access-to-the-secret-data-through-a-volume)  
-1.) generate the keystore, truststore trust_anchor  as described in [PlaceYourGatewayAccessKeysHere.md](PlaceYourGatewayAccessKeysHere.md)  
-2.) combine the resulting files in a single secret with  
-```(bash)
-kubectl create secret generic mtls-secret --dry-run=client -o yaml --from-file=tls_key_store.p12 --from-file=tng_tls_server_truststore.p12 --from-file=trustanchor_store.jks > mtls_secret.yaml
-kubectl create secret generic <secret-name> --dry-run=client -o yaml --from-file=<file1.p12> --from-file=<file2>.p12 --from-file=<file3.jks> > combined_tls_secret.yaml
-```
-this will result in a yaml file containing the base64 encoded file contents of that three files
-```(json)
-apiVersion: v1
-data:
-  tls_key_store.p12: MIIF3wIBAzCCBZUGDQEJFDEkHiIAYwBsAGkAZQBuAHQAYwByAGUAZABlAG4AdABpAGEAbABzMEEwMTANBglghkgBZQMEAgEFAAQgt/aPlSTVrkAIplPg++vrX...../czGzdjH1XPrutiae8EAFoECKv4c1pYD2TDAgIIAA==
-  trustanchor_store.jks: /u3+7QAAAAIAAAABAAAAAgAadG5nLXRscy1zZXJ2ZXItY2VydGlmaWNhdGUAAAGLVC9h5gAFWC41MDkAAAUaMIIFFjCCAv6gAwIBAgIRAJErCEr
-  tng_tls_server_truststore.p12: /u3+7QAAAAIAAAABAAAAAgAXoB1.....lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4avAuvDsz
-kind: Secret
-metadata:
-  creationTimestamp: null
-  name: mtls-secret
-```
-This file then can be temporarily included in your helm charts or directly applied to your cluster with
-```(shell)
-kubectl apply -f mtls-secret.yaml # will apply the secret to current context
-```  
-**Note that your secrets with keystores/truststores contain sensible data. Keep them in save place**
-
-In the deployment of your helm chart include the secret as volumes in the template spec
-````(helm)
-spec:
-  template:
-    spec:
-      volumes:
-        - name: secrets-jks
-          secret:
-            secretName: mtls-secret
-            items:
-              - key: tls_key_store.p12
-                path: tls_key_store.p12
-              - key: trustanchor_store.jks
-                path: trustanchor_store.jks
-              - key: tng_tls_server_truststore.p12
-                path: tng_tls_server_truststore.p12
-````
-The items array is optional as long as the keynames reflect the filenames and all keys in the secret
-shall be mapped to files
-
-The according volume mounts are defined in the container section
-````(helm)
-spec:
-  templates:
-    spec:
-      containers:
-        volumeMounts:
-          - name: secrets-jks
-            mountPath: /certs
-            readOnly: true
-````
-
+### How to populate the keystores and truststores, trustanchor files in k8s cluster
+
+A general approach how to secrets are mounted volumes can be found in the official [documentation](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#create-a-pod-that-has-access-to-the-secret-data-through-a-volume)  
+1.) generate the keystore, truststore trust_anchor as described in [PlaceYourGatewayAccessKeysHere.md](PlaceYourGatewayAccessKeysHere.md)  
+2.) combine the resulting files in a single secret with
+
+```(bash)
+kubectl create secret generic mtls-secret --dry-run=client --namespace=kds -o yaml --from-file=tls_key_store.p12 --from-file=tng_tls_server_truststore.p12 --from-file=trustanchor_store.jks > mtls_secret.yaml
+kubectl create secret generic <secret-name> --dry-run=client --namespace=<namespace-of-the-secret> -o yaml --from-file=<file1.p12> --from-file=<file2>.p12 --from-file=<file3.jks> > combined_tls_secret.yaml
+```
+
+this will result in a yaml file containing the base64 encoded file contents of that three files
+
+```(json)
+apiVersion: v1
+data:
+  tls_key_store.p12: MIIF3wIBAzCCBZUGDQEJFDEkHiIAYwBsAGkAZQBuAHQAYwByAGUAZABlAG4AdABpAGEAbABzMEEwMTANBglghkgBZQMEAgEFAAQgt/aPlSTVrkAIplPg++vrX...../czGzdjH1XPrutiae8EAFoECKv4c1pYD2TDAgIIAA==
+  trustanchor_store.jks: /u3+7QAAAAIAAAABAAAAAgAadG5nLXRscy1zZXJ2ZXItY2VydGlmaWNhdGUAAAGLVC9h5gAFWC41MDkAAAUaMIIFFjCCAv6gAwIBAgIRAJErCEr
+  tng_tls_server_truststore.p12: /u3+7QAAAAIAAAABAAAAAgAXoB1.....lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4avAuvDsz
+kind: Secret
+metadata:
+  creationTimestamp: null
+  name: mtls-secret
+```
+
+This file then can be temporarily included in your helm charts or directly applied to your cluster with
+
+```(shell)
+kubectl apply -f mtls-secret.yaml # will apply the secret to current context
+```
+
+**Note that your secrets with keystores/truststores contain sensible data. Keep them in save place**
+
+In the deployment of your helm chart include the secret as volumes in the template spec
+
+```(helm)
+spec:
+  template:
+    spec:
+      volumes:
+        - name: secrets-jks
+          secret:
+            secretName: mtls-secret
+            items:
+              - key: tls_key_store.p12
+                path: tls_key_store.p12
+              - key: trustanchor_store.jks
+                path: trustanchor_store.jks
+              - key: tng_tls_server_truststore.p12
+                path: tng_tls_server_truststore.p12
+```
+
+The items array is optional as long as the keynames reflect the filenames and all keys in the secret
+shall be mapped to files
+
+The according volume mounts are defined in the container section
+
+```(helm)
+spec:
+  templates:
+    spec:
+      containers:
+        volumeMounts:
+          - name: secrets-jks
+            mountPath: /certs
+            readOnly: true
+```
+

k8s/helm/tngkds/README.md

@@ -0,0 +1,46 @@
+# tngkds
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square)
+
+A Helm chart for Kubernetes
+
+## Requirements
+The versions from umbrella chart are currently not used, please refer to to corresponding image tags in value files 
+
+| Repository | Name | Version |
+|------------|------|---------|
+|  | tngkds-backend | 0.1.0 |
+|  | tngkds-postgres | 0.1.0 |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| tngkds-backend.gateway.connector.enabled | bool | `true` | flag whether the kds is connected to the TNG |
+| tngkds-backend.gateway.connector.endpoint | string | `"<tng-gateway-endpoint>"` | The url where the TNG can be reached |
+| tngkds-backend.gateway.connector.max-cache-age | int | `300` |  |
+| tngkds-backend.gateway.connector.proxy.enabled | bool | `false` | used for development, when KDS is run behind a proxy. If set to true, _tngkds-backend.gateway.connector.proxy.port_ and _tngkds-backend.gateway.connector.proxy.host_ also need to be applied |
+| tngkds-backend.gateway.connector.tls_key_store.alias | string | `"clientcredentials"` |  |
+| tngkds-backend.gateway.connector.tls_key_store.password | string | `"<password of tls_key_store>"` |  |
+| tngkds-backend.gateway.connector.tls_key_store.path | string | `"/certs/tls_key_store.p12"` |  |
+| tngkds-backend.gateway.connector.tls_trust_store.alias | string | `"tng-tls-server-certificate"` |  |
+| tngkds-backend.gateway.connector.tls_trust_store.password | string | `"<password of tls_truststore>"` |  |
+| tngkds-backend.gateway.connector.tls_trust_store.path | string | `"/certs/tng_tls_server_truststore.p12"` |  |
+| tngkds-backend.gateway.connector.trust_anchor.alias | string | `"trustanchor"` |  |
+| tngkds-backend.gateway.connector.trust_anchor.password | string | `"<password of trustanchor_store>"` |  |
+| tngkds-backend.gateway.connector.trust_anchor.path | string | `"/certs/trustanchor_store.jks"` |  |
+| tngkds-backend.image.tag | string | `"<kds-image-tag>"` |  |
+| tngkds-backend.liquibaseImage.tag | string | `"<liquibase-image-tag(initcontainer)>"` |  |
+| tngkds-backend.path | string | `"/()(*)"` |  |
+| tngkds-backend.port | int | `8080` |  |
+| tngkds-backend.psql.asPod.enabled | bool | `false` |  |
+| tngkds-backend.psql.cluster | string | `"svc.cluster.local"` |  |
+| tngkds-backend.psql.dbName | string | `"kdsdb"` |  |
+| tngkds-backend.psql.password | string | `nil` |  |
+| tngkds-backend.psql.port | int | `5432` |  |
+| tngkds-backend.psql.serviceName | string | `"postgresql-d01.postgres.database.azure.com"` |  |
+| tngkds-backend.psql.username | string | `nil` |  |
+| tngkds-postgres.asPod.enabled | bool | `false` |  |
+| tngkds-postgres.path | string | `"/()(*)"` |  |
+| tngkds-postgres.port | int | `5432` |  |
+

k8s/helm/tngkds/charts/tngkds-backend/README.md

@@ -0,0 +1,80 @@
+
+# tngkds-backend
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square)
+
+A Helm chart for TNG Key Distribution Service
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` |  |
+| autoscaling.enabled | bool | `false` |  |
+| autoscaling.maxReplicas | int | `100` |  |
+| autoscaling.minReplicas | int | `1` |  |
+| autoscaling.targetCPUUtilizationPercentage | int | `80` |  |
+| did.cron | string | `"*/10 * * * * *"` | spring cronjob configuration, how often shall the did file be generated |
+| did.didUploadProvider | string | `"local-file"` | Upload provider for Did document, currently local-file |
+| did.localFile.directory | string | `"trustlist"` | If upload provider is local-file: directory of the generated file |
+| did.localFile.file-name | string | `"did.json"` | If upload provider is local-file: file-name of the generated file  |
+| did.did_controller | string | `"did:web:def"` | The controller that is generating the did.json / controlling its contents |
+| did.did_id | string | `"did:web:abc"` | The ID of the did entry |
+| did.enableDidGeneration | bool | `true` | Shall the did documents be generated |
+| did.ld_proof_nonce | string | `"n0nc3"` | Nonce of the Did Document |
+| did.ld_proof_verification_method | string | `"did:web:dummy.net"` | Verification Method of the DID Signer. Usually a did-link to a did.json containing the public key material that was used to sign this DID |
+| did.trust_list_controller_prefix | string | `"did:web:abc"` |  |
+| did.trust_list_id_prefix | string | `"did:web:abc"` |  |
+| fullnameOverride | string | `""` |  |
+| gateway.connector.enabled | bool | `true` |  |
+| gateway.connector.endpoint | string | `"<endpoint of the tng>"` |  |
+| gateway.connector.max-cache-age | int | `300` |  |
+| gateway.connector.proxy.enabled | bool | `false` | used for development, when your machine needs a proxy to access _tng.who.int_ |
+| gateway.connector.tls_key_store.alias | string | `"<alias of the cert in keystore>"` | KDS application accesses the cert via its alias |
+| gateway.connector.tls_key_store.password | string | `"<password to open keystore>"` |  |
+| gateway.connector.tls_key_store.path | string | `"<full path of the keystore file>"` |  |
+| gateway.connector.tls_trust_store.alias | string | `"<alias of the cert in truststore>"` |KDS application accesses the cert via its alias |
+| gateway.connector.tls_trust_store.password | string | `"<password to open truststore>"` |  |
+| gateway.connector.tls_trust_store.path | string | `"<full pathname of the truststore file>"` |  |
+| gateway.connector.trust_anchor.alias | string | `"<alias of the trust_anchor chert>"` | tng application access the cert via its alias |
+| gateway.connector.trust_anchor.password | string | `"<password to open trust_anchor_store>"` |  |
+| gateway.connector.trust_anchor.path | string | `"<full path of the trust_anchor_store>"` |  |
+| image.pullPolicy | string | `"IfNotPresent"` |  |
+| image.repository | string | `"ghcr.io/worldhealthorganization/tng-key-distribution/tng-key-distribution"` |  |
+| image.tag | string | `"0.0.1-d890889"` | version of the container image to be used for deployment |
+| imagePullSecrets | string | `"tng-distribution-pull-secret"` |  |
+| ingress.annotations | object | `{}` |  |
+| ingress.className | string | `""` |  |
+| ingress.enabled | bool | `false` |  |
+| ingress.hosts[0].host | string | `"chart-example.local"` |  |
+| ingress.hosts[0].paths[0].path | string | `"/"` |  |
+| ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` |  |
+| ingress.tls | list | `[]` |  |
+| liquibaseImage.repository | string | `"ghcr.io/worldhealthorganization/tng-key-distribution/tng-key-distribution-initcontainer"` |  |
+| liquibaseImage.tag | string | `"<liquibase-image-tag>"` | version of the initcontainer image to be used, the tag is the same as for _image.tag_ |
+| nameOverride | string | `""` |  |
+| nodeSelector | object | `{}` |  |
+| podAnnotations | object | `{}` |  |
+| podSecurityContext | object | `{}` |  |
+| psql.cluster | string | `"svc.cluster.local"` |  |
+| psql.dbName | string | `"postgres"` | Name of the Shema to be used |
+| psql.password | string | `"<dbpassword>"` | Password of the _psql.username_ |
+| psql.port | int | `5432` | port where the db service is running |
+| psql.serviceName | string | `"postgres"` | Name of the db service |
+| psql.username | string | `"<dbusername>"` | user that ist used to perform the liquibase actions and to r/w to the DB |
+| replicaCount | int | `1` |  |
+| resources | object | `{}` |  |
+| securityContext | object | `{}` |  |
+| server.port | int | `8080` | port of the kds applications api server |
+| service.ports[0].name | string | `"http"` |  |
+| service.ports[0].nodePort | int | `30166` |  |
+| service.ports[0].port | int | `8080` |  |
+| service.ports[0].protocol | string | `"TCP"` |  |
+| service.ports[0].targetPort | int | `8080` |  |
+| service.type | string | `"NodePort"` |  |
+| serviceAccount.annotations | object | `{}` |  |
+| serviceAccount.create | bool | `true` |  |
+| serviceAccount.name | string | `""` |  |
+| spring.profile | string | `"cloud"` | {_0..n_} Spring profiles to be activated, usually used for feature toggle, currently not in use (existing values will be ignored) |
+| tolerations | list | `[]` |  |
+

k8s/helm/tngkds/charts/tngkds-backend/templates/deployment.yaml

@@ -4,6 +4,7 @@ metadata:
   name: {{ include "tngkds-backend.fullname" . }}
   labels:
     {{- include "tngkds-backend.labels" . | nindent 4 }}
+  namespace: {{ .Release.Namespace }}
 spec:
   {{- if not .Values.autoscaling.enabled }}
   replicas: {{ .Values.replicaCount }}
@@ -28,17 +29,15 @@ spec:
             - liquibase update --changeLogFile=db/changelog.yaml;
           env:
             - name: LIQUIBASE_COMMAND_URL
+            {{- if .Values.psql.asPod.enabled }}
               value: "jdbc:postgresql://{{ .Values.psql.serviceName }}.{{ .Release.Namespace }}.{{ .Values.psql.cluster }}:{{ .Values.psql.port }}/{{ .Values.psql.dbName }}"
+            {{ else }}
+              value: "jdbc:postgresql://{{ .Values.psql.serviceName }}:{{ .Values.psql.port }}/{{ .Values.psql.dbName }}"
+            {{ end -}}
             - name: LIQUIBASE_COMMAND_USERNAME
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "tngkds-backend.fullname" . }}-secret
-                  key: pgUser
+              value: {{ .Values.psql.username | quote }}
             - name: LIQUIBASE_COMMAND_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "tngkds-backend.fullname" . }}-secret
-                  key: pgPassword
+              value: {{ .Values.psql.password | quote }}
             - name: LIQUIBASE_SEARCH_PATH
               value: /liquibase
             - name: LIQUIBASE_LOG_LEVEL
@@ -63,45 +62,49 @@ spec:
             - name: SPRING_PROFILES_ACTIVE
               value: {{ .Values.spring.profile }}
             - name: SPRING_DATASOURCE_URL
+            {{- if .Values.psql.asPod.enabled }}
               value: "jdbc:postgresql://{{ .Values.psql.serviceName }}.{{ .Release.Namespace }}.{{ .Values.psql.cluster }}:{{ .Values.psql.port }}/{{ .Values.psql.dbName }}"
+            {{ else }}
+              value: "jdbc:postgresql://{{ .Values.psql.serviceName }}:{{ .Values.psql.port }}/{{ .Values.psql.dbName }}"
+            {{ end -}} 
             - name: SPRING_DATASOURCE_DRIVERCLASSNAME
               value: "org.postgresql.Driver"
             - name: SPRING_DATASOURCE_JNDI_NAME
               value: "false"
             - name: SPRING_JPA_DATABASEPLATFORM
               value: "org.hibernate.dialect.PostgreSQLDialect"
             - name: SPRING_DATASOURCE_USERNAME
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "tngkds-backend.fullname" . }}-secret
-                  key: pgUser
+              value: {{ .Values.psql.username | quote }}
             - name: SPRING_DATASOURCE_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "tngkds-backend.fullname" . }}-secret
-                  key: pgPassword
+              value: {{ .Values.psql.password | quote }}
             - name: DGC_GATEWAY_CONNECTOR_TLS_TRUST_STORE_PATH
               value: {{ .Values.gateway.connector.tls_trust_store.path }}
             - name: DGC_GATEWAY_CONNECTOR_TLS_TRUST_STORE_PASSWORD
-              value: {{ .Values.gateway.connector.tls_trust_store.password }}
+              value: {{ .Values.gateway.connector.tls_trust_store.password | quote }}
             - name: DGC_GATEWAY_CONNECTOR_TLS_TRUST_STORE_ALIAS
               value: {{ .Values.gateway.connector.tls_trust_store.alias }}
             - name: DGC_GATEWAY_CONNECTOR_TLS_KEY_STORE_PATH
               value: {{ .Values.gateway.connector.tls_key_store.path }}
             - name: DGC_GATEWAY_CONNECTOR_TLS_KEY_STORE_PASSWORD
-              value: {{ .Values.gateway.connector.tls_key_store.password }}
+              value: {{ .Values.gateway.connector.tls_key_store.password | quote }}
             - name: DGC_GATEWAY_CONNECTOR_TLS_KEY_STORE_ALIAS
               value: {{.Values.gateway.connector.tls_key_store.alias }}
             - name: DGC_GATEWAY_CONNECTOR_TRUST_ANCHOR_PATH
               value: {{ .Values.gateway.connector.trust_anchor.path }}
             - name: DGC_GATEWAY_CONNECTOR_TRUST_ANCHOR_PASSWORD
-              value: {{ .Values.gateway.connector.trust_anchor.password }}
+              value: {{ .Values.gateway.connector.trust_anchor.password | quote }}
             - name: DGC_GATEWAY_CONNECTOR_TRUST_ANCHOR_ALIAS
               value: {{ .Values.gateway.connector.trust_anchor.alias }}
             - name: DGC_GATEWAY_CONNECTOR_ENABLED
-              value: {{ .Values.gateway.connector.enabled |quote }}
+              value: {{ .Values.gateway.connector.enabled | quote }}
             - name: DGC_GATEWAY_CONNECTOR_ENDPOINT
               value: {{ .Values.gateway.connector.endpoint }}
+          {{- if .Values.did.enableDidGeneration }}
+          {{- range $name, $val := .Values.did }}
+            - name: DGC_{{ $name | upper }}
+              value: {{ $val | quote }}
+          {{- end }}
+          {{- end }}
           volumeMounts:
             - name: secrets-jks
               mountPath: /certs