diff --git a/charts/managed-identity-wallet/templates/deployment.yaml b/charts/managed-identity-wallet/templates/deployment.yaml index b58f8e7c6..f1f066df8 100644 --- a/charts/managed-identity-wallet/templates/deployment.yaml +++ b/charts/managed-identity-wallet/templates/deployment.yaml @@ -52,17 +52,17 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} env: - name: APP_LOG_LEVEL - value: {{ default .Values.miw.logging.level "INFO" }} + value: {{ .Values.miw.logging.level }} - name: MIW_HOST_NAME value: {{ tpl .Values.miw.host . }} - name: ENCRYPTION_KEY value: {{ default .Values.miw.database.encryptionKey (randAlphaNum 32)}} - name: AUTHORITY_WALLET_BPN - value: {{ tpl .Values.miw.authorityWallet.bpn . }} + value: {{ tpl .Values.miw.authorityWallet.bpn . }} - name: AUTHORITY_WALLET_DID value: {{ printf "did:web:%s:%s" ( tpl .Values.miw.host . | replace ":" "%3A" | replace "/" ":") .Values.miw.authorityWallet.bpn }} - name: ENFORCE_HTTPS_IN_DID_RESOLUTION - value: {{ .Values.miw.ssi.enforceHttpsInDidWebResolution | quote }} + value: {{ quote .Values.miw.ssi.enforceHttpsInDidWebResolution }} - name: APPLICATION_ENVIRONMENT value: {{ .Values.miw.environment }} - name: KEYCLOAK_REALM 
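Review bot: The ENCRYPTION_KEY line kept as context in this hunk passes its arguments to `default` in the wrong order — Sprig's `default` takes the fallback first, so `default .Values.miw.database.encryptionKey (randAlphaNum 32)` returns the random string whenever it is non-empty, which is always; the configured key is ignored and a fresh key is rendered on every `helm upgrade`, leaving rows encrypted under the previous key unreadable. The removed APP_LOG_LEVEL line had the same reversed order, so it is worth fixing the remaining occurrence in this commit: `value: {{ .Values.miw.database.encryptionKey | default (randAlphaNum 32) | quote }}`. The new `value: {{ .Values.miw.logging.level }}` now honours the configured level but drops any in-template fallback, so an empty value renders a bare `value:`; `value: {{ .Values.miw.logging.level | default "INFO" | quote }}` keeps the documented INFO default and is safe for an empty string. The encryption key is also still a plain env `value:` in the pod spec rather than a secretKeyRef like the DB_PASSWORD change in the next hunk, which the `TODO write encryption key to secret always` in values.yaml already acknowledges.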
@@ -72,17 +72,20 @@ spec: - name: AUTH_SERVER_URL value: {{ tpl .Values.miw.keycloak.url . }} - name: USE_SSL - value: {{ .Values.miw.database.useSSL | quote }} + value: {{ quote .Values.miw.database.useSSL }} - name: DB_HOST - value: {{ tpl .Values.miw.database.host . }} + value: {{ tpl .Values.miw.database.host . }} - name: DB_PORT - value: {{ .Values.miw.database.port | quote }} + value: {{ quote .Values.miw.database.port }} - name: DB_NAME - value: {{ tpl .Values.miw.database.database . }} + value: {{ tpl .Values.miw.database.name . }} - name: DB_USER_NAME value: {{ .Values.miw.database.user }} - name: DB_PASSWORD - value: {{ .Values.miw.database.password }} + valueFrom: + secretKeyRef: + name: {{ tpl .Values.miw.database.secret . }} + key: {{ tpl .Values.miw.database.secretPasswordKey . }} - name: APPLICATION_PORT value: "8080" - name: VC_EXPIRY_DATE diff --git a/charts/managed-identity-wallet/templates/job-keycloak-db.yaml b/charts/managed-identity-wallet/templates/job-keycloak-db.yaml index 2b2a789b4..d189f5d09 100644 --- a/charts/managed-identity-wallet/templates/job-keycloak-db.yaml +++ b/charts/managed-identity-wallet/templates/job-keycloak-db.yaml 
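Review bot: The new `secretKeyRef` renders `name:` and `key:` unquoted (`{{ tpl .Values.miw.database.secret . }}`), while job-miw-db.yaml in this same commit wraps the identical values in `quote`; since both are user-supplied strings, quoting them here too — `name: {{ tpl ( quote .Values.miw.database.secret ) . }}` and `key: {{ tpl ( quote .Values.miw.database.secretPasswordKey ) . }}` — keeps the two templates consistent and prevents YAML from retyping a value that happens to look like a number or boolean. The `value:` lines that remain unquoted (`DB_HOST`, `DB_NAME`, `DB_USER_NAME`) have the same exposure: an all-digit name renders as an integer, and the API server rejects a non-string env var value.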
@@ -1,4 +1,23 @@ -{{- if .Values.keycloak.enabled }} +# /******************************************************************************** +# * Copyright (c) 2021,2023 Contributors to the Eclipse Foundation +# * +# * See the NOTICE file(s) distributed with this work for additional +# * information regarding copyright ownership. +# * +# * This program and the accompanying materials are made available under the +# * terms of the Apache License, Version 2.0 which is available at +# * https://www.apache.org/licenses/LICENSE-2.0. +# * +# * Unless required by applicable law or agreed to in writing, software +# * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# * License for the specific language governing permissions and limitations +# * under the License. +# * +# * SPDX-License-Identifier: Apache-2.0 +# ********************************************************************************/ + +{{- if and .Values.keycloak.enabled .Values.keycloak.jobs.createDatabaseIfNotExists }} apiVersion: batch/v1 kind: Job metadata: 
@@ -11,9 +30,20 @@ spec: image: postgres:13 env: - name: USER - value: {{ tpl ( .Values.keycloak.externalDatabase.user | quote ) . }} + value: {{ tpl ( quote .Values.keycloak.externalDatabase.user ) . }} + {{- if .Values.keycloak.externalDatabase.password }} + - name: PGPASSWORD + value: {{ tpl ( quote .Values.keycloak.externalDatabase.password ) . }} + {{- else if and .Values.keycloak.externalDatabase.existingSecret .Values.keycloak.externalDatabase.existingSecretPasswordKey }} + - name: PGPASSWORD + valueFrom: + secretKeyRef: + name: {{ tpl ( quote .Values.keycloak.externalDatabase.existingSecret ) . }} + key: {{ quote .Values.keycloak.externalDatabase.existingSecretPasswordKey }} + {{- else }} - name: PGPASSWORD - value: {{ tpl ( .Values.keycloak.externalDatabase.password | quote ) . }} + value: "postgres" + {{- end }} - name: HOST value: {{ tpl ( .Values.keycloak.externalDatabase.host | quote ) . }} - name: PORT @@ -40,4 +70,4 @@ spec: restartPolicy: Never backoffLimit: 0 --- -{{- end}} # end if .Values.keycloak.enabled +{{- end}} # end if .Values.keycloak.enabled and .Values.keycloak.jobs.createDatabaseIfNotExists diff --git a/charts/managed-identity-wallet/templates/job-miw-db.yaml b/charts/managed-identity-wallet/templates/job-miw-db.yaml index 680292937..9b6947ba9 100644 --- a/charts/managed-identity-wallet/templates/job-miw-db.yaml +++ b/charts/managed-identity-wallet/templates/job-miw-db.yaml 
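Review bot: The final `{{- else }}` branch of the new PGPASSWORD block renders the hard-coded literal `"postgres"` whenever neither `externalDatabase.password` nor `existingSecret`/`existingSecretPasswordKey` is set, so a misconfigured release silently falls back to a well-known credential instead of failing. A render-time error is the safer default: `{{- else }}` / `{{ fail "keycloak.externalDatabase: set password, or existingSecret and existingSecretPasswordKey" }}` / `{{- end }}`. Note also that the first branch still places the password as a plain `value:` in the Job spec, readable by anyone who can read Jobs in the namespace, and it takes precedence over the secretKeyRef branch when both are set; that ordering deserves a sentence in values.yaml. The job's container spec continues outside the hunk.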
@@ -1,3 +1,23 @@ +# /******************************************************************************** +# * Copyright (c) 2021,2023 Contributors to the Eclipse Foundation +# * +# * See the NOTICE file(s) distributed with this work for additional +# * information regarding copyright ownership. +# * +# * This program and the accompanying materials are made available under the +# * terms of the Apache License, Version 2.0 which is available at +# * https://www.apache.org/licenses/LICENSE-2.0. +# * +# * Unless required by applicable law or agreed to in writing, software +# * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# * License for the specific language governing permissions and limitations +# * under the License. +# * +# * SPDX-License-Identifier: Apache-2.0 +# ********************************************************************************/ + +{{- if .Values.miw.jobs.createDatabaseIfNotExists }} apiVersion: batch/v1 kind: Job metadata: @@ -12,13 +32,16 @@ spec: - name: USER value: {{ tpl ( .Values.miw.database.user | quote ) . }} - name: PGPASSWORD - value: {{ tpl ( .Values.miw.database.password | quote ) . }} + valueFrom: + secretKeyRef: + name: {{ tpl ( quote .Values.miw.database.secret ) . }} + key: {{ quote .Values.miw.database.secretPasswordKey }} - name: HOST value: {{ tpl ( .Values.miw.database.host | quote ) . }} - name: PORT value: {{ tpl ( .Values.miw.database.port | quote ) . }} - name: DATABASE - value: {{ tpl ( .Values.miw.database.database | quote ) . }} + value: {{ tpl ( .Values.miw.database.name | quote ) . }} command: [ "bash", "-c", "--" ] args: - | @@ -38,3 +61,4 @@ spec: securityContext: {{ .Values.jobSecurityContext | toYaml | nindent 12 }} restartPolicy: Never backoffLimit: 0 +{{- end }} \ No newline at end of file 
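Review bot: In the PGPASSWORD `secretKeyRef` added in the second hunk of this file, `key:` is rendered with `quote` only, whereas deployment.yaml in this commit renders the same value through `tpl`; a templated `secretPasswordKey` would therefore resolve in one manifest and not the other. Use one form in both places, e.g. `key: {{ tpl ( quote .Values.miw.database.secretPasswordKey ) . }}`, matching how the `name:` line just above already treats the secret name. The `{{- end }}` appended in the last hunk is written without a final newline; adding one avoids the `\ No newline at end of file` marker in every later diff of this template.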
diff --git a/charts/managed-identity-wallet/values.yaml b/charts/managed-identity-wallet/values.yaml index 944a02f5f..0b9b2265d 100644 --- a/charts/managed-identity-wallet/values.yaml +++ b/charts/managed-identity-wallet/values.yaml @@ -17,47 +17,6 @@ # * SPDX-License-Identifier: Apache-2.0 # ********************************************************************************/ -anchors: - setupDependencies: &setupDependencies true - postgres: - host: &postgresHost "{{ .Release.Name }}-postgresql" - port: &postgresPort 5432 - user: &postgresUser user - password: &postgresPassword password - database: &postgresDatabase postgres - backup: - enabled: &postgresBackupEnabled false - keycloak: - realm: &keycloakRealm miw_test - clientId: &keycloakClientId miw_private_client - host: &keycloakHost "{{ .Release.Name }}-keycloak" - url: &keycloakUrl "http://{{ .Release.Name }}-keycloak" - user: &keycloakUser user - password: &keycloakPassword password - postgres: - database: &keyCloakPostgresDatabase "miw_keycloak" - miw: - host: &miwHost "{{ .Release.Name }}-managed-identity-wallet:8080" - # -- Runtime environment. Should be ether local, dev, int or prod - environment: &miwEnvironment dev - logging: - # -- Log Level. Should be ether ERROR, WARN, INFO, DEBUG, or TRACE. Default: INFO - level: &miwLoggingLevel "" - authorityWallet: - bpn: &authorityWalletBpn "BPNL000000000000" - ssi: - useHttpsInDidWebResolution: &useHttpsInDidWebResolution false - # -- Verifiable Credential expiry date. Format 'dd-MM-yyyy'. Default: 31-12- - vcExpiryDate: &vcExpiryDate "" - postgres: - database: &miwPostgresDatabase "miw_app" - # -- database encryption key for confidential data. Default: 32 random alphanumeric chars - encryptionKey: &miwPostgresEncryptionKey "" - defaultSecurityContext: &defaultSecurityContext - runAsUser: 1001 - runAsGroup: 0 - runAsNonRoot: true - # -- The amount of replicas to run replicaCount: 1 
@@ -77,36 +36,60 @@ fullnameOverride: "" # -- Parameters for the application (will be stored as secrets - so, for passwords, ...) secrets: { } -# DB_USER_NAME: xxx # Has to be the same as below in "postgresql" section -# DB_PASSWORD: xxx # Has to be the same as below in "postgresql" section -# KEYCLOAK_CLIENT_ID: xxx +# TODO write encryption key to secret always # ENCRYPTION_KEY: xxx # 64 chars # -- Parameters for the application (will be provided as plain environment variables) envs: { } +# -- Parameters for the application (will be provided as plain environment variables) miw: - host: *miwHost - environment: *miwEnvironment + # -- MIW host name. Default: -managed-identity-wallet: + host: "{{ .Release.Name }}-managed-identity-wallet:8080" + # -- Runtime environment. Should be ether local, dev, int or prod + environment: "dev" + # -- Job configuration + jobs: + # -- Enable to create the database if it does not exist + createDatabaseIfNotExists: true ssi: - enforceHttpsInDidWebResolution: *useHttpsInDidWebResolution - vcExpiryDate: *vcExpiryDate + # -- Enable to use HTTPS in DID Web Resolution + enforceHttpsInDidWebResolution: false + # -- Verifiable Credential expiry date. Format 'dd-MM-yyyy'. If empty it is set to 31-12- + vcExpiryDate: "" + # -- Authority Wallet authorityWallet: - bpn: *authorityWalletBpn + # -- Authority Wallet BPN + bpn: "BPNL000000000000" + # -- Database database: + # -- Set to true to enable SSL connection to the database useSSL: false - port: *postgresPort - host: *postgresHost - user: *postgresUser - password: *postgresPassword - database: *miwPostgresDatabase - encryptionKey: *miwPostgresEncryptionKey + # -- Database port + port: 5432 + # -- Database host. Default: -postgresql + host: "{{ .Release.Name }}-postgresql" + # -- Database user. Default: miw + user: "miw" + # -- Existing secret name for the database password. 
Default: -postgresql + secret: "{{ .Release.Name }}-postgresql" + # -- Existing secret key for the database password + secretPasswordKey: "password" + # -- Database name. Default: miw_app + name: "miw_app" + # -- Database encryption key for confidential data. If empty it is set to 32 random alphanumeric chars + encryptionKey: "" keycloak: - realm: *keycloakRealm - clientId: *keycloakClientId - url: *keycloakUrl + # -- Keycloak realm + realm: "miw_test" + # -- Keycloak client id + clientId: "miw_private_client" + # -- Keycloak URL. Default: -keycloak:4200 + url: "http://{{ .Release.Name }}-keycloak:4200" logging: - level: *miwLoggingLevel + # -- Log Level. Should be ether ERROR, WARN, INFO, DEBUG, or TRACE. Default: INFO + level: "INFO" + # -- ServiceAccount configuration serviceAccount: @@ -138,11 +121,15 @@ podSecurityContext: { } # -- JobSecurityContext jobSecurityContext: - *defaultSecurityContext + runAsUser: 1001 + runAsGroup: 0 + runAsNonRoot: true # -- Preconfigured SecurityContext securityContext: - *defaultSecurityContext + runAsUser: 1001 + runAsGroup: 0 + runAsNonRoot: true # -- Resource boundaries resources: 
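Review bot: The helm-docs comments added in this hunk for `miw.host`, `miw.database.host`, `miw.database.secret` and `miw.keycloak.url` read `Default: -managed-identity-wallet:`, `Default: -postgresql` and `Default: -keycloak:4200`, i.e. the release-name prefix that the values carry via `{{ .Release.Name }}` is absent from the comment (possibly lost when the text was rendered); either spell it out, e.g. `# -- Database host. Default: "{{ .Release.Name }}-postgresql"`, or drop the `Default:` suffix so it cannot drift from the value it describes. `ether` in the `environment` and `logging.level` comments should be `either`. The `# -- Existing secret name for the database password` entries tie the chart to the subchart's secret naming (`<release>-postgresql`, key `password`); a sentence saying which chart creates that secret would save the next operator a lookup.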
@@ -168,42 +155,81 @@ podAnnotations: { } # -- Keycloak configuration keycloak: - enabled: *setupDependencies + # -- Enable to deploy Keycloak + enabled: true + # -- Job configuration + jobs: + # -- Enable to create keycloak database if not exists + createDatabaseIfNotExists: true + # -- Keycloak postgresql database configuration postgresql: + # -- Enable to deploy Keycloak postgresql database enabled: false + # -- Existing database configuration externalDatabase: - host: *postgresHost - port: *postgresPort - user: *postgresUser - password: *postgresPassword - database: *keyCloakPostgresDatabase + # -- Database host. Default: -postgresql + host: "{{ .Release.Name }}-postgresql" + # -- Database port + port: 5432 + # -- Database user + user: "miw" + # -- Database name + database: "miw_keycloak" + # -- Existing secret name for the database password. Default: -postgresql + existingSecret: "{{ .Release.Name }}-postgresql" + # -- Existing secret key for the database password + existingSecretPasswordKey: "password" + # -- Keycloak authentication auth: - adminUser: *keycloakUser - adminPassword: *keycloakPassword + # -- Keycloak admin user + adminUser: "" + # -- Keycloak admin password + adminPassword: "" + # -- Playground Keycloak realm configuration for the MIW keycloakConfigCli: + # -- Enable to create the miw playground realm enabled: true + # -- Existing configmap name for the realm configuration existingConfigmap: keycloak-realm-config + # -- Number of retries before considering a Job as failed backoffLimit: 5 + # -- Environment Variables for the Keycloak container extraEnvVars: + # -- Keycloak hostname. 
Default: -keycloak:4200 - name: KEYCLOAK_HOSTNAME - value: *keycloakHost + value: "{{ .Release.Name }}-keycloak:4200" +# -- Postgresql configuration postgresql: - enabled: *setupDependencies - service: - port: *postgresPort + # -- Enable to deploy Postgresql + enabled: true + # -- Postgresql authentication auth: - database: *postgresDatabase - username: *postgresUser - password: *postgresPassword - # -- see https://github.com/bitnami/charts/tree/main/bitnami/postgresql#backup-parameters + # -- Enable postgresql admin user + enablePostgresUser: false + # -- User to create + username: "miw" + # -- Backup configuration (see https://github.com/bitnami/charts/tree/main/bitnami/postgresql#backup-parameters) backup: - enabled: *postgresBackupEnabled + # -- Enable to create a backup cronjob + enabled: false + # -- Cronjob configuration conjob: + # -- Backup schedule schedule: "* */6 * * *" + # -- Cronjob security context containerSecurityContext: - *defaultSecurityContext + # -- user id + runAsUser: 1001 + # -- group id + runAsGroup: 0 + # -- enable to run as non root + runAsNonRoot: true + # -- Cronjob storage configuration storage: + # -- Name of an existing PVC to use existingClaim: "" + # -- Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted resourcePolicy: "keep" + # -- PVC Storage Request for the backup data volume size: "8Gi" \ No newline at end of file
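Review bot: The new `# -- Cronjob configuration` and `# -- Cronjob security context` comments, and the `containerSecurityContext` block they introduce, sit under the unchanged key `conjob:`, which presumably should be `cronjob` for the Bitnami postgresql backup parameters linked in the comment above it; if so, the schedule and the runAsUser/runAsGroup/runAsNonRoot settings beneath it are silently ignored and the backup CronJob runs with the subchart's defaults — confirm against the subchart's values and rename the key. The schedule `"* */6 * * *"` also fires every minute during every sixth hour rather than once every six hours; `0 */6 * * *` is the usual intent. Separately, `keycloak.externalDatabase` now points Keycloak at the same `miw` user and the same password secret as the application database, so a compromise of either component yields credentials for both; a dedicated user for the `miw_keycloak` database would keep them separable.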