build(v1.0.0-rc.2): merge main into dev #82

.github/dependabot.yml

@@ -0,0 +1,60 @@
+###############################################################
+# Copyright (c) 2024 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+###############################################################
+
+---
+version: 2
+updates:
+  # NuGet
+  -
+    package-ecosystem: "nuget"
+    target-branch: dev
+    directory: /
+    labels:
+      - "dependabot"
+      - "dependencies"
+    schedule:
+      interval: "weekly"
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major"]
+
+  # Github Actions
+  -
+    package-ecosystem: "github-actions"
+    target-branch: dev
+    directory: /
+    labels:
+      - "dependabot"
+      - "github-actions"
+    schedule:
+      interval: "weekly"
+
+  # Docker
+  -
+    package-ecosystem: "docker"
+    target-branch: dev
+    directory: ./docker/
+    labels:
+      - "dependabot"
+      - "docker"
+    schedule:
+      interval: "weekly"
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major"]

.github/workflows/release-please.yml

@@ -22,7 +22,7 @@ name: Release Please
 on:
   push:
     branches:
-      - 'v*.*.*'
+      - 'changelog/v*.*.*'
   workflow_dispatch:
 
 permissions:

.github/workflows/trivy-dev.yml

@@ -53,7 +53,7 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # v0.18.0
+        uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # v0.19.0
         with:
           scan-type: "config"
           hide-progress: false
@@ -86,7 +86,7 @@ jobs:
       # For public images, no ENV vars must be set.
       - name: Run Trivy vulnerability scanner
         if: always()
-        uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # v0.18.0
+        uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # v0.19.0
         with:
           # Path to Docker image
           image-ref: "${{ env.IMAGE_NAMESPACE }}/ssi-credential-issuer-service:dev"
@@ -118,7 +118,7 @@ jobs:
       # For public images, no ENV vars must be set.
       - name: Run Trivy vulnerability scanner
         if: always()
-        uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # v0.18.0
+        uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # v0.19.0
         with:
           # Path to Docker image
           image-ref: "${{ env.IMAGE_NAMESPACE }}/ssi-credential-issuer-migrations:dev"
@@ -151,7 +151,7 @@ jobs:
       # For public images, no ENV vars must be set.
       - name: Run Trivy vulnerability scanner
         if: always()
-        uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # v0.18.0
+        uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # v0.19.0
         with:
           # Path to Docker image
           image-ref: "${{ env.IMAGE_NAMESPACE }}/ssi-credential-expiry-app:dev"
@@ -184,7 +184,7 @@ jobs:
       # For public images, no ENV vars must be set.
       - name: Run Trivy vulnerability scanner
         if: always()
-        uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # v0.18.0
+        uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # v0.19.0
         with:
           # Path to Docker image
           image-ref: "${{ env.IMAGE_NAMESPACE }}/ssi-credential-issuer-processes-worker:dev"

.github/workflows/trivy.yml

@@ -53,7 +53,7 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # v0.18.0
+        uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # v0.19.0
         with:
           scan-type: "config"
           hide-progress: false
@@ -87,7 +87,7 @@ jobs:
       # For public images, no ENV vars must be set.
       - name: Run Trivy vulnerability scanner
         if: always()
-        uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # v0.18.0
+        uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # v0.19.0
         with:
           # Path to Docker image
           image-ref: "${{ env.IMAGE_NAMESPACE }}/ssi-credential-issuer-service:latest"
@@ -119,7 +119,7 @@ jobs:
       # For public images, no ENV vars must be set.
       - name: Run Trivy vulnerability scanner
         if: always()
-        uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # v0.18.0
+        uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # v0.19.0
         with:
           # Path to Docker image
           image-ref: "${{ env.IMAGE_NAMESPACE }}/ssi-credential-issuer-migrations:latest"
@@ -151,7 +151,7 @@ jobs:
       # For public images, no ENV vars must be set.
       - name: Run Trivy vulnerability scanner
         if: always()
-        uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # v0.18.0
+        uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # v0.19.0
         with:
           # Path to Docker image
           image-ref: "${{ env.IMAGE_NAMESPACE }}/ssi-credential-expiry-app:latest"
@@ -183,7 +183,7 @@ jobs:
       # For public images, no ENV vars must be set.
       - name: Run Trivy vulnerability scanner
         if: always()
-        uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # v0.18.0
+        uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # v0.19.0
         with:
           # Path to Docker image
           image-ref: "${{ env.IMAGE_NAMESPACE }}/ssi-credential-issuer-processes-worker:latest"

CHANGELOG.md

@@ -0,0 +1,23 @@
+# Changelog
+
+## [1.0.0-rc.1](https://github.com/eclipse-tractusx/ssi-credential-issuer/compare/v1.0.0-rc.1...v1.0.0-rc.1) (2024-04-15)
+
+
+### Features
+
+* establish a database to handle credential requests, verified credentials, document proof, and managing lifecycle ([609567a](https://github.com/eclipse-tractusx/ssi-credential-issuer/commit/609567a6131fdcb1f12ea8a6653b5dbc9963816e))
+* establish a GET endpoint for retrieving own credential requests with their current status ([609567a](https://github.com/eclipse-tractusx/ssi-credential-issuer/commit/609567a6131fdcb1f12ea8a6653b5dbc9963816e))
+* establish a GET endpoint to retrieve supported credential types, allowing customers to see all credentials that can be requested ([609567a](https://github.com/eclipse-tractusx/ssi-credential-issuer/commit/609567a6131fdcb1f12ea8a6653b5dbc9963816e))
+* establish a job to store newly created verified credentials inside the holder wallet ([609567a](https://github.com/eclipse-tractusx/ssi-credential-issuer/commit/609567a6131fdcb1f12ea8a6653b5dbc9963816e))
+* establish a notification system for credential expiry to alert holders ([609567a](https://github.com/eclipse-tractusx/ssi-credential-issuer/commit/609567a6131fdcb1f12ea8a6653b5dbc9963816e))
+* establish a processes worker to create credentials and submit them for signature by the issuer wallet ([609567a](https://github.com/eclipse-tractusx/ssi-credential-issuer/commit/609567a6131fdcb1f12ea8a6653b5dbc9963816e))
+* establish an admin endpoint to retrieve credential requests for the purpose of approval or rejection ([609567a](https://github.com/eclipse-tractusx/ssi-credential-issuer/commit/609567a6131fdcb1f12ea8a6653b5dbc9963816e))
+* establish endpoints to approve or reject customer credential requests ([609567a](https://github.com/eclipse-tractusx/ssi-credential-issuer/commit/609567a6131fdcb1f12ea8a6653b5dbc9963816e))
+* establish POST endpoints for credential requests for BPN (Business Partner Number), Membership, and Framework Agreement credentials ([609567a](https://github.com/eclipse-tractusx/ssi-credential-issuer/commit/609567a6131fdcb1f12ea8a6653b5dbc9963816e))
+* implement a job to run expiry validation and revocation of credentials ([609567a](https://github.com/eclipse-tractusx/ssi-credential-issuer/commit/609567a6131fdcb1f12ea8a6653b5dbc9963816e))
+* **known issue:** upload of documents with credential requests currently not working ([609567a](https://github.com/eclipse-tractusx/ssi-credential-issuer/commit/609567a6131fdcb1f12ea8a6653b5dbc9963816e))
+
+
+### Miscellaneous Chores
+
+* release 1.0.0-rc.1 ([e74c880](https://github.com/eclipse-tractusx/ssi-credential-issuer/commit/e74c880fef9245fca685c102541e46420893db2e))

charts/ssi-credential-issuer/Chart.yaml

@@ -20,8 +20,8 @@
 apiVersion: v2
 name: ssi-credential-issuer
 type: application
-version: 1.0.0-rc.1
-appVersion: 1.0.0-rc.1
+version: 1.0.0-rc.2
+appVersion: 1.0.0-rc.2
 description: Helm chart for SSI Credential Issuer
 home: https://github.com/eclipse-tractusx/ssi-credential-issuer
 dependencies:

charts/ssi-credential-issuer/README.md

@@ -1,4 +1,4 @@
-# Helm chart for Catena-X SSI Credential Issuer
+# Helm chart for SSI Credential Issuer
 
 This helm chart installs the Catena-X SSI Credential Issuer application.
 
@@ -27,7 +27,7 @@ To use the helm chart as a dependency:
 dependencies:
   - name: ssi-credential-issuer
     repository: https://eclipse-tractusx.github.io/charts/dev
-    version: 1.0.0-rc.1
+    version: 1.0.0-rc.2
 ```
 
 ## Requirements
@@ -40,6 +40,9 @@ dependencies:
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| portalBackendAddress | string | `"https://portal-backend.example.org"` | Provide portal-backend base address. |
+| walletAddress | string | `"https://wallet.example.org"` |  |
+| walletTokenAddress | string | `"https://wallet.example.org/oauth/token"` |  |
 | issuer.image.name | string | `"docker.io/tractusx/ssi-credential-issuer-service"` |  |
 | issuer.image.tag | string | `""` |  |
 | issuer.imagePullPolicy | string | `"IfNotPresent"` |  |
@@ -56,9 +59,9 @@ dependencies:
 | issuer.portal.grantType | string | `"client_credentials"` |  |
 | issuer.portal.clientId | string | `"portal-client-id"` | Provide portal client-id from CX IAM centralidp. |
 | issuer.portal.clientSecret | string | `""` | Client-secret for portal client-id. Secret-key 'portal-client-secret'. |
-| issuer.credential.issuerDid | string | `""` |  |
-| issuer.credential.issuerBpn | string | `""` |  |
-| issuer.credential.statusListUrl | string | `""` |  |
+| issuer.credential.issuerDid | string | `"did:web:example"` |  |
+| issuer.credential.issuerBpn | string | `"BPNL00000001TEST"` |  |
+| issuer.credential.statusListUrl | string | `"https://example.org/statuslist"` |  |
 | issuer.credential.encryptionConfigIndex | int | `0` |  |
 | issuer.credential.encryptionConfigs.index0.index | int | `0` |  |
 | issuer.credential.encryptionConfigs.index0.cipherMode | string | `"CBC"` |  |
@@ -68,7 +71,7 @@ dependencies:
 | issuermigrations.image.name | string | `"docker.io/tractusx/ssi-credential-issuer-migrations"` |  |
 | issuermigrations.image.tag | string | `""` |  |
 | issuermigrations.imagePullPolicy | string | `"IfNotPresent"` |  |
-| issuermigrations.resources | object | `{"limits":{"cpu":"45m","memory":"105M"},"requests":{"cpu":"15m","memory":"105M"}}` | We recommend to review the default resource limits as this should a conscious choice. |
+| issuermigrations.resources | object | `{"limits":{"cpu":"45m","memory":"200M"},"requests":{"cpu":"15m","memory":"200M"}}` | We recommend to review the default resource limits as this should a conscious choice. |
 | issuermigrations.seeding.testDataEnvironments | string | `""` |  |
 | issuermigrations.seeding.testDataPaths | string | `"Seeder/Data"` |  |
 | issuermigrations.logging.default | string | `"Information"` |  |
@@ -77,7 +80,7 @@ dependencies:
 | processesworker.image.name | string | `"docker.io/tractusx/ssi-credential-issuer-processes-worker"` |  |
 | processesworker.image.tag | string | `""` |  |
 | processesworker.imagePullPolicy | string | `"IfNotPresent"` |  |
-| processesworker.resources | object | `{"limits":{"cpu":"45m","memory":"105M"},"requests":{"cpu":"15m","memory":"105M"}}` | We recommend to review the default resource limits as this should a conscious choice. |
+| processesworker.resources | object | `{"limits":{"cpu":"45m","memory":"200M"},"requests":{"cpu":"15m","memory":"200M"}}` | We recommend to review the default resource limits as this should a conscious choice. |
 | processesworker.logging.default | string | `"Information"` |  |
 | processesworker.portal.scope | string | `"openid"` |  |
 | processesworker.portal.grantType | string | `"client_credentials"` |  |
@@ -127,7 +130,6 @@ dependencies:
 | externalDatabase.database | string | `"issuer"` | Database name. |
 | externalDatabase.password | string | `""` | Password for the non-root username (default 'issuer'). Secret-key 'password'. |
 | externalDatabase.existingSecret | string | `"issuer-external-db"` | Secret containing the password non-root username, (default 'issuer'). |
-| externalDatabase.existingSecretPasswordKey | string | `"password"` | Name of an existing secret key containing the database credentials. |
 | centralidp | object | `{"address":"https://centralidp.example.org","authRealm":"CX-Central","jwtBearerOptions":{"metadataPath":"/auth/realms/CX-Central/.well-known/openid-configuration","refreshInterval":"00:00:30","requireHttpsMetadata":"true","tokenValidationParameters":{"validAudience":"Cl24-CX-SSI-CredentialIssuer","validIssuerPath":"/auth/realms/CX-Central"}},"tokenPath":"/auth/realms/CX-Central/protocol/openid-connect/token","useAuthTrail":true}` | Provide details about centralidp (CX IAM) Keycloak instance. |
 | centralidp.address | string | `"https://centralidp.example.org"` | Provide centralidp base address (CX IAM), without trailing '/auth'. |
 | centralidp.useAuthTrail | bool | `true` | Flag if the api should be used with an leading /auth path |

charts/ssi-credential-issuer/templates/cronjob-issuer-processes.yaml

@@ -66,6 +66,8 @@ spec:
             - name: "CONNECTIONSTRINGS__ISSUERDB"
               value: "Server={{ .Values.externalDatabase.host }};Database={{ .Values.externalDatabase.database }};Port={{ .Values.externalDatabase.port }};User Id={{ .Values.externalDatabase.username }};Password=$(ISSUER_PASSWORD);Ssl Mode={{ .Values.dbConnection.sslMode }};"
             {{- end }}
+            - name: "PORTAL__CLIENTID"
+              value: "{{ .Values.issuer.portal.clientId }}"
             - name: "PORTAL__CLIENTSECRET"
               valueFrom:
                 secretKeyRef:
@@ -75,12 +77,33 @@ spec:
               value: "{{ .Values.processesworker.portal.grantType }}"
             - name: "PORTAL__TOKENADDRESS"
               value: "{{ .Values.centralidp.address }}{{ .Values.centralidp.tokenPath }}"
+            - name: "PORTAL__BASEADDRESS"
+              value: "{{ .Values.portalBackendAddress }}"
             - name: "PORTAL__PASSWORD"
               value: "empty"
             - name: "PORTAL__SCOPE"
               value: "{{ .Values.processesworker.portal.scope }}"
             - name: "PORTAL__USERNAME"
               value: "empty"
+            - name: "CALLBACK__CLIENTID"
+              value: "{{ .Values.issuer.portal.clientId }}"
+            - name: "CALLBACK__CLIENTSECRET"
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ template "issuer.secretName" . }}"
+                  key: "portal-client-secret"
+            - name: "CALLBACK__GRANTTYPE"
+              value: "{{ .Values.processesworker.portal.grantType }}"
+            - name: "CALLBACK__TOKENADDRESS"
+              value: "{{ .Values.centralidp.address }}{{ .Values.centralidp.tokenPath }}"
+            - name: "CALLBACK__BASEADDRESS"
+              value: "{{ .Values.portalBackendAddress }}"
+            - name: "CALLBACK__PASSWORD"
+              value: "empty"
+            - name: "CALLBACK__SCOPE"
+              value: "{{ .Values.processesworker.portal.scope }}"
+            - name: "CALLBACK__USERNAME"
+              value: "empty"
             - name: "WALLET__BASEADDRESS"
               value: "{{ .Values.walletAddress }}"
             - name: "WALLET__CLIENTID"

charts/ssi-credential-issuer/templates/deployment-issuer-service.yaml

@@ -93,6 +93,8 @@ spec:
           value: "{{ .Values.issuer.logging.businessLogic }}"
         - name: "SWAGGERENABLED"
           value: "{{ .Values.issuer.swaggerEnabled }}"
+        - name: "PORTAL__CLIENTID"
+          value: "{{ .Values.issuer.portal.clientId }}"
         - name: "PORTAL__CLIENTSECRET"
           valueFrom:
             secretKeyRef:
@@ -102,6 +104,8 @@ spec:
           value: "{{ .Values.issuer.portal.grantType }}"
         - name: "PORTAL__TOKENADDRESS"
           value: "{{ .Values.centralidp.address }}{{ .Values.centralidp.tokenPath }}"
+        - name: "PORTAL__BASEADDRESS"
+          value: "{{ .Values.portalBackendAddress }}"
         - name: "PORTAL__PASSWORD"
           value: "empty"
         - name: "PORTAL__SCOPE"

charts/ssi-credential-issuer/values.yaml

@@ -17,6 +17,11 @@
 # SPDX-License-Identifier: Apache-2.0
 ###############################################################
 
+# -- Provide portal-backend base address.
+portalBackendAddress: "https://portal-backend.example.org"
+walletAddress: "https://wallet.example.org"
+walletTokenAddress: "https://wallet.example.org/oauth/token"
+
 issuer:
   image:
     name: "docker.io/tractusx/ssi-credential-issuer-service"
@@ -52,9 +57,9 @@ issuer:
     # -- Client-secret for portal client-id. Secret-key 'portal-client-secret'.
     clientSecret: ""
   credential:
-    issuerDid: ""
-    issuerBpn: ""
-    statusListUrl: ""
+    issuerDid: "did:web:example"
+    issuerBpn: "BPNL00000001TEST"
+    statusListUrl: "https://example.org/statuslist"
     encryptionConfigIndex: 0
     encryptionConfigs:
       index0:
@@ -75,10 +80,10 @@ issuermigrations:
   resources:
     requests:
       cpu: 15m
-      memory: 105M
+      memory: 200M
     limits:
       cpu: 45m
-      memory: 105M
+      memory: 200M
   seeding:
     testDataEnvironments: ""
     testDataPaths: "Seeder/Data"
@@ -97,10 +102,10 @@ processesworker:
   resources:
     requests:
       cpu: 15m
-      memory: 105M
+      memory: 200M
     limits:
       cpu: 45m
-      memory: 105M
+      memory: 200M
   logging:
     default: "Information"
   portal:

consortia/argocd-app-templates/appsetup-int.yaml

@@ -28,7 +28,7 @@ spec:
   source:
     path: charts/ssi-credential-issuer
     repoURL: 'https://github.com/eclipse-tractusx/ssi-credential-issuer.git'
-    targetRevision: ssi-credential-issuer-1.0.0-rc.1
+    targetRevision: ssi-credential-issuer-1.0.0-rc.2
     plugin:
       env:
         - name: AVP_SECRET

consortia/argocd-app-templates/appsetup-pen.yaml

@@ -28,7 +28,7 @@ spec:
   source:
     path: charts/ssi-credential-issuer
     repoURL: 'https://github.com/eclipse-tractusx/ssi-credential-issuer.git'
-    targetRevision: ssi-credential-issuer-1.0.0-rc.1
+    targetRevision: ssi-credential-issuer-1.0.0-2
     plugin:
       env:
         - name: AVP_SECRET

consortia/argocd-app-templates/appsetup-stable.yaml

@@ -29,7 +29,7 @@ spec:
   source:
     path: ''
     repoURL: 'https://eclipse-tractusx.github.io/charts/dev'
-    targetRevision: ssi-credential-issuer-1.0.0-rc.1
+    targetRevision: ssi-credential-issuer-1.0.0-rc.2
     plugin:
       env:
         - name: HELM_VALUES