diff --git a/charts/tractusx-connector-azure-vault/README.md b/charts/tractusx-connector-azure-vault/README.md index 1acbdcb9a..4f108db82 100644 --- a/charts/tractusx-connector-azure-vault/README.md +++ b/charts/tractusx-connector-azure-vault/README.md 
@@ -66,18 +66,17 @@ helm install my-release tractusx-edc/tractusx-connector-azure-vault --version 0. | Key | Type | Default | Description | |-----|------|---------|-------------| -| controlplane.affinity | object | `{}` | | +| controlplane.affinity | object | `{}` | [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on | | controlplane.autoscaling.enabled | bool | `false` | Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) | | controlplane.autoscaling.maxReplicas | int | `100` | Maximum replicas if resource consumption exceeds resource threshholds | | controlplane.autoscaling.minReplicas | int | `1` | Minimal replicas if resource consumption falls below resource threshholds | | controlplane.autoscaling.targetCPUUtilizationPercentage | int | `80` | targetAverageUtilization of cpu provided to a pod | | controlplane.autoscaling.targetMemoryUtilizationPercentage | int | `80` | targetAverageUtilization of memory provided to a pod | -| controlplane.bdrs.cache_validity_seconds | int | `600` | | -| controlplane.bdrs.server.url | string | `nil` | | -| controlplane.businessPartnerValidation.log.agreementValidation | bool | `true` | | -| controlplane.debug.enabled | bool | `false` | | -| controlplane.debug.port | int | `1044` | | -| controlplane.debug.suspendOnStart | bool | `false` | | +| controlplane.bdrs.cache_validity_seconds | int | `600` | Time that a cached BPN/DID resolution map is valid in seconds, default is 600 seconds (10 min) | +| controlplane.bdrs.server.url | string | `nil` | URL of the BPN/DID Resolution Service | +| controlplane.debug.enabled | bool | `false` | Enables java debugging mode. | +| controlplane.debug.port | int | `1044` | Port where the debuggee can connect to. 
| +| controlplane.debug.suspendOnStart | bool | `false` | Defines if the JVM should wait with starting the application until someone connected to the debugging port. | | controlplane.endpoints | object | `{"control":{"path":"/control","port":8083},"default":{"path":"/api","port":8080},"management":{"authKey":"password","path":"/management","port":8081},"metrics":{"path":"/metrics","port":9090},"protocol":{"path":"/api/v1/dsp","port":8084}}` | endpoints of the control plane | | controlplane.endpoints.control | object | `{"path":"/control","port":8083}` | control api, used for internal control calls. can be added to the internal ingress, but should probably not | | controlplane.endpoints.control.path | string | `"/control"` | path for incoming api calls | @@ -86,7 +85,7 @@ helm install my-release tractusx-edc/tractusx-connector-azure-vault --version 0. | controlplane.endpoints.default.path | string | `"/api"` | path for incoming api calls | | controlplane.endpoints.default.port | int | `8080` | port for incoming api calls | | controlplane.endpoints.management | object | `{"authKey":"password","path":"/management","port":8081}` | data management api, used by internal users, can be added to an ingress and must not be internet facing | -| controlplane.endpoints.management.authKey | string | `"password"` | authentication key, must be attached to each 'X-Api-Key' request header | +| controlplane.endpoints.management.authKey | string | `"password"` | authentication key, must be attached to each request as `X-Api-Key` header | | controlplane.endpoints.management.path | string | `"/management"` | path for incoming api calls | | controlplane.endpoints.management.port | int | `8081` | port for incoming api calls | | controlplane.endpoints.metrics | object | `{"path":"/metrics","port":9090}` | metrics api, used for application metrics, must not be internet facing | 
@@ -96,9 +95,9 @@ helm install my-release tractusx-edc/tractusx-connector-azure-vault --version 0.
 | controlplane.endpoints.protocol.path | string | `"/api/v1/dsp"` | path for incoming api calls |
 | controlplane.endpoints.protocol.port | int | `8084` | port for incoming api calls |
 | controlplane.env | object | `{}` | |
-| controlplane.envConfigMapNames | list | `[]` | |
-| controlplane.envSecretNames | list | `[]` | |
-| controlplane.envValueFrom | object | `{}` | |
+| controlplane.envConfigMapNames | list | `[]` | [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from |
+| controlplane.envSecretNames | list | `[]` | [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from |
+| controlplane.envValueFrom | object | `{}` | "valueFrom" environment variable references that will be added to deployment pods. Name is templated. ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core |
 | controlplane.image.pullPolicy | string | `"IfNotPresent"` | [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use |
 | controlplane.image.repository | string | `""` | Which derivate of the control plane to use. when left empty the deployment will select the correct image automatically |
 | controlplane.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion |
@@ -123,8 +122,6 @@ helm install my-release tractusx-edc/tractusx-connector-azure-vault --version 0.
 | controlplane.ingresses[1].tls.enabled | bool | `false` | Enables TLS on the ingress resource |
 | controlplane.ingresses[1].tls.secretName | string | `""` | If present overwrites the default secret name |
 | controlplane.initContainers | list | `[]` | |
-| controlplane.limits.cpu | float | `1.5` | |
-| controlplane.limits.memory | string | `"512Mi"` | |
 | controlplane.livenessProbe.enabled | bool | `true` | Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) |
 | controlplane.livenessProbe.failureThreshold | int | `6` | when a probe fails kubernetes will try 6 times before giving up |
 | controlplane.livenessProbe.initialDelaySeconds | int | `30` | seconds to wait before performing the first liveness check |
@@ -132,7 +129,7 @@ helm install my-release tractusx-edc/tractusx-connector-azure-vault --version 0.
 | controlplane.livenessProbe.successThreshold | int | `1` | number of consecutive successes for the probe to be considered successful after having failed |
 | controlplane.livenessProbe.timeoutSeconds | int | `5` | number of seconds after which the probe times out |
 | controlplane.logging | string | `".level=INFO\norg.eclipse.edc.level=ALL\nhandlers=java.util.logging.ConsoleHandler\njava.util.logging.ConsoleHandler.formatter=java.util.logging.SimpleFormatter\njava.util.logging.ConsoleHandler.level=ALL\njava.util.logging.SimpleFormatter.format=[%1$tY-%1$tm-%1$td %1$tH:%1$tM:%1$tS] [%4$-7s] %5$s%6$s%n"` | configuration of the [Java Util Logging Facade](https://docs.oracle.com/javase/7/docs/technotes/guides/logging/overview.html) |
-| controlplane.nodeSelector | object | `{}` | |
+| controlplane.nodeSelector | object | `{}` | [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes |
 | controlplane.opentelemetry | string | `"otel.javaagent.enabled=false\notel.javaagent.debug=false"` | configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics |
 | controlplane.podAnnotations | object | `{}` | additional annotations for the pod |
 | controlplane.podLabels | object | `{}` | additional labels for the pod |
@@ -148,24 +145,27 @@ helm install my-release tractusx-edc/tractusx-connector-azure-vault --version 0. | controlplane.readinessProbe.successThreshold | int | `1` | number of consecutive successes for the probe to be considered successful after having failed | | controlplane.readinessProbe.timeoutSeconds | int | `5` | number of seconds after which the probe times out | | controlplane.replicaCount | int | `1` | | -| controlplane.requests.cpu | string | `"500m"` | | -| controlplane.requests.memory | string | `"128Mi"` | | -| controlplane.resources | object | `{}` | [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container | +| controlplane.resources | object | `{"limits":{"cpu":1.5,"memory":"1024Mi"},"requests":{"cpu":"500m","memory":"1024Mi"}}` | [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container | +| controlplane.resources.limits.cpu | float | `1.5` | Maximum CPU limit | +| controlplane.resources.limits.memory | string | `"1024Mi"` | Maximum memory limit | +| controlplane.resources.requests.cpu | string | `"500m"` | Initial CPU request | +| controlplane.resources.requests.memory | string | `"1024Mi"` | Initial memory request | | controlplane.securityContext.allowPrivilegeEscalation | bool | `false` | Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID | | controlplane.securityContext.capabilities.add | list | `[]` | Specifies which capabilities to add to issue specialized syscalls | | controlplane.securityContext.capabilities.drop | list | `["ALL"]` | Specifies which capabilities to drop to reduce syscall attack surface | | controlplane.securityContext.readOnlyRootFilesystem | bool | `true` | Whether the root filesystem is mounted in read-only mode | | controlplane.securityContext.runAsNonRoot | bool | `true` | 
Requires the container to run without root privileges | | controlplane.securityContext.runAsUser | int | `10001` | The container's process will run with the specified uid | -| controlplane.service.annotations | object | `{}` | | +| controlplane.service.annotations | object | `{}` | additional annotations for the service | +| controlplane.service.labels | object | `{}` | additional labels for the service | | controlplane.service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. | -| controlplane.tolerations | list | `[]` | | +| controlplane.tolerations | list | `[]` | [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes | | controlplane.url.protocol | string | `""` | Explicitly declared url for reaching the dsp api (e.g. if ingresses not used) | | controlplane.volumeMounts | string | `nil` | declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container | | controlplane.volumes | string | `nil` | [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories | | customCaCerts | object | `{}` | Add custom ca certificates to the truststore | -| customLabels | object | `{}` | To add some custom labels | -| dataplane.affinity | object | `{}` | | +| customLabels | object | `{}` | Add some custom labels | +| dataplane.affinity | object | `{}` | [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on | | dataplane.autoscaling.enabled | bool | `false` | Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) | | dataplane.autoscaling.maxReplicas | 
int | `100` | Maximum replicas if resource consumption exceeds resource threshholds | | dataplane.autoscaling.minReplicas | int | `1` | Minimal replicas if resource consumption falls below resource threshholds | 
@@ -174,24 +174,29 @@ helm install my-release tractusx-edc/tractusx-connector-azure-vault --version 0. | dataplane.aws.accessKeyId | string | `""` | | | dataplane.aws.endpointOverride | string | `""` | | | dataplane.aws.secretAccessKey | string | `""` | | -| dataplane.debug.enabled | bool | `false` | | -| dataplane.debug.port | int | `1044` | | -| dataplane.debug.suspendOnStart | bool | `false` | | -| dataplane.endpoints.control.path | string | `"/api/control"` | | -| dataplane.endpoints.control.port | int | `8084` | | -| dataplane.endpoints.default.path | string | `"/api"` | | -| dataplane.endpoints.default.port | int | `8080` | | -| dataplane.endpoints.metrics.path | string | `"/metrics"` | | -| dataplane.endpoints.metrics.port | int | `9090` | | -| dataplane.endpoints.proxy.authKey | string | `"password"` | | -| dataplane.endpoints.proxy.path | string | `"/proxy"` | | -| dataplane.endpoints.proxy.port | int | `8186` | | -| dataplane.endpoints.public.path | string | `"/api/public"` | | -| dataplane.endpoints.public.port | int | `8081` | | -| dataplane.env | object | `{}` | | -| dataplane.envConfigMapNames | list | `[]` | | -| dataplane.envSecretNames | list | `[]` | | -| dataplane.envValueFrom | object | `{}` | | +| dataplane.debug.enabled | bool | `false` | Enables java debugging mode. | +| dataplane.debug.port | int | `1044` | Port where the debuggee can connect to. | +| dataplane.debug.suspendOnStart | bool | `false` | Defines if the JVM should wait with starting the application until someone connected to the debugging port. | +| dataplane.endpoints | object | `{"control":{"path":"/control","port":8084},"default":{"path":"/api","port":8080},"metrics":{"path":"/metrics","port":9090},"proxy":{"authKey":"password","path":"/proxy","port":8186},"public":{"path":"/api/public","port":8081}}` | endpoints of the dataplane | +| dataplane.endpoints.control | object | `{"path":"/control","port":8084}` | control api, used for internal control calls. 
can be added to the internal ingress, but should probably not | +| dataplane.endpoints.control.path | string | `"/control"` | path for incoming api calls | +| dataplane.endpoints.control.port | int | `8084` | port for incoming api calls | +| dataplane.endpoints.default | object | `{"path":"/api","port":8080}` | default api for health checks, should not be added to any ingress | +| dataplane.endpoints.default.path | string | `"/api"` | path for incoming api calls | +| dataplane.endpoints.default.port | int | `8080` | port for incoming api calls | +| dataplane.endpoints.metrics | object | `{"path":"/metrics","port":9090}` | metrics api, used for application metrics, must not be internet facing | +| dataplane.endpoints.metrics.path | string | `"/metrics"` | path for incoming api calls | +| dataplane.endpoints.metrics.port | int | `9090` | port for incoming api calls | +| dataplane.endpoints.proxy.authKey | string | `"password"` | authentication key, must be attached to each request as `X-Api-Key` header | +| dataplane.endpoints.proxy.path | string | `"/proxy"` | path for incoming api calls | +| dataplane.endpoints.proxy.port | int | `8186` | port for incoming api calls | +| dataplane.endpoints.public | object | `{"path":"/api/public","port":8081}` | public endpoint where the data can be fetched from if HttpPull was used. Must be internet facing. 
| +| dataplane.endpoints.public.path | string | `"/api/public"` | path for incoming api calls | +| dataplane.endpoints.public.port | int | `8081` | port for incoming api calls | +| dataplane.env | object | `{}` | Extra environment variables that will be pass onto deployment pods | +| dataplane.envConfigMapNames | list | `[]` | [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from | +| dataplane.envSecretNames | list | `[]` | [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from | +| dataplane.envValueFrom | object | `{}` | "valueFrom" environment variable references that will be added to deployment pods. Name is templated. ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core | | dataplane.image.pullPolicy | string | `"IfNotPresent"` | [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use | | dataplane.image.repository | string | `""` | Which derivate of the data plane to use. when left empty the deployment will select the correct image automatically | | dataplane.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion | 
@@ -206,8 +211,6 @@ helm install my-release tractusx-edc/tractusx-connector-azure-vault --version 0.
 | dataplane.ingresses[0].tls.enabled | bool | `false` | Enables TLS on the ingress resource |
 | dataplane.ingresses[0].tls.secretName | string | `""` | If present overwrites the default secret name |
 | dataplane.initContainers | list | `[]` | |
-| dataplane.limits.cpu | float | `1.5` | |
-| dataplane.limits.memory | string | `"1024Mi"` | |
 | dataplane.livenessProbe.enabled | bool | `true` | Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) |
 | dataplane.livenessProbe.failureThreshold | int | `6` | when a probe fails kubernetes will try 6 times before giving up |
 | dataplane.livenessProbe.initialDelaySeconds | int | `30` | seconds to wait before performing the first liveness check |
@@ -215,7 +218,7 @@ helm install my-release tractusx-edc/tractusx-connector-azure-vault --version 0.
 | dataplane.livenessProbe.successThreshold | int | `1` | number of consecutive successes for the probe to be considered successful after having failed |
 | dataplane.livenessProbe.timeoutSeconds | int | `5` | number of seconds after which the probe times out |
 | dataplane.logging | string | `".level=INFO\norg.eclipse.edc.level=ALL\nhandlers=java.util.logging.ConsoleHandler\njava.util.logging.ConsoleHandler.formatter=java.util.logging.SimpleFormatter\njava.util.logging.ConsoleHandler.level=ALL\njava.util.logging.SimpleFormatter.format=[%1$tY-%1$tm-%1$td %1$tH:%1$tM:%1$tS] [%4$-7s] %5$s%6$s%n"` | configuration of the [Java Util Logging Facade](https://docs.oracle.com/javase/7/docs/technotes/guides/logging/overview.html) |
-| dataplane.nodeSelector | object | `{}` | |
+| dataplane.nodeSelector | object | `{}` | [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes |
 | dataplane.opentelemetry | string | `"otel.javaagent.enabled=false\notel.javaagent.debug=false"` | configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics |
 | dataplane.podAnnotations | object | `{}` | additional annotations for the pod |
 | dataplane.podLabels | object | `{}` | additional labels for the pod |
@@ -231,35 +234,38 @@ helm install my-release tractusx-edc/tractusx-connector-azure-vault --version 0. | dataplane.readinessProbe.successThreshold | int | `1` | number of consecutive successes for the probe to be considered successful after having failed | | dataplane.readinessProbe.timeoutSeconds | int | `5` | number of seconds after which the probe times out | | dataplane.replicaCount | int | `1` | | -| dataplane.requests.cpu | string | `"500m"` | | -| dataplane.requests.memory | string | `"128Mi"` | | -| dataplane.resources | object | `{}` | [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container | +| dataplane.resources | object | `{"limits":{"cpu":1.5,"memory":"1024Mi"},"requests":{"cpu":"500m","memory":"1024Mi"}}` | [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container | +| dataplane.resources.limits.cpu | float | `1.5` | Maximum CPU limit | +| dataplane.resources.limits.memory | string | `"1024Mi"` | Maximum memory limit | +| dataplane.resources.requests.cpu | string | `"500m"` | Initial CPU request | +| dataplane.resources.requests.memory | string | `"1024Mi"` | Initial memory request | | dataplane.securityContext.allowPrivilegeEscalation | bool | `false` | Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID | | dataplane.securityContext.capabilities.add | list | `[]` | Specifies which capabilities to add to issue specialized syscalls | | dataplane.securityContext.capabilities.drop | list | `["ALL"]` | Specifies which capabilities to drop to reduce syscall attack surface | | dataplane.securityContext.readOnlyRootFilesystem | bool | `true` | Whether the root filesystem is mounted in read-only mode | | dataplane.securityContext.runAsNonRoot | bool | `true` | Requires the container to run without root 
privileges | | dataplane.securityContext.runAsUser | int | `10001` | The container's process will run with the specified uid | -| dataplane.service.port | int | `80` | | +| dataplane.service.annotations | object | `{}` | additional annotations for the service | +| dataplane.service.labels | object | `{}` | additional labels for the service | | dataplane.service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. | -| dataplane.token.refresh.expiry_seconds | int | `300` | | -| dataplane.token.refresh.expiry_tolerance_seconds | int | `10` | | -| dataplane.token.refresh.refresh_endpoint | string | `nil` | | -| dataplane.token.signer.privatekey_alias | string | `nil` | | -| dataplane.token.verifier.publickey_alias | string | `nil` | | -| dataplane.tolerations | list | `[]` | | +| dataplane.token.refresh.expiry_seconds | int | `300` | TTL in seconds for access tokens (also known as EDR token) | +| dataplane.token.refresh.expiry_tolerance_seconds | int | `10` | Tolerance for token expiry in seconds | +| dataplane.token.refresh.refresh_endpoint | string | `nil` | Optional endpoint for an OAuth2 token refresh. Default endpoint is `/token` | +| dataplane.token.signer.privatekey_alias | string | `nil` | Alias under which the private key (JWK or PEM format) is stored in the vault | +| dataplane.token.verifier.publickey_alias | string | `nil` | Alias under which the public key (JWK or PEM format) is stored in the vault, that belongs to the private key which was referred to at `dataplane.token.signer.privatekey_alias` | +| dataplane.tolerations | list | `[]` | [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes | | dataplane.url.public | string | `""` | Explicitly declared url for reaching the public api (e.g. 
if ingresses not used) | | dataplane.volumeMounts | string | `nil` | declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container | | dataplane.volumes | string | `nil` | [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories | | fullnameOverride | string | `""` | | -| iatp.id | string | `"did:web:changeme"` | | -| iatp.sts.dim.url | string | `nil` | | -| iatp.sts.oauth.client.id | string | `nil` | | -| iatp.sts.oauth.client.secret_alias | string | `nil` | | -| iatp.sts.oauth.token_url | string | `nil` | | +| iatp.id | string | `"did:web:changeme"` | Decentralized IDentifier (DID) of the connector | +| iatp.sts.dim.url | string | `nil` | URL where connectors can request SI tokens | +| iatp.sts.oauth.client.id | string | `nil` | Client ID for requesting OAuth2 access token for DIM access | +| iatp.sts.oauth.client.secret_alias | string | `nil` | Alias under which the client secret is stored in the vault for requesting OAuth2 access token for DIM access | +| iatp.sts.oauth.token_url | string | `nil` | URL where connectors can request OAuth2 access tokens for DIM access | | iatp.trustedIssuers | list | `[]` | Configures the trusted issuers for this runtime | | imagePullSecrets | list | `[]` | Existing image pull secret to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) | -| install.postgresql | bool | `true` | | +| install.postgresql | bool | `true` | Deploying a PostgreSQL instance | | nameOverride | string | `""` | | | networkPolicy.controlplane | object | `{"from":[{"namespaceSelector":{}}]}` | Configuration of the controlplane component | | networkPolicy.controlplane.from | list | `[{"namespaceSelector":{}}]` | Specify from rule network policy for cp (defaults to all namespaces) | 
@@ -273,10 +279,10 @@ helm install my-release tractusx-edc/tractusx-connector-azure-vault --version 0. | postgresql.jdbcUrl | string | `"jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc"` | | | postgresql.primary.persistence.enabled | bool | `false` | | | postgresql.readReplicas.persistence.enabled | bool | `false` | | -| serviceAccount.annotations | object | `{}` | | -| serviceAccount.create | bool | `true` | | +| serviceAccount.annotations | object | `{}` | Annotations to add to the service account | +| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | | serviceAccount.imagePullSecrets | list | `[]` | Existing image pull secret bound to the service account to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) | -| serviceAccount.name | string | `""` | | +| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | | tests | object | `{"hookDeletePolicy":"before-hook-creation,hook-succeeded"}` | Configurations for Helm tests | | tests.hookDeletePolicy | string | `"before-hook-creation,hook-succeeded"` | Configure the hook-delete-policy for Helm tests | | vault.azure.certificate | string | `nil` | | @@ -284,8 +290,6 @@ helm install my-release tractusx-edc/tractusx-connector-azure-vault --version 0. | vault.azure.name | string | `""` | | | vault.azure.secret | string | `nil` | | | vault.azure.tenant | string | `nil` | | -| vault.secretNames.transferProxyTokenSignerPrivateKey | string | `nil` | | -| vault.secretNames.transferProxyTokenSignerPublicKey | string | `nil` | | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.10.0](https://github.com/norwoodj/helm-docs/releases/v1.10.0) +Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs/) 
diff --git a/charts/tractusx-connector-azure-vault/README.md.gotmpl b/charts/tractusx-connector-azure-vault/README.md.gotmpl index cb5cc10e6..352cd8f13 100644 --- a/charts/tractusx-connector-azure-vault/README.md.gotmpl +++ b/charts/tractusx-connector-azure-vault/README.md.gotmpl @@ -60,4 +60,5 @@ helm install my-release tractusx-edc/tractusx-connector-azure-vault --version {{ {{ template "chart.valuesSection" . }} -{{ template "helm-docs.versionFooter" . }} +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs/) diff --git a/charts/tractusx-connector-azure-vault/templates/deployment-controlplane.yaml b/charts/tractusx-connector-azure-vault/templates/deployment-controlplane.yaml index e11a13042..17d3dbdec 100644 --- a/charts/tractusx-connector-azure-vault/templates/deployment-controlplane.yaml +++ b/charts/tractusx-connector-azure-vault/templates/deployment-controlplane.yaml @@ -272,7 +272,7 @@ spec: ## IATP / STS / DIM CONFIG ## ############################# - name: "EDC_IAM_STS_OAUTH_TOKEN_URL" - value: {{ .Values.iatp.sts.oauth.token_url | required ".Values.iatp.oauth.token_url is required" | quote}} + value: {{ .Values.iatp.sts.oauth.token_url | required ".Values.iatp.sts.oauth.token_url is required" | quote}} - name: "EDC_IAM_STS_OAUTH_CLIENT_ID" value: {{ .Values.iatp.sts.oauth.client.id | required ".Values.iatp.sts.oauth.client.id is required" | quote}} - name: "EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS" @@ -289,10 +289,8 @@ spec: ## BDRS CLIENT ## ################# - {{- if .Values.controlplane.bdrs.server.url }} - name: "TX_IAM_IATP_BDRS_SERVER_URL" value: {{ .Values.controlplane.bdrs.server.url | required ".Values.controlplane.bdrs.server.url is required" | quote }} - {{- end }} {{- if .Values.controlplane.bdrs.cache_validity_seconds }} - name: "TX_IAM_IATP_BDRS_CACHE_VALIDITY" value: {{ .Values.controlplane.bdrs.cache_validity_seconds | quote}} 
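Review bot: Dropping the `{{- if .Values.controlplane.bdrs.server.url }}` guard around `TX_IAM_IATP_BDRS_SERVER_URL` makes the `required` on that line take effect for the first time (inside the guard the value was always truthy, so the check could never fire), so a release that leaves the value at its README default of `nil` now fails to render instead of silently omitting the variable. That is the right direction for a setting the connector cannot work without, but it is a behaviour change that the README row this commit adds does not mention; `URL of the BPN/DID Resolution Service (required, the chart fails to render without it)` would make it visible to operators. The `{{- if .Values.controlplane.bdrs.cache_validity_seconds }}` block that closes the hunk continues past it.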
@@ -322,14 +320,6 @@ spec: value: {{ .Values.vault.azure.certificate | quote }} {{- end }} - - - ########################### - ## BUSINESS PARTNER NUMBER VALIDATION EXTENSION ## - ########################### - - name: "TRACTUSX_BUSINESSPARTNERVALIDATION_LOG_AGREEMENT_VALIDATION" - value: {{ .Values.controlplane.businessPartnerValidation.log.agreementValidation | quote }} - ###################################### ## Additional environment variables ## ###################################### diff --git a/charts/tractusx-connector-azure-vault/templates/deployment-dataplane.yaml b/charts/tractusx-connector-azure-vault/templates/deployment-dataplane.yaml index 6e56595cb..298d66c0e 100644 --- a/charts/tractusx-connector-azure-vault/templates/deployment-dataplane.yaml +++ b/charts/tractusx-connector-azure-vault/templates/deployment-dataplane.yaml @@ -214,7 +214,7 @@ spec: ## IATP / STS / DIM CONFIG ## ############################# - name: "EDC_IAM_STS_OAUTH_TOKEN_URL" - value: {{ .Values.iatp.sts.oauth.token_url | required ".Values.iatp.oauth.token_url is required" | quote}} + value: {{ .Values.iatp.sts.oauth.token_url | required ".Values.iatp.sts.oauth.token_url is required" | quote}} - name: "EDC_IAM_STS_OAUTH_CLIENT_ID" value: {{ .Values.iatp.sts.oauth.client.id | required ".Values.iatp.sts.oauth.client.id is required" | quote}} - name: "EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS" diff --git a/charts/tractusx-connector-azure-vault/templates/networkpolicy.yaml b/charts/tractusx-connector-azure-vault/templates/networkpolicy.yaml new file mode 100644 index 000000000..183af9b48 --- /dev/null +++ b/charts/tractusx-connector-azure-vault/templates/networkpolicy.yaml 
@@ -0,0 +1,46 @@ +################################################################################# +# Copyright (c) 2024 ZF Friedrichshafen AG +# Copyright (c) 2024 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +################################################################################# + +{{- if eq (.Values.networkPolicy.enabled | toString) "true" }} +{{- range tuple "controlplane" "dataplane" }} +{{- $name := . }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "txdc.fullname" $ }}-{{ $name }} + labels: + {{- include (printf "txdc.%s.labels" $name) $ | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include (printf "txdc.%s.selectorLabels" $name) $ | nindent 6 }} + ingress: + - from: + {{- toYaml (index $.Values.networkPolicy $name "from") | nindent 6 }} + ports: + {{- range $key,$value := (index $.Values $name "endpoints") }} + - port: {{ $value.port }} + protocol: TCP + {{- end }} + policyTypes: + - Ingress +--- +{{- end }} +{{- end }} diff --git a/charts/tractusx-connector-azure-vault/templates/service-controlplane.yaml b/charts/tractusx-connector-azure-vault/templates/service-controlplane.yaml index f39a69538..bf0a83cea 100644 --- a/charts/tractusx-connector-azure-vault/templates/service-controlplane.yaml 
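Review bot: The new NetworkPolicy grants a single `from` list access to every port of the component, because `ports` is rendered from the whole `endpoints` map (`{{- range $key,$value := (index $.Values $name "endpoints") }}`) while the peers come from one `networkPolicy.<component>.from` value; whoever may reach the dataplane's public endpoint may therefore also reach its control, proxy and metrics ports, which values.yaml says must not be internet facing, and the same applies to the controlplane's management API. With the chart's default `from` of `- namespaceSelector: {}` (visible in the values.yaml context later in this diff) that appears to admit every pod in every namespace, so enabling the policy restricts little on its own. Two smaller caveats: a missing or empty `from` renders as `null`/`[]` through `toYaml`, which the NetworkPolicy API treats as "all sources" as far as I recall, and `policyTypes: [Ingress]` leaves egress unrestricted. I would at least document this next to `networkPolicy.enabled`: `# -- If true, NetworkPolicies are created for control- and dataplane. The configured 'from' peers are allowed on ALL endpoint ports (management/control/metrics included) - scope them tightly.`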
+++ b/charts/tractusx-connector-azure-vault/templates/service-controlplane.yaml @@ -1,8 +1,8 @@ ################################################################################# -# Copyright (c) 2023 ZF Friedrichshafen AG +# Copyright (c) 2023,2024 ZF Friedrichshafen AG # Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH # Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) -# Copyright (c) 2021,2023 Contributors to the Eclipse Foundation +# Copyright (c) 2021,2024 Contributors to the Eclipse Foundation # # See the NOTICE file(s) distributed with this work for additional # information regarding copyright ownership. @@ -26,9 +26,16 @@ apiVersion: v1 kind: Service metadata: name: {{ include "txdc.fullname" . }}-controlplane - namespace: {{ .Release.Namespace | default "default" | quote }} + namespace: {{ .Release.Namespace }} + {{- with .Values.controlplane.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: {{- include "txdc.controlplane.labels" . | nindent 4 }} + {{- with .Values.controlplane.service.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: type: {{ .Values.controlplane.service.type }} ports: diff --git a/charts/tractusx-connector-azure-vault/templates/service-dataplane.yaml b/charts/tractusx-connector-azure-vault/templates/service-dataplane.yaml index 14230b9de..6700191a8 100644 --- a/charts/tractusx-connector-azure-vault/templates/service-dataplane.yaml +++ b/charts/tractusx-connector-azure-vault/templates/service-dataplane.yaml 
@@ -1,30 +1,38 @@ +################################################################################# +# Copyright (c) 2024 ZF Friedrichshafen AG +# Copyright (c) 2023,2024 Contributors to the Eclipse Foundation # - # Copyright (c) 2023 Contributors to the Eclipse Foundation - # - # See the NOTICE file(s) distributed with this work for additional - # information regarding copyright ownership. - # - # This program and the accompanying materials are made available under the - # terms of the Apache License, Version 2.0 which is available at - # https://www.apache.org/licenses/LICENSE-2.0 - # - # Unless required by applicable law or agreed to in writing, software - # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - # License for the specific language governing permissions and limitations - # under the License. - # - # SPDX-License-Identifier: Apache-2.0 - # +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +################################################################################# --- apiVersion: v1 kind: Service metadata: name: {{ include "txdc.fullname" . 
}}-dataplane - namespace: {{ .Release.Namespace | default "default" | quote }} + namespace: {{ .Release.Namespace }} + {{- with .Values.dataplane.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: {{- include "txdc.dataplane.labels" . | nindent 4 }} + {{- with .Values.dataplane.service.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: type: {{ .Values.dataplane.service.type }} ports: diff --git a/charts/tractusx-connector-azure-vault/values.yaml b/charts/tractusx-connector-azure-vault/values.yaml index 3886de42c..702d448e7 100644 --- a/charts/tractusx-connector-azure-vault/values.yaml +++ b/charts/tractusx-connector-azure-vault/values.yaml @@ -1,8 +1,8 @@ ################################################################################# -# Copyright (c) 2023 ZF Friedrichshafen AG +# Copyright (c) 2023,2024 ZF Friedrichshafen AG # Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH # Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) -# Copyright (c) 2021,2023 Contributors to the Eclipse Foundation +# Copyright (c) 2021,2024 Contributors to the Eclipse Foundation # # See the NOTICE file(s) distributed with this work for additional # information regarding copyright ownership. 
@@ -20,41 +20,47 @@ # SPDX-License-Identifier: Apache-2.0 ################################################################################# - --- # Default values for eclipse-dataspace-connector. # This is a YAML-formatted file. # Declare variables to be passed into your templates. install: + # -- Deploying a PostgreSQL instance postgresql: true + fullnameOverride: "" nameOverride: "" # -- Existing image pull secret to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) imagePullSecrets: [] -# -- To add some custom labels +# -- Add some custom labels customLabels: {} participant: # -- BPN Number id: "BPNLCHANGEME" - iatp: - # Decentralized IDentifier + # -- Decentralized IDentifier (DID) of the connector id: "did:web:changeme" # -- Configures the trusted issuers for this runtime trustedIssuers: [] sts: dim: + # -- URL where connectors can request SI tokens url: oauth: + # -- URL where connectors can request OAuth2 access tokens for DIM access token_url: client: + # -- Client ID for requesting OAuth2 access token for DIM access id: + # -- Alias under which the client secret is stored in the vault for requesting OAuth2 access token for DIM access secret_alias: +# -- Add custom ca certificates to the truststore +customCaCerts: {} controlplane: image: @@ -66,9 +72,13 @@ controlplane: tag: "" initContainers: [] debug: + # -- Enables java debugging mode. enabled: false + # -- Port where the debuggee can connect to. port: 1044 + # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. suspendOnStart: false + livenessProbe: # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) enabled: true 
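Review bot: The new helm-docs comments for `controlplane.debug` (second hunk, `@@ -66,9 +72,13 @@`) describe the mechanics but not the risk: a Java remote-debug port (presumably JDWP, given "the debuggee can connect") has no authentication, and whoever reaches it can execute arbitrary code in the JVM, so `enabled: true` must never reach a production deployment and, when used, the port should only be reachable via port-forward or a tightly scoped NetworkPolicy. I would extend the first comment to `# -- Enables java debugging mode (JDWP). Unauthenticated: anyone who can reach the debug port can run code in the JVM - never enable in production.` The identical comments are duplicated under `dataplane.debug` later in this file and deserve the same caveat.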
@@ -95,6 +105,7 @@ controlplane: failureThreshold: 6 # -- number of consecutive successes for the probe to be considered successful after having failed successThreshold: 1 + # -- endpoints of the control plane endpoints: # -- default api for health checks, should not be added to any ingress @@ -109,7 +120,7 @@ controlplane: port: 8081 # -- path for incoming api calls path: /management - # -- authentication key, must be attached to each 'X-Api-Key' request header + # -- authentication key, must be attached to each request as `X-Api-Key` header authKey: "password" # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not control: @@ -130,21 +141,21 @@ controlplane: # -- path for incoming api calls path: /metrics - businessPartnerValidation: - log: - agreementValidation: true - bdrs: - # time that a cached BPN/DID resolution map is valid in seconds, default is 10 min + # -- Time that a cached BPN/DID resolution map is valid in seconds, default is 600 seconds (10 min) cache_validity_seconds: 600 server: - # URL of the BPN/DID Resolution Service - required: + # -- URL of the BPN/DID Resolution Service url: service: # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. type: ClusterIP + # -- additional labels for the service + labels: {} + # -- additional annotations for the service annotations: {} + # -- additional labels for the pod podLabels: {} # -- additional annotations for the pod 
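Review bot: The reworded comment on `controlplane.endpoints.management.authKey` (hunk `@@ -109,7 +120,7 @@`) leaves the default `"password"` unflagged, although as far as the chart shows this key is the only protection of the management API, and the chart's new NetworkPolicy default of `- namespaceSelector: {}` (later in this diff) keeps the port reachable from every namespace. I would state it in the comment: the default is a placeholder that must be overridden in every deployment, and the value should preferably be sourced from a Kubernetes Secret (the chart exposes `envValueFrom` / `envSecretNames` for that) rather than a committed values file. Whether the key can actually be injected through those env hooks depends on the variable name the image reads, which is not visible here - please confirm before pointing users at it.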
@@ -176,11 +187,12 @@ controlplane: runAsNonRoot: true # -- The container's process will run with the specified uid runAsUser: 10001 + # Extra environment variables that will be pass onto deployment pods env: {} # ENV_NAME: value - # "valueFrom" environment variable references that will be added to deployment pods. Name is templated. + # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core envValueFrom: {} # ENV_NAME: @@ -191,12 +203,12 @@ controlplane: # name: secret-name # key: value_key - # [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from + # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from envSecretNames: [] # - first-secret # - second-secret - # [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from + # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from envConfigMapNames: [] # - first-config-map # - second-config-map 
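Review bot: The comment added above `controlplane.env` in hunk `@@ -176,11 +187,12 @@` is `# Extra environment variables that will be pass onto deployment pods`, without the `# --` prefix that every other comment in this hunk (and the matching `dataplane.env` comment later in this diff) now carries, so helm-docs will not pick it up and the README row for `controlplane.env` stays blank; the sentence is also ungrammatical. Change it to `# -- Extra environment variables that will be passed on to deployment pods`.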
@@ -250,23 +262,27 @@ controlplane: issuer: "" # -- If preset enables certificate generation via cert-manager cluster-wide issuer clusterIssuer: "" + # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container volumeMounts: # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories volumes: + # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container - resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - limits: - cpu: 1.5 - memory: 512Mi - requests: - cpu: 500m - memory: 128Mi + resources: + limits: + # -- Maximum CPU limit + cpu: 1.5 + # -- Maximum memory limit + memory: 1024Mi + requests: + # -- Initial CPU request + cpu: 500m + # -- Initial memory request + memory: 1024Mi + replicaCount: 1 + autoscaling: # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) enabled: false @@ -278,6 +294,7 @@ controlplane: targetCPUUtilizationPercentage: 80 # -- targetAverageUtilization of memory provided to a pod targetMemoryUtilizationPercentage: 80 + # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics opentelemetry: |- otel.javaagent.enabled=false 
@@ -291,20 +308,17 @@ controlplane: java.util.logging.ConsoleHandler.level=ALL java.util.logging.SimpleFormatter.format=[%1$tY-%1$tm-%1$td %1$tH:%1$tM:%1$tS] [%4$-7s] %5$s%6$s%n - # [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes + # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes nodeSelector: {} - # [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes + # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes tolerations: [] - # [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on + # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on affinity: {} url: # -- Explicitly declared url for reaching the dsp api (e.g. if ingresses not used) protocol: "" -# -- Add custom ca certificates to the truststore -customCaCerts: {} - dataplane: image: # -- Which derivate of the data plane to use. when left empty the deployment will select the correct image automatically @@ -315,9 +329,13 @@ dataplane: tag: "" initContainers: [] debug: + # -- Enables java debugging mode. enabled: false + # -- Port where the debuggee can connect to. port: 1044 + # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. suspendOnStart: false + livenessProbe: # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) enabled: true 
@@ -344,45 +362,69 @@ dataplane: failureThreshold: 6 # -- number of consecutive successes for the probe to be considered successful after having failed successThreshold: 1 + service: # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. type: ClusterIP - port: 80 + # -- additional labels for the service + labels: {} + # -- additional annotations for the service + annotations: {} + + # -- endpoints of the dataplane endpoints: + # -- default api for health checks, should not be added to any ingress default: + # -- port for incoming api calls port: 8080 + # -- path for incoming api calls path: /api + # -- public endpoint where the data can be fetched from if HttpPull was used. Must be internet facing. public: + # -- port for incoming api calls port: 8081 + # -- path for incoming api calls path: /api/public + # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not control: + # -- port for incoming api calls port: 8084 - path: /api/control + # -- path for incoming api calls + path: /control proxy: + # -- port for incoming api calls port: 8186 + # -- path for incoming api calls path: /proxy + # -- authentication key, must be attached to each request as `X-Api-Key` header authKey: "password" + # -- metrics api, used for application metrics, must not be internet facing metrics: + # -- port for incoming api calls port: 9090 + # -- path for incoming api calls path: /metrics token: refresh: + # -- TTL in seconds for access tokens (also known as EDR token) expiry_seconds: 300 + # -- Tolerance for token expiry in seconds expiry_tolerance_seconds: 10 - # optional URL that can be provided where clients go to refresh tokens. + # -- Optional endpoint for an OAuth2 token refresh. 
Default endpoint is `/token` refresh_endpoint: signer: - # alias under which the private key is stored in the vault (JWK or PEM format) + # -- Alias under which the private key (JWK or PEM format) is stored in the vault privatekey_alias: verifier: - # alias under which the public key is stored in the vault, that belongs to the private key ("privatekey_alias", JWK or PEM format) + # -- Alias under which the public key (JWK or PEM format) is stored in the vault, that belongs to the private key which was referred to at `dataplane.token.signer.privatekey_alias` publickey_alias: aws: endpointOverride: "" accessKeyId: "" secretAccessKey: "" + # -- additional labels for the pod podLabels: {} # -- additional annotations for the pod @@ -414,11 +456,12 @@ dataplane: runAsNonRoot: true # -- The container's process will run with the specified uid runAsUser: 10001 - # Extra environment variables that will be pass onto deployment pods + + # -- Extra environment variables that will be pass onto deployment pods env: {} # ENV_NAME: value - # "valueFrom" environment variable references that will be added to deployment pods. Name is templated. + # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core envValueFrom: {} # ENV_NAME: 
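Review bot: `dataplane.endpoints.control.path` changes from `/api/control` to `/control` in hunk `@@ -344,45 +362,69 @@`, a behavioural default change buried among comment-only lines; any ingress rule, probe or client configured for `/api/control` will break on upgrade. It should be called out as a breaking change in the chart changelog / upgrade notes and ideally in the comment itself, e.g. `# -- path for incoming api calls (default changed from /api/control)`. The new `dataplane.endpoints.proxy.authKey` comment repeats the management-key wording but again leaves the `"password"` default unflagged as a placeholder that must be overridden, and `aws.accessKeyId` / `aws.secretAccessKey` remain undocumented plain-text credentials in the values file; a one-line note recommending a Secret or the vault for both would help.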
@@ -429,12 +472,12 @@ dataplane: # name: secret-name # key: value_key - # [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from + # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from envSecretNames: [] # - first-secret # - second-secret - # [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from + # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from envConfigMapNames: [] # - first-config-map # - second-config-map 
@@ -464,23 +507,27 @@ dataplane: issuer: "" # -- If preset enables certificate generation via cert-manager cluster-wide issuer clusterIssuer: "" + # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container volumeMounts: # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories volumes: + # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container - resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - limits: - cpu: 1.5 - memory: 1024Mi - requests: - cpu: 500m - memory: 128Mi + resources: + limits: + # -- Maximum CPU limit + cpu: 1.5 + # -- Maximum memory limit + memory: 1024Mi + requests: + # -- Initial CPU request + cpu: 500m + # -- Initial memory request + memory: 1024Mi + replicaCount: 1 + autoscaling: # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) enabled: false @@ -492,6 +539,7 @@ dataplane: targetCPUUtilizationPercentage: 80 # -- targetAverageUtilization of memory provided to a pod targetMemoryUtilizationPercentage: 80 + # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics opentelemetry: |- otel.javaagent.enabled=false 
@@ -504,11 +552,12 @@ dataplane: java.util.logging.ConsoleHandler.formatter=java.util.logging.SimpleFormatter java.util.logging.ConsoleHandler.level=ALL java.util.logging.SimpleFormatter.format=[%1$tY-%1$tm-%1$td %1$tH:%1$tM:%1$tS] [%4$-7s] %5$s%6$s%n - # [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes + + # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes nodeSelector: {} - # [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes + # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes tolerations: [] - # [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on + # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on affinity: {} url: @@ -527,6 +576,7 @@ postgresql: database: "edc" username: "user" password: "password" + vault: azure: name: "" @@ -535,10 +585,6 @@ vault: secret: certificate: - secretNames: - transferProxyTokenSignerPrivateKey: - transferProxyTokenSignerPublicKey: - networkPolicy: # -- If `true` network policy will be created to restrict access to control- and dataplane enabled: false 
@@ -554,11 +600,11 @@ networkPolicy: - namespaceSelector: {} serviceAccount: - # Specifies whether a service account should be created + # -- Specifies whether a service account should be created create: true - # Annotations to add to the service account + # -- Annotations to add to the service account annotations: {} - # The name of the service account to use. + # -- The name of the service account to use. # If not set and create is true, a name is generated using the fullname template name: "" # -- Existing image pull secret bound to the service account to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) diff --git a/charts/tractusx-connector-memory/README.md b/charts/tractusx-connector-memory/README.md index 6fa6270da..9bfd36508 100644 --- a/charts/tractusx-connector-memory/README.md +++ b/charts/tractusx-connector-memory/README.md 
@@ -54,32 +54,30 @@ helm install my-release tractusx-edc/tractusx-connector-memory --version 0.7.2 \ | Key | Type | Default | Description | |-----|------|---------|-------------| -| backendService.httpProxyTokenReceiverUrl | string | `"https://example.com"` | Specifies a backend service which will receive the EDR | | customCaCerts | object | `{}` | Add custom ca certificates to the truststore | -| customLabels | object | `{}` | To add some custom labels | +| customLabels | object | `{}` | Add some custom labels | | fullnameOverride | string | `""` | | -| iatp.id | string | `"did:web:changeme"` | | -| iatp.sts.dim.url | string | `nil` | | -| iatp.sts.oauth.client.id | string | `nil` | | -| iatp.sts.oauth.client.secret_alias | string | `nil` | | -| iatp.sts.oauth.token_url | string | `nil` | | +| iatp.id | string | `"did:web:changeme"` | Decentralized IDentifier (DID) of the connector | +| iatp.sts.dim.url | string | `nil` | URL where connectors can request SI tokens | +| iatp.sts.oauth.client.id | string | `nil` | Client ID for requesting OAuth2 access token for DIM access | +| iatp.sts.oauth.client.secret_alias | string | `nil` | Alias under which the client secret is stored in the vault for requesting OAuth2 access token for DIM access | +| iatp.sts.oauth.token_url | string | `nil` | URL where connectors can request OAuth2 access tokens for DIM access | | iatp.trustedIssuers | list | `[]` | Configures the trusted issuers for this runtime | | imagePullSecrets | list | `[]` | Existing image pull secret to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) | | nameOverride | string | `""` | | | participant.id | string | `"BPNLCHANGEME"` | BPN Number | -| runtime.affinity | object | `{}` | | +| runtime.affinity | object | `{}` | [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be 
scheduled on | | runtime.autoscaling.enabled | bool | `false` | Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) | | runtime.autoscaling.maxReplicas | int | `100` | Maximum replicas if resource consumption exceeds resource threshholds | | runtime.autoscaling.minReplicas | int | `1` | Minimal replicas if resource consumption falls below resource threshholds | | runtime.autoscaling.targetCPUUtilizationPercentage | int | `80` | targetAverageUtilization of cpu provided to a pod | | runtime.autoscaling.targetMemoryUtilizationPercentage | int | `80` | targetAverageUtilization of memory provided to a pod | -| runtime.bdrs.cache_validity_seconds | int | `600` | | -| runtime.bdrs.server.url | string | `nil` | | -| runtime.businessPartnerValidation.log.agreementValidation | bool | `true` | | -| runtime.debug.enabled | bool | `false` | | -| runtime.debug.port | int | `1044` | | -| runtime.debug.suspendOnStart | bool | `false` | | -| runtime.endpoints | object | `{"control":{"path":"/control","port":8083},"default":{"path":"/api","port":8080},"management":{"authKey":"password","path":"/management","port":8081},"protocol":{"path":"/api/v1/dsp","port":8084},"proxy":{"authKey":"password","path":"/proxy","port":8186},"public":{"path":"/api/public","port":8086}}` | endpoints of the control plane | +| runtime.bdrs.cache_validity_seconds | int | `600` | Time that a cached BPN/DID resolution map is valid in seconds, default is 600 seconds (10 min) | +| runtime.bdrs.server.url | string | `nil` | URL of the BPN/DID Resolution Service | +| runtime.debug.enabled | bool | `false` | Enables java debugging mode. | +| runtime.debug.port | int | `1044` | Port where the debuggee can connect to. | +| runtime.debug.suspendOnStart | bool | `false` | Defines if the JVM should wait with starting the application until someone connected to the debugging port. 
| +| runtime.endpoints | object | `{"control":{"path":"/control","port":8083},"default":{"path":"/api","port":8080},"management":{"authKey":"password","path":"/management","port":8081},"protocol":{"path":"/api/v1/dsp","port":8084},"proxy":{"authKey":"password","path":"/proxy","port":8186},"public":{"path":"/api/public","port":8086}}` | endpoints of the controlplane | | runtime.endpoints.control | object | `{"path":"/control","port":8083}` | control api, used for internal control calls. can be added to the internal ingress, but should probably not | | runtime.endpoints.control.path | string | `"/control"` | path for incoming api calls | | runtime.endpoints.control.port | int | `8083` | port for incoming api calls | 
@@ -87,18 +85,25 @@ helm install my-release tractusx-edc/tractusx-connector-memory --version 0.7.2 \ | runtime.endpoints.default.path | string | `"/api"` | path for incoming api calls | | runtime.endpoints.default.port | int | `8080` | port for incoming api calls | | runtime.endpoints.management | object | `{"authKey":"password","path":"/management","port":8081}` | data management api, used by internal users, can be added to an ingress and must not be internet facing | -| runtime.endpoints.management.authKey | string | `"password"` | authentication key, must be attached to each 'X-Api-Key' request header | +| runtime.endpoints.management.authKey | string | `"password"` | authentication key, must be attached to each request as `X-Api-Key` header | | runtime.endpoints.management.path | string | `"/management"` | path for incoming api calls | | runtime.endpoints.management.port | int | `8081` | port for incoming api calls | | runtime.endpoints.protocol | object | `{"path":"/api/v1/dsp","port":8084}` | dsp api, used for inter connector communication and must be internet facing | | runtime.endpoints.protocol.path | string | `"/api/v1/dsp"` | path for incoming api calls | | runtime.endpoints.protocol.port | int | `8084` | port for incoming api calls | +| runtime.endpoints.proxy | object | `{"authKey":"password","path":"/proxy","port":8186}` | proxy API | +| runtime.endpoints.proxy.authKey | string | `"password"` | authentication key, must be attached to each request as `X-Api-Key` header | +| runtime.endpoints.proxy.path | string | `"/proxy"` | path for incoming api calls | +| runtime.endpoints.proxy.port | int | `8186` | port for incoming api calls | +| runtime.endpoints.public | object | `{"path":"/api/public","port":8086}` | public endpoint where the data can be fetched from if HttpPull was used. Must be internet facing. 
| +| runtime.endpoints.public.path | string | `"/api/public"` | path for incoming api calls | +| runtime.endpoints.public.port | int | `8086` | port for incoming api calls | | runtime.env | object | `{}` | | -| runtime.envConfigMapNames | list | `[]` | | -| runtime.envSecretNames | list | `[]` | | -| runtime.envValueFrom | object | `{}` | | +| runtime.envConfigMapNames | list | `[]` | [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from | +| runtime.envSecretNames | list | `[]` | [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from | +| runtime.envValueFrom | object | `{}` | "valueFrom" environment variable references that will be added to deployment pods. Name is templated. ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core | | runtime.image.pullPolicy | string | `"IfNotPresent"` | [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use | -| runtime.image.repository | string | `""` | | +| runtime.image.repository | string | `""` | Which derivate of the control plane to use. When left empty the deployment will select the correct image automatically | | runtime.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion | | runtime.ingresses[0].annotations | object | `{}` | Additional ingress annotations to add | | runtime.ingresses[0].certManager.clusterIssuer | string | `""` | If preset enables certificate generation via cert-manager cluster-wide issuer | 
@@ -121,8 +126,6 @@ helm install my-release tractusx-edc/tractusx-connector-memory --version 0.7.2 \ | runtime.ingresses[1].tls.enabled | bool | `false` | Enables TLS on the ingress resource | | runtime.ingresses[1].tls.secretName | string | `""` | If present overwrites the default secret name | | runtime.initContainers | list | `[]` | | -| runtime.limits.cpu | float | `1.5` | | -| runtime.limits.memory | string | `"512Mi"` | | | runtime.livenessProbe.enabled | bool | `true` | Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) | | runtime.livenessProbe.failureThreshold | int | `6` | when a probe fails kubernetes will try 6 times before giving up | | runtime.livenessProbe.initialDelaySeconds | int | `30` | seconds to wait before performing the first liveness check | 
@@ -130,7 +133,7 @@ helm install my-release tractusx-edc/tractusx-connector-memory --version 0.7.2 \ | runtime.livenessProbe.successThreshold | int | `1` | number of consecutive successes for the probe to be considered successful after having failed | | runtime.livenessProbe.timeoutSeconds | int | `5` | number of seconds after which the probe times out | | runtime.logging | string | `".level=INFO\norg.eclipse.edc.level=ALL\nhandlers=java.util.logging.ConsoleHandler\njava.util.logging.ConsoleHandler.formatter=java.util.logging.SimpleFormatter\njava.util.logging.ConsoleHandler.level=ALL\njava.util.logging.SimpleFormatter.format=[%1$tY-%1$tm-%1$td %1$tH:%1$tM:%1$tS] [%4$-7s] %5$s%6$s%n"` | configuration of the [Java Util Logging Facade](https://docs.oracle.com/javase/7/docs/technotes/guides/logging/overview.html) | -| runtime.nodeSelector | object | `{}` | | +| runtime.nodeSelector | object | `{}` | [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes | | runtime.podAnnotations | object | `{}` | additional annotations for the pod | | runtime.podLabels | object | `{}` | additional labels for the pod | | runtime.podSecurityContext | object | `{"fsGroup":10001,"runAsGroup":10001,"runAsUser":10001,"seccompProfile":{"type":"RuntimeDefault"}}` | The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment | 
@@ -145,37 +148,38 @@ helm install my-release tractusx-edc/tractusx-connector-memory --version 0.7.2 \ | runtime.readinessProbe.successThreshold | int | `1` | number of consecutive successes for the probe to be considered successful after having failed | | runtime.readinessProbe.timeoutSeconds | int | `5` | number of seconds after which the probe times out | | runtime.replicaCount | int | `1` | | -| runtime.requests.cpu | string | `"500m"` | | -| runtime.requests.memory | string | `"128Mi"` | | -| runtime.resources | object | `{}` | [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container | +| runtime.resources | object | `{"limits":{"cpu":1.5,"memory":"1024Mi"},"requests":{"cpu":"500m","memory":"1024Mi"}}` | [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container | +| runtime.resources.limits.cpu | float | `1.5` | Maximum CPU limit | +| runtime.resources.limits.memory | string | `"1024Mi"` | Maximum memory limit | +| runtime.resources.requests.cpu | string | `"500m"` | Initial CPU request | +| runtime.resources.requests.memory | string | `"1024Mi"` | Initial memory request | | runtime.securityContext.allowPrivilegeEscalation | bool | `false` | Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID | | runtime.securityContext.capabilities.add | list | `[]` | Specifies which capabilities to add to issue specialized syscalls | | runtime.securityContext.capabilities.drop | list | `["ALL"]` | Specifies which capabilities to drop to reduce syscall attack surface | | runtime.securityContext.readOnlyRootFilesystem | bool | `true` | Whether the root filesystem is mounted in read-only mode | | runtime.securityContext.runAsNonRoot | bool | `true` | Requires the container to run without root privileges | | 
runtime.securityContext.runAsUser | int | `10001` | The container's process will run with the specified uid | -| runtime.service.annotations | object | `{}` | | +| runtime.service.annotations | object | `{}` | additional annotations for the service | +| runtime.service.labels | object | `{}` | additional labels for the service | | runtime.service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. | -| runtime.token.refresh.expiry_seconds | int | `300` | | -| runtime.token.refresh.expiry_tolerance_seconds | int | `10` | | -| runtime.token.refresh.refresh_endpoint | string | `nil` | | -| runtime.token.signer.privatekey_alias | string | `nil` | | -| runtime.token.verifier.publickey_alias | string | `nil` | | -| runtime.tolerations | list | `[]` | | +| runtime.token.refresh.expiry_seconds | int | `300` | TTL in seconds for access tokens (also known as EDR token) | +| runtime.token.refresh.expiry_tolerance_seconds | int | `10` | Tolerance for token expiry in seconds | +| runtime.token.refresh.refresh_endpoint | string | `nil` | Optional endpoint for an OAuth2 token refresh. Default endpoint is `/token` | +| runtime.token.signer.privatekey_alias | string | `nil` | Alias under which the private key (JWK or PEM format) is stored in the vault | +| runtime.token.verifier.publickey_alias | string | `nil` | Alias under which the public key (JWK or PEM format) is stored in the vault, that belongs to the private key which was referred to at `dataplane.token.signer.privatekey_alias` | +| runtime.tolerations | list | `[]` | [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes | | runtime.url.protocol | string | `""` | Explicitly declared url for reaching the dsp api (e.g. 
if ingresses not used) | -| runtime.url.public | string | `""` | | -| runtime.url.readiness | string | `""` | | +| runtime.url.public | string | `""` | Explicitly declared url for reaching the public api (e.g. if ingresses not used) | | runtime.volumeMounts | list | `[]` | declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container | | runtime.volumes | list | `[]` | [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories | -| serviceAccount.annotations | object | `{}` | | -| serviceAccount.create | bool | `true` | | +| serviceAccount.annotations | object | `{}` | Annotations to add to the service account | +| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | | serviceAccount.imagePullSecrets | list | `[]` | Existing image pull secret bound to the service account to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) | -| serviceAccount.name | string | `""` | | +| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | | tests | object | `{"hookDeletePolicy":"before-hook-creation,hook-succeeded"}` | Configurations for Helm tests | | tests.hookDeletePolicy | string | `"before-hook-creation,hook-succeeded"` | Configure the hook-delete-policy for Helm tests | -| vault.secretNames | string | `nil` | | | vault.secrets | string | `""` | | | vault.server.postStart | string | `""` | | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.10.0](https://github.com/norwoodj/helm-docs/releases/v1.10.0) +Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs/) 
diff --git a/charts/tractusx-connector-memory/README.md.gotmpl b/charts/tractusx-connector-memory/README.md.gotmpl index fd4b05c2c..3484c4f84 100644 --- a/charts/tractusx-connector-memory/README.md.gotmpl +++ b/charts/tractusx-connector-memory/README.md.gotmpl @@ -57,4 +57,5 @@ helm install my-release tractusx-edc/tractusx-connector-memory --version {{ .Ver {{ template "chart.valuesSection" . }} -{{ template "helm-docs.versionFooter" . }} +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs/) diff --git a/charts/tractusx-connector-memory/templates/deployment-runtime.yaml b/charts/tractusx-connector-memory/templates/deployment-runtime.yaml index 91dfb5993..b63a6ff80 100644 --- a/charts/tractusx-connector-memory/templates/deployment-runtime.yaml +++ b/charts/tractusx-connector-memory/templates/deployment-runtime.yaml @@ -203,7 +203,7 @@ spec: ## IATP / STS / DIM CONFIG ## ############################# - name: "EDC_IAM_STS_OAUTH_TOKEN_URL" - value: {{ .Values.iatp.sts.oauth.token_url | required ".Values.iatp.oauth.token_url is required" | quote}} + value: {{ .Values.iatp.sts.oauth.token_url | required ".Values.iatp.sts.oauth.token_url is required" | quote}} - name: "EDC_IAM_STS_OAUTH_CLIENT_ID" value: {{ .Values.iatp.sts.oauth.client.id | required ".Values.iatp.sts.oauth.client.id is required" | quote}} - name: "EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS" @@ -220,10 +220,8 @@ spec: ## BDRS CLIENT ## ################# - {{- if .Values.runtime.bdrs.server.url }} - name: "TX_IAM_IATP_BDRS_SERVER_URL" value: {{ .Values.runtime.bdrs.server.url | required ".Values.runtime.bdrs.server.url is required" | quote }} - {{- end }} {{- if .Values.runtime.bdrs.cache_validity_seconds }} - name: "TX_IAM_IATP_BDRS_CACHE_VALIDITY" value: {{ .Values.runtime.bdrs.cache_validity_seconds | quote}} 
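Review bot: Removing the `{{- if .Values.runtime.bdrs.server.url }}` guard in the BDRS CLIENT hunk makes the URL mandatory (the `required` pipe now fires unconditionally), which is the right fail-closed behaviour, but the same commit deletes the bare `required:` hint from values.yaml and the new `# --` comment / README row only say "URL of the BPN/DID Resolution Service". Suggest `# -- URL of the BPN/DID Resolution Service (required; chart rendering fails without it)`. Because the connector trusts this service for BPN-to-DID mapping, the comment should also say `Use an https URL; the template only quotes the value and does not validate the scheme.` The enclosing `env:` list continues outside the hunk.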
@@ -280,12 +278,6 @@ spec: - name: "EDC_CP_ADAPTER_REUSE_CONTRACT_AGREEMENT" value: "0" - ########################### - ## BUSINESS PARTNER NUMBER VALIDATION EXTENSION ## - ########################### - - name: "TRACTUSX_BUSINESSPARTNERVALIDATION_LOG_AGREEMENT_VALIDATION" - value: {{ .Values.runtime.businessPartnerValidation.log.agreementValidation | quote }} - ###################################### ## Additional environment variables ## ###################################### diff --git a/charts/tractusx-connector-memory/templates/service-runtime.yaml b/charts/tractusx-connector-memory/templates/service-runtime.yaml index d6c441b85..0767c0d06 100644 --- a/charts/tractusx-connector-memory/templates/service-runtime.yaml +++ b/charts/tractusx-connector-memory/templates/service-runtime.yaml 
@@ -1,33 +1,40 @@ +################################################################################# +# Copyright (c) 2023,2024 ZF Friedrichshafen AG +# Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH +# Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) +# Copyright (c) 2021,2024 Contributors to the Eclipse Foundation # - # Copyright (c) 2023 ZF Friedrichshafen AG - # Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH - # Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) - # Copyright (c) 2021,2023 Contributors to the Eclipse Foundation - # - # See the NOTICE file(s) distributed with this work for additional - # information regarding copyright ownership. - # - # This program and the accompanying materials are made available under the - # terms of the Apache License, Version 2.0 which is available at - # https://www.apache.org/licenses/LICENSE-2.0 - # - # Unless required by applicable law or agreed to in writing, software - # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - # License for the specific language governing permissions and limitations - # under the License. - # - # SPDX-License-Identifier: Apache-2.0 - # +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. 
+# +# SPDX-License-Identifier: Apache-2.0 +################################################################################# --- apiVersion: v1 kind: Service metadata: name: {{ include "txdc.fullname" . }}-runtime - namespace: {{ .Release.Namespace | default "default" | quote }} + namespace: {{ .Release.Namespace }} + {{- with .Values.runtime.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: {{- include "txdc.runtime.labels" . | nindent 4 }} + {{- with .Values.runtime.service.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: type: {{ .Values.runtime.service.type }} ports: diff --git a/charts/tractusx-connector-memory/values.yaml b/charts/tractusx-connector-memory/values.yaml index d1b3d50b8..c7c4ad63b 100644 --- a/charts/tractusx-connector-memory/values.yaml +++ b/charts/tractusx-connector-memory/values.yaml @@ -1,6 +1,7 @@ ################################################################################# +# Copyright (c) 2024 ZF Friedrichshafen AG # Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) -# Copyright (c) 2021,2023 Contributors to the Eclipse Foundation +# Copyright (c) 2021,2024 Contributors to the Eclipse Foundation # # See the NOTICE file(s) distributed with this work for additional # information regarding copyright ownership. @@ -25,9 +26,10 @@ fullnameOverride: "" nameOverride: "" + # -- Existing image pull secret to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) imagePullSecrets: [] -# -- To add some custom labels +# -- Add some custom labels customLabels: {} participant: 
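Review bot: `namespace: {{ .Release.Namespace }}` drops the `| quote` that the replaced line carried, so the namespace is now rendered as a plain scalar; dropping `default "default"` is fine since Helm always sets the release namespace, but keep `namespace: {{ .Release.Namespace | quote }}` so the rendered manifest never depends on YAML scalar typing. The new `labels` block also appends user-supplied `runtime.service.labels` after `txdc.runtime.labels`, so a user value can override the chart's `app.kubernetes.io/*` keys on the Service metadata; if that is not intended, render the chart labels last or document the precedence in values.yaml. The `spec:`/`ports:` mapping continues past the hunk.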
@@ -35,17 +37,21 @@ participant: id: "BPNLCHANGEME" iatp: - # Decentralized IDentifier + # -- Decentralized IDentifier (DID) of the connector id: "did:web:changeme" # -- Configures the trusted issuers for this runtime trustedIssuers: [] sts: dim: + # -- URL where connectors can request SI tokens url: oauth: + # -- URL where connectors can request OAuth2 access tokens for DIM access token_url: client: + # -- Client ID for requesting OAuth2 access token for DIM access id: + # -- Alias under which the client secret is stored in the vault for requesting OAuth2 access token for DIM access secret_alias: # -- Add custom ca certificates to the truststore @@ -53,6 +59,7 @@ customCaCerts: {} runtime: image: + # -- Which derivate of the control plane to use. When left empty the deployment will select the correct image automatically repository: "" # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use pullPolicy: IfNotPresent @@ -60,9 +67,13 @@ runtime: tag: "" initContainers: [] debug: + # -- Enables java debugging mode. enabled: false + # -- Port where the debuggee can connect to. port: 1044 + # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. suspendOnStart: false + livenessProbe: # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) enabled: true @@ -89,7 +100,8 @@ runtime: failureThreshold: 6 # -- number of consecutive successes for the probe to be considered successful after having failed successThreshold: 1 - # -- endpoints of the control plane + + # -- endpoints of the controlplane endpoints: # -- default api for health checks, should not be added to any ingress default: 
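Review bot: The new `# -- Enables java debugging mode.` comment on `runtime.debug.enabled` should carry the operational caveat that a JVM debug listener is presumably an unauthenticated code-execution path: anything that can reach `port` (1044) can attach and run code in the connector. Suggest `# -- Enables java debugging mode (JDWP). Never enable in production; the debug port is unauthenticated and must not be reachable from outside the pod.` Whether the template exposes this port on the Service or an ingress is not visible in this hunk.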
@@ -103,7 +115,7 @@ runtime: port: 8081 # -- path for incoming api calls path: /management - # -- authentication key, must be attached to each 'X-Api-Key' request header + # -- authentication key, must be attached to each request as `X-Api-Key` header authKey: "password" # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not control: 
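Review bot: The reworded comment on `runtime.endpoints.management.authKey` still leaves the shipped default `"password"` unexplained, while the README lists it verbatim as the default for an API the chart itself says must not be internet facing. Suggest `# -- authentication key, must be attached to each request as X-Api-Key header. The default "password" is a placeholder and must be overridden per deployment (e.g. via envSecretNames); never deploy with it.` The `management:` mapping begins outside the hunk.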
@@ -117,41 +129,51 @@ runtime: port: 8084 # -- path for incoming api calls path: /api/v1/dsp + # -- public endpoint where the data can be fetched from if HttpPull was used. Must be internet facing. public: + # -- port for incoming api calls port: 8086 + # -- path for incoming api calls path: /api/public + # -- proxy API proxy: + # -- port for incoming api calls port: 8186 + # -- path for incoming api calls path: /proxy + # -- authentication key, must be attached to each request as `X-Api-Key` header authKey: "password" - businessPartnerValidation: - log: - agreementValidation: true token: refresh: + # -- TTL in seconds for access tokens (also known as EDR token) expiry_seconds: 300 + # -- Tolerance for token expiry in seconds expiry_tolerance_seconds: 10 - # optional URL that can be provided where clients go to refresh tokens. + # -- Optional endpoint for an OAuth2 token refresh. Default endpoint is `/token` refresh_endpoint: signer: - # alias under which the private key is stored in the vault (JWK or PEM format) + # -- Alias under which the private key (JWK or PEM format) is stored in the vault privatekey_alias: verifier: - # alias under which the public key is stored in the vault, that belongs to the private key ("privatekey_alias", JWK or PEM format) + # -- Alias under which the public key (JWK or PEM format) is stored in the vault, that belongs to the private key which was referred to at `dataplane.token.signer.privatekey_alias` publickey_alias: bdrs: - # time that a cached BPN/DID resolution map is valid in seconds, default is 10 min + # -- Time that a cached BPN/DID resolution map is valid in seconds, default is 600 seconds (10 min) cache_validity_seconds: 600 server: - # URL of the BPN/DID Resolution Service - required: + # -- URL of the BPN/DID Resolution Service url: service: # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network 
service. type: ClusterIP + # -- additional labels for the service + labels: {} + # -- additional annotations for the service annotations: {} + # -- additional labels for the pod podLabels: {} # -- additional annotations for the pod @@ -183,11 +205,12 @@ runtime: runAsNonRoot: true # -- The container's process will run with the specified uid runAsUser: 10001 + # Extra environment variables that will be pass onto deployment pods env: {} # ENV_NAME: value - # "valueFrom" environment variable references that will be added to deployment pods. Name is templated. + # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core envValueFrom: {} # ENV_NAME: @@ -198,12 +221,12 @@ runtime: # name: secret-name # key: value_key - # [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from + # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from envSecretNames: [] # - first-secret # - second-secret - # [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from + # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from envConfigMapNames: [] # - first-config-map # - second-config-map 
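Review bot: The new comment on `runtime.token.verifier.publickey_alias` points to `dataplane.token.signer.privatekey_alias`, but this chart has no `dataplane` section; the sibling key is `runtime.token.signer.privatekey_alias`, and the same wording is copied into the generated README row. Suggest `# -- Alias under which the public key (JWK or PEM format) is stored in the vault, that belongs to the private key referred to at runtime.token.signer.privatekey_alias`. The new `proxy.authKey: "password"` comment should likewise state that the default is a placeholder to be overridden, as for the management key. The `runtime:` mapping this hunk edits begins and ends outside it.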
@@ -258,23 +281,27 @@ runtime: issuer: "" # -- If preset enables certificate generation via cert-manager cluster-wide issuer clusterIssuer: "" + # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container volumeMounts: [] # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories volumes: [] + # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container - resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - limits: - cpu: 1.5 - memory: 512Mi - requests: - cpu: 500m - memory: 128Mi + resources: + limits: + # -- Maximum CPU limit + cpu: 1.5 + # -- Maximum memory limit + memory: 1024Mi + requests: + # -- Initial CPU request + cpu: 500m + # -- Initial memory request + memory: 1024Mi + replicaCount: 1 + autoscaling: # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) enabled: false @@ -286,6 +313,7 @@ runtime: targetCPUUtilizationPercentage: 80 # -- targetAverageUtilization of memory provided to a pod targetMemoryUtilizationPercentage: 80 + # -- configuration of the [Java Util Logging Facade](https://docs.oracle.com/javase/7/docs/technotes/guides/logging/overview.html) logging: |- .level=INFO 
@@ -294,36 +322,37 @@ runtime: java.util.logging.ConsoleHandler.formatter=java.util.logging.SimpleFormatter java.util.logging.ConsoleHandler.level=ALL java.util.logging.SimpleFormatter.format=[%1$tY-%1$tm-%1$td %1$tH:%1$tM:%1$tS] [%4$-7s] %5$s%6$s%n - # [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes + + # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes nodeSelector: {} - # [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes + # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes tolerations: [] - # [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on + # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on affinity: {} + url: # -- Explicitly declared url for reaching the dsp api (e.g. if ingresses not used) protocol: "" + # -- Explicitly declared url for reaching the public api (e.g. if ingresses not used) public: "" - readiness: "" + vault: # secrets can be seeded by supplying them in a semicolon separated list key1:secret2;key2:secret2 secrets: "" - secretNames: server: postStart: |- -backendService: - # -- Specifies a backend service which will receive the EDR - httpProxyTokenReceiverUrl: "https://example.com" + serviceAccount: - # Specifies whether a service account should be created + # -- Specifies whether a service account should be created create: true - # Annotations to add to the service account + # -- Annotations to add to the service account annotations: {} - # The name of the service account to use. 
+ # -- The name of the service account to use. # If not set and create is true, a name is generated using the fullname template name: "" # -- Existing image pull secret bound to the service account to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) imagePullSecrets: [] + # -- Configurations for Helm tests tests: # -- Configure the hook-delete-policy for Helm tests diff --git a/charts/tractusx-connector/README.md b/charts/tractusx-connector/README.md index 16f99ed04..25582a3b3 100644 --- a/charts/tractusx-connector/README.md +++ b/charts/tractusx-connector/README.md 
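Review bot: The hunk leaves `vault.secrets` as the one key in this stanza without a `# --` description (the README row stays empty), and the plain comment it keeps has a typo in the example (`key1:secret2;key2:secret2` should read `key1:secret1;key2:secret2`). Since Helm keeps supplied values in the release record and they typically end up in committed values files, the comment should warn about that: `# -- Seed secrets into the in-memory vault as a semicolon separated list key1:secret1;key2:secret2. Values are stored in plaintext in the release; use only for local/dev deployments.` Deleting `vault.secretNames`, `runtime.url.readiness` and `backendService.httpProxyTokenReceiverUrl` is safe only if no template still reads them, which is not visible here.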
@@ -63,18 +63,17 @@ helm install my-release tractusx-edc/tractusx-connector --version 0.7.2 \ | Key | Type | Default | Description | |-----|------|---------|-------------| -| controlplane.affinity | object | `{}` | | +| controlplane.affinity | object | `{}` | [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on | | controlplane.autoscaling.enabled | bool | `false` | Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) | | controlplane.autoscaling.maxReplicas | int | `100` | Maximum replicas if resource consumption exceeds resource threshholds | | controlplane.autoscaling.minReplicas | int | `1` | Minimal replicas if resource consumption falls below resource threshholds | | controlplane.autoscaling.targetCPUUtilizationPercentage | int | `80` | targetAverageUtilization of cpu provided to a pod | | controlplane.autoscaling.targetMemoryUtilizationPercentage | int | `80` | targetAverageUtilization of memory provided to a pod | -| controlplane.bdrs.cache_validity_seconds | int | `600` | | -| controlplane.bdrs.server.url | string | `nil` | | -| controlplane.businessPartnerValidation.log.agreementValidation | bool | `true` | | -| controlplane.debug.enabled | bool | `false` | | -| controlplane.debug.port | int | `1044` | | -| controlplane.debug.suspendOnStart | bool | `false` | | +| controlplane.bdrs.cache_validity_seconds | int | `600` | Time that a cached BPN/DID resolution map is valid in seconds, default is 600 seconds (10 min) | +| controlplane.bdrs.server.url | string | `nil` | URL of the BPN/DID Resolution Service | +| controlplane.debug.enabled | bool | `false` | Enables java debugging mode. | +| controlplane.debug.port | int | `1044` | Port where the debuggee can connect to. 
| +| controlplane.debug.suspendOnStart | bool | `false` | Defines if the JVM should wait with starting the application until someone connected to the debugging port. | | controlplane.endpoints | object | `{"control":{"path":"/control","port":8083},"default":{"path":"/api","port":8080},"management":{"authKey":"password","path":"/management","port":8081},"metrics":{"path":"/metrics","port":9090},"protocol":{"path":"/api/v1/dsp","port":8084}}` | endpoints of the control plane | | controlplane.endpoints.control | object | `{"path":"/control","port":8083}` | control api, used for internal control calls. can be added to the internal ingress, but should probably not | | controlplane.endpoints.control.path | string | `"/control"` | path for incoming api calls | @@ -83,7 +82,7 @@ helm install my-release tractusx-edc/tractusx-connector --version 0.7.2 \ | controlplane.endpoints.default.path | string | `"/api"` | path for incoming api calls | | controlplane.endpoints.default.port | int | `8080` | port for incoming api calls | | controlplane.endpoints.management | object | `{"authKey":"password","path":"/management","port":8081}` | data management api, used by internal users, can be added to an ingress and must not be internet facing | -| controlplane.endpoints.management.authKey | string | `"password"` | authentication key, must be attached to each 'X-Api-Key' request header | +| controlplane.endpoints.management.authKey | string | `"password"` | authentication key, must be attached to each request as `X-Api-Key` header | | controlplane.endpoints.management.path | string | `"/management"` | path for incoming api calls | | controlplane.endpoints.management.port | int | `8081` | port for incoming api calls | | controlplane.endpoints.metrics | object | `{"path":"/metrics","port":9090}` | metrics api, used for application metrics, must not be internet facing | 
@@ -92,12 +91,12 @@ helm install my-release tractusx-edc/tractusx-connector --version 0.7.2 \ | controlplane.endpoints.protocol | object | `{"path":"/api/v1/dsp","port":8084}` | dsp api, used for inter connector communication and must be internet facing | | controlplane.endpoints.protocol.path | string | `"/api/v1/dsp"` | path for incoming api calls | | controlplane.endpoints.protocol.port | int | `8084` | port for incoming api calls | -| controlplane.env | object | `{}` | | -| controlplane.envConfigMapNames | list | `[]` | | -| controlplane.envSecretNames | list | `[]` | | -| controlplane.envValueFrom | object | `{}` | | +| controlplane.env | object | `{}` | Extra environment variables that will be pass onto deployment pods | +| controlplane.envConfigMapNames | list | `[]` | [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from | +| controlplane.envSecretNames | list | `[]` | [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from | +| controlplane.envValueFrom | object | `{}` | "valueFrom" environment variable references that will be added to deployment pods. Name is templated. ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core | | controlplane.image.pullPolicy | string | `"IfNotPresent"` | [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use | -| controlplane.image.repository | string | `""` | Which derivate of the control plane to use. when left empty the deployment will select the correct image automatically | +| controlplane.image.repository | string | `""` | Which derivate of the control plane to use. 
When left empty the deployment will select the correct image automatically | | controlplane.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion | | controlplane.ingresses[0].annotations | object | `{}` | Additional ingress annotations to add | | controlplane.ingresses[0].certManager.clusterIssuer | string | `""` | If preset enables certificate generation via cert-manager cluster-wide issuer | @@ -120,8 +119,6 @@ helm install my-release tractusx-edc/tractusx-connector --version 0.7.2 \ | controlplane.ingresses[1].tls.enabled | bool | `false` | Enables TLS on the ingress resource | | controlplane.ingresses[1].tls.secretName | string | `""` | If present overwrites the default secret name | | controlplane.initContainers | list | `[]` | | -| controlplane.limits.cpu | float | `1.5` | | -| controlplane.limits.memory | string | `"512Mi"` | | | controlplane.livenessProbe.enabled | bool | `true` | Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) | | controlplane.livenessProbe.failureThreshold | int | `6` | when a probe fails kubernetes will try 6 times before giving up | | controlplane.livenessProbe.initialDelaySeconds | int | `30` | seconds to wait before performing the first liveness check | 
@@ -129,7 +126,7 @@ helm install my-release tractusx-edc/tractusx-connector --version 0.7.2 \ | controlplane.livenessProbe.successThreshold | int | `1` | number of consecutive successes for the probe to be considered successful after having failed | | controlplane.livenessProbe.timeoutSeconds | int | `5` | number of seconds after which the probe times out | | controlplane.logging | string | `".level=INFO\norg.eclipse.edc.level=ALL\nhandlers=java.util.logging.ConsoleHandler\njava.util.logging.ConsoleHandler.formatter=java.util.logging.SimpleFormatter\njava.util.logging.ConsoleHandler.level=ALL\njava.util.logging.SimpleFormatter.format=[%1$tY-%1$tm-%1$td %1$tH:%1$tM:%1$tS] [%4$-7s] %5$s%6$s%n"` | configuration of the [Java Util Logging Facade](https://docs.oracle.com/javase/7/docs/technotes/guides/logging/overview.html) | -| controlplane.nodeSelector | object | `{}` | | +| controlplane.nodeSelector | object | `{}` | [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes | | controlplane.opentelemetry | string | `"otel.javaagent.enabled=false\notel.javaagent.debug=false"` | configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics | | controlplane.podAnnotations | object | `{}` | additional annotations for the pod | | controlplane.podLabels | object | `{}` | additional labels for the pod | 
@@ -145,24 +142,27 @@ helm install my-release tractusx-edc/tractusx-connector --version 0.7.2 \ | controlplane.readinessProbe.successThreshold | int | `1` | number of consecutive successes for the probe to be considered successful after having failed | | controlplane.readinessProbe.timeoutSeconds | int | `5` | number of seconds after which the probe times out | | controlplane.replicaCount | int | `1` | | -| controlplane.requests.cpu | string | `"500m"` | | -| controlplane.requests.memory | string | `"128Mi"` | | -| controlplane.resources | object | `{}` | [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container | +| controlplane.resources | object | `{"limits":{"cpu":1.5,"memory":"1024Mi"},"requests":{"cpu":"500m","memory":"1024Mi"}}` | [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container | +| controlplane.resources.limits.cpu | float | `1.5` | Maximum CPU limit | +| controlplane.resources.limits.memory | string | `"1024Mi"` | Maximum memory limit | +| controlplane.resources.requests.cpu | string | `"500m"` | Initial CPU request | +| controlplane.resources.requests.memory | string | `"1024Mi"` | Initial memory request | | controlplane.securityContext.allowPrivilegeEscalation | bool | `false` | Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID | | controlplane.securityContext.capabilities.add | list | `[]` | Specifies which capabilities to add to issue specialized syscalls | | controlplane.securityContext.capabilities.drop | list | `["ALL"]` | Specifies which capabilities to drop to reduce syscall attack surface | | controlplane.securityContext.readOnlyRootFilesystem | bool | `true` | Whether the root filesystem is mounted in read-only mode | | controlplane.securityContext.runAsNonRoot | bool | `true` | Requires 
the container to run without root privileges | | controlplane.securityContext.runAsUser | int | `10001` | The container's process will run with the specified uid | -| controlplane.service.annotations | object | `{}` | | +| controlplane.service.annotations | object | `{}` | additional annotations for the service | +| controlplane.service.labels | object | `{}` | additional labels for the service | | controlplane.service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. | -| controlplane.tolerations | list | `[]` | | +| controlplane.tolerations | list | `[]` | [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes | | controlplane.url.protocol | string | `""` | Explicitly declared url for reaching the dsp api (e.g. if ingresses not used) | | controlplane.volumeMounts | string | `nil` | declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container | | controlplane.volumes | string | `nil` | [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories | | customCaCerts | object | `{}` | Add custom ca certificates to the truststore | -| customLabels | object | `{}` | To add some custom labels | -| dataplane.affinity | object | `{}` | | +| customLabels | object | `{}` | Add some custom labels | +| dataplane.affinity | object | `{}` | [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on | | dataplane.autoscaling.enabled | bool | `false` | Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) | | dataplane.autoscaling.maxReplicas | int | 
`100` | Maximum replicas if resource consumption exceeds resource threshholds | | dataplane.autoscaling.minReplicas | int | `1` | Minimal replicas if resource consumption falls below resource threshholds | 
@@ -171,24 +171,29 @@ helm install my-release tractusx-edc/tractusx-connector --version 0.7.2 \ | dataplane.aws.accessKeyId | string | `""` | | | dataplane.aws.endpointOverride | string | `""` | | | dataplane.aws.secretAccessKey | string | `""` | | -| dataplane.debug.enabled | bool | `false` | | -| dataplane.debug.port | int | `1044` | | -| dataplane.debug.suspendOnStart | bool | `false` | | -| dataplane.endpoints.control.path | string | `"/api/control"` | | -| dataplane.endpoints.control.port | int | `8084` | | -| dataplane.endpoints.default.path | string | `"/api"` | | -| dataplane.endpoints.default.port | int | `8080` | | -| dataplane.endpoints.metrics.path | string | `"/metrics"` | | -| dataplane.endpoints.metrics.port | int | `9090` | | -| dataplane.endpoints.proxy.authKey | string | `"password"` | | -| dataplane.endpoints.proxy.path | string | `"/proxy"` | | -| dataplane.endpoints.proxy.port | int | `8186` | | -| dataplane.endpoints.public.path | string | `"/api/public"` | | -| dataplane.endpoints.public.port | int | `8081` | | -| dataplane.env | object | `{}` | | -| dataplane.envConfigMapNames | list | `[]` | | -| dataplane.envSecretNames | list | `[]` | | -| dataplane.envValueFrom | object | `{}` | | +| dataplane.debug.enabled | bool | `false` | Enables java debugging mode. | +| dataplane.debug.port | int | `1044` | Port where the debuggee can connect to. | +| dataplane.debug.suspendOnStart | bool | `false` | Defines if the JVM should wait with starting the application until someone connected to the debugging port. | +| dataplane.endpoints | object | `{"control":{"path":"/api/control","port":8084},"default":{"path":"/api","port":8080},"metrics":{"path":"/metrics","port":9090},"proxy":{"authKey":"password","path":"/proxy","port":8186},"public":{"path":"/api/public","port":8081}}` | endpoints of the dataplane | +| dataplane.endpoints.control | object | `{"path":"/api/control","port":8084}` | control api, used for internal control calls. 
can be added to the internal ingress, but should probably not | +| dataplane.endpoints.control.path | string | `"/api/control"` | path for incoming api calls | +| dataplane.endpoints.control.port | int | `8084` | port for incoming api calls | +| dataplane.endpoints.default | object | `{"path":"/api","port":8080}` | default api for health checks, should not be added to any ingress | +| dataplane.endpoints.default.path | string | `"/api"` | path for incoming api calls | +| dataplane.endpoints.default.port | int | `8080` | port for incoming api calls | +| dataplane.endpoints.metrics | object | `{"path":"/metrics","port":9090}` | metrics api, used for application metrics, must not be internet facing | +| dataplane.endpoints.metrics.path | string | `"/metrics"` | path for incoming api calls | +| dataplane.endpoints.metrics.port | int | `9090` | port for incoming api calls | +| dataplane.endpoints.proxy.authKey | string | `"password"` | authentication key, must be attached to each request as `X-Api-Key` header | +| dataplane.endpoints.proxy.path | string | `"/proxy"` | path for incoming api calls | +| dataplane.endpoints.proxy.port | int | `8186` | port for incoming api calls | +| dataplane.endpoints.public | object | `{"path":"/api/public","port":8081}` | public endpoint where the data can be fetched from if HttpPull was used. Must be internet facing. 
| +| dataplane.endpoints.public.path | string | `"/api/public"` | path for incoming api calls | +| dataplane.endpoints.public.port | int | `8081` | port for incoming api calls | +| dataplane.env | object | `{}` | Extra environment variables that will be pass onto deployment pods | +| dataplane.envConfigMapNames | list | `[]` | [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from | +| dataplane.envSecretNames | list | `[]` | [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from | +| dataplane.envValueFrom | object | `{}` | "valueFrom" environment variable references that will be added to deployment pods. Name is templated. ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core | | dataplane.image.pullPolicy | string | `"IfNotPresent"` | [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use | | dataplane.image.repository | string | `""` | Which derivate of the data plane to use. when left empty the deployment will select the correct image automatically | | dataplane.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion | 
@@ -203,8 +208,6 @@ helm install my-release tractusx-edc/tractusx-connector --version 0.7.2 \ | dataplane.ingresses[0].tls.enabled | bool | `false` | Enables TLS on the ingress resource | | dataplane.ingresses[0].tls.secretName | string | `""` | If present overwrites the default secret name | | dataplane.initContainers | list | `[]` | | -| dataplane.limits.cpu | float | `1.5` | | -| dataplane.limits.memory | string | `"1024Mi"` | | | dataplane.livenessProbe.enabled | bool | `true` | Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) | | dataplane.livenessProbe.failureThreshold | int | `6` | when a probe fails kubernetes will try 6 times before giving up | | dataplane.livenessProbe.initialDelaySeconds | int | `30` | seconds to wait before performing the first liveness check | 
@@ -212,7 +215,7 @@ helm install my-release tractusx-edc/tractusx-connector --version 0.7.2 \ | dataplane.livenessProbe.successThreshold | int | `1` | number of consecutive successes for the probe to be considered successful after having failed | | dataplane.livenessProbe.timeoutSeconds | int | `5` | number of seconds after which the probe times out | | dataplane.logging | string | `".level=INFO\norg.eclipse.edc.level=ALL\nhandlers=java.util.logging.ConsoleHandler\njava.util.logging.ConsoleHandler.formatter=java.util.logging.SimpleFormatter\njava.util.logging.ConsoleHandler.level=ALL\njava.util.logging.SimpleFormatter.format=[%1$tY-%1$tm-%1$td %1$tH:%1$tM:%1$tS] [%4$-7s] %5$s%6$s%n"` | configuration of the [Java Util Logging Facade](https://docs.oracle.com/javase/7/docs/technotes/guides/logging/overview.html) | -| dataplane.nodeSelector | object | `{}` | | +| dataplane.nodeSelector | object | `{}` | [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes | | dataplane.opentelemetry | string | `"otel.javaagent.enabled=false\notel.javaagent.debug=false"` | configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics | | dataplane.podAnnotations | object | `{}` | additional annotations for the pod | | dataplane.podLabels | object | `{}` | additional labels for the pod | 
@@ -228,36 +231,40 @@ helm install my-release tractusx-edc/tractusx-connector --version 0.7.2 \ | dataplane.readinessProbe.successThreshold | int | `1` | number of consecutive successes for the probe to be considered successful after having failed | | dataplane.readinessProbe.timeoutSeconds | int | `5` | number of seconds after which the probe times out | | dataplane.replicaCount | int | `1` | | -| dataplane.requests.cpu | string | `"500m"` | | -| dataplane.requests.memory | string | `"128Mi"` | | -| dataplane.resources | object | `{}` | [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container | +| dataplane.resources | object | `{"limits":{"cpu":1.5,"memory":"1024Mi"},"requests":{"cpu":"500m","memory":"1024Mi"}}` | [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container | +| dataplane.resources.limits.cpu | float | `1.5` | Maximum CPU limit | +| dataplane.resources.limits.memory | string | `"1024Mi"` | Maximum memory limit | +| dataplane.resources.requests.cpu | string | `"500m"` | Initial CPU request | +| dataplane.resources.requests.memory | string | `"1024Mi"` | Initial memory request | +| dataplane.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"add":[],"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":10001}` | The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod | | dataplane.securityContext.allowPrivilegeEscalation | bool | `false` | Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID | | dataplane.securityContext.capabilities.add | list | `[]` | Specifies which capabilities to add to 
issue specialized syscalls | | dataplane.securityContext.capabilities.drop | list | `["ALL"]` | Specifies which capabilities to drop to reduce syscall attack surface | | dataplane.securityContext.readOnlyRootFilesystem | bool | `true` | Whether the root filesystem is mounted in read-only mode | | dataplane.securityContext.runAsNonRoot | bool | `true` | Requires the container to run without root privileges | | dataplane.securityContext.runAsUser | int | `10001` | The container's process will run with the specified uid | -| dataplane.service.port | int | `80` | | +| dataplane.service.annotations | object | `{}` | additional annotations for the service | +| dataplane.service.labels | object | `{}` | additional labels for the service | | dataplane.service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. | -| dataplane.token.refresh.expiry_seconds | int | `300` | | -| dataplane.token.refresh.expiry_tolerance_seconds | int | `10` | | -| dataplane.token.refresh.refresh_endpoint | string | `nil` | | -| dataplane.token.signer.privatekey_alias | string | `nil` | | -| dataplane.token.verifier.publickey_alias | string | `nil` | | -| dataplane.tolerations | list | `[]` | | +| dataplane.token.refresh.expiry_seconds | int | `300` | TTL in seconds for access tokens (also known as EDR token) | +| dataplane.token.refresh.expiry_tolerance_seconds | int | `10` | Tolerance for token expiry in seconds | +| dataplane.token.refresh.refresh_endpoint | string | `nil` | Optional endpoint for an OAuth2 token refresh. 
Default endpoint is `/token` | +| dataplane.token.signer.privatekey_alias | string | `nil` | Alias under which the private key (JWK or PEM format) is stored in the vault | +| dataplane.token.verifier.publickey_alias | string | `nil` | Alias under which the public key (JWK or PEM format) is stored in the vault, that belongs to the private key which was referred to at `dataplane.token.signer.privatekey_alias` | +| dataplane.tolerations | list | `[]` | [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes | | dataplane.url.public | string | `""` | Explicitly declared url for reaching the public api (e.g. if ingresses not used) | | dataplane.volumeMounts | string | `nil` | declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container | | dataplane.volumes | string | `nil` | [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories | | fullnameOverride | string | `""` | | -| iatp.id | string | `"did:web:changeme"` | | -| iatp.sts.dim.url | string | `nil` | | -| iatp.sts.oauth.client.id | string | `nil` | | -| iatp.sts.oauth.client.secret_alias | string | `nil` | | -| iatp.sts.oauth.token_url | string | `nil` | | +| iatp.id | string | `"did:web:changeme"` | Decentralized IDentifier (DID) of the connector | +| iatp.sts.dim.url | string | `nil` | URL where connectors can request SI tokens | +| iatp.sts.oauth.client.id | string | `nil` | Client ID for requesting OAuth2 access token for DIM access | +| iatp.sts.oauth.client.secret_alias | string | `nil` | Alias under which the client secret is stored in the vault for requesting OAuth2 access token for DIM access | +| iatp.sts.oauth.token_url | string | `nil` | URL where connectors can request OAuth2 access tokens for DIM access | | iatp.trustedIssuers | list | `[]` | Configures the trusted issuers for this runtime | | imagePullSecrets | list | `[]` | Existing image pull secret to use to [obtain the 
container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) | -| install.postgresql | bool | `true` | | -| install.vault | bool | `true` | | +| install.postgresql | bool | `true` | Deploying a PostgreSQL instance | +| install.vault | bool | `true` | Deploying a HashiCorp Vault instance | | nameOverride | string | `""` | | | networkPolicy.controlplane | object | `{"from":[{"namespaceSelector":{}}]}` | Configuration of the controlplane component | | networkPolicy.controlplane.from | list | `[{"namespaceSelector":{}}]` | Specify from rule network policy for cp (defaults to all namespaces) | 
@@ -271,10 +278,10 @@ helm install my-release tractusx-edc/tractusx-connector --version 0.7.2 \ | postgresql.jdbcUrl | string | `"jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc"` | | | postgresql.primary.persistence.enabled | bool | `false` | | | postgresql.readReplicas.persistence.enabled | bool | `false` | | -| serviceAccount.annotations | object | `{}` | | -| serviceAccount.create | bool | `true` | | +| serviceAccount.annotations | object | `{}` | Annotations to add to the service account | +| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | | serviceAccount.imagePullSecrets | list | `[]` | Existing image pull secret bound to the service account to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) | -| serviceAccount.name | string | `""` | | +| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | | tests | object | `{"hookDeletePolicy":"before-hook-creation,hook-succeeded"}` | Configurations for Helm tests | | tests.hookDeletePolicy | string | `"before-hook-creation,hook-succeeded"` | Configure the hook-delete-policy for Helm tests | | vault.hashicorp.healthCheck.enabled | bool | `true` | | 
@@ -285,11 +292,9 @@ helm install my-release tractusx-edc/tractusx-connector --version 0.7.2 \ | vault.hashicorp.token | string | `"root"` | | | vault.hashicorp.url | string | `"http://{{ .Release.Name }}-vault:8200"` | | | vault.injector.enabled | bool | `false` | | -| vault.secretNames.transferProxyTokenSignerPrivateKey | string | `nil` | | -| vault.secretNames.transferProxyTokenSignerPublicKey | string | `nil` | | | vault.server.dev.devRootToken | string | `"root"` | | | vault.server.dev.enabled | bool | `true` | | | vault.server.postStart | string | `nil` | | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.10.0](https://github.com/norwoodj/helm-docs/releases/v1.10.0) +Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs/) diff --git a/charts/tractusx-connector/README.md.gotmpl b/charts/tractusx-connector/README.md.gotmpl index 05b0f0f93..de3ef9149 100644 --- a/charts/tractusx-connector/README.md.gotmpl +++ b/charts/tractusx-connector/README.md.gotmpl @@ -56,4 +56,5 @@ helm install my-release tractusx-edc/tractusx-connector --version {{ .Version }} {{ template "chart.valuesSection" . }} -{{ template "helm-docs.versionFooter" . }} +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs/) diff --git a/charts/tractusx-connector/templates/deployment-controlplane.yaml b/charts/tractusx-connector/templates/deployment-controlplane.yaml index fb7450841..9cf9e6c4b 100644 --- a/charts/tractusx-connector/templates/deployment-controlplane.yaml +++ b/charts/tractusx-connector/templates/deployment-controlplane.yaml 
@@ -273,7 +273,7 @@ spec: ## IATP / STS / DIM CONFIG ## ############################# - name: "EDC_IAM_STS_OAUTH_TOKEN_URL" - value: {{ .Values.iatp.sts.oauth.token_url | required ".Values.iatp.oauth.token_url is required" | quote}} + value: {{ .Values.iatp.sts.oauth.token_url | required ".Values.iatp.sts.oauth.token_url is required" | quote}} - name: "EDC_IAM_STS_OAUTH_CLIENT_ID" value: {{ .Values.iatp.sts.oauth.client.id | required ".Values.iatp.sts.oauth.client.id is required" | quote}} - name: "EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS" @@ -290,10 +290,8 @@ spec: ## BDRS CLIENT ## ################# - {{- if .Values.controlplane.bdrs.server.url }} - name: "TX_IAM_IATP_BDRS_SERVER_URL" value: {{ .Values.controlplane.bdrs.server.url | required ".Values.controlplane.bdrs.server.url is required" | quote }} - {{- end }} {{- if .Values.controlplane.bdrs.cache_validity_seconds }} - name: "TX_IAM_IATP_BDRS_CACHE_VALIDITY" value: {{ .Values.controlplane.bdrs.cache_validity_seconds | quote}} @@ -319,12 +317,6 @@ spec: - name: "EDC_VAULT_HASHICORP_API_HEALTH_CHECK_PATH" value: {{ .Values.vault.hashicorp.paths.health | quote }} - ########################### - ## BUSINESS PARTNER NUMBER VALIDATION EXTENSION ## - ########################### - - name: "TRACTUSX_BUSINESSPARTNERVALIDATION_LOG_AGREEMENT_VALIDATION" - value: {{ .Values.controlplane.businessPartnerValidation.log.agreementValidation | quote }} - ###################################### ## Additional environment variables ## ###################################### diff --git a/charts/tractusx-connector/templates/deployment-dataplane.yaml b/charts/tractusx-connector/templates/deployment-dataplane.yaml index 48dbb24b7..d84c9fc83 100644 --- a/charts/tractusx-connector/templates/deployment-dataplane.yaml +++ b/charts/tractusx-connector/templates/deployment-dataplane.yaml 
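Review bot: Removing the `TRACTUSX_BUSINESSPARTNERVALIDATION_LOG_AGREEMENT_VALIDATION` env var in the third hunk means a `controlplane.businessPartnerValidation.log.agreementValidation` key still present in an operator's values file is now silently ignored instead of being rejected. A fail-fast guard at the spot where the block was removed keeps stale configuration from going unnoticed: `{{- if .Values.controlplane.businessPartnerValidation }}{{ fail "controlplane.businessPartnerValidation has been removed; drop it from your values" }}{{- end }}`. The second hunk is a real fix rather than a cleanup and deserves a changelog line: `required` wrapped in `{{- if .Values.controlplane.bdrs.server.url }}` could never fire, so an unset BDRS URL previously rendered a chart with no `TX_IAM_IATP_BDRS_SERVER_URL` at all, whereas it now fails at template time. The `{{- if .Values.controlplane.bdrs.cache_validity_seconds }}` guard that follows still treats `0` as unset; that is pre-existing, but if `0` is meant to disable caching it is worth a comment.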
@@ -210,7 +210,7 @@ spec:
## IATP / STS / DIM CONFIG ##
#############################
- name: "EDC_IAM_STS_OAUTH_TOKEN_URL"
- value: {{ .Values.iatp.sts.oauth.token_url | required ".Values.iatp.oauth.token_url is required" | quote}}
+ value: {{ .Values.iatp.sts.oauth.token_url | required ".Values.iatp.sts.oauth.token_url is required" | quote}}
- name: "EDC_IAM_STS_OAUTH_CLIENT_ID"
value: {{ .Values.iatp.sts.oauth.client.id | required ".Values.iatp.sts.oauth.client.id is required" | quote}}
- name: "EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS"
diff --git a/charts/tractusx-connector/templates/service-controlplane.yaml b/charts/tractusx-connector/templates/service-controlplane.yaml
index f39a69538..400a5d80c 100644
--- a/charts/tractusx-connector/templates/service-controlplane.yaml
+++ b/charts/tractusx-connector/templates/service-controlplane.yaml
@@ -1,8 +1,8 @@
#################################################################################
-# Copyright (c) 2023 ZF Friedrichshafen AG
+# Copyright (c) 2023.2024 ZF Friedrichshafen AG
# Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH
# Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
-# Copyright (c) 2021,2023 Contributors to the Eclipse Foundation
+# Copyright (c) 2021,2024 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
@@ -26,9 +26,16 @@ apiVersion: v1
kind: Service
metadata:
name: {{ include "txdc.fullname" . }}-controlplane
- namespace: {{ .Release.Namespace | default "default" | quote }}
+ namespace: {{ .Release.Namespace }}
+ {{- with .Values.controlplane.service.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
labels:
{{- include "txdc.controlplane.labels" . | nindent 4 }}
+ {{- with .Values.controlplane.service.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
spec:
type: {{ .Values.controlplane.service.type }}
ports:
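Review bot: The new `namespace: {{ .Release.Namespace }}` line in the service-controlplane hunk drops the `quote` the replaced line had, so the rendered value becomes an unquoted plain scalar; a namespace name is a DNS label and cannot currently look like a number or boolean, but quoting templated scalars costs nothing and keeps this template consistent with the other `| quote` values in the chart, so `namespace: {{ .Release.Namespace | quote }}` is preferable. Dropping `| default "default"` is safe, since Helm always populates `.Release.Namespace`. The `with … toYaml … nindent 4` pattern used for the new annotations and labels is the right indent-aware way to splice the maps in. Minor: the copyright hunk in this file reads `2023.2024` where the sibling files use `2023,2024`.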
diff --git a/charts/tractusx-connector/templates/service-dataplane.yaml b/charts/tractusx-connector/templates/service-dataplane.yaml
index 0f1fc5e8c..6b6e35a70 100644
--- a/charts/tractusx-connector/templates/service-dataplane.yaml
+++ b/charts/tractusx-connector/templates/service-dataplane.yaml
@@ -1,8 +1,8 @@
#################################################################################
-# Copyright (c) 2023 ZF Friedrichshafen AG
+# Copyright (c) 2023,2024 ZF Friedrichshafen AG
# Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH
# Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
-# Copyright (c) 2021,2023 Contributors to the Eclipse Foundation
+# Copyright (c) 2021,2024 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
@@ -26,9 +26,16 @@ apiVersion: v1
kind: Service
metadata:
name: {{ include "txdc.fullname" . }}-dataplane
- namespace: {{ .Release.Namespace | default "default" | quote }}
+ namespace: {{ .Release.Namespace }}
+ {{- with .Values.dataplane.service.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
labels:
{{- include "txdc.dataplane.labels" . | nindent 4 }}
+ {{- with .Values.dataplane.service.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
spec:
type: {{ .Values.dataplane.service.type }}
ports:
diff --git a/charts/tractusx-connector/values.yaml b/charts/tractusx-connector/values.yaml
index bbccfd65b..48e32fda8 100644
--- a/charts/tractusx-connector/values.yaml
+++ b/charts/tractusx-connector/values.yaml
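Review bot: The same `quote` drop applies to the dataplane Service: `namespace: {{ .Release.Namespace | quote }}` keeps the rendered scalar quoted as it was before this change. Separately, this commit removes `dataplane.service.port` (the `- port: 80` line in the values.yaml hunk for the dataplane `service` block), while the `ports:` stanza of this Service starts right after the hunk ends; if that stanza still references `.Values.dataplane.service.port` it will now render an empty port, so please confirm it was updated, as it is outside this hunk.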
@@ -1,8 +1,8 @@
#################################################################################
-# Copyright (c) 2023 ZF Friedrichshafen AG
+# Copyright (c) 2023,2024 ZF Friedrichshafen AG
# Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH
# Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
-# Copyright (c) 2021,2023 Contributors to the Eclipse Foundation
+# Copyright (c) 2021,2024 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
@@ -20,45 +20,53 @@ # SPDX-License-Identifier: Apache-2.0 ################################################################################# - --- # Default values for eclipse-dataspace-connector. # This is a YAML-formatted file. # Declare variables to be passed into your templates. install: + # -- Deploying a PostgreSQL instance postgresql: true + # -- Deploying a HashiCorp Vault instance vault: true + fullnameOverride: "" nameOverride: "" + # -- Existing image pull secret to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) imagePullSecrets: [] -# -- To add some custom labels +# -- Add some custom labels customLabels: {} participant: # -- BPN Number id: "BPNLCHANGEME" - iatp: - # Decentralized IDentifier + # -- Decentralized IDentifier (DID) of the connector id: "did:web:changeme" # -- Configures the trusted issuers for this runtime trustedIssuers: [] sts: dim: + # -- URL where connectors can request SI tokens url: oauth: + # -- URL where connectors can request OAuth2 access tokens for DIM access token_url: client: + # -- Client ID for requesting OAuth2 access token for DIM access id: + # -- Alias under which the client secret is stored in the vault for requesting OAuth2 access token for DIM access secret_alias: +# -- Add custom ca certificates to the truststore +customCaCerts: {} controlplane: image: - # -- Which derivate of the control plane to use. when left empty the deployment will select the correct image automatically + # -- Which derivate of the control plane to use. When left empty the deployment will select the correct image automatically repository: "" # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use pullPolicy: IfNotPresent 
@@ -66,9 +74,13 @@ controlplane: tag: "" initContainers: [] debug: + # -- Enables java debugging mode. enabled: false + # -- Port where the debuggee can connect to. port: 1044 + # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. suspendOnStart: false + livenessProbe: # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) enabled: true @@ -95,6 +107,7 @@ controlplane: failureThreshold: 6 # -- number of consecutive successes for the probe to be considered successful after having failed successThreshold: 1 + # -- endpoints of the control plane endpoints: # -- default api for health checks, should not be added to any ingress @@ -109,7 +122,7 @@ controlplane: port: 8081 # -- path for incoming api calls path: /management - # -- authentication key, must be attached to each 'X-Api-Key' request header + # -- authentication key, must be attached to each request as `X-Api-Key` header authKey: "password" # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not control: 
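Review bot: The reworded comment on `authKey: "password"` in the `-109,7 +122,7` hunk still documents a hard-coded default for the key that authenticates the management API (`path: /management` two lines above) without saying it must be replaced, and the same literal is the default for `dataplane.endpoints.proxy.authKey` later in this file. The values comment is where operators look, so append a line to the helm-docs description: `# The default is a placeholder and MUST be overridden for any deployment reachable beyond localhost; prefer injecting the key via envSecretNames/envValueFrom rather than storing it in values.` The enclosing `controlplane.endpoints` block continues outside the hunk.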
@@ -130,21 +143,21 @@ controlplane: # -- path for incoming api calls path: /metrics - businessPartnerValidation: - log: - agreementValidation: true - bdrs: - # time that a cached BPN/DID resolution map is valid in seconds, default is 10 min + # -- Time that a cached BPN/DID resolution map is valid in seconds, default is 600 seconds (10 min) cache_validity_seconds: 600 server: - # URL of the BPN/DID Resolution Service - required: + # -- URL of the BPN/DID Resolution Service url: service: # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. type: ClusterIP + # -- additional labels for the service + labels: {} + # -- additional annotations for the service annotations: {} + # -- additional labels for the pod podLabels: {} # -- additional annotations for the pod @@ -176,11 +189,12 @@ controlplane: runAsNonRoot: true # -- The container's process will run with the specified uid runAsUser: 10001 - # Extra environment variables that will be pass onto deployment pods + + # -- Extra environment variables that will be pass onto deployment pods env: {} # ENV_NAME: value - # "valueFrom" environment variable references that will be added to deployment pods. Name is templated. + # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core envValueFrom: {} # ENV_NAME: 
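Review bot: The new comment on `bdrs.server.url` drops the previous `# required:` note, yet the controlplane deployment template in this same commit now pipes the value through `required` unconditionally, so an unset URL fails rendering; the values file should say so rather than list a bare empty default. Suggest `# -- URL of the BPN/DID Resolution Service (required; chart rendering fails when unset)`. A bare `url:` also parses as `null`, which helm-docs then reports as `nil` in the README with no hint that it is mandatory. The `controlplane` mapping continues outside the hunk.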
@@ -191,12 +205,12 @@ controlplane: # name: secret-name # key: value_key - # [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from + # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from envSecretNames: [] # - first-secret # - second-secret - # [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from + # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from envConfigMapNames: [] # - first-config-map # - second-config-map 
@@ -250,23 +264,27 @@ controlplane: issuer: "" # -- If preset enables certificate generation via cert-manager cluster-wide issuer clusterIssuer: "" + # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container volumeMounts: # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories volumes: + # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container - resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - limits: - cpu: 1.5 - memory: 512Mi - requests: - cpu: 500m - memory: 128Mi + resources: + limits: + # -- Maximum CPU limit + cpu: 1.5 + # -- Maximum memory limit + memory: 1024Mi + requests: + # -- Initial CPU request + cpu: 500m + # -- Initial memory request + memory: 1024Mi + replicaCount: 1 + autoscaling: # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) enabled: false @@ -278,6 +296,7 @@ controlplane: targetCPUUtilizationPercentage: 80 # -- targetAverageUtilization of memory provided to a pod targetMemoryUtilizationPercentage: 80 + # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics opentelemetry: |- otel.javaagent.enabled=false 
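Review bot: The new `resources` defaults set memory request equal to limit (1024Mi) and raise the request from the previously listed 128Mi to 1Gi, which gives the control plane Guaranteed QoS for memory but also means it will not schedule on clusters that cannot reserve 1Gi per replica — the removed comment explicitly warned about this for environments such as Minikube, and that caveat should survive, e.g. `# -- [resource management](…) for the container; defaults reserve 1Gi memory per replica — lower them for constrained clusters`. Note that the old `limits:`/`requests:` keys sat beside `resources: {}` rather than under it (the README listed them as `controlplane.limits.*`), so whether any resources were applied before this change is not visible here; if they were not, this is a behaviour change worth a changelog line. Also `cpu: 1.5` is a YAML float while the request is the string `500m`; `cpu: 1500m` keeps both in the same quantity style. Whether 1Gi matches the JVM heap settings the image runs with is not visible here and worth confirming.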
@@ -290,19 +309,18 @@ controlplane: java.util.logging.ConsoleHandler.formatter=java.util.logging.SimpleFormatter java.util.logging.ConsoleHandler.level=ALL java.util.logging.SimpleFormatter.format=[%1$tY-%1$tm-%1$td %1$tH:%1$tM:%1$tS] [%4$-7s] %5$s%6$s%n - # [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes + + # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes nodeSelector: {} - # [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes + # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes tolerations: [] - # [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on + # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on affinity: {} + url: # -- Explicitly declared url for reaching the dsp api (e.g. if ingresses not used) protocol: "" -# -- Add custom ca certificates to the truststore -customCaCerts: {} - dataplane: image: # -- Which derivate of the data plane to use. when left empty the deployment will select the correct image automatically @@ -313,9 +331,13 @@ dataplane: tag: "" initContainers: [] debug: + # -- Enables java debugging mode. enabled: false + # -- Port where the debuggee can connect to. port: 1044 + # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. suspendOnStart: false + livenessProbe: # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) enabled: true 
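Review bot: `customCaCerts: {}` and its `# -- Add custom ca certificates to the truststore` entry are removed from the values file with no replacement visible in this hunk. If the templates still read `.Values.customCaCerts`, dropping the default only hides the setting from the helm-docs generated README; if the feature itself was removed, operators who relied on it lose their extra trust anchors silently, so the migration guide should say what to use instead (the hunk does not show which case applies). The `controlplane:` mapping continues above the hunk.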
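Review bot: The new `# -- Enables java debugging mode.` on `dataplane.debug.enabled` should warn what the flag exposes: the remote debug listener on `port: 1044` (presumably JDWP) accepts unauthenticated connections and lets any connected client load and run arbitrary code in the JVM, so it must stay `false` outside local development and the port must never be reachable through a Service or ingress. Suggest `# -- Enables the JVM remote debug agent. Development only: anyone who can reach the debug port gets code execution in the process; never enable it in shared or production clusters.` The `debug:` block is complete here, but the surrounding `dataplane:` mapping starts before the hunk.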
@@ -342,45 +364,69 @@ dataplane: failureThreshold: 6 # -- number of consecutive successes for the probe to be considered successful after having failed successThreshold: 1 + service: # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. type: ClusterIP - port: 80 + # -- additional labels for the service + labels: {} + # -- additional annotations for the service + annotations: {} + + # -- endpoints of the dataplane endpoints: + # -- default api for health checks, should not be added to any ingress default: + # -- port for incoming api calls port: 8080 + # -- path for incoming api calls path: /api + # -- public endpoint where the data can be fetched from if HttpPull was used. Must be internet facing. public: + # -- port for incoming api calls port: 8081 + # -- path for incoming api calls path: /api/public + # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not control: + # -- port for incoming api calls port: 8084 + # -- path for incoming api calls path: /api/control proxy: + # -- port for incoming api calls port: 8186 + # -- path for incoming api calls path: /proxy + # -- authentication key, must be attached to each request as `X-Api-Key` header authKey: "password" + # -- metrics api, used for application metrics, must not be internet facing metrics: + # -- port for incoming api calls port: 9090 + # -- path for incoming api calls path: /metrics token: refresh: + # -- TTL in seconds for access tokens (also known as EDR token) expiry_seconds: 300 + # -- Tolerance for token expiry in seconds expiry_tolerance_seconds: 10 - # optional URL that can be provided where clients go to refresh tokens. + # -- Optional endpoint for an OAuth2 token refresh. 
Default endpoint is `/token` refresh_endpoint: signer: - # alias under which the private key is stored in the vault (JWK or PEM format) + # -- Alias under which the private key (JWK or PEM format) is stored in the vault privatekey_alias: verifier: - # alias under which the public key is stored in the vault, that belongs to the private key ("privatekey_alias", JWK or PEM format) + # -- Alias under which the public key (JWK or PEM format) is stored in the vault, that belongs to the private key which was referred to at `dataplane.token.signer.privatekey_alias` publickey_alias: aws: endpointOverride: "" accessKeyId: "" secretAccessKey: "" + # -- additional labels for the pod podLabels: {} # -- additional annotations for the pod @@ -396,7 +442,7 @@ dataplane: runAsGroup: 10001 # -- The owner for volumes and any files created within volumes will belong to this guid fsGroup: 10001 - # The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod + # -- The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod securityContext: capabilities: # -- Specifies which capabilities to drop to reduce syscall attack surface 
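Review bot: The new `# -- authentication key, must be attached to each request as X-Api-Key header` sits above a committed default of `authKey: "password"`, so every install that does not override it ships the data-plane proxy endpoint behind a guessable shared secret, and a plain values entry is presumably rendered into the Deployment where anyone who can read the manifest sees it. Suggest `# -- API key the proxy expects in the X-Api-Key header. The shipped value is a placeholder and must be overridden, ideally sourced from a Secret via envSecretNames or envValueFrom.` Separately, `expiry_seconds: 300` is documented here as the token TTL while the migration table in this same diff lists `30` for `dataplane.token.refresh.expiry_seconds`, so one of the two is stale. The `control` endpoint comment `can be added to the internal ingress, but should probably not` is vague; state the intent, e.g. `# -- control api for internal control-plane/data-plane calls; keep it off every ingress`. The `dataplane:` mapping starts before the hunk.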
@@ -412,11 +458,12 @@ dataplane: runAsNonRoot: true # -- The container's process will run with the specified uid runAsUser: 10001 - # Extra environment variables that will be pass onto deployment pods + + # -- Extra environment variables that will be pass onto deployment pods env: {} # ENV_NAME: value - # "valueFrom" environment variable references that will be added to deployment pods. Name is templated. + # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core envValueFrom: {} # ENV_NAME: @@ -427,12 +474,12 @@ dataplane: # name: secret-name # key: value_key - # [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from + # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from envSecretNames: [] # - first-secret # - second-secret - # [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from + # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from envConfigMapNames: [] # - first-config-map # - second-config-map 
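Review bot: The rewritten comment `# -- Extra environment variables that will be pass onto deployment pods` carries the old grammar slip into the generated README; suggest `# -- Extra environment variables passed to the deployment pods. Values are presumably rendered in clear into the manifest, so use envSecretNames or envValueFrom for anything secret.` Now that these comments are the helm-docs source, this is the guidance operators will read, so the pointer to the Secret-backed alternatives is worth the extra sentence. The enclosing `dataplane:` mapping starts before the hunk.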
@@ -462,23 +509,27 @@ dataplane: issuer: "" # -- If preset enables certificate generation via cert-manager cluster-wide issuer clusterIssuer: "" + # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container volumeMounts: # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories volumes: + # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container - resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - limits: - cpu: 1.5 - memory: 1024Mi - requests: - cpu: 500m - memory: 128Mi + resources: + limits: + # -- Maximum CPU limit + cpu: 1.5 + # -- Maximum memory limit + memory: 1024Mi + requests: + # -- Initial CPU request + cpu: 500m + # -- Initial memory request + memory: 1024Mi + replicaCount: 1 + autoscaling: # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) enabled: false @@ -490,6 +541,7 @@ dataplane: targetCPUUtilizationPercentage: 80 # -- targetAverageUtilization of memory provided to a pod targetMemoryUtilizationPercentage: 80 + # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics opentelemetry: |- otel.javaagent.enabled=false 
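Review bot: `# -- Initial CPU request` / `# -- Initial memory request` describe a Kubernetes request as a starting value, whereas it is the amount reserved for scheduling for the container's whole lifetime; suggest `# -- CPU reserved for the container (scheduling request)` and `# -- Memory reserved for the container (scheduling request)`. The data plane's memory request also rises from the 128Mi of the removed example to 1024Mi, equal to its limit, so every data-plane replica now needs a full 1Gi reservable and gets Guaranteed QoS for memory; worth confirming that is intended and recording it in the migration guide. The enclosing `dataplane:` mapping starts before the hunk.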
@@ -502,15 +554,17 @@ dataplane: java.util.logging.ConsoleHandler.formatter=java.util.logging.SimpleFormatter java.util.logging.ConsoleHandler.level=ALL java.util.logging.SimpleFormatter.format=[%1$tY-%1$tm-%1$td %1$tH:%1$tM:%1$tS] [%4$-7s] %5$s%6$s%n - # [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes + + # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes nodeSelector: {} - # [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes + # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes tolerations: [] - # [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on + # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on affinity: {} url: # -- Explicitly declared url for reaching the public api (e.g. if ingresses not used) public: "" + postgresql: jdbcUrl: "jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc" primary: @@ -523,6 +577,7 @@ postgresql: database: "edc" username: "user" password: "password" + vault: injector: enabled: false @@ -541,9 +596,7 @@ vault: paths: secret: /v1/secret health: /v1/sys/health - secretNames: - transferProxyTokenSignerPrivateKey: - transferProxyTokenSignerPublicKey: + networkPolicy: # -- If `true` network policy will be created to restrict access to control- and dataplane enabled: false 
@@ -559,11 +612,11 @@ networkPolicy: - namespaceSelector: {} serviceAccount: - # Specifies whether a service account should be created + # -- Specifies whether a service account should be created create: true - # Annotations to add to the service account + # -- Annotations to add to the service account annotations: {} - # The name of the service account to use. + # -- The name of the service account to use. # If not set and create is true, a name is generated using the fullname template name: "" # -- Existing image pull secret bound to the service account to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) diff --git a/docs/migration/Version_0.5.x_0.7.x.md b/docs/migration/Version_0.5.x_0.7.x.md index 95c35aa18..18b7ab5d2 100644 --- a/docs/migration/Version_0.5.x_0.7.x.md +++ b/docs/migration/Version_0.5.x_0.7.x.md @@ -67,7 +67,6 @@ participant's control plane and data plane. | `dataplane.token.refresh.expiry_seconds` | `TX_EDC_DATAPLANE_TOKEN_EXPIRY` | | 30 | TTL for access tokens | | `dataplane.token.refresh.expiry_tolerance_seconds` | `TX_EDC_DATAPLANE_TOKEN_EXPIRY_TOLERANCE` | | 10 | tolerance for token expiry | | `dataplane.token.refresh.refresh_endpoint` | `TX_EDC_DATAPLANE_TOKEN_REFRESH_ENDPOINT` | | `/token` | endpoint for an OAuth2 token refresh request | -| `dataplane.token.refresh.refresh_endpoint` | `TX_EDC_DATAPLANE_TOKEN_REFRESH_ENDPOINT` | | `/token` | endpoint for an OAuth2 token refresh request | | `dataplane.token.signer.privatekey_alias` | `EDC_TRANSFER_PROXY_TOKEN_SIGNER_PRIVATEKEY_ALIAS` | x | | alias, under which the private key is stored in the vault | | `dataplane.token.verifier.publickey_alias` | `EDC_TRANSFER_PROXY_TOKEN_VERIFIER_PUBLICKEY_ALIAS` | x | | alias, under which the public key is stored in the vault | 
diff --git a/edc-tests/deployment/src/main/resources/helm/tractusx-connector-azure-vault-test.yaml b/edc-tests/deployment/src/main/resources/helm/tractusx-connector-azure-vault-test.yaml index d418ff985..deed97dce 100644 --- a/edc-tests/deployment/src/main/resources/helm/tractusx-connector-azure-vault-test.yaml +++ b/edc-tests/deployment/src/main/resources/helm/tractusx-connector-azure-vault-test.yaml @@ -84,13 +84,7 @@ vault: tenant: '' secret: certificate: - secretNames: - # this must be set through CLI args: --set vault.secrets=$YOUR_VAULT_SECRETS where YOUR_VAULT_SECRETS should - # be a string in the format "key1:secret1;key2:secret2;..." - secrets: server: postStart: -backendService: - httpProxyTokenReceiverUrl: "http://backend:8080" tests: hookDeletePolicy: before-hook-creation diff --git a/edc-tests/deployment/src/main/resources/helm/tractusx-connector-memory-test.yaml b/edc-tests/deployment/src/main/resources/helm/tractusx-connector-memory-test.yaml index 9032eab3a..2953caf29 100644 --- a/edc-tests/deployment/src/main/resources/helm/tractusx-connector-memory-test.yaml +++ b/edc-tests/deployment/src/main/resources/helm/tractusx-connector-memory-test.yaml @@ -55,10 +55,5 @@ runtime: privatekey_alias: "key-1" verifier: publickey_alias: "key-1" -vault: - secretNames: - secrets: -backendService: - httpProxyTokenReceiverUrl: "http://backend:8080" tests: hookDeletePolicy: before-hook-creation diff --git a/edc-tests/deployment/src/main/resources/helm/tractusx-connector-test.yaml b/edc-tests/deployment/src/main/resources/helm/tractusx-connector-test.yaml index 98f3e4993..410a656f4 100644 --- a/edc-tests/deployment/src/main/resources/helm/tractusx-connector-test.yaml +++ b/edc-tests/deployment/src/main/resources/helm/tractusx-connector-test.yaml 
@@ -36,15 +36,6 @@ iatp: id: "test-client-id" secret_alias: "test-alias" controlplane: - # the ssi object is still needed for the upgradeability test - # todo: remove this after 0.7.0 is released - ssi: - miw: - url: "http://localhost:8080" - authorityId: "authorityId" - oauth: - client: - secretAlias: "client-secret" service: type: NodePort endpoints: @@ -93,10 +84,6 @@ vault: hashicorp: url: http://{{ .Release.Name }}-vault:8200 token: root - secretNames: - # this must be set through CLI args: --set vault.secrets=$YOUR_VAULT_SECRETS where YOUR_VAULT_SECRETS should - # be a string in the format "key1:secret1;key2:secret2;..." - secrets: # the post-start object is still needed for the upgradeability test # todo: remove this after 0.7.0 is released @@ -112,7 +99,5 @@ vault: /bin/vault kv put secret/aes-keys content=YWVzX2VuY2tleV90ZXN0Cg== } -backendService: - httpProxyTokenReceiverUrl: "http://backend:8080" tests: hookDeletePolicy: before-hook-creation