PR fixes

bundle/Dockerfile

@@ -340,8 +340,8 @@ ENV HTTP_SNIPPET_SERVICE_PORT=9092
 ENV M2M_OAUTH_SERVER_PORT=9079
 ENV HTTP_M2M_OAUTH_SERVER_PORT=9080
 ENV GRPC_REFLECTION_PORT=9078
-ENV COAP_DEVICE_PROVISIONG_SERVICE_PORT=15684
-ENV HTTP_DEVICE_PROVISIONG_SERVICE_PORT=9093
+ENV COAP_DEVICE_PROVISIONING_SERVICE_PORT=15684
+ENV HTTP_DEVICE_PROVISIONING_SERVICE_PORT=9093
 
 # OAuth
 ENV DEVICE_PROVIDER=plgd

bundle/run.sh

@@ -29,8 +29,8 @@ export SNIPPET_SERVICE_HTTP_ADDRESS="localhost:${HTTP_SNIPPET_SERVICE_PORT}"
 export M2M_OAUTH_SERVER_ADDRESS="localhost:${M2M_OAUTH_SERVER_PORT}"
 export M2M_OAUTH_SERVER_HTTP_ADDRESS="localhost:${HTTP_M2M_OAUTH_SERVER_PORT}"
 export GRPC_REFLECTION_ADDRESS="localhost:${GRPC_REFLECTION_PORT}"
-export DEVICE_PROVISIONG_SERVICE_COAP_ADDRESS="localhost:${COAP_DEVICE_PROVISIONG_SERVICE_PORT}"
-export DEVICE_PROVISIONG_SERVICE_HTTP_ADDRESS="localhost:${HTTP_DEVICE_PROVISIONG_SERVICE_PORT}"
+export DEVICE_PROVISIONING_SERVICE_COAP_ADDRESS="localhost:${COAP_DEVICE_PROVISIONING_SERVICE_PORT}"
+export DEVICE_PROVISIONING_SERVICE_HTTP_ADDRESS="localhost:${HTTP_DEVICE_PROVISIONING_SERVICE_PORT}"
 
 export INTERNAL_CERT_DIR_PATH="$CERTIFICATES_PATH/internal"
 export GRPC_INTERNAL_CERT_NAME="endpoint.crt"
@@ -187,9 +187,9 @@ function copy_ca_pools() {
 
   while read -r line; do
     file=`echo $line | yq e '.[0]' - `
-    mkdir -p `dirname ${file}`
+    mkdir -p `dirname "${file}"`
     if [ "${OVERRIDE_FILES}" = "true" ] || [ ! -f "${file}" ]; then
-      cp $CA_POOL ${file}
+      cp $CA_POOL "${file}"
     fi
   done < <(yq e '[.. | select(has("caPool")) | .caPool]' "${CONFIG_FILE}" | sort | uniq)
 }
@@ -199,9 +199,9 @@ function copy_certificates() {
 
   while read -r line; do
     file=`echo $line | yq e '.[0]' - `
-    mkdir -p `dirname ${file}`
+    mkdir -p `dirname "${file}"`
     if [ "${OVERRIDE_FILES}" = "true" ] || [ ! -f "${file}" ]; then
-      cp $CERT_FILE ${file}
+      cp $CERT_FILE "${file}"
     fi
   done < <(yq e '[.. | select(has("certFile")) | .certFile]' "${CONFIG_FILE}" | sort | uniq)
 }
@@ -211,9 +211,9 @@ function copy_private_keys() {
 
   while read -r line; do
     file=`echo $line | yq e '.[0]' - `
-    mkdir -p `dirname ${file}`
+    mkdir -p `dirname "${file}"`
     if [ "${OVERRIDE_FILES}" = "true" ] || [ ! -f "${file}" ]; then
-      cp $KEY_FILE ${file}
+      cp $KEY_FILE "${file}"
     fi
   done < <(yq e '[.. | select(has("keyFile")) | .keyFile]' "${CONFIG_FILE}" | sort | uniq)
 }
@@ -285,7 +285,7 @@ if [ "${OVERRIDE_FILES}" = "true" ] || [ ! -f "${NGINX_PATH}/nginx.conf" ]; then
   sed -i "s/REPLACE_M2M_OAUTH_SERVER_PORT/$M2M_OAUTH_SERVER_PORT/g" ${NGINX_PATH}/nginx.conf
   sed -i "s/REPLACE_HTTP_M2M_OAUTH_SERVER_PORT/$HTTP_M2M_OAUTH_SERVER_PORT/g" ${NGINX_PATH}/nginx.conf
   sed -i "s/REPLACE_GRPC_REFLECTION_PORT/$GRPC_REFLECTION_PORT/g" ${NGINX_PATH}/nginx.conf
-  sed -i "s/REPLACE_HTTP_DEVICE_PROVISIONG_SERVICE_PORT/$HTTP_DEVICE_PROVISIONG_SERVICE_PORT/g" ${NGINX_PATH}/nginx.conf
+  sed -i "s/REPLACE_HTTP_DEVICE_PROVISIONG_SERVICE_PORT/$HTTP_DEVICE_PROVISIONING_SERVICE_PORT/g" ${NGINX_PATH}/nginx.conf
 fi
 
 # nats
@@ -1197,9 +1197,9 @@ cat /configs/device-provisioning-service.yaml |
   yq e '.apis.http.authorization.endpoints += [.apis.http.authorization.endpoints[0]]' |
   yq e "\
   .log.level = \"${LOG_LEVEL}\" |
-  .apis.coap.address = \"${DEVICE_PROVISIONG_SERVICE_COAP_ADDRESS}\" |
+  .apis.coap.address = \"${DEVICE_PROVISIONING_SERVICE_COAP_ADDRESS}\" |
   .apis.http.enabled = true |
-  .apis.http.address = \"${DEVICE_PROVISIONG_SERVICE_HTTP_ADDRESS}\" |
+  .apis.http.address = \"${DEVICE_PROVISIONING_SERVICE_HTTP_ADDRESS}\" |
   .apis.http.authorization.ownerClaim = \"${OWNER_CLAIM}\" |
   .apis.http.authorization.endpoints[0].http.tls.useSystemCAPool = true |
   .apis.http.authorization.endpoints[0].authority = \"https://${OAUTH_ENDPOINT}\" |
@@ -1229,10 +1229,10 @@ fi
 i=0
 while true; do
   i=$((i+1))
-  if openssl s_client -connect ${DEVICE_PROVISIONG_SERVICE_HTTP_ADDRESS} -cert ${INTERNAL_CERT_DIR_PATH}/${GRPC_INTERNAL_CERT_NAME} -key ${INTERNAL_CERT_DIR_PATH}/${GRPC_INTERNAL_CERT_KEY_NAME} <<< "Q" 2>/dev/null > /dev/null; then
+  if openssl s_client -connect ${DEVICE_PROVISIONING_SERVICE_HTTP_ADDRESS} -cert ${INTERNAL_CERT_DIR_PATH}/${GRPC_INTERNAL_CERT_NAME} -key ${INTERNAL_CERT_DIR_PATH}/${GRPC_INTERNAL_CERT_KEY_NAME} <<< "Q" 2>/dev/null > /dev/null; then
     break
   fi
-  echo "Try to reconnect to device-provisioning-service(${DEVICE_PROVISIONG_SERVICE_HTTP_ADDRESS}) $i"
+  echo "Try to reconnect to device-provisioning-service(${DEVICE_PROVISIONING_SERVICE_HTTP_ADDRESS}) $i"
   sleep 1
 done
 

charts/plgd-hub/templates/device-provisioning-service/client-crt.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.deviceProvisioningService.enabled }}
 {{- $clientCertName := include "plgd-hub.deviceProvisioningService.clientCertName" . }}
 {{- if and $clientCertName .Values.certmanager.enabled }}
 apiVersion: cert-manager.io/v1
@@ -29,3 +30,4 @@ spec:
     kind: {{ .Values.certmanager.internal.issuer.kind | default .Values.certmanager.default.issuer.kind }}
     group: {{ .Values.certmanager.internal.issuer.group | default .Values.certmanager.default.issuer.group }}
 {{- end }}
+{{- end }}

charts/plgd-hub/templates/device-provisioning-service/config.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.deviceProvisioningService.enabled }}
 {{- $cert := include "plgd-hub.deviceProvisioningService.serviceCertificateMountPath" . }}
 {{- $clientCert := "/certs/client" }}
 apiVersion: v1
@@ -238,3 +239,4 @@ data:
         {{- end }}
       {{- end }}
     {{- end }}
+{{- end }}

charts/plgd-hub/templates/device-provisioning-service/deployment.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.deviceProvisioningService.enabled }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -211,3 +212,4 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+{{- end }}

charts/plgd-hub/templates/device-provisioning-service/dockerconfig-secret.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.deviceProvisioningService.image.dockerConfigSecret }}
+{{- if and .Values.deviceProvisioningService.enabled .Values.deviceProvisioningService.image.dockerConfigSecret }}
 apiVersion: v1
 kind: Secret
 metadata:

charts/plgd-hub/templates/device-provisioning-service/domain-crt.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.deviceProvisioningService.apis.http.enabled .Values.deviceProvisioningService.ingress.enabled (not .Values.deviceProvisioningService.ingress.domainCertName) }}
+{{- if and .Values.deviceProvisioningService.enabled .Values.deviceProvisioningService.apis.http.enabled .Values.deviceProvisioningService.ingress.enabled (not .Values.deviceProvisioningService.ingress.domainCertName) }}
 {{- $domainCertName := include "plgd-hub.deviceProvisioningService.domainCertName" . }}
 apiVersion: cert-manager.io/v1
 kind: Certificate

charts/plgd-hub/templates/device-provisioning-service/hub-ca-secrets.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.deviceProvisioningService.enabled }}
 {{- range $.Values.deviceProvisioningService.enrollmentGroups }}
 {{- if .hub }}{{ if .hub.caPool }}
 apiVersion: v1
@@ -14,3 +15,4 @@ data:
 ---
 {{- end }}{{ end }}
 {{- end }}
+{{- end }}

charts/plgd-hub/templates/device-provisioning-service/hub-oauth-secrets.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.deviceProvisioningService.enabled }}
 {{- range $.Values.deviceProvisioningService.enrollmentGroups }}
 {{- if .hub }}{{ if .hub.authorization }}{{ if .hub.authorization.provider }}{{ if .hub.authorization.provider.clientSecret }}
 apiVersion: v1
@@ -14,3 +15,4 @@ data:
 ---
 {{- end }}{{ end }}{{ end }}{{ end }}
 {{- end }}
+{{- end }}

charts/plgd-hub/templates/device-provisioning-service/hubs-ca-secrets.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.deviceProvisioningService.enabled }}
 {{- range $.Values.deviceProvisioningService.enrollmentGroups }}
 {{ $eg := . }}
 {{- if .hubs }}
@@ -17,3 +18,4 @@ data:
 ---
 {{- end }}{{ end }}{{ end }}
 {{- end }}
+{{- end }}

charts/plgd-hub/templates/device-provisioning-service/hubs-oauth-secrets.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.deviceProvisioningService.enabled }}
 {{- range $.Values.deviceProvisioningService.enrollmentGroups }}
 {{- $EG := . }}
 {{- if .hubs }}
@@ -18,4 +19,5 @@ data:
   clientsecret: {{ .authorization.provider.clientSecret | b64enc }}
 ---
 {{- end }}{{ end }}{{ end }}{{ end }}{{ end }}
-{{- end }}
+{{- end }}
+{{- end }}

charts/plgd-hub/templates/device-provisioning-service/ingress.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.deviceProvisioningService.apis.http.enabled .Values.deviceProvisioningService.ingress.enabled }}
+{{- if and .Values.deviceProvisioningService.enabled .Values.deviceProvisioningService.apis.http.enabled .Values.deviceProvisioningService.ingress.enabled }}
 {{- $fullname := include "plgd-hub.deviceProvisioningService.fullname" . }}
 {{- $port := .Values.deviceProvisioningService.apis.http.port }}
 apiVersion: networking.k8s.io/v1

charts/plgd-hub/templates/device-provisioning-service/psk-secrets.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.deviceProvisioningService.enabled }}
 {{- range $.Values.deviceProvisioningService.enrollmentGroups }}
 {{- if .preSharedKey }}
 apiVersion: v1
@@ -13,3 +14,4 @@ data:
 ---
 {{- end }}
 {{- end }}
+{{- end }}

charts/plgd-hub/templates/device-provisioning-service/role.yaml

@@ -1,3 +1,3 @@
-{{- if .Values.deviceProvisioningService.rbac.roleBindingDefinitionTpl }}
+{{- if and .Values.deviceProvisioningService.enabled .Values.deviceProvisioningService.rbac.roleBindingDefinitionTpl }}
 {{- tpl .Values.deviceProvisioningService.rbac.roleBindingDefinitionTpl $ }}
 {{- end }}

charts/plgd-hub/templates/device-provisioning-service/service-account.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.deviceProvisioningService.rbac.enabled }}
+{{- if and .Values.deviceProvisioningService.enabled .Values.deviceProvisioningService.rbac.enabled }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:

charts/plgd-hub/templates/device-provisioning-service/service-crt.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.deviceProvisioningService.enabled }}
 {{- $serviceCertName := include "plgd-hub.deviceProvisioningService.serviceCertName" . }}
 {{- $serviceDns := include "plgd-hub.deviceProvisioningService.fullname" . }}
 {{- $serviceCertificate := .Values.deviceProvisioningService.service.certificate -}}
@@ -48,3 +49,4 @@ spec:
     name: {{ $serviceIssuer.name | default ( $.Values.certmanager.coap.issuer.name  | default $.Values.certmanager.default.issuer.name ) }}
     kind: {{ $serviceIssuer.kind | default ( $.Values.certmanager.coap.issuer.kind  | default $.Values.certmanager.default.issuer.kind ) }}
     group: {{ $serviceIssuer.group | default ( $.Values.certmanager.coap.issuer.group  | default $.Values.certmanager.default.issuer.group ) }}
+{{- end }}

charts/plgd-hub/templates/device-provisioning-service/service-http.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.deviceProvisioningService.apis.http.enabled }}
+{{- if and .Values.deviceProvisioningService.enabled .Values.deviceProvisioningService.apis.http.enabled }}
 {{- $serviceType := .Values.deviceProvisioningService.service.http.type | default "ClusterIP" }}
 apiVersion: v1
 kind: Service
@@ -23,4 +23,4 @@ spec:
       name: {{ .Values.deviceProvisioningService.service.http.name }}
   selector:
   {{- include "plgd-hub.deviceProvisioningService.selectorLabels" . | nindent 4 }}
-  {{- end }}
+{{- end }}

charts/plgd-hub/templates/device-provisioning-service/service-tcp.yaml

@@ -1,4 +1,4 @@
-{{- if has "tcp" .Values.deviceProvisioningService.apis.coap.protocols -}}
+{{- if and .Values.deviceProvisioningService.enabled (has "tcp" .Values.deviceProvisioningService.apis.coap.protocols) -}}
 {{- $tcpServiceType := "" }}
 {{- $tcpNodePort := "" }}
 {{- if (has "tcp" .Values.deviceProvisioningService.apis.coap.protocols) -}}

charts/plgd-hub/templates/device-provisioning-service/service-udp.yaml

@@ -1,4 +1,4 @@
-{{- if has "udp" .Values.deviceProvisioningService.apis.coap.protocols -}}
+{{- if and .Values.deviceProvisioningService.enabled (has "udp" .Values.deviceProvisioningService.apis.coap.protocols) -}}
 {{- $tcpServiceType := "" }}
 {{- $tcpNodePort := "" }}
 {{- if (has "tcp" .Values.deviceProvisioningService.apis.coap.protocols) -}}

charts/plgd-hub/templates/device-provisioning-service/x509-chain-secrets.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.deviceProvisioningService.enabled }}
 {{- range $.Values.deviceProvisioningService.enrollmentGroups }}
 {{- if .attestationMechanism }}{{ if .attestationMechanism.x509 }}{{ if .attestationMechanism.x509.certificateChain }}
 apiVersion: v1
@@ -13,3 +14,4 @@ data:
 ---
 {{- end }}{{ end }}{{ end }}
 {{- end }}
+{{- end }}

charts/plgd-hub/values.yaml

@@ -3129,7 +3129,7 @@ deviceProvisioningService:
     # -- Service type
     type: LoadBalancer
     # -- Use nodePort, if specified, for one of the protocols. If both protocols are enabled, nodePort needs to be configured directly in the service to mutually different ports.
-    nodePort: 5684
+    nodePort: 15684
     tcp:
       # -- Service type
       type:

device-provisioning-service/README.md

@@ -34,7 +34,7 @@ A configuration template is available on [config.yaml](https://github.com/plgd-d
 | `log.encoding` | string | `Logging format. The supported values are: "json", "console"` | `"json"` |
 | `log.stacktrace.enabled` | bool | `Log stacktrace.` | `"false` |
 | `log.stacktrace.level` | string | `Stacktrace from level.` | `"warn` |
-| `log.encoderConfig.timeEncoder` | string | `Time format for logs. The supported values are: "rfc3339nano", "rfc3339".` | `"rfc3339nano` |
+| `log.encoderConfig.timeEncoder` | string | `Time format for logs. The supported values are: "rfc3339nano", "rfc3339".` | `"rfc3339nano"` |
 
 ### CoAP API
 
@@ -153,7 +153,7 @@ OAuth2.0 Client is used to obtain JWT with ownerClaim an deviceIDClaim via the c
 | ---------- | -------- | -------------- | ------- |
 | `enrollmentGroups.[].hub.authorization.ownerClaim` | string | `Claim used to identify owner of the device. If configured, your OAuth2.0 server has to set the owner id to the token as configured. OwnerClaim with sub is not supported. Custom owner claim needs to be configured also on the plgd hub instance. If used with the plgd mock OAuth Server, value https://plgd.dev/owner has to be set. **Required.**` | `""` |
 | `enrollmentGroups.[].hub.authorization.deviceIDClaim` | string | `Claim used to make JWT tokens device specific. If configured, your OAuth2.0 server has to set the device id to the token as configured. If used with the plgd mock OAuth Server, value https://plgd.dev/deviceId has to be set.` | `""` |
-| `enrollmentGroups.[].hub.authorization.provider.name` | string | `Provider name which is registered also on the instance of the plgd hub where the device connects after it's successfully provisioned. The grant type for this provider must to be set to ClientCredentials.` | `""` |
+| `enrollmentGroups.[].hub.authorization.provider.name` | string | `Provider name which is registered also on the instance of the plgd hub where the device connects after it's successfully provisioned. The grant type for this provider must be set to ClientCredentials.` | `""` |
 | `enrollmentGroups.[].hub.authorization.provider.authority` | string | `Authority is the address of the token-issuing authentication server. Services will use this URI to find token endpoint.` | `""` |
 | `enrollmentGroups.[].hub.authorization.provider.clientID` | string | `OAuth Client ID.` | `""` |
 | `enrollmentGroups.[].hub.authorization.provider.clientSecretFile` | string | `File path to client secret required to request an access token.` |  `""` |

device-provisioning-service/config.yaml

@@ -55,7 +55,7 @@ clients:
   storage:
     cacheExpiration: 10m
     mongoDB:
-      uri: mongodb://localhost:27017
+      uri:
       database: deviceProvisioningService
       maxPoolSize: 16
       maxConnIdleTime: 4m0s

device-provisioning-service/pb/hub.go

@@ -197,6 +197,21 @@ func ValidateCoapGatewayURI(coapGwURI string) (string, error) {
 	return u, nil
 }
 
+func (h *Hub) normalizeGateways() error {
+	for i, gw := range h.GetGateways() {
+		if gw == "" {
+			return fmt.Errorf("coapGateways[%d]('%v') - is empty", i, gw)
+		}
+		fixedGw, err := ValidateCoapGatewayURI(gw)
+		if err != nil {
+			return fmt.Errorf("coapGateways[%d]('%v') - %w", i, gw, err)
+		}
+		h.Gateways[i] = fixedGw
+	}
+	h.Gateways = strings.UniqueStable(h.GetGateways())
+	return nil
+}
+
 func (h *Hub) Validate(owner string) error {
 	if h.GetId() == "" {
 		return fmt.Errorf("id('%v')", h.GetId())
@@ -210,17 +225,9 @@ func (h *Hub) Validate(owner string) error {
 	if len(h.GetGateways()) == 0 {
 		return errors.New("coapGateways - is empty")
 	}
-	for i, gw := range h.GetGateways() {
-		if gw == "" {
-			return fmt.Errorf("coapGateways[%d]('%v') - is empty", i, gw)
-		}
-		fixedGw, err := ValidateCoapGatewayURI(gw)
-		if err != nil {
-			return fmt.Errorf("coapGateways[%d]('%v') - %w", i, gw, err)
-		}
-		h.Gateways[i] = fixedGw
+	if err := h.normalizeGateways(); err != nil {
+		return err
 	}
-	h.Gateways = strings.UniqueStable(h.GetGateways())
 	if h.GetCertificateAuthority() == nil {
 		return errors.New("certificateAuthority - is empty")
 	}