diff --git a/deployment/data-consumer/.helmignore b/deployment/data-consumer/.helmignore
new file mode 100644
index 00000000..6b91edec
--- /dev/null
+++ b/deployment/data-consumer/.helmignore
@@ -0,0 +1,48 @@
+###############################################################
+# Eclipse Tractus-X - Industry Core Hub
+#
+# Copyright (c) 2025 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+###############################################################
+
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+
+# Ignore ENV specific values at release
+values?*.yaml
+values?*.yml
diff --git a/deployment/data-consumer/Chart.yaml b/deployment/data-consumer/Chart.yaml
new file mode 100644
index 00000000..67bcd575
--- /dev/null
+++ b/deployment/data-consumer/Chart.yaml
@@ -0,0 +1,38 @@
+###############################################################
+# Eclipse Tractus-X - Industry Core Hub
+#
+# Copyright (c) 2025 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+###############################################################
+---
+apiVersion: v2
+name: tx-data-provider
+description: A Helm chart for Kubernetes
+
+type: application
+version: 0.1.3
+appVersion: 0.0.1
+
+dependencies:
+  - name: tractusx-connector
+    repository: https://eclipse-tractusx.github.io/charts/dev
+    version: 0.7.7
+    condition: tractusx-connector.enabled
+  - name: vault
+    version: 0.20.0
+    repository: https://helm.releases.hashicorp.com
+    condition: vault.enabled
diff --git a/deployment/data-consumer/README.md b/deployment/data-consumer/README.md
new file mode 100644
index 00000000..54fbef6d
--- /dev/null
+++ b/deployment/data-consumer/README.md
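Review bot: `name: tx-data-provider` in this data-consumer chart is identical to the name in `deployment/data-provider/Chart.yaml` (same `version: 0.1.3` and description as well), so the packaged charts and their `helm.sh/chart` labels cannot be told apart, and the `dataprovider.fullname` helper builds resource names from the same `.Chart.Name` for both; `name: tx-data-consumer` with its own description would fix that, and the provider chart keeps its name. The two charts also pin different `tractusx-connector` versions (`0.7.7` here, `0.9.0` in the provider chart); if that is not deliberate, aligning them avoids overlay keys such as `iatp.sts.dim.url` in values-int.yaml being silently ignored by the older chart — worth confirming against the 0.7.7 values schema.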
@@ -0,0 +1,57 @@ +# Dataprovider Helm Chart + +This chart includes EDC, Digital Twin Registry and a Submodel Server. +The Submodel Server images is based on an older Catena-X demo (catenax at home) since this is what we were using in our +testing environments. + + +-> values-int.yaml -> in + +## Prerequisites + +- Running Kubernetes cluster +- Helm is installed + +Example for local usage: + +- [Minikube](https://minikube.sigs.k8s.io/docs/start/) +- [Minikube ingress addon](https://minikube.sigs.k8s.io/docs/handbook/addons/ingress-dns/) + +## Installing + +Run the Chart with + +```shell +helm dependency update +helm install dataprovider . --timeout 10m0s +``` + +Remove the chart by running + +```shell +helm uninstall dataprovider +``` +## Configuration + +For Configuration of digital twin registry see [sldt-digital-twin-registry/tree/main/charts/registry](https://github.com/eclipse-tractusx/sldt-digital-twin-registry/tree/main/charts/registry) + +Configuration of EDC see [tractusx-edc/tree/main/charts/tractusx-connector](https://github.com/eclipse-tractusx/tractusx-edc/tree/main/charts/tractusx-connector) + +EDC requires connection to HashiCorp Vault and Manage Identity Wallet. These have to be configured for the dataprovider to be operative. + +The Chart can be used as dataprovider by setting `simple-data-backend.enabled`, `digital-twin-registry.enabled` and `seedTestdata` to `false`. + +## Testdata seeding + +After the installation, a Post-Install Helm Hook will be started which initiates the seeding of testdata. The Hook executes a python script which uploads a provided test dataset to the dataprovider. Documentation to the python script can be found here [README](https://github.com/eclipse-tractusx/item-relationship-service/blob/main/local/testing/testdata/README.md) + +Test data set and upload script are stored in [resources/](resources) and provided to the hook as config map. +A custom config map can be used to provided e.g. 
`testdataConfigMap: my-custom-testdata-configmap`. + +## NOTICE + +This work is licensed under the [CC-BY-4.0](https://creativecommons.org/licenses/by/4.0/legalcode). + +- SPDX-License-Identifier: CC-BY-4.0 +- SPDX-FileCopyrightText: 2025 Contributors to the Eclipse Foundation +- Source URL: https://github.com/eclipse-tractusx/tractusx-sdk \ No newline at end of file diff --git a/deployment/data-consumer/templates/_helpers.tpl b/deployment/data-consumer/templates/_helpers.tpl new file mode 100644 index 00000000..f2c1eae0 --- /dev/null +++ b/deployment/data-consumer/templates/_helpers.tpl 
@@ -0,0 +1,134 @@ +{{/* +############################################################### +# Eclipse Tractus-X - Industry Core Hub +# +# Copyright (c) 2025 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################### + */}} +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "dataprovider.fullname" -}} + {{- if .Values.fullnameOverride }} + {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} + {{- else }} + {{- $name := default .Chart.Name .Values.nameOverride }} + {{- if contains $name .Release.Name }} + {{- .Release.Name | trunc 63 | trimSuffix "-" }} + {{- else }} + {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} + {{- end }} + {{- end }} +{{- end }} + +{{/* +Submodel URL helpers +*/}} +{{- define "simple-data-backend.host" -}} + {{- if .Values.backendUrl }} + {{- tpl .Values.backendUrl . 
}} + {{- else if (index .Values "simple-data-backend" "ingress" "enabled") }} + {{- with (first (index .Values "simple-data-backend" "ingress" "hosts")) }} + {{- printf "https://%s" .host }} + {{- end }} + {{- else }} + {{- printf "http://%s%s:8080" .Release.Name "-simple-data-backend" }} + {{- end }} +{{- end }} + +{{/* +Registry URL helpers +*/}} +{{- define "registry.host" -}} + {{- if index .Values "digital-twin-registry" "registry" "ingress" "enabled" }} + {{- printf "https://%s" (index .Values "digital-twin-registry" "registry" "host") }} + {{- else }} + {{- printf "http://%s-%s:8080" .Release.Name "digital-twin-registry" }} + {{- end }} +{{- end }} +{{- define "registry.path" -}} + {{- if index .Values "digital-twin-registry" "registry" "ingress" "enabled" }} + {{- index .Values "digital-twin-registry" "registry" "ingress" "urlPrefix" }} + {{- else }} + {{- print "" }} + {{- end }} +{{- end }} +{{- define "registry.url" -}} + {{- if .Values.registryUrl }} + {{- tpl .Values.registryUrl . }} + {{ else }} + {{- printf "%s%s%s" (include "registry.host" .) (include "registry.path" .) "/api/v3" }} + {{- end }} +{{- end }} + +{{/* +EDC URL helpers +*/}} + +{{- define "edc.controlplane.host" -}} + {{- if .Values.controlplanePublicUrl }} + {{- tpl .Values.controlplanePublicUrl . }} + {{ else }} + {{- with (first (index .Values "tractusx-connector" "controlplane" "ingresses")) }} + {{- if .enabled }} + {{- printf "https://%s" .hostname }} + {{- else }} + {{- printf "http://%s-%s:8084" $.Release.Name "tractusx-connector-controlplane" }} + {{- end }} + {{- end }} + {{ end }} +{{- end }} + +{{- define "edc.controlplane.management.host" -}} + {{- if .Values.controlplaneManagementUrl }} + {{- tpl .Values.controlplaneManagementUrl . 
}} + {{ else }} + {{- with (first (index .Values "tractusx-connector" "controlplane" "ingresses")) }} + {{- if .enabled }} + {{- printf "https://%s" .hostname }} + {{- else }} + {{- printf "http://%s-%s:8081" $.Release.Name "tractusx-connector-controlplane" }} + {{- end }} + {{- end }} + {{ end }} +{{- end }} + +{{- define "edc.dataplane.host" -}} + {{- if .Values.dataplaneUrl }} + {{- tpl .Values.dataplaneUrl . }} + {{ else }} + {{- with (first (index .Values "tractusx-connector" "dataplane" "ingresses")) }} + {{- if .enabled }} + {{- printf "https://%s" .hostname }} + {{- else }} + {{- printf "http://%s-%s:8081" $.Release.Name "tractusx-connector-dataplane" }} + {{- end }} + {{- end }} + {{ end }} +{{- end }} + +{{- define "edc.key" -}} + {{- index .Values "tractusx-connector" "controlplane" "endpoints" "management" "authKey" }} +{{- end }} + +{{- define "edc.bpn" -}} + {{- index .Values "tractusx-connector" "participant" "id" }} +{{- end }} + diff --git a/deployment/data-consumer/templates/post-install-vault-setup.yaml b/deployment/data-consumer/templates/post-install-vault-setup.yaml new file mode 100644 index 00000000..39d2fd29 --- /dev/null +++ b/deployment/data-consumer/templates/post-install-vault-setup.yaml 
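Review bot: `{{ else }}` and `{{ end }}` without a `-` trim marker in `registry.url`, `edc.controlplane.host`, `edc.controlplane.management.host` and `edc.dataplane.host` leak the newline and indentation that precede them into the included string, so an override such as `controlplaneManagementUrl` renders with trailing whitespace appended to the URL, whereas the `{{- else }}` / `{{- end }}` form used in `simple-data-backend.host` and `registry.host` does not. Changing those four helpers to `{{- else }}` and `{{- end }}` makes the whole file consistent. Separately, `simple-data-backend.host`, `registry.host` and `registry.path` index `.Values "simple-data-backend"` and `.Values "digital-twin-registry"`, which this chart's Chart.yaml does not declare as dependencies and its values.yaml does not define; if any template in this chart includes them, `index` on the missing map fails at render time, so either guard them with `hasKey` or drop them from the consumer chart. `edc.key` emits the management `authKey` in clear text into whatever manifest includes it, so it is worth checking that its only consumers are Secret resources.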
@@ -0,0 +1,79 @@
+# #############################################################################
+# Copyright (c) 2024 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# #############################################################################
+---
+{{ if .Values.vault.enabled }}
+{{- $vaultToken := index .Values "tractusx-connector" "vault" "hashicorp" "token" -}}
+{{- $vaultUrl := tpl (index .Values "tractusx-connector" "vault" "hashicorp" "url") . -}}
+{{- $fullName := include "dataprovider.fullname" . -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ $fullName }}-post-install-vault-setup
+  labels:
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/instance: {{ .Release.Name | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+  annotations:
+    # This is what defines this resource as a hook. Without this line, the
+    # job is considered part of the release.
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  template:
+    metadata:
+      name: "{{ .Release.Name }}"
+      labels:
+        app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+        app.kubernetes.io/instance: {{ .Release.Name | quote }}
+        helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    spec:
+      restartPolicy: Never
+      containers:
+        - name: post-install-job
+          image: "alpine:3.19"
+          imagePullPolicy: "IfNotPresent"
+          command:
+            - "/bin/sh"
+            - "-c"
+            - |
+              sleep 10
+              {{- range $key, $value := .Values.secrets }}
+              wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \
+                --post-data '{"data": {"content": "{{ $value }}"}}' "{{ $vaultUrl }}/v1/secret/data/{{ $key }}"
+              {{- end }}
+
+              wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \
+                --post-file=/opt/config/cert.json "{{ $vaultUrl }}/v1/secret/data/tokenSignerPublicKey"
+
+              wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \
+                --post-file=/opt/config/key.json "{{ $vaultUrl }}/v1/secret/data/tokenSignerPrivateKey"
+
+              wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \
+                --post-file=/opt/config/aes-secret.json "{{ $vaultUrl }}/v1/secret/data/tokenEncryptionAesKey"
+          volumeMounts:
+            - name: config-volume
+              mountPath: /opt/config
+      volumes:
+        - name: config-volume
+          configMap:
+            name: {{ $fullName }}-vault-edc-configmap
+            defaultMode: 0777
+{{ end }}
diff --git a/deployment/data-consumer/templates/vault-edc-configmap.yaml b/deployment/data-consumer/templates/vault-edc-configmap.yaml
new file mode 100644
index 00000000..44542110
--- /dev/null
+++ b/deployment/data-consumer/templates/vault-edc-configmap.yaml
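Review bot: The Vault token taken from `tractusx-connector.vault.hashicorp.token` and every value of `.Values.secrets` are rendered verbatim into the Job's `command`, so they sit in clear text in the rendered manifest, in the Job and Pod specs and in Helm's release history, readable by anyone with read access to those objects rather than only to Secrets. The script also runs without `set -e`, so a `wget` that fails (for instance Vault still not ready after the fixed `sleep 10`) leaves the Job reported as succeeded with secrets missing, and `defaultMode: 0777` on the config volume grants far more than the read access `--post-file` needs (`0444` suffices). The sketch below moves the token into an environment variable sourced from a Secret and fails fast; the `.Values.secrets` values remain a similar exposure and would better come from a Secret-backed volume in the same way.

```yaml
          command:
            - "/bin/sh"
            - "-c"
            - |
              set -eu
              # … unchanged: sleep 10 …
              {{- range $key, $value := .Values.secrets }}
              wget --header 'Content-Type: application/json' --header "X-Vault-Token: $VAULT_TOKEN" \
                --post-data '{"data": {"content": "{{ $value }}"}}' "{{ $vaultUrl }}/v1/secret/data/{{ $key }}"
              {{- end }}
              # … unchanged: the three --post-file uploads, each with the same "X-Vault-Token: $VAULT_TOKEN" header …
          env:
            - name: VAULT_TOKEN
              valueFrom:
                secretKeyRef:
                  name: <vault-token-secret>   # placeholder: Secret that carries the Vault token
                  key: token
          # … unchanged: volumeMounts …
      volumes:
        - name: config-volume
          configMap:
            name: {{ $fullName }}-vault-edc-configmap
            defaultMode: 0444
```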
@@ -0,0 +1,46 @@ +############################################################### +# Eclipse Tractus-X - Industry Core Hub +# +# Copyright (c) 2025 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################### +--- +{{ $fullName := include "dataprovider.fullname" . -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ $fullName }}-vault-edc-configmap +data: + cert.json: |- + { + "data": { + "content": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsP1Wl50viKzVqw8HGFWP\nis+M8Im4daTFMned5Qr2z90FNgkj1EVhip0mOdD6kDg3bW4RxyL6z3jWi19JKBHZ\n68UTgZNdPbhhPNLEGcQpu8uwgFcWKL4P/IOykEeE8ResGOVg/HzNE7HkTgiBdr2C\nMTEXL3zTmdr0vbFGMbOTPyOvKMoy/2FaJaJAPXo3poGqfRvr6Gu6top2ktRd/z8N\nhBpuzx9QypIsE62ooLNPpqzjezfvzJbc3tko/cXNOyGoZWuEKMTfKwYq3ZjsTZKk\nbjVNgdoEFSWpd6Tqk76B1Cboxv1CD8xw0cQ149eW0IuLkAk3eF5eZR4iQ5YAOZqA\nUQIDAQAB\n-----END PUBLIC KEY-----\n" + } + } + + key.json: |- + { + "data": { + "content": "-----BEGIN PRIVATE 
KEY-----\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCw/VaXnS+IrNWr\nDwcYVY+Kz4zwibh1pMUyd53lCvbP3QU2CSPURWGKnSY50PqQODdtbhHHIvrPeNaL\nX0koEdnrxROBk109uGE80sQZxCm7y7CAVxYovg/8g7KQR4TxF6wY5WD8fM0TseRO\nCIF2vYIxMRcvfNOZ2vS9sUYxs5M/I68oyjL/YVolokA9ejemgap9G+voa7q2inaS\n1F3/Pw2EGm7PH1DKkiwTraigs0+mrON7N+/Mltze2Sj9xc07Iahla4QoxN8rBird\nmOxNkqRuNU2B2gQVJal3pOqTvoHUJujG/UIPzHDRxDXj15bQi4uQCTd4Xl5lHiJD\nlgA5moBRAgMBAAECggEAKD8XjYb8G+WHeexDJgSwzTUonLsIg9H52KHMORz+5mIh\nUPoPmHHFfj6BhoSvsZNjAUKWDtU0uPCGwu8iRNcYWa15I841lfcjP3BDEQPjJJXr\nNyf2fUHJA1gURwxIXgWOyCOC5C9h9/BMFPWIsQ5jeFmsJsuJF5OrcyZIar1lxqWu\nQ+HC7f/7JNkpR26uIyGjs1OXwfp+mHqze2Qf8hLWIXcN9tBCQZ75Cg7rarNVimMC\n59QD80JZCHTaCX1ZtE1T8HM+53Ob78lnFCuBfiBT/S3O/NXVsEN9q6rMWKhETVWR\nUX56EqZ7XGSMOzuZyK7kj1QsHzEMrrHjwDSNSjAqFQKBgQC6hEeAWPCEM+WVoF9n\nmhvwZVZv/PPyLAarykBTGoeHR2hqNyih9JmcXL+XQHMlhy1Ka8NtJHvfyB1xhXgF\n/d91i/Yq02+nZoJPNnVWo8zoXIAIq+xg9CBiu0agBxv45PjJkEkQmmEG4Iej1+Kf\n5/+dI7sFjE2T4q/lLK0Aw3x+zQKBgQDy7Ho7eRi5CV1Ks+r5lpGGdM15hbE5tviE\nfmJvaEUh3oWuwdkyFjD/QEPITG1bFuvhATdEEWxTbuswNEbELLhKCPcixcI0sLUO\n6BeNi1YD6ouuqsWBLvmE4hvoDR7RlkpUduxWpZ2tNIDJYYTwCERhcYK9OtHU15kc\nlS0pEjF/lQKBgEh+28/OQgYQqd7ji9GX+94PdW5n0mXBqQIixafHewAgyDvonpl8\nmixFfI6MlXTzuq3ffwEwGhncDV2vc/xYNf/ZW+A/eHmHhYTGdQss9ZsnQPid4m24\n1dGqWwQeX0f5r52gwFV8u9PRd8c+RS7EHP12At5gL1MY3CdmmwPd98jNAoGASvPV\n/xWtICKYi10aCip/+kl9wJoUhadD5LWOL6uvcPTUsIgVONQKCCfPAjU6pJlc7E7Q\nu4rYrqGRpYzrrMnTjtxXTH5SHqnLI69O3Rh50LmEob8FM4fH601MqPurX6WMh6Ut\n5Moy7Wc+uWQCfYE/gAVi/nnwlkhzcJNCnOKFLUUCgYA4nbhLrdEeCBJas2+Z9aGw\n/SurtHF2z2meAPO3VaYslf0D0xKzUIv5hkkzaNgs0pFGt0BcKfTWkYy/Hh4QXZhm\n//ZrqbkVsqzDOcqGwQcDmUEN/T+vprUJVKqpNHXT6fz3OTydxLQ7K7SXzwXWYfRW\ncpjdr0c1tVVLMyNG+Wahrg==\n-----END PRIVATE KEY-----\n" + } + } + aes-secret.json: |- + { + "data": { + "content": {{ randAlphaNum 32 | b64enc | quote }} + } + } diff --git a/deployment/data-consumer/values-int-vault.yaml b/deployment/data-consumer/values-int-vault.yaml new file mode 100644 index 00000000..285b5fff --- /dev/null 
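Review bot: `key.json` embeds a complete PEM private key in the chart source and delivers it through a ConfigMap, so every installation that keeps this template signs dataplane transfer tokens with a key that is published in the repository, and the key is readable by anyone with ConfigMap read access rather than only Secret access. The private key should be supplied per environment (a values entry marked `required`, or an existing Secret referenced by name) and rendered into a `Secret` via `stringData`; `cert.json` can stay in the ConfigMap since it carries only the public half. `aes-secret.json` uses `randAlphaNum 32 | b64enc`, which is re-evaluated on every `helm upgrade`, so the AES key changes on each upgrade, and if the connector base64-decodes the value the key material is 32 alphanumeric characters rather than 32 random bytes — a `lookup`-based keep-if-exists or an explicit value would make it stable. The committed key pair can only be a test fixture, and a header comment should say so, e.g. `# test fixture: replace the key pair per environment`.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: {{ $fullName }}-vault-edc-secret
type: Opaque
stringData:
  # … unchanged: cert.json (public key) stays in the ConfigMap …
  key.json: |-
    {
      "data": {
        "content": {{ required "tokenSignerPrivateKey must be provided" .Values.tokenSignerPrivateKey | quote }}
      }
    }
  # placeholder: `.Values.tokenSignerPrivateKey` is a new values key to be added to values.yaml
```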
+++ b/deployment/data-consumer/values-int-vault.yaml 
@@ -0,0 +1,135 @@ +############################################################### +# Eclipse Tractus-X - Industry Core Hub +# +# Copyright (c) 2025 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################### +--- +secrets: + client-secret: + +tractusx-connector: + enabled: true + participant: + id: + + iatp: + # Decentralized IDentifier + id: "" + trustedIssuers: # array [] that needs to be expand but likely like (sorry unconfirmed on how this is done, as I also would need to check) + - "" + oauth: + token_url: "" + client: + id: "" + # content from the wallet secret, caution on pasting real secrets here! + + controlplane: + enabled: true + endpoints: + management: + # -- authentication key, must be attached to each 'X-Api-Key' request header + authKey: + bdrs: + server: + url: https://bpn-did-resolution-service.int.catena-x.net/api/directory + ## Ingress declaration to expose the network service. 
+ ingresses: + ## Public / Internet facing Ingress + - enabled: true + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "ichub-edc-provider.int.catena-x.net" + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + className: "nginx" + # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource + tls: + # -- Enables TLS on the ingress resource + enabled: true + # -- If present overwrites the default secret name + secretName: "tls-secret-provider-controlplane" + dataplane: + enabled: true + endpoints: + proxy: + authKey: + token: + signer: + # alias under which the private key is stored in the vault (JWK or PEM format) + privatekey_alias: tokenSignerPrivateKey + verifier: + # alias under which the public key is stored in the vault, that belongs to the private key ("privatekey_alias", JWK or PEM format) + publickey_alias: tokenSignerPublicKey + + ## Ingress declaration to expose the network service. 
+ ingresses: + ## Public / Internet facing Ingress + - enabled: true + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "ichub-edc-provider" + # -- Additional ingress annotations to add + # -- Additional ingress annotations to add + annotations: {} + # -- EDC endpoints exposed by this ingress resource + endpoints: + - public + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + className: "nginx" + # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource + tls: + # -- Enables TLS on the ingress resource + enabled: true + # -- If present overwrites the default secret name + secretName: "tls-secret-provider-dataplane" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via cert-manager namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "" + + postgresql: + auth: + database: edc + username: + postgresPassword: + password: + username: + password: + + vault: + hashicorp: + url: http://{{ .Release.Name }}-edc-provider-vault:8200 + secretNames: + transferProxyTokenSignerPrivateKey: tokenSignerPrivateKey + transferProxyTokenSignerPublicKey: tokenSignerPublicKey + transferProxyTokenEncryptionAesKey: tokenEncryptionAesKey + +vault: + enabled: true + nameOverride: edc-provider-vault + fullnameOverride: edc-provider-vault + injector: + enabled: false + server: + dev: + enabled: true + devRootToken: root + ingress: + enabled: false diff --git a/deployment/data-consumer/values-int.yaml b/deployment/data-consumer/values-int.yaml new file mode 100644 index 00000000..91a2ce23 --- /dev/null +++ b/deployment/data-consumer/values-int.yaml 
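Review bot: `tractusx-connector.vault.hashicorp.url: http://{{ .Release.Name }}-edc-provider-vault:8200` does not match `vault.fullnameOverride: edc-provider-vault`; with a fullnameOverride the HashiCorp chart names its Service `edc-provider-vault` without the release prefix, so the connector and the post-install hook would target a host that does not exist (values.yaml avoids this by setting only `nameOverride`). Either drop `fullnameOverride` here or set `url: http://edc-provider-vault:8200`. This overlay also runs Vault in dev mode with `devRootToken: root` for a deployment whose connector is reachable at `ichub-edc-provider.int.catena-x.net`; dev mode keeps every secret in memory and loses it on restart, and the hook re-seeds only on install/upgrade, so an integration environment needs a non-dev Vault with its own token and persistent storage. Keys given without a value — `participant.id:`, `management.authKey:`, the `postgresql.auth.*` entries — are `null` in Helm's merge and delete the values.yaml defaults rather than keep them, which applies to values-int.yaml as well; confirm this is intended, since `edc.key` then renders empty. The dataplane `hostname: "ichub-edc-provider"` is not a fully qualified name like the controlplane's and looks like a truncated copy.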
@@ -0,0 +1,147 @@ +############################################################### +# Eclipse Tractus-X - Industry Core Hub +# +# Copyright (c) 2025 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################### +--- +secrets: + client-secret: + +tractusx-connector: + enabled: true + participant: + id: + + iatp: + # Decentralized IDentifier + id: "" + trustedIssuers: # array [] that needs to be expand but likely like (sorry unconfirmed on how this is done, as I also would need to check) + - "" + sts: + dim: + url: "" + oauth: + token_url: "" + client: + id: "" + # content from the wallet secret, caution on pasting real secrets here! + + controlplane: + enabled: true + endpoints: + management: + # -- authentication key, must be attached to each 'X-Api-Key' request header + authKey: + bdrs: + server: + url: https://bpn-did-resolution-service.int.catena-x.net/api/directory + ## Ingress declaration to expose the network service. 
+ ingresses: + ## Public / Internet facing Ingress + - enabled: true + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "edc-consumer-ichub-control.int.catena-x.net" + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + className: "nginx" + annotations: + # Add annotations for the ingress, e.g.: + cert-manager.io/cluster-issuer: letsencrypt-prod + endpoints: + - default + - management + - control + - protocol + - metrics + # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource + tls: + # -- Enables TLS on the ingress resource + enabled: true + # -- If present overwrites the default secret name + secretName: "tls-secret-consumer-controlplane" + dataplane: + enabled: true + endpoints: + proxy: + authKey: + token: + signer: + # alias under which the private key is stored in the vault (JWK or PEM format) + privatekey_alias: tokenSignerPrivateKey + verifier: + # alias under which the public key is stored in the vault, that belongs to the private key ("privatekey_alias", JWK or PEM format) + publickey_alias: tokenSignerPublicKey + + ## Ingress declaration to expose the network service. 
+ ingresses: + ## Public / Internet facing Ingress + - enabled: true + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "edc-consumer-ichub-dataplane.int.catena-x.net" + # -- Additional ingress annotations to add + # -- Additional ingress annotations to add + annotations: + # Add annotations for the ingress, e.g.: + cert-manager.io/cluster-issuer: letsencrypt-prod + # -- EDC endpoints exposed by this ingress resource + endpoints: + - public + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + className: "nginx" + # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource + tls: + # -- Enables TLS on the ingress resource + enabled: true + # -- If present overwrites the default secret name + secretName: "tls-secret-consumer-dataplane" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via cert-manager namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "" + + postgresql: + auth: + database: edc + username: + postgresPassword: + password: + username: + password: + + vault: + fullnameOverride: "vault" + hashicorp: + url: + token: + paths: + secret: + health: /v1/sys/health + +vault: + enabled: false + nameOverride: edc-provider-vault + fullnameOverride: edc-provider-vault + injector: + enabled: false + server: + dev: + enabled: true + devRootToken: root + ingress: + enabled: false diff --git a/deployment/data-consumer/values.yaml b/deployment/data-consumer/values.yaml new file mode 100644 index 00000000..353e9484 --- /dev/null +++ b/deployment/data-consumer/values.yaml 
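Review bot: The controlplane ingress for `edc-consumer-ichub-control.int.catena-x.net` lists `endpoints: default, management, control, protocol, metrics`, which exposes the management API, the internal control API and the metrics endpoint on the public hostname while `management.authKey:` is left null in this file. Unless management access from outside the cluster is required, restricting the list to `- protocol` (plus `- default` if health checks need it) and keeping management and control cluster-internal reduces what is reachable from the internet. `vault.fullnameOverride: "vault"` is placed under `tractusx-connector.vault` rather than under the `vault` subchart, where nothing visible here reads it; if it was meant for the subchart it belongs next to `vault.nameOverride`. The duplicated `# -- Additional ingress annotations to add` line in the dataplane ingress block can be dropped.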
@@ -0,0 +1,124 @@ +############################################################### +# Eclipse Tractus-X - Industry Core Hub +# +# Copyright (c) 2025 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################### + +configuration: + postgresuser: &postgresuser testuser + postgrespass: &postgrespass testpass + edcKey: &edcKey TEST + +nameOverride: "" +fullnameOverride: "" +seedTestdata: false # Toggle seeding of testdata. Can be enabled when the edc should be seeded with testdata on startup. +testdataConfigMap: "" # Provide a custom configmap for post-install-job-upload-testdata.yaml. 
+backendUrl: "" # Override the backend service url +registryUrl: "" # Override the digital twin registry url +controlplanePublicUrl: "" # Override the edc controlplane protocol url +controlplaneManagementUrl: "" # Override the edc controlplane management url +dataplaneUrl: "" # Override the edc dataplane public url + +tractusx-connector: + enabled: true + install: + postgresql: true + vault: false + participant: + id: changeme + iatp: + id: changeme + trustedIssuers: + - changeme + sts: + dim: + url: http://example.org + oauth: + token_url: http://example.org + client: + id: changeme + secret_alias: client-secret + + controlplane: + ingresses: + - enabled: false + bdrs: + server: + url: http://example.org + endpoints: + management: + authKey: *edcKey + securityContext: + readOnlyRootFilesystem: false + + dataplane: + ingresses: + - enabled: false + token: + signer: + privatekey_alias: changeme + verifier: + publickey_alias: changeme + + vault: + nameOverride: edc-dataprovider-vault + fullnameOverride: edc-dataprovider-vault + hashicorp: + url: http://{{ .Release.Name }}-edc-provider-vault:8200 + token: "root" + secretNames: + transferProxyTokenSignerPrivateKey: changeme + transferProxyTokenSignerPublicKey: changeme + transferProxyTokenEncryptionAesKey: aesKey + + + postgresql: + nameOverride: edc-postgresql + primary: + persistence: + enabled: false + size: 1Gi + auth: + database: edc + username: *postgresuser + postgresPassword: *postgrespass + password: *postgrespass + username: *postgresuser + password: *postgrespass + jdbcUrl: "jdbc:postgresql://{{ .Release.Name }}-edc-postgresql:5432/edc" + +vault: + enabled: true + nameOverride: edc-provider-vault + injector: + enabled: false + server: + postStart: + - sh + - -c + - |- + { + sleep 5 + /bin/vault kv put secret/client-secret content=kEmH7QRPWhKfy8f+x0pFMw== + /bin/vault kv put secret/aesKey content=YWVzX2VuY2tleV90ZXN0Cg== + } + dev: + enabled: true + devRootToken: root + ingress: + enabled: true \ No newline 
at end of file diff --git a/deployment/data-provider/.helmignore b/deployment/data-provider/.helmignore new file mode 100644 index 00000000..6b91edec --- /dev/null +++ b/deployment/data-provider/.helmignore @@ -0,0 +1,48 @@ +############################################################### +# Eclipse Tractus-X - Industry Core Hub +# +# Copyright (c) 2025 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################### + +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ + +# Ignore ENV specific values at release +values?*.yaml +values?*.yml diff --git a/deployment/data-provider/Chart.yaml b/deployment/data-provider/Chart.yaml new file mode 100644 index 00000000..21dcc332 --- /dev/null +++ b/deployment/data-provider/Chart.yaml 
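Review bot: `vault.server.ingress.enabled: true` publishes the dev-mode Vault (`dev.enabled: true`, `devRootToken: root`) through the cluster's ingress controller by default; nothing in this file limits who can reach it, so the default should be `enabled: false` with an overlay opting in for local use. The token aliases also do not line up with the post-install hook: `token.signer.privatekey_alias: changeme`, `verifier.publickey_alias: changeme` and the `secretNames.*` entries reference `changeme` and `aesKey`, whereas the hook writes `tokenSignerPrivateKey`, `tokenSignerPublicKey` and `tokenEncryptionAesKey` (the values-int overlays use those names), so a default install seeds paths the connector never reads. If `changeme` is meant as a sentinel, a short comment saying so would help; otherwise the defaults should be the hook's names. The `configuration:` anchors (`testuser`/`testpass`/`TEST`) and the `postStart` fixtures serve local runs and deserve a comment such as `# local-test fixtures; override in every shared environment`.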
@@ -0,0 +1,46 @@
+###############################################################
+# Eclipse Tractus-X - Industry Core Hub
+#
+# Copyright (c) 2025 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+###############################################################
+---
+apiVersion: v2
+name: tx-data-provider
+description: A Helm chart for Kubernetes
+
+type: application
+version: 0.1.3
+appVersion: 0.0.1
+
+dependencies:
+ - name: digital-twin-registry
+ version: 0.5.2
+ repository: https://eclipse-tractusx.github.io/charts/dev
+ condition: digital-twin-registry.enabled
+ - name: simple-data-backend
+ repository: https://eclipse-tractusx.github.io/charts/dev
+ version: 0.1.0
+ condition: simple-data-backend.enabled
+ - name: tractusx-connector
+ repository: https://eclipse-tractusx.github.io/charts/dev
+ version: 0.9.0
+ condition: tractusx-connector.enabled
+ - name: vault
+ version: 0.20.0
+ repository: https://helm.releases.hashicorp.com
+ condition: vault.enabled
diff --git a/deployment/data-provider/README.md b/deployment/data-provider/README.md
new file mode 100644
index 00000000..0e59bafa
--- /dev/null
+++ b/deployment/data-provider/README.md
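Review bot: `description: A Helm chart for Kubernetes` is the `helm create` scaffold placeholder and should say what this chart actually deploys, e.g. `description: Industry Core Hub data provider - tractusx-connector (EDC), Digital Twin Registry, simple data backend and an optional HashiCorp Vault`. All three Tractus-X dependencies are resolved from the `charts/dev` index while the same file is used by the `values-int*.yaml` integration profiles; if that index is rebuilt or pruned, `helm dependency update` for a pinned version can stop working, so it is worth confirming the pinned versions also exist on the stable chart index before relying on them for a shared environment. A one-line comment on the `dependencies:` key noting why `dev` is used would help the next maintainer.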
@@ -0,0 +1,57 @@ +# Dataprovider Helm Chart + +This chart includes EDC, Digital Twin Registry and a Submodel Server. +The Submodel Server images is based on an older Catena-X demo (catenax at home) since this is what we were using in our +testing environments. + + +-> values-int.yaml -> in + +## Prerequisites + +- Running Kubernetes cluster +- Helm is installed + +Example for local usage: + +- [Minikube](https://minikube.sigs.k8s.io/docs/start/) +- [Minikube ingress addon](https://minikube.sigs.k8s.io/docs/handbook/addons/ingress-dns/) + +## Installing + +Run the Chart with + +```shell +helm dependency update +helm install dataprovider . --timeout 10m0s +``` + +Remove the chart by running + +```shell +helm uninstall dataprovider +``` +## Configuration + +For Configuration of digital twin registry see [sldt-digital-twin-registry/tree/main/charts/registry](https://github.com/eclipse-tractusx/sldt-digital-twin-registry/tree/main/charts/registry) + +Configuration of EDC see [tractusx-edc/tree/main/charts/tractusx-connecto](https://github.com/eclipse-tractusx/tractusx-edc/tree/main/charts/tractusx-connector) + +EDC requires connection to HashiCorp Vault and Manage Identity Wallet. These have to be configured for the dataprovider to be operative. + +The Chart can be used as dataprovider by setting `simple-data-backend.enabled`, `digital-twin-registry.enabled` and `seedTestdata` to `false`. + +## Testdata seeding + +After the installation, a Post-Install Helm Hook will be started which initiates the seeding of testdata. The Hook executes a python script which uploads a provided test dataset to the dataprovider. Documentation to the python script can be found here [README](https://github.com/eclipse-tractusx/item-relationship-service/blob/main/local/testing/testdata/README.md) + +Test data set and upload script are stored in [resources/](resources) and provided to the hook as config map. +A custom config map can be used to provided e.g. 
`testdataConfigMap: my-custom-testdata-configmap`. + +## NOTICE + +This work is licensed under the [CC-BY-4.0](https://creativecommons.org/licenses/by/4.0/legalcode). + +- SPDX-License-Identifier: CC-BY-4.0 +- SPDX-FileCopyrightText: 2025 Contributors to the Eclipse Foundation +- Source URL: https://github.com/eclipse-tractusx/tractusx-sdk \ No newline at end of file diff --git a/deployment/data-provider/templates/_helpers.tpl b/deployment/data-provider/templates/_helpers.tpl new file mode 100644 index 00000000..f2c1eae0 --- /dev/null +++ b/deployment/data-provider/templates/_helpers.tpl 
@@ -0,0 +1,134 @@ +{{/* +############################################################### +# Eclipse Tractus-X - Industry Core Hub +# +# Copyright (c) 2025 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################### + */}} +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "dataprovider.fullname" -}} + {{- if .Values.fullnameOverride }} + {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} + {{- else }} + {{- $name := default .Chart.Name .Values.nameOverride }} + {{- if contains $name .Release.Name }} + {{- .Release.Name | trunc 63 | trimSuffix "-" }} + {{- else }} + {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} + {{- end }} + {{- end }} +{{- end }} + +{{/* +Submodel URL helpers +*/}} +{{- define "simple-data-backend.host" -}} + {{- if .Values.backendUrl }} + {{- tpl .Values.backendUrl . 
}} + {{- else if (index .Values "simple-data-backend" "ingress" "enabled") }} + {{- with (first (index .Values "simple-data-backend" "ingress" "hosts")) }} + {{- printf "https://%s" .host }} + {{- end }} + {{- else }} + {{- printf "http://%s%s:8080" .Release.Name "-simple-data-backend" }} + {{- end }} +{{- end }} + +{{/* +Registry URL helpers +*/}} +{{- define "registry.host" -}} + {{- if index .Values "digital-twin-registry" "registry" "ingress" "enabled" }} + {{- printf "https://%s" (index .Values "digital-twin-registry" "registry" "host") }} + {{- else }} + {{- printf "http://%s-%s:8080" .Release.Name "digital-twin-registry" }} + {{- end }} +{{- end }} +{{- define "registry.path" -}} + {{- if index .Values "digital-twin-registry" "registry" "ingress" "enabled" }} + {{- index .Values "digital-twin-registry" "registry" "ingress" "urlPrefix" }} + {{- else }} + {{- print "" }} + {{- end }} +{{- end }} +{{- define "registry.url" -}} + {{- if .Values.registryUrl }} + {{- tpl .Values.registryUrl . }} + {{ else }} + {{- printf "%s%s%s" (include "registry.host" .) (include "registry.path" .) "/api/v3" }} + {{- end }} +{{- end }} + +{{/* +EDC URL helpers +*/}} + +{{- define "edc.controlplane.host" -}} + {{- if .Values.controlplanePublicUrl }} + {{- tpl .Values.controlplanePublicUrl . }} + {{ else }} + {{- with (first (index .Values "tractusx-connector" "controlplane" "ingresses")) }} + {{- if .enabled }} + {{- printf "https://%s" .hostname }} + {{- else }} + {{- printf "http://%s-%s:8084" $.Release.Name "tractusx-connector-controlplane" }} + {{- end }} + {{- end }} + {{ end }} +{{- end }} + +{{- define "edc.controlplane.management.host" -}} + {{- if .Values.controlplaneManagementUrl }} + {{- tpl .Values.controlplaneManagementUrl . 
}} + {{ else }} + {{- with (first (index .Values "tractusx-connector" "controlplane" "ingresses")) }} + {{- if .enabled }} + {{- printf "https://%s" .hostname }} + {{- else }} + {{- printf "http://%s-%s:8081" $.Release.Name "tractusx-connector-controlplane" }} + {{- end }} + {{- end }} + {{ end }} +{{- end }} + +{{- define "edc.dataplane.host" -}} + {{- if .Values.dataplaneUrl }} + {{- tpl .Values.dataplaneUrl . }} + {{ else }} + {{- with (first (index .Values "tractusx-connector" "dataplane" "ingresses")) }} + {{- if .enabled }} + {{- printf "https://%s" .hostname }} + {{- else }} + {{- printf "http://%s-%s:8081" $.Release.Name "tractusx-connector-dataplane" }} + {{- end }} + {{- end }} + {{ end }} +{{- end }} + +{{- define "edc.key" -}} + {{- index .Values "tractusx-connector" "controlplane" "endpoints" "management" "authKey" }} +{{- end }} + +{{- define "edc.bpn" -}} + {{- index .Values "tractusx-connector" "participant" "id" }} +{{- end }} + diff --git a/deployment/data-provider/templates/post-install-vault-setup.yaml b/deployment/data-provider/templates/post-install-vault-setup.yaml new file mode 100644 index 00000000..47ca0b99 --- /dev/null +++ b/deployment/data-provider/templates/post-install-vault-setup.yaml 
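Review bot: `edc.key` returns the management API key (`tractusx-connector.controlplane.endpoints.management.authKey`) as plain template output, so any template that includes it — presumably the test-data seeding hook the README mentions, which is not in this diff — ends up with the key inlined in a ConfigMap, Job command or pod spec, readable by anyone with read access to those objects. I would add a warning above the define, `{{/* Management API key (X-Api-Key). Only ever render this into a Secret or an env var sourced from one, never into a ConfigMap or command line. */}}`, and treat `.Values.secrets` the same way. Separately, `registry.host`, `edc.controlplane.host` and `edc.dataplane.host` emit `https://` solely because the ingress is enabled, independent of the ingress `tls` setting; that is fine as long as TLS is mandatory, but a short comment stating that assumption would prevent a silent `http`-vs-`https` mismatch when someone enables an ingress without TLS.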
@@ -0,0 +1,81 @@
+###############################################################
+# Eclipse Tractus-X - Industry Core Hub
+#
+# Copyright (c) 2025 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+###############################################################
+---
+{{ if .Values.vault.enabled }}
+{{- $vaultToken := index .Values "tractusx-connector" "vault" "hashicorp" "token" -}}
+{{- $vaultUrl := tpl (index .Values "tractusx-connector" "vault" "hashicorp" "url") . -}}
+{{- $fullName := include "dataprovider.fullname" . -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ $fullName }}-post-install-vault-setup
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ annotations:
+ # This is what defines this resource as a hook. Without this line, the
+ # job is considered part of the release.
+ "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +spec: + template: + metadata: + name: "{{ .Release.Name }}" + labels: + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + spec: + restartPolicy: Never + containers: + - name: post-install-job + image: "alpine:3.19" + imagePullPolicy: "IfNotPresent" + command: + - "/bin/sh" + - "-c" + - | + sleep 10 + {{- range $key, $value := .Values.secrets }} + wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \ + --post-data '{"data": {"content": "{{ $value }}"}}' "{{ $vaultUrl }}/v1/secret/data/{{ $key }}" + {{- end }} + + wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \ + --post-file=/opt/config/cert.json "{{ $vaultUrl }}/v1/secret/data/tokenSignerPublicKey" + + wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \ + --post-file=/opt/config/key.json "{{ $vaultUrl }}/v1/secret/data/tokenSignerPrivateKey" + + wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \ + --post-file=/opt/config/aes-secret.json "{{ $vaultUrl }}/v1/secret/data/tokenEncryptionAesKey" + volumeMounts: + - name: config-volume + mountPath: /opt/config + volumes: + - name: config-volume + configMap: + name: {{ $fullName }}-vault-edc-configmap + defaultMode: 0777 +{{ end }} diff --git a/deployment/data-provider/templates/vault-edc-configmap.yaml b/deployment/data-provider/templates/vault-edc-configmap.yaml new file mode 100644 index 00000000..44542110 --- /dev/null +++ b/deployment/data-provider/templates/vault-edc-configmap.yaml 
@@ -0,0 +1,46 @@ +############################################################### +# Eclipse Tractus-X - Industry Core Hub +# +# Copyright (c) 2025 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################### +--- +{{ $fullName := include "dataprovider.fullname" . -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ $fullName }}-vault-edc-configmap +data: + cert.json: |- + { + "data": { + "content": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsP1Wl50viKzVqw8HGFWP\nis+M8Im4daTFMned5Qr2z90FNgkj1EVhip0mOdD6kDg3bW4RxyL6z3jWi19JKBHZ\n68UTgZNdPbhhPNLEGcQpu8uwgFcWKL4P/IOykEeE8ResGOVg/HzNE7HkTgiBdr2C\nMTEXL3zTmdr0vbFGMbOTPyOvKMoy/2FaJaJAPXo3poGqfRvr6Gu6top2ktRd/z8N\nhBpuzx9QypIsE62ooLNPpqzjezfvzJbc3tko/cXNOyGoZWuEKMTfKwYq3ZjsTZKk\nbjVNgdoEFSWpd6Tqk76B1Cboxv1CD8xw0cQ149eW0IuLkAk3eF5eZR4iQ5YAOZqA\nUQIDAQAB\n-----END PUBLIC KEY-----\n" + } + } + + key.json: |- + { + "data": { + "content": "-----BEGIN PRIVATE 
KEY-----\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCw/VaXnS+IrNWr\nDwcYVY+Kz4zwibh1pMUyd53lCvbP3QU2CSPURWGKnSY50PqQODdtbhHHIvrPeNaL\nX0koEdnrxROBk109uGE80sQZxCm7y7CAVxYovg/8g7KQR4TxF6wY5WD8fM0TseRO\nCIF2vYIxMRcvfNOZ2vS9sUYxs5M/I68oyjL/YVolokA9ejemgap9G+voa7q2inaS\n1F3/Pw2EGm7PH1DKkiwTraigs0+mrON7N+/Mltze2Sj9xc07Iahla4QoxN8rBird\nmOxNkqRuNU2B2gQVJal3pOqTvoHUJujG/UIPzHDRxDXj15bQi4uQCTd4Xl5lHiJD\nlgA5moBRAgMBAAECggEAKD8XjYb8G+WHeexDJgSwzTUonLsIg9H52KHMORz+5mIh\nUPoPmHHFfj6BhoSvsZNjAUKWDtU0uPCGwu8iRNcYWa15I841lfcjP3BDEQPjJJXr\nNyf2fUHJA1gURwxIXgWOyCOC5C9h9/BMFPWIsQ5jeFmsJsuJF5OrcyZIar1lxqWu\nQ+HC7f/7JNkpR26uIyGjs1OXwfp+mHqze2Qf8hLWIXcN9tBCQZ75Cg7rarNVimMC\n59QD80JZCHTaCX1ZtE1T8HM+53Ob78lnFCuBfiBT/S3O/NXVsEN9q6rMWKhETVWR\nUX56EqZ7XGSMOzuZyK7kj1QsHzEMrrHjwDSNSjAqFQKBgQC6hEeAWPCEM+WVoF9n\nmhvwZVZv/PPyLAarykBTGoeHR2hqNyih9JmcXL+XQHMlhy1Ka8NtJHvfyB1xhXgF\n/d91i/Yq02+nZoJPNnVWo8zoXIAIq+xg9CBiu0agBxv45PjJkEkQmmEG4Iej1+Kf\n5/+dI7sFjE2T4q/lLK0Aw3x+zQKBgQDy7Ho7eRi5CV1Ks+r5lpGGdM15hbE5tviE\nfmJvaEUh3oWuwdkyFjD/QEPITG1bFuvhATdEEWxTbuswNEbELLhKCPcixcI0sLUO\n6BeNi1YD6ouuqsWBLvmE4hvoDR7RlkpUduxWpZ2tNIDJYYTwCERhcYK9OtHU15kc\nlS0pEjF/lQKBgEh+28/OQgYQqd7ji9GX+94PdW5n0mXBqQIixafHewAgyDvonpl8\nmixFfI6MlXTzuq3ffwEwGhncDV2vc/xYNf/ZW+A/eHmHhYTGdQss9ZsnQPid4m24\n1dGqWwQeX0f5r52gwFV8u9PRd8c+RS7EHP12At5gL1MY3CdmmwPd98jNAoGASvPV\n/xWtICKYi10aCip/+kl9wJoUhadD5LWOL6uvcPTUsIgVONQKCCfPAjU6pJlc7E7Q\nu4rYrqGRpYzrrMnTjtxXTH5SHqnLI69O3Rh50LmEob8FM4fH601MqPurX6WMh6Ut\n5Moy7Wc+uWQCfYE/gAVi/nnwlkhzcJNCnOKFLUUCgYA4nbhLrdEeCBJas2+Z9aGw\n/SurtHF2z2meAPO3VaYslf0D0xKzUIv5hkkzaNgs0pFGt0BcKfTWkYy/Hh4QXZhm\n//ZrqbkVsqzDOcqGwQcDmUEN/T+vprUJVKqpNHXT6fz3OTydxLQ7K7SXzwXWYfRW\ncpjdr0c1tVVLMyNG+Wahrg==\n-----END PRIVATE KEY-----\n" + } + } + aes-secret.json: |- + { + "data": { + "content": {{ randAlphaNum 32 | b64enc | quote }} + } + } diff --git a/deployment/data-provider/values-int-vault.yaml b/deployment/data-provider/values-int-vault.yaml new file mode 100644 index 00000000..f6415e46 --- /dev/null 
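Review bot: `key.json` carries a fixed RSA private key in the chart source, and the post-install hook stores it in Vault as `tokenSignerPrivateKey`, i.e. the key the data plane uses to sign transfer tokens; every installation that keeps the default therefore shares a key that is public in this repository, and anyone holding it can mint tokens that such a deployment's verifier accepts. Generate the pair per release instead — `openssl genrsa` / `openssl rsa -pubout` inside the hook, or Helm's `genPrivateKey "rsa"` with the public key derived in the job — or read it from an operator-provided Secret, and drop the committed key from the repo history as well. The AES key is produced by `randAlphaNum 32` on every render, and because the hook also runs on `post-upgrade`, each `helm upgrade` silently rotates it; 32 alphanumerics are also only about 190 bits of entropy rather than a 256-bit random key, so prefer `randBytes 32` if the Helm in use provides it, or generate the key in the job. Finally, this object holds key material and should be a `Secret` with `stringData:` rather than a `ConfigMap`.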
+++ b/deployment/data-provider/values-int-vault.yaml 
@@ -0,0 +1,178 @@ +############################################################### +# Eclipse Tractus-X - Industry Core Hub +# +# Copyright (c) 2025 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################### +--- +secrets: + client-secret: + +tractusx-connector: + enabled: true + participant: + id: + + iatp: + # Decentralized IDentifier + id: "" + trustedIssuers: # array [] that needs to be expand but likely like (sorry unconfirmed on how this is done, as I also would need to check) + - "" + oauth: + token_url: "" + client: + id: "" + # content from the wallet secret, caution on pasting real secrets here! + + controlplane: + enabled: true + endpoints: + management: + # -- authentication key, must be attached to each 'X-Api-Key' request header + authKey: + bdrs: + server: + url: https://bpn-did-resolution-service.int.catena-x.net/api/directory + ## Ingress declaration to expose the network service. 
+ ingresses: + ## Public / Internet facing Ingress + - enabled: true + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "ichub-edc-provider.int.catena-x.net" + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + className: "nginx" + # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource + tls: + # -- Enables TLS on the ingress resource + enabled: true + # -- If present overwrites the default secret name + secretName: "tls-secret-provider-controlplane" + dataplane: + enabled: true + endpoints: + proxy: + authKey: + token: + signer: + # alias under which the private key is stored in the vault (JWK or PEM format) + privatekey_alias: tokenSignerPrivateKey + verifier: + # alias under which the public key is stored in the vault, that belongs to the private key ("privatekey_alias", JWK or PEM format) + publickey_alias: tokenSignerPublicKey + + ## Ingress declaration to expose the network service. 
+ ingresses: + ## Public / Internet facing Ingress + - enabled: true + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "ichub-edc-provider" + # -- Additional ingress annotations to add + # -- Additional ingress annotations to add + annotations: {} + # -- EDC endpoints exposed by this ingress resource + endpoints: + - public + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + className: "nginx" + # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource + tls: + # -- Enables TLS on the ingress resource + enabled: true + # -- If present overwrites the default secret name + secretName: "tls-secret-provider-dataplane" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via cert-manager namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "" + + postgresql: + auth: + database: edc + username: + postgresPassword: + password: + username: + password: + + vault: + hashicorp: + url: http://{{ .Release.Name }}-edc-provider-vault:8200 + secretNames: + transferProxyTokenSignerPrivateKey: tokenSignerPrivateKey + transferProxyTokenSignerPublicKey: tokenSignerPublicKey + transferProxyTokenEncryptionAesKey: tokenEncryptionAesKey + +vault: + enabled: true + nameOverride: edc-provider-vault + fullnameOverride: edc-provider-vault + injector: + enabled: false + server: + dev: + enabled: true + devRootToken: root + ingress: + enabled: false + +digital-twin-registry: + nameOverride: ichub-dtr + postgresql: + nameOverride: ichub-dtr-db + auth: + password: + existingSecret: ichub-dataprovider-secret-dtr-postgres-init + registry: + host: ichub-dtr.int.catena-x.net + ingress: + enabled: true + annotations: + 
cert-manager.io/cluster-issuer: letsencrypt-prod + tls: true + +simple-data-backend: + enabled: true + nameOverride: ichub-dataprovider-submodelserver + ingress: + enabled: true + ingressClassName: "" + annotations: + # uncomment the following line for tls + + # nginx.ingress.kubernetes.io/proxy-body-size: 50m + cert-manager.io/cluster-issuer: letsencrypt-prod + hosts: + - host: "ichub-data-service.int.catena-x.net" + paths: + - path: "/" + pathType: "ImplementationSpecific" + tls: + - secretName: "submodel-server.tx.test-tls" + hosts: + - "ichub-data-service.int.catena-x.net" + resources: + limits: + cpu: 500m + memory: 1024Mi + requests: + cpu: 500m + memory: 1024Mi \ No newline at end of file diff --git a/deployment/data-provider/values-int.yaml b/deployment/data-provider/values-int.yaml new file mode 100644 index 00000000..f39307d6 --- /dev/null +++ b/deployment/data-provider/values-int.yaml 
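Review bot: This profile targets `*.int.catena-x.net` hosts yet runs Vault in dev mode (`vault.server.dev.enabled: true`, `devRootToken: root`): dev mode is in-memory, auto-unsealed and served over plain HTTP, and with the root token any workload that can reach the `edc-provider-vault` service can read the wallet client secret and the token-signing private key, and every restart wipes the store so the hook's secrets are gone until the next upgrade. For a shared integration environment point `tractusx-connector.vault.hashicorp.url` at a real Vault and supply the token from a Secret, or at least add `# dev-mode Vault: local testing only` above the block so nobody promotes this file. Two configuration slips on the same file: the dataplane ingress `hostname: "ichub-edc-provider"` has no domain and no cert-manager annotation, so `tls-secret-provider-dataplane` will never be issued, and `simple-data-backend.ingress.ingressClassName: ""` with `secretName: "submodel-server.tx.test-tls"` looks copied from a test profile rather than set for this host.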
@@ -0,0 +1,199 @@ +############################################################### +# Eclipse Tractus-X - Industry Core Hub +# +# Copyright (c) 2025 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################### +--- +secrets: + client-secret: + +tractusx-connector: + enabled: true + participant: + id: + + iatp: + # Decentralized IDentifier + id: "" + trustedIssuers: # array [] that needs to be expand but likely like (sorry unconfirmed on how this is done, as I also would need to check) + - "" + sts: + dim: + url: "" + oauth: + token_url: "" + client: + id: "" + # content from the wallet secret, caution on pasting real secrets here! + secret_alias: client-secret + + controlplane: + enabled: true + endpoints: + management: + # -- authentication key, must be attached to each 'X-Api-Key' request header + authKey: + bdrs: + server: + url: https://bpn-did-resolution-service.int.catena-x.net/api/directory + ## Ingress declaration to expose the network service. 
+ ingresses: + ## Public / Internet facing Ingress + - enabled: true + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "edc-provider-ichub-control.int.catena-x.net" + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + className: "nginx" + annotations: + # Add annotations for the ingress, e.g.: + cert-manager.io/cluster-issuer: letsencrypt-prod + endpoints: + - default + - management + - control + - protocol + - metrics + # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource + tls: + # -- Enables TLS on the ingress resource + enabled: true + # -- If present overwrites the default secret name + secretName: "tls-secret-provider-controlplane" + dataplane: + enabled: true + endpoints: + proxy: + authKey: + token: + signer: + # alias under which the private key is stored in the vault (JWK or PEM format) + privatekey_alias: tokenSignerPrivateKey + verifier: + # alias under which the public key is stored in the vault, that belongs to the private key ("privatekey_alias", JWK or PEM format) + publickey_alias: tokenSignerPublicKey + + ## Ingress declaration to expose the network service. 
+ ingresses: + ## Public / Internet facing Ingress + - enabled: true + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "edc-provider-ichub-dataplane.int.catena-x.net" + # -- Additional ingress annotations to add + # -- Additional ingress annotations to add + annotations: + # Add annotations for the ingress, e.g.: + cert-manager.io/cluster-issuer: letsencrypt-prod + # -- EDC endpoints exposed by this ingress resource + endpoints: + - public + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + className: "nginx" + # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource + tls: + # -- Enables TLS on the ingress resource + enabled: true + # -- If present overwrites the default secret name + secretName: "tls-secret-provider-dataplane" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via cert-manager namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "" + + postgresql: + auth: + database: edc + username: + postgresPassword: + password: + username: + password: + + vault: + fullnameOverride: "vault" + hashicorp: + url: + token: + paths: + secret: + health: /v1/sys/health + +vault: + enabled: false + nameOverride: edc-provider-vault + fullnameOverride: edc-provider-vault + injector: + enabled: false + server: + dev: + enabled: true + devRootToken: root + ingress: + enabled: false + +digital-twin-registry: + nameOverride: ichub-dtr + postgresql: + nameOverride: ichub-dtr-db + auth: + password: + existingSecret: ichub-dataprovider-secret-dtr-postgres-init + registry: + host: dtr-ichub.int.catena-x.net + ingress: + enabled: true + tls: true + urlPrefix: /semantics/registry + className: 
nginx + annotations: + # Add annotations for the ingress, e.g.: + cert-manager.io/cluster-issuer: letsencrypt-prod + nginx.ingress.kubernetes.io/rewrite-target: /$2 + nginx.ingress.kubernetes.io/use-regex: "true" + nginx.ingress.kubernetes.io/enable-cors: "true" + nginx.ingress.kubernetes.io/cors-allow-credentials: "true" + nginx.ingress.kubernetes.io/x-forwarded-prefix: /semantics/registry + +simple-data-backend: + enabled: true + nameOverride: ichub-dataprovider-submodelserver + ingress: + enabled: true + ingressClassName: "" + annotations: + # uncomment the following line for tls + + # nginx.ingress.kubernetes.io/proxy-body-size: 50m + cert-manager.io/cluster-issuer: letsencrypt-prod + hosts: + - host: "storage-ichub.int.catena-x.net" + paths: + - path: "/" + pathType: "ImplementationSpecific" + tls: + - secretName: "submodel-server.tx.test-tls" + hosts: + - "storage-ichub.int.catena-x.net" + resources: + limits: + cpu: 500m + memory: 1024Mi + requests: + cpu: 500m + memory: 1024Mi diff --git a/deployment/data-provider/values.yaml b/deployment/data-provider/values.yaml new file mode 100644 index 00000000..7c0c601d --- /dev/null +++ b/deployment/data-provider/values.yaml 
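Review bot: The controlplane ingress `endpoints` list publishes `management`, `control` and `metrics` on the public hostname `edc-provider-ichub-control.int.catena-x.net`; `management` is guarded only by the `X-Api-Key` whose `authKey` is left empty here, while `control` and `metrics` are internal interfaces that, as far as this chart shows, carry no public-facing authentication. Restrict the public ingress to `protocol` (plus `default` if the health endpoints are needed) and reach management and control from inside the cluster or through a separately restricted ingress, e.g. `endpoints: [default, protocol]`. On the DTR ingress, `nginx.ingress.kubernetes.io/enable-cors: "true"` together with `cors-allow-credentials: "true"` and no `cors-allow-origin` relies on the controller's default origin `*`, which browsers refuse for credentialed requests anyway, so either drop the credentials flag or pin `nginx.ingress.kubernetes.io/cors-allow-origin` to the portal origins that actually call the registry.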
@@ -0,0 +1,157 @@ +############################################################### +# Eclipse Tractus-X - Industry Core Hub +# +# Copyright (c) 2025 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +############################################################### + +configuration: + postgresuser: &postgresuser testuser + postgrespass: &postgrespass testpass + edcKey: &edcKey TEST + +nameOverride: "" +fullnameOverride: "" +seedTestdata: false # Toggle seeding of testdata. Can be enabled when the edc should be seeded with testdata on startup. +testdataConfigMap: "" # Provide a custom configmap for post-install-job-upload-testdata.yaml. 
+backendUrl: "" # Override the backend service url +registryUrl: "" # Override the digital twin registry url +controlplanePublicUrl: "" # Override the edc controlplane protocol url +controlplaneManagementUrl: "" # Override the edc controlplane management url +dataplaneUrl: "" # Override the edc dataplane public url + +tractusx-connector: + enabled: true + install: + postgresql: true + vault: false + participant: + id: changeme + iatp: + id: changeme + trustedIssuers: + - changeme + sts: + dim: + url: http://example.org + oauth: + token_url: http://example.org + client: + id: changeme + secret_alias: client-secret + + controlplane: + ingresses: + - enabled: false + bdrs: + server: + url: http://example.org + endpoints: + management: + authKey: *edcKey + securityContext: + readOnlyRootFilesystem: false + + dataplane: + ingresses: + - enabled: false + token: + signer: + privatekey_alias: changeme + verifier: + publickey_alias: changeme + + vault: + nameOverride: edc-dataprovider-vault + fullnameOverride: edc-dataprovider-vault + hashicorp: + url: http://{{ .Release.Name }}-edc-provider-vault:8200 + token: "root" + secretNames: + transferProxyTokenSignerPrivateKey: changeme + transferProxyTokenSignerPublicKey: changeme + transferProxyTokenEncryptionAesKey: aesKey + + + postgresql: + nameOverride: edc-postgresql + primary: + persistence: + enabled: false + size: 1Gi + auth: + database: edc + username: *postgresuser + postgresPassword: *postgrespass + password: *postgrespass + username: *postgresuser + password: *postgrespass + jdbcUrl: "jdbc:postgresql://{{ .Release.Name }}-edc-postgresql:5432/edc" + +digital-twin-registry: + enabled: true + enableKeycloak: false + + postgresql: + auth: + existingSecret: registry-db-postresinit + primary: + persistence: + enabled: false + size: 1Gi + + registry: + host: digital-twin-registry.test + ingress: + enabled: false + authentication: false + livenessProbe: + failureThreshold: 10 + initialDelaySeconds: 60 + periodSeconds: 10 + 
readinessProbe: + failureThreshold: 10 + initialDelaySeconds: 60 + periodSeconds: 10 + +simple-data-backend: + enabled: true + image: + tag: "main" + ingress: + enabled: false + +vault: + enabled: true + nameOverride: edc-provider-vault + injector: + enabled: false + server: + postStart: + - sh + - -c + - |- + { + sleep 5 + /bin/vault kv put secret/client-secret content=kEmH7QRPWhKfy8f+x0pFMw== + /bin/vault kv put secret/aesKey content=YWVzX2VuY2tleV90ZXN0Cg== + } + dev: + enabled: true + devRootToken: root + ingress: + enabled: true \ No newline at end of file
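Review bot: The defaults enable an ingress for the Vault chart (`vault.server.ingress.enabled: true`) while Vault runs in dev mode with `devRootToken: root`, so a plain `helm install` on any cluster with an ingress controller exposes a secret store with a well-known root token to the network; default it to `enabled: false` as the int profiles already do and let operators opt in. The same file ships `edcKey: TEST`, `testuser`/`testpass` for Postgres, `readOnlyRootFilesystem: false`, a literal base64 `client-secret` seeded in `postStart`, and `simple-data-backend.image.tag: "main"`, a moving tag that defeats reproducible deployments — acceptable for minikube, but nothing marks the file as such. Add a banner under the license header, `# Local/minikube defaults only: every credential below is a placeholder and the Vault is a dev-mode instance; never deploy this file unchanged`, and consider pinning the backend image to a released tag or digest.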