diff --git a/.gitignore b/.gitignore index e4e5f6c..542b089 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,4 @@ -*~ \ No newline at end of file +*~ +.idea +Chart.lock +charts/ \ No newline at end of file diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/README.md b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/README.md index b9e8a7d..aa2c0ee 100644 --- a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/README.md +++ b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/README.md @@ -3,9 +3,10 @@ The following describes how to setup a full instance of the FIWARE Business API Ecosystem (BAE) in the context of an i4Trust Data Space. This includes the BAE itself, as well as the required databases and an Identity Provider (Keyrock) for administrative -access to the BAE. +access to the BAE. If you would like to add login with [Verifiable Credentials](https://www.w3.org/TR/vc-data-model/) to +the Marketplace, there is optional section for that. -This repository provides examples of the [Helm values files](./values) which show the minimum configuration +This repository provides examples of the [Helm values files](./values), which shows the minimum configuration parameters to be set. Adapt these for your setup before proceeding with the instructions. The helm chart of the BAE with all possible configuration values can be found here: @@ -26,9 +27,10 @@ helm repo add fiware https://fiware.github.io/helm-charts/ helm repo update ``` -We will assume that all components will be deployed within the namespace `marketplace`. +We will assume that all components will be deployed within the namespace `demo-marketplace`. So, if you have another +name for the namespace, make sure to replace it everywhere. ```shell -kubectl create ns marketplace +kubectl create ns demo-marketplace ``` Due to the iSHARE specification, requests can contain very large headers with the signed JWTs. 
@@ -57,19 +59,25 @@ The following databases are required: First modify the corresponding [values files](./values) according to your needs and then deploy the required databases MongoDB, MySQL and elasticsearch using `helm`. ```shell +# Deploy MySQL for Credentials Config Service and Trusted Issuers List +helm dependency build mysql/ +helm install -f ./mysql/values.yaml --namespace demo-marketplace mysql ./mysql + # Deploy elasticsearch -helm install -f ./values/values-elastic.yml --namespace marketplace elasticsearch elastic/elasticsearch --version 7.5.1 +helm dependency build elastic/ +helm install -f ./elastic/values.yaml --namespace demo-marketplace elasticsearch ./elastic -# Deploy MySQL: -helm install -f ./values/values-mysql.yml --namespace marketplace mysql t3n/mysql --version 1.0.0 +# Deploy MySQL for Marketplace: +helm dependency build mysql-bae/ +helm install -f ./mysql-bae/values.yaml --namespace demo-marketplace mysql-bae ./mysql-bae # Deploy MongoDB -helm install -f ./values/values-mongodb.yml --namespace marketplace mongodb bitnami/mongodb --version 12.1.31 +helm dependency build mongodb/ +helm install -f ./mongodb/values.yaml --namespace demo-marketplace mongodb ./mongodb ``` - ## Identity Provider (Keyrock) An instance of the Keyrock Identity Provider dedicated to the BAE is required in order to have 
@@ -78,11 +86,12 @@ on the standard OAuth2 protocol, whereas the Identity Providers deployed at the service consumers follow the OpenID Connect protocol based on iSHARE specifications. Therefore this Keyrock instance does not require any iSHARE-specific configuration. -Modify the Keyrock [values file](./values/values-keyrock.yml) according to your needs and deploy the Keyrock Identity Provider. +Modify the Keyrock [values file](./values/keyrock/values.yaml) according to your needs and deploy the Keyrock Identity Provider. Make sure to setup an Ingress or OpenShift route in the values file for external access of the UI (e.g. https://keyrock.domain.org). ```shell -helm install -f ./values/values-keyrock.yml --namespace marketplace keyrock fiware/keyrock --version 0.6.0 +helm dependency build keyrock/ +helm install -f ./keyrock/values.yaml --namespace demo-marketplace keyrock ./keyrock ``` In a browser open the Keyrock UI (e.g. https://keyrock.domain.org) and login with the admin credentials provided in 
@@ -108,10 +117,96 @@ basically only need the `admin` role. Service providers and consumers will login +## Setting up environment for login with verifiable credentials + + +### WaltId + +Adjust values file for [waltid](./values/walt-id/values.yaml) +according to your needs and install it on your cluster. Default values could be checked at +[chart repo](https://github.com/i4Trust/helm-charts/blob/main/charts/vcwaltid/values.yaml) +```shell +helm dependency build walt-id/ +helm install --namespace demo-marketplace waltid ./walt-id/ -f ./walt-id/values.yaml +``` + + +### Keycloak + +Adjust values file for [keycloak](./values/keycloak/values.yaml) according +to your needs. Check the [chart repo](https://github.com/bitnami/charts/blob/main/bitnami/keycloak/values.yaml) +for default values. +```shell +helm dependency build keycloak/ +helm install --namespace demo-marketplace keycloak ./keycloak/ -f ./keycloak/values.yaml +``` + + +### Trusted Issuers List + +Modify values file for [trusted issuers list](./values/trusted-issuers-list/values.yaml) and install it on your cluster. +Check [chart repo](https://github.com/FIWARE/helm-charts/blob/main/charts/trusted-issuers-list/values.yaml) for more +details. +```shell +helm dependency build trusted-issuers-list/ +helm install --namespace demo-marketplace til ./trusted-issuers-list/ -f ./trusted-issuers-list/values.yaml +``` + + +### Orion-LD + +Orion-LD also needs to be installed, since TIR component depends on it. Check [chart repo](https://github.com/FIWARE/helm-charts/blob/main/charts/orion/values.yaml) +to see the default values to install it. +```shell +helm dependency build orion-ld/ +helm install --namespace demo-marketplace orion-ld ./orion-ld/ -f ./orion-ld/values.yaml +``` + + +### Trusted Issuers Registry + +Adjust values file for [trusted issuers registry](./values/trusted-issuers-registry/values.yaml) according to your needs +and install it on your cluster. 
Check [chart repo](https://github.com/FIWARE/helm-charts/blob/main/charts/trusted-issuers-registry/values.yaml) +for more details. +```shell +helm dependency build trusted-issuers-registry/ +helm install --namespace demo-marketplace til ./trusted-issuers-registry/ -f ./trusted-issuers-registry/values.yaml +``` + + +### Credentials Config Service + +[Verifier](https://github.com/FIWARE/VCVerifier) is responsible to communicate with wallets and verify the credentials +they provide. To get this done, it needs information about: + +* the credentials to be requested from a wallet +* the credentials and claims an issuer is allowed to issue + +To do so, it requires a service that provides such information, e.g. the [Credentials Config Service] +(https://github.com/fiware/credentials-config-service) + +Modify values file for [credentials-config-service](./values/credentials-config-service/values.yaml) +and install it on your cluster. To see the default values, see [chart repo](https://github.com/FIWARE/helm-charts/blob/main/charts/credentials-config-service/values.yaml). +```shell +helm dependency build credentials-config-service/ +helm install --namespace demo-marketplace ccs ./credentials-config-service/ -f ./credentials-config-service/values.yaml +``` + + +### Verifier + +Adjust values file for [verifier](./values/verifier/values.yaml) according to your needs and install it on your cluster. +Check the [chart repo](https://github.com/i4Trust/helm-charts/blob/main/charts/vcverifier/values.yaml) for more details. +```shell +helm dependency build verifier/ +helm install --namespace demo-marketplace verifier ./verifier/ -f ./verifier/values.yaml +``` + + ## Business API Ecosystem (Marketplace) Finally, install the Business API Ecosystem. Make sure to setup an Ingress or OpenShift route in the -[values file](./values/values-marketplace.yml) for external +[values file](values/bae/values.yaml) for external access of the Marketplace UI / Logic Proxy (e.g. 
https://marketplace.domain.org). Furthermore adapt the configuration options for the databases, elasticsearch and Keyrock instance which have been setup before. This includes setting the OAuth2 credentials noted down before (parameters `oauth.clientId` and `oauth.clientSecret`). @@ -124,7 +219,8 @@ login dialog of the marketplace UI. The private key and certificate chain issued for the marketplace must be added in PEM format. ```shell # Deploy BAE -helm install -f ./values/values-marketplace.yml --namespace marketplace bae fiware/business-api-ecosystem --version 0.5.0 +helm dependency build bae/ +helm install -f ./bae/values.yaml --namespace demo-marketplace bae ./bae ``` The deployment of all components will take some time. When the logic proxy component has been deployed and changed to the running state, diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/bae/Chart.yaml b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/bae/Chart.yaml new file mode 100644 index 0000000..0f0314b --- /dev/null +++ b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/bae/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +name: bae +description: BAE Chart + +type: application +version: 0.6.11 +appVersion: "8.1.0" + +dependencies: + - name: business-api-ecosystem + version: 0.6.4 + repository: https://fiware.github.io/helm-charts diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/bae/templates/secrets.yaml b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/bae/templates/secrets.yaml new file mode 100644 index 0000000..f2f3aa2 --- /dev/null +++ b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/bae/templates/secrets.yaml 
@@ -0,0 +1,35 @@ +apiVersion: v1 +kind: Secret +metadata: + name: bae-apis-secret +type: Opaque +stringData: + dbPassword: 'password' +--- +apiVersion: v1 +kind: Secret +metadata: + name: bae-rss-secret +type: Opaque +stringData: + dbPassword: 'password' +--- +apiVersion: v1 +kind: Secret +metadata: + name: bae-cb-secret +type: Opaque +stringData: + dbPassword: 'password' + paypalClientSecret: 'password' + pluginsIdmPassword: 'password' + smtpPassword: 'password' +--- +apiVersion: v1 +kind: Secret +metadata: + name: bae-lp-secret +type: Opaque +stringData: + dbPassword: 'password' + oauthClientSecret: 'password' \ No newline at end of file diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/bae/values.yaml b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/bae/values.yaml new file mode 100644 index 0000000..4eb03fd --- /dev/null +++ b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/bae/values.yaml 
@@ -0,0 +1,337 @@ +business-api-ecosystem: + # is the target environment openshift? + openshift: true + + initContainer: + mysql: + image: "quay.io/i4trust/mysql" + apis: + image: "quay.io/i4trust/busybox:1.32" + + ## Marketplace OAuth and IdM configuration + ## + oauth: + # URL of the FIWARE IDM used for user authentication + server: https://idp-marketplace.domain.org + # OAuth2 Client ID of the BAE applicaiton + clientId: marketplace-id + # -- Callback URL path of frontend logic proxy for receiving the access tokens + callbackPath: /auth/fiware/callback + # -- IDP provider for passport strategy (fiware, keycloak, github, ...) + provider: fiware + # -- Default role: Role to be used if no role is assigned to user (optional) + defaultRole: seller + + siop: + enabled: true + clientId: marketplace-client + verifier: + host: https://verifier-marketplace.domain.org + # Configuration for the Credential Config Service initiation + ccs: + endpoint: "http://ccs-credentials-config-service.demo.svc.cluster.local:8080" + credentials: + - type: "VerifiableCredential" + trustedParticipantsLists: [ + "https://tir.domain.org" + ] + trustedIssuersLists: [ + ] + - type: "MarketplaceUserCredential" + trustedParticipantsLists: [ + "https://tir.domain.org" + ] + trustedIssuersLists: [ + ] + + ## External URL used to access the BAE frontend (logic proxy) + ## Should match the host of the Ingress or Route of the Logic Proxy + ## + externalUrl: https://marketplace.domain.org + + ## Configuration for biz-ecosystem-apis component + ## + bizEcosystemApis: + + ## Service account + serviceAccount: + create: false + + ## Security context + securityContext: + ## -- specifies the user UID + runAsUser: 0 + ## -- specifies the group GID + runAsGroup: 0 + + # Existing Secret + existingSecret: bae-apis-secret + + ## -- deployment specific configuration + deployment: + ## -- configuration of the image to be used + image: + ## -- BAE APIs image name + ## ref: 
https://hub.docker.com/r/fiware/biz-ecosystem-apis + repository: quay.io/fiware/biz-ecosystem-apis + ## -- tag of the image to be used + tag: v8.1.0-rc1 + ## -- specification of the image pull policy + pullPolicy: IfNotPresent + + ## port that the APIs container uses + port: 8080 + + ## database configuration for APIs + db: + ## host of the database to be used + host: mysql-bae + ## password for connecting the database + #password: dbPassword + + + ## Configuration for biz-ecosystem-rss component + ## + bizEcosystemRss: + + ## Service account + serviceAccount: + create: false + + ## Security context + securityContext: + ## -- specifies the user UID + runAsUser: 0 + ## -- specifies the group GID + runAsGroup: 0 + + # Existing Secret + existingSecret: bae-rss-secret + + ## -- deployment specific configuration + deployment: + ## -- configuration of the image to be used + image: + ## -- BAE RSS image name + ## ref: https://hub.docker.com/r/fiware/biz-ecosystem-rss + repository: quay.io/fiware/biz-ecosystem-rss + ## -- tag of the image to be used + tag: v8.0.0 + ## -- specification of the image pull policy + pullPolicy: IfNotPresent + #pullPolicy: Always + + ## port that the RSS container uses + port: 8080 + + ## database configuration for RSS + db: + ## host of the database to be used + host: mysql-bae + ## URL connection string of the database to be used + url: jdbc:mysql://mysql-bae:3306/RSS + ## password for connecting the database + #password: dbPassword + + + ## Configuration for biz-ecosystem-charging-backend component + ## + bizEcosystemChargingBackend: + + ## Service account + serviceAccount: + create: false + + ## Security context + securityContext: + ## -- specifies the user UID + runAsUser: 0 + ## -- specifies the group GID + runAsGroup: 0 + + # Existing Secret + existingSecret: bae-cb-secret + + ## -- deployment specific configuration + deployment: + ## -- configuration of the image to be used + image: + ## -- BAE Charging backend image name + ## ref: 
https://hub.docker.com/r/fiware/biz-ecosystem-charging-backend + repository: quay.io/fiware/biz-ecosystem-charging-backend + ## -- tag of the image to be used + tag: v8.1.0-dev-rc1 + ## -- specification of the image pull policy + #pullPolicy: IfNotPresent + pullPolicy: Always + + ## -- PVC configuration for charging backend plugins + plugins: + ## -- Enable the PVC for plugins storage + enabled: true + ## -- Annotations + annotations: + helm.sh/resource-policy: "keep" + + ## -- PVC configuration for charging backend media directories (/assets and /bills) + media: + # -- Enable the PVC for media storage + enabled: true + + ## port that the charging backend container uses + port: 8006 + + # -- Loglevel + loglevel: debug + + ## payment configuration + payment: + ## method: paypal or None (testing mode payment disconected) + method: None + + ## database configuration for Charging backend (MongoDB) + db: + ## host of the database to be used + host: mongodb + ## Database name for connecting the database + database: charging_db + ## username for connecting the database + user: charging + ## password for connecting the database + #password: charging + + ## -- Configuration for backing up the pvcs of the charging backend into a gcs-bucket + backup: + ## -- should the backup for file data be enabled + enabled: false + + # -- Sets wehther to expect the user access token in each request from the logic proxy + propagateToken: false + + # -- Base app path of charging backend (for versions < 8.1.0: /business-ecosystem-charging-backend, for versions >= 8.1.0: /opt/business-ecosystem-charging-backend) + basePath: /opt/business-ecosystem-charging-backend + + # -- List of additional ENV vars to be set, e.g., to be used in asset plugins + extraEnvVars: + - name: BAE_PLUGIN_VC + value: "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" + + ## -- Configuration of local key and certificate for validation and generation of tokens + token: + enabled: false + + + + ## Configuration for 
biz-ecosystem-logic-proxy component + ## + bizEcosystemLogicProxy: + + ## Service account + serviceAccount: + create: false + + ## Security context + securityContext: + ## -- specifies the user UID + runAsUser: 0 + ## -- specifies the group GID + runAsGroup: 0 + + # Existing Secret + existingSecret: bae-lp-secret + + ## -- statefulset specific configuration + statefulset: + ## -- configuration of the image to be used + image: + ## -- BAE Logic Proxy image name + ## ref: https://hub.docker.com/r/fiware/biz-ecosystem-logic-proxy + repository: fiware/biz-ecosystem-logic-proxy + ## -- tag of the image to be used + tag: v8.1.0-dev + ## -- specification of the image pull policy + pullPolicy: IfNotPresent + #pullPolicy: IfNotPresent + + ## openshift specific route definition. Will not work on plain k8s + route: + ## -- should the deployment create openshift routes + enabled: true + # -- Routes that should be created + routes: + - host: marketplace.domain.org + tls: + termination: edge + insecureEdgeTerminationPolicy: Redirect + certificate: + issuer: + kind: ClusterIssuer + name: letsencrypt-aws-prod + + ## ingress configuration + ## OpenShift: oc label namespace marketplace ingress=nginx + ingress: + ## should there be an ingress to connect keyrock with the public internet + enabled: false + + + ## port that the logic proxy container uses + port: 8004 + + ## Deployment in development or in production + nodeEnvironment: development + + ## database configuration for Logic Proxy (MongoDB) + db: + # host of the database to be used + host: mongodb + # Database name for connecting the database + database: belp_db + # username for connecting the database + user: belp + # password for connecting the database + #password: belp + + ## -- elasticsearch configuration + elastic: + ## -- indexing engine of logic proxy + engine: elasticsearch + ## -- URL of elasticsearch service + url: elasticsearch-master:9200 + ## -- API version of elasticsearch + version: 7.5 + + # -- Base app path 
of logic proxy (for versions < 8.1.0: /business-ecosystem-logic-proxy, for versions >= 8.1.0: /opt/business-ecosystem-logic-proxy) + basePath: /opt/business-ecosystem-logic-proxy + #basePath: /business-ecosystem-logic-proxy + + ## -- Custom theme configuration + theme: + ## -- Enable theme + enabled: true + ## -- Name of the theme + name: i4trust + ## -- Size of PVC to be created + size: 4Gi + ## Image which holds the theme files + image: quay.io/wi_stefan/bae-i4trust-theme:1.0.1 + # -- specification of the image pull policy + imagePullPolicy: Always + ## Path to the source theme files inside the container + # Files will be copied to /themes/{{name}} with the PVC mounted at /themes + sourcePath: /bae-i4trust-theme + + ## -- Configuration for external IDPs + externalIdp: + # -- Enable usage of external IDPs + enabled: true + # -- Show login button for local IDP + showLocalLogin: true + + # -- Sets wehther the logic proxy should propagate the user access token to the backend components + propagateToken: false + + ## -- Configuration of local key and certificate for validation and generation of tokens + token: + enabled: false + diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/credentials-config-service/Chart.yaml b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/credentials-config-service/Chart.yaml new file mode 100644 index 0000000..fe36544 --- /dev/null +++ b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/credentials-config-service/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +name: marketplace-ccs +description: CCS Chart + +type: application +version: 0.0.1 +appVersion: "0.0.1" + +dependencies: + - name: credentials-config-service + version: 0.0.1 + repository: https://fiware.github.io/helm-charts 
diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/credentials-config-service/values.yaml b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/credentials-config-service/values.yaml new file mode 100644 index 0000000..e5937d1 --- /dev/null +++ b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/credentials-config-service/values.yaml @@ -0,0 +1,14 @@ +credentials-config-service: + deployment: + image: + repository: quay.io/fiware/credentials-config-service + tag: 0.0.1 + database: + persistence: true + host: mysql-marketplace + username: root + name: ccs + existingSecret: + enabled: true + name: mysql-secret + key: dbPassword \ No newline at end of file diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/elastic/Chart.yaml b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/elastic/Chart.yaml new file mode 100644 index 0000000..b177ab2 --- /dev/null +++ b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/elastic/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +name: elasticsearch +description: Elasticsearch Chart + +type: application +version: 0.1.0 +appVersion: "7.5.1" + +dependencies: +- name: elasticsearch + version: 7.5.1 + repository: https://helm.elastic.co \ No newline at end of file diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/elastic/templates/role-binding.yaml b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/elastic/templates/role-binding.yaml new file mode 100644 index 0000000..75a8928 --- /dev/null +++ b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/elastic/templates/role-binding.yaml 
@@ -0,0 +1,17 @@ +{{- if .Values.openshift -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ .Release.Name }}-elasticsearch-rb + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} +subjects: + - kind: ServiceAccount + name: elasticsearch-sa + namespace: {{ .Release.Namespace | quote }} +roleRef: + kind: Role + name: {{ .Release.Name }}-elasticsearch-scc-anyuid + apiGroup: rbac.authorization.k8s.io +{{- end -}} \ No newline at end of file diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/elastic/templates/role-openshift.yaml b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/elastic/templates/role-openshift.yaml new file mode 100644 index 0000000..d2738db --- /dev/null +++ b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/elastic/templates/role-openshift.yaml @@ -0,0 +1,19 @@ +{{- if .Values.openshift }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ .Release.Name }}-elasticsearch-scc-anyuid + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - anyuid + - privileged + resources: + - securitycontextconstraints + verbs: + - use +{{- end }} diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/elastic/templates/service-account.yaml b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/elastic/templates/service-account.yaml new file mode 100644 index 0000000..375d022 --- /dev/null +++ b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/elastic/templates/service-account.yaml @@ -0,0 +1,9 @@ +{{- if .Values.openshift -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: elasticsearch-sa + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} +{{- end -}} \ No newline at end of file 
diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/elastic/values.yaml b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/elastic/values.yaml new file mode 100644 index 0000000..723f9a2 --- /dev/null +++ b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/elastic/values.yaml @@ -0,0 +1,18 @@ +elasticsearch: + replicas: 1 + minimumMasterNodes: 1 + clusterHealthCheckParams: "wait_for_status=yellow&timeout=1s" + + persistence: + enabled: false + + rbac: + create: false + serviceAccountName: elasticsearch-sa + + image: "quay.io/i4trust/elasticsearch" + imageTag: "7.5.1" + imagePullPolicy: "IfNotPresent" + +openshift: + enabled: true diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keycloak/Chart.yaml b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keycloak/Chart.yaml new file mode 100644 index 0000000..b75ab00 --- /dev/null +++ b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keycloak/Chart.yaml @@ -0,0 +1,10 @@ +apiVersion: v2 +name: keycloak +description: A Helm chart for Kubernetes to deploy Keycloak +type: application +version: 1.0.0 +appVersion: "17.0.1" +dependencies: +- name: keycloak + version: 13.0.3 + repository: https://charts.bitnami.com/bitnami \ No newline at end of file diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keycloak/templates/_helpers.tpl b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keycloak/templates/_helpers.tpl new file mode 100644 index 0000000..253d7ea --- /dev/null +++ b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keycloak/templates/_helpers.tpl 
@@ -0,0 +1,53 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "keycloak.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "keycloak.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "keycloak.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "keycloak.labels" -}} +helm.sh/chart: {{ include "keycloak.chart" . }} +{{ include "keycloak.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app: {{ include "keycloak.name" . }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "keycloak.selectorLabels" -}} +app.kubernetes.io/name: {{ include "keycloak.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keycloak/templates/certificate.yaml b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keycloak/templates/certificate.yaml new file mode 100644 index 0000000..078d1dc --- /dev/null +++ b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keycloak/templates/certificate.yaml 
@@ -0,0 +1,15 @@ +{{- if .Values.route.certificate -}} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ include "keycloak.fullname" . }} + labels: + {{ include "keycloak.labels" . | nindent 4 }} +spec: + secretName: {{ include "keycloak.fullname" . }}-tls-sec + issuerRef: + {{- toYaml .Values.route.certificate.issuer | nindent 4 }} + commonName: {{ .Values.route.host }} + dnsNames: + - {{ .Values.route.host }} +{{- end -}} \ No newline at end of file diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keycloak/templates/didConfigMap.yaml b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keycloak/templates/didConfigMap.yaml new file mode 100644 index 0000000..8754a42 --- /dev/null +++ b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keycloak/templates/didConfigMap.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "keycloak.fullname" . }}-did-config +data: + import.sh: |- + export KEY=$(cat /opt/did/secret/tls.key) + export KEY_ID=$(curl --location "${WALTID_CORE_ADDRESS}/v1/key/import" --header 'Content-Type: text/plain' --data "${KEY}" | jq -r '.id') + echo The key id: ${KEY_ID} + curl --location "${WALTID_CORE_ADDRESS}/v1/did/create" \ + --header 'Content-Type: application/json' \ + --data "{ + \"method\": \"web\", + \"keyAlias\":\"${KEY_ID}\", + \"domain\": \"{{ .Values.waltid.host }}\", + \"path\": \"did\", + \"x5u\": \"https://{{ .Values.waltid.host }}/certs/tls.crt\" + }" diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keycloak/templates/issuerKeyConfigMap.yaml b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keycloak/templates/issuerKeyConfigMap.yaml new file mode 100644 index 0000000..d078c81 --- /dev/null +++ b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keycloak/templates/issuerKeyConfigMap.yaml 
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "keycloak.fullname" . }}-key +data: + keyfile.json: |- + { + "kty": "OKP", + "d": "FoJjD3Q6Wh0JHt-tuN3bwGHmPSWa7p8pVe9P9cDIzWw", + "use": "sig", + "crv": "Ed25519", + "kid": "z6MkvdQnXeKgRceAhNsZYjpQjSFcmTXshyGDvnNw7gziQhjG", + "x": "8FSufgpQ8VXgxnR5svvi-j8_4iXxB0TIsVVb0EiRP7s", + "alg": "EdDSA" + } \ No newline at end of file diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keycloak/templates/profilesConfigMap.yaml b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keycloak/templates/profilesConfigMap.yaml new file mode 100644 index 0000000..ba18b9a --- /dev/null +++ b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keycloak/templates/profilesConfigMap.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "keycloak.fullname" . }}-profile +data: + profile.properties: |- + feature.scripts=enabled + feature.upload_scripts=enabled \ No newline at end of file diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keycloak/templates/realmConfigMap.yaml b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keycloak/templates/realmConfigMap.yaml new file mode 100644 index 0000000..ed0adcc --- /dev/null +++ b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keycloak/templates/realmConfigMap.yaml @@ -0,0 +1,591 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "keycloak.fullname" . }}-realm +data: + realm.json: |- + { + "id": "fiware-server", + "realm": "fiware-server", + "accountTheme": "siop-2", + "displayName": "Keycloak Marketplace", + "displayNameHtml": "
Keycloak Marketplace
", + "enabled": true, + "attributes": { + "frontendUrl": "https://{{ .Values.route.host }}" + }, + "sslRequired": "none", + "roles": { + "realm": [ + { + "name": "user", + "description": "User privileges", + "composite": false, + "clientRole": false, + "containerId": "fiware-server", + "attributes": {} + } + ], + "client": { + "did:web:packetdelivery.dsba.fiware.dev:did": [ + { + "name": "CREATE_ISSUER", + "description": "Is allowed to create issuers", + "clientRole": true + }, + { + "name": "UPDATE_ISSUER", + "description": "Is allowed to update issuers", + "clientRole": true + }, + { + "name": "DELETE_ISSUER", + "description": "Is allowed to delete issuers", + "clientRole": true + } + ] + } + }, + "groups": [ + { + "name": "admin", + "path": "/admin", + "realmRoles": [ + "user" + ], + "clientRoles": { + } + }, + { + "name": "consumer", + "path": "/consumer", + "realmRoles": [ + "user" + ], + "clientRoles": { + } + } + ], + "users": [ + { + "username": "marketplace", + "enabled": true, + "email": "marketplace@mymail.com", + "credentials": [ + { + "type": "password", + "value": "marketplace" + } + ], + "clientRoles": { + "did:web:packetdelivery.dsba.fiware.dev:did": [ + "CREATE_ISSUER" + ], + "account": [ + "view-profile", + "manage-account" + ] + }, + "groups": [ + "/consumer" + ] + } + ], + "clients": [ + { + "clientId": "did:web:packetdelivery.dsba.fiware.dev:did", + "enabled": true, + "description": "Client to receive Verifiable Credentials targeted at verifier-one.batterypass.fiware.dev", + "surrogateAuthRequired": false, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "defaultRoles": [], + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": true, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "SIOP-2", + "attributes": { 
+ "client.secret.creation.time": "1675260539", + "expiryInMin": "5000000", + "vctypes_ActivationService": "ldp_vc,jwt_vc_json", + "ActivationService_claims": "email,firstName,familyName,roles" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "defaultClientScopes": [], + "optionalClientScopes": [] + } + ], + "clientScopes": [ + { + "name": "offline_access", + "description": "OpenID Connect built-in scope: offline_access", + "protocol": "openid-connect", + "attributes": { + "consent.screen.text": "${offlineAccessScopeConsentText}", + "display.on.consent.screen": "true" + } + }, + { + "name": "microprofile-jwt", + "description": "Microprofile - JWT built-in scope", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "name": "upn", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "upn", + "jsonType.label": "String" + } + }, + { + "name": "groups", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "multivalued": "true", + "user.attribute": "foo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "groups", + "jsonType.label": "String" + } + } + ] + }, + { + "name": "roles", + "description": "OpenID Connect scope for add user roles to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "true", + "consent.screen.text": "${rolesScopeConsentText}" + }, + "protocolMappers": [ + { + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + 
"consentRequired": false, + "config": {} + }, + { + "name": "client roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-client-role-mapper", + "consentRequired": false, + "config": { + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "resource_access.${client_id}.roles", + "jsonType.label": "String", + "multivalued": "true" + } + }, + { + "name": "realm roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "realm_access.roles", + "jsonType.label": "String", + "multivalued": "true" + } + } + ] + }, + { + "name": "email", + "description": "OpenID Connect built-in scope: email", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${emailScopeConsentText}" + }, + "protocolMappers": [ + { + "name": "email", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "email", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email", + "jsonType.label": "String" + } + }, + { + "name": "email verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "emailVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email_verified", + "jsonType.label": "boolean" + } + } + ] + }, + { + "name": "phone", + "description": "OpenID Connect built-in scope: phone", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${phoneScopeConsentText}" + }, + "protocolMappers": [ + { + 
"name": "phone number verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "phoneNumberVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number_verified", + "jsonType.label": "boolean" + } + }, + { + "name": "phone number", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "phoneNumber", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number", + "jsonType.label": "String" + } + } + ] + }, + { + "name": "address", + "description": "OpenID Connect built-in scope: address", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${addressScopeConsentText}" + }, + "protocolMappers": [ + { + "name": "address", + "protocol": "openid-connect", + "protocolMapper": "oidc-address-mapper", + "consentRequired": false, + "config": { + "user.attribute.formatted": "formatted", + "user.attribute.country": "country", + "user.attribute.postal_code": "postal_code", + "userinfo.token.claim": "true", + "user.attribute.street": "street", + "id.token.claim": "true", + "user.attribute.region": "region", + "access.token.claim": "true", + "user.attribute.locality": "locality" + } + } + ] + }, + { + "name": "role_list", + "description": "SAML role list", + "protocol": "saml", + "attributes": { + "consent.screen.text": "${samlRoleListScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "name": "role list", + "protocol": "saml", + "protocolMapper": "saml-role-list-mapper", + "consentRequired": false, + "config": { + "single": "false", + "attribute.nameformat": "Basic", + "attribute.name": "Role" + } + } + ] + }, + { 
+ "name": "profile", + "description": "OpenID Connect built-in scope: profile", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${profileScopeConsentText}" + }, + "protocolMappers": [ + { + "name": "zoneinfo", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "zoneinfo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "zoneinfo", + "jsonType.label": "String" + } + }, + { + "name": "nickname", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "nickname", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "nickname", + "jsonType.label": "String" + } + }, + { + "name": "profile", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "profile", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "profile", + "jsonType.label": "String" + } + }, + { + "name": "full name", + "protocol": "openid-connect", + "protocolMapper": "oidc-full-name-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true", + "userinfo.token.claim": "true" + } + }, + { + "name": "birthdate", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "birthdate", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "birthdate", + "jsonType.label": "String" + } + }, + { + "name": "family name", + "protocol": "openid-connect", + 
"protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "lastName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "family_name", + "jsonType.label": "String" + } + }, + { + "name": "picture", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "picture", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "picture", + "jsonType.label": "String" + } + }, + { + "name": "website", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "website", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "website", + "jsonType.label": "String" + } + }, + { + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + }, + { + "name": "username", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "preferred_username", + "jsonType.label": "String" + } + }, + { + "name": "given name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "firstName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "given_name", + 
"jsonType.label": "String" + } + }, + { + "name": "updated at", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "updatedAt", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "updated_at", + "jsonType.label": "String" + } + }, + { + "name": "middle name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "middleName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "middle_name", + "jsonType.label": "String" + } + }, + { + "name": "gender", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "gender", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "gender", + "jsonType.label": "String" + } + } + ] + }, + { + "name": "web-origins", + "description": "OpenID Connect scope for add allowed web origins to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false", + "consent.screen.text": "" + }, + "protocolMappers": [ + { + "name": "allowed web origins", + "protocol": "openid-connect", + "protocolMapper": "oidc-allowed-origins-mapper", + "consentRequired": false, + "config": {} + } + ] + } + ], + "defaultDefaultClientScopes": [ + "roles", + "role_list", + "email", + "web-origins", + "profile" + ], + "defaultOptionalClientScopes": [ + "microprofile-jwt", + "phone", + "address", + "offline_access" + ] + } \ No newline at end of file 
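Review bot: the realm import seeds a bootstrap account whose password equals its username (`"username": "marketplace"` with `"value": "marketplace"`) and sets `"sslRequired": "none"` at realm level; the credential should be injected from a Secret rather than committed in the realm JSON, and since the route below terminates TLS the realm should use `external` or `all` for `sslRequired`. In the `clients` entry for `did:web:packetdelivery.dsba.fiware.dev:did`, the description "Client to receive Verifiable Credentials targeted at verifier-one.batterypass.fiware.dev" names a different deployment than the clientId, which reads like a copy-paste leftover, and `"expiryInMin": "5000000"` gives credentials issued to this client a lifetime of roughly nine and a half years; a much shorter default (hours or days) with the value documented is the safer choice for a reference example.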
diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keycloak/templates/route.yaml b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keycloak/templates/route.yaml new file mode 100644 index 0000000..ffc394c --- /dev/null +++ b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keycloak/templates/route.yaml @@ -0,0 +1,25 @@ +{{- if .Values.route.enabled -}} +{{- $fullName := include "keycloak.fullname" . -}} +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: {{ include "keycloak.fullname" . }} + labels: + {{ include "keycloak.labels" . | nindent 4 }} + annotations: + cert-utils-operator.redhat-cop.io/certs-from-secret: {{ include "keycloak.fullname" . }}-tls-sec + {{- with .Values.route.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + host: {{ .Values.route.host}} + to: + kind: Service + name: {{ $fullName }} + {{- if .Values.route.tls }} + tls: + {{- with .Values.route.tls }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keycloak/values.yaml b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keycloak/values.yaml new file mode 100644 index 0000000..b070a48 --- /dev/null +++ b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keycloak/values.yaml 
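Review bot: style points in route.yaml: `host: {{ .Values.route.host}}` is missing the space before `}}`, and `$fullName` is assigned at the top but `include "keycloak.fullname" .` is still evaluated twice in `metadata`; use `$fullName` in all three places. The `labels:` line uses `{{ include "keycloak.labels" . | nindent 4 }}` without a left trim, which emits a whitespace-only line before the labels; `{{- include "keycloak.labels" . | nindent 4 }}` matches the form used for `annotations` and `tls` just below.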
@@ -0,0 +1,118 @@ +route: + enabled: true + host: marketplace-kc.domain.org + tls: + insecureEdgeTerminationPolicy: Redirect + termination: edge + certificate: + issuer: + kind: ClusterIssuer + name: letsencrypt-aws-prod + +keycloak: + service: + type: ClusterIP + logging: + level: INFO + replicaCount: 1 + auth: + adminUser: fiwareAdmin + adminPassword: fiwareAdmin + serviceAccount: + create: true + rbac: + create: true + rules: + - apiGroups: + - security.openshift.io + resourceNames: + - anyuid + resources: + - securitycontextconstraints + verbs: + - use + + + keycloakConfigCli: + enabled: true + # current image does not contain 20.0.3., thus we need this fix + command: + - java + - -jar + - /opt/bitnami/keycloak-config-cli/keycloak-config-cli-20.0.1.jar + + extraEnvVars: + - name: IMPORT_FILES_LOCATIONS + value: "/config/*" + containerSecurityContext: + enabled: false + podSecurityContext: + enabled: false + existingConfigmap: keycloak-realm + + extraEnvVars: + - name: KEYCLOAK_PROXY_ADDRESS_FORWARDING + value: "true" + - name: KEYCLOAK_LOG_LEVEL + value: INFO + - name: VCISSUER_ISSUER_DID + value: "did:web:marketplace.demo.fiware.dev:did" + - name: VCISSUER_WALTID_ADDRESS + value: "http://waltid-vcwaltid" + + + extraVolumeMounts: + - name: profiles + mountPath: /opt/bitnami/keycloak/conf/profile.properties + subPath: profile.properties + - name: providers + mountPath: /opt/bitnami/keycloak/providers/ + - name: issuer-key + mountPath: /opt/keys + + extraVolumes: + - name: profiles + configMap: + name: keycloak-profile + - name: providers + emptyDir: {} + - name: issuer-key + configMap: + name: keycloak-key + - name: did-config + configMap: + name: keycloak-did-config + - name: did-secret + secret: + secretName: waltid-vcwaltid-tls-sec + + + initContainers: + - name: add-vc-issuer + image: quay.io/fiware/keycloak-vc-issuer:0.4.0 + imagePullPolicy: Always + volumeMounts: + - name: providers + mountPath: /target + - name: load-did + image: 
quay.io/opencloudio/curl:4.2.0-build.8 + imagePullPolicy: Always + command: + - /bin/sh + - /opt/did/script/import.sh + env: + - name: WALTID_CORE_ADDRESS + value: "waltid-vcwaltid:7000" + volumeMounts: + - name: did-config + mountPath: /opt/did/script + - name: did-secret + mountPath: /opt/did/secret + + postgresql: + enabled: true + serviceAccount: + name: keycloak + +waltid: + host: marketplace.domain.org \ No newline at end of file diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keyrock/Chart.yaml b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keyrock/Chart.yaml new file mode 100644 index 0000000..5f53c82 --- /dev/null +++ b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keyrock/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +name: keyrock +description: Keyrock Chart + +type: application +version: 0.6.0 +appVersion: "8.1.0" + +dependencies: + - name: keyrock + version: 0.6.0 + repository: https://fiware.github.io/helm-charts diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keyrock/templates/post-hook.yaml b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keyrock/templates/post-hook.yaml new file mode 100644 index 0000000..417d59d --- /dev/null +++ b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keyrock/templates/post-hook.yaml 
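Review bot: `keycloak.auth.adminPassword: fiwareAdmin` puts a plaintext admin credential into a committed values file; it should be read from a Kubernetes Secret, and at minimum the README should tell the reader to change it before deploying. `VCISSUER_ISSUER_DID` is hardcoded to `did:web:marketplace.demo.fiware.dev:did` while every host in this file is a `domain.org` placeholder (`route.host: marketplace-kc.domain.org`, `waltid.host: marketplace.domain.org`); a `did:web` identifier resolves via its host, so the DID must be derived from the same host the reader sets, otherwise the example does not resolve once the placeholders are replaced. The comment "current image does not contain 20.0.3., thus we need this fix" sits above a command that runs `keycloak-config-cli-20.0.1.jar`, so it neither states which version is in use nor why; reword it to say which jar is shipped and which one is being overridden. Finally, the keycloakConfigCli block disables both `podSecurityContext` and `containerSecurityContext`, and the RBAC rule grants `use` on the `anyuid` SecurityContextConstraint; a one-line comment on why these relaxations are needed (and that they are OpenShift-specific) would keep readers from copying them onto plain Kubernetes.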
@@ -0,0 +1,33 @@ +{{- if .Values.keyrock.initScript.initEnabled -}} +apiVersion: v1 +kind: Pod +metadata: + name: keyrock-app-create-{{ randAlphaNum 5 | lower }} + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation + "helm.sh/hook-weight": "1" +spec: + containers: + - name: app-create + image: quay.io/wi_stefan/mysql:5.7 + command: + - /bin/sh + - /scripts/create.sh + volumeMounts: + - name: scripts + mountPath: /scripts + env: + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: keyrock-secret + key: dbPassword + - name: APP_SECRET + value: {{ .Values.marketplace.secret | quote }} + volumes: + - name: scripts + configMap: + name: keyrock-app-create-cm + restartPolicy: Never +{{- end }} diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keyrock/templates/script-cm.yaml b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keyrock/templates/script-cm.yaml new file mode 100644 index 0000000..51d4613 --- /dev/null +++ b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/keyrock/templates/script-cm.yaml @@ -0,0 +1,27 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: keyrock-app-create-cm + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation + "helm.sh/hook-weight": "1" +data: + create.sh: |- + + mysql -h {{ .Values.keyrock.db.host }} -u {{ .Values.keyrock.db.user }} -p$DB_PASSWORD {{ .Values.keyrock.initScript.dbName }} < - -# In local environments, specific setup may be required. For more info, see: -# https://github.com/elastic/helm-charts/tree/master/elasticsearch#how-to-deploy-this-chart-on-a-specific-k8s-distribution diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/values-keyrock.yml b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/values-keyrock.yml deleted file mode 100644 index 3c15c25..0000000 --- a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/values-keyrock.yml +++ /dev/null 
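Review bot: the hook Pod in post-hook.yaml is annotated only with `"helm.sh/hook": post-upgrade`, so the Keyrock application is never created on the initial `helm install`; use `post-install,post-upgrade` here and in script-cm.yaml. Both objects carry `"helm.sh/hook-weight": "1"`, so nothing guarantees the ConfigMap `keyrock-app-create-cm` exists before the Pod mounts it; give the ConfigMap a lower weight. `APP_SECRET` is set inline from `{{ .Values.marketplace.secret | quote }}`, which writes the OAuth client secret into the Pod spec in plaintext, whereas `DB_PASSWORD` is correctly taken from `keyrock-secret`; source the app secret from a Secret as well. In `create.sh` the password is passed as `-p$DB_PASSWORD` on the mysql command line, where it is visible in the process list inside the container; `MYSQL_PWD` in the environment or a `--defaults-extra-file` avoids that. The image `quay.io/wi_stefan/mysql:5.7` is a personal-namespace image for a hook that receives the database root password; an official image pinned by digest is preferable. Note also that the extracted text of script-cm.yaml ends at `<` and then continues with the deletion of values-elastic.yml, so the remainder of the script body could not be reviewed here.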
@@ -1,64 +0,0 @@ -# Values for fiware/keyrock Helm Chart -# -# Chart values file: -# ref: https://github.com/FIWARE/helm-charts/blob/main/charts/keyrock/values.yaml -# - -## deployment specific configuration -statefulset: - ## configuration of the image to be used - image: - ## keyrock image name - ## ref: https://hub.docker.com/r/fiware/idm - repository: fiware/idm - ## tag of the image to be used - tag: 8.1.0 - ## specification of the image pull policy - pullPolicy: IfNotPresent - -## Set either an ingress or openshift route for making Keyrock externally available -## -## openshift specific route definition. Will not work on plain k8s -route: - ## -- should the deployment create openshift routes - enabled: false -## ingress configuration -ingress: - ## should there be an ingress to connect keyrock with the public internet - enabled: false - -## database configuration for keyrock -db: - ## host of the database to be used (K8s internal service hostname) - host: mysql.marketplace.svc.cluster.local - ## user for connecting the database - user: root - ## password for connecting the database (MySQL root password) - password: - -## admin configuration for accessing keyrock -admin: - ## username of the initial keyrock admin - user: admin - ## password of the initial admin - password: - ## email address of the admin user - email: my@mail.org - -## -- Configuration of local key and certificate for validation and generation of tokens -token: - # -- Enable storage of local key and certificate - enabled: false - -## a list of additional env vars to be set, check the keyrock docu for all available options -## ref: https://fiware-idm.readthedocs.io/en/latest/installation_and_administration_guide/environment_variables/index.html -additionalEnvVars: - # Title to be displayed on default theme UI - - name: IDM_TITLE - value: i4Trust Marketplace IDP - # Name of the database to be created within the MySQL - - name: IDM_DB_NAME - value: idm - # Initialize and seed database on startup 
- - name: IDM_DB_SEED - value: "true" diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/values-marketplace.yml b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/values-marketplace.yml deleted file mode 100644 index d84e610..0000000 --- a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/values-marketplace.yml +++ /dev/null 
@@ -1,291 +0,0 @@ -# Values for fiware/business-api-ecosystem Helm Chart -# -# Chart values file: -# ref: https://github.com/FIWARE/helm-charts/blob/main/charts/business-api-ecosystem/values.yaml -# - - -## Marketplace OAuth and IdM configuration -## -oauth: - # URL of the FIWARE IDM dedicated to the BAE used for user authentication (administrative access) - # Should match the host of the Ingress or Route of the Keyrock instance - server: https://keyrock.domain.org - # OAuth2 Client ID of the BAE application within Keyrock - clientId: - # OAuth2 Client Secret of the BAE application within Keyrock - clientSecret: - - -## External URL used to access the BAE frontend (logic proxy) -## Should match the host of the Ingress or Route of the Logic Proxy -## -externalUrl: https://marketplace.domain.org - - -## Configuration for biz-ecosystem-apis component -## -bizEcosystemApis: - ## -- deployment specific configuration - deployment: - ## -- configuration of the image to be used - image: - ## -- tag of the image to be used - tag: v8.1.0-rc1 - ## -- specification of the image pull policy - pullPolicy: IfNotPresent - - ## database configuration for APIs (MySQL) - db: - ## host of the database to be used (K8s internal service hostname) - host: mysql.marketplace.svc.cluster.local - ## password for connecting the database (MySQL root password) - password: - - ## port that the APIs container uses - port: 8080 - - ## Service account (might be necessary on OpenShift) - #serviceAccount: - # create: false - # name: - - ## Security context (might be necessary on OpenShift) - #securityContext: - ## -- specifies the user UID - # runAsUser: 0 - ## -- specifies the group GID - # runAsGroup: 0 - - -## Configuration for biz-ecosystem-rss component -## -bizEcosystemRss: - ## -- deployment specific configuration - deployment: - ## -- configuration of the image to be used - image: - ## -- tag of the image to be used - tag: v8.0.0 - ## -- specification of the image pull policy - pullPolicy: 
IfNotPresent - - ## database configuration for RSS (MySQL) - db: - ## host of the database to be used (K8s internal service hostname) - host: mysql.marketplace.svc.cluster.local - ## URL connection string of the database to be used (leave the port and DB name RSS unchanged) - url: jdbc:mysql://mysql.marketplace.svc.cluster.local:3306/RSS - ## password for connecting the database (MySQL root password) - password: - - ## port that the RSS container uses - port: 8080 - - ## Service account (might be necessary on OpenShift) - #serviceAccount: - # create: false - # name: - - ## Security context (might be necessary on OpenShift) - #securityContext: - ## -- specifies the user UID - # runAsUser: 0 - ## -- specifies the group GID - # runAsGroup: 0 - - -## Configuration for biz-ecosystem-charging-backend component -## -bizEcosystemChargingBackend: - ## -- deployment specific configuration - deployment: - ## -- configuration of the image to be used - image: - ## -- BAE Charging backend image name - ## ref: https://hub.docker.com/r/fiware/biz-ecosystem-charging-backend - repository: fiware/biz-ecosystem-charging-backend - ## -- tag of the image to be used - tag: v8.1.0-dev - ## -- specification of the image pull policy - pullPolicy: IfNotPresent - - ## -- PVC configuration for charging backend plugins - ## Enable to allow loading plugins from PVC. 
- plugins: - ## -- Enable the PVC for plugins storage - enabled: true - - ## database configuration for Charging backend (MongoDB) - db: - ## host of the database to be used (K8s internal service hostname) - host: mongodb.marketplace.svc.cluster.local - ## Database name for connecting the database - database: charging_db - ## username for connecting the database - user: charging - ## password for connecting the database (MongoDB password of user charging) - password: charging-password - - ## port that the charging backend container uses - port: 8006 - - ## payment configuration - payment: - ## method: paypal or None - method: None - - ## Paypal Oauth2 configuration (if payment.method == paypal) - #paypal: - ## Paypal Client-ID - # clientId: - ## Paypal Client-Secret - # clientSecret: - - # -- Sets wehther to expect the user access token in each request from the logic proxy - propagateToken: false - - ## -- Configuration of local key and certificate for validation and generation of tokens - token: - enabled: true - identifier: "EU.EORI.NLMARKETPLA" - key: | - -----BEGIN PRIVATE KEY----- - - -----END PRIVATE KEY----- - cert: | - -----BEGIN CERTIFICATE----- - - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - - -----END CERTIFICATE----- - - ## Service account (might be necessary on OpenShift) - #serviceAccount: - # create: false - # name: - - ## Security context (might be necessary on OpenShift) - #securityContext: - ## -- specifies the user UID - # runAsUser: 0 - ## -- specifies the group GID - # runAsGroup: 0 - - - -## Configuration for biz-ecosystem-logic-proxy component -## -bizEcosystemLogicProxy: - ## Set either an ingress or openshift route for making the Marketplace UI externally available - ## - ## openshift specific route definition. 
Will not work on plain k8s - route: - ## -- should the deployment create openshift routes - enabled: false - ## ingress configuration - ingress: - ## -- should there be an ingress to connect the logic proxy with the public internet - enabled: false - - ## -- statefulset specific configuration - statefulset: - ## -- configuration of the image to be used - image: - ## -- BAE Logic Proxy image name - ## ref: https://hub.docker.com/r/fiware/biz-ecosystem-logic-proxy - repository: fiware/biz-ecosystem-logic-proxy - ## -- tag of the image to be used - tag: v8.1.0-dev - ## -- specification of the image pull policy - pullPolicy: IfNotPresent - - ## database configuration for Logic Proxy (MongoDB) - db: - # host of the database to be used (K8s internal service hostname) - host: mongodb.marketplace.svc.cluster.local - # Database name for connecting the database - database: belp_db - # username for connecting the database - user: belp - # password for connecting the database (MongoDB password of user charging) - password: belp-password - - ## -- elasticsearch configuration - elastic: - ## -- indexing engine of logic proxy - engine: elasticsearch - ## -- URL of elasticsearch service - url: elasticsearch-master.marketplace.svc.cluster.local:9200 - ## -- API version of elasticsearch - version: 7.5 - - ## -- Base app path of logic proxy - basePath: /opt/business-ecosystem-logic-proxy - - ## Deployment in development or in production - nodeEnvironment: production - - ## port that the logic proxy container uses - port: 8004 - - ## -- Custom theme configuration - theme: - ## -- Enable theme - enabled: true - ## -- Name of the theme - name: i4trust - ## -- Size of PVC to be created - size: 4Gi - ## Image which holds the theme files - image: i4trust/bae-i4trust-theme:1.0.1 - # -- specification of the image pull policy - imagePullPolicy: Always - ## Path to the source theme files inside the container - # Files will be copied to /themes/{{name}} with the PVC mounted at /themes - 
sourcePath: /bae-i4trust-theme - - ## -- Configuration for external IDPs - externalIdp: - # -- Enable usage of external IDPs - enabled: true - # -- Show login button for local IDP - showLocalLogin: true - - # -- Sets wehther the logic proxy should propagate the user access token to the backend components - propagateToken: false - - ## -- Configuration of local key and certificate for validation and generation of tokens - token: - enabled: true - identifier: "EU.EORI.NLMARKETPLA" - key: | - -----BEGIN PRIVATE KEY----- - - -----END PRIVATE KEY----- - cert: | - -----BEGIN CERTIFICATE----- - - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - - -----END CERTIFICATE----- - - ## Service account (might be necessary on OpenShift) - #serviceAccount: - # create: false - # name: - - ## Security context (might be necessary on OpenShift) - #securityContext: - ## -- specifies the user UID - # runAsUser: 0 - ## -- specifies the group GID - # runAsGroup: 0 diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/values-mongodb.yml b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/values-mongodb.yml deleted file mode 100644 index 81b9d77..0000000 --- a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/values-mongodb.yml +++ /dev/null 
@@ -1,85 +0,0 @@ -# Values for bitnami/mongodb Helm Chart -# -# Chart values file: -# ref: https://github.com/bitnami/charts/blob/master/bitnami/mongodb/values.yaml -# - -image: - ## Bitnami MongoDB image name - ## - repository: bitnami/mongodb - ## Bitnami MongoDB image tag - ## ref: https://hub.docker.com/r/bitnami/mongodb/tags/ - ## - tag: 4.4.13 - -## MongoDB architecture. Allowed values: standalone or replicaset -## -architecture: standalone - -## Use StatefulSet instead of Deployment when deploying standalone -## -useStatefulSet: false - -## MongoDB Authentication parameters -## -auth: - ## Enable authentication - ## ref: https://docs.mongodb.com/manual/tutorial/enable-authentication/ - ## - enabled: true - ## MongoDB root password - ## ref: https://github.com/bitnami/bitnami-docker-mongodb/blob/master/README.md#setting-the-root-password-on-first-run - ## - rootPassword: - -## initdb scripts -## Specify dictionary of scripts to be run at first boot -## -## This creates the required databases and users for the charging backend -## and logic proxy (belp) BAE components. Make sure to set these DB user -## configurations and databases for the corresponding components. -## -## If you omit the creation of databases and users during deployment, make sure -## to create these databases and users afterwards manually before proceeding with the -## BAE deployment. -## -initdbScripts: - init_db.js: | - // Setup charging DB - db = db.getSiblingDB('charging_db'); - db.createUser( - { - user: "charging", - pwd: "charging-password", - roles: [ - { - role: "readWrite", - db: "charging_db" - } - ] - }); - // Setup proxy DB - db = db.getSiblingDB('belp_db'); - db.createUser( - { - user: "belp", - pwd: "belp-password", - roles: [ - { - role: "readWrite", - db: "belp_db" - } - ] - }); -## MongoDB pods' Security Context. 
(might be necessary on OpenShift) -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod -## -#podSecurityContext: -# enabled: false - -## MongoDB containers' Security Context (main and metrics container). (might be necessary on OpenShift) -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container -## -#containerSecurityContext: -# enabled: false diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/values-mysql.yml b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/values-mysql.yml deleted file mode 100644 index fb3c941..0000000 --- a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/values-mysql.yml +++ /dev/null @@ -1,20 +0,0 @@ -# Values for t3n/mysql Helm Chart -# -# Chart values file: -# ref: https://github.com/t3n/helm-charts/blob/master/mysql/values.yaml -# - -image: "mysql" -imageTag: "5.7" - -## Specify password for root user -## -## Default: random 10 character string -## -## Make sure to set this password in the component configurations -## using the MySQL database. -mysqlRootPassword: - -## Security context (might be necessary on OpenShift) -#securityContext: -# enabled: false diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/verifier/Chart.yaml b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/verifier/Chart.yaml new file mode 100644 index 0000000..2a5e279 --- /dev/null +++ b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/verifier/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +name: vcverifier +description: Verifier Chart + +type: application +version: 0.0.8 +appVersion: "0.0.1" + +dependencies: + - name: vcverifier + version: 1.0.9 + repository: https://i4Trust.github.io/helm-charts 
diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/verifier/values.yaml b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/verifier/values.yaml new file mode 100644 index 0000000..392611e --- /dev/null +++ b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/verifier/values.yaml @@ -0,0 +1,29 @@ +vcverifier: + deployment: + image: + repository: quay.io/fiware/vcverifier + tag: 2.0.5 + pullPolicy: Always + logging: + level: DEBUG + pathsToSkip: + - "/health" + ssikit: + auditorUrl: http://waltid-vcwaltid:7003 + verifier: + tirAddress: https://tir.domain.org/v3/issuers + did: did:web:marketplace.demo.fiware.dev:did + configRepo: + configEndpoint: http://ccs-credentials-config-service:8080/ + + route: + enabled: true + host: verifier-marketplace.domain.org + tls: + insecureEdgeTerminationPolicy: Redirect + termination: edge + certificate: + issuer: + kind: ClusterIssuer + name: letsencrypt-aws-prod + diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/walt-id/Chart.yaml b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/walt-id/Chart.yaml new file mode 100644 index 0000000..bc64fb8 --- /dev/null +++ b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/walt-id/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +name: vcwaltid +description: Chart holder for argo-cd + +type: application +version: 0.0.16 +appVersion: "0.0.1" + +dependencies: + - name: vcwaltid + version: 0.0.17 + repository: https://i4Trust.github.io/helm-charts \ No newline at end of file diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/walt-id/templates/_helpers.tpl b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/walt-id/templates/_helpers.tpl new file mode 100644 index 0000000..d20124b --- /dev/null +++ b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/walt-id/templates/_helpers.tpl 
@@ -0,0 +1,53 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "waltid.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "waltid.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "waltid.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "waltid.labels" -}} +helm.sh/chart: {{ include "waltid.chart" . }} +{{ include "waltid.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app: {{ include "waltid.name" . }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "waltid.selectorLabels" -}} +app.kubernetes.io/name: {{ include "waltid.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/walt-id/templates/certificate.yaml b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/walt-id/templates/certificate.yaml new file mode 100644 index 0000000..14d4bc8 --- /dev/null +++ b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/walt-id/templates/certificate.yaml 
@@ -0,0 +1,15 @@ +{{- if .Values.route.certificate -}} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ include "waltid.fullname" . }} + labels: + {{ include "waltid.labels" . | nindent 4 }} +spec: + secretName: {{ include "waltid.fullname" . }}-tls-sec + issuerRef: + {{- toYaml .Values.route.certificate.issuer | nindent 4 }} + commonName: {{ .Values.route.host }} + dnsNames: + - {{ .Values.route.host }} +{{- end -}} \ No newline at end of file diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/walt-id/templates/deployment.yaml b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/walt-id/templates/deployment.yaml new file mode 100644 index 0000000..3d4bb92 --- /dev/null +++ b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/walt-id/templates/deployment.yaml @@ -0,0 +1,39 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "waltid.fullname" . }}-certs + labels: + app.kubernetes.io/name: {{ include "waltid.name" . }}-certs + app.kubernetes.io/instance: {{ .Release.Name }} +spec: + replicas: 1 + revisionHistoryLimit: 3 + selector: + matchLabels: + app.kubernetes.io/name: {{ include "waltid.name" . }}-certs + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "waltid.name" . }}-certs + app.kubernetes.io/instance: {{ .Release.Name }} + spec: + serviceAccountName: default + containers: + - name: {{ .Chart.Name }} + imagePullPolicy: Always + image: "lipanski/docker-static-website:2.1.0" + ports: + - name: http + containerPort: 3000 + protocol: TCP + volumeMounts: + - name: certs + mountPath: /home/static/certs + volumes: + - name: certs + secret: + secretName: {{ include "waltid.fullname" . }}-tls-sec + items: + - key: tls.crt + path: tls.crt \ No newline at end of file 
diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/walt-id/templates/route-certs.yaml b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/walt-id/templates/route-certs.yaml new file mode 100644 index 0000000..94a8dcf --- /dev/null +++ b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/walt-id/templates/route-certs.yaml @@ -0,0 +1,28 @@ +{{- if .Values.route.enabled -}} +{{- $fullName := include "waltid.fullname" . -}} +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: {{ include "waltid.fullname" . }}-certs + labels: + {{ include "waltid.labels" . | nindent 4 }} + annotations: + cert-utils-operator.redhat-cop.io/certs-from-secret: {{ include "waltid.fullname" . }}-tls-sec + {{- with .Values.route.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + host: {{ .Values.route.host}} + path: /certs + port: + targetPort: 3000 + to: + kind: Service + name: {{ include "waltid.fullname" . }}-certs + {{- if .Values.route.tls }} + tls: + {{- with .Values.route.tls }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/walt-id/templates/route.yaml b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/walt-id/templates/route.yaml new file mode 100644 index 0000000..485a0c2 --- /dev/null +++ b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/walt-id/templates/route.yaml 
@@ -0,0 +1,29 @@ +{{- if .Values.route.enabled -}} +{{- $fullName := include "waltid.fullname" . -}} +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: {{ include "waltid.fullname" . }} + labels: + {{ include "waltid.labels" . | nindent 4 }} + annotations: + haproxy.router.openshift.io/rewrite-target: /v1/did/{{ .Values.did }} + cert-utils-operator.redhat-cop.io/certs-from-secret: {{ include "waltid.fullname" . }}-tls-sec + {{- with .Values.route.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + host: {{ .Values.route.host}} + path: /did/did.json + port: + targetPort: 7000 + to: + kind: Service + name: {{ $fullName }} + {{- if .Values.route.tls }} + tls: + {{- with .Values.route.tls }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/walt-id/templates/service.yaml b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/walt-id/templates/service.yaml new file mode 100644 index 0000000..a50ca54 --- /dev/null +++ b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/walt-id/templates/service.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "waltid.fullname" . }}-certs + labels: + {{ include "waltid.labels" . | nindent 4 }} +spec: + type: ClusterIP + ports: + - port: 3000 + targetPort: 3000 + protocol: TCP + name: http + selector: + app.kubernetes.io/name: {{ include "waltid.name" . }}-certs + app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/walt-id/values.yaml b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/walt-id/values.yaml new file mode 100644 index 0000000..2cb9750 --- /dev/null +++ b/PacketDelivery-ReferenceExample/i4Trust-Marketplace/values/walt-id/values.yaml 
@@ -0,0 +1,59 @@ +did: did:web:marketplace.demo.fiware.dev:did + +route: + enabled: true + host: marketplace.domain.org + tls: + insecureEdgeTerminationPolicy: Redirect + termination: edge + certificate: + issuer: + kind: ClusterIssuer + name: letsencrypt-aws-prod + +vcwaltid: + deployment: + image: + repository: quay.io/fiware/waltid + tag: 1.14.1-SNAPSHOT + pullPolicy: Always + api: + core: + enabled: true + auditor: + enabled: true + signatory: + enabled: true + custodian: + enabled: true + essif: + enabled: true + + persistence: + enabled: true + pvc: + size: 1Gi + + templates: + ActivationService.json: | + { + "@context": ["https://www.w3.org/2018/credentials/v1"], + "credentialSchema": { + "id": "https://raw.githubusercontent.com/FIWARE-Ops/i4trust-provider/main/docs/schema.json", + "type": "FullJsonSchemaValidator2021" + }, + "credentialSubject": { + "id": "did:ebsi:2AEMAqXWKYMu1JHPAgGcga4dxu7ThgfgN95VyJBJGZbSJUtp", + "roles": [{ + "names": ["CREATE_ISSUER"], + "target": "did:elsi:packetdelivery" + }] + }, + "id": "urn:uuid:3add94f4-28ec-42a1-8704-4e4aa51006b4", + "issued": "2021-08-31T00:00:00Z", + "issuer": "did:ebsi:2A9BZ9SUe6BatacSpvs1V5CdjHvLpQ7bEsi2Jb6LdHKnQxaN", + "validFrom": "2021-08-31T00:00:00Z", + "issuanceDate": "2021-08-31T00:00:00Z", + "type": ["VerifiableCredential", "ActivationService"] + } +
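Review bot: in the deleted values-mongodb.yml hunk, the removed `initdbScripts` block created the `charging` and `belp` users with literal passwords (`pwd: "charging-password"`, `pwd: "belp-password"`) and left `rootPassword:` empty; the replacement `./mongodb` chart is not part of this diff, so confirm that it still creates both databases and users (the removed comment says the charging backend and logic proxy depend on them) and that the passwords are supplied from a Secret rather than committed again as plaintext in a values file.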
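Review bot: the deleted values-mysql.yml hunk carried the only documentation that `mysqlRootPassword:` defaults to a random 10-character string and has to be copied into the component configurations that use MySQL; nothing in the added files repeats this, so the replacement chart (not in this diff) should keep that comment, otherwise a reader will not know the root password must match the BAE component values.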
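Review bot: `appVersion: "0.0.1"` in the verifier Chart.yaml hunk does not match the image this chart actually deploys (`tag: 2.0.5` in the verifier values.yaml hunk); either set it to the vcverifier version or drop it, because appVersion ends up in the `app.kubernetes.io/version` label and a wrong value misleads inventory and vulnerability matching.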
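Review bot: `logging.level: DEBUG` in the verifier values.yaml hunk is a poor default for a reference deployment of a component that receives verifiable presentations; ship INFO and mention DEBUG only as an opt-in for troubleshooting. Also, `did`, `tirAddress` and `route.host` use three different domains (`marketplace.demo.fiware.dev`, `tir.domain.org`, `verifier-marketplace.domain.org`); one consistent placeholder would make it obvious which values the user has to replace.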
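Review bot: the walt-id Chart.yaml hunk lacks a trailing newline (`\ No newline at end of file`), and its description `Chart holder for argo-cd` does not say what the chart adds around the `vcwaltid` dependency (the did:web document Route, the Certificate and the certificate-serving Deployment); a descriptive line helps when the chart shows up in Helm or Argo CD listings.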
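Review bot: in the deployment.yaml hunk the `certs` volume references secret `{{ include "waltid.fullname" . }}-tls-sec` unconditionally, but that secret is only created by certificate.yaml when `.Values.route.certificate` is set; without it the pod never leaves ContainerCreating because the volume cannot be mounted. Either wrap deployment, service and route-certs in the same `{{- if .Values.route.certificate -}}` guard or mark the secret volume `optional: true`. Two smaller points: the pod runs with `serviceAccountName: default` although a static file server needs no API access, so a dedicated service account with `automountServiceAccountToken: false` is the least-privilege choice; and mounting only `tls.crt` (never `tls.key`) is correct and deserves a comment so nobody "completes" the mount later.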
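Review bot: `$fullName` is defined at the top of the route-certs.yaml hunk but never used (every name goes through `include "waltid.fullname" .` again), and `host: {{ .Values.route.host}}` is missing the space before `}}`; both are harmless to Helm but inconsistent with route.yaml, which uses `$fullName` in `to.name`. This Route also publishes the certificate from the `-tls-sec` secret on `/certs` without authentication; that is fine for a public certificate, but state it in the README so the exposed path is not mistaken for a leak.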
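Review bot: in the route.yaml hunk the rewrite maps `/did/did.json` to `/v1/did/{{ .Values.did }}`, and did:web resolution of the default `did:web:marketplace.demo.fiware.dev:did` fetches `https://marketplace.demo.fiware.dev/did/did.json`, whereas `route.host` defaults to `marketplace.domain.org`; the two values must name the same host or resolution fails. Consider deriving the DID from the host in the template (`did:web:{{ .Values.route.host }}:did`) or at least document that both have to be changed together. `{{ .Values.route.host}}` has the same missing space as in route-certs.yaml.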
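Review bot: `tag: 1.14.1-SNAPSHOT` together with `pullPolicy: Always` in the walt-id values.yaml hunk pulls a mutable tag on every pod start, so two installs of this reference example can run different builds; pin a released tag or an image digest. In the `ActivationService.json` template, `credentialSchema.id` points at the `main` branch of a GitHub repository, so what passes `FullJsonSchemaValidator2021` changes whenever that branch changes; reference a tagged commit instead. Finally, all five walt-id APIs (`core`, `auditor`, `signatory`, `custodian`, `essif`) are enabled while the verifier values only reference `auditorUrl`; unless the marketplace also issues credentials (the ActivationService template suggests it may), disable the signatory and custodian APIs so the key-handling surface is not exposed needlessly.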