Merge pull request #57 from eclipse-tractusx/chore/add-miw-and-vault

Chore/add miw and vault
eclipse-tractusx · Apr 4, 2024 · e3548fb · e3548fb
2 parents 61f5331 + 1e08179
commit e3548fb
Show file tree

Hide file tree

Showing 4 changed files with 128 additions and 1 deletion.
diff --git a/charts/umbrella/Chart.yaml b/charts/umbrella/Chart.yaml
@@ -28,7 +28,7 @@ sources:
   - https://github.com/eclipse-tractusx/e2e-testing
 
 type: application
-version: 0.5.0
+version: 0.6.0
 
 dependencies:
 #  # TODO: update edc components to R23.12
@@ -70,3 +70,13 @@ dependencies:
     name: sdfactory
     repository: https://eclipse-tractusx.github.io/charts/dev
     version: 2.1.12
+    # vault
+  - name: vault
+    condition: vault.enabled
+    repository: https://helm.releases.hashicorp.com
+    version: 0.20.0
+    # miw
+  - name: managed-identity-wallet
+    repository: https://eclipse-tractusx.github.io/charts/dev
+    version: 0.4.0
+    condition: managed-identity-wallet.enabled
diff --git a/charts/umbrella/templates/post-install-vault-setup.yaml b/charts/umbrella/templates/post-install-vault-setup.yaml
@@ -0,0 +1,62 @@
+# #############################################################################
+# Copyright (c) 2021,2024 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# #############################################################################
+---
+{{ if .Values.vault.enabled }}
+{{- $vaultToken := .Values.vault.token -}}
+{{- $vaultUrl := tpl .Values.vault.url . -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ .Release.Name }}-post-install-vault-setup
+  labels:
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/instance: {{ .Release.Name | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+  annotations:
+    # This is what defines this resource as a hook. Without this line, the
+    # job is considered part of the release.
+    "helm.sh/hook": post-install
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  template:
+    metadata:
+      name: "{{ .Release.Name }}"
+      labels:
+        app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+        app.kubernetes.io/instance: {{ .Release.Name | quote }}
+        helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    spec:
+      restartPolicy: Never
+      containers:
+        - name: post-install-job
+          image: "ubuntu:mantic"
+          command:
+            - "/bin/sh"
+            - "-c"
+            - |
+              apt-get update && apt-get install -y --no-install-recommends wget
+              {{- range $key, $value := .Values.vault.secrets }}
+              wget --retry-connrefused --waitretry=1 --read-timeout=20 --timeout=15 -t 0 --header 'Content-Type: application/json' \
+              --header 'X-Vault-Token: {{ $vaultToken }}' \
+              --post-data '{"data": {"content": "{{ $value }}"}}' \
+              "{{ $vaultUrl }}/v1/secret/data/{{ $key }}"
+              {{- end }}
+{{ end }}
diff --git a/charts/umbrella/values.yaml b/charts/umbrella/values.yaml
@@ -216,3 +216,57 @@ sdfactory:
     clearingHouseClientId: ""
     # -- Details for Clearing House Client Secret
     clearingHouseClientSecret: ""
+
+vault:
+  enabled: true
+  token: &vault-token root
+  url: http://{{ .Release.Name }}-vault:8200
+  secrets:
+    # TODO add test secret or secret reference. Can this be generated?
+    edc-test-miw-keycloak-secret: miw_private_client
+    # TODO add certificate or secret reference. Can Key Pairs be generated?
+    tokenSignerPublicKey: >-
+      -----BEGIN CERTIFICATE-----\n
+      test\n
+      -----END CERTIFICATE-----
+    # TODO add certificate or secret reference. Can Key Pairs be generated?
+    tokenSignerPrivateKey: >-
+      -----BEGIN PRIVATE KEY-----\n
+      test\n
+      -----END PRIVATE KEY-----
+    # TODO add test secret or secret reference. Can this be generated?
+    tokenEncryptionAesKey: test
+  injector:
+    enabled: false
+  server:
+    dev:
+      enabled: true
+      devRootToken: *vault-token
+    ingress:
+      enabled: false
+
+managed-identity-wallet:
+  nameOverride: miw
+  fullnameOverride: miw
+  enabled: true
+  miw:
+    authorityWallet:
+      bpn: &authority-bpn "BPNL000000000000"
+    database:
+      host: "{{ .Release.Name }}-miw-postgres"
+      secret: "{{ .Release.Name }}-miw-postgres"
+    keycloak:
+      url: "https://centralidp.example.org"
+      clientId: &miw_client miw_private_client  # TODO switch to existing user
+  postgresql:
+    nameOverride: miw-postgres
+    primary:
+      persistence:
+        enabled: false
+        size: 1Gi
+  keycloak:
+    enabled: false
+  livenessProbe:
+    initialDelaySeconds: 90
+  readinessProbe:
+    initialDelaySeconds: 90
diff --git a/hack/helm-dependencies.bash b/hack/helm-dependencies.bash
@@ -4,6 +4,7 @@
 if ! helm repo list ; then
   echo "Need to add repos"
   helm repo add tractusx https://eclipse-tractusx.github.io/charts/dev
+  helm repo add hashicorp https://helm.releases.hashicorp.com
 fi
 
 # This hack script will download all chart/umbrella dependency charts.