From 4892669c653aa6ada50de0f5a3f03abaa1014e50 Mon Sep 17 00:00:00 2001
From: Jaro Hartmann
Date: Thu, 7 Mar 2024 12:50:15 +0100
Subject: [PATCH 01/13] chore: add vault and secret seeding
---
 charts/umbrella/Chart.yaml | 7 +++-
 .../templates/post-install-vault-setup.yaml | 39 +++++++++++++++++++
 charts/umbrella/values.yaml | 35 +++++++++++++++++
 3 files changed, 80 insertions(+), 1 deletion(-)
 create mode 100644 charts/umbrella/templates/post-install-vault-setup.yaml
diff --git a/charts/umbrella/Chart.yaml b/charts/umbrella/Chart.yaml
index e93fc877..795e1c70 100644
--- a/charts/umbrella/Chart.yaml
+++ b/charts/umbrella/Chart.yaml
@@ -28,7 +28,7 @@ sources:
 - https://github.com/eclipse-tractusx/e2e-testing
 type: application
-version: 0.4.1
+version: 0.5.0
 dependencies:
 #
 # TODO: update edc components to R23.12
@@ -66,3 +66,8 @@ dependencies:
 name: bpndiscovery
 repository: https://eclipse-tractusx.github.io/charts/dev
 version: 0.2.2
+ # vault
+ - name: vault
+ condition: vault.enabled
+ repository: https://helm.releases.hashicorp.com
+ version: 0.20.0
diff --git a/charts/umbrella/templates/post-install-vault-setup.yaml b/charts/umbrella/templates/post-install-vault-setup.yaml
new file mode 100644
index 00000000..5ff795f5
--- /dev/null
+++ b/charts/umbrella/templates/post-install-vault-setup.yaml
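Review bot: The new `vault` dependency lists its keys as `name, condition, repository, version`, while the `bpndiscovery` entry visible just above it uses `name, repository, version`; keeping one key order across the `dependencies:` list makes future entries easier to diff. A one-line comment next to `version: 0.20.0` saying which Vault server version that chart ships would also help, since the umbrella's test fixtures (dev mode, root token) depend on it. The pinned version itself is a good choice; avoid loosening it to a range later.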
@@ -0,0 +1,39 @@
+{{- if .Values.vault.enabled }}
+{{- $vaultToken := .Values.vault.token -}}
+{{- $vaultUrl := .Values.vault.host -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ .Release.Name }}-post-install-vault-setup
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ annotations:
+ # This is what defines this resource as a hook. Without this line, the
+ # job is considered part of the release.
+ "helm.sh/hook": post-install
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+ template:
+ metadata:
+ name: "{{ .Release.Name }}"
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: post-install-job
+ image: "alpine:3.19"
+ command:
+ - "/bin/sh"
+ - "-c"
+ - |
+ {{- range $key, $value := .Values.vault.secrets }}
+ wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' --post-data '{"data": {"content": "{{ $value }}"}}' "{{ $vaultUrl }}/v1/secret/data/{{ $key }}"
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/umbrella/values.yaml b/charts/umbrella/values.yaml
index 7b6ef66e..a2b5c630 100644
--- a/charts/umbrella/values.yaml
+++ b/charts/umbrella/values.yaml
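Review bot: The Vault token and every seeded secret value are rendered straight into the container `command`, so they land in the Job's pod spec and in the release manifest Helm stores in the cluster (visible via `helm get manifest` and `kubectl get job -o yaml`); passing the token as an env var from a Secret and the payload as a mounted file keeps them out of the object spec. The values are also interpolated unescaped into both a JSON body and a single-quoted shell string, so any value containing `"`, `\` or `'` — the PEM blocks in values.yaml are the obvious case — corrupts the payload or the shell command; `--post-data {{ dict "data" (dict "content" $value) | toJson | squote }}` at least yields valid JSON, though an embedded `'` still needs the file-based approach. `$vaultUrl` is taken from `.Values.vault.host`, a bare hostname, so the request URL is `vault.test/v1/...` without a scheme, while the same values block defines `vault.url` with one; the in-cluster service address is presumably what the job should use. Because `hook-delete-policy` lacks `hook-failed`, a failed run leaves the pod (and its secret-bearing command line) in place, which is useful for debugging but worth a comment.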
@@ -188,3 +188,38 @@ discoveryfinder:
 initialDelaySeconds: 200
 postgresql:
 nameOverride: "discoveryfinder-postgresql"
+
+vault:
+ enabled: true
+ host: &vault-host vault.test
+ token: &vault-token root
+ url: http://vault.test
+ secrets:
+ # TODO add test secret or secret reference. Can this be generated?
+ edc-test-miw-keycloak-secret: test
+ # TODO add certificate or secret reference. Can Key Pairs be generated?
+ tokenSignerPublicKey: >-
+ -----BEGIN CERTIFICATE-----\n
+ test\n
+ -----END CERTIFICATE-----
+ # TODO add certificate or secret reference. Can Key Pairs be generated?
+ tokenSignerPrivateKey: >-
+ -----BEGIN PRIVATE KEY-----\n
+ test\n
+ -----END PRIVATE KEY-----
+ # TODO add test secret or secret reference. Can this be generated?
+ tokenEncryptionAesKey: test
+ injector:
+ enabled: false
+ server:
+ dev:
+ enabled: true
+ devRootToken: *vault-token
+ ingress:
+ enabled: true
+ annotations:
+ kubernetes.io/tls-acme: "true"
+ ingressClassName: "nginx"
+ hosts:
+ - host: *vault-host
+ paths: []
From be8323015de9b6794ceff4182837a5fac3e6ab1e Mon Sep 17 00:00:00 2001
From: Jaro Hartmann
Date: Mon, 11 Mar 2024 15:21:10 +0100
Subject: [PATCH 02/13] chore: add miw with config
---
 charts/umbrella/Chart.yaml | 5 +++++
 charts/umbrella/values.yaml | 29 +++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+)
diff --git a/charts/umbrella/Chart.yaml b/charts/umbrella/Chart.yaml
index 795e1c70..ad73aa97 100644
--- a/charts/umbrella/Chart.yaml
+++ b/charts/umbrella/Chart.yaml
@@ -71,3 +71,8 @@ dependencies:
 condition: vault.enabled
 repository: https://helm.releases.hashicorp.com
 version: 0.20.0
+ # miw
+ - name: managed-identity-wallet
+ repository: https://eclipse-tractusx.github.io/charts/dev
+ version: 0.4.0
+ condition: managed-identity-wallet.enabled
diff --git a/charts/umbrella/values.yaml b/charts/umbrella/values.yaml
index a2b5c630..49112bad 100644
--- a/charts/umbrella/values.yaml
+++ b/charts/umbrella/values.yaml
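Review bot: `tokenSignerPublicKey` and `tokenSignerPrivateKey` are `>-` folded scalars whose lines end in a literal backslash-n, so the YAML value is `-----BEGIN CERTIFICATE-----\n test\n -----END CERTIFICATE-----` with a space after each `\n`; once the hook template drops that into a JSON string the `\n` becomes a real newline, but every following PEM line then starts with a stray space. Storing the PEM as a `|-` literal block with real newlines and letting the template JSON-encode it avoids that. `token: &vault-token root` together with `server.dev.enabled: true` and `devRootToken: *vault-token` runs an unsealed in-memory dev Vault whose root token is committed here, and `server.ingress.enabled: true` with `kubernetes.io/tls-acme: "true"` publishes it on `vault.test`; for a throw-away test umbrella that may be intended, but the ingress should stay off unless something outside the cluster has to reach it, and the comment should say so. The existing `# TODO` lines already mark the seeded values as placeholders, which is good.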
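Review bot: The `managed-identity-wallet` entry orders its keys `name, repository, version, condition`, whereas the `vault` entry directly above it (in the hunk's context lines) uses `name, condition, repository, version`; pick one order for the whole `dependencies:` list. The `# miw` comment mirrors the `# vault` one, which is fine, but a short note on why the dev chart repository is used here (as opposed to a release repository) would help readers who later try to pin a stable version.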
@@ -223,3 +223,32 @@ vault:
 hosts:
 - host: *vault-host
 paths: []
+
+managed-identity-wallet:
+ nameOverride: miw
+ enabled: true
+ miw:
+ database:
+ host: "{{ .Release.Name }}-miw-postgres"
+ secret: "{{ .Release.Name }}-miw-postgres"
+ keycloak:
+ url: "http://miw-keycloak.test" # TODO connect to central idp
+ postgresql:
+ nameOverride: miw-postgres
+ primary:
+ persistence:
+ enabled: false
+ size: 1Gi
+ keycloak: # TODO replace with central idp
+ nameOverride: miw-keycloak
+ enabled: true
+ ingress:
+ enabled: true
+ ingressClassName: nginx
+ hostname: miw-keycloak.test
+ postgresql:
+ nameOverride: miw-keycloak-postgres
+ livenessProbe:
+ initialDelaySeconds: 90
+ readinessProbe:
+ initialDelaySeconds: 90
From 7c7a735b2a6f6c51c3c669f8d719bcb8b9f2d6c8 Mon Sep 17 00:00:00 2001
From: Jaro Hartmann
Date: Mon, 11 Mar 2024 15:32:49 +0100
Subject: [PATCH 03/13] chore: add hashicorp to helm dependencies
---
 hack/helm-dependencies.bash | 1 +
 1 file changed, 1 insertion(+)
diff --git a/hack/helm-dependencies.bash b/hack/helm-dependencies.bash
index 1d5e8c27..6bb6613d 100755
--- a/hack/helm-dependencies.bash
+++ b/hack/helm-dependencies.bash
@@ -4,6 +4,7 @@ if ! helm repo list ; then
 echo "Need to add repos"
 helm repo add tractusx https://eclipse-tractusx.github.io/charts/dev
+ helm repo add hashicorp https://helm.releases.hashicorp.com
 fi
 # This hack script will download all chart/umbrella dependency charts.
From e9192d090662d6859289a064133de49e3c676e76 Mon Sep 17 00:00:00 2001
From: Jaro Hartmann
Date: Tue, 12 Mar 2024 16:34:34 +0100
Subject: [PATCH 04/13] chore: increase timeout for helm install
---
 .github/workflows/helm-checks.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/helm-checks.yaml b/.github/workflows/helm-checks.yaml
index c53c0267..d86e3cbb 100644
--- a/.github/workflows/helm-checks.yaml
+++ b/.github/workflows/helm-checks.yaml
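Review bot: `miw.database.host` and `miw.database.secret` embed `{{ .Release.Name }}` inside a values string, which only resolves if the managed-identity-wallet chart runs these values through `tpl`; if it does not, the literal braces reach the wallet's configuration — worth confirming against the subchart's templates and recording in a comment. `miw.keycloak.url: "http://miw-keycloak.test"` points the wallet at the Keycloak ingress hostname over plain `http`, so in-cluster traffic to a sibling chart of the same release leaves through the ingress and depends on `miw-keycloak.test` resolving from inside the cluster, which in a kind-based CI run it presumably does not; the in-cluster service name is the safer target until the `TODO connect to central idp` is resolved. A note on why `primary.persistence.enabled: false` is acceptable (throw-away test data) would complete the block.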
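Review bot: The new `helm repo add hashicorp …` line sits inside `if ! helm repo list ; then`, which only runs when no repositories are configured at all, so a machine that already has `tractusx` registered from an earlier run never gets `hashicorp` added. If the repository is needed, add it unconditionally and idempotently after the `fi`, e.g. `helm repo add hashicorp https://helm.releases.hashicorp.com --force-update`; if the script only runs `helm dependency update`, which resolves the `repository:` URLs from Chart.yaml itself, the repo add may not be needed at all — the rest of the script is outside the hunk, so that part is an inference. The enclosing `if` block starts on the hunk header line.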
@@ -116,7 +116,7 @@ jobs:
 node_image: ${{ github.event.inputs.node_image || 'kindest/node:v1.27.3' }}
 - name: Install chart and run tests
- run: ct install --charts charts/umbrella --target-branch ${{ github.event.repository.default_branch }}
+ run: ct install --charts charts/umbrella --target-branch ${{ github.event.repository.default_branch }} --helm-extra-args string '--timeout 15m'
 ## Skip upgrade for now until a working chart is released
From fed4449a819e1d837c4e66e20d663bcde6713ecd Mon Sep 17 00:00:00 2001
From: Jaro Hartmann
Date: Tue, 12 Mar 2024 16:36:24 +0100
Subject: [PATCH 05/13] chore: update chart version
---
 charts/umbrella/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/umbrella/Chart.yaml b/charts/umbrella/Chart.yaml
index 3ff2627e..4bff7924 100644
--- a/charts/umbrella/Chart.yaml
+++ b/charts/umbrella/Chart.yaml
@@ -28,7 +28,7 @@ sources:
 - https://github.com/eclipse-tractusx/e2e-testing
 type: application
-version: 0.5.0
+version: 0.6.0
 dependencies:
 #
 # TODO: update edc components to R23.12
From a1d400ba0d1ba5b67560d60e2b4e3255295fabed Mon Sep 17 00:00:00 2001
From: Jaro Hartmann
Date: Tue, 12 Mar 2024 16:38:56 +0100
Subject: [PATCH 06/13] chore: increase timeout for helm install
---
 .github/workflows/helm-checks.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/helm-checks.yaml b/.github/workflows/helm-checks.yaml
index d86e3cbb..01fcd196 100644
--- a/.github/workflows/helm-checks.yaml
+++ b/.github/workflows/helm-checks.yaml
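Review bot: `--helm-extra-args string '--timeout 15m'` carries the literal word `string`, which looks copied from the `ct install --help` placeholder; the flag will consume `string` as its value and `'--timeout 15m'` becomes a stray positional argument (rejected or ignored, depending on ct's argument validation), so the timeout never reaches Helm. The intended line is `run: ct install --charts charts/umbrella --target-branch ${{ github.event.repository.default_branch }} --helm-extra-args '--timeout 15m'`. A short comment above the step saying which dependency needs longer than Helm's default to become ready would help whoever tunes this value next. The step list continues outside the hunk.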
@@ -116,7 +116,7 @@ jobs:
 node_image: ${{ github.event.inputs.node_image || 'kindest/node:v1.27.3' }}
 - name: Install chart and run tests
- run: ct install --charts charts/umbrella --target-branch ${{ github.event.repository.default_branch }} --helm-extra-args string '--timeout 15m'
+ run: ct install --charts charts/umbrella --target-branch ${{ github.event.repository.default_branch }} --helm-extra-args '--timeout 15m'
 ## Skip upgrade for now until a working chart is released
From 4b6a4d1e9737f85be1de7dcc134d7d63da92b9db Mon Sep 17 00:00:00 2001
From: Jaro Hartmann
Date: Fri, 15 Mar 2024 13:07:52 +0100
Subject: [PATCH 07/13] chore: fix chart install
---
 .github/workflows/helm-checks.yaml | 2 +-
 .../templates/post-install-vault-setup.yaml | 2 +-
 charts/umbrella/values.yaml | 17 ++++------------
 3 files changed, 6 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/helm-checks.yaml b/.github/workflows/helm-checks.yaml
index 01fcd196..c53c0267 100644
--- a/.github/workflows/helm-checks.yaml
+++ b/.github/workflows/helm-checks.yaml
@@ -116,7 +116,7 @@ jobs:
 node_image: ${{ github.event.inputs.node_image || 'kindest/node:v1.27.3' }}
 - name: Install chart and run tests
- run: ct install --charts charts/umbrella --target-branch ${{ github.event.repository.default_branch }} --helm-extra-args '--timeout 15m'
+ run: ct install --charts charts/umbrella --target-branch ${{ github.event.repository.default_branch }}
 ## Skip upgrade for now until a working chart is released
diff --git a/charts/umbrella/templates/post-install-vault-setup.yaml b/charts/umbrella/templates/post-install-vault-setup.yaml
index 5ff795f5..65ae6620 100644
--- a/charts/umbrella/templates/post-install-vault-setup.yaml
+++ b/charts/umbrella/templates/post-install-vault-setup.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.vault.enabled }}
 {{- $vaultToken := .Values.vault.token -}}
-{{- $vaultUrl := .Values.vault.host -}}
+{{- $vaultUrl := tpl .Values.vault.url . -}}
 apiVersion: batch/v1
 kind: Job
 metadata:
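Review bot: `tpl .Values.vault.url .` now resolves to the in-cluster Vault service, but a `post-install` hook fires once the release's resources have been created, not once the Vault pod is serving, and the `wget` further down the file (outside this hunk) makes a single attempt with no retry; on a cold cluster the hook can fail with a connection refused before Vault listens. A bounded retry loop around the request, or an init container that waits for the service port, closes that window. The service name also depends on the Vault subchart's naming, so a one-line comment above this assignment such as `{{- /* vault.url is a template string; must match the vault subchart's service name */ -}}` would document the coupling. The rest of the template is outside this hunk.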
diff --git a/charts/umbrella/values.yaml b/charts/umbrella/values.yaml
index 4669c4b9..cd91cab4 100644
--- a/charts/umbrella/values.yaml
+++ b/charts/umbrella/values.yaml
@@ -219,9 +219,8 @@ sdfactory:
 vault:
 enabled: true
- host: &vault-host vault.test
 token: &vault-token root
- url: http://vault.test
+ url: http://{{ .Release.Name }}-vault:8200
 secrets:
 # TODO add test secret or secret reference. Can this be generated?
 edc-test-miw-keycloak-secret: test
@@ -244,13 +243,7 @@ vault:
 enabled: true
 devRootToken: *vault-token
 ingress:
- enabled: true
- annotations:
- kubernetes.io/tls-acme: "true"
- ingressClassName: "nginx"
- hosts:
- - host: *vault-host
- paths: []
+ enabled: false
 managed-identity-wallet:
 nameOverride: miw
@@ -260,7 +253,7 @@ managed-identity-wallet:
 host: "{{ .Release.Name }}-miw-postgres"
 secret: "{{ .Release.Name }}-miw-postgres"
 keycloak:
- url: "http://miw-keycloak.test" # TODO connect to central idp
+ url: "http://{{ .Release.Name }}-miw-keycloak" # TODO connect to central idp
 postgresql:
 nameOverride: miw-postgres
 primary:
@@ -271,9 +264,7 @@ managed-identity-wallet:
 nameOverride: miw-keycloak
 enabled: true
 ingress:
- enabled: true
- ingressClassName: nginx
- hostname: miw-keycloak.test
+ enabled: false
 postgresql:
 nameOverride: miw-keycloak-postgres
 livenessProbe:
From c49dfb1efb856a44548fe26b4535dbe5acac72a9 Mon Sep 17 00:00:00 2001
From: Jaro Hartmann
Date: Fri, 15 Mar 2024 13:52:44 +0100
Subject: [PATCH 08/13] chore: increase timeout for helm install
---
 .github/workflows/helm-checks.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/helm-checks.yaml b/.github/workflows/helm-checks.yaml
index c53c0267..f23b3549 100644
--- a/.github/workflows/helm-checks.yaml
+++ b/.github/workflows/helm-checks.yaml
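Review bot: `url: http://{{ .Release.Name }}-vault:8200` is now a template string that only works because the hook renders it through `tpl`, which a reader of values.yaml cannot tell; a comment directly above it, e.g. `# evaluated with tpl by templates/post-install-vault-setup.yaml; must match the vault subchart's service name`, documents the coupling. The same applies to `miw.keycloak.url: "http://{{ .Release.Name }}-miw-keycloak"` in the third hunk, which additionally assumes the managed-identity-wallet chart templates that value. With both ingresses switched to `enabled: false` the dev-mode root token (`token: &vault-token root`, still aliased by `devRootToken`) is now only reachable inside the cluster, which is the right default for a test umbrella; a short note saying the exposure is deliberately in-cluster-only would keep someone from re-enabling the ingress casually.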
@@ -116,7 +116,7 @@ jobs:
 node_image: ${{ github.event.inputs.node_image || 'kindest/node:v1.27.3' }}
 - name: Install chart and run tests
- run: ct install --charts charts/umbrella --target-branch ${{ github.event.repository.default_branch }}
+ run: ct install --charts charts/umbrella --target-branch ${{ github.event.repository.default_branch }} --helm-extra-args '--timeout 10m'
 ## Skip upgrade for now until a working chart is released
From 67f73cb1bf767684e1459316d5a4d259cc1b3220 Mon Sep 17 00:00:00 2001
From: Jaro Hartmann
Date: Tue, 19 Mar 2024 10:10:17 +0100
Subject: [PATCH 09/13] chore: increase timeout for helm install
---
 .github/workflows/helm-checks.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/helm-checks.yaml b/.github/workflows/helm-checks.yaml
index f23b3549..efcca324 100644
--- a/.github/workflows/helm-checks.yaml
+++ b/.github/workflows/helm-checks.yaml
@@ -116,7 +116,7 @@ jobs:
 node_image: ${{ github.event.inputs.node_image || 'kindest/node:v1.27.3' }}
 - name: Install chart and run tests
- run: ct install --charts charts/umbrella --target-branch ${{ github.event.repository.default_branch }} --helm-extra-args '--timeout 10m'
+ run: ct install --charts charts/umbrella --target-branch ${{ github.event.repository.default_branch }} --helm-extra-args '--timeout 20m'
 ## Skip upgrade for now until a working chart is released
From e7107c1f5345e028a0ac607388628ec5f96bb3c3 Mon Sep 17 00:00:00 2001
From: Jaro Hartmann
Date: Fri, 22 Mar 2024 11:20:32 +0100
Subject: [PATCH 10/13] chore: change miw keycloak to centralidp
---
 .github/workflows/helm-checks.yaml | 2 +-
 charts/umbrella/values.yaml | 17 ++++++++--------
 2 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/helm-checks.yaml b/.github/workflows/helm-checks.yaml
index efcca324..c53c0267 100644
--- a/.github/workflows/helm-checks.yaml
+++ b/.github/workflows/helm-checks.yaml
@@ -116,7 +116,7 @@ jobs:
 node_image: ${{ github.event.inputs.node_image || 'kindest/node:v1.27.3' }}
 - name: Install chart and run tests
- run: ct install --charts charts/umbrella --target-branch ${{ github.event.repository.default_branch }} --helm-extra-args '--timeout 20m'
+ run: ct install --charts charts/umbrella --target-branch ${{ github.event.repository.default_branch }}
 ## Skip upgrade for now until a working chart is released
diff --git a/charts/umbrella/values.yaml b/charts/umbrella/values.yaml
index cd91cab4..83a0eb49 100644
--- a/charts/umbrella/values.yaml
+++ b/charts/umbrella/values.yaml
@@ -223,7 +223,7 @@ vault:
 url: http://{{ .Release.Name }}-vault:8200
 secrets:
 # TODO add test secret or secret reference. Can this be generated?
- edc-test-miw-keycloak-secret: test
+ edc-test-miw-keycloak-secret: miw_private_client
 # TODO add certificate or secret reference. Can Key Pairs be generated?
 tokenSignerPublicKey: >-
 -----BEGIN CERTIFICATE-----\n
@@ -247,26 +247,25 @@ vault:
 managed-identity-wallet:
 nameOverride: miw
+ fullnameOverride: miw
 enabled: true
 miw:
+ authorityWallet:
+ bpn: &authority-bpn "BPNL000000000000"
 database:
 host: "{{ .Release.Name }}-miw-postgres"
 secret: "{{ .Release.Name }}-miw-postgres"
 keycloak:
- url: "http://{{ .Release.Name }}-miw-keycloak" # TODO connect to central idp
+ url: "https://centralidp.example.org"
+ clientId: &miw_client miw_private_client # TODO switch to existing user
 postgresql:
 nameOverride: miw-postgres
 primary:
 persistence:
 enabled: false
 size: 1Gi
- keycloak: # TODO replace with central idp
- nameOverride: miw-keycloak
- enabled: true
- ingress:
- enabled: false
- postgresql:
- nameOverride: miw-keycloak-postgres
+ keycloak:
+ enabled: false
 livenessProbe:
 initialDelaySeconds: 90
 readinessProbe:
From 514639f442b157304f88ffa1fb84eaa4e360747f Mon Sep 17 00:00:00 2001
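Review bot: `edc-test-miw-keycloak-secret: miw_private_client` seeds into Vault the same string that the second hunk anchors as the client id (`clientId: &miw_client miw_private_client`), so the value stored under a *secret* key is the client *id*; if that is a deliberate placeholder for the test IdP it deserves a comment, otherwise it should be a distinct value obtained from the IdP rather than committed. The anchors `&authority-bpn` and `&miw_client` are never aliased within this hunk, so either they are referenced outside the visible lines or they are dead, and their naming mixes kebab-case and snake_case. `miw.keycloak.url: "https://centralidp.example.org"` is an `example.org` placeholder, and with the bundled Keycloak now reduced to `keycloak.enabled: false` it is the only IdP the wallet knows, so the chart cannot authenticate in CI until that host is overridden — a comment saying which value is expected to replace it would help.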
From: Jaro Hartmann
Date: Fri, 22 Mar 2024 11:21:00 +0100
Subject: [PATCH 11/13] chore: change vault setup base image to ubuntu
---
 charts/umbrella/templates/post-install-vault-setup.yaml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/charts/umbrella/templates/post-install-vault-setup.yaml b/charts/umbrella/templates/post-install-vault-setup.yaml
index 65ae6620..7a1027e6 100644
--- a/charts/umbrella/templates/post-install-vault-setup.yaml
+++ b/charts/umbrella/templates/post-install-vault-setup.yaml
@@ -28,12 +28,16 @@ spec:
 restartPolicy: Never
 containers:
 - name: post-install-job
- image: "alpine:3.19"
+ image: "ubuntu:mantic"
 command:
 - "/bin/sh"
 - "-c"
 - |
+ apt-get update && apt-get install -y --no-install-recommends wget
 {{- range $key, $value := .Values.vault.secrets }}
- wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' --post-data '{"data": {"content": "{{ $value }}"}}' "{{ $vaultUrl }}/v1/secret/data/{{ $key }}"
+ wget --retry-connrefused --waitretry=1 --read-timeout=20 --timeout=15 -t 0 --header 'Content-Type: application/json' \
+ --header 'X-Vault-Token: {{ $vaultToken }}' \
+ --post-data '{"data": {"content": "{{ $value }}"}}' \
+ "{{ $vaultUrl }}/v1/secret/data/{{ $key }}"
 {{- end }}
 {{- end }}
\ No newline at end of file
From 6de9fb328a129af6b48b11f73f0b99c1f422e3af Mon Sep 17 00:00:00 2001
From: Jaro Hartmann
Date: Fri, 22 Mar 2024 16:25:36 +0100
Subject: [PATCH 12/13] chore: add license header
---
 .../templates/post-install-vault-setup.yaml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/charts/umbrella/templates/post-install-vault-setup.yaml b/charts/umbrella/templates/post-install-vault-setup.yaml
index 7a1027e6..2cae8cf3 100644
--- a/charts/umbrella/templates/post-install-vault-setup.yaml
+++ b/charts/umbrella/templates/post-install-vault-setup.yaml
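Review bot: The script has no `set -e`, and each generated `wget` is a separate statement, so a failed write for one secret neither stops the job nor changes its exit status unless it happens to be the last call; starting the block with `set -eu` makes a partial seed fail visibly and lets Helm report it. `-t 0` combined with `--retry-connrefused` retries forever, so if Vault never comes up the hook pod never exits and the install only ends at Helm's own `--timeout` with no useful message; a bounded count such as `-t 60` fails faster and more clearly. Moving to `ubuntu:mantic` and running `apt-get update && apt-get install … wget` at hook time adds an unpinned network dependency to every install and selects an interim (non-LTS) Ubuntu tag; if the switch was made because BusyBox `wget` lacks `--retry-connrefused`, staying on a pinned `alpine` with `apk add --no-cache wget` (GNU wget) keeps the dependency surface smaller. The secret values remain on the command line as before, which this commit does not change.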
@@ -1,3 +1,22 @@
+# #############################################################################
+# Copyright (c) 2021,2024 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# #############################################################################
+---
 {{- if .Values.vault.enabled }}
 {{- $vaultToken := .Values.vault.token -}}
 {{- $vaultUrl := tpl .Values.vault.url . -}}
From 1e081798fba8c33ffeff7f32b9382eb9474435b4 Mon Sep 17 00:00:00 2001
From: Jaro Hartmann
Date: Thu, 4 Apr 2024 09:37:56 +0200
Subject: [PATCH 13/13] chore: fix linting
---
 charts/umbrella/templates/post-install-vault-setup.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/umbrella/templates/post-install-vault-setup.yaml b/charts/umbrella/templates/post-install-vault-setup.yaml
index 2cae8cf3..d947c9c7 100644
--- a/charts/umbrella/templates/post-install-vault-setup.yaml
+++ b/charts/umbrella/templates/post-install-vault-setup.yaml
@@ -17,7 +17,7 @@
 # SPDX-License-Identifier: Apache-2.0
 # #############################################################################
 ---
-{{- if .Values.vault.enabled }}
+{{ if .Values.vault.enabled }}
 {{- $vaultToken := .Values.vault.token -}}
 {{- $vaultUrl := tpl .Values.vault.url . -}}
 apiVersion: batch/v1
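Review bot: Placing `---` directly before `{{- if .Values.vault.enabled }}` loses the separator's line break: the `{{-` trims the newline after `---`, the `if` and the two `-}}` assignments emit nothing and trim on both sides, so the rendered manifest begins with `---apiVersion: batch/v1` on a single line, which is not valid YAML and will fail `helm template`/lint. Either drop the left trim on the `if` (`{{ if .Values.vault.enabled }}`) or move `---` inside the conditional so it is emitted together with the document it introduces. The header text itself looks like the project's standard one; the `2021,2024` range on a file created in this series is presumably inherited from that template. The template body continues outside the hunk.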
@@ -59,4 +59,4 @@ spec:
 --post-data '{"data": {"content": "{{ $value }}"}}' \
 "{{ $vaultUrl }}/v1/secret/data/{{ $key }}"
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{ end }}
\ No newline at end of file
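Review bot: The file still ends with `{{ end }}` and no trailing newline — the `\ No newline at end of file` marker survives on both sides of the hunk — which most YAML linters flag and which turns every future edit of the last line into a two-line diff; add a final newline. With the left trim removed from both `{{ if` and `{{ end }}`, a release with `vault.enabled: false` now renders `---` followed by an empty document, which Helm skips, so that is harmless. The enclosing `if` block starts near the top of the file, outside this hunk.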