hyperledger · Jul 24, 2023 · Jul 21, 2023 · Jul 21, 2023 · Jul 24, 2023 · Jul 24, 2023
@@ -32,7 +32,7 @@ jobs:
           fetch-depth: 0
       - name: Mega-Linter
         id: ml
-        uses: megalinter/megalinter@v6
+        uses: megalinter/megalinter@v7.1.0
       - name: Archive production artifacts
         if: success() || failure()
         uses: actions/upload-artifact@v3

@@ -38,6 +38,8 @@ jobs:
         uses: actions/setup-node@v3
         with:
           node-version: "lts/*"
+      - name: Setup yq - portable yaml processor
+        uses: mikefarah/[email protected]
       - uses: crazy-max/ghaction-import-gpg@v3
         id: import_gpg
         with:

@@ -10,6 +10,7 @@ DISABLE_LINTERS: [
     REPOSITORY_TRIVY,
     REPOSITORY_CHECKOV,
     REPOSITORY_SECRETLINT,
+    REPOSITORY_KICS,
     SCALA_SCALAFIX,
     SQL_TSQLLINT,
     C_CPPLINT, # For pollux/lib/anoncreds/src/main/c
@@ -46,3 +47,6 @@ PRE_COMMANDS:
 MARKDOWN_MARKDOWN_LINK_CHECK_FILTER_REGEX_EXCLUDE: "CHANGELOG.md"
 MARKDOWN_MARKDOWNLINT_FILTER_REGEX_EXCLUDE: "CHANGELOG.md"
 SQL_SQL_LINT_ARGUMENTS: -d postgres --ignore-errors=postgres-invalid-alter-option
+YAML_YAMLLINT_FILTER_REGEX_EXCLUDE: "infrastructure/charts/agent/*"
+YAML_PRETTIER_FILTER_REGEX_EXCLUDE: "infrastructure/charts/agent/*"
+YAML_V8R_FILTER_REGEX_EXCLUDE: "infrastructure/charts/agent/*"
@@ -285,3 +285,35 @@ Linter - Suggested Change: Enabled but pass even with error
 *Change detail*
 
 OPENAPI_SPECTRAL generates lots of errors for files which are quite large and have been generated by the openapi generator which is going to be replaced with Tapir in future work. Suggest change to enable but pass even with error. Can be re enabled when files can be reviewed as a specific task / they get removed
+
+#### YAML_PRETTIER, YAML_LINT, YAML_V8R for helm-chart files
+
+Date Added: 2023-07-24
+
+Author: David Poltorak
+
+Date Added: 2023-07-24
+
+Linter - Current Status: Enabled
+
+Linter - Suggested Change: Disable
+
+*Change detail*
+
+YAML linters will fail on helm charts so excluding the folder for these linters
+
+#### kics (Keeping Infrastructure as Code Secure)
+
+Date Added: 2023-07-24
+
+Author: David Poltorak
+
+Date Added: 2023-07-24
+
+Linter - Current Status: Enabled
+
+Linter - Suggested Change: Disable
+
+*Change detail*
+
+Kics creates an error log consisting of thousands of review items. This is a new linter in a newer version of megalinter and needs to be reviewed before being enabled.
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
@@ -0,0 +1,6 @@
+dependencies:
+- name: vault
+  repository: https://helm.releases.hashicorp.com
+  version: 0.24.1
+digest: sha256:f9ee9a8708d36ff7fcf9334fe17404147be8c124ead65830ee72bd4f43c262cd
+generated: "2023-06-16T14:40:33.224500592+10:00"
@@ -0,0 +1,29 @@
+apiVersion: v2
+name: prism-agent
+description: A Helm chart for deploying prism-agent
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.6.0"
+
+dependencies:
+  - name: "vault"
+    version: "0.24.1"
+    repository: "https://helm.releases.hashicorp.com"
@@ -0,0 +1,22 @@
+{{- define "cors" }}
+    {{- if .Values.ingress.cors.enabled }}
+    - name: cors
+      enable: true
+      {{- if .Values.ingress.cors.allow_origins }}
+      config:
+        allow_origins: {{ .Values.ingress.cors.allow_origins | quote }}
+      {{- end }}
+    {{- end }}
+{{- end -}}
+{{- define "consumer-restriction" }}
+    - name: consumer-restriction
+      enable: true
+      config:
+        whitelist:
+        {{- range .Values.ingress.consumers }}
+          -  {{ regexReplaceAll "-" $.Release.Name "_" }}_{{ regexReplaceAll "-" . "_" | lower }}
+        {{- end }}
+{{- end -}}
+{{- define "labels.common" -}}
+app.kubernetes.io/part-of: prism-agent
+{{- end -}}
@@ -0,0 +1,18 @@
+{{- if .Values.ingress.enabled }}
+{{- $root := . -}}
+{{- range $consumer := .Values.ingress.consumers }}
+apiVersion: apisix.apache.org/v2
+kind: ApisixConsumer
+metadata:
+  name: "{{ $consumer | lower }}"
+  namespace: "{{ $root.Release.Namespace }}"
+  labels:
+    {{ template "labels.common" . }}
+spec:
+  authParameter:
+    keyAuth:
+      secretRef:
+        name: "{{ $root.Release.Namespace }}-{{ $consumer | lower }}"
+---
+{{- end }}
+{{- end }}
@@ -0,0 +1,128 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: apisix.apache.org/v2
+kind: ApisixRoute
+metadata:
+  name: agent-route
+  namespace: "{{ .Release.Namespace }}"
+  labels:
+    {{ template "labels.common" . }}
+spec:
+  http:
+  - name: agent-rule
+    match:
+      hosts:
+      {{- range .Values.ingress.applicationUrls }}
+        - {{ . }}
+      {{- end }}
+      paths:
+      - /prism-agent/*
+    backends:
+       - serviceName: agent-server-tapir-service
+         servicePort: 8085
+    authentication:
+      enable: true
+      type: keyAuth
+    plugins:
+    - name: proxy-rewrite
+      enable: true
+      config:
+        regex_uri: ["^/prism-agent/(.*)","/$1"]
+    - name: uri-blocker
+      enable: true
+      config:
+        block_rules: ["_system/metrics"]
+        rejected_message: "access to metrics resource is not allowed from an external location"
+    {{ template "cors" . }}
+    {{ template "consumer-restriction" . }}
+
+---
+
+apiVersion: apisix.apache.org/v2
+kind: ApisixRoute
+metadata:
+  name: agent-didcomm-route
+  namespace: "{{ .Release.Namespace }}"
+  labels:
+    {{ template "labels.common" . }}
+spec:
+  http:
+  - name: agent-didcomm-rule
+    match:
+      hosts:
+      {{- range .Values.ingress.applicationUrls }}
+        - {{ . }}
+      {{- end }}
+      paths:
+      - /prism-agent/didcomm*
+    backends:
+      - serviceName: agent-server-didcomm-service
+        servicePort: 8090
+    plugins:
+    - name: proxy-rewrite
+      enable: true
+      config:
+        regex_uri: ["^/prism-agent/didcomm(.*)", "/$1"]
+    {{ template "cors" . }}
+
+---
+
+apiVersion: apisix.apache.org/v2
+kind: ApisixRoute
+metadata:
+  name: agent-schema-registry-route
+  namespace: "{{ .Release.Namespace }}"
+  labels:
+    {{ template "labels.common" . }}
+spec:
+  http:
+  - name: agent-schema-registry-rule
+    match:
+      hosts:
+      {{- range .Values.ingress.applicationUrls }}
+        - {{ . }}
+      {{- end }}
+      paths:
+      - /prism-agent/schema-registry/schemas/*
+      methods:
+      - GET
+    backends:
+      - serviceName: agent-server-tapir-service
+        servicePort: 8085
+    plugins:
+    - name: proxy-rewrite
+      enable: true
+      config:
+        regex_uri: ["^/prism-agent/schema-registry/schemas/(.*)", "/schema-registry/schemas/$1"]
+    {{ template "cors" . }}
+
+---
+
+apiVersion: apisix.apache.org/v2
+kind: ApisixRoute
+metadata:
+  name: agent-docs-route
+  namespace: "{{ .Release.Namespace }}"
+  labels:
+    {{ template "labels.common" . }}
+spec:
+  http:
+  - name: agent-docs-rule
+    match:
+      hosts:
+      {{- range .Values.ingress.applicationUrls }}
+        - {{ . }}
+      {{- end }}
+      paths:
+      - /prism-agent/docs/*
+    backends:
+      - serviceName: agent-server-tapir-service
+        servicePort: 8085
+    plugins:
+    - name: proxy-rewrite
+      enable: true
+      config:
+        regex_uri: ["^/prism-agent/docs/(.*)","/docs/$1"]
+    {{ template "cors" . }}
+
+---
+{{- end }}
@@ -0,0 +1,17 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: apisix.apache.org/v2
+kind: ApisixTls
+metadata:
+  name: "prism-agent-base-path-tls"
+  namespace: "{{ .Release.Namespace }}"
+  labels:
+    {{ template "labels.common" . }}
+spec:
+  hosts:
+  {{- range .Values.ingress.applicationUrls }}
+    - {{ . }}
+  {{- end }}
+  secret:
+    name: "prism-agent-base-path-secret"
+    namespace: "{{ .Release.Namespace }}"
+{{- end }}
@@ -0,0 +1,20 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: "prism-agent-base-path-cert"
+  namespace: "{{ .Release.Namespace }}"
+  labels:
+    {{ template "labels.common" . }}
+spec:
+  secretName: "prism-agent-base-path-secret"
+  duration: 2160h0m0s # 90d
+  renewBefore: 360h0m0s # 15d
+  issuerRef:
+    name: letsencrypt
+    kind: ClusterIssuer
+  dnsNames:
+  {{- range .Values.ingress.applicationUrls }}
+    - {{ . }}
+  {{- end }}
+{{- end }}
@@ -0,0 +1,11 @@
+apiVersion: "secretgenerator.mittwald.de/v1alpha1"
+kind: StringSecret
+metadata:
+  name: "prism-agent-server-wallet"
+  namespace: {{ .Release.Namespace }}
+spec:
+  forceRegenerate: false
+  fields:
+    - fieldName: "seed"
+      encoding: "hex"
+      length: "128"