From af64dbbe9fa4206617b8b02b23fe925882130578 Mon Sep 17 00:00:00 2001 From: Saud Khan Date: Wed, 8 Apr 2026 11:54:06 +0200 Subject: [PATCH] feat: adapted construct-x connector helm chart configurations --- .../templates/deployment-controlplane.yaml | 28 +- .../templates/deployment-dataplane.yaml | 12 +- .../templates/post-install-vault-setup.yaml | 66 ++ .../templates/vault-edc-configmap.yaml | 49 ++ .../tractusx-connector/values-consumer.yaml | 687 ++++++++++++++++++ .../tractusx-connector/values-provider.yaml | 687 ++++++++++++++++++ 6 files changed, 1509 insertions(+), 20 deletions(-) create mode 100644 charts/tractusx-connector/templates/post-install-vault-setup.yaml create mode 100644 charts/tractusx-connector/templates/vault-edc-configmap.yaml create mode 100644 charts/tractusx-connector/values-consumer.yaml create mode 100644 charts/tractusx-connector/values-provider.yaml diff --git a/charts/tractusx-connector/templates/deployment-controlplane.yaml b/charts/tractusx-connector/templates/deployment-controlplane.yaml index 9f7b748362..aedb7aacfa 100644 --- a/charts/tractusx-connector/templates/deployment-controlplane.yaml +++ b/charts/tractusx-connector/templates/deployment-controlplane.yaml @@ -142,6 +142,10 @@ spec: {{- end }} {{- end }} + - name: EDC_HOSTNAME + value: {{ .Values.controlplane.hostname | quote }} + - name: "EDC_SQL_SCHEMA_AUTOCREATE" + value: {{ .Values.controlplane.schema.autocreate | quote }} ######################## ## ID CONFIGURATION ## 
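Review bot: `EDC_SQL_SCHEMA_AUTOCREATE` is rendered from `.Values.controlplane.schema.autocreate` with neither `required` nor `default`, so a values file that omits `schema.autocreate` produces `value: ""` instead of an explicit opt-out, and `EDC_HOSTNAME` has the same gap. Because autocreate lets the connector issue DDL against the database with whatever rights its credentials carry, the safe default is off: `value: {{ .Values.controlplane.schema.autocreate | default false | quote }}`, with a comment above it such as `# schema autocreate needs DDL rights on the DB role; keep false in production once the schema exists`. `EDC_HOSTNAME` should get `| required ".Values.controlplane.hostname is required"` like the neighbouring ID entries, and its `name` quoted for consistency with the surrounding `- name: "..."` entries.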
@@ -150,10 +154,8 @@ spec: value: {{ .Values.iatp.id | required ".Values.iatp.id is required" | quote }} - name: "EDC_IAM_ISSUER_ID" value: {{ .Values.iatp.id | required ".Values.iatp.id is required" | quote }} - - name: "EDC_PARTICIPANT_CONTEXT_ID" - value: {{ .Values.participant.contextId | required ".Values.participant.contextId is required" | quote }} - - name: "TRACTUSX_EDC_PARTICIPANT_BPN" - value: {{ .Values.participant.id | required ".Values.participant.id is required" | quote }} + - name: "EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID" + value: {{ .Values.iatp.trustedIssuerId | required ".Values.iatp.trustedIssuerId is required" | quote }} ########################### ## LOGGING CONFIGURATION ## @@ -194,9 +196,10 @@ spec: value: {{ .Values.controlplane.endpoints.protocol.port | quote }} - name: "WEB_HTTP_PROTOCOL_PATH" value: {{ .Values.controlplane.endpoints.protocol.path | quote }} - - name: "EDC_CONTROL_ENDPOINT" - value: {{ include "txdc.controlplane.url.control" .}} - + - name: "WEB_HTTP_VALIDATION_PORT" + value: {{ .Values.controlplane.endpoints.validation.port | quote }} + - name: "WEB_HTTP_VALIDATION_PATH" + value: {{ .Values.controlplane.endpoints.validation.path | quote }} ######### ## DSP ## @@ -259,17 +262,6 @@ spec: - name: "TX_EDC_DCP_CACHE_VALIDITY_SECONDS" value: {{ .Values.iatp.cache.validity | quote }} - ################# - ## BDRS CLIENT ## - ################# - - - name: "TX_EDC_IAM_IATP_BDRS_SERVER_URL" - value: {{ .Values.controlplane.bdrs.server.url | required ".Values.controlplane.bdrs.server.url is required" | quote }} - {{- if .Values.controlplane.bdrs.cache_validity_seconds }} - - name: "TX_EDC_IAM_IATP_BDRS_CACHE_VALIDITY" - value: {{ .Values.controlplane.bdrs.cache_validity_seconds | quote}} - {{- end}} - ########### ## VAULT ## ########### diff --git a/charts/tractusx-connector/templates/deployment-dataplane.yaml b/charts/tractusx-connector/templates/deployment-dataplane.yaml index 40510d5627..a800308313 100644 
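Review bot: The new `EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID` hard-codes `EXAMPLE` as the issuer alias and reads a single `iatp.trustedIssuerId`, so the trust anchor for credential verification becomes a one-slot setting, while values-consumer.yaml in this same patch also declares an `iatp.trustedIssuers` list (with the same DID) that this entry never consumes. If that list is rendered elsewhere in the template (not visible in this diff) the two definitions can drift apart silently; if it is not, the list is dead config that reads as if it were authoritative. Prefer one source of truth: iterate `trustedIssuers` and emit one `EDC_IAM_TRUSTED-ISSUER_*_ID` entry per element keyed by index, and drop `trustedIssuerId`, or at least fail rendering when both are set to different values. Dropping `EDC_PARTICIPANT_CONTEXT_ID` and `TRACTUSX_EDC_PARTICIPANT_BPN` here and the BDRS client in the last hunk on this line is presumably deliberate for construct-x; a one-line comment above the ID section saying so would stop the next reader from re-adding them.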
--- a/charts/tractusx-connector/templates/deployment-dataplane.yaml +++ b/charts/tractusx-connector/templates/deployment-dataplane.yaml @@ -140,16 +140,20 @@ spec: {{ printf "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=%v" .Values.dataplane.debug.port }} {{- end }} {{- end }} + - name: EDC_HOSTNAME + value: {{ .Values.dataplane.hostname | quote }} + - name: "EDC_SQL_SCHEMA_AUTOCREATE" + value: {{ .Values.dataplane.schema.autocreate | quote }} ######################## ## ID CONFIGURATION ## ######################## - name: EDC_PARTICIPANT_ID value: {{ .Values.participant.id | required ".Values.participant.id is required" | quote }} - - name: EDC_PARTICIPANT_CONTEXT_ID - value: {{ .Values.participant.contextId | required ".Values.participant.contextId is required" | quote}} - name: "EDC_IAM_ISSUER_ID" value: {{ .Values.iatp.id | required ".Values.iatp.id is required" | quote}} + - name: "EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID" + value: {{ .Values.iatp.trustedIssuerId | required ".Values.iatp.trustedIssuerId is required" | quote}} ########################### ## LOGGING CONFIGURATION ## @@ -162,6 +166,10 @@ spec: ####### # API # ####### + - name: "WEB_HTTP_MANAGEMENT_PORT" + value: {{ .Values.dataplane.endpoints.management.port | quote }} + - name: "WEB_HTTP_MANAGEMENT_PATH" + value: {{ .Values.dataplane.endpoints.management.path | quote }} - name: "TX_EDC_DPF_CONSUMER_PROXY_AUTH_APIKEY" value: {{ .Values.dataplane.endpoints.proxy.authKey | required ".Values.dataplane.endpoints.proxy.authKey is required" | quote }} - name: "WEB_HTTP_PORT" diff --git a/charts/tractusx-connector/templates/post-install-vault-setup.yaml b/charts/tractusx-connector/templates/post-install-vault-setup.yaml new file mode 100644 index 0000000000..a179a8aec0 --- /dev/null +++ b/charts/tractusx-connector/templates/post-install-vault-setup.yaml 
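Review bot: The dataplane now exposes a management API (`WEB_HTTP_MANAGEMENT_PORT`/`_PATH`) but, unlike the proxy endpoint two lines below with its `required` `TX_EDC_DPF_CONSUMER_PROXY_AUTH_APIKEY`, no API key is wired for it, and values-consumer.yaml's `dataplane.endpoints.management` ends with the `# -- authentication key ...` comment and no key beneath it. Whether the `con-x-dataplane-*` image applies token auth to that web context depends on the extensions it bundles, which this diff does not show; either set the auth-key env the way the controlplane management entry does, or add a comment stating that the endpoint is unauthenticated and must not be added to any ingress. Separately, `EDC_SQL_SCHEMA_AUTOCREATE` and `EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID` are emitted here by the template and set again under `dataplane.env` in values-consumer.yaml; if `dataplane.env` is rendered into the same container (the usual pattern, not visible here) the container ends up with duplicate env names, which Kubernetes accepts with last-one-wins rather than rejecting. Pick one place for each, and give `EDC_SQL_SCHEMA_AUTOCREATE` a `| default false` so an omitted `dataplane.schema.autocreate` does not render as `value: ""`.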
@@ -0,0 +1,66 @@ +{{- $vaultToken := index .Values "vault" "hashicorp" "token" -}} +{{- $vaultUrl := tpl (index .Values "vault" "hashicorp" "url") . -}} +{{- $fullName := .Values.nameOverride -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: post-install-vault-setup + labels: + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +spec: + template: + metadata: + name: "{{ .Release.Name }}" + labels: + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + spec: + restartPolicy: Never + containers: + - name: post-install-job + image: busybox + imagePullPolicy: "IfNotPresent" + command: + - "/bin/sh" + - "-c" + - | + sleep 10 + + wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \ + --post-file=/opt/config/cert.json "{{ $vaultUrl }}/v1/secret/data/tokenSignerPublicKey" + + wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \ + --post-file=/opt/config/key.json "{{ $vaultUrl }}/v1/secret/data/tokenSignerPrivateKey" + + wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \ + --post-file=/opt/config/aes-secret.json "{{ $vaultUrl }}/v1/secret/data/tokenEncryptionAesKey" + + wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \ + --post-file=/opt/config/cons_priv.json "{{ $vaultUrl }}/v1/secret/data/cons_priv" + + wget --header 'Content-Type: 
application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \ + --post-file=/opt/config/cons_pub.json "{{ $vaultUrl }}/v1/secret/data/cons_pub" + + wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \ + --post-file=/opt/config/prov_priv.json "{{ $vaultUrl }}/v1/secret/data/prov_priv" + + wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \ + --post-file=/opt/config/prov_pub.json "{{ $vaultUrl }}/v1/secret/data/prov_pub" + volumeMounts: + - name: config-volume + mountPath: /opt/config + volumes: + - name: config-volume + configMap: + name: {{ $fullName }}-vault-edc-configmap + defaultMode: 0777 diff --git a/charts/tractusx-connector/templates/vault-edc-configmap.yaml b/charts/tractusx-connector/templates/vault-edc-configmap.yaml new file mode 100644 index 0000000000..efcff6b8e7 --- /dev/null +++ b/charts/tractusx-connector/templates/vault-edc-configmap.yaml 
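Review bot: The Vault token is rendered straight into the Job's `command` string (`X-Vault-Token: {{ $vaultToken }}`), so it lands in the pod spec, in `kubectl get pod -o yaml`/`describe` output, in the Helm release secret and in any admission or audit log that records the manifest; pass it as an environment variable backed by a Kubernetes Secret (`valueFrom.secretKeyRef`) and read `$VAULT_TOKEN` in the script instead. The script has no `set -e`, so a failed `wget` (bad token, sealed Vault, unreachable URL) does not fail the Job and the hook reports success with none of the keys written. The Job name is the fixed string `post-install-vault-setup` and every release writes to the same Vault paths (`cons_priv`, `prov_priv`, `tokenSigner*`), so installing the consumer and provider values files into one namespace collides on the hook and the second install overwrites the first one's secrets. The pod also carries none of the `securityContext` hardening the rest of the chart applies, pulls an untagged `busybox`, mounts a read-only ConfigMap with `defaultMode: 0777`, and `$fullName := .Values.nameOverride` renders an invalid `-vault-edc-configmap` name when `nameOverride` is empty. The rewrite below keeps the same Vault writes but moves the token to env, fails fast, pins permissions and adds the security context; the `sleep 10` is left as-is but a readiness poll against the Vault health endpoint would be more robust.

```yaml
    spec:
      restartPolicy: Never
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: post-install-job
          image: busybox  # TODO pin to a specific tag or digest; bare "busybox" is a mutable latest
          imagePullPolicy: "IfNotPresent"
          env:
            - name: VAULT_TOKEN
              valueFrom:
                secretKeyRef:
                  # Secret that holds the Vault token; reference it from values
                  # instead of inlining .Values.vault.hashicorp.token in the manifest
                  name: <vault-token-secret>
                  key: token
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          command:
            - "/bin/sh"
            - "-c"
            - |
              set -eu
              sleep 10
              # put <file-in-/opt/config> <vault-kv-path>: any HTTP or network error fails the Job
              put() {
                wget -q -O - --header 'Content-Type: application/json' \
                  --header "X-Vault-Token: ${VAULT_TOKEN}" \
                  --post-file="/opt/config/$1" "{{ $vaultUrl }}/v1/secret/data/$2"
              }
              put cert.json tokenSignerPublicKey
              put key.json tokenSignerPrivateKey
              # … unchanged: put calls for aes-secret, cons_priv/pub, prov_priv/pub …
          # … unchanged: volumeMounts …
      volumes:
        - name: config-volume
          configMap:
            name: {{ $fullName }}-vault-edc-configmap
            defaultMode: 0444
```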
@@ -0,0 +1,49 @@ +{{- $fullName := .Values.nameOverride -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ $fullName }}-vault-edc-configmap +data: + cert.json: |- + { + "data": { + "content": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsP1Wl50viKzVqw8HGFWP\nis+M8Im4daTFMned5Qr2z90FNgkj1EVhip0mOdD6kDg3bW4RxyL6z3jWi19JKBHZ\n68UTgZNdPbhhPNLEGcQpu8uwgFcWKL4P/IOykEeE8ResGOVg/HzNE7HkTgiBdr2C\nMTEXL3zTmdr0vbFGMbOTPyOvKMoy/2FaJaJAPXo3poGqfRvr6Gu6top2ktRd/z8N\nhBpuzx9QypIsE62ooLNPpqzjezfvzJbc3tko/cXNOyGoZWuEKMTfKwYq3ZjsTZKk\nbjVNgdoEFSWpd6Tqk76B1Cboxv1CD8xw0cQ149eW0IuLkAk3eF5eZR4iQ5YAOZqA\nUQIDAQAB\n-----END PUBLIC KEY-----\n" + } + } + + key.json: |- + { + "data": { + "content": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCw/VaXnS+IrNWr\nDwcYVY+Kz4zwibh1pMUyd53lCvbP3QU2CSPURWGKnSY50PqQODdtbhHHIvrPeNaL\nX0koEdnrxROBk109uGE80sQZxCm7y7CAVxYovg/8g7KQR4TxF6wY5WD8fM0TseRO\nCIF2vYIxMRcvfNOZ2vS9sUYxs5M/I68oyjL/YVolokA9ejemgap9G+voa7q2inaS\n1F3/Pw2EGm7PH1DKkiwTraigs0+mrON7N+/Mltze2Sj9xc07Iahla4QoxN8rBird\nmOxNkqRuNU2B2gQVJal3pOqTvoHUJujG/UIPzHDRxDXj15bQi4uQCTd4Xl5lHiJD\nlgA5moBRAgMBAAECggEAKD8XjYb8G+WHeexDJgSwzTUonLsIg9H52KHMORz+5mIh\nUPoPmHHFfj6BhoSvsZNjAUKWDtU0uPCGwu8iRNcYWa15I841lfcjP3BDEQPjJJXr\nNyf2fUHJA1gURwxIXgWOyCOC5C9h9/BMFPWIsQ5jeFmsJsuJF5OrcyZIar1lxqWu\nQ+HC7f/7JNkpR26uIyGjs1OXwfp+mHqze2Qf8hLWIXcN9tBCQZ75Cg7rarNVimMC\n59QD80JZCHTaCX1ZtE1T8HM+53Ob78lnFCuBfiBT/S3O/NXVsEN9q6rMWKhETVWR\nUX56EqZ7XGSMOzuZyK7kj1QsHzEMrrHjwDSNSjAqFQKBgQC6hEeAWPCEM+WVoF9n\nmhvwZVZv/PPyLAarykBTGoeHR2hqNyih9JmcXL+XQHMlhy1Ka8NtJHvfyB1xhXgF\n/d91i/Yq02+nZoJPNnVWo8zoXIAIq+xg9CBiu0agBxv45PjJkEkQmmEG4Iej1+Kf\n5/+dI7sFjE2T4q/lLK0Aw3x+zQKBgQDy7Ho7eRi5CV1Ks+r5lpGGdM15hbE5tviE\nfmJvaEUh3oWuwdkyFjD/QEPITG1bFuvhATdEEWxTbuswNEbELLhKCPcixcI0sLUO\n6BeNi1YD6ouuqsWBLvmE4hvoDR7RlkpUduxWpZ2tNIDJYYTwCERhcYK9OtHU15kc\nlS0pEjF/lQKBgEh+28/OQgYQqd7ji9GX+94PdW5n0mXBqQIixafHewAgyDvonpl8\nmixFfI6MlXTzuq3ffwEwGhncDV2vc/xYNf/ZW+A/eHmHhYTGdQss9ZsnQPid4m24\
n1dGqWwQeX0f5r52gwFV8u9PRd8c+RS7EHP12At5gL1MY3CdmmwPd98jNAoGASvPV\n/xWtICKYi10aCip/+kl9wJoUhadD5LWOL6uvcPTUsIgVONQKCCfPAjU6pJlc7E7Q\nu4rYrqGRpYzrrMnTjtxXTH5SHqnLI69O3Rh50LmEob8FM4fH601MqPurX6WMh6Ut\n5Moy7Wc+uWQCfYE/gAVi/nnwlkhzcJNCnOKFLUUCgYA4nbhLrdEeCBJas2+Z9aGw\n/SurtHF2z2meAPO3VaYslf0D0xKzUIv5hkkzaNgs0pFGt0BcKfTWkYy/Hh4QXZhm\n//ZrqbkVsqzDOcqGwQcDmUEN/T+vprUJVKqpNHXT6fz3OTydxLQ7K7SXzwXWYfRW\ncpjdr0c1tVVLMyNG+Wahrg==\n-----END PRIVATE KEY-----\n" + } + } + aes-secret.json: |- + { + "data": { + "content": {{ randAlphaNum 32 | b64enc | quote }} + } + } + cons_priv.json: |- + { + "data": { + "content": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC9zbB90iPotlvz\nsTCAt246XNL+dHoiSlEYgBsPgroqfEuLWQkVeM2F0L2fWEsvNc6ZU5SJBEDqPTVe\noaYnv6iXShbTaBaZVoFbt2L8+rJmQQ2YoB5qQwLtfsqIDIwuTwQUgiNe747NDtsb\nJmjMpib3fTsB6m+0CsWYDPuU/7bmUJvYytnw/MOLhaUiHAC68jKsgsAemyDzOSUN\nYJfcIbnS/o12OFZ4Na3nKdr96kMB1zN+PE4+K2oTgFRh69zq+z/G5au7mliBdwns\n5Efmf1ijlH6MFZeaeTVMjfHSq8IOIpOSvigjjK5p8T7vCSYettej2rfcgZpBRa44\n3V8m+F7zAgMBAAECggEAF/cnyMtG03RrKdr+p9IBbgcYcR6d6UR+9tv+DrhP71tg\nYojsd7SYJsRTnRIV9DEUFBIUmDRcSfdOjNNWWoB9thSZyznCWLwuezktm4nACt89\n6z6UeJBbh0dSJVmIPbSmbDx+YNdYrZWpnsT7yJNWKju6vqQuVIpjpq5E+exL2Mqu\nj44wW/5ro9jaOhm8mUbAacEctQYixBmy8HXPBm6AtezdD7HpftdI+VWN0LO7IlLn\naWICR8vx18dEF+706JHPKpsovZbolu0Zvl19RSG4Zj3dhVoTw+vbeXTOkHR2wNdP\nDfL4m0exKl6McPos3CG9kEAUwceGR2CZpy0xssBkGQKBgQD/K/Svv/xrMK8pVQVv\nY699OX9pwm6NBq3Ti8LIKejPUW5V2ZZVtSb8njWmgAi6RPp6vO/mWhuUrXahoUrY\nfe0AqW7wTgKmmjXbTvy47VS5Z5S30DT8DAYp8CJekibnU4jwsIgYJgao1TeOTOq3\ngnGdPLlvSa4BagyogWp7+keaTwKBgQC+a2nbyuL3e/Sk+qio0kDkpI6hYIKWg+7u\n0FOsHJjItcwkSkfRKIFRdI7iGYlukE/38xfizs0tLJXYRbdrlUgq/lTgd4i3UoVw\nOAXzEJX0lunZgXNd9jjnADh3pgVbwX9AKDhFz+nu3yL5Egc8FN+caP9Is5xPxYfg\n8J/Pp8DcHQKBgDOc6HlEFAJ6bnOlxtupBi4GG0eBFGtiFnbbpiJml7iXeAHVaRsc\n8S3XsnJjI2DJ4wBAhyXIxBtmmsBGp6Tyk6W2n8HrhY29U3dwmp2tI5383Y/whUcW\nB4kkEU+fsE7KDsDgdCauSlqMBhi6Zh+IOwLa7YcdGB0hHj5XLvq0vRbxAoGAQCpp\n7YqcmNDIS5+7ncfb3jAlb/PZjWa/6PGCgIjSYy//rm
rpcG25xf0E+OOqD/vJNsBP\n2Dnfoc1YYRx9Bl+zhelWKJ2fEEdad8opFxMLtPP1sTmR6qPB4PWOEaN8QsMdYj0r\nWTsKlVfTrSKKFZDjGQ24mIMNtUPW2dG7yHm633ECgYEAqaLLo4VYUcjTKnYdBChA\nPFAk/ZwSR+/TY0vXw3Ghm/oiBNVSMVHFBoAFdbt4lWKJlryW+1Wi11cFYXfsBrmb\nJTnK1u7EZDebm9hFBzpp7/yY5uu38NduGKh5+goAVtPXZR9s/8ypyt3xVflcDxzA\nt7VMyFNRxj517ZJPCNN+ImU=\n-----END PRIVATE KEY-----\n" + } + } + cons_pub.json: |- + { + "data": { + "content": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvc2wfdIj6LZb87EwgLdu\nOlzS/nR6IkpRGIAbD4K6KnxLi1kJFXjNhdC9n1hLLzXOmVOUiQRA6j01XqGmJ7+o\nl0oW02gWmVaBW7di/PqyZkENmKAeakMC7X7KiAyMLk8EFIIjXu+OzQ7bGyZozKYm\n9307AepvtArFmAz7lP+25lCb2MrZ8PzDi4WlIhwAuvIyrILAHpsg8zklDWCX3CG5\n0v6NdjhWeDWt5yna/epDAdczfjxOPitqE4BUYevc6vs/xuWru5pYgXcJ7ORH5n9Y\no5R+jBWXmnk1TI3x0qvCDiKTkr4oI4yuafE+7wkmHrbXo9q33IGaQUWuON1fJvhe\n8wIDAQAB\n-----END PUBLIC KEY-----\n" + } + } + prov_priv.json: |- + { + "data": { + "content": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDN/ECrw6rbkvkw\nNGoJX1TatjytEvfwhFm/IViYPXfPccQHyVhG9YiQNS1e9v5UhUc8BGNvrZjIm7e9\nHNhPGlOlLiHh3wfU/wG5srcqz1aSV2omFVPz9Nc9TSkwaF6oJcs4AL+Z0+IyQN1e\nPThoqu9aVd5wtRXnS0nh5Dd0CC0spchZdUbtslQXs4c8uBDRGdT2/mkBu5isMxW0\nCg+muQWk1t8vgYVxlokGGvsKjQXFV3RPJQ6hNjsZjVmAqDGYFcA/AxK1WYBV5Hyu\nAZHUU2yityva/IqQPLXN/4fcXQcLxLjrl0MSpWUik/YeuV2bQFyakpvj5wox/w7E\nMNjWBodnAgMBAAECggEADELlO83Tm4ScQuNqPArJyGEYeIby0+uhufy+qZ7f3sab\nXO+xZDvuXpzDvO2zH8EO1FxAg2yc3E6LBkqAXikN7JaAtTf4K+FOe+LPADd3JEWC\nAvVT2edrpPFoYvWVGNymRAjYK7Lb019eesl/7f8ROcCqk1PvYCUjpzruybN8GOmq\naAuvCmrn9+zW8nPDSvFvNC7TTV4LnaRGsWabCA2589c6rDr52ddbXQZ2bXhIkVlw\n+RcfCIA2yZhrYfwDynQP/dPIwaC12y/phONIOFgDmurJHTTm0/3GmyDgU4xdfEan\nqWN2BwYfG2eOaGRTktUxjvmfj4kQF+6V8BiEA1KGAQKBgQDz0tuJBolkCn4nTMXl\nQx/QaacZBLJdHeniD2B6s7715TOgv+6DYzJypxYsNkKX4jLKykOJAQ3SUmWNq+ar\n6HJUE9Ral27zg8AAgZwQBCBr3hXulUkN3Ca2Qe3zhM6OtKlQvCY91zkXIecvQ7/s\ncLepmEXqMe0VXsR6c5C2VFiOAQKBgQDYRaeTcES+LSqHeAUqNytc4qy27lIEA4Vm\nzCd2oK0B1QuBCe2nVPsIMPnv92yfZ2RExEkqJXk0WfxB0fKM6BphTWFGnzb
leHH3\nE+0BAfi/JmvOtJUbsbQdqTnV1OjCBL3YsubOJJwF+u9yzYoJdy7oldOmqrKC3zgs\nSOehRF9lZwKBgHEqwv58bDRkslznQ0q/tvpyrz3rciXKBo4H+Q26c72JnkbUDo4o\n8ndImf/3Rz1bnZuF+YaTWKjv2XbB/JR5lOb1NTC+7J5V3j3d6mN8pteqAp/z5i5q\nqgUZ4KmQUJbnv1ZbnZxCUpsr/zNuzJufTX+Hz5t9hL7Qd30mOlqGF3wBAoGBAKKb\nhIqTf+wpU2+1qtR51I2rFMcZ2uqPpy6KUyWbW1kkUNj9mQUWHQSkpldphe84MqiN\nmKEqub3F5qeqbh7JqIP+RSRvMzxHWhC2l50JWXiHL8mj9vRyoQUoJocC5Npz7DXR\nFT5rQjAw4vZDWgUR6mAPvqnyb/N8V+TcD+Qt3zgDAoGBAL001/N43dI6NR+Mlcw8\nYtrfTO5xoakVzx7tdC1g3gry/MiJn/+iftpFSf/hNp8HyQEHlRkubQuL4j0I/Fe3\nHjTc3wPIZhcOpitfbn9VMgpXXWmguK/s4oMMNxoe+Ey71/hlp5UdGOidGhaWq9Jk\nAsqJhS57iz0RP3ikSic9Tb3s\n-----END PRIVATE KEY-----\n" + } + } + prov_pub.json: |- + { + "data": { + "content": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzfxAq8Oq25L5MDRqCV9U\n2rY8rRL38IRZvyFYmD13z3HEB8lYRvWIkDUtXvb+VIVHPARjb62YyJu3vRzYTxpT\npS4h4d8H1P8BubK3Ks9WkldqJhVT8/TXPU0pMGheqCXLOAC/mdPiMkDdXj04aKrv\nWlXecLUV50tJ4eQ3dAgtLKXIWXVG7bJUF7OHPLgQ0RnU9v5pAbuYrDMVtAoPprkF\npNbfL4GFcZaJBhr7Co0FxVd0TyUOoTY7GY1ZgKgxmBXAPwMStVmAVeR8rgGR1FNs\norcr2vyKkDy1zf+H3F0HC8S465dDEqVlIpP2Hrldm0BcmpKb4+cKMf8OxDDY1gaH\nZwIDAQAB\n-----END PUBLIC KEY-----\n" + } + } diff --git a/charts/tractusx-connector/values-consumer.yaml b/charts/tractusx-connector/values-consumer.yaml new file mode 100644 index 0000000000..ecd8a0aa11 --- /dev/null +++ b/charts/tractusx-connector/values-consumer.yaml 
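Review bot: This ConfigMap ships three RSA private keys in plaintext (`key.json` → `tokenSignerPrivateKey`, `cons_priv.json`, `prov_priv.json`) committed to the chart, so anyone with repository access or `get configmaps` in the namespace holds the token-signing keys, and every installation rendered from this chart shares the same key pairs, meaning tokens minted by one deployment verify in any other; the committed keys should be treated as compromised and rotated regardless of what else changes. Key material should not be in the chart at all — have the hook job generate fresh keys (or take them from a pre-created Secret referenced via values) and write those to Vault; at the very least make this `kind: Secret` with `stringData:` so ConfigMap-level RBAC does not expose it, while noting that still leaves the keys in git. `aes-secret.json` uses `randAlphaNum 32 | b64enc`, which is re-evaluated on every render and, because the hook also runs on `post-upgrade`, overwrites `tokenEncryptionAesKey` on each `helm upgrade`, so anything encrypted under the previous key stops decrypting; it is also 32 alphanumeric characters rather than 32 random bytes, so use a true random-bytes source where the Helm version offers one, or a `lookup` against the existing value to keep it stable across upgrades. `{{- $fullName := .Values.nameOverride -}}` renders the invalid name `-vault-edc-configmap` when `nameOverride` is empty and the resource carries none of the chart's standard labels; use the chart's fullname helper (not visible in this diff) and the same label set as the hook Job.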
@@ -0,0 +1,687 @@ +################################################################################# +# Copyright (c) 2023,2024 ZF Friedrichshafen AG +# Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH +# Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) +# Copyright (c) 2021,2024 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +################################################################################# + +--- +# Default values for eclipse-dataspace-connector. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. 
+ +install: + postgresql: true + vault: true + +fullnameOverride: "" +nameOverride: "consumer-conn" + +imagePullSecrets: [] +customLabels: {} + +participant: + id: "did:web:consumer-idhub.staging.construct-x.net:consumer" + +iatp: + id: "did:web:consumer-idhub.staging.construct-x.net:consumer" + trustedIssuerId: did:web:local-issuer-service.staging.construct-x.net:issuer + trustedIssuers: + - id: "did:web:local-issuer-service.staging.construct-x.net:issuer" + + sts: + div: + url: + oauth: + token_url: https://consumer-idhub.staging.construct-x.net/api/sts/token + client: + # -- Client ID for requesting OAuth2 access token for DIV access + id: did:web:consumer-idhub.staging.construct-x.net:consumer + # -- Alias under which the client secret is stored in the vault for requesting OAuth2 access token for DIV access + secret_alias: consumersecret + didService: + selfRegistration: + # -- Whether Service Self Registration is enabled + enabled: false + # -- Unique id of connector to be used for register / unregister service inside did document (must be valid URI) + id: "did:web:consumer-idhub.staging.construct-x.net:consumer" + # - Configures the Verifiable Presentation cache + cache: + # -- Whether the Verifiable Presentation cache is enabled + enabled: true + # -- Validity of the Verifiable Presentation cache in seconds + validity: 86400 + +# -- Add custom ca certificates to the truststore +customCaCerts: {} + +log4j2: + # -- Whether to enable the json log config in log4j2.config + enableJsonLogs: true + # -- Log4j2 configuration for json log formatting. 
+ config: |- + Appenders: + Console: + name: CONSOLE + JsonTemplateLayout: + eventTemplate: |- + { + "timestamp": { + "$resolver": "timestamp", + "pattern": { + "format": "yyyy-MM-dd'T'HH:mm:ss.SSSSSSS", + "timeZone": "UTC" + } + }, + "level": { + "$resolver": "level", + "field": "severity", + "severity": { + "field": "keyword" + } + }, + "message": { + "$resolver": "message" + } + } + Loggers: + Root: + level: "OFF" + Logger: + name: org.eclipse.edc.monitor.logger + level: DEBUG + AppenderRef: + ref: CONSOLE + +controlplane: + nameOverride: "consumer-conn-controlplane" + fullnameOverride: "" + enabled: true + hostname: consumer-conn-controlplane + image: + # -- Which derivate of the data plane to use. when left empty the deployment will select the correct image automatically + repository: "registry.onstackit.cloud/constructx/con-x-controlplane-postgresql-hashicorp-vault" + # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use + pullPolicy: IfNotPresent + # -- Overrides the image tag whose default is the chart appVersion + tag: "latest" + imagePullSecrets: + - name: registry-creds + initContainers: [] + debug: + # -- Enables java debugging mode. + enabled: false + # -- Port where the debuggee can connect to. + port: 1044 + # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. + suspendOnStart: false + logs: + # -- Defines the log granularity of the default Console Monitor. 
+ level: DEBUG + livenessProbe: + # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first liveness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + readinessProbe: + # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first readiness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a readiness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + + # -- endpoints of the control plane + endpoints: + # -- default api for health checks, should not be added to any ingress + default: + # -- port for incoming api calls + port: 9000 + # -- path for incoming api calls + path: /api + # -- data management api, used by internal users, can be added to an ingress and must not be internet facing + management: + # -- port for incoming api calls + port: 9010 + # -- path for incoming api calls + path: /management + # -- authentication key, must be attached to each request as `X-Api-Key` header + authKey: "password" + # -- if the JWKS url is set, the 
DelegatedAuth service will be engaged + jwksUrl: + + # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not + control: + # -- port for incoming api calls + port: 9050 + # -- path for incoming api calls + path: /control + # -- dsp api, used for inter connector communication and must be internet facing + protocol: + # -- port for incoming api calls + port: 9020 + # -- path for incoming api calls + path: /dsp + # -- metrics api, used for application metrics, must not be internet facing + validation: + # -- port for incoming api calls + port: 9030 + # -- path for incoming api calls + path: /validation + # -- dsp api, use + metrics: + # -- port for incoming api calls + port: 9090 + # -- path for incoming api calls + path: /metrics + + # -- configuration for policy engine + policy: + validation: + enabled: true + + service: + # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. 
+ type: ClusterIP + # -- additional labels for the service + labels: {} + # -- additional annotations for the service + annotations: {} + + # -- additional labels for the pod + podLabels: {} + # -- additional annotations for the pod + podAnnotations: {} + # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment + podSecurityContext: + seccompProfile: + # -- Restrict a Container's Syscalls with seccomp + type: RuntimeDefault + # -- Runs all processes within a pod with a special uid + runAsUser: 10001 + # -- Processes within a pod will belong to this guid + runAsGroup: 10001 + # -- The owner for volumes and any files created within volumes will belong to this guid + fsGroup: 10001 + # The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod + securityContext: + capabilities: + # -- Specifies which capabilities to drop to reduce syscall attack surface + drop: + - ALL + # -- Specifies which capabilities to add to issue specialized syscalls + add: [] + # -- Whether the root filesystem is mounted in read-only mode + readOnlyRootFilesystem: true + # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID + allowPrivilegeEscalation: false + # -- Requires the container to run without root privileges + runAsNonRoot: true + # -- The container's process will run with the specified uid + runAsUser: 10001 + + # -- Extra environment variables that will be pass onto deployment pods + env: {} + # ENV_NAME: value + + # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. 
+ # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core + envValueFrom: {} + # ENV_NAME: + # configMapKeyRef: + # name: configmap-name + # key: value_key + # secretKeyRef: + # name: secret-name + # key: value_key + + # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from + envSecretNames: [] + # - first-secret + # - second-secret + + # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from + envConfigMapNames: [] + # - first-config-map + # - second-config-map + + schema: + autocreate: true + + env: + EDC_IAM_DID_WEB_USE_HTTPS: true + EDC_IAM_ISSUER_ID: did:web:consumer-idhub.staging.construct-x.net:consumer + TX_EDC_POSTGRESQL_MIGRATION_ASSET_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_AGREEMENTBPNS_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_BPN_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_CONTRACTDEFINITION_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_CONTRACTNEGOTIATION_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_DATAPLANEINSTANCE_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_EDR_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_FEDERATEDCATALOG_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_JTI-VALIDATION_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_POLICY-MONITOR_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_POLICY_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_TRANSFERPROCESS_ENABLED: false + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: consumersecret + EDC_IAM_CREDENTIAL_REVOCATION_MIMETYPE: application/json + + ingresses: + - enabled: true + hostname: "consumer-conn-controlplane.staging.construct-x.net" + className: "nginx" + annotations: + cert-manager.io/cluster-issuer: letsencrypt-staging + external-dns.alpha.kubernetes.io/hostname: "consumer-conn-controlplane.staging.construct-x.net" + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - default + - protocol 
+ - management + - dsp + - validation + tls: + # -- Enables TLS on the ingress resource + enabled: true + # -- If present overwrites the default secret name + secretName: "consumer-conn-cp-tls" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via cert-manager namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "letsencrypt-staging" + ## Private / Intranet facing Ingress + - enabled: false + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "consumer-conn-controlplane.staging.construct-x.net" + # -- Additional ingress annotations to add + annotations: {} + # -- EDC endpoints exposed by this ingress resource + endpoints: + - control + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + className: "nginx" + # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource + tls: + # -- Enables TLS on the ingress resource + enabled: false + # -- If present overwrites the default secret name + secretName: "" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via cert-manager namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "letsencrypt-staging" + + # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container + volumeMounts: + # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories + volumes: + + # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container + resources: + 
limits: + # -- Maximum CPU limit + cpu: 1.5 + # -- Maximum memory limit + memory: 1024Mi + requests: + # -- Initial CPU request + cpu: 500m + # -- Initial memory request + memory: 1024Mi + + replicaCount: 1 + + autoscaling: + # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) + enabled: false + # -- Minimal replicas if resource consumption falls below resource threshholds + minReplicas: 1 + # -- Maximum replicas if resource consumption exceeds resource threshholds + maxReplicas: 100 + # -- targetAverageUtilization of cpu provided to a pod + targetCPUUtilizationPercentage: 80 + # -- targetAverageUtilization of memory provided to a pod + targetMemoryUtilizationPercentage: 80 + + # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics + opentelemetry: |- + otel.javaagent.enabled=false + otel.javaagent.debug=false + + + # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes + nodeSelector: {} + # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes + tolerations: [] + # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on + affinity: {} + + url: + control: "https://consumer-conn-controlplane.staging.construct-x.net/control" + # -- Explicitly declared url for reaching the dsp api (e.g. if ingresses not used) + protocol: "" + +dataplane: + nameOverride: "consumer-conn-dataplane" + fullnameOverride: "" + enabled: true + hostname: consumer-conn-dataplane + image: + # -- Which derivate of the data plane to use. 
when left empty the deployment will select the correct image automatically + repository: "registry.onstackit.cloud/constructx/con-x-dataplane-postgresql-hashicorp-vault" + # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use + pullPolicy: IfNotPresent + # -- Overrides the image tag whose default is the chart appVersion + tag: "latest" + imagePullSecrets: + - name: registry-creds + + initContainers: [] + debug: + # -- Enables java debugging mode. + enabled: false + # -- Port where the debuggee can connect to. + port: 1044 + # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. + suspendOnStart: false + + logs: + # -- Defines the log granularity of the default Console Monitor. + level: DEBUG + + livenessProbe: + # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first liveness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + readinessProbe: + # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first readiness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when 
a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + + service: + # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. + type: ClusterIP + # -- additional labels for the service + labels: {} + # -- additional annotations for the service + annotations: {} + + # -- endpoints of the dataplane + endpoints: + # -- default api for health checks, should not be added to any ingress + default: + # -- port for incoming api calls + port: 8181 + # -- path for incoming api calls + path: /api + # -- public endpoint where the data can be fetched from if HttpPull was used. Must be internet facing. + public: + # -- port for incoming api calls + port: 9500 + # -- path for incoming api calls + path: /public + # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not + control: + # -- port for incoming api calls + port: 9550 + # -- path for incoming api calls + path: /control + management: + # -- port for incoming api calls + port: 9510 + # -- path for incoming api calls + path: /management + # -- authentication key, must be attached to each request as `X-Api-Key` header + # -- metrics api, used for application metrics, must not be internet facing + metrics: + # -- port for incoming api calls + port: 9090 + # -- path for incoming api calls + path: /metrics + + token: + refresh: + # -- TTL in seconds for access tokens (also known as EDR token) + expiry_seconds: 300 + # -- Tolerance for token expiry in seconds + expiry_tolerance_seconds: 10 + # -- Optional endpoint for an OAuth2 token refresh. 
Default endpoint is `/token` + refresh_endpoint: + signer: + # -- Alias under which the private key (JWK or PEM format) is stored in the vault + privatekey_alias: cons_priv + verifier: + # -- Alias under which the public key (JWK or PEM format) is stored in the vault, that belongs to the private key which was referred to at `dataplane.token.signer.privatekey_alias` + publickey_alias: cons_pub + + schema: + autocreate: true + + env: + EDC_IAM_DID_WEB_USE_HTTPS: true + EDC_DATA_PLANE_SELF_UNREGISTRATION: true + EDC_IAM_CREDENTIAL_REVOCATION_MIMETYPE: application/json + EDC_IAM_ISSUER_ID: did:web:consumer-idhub.staging.construct-x.net:consumer + EDC_SQL_SCHEMA_AUTOCREATE: true + EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: did:web:local-issuer-service.staging.construct-x.net:issuer + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: consumersecret + + # -- additional labels for the pod + podLabels: {} + # -- additional annotations for the pod + podAnnotations: {} + # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment + podSecurityContext: + seccompProfile: + # -- Restrict a Container's Syscalls with seccomp + type: RuntimeDefault + # -- Runs all processes within a pod with a special uid + runAsUser: 10001 + # -- Processes within a pod will belong to this guid + runAsGroup: 10001 + # -- The owner for volumes and any files created within volumes will belong to this guid + fsGroup: 10001 + # -- The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod + securityContext: + capabilities: + # -- Specifies which capabilities to drop to reduce syscall attack surface + drop: + - ALL + # -- Specifies which capabilities to add to issue specialized syscalls + add: [] + # 
-- Whether the root filesystem is mounted in read-only mode + readOnlyRootFilesystem: true + # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID + allowPrivilegeEscalation: false + # -- Requires the container to run without root privileges + runAsNonRoot: true + # -- The container's process will run with the specified uid + runAsUser: 10001 + + # -- Extra environment variables that will be pass onto deployment pods + env: {} + # ENV_NAME: value + + # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. + # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core + envValueFrom: {} + # ENV_NAME: + # configMapKeyRef: + # name: configmap-name + # key: value_key + # secretKeyRef: + # name: secret-name + # key: value_key + + # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from + envSecretNames: [] + # - first-secret + # - second-secret + + # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from + envConfigMapNames: [] + # - first-config-map + # - second-config-map + + ## Ingress declaration to expose the network service. 
+ ingresses: + ## Public / Internet facing Ingress + - enabled: false + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "consumer-conn-dataplane.staging.construct-x.net" + className: "nginx" + annotations: + cert-manager.io/cluster-issuer: letsencrypt-staging + external-dns.alpha.kubernetes.io/hostname: "consumer-conn-dataplane.staging.construct-x.net" + external-dns.alpha.kubernetes.io/ttl: "300" + # -- EDC endpoints exposed by this ingress resource + endpoints: + - public + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + + tls: + # -- Enables TLS on the ingress resource + enabled: true + # -- If present overwrites the default secret name + secretName: "consumer-conn-dp-tls" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via cert-manager namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "letsencrypt-staging" + + # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container + volumeMounts: + # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories + volumes: + + # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container + resources: + limits: + # -- Maximum CPU limit + cpu: 1.5 + # -- Maximum memory limit + memory: 1024Mi + requests: + # -- Initial CPU request + cpu: 500m + # -- Initial memory request + memory: 1024Mi + + replicaCount: 1 + + autoscaling: + # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) + enabled: false + # -- Minimal replicas if resource 
consumption falls below resource threshholds + minReplicas: 1 + # -- Maximum replicas if resource consumption exceeds resource threshholds + maxReplicas: 100 + # -- targetAverageUtilization of cpu provided to a pod + targetCPUUtilizationPercentage: 80 + # -- targetAverageUtilization of memory provided to a pod + targetMemoryUtilizationPercentage: 80 + + # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics + opentelemetry: |- + otel.javaagent.enabled=false + otel.javaagent.debug=false + + + # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes + nodeSelector: {} + # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes + tolerations: [] + # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on + affinity: {} + url: + # -- Explicitly declared url for reaching the public api (e.g. if ingresses not used) + public: "" + +postgresql: + image: + repository: "bitnamilegacy/postgresql" + tag: "16.2.0-debian-12-r10" + jdbcUrl: "jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc" + primary: + persistence: + enabled: true + readReplicas: + persistence: + enabled: true + auth: + database: "edc" + username: "user" + password: "password" + +vault: + injector: + enabled: false + server: + dev: + enabled: true + devRootToken: "root" + postStart: # must be set externally! + hashicorp: + url: "http://{{ .Release.Name }}-vault:8200" + token: "root" + timeout: 30 + healthCheck: + enabled: true + standbyOk: true + paths: + secret: /v1/secret + health: /v1/sys/health + folder: "" \ No newline at end of file 
diff --git a/charts/tractusx-connector/values-provider.yaml b/charts/tractusx-connector/values-provider.yaml new file mode 100644 index 0000000000..a8f6fc74c8 --- /dev/null +++ b/charts/tractusx-connector/values-provider.yaml 
@@ -0,0 +1,687 @@ +################################################################################# +# Copyright (c) 2023,2024 ZF Friedrichshafen AG +# Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH +# Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) +# Copyright (c) 2021,2024 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +################################################################################# + +--- +# Default values for eclipse-dataspace-connector. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. 
+ +install: + postgresql: true + vault: true + +fullnameOverride: "" +nameOverride: "provider-conn" + +imagePullSecrets: [] +customLabels: {} + +participant: + id: "did:web:provider-idhub.staging.construct-x.net:provider" + +iatp: + id: "did:web:provider-idhub.staging.construct-x.net:provider" + trustedIssuerId: did:web:local-issuer-service.staging.construct-x.net:issuer + trustedIssuers: + - id: "did:web:local-issuer-service.staging.construct-x.net:issuer" + + sts: + div: + url: + oauth: + token_url: https://provider-idhub.staging.construct-x.net/api/sts/token + client: + # -- Client ID for requesting OAuth2 access token for DIV access + id: did:web:provider-idhub.staging.construct-x.net:provider + # -- Alias under which the client secret is stored in the vault for requesting OAuth2 access token for DIV access + secret_alias: providersecret + didService: + selfRegistration: + # -- Whether Service Self Registration is enabled + enabled: false + # -- Unique id of connector to be used for register / unregister service inside did document (must be valid URI) + id: "did:web:provider-idhub.staging.construct-x.net:provider" + # - Configures the Verifiable Presentation cache + cache: + # -- Whether the Verifiable Presentation cache is enabled + enabled: true + # -- Validity of the Verifiable Presentation cache in seconds + validity: 86400 + +# -- Add custom ca certificates to the truststore +customCaCerts: {} + +log4j2: + # -- Whether to enable the json log config in log4j2.config + enableJsonLogs: true + # -- Log4j2 configuration for json log formatting. 
+ config: |- + Appenders: + Console: + name: CONSOLE + JsonTemplateLayout: + eventTemplate: |- + { + "timestamp": { + "$resolver": "timestamp", + "pattern": { + "format": "yyyy-MM-dd'T'HH:mm:ss.SSSSSSS", + "timeZone": "UTC" + } + }, + "level": { + "$resolver": "level", + "field": "severity", + "severity": { + "field": "keyword" + } + }, + "message": { + "$resolver": "message" + } + } + Loggers: + Root: + level: "OFF" + Logger: + name: org.eclipse.edc.monitor.logger + level: DEBUG + AppenderRef: + ref: CONSOLE + +controlplane: + nameOverride: "provider-conn-controlplane" + fullnameOverride: "" + enabled: true + hostname: provider-conn-controlplane + image: + # -- Which derivate of the data plane to use. when left empty the deployment will select the correct image automatically + repository: "registry.onstackit.cloud/constructx/con-x-controlplane-postgresql-hashicorp-vault" + # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use + pullPolicy: IfNotPresent + # -- Overrides the image tag whose default is the chart appVersion + tag: "latest" + imagePullSecrets: + - name: registry-creds + initContainers: [] + debug: + # -- Enables java debugging mode. + enabled: false + # -- Port where the debuggee can connect to. + port: 1044 + # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. + suspendOnStart: false + logs: + # -- Defines the log granularity of the default Console Monitor. 
+ level: DEBUG + livenessProbe: + # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first liveness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + readinessProbe: + # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first readiness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a readiness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + + # -- endpoints of the control plane + endpoints: + # -- default api for health checks, should not be added to any ingress + default: + # -- port for incoming api calls + port: 9000 + # -- path for incoming api calls + path: /api + # -- data management api, used by internal users, can be added to an ingress and must not be internet facing + management: + # -- port for incoming api calls + port: 9010 + # -- path for incoming api calls + path: /management + # -- authentication key, must be attached to each request as `X-Api-Key` header + authKey: "password" + # -- if the JWKS url is set, the 
DelegatedAuth service will be engaged + jwksUrl: + + # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not + control: + # -- port for incoming api calls + port: 9050 + # -- path for incoming api calls + path: /control + # -- dsp api, used for inter connector communication and must be internet facing + protocol: + # -- port for incoming api calls + port: 9020 + # -- path for incoming api calls + path: /dsp + # -- metrics api, used for application metrics, must not be internet facing + validation: + # -- port for incoming api calls + port: 9030 + # -- path for incoming api calls + path: /validation + # -- dsp api, use + metrics: + # -- port for incoming api calls + port: 9090 + # -- path for incoming api calls + path: /metrics + + # -- configuration for policy engine + policy: + validation: + enabled: true + + service: + # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. 
+ type: ClusterIP + # -- additional labels for the service + labels: {} + # -- additional annotations for the service + annotations: {} + + # -- additional labels for the pod + podLabels: {} + # -- additional annotations for the pod + podAnnotations: {} + # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment + podSecurityContext: + seccompProfile: + # -- Restrict a Container's Syscalls with seccomp + type: RuntimeDefault + # -- Runs all processes within a pod with a special uid + runAsUser: 10001 + # -- Processes within a pod will belong to this guid + runAsGroup: 10001 + # -- The owner for volumes and any files created within volumes will belong to this guid + fsGroup: 10001 + # The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod + securityContext: + capabilities: + # -- Specifies which capabilities to drop to reduce syscall attack surface + drop: + - ALL + # -- Specifies which capabilities to add to issue specialized syscalls + add: [] + # -- Whether the root filesystem is mounted in read-only mode + readOnlyRootFilesystem: true + # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID + allowPrivilegeEscalation: false + # -- Requires the container to run without root privileges + runAsNonRoot: true + # -- The container's process will run with the specified uid + runAsUser: 10001 + + # -- Extra environment variables that will be pass onto deployment pods + env: {} + # ENV_NAME: value + + # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. 
+ # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core + envValueFrom: {} + # ENV_NAME: + # configMapKeyRef: + # name: configmap-name + # key: value_key + # secretKeyRef: + # name: secret-name + # key: value_key + + # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from + envSecretNames: [] + # - first-secret + # - second-secret + + # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from + envConfigMapNames: [] + # - first-config-map + # - second-config-map + + schema: + autocreate: true + + env: + EDC_IAM_DID_WEB_USE_HTTPS: true + EDC_IAM_ISSUER_ID: did:web:provider-idhub.staging.construct-x.net:provider + TX_EDC_POSTGRESQL_MIGRATION_ASSET_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_AGREEMENTBPNS_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_BPN_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_CONTRACTDEFINITION_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_CONTRACTNEGOTIATION_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_DATAPLANEINSTANCE_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_EDR_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_FEDERATEDCATALOG_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_JTI-VALIDATION_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_POLICY-MONITOR_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_POLICY_ENABLED: false + TX_EDC_POSTGRESQL_MIGRATION_TRANSFERPROCESS_ENABLED: false + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: providersecret + EDC_IAM_CREDENTIAL_REVOCATION_MIMETYPE: application/json + + ingresses: + - enabled: true + hostname: "provider-conn-controlplane.staging.construct-x.net" + className: "nginx" + annotations: + cert-manager.io/cluster-issuer: letsencrypt-staging + external-dns.alpha.kubernetes.io/hostname: "provider-conn-controlplane.staging.construct-x.net" + external-dns.alpha.kubernetes.io/ttl: "300" + endpoints: + - default + - protocol 
+ - management + - dsp + - validation + tls: + # -- Enables TLS on the ingress resource + enabled: true + # -- If present overwrites the default secret name + secretName: "provider-conn-cp-tls" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via cert-manager namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "letsencrypt-staging" + ## Private / Intranet facing Ingress + - enabled: false + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "provider-conn-controlplane.staging.construct-x.net" + # -- Additional ingress annotations to add + annotations: {} + # -- EDC endpoints exposed by this ingress resource + endpoints: + - control + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + className: "nginx" + # -- TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource + tls: + # -- Enables TLS on the ingress resource + enabled: false + # -- If present overwrites the default secret name + secretName: "" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via cert-manager namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "letsencrypt-staging" + + # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container + volumeMounts: + # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories + volumes: + + # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container + resources: + 
limits: + # -- Maximum CPU limit + cpu: 1.5 + # -- Maximum memory limit + memory: 1024Mi + requests: + # -- Initial CPU request + cpu: 500m + # -- Initial memory request + memory: 1024Mi + + replicaCount: 1 + + autoscaling: + # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) + enabled: false + # -- Minimal replicas if resource consumption falls below resource threshholds + minReplicas: 1 + # -- Maximum replicas if resource consumption exceeds resource threshholds + maxReplicas: 100 + # -- targetAverageUtilization of cpu provided to a pod + targetCPUUtilizationPercentage: 80 + # -- targetAverageUtilization of memory provided to a pod + targetMemoryUtilizationPercentage: 80 + + # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics + opentelemetry: |- + otel.javaagent.enabled=false + otel.javaagent.debug=false + + + # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes + nodeSelector: {} + # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes + tolerations: [] + # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on + affinity: {} + + url: + control: "https://provider-conn-controlplane.staging.construct-x.net/control" + # -- Explicitly declared url for reaching the dsp api (e.g. if ingresses not used) + protocol: "" + +dataplane: + nameOverride: "provider-conn-dataplane" + fullnameOverride: "" + enabled: true + hostname: provider-conn-dataplane + image: + # -- Which derivate of the data plane to use. 
when left empty the deployment will select the correct image automatically + repository: "registry.onstackit.cloud/constructx/con-x-dataplane-postgresql-hashicorp-vault" + # -- [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy) to use + pullPolicy: IfNotPresent + # -- Overrides the image tag whose default is the chart appVersion + tag: "latest" + imagePullSecrets: + - name: registry-creds + + initContainers: [] + debug: + # -- Enables java debugging mode. + enabled: false + # -- Port where the debuggee can connect to. + port: 1044 + # -- Defines if the JVM should wait with starting the application until someone connected to the debugging port. + suspendOnStart: false + + logs: + # -- Defines the log granularity of the default Console Monitor. + level: DEBUG + + livenessProbe: + # -- Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first liveness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + readinessProbe: + # -- Whether to enable kubernetes [readiness-probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) + enabled: true + # -- seconds to wait before performing the first readiness check + initialDelaySeconds: 30 + # -- this fields specifies that kubernetes should perform a liveness check every 10 seconds + periodSeconds: 10 + # -- number of seconds after which the probe times out + timeoutSeconds: 5 + # -- when 
a probe fails kubernetes will try 6 times before giving up + failureThreshold: 6 + # -- number of consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + + service: + # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. + type: ClusterIP + # -- additional labels for the service + labels: {} + # -- additional annotations for the service + annotations: {} + + # -- endpoints of the dataplane + endpoints: + # -- default api for health checks, should not be added to any ingress + default: + # -- port for incoming api calls + port: 8181 + # -- path for incoming api calls + path: /api + # -- public endpoint where the data can be fetched from if HttpPull was used. Must be internet facing. + public: + # -- port for incoming api calls + port: 9500 + # -- path for incoming api calls + path: /public + # -- control api, used for internal control calls. can be added to the internal ingress, but should probably not + control: + # -- port for incoming api calls + port: 9550 + # -- path for incoming api calls + path: /control + management: + # -- port for incoming api calls + port: 9510 + # -- path for incoming api calls + path: /management + # -- authentication key, must be attached to each request as `X-Api-Key` header + # -- metrics api, used for application metrics, must not be internet facing + metrics: + # -- port for incoming api calls + port: 9090 + # -- path for incoming api calls + path: /metrics + + token: + refresh: + # -- TTL in seconds for access tokens (also known as EDR token) + expiry_seconds: 300 + # -- Tolerance for token expiry in seconds + expiry_tolerance_seconds: 10 + # -- Optional endpoint for an OAuth2 token refresh. 
Default endpoint is `/token` + refresh_endpoint: + signer: + # -- Alias under which the private key (JWK or PEM format) is stored in the vault + privatekey_alias: prov_priv + verifier: + # -- Alias under which the public key (JWK or PEM format) is stored in the vault, that belongs to the private key which was referred to at `dataplane.token.signer.privatekey_alias` + publickey_alias: prov_pub + + schema: + autocreate: true + + env: + EDC_IAM_DID_WEB_USE_HTTPS: true + EDC_DATA_PLANE_SELF_UNREGISTRATION: true + EDC_IAM_CREDENTIAL_REVOCATION_MIMETYPE: application/json + EDC_IAM_ISSUER_ID: did:web:provider-idhub.staging.construct-x.net:provider + EDC_SQL_SCHEMA_AUTOCREATE: true + EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: did:web:local-issuer-service.staging.construct-x.net:issuer + EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: providersecret + + # -- additional labels for the pod + podLabels: {} + # -- additional annotations for the pod + podAnnotations: {} + # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment + podSecurityContext: + seccompProfile: + # -- Restrict a Container's Syscalls with seccomp + type: RuntimeDefault + # -- Runs all processes within a pod with a special uid + runAsUser: 10001 + # -- Processes within a pod will belong to this guid + runAsGroup: 10001 + # -- The owner for volumes and any files created within volumes will belong to this guid + fsGroup: 10001 + # -- The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod + securityContext: + capabilities: + # -- Specifies which capabilities to drop to reduce syscall attack surface + drop: + - ALL + # -- Specifies which capabilities to add to issue specialized syscalls + add: [] + # 
-- Whether the root filesystem is mounted in read-only mode + readOnlyRootFilesystem: true + # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID + allowPrivilegeEscalation: false + # -- Requires the container to run without root privileges + runAsNonRoot: true + # -- The container's process will run with the specified uid + runAsUser: 10001 + + # -- Extra environment variables that will be pass onto deployment pods + env: {} + # ENV_NAME: value + + # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated. + # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core + envValueFrom: {} + # ENV_NAME: + # configMapKeyRef: + # name: configmap-name + # key: value_key + # secretKeyRef: + # name: secret-name + # key: value_key + + # -- [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) names to load environment variables from + envSecretNames: [] + # - first-secret + # - second-secret + + # -- [Kubernetes ConfigMap Resource](https://kubernetes.io/docs/concepts/configuration/configmap/) names to load environment variables from + envConfigMapNames: [] + # - first-config-map + # - second-config-map + + ## Ingress declaration to expose the network service. 
+ ingresses: + ## Public / Internet facing Ingress + - enabled: true + # -- The hostname to be used to precisely map incoming traffic onto the underlying network service + hostname: "provider-conn-dataplane.staging.construct-x.net" + className: "nginx" + annotations: + cert-manager.io/cluster-issuer: letsencrypt-staging + external-dns.alpha.kubernetes.io/hostname: "provider-conn-dataplane.staging.construct-x.net" + external-dns.alpha.kubernetes.io/ttl: "300" + # -- EDC endpoints exposed by this ingress resource + endpoints: + - public + # -- Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use + + tls: + # -- Enables TLS on the ingress resource + enabled: true + # -- If present overwrites the default secret name + secretName: "provider-conn-dp-tls" + ## Adds [cert-manager](https://cert-manager.io/docs/) annotations to the ingress resource + certManager: + # -- If preset enables certificate generation via cert-manager namespace scoped issuer + issuer: "" + # -- If preset enables certificate generation via cert-manager cluster-wide issuer + clusterIssuer: "letsencrypt-staging" + + # -- declare where to mount [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) into the container + volumeMounts: + # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories + volumes: + + # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container + resources: + limits: + # -- Maximum CPU limit + cpu: 1.5 + # -- Maximum memory limit + memory: 1024Mi + requests: + # -- Initial CPU request + cpu: 500m + # -- Initial memory request + memory: 1024Mi + + replicaCount: 1 + + autoscaling: + # -- Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) + enabled: false + # -- Minimal replicas if resource 
consumption falls below resource threshholds + minReplicas: 1 + # -- Maximum replicas if resource consumption exceeds resource threshholds + maxReplicas: 100 + # -- targetAverageUtilization of cpu provided to a pod + targetCPUUtilizationPercentage: 80 + # -- targetAverageUtilization of memory provided to a pod + targetMemoryUtilizationPercentage: 80 + + # -- configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics + opentelemetry: |- + otel.javaagent.enabled=false + otel.javaagent.debug=false + + + # -- [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes + nodeSelector: {} + # -- [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes + tolerations: [] + # -- [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on + affinity: {} + url: + # -- Explicitly declared url for reaching the public api (e.g. if ingresses not used) + public: "" + +postgresql: + image: + repository: "bitnamilegacy/postgresql" + tag: "16.2.0-debian-12-r10" + jdbcUrl: "jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc" + primary: + persistence: + enabled: true + readReplicas: + persistence: + enabled: true + auth: + database: "edc" + username: "user" + password: "password" + +vault: + injector: + enabled: false + server: + dev: + enabled: true + devRootToken: "root" + postStart: # must be set externally! + hashicorp: + url: "http://{{ .Release.Name }}-vault:8200" + token: "root" + timeout: 30 + healthCheck: + enabled: true + standbyOk: true + paths: + secret: /v1/secret + health: /v1/sys/health + folder: "" \ No newline at end of file
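Review bot: The enabled public controlplane ingress in this file lists `default` and `management` under `endpoints`, while the file's own endpoint comments say the default api "should not be added to any ingress" and the management api "must not be internet facing", and the `authKey` protecting that management api is the literal `"password"`; drop `- default` and `- management` from that ingress (the second, `enabled: false` intranet ingress right below it is where `management` belongs, alongside `control`). The same hunk commits credentials that should live in a secret store rather than a values file: `postgresql.auth.password: "password"`, `vault.server.dev.enabled: true` with `devRootToken: "root"`, and `vault.hashicorp.token: "root"`, and values-consumer.yaml in the previous hunk repeats the same postgres and vault values. A dev-mode Vault also keeps its data in memory, so the `prov_priv`/`prov_pub` aliases and the `providersecret` alias referenced by the dataplane and STS settings are lost on every pod restart; if this file is meant for staging only, a comment such as `# staging-only: dev-mode vault with a well-known root token, replace with an external server before any shared deployment` on the `vault:` key would make that intent explicit next to the existing `# must be set externally!` remark. Lastly, `tag: "latest"` together with `pullPolicy: IfNotPresent` on both the controlplane and dataplane images makes the deployment non-reproducible across nodes; pinning a tag or digest is the usual fix.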