diff --git a/.github/workflows/chart-lint.yml b/.github/workflows/chart-lint.yml
index eee32d904..c898ba393 100644
--- a/.github/workflows/chart-lint.yml
+++ b/.github/workflows/chart-lint.yml
@@ -1,87 +1,87 @@ -################################################################################ -# Copyright (c) 2021,2023 Contributors to the Eclipse Foundation -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0. -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -################################################################################ +# /******************************************************************************** +# * Copyright (c) 2021,2023 Contributors to the Eclipse Foundation +# * +# * See the NOTICE file(s) distributed with this work for additional +# * information regarding copyright ownership. +# * +# * This program and the accompanying materials are made available under the +# * terms of the Apache License, Version 2.0 which is available at +# * https://www.apache.org/licenses/LICENSE-2.0. +# * +# * Unless required by applicable law or agreed to in writing, software +# * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# * License for the specific language governing permissions and limitations +# * under the License. 
+# * +# * SPDX-License-Identifier: Apache-2.0 +# ********************************************************************************/ -# name: Lint and Test Charts +name: Lint and Test Charts -# # Run chart linting and tests on each pull request -# on: -# pull_request: -# paths: -# - 'charts/**' +# Run chart linting and tests on each pull request +on: + pull_request: + paths: + - 'charts/**' -# jobs: -# chart-lint: -# runs-on: ubuntu-latest -# steps: -# - name: Checkout -# uses: actions/checkout@v2 -# with: -# fetch-depth: 0 +jobs: + chart-lint: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v2 + with: + fetch-depth: 0 -# - name: Set up Helm -# uses: azure/setup-helm@v3 -# with: -# version: v3.11.3 + - name: Set up Helm + uses: azure/setup-helm@v3 + with: + version: v3.11.3 -# - name: Update Helm dependencies -# run: | -# cd charts/managed-identity-wallet -# helm dependency update + - name: Update Helm dependencies + run: | + cd charts/managed-identity-wallet + helm dependency update -# - name: Install Helm unittest plugin -# run: | -# helm plugin install https://github.com/helm-unittest/helm-unittest.git + - name: Install Helm unittest plugin + run: | + helm plugin install https://github.com/helm-unittest/helm-unittest.git -# # Setup python as a prerequisite for chart linting -# - uses: actions/setup-python@v2 -# with: -# python-version: 3.7 + # Setup python as a prerequisite for chart linting + - uses: actions/setup-python@v2 + with: + python-version: 3.9 -# - name: Set up chart-testing -# uses: helm/chart-testing-action@v2.3.1 + - name: Set up chart-testing + uses: helm/chart-testing-action@v2.3.1 -# - name: Install Task -# uses: arduino/setup-task@v1 + - name: Install Task + uses: arduino/setup-task@v1 -# - name: Run chart-testing (list-changed) -# id: list-changed -# run: | -# changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }}) -# if [[ -n "$changed" ]]; then -# echo "::set-output 
name=changed::true" -# fi + - name: Run chart-testing (list-changed) + id: list-changed + run: | + changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }}) + if [[ -n "$changed" ]]; then + echo "::set-output name=changed::true" + fi -# # run chart linting -# - name: Run chart-testing (lint) -# run: ct lint --config charts/chart-testing-config.yaml --charts ./charts/managed-identity-wallet + # run chart linting + - name: Run chart-testing (lint) + run: ct lint --config charts/chart-testing-config.yaml --charts ./charts/managed-identity-wallet -# # run chart unittest -# - name: Run Helm unittests -# run: task helm:unittest + # run chart unittest + - name: Run Helm unittests + run: task helm:unittest -# # Preparing a kind cluster to install and test charts on -# - name: Create kind cluster -# uses: helm/kind-action@v1.7.0 -# if: steps.list-changed.outputs.changed == 'true' + # Preparing a kind cluster to install and test charts on + - name: Create kind cluster + uses: helm/kind-action@v1.7.0 + if: steps.list-changed.outputs.changed == 'true' -# # install the chart to the kind cluster and run helm test -# # define charts to test with the --charts parameter -# - name: Run chart-testing (install) -# run: ct install --charts charts/managed-identity-wallet --config charts/chart-testing-config.yaml -# if: steps.list-changed.outputs.changed == 'true' + # install the chart to the kind cluster and run helm test + # define charts to test with the --charts parameter + - name: Run chart-testing (install) + run: ct install --charts charts/managed-identity-wallet --config charts/chart-testing-config.yaml + if: steps.list-changed.outputs.changed == 'true' diff --git a/charts/managed-identity-wallet/Chart.lock b/charts/managed-identity-wallet/Chart.lock index 665a873a6..dcbfd7103 100644 --- a/charts/managed-identity-wallet/Chart.lock +++ b/charts/managed-identity-wallet/Chart.lock 
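Review bot: `helm plugin install https://github.com/helm-unittest/helm-unittest.git` in the "Install Helm unittest plugin" step fetches and executes whatever the plugin repository publishes at run time, so every lint run trusts a moving target; pin it with `helm plugin install --version <PINNED_VERSION> https://github.com/helm-unittest/helm-unittest.git`, and the `@v2`/`@v3`/`@v1` action references could likewise be pinned to commit SHAs. The `echo "::set-output name=changed::true"` line in the list-changed step uses the deprecated workflow command; `echo "changed=true" >> "$GITHUB_OUTPUT"` is the supported form. The workflow declares no `permissions:` block, so the job runs with the repository's default token scope although linting only needs `permissions: contents: read`. `python-version: 3.9` is an unquoted float and would read as `3.1` if ever bumped to 3.10; `python-version: "3.9"` avoids that.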
@@ -2,5 +2,5 @@ dependencies:
 - name: postgresql
 repository: https://charts.bitnami.com/bitnami
 version: 11.9.13
-digest: sha256:051285066cef2799e39e2953c4abd405c36510a09e9e1bd1833a29224daffddb
-generated: "2023-05-31T12:06:07.066291+02:00"
+digest: sha256:09e3316dcc19431e38274d225f5749fe197f70e92209418bbe63c9df83a44df7
+generated: "2023-08-02T09:02:48.457769+02:00"
diff --git a/charts/managed-identity-wallet/Chart.yaml b/charts/managed-identity-wallet/Chart.yaml
index e726f719e..753b45e2b 100644
--- a/charts/managed-identity-wallet/Chart.yaml
+++ b/charts/managed-identity-wallet/Chart.yaml
@@ -25,7 +25,7 @@ description: |
 type: application
-version: 1.0.1
+version: 1.1.0
 appVersion: 0.0.1
 home: https://github.com/eclipse-tractusx/managed-identity-wallet
@@ -45,4 +45,4 @@ dependencies:
 - name: postgresql
 version: 11.9.13
 repository: https://charts.bitnami.com/bitnami
- condition: postgresql.enabled
+ condition: postgresql.internal.enabled
diff --git a/charts/managed-identity-wallet/README.md b/charts/managed-identity-wallet/README.md
index c1dde17a2..f894b2787 100644
--- a/charts/managed-identity-wallet/README.md
+++ b/charts/managed-identity-wallet/README.md
@@ -1,6 +1,6 @@ # managed-identity-wallet -![Version: 1.0.1](https://img.shields.io/badge/Version-1.0.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.1](https://img.shields.io/badge/AppVersion-0.0.1-informational?style=flat-square) +![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.1](https://img.shields.io/badge/AppVersion-0.0.1-informational?style=flat-square) Managed Identity Wallet is supposed to supply a secure data source and data sink for Digital Identity Documents (DID), in order to enable Self-Sovereign Identity founding on those DIDs. And at the same it shall support an uninterrupted tracking and tracing and documenting the usage of those DIDs, e.g., within logistical supply chains. 
@@ -55,21 +55,51 @@ See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command document | backup.database.storage.diskSize | string | `"10G"` | Disk size for backup content | | backup.database.storage.keepStorage | bool | `true` | Set to true, if the PV should stay even when the chart release is uninstalled | | backup.database.storage.storageClassName | string | `"-"` | storageClassName | -| envs | object | `{}` | Parameters for the application (will be provided as plain environment variables) | +| envs | object | `{"APPLICATION_ENVIRONMENT":"dev","AUTHORITY_WALLET_BPN":"","AUTHORITY_WALLET_DID":"","AUTHORITY_WALLET_NAME":"","AUTH_SERVER_URL":"","DB_POOL_SIZE":"","KEYCLOAK_MIW_PUBLIC_CLIENT":"","KEYCLOAK_REALM":"","MANAGEMENT_PORT":null,"MIW_HOST_NAME":"localhost","USE_SSL":false,"VC_EXPIRY_DATE":"","VC_SCHEMA_LINK":""}` | Parameters for the application (will be provided as plain environment variables) | +| envs.APPLICATION_ENVIRONMENT | string | `"dev"` | Application environments like dev, int, prod | +| envs.AUTHORITY_WALLET_BPN | string | `""` | Authority/base wallet/root wallet BPN | +| envs.AUTHORITY_WALLET_DID | string | `""` | Authority/base wallet/root wallet web did | +| envs.AUTHORITY_WALLET_NAME | string | `""` | Authority/base wallet/root wallet name | +| envs.AUTH_SERVER_URL | string | `""` | Keycloak server url | +| envs.DB_POOL_SIZE | string | `""` | Initial database connection pool size | +| envs.KEYCLOAK_MIW_PUBLIC_CLIENT | string | `""` | Keycloak public client id, used only if we want to enable login in swagger using keycloak | +| envs.KEYCLOAK_REALM | string | `""` | Keycloak realm name | +| envs.MANAGEMENT_PORT | string | `nil` | Spring actuator port | +| envs.MIW_HOST_NAME | string | `"localhost"` | Hostname of miw application | +| envs.USE_SSL | bool | `false` | Whether database connection with SSL, true if the database connection is done using SSL | +| envs.VC_EXPIRY_DATE | string | `""` | Default expiry date of issued VC | +| 
envs.VC_SCHEMA_LINK | string | `""` | Verifiable credential schema URL, which will be part of @context in VC | | fullnameOverride | string | `""` | | -| image | object | `{"pullPolicy":"Always","repository":"ghcr.io/catenax-ng/tx-managed-identity-wallets_miw_service","tag":""}` | Image of the main container | +| image | object | `{"pullPolicy":"Always","repository":"tractusx/managed-identity-wallet","tag":""}` | Image of the main container | | image.pullPolicy | string | `"Always"` | PullPolicy | -| image.repository | string | `"ghcr.io/catenax-ng/tx-managed-identity-wallets_miw_service"` | Image repository | +| image.repository | string | `"tractusx/managed-identity-wallet"` | Image repository | | image.tag | string | `""` | Image tag (empty one will use "appVersion" value from chart definition) | -| imagePullSecrets | list | `[{"name":"acr-credential"}]` | Credentials for a private repo | +| imagePullSecrets | list | `[]` | Credentials name for private repos | | ingress | object | `{"annotations":{},"enabled":false,"hosts":[{"host":"chart-example.local","paths":[{"path":"/","pathType":"ImplementationSpecific"}]}],"tls":[]}` | Ingress configuration | | nameOverride | string | `""` | | | nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector configuration | | podAnnotations | object | `{}` | PodAnnotation configuration | | podSecurityContext | object | `{}` | PodSecurityContext | +| postgresql | object | `{"auth":{"database":"miw","username":"miw"},"external":{"auth":{"existingSecret":"","existingSecretKey":"password","password":"","username":""},"config":{"database":"","host":"","port":5432}},"internal":{"enabled":true}}` | Configuration of the Postgresql database (internal and external) | +| postgresql.auth | object | `{"database":"miw","username":"miw"}` | Default settings for the primary database and user | +| postgresql.auth.database | string | `"miw"` | MIW database name | +| postgresql.auth.username | string | `"miw"` | username for MIW 
database | +| postgresql.external | object | `{"auth":{"existingSecret":"","existingSecretKey":"password","password":"","username":""},"config":{"database":"","host":"","port":5432}}` | Configure own postgresql database | +| postgresql.external.auth.existingSecret | string | `""` | Existing secret with provided password | +| postgresql.external.auth.existingSecretKey | string | `"password"` | Key name of password in secret | +| postgresql.external.auth.password | string | `""` | DB password | +| postgresql.external.auth.username | string | `""` | DB username | +| postgresql.external.config | object | `{"database":"","host":"","port":5432}` | General config | +| postgresql.external.config.database | string | `""` | Existing database to use | +| postgresql.external.config.host | string | `""` | Instance host or IP | +| postgresql.external.config.port | int | `5432` | Instance port | +| postgresql.internal | object | `{"enabled":true}` | Configure bundled postgresql | +| postgresql.internal.enabled | bool | `true` | Enable bundled database | | replicaCount | int | `1` | The amount of replicas to run | | resources | object | `{"limits":{"cpu":4,"memory":"1Gi"},"requests":{"cpu":"250m","memory":"500Mi"}}` | Resource boundaries | -| secrets | object | `{}` | Parameters for the application (will be stored as secrets - so, for passwords, ...) | +| secrets | object | `{"ENCRYPTION_KEY":"","KEYCLOAK_CLIENT_ID":""}` | Parameters for the application (will be stored as secrets - so, for important values, ...) 
| +| secrets.ENCRYPTION_KEY | string | `""` | AES encryption key used to encrypt/decrypt private keys (random 32 chars) | +| secrets.KEYCLOAK_CLIENT_ID | string | `""` | Keycloak confidential client id for MIW application | | securityContext | object | `{"allowPrivilegeEscalation":false,"privileged":false,"runAsGroup":11111,"runAsNonRoot":true,"runAsUser":11111}` | Preconfigured SecurityContext | | service | object | `{"port":8080,"type":"ClusterIP"}` | Service configuration | | serviceAccount | object | `{"annotations":{},"create":true,"name":""}` | ServiceAccount configuration | diff --git a/charts/managed-identity-wallet/templates/backup/cronjob.yaml b/charts/managed-identity-wallet/templates/backup/cronjob.yaml index 9c6108fc5..b435e1c7b 100644 --- a/charts/managed-identity-wallet/templates/backup/cronjob.yaml +++ b/charts/managed-identity-wallet/templates/backup/cronjob.yaml @@ -17,7 +17,7 @@ # * SPDX-License-Identifier: Apache-2.0 # ********************************************************************************/ -{{ if .Values.backup.database.enabled -}} +{{ if and .Values.backup.database.enabled .Values.postgresql.internal.enabled -}} apiVersion: batch/v1 kind: CronJob metadata: @@ -41,13 +41,13 @@ spec: - "/bin/sh" args: - "-c" - - 'pg_dump -v -Fc -U {{ .Values.secrets.DB_USER_NAME }} -h {{ .Values.envs.DB_HOST }} miw > /backup/miw-postgres-$(date +"%m-%d-%Y-%H:%M:%S").pgdump' + - 'pg_dump -v -Fc -U {{ .Values.postgresql.auth.username }} -h {{ .Release.Name }}-postgresql {{ .Values.postgresql.auth.database }} > /backup/miw-postgres-$(date +"%m-%d-%Y-%H:%M:%S").pgdump' env: - name: PGPASSWORD valueFrom: secretKeyRef: - name: {{ include "managed-identity-wallet.fullname" . }} - key: DB_PASSWORD + name: {{ .Release.Name }}-postgresql + key: password restartPolicy: Never volumes: - name: data diff --git a/charts/managed-identity-wallet/templates/deployment.yaml b/charts/managed-identity-wallet/templates/deployment.yaml index a6e0d38d0..dddcc4234 100644 
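Review bot: With the new guard `{{ if and .Values.backup.database.enabled .Values.postgresql.internal.enabled -}}`, a release that sets `backup.database.enabled: true` together with `postgresql.internal.enabled: false` silently renders no CronJob, so an operator on an external database gets neither a backup nor a warning; a comment above the guard such as `# Backups are only rendered for the bundled database; an external database must be backed up by its own means` (mirrored in values.yaml) makes that explicit, or the combination could be rejected with `fail`. The `-h {{ .Release.Name }}-postgresql` host in the pg_dump line and the `name: {{ .Release.Name }}-postgresql` secret reference both hard-code the subchart's default naming; if `nameOverride` or `fullnameOverride` is set under `postgresql`, both presumably break, so the assumption deserves a one-line comment. The templated username and database name are also spliced into the shell string unquoted, so a value containing whitespace or shell metacharacters would split the command; the chart should at least document that only plain identifiers are supported there.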
--- a/charts/managed-identity-wallet/templates/deployment.yaml +++ b/charts/managed-identity-wallet/templates/deployment.yaml @@ -53,18 +53,52 @@ spec: env: - name: APPLICATION_PORT value: "8080" + {{- if .Values.postgresql.internal.enabled }} + - name: DB_HOST + value: {{ .Release.Name }}-postgresql + - name: DB_USER_NAME + value: {{ .Values.postgresql.auth.username }} + - name: DB_NAME + value: {{ .Values.postgresql.auth.database }} + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-postgresql + key: password + {{- else }} + - name: DB_HOST + value: {{ .Values.postgresql.external.config.host }} + - name: DB_PORT + value: {{ .Values.postgresql.external.config.port | quote }} + - name: DB_USER_NAME + value: {{ .Values.postgresql.external.auth.username }} + - name: DB_NAME + value: {{ .Values.postgresql.external.config.database }} + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.postgresql.external.auth.existingSecret }} + name: {{ .Values.postgresql.external.auth.existingSecret }} + key: {{ .Values.postgresql.external.auth.existingSecretKey }} + {{- else }} + name: {{ include "managed-identity-wallet.fullname" . }}-postgresql + key: password + {{- end }} + {{- end }} {{- if or .Values.envs .Values.secrets }} {{- range $key, $val := .Values.envs }} + {{- if $val }} - name: {{ $key }} - value: {{ $val }} - {{- end}} + value: {{ $val | quote }} + {{- end }} + {{- end }} {{- range $key, $val := .Values.secrets }} - name: {{ $key }} valueFrom: secretKeyRef: name: {{ include "managed-identity-wallet.fullname" $ }} key: {{ $key }} - {{- end}} + {{- end }} {{- end }} ports: - name: http diff --git a/charts/managed-identity-wallet/templates/secret-database.yaml b/charts/managed-identity-wallet/templates/secret-database.yaml new file mode 100644 index 000000000..8b5cfa3a7 --- /dev/null +++ b/charts/managed-identity-wallet/templates/secret-database.yaml 
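Review bot: The new `DB_HOST`, `DB_USER_NAME` and `DB_NAME` entries in both branches emit their values unquoted (`value: {{ .Values.postgresql.auth.username }}`, `value: {{ .Values.postgresql.external.config.host }}`, …), while `DB_PORT` and the generic `envs` loop in the same hunk use `| quote`; with the documented default `""` for the external `host`, `database` and `username`, the line renders as `value:` (YAML null) and the Pod spec is rejected, and a numeric-looking value would be typed as a number. Quoting all six keeps each element a string in every case. Separately, the added `{{- if $val }}` filter on the `envs` range drops every value that is falsy in Go templates, which includes a boolean `false` and `0`, not only the empty defaults it is presumably meant to skip — if `USE_SSL: false` is the YAML boolean the README hunk lists, it would not render; `{{- if and (not (kindIs "invalid" $val)) (ne (toString $val) "") }}` skips only nil and empty strings.
```yaml
            {{- if .Values.postgresql.internal.enabled }}
            - name: DB_HOST
              value: {{ printf "%s-postgresql" .Release.Name | quote }}
            - name: DB_USER_NAME
              value: {{ .Values.postgresql.auth.username | quote }}
            - name: DB_NAME
              value: {{ .Values.postgresql.auth.database | quote }}
            # … unchanged: DB_PASSWORD secretKeyRef …
            {{- else }}
            - name: DB_HOST
              value: {{ .Values.postgresql.external.config.host | quote }}
            # … unchanged: DB_PORT …
            - name: DB_USER_NAME
              value: {{ .Values.postgresql.external.auth.username | quote }}
            - name: DB_NAME
              value: {{ .Values.postgresql.external.config.database | quote }}
            # … unchanged: DB_PASSWORD secretKeyRef, closing end …
            {{- range $key, $val := .Values.envs }}
            {{- if and (not (kindIs "invalid" $val)) (ne (toString $val) "") }}
            - name: {{ $key }}
              value: {{ $val | quote }}
            {{- end }}
            {{- end }}
            # … unchanged: secrets range …
```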
@@ -0,0 +1,30 @@ +# /******************************************************************************** +# * Copyright (c) 2021,2023 Contributors to the Eclipse Foundation +# * +# * See the NOTICE file(s) distributed with this work for additional +# * information regarding copyright ownership. +# * +# * This program and the accompanying materials are made available under the +# * terms of the Apache License, Version 2.0 which is available at +# * https://www.apache.org/licenses/LICENSE-2.0. +# * +# * Unless required by applicable law or agreed to in writing, software +# * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# * License for the specific language governing permissions and limitations +# * under the License. +# * +# * SPDX-License-Identifier: Apache-2.0 +# ********************************************************************************/ + +{{- if and (not .Values.postgresql.internal.enabled) ( not .Values.postgresql.external.auth.existingSecret ) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "managed-identity-wallet.fullname" . }}-postgresql + labels: + {{- include "managed-identity-wallet.labels" . | nindent 4 }} +type: Opaque +data: + password: {{ .Values.postgresql.external.auth.password | b64enc }} +{{- end -}} diff --git a/charts/managed-identity-wallet/tests/custom-values/backup/cronjob_test.yaml b/charts/managed-identity-wallet/tests/custom-values/backup/cronjob_test.yaml index 5d23ee352..7eab8720d 100644 --- a/charts/managed-identity-wallet/tests/custom-values/backup/cronjob_test.yaml +++ b/charts/managed-identity-wallet/tests/custom-values/backup/cronjob_test.yaml @@ -77,8 +77,8 @@ tests: name: PGPASSWORD valueFrom: secretKeyRef: - name: RELEASE-NAME-managed-identity-wallet - key: DB_PASSWORD + name: RELEASE-NAME-postgresql + key: password - it: should have default command and args asserts: 
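Review bot: `password: {{ .Values.postgresql.external.auth.password | b64enc }}` renders a Secret holding an empty password when the external database is selected, no `existingSecret` is given and `postgresql.external.auth.password` is left at its documented default `""`, so a misconfigured release passes templating and fails only when the application tries to connect; `password: {{ required "postgresql.external.auth.password must be set when postgresql.internal.enabled is false and no existingSecret is given" .Values.postgresql.external.auth.password | b64enc }}` turns that into a render-time error. The template only ever writes the key `password`, which matches the `key: password` the Deployment reads in the same case, but a one-line comment above the `if` stating that this Secret exists solely for the inline-password path of an external database would help readers who find the chart writing a database password into a release-managed Secret. Because an inline password is also visible through `helm get values`, the README entry for `postgresql.external.auth.password` could point to `existingSecret` as the preferred option.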
@@ -90,4 +90,11 @@ tests: path: spec.jobTemplate.spec.template.spec.containers[0].args value: - "-c" - - 'pg_dump -v -Fc -U dbuser -h postgres-host miw > /backup/miw-postgres-$(date +"%m-%d-%Y-%H:%M:%S").pgdump' + - 'pg_dump -v -Fc -U miw -h RELEASE-NAME-postgresql miw > /backup/miw-postgres-$(date +"%m-%d-%Y-%H:%M:%S").pgdump' + + - it: should not render, if external DB is used + set: + postgresql.internal.enabled: false + asserts: + - hasDocuments: + count: 0 diff --git a/charts/managed-identity-wallet/tests/custom-values/deployment_test.yaml b/charts/managed-identity-wallet/tests/custom-values/deployment_test.yaml index 7433cdf54..49442cef7 100644 --- a/charts/managed-identity-wallet/tests/custom-values/deployment_test.yaml +++ b/charts/managed-identity-wallet/tests/custom-values/deployment_test.yaml 
@@ -40,91 +40,36 @@ tests: path: spec.template.spec.containers[0].env - lengthEqual: path: spec.template.spec.containers[0].env - count: 5 - - contains: - path: spec.template.spec.containers[0].env - content: - name: APPLICATION_PORT - value: "8080" - - contains: - path: spec.template.spec.containers[0].env - content: - name: DB_HOST - value: postgres-host - - contains: - path: spec.template.spec.containers[0].env - content: - name: MIW_HOST_NAME - value: miw - - contains: - path: spec.template.spec.containers[0].env - content: - name: DB_PASSWORD - valueFrom: - secretKeyRef: - key: DB_PASSWORD - name: RELEASE-NAME-managed-identity-wallet - - contains: - path: spec.template.spec.containers[0].env - content: - name: DB_USER_NAME - valueFrom: - secretKeyRef: - key: DB_USER_NAME - name: RELEASE-NAME-managed-identity-wallet - - - it: should have environment variables set (only envs set) - values: - - values-envs.yml - asserts: - - isNotEmpty: - path: spec.template.spec.containers[0].env - - lengthEqual: - path: spec.template.spec.containers[0].env - count: 3 - - contains: - path: spec.template.spec.containers[0].env - content: - name: APPLICATION_PORT - value: "8080" - - contains: - path: spec.template.spec.containers[0].env - content: - name: DB_HOST - value: postgres-host - - contains: - path: spec.template.spec.containers[0].env - content: - name: MIW_HOST_NAME - value: miw - - - it: should have environment variables set (envs and secrets set) - values: - - values-secrets.yml - asserts: - - isNotEmpty: - path: spec.template.spec.containers[0].env - - lengthEqual: - path: spec.template.spec.containers[0].env - count: 3 - - contains: - path: spec.template.spec.containers[0].env - content: - name: APPLICATION_PORT - value: "8080" - - contains: - path: spec.template.spec.containers[0].env - content: - name: DB_PASSWORD - valueFrom: - secretKeyRef: - key: DB_PASSWORD - name: RELEASE-NAME-managed-identity-wallet - - contains: - path: spec.template.spec.containers[0].env - 
content: - name: DB_USER_NAME - valueFrom: - secretKeyRef: - key: DB_USER_NAME - name: RELEASE-NAME-managed-identity-wallet + count: 10 # One hard-wired, four because Values.postgresql.internal.enabled == true and five from values.yaml "secrets" and "envs" + - equal: + path: spec.template.spec.containers[0].env + value: + - name: APPLICATION_PORT + value: "8080" + - name: DB_HOST + value: "RELEASE-NAME-postgresql" + - name: DB_USER_NAME + value: "miw" + - name: DB_NAME + value: "miw" + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: RELEASE-NAME-postgresql + - name: APPLICATION_ENVIRONMENT + value: "dev" + - name: MIW_HOST_NAME + value: "localhost" + - name: USE_SSL + value: "false" + - name: ENCRYPTION_KEY + valueFrom: + secretKeyRef: + key: ENCRYPTION_KEY + name: RELEASE-NAME-managed-identity-wallet + - name: KEYCLOAK_CLIENT_ID + valueFrom: + secretKeyRef: + key: KEYCLOAK_CLIENT_ID + name: RELEASE-NAME-managed-identity-wallet diff --git a/charts/managed-identity-wallet/tests/custom-values/secret-database_test.yaml b/charts/managed-identity-wallet/tests/custom-values/secret-database_test.yaml new file mode 100644 index 000000000..0f53f5b9e --- /dev/null +++ b/charts/managed-identity-wallet/tests/custom-values/secret-database_test.yaml 
@@ -0,0 +1,46 @@
+# /********************************************************************************
+# * Copyright (c) 2021,2023 Contributors to the Eclipse Foundation
+# *
+# * See the NOTICE file(s) distributed with this work for additional
+# * information regarding copyright ownership.
+# *
+# * This program and the accompanying materials are made available under the
+# * terms of the Apache License, Version 2.0 which is available at
+# * https://www.apache.org/licenses/LICENSE-2.0.
+# *
+# * Unless required by applicable law or agreed to in writing, software
+# * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# * License for the specific language governing permissions and limitations
+# * under the License.
+# *
+# * SPDX-License-Identifier: Apache-2.0
+# ********************************************************************************/
+
+suite: test custom-values secret for database
+chart:
+ version: 9.9.9+test
+ appVersion: 9.9.9
+templates:
+ - templates/secret-database.yaml
+values:
+ - values-external-db.yml
+tests:
+ - it: should have own database secret enabled
+ asserts:
+ - hasDocuments:
+ count: 1
+
+ - it: should have correct password set
+ asserts:
+ - equal:
+ path: data.password
+ value: pass
+ decodeBase64: true
+
+ - it: should have own database secret disabled, when "existingSecret" is provided
+ set:
+ postgresql.external.auth.existingSecret: own-secret
+ asserts:
+ - hasDocuments:
+ count: 0
diff --git a/charts/managed-identity-wallet/tests/custom-values/secret_test.yaml b/charts/managed-identity-wallet/tests/custom-values/secret_test.yaml
index 3bc1560ca..ead9d9ccd 100644
--- a/charts/managed-identity-wallet/tests/custom-values/secret_test.yaml
+++ b/charts/managed-identity-wallet/tests/custom-values/secret_test.yaml
@@ -56,11 +56,8 @@ tests: - it: must have values in data asserts: - - equal: - path: data.DB_USER_NAME - value: dbuser - decodeBase64: true - - equal: - path: data.DB_PASSWORD - value: password - decodeBase64: true + - exists: + path: data.KEYCLOAK_CLIENT_ID + - exists: + path: data.ENCRYPTION_KEY + diff --git a/charts/managed-identity-wallet/tests/custom-values/values-secrets.yml b/charts/managed-identity-wallet/tests/custom-values/values-external-db.yml similarity index 78% rename from charts/managed-identity-wallet/tests/custom-values/values-secrets.yml rename to charts/managed-identity-wallet/tests/custom-values/values-external-db.yml index ca85427c3..61471d5fe 100644 --- a/charts/managed-identity-wallet/tests/custom-values/values-secrets.yml +++ b/charts/managed-identity-wallet/tests/custom-values/values-external-db.yml @@ -17,6 +17,19 @@ # * SPDX-License-Identifier: Apache-2.0 # ********************************************************************************/ -secrets: - DB_USER_NAME: dbuser - DB_PASSWORD: password +image: + tag: "latest" + +postgresql: + internal: + enabled: false + external: + config: + host: localhost + port: 5432 + database: miw + auth: + username: user + password: pass + existingSecret: "" + existingSecretKey: password diff --git a/charts/managed-identity-wallet/tests/custom-values/values.yml b/charts/managed-identity-wallet/tests/custom-values/values.yml index cf3cdb466..0eed63a53 100644 --- a/charts/managed-identity-wallet/tests/custom-values/values.yml +++ b/charts/managed-identity-wallet/tests/custom-values/values.yml @@ -20,14 +20,6 @@ image: tag: "latest" -secrets: - DB_USER_NAME: dbuser - DB_PASSWORD: password - -envs: - DB_HOST: postgres-host - MIW_HOST_NAME: miw - ingress: enabled: true annotations: diff --git a/charts/managed-identity-wallet/tests/default/deployment_test.yaml b/charts/managed-identity-wallet/tests/default/deployment_test.yaml index 4a42a9fdd..54570cd54 100644 
--- a/charts/managed-identity-wallet/tests/default/deployment_test.yaml +++ b/charts/managed-identity-wallet/tests/default/deployment_test.yaml @@ -41,7 +41,7 @@ tests: app.kubernetes.io/version: "9.9.9" app.kubernetes.io/managed-by: Helm - - it: must have important values set + - it: should have important values set asserts: - equal: path: spec.replicas @@ -58,14 +58,14 @@ tests: containerPort: 8080 protocol: TCP - - it: must have probes set + - it: should have probes set asserts: - isNotEmpty: path: spec.template.spec.containers[0].livenessProbe - isNotEmpty: path: spec.template.spec.containers[0].readinessProbe - - it: must have resource limits set + - it: should have resource limits set asserts: - isNotEmpty: path: spec.template.spec.containers[0].resources @@ -82,7 +82,7 @@ tests: - isNotEmpty: path: spec.template.spec.containers[0].resources.requests.memory - - it: must have a security context + - it: should have a security context asserts: - isSubset: path: spec.template.spec.containers[0].securityContext 
@@ -99,7 +99,39 @@ tests: path: spec.template.spec.containers[0].env - lengthEqual: path: spec.template.spec.containers[0].env - count: 1 + count: 10 # One hard-wired, four because Values.postgresql.internal.enabled == true and five from values.yaml "secrets" and "envs" + - equal: + path: spec.template.spec.containers[0].env + value: + - name: APPLICATION_PORT + value: "8080" + - name: DB_HOST + value: "RELEASE-NAME-postgresql" + - name: DB_USER_NAME + value: "miw" + - name: DB_NAME + value: "miw" + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: RELEASE-NAME-postgresql + - name: APPLICATION_ENVIRONMENT + value: "dev" + - name: MIW_HOST_NAME + value: "localhost" + - name: USE_SSL + value: "false" + - name: ENCRYPTION_KEY + valueFrom: + secretKeyRef: + key: ENCRYPTION_KEY + name: RELEASE-NAME-managed-identity-wallet + - name: KEYCLOAK_CLIENT_ID + valueFrom: + secretKeyRef: + key: KEYCLOAK_CLIENT_ID + name: RELEASE-NAME-managed-identity-wallet - it: should have empty values asserts: @@ -116,3 +148,8 @@ tests: path: spec.template.spec.nodeSelector content: "kubernetes.io/os": linux + + - it: should not have "imagePullSecrets" set + asserts: + - notExists: + path: spec.template.spec.imagePullSecrets diff --git a/charts/managed-identity-wallet/tests/custom-values/values-envs.yml b/charts/managed-identity-wallet/tests/default/secret-database_test.yaml similarity index 79% rename from charts/managed-identity-wallet/tests/custom-values/values-envs.yml rename to charts/managed-identity-wallet/tests/default/secret-database_test.yaml index 782fcacb6..f8ad39f01 100644 --- a/charts/managed-identity-wallet/tests/custom-values/values-envs.yml +++ b/charts/managed-identity-wallet/tests/default/secret-database_test.yaml 
@@ -17,6 +17,14 @@ # * SPDX-License-Identifier: Apache-2.0 # ********************************************************************************/ -envs: - DB_HOST: postgres-host - MIW_HOST_NAME: miw +suite: test default secret for database +chart: + version: 9.9.9+test + appVersion: 9.9.9 +templates: + - templates/secret-database.yaml +tests: + - it: should have own database secret disabled + asserts: + - hasDocuments: + count: 0 diff --git a/charts/managed-identity-wallet/tests/default/service_test.yaml b/charts/managed-identity-wallet/tests/default/service_test.yaml index 89509c916..a42879748 100644 --- a/charts/managed-identity-wallet/tests/default/service_test.yaml +++ b/charts/managed-identity-wallet/tests/default/service_test.yaml @@ -41,13 +41,13 @@ tests: app.kubernetes.io/version: "9.9.9" app.kubernetes.io/managed-by: Helm - - it: must have type set to ClusterIP + - it: should have type set to ClusterIP asserts: - equal: path: spec.type value: ClusterIP - - it: must have ports set + - it: should have ports set asserts: - contains: path: spec.ports diff --git a/charts/managed-identity-wallet/values-dev.yaml b/charts/managed-identity-wallet/values-dev.yaml index f0eb88beb..d5fea65d7 100644 --- a/charts/managed-identity-wallet/values-dev.yaml +++ b/charts/managed-identity-wallet/values-dev.yaml 
@@ -21,16 +21,13 @@ image: tag: "latest-java-did-web" secrets: - DB_USER_NAME: - DB_PASSWORD: - ENCRYPTION_KEY: 76a7834fb37e090c2789a9b1a76748d3 + ENCRYPTION_KEY: "76a7834fb37e090c2789a9b1a76748d3" KEYCLOAK_CLIENT_ID: envs: - DB_HOST: managed-identity-wallets-new-postgresql - MIW_HOST_NAME: managed-identity-wallets-new.dev.demo.catena-x.net # Depend on ingress host name (managed-identity-wallets-new.dev.demo.catena-x.net) - KEYCLOAK_REALM: CX-Central - AUTH_SERVER_URL: https://centralidp.dev.demo.catena-x.net/auth + MIW_HOST_NAME: "managed-identity-wallets-new.dev.demo.catena-x.net" # Depend on ingress host name (managed-identity-wallets-new.dev.demo.catena-x.net) + KEYCLOAK_REALM: "CX-Central" + AUTH_SERVER_URL: "https://centralidp.dev.demo.catena-x.net/auth" AUTHORITY_WALLET_DID: "did:web:managed-identity-wallets-new.dev.demo.catena-x.net:BPNL00000003CRHK" AUTHORITY_WALLET_BPN: "BPNL00000003CRHK" @@ -49,10 +46,9 @@ ingress: - managed-identity-wallets-new.dev.demo.catena-x.net postgresql: - primary: - initdb: - password: + internal: + enabled: true auth: password: - postgresPassword: username: + postgresPassword: diff --git a/charts/managed-identity-wallet/values-int.yaml b/charts/managed-identity-wallet/values-int.yaml index b8897a267..d03fd25a6 100644 --- a/charts/managed-identity-wallet/values-int.yaml +++ b/charts/managed-identity-wallet/values-int.yaml 
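Review bot: `ENCRYPTION_KEY: "76a7834fb37e090c2789a9b1a76748d3"` remains committed in plaintext in this values file; the hunk only adds quotes around it, while the README hunk describes this value as the AES key that encrypts the wallets' private keys. The neighbouring keys in the same hunk (`KEYCLOAK_CLIENT_ID:`, `postgresql.auth.password:`, `postgresPassword:`) are left empty to be supplied at deploy time, and the encryption key should follow that pattern (`ENCRYPTION_KEY:` left empty and injected via `--set` or an existing Secret); since the value is already in repository history, the affected environments should be re-keyed after it is removed. The identical line appears in the values-int.yaml hunk, and values-local.yaml additionally commits `KEYCLOAK_CLIENT_ID: "z445srtzr5g"` next to the same key.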
@@ -21,16 +21,13 @@ image: tag: "latest-java-did-web" secrets: - DB_USER_NAME: - DB_PASSWORD: - ENCRYPTION_KEY: 76a7834fb37e090c2789a9b1a76748d3 + ENCRYPTION_KEY: "76a7834fb37e090c2789a9b1a76748d3" KEYCLOAK_CLIENT_ID: envs: - DB_HOST: managed-identity-wallets-new-postgresql - MIW_HOST_NAME: managed-identity-wallets-new.int.demo.catena-x.net # Depend on ingress host name (managed-identity-wallets-new.int.demo.catena-x.net) - KEYCLOAK_REALM: CX-Central - AUTH_SERVER_URL: https://centralidp.int.demo.catena-x.net/auth + MIW_HOST_NAME: "managed-identity-wallets-new.int.demo.catena-x.net" # Depend on ingress host name (managed-identity-wallets-new.int.demo.catena-x.net) + KEYCLOAK_REALM: "CX-Central" + AUTH_SERVER_URL: "https://centralidp.int.demo.catena-x.net/auth" AUTHORITY_WALLET_DID: "did:web:managed-identity-wallets-new.int.demo.catena-x.net:BPNL00000003CRHK" AUTHORITY_WALLET_BPN: "BPNL00000003CRHK" @@ -49,10 +46,9 @@ ingress: - managed-identity-wallets-new.int.demo.catena-x.net postgresql: - primary: - initdb: - password: + internal: + enabled: true auth: password: - postgresPassword: username: + postgresPassword: diff --git a/charts/managed-identity-wallet/values-local.yaml b/charts/managed-identity-wallet/values-local.yaml index 2499f4efb..2260eb725 100644 --- a/charts/managed-identity-wallet/values-local.yaml +++ b/charts/managed-identity-wallet/values-local.yaml 
@@ -21,16 +21,13 @@ image: tag: "latest-java-did-web" secrets: - DB_USER_NAME: postgres - DB_PASSWORD: xxx - ENCRYPTION_KEY: 76a7834fb37e090c2789a9b1a76748d3 - KEYCLOAK_CLIENT_ID: z445srtzr5g + ENCRYPTION_KEY: "76a7834fb37e090c2789a9b1a76748d3" + KEYCLOAK_CLIENT_ID: "z445srtzr5g" envs: - DB_HOST: miw-postgresql - MIW_HOST_NAME: localhost - KEYCLOAK_REALM: miw_test - AUTH_SERVER_URL: http:///auth + MIW_HOST_NAME: "localhost" + KEYCLOAK_REALM: "miw_test" + AUTH_SERVER_URL: "http://:/auth" AUTHORITY_WALLET_DID: "did:web:managed-identity-wallets-new.dev.demo.catena-x.net:BPNL000000000000" AUTHORITY_WALLET_BPN: "BPNL000000000000" @@ -57,10 +54,18 @@ backup: storageClassName: hostpath postgresql: - primary: - initdb: - password: xxx + internal: + enabled: true + external: + config: + host: + port: 5432 + database: miw + auth: + username: + password: + existingSecret: "" + existingSecretKey: password auth: - password: xxx - postgresPassword: xxx - username: postgres + username: miw + database: miw diff --git a/charts/managed-identity-wallet/values.yaml b/charts/managed-identity-wallet/values.yaml index 34d8f9061..169990282 100644 --- a/charts/managed-identity-wallet/values.yaml +++ b/charts/managed-identity-wallet/values.yaml 
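Review bot: `AUTH_SERVER_URL: "http://:/auth"` in values-local.yaml has an empty host and an empty port, so the local profile cannot reach Keycloak as written (the replaced `http:///auth` was equally unusable). If this is the rendering of a placeholder that was stripped before commit, restore it; otherwise fill in the local Keycloak address, e.g. `AUTH_SERVER_URL: "http://<keycloak-host>:<keycloak-port>/auth"` with the placeholders replaced by the real local values.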
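Review bot: The new `external:` block in the second values-local.yaml hunk is dead configuration: `internal.enabled: true` is set just above it, and everything under `external` (`host:`, `port: 5432`, `database: miw`, the empty auth values, `existingSecret: ""`, `existingSecretKey: password`) is either unused while the bundled database is enabled or repeats the defaults this commit adds to values.yaml. It also drifts from those defaults in typing: `host:`, `username:` and `password:` are written bare (null) here but as `""` in values.yaml, and Helm deletes keys set to null in an override file instead of leaving them empty. Trim the file to the values that actually differ from the chart defaults, which for the local profile appears to be little beyond `internal.enabled: true`, so the defaults stay authoritative and the null/empty mismatch disappears.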
@@ -27,36 +27,49 @@ image: # -- PullPolicy pullPolicy: Always # -- Image tag (empty one will use "appVersion" value from chart definition) - tag: "" + tag: "" + +# -- Credentials name for private repos +imagePullSecrets: [] nameOverride: "" fullnameOverride: "" -# -- Parameters for the application (will be stored as secrets - so, for passwords, ...) -secrets: {} -# DB_USER_NAME: xxx # Has to be the same as below in "postgresql" section -# DB_PASSWORD: xxx # Has to be the same as below in "postgresql" section -# KEYCLOAK_CLIENT_ID: xxx -# ENCRYPTION_KEY: xxx # 64 chars +# -- Parameters for the application (will be stored in a secret and attached to the container) +secrets: + # -- Keycloak confidential client id for MIW application + KEYCLOAK_CLIENT_ID: "" + # -- AES encryption key used to encrypt/decrypt private keys (random 32 chars - ex.: openssl rand -hex 32) + ENCRYPTION_KEY: "" # -- Parameters for the application (will be provided as plain environment variables) -envs: {} -# APPLICATION_ENVIRONMENT: xxx -# DB_HOST: auto -# DB_PORT: xxx -# DB_NAME: xxx # set it also in the init script in the postgres initdb section below!! 
-# USE_SSL: xxx -# DB_POOL_SIZE: xxx -# KEYCLOAK_MIW_PUBLIC_CLIENT: xxx -# MANAGEMENT_PORT: xxx -# MIW_HOST_NAME: xxx -# AUTHORITY_WALLET_BPN: xxx -# AUTHORITY_WALLET_NAME: xxx -# AUTHORITY_WALLET_DID: xxx -# VC_SCHEMA_LINK: xxx -# VC_EXPIRY_DATE: xxx -# KEYCLOAK_REALM: xxx -# AUTH_SERVER_URL: xxx +envs: + # -- Application environments like dev, int, prod + APPLICATION_ENVIRONMENT: "dev" + # -- Whether database connection with SSL, true if the database connection is done using SSL + USE_SSL: "false" + # -- Initial database connection pool size + DB_POOL_SIZE: "" + # -- Keycloak public client id, used only if we want to enable login in swagger using keycloak + KEYCLOAK_MIW_PUBLIC_CLIENT: "" + # -- Spring actuator port + MANAGEMENT_PORT: + # -- Hostname of miw application + MIW_HOST_NAME: "localhost" + # -- Authority/base wallet/root wallet BPN + AUTHORITY_WALLET_BPN: "" + # -- Authority/base wallet/root wallet name + AUTHORITY_WALLET_NAME: "" + # -- Authority/base wallet/root wallet web did + AUTHORITY_WALLET_DID: "" + # -- Verifiable credential schema URL, which will be part of @context in VC + VC_SCHEMA_LINK: "" + # -- Default expiry date of issued VC + VC_EXPIRY_DATE: "" + # -- Keycloak realm name + KEYCLOAK_REALM: "" + # -- Keycloak server url + AUTH_SERVER_URL: "" # -- ServiceAccount configuration serviceAccount: 
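Review bot: The new comment on `ENCRYPTION_KEY` contradicts itself: `openssl rand -hex 32` emits 64 hex characters (32 random bytes), not 32, the comment it replaces said "64 chars", and the values committed for dev, int and local elsewhere in this diff are 32 characters long. State the length the application actually validates and make the example produce it, e.g. `# -- AES encryption key used to encrypt/decrypt private keys (<N> hex chars, e.g. openssl rand -hex <N/2>)` with `<N>` taken from the application's check rather than guessed. Separately, `MANAGEMENT_PORT:` is the only key in the new `envs` block written bare, so it is null rather than the `""` every sibling uses; `MANAGEMENT_PORT: ""` keeps the block uniform and avoids templates having to special-case nil for one variable.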
@@ -133,17 +146,35 @@ backup: # -- storageClassName storageClassName: "-" -# @ignored +# -- Configuration of the Postgresql database (internal and external) postgresql: - primary: - initdb: - scripts: - init_db_script.sh: | - #!/bin/sh - createdb -O postgres miw - user: postgres - password: postgres + # -- Configure bundled postgresql + internal: + # -- Enable bundled database + enabled: true + # -- Configure own postgresql database + external: + # -- General config + config: + # -- Instance host or IP + host: "" + # -- Instance port + port: 5432 + # -- Existing database to use + database: "" + auth: + # -- DB username + username: "" + # -- DB password + password: "" + # -- Existing secret with provided password + existingSecret: "" + # -- Key name of password in secret + existingSecretKey: password + + # -- Default settings for the primary database and user auth: - password: postgres - username: postgres - postgresPassword: postgres + # -- username for MIW database + username: miw + # -- MIW database name + database: miw
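Review bot: The new `external.auth` documentation does not say how `password`, `existingSecret` and `existingSecretKey` interact — whether a non-empty `existingSecret` overrides `password`, and what happens when `internal.enabled: false` and both are empty. The template that consumes them is not in this diff, so confirm the rule against templates/secret-database.yaml and then record it on the key, e.g. `# -- Existing secret with provided password; when set, takes precedence over password` adjusted to the actual behaviour. Likewise the `auth:` block the comment calls "Default settings for the primary database and user" now carries no password at all, which is an improvement over the removed hardcoded `postgres` credentials and init script, but a one-line comment on where the bundled database's password comes from (generated by the bundled chart, or required from an override) would save the next reader a trip into the subchart.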