chore: update SECURITY.md

.github/workflows/chart-lint-test.yml → .github/workflows/chart-verification.yml

@@ -17,7 +17,7 @@
 # * SPDX-License-Identifier: Apache-2.0
 # ********************************************************************************/
 
-name: Lint and Test Charts
+name: Verify and Test Helm Chart
 
 on:
   workflow_dispatch:
@@ -44,7 +44,7 @@ jobs:
 
       - name: Add bitnami repo
         run: |
-          helm repo add bitnami https://charts.bitnami.com/bitnami 
+          helm repo add bitnami https://charts.bitnami.com/bitnami
           helm repo update
 
       - name: Update Helm dependencies
@@ -63,6 +63,29 @@ jobs:
       - name: Run linting
         run: ct lint --config charts/chart-testing-config.yaml --charts ./charts/managed-identity-wallet
 
+  verify-helm-docs:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run helm docs command
+        uses: addnab/docker-run-action@v3
+        with:
+          image: jnorwood/helm-docs:v1.11.3
+          options: -v ${{ github.workspace }}/charts:/helm-docs
+          run: helm-docs
+
+      - name: Verify that no changes are required
+        run: |
+          if $(git diff --quiet --exit-code); then
+            echo "Helm chart docs up to date"
+          else
+            echo "Helm chart docs not up to date:"
+            git diff
+            exit 1
+          fi
+
   chart-test:
     runs-on: ubuntu-latest
     steps:
@@ -86,7 +109,7 @@ jobs:
 
       - name: Add bitnami repo
         run: |
-          helm repo add bitnami https://charts.bitnami.com/bitnami 
+          helm repo add bitnami https://charts.bitnami.com/bitnami
           helm repo update
 
       - name: Update Helm dependencies

.gitignore

@@ -64,6 +64,8 @@ dev-assets/env-files/env.local
 dev-assets/env-files/env.docker
 dev-assets/env-files/env.environment
 dev-assets/docker-environment/postgres/db.sh
+dev-assets/docker-environment/pgAdmin/servers.json
+dev-assets/docker-environment/pgAdmin/storage/*
 
 .java-version
 

README.md

@@ -206,6 +206,27 @@ When you just run `task` without parameters, you will see all tasks available.
 5. Click on "Authorize" and "close"
 6. MIW is up and running
 
+### pgAdmin
+
+This local environment contains [pgAdmin](https://www.pgadmin.org/), which is also started (default: http://localhost:8888). 
+The default login is:
+
+``` 
+user: pg@admin.com (you can change it in the env.* files)
+password: the one you set for "POSTGRES_PASSWORD" in the env.* files
+```
+
+#### DB connection password
+
+When you log in into pgAdmin, the local Postgresql server is already configured.
+But you will be asked to enter the DB password on the first time you connect to the DB.
+(password: POSTGRES_PASSWORD in the env.* files)
+
+#### Storage folder
+
+The storage folder of pgAdmin is mounted to `dev-assets/docker-environment/pgAdmin/storage/`.
+For example, You can save DB backups there, so you can access them on your local machine.
+
 # End Users
 
 See OpenAPI documentation, which is automatically created from the source and available on each deployment at
@@ -344,4 +365,4 @@ See [Docker-hub-notice.md](./Docker-hub-notice.md)
 
 We would like to give credit to these projects, which we use in our project.
 
-[![semantic-release: angular](https://img.shields.io/badge/semantic--release-angular-e10079?logo=semantic-release)](https://github.com/semantic-release/semantic-release)
+[![semantic-release: angular](https://img.shields.io/badge/semantic--release-angular-e10079?logo=semantic-release)](https://github.com/semantic-release/semantic-release)

SECURITY.md

@@ -1,6 +1,17 @@
-# Security Policy
-
 ## Reporting a Vulnerability
 
-Please report a found vulnerability here:
-[https://www.eclipse.org/security/](https://www.eclipse.org/security/)
+Please do **not** report security vulnerabilities through public GitHub issues.
+
+Please report vulnerabilities to this repository via **GitHub security advisories** instead.
+
+How? Inside affected repository → security tab
+
+For contributors:  
+→ Report a vulnerability
+
+For committers:  
+→ Advisories → New draft security advisory
+
+In severe cases, you can also report a found vulnerability via mail or eclipse issue here: https://www.eclipse.org/security/
+
+See [Eclipse Foundation Vulnerability Reporting Policy](https://www.eclipse.org/projects/handbook/#vulnerability)

charts/managed-identity-wallet/Chart.yaml

@@ -25,8 +25,8 @@ description: |
 
 type: application
 
-version: 0.2.0-develop.4
-appVersion: 0.2.0-develop.4
+version: 1.0.0
+appVersion: 1.0.0
 
 home: https://github.com/eclipse-tractusx/managed-identity-wallet
 keywords:

charts/managed-identity-wallet/README.md

@@ -2,7 +2,7 @@
 
 # managed-identity-wallet
 
-![Version: 0.1.0-rc.2](https://img.shields.io/badge/Version-0.1.0--rc.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.0-rc.2](https://img.shields.io/badge/AppVersion-0.1.0--rc.2-informational?style=flat-square)
+![Version: 0.2.0-develop.4](https://img.shields.io/badge/Version-0.2.0--develop.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.0-develop.4](https://img.shields.io/badge/AppVersion-0.2.0--develop.4-informational?style=flat-square)
 
 Managed Identity Wallet is supposed to supply a secure data source and data sink for Digital Identity Documents (DID), in order to enable Self-Sovereign Identity founding on those DIDs.
 And at the same it shall support an uninterrupted tracking and tracing and documenting the usage of those DIDs, e.g. within logistical supply chains.
@@ -97,11 +97,15 @@ See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command document
 | ingress.enabled | bool | `false` | Enable ingress controller resource |
 | ingress.hosts | list | `[]` | Ingress accepted hostnames |
 | ingress.tls | list | `[]` | Ingress TLS configuration |
+| initContainers | list | `[]` | add initContainers to the miw deployment |
 | keycloak.auth.adminPassword | string | `""` | Keycloak admin password |
 | keycloak.auth.adminUser | string | `"admin"` | Keycloak admin user |
 | keycloak.enabled | bool | `true` | Enable to deploy Keycloak |
-| keycloak.extraEnvVars[0].name | string | `"KEYCLOAK_HOSTNAME"` |  |
-| keycloak.extraEnvVars[0].value | string | `"{{ .Release.Name }}-keycloak"` |  |
+| keycloak.extraEnvVars | list | `[]` |  |
+| keycloak.ingress.annotations | object | `{}` |  |
+| keycloak.ingress.enabled | bool | `false` |  |
+| keycloak.ingress.hosts | list | `[]` |  |
+| keycloak.ingress.tls | list | `[]` |  |
 | keycloak.keycloakConfigCli.backoffLimit | int | `2` | Number of retries before considering a Job as failed |
 | keycloak.keycloakConfigCli.enabled | bool | `true` | Enable to create the miw playground realm |
 | keycloak.keycloakConfigCli.existingConfigmap | string | `"keycloak-realm-config"` | Existing configmap name for the realm configuration |
@@ -110,6 +114,12 @@ See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command document
 | keycloak.postgresql.auth.username | string | `"miw_keycloak"` | Keycloak PostgreSQL user |
 | keycloak.postgresql.enabled | bool | `true` | Enable to deploy PostgreSQL |
 | keycloak.postgresql.nameOverride | string | `"keycloak-postgresql"` | Name of the PostgreSQL chart to deploy. Mandatory when the MIW deploys a PostgreSQL chart, too. |
+| livenessProbe | object | `{"enabled":true,"failureThreshold":3,"initialDelaySeconds":20,"periodSeconds":5,"timeoutSeconds":15}` | Kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) |
+| livenessProbe.enabled | bool | `true` | Enables/Disables the livenessProbe at all |
+| livenessProbe.failureThreshold | int | `3` | When a probe fails, Kubernetes will try failureThreshold times before giving up. Giving up in case of liveness probe means restarting the container. |
+| livenessProbe.initialDelaySeconds | int | `20` | Number of seconds after the container has started before readiness probe are initiated. |
+| livenessProbe.periodSeconds | int | `5` | How often (in seconds) to perform the probe |
+| livenessProbe.timeoutSeconds | int | `15` | Number of seconds after which the probe times out. |
 | miw.authorityWallet.bpn | string | `"BPNL000000000000"` | Authority Wallet BPNL |
 | miw.authorityWallet.name | string | `""` | Authority Wallet Name |
 | miw.database.encryptionKey.secret | string | `""` | Existing secret for database encryption key |
@@ -128,7 +138,7 @@ See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command document
 | miw.keycloak.realm | string | `"miw_test"` | Keycloak realm |
 | miw.keycloak.url | string | `"http://{{ .Release.Name }}-keycloak"` | Keycloak URL |
 | miw.logging.level | string | `"INFO"` | Log level. Should be ether ERROR, WARN, INFO, DEBUG, or TRACE. |
-| miw.ssi.enforceHttpsInDidWebResolution | bool | `false` | Enable to use HTTPS in DID Web Resolution |
+| miw.ssi.enforceHttpsInDidWebResolution | bool | `true` | Enable to use HTTPS in DID Web Resolution |
 | miw.ssi.vcExpiryDate | string | `""` | Verifiable Credential expiry date. Format 'dd-MM-yyyy'. If empty it is set to 31-12-<current year> |
 | nameOverride | string | `""` | String to partially override common.names.fullname template (will maintain the release name) |
 | nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector configuration |
@@ -144,6 +154,13 @@ See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command document
 | postgresql.backup.conjob.storage.size | string | `"8Gi"` | PVC Storage Request for the backup data volume |
 | postgresql.backup.enabled | bool | `false` | Enable to create a backup cronjob |
 | postgresql.enabled | bool | `true` | Enable to deploy Postgresql |
+| readinessProbe | object | `{"enabled":true,"failureThreshold":3,"initialDelaySeconds":30,"periodSeconds":5,"successThreshold":1,"timeoutSeconds":5}` | Kubernetes [readiness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) |
+| readinessProbe.enabled | bool | `true` | Enables/Disables the readinessProbe at all |
+| readinessProbe.failureThreshold | int | `3` | When a probe fails, Kubernetes will try failureThreshold times before giving up. In case of readiness probe the Pod will be marked Unready. |
+| readinessProbe.initialDelaySeconds | int | `30` | Number of seconds after the container has started before readiness probe are initiated. |
+| readinessProbe.periodSeconds | int | `5` | How often (in seconds) to perform the probe |
+| readinessProbe.successThreshold | int | `1` | Minimum consecutive successes for the probe to be considered successful after having failed. |
+| readinessProbe.timeoutSeconds | int | `5` | Number of seconds after which the probe times out. |
 | replicaCount | int | `1` | The amount of replicas to run |
 | resources.limits.cpu | int | `2` | CPU resource limits |
 | resources.limits.memory | string | `"1Gi"` | Memory resource limits |
@@ -230,9 +247,10 @@ when deploying the MIW in a production environment:
 
 | Name | Email | Url |
 | ---- | ------ | --- |
+| Dominik Pinsel | <dominik.pinsel@mercedes-benz.com> | <https://github.com/DominikPinsel> |
 | Peter Motzko | <peter.motzko@volkswagen.de> | <https://github.com/pmoscode> |
 
 <p align="right">(<a href="#readme-top">back to top</a>)</p>
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
+Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs/)

charts/managed-identity-wallet/README.md.gotmpl

@@ -155,4 +155,5 @@ when deploying the MIW in a production environment:
 
 <p align="right">(<a href="#readme-top">back to top</a>)</p>
 
-{{ template "helm-docs.versionFooter" . }}
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs/)

charts/managed-identity-wallet/templates/deployment.yaml

@@ -44,6 +44,10 @@ spec:
       serviceAccountName: {{ include "managed-identity-wallet.serviceAccountName" . }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      {{- if .Values.initContainers }}
+      initContainers:
+        {{- tpl (.Values.initContainers | toYaml) $ | nindent 8 }}
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           securityContext:
@@ -113,26 +117,33 @@ spec:
             - name: http
               containerPort: 8080
               protocol: TCP
+          {{- with .Values.livenessProbe }}
+          {{- if .enabled }}
           livenessProbe:
-            failureThreshold: 3
             httpGet:
               path: /actuator/health/liveness
               port: 8090
               scheme: HTTP
-            periodSeconds: 5
-            successThreshold: 1
-            timeoutSeconds: 5
-            initialDelaySeconds: 30
+            failureThreshold: {{ .failureThreshold }}
+            initialDelaySeconds: {{ .initialDelaySeconds }}
+            periodSeconds: {{ .periodSeconds }}
+            timeoutSeconds: {{ .timeoutSeconds }}
+          {{- end }}
+          {{- end }}
+          {{- with .Values.readinessProbe }}
+          {{- if .enabled }}
           readinessProbe:
-            failureThreshold: 3
             httpGet:
               path: /actuator/health/readiness
               port: 8090
               scheme: HTTP
-            periodSeconds: 5
-            successThreshold: 1
-            timeoutSeconds: 5
-            initialDelaySeconds: 30
+            failureThreshold: {{ .failureThreshold }}
+            initialDelaySeconds: {{ .initialDelaySeconds }}
+            periodSeconds: {{ .periodSeconds }}
+            successThreshold: {{ .successThreshold }}
+            timeoutSeconds: {{ .timeoutSeconds }}
+          {{- end }}
+          {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
 

charts/managed-identity-wallet/values.yaml

@@ -61,6 +61,10 @@ ingress:
   annotations: {}
   # -- Ingress accepted hostnames
   hosts: []
+  #   - host: chart-example.local
+  #     paths:
+  #       - path: /
+  #         pathType: Prefix
   # -- Ingress TLS configuration
   tls: []
   #  - secretName: chart-example-tls
@@ -82,6 +86,34 @@ securityContext:
   # -- Enable to run the container as a non-root user
   runAsNonRoot: true
 
+# -- Kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)
+livenessProbe:
+  # -- Enables/Disables the livenessProbe at all
+  enabled: true
+  # -- When a probe fails, Kubernetes will try failureThreshold times before giving up. Giving up in case of liveness probe means restarting the container.
+  failureThreshold: 3
+  # -- Number of seconds after the container has started before readiness probe are initiated.
+  initialDelaySeconds: 20
+  # -- Number of seconds after which the probe times out.
+  timeoutSeconds: 15
+  # -- How often (in seconds) to perform the probe
+  periodSeconds: 5
+
+# -- Kubernetes [readiness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)
+readinessProbe:
+  # -- Enables/Disables the readinessProbe at all
+  enabled: true
+  # -- When a probe fails, Kubernetes will try failureThreshold times before giving up. In case of readiness probe the Pod will be marked Unready.
+  failureThreshold: 3
+  # -- Number of seconds after the container has started before readiness probe are initiated.
+  initialDelaySeconds: 30
+  # -- How often (in seconds) to perform the probe
+  periodSeconds: 5
+  # -- Minimum consecutive successes for the probe to be considered successful after having failed.
+  successThreshold: 1
+  # -- Number of seconds after which the probe times out.
+  timeoutSeconds: 5
+
 resources:
   requests:
     # -- CPU resource requests
@@ -107,6 +139,9 @@ affinity: {}
 # -- PodAnnotation configuration
 podAnnotations: {}
 
+# -- add initContainers to the miw deployment
+initContainers: []
+
 ## @section Managed Identity Wallet Primary Parameters
 ##
 miw:

dev-assets/docker-environment/docker-compose.yaml

@@ -34,7 +34,7 @@
       - miw-net
 
   postgres:
-    image: postgres:15.3-alpine3.18
+    image: postgres:14.5-alpine3.16
     volumes:
       - postgres_data:/var/lib/postgresql/data
       - ./postgres/db.sh:/docker-entrypoint-initdb.d/init-database.sh
@@ -63,10 +63,30 @@
     networks:
       - miw-net
 
+  pgadmin:
+    image: dpage/pgadmin4
+    ports:
+      - "8888:80"
+    user: root # If removed, the storage mount won't work
+    env_file:
+      - ../env-files/env.$DEV_ENVIRONMENT
+    environment:
+      PGADMIN_DISABLE_POSTFIX: true
+    volumes:
+      - pgadmin_data:/var/lib/pgadmin
+      - ./pgAdmin/servers.json:/pgadmin4/servers.json
+      - ./pgAdmin/storage/:/var/lib/pgadmin/storage/pg_admin.com/
+    depends_on:
+      - postgres
+    networks:
+      - miw-net
+
 volumes:
   postgres_data:
     driver: local
+  pgadmin_data:
+    driver: local
 
 networks:
   miw-net:
-    name: miw-net
+    name: miw-net

dev-assets/docker-environment/pgAdmin/servers.json.tpl

@@ -0,0 +1,22 @@
+{
+    "Servers": {
+        "1": {
+            "Name": "Local",
+            "Group": "Servers",
+            "Host": "postgres",
+            "Port": 5432,
+            "MaintenanceDB": "postgres",
+            "Username": "$POSTGRES_USER",
+            "UseSSHTunnel": 0,
+            "TunnelPort": "22",
+            "TunnelAuthentication": 0,
+            "KerberosAuthentication": false,
+            "ConnectionParameters": {
+                "sslmode": "prefer",
+                "connect_timeout": 10,
+                "sslcert": "<STORAGE_DIR>/.postgresql/postgresql.crt",
+                "sslkey": "<STORAGE_DIR>/.postgresql/postgresql.key"
+            }
+        }
+    }
+}