feat: add internal/external Postgres config

.github/workflows/chart-lint.yml

@@ -1,68 +1,87 @@
-# name: Lint and Test Charts
+# /********************************************************************************
+# * Copyright (c) 2021,2023 Contributors to the Eclipse Foundation
+# *
+# * See the NOTICE file(s) distributed with this work for additional
+# * information regarding copyright ownership.
+# *
+# * This program and the accompanying materials are made available under the
+# * terms of the Apache License, Version 2.0 which is available at
+# * https://www.apache.org/licenses/LICENSE-2.0.
+# *
+# * Unless required by applicable law or agreed to in writing, software
+# * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# * License for the specific language governing permissions and limitations
+# * under the License.
+# *
+# * SPDX-License-Identifier: Apache-2.0
+# ********************************************************************************/
 
-# # Run chart linting and tests on each pull request
-# on: 
-#   pull_request:
-#     paths:
-#       - 'charts/**'
+name: Lint and Test Charts
 
-# jobs:
-#   chart-lint:    
-#     runs-on: ubuntu-latest
-#     steps:
-#       - name: Checkout
-#         uses: actions/checkout@v2
-#         with:
-#           fetch-depth: 0
+# Run chart linting and tests on each pull request
+on:
+ pull_request:
+   paths:
+     - 'charts/**'
 
-#       - name: Set up Helm
-#         uses: azure/setup-helm@v3
-#         with:
-#           version: v3.11.3
+jobs:
+ chart-lint:
+   runs-on: ubuntu-latest
+   steps:
+     - name: Checkout
+       uses: actions/checkout@v2
+       with:
+         fetch-depth: 0
 
-#       - name: Update Helm dependencies
-#         run: |
-#           cd charts/managed-identity-wallet
-#           helm dependency update
+     - name: Set up Helm
+       uses: azure/setup-helm@v3
+       with:
+         version: v3.11.3
 
-#       - name: Install Helm unittest plugin
-#         run: |
-#           helm plugin install https://github.com/helm-unittest/helm-unittest.git
+     - name: Update Helm dependencies
+       run: |
+         cd charts/managed-identity-wallet
+         helm dependency update
 
-#       # Setup python as a prerequisite for chart linting 
-#       - uses: actions/setup-python@v2
-#         with:
-#           python-version: 3.7
+     - name: Install Helm unittest plugin
+       run: |
+         helm plugin install https://github.com/helm-unittest/helm-unittest.git
 
-#       - name: Set up chart-testing
-#         uses: helm/chart-testing-action@v2.3.1
+     # Setup python as a prerequisite for chart linting
+     - uses: actions/setup-python@v2
+       with:
+         python-version: 3.7
 
-#       - name: Install Task
-#         uses: arduino/setup-task@v1
+     - name: Set up chart-testing
+       uses: helm/chart-testing-action@v2.3.1
 
-#       - name: Run chart-testing (list-changed)
-#         id: list-changed
-#         run: |
-#           changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }})
-#           if [[ -n "$changed" ]]; then
-#             echo "::set-output name=changed::true"
-#           fi
+     - name: Install Task
+       uses: arduino/setup-task@v1
 
-#       # run chart linting 
-#       - name: Run chart-testing (lint)
-#         run: ct lint --config charts/chart-testing-config.yaml --charts ./charts/managed-identity-wallet
+     - name: Run chart-testing (list-changed)
+       id: list-changed
+       run: |
+         changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }})
+         if [[ -n "$changed" ]]; then
+           echo "::set-output name=changed::true"
+         fi
 
-#       # run chart unittest
-#       - name: Run Helm unittests
-#         run: task helm:unittest
+     # run chart linting
+     - name: Run chart-testing (lint)
+       run: ct lint --config charts/chart-testing-config.yaml --charts ./charts/managed-identity-wallet
 
-#       # Preparing a kind cluster to install and test charts on
-#       - name: Create kind cluster
-#         uses: helm/kind-action@v1.7.0
-#         if: steps.list-changed.outputs.changed == 'true'
+     # run chart unittest
+     - name: Run Helm unittests
+       run: task helm:unittest
 
-#       # install the chart to the kind cluster and run helm test
-#       # define charts to test with the --charts parameter
-#       - name: Run chart-testing (install)
-#         run: ct install --charts charts/managed-identity-wallet --config charts/chart-testing-config.yaml
-#         if: steps.list-changed.outputs.changed == 'true'
+     # Preparing a kind cluster to install and test charts on
+     - name: Create kind cluster
+       uses: helm/kind-action@v1.7.0
+       if: steps.list-changed.outputs.changed == 'true'
+
+     # install the chart to the kind cluster and run helm test
+     # define charts to test with the --charts parameter
+     - name: Run chart-testing (install)
+       run: ct install --charts charts/managed-identity-wallet --config charts/chart-testing-config.yaml
+       if: steps.list-changed.outputs.changed == 'true'

charts/managed-identity-wallet/Chart.lock

@@ -2,5 +2,5 @@ dependencies:
 - name: postgresql
   repository: https://charts.bitnami.com/bitnami
   version: 11.9.13
-digest: sha256:051285066cef2799e39e2953c4abd405c36510a09e9e1bd1833a29224daffddb
-generated: "2023-05-31T12:06:07.066291+02:00"
+digest: sha256:09e3316dcc19431e38274d225f5749fe197f70e92209418bbe63c9df83a44df7
+generated: "2023-08-02T09:02:48.457769+02:00"

charts/managed-identity-wallet/Chart.yaml

@@ -25,7 +25,7 @@ description: |
 
 type: application
 
-version: 1.0.1
+version: 1.1.0
 appVersion: 0.0.1
 
 home: https://github.com/eclipse-tractusx/managed-identity-wallet
@@ -45,4 +45,4 @@ dependencies:
   - name: postgresql
     version: 11.9.13
     repository: https://charts.bitnami.com/bitnami
-    condition: postgresql.enabled
+    condition: postgresql.internal.enabled

charts/managed-identity-wallet/README.md

@@ -1,6 +1,6 @@
 # managed-identity-wallet
 
-![Version: 1.0.1](https://img.shields.io/badge/Version-1.0.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.1](https://img.shields.io/badge/AppVersion-0.0.1-informational?style=flat-square)
+![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.1](https://img.shields.io/badge/AppVersion-0.0.1-informational?style=flat-square)
 
 Managed Identity Wallet is supposed to supply a secure data source and data sink for Digital Identity Documents (DID), in order to enable Self-Sovereign Identity founding on those DIDs.
 And at the same it shall support an uninterrupted tracking and tracing and documenting the usage of those DIDs, e.g., within logistical supply chains.
@@ -55,21 +55,51 @@ See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command document
 | backup.database.storage.diskSize | string | `"10G"` | Disk size for backup content |
 | backup.database.storage.keepStorage | bool | `true` | Set to true, if the PV should stay even when the chart release is uninstalled |
 | backup.database.storage.storageClassName | string | `"-"` | storageClassName |
-| envs | object | `{}` | Parameters for the application (will be provided as plain environment variables) |
+| envs | object | `{"APPLICATION_ENVIRONMENT":"dev","AUTHORITY_WALLET_BPN":"","AUTHORITY_WALLET_DID":"","AUTHORITY_WALLET_NAME":"","AUTH_SERVER_URL":"","DB_POOL_SIZE":"","KEYCLOAK_MIW_PUBLIC_CLIENT":"","KEYCLOAK_REALM":"","MANAGEMENT_PORT":null,"MIW_HOST_NAME":"localhost","USE_SSL":false,"VC_EXPIRY_DATE":"","VC_SCHEMA_LINK":""}` | Parameters for the application (will be provided as plain environment variables) |
+| envs.APPLICATION_ENVIRONMENT | string | `"dev"` | Application environments like dev, int, prod |
+| envs.AUTHORITY_WALLET_BPN | string | `""` | Authority/base wallet/root wallet BPN |
+| envs.AUTHORITY_WALLET_DID | string | `""` | Authority/base wallet/root wallet web did |
+| envs.AUTHORITY_WALLET_NAME | string | `""` | Authority/base wallet/root wallet name |
+| envs.AUTH_SERVER_URL | string | `""` | Keycloak server url |
+| envs.DB_POOL_SIZE | string | `""` | Initial database connection pool size |
+| envs.KEYCLOAK_MIW_PUBLIC_CLIENT | string | `""` | Keycloak public client id, used only if we want to enable login in swagger using keycloak |
+| envs.KEYCLOAK_REALM | string | `""` | Keycloak realm name |
+| envs.MANAGEMENT_PORT | string | `nil` | Spring actuator port |
+| envs.MIW_HOST_NAME | string | `"localhost"` | Hostname of miw application |
+| envs.USE_SSL | bool | `false` | Whether database connection with SSL, true if the database connection is done using SSL |
+| envs.VC_EXPIRY_DATE | string | `""` | Default expiry date of issued VC |
+| envs.VC_SCHEMA_LINK | string | `""` | Verifiable credential schema URL, which will be part of @context in VC |
 | fullnameOverride | string | `""` |  |
 | image | object | `{"pullPolicy":"Always","repository":"ghcr.io/catenax-ng/tx-managed-identity-wallets_miw_service","tag":""}` | Image of the main container |
 | image.pullPolicy | string | `"Always"` | PullPolicy |
 | image.repository | string | `"ghcr.io/catenax-ng/tx-managed-identity-wallets_miw_service"` | Image repository |
 | image.tag | string | `""` | Image tag (empty one will use "appVersion" value from chart definition) |
-| imagePullSecrets | list | `[{"name":"acr-credential"}]` | Credentials for a private repo |
+| imagePullSecrets | list | `[]` | Credentials name for private repos |
 | ingress | object | `{"annotations":{},"enabled":false,"hosts":[{"host":"chart-example.local","paths":[{"path":"/","pathType":"ImplementationSpecific"}]}],"tls":[]}` | Ingress configuration |
 | nameOverride | string | `""` |  |
 | nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector configuration |
 | podAnnotations | object | `{}` | PodAnnotation configuration |
 | podSecurityContext | object | `{}` | PodSecurityContext |
+| postgresql | object | `{"auth":{"database":"miw","username":"miw"},"external":{"auth":{"existingSecret":"","existingSecretKey":"password","password":"","username":""},"config":{"database":"","host":"","port":5432}},"internal":{"enabled":true}}` | Configuration of the Postgresql database (internal and external) |
+| postgresql.auth | object | `{"database":"miw","username":"miw"}` | Default settings for the primary database and user |
+| postgresql.auth.database | string | `"miw"` | MIW database name |
+| postgresql.auth.username | string | `"miw"` | username for MIW database |
+| postgresql.external | object | `{"auth":{"existingSecret":"","existingSecretKey":"password","password":"","username":""},"config":{"database":"","host":"","port":5432}}` | Configure own postgresql database |
+| postgresql.external.auth.existingSecret | string | `""` | Existing secret with provided password |
+| postgresql.external.auth.existingSecretKey | string | `"password"` | Key name of password in secret |
+| postgresql.external.auth.password | string | `""` | DB password |
+| postgresql.external.auth.username | string | `""` | DB username |
+| postgresql.external.config | object | `{"database":"","host":"","port":5432}` | General config |
+| postgresql.external.config.database | string | `""` | Existing database to use |
+| postgresql.external.config.host | string | `""` | Instance host or IP |
+| postgresql.external.config.port | int | `5432` | Instance port |
+| postgresql.internal | object | `{"enabled":true}` | Configure bundled postgresql |
+| postgresql.internal.enabled | bool | `true` | Enable bundled database |
 | replicaCount | int | `1` | The amount of replicas to run |
 | resources | object | `{"limits":{"cpu":4,"memory":"1Gi"},"requests":{"cpu":"250m","memory":"500Mi"}}` | Resource boundaries |
-| secrets | object | `{}` | Parameters for the application (will be stored as secrets - so, for passwords, ...) |
+| secrets | object | `{"ENCRYPTION_KEY":"","KEYCLOAK_CLIENT_ID":""}` | Parameters for the application (will be stored as secrets - so, for important values, ...) |
+| secrets.ENCRYPTION_KEY | string | `""` | AES encryption key used to encrypt/decrypt private keys (random 32 chars) |
+| secrets.KEYCLOAK_CLIENT_ID | string | `""` | Keycloak confidential client id for MIW application |
 | securityContext | object | `{"allowPrivilegeEscalation":false,"privileged":false,"runAsGroup":11111,"runAsNonRoot":true,"runAsUser":11111}` | Preconfigured SecurityContext |
 | service | object | `{"port":8080,"type":"ClusterIP"}` | Service configuration |
 | serviceAccount | object | `{"annotations":{},"create":true,"name":""}` | ServiceAccount configuration |

charts/managed-identity-wallet/templates/backup/cronjob.yaml

@@ -17,7 +17,7 @@
 # * SPDX-License-Identifier: Apache-2.0
 # ********************************************************************************/
 
-{{ if .Values.backup.database.enabled -}}
+{{ if and .Values.backup.database.enabled .Values.postgresql.internal.enabled -}}
 apiVersion: batch/v1
 kind: CronJob
 metadata:
@@ -41,13 +41,13 @@ spec:
                 - "/bin/sh"
               args:
                 - "-c"
-                - 'pg_dump -v -Fc -U {{ .Values.secrets.DB_USER_NAME }} -h {{ .Values.envs.DB_HOST }} miw > /backup/miw-postgres-$(date +"%m-%d-%Y-%H:%M:%S").pgdump'
+                - 'pg_dump -v -Fc -U {{ .Values.postgresql.auth.username }} -h {{ .Release.Name }}-postgresql {{ .Values.postgresql.auth.database }} > /backup/miw-postgres-$(date +"%m-%d-%Y-%H:%M:%S").pgdump'
               env:
                 - name: PGPASSWORD
                   valueFrom:
                     secretKeyRef:
-                      name: {{ include "managed-identity-wallet.fullname" . }}
-                      key: DB_PASSWORD
+                      name: {{ .Release.Name }}-postgresql
+                      key: password
           restartPolicy: Never
           volumes:
             - name: data

charts/managed-identity-wallet/templates/deployment.yaml

@@ -53,18 +53,52 @@ spec:
           env:
             - name: APPLICATION_PORT
               value: "8080"
+            {{- if .Values.postgresql.internal.enabled }}
+            - name: DB_HOST
+              value: {{ .Release.Name }}-postgresql
+            - name: DB_USER_NAME
+              value: {{ .Values.postgresql.auth.username }}
+            - name: DB_NAME
+              value: {{ .Values.postgresql.auth.database }}
+            - name: DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Release.Name }}-postgresql
+                  key: password
+            {{- else }}
+            - name: DB_HOST
+              value: {{ .Values.postgresql.external.config.host }}
+            - name: DB_PORT
+              value: {{ .Values.postgresql.external.config.port | quote }}
+            - name: DB_USER_NAME
+              value: {{ .Values.postgresql.external.auth.username }}
+            - name: DB_NAME
+              value: {{ .Values.postgresql.external.config.database }}
+            - name: DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  {{- if .Values.postgresql.external.auth.existingSecret }}
+                  name: {{ .Values.postgresql.external.auth.existingSecret }}
+                  key: {{ .Values.postgresql.external.auth.existingSecretKey }}
+                  {{- else }}
+                  name: {{ include "managed-identity-wallet.fullname" . }}-postgresql
+                  key: password
+                  {{- end }}
+            {{- end }}
           {{- if or .Values.envs .Values.secrets }}
           {{- range $key, $val := .Values.envs }}
+            {{- if $val }}
             - name: {{ $key }}
               value: {{ $val }}
-          {{- end}}
+            {{- end }}
+          {{- end }}
           {{- range $key, $val := .Values.secrets }}
             - name: {{ $key }}
               valueFrom:
                 secretKeyRef:
                   name: {{ include "managed-identity-wallet.fullname" $ }}
                   key: {{ $key }}
-          {{- end}}
+          {{- end }}
           {{- end }}
           ports:
             - name: http

charts/managed-identity-wallet/templates/secret-database.yaml

@@ -0,0 +1,30 @@
+# /********************************************************************************
+# * Copyright (c) 2021,2023 Contributors to the Eclipse Foundation
+# *
+# * See the NOTICE file(s) distributed with this work for additional
+# * information regarding copyright ownership.
+# *
+# * This program and the accompanying materials are made available under the
+# * terms of the Apache License, Version 2.0 which is available at
+# * https://www.apache.org/licenses/LICENSE-2.0.
+# *
+# * Unless required by applicable law or agreed to in writing, software
+# * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# * License for the specific language governing permissions and limitations
+# * under the License.
+# *
+# * SPDX-License-Identifier: Apache-2.0
+# ********************************************************************************/
+
+{{- if and (not .Values.postgresql.internal.enabled) ( not .Values.postgresql.external.auth.existingSecret ) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "managed-identity-wallet.fullname" . }}-postgresql
+  labels:
+    {{- include "managed-identity-wallet.labels" . | nindent 4 }}
+type: Opaque
+data:
+  password: {{ .Values.postgresql.external.auth.password | b64enc }}
+{{- end -}}

charts/managed-identity-wallet/tests/custom-values/backup/cronjob_test.yaml

@@ -77,8 +77,8 @@ tests:
             name: PGPASSWORD
             valueFrom:
               secretKeyRef:
-                name: RELEASE-NAME-managed-identity-wallet
-                key: DB_PASSWORD
+                name: RELEASE-NAME-postgresql
+                key: password
 
   - it: should have default command and args
     asserts:
@@ -90,4 +90,11 @@ tests:
           path: spec.jobTemplate.spec.template.spec.containers[0].args
           value:
             - "-c"
-            - 'pg_dump -v -Fc -U dbuser -h postgres-host miw > /backup/miw-postgres-$(date +"%m-%d-%Y-%H:%M:%S").pgdump'
+            - 'pg_dump -v -Fc -U miw -h RELEASE-NAME-postgresql miw > /backup/miw-postgres-$(date +"%m-%d-%Y-%H:%M:%S").pgdump'
+
+  - it: should not render, if external DB is used
+    set:
+      postgresql.internal.enabled: false
+    asserts:
+      - hasDocuments:
+          count: 0