Gaia-X Lab Compliance Service

main branch: main pipeline status

development branch: development pipeline status

[[TOC]]

This repository contains the official implementation of the Gaia-X Compliance.

Warning: Gaia-X Compliance is not obtained by running this software yourself but by using specific versions of the compliance instances. See GXDCH.

Try out

You can use an instance of the Gaia-X Wizard here.

Existing deployments

In addition to the GXDCH instances, the Gaia-X Lab maintains several instances:

| Deployment URL | Usage | Content |
|---|---|---|
| v1, v1.x.x | Used to verify and claim Gaia-X Compliance. | Latest Tagus release. |
| v1-staging | Used to verify and claim Gaia-X Compliance. | Latest Tagus release. Production rules not enforced (non-EV SSL valid). |
| v2 | Used to verify and claim Gaia-X Compliance. | Latest Loire release. Production rules not enforced (non-EV SSL valid). |
| main | Used for playground activities. | Latest stable (main branch). |
| development | Used for playground activities. | Latest unstable (development branch). |

Image tags

This repo provides several image tags.

| tag | content | example |
|---|---|---|
| vX | latest major version | v1 |
| vX.Y | latest minor version | v1.1 |
| vX.Y.Z | specific version | v1.1.1 |
| main | latest stable | |
| development | latest unstable | |

Feature branches are also built and pushed to the container registry.

Deployment

A helm chart is provided inside the k8s/gx-compliance folder.

It provides several environment variables for the application:

| Env Variable | Name in values file | Default value | Note |
|---|---|---|---|
| APP_PATH | ingress.hosts[0].paths[0].path | /main | Deployment path of the application |
| BASE_URL | | https://<ingress.hosts[0].host>/<ingress.hosts[0].paths[0].path> | URL of the deployed application |
| REGISTRY_URL | urls.registry | http://<ingress.hosts[0].host>.replace("compliance","registry")/<ingress.hosts[0].path[0].path> | Defaults to the registry in the same namespace |
| privateKey | privateKey | base64 value of "empty" | This value is assigned automatically and contains the privateKey content. Stored in a secret in the cluster |
| PRIVATE_KEY_ALG | privateKeyAlg | PS256 | The private key signature algorithm, such as the ones described in the JsonWebSignature2020 library readme |
| X509_CERTIFICATE | X509_CERTIFICATE | base64 value of "empty" | This value is assigned automatically and contains the x509 certificate chain. Stored in a secret in the cluster |
| SD_STORAGE_BASE_URL | urls.storage | https://example-storage.lab.gaia-x.eu | |
| SD_STORAGE_API_KEY | storageApiKey | "Nothing" | |
| production | production | true | Whether the component is deployed in production mode. Enables more checks |
| dburl | dburl | bolt://{{ include "gx-compliance.fullname" . \| trunc 50 \| trimSuffix "-"}}-memgraph:7687 | URL to connect to memgraph |
| ntpServers | ntpServers | 0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org | Array of NTP servers to call. Will be piped to toJson and quote |

Usage example:

helm upgrade --install -n "<branch-name>" --create-namespace gx-compliance ./k8s/gx-compliance --set "nameOverride=<branch-name>,ingress.hosts[0].host=compliance.lab.gaia-x.eu,ingress.hosts[0].paths[0].path=/<branch-name>,image.tag=<branch-name>,ingress.hosts[0].paths[0].pathType=Prefix,privateKey=$complianceKey,privateKeyAlg=$complianceKeyAlg,X509_CERTIFICATE=$complianceCert"

For a tag:

helm upgrade --install -n "v1" --create-namespace gx-compliance ./k8s/gx-compliance --set "nameOverride=v1,ingress.hosts[0].host=compliance.lab.gaia-x.eu,ingress.hosts[0].paths[0].path=/v1,image.tag=v1,ingress.hosts[0].paths[0].pathType=Prefix,privateKey=$complianceKey,privateKeyAlg=$complianceKeyAlg,X509_CERTIFICATE=$complianceCert"

Syntax for ntpServers:

helm upgrade ... --set "...,ntpServers[0]=firstServer.com,ntpServers[1]=secondServer.com"

This component requires a memgraph database. It is provided in the deployment and can be deactivated by setting memgraphEnabled to false. Use dburl to point to your own memgraph database in that case.
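The helm commands above read the key material from $complianceKey, $complianceKeyAlg and $complianceCert without showing how those are filled. The following script is an added example, not part of the gx-compliance repository: it encodes the PEM files, refuses to proceed when the signing key is group- or world-readable, and assembles the same --set string as the README command. It assumes (the table only says "base64 value") that privateKey and X509_CERTIFICATE carry the base64 of the PEM file contents on a single line; the file names and the deploy_tag function are ours.

```shell
#!/usr/bin/env sh
# Added example, not part of the gx-compliance repository: prepares the values
# the helm commands above expect in $complianceKey, $complianceKeyAlg and
# $complianceCert, then deploys one tag.
# Assumption (the chart docs only say "base64 value"): privateKey and
# X509_CERTIFICATE carry the base64 of the PEM file contents, on one line.

# Base64-encode a file as a single line (portable: avoids the GNU-only -w0).
b64_file() {
    base64 < "$1" | tr -d '\n'
}

# Build the --set string for a tag deployment, mirroring the README command.
# $1 tag (e.g. v1)  $2 base64 key  $3 key algorithm  $4 base64 certificate chain
helm_set_args() {
    printf 'nameOverride=%s,ingress.hosts[0].host=compliance.lab.gaia-x.eu,ingress.hosts[0].paths[0].path=/%s,image.tag=%s,ingress.hosts[0].paths[0].pathType=Prefix,privateKey=%s,privateKeyAlg=%s,X509_CERTIFICATE=%s' \
        "$1" "$1" "$1" "$2" "$3" "$4"
}

# Succeed only when the file has no group/other permission bits: the private
# key signs compliance credentials and must not be readable by other accounts.
check_key_perms() {
    # ls -l prints the mode string first; characters 5-10 are the group and other bits.
    perms=$(ls -l "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Deploy a tag. Not executed on load; call it explicitly (see usage below).
# $1 tag  $2 key PEM path  $3 certificate chain PEM path  $4 algorithm (default PS256)
deploy_tag() {
    tag="$1"; keyfile="$2"; certfile="$3"; alg="${4:-PS256}"
    check_key_perms "$keyfile" || { echo "refusing: $keyfile is group/world readable" >&2; return 1; }
    complianceKey=$(b64_file "$keyfile")
    complianceCert=$(b64_file "$certfile")
    helm upgrade --install -n "$tag" --create-namespace gx-compliance ./k8s/gx-compliance \
        --set "$(helm_set_args "$tag" "$complianceKey" "$alg" "$complianceCert")"
}

# Usage (hypothetical file names):
#   . ./deploy-gx-compliance.sh && deploy_tag v1 ./compliance-key.pem ./compliance-chain.pem
```

As in the README command, the encoded key travels on the helm command line, so it is visible in the process list and shell history of the machine running the deployment; if that matters in your environment, put the same keys into a values file kept out of version control and pass it with -f instead of --set.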

The deployment is triggered automatically on development and main branches, as well as on release. Please refer to Gaia-X Lab Compliance Service for available instances.

Containers signature

Containers are signed using cosign since version v1.8.1. You can verify this yourself with the cosign client's verify command.

Example verifying the signature of the image built for tag v1.8.1:

docker run -it bitnami/cosign:latest verify --certificate-identity "https://gitlab.com/gaia-x/lab/compliance/gx-compliance//.gitlab-ci.yml@refs/tags/v1.8.1" --certificate-oidc-issuer "https://gitlab.com" registry.gitlab.com/gaia-x/lab/compliance/gx-compliance:v1.8.1

Cluster policy using Kyverno

The k8s folder contains a Kyverno ClusterPolicy ensuring the image you're deploying is properly signed and issued by Gaia-X AISBL.

If you have deployed Kyverno on your cluster, this will be enforced automatically on each deployment.
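To show what such an admission rule looks like, here is an added example that is not the ClusterPolicy shipped in the repository's k8s folder: a Kyverno policy, applied from a shell heredoc, that admits only pods whose gx-compliance image carries a cosign keyless signature from the GitLab CI identity and OIDC issuer shown in the cosign verify command above. The policy name, the refs/tags/* subject wildcard and the Rekor URL are our assumptions; tighten the subject to a single tag if you pin versions.

```shell
#!/usr/bin/env sh
# Added example, not the ClusterPolicy from the repository's k8s folder.
# Admits only pods whose gx-compliance image is signed by the project's
# GitLab CI identity (same subject/issuer as the cosign verify command above).
# Assumptions: policy name, the refs/tags/* wildcard and the public Rekor URL.

kyverno_policy_yaml() {
    cat <<'EOF'
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-gx-compliance-image-signature
spec:
  validationFailureAction: Enforce   # start with Audit to see what would be rejected
  background: false
  webhookTimeoutSeconds: 30
  rules:
    - name: require-cosign-keyless-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "registry.gitlab.com/gaia-x/lab/compliance/gx-compliance:*"
          # rewrite the tag to the verified digest so a later tag move cannot swap the image
          mutateDigest: true
          attestors:
            - count: 1
              entries:
                - keyless:
                    subject: "https://gitlab.com/gaia-x/lab/compliance/gx-compliance//.gitlab-ci.yml@refs/tags/*"
                    issuer: "https://gitlab.com"
                    rekor:
                      url: "https://rekor.sigstore.dev"
EOF
}

# Apply the policy; requires Kyverno to be installed in the cluster.
# Not executed on load; call it explicitly.
apply_kyverno_policy() {
    kyverno_policy_yaml | kubectl apply -f -
}

# Usage: . ./gx-compliance-kyverno.sh && apply_kyverno_policy
```

With validationFailureAction set to Enforce, a pod referencing an unsigned or differently signed gx-compliance image is rejected at admission; switching it to Audit records the same decision as a policy report without blocking, which is the safer first step on an existing cluster.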

See also