diff --git a/k8s/helm/tngkds/Chart.yaml b/k8s/helm/tngkds/Chart.yaml
index 6a0f5bf..8af0ec6 100644
--- a/k8s/helm/tngkds/Chart.yaml
+++ b/k8s/helm/tngkds/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: tngkds
-description: A Helm chart for Kubernetes
+description: A Helm chart for TNG Key Distribution Service
 
 # A chart can be either an 'application' or a 'library' chart.
 #
@@ -15,18 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.3.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
 appVersion: "1.16.0"
-
-dependencies:
-  - name: tngkds-postgres
-    condition: global.tngkds_postgres.enabled
-    version: 0.1.0
-  - name: tngkds-backend
-    condition: global.tngkds_backend.enabled
-    version: 0.1.0
diff --git a/k8s/helm/tngkds/README.md b/k8s/helm/tngkds/README.md
index b814bca..05ce437 100644
--- a/k8s/helm/tngkds/README.md
+++ b/k8s/helm/tngkds/README.md
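Review bot: Removing the `tngkds-postgres` and `tngkds-backend` dependencies in the second hunk moves every value from `tngkds-backend.*` to the chart root (the README hunk in this same commit shows `tngkds-backend.gateway.connector.tls_trust_store.*` becoming `gateway.connector.tls_trust_store.*`), and Helm ignores unknown top-level values unless a `values.schema.json` is present, so an override file written for 0.2.0 would render 0.3.0 with empty key-store, trust-store and trust-anchor settings instead of failing. A `values.schema.json` that declares the root properties with `additionalProperties: false`, or at least a `# BREAKING (0.3.0): subcharts removed, values moved from tngkds-backend.* to the chart root` comment above `version: 0.3.0`, would make that misconfiguration loud rather than silent. `appVersion: "1.16.0"` is also still the `helm create` scaffold default rather than the image actually deployed (the README lists `image.tag` as `0.0.1-d890889`); tracking the real image version here keeps what is running auditable from the chart metadata alone.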
@@ -1,44 +1,91 @@ + # tngkds ![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square) -A Helm chart for Kubernetes - -## Requirements -The versions from umbrella chart are currently not used, please refer to to corresponding image tags in value files - -| Repository | Name | Version | -|------------|------|---------| -| | tngkds-backend | 0.1.0 | -| | tngkds-postgres | 0.1.0 | +A Helm chart for TNG Key Distribution Service ## Values -| Key | Type | Default | Description | -|-----------------------------------------------------------|--------|-------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| tngkds-backend.gateway.connector.enabled | bool | `true` | flag whether the kds is connected to the TNG | -| tngkds-backend.gateway.connector.endpoint | string | `""` | The url where the TNG can be reached | -| tngkds-backend.gateway.connector.max-cache-age | int | `300` | | -| tngkds-backend.gateway.connector.proxy.enabled | bool | `false` | used for development, when KDS is run behind a proxy. 
If set to true, _tngkds-backend.gateway.connector.proxy.port_ and _tngkds-backend.gateway.connector.proxy.host_ also need to be applied | -| tngkds-backend.gateway.connector.tls_key_store.alias | string | `"clientcredentials"` | | -| tngkds-backend.gateway.connector.tls_key_store.password | string | `""` | | -| tngkds-backend.gateway.connector.tls_key_store.path | string | `"/certs/tls_key_store.p12"` | | -| tngkds-backend.gateway.connector.tls_trust_store.alias | string | `"tng-tls-server-certificate"` | | -| tngkds-backend.gateway.connector.tls_trust_store.password | string | `""` | | -| tngkds-backend.gateway.connector.tls_trust_store.path | string | `"/certs/tng_tls_server_truststore.p12"` | | -| tngkds-backend.gateway.connector.trust_anchor.alias | string | `"trustanchor"` | | -| tngkds-backend.gateway.connector.trust_anchor.password | string | `""` | | -| tngkds-backend.gateway.connector.trust_anchor.path | string | `"/certs/trustanchor_store.jks"` | | -| tngkds-backend.image.tag | string | `""` | | -| tngkds-backend.liquibaseImage.tag | string | `""` | | -| tngkds-backend.path | string | `"/()(*)"` | | -| tngkds-backend.port | int | `8080` | | -| tngkds-backend.db.driverclass | String | `org.h2.Driver` | The JDBC driver class | -| tngkds-backend.db.plattform | String | `org.hibernate.dialect.H2Dialect` | The Hibernate dialect | -| tngkds-backend.db.url | String | `jdbc:h2:mem:dgc;DB_CLOSE_ON_EXIT=FALSE;DB_CLOSE_DELAY=-1;` | The JDBC URL for the database connection | -| tngkds-backend.db.username | String | `sa` | The username for the database connection | -| tngkds-backend.db.password | String | `''` | The password for the database connection | -| tngkds-postgres.asPod.enabled | bool | `false` | | -| tngkds-postgres.path | string | `"/()(*)"` | | -| tngkds-postgres.port | int | `5432` | | - +| Key | Type | Default | Description | 
+|--------------------------------------------|--------|---------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| affinity | object | `{}` | | +| autoscaling.enabled | bool | `false` | | +| autoscaling.maxReplicas | int | `100` | | +| autoscaling.minReplicas | int | `1` | | +| autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| did.cron | string | `"*/10 * * * * *"` | spring cronjob configuration, how often shall the did file be generated | +| did.didUploadProvider | string | `"local-file"` | Upload provider for Did document, currently local-file | +| did.localFile.directory | string | `"trustlist"` | If upload provider is local-file: directory of the generated file | +| did.localFile.file-name | string | `"did.json"` | If upload provider is local-file: file-name of the generated file | +| did.did_controller | string | `"did:web:def"` | The controller that is generating the did.json / controlling its contents | +| did.did_id | string | `"did:web:abc"` | The ID of the did entry | +| did.enableDidGeneration | bool | `true` | Shall the did documents be generated | +| did.ld_proof_nonce | string | `"n0nc3"` | Nonce of the Did Document | +| did.ld_proof_verification_method | string | `"did:web:dummy.net"` | Verification Method of the DID Signer. 
Usually a did-link to a did.json containing the public key material that was used to sign this DID | +| did.trust_list_controller_prefix | string | `"did:web:abc"` | | +| did.trust_list_id_prefix | string | `"did:web:abc"` | | +| did.workdir | string | `"/tmp/kdsgituploader"` | local folder used for checkout and update git repository | +| did.prefix | string | `"v2.0.0"` | prefix used as root folder name for generated files | +| did.url | string | `"https://github.com/WorldHealthOrganization/tng-cdn-dev"` | the git repository to work in | +| did.pat | string | `"git did pat by secret tng-bot-dev"` | the personal access token of the technical user that has permission to write to the repository | +| did.didSigningProvider | string | `"dummy"`, `"local-keystore"` for configured private key | signing provider to be used to sign the did documents (proof section). dummy can be used for dev. "local-keystore"` should be used with configured private key in keystore. (see: How to setup signing material for DID Signing in [certs documentation](../../../../../certs/PlaceYourGatewayAccessKeysHere.md) | +| did.trust-list-path | string | `"trustlist"` | path that contains DID documents of trustlist | +| did.trust-list-ref-path | string | `"trustlist-ref"` | path that contains DID documents with references only | +| fullnameOverride | string | `""` | | +| gateway.connector.enabled | bool | `true` | | +| gateway.connector.endpoint | string | `""` | | +| gateway.connector.max-cache-age | int | `300` | | +| gateway.connector.proxy.enabled | bool | `false` | used for development, when your machine needs a proxy to access _tng.who.int_ | +| gateway.connector.tls_key_store.alias | string | `""` | KDS application accesses the cert via its alias | +| gateway.connector.tls_key_store.password | string | `""` | | +| gateway.connector.tls_key_store.path | string | `""` | | +| gateway.connector.tls_trust_store.alias | string | `""` | KDS application accesses the cert via its alias | +| 
gateway.connector.tls_trust_store.password | string | `""` | | +| gateway.connector.tls_trust_store.path | string | `""` | | +| gateway.connector.trust_anchor.alias | string | `""` | tng application access the cert via its alias | +| gateway.connector.trust_anchor.password | string | `""` | | +| gateway.connector.trust_anchor.path | string | `""` | | +| image.pullPolicy | string | `"IfNotPresent"` | | +| image.repository | string | `"ghcr.io/worldhealthorganization/tng-key-distribution/tng-key-distribution"` | | +| image.tag | string | `"0.0.1-d890889"` | version of the container image to be used for deployment | +| imagePullSecrets | string | `"tng-distribution-pull-secret"` | | +| ingress.annotations | object | `{}` | | +| ingress.className | string | `""` | | +| ingress.enabled | bool | `false` | | +| ingress.hosts[0].host | string | `"chart-example.local"` | | +| ingress.hosts[0].paths[0].path | string | `"/"` | | +| ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | | +| ingress.tls | list | `[]` | | +| liquibaseImage.repository | string | `"ghcr.io/worldhealthorganization/tng-key-distribution/tng-key-distribution-initcontainer"` | | +| liquibaseImage.tag | string | `""` | version of the initcontainer image to be used, the tag is the same as for _image.tag_ | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| podAnnotations | object | `{}` | | +| podSecurityContext | object | `{}` | | +| db.driverclass | String | `org.h2.Driver` | The JDBC driver class | +| db.plattform | String | `org.hibernate.dialect.H2Dialect` | The Hibernate dialect | +| db.url | String | `jdbc:h2:mem:dgc;DB_CLOSE_ON_EXIT=FALSE;DB_CLOSE_DELAY=-1;` | The JDBC URL for the database connection | +| db.username | String | `sa` | The username for the database connection | +| db.password | String | `''` | The password for the database connection | +| replicaCount | int | `1` | | +| resources | object | `{}` | | +| securityContext | object | `{}` | 
| +| server.port | int | `8080` | port of the kds applications api server | +| service.ports[0].name | string | `"http"` | | +| service.ports[0].nodePort | int | `30166` | | +| service.ports[0].port | int | `8080` | | +| service.ports[0].protocol | string | `"TCP"` | | +| service.ports[0].targetPort | int | `8080` | | +| service.type | string | `"NodePort"` | | +| serviceAccount.annotations | object | `{}` | | +| serviceAccount.create | bool | `true` | | +| serviceAccount.name | string | `""` | | +| spring.profile | string | `"cloud"` | {_0..n_} Spring profiles to be activated, usually used for feature toggle, currently not in use (existing values will be ignored) | +| tolerations | list | `[]` | | +| secrets.didSigner | string | `` | base64 encoded DID signer certificate | +| secrets.dockerPull | string | `` | base64 encoded docker pull secret | +| secrets.trustStore | string | `` | base64 encoded trust store jks | +| secrets.mtls.tlsKeyStore | string | `` | base64 encoded mTLS trust store | +| secrets.mtls.tlsServerTrustStore | string | `` | base64 encoded mTLS server trust store | +| secrets.mtls.tlsTrustAnchorStore | string | `` | base64 encoded mTLS trustanchor store | \ No newline at end of file diff --git a/k8s/helm/tngkds/charts/tngkds-backend/.helmignore b/k8s/helm/tngkds/charts/tngkds-backend/.helmignore deleted file mode 100644 index 0e8a0eb..0000000 --- a/k8s/helm/tngkds/charts/tngkds-backend/.helmignore +++ /dev/null @@ -1,23 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ 
diff --git a/k8s/helm/tngkds/charts/tngkds-backend/Chart.yaml b/k8s/helm/tngkds/charts/tngkds-backend/Chart.yaml deleted file mode 100644 index 0d4f241..0000000 --- a/k8s/helm/tngkds/charts/tngkds-backend/Chart.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: v2 -name: tngkds-backend -description: A Helm chart for TNG Key Distribution Service - -# A chart can be either an 'application' or a 'library' chart. -# -# Application charts are a collection of templates that can be packaged into versioned archives -# to be deployed. -# -# Library charts provide useful utilities or functions for the chart developer. They're included as -# a dependency of application charts to inject those utilities and functions into the rendering -# pipeline. Library charts do not define any templates and therefore cannot be deployed. -type: application - -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -# Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.1 - -# This is the version number of the application being deployed. This version number should be -# incremented each time you make changes to the application. Versions are not expected to -# follow Semantic Versioning. They should reflect the version the application is using. -# It is recommended to use it with quotes. -appVersion: "1.16.0" diff --git a/k8s/helm/tngkds/charts/tngkds-backend/README.md b/k8s/helm/tngkds/charts/tngkds-backend/README.md deleted file mode 100644 index 42a95f8..0000000 --- a/k8s/helm/tngkds/charts/tngkds-backend/README.md +++ /dev/null 
@@ -1,86 +0,0 @@ - -# tngkds-backend - -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square) - -A Helm chart for TNG Key Distribution Service - -## Values - -| Key | Type | Default | Description | -|--------------------------------------------|--------|---------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| affinity | object | `{}` | | -| autoscaling.enabled | bool | `false` | | -| autoscaling.maxReplicas | int | `100` | | -| autoscaling.minReplicas | int | `1` | | -| autoscaling.targetCPUUtilizationPercentage | int | `80` | | -| did.cron | string | `"*/10 * * * * *"` | spring cronjob configuration, how often shall the did file be generated | -| did.didUploadProvider | string | `"local-file"` | Upload provider for Did document, currently local-file | -| did.localFile.directory | string | `"trustlist"` | If upload provider is local-file: directory of the generated file | -| did.localFile.file-name | string | `"did.json"` | If upload provider is local-file: file-name of the generated file | -| did.did_controller | string | `"did:web:def"` | The controller that is generating the did.json / controlling its contents | -| did.did_id | string | `"did:web:abc"` | The ID of the did entry | -| did.enableDidGeneration | bool | `true` | Shall the did documents be generated | -| did.ld_proof_nonce | string | `"n0nc3"` | Nonce of the Did Document | -| did.ld_proof_verification_method | string | 
`"did:web:dummy.net"` | Verification Method of the DID Signer. Usually a did-link to a did.json containing the public key material that was used to sign this DID | -| did.trust_list_controller_prefix | string | `"did:web:abc"` | | -| did.trust_list_id_prefix | string | `"did:web:abc"` | | -| did.workdir | string | `"/tmp/kdsgituploader"` | local folder used for checkout and update git repository | -| did.prefix | string | `"v2.0.0"` | prefix used as root folder name for generated files | -| did.url | string | `"https://github.com/WorldHealthOrganization/tng-cdn-dev"` | the git repository to work in | -| did.pat | string | `"git did pat by secret tng-bot-dev"` | the personal access token of the technical user that has permission to write to the repository | -| did.didSigningProvider | string | `"dummy"`, `"local-keystore"` for configured private key | signing provider to be used to sign the did documents (proof section). dummy can be used for dev. "local-keystore"` should be used with configured private key in keystore. 
(see: How to setup signing material for DID Signing in [certs documentation](../../../../../certs/PlaceYourGatewayAccessKeysHere.md) | -| did.trust-list-path | string | `"trustlist"` | path that contains DID documents of trustlist | -| did.trust-list-ref-path | string | `"trustlist-ref"` | path that contains DID documents with references only | -| fullnameOverride | string | `""` | | -| gateway.connector.enabled | bool | `true` | | -| gateway.connector.endpoint | string | `""` | | -| gateway.connector.max-cache-age | int | `300` | | -| gateway.connector.proxy.enabled | bool | `false` | used for development, when your machine needs a proxy to access _tng.who.int_ | -| gateway.connector.tls_key_store.alias | string | `""` | KDS application accesses the cert via its alias | -| gateway.connector.tls_key_store.password | string | `""` | | -| gateway.connector.tls_key_store.path | string | `""` | | -| gateway.connector.tls_trust_store.alias | string | `""` | KDS application accesses the cert via its alias | -| gateway.connector.tls_trust_store.password | string | `""` | | -| gateway.connector.tls_trust_store.path | string | `""` | | -| gateway.connector.trust_anchor.alias | string | `""` | tng application access the cert via its alias | -| gateway.connector.trust_anchor.password | string | `""` | | -| gateway.connector.trust_anchor.path | string | `""` | | -| image.pullPolicy | string | `"IfNotPresent"` | | -| image.repository | string | `"ghcr.io/worldhealthorganization/tng-key-distribution/tng-key-distribution"` | | -| image.tag | string | `"0.0.1-d890889"` | version of the container image to be used for deployment | -| imagePullSecrets | string | `"tng-distribution-pull-secret"` | | -| ingress.annotations | object | `{}` | | -| ingress.className | string | `""` | | -| ingress.enabled | bool | `false` | | -| ingress.hosts[0].host | string | `"chart-example.local"` | | -| ingress.hosts[0].paths[0].path | string | `"/"` | | -| ingress.hosts[0].paths[0].pathType | string 
| `"ImplementationSpecific"` | | -| ingress.tls | list | `[]` | | -| liquibaseImage.repository | string | `"ghcr.io/worldhealthorganization/tng-key-distribution/tng-key-distribution-initcontainer"` | | -| liquibaseImage.tag | string | `""` | version of the initcontainer image to be used, the tag is the same as for _image.tag_ | -| nameOverride | string | `""` | | -| nodeSelector | object | `{}` | | -| podAnnotations | object | `{}` | | -| podSecurityContext | object | `{}` | | -| db.driverclass | String | `org.h2.Driver` | The JDBC driver class | -| db.plattform | String | `org.hibernate.dialect.H2Dialect` | The Hibernate dialect | -| db.url | String | `jdbc:h2:mem:dgc;DB_CLOSE_ON_EXIT=FALSE;DB_CLOSE_DELAY=-1;` | The JDBC URL for the database connection | -| db.username | String | `sa` | The username for the database connection | -| db.password | String | `''` | The password for the database connection | -| replicaCount | int | `1` | | -| resources | object | `{}` | | -| securityContext | object | `{}` | | -| server.port | int | `8080` | port of the kds applications api server | -| service.ports[0].name | string | `"http"` | | -| service.ports[0].nodePort | int | `30166` | | -| service.ports[0].port | int | `8080` | | -| service.ports[0].protocol | string | `"TCP"` | | -| service.ports[0].targetPort | int | `8080` | | -| service.type | string | `"NodePort"` | | -| serviceAccount.annotations | object | `{}` | | -| serviceAccount.create | bool | `true` | | -| serviceAccount.name | string | `""` | | -| spring.profile | string | `"cloud"` | {_0..n_} Spring profiles to be activated, usually used for feature toggle, currently not in use (existing values will be ignored) | -| tolerations | list | `[]` | | - diff --git a/k8s/helm/tngkds/charts/tngkds-backend/templates/_helpers.tpl b/k8s/helm/tngkds/charts/tngkds-backend/templates/_helpers.tpl deleted file mode 100644 index b30552c..0000000 --- a/k8s/helm/tngkds/charts/tngkds-backend/templates/_helpers.tpl +++ /dev/null 
@@ -1,46 +0,0 @@ -{{/* -Template labels -*/}} -{{- define "tngkds-backend.templateLabels" -}} - app: {{ template "tngkds-backend.fullname" . }} -{{- end -}} - -{{- define "tngkds-backend.selectorLabels" -}} - app: {{ template "tngkds-backend.fullname" . }} -{{- end -}} - -{{- define "tngkds-backend.labels" -}} - app: {{ template "tngkds-backend.fullname" . }} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "tngkds-backend.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Expand the name of the chart. -*/}} -{{- define "tngkds-backend.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "tngkds-backend.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} diff --git a/k8s/helm/tngkds/charts/tngkds-backend/values.yaml b/k8s/helm/tngkds/charts/tngkds-backend/values.yaml deleted file mode 100644 index 84da4a4..0000000 --- a/k8s/helm/tngkds/charts/tngkds-backend/values.yaml +++ /dev/null 
@@ -1,178 +0,0 @@ -# Default values for tngkds-backend. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -replicaCount: 1 - -image: - # Create this image before your local installing with: "docker build -t kds:0.0.1" and load - # this image into your local minikube cluster with: "minikube image load kds:0.0.1" - repository: ghcr.io/worldhealthorganization/tng-key-distribution/tng-key-distribution - pullPolicy: IfNotPresent - # Overrides the image tag whose default is the chart appVersion. - tag: "0.0.1-d890889" #"0.0.1-2840d04" - -#kubectl -n create secret docker-registry --docker-server=ghcr.io --docker-username= --docker-password= --docker-email= -o yaml -#kubectl -n kds create secret docker-registry tng-distribution-pull-secret --docker-server=ghcr.io --docker-username=anonymous --docker-password= --docker-email=anonymous@example.com -o yaml -imagePullSecrets: tng-distribution-pull-secret -nameOverride: "" -fullnameOverride: "" - -# Liquibase -liquibaseImage: - repository: ghcr.io/worldhealthorganization/tng-key-distribution/tng-key-distribution-initcontainer - tag: - -serviceAccount: - # Specifies whether a service account should be created - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. 
- # If not set and create is true, a name is generated using the fullname template - name: "" - -podAnnotations: {} - -podSecurityContext: - {} - # fsGroup: 2000 - -securityContext: - {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 - -service: - type: NodePort - ports: - - name: http - port: 8080 - targetPort: 8080 - nodePort: 30166 - protocol: TCP - -ingress: - enabled: false - className: "" - annotations: - {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: chart-example.local - paths: - - path: / - pathType: ImplementationSpecific - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - -resources: - {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
- # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 100 - targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 - -nodeSelector: {} - -tolerations: [] - -affinity: {} - -# H2 -db: - driverclass: org.h2.Driver - plattform: org.hibernate.dialect.H2Dialect - url: jdbc:h2:mem:dgc;DB_CLOSE_ON_EXIT=FALSE;DB_CLOSE_DELAY=-1; - username: sa - password: '' - -# ConfigMap -# configMap: -# data: -# host: localhost -# dbName: postgres - -# Spring -spring: - profile: cloud - -# Server port -server: - port: 8080 - -# Smart TN Gateway -gateway: - connector: - enabled: true - endpoint: - proxy: - enabled: false - max-cache-age: 300 - tls_trust_store: #CA of TNG Gateway of TLS certificate - alias: - password: - path: - tls_key_store: # client cert key pair of participant - alias: - password: - path: - trust_anchor: # TA pem file of TNG that was used for signing - alias: - password: - path: -did: - cron: "*/10 * * * * *" - enableDidGeneration: true - didUploadProvider: local-file - localFile: - directory: /tmp/kdsgitworkdir/tng-cdn-dev/v2.0.0 - file-name: did.json - git: - workdir: /tmp/kdsgituploader # oon clonind will checkout e.g. 
tng-cdn-dev - prefix: v2.0.0 #for copy action into git workdir from local file exporter path - url: https://github.com/WorldHealthOrganization/tng-cdn-dev - pat: - didSigningProvider: local-keystore - localKeyStore: - alias: did-signer - password: secure-password - path: - ld-proof-verification-method: did:web:dummy.net - did-id: did:web:worldhealthorganization.github.io:tng-cdn-dev:v2.0.0 - trust-list-path: trustlist - trust-list-ref-path: trustlist-ref - did-controller: did:web:worldhealthorganization.github.io:tng-cdn-dev:v2.0.0 - contextMapping: - "[https://www.w3.org/ns/did/v1]": did_v1.json - "[https://w3id.org/security/suites/jws-2020/v1]": jws-2020_v1.json - virtualCountries: - XA: XXA - XB: XXB - XO: XXO - XL: XCL - EU: XEU - group-deny-list: - - UPLOAD - group-name-mapping: - CSCA: SCA diff --git a/k8s/helm/tngkds/charts/tngkds-postgres/.helmignore b/k8s/helm/tngkds/charts/tngkds-postgres/.helmignore deleted file mode 100644 index 0e8a0eb..0000000 --- a/k8s/helm/tngkds/charts/tngkds-postgres/.helmignore +++ /dev/null @@ -1,23 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/k8s/helm/tngkds/charts/tngkds-postgres/Chart.yaml b/k8s/helm/tngkds/charts/tngkds-postgres/Chart.yaml deleted file mode 100644 index 8e1d514..0000000 --- a/k8s/helm/tngkds/charts/tngkds-postgres/Chart.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -apiVersion: v2 -name: tngkds-postgres -description: A Helm chart for PostgreSQL database for TNG Key Distribution Service - -# A chart can be either an 'application' or a 'library' chart. -# -# Application charts are a collection of templates that can be packaged into versioned archives -# to be deployed. -# -# Library charts provide useful utilities or functions for the chart developer. They're included as -# a dependency of application charts to inject those utilities and functions into the rendering -# pipeline. Library charts do not define any templates and therefore cannot be deployed. -type: application - -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -# Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.1 - -# This is the version number of the application being deployed. This version number should be -# incremented each time you make changes to the application. Versions are not expected to -# follow Semantic Versioning. They should reflect the version the application is using. -# It is recommended to use it with quotes. -appVersion: "1.16.0" diff --git a/k8s/helm/tngkds/charts/tngkds-postgres/README.md b/k8s/helm/tngkds/charts/tngkds-postgres/README.md deleted file mode 100644 index 13a1375..0000000 --- a/k8s/helm/tngkds/charts/tngkds-postgres/README.md +++ /dev/null 
@@ -1,45 +0,0 @@ -# tngkds-postgres - -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square) - -A Helm chart for PostgreSQL database for TNG Key Distribution Service - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| affinity | object | `{}` | | -| autoscaling.enabled | bool | `false` | Pod autoscaling | -| autoscaling.maxReplicas | int | `100` | | -| autoscaling.minReplicas | int | `1` | | -| autoscaling.targetCPUUtilizationPercentage | int | `80` | | -| configMap.data.dbName | string | `"postgres"` | used as service name when db is deployed as pod | -| configMap.data.host | string | `"localhost"` | used as host name when db is deployed as pod | -| dbpassword | string | `""` | password of the dbuser | -| dbuser | string | `""` | username of the dbuser | -| fullnameOverride | string | `""` | | -| image.pullPolicy | string | `"IfNotPresent"` | | -| image.repository | string | `"nginx"` | | -| image.tag | string | `""` | | -| imagePullSecrets | list | `[]` | | -| ingress.annotations | object | `{}` | | -| ingress.className | string | `""` | | -| ingress.enabled | bool | `false` | | -| ingress.hosts[0].host | string | `"chart-example.local"` | | -| ingress.hosts[0].paths[0].path | string | `"/"` | | -| ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | | -| ingress.tls | list | `[]` | | -| nameOverride | string | `""` | | -| nodeSelector | object | `{}` | | -| podAnnotations | object | `{}` | | -| podSecurityContext | object | `{}` | | -| replicaCount | int | `1` | | -| resources | object | `{}` | | -| securityContext | object | `{}` | | -| service.ports[0].port | int | `5432` | db service port | -| service.type | string | `"NodePort"` | | -| 
serviceAccount.annotations | object | `{}` | | -| serviceAccount.create | bool | `true` | | -| serviceAccount.name | string | `""` | | -| tolerations | list | `[]` | | - diff --git a/k8s/helm/tngkds/charts/tngkds-postgres/templates/_helpers.tpl b/k8s/helm/tngkds/charts/tngkds-postgres/templates/_helpers.tpl deleted file mode 100644 index c7471d9..0000000 --- a/k8s/helm/tngkds/charts/tngkds-postgres/templates/_helpers.tpl +++ /dev/null @@ -1,46 +0,0 @@ -{{/* -Template labels -*/}} -{{- define "tngkds-postgres.templateLabels" -}} - app: {{ template "tngkds-postgres.fullname" . }} -{{- end -}} - -{{- define "tngkds-postgres.selectorLabels" -}} - app: {{ template "tngkds-postgres.fullname" . }} -{{- end -}} - -{{- define "tngkds-postgres.labels" -}} - app: {{ template "tngkds-postgres.fullname" . }} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "tngkds-postgres.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Expand the name of the chart. -*/}} -{{- define "tngkds-postgres.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "tngkds-postgres.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} 
diff --git a/k8s/helm/tngkds/charts/tngkds-postgres/templates/configmap.yml b/k8s/helm/tngkds/charts/tngkds-postgres/templates/configmap.yml deleted file mode 100644 index bf656fc..0000000 --- a/k8s/helm/tngkds/charts/tngkds-postgres/templates/configmap.yml +++ /dev/null @@ -1,10 +0,0 @@ -{{- if .Values.asPod.enabled }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "tngkds-postgres.fullname" . }}-cfg - namespace: {{ .Release.Namespace }} -data: - host: "{{ .Values.configMap.data.host }}" - dbname: "{{ .Values.configMap.data.dbName }}" -{{- end }} diff --git a/k8s/helm/tngkds/charts/tngkds-postgres/templates/deployment.yaml b/k8s/helm/tngkds/charts/tngkds-postgres/templates/deployment.yaml deleted file mode 100644 index e13ecd8..0000000 --- a/k8s/helm/tngkds/charts/tngkds-postgres/templates/deployment.yaml +++ /dev/null 
@@ -1,52 +0,0 @@ -{{- if .Values.asPod.enabled }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "tngkds-postgres.fullname" . }} - labels: - {{- include "tngkds-postgres.labels" . | nindent 4 }} - tier: database - namespace: {{ .Release.Namespace }} -spec: - selector: - matchLabels: - {{- include "tngkds-postgres.selectorLabels" . | nindent 6 }} - strategy: - type: Recreate - template: - metadata: - labels: - {{- include "tngkds-postgres.labels" . | nindent 8 }} - tier: database - spec: - containers: - - name: postgres - image: postgres - imagePullPolicy: "IfNotPresent" - env: - - name: POSTGRES_USER - valueFrom: - secretKeyRef: - name: {{ include "tngkds-postgres.fullname" . }}-secret - key: pgUser - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "tngkds-postgres.fullname" . }}-secret - key: pgPassword - - name: POSTGRES_DB - valueFrom: - configMapKeyRef: - name: {{ include "tngkds-postgres.fullname" . }}-cfg - key: dbname - ports: - - containerPort: 5432 - name: postgres - volumeMounts: - - mountPath: /var/lib/postgresql/kds/data - name: postgres-persistance-storage - volumes: - - name: postgres-persistance-storage - persistentVolumeClaim: - claimName: {{ include "tngkds-postgres.fullname" . }}-pv-claim -{{- end }} diff --git a/k8s/helm/tngkds/charts/tngkds-postgres/templates/pv-claim.yaml b/k8s/helm/tngkds/charts/tngkds-postgres/templates/pv-claim.yaml deleted file mode 100644 index c3c4d34..0000000 --- a/k8s/helm/tngkds/charts/tngkds-postgres/templates/pv-claim.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{{- if .Values.asPod.enabled }} -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: {{ include "tngkds-postgres.fullname" . }}-pv-claim - labels: - {{- include "tngkds-postgres.labels" . | nindent 4 }} - tier: database - namespace: {{ .Release.Namespace }} -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi -{{- end }} 
diff --git a/k8s/helm/tngkds/charts/tngkds-postgres/templates/secrets.yml b/k8s/helm/tngkds/charts/tngkds-postgres/templates/secrets.yml deleted file mode 100644 index 32bfca0..0000000 --- a/k8s/helm/tngkds/charts/tngkds-postgres/templates/secrets.yml +++ /dev/null @@ -1,10 +0,0 @@ -{{- if .Values.asPod.enabled }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "tngkds-postgres.fullname" . }}-secret - namespace: {{ .Release.Namespace }} -stringData: - pgUser: {{ .Values.dbuser | quote }} - pgPassword: {{ .Values.dbpassword | quote }} -{{- end }} diff --git a/k8s/helm/tngkds/charts/tngkds-postgres/templates/service.yaml b/k8s/helm/tngkds/charts/tngkds-postgres/templates/service.yaml deleted file mode 100644 index 5f28c27..0000000 --- a/k8s/helm/tngkds/charts/tngkds-postgres/templates/service.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if .Values.asPod.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: postgres - labels: - {{- include "tngkds-postgres.labels" . | nindent 4 }} - tier: database - namespace: {{ .Release.Namespace }} -spec: - type: NodePort - ports: - {{ range .Values.service.ports }} - - port: {{ .port }} - {{ end }} - selector: - {{- include "tngkds-postgres.selectorLabels" . | nindent 4 }} - tier: database -{{- end }} diff --git a/k8s/helm/tngkds/charts/tngkds-postgres/values.yaml b/k8s/helm/tngkds/charts/tngkds-postgres/values.yaml deleted file mode 100644 index 4561a40..0000000 --- a/k8s/helm/tngkds/charts/tngkds-postgres/values.yaml +++ /dev/null 
@@ -1,95 +0,0 @@ -# Default values for tngkds-postgres. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -replicaCount: 1 - -image: - repository: nginx - pullPolicy: IfNotPresent - # Overrides the image tag whose default is the chart appVersion. - tag: "" - -imagePullSecrets: [] -nameOverride: "" -fullnameOverride: "" - -serviceAccount: - # Specifies whether a service account should be created - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" - -podAnnotations: {} - -podSecurityContext: - {} - # fsGroup: 2000 - -securityContext: - {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 - -service: - type: NodePort - ports: - - port: 5432 - -ingress: - enabled: false - className: "" - annotations: - {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: chart-example.local - paths: - - path: / - pathType: ImplementationSpecific - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - -resources: - {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
- # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 100 - targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 - -nodeSelector: {} - -tolerations: [] - -affinity: {} - -# ConfigMap -configMap: - data: - host: localhost - dbName: postgres -dbuser: -dbpassword: diff --git a/k8s/helm/tngkds/templates/_helpers.tpl b/k8s/helm/tngkds/templates/_helpers.tpl index c0b246e..e594146 100644 --- a/k8s/helm/tngkds/templates/_helpers.tpl +++ b/k8s/helm/tngkds/templates/_helpers.tpl @@ -1,3 +1,25 @@ +{{/* +Template labels +*/}} +{{- define "tngkds.templateLabels" -}} + app: {{ template "tngkds.fullname" . }} +{{- end -}} + +{{- define "tngkds.selectorLabels" -}} + app: {{ template "tngkds.fullname" . }} +{{- end -}} + +{{- define "tngkds.labels" -}} + app: {{ template "tngkds.fullname" . }} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "tngkds.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + {{/* Expand the name of the chart. */}} 
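Review bot: The three new helpers `tngkds.templateLabels`, `tngkds.selectorLabels` and `tngkds.labels` all expand to the same single `app: <fullname>` label, so `labels` carries no more information than the selector and `templateLabels` is not referenced by any template in this diff. The `tngkds.labels` removed in the second hunk of this file emitted `helm.sh/chart`, `app.kubernetes.io/version` and `app.kubernetes.io/managed-by`, which tooling and admission policies use to attribute a workload to its chart and release; since a Deployment's selector is immutable, keep `selectorLabels` minimal and have `labels` build on it, e.g. `{{- define "tngkds.labels" -}}` / `{{ include "tngkds.selectorLabels" . }}` / `helm.sh/chart: {{ include "tngkds.chart" . }}`. If `templateLabels` is meant only for the pod template, a one-line `{{/* ... */}}` comment stating that would help; otherwise drop it.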
@@ -22,41 +44,3 @@ If release name contains chart name it will be used as a full name. {{- end }} {{- end }} {{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "tngkds.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "tngkds.labels" -}} -helm.sh/chart: {{ include "tngkds.chart" . }} -{{ include "tngkds.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "tngkds.selectorLabels" -}} -app.kubernetes.io/name: {{ include "tngkds.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} - -{{/* -Create the name of the service account to use -*/}} -{{- define "tngkds.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "tngkds.fullname" .) .Values.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.serviceAccount.name }} -{{- end }} -{{- end }} diff --git a/k8s/helm/tngkds/charts/tngkds-backend/templates/deployment.yaml b/k8s/helm/tngkds/templates/deployment.yaml similarity index 94% rename from k8s/helm/tngkds/charts/tngkds-backend/templates/deployment.yaml rename to k8s/helm/tngkds/templates/deployment.yaml index 65307f0..67698b1 100644 --- a/k8s/helm/tngkds/charts/tngkds-backend/templates/deployment.yaml +++ b/k8s/helm/tngkds/templates/deployment.yaml 
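Review bot: `tngkds.serviceAccountName` is removed here, but the `values.yaml` and `values-local.yaml` in this commit still declare the full `serviceAccount` block (`create`, `annotations`, `name`), so those keys are now dead configuration that operators may set without effect. Either drop the block from both values files or keep the helper and reference it from `deployment.yaml` via `serviceAccountName: {{ include "tngkds.serviceAccountName" . }}`; the new deployment template sets no service account at all, so the pod runs under the namespace's `default` account with whatever permissions that carries. If any template outside this diff still calls the removed helper, the chart will fail to render; I could not see such a caller here.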
@@ -1,161 +1,161 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "tngkds-backend.fullname" . }} - labels: - {{- include "tngkds-backend.labels" . | nindent 4 }} - namespace: {{ .Release.Namespace }} -spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} - {{- end }} - selector: - matchLabels: - {{- include "tngkds-backend.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "tngkds-backend.labels" . | nindent 8 }} - spec: - imagePullSecrets: - - name: {{ .Values.imagePullSecrets }} - containers: - - name: {{ .Chart.Name }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - ports: - {{ range .Values.service.ports }} - - name: {{ .name }} - containerPort: {{ .port }} - protocol: {{ .protocol }} - {{ end }} - env: - - name: SERVER_PORT - value: "{{ .Values.server.port }}" - - name: SPRING_PROFILES_ACTIVE - value: {{ .Values.spring.profile }} - - name: SPRING_DATASOURCE_URL - value: {{ .Values.db.url | quote }} - - name: SPRING_DATASOURCE_DRIVERCLASSNAME - value: {{ .Values.db.driverclass | quote }} - - name: SPRING_DATASOURCE_JNDI_NAME - value: "false" - - name: SPRING_JPA_DATABASEPLATFORM - value: {{ .Values.db.plattform | quote }} - - name: SPRING_DATASOURCE_USERNAME - value: {{ .Values.db.username | quote }} - - name: SPRING_DATASOURCE_PASSWORD - value: {{ .Values.db.password | quote }} - - name: DGC_GATEWAY_CONNECTOR_TLS_TRUST_STORE_PATH - value: {{ .Values.gateway.connector.tls_trust_store.path }} - - name: DGC_GATEWAY_CONNECTOR_TLS_TRUST_STORE_PASSWORD - value: {{ .Values.gateway.connector.tls_trust_store.password | quote }} - - name: DGC_GATEWAY_CONNECTOR_TLS_TRUST_STORE_ALIAS - value: {{ .Values.gateway.connector.tls_trust_store.alias }} - - 
name: DGC_GATEWAY_CONNECTOR_TLS_KEY_STORE_PATH - value: {{ .Values.gateway.connector.tls_key_store.path }} - - name: DGC_GATEWAY_CONNECTOR_TLS_KEY_STORE_PASSWORD - value: {{ .Values.gateway.connector.tls_key_store.password | quote }} - - name: DGC_GATEWAY_CONNECTOR_TLS_KEY_STORE_ALIAS - value: {{.Values.gateway.connector.tls_key_store.alias }} - - name: DGC_GATEWAY_CONNECTOR_TRUST_ANCHOR_PATH - value: {{ .Values.gateway.connector.trust_anchor.path }} - - name: DGC_GATEWAY_CONNECTOR_TRUST_ANCHOR_PASSWORD - value: {{ .Values.gateway.connector.trust_anchor.password | quote }} - - name: DGC_GATEWAY_CONNECTOR_TRUST_ANCHOR_ALIAS - value: {{ .Values.gateway.connector.trust_anchor.alias }} - - name: DGC_GATEWAY_CONNECTOR_ENABLED - value: {{ .Values.gateway.connector.enabled | quote }} - - name: DGC_GATEWAY_CONNECTOR_ENDPOINT - value: {{ .Values.gateway.connector.endpoint }} - {{- if .Values.did.enableDidGeneration }} - - name: DGC_DID_CRON - value: "{{ .Values.did.cron }}" - - name: DGC_DID_DIDUPLOADPROVIDER - value: "{{ .Values.did.didUploadProvider }}" - - name: DGC_DID_LOCALFILE_DIRECTORY - value: "{{ .Values.did.localFile.directory }}" - - name: DGC_DID_LOCALFILE_FILENAME - value: "{{ .Values.did.localFile.filename }}" - - name: DGC_DID_GIT_WORKDIR - value: "{{ .Values.did.git.workdir }}" - - name: DGC_DID_GIT_PREFIX - value: "{{ .Values.did.git.prefix }}" - - name: DGC_DID_GIT_URL - value: "{{ .Values.did.git.url }}" - - name: DGC_DID_GIT_PAT - value: "{{ .Values.did.git.pat }}" - - name: DGC_DID_DIDSIGNINGPROVIDER - value: "{{ .Values.did.didSigningProvider }}" - - name: DGC_DID_LDPROOFVERIFICATIONMETHOD - value: "{{ index .Values.did "ld-proof-verification-method" }}" - - name: DGC_DID_DIDID - value: "{{ index .Values.did "did-id" }}" - - name: DGC_DID_TRUSTLISTPATH - value: "{{ index .Values.did "trust-list-path" }}" - - name: DGC_DID_TRUSTLISTREFPATH - value: "{{ index .Values.did "trust-list-ref-path" }}" - - name: DGC_DID_DIDCONTROLLER - value: "{{ index 
.Values.did "did-controller" }}" - - name: DGC_DID_LOCALKEYSTORE_ALIAS - value: {{ .Values.did.localKeyStore.alias | quote }} - - name: DGC_DID_LOCALKEYSTORE_PASSWORD - value: {{ .Values.did.localKeyStore.password | quote }} - - name: DGC_DID_LOCALKEYSTORE_PATH - value: {{ .Values.did.localKeyStore.path | quote }} - {{- range $key, $value := .Values.did.virtualCountries }} - - name: DGC_DID_VIRTUALCOUNTRIES_{{ $key | toString | upper }} - value: "{{ $value }}" - {{- end }} - - name: DGC_DID_GROUPDENYLIST - value: "{{ join "," (index .Values.did "group-deny-list") }}" - {{- range $key, $value := index .Values.did "group-name-mapping" }} - - name: DGC_DID_GROUPNAMEMAPPING_{{ $key | toString | upper }} - value: "{{ $value }}" - {{- end }} - {{- end }} - volumeMounts: - - name: secrets-jks - mountPath: /certs - readOnly: true - - name: did-signing - mountPath: /didcerts - readOnly: true - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - volumes: - - name: secrets-jks - secret: - secretName: mtls-secret - items: - - key: tls_key_store.p12 - path: tls_key_store.p12 - - key: trustanchor_store.jks - path: trustanchor_store.jks - - key: tng_tls_server_truststore.p12 - path: tng_tls_server_truststore.p12 - - name: did-signing - secret: - secretName: did-signer-secret - items: - - key: did-signer.p12 - path: did-signer.p12 - +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "tngkds.fullname" . }} + labels: + {{- include "tngkds.labels" . | nindent 4 }} + namespace: {{ .Release.Namespace }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "tngkds.selectorLabels" . 
| nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "tngkds.labels" . | nindent 8 }} + spec: + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + {{ range .Values.service.ports }} + - name: {{ .name }} + containerPort: {{ .port }} + protocol: {{ .protocol }} + {{ end }} + env: + - name: SERVER_PORT + value: "{{ .Values.server.port }}" + - name: SPRING_PROFILES_ACTIVE + value: {{ .Values.spring.profile }} + - name: SPRING_DATASOURCE_URL + value: {{ .Values.db.url | quote }} + - name: SPRING_DATASOURCE_DRIVERCLASSNAME + value: {{ .Values.db.driverclass | quote }} + - name: SPRING_DATASOURCE_JNDI_NAME + value: "false" + - name: SPRING_JPA_DATABASEPLATFORM + value: {{ .Values.db.plattform | quote }} + - name: SPRING_DATASOURCE_USERNAME + value: {{ .Values.db.username | quote }} + - name: SPRING_DATASOURCE_PASSWORD + value: {{ .Values.db.password | quote }} + - name: DGC_GATEWAY_CONNECTOR_TLS_TRUST_STORE_PATH + value: {{ .Values.gateway.connector.tls_trust_store.path }} + - name: DGC_GATEWAY_CONNECTOR_TLS_TRUST_STORE_PASSWORD + value: {{ .Values.gateway.connector.tls_trust_store.password | quote }} + - name: DGC_GATEWAY_CONNECTOR_TLS_TRUST_STORE_ALIAS + value: {{ .Values.gateway.connector.tls_trust_store.alias }} + - name: DGC_GATEWAY_CONNECTOR_TLS_KEY_STORE_PATH + value: {{ .Values.gateway.connector.tls_key_store.path }} + - name: DGC_GATEWAY_CONNECTOR_TLS_KEY_STORE_PASSWORD + value: {{ .Values.gateway.connector.tls_key_store.password | quote }} + - name: DGC_GATEWAY_CONNECTOR_TLS_KEY_STORE_ALIAS + value: {{.Values.gateway.connector.tls_key_store.alias }} + - name: DGC_GATEWAY_CONNECTOR_TRUST_ANCHOR_PATH + value: {{ 
.Values.gateway.connector.trust_anchor.path }} + - name: DGC_GATEWAY_CONNECTOR_TRUST_ANCHOR_PASSWORD + value: {{ .Values.gateway.connector.trust_anchor.password | quote }} + - name: DGC_GATEWAY_CONNECTOR_TRUST_ANCHOR_ALIAS + value: {{ .Values.gateway.connector.trust_anchor.alias }} + - name: DGC_GATEWAY_CONNECTOR_ENABLED + value: {{ .Values.gateway.connector.enabled | quote }} + - name: DGC_GATEWAY_CONNECTOR_ENDPOINT + value: {{ .Values.gateway.connector.endpoint }} + {{- if .Values.did.enableDidGeneration }} + - name: DGC_DID_CRON + value: "{{ .Values.did.cron }}" + - name: DGC_DID_DIDUPLOADPROVIDER + value: "{{ .Values.did.didUploadProvider }}" + - name: DGC_DID_LOCALFILE_DIRECTORY + value: "{{ .Values.did.localFile.directory }}" + - name: DGC_DID_LOCALFILE_FILENAME + value: "{{ .Values.did.localFile.filename }}" + - name: DGC_DID_GIT_WORKDIR + value: "{{ .Values.did.git.workdir }}" + - name: DGC_DID_GIT_PREFIX + value: "{{ .Values.did.git.prefix }}" + - name: DGC_DID_GIT_URL + value: "{{ .Values.did.git.url }}" + - name: DGC_DID_GIT_PAT + value: "{{ .Values.did.git.pat }}" + - name: DGC_DID_DIDSIGNINGPROVIDER + value: "{{ .Values.did.didSigningProvider }}" + - name: DGC_DID_LDPROOFVERIFICATIONMETHOD + value: "{{ index .Values.did "ld-proof-verification-method" }}" + - name: DGC_DID_DIDID + value: "{{ index .Values.did "did-id" }}" + - name: DGC_DID_TRUSTLISTPATH + value: "{{ index .Values.did "trust-list-path" }}" + - name: DGC_DID_TRUSTLISTREFPATH + value: "{{ index .Values.did "trust-list-ref-path" }}" + - name: DGC_DID_DIDCONTROLLER + value: "{{ index .Values.did "did-controller" }}" + - name: DGC_DID_LOCALKEYSTORE_ALIAS + value: {{ .Values.did.localKeyStore.alias | quote }} + - name: DGC_DID_LOCALKEYSTORE_PASSWORD + value: {{ .Values.did.localKeyStore.password | quote }} + - name: DGC_DID_LOCALKEYSTORE_PATH + value: {{ .Values.did.localKeyStore.path | quote }} + {{- range $key, $value := .Values.did.virtualCountries }} + - name: DGC_DID_VIRTUALCOUNTRIES_{{ 
$key | toString | upper }} + value: "{{ $value }}" + {{- end }} + - name: DGC_DID_GROUPDENYLIST + value: "{{ join "," (index .Values.did "group-deny-list") }}" + {{- range $key, $value := index .Values.did "group-name-mapping" }} + - name: DGC_DID_GROUPNAMEMAPPING_{{ $key | toString | upper }} + value: "{{ $value }}" + {{- end }} + {{- end }} + volumeMounts: + - name: secrets-jks + mountPath: /certs + readOnly: true + - name: did-signing + mountPath: /didcerts + readOnly: true + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: secrets-jks + secret: + secretName: mtls-secret + items: + - key: tls_key_store.p12 + path: tls_key_store.p12 + - key: trustanchor_store.jks + path: trustanchor_store.jks + - key: tng_tls_server_truststore.p12 + path: tng_tls_server_truststore.p12 + - name: did-signing + secret: + secretName: did-signer-secret + items: + - key: did-signer.p12 + path: did-signer.p12 + diff --git a/k8s/helm/tngkds/templates/did-signer-secret.yaml b/k8s/helm/tngkds/templates/did-signer-secret.yaml index a1918d9..2807116 100644 --- a/k8s/helm/tngkds/templates/did-signer-secret.yaml +++ b/k8s/helm/tngkds/templates/did-signer-secret.yaml @@ -4,5 +4,5 @@ metadata: name: did-signer-secret namespace: {{ .Release.Namespace }} data: - did-signer.p12: {{ .Values.secrets.didSigner }} + did-signer.p12: {{ .Values.secrets.didSigner }} type: Opaque diff --git a/k8s/helm/tngkds/templates/mtls-secret.yaml b/k8s/helm/tngkds/templates/mtls-secret.yaml index 44fa91f..edd35cd 100644 --- a/k8s/helm/tngkds/templates/mtls-secret.yaml +++ b/k8s/helm/tngkds/templates/mtls-secret.yaml 
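Review bot: Secret material is injected as plain `value:` strings in the `env:` list — `SPRING_DATASOURCE_PASSWORD`, the `*_STORE_PASSWORD` and `TRUST_ANCHOR_PASSWORD` variables, `DGC_DID_LOCALKEYSTORE_PASSWORD` and `DGC_DID_GIT_PAT` — so they end up in the rendered Deployment spec and the Helm release record, readable by anyone with `get deployments` in the namespace or `helm get values`. The keystore files already come from `mtls-secret` and `did-signer-secret`; the passwords and the Git PAT should come from a Secret too, via `valueFrom.secretKeyRef`, as in the excerpt below. Separately, `imagePullSecrets:` renders `- name: {{ .Values.imagePullSecrets }}` from a scalar, while the renamed `values-local.yaml` in this commit sets `imagePullSecrets: []`, which renders to `- name: []` and is rejected by the API server; guard it with `{{- with .Values.imagePullSecrets }}` or make the value a list and `toYaml` it. Unquoted entries such as `value: {{ .Values.spring.profile }}` and `value: {{ .Values.gateway.connector.endpoint }}` become YAML null when the value is empty, so pipe them through `| quote` like the neighbouring entries.
```yaml
            - name: SPRING_DATASOURCE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: <db-credentials-secret>  # placeholder: Secret created outside the chart or by a new template
                  key: password                   # constructed key name, align with the Secret you create
            # … unchanged: remaining env entries; apply the same pattern to the other *_PASSWORD variables and DGC_DID_GIT_PAT …
```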
@@ -4,7 +4,7 @@ metadata: name: mtls-secret namespace: {{ .Release.Namespace }} data: - tls_key_store.p12: {{ .Values.secrets.mtls.tlsKeyStore }} + tls_key_store.p12: {{ .Values.secrets.mtls.tlsKeyStore }} tng_tls_server_truststore.p12: {{ .Values.secrets.mtls.tlsServerTrustStore }} - trustanchor_store.jks: {{ .Values.secrets.mtls.tlsTrustAnchorStore }} -type: Opaque \ No newline at end of file + trustanchor_store.jks: {{ .Values.secrets.mtls.tlsTrustAnchorStore }} +type: Opaque diff --git a/k8s/helm/tngkds/charts/tngkds-backend/templates/service.yaml b/k8s/helm/tngkds/templates/service.yaml similarity index 66% rename from k8s/helm/tngkds/charts/tngkds-backend/templates/service.yaml rename to k8s/helm/tngkds/templates/service.yaml index b41452a..ebf38df 100644 --- a/k8s/helm/tngkds/charts/tngkds-backend/templates/service.yaml +++ b/k8s/helm/tngkds/templates/service.yaml @@ -1,19 +1,19 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ include "tngkds-backend.fullname" . }}-service - labels: - {{- include "tngkds-backend.labels" . | nindent 4 }} - namespace: {{ .Release.Namespace }} -spec: - type: {{ .Values.service.type }} - ports: - {{ range .Values.service.ports }} - - port: {{ .port }} - targetPort: {{ .targetPort | int}} - nodePort: {{ .nodePort }} - protocol: {{ .protocol }} - name: {{ .name }} - {{ end }} - selector: - {{- include "tngkds-backend.selectorLabels" . | nindent 4 }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "tngkds.fullname" . }}-service + labels: + {{- include "tngkds.labels" . | nindent 4 }} + namespace: {{ .Release.Namespace }} +spec: + type: {{ .Values.service.type }} + ports: + {{ range .Values.service.ports }} + - port: {{ .port }} + targetPort: {{ .targetPort | int}} + nodePort: {{ .nodePort }} + protocol: {{ .protocol }} + name: {{ .name }} + {{ end }} + selector: + {{- include "tngkds.selectorLabels" . | nindent 4 }} 
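Review bot: `nodePort: {{ .nodePort }}` is emitted for every port regardless of `service.type`, so switching `service.type` to `ClusterIP` (the usual choice when the KDS sits behind an ingress) makes the API server reject the Service, because `nodePort` may only be set for `NodePort` and `LoadBalancer` services; wrap it as `{{- if .nodePort }}` / `nodePort: {{ .nodePort }}` / `{{- end }}`. While `targetPort` is coerced with `| int`, `port` and `nodePort` are not, so a quoted value in a values file renders as a string and fails validation. The default `type: NodePort` with `nodePort: 30166` in both values files exposes the service on every node's address; that suits the minikube setup the values comments describe, but it should not be the default of the non-local `values.yaml`.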
diff --git a/k8s/helm/tngkds/templates/tng-distribution-pull-secret.yaml b/k8s/helm/tngkds/templates/tng-distribution-pull-secret.yaml index a0e8869..e984041 100644 --- a/k8s/helm/tngkds/templates/tng-distribution-pull-secret.yaml +++ b/k8s/helm/tngkds/templates/tng-distribution-pull-secret.yaml @@ -4,5 +4,5 @@ metadata: name: tng-distribution-pull-secret namespace: {{ .Release.Namespace }} data: - .dockerconfigjson: {{ .Values.secrets.dockerPull }} -type: kubernetes.io/dockerconfigjson \ No newline at end of file + .dockerconfigjson: {{ .Values.secrets.dockerPull }} +type: kubernetes.io/dockerconfigjson diff --git a/k8s/helm/tngkds/templates/truststore-secret.yaml b/k8s/helm/tngkds/templates/truststore-secret.yaml index a9ce58d..ac4e6ac 100644 --- a/k8s/helm/tngkds/templates/truststore-secret.yaml +++ b/k8s/helm/tngkds/templates/truststore-secret.yaml @@ -4,5 +4,5 @@ metadata: name: truststore-secret namespace: {{ .Release.Namespace }} data: - tls_trust_store.jks: {{ .Values.secrets.trustStore }} -type: Opaque \ No newline at end of file + tls_trust_store.jks: {{ .Values.secrets.trustStore }} +type: Opaque diff --git a/k8s/helm/tngkds/charts/tngkds-backend/values-local.yaml b/k8s/helm/tngkds/values-local.yaml similarity index 85% rename from k8s/helm/tngkds/charts/tngkds-backend/values-local.yaml rename to k8s/helm/tngkds/values-local.yaml index a2d6ed5..3b2fbf3 100644 --- a/k8s/helm/tngkds/charts/tngkds-backend/values-local.yaml +++ b/k8s/helm/tngkds/values-local.yaml 
@@ -1,111 +1,120 @@ -# Default values for tngkds-backend. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -replicaCount: 1 - -image: - # Create this image before your local installing with: "docker build -t kds:0.0.1" and load - # this image into your local minikube cluster with: "minikube image load kds:0.0.1" - repository: kds:0.0.1 - pullPolicy: IfNotPresent - # Overrides the image tag whose default is the chart appVersion. - tag: "" - -imagePullSecrets: [] -nameOverride: "" -fullnameOverride: "" - -serviceAccount: - # Specifies whether a service account should be created - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" - -podAnnotations: {} - -podSecurityContext: {} - # fsGroup: 2000 - -securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 - -service: - type: NodePort - ports: - - name: http - port: 8080 - targetPort: 8080 - nodePort: 30166 - protocol: TCP - -ingress: - enabled: false - className: "" - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: chart-example.local - paths: - - path: / - pathType: ImplementationSpecific - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
- # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 100 - targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 - -nodeSelector: {} - -tolerations: [] - -affinity: {} - -# H2 -db: - driverclass: org.h2.Driver - plattform: org.hibernate.dialect.H2Dialect - url: jdbc:h2:mem:dgc;DB_CLOSE_ON_EXIT=FALSE;DB_CLOSE_DELAY=-1; - username: sa - password: '' - -# ConfigMap -configMap: - data: - host: localhost - dbName: postgres - -# Spring -spring: - profile: cloud - -# Server port -server: - port: 8080 +# Default values for tngkds. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +image: + # Create this image before your local installing with: "docker build -t kds:0.0.1" and load + # this image into your local minikube cluster with: "minikube image load kds:0.0.1" + repository: kds:0.0.1 + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "" + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. 
+ # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +service: + type: NodePort + ports: + - name: http + port: 8080 + targetPort: 8080 + nodePort: 30166 + protocol: TCP + +ingress: + enabled: false + className: "" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# H2 +db: + driverclass: org.h2.Driver + plattform: org.hibernate.dialect.H2Dialect + url: jdbc:h2:mem:dgc;DB_CLOSE_ON_EXIT=FALSE;DB_CLOSE_DELAY=-1; + username: sa + password: '' + +# ConfigMap +configMap: + data: + host: localhost + dbName: postgres + +# Spring +spring: + profile: cloud + +# Server port +server: + port: 8080 + +secrets: # Below are all b64 encoded + didSigner: + dockerPull: + trustStore: + mtls: + tlsKeyStore: + tlsServerTrustStore: + tlsTrustAnchorStore: diff --git a/k8s/helm/tngkds/values.yaml b/k8s/helm/tngkds/values.yaml index 4a785c0..f8636e3 100644 
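Review bot: The new `secrets:` block uses bare keys (`didSigner:`, `dockerPull:`, `trustStore:` and the three `mtls` entries), which YAML reads as null; the secret templates interpolate them unquoted into `data:`, so a default render produces `did-signer.p12: ` with no value, and a forgotten entry fails only at apply time rather than at `helm template`. Make the requirement explicit with `didSigner: ""` in the values and `{{ required "secrets.didSigner (base64) must be set" .Values.secrets.didSigner }}` in the templates, and keep the real base64 blobs out of this tracked file (supply them with `--set-file` or an untracked values file). Also, `repository: kds:0.0.1` already contains the tag while `tag: ""`, and the deployment builds the image reference as `"{{ .Values.image.repository }}:{{ .Values.image.tag }}"`, which yields `kds:0.0.1:` with a trailing colon — an invalid image reference; set `repository: kds` and `tag: "0.0.1"`.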
--- a/k8s/helm/tngkds/values.yaml +++ b/k8s/helm/tngkds/values.yaml 
@@ -2,50 +2,182 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
-tngkds-postgres:
- path: /()(*)
- port: 5432
-
- asPod:
- enabled: false # run db as Service or Pod,set in conjunction with tngkds-backend
-
-tngkds-backend:
- image:
- tag:
- liquibaseImage:
- tag:
- path: /()(*)
+replicaCount: 1
+
+image:
+ # Create this image before your local installing with: "docker build -t kds:0.0.1" and load
+ # this image into your local minikube cluster with: "minikube image load kds:0.0.1"
+ repository: ghcr.io/worldhealthorganization/tng-key-distribution/tng-key-distribution
+ pullPolicy: IfNotPresent
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: "0.0.1-d890889" #"0.0.1-2840d04"
+
+#kubectl -n create secret docker-registry --docker-server=ghcr.io --docker-username= --docker-password= --docker-email= -o yaml
+#kubectl -n kds create secret docker-registry tng-distribution-pull-secret --docker-server=ghcr.io --docker-username=anonymous --docker-password= --docker-email=anonymous@example.com -o yaml
+imagePullSecrets: tng-distribution-pull-secret
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+
+podAnnotations: {}
+
+podSecurityContext:
+ {}
+ # fsGroup: 2000
+
+securityContext:
+ {}
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+
+service:
+ type: NodePort
+ ports:
+ - name: http
+ port: 8080
+ targetPort: 8080
+ nodePort: 30166
+ protocol: TCP
+
+ingress:
+ enabled: false
+ className: ""
+ annotations:
+ {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ hosts:
+ - host: chart-example.local
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+
+resources:
+ {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 100
+ targetCPUUtilizationPercentage: 80
+ # targetMemoryUtilizationPercentage: 80
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+# H2
+db:
+ driverclass: org.h2.Driver
+ plattform: org.hibernate.dialect.H2Dialect
+ url: jdbc:h2:mem:dgc;DB_CLOSE_ON_EXIT=FALSE;DB_CLOSE_DELAY=-1;
+ username: sa
+ password: ''
+
+# ConfigMap
+# configMap:
+# data:
+# host: localhost
+# dbName: postgres
+
+# Spring
+spring:
+ profile: cloud
+
+# Server port
+server:
 port: 8080
- db:
- driverclass: org.h2.Driver
- plattform: org.hibernate.dialect.H2Dialect
- url: jdbc:h2:mem:dgc;DB_CLOSE_ON_EXIT=FALSE;DB_CLOSE_DELAY=-1;
- username: sa
- password: ''
- gateway:
- connector:
- enabled: true
- endpoint:
- proxy:
- enabled: false
- max-cache-age: 300
- tls_trust_store: #CA of TNG Gateway of TLS certificate
- alias: tng-tls-server-certificate
- password:
- path: /certs/tng_tls_server_truststore.p12
- tls_key_store: # client cert key pair of participant
- alias: clientcredentials
- password:
- path: /certs/tls_key_store.p12
- trust_anchor: # TA pem file of TNG that was used for signing
- alias: trustanchor
- password:
- path: /certs/trustanchor_store.jks
- secrets: # Below are all b64 encoded
- didSigner:
- dockerPull:
- trustStore:
- mtls:
- tlsKeyStore:
- tlsServerTrustStore:
- tlsTrustAnchorStore:
\ No newline at end of file
+
+# Smart TN Gateway
+gateway:
+ connector:
+ enabled: true
+ endpoint:
+ proxy:
+ enabled: false
+ max-cache-age: 300
+ tls_trust_store: #CA of TNG Gateway of TLS certificate
+ alias:
+ password:
+ path:
+ tls_key_store: # client cert key pair of participant
+ alias:
+ password:
+ path:
+ trust_anchor: # TA pem file of TNG that was used for signing
+ alias:
+ password:
+ path:
+did:
+ cron: "*/10 * * * * *"
+ enableDidGeneration: true
+ didUploadProvider: local-file
+ localFile:
+ directory: /tmp/kdsgitworkdir/tng-cdn-dev/v2.0.0
+ file-name: did.json
+ git:
+ workdir: /tmp/kdsgituploader # oon clonind will checkout e.g. tng-cdn-dev
+ prefix: v2.0.0 #for copy action into git workdir from local file exporter path
+ url: https://github.com/WorldHealthOrganization/tng-cdn-dev
+ pat:
+ didSigningProvider: local-keystore
+ localKeyStore:
+ alias: did-signer
+ password: secure-password
+ path:
+ ld-proof-verification-method: did:web:dummy.net
+ did-id: did:web:worldhealthorganization.github.io:tng-cdn-dev:v2.0.0
+ trust-list-path: trustlist
+ trust-list-ref-path: trustlist-ref
+ did-controller: did:web:worldhealthorganization.github.io:tng-cdn-dev:v2.0.0
+ contextMapping:
+ "[https://www.w3.org/ns/did/v1]": did_v1.json
+ "[https://w3id.org/security/suites/jws-2020/v1]": jws-2020_v1.json
+ virtualCountries:
+ XA: XXA
+ XB: XXB
+ XO: XXO
+ XL: XCL
+ EU: XEU
+ group-deny-list:
+ - UPLOAD
+ - AUTHENTICATION
+ group-name-mapping:
+ CSCA: SCA
+
+secrets: # Below are all b64 encoded
+ didSigner:
+ dockerPull:
+ trustStore:
+ mtls:
+ tlsKeyStore:
+ tlsServerTrustStore:
+ tlsTrustAnchorStore:
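Review bot: `password: secure-password` under `did.localKeyStore` commits a default password for the DID-signing keystore into values.yaml, next to the empty `git.pat:` and `secrets.didSigner:` placeholders, so an install that only fills in the secrets block presumably still opens the signer keystore with a published value. Make both fields empty by default and source them from a Secret — `password: ""  # REQUIRED: set from a Secret, never commit` and `pat: ""  # REQUIRED: GitHub token with push rights to the CDN repo` — and have the template `required` them so a missing value fails the render instead of silently falling back. `service.type: NodePort` with a fixed `nodePort: 30166` also exposes the endpoint on every node by default while `ingress.enabled` is false; `ClusterIP` is the safer default for a key-distribution service, with NodePort left to the minikube setup the image comments describe. The commented-out `securityContext` hardening (`runAsNonRoot: true`, `capabilities.drop: [ALL]`, `readOnlyRootFilesystem: true`) should be enabled, with a writable `emptyDir` for the git workdir under `/tmp/kdsgituploader` if the root filesystem goes read-only. `ld-proof-verification-method: did:web:dummy.net` is likewise a placeholder that would end up in the published DID document's proof and should be empty and required as well.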