Merge pull request #37 from catenax-ng/feature/CXAR-921-agent-plane-qg5

chore: provide enough documentation and config to allow for a simple chart test

DEPENDENCIES

@@ -213,8 +213,8 @@ maven/mavencentral/org.eclipse.jetty/jetty-servlet/11.0.15, EPL-2.0 OR Apache-2.
 maven/mavencentral/org.eclipse.jetty/jetty-util/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
 maven/mavencentral/org.eclipse.jetty/jetty-webapp/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
 maven/mavencentral/org.eclipse.jetty/jetty-xml/11.0.15, EPL-2.0 OR Apache-2.0, approved, rt.jetty
-maven/mavencentral/org.eclipse.tractusx.agents.edc.agent-plane/agent-plane-protocol/1.9.5-SNAPSHOT, Apache-2.0, approved, automotive.tractusx
-maven/mavencentral/org.eclipse.tractusx.edc/auth-jwt/1.9.5-SNAPSHOT, Apache-2.0, approved, automotive.tractusx
+maven/mavencentral/org.eclipse.tractusx.agents.edc.agent-plane/agent-plane-protocol/1.9.5-20230831.070321-5, Apache-2.0, approved, automotive.tractusx
+maven/mavencentral/org.eclipse.tractusx.edc/auth-jwt/1.9.5-20230831.070252-7, Apache-2.0, approved, automotive.tractusx
 maven/mavencentral/org.eclipse.tractusx.edc/core-spi/0.5.0, Apache-2.0, approved, automotive.tractusx
 maven/mavencentral/org.eclipse.tractusx.edc/edc-dataplane-azure-vault/0.5.0, Apache-2.0, approved, automotive.tractusx
 maven/mavencentral/org.eclipse.tractusx.edc/edc-dataplane-base/0.5.0, Apache-2.0, approved, automotive.tractusx

charts/agent-connector-azure-vault/Chart.yaml

@@ -42,7 +42,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.9.7-SNAPSHOT
+version: 1.9.8-SNAPSHOT
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.

charts/agent-connector-azure-vault/README.md

@@ -20,7 +20,7 @@
 
 # agent-connector-azure-vault
 
-![Version: 1.9.7-SNAPSHOT](https://img.shields.io/badge/Version-1.9.7--SNAPSHOT-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.5-SNAPSHOT](https://img.shields.io/badge/AppVersion-1.9.5--SNAPSHOT-informational?style=flat-square)
+![Version: 1.9.8-SNAPSHOT](https://img.shields.io/badge/Version-1.9.8--SNAPSHOT-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.5-SNAPSHOT](https://img.shields.io/badge/AppVersion-1.9.5--SNAPSHOT-informational?style=flat-square)
 
 A Helm chart for an Agent-Enabled Tractus-X Eclipse Data Space Connector configured against Azure Vault. This is a variant of [the Tractus-X Azure Vault Connector Helm Chart](https://github.com/eclipse-tractusx/tractusx-edc/tree/main/charts/tractusx-connector-azure-vault) which allows
 to deal with several data (and agent) planes. The connector deployment consists of at least two runtime consists of a
@@ -46,6 +46,15 @@ You should set your BPNL in the folloing property:
 - 'vault.azure.tenant': Id of the subscription that the vault runs into
 - 'vault.azure.secret' or 'vault.azure.certificate': the secret/credential to use when interacting with Azure Vault
 
+### Setting up the transfer token encryption
+
+Transfer tokens handed out from the provider to the consumer should be signed and encrypted. For that purpose
+you should setup a private/public certificate as well as a symmetric AES key.
+
+- 'vault.secretNames.transferProxyTokenSignerPrivateKey':
+- 'vault.secretNames.transferProxyTokenSignerPublicKey':
+- 'vault.secretNames.transferProxyTokenEncryptionAesKey':
+
 ## Setting up SSI
 
 ### Preconditions
@@ -103,7 +112,7 @@ Combined, run this shell command to start the in-memory Tractus-X EDC runtime:
 
 ```shell
 helm repo add eclipse-tractusx https://eclipse-tractusx.github.io/charts/dev
-helm install my-release eclipse-tractusx/agent-connector-azure-vault --version 1.9.7-SNAPSHOT\
+helm install my-release eclipse-tractusx/agent-connector-azure-vault --version 1.9.8-SNAPSHOT\
      -f <path-to>/tractusx-connector-azure-vault-test.yaml \
      --set vault.azure.name=$AZURE_VAULT_NAME \
      --set vault.azure.client=$AZURE_CLIENT_ID \
@@ -222,7 +231,7 @@ helm install my-release eclipse-tractusx/agent-connector-azure-vault --version 1
 | controlplane.ssi.miw.authorityId | string | `""` | The BPN of the issuer authority |
 | controlplane.ssi.miw.url | string | `""` | MIW URL |
 | controlplane.ssi.oauth.client.id | string | `""` | The client ID for KeyCloak |
-| controlplane.ssi.oauth.client.secretAlias | string | `"client-secret"` | The alias under which the client secret is stored in the vault. |
+| controlplane.ssi.oauth.client.secretAlias | string | `""` | The alias under which the client secret is stored in the vault. |
 | controlplane.ssi.oauth.tokenurl | string | `""` | The URL (of KeyCloak), where access tokens can be obtained |
 | controlplane.tolerations | list | `[]` |  |
 | controlplane.url.protocol | string | `""` | Explicitly declared url for reaching the dsp api (e.g. if ingresses not used) |
@@ -344,7 +353,7 @@ helm install my-release eclipse-tractusx/agent-connector-azure-vault --version 1
 | networkPolicy.dataplane.from | list | `[{"namespaceSelector":{}}]` | Specify from rule network policy for dp (defaults to all namespaces) |
 | networkPolicy.enabled | bool | `false` | If `true` network policy will be created to restrict access to control- and dataplane |
 | participant.id | string | `""` | BPN Number |
-| postgresql | object | `{"auth":{"database":"edc","password":"password","username":"user"},"jdbcUrl":"jdbc:postgresql://postgresql:5432/edc","primary":{"persistence":{"enabled":false}},"readReplicas":{"persistence":{"enabled":false}}}` | Standard settings for persistence, "jdbcUrl", "username" and "password" need to be overridden |
+| postgresql | object | `{"auth":{"database":"edc","password":"password","username":"user"},"jdbcUrl":"jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc","primary":{"persistence":{"enabled":false}},"readReplicas":{"persistence":{"enabled":false}}}` | Standard settings for persistence, "jdbcUrl", "username" and "password" need to be overridden |
 | serviceAccount.annotations | object | `{}` |  |
 | serviceAccount.create | bool | `true` |  |
 | serviceAccount.imagePullSecrets | list | `[]` | Existing image pull secret bound to the service account to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry) |
@@ -356,7 +365,7 @@ helm install my-release eclipse-tractusx/agent-connector-azure-vault --version 1
 | vault.azure.name | string | `""` |  |
 | vault.azure.secret | string | `nil` |  |
 | vault.azure.tenant | string | `""` |  |
-| vault.secretNames.transferProxyTokenEncryptionAesKey | string | `"transfer-proxy-token-encryption-aes-key"` |  |
+| vault.secretNames.transferProxyTokenEncryptionAesKey | string | `nil` |  |
 | vault.secretNames.transferProxyTokenSignerPrivateKey | string | `nil` |  |
 | vault.secretNames.transferProxyTokenSignerPublicKey | string | `nil` |  |
 

charts/agent-connector-azure-vault/README.md.gotmpl

@@ -44,6 +44,15 @@ You should set your BPNL in the folloing property:
 - 'vault.azure.tenant': Id of the subscription that the vault runs into
 - 'vault.azure.secret' or 'vault.azure.certificate': the secret/credential to use when interacting with Azure Vault
 
+### Setting up the transfer token encryption
+
+Transfer tokens handed out from the provider to the consumer should be signed and encrypted. For that purpose
+you should setup a private/public certificate as well as a symmetric AES key.
+
+- 'vault.secretNames.transferProxyTokenSignerPrivateKey': 
+- 'vault.secretNames.transferProxyTokenSignerPublicKey':
+- 'vault.secretNames.transferProxyTokenEncryptionAesKey':
+
 ## Setting up SSI
 
 ### Preconditions

charts/agent-connector-azure-vault/ci/integration-values.yaml

@@ -0,0 +1,57 @@
+#
+#  Copyright (c) 2023 T-Systems International GmbH
+#  Copyright (c) 2023 ZF Friedrichshafen AG
+#  Copyright (c) 2023 Mercedes-Benz Tech Innovation GmbH
+#  Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+#  Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation
+#
+#  See the NOTICE file(s) distributed with this work for additional
+#  information regarding copyright ownership.
+#
+#  This program and the accompanying materials are made available under the
+#  terms of the Apache License, Version 2.0 which is available at
+#  https://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+#
+#  SPDX-License-Identifier: Apache-2.0
+#
+
+install:
+  postgresql: true
+
+controlplane:
+  endpoints:
+    management:
+      authKey: "bla"
+  ssi:
+    miw:
+      url: "https://managed-identity-wallets.int"
+      authorityId: "BPNL0000000DUMMY"
+    oauth:
+      tokenurl: "https://keycloak/auth/realms/REALM/protocol/openid-connect/token"
+      client:
+        id: "serviceaccount"
+        secretAlias: "miw-secret"
+
+vault:
+  azure:
+    name: "AZURE_NAME"
+    tenant: "AZURE_TENANT"
+    client: "AZURE_CLIENT"
+    secret: "AZURE_SECRET"
+  hashicorp:
+    url: "https://vault.demo"
+    token: "VAULT_TOKEN"
+    paths:
+      secret: "/v1/secrets"
+  secretNames:
+    transferProxyTokenSignerPrivateKey: "key"
+    transferProxyTokenSignerPublicKey: "cert"
+    transferProxyTokenEncryptionAesKey: "symmetric-key"
+participant:
+  id: "BPNL0000000DUMMY"

charts/agent-connector-azure-vault/templates/deployment-controlplane.yaml

@@ -176,7 +176,7 @@ spec:
             - name: "EDC_DATASOURCE_ASSET_PASSWORD"
               value: {{ .Values.postgresql.auth.password | required ".Values.postgresql.auth.password is required" | quote }}
             - name: "EDC_DATASOURCE_ASSET_URL"
-              value: {{ .Values.postgresql.jdbcUrl | quote }}
+              value: {{ tpl .Values.postgresql.jdbcUrl . | quote }}
 
             # see extension https://github.com/eclipse-edc/Connector/tree/main/extensions/control-plane/store/sql/contract-definition-store-sql
             - name: "EDC_DATASOURCE_CONTRACTDEFINITION_NAME"

charts/agent-connector-azure-vault/templates/tests/test-dataplane-readiness.yaml

@@ -19,7 +19,7 @@
 {{- $root := . -}}
 {{- $allcommands := (dict "commands" (list)) -}}
 {{- range $dataplane_name, $dataplane := .Values.dataplanes -}}
-{{- printf "curl http://%s-%s:%v%s/check/readiness" $dataplane.name (include "txdc.fullname" $root ) $dataplane.endpoints.default.port $dataplane.endpoints.default.path  | append $allcommands.commands | set $allcommands "commands" -}}
+{{- printf "curl http://%s-%s:%v%s/check/readiness" (include "txdc.fullname" $root ) $dataplane.name $dataplane.endpoints.default.port $dataplane.endpoints.default.path  | append $allcommands.commands | set $allcommands "commands" -}}
 {{- end }}
 
 ---
@@ -36,6 +36,6 @@ spec:
   containers:
     - name: wget
       image: curlimages/curl
-      command: [ '/bin/bash','-c' ]
+      command: [ '/bin/sh','-c' ]
       args: [ {{ join "&&" $allcommands.commands | quote }} ]
   restartPolicy: Never

charts/agent-connector-azure-vault/values.yaml

@@ -134,7 +134,7 @@ controlplane:
         # -- The client ID for KeyCloak
         id: ""
         # -- The alias under which the client secret is stored in the vault.
-        secretAlias: "client-secret"
+        secretAlias: ""
 
   service:
     # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service.
@@ -561,7 +561,7 @@ dataplanes:
 
 # -- Standard settings for persistence, "jdbcUrl", "username" and "password" need to be overridden
 postgresql:
-  jdbcUrl: "jdbc:postgresql://postgresql:5432/edc"
+  jdbcUrl: "jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc"
   primary:
     persistence:
       enabled: false
@@ -579,11 +579,10 @@ vault:
     tenant: ""
     secret:
     certificate:
-
   secretNames:
     transferProxyTokenSignerPrivateKey:
     transferProxyTokenSignerPublicKey:
-    transferProxyTokenEncryptionAesKey: transfer-proxy-token-encryption-aes-key
+    transferProxyTokenEncryptionAesKey:
 
 backendService:
   httpProxyTokenReceiverUrl: ""

charts/agent-connector-memory/Chart.yaml

@@ -42,7 +42,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.9.7-SNAPSHOT
+version: 1.9.8-SNAPSHOT
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.

charts/agent-connector-memory/README.md

@@ -20,7 +20,7 @@
 
 # agent-connector-memory
 
-![Version: 1.9.7-SNAPSHOT](https://img.shields.io/badge/Version-1.9.7--SNAPSHOT-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.5-SNAPSHOT](https://img.shields.io/badge/AppVersion-1.9.5--SNAPSHOT-informational?style=flat-square)
+![Version: 1.9.8-SNAPSHOT](https://img.shields.io/badge/Version-1.9.8--SNAPSHOT-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.5-SNAPSHOT](https://img.shields.io/badge/AppVersion-1.9.5--SNAPSHOT-informational?style=flat-square)
 
 A Helm chart for an Agent-Enabled Tractus-X Eclipse Data Space Connector using In-Memory Persistence. This is a variant of [the Tractus-X In-Memory Connector Helm Chart](https://github.com/eclipse-tractusx/tractusx-edc/tree/main/charts/tractusx-connector-memory) which allows
 to deal with several data (and agent) planes. The connector deployment consists of at least two runtime consists of a
@@ -40,9 +40,19 @@ You should set your BPNL in the folloing property:
 
 ## Setting up Hashicorp Vault
 
-You should set your BPNL in the folloing property:
+You should set configure access to required secrets as follows:
 - 'vault.hashicorp.url': URL of the vault API
 - 'vault.hashicorp.token': A valid, generated access token.
+- 'vault.hashicorp.paths.secret': Api path to the folder hosting the secrets (usually prepended with /v1)
+
+### Setting up the transfer token encryption
+
+Transfer tokens handed out from the provider to the consumer should be signed and encrypted. For that purpose
+you should setup a private/public certificate as well as a symmetric AES key.
+
+- 'vault.secretNames.transferProxyTokenSignerPrivateKey':
+- 'vault.secretNames.transferProxyTokenSignerPublicKey':
+- 'vault.secretNames.transferProxyTokenEncryptionAesKey':
 
 ## Setting up SSI
 
@@ -98,7 +108,7 @@ Combined, run this shell command to start the in-memory Tractus-X EDC runtime:
 
 ```shell
 helm repo add eclipse-tractusx https://eclipse-tractusx.github.io/charts/dev
-helm install my-release eclipse-tractusx/agent-connector --version 1.9.7-SNAPSHOT
+helm install my-release eclipse-tractusx/agent-connector --version 1.9.8-SNAPSHOT
 ```
 
 ## Maintainers
@@ -212,7 +222,7 @@ helm install my-release eclipse-tractusx/agent-connector --version 1.9.7-SNAPSHO
 | controlplane.ssi.miw.authorityId | string | `""` | The BPN of the issuer authority |
 | controlplane.ssi.miw.url | string | `""` | MIW URL |
 | controlplane.ssi.oauth.client.id | string | `""` | The client ID for KeyCloak |
-| controlplane.ssi.oauth.client.secretAlias | string | `"client-secret"` | The alias under which the client secret is stored in the vault. |
+| controlplane.ssi.oauth.client.secretAlias | string | `""` | The alias under which the client secret is stored in the vault. |
 | controlplane.ssi.oauth.tokenurl | string | `""` | The URL (of KeyCloak), where access tokens can be obtained |
 | controlplane.tolerations | list | `[]` |  |
 | controlplane.url.protocol | string | `""` | Explicitly declared url for reaching the dsp api (e.g. if ingresses not used) |
@@ -340,7 +350,14 @@ helm install my-release eclipse-tractusx/agent-connector --version 1.9.7-SNAPSHO
 | serviceAccount.name | string | `""` |  |
 | tests | object | `{"hookDeletePolicy":"before-hook-creation,hook-succeeded"}` | Configurations for Helm tests |
 | tests.hookDeletePolicy | string | `"before-hook-creation,hook-succeeded"` | Configure the hook-delete-policy for Helm tests |
-| vault | object | `{"hashicorp":{"healthCheck":{"enabled":true,"standbyOk":true},"paths":{"health":"/v1/sys/health","secret":"/v1/secret"},"timeout":30,"token":"","url":"http://{{ .Release.Name }}-vault:8200"},"injector":{"enabled":false},"secretNames":{"transferProxyTokenEncryptionAesKey":"transfer-proxy-token-encryption-aes-key","transferProxyTokenSignerPrivateKey":null,"transferProxyTokenSignerPublicKey":null},"server":{"dev":{"devRootToken":"root","enabled":true},"postStart":null}}` | Standard settings for persistence, "jdbcUrl", "username" and "password" need to be overridden |
+| vault | object | `{"hashicorp":{"healthCheck":{"enabled":true,"standbyOk":true},"paths":{"health":"/v1/sys/health","secret":"/v1/secret"},"timeout":30,"token":"","url":"http://{{ .Release.Name }}-vault:8200"},"injector":{"enabled":false},"secretNames":{"transferProxyTokenEncryptionAesKey":null,"transferProxyTokenSignerPrivateKey":null,"transferProxyTokenSignerPublicKey":null},"server":{"dev":{"devRootToken":"root","enabled":true},"postStart":null}}` | Standard settings for persistence, "jdbcUrl", "username" and "password" need to be overridden |
+| vault.hashicorp.paths.health | string | `"/v1/sys/health"` | Default health api |
+| vault.hashicorp.paths.secret | string | `"/v1/secret"` | Path to secrets needs to be changed if install.vault=false |
+| vault.hashicorp.token | string | `""` | Access token to the vault service needs to be changed if install.vault=false |
+| vault.hashicorp.url | string | `"http://{{ .Release.Name }}-vault:8200"` | URL to the vault service, needs to be changed if install.vault=false |
+| vault.secretNames.transferProxyTokenEncryptionAesKey | string | `nil` | encrypt handed out tokens with this symmetric key |
+| vault.secretNames.transferProxyTokenSignerPrivateKey | string | `nil` | sign handed out tokens with this key |
+| vault.secretNames.transferProxyTokenSignerPublicKey | string | `nil` | sign handed out tokens with this certificate |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)

charts/agent-connector-memory/README.md.gotmpl

@@ -38,9 +38,19 @@ You should set your BPNL in the folloing property:
 
 ## Setting up Hashicorp Vault
 
-You should set your BPNL in the folloing property:
+You should set configure access to required secrets as follows:
 - 'vault.hashicorp.url': URL of the vault API
 - 'vault.hashicorp.token': A valid, generated access token.
+- 'vault.hashicorp.paths.secret': Api path to the folder hosting the secrets (usually prepended with /v1)
+
+### Setting up the transfer token encryption
+
+Transfer tokens handed out from the provider to the consumer should be signed and encrypted. For that purpose
+you should setup a private/public certificate as well as a symmetric AES key.
+
+- 'vault.secretNames.transferProxyTokenSignerPrivateKey': 
+- 'vault.secretNames.transferProxyTokenSignerPublicKey':
+- 'vault.secretNames.transferProxyTokenEncryptionAesKey':
 
 ## Setting up SSI
 
@@ -58,7 +68,6 @@ You should set your BPNL in the folloing property:
 - store your KeyCloak client secret in the HashiCorp vault. The exact procedure will depend on your deployment of HashiCorp Vault and
   is out of scope of this document. But by default, Tractus-X EDC expects to find the secret under `secret/client-secret`.
 
-
 ### Configure the chart
 
 Be sure to provide the following configuration entries to your Tractus-X EDC Helm chart: