From df22f3efc0a81d2eeb4b115c2dcfb2ecf8d1dee6 Mon Sep 17 00:00:00 2001 From: Simon Bergerfurth Date: Tue, 16 Jun 2026 09:40:52 +0200 Subject: [PATCH 01/12] feat(helm): change vault secrets to be generated on deployment --- .../templates/configmap-vault-init.yaml | 140 ++++++++++++++++++ .../templates/job-vault-init.yaml | 87 +++++++++++ .../templates/post-install-vault-setup.yaml | 86 ----------- .../templates/vault-edc-configmap.yaml | 69 --------- charts/tractusx-connector/values.yaml | 3 + 5 files changed, 230 insertions(+), 155 deletions(-) create mode 100644 charts/tractusx-connector/templates/configmap-vault-init.yaml create mode 100644 charts/tractusx-connector/templates/job-vault-init.yaml delete mode 100644 charts/tractusx-connector/templates/post-install-vault-setup.yaml delete mode 100644 charts/tractusx-connector/templates/vault-edc-configmap.yaml diff --git a/charts/tractusx-connector/templates/configmap-vault-init.yaml b/charts/tractusx-connector/templates/configmap-vault-init.yaml new file mode 100644 index 0000000000..a2c9d9d823 --- /dev/null +++ b/charts/tractusx-connector/templates/configmap-vault-init.yaml 
@@ -0,0 +1,140 @@ +################################################################################# +# Copyright (c) 2026 Zentralverband der Deutschen Elektro- und Informationstechnischen Handwerke (ZVEH) +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +################################################################################# + +# this configmap contains the initialization script to generate and store aes and rsa keys into the vault. + +{{ if .Values.vault.hashicorp.init.enabled }} +{{- $fullName := .Values.fullnameOverride -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ $fullName }}-vault-init + namespace: {{ .Release.Namespace | default "default" | quote }} + labels: + {{- include "wallet.labels" . 
| nindent 4 }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +data: + init.sh: | + #!/usr/bin/env sh + set -eu + + VAULT="${VAULT_ADDR:?VAULT_ADDR is required}" + TOKEN="${VAULT_TOKEN:?VAULT_TOKEN is required}" + FORCE="${FORCE_REGENERATE:-false}" + SECRETS="${VAULT_SECRET_PATH:-/v1/secret}" + HEALTH="${VAULT_HEALTH_PATH:-/v1/sys/health}" + + AES_ALIAS="${AES_KEY_ALIAS:-}" + PRIV_ALIAS="${PRIVATE_KEY_ALIAS:-}" + PUB_ALIAS="${PUBLIC_KEY_ALIAS:-}" + + log() { echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] $*" >&2; } + + # Check provided Aliases for plausibility (AES or RSA pair must be requested) + if [ -z "$AES_ALIAS" ] && [ -z "$PRIV_ALIAS" ] && [ -z "$PUB_ALIAS" ]; then + log "ERROR: no alias provided. Set AES_KEY_ALIAS and/or PRIVATE_KEY_ALIAS+PUBLIC_KEY_ALIAS." + exit 1 + fi + if { [ -n "$PRIV_ALIAS" ] && [ -z "$PUB_ALIAS" ]; } || \ + { [ -z "$PRIV_ALIAS" ] && [ -n "$PUB_ALIAS" ]; }; then + log "ERROR: RSA generation requires BOTH PRIVATE_KEY_ALIAS and PUBLIC_KEY_ALIAS." + exit 1 + fi + + # Install required tools + if ! command -v openssl >/dev/null 2>&1 \ + || ! command -v curl >/dev/null 2>&1 \ + || ! command -v jq >/dev/null 2>&1; then + log "Installing curl, jq, openssl..." + apk add --no-cache curl jq openssl >/dev/null + fi + + log "Waiting for Vault at $VAULT$HEALTH..." + i=0 + until curl -fsS --connect-timeout 2 --max-time 5 "$VAULT$HEALTH" >/dev/null 2>&1; do + i=$((i+1)) + [ "$i" -gt 60 ] && { log "Vault not ready after 60 attempts."; exit 1; } + sleep 3 + done + log "Vault ready." 
+ + # Check for existing Secret + secret_exists() { + [ "$(curl -sS -o /dev/null -w "%{http_code}" \ + -H "X-Vault-Token: $TOKEN" \ + "$VAULT$SECRETS/data/$1")" = "200" ] + } + + # Store Secret in Vault + put_secret() { + local alias="$1" payload="$2" + local code + code=$(printf '%s' "$payload" | curl -sS -o /dev/null -w "%{http_code}" \ + -H "X-Vault-Token: $TOKEN" \ + -H "Content-Type: application/json" \ + -X POST --data-binary @- \ + "$VAULT$SECRETS/data/$alias") + if [ "$code" != "200" ] && [ "$code" != "204" ]; then + log "Failed to store '$alias' (HTTP $code)" + exit 1 + fi + } + + # Generate AES Key + if [ -n "$AES_ALIAS" ]; then + if [ "$FORCE" != "true" ] && secret_exists "$AES_ALIAS"; then + log "AES key '$AES_ALIAS' already present — skipping." + else + log "Generating AES-256 key for '$AES_ALIAS'..." + key=$(openssl rand -base64 32 | tr -d '\n') + payload=$(jq -n --arg content "$key" '{data:{content:$content}}') + put_secret "$AES_ALIAS" "$payload" + log "AES key stored at $VAULT$SECRETS/data/$AES_ALIAS" + fi + fi + + # Generate RSA Keypair + if [ -n "$PRIV_ALIAS" ] && [ -n "$PUB_ALIAS" ]; then + if [ "$FORCE" != "true" ] \ + && secret_exists "$PRIV_ALIAS" \ + && secret_exists "$PUB_ALIAS"; then + log "RSA keypair ('$PRIV_ALIAS' / '$PUB_ALIAS') already present — skipping." + else + log "Generating RSA keypair ('$PRIV_ALIAS' / '$PUB_ALIAS')..." + umask 077 + dir=$(mktemp -d) + openssl genrsa -out "$dir/k.pem" 2048 2>/dev/null + openssl pkcs8 -topk8 -nocrypt -in "$dir/k.pem" -out "$dir/priv.pem" + openssl rsa -in "$dir/k.pem" -pubout -out "$dir/pub.pem" 2>/dev/null + + put_secret "$PRIV_ALIAS" \ + "$(jq -n --rawfile content "$dir/priv.pem" '{data:{content:$content}}')" + put_secret "$PUB_ALIAS" \ + "$(jq -n --rawfile content "$dir/pub.pem" '{data:{content:$content}}')" + + rm -rf "$dir" + log "RSA keypair stored at $VAULT$SECRETS/data/{$PRIV_ALIAS,$PUB_ALIAS}" + fi + fi + + log "Vault initialization complete." +{{- end }} 
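Review bot: The tool bootstrap `apk add --no-cache curl jq openssl` fetches unpinned packages from the network at deploy time, inside a pod that also holds the Vault token, and only works when the container runs as root; prefer an image that already ships curl, jq and openssl (or at least pin the package versions) so the hook can run under a restrictive securityContext with no egress beyond Vault. Keep the `command -v` check as a fast-fail instead of an installer: `log "ERROR: curl, jq and openssl must be present in the image."; exit 1`. A comment next to `FORCE="${FORCE_REGENERATE:-false}"` should also say that `true` overwrites an existing signer key, which presumably invalidates tokens already signed with it — the script gives no hint of that consequence.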
diff --git a/charts/tractusx-connector/templates/job-vault-init.yaml b/charts/tractusx-connector/templates/job-vault-init.yaml new file mode 100644 index 0000000000..fd347f540e --- /dev/null +++ b/charts/tractusx-connector/templates/job-vault-init.yaml 
@@ -0,0 +1,87 @@ +################################################################################# +# Copyright (c) 2026 Zentralverband der Deutschen Elektro- und Informationstechnischen Handwerke (ZVEH) +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +################################################################################# + +{{ if .Values.vault.hashicorp.init.enabled -}} +{{- $fullName := .Values.fullnameOverride -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ $fullName }}-vault-init + namespace: {{ .Release.Namespace | default "default" | quote }} + labels: + {{- include "wallet.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "0" + "helm.sh/hook-delete-policy": before-hook-creation +spec: + backoffLimit: 3 + ttlSecondsAfterFinished: 600 + activeDeadlineSeconds: 300 + template: + metadata: + labels: + {{- include "wallet.labels" . | nindent 8 }} + spec: + restartPolicy: OnFailure + serviceAccountName: {{ include "wallet.serviceAccountName" . 
}} + containers: + - name: vault-init + {{- $img := index .Values "vault" "hashicorp" "init" "image" | default dict }} + image: {{ $img.repository | default "alpine" }}:{{ $img.tag | default "3.20" }} + command: ["/bin/sh", "-c"] + args: + - | + tr -d '\r' < /scripts/init.sh > /tmp/init.sh + exec sh /tmp/init.sh + env: + - name: VAULT_ADDR + value: {{ tpl .Values.vault.hashicorp.url . | quote }} + - name: VAULT_TOKEN + value: {{ .Values.vault.hashicorp.token | required "vault.hashicorp.token is required" }} + - name: VAULT_SECRET_PATH + value: {{ .Values.vault.hashicorp.paths.secret | quote }} + - name: VAULT_HEALTH_PATH + value: {{ .Values.vault.hashicorp.paths.health | quote }} + {{- with .Values.vault.hashicorp.init.forceRegenerate }} + - name: FORCE_REGENERATE + value: {{ . | quote }} + {{- end }} + {{- with .Values.vault.hashicorp.init.aesKeyAlias }} + - name: AES_KEY_ALIAS + value: {{ . | quote }} + {{- end }} + {{- with .Values.dataplane.token.signer.privatekey_alias }} + - name: PRIVATE_KEY_ALIAS + value: {{ . | quote }} + {{- end }} + {{- with .Values.dataplane.token.verifier.publickey_alias }} + - name: PUBLIC_KEY_ALIAS + value: {{ . | quote }} + {{- end }} + volumeMounts: + - name: script + mountPath: /scripts + readOnly: true + volumes: + - name: script + configMap: + name: {{ $fullName }}-vault-init + defaultMode: 0555 +{{- end }} diff --git a/charts/tractusx-connector/templates/post-install-vault-setup.yaml b/charts/tractusx-connector/templates/post-install-vault-setup.yaml deleted file mode 100644 index 7c01ea8523..0000000000 --- a/charts/tractusx-connector/templates/post-install-vault-setup.yaml +++ /dev/null 
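Review bot: `VAULT_TOKEN` is injected as a plain `value:` from `.Values.vault.hashicorp.token`, so the token ends up in the rendered Job manifest, the Helm release record and the output of any `get job -o yaml`; reading it via `valueFrom.secretKeyRef` keeps it out of the chart output and limits exposure to whoever can read that Secret. The removed post-install-vault-setup.yaml inlined the token into the container command the same way, so this is not a regression, but the new template is the place to fix it. Unlike the neighbouring env values this one is also not passed through `| quote`, so a token containing YAML-significant characters breaks the manifest. Separately, `activeDeadlineSeconds: 300` is shorter than the script's longest Vault wait (60 attempts of up to 5 s plus a 3 s sleep, roughly 480 s), so a slow Vault kills the Job before the script reports its own timeout; align the two.
```yaml
            - name: VAULT_TOKEN
              valueFrom:
                secretKeyRef:
                  # placeholder: a Secret holding the Vault token, created outside this template
                  name: VAULT_TOKEN_SECRET_NAME
                  key: token
```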
@@ -1,86 +0,0 @@ -################################################################################# - - # Copyright (c) 2026 ARENA2036 e.V. - # - # See the NOTICE file(s) distributed with this work for additional - # information regarding copyright ownership. - # - # This program and the accompanying materials are made available under the - # terms of the Apache License, Version 2.0 which is available at - # https://www.apache.org/licenses/LICENSE-2.0 - # - # Unless required by applicable law or agreed to in writing, software - # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - # License for the specific language governing permissions and limitations - # under the License. - # - # SPDX-License-Identifier: Apache-2.0 - ################################################################################# ---- -{{- $vaultToken := index .Values "vault" "hashicorp" "token" -}} -{{- $vaultUrl := tpl (index .Values "vault" "hashicorp" "url") . -}} -{{- $fullName := .Values.nameOverride -}} -apiVersion: batch/v1 -kind: Job -metadata: - name: post-install-vault-setup - labels: - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/instance: {{ .Release.Name | quote }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} - helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - annotations: - # This is what defines this resource as a hook. Without this line, the - # job is considered part of the release. 
- "helm.sh/hook": post-install,post-upgrade - "helm.sh/hook-weight": "-5" - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded -spec: - template: - metadata: - name: "{{ .Release.Name }}" - labels: - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/instance: {{ .Release.Name | quote }} - helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - spec: - restartPolicy: Never - containers: - - name: post-install-job - image: busybox - imagePullPolicy: "IfNotPresent" - command: - - "/bin/sh" - - "-c" - - | - sleep 10 - - wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \ - --post-file=/opt/config/cert.json "{{ $vaultUrl }}/v1/secret/data/tokenSignerPublicKey" - - wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \ - --post-file=/opt/config/key.json "{{ $vaultUrl }}/v1/secret/data/tokenSignerPrivateKey" - - wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \ - --post-file=/opt/config/aes-secret.json "{{ $vaultUrl }}/v1/secret/data/tokenEncryptionAesKey" - - wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \ - --post-file=/opt/config/cons_priv.json "{{ $vaultUrl }}/v1/secret/data/cons_priv" - - wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \ - --post-file=/opt/config/cons_pub.json "{{ $vaultUrl }}/v1/secret/data/cons_pub" - - wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \ - --post-file=/opt/config/prov_priv.json "{{ $vaultUrl }}/v1/secret/data/prov_priv" - - wget --header 'Content-Type: application/json' --header 'X-Vault-Token: {{ $vaultToken }}' \ - --post-file=/opt/config/prov_pub.json "{{ $vaultUrl }}/v1/secret/data/prov_pub" - volumeMounts: - - name: config-volume - mountPath: /opt/config - volumes: - - name: config-volume - configMap: - name: {{ $fullName 
}}-vault-edc-configmap - defaultMode: 0777 diff --git a/charts/tractusx-connector/templates/vault-edc-configmap.yaml b/charts/tractusx-connector/templates/vault-edc-configmap.yaml deleted file mode 100644 index 59148063ed..0000000000 --- a/charts/tractusx-connector/templates/vault-edc-configmap.yaml +++ /dev/null 
@@ -1,69 +0,0 @@ -################################################################################# - - # Copyright (c) 2026 ARENA2036 e.V. - # - # See the NOTICE file(s) distributed with this work for additional - # information regarding copyright ownership. - # - # This program and the accompanying materials are made available under the - # terms of the Apache License, Version 2.0 which is available at - # https://www.apache.org/licenses/LICENSE-2.0 - # - # Unless required by applicable law or agreed to in writing, software - # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - # License for the specific language governing permissions and limitations - # under the License. - # - # SPDX-License-Identifier: Apache-2.0 - ################################################################################# ---- -{{- $fullName := .Values.nameOverride -}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ $fullName }}-vault-edc-configmap -data: - cert.json: |- - { - "data": { - "content": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsP1Wl50viKzVqw8HGFWP\nis+M8Im4daTFMned5Qr2z90FNgkj1EVhip0mOdD6kDg3bW4RxyL6z3jWi19JKBHZ\n68UTgZNdPbhhPNLEGcQpu8uwgFcWKL4P/IOykEeE8ResGOVg/HzNE7HkTgiBdr2C\nMTEXL3zTmdr0vbFGMbOTPyOvKMoy/2FaJaJAPXo3poGqfRvr6Gu6top2ktRd/z8N\nhBpuzx9QypIsE62ooLNPpqzjezfvzJbc3tko/cXNOyGoZWuEKMTfKwYq3ZjsTZKk\nbjVNgdoEFSWpd6Tqk76B1Cboxv1CD8xw0cQ149eW0IuLkAk3eF5eZR4iQ5YAOZqA\nUQIDAQAB\n-----END PUBLIC KEY-----\n" - } - } - - key.json: |- - { - "data": { - "content": "-----BEGIN PRIVATE 
KEY-----\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCw/VaXnS+IrNWr\nDwcYVY+Kz4zwibh1pMUyd53lCvbP3QU2CSPURWGKnSY50PqQODdtbhHHIvrPeNaL\nX0koEdnrxROBk109uGE80sQZxCm7y7CAVxYovg/8g7KQR4TxF6wY5WD8fM0TseRO\nCIF2vYIxMRcvfNOZ2vS9sUYxs5M/I68oyjL/YVolokA9ejemgap9G+voa7q2inaS\n1F3/Pw2EGm7PH1DKkiwTraigs0+mrON7N+/Mltze2Sj9xc07Iahla4QoxN8rBird\nmOxNkqRuNU2B2gQVJal3pOqTvoHUJujG/UIPzHDRxDXj15bQi4uQCTd4Xl5lHiJD\nlgA5moBRAgMBAAECggEAKD8XjYb8G+WHeexDJgSwzTUonLsIg9H52KHMORz+5mIh\nUPoPmHHFfj6BhoSvsZNjAUKWDtU0uPCGwu8iRNcYWa15I841lfcjP3BDEQPjJJXr\nNyf2fUHJA1gURwxIXgWOyCOC5C9h9/BMFPWIsQ5jeFmsJsuJF5OrcyZIar1lxqWu\nQ+HC7f/7JNkpR26uIyGjs1OXwfp+mHqze2Qf8hLWIXcN9tBCQZ75Cg7rarNVimMC\n59QD80JZCHTaCX1ZtE1T8HM+53Ob78lnFCuBfiBT/S3O/NXVsEN9q6rMWKhETVWR\nUX56EqZ7XGSMOzuZyK7kj1QsHzEMrrHjwDSNSjAqFQKBgQC6hEeAWPCEM+WVoF9n\nmhvwZVZv/PPyLAarykBTGoeHR2hqNyih9JmcXL+XQHMlhy1Ka8NtJHvfyB1xhXgF\n/d91i/Yq02+nZoJPNnVWo8zoXIAIq+xg9CBiu0agBxv45PjJkEkQmmEG4Iej1+Kf\n5/+dI7sFjE2T4q/lLK0Aw3x+zQKBgQDy7Ho7eRi5CV1Ks+r5lpGGdM15hbE5tviE\nfmJvaEUh3oWuwdkyFjD/QEPITG1bFuvhATdEEWxTbuswNEbELLhKCPcixcI0sLUO\n6BeNi1YD6ouuqsWBLvmE4hvoDR7RlkpUduxWpZ2tNIDJYYTwCERhcYK9OtHU15kc\nlS0pEjF/lQKBgEh+28/OQgYQqd7ji9GX+94PdW5n0mXBqQIixafHewAgyDvonpl8\nmixFfI6MlXTzuq3ffwEwGhncDV2vc/xYNf/ZW+A/eHmHhYTGdQss9ZsnQPid4m24\n1dGqWwQeX0f5r52gwFV8u9PRd8c+RS7EHP12At5gL1MY3CdmmwPd98jNAoGASvPV\n/xWtICKYi10aCip/+kl9wJoUhadD5LWOL6uvcPTUsIgVONQKCCfPAjU6pJlc7E7Q\nu4rYrqGRpYzrrMnTjtxXTH5SHqnLI69O3Rh50LmEob8FM4fH601MqPurX6WMh6Ut\n5Moy7Wc+uWQCfYE/gAVi/nnwlkhzcJNCnOKFLUUCgYA4nbhLrdEeCBJas2+Z9aGw\n/SurtHF2z2meAPO3VaYslf0D0xKzUIv5hkkzaNgs0pFGt0BcKfTWkYy/Hh4QXZhm\n//ZrqbkVsqzDOcqGwQcDmUEN/T+vprUJVKqpNHXT6fz3OTydxLQ7K7SXzwXWYfRW\ncpjdr0c1tVVLMyNG+Wahrg==\n-----END PRIVATE KEY-----\n" - } - } - aes-secret.json: |- - { - "data": { - "content": {{ randAlphaNum 32 | b64enc | quote }} - } - } - cons_priv.json: |- - { - "data": { - "content": "-----BEGIN PRIVATE 
KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC9zbB90iPotlvz\nsTCAt246XNL+dHoiSlEYgBsPgroqfEuLWQkVeM2F0L2fWEsvNc6ZU5SJBEDqPTVe\noaYnv6iXShbTaBaZVoFbt2L8+rJmQQ2YoB5qQwLtfsqIDIwuTwQUgiNe747NDtsb\nJmjMpib3fTsB6m+0CsWYDPuU/7bmUJvYytnw/MOLhaUiHAC68jKsgsAemyDzOSUN\nYJfcIbnS/o12OFZ4Na3nKdr96kMB1zN+PE4+K2oTgFRh69zq+z/G5au7mliBdwns\n5Efmf1ijlH6MFZeaeTVMjfHSq8IOIpOSvigjjK5p8T7vCSYettej2rfcgZpBRa44\n3V8m+F7zAgMBAAECggEAF/cnyMtG03RrKdr+p9IBbgcYcR6d6UR+9tv+DrhP71tg\nYojsd7SYJsRTnRIV9DEUFBIUmDRcSfdOjNNWWoB9thSZyznCWLwuezktm4nACt89\n6z6UeJBbh0dSJVmIPbSmbDx+YNdYrZWpnsT7yJNWKju6vqQuVIpjpq5E+exL2Mqu\nj44wW/5ro9jaOhm8mUbAacEctQYixBmy8HXPBm6AtezdD7HpftdI+VWN0LO7IlLn\naWICR8vx18dEF+706JHPKpsovZbolu0Zvl19RSG4Zj3dhVoTw+vbeXTOkHR2wNdP\nDfL4m0exKl6McPos3CG9kEAUwceGR2CZpy0xssBkGQKBgQD/K/Svv/xrMK8pVQVv\nY699OX9pwm6NBq3Ti8LIKejPUW5V2ZZVtSb8njWmgAi6RPp6vO/mWhuUrXahoUrY\nfe0AqW7wTgKmmjXbTvy47VS5Z5S30DT8DAYp8CJekibnU4jwsIgYJgao1TeOTOq3\ngnGdPLlvSa4BagyogWp7+keaTwKBgQC+a2nbyuL3e/Sk+qio0kDkpI6hYIKWg+7u\n0FOsHJjItcwkSkfRKIFRdI7iGYlukE/38xfizs0tLJXYRbdrlUgq/lTgd4i3UoVw\nOAXzEJX0lunZgXNd9jjnADh3pgVbwX9AKDhFz+nu3yL5Egc8FN+caP9Is5xPxYfg\n8J/Pp8DcHQKBgDOc6HlEFAJ6bnOlxtupBi4GG0eBFGtiFnbbpiJml7iXeAHVaRsc\n8S3XsnJjI2DJ4wBAhyXIxBtmmsBGp6Tyk6W2n8HrhY29U3dwmp2tI5383Y/whUcW\nB4kkEU+fsE7KDsDgdCauSlqMBhi6Zh+IOwLa7YcdGB0hHj5XLvq0vRbxAoGAQCpp\n7YqcmNDIS5+7ncfb3jAlb/PZjWa/6PGCgIjSYy//rmrpcG25xf0E+OOqD/vJNsBP\n2Dnfoc1YYRx9Bl+zhelWKJ2fEEdad8opFxMLtPP1sTmR6qPB4PWOEaN8QsMdYj0r\nWTsKlVfTrSKKFZDjGQ24mIMNtUPW2dG7yHm633ECgYEAqaLLo4VYUcjTKnYdBChA\nPFAk/ZwSR+/TY0vXw3Ghm/oiBNVSMVHFBoAFdbt4lWKJlryW+1Wi11cFYXfsBrmb\nJTnK1u7EZDebm9hFBzpp7/yY5uu38NduGKh5+goAVtPXZR9s/8ypyt3xVflcDxzA\nt7VMyFNRxj517ZJPCNN+ImU=\n-----END PRIVATE KEY-----\n" - } - } - cons_pub.json: |- - { - "data": { - "content": "-----BEGIN PUBLIC 
KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvc2wfdIj6LZb87EwgLdu\nOlzS/nR6IkpRGIAbD4K6KnxLi1kJFXjNhdC9n1hLLzXOmVOUiQRA6j01XqGmJ7+o\nl0oW02gWmVaBW7di/PqyZkENmKAeakMC7X7KiAyMLk8EFIIjXu+OzQ7bGyZozKYm\n9307AepvtArFmAz7lP+25lCb2MrZ8PzDi4WlIhwAuvIyrILAHpsg8zklDWCX3CG5\n0v6NdjhWeDWt5yna/epDAdczfjxOPitqE4BUYevc6vs/xuWru5pYgXcJ7ORH5n9Y\no5R+jBWXmnk1TI3x0qvCDiKTkr4oI4yuafE+7wkmHrbXo9q33IGaQUWuON1fJvhe\n8wIDAQAB\n-----END PUBLIC KEY-----\n" - } - } - prov_priv.json: |- - { - "data": { - "content": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDN/ECrw6rbkvkw\nNGoJX1TatjytEvfwhFm/IViYPXfPccQHyVhG9YiQNS1e9v5UhUc8BGNvrZjIm7e9\nHNhPGlOlLiHh3wfU/wG5srcqz1aSV2omFVPz9Nc9TSkwaF6oJcs4AL+Z0+IyQN1e\nPThoqu9aVd5wtRXnS0nh5Dd0CC0spchZdUbtslQXs4c8uBDRGdT2/mkBu5isMxW0\nCg+muQWk1t8vgYVxlokGGvsKjQXFV3RPJQ6hNjsZjVmAqDGYFcA/AxK1WYBV5Hyu\nAZHUU2yityva/IqQPLXN/4fcXQcLxLjrl0MSpWUik/YeuV2bQFyakpvj5wox/w7E\nMNjWBodnAgMBAAECggEADELlO83Tm4ScQuNqPArJyGEYeIby0+uhufy+qZ7f3sab\nXO+xZDvuXpzDvO2zH8EO1FxAg2yc3E6LBkqAXikN7JaAtTf4K+FOe+LPADd3JEWC\nAvVT2edrpPFoYvWVGNymRAjYK7Lb019eesl/7f8ROcCqk1PvYCUjpzruybN8GOmq\naAuvCmrn9+zW8nPDSvFvNC7TTV4LnaRGsWabCA2589c6rDr52ddbXQZ2bXhIkVlw\n+RcfCIA2yZhrYfwDynQP/dPIwaC12y/phONIOFgDmurJHTTm0/3GmyDgU4xdfEan\nqWN2BwYfG2eOaGRTktUxjvmfj4kQF+6V8BiEA1KGAQKBgQDz0tuJBolkCn4nTMXl\nQx/QaacZBLJdHeniD2B6s7715TOgv+6DYzJypxYsNkKX4jLKykOJAQ3SUmWNq+ar\n6HJUE9Ral27zg8AAgZwQBCBr3hXulUkN3Ca2Qe3zhM6OtKlQvCY91zkXIecvQ7/s\ncLepmEXqMe0VXsR6c5C2VFiOAQKBgQDYRaeTcES+LSqHeAUqNytc4qy27lIEA4Vm\nzCd2oK0B1QuBCe2nVPsIMPnv92yfZ2RExEkqJXk0WfxB0fKM6BphTWFGnzbleHH3\nE+0BAfi/JmvOtJUbsbQdqTnV1OjCBL3YsubOJJwF+u9yzYoJdy7oldOmqrKC3zgs\nSOehRF9lZwKBgHEqwv58bDRkslznQ0q/tvpyrz3rciXKBo4H+Q26c72JnkbUDo4o\n8ndImf/3Rz1bnZuF+YaTWKjv2XbB/JR5lOb1NTC+7J5V3j3d6mN8pteqAp/z5i5q\nqgUZ4KmQUJbnv1ZbnZxCUpsr/zNuzJufTX+Hz5t9hL7Qd30mOlqGF3wBAoGBAKKb\nhIqTf+wpU2+1qtR51I2rFMcZ2uqPpy6KUyWbW1kkUNj9mQUWHQSkpldphe84MqiN\nmKEqub3F5qeqbh7JqIP+RSRvMzxHWhC2l50JWXiHL8mj9vRyoQUoJocC5Npz7DXR\nFT5rQjAw4vZDWgUR
6mAPvqnyb/N8V+TcD+Qt3zgDAoGBAL001/N43dI6NR+Mlcw8\nYtrfTO5xoakVzx7tdC1g3gry/MiJn/+iftpFSf/hNp8HyQEHlRkubQuL4j0I/Fe3\nHjTc3wPIZhcOpitfbn9VMgpXXWmguK/s4oMMNxoe+Ey71/hlp5UdGOidGhaWq9Jk\nAsqJhS57iz0RP3ikSic9Tb3s\n-----END PRIVATE KEY-----\n" - } - } - prov_pub.json: |- - { - "data": { - "content": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzfxAq8Oq25L5MDRqCV9U\n2rY8rRL38IRZvyFYmD13z3HEB8lYRvWIkDUtXvb+VIVHPARjb62YyJu3vRzYTxpT\npS4h4d8H1P8BubK3Ks9WkldqJhVT8/TXPU0pMGheqCXLOAC/mdPiMkDdXj04aKrv\nWlXecLUV50tJ4eQ3dAgtLKXIWXVG7bJUF7OHPLgQ0RnU9v5pAbuYrDMVtAoPprkF\npNbfL4GFcZaJBhr7Co0FxVd0TyUOoTY7GY1ZgKgxmBXAPwMStVmAVeR8rgGR1FNs\norcr2vyKkDy1zf+H3F0HC8S465dDEqVlIpP2Hrldm0BcmpKb4+cKMf8OxDDY1gaH\nZwIDAQAB\n-----END PUBLIC KEY-----\n" - } - } diff --git a/charts/tractusx-connector/values.yaml b/charts/tractusx-connector/values.yaml index d0db2aaa40..afd1cdd6a0 100644 --- a/charts/tractusx-connector/values.yaml +++ b/charts/tractusx-connector/values.yaml @@ -735,6 +735,9 @@ vault: secret: /v1/secret health: /v1/sys/health folder: "" + init: + # Whether to run the post-install vault-init job that seeds required secrets. Creates RSA Keys for dataplane.token.signer and dataplane.token.verifier. + enabled: true networkPolicy: # -- If `true` network policy will be created to restrict access to control- and dataplane From 2412aaa065b5498fddf0caeb4480e6ab6fb7af3d Mon Sep 17 00:00:00 2001 From: Simon Bergerfurth Date: Tue, 16 Jun 2026 09:46:17 +0200 Subject: [PATCH 02/12] fix(helm): change label and service account reference in vault init templates --- .../tractusx-connector/templates/configmap-vault-init.yaml | 2 +- charts/tractusx-connector/templates/job-vault-init.yaml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/tractusx-connector/templates/configmap-vault-init.yaml b/charts/tractusx-connector/templates/configmap-vault-init.yaml index a2c9d9d823..6ec3a3b3a3 100644 
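Review bot: The new `init:` block in values.yaml documents only `enabled`, but job-vault-init.yaml also reads `vault.hashicorp.init.image.repository`/`.tag`, `vault.hashicorp.init.forceRegenerate` and `vault.hashicorp.init.aesKeyAlias`; listing them here with their effective defaults (`alpine`/`3.20`, unset, unset) and a one-line comment each makes the hook configurable without reading the template. The comment line is also far past a sane width; split it, using the `# --` prefix the `networkPolicy` comment below uses, so that the purpose is on one line and the key-generation detail on the next. That comment says the job creates RSA keys for `dataplane.token.signer` and `dataplane.token.verifier`, whereas the script skips RSA generation entirely when either alias is unset — worth stating so operators know the aliases must be configured.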
--- a/charts/tractusx-connector/templates/configmap-vault-init.yaml +++ b/charts/tractusx-connector/templates/configmap-vault-init.yaml @@ -27,7 +27,7 @@ metadata: name: {{ $fullName }}-vault-init namespace: {{ .Release.Namespace | default "default" | quote }} labels: - {{- include "wallet.labels" . | nindent 4 }} + {{- include "txdc.controlplane.labels" . | nindent 4 }} annotations: "helm.sh/hook": post-install,post-upgrade "helm.sh/hook-weight": "-5" diff --git a/charts/tractusx-connector/templates/job-vault-init.yaml b/charts/tractusx-connector/templates/job-vault-init.yaml index fd347f540e..13bebfa084 100644 --- a/charts/tractusx-connector/templates/job-vault-init.yaml +++ b/charts/tractusx-connector/templates/job-vault-init.yaml @@ -25,7 +25,7 @@ metadata: name: {{ $fullName }}-vault-init namespace: {{ .Release.Namespace | default "default" | quote }} labels: - {{- include "wallet.labels" . | nindent 4 }} + {{- include "txdc.controlplane.labels" . | nindent 4 }} annotations: "helm.sh/hook": post-install,post-upgrade "helm.sh/hook-weight": "0" @@ -37,10 +37,10 @@ spec: template: metadata: labels: - {{- include "wallet.labels" . | nindent 8 }} + {{- include "txdc.controlplane.labels" . | nindent 4 }} spec: restartPolicy: OnFailure - serviceAccountName: {{ include "wallet.serviceAccountName" . }} + serviceAccountName: {{ include "txdc.serviceAccountName" . }} containers: - name: vault-init {{- $img := index .Values "vault" "hashicorp" "init" "image" | default dict }} From 88929aa3ece54e7caea601941de3c9e0f3b53132 Mon Sep 17 00:00:00 2001 From: Simon Bergerfurth Date: Tue, 16 Jun 2026 09:52:57 +0200 Subject: [PATCH 03/12] chore(helm): change default rsa token generation setting --- charts/tractusx-connector/values-consumer.yaml | 4 ++++ charts/tractusx-connector/values-provider.yaml | 4 ++++ charts/tractusx-connector/values.yaml | 2 +- 3 files changed, 9 insertions(+), 1 deletion(-) 
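Review bot: In the `@@ -37,10 +37,10 @@` hunk of job-vault-init.yaml the pod-template labels line changes from `nindent 8` to `nindent 4`, but `labels:` under `spec.template.metadata` sits at six spaces, so the included labels now render at a shallower indent than their parent key and the template either fails to parse or attaches the labels to the wrong node; the metadata-level include earlier in the same file correctly keeps `nindent 4`, so this one should read `{{- include "txdc.controlplane.labels" . | nindent 8 }}`. Separately, if `txdc.controlplane.labels` emits the controlplane's selector labels, the init pod will match the controlplane Service and any NetworkPolicy keyed on those labels while it holds the Vault token; a dedicated label set (for example an `app.kubernetes.io/component: vault-init` label) keeps the hook pod out of that selection. I cannot see the helper's definition from this chunk, so confirm what it emits.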
diff --git a/charts/tractusx-connector/values-consumer.yaml b/charts/tractusx-connector/values-consumer.yaml index a1fa0e4c27..23d766b0e1 100644 --- a/charts/tractusx-connector/values-consumer.yaml +++ b/charts/tractusx-connector/values-consumer.yaml @@ -126,3 +126,7 @@ postgresql: readReplicas: persistence: enabled: true + +vault: + init: + enabled: true \ No newline at end of file diff --git a/charts/tractusx-connector/values-provider.yaml b/charts/tractusx-connector/values-provider.yaml index c04ccfd1b0..e69b30def1 100644 --- a/charts/tractusx-connector/values-provider.yaml +++ b/charts/tractusx-connector/values-provider.yaml @@ -126,3 +126,7 @@ postgresql: readReplicas: persistence: enabled: true + +vault: + init: + enabled: true \ No newline at end of file diff --git a/charts/tractusx-connector/values.yaml b/charts/tractusx-connector/values.yaml index afd1cdd6a0..4d11104859 100644 --- a/charts/tractusx-connector/values.yaml +++ b/charts/tractusx-connector/values.yaml @@ -737,7 +737,7 @@ vault: folder: "" init: # Whether to run the post-install vault-init job that seeds required secrets. Creates RSA Keys for dataplane.token.signer and dataplane.token.verifier. - enabled: true + enabled: false networkPolicy: # -- If `true` network policy will be created to restrict access to control- and dataplane From 7e1ea4fc9b05a135d38866c218862c8a315f3f6e Mon Sep 17 00:00:00 2001 From: Simon Bergerfurth Date: Tue, 16 Jun 2026 10:21:21 +0200 Subject: [PATCH 04/12] chore(helm): change override wallet names --- .../tractusx-connector/values-consumer.yaml | 26 +++++++++---------- .../tractusx-connector/values-provider.yaml | 26 +++++++++---------- 2 files changed, 26 insertions(+), 26 deletions(-) diff --git a/charts/tractusx-connector/values-consumer.yaml b/charts/tractusx-connector/values-consumer.yaml index 23d766b0e1..874f861aaf 100644 --- a/charts/tractusx-connector/values-consumer.yaml +++ b/charts/tractusx-connector/values-consumer.yaml 
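Review bot: Both values-consumer.yaml and values-provider.yaml now end without a trailing newline (`\ No newline at end of file`), which yamllint flags and which turns every later append into a two-line diff; terminate each file after `enabled: true`. With values.yaml flipping the default to `enabled: false` while these overrides set `true`, the comment on the `init:` key in values.yaml could say that the job is opt-in per environment so the split is deliberate rather than accidental.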
@@ -1,15 +1,15 @@ shared: - connectorId: &connectorId did:web:consumer-idhub.staging.construct-x.net:consumer + connectorId: &connectorId did:web:consumer-wallet.staging.construct-x.net:consumer secretAlias: &secretAlias consumersecret - trustedIssuerId: &trustedIssuerId did:web:local-issuer-service.staging.construct-x.net:issuer + trustedIssuerId: &trustedIssuerId did:web:issuer.staging.construct-x.net:issuer clusterIssuer: &clusterIssuer letsencrypt-staging ingressClass: &ingressClass nginx imagePullSecret: &imagePullSecret registry-creds - controlplaneFqdn: &controlplaneFqdn consumer-conn-controlplane.staging.construct-x.net - dataplaneFqdn: &dataplaneFqdn consumer-conn-dataplane.staging.construct-x.net + controlplaneFqdn: &controlplaneFqdn consumer-edc-controlplane.staging.construct-x.net + dataplaneFqdn: &dataplaneFqdn consumer-edc-dataplane.staging.construct-x.net -nameOverride: consumer-conn -fullnameOverride: consumer-conn +nameOverride: consumer-edc +fullnameOverride: consumer-edc participant: id: *connectorId @@ -21,7 +21,7 @@ iatp: - id: *trustedIssuerId sts: oauth: - token_url: https://consumer-idhub.staging.construct-x.net/api/sts/token + token_url: https://consumer-wallet.staging.construct-x.net/api/sts/token client: id: *connectorId secret_alias: *secretAlias @@ -30,7 +30,7 @@ iatp: id: *connectorId controlplane: - hostname: consumer-conn-controlplane + hostname: consumer-edc-controlplane imagePullSecrets: - name: *imagePullSecret env: @@ -49,7 +49,7 @@ controlplane: className: *ingressClass tls: enabled: true - secretName: consumer-conn-cp-tls + secretName: consumer-edc-cp-tls certManager: clusterIssuer: *clusterIssuer ## Private / Intranet facing Ingress 
@@ -67,12 +67,12 @@ controlplane: className: *ingressClass tls: enabled: true - secretName: consumer-conn-cp-int-tls + secretName: consumer-edc-cp-int-tls certManager: clusterIssuer: *clusterIssuer dataplane: - hostname: consumer-conn-dataplane + hostname: consumer-edc-dataplane imagePullSecrets: - name: *imagePullSecret token: @@ -98,7 +98,7 @@ dataplane: className: *ingressClass tls: enabled: true - secretName: consumer-conn-dp-tls + secretName: consumer-edc-dp-tls certManager: clusterIssuer: *clusterIssuer ## Private / Intranet facing Ingress @@ -115,7 +115,7 @@ dataplane: className: *ingressClass tls: enabled: true - secretName: consumer-conn-dp-int-tls + secretName: consumer-edc-dp-int-tls certManager: clusterIssuer: *clusterIssuer diff --git a/charts/tractusx-connector/values-provider.yaml b/charts/tractusx-connector/values-provider.yaml index e69b30def1..3a63a5f59c 100644 --- a/charts/tractusx-connector/values-provider.yaml +++ b/charts/tractusx-connector/values-provider.yaml 
@@ -1,15 +1,15 @@ shared: - connectorId: &connectorId did:web:provider-idhub.staging.construct-x.net:provider + connectorId: &connectorId did:web:provider-wallet.staging.construct-x.net:provider secretAlias: &secretAlias providersecret - trustedIssuerId: &trustedIssuerId did:web:local-issuer-service.staging.construct-x.net:issuer + trustedIssuerId: &trustedIssuerId did:web:issuer.staging.construct-x.net:issuer clusterIssuer: &clusterIssuer letsencrypt-staging ingressClass: &ingressClass nginx imagePullSecret: &imagePullSecret registry-creds - controlplaneFqdn: &controlplaneFqdn provider-conn-controlplane.staging.construct-x.net - dataplaneFqdn: &dataplaneFqdn provider-conn-dataplane.staging.construct-x.net + controlplaneFqdn: &controlplaneFqdn provider-edc-controlplane.staging.construct-x.net + dataplaneFqdn: &dataplaneFqdn provider-edc-dataplane.staging.construct-x.net -nameOverride: provider-conn -fullnameOverride: provider-conn +nameOverride: provider-edc +fullnameOverride: provider-edc participant: id: *connectorId @@ -21,7 +21,7 @@ iatp: - id: *trustedIssuerId sts: oauth: - token_url: https://provider-idhub.staging.construct-x.net/api/sts/token + token_url: https://provider-wallet.staging.construct-x.net/api/sts/token client: id: *connectorId secret_alias: *secretAlias @@ -30,7 +30,7 @@ iatp: id: *connectorId controlplane: - hostname: provider-conn-controlplane + hostname: provider-edc-controlplane imagePullSecrets: - name: *imagePullSecret env: @@ -49,7 +49,7 @@ controlplane: className: *ingressClass tls: enabled: true - secretName: provider-conn-cp-tls + secretName: provider-edc-cp-tls certManager: clusterIssuer: *clusterIssuer ## Private / Intranet facing Ingress 
@@ -67,12 +67,12 @@ controlplane:
 className: *ingressClass
 tls:
 enabled: true
- secretName: provider-conn-cp-int-tls
+ secretName: provider-edc-cp-int-tls
 certManager:
 clusterIssuer: *clusterIssuer
 dataplane:
- hostname: provider-conn-dataplane
+ hostname: provider-edc-dataplane
 imagePullSecrets:
 - name: *imagePullSecret
 token:
@@ -98,7 +98,7 @@ dataplane:
 className: *ingressClass
 tls:
 enabled: true
- secretName: provider-conn-dp-tls
+ secretName: provider-edc-dp-tls
 certManager:
 clusterIssuer: *clusterIssuer
 ## Private / Intranet facing Ingress
@@ -115,7 +115,7 @@ dataplane:
 className: *ingressClass
 tls:
 enabled: true
- secretName: provider-conn-dp-int-tls
+ secretName: provider-edc-dp-int-tls
 certManager:
 clusterIssuer: *clusterIssuer
From c8d029c372149ceacba916d8d8b8e1446190679f Mon Sep 17 00:00:00 2001
From: Simon Bergerfurth
Date: Tue, 16 Jun 2026 11:21:53 +0200
Subject: [PATCH 05/12] fix(helm): add missing hashicorp block in value overrides
---
 charts/tractusx-connector/values-consumer.yaml | 1 +
 charts/tractusx-connector/values-provider.yaml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/charts/tractusx-connector/values-consumer.yaml b/charts/tractusx-connector/values-consumer.yaml
index 874f861aaf..fd82aab12e 100644
--- a/charts/tractusx-connector/values-consumer.yaml
+++ b/charts/tractusx-connector/values-consumer.yaml
@@ -128,5 +128,6 @@ postgresql:
 enabled: true
 vault:
+ hashicorp:
 init:
 enabled: true
\ No newline at end of file
diff --git a/charts/tractusx-connector/values-provider.yaml b/charts/tractusx-connector/values-provider.yaml
index 3a63a5f59c..77c9ee310a 100644
--- a/charts/tractusx-connector/values-provider.yaml
+++ b/charts/tractusx-connector/values-provider.yaml
@@ -128,5 +128,6 @@ postgresql:
 enabled: true
 vault:
+ hashicorp:
 init:
 enabled: true
\ No newline at end of file
From d70e03c98a6c4acb563ac3f241248bdabe674d3e Mon Sep 17 00:00:00 2001
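Review bot: Both override files still end without a trailing newline after the new `hashicorp:` nesting, shown by the `\ No newline at end of file` marker under each hunk; yamllint's new-line-at-end-of-file rule flags this and none of the later lint-fix commits in this series touch it. Ending values-consumer.yaml and values-provider.yaml with a single newline also avoids a spurious diff the next time someone edits their last line. The rest of each file is outside the hunk.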
From: Simon Bergerfurth Date: Tue, 16 Jun 2026 11:25:57 +0200 Subject: [PATCH 06/12] feat(helm): change psql dependency to cloudpirates --- charts/tractusx-connector/Chart.yaml | 6 +-- .../tractusx-connector/values-consumer.yaml | 10 ++--- .../tractusx-connector/values-provider.yaml | 10 ++--- charts/tractusx-connector/values.yaml | 38 ++++++++++++------- 4 files changed, 35 insertions(+), 29 deletions(-) diff --git a/charts/tractusx-connector/Chart.yaml b/charts/tractusx-connector/Chart.yaml index ff4e000e0e..7a4d895c71 100644 --- a/charts/tractusx-connector/Chart.yaml +++ b/charts/tractusx-connector/Chart.yaml @@ -58,8 +58,8 @@ dependencies: repository: https://helm.releases.hashicorp.com condition: install.vault # PostgreSQL - - name: postgresql + - name: postgres alias: postgresql - version: "15.2.1" - repository: https://charts.bitnami.com/bitnami + version: 0.19.5 + repository: oci://registry-1.docker.io/cloudpirates condition: install.postgresql diff --git a/charts/tractusx-connector/values-consumer.yaml b/charts/tractusx-connector/values-consumer.yaml index fd82aab12e..9d27f12c91 100644 --- a/charts/tractusx-connector/values-consumer.yaml +++ b/charts/tractusx-connector/values-consumer.yaml @@ -120,12 +120,10 @@ dataplane: clusterIssuer: *clusterIssuer postgresql: - primary: - persistence: - enabled: true - readReplicas: - persistence: - enabled: true + persistence: + enabled: true + size: 10Gi + storageClass: "" vault: hashicorp: diff --git a/charts/tractusx-connector/values-provider.yaml b/charts/tractusx-connector/values-provider.yaml index 77c9ee310a..21b693e6a4 100644 --- a/charts/tractusx-connector/values-provider.yaml +++ b/charts/tractusx-connector/values-provider.yaml @@ -120,12 +120,10 @@ dataplane: clusterIssuer: *clusterIssuer postgresql: - primary: - persistence: - enabled: true - readReplicas: - persistence: - enabled: true + persistence: + enabled: true + size: 10Gi + storageClass: "" vault: hashicorp: 
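Review bot: The PostgreSQL dependency in the Chart.yaml hunk now resolves from a third-party OCI repository (`oci://registry-1.docker.io/cloudpirates`) by version only, and no Chart.lock change is part of this commit; if the repository tracks a lock file it should be regenerated with `helm dependency update` in the same commit so the resolved digest is pinned together with the new source. Separately, `version: 0.19.5` is unquoted while the line it replaces quoted the version (`"15.2.1"`); `version: "0.19.5"` keeps the style consistent and rules out a future two-part version being read as a number. The values-consumer.yaml and values-provider.yaml hunks in this commit only adjust persistence keys for the new chart.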
diff --git a/charts/tractusx-connector/values.yaml b/charts/tractusx-connector/values.yaml
index 4d11104859..cfe5f73c6b 100644
--- a/charts/tractusx-connector/values.yaml
+++ b/charts/tractusx-connector/values.yaml
@@ -701,20 +701,30 @@ dataplane:
 public: ""
 postgresql:
- image:
- repository: "bitnamilegacy/postgresql"
- tag: "16.2.0-debian-12-r10"
- jdbcUrl: "jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc"
- primary:
- persistence:
- enabled: false
- readReplicas:
- persistence:
- enabled: false
- auth:
- database: "edc"
- username: "user"
- password: "password"
+ # JDBC connection URL passed to the edc runtime.
+ jdbcUrl: "jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc"
+ auth:
+ # Name of the PostgreSQL database created on first start. Must match with postgresql.jdbcUrl path.
+ database: "edc"
+ # PostgreSQL user that the issuer-wallet connects as.
+ username: "user"
+ # Password for the PostgreSQL user. Change before production use.
+ password: "password"
+ persistence:
+ # Persist data across pod restarts.
+ enabled: true
+ size: 10Gi
+ storageClass: ""
+ # Initialization scripts ConfigMap
+ initdb:
+ scriptsConfigMap: "" # Optional: ConfigMap with init scripts
+ resources:
+ limits:
+ cpu: 500m
+ memory: 1Gi
+ requests:
+ cpu: 250m
+ memory: 256Mi
 vault:
 injector:
From 53c0b0785b5ce6ba4b28cffee53e162d0cf0439b Mon Sep 17 00:00:00 2001
From: Simon Bergerfurth
Date: Wed, 17 Jun 2026 16:47:22 +0200
Subject: [PATCH 07/12] fix(helm): add missing iatp default scope envs
---
 charts/tractusx-connector/values.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/charts/tractusx-connector/values.yaml b/charts/tractusx-connector/values.yaml
index cfe5f73c6b..6e40b98b78 100644
--- a/charts/tractusx-connector/values.yaml
+++ b/charts/tractusx-connector/values.yaml
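Review bot: The comment `# PostgreSQL user that the issuer-wallet connects as.` names the wrong component — the jdbcUrl comment a few lines above says the URL is passed to the edc runtime, so the line should read `# PostgreSQL user that the EDC runtime connects as.`. The hard-coded `username: "user"` / `password: "password"` defaults survive the migration with only the "Change before production use" comment as a guard; if the cloudpirates chart supports referencing an existing Secret for auth, documenting that key here (or shipping an empty password so an override is mandatory) is a stronger default than a committed plaintext password. The `jdbcUrl` still targets `{{ .Release.Name }}-postgresql:5432`; since the dependency is now `postgres` aliased to `postgresql`, it is worth confirming that the new chart renders a Service with that name before relying on the default.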
@@ -285,6 +285,9 @@ controlplane:
 TX_EDC_POSTGRESQL_MIGRATION_TRANSFERPROCESS_ENABLED: false
 EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: usersecret
 EDC_IAM_CREDENTIAL_REVOCATION_MIMETYPE: application/json
+ TX_EDC_IAM_IATP_DEFAULT-SCOPES_TEST_ALIAS: org.eclipse.dspace.dcp.vc.type
+ TX_EDC_IAM_IATP_DEFAULT-SCOPES_TEST_TYPE: MembershipCredential
+ TX_EDC_IAM_IATP_DEFAULT-SCOPES_TEST_OPERATION: read
 # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
 # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
From ad57dfc25fe8930bd31ec78d5c9b15c18c918863 Mon Sep 17 00:00:00 2001
From: Simon Bergerfurth
Date: Thu, 18 Jun 2026 10:20:45 +0200
Subject: [PATCH 08/12] fix(helm): change vault-init labels and indentation
---
 charts/tractusx-connector/templates/configmap-vault-init.yaml | 2 +-
 charts/tractusx-connector/templates/job-vault-init.yaml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/charts/tractusx-connector/templates/configmap-vault-init.yaml b/charts/tractusx-connector/templates/configmap-vault-init.yaml
index 6ec3a3b3a3..ed687da5ba 100644
--- a/charts/tractusx-connector/templates/configmap-vault-init.yaml
+++ b/charts/tractusx-connector/templates/configmap-vault-init.yaml
@@ -27,7 +27,7 @@ metadata:
 name: {{ $fullName }}-vault-init
 namespace: {{ .Release.Namespace | default "default" | quote }}
 labels:
- {{- include "txdc.controlplane.labels" . | nindent 4 }}
+ {{- include "txdc.labels" . | nindent 4 }}
 annotations:
 "helm.sh/hook": post-install,post-upgrade
 "helm.sh/hook-weight": "-5"
diff --git a/charts/tractusx-connector/templates/job-vault-init.yaml b/charts/tractusx-connector/templates/job-vault-init.yaml
index 13bebfa084..f2841474df 100644
--- a/charts/tractusx-connector/templates/job-vault-init.yaml
+++ b/charts/tractusx-connector/templates/job-vault-init.yaml
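Review bot: The three new default-scope keys use `TEST` as the scope alias segment (`TX_EDC_IAM_IATP_DEFAULT-SCOPES_TEST_*`) in the chart's shipped defaults, which reads like a leftover from local testing; if the runtime treats that segment as a free-form scope name, a descriptive one such as `TX_EDC_IAM_IATP_DEFAULT-SCOPES_MEMBERSHIP_ALIAS` makes the rendered environment self-explaining. A short comment above the block stating what the scope is requested for, e.g. `# Default DCP scope (credential type + operation) requested with every presentation`, would also help, since the surrounding env entries are undocumented. The env mapping continues outside the hunk.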
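Review bot: The ConfigMap keeps `"helm.sh/hook": post-install,post-upgrade` (context line in this hunk), and the job-vault-init.yaml hunk in this commit carries the same annotation, so the vault-init job runs again on every `helm upgrade`; if the script it mounts generates key material rather than first checking whether the vault entries already exist, each upgrade would rotate the keys and invalidate tokens issued under the previous ones. Please confirm the script is idempotent, or restrict the hook to `post-install` if regeneration on upgrade is not intended. No `helm.sh/hook-delete-policy` is visible in either hunk; unless it is set on a line outside them, completed job pods linger in the namespace, and `"helm.sh/hook-delete-policy": hook-succeeded` on the Job cleans up successful runs while keeping failed ones for inspection. The script body and the rest of both templates are outside the hunks.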
@@ -25,7 +25,7 @@ metadata:
 name: {{ $fullName }}-vault-init
 namespace: {{ .Release.Namespace | default "default" | quote }}
 labels:
- {{- include "txdc.controlplane.labels" . | nindent 4 }}
+ {{- include "txdc.labels" . | nindent 4 }}
 annotations:
 "helm.sh/hook": post-install,post-upgrade
 "helm.sh/hook-weight": "0"
@@ -37,7 +37,7 @@ spec:
 template:
 metadata:
 labels:
- {{- include "txdc.controlplane.labels" . | nindent 4 }}
+ {{- include "txdc.labels" . | nindent 8 }}
 spec:
 restartPolicy: OnFailure
 serviceAccountName: {{ include "txdc.serviceAccountName" . }}
From a17fdd913f90936346a9f7e222d92f80265b3d3a Mon Sep 17 00:00:00 2001
From: Simon Bergerfurth
Date: Thu, 18 Jun 2026 10:31:57 +0200
Subject: [PATCH 09/12] chore(helm): remove duplicate environment variables
---
 charts/tractusx-connector/values-consumer.yaml | 7 -------
 charts/tractusx-connector/values-provider.yaml | 7 -------
 charts/tractusx-connector/values.yaml | 5 -----
 3 files changed, 19 deletions(-)
diff --git a/charts/tractusx-connector/values-consumer.yaml b/charts/tractusx-connector/values-consumer.yaml
index 9d27f12c91..ad61ffc7e8 100644
--- a/charts/tractusx-connector/values-consumer.yaml
+++ b/charts/tractusx-connector/values-consumer.yaml
@@ -33,9 +33,6 @@ controlplane:
 hostname: consumer-edc-controlplane
 imagePullSecrets:
 - name: *imagePullSecret
- env:
- EDC_IAM_ISSUER_ID: *connectorId
- EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: *secretAlias
 ingresses:
 ## Public / Internet facing Ingress
 - enabled: true
@@ -80,10 +77,6 @@ dataplane:
 privatekey_alias: cons_priv
 verifier:
 publickey_alias: cons_pub
- env:
- EDC_IAM_ISSUER_ID: *connectorId
- EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: *trustedIssuerId
- EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: *secretAlias
 ingresses:
 ## Public / Internet facing Ingress
 - enabled: true
diff --git a/charts/tractusx-connector/values-provider.yaml b/charts/tractusx-connector/values-provider.yaml
index 21b693e6a4..c2f0af2356 100644
--- a/charts/tractusx-connector/values-provider.yaml
+++ b/charts/tractusx-connector/values-provider.yaml
@@ -33,9 +33,6 @@ controlplane:
 hostname: provider-edc-controlplane
 imagePullSecrets:
 - name: *imagePullSecret
- env:
- EDC_IAM_ISSUER_ID: *connectorId
- EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: *secretAlias
 ingresses:
 ## Public / Internet facing Ingress
 - enabled: true
@@ -80,10 +77,6 @@ dataplane:
 privatekey_alias: prov_priv
 verifier:
 publickey_alias: prov_pub
- env:
- EDC_IAM_ISSUER_ID: *connectorId
- EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: *trustedIssuerId
- EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: *secretAlias
 ingresses:
 ## Public / Internet facing Ingress
 - enabled: true
diff --git a/charts/tractusx-connector/values.yaml b/charts/tractusx-connector/values.yaml
index 6e40b98b78..93d713415b 100644
--- a/charts/tractusx-connector/values.yaml
+++ b/charts/tractusx-connector/values.yaml
@@ -270,7 +270,6 @@ controlplane:
 # -- Extra environment variables that will be passed onto deployment pods
 env:
 EDC_IAM_DID_WEB_USE_HTTPS: true
- EDC_IAM_ISSUER_ID: did:web:wallet.staging.construct-x.net:user
 TX_EDC_POSTGRESQL_MIGRATION_ASSET_ENABLED: false
 TX_EDC_POSTGRESQL_MIGRATION_AGREEMENTBPNS_ENABLED: false
 TX_EDC_POSTGRESQL_MIGRATION_BPN_ENABLED: false
@@ -283,7 +282,6 @@ controlplane:
 TX_EDC_POSTGRESQL_MIGRATION_POLICY-MONITOR_ENABLED: false
 TX_EDC_POSTGRESQL_MIGRATION_POLICY_ENABLED: false
 TX_EDC_POSTGRESQL_MIGRATION_TRANSFERPROCESS_ENABLED: false
- EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: usersecret
 EDC_IAM_CREDENTIAL_REVOCATION_MIMETYPE: application/json
 TX_EDC_IAM_IATP_DEFAULT-SCOPES_TEST_ALIAS: org.eclipse.dspace.dcp.vc.type
 TX_EDC_IAM_IATP_DEFAULT-SCOPES_TEST_TYPE: MembershipCredential
@@ -579,9 +577,6 @@ dataplane:
 EDC_IAM_DID_WEB_USE_HTTPS: true
 EDC_DATA_PLANE_SELF_UNREGISTRATION: true
 EDC_IAM_CREDENTIAL_REVOCATION_MIMETYPE: application/json
- EDC_IAM_ISSUER_ID: did:web:wallet.staging.construct-x.net:user
- EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID: did:web:issuer-wallet.staging.construct-x.net:issuer
- EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS: usersecret
 # -- "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
 # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
From 776e0152c49e2e0cf5c024959076815796f5e649 Mon Sep 17 00:00:00 2001
From: Simon Bergerfurth
Date: Thu, 18 Jun 2026 14:46:54 +0200
Subject: [PATCH 10/12] fix(helm): fix helm linting
---
 charts/tractusx-connector-memory/values.yaml | 12 ++++++------
 charts/tractusx-connector/values.yaml | 10 +++++-----
 2 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/charts/tractusx-connector-memory/values.yaml b/charts/tractusx-connector-memory/values.yaml
index a0e1008643..19c83d0fab 100644
--- a/charts/tractusx-connector-memory/values.yaml
+++ b/charts/tractusx-connector-memory/values.yaml
@@ -53,12 +53,12 @@ iatp:
 url:
 oauth:
 # -- URL where connectors can request OAuth2 access tokens for DIV access
- token_url:
+ token_url: "https://change-me"
 client:
 # -- Client ID for requesting OAuth2 access token for DIV access
- id:
+ id: "change-me"
 # -- Alias under which the client secret is stored in the vault for requesting OAuth2 access token for DIV access
- secret_alias:
+ secret_alias: "change-me"
 didService:
 selfRegistration:
 # -- Whether Service Self Registration is enabled
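Review bot: Filling the previously empty `token_url`, `id` and `secret_alias` with `"change-me"` / `"https://change-me"` satisfies the linter but lets an unconfigured release render and start against a non-existent STS endpoint, so the failure surfaces at runtime instead of at install time. Since these values must be supplied per deployment, a guard in the template that consumes them, e.g. `{{ required "iatp.sts.oauth.token_url must be set" .Values.iatp.sts.oauth.token_url }}`, would reject a missing value at `helm template`/`helm install`; if the lint finding was about bare empty values, an explicit empty string such as `token_url: ""` satisfies it while still letting `required` do its job, whereas a placeholder string passes any non-empty check. The same applies to the values.yaml hunks of this commit, including `trustedIssuerId: "change-me"`, which is now non-empty but is not a DID.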
@@ -217,17 +217,17 @@ runtime:
 refresh_endpoint:
 signer:
 # -- Alias under which the private key (JWK or PEM format) is stored in the vault
- privatekey_alias:
+ privatekey_alias: "change-me"
 verifier:
 # -- Alias under which the public key (JWK or PEM format) is stored in the vault, that belongs to the private key which was referred to at `dataplane.token.signer.privatekey_alias`
- publickey_alias:
+ publickey_alias: "change-me"
 bdrs:
 # -- Time that a cached BPN/DID resolution map is valid in seconds, default is 600 seconds (10 min)
 cache_validity_seconds: 600
 server:
 # -- URL of the BPN/DID Resolution Service
- url:
+ url: "https://change-me"
 # -- configuration for policy engine
 policy:
diff --git a/charts/tractusx-connector/values.yaml b/charts/tractusx-connector/values.yaml
index 93d713415b..be9f54fad3 100644
--- a/charts/tractusx-connector/values.yaml
+++ b/charts/tractusx-connector/values.yaml
@@ -43,7 +43,7 @@ iatp:
 # -- Decentralized IDentifier (DID) of the connector
 id: "did:web:changeme"
 # -- ID of the trusted issuer that is used for SI token validation (maps to EDC_IAM_TRUSTED-ISSUER_EXAMPLE_ID)
- trustedIssuerId: ""
+ trustedIssuerId: "change-me"
 # -- Configures the trusted issuers for this runtime. If no supportedTypes are specified, the value defaults to "*" for that issuer
 trustedIssuers: []
 # - id: "did:web:example1.com"
@@ -56,12 +56,12 @@ iatp:
 url:
 oauth:
 # -- URL where connectors can request OAuth2 access tokens for DIV access
- token_url:
+ token_url: "https://change-me"
 client:
 # -- Client ID for requesting OAuth2 access token for DIV access
- id:
+ id: "change-me"
 # -- Alias under which the client secret is stored in the vault for requesting OAuth2 access token for DIV access
- secret_alias:
+ secret_alias: "change-me"
 didService:
 selfRegistration:
 # -- Whether Service Self Registration is enabled
@@ -731,7 +731,7 @@ vault: dev: enabled: true devRootToken: "root" - postStart: # must be set externally! + postStart: # must be set externally! hashicorp: url: "http://{{ .Release.Name }}-vault:8200" token: "root" From 8c1723664280f750a3113e47835e5ad56250102d Mon Sep 17 00:00:00 2001 From: Simon Bergerfurth Date: Thu, 18 Jun 2026 14:53:06 +0200 Subject: [PATCH 11/12] chore(helm): fix indentation for helm linting --- .../tractusx-connector/values-consumer.yaml | 8 ++-- .../tractusx-connector/values-provider.yaml | 8 ++-- charts/tractusx-connector/values.yaml | 48 +++++++++---------- 3 files changed, 32 insertions(+), 32 deletions(-) diff --git a/charts/tractusx-connector/values-consumer.yaml b/charts/tractusx-connector/values-consumer.yaml index ad61ffc7e8..40f950cd30 100644 --- a/charts/tractusx-connector/values-consumer.yaml +++ b/charts/tractusx-connector/values-consumer.yaml @@ -113,10 +113,10 @@ dataplane: clusterIssuer: *clusterIssuer postgresql: - persistence: - enabled: true - size: 10Gi - storageClass: "" + persistence: + enabled: true + size: 10Gi + storageClass: "" vault: hashicorp: diff --git a/charts/tractusx-connector/values-provider.yaml b/charts/tractusx-connector/values-provider.yaml index c2f0af2356..937f669611 100644 --- a/charts/tractusx-connector/values-provider.yaml +++ b/charts/tractusx-connector/values-provider.yaml @@ -113,10 +113,10 @@ dataplane: clusterIssuer: *clusterIssuer postgresql: - persistence: - enabled: true - size: 10Gi - storageClass: "" + persistence: + enabled: true + size: 10Gi + storageClass: "" vault: hashicorp: diff --git a/charts/tractusx-connector/values.yaml b/charts/tractusx-connector/values.yaml index be9f54fad3..06ca15726b 100644 --- a/charts/tractusx-connector/values.yaml +++ b/charts/tractusx-connector/values.yaml 
@@ -699,30 +699,30 @@ dataplane:
 public: ""
 postgresql:
- # JDBC connection URL passed to the edc runtime.
- jdbcUrl: "jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc"
- auth:
- # Name of the PostgreSQL database created on first start. Must match with postgresql.jdbcUrl path.
- database: "edc"
- # PostgreSQL user that the issuer-wallet connects as.
- username: "user"
- # Password for the PostgreSQL user. Change before production use.
- password: "password"
- persistence:
- # Persist data across pod restarts.
- enabled: true
- size: 10Gi
- storageClass: ""
- # Initialization scripts ConfigMap
- initdb:
- scriptsConfigMap: "" # Optional: ConfigMap with init scripts
- resources:
- limits:
- cpu: 500m
- memory: 1Gi
- requests:
- cpu: 250m
- memory: 256Mi
+ # JDBC connection URL passed to the edc runtime.
+ jdbcUrl: "jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/edc"
+ auth:
+ # Name of the PostgreSQL database created on first start. Must match with postgresql.jdbcUrl path.
+ database: "edc"
+ # PostgreSQL user that the issuer-wallet connects as.
+ username: "user"
+ # Password for the PostgreSQL user. Change before production use.
+ password: "password"
+ persistence:
+ # Persist data across pod restarts.
+ enabled: true
+ size: 10Gi
+ storageClass: ""
+ # Initialization scripts ConfigMap
+ initdb:
+ scriptsConfigMap: "" # Optional: ConfigMap with init scripts
+ resources:
+ limits:
+ cpu: 500m
+ memory: 1Gi
+ requests:
+ cpu: 250m
+ memory: 256Mi
 vault:
 injector:
From 680baa310d1d261e9dcfc325bb105af32eea7686 Mon Sep 17 00:00:00 2001
From: Simon Bergerfurth
Date: Thu, 18 Jun 2026 14:56:31 +0200
Subject: [PATCH 12/12] chore(helm): fix indentation for helm linting
---
 charts/tractusx-connector/values.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/charts/tractusx-connector/values.yaml b/charts/tractusx-connector/values.yaml
index 06ca15726b..6c0c72c082 100644
--- a/charts/tractusx-connector/values.yaml
+++ b/charts/tractusx-connector/values.yaml
@@ -718,11 +718,11 @@ postgresql:
 scriptsConfigMap: "" # Optional: ConfigMap with init scripts
 resources:
 limits:
- cpu: 500m
- memory: 1Gi
+ cpu: 500m
+ memory: 1Gi
 requests:
- cpu: 250m
- memory: 256Mi
+ cpu: 250m
+ memory: 256Mi
 vault:
 injector: