sap-contributions · hemantxpatel · Jan 10, 2024 · Jan 11, 2024 · Jan 22, 2024 · Feb 9, 2024
diff --git a/mxd/ingress.tf → mxd/ingress.tfignore b/mxd/ingress.tf → mxd/ingress.tfignore
diff --git a/mxd/keycloak.tf b/mxd/keycloak.tf
@@ -17,6 +17,14 @@
 #  SPDX-License-Identifier: Apache-2.0
 #
 
+module "keycloak-postgres" {
+  source            = "./modules/postgres"
+  database-name     = "keycloak"
+  database-username = "keycloak"
+  database-password = "keycloak"
+  database-port     = var.postgres-port
+}
+
 resource "kubernetes_deployment" "keycloak" {
   metadata {
     name = "keycloak"
@@ -109,20 +117,21 @@ resource "kubernetes_config_map" "keycloak_env" {
   data = {
     KC_DB                      = "postgres"
     KC_DB_SCHEMA               = "public"
-    KC_DB_PASSWORD             = local.kc-pg-pwd
-    KC_DB_USERNAME             = var.keycloak-db-user
-    KC_DB_URL                  = "jdbc:postgresql://${local.pg-host}/${var.keycloak-database}"
+    KC_DB_PASSWORD             = module.keycloak-postgres.database-password
+    KC_DB_USERNAME             = module.keycloak-postgres.database-username
+    KC_DB_URL                  = "jdbc:postgresql://${module.keycloak-postgres.database-url}/${module.keycloak-postgres.database-name}"
     KEYCLOAK_MIW_PUBLIC_CLIENT = "miw_public"
     KEYCLOAK_ADMIN             = "admin"
     KEYCLOAK_ADMIN_PASSWORD    = "admin"
     # the KC_HOSTNAME must be known in advance, so that Keycloak's token contain valid `iss` claims
 
-    KC_HOSTNAME       = local.keycloak-ip
-    KC_HEALTH_ENABLED = true
-    MIW_BPN           = var.miw-bpn
-    ALICE_BPN         = var.alice-bpn
-    BOB_BPN           = var.bob-bpn
-    TRUDY_BPN         = var.trudy-bpn
+    KC_HOSTNAME              = local.keycloak-ip
+    KC_HEALTH_ENABLED        = true
+    MIW_BPN                  = var.miw-bpn
+    ALICE_BPN                = var.alice-bpn
+    BOB_BPN                  = var.bob-bpn
+    TRUDY_BPN                = var.trudy-bpn
+    PROXY_ADDRESS_FORWARDING = true
   }
 }
 
@@ -146,6 +155,6 @@ resource "kubernetes_service" "keycloak" {
 }
 
 locals {
-  keycloak-ip  = "10.96.103.80"
-  keycloak-url = "${local.keycloak-ip}:${var.keycloak-port}"
+  keycloak-ip  = "100.104.103.180"
+  keycloak-url = "http://${local.keycloak-ip}:${var.keycloak-port}"
 }
diff --git a/mxd/keycloak/miw_test_realm.json b/mxd/keycloak/miw_test_realm.json
@@ -26,7 +26,7 @@
   "oauth2DeviceCodeLifespan": 600,
   "oauth2DevicePollingInterval": 5,
   "enabled": true,
-  "sslRequired": "external",
+  "sslRequired": "none",
   "registrationAllowed": false,
   "registrationEmailAsUsername": false,
   "rememberMe": false,

diff --git a/mxd/main.tf b/mxd/main.tf
@@ -29,7 +29,7 @@ terraform {
 
     keycloak = {
       source  = "mrparkers/keycloak"
-      version = "4.3.1"
+      version = "4.4.0"
     }
     kubernetes = {
       source = "hashicorp/kubernetes"
@@ -38,12 +38,14 @@ terraform {
 }
 
 provider "kubernetes" {
-  config_path = "~/.kube/config"
+  config_path    = "~/.kube/config"
+  config_context = "shoot--edc-lpt--mxd"
 }
 
 provider "helm" {
   kubernetes {
-    config_path = "~/.kube/config"
+    config_path    = "~/.kube/config"
+    config_context = "shoot--edc-lpt--mxd"
   }
 }
 
@@ -52,11 +54,10 @@ module "alice-connector" {
   source            = "./modules/connector"
   humanReadableName = "alice"
   participantId     = var.alice-bpn
-  database-host     = local.pg-ip
   database-name     = "alice"
   database-credentials = {
-    user     = "postgres"
-    password = "postgres"
+    user     = "alice"
+    password = "alice"
   }
   ssi-config = {
     miw-url            = "http://${kubernetes_service.miw.metadata.0.name}:${var.miw-api-port}"
@@ -73,11 +74,10 @@ module "bob-connector" {
   source            = "./modules/connector"
   humanReadableName = "bob"
   participantId     = var.bob-bpn
-  database-host     = local.pg-ip
   database-name     = "bob"
   database-credentials = {
-    user     = "postgres"
-    password = "postgres"
+    user     = "bob"
+    password = "bob"
   }
   ssi-config = {
     miw-url            = "http://${kubernetes_service.miw.metadata.0.name}:${var.miw-api-port}"

diff --git a/mxd/miw.tf b/mxd/miw.tf
@@ -17,6 +17,14 @@
 #  SPDX-License-Identifier: Apache-2.0
 #
 
+module "miw-postgres" {
+  source            = "./modules/postgres"
+  database-name     = "miw"
+  database-username = "miw"
+  database-password = "miw"
+  database-port     = var.postgres-port
+}
+
 resource "kubernetes_deployment" "miw" {
   metadata {
     name = "miw"
@@ -41,7 +49,7 @@ resource "kubernetes_deployment" "miw" {
       spec {
         container {
           name              = "miw"
-          image             = "tractusx/managed-identity-wallet:main"
+          image             = "hemantxpatel/managed-identity-wallet:main"
           image_pull_policy = "Always"
 
           port {
@@ -79,12 +87,12 @@ resource "kubernetes_config_map" "miw-config" {
     name = "miw-config"
   }
   data = {
-    DB_HOST      = local.pg-ip
-    DB_PORT      = var.postgres-port
+    DB_HOST      = module.miw-postgres.database-host
+    DB_PORT      = module.miw-postgres.database-port
     DB_USER      = "postgres"
-    DB_NAME      = var.miw-database
-    DB_USER_NAME = var.miw-db-user
-    DB_PASSWORD  = local.miw-pg-pwd
+    DB_NAME      = module.miw-postgres.database-name
+    DB_USER_NAME = module.miw-postgres.database-username
+    DB_PASSWORD  = module.miw-postgres.database-password
 
     KEYCLOAK_CLIENT_ID              = "miw_private_client"
     ENCRYPTION_KEY                  = "Woh9waid4Ei5eez0aitieghoow9so4oe"
@@ -130,7 +138,7 @@ resource "kubernetes_service" "miw" {
 }
 
 locals {
-  miw-ip         = "10.96.81.222"
+  miw-ip         = "100.104.81.222"
   miw-url        = "${local.miw-ip}:${var.miw-api-port}"
   keycloak-realm = "miw_test"
 }
diff --git a/mxd/modules/connector/ingress.tf b/mxd/modules/connector/ingress.tf
@@ -28,6 +28,7 @@ resource "kubernetes_ingress_v1" "mxd-ingress" {
   spec {
     ingress_class_name = "nginx"
     rule {
+      host = "edc.ingress.mxd.edc-lpt.shoot.live.k8s-hana.ondemand.com"
       http {
         path {
           path = "/${var.humanReadableName}(/|$)(.*)"

diff --git a/mxd/modules/connector/main.tf b/mxd/modules/connector/main.tf
@@ -17,6 +17,15 @@
 #  SPDX-License-Identifier: Apache-2.0
 #
 
+module "postgres" {
+  source = "../postgres"
+
+  database-name     = var.database-name
+  database-username = var.database-credentials.user
+  database-password = var.database-credentials.password
+  database-port     = var.database-port
+}
+
 resource "helm_release" "connector" {
   name              = lower(var.humanReadableName)
   force_update      = true
@@ -27,6 +36,7 @@ resource "helm_release" "connector" {
 
   repository = "https://eclipse-tractusx.github.io/charts/dev"
   chart      = "tractusx-connector"
+  version    = "0.6.0"
 
   values = [
     file("${path.module}/values.yaml"),
@@ -37,7 +47,14 @@ resource "helm_release" "connector" {
           "postStart" : [
             "sh",
             "-c",
-            "sleep 5 && /bin/vault kv put secret/client-secret content=${local.client_secret} && /bin/vault kv put secret/aes-keys content=${local.aes_key_b64} && /bin/vault kv put secret/${var.ssi-config.oauth-secretalias} content=${var.ssi-config.oauth-clientsecret}"
+            join(" && ", [
+              "sleep 5",
+              "/bin/vault kv put secret/client-secret content=${local.client_secret}",
+              "/bin/vault kv put secret/aes-keys content=${local.aes_key_b64}",
+              "/bin/vault kv put secret/${var.ssi-config.oauth-secretalias} content=${var.ssi-config.oauth-clientsecret}",
+              "/bin/vault kv put secret/transferProxyTokenSignerPrivateKey content='${tls_private_key.transfer_proxy_privatekey.private_key_pem}'",
+              "/bin/vault kv put secret/transferProxyTokenSignerPublicKey content='${tls_private_key.transfer_proxy_privatekey.public_key_pem}'",
+            ])
           ]
         }
       }
@@ -47,6 +64,13 @@ resource "helm_release" "connector" {
         env : {
           "TX_SSI_ENDPOINT_AUDIENCE" : "http://${kubernetes_service.controlplane-service.metadata.0.name}:8084/api/v1/dsp"
           "EDC_DSP_CALLBACK_ADDRESS" : "http://${kubernetes_service.controlplane-service.metadata.0.name}:8084/api/v1/dsp"
+          "EDC_HOSTNAME" : "${var.humanReadableName}-tractusx-connector-controlplane"
+          "EDC_DATAPLANE_SELECTOR_DEFAULTPLANE_SOURCETYPES" : "HttpData,AmazonS3,AzureStorage"
+          "EDC_DATAPLANE_SELECTOR_DEFAULTPLANE_DESTINATIONTYPES" : "HttpProxy,AmazonS3,AzureStorage"
+          "EDC_DATASOURCE_POLICY-MONITOR_NAME" : "policy-monitor"
+          "EDC_DATASOURCE_POLICY-MONITOR_USER" : var.database-credentials.user
+          "EDC_DATASOURCE_POLICY-MONITOR_PASSWORD" : var.database-credentials.password
+          "EDC_DATASOURCE_POLICY-MONITOR_URL" : local.jdbcUrl
         }
         ssi : {
           miw : {
@@ -109,8 +133,12 @@ resource "random_string" "aes_key_raw" {
   length = 16
 }
 
+resource "tls_private_key" "transfer_proxy_privatekey" {
+  algorithm = "ED25519"
+}
+
 locals {
   aes_key_b64   = base64encode(random_string.aes_key_raw.result)
   client_secret = base64encode(random_string.kc_client_secret.result)
-  jdbcUrl       = "jdbc:postgresql://${var.database-host}:${var.database-port}/${var.database-name}"
+  jdbcUrl       = "jdbc:postgresql://${module.postgres.database-url}/${var.database-name}"
 }
diff --git a/mxd/modules/connector/outputs.tf b/mxd/modules/connector/outputs.tf
@@ -28,14 +28,14 @@ output "database-name" {
   value = var.database-name
 }
 
-output "urls" {
-  value = {
-    management = local.management_url
-    health     = local.health_url
-    proxy      = local.proxy_url
-    public     = local.public_url
-  }
-}
+#output "urls" {
+#  value = {
+#    management = local.management_url
+#    health     = local.health_url
+#    proxy      = local.proxy_url
+#    public     = local.public_url
+#  }
+#}
 
 output "node-ip" {
   value = kubernetes_service.controlplane-service.spec.0.cluster_ip

diff --git a/mxd/modules/connector/values.yaml b/mxd/modules/connector/values.yaml
@@ -34,7 +34,7 @@ controlplane:
       authKey: password
   image:
     pullPolicy: Never
-    tag: "latest"
+    #tag: "latest"
 #    repository: "edc-controlplane-postgresql-hashicorp-vault"
   securityContext:
     # avoids some errors in the log: cannot write temp files of large multipart requests when R/O
@@ -52,7 +52,7 @@ dataplane:
     port: 1044
   image:
     pullPolicy: Never
-    tag: "latest"
+    #tag: "latest"
 #    repository: "edc-dataplane-hashicorp-vault"
   securityContext:
     # avoids some errors in the log: cannot write temp files of large multipart requests when R/O
@@ -78,6 +78,8 @@ vault:
     token: root
   secretNames:
     transferProxyTokenEncryptionAesKey: aes-keys
+    transferProxyTokenSignerPrivateKey: transferProxyTokenSignerPrivateKey
+    transferProxyTokenSignerPublicKey: transferProxyTokenSignerPublicKey
     # this must be set through CLI args: --set vault.secrets=$YOUR_VAULT_SECRETS where YOUR_VAULT_SECRETS should
     #    # be a string in the format "key1:secret1;key2:secret2;..."
     secrets:

diff --git a/mxd/modules/connector/variables.tf b/mxd/modules/connector/variables.tf
@@ -33,10 +33,6 @@ variable "participantId" {
   description = "Participant ID of the connector. In Catena-X, this MUST be the BPN"
 }
 
-variable "database-host" {
-  description = "IP address (ClusterIP) or host name of the postgres database host"
-
-}
 variable "database-port" {
   default     = 5432
   description = "Port where the Postgres database is reachable, defaults to 5432."
-Original file line number
+Diff line change
@@ Expand Up / @@ -28,6 +28,7 @@ resource "kubernetes_ingress_v1" "mxd-ingress" { @@
       spec {
         ingress_class_name = "nginx"
         rule {
+          host = "edc.ingress.mxd.edc-lpt.shoot.live.k8s-hana.ondemand.com"
           http {
             path {
               path = "/${var.humanReadableName}(/|$)(.*)"
@@ Expand Down @@