Merge pull request #191 from catenax-ng/release/v2.1.0-refactor-dpp-h…

…elm-template [ 8° ] - Release/v2.1.0 dpp helm template: Refactor dpp helm template
eclipse-tractusx · Feb 2, 2024 · 6b087f7 · 6b087f7
2 parents 4c757ed + b47c217
commit 6b087f7
Show file tree

Hide file tree

Showing 15 changed files with 227 additions and 36 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -25,6 +25,46 @@
 
 The changelog format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [released]
+## [v2.0.2] - 02-02-2024
+## Added
+- Added Frameagreement conditions to the provider configuration
+- Added Unit Tests for Managers and for Services
+- Added changes from version `v1.0.0` to version `v2.0.0` for every component involved
+- Added iconMapping for all components involved in DPP `v2.0.0`
+- Added multi-language feature that supports currently `EN` and `DE`
+- Added back button in the welcome page
+- Added `timeToLive` attribute to discovery service model in the dpp-backed
+- Added `readOnlyRootFilesystem` to the container security context in helm charts
+
+
+## Updated
+- Cleaned up necessary scripts
+-Refactored the DPP and IRS postman collections
+- Updated the deployment and testing directory structure and their references in relevant documentation
+- Updated license header and deployment directory references in the following readme files:
+    - Admin guide
+    - Arc42
+    - Getting-Started guide
+- Updated test directory stricture in dpp-backend
+- Updated the app url from [https://materialpass.int.demo.catena-x.net](https://materialpass.int.demo.catena-x.net) to [https://dpp.int.demo.catena-x.net](https://dpp.int.demo.catena-x.net)
+- Updated the payloads of asset, policies, contract definition, digital twin and its aspects to align with the DPPTriangle document `v1.1.0`
+- Updated the following frontend content:
+    - Condition for "commercial.warranty" in General Cards
+    - Mocked passports
+    - Loading page translation
+    - Translation files
+    - Characteristics component
+    - Identification component
+    - Sustainability component
+    - Typology component
+- Updated helm template to provide security context values from helm vaules file
+
+
+## Deleted
+- Filtered out unnecessary nnecessary/unused files
+
+
 ## [released]
 ## [v2.0.1] - 03-01-2024
 ## Added

diff --git a/charts/digital-product-pass/Chart.yaml b/charts/digital-product-pass/Chart.yaml
@@ -1,7 +1,8 @@
 #################################################################################
-# Catena-X - Product Passport Consumer Application
+# Catena-X - Digital Passport Passport Application
 #
 # Copyright (c) 2022, 2023 BASF SE, BMW AG, Henkel AG & Co. KGaA
+# Copyright (c) 2022, 2024 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) distributed with this work for additional
 # information regarding copyright ownership.
@@ -40,10 +41,10 @@ type: application
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
 
-version: 2.0.1
+version: 2.0.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "2.0.1"
+appVersion: "2.0.2"
diff --git a/charts/digital-product-pass/README.md b/charts/digital-product-pass/README.md
@@ -1,6 +1,6 @@
 # digital-product-pass
 
-![Version: 2.0.1](https://img.shields.io/badge/Version-2.0.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.0.1](https://img.shields.io/badge/AppVersion-2.0.1-informational?style=flat-square)
+![Version: 2.0.2](https://img.shields.io/badge/Version-2.0.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.0.2](https://img.shields.io/badge/AppVersion-2.0.2-informational?style=flat-square)
 
 A Helm chart for Tractus-X Digital Product Pass Kubernetes
 
@@ -15,7 +15,7 @@ A Helm chart for Tractus-X Digital Product Pass Kubernetes
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` |  |
-| backend | object | `{"digitalTwinRegistry":{"endpoints":{"digitalTwin":"/shell-descriptors","search":"/lookup/shells","subModel":"/submodel-descriptors"},"temporaryStorage":{"enabled":true,"lifetime":12},"timeouts":{"digitalTwin":20,"negotiation":40,"search":10,"transfer":10}},"discovery":{"bpnDiscovery":{"key":"manufacturerPartId","path":"/api/v1.0/administration/connectors/bpnDiscovery/search"},"edcDiscovery":{"key":"bpn"},"hostname":""},"edc":{"apis":{"catalog":"/catalog/request","management":"/management/v2","negotiation":"/contractnegotiations","transfer":"/transferprocesses"},"delay":100,"hostname":"","participantId":"<Add participant id here>","xApiKey":"<Add API key here>"},"hostname":"localhost","image":{"pullPolicy":"Always","repository":"docker.io/tractusx/digital-product-pass-backend"},"imagePullSecrets":[],"ingress":{"enabled":false,"hosts":[{"host":"localhost","paths":[{"path":"/","pathType":"Prefix"}]}]},"irs":{"enabled":false,"hostname":""},"logging":{"level":{"root":"INFO","utils":"INFO"}},"maxRetries":5,"name":"dpp-backend","passport":{"aspects":["urn:bamm:io.catenax.generic.digital_product_passport:1.0.0#DigitalProductPassport","urn:bamm:io.catenax.battery.battery_pass:3.0.1#BatteryPass","urn:bamm:io.catenax.transmission.transmission_pass:1.0.0#TransmissionPass"]},"process":{"encryptionKey":""},"securityCheck":{"bpn":false,"edc":false},"serverPort":8888,"service":{"port":8888,"type":"ClusterIP"}}` | Backend configuration |
+| backend | object | `{"digitalTwinRegistry":{"endpoints":{"digitalTwin":"/shell-descriptors","search":"/lookup/shells","subModel":"/submodel-descriptors"},"temporaryStorage":{"enabled":true,"lifetime":12},"timeouts":{"digitalTwin":20,"negotiation":40,"search":10,"transfer":10}},"discovery":{"bpnDiscovery":{"key":"manufacturerPartId","path":"/api/v1.0/administration/connectors/bpnDiscovery/search"},"edcDiscovery":{"key":"bpn"},"hostname":""},"edc":{"apis":{"catalog":"/catalog/request","management":"/management/v2","negotiation":"/contractnegotiations","transfer":"/transferprocesses"},"delay":100,"hostname":"","participantId":"<Add participant id here>","xApiKey":"<Add API key here>"},"hostname":"localhost","image":{"pullPolicy":"Always","repository":"docker.io/tractusx/digital-product-pass-backend"},"imagePullSecrets":[],"ingress":{"enabled":false,"hosts":[{"host":"localhost","paths":[{"path":"/","pathType":"Prefix"}]}]},"irs":{"enabled":false,"hostname":""},"logging":{"level":{"root":"INFO","utils":"INFO"}},"maxRetries":5,"name":"dpp-backend","passport":{"aspects":["urn:bamm:io.catenax.generic.digital_product_passport:1.0.0#DigitalProductPassport","urn:bamm:io.catenax.battery.battery_pass:3.0.1#BatteryPass","urn:bamm:io.catenax.transmission.transmission_pass:1.0.0#TransmissionPass"]},"podSecurityContext":{"fsGroup":3000,"runAsGroup":3000,"runAsUser":10000,"seccompProfile":{"type":"RuntimeDefault"}},"process":{"encryptionKey":""},"securityCheck":{"bpn":false,"edc":false},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"add":[],"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":3000,"runAsNonRoot":true,"runAsUser":10000},"serverPort":8888,"service":{"port":8888,"type":"ClusterIP"}}` | Backend configuration |
 | backend.digitalTwinRegistry.temporaryStorage | object | `{"enabled":true,"lifetime":12}` | temporary storage of dDTRs for optimization |
 | backend.digitalTwinRegistry.temporaryStorage.lifetime | int | `12` | lifetime of the temporaryStorage in hours |
 | backend.digitalTwinRegistry.timeouts | object | `{"digitalTwin":20,"negotiation":40,"search":10,"transfer":10}` | timeouts for the digital twin registry async negotiation |
@@ -36,9 +36,21 @@ A Helm chart for Tractus-X Digital Product Pass Kubernetes
 | backend.maxRetries | int | `5` | max retries for the backend services |
 | backend.passport | object | `{"aspects":["urn:bamm:io.catenax.generic.digital_product_passport:1.0.0#DigitalProductPassport","urn:bamm:io.catenax.battery.battery_pass:3.0.1#BatteryPass","urn:bamm:io.catenax.transmission.transmission_pass:1.0.0#TransmissionPass"]}` | passport data transfer configuration |
 | backend.passport.aspects | list | `["urn:bamm:io.catenax.generic.digital_product_passport:1.0.0#DigitalProductPassport","urn:bamm:io.catenax.battery.battery_pass:3.0.1#BatteryPass","urn:bamm:io.catenax.transmission.transmission_pass:1.0.0#TransmissionPass"]` | passport versions and aspects allowed |
+| backend.podSecurityContext | object | `{"fsGroup":3000,"runAsGroup":3000,"runAsUser":10000,"seccompProfile":{"type":"RuntimeDefault"}}` | The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment |
+| backend.podSecurityContext.fsGroup | int | `3000` | The owner for volumes and any files created within volumes will belong to this guid |
+| backend.podSecurityContext.runAsGroup | int | `3000` | Processes within a pod will belong to this guid |
+| backend.podSecurityContext.runAsUser | int | `10000` | Runs all processes within a pod with a special uid |
+| backend.podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | Restrict a Container's Syscalls with seccomp |
 | backend.process | object | `{"encryptionKey":""}` | digital twin registry configuration |
 | backend.process.encryptionKey | string | `""` | unique sha512 hash key used for the passport encryption |
 | backend.securityCheck | object | `{"bpn":false,"edc":false}` | security configuration |
+| backend.securityContext.allowPrivilegeEscalation | bool | `false` | Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID |
+| backend.securityContext.capabilities.add | list | `[]` | Specifies which capabilities to add to issue specialized syscalls |
+| backend.securityContext.capabilities.drop | list | `["ALL"]` | Specifies which capabilities to drop to reduce syscall attack surface |
+| backend.securityContext.readOnlyRootFilesystem | bool | `true` | Whether the root filesystem is mounted in read-only mode |
+| backend.securityContext.runAsGroup | int | `3000` | The owner for volumes and any files created within volumes will belong to this guid |
+| backend.securityContext.runAsNonRoot | bool | `true` | Requires the container to run without root privileges |
+| backend.securityContext.runAsUser | int | `10000` | The container's process will run with the specified uid |
 | backend.serverPort | int | `8888` | configuration of the spring boot server |
 | backend.service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service |
 | frontend.api | object | `{"delay":1000,"max_retries":30,"timeout":90000}` | api timeouts |
@@ -54,14 +66,26 @@ A Helm chart for Tractus-X Digital Product Pass Kubernetes
 | frontend.irs.maxWaitingTime | int | `30` | maximum waiting time to get the irs job status |
 | frontend.irs.requestDelay | int | `30000` | request timeout delay |
 | frontend.name | string | `"dpp-frontend"` |  |
+| frontend.podSecurityContext | object | `{"fsGroup":3000,"runAsGroup":3000,"runAsUser":10000,"seccompProfile":{"type":"RuntimeDefault"}}` | The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment |
+| frontend.podSecurityContext.fsGroup | int | `3000` | The owner for volumes and any files created within volumes will belong to this guid |
+| frontend.podSecurityContext.runAsGroup | int | `3000` | Processes within a pod will belong to this guid |
+| frontend.podSecurityContext.runAsUser | int | `10000` | Runs all processes within a pod with a special uid |
+| frontend.podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | Restrict a Container's Syscalls with seccomp |
 | frontend.portal.hostname | string | `""` |  |
+| frontend.securityContext.allowPrivilegeEscalation | bool | `false` | Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID |
+| frontend.securityContext.capabilities.add | list | `[]` | Specifies which capabilities to add to issue specialized syscalls |
+| frontend.securityContext.capabilities.drop | list | `["ALL"]` | Specifies which capabilities to drop to reduce syscall attack surface |
+| frontend.securityContext.readOnlyRootFilesystem | bool | `false` | Whether the root filesystem is mounted in read-only mode |
+| frontend.securityContext.runAsGroup | int | `3000` | The owner for volumes and any files created within volumes will belong to this guid |
+| frontend.securityContext.runAsNonRoot | bool | `true` | Requires the container to run without root privileges |
+| frontend.securityContext.runAsUser | int | `10000` | The container's process will run with the specified uid |
 | frontend.service.port | int | `8080` |  |
 | frontend.service.type | string | `"ClusterIP"` | [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service |
 | frontend.supportContact.adminEmail | string | `"[email protected]"` |  |
 | name | string | `"digital-product-pass"` |  |
 | namespace | string | `""` |  |
 | nodeSelector | object | `{}` |  |
-| oauth | object | `{"appId":"","bpnCheck":{"bpn":"<Add participant id here>","enabled":false},"hostname":"","onLoad":"login-required","realm":"","roleCheck":{"enabled":false},"techUser":{"clientId":"<Add client id here>","clientSecret":"<Add client secret here>"}}` | oauth configuration |
+| oauth | object | `{"appId":"<app-id>","bpnCheck":{"bpn":"<Add participant id here>","enabled":false},"hostname":"","onLoad":"login-required","realm":"<realm>","roleCheck":{"enabled":false},"techUser":{"clientId":"<Add client id here>","clientSecret":"<Add client secret here>"}}` | oauth configuration |
 | oauth.bpnCheck | object | `{"bpn":"<Add participant id here>","enabled":false}` | configure here the bpn check for the application |
 | oauth.bpnCheck.bpn | string | `"<Add participant id here>"` | this bpn needs to be included in the user login information when the check is enabled |
 | oauth.hostname | string | `""` | url of the identity provider service |

diff --git a/charts/digital-product-pass/templates/deployment-backend.yaml b/charts/digital-product-pass/templates/deployment-backend.yaml
@@ -44,16 +44,13 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       securityContext:
-        runAsUser: 10000
-        fsGroup: 3000
+        {{- toYaml .Values.backend.podSecurityContext | nindent 8 }}
       containers:
         - name: {{ .Values.backend.name }}
           image: "{{ .Values.backend.image.repository }}:{{ .Values.backend.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.backend.image.pullPolicy }}
           securityContext:
-            allowPrivilegeEscalation: false
-            runAsUser: 10000
-            runAsGroup: 3000
+            {{- toYaml .Values.backend.securityContext | nindent 12 }}
           env:
             - name: "appId"
               valueFrom:
@@ -86,9 +83,16 @@ spec:
             - name: pvc-backend
               mountPath: /app/data/process
               subPath: data/process
-            - name: pvc-backend
+            - name: tmpfs
               mountPath: /app/log
               subPath: log
+            - name: tmpfs
+              mountPath: /tmp
+            - name: tmpfs
+              mountPath: /app/data/VaultConfig
+              subPath: VaultConfig/vault.token.yml
+            - name: tmpfs
+              mountPath: /app/tmp
           ports:
             - containerPort: 8888
               name: http
@@ -114,5 +118,7 @@ spec:
         - name: pvc-backend
           persistentVolumeClaim:
             claimName: pvc-data
+        - name: tmpfs
+          emptyDir: {}
 
 
diff --git a/charts/digital-product-pass/templates/deployment-frontend.yaml b/charts/digital-product-pass/templates/deployment-frontend.yaml
@@ -44,16 +44,13 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       securityContext:
-        runAsUser: 10000
-        fsGroup: 3000
+        {{- toYaml .Values.frontend.podSecurityContext | nindent 8 }}
       containers:
         - name: {{ .Values.frontend.name }}
           image: "{{ .Values.frontend.image.repository }}:{{ .Values.frontend.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.frontend.image.pullPolicy }}
-          securityContext: 
-            allowPrivilegeEscalation: false
-            runAsUser: 10000
-            runAsGroup: 3000
+          securityContext:
+            {{- toYaml .Values.frontend.securityContext | nindent 12 }}
           env:          
             {{- with (first .Values.frontend.ingress.hosts) }}
             - name: "SERVER_URL"
@@ -107,7 +104,6 @@ spec:
 
             - name: "VERSION"
               value: "{{ .Chart.AppVersion }}"
-
           ports:
             - containerPort: 8080
               name: http