Merge branch 'main' into fix/hard-coded-api-key

# Conflicts:
#	charts/puris/Chart.yaml
#	charts/puris/README.md
#	charts/puris/templates/frontend-deployment.yaml
#	charts/puris/values.yaml

charts/puris/Chart.yaml

@@ -25,12 +25,12 @@ description: A helm chart for Kubernetes deployment of PURIS
 type: application
 home: https://github.com/eclipse-tractusx/puris
 sources:
-    - https://github.com/eclipse-tractusx/puris
+  - https://github.com/eclipse-tractusx/puris
 dependencies:
-    - condition: postgresql.enabled
-      name: postgresql
-      repository: https://charts.bitnami.com/bitnami
-      version: 12.12.x
+  - condition: postgresql.enabled
+    name: postgresql
+    repository: https://charts.bitnami.com/bitnami
+    version: 12.12.x
 
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.

charts/puris/README.md

@@ -156,6 +156,9 @@ $ helm install puris --namespace puris --create-namespace .
 | frontend.puris.keycloak.realm | string | `"Catena-X"` | Name of the Realm of the keycloak instance. |
 | frontend.puris.keycloak.redirectUrlFrontend | string | `"https://your-frontend-url.com"` | URL to use as keycloak redirect url. |
 | frontend.puris.keycloak.url | string | `"https://idp.com/auth"` | The URL to the IDP that should be used. |
+| frontend.puris.rateLimiting.burst | int | `30` | Burst rate limiting for nginx. |
+| frontend.puris.rateLimiting.limit | string | `"10m"` | Bucket zone limit for rate limiting in nginx. |
+| frontend.puris.rateLimiting.rate | string | `"10r/s"` | Allowed rates per second for nginx rate limiting. |
 | frontend.readinessProbe | object | `{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1}` | Checks if the pod is fully ready to operate |
 | frontend.readinessProbe.failureThreshold | int | `3` | Number of failures (threshold) for a readiness probe |
 | frontend.readinessProbe.initialDelaySeconds | int | `10` | Delay in seconds after which an initial readiness probe is checked |

charts/puris/templates/frontend-deployment.yaml

@@ -72,6 +72,12 @@ spec:
               value: "{{ .Values.frontend.puris.keycloak.clientId }}"
             - name: IDP_REDIRECT_URL_FRONTEND
               value: "{{ .Values.frontend.puris.keycloak.redirectUrlFrontend }}"
+            - name: NGINX_RATE_LIMIT
+              value: "{{ .Values.frontend.puris.rateLimiting.limit }}"
+            - name: NGINX_BURST
+              value: "{{ .Values.frontend.puris.rateLimiting.burst }}"
+            - name: NGINX_RATE
+              value: "{{ .Values.frontend.puris.rateLimiting.rate }}"
             ######################################
             ## Additional environment variables ##
             ######################################

charts/puris/values.yaml

@@ -162,7 +162,7 @@ frontend:
     # -- Delay in seconds after which an initial readiness probe is checked
     initialDelaySeconds: 10
     # -- Wait time in seconds between readiness probes
-    periodSeconds: 80
+    periodSeconds: 10
     # -- Number of trys until a pod is marked ready
     successThreshold: 1
     # -- Timeout in seconds of the readiness probe
@@ -206,6 +206,13 @@ frontend:
       clientId: "appXYZ"
       # -- URL to use as keycloak redirect url.
       redirectUrlFrontend: "https://your-frontend-url.com"
+    rateLimiting:
+      # -- Bucket zone limit for rate limiting in nginx.
+      limit: 10m
+      # -- Burst rate limiting for nginx.
+      burst: 30
+      # -- Allowed rates per second for nginx rate limiting.
+      rate: 10r/s
 
   # -- Extra environment variables that will be passed onto the frontend deployment pods
   env: {}
@@ -348,9 +355,9 @@ backend:
     # -- Number of failures (threshold) for a readiness probe
     failureThreshold: 3
     # -- Delay in seconds after which an initial readiness probe is checked
-    initialDelaySeconds: 120
+    initialDelaySeconds: 250
     # -- Wait time in seconds between readiness probes
-    periodSeconds: 60
+    periodSeconds: 25
     # -- Number of trys until a pod is marked ready
     successThreshold: 1
     # -- Timeout in seconds of the readiness probe
@@ -360,8 +367,8 @@ backend:
     # -- Secret for backend passwords. For more information look into 'backend-secrets.yaml' file.
     existingSecret: "secret-backend-puris"
     api:
-      # -- The API key of the PURIS application. Secret-key 'puris-api-key'.
-      key: "test2"
+      # -- The API key of the PURIS application
+      key: "test"
       # -- The root directory of the API
       rootDir: /catena
     datasource:
@@ -371,7 +378,7 @@ backend:
       url: jdbc:postgresql://postgresql-name:5432/puris-database
       # -- Username of the database. Ignored if postgres.enabled is true.
       username: db-user
-      # -- Password for the database user. Ignored if postgres.enabled is true. Secret-key 'puris-datasource-password'.
+      # -- Password for the database user. Ignored if postgres.enabled is true.
       password:
     edc:
       controlplane:
@@ -382,7 +389,7 @@ backend:
         protocol:
           # -- Url to the EDC controlplane protocol API of the edc
           url: "https://your-edc-address:8184/api/v1/dsp"
-        # -- Key for the EDC control plane. Secret-key 'puris-edc-controlplane-key'
+        # -- Key for the EDC control plane
         key: "password"
     own:
       # -- Own BPNL of the EDC
@@ -395,7 +402,7 @@ backend:
       country: "Germany"
       site:
         # -- Own site name
-        name: "puris-test"
+        name: "YOUR-SITE-NAME"
       # -- Own street and number
       streetnumber: "Musterstraße 110A"
       # -- Own zipcode and city
@@ -405,7 +412,7 @@ backend:
     demonstrator:
       # -- Current role of the PURIS demonstrator. Default value should be empty.
       # Can be set to "customer" or "supplier" to enable demonstration setup
-      role: "customer"
+      role:
     jpa:
       hibernate:
         # -- Initialises SQL database with Hibernate property "create" to allow Hibernate to first drop all tables and then create new ones

docs/adminGuide/Admin_Guide.md

@@ -94,6 +94,16 @@ Thus, it may seem that the Credential is available, but isn't. Same applies to t
 _Note: Please refer to
 the [Portal's documentation on how to sign use case agreements](https://github.com/eclipse-tractusx/portal-assets/blob/main/docs/user/06.%20Certificates/01.%20UseCase%20Participation.md)._
 
+## Rate Limiting using nginx
+
+Rate limiting is by default enabled in the puris frontend served by nginx and can be dynamically configured.
+In order to adjust any variables of nginx's rate limiting or disable it, one has to modify the respective variables in either the
+local docker deployment by setting the necessary environment variables, or by modifying the variables in the helm chart values.yaml.
+
+These variables then get dynamically injected in the nginx.conf file, which is then copied to the docker image to be used by nginx.
+That means that the rate limiting can be disabled by modifying the nginx.conf file in the frontend folder. This is also the place
+to insert and override any other nginx configurations.
+
 ## Serving with HTTPS / SSL
 
 Serving with SSL is available for Docker and Helm Deployment. In local deployment directly with mvn (backend) and

frontend/Dockerfile

@@ -56,6 +56,8 @@ ENV JSFOLDER=/usr/share/nginx/html/assets/*.js
 # use root user to install moreutils for sponge in start-nginx to substring env workaround
 USER root
 
+COPY ./nginx.conf /etc/nginx/nginx.conf
+RUN chmod 117 /etc/nginx/nginx.conf
 COPY ./start-nginx.sh /usr/bin/start-nginx.sh
 RUN apk --no-cache add moreutils
 

frontend/nginx.conf

@@ -0,0 +1,46 @@
+worker_processes  auto;
+
+error_log  /var/log/nginx/error.log notice;
+pid        /tmp/nginx.pid;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    proxy_temp_path /tmp/proxy_temp;
+    client_body_temp_path /tmp/client_temp;
+    fastcgi_temp_path /tmp/fastcgi_temp;
+    uwsgi_temp_path /tmp/uwsgi_temp;
+    scgi_temp_path /tmp/scgi_temp;
+
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log /var/log/nginx/access.log main;
+
+    sendfile on;
+    #tcp_nopush on;
+
+    keepalive_timeout 65;
+
+    #gzip  on;
+
+    limit_req_zone $binary_remote_addr zone=zoneLimit:${NGINX_RATE_LIMIT} rate=${NGINX_RATE};
+    limit_req_status 503;
+
+    server {
+        listen 8080;
+        server_name localhost;
+
+        location / {
+            limit_req zone=zoneLimit burst=${NGINX_BURST} nodelay;
+            root /usr/share/nginx/html;
+            index index.html index.htm;
+        }
+    }
+}

frontend/start-nginx.sh

@@ -18,4 +18,7 @@ do
   envsubst $EXISTING_VARS < $file | sponge $file
   echo -e "\r\n"
 done
+
+envsubst $EXISTING_VARS < /etc/nginx/nginx.conf | sponge /etc/nginx/nginx.conf
+
 nginx -g 'daemon off;'

local/docker-compose.yaml

@@ -42,6 +42,9 @@ services:
             - ENDPOINT_UPDATE_REPORTED_PRODUCT_STOCKS=stockView/update-reported-product-stocks?ownMaterialNumber=
             - ENDPOINT_PARTNER_OWNSITES=partners/ownSites
             - IDP_DISABLE=true
+            - NGINX_RATE_LIMIT=10m
+            - NGINX_BURST=30
+            - NGINX_RATE=10r/s
         networks:
             - miw-net
         extra_hosts:
@@ -172,6 +175,9 @@ services:
             - ENDPOINT_UPDATE_REPORTED_PRODUCT_STOCKS=stockView/update-reported-product-stocks?ownMaterialNumber=
             - ENDPOINT_PARTNER_OWNSITES=partners/ownSites
             - IDP_DISABLE=true
+            - NGINX_RATE_LIMIT=10m
+            - NGINX_BURST=30
+            - NGINX_RATE=10r/s
         networks:
             - miw-net
         extra_hosts: