A Helm chart for the Tractus-X Eclipse Data Space Connector. The connector deployment consists of two runtimes: a Control Plane and a Data Plane. Note that no external dependencies such as a PostgreSQL database or an Azure KeyVault are included.
This chart is intended for use with an existing PostgreSQL database and an existing Azure KeyVault.
Homepage: https://github.com/eclipse-tractusx/tractusx-edc/tree/main/charts/tractusx-connector
This chart uses Azure KeyVault, which is expected to contain the following secrets on application start:

- daps-cert: contains the x509 certificate of the connector
- daps-key: the private key of the x509 certificate
- aes-keys: a 128-bit, 256-bit or 512-bit string used to encrypt data. Must be stored in base64 format.
These must be obtained from a DAPS instance, the process of which is out of the scope of this document. Alternatively, self-signed certificates can be used for testing:

```shell
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout daps.key -out daps.cert -subj "/CN=test"
export DAPS_KEY="$(cat daps.key)"
export DAPS_CERT="$(cat daps.cert)"
```
The following requirements must be met before launching the application:
- Write access to an Azure KeyVault instance is required to run this chart
- Secrets are seeded in advance
- The vault's client id, client secret, tenant id and vault name (not the URL!) are known
Please also consider using the example configuration file tractusx-connector-azure-vault-test.yaml to launch the application. Combined, run these shell commands to start the in-memory Tractus-X EDC runtime:

```shell
helm repo add tractusx-edc https://eclipse-tractusx.github.io/charts/dev
helm install my-release tractusx-edc/tractusx-connector-azure-vault --version 0.3.3 \
  -f <path-to>/tractusx-connector-azure-vault-test.yaml \
  --set vault.azure.name=$AZURE_VAULT_NAME \
  --set vault.azure.client=$AZURE_CLIENT_ID \
  --set vault.azure.secret=$AZURE_CLIENT_SECRET \
  --set vault.azure.tenant=$AZURE_TENANT_ID
```

Note that DAPS_CERT contains the x509 certificate and DAPS_KEY contains the private key.
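The script below is an added example and not part of the chart or the Tractus-X project. It turns the prerequisites above into checks that run before anything touches the vault: the vault name must be a bare name rather than a URL, DAPS_CERT and DAPS_KEY must be PEM blocks, and the AES key must be base64 that decodes to 16, 32 or 64 bytes (128/256/512 bit), as the secret list states. The seeding step uses the Azure CLI (`az keyvault secret set`) with the secret names from the text above; the chart's `vault.secretNames.*` values default to different names, so the mapping passed to `helm install` is an assumption you should verify against the chart's values file. The AES_KEY environment variable and all function names are ours, not the chart's.

```shell
#!/usr/bin/env sh
# Added example (not chart code): pre-flight checks and seeding for the
# Azure KeyVault secrets this chart expects. Assumed names: AES_KEY holds the
# base64 key; check_*/seed_vault/install_chart are helpers defined here.

# The chart wants the vault *name*, not its URL.
check_vault_name() {
  case "$1" in
    "" | *://* | */* | *.vault.azure.net*) return 1 ;;
    *) return 0 ;;
  esac
}

# aes-keys: base64 decoding to 16, 32 or 64 bytes. Pure-shell check: validate
# the alphabet and padding, then derive the decoded length arithmetically, so
# the key never has to be decoded to disk or passed to another tool.
check_aes_key() {
  key=$1
  [ -n "$key" ] || return 1
  [ -z "$(printf '%s' "$key" | tr -d 'A-Za-z0-9+/=')" ] || return 1
  len=${#key}
  [ $((len % 4)) -eq 0 ] || return 1
  body=${key%%=*}                  # everything before the first '='
  case "${key#"$body"}" in         # the remainder must be padding only
    "" | "=" | "==") ;;
    *) return 1 ;;
  esac
  pad=$((len - ${#body}))
  bytes=$((len / 4 * 3 - pad))
  case "$bytes" in
    16 | 32 | 64) return 0 ;;
    *) return 1 ;;
  esac
}

# Fresh random key in the format the chart expects; $1 is the byte length.
generate_aes_key() {
  head -c "$1" /dev/urandom | base64 | tr -d '\n'
}

# $1 = PEM text, $2 = "CERTIFICATE" or "PRIVATE KEY" (also matches
# "RSA PRIVATE KEY", which older openssl builds emit).
check_pem() {
  case "$1" in
    "-----BEGIN "*"$2-----"*"-----END "*"$2-----"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Run every check and report all failures at once; returns 1 if any failed.
preflight() {
  ok=0
  check_vault_name "$AZURE_VAULT_NAME" || { echo "AZURE_VAULT_NAME must be the bare vault name, not a URL" >&2; ok=1; }
  check_pem "$DAPS_CERT" "CERTIFICATE"  || { echo "DAPS_CERT is not a PEM certificate" >&2; ok=1; }
  check_pem "$DAPS_KEY" "PRIVATE KEY"   || { echo "DAPS_KEY is not a PEM private key" >&2; ok=1; }
  check_aes_key "$AES_KEY"              || { echo "AES_KEY must be base64 of 16, 32 or 64 bytes" >&2; ok=1; }
  return $ok
}

# Seed the three secrets under the names used in the text above.
seed_vault() {
  for pair in "daps-cert=$DAPS_CERT" "daps-key=$DAPS_KEY" "aes-keys=$AES_KEY"; do
    az keyvault secret set --vault-name "$AZURE_VAULT_NAME" \
      --name "${pair%%=*}" --value "${pair#*=}" --output none || return 1
  done
}

# $1 = path to tractusx-connector-azure-vault-test.yaml. The secretNames
# mapping below is an assumption (cert -> public key, key -> private key).
install_chart() {
  helm repo add tractusx-edc https://eclipse-tractusx.github.io/charts/dev
  helm install my-release tractusx-edc/tractusx-connector-azure-vault --version 0.3.3 \
    -f "$1" \
    --set vault.azure.name="$AZURE_VAULT_NAME" \
    --set vault.azure.client="$AZURE_CLIENT_ID" \
    --set vault.azure.secret="$AZURE_CLIENT_SECRET" \
    --set vault.azure.tenant="$AZURE_TENANT_ID" \
    --set vault.secretNames.dapsPublicKey=daps-cert \
    --set vault.secretNames.dapsPrivateKey=daps-key \
    --set vault.secretNames.transferProxyTokenEncryptionAesKey=aes-keys
}

# Usage: source this file, export the variables, then:  preflight && seed_vault && install_chart <values.yaml>
if [ "${1:-}" = "run" ]; then
  preflight && seed_vault && install_chart "${2:?path to values file}"
fi
```

Because `preflight` only inspects environment variables, it can run in CI with no Azure credentials; `seed_vault` and `install_chart` are the only steps that need a logged-in `az` session and a reachable cluster.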
Key | Type | Default | Description |
---|---|---|---|
backendService.httpProxyTokenReceiverUrl | string | "" | |
controlplane.affinity | object | {} | |
controlplane.autoscaling.enabled | bool | false | Enables horizontal pod autoscaling |
controlplane.autoscaling.maxReplicas | int | 100 | Maximum replicas if resource consumption exceeds resource thresholds |
controlplane.autoscaling.minReplicas | int | 1 | Minimal replicas if resource consumption falls below resource thresholds |
controlplane.autoscaling.targetCPUUtilizationPercentage | int | 80 | targetAverageUtilization of cpu provided to a pod |
controlplane.autoscaling.targetMemoryUtilizationPercentage | int | 80 | targetAverageUtilization of memory provided to a pod |
controlplane.businessPartnerValidation.log.agreementValidation | bool | true | |
controlplane.debug.enabled | bool | false | |
controlplane.debug.port | int | 1044 | |
controlplane.debug.suspendOnStart | bool | false | |
controlplane.endpoints | object | {"control":{"path":"/control","port":8083},"default":{"path":"/api","port":8080},"management":{"authKey":"","path":"/management","port":8081},"metrics":{"path":"/metrics","port":9090},"observability":{"insecure":true,"path":"/observability","port":8085},"protocol":{"path":"/api/v1/ids","port":8084}} | endpoints of the control plane |
controlplane.endpoints.control | object | {"path":"/control","port":8083} | control api, used for internal control calls. can be added to the internal ingress, but should probably not |
controlplane.endpoints.control.path | string | "/control" | path for incoming api calls |
controlplane.endpoints.control.port | int | 8083 | port for incoming api calls |
controlplane.endpoints.default | object | {"path":"/api","port":8080} | default api for health checks, should not be added to any ingress |
controlplane.endpoints.default.path | string | "/api" | path for incoming api calls |
controlplane.endpoints.default.port | int | 8080 | port for incoming api calls |
controlplane.endpoints.management | object | {"authKey":"","path":"/management","port":8081} | data management api, used by internal users, can be added to an ingress and must not be internet facing |
controlplane.endpoints.management.authKey | string | "" | authentication key, must be attached to each 'X-Api-Key' request header |
controlplane.endpoints.management.path | string | "/management" | path for incoming api calls |
controlplane.endpoints.management.port | int | 8081 | port for incoming api calls |
controlplane.endpoints.metrics | object | {"path":"/metrics","port":9090} | metrics api, used for application metrics, must not be internet facing |
controlplane.endpoints.metrics.path | string | "/metrics" | path for incoming api calls |
controlplane.endpoints.metrics.port | int | 9090 | port for incoming api calls |
controlplane.endpoints.observability | object | {"insecure":true,"path":"/observability","port":8085} | observability api with unsecured access, must not be internet facing |
controlplane.endpoints.observability.insecure | bool | true | allow or disallow insecure access, i.e. access without authentication |
controlplane.endpoints.observability.path | string | "/observability" | observability api, provides /health /readiness and /liveness endpoints |
controlplane.endpoints.observability.port | int | 8085 | port for incoming API calls |
controlplane.endpoints.protocol | object | {"path":"/api/v1/ids","port":8084} | ids api, used for inter connector communication and must be internet facing |
controlplane.endpoints.protocol.path | string | "/api/v1/ids" | path for incoming api calls |
controlplane.endpoints.protocol.port | int | 8084 | port for incoming api calls |
controlplane.env | object | {} | |
controlplane.envConfigMapNames | list | [] | |
controlplane.envSecretNames | list | [] | |
controlplane.envValueFrom | object | {} | |
controlplane.image.pullPolicy | string | "IfNotPresent" | Kubernetes image pull policy to use |
controlplane.image.repository | string | "" | Which variant of the control plane to use. When left empty the deployment will select the correct image automatically |
controlplane.image.tag | string | "" | Overrides the image tag whose default is the chart appVersion |
controlplane.ingresses[0].annotations | object | {} | Additional ingress annotations to add |
controlplane.ingresses[0].certManager.clusterIssuer | string | "" | If present, enables certificate generation via cert-manager cluster-wide issuer |
controlplane.ingresses[0].certManager.issuer | string | "" | If present, enables certificate generation via cert-manager namespace scoped issuer |
controlplane.ingresses[0].className | string | "" | Defines the ingress class to use |
controlplane.ingresses[0].enabled | bool | false | |
controlplane.ingresses[0].endpoints | list | ["ids"] | EDC endpoints exposed by this ingress resource |
controlplane.ingresses[0].hostname | string | "edc-control.local" | The hostname to be used to precisely map incoming traffic onto the underlying network service |
controlplane.ingresses[0].tls | object | {"enabled":false,"secretName":""} | TLS class applied to the ingress resource |
controlplane.ingresses[0].tls.enabled | bool | false | Enables TLS on the ingress resource |
controlplane.ingresses[0].tls.secretName | string | "" | If present overwrites the default secret name |
controlplane.ingresses[1].annotations | object | {} | Additional ingress annotations to add |
controlplane.ingresses[1].certManager.clusterIssuer | string | "" | If present, enables certificate generation via cert-manager cluster-wide issuer |
controlplane.ingresses[1].certManager.issuer | string | "" | If present, enables certificate generation via cert-manager namespace scoped issuer |
controlplane.ingresses[1].className | string | "" | Defines the ingress class to use |
controlplane.ingresses[1].enabled | bool | false | |
controlplane.ingresses[1].endpoints | list | ["management","control"] | EDC endpoints exposed by this ingress resource |
controlplane.ingresses[1].hostname | string | "edc-control.intranet" | The hostname to be used to precisely map incoming traffic onto the underlying network service |
controlplane.ingresses[1].tls | object | {"enabled":false,"secretName":""} | TLS class applied to the ingress resource |
controlplane.ingresses[1].tls.enabled | bool | false | Enables TLS on the ingress resource |
controlplane.ingresses[1].tls.secretName | string | "" | If present overwrites the default secret name |
controlplane.initContainers | list | [] | |
controlplane.internationalDataSpaces.catalogId | string | "TXDC-Catalog" | |
controlplane.internationalDataSpaces.curator | string | "" | |
controlplane.internationalDataSpaces.description | string | "Tractus-X Eclipse IDS Data Space Connector" | |
controlplane.internationalDataSpaces.id | string | "TXDC" | |
controlplane.internationalDataSpaces.maintainer | string | "" | |
controlplane.internationalDataSpaces.title | string | "" | |
controlplane.livenessProbe.enabled | bool | true | Whether to enable kubernetes liveness-probe |
controlplane.livenessProbe.failureThreshold | int | 6 | when a probe fails kubernetes will try 6 times before giving up |
controlplane.livenessProbe.initialDelaySeconds | int | 30 | seconds to wait before performing the first liveness check |
controlplane.livenessProbe.periodSeconds | int | 10 | this field specifies that kubernetes should perform a liveness check every 10 seconds |
controlplane.livenessProbe.successThreshold | int | 1 | number of consecutive successes for the probe to be considered successful after having failed |
controlplane.livenessProbe.timeoutSeconds | int | 5 | number of seconds after which the probe times out |
controlplane.logging | string | ".level=INFO\norg.eclipse.edc.level=ALL\nhandlers=java.util.logging.ConsoleHandler\njava.util.logging.ConsoleHandler.formatter=java.util.logging.SimpleFormatter\njava.util.logging.ConsoleHandler.level=ALL\njava.util.logging.SimpleFormatter.format=[%1$tY-%1$tm-%1$td %1$tH:%1$tM:%1$tS] [%4$-7s] %5$s%6$s%n" | configuration of the Java Util Logging Facade |
controlplane.nodeSelector | object | {} | |
controlplane.opentelemetry | string | "otel.javaagent.enabled=false\notel.javaagent.debug=false" | configuration of the Open Telemetry Agent to collect and expose metrics |
controlplane.podAnnotations | object | {} | additional annotations for the pod |
controlplane.podLabels | object | {} | additional labels for the pod |
controlplane.podSecurityContext | object | {"fsGroup":10001,"runAsGroup":10001,"runAsUser":10001,"seccompProfile":{"type":"RuntimeDefault"}} | The pod security context defines privilege and access control settings for a Pod within the deployment |
controlplane.podSecurityContext.fsGroup | int | 10001 | The owner for volumes and any files created within volumes will belong to this gid |
controlplane.podSecurityContext.runAsGroup | int | 10001 | Processes within a pod will belong to this gid |
controlplane.podSecurityContext.runAsUser | int | 10001 | Runs all processes within a pod with a special uid |
controlplane.podSecurityContext.seccompProfile.type | string | "RuntimeDefault" | Restrict a Container's Syscalls with seccomp |
controlplane.readinessProbe.enabled | bool | true | Whether to enable kubernetes readiness-probes |
controlplane.readinessProbe.failureThreshold | int | 6 | when a probe fails kubernetes will try 6 times before giving up |
controlplane.readinessProbe.initialDelaySeconds | int | 30 | seconds to wait before performing the first readiness check |
controlplane.readinessProbe.periodSeconds | int | 10 | this field specifies that kubernetes should perform a readiness check every 10 seconds |
controlplane.readinessProbe.successThreshold | int | 1 | number of consecutive successes for the probe to be considered successful after having failed |
controlplane.readinessProbe.timeoutSeconds | int | 5 | number of seconds after which the probe times out |
controlplane.replicaCount | int | 1 | |
controlplane.resources | object | {} | resource management for the container |
controlplane.securityContext.allowPrivilegeEscalation | bool | false | Controls Privilege Escalation enabling setuid binaries changing the effective user ID |
controlplane.securityContext.capabilities.add | list | [] | Specifies which capabilities to add to issue specialized syscalls |
controlplane.securityContext.capabilities.drop | list | ["ALL"] | Specifies which capabilities to drop to reduce syscall attack surface |
controlplane.securityContext.readOnlyRootFilesystem | bool | true | Whether the root filesystem is mounted in read-only mode |
controlplane.securityContext.runAsNonRoot | bool | true | Requires the container to run without root privileges |
controlplane.securityContext.runAsUser | int | 10001 | The container's process will run with the specified uid |
controlplane.service.annotations | object | {} | |
controlplane.service.type | string | "ClusterIP" | Service type to expose the running application on a set of Pods as a network service. |
controlplane.tolerations | list | [] | |
controlplane.url.ids | string | "" | Explicitly declared url for reaching the ids api (e.g. if ingresses not used) |
controlplane.volumeMounts | list | [] | declare where to mount volumes into the container |
controlplane.volumes | list | [] | volume directories |
customLabels | object | {} | |
daps.clientId | string | "" | |
daps.paths.jwks | string | "/jwks.json" | |
daps.paths.token | string | "/token" | |
daps.url | string | "" | |
dataplane.affinity | object | {} | |
dataplane.autoscaling.enabled | bool | false | Enables horizontal pod autoscaling |
dataplane.autoscaling.maxReplicas | int | 100 | Maximum replicas if resource consumption exceeds resource thresholds |
dataplane.autoscaling.minReplicas | int | 1 | Minimal replicas if resource consumption falls below resource thresholds |
dataplane.autoscaling.targetCPUUtilizationPercentage | int | 80 | targetAverageUtilization of cpu provided to a pod |
dataplane.autoscaling.targetMemoryUtilizationPercentage | int | 80 | targetAverageUtilization of memory provided to a pod |
dataplane.aws.accessKeyId | string | "" | |
dataplane.aws.endpointOverride | string | "" | |
dataplane.aws.secretAccessKey | string | "" | |
dataplane.debug.enabled | bool | false | |
dataplane.debug.port | int | 1044 | |
dataplane.debug.suspendOnStart | bool | false | |
dataplane.endpoints.control.path | string | "/api/dataplane/control" | |
dataplane.endpoints.control.port | int | 8083 | |
dataplane.endpoints.default.path | string | "/api" | |
dataplane.endpoints.default.port | int | 8080 | |
dataplane.endpoints.metrics.path | string | "/metrics" | |
dataplane.endpoints.metrics.port | int | 9090 | |
dataplane.endpoints.observability.insecure | bool | true | allow or disallow insecure access, i.e. access without authentication |
dataplane.endpoints.observability.path | string | "/observability" | observability api, provides /health /readiness and /liveness endpoints |
dataplane.endpoints.observability.port | int | 8085 | port for incoming API calls |
dataplane.endpoints.public.path | string | "/api/public" | |
dataplane.endpoints.public.port | int | 8081 | |
dataplane.env | object | {} | |
dataplane.envConfigMapNames | list | [] | |
dataplane.envSecretNames | list | [] | |
dataplane.envValueFrom | object | {} | |
dataplane.image.pullPolicy | string | "IfNotPresent" | Kubernetes image pull policy to use |
dataplane.image.repository | string | "" | Which variant of the data plane to use. When left empty the deployment will select the correct image automatically |
dataplane.image.tag | string | "" | Overrides the image tag whose default is the chart appVersion |
dataplane.ingresses[0].annotations | object | {} | Additional ingress annotations to add |
dataplane.ingresses[0].certManager.clusterIssuer | string | "" | If present, enables certificate generation via cert-manager cluster-wide issuer |
dataplane.ingresses[0].certManager.issuer | string | "" | If present, enables certificate generation via cert-manager namespace scoped issuer |
dataplane.ingresses[0].className | string | "" | Defines the ingress class to use |
dataplane.ingresses[0].enabled | bool | false | |
dataplane.ingresses[0].endpoints | list | ["public"] | EDC endpoints exposed by this ingress resource |
dataplane.ingresses[0].hostname | string | "edc-data.local" | The hostname to be used to precisely map incoming traffic onto the underlying network service |
dataplane.ingresses[0].tls | object | {"enabled":false,"secretName":""} | TLS class applied to the ingress resource |
dataplane.ingresses[0].tls.enabled | bool | false | Enables TLS on the ingress resource |
dataplane.ingresses[0].tls.secretName | string | "" | If present overwrites the default secret name |
dataplane.initContainers | list | [] | |
dataplane.livenessProbe.enabled | bool | true | Whether to enable kubernetes liveness-probe |
dataplane.livenessProbe.failureThreshold | int | 6 | when a probe fails kubernetes will try 6 times before giving up |
dataplane.livenessProbe.initialDelaySeconds | int | 30 | seconds to wait before performing the first liveness check |
dataplane.livenessProbe.periodSeconds | int | 10 | this field specifies that kubernetes should perform a liveness check every 10 seconds |
dataplane.livenessProbe.successThreshold | int | 1 | number of consecutive successes for the probe to be considered successful after having failed |
dataplane.livenessProbe.timeoutSeconds | int | 5 | number of seconds after which the probe times out |
dataplane.logging | string | ".level=INFO\norg.eclipse.edc.level=ALL\nhandlers=java.util.logging.ConsoleHandler\njava.util.logging.ConsoleHandler.formatter=java.util.logging.SimpleFormatter\njava.util.logging.ConsoleHandler.level=ALL\njava.util.logging.SimpleFormatter.format=[%1$tY-%1$tm-%1$td %1$tH:%1$tM:%1$tS] [%4$-7s] %5$s%6$s%n" | configuration of the Java Util Logging Facade |
dataplane.nodeSelector | object | {} | |
dataplane.opentelemetry | string | "otel.javaagent.enabled=false\notel.javaagent.debug=false" | configuration of the Open Telemetry Agent to collect and expose metrics |
dataplane.podAnnotations | object | {} | additional annotations for the pod |
dataplane.podLabels | object | {} | additional labels for the pod |
dataplane.podSecurityContext | object | {"fsGroup":10001,"runAsGroup":10001,"runAsUser":10001,"seccompProfile":{"type":"RuntimeDefault"}} | The pod security context defines privilege and access control settings for a Pod within the deployment |
dataplane.podSecurityContext.fsGroup | int | 10001 | The owner for volumes and any files created within volumes will belong to this gid |
dataplane.podSecurityContext.runAsGroup | int | 10001 | Processes within a pod will belong to this gid |
dataplane.podSecurityContext.runAsUser | int | 10001 | Runs all processes within a pod with a special uid |
dataplane.podSecurityContext.seccompProfile.type | string | "RuntimeDefault" | Restrict a Container's Syscalls with seccomp |
dataplane.readinessProbe.enabled | bool | true | Whether to enable kubernetes readiness-probes |
dataplane.readinessProbe.failureThreshold | int | 6 | when a probe fails kubernetes will try 6 times before giving up |
dataplane.readinessProbe.initialDelaySeconds | int | 30 | seconds to wait before performing the first readiness check |
dataplane.readinessProbe.periodSeconds | int | 10 | this field specifies that kubernetes should perform a readiness check every 10 seconds |
dataplane.readinessProbe.successThreshold | int | 1 | number of consecutive successes for the probe to be considered successful after having failed |
dataplane.readinessProbe.timeoutSeconds | int | 5 | number of seconds after which the probe times out |
dataplane.replicaCount | int | 1 | |
dataplane.resources | object | {} | resource management for the container |
dataplane.securityContext.allowPrivilegeEscalation | bool | false | Controls Privilege Escalation enabling setuid binaries changing the effective user ID |
dataplane.securityContext.capabilities.add | list | [] | Specifies which capabilities to add to issue specialized syscalls |
dataplane.securityContext.capabilities.drop | list | ["ALL"] | Specifies which capabilities to drop to reduce syscall attack surface |
dataplane.securityContext.readOnlyRootFilesystem | bool | true | Whether the root filesystem is mounted in read-only mode |
dataplane.securityContext.runAsNonRoot | bool | true | Requires the container to run without root privileges |
dataplane.securityContext.runAsUser | int | 10001 | The container's process will run with the specified uid |
dataplane.service.port | int | 80 | |
dataplane.service.type | string | "ClusterIP" | Service type to expose the running application on a set of Pods as a network service. |
dataplane.tolerations | list | [] | |
dataplane.url.public | string | "" | Explicitly declared url for reaching the public api (e.g. if ingresses not used) |
dataplane.volumeMounts | list | [] | declare where to mount volumes into the container |
dataplane.volumes | list | [] | volume directories |
fullnameOverride | string | "" | |
imagePullSecrets | list | [] | Existing image pull secret to use to obtain the container image from private registries |
nameOverride | string | "" | |
postgresql.enabled | bool | false | |
postgresql.jdbcUrl | string | "" | |
postgresql.password | string | "" | |
postgresql.username | string | "" | |
serviceAccount.annotations | object | {} | |
serviceAccount.create | bool | true | |
serviceAccount.imagePullSecrets | list | [] | Existing image pull secret bound to the service account to use to obtain the container image from private registries |
serviceAccount.name | string | "" | |
vault.azure.certificate | string | nil | |
vault.azure.client | string | "" | |
vault.azure.name | string | "" | |
vault.azure.secret | string | nil | |
vault.azure.tenant | string | "" | |
vault.secretNames.dapsPrivateKey | string | "daps-private-key" | |
vault.secretNames.dapsPublicKey | string | "daps-public-key" | |
vault.secretNames.transferProxyTokenEncryptionAesKey | string | "transfer-proxy-token-encryption-aes-key" | |
vault.secretNames.transferProxyTokenSignerPrivateKey | string | "transfer-proxy-token-signer-private-key" | |
vault.secretNames.transferProxyTokenSignerPublicKey | string | "transfer-proxy-token-signer-public-key" | |
Autogenerated from chart metadata using helm-docs v1.10.0
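The endpoint descriptions in the table set clear exposure rules: only the protocol (ids) api and the data plane's public api must be internet facing, the management api may go on an ingress but must not be internet facing and needs an authKey sent in the X-Api-Key header, the control api "should probably not" be on an ingress, and the default, metrics and observability apis belong on no ingress at all. The script below is an added example, not chart code, that writes a values override following those rules and installs the chart with it alongside the test configuration file from above. Hostnames, ingress class names and cert-manager issuer names in it are placeholders, the MGMT_API_KEY variable and function names are ours, and TLS is turned on for every ingress since the chart defaults it to off.

```shell
#!/usr/bin/env sh
# Added example (not chart code): hardened ingress layout for this chart plus
# a random management API key. All hostnames, class and issuer names are
# placeholders; MGMT_API_KEY and the helper functions are assumptions of ours.

# 32 random bytes as 64 hex characters for controlplane.endpoints.management.authKey.
gen_auth_key() {
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Write the override file to $1. Only ids and public are on internet-facing
# ingresses; management sits alone on an internal ingress; nothing else is exposed.
write_values() {
  cat > "$1" <<'EOF'
controlplane:
  ingresses:
    - enabled: true
      hostname: edc-control.example.com            # placeholder, public DNS
      endpoints: ["ids"]
      className: nginx                             # placeholder ingress class
      certManager:
        clusterIssuer: letsencrypt-prod            # placeholder issuer name
      tls:
        enabled: true
    - enabled: true
      hostname: edc-control.intranet.example.com   # placeholder, internal DNS only
      endpoints: ["management"]
      className: nginx-internal                    # placeholder, internal-only class
      certManager:
        clusterIssuer: internal-ca                 # placeholder issuer name
      tls:
        enabled: true
dataplane:
  ingresses:
    - enabled: true
      hostname: edc-data.example.com               # placeholder, public DNS
      endpoints: ["public"]
      className: nginx
      certManager:
        clusterIssuer: letsencrypt-prod
      tls:
        enabled: true
EOF
}

# $1 = tractusx-connector-azure-vault-test.yaml, $2 = file written by write_values.
# The management key is passed with --set so it never lands in a values file;
# the caller keeps it in MGMT_API_KEY to hand out to X-Api-Key clients.
install_hardened() {
  MGMT_API_KEY=${MGMT_API_KEY:-$(gen_auth_key)}
  export MGMT_API_KEY
  helm repo add tractusx-edc https://eclipse-tractusx.github.io/charts/dev
  helm install my-release tractusx-edc/tractusx-connector-azure-vault --version 0.3.3 \
    -f "$1" -f "$2" \
    --set controlplane.endpoints.management.authKey="$MGMT_API_KEY" \
    --set vault.azure.name="$AZURE_VAULT_NAME" \
    --set vault.azure.client="$AZURE_CLIENT_ID" \
    --set vault.azure.secret="$AZURE_CLIENT_SECRET" \
    --set vault.azure.tenant="$AZURE_TENANT_ID"
}

# Usage: write_values hardened.yaml && install_hardened <path-to>/tractusx-connector-azure-vault-test.yaml hardened.yaml
if [ "${1:-}" = "run" ]; then
  write_values hardened.yaml && install_hardened "${2:?path to test values}" hardened.yaml
fi
```

Values passed with `--set` are still stored in the Helm release secret in the cluster, so the management key is only as private as access to that namespace; rotate it with `helm upgrade` and a new MGMT_API_KEY rather than editing the release in place.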