Merge branch 'main' into addStartReqs

Author: wistefan

.github/workflows/release.yml

@@ -48,7 +48,7 @@ jobs:
         - uses: zwaldowski/semver-release-action@v2
           with:
             dry_run: true
-            bump: ${{ steps.match-label-bash.outputs.RELEASE_LABEL }}
+            bump: minor
             github_token: ${{ secrets.GITHUB_TOKEN }}
 
         - name: Set version output

README.md

@@ -85,20 +85,21 @@ Connector.
 
 Precisely, the connector bundles the following components:
 
-| Component       | Role            | Link |
-|-----------------|-----------------|------|
-| VCVerifier      | Verifier        | https://github.com/FIWARE/VCVerifier |
-| credentials-config-service | Credentials Config provider for the verifier | https://github.com/FIWARE/credentials-config-service |
-| Keycloak | Issuer of VCs | https://www.keycloak.org |
-| Scorpio        | Context Broker  | https://github.com/ScorpioBroker/ScorpioBroker |
-| trusted-issuers-list | Acts as Trusted Issuers List by providing an [EBSI Trusted Issuers Registry](https://api-pilot.ebsi.eu/docs/apis/trusted-issuers-registry) API | https://github.com/FIWARE/trusted-issuers-list |
-| APISIX | APISIX as API-Gateway with a sidecar OPA as PEP | https://apisix.apache.org/ / https://www.openpolicyagent.org/ |
-| odrl-pap        | PAP allowing to configure ODRL policies to be used by the OPA | https://github.com/wistefan/odrl-pap |
-| tmforum-api     | [TMForum APIs](https://www.tmforum.org/oda/open-apis/) for contract management | https://github.com/FIWARE/tmforum-api |
-| contract-management | Notification listener for contract management events out of TMForum | https://github.com/FIWARE/contract-management |
-| MySQL           | Database | https://www.mysql.com |
-| PostgreSQL      | Database | https://www.postgresql.org |
-| PostGIS         | PostgreSQL Database with PostGIS extensions | https://postgis.net/ |
+| Component       | Role            | Diagram field | Link |
+|-----------------|-----------------|---|------|
+| VCVerifier      | Validates VCs and exchanges them for tokens       |Verifier | https://github.com/FIWARE/VCVerifier |
+| credentials-config-service | Holds the information which VCs are required for accessing a service |PRP/PAP (authentication)| https://github.com/FIWARE/credentials-config-service |
+| Keycloak | Issuer of VCs on the Consumer side | | https://www.keycloak.org |
+| Scorpio        | Context Broker  | | https://github.com/ScorpioBroker/ScorpioBroker |
+| trusted-issuers-list | Acts as Trusted Issuers List by providing an [EBSI Trusted Issuers Registry](https://api-pilot.ebsi.eu/docs/apis/trusted-issuers-registry) API |Local Trusted Issuers List| https://github.com/FIWARE/trusted-issuers-list |
+| APISIX | APISIX as API-Gateway with a OPA plugin |PEP| https://apisix.apache.org/ / https://apisix.apache.org/docs/apisix/plugins/opa/ |
+| OPA | OpenPolicyAgent as the API Gateway's Sidecar |PDP | https://www.openpolicyagent.org/ |
+| odrl-pap        | Allowing to configure ODRL policies to be used by the OPA | PRP/PAP (authorization) | https://github.com/wistefan/odrl-pap |
+| tmforum-api     |  Implementation of the [TMForum APIs](https://www.tmforum.org/oda/open-apis/) for handling contracts|Contract Management| https://github.com/FIWARE/tmforum-api |
+| contract-management | Notification listener for contract management events out of TMForum |Contract Management | https://github.com/FIWARE/contract-management |
+| MySQL           | Database | | https://www.mysql.com |
+| PostgreSQL      | Database | | https://www.postgresql.org |
+| PostGIS         | PostgreSQL Database with PostGIS extensions | | https://postgis.net/ |
 
 **Note,** that some of the components shown in the diagram above are not implemented yet.
 

charts/README.md

@@ -6,15 +6,11 @@ This directory provides the actual charts of the connector.
 ## Data Space Connector
 
 The folder [data-space-connector](./data-space-connector) contains the actual FIWARE 
-Data Space Connector as a [Helm Umbrella Chart](https://helm.sh/docs/howto/charts_tips_and_tricks/#complex-charts-with-many-dependencies).  
-This includes the `Chart.yaml` with the different depending charts for the components, a `values.yaml` providing default values for the 
-configuration parameters of the different components, and additional Helm templates. 
+Data Space Connector as a [Helm Umbrella Chart](https://helm.sh/docs/howto/charts_tips_and_tricks/#complex-charts-with-many-dependencies). This includes the `Chart.yaml` with the different depending charts for the components, a `values.yaml` providing default values for the configuration parameters of the different components, and additional Helm templates. 
 
 
 ## Trust Anchor
 
 The folder [trust-anchor](./trust-anchor) contains a minimal example of a Trust Anchor, provided as 
-a [Helm Umbrella Chart](https://helm.sh/docs/howto/charts_tips_and_tricks/#complex-charts-with-many-dependencies).  
-Basically it consists of a Trusted Issuers Registry with an attached database. This is also used 
-in the local deployment of a Minimal Viable Dataspace described [here](../doc/local-deployment/LOCAL.MD).
+a [Helm Umbrella Chart](https://helm.sh/docs/howto/charts_tips_and_tricks/#complex-charts-with-many-dependencies). Basically it consists of a Trusted Issuers Registry with an attached database. This is also used in the local deployment of a Minimal Viable Dataspace described [here](../doc/deployment-integration/local-deployment/LOCAL.MD).
 

charts/data-space-connector/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: data-space-connector
 description: Umbrella Chart for the FIWARE Data Space Connector, combining all essential parts to be used by a participant.
 type: application
-version: 7.3.4
+version: 7.17.2
 dependencies:
   - name: postgresql
     condition: postgresql.enabled
@@ -48,7 +48,7 @@ dependencies:
   # issuance
   - name: keycloak
     condition: keycloak.enabled
-    version: 21.1.1
+    version: 24.0.1
     repository: https://charts.bitnami.com/bitnami
   # contract management
   - name: tm-forum-api

charts/data-space-connector/values.yaml

@@ -97,6 +97,9 @@ credentials-config-service:
 postgresql:
   # -- should it be enabled? set to false if one outside the chart is used.
   enabled: true
+  image:
+    # -- fixes the unpullable image referenced in the chart
+    tag: 13.18.0
   # -- allows to set a fixed name for the services
   fullnameOverride: postgresql
   generatePasswords:
@@ -194,12 +197,6 @@ apisix:
           config_provider: yaml
       apisix:
         extra_lua_path: /extra/apisix/plugins/?.lua
-    # -- configuration in regard to the apisix dashboard
-    dashboard:
-      # -- should it be enabled
-      enabled: true
-      # -- resource preset to have sufficient memory
-      resourcesPreset: small
     # -- extra volumes
     # we need `routes` to declaratively configure the routes
     # and the config for the opa sidecar
@@ -248,6 +245,13 @@ apisix:
         volumeMounts:
           - name: opa-config
             mountPath: /config
+  # -- configuration in regard to the apisix dashboard
+  dashboard:
+    # -- should it be enabled
+    enabled: false
+    # -- resource preset to have sufficient memory
+    resourcesPreset: small
+ 
   # -- configuration of a catchAll-route(e.g. /*)
   catchAllRoute:
     # -- should it be enabled
@@ -282,6 +286,9 @@ apisix:
 postgis:
   # -- should it be enabled? set to false if one outside the chart is used.
   enabled: true
+  image:
+    # -- fixes the unpullable image referenced in the chart
+    tag: 13.18.0
   # -- overrides the generated name, provides stable service names - this should be avoided if multiple instances are available in the same namespace
   fullnameOverride: data-service-postgis
   # -- overrides the generated name, provides stable service names - this should be avoided if multiple instances are available in the same namespace
@@ -369,22 +376,7 @@ keycloak:
   # -- disable the security context, required by the current quarkus container, will be solved in the future chart versions of keycloak
   containerSecurityContext:
     enabled: false
-  # -- keycloak image to be used - set to preview version of 25.0.0, since no other is available yet
-  image:
-    registry: quay.io
-    # until 25 is released, we have to use a snapshot version
-    repository: wi_stefan/keycloak
-    tag: 25.0.0-PRE
-    pullPolicy: Always
-  command:
-    - /bin/bash
-  # -- we need the did of the participant here. when its generated with the did-helper, we have to get it first and replace inside the realm.json through env-vars
-  args:
-    - -ec
-    - |
-      #!/bin/sh
-      export $(cat /did-material/did.env)
-      /opt/keycloak/bin/kc.sh start --features oid4vc-vci --import-realm
+ 
   service:
     ports:
       http: 8080
@@ -399,54 +391,25 @@ keycloak:
   # -- host of the external db to be used
   externalDatabase:
     host: postgresql
-
-  # -- the default init container is deactivated, since it conflicts with the non-bitnami image
-  enableDefaultInitContainers: false
+    database: keycloak
+    user: postgres
+    existingSecret: database-secret
+    existingSecretPasswordKey: postgres-admin-password
 
   # -- extra volumes to be mounted
   extraVolumeMounts:
-    - name: empty-dir
-      mountPath: /opt/keycloak/lib/quarkus
-      subPath: app-quarkus-dir
-    - name: qtm-temp
-      mountPath: /qtm-tmp
-    - name: did-material
-      mountPath: /did-material
-    - name: did-material
-      mountPath: "/etc/env"
-      readOnly: true
-    - name: realms
-      mountPath: /opt/keycloak/data/import
-
-  extraVolumes:
-    - name: did-material
-      emptyDir: { }
-    - name: qtm-temp
-      emptyDir: { }
     - name: realms
-      configMap:
-        name: test-realm-realm
+      mountPath: /opt/bitnami/keycloak/data/import
 
   # -- extra env vars to be set. we require them at the moment, since some of the chart config mechanisms only work with the bitnami-image
   extraEnvVars:
+    - name: KEYCLOAK_EXTRA_ARGS
+      value: "--import-realm"
+    - name: KC_FEATURES
+      value: "oid4vc-vci"
     # indicates ssl is terminated at the edge
     - name: KC_PROXY
       value: "edge"
-    # point the transaction store to the (writeable!) empty volume
-    - name: QUARKUS_TRANSACTION_MANAGER_OBJECT_STORE_DIRECTORY
-      value: /qtm-tmp
-    # config for the db connection
-    - name: KC_DB_URL_HOST
-      value: postgresql
-    - name: KC_DB_URL_DATABASE
-      value: keycloak
-    - name: KC_DB_USERNAME
-      value: postgres
-    - name: KC_DB_PASSWORD
-      valueFrom:
-        secretKeyRef:
-          name: database-secret
-          key: postgres-admin-password
     # password for reading the key store connected to the did
     - name: STORE_PASS
       valueFrom:
@@ -460,56 +423,6 @@ keycloak:
           name: issuance-secret
           key: keycloak-admin
 
-  # -- init containers to be run with keycloak
-  initContainers:
-    # workaround required by the current quarkus distribution, to make keycloak working
-    - name: read-only-workaround
-      image: quay.io/wi_stefan/keycloak:25.0.0-PRE
-      command:
-        - /bin/bash
-      args:
-        - -ec
-        - |
-          #!/bin/bash
-          cp -r /opt/keycloak/lib/quarkus/* /quarkus
-      volumeMounts:
-        - name: empty-dir
-          mountPath: /quarkus
-          subPath: app-quarkus-dir
-
-    # retrieve all did material required for the realm and store it to a shared folder
-    - name: get-did
-      image: ubuntu
-      command:
-        - /bin/bash
-      args:
-        - -ec
-        - |
-          #!/bin/bash
-          apt-get -y update; apt-get -y install wget
-          cd /did-material
-          wget http://did-helper:3000/did-material/cert.pfx
-          wget http://did-helper:3000/did-material/did.env
-      volumeMounts:
-        - name: did-material
-          mountPath: /did-material
-
-    # register the issuer at the trusted issuers registry - will only work if that one is publicly accessible
-    - name: register-at-tir
-      image: ubuntu
-      command:
-        - /bin/bash
-      args:
-        - -ec
-        - |
-          #!/bin/bash
-          source /did-material/did.env
-          apt-get -y update; apt-get -y install curl
-          curl -X 'POST' 'http://tir.trust-anchor.svc.cluster.local:8080/issuer' -H 'Content-Type: application/json' -d "{\"did\": \"${DID}\", \"credentials\": []}"
-      volumeMounts:
-        - name: did-material
-          mountPath: /did-material
-
   # -- configuration of the realm to be imported
   realm:
     # -- should the realm be imported

doc/deployment-integration/local-deployment/LOCAL.MD

@@ -19,6 +19,7 @@ Issues revealed by the script are most likely due to incompatibility of your sys
 ## Quick Start
 
 > :warning: The local deployment uses [k3s](https://k3s.io/) and is currently only tested on linux.
+> Its not recommended to use it on Windows or Mac Systems.
 
 To start the Data Space, just use:
 
@@ -168,7 +169,7 @@ Exchange the pre-authorized code from the offer with an AccessToken at the autho
       --header 'Accept: */*' \
       --header 'Content-Type: application/x-www-form-urlencoded' \
       --data grant_type=urn:ietf:params:oauth:grant-type:pre-authorized_code \
-      --data code=${PRE_AUTHORIZED_CODE} | jq '.access_token' -r); echo ${CREDENTIAL_ACCESS_TOKEN}
+      --data pre-authorized_code=${PRE_AUTHORIZED_CODE} | jq '.access_token' -r); echo ${CREDENTIAL_ACCESS_TOKEN}
 ```
 
 Use the returned access token to get the actual credential:
@@ -891,4 +892,4 @@ In order to build a concrete deployment, [maven](https://maven.apache.org/) exec
 3. Execute `helm template` on the charts, with the local values provided for each participant(e.g. [trust-anchor](../k3s/trust-anchor.yaml), [provider](../k3s/provider.yaml) and [consumer](../k3s/consumer.yaml)) and copy the manifests to the target folder(e.g. `target/k3s`)
 4. Spin up the cluster
 5. Apply the infrastructure resources to the cluster, via `kubectl apply`
-6. Apply the charts to the cluster, via `kubectl apply`
+6. Apply the charts to the cluster, via `kubectl apply`

it/pom.xml

@@ -51,13 +51,20 @@
             </dependency>
         </dependencies>
     </dependencyManagement>
+    <!-- workaround for https://github.com/java-json-tools/jackson-coreutils/issues/59 -->
     <repositories>
+        <repository>
+            <id>central</id>
+            <name>Maven Central</name>
+            <layout>default</layout>
+            <url>https://repo1.maven.org/maven2</url>
+        </repository>
         <repository>
             <id>jitpack.io</id>
             <url>https://jitpack.io</url>
         </repository>
     </repositories>
-
+         
     <dependencies>
         <dependency>
             <groupId>org.projectlombok</groupId>
@@ -397,4 +404,4 @@
             </build>
         </profile>
     </profiles>
-</project>
+</project>

it/src/test/java/org/fiware/dataspace/it/components/Wallet.java

@@ -226,7 +226,7 @@ private String requestOffer(String token, String credentialEndpoint, SupportedCo
     public String getAccessToken(String tokenEndpoint, String preAuthorizedCode) throws Exception {
         RequestBody requestBody = new FormEncodingBuilder()
                 .add("grant_type", PRE_AUTHORIZED_GRANT_TYPE)
-                .add("code", preAuthorizedCode)
+                .add("pre-authorized_code", preAuthorizedCode)
                 .build();
         Request tokenRequest = new Request.Builder()
                 .url(tokenEndpoint)

k3s/consumer.yaml

@@ -31,29 +31,17 @@ keycloak:
   ingress:
     enabled: true
     hostname: keycloak-consumer.127.0.0.1.nip.io
+  command:
+    - /bin/bash
   args:
     - -ec
     - |
       #!/bin/sh
       export $(cat /did-material/did.env)
       export KC_HOSTNAME=keycloak-consumer.127.0.0.1.nip.io
-      env | grep DID
-      /opt/keycloak/bin/kc.sh start --features oid4vc-vci --import-realm
+      /opt/bitnami/scripts/keycloak/entrypoint.sh
+      /opt/bitnami/scripts/keycloak/run.sh
   initContainers:
-    - name: read-only-workaround
-      image: quay.io/wi_stefan/keycloak:25.0.0-PRE
-      command:
-        - /bin/bash
-      args:
-        - -ec
-        - |
-          #!/bin/bash
-          cp -r /opt/keycloak/lib/quarkus/* /quarkus
-      volumeMounts:
-        - name: empty-dir
-          mountPath: /quarkus
-          subPath: app-quarkus-dir
-
     - name: get-did
       image: ubuntu
       command:
@@ -110,11 +98,18 @@ keycloak:
         - name: did-material
           mountPath: /did-material
 
+  extraVolumeMounts:
+    - name: did-material
+      mountPath: /did-material
+    - name: did-material
+      mountPath: "/etc/env"
+      readOnly: true
+    - name: realms
+      mountPath: /opt/bitnami/keycloak/data/import
+
   extraVolumes:
     - name: did-material
       emptyDir: { }
-    - name: qtm-temp
-      emptyDir: { }
     - name: realms
       configMap:
         name: test-realm-realm