feat: embed STS in IdentityHub (#340)

* use Remote STS client and IH as STS * update README * terraform fmt * provide sts token url as variable
eclipse-edc · Sep 20, 2024 · 5cf06ee · 5cf06ee
1 parent 0b62dcd
commit 5cf06ee
Show file tree

Hide file tree

Showing 20 changed files with 211 additions and 125 deletions.
diff --git a/.run/remote/Connector CONSUMER.run.xml → .run/remote/Connector .run.xml b/.run/remote/Connector CONSUMER.run.xml → .run/remote/Connector .run.xml
@@ -1,5 +1,6 @@
 <component name="ProjectRunConfigurationManager">
-  <configuration default="false" name="Connector CONSUMER" type="Remote">
+  <configuration default="false" name="Connector " type="Remote">
+    <module name="mvd.launchers.controlplane.main" />
     <option name="USE_SOCKET_TRANSPORT" value="true" />
     <option name="SERVER_MODE" value="false" />
     <option name="SHMEM_ADDRESS" />

diff --git a/.run/remote/Connector PROVIDER.run.xml b/.run/remote/Connector PROVIDER.run.xml
diff --git a/README.md b/README.md
diff --git a/deployment/consumer.tf b/deployment/consumer.tf
@@ -24,8 +24,9 @@ module "consumer-connector" {
     password = "consumer"
     url      = "jdbc:postgresql://${module.consumer-postgres.database-url}/consumer"
   }
-  vault-url = "http://consumer-vault:8200"
-  namespace = kubernetes_namespace.ns.metadata.0.name
+  vault-url     = "http://consumer-vault:8200"
+  namespace     = kubernetes_namespace.ns.metadata.0.name
+  sts-token-url = module.consumer-identityhub.sts-token-url
 }
 
 # consumer identity hub

diff --git a/deployment/modules/catalog-server/catalog-server.tf b/deployment/modules/catalog-server/catalog-server.tf
@@ -67,26 +67,29 @@ resource "kubernetes_deployment" "connector" {
           }
 
           liveness_probe {
-            exec {
-              command = ["curl", "-X GET", "http://localhost:${var.ports.web}/api/check/liveness"]
+            http_get {
+              path = "/api/check/liveness"
+              port = var.ports.web
             }
             failure_threshold = 10
             period_seconds    = 5
             timeout_seconds   = 30
           }
 
           readiness_probe {
-            exec {
-              command = ["curl", "-X GET", "http://localhost:${var.ports.web}/api/check/readiness"]
+            http_get {
+              path = "/api/check/readiness"
+              port = var.ports.web
             }
             failure_threshold = 10
             period_seconds    = 5
             timeout_seconds   = 30
           }
 
           startup_probe {
-            exec {
-              command = ["curl", "-X GET", "http://localhost:${var.ports.web}/api/check/startup"]
+            http_get {
+              path = "/api/check/startup"
+              port = var.ports.web
             }
             failure_threshold = 10
             period_seconds    = 5
@@ -119,10 +122,10 @@ resource "kubernetes_config_map" "catalog-server-config" {
   ## Create databases for keycloak and MIW, create users and assign privileges
   data = {
     EDC_API_AUTH_KEY                = "password"
-    EDC_IAM_ISSUER_ID               = var.participant-did
+    EDC_IAM_ISSUER_ID               = var.participantId
     EDC_IAM_DID_WEB_USE_HTTPS       = false
     WEB_HTTP_PORT                   = var.ports.web
-    WEB_HTTP_PATH                   = "/"
+    WEB_HTTP_PATH                   = "/api"
     WEB_HTTP_MANAGEMENT_PORT        = var.ports.management
     WEB_HTTP_MANAGEMENT_PATH        = "/api/management"
     WEB_HTTP_CONTROL_PORT           = var.ports.control
@@ -132,7 +135,7 @@ resource "kubernetes_config_map" "catalog-server-config" {
     EDC_API_AUTH_KEY                = "password"
     EDC_DSP_CALLBACK_ADDRESS        = "http://${local.controlplane-service-name}:${var.ports.protocol}/api/dsp"
     EDC_IAM_STS_PRIVATEKEY_ALIAS    = "${var.participantId}#${var.aliases.sts-private-key}"
-    EDC_IAM_STS_PUBLICKEY_ID        = "${var.participant-did}#${var.aliases.sts-public-key-id}"
+    EDC_IAM_STS_PUBLICKEY_ID        = "${var.participantId}#${var.aliases.sts-public-key-id}"
     JAVA_TOOL_OPTIONS               = "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=${var.ports.debug}"
     EDC_IH_AUDIENCE_REGISTRY_PATH   = "/etc/registry/registry.json"
     EDC_PARTICIPANT_ID              = var.participantId
@@ -142,5 +145,10 @@ resource "kubernetes_config_map" "catalog-server-config" {
     EDC_DATASOURCE_DEFAULT_URL      = var.database.url
     EDC_DATASOURCE_DEFAULT_USER     = var.database.user
     EDC_DATASOURCE_DEFAULT_PASSWORD = var.database.password
+
+    # remote STS configuration
+    EDC_IAM_STS_OAUTH_TOKEN_URL           = var.sts-token-url
+    EDC_IAM_STS_OAUTH_CLIENT_ID           = var.participantId
+    EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS = "${var.participantId}-sts-client-secret"
   }
 }
diff --git a/deployment/modules/catalog-server/outputs.tf b/deployment/modules/catalog-server/outputs.tf
@@ -28,7 +28,7 @@ output "ports" {
 output "audience-mapping" {
   value = {
     #    dspAudience  = "http://${local.connector-cluster-ip}:${var.ports.protocol}/api/dsp"
-    dcpAudience = var.participant-did
+    dcpAudience = var.participantId
   }
 }
 

diff --git a/deployment/modules/catalog-server/variables.tf b/deployment/modules/catalog-server/variables.tf
@@ -33,11 +33,6 @@ variable "humanReadableName" {
 }
 
 variable "participantId" {
-  type        = string
-  description = "Participant ID of the connector. Usually a DID"
-}
-
-variable "participant-did" {
   type        = string
   description = "DID:WEB identifier of the participant"
 }
@@ -93,6 +88,11 @@ variable "vault-url" {
   type        = string
 }
 
+variable "sts-token-url" {
+  description = "Full URL of the STS token endpoint"
+  type        = string
+}
+
 variable "aliases" {
   type = object({
     sts-private-key   = string

diff --git a/deployment/modules/connector/controlplane.tf b/deployment/modules/connector/controlplane.tf
@@ -67,26 +67,29 @@ resource "kubernetes_deployment" "controlplane" {
           }
 
           liveness_probe {
-            exec {
-              command = ["curl", "-X GET", "http://localhost:${var.ports.web}/api/check/liveness"]
+            http_get {
+              path = "/api/check/liveness"
+              port = var.ports.web
             }
             failure_threshold = 10
             period_seconds    = 5
             timeout_seconds   = 30
           }
 
           readiness_probe {
-            exec {
-              command = ["curl", "-X GET", "http://localhost:${var.ports.web}/api/check/readiness"]
+            http_get {
+              path = "/api/check/readiness"
+              port = var.ports.web
             }
             failure_threshold = 10
             period_seconds    = 5
             timeout_seconds   = 30
           }
 
           startup_probe {
-            exec {
-              command = ["curl", "-X GET", "http://localhost:${var.ports.web}/api/check/startup"]
+            http_get {
+              path = "/api/check/startup"
+              port = var.ports.web
             }
             failure_threshold = 10
             period_seconds    = 5
@@ -172,5 +175,10 @@ resource "kubernetes_config_map" "connector-config" {
     EDC_DATASOURCE_DEFAULT_URL                 = var.database.url
     EDC_DATASOURCE_DEFAULT_USER                = var.database.user
     EDC_DATASOURCE_DEFAULT_PASSWORD            = var.database.password
+
+    # remote STS configuration
+    EDC_IAM_STS_OAUTH_TOKEN_URL           = var.sts-token-url
+    EDC_IAM_STS_OAUTH_CLIENT_ID           = var.participantId
+    EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS = "${var.participantId}-sts-client-secret"
   }
 }
diff --git a/deployment/modules/connector/dataplane.tf b/deployment/modules/connector/dataplane.tf
@@ -66,26 +66,29 @@ resource "kubernetes_deployment" "dataplane" {
           }
 
           liveness_probe {
-            exec {
-              command = ["curl", "-X GET", "http://localhost:${var.ports.web}/api/check/liveness"]
+            http_get {
+              path = "/api/check/liveness"
+              port = var.ports.web
             }
             failure_threshold = 10
             period_seconds    = 5
             timeout_seconds   = 30
           }
 
           readiness_probe {
-            exec {
-              command = ["curl", "-X GET", "http://localhost:${var.ports.web}/api/check/readiness"]
+            http_get {
+              path = "/api/check/readiness"
+              port = var.ports.web
             }
             failure_threshold = 10
             period_seconds    = 5
             timeout_seconds   = 30
           }
 
           startup_probe {
-            exec {
-              command = ["curl", "-X GET", "http://localhost:${var.ports.web}/api/check/startup"]
+            http_get {
+              path = "/api/check/startup"
+              port = var.ports.web
             }
             failure_threshold = 10
             period_seconds    = 5
@@ -124,5 +127,10 @@ resource "kubernetes_config_map" "dataplane-config" {
     EDC_DATASOURCE_DEFAULT_URL                        = var.database.url
     EDC_DATASOURCE_DEFAULT_USER                       = var.database.user
     EDC_DATASOURCE_DEFAULT_PASSWORD                   = var.database.password
+
+    # remote STS configuration
+    EDC_IAM_STS_OAUTH_TOKEN_URL           = var.sts-token-url
+    EDC_IAM_STS_OAUTH_CLIENT_ID           = var.participantId
+    EDC_IAM_STS_OAUTH_CLIENT_SECRET_ALIAS = "consumer-participant-sts-client-secret"
   }
 }
diff --git a/deployment/modules/connector/variables.tf b/deployment/modules/connector/variables.tf
@@ -86,6 +86,11 @@ variable "vault-url" {
   type        = string
 }
 
+variable "sts-token-url" {
+  description = "Full URL of the STS token endpoint"
+  type        = string
+}
+
 variable "aliases" {
   type = object({
     sts-private-key   = string

diff --git a/deployment/modules/identity-hub/main.tf b/deployment/modules/identity-hub/main.tf
@@ -74,26 +74,29 @@ resource "kubernetes_deployment" "identityhub" {
           }
 
           liveness_probe {
-            exec {
-              command = ["curl", "-X GET", "http://localhost:${var.ports.web}/api/check/liveness"]
+            http_get {
+              path = "/api/check/liveness"
+              port = var.ports.web
             }
             failure_threshold = 10
             period_seconds    = 5
             timeout_seconds   = 30
           }
 
           readiness_probe {
-            exec {
-              command = ["curl", "-X GET", "http://localhost:${var.ports.web}/api/check/readiness"]
+            http_get {
+              path = "/api/check/readiness"
+              port = var.ports.web
             }
             failure_threshold = 10
             period_seconds    = 5
             timeout_seconds   = 30
           }
 
           startup_probe {
-            exec {
-              command = ["curl", "-X GET", "http://localhost:${var.ports.web}/api/check/startup"]
+            http_get {
+              path = "/api/check/startup"
+              port = var.ports.web
             }
             failure_threshold = 10
             period_seconds    = 5
@@ -146,6 +149,8 @@ resource "kubernetes_config_map" "identityhub-config" {
     WEB_HTTP_PRESENTATION_PATH      = "/api/presentation"
     WEB_HTTP_DID_PORT               = var.ports.ih-did
     WEB_HTTP_DID_PATH               = "/"
+    WEB_HTTP_STS_PORT               = var.ports.sts-api
+    WEB_HTTP_STS_PATH               = "/api/sts"
     JAVA_TOOL_OPTIONS               = "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=${var.ports.ih-debug}"
     EDC_IAM_STS_PRIVATEKEY_ALIAS    = var.aliases.sts-private-key
     EDC_IAM_STS_PUBLICKEY_ID        = var.aliases.sts-public-key-id

diff --git a/deployment/modules/identity-hub/outputs.tf b/deployment/modules/identity-hub/outputs.tf
@@ -35,4 +35,8 @@ output "credentials" {
     path    = var.credentials-dir
     content = fileset(var.credentials-dir, "*-credential.json")
   }
+}
+
+output "sts-token-url" {
+  value = "http://${kubernetes_service.ih-service.metadata.0.name}:${var.ports.sts-api}/api/sts/token"
 }
diff --git a/deployment/modules/identity-hub/services.tf b/deployment/modules/identity-hub/services.tf
@@ -38,5 +38,9 @@ resource "kubernetes_service" "ih-service" {
       name = "did"
       port = var.ports.ih-did
     }
+    port {
+      name = "sts"
+      port = var.ports.sts-api
+    }
   }
 }
diff --git a/deployment/modules/identity-hub/variables.tf b/deployment/modules/identity-hub/variables.tf
@@ -43,6 +43,7 @@ variable "ports" {
     ih-did           = number
     ih-identity-api  = number
     presentation-api = number
+    sts-api          = number
   })
   default = {
     web              = 7080
@@ -51,6 +52,7 @@ variable "ports" {
     ih-did           = 7083
     ih-identity-api  = 7081
     presentation-api = 7082
+    sts-api          = 7084
   }
 }
 

diff --git a/deployment/provider.tf b/deployment/provider.tf
@@ -25,8 +25,9 @@ module "provider-qna-connector" {
     password = "provider-qna"
     url      = "jdbc:postgresql://${module.provider-postgres.database-url}/provider_qna"
   }
-  namespace = kubernetes_namespace.ns.metadata.0.name
-  vault-url = "http://provider-vault:8200"
+  namespace     = kubernetes_namespace.ns.metadata.0.name
+  vault-url     = "http://provider-vault:8200"
+  sts-token-url = module.provider-identityhub.sts-token-url
 }
 
 # Second provider connector "provider-manufacturing"
@@ -39,8 +40,9 @@ module "provider-manufacturing-connector" {
     password = "provider-manufacturing"
     url      = "jdbc:postgresql://${module.provider-postgres.database-url}/provider_manufacturing"
   }
-  namespace = kubernetes_namespace.ns.metadata.0.name
-  vault-url = "http://provider-vault:8200"
+  namespace     = kubernetes_namespace.ns.metadata.0.name
+  vault-url     = "http://provider-vault:8200"
+  sts-token-url = module.provider-identityhub.sts-token-url
 }
 
 module "provider-identityhub" {
@@ -65,9 +67,10 @@ module "provider-catalog-server" {
   source            = "./modules/catalog-server"
   humanReadableName = "provider-catalog-server"
   participantId     = var.provider-did
-  participant-did   = var.provider-did
   namespace         = kubernetes_namespace.ns.metadata.0.name
   vault-url         = "http://provider-vault:8200"
+  sts-token-url     = module.provider-identityhub.sts-token-url
+
   database = {
     user     = "catalog_server"
     password = "catalog_server"