From c2262d2bb638f5586cc3a101b50c30332073418b Mon Sep 17 00:00:00 2001 From: Gavin Jaeger-Freeborn Date: Tue, 24 Sep 2024 13:15:57 -0700 Subject: [PATCH 1/5] add helm chart entry for managing the ttl index Signed-off-by: Gavin Jaeger-Freeborn --- charts/vc-authn-oidc/README.md | 97 ++++++++++--------- .../vc-authn-oidc/templates/deployment.yaml | 11 +++ charts/vc-authn-oidc/values.yaml | 2 + docker/docker-compose.yaml | 2 +- docker/manage | 2 +- .../{ => config}/sessiontimeout.json | 0 docs/README.md | 2 +- 7 files changed, 65 insertions(+), 51 deletions(-) rename docker/oidc-controller/{ => config}/sessiontimeout.json (100%) diff --git a/charts/vc-authn-oidc/README.md b/charts/vc-authn-oidc/README.md index 39ce91a1..673be764 100644 --- a/charts/vc-authn-oidc/README.md +++ b/charts/vc-authn-oidc/README.md 
@@ -89,54 +89,55 @@ kubectl delete secret,pvc --selector "app.kubernetes.io/instance"=my-release ### Controller Configuration -| Name | Description | Value | -| ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------- | -| `acapyTenancyMode` | Agent tenancy mode, either `single` or `multi` | `single` | -| `setNonRevoked` | if True, the `non_revoked` attributed will be added to each of the present-proof request `requested_attribute` and `requested_predicate` with 'from=0' and'to=`int(time.time())` | `true` | -| `invitationLabel` | For the invitations sent that include the proof, what to add as the my_label field. Can be used to identify the requester to the prover | `"VC-AuthN"` | -| `useOobPresentProof` | if True, the present-proof request will be provided as a an [out of band](https://github.com/hyperledger/aries-rfcs/tree/main/features/0434-outofband) invitation with a [present-proof](https://github.com/hyperledger/aries-rfcs/tree/main/features/0037-present-proof) request inside. 
If False, the present-proof request will be use the [service-decorator](https://github.com/hyperledger/aries-rfcs/tree/main/features/0056-service-decorator) | `false` | -| `useOobLocalDIDService` | | `false` | -| `useUrlDeepLink` | if True, will use the new encoded URL (`didcomm://?_url={redirect URL}`) redirect form of the deep link | `false` | -| `walletDeepLinkPrefix` | Custom URI scheme and host to use for deep links (`{walletDeepLinkPrefix}?c_i={connection payload`) | `"bcwallet://aries_proof-request"` | -| `controllerCameraRedirectUrl` | The redirect url can be a web link or the name of a template | `wallet_howto` | -| `controllerPresentationExpireTime` | The number of time in seconds a proof request will be valid for | `300` | -| `useHTTPS` | Prepend Agent and Admin URLs with `https` | `true` | -| `logLevel` | Accepts one of the following values: CRITICAL, ERROR, WARNING, INFO, DEBUG | `INFO` | -| `auth.api.existingSecret` | Specify the name of the secret containing `controllerApiKey` key. | `""` | -| `auth.token.privateKey.filename` | Specify the name of the signing key file | `jwt-token.pem` | -| `auth.token.privateKey.existingSecret` | Specify the name of the secret containing the signing key to be mounted, if not specified, a new secret will be created. | `""` | -| `database.existingSecret` | Specify existing secret containing the keys `mongodb-root-password`, `mongodb-replica-set-key`, and `mongodb-passwords`. `database.secret.create` must be set to `false` when using existing secret. | `""` | -| `podAnnotations` | Map of annotations to add to the acapy pods | `{}` | -| `podSecurityContext` | Pod Security Context | `{}` | -| `containerSecurityContext` | Container Security Context | `{}` | -| `networkPolicy.enabled` | Enable network policies | `true` | -| `networkPolicy.ingress.enabled` | Enable ingress rules | `true` | -| `networkPolicy.ingress.namespaceSelector` | Namespace selector label that is allowed to access the Tenant proxy pods. 
| `{}` | -| `networkPolicy.ingress.podSelector` | Pod selector label that is allowed to access the Tenant proxy pods. | `{}` | -| `service.type` | Kubernetes Service type | `ClusterIP` | -| `service.port` | | `5000` | -| `ingress.enabled` | Enable ingress record generation for controller | `true` | -| `ingress.className` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | -| `ingress.annotations` | Additional annotations for the Ingress resource. | `[]` | -| `ingress.tls` | Enable TLS configuration for the host defined at ingress. | `[]` | -| `resources.limits.memory` | The memory limit for the controller containers | `512Mi` | -| `resources.limits.cpu` | The cpu limit for the controller containers | `100m` | -| `resources.requests.memory` | The requested memory for the controller containers | `128Mi` | -| `resources.requests.cpu` | The requested cpu for the controller containers | `10m` | -| `replicaCount` | Number of controller replicas to deploy | `1` | -| `autoscaling.enabled` | Enable Horizontal POD autoscaling forthe controller | `true` | -| `autoscaling.minReplicas` | Minimum number of controller replicas | `1` | -| `autoscaling.maxReplicas` | Maximum number of controller replicas | `2` | -| `autoscaling.targetCPUUtilizationPercentage` | Target CPU utilization percentage | `80` | -| `autoscaling.targetMemoryUtilizationPercentage` | Target Memory utilization percentage | `""` | -| `autoscaling.stabilizationWindowSeconds` | Stabilization window in seconds | `300` | -| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `false` | -| `serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`. | `{}` | -| `serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `true` | -| `serviceAccount.name` | Name of the service account to use. 
If not set and create is true, a name is generated using the fullname template. | `""` | -| `affinity` | Affinity for pods assignment | `{}` | -| `nodeSelector` | Node labels for pods assignment | `{}` | -| `tolerations` | Tolerations for pods assignment | `[]` | +| Name | Description | Value | +|-------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------| +| `acapyTenancyMode` | Agent tenancy mode, either `single` or `multi` | `single` | +| `setNonRevoked` | if True, the `non_revoked` attributed will be added to each of the present-proof request `requested_attribute` and `requested_predicate` with 'from=0' and'to=`int(time.time())` | `true` | +| `invitationLabel` | For the invitations sent that include the proof, what to add as the my_label field. Can be used to identify the requester to the prover | `"VC-AuthN"` | +| `useOobPresentProof` | if True, the present-proof request will be provided as a an [out of band](https://github.com/hyperledger/aries-rfcs/tree/main/features/0434-outofband) invitation with a [present-proof](https://github.com/hyperledger/aries-rfcs/tree/main/features/0037-present-proof) request inside. 
If False, the present-proof request will be use the [service-decorator](https://github.com/hyperledger/aries-rfcs/tree/main/features/0056-service-decorator) | `false` | +| `useOobLocalDIDService` | | `false` | +| `useUrlDeepLink` | if True, will use the new encoded URL (`didcomm://?_url={redirect URL}`) redirect form of the deep link | `false` | +| `walletDeepLinkPrefix` | Custom URI scheme and host to use for deep links (`{walletDeepLinkPrefix}?c_i={connection payload`) | `"bcwallet://aries_proof-request"` | +| `controllerCameraRedirectUrl` | The redirect url can be a web link or the name of a template | `wallet_howto` | +| `controllerPresentationExpireTime` | The number of time in seconds a proof request will be valid for | `300` | +| `controllerSessionTimeoutConfigFile` | The file containing a json list of auth session states that are safe for deletion | `/home/aries/sessiontimeout.json` | +| `useHTTPS` | Prepend Agent and Admin URLs with `https` | `true` | +| `logLevel` | Accepts one of the following values: CRITICAL, ERROR, WARNING, INFO, DEBUG | `INFO` | +| `auth.api.existingSecret` | Specify the name of the secret containing `controllerApiKey` key. | `""` | +| `auth.token.privateKey.filename` | Specify the name of the signing key file | `jwt-token.pem` | +| `auth.token.privateKey.existingSecret` | Specify the name of the secret containing the signing key to be mounted, if not specified, a new secret will be created. | `""` | +| `database.existingSecret` | Specify existing secret containing the keys `mongodb-root-password`, `mongodb-replica-set-key`, and `mongodb-passwords`. `database.secret.create` must be set to `false` when using existing secret. 
| `""` | +| `podAnnotations` | Map of annotations to add to the acapy pods | `{}` | +| `podSecurityContext` | Pod Security Context | `{}` | +| `containerSecurityContext` | Container Security Context | `{}` | +| `networkPolicy.enabled` | Enable network policies | `true` | +| `networkPolicy.ingress.enabled` | Enable ingress rules | `true` | +| `networkPolicy.ingress.namespaceSelector` | Namespace selector label that is allowed to access the Tenant proxy pods. | `{}` | +| `networkPolicy.ingress.podSelector` | Pod selector label that is allowed to access the Tenant proxy pods. | `{}` | +| `service.type` | Kubernetes Service type | `ClusterIP` | +| `service.port` | | `5000` | +| `ingress.enabled` | Enable ingress record generation for controller | `true` | +| `ingress.className` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | +| `ingress.annotations` | Additional annotations for the Ingress resource. | `[]` | +| `ingress.tls` | Enable TLS configuration for the host defined at ingress. 
| `[]` | +| `resources.limits.memory` | The memory limit for the controller containers | `512Mi` | +| `resources.limits.cpu` | The cpu limit for the controller containers | `100m` | +| `resources.requests.memory` | The requested memory for the controller containers | `128Mi` | +| `resources.requests.cpu` | The requested cpu for the controller containers | `10m` | +| `replicaCount` | Number of controller replicas to deploy | `1` | +| `autoscaling.enabled` | Enable Horizontal POD autoscaling forthe controller | `true` | +| `autoscaling.minReplicas` | Minimum number of controller replicas | `1` | +| `autoscaling.maxReplicas` | Maximum number of controller replicas | `2` | +| `autoscaling.targetCPUUtilizationPercentage` | Target CPU utilization percentage | `80` | +| `autoscaling.targetMemoryUtilizationPercentage` | Target Memory utilization percentage | `""` | +| `autoscaling.stabilizationWindowSeconds` | Stabilization window in seconds | `300` | +| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `false` | +| `serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`. | `{}` | +| `serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `true` | +| `serviceAccount.name` | Name of the service account to use. If not set and create is true, a name is generated using the fullname template. | `""` | +| `affinity` | Affinity for pods assignment | `{}` | +| `nodeSelector` | Node labels for pods assignment | `{}` | +| `tolerations` | Tolerations for pods assignment | `[]` | ### Acapy Configuration diff --git a/charts/vc-authn-oidc/templates/deployment.yaml b/charts/vc-authn-oidc/templates/deployment.yaml index 8e75c70f..a57dbfe9 100644 --- a/charts/vc-authn-oidc/templates/deployment.yaml +++ b/charts/vc-authn-oidc/templates/deployment.yaml 
@@ -36,6 +36,12 @@ spec: secret: secretName: {{ include "vc-authn-oidc.token.secretName" . }} defaultMode: 256 + - name: auth-session-ttl + configMap: + name: {{ include "vc-authn-oidc.fullname" . }}-session-timeout-config + items: + - key: sessiontimeout.json + path: sessiontimeout.json containers: - name: {{ .Chart.Name }} securityContext: @@ -67,6 +73,8 @@ spec: value: {{ .Values.controllerCameraRedirectUrl }} - name: CONTROLLER_PRESENTATION_EXPIRE_TIME value: {{ .Values.controllerPresentationExpireTime | quote }} + - name: CONTROLLER_SESSION_TIMEOUT_CONFIG_FILE + value: {{ .Values.controllerSessionTimeoutConfigFile | quote }} - name: ACAPY_AGENT_URL value: {{ include "acapy.agent.url" . }} - name: ACAPY_ADMIN_URL @@ -121,6 +129,9 @@ spec: volumeMounts: - name: jwt-token mountPath: /opt/token + - name: auth-session-ttl + mountPath: {{ .Values.controllerSessionTimeoutConfigFile }} + subPath: sessiontimeout.json {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/vc-authn-oidc/values.yaml b/charts/vc-authn-oidc/values.yaml index 2c343856..8038de6b 100644 --- a/charts/vc-authn-oidc/values.yaml +++ b/charts/vc-authn-oidc/values.yaml @@ -40,6 +40,8 @@ walletDeepLinkPrefix: bcwallet://aries_proof-request controllerCameraRedirectUrl: wallet_howto ## @param controllerPresentationExpireTime The number of time in seconds a proof request will be valid for controllerPresentationExpireTime: 300 +## @param controllerSessionTimeoutConfigFile The file containing a json list of auth session states that are safe for deletion +controllerSessionTimeoutConfigFile: /home/aries/sessiontimeout.json ## @param useHTTPS Prepend Agent and Admin URLs with `https` useHTTPS: true ## @param logLevel Accepts one of the following values: CRITICAL, ERROR, WARNING, INFO, DEBUG diff --git a/docker/docker-compose.yaml b/docker/docker-compose.yaml index 9d46c83f..3264c6ae 100644 --- a/docker/docker-compose.yaml +++ b/docker/docker-compose.yaml 
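Review bot: The `configMap:` volume added under `volumes:` in the first hunk names `{{ include "vc-authn-oidc.fullname" . }}-session-timeout-config`, but this patch adds no ConfigMap template and the one introduced in PATCH 2/5 is rendered as `{{ include "global.fullname" . }}-session-timeout`, so the pod cannot mount the volume until the two expressions agree. Pick one name and use it in both files, for example `name: {{ include "vc-authn-oidc.fullname" . }}-session-timeout` here and the identical expression in the ConfigMap's `metadata.name`. The `subPath: sessiontimeout.json` mount in the third hunk (`@@ -121,6 +129,9 @@`) also means kubelet will not propagate later ConfigMap edits into a running container; if that is acceptable, a `checksum/config` annotation on the pod template over the rendered ConfigMap would at least roll the Deployment on change, and the limitation belongs in the `## @param` text for `controllerSessionTimeoutConfigFile`. The surrounding `spec:` mapping starts and ends outside these hunks.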
@@ -44,7 +44,7 @@ services: - 5678:5678 volumes: - ../oidc-controller:/app:rw - - ./oidc-controller/sessiontimeout.json:/tmp/sessiontimeout.json + - ./oidc-controller/config/sessiontimeout.json:/home/aries/sessiontimeout.json networks: - vc_auth diff --git a/docker/manage b/docker/manage index 418f0341..605bd308 100755 --- a/docker/manage +++ b/docker/manage @@ -177,7 +177,7 @@ configureEnvironment() { export CONTROLLER_PRESENTATION_CLEANUP_TIME=86400 # The path to the auth_session timeouts config file - export CONTROLLER_SESSION_TIMEOUT_CONFIG_FILE="/tmp/sessiontimeout.json" + export CONTROLLER_SESSION_TIMEOUT_CONFIG_FILE="/home/aries/sessiontimeout.json" #controller app settings export INVITATION_LABEL=${INVITATION_LABEL:-"VC-AuthN"} diff --git a/docker/oidc-controller/sessiontimeout.json b/docker/oidc-controller/config/sessiontimeout.json similarity index 100% rename from docker/oidc-controller/sessiontimeout.json rename to docker/oidc-controller/config/sessiontimeout.json diff --git a/docs/README.md b/docs/README.md index a5530902..e1321ea7 100644 --- a/docs/README.md +++ b/docs/README.md 
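Review bot: The new bind mount `./oidc-controller/config/sessiontimeout.json:/home/aries/sessiontimeout.json` is writable from inside the container by default, although the file is only read to decide which auth sessions are deleted. The adjacent `../oidc-controller:/app:rw` line already states its mode explicitly, so make the config mount read-only to match: `- ./oidc-controller/config/sessiontimeout.json:/home/aries/sessiontimeout.json:ro`. The `docker/manage` hunk on this same line hardcodes the identical container path in `CONTROLLER_SESSION_TIMEOUT_CONFIG_FILE`; a comment next to one of them pointing at the other would keep future path changes in step.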
@@ -345,7 +345,7 @@ The following additional metadata must be present at the OP's `/.well-known/open ## Auth Session Cleanup -For each authentication attempt, an auth session is created. Over Time, these can accumulate, increasing the database size. To address this issue, a configuration file specified by the environment variable CONTROLLER_SESSION_TIMEOUT_CONFIG_FILE is used to automatically clean up auth sessions based on their current state. This file contains a JSON array of different auth session states as strings. +For each authentication attempt, an auth session is created. Over Time, these can accumulate, increasing the database size. To address this issue, a configuration file specified by the environment variable `CONTROLLER_SESSION_TIMEOUT_CONFIG_FILE` is used to automatically clean up auth sessions based on their current state. This file contains a JSON array of different auth session states as strings. An example configuration file would contain the following text ```json From 578ab72d17f1184607f91cc7548dcf8feaef1748 Mon Sep 17 00:00:00 2001 From: Gavin Jaeger-Freeborn Date: Tue, 24 Sep 2024 13:54:52 -0700 Subject: [PATCH 2/5] migrated ttl config to use a configmap Signed-off-by: Gavin Jaeger-Freeborn --- charts/vc-authn-oidc/README.md | 99 ++++++++++--------- charts/vc-authn-oidc/templates/configmap.yaml | 8 ++ charts/vc-authn-oidc/values.yaml | 5 + 3 files changed, 63 insertions(+), 49 deletions(-) create mode 100644 charts/vc-authn-oidc/templates/configmap.yaml diff --git a/charts/vc-authn-oidc/README.md b/charts/vc-authn-oidc/README.md index 673be764..05ce510d 100644 --- a/charts/vc-authn-oidc/README.md +++ b/charts/vc-authn-oidc/README.md 
@@ -89,55 +89,56 @@ kubectl delete secret,pvc --selector "app.kubernetes.io/instance"=my-release ### Controller Configuration -| Name | Description | Value | -|-------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------| -| `acapyTenancyMode` | Agent tenancy mode, either `single` or `multi` | `single` | -| `setNonRevoked` | if True, the `non_revoked` attributed will be added to each of the present-proof request `requested_attribute` and `requested_predicate` with 'from=0' and'to=`int(time.time())` | `true` | -| `invitationLabel` | For the invitations sent that include the proof, what to add as the my_label field. Can be used to identify the requester to the prover | `"VC-AuthN"` | -| `useOobPresentProof` | if True, the present-proof request will be provided as a an [out of band](https://github.com/hyperledger/aries-rfcs/tree/main/features/0434-outofband) invitation with a [present-proof](https://github.com/hyperledger/aries-rfcs/tree/main/features/0037-present-proof) request inside. 
If False, the present-proof request will be use the [service-decorator](https://github.com/hyperledger/aries-rfcs/tree/main/features/0056-service-decorator) | `false` | -| `useOobLocalDIDService` | | `false` | -| `useUrlDeepLink` | if True, will use the new encoded URL (`didcomm://?_url={redirect URL}`) redirect form of the deep link | `false` | -| `walletDeepLinkPrefix` | Custom URI scheme and host to use for deep links (`{walletDeepLinkPrefix}?c_i={connection payload`) | `"bcwallet://aries_proof-request"` | -| `controllerCameraRedirectUrl` | The redirect url can be a web link or the name of a template | `wallet_howto` | -| `controllerPresentationExpireTime` | The number of time in seconds a proof request will be valid for | `300` | -| `controllerSessionTimeoutConfigFile` | The file containing a json list of auth session states that are safe for deletion | `/home/aries/sessiontimeout.json` | -| `useHTTPS` | Prepend Agent and Admin URLs with `https` | `true` | -| `logLevel` | Accepts one of the following values: CRITICAL, ERROR, WARNING, INFO, DEBUG | `INFO` | -| `auth.api.existingSecret` | Specify the name of the secret containing `controllerApiKey` key. | `""` | -| `auth.token.privateKey.filename` | Specify the name of the signing key file | `jwt-token.pem` | -| `auth.token.privateKey.existingSecret` | Specify the name of the secret containing the signing key to be mounted, if not specified, a new secret will be created. | `""` | -| `database.existingSecret` | Specify existing secret containing the keys `mongodb-root-password`, `mongodb-replica-set-key`, and `mongodb-passwords`. `database.secret.create` must be set to `false` when using existing secret. 
| `""` | -| `podAnnotations` | Map of annotations to add to the acapy pods | `{}` | -| `podSecurityContext` | Pod Security Context | `{}` | -| `containerSecurityContext` | Container Security Context | `{}` | -| `networkPolicy.enabled` | Enable network policies | `true` | -| `networkPolicy.ingress.enabled` | Enable ingress rules | `true` | -| `networkPolicy.ingress.namespaceSelector` | Namespace selector label that is allowed to access the Tenant proxy pods. | `{}` | -| `networkPolicy.ingress.podSelector` | Pod selector label that is allowed to access the Tenant proxy pods. | `{}` | -| `service.type` | Kubernetes Service type | `ClusterIP` | -| `service.port` | | `5000` | -| `ingress.enabled` | Enable ingress record generation for controller | `true` | -| `ingress.className` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | -| `ingress.annotations` | Additional annotations for the Ingress resource. | `[]` | -| `ingress.tls` | Enable TLS configuration for the host defined at ingress. 
| `[]` | -| `resources.limits.memory` | The memory limit for the controller containers | `512Mi` | -| `resources.limits.cpu` | The cpu limit for the controller containers | `100m` | -| `resources.requests.memory` | The requested memory for the controller containers | `128Mi` | -| `resources.requests.cpu` | The requested cpu for the controller containers | `10m` | -| `replicaCount` | Number of controller replicas to deploy | `1` | -| `autoscaling.enabled` | Enable Horizontal POD autoscaling forthe controller | `true` | -| `autoscaling.minReplicas` | Minimum number of controller replicas | `1` | -| `autoscaling.maxReplicas` | Maximum number of controller replicas | `2` | -| `autoscaling.targetCPUUtilizationPercentage` | Target CPU utilization percentage | `80` | -| `autoscaling.targetMemoryUtilizationPercentage` | Target Memory utilization percentage | `""` | -| `autoscaling.stabilizationWindowSeconds` | Stabilization window in seconds | `300` | -| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `false` | -| `serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`. | `{}` | -| `serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `true` | -| `serviceAccount.name` | Name of the service account to use. If not set and create is true, a name is generated using the fullname template. 
| `""` | -| `affinity` | Affinity for pods assignment | `{}` | -| `nodeSelector` | Node labels for pods assignment | `{}` | -| `tolerations` | Tolerations for pods assignment | `[]` | +| Name | Description | Value | +|-------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------| +| `acapyTenancyMode` | Agent tenancy mode, either `single` or `multi` | `single` | +| `setNonRevoked` | if True, the `non_revoked` attributed will be added to each of the present-proof request `requested_attribute` and `requested_predicate` with 'from=0' and'to=`int(time.time())` | `true` | +| `invitationLabel` | For the invitations sent that include the proof, what to add as the my_label field. Can be used to identify the requester to the prover | `"VC-AuthN"` | +| `useOobPresentProof` | if True, the present-proof request will be provided as a an [out of band](https://github.com/hyperledger/aries-rfcs/tree/main/features/0434-outofband) invitation with a [present-proof](https://github.com/hyperledger/aries-rfcs/tree/main/features/0037-present-proof) request inside. 
If False, the present-proof request will be use the [service-decorator](https://github.com/hyperledger/aries-rfcs/tree/main/features/0056-service-decorator) | `false` | +| `useOobLocalDIDService` | | `false` | +| `useUrlDeepLink` | if True, will use the new encoded URL (`didcomm://?_url={redirect URL}`) redirect form of the deep link | `false` | +| `walletDeepLinkPrefix` | Custom URI scheme and host to use for deep links (`{walletDeepLinkPrefix}?c_i={connection payload`) | `"bcwallet://aries_proof-request"` | +| `controllerCameraRedirectUrl` | The redirect url can be a web link or the name of a template | `wallet_howto` | +| `controllerPresentationExpireTime` | The number of time in seconds a proof request will be valid for | `300` | +| `controllerSessionTimeoutConfigFile` | The file containing a json list of auth session states that are safe for deletion | `/home/aries/sessiontimeout.json` | +| `controllerSessionTimeoutConfig` | The list of auth session states that are safe for deletion | `[expired', 'failed', 'abandoned']` | +| `useHTTPS` | Prepend Agent and Admin URLs with `https` | `true` | +| `logLevel` | Accepts one of the following values: CRITICAL, ERROR, WARNING, INFO, DEBUG | `INFO` | +| `auth.api.existingSecret` | Specify the name of the secret containing `controllerApiKey` key. | `""` | +| `auth.token.privateKey.filename` | Specify the name of the signing key file | `jwt-token.pem` | +| `auth.token.privateKey.existingSecret` | Specify the name of the secret containing the signing key to be mounted, if not specified, a new secret will be created. | `""` | +| `database.existingSecret` | Specify existing secret containing the keys `mongodb-root-password`, `mongodb-replica-set-key`, and `mongodb-passwords`. `database.secret.create` must be set to `false` when using existing secret. 
| `""` | +| `podAnnotations` | Map of annotations to add to the acapy pods | `{}` | +| `podSecurityContext` | Pod Security Context | `{}` | +| `containerSecurityContext` | Container Security Context | `{}` | +| `networkPolicy.enabled` | Enable network policies | `true` | +| `networkPolicy.ingress.enabled` | Enable ingress rules | `true` | +| `networkPolicy.ingress.namespaceSelector` | Namespace selector label that is allowed to access the Tenant proxy pods. | `{}` | +| `networkPolicy.ingress.podSelector` | Pod selector label that is allowed to access the Tenant proxy pods. | `{}` | +| `service.type` | Kubernetes Service type | `ClusterIP` | +| `service.port` | | `5000` | +| `ingress.enabled` | Enable ingress record generation for controller | `true` | +| `ingress.className` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | +| `ingress.annotations` | Additional annotations for the Ingress resource. | `[]` | +| `ingress.tls` | Enable TLS configuration for the host defined at ingress. 
| `[]` | +| `resources.limits.memory` | The memory limit for the controller containers | `512Mi` | +| `resources.limits.cpu` | The cpu limit for the controller containers | `100m` | +| `resources.requests.memory` | The requested memory for the controller containers | `128Mi` | +| `resources.requests.cpu` | The requested cpu for the controller containers | `10m` | +| `replicaCount` | Number of controller replicas to deploy | `1` | +| `autoscaling.enabled` | Enable Horizontal POD autoscaling forthe controller | `true` | +| `autoscaling.minReplicas` | Minimum number of controller replicas | `1` | +| `autoscaling.maxReplicas` | Maximum number of controller replicas | `2` | +| `autoscaling.targetCPUUtilizationPercentage` | Target CPU utilization percentage | `80` | +| `autoscaling.targetMemoryUtilizationPercentage` | Target Memory utilization percentage | `""` | +| `autoscaling.stabilizationWindowSeconds` | Stabilization window in seconds | `300` | +| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `false` | +| `serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`. | `{}` | +| `serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `true` | +| `serviceAccount.name` | Name of the service account to use. If not set and create is true, a name is generated using the fullname template. | `""` | +| `affinity` | Affinity for pods assignment | `{}` | +| `nodeSelector` | Node labels for pods assignment | `{}` | +| `tolerations` | Tolerations for pods assignment | `[]` | ### Acapy Configuration diff --git a/charts/vc-authn-oidc/templates/configmap.yaml b/charts/vc-authn-oidc/templates/configmap.yaml new file mode 100644 index 00000000..beabfe58 --- /dev/null +++ b/charts/vc-authn-oidc/templates/configmap.yaml 
@@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "global.fullname" . }}-session-timeout + labels: {{- include "vc-authn-oidc.labels" . | nindent 4 }} +data: + sessiontimeout.json: | + {{ .Values.controllerSessionTimeoutConfig | toJson }} diff --git a/charts/vc-authn-oidc/values.yaml b/charts/vc-authn-oidc/values.yaml index 8038de6b..7385b366 100644 --- a/charts/vc-authn-oidc/values.yaml +++ b/charts/vc-authn-oidc/values.yaml @@ -42,6 +42,11 @@ controllerCameraRedirectUrl: wallet_howto controllerPresentationExpireTime: 300 ## @param controllerSessionTimeoutConfigFile The file containing a json list of auth session states that are safe for deletion controllerSessionTimeoutConfigFile: /home/aries/sessiontimeout.json +## @param controllerSessionTimeoutConfig The json list of auth session states that are safe for deletion +controllerSessionTimeoutConfig: + - expired + - failed + - abandoned ## @param useHTTPS Prepend Agent and Admin URLs with `https` useHTTPS: true ## @param logLevel Accepts one of the following values: CRITICAL, ERROR, WARNING, INFO, DEBUG From e778e2604d9c44e76b0f84cf42e722510cb0b2b2 Mon Sep 17 00:00:00 2001 From: Gavin Jaeger-Freeborn Date: Tue, 24 Sep 2024 14:11:15 -0700 Subject: [PATCH 3/5] added duration that auth_sessions are kept for Signed-off-by: Gavin Jaeger-Freeborn --- charts/vc-authn-oidc/README.md | 2 +- charts/vc-authn-oidc/templates/deployment.yaml | 12 ++++-------- charts/vc-authn-oidc/values.yaml | 4 ++-- 3 files changed, 7 insertions(+), 11 deletions(-) diff --git a/charts/vc-authn-oidc/README.md b/charts/vc-authn-oidc/README.md index 05ce510d..f53ba665 100644 --- a/charts/vc-authn-oidc/README.md +++ b/charts/vc-authn-oidc/README.md 
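Review bot: `name: {{ include "global.fullname" . }}-session-timeout` does not match the volume reference `{{ include "vc-authn-oidc.fullname" . }}-session-timeout-config` that PATCH 1/5 added to deployment.yaml, so the Deployment looks for a ConfigMap that is never rendered. The next line uses the `vc-authn-oidc.labels` helper, and deployment.yaml uses `vc-authn-oidc.fullname` and `vc-authn-oidc.token.secretName`; unless `global.fullname` is defined in the chart's `_helpers.tpl`, which this series does not show, `helm template` fails on a missing named template before the name mismatch even matters. Suggested: `name: {{ include "vc-authn-oidc.fullname" . }}-session-timeout-config`. The `data` entry rendering `controllerSessionTimeoutConfig` through `toJson` inside a `|` block is fine for a flat list; a comment such as `# Rendered as a JSON array; the controller reads it from CONTROLLER_SESSION_TIMEOUT_CONFIG_FILE` would make the coupling to the env var visible to the next maintainer.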
@@ -100,7 +100,7 @@ kubectl delete secret,pvc --selector "app.kubernetes.io/instance"=my-release | `walletDeepLinkPrefix` | Custom URI scheme and host to use for deep links (`{walletDeepLinkPrefix}?c_i={connection payload`) | `"bcwallet://aries_proof-request"` | | `controllerCameraRedirectUrl` | The redirect url can be a web link or the name of a template | `wallet_howto` | | `controllerPresentationExpireTime` | The number of time in seconds a proof request will be valid for | `300` | -| `controllerSessionTimeoutConfigFile` | The file containing a json list of auth session states that are safe for deletion | `/home/aries/sessiontimeout.json` | +| `controllerSessionTimeoutDuration` | The number of seconds an auth_sessions in the states defined in `controllerSessionTimeoutConfig` is kept for | `86400` | | `controllerSessionTimeoutConfig` | The list of auth session states that are safe for deletion | `[expired', 'failed', 'abandoned']` | | `useHTTPS` | Prepend Agent and Admin URLs with `https` | `true` | | `logLevel` | Accepts one of the following values: CRITICAL, ERROR, WARNING, INFO, DEBUG | `INFO` | diff --git a/charts/vc-authn-oidc/templates/deployment.yaml b/charts/vc-authn-oidc/templates/deployment.yaml index a57dbfe9..705825b2 100644 --- a/charts/vc-authn-oidc/templates/deployment.yaml +++ b/charts/vc-authn-oidc/templates/deployment.yaml @@ -36,12 +36,6 @@ spec: secret: secretName: {{ include "vc-authn-oidc.token.secretName" . }} defaultMode: 256 - - name: auth-session-ttl - configMap: - name: {{ include "vc-authn-oidc.fullname" . }}-session-timeout-config - items: - - key: sessiontimeout.json - path: sessiontimeout.json containers: - name: {{ .Chart.Name }} securityContext: 
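Review bot: Deleting the `auth-session-ttl` entry from `volumes:` in the `@@ -36,12 +36,6 @@` hunk leaves the `- name: auth-session-ttl` volumeMount, kept in the `@@ -130,7 +126,7 @@` hunk of the same file with a now hardcoded `mountPath: /home/aries/sessiontimeout.json`, referencing a volume that no longer exists; the API server rejects such a Deployment at apply time rather than at pod start. Either keep the volume definition, with its `configMap.name` matching the ConfigMap template from PATCH 2/5, or drop the mount as well, unless PATCH 4/5, not visible here, reinstates it. Without the mount, `CONTROLLER_SESSION_TIMEOUT_CONFIG_FILE` still points at that path and the container has nothing to read there. The enclosing `spec:` mapping starts and ends outside the hunk.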
@@ -74,7 +68,9 @@ spec:
 - name: CONTROLLER_PRESENTATION_EXPIRE_TIME
 value: {{ .Values.controllerPresentationExpireTime | quote }}
 - name: CONTROLLER_SESSION_TIMEOUT_CONFIG_FILE
- value: {{ .Values.controllerSessionTimeoutConfigFile | quote }}
+ value: /home/aries/sessiontimeout.json
+ - name: CONTROLLER_PRESENTATION_CLEANUP_TIME
+ value: {{ .Values.controllerSessionTimeoutDuration | quote }}
 - name: ACAPY_AGENT_URL
 value: {{ include "acapy.agent.url" . }}
 - name: ACAPY_ADMIN_URL
@@ -130,7 +126,7 @@ spec:
 - name: jwt-token
 mountPath: /opt/token
 - name: auth-session-ttl
- mountPath: {{ .Values.controllerSessionTimeoutConfigFile }}
+ mountPath: /home/aries/sessiontimeout.json
 subPath: sessiontimeout.json
 {{- with .Values.nodeSelector }}
 nodeSelector:
diff --git a/charts/vc-authn-oidc/values.yaml b/charts/vc-authn-oidc/values.yaml
index 7385b366..f0e6864f 100644
--- a/charts/vc-authn-oidc/values.yaml
+++ b/charts/vc-authn-oidc/values.yaml
@@ -40,8 +40,8 @@ walletDeepLinkPrefix: bcwallet://aries_proof-request
 controllerCameraRedirectUrl: wallet_howto
 ## @param controllerPresentationExpireTime The number of time in seconds a proof request will be valid for
 controllerPresentationExpireTime: 300
-## @param controllerSessionTimeoutConfigFile The file containing a json list of auth session states that are safe for deletion
-controllerSessionTimeoutConfigFile: /home/aries/sessiontimeout.json
+## @param controllerSessionTimeoutDuration The number of seconds an auth_sessions in the states defined in controllerSessionTimeoutConfig is kept for
+controllerSessionTimeoutDuration: 86400
 ## @param controllerSessionTimeoutConfig The json list of auth session states that are safe for deletion
 controllerSessionTimeoutConfig:
 - expired
From 2205723da0ff32a897c427719c7fa8eda0235074 Mon Sep 17 00:00:00 2001
From: Gavin Jaeger-Freeborn
Date: Tue, 24 Sep 2024 14:22:17 -0700
Subject: [PATCH 4/5] Split controller variables up
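Review bot: `/home/aries/sessiontimeout.json` is now a bare literal in two places — the `CONTROLLER_SESSION_TIMEOUT_CONFIG_FILE` value in the first hunk and the `mountPath` in the second — where both previously came from `.Values.controllerSessionTimeoutConfigFile`, so a later edit to one of them silently leaves the controller pointed at a path nothing is mounted on. Keep one source: declare `{{- $sessionTimeoutFile := "/home/aries/sessiontimeout.json" }}` near the top of the template and use `value: {{ $sessionTimeoutFile }}` and `mountPath: {{ $sessionTimeoutFile }}` at both sites. Because the file is mounted with `subPath`, it is a copy taken at pod start and later ConfigMap edits do not reach a running pod; if the pod template does not already carry a `checksum/config` annotation over configmap.yaml, a change to the deletable-state list will not roll the Deployment. Finally, `CONTROLLER_PRESENTATION_CLEANUP_TIME` is fed from a value named `controllerSessionTimeoutDuration`; a comment above it, `# retention (seconds) for auth_sessions in the states listed in sessiontimeout.json`, would spell out the mapping.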
Signed-off-by: Gavin Jaeger-Freeborn
---
 charts/vc-authn-oidc/README.md | 8 +++----
 charts/vc-authn-oidc/templates/configmap.yaml | 2 +-
 .../vc-authn-oidc/templates/deployment.yaml | 6 ++---
 charts/vc-authn-oidc/values.yaml | 24 ++++++++++---------
 4 files changed, 21 insertions(+), 19 deletions(-)
diff --git a/charts/vc-authn-oidc/README.md b/charts/vc-authn-oidc/README.md
index f53ba665..b419b87e 100644
--- a/charts/vc-authn-oidc/README.md
+++ b/charts/vc-authn-oidc/README.md
@@ -98,10 +98,10 @@ kubectl delete secret,pvc --selector "app.kubernetes.io/instance"=my-release | `useOobLocalDIDService` | | `false` | | `useUrlDeepLink` | if True, will use the new encoded URL (`didcomm://?_url={redirect URL}`) redirect form of the deep link | `false` | | `walletDeepLinkPrefix` | Custom URI scheme and host to use for deep links (`{walletDeepLinkPrefix}?c_i={connection payload`) | `"bcwallet://aries_proof-request"` | -| `controllerCameraRedirectUrl` | The redirect url can be a web link or the name of a template | `wallet_howto` | -| `controllerPresentationExpireTime` | The number of time in seconds a proof request will be valid for | `300` | -| `controllerSessionTimeoutDuration` | The number of seconds an auth_sessions in the states defined in `controllerSessionTimeoutConfig` is kept for | `86400` | -| `controllerSessionTimeoutConfig` | The list of auth session states that are safe for deletion | `[expired', 'failed', 'abandoned']` | +| `controller.CameraRedirectUrl` | The redirect url can be a web link or the name of a template | `wallet_howto` | +| `controller.PresentationExpire.Time` | The number of time in seconds a proof request will be valid for | `300` | +| `controller.SessionTimeout.Duration` | The number of seconds an auth_sessions in the states defined in `controllerSessionTimeoutConfig` is kept for | `86400` | +| `controller.SessionTimeout.Config` | The list of auth session states that are safe for deletion | `[expired', 'failed', 'abandoned']` | | `useHTTPS` | Prepend Agent and Admin URLs with `https` | `true` | | `logLevel` | Accepts one of the following values: CRITICAL, ERROR, WARNING, INFO, DEBUG | `INFO` | | `auth.api.existingSecret` | Specify the name of the secret containing `controllerApiKey` key. | `""` | diff --git a/charts/vc-authn-oidc/templates/configmap.yaml b/charts/vc-authn-oidc/templates/configmap.yaml index beabfe58..30cbe274 100644 --- a/charts/vc-authn-oidc/templates/configmap.yaml 
+++ b/charts/vc-authn-oidc/templates/configmap.yaml
@@ -5,4 +5,4 @@ metadata:
 labels: {{- include "vc-authn-oidc.labels" . | nindent 4 }}
 data:
 sessiontimeout.json: |
- {{ .Values.controllerSessionTimeoutConfig | toJson }}
+ {{ .Values.controller.SessionTimeout.Config | toJson }}
diff --git a/charts/vc-authn-oidc/templates/deployment.yaml b/charts/vc-authn-oidc/templates/deployment.yaml
index 705825b2..03edfc80 100644
--- a/charts/vc-authn-oidc/templates/deployment.yaml
+++ b/charts/vc-authn-oidc/templates/deployment.yaml
@@ -64,13 +64,13 @@ spec:
 name: {{ include "vc-authn-oidc.apiSecretName" . }}
 key: controllerApiKey
 - name: CONTROLLER_CAMERA_REDIRECT_URL
- value: {{ .Values.controllerCameraRedirectUrl }}
+ value: {{ .Values.controller.CameraRedirectUrl }}
 - name: CONTROLLER_PRESENTATION_EXPIRE_TIME
- value: {{ .Values.controllerPresentationExpireTime | quote }}
+ value: {{ .Values.controller.PresentationExpireTime | quote }}
 - name: CONTROLLER_SESSION_TIMEOUT_CONFIG_FILE
 value: /home/aries/sessiontimeout.json
 - name: CONTROLLER_PRESENTATION_CLEANUP_TIME
- value: {{ .Values.controllerSessionTimeoutDuration | quote }}
+ value: {{ .Values.controller.SessionTimeout.Duration | quote }}
 - name: ACAPY_AGENT_URL
 value: {{ include "acapy.agent.url" . }}
 - name: ACAPY_ADMIN_URL
diff --git a/charts/vc-authn-oidc/values.yaml b/charts/vc-authn-oidc/values.yaml
index f0e6864f..ea335ba3 100644
--- a/charts/vc-authn-oidc/values.yaml
+++ b/charts/vc-authn-oidc/values.yaml
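Review bot: `value: {{ .Values.controller.CameraRedirectUrl }}` in the deployment.yaml hunk is rendered without `| quote`, unlike the `CONTROLLER_PRESENTATION_EXPIRE_TIME` and `CONTROLLER_PRESENTATION_CLEANUP_TIME` values a few lines below. An env `value` must be a string, so an operator who overrides this with something YAML types as a number or boolean gets a validation error at install time, and a value containing `: ` or ` #` corrupts the rendered manifest; the default `wallet_howto` happens to be safe. The line is only renamed here and renamed again in the PATCH 5 hunk of the same file, where the same fix applies: `value: {{ .Values.controller.cameraRedirectUrl | quote }}`.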
@@ -36,17 +36,19 @@ useOobLocalDIDService: false
 useUrlDeepLink: false
 ## @param walletDeepLinkPrefix URI scheme and host to use in deep links ((e.g. `{WALLET_DEEP_LINK_PREFIX}?c_i={connection invitation payload`))
 walletDeepLinkPrefix: bcwallet://aries_proof-request
-## @param controllerCameraRedirectUrl The redirect url can be a web link or the name of a template
-controllerCameraRedirectUrl: wallet_howto
-## @param controllerPresentationExpireTime The number of time in seconds a proof request will be valid for
-controllerPresentationExpireTime: 300
-## @param controllerSessionTimeoutDuration The number of seconds an auth_sessions in the states defined in controllerSessionTimeoutConfig is kept for
-controllerSessionTimeoutDuration: 86400
-## @param controllerSessionTimeoutConfig The json list of auth session states that are safe for deletion
-controllerSessionTimeoutConfig:
- - expired
- - failed
- - abandoned
+## @param controller.CameraRedirectUrl The redirect url can be a web link or the name of a template
+## @param controller.PresentationExpireTime The number of time in seconds a proof request will be valid for
+## @param controller.SessionTimeout.Duration The number of seconds an auth_sessions in the states defined in controllerSessionTimeoutConfig is kept for
+## @param controller.SessionTimeout.Config The json list of auth session states that are safe for deletion
+controller:
+ CameraRedirectUrl: wallet_howto
+ PresentationExpireTime: 300
+ SessionTimeout:
+ Duration: 86400
+ Config:
+ - expired
+ - failed
+ - abandoned
 ## @param useHTTPS Prepend Agent and Admin URLs with `https`
 useHTTPS: true
 ## @param logLevel Accepts one of the following values: CRITICAL, ERROR, WARNING, INFO, DEBUG
From af57d9b11f88f26d60542f13df24d8247419da51 Mon Sep 17 00:00:00 2001
From: Gavin Jaeger-Freeborn
Date: Wed, 25 Sep 2024 09:58:00 -0700
Subject: [PATCH 5/5] Make helm variables camelcase
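Review bot: The new `## @param controller.SessionTimeout.Duration` description still says the states are "defined in controllerSessionTimeoutConfig", a key this very hunk removes, so the annotation points at a value that no longer exists; it should follow the rename, `## @param controller.SessionTimeout.Duration The number of seconds an auth_session in the states listed in controller.SessionTimeout.Config is kept for` (which also drops the stray plural in "an auth_sessions"). The same stale text is carried into the PATCH 5 hunk of this file under `controller.sessionTimeout.duration`. If the README table is generated from these `@param` annotations, regenerating it would also correct the README row that documents `controller.PresentationExpire.Time` while the key defined here is `PresentationExpireTime`.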
Signed-off-by: Gavin Jaeger-Freeborn
---
 charts/vc-authn-oidc/README.md | 8 ++++----
 charts/vc-authn-oidc/templates/configmap.yaml | 2 +-
 charts/vc-authn-oidc/templates/deployment.yaml | 6 +++---
 charts/vc-authn-oidc/values.yaml | 18 +++++++++---------
 4 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/charts/vc-authn-oidc/README.md b/charts/vc-authn-oidc/README.md
index b419b87e..aa99b139 100644
--- a/charts/vc-authn-oidc/README.md
+++ b/charts/vc-authn-oidc/README.md
@@ -98,10 +98,10 @@ kubectl delete secret,pvc --selector "app.kubernetes.io/instance"=my-release | `useOobLocalDIDService` | | `false` | | `useUrlDeepLink` | if True, will use the new encoded URL (`didcomm://?_url={redirect URL}`) redirect form of the deep link | `false` | | `walletDeepLinkPrefix` | Custom URI scheme and host to use for deep links (`{walletDeepLinkPrefix}?c_i={connection payload`) | `"bcwallet://aries_proof-request"` | -| `controller.CameraRedirectUrl` | The redirect url can be a web link or the name of a template | `wallet_howto` | -| `controller.PresentationExpire.Time` | The number of time in seconds a proof request will be valid for | `300` | -| `controller.SessionTimeout.Duration` | The number of seconds an auth_sessions in the states defined in `controllerSessionTimeoutConfig` is kept for | `86400` | -| `controller.SessionTimeout.Config` | The list of auth session states that are safe for deletion | `[expired', 'failed', 'abandoned']` | +| `controller.cameraRedirectUrl` | The redirect url can be a web link or the name of a template | `wallet_howto` | +| `controller.presentationExpire.time` | The number of time in seconds a proof request will be valid for | `300` | +| `controller.sessionTimeout.duration` | The number of seconds an auth_sessions in the states defined in `controllerSessionTimeoutConfig` is kept for | `86400` | +| `controller.sessionTimeout.config` | The list of auth session states that are safe for deletion | `[expired', 'failed', 'abandoned']` | | `useHTTPS` | Prepend Agent and Admin URLs with `https` | `true` | | `logLevel` | Accepts one of the following values: CRITICAL, ERROR, WARNING, INFO, DEBUG | `INFO` | | `auth.api.existingSecret` | Specify the name of the secret containing `controllerApiKey` key. | `""` | diff --git a/charts/vc-authn-oidc/templates/configmap.yaml b/charts/vc-authn-oidc/templates/configmap.yaml index 30cbe274..d5a691c9 100644 --- a/charts/vc-authn-oidc/templates/configmap.yaml 
+++ b/charts/vc-authn-oidc/templates/configmap.yaml
@@ -5,4 +5,4 @@ metadata:
 labels: {{- include "vc-authn-oidc.labels" . | nindent 4 }}
 data:
 sessiontimeout.json: |
- {{ .Values.controller.SessionTimeout.Config | toJson }}
+ {{ .Values.controller.sessionTimeout.config | toJson }}
diff --git a/charts/vc-authn-oidc/templates/deployment.yaml b/charts/vc-authn-oidc/templates/deployment.yaml
index 03edfc80..8a08966a 100644
--- a/charts/vc-authn-oidc/templates/deployment.yaml
+++ b/charts/vc-authn-oidc/templates/deployment.yaml
@@ -64,13 +64,13 @@ spec:
 name: {{ include "vc-authn-oidc.apiSecretName" . }}
 key: controllerApiKey
 - name: CONTROLLER_CAMERA_REDIRECT_URL
- value: {{ .Values.controller.CameraRedirectUrl }}
+ value: {{ .Values.controller.cameraRedirectUrl }}
 - name: CONTROLLER_PRESENTATION_EXPIRE_TIME
- value: {{ .Values.controller.PresentationExpireTime | quote }}
+ value: {{ .Values.controller.presentationExpireTime | quote }}
 - name: CONTROLLER_SESSION_TIMEOUT_CONFIG_FILE
 value: /home/aries/sessiontimeout.json
 - name: CONTROLLER_PRESENTATION_CLEANUP_TIME
- value: {{ .Values.controller.SessionTimeout.Duration | quote }}
+ value: {{ .Values.controller.sessionTimeout.duration | quote }}
 - name: ACAPY_AGENT_URL
 value: {{ include "acapy.agent.url" . }}
 - name: ACAPY_ADMIN_URL
diff --git a/charts/vc-authn-oidc/values.yaml b/charts/vc-authn-oidc/values.yaml
index ea335ba3..8a5aac04 100644
--- a/charts/vc-authn-oidc/values.yaml
+++ b/charts/vc-authn-oidc/values.yaml
@@ -36,16 +36,16 @@ useOobLocalDIDService: false
 useUrlDeepLink: false
 ## @param walletDeepLinkPrefix URI scheme and host to use in deep links ((e.g. `{WALLET_DEEP_LINK_PREFIX}?c_i={connection invitation payload`))
 walletDeepLinkPrefix: bcwallet://aries_proof-request
-## @param controller.CameraRedirectUrl The redirect url can be a web link or the name of a template
-## @param controller.PresentationExpireTime The number of time in seconds a proof request will be valid for
-## @param controller.SessionTimeout.Duration The number of seconds an auth_sessions in the states defined in controllerSessionTimeoutConfig is kept for
-## @param controller.SessionTimeout.Config The json list of auth session states that are safe for deletion
+## @param controller.cameraRedirectUrl The redirect url can be a web link or the name of a template
+## @param controller.presentationExpireTime The number of time in seconds a proof request will be valid for
+## @param controller.sessionTimeout.duration The number of seconds an auth_sessions in the states defined in controllerSessionTimeoutConfig is kept for
+## @param controller.sessionTimeout.config The json list of auth session states that are safe for deletion
 controller:
- CameraRedirectUrl: wallet_howto
- PresentationExpireTime: 300
- SessionTimeout:
- Duration: 86400
- Config:
+ cameraRedirectUrl: wallet_howto
+ presentationExpireTime: 300
+ sessionTimeout:
+ duration: 86400
+ config:
 - expired
 - failed
 - abandoned