Merge pull request #6 from AmadeusITGroup/docs/add_cve_info #20
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Deploy Connector | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - 'deployment/**' | |
| pull_request: | |
| paths: | |
| - 'deployment/**' | |
| permissions: | |
| contents: read | |
| jobs: | |
| Deploy-Connector: | |
| defaults: | |
| run: | |
| working-directory: ./deployment/connector | |
| env: | |
| CLUSTER_NAME: eonax-cluster | |
| DID_WEB: did:web:localhost:ih:did | |
| IH_RESOLUTION_URL: http://localhost/ih/resolution | |
| CP_DSP_URL: http://localhost/cp/dsp | |
| DP_PUBLIC_URL: http://localhost/dp/public | |
| permissions: | |
| checks: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| token: ${{ secrets.CICD_TOKEN }} | |
| - name: 'Setup Terraform' | |
| uses: hashicorp/[email protected] | |
| with: | |
| terraform_version: 1.6.0 | |
| terraform_wrapper: false | |
| - name: 'Install Vault CLI' | |
| shell: bash | |
| env: | |
| VAULT_VERSION: 1.16.0 | |
| run: | | |
| # Download the Vault binary | |
| curl -Lo vault.zip https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip | |
| # Unzip the downloaded file | |
| unzip vault.zip | |
| # Move the vault binary to /usr/local/bin | |
| sudo mv vault /usr/local/bin/ | |
| # Display Vault version | |
| vault version | |
| - name: 'Create Kubernetes cluster' | |
| uses: helm/[email protected] | |
| with: | |
| cluster_name: ${{ env.CLUSTER_NAME }} | |
| config: ./deployment/kind.config.yaml | |
| - name: 'Create Ingress Controller' | |
| shell: bash | |
| run: | | |
| kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml | |
| kubectl wait \ | |
| --namespace ingress-nginx \ | |
| --for=condition=ready pod \ | |
| --selector=app.kubernetes.io/component=controller \ | |
| --timeout=90s | |
| - name: 'Install Vault and DB' | |
| working-directory: ./deployment/storage | |
| shell: bash | |
| run: | | |
| terraform init | |
| terraform apply -auto-approve | |
| - name: 'Login to Docker registry' | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_TOKEN }} | |
| - name: 'Pull Docker images and Helm charts' | |
| shell: bash | |
| run: | | |
| for i in control-plane data-plane identity-hub; do \ | |
| image=eonax-$i-postgresql-hashicorpvault; \ | |
| ## pull the Docker image | |
| docker pull ${{ vars.DOCKER_REPO }}/$image:${{ vars.EONAX_VERSION }}; \ | |
| ## tag image with version latest | |
| docker tag ${{ vars.DOCKER_REPO }}/$image:${{ vars.EONAX_VERSION }} $image:latest; \ | |
| ## load image to the cluster | |
| kind load docker-image $image:latest --name ${{ env.CLUSTER_NAME }}; \ | |
| ## pull Helm charts | |
| chart=${i//-/}; \ | |
| helm pull ${{ vars.HELM_REPO }}/$chart --version ${{ vars.EONAX_VERSION }}; \ | |
| mv $chart-${{ vars.EONAX_VERSION }}.tgz $chart.tgz; \ | |
| done | |
| - name: 'Download SQL files' | |
| working-directory: ./deployment | |
| shell: bash | |
| run: | | |
| jq -r --arg version "${{ vars.EDC_VERSION }}" '.files[] | "https://raw.githubusercontent.com/eclipse-edc/\(.repo)/\($version)/\(.path)/src/main/resources/\(.file_name)"' sql.json | \ | |
| tr -d '\r' | \ | |
| while read -r url; do curl -o "./connector/sql/$(basename "$url")" "$url"; done | |
| - name: 'Create terraform.tfvars file' | |
| shell: bash | |
| run: | | |
| cat <<EOF > terraform.tfvars | |
| identity_hub_did_web_url = "${{ env.DID_WEB }}" | |
| control_plane_dsp_url = "${{ env.CP_DSP_URL }}" | |
| data_plane_public_url = "${{ env.DP_PUBLIC_URL }}" | |
| EOF | |
| - name: 'Install connector' | |
| shell: bash | |
| run: | | |
| terraform init | |
| terraform apply -auto-approve | |
| - name: 'Generate keys' | |
| shell: bash | |
| env: | |
| VAULT_TOKEN: root | |
| VAULT_ADDR: http://localhost/vault | |
| run: | | |
| openssl genpkey -algorithm RSA -out private-key.pem -pkeyopt rsa_keygen_bits:2048 && \ | |
| openssl rsa -pubout -in private-key.pem -out public-key.pem && \ | |
| for k in public-key private-key; do vault kv put secret/$k content=@$k.pem; done | |
| - name: 'Create participant context' | |
| shell: bash | |
| run: | | |
| didBase64Url=$(echo -n "$DID_WEB" | base64 | tr '+/' '-_' | tr -d '=') | |
| curl -X POST -H "Content-Type: application/json" -d "$(cat <<EOF | |
| { | |
| "participantId": "${{ env.DID_WEB }}", | |
| "did": "${{ env.DID_WEB }}", | |
| "active": true, | |
| "key": { | |
| "keyId": "my-key", | |
| "privateKeyAlias": "private-key", | |
| "publicKeyPem": "$(awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' public-key.pem)" | |
| }, | |
| "serviceEndpoints": [ | |
| { | |
| "id": "credential-service-url", | |
| "type": "CredentialService", | |
| "serviceEndpoint": "$IH_RESOLUTION_URL/v1/participants/$didBase64Url" | |
| }, | |
| { | |
| "id": "dsp-url", | |
| "type": "DSPMessaging", | |
| "serviceEndpoint": "$CP_DSP_URL" | |
| } | |
| ] | |
| } | |
| EOF | |
| )" http://localhost/ih/identity/v1alpha/participants | |
| - name: 'Add membership VC' | |
| shell: bash | |
| run: | | |
| didBase64Url=$(echo -n "$DID_WEB" | base64 | tr '+/' '-_' | tr -d '=') | |
| curl -X POST -H "Content-Type: application/json" -d "$(cat <<EOF | |
| { | |
| "participantId": "${{ env.DID_WEB }}", | |
| "verifiableCredentialContainer": { | |
| "rawVc": "eyJraWQiOiJkaWQ6d2ViOmF1dGhvcml0eS1pZGVudGl0eWh1YiUzQTgzODM6YXBpOmRpZCNteS1rZXkiLCJhbGciOiJFUzI1NiJ9.eyJpc3MiOiJkaWQ6d2ViOmF1dGhvcml0eS1pZGVudGl0eWh1YiUzQTgzODM6YXBpOmRpZCIsInN1YiI6ImRpZDp3ZWI6cHJvdmlkZXItaWRlbnRpdHlodWIlM0E4MzgzOmFwaTpkaWQiLCJ2YyI6eyJjcmVkZW50aWFsU3ViamVjdCI6W3siaWQiOiJkaWQ6d2ViOnByb3ZpZGVyLWlkZW50aXR5aHViJTNBODM4MzphcGk6ZGlkIiwibmFtZSI6InByb3ZpZGVyIiwibWVtYmVyc2hpcCI6eyJtZW1iZXJzaGlwVHlwZSI6IkZ1bGxNZW1iZXIiLCJzaW5jZSI6IjIwMjMtMDEtMDFUMDA6MDA6MDBaIn19XSwiaWQiOiIzMTkxNWJjOC0wODhjLTQwZDYtYTAxNC03YTk4YmNkNzBiY2IiLCJ0eXBlIjpbIlZlcmlmaWFibGVDcmVkZW50aWFsIiwiTWVtYmVyc2hpcENyZWRlbnRpYWwiXSwiaXNzdWVyIjp7ImlkIjoiZGlkOndlYjphdXRob3JpdHktaWRlbnRpdHlodWIlM0E4MzgzOmFwaTpkaWQiLCJhZGRpdGlvbmFsUHJvcGVydGllcyI6e319LCJpc3N1YW5jZURhdGUiOiIyMDI0LTA4LTE0VDE0OjMzOjQwWiIsImV4cGlyYXRpb25EYXRlIjpudWxsLCJjcmVkZW50aWFsU3RhdHVzIjpbXSwiZGVzY3JpcHRpb24iOm51bGwsIm5hbWUiOm51bGx9LCJpYXQiOjE3MjM2NDYwMjB9.FD4vjPomuKusPdyWlMRcOgbzUhGC7kyliw6My6HFrQzdAcKGC6N_BW-Cg4pHAX4f2O4EhFn5WJr-uB2UaZOHlQ", | |
| "format": "JWT", | |
| "credential": { | |
| "credentialSubject": [ | |
| { | |
| "id": "${{ env.DID_WEB }}", | |
| "name": "provider", | |
| "membership": { | |
| "membershipType": "FullMember", | |
| "since": "2023-01-01T00:00:00Z" | |
| } | |
| } | |
| ], | |
| "id": "31915bc8-088c-40d6-a014-7a98bcd70bcb", | |
| "type": [ | |
| "VerifiableCredential", | |
| "MembershipCredential" | |
| ], | |
| "issuer": { | |
| "id": "did:web:eonax-authority-url:api:did", | |
| "additionalProperties": {} | |
| }, | |
| "issuanceDate": "2024-08-14T14:33:40Z", | |
| "expirationDate": null, | |
| "credentialStatus": [], | |
| "description": null, | |
| "name": null | |
| } | |
| } | |
| } | |
| EOF | |
| )" http://localhost/ih/identity/v1alpha/participants/$didBase64Url/credentials |