AmadeusITGroup
diff --git a/‎.github/workflows/deploy-connector.yaml
+186 b/‎.github/workflows/deploy-connector.yaml
+186
diff --git a/‎.github/workflows/terraform.yaml
+1-1 b/‎.github/workflows/terraform.yaml
+1-1
diff --git a/‎.gitignore
+4-1 b/‎.gitignore
+4-1
diff --git a/‎deployment/connector/controlplane.tf
+95 b/‎deployment/connector/controlplane.tf
+95
diff --git a/‎deployment/connector/dataplane.tf
+94 b/‎deployment/connector/dataplane.tf
+94
@@ -0,0 +1,186 @@
+name: Deploy Connector
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths:
+      - 'deployment/**'
+  pull_request:
+    paths:
+      - 'deployment/**'
+
+permissions:
+  contents: read
+
+jobs:
+
+  Deploy-Connector:
+    defaults:
+      run:
+        working-directory: ./deployment
+
+    env:
+      CLUSTER_NAME: eonax-cluster
+      DID_WEB: did:web:localhost:ih:did
+    permissions:
+      checks: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.CICD_TOKEN }}
+
+      - name: 'Setup Terraform'
+        uses: hashicorp/[email protected]
+        with:
+          terraform_version: 1.6.0
+          terraform_wrapper: false
+
+      - name: 'Create Kubernetes cluster'
+        uses: helm/[email protected]
+        with:
+          cluster_name: ${{ env.CLUSTER_NAME }}
+          config: kind.config.yaml
+
+      - name: 'Create Ingress Controller'
+        shell: bash
+        run: |
+          kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
+          kubectl wait \
+            --namespace ingress-nginx \
+            --for=condition=ready pod \
+            --selector=app.kubernetes.io/component=controller \
+            --timeout=90s
+
+      - name: 'Install Vault and DB'
+        working-directory: ./deployment/storage
+        shell: bash
+        run: |
+          terraform init
+          terraform apply -auto-approve
+
+      - name: 'Login to Docker registry'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_TOKEN }}
+
+      - name: 'Pull Docker images and Helm charts'
+        working-directory: ./deployment/connector
+        shell: bash
+        run: |
+          for i in control-plane data-plane identity-hub; do \
+            image=eonax-$i-postgresql-hashicorpvault; \
+          
+            ## pull the Docker image
+            docker pull ${{ vars.DOCKER_REPO }}/$image:${{ vars.EONAX_VERSION }}; \
+            ## tag image with version latest
+            docker tag ${{ vars.DOCKER_REPO }}/$image:${{ vars.EONAX_VERSION }} $image:latest; \
+            ## load image to the cluster
+            kind load docker-image $image:latest --name ${{ env.CLUSTER_NAME }}; \
+          
+            ## pull Helm charts
+            chart=${i//-/}; \
+            helm pull ${{ vars.HELM_REPO }}/$chart --version ${{ vars.EONAX_VERSION }}; \
+            mv $chart-${{ vars.EONAX_VERSION }}.tgz $chart.tgz; \
+          done
+
+      - name: 'Download SQL files'
+        shell: bash
+        working-directory: ./deployment/connector
+        run: |
+          jq -r   --arg version "${{ vars.EDC_VERSION }}" '.files[] | "https://raw.githubusercontent.com/eclipse-edc/\(.repo)/\($version)/\(.path)/src/main/resources/\(.file_name)"' sql.json | \
+            tr -d '\r' | \
+            while read -r url; do curl -o "./connector/sql/$(basename "$url")"  "$url"; done
+
+      - name: 'Install connector'
+        shell: bash
+        working-directory: ./deployment/connector
+        run: |
+          terraform init
+          terraform apply -auto-approve
+
+      - name: 'Generate keys'
+        shell: bash
+        run: |
+          openssl genpkey -algorithm RSA -out private-key.pem -pkeyopt rsa_keygen_bits:2048 && \
+          openssl rsa -pubout -in private-key.pem -out public-key.pem && \
+          for k in public-key private-key; do VAULT_TOKEN=root VAULT_ADDR=http://localhost/vault vault kv put secret/$k content=@$k.pem; done
+
+      - name: 'Create participant context'
+        shell: bash
+        env:
+          IH_RESOLUTION_URL: http://localhost/ih/resolution
+          CP_DSP_URL: http://localhost/cp/dsp
+        run: |
+          didBase64Url=$(echo -n "$DID_WEB" | base64 | tr '+/' '-_' | tr -d '=')
+
+          curl -X POST -H "Content-Type: application/json" -d "$(cat <<EOF
+            {
+              "participantId": "${{ env.DID_WEB }}",
+              "did": "${{ env.DID_WEB }}",
+              "active": true,
+              "key": {
+                "keyId": "my-key",
+                "privateKeyAlias": "private-key",
+                "publicKeyPem": "$(awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' public-key.pem)"
+            },
+          "serviceEndpoints": [
+            {
+              "id": "credential-service-url",
+              "type": "CredentialService",
+              "serviceEndpoint": "$IH_RESOLUTION_URL/v1/participants/$didBase64Url"
+            },
+            {
+              "id": "dsp-url",
+              "type": "DSPMessaging",
+              "serviceEndpoint": "$CP_DSP_URL"
+            }
+          ]
+          }
+            EOF
+            )" http://localhost/ih/identity/v1alpha/participants
+
+      - name: 'Add membership VC'
+        shell: bash
+        run: |
+          didBase64Url=$(echo -n "$DID_WEB" | base64 | tr '+/' '-_' | tr -d '=')
+
+          curl -X POST -H "Content-Type: application/json" -d "$(cat <<EOF
+            {
+              "participantId": "${{ env.DID_WEB }}",
+              "verifiableCredentialContainer": {
+                "rawVc": "eyJraWQiOiJkaWQ6d2ViOmF1dGhvcml0eS1pZGVudGl0eWh1YiUzQTgzODM6YXBpOmRpZCNteS1rZXkiLCJhbGciOiJFUzI1NiJ9.eyJpc3MiOiJkaWQ6d2ViOmF1dGhvcml0eS1pZGVudGl0eWh1YiUzQTgzODM6YXBpOmRpZCIsInN1YiI6ImRpZDp3ZWI6cHJvdmlkZXItaWRlbnRpdHlodWIlM0E4MzgzOmFwaTpkaWQiLCJ2YyI6eyJjcmVkZW50aWFsU3ViamVjdCI6W3siaWQiOiJkaWQ6d2ViOnByb3ZpZGVyLWlkZW50aXR5aHViJTNBODM4MzphcGk6ZGlkIiwibmFtZSI6InByb3ZpZGVyIiwibWVtYmVyc2hpcCI6eyJtZW1iZXJzaGlwVHlwZSI6IkZ1bGxNZW1iZXIiLCJzaW5jZSI6IjIwMjMtMDEtMDFUMDA6MDA6MDBaIn19XSwiaWQiOiIzMTkxNWJjOC0wODhjLTQwZDYtYTAxNC03YTk4YmNkNzBiY2IiLCJ0eXBlIjpbIlZlcmlmaWFibGVDcmVkZW50aWFsIiwiTWVtYmVyc2hpcENyZWRlbnRpYWwiXSwiaXNzdWVyIjp7ImlkIjoiZGlkOndlYjphdXRob3JpdHktaWRlbnRpdHlodWIlM0E4MzgzOmFwaTpkaWQiLCJhZGRpdGlvbmFsUHJvcGVydGllcyI6e319LCJpc3N1YW5jZURhdGUiOiIyMDI0LTA4LTE0VDE0OjMzOjQwWiIsImV4cGlyYXRpb25EYXRlIjpudWxsLCJjcmVkZW50aWFsU3RhdHVzIjpbXSwiZGVzY3JpcHRpb24iOm51bGwsIm5hbWUiOm51bGx9LCJpYXQiOjE3MjM2NDYwMjB9.FD4vjPomuKusPdyWlMRcOgbzUhGC7kyliw6My6HFrQzdAcKGC6N_BW-Cg4pHAX4f2O4EhFn5WJr-uB2UaZOHlQ",
+                "format": "JWT",
+                "credential": {
+                  "credentialSubject": [
+                    {
+                      "id": "${{ env.DID_WEB }}",
+                      "name": "provider",
+                      "membership": {
+                        "membershipType": "FullMember",
+                        "since": "2023-01-01T00:00:00Z"
+                      }
+                    }
+                  ],
+                  "id": "31915bc8-088c-40d6-a014-7a98bcd70bcb",
+                  "type": [
+                    "VerifiableCredential",
+                    "MembershipCredential"
+                  ],
+                  "issuer": {
+                    "id": "did:web:eonax-authority-url:api:did",
+                    "additionalProperties": {}
+                  },
+                  "issuanceDate": "2024-08-14T14:33:40Z",
+                  "expirationDate": null,
+                  "credentialStatus": [],
+                  "description": null,
+                  "name": null
+                }
+              }
+            }
+            EOF
+            )" http://localhost/ih/identity/v1alpha/participants/$didBase64Url/credentials
@@ -3,7 +3,7 @@ name: Terraform
 on:
   push:
     branches:
-      - master
+      - main
     paths:
       - 'deployment/**'
   pull_request:
 
@@ -36,4 +36,7 @@ hs_err_pid*
 ## Helm stuff
 requirements.lock
 Chart.lock
-**/charts/
+**/charts/
+
+# packages Helm charts
+*.tgz
@@ -0,0 +1,95 @@
+locals {
+  controlplane_release_name = "controlplane"
+}
+
+resource "helm_release" "controlplane" {
+  name              = local.controlplane_release_name
+  cleanup_on_fail   = true
+  dependency_update = true
+  recreate_pods     = true
+  chart             = "./controlplane.tgz"
+
+  values = [
+    yamlencode({
+      "controlplane" : {
+        "image" : {
+          "repository" : "eonax-control-plane-postgresql-hashicorpvault"
+          "tag" : "latest"
+          "pullPolicy" : "Never"
+        },
+        "keys" : {
+          "sts" : {
+            "privateKeyVaultAlias" : var.private_key_alias,
+            "publicKeyId" : "${var.identity_hub_did_web_url}#my-key"
+          }
+        },
+        "did" : {
+          "web" : {
+            "url" : var.identity_hub_did_web_url
+            "useHttps" : false
+          }
+        },
+
+        "url" : {
+          "protocol" : var.control_plane_dsp_url
+        },
+
+        "logging" : <<EOT
+        .level=DEBUG
+        org.eclipse.edc.level=ALL
+        handlers=java.util.logging.ConsoleHandler
+        java.util.logging.ConsoleHandler.formatter=java.util.logging.SimpleFormatter
+        java.util.logging.ConsoleHandler.level=ALL
+        java.util.logging.SimpleFormatter.format=[%1$tY-%1$tm-%1$td %1$tH:%1$tM:%1$tS] [%4$-7s] %5$s%6$s%n
+               EOT
+
+        "config" : <<EOT
+edc.vault.hashicorp.token.scheduled-renew-enabled=false
+edc.negotiation.state-machine.iteration-wait-millis=${var.negotiation_state_machine_wait_millis}
+edc.transfer.state-machine.iteration-wait-millis=${var.transfer_state_machine_wait_millis}
+edc.policy.monitor.state-machine.iteration-wait-millis=${var.policy_monitor_state_machine_wait_millis}
+        EOT
+
+        "ingress" : {
+          "enabled" : true
+          "className" : "nginx"
+          "annotations" : {
+            "nginx.ingress.kubernetes.io/ssl-redirect" : "false"
+            "nginx.ingress.kubernetes.io/use-regex" : "true"
+            "nginx.ingress.kubernetes.io/rewrite-target" : "/api/$1$2"
+          },
+          "endpoints" : [
+            {
+              "port" : 8181,
+              "path" : "/cp/(management)(.*)"
+            },
+            {
+              "port" : 8282,
+              "path" : "/cp/(dsp)(.*)"
+            }
+          ]
+        },
+        "postgresql" : {
+          "jdbcUrl" : "jdbc:postgresql://${var.db_server_fqdn}/${var.db_name}",
+          "credentials" : {
+            "secret" : {
+              "name" : kubernetes_secret.db-user-credentials.metadata.0.name
+            }
+          }
+        },
+        "vault" : {
+          "hashicorp" : {
+            "url" : var.vault_url
+            "token" : {
+              "secret" : {
+                "name" : var.vault_token_secret_name
+              }
+            }
+          }
+        }
+      }
+    })
+  ]
+
+  depends_on = [module.db]
+}
@@ -0,0 +1,94 @@
+locals {
+  dataplane_release_name = "dataplane"
+
+  dpf_selector_url = "http://${local.controlplane_release_name}:8383/api/control/v1/dataplanes"
+}
+
+resource "helm_release" "dataplane" {
+  name              = local.dataplane_release_name
+  cleanup_on_fail   = true
+  dependency_update = true
+  recreate_pods     = true
+  chart             = "./dataplane.tgz"
+
+  values = [
+    yamlencode({
+      "dataplane" : {
+        "image" : {
+          "repository" : "eonax-data-plane-postgresql-hashicorpvault"
+          "tag" : "latest"
+          "pullPolicy" : "Never"
+        },
+        "keys" : {
+          // use the same key pair for simplicity
+          "dataplane" : {
+            "privateKeyVaultAlias" : var.private_key_alias,
+            "publicKeyVaultAlias" : var.public_key_alias
+          }
+        }
+
+        "logging" : <<EOT
+        .level=INFO
+        org.eclipse.edc.level=ALL
+        handlers=java.util.logging.ConsoleHandler
+        java.util.logging.ConsoleHandler.formatter=java.util.logging.SimpleFormatter
+        java.util.logging.ConsoleHandler.level=ALL
+        java.util.logging.SimpleFormatter.format=[%1$tY-%1$tm-%1$td %1$tH:%1$tM:%1$tS] [%4$-7s] %5$s%6$s%n
+               EOT
+
+        "config" : <<EOT
+edc.vault.hashicorp.token.scheduled-renew-enabled=false
+edc.dataplane.state-machine.iteration-wait-millis=${var.data_plane_state_machine_wait_millis}
+        EOT
+        "ingress" : {
+          "enabled" : true
+          "className" : "nginx"
+          "annotations" : {
+            "nginx.ingress.kubernetes.io/ssl-redirect" : "false"
+            "nginx.ingress.kubernetes.io/use-regex" : "true"
+            "nginx.ingress.kubernetes.io/rewrite-target" : "/api/$1$2"
+          },
+          "endpoints" : [
+            {
+              "port" : 8181,
+              "path" : "/dp/(public)(.*)"
+            },
+            {
+              "port" : 8282,
+              "path" : "/dp/(data)(.*)"
+            }
+          ]
+        },
+
+        "selector" : {
+          "url" : local.dpf_selector_url
+        }
+
+        "url" : {
+          "public" : var.data_plane_public_url
+        },
+
+        "postgresql" : {
+          "jdbcUrl" : "jdbc:postgresql://${var.db_server_fqdn}/${var.db_name}",
+          "credentials" : {
+            "secret" : {
+              "name" : kubernetes_secret.db-user-credentials.metadata.0.name
+            }
+          }
+        },
+        "vault" : {
+          "hashicorp" : {
+            "url" : var.vault_url
+            "token" : {
+              "secret" : {
+                "name" : var.vault_token_secret_name
+              }
+            }
+          }
+        }
+      }
+    })
+  ]
+
+  depends_on = [module.db, helm_release.controlplane]
+}