feat: replace using hard-coded certs with dynamically generated ones (#342)

* feat: replace using hard-coded certs with dynamically generated ones

* added az login

* set AZ KeyVault secrets before deploy test

* allow no sub

* escape command

* avoid logging of sensitive info

Author: paullatzelsperger

.github/actions/run-deployment-test/action.yml

@@ -69,6 +69,11 @@ runs:
     ###################################################
     # Install the test infrastructure
     ###################################################
+    - name: "Generate test credentials"
+      shell: bash
+      run: |-
+        sh -c "edc-tests/deployment/src/main/resources/prepare-test.sh \
+               edc-tests/deployment/src/main/resources/helm/test-infrastructure/values.yaml"
     - name: Install Infrastructure
       shell: bash
       run: |-

.github/workflows/deploy-test-secrets

@@ -82,7 +82,7 @@ jobs:
           helm_command: |-
             helm install tx-inmem charts/tractusx-connector-memory \
             -f charts/tractusx-connector-memory/example.yaml \
-            --set vault.secrets="$(cat ./.github/workflows/deploy-test-secrets)" \
+            --set vault.secrets="daps-crt:$(cat daps.cert);daps-key:$(cat daps.key)" \
             --wait-for-jobs --timeout=120s
             
             # wait for the pod to become ready
@@ -123,12 +123,20 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/[email protected]
+      - uses: Azure/login@v1
+        with:
+          creds: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'
+          allow-no-subscriptions: true
       - uses: ./.github/actions/run-deployment-test
         name: "Run deployment test using KinD and Helm"
         with:
           imagename: "edc-controlplane-postgresql-azure-vault edc-dataplane-azure-vault"
           rootDir: "."
           helm_command: |-
+            az keyvault secret set --vault-name ${{ secrets.AZURE_VAULT_NAME }} --name daps-crt --value "$(cat daps.cert)" > /dev/null
+            az keyvault secret set --vault-name ${{ secrets.AZURE_VAULT_NAME }} --name daps-key --value "$(cat daps.key)" > /dev/null
+            az keyvault secret set --vault-name ${{ secrets.AZURE_VAULT_NAME }} --name aes-keys --value "$(cat aes.key)" > /dev/null
+            
             helm install tx-prod charts/tractusx-connector-azure-vault \
              -f edc-tests/deployment/src/main/resources/helm/tractusx-connector-azure-vault-test.yaml \
              --dependency-update \

.github/workflows/deployment-test.yaml

@@ -5,12 +5,9 @@
 
 fullnameOverride: ""
 nameOverride: ""
-
 # -- Existing image pull secret to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry)
 imagePullSecrets: []
-
 customLabels: {}
-
 runtime:
   controlplane:
     image:
@@ -214,17 +211,16 @@ runtime:
     # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories
     volumes: []
     # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container
-    resources:
-      {}
-      # We usually recommend not to specify default resources and to leave this as a conscious
-      # choice for the user. This also increases chances charts run on environments with little
-      # resources, such as Minikube. If you do want to specify resources, uncomment the following
-      # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-      # limits:
-      #   cpu: 100m
-      #   memory: 128Mi
-      # requests:
-      #   cpu: 100m
+    resources: {}
+    # We usually recommend not to specify default resources and to leave this as a conscious
+    # choice for the user. This also increases chances charts run on environments with little
+    # resources, such as Minikube. If you do want to specify resources, uncomment the following
+    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+    # limits:
+    #   cpu: 100m
+    #   memory: 128Mi
+    # requests:
+    #   cpu: 100m
     #   memory: 128Mi
     replicaCount: 1
     autoscaling:
@@ -250,18 +246,15 @@ runtime:
       java.util.logging.ConsoleHandler.formatter=java.util.logging.SimpleFormatter
       java.util.logging.ConsoleHandler.level=ALL
       java.util.logging.SimpleFormatter.format=[%1$tY-%1$tm-%1$td %1$tH:%1$tM:%1$tS] [%4$-7s] %5$s%6$s%n
-
     # [node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain pods to nodes
     nodeSelector: {}
     # [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes
     tolerations: []
     # [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on
     affinity: {}
-
     url:
       # -- Explicitly declared url for reaching the ids api (e.g. if ingresses not used)
       ids: ""
-
   dataplane:
     image:
       # -- Which derivate of the data plane to use. when left empty the deployment will select the correct image automatically
@@ -415,17 +408,16 @@ runtime:
     # -- [volume](https://kubernetes.io/docs/concepts/storage/volumes/) directories
     volumes: []
     # -- [resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the container
-    resources:
-      {}
-      # We usually recommend not to specify default resources and to leave this as a conscious
-      # choice for the user. This also increases chances charts run on environments with little
-      # resources, such as Minikube. If you do want to specify resources, uncomment the following
-      # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-      # limits:
-      #   cpu: 100m
-      #   memory: 128Mi
-      # requests:
-      #   cpu: 100m
+    resources: {}
+    # We usually recommend not to specify default resources and to leave this as a conscious
+    # choice for the user. This also increases chances charts run on environments with little
+    # resources, such as Minikube. If you do want to specify resources, uncomment the following
+    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+    # limits:
+    #   cpu: 100m
+    #   memory: 128Mi
+    # requests:
+    #   cpu: 100m
     #   memory: 128Mi
     replicaCount: 1
     autoscaling:
@@ -457,17 +449,14 @@ runtime:
     tolerations: []
     # [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on
     affinity: {}
-
     url:
       # -- Explicitly declared url for reaching the public api (e.g. if ingresses not used)
       public: ""
-
   postgresql:
     enabled: false
     jdbcUrl: ""
     username: ""
     password: ""
-
   vault:
     hashicorp:
       enabled: true
@@ -486,17 +475,14 @@ runtime:
       transferProxyTokenEncryptionAesKey: transfer-proxy-token-encryption-aes-key
       dapsPrivateKey: daps-private-key
       dapsPublicKey: daps-public-key
-
   daps:
     url: ""
     clientId: ""
     paths:
       jwks: /jwks.json
       token: /token
-
   backendService:
     httpProxyTokenReceiverUrl: ""
-
   serviceAccount:
     # Specifies whether a service account should be created
     create: true
@@ -507,8 +493,6 @@ runtime:
     name: ""
     # -- Existing image pull secret bound to the service account to use to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry)
     imagePullSecrets: []
-
-
 ########
 # DAPS #
 ########
@@ -520,34 +504,7 @@ idsdaps:
       attributes:
         referringConnector: http://sokrates-controlplane/BPNSOKRATES
       # Must be the same certificate that is stores in section 'sokrates-vault'
-      certificate: |-
-        -----BEGIN CERTIFICATE-----
-        MIIEAzCCAuugAwIBAgIUXFgjbN7jxGRUDkoUvEwcN3zcew8wDQYJKoZIhvcNAQEL
-        BQAwgZAxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZCZXJsaW4xDzANBgNVBAcMBkJl
-        cmxpbjEMMAoGA1UECgwDQk1XMSAwHgYDVQQLDBdlZGMtcGxheWdyb3VuZC1wYXJ0
-        bmVyMTEvMC0GA1UEAwwmc29rcmF0ZXMtZWRjLmRlbW8uY2F0ZW5hLXgubmV0L0JQ
-        TjEyMzQwHhcNMjIwNTEwMDc1NzMzWhcNMjMwNTEwMDc1NzMzWjCBkDELMAkGA1UE
-        BhMCREUxDzANBgNVBAgMBkJlcmxpbjEPMA0GA1UEBwwGQmVybGluMQwwCgYDVQQK
-        DANCTVcxIDAeBgNVBAsMF2VkYy1wbGF5Z3JvdW5kLXBhcnRuZXIxMS8wLQYDVQQD
-        DCZzb2tyYXRlcy1lZGMuZGVtby5jYXRlbmEteC5uZXQvQlBOMTIzNDCCASIwDQYJ
-        KoZIhvcNAQEBBQADggEPADCCAQoCggEBAK/41S8rumkk+IzBk9pBDETvjlPmlXfw
-        78yRrLmbzaed3kGgygJ2GFFPLcR/Lv0WG8F8au4UEssbOxAU4RRjncCVt66ajaCa
-        llIqMlH8zaJ8rgxNpGeJU5YvmYRxlIo+Gwi0qnF0tqJh8Hry7OqSo0gK2YBBFJyV
-        grMsEz3EcsS3ENYJufNgUIeg4QsaL49M0gWxSexPdC4pon96Nvju90D8RlvAJB21
-        PInqLniMaFlSnRYzCrUaja6HMmzKA+ZPZ1r9lllzsE00RASxRIxlKkwfzTtMb9O6
-        ey2i2vM7hKGGlXjNsnYVX9WXEfvK4JrCadHzgX8qdez19RxFKtB+5gECAwEAAaNT
-        MFEwHQYDVR0OBBYEFOcHLXRWZjHwexDqtgMGTCN/7aZlMB8GA1UdIwQYMBaAFOcH
-        LXRWZjHwexDqtgMGTCN/7aZlMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
-        BQADggEBAD2a5kuIdICNXfYLpSe7AIONwZVucaArYtpXBxHEy5lMJsTEJgjZzypd
-        iIMU7onEQGVbii6yVNpWfIpJYM4e8ytVdJuk5evclVKZs/lZ2IshLyWFVj+ITh2E
-        28X4C/Hnmt4MPBCNowQf71nMp4LEziBgXp54qFV9C+qSTEVdrherRE0PU/zKyX10
-        S/P5o42weTHnAO/pBN/8AmL3AymynKVgcPaW46IjjRAuc6kfZWCrYQ0M4+/7Ws5r
-        uM55Zae/L+C82OTNNaaK324ogsCkORPeQ23OCrRD8rZJmQ9bpoOGglPminfwEOhB
-        UHtyKgmvqCyOV3G/4G93W/xsLV0kxLA=
-        -----END CERTIFICATE-----
-
-
-
+      certificate: |- # must be set externally!
 ##############
 # POSTGRESQL #
 ##############
@@ -563,7 +520,6 @@ postgresql:
     database: "edc"
     username: "user"
     password: "password"
-
 #########
 # VAULT #
 #########
@@ -576,74 +532,4 @@ vault:
       enabled: true
       devRootToken: "root"
     # Must be the same certificate that is configured in section 'ids-daps'
-    postStart:
-      - "sh"
-      - "-c"
-      - |
-        { 
-        
-        sleep 5
-
-        /bin/vault kv put secret/sokrates/data-encryption-aes-keys content=OcvxzWCK8ETSjt1jmZw3RA==
-        
-        cat << EOF | /bin/vault kv put secret/daps-key content=-
-        -----BEGIN PRIVATE KEY-----
-        MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCv+NUvK7ppJPiM
-        wZPaQQxE745T5pV38O/Mkay5m82nnd5BoMoCdhhRTy3Efy79FhvBfGruFBLLGzsQ
-        FOEUY53Albeumo2gmpZSKjJR/M2ifK4MTaRniVOWL5mEcZSKPhsItKpxdLaiYfB6
-        8uzqkqNICtmAQRSclYKzLBM9xHLEtxDWCbnzYFCHoOELGi+PTNIFsUnsT3QuKaJ/
-        ejb47vdA/EZbwCQdtTyJ6i54jGhZUp0WMwq1Go2uhzJsygPmT2da/ZZZc7BNNEQE
-        sUSMZSpMH807TG/TunstotrzO4ShhpV4zbJ2FV/VlxH7yuCawmnR84F/KnXs9fUc
-        RSrQfuYBAgMBAAECggEAO+KjsjTgcG3bhBNQnMLsSP15Y0Yicbn18ZlVvaivGS7Z
-        d14fwSytY+ZdPfTGaey/L16HCVSdfK9cr0Fbw9OO2P5ajzobnp9dLsMbctlkpbpm
-        hNtbarzKTF8QkIkSsuUl0BWjt46vpJ1N+Jl5VO7oUFkY4dPEDvG2lAEY3zlekWDm
-        cQeOC/YgpoW4xfRwPPS6QE0w3Q+H5NfNjfz+mSHeItTlVfTKDRliWQLPWeRZFuXh
-        FlRFUQnTmEE/9wpIe3Hn7WXJ3fQqcYDzxU7/zwwY9I7bB15SgVHlR0ENDPAD5X8F
-        MVZ3EcLlqGBy+WvTWALp6pc8YfhW3fiTWyuamXtNrQKBgQDonsIzBKEOOKdKGW0e
-        uyw79ErmnmzkY5nuMrMxrmTA4WKCfJ/YRRA+4sxiltWsIJ3UkHe3OBCSSCdj79hb
-        ugb/+UzE70hOdgrct2NUQqbrj3gvsVvU8ZRQgTRMqKpmC0zY7KOMx6NU85z3IvS1
-        z5fjszcUv4kLQlldYGSAuqPy+wKBgQDBqIkc8p/wcw7ygo1q/GerNeszfoxiIFp8
-        h4RWLVhkwrcXFz30wBlUWuv5/kxU8tmJcmXxe72EmUstd6wvNOAnYwCiile6zQiJ
-        vsr1axavZnGOtNGUp6DUAsd2iviBl7IZ7kAcqCrQo4ivGhfHmahH3hmg8wuAMjYB
-        8f+FSPgaMwKBgQC7W4tMrjDOFIFhJEOIWfcRvvxI7VcFSNelS76aiDzsQVwnfxr7
-        hPzFucQmsBgfUBHvMADMWGK4f1cCnh5kGtwidXgIsjVJxLeQ+EAPkLOCzQZfW3l8
-        dKshgD9QcxTzpaxal5ZPAEikVqaZQtVYToCmzCTUGETYBbOWitnH+Qut2wKBgQC6
-        Y6DcSLUhc0xOotLDxv1sbu/aVxF8nFEbDD+Vxf0Otc4MnmUWPRHj+8KlkVkcZcR0
-        IrP1kThd+EDAGS+TG9wmbIY+6tH3S8HM+eJUBWcHGJ1xUZ1p61DC3Y3nDWiTKlLT
-        3Fi+fCkBOHSku4Npq/2odh7Kp0JJd4o9oxJg0VNhuwKBgQDSFn7dqFE0Xmwc40Vr
-        0wJH8cPWXKGt7KJENpj894buk2DniLD4w2x874dzTjrOFi6fKxEzbBNA9Rq9UPo8
-        u9gKvl/IyWmV0c4zFCNMjRwVdnkMEte/lXcJZ67T4FXZByqAZlhrr/v0FD442Z9B
-        AjWFbUiBCFOo+gpAFcQGrkOQHA==
-        -----END PRIVATE KEY-----
-        EOF
-        
-        cat << EOF | /bin/vault kv put secret/daps-crt content=-
-        -----BEGIN CERTIFICATE-----
-        MIIEAzCCAuugAwIBAgIUXFgjbN7jxGRUDkoUvEwcN3zcew8wDQYJKoZIhvcNAQEL
-        BQAwgZAxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZCZXJsaW4xDzANBgNVBAcMBkJl
-        cmxpbjEMMAoGA1UECgwDQk1XMSAwHgYDVQQLDBdlZGMtcGxheWdyb3VuZC1wYXJ0
-        bmVyMTEvMC0GA1UEAwwmc29rcmF0ZXMtZWRjLmRlbW8uY2F0ZW5hLXgubmV0L0JQ
-        TjEyMzQwHhcNMjIwNTEwMDc1NzMzWhcNMjMwNTEwMDc1NzMzWjCBkDELMAkGA1UE
-        BhMCREUxDzANBgNVBAgMBkJlcmxpbjEPMA0GA1UEBwwGQmVybGluMQwwCgYDVQQK
-        DANCTVcxIDAeBgNVBAsMF2VkYy1wbGF5Z3JvdW5kLXBhcnRuZXIxMS8wLQYDVQQD
-        DCZzb2tyYXRlcy1lZGMuZGVtby5jYXRlbmEteC5uZXQvQlBOMTIzNDCCASIwDQYJ
-        KoZIhvcNAQEBBQADggEPADCCAQoCggEBAK/41S8rumkk+IzBk9pBDETvjlPmlXfw
-        78yRrLmbzaed3kGgygJ2GFFPLcR/Lv0WG8F8au4UEssbOxAU4RRjncCVt66ajaCa
-        llIqMlH8zaJ8rgxNpGeJU5YvmYRxlIo+Gwi0qnF0tqJh8Hry7OqSo0gK2YBBFJyV
-        grMsEz3EcsS3ENYJufNgUIeg4QsaL49M0gWxSexPdC4pon96Nvju90D8RlvAJB21
-        PInqLniMaFlSnRYzCrUaja6HMmzKA+ZPZ1r9lllzsE00RASxRIxlKkwfzTtMb9O6
-        ey2i2vM7hKGGlXjNsnYVX9WXEfvK4JrCadHzgX8qdez19RxFKtB+5gECAwEAAaNT
-        MFEwHQYDVR0OBBYEFOcHLXRWZjHwexDqtgMGTCN/7aZlMB8GA1UdIwQYMBaAFOcH
-        LXRWZjHwexDqtgMGTCN/7aZlMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
-        BQADggEBAD2a5kuIdICNXfYLpSe7AIONwZVucaArYtpXBxHEy5lMJsTEJgjZzypd
-        iIMU7onEQGVbii6yVNpWfIpJYM4e8ytVdJuk5evclVKZs/lZ2IshLyWFVj+ITh2E
-        28X4C/Hnmt4MPBCNowQf71nMp4LEziBgXp54qFV9C+qSTEVdrherRE0PU/zKyX10
-        S/P5o42weTHnAO/pBN/8AmL3AymynKVgcPaW46IjjRAuc6kfZWCrYQ0M4+/7Ws5r
-        uM55Zae/L+C82OTNNaaK324ogsCkORPeQ23OCrRD8rZJmQ9bpoOGglPminfwEOhB
-        UHtyKgmvqCyOV3G/4G93W/xsLV0kxLA=
-        -----END CERTIFICATE-----
-        EOF
-        
-         /bin/vault kv put secret/aes-keys content=OcvxzWCK8ETSjt1jmZw3RA==
-        
-        }
+    postStart: # must be set externally!

edc-tests/deployment/src/main/resources/helm/test-infrastructure/values.yaml

@@ -0,0 +1,45 @@
+#!/bin/bash
+
+#
+# Copyright (c) 2023 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Contributors:
+#       Bayerische Motoren Werke Aktiengesellschaft (BMW AG) - initial API and implementation
+#
+#
+
+set -euo pipefail
+
+if [ "$#" -lt 1 ]; then
+  echo "usage prepare-test.sh PATH_TO_YAML"
+  echo ""
+  echo "Please provide the path to the YAML file, which contains the config for the test infrastructure! In most cases
+  this will be edc-tests/deployment/src/main/resources/helm/test-infrastructure/values.yaml"
+  exit 42
+fi
+
+VALUES_FILE=$1
+KEY_FILE=daps.key
+CERT_FILE=daps.cert
+
+# generate a new short-lived certificate and export the private key
+openssl req -newkey rsa:2048 -new -nodes -x509 -days 1 -keyout $KEY_FILE -out $CERT_FILE -subj "/CN=test"
+
+DAPSCRT=$(cat $CERT_FILE)
+DAPSKEY=$(cat $KEY_FILE)
+AES_KEY=$( echo aes_enckey_test | base64)
+echo $AES_KEY > aes.key
+
+# replace the cert for DAPS
+yq -i ".idsdaps.connectors[0].certificate=\"$DAPSCRT\"" "$VALUES_FILE"
+
+# add a "postStart" command to the vault config, that creates a daps-key, daps-cert and an aes-keys secret
+yq -i ".vault.server.postStart |= [\"sh\",\"-c\",\"{\nsleep 5\n\ncat << EOF | /bin/vault kv put secret/daps-crt content=-\n$DAPSCRT\nEOF\n\n
+cat << EOF | /bin/vault kv put secret/daps-key content=-\n$DAPSKEY\nEOF\n\n
+/bin/vault kv put secret/aes-keys content=$AES_KEY\n\n}\"]" "$VALUES_FILE"