Merge branch 'release/0.0.4-RC' into 'main'

Release/0.0.4 rc

See merge request simpl/simpl-open/development/iaa/simpl-cloud-gateway!18

charts/.helmignore

+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/Chart.yaml

+apiVersion: v2
+name: simpl-cloud-gateway
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: ${PROJECT_RELEASE_VERSION}
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: ${PROJECT_RELEASE_VERSION}

charts/templates/_helpers.tpl

+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "microservices.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "microservices.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "microservices.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "microservices.labels" -}}
+helm.sh/chart: {{ include "microservices.chart" . }}
+{{ include "microservices.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "microservices.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "microservices.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "microservices.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "microservices.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+
+{{/*
+Microservices url backend
+*/}}
+{{- define "microservices.backend.url" -}}
+{{- printf "%s%s" "https://" .Values.global.hostBe }}
+{{- end }}
+
+{{/*
+TLS gateway url
+*/}}
+{{- define "tls.gateway.url" -}}
+{{- printf "%s%s" "https://" .Values.global.hostTls }}
+{{- end }}

charts/templates/aruba-cluster-issuer.yaml

+{{- $hostBe := printf "%s" .Values.global.hostBe -}}
+{{- if contains "aruba" $hostBe }}
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: issuer-ingress-test
+spec:
+  acme:
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    email: dario.andrei@staff.aruba.it
+    privateKeySecretRef:
+      name: issuer-ingress
+    solvers:
+      - 
+        http01:
+          ingress:
+            class: nginx
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: issuer-ingress
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: dario.andrei@staff.aruba.it
+    privateKeySecretRef:
+      name: issuer-ingress
+    solvers:
+      - 
+        http01:
+          ingress:
+            class: nginx
+{{- end -}}
+

charts/templates/configmap.yaml

+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Chart.Name }}-configmap
+data:
+  {{- if eq .Values.global.profile "authority" }}
+  ONBOARDING_URL:  "{{ .Values.microservices.onboardingUrl }}"
+  EJBCA_URL: "{{ .Values.microservices.ejbcaUrl }}"
+  {{- end }}
+
+  {{- if eq .Values.global.profile "participant" }}
+  AUTHORITY_URL: {{ .Values.global.authorityUrl }}
+  {{- end }}
+
+  CORS_ALLOWED_ORIGINS: {{ .Values.global.cors.allowOrigin }}
+  SPRING_PROFILES_ACTIVE: {{ .Values.global.profile }}
+  GATEWAY_URL: "{{- include "microservices.backend.url" . }}"
+  USERSROLES_URL: "{{ .Values.microservices.usersRolesUrl }}"
+  SAP_URL: "{{ .Values.microservices.securityAttributesProviderUrl }}"
+  KEYCLOAK_URL: "{{ .Values.microservices.keycloakUrl }}"
+  CORS_ALLOWED_HEADERS: Access-Control-Allow-Headers,Access-Control-Allow-Credentials,Access-Control-Allow-Origin,Access-Control-Allow-Methods,Keep-Alive,User-Agent,Content-Type,Authorization,Tenant,Channel,Platform,Set-Cookie,geolocation,x-mobility-mode,device,Cache-Control,X-Request-With,Accept,Origin
+
+

charts/templates/deployment.yaml

+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Chart.Name }}
+  labels:
+    {{- include "microservices.labels" . | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "microservices.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "microservices.labels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ .Chart.Name }}-svc-account
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.port }}
+              protocol: TCP
+          {{- with .Values.envFrom }}
+          envFrom:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          livenessProbe:
+            {{- toYaml .Values.livenessProbe | nindent 12 }}
+          readinessProbe:
+            {{- toYaml .Values.readinessProbe | nindent 12 }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          {{- with .Values.volumeMounts }}
+          volumeMounts:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- with .Values.volumes }}
+      volumes:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

charts/templates/hpa.yaml

+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "microservices.fullname" . }}
+  labels:
+    {{- include "microservices.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "microservices.fullname" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+    {{- end }}
+    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    {{- end }}
+{{- end }}

charts/templates/ingress.yaml

+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: simpl-ingress
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
+    cert-manager.io/cluster-issuer: {{ .Values.global.ingress.issuer }}
+    cert-manager.io/renew-before: "720h"
+    nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
+spec:
+  tls:
+    - hosts:
+        - {{ .Values.global.hostBe }}
+      secretName: {{ .Values.global.hostBe }}-cert
+  rules:
+    - host: {{ .Values.global.hostBe }}
+      http:
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: simpl-cloud-gateway
+                port:
+                  number: 9000

charts/templates/service.yaml

+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Chart.Name }}
+  labels:
+    {{- include "microservices.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "microservices.selectorLabels" . | nindent 4 }}

charts/templates/serviceaccount.yaml

+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Chart.Name }}-svc-account
+  labels:
+    {{- include "microservices.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
+{{- end }}

charts/values.yaml

+server-port: &server-port 9000
+replicaCount: 1
+image:
+  repository: ${CI_REGISTRY_IMAGE}
+  pullPolicy: Always
+  tag: ${PROJECT_RELEASE_VERSION}
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Automatically mount a ServiceAccount's API credentials?
+  automount: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+podAnnotations: {}
+podLabels: {}
+
+podSecurityContext: {}
+  # fsGroup: 2000
+
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+service:
+  type: ClusterIP
+  port: *server-port
+
+resources: 
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  limits:
+    cpu: 500m
+    memory: 1Gi
+  requests:
+    cpu: 500m
+    memory: 1Gi
+
+livenessProbe:
+  httpGet:
+    path: "/actuator/health/liveness"
+    port: *server-port
+  initialDelaySeconds: 120
+  periodSeconds: 5
+  failureThreshold: 10
+readinessProbe:
+  httpGet:
+    path: "/actuator/health/readiness"
+    port: *server-port
+  initialDelaySeconds: 120
+  periodSeconds: 5
+  failureThreshold: 10
+
+autoscaling:
+  enabled: true
+  minReplicas: 1
+  maxReplicas: 1
+  targetCPUUtilizationPercentage: 80
+  # targetMemoryUtilizationPercentage: 80
+
+# Additional volumes on the output Deployment definition.
+volumes: {}
+
+# - name: foo
+#   secret:
+#     secretName: mysecret
+#     optional: false
+
+# Additional volumeMounts on the output Deployment definition.
+volumeMounts: {}
+
+envFrom:
+  - configMapRef:
+      name: simpl-cloud-gateway-configmap
+
+microservices:
+  usersRolesUrl: http://users-roles.{{ .Release.Namespace }}.svc.cluster.local:8080
+  securityAttributesProviderUrl: http://security-attributes-provider.{{ .Release.Namespace }}.svc.cluster.local:8080
+  keycloakUrl: http://keycloak.{{ .Release.Namespace }}.svc.cluster.local
+  onboardingUrl: http://onboarding.{{ .Release.Namespace }}.svc.cluster.local:8080
+  ejbcaUrl: http://ejbca-community-helm.{{ .Release.Namespace }}.svc.cluster.local:30080
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
\ No newline at end of file

pipeline.variables.sh

-PROJECT_VERSION_NUMBER="0.0.3"
\ No newline at end of file
+PROJECT_VERSION_NUMBER="0.0.4"
\ No newline at end of file

pom.xml

@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>com.aruba.simpl</groupId>
 		<artifactId>simpl-parent</artifactId>
-		<version>0.0.2-SNAPSHOT</version>
+		<version>0.0.4-SNAPSHOT</version>
 		<relativePath/> <!-- lookup parent from repository -->
 	</parent>
 
@@ -35,6 +35,12 @@
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
 		</dependency>
+		<dependency>
+			<groupId>org.springdoc</groupId>
+			<artifactId>springdoc-openapi-starter-webflux-ui</artifactId>
+			<version>2.6.0</version>
+		</dependency>
+
 	</dependencies>
 
 	<build>

src/main/java/com/aruba/simpl/gatewayserver/configurations/SecurityConfig.java

@@ -11,6 +11,7 @@ import org.springframework.http.HttpMethod;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.web.server.ServerHttpSecurity;
 import org.springframework.security.web.server.SecurityWebFilterChain;
+import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
 import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.reactive.CorsConfigurationSource;
@@ -37,9 +38,21 @@ public class SecurityConfig {
             publicUrl.add(ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, "/ocsp"));
             publicUrl.add(ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, "/ca/**"));
             publicUrl.add(ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, "/crl/**"));
+            publicUrl.add(ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, "/public/sap-api/participant"));
+            addSwaggerPublicUrl(publicUrl, "sap-api");
+            addSwaggerPublicUrl(publicUrl, "onboarding-api");
+            addSwaggerPublicUrl(publicUrl, "user-api");
         };
     }
 
+    private void addSwaggerPublicUrl(List<ServerWebExchangeMatcher> publicUrl, String servicePrefix) {
+        publicUrl.add(ServerWebExchangeMatchers.pathMatchers(
+                HttpMethod.GET,
+                "public/%s/swagger-ui.html".formatted(servicePrefix),
+                "public/%s/swagger-ui/**".formatted(servicePrefix),
+                "public/%s/v3/api-docs/**".formatted(servicePrefix)));
+    }
+
     @Bean
     @Order
     public SecurityWebFilterChain jwtAuth(ServerHttpSecurity security) {

src/main/resources/application-authority.yml

@@ -45,6 +45,15 @@ spring:
           filters:
             - RewritePath=/crl/?(?<segment>.*), /ejbca/publicweb/webdist/certdist?cmd=crl&issuer=CN%3D$\{segment}
 
+springdoc:
+  swagger-ui:
+    urls:
+      - url: /public/sap-api/v3/api-docs
+        name: Security Attributes Provider Service
+      - url: /public/onboarding-api/v3/api-docs
+        name: Onboarding Service
+      - url: /public/user-api/v3/api-docs
+        name: Users & Roles Service
 keycloak:
   app:
     realm: authority

src/main/resources/application-participant.yml

@@ -15,6 +15,12 @@ spring:
           filters:
             - StripPrefix=2
 
+springdoc:
+  swagger-ui:
+    urls:
+      - url: /public/user-api/v3/api-docs
+        name: Users & Roles Service
+
 keycloak:
   app:
     realm: participant

src/main/resources/application.yml

@@ -18,5 +18,13 @@ management:
     gateway:
       enabled: true
 
+springdoc:
+  api-docs:
+    enabled: true
+  swagger-ui:
+    enabled: true
+    path: /swagger-ui/index.html
+    config-url: /v3/api-docs/swagger-config
+
 server:
   port: 9000