From 4019d0f1a42dee589e3781c1f0d614ff05124f3f Mon Sep 17 00:00:00 2001 From: "Dr. Christoph \"Schorsch\" Jung" Date: Tue, 4 Jun 2024 13:43:21 +0200 Subject: [PATCH] docs: document usage of ssl within container. --- charts/aas-bridge/README.md | 49 ++++++++++--------- charts/aas-bridge/templates/NOTES.txt | 4 +- charts/aas-bridge/values.yaml | 5 +- sparql-aas/README.md | 22 ++++----- sparql-aas/src/main/docker/Dockerfile | 20 ++++---- .../tractusx/agents/aasbridge/AasBridge.java | 2 +- 6 files changed, 52 insertions(+), 50 deletions(-) diff --git a/charts/aas-bridge/README.md b/charts/aas-bridge/README.md index 3261994..53fd1b9 100644 --- a/charts/aas-bridge/README.md +++ b/charts/aas-bridge/README.md @@ -1,4 +1,6 @@ -# conforming-agent +# aas-bridge -![Version: 1.9.6-SNAPSHOT](https://img.shields.io/badge/Version-1.9.6--SNAPSHOT-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.5-SNAPSHOT](https://img.shields.io/badge/AppVersion-1.9.5--SNAPSHOT-informational?style=flat-square) +![Version: 0.13.6-SNAPSHOT](https://img.shields.io/badge/Version-0.13.6--SNAPSHOT-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.13.6-SNAPSHOT](https://img.shields.io/badge/AppVersion-0.13.6--SNAPSHOT-informational?style=flat-square) -A Helm chart for the Tractus-X Conforming Agent which is a container to assess the conformity of all other parts of the Agent-Enabled Dataspace. +A Helm chart for the Tractus-X Knowledge Agents AAS Bridge which is a container to provide an AAS server/registry on top of a knowledge graph/SPARQL landscape. This chart has no prerequisites. -**Homepage:** +**Homepage:** ## TL;DR ```shell $ helm repo add eclipse-tractusx https://eclipse-tractusx.github.io/charts/dev -$ helm install my-release eclipse-tractusx/conforming-agent --version 1.9.6-SNAPSHOT +$ helm install my-release eclipse-tractusx/aas-bridge --version 0.13.6-SNAPSHOT ``` ## Maintainers @@ -42,17 +43,20 @@ $ helm install my-release eclipse-tractusx/conforming-agent --version 1.9.6-SNAP ## Source Code -* +* ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| +| aas.endpoints.default.auth | object | `{}` | An auth object for default security | +| aas.endpoints.default.path | string | `""` | The path mapping the "default" api is going to be exposed by | +| aas.endpoints.default.port | string | `"8443"` | The network port, which the "default" api is going to be exposed by the container, pod and service | +| aas.endpoints.default.regex | string | `""` | An optional regex path match (whose match groups could be used in an nginx-annotation of the ingress) | +| aas.persistence.auth.key | string | `"Basic "` | The key that should be used in the authorization header when talking to the sparql server | +| aas.persistence.log | bool | `false` | whether the results of the queries should be logged | +| aas.persistence.sparql | string | `"http://sparql.local"` | The default sparql server is embedded | | affinity | object | `{}` | [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) constrains which nodes the Pod can be scheduled on based on node labels. | -| agent.endpoints.default.auth | object | `{}` | An auth object for default security | -| agent.endpoints.default.path | string | `""` | The path mapping the "default" api is going to be exposed by | -| agent.endpoints.default.port | string | `"8080"` | The network port, which the "default" api is going to be exposed by the container, pod and service | -| agent.endpoints.default.regex | string | `"/(.*)"` | An optional regex path match (whose match groups could be used in an nginx-annotation of the ingress) | | automountServiceAccountToken | bool | `false` | Whether to [automount kubernetes API credentials](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server) into the pod | | autoscaling.enabled | bool | `false` | Enables [horizontal pod autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) | | autoscaling.maxReplicas | int | `100` | Maximum replicas if resource consumption exceeds resource threshholds | @@ -60,14 +64,14 @@ $ helm install my-release eclipse-tractusx/conforming-agent --version 1.9.6-SNAP | autoscaling.targetCPUUtilizationPercentage | int | `80` | targetAverageUtilization of cpu provided to a pod | | autoscaling.targetMemoryUtilizationPercentage | int | `80` | targetAverageUtilization of memory provided to a pod | | customLabels | object | `{}` | Additional custom Labels to add | -| env | object | `{}` | Container environment variables e.g. for configuring [JAVA_TOOL_OPTIONS](https://docs.oracle.com/javase/8/docs/technotes/guides/troubleshoot/envvars002.html) Ex.: JAVA_TOOL_OPTIONS: > -Dhttp.proxyHost=proxy -Dhttp.proxyPort=80 -Dhttp.nonProxyHosts="localhost|127.*|[::1]" -Dhttps.proxyHost=proxy -Dhttps.proxyPort=443 | +| env | object | `{}` | Container environment variables e.g. for configuring [JAVA_TOOL_OPTIONS](https://docs.oracle.com/javase/8/docs/technotes/guides/troubleshoot/envvars002.html) Ex.: JAVA_TOOL_OPTIONS: "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:4040" | | envSecretName | string | `nil` | [Kubernetes Secret Resource](https://kubernetes.io/docs/concepts/configuration/secret/) name to load environment variables from | | fullnameOverride | string | `""` | Overrides the releases full name | -| image.digest | string | `""` | Overrides the image digest | +| image.digest | string | `""` | Overrides the image digest | | image.pullPolicy | string | `"IfNotPresent"` | | | image.pullSecrets | list | `[]` | | -| image.registry | string | `"docker.io"` | target regirtry | -| image.repository | string | `"tractusx/conforming-agent"` | Which derivate of agent to use | +| image.registry | string | `"docker.io/"` | target registry | +| image.repository | string | `"tractusx/aas-bridge"` | Which derivate of agent to use | | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion | | ingresses[0].annotations | string | `nil` | Additional ingress annotations to add, for example when implementing more complex routings you may set { nginx.ingress.kubernetes.io/rewrite-target: /$1, nginx.ingress.kubernetes.io/use-regex: "true" } | | ingresses[0].certManager.clusterIssuer | string | `""` | If preset enables certificate generation via cert-manager cluster-wide issuer | @@ -75,17 +79,18 @@ $ helm install my-release eclipse-tractusx/conforming-agent --version 1.9.6-SNAP | ingresses[0].className | string | `""` | Defines the [ingress class](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) to use | | ingresses[0].enabled | bool | `false` | | | ingresses[0].endpoints | list | `["default"]` | Agent endpoints exposed by this ingress resource | -| ingresses[0].hostname | string | `"conforming-agent.local"` | The hostname to be used to precisely map incoming traffic onto the underlying network service | +| ingresses[0].hostname | string | `"aas-bridge.local"` | The hostname to be used to precisely map incoming traffic onto the underlying network service | | ingresses[0].prefix | string | `""` | Optional prefix that will be prepended to the paths of the endpoints | | ingresses[0].tls | object | `{"enabled":false,"secretName":""}` | TLS [tls class](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) applied to the ingress resource | | ingresses[0].tls.enabled | bool | `false` | Enables TLS on the ingress resource | | ingresses[0].tls.secretName | string | `""` | If present overwrites the default secret name | | livenessProbe.enabled | bool | `true` | Whether to enable kubernetes [liveness-probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) | | livenessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the probe to be considered failed after having succeeded | -| livenessProbe.periodSeconds | int | `60` | Number of seconds each period lasts. | +| livenessProbe.periodSeconds | int | `60` | Number of seconds each period lasts. | | livenessProbe.timeoutSeconds | int | `5` | number of seconds until a timeout is assumed | | nameOverride | string | `""` | Overrides the charts name | | nodeSelector | object | `{}` | [Node-Selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) to constrain the Pod to nodes with specific labels. | +| opentelemetry | string | `"otel.javaagent.enabled=false\notel.javaagent.debug=false"` | configuration of the [Open Telemetry Agent](https://opentelemetry.io/docs/instrumentation/java/automatic/agent-config/) to collect and expose metrics | | podAnnotations | object | `{}` | [Annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) added to deployed [pods](https://kubernetes.io/docs/concepts/workloads/pods/) | | podSecurityContext.fsGroup | int | `30000` | The owner for volumes and any files created within volumes will belong to this guid | | podSecurityContext.runAsGroup | int | `30000` | Processes within a pod will belong to this guid | @@ -93,10 +98,10 @@ $ helm install my-release eclipse-tractusx/conforming-agent --version 1.9.6-SNAP | podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | Restrict a Container's Syscalls with seccomp | | readinessProbe.enabled | bool | `true` | Whether to enable kubernetes readiness-probes | | readinessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the probe to be considered failed after having succeeded | -| readinessProbe.periodSeconds | int | `300` | Number of seconds each period lasts. | +| readinessProbe.periodSeconds | int | `300` | Number of seconds each period lasts. | | readinessProbe.timeoutSeconds | int | `5` | number of seconds until a timeout is assumed | | replicaCount | int | `1` | Specifies how many replicas of a deployed pod shall be created during the deployment Note: If horizontal pod autoscaling is enabled this setting has no effect | -| resources | object | `{"limits":{"cpu":"400m","memory":"256Mi"},"requests":{"cpu":"200m","memory":"256Mi"}}` | [Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) applied to the deployed pod We recommend 20% of a cpu and 256MB per endpoint | +| resources | object | `{"limits":{"cpu":"400m","memory":"1Gi"},"requests":{"cpu":"400m","memory":"1Gi"}}` | [Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) applied to the deployed pod We recommend 40% of a cpu and unfortunately 1Gi to initialise the library | | securityContext.allowPrivilegeEscalation | bool | `false` | Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID | | securityContext.capabilities.add | list | `["NET_BIND_SERVICE"]` | Specifies which capabilities to add to issue specialized syscalls | | securityContext.capabilities.drop | list | `["ALL"]` | Specifies which capabilities to drop to reduce syscall attack surface | @@ -109,11 +114,11 @@ $ helm install my-release eclipse-tractusx/conforming-agent --version 1.9.6-SNAP | serviceAccount.create | bool | `true` | Specifies whether a [service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) should be created per release | | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the release's fullname template | | startupProbe.enabled | bool | `true` | Whether to enable kubernetes startup-probes | -| startupProbe.failureThreshold | int | `18` | Minimum consecutive failures for the probe to be considered failed after having succeeded | +| startupProbe.failureThreshold | int | `4` | Minimum consecutive failures for the probe to be considered failed after having succeeded | | startupProbe.initialDelaySeconds | int | `60` | Number of seconds after the container has started before liveness probes are initiated. | -| startupProbe.periodSeconds | int | `30` | Number of seconds each period lasts. | +| startupProbe.periodSeconds | int | `30` | Number of seconds each period lasts. | | startupProbe.timeoutSeconds | int | `5` | number of seconds until a timeout is assumed | | tolerations | list | `[]` | [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) are applied to Pods to schedule onto nodes with matching taints. | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) +Autogenerated from chart metadata using [helm-docs v1.11.2](https://github.com/norwoodj/helm-docs/releases/v1.11.2) diff --git a/charts/aas-bridge/templates/NOTES.txt b/charts/aas-bridge/templates/NOTES.txt index 1bca5fb..d16e9ba 100644 --- a/charts/aas-bridge/templates/NOTES.txt +++ b/charts/aas-bridge/templates/NOTES.txt @@ -57,12 +57,12 @@ Get the application URL by running these commands: export CONTAINER_PORT_DEFAULT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") - echo "Visit http://127.0.0.1:8080 to access the default api" + echo "Visit http://127.0.0.1:8443 to access the default api" echo "Visit http://127.0.0.1:8185 to access the public data transfer api" echo "Visit http://127.0.0.1:9999 to access the control api" echo "Visit http://127.0.0.1:9090 to access the metrics api" kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME \ - 8080:$CONTAINER_PORT_DEFAULT + 8443:$CONTAINER_PORT_DEFAULT {{- end }} diff --git a/charts/aas-bridge/values.yaml b/charts/aas-bridge/values.yaml index 4de9a02..c3a1e38 100644 --- a/charts/aas-bridge/values.yaml +++ b/charts/aas-bridge/values.yaml @@ -156,13 +156,13 @@ aas: ## Default api exposing health checks etc default: # -- The network port, which the "default" api is going to be exposed by the container, pod and service - port: "8080" + port: "8443" # -- An auth object for default security auth: {} # -- The path mapping the "default" api is going to be exposed by path: "" # -- An optional regex path match (whose match groups could be used in an nginx-annotation of the ingress) - regex: /(.*) + regex: "" service: # -- [Service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) to expose the running application on a set of Pods as a network service. @@ -179,6 +179,7 @@ ingresses: # Example if you want more complex routings in interplay with the endpoints regex property # nginx.ingress.kubernetes.io/rewrite-target: /$1 # nginx.ingress.kubernetes.io/use-regex: "true" + # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" # -- Optional prefix that will be prepended to the paths of the endpoints prefix: "" # -- Agent endpoints exposed by this ingress resource diff --git a/sparql-aas/README.md b/sparql-aas/README.md index 707883c..ccf8a20 100644 --- a/sparql-aas/README.md +++ b/sparql-aas/README.md @@ -35,7 +35,6 @@ Each domain describes a set of equally structured digital twins (in above exampl All twins of a domain are hosted in the same graph and they share the same set of submodels. We require that the domain id (folder name) coincides to the first part of all asset and submodel ids (separated via "/"). - #### Mapping Configuration The structure (shell) of such a twin as well as the submodels are each described by a mapping configuration which is backed @@ -44,21 +43,20 @@ by a set of files which share a common prefix and end with a suffix which descri A mapping configuration (for the sample the "partAsPlanned" submodel) consists of three files: - An [Unbound Query select-all.rq](resources/traceability/partAsPlanned-select-all.rq) is a non-parameterized SPARQL query that when executed against the graph will generated a dataset of part information for all parts appearing in the graph. - A [Bound Query select-some.rq](resources/traceability/partAsPlanned-select-some.rq) is a parameterized SPARQL query that will be given an argument ("%s") which will be formatted with the set of IRI literals coinciding to the IDs of the selected twins/parts. -- A [Mapping Specification mapping.json](resources/traceability/partAsPlanned-mapping.json) that is an template (AAS4J Mapping Specification) which transforms the SPARQL result sets of above queries into an temporary AAS4J environment. This environment will be used to answer the respective endpoint query against the AAS server. After the query, the environment will be freed from memory, again. +- A [Mapping Specification mapping.xslt](resources/traceability/partAsPlanned-mapping.xslt) that hosts a XML stylesheet template which transforms the SPARQL result sets of above queries into an temporary AAS4J environment following this [AAS XML Schema](https://github.com/eclipse-aas4j/aas4j/blob/main/dataformat-xml/src/main/resources/AAS.xsd). This environment will be used to answer the respective endpoint query against the AAS server. After the query, the environment will be freed from memory, again. -Each mapping configuration (mapping.json) will introduce the namespace "semanticId". +Each mapping configuration (mapping.xslt) will introduce the namespace "semanticId". If the "semanticId" is "https://w3id.org/catenax/ontology/aas#", then the mapping configuration will be used to build AssetAdministationShells (the actual twin "headers"). -Otherwise, the "semanticId" will be used to identifiy the respective submodel (and will be referred to in the [Shell mapping.json](resources/traceability/aas-mapping.json), the [Shell select-all.rq](resources/traceability/aas-select-all.rq) and [Shell select-some.rq](resources/traceability/aas-select-some.rq)) +Otherwise, the "semanticId" will be used to identifiy the respective submodel (and will be referred to in the [Shell mapping.xslt](resources/traceability/aas-mapping.xslt), the [Shell select-all.rq](resources/traceability/aas-select-all.rq) and [Shell select-some.rq](resources/traceability/aas-select-some.rq)) #### Mapping Specification The AAS-Bridge makes a couple of assumptions about the content of the MappingSpecification: -1. The @namespaces- AND the @variables-section of the @header both hold the semanticId of the Submodel that is to +1. The xsl:stylesheet namespaces AND the xsl:variable section both hold the semanticId of the Submodel that is to be transformed -2. IDs of submodel-instances must always start with the domain id and the semanticId of the submodel and the identifier of -the asset (separated by "/"). How this can be achieved via configuration is demonstrated in the examples' @header-@definitions-section -under `genSubmodelId`. -3. If not provided explicitly, the function `AasUtils.loadConfigsFromResources()` will search the AAS-Bridge's resources +2. IDs of submodel-instances must always start with the domain id (tracability/) followed by the semanticId of the submodel (/urn:bamm:io.catenax.part_as_planned:1.0.1#PartAsPlanned) and the identifier of +the asset ("/urn:uuid:0733946c-59c6-41ae-9570-cb43a6e4c79e" - all separated by "/"). How this can be achieved via a template function is demonstrated in the examples' under `xsl:template name="genSubmodelId"`. +3. The function `AasUtils.loadConfigsFromResources()` will search the AAS-Bridge's working directory "resources" folder for a set of the necessary data. The folder- and naming-convention must be adhered to strictly. #### Connection to the Knowledge Graph @@ -94,17 +92,17 @@ docker build -t tractusx/aas-bridge:0.13.6-SNAPSHOT -f src/main/docker/Dockerfil To run the docker image against a local knowledge graph, you could invoke this command ```console -docker run -p 8080:8080 \ +docker run -p 8443:8443 \ -v $(pwd)/resources:/app/resources \ -e "PROVIDER_SPARQL_ENDPOINT=http://oem-provider-agent:8082/sparql" \ -e "PROVIDER_CREDENTIAL_BASIC=Basic Zm9vOg==" \ tractusx/aas-bridge:0.13.6-SNAPSHOT ```` -Afterwards, you should be able to access the [local AAS endpoint](http://localhost:8080/) via REST +Afterwards, you should be able to access the [local AAS endpoint](https://localhost:8443/) via REST ```console -curl --request GET 'http://localhost:8080/serialization?includeConceptDescriptions=true' +curl --request GET 'https://localhost:8443/api/v3.0/description' ``` ### Notice for Docker Image diff --git a/sparql-aas/src/main/docker/Dockerfile b/sparql-aas/src/main/docker/Dockerfile index 414d72b..c763eb4 100644 --- a/sparql-aas/src/main/docker/Dockerfile +++ b/sparql-aas/src/main/docker/Dockerfile @@ -1,6 +1,6 @@ +# Copyright (c) 2023,2024 T-Systems International GmbH # Copyright (c) 2023 SAP SE -# Copyright (c) 2023 T-Systems International GmbH -# Copyright (c) 2023 Contributors to the Eclipse Foundation +# Copyright (c) 2023,2024 Contributors to the Eclipse Foundation # # See the NOTICE file(s) distributed with this work for additional # information regarding copyright ownership. @@ -17,19 +17,17 @@ # # SPDX-License-Identifier: Apache-2.0 -FROM alpine:3.18.2 as otel -ENV OTEL_AGENT_LOCATION "https://github.com/open-telemetry/opentelemetry-java-instrumentation/releases/download/v1.12.1/opentelemetry-javaagent.jar" +FROM alpine:3.19.0 AS otel -HEALTHCHECK NONE +ENV OTEL_AGENT_LOCATION "https://github.com/open-telemetry/opentelemetry-java-instrumentation/releases/download/v1.27.0/opentelemetry-javaagent.jar" -RUN wget ${OTEL_AGENT_LOCATION} -O /tmp/opentelemetry-javaagent.jar +HEALTHCHECK NONE -FROM eclipse-temurin:17-jre-alpine +RUN apk update && apk add curl=8.5.0-r0 --no-cache +RUN curl -L --proto "=https" -sSf ${OTEL_AGENT_LOCATION} --output /tmp/opentelemetry-javaagent.jar -ARG JAR -ARG LIB -ARG RESOURCES resources +FROM eclipse-temurin:22_36-jre-alpine ARG APP_USER=faaast ARG APP_UID=10100 @@ -69,7 +67,7 @@ COPY target/aas-bridge.jar aas-bridge.jar COPY target/lib ./lib/ COPY resources ./resources/ -EXPOSE 8080 +EXPOSE 8443 HEALTHCHECK NONE diff --git a/sparql-aas/src/main/java/org/eclipse/tractusx/agents/aasbridge/AasBridge.java b/sparql-aas/src/main/java/org/eclipse/tractusx/agents/aasbridge/AasBridge.java index cfa0cd6..54d2910 100644 --- a/sparql-aas/src/main/java/org/eclipse/tractusx/agents/aasbridge/AasBridge.java +++ b/sparql-aas/src/main/java/org/eclipse/tractusx/agents/aasbridge/AasBridge.java @@ -72,7 +72,7 @@ public static void main(String[] args) throws ConfigurationException, AssetConne HttpEndpointConfig httpConfig = HttpEndpointConfig .builder() .cors(true) - .port(8080) + .port(8443) .sni(false) .build();