Kubernetes

or any Kubernetes (k8s) cluster in a cloud environment

Overview

Trust1Validation and its utilities can also be deployed on Kubernetes. We provide example configurations, secrets and services that can be used with any cloud provider.

The same Docker images can also be deployed with Docker Compose if necessary.

We provide the necessary configurations; setting up the Kubernetes or Docker environment itself is out of scope.

Trust1Validation

Overview

Here you will find reference configurations for deploying Trust1Validation in a Kubernetes environment.

Configuration

Config map

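# Equivalent imperative form (adjust the path to your dss.properties):
#   kubectl create configmap t1c-dss-api-config -n t1c --from-file=dss.properties=<path/to/dss.properties>
# Background on Kubernetes-backed property sources:
# https://cloud.spring.io/spring-cloud-static/spring-cloud-kubernetes/1.0.2.RELEASE/multi/multi__kubernetes_propertysource_implementations.html
apiVersion: v1
kind: ConfigMap
metadata:
  name: t1c-dss-api-config
  namespace: t1c
data:
  # Literal block scalar (|): every property stays on its own line. The
  # folded form (>-) joins adjacent lines with single spaces, so each
  # "# ..." comment line swallows the properties that follow it and several
  # key = value pairs collapse into one value. Lines wrapped in the rendered
  # page (current.oj.url and two comments) are re-joined below.
  dss.properties: |
    # JDBC database config
    datasource.jdbc.enabled = true
    datasource.driver.class = org.hsqldb.jdbcDriver
    # In-process, in-memory HSQLDB: contents are lost on every pod restart.
    # The empty 'sa' password is tolerable only because a mem: database has
    # no network listener.
    datasource.url = jdbc:hsqldb:mem:testdb
    datasource.username = sa
    datasource.password =

    # Cache config (values in seconds)
    cache.expiration = 86400
    cache.crl.default.next.update = 600
    cache.crl.max.next.update = 10800
    cache.ocsp.default.next.update = 60
    cache.ocsp.max.next.update = 180

    # EU LOTL config
    # The keystore passwords in this file are the shipped defaults and live in
    # a ConfigMap, which any principal with read access to the namespace can
    # dump. Change them, and keep this file (or at least the passwords) in the
    # t1c-dss-api-secrets Secret instead of a ConfigMap.
    oj.content.keystore.type = PKCS12
    oj.content.keystore.filename = keystore.p12
    oj.content.keystore.password = dss-password
    current.oj.url = https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.C_.2019.276.01.0001.01.ENG
    current.lotl.url = https://ec.europa.eu/tools/lotl/eu-lotl.xml
    lotl.country.code = EU

    # AdES LOTL config
    tl.loader.ades.enabled=false
    tl.loader.ades.lotlUrl=https://ec.europa.eu/tools/lotl/mra/ades-lotl.xml
    tl.loader.ades.keystore.type=PKCS12
    tl.loader.ades.keystore.filename=ades/ades-keystore.p12
    tl.loader.ades.keystore.password=ks-password
    tl.loader.ades.tsl.type=http://ec.europa.eu/tools/lotl/mra/ades-lotl-tsl-type

    # Server signing token
    # Demo signing key with a trivial password; a real deployment needs its
    # own key material, provisioned outside the documentation.
    dss.server.signing.keystore.type = PKCS12
    dss.server.signing.keystore.filename = user_a_rsa.p12
    dss.server.signing.keystore.password = password

    # TSA
    tsp-source = classpath:config/tsp-config.xml

    # LOTL/TLs loading
    cron.tl.loader.enable = true
    cron.initial.delay.tl.loader = 0
    cron.delay.tl.loader = 3600000

    # File size limit
    multipart.maxFileSize = 52428800
    multipart.maxInMemorySize = 52428800

    # default validation policy (in dss-policy-jaxb/src/main/resources/)
    default.validation.policy = policy/constraint.xml

    # validation policy for a certificate validation (in dss-policy-jaxb/src/main/resources/)
    default.certificate.validation.policy = policy/certificate-constraint.xml

    # Custom trusted key store
    trusted.source.keystore.type = PKCS12
    trusted.source.keystore.filename = keystore.p12
    trusted.source.keystore.password = dss-password

    # Custom trusted adjacent key store
    trusted.source.keystore-intermediate.type = PKCS12
    trusted.source.keystore-intermediate.filename = keystore-intermediate.p12
    trusted.source.keystore-intermediate.password = dss-password

    # CommonsDataLoader configuration (timeouts in milliseconds)
    dataloader.connection.timeout = 5000
    dataloader.connection.request.timeout = 5000
    dataloader.redirect.enabled = true

    # Defines a number of secure validation tests to be performed on imported RSA keys (disabled by default, use value '1' or higher to enable)
    bc.rsa.max_mr_tests = 0

    # If an authenticating proxy is enabled, proxy.*.password belongs in the
    # Secret, not in this ConfigMap.
    proxy.http.enabled = false
    #proxy.http.host =
    #proxy.http.scheme =
    #proxy.http.port = 0
    #proxy.http.user =
    #proxy.http.password =
    #proxy.http.exclude =
    # e.g.: proxy.http.exclude = test.site.lu, test.website.com

    proxy.https.enabled = false
    #proxy.https.host =
    #proxy.https.scheme =
    #proxy.https.port = 0
    #proxy.https.user =
    #proxy.https.password =
    #proxy.https.exclude =
    # e.g.: proxy.https.exclude = test.site.lu, test.website.com

    # cxf.debug presumably logs full SOAP request/response payloads (documents
    # under validation included) — confirm, and keep it false outside
    # development.
    cxf.debug = true
    cxf.mtom.enabled = true

    # Set to true as soon as the API is served over HTTPS (e.g. TLS terminated
    # at an Ingress in front of the NodePort Service); with false the session
    # cookie is also sent over plain HTTP.
    cookie.secure = false

    # ${nexu.version} and ${project.version} are Maven-style placeholders,
    # presumably filled in at build time in the source tree and not resolved
    # when this file is served from a ConfigMap — confirm. "nexuVersion = 1."
    # also looks truncated.
    nexuDownloadUrl=https://github.com/nowina-solutions/nexu/releases/download/nexu-${nexu.version}/nexu-bundle-${nexu.version}.zip
    nexuVersion = 1.
    nexuUrl=http://localhost:9795

    dssVersion = ${project.version}

    # https://webgate.ec.europa.eu/tl-browser/# (old link)
    tl.browser.root.url = https://eidas.ec.europa.eu/efda/tl-browser/#/screen

    # Default digest algo to be checked in the web interface
    default.digest.algo = SHA256

    # Defines the "SameSite" parameter value for "Set-Cookie" header
    web.security.cookie.samesite = strict

    # Defines the "X-Content-Security-Policy" header value
    # 'unsafe-inline' permits inline scripts and styles and so removes most of
    # the XSS protection a CSP provides; tighten it if the web interface is
    # reachable beyond a trusted network.
    web.security.csp = default-src 'self' ${nexuUrl} 'unsafe-inline' data:;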

Secrets

---
apiVersion: v1
kind: Secret
metadata:
  name: t1c-dss-api-secrets
  namespace: t1c
type: Opaque
# Placeholder Secret: it only exists so a secretRef can be enabled on the
# Deployment later. Real credentials (keystore passwords, proxy credentials)
# belong here rather than in the ConfigMap, supplied at deploy time and not
# copied from documentation.
stringData:
  NO_USE: 't1c-dss-api-secrets'

Service

---
apiVersion: v1
kind: Service
metadata:
  name: t1c-dss-api-service
  namespace: t1c
  labels:
    app: t1c-dss-api-service
spec:
  # NodePort publishes the API on a high port of every node in the cluster,
  # without TLS. Unless the node network is private, front it with an
  # Ingress/LoadBalancer that terminates TLS, or switch to ClusterIP.
  type: NodePort
  selector:
    app: t1c-dss-api
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 8080
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: t1c-dss-api
  name: t1c-dss-api
  namespace: t1c
spec:
  replicas: 1
  selector:
    matchLabels:
      app: t1c-dss-api
  template:
    metadata:
      labels:
        app: t1c-dss-api
    spec:
      restartPolicy: Always
      containers:
        - name: t1c-dss-api
          # A release-candidate tag pulled with imagePullPolicy Always can
          # change underneath a running cluster; pin a release tag or an
          # @sha256 digest for a reproducible, auditable deployment. The
          # registry path (t1t-pre-prod/t1t-images) also differs from the
          # utils image (t1c-pre-prod/t1c-images) — confirm which is intended.
          imagePullPolicy: Always
          image: europe-west1-docker.pkg.dev/t1t-pre-prod/t1t-images/t1c-dss-api:5.13.RC3
          # NOTE(review): envFrom turns each ConfigMap key into one environment
          # variable; a single dss.properties key holding the whole file is
          # presumably not read as a properties file by the application —
          # confirm whether the image expects a mounted file instead.
          envFrom:
            - configMapRef:
                name: t1c-dss-api-config
            # Enable once the Secret holds real values.
            # - secretRef:
            #     name: t1c-dss-api-secrets
          ports:
            - containerPort: 8080
              name: http
          # Not present, and not added here because the image's runtime user
          # and footprint are unknown: resources.requests/limits, readiness and
          # liveness probes, and a securityContext (runAsNonRoot,
          # allowPrivilegeEscalation: false, drop all capabilities).

Trust1Validation Utilities

Configuration

Configmap

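# Equivalent imperative form once there is something to put in it:
#   kubectl create configmap t1c-dss-utils-api-config -n t1c --from-literal=<KEY>=<VALUE>
# Background on Kubernetes-backed property sources:
# https://cloud.spring.io/spring-cloud-static/spring-cloud-kubernetes/1.0.2.RELEASE/multi/multi__kubernetes_propertysource_implementations.html
apiVersion: v1
kind: ConfigMap
metadata:
  name: t1c-dss-utils-api-config
  namespace: t1c
# Explicit empty mapping: a bare `data:` parses as null. The object must
# exist even while empty, because the utils Deployment references it through
# a non-optional envFrom/configMapRef and the pod will not start without it.
data: {}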

Secrets

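apiVersion: v1
kind: Secret
metadata:
  name: t1c-dss-utils-api-secrets
  namespace: t1c
type: Opaque
stringData:
  # Presumably the Play application secret (session-cookie signing, CSRF
  # tokens) — confirm against the image. Every environment needs its own
  # randomly generated value, supplied at deploy time and never copied from
  # documentation or version control: anyone holding the value can mint valid
  # session cookies. The literal value previously printed here is public and
  # must be treated as disclosed — rotate it on any environment that used it.
  PLAY_SECRET: '<generate-a-random-secret, e.g. with `openssl rand -base64 48`>'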

Service

---
apiVersion: v1
kind: Service
metadata:
  name: t1c-dss-utils-api-service
  namespace: t1c
  labels:
    app: t1c-dss-utils-api-service
spec:
  # NodePort exposes the utilities API on a high port of every node, without
  # TLS; prefer ClusterIP behind a TLS-terminating Ingress unless the node
  # network is private.
  type: NodePort
  selector:
    app: t1c-dss-utils-api
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9000
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: t1c-dss-utils-api
  name: t1c-dss-utils-api
  namespace: t1c
spec:
  replicas: 1
  selector:
    matchLabels:
      app: t1c-dss-utils-api
  template:
    metadata:
      labels:
        app: t1c-dss-utils-api
    spec:
      restartPolicy: Always
      containers:
        - name: t1c-dss-utils-api
          # A -SNAPSHOT tag is mutable; with imagePullPolicy Always every pod
          # restart may pull a different build. Pin a release tag or an
          # @sha256 digest for anything beyond a sandbox.
          imagePullPolicy: Always
          image: europe-west1-docker.pkg.dev/t1c-pre-prod/t1c-images/t1c-dss-utils-api:1.0.0-SNAPSHOT
          envFrom:
            - configMapRef:
                name: t1c-dss-utils-api-config
            # Secret values injected as environment variables sit in the
            # process environment (readable by anything that can exec into
            # the container) and can leak into crash dumps and logs; a
            # mounted Secret volume is the lower-exposure alternative.
            - secretRef:
                name: t1c-dss-utils-api-secrets
          ports:
            - containerPort: 9000
              name: http
          # Memory is bounded but CPU is not; a CPU request at least makes
          # scheduling predictable.
          resources:
            requests:
              memory: '512Mi'
            limits:
              memory: '768Mi'
          # Not present, and not added here because the image's runtime user
          # is unknown: readiness/liveness probes and a securityContext
          # (runAsNonRoot, allowPrivilegeEscalation: false, drop all
          # capabilities).
