diff --git a/charts/vc-authn-oidc/README.md b/charts/vc-authn-oidc/README.md index 39ce91a1..aa99b139 100644 --- a/charts/vc-authn-oidc/README.md +++ b/charts/vc-authn-oidc/README.md 
@@ -89,54 +89,56 @@ kubectl delete secret,pvc --selector "app.kubernetes.io/instance"=my-release ### Controller Configuration -| Name | Description | Value | -| ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------- | -| `acapyTenancyMode` | Agent tenancy mode, either `single` or `multi` | `single` | -| `setNonRevoked` | if True, the `non_revoked` attributed will be added to each of the present-proof request `requested_attribute` and `requested_predicate` with 'from=0' and'to=`int(time.time())` | `true` | -| `invitationLabel` | For the invitations sent that include the proof, what to add as the my_label field. Can be used to identify the requester to the prover | `"VC-AuthN"` | -| `useOobPresentProof` | if True, the present-proof request will be provided as a an [out of band](https://github.com/hyperledger/aries-rfcs/tree/main/features/0434-outofband) invitation with a [present-proof](https://github.com/hyperledger/aries-rfcs/tree/main/features/0037-present-proof) request inside. 
If False, the present-proof request will be use the [service-decorator](https://github.com/hyperledger/aries-rfcs/tree/main/features/0056-service-decorator) | `false` | -| `useOobLocalDIDService` | | `false` | -| `useUrlDeepLink` | if True, will use the new encoded URL (`didcomm://?_url={redirect URL}`) redirect form of the deep link | `false` | -| `walletDeepLinkPrefix` | Custom URI scheme and host to use for deep links (`{walletDeepLinkPrefix}?c_i={connection payload`) | `"bcwallet://aries_proof-request"` | -| `controllerCameraRedirectUrl` | The redirect url can be a web link or the name of a template | `wallet_howto` | -| `controllerPresentationExpireTime` | The number of time in seconds a proof request will be valid for | `300` | -| `useHTTPS` | Prepend Agent and Admin URLs with `https` | `true` | -| `logLevel` | Accepts one of the following values: CRITICAL, ERROR, WARNING, INFO, DEBUG | `INFO` | -| `auth.api.existingSecret` | Specify the name of the secret containing `controllerApiKey` key. | `""` | -| `auth.token.privateKey.filename` | Specify the name of the signing key file | `jwt-token.pem` | -| `auth.token.privateKey.existingSecret` | Specify the name of the secret containing the signing key to be mounted, if not specified, a new secret will be created. | `""` | -| `database.existingSecret` | Specify existing secret containing the keys `mongodb-root-password`, `mongodb-replica-set-key`, and `mongodb-passwords`. `database.secret.create` must be set to `false` when using existing secret. | `""` | -| `podAnnotations` | Map of annotations to add to the acapy pods | `{}` | -| `podSecurityContext` | Pod Security Context | `{}` | -| `containerSecurityContext` | Container Security Context | `{}` | -| `networkPolicy.enabled` | Enable network policies | `true` | -| `networkPolicy.ingress.enabled` | Enable ingress rules | `true` | -| `networkPolicy.ingress.namespaceSelector` | Namespace selector label that is allowed to access the Tenant proxy pods. 
| `{}` | -| `networkPolicy.ingress.podSelector` | Pod selector label that is allowed to access the Tenant proxy pods. | `{}` | -| `service.type` | Kubernetes Service type | `ClusterIP` | -| `service.port` | | `5000` | -| `ingress.enabled` | Enable ingress record generation for controller | `true` | -| `ingress.className` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | -| `ingress.annotations` | Additional annotations for the Ingress resource. | `[]` | -| `ingress.tls` | Enable TLS configuration for the host defined at ingress. | `[]` | -| `resources.limits.memory` | The memory limit for the controller containers | `512Mi` | -| `resources.limits.cpu` | The cpu limit for the controller containers | `100m` | -| `resources.requests.memory` | The requested memory for the controller containers | `128Mi` | -| `resources.requests.cpu` | The requested cpu for the controller containers | `10m` | -| `replicaCount` | Number of controller replicas to deploy | `1` | -| `autoscaling.enabled` | Enable Horizontal POD autoscaling forthe controller | `true` | -| `autoscaling.minReplicas` | Minimum number of controller replicas | `1` | -| `autoscaling.maxReplicas` | Maximum number of controller replicas | `2` | -| `autoscaling.targetCPUUtilizationPercentage` | Target CPU utilization percentage | `80` | -| `autoscaling.targetMemoryUtilizationPercentage` | Target Memory utilization percentage | `""` | -| `autoscaling.stabilizationWindowSeconds` | Stabilization window in seconds | `300` | -| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `false` | -| `serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`. | `{}` | -| `serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `true` | -| `serviceAccount.name` | Name of the service account to use. 
If not set and create is true, a name is generated using the fullname template. | `""` | -| `affinity` | Affinity for pods assignment | `{}` | -| `nodeSelector` | Node labels for pods assignment | `{}` | -| `tolerations` | Tolerations for pods assignment | `[]` | +| Name | Description | Value | +|-------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------| +| `acapyTenancyMode` | Agent tenancy mode, either `single` or `multi` | `single` | +| `setNonRevoked` | if True, the `non_revoked` attributed will be added to each of the present-proof request `requested_attribute` and `requested_predicate` with 'from=0' and'to=`int(time.time())` | `true` | +| `invitationLabel` | For the invitations sent that include the proof, what to add as the my_label field. Can be used to identify the requester to the prover | `"VC-AuthN"` | +| `useOobPresentProof` | if True, the present-proof request will be provided as a an [out of band](https://github.com/hyperledger/aries-rfcs/tree/main/features/0434-outofband) invitation with a [present-proof](https://github.com/hyperledger/aries-rfcs/tree/main/features/0037-present-proof) request inside. 
If False, the present-proof request will be use the [service-decorator](https://github.com/hyperledger/aries-rfcs/tree/main/features/0056-service-decorator) | `false` | +| `useOobLocalDIDService` | | `false` | +| `useUrlDeepLink` | if True, will use the new encoded URL (`didcomm://?_url={redirect URL}`) redirect form of the deep link | `false` | +| `walletDeepLinkPrefix` | Custom URI scheme and host to use for deep links (`{walletDeepLinkPrefix}?c_i={connection payload`) | `"bcwallet://aries_proof-request"` | +| `controller.cameraRedirectUrl` | The redirect url can be a web link or the name of a template | `wallet_howto` | +| `controller.presentationExpire.time` | The number of time in seconds a proof request will be valid for | `300` | +| `controller.sessionTimeout.duration` | The number of seconds an auth_sessions in the states defined in `controllerSessionTimeoutConfig` is kept for | `86400` | +| `controller.sessionTimeout.config` | The list of auth session states that are safe for deletion | `[expired', 'failed', 'abandoned']` | +| `useHTTPS` | Prepend Agent and Admin URLs with `https` | `true` | +| `logLevel` | Accepts one of the following values: CRITICAL, ERROR, WARNING, INFO, DEBUG | `INFO` | +| `auth.api.existingSecret` | Specify the name of the secret containing `controllerApiKey` key. | `""` | +| `auth.token.privateKey.filename` | Specify the name of the signing key file | `jwt-token.pem` | +| `auth.token.privateKey.existingSecret` | Specify the name of the secret containing the signing key to be mounted, if not specified, a new secret will be created. | `""` | +| `database.existingSecret` | Specify existing secret containing the keys `mongodb-root-password`, `mongodb-replica-set-key`, and `mongodb-passwords`. `database.secret.create` must be set to `false` when using existing secret. 
| `""` | +| `podAnnotations` | Map of annotations to add to the acapy pods | `{}` | +| `podSecurityContext` | Pod Security Context | `{}` | +| `containerSecurityContext` | Container Security Context | `{}` | +| `networkPolicy.enabled` | Enable network policies | `true` | +| `networkPolicy.ingress.enabled` | Enable ingress rules | `true` | +| `networkPolicy.ingress.namespaceSelector` | Namespace selector label that is allowed to access the Tenant proxy pods. | `{}` | +| `networkPolicy.ingress.podSelector` | Pod selector label that is allowed to access the Tenant proxy pods. | `{}` | +| `service.type` | Kubernetes Service type | `ClusterIP` | +| `service.port` | | `5000` | +| `ingress.enabled` | Enable ingress record generation for controller | `true` | +| `ingress.className` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | +| `ingress.annotations` | Additional annotations for the Ingress resource. | `[]` | +| `ingress.tls` | Enable TLS configuration for the host defined at ingress. 
| `[]` | +| `resources.limits.memory` | The memory limit for the controller containers | `512Mi` | +| `resources.limits.cpu` | The cpu limit for the controller containers | `100m` | +| `resources.requests.memory` | The requested memory for the controller containers | `128Mi` | +| `resources.requests.cpu` | The requested cpu for the controller containers | `10m` | +| `replicaCount` | Number of controller replicas to deploy | `1` | +| `autoscaling.enabled` | Enable Horizontal POD autoscaling forthe controller | `true` | +| `autoscaling.minReplicas` | Minimum number of controller replicas | `1` | +| `autoscaling.maxReplicas` | Maximum number of controller replicas | `2` | +| `autoscaling.targetCPUUtilizationPercentage` | Target CPU utilization percentage | `80` | +| `autoscaling.targetMemoryUtilizationPercentage` | Target Memory utilization percentage | `""` | +| `autoscaling.stabilizationWindowSeconds` | Stabilization window in seconds | `300` | +| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `false` | +| `serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`. | `{}` | +| `serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `true` | +| `serviceAccount.name` | Name of the service account to use. If not set and create is true, a name is generated using the fullname template. | `""` | +| `affinity` | Affinity for pods assignment | `{}` | +| `nodeSelector` | Node labels for pods assignment | `{}` | +| `tolerations` | Tolerations for pods assignment | `[]` | ### Acapy Configuration diff --git a/charts/vc-authn-oidc/templates/configmap.yaml b/charts/vc-authn-oidc/templates/configmap.yaml new file mode 100644 index 00000000..d5a691c9 --- /dev/null +++ b/charts/vc-authn-oidc/templates/configmap.yaml 
@@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "global.fullname" . }}-session-timeout + labels: {{- include "vc-authn-oidc.labels" . | nindent 4 }} +data: + sessiontimeout.json: | + {{ .Values.controller.sessionTimeout.config | toJson }} diff --git a/charts/vc-authn-oidc/templates/deployment.yaml b/charts/vc-authn-oidc/templates/deployment.yaml index 8e75c70f..8a08966a 100644 --- a/charts/vc-authn-oidc/templates/deployment.yaml +++ b/charts/vc-authn-oidc/templates/deployment.yaml @@ -64,9 +64,13 @@ spec: name: {{ include "vc-authn-oidc.apiSecretName" . }} key: controllerApiKey - name: CONTROLLER_CAMERA_REDIRECT_URL - value: {{ .Values.controllerCameraRedirectUrl }} + value: {{ .Values.controller.cameraRedirectUrl }} - name: CONTROLLER_PRESENTATION_EXPIRE_TIME - value: {{ .Values.controllerPresentationExpireTime | quote }} + value: {{ .Values.controller.presentationExpireTime | quote }} + - name: CONTROLLER_SESSION_TIMEOUT_CONFIG_FILE + value: /home/aries/sessiontimeout.json + - name: CONTROLLER_PRESENTATION_CLEANUP_TIME + value: {{ .Values.controller.sessionTimeout.duration | quote }} - name: ACAPY_AGENT_URL value: {{ include "acapy.agent.url" . }} - name: ACAPY_ADMIN_URL @@ -121,6 +125,9 @@ spec: volumeMounts: - name: jwt-token mountPath: /opt/token + - name: auth-session-ttl + mountPath: /home/aries/sessiontimeout.json + subPath: sessiontimeout.json {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/vc-authn-oidc/values.yaml b/charts/vc-authn-oidc/values.yaml index 2c343856..8a5aac04 100644 --- a/charts/vc-authn-oidc/values.yaml +++ b/charts/vc-authn-oidc/values.yaml 
@@ -36,10 +36,19 @@ useOobLocalDIDService: false useUrlDeepLink: false ## @param walletDeepLinkPrefix URI scheme and host to use in deep links ((e.g. `{WALLET_DEEP_LINK_PREFIX}?c_i={connection invitation payload`)) walletDeepLinkPrefix: bcwallet://aries_proof-request -## @param controllerCameraRedirectUrl The redirect url can be a web link or the name of a template -controllerCameraRedirectUrl: wallet_howto -## @param controllerPresentationExpireTime The number of time in seconds a proof request will be valid for -controllerPresentationExpireTime: 300 +## @param controller.cameraRedirectUrl The redirect url can be a web link or the name of a template +## @param controller.presentationExpireTime The number of time in seconds a proof request will be valid for +## @param controller.sessionTimeout.duration The number of seconds an auth_sessions in the states defined in controllerSessionTimeoutConfig is kept for +## @param controller.sessionTimeout.config The json list of auth session states that are safe for deletion +controller: + cameraRedirectUrl: wallet_howto + presentationExpireTime: 300 + sessionTimeout: + duration: 86400 + config: + - expired + - failed + - abandoned ## @param useHTTPS Prepend Agent and Admin URLs with `https` useHTTPS: true ## @param logLevel Accepts one of the following values: CRITICAL, ERROR, WARNING, INFO, DEBUG diff --git a/docker/docker-compose.yaml b/docker/docker-compose.yaml index 9d46c83f..3264c6ae 100644 --- a/docker/docker-compose.yaml +++ b/docker/docker-compose.yaml @@ -44,7 +44,7 @@ services: - 5678:5678 volumes: - ../oidc-controller:/app:rw - - ./oidc-controller/sessiontimeout.json:/tmp/sessiontimeout.json + - ./oidc-controller/config/sessiontimeout.json:/home/aries/sessiontimeout.json networks: - vc_auth diff --git a/docker/manage b/docker/manage index 418f0341..605bd308 100755 --- a/docker/manage +++ b/docker/manage 
@@ -177,7 +177,7 @@ configureEnvironment() { export CONTROLLER_PRESENTATION_CLEANUP_TIME=86400 # The path to the auth_session timeouts config file - export CONTROLLER_SESSION_TIMEOUT_CONFIG_FILE="/tmp/sessiontimeout.json" + export CONTROLLER_SESSION_TIMEOUT_CONFIG_FILE="/home/aries/sessiontimeout.json" #controller app settings export INVITATION_LABEL=${INVITATION_LABEL:-"VC-AuthN"} diff --git a/docker/oidc-controller/sessiontimeout.json b/docker/oidc-controller/config/sessiontimeout.json similarity index 100% rename from docker/oidc-controller/sessiontimeout.json rename to docker/oidc-controller/config/sessiontimeout.json diff --git a/docs/README.md b/docs/README.md index a5530902..e1321ea7 100644 --- a/docs/README.md +++ b/docs/README.md @@ -345,7 +345,7 @@ The following additional metadata must be present at the OP's `/.well-known/open ## Auth Session Cleanup -For each authentication attempt, an auth session is created. Over Time, these can accumulate, increasing the database size. To address this issue, a configuration file specified by the environment variable CONTROLLER_SESSION_TIMEOUT_CONFIG_FILE is used to automatically clean up auth sessions based on their current state. This file contains a JSON array of different auth session states as strings. +For each authentication attempt, an auth session is created. Over Time, these can accumulate, increasing the database size. To address this issue, a configuration file specified by the environment variable `CONTROLLER_SESSION_TIMEOUT_CONFIG_FILE` is used to automatically clean up auth sessions based on their current state. This file contains a JSON array of different auth session states as strings. An example configuration file would contain the following text ```json
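Review bot: in the `charts/vc-authn-oidc/README.md` hunk, the row `controller.presentationExpire.time` names a key that nothing reads; `values.yaml` defines `controller.presentationExpireTime` and `deployment.yaml` renders `.Values.controller.presentationExpireTime`, so the row should be renamed to `controller.presentationExpireTime` or users copying it will get the default silently. Two smaller documentation slips in the same table: the default for `controller.sessionTimeout.config` is missing its opening quote (`[expired', 'failed', 'abandoned']`), and the description of `controller.sessionTimeout.duration` still refers to `controllerSessionTimeoutConfig`, which no longer exists after this change and should read `controller.sessionTimeout.config`.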
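Review bot: the new `charts/vc-authn-oidc/templates/configmap.yaml` is not tied to the Deployment's pod template, so changing `controller.sessionTimeout.config` on upgrade will update the ConfigMap but not restart the controller pods, and the old cleanup list stays in effect. Add a checksum annotation to the pod template, e.g. `checksum/session-timeout: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}`, so a changed list rolls the pods. This is needed here rather than optional, because the file is consumed through a `subPath` mount (see the deployment hunk), and Kubernetes does not refresh `subPath` mounts of a ConfigMap in place.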
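Review bot: the second hunk in `charts/vc-authn-oidc/templates/deployment.yaml` adds a `volumeMounts` entry named `auth-session-ttl`, but no matching entry under `volumes:` appears anywhere in this diff; unless it is already defined elsewhere in the template, the rendered Pod spec will be rejected for referencing an undefined volume. It should be declared alongside the existing `jwt-token` volume, roughly `- name: auth-session-ttl` / `configMap:` / `name: {{ include "global.fullname" . }}-session-timeout`, using the same name the new ConfigMap template generates. In the first hunk, `CONTROLLER_CAMERA_REDIRECT_URL` is still rendered without `| quote` while the neighbouring values are quoted; since the README says this may be a web link, a value containing `:` or `#` would break the YAML, so pipe it through `quote` as well.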
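Review bot: in the `charts/vc-authn-oidc/values.yaml` hunk, the `@param controller.sessionTimeout.duration` comment still refers to `controllerSessionTimeoutConfig`, a key this very change removes; point it at `controller.sessionTimeout.config` so the generated README stays accurate. It would also help readers to note in that comment that `duration` is exported to the controller as `CONTROLLER_PRESENTATION_CLEANUP_TIME`, since the Helm key and the environment variable name differ.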
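Review bot: the `docs/README.md` hunk only wraps `CONTROLLER_SESSION_TIMEOUT_CONFIG_FILE` in backticks; while touching that sentence, "Over Time" should be "Over time", and it is worth stating that the file path must match where the chart (`/home/aries/sessiontimeout.json`) and `docker/manage` now place it, since this change moves it from `/tmp`.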