From ed7c25658a4d7a19067934834ae45958e3ec4539 Mon Sep 17 00:00:00 2001
From: Enrico Risa
Date: Mon, 22 Dec 2025 13:25:47 +0100
Subject: [PATCH] chore: enable aes encr
---
 k8s/apps/controlplane-config.yaml | 5 ++---
 k8s/apps/identityhub-config.yaml | 5 ++---
 k8s/apps/issuerservice-config.yaml | 5 ++---
 k8s/base/vault.yaml | 9 +++++++++
 4 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/k8s/apps/controlplane-config.yaml b/k8s/apps/controlplane-config.yaml
index 3731bcd..2d36984 100644
--- a/k8s/apps/controlplane-config.yaml
+++ b/k8s/apps/controlplane-config.yaml
@@ -54,6 +54,7 @@ data:
 edc.datasource.default.password: "cp"
 edc.sql.schema.autocreate: "true"
+ edc.encryption.aes.key.alias: "aes-key-alias"
 # Oauth2 config
 # KeyCloak takes the `iss` claim's host from the request URL. For now, this is the URL defined in the ingress route.
@@ -71,6 +72,4 @@ data:
 # Trusted Issuers
 edc.iam.trusted-issuer.issuer.id: "did:web:issuerservice.edc-v.svc.cluster.local%3A10016:issuer"
- JAVA_TOOL_OPTIONS: "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=1044"
-
- edc.encryption.strict: "false"
\ No newline at end of file
+ JAVA_TOOL_OPTIONS: "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=1044"
\ No newline at end of file
diff --git a/k8s/apps/identityhub-config.yaml b/k8s/apps/identityhub-config.yaml
index ffd7089..71086bf 100644
--- a/k8s/apps/identityhub-config.yaml
+++ b/k8s/apps/identityhub-config.yaml
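Review bot: The alias `"aes-key-alias"` added on the new side of the first hunk is the same literal the identityhub-config.yaml and issuerservice-config.yaml hunks add, and the vault.yaml hunk provisions a single `secret/data/aes-key-alias` entry, so the control plane, identity hub and issuer service appear to end up sharing one AES key. If that is intentional for this development base it deserves a comment; otherwise a per-component alias with a matching vault entry per component keeps a key disclosed from one pod from being usable against the other two. The value also reads like a placeholder rather than a key identifier, and nothing next to it says where the key comes from. I would put above the new line a comment such as `# Vault alias of the AES key used for edc.encryption; the entry is written in k8s/base/vault.yaml`.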
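Review bot: Dropping `edc.encryption.strict: "false"` in the second hunk leaves that setting at the connector's built-in default, but nothing on the new side records that the effective strictness changed together with the new key alias; the same silent removal is made in identityhub-config.yaml and issuerservice-config.yaml. I would keep a one-line comment next to the new `edc.encryption.aes.key.alias` entry in each file, e.g. `# edc.encryption.strict is no longer overridden; the connector default applies now that a key alias is configured`. The re-added last line still carries `\ No newline at end of file` in all three files, so adding the trailing newline at the same time would settle that. Separately, that last line keeps the JDWP agent (`server=y`, `address=1044`) in a deployed ConfigMap; as an unauthenticated remote-debug listener it belongs in a local-dev overlay only, though that predates this commit.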
@@ -45,12 +45,11 @@ data:
 # grace period for credential expiry, 3600*24 = 1 day
 edc.iam.credential.renewal.graceperiod: "86400"
+ edc.encryption.aes.key.alias: "aes-key-alias"
 # Oauth2 config
 # KeyCloak takes the `iss` claim's host from the request URL. For now, this is the URL defined in the ingress route.
 # to do this properly, we should probably configure the following properties on the ingress route:
 # proxy_set_header Host $host;
 # proxy_set_header X-Forwarded-Proto $scheme;
 edc.iam.oauth2.issuer: "http://keycloak.edc-v.svc.cluster.local:8080/realms/edcv"
- edc.iam.oauth2.jwks.url: "http://keycloak.edc-v.svc.cluster.local:8080/realms/edcv/protocol/openid-connect/certs"
-
- edc.encryption.strict: "false"
\ No newline at end of file
+ edc.iam.oauth2.jwks.url: "http://keycloak.edc-v.svc.cluster.local:8080/realms/edcv/protocol/openid-connect/certs"
\ No newline at end of file
diff --git a/k8s/apps/issuerservice-config.yaml b/k8s/apps/issuerservice-config.yaml
index 8645e67..9d5b9a0 100644
--- a/k8s/apps/issuerservice-config.yaml
+++ b/k8s/apps/issuerservice-config.yaml
@@ -49,6 +49,7 @@ data:
 edc.sql.schema.autocreate: "true"
 edc.iam.accesstoken.jti.validation: "true"
+ edc.encryption.aes.key.alias: "aes-key-alias"
 # Oauth2 config
 # KeyCloak takes the `iss` claim's host from the request URL. For now, this is the URL defined in the ingress route.
 # to do this properly, we should probably configure the following properties on the ingress route:
@@ -63,6 +64,4 @@ data:
 # that is configured in the AttestationDefinition
 edc.datasource.membership.url: "jdbc:postgresql://postgres.edc-v.svc.cluster.local:5432/issuerservice"
 edc.datasource.membership.user: "issuer"
- edc.datasource.membership.password: "issuer"
-
- edc.encryption.strict: "false"
\ No newline at end of file
+ edc.datasource.membership.password: "issuer"
\ No newline at end of file
diff --git a/k8s/base/vault.yaml b/k8s/base/vault.yaml
index 36eba9b..2485674 100644
--- a/k8s/base/vault.yaml
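Review bot: The new side's last line of the issuerservice-config.yaml hunk, `edc.datasource.membership.password: "issuer"`, keeps a database password in a ConfigMap, as does `edc.datasource.default.password: "cp"` in the controlplane-config.yaml context. Passwords equal to the user name suggest a development fixture, but ConfigMap data is readable by anything with `get` on configmaps in the namespace and is printed in clear by `kubectl describe`; a Secret referenced from the Deployment via `valueFrom.secretKeyRef` keeps the same key names. If these are deliberately throwaway credentials, a comment such as `# dev-only credential; real deployments must source this from a Secret` above the line records that intent.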
+++ b/k8s/base/vault.yaml
@@ -166,6 +166,15 @@ spec:
 "clock_skew_leeway": 60
 }
 EOF
+
+ vault write secret/data/aes-key-alias -<