Metaform · wolf4ood · Dec 22, 2025 · Dec 22, 2025
diff --git a/k8s/apps/controlplane-config.yaml b/k8s/apps/controlplane-config.yaml
@@ -54,6 +54,7 @@ data:
   edc.datasource.default.password: "cp"
   edc.sql.schema.autocreate: "true"
 
+  edc.encryption.aes.key.alias: "aes-key-alias"
 
   # Oauth2 config
   # KeyCloak takes the `iss` claim's host from the request URL. For now, this is the URL defined in the ingress route.
@@ -71,6 +72,4 @@ data:
   # Trusted Issuers
   edc.iam.trusted-issuer.issuer.id: "did:web:issuerservice.edc-v.svc.cluster.local%3A10016:issuer"
 
-  JAVA_TOOL_OPTIONS: "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=1044"
-
-  edc.encryption.strict: "false"
+  JAVA_TOOL_OPTIONS: "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=1044"
diff --git a/k8s/apps/identityhub-config.yaml b/k8s/apps/identityhub-config.yaml
@@ -45,12 +45,11 @@ data:
   # grace period for credential expiry, 3600*24 = 1 day
   edc.iam.credential.renewal.graceperiod: "86400"
 
+  edc.encryption.aes.key.alias: "aes-key-alias"
   # Oauth2 config
   # KeyCloak takes the `iss` claim's host from the request URL. For now, this is the URL defined in the ingress route.
   # to do this properly, we should probably configure the following properties on the ingress route:
   #    proxy_set_header Host $host;
   #    proxy_set_header X-Forwarded-Proto $scheme;
   edc.iam.oauth2.issuer: "http://keycloak.edc-v.svc.cluster.local:8080/realms/edcv"
-  edc.iam.oauth2.jwks.url: "http://keycloak.edc-v.svc.cluster.local:8080/realms/edcv/protocol/openid-connect/certs"
-
-  edc.encryption.strict: "false"
+  edc.iam.oauth2.jwks.url: "http://keycloak.edc-v.svc.cluster.local:8080/realms/edcv/protocol/openid-connect/certs"
diff --git a/k8s/apps/issuerservice-config.yaml b/k8s/apps/issuerservice-config.yaml
@@ -49,6 +49,7 @@ data:
   edc.sql.schema.autocreate: "true"
   edc.iam.accesstoken.jti.validation: "true"
 
+  edc.encryption.aes.key.alias: "aes-key-alias"
   # Oauth2 config
   # KeyCloak takes the `iss` claim's host from the request URL. For now, this is the URL defined in the ingress route.
   # to do this properly, we should probably configure the following properties on the ingress route:
@@ -63,6 +64,4 @@ data:
   # that is configured in the AttestationDefinition
   edc.datasource.membership.url: "jdbc:postgresql://postgres.edc-v.svc.cluster.local:5432/issuerservice"
   edc.datasource.membership.user: "issuer"
-  edc.datasource.membership.password: "issuer"
-
-  edc.encryption.strict: "false"
+  edc.datasource.membership.password: "issuer"
diff --git a/k8s/base/vault.yaml b/k8s/base/vault.yaml
@@ -166,6 +166,15 @@ spec:
                 "clock_skew_leeway": 60
               }
               EOF
+
+              vault write secret/data/aes-key-alias -<<EOF || { echo "Failed to create ase key entry"; exit 1; }
+              {
+                "data": {
+                  "content": "yHo9w6m2KOI3FE7vI+fcN6j86JDQ6V10lJPlv9lLWoE="
+                }
+              }
+              EOF
+
               echo "Vault bootstrap completed successfully!"
       restartPolicy: OnFailure