oda-canvas's Introduction

Open Digital Architecture Canvas

The Open Digital Architecture (ODA) Canvas is an execution environment for ODA Components and the release automation part of a CI/CD pipeline. This repository contains the Reference Implementation, open-source code, use-cases and test-kit for a TM Forum ODA canvas. You are free to use this as a starting point for your own ODA Canvas implementation.

The Usecase Library shows how ODA Components interact with the ODA Canvas. The Feature definition and Test Kit details the features required to be a fully compliant ODA Canvas and a set of tests that can be used to validate any ODA Canvas. The source code contains the source code for the operators that are part of the ODA Canvas.

The Reference Implementation of the ODA Canvas will be used for ODA Component certification.

Installation

See the Installation Guide for installation instructions.

ODA Canvas Design

The design (including ongoing work) of the ODA Canvas is documented in ODA Canvas Design.

Release notes

Version Release notes
1.1.1 Bug fix release - Webhook handles empty specification field for exposedAPI. Tested against kubernetes 1.29.
1.1.0 Added support for multiple specifications of each Open-API. The v1beta3 exposedAPI object defines its specification property as an array. This is specifically designed to allow TM Forum Gen5 Open-APIs (which can be specified alongside Gen4 APIs). The Webhook will automatically convert v1beta2 and v1beta1 specifications to v1beta3 with an array of 1.
1.0.0 First tracked release for component version v1beta3 (also supports N-2 versions i.e. v1beta2 and v1beta1).

oda-canvas's Issues

Misspelled words with values.yaml file and Chart.yaml file

There are 2 misspelled words in the annotation part of values.yaml and Chart.yaml
url: https://github.com/tmforum-oda/oda-canvas/blob/master/installation/canvas-oda/values.yaml
Row number: 114
#We reuse the admin user created on keycloak instalation [installation]

url: https://github.com/tmforum-oda/oda-canvas/blob/master/installation/canvas-oda/Chart.yaml
Row number: 3
description: A Helm of helm to orchestrate the ODA instalation [installation]

Feature: Secure User and Role Information Communication

Description

This issue is to add a BDD feature (in compliance-test-kit/BDD-and-TDD/features ) for Feature: Secure User and Role Information Communication

This is from the authentication workshop:

we need to allow secure transmission of user information as JSON objects using JWT
we may need a common set of minimum mandatory JWT claims for interoperability

This links to the decision https://github.com/tmforum-oda/oda-ca-docs/blob/master/Decision-Log/006-common-set-of-minimum-mandatory-JWT-claims-for-interoperability.md

Unable to install oda-canvas locally by following the documentation

Hello, not sure if this is a bug or if there is something I miss from the documentation. I am trying to install the oda-canvas locally using microk8s by following the instructions here:

When I reach the point where I'm calling bash install_canvas_cert-manager.sh, I am being shown the following message:

*********************************************************************
Installing base canvas
*********************************************************************

Error: INSTALLATION FAILED: unable to build kubernetes objects from release manifest: [resource mapping not found for name: "odacomponent-role-cluster" namespace: "" from "": no matches for kind "ClusterRole" in version "rbac.authorization.k8s.io/v1beta1"
ensure CRDs are installed first, resource mapping not found for name: "odacomponent-rolebinding-cluster" namespace: "" from "": no matches for kind "ClusterRoleBinding" in version "rbac.authorization.k8s.io/v1beta1"
ensure CRDs are installed first, resource mapping not found for name: "odacomponent-role-namespaced" namespace: "components" from "": no matches for kind "Role" in version "rbac.authorization.k8s.io/v1beta1"
ensure CRDs are installed first, resource mapping not found for name: "odacomponent-rolebinding-namespaced" namespace: "components" from "": no matches for kind "RoleBinding" in version "rbac.authorization.k8s.io/v1beta1"
ensure CRDs are installed first, resource mapping not found for name: "component-gateway" namespace: "components" from "": no matches for kind "Gateway" in version "networking.istio.io/v1alpha3"
ensure CRDs are installed first]

It seems that there are some CRDs that I haven't got installed. Is there anything I am missing from the documentation, or is there some other repository where those CRDs are available so that I can install them first?

This is the output from running microk8s kubectl version

$ microk8s kubectl version

WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short.  Use --output=yaml|json to get the full version.
Client Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.3", GitCommit:"434bfd82814af038ad94d62ebe59b133fcb50506", GitTreeState:"clean", BuildDate:"2022-10-12T10:47:25Z", GoVersion:"go1.19.2", Compiler:"gc", Platform:"darwin/arm64"}
Kustomize Version: v4.5.7
Server Version: version.Info{Major:"1", Minor:"22+", GitVersion:"v1.22.16-3+024782121eb186", GitCommit:"024782121eb1866f575ad5d06b5b58722e76d29c", GitTreeState:"clean", BuildDate:"2022-11-10T18:14:08Z", GoVersion:"go1.16.15", Compiler:"gc", Platform:"linux/arm64"}
WARNING: version difference between client (1.25) and server (1.22) exceeds the supported minor version skew of +/-1

Thank you in advance

Canvas: Expired compcrdwebhook certificate prevents ODA components deployment

Trying to deploy a component in the ODA-CA-CLUSTER-2, we found an error related to an expired certificate

Error: INSTALLATION FAILED: conversion webhook for oda.tmforum.org/v1alpha3, Kind=component failed: Post "https://compcrdwebhook.canvas.svc:443/?timeout=30s": x509: certificate has expired or is not yet valid: current time 2022-01-26T10:24:39Z is after 2021-12-19T15:47:14Z

The certificates issued by cert-manager are valid for only three months, and it rotates them automatically. The one configured in the canvas namespace is this:
kubectl get certificate -n canvas -o yaml

apiVersion: v1
items:
- apiVersion: cert-manager.io/v1
  kind: Certificate
  metadata:
    creationTimestamp: "2021-09-20T15:28:57Z"
    generation: 1
    name: compcrdwebhook.canvas.svc
    namespace: canvas
  spec:
    commonName: compcrdwebhook.canvas.svc
    dnsNames:
    - compcrdwebhook
    - compcrdwebhook.canvas
    - compcrdwebhook.canvas.svc
    - compcrdwebhook.canvas.svc.cluster.local
    isCA: false
    issuerRef:
      name: selfsigned-issuer
    privateKey:
      algorithm: RSA
      encoding: PKCS1
      size: 2048
    secretName: compcrdwebhook.canvas.svc-tls
    usages:
    - digital signature
    - content commitment
    - key encipherment
    - server auth
  status:
    conditions:
    - lastTransitionTime: "2021-09-20T15:47:14Z"
      message: Certificate is up to date and has not expired
      observedGeneration: 1
      reason: Ready
      status: "True"
      type: Ready
    notAfter: "2022-04-18T15:47:14Z"
    notBefore: "2022-01-18T15:47:14Z"
    renewalTime: "2022-03-19T15:47:14Z"
    revision: 3
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

Relevant here are the
secretName: compcrdwebhook.canvas.svc-tls
where cert-manager stores the cert,
and the times

    notAfter: "2022-04-18T15:47:14Z"
    notBefore: "2022-01-18T15:47:14Z"
    renewalTime: "2022-03-19T15:47:14Z"

The certificate in the compcrdwebhook.canvas.svc-tls seems correct

 kubectl get secrets -n canvas compcrdwebhook.canvas.svc-tls -ojsonpath="{.data.tls\.crt}" | base64 -d | openssl x509 -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5d:f6:aa:e0:ed:82:50:bc:c8:a4:98:67:5c:ec:b2:31
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = compcrdwebhook.canvas.svc
        Validity
            Not Before: Jan 18 15:47:14 2022 GMT
            Not After : Apr 18 15:47:14 2022 GMT

but the compcrdwebhook deployment seems to use another tls-secret

kubectl get deploy -n canvas compcrdwebhook -o yaml | grep secret
        - mountPath: /etc/secret-volume
          name: secret-volume
      - name: secret-volume
        secret:
          secretName: compcrdwebhook-secret

That secret contains an already expired certificate that correlates with the time stated in the error found

 kubectl get secrets -n canvas compcrdwebhook-secret -ojsonpath="{.data.tls\.crt}" | base64 -d | openssl x509 -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b9:c8:4b:8a:d7:dd:02:36:67:ea:f7:1f:a0:d6:21:63
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = compcrdwebhook.canvas.svc
        Validity
            Not Before: Sep 20 15:47:14 2021 GMT
            Not After : Dec 19 15:47:14 2021 GMT

This secret is created manually in an installation script https://github.com/tmforum-oda/oda-canvas-charts/blob/master/create_tls_certificates_cert-manager_v1.sh from the secret managed by cert-manager, but when the first gets rotated, the latter is unaware of the change.
I don't know if the manually created cert has another use to justify its existence; if not, I guess the managed secret should be used to prevent these expiration errors.
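The check walked through in this issue, as an added example that is not part of the original report or the project's code: it flags any secret a Deployment mounts that no cert-manager Certificate manages, and tests its validity window against a given time. The embedded inputs are constructed, trimmed copies of the `kubectl ... -o json` and `openssl x509 -text` output quoted above; the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed inputs, trimmed from the command output quoted in the issue.
CERTIFICATES = {"items": [{
    "kind": "Certificate",
    "metadata": {"name": "compcrdwebhook.canvas.svc", "namespace": "canvas"},
    "spec": {"secretName": "compcrdwebhook.canvas.svc-tls"},
}]}

DEPLOYMENT = {
    "metadata": {"name": "compcrdwebhook", "namespace": "canvas"},
    "spec": {"template": {"spec": {"volumes": [
        {"name": "secret-volume",
         "secret": {"secretName": "compcrdwebhook-secret"}},
    ]}}},
}

# `openssl x509 -text` output per secret (only the Validity block is kept).
CERT_TEXT = {
    "compcrdwebhook.canvas.svc-tls": """
        Validity
            Not Before: Jan 18 15:47:14 2022 GMT
            Not After : Apr 18 15:47:14 2022 GMT
    """,
    "compcrdwebhook-secret": """
        Validity
            Not Before: Sep 20 15:47:14 2021 GMT
            Not After : Dec 19 15:47:14 2021 GMT
    """,
}

_VALIDITY = re.compile(
    r"Not (Before|After)\s*:\s*(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) GMT")


def parse_validity(openssl_text):
    """Return (not_before, not_after) as aware UTC datetimes."""
    found = {}
    for which, stamp in _VALIDITY.findall(openssl_text):
        parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
        found[which] = parsed.replace(tzinfo=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("no complete Validity block in openssl output")
    return found["Before"], found["After"]


def mounted_secrets(deployment):
    """Names of all secrets the pod template mounts as volumes."""
    volumes = deployment["spec"]["template"]["spec"].get("volumes", [])
    return [v["secret"]["secretName"] for v in volumes if "secret" in v]


def managed_secrets(certificates):
    """Secret names that cert-manager writes to and rotates."""
    return {c["spec"]["secretName"] for c in certificates.get("items", [])}


def audit(deployment, certificates, cert_text, now):
    """One finding per mounted secret: is it rotated, is it valid at `now`?"""
    managed = managed_secrets(certificates)
    findings = []
    for name in mounted_secrets(deployment):
        not_before, not_after = parse_validity(cert_text[name])
        findings.append({
            "secret": name,
            "managed_by_cert_manager": name in managed,
            "valid_now": not_before <= now <= not_after,
            "not_after": not_after.isoformat(),
        })
    return findings


if __name__ == "__main__":
    # "current time" taken from the x509 error message in the issue.
    failure_time = datetime(2022, 1, 26, 10, 24, 39, tzinfo=timezone.utc)
    for finding in audit(DEPLOYMENT, CERTIFICATES, CERT_TEXT, failure_time):
        print(finding)
```

A finding with `managed_by_cert_manager` false is the condition worth alerting on before expiry, since nothing will rotate that secret.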

Generate TLS certificates automatically

Description

The webhook (used to translate versions of Component CRD) requires https. Create a script to automatically create and sign TLS certificates and put them in Kubernetes secrets (that are used by webhook).

Canvas: ingress is not created and deployment status is `In-Progress-CompCon`

Long story short

When deploying ODA components, the component ingress is not created and the deployment status is In-Progress-CompCon

For instance with the sigscale-ocs component provided in https://github.com/tmforum-rand/oda-component-definitions, we get

❯ k get components -A
NAMESPACE          NAME                     EXPOSED_APIS                               DEVELOPER_UI   DEPLOYMENT_STATUS
components         sigscale-ocs             http://172.16.0.100/partyManagement/v1/                   In-Progress-CompCon

I will provide some logs of oda-controller-ingress asap (I have no access to the cluster right now), do not hesitate to point us some hints meanwhile

API Gateway: Configure API Gateway for UC007 and UC008

Configure API Gateway for Authentication use cases UC007 and UC008

Configure the Kong API Gateway to integrate to Keycloak to validate API Requests as per UC007 and optionally UC008.

For UC008 (internal authentication), if a Service Mesh is used instead of the API Gateway, we do the same configuration on Istio to Validate API requests against Keycloak.

canvas: merge repositories and re-organise content

Description

Proposal is to

  • Merge oda-ca, oda-canvas-ctk, canvas-in-a-bottle, canvas-in-a-bottle-gui into the oda-canvas-charts repo, and rename it oda-canvas.
  • The existing content in oda-canvas-charts will move to an installation folder.
  • The oda-ca content will move to an operators folder.
  • The oda-canvas-ctk will move to a compliance-test-kit folder
  • The canvas-in-a-bottle and canvas-in-a-bottle-gui will move to sub-folders under installation

compcrdwebhook: Support development using architectures other than x64

It seems that the compcrdwebhook webhook, in https://hub.docker.com/r/tmforumodacanvas/compcrdwebhook is built for x64 architectures. This is fine in most scenarios, but it causes issues when being present in an environment where there is another architecture (like Apple Silicon, or an arm machine).

Since the arm architecture is becoming more common even in clouds, I believe it could be beneficial to support docker manifest lists to support multiple architectures with the same build.

canvas: Timing condition when installing canvas

Description

Sometimes, when installing the canvas, the install script continues faster than cert-manager can handle the creation of certificate resources in K8s.

Insert a check in the script to ensure the resources have been created before continuing.

Fix: Update Controller RBAC

RBAC for the controller is failing in new canvas.

Additional permissions are required for odacomponent-account.

Installation. Istio gateway falling

Following the current instructions to install the Istio Gateway Helm Chart leaves the system unusable because some component relies on these elements being labelled in a particular way.
For that, we need to update the instructions to install the Istio Gateway with the right labels

operator: Add istio controller to Canvas charts

Description

Add the istio controller, including adding an istio gateway for the components to use.

The istio controller creates a virtual service for each API that is exposed. The virtual service resources link to a single istio gateway called components.

Canvas: Test the deployment of the Canvas install on multiple environments

Description

For the end of sprint 2, we will document supported versions of K8s that the canvas has been tested with. We need to test the install of the canvas on the full range of Kubernetes versions, and on as many different environments as possible.

Ideally, we would include in the documentation a walkthrough of installing on different environments with screenshots.

The Kubernetes versions are v1.22 through to v1.24.
Possible test environments are:

Kubernetes deployment Tested Tested By Test Date Test K8s Notes
Rancher on AWS [Open Digital Lab environment]
Azure AKS
Microk8s
MiniKube
Docker Desktop Yes @LesterThomas 2023-03-09 1.24
Kind Using Canvas-in-a-bottle
K3s
(other)

Feel free to add any other k8s cluster implementations you would like us to test against in the comments below. Please comment in this issue if you have tested against a particular deployment and I'll update the table above.

Add support to manage Persistent Volume Claims

In the initial release, the canvas controller manages Services and Deployments (it makes any Services or Deployments that are labeled as belonging to a component a child of that component).

The latest release of the canvas controller extends this to PersistentVolumeClaims (PVCs). We need to add to the permissions to allow it to manage PVCs.

Feature: update controller config to allow different ingress controllers

The simple ingress controller from ODA-CA defaults to nginx. This means without extra configuration other ingress controllers will not function correctly (e.g. K3s defaults to Traefik)

Update the controller chart to add the environment variable INGRESS_CLASS, defaulted to nginx to reflect the default in the simple ingress controller and disabled unless required.

Misspelled words with values.yaml file

Description

There are 2 misspelled words in annotation part of values.yaml

url: https://github.com/tmforum-oda/oda-canvas/blob/master/installation/canvas-oda/values.yaml
Row number: 32-33
#The lease can survive among instalations [installations], so cainjectot can waits up to 60s to become leader
#If cainjector is not fully initilizaded [initialized] we can find the following error

url: https://github.com/tmforum-oda/oda-canvas/blob/master/installation/cert-manager-init/values.yaml
Row number: 15-16
#The lease can survive among instalations [installations], so cainjectot can waits up to 60s to become leader
#If cainjector is not fully initilizaded [initialized] we can find the following error

Postgres 10 not on bitnami charts anymore

Description

Hi Postgres 10.8.0 is not part of Bitnami chart anymore, we will need to update /canvas/charts/keycloak/Chart.yaml

I'm using the wildcard operator, but we may want to fix on a specific version, there are a couple of people waiting for this fix.

Operator: security controller

Add support for Identity Management and security controller

The canvas requires an Identity Provider and a security controller to manage the roles in components.

This issue is to achieve two things:

  • Add first commit of keycloak chart for testing in ODA-CA environment.
  • Add configuration for the security controller.

Canvas: implement support for forward proxies

long story short

In Orange's current deployments, the k8s clusters where the canvas is deployed do not have direct access to the internet; all outgoing access passes through a forward proxy that has to be configured at the cluster level but also inside each payload.

This proxy support feature is available for most of the products we use on the cluster, but the documentation / helm charts of the canvas do not seem to state anything about it.

potential problems and attempts to bypass them

  • the specification of exposedAPIs of a component CRD might be fetched from internet

Setting some environment variables in the deployment chart of the oda-controller-ingress deployment does not seem to be taken into account

apiVersion: apps/v1
kind: Deployment
metadata:
  name: oda-controller-ingress
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "controller.labels" . | nindent 4 }}
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oda-controller-ingress
  template:
    metadata:
      namespace: {{ .Release.Namespace }}
      labels:
        app: oda-controller-ingress
        {{- include "controller.labels" . | nindent 8 }}
    spec:
      serviceAccountName: odacomponent-account
      containers:
      - name: oda-controller-ingress
        image: {{.Values.deployment.compconimage}}
        imagePullPolicy: IfNotPresent
        envFrom:
          - configMapRef:
              name: {{ .Release.Name }}-configmap
          - secretRef:
              name: {{ .Release.Name }}-secret

# proxy conf
        env:
        - name: "HTTP_PROXY"
          value: "http://xxx:3128"
        - name: "HTTPS_PROXY"
          value: "http://xxx:3128"
        - name: "NO_PROXY"
          value: "no_proxy=localhost,127.0.0.1,0.0.0.0,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,cattle-system.svc,.svc,.cluster.local"
# end proxy conf

      - name: seccon
        image: {{.Values.deployment.secconimage}}
        imagePullPolicy: IfNotPresent
        envFrom:
          - configMapRef:
              name: {{ .Release.Name }}-configmap
          - secretRef:
              name: {{ .Release.Name }}-secret
        ports:
        - name: seccon
          containerPort: 5000

IDM: Set up Reference IDM service for authentication and authorisation

Set up Reference IDM service for authentication and authorisation

To enable the authentication and authorisation use cases, we need to configure and test Keycloak in the Reference Implementation to be able to provide full end-to-end authentication services.

This will include some reconfiguration to address @peeterko2's comment around seccon naming conventions in #62.

The intent is to document the Canvas interactions for other members to implement the same configuration against their own IDM platforms.

Contribute UseCase for Component Vault

Description

This contribution describes the Workflow for setting up a Vault which can be used by each component to store its own secrets without having any security issues.
It is the last Canvas-Service Use-Case "CRUD secrets in a Canvas password vault" here: https://projects.tmforum.org/wiki/pages/viewpage.action?pageId=233118152

We asked Hugo Vaugh how to best contribute to this repository, and he said we should create a fork and then create a pull request.

We created a fork and would be happy about a review:

https://github.com/ferenc-hechler/oda-canvas/blob/master/usecase-library/UC0XX-Component-Vault.md

Feature: Component Exposes Permission Specification Set Towards Canvas

Description

This issue is to add a BDD feature (in compliance-test-kit/BDD-and-TDD/features ) for Feature: Component Exposes Permission Specification Set Towards Canvas

The authentication system should support assigning roles and permissions to users and their identity attributes, ensuring they only have access to the resources and functionality required for their specific role.

Decision 002-role-vs-permission defined that we will use TMF672 User Roles and Permissions in a component to expose Permission Specification Sets to be mapped as technical roles (what role, or combination of permissions the user has in relation to the component) into identity management.

Identities will receive a JWT with an audience that lists context-relevant Permission Specification Sets, such that the component can validate that:

  • The user is correctly authenticated
  • The user has a Permission Set that matches the Permission Specification Set name passed in the JWT.

The feature should describe scenarios for components receiving permission specification sets (including happy-path and unhappy-path scenarios).
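The component-side check described in this issue and in the "Secure User and Role Information Communication" issue above, as an added example that is not part of the ODA Canvas code base. It assumes HS256 with a shared key so that it runs with the standard library only (a deployment would instead verify the identity provider's asymmetric signature); the Permission Specification Set names, the key and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"          # assumption: shared HS256 key
COMPONENT_SETS = {"PartyManagementAdmin", "PartyManagementReader"}  # hypothetical
NOW = 1_700_000_000                    # constructed "current time" (epoch seconds)


class TokenRejected(Exception):
    pass


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims, key, alg="HS256"):
    """Build a constructed token for the scenarios below (test helper)."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = b""
    if alg == "HS256":
        sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def authorise(token, key, component_sets, now):
    """Return the Permission Specification Sets granted, or raise TokenRejected."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        claims = json.loads(_unb64url(payload_b64))
        signature = _unb64url(sig_b64)
    except ValueError as exc:          # wrong part count, bad base64, bad JSON
        raise TokenRejected("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenRejected("malformed token")
    # Pin the algorithm: never let the token choose it (rejects alg "none").
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise TokenRejected("bad signature")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenRejected("expired or missing exp")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    matched = sorted(set(aud) & set(component_sets))
    if not matched:
        raise TokenRejected("no matching Permission Specification Set")
    return matched


def check(token, now=NOW):
    """Happy path returns the matched sets; unhappy path returns the reason."""
    try:
        return authorise(token, KEY, COMPONENT_SETS, now)
    except TokenRejected as exc:
        return str(exc)


# Constructed scenarios: one happy path and four unhappy paths.
CLAIMS = {"sub": "alice", "exp": NOW + 300,
          "aud": ["PartyManagementReader", "BillingAdmin"]}
GOOD = make_token(CLAIMS, KEY)
WRONG_AUDIENCE = make_token({**CLAIMS, "aud": ["BillingAdmin"]}, KEY)
UNSIGNED = make_token(CLAIMS, KEY, alg="none")
_h, _p, _s = GOOD.split(".")
_forged = _b64url(json.dumps({**CLAIMS, "aud": ["PartyManagementAdmin"]}).encode())
TAMPERED = f"{_h}.{_forged}.{_s}"      # payload swapped, old signature kept

if __name__ == "__main__":
    for name in ("GOOD", "WRONG_AUDIENCE", "UNSIGNED", "TAMPERED"):
        print(name, "->", check(globals()[name]))
    print("GOOD after expiry ->", check(GOOD, now=NOW + 301))
```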

Operator: Change to TMForum Docker Hub images

Current images are in personal accounts.

This issue is raised to make the changes necessary to move the images to the tmforumodacanvas organisation on Docker Hub and establish the tag "master" to indicate the images that match the current master branch, alongside semver and "latest" tags.

Canvas: being able to disable some canvas features

Description

As canvas is growing with more and more functionalities (and this is a very good thing !) it should be possible to disable some of the features and being able to run it in a minimal configuration. Benefits would be:

  • incremental approach for the newcomers, easier troubleshooting
  • lighter deployment, especially when deployed on a workstation, only deploy what you need / what you rely on
  • promote a modular approach for the canvas (source code organization, documentation, configuration...) might help contributions

Maybe this feature could be addressed first with documentation / deployments examples... as opposed to code change.

Feature: create version 1alpha2 of Component and API custom resources

We will be making some changes to the meta-data in the Custom Resource Definitions (CRDs) in sprint 2 (e.g. to support the security work).

I propose we upgrade the CRD version for each sprint, so it becomes 'v1alpha2'. The plan is to deploy duplicate Component and API CRDs with the new version numbers, to allow components to continue to use the old versions (until they become deprecated and eventually removed).

I also propose that the CTK recognizes this version: A component that self-describes as v1alpha1 will still pass the static/dynamic tests from sprint 1 and only components that self-describe as v1alpha2 will be subject to the enhanced CTK that comes with sprint 2. (we can at some point in the future deprecate previous versions to cause the CTK to fail).

Seccon fails

Long story short

My deployment of the chart fails; kubectl reports a repeating restart and error backoff for the seccon container.

Description

start minikube and install canvas

Deploying on an Azure VM centos 8 with minikube. My minikube instance is started with
minikube start --addons registry ingress --insecure-registry "10.0.0.0/8","192.168.0.0/16"

I then install canvas using the script
./install_canvas.sh

kubectl reports canvas is unavailable

Then kubectl reports that canvas is unavailable

kubectl get deployment

NAME READY UP-TO-DATE AVAILABLE AGE
canvas-keycloak 1/1 1 1 5s
oda-controller-ingress 0/1 1 0 5s

kubectl get pods
NAME READY STATUS RESTARTS AGE
canvas-keycloak-7874b487c9-bf5nj 0/1 Error 1 57s
oda-controller-ingress-85689ccbd6-4zfg2 1/2 NotReady 3 57s

`kubectl describe pod oda-controller-ingress-85689ccbd6-4zfg2
Name: oda-controller-ingress-85689ccbd6-4zfg2
Namespace: default
Priority: 0
Node: minikube/192.168.49.2
Start Time: Thu, 24 Jun 2021 14:44:22 +0000
Labels: app=oda-controller-ingress
app.kubernetes.io/instance=canvas
app.kubernetes.io/managed-by=Helm
app.kubernetes.io/name=controller
helm.sh/chart=controller-0.1.0
pod-template-hash=85689ccbd6
Annotations:
Status: Running
IP: 172.17.0.6
IPs:
IP: 172.17.0.6
Controlled By: ReplicaSet/oda-controller-ingress-85689ccbd6
Containers:
oda-controller-ingress:
Container ID: docker://0e196964003ef2b4a9aa6ad7233d2dd99fc83e9d3112c83f45eebab93d39927a
Image: tmforumodacanvas/component-controller:master
Image ID: docker-pullable://tmforumodacanvas/component-controller@sha256:bc5ecb5626b26eee3abbdb589288a6c48a3153bf9025acf4df1365642e4313d3
Port:
Host Port:
State: Running
Started: Thu, 24 Jun 2021 14:44:24 +0000
Ready: True
Restart Count: 0
Environment Variables from:
canvas-configmap ConfigMap Optional: false
canvas-secret Secret Optional: false
Environment:
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from odacomponent-account-token-46rsb (ro)
seccon:
Container ID: docker://e6342cc89416c7178e55777a8fd0bda20881bf696c23396a3863195e6d25bc4b
Image: tmforumodacanvas/security-listener:master
Image ID: docker-pullable://tmforumodacanvas/security-listener@sha256:d686f44b910558ba2432856f9e2e4e12c9fdf8330f15df41ee28815073feee71
Port: 5000/TCP
Host Port: 0/TCP
State: Terminated
Reason: Completed
Exit Code: 0
Started: Thu, 24 Jun 2021 14:46:04 +0000
Finished: Thu, 24 Jun 2021 14:46:04 +0000
Last State: Terminated
Reason: Completed
Exit Code: 0
Started: Thu, 24 Jun 2021 14:45:12 +0000
Finished: Thu, 24 Jun 2021 14:45:12 +0000
Ready: False
Restart Count: 4
Environment Variables from:
canvas-configmap ConfigMap Optional: false
canvas-secret Secret Optional: false
Environment:
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from odacomponent-account-token-46rsb (ro)
Conditions:
Type Status
Initialized True
Ready False
ContainersReady False
PodScheduled True
Volumes:
odacomponent-account-token-46rsb:
Type: Secret (a volume populated by a Secret)
SecretName: odacomponent-account-token-46rsb
Optional: false
QoS Class: BestEffort
Node-Selectors:
Tolerations: node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
Type Reason Age From Message


Normal Scheduled 104s default-scheduler Successfully assigned default/oda-controller-ingress-85689ccbd6-4zfg2 to minikube
Normal Pulling 103s kubelet Pulling image "tmforumodacanvas/component-controller:master"
Normal Pulled 102s kubelet Successfully pulled image "tmforumodacanvas/component-controller:master" in 1.104600265s
Normal Created 102s kubelet Created container oda-controller-ingress
Normal Started 102s kubelet Started container oda-controller-ingress
Normal Pulled 101s kubelet Successfully pulled image "tmforumodacanvas/security-listener:master" in 1.051713286s
Normal Pulled 99s kubelet Successfully pulled image "tmforumodacanvas/security-listener:master" in 1.074514777s
Normal Pulled 81s kubelet Successfully pulled image "tmforumodacanvas/security-listener:master" in 1.030029787s
Warning BackOff 68s (x5 over 98s) kubelet Back-off restarting failed container
Normal Pulling 55s (x4 over 102s) kubelet Pulling image "tmforumodacanvas/security-listener:master"
Normal Created 54s (x4 over 101s) kubelet Created container seccon
Normal Started 54s (x4 over 100s) kubelet Started container seccon
Normal Pulled 54s kubelet Successfully pulled image "tmforumodacanvas/security-listener:master" in 1.06064275s`

Counter example

If I comment out the seccon container from the template,

    spec:
      serviceAccountName: odacomponent-account
      containers:
      - name: oda-controller-ingress
        image: {{.Values.deployment.compconimage}}
        imagePullPolicy: Always
        envFrom:
          - configMapRef:
              name: {{ .Release.Name }}-configmap
          - secretRef:
              name: {{ .Release.Name }}-secret
      # - name: seccon
      #   image: {{.Values.deployment.secconimage}}
      #   imagePullPolicy: Always
      #   envFrom:
      #     - configMapRef:
      #         name: {{ .Release.Name }}-configmap
      #     - secretRef:
      #         name: {{ .Release.Name }}-secret
      #   ports:
      #   - name: seccon
      #     containerPort: 5000

then kubectl reports a running deployment of canvas as expected

$ kubectl get deployment
NAME READY UP-TO-DATE AVAILABLE AGE
canvas-keycloak 1/1 1 1 31s
oda-controller-ingress 1/1 1 1 31s

Environment

kopf --version
-bash: kopf: command not found
$ pip show kopf
-bash: pip: command not found
kubectl version
Client Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.2", GitCommit:"092fbfbf53427de67cac1e9fa54aaa09a28371d7", GitTreeState:"clean", BuildDate:"2021-06-16T12:59:11Z", GoVersion:"go1.16.5", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.7", GitCommit:"132a687512d7fb058d0f5890f07d4121b3f0a2e2", GitTreeState:"clean", BuildDate:"2021-05-12T12:32:49Z", GoVersion:"go1.15.12", Compiler:"gc", Platform:"linux/amd64"}
$ python --version
-bash: python: command not found
$ python3 --version
Python 3.6.8

cat /etc/os-release file
NAME="CentOS Linux"
VERSION="8 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="8"
PLATFORM_ID="platform:el8"
PRETTY_NAME="CentOS Linux 8 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:8"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-8"
CENTOS_MANTISBT_PROJECT_VERSION="8"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="8"

apiOperatorSimpleIngress.py not updated

apiOperatorSimpleIngress.py not updated with new K8S version (1.24)

For example:

    client = kubernetes.client
    try:
        networking_v1_beta1_api = client.NetworkingV1beta1Api()  #NetworkingV1Api

        hostname = None
        if 'hostname' in spec.keys():
            hostname=spec['hostname']

        ingress_spec=client.NetworkingV1beta1IngressSpec(  #V1IngressSpec
            rules=[client.NetworkingV1beta1IngressRule(    #V1IngressRule
                host=hostname,
                http=client.NetworkingV1beta1HTTPIngressRuleValue(  #V1HTTPIngressRuleValue
                    paths=[client.NetworkingV1beta1HTTPIngressPath(    #V1HTTPIngressPath
                        path=spec['path'],
                        backend=client.NetworkingV1beta1IngressBackend(    #V1IngressBackend
                            service_port=spec['port'],               # There are significant changes in the definition method
                            service_name=spec['implementation'])
                    )]
                )
            )]
        )
        body = {
            "apiVersion": "networking.k8s.io/v1beta1",     #networking.k8s.io/v1
            "kind": "Ingress",
            "metadata": {
                "name": name,
                "annotations": {"kubernetes.io/ingress.class": ingress_class}
                },
            "spec": ingress_spec
        }

url:
https://github.com/tmforum-oda/oda-canvas/blob/dd08b4667252629b6fc4269fc910e60d8882cba5/source/operators/apiOperatorSimpleIngress/apiOperatorSimpleIngress.py

Chore: K8s API deprecation

The current canvas charts use K8s API versions that are being deprecated. Helm install on K8s 1.20 gives the following warnings:

W0215 16:15:36.551914    8143 warnings.go:70] apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
W0215 16:15:36.610086    8143 warnings.go:70] apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
W0215 16:15:36.654040    8143 warnings.go:70] apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
W0215 16:15:38.673837    8143 warnings.go:70] apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
W0215 16:15:38.686349    8143 warnings.go:70] apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
W0215 16:15:38.692402    8143 warnings.go:70] apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
W0215 16:15:38.697468    8143 warnings.go:70] apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
W0215 16:15:39.838352    8143 warnings.go:70] rbac.authorization.k8s.io/v1beta1 ClusterRole is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRole
W0215 16:15:39.845444    8143 warnings.go:70] rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
W0215 16:15:39.853979    8143 warnings.go:70] rbac.authorization.k8s.io/v1beta1 Role is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 Role
W0215 16:15:39.860710    8143 warnings.go:70] rbac.authorization.k8s.io/v1beta1 RoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 RoleBinding
W0215 16:15:40.106198    8143 warnings.go:70] rbac.authorization.k8s.io/v1beta1 ClusterRole is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRole
W0215 16:15:40.120092    8143 warnings.go:70] rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
W0215 16:15:40.134541    8143 warnings.go:70] rbac.authorization.k8s.io/v1beta1 Role is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 Role
W0215 16:15:40.147665    8143 warnings.go:70] rbac.authorization.k8s.io/v1beta1 RoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 RoleBinding
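A pre-upgrade check built on these warnings, as an added example (not part of the issue or the project): it parses the `warnings.go` lines from a Helm install, deduplicates them per API group and kind, and reports which ones are already unavailable in a target Kubernetes version. The function names are assumptions; the three sample lines are copied from the output above.

```python
import re

# Sample lines copied from the Helm output quoted in the issue.
SAMPLE_LOG = """\
W0215 16:15:36.551914    8143 warnings.go:70] apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
W0215 16:15:36.610086    8143 warnings.go:70] apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
W0215 16:15:39.838352    8143 warnings.go:70] rbac.authorization.k8s.io/v1beta1 ClusterRole is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRole
"""

WARNING_RE = re.compile(
    r"warnings\.go:\d+\]\s+(?P<api>\S+)\s+(?P<kind>\S+) is deprecated in "
    r"v(?P<deprecated>\d+\.\d+)\+, unavailable in v(?P<removed>\d+\.\d+)\+; "
    r"use (?P<replacement>\S+)"
)


def parse_version(text):
    """'1.22' -> (1, 22) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.lstrip("v").split("."))


def summarize_deprecations(log_text, target_version):
    """Collapse repeated warnings into one entry per (apiVersion, kind)."""
    target = parse_version(target_version)
    findings = {}
    for line in log_text.splitlines():
        match = WARNING_RE.search(line)
        if match is None:
            continue  # not a deprecation warning
        entry = findings.setdefault((match["api"], match["kind"]), {
            "count": 0,
            "replacement": match["replacement"],
            "removed_in": match["removed"],
            # True when the target cluster no longer serves this API version.
            "blocked": target >= parse_version(match["removed"]),
        })
        entry["count"] += 1
    return findings


def blocked_apis(log_text, target_version):
    """Sorted (apiVersion, kind) pairs that will fail on the target version."""
    found = summarize_deprecations(log_text, target_version)
    return sorted(key for key, entry in found.items() if entry["blocked"])
```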

Postgresql parameter name of keycloak is incompatible when upgrading to v13.0.2

When keycloak is upgraded to v13.0.2, the postgresql parameters in the file located at installation/canvas-oda/values.yaml

  postgresql:
    enabled: true
    postgresqlUsername: "keycloak"
    postgresqlPassword: "keycloakdbuser"
    postgresqlDatabase: "keycloak"

should be changed to:

  postgresql:
    enabled: true
    auth:
      username: "keycloak"
      password: "keycloakdbuser"
      database: "keycloak"
