Helm chart: add support for entity creation via Helm configuration

Signed-off-by: Thomas Jäckle <thomas.jaeckle@beyonnex.io>
eclipse-ditto · Jul 10, 2023 · 87c9f67 · 87c9f67
1 parent 42ea47f
commit 87c9f67
Show file tree

Hide file tree

Showing 5 changed files with 83 additions and 1 deletion.
diff --git a/deployment/helm/ditto/Chart.yaml b/deployment/helm/ditto/Chart.yaml
@@ -16,7 +16,7 @@ description: |
   A digital twin is a virtual, cloud based, representation of his real world counterpart
   (real world “Things”, e.g. devices like sensors, smart heating, connected cars, smart grids, EV charging stations etc).
 type: application
-version: 3.3.3  # chart version is effectively set by release-job
+version: 3.3.4  # chart version is effectively set by release-job
 appVersion: 3.3.3
 keywords:
   - iot-chart

diff --git a/deployment/helm/ditto/local-values.yaml b/deployment/helm/ditto/local-values.yaml
@@ -40,6 +40,12 @@ policies:
         - "ditto-originator"
         - "ditto-origin"
         - "correlation-id"
+    entityCreation:
+      grants:
+        - namespaces:
+          - "org.eclipse.ditto.room"
+          authSubjects:
+          - "connection:some"
 
 ## ----------------------------------------------------------------------------
 ## things configuration
@@ -58,6 +64,12 @@ things:
           - "ditto-originator"
           - "ditto-origin"
           - "correlation-id"
+    entityCreation:
+      grants:
+        - namespaces:
+          - "org.eclipse.ditto.room"
+          authSubjects:
+          - "connection:some"
 
 ## ----------------------------------------------------------------------------
 ## things-search configuration

diff --git a/deployment/helm/ditto/templates/policies-deployment.yaml b/deployment/helm/ditto/templates/policies-deployment.yaml
@@ -126,6 +126,24 @@ spec:
                 {{- range $index, $header := .Values.policies.config.persistence.events.historicalHeadersToPersist }}
                 "{{ printf "%s%d=%s" "-Dditto.policies.policy.event.historical-headers-to-persist." $index $header }}"
                 {{- end }}
+                {{- range $grantIdx, $grant := .Values.policies.config.entityCreation.grants }}
+                "{{ printf "%s%d%s=%s" "-Dditto.entity-creation.grant." $grantIdx ".resource-types.0" "policy" }}"
+                {{- range $namespaceIdx, $namespace := $grant.namespaces }}
+                "{{ printf "%s%d%s%d=%s" "-Dditto.entity-creation.grant." $grantIdx ".namespaces." $namespaceIdx $namespace }}"
+                {{- end }}
+                {{- range $subjectIdx, $subject := $grant.authSubjects }}
+                "{{ printf "%s%d%s%d=%s" "-Dditto.entity-creation.grant." $grantIdx ".auth-subjects." $subjectIdx $subject }}"
+                {{- end }}
+                {{- end }}
+                {{- range $revokeIdx, $revoke := .Values.policies.config.entityCreation.revokes }}
+                "{{ printf "%s%d%s=%s" "-Dditto.entity-creation.revoke." $revokeIdx ".resource-types.0" "policy" }}"
+                {{- range $namespaceIdx, $namespace := $revoke.namespaces }}
+                "{{ printf "%s%d%s%d=%s" "-Dditto.entity-creation.revoke." $revokeIdx ".namespaces." $namespaceIdx $namespace }}"
+                {{- end }}
+                {{- range $subjectIdx, $subject := $revoke.authSubjects }}
+                "{{ printf "%s%d%s%d=%s" "-Dditto.entity-creation.revoke." $revokeIdx ".auth-subjects." $subjectIdx $subject }}"
+                {{- end }}
+                {{- end }}
                 {{ join " " .Values.policies.systemProps }}
             - name: MONGO_DB_SSL_ENABLED
               value: "{{ if .Values.dbconfig.policies.ssl }}true{{ else }}false{{ end }}"

diff --git a/deployment/helm/ditto/templates/things-deployment.yaml b/deployment/helm/ditto/templates/things-deployment.yaml
@@ -126,6 +126,24 @@ spec:
                 {{- range $index, $header := .Values.things.config.persistence.events.historicalHeadersToPersist }}
                 "{{ printf "%s%d=%s" "-Dditto.things.thing.event.historical-headers-to-persist." $index $header }}"
                 {{- end }}
+                {{- range $grantIdx, $grant := .Values.things.config.entityCreation.grants }}
+                "{{ printf "%s%d%s=%s" "-Dditto.entity-creation.grant." $grantIdx ".resource-types.0" "thing" }}"
+                {{- range $namespaceIdx, $namespace := $grant.namespaces }}
+                "{{ printf "%s%d%s%d=%s" "-Dditto.entity-creation.grant." $grantIdx ".namespaces." $namespaceIdx $namespace }}"
+                {{- end }}
+                {{- range $subjectIdx, $subject := $grant.authSubjects }}
+                "{{ printf "%s%d%s%d=%s" "-Dditto.entity-creation.grant." $grantIdx ".auth-subjects." $subjectIdx $subject }}"
+                {{- end }}
+                {{- end }}
+                {{- range $revokeIdx, $revoke := .Values.things.config.entityCreation.revokes }}
+                "{{ printf "%s%d%s=%s" "-Dditto.entity-creation.revoke." $revokeIdx ".resource-types.0" "thing" }}"
+                {{- range $namespaceIdx, $namespace := $revoke.namespaces }}
+                "{{ printf "%s%d%s%d=%s" "-Dditto.entity-creation.revoke." $revokeIdx ".namespaces." $namespaceIdx $namespace }}"
+                {{- end }}
+                {{- range $subjectIdx, $subject := $revoke.authSubjects }}
+                "{{ printf "%s%d%s%d=%s" "-Dditto.entity-creation.revoke." $revokeIdx ".auth-subjects." $subjectIdx $subject }}"
+                {{- end }}
+                {{- end }}
                 '-Dditto.things.wot.to-thing-description.json-template={{ .Values.things.config.wot.tdJsonTemplate | replace "\n" "" | replace "\\\"" "\"" }}'
                 {{ join " " .Values.things.systemProps }}
             - name: MONGO_DB_SSL_ENABLED

diff --git a/deployment/helm/ditto/values.yaml b/deployment/helm/ditto/values.yaml
@@ -553,6 +553,23 @@ policies:
         interval: 15m
         # threshold configures the threshold after how many changes to a Policy to do a snapshot
         threshold: 5
+    # entityCreation by default, Ditto allows anyone to create a new entity (policy in this case) in any namespace.
+    #  However, this behavior can be customized, and the ability to create new entities can be restricted:
+    entityCreation:
+      # grants contains the list of creation config entries which would allow the creation of entities
+      #  An empty list would *not* allow any entity to be created.
+      #  You must have at least one entry, even if it is without restrictions.
+      grants:
+        -  # namespaces holds the list of namespaces this entry applies to. An empty list would match any.
+          #  Wildcards `*` (Matching any number of any character) and `?` (Matches any single character) are supported in entries of this list.
+          namespaces: []
+           # authSubjects holds list of authentication subjects this entry applies to. An empty list would match any.
+           #  Wildcards `*` (Matching any number of any character) and `?` (Matches any single character) are supported in entries of this list.
+          authSubjects: []
+      # revokes contains the list of creation config entries which would reject the creation of entities
+      revokes: []
+      # - namespaces: []
+      #   authSubjects: []
 
 ## ----------------------------------------------------------------------------
 ## things configuration
@@ -724,6 +741,23 @@ things:
         interval: 15m
         # the threshold after how many changes to a Thing to do a snapshot
         threshold: 50
+    # entityCreation by default, Ditto allows anyone to create a new entity (thing in this case) in any namespace.
+    #  However, this behavior can be customized, and the ability to create new entities can be restricted:
+    entityCreation:
+      # grants contains the list of creation config entries which would allow the creation of entities
+      #  An empty list would *not* allow any entity to be created.
+      #  You must have at least one entry, even if it is without restrictions.
+      grants:
+        -  # namespaces holds the list of namespaces this entry applies to. An empty list would match any.
+          #  Wildcards `*` (Matching any number of any character) and `?` (Matches any single character) are supported in entries of this list.
+          namespaces: []
+          # authSubjects holds list of authentication subjects this entry applies to. An empty list would match any.
+          #  Wildcards `*` (Matching any number of any character) and `?` (Matches any single character) are supported in entries of this list.
+          authSubjects: []
+      # revokes contains the list of creation config entries which would reject the creation of entities
+      revokes: []
+      # - namespaces: []
+      #   authSubjects: []
     # policiesEnforcer contains configuration for Ditto "Policy Enforcers", e.g. regarding caching
     policiesEnforcer:
       # cache holds the configuration of policy enforcer caching