feat: add IdentityHub Agent as dedicated resource (#98)

* feat: add IdentityHub Agent as dedicated resource

* use other JWKS resolver

Author: paullatzelsperger

extensions/data-plane-certs/build.gradle.kts

@@ -31,6 +31,7 @@ dependencies {
     implementation(libs.edc.lib.util)
     implementation(libs.edc.lib.sql)
     implementation(libs.edc.lib.token)
+    implementation(libs.edc.lib.keys)
     implementation(libs.edc.lib.oauth2.authn)
     implementation(libs.edc.core.sql.bootstrapper)
     implementation(libs.edc.core.sql)

extensions/data-plane-certs/src/main/java/org/eclipse/edc/virtualized/dataplane/cert/CertExchangeExtension.java

@@ -14,15 +14,14 @@
 
 package org.eclipse.edc.virtualized.dataplane.cert;
 
-import org.eclipse.edc.api.authentication.JwksResolver;
 import org.eclipse.edc.api.authentication.filter.JwtValidatorFilter;
+import org.eclipse.edc.keys.resolver.JwksPublicKeyResolver;
 import org.eclipse.edc.keys.spi.KeyParserRegistry;
 import org.eclipse.edc.runtime.metamodel.annotation.Configuration;
 import org.eclipse.edc.runtime.metamodel.annotation.Extension;
 import org.eclipse.edc.runtime.metamodel.annotation.Inject;
 import org.eclipse.edc.runtime.metamodel.annotation.Setting;
 import org.eclipse.edc.runtime.metamodel.annotation.Settings;
-import org.eclipse.edc.spi.EdcException;
 import org.eclipse.edc.spi.system.Hostname;
 import org.eclipse.edc.spi.system.ServiceExtension;
 import org.eclipse.edc.spi.system.ServiceExtensionContext;
@@ -39,8 +38,6 @@
 import org.eclipse.edc.web.spi.configuration.PortMapping;
 import org.eclipse.edc.web.spi.configuration.PortMappingRegistry;
 
-import java.net.MalformedURLException;
-import java.net.URL;
 import java.time.Clock;
 import java.util.List;
 
@@ -89,15 +86,9 @@ public void initialize(ServiceExtensionContext context) {
         var portMapping = new PortMapping(API_CONTEXT, apiConfiguration.port(), apiConfiguration.path());
         portMappingRegistry.register(portMapping);
 
-        URL url;
-        try {
-            url = new URL(sigletConfig.jwksUrl());
-        } catch (MalformedURLException e) {
-            throw new EdcException(e);
-        }
-
         webService.registerResource(API_CONTEXT, new CertExchangePublicController(certStore, transactionContext));
-        webService.registerResource(API_CONTEXT, new JwtValidatorFilter(tokenValidationService, new JwksResolver(url, keyParserRegistry, sigletConfig.cacheValidityInMillis), getRules()));
+        var resolver = JwksPublicKeyResolver.create(keyParserRegistry, sigletConfig.jwksUrl(), context.getMonitor(), sigletConfig.cacheValidityInMillis());
+        webService.registerResource(API_CONTEXT, new JwtValidatorFilter(tokenValidationService, resolver, getRules()));
 
         webService.registerResource("control", new CertInternalExchangeController(certStore, transactionContext));
 

gradle/libs.versions.toml

@@ -30,6 +30,7 @@ edc-lib-http = { module = "org.eclipse.edc:http-lib", version.ref = "edc" }
 edc-lib-util = { module = "org.eclipse.edc:util-lib", version.ref = "edc" }
 edc-lib-sql = { module = "org.eclipse.edc:sql-lib", version.ref = "edc" }
 edc-lib-token = { module = "org.eclipse.edc:token-lib", version.ref = "edc" }
+edc-lib-keys = { module = "org.eclipse.edc:keys-lib", version.ref = "edc" }
 edc-lib-oauth2-authn = { module = "org.eclipse.edc:auth-authentication-oauth2-lib", version.ref = "edc" }
 edc-core-sql-bootstrapper = { module = "org.eclipse.edc:sql-bootstrapper", version.ref = "edc" }
 edc-core-http = { module = "org.eclipse.edc:http", version.ref = "edc" }

k8s/apps/cfm-agents.yaml

@@ -61,6 +61,20 @@ spec:
             - name: edcv-agent-config
               mountPath: /etc/appname
               readOnly: true
+        - name: ih-agent
+          image: ghcr.io/eclipse-cfm/cfm/ihagent:latest
+          imagePullPolicy: Always
+          command: [ "/ihagent" ]
+          args: [
+            "--mode=debug"
+          ]
+          envFrom:
+            - configMapRef:
+                name: telemetry-config
+          volumeMounts:
+            - name: ih-agent-config
+              mountPath: /etc/appname
+              readOnly: true
         - name: registration-agent
           image: ghcr.io/eclipse-cfm/cfm/regagent:latest
           imagePullPolicy: Always
@@ -96,6 +110,9 @@ spec:
         - name: edcv-agent-config
           configMap:
             name: edcv-agent-config
+        - name: ih-agent-config
+          configMap:
+            name: ih-agent-config
         - name: registration-agent-config
           configMap:
             name: reg-agent-config

k8s/apps/ih-agent-config.yaml

@@ -0,0 +1,42 @@
+#
+# Copyright (c) 2025 Metaform Systems, Inc.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Contributors:
+#      Metaform Systems, Inc. - initial API and implementation
+#
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ih-agent-config
+  namespace: edc-v
+
+data:
+  # the file must be called "tm", and the extension must be one of
+  # "json", "toml", "yaml", "yml", "properties", "props", "prop", "hcl", "tfvars", "dotenv", "env", "ini"
+  ihagent.env: |
+    uri: nats://nats.edc-v.svc.cluster.local:4222
+    bucket: cfm-bucket
+    stream: cfm-stream
+    httpport: 8080
+    postgres: true
+    dsn: postgres://cfm:cfm@postgres.edc-v.svc.cluster.local:5432/cfm?sslmode=disable
+    vault.url: http://vault.edc-v.svc.cluster.local:8200
+    vault.path: secret
+    vault.clientId: provisioner
+    vault.clientSecret: provisioner-secret
+    vault.tokenUrl: http://keycloak.edc-v.svc.cluster.local:8080/realms/edcv/protocol/openid-connect/token
+    vault.softDelete: true
+    keycloak.clientID: provisioner
+    keycloak.clientSecret: provisioner-secret
+    keycloak.tokenUrl:  http://keycloak.edc-v.svc.cluster.local:8080/realms/edcv/protocol/openid-connect/token
+    identityhub.url: http://identityhub.edc-v.svc.cluster.local:7081/api/identity
+    identityhub.cs.url: http://identityhub.edc-v.svc.cluster.local:7082/api/credentials/v1/participants/%s
+    controlplane.protocol.url: http://controlplane.edc-v.svc.cluster.local:8082/api/dsp/%s/2025-1

k8s/apps/kustomization.yaml

@@ -22,6 +22,7 @@ resources:
   - identityhub-config.yaml
   - identityhub.yaml
   - edcv-agent-config.yaml
+  - ih-agent-config.yaml
   - keycloak-agent-config.yaml
   - onboarding-agent-config.yaml
   - registration-agent-config.yaml

k8s/apps/provision-manager-seed-job.yaml

@@ -88,9 +88,24 @@ spec:
                 }'
 
               echo "✓ edcv-activity created"
+              
+              echo ""
+              echo "Step 3: Create identityhub-activity ActivityDefinition"
+              echo "------------------------------------------------"
+
+              curl -sfS -w "\nHTTP_STATUS:%{http_code}\n" -X POST "${PM_BASE_URL}/api/v1alpha1/activity-definitions" \
+                -H "Content-Type: application/json" \
+                -d '{
+                  "description": "Provisions IdentityHub entries",
+                  "inputSchema": {},
+                  "outputSchema": {},
+                  "type": "identityhub-activity"
+                }'
+
+              echo "✓ identityhub-activity created"
 
               echo ""
-              echo "Step 3: Create registration-activity ActivityDefinition"
+              echo "Step 4: Create registration-activity ActivityDefinition"
               echo "--------------------------------------------------------"
 
               curl -sfS -w "\nHTTP_STATUS:%{http_code}\n" -X POST "${PM_BASE_URL}/api/v1alpha1/activity-definitions" \
@@ -105,7 +120,7 @@ spec:
               echo "✓ registration-activity created"
 
               echo ""
-              echo "Step 4: Create keycloak-activity ActivityDefinition"
+              echo "Step 5: Create keycloak-activity ActivityDefinition"
               echo "----------------------------------------------------"
 
               curl -sfS -w "\nHTTP_STATUS:%{http_code}\n" -X POST "${PM_BASE_URL}/api/v1alpha1/activity-definitions" \
@@ -120,7 +135,7 @@ spec:
               echo "✓ keycloak-activity created"
 
               echo ""
-              echo "Step 5: Create onboarding-activity ActivityDefinition"
+              echo "Step 6: Create onboarding-activity ActivityDefinition"
               echo "------------------------------------------------------"
 
               curl -sfS -w "\nHTTP_STATUS:%{http_code}\n" -X POST "${PM_BASE_URL}/api/v1alpha1/activity-definitions" \
@@ -135,7 +150,7 @@ spec:
               echo "✓ onboarding-activity created"
 
               echo ""
-              echo "Step 6: Create Orchestration Definition (deploy + dispose)"
+              echo "Step 7: Create Orchestration Definition (deploy + dispose)"
               echo "------------------------------------------------"
 
               DEPLOY_ORCH_ID=$(cat /proc/sys/kernel/random/uuid)
@@ -179,6 +194,14 @@ spec:
                     {
                       "id": "connector-provisioner",
                       "type": "edcv-activity",
+                      "dependsOn": [
+                        "kc-client-provisioner", 
+                        "identityhub-provisioner"
+                      ]
+                    },
+                    {
+                      "id": "identityhub-provisioner",
+                      "type": "identityhub-activity",
                       "dependsOn": [
                         "kc-client-provisioner"
                       ]
@@ -188,6 +211,7 @@ spec:
                       "type": "onboarding-activity",
                       "dependsOn": [
                         "connector-provisioner",
+                        "identityhub-provisioner",
                         "registration-agent"
                       ]
                     }]