updates

.github/workflows/ci-registry-avatar.yml

@@ -18,7 +18,6 @@ on:
 env:
   DH_USERNAME: ${{ secrets.DOCKER_HUB_LOGIN }}
   DH_TOKEN: ${{ secrets.DOCKER_HUB_PWD }}
-  IMAGE_TAG: ${GITHUB_REF##*/}
   IMAGE_NAME: "2060-demos-avatar-front"
 jobs:
   build:
@@ -32,5 +31,5 @@ jobs:
           cd containers/citizen-registry/kubernetes/registry-avatar/
           docker login -u $DH_USERNAME -p $DH_TOKEN
           echo "Build and push 2060-demos-avatar-front image for docker hub..."
-          docker build -f Dockerfile -t $IMAGE_NAME:$IMAGE_TAG .
-          docker push $IMAGE_NAME:$IMAGE_TAG
+          docker build -f Dockerfile -t $DH_USERNAME/$IMAGE_NAME:${GITHUB_REF##*/} .
+          docker push $DH_USERNAME/$IMAGE_NAME:${GITHUB_REF##*/}

containers/citizen-registry/kubernetes/README.md

@@ -7,20 +7,31 @@
 In the [citizen-registry demos](../README.md), we provided demos based on the citizen-registry service.
 In this document, we will learn how to deploy the same demos services in a Kubernetes cluster.
 
-The demo deployment descriptors are these 2 directories: [registry-gaia](registry-gaia) and [registry-avatar](registry-avatar). Let's the [registry-avatar](registry-avatar).
+These 2 directories [registry-gaia](registry-gaia) and [registry-avatar](registry-avatar) contains:
 
-```
-$ docker login -u io2060 -p $DOCKER_HUB_TOKEN
-$ docker build -f Dockerfile -t $IMAGE_DH:$IMAGE_TAG .
-$ docker push $IMAGE_DH:$IMAGE_TAG
+- a Dockerfile to build a simple nginx-based image to expose a simple front-end, including the service's icon. See [github workflows](/.github/workflows) for build info.
+- a k8s directory with kubernetes deployment files we are using for deploying the demos. To deploy the demos, you need a configured nginx ingress on your cluster. Our demos are deployed in ovh.com, but should work out of the box anywhere.
+
+Just clone one of these directories, customize it and you're done!
+
+## Customize configuration
+
+All files in k8s directory should be customized.
+
+### 2060-service-agent container
 
-```
 
+## Deploy
 
 ```
-$ kubectl --kubeconfig=~/.kube/config apply -f /builds/${CI_PROJECT_PATH}/k8s/main/namespace.yml
-$ kubectl --kubeconfig=~/.kube//config apply -f /builds/${CI_PROJECT_PATH}/k8s/main/deployment.yml
-$ kubectl --kubeconfig=~/.kube//config apply -f /builds/${CI_PROJECT_PATH}/k8s/main/service.yml
-$ kubectl --kubeconfig=~/.kube//config apply -f /builds/${CI_PROJECT_PATH}/k8s/main/ingress-ds.yml
-$ kubectl --kubeconfig=~/.kube//config apply -f /builds/${CI_PROJECT_PATH}/k8s/main/ingress-public.yml
-```
+$ kubectl --kubeconfig=~/.kube/config apply -f k8s/namespace.yml
+$ kubectl --kubeconfig=~/.kube/config apply -f k8s/deployment.yml
+$ kubectl --kubeconfig=~/.kube/config apply -f k8s/service.yml
+$ kubectl --kubeconfig=~/.kube/config apply -f k8s/ingress-ds.yml
+$ kubectl --kubeconfig=~/.kube/config apply -f k8s/ingress-public.yml
+```
+
+
+
+
+

containers/citizen-registry/kubernetes/registry-avatar/k8s/main/deployment.yml

@@ -28,17 +28,17 @@ spec:
             image: io2060/2060-service-agent:main
             imagePullPolicy: Always
             env:
-            - name: AGENT_ENDPOINT
+            - name: AGENT_ENDPOINT # Service endpoint where Wallet will connect. Must accept upgraded https connections.
               value: "wss://avatar.demos.m.2060.io:443"
-            - name: AGENT_NAME
+            - name: AGENT_NAME # Name of the Service, as shown in user's Wallet
               value: "AvatarID"
-            - name: AGENT_INVITATION_IMAGE_URL
+            - name: AGENT_INVITATION_IMAGE_URL # The icon (avatar) of the service. Here, we put the icon in the front-end container
               value: "https://i.avatar.demos.m.2060.io/avatar.jpg"
-            - name: EVENTS_BASE_URL
+            - name: EVENTS_BASE_URL # Url of the backend that will receive messages, events, etc
               value: "http://localhost:2903"
-            - name: AGENT_PUBLIC_DID
+            - name: AGENT_PUBLIC_DID # DID of the service. **Must** be same domain than service endpoint
               value: "did:web:avatar.demos.m.2060.io"
-            - name: ANONCREDS_SERVICE_BASE_URL
+            - name: ANONCREDS_SERVICE_BASE_URL # Base URL of the anoncreds service. **Must** be same domain than service endpoint
               value: "https://avatar.demos.m.2060.io"
             volumeMounts:
             - name: avatar-sa-pv-main
@@ -50,71 +50,69 @@ spec:
             image: io2060/2060-demos-citizen-registry:main
             imagePullPolicy: Always
             env:
-            - name: SERVICE_AGENT_ADMIN_BASE_URL
-              value: "http://localhost:3000"
-            - name: PUBLIC_BASE_URL
-              value: "https://avatar.demos.m.2060.io"
-            - name: PNVS_SERVICE_AGENT_ADMIN_BASE_URL
-              value: "https://a.avatar.demos.m.2060.io"
             - name: DEBUG
               value: "1"
-            - name: QUARKUS_HTTP_PORT
+            - name: QUARKUS_HTTP_PORT # Port of the backend
               value: "2903"
-            - name: IO_GAIAID_VISION_REDIRDOMAIN
+            - name: IO_GAIAID_VISION_REDIRDOMAIN # Redirection base domain for the vision service. Used to send face capture/verification result to backend, and to access datastore container
               value: "avatar.demos.m.2060.io"
-            - name: IO_TWENTYSIXTY_SA_RES_C_MESSAGERESOURCE_MP_REST_URL
+            - name: IO_TWENTYSIXTY_SA_RES_C_MESSAGERESOURCE_MP_REST_URL # Local endpoint of the service-agent, for the backend to send messages, credentials,...
               value: "http://localhost:3000"
-            - name: IO_TWENTYSIXTY_SA_RES_C_CREDENTIALTYPERESOURCE_MP_REST_URL
+            - name: IO_TWENTYSIXTY_SA_RES_C_CREDENTIALTYPERESOURCE_MP_REST_URL # Local endpoint of the service-agent, for the credential type querying
               value: "http://localhost:3000"
-            - name: IO_GAIAID_REGISTRY_RES_C_MEDIARESOURCE_MP_REST_URL
+            - name: IO_GAIAID_REGISTRY_RES_C_MEDIARESOURCE_MP_REST_URL # Local endpoint of the datastore container, used to store user's data
               value: "http://localhost:2904"
-            - name: QUARKUS_SWAGGER_UI_ALWAYS_INCLUDE
+            - name: QUARKUS_SWAGGER_UI_ALWAYS_INCLUDE # If you want to export the swagger-ui
               value: "1"
             - name: QUARKUS_DATASOURCE_PASSWORD
               value: "2060demo"
             - name: QUARKUS_ARTEMIS_PASSWORD
               value: "Quar2060enbPi26"
-            - name: IO_GAIAID_VISION_FACE_CAPTURE_URL
+            - name: IO_GAIAID_VISION_FACE_CAPTURE_URL # Redir URL for sending user to vision service for face capture
               value: "https://m.vision.2060.io/face/capture/?token=TOKEN"
             - name: IO_GAIAID_VISION_FACE_VERIFICATION_URL
-              value: "https://m.vision.2060.io/face/verification/?token=TOKEN"
-            - name: IO_GAIAID_IDENTITY_DEF_NAME
+              value: "https://m.vision.2060.io/face/verification/?token=TOKEN" # Redir URL for sending user to vision service for face verification
+            - name: IO_GAIAID_IDENTITY_DEF_NAME # Name of credential
               value: "AvatarID"
-            - name: IO_GAIAID_IDENTITY_DEF_CLAIM_CITIZENID
+            # Identity creation: if you do not set one of the attributes with "unique constraint",
+            # then the unique constraint will be the combination of all attributes and
+            # all attributes will be needed for restoration
+            - name: IO_GAIAID_IDENTITY_DEF_CLAIM_CITIZENID # Does credential include a CitizenID? (unique constraint)
               value: "0"
-            - name: IO_GAIAID_IDENTITY_DEF_CLAIM_FIRSTNAME
+            - name: IO_GAIAID_IDENTITY_DEF_CLAIM_FIRSTNAME # Does credential include a firstname?
               value: "0"
-            - name: IO_GAIAID_IDENTITY_DEF_CLAIM_LASTNAME
+            - name: IO_GAIAID_IDENTITY_DEF_CLAIM_LASTNAME # Does credential include a lastname?
               value: "0"
-            - name: IO_GAIAID_IDENTITY_DEF_CLAIM_AVATARNAME
+            - name: IO_GAIAID_IDENTITY_DEF_CLAIM_AVATARNAME # Does credential include an avatarname? (unique constraint)
               value: "1"
-            - name: IO_GAIAID_IDENTITY_DEF_CLAIM_AVATARPIC
+            - name: IO_GAIAID_IDENTITY_DEF_CLAIM_AVATARPIC # Does credential include an avatar picture?
               value: "1"
-            - name: IO_GAIAID_IDENTITY_DEF_CLAIM_AVATARPIC_MAXDIMENSION
+            - name: IO_GAIAID_IDENTITY_DEF_CLAIM_AVATARPIC_MAXDIMENSION # maxdim of avatar picture
               value: "320"
-            - name: IO_GAIAID_IDENTITY_DEF_CLAIM_BIRTHDATE
+            - name: IO_GAIAID_IDENTITY_DEF_CLAIM_BIRTHDATE # Does credential include a birthdate?
               value: "0"
-            - name: IO_GAIAID_IDENTITY_DEF_CLAIM_BIRTHPLACE
+            - name: IO_GAIAID_IDENTITY_DEF_CLAIM_BIRTHPLACE # Does credential include a birthplace?
               value: "0"
-            - name: IO_GAIAID_IDENTITY_DEF_CLAIM_PHOTO
+            - name: IO_GAIAID_IDENTITY_DEF_CLAIM_PHOTO # Does credential include a photo?
               value: "0"
-            - name: IO_GAIAID_IDENTITY_RESTORE_CLAIM_CITIZENID
+            # Restoration: you should only put a combination that will ensure a unique result.
+            - name: IO_GAIAID_IDENTITY_RESTORE_CLAIM_CITIZENID # Will the service prompt user for a CitizenID when restoring an Identity?
               value: "0"
-            - name: IO_GAIAID_IDENTITY_RESTORE_CLAIM_FIRSTNAME
+            - name: IO_GAIAID_IDENTITY_RESTORE_CLAIM_FIRSTNAME # Will the service prompt user for a firstname when restoring an Identity?
               value: "0"
-            - name: IO_GAIAID_IDENTITY_RESTORE_CLAIM_LASTNAME
+            - name: IO_GAIAID_IDENTITY_RESTORE_CLAIM_LASTNAME # Will the service prompt user for a lastname when restoring an Identity?
               value: "0"
-            - name: IO_GAIAID_IDENTITY_RESTORE_CLAIM_AVATARNAME
+            - name: IO_GAIAID_IDENTITY_RESTORE_CLAIM_AVATARNAME # Will the service prompt user for an avatarname when restoring an Identity?
               value: "1"
-            - name: IO_GAIAID_IDENTITY_RESTORE_CLAIM_BIRTHDATE
+            - name: IO_GAIAID_IDENTITY_RESTORE_CLAIM_BIRTHDATE # Will the service prompt user for a birthdate when restoring an Identity?
               value: "0"
-            - name: IO_GAIAID_IDENTITY_RESTORE_CLAIM_BIRTHPLACE
+            - name: IO_GAIAID_IDENTITY_RESTORE_CLAIM_BIRTHPLACE # Will the service prompt user for a birthplace when restoring an Identity?
               value: "0"
-            - name: IO_GAIAID_LANGUAGE
+            - name: IO_GAIAID_LANGUAGE # Language of the bot. Supported: en, es, fr. If you need more languages, contribute!
               value: "en"
-            - name: IO_GAIAID_MESSAGES_WELCOME
+            - name: IO_GAIAID_MESSAGES_WELCOME # Welcome message. Also available WELCOME2, WELCOME3
               value: "Welcome to AvatarID! Use the contextual menu to get started."
-            - name: IO_GAIAID_MESSAGES_ROOTMENU_TITLE
+            - name: IO_GAIAID_MESSAGES_ROOTMENU_TITLE # Title of contextual menu
               value: "AvatarID" 
             - name: IO_GAIAID_JMS_MO_QUEUE_NAME
               value: "avatar-mo"
@@ -136,7 +134,7 @@ spec:
               value: "/home/data/tmp"
             - name: IO_TWENTYSIXTY_DATASTORE_TMP_LIFETIMEDAYS
               value: "5"
-            - name: IO_TWENTYSIXTY_DATASTORE_REPO_LIFETIMEDAYS
+            - name: IO_TWENTYSIXTY_DATASTORE_REPO_LIFETIMEDAYS # Make sure not to delete user data
               value: "43800"              
             - name: IO_TWENTYSIXTY_DATASTORE_REPO_FS_DIR
               value: "/home/data/repo"

containers/citizen-registry/kubernetes/registry-avatar/k8s/main/ingress-ds.yml

@@ -5,7 +5,7 @@ metadata:
   namespace: demos-main
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-prod
-    nginx.ingress.kubernetes.io/whitelist-source-range: "51.79.89.27/32"
+    nginx.ingress.kubernetes.io/whitelist-source-range: "51.79.89.27/32" # only m.vision.2060.io can access backend and datastore
 spec:
   ingressClassName: nginx
   tls: