[[TOC]]
This repository contains the official implementation of the Gaia-X Compliance service.
Warning: Gaia-X Compliance is not obtained by running this software yourself but by using specific versions of the compliance instances. See GXDCH.
You can use an instance of the Gaia-X Wizard here.
In addition to the GXDCH instances, the Gaia-X Lab maintains several instances:
| Deployment URL | Usage | Content |
|---|---|---|
| v1, v1.x.x | Used to verify and claim Gaia-X Compliance. | Latest Tagus release. |
| v1-staging | Used to verify and claim Gaia-X Compliance. | Latest Tagus release. Production rules not enforced (non-EV SSL valid) |
| v2 | Used to verify and claim Gaia-X Compliance. | Latest Loire release. Production rules not enforced (non-EV SSL valid) |
| main | Used for playground activities. | Latest stable (main branch) |
| development | Used for playground activities. | Latest unstable (development branch) |
This repo provides several image tags.

| tag | content | example |
|---|---|---|
| vX | latest major version | v1 |
| vX.Y | latest minor version | v1.1 |
| vX.Y.Z | specific version | v1.1.1 |
| main | latest stable | |
| development | latest unstable | |

Feature branches are also built and pushed to the container registry.
A helm chart is provided inside the k8s/gx-compliance folder.
It exposes several environment variables for the application:

| Env Variable | Name in values file | Default value | Note |
|---|---|---|---|
| APP_PATH | ingress.hosts[0].paths[0].path | /main | Deployment path of the application |
| BASE_URL | | `https://<ingress.hosts[0].host>/<ingress.hosts[0].paths[0].path>` | URL of the deployed application |
| REGISTRY_URL | urls.registry | `http://<ingress.hosts[0].host>.replace("compliance","registry")/<ingress.hosts[0].path[0].path>` | Defaults to the registry deployed in the same namespace |
| privateKey | privateKey | base64 value of "empty" | This value is assigned automatically and contains the private key content. Stored in a secret in the cluster |
| PRIVATE_KEY_ALG | privateKeyAlg | PS256 | The private key signature algorithm, one of those described in the JsonWebSignature2020 library readme |
| X509_CERTIFICATE | X509_CERTIFICATE | base64 value of "empty" | This value is assigned automatically and contains the x509 certificate chain. Stored in a secret in the cluster |
| SD_STORAGE_BASE_URL | urls.storage | https://example-storage.lab.gaia-x.eu | |
| SD_STORAGE_API_KEY | storageApiKey | "Nothing" | |
| production | production | true | Whether the component is deployed in production mode. Enables more checks |
| dburl | dburl | `bolt://{{ include "gx-compliance.fullname" . \| trunc 50 \| trimSuffix "-"}}-memgraph:7687` | URL to connect to memgraph |
| ntpServers | ntpServers | 0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org | Array of NTP servers to call. Will be piped to toJson and quote |
Usage example:

```shell
helm upgrade --install -n "<branch-name>" --create-namespace gx-compliance ./k8s/gx-compliance --set "nameOverride=<branch-name>,ingress.hosts[0].host=compliance.lab.gaia-x.eu,ingress.hosts[0].paths[0].path=/<branch-name>,image.tag=<branch-name>,ingress.hosts[0].paths[0].pathType=Prefix,privateKey=$complianceKey,privateKeyAlg=$complianceKeyAlg,X509_CERTIFICATE=$complianceCert"
```

For a tag:

```shell
helm upgrade --install -n "v1" --create-namespace gx-compliance ./k8s/gx-compliance --set "nameOverride=v1,ingress.hosts[0].host=compliance.lab.gaia-x.eu,ingress.hosts[0].paths[0].path=/v1,image.tag=v1,ingress.hosts[0].paths[0].pathType=Prefix,privateKey=$complianceKey,privateKeyAlg=$complianceKeyAlg,X509_CERTIFICATE=$complianceCert"
```

Syntax for ntpServers:

```shell
helm upgrade ... --set "...,ntpServers[0]=firstServer.com,ntpServers[1]=secondServer.com"
```
This component requires a memgraph database. It is provided in the deployment and can be deactivated by setting memgraphEnabled to false. In that case, set dburl to point to your own memgraph database.
The deployment is triggered automatically on the development and main branches, as well as on release. Please refer to Gaia-X Lab Compliance Service for available instances.
Containers are signed using cosign since version v1.8.1. You can verify yourself that the containers are signed by using the cosign client's verify command.
Example verifying the signature of the image built for tag v1.8.1:

```shell
docker run -it bitnami/cosign:latest verify --certificate-identity "https://gitlab.com/gaia-x/lab/compliance/gx-compliance//.gitlab-ci.yml@refs/tags/v1.8.1" --certificate-oidc-issuer "https://gitlab.com" registry.gitlab.com/gaia-x/lab/compliance/gx-compliance:v1.8.1
```
The k8s folder contains a Kyverno ClusterPolicy ensuring the image you're deploying is properly signed and issued by Gaia-X AISBL.
If you have deployed Kyverno on your cluster, this will be enforced automatically on each deployment.
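As an added illustration of what such an admission check looks like (this is an example written for this README, not the ClusterPolicy shipped in the k8s folder), the policy below pins the same keyless identity used by the cosign verify command above, i.e. the GitLab CI pipeline of this repository as certificate subject and https://gitlab.com as OIDC issuer; the policy name, the wildcard on the tag ref and the Rekor URL are assumptions:

```yaml
# Example Kyverno ClusterPolicy (not the project's own file) rejecting any Pod
# whose gx-compliance image does not carry a valid cosign keyless signature.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-gx-compliance-image-signature   # assumed name
spec:
  # Enforce: unsigned or wrongly signed images are rejected at admission,
  # not merely reported in a policy report.
  validationFailureAction: Enforce
  webhookTimeoutSeconds: 30
  rules:
    - name: check-cosign-keyless-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        # Only images from this registry path are subject to the check.
        - imageReferences:
            - "registry.gitlab.com/gaia-x/lab/compliance/gx-compliance:*"
          # mutateDigest (default true) rewrites the tag to the verified
          # digest, so a later tag move cannot swap in a different image.
          mutateDigest: true
          attestors:
            - entries:
                - keyless:
                    # Certificate subject = the CI pipeline that built the
                    # image; "refs/tags/*" is an assumption that accepts any
                    # tagged release (the cosign example above pins v1.8.1).
                    subject: "https://gitlab.com/gaia-x/lab/compliance/gx-compliance//.gitlab-ci.yml@refs/tags/*"
                    issuer: "https://gitlab.com"
                    rekor:
                      url: https://rekor.sigstore.dev   # assumed public log
```

Apply it with kubectl apply -f and then attempt a deployment of an image tag that was never signed; the admission webhook should refuse the Pod, which is the behaviour to confirm before relying on the policy in production.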