Deployment Guide

About this Guide

This guide describes how to deploy the Data Space Portal from scratch in a production environment.

For the latest Data Space Portal version and the other components compatible with it, see: Latest releases

Prerequisites

Technical Skills

  • Ability to deploy, run and expose containerized applications to the internet.

  • Ability to configure ingress routes or a reverse proxy of your choice to merge multiple services under a single domain.

  • Ability to maintain a Keycloak instance.

Dataspace

  • Each configured Dataspace Deployment Environment must have a running sovity Keycloak DAPS.

  • Each configured Dataspace Deployment Environment must have a running Logging House.

  • To make use of the Data Catalog, each configured Dataspace Deployment Environment must have a running Catalog Crawler (based on the sovity EDC Connector) configured.

The respective compatible versions can be found in the CHANGELOG.md.

Third Party

  • Information about a running instance of the sovity CaaS-Portal is required.

    • URL of the CaaS-Portal, referred to as [CAAS_PORTAL_FQDN] in this guide.

    • URL of the Keycloak for authorizing at the CaaS-Portal, referred to as [CAAS_KC_FQDN] in this guide.

    • Credentials for the CaaS-Portal, referred to as [CAAS_CLIENT_ID] and [CAAS_CLIENT_SECRET] in this guide.

  • You can use Uptime Kuma to monitor the components the Portal depends on.

    • It should track the status of the DAPS and the Catalog Crawler. If the Logging House is used, its status should be tracked as well.

    • The statuses must be available via the API (/metrics endpoint).

      • The output per component should look like this:

    • URL of the Uptime Kuma, referred to as [UPTIME_KUMA_FQDN] in this guide.

    • API key for the Uptime Kuma, referred to as [UPTIME_KUMA_API_KEY] in this guide.

    • To configure the Portal to utilize Uptime Kuma, see optional configuration for the Portal Backend further down in this guide.

Deployment

Deployment Units

Deployment unit and version / details:

  • Reverse Proxy / Ingress: infrastructure dependent

  • Keycloak Deployment: version 24.0.4 or compatible version

  • OAuth2 Proxy: quay.io/oauth2-proxy/oauth2-proxy:7.5.0

  • Caddy behind OAuth2 Proxy: caddy:2.7

  • Data Space Portal Backend: authority-portal-backend, see CHANGELOG.md for compatible versions.

  • Data Space Portal Frontend: authority-portal-frontend, see CHANGELOG.md for compatible versions.

  • Catalog Crawler (one per environment): authority-portal-crawler, see CHANGELOG.md for compatible versions.

  • PostgreSQL: version 16 or compatible version

Configuration

Reverse Proxy / Ingress

  • Data Space Portal needs to be deployed with TLS/HTTPS.

  • The domain under which the Data Space Portal should be reachable on the internet will be referred to as [DSPORTAL_FQDN] in this guide.

  • Path mapping:

    • Frontend: https://[DSPORTAL_FQDN] -> caddy:8080 -> frontend:8080

    • Backend: https://[DSPORTAL_FQDN]/api -> caddy:8080 -> oauth2-proxy:8080 -> caddy:8081 -> backend:8080/api
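The following Caddyfile implements this path mapping; it is an added example for this guide, not the Caddyfile shipped with the project (which also reads the environment variables described in the Caddy section). It assumes the container names caddy, oauth2-proxy, frontend and backend resolve on the container network, that TLS is terminated by the reverse proxy in front of caddy:8080, and that the OAuth2 Proxy is configured with caddy:8081 as its upstream.

```caddyfile
# Listener 1: public entry point behind the TLS-terminating ingress
# (https://[DSPORTAL_FQDN] -> caddy:8080). Plain HTTP here, TLS is upstream.
:8080 {
	# Backend API: never reaches the backend directly. Every /api request is
	# handed to the OAuth2 Proxy, which enforces an authenticated Keycloak
	# session before forwarding to its upstream caddy:8081 (assumed config).
	handle /api/* {
		reverse_proxy oauth2-proxy:8080
	}

	# The OAuth2 Proxy's own endpoints (/oauth2/sign_in, /oauth2/callback, ...),
	# i.e. the relative Home URL and Redirect URI registered on the Keycloak
	# oauth2-proxy client.
	handle /oauth2/* {
		reverse_proxy oauth2-proxy:8080
	}

	# Everything else is the single-page frontend.
	handle {
		reverse_proxy frontend:8080
	}
}

# Listener 2: internal hop between the OAuth2 Proxy and the backend
# (oauth2-proxy:8080 -> caddy:8081 -> backend:8080/api). Keep this port
# reachable only on the container network; exposing it through the ingress
# would bypass the OAuth2 Proxy.
:8081 {
	reverse_proxy backend:8080
}
```

A quick check after deployment is that an unauthenticated request to https://[DSPORTAL_FQDN]/api/... is answered by the OAuth2 Proxy (a redirect to /oauth2/sign_in or a 401), never by the backend itself.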

Keycloak IAM Deployment

  • The Keycloak container needs the following environment variables:

  • Consider consulting Keycloak's server administration guide.

  • You need to have a running Keycloak with the aforementioned compatible version.

  • The domain under which the Keycloak should be reachable on the internet will be referred to as [KC_FQDN] in this guide and should differ from the [DSPORTAL_FQDN].

  • The steps to set up the realm are the following:

    • sovity theme

      1. Copy the sovity-theme directory to the {keycloakRoot}/themes/ directory

      2. Import realm.json to create the authority-portal realm

      3. Adjust settings for oauth2-proxy client (Clients > oauth2-proxy > Settings)

        • Root URL: URL of the auth proxy, e.g. https://authority-portal.example.url

        • Home URL: (Relative) sign in URL of auth proxy, e.g. /oauth2/sign_in

        • Valid Redirect URIs: (Relative) callback URL of auth proxy, e.g. /oauth2/callback

        • Valid post logout redirect URIs: /*

      4. Adjust settings for authority-portal-client client (Clients > authority-portal-client > Settings)

        • Root URL: URL of the Data Space Portal, e.g. https://authority-portal.example.url

        • Home URL: (Most likely) same as Root URL

      5. Regenerate client secrets for oauth2-proxy and authority-portal-client clients

        • Clients > [client] > Credentials > Regenerate (Client secret)

      6. Select sovity theme for login & email templates

        • Select authority-portal realm

        • Realm settings > Themes > Login theme: Select sovity-theme

        • Realm settings > Themes > Email theme: Select sovity-theme

      7. Add email settings (Realm settings > Email)

        • At least From and Host are required

    • MDS theme

      1. Copy the mds-theme directory to the {keycloakRoot}/themes/ directory

      2. Import realm-mds.json to create the mds-portal realm

      3. Adjust settings for oauth2-proxy client (Clients > oauth2-proxy > Settings)

        • Root URL: URL of the auth proxy, e.g. https://authority-portal.example.url

        • Home URL: (Relative) sign in URL of auth proxy, e.g. /oauth2/sign_in

        • Valid Redirect URIs: (Relative) callback URL of auth proxy, e.g. /oauth2/callback

        • Valid post logout redirect URIs: /*

      4. Adjust settings for authority-portal-client client (Clients > authority-portal-client > Settings)

        • Root URL: URL of the Data Space Portal, e.g. https://authority-portal.example.url

        • Home URL: (Most likely) same as Root URL

      5. Regenerate client secrets for oauth2-proxy and authority-portal-client clients

        • Clients > [client] > Credentials > Regenerate (Client secret)

      6. Select MDS theme for login & email templates

        • Select mds-portal realm

        • Realm settings > Themes > Login theme: Select mds-theme

        • Realm settings > Themes > Email theme: Select mds-theme

      7. Add email settings (Realm settings > Email)

        • At least From and Host are required

Caddy

The Caddyfile needs to be mounted to /etc/caddy/Caddyfile in the Caddy container. See the list of deployment units for the compatible Caddy image.

The Caddy container needs the following environment variables:

OAuth2 Proxy

  • The Data Space Portal is meant to be deployed with an OAuth2 Proxy in front of the Portal Backend.

  • The OAuth2 Proxy should be configured to use the Keycloak (IAM) as OAuth2 Provider.

  • Copy the contents of resources to a directory the OAuth2 Proxy can access (CUSTOM_TEMPLATES_DIR).

Keycloak DAPS Client Creation

The Data Space Portal requires a client to register new connector certificates. This client must have the following settings:

  • Section Authentication flow (Tab Settings)

    • All authentication flows disabled

    • Service accounts roles enabled

  • Tab Client scopes

    • Add client scope roles as a default scope to the client

  • Service account roles (Tab Service Account Roles)

    • realm-management > manage-clients enabled

    • realm-management > create-client enabled

    • realm-management > view-clients enabled

    • realm-management > query-clients enabled

Data Space Portal Backend

  • Image: ghcr.io/sovity/authority-portal-backend

  • Set the environment variables according to the following documentation (all mandatory except the log level):

Optional configuration variables

Adjusting the log level at runtime

The log level can be changed at runtime via a request to the /api/config/log-level endpoint. The API key is required for this. Example:

Data Space Portal Frontend

  • Image: ghcr.io/sovity/authority-portal-frontend

  • Set the environment variables according to the following table (all mandatory):

Data Catalog Crawlers

  • The Data Catalog in the Portal only displays catalog data as it exists in the database; it is populated by the crawlers.

  • Each deployment environment requires a Data Catalog Crawler.

    • A Data Catalog Crawler is based on the EDC Connector and crawls the catalogs of all connectors in the dataspace.

    • You will need an SKI/AKI client ID to register the crawler. Please refer to the EDC documentation on how to generate one.

Reverse Proxy Configuration

  • The catalog crawler is meant to be served via TLS/HTTPS.

  • It is meant to be deployed behind a reverse proxy that terminates TLS and provides HTTPS.

  • All requests are meant to be forwarded to port 11003 of the deployment.

Catalog Crawler Configuration

A production configuration requires you to join a DAPS.

For that you will need an SKI/AKI client ID. Please refer to edc-extension's Getting Started Guide on how to generate one.

The DAPS needs to contain the claim referringConnector=broker for the broker. Although this is discouraged, the expected value broker can be overridden by setting a different value for MY_EDC_PARTICIPANT_ID.

You can also optionally override the following defaults:

Initial Setup

The first user that registers at the portal does not need to be approved and automatically becomes an Authority Admin. This means the first registration should be performed by the Dataspace Authority itself.
