Notice

This work is licensed under the [Apache-2.0](https://www.apache.org/licenses/LICENSE-2.0).

System overview

The deployment contains the components required to connect Trace-X to an existing Catena-X network. This includes:

  • Trace-X frontend

  • Trace-X backend

Optionally these components can be installed using the Trace-X backend Helm chart as well:

  • PostgreSQL for Trace-X backend

  • pgAdmin 4

  • IRS

  • EDC consumer

Everything else needs to be provided externally.

integrated overview

Rights and role matrix of Trace-X

Currently, Trace-X API handles three roles: 'User' and 'Supervisor' and 'Admin':

Category

Action

User

Supervisor

Admin

View

View Dashboard

x

x

x

View Parts

x

x

x

View Quality notifications

x

x

x

View Administration panel

x

Quality notification

Create

x

x

Edit

x

x

Send (Approve)

x

Read

x

x

x

Cancel

x

x

Acknowledge

x

x

Accept

x

x

Decline

x

x

Close

x

Administration panel

Access "BPN EDC config panel"

x

Access "Registry lookup panel"

x

Access "Data import interface"

x

Installation

The Trace-X Helm repository can be found here:

Use the latest release of the "trace-x-helm" chart. It contains all required dependencies.

Supply the required configuration properties (see chapter Configuration) in a values.yaml file or override the settings directly.

Deployment using Helm

Add the Trace-X Helm repository:

$ helm repo add traceability-foss https://eclipse-tractusx.github.io/traceability-foss

Then install the Helm chart into your cluster:

$ helm install -f your-values.yaml traceability-foss traceability-foss/traceability-foss

Dependent values

Following values need to match in order for application to start and have a valid PostgreSQL connection:

datasource:
    password: # database password
postgresql:
    auth:
        password: # database password

Deployment using ArgoCD

Create a new Helm chart and use Trace-X as a dependency.

dependencies:
  - name: traceability-foss
    alias: traceability-foss
    version: x.x.x
    repository: "https://eclipse-tractusx.github.io/traceability-foss/"

Then provide your configuration as the values.yaml of that chart.

Create a new application in ArgoCD and point it to your repository / Helm chart folder.

Configuration

Frontend configuration

Take the following template and adjust the configuration parameters (<placeholders> mark the relevant spots). You can define the URLs as well as most of the secrets yourself.

The OAuth2, Vault configuration / secrets depend on your setup and might need to be provided externally.

Helm configuration Trace-X frontend (values.yaml)

Values explained
<ingress.enabled>

Enables <true> or disables <false> the ingress proxy for the frontend app.

<ingress.className>

The class name of the ingress proxy. E.g. nginx

<ingress.annotations>

Annotation for the ingress. E.g. cert-manager.io/cluster-issuer: letsencrypt-prod

<ingress.hosts>

The hostname of the app.

<ingress.tls>

The TLS settings of the app.

<livenessProbe>

Following Tractus-X Helm Best Practices https://eclipse-tractusx.github.io/docs/release/

<readinessProbe>

Following Tractus-X Helm Best Practices https://eclipse-tractusx.github.io/docs/release/

Backend configuration

Take the following template and adjust the configuration parameters (<placeholders> mark the relevant spots). You can define the URLs as well as most of the secrets yourself.

The OAuth2, Vault configuration / secrets depend on your setup and might need to be provided externally.

Helm configuration Trace-X backend (values.yaml)

Values explained
<springprofile>

The profiles for the different supported environments to bootstrap the resources which are required for the respective environment.

Springprofile Description

dev

Development environment

int

Integration environment

<healthCheck.enabled>

Enables <true> or disables <false> livenessProbe and readinessProbe

<traceability.bpn>

BPN (Business Partner Number) for the traceability app used to identify the partner in the network.

<datasource.url>

The jdbc connection string to the database. jdbc:postgresql://${url}:${port}/trace

<datasource.username>

The username of the datasource e.g. "trace".

<datasource.password>

The password of the datasource or the path to the vault which contains the secret. <path:../data/int/database#tracePassword>

<oauth2.clientId>

Client ID for OAuth2 (Keycloak). Request this from your Keycloak operator.

<oauth2.clientSecret>

Client secret for OAuth2. Request this from your OAuth2 operator.

<oauth2.clientTokenUri>

The URL of the Keycloak token API. Used by Trace-X for token creation to authenticate with other services.

<oauth2.jwkSetUri>

The URL of the Keycloak JWK Set. Used by Trace-X to validate tokens when Trace-X API is called.

<oauth2.resourceClient>

The client which is used to authenticate the backend.

<edc.apiKey>

The EDC api key or the path to the secret inside a vault. E.g. <path:../data/int/edc/controlplane#edc.api.control.auth.apikey.value>

<postgresql.enabled>

Enables <true> or disables <false> the PostgresSQL database.

<postgresql.auth.postgresPassword>

Database password for the postgres user or the path to the secret inside a vault. <path:…​/data/int/database#password>

<postgresql.auth.password>

Database password for the application user of the path to the secret inside a vault. <path:…​/data/int/database#password>

<postgresql.auth.database>

The name of the database instance.

<postgresql.auth.username>

The user for the database instance.

<global.enablePrometheus>

Enables <true> or disables <false> the Prometheus instance.

<global.enableGrafana>

Enables <true> or disables <false> the Grafana instance used for resource and application monitoring.

<irs-helm.enabled>

Enables <true> or disables <false> IRS helm charts.

<pgadmin4.enabled>

Enables <true> or disables <false> pgAdmin 4 console for the PostgreSQL database instance.

<pgadmin4.ingress.enabled>

Enables <true> or disables <false> a K8S Ingress for the pgAdmin 4 console.

Portal configuration

The following process is required to successfully connect to the portal:

  • Company registration with BPN and company name

  • User registration with e-mail

  • Get e-mail to reset your password

  • Reset the password and log in

  • Make sure your user has the role 'App Management'

  • Navigate to 'App Overview'

  • Create app

  • Choose a selection of managed roles which is necessary (currently: BPDM, Dataspace Discovery, Semantic Model Management, Identity Wallet Management)

  • Wait for app approval by the portal team

  • Subscribe to the app

  • As app creator navigate to subscription management and click on configure

  • Add the frontend url of the application and click approve

  • Save technical user and secret

  • Navigate to 'Register Connector'

  • Add managed connector

  • Select existing technical user (from app subscription)

  • Enter name "EDC Provider A"

  • Enter base url of control plane (EDC)

  • Confirm

  • Go to other company which wants to participate (subscribe)

  • Login and navigate to app overview

  • Search for the created app

  • Subscribe to the app

  • Go to the app creator company

  • Navigate to the inbox of the portal

  • Click on the link to give approval for the company which wants to subscribe

  • Enter name "EDC Provider B"

  • Enter base url of control plane (EDC)

  • Make sure to populate the new client id, secrets and app id within Trace-X for each company to let it run properly with the new portal configuration.

Company registration

Additional info

Each instance of Trace-X reflects an own company, which is associated with one BPN.

User registration

Additional info

The user registration is a self-service. Each user can have one or multiple Trace-X roles assigned.

Connector registration

Additional info

A connector in the context of Trace-X is a Eclipse-Dataspace-Connector. This connector needs to be configured by the public control plane URL.

App registration

Additional info

A connector in the context of trace-x is a Eclipse-Dataspace-Connector. This connector needs to be configured by the public control plane URL.

Create app subscription

Additional info

An app subscription is necessary to be able to set up a frontend url which will be authorized through Keycloak and accessible with the portal.

Activate App subscription

Additional info

The app subscription needs to be activated from all instances which want to participate in the Trace-X use case.

Retrieve wallet configuration

Troubleshooting

Coming soon…​