Merge branch 'main' into test-driver-did-andorra

Author: BernhardFuchs

.github/workflows/kubernetes-deploy-to-cluster.yml

@@ -4,39 +4,42 @@ on:
   workflow_dispatch:
 
 jobs:
-  build:
+  deploy:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@master
+    - name: Checkout repository
+      uses: actions/checkout@v4
 
     - name: Import Secrets
-      uses: hashicorp/vault-action@v2.3.0
+      uses: hashicorp/vault-action@v3
       with:
         url: ${{ secrets.VAULT_ADDR }}
         token: ${{ secrets.CI_SECRET_READER_PERIODIC_TOKEN }}
         caCertificate: ${{ secrets.VAULTCA }}
         secrets: |
-          ci/data/gh-workflows/universal-resolver-cluster dif-cluster-kube-config | KUBE_CONFIG_DATA ;
           ci/data/gh-workflows/universal-resolver-cluster aws-access-key-id | AWS_ACCESS_KEY_ID ;
           ci/data/gh-workflows/universal-resolver-cluster aws-secret-access-key | AWS_SECRET_ACCESS_KEY ;
           ci/data/gh-workflows/universal-resolver-cluster rpc-url-testnet | RPC_URL_TESTNET ;
-          ci/data/gh-workflows/universal-resolver-cluster rpc-cert-testnet | RPC_CERT_TESTNET ;
-          ci/data/gh-workflows/deployment-status slack-webhook-url | SLACK_WEBHOOK_URL
+          ci/data/gh-workflows/universal-resolver-cluster rpc-cert-testnet | RPC_CERT_TESTNET
 
-    - name: Deploy to AWS
+    - name: Deploy to AWS Kubernetes Cluster
       uses: ./ci/deploy-k8s-aws
-      env:
-        KUBE_CONFIG_DATA: ${{secrets.KUBE_CONFIG_DATA_BASE64_UNI_RESOLVER_PROD}}
-        AWS_ACCESS_KEY_ID: ${{env.AWS_ACCESS_KEY_ID}}
-        AWS_SECRET_ACCESS_KEY: ${{env.AWS_SECRET_ACCESS_KEY}}
-        RPC_URL_TESTNET: ${{env.RPC_URL_TESTNET}}
-        RPC_CERT_TESTNET: ${{env.RPC_CERT_TESTNET}}
+      with:
+        kube-config-data: ${{ secrets.KUBE_CONFIG_DATA_BASE64_UNI_RESOLVER_PROD }}
+        aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
+        rpc-url-testnet: ${{ env.RPC_URL_TESTNET }}
+        rpc-cert-testnet: ${{ env.RPC_CERT_TESTNET }}
+        slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
+        github-server-url: ${{ github.server_url }}
+        github-repository: ${{ github.repository }}
+        github-run-id: ${{ github.run_id }}
 
     - name: Slack notification
-      if: failure() # Send message only on failure
+      if: failure()
       uses: 8398a7/action-slack@v3
       with:
         status: ${{ job.status }}
-        fields: repo,commit,action,eventName,ref,workflow # selectable (default: repo,message)
+        fields: repo,commit,action,eventName,ref,workflow
       env:
-        SLACK_WEBHOOK_URL: ${{ env.SLACK_WEBHOOK_URL }} # required
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

.github/workflows/nightly-did-lint-check.yml

@@ -19,5 +19,5 @@ jobs:
           status: ${{ job.status }}
           fields: repo,commit,action,eventName,ref,workflow
         env:
-          SLACK_WEBHOOK_URL: ${{ env.SLACK_WEBHOOK_URL }}
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
         if: failure()

.github/workflows/nightly-did-test-suite.yml

@@ -8,14 +8,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@master
-      - name: Import Secrets
-        uses: hashicorp/vault-action@v2.3.0
-        with:
-          url: ${{ secrets.VAULT_ADDR }}
-          token: ${{ secrets.CI_SECRET_READER_PERIODIC_TOKEN }}
-          caCertificate: ${{ secrets.VAULTCA }}
-          secrets: |
-            ci/data/gh-workflows/deployment-status slack-webhook-url | SLACK_WEBHOOK_URL
       - name: Get driver status
         uses: ./ci/get-driver-status
         with:
@@ -34,5 +26,5 @@ jobs:
           status: ${{ job.status }}
           fields: repo,commit,action,eventName,ref,workflow
         env:
-          SLACK_WEBHOOK_URL: ${{ env.SLACK_WEBHOOK_URL }}
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
         if: failure()

README.md

@@ -97,12 +97,9 @@ You should then be able to resolve identifiers locally using simple `curl` reque
 	curl -X GET 'http://localhost:8080/1.0/identifiers/did:iden3:polygon:amoy:xC8VZLUUfo5p9DWUawReh7QSstmYN6zR7qsQhQCsw?gist=f12d4f6fddeed78cb8b1faf1c6f4f171a590c1b05c484118a09847f5caa74d03'
 	curl -X GET 'http://localhost:8080/1.0/identifiers/did:iden3:polygon:amoy:xC8VZLUUfo5p9DWUawReh7QSstmYN6zR7qsQhQCsw?state=7a1a45d22b686cf1bd2f9fbecbed38b725a555e6d8ad68d3780feda9124b1a13'
     curl -X GET http://localhost:8080/1.0/identifiers/did:cndid:sf24eYrmwXt6nx4fig3XJm7n9UP6PNRJ3
-	curl -X GET http://localhost:8080/1.0/identifiers/did:btcr2:k1qypcylxwhf8sykn2dztm6z8lxm43kwkyzf07qmp9jafv3zfntmpwtks9hmnrw
-
+	curl -X GET http://localhost:8080/1.0/identifiers/did:btcr2:k1q5ppmnfjqp0qe5klmnll9tazz9jd5ds43x5xfsr3hu9jdgaldu0d3jgs0vj4r
 	curl -X GET http://localhost:8080/1.0/identifiers/did:tgrid:trustgrid:dev:QjA1qdXKmxzgK4u8mFoBpF
-
 	curl -X GET http://localhost:8080/1.0/identifiers/did:near:CF5RiJYh4EVmEt8UADTjoP3XaZo1NPWxv6w5TmkLqjpR
-
 	curl -X GET http://localhost:8080/1.0/identifiers/did:empe:testnet:006308981b61932c5eaae1c39ace8ee3892f4a1f
 
 
@@ -186,7 +183,6 @@ Are you developing a DID method and Universal Resolver driver? Click [Driver Dev
 | [did-evrc](https://github.com/vcian/uni-resolver-driver-did-evrc)                                              | 1.0            | 1.0                                                                                                               | [viitorcloud/uni-resolver-driver-did-evrc](https://hub.docker.com/r/viitorcloud/uni-resolver-driver-did-evrc)                                                      | EveryCRED DID Method                                                                |
 | [did-keri](https://github.com/hyperledger-labs/did-webs-resolver)                                              | 0.1            | [0.1](https://trustoverip.github.io/tswg-did-method-webs-specification/)                                          | [gleif/did-keri-resolver](https://hub.docker.com/r/gleif/did-keri-resolver)                                                                                        | KERI                                                                                |
 | [did-webs](https://github.com/hyperledger-labs/did-webs-resolver)                                              | 0.2.1            | [0.1](https://trustoverip.github.io/tswg-did-method-webs-specification/)                                          | [gleif/did-webs-resolver](https://hub.docker.com/r/gleif/did-webs-resolver)                                                                                        | KERI, Web                                                                           |
-| [did-content](https://github.com/KataruInc/did-content-spec)                                                   | 0.1            | [0.1](https://github.com/KataruInc/did-content-spec)                                                              | [kataru/content-did-driver](https://hub.docker.com/repository/docker/kataru/content-did-driver)                                                                    | Content DID                                                                         |
 | [did-algo](https://github.com/algorandfoundation/did-algo)                                                     | 1.0.0          | [2.0](https://github.com/algorandfoundation/did-algo/blob/main/SPEC.md)                                           | [ghcr.io/algorandfoundation/did-algo](https://ghcr.io/algorandfoundation/did-algo)                                                                                 | Algorand Blockchain DID Method                                                      |
 | [did-itn](https://github.com/itn-trust/uni-resolver-driver-did-itn)                                            | 1.0.0          | [1.0](https://github.com/itn-trust/itn-did-spec)                                                                  | [ghcr.io/itn-trust/driver-did-itn](https://ghcr.io/itn-trust/driver-did-itn)                                                                                       | Integrated Trust Network (ITN) DID Method                                           |
 | [did-iota](https://github.com/iotaledger/uni-resolver-driver-iota)									                                    | 0.2		 	 | 2.0																												                                                                                   | [iotaledger/uni-resolver-driver-iota](https://hub.docker.com/r/iotaledger/uni-resolver-driver-iota)															  	                                              | IOTA DID																			                                                         |

ci/deploy-k8s-aws/Dockerfile

@@ -1,26 +1,35 @@
-FROM python:3.8-slim
+FROM debian:bookworm-slim
 
 LABEL "name"="Deployment of the Universal Resolver to a Kubernetes Cluster"
 LABEL "maintainer"="Bernhard Fuchs <bernhard.fuchs@danubetech.com>"
-LABEL "version"="1.0.0"
+LABEL "version"="2.0.0"
 
 LABEL "com.github.actions.name"="GitHub Action for deploying the Universal Resolver"
-LABEL "com.github.actions.description"="Deployes the Universal Resolver to a Kubernetes cluster."
+LABEL "com.github.actions.description"="Deploys the Universal Resolver to a Kubernetes cluster with smart deployment strategy."
 LABEL "com.github.actions.icon"="package"
 LABEL "com.github.actions.color"="blue"
 
+# Install base tools and AWS CLI
 RUN apt-get update -y && \
-    apt-get install -y curl gnupg openssh-client git && \
-    curl -Lso /bin/aws-iam-authenticator https://amazon-eks.s3-us-west-2.amazonaws.com/1.11.5/2018-12-06/bin/linux/amd64/aws-iam-authenticator && \
+    apt-get install -y curl gnupg openssh-client git unzip jq ca-certificates && \
+    # Install AWS CLI v2
+    curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" && \
+    unzip awscliv2.zip && \
+    ./aws/install && \
+    rm -rf awscliv2.zip aws && \
+    # Install AWS IAM Authenticator (latest version compatible with EKS 1.33)
+    curl -Lso /bin/aws-iam-authenticator https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/download/v0.6.30/aws-iam-authenticator_0.6.30_linux_amd64 && \
     chmod +x /bin/aws-iam-authenticator && \
-    curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.23.6/bin/linux/amd64/kubectl && \
-    chmod +x ./kubectl && \
-    mv ./kubectl /usr/local/bin/kubectl && \
+    # Note: kubectl will be installed dynamically in entrypoint.sh to match EKS cluster version
+    # Install yq for YAML parsing
+    curl -Lso /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 && \
+    chmod +x /usr/local/bin/yq && \
+    # Cleanup
     apt-get -y clean && apt-get -y autoclean && apt-get -y autoremove && \
-    pip install setuptools awscli
+    rm -rf /var/lib/apt/lists/*
 
-COPY app-specs /app-specs
-COPY namespace /namespace
-COPY scripts /
-RUN chmod +x /entrypoint.sh
-ENTRYPOINT ["/entrypoint.sh"]
+# Copy deployment scripts
+COPY scripts /scripts
+RUN chmod +x /scripts/*.sh
+
+ENTRYPOINT ["/scripts/entrypoint.sh"]

ci/deploy-k8s-aws/README.md

@@ -1,54 +1,186 @@
 # Kubernetes Deployment of the Universal Resolver
 
-## Usage with Docker
-Setting the environment:
+## Overview
 
-    export KUBE_CONFIG_DATA=$(cat /home/pp/dev/devops/universal-resolver-kubernetes/aws/danubetech-dev-cluster10/danubetech-dev-cluster10-KUBE_CONFIG_DATA.txt)
+This GitHub Action deploys the Universal Resolver to a Kubernetes cluster using a smart deployment strategy that minimizes downtime and only updates services when their container images have changed.
 
-Build:
+**Version:** 2.0.0
 
-    docker build -t ur-deployer .
+## Features
 
-Run:
+- **Smart Deployment**: Only updates deployments when container images differ from the running version
+- **Zero Downtime**: Unchanged services continue running without interruption
+- **Automatic Cleanup**: Removes orphaned deployments not defined in docker-compose.yml
+- **ConfigMap Management**: Automatically creates ConfigMaps from .env file
+- **Health Verification**: Verifies all deployments are healthy before completing
+- **Special Case Handling**: Manages secrets for driver-did-btcr
 
-    docker run -t ur-deployer
+## Architecture
 
+The action is composed of modular bash scripts that handle different aspects of deployment:
 
-## Usage via script
-Setting the environment:
+1. **parse-compose.sh** - Parses docker-compose.yml and extracts service definitions
+2. **process-env.sh** - Creates ConfigMaps from .env file
+3. **deploy-services.sh** - Implements smart deployment logic
+4. **handle-btcr-secret.sh** - Handles driver-did-btcr secret configuration
+5. **cleanup-orphaned.sh** - Removes orphaned resources
+6. **verify-deployment.sh** - Verifies deployment health
+7. **entrypoint.sh** - Orchestrates all scripts
 
-    export KUBECONFIG=/home/pp/dev/devops/universal-resolver-kubernetes/aws/danubetech-dev-cluster10/kubeconfig-danubetech-dev-cluster10.yaml
+## Usage in GitHub Actions
 
-Run:
-
-    cd scripts
-    ./entrypoint.sh
+```yaml
+- name: Deploy to AWS Kubernetes Cluster
+  uses: ./ci/deploy-k8s-aws
+  with:
+    kube-config-data: ${{ secrets.KUBE_CONFIG_DATA }}
+    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+    namespace: 'uni-resolver'
+    rpc-url-testnet: ${{ secrets.RPC_URL_TESTNET }}
+    rpc-cert-testnet: ${{ secrets.RPC_CERT_TESTNET }}
+```
 
+## Inputs
+
+| Input | Description | Required | Default |
+|-------|-------------|----------|---------|
+| `kube-config-data` | Base64-encoded Kubernetes configuration | Yes | - |
+| `aws-access-key-id` | AWS Access Key ID | Yes | - |
+| `aws-secret-access-key` | AWS Secret Access Key | Yes | - |
+| `namespace` | Kubernetes namespace | No | `uni-resolver` |
+| `rpc-url-testnet` | RPC URL for driver-did-btcr | No | - |
+| `rpc-cert-testnet` | RPC certificate for driver-did-btcr | No | - |
+
+## How It Works
+
+### 1. Parse docker-compose.yml
+The action reads your docker-compose.yml file (the source of truth) and extracts all service definitions including:
+- Container images and tags
+- Port mappings
+- Environment variables
+- Volume mounts
+
+### 2. Smart Deployment Logic
+For each service in docker-compose.yml:
+- **If deployment exists**: Compare current image with desired image
+  - If different: Update deployment and wait for rollout
+  - If same: Skip (no downtime)
+- **If deployment doesn't exist**: Create new deployment and service
+
+### 3. Automatic Cleanup
+After deploying all services:
+- Identify deployments with `managed-by=github-action` label
+- Compare with services in docker-compose.yml
+- Remove any orphaned resources (deployments, services, configmaps)
+
+### 4. Health Verification
+Verify that all deployments are healthy:
+- Check ready replicas match desired replicas
+- Display pod status and recent events
+- Exit with error if any deployment is unhealthy
+
+## Benefits Over Previous Approach
+
+### Previous (Destructive)
+- Deleted entire namespace on every deployment
+- All services restarted, causing downtime
+- No version checking
+- Inefficient for versioned containers
+
+### Current (Smart)
+- Only updates changed services
+- Zero downtime for unchanged services
+- Faster deployments
+- Maintains persistent state
+- Better observability
+
+## Local Development
+
+### Build Docker Image
+```bash
+cd ci/deploy-k8s-aws
+docker build -t ur-deployer .
+```
 
-## Usage as GitHub Action
+### Run Locally
+```bash
+docker run -t \
+  -e KUBE_CONFIG_DATA="$(cat ~/.kube/config | base64)" \
+  -e AWS_ACCESS_KEY_ID="your-key" \
+  -e AWS_SECRET_ACCESS_KEY="your-secret" \
+  -e NAMESPACE="uni-resolver" \
+  -v $(pwd)/../..:/workspace \
+  -w /workspace \
+  ur-deployer
+```
 
-Github Action workflow-file:
+## Directory Structure
 
 ```
-name: CI/CD Workflow for universal-resolver
-
-on:
-  push:
-    branches:
-      - master
-  pull_request:
-    branches:
-      - master
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@master
-    - name: Deploy to AWS
-      uses: philpotisk/universal-resolver-k8s-deployment@master
-      env:
-        KUBE_CONFIG_DATA: ${{secrets.KUBE_CONFIG_DATA}}
-        AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}}
-        AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}}
-```
+ci/deploy-k8s-aws/
+├── action.yml              # GitHub Action definition
+├── Dockerfile             # Container image with tools
+├── README.md              # This file
+└── scripts/
+    ├── entrypoint.sh      # Main orchestration script
+    ├── parse-compose.sh   # Parse docker-compose.yml
+    ├── process-env.sh     # Create ConfigMaps
+    ├── deploy-services.sh # Smart deployment logic
+    ├── handle-btcr-secret.sh  # Special case handling
+    ├── cleanup-orphaned.sh    # Remove orphaned resources
+    └── verify-deployment.sh   # Health verification
+```
+
+## Requirements
+
+### Container Image Includes
+- AWS CLI v2
+- AWS IAM Authenticator
+- kubectl (latest stable)
+- yq (YAML processor)
+- jq (JSON processor)
+
+### Source of Truth
+- **docker-compose.yml** - All services must be defined here
+- **.env** - Environment variables (optional)
+
+## Troubleshooting
+
+### Deployment Fails
+Check the logs for each step. The action provides detailed output for:
+- Parsing errors
+- Connection issues
+- Deployment failures
+- Health check failures
+
+### Service Not Updating
+Ensure the image tag in docker-compose.yml is different from the deployed version.
+
+### Orphaned Resources Not Cleaned
+Only resources with the `managed-by=github-action` label are cleaned up. Manually created resources are not affected.
+
+## Migration from Previous Version
+
+The previous version used Python scripts and a destructive deployment strategy. This version:
+1. Uses bash scripts for better maintainability
+2. Implements smart deployment logic
+3. Eliminates unnecessary downtime
+4. Removes dependency on manually maintained deployment specs
+
+All services must now be defined in docker-compose.yml. The app-specs and namespace folders are no longer used.
+
+## Version History
+
+### 2.0.0 (Current)
+- Complete refactor to bash-based approach
+- Smart deployment strategy
+- Automatic cleanup of orphaned resources
+- ConfigMap management from .env
+- Improved health verification
+- Zero downtime for unchanged services
+
+### 1.0.0 (Legacy)
+- Python-based scripts
+- Destructive deployment (delete namespace)
+- Manual deployment spec maintenance