From b6044704ef7521a7efcf51000f3baa495f3b113c Mon Sep 17 00:00:00 2001
From: Paul Latzelsperger
Date: Wed, 29 Apr 2026 17:45:40 +0200
Subject: [PATCH 1/2] feat: add IdentityHub Agent as dedicated resource
---
 k8s/apps/cfm-agents.yaml | 17 ++++++++++
 k8s/apps/ih-agent-config.yaml | 42 ++++++++++++++++++++++++
 k8s/apps/kustomization.yaml | 1 +
 k8s/apps/provision-manager-seed-job.yaml | 32 +++++++++++++++---
 4 files changed, 88 insertions(+), 4 deletions(-)
 create mode 100644 k8s/apps/ih-agent-config.yaml
diff --git a/k8s/apps/cfm-agents.yaml b/k8s/apps/cfm-agents.yaml
index f53d48b..8508bf3 100644
--- a/k8s/apps/cfm-agents.yaml
+++ b/k8s/apps/cfm-agents.yaml
@@ -61,6 +61,20 @@ spec:
 - name: edcv-agent-config
 mountPath: /etc/appname
 readOnly: true
+ - name: ih-agent
+ image: ghcr.io/eclipse-cfm/cfm/ihagent:latest
+ imagePullPolicy: Always
+ command: [ "/ihagent" ]
+ args: [
+ "--mode=debug"
+ ]
+ envFrom:
+ - configMapRef:
+ name: telemetry-config
+ volumeMounts:
+ - name: ih-agent-config
+ mountPath: /etc/appname
+ readOnly: true
 - name: registration-agent
 image: ghcr.io/eclipse-cfm/cfm/regagent:latest
 imagePullPolicy: Always
@@ -96,6 +110,9 @@ spec:
 - name: edcv-agent-config
 configMap:
 name: edcv-agent-config
+ - name: ih-agent-config
+ configMap:
+ name: ih-agent-config
 - name: registration-agent-config
 configMap:
 name: reg-agent-config
diff --git a/k8s/apps/ih-agent-config.yaml b/k8s/apps/ih-agent-config.yaml
new file mode 100644
index 0000000..a430a41
--- /dev/null
+++ b/k8s/apps/ih-agent-config.yaml
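Review bot: The new `ih-agent` container is started with `"--mode=debug"` hard-coded in `args`, so debug behaviour becomes the default for every environment this kustomization is applied to; unless the IdentityHub agent needs that mode to function, it should come from the ConfigMap or an overlay rather than the base manifest. The image is pulled as `ghcr.io/eclipse-cfm/cfm/ihagent:latest` with `imagePullPolicy: Always`, so each pod restart may run a different build; that matches the sibling `registration-agent` container, but pinning a tag or digest would make rollouts reproducible. The hunk shows no resource limits or `securityContext` for the new container — if the sibling containers define them outside the hunk, the new one should too.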
@@ -0,0 +1,42 @@
+#
+# Copyright (c) 2025 Metaform Systems, Inc.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Contributors:
+# Metaform Systems, Inc. - initial API and implementation
+#
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: ih-agent-config
+ namespace: edc-v
+
+data:
+ # the file must be called "tm", and the extension must be one of
+ # "json", "toml", "yaml", "yml", "properties", "props", "prop", "hcl", "tfvars", "dotenv", "env", "ini"
+ ihagent.env: |
+ uri: nats://nats.edc-v.svc.cluster.local:4222
+ bucket: cfm-bucket
+ stream: cfm-stream
+ httpport: 8080
+ postgres: true
+ dsn: postgres://cfm:cfm@postgres.edc-v.svc.cluster.local:5432/cfm?sslmode=disable
+ vault.url: http://vault.edc-v.svc.cluster.local:8200
+ vault.path: secret
+ vault.clientId: provisioner
+ vault.clientSecret: provisioner-secret
+ vault.tokenUrl: http://keycloak.edc-v.svc.cluster.local:8080/realms/edcv/protocol/openid-connect/token
+ vault.softDelete: true
+ keycloak.clientID: provisioner
+ keycloak.clientSecret: provisioner-secret
+ keycloak.tokenUrl: http://keycloak.edc-v.svc.cluster.local:8080/realms/edcv/protocol/openid-connect/token
+ identityhub.url: http://identityhub.edc-v.svc.cluster.local:7081/api/identity
+ identityhub.cs.url: http://identityhub.edc-v.svc.cluster.local:7082/api/credentials/v1/participants/%s
+ controlplane.protocol.url: http://controlplane.edc-v.svc.cluster.local:8082/api/dsp/%s/2025-1
\ No newline at end of file
diff --git a/k8s/apps/kustomization.yaml b/k8s/apps/kustomization.yaml
index 5dfb82d..b110057 100644
--- a/k8s/apps/kustomization.yaml
+++ b/k8s/apps/kustomization.yaml
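Review bot: The ConfigMap embeds credentials in plaintext — `dsn: postgres://cfm:cfm@...`, `vault.clientSecret: provisioner-secret` and `keycloak.clientSecret: provisioner-secret` — and a ConfigMap is readable by any principal with `get configmaps` in the `edc-v` namespace and is not encrypted at rest by default, so these values belong in a `Secret` (or an external secret store) projected into the container next to the non-sensitive settings. The DSN also carries `?sslmode=disable`, so the database credentials cross the cluster network in clear; if that is only meant for the local dev setup, a comment saying so would stop it being copied into production overlays. The leading comment says the file `must be called "tm"`, but the key is `ihagent.env`; the comment reads as copied from another agent's config and should name the actual file, and the content under `ihagent.env` is `key: value` rather than `KEY=value`, which is worth confirming the agent's `.env` parser accepts. The file also ends without a trailing newline.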
@@ -22,6 +22,7 @@ resources:
 - identityhub-config.yaml
 - identityhub.yaml
 - edcv-agent-config.yaml
+ - ih-agent-config.yaml
 - keycloak-agent-config.yaml
 - onboarding-agent-config.yaml
 - registration-agent-config.yaml
diff --git a/k8s/apps/provision-manager-seed-job.yaml b/k8s/apps/provision-manager-seed-job.yaml
index 31e3e27..b1c6d8d 100644
--- a/k8s/apps/provision-manager-seed-job.yaml
+++ b/k8s/apps/provision-manager-seed-job.yaml
@@ -88,9 +88,24 @@ spec:
 }'
 echo "✓ edcv-activity created"
+
+ echo ""
+ echo "Step 3: Create identityhub-activity ActivityDefinition"
+ echo "------------------------------------------------"
+
+ curl -sfS -w "\nHTTP_STATUS:%{http_code}\n" -X POST "${PM_BASE_URL}/api/v1alpha1/activity-definitions" \
+ -H "Content-Type: application/json" \
+ -d '{
+ "description": "Provisions IdentityHub entries",
+ "inputSchema": {},
+ "outputSchema": {},
+ "type": "identityhub-activity"
+ }'
+
+ echo "✓ identityhub-activity created"
 echo ""
- echo "Step 3: Create registration-activity ActivityDefinition"
+ echo "Step 4: Create registration-activity ActivityDefinition"
 echo "--------------------------------------------------------"
 curl -sfS -w "\nHTTP_STATUS:%{http_code}\n" -X POST "${PM_BASE_URL}/api/v1alpha1/activity-definitions" \
@@ -105,7 +120,7 @@ spec:
 echo "✓ registration-activity created"
 echo ""
- echo "Step 4: Create keycloak-activity ActivityDefinition"
+ echo "Step 5: Create keycloak-activity ActivityDefinition"
 echo "----------------------------------------------------"
 curl -sfS -w "\nHTTP_STATUS:%{http_code}\n" -X POST "${PM_BASE_URL}/api/v1alpha1/activity-definitions" \
@@ -120,7 +135,7 @@ spec:
 echo "✓ keycloak-activity created"
 echo ""
- echo "Step 5: Create onboarding-activity ActivityDefinition"
+ echo "Step 6: Create onboarding-activity ActivityDefinition"
 echo "------------------------------------------------------"
 curl -sfS -w "\nHTTP_STATUS:%{http_code}\n" -X POST "${PM_BASE_URL}/api/v1alpha1/activity-definitions" \
@@ -135,7 +150,7 @@ spec:
 echo "✓ onboarding-activity created"
 echo ""
- echo "Step 6: Create Orchestration Definition (deploy + dispose)"
+ echo "Step 7: Create Orchestration Definition (deploy + dispose)"
 echo "------------------------------------------------"
 DEPLOY_ORCH_ID=$(cat /proc/sys/kernel/random/uuid)
@@ -179,6 +194,14 @@ spec:
 {
 "id": "connector-provisioner",
 "type": "edcv-activity",
+ "dependsOn": [
+ "kc-client-provisioner",
+ "identityhub-provisioner"
+ ]
+ },
+ {
+ "id": "identityhub-provisioner",
+ "type": "identityhub-activity",
 "dependsOn": [
 "kc-client-provisioner"
 ]
@@ -188,6 +211,7 @@ spec:
 "type": "onboarding-activity",
 "dependsOn": [
 "connector-provisioner",
+ "identityhub-provisioner",
 "registration-agent"
 ]
 }]
From 4cf641ed47df72348d7b4876579623194ae29564 Mon Sep 17 00:00:00 2001
From: Paul Latzelsperger
Date: Wed, 29 Apr 2026 19:16:24 +0200
Subject: [PATCH 2/2] use other JWKS resolver
---
 extensions/data-plane-certs/build.gradle.kts | 1 +
 .../dataplane/cert/CertExchangeExtension.java | 15 +++------------
 gradle/libs.versions.toml | 1 +
 3 files changed, 5 insertions(+), 12 deletions(-)
diff --git a/extensions/data-plane-certs/build.gradle.kts b/extensions/data-plane-certs/build.gradle.kts
index 88db7e2..ba6bccb 100644
--- a/extensions/data-plane-certs/build.gradle.kts
+++ b/extensions/data-plane-certs/build.gradle.kts
@@ -31,6 +31,7 @@ dependencies {
 implementation(libs.edc.lib.util)
 implementation(libs.edc.lib.sql)
 implementation(libs.edc.lib.token)
+ implementation(libs.edc.lib.keys)
 implementation(libs.edc.lib.oauth2.authn)
 implementation(libs.edc.core.sql.bootstrapper)
 implementation(libs.edc.core.sql)
diff --git a/extensions/data-plane-certs/src/main/java/org/eclipse/edc/virtualized/dataplane/cert/CertExchangeExtension.java b/extensions/data-plane-certs/src/main/java/org/eclipse/edc/virtualized/dataplane/cert/CertExchangeExtension.java
index 51d165d..97acb72 100644
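Review bot: In the `@@ -188,6 +211,7 @@` hunk, adding `"identityhub-provisioner"` to the onboarding step's `dependsOn` is redundant: `connector-provisioner`, which onboarding already waits for, now itself depends on `identityhub-provisioner` in the `@@ -179,6 +194,14 @@` hunk, so the ordering is implied transitively, and the same holds for `"kc-client-provisioner"` in the new `connector-provisioner` list. Redundant edges are harmless but hide which dependency is the real one, so I would keep only the direct dependencies in each list. The step heading says the orchestration covers "deploy + dispose", yet only the deploy graph is visible in these hunks; if the dispose orchestration (outside the hunk) mirrors the deploy steps, it presumably needs a matching `identityhub-activity` entry as well.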
--- a/extensions/data-plane-certs/src/main/java/org/eclipse/edc/virtualized/dataplane/cert/CertExchangeExtension.java
+++ b/extensions/data-plane-certs/src/main/java/org/eclipse/edc/virtualized/dataplane/cert/CertExchangeExtension.java
@@ -14,15 +14,14 @@
 package org.eclipse.edc.virtualized.dataplane.cert;
-import org.eclipse.edc.api.authentication.JwksResolver;
 import org.eclipse.edc.api.authentication.filter.JwtValidatorFilter;
+import org.eclipse.edc.keys.resolver.JwksPublicKeyResolver;
 import org.eclipse.edc.keys.spi.KeyParserRegistry;
 import org.eclipse.edc.runtime.metamodel.annotation.Configuration;
 import org.eclipse.edc.runtime.metamodel.annotation.Extension;
 import org.eclipse.edc.runtime.metamodel.annotation.Inject;
 import org.eclipse.edc.runtime.metamodel.annotation.Setting;
 import org.eclipse.edc.runtime.metamodel.annotation.Settings;
-import org.eclipse.edc.spi.EdcException;
 import org.eclipse.edc.spi.system.Hostname;
 import org.eclipse.edc.spi.system.ServiceExtension;
 import org.eclipse.edc.spi.system.ServiceExtensionContext;
@@ -39,8 +38,6 @@
 import org.eclipse.edc.web.spi.configuration.PortMapping;
 import org.eclipse.edc.web.spi.configuration.PortMappingRegistry;
-import java.net.MalformedURLException;
-import java.net.URL;
 import java.time.Clock;
 import java.util.List;
@@ -89,15 +86,9 @@ public void initialize(ServiceExtensionContext context) { var portMapping = new PortMapping(API_CONTEXT, apiConfiguration.port(), apiConfiguration.path()); portMappingRegistry.register(portMapping); - URL url; - try { - url = new URL(sigletConfig.jwksUrl()); - } catch (MalformedURLException e) { - throw new EdcException(e); - } - webService.registerResource(API_CONTEXT, new CertExchangePublicController(certStore, transactionContext)); - webService.registerResource(API_CONTEXT, new JwtValidatorFilter(tokenValidationService, new JwksResolver(url, keyParserRegistry, sigletConfig.cacheValidityInMillis), getRules())); + var resolver = JwksPublicKeyResolver.create(keyParserRegistry, sigletConfig.jwksUrl(), context.getMonitor(), sigletConfig.cacheValidityInMillis()); + webService.registerResource(API_CONTEXT, new JwtValidatorFilter(tokenValidationService, resolver, getRules())); webService.registerResource("control", new CertInternalExchangeController(certStore, transactionContext)); diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml index 30a987f..61de1f3 100644 --- a/gradle/libs.versions.toml +++ b/gradle/libs.versions.toml @@ -30,6 +30,7 @@ edc-lib-http = { module = "org.eclipse.edc:http-lib", version.ref = "edc" } edc-lib-util = { module = "org.eclipse.edc:util-lib", version.ref = "edc" } edc-lib-sql = { module = "org.eclipse.edc:sql-lib", version.ref = "edc" } edc-lib-token = { module = "org.eclipse.edc:token-lib", version.ref = "edc" } +edc-lib-keys = { module = "org.eclipse.edc:keys-lib", version.ref = "edc" } edc-lib-oauth2-authn = { module = "org.eclipse.edc:auth-authentication-oauth2-lib", version.ref = "edc" } edc-core-sql-bootstrapper = { module = "org.eclipse.edc:sql-bootstrapper", version.ref = "edc" } edc-core-http = { module = "org.eclipse.edc:http", version.ref = "edc" }
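Review bot: The new line passes `sigletConfig.cacheValidityInMillis()` while the removed line passed `sigletConfig.cacheValidityInMillis` without parentheses; unless the settings type exposes both a public field and an accessor, one of the two forms does not compile, so this should be checked against the `@Settings` type, which is outside the hunk. The removed `new URL(...)`/`MalformedURLException` block validated the configured JWKS URL at startup and failed fast with an `EdcException`; `JwksPublicKeyResolver.create(...)` now receives the raw string and it is not visible here whether it validates it, so a malformed `jwksUrl` may now surface only when the first token is validated — if that is the case, a startup check such as `URI.create(sigletConfig.jwksUrl());` before the `create` call would preserve the old behaviour. Because this resolver supplies the keys that `JwtValidatorFilter` trusts on the public API context, a short comment next to `var resolver = ...` such as `// keys trusted by the public API's JwtValidatorFilter are fetched from the configured JWKS endpoint` would tell the next reader why the setting is security-relevant. Please also confirm that the `CertExchangePublicController` registration is still present on the new side — in this collapsed rendering of the hunk a removed line and a removed blank line followed by a context line look the same. `initialize` begins before the hunk and continues after it.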