Merge pull request 'OZG-4939-SpringSecurityKeyCloakSetup' (#28) from...

Merge pull request 'OZG-4939-SpringSecurityKeyCloakSetup' (#28) from OZG-4939-SpringSecurityKeyCloakSetup into master

Reviewed-on: https://git.ozg-sh.de/ozgcloud-app/administration/pulls/28

src/main/helm/templates/_helpers.tpl

@@ -3,19 +3,23 @@
 {{- printf "%s-%s.%s" (.Values.ozgcloud).bezeichner (.Values.ozgcloud).adminDomainSuffix .Values.baseUrl }}
 {{- end -}}
 
+{{/* Namespace */}}
+{{- define "app.namespace" -}}
+{{- default .Release.Namespace | toString | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
 
 {{/* Default Labels: Helm recommended best-practice labels https://helm.sh/docs/chart_best_practices/labels/ */}}
 {{- define "app.defaultLabels" }}
 app.kubernetes.io/instance: administration
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 app.kubernetes.io/name: {{ .Release.Name }}
-app.kubernetes.io/namespace: {{ .Release.Namespace }}
+app.kubernetes.io/namespace: {{ include "app.namespace" . }}
 helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version }}
 {{- end -}}
 
 {{- define "app.matchLabels" }}
 app.kubernetes.io/name: {{ .Release.Name }}
-app.kubernetes.io/namespace: {{ .Release.Namespace }}
+app.kubernetes.io/namespace: {{ include "app.namespace" . }}
 {{- end -}}
 
 {{- define "app.imagePullSecret" }}

src/main/helm/templates/configmap_bindings_type.yaml

@@ -23,7 +23,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: administration-bindings-type
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "app.namespace" . }}
 data:
   type: |
         ca-certificates
\ No newline at end of file

src/main/helm/templates/deployment.yaml

@@ -26,7 +26,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ .Release.Name }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "app.namespace" . }}
   labels:
     {{- include "app.defaultLabels" . | indent 4 }}
 spec:
@@ -36,7 +36,7 @@ spec:
   selector:
     matchLabels:
       app.kubernetes.io/name: {{ .Release.Name }}
-      app.kubernetes.io/namespace: {{ .Release.Namespace }}
+      app.kubernetes.io/namespace: {{ include "app.namespace" . }}
   strategy:
     rollingUpdate:
       maxSurge: 1

src/main/helm/templates/keycloak-client-crd.yaml → src/main/helm/templates/keycloak_client_crd.yaml

 {{- if not (.Values.sso).disableOzgOperator -}}
+{{ range $client := (.Values.sso).keycloak_clients }}
+---
 apiVersion: operator.ozgcloud.de/v1
 kind: OzgCloudKeycloakClient
 metadata:
   name: administration-keycloak-client
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "app.namespace" $ }}
 spec:
-  keep_after_delete: {{ (.Values.sso).keep_after_delete | default false }}
-  client_name: admin
-  client_base_url: https://{{ include "app.baseDomain" $ }}
+  keep_after_delete: {{ $.Values.sso.keep_after_delete | default false }}
+  client_name: {{ $client.client_name }}
+  client_base_url: https://{{ include "app.baseDomain" $ }}  
+
   client_web_origins:
     - https://{{ include "app.baseDomain" $ }}
+  {{- if $client.additional_client_web_origins }}
+    {{- with $client.additional_client_web_origins }}
+{{ toYaml . | indent 4 }}
+    {{- end }}
+  {{- end }}
   client_redirect_uris:
     - https://{{ include "app.baseDomain" $ }}
     - https://{{ include "app.baseDomain" $ }}/*
-  {{- if ((.Values.sso).client).additional_redirect_uris }}
-    {{- with ((.Values.sso).client).additional_redirect_uris }}
+  {{- if $client.additional_redirect_uris }}
+    {{- with $client.additional_redirect_uris }}
 {{ toYaml . | indent 4 }}
     {{- end }}
   {{- end }}
-  {{- if ((.Values.sso).client).client_roles }}
+  {{- if $client.client_roles }}
   client_roles:
-    {{- with ((.Values.sso).client).client_roles }}
+    {{- with $client.client_roles }}
 {{ toYaml . | indent 4 }}
     {{- end }}
   {{- end }}
+{{ end }}
 {{- end -}}
\ No newline at end of file

src/main/helm/templates/keycloak_user_crd.yaml

@@ -5,7 +5,7 @@ apiVersion: operator.ozgcloud.de/v1
 kind: OzgCloudKeycloakUser
 metadata:
   name: {{ include "app.nameToIdentifier" $user.name }}-keycloak-user
-  namespace: {{ $.Release.Namespace }}
+  namespace: {{ include "app.namespace" $ }}
 spec:
   keep_after_delete: {{ $.Values.sso.keep_after_delete | default false }}
   update_user: {{ $user.update_user | default false }}

src/main/helm/templates/network_policy.yaml

@@ -3,7 +3,7 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
   name: network-policy-administration
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "app.namespace" . }}
 spec:
   podSelector:
     matchLabels:

src/main/helm/templates/ozgcloud_keycloak_operator_secrets_read_role.yaml

@@ -4,7 +4,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: ozgcloud-keycloak-operator-secrets-read-role-administration
-  namespace: {{ $.Release.Namespace }}
+  namespace: {{ include "app.namespace" $ }}
 rules:
   - apiGroups:
       - "*"

src/main/helm/templates/ozgcloud_keycloak_operator_secrets_read_role_binding.yaml

@@ -4,7 +4,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: ozgcloud-keycloak-operator-secrets-read-role-binding-administration
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "app.namespace" . }}
 subjects:
   - kind: ServiceAccount
     name: ozgcloud-keycloak-operator-serviceaccount

src/main/helm/templates/ozgcloud_keycloak_operator_secrets_write_role.yaml

@@ -4,7 +4,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: ozgcloud-keycloak-operator-secrets-write-role-administration
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "app.namespace" . }}
 rules:
   - apiGroups:
       - "*"

src/main/helm/templates/ozgcloud_keycloak_operator_secrets_write_role_binding.yaml

@@ -4,7 +4,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: ozgcloud-keycloak-operator-secrets-write-role-binding-administration
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "app.namespace" . }}
 subjects:
   - kind: ServiceAccount
     name: ozgcloud-keycloak-operator-serviceaccount

src/main/helm/templates/service.yaml

@@ -25,7 +25,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ .Release.Name }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "app.namespace" . }}
   labels:
     {{- include "app.defaultLabels" . | indent 4 }}
     component: administration-service

src/test/helm/keycloak_client_crd_test.yaml

@@ -27,7 +27,7 @@ release:
   name: administration
   namespace: by-helm-test
 templates:
-  - templates/keycloak-client-crd.yaml
+  - templates/keycloak_client_crd.yaml
 set:
   ozgcloud:
     bundesland: by
@@ -35,12 +35,20 @@ set:
     environment: test
 tests:
   - it: should contain header data
+    set:
+      sso:
+        keycloak_clients:
+          - client_name: admin
     asserts:
       - isAPIVersion:
           of: operator.ozgcloud.de/v1
       - isKind:
           of: OzgCloudKeycloakClient
   - it: should have metadata
+    set:
+      sso:
+        keycloak_clients:
+          - client_name: admin
     asserts:
       - equal:
           path: metadata.name
@@ -49,6 +57,10 @@ tests:
           path: metadata.namespace
           value: by-helm-test
   - it: should set keep after delete default to false
+    set:
+      sso:
+        keycloak_clients:
+          - client_name: admin
     asserts:
       - equal:
           path: spec.keep_after_delete
@@ -57,39 +69,73 @@ tests:
     set:
       sso:
         keep_after_delete: true
+        keycloak_clients:
+          - client_name: admin
     asserts:
       - equal:
           path: spec.keep_after_delete
           value: true
   - it: has client name value
+    set:
+      sso:
+        keycloak_clients:
+          - client_name: admin
     asserts:
       - equal:
           path: spec.client_name
           value: admin
   - it: should set client base url
+    set:
+      sso:
+        keycloak_clients:
+          - client_name: admin
     asserts:
       - equal:
           path: spec.client_base_url
           value: https://helm-admin.ozg-sh.de
   - it: should set client redirect uris
+    set:
+      sso:
+        keycloak_clients:
+          - client_name: admin
     asserts:
       - equal:
           path: spec.client_web_origins
           value:
             - https://helm-admin.ozg-sh.de
   - it: should set client web origins
+    set:
+      sso:
+        keycloak_clients:
+          - client_name: admin
     asserts:
       - equal:
           path: spec.client_redirect_uris
           value:
             - https://helm-admin.ozg-sh.de
             - https://helm-admin.ozg-sh.de/*
+  - it: should use additional client web origins
+    set:
+      sso:
+        keycloak_clients:
+          - client_name: admin
+            additional_client_web_origins:
+              - https://some.origin.de
+              - https://some.other.origin.de
+    asserts:
+      - equal:
+          path: spec.client_web_origins
+          value:
+            - https://helm-admin.ozg-sh.de
+            - https://some.origin.de
+            - https://some.other.origin.de
   - it: should use additional redirect uris for client web origins
     set:
       sso:
-        client:
-          additional_redirect_uris:
-            - https://additional.url.de
+        keycloak_clients:
+          - client_name: admin
+            additional_redirect_uris:
+              - https://additional.url.de
     asserts:
       - equal:
           path: spec.client_redirect_uris
@@ -100,7 +146,9 @@ tests:
   - it: should not create client cr if ozg operator is disabled
     set:
       sso:
+        keycloak_clients:
+          - client_name: admin
         disableOzgOperator: true
     asserts:
       - hasDocuments:
-          count: 0
\ No newline at end of file
+          count: 0