Merge pull request 'ozg-3938-grpc-tls' (#561) from ozg-3938-grpc-tls into master

Reviewed-on: https://git.ozg-sh.de/ozgcloud-app/alfa/pulls/561


Reviewed-by: OZGCloud <ozgcloud@mgm-tp.com>

alfa-server/src/main/resources/application-local.yml

@@ -12,6 +12,8 @@ grpc:
     user-manager:
       address: static://127.0.0.1:9000
       negotiationType: PLAINTEXT
+    vorgang-manager:
+      negotiationType: PLAINTEXT
 
 ozgcloud:
   feature:

alfa-server/src/main/resources/application.yml

@@ -57,7 +57,7 @@ grpc:
   client:
     vorgang-manager:
       address: static://127.0.0.1:9090
-      negotiationType: PLAINTEXT
+      negotiationType: TLS
     user-manager:
       address: static://127.0.0.1:9000
       negotiationType: TLS

src/main/helm/templates/deployment.yaml

@@ -72,6 +72,8 @@ spec:
           value: "/bindings"
         - name: grpc_client_vorgang-manager_address
           value: {{ include "app.grpc_client_vorgang_manager_address" . }}
+        - name: grpc_client_vorgang-manager_negotiationType
+          value: {{ (.Values.vorgangManager).grpcClientNegotiationType | default "TLS" }}
         - name: grpc_client_user-manager_address
           value: {{ include "app.grpc_client_user-manager_address" . }}
         - name: grpc_client_user-manager_negotiationType
@@ -176,12 +178,6 @@ spec:
            mountPath: "/bindings/ca-certificates/type"
            subPath: type
            readOnly: true
-        {{- if not .Values.disableUserManagerGrpcTls }}
-         - name: user-manager-tls-certificate
-           mountPath: "/bindings/ca-certificates/user-manager-tls-ca.pem"
-           subPath: ca.crt
-           readOnly: true
-        {{- end }}
          - name: temp-dir
            mountPath: "/tmp"
         {{- if (.Values.sso).tlsCertName }}
@@ -190,15 +186,13 @@ spec:
            subPath: tls.crt
            readOnly: true
         {{- end }}
+         - name: namespace-ca-cert
+           mountPath: "/bindings/namespace-certificate"
+           readOnly: true
       volumes:
          - name: bindings
            configMap:
               name: alfa-bindings-type
-        {{- if not .Values.disableUserManagerGrpcTls }}
-         - name: user-manager-tls-certificate
-           secret:
-              secretName: user-manager-tls-cert
-        {{- end }}
          - name: temp-dir
            emptyDir: {}
         {{- if (.Values.sso).tlsCertName }}
@@ -206,6 +200,17 @@ spec:
            secret:
               secretName: {{ .Values.sso.tlsCertName }}
         {{- end }}
+         - name: namespace-ca-cert
+           projected:
+             sources:
+             - secret:
+                 name: {{ include "app.namespace" . }}-ca-cert
+                 optional: true
+                 items:
+                   - key: ca.crt
+                     path: ca.crt
+             - configMap:
+                 name: alfa-bindings-type
       dnsConfig: {}
       dnsPolicy: ClusterFirst
       imagePullSecrets:

src/test/helm/deployment_bindings_test.yaml

@@ -38,7 +38,7 @@ set:
   baseUrl: test.company.local
   imagePullSecret: image-pull-secret
 tests:
-  - it: should have volumes
+  - it: should have volume mounts
     set: 
        usermanagerName: user-manager
     asserts:
@@ -49,13 +49,6 @@ tests:
             mountPath: "/bindings/ca-certificates/type"
             subPath: type
             readOnly: true
-      - contains:
-          path: spec.template.spec.containers[0].volumeMounts
-          content:
-            name: user-manager-tls-certificate
-            mountPath: "/bindings/ca-certificates/user-manager-tls-ca.pem"
-            subPath: ca.crt
-            readOnly: true
       - contains:
           path: spec.template.spec.containers[0].volumeMounts
           content:
@@ -68,7 +61,13 @@ tests:
             mountPath: "/bindings/ca-certificates/ssl-tls-ca.pem"
             subPath: ca.crt
             readOnly: true
-  - it: should have volume mounts
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: namespace-ca-cert
+            mountPath: "/bindings/namespace-certificate"
+            readOnly: true
+  - it: should have volumes
     set: 
        usermanagerName: user-manager
     asserts:
@@ -78,12 +77,6 @@ tests:
             name: bindings
             configMap:
               name: alfa-bindings-type
-      - contains:
-          path: spec.template.spec.volumes
-          content:
-            name: user-manager-tls-certificate
-            secret:
-              secretName: user-manager-tls-cert
       - contains:
           path: spec.template.spec.volumes
           content:
@@ -93,6 +86,20 @@ tests:
           path: spec.template.spec.volumes
           content:
             name: sso-tls-certificate
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+              name: namespace-ca-cert
+              projected:
+                sources:
+                  - secret:
+                      items:
+                        - key: ca.crt
+                          path: ca.crt
+                      name: sh-helm-test-ca-cert
+                      optional: true
+                  - configMap:
+                      name: alfa-bindings-type
   - it: should have sso tls cert mount
     set:
       usermanagerName: user-manager

src/test/helm/deployment_defaults_env_test.yaml

@@ -132,3 +132,21 @@ tests:
           content:
             name: grpc_client_user-manager_negotiationType
             value: TLS
+
+  - it: should set vorgang-manager negotiationType plaintext
+    set:
+      vorgangManager.grpcClientNegotiationType: PLAINTEXT
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: grpc_client_vorgang-manager_negotiationType
+            value: PLAINTEXT
+
+  - it: should contain default vorgang-manager negotiationType tls
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: grpc_client_vorgang-manager_negotiationType
+            value: TLS