From 50d53485afdde6dcb05c53868f7784d857049601 Mon Sep 17 00:00:00 2001
From: OZGCloud <ozgcloud@mgm-tp.com>
Date: Thu, 18 Apr 2024 16:32:01 +0200
Subject: [PATCH] ozg-3938 grpc tls
---
 .../src/main/resources/application-local.yml | 2 ++
 .../src/main/resources/application.yml | 2 +-
 src/main/helm/templates/deployment.yaml | 20 ++++++-------
 src/test/helm/deployment_bindings_test.yaml | 30 +++++++++----------
 .../helm/deployment_defaults_env_test.yaml | 18 +++++++++++
 5 files changed, 45 insertions(+), 27 deletions(-)
diff --git a/alfa-server/src/main/resources/application-local.yml b/alfa-server/src/main/resources/application-local.yml
index 6e08f1833d..12a55bb104 100644
--- a/alfa-server/src/main/resources/application-local.yml
+++ b/alfa-server/src/main/resources/application-local.yml
@@ -12,6 +12,8 @@ grpc:
 user-manager:
 address: static://127.0.0.1:9000
 negotiationType: PLAINTEXT
+ vorgang-manager:
+ negotiationType: PLAINTEXT
 ozgcloud:
 feature:
diff --git a/alfa-server/src/main/resources/application.yml b/alfa-server/src/main/resources/application.yml
index 37fafad40e..8e17178fea 100644
--- a/alfa-server/src/main/resources/application.yml
+++ b/alfa-server/src/main/resources/application.yml
@@ -57,7 +57,7 @@ grpc:
 client:
 vorgang-manager:
 address: static://127.0.0.1:9090
- negotiationType: PLAINTEXT
+ negotiationType: TLS
 user-manager:
 address: static://127.0.0.1:9000
 negotiationType: TLS
diff --git a/src/main/helm/templates/deployment.yaml b/src/main/helm/templates/deployment.yaml
index b101df4656..6c4661c8d6 100644
--- a/src/main/helm/templates/deployment.yaml
+++ b/src/main/helm/templates/deployment.yaml
@@ -72,6 +72,8 @@ spec:
 value: "/bindings"
 - name: grpc_client_vorgang-manager_address
 value: {{ include "app.grpc_client_vorgang_manager_address" . }}
+ - name: grpc_client_vorgang-manager_negotiationType
+ value: {{ (.Values.vorgangManager).grpcClientNegotiationType | default "TLS" }}
 - name: grpc_client_user-manager_address
 value: {{ include "app.grpc_client_user-manager_address" . }}
 - name: grpc_client_user-manager_negotiationType
@@ -170,12 +172,6 @@ spec:
 mountPath: "/bindings/ca-certificates/type"
 subPath: type
 readOnly: true
- {{- if not .Values.disableUserManagerGrpcTls }}
- - name: user-manager-tls-certificate
- mountPath: "/bindings/ca-certificates/user-manager-tls-ca.pem"
- subPath: ca.crt
- readOnly: true
- {{- end }}
 - name: temp-dir
 mountPath: "/tmp"
 {{- if (.Values.sso).tlsCertName }}
@@ -184,15 +180,13 @@ spec:
 subPath: tls.crt
 readOnly: true
 {{- end }}
+ - name: namespace-ca-cert
+ mountPath: "/bindings/ca-certificates/"
+ readOnly: true
 volumes:
 - name: bindings
 configMap:
 name: alfa-bindings-type
- {{- if not .Values.disableUserManagerGrpcTls }}
- - name: user-manager-tls-certificate
- secret:
- secretName: user-manager-tls-cert
- {{- end }}
 - name: temp-dir
 emptyDir: {}
 {{- if (.Values.sso).tlsCertName }}
@@ -200,6 +194,10 @@ spec:
 secret:
 secretName: {{ .Values.sso.tlsCertName }}
 {{- end }}
+ - name: namespace-ca-cert
+ secret:
+ secretName: {{ .Release.Namespace }}-ca-cert
+ optional: true
 dnsConfig: {}
 dnsPolicy: ClusterFirst
 imagePullSecrets:
diff --git a/src/test/helm/deployment_bindings_test.yaml b/src/test/helm/deployment_bindings_test.yaml
index fc77e8acfc..39f9cb582e 100644
--- a/src/test/helm/deployment_bindings_test.yaml
+++ b/src/test/helm/deployment_bindings_test.yaml
@@ -38,7 +38,7 @@ set:
 baseUrl: test.company.local
 imagePullSecret: image-pull-secret
 tests:
- - it: should have volumes
+ - it: should have volume mounts
 set:
 usermanagerName: user-manager
 asserts:
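Review bot: The new `grpc_client_vorgang-manager_negotiationType` entry forwards `.Values.vorgangManager.grpcClientNegotiationType` unvalidated and unquoted, so a typo such as `tls` or `plaintext` in values renders fine and is presumably only rejected when the gRPC client parses it at application start, not at `helm template`/`helm install`. Because this single value decides whether vorgang-manager traffic is encrypted, I would restrict it at render time to the two values the chart and the Spring profiles actually use and quote the scalar like the surrounding literals. The `grpc_client_user-manager_negotiationType` value line sits outside the hunk; the same guard applies there.
```yaml
        # … unchanged: grpc_client_vorgang-manager_address entry …
        {{- $vmNegotiation := (.Values.vorgangManager).grpcClientNegotiationType | default "TLS" }}
        {{- if not (has $vmNegotiation (list "TLS" "PLAINTEXT")) }}
        {{- fail (printf "vorgangManager.grpcClientNegotiationType must be TLS or PLAINTEXT, got %q" $vmNegotiation) }}
        {{- end }}
        - name: grpc_client_vorgang-manager_negotiationType
          value: {{ $vmNegotiation | quote }}
```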
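Review bot: The new `namespace-ca-cert` mount in the `@@ -184,15 +180,13 @@` hunk projects the whole secret at `/bindings/ca-certificates/` with no `subPath`, so every key of `<namespace>-ca-cert` becomes a file in the container; if that secret also carries the issuing key (cert-manager-style CA secrets often hold `ca.crt`, `tls.crt` and `tls.key` — not visible here), the CA private key is now shipped into every alfa pod, whereas the removed `user-manager-tls-certificate` mount exposed only `subPath: ca.crt`. I would mount just the certificate, mirroring the removed lines and the `ssl-tls-ca.pem` mount above it: `mountPath: "/bindings/ca-certificates/namespace-ca.pem"` plus `subPath: ca.crt`. Mounting a read-only volume over the directory that already receives `type` and `ssl-tls-ca.pem` as single-file mounts also nests those file mounts inside it; whether the runtime can create those mount points should be checked on a rendered pod rather than assumed. With both `disableUserManagerGrpcTls` conditionals gone, that value is a silent no-op for the mounts and should be removed from values/README or explicitly rejected.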
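Review bot: `optional: true` on the `namespace-ca-cert` volume in the `@@ -200,6 +194,10 @@` hunk hides a missing `{{ .Release.Namespace }}-ca-cert` secret at scheduling time, while this commit defaults both gRPC clients to TLS and drops the dedicated user-manager CA mount; a pod in a namespace without that secret starts and then fails at the first gRPC call (or, depending on how the binding is consumed, silently falls back to the system trust store) instead of staying Pending with a clear event. I would tie the optionality to the negotiation type, e.g. `optional: {{ eq ((.Values.vorgangManager).grpcClientNegotiationType | default "TLS") "PLAINTEXT" }}`, or at least add a template comment stating why the CA secret may legitimately be absent. The user-manager negotiation type comes from a value line outside this hunk, so the condition likely has to cover both clients.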
@@ -49,13 +49,6 @@ tests:
 mountPath: "/bindings/ca-certificates/type"
 subPath: type
 readOnly: true
- - contains:
- path: spec.template.spec.containers[0].volumeMounts
- content:
- name: user-manager-tls-certificate
- mountPath: "/bindings/ca-certificates/user-manager-tls-ca.pem"
- subPath: ca.crt
- readOnly: true
 - contains:
 path: spec.template.spec.containers[0].volumeMounts
 content:
@@ -68,7 +61,13 @@ tests:
 mountPath: "/bindings/ca-certificates/ssl-tls-ca.pem"
 subPath: ca.crt
 readOnly: true
- - it: should have volume mounts
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: namespace-ca-cert
+ mountPath: "/bindings/ca-certificates/"
+ readOnly: true
+ - it: should have volumes
 set:
 usermanagerName: user-manager
 asserts:
@@ -78,12 +77,6 @@ tests:
 name: bindings
 configMap:
 name: alfa-bindings-type
- - contains:
- path: spec.template.spec.volumes
- content:
- name: user-manager-tls-certificate
- secret:
- secretName: user-manager-tls-cert
 - contains:
 path: spec.template.spec.volumes
 content:
@@ -93,6 +86,13 @@ tests:
 path: spec.template.spec.volumes
 content:
 name: sso-tls-certificate
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: namespace-ca-cert
+ secret:
+ secretName: sh-helm-test-ca-cert
+ optional: true
 - it: should have sso tls cert mount
 set:
 usermanagerName: user-manager
diff --git a/src/test/helm/deployment_defaults_env_test.yaml b/src/test/helm/deployment_defaults_env_test.yaml
index 46fa731257..d5e3054594 100644
--- a/src/test/helm/deployment_defaults_env_test.yaml
+++ b/src/test/helm/deployment_defaults_env_test.yaml
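Review bot: In the `@@ -93,6 +86,13 @@` hunk the `user-manager-tls-certificate` assertion was deleted rather than inverted, so nothing in this suite fails if the hard-coded `user-manager-tls-cert` secret is re-introduced next to the new namespace CA volume; the removed `contains` block is a ready-made `notContains`. The same applies to the volumeMounts assertion deleted in the `@@ -49,13 +49,6 @@` hunk. Keeping the negative check makes the intent of this commit — one namespace-scoped CA instead of a per-service secret — testable rather than implied.
```yaml
      # … unchanged: contains asserts for bindings, temp-dir, sso-tls-certificate, namespace-ca-cert …
      - notContains:
          path: spec.template.spec.volumes
          content:
            name: user-manager-tls-certificate
            secret:
              secretName: user-manager-tls-cert
```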
@@ -132,4 +132,22 @@ tests:
 path: spec.template.spec.containers[0].env
 content:
 name: grpc_client_user-manager_negotiationType
+ value: TLS
+
+ - it: should set vorgang-manager negotiationType plaintext
+ set:
+ vorgangManager.grpcClientNegotiationType: PLAINTEXT
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: grpc_client_vorgang-manager_negotiationType
+ value: PLAINTEXT
+
+ - it: should contain default vorgang-manager negotiationType tls
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: grpc_client_vorgang-manager_negotiationType
 value: TLS
\ No newline at end of file
-- GitLab
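Review bot: The file still ends without a trailing newline — the `\ No newline at end of file` marker applies to the kept final `value: TLS` on the new side — so yamllint's `new-line-at-end-of-file` keeps firing and the next appended test will produce the same confusing diff in which the old last line is duplicated as an addition rather than moved. Add the newline after the final `value: TLS`. The PLAINTEXT case only shows that the override is forwarded; since that single value turns off transport encryption, a short comment above `should set vorgang-manager negotiationType plaintext` noting that it is meant for local/test profiles only would document the intended contract.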