Merge branch 'master' of ../helm-migration/goofy/base-apps into OZG-3075-migrate-helm-chart

helm-chart/.helmignore

+unit-tests/
+tests/
\ No newline at end of file

helm-chart/CHANGELOG.md

+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+## [0.2.0] - 2021-11-19
+
+### Added
+
+- OZG-1710: Add Susanne Fischer as stage test user
+- OZG-1710: Activate password reset allowed in keycloak realm
+- OZG-1710: Add VERWALTUNG_USER role to client
+- OZG-1710: Add localhost redirect urls for dev stage deployents for e2e testing
+- Add changelog to project. On upper level this did not make sense. Document version changes in 0.2.0.
+
+### Fixes
+
+- OZG-1719: Revert KeycloakRealm filename to state of version 0.1.14, test keycloakrealm naming to be fixed. Changes to the name of the file deletes and creates the realm at upgrade.
+
+### Removed
+
+- OZG-1710: Remove VERWALTUNG_USER role from realm
+- OZG-1710: Remove VERWALTUNG_USER default role from realm
+
+## [0.1.17] - 2021-11-15

helm-chart/Chart.yaml

+apiVersion: v1
+appVersion: "1.1"
+description: A Helm chart for Goofy
+name: goofy
+version: 0.20.0-SNAPSHOT
+icon: https://simpleicons.org/icons/helm.svg

helm-chart/app-readme.md

+# Goofy
+
+Das helm chart zur Installation des allgemeinen Fachverfahrens - goofy.
+
+## FAQ
+
+### Benutzung beliebiger environment Werte
+
+In jedem der Projekte kann man beliebige weitere environments setzen. Dazu muss man in der jeweiligen values.yaml unter env.customList ein name value Paar setzen:
+
+```yaml
+env:
+  customList:
+    - name: Dinge
+      value: true
+    - name: ...
+      value: ...
+```

helm-chart/questions.yml

+questions:
+  - variable: image.tag
+    default: latest
+    type: string
+    label: The deployed version tag
+    group: "Container"
+  - variable: replicaCount
+    group: "Container"
+    type: string
+    default: "2"
+    label: "Deployment Replica count"
+  - variable: env.overrideSpringProfiles
+    type: string
+    label: "Override Spring boot profile"
+    group: "Container"
+  - variable: kop.bundesland
+    group: "KOP"
+    label: Bundesland
+    type: string
+    required: true
+  - variable: kop.bezeichner
+    group: "KOP"
+    label: "Bezeichner"
+    type: string
+    required: true
+  - variable: kop.environment
+    group: "KOP"
+    label: "Environment"
+    type: string
+    required: true
+  - variable: plutoName
+    group: "Other"
+    type: string
+    default: "pluto"
+    label: "Name of the pluto deployment in the namespace"
+  - variable: sso.role_einheitlicher_ansprechpartner
+    group: "Other"
+    type: boolean
+    default: false
+    label: "Add role for EA"
+  - variable: sso.displayName
+    group: "Other"
+    type: string
+    default: ""
+    label: "The custom display name to write on top of the login page. Defaults to 'Realm für <app.name>', Works on initial Install only."
+  - variable: sso.apiPassword
+    group: "Other"
+    type: string
+    default: " "
+    label: "SSO API User Password"
+  - variable: useKeycloakNamespace
+    group: "Other"
+    type: boolean
+    default: false
+    label: "Use keycloak namespace for keycloak templates"
\ No newline at end of file

helm-chart/templates/_helpers.tpl

+{{/* vim: set filetype=mustache: */}}
+
+{{/* Truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec) */}}
+{{/* Name */}}
+{{- define "app.name" -}}
+{{- default .Release.Name | toString | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/* Namespace */}}
+{{- define "app.namespace" -}}
+{{- default .Release.Namespace | toString | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/* Version */}}
+{{- define "app.version" -}}
+{{- default .Chart.Version | toString | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/* Chart: Name + Version */}}
+{{- define "app.chart" -}}
+{{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end -}}
+
+{{/* Managed-by -> On Helm, this value is always Helm */}}
+{{- define "app.managedBy" -}}
+{{- default .Release.Service | toString | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/* Default Labels: Helm recommended best-practice labels https://helm.sh/docs/chart_best_practices/labels/ */}}
+{{- define "app.defaultLabels" }}
+app.kubernetes.io/instance: goofy
+app.kubernetes.io/managed-by: {{ include "app.managedBy" . }}
+app.kubernetes.io/name: {{ include "app.name" . }}
+app.kubernetes.io/part-of: kop
+app.kubernetes.io/version: {{ include "app.version" . }}
+app.kubernetes.io/namespace: {{ include "app.namespace" . }}
+helm.sh/chart: {{ include "app.chart" . }}
+{{- end -}}
+
+{{- define "app.matchLabels" }}
+app.kubernetes.io/name: {{ include "app.name" . }}
+app.kubernetes.io/namespace: {{ include "app.namespace" . }}
+{{- end -}}
+
+{{- define "app.envSpringProfiles" }}
+{{- if (.Values.env).overrideSpringProfiles -}}
+{{ printf "%s" (.Values.env).overrideSpringProfiles }}
+{{- else -}}
+{{ printf "oc, %s" (include "app.kopEnvironment" . ) }}
+{{- end -}}
+{{- end -}}
+
+{{- define "app.grpc_client_pluto_address" -}}
+{{ printf "%s.%s:9090" ( coalesce .Values.plutoName "pluto" ) .Release.Namespace | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end -}}
+
+{{- define "app.kop_user-manager_url" -}}
+{{- if eq (include "app.kopEnvironment" . ) "prod" -}}
+{{ printf "https://%s-%s.ozg-sh.de" (include "app.kopBezeichner" .) .Values.usermanagerName }}
+{{- else -}}
+{{ printf "https://%s-%s.%s.ozg-sh.de" (include "app.kopBezeichner" .) .Values.usermanagerName (include "app.kopEnvironment" . ) }}
+{{- end -}}
+{{- end -}}
+
+{{- define "app.imagePullSecret" }}
+{{- with .Values.imageCredentials }}
+{{- printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"%s\",\"auth\":\"%s\"}}}" .registry .username .password .email (printf "%s:%s" .username .password | b64enc) | b64enc }}
+{{- end }}
+{{- end }}
+
+{{/* --- region keycoak --- */}} 
+{{/* namespace sh-kiel-dev means <bundesland>-<name>-<level> */}}
+{{/* depending on level the server url is sso.dev.ozg-sh.de or sso.ozg-sh.de  */}}
+{{/* values can be overwritten */}}
+
+{{- define "app.kopBundesland" -}}
+{{- required "Bundesland muss angegeben sein" (.Values.kop).bundesland }}
+{{- end -}}
+
+{{- define "app.kopBezeichner" -}}
+{{ $length := len (.Values.kop).bezeichner }}
+{{- if ge 27 $length -}}
+{{- required "Bezeichner muss angegeben sein" (.Values.kop).bezeichner -}}
+{{- else -}}
+{{ required (printf "Bezichner %s ist zu lang (max. 27 Zeichen)" (.Values.kop).bezeichner) nil }}
+{{- end -}}
+{{- end -}}
+
+{{- define "app.kopEnvironment" -}}
+{{- required "Environment muss angegeben sein" (.Values.kop).environment -}}
+{{- end -}}
+
+{{- define "app.ssoRealm" -}}
+{{ printf "%s-%s-%s" (include "app.kopBundesland" .) ( include "app.kopBezeichner" . ) ( include "app.kopEnvironment" . ) | trunc 63 | trimSuffix "-" }}
+{{- end -}}
+
+{{- define "app.ssoRealmDisplayName" -}}
+{{- if (.Values.sso).displayName -}}
+{{ printf "%s" (.Values.sso).displayName }}
+{{- else if eq (include "app.kopEnvironment" . ) "prod" -}}
+{{ printf "Realm für %s" (include "app.kopBezeichner" . | title ) }}
+{{- else -}}
+{{ printf "Realm für %s (%s)" (include "app.kopBezeichner" . | title ) (include "app.kopEnvironment" .) }}
+{{- end -}}
+{{- end -}}
+
+{{- define "app.ssoServerUrl" -}}
+{{- if (.Values.sso).serverUrl -}}
+{{- printf "%s" .Values.sso.serverUrl -}}
+{{- else if eq (include "app.kopEnvironment" . ) "dev" -}} 
+{{ printf "https://sso.dev.ozg-sh.de" }}
+{{- else if eq (include "app.kopEnvironment" . ) "test" -}}
+{{ printf "https://sso.test.ozg-sh.de" }}
+{{- else -}}
+{{ printf "https://sso.ozg-sh.de" }}
+{{- end -}}
+{{- end -}}
+
+{{- define "app.baseUrl" -}}
+{{- if .Values.host -}}
+{{- printf "%s" .Values.host -}}
+{{- else if eq (include "app.kopEnvironment" . ) "prod" -}}
+{{ printf "https://%s.ozg-sh.de" (include "app.kopBezeichner" .) }}
+{{- else -}}
+{{ printf "https://%s.%s.ozg-sh.de" (include "app.kopBezeichner" .) (include "app.kopEnvironment" . ) }}
+{{- end -}}
+{{- end -}}
+
+{{- define "app.keycloakClientId" -}}
+{{ printf "%s-%s-%s-%s" (include "app.kopBundesland" .) ( include "app.kopBezeichner" . ) ( include "app.kopEnvironment" . ) ( include "app.name" . ) | trunc 63 | trimSuffix "-" }}
+{{- end -}}
+
+{{- define "app.resources" }}
+{{- if eq (include "app.kopEnvironment" . ) "prod" }}
+  limits:
+    cpu: "500m"
+    memory: "1000Mi"
+  requests:
+    cpu: "50m"
+    memory: "250Mi"
+{{- else }}
+  limits:
+    cpu: "500m"
+    memory: "1000Mi"
+  requests:
+    cpu: "50m"
+    memory: "250Mi"
+{{- end }}
+{{- end -}}

helm-chart/templates/deployment.yaml

+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "app.name" . }}
+  namespace: {{ include "app.namespace" . }}
+  labels:
+    {{- include "app.defaultLabels" . | indent 4 }}
+spec:
+  progressDeadlineSeconds: 600
+  replicas: {{ .Values.replicaCount }}
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      {{- include "app.matchLabels" . | indent 6 }}
+  strategy:
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        {{- include "app.defaultLabels" . | indent 8 }}
+        component: goofy
+    spec:
+      topologySpreadConstraints:
+      - maxSkew: 1
+        topologyKey: kubernetes.io/hostname
+        whenUnsatisfiable: ScheduleAnyway
+        labelSelector:
+          matchLabels:
+            app.kubernetes.io/name: {{ include "app.name" . }}
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: goofyable
+                operator: NotIn
+                values:
+                - "false"
+      containers:
+      - env:
+        - name: grpc_client_pluto_address
+          value: {{ include "app.grpc_client_pluto_address" . }}
+        - name: spring_profiles_active
+          value: {{ include "app.envSpringProfiles" . }}
+        - name: keycloak_realm
+          value: {{ include "app.ssoRealm" . }}
+        - name: keycloak_resource
+          value: {{ include "app.keycloakClientId" . }}
+        - name: keycloak_auth-server-url
+          value: {{ include "app.ssoServerUrl" . }}
+        - name: goofy_keycloak_api_password
+          value: {{ required "A sso apiPassword is required!" (.Values.sso).apiPassword }}
+        - name: kop_user-manager_url
+          value: {{ include "app.kop_user-manager_url" . }}
+        {{- with (.Values.env).customList }}
+{{ toYaml . | indent 8 }}
+        {{- end }}
+        image: "{{ .Values.image.repo }}/{{ .Values.image.name }}:{{ coalesce (.Values.image).tag "latest" }}"
+        imagePullPolicy: Always
+        name: goofy
+        ports:
+        - containerPort: 8080
+          name: 8080tcp1
+          protocol: TCP
+        - containerPort: 8081
+          name: metrics
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /actuator/health/readiness
+            port: 8081
+            scheme: HTTP
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 3
+        startupProbe:
+          failureThreshold: 10
+          httpGet:
+            path: /actuator/health/readiness
+            port: 8081
+            scheme: HTTP
+          initialDelaySeconds: 30
+          periodSeconds: 5
+          successThreshold: 1
+          timeoutSeconds: 5
+        resources:
+          {{- include "app.resources" . | indent 8 }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          privileged: false
+          readOnlyRootFilesystem: false
+          runAsNonRoot: false
+        stdin: true
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        tty: true
+      dnsConfig: {}
+      dnsPolicy: ClusterFirst
+      imagePullSecrets:
+      - name: goofy-image-pull-secret
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      securityContext: {}
+      terminationGracePeriodSeconds: 30

helm-chart/templates/image-pull-secret.yaml

+apiVersion: v1
+kind: Secret
+metadata:
+  name: goofy-image-pull-secret
+  namespace: {{ include "app.namespace" . }}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ include "app.imagePullSecret" . }}
\ No newline at end of file

helm-chart/templates/ingress.yaml

+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  {{- with .Values.ingressAnnotations }}
+  annotations: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ include "app.name" . }}
+  namespace: {{ include "app.namespace" . }}
+spec:
+  rules:
+    - http:
+        paths:
+          - backend:
+              service:
+                port:
+                  number: 8080
+                name: {{ include "app.name" . }}
+            path: ''
+            pathType: ImplementationSpecific
+      host: {{ trimPrefix "https://" ( include "app.baseUrl" . ) }}
+  tls:
+    - hosts:
+      - {{ trimPrefix "https://" ( include "app.baseUrl" . ) }}
\ No newline at end of file

helm-chart/templates/service.yaml

+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "app.name" . }}
+  namespace: {{ include "app.namespace" . }}
+  labels:
+    {{- include "app.defaultLabels" . | indent 4 }}
+    component: goofy-service
+spec:
+  type: ClusterIP
+  ports:
+    - name: http
+      port: 8080
+      protocol: TCP
+      targetPort: 8080
+    - name: metrics
+      port: 8081
+      protocol: TCP
+  selector:
+    {{- include "app.matchLabels" . | indent 4 }}
+    component: goofy
\ No newline at end of file

helm-chart/templates/service_monitor.yaml

+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "app.name" . }}
+  namespace: {{ include "app.namespace" . }}
+  labels:
+    {{- include "app.defaultLabels" . | indent 4 }}
+    component: goofy-service-monitor
+spec:
+  endpoints:
+  - port: metrics
+    path: /actuator/prometheus
+  namespaceSelector:
+    matchNames:
+    - {{ include "app.namespace" . }}
+  selector:
+    matchLabels:
+      {{- include "app.matchLabels" . | indent 6 }}
+      component: goofy-service
\ No newline at end of file

helm-chart/templates/tests/test-ingress-connection.yaml

+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ include "app.name" . }}-test-ingress"
+  labels:
+    {{- include "app.matchLabels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test
+spec:
+  containers:
+    - name: wget
+      image: busybox
+      command: ['wget']
+      args: 
+        - {{ include "app.baseUrl" . }}
+  restartPolicy: Never

helm-chart/templates/tests/test-service-connection.yaml

+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ include "app.name" . }}-test-connection"
+  labels:
+    {{- include "app.matchLabels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test
+spec:
+  containers:
+    - name: wget
+      image: busybox
+      command: ['wget']
+      args: ['{{ include "app.name" . }}:8080']
+  restartPolicy: Never

helm-chart/test-values.yaml

+kop:
+  bundesland: sh
+  bezeichner: helm
+  environment: test
+
+sso:
+  apiPassword: test1234

helm-chart/unit-tests/deployment_defaults_affinity_test.yaml

+suite: test deployment
+release:
+  name: goofy
+  namespace: sh-helm-test
+templates:
+  - templates/deployment.yaml
+tests:
+  - it: should work
+    set:
+      kop.bundesland: sh
+      kop.bezeichner: helm
+      kop.environment: test
+      sso.apiPassword: test1234
+    asserts:
+      - isKind:
+          of: Deployment
+      - equal:
+          path: spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].key
+          value: goofyable
+      - equal:
+          path: spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].operator
+          value: NotIn
+      - equal:
+          path: spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].values[0]
+          value: "false"

helm-chart/unit-tests/deployment_defaults_annotaion_test.yaml

+suite: test deployment
+release:
+  name: goofy
+  namespace: sh-helm-test
+templates:
+  - templates/ingress.yaml
+tests:
+  - it: check ingress annotaions if traefik v2
+    set:
+      kop.bundesland: sh
+      kop.bezeichner: helm
+      kop.environment: test
+    asserts:
+      - isKind:
+          of: Ingress
+      - equal:
+          path: metadata.annotations.[kubernetes.io/ingress.class]
+          value: traefik
+      - equal:
+          path: metadata.annotations.[traefik.ingress.kubernetes.io/router.entrypoints]
+          value: websecure
+      - equal:
+          path: metadata.annotations.[traefik.ingress.kubernetes.io/router.tls]
+          value: "true"
\ No newline at end of file

helm-chart/unit-tests/deployment_defaults_env_test.yaml

+suite: test deployment
+release:
+  name: goofy
+  namespace: sh-helm-prod
+templates:
+  - templates/deployment.yaml
+tests:
+  - it: check default values
+    set:
+      kop.bundesland: sh
+      kop.bezeichner: helm
+      kop.environment: prod
+      sso.apiPassword: test1234
+    asserts:
+      - isKind:
+          of: Deployment
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: grpc_client_pluto_address
+            value: pluto.sh-helm-prod:9090
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: spring_profiles_active
+            value: oc, prod
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: keycloak_realm
+            value: sh-helm-prod
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: keycloak_resource
+            value: sh-helm-prod-goofy      
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: keycloak_auth-server-url
+            value: https://sso.ozg-sh.de
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: goofy_keycloak_api_password
+            value: test1234
\ No newline at end of file

helm-chart/unit-tests/deployment_defaults_labels_test.yaml

+suite: test deployment
+release:
+  name: goofy
+  namespace: sh-helm-test
+templates:
+  - templates/deployment.yaml
+  - templates/service_monitor.yaml
+  - templates/service.yaml
+tests:
+  - it: check default labels
+    set:
+      kop.bundesland: sh
+      kop.bezeichner: helm
+      kop.environment: test
+      sso.apiPassword: test1234
+    asserts:
+      - equal:
+          path: metadata.labels.[app.kubernetes.io/instance]
+          value: goofy
+      - equal:
+          path: metadata.labels.[app.kubernetes.io/name]
+          value: goofy
+      - equal:
+          path: metadata.labels.[app.kubernetes.io/part-of]
+          value: kop
+      - equal:
+          path: metadata.labels.[app.kubernetes.io/namespace]
+          value: sh-helm-test

helm-chart/unit-tests/deployment_defaults_spec_containers_health_test.yaml

+suite: test deployment
+release:
+  name: goofy
+  namespace: sh-helm-test
+templates:
+  - templates/deployment.yaml
+tests:
+  - it: should work
+    set:
+      kop.bundesland: sh
+      kop.bezeichner: helm
+      kop.environment: test
+      sso.apiPassword: test1234
+    asserts:
+      - isKind:
+          of: Deployment
+      - equal:
+          path: spec.template.spec.containers[0].readinessProbe.failureThreshold
+          value: 3
+      - equal:
+          path: spec.template.spec.containers[0].readinessProbe.httpGet.path
+          value: /actuator/health/readiness
+      - equal:
+          path: spec.template.spec.containers[0].readinessProbe.httpGet.port
+          value: 8081
+      - equal:
+          path: spec.template.spec.containers[0].readinessProbe.httpGet.scheme
+          value: HTTP
+      - equal:
+          path: spec.template.spec.containers[0].readinessProbe.periodSeconds
+          value: 10
+      - equal:
+          path: spec.template.spec.containers[0].readinessProbe.successThreshold
+          value: 1
+      - equal:
+          path: spec.template.spec.containers[0].readinessProbe.timeoutSeconds
+          value: 3  
+      - equal:
+          path: spec.template.spec.containers[0].startupProbe.failureThreshold
+          value: 10
+      - equal:
+          path: spec.template.spec.containers[0].startupProbe.httpGet.path
+          value: /actuator/health/readiness
+      - equal:
+          path: spec.template.spec.containers[0].startupProbe.httpGet.port
+          value: 8081
+      - equal:
+          path: spec.template.spec.containers[0].startupProbe.httpGet.scheme
+          value: HTTP
+      - equal:
+          path: spec.template.spec.containers[0].startupProbe.initialDelaySeconds
+          value: 30
+      - equal:
+          path: spec.template.spec.containers[0].startupProbe.periodSeconds
+          value: 5
+      - equal:
+          path: spec.template.spec.containers[0].startupProbe.successThreshold
+          value: 1
+      - equal:
+          path: spec.template.spec.containers[0].startupProbe.timeoutSeconds
+          value: 5
+      
\ No newline at end of file