Merge branch 'master' of git.ozg-sh.de:ozgcloud-app/eingang-manager

src/main/helm/templates/deployment.yaml

@@ -113,6 +113,17 @@ spec:
           periodSeconds: 5
           successThreshold: 1
           timeoutSeconds: 5
+        {{- if .Values.enableLivenessProbe }}
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /actuator/health/liveness
+            port: 8081
+            scheme: HTTP
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 3
+        {{- end }}
         resources:
         {{- with .Values.resources }}
 {{ toYaml . | indent 10 }}
@@ -128,6 +139,10 @@ spec:
           {{- with (.Values.securityContext).runAsGroup }}
           runAsGroup: {{ . }}
           {{- end }}
+          {{- with (.Values.securityContext).capabilities }}
+          capabilities:
+{{ toYaml . | indent 12 }}
+          {{- end }}
         stdin: true
         terminationMessagePath: /dev/termination-log
         terminationMessagePolicy: File
@@ -152,5 +167,8 @@ spec:
 {{ toYaml . | indent 8 }}
       {{- end }}
       schedulerName: default-scheduler
-      securityContext: {}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+{{ toYaml . | indent 8 }}
+      {{- end }}
       terminationGracePeriodSeconds: 30
\ No newline at end of file

src/main/helm/templates/ingress.yaml

@@ -27,20 +27,20 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   annotations:
-    {{- if (.Values.ingress).certManagerAnnotations -}}
-    {{- range (.Values.ingress).certManagerAnnotations }}
-{{ . | indent 4 }}
+    {{- with (.Values.ingress).annotations }}
+{{ toYaml . | indent 4 }}
     {{- end }}
-    {{- else if (.Values.ingress).use_staging_cert }}
+    {{- if not (.Values.ingress).disableDefaultCertManager }}
+    {{- if (.Values.ingress).use_staging_cert }}
     cert-manager.io/cluster-issuer: letsencrypt-staging
     {{- else }}
     cert-manager.io/cluster-issuer: letsencrypt-prod
     {{- end }}
-    nginx.ingress.kubernetes.io/proxy-body-size: 42m
+    {{- end }}
   name: {{ .Release.Name }}
   namespace: {{ include "app.namespace" . }}
 spec:
-  {{- if and (.Values.ingress).className (ne (.Values).cluster_env "dataport") }}
+  {{- if and (.Values.ingress).className }}
   ingressClassName: {{ .Values.ingress.className }}
   {{- end }}
   rules:
@@ -57,9 +57,11 @@ spec:
   tls:
     - hosts:
       - {{ include "app.ingress.host" . }}
+      {{- if not (.Values.ingress).skipTlsSecret -}}
       {{- if (.Values.ingress).tlsSecretName }}
       secretName: {{ (.Values.ingress).tlsSecretName }}
-      {{- else if ne (.Values).cluster_env "dataport" }}
+      {{- else }}
       secretName: {{ .Values.ozgcloud.bezeichner }}-{{ .Release.Name }}-tls
       {{- end }}
+      {{- end }}
 {{- end -}}
\ No newline at end of file

src/main/helm/values.yaml

@@ -22,8 +22,6 @@
 # unter der Lizenz sind dem Lizenztext zu entnehmen.
 #
 
-cluster_env: ""
-
 baseUrl: test.sh.ozg-cloud.de
 
 image:

src/test/helm/deployment_container_security_context_test.yaml

@@ -51,6 +51,10 @@ tests:
           path: spec.template.spec.containers[0].securityContext.runAsUser
       - isNull:
           path: spec.template.spec.containers[0].securityContext.runAsGroup
+      - isNull:
+          path: spec.template.spec.securityContext.fsGroup
+      - isNull:
+          path: spec.template.spec.containers[0].securityContext.capabilities
   - it: check runAsUser
     set:
       securityContext.runAsUser: 1000
@@ -64,4 +68,23 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].securityContext.runAsGroup
-          value: 1000
\ No newline at end of file
+          value: 1000
+  - it: check fsGroup
+    set:
+      podSecurityContext.fsGroup: 1000
+    asserts:
+      - equal:
+          path: spec.template.spec.securityContext.fsGroup
+          value: 1000
+  - it: check capabilities
+    set:
+      securityContext:
+        capabilities:
+          drop:
+            - ALL
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].securityContext.capabilities
+          value:
+            drop:
+              - ALL
\ No newline at end of file

src/test/helm/deployment_liveness_probe_test.yaml

+#
+# Copyright (C) 2022 Das Land Schleswig-Holstein vertreten durch den
+# Ministerpräsidenten des Landes Schleswig-Holstein
+# Staatskanzlei
+# Abteilung Digitalisierung und zentrales IT-Management der Landesregierung
+#
+# Lizenziert unter der EUPL, Version 1.2 oder - sobald
+# diese von der Europäischen Kommission genehmigt wurden -
+# Folgeversionen der EUPL ("Lizenz");
+# Sie dürfen dieses Werk ausschließlich gemäß
+# dieser Lizenz nutzen.
+# Eine Kopie der Lizenz finden Sie hier:
+#
+# https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12
+#
+# Sofern nicht durch anwendbare Rechtsvorschriften
+# gefordert oder in schriftlicher Form vereinbart, wird
+# die unter der Lizenz verbreitete Software "so wie sie
+# ist", OHNE JEGLICHE GEWÄHRLEISTUNG ODER BEDINGUNGEN -
+# ausdrücklich oder stillschweigend - verbreitet.
+# Die sprachspezifischen Genehmigungen und Beschränkungen
+# unter der Lizenz sind dem Lizenztext zu entnehmen.
+#
+
+suite: test deployment
+templates:
+  - templates/deployment.yaml
+set:
+  ozgcloud.environment: test
+tests:
+  - it: livenessProbe should be disabled by default
+    template: deployment.yaml
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].livenessProbe
+
+  - it: enable livenessProbe
+    template: deployment.yaml
+    set:
+      enableLivenessProbe: true
+    asserts:
+      - isSubset:
+          path: spec.template.spec.containers[0].livenessProbe
+          content:
+            failureThreshold: 3
+            httpGet:
+              path: /actuator/health/liveness
+              port: 8081
+              scheme: HTTP
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 3

src/test/helm/ingress-nginx-tests.yaml

@@ -48,27 +48,13 @@ tests:
           path: spec.tls[0].secretName
           value: helm-fs-adapter-tls
 
-  - it: should not create afm ingress tls/ingressClass
-    release:
-      name: afm-adapter
-    set:
-      cluster_env: dataport
-    asserts:
-      - isNull:
-          path: spec.ingressClassName
-      - isNull:
-          path: spec.tls[0].secretName
-  - it: should not create afm ingress tls/ingressClass
-    release:
-      name: fs-adapter
+  - it: should not set secretName
     set:
-      image.name: formsolutions-adapter
-      cluster_env: dataport
+      ingress.skipTlsSecret: true
     asserts:
-      - isNull:
-          path: spec.ingressClassName
       - isNull:
           path: spec.tls[0].secretName
+
   - it: should not set ingressClassName
     asserts:
       - isNull:

src/test/helm/ingress_test.yaml

@@ -128,7 +128,19 @@ tests:
       - equal:
           path: metadata.annotations["cert-manager.io/cluster-issuer"]
           value: letsencrypt-prod
-  - it: should set proxy body size to 42m
+
+  - it: should disable default cert-manager
+    set:
+      ingress.disableDefaultCertManager: true
+    asserts:
+      - notExists:
+          path: metadata.annotations["cert-manager.io/cluster-issuer"]
+
+  - it: should set ingress annotation proxy body size to 42m
+    set:
+      ingress:
+        annotations:
+          nginx.ingress.kubernetes.io/proxy-body-size: 42m
     asserts:
       - equal:
           path: metadata.annotations["nginx.ingress.kubernetes.io/proxy-body-size"]

xta-adapter/src/main/helm/templates/xta_adapter_cronjob.yaml

@@ -64,7 +64,7 @@ spec:
                 - name: ozgcloud_xta_server_protocol
                   value: {{ (.Values.xta).server.protocol }}
                 - name: ozgcloud_xta_identifier
-                  value: {{ (.Values.xta).identifier }}
+                  value: {{ quote (.Values.xta).identifier }}
                 - name: ozgcloud_xta_keystore_file
                   value: "keystore/xta-keystore.p12"
                 - name: ozgcloud_xta_keystore_password
@@ -111,6 +111,10 @@ spec:
                 {{- with (.Values.securityContext).runAsGroup }}
                 runAsGroup: {{ . }}
                 {{- end }}
+                {{- with (.Values.securityContext).capabilities }}
+                capabilities:
+{{ toYaml . | indent 18 }}
+                {{- end }}
               resources:
               {{- with .Values.resources }}
 {{ toYaml . | indent 16 }}
@@ -163,4 +167,8 @@ spec:
             - name: {{ .Values.imagePullSecret }}
             {{ else }}
             - name: {{ .Release.Name }}-image-pull-secret
-            {{- end }}
\ No newline at end of file
+            {{- end }}
+          {{- with .Values.podSecurityContext }}
+          securityContext:
+{{ toYaml . | indent 12 }}
+          {{- end }}
\ No newline at end of file

xta-adapter/src/test/helm/xta_adapter_cronjob_basic_test.yaml

@@ -105,6 +105,10 @@ tests:
         path: spec.jobTemplate.spec.template.spec.containers[0].securityContext.runAsUser
     - isNull:
         path: spec.jobTemplate.spec.template.spec.containers[0].securityContext.runAsGroup
+    - isNull:
+        path: spec.jobTemplate.spec.template.spec.securityContext.fsGroup
+    - isNull:
+        path: spec.jobTemplate.spec.template.spec.containers[0].securityContext.capabilities
   - it: check runAsUser
     set:
       securityContext.runAsUser: 1000
@@ -127,3 +131,22 @@ tests:
         value: 
           ozg-component: xta-adapter
           workload: xta-adapter-cronjob
+  - it: check fsGroup
+    set:
+      podSecurityContext.fsGroup: 1000
+    asserts:
+      - equal:
+          path: spec.jobTemplate.spec.template.spec.securityContext.fsGroup
+          value: 1000
+  - it: check capabilities
+    set:
+      securityContext:
+        capabilities:
+          drop:
+            - ALL
+    asserts:
+      - equal:
+          path: spec.jobTemplate.spec.template.spec.containers[0].securityContext.capabilities
+          value:
+            drop:
+              - ALL
\ No newline at end of file