diff --git a/src/main/helm/templates/deployment.yaml b/src/main/helm/templates/deployment.yaml
index 83555f3672f28cf2bb9c537538efefff166c54fe..700bdd9fb705ff655998f12c23c3af4dfb1cde54 100644
--- a/src/main/helm/templates/deployment.yaml
+++ b/src/main/helm/templates/deployment.yaml
@@ -113,6 +113,17 @@ spec:
 periodSeconds: 5
 successThreshold: 1
 timeoutSeconds: 5
+ {{- if .Values.enableLivenessProbe }}
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /actuator/health/liveness
+ port: 8081
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 3
+ {{- end }}
 resources:
 {{- with .Values.resources }}
 {{ toYaml . | indent 10 }}
@@ -128,6 +139,10 @@ spec:
 {{- with (.Values.securityContext).runAsGroup }}
 runAsGroup: {{ . }}
 {{- end }}
+ {{- with (.Values.securityContext).capabilities }}
+ capabilities:
+{{ toYaml . | indent 12 }}
+ {{- end }}
 stdin: true
 terminationMessagePath: /dev/termination-log
 terminationMessagePolicy: File
@@ -152,5 +167,8 @@ spec:
 {{ toYaml . | indent 8 }}
 {{- end }}
 schedulerName: default-scheduler
- securityContext: {}
+ {{- with .Values.podSecurityContext }}
+ securityContext:
+{{ toYaml . | indent 8 }}
+ {{- end }}
 terminationGracePeriodSeconds: 30
\ No newline at end of file
diff --git a/src/main/helm/templates/ingress.yaml b/src/main/helm/templates/ingress.yaml
index d04a5339b339305216839079f193bd7f4de0c012..fa2ba46fea9549d096b59469ce9a3ac821883986 100644
--- a/src/main/helm/templates/ingress.yaml
+++ b/src/main/helm/templates/ingress.yaml
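Review bot: The new livenessProbe carries no `initialDelaySeconds` and the hunk adds no startupProbe, so with `failureThreshold: 3` and `periodSeconds: 10` the kubelet restarts the container if /actuator/health/liveness is not reachable within roughly 30 s of container start, which a cold JVM start can exceed. If the chart has no startupProbe elsewhere, add `initialDelaySeconds: <STARTUP_BUDGET_SECONDS>` (placeholder, size it to the measured start-up time) under the probe. `.Values.enableLivenessProbe` is also undeclared in the values.yaml hunk of this diff, so its default and the port it probes should be documented there, e.g. `enableLivenessProbe: false  # opt-in HTTP liveness probe against the actuator endpoint on port 8081`. The container spec this probe belongs to starts and ends outside the hunk.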
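Review bot: Neither `(.Values.securityContext).capabilities` nor `.Values.podSecurityContext` receives a default in this diff, so a release installed with stock values still runs with the runtime's default capability set and no pod-level securityContext, and the new isNull tests pin that as the expected default; the same holds for the two xta_adapter_cronjob.yaml hunks further down. If hardening is the goal, declare the baseline in values.yaml so it is opt-out rather than opt-in, e.g. `securityContext:` with `capabilities:` / `drop: [ALL]` and a `podSecurityContext` block with `runAsNonRoot: true`, and adjust the tests accordingly. Replacing the unconditional `securityContext: {}` in the third hunk by the `with` block is behaviour-neutral when the value is unset, since Kubernetes treats an absent pod securityContext like an empty one. The enclosing container and pod specs start outside these hunks.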
@@ -27,20 +27,20 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
 annotations:
- {{- if (.Values.ingress).certManagerAnnotations -}}
- {{- range (.Values.ingress).certManagerAnnotations }}
-{{ . | indent 4 }}
+ {{- with (.Values.ingress).annotations }}
+{{ toYaml . | indent 4 }}
 {{- end }}
- {{- else if (.Values.ingress).use_staging_cert }}
+ {{- if not (.Values.ingress).disableDefaultCertManager }}
+ {{- if (.Values.ingress).use_staging_cert }}
 cert-manager.io/cluster-issuer: letsencrypt-staging
 {{- else }}
 cert-manager.io/cluster-issuer: letsencrypt-prod
 {{- end }}
- nginx.ingress.kubernetes.io/proxy-body-size: 42m
+ {{- end }}
 name: {{ .Release.Name }}
 namespace: {{ include "app.namespace" . }}
 spec:
- {{- if and (.Values.ingress).className (ne (.Values).cluster_env "dataport") }}
+ {{- if and (.Values.ingress).className }}
 ingressClassName: {{ .Values.ingress.className }}
 {{- end }}
 rules:
@@ -57,9 +57,11 @@ spec:
 tls:
 - hosts:
 - {{ include "app.ingress.host" . }}
+ {{- if not (.Values.ingress).skipTlsSecret -}}
 {{- if (.Values.ingress).tlsSecretName }}
 secretName: {{ (.Values.ingress).tlsSecretName }}
- {{- else if ne (.Values).cluster_env "dataport" }}
+ {{- else }}
 secretName: {{ .Values.ozgcloud.bezeichner }}-{{ .Release.Name }}-tls
 {{- end }}
+ {{- end }}
 {{- end -}}
\ No newline at end of file
diff --git a/src/main/helm/values.yaml b/src/main/helm/values.yaml
index 240501d36a5cc48d18ae5bc3a324b985f47ca550..11fdeb4ae386e81f51da0db2f35833333c0079f8 100644
--- a/src/main/helm/values.yaml
+++ b/src/main/helm/values.yaml
@@ -22,8 +22,6 @@ # unter der Lizenz sind dem Lizenztext zu entnehmen. # -cluster_env: "" - baseUrl: test.sh.ozg-cloud.de image:
diff --git a/src/test/helm/deployment_container_security_context_test.yaml b/src/test/helm/deployment_container_security_context_test.yaml
index a68002ce4e4e6bba0792c6dc13ee15133549bba5..ddaa3ee20b9b707914a69d75e00e77ab6df702ca 100644
--- a/src/test/helm/deployment_container_security_context_test.yaml
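Review bot: The unconditional `nginx.ingress.kubernetes.io/proxy-body-size: 42m` annotation is removed here and the values.yaml hunk in this diff does not re-add it under `ingress.annotations`, so a release upgraded with unchanged values falls back to the ingress-nginx default body-size limit and larger uploads start failing with 413; if that is not intended, make it the default `ingress.annotations` entry in values.yaml. Because `ingress.annotations` is rendered before the generated `cert-manager.io/cluster-issuer` key, a user who supplies that key in the annotations without `disableDefaultCertManager: true` produces a duplicate mapping key, which decoders either reject or resolve last-wins; a comment on the value, e.g. `# set disableDefaultCertManager: true when cluster-issuer is supplied here`, would prevent the surprise. `{{- if and (.Values.ingress).className }}` is a leftover single-argument `and` now that the cluster_env check is gone; `{{- if (.Values.ingress).className }}` is equivalent and clearer. The Ingress document's apiVersion line lies outside the hunk.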
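Review bot: With `ingress.skipTlsSecret: true` an explicitly set `ingress.tlsSecretName` is silently ignored, because the existing secretName branch now sits entirely inside the new guard, and the tls entry is rendered with hosts only so the controller serves its default certificate. That precedence should be stated on the value in values.yaml, e.g. `skipTlsSecret: false  # true omits secretName even when tlsSecretName is set`, or the combination rejected early with `{{- if and (.Values.ingress).skipTlsSecret (.Values.ingress).tlsSecretName }}{{ fail "ingress.skipTlsSecret and ingress.tlsSecretName are mutually exclusive" }}{{- end }}`. The `{{- end -}}` closing this block belongs to a condition that starts outside the hunk.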
+++ b/src/test/helm/deployment_container_security_context_test.yaml
@@ -51,6 +51,10 @@ tests:
 path: spec.template.spec.containers[0].securityContext.runAsUser
 - isNull:
 path: spec.template.spec.containers[0].securityContext.runAsGroup
+ - isNull:
+ path: spec.template.spec.securityContext.fsGroup
+ - isNull:
+ path: spec.template.spec.containers[0].securityContext.capabilities
 - it: check runAsUser
 set:
 securityContext.runAsUser: 1000
@@ -64,4 +68,23 @@ tests:
 asserts:
 - equal:
 path: spec.template.spec.containers[0].securityContext.runAsGroup
- value: 1000
\ No newline at end of file
+ value: 1000
+ - it: check fsGroup
+ set:
+ podSecurityContext.fsGroup: 1000
+ asserts:
+ - equal:
+ path: spec.template.spec.securityContext.fsGroup
+ value: 1000
+ - it: check capabilities
+ set:
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.capabilities
+ value:
+ drop:
+ - ALL
\ No newline at end of file
diff --git a/src/test/helm/deployment_liveness_probe_test.yaml b/src/test/helm/deployment_liveness_probe_test.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..bca6419f5c5bcf34a4d6c1bb533f22a20256bede
--- /dev/null
+++ b/src/test/helm/deployment_liveness_probe_test.yaml
@@ -0,0 +1,52 @@
+#
+# Copyright (C) 2022 Das Land Schleswig-Holstein vertreten durch den
+# Ministerpräsidenten des Landes Schleswig-Holstein
+# Staatskanzlei
+# Abteilung Digitalisierung und zentrales IT-Management der Landesregierung
+#
+# Lizenziert unter der EUPL, Version 1.2 oder - sobald
+# diese von der Europäischen Kommission genehmigt wurden -
+# Folgeversionen der EUPL ("Lizenz");
+# Sie dürfen dieses Werk ausschließlich gemäß
+# dieser Lizenz nutzen.
+# Eine Kopie der Lizenz finden Sie hier:
+#
+# https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12
+#
+# Sofern nicht durch anwendbare Rechtsvorschriften
+# gefordert oder in schriftlicher Form vereinbart, wird
+# die unter der Lizenz verbreitete Software "so wie sie
+# ist", OHNE JEGLICHE GEWÄHRLEISTUNG ODER BEDINGUNGEN -
+# ausdrücklich oder stillschweigend - verbreitet.
+# Die sprachspezifischen Genehmigungen und Beschränkungen
+# unter der Lizenz sind dem Lizenztext zu entnehmen.
+#
+
+suite: test deployment
+templates:
+ - templates/deployment.yaml
+set:
+ ozgcloud.environment: test
+tests:
+ - it: livenessProbe should be disabled by default
+ template: deployment.yaml
+ asserts:
+ - notExists:
+ path: spec.template.spec.containers[0].livenessProbe
+
+ - it: enable livenessProbe
+ template: deployment.yaml
+ set:
+ enableLivenessProbe: true
+ asserts:
+ - isSubset:
+ path: spec.template.spec.containers[0].livenessProbe
+ content:
+ failureThreshold: 3
+ httpGet:
+ path: /actuator/health/liveness
+ port: 8081
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 3
diff --git a/src/test/helm/ingress-nginx-tests.yaml b/src/test/helm/ingress-nginx-tests.yaml
index 7aa49a0ee4325ae682f15af24a40140d13e6707d..f968300409794fbe83e56b70fd48e1dea3cee088 100644
--- a/src/test/helm/ingress-nginx-tests.yaml
+++ b/src/test/helm/ingress-nginx-tests.yaml
@@ -48,27 +48,13 @@ tests: path: spec.tls[0].secretName value: helm-fs-adapter-tls - - it: should not create afm ingress tls/ingressClass - release: - name: afm-adapter - set: - cluster_env: dataport - asserts: - - isNull: - path: spec.ingressClassName - - isNull: - path: spec.tls[0].secretName - - it: should not create afm ingress tls/ingressClass - release: - name: fs-adapter + - it: should not set secretName set: - image.name: formsolutions-adapter - cluster_env: dataport + ingress.skipTlsSecret: true asserts: - - isNull: - path: spec.ingressClassName - isNull: - path: spec.tls[0].secretName + - it: should not set ingressClassName asserts: - isNull:
diff --git a/src/test/helm/ingress_test.yaml b/src/test/helm/ingress_test.yaml
index 87c314c030a5eb3053c2874230628185b4fd831d..ee0b43da744be9805ca8e9a5930f532f34e502db 100644
--- a/src/test/helm/ingress_test.yaml
+++ b/src/test/helm/ingress_test.yaml
@@ -128,7 +128,19 @@ tests:
 - equal:
 path: metadata.annotations["cert-manager.io/cluster-issuer"]
 value: letsencrypt-prod
- - it: should set proxy body size to 42m
+
+ - it: should disable default cert-manager
+ set:
+ ingress.disableDefaultCertManager: true
+ asserts:
+ - notExists:
+ path: metadata.annotations["cert-manager.io/cluster-issuer"]
+
+ - it: should set ingress annotation proxy body size to 42m
+ set:
+ ingress:
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-body-size: 42m
 asserts:
 - equal:
 path: metadata.annotations["nginx.ingress.kubernetes.io/proxy-body-size"]
diff --git a/xta-adapter/src/main/helm/templates/xta_adapter_cronjob.yaml b/xta-adapter/src/main/helm/templates/xta_adapter_cronjob.yaml
index ce8935ad14950c80b342f4477fa62d939eb36ce8..1523ad46d16c466f8126d74fbfff97cd2d2d2229 100644
--- a/xta-adapter/src/main/helm/templates/xta_adapter_cronjob.yaml
+++ b/xta-adapter/src/main/helm/templates/xta_adapter_cronjob.yaml
@@ -111,6 +111,10 @@ spec:
 {{- with (.Values.securityContext).runAsGroup }}
 runAsGroup: {{ . }}
 {{- end }}
+ {{- with (.Values.securityContext).capabilities }}
+ capabilities:
+{{ toYaml . | indent 18 }}
+ {{- end }}
 resources:
 {{- with .Values.resources }}
 {{ toYaml . | indent 16 }}
@@ -163,4 +167,8 @@ spec:
 - name: {{ .Values.imagePullSecret }}
 {{ else }}
 - name: {{ .Release.Name }}-image-pull-secret
- {{- end }}
\ No newline at end of file
+ {{- end }}
+ {{- with .Values.podSecurityContext }}
+ securityContext:
+{{ toYaml . | indent 12 }}
+ {{- end }}
\ No newline at end of file
diff --git a/xta-adapter/src/test/helm/xta_adapter_cronjob_basic_test.yaml b/xta-adapter/src/test/helm/xta_adapter_cronjob_basic_test.yaml
index 2172150bbbaa94bd8d3237f5afe77b78f1259bfa..b17ff7452fb6022ce9d20bdfd58b5b28b538e393 100644
--- a/xta-adapter/src/test/helm/xta_adapter_cronjob_basic_test.yaml
+++ b/xta-adapter/src/test/helm/xta_adapter_cronjob_basic_test.yaml
@@ -105,6 +105,10 @@ tests:
 path: spec.jobTemplate.spec.template.spec.containers[0].securityContext.runAsUser
 - isNull:
 path: spec.jobTemplate.spec.template.spec.containers[0].securityContext.runAsGroup
+ - isNull:
+ path: spec.jobTemplate.spec.template.spec.securityContext.fsGroup
+ - isNull:
+ path: spec.jobTemplate.spec.template.spec.containers[0].securityContext.capabilities
 - it: check runAsUser
 set:
 securityContext.runAsUser: 1000
@@ -127,3 +131,22 @@ tests:
 value:
 ozg-component: xta-adapter
 workload: xta-adapter-cronjob
+ - it: check fsGroup
+ set:
+ podSecurityContext.fsGroup: 1000
+ asserts:
+ - equal:
+ path: spec.jobTemplate.spec.template.spec.securityContext.fsGroup
+ value: 1000
+ - it: check capabilities
+ set:
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ asserts:
+ - equal:
+ path: spec.jobTemplate.spec.template.spec.containers[0].securityContext.capabilities
+ value:
+ drop:
+ - ALL
\ No newline at end of file