diff --git a/src/main/helm/templates/_helpers.tpl b/src/main/helm/templates/_helpers.tpl index af6ba3eade67c3db52de7f493becae39e1330649..49b22dd9ec7d6f3e7caec4866f8725039d809e09 100644 --- a/src/main/helm/templates/_helpers.tpl +++ b/src/main/helm/templates/_helpers.tpl @@ -99,8 +99,12 @@ app.kubernetes.io/namespace: {{ include "app.namespace" . }} {{- end -}} {{- define "app.baseDomain" -}} +{{- if (.Values.baseDomain) -}} +{{ .Values.baseDomain }} +{{- else -}} {{ printf "%s-%s.%s" (include "app.ozgcloudBezeichner" .) (include "app.name" .) (include "app.baseUrl" .) }} {{- end -}} +{{- end -}} {{- define "app.alfaAddress" -}} {{ printf "https://%s.%s" (include "app.ozgcloudBezeichner" .) (required "baseUrl must be set" .Values.baseUrl) }} diff --git a/src/main/helm/templates/cert_issuer.yaml b/src/main/helm/templates/cert_issuer.yaml index 1e87578410a3e22f53f67ff24e35427587b9d3d5..34f56bce9f67c2880a417598b966be799298dd38 100644 --- a/src/main/helm/templates/cert_issuer.yaml +++ b/src/main/helm/templates/cert_issuer.yaml @@ -22,10 +22,12 @@ # unter der Lizenz sind dem Lizenztext zu entnehmen. # +{{- if not .Values.disableGrpcServerTls }} apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: user-manager-issuer namespace: {{ include "app.namespace" . }} spec: - selfSigned: {} \ No newline at end of file + selfSigned: {} +{{- end }} \ No newline at end of file diff --git a/src/main/helm/templates/certificate.yaml b/src/main/helm/templates/certificate.yaml index 02e60de385e513b9fd1450e9a48876b3cf5b8d56..f90349548a71d69b31262afee0286939b5732c14 100644 --- a/src/main/helm/templates/certificate.yaml +++ b/src/main/helm/templates/certificate.yaml @@ -22,6 +22,7 @@ # unter der Lizenz sind dem Lizenztext zu entnehmen. # +{{- if not .Values.disableGrpcServerTls }} apiVersion: cert-manager.io/v1 kind: Certificate metadata: 
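Review bot: The new `if (.Values.baseDomain)` branch in `app.baseDomain` is undocumented, so a reader of the helper cannot tell that an explicit `baseDomain` replaces the derived `<bezeichner>-<name>.<baseUrl>` host, which per the tests in this commit feeds the ingress host, the TLS host list and `OZGCLOUD_USER_MANAGER_URL`. A Helm comment above the define, `{{- /* app.baseDomain: .Values.baseDomain, when set, overrides the derived <ozgcloudBezeichner>-<name>.<baseUrl> host */ -}}`, would make that precedence explicit. The parentheses in `{{- if (.Values.baseDomain) -}}` are superfluous; `{{- if .Values.baseDomain -}}` matches the other conditionals in this commit.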
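Review bot: `disableGrpcServerTls`, first read here and again in certificate.yaml and deployment.yaml in this commit, has no default and no description in values.yaml, whose hunks in this commit only delete keys. Since a truthy value suppresses the Issuer, the Certificate, the certificate volume and its mounts, and blanks the gRPC SSL certificate and key settings, the switch turns off transport encryption for the gRPC server and should be discoverable where operators look: add `disableGrpcServerTls: false` to values.yaml with a comment such as `# true renders no Issuer/Certificate and no certificate mounts; use only where gRPC TLS is provided outside the pod`. A one-line comment above `{{- if not .Values.disableGrpcServerTls }}` in each of the three templates pointing to that value would also help.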
@@ -41,4 +42,5 @@ spec: - "{{ include "app.name" . }}.{{ include "app.namespace" . }}.svc.cluster" - "{{ include "app.name" . }}.{{ include "app.namespace" . }}.svc" - "{{ include "app.name" . }}.{{ include "app.namespace" . }}" - - "{{ include "app.name" . }}" \ No newline at end of file + - "{{ include "app.name" . }}" +{{- end }} \ No newline at end of file diff --git a/src/main/helm/templates/deployment.yaml b/src/main/helm/templates/deployment.yaml index 346ee183251aac415d827ba477a6ca4c4a8bb6f1..c99926c431e62ae9895c18fead4ba6503653d409 100644 --- a/src/main/helm/templates/deployment.yaml +++ b/src/main/helm/templates/deployment.yaml @@ -107,6 +107,12 @@ spec: {{- end }} - name: QUARKUS_HTTP_CORS_ORIGINS value: {{ (include "app.alfaAddress" .) }} + {{- if .Values.disableGrpcServerTls }} + - name: QUARKUS_GRPC_SERVER_SSL_CERTIFICATE + value: "" + - name: QUARKUS_GRPC_SERVER_SSL_KEY + value: "" + {{- end }} {{- with (.Values.env).customList }} {{ toYaml . | indent 8 }} {{- end }} @@ -150,6 +156,18 @@ spec: periodSeconds: 5 successThreshold: 1 timeoutSeconds: 5 + {{- if .Values.enableLivenessProbe }} + livenessProbe: + failureThreshold: 10 + httpGet: + path: /q/health/started + port: 8080 + scheme: HTTP + initialDelaySeconds: 15 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + {{- end }} resources: {{- with .Values.resources }} {{ toYaml . | indent 10 }} @@ -165,11 +183,17 @@ spec: {{- with (.Values.securityContext).runAsGroup }} runAsGroup: {{ . }} {{- end }} + {{- with (.Values.securityContext).capabilities }} + capabilities: +{{ toYaml . | indent 12 }} + {{- end }} stdin: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: File tty: true + {{- if or (not .Values.disableGrpcServerTls) .Values.optionalTrustStoreSecretName }} volumeMounts: + {{- if not .Values.disableGrpcServerTls }} - name: user-manager-tls-certificate mountPath: "/user-manager-tls-certificate/tls.crt" subPath: tls.crt 
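Review bot: The empty `value: ""` for `QUARKUS_GRPC_SERVER_SSL_CERTIFICATE` and `QUARKUS_GRPC_SERVER_SSL_KEY` is not explained in the template; it presumably blanks the certificate and key paths that the application configuration otherwise points at the mounted files, which is what lets the server start once the mounts are removed later in this commit. Add a template comment above the `{{- if .Values.disableGrpcServerTls }}` block, e.g. `{{- /* blank the SSL cert/key paths so the gRPC server starts without the TLS mounts */ -}}`, so the next maintainer does not replace the empty strings with an omission that would presumably leave the configured paths in effect. The container's env block continues outside the hunk.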
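Review bot: The new `livenessProbe` points at `/q/health/started`, which in Quarkus is the startup-check endpoint, whereas a liveness probe is conventionally backed by `/q/health/live`; as written, liveness checks registered by the application would presumably never fail this probe, only startup checks would. Unless the started endpoint is intended, change it to `path: /q/health/live` and update the matching assertion in the new deployment_liveness_probe_test.yaml. With `failureThreshold: 10` and `periodSeconds: 5` the container is restarted after roughly 50 seconds of consecutive failures, which is worth stating in a comment above `{{- if .Values.enableLivenessProbe }}` since the numbers are hard-coded in the template.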
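Review bot: `capabilities` is rendered only when `securityContext.capabilities` is set, so the chart's default container keeps the runtime's default capability set and the hardened baseline of dropping everything (`securityContext.capabilities.drop: ["ALL"]`) is left to each deployment. Consider shipping that as the default in values.yaml, adjusting the `isNull` assertion on `capabilities` in deployment_container_security_context_test.yaml accordingly, or at least document in values.yaml that `securityContext.capabilities` is expected to be set. The same applies to `podSecurityContext` in the last hunk of this file, where the previous `securityContext: {}` is now rendered only when a value is given. The container spec continues outside the hunk.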
@@ -178,21 +202,27 @@ spec: mountPath: "/user-manager-tls-certificate/tls.key" subPath: tls.key readOnly: true + {{- end }} {{- if .Values.optionalTrustStoreSecretName }} - name: optional-trust-store mountPath: "/optional-trust-store/truststore.jks" subPath: truststore.jks readOnly: true {{- end }} + {{- end }} + {{- if or (not .Values.disableGrpcServerTls) .Values.optionalTrustStoreSecretName }} volumes: + {{- if not .Values.disableGrpcServerTls }} - name: user-manager-tls-certificate secret: secretName: user-manager-tls-cert + {{- end }} {{- if .Values.optionalTrustStoreSecretName }} - name: optional-trust-store secret: secretName: {{ .Values.optionalTrustStoreSecretName }} {{- end }} + {{- end }} dnsConfig: {} dnsPolicy: ClusterFirst imagePullSecrets: @@ -207,5 +237,8 @@ spec: {{ toYaml . | indent 8 }} {{- end }} schedulerName: default-scheduler - securityContext: {} + {{- with .Values.podSecurityContext }} + securityContext: +{{ toYaml . | indent 8 }} + {{- end }} terminationGracePeriodSeconds: 30 \ No newline at end of file diff --git a/src/main/helm/templates/ingress.yaml b/src/main/helm/templates/ingress.yaml index 4b8a34978263469c5af9925f504703c8a3a92368..1a1a9357b8c38c12a0fa12201667a1f35d7d5adb 100644 --- a/src/main/helm/templates/ingress.yaml +++ b/src/main/helm/templates/ingress.yaml 
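Review bot: The condition `or (not .Values.disableGrpcServerTls) .Values.optionalTrustStoreSecretName` now appears twice in this file, once before `volumeMounts:` at the end of the previous hunk and once before `volumes:` here, and the two must stay in step or a mount will reference a volume that is not rendered. A named template in _helpers.tpl that renders a non-empty string when either volume is wanted, tested with `{{- if include "app.hasVolumes" . }}` at both places, would remove the duplication. The nested `{{- if not .Values.disableGrpcServerTls }}` is likewise repeated for the mount and for the volume.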
@@ -25,24 +25,22 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - {{- with .Values.ingress.configuration_snippet}} - annotations: {{- toYaml . | nindent 4 }} - {{- end }} - more_set_headers "Access-Control-Allow-Origin: {{ (include "app.alfaAddress" .) }}"; - {{- if (.Values.ingress).certManagerAnnotations -}} - {{- range (.Values.ingress).certManagerAnnotations }} -{{ . | indent 4 }} + annotations: + {{- with (.Values.ingress).annotations }} + {{- toYaml . | nindent 4 }} {{- end }} - {{- else if (.Values.ingress).use_staging_cert }} + {{- if not (.Values.ingress).disableDefaultCertManager }} + {{- if (.Values.ingress).use_staging_cert }} cert-manager.io/cluster-issuer: letsencrypt-staging {{- else }} cert-manager.io/cluster-issuer: letsencrypt-prod - {{- end }} + {{- end }} + {{- end }} name: {{ include "app.name" . }} namespace: {{ include "app.namespace" . }} spec: - {{- if and (.Values.ingress).className (ne (.Values).cluster_env "dataport") }} - ingressClassName: {{ .Values.ingress.className }} + {{- if (.Values.ingress).className }} + ingressClassName: {{ (.Values.ingress).className }} {{- end }} rules: - http: @@ -58,8 +56,10 @@ spec: tls: - hosts: - {{ ( include "app.baseDomain" . ) }} + {{- if not (.Values.ingress).skipTlsSecret -}} {{- if (.Values.ingress).tlsSecretName }} secretName: {{ (.Values.ingress).tlsSecretName }} - {{- else if ne (.Values).cluster_env "dataport" }} + {{- else }} secretName: {{ .Values.ozgcloud.bezeichner }}-{{ include "app.name" . }}-tls + {{- end }} {{- end }} \ No newline at end of file diff --git a/src/main/helm/values.yaml b/src/main/helm/values.yaml index daa6f7ce4cfe5f3660282d2a063e9f709a08c1f4..76db8b5e09654da9c106ae69bc01a830523c50f8 100644 --- a/src/main/helm/values.yaml +++ b/src/main/helm/values.yaml @@ -22,8 +22,6 @@ # unter der Lizenz sind dem Lizenztext zu entnehmen. # -cluster_env: "" - replicaCount: 2 image: 
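Review bot: The template-generated `more_set_headers "Access-Control-Allow-Origin: {{ (include "app.alfaAddress" .) }}";` line is dropped from the annotations and nothing in the new code adds it back: with the values.yaml default `ingress.configuration_snippet` also removed in this commit, the whole nginx CORS snippet (Allow-Methods, Allow-Headers, Expose-Headers, Allow-Origin) now exists only where a deployment sets `ingress.annotations` by hand, as the updated ingress_nginx_cors_test.yaml does with a literal origin. That is a behaviour change on upgrade and it moves the allowed origin from a derived value to per-environment configuration, so it should be recorded in values.yaml (a commented example under `ingress.annotations`) or the chart's changelog, with a note that the origin should stay tied to the Alfa address rather than a wildcard. Also, when `disableDefaultCertManager` is set and no `ingress.annotations` are given, `annotations:` renders with no children, i.e. a null value rather than an empty mapping, which the API server tolerates but which reads oddly in the output.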
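Review bot: `{{- if not (.Values.ingress).skipTlsSecret -}}` is the only directive in this file that also trims trailing whitespace; because the next line opens with `{{- if`, the `-}}` changes nothing and `{{- if not (.Values.ingress).skipTlsSecret }}` keeps the style consistent with the rest of the hunk. The meaning of `skipTlsSecret` also deserves a comment, since a `tls` entry with hosts but no `secretName` typically leaves the ingress controller serving its default certificate for this host; e.g. `{{- /* skipTlsSecret: no secretName, the controller's default certificate is used */ -}}` above the directive.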
@@ -38,10 +36,3 @@ ozgcloud: keycloak: api: user: userManagerApiUser - -ingress: - configuration_snippet: - nginx.ingress.kubernetes.io/configuration-snippet: | - more_set_headers "Access-Control-Allow-Methods: GET,PATCH,OPTIONS"; - more_set_headers "Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-XSRF-TOKEN"; - more_set_headers "Access-Control-Expose-Headers: Content-Length,Content-Range"; diff --git a/src/test/helm/cert_issuer_test.yaml b/src/test/helm/cert_issuer_test.yaml index b2e1448f6d1be3d1fda4bbedab0e4c6a29a11515..224328094cedca428efb1185bed7d13906a329b4 100644 --- a/src/test/helm/cert_issuer_test.yaml +++ b/src/test/helm/cert_issuer_test.yaml @@ -47,4 +47,10 @@ tests: asserts: - equal: path: spec.selfSigned - value: {} \ No newline at end of file + value: {} + - it: should not create cert issuer + set: + disableGrpcServerTls: true + asserts: + - hasDocuments: + count: 0 \ No newline at end of file diff --git a/src/test/helm/certificate_test.yaml b/src/test/helm/certificate_test.yaml index ac111fb2284e8d718f0c08598fa3170472089444..0fe136c561849439f67b32d1f51bd92eda6de2bd 100644 --- a/src/test/helm/certificate_test.yaml +++ b/src/test/helm/certificate_test.yaml @@ -90,4 +90,10 @@ tests: value: "user-manager.sh-helm-test" - equal: path: spec.dnsNames[5] - value: "user-manager" \ No newline at end of file + value: "user-manager" + - it: should not create certificate + set: + disableGrpcServerTls: true + asserts: + - hasDocuments: + count: 0 \ No newline at end of file diff --git a/src/test/helm/deployment-url-value-test.yaml b/src/test/helm/deployment-url-value-test.yaml index f5b2b82fd3f3e3e9a9ce459d304b3742ede6aba0..49a89498d0844bf7ff414088a9aa44f0808f228c 100644 --- a/src/test/helm/deployment-url-value-test.yaml +++ b/src/test/helm/deployment-url-value-test.yaml 
@@ -44,4 +44,15 @@ tests: path: spec.template.spec.containers[0].env content: name: OZGCLOUD_USER_MANAGER_URL - value: https://helm-user-manager.test.company.local \ No newline at end of file + value: https://helm-user-manager.test.company.local + + - it: set baseDomain for ozgcloud_user_manager_url + template: deployment.yaml + set: + baseDomain: helm-usm.test.company.local + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: OZGCLOUD_USER_MANAGER_URL + value: https://helm-usm.test.company.local \ No newline at end of file diff --git a/src/test/helm/deployment_container_security_context_test.yaml b/src/test/helm/deployment_container_security_context_test.yaml index 92090bb6e2310c9a31906c1e808d199a35198ea0..22bb64d3db0f662fd8212d060a4c940f1ce41a74 100644 --- a/src/test/helm/deployment_container_security_context_test.yaml +++ b/src/test/helm/deployment_container_security_context_test.yaml @@ -56,6 +56,10 @@ tests: path: spec.template.spec.containers[0].securityContext.runAsUser - isNull: path: spec.template.spec.containers[0].securityContext.runAsGroup + - isNull: + path: spec.template.spec.securityContext.fsGroup + - isNull: + path: spec.template.spec.containers[0].securityContext.capabilities - it: check runAsUser set: securityContext.runAsUser: 1000 @@ -69,4 +73,23 @@ tests: asserts: - equal: path: spec.template.spec.containers[0].securityContext.runAsGroup - value: 1000 \ No newline at end of file + value: 1000 + - it: check fsGroup + set: + podSecurityContext.fsGroup: 1000 + asserts: + - equal: + path: spec.template.spec.securityContext.fsGroup + value: 1000 + - it: check capabilities + set: + securityContext: + capabilities: + drop: + - ALL + asserts: + - equal: + path: spec.template.spec.containers[0].securityContext.capabilities + value: + drop: + - ALL 
diff --git a/src/test/helm/deployment_env_test.yaml b/src/test/helm/deployment_env_test.yaml index e2ede3f3e19c0b92f205522bacf6c2243717e082..c767c8d80dc705b5258d1a8c7ac3c10820a7c5b5 100644 --- a/src/test/helm/deployment_env_test.yaml +++ b/src/test/helm/deployment_env_test.yaml @@ -97,4 +97,30 @@ tests: path: spec.template.spec.containers[0].env content: name: OZGCLOUD_USERSYNC_PERIOD - value: "6h" \ No newline at end of file + value: "6h" + - it: check disable grpc server + set: + disableGrpcServerTls: true + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: QUARKUS_GRPC_SERVER_SSL_CERTIFICATE + value: "" + - contains: + path: spec.template.spec.containers[0].env + content: + name: QUARKUS_GRPC_SERVER_SSL_KEY + value: "" + - it: check default grpc server settings + asserts: + - notContains: + path: spec.template.spec.containers[0].env + content: + name: QUARKUS_GRPC_SERVER_SSL_CERTIFICATE + any: true + - notContains: + path: spec.template.spec.containers[0].env + content: + name: QUARKUS_GRPC_SERVER_SSL_KEY + any: true \ No newline at end of file diff --git a/src/test/helm/deployment_liveness_probe_test.yaml b/src/test/helm/deployment_liveness_probe_test.yaml new file mode 100644 index 0000000000000000000000000000000000000000..195c0cc771f9e1c8dd0f98addc3356a642aa2288 --- /dev/null +++ b/src/test/helm/deployment_liveness_probe_test.yaml 
@@ -0,0 +1,62 @@ +# +# Copyright (C) 2022 Das Land Schleswig-Holstein vertreten durch den +# Ministerpräsidenten des Landes Schleswig-Holstein +# Staatskanzlei +# Abteilung Digitalisierung und zentrales IT-Management der Landesregierung +# +# Lizenziert unter der EUPL, Version 1.2 oder - sobald +# diese von der Europäischen Kommission genehmigt wurden - +# Folgeversionen der EUPL ("Lizenz"); +# Sie dürfen dieses Werk ausschließlich gemäß +# dieser Lizenz nutzen. +# Eine Kopie der Lizenz finden Sie hier: +# +# https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12 +# +# Sofern nicht durch anwendbare Rechtsvorschriften +# gefordert oder in schriftlicher Form vereinbart, wird +# die unter der Lizenz verbreitete Software "so wie sie +# ist", OHNE JEGLICHE GEWÄHRLEISTUNG ODER BEDINGUNGEN - +# ausdrücklich oder stillschweigend - verbreitet. +# Die sprachspezifischen Genehmigungen und Beschränkungen +# unter der Lizenz sind dem Lizenztext zu entnehmen. +# + +suite: deployment +release: + name: user-manager + namespace: by-helm-test +templates: + - templates/deployment.yaml +set: + ozgcloud: + bundesland: by + bezeichner: helm + environment: dev + sso: + serverUrl: https://sso.company.local + baseUrl: test.by.company.local +tests: + - it: livenessProbe should be disabled by default + template: deployment.yaml + asserts: + - notExists: + path: spec.template.spec.containers[0].livenessProbe + + - it: enable livenessProbe + template: deployment.yaml + set: + enableLivenessProbe: true + asserts: + - isSubset: + path: spec.template.spec.containers[0].livenessProbe + content: + failureThreshold: 10 + httpGet: + path: /q/health/started + port: 8080 + scheme: HTTP + initialDelaySeconds: 15 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 diff --git a/src/test/helm/deplyoment_cert_bindings_test.yaml b/src/test/helm/deplyoment_cert_bindings_test.yaml index 416c7ef3fac69aabeef6b795239535382ce73103..3fec0d1b00b5d5750bfb97bb558de92287837d98 100644 
--- a/src/test/helm/deplyoment_cert_bindings_test.yaml +++ b/src/test/helm/deplyoment_cert_bindings_test.yaml @@ -63,4 +63,43 @@ tests: content: name: user-manager-tls-certificate secret: - secretName: user-manager-tls-cert \ No newline at end of file + secretName: user-manager-tls-cert + + - it: should not mount volumes for user-manager root ca + set: + disableGrpcServerTls: true + optionalTrustStoreSecretName: optional-trust-store-secret + asserts: + - notContains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: user-manager-tls-certificate + any: true + - notContains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: user-manager-tls-certificate + any: true + + - it: should not have volume mounts + set: + disableGrpcServerTls: true + asserts: + - notExists: + path: spec.template.spec.containers[0].volumeMounts + + - it: should not have volume for user-manager root certificate + set: + disableGrpcServerTls: true + optionalTrustStoreSecretName: optional-trust-store-secret + asserts: + - notContains: + path: spec.template.spec.volumes + any: true + + - it: should not have volume + set: + disableGrpcServerTls: true + asserts: + - notExists: + path: spec.template.spec.volumes diff --git a/src/test/helm/ingress-nginx-tests.yaml b/src/test/helm/ingress-nginx-tests.yaml index bd52d6a0ee1595207f54167a1ca605d7138772c3..970ad9afff5e7a2d159835a2863de519a6c7a2e7 100644 --- a/src/test/helm/ingress-nginx-tests.yaml +++ b/src/test/helm/ingress-nginx-tests.yaml @@ -49,13 +49,11 @@ tests: - equal: path: spec.ingressClassName value: nginx - - it: should not create ingress tls/ingressClassName + - it: should not create ingress tls secret name set: - cluster_env: dataport + ingress.skipTlsSecret: true asserts: - - isNull: - path: spec.ingressClassName - - isNull: + - notExists: path: spec.tls[0].secretName - it: should use default letsencrypt-prod cluster-issuer asserts: 
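Review bot: In `should not mount volumes for user-manager root ca`, the two `notContains` assertions are identical (both check `spec.template.spec.containers[0].volumeMounts` for `name: user-manager-tls-certificate`), so the truststore mount the test sets up via `optionalTrustStoreSecretName` is never asserted; the second one should presumably be a positive `contains` with `name: optional-trust-store`. In `should not have volume for user-manager root certificate`, the `notContains` on `spec.template.spec.volumes` has `any: true` but no `content:`, so it does not say which volume must be absent; add `content: name: user-manager-tls-certificate` and, as above, a `contains` for `optional-trust-store`. Without these, the case where TLS is disabled but a truststore is configured, the `or` condition introduced in deployment.yaml, is not actually tested.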
@@ -77,6 +75,13 @@ tests: path: metadata.annotations["cert-manager.io/cluster-issuer"] value: letsencrypt-prod + - it: should disable default cert-manager + set: + ingress.disableDefaultCertManager: true + asserts: + - notExists: + path: metadata.annotations["cert-manager.io/cluster-issuer"] + - it: should create hostname correctly asserts: - equal: @@ -87,4 +92,20 @@ tests: asserts: - equal: path: spec.tls[0].hosts[0] - value: helm-user-manager.test.sh.ozg-cloud.de \ No newline at end of file + value: helm-user-manager.test.sh.ozg-cloud.de + + - it: should set ingress host + set: + baseDomain: helm-usm.test.company.local + asserts: + - equal: + path: spec.rules[0].host + value: helm-usm.test.company.local + + - it: should set ingress tls host + set: + baseDomain: helm-usm.test.company.local + asserts: + - equal: + path: spec.tls[0].hosts[0] + value: helm-usm.test.company.local \ No newline at end of file diff --git a/src/test/helm/ingress_nginx_cors_test.yaml b/src/test/helm/ingress_nginx_cors_test.yaml index f415a7e2018f5b73ce10322e963a237386a36c1c..3b85133a849fb01c86d5373f4d2937b9f9c52996 100644 --- a/src/test/helm/ingress_nginx_cors_test.yaml +++ b/src/test/helm/ingress_nginx_cors_test.yaml @@ -34,6 +34,14 @@ set: bezeichner: helm tests: - it: check ingress annotations if nginx test environment + set: + ingress: + annotations: + nginx.ingress.kubernetes.io/configuration-snippet: | + more_set_headers "Access-Control-Allow-Methods: GET,PATCH,OPTIONS"; + more_set_headers "Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-XSRF-TOKEN"; + more_set_headers "Access-Control-Expose-Headers: Content-Length,Content-Range"; + more_set_headers "Access-Control-Allow-Origin: https://helm.test.sh.ozg-cloud.de"; asserts: - isKind: of: Ingress 
@@ -44,3 +52,23 @@ tests: more_set_headers "Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-XSRF-TOKEN"; more_set_headers "Access-Control-Expose-Headers: Content-Length,Content-Range"; more_set_headers "Access-Control-Allow-Origin: https://helm.test.sh.ozg-cloud.de"; + - it: Should disable nginx configuration snippet + set: + ingress: + configuration_snippet: null + asserts: + - notExists: + path: metadata.annotations["nginx.ingress.kubernetes.io/configuration-snippet"] + - it: Should contain annotations + set: + ingress: + annotations: + foo: bar + hello: world + asserts: + - equal: + path: metadata.annotations.foo + value: bar + - equal: + path: metadata.annotations.hello + value: world \ No newline at end of file
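Review bot: `Should disable nginx configuration snippet` sets `ingress.configuration_snippet: null`, but after this commit ingress.yaml no longer reads `configuration_snippet` at all (annotations come from `ingress.annotations`), so the test passes regardless of the value and no longer checks what its name says. Either drop it or turn it into the default-rendering check the chart now needs, e.g. `- it: Should render no configuration snippet by default` with no `set:` and the same `notExists` assertion. The `Should contain annotations` case below it already covers the positive path.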