Merge pull request 'knecht-root-recht-stage' (#103) from knecht-root-recht-stage into master

Reviewed-on: https://git.ozg-sh.de/ozgcloud-app/user-manager/pulls/103 Reviewed-by: OZGCloud <ozgcloud@mgm-tp.com>

Merge pull request 'knecht-root-recht-stage' (#103) from knecht-root-recht-stage into master
1d352551 · OZGCloud · e5134a20 · f086b651 · 1d352551 · 1d352551
Commit 1d352551 authored 1 year ago by OZGCloud
--- a/src/main/helm/templates/_helpers.tpl
+++ b/src/main/helm/templates/_helpers.tpl
@@ -99,8 +99,12 @@ app.kubernetes.io/namespace: {{ include "app.namespace" . }}
 {{- end -}}

 {{- define "app.baseDomain" -}}
+{{- if (.Values.baseDomain) -}}
+{{ .Values.baseDomain }}
+{{- else -}}
 {{ printf "%s-%s.%s" (include "app.ozgcloudBezeichner" .) (include "app.name" .) (include "app.baseUrl" .) }}
 {{- end -}}
+{{- end -}}

 {{- define "app.alfaAddress" -}}
 {{ printf "https://%s.%s" (include "app.ozgcloudBezeichner" .) (required "baseUrl must be set" .Values.baseUrl) }}

--- a/src/main/helm/templates/cert_issuer.yaml
+++ b/src/main/helm/templates/cert_issuer.yaml
@@ -22,6 +22,7 @@
 # unter der Lizenz sind dem Lizenztext zu entnehmen.
 #

+{{- if not .Values.disableGrpcServerTls }}
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
@@ -29,3 +30,4 @@ metadata:
  namespace: {{ include "app.namespace" . }}
 spec:
  selfSigned: {}
+{{- end }}
\ No newline at end of file
--- a/src/main/helm/templates/certificate.yaml
+++ b/src/main/helm/templates/certificate.yaml
@@ -22,6 +22,7 @@
 # unter der Lizenz sind dem Lizenztext zu entnehmen.
 #

+{{- if not .Values.disableGrpcServerTls }}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -42,3 +43,4 @@ spec:
    - "{{ include "app.name" . }}.{{ include "app.namespace" . }}.svc"
    - "{{ include "app.name" . }}.{{ include "app.namespace" . }}"
    - "{{ include "app.name" . }}"
+{{- end }}
\ No newline at end of file
--- a/src/main/helm/templates/deployment.yaml
+++ b/src/main/helm/templates/deployment.yaml
@@ -107,6 +107,12 @@ spec:
        {{- end }}
        - name: QUARKUS_HTTP_CORS_ORIGINS
          value: {{ (include "app.alfaAddress" .) }}
+        {{- if .Values.disableGrpcServerTls }}
+        - name: QUARKUS_GRPC_SERVER_SSL_CERTIFICATE
+          value: ""
+        - name: QUARKUS_GRPC_SERVER_SSL_KEY
+          value: ""
+        {{- end }}
        {{- with (.Values.env).customList }}
 {{ toYaml . | indent 8 }}
        {{- end }}
@@ -150,6 +156,18 @@ spec:
          periodSeconds: 5
          successThreshold: 1
          timeoutSeconds: 5
+        {{- if .Values.enableLivenessProbe }}
+        livenessProbe:
+          failureThreshold: 10
+          httpGet:
+            path: /q/health/started
+            port: 8080
+            scheme: HTTP
+          initialDelaySeconds: 15
+          periodSeconds: 5
+          successThreshold: 1
+          timeoutSeconds: 5
+        {{- end }}
        resources:
        {{- with .Values.resources }}
 {{ toYaml . | indent 10 }}
@@ -165,11 +183,17 @@ spec:
          {{- with (.Values.securityContext).runAsGroup }}
          runAsGroup: {{ . }}
          {{- end }}
+          {{- with (.Values.securityContext).capabilities }}
+          capabilities:
+{{ toYaml . | indent 12 }}
+          {{- end }}
        stdin: true
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        tty: true
+        {{- if or (not .Values.disableGrpcServerTls) .Values.optionalTrustStoreSecretName }}
        volumeMounts:
+          {{- if not .Values.disableGrpcServerTls }}
          - name: user-manager-tls-certificate
            mountPath: "/user-manager-tls-certificate/tls.crt"
            subPath: tls.crt
@@ -178,21 +202,27 @@ spec:
            mountPath: "/user-manager-tls-certificate/tls.key"
            subPath: tls.key
            readOnly: true
+          {{- end }}
          {{- if .Values.optionalTrustStoreSecretName }}
          - name: optional-trust-store
            mountPath: "/optional-trust-store/truststore.jks"
            subPath: truststore.jks
            readOnly: true
          {{- end }}
+        {{- end }}
+      {{- if or (not .Values.disableGrpcServerTls) .Values.optionalTrustStoreSecretName }}
      volumes:
+        {{- if not .Values.disableGrpcServerTls }}
         - name: user-manager-tls-certificate
           secret:
              secretName: user-manager-tls-cert
+        {{- end }}
        {{- if .Values.optionalTrustStoreSecretName }}
         - name: optional-trust-store
           secret:
              secretName: {{ .Values.optionalTrustStoreSecretName }}
        {{- end }}
+        {{- end }}
      dnsConfig: {}
      dnsPolicy: ClusterFirst
      imagePullSecrets:
@@ -207,5 +237,8 @@ spec:
 {{ toYaml . | indent 8 }}
      {{- end }}
      schedulerName: default-scheduler
-      securityContext: {}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+{{ toYaml . | indent 8 }}
+      {{- end }}
      terminationGracePeriodSeconds: 30
\ No newline at end of file
--- a/src/main/helm/templates/ingress.yaml
+++ b/src/main/helm/templates/ingress.yaml
@@ -25,24 +25,22 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  {{- with .Values.ingress.configuration_snippet}}
-  annotations: {{- toYaml . | nindent 4 }}
+  annotations:
+    {{- with (.Values.ingress).annotations }}
+      {{- toYaml . | nindent 4 }}
    {{- end }}
-      more_set_headers "Access-Control-Allow-Origin: {{ (include "app.alfaAddress" .) }}";
-    {{- if (.Values.ingress).certManagerAnnotations -}}
-    {{- range (.Values.ingress).certManagerAnnotations }}
-{{ . | indent 4 }}
-    {{- end }}
-    {{- else if (.Values.ingress).use_staging_cert }}
+    {{- if not (.Values.ingress).disableDefaultCertManager }}
+    {{- if (.Values.ingress).use_staging_cert }}
    cert-manager.io/cluster-issuer: letsencrypt-staging
    {{- else }}
    cert-manager.io/cluster-issuer: letsencrypt-prod
    {{- end }}
+    {{- end }}
  name: {{ include "app.name" . }}
  namespace: {{ include "app.namespace" . }}
 spec:
-  {{- if and (.Values.ingress).className (ne (.Values).cluster_env "dataport") }}
-  ingressClassName: {{ .Values.ingress.className }}
+  {{- if (.Values.ingress).className }}
+  ingressClassName: {{ (.Values.ingress).className }}
  {{- end }}
  rules:
    - http:
@@ -58,8 +56,10 @@ spec:
  tls:
    - hosts:
      - {{ ( include "app.baseDomain" . ) }}
+      {{- if not (.Values.ingress).skipTlsSecret -}}
      {{- if (.Values.ingress).tlsSecretName }}
      secretName: {{ (.Values.ingress).tlsSecretName }}
-      {{- else if ne (.Values).cluster_env "dataport" }}
+      {{- else }}
      secretName: {{ .Values.ozgcloud.bezeichner }}-{{ include "app.name" . }}-tls
      {{- end }}
+      {{- end }}
\ No newline at end of file
--- a/src/main/helm/values.yaml
+++ b/src/main/helm/values.yaml
@@ -22,8 +22,6 @@
 # unter der Lizenz sind dem Lizenztext zu entnehmen.
 #

-cluster_env: ""
-
 replicaCount: 2

 image:
@@ -38,10 +36,3 @@ ozgcloud:
  keycloak:
    api:
      user: userManagerApiUser
-
-ingress:
-  configuration_snippet:
-    nginx.ingress.kubernetes.io/configuration-snippet: |
-      more_set_headers "Access-Control-Allow-Methods: GET,PATCH,OPTIONS";
-      more_set_headers "Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-XSRF-TOKEN";
-      more_set_headers "Access-Control-Expose-Headers: Content-Length,Content-Range";
--- a/src/test/helm/cert_issuer_test.yaml
+++ b/src/test/helm/cert_issuer_test.yaml
@@ -48,3 +48,9 @@ tests:
      - equal:
          path: spec.selfSigned
          value: {}
+  - it: should not create cert issuer
+    set:
+      disableGrpcServerTls: true
+    asserts:
+      - hasDocuments:
+        count: 0
\ No newline at end of file
--- a/src/test/helm/certificate_test.yaml
+++ b/src/test/helm/certificate_test.yaml
@@ -91,3 +91,9 @@ tests:
     - equal:
          path: spec.dnsNames[5]
          value: "user-manager"
+  - it: should not create certificate
+    set:
+      disableGrpcServerTls: true
+    asserts:
+      - hasDocuments:
+        count: 0
\ No newline at end of file
--- a/src/test/helm/deployment-url-value-test.yaml
+++ b/src/test/helm/deployment-url-value-test.yaml
@@ -45,3 +45,14 @@ tests:
          content:
            name: OZGCLOUD_USER_MANAGER_URL
            value: https://helm-user-manager.test.company.local
+
+  - it: set baseDomain for ozgcloud_user_manager_url
+    template: deployment.yaml
+    set:
+      baseDomain: helm-usm.test.company.local
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: OZGCLOUD_USER_MANAGER_URL
+            value: https://helm-usm.test.company.local
\ No newline at end of file
--- a/src/test/helm/deployment_container_security_context_test.yaml
+++ b/src/test/helm/deployment_container_security_context_test.yaml
@@ -56,6 +56,10 @@ tests:
          path: spec.template.spec.containers[0].securityContext.runAsUser
      - isNull:
          path: spec.template.spec.containers[0].securityContext.runAsGroup
+      - isNull:
+          path: spec.template.spec.securityContext.fsGroup
+      - isNull:
+          path: spec.template.spec.containers[0].securityContext.capabilities
  - it: check runAsUser
    set:
      securityContext.runAsUser: 1000
@@ -70,3 +74,22 @@ tests:
      - equal:
          path: spec.template.spec.containers[0].securityContext.runAsGroup
          value: 1000
+  - it: check fsGroup
+    set:
+      podSecurityContext.fsGroup: 1000
+    asserts:
+      - equal:
+          path: spec.template.spec.securityContext.fsGroup
+          value: 1000
+  - it: check capabilities
+    set:
+      securityContext:
+        capabilities:
+          drop:
+            - ALL
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].securityContext.capabilities
+          value:
+            drop:
+              - ALL
--- a/src/test/helm/deployment_env_test.yaml
+++ b/src/test/helm/deployment_env_test.yaml
@@ -98,3 +98,29 @@ tests:
          content:
            name: OZGCLOUD_USERSYNC_PERIOD
            value: "6h"
+  - it: check disable grpc server
+    set:
+      disableGrpcServerTls: true
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: QUARKUS_GRPC_SERVER_SSL_CERTIFICATE
+            value: ""
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: QUARKUS_GRPC_SERVER_SSL_KEY
+            value: ""
+  - it: check default grpc server settings
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: QUARKUS_GRPC_SERVER_SSL_CERTIFICATE
+          any: true
+      - notContains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: QUARKUS_GRPC_SERVER_SSL_KEY
+          any: true
\ No newline at end of file
--- a/src/test/helm/deployment_liveness_probe_test.yaml
+++ b/src/test/helm/deployment_liveness_probe_test.yaml
+#
+# Copyright (C) 2022 Das Land Schleswig-Holstein vertreten durch den
+# Ministerpräsidenten des Landes Schleswig-Holstein
+# Staatskanzlei
+# Abteilung Digitalisierung und zentrales IT-Management der Landesregierung
+#
+# Lizenziert unter der EUPL, Version 1.2 oder - sobald
+# diese von der Europäischen Kommission genehmigt wurden -
+# Folgeversionen der EUPL ("Lizenz");
+# Sie dürfen dieses Werk ausschließlich gemäß
+# dieser Lizenz nutzen.
+# Eine Kopie der Lizenz finden Sie hier:
+#
+# https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12
+#
+# Sofern nicht durch anwendbare Rechtsvorschriften
+# gefordert oder in schriftlicher Form vereinbart, wird
+# die unter der Lizenz verbreitete Software "so wie sie
+# ist", OHNE JEGLICHE GEWÄHRLEISTUNG ODER BEDINGUNGEN -
+# ausdrücklich oder stillschweigend - verbreitet.
+# Die sprachspezifischen Genehmigungen und Beschränkungen
+# unter der Lizenz sind dem Lizenztext zu entnehmen.
+#
+
+suite: deployment
+release:
+  name: user-manager
+  namespace: by-helm-test
+templates:
+  - templates/deployment.yaml
+set:
+  ozgcloud:
+    bundesland: by
+    bezeichner: helm
+    environment: dev
+  sso:
+    serverUrl: https://sso.company.local
+  baseUrl: test.by.company.local
+tests:
+  - it: livenessProbe should be disabled by default
+    template: deployment.yaml
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].livenessProbe
+
+  - it: enable livenessProbe
+    template: deployment.yaml
+    set:
+      enableLivenessProbe: true
+    asserts:
+      - isSubset:
+          path: spec.template.spec.containers[0].livenessProbe
+          content:
+            failureThreshold: 10
+            httpGet:
+              path: /q/health/started
+              port: 8080
+              scheme: HTTP
+            initialDelaySeconds: 15
+            periodSeconds: 5
+            successThreshold: 1
+            timeoutSeconds: 5
--- a/src/test/helm/deplyoment_cert_bindings_test.yaml
+++ b/src/test/helm/deplyoment_cert_bindings_test.yaml
@@ -64,3 +64,42 @@ tests:
             name: user-manager-tls-certificate
             secret:
               secretName: user-manager-tls-cert
+
+  - it: should not mount volumes for user-manager root ca
+    set:
+      disableGrpcServerTls: true
+      optionalTrustStoreSecretName: optional-trust-store-secret
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: user-manager-tls-certificate
+          any: true
+      - notContains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: user-manager-tls-certificate
+          any: true
+
+  - it: should not have volume mounts
+    set:
+      disableGrpcServerTls: true
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].volumeMounts
+
+  - it: should not have volume for user-manager root certificate
+    set:
+      disableGrpcServerTls: true
+      optionalTrustStoreSecretName: optional-trust-store-secret
+    asserts:
+      - notContains:
+          path: spec.template.spec.volumes
+        any: true
+
+  - it: should not have volume
+    set:
+      disableGrpcServerTls: true
+    asserts:
+      - notExists:
+          path: spec.template.spec.volumes
--- a/src/test/helm/ingress-nginx-tests.yaml
+++ b/src/test/helm/ingress-nginx-tests.yaml
@@ -49,13 +49,11 @@ tests:
      - equal:
          path: spec.ingressClassName
          value: nginx
-  - it: should not create ingress tls/ingressClassName
+  - it: should not create ingress tls secret name
    set:
-      cluster_env: dataport
+      ingress.skipTlsSecret: true
    asserts:
-      - isNull:
-          path: spec.ingressClassName
-      - isNull:
+      - notExists:
          path: spec.tls[0].secretName
  - it: should use default letsencrypt-prod cluster-issuer
    asserts:
@@ -77,6 +75,13 @@ tests:
          path: metadata.annotations["cert-manager.io/cluster-issuer"]
          value: letsencrypt-prod

+  - it: should disable default cert-manager
+    set:
+      ingress.disableDefaultCertManager: true
+    asserts:
+      - notExists:
+          path: metadata.annotations["cert-manager.io/cluster-issuer"]
+
  - it: should create hostname correctly
    asserts:
      - equal:
@@ -88,3 +93,19 @@ tests:
      - equal:
          path: spec.tls[0].hosts[0]
          value: helm-user-manager.test.sh.ozg-cloud.de
+
+  - it: should set ingress host
+    set:
+      baseDomain: helm-usm.test.company.local
+    asserts:
+      - equal:
+          path: spec.rules[0].host
+          value: helm-usm.test.company.local
+
+  - it: should set ingress tls host
+    set:
+      baseDomain: helm-usm.test.company.local
+    asserts:
+      - equal:
+          path: spec.tls[0].hosts[0]
+          value: helm-usm.test.company.local
\ No newline at end of file
--- a/src/test/helm/ingress_nginx_cors_test.yaml
+++ b/src/test/helm/ingress_nginx_cors_test.yaml
@@ -34,6 +34,14 @@ set:
    bezeichner: helm
 tests:
  - it: check ingress annotations if nginx test environment
+    set:
+      ingress:
+        annotations:
+          nginx.ingress.kubernetes.io/configuration-snippet: |
+            more_set_headers "Access-Control-Allow-Methods: GET,PATCH,OPTIONS";
+            more_set_headers "Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-XSRF-TOKEN";
+            more_set_headers "Access-Control-Expose-Headers: Content-Length,Content-Range";
+            more_set_headers "Access-Control-Allow-Origin: https://helm.test.sh.ozg-cloud.de";
    asserts:
      - isKind:
          of: Ingress
@@ -44,3 +52,23 @@ tests:
                   more_set_headers "Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-XSRF-TOKEN";
                   more_set_headers "Access-Control-Expose-Headers: Content-Length,Content-Range";
                   more_set_headers "Access-Control-Allow-Origin: https://helm.test.sh.ozg-cloud.de";
+  - it: Should disable nginx configuration snippet
+    set:
+      ingress:
+        configuration_snippet: null
+    asserts:
+      - notExists:
+          path: metadata.annotations["nginx.ingress.kubernetes.io/configuration-snippet"]
+  - it: Should contain annotations
+    set:
+      ingress:
+        annotations:
+          foo: bar
+          hello: world
+    asserts:
+      - equal:
+          path: metadata.annotations.foo
+          value: bar
+      - equal:
+          path: metadata.annotations.hello
+          value: world
\ No newline at end of file