disable grpc server tls for dataport

6efe067e · OZGCloud · 85f2f540 · 6efe067e · 6efe067e · 6efe067e
Commit 6efe067e authored 1 year ago by OZGCloud
--- a/src/main/helm/templates/cert_issuer.yaml
+++ b/src/main/helm/templates/cert_issuer.yaml
@@ -22,10 +22,12 @@
 # unter der Lizenz sind dem Lizenztext zu entnehmen.
 #

+{{- if not .Values.disableGrpcServerTls }}
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
  name: user-manager-issuer
  namespace: {{ include "app.namespace" . }}
 spec:
-  selfSigned: {}
\ No newline at end of file
+  selfSigned: {}
+{{- end }}
\ No newline at end of file
--- a/src/main/helm/templates/certificate.yaml
+++ b/src/main/helm/templates/certificate.yaml
@@ -22,6 +22,7 @@
 # unter der Lizenz sind dem Lizenztext zu entnehmen.
 #

+{{- if not .Values.disableGrpcServerTls }}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -41,4 +42,5 @@ spec:
    - "{{ include "app.name" . }}.{{ include "app.namespace" . }}.svc.cluster"
    - "{{ include "app.name" . }}.{{ include "app.namespace" . }}.svc"
    - "{{ include "app.name" . }}.{{ include "app.namespace" . }}"
-    - "{{ include "app.name" . }}"
\ No newline at end of file
+    - "{{ include "app.name" . }}"
+{{- end }}
\ No newline at end of file
--- a/src/main/helm/templates/deployment.yaml
+++ b/src/main/helm/templates/deployment.yaml
@@ -107,6 +107,12 @@ spec:
        {{- end }}
        - name: QUARKUS_HTTP_CORS_ORIGINS
          value: {{ (include "app.alfaAddress" .) }}
+        {{- if .Values.disableGrpcServerTls }}
+        - name: QUARKUS_GRPC_SERVER_SSL_CERTIFICATE
+          value: ""
+        - name: QUARKUS_GRPC_SERVER_SSL_KEY
+          value: ""
+        {{- end }}
        {{- with (.Values.env).customList }}
 {{ toYaml . | indent 8 }}
        {{- end }}
@@ -169,7 +175,9 @@ spec:
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        tty: true
+        {{- if or (not .Values.disableGrpcServerTls) .Values.optionalTrustStoreSecretName }}
        volumeMounts:
+          {{- if not .Values.disableGrpcServerTls }}
          - name: user-manager-tls-certificate
            mountPath: "/user-manager-tls-certificate/tls.crt"
            subPath: tls.crt
@@ -178,21 +186,27 @@ spec:
            mountPath: "/user-manager-tls-certificate/tls.key"
            subPath: tls.key
            readOnly: true
+          {{- end }}
          {{- if .Values.optionalTrustStoreSecretName }}
          - name: optional-trust-store
            mountPath: "/optional-trust-store/truststore.jks"
            subPath: truststore.jks
            readOnly: true
          {{- end }}
+        {{- end }}
+      {{- if or (not .Values.disableGrpcServerTls) .Values.optionalTrustStoreSecretName }}
      volumes:
+        {{- if not .Values.disableGrpcServerTls }}
         - name: user-manager-tls-certificate
           secret:
              secretName: user-manager-tls-cert
+        {{- end }}
        {{- if .Values.optionalTrustStoreSecretName }}
         - name: optional-trust-store
           secret:
              secretName: {{ .Values.optionalTrustStoreSecretName }}
        {{- end }}
+        {{- end }}
      dnsConfig: {}
      dnsPolicy: ClusterFirst
      imagePullSecrets:

--- a/src/test/helm/cert_issuer_test.yaml
+++ b/src/test/helm/cert_issuer_test.yaml
@@ -47,4 +47,10 @@ tests:
    asserts:
      - equal:
          path: spec.selfSigned
-          value: {}
\ No newline at end of file
+          value: {}
+  - it: should not create cert issuer
+    set:
+      disableGrpcServerTls: true
+    asserts:
+      - hasDocuments:
+        count: 0
\ No newline at end of file
--- a/src/test/helm/certificate_test.yaml
+++ b/src/test/helm/certificate_test.yaml
@@ -90,4 +90,10 @@ tests:
          value: "user-manager.sh-helm-test"
     - equal:
          path: spec.dnsNames[5]
-          value: "user-manager"
\ No newline at end of file
+          value: "user-manager"
+  - it: should not create certificate
+    set:
+      disableGrpcServerTls: true
+    asserts:
+      - hasDocuments:
+        count: 0
\ No newline at end of file
--- a/src/test/helm/deployment_env_test.yaml
+++ b/src/test/helm/deployment_env_test.yaml
@@ -97,4 +97,30 @@ tests:
          path: spec.template.spec.containers[0].env
          content:
            name: OZGCLOUD_USERSYNC_PERIOD
-            value: "6h"
\ No newline at end of file
+            value: "6h"
+  - it: check disable grpc server
+    set:
+      disableGrpcServerTls: true
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: QUARKUS_GRPC_SERVER_SSL_CERTIFICATE
+            value: ""
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: QUARKUS_GRPC_SERVER_SSL_KEY
+            value: ""
+  - it: check default grpc server settings
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: QUARKUS_GRPC_SERVER_SSL_CERTIFICATE
+          any: true
+      - notContains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: QUARKUS_GRPC_SERVER_SSL_KEY
+          any: true
\ No newline at end of file
--- a/src/test/helm/deplyoment_cert_bindings_test.yaml
+++ b/src/test/helm/deplyoment_cert_bindings_test.yaml
@@ -63,4 +63,43 @@ tests:
           content:
             name: user-manager-tls-certificate
             secret:
-               secretName: user-manager-tls-cert
\ No newline at end of file
+               secretName: user-manager-tls-cert
+
+  - it: should not mount volumes for user-manager root ca
+    set:
+      disableGrpcServerTls: true
+      optionalTrustStoreSecretName: optional-trust-store-secret
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: user-manager-tls-certificate
+          any: true
+      - notContains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: user-manager-tls-certificate
+          any: true
+
+  - it: should not have volume mounts
+    set:
+      disableGrpcServerTls: true
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].volumeMounts
+
+  - it: should not have volume for user-manager root certificate
+    set:
+      disableGrpcServerTls: true
+      optionalTrustStoreSecretName: optional-trust-store-secret
+    asserts:
+      - notContains:
+          path: spec.template.spec.volumes
+        any: true
+
+  - it: should not have volume
+    set:
+      disableGrpcServerTls: true
+    asserts:
+      - notExists:
+          path: spec.template.spec.volumes