From 6efe067e55820f062c52393595b55005368f6721 Mon Sep 17 00:00:00 2001
From: OZGCloud <ozgcloud@mgm-tp.com>
Date: Fri, 23 Feb 2024 13:01:56 +0100
Subject: [PATCH] disable grpc server tls for dataport

---
 src/main/helm/templates/cert_issuer.yaml | 4 +-
 src/main/helm/templates/certificate.yaml | 4 +-
 src/main/helm/templates/deployment.yaml | 14 +++++++
 src/test/helm/cert_issuer_test.yaml | 8 +++-
 src/test/helm/certificate_test.yaml | 8 +++-
 src/test/helm/deployment_env_test.yaml | 28 ++++++++++++-
 .../helm/deplyoment_cert_bindings_test.yaml | 41 ++++++++++++++++++-
 7 files changed, 101 insertions(+), 6 deletions(-)

diff --git a/src/main/helm/templates/cert_issuer.yaml b/src/main/helm/templates/cert_issuer.yaml
index 1e875784..34f56bce 100644
--- a/src/main/helm/templates/cert_issuer.yaml
+++ b/src/main/helm/templates/cert_issuer.yaml
@@ -22,10 +22,12 @@
 # unter der Lizenz sind dem Lizenztext zu entnehmen.
 #
 
+{{- if not .Values.disableGrpcServerTls }}
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
   name: user-manager-issuer
   namespace: {{ include "app.namespace" . }}
 spec:
-  selfSigned: {}
\ No newline at end of file
+  selfSigned: {}
+{{- end }}
\ No newline at end of file
diff --git a/src/main/helm/templates/certificate.yaml b/src/main/helm/templates/certificate.yaml
index 02e60de3..f9034954 100644
--- a/src/main/helm/templates/certificate.yaml
+++ b/src/main/helm/templates/certificate.yaml
@@ -22,6 +22,7 @@
 # unter der Lizenz sind dem Lizenztext zu entnehmen.
 #
 
+{{- if not .Values.disableGrpcServerTls }}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -41,4 +42,5 @@ spec:
     - "{{ include "app.name" . }}.{{ include "app.namespace" . }}.svc.cluster"
     - "{{ include "app.name" . }}.{{ include "app.namespace" . }}.svc"
     - "{{ include "app.name" . }}.{{ include "app.namespace" . }}"
-    - "{{ include "app.name" . }}"
\ No newline at end of file
+    - "{{ include "app.name" . }}"
+{{- end }}
\ No newline at end of file
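Review bot: `.Values.disableGrpcServerTls` is referenced for the first time in the added `{{- if not .Values.disableGrpcServerTls }}` line here (and again in certificate.yaml and deployment.yaml), yet the diffstat lists no values.yaml change, so the switch is neither declared nor documented for chart users. Helm evaluates the missing key as false, so defaults are unchanged, but nothing tells an operator that enabling it removes the Issuer and Certificate and starts the gRPC server without TLS. I would add to values.yaml `# Set to true only where transport security is provided outside the pod: renders no Issuer/Certificate and starts the gRPC server without TLS` above `disableGrpcServerTls: false`. If the values file is intentionally left to the deploying environment, the same sentence as a `{{- /* ... */ }}` comment on the `{{- if }}` line would serve.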
diff --git a/src/main/helm/templates/deployment.yaml b/src/main/helm/templates/deployment.yaml
index 346ee183..b4d22676 100644
--- a/src/main/helm/templates/deployment.yaml
+++ b/src/main/helm/templates/deployment.yaml
@@ -107,6 +107,12 @@ spec:
         {{- end }}
         - name: QUARKUS_HTTP_CORS_ORIGINS
           value: {{ (include "app.alfaAddress" .) }}
+        {{- if .Values.disableGrpcServerTls }}
+        - name: QUARKUS_GRPC_SERVER_SSL_CERTIFICATE
+          value: ""
+        - name: QUARKUS_GRPC_SERVER_SSL_KEY
+          value: ""
+        {{- end }}
         {{- with (.Values.env).customList }}
 {{ toYaml . | indent 8 }}
         {{- end }}
@@ -169,7 +175,9 @@ spec:
         terminationMessagePath: /dev/termination-log
         terminationMessagePolicy: File
         tty: true
+        {{- if or (not .Values.disableGrpcServerTls) .Values.optionalTrustStoreSecretName }}
         volumeMounts:
+        {{- if not .Values.disableGrpcServerTls }}
         - name: user-manager-tls-certificate
           mountPath: "/user-manager-tls-certificate/tls.crt"
           subPath: tls.crt
@@ -178,21 +186,27 @@ spec:
           mountPath: "/user-manager-tls-certificate/tls.key"
           subPath: tls.key
           readOnly: true
+        {{- end }}
         {{- if .Values.optionalTrustStoreSecretName }}
         - name: optional-trust-store
           mountPath: "/optional-trust-store/truststore.jks"
           subPath: truststore.jks
           readOnly: true
         {{- end }}
+        {{- end }}
+      {{- if or (not .Values.disableGrpcServerTls) .Values.optionalTrustStoreSecretName }}
       volumes:
+      {{- if not .Values.disableGrpcServerTls }}
       - name: user-manager-tls-certificate
         secret:
           secretName: user-manager-tls-cert
+      {{- end }}
       {{- if .Values.optionalTrustStoreSecretName }}
       - name: optional-trust-store
         secret:
           secretName: {{ .Values.optionalTrustStoreSecretName }}
       {{- end }}
+      {{- end }}
       dnsConfig: {}
       dnsPolicy: ClusterFirst
       imagePullSecrets:
diff --git a/src/test/helm/cert_issuer_test.yaml b/src/test/helm/cert_issuer_test.yaml
index b2e1448f..22432809 100644
--- a/src/test/helm/cert_issuer_test.yaml
+++ b/src/test/helm/cert_issuer_test.yaml
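Review bot: The added `QUARKUS_GRPC_SERVER_SSL_CERTIFICATE`/`QUARKUS_GRPC_SERVER_SSL_KEY` entries with `value: ""` disable TLS only if the runtime treats an empty value as unset and falls back to plain text; if the image's configuration instead tries to open the empty path, the container fails at startup, and deployment_env_test.yaml only checks that the empty strings are rendered. Worth confirming against the image's application configuration and recording the assumption in the template, e.g. `{{- /* empty values unset the TLS cert/key configured in the image so the gRPC server starts in plain text; see disableGrpcServerTls */ }}` directly above the new `{{- if }}`. The env list this sits in starts and ends outside the hunk.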
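Review bot: The guard `{{- if or (not .Values.disableGrpcServerTls) .Values.optionalTrustStoreSecretName }}` added in front of `volumeMounts:` is repeated verbatim in front of `volumes:` in the following hunk, as is the nested `{{- if not .Values.disableGrpcServerTls }}`, so the mount and volume lists can silently diverge the next time an optional secret is added to one side only. Provided both lists sit in the same template scope, a single `{{- $renderVolumes := or (not .Values.disableGrpcServerTls) .Values.optionalTrustStoreSecretName }}` defined once near the top of the pod spec, used as `{{- if $renderVolumes }}` in both places, would keep them in lock-step. The container definition this belongs to begins before the hunk.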
@@ -47,4 +47,10 @@ tests:
     asserts:
       - equal:
           path: spec.selfSigned
-          value: {}
\ No newline at end of file
+          value: {}
+  - it: should not create cert issuer
+    set:
+      disableGrpcServerTls: true
+    asserts:
+      - hasDocuments:
+          count: 0
\ No newline at end of file
diff --git a/src/test/helm/certificate_test.yaml b/src/test/helm/certificate_test.yaml
index ac111fb2..0fe136c5 100644
--- a/src/test/helm/certificate_test.yaml
+++ b/src/test/helm/certificate_test.yaml
@@ -90,4 +90,10 @@ tests:
           value: "user-manager.sh-helm-test"
       - equal:
           path: spec.dnsNames[5]
-          value: "user-manager"
\ No newline at end of file
+          value: "user-manager"
+  - it: should not create certificate
+    set:
+      disableGrpcServerTls: true
+    asserts:
+      - hasDocuments:
+          count: 0
\ No newline at end of file
diff --git a/src/test/helm/deployment_env_test.yaml b/src/test/helm/deployment_env_test.yaml
index e2ede3f3..c767c8d8 100644
--- a/src/test/helm/deployment_env_test.yaml
+++ b/src/test/helm/deployment_env_test.yaml
@@ -97,4 +97,30 @@ tests:
           path: spec.template.spec.containers[0].env
           content:
             name: OZGCLOUD_USERSYNC_PERIOD
-            value: "6h"
\ No newline at end of file
+            value: "6h"
+  - it: check disable grpc server
+    set:
+      disableGrpcServerTls: true
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: QUARKUS_GRPC_SERVER_SSL_CERTIFICATE
+            value: ""
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: QUARKUS_GRPC_SERVER_SSL_KEY
+            value: ""
+  - it: check default grpc server settings
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: QUARKUS_GRPC_SERVER_SSL_CERTIFICATE
+          any: true
+      - notContains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: QUARKUS_GRPC_SERVER_SSL_KEY
+          any: true
\ No newline at end of file
diff --git a/src/test/helm/deplyoment_cert_bindings_test.yaml b/src/test/helm/deplyoment_cert_bindings_test.yaml
index 416c7ef3..3fec0d1b 100644
--- a/src/test/helm/deplyoment_cert_bindings_test.yaml
+++ b/src/test/helm/deplyoment_cert_bindings_test.yaml
@@ -63,4 +63,43 @@ tests:
           content:
             name: user-manager-tls-certificate
             secret:
-              secretName: user-manager-tls-cert
\ No newline at end of file
+              secretName: user-manager-tls-cert
+
+  - it: should not mount volumes for user-manager root ca
+    set:
+      disableGrpcServerTls: true
+      optionalTrustStoreSecretName: optional-trust-store-secret
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: user-manager-tls-certificate
+          any: true
+      - notContains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: user-manager-tls-certificate
+          any: true
+
+  - it: should not have volume mounts
+    set:
+      disableGrpcServerTls: true
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].volumeMounts
+
+  - it: should not have volume for user-manager root certificate
+    set:
+      disableGrpcServerTls: true
+      optionalTrustStoreSecretName: optional-trust-store-secret
+    asserts:
+      - notContains:
+          path: spec.template.spec.volumes
+          any: true
+
+  - it: should not have volume
+    set:
+      disableGrpcServerTls: true
+    asserts:
+      - notExists:
+          path: spec.template.spec.volumes
-- 
GitLab
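Review bot: In `should not mount volumes for user-manager root ca` the two added `notContains` assertions are byte-for-byte identical (both check `name: user-manager-tls-certificate` under volumeMounts), so the second adds no coverage; since the test also sets `optionalTrustStoreSecretName`, it presumably intends to show that the `or` guard in deployment.yaml still renders the trust-store mount, which needs a positive `contains` on `name: optional-trust-store`. Similarly `should not have volume for user-manager root certificate` uses `notContains` on `spec.template.spec.volumes` without a `content:` key, so what it matches is unclear; it should name the volume and, for the same reason, be paired with a `contains` for the trust-store volume. As written, a template change that dropped the trust-store mount whenever TLS is disabled would still pass this file.
```yaml
  - it: should not mount volumes for user-manager root ca
    set:
      disableGrpcServerTls: true
      optionalTrustStoreSecretName: optional-trust-store-secret
    asserts:
      - notContains:
          path: spec.template.spec.containers[0].volumeMounts
          content:
            name: user-manager-tls-certificate
          any: true
      - contains:
          path: spec.template.spec.containers[0].volumeMounts
          content:
            name: optional-trust-store
          any: true
  # … unchanged: should not have volume mounts …
  - it: should not have volume for user-manager root certificate
    set:
      disableGrpcServerTls: true
      optionalTrustStoreSecretName: optional-trust-store-secret
    asserts:
      - notContains:
          path: spec.template.spec.volumes
          content:
            name: user-manager-tls-certificate
          any: true
      - contains:
          path: spec.template.spec.volumes
          content:
            name: optional-trust-store
          any: true
  # … unchanged: should not have volume …
```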