diff --git a/src/main/helm/templates/_helpers.tpl b/src/main/helm/templates/_helpers.tpl index f0fef2523d2dcb26333470a59ce1b12de1a105ea..5008dfc8c7a8d29ebb772192f8613bdbf128902f 100644 --- a/src/main/helm/templates/_helpers.tpl +++ b/src/main/helm/templates/_helpers.tpl @@ -145,4 +145,12 @@ app.kubernetes.io/namespace: {{ include "app.namespace" . }} {{- define "app.serviceAccountName" -}} {{ printf "%s" ( (.Values.serviceAccount).name | default "user-manager-service-account" ) }} +{{- end -}} + +{{- define "app.truststoreSecretName" -}} +{{- if .Values.optionalTrustStoreSecretName -}} +{{ .Values.optionalTrustStoreSecretName }} +{{- else -}} +{{ printf "%s-truststore" .Release.Namespace }} +{{- end -}} {{- end -}} \ No newline at end of file diff --git a/src/main/helm/templates/deployment.yaml b/src/main/helm/templates/deployment.yaml index e8f5ea015ea704e945a155d1cda4075846feeb51..9f6d8e4a2ac1480c95c9f3e5b5524db0bcf904f7 100644 --- a/src/main/helm/templates/deployment.yaml +++ b/src/main/helm/templates/deployment.yaml @@ -116,16 +116,16 @@ spec: {{- with (.Values.env).customList }} {{ toYaml . | indent 8 }} {{- end }} - {{- if .Values.optionalTrustStoreSecretName }} - - name: TRUST_STORE_PASSWORD + {{- if not .Values.disableNamespaceTruststore }} + - name: TRUSTSTORE_PASSWORD valueFrom: secretKeyRef: - name: {{ .Values.optionalTrustStoreSecretName }} + name: {{ include "app.truststoreSecretName" . }} key: password optional: false args: - - '-Djavax.net.ssl.trustStore=/optional-trust-store/truststore.jks' - - '-Djavax.net.ssl.trustStorePassword=$(TRUST_STORE_PASSWORD)' + - '-Djavax.net.ssl.trustStore=/namespace-truststore/truststore.jks' + - '-Djavax.net.ssl.trustStorePassword=$(TRUSTSTORE_PASSWORD)' {{- end }} image: "{{ .Values.image.repo }}/{{ .Values.image.name }}:{{ coalesce (.Values.image).tag "latest" }}" imagePullPolicy: Always 
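Review bot: The new `app.truststoreSecretName` helper derives its fallback from `.Release.Namespace`, while the surrounding helpers label resources with `include "app.namespace" .` (visible in this hunk's header context); if `app.namespace` can ever differ from the release namespace, the default would name a Secret in a different namespace than the one the chart otherwise uses, so either switch the fallback to `{{ printf "%s-truststore" (include "app.namespace" .) }}` or confirm the two are always equal. The define also carries no comment on its precedence; a header such as `{{/* Name of the Secret holding truststore.jks and its password: optionalTrustStoreSecretName if set, otherwise "<namespace>-truststore". */}}` above it would document that. It is worth stating in the same comment that deployment.yaml ignores an explicit `optionalTrustStoreSecretName` entirely when `disableNamespaceTruststore` is true.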
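Review bot: The new `-Djavax.net.ssl.trustStorePassword=$(TRUSTSTORE_PASSWORD)` arg puts the truststore password on the JVM command line, where it is typically readable through `/proc/<pid>/cmdline` and `ps` by any process sharing the pid namespace and by node-level tooling, whereas the env var itself is only exposed through `/proc/<pid>/environ`. The pattern predates this change, but because the truststore is now enabled by default the exposure applies to every release rather than only to those that opted in via `optionalTrustStoreSecretName`. A lower-exposure option is to carry the property in a `JAVA_TOOL_OPTIONS` env entry that expands the same `$(TRUSTSTORE_PASSWORD)`, or to have the application read the password from the mounted Secret; the `optional: false` on the secretKeyRef correctly fails closed when the `<namespace>-truststore` Secret is absent and should stay as is.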
@@ -191,7 +191,6 @@ spec: terminationMessagePath: /dev/termination-log terminationMessagePolicy: File tty: true - {{- if or (not .Values.disableGrpcServerTls) .Values.optionalTrustStoreSecretName }} volumeMounts: {{- if not .Values.disableGrpcServerTls }} - name: user-manager-tls-certificate @@ -203,25 +202,21 @@ spec: subPath: tls.key readOnly: true {{- end }} - {{- if .Values.optionalTrustStoreSecretName }} - - name: optional-trust-store - mountPath: "/optional-trust-store/truststore.jks" - subPath: truststore.jks + {{- if not .Values.disableNamespaceTruststore }} + - name: namespace-truststore + mountPath: "/namespace-truststore" readOnly: true {{- end }} - {{- end }} - {{- if or (not .Values.disableGrpcServerTls) .Values.optionalTrustStoreSecretName }} volumes: {{- if not .Values.disableGrpcServerTls }} - name: user-manager-tls-certificate secret: secretName: user-manager-tls-cert {{- end }} - {{- if .Values.optionalTrustStoreSecretName }} - - name: optional-trust-store + {{- if not .Values.disableNamespaceTruststore }} + - name: namespace-truststore secret: - secretName: {{ .Values.optionalTrustStoreSecretName }} - {{- end }} + secretName: {{ include "app.truststoreSecretName" . }} {{- end }} dnsConfig: {} dnsPolicy: ClusterFirst diff --git a/src/test/helm/deployment_optional_trust_store_test.yaml b/src/test/helm/deployment_namespace_truststore_test.yaml similarity index 54% rename from src/test/helm/deployment_optional_trust_store_test.yaml rename to src/test/helm/deployment_namespace_truststore_test.yaml index d31e8fbce052a613a9c889c34d543c38431f0549..ae7b2a042624719e4ccba689c26975d994d0197e 100644 --- a/src/test/helm/deployment_optional_trust_store_test.yaml +++ b/src/test/helm/deployment_namespace_truststore_test.yaml 
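Review bot: With the `{{- if or (not .Values.disableGrpcServerTls) .Values.optionalTrustStoreSecretName }}` guard removed, `volumeMounts:` is rendered unconditionally, so a release with both `disableGrpcServerTls: true` and `disableNamespaceTruststore: true` produces the bare key `volumeMounts:` (null) instead of omitting it; the same applies to `volumes:` in the next hunk. The API server tolerates a null list, but strict schema validators (`helm lint --strict`, kubeconform and similar) may flag it, and the deleted `notExists` tests in deplyoment_cert_bindings_test.yaml drop the coverage that would have caught the change in shape. Restoring the guard as `{{- if or (not .Values.disableGrpcServerTls) (not .Values.disableNamespaceTruststore) }}` around both lists keeps the previous output. The enclosing container spec starts outside the hunk.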
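Review bot: The `namespace-truststore` volume in this hunk mounts the whole Secret at `/namespace-truststore`, so every key in it — including the `password` key that the env var already reads — is written to the container filesystem, whereas the removed `subPath: truststore.jks` mount exposed only the keystore. Restricting the projection with `items:` under `secret:` (`items:` / `- key: truststore.jks` / `path: truststore.jks`) keeps the directory mount, and the live updates that subPath mounts do not receive, while leaving the password out of the filesystem. The volume also sets no `optional`, so a missing `<namespace>-truststore` Secret leaves the pod in ContainerCreating rather than starting without a truststore; that fail-closed behavior matches the `optional: false` on the env reference and is the right default, but it should be called out in the chart's values documentation since it now affects every release.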
@@ -22,66 +22,98 @@ # unter der Lizenz sind dem Lizenztext zu entnehmen. # -suite: test environments +suite: test namespace truststore templates: - templates/deployment.yaml +release: + name: user-manager + namespace: by-helm-test set: ozgcloud: bundesland: by bezeichner: helm - environment: dev + environment: test sso: serverUrl: sso.test.sh.ozg-cloud.de baseUrl: test.sh.ozg-cloud.de tests: - it: check without truststore + set: + disableNamespaceTruststore: true asserts: - notExists: path: spec.template.spec.containers[0].args - notContains: path: spec.template.spec.containers[0].env content: - name: TRUST_STORE_PASSWORD + name: TRUSTSTORE_PASSWORD - notContains: path: spec.template.spec.containers[0].volumeMounts content: - name: optional-trust-store - mountPath: "/optional-trust-store/truststore.jks" - subPath: truststore.jks - readOnly: true + name: namespace-truststore + any: true - notContains: path: spec.template.spec.volumes content: - name: optional-trust-store + name: namespace-truststore + any: true + + - it: check with default namespace truststore + asserts: + - equal: + path: spec.template.spec.containers[0].args + value: + - '-Djavax.net.ssl.trustStore=/namespace-truststore/truststore.jks' + - '-Djavax.net.ssl.trustStorePassword=$(TRUSTSTORE_PASSWORD)' + - contains: + path: spec.template.spec.containers[0].env + content: + name: TRUSTSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: by-helm-test-truststore + key: password + optional: false + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: namespace-truststore + mountPath: "/namespace-truststore" + readOnly: true + - contains: + path: spec.template.spec.volumes + content: + name: namespace-truststore + secret: + secretName: by-helm-test-truststore - - it: check with truststore + - it: check with optional truststore set: - optionalTrustStoreSecretName: optional-trust-store-secret + optionalTrustStoreSecretName: optional-truststore-secret asserts: - equal: path: 
spec.template.spec.containers[0].args value: - - '-Djavax.net.ssl.trustStore=/optional-trust-store/truststore.jks' - - '-Djavax.net.ssl.trustStorePassword=$(TRUST_STORE_PASSWORD)' + - '-Djavax.net.ssl.trustStore=/namespace-truststore/truststore.jks' + - '-Djavax.net.ssl.trustStorePassword=$(TRUSTSTORE_PASSWORD)' - contains: path: spec.template.spec.containers[0].env content: - name: TRUST_STORE_PASSWORD + name: TRUSTSTORE_PASSWORD valueFrom: secretKeyRef: - name: optional-trust-store-secret + name: optional-truststore-secret key: password optional: false - contains: path: spec.template.spec.containers[0].volumeMounts content: - name: optional-trust-store - mountPath: "/optional-trust-store/truststore.jks" - subPath: truststore.jks + name: namespace-truststore + mountPath: "/namespace-truststore" readOnly: true - contains: path: spec.template.spec.volumes content: - name: optional-trust-store + name: namespace-truststore secret: - secretName: optional-trust-store-secret \ No newline at end of file + secretName: optional-truststore-secret \ No newline at end of file diff --git a/src/test/helm/deplyoment_cert_bindings_test.yaml b/src/test/helm/deplyoment_cert_bindings_test.yaml index 3fec0d1b00b5d5750bfb97bb558de92287837d98..2ac5c0cb0773eb12682dc32a34486b3d3899787c 100644 --- a/src/test/helm/deplyoment_cert_bindings_test.yaml +++ b/src/test/helm/deplyoment_cert_bindings_test.yaml @@ -81,13 +81,6 @@ tests: name: user-manager-tls-certificate any: true - - it: should not have volume mounts - set: - disableGrpcServerTls: true - asserts: - - notExists: - path: spec.template.spec.containers[0].volumeMounts - - it: should not have volume for user-manager root certificate set: disableGrpcServerTls: true @@ -96,10 +89,3 @@ tests: - notContains: path: spec.template.spec.volumes any: true - - - it: should not have volume - set: - disableGrpcServerTls: true - asserts: - - notExists: - path: spec.template.spec.volumes
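Review bot: The rewritten suite has no case for `disableNamespaceTruststore: true` combined with `optionalTrustStoreSecretName`, which is the one combination where the template's behavior is surprising: deployment.yaml gates the env var, args, mount and volume solely on `disableNamespaceTruststore`, so an explicitly named Secret is silently ignored. A fourth `it:` that sets both values and repeats the four `notExists`/`notContains` asserts from "check without truststore" would pin that down and catch a regression in either direction. The "check with optional truststore" case could additionally assert with `notContains` that `by-helm-test-truststore` does not appear in `spec.template.spec.volumes`, so the override is verified to replace the default rather than be rendered alongside it.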