From d30eaf57951f8dd6cd871f633dce35e3637d49cd Mon Sep 17 00:00:00 2001
From: OZGCloud <ozgcloud@mgm-tp.com>
Date: Tue, 9 Apr 2024 12:55:26 +0200
Subject: [PATCH] ozg-3322 use namespace truststore

---
 src/main/helm/templates/_helpers.tpl          |  8 +++
 src/main/helm/templates/deployment.yaml       | 27 +++----
 ...deployment_namespace_truststore_test.yaml} | 70 ++++++++++++++-----
 .../helm/deplyoment_cert_bindings_test.yaml   | 14 ----
 4 files changed, 70 insertions(+), 49 deletions(-)
 rename src/test/helm/{deployment_optional_trust_store_test.yaml => deployment_namespace_truststore_test.yaml} (54%)

diff --git a/src/main/helm/templates/_helpers.tpl b/src/main/helm/templates/_helpers.tpl
index f0fef252..5008dfc8 100644
--- a/src/main/helm/templates/_helpers.tpl
+++ b/src/main/helm/templates/_helpers.tpl
@@ -145,4 +145,12 @@ app.kubernetes.io/namespace: {{ include "app.namespace" . }}
 
 {{- define "app.serviceAccountName" -}}
 {{ printf "%s" ( (.Values.serviceAccount).name | default "user-manager-service-account" ) }}
+{{- end -}}
+
+{{- define "app.truststoreSecretName" -}}
+{{- if .Values.optionalTrustStoreSecretName -}}
+{{ .Values.optionalTrustStoreSecretName }}
+{{- else -}}
+{{ printf "%s-truststore" .Release.Namespace }}
+{{- end -}}
 {{- end -}}
\ No newline at end of file
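Review bot: The fallback branch of `app.truststoreSecretName` builds the name from `.Release.Namespace`, while the hunk header shows the chart labelling resources with `include "app.namespace" .`; if that helper can resolve to something other than the release namespace (it is defined outside this hunk, so this is inferred), the secret reference and the namespace label would disagree, and both should come from the same source. The new define also carries no comment, so the precedence between the override and the default is only visible by reading the branches; a line such as `{{/* Name of the secret holding truststore.jks and password: optionalTrustStoreSecretName if set, else <release namespace>-truststore */}}` above the define would state it. The override value is emitted unquoted, which is fine for a plain secret name but worth keeping in mind if the value is ever templated.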
diff --git a/src/main/helm/templates/deployment.yaml b/src/main/helm/templates/deployment.yaml
index e8f5ea01..9f6d8e4a 100644
--- a/src/main/helm/templates/deployment.yaml
+++ b/src/main/helm/templates/deployment.yaml
@@ -116,16 +116,16 @@ spec:
         {{- with (.Values.env).customList }}
 {{ toYaml . | indent 8 }}
         {{- end }}
-        {{- if .Values.optionalTrustStoreSecretName }}
-        - name: TRUST_STORE_PASSWORD
+        {{- if not .Values.disableNamespaceTruststore }}
+        - name: TRUSTSTORE_PASSWORD
           valueFrom:
             secretKeyRef:
-              name: {{ .Values.optionalTrustStoreSecretName }}
+              name: {{ include "app.truststoreSecretName" . }}
               key: password
               optional: false
         args:
-          - '-Djavax.net.ssl.trustStore=/optional-trust-store/truststore.jks'
-          - '-Djavax.net.ssl.trustStorePassword=$(TRUST_STORE_PASSWORD)'
+          - '-Djavax.net.ssl.trustStore=/namespace-truststore/truststore.jks'
+          - '-Djavax.net.ssl.trustStorePassword=$(TRUSTSTORE_PASSWORD)'
         {{- end }}
         image: "{{ .Values.image.repo }}/{{ .Values.image.name }}:{{ coalesce (.Values.image).tag "latest" }}"
         imagePullPolicy: Always
@@ -191,7 +191,6 @@ spec:
         terminationMessagePath: /dev/termination-log
         terminationMessagePolicy: File
         tty: true
-        {{- if or (not .Values.disableGrpcServerTls) .Values.optionalTrustStoreSecretName }}
         volumeMounts:
           {{- if not .Values.disableGrpcServerTls }}
           - name: user-manager-tls-certificate
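Review bot: Dropping the `{{- if or (not .Values.disableGrpcServerTls) .Values.optionalTrustStoreSecretName }}` guard means `volumeMounts:` is always emitted, and when both `disableGrpcServerTls` and `disableNamespaceTruststore` are true nothing follows the key, so it renders as null; the same applies to `volumes:` in the next hunk, whose guard is removed as well. The API server tolerates a null list, but the deleted `should not have volume mounts` and `should not have volume` cases in deplyoment_cert_bindings_test.yaml were the only coverage of that combination, and no replacement is added. Either keep the guard as `{{- if or (not .Values.disableGrpcServerTls) (not .Values.disableNamespaceTruststore) }}` so the keys disappear cleanly, or add a test that sets both flags and asserts `notExists` (or `isNull`) on `spec.template.spec.containers[0].volumeMounts` and `spec.template.spec.volumes`. The container spec starts before this hunk.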
@@ -203,25 +202,21 @@ spec:
             subPath: tls.key
             readOnly: true
           {{- end }}
-          {{- if .Values.optionalTrustStoreSecretName }}
-          - name: optional-trust-store
-            mountPath: "/optional-trust-store/truststore.jks"
-            subPath: truststore.jks
+          {{- if not .Values.disableNamespaceTruststore }}
+          - name: namespace-truststore
+            mountPath: "/namespace-truststore"
             readOnly: true
           {{- end }}
-        {{- end }}
-      {{- if or (not .Values.disableGrpcServerTls) .Values.optionalTrustStoreSecretName }}
       volumes:
         {{- if not .Values.disableGrpcServerTls }}
          - name: user-manager-tls-certificate
            secret:
               secretName: user-manager-tls-cert
         {{- end }}
-        {{- if .Values.optionalTrustStoreSecretName }}
-         - name: optional-trust-store
+        {{- if not .Values.disableNamespaceTruststore }}
+         - name: namespace-truststore
            secret:
-              secretName: {{ .Values.optionalTrustStoreSecretName }}
-        {{- end }}
+              secretName: {{ include "app.truststoreSecretName" . }}
         {{- end }}
       dnsConfig: {}
       dnsPolicy: ClusterFirst
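Review bot: The mount at `mountPath: "/namespace-truststore"` drops the `subPath: truststore.jks` the old mount had, so the whole secret is projected into the container, including the `password` key that the env block already injects through `secretKeyRef`; the JVM only reads `truststore.jks` from that path, so the extra file is redundant exposure inside the container. If the intent was to let truststore rotation propagate (subPath mounts do not receive updates), that trade-off deserves a comment above the mount such as `# whole-secret mount so a rotated truststore.jks is picked up; the password key is visible under this path as well`, otherwise restoring `subPath: truststore.jks` keeps the old footprint. Separately, the new `- name: namespace-truststore` entry under `volumes:` is indented one space deeper than the `volumeMounts` entries, continuing a pre-existing inconsistency in this template that yamllint's indentation rule would flag.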
diff --git a/src/test/helm/deployment_optional_trust_store_test.yaml b/src/test/helm/deployment_namespace_truststore_test.yaml
similarity index 54%
rename from src/test/helm/deployment_optional_trust_store_test.yaml
rename to src/test/helm/deployment_namespace_truststore_test.yaml
index d31e8fbc..ae7b2a04 100644
--- a/src/test/helm/deployment_optional_trust_store_test.yaml
+++ b/src/test/helm/deployment_namespace_truststore_test.yaml
@@ -22,66 +22,98 @@
 # unter der Lizenz sind dem Lizenztext zu entnehmen.
 #
 
-suite: test environments
+suite: test namespace truststore
 templates:
   - templates/deployment.yaml
+release:
+  name: user-manager
+  namespace: by-helm-test
 set:
   ozgcloud:
     bundesland: by
     bezeichner: helm
-    environment: dev
+    environment: test
   sso:
     serverUrl: sso.test.sh.ozg-cloud.de
   baseUrl: test.sh.ozg-cloud.de
 tests:
   - it: check without truststore
+    set:
+      disableNamespaceTruststore: true
     asserts:
       - notExists:
           path: spec.template.spec.containers[0].args
       - notContains:
           path: spec.template.spec.containers[0].env
           content:
-            name: TRUST_STORE_PASSWORD
+            name: TRUSTSTORE_PASSWORD
       - notContains:
           path: spec.template.spec.containers[0].volumeMounts
           content:
-            name: optional-trust-store
-            mountPath: "/optional-trust-store/truststore.jks"
-            subPath: truststore.jks
-            readOnly: true
+            name: namespace-truststore
+          any: true
       - notContains:
           path: spec.template.spec.volumes
           content:
-            name: optional-trust-store
+            name: namespace-truststore
+          any: true
+
+  - it: check with default namespace truststore
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].args
+          value: 
+          - '-Djavax.net.ssl.trustStore=/namespace-truststore/truststore.jks' 
+          - '-Djavax.net.ssl.trustStorePassword=$(TRUSTSTORE_PASSWORD)'
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: TRUSTSTORE_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: by-helm-test-truststore
+                key: password
+                optional: false
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: namespace-truststore
+            mountPath: "/namespace-truststore"
+            readOnly: true
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: namespace-truststore
+            secret:
+              secretName: by-helm-test-truststore
 
-  - it: check with truststore
+  - it: check with optional truststore
     set:
-      optionalTrustStoreSecretName: optional-trust-store-secret
+      optionalTrustStoreSecretName: optional-truststore-secret
     asserts:
       - equal:
           path: spec.template.spec.containers[0].args
           value: 
-          - '-Djavax.net.ssl.trustStore=/optional-trust-store/truststore.jks' 
-          - '-Djavax.net.ssl.trustStorePassword=$(TRUST_STORE_PASSWORD)'
+          - '-Djavax.net.ssl.trustStore=/namespace-truststore/truststore.jks' 
+          - '-Djavax.net.ssl.trustStorePassword=$(TRUSTSTORE_PASSWORD)'
       - contains:
           path: spec.template.spec.containers[0].env
           content:
-            name: TRUST_STORE_PASSWORD
+            name: TRUSTSTORE_PASSWORD
             valueFrom:
               secretKeyRef:
-                name: optional-trust-store-secret
+                name: optional-truststore-secret
                 key: password
                 optional: false
       - contains:
           path: spec.template.spec.containers[0].volumeMounts
           content:
-            name: optional-trust-store
-            mountPath: "/optional-trust-store/truststore.jks"
-            subPath: truststore.jks
+            name: namespace-truststore
+            mountPath: "/namespace-truststore"
             readOnly: true
       - contains:
           path: spec.template.spec.volumes
           content:
-            name: optional-trust-store
+            name: namespace-truststore
             secret:
-              secretName: optional-trust-store-secret
\ No newline at end of file
+              secretName: optional-truststore-secret
\ No newline at end of file
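Review bot: The `check without truststore` case sets only `disableNamespaceTruststore: true`; there is no case that sets it together with `optionalTrustStoreSecretName`, which is exactly the combination where this change alters semantics (the optional secret is no longer honoured once the namespace truststore is disabled), so a test pinning that outcome would document the intended precedence. The `by-helm-test-truststore` expectation is the only place the `<release namespace>-truststore` fallback is exercised, and a short comment on that line, e.g. `# derived from release.namespace via app.truststoreSecretName`, would make the dependency on the `release:` block at the top visible. Style: `value: ` on both `equal` assertions and the first `-Djavax.net.ssl.trustStore` item carry trailing whitespace, and the list beneath `value:` is written flush while every other sequence in the file is indented; indenting the two items two spaces under `value:` and trimming the trailing spaces would satisfy yamllint. The file still ends without a trailing newline.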
diff --git a/src/test/helm/deplyoment_cert_bindings_test.yaml b/src/test/helm/deplyoment_cert_bindings_test.yaml
index 3fec0d1b..2ac5c0cb 100644
--- a/src/test/helm/deplyoment_cert_bindings_test.yaml
+++ b/src/test/helm/deplyoment_cert_bindings_test.yaml
@@ -81,13 +81,6 @@ tests:
             name: user-manager-tls-certificate
           any: true
 
-  - it: should not have volume mounts
-    set:
-      disableGrpcServerTls: true
-    asserts:
-      - notExists:
-          path: spec.template.spec.containers[0].volumeMounts
-
   - it: should not have volume for user-manager root certificate
     set:
       disableGrpcServerTls: true
@@ -96,10 +89,3 @@ tests:
       - notContains:
           path: spec.template.spec.volumes
         any: true
-
-  - it: should not have volume
-    set:
-      disableGrpcServerTls: true
-    asserts:
-      - notExists:
-          path: spec.template.spec.volumes
-- 
GitLab