ozg-3322 use namespace truststore

src/main/helm/templates/_helpers.tpl

@@ -146,3 +146,11 @@ app.kubernetes.io/namespace: {{ include "app.namespace" . }}
 {{- define "app.serviceAccountName" -}}
 {{ printf "%s" ( (.Values.serviceAccount).name | default "user-manager-service-account" ) }}
 {{- end -}}
+
+{{- define "app.truststoreSecretName" -}}
+{{- if .Values.optionalTrustStoreSecretName -}}
+{{ .Values.optionalTrustStoreSecretName }}
+{{- else -}}
+{{ printf "%s-truststore" .Release.Namespace }}
+{{- end -}}
+{{- end -}}
\ No newline at end of file

src/main/helm/templates/deployment.yaml

@@ -116,16 +116,16 @@ spec:
         {{- with (.Values.env).customList }}
 {{ toYaml . | indent 8 }}
         {{- end }}
-        {{- if .Values.optionalTrustStoreSecretName }}
-        - name: TRUST_STORE_PASSWORD
+        {{- if not .Values.disableNamespaceTruststore }}
+        - name: TRUSTSTORE_PASSWORD
           valueFrom:
             secretKeyRef:
-              name: {{ .Values.optionalTrustStoreSecretName }}
+              name: {{ include "app.truststoreSecretName" . }}
               key: password
               optional: false
         args:
-          - '-Djavax.net.ssl.trustStore=/optional-trust-store/truststore.jks'
-          - '-Djavax.net.ssl.trustStorePassword=$(TRUST_STORE_PASSWORD)'
+          - '-Djavax.net.ssl.trustStore=/namespace-truststore/truststore.jks'
+          - '-Djavax.net.ssl.trustStorePassword=$(TRUSTSTORE_PASSWORD)'
         {{- end }}
         image: "{{ .Values.image.repo }}/{{ .Values.image.name }}:{{ coalesce (.Values.image).tag "latest" }}"
         imagePullPolicy: Always
@@ -191,7 +191,6 @@ spec:
         terminationMessagePath: /dev/termination-log
         terminationMessagePolicy: File
         tty: true
-        {{- if or (not .Values.disableGrpcServerTls) .Values.optionalTrustStoreSecretName }}
         volumeMounts:
           {{- if not .Values.disableGrpcServerTls }}
           - name: user-manager-tls-certificate
@@ -203,25 +202,21 @@ spec:
             subPath: tls.key
             readOnly: true
           {{- end }}
-          {{- if .Values.optionalTrustStoreSecretName }}
-          - name: optional-trust-store
-            mountPath: "/optional-trust-store/truststore.jks"
-            subPath: truststore.jks
+          {{- if not .Values.disableNamespaceTruststore }}
+          - name: namespace-truststore
+            mountPath: "/namespace-truststore"
             readOnly: true
           {{- end }}
-        {{- end }}
-      {{- if or (not .Values.disableGrpcServerTls) .Values.optionalTrustStoreSecretName }}
       volumes:
         {{- if not .Values.disableGrpcServerTls }}
          - name: user-manager-tls-certificate
            secret:
               secretName: user-manager-tls-cert
         {{- end }}
-        {{- if .Values.optionalTrustStoreSecretName }}
-         - name: optional-trust-store
+        {{- if not .Values.disableNamespaceTruststore }}
+         - name: namespace-truststore
            secret:
-              secretName: {{ .Values.optionalTrustStoreSecretName }}
-        {{- end }}
+              secretName: {{ include "app.truststoreSecretName" . }}
         {{- end }}
       dnsConfig: {}
       dnsPolicy: ClusterFirst

src/test/helm/deployment_optional_trust_store_test.yaml → src/test/helm/deployment_namespace_truststore_test.yaml

@@ -22,66 +22,98 @@
 # unter der Lizenz sind dem Lizenztext zu entnehmen.
 #
 
-suite: test environments
+suite: test namespace truststore
 templates:
   - templates/deployment.yaml
+release:
+  name: user-manager
+  namespace: by-helm-test
 set:
   ozgcloud:
     bundesland: by
     bezeichner: helm
-    environment: dev
+    environment: test
   sso:
     serverUrl: sso.test.sh.ozg-cloud.de
   baseUrl: test.sh.ozg-cloud.de
 tests:
   - it: check without truststore
+    set:
+      disableNamespaceTruststore: true
     asserts:
       - notExists:
           path: spec.template.spec.containers[0].args
       - notContains:
           path: spec.template.spec.containers[0].env
           content:
-            name: TRUST_STORE_PASSWORD
+            name: TRUSTSTORE_PASSWORD
       - notContains:
           path: spec.template.spec.containers[0].volumeMounts
           content:
-            name: optional-trust-store
-            mountPath: "/optional-trust-store/truststore.jks"
-            subPath: truststore.jks
-            readOnly: true
+            name: namespace-truststore
+          any: true
       - notContains:
           path: spec.template.spec.volumes
           content:
-            name: optional-trust-store
+            name: namespace-truststore
+          any: true
+
+  - it: check with default namespace truststore
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].args
+          value: 
+          - '-Djavax.net.ssl.trustStore=/namespace-truststore/truststore.jks' 
+          - '-Djavax.net.ssl.trustStorePassword=$(TRUSTSTORE_PASSWORD)'
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: TRUSTSTORE_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: by-helm-test-truststore
+                key: password
+                optional: false
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: namespace-truststore
+            mountPath: "/namespace-truststore"
+            readOnly: true
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: namespace-truststore
+            secret:
+              secretName: by-helm-test-truststore
 
-  - it: check with truststore
+  - it: check with optional truststore
     set:
-      optionalTrustStoreSecretName: optional-trust-store-secret
+      optionalTrustStoreSecretName: optional-truststore-secret
     asserts:
       - equal:
           path: spec.template.spec.containers[0].args
           value: 
-          - '-Djavax.net.ssl.trustStore=/optional-trust-store/truststore.jks' 
-          - '-Djavax.net.ssl.trustStorePassword=$(TRUST_STORE_PASSWORD)'
+          - '-Djavax.net.ssl.trustStore=/namespace-truststore/truststore.jks' 
+          - '-Djavax.net.ssl.trustStorePassword=$(TRUSTSTORE_PASSWORD)'
       - contains:
           path: spec.template.spec.containers[0].env
           content:
-            name: TRUST_STORE_PASSWORD
+            name: TRUSTSTORE_PASSWORD
             valueFrom:
               secretKeyRef:
-                name: optional-trust-store-secret
+                name: optional-truststore-secret
                 key: password
                 optional: false
       - contains:
           path: spec.template.spec.containers[0].volumeMounts
           content:
-            name: optional-trust-store
-            mountPath: "/optional-trust-store/truststore.jks"
-            subPath: truststore.jks
+            name: namespace-truststore
+            mountPath: "/namespace-truststore"
             readOnly: true
       - contains:
           path: spec.template.spec.volumes
           content:
-            name: optional-trust-store
+            name: namespace-truststore
             secret:
-              secretName: optional-trust-store-secret
\ No newline at end of file
+              secretName: optional-truststore-secret
\ No newline at end of file

src/test/helm/deplyoment_cert_bindings_test.yaml

@@ -81,13 +81,6 @@ tests:
             name: user-manager-tls-certificate
           any: true
 
-  - it: should not have volume mounts
-    set:
-      disableGrpcServerTls: true
-    asserts:
-      - notExists:
-          path: spec.template.spec.containers[0].volumeMounts
-
   - it: should not have volume for user-manager root certificate
     set:
       disableGrpcServerTls: true
@@ -96,10 +89,3 @@ tests:
       - notContains:
           path: spec.template.spec.volumes
         any: true
-
-  - it: should not have volume
-    set:
-      disableGrpcServerTls: true
-    asserts:
-      - notExists:
-          path: spec.template.spec.volumes