diff --git a/src/main/helm/templates/deployment.yaml b/src/main/helm/templates/deployment.yaml
index d39c08c77eccc29604fe19c79e9de5c81b731665..938946431b8c929bd0bd636f933072eedbe44fca 100644
--- a/src/main/helm/templates/deployment.yaml
+++ b/src/main/helm/templates/deployment.yaml
@@ -63,7 +63,7 @@ spec:
 value: "/bindings"
 - name: spring_profiles_active
 value: {{ include "app.envSpringProfiles" . }}
- - name: ozgcloud_nachrichten-manager_url
+ - name: ozgcloud_nachrichten-manager_address
 value: {{ include "app.ozgcloud_vorgangmanager_address" . }}
 {{- if .Values.env.ozgcloudAktenzeichen.enabled }}
 - name: ozgcloud_aktenzeichen
@@ -186,12 +186,12 @@ spec:
 value: {{ quote .Values.ozgcloud.antragraum.enabled }}
 - name: ozgcloud_antragraum_url
 value: {{ quote (required "ozgcloud.antragraum.url must be set if ozgcloud.antragraum is enabled" ((.Values.ozgcloud).antragraum).url) }}
- - name: ozgcloud_antragraum_metadatauri
+ - name: ozgcloud_antragraum_metadataUri
 value: {{ quote (required "ozgcloud.antragraum.metadataUri must be set if ozgcloud.antragraum is enabled" ((.Values.ozgcloud).antragraum).metadataUri) }}
- - name: ozgcloud_antragraum_decryptionprivatekey
- value: {{ quote (required "ozgcloud.antragraum.decryptionPrivateKey must be set if ozgcloud.antragraum is enabled" ((.Values.ozgcloud).antragraum).decryptionPrivateKey) }}
- - name: ozgcloud_antragraum_decryptioncertificate
- value: {{ quote (required "ozgcloud.antragraum.decryptionCertificate must be set if ozgcloud.antragraum is enabled" ((.Values.ozgcloud).antragraum).decryptionCertificate) }}
+ - name: ozgcloud_antragraum_decryptionPrivateKey
+ value: "file:/keystore/bayernid/bayern-id.key"
+ - name: ozgcloud_antragraum_decryptionCertificate
+ value: "file:/keystore/bayernid/bayern-id.crt"
 {{- end }}
 {{- if (((.Values.ozgcloud).feature).bescheid).enableDummyDocumentProcessor }}
 - name: ozgcloud_feature_bescheid_enableDummyDocumentProcessor
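Review bot: The new `file:/keystore/bayernid/bayern-id.key` and `.crt` values hard-code a path and two file names that must agree with the `mountPath` in the volumeMounts hunk and with the key names inside the `bayernid-certificate` Secret, and nothing in the chart states that contract; a Secret with differently named keys renders fine and only fails when the application opens the file. A comment above the two env entries, `# paths must match the bayernid-certificate volume mount below; the Secret must carry keys bayern-id.key and bayern-id.crt`, makes the dependency visible, and a single named value or template for `/keystore/bayernid` keeps the two hunks from drifting. Dropping the `required` guards also means a values file that still sets `ozgcloud.antragraum.decryptionPrivateKey` or `decryptionCertificate` is now silently ignored; a guard such as `{{- if ((.Values.ozgcloud).antragraum).decryptionPrivateKey }}{{ fail "ozgcloud.antragraum.decryptionPrivateKey is no longer used; mount the bayernid-certificate Secret instead" }}{{- end }}` would catch the migration. The `{{- if }}` that the closing `{{- end }}` belongs to starts before the hunk.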
@@ -315,6 +315,12 @@ spec:
 subPath: ca.crt
 readOnly: true
 {{- end }}
+
+ {{- if ((.Values.ozgcloud).antragraum).enabled }}
+ - name: bayernid-certificate
+ mountPath: "/keystore/bayernid"
+ readOnly: true
+ {{- end }}
 - name: namespace-ca-cert
 mountPath: "/bindings/namespace-certificate"
 readOnly: true
@@ -336,6 +342,12 @@ spec:
 secret:
 secretName: user-manager-tls-cert
 {{- end }}
+ {{- if ((.Values.ozgcloud).antragraum).enabled }}
+ - name: bayernid-certificate
+ secret:
+ secretName: bayernid-certificate
+ optional: false
+ {{- end }}
 - name: vorgang-manager-grpc-tls-cert
 secret:
 secretName: vorgang-manager-grpc-tls-cert
diff --git a/src/main/helm/templates/network_policy.yaml b/src/main/helm/templates/network_policy.yaml
index 4e92477186bd11308c58de1cc1c5f05c3d6207f0..f660d0c7ed61ccf8669f917e6381bd711938b78e 100644
--- a/src/main/helm/templates/network_policy.yaml
+++ b/src/main/helm/templates/network_policy.yaml
@@ -45,6 +45,16 @@ spec:
 - podSelector:
 matchLabels:
 ozg-component: eingangsadapter
+{{- if ((.Values.ozgcloud).antragraum).enabled }}
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: {{ required "ozgcloud.antragraum.namespace must be set if antragraum is enabled" ((.Values.ozgcloud).antragraum).namespace }}
+ podSelector:
+ matchLabels:
+ component: antragsraum-server
+{{- end }}
+
 {{- with (.Values.networkPolicy).additionalIngressConfigLocal }}
 {{ toYaml . | indent 2 }}
 {{- end }}
@@ -87,6 +97,15 @@ spec:
 ports:
 - port: 9090
 protocol: TCP
+{{- end }}
+{{- if ((.Values.ozgcloud).antragraum).enabled }}
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: {{ required "ozgcloud.antragraum.namespace must be set if antragraum is enabled" ((.Values.ozgcloud).antragraum).namespace }}
+ podSelector:
+ matchLabels:
+ component: info-manager
 {{- end }}
 - to:
 - namespaceSelector:
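Review bot: The `bayernid-certificate` secret volume in the `@@ -336` hunk carries the SAML decryption private key but is mounted with the default file mode and without pinning which Secret keys it expects, so the key file is readable by every user inside the container and a Secret that lacks `bayern-id.key` still mounts and only fails at application start. Adding `items:` for the two expected keys turns a missing key into a mount-time error (with `optional: false` already set), and a restrictive `defaultMode` limits who can read the private key; check the mode against the pod `securityContext` (`runAsUser`/`fsGroup`), which lies outside this hunk. The volume list this entry belongs to starts before the hunk.
```yaml
{{- if ((.Values.ozgcloud).antragraum).enabled }}
- name: bayernid-certificate
  secret:
    secretName: bayernid-certificate
    optional: false
    defaultMode: 288  # 0o440; verify against the pod securityContext (outside this hunk)
    items:
      - key: bayern-id.key
        path: bayern-id.key
      - key: bayern-id.crt
        path: bayern-id.crt
{{- end }}
# … unchanged: vorgang-manager-grpc-tls-cert volume …
```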
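Review bot: The ingress rule added for `component: antragsraum-server` (and likewise the egress rule to `info-manager` in the `@@ -87` hunk) has no `ports:` section, so it admits traffic on every port the pod exposes, unlike the neighbouring rule that limits egress to `port: 9090`. Restricting it to the gRPC port, `ports:` / `- port: 9090` / `protocol: TCP`, keeps the antragraum namespace from reaching anything else on the pod; 9090 appears to be the vorgang-manager gRPC port judging by the `dns://vorgang-manager.sh-helm-test:9090` address in the test file, but confirm before pinning it, and the positive tests in network_policy_test.yaml then need the same `ports` block. Both rule lists start before their hunks.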
diff --git a/src/test/helm/deployment_antragraum_test.yaml b/src/test/helm/deployment_antragraum_test.yaml
index 9d8cc1af7e263702ba1e354064c5459800a00269..7905ec79487182bc1e11c667a1a85528bad162af 100644
--- a/src/test/helm/deployment_antragraum_test.yaml
+++ b/src/test/helm/deployment_antragraum_test.yaml
@@ -32,93 +32,120 @@ set: imagePullSecret: image-pull-secret ozgcloud: environment: dev - antragraum: - enabled: true - url: https://antragraum.address - metadataUri: "classpath:/bayernid/metadata/bayernid-idp-infra.xml" - decryptionPrivateKey: "decryptionPrivateKey_secret" - decryptionCertificate: "decryptionCertificate_secret" tests: - - it: should enable antragraum - templates: - - templates/deployment.yaml + - it: should set antragraum values + set: + ozgcloud: + antragraum: + enabled: true + url: https://antragraum.address + metadataUri: "classpath:/bayernid/metadata/bayernid-idp-infra.xml" asserts: - contains: path: spec.template.spec.containers[0].env content: name: ozgcloud_antragraum_enabled value: "true" + - contains: + path: spec.template.spec.containers[0].env + content: + name: ozgcloud_antragraum_url + value: https://antragraum.address + - contains: + path: spec.template.spec.containers[0].env + content: + name: ozgcloud_antragraum_metadataUri + value: "classpath:/bayernid/metadata/bayernid-idp-infra.xml" + - contains: + path: spec.template.spec.containers[0].env + content: + name: ozgcloud_antragraum_decryptionPrivateKey + value: "file:/keystore/bayernid/bayern-id.key" + - contains: + path: spec.template.spec.containers[0].env + content: + name: ozgcloud_antragraum_decryptionCertificate + value: "file:/keystore/bayernid/bayern-id.crt" + + - it: should not generate antragsraum config if disabled + set: + ozgcloud.antragraum.enabled: false + asserts: + - notContains: + path: spec.template.spec.containers[0].env + content: + name: ozgcloud_antragraum_enabled + value: "true" + - it: should fail if antragraum url is not set set: ozgcloud: - environment: dev antragraum: enabled: true - url: + metadataUri: "classpath:/bayernid/metadata/bayernid-idp-infra.xml" asserts: - failedTemplate: errorMessage: "ozgcloud.antragraum.url must be set if ozgcloud.antragraum is enabled" - - it: should set metadataUri - asserts: - - contains: - path: 
spec.template.spec.containers[0].env - content: - name: ozgcloud_antragraum_metadatauri - value: "classpath:/bayernid/metadata/bayernid-idp-infra.xml" - it: should fail if metadataUri is not set set: ozgcloud: antragraum: - metadataUri: + enabled: true + url: https://antragraum.address asserts: - failedTemplate: errorMessage: "ozgcloud.antragraum.metadataUri must be set if ozgcloud.antragraum is enabled" - - - it: should set metadataUri - asserts: - - contains: - path: spec.template.spec.containers[0].env - content: - name: ozgcloud_antragraum_metadatauri - value: "classpath:/bayernid/metadata/bayernid-idp-infra.xml" - - it: should fail if metadataUri is not set + + + - it: should set volumeMounts set: ozgcloud: antragraum: - metadataUri: - asserts: - - failedTemplate: - errorMessage: "ozgcloud.antragraum.metadataUri must be set if ozgcloud.antragraum is enabled" - - - it: should set decryptionPrivateKey + enabled: true + url: https://antragraum.address + metadataUri: "classpath:/bayernid/metadata/bayernid-idp-infra.xml" asserts: - contains: - path: spec.template.spec.containers[0].env + path: spec.template.spec.containers[0].volumeMounts content: - name: ozgcloud_antragraum_decryptionprivatekey - value: "decryptionPrivateKey_secret" - - it: should fail if decryptionPrivateKey is not set + name: bayernid-certificate + mountPath: "/keystore/bayernid" + readOnly: true + - it: should not set volumeMounts if antragsraum is disabled + set: + ozgcloud.antragraum.enabled: false + asserts: + - notContains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: bayernid-certificate + mountPath: "/keystore/bayernid" + readOnly: true + + - it: should have volumes set: ozgcloud: antragraum: - decryptionPrivateKey: - asserts: - - failedTemplate: - errorMessage: "ozgcloud.antragraum.decryptionPrivateKey must be set if ozgcloud.antragraum is enabled" - - - it: should set decryptionPrivateKey + enabled: true + url: https://antragraum.address + metadataUri: 
"classpath:/bayernid/metadata/bayernid-idp-infra.xml" asserts: - contains: - path: spec.template.spec.containers[0].env + path: spec.template.spec.volumes content: - name: ozgcloud_antragraum_decryptioncertificate - value: "decryptionCertificate_secret" - - it: should fail if decryptionCertificate is not set + name: bayernid-certificate + secret: + secretName: bayernid-certificate + optional: false + - it: should not have volumes if antragsraum is disabled set: - ozgcloud: - antragraum: - decryptionCertificate: + ozgcloud.antragraum.enabled: false asserts: - - failedTemplate: - errorMessage: "ozgcloud.antragraum.decryptionCertificate must be set if ozgcloud.antragraum is enabled" \ No newline at end of file + - notContains: + path: spec.template.spec.volumes + content: + name: bayernid-certificate + secret: + secretName: bayernid-certificate + optional: false \ No newline at end of file diff --git a/src/test/helm/deployment_bayernid_test.yaml b/src/test/helm/deployment_bayernid_test.yaml index f0dee5aaac2e396ea171e929e934bc1b71ddf51e..2a73c2761d442304840198966a1641a74081124a 100644 --- a/src/test/helm/deployment_bayernid_test.yaml +++ b/src/test/helm/deployment_bayernid_test.yaml 
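Review bot: The `should not generate antragsraum config if disabled` test only asserts that `ozgcloud_antragraum_enabled` is not `"true"`; it does not cover the two new key-path env vars, which are the part of this change the `{{- if }}` guard in deployment.yaml is meant to suppress (the guard's opening line is outside that hunk, so this assumes the key entries sit under it). Two further `notContains` assertions on `ozgcloud_antragraum_decryptionPrivateKey` and `ozgcloud_antragraum_decryptionCertificate` would pin that. The file also ends without a trailing newline (`\ No newline at end of file`), as do deployment_bayernid_test.yaml and network_policy_test.yaml in this commit.
```yaml
  - it: should not generate antragsraum config if disabled
    set:
      ozgcloud.antragraum.enabled: false
    asserts:
      # … unchanged: existing notContains for ozgcloud_antragraum_enabled …
      - notContains:
          path: spec.template.spec.containers[0].env
          content:
            name: ozgcloud_antragraum_decryptionPrivateKey
            value: "file:/keystore/bayernid/bayern-id.key"
      - notContains:
          path: spec.template.spec.containers[0].env
          content:
            name: ozgcloud_antragraum_decryptionCertificate
            value: "file:/keystore/bayernid/bayern-id.crt"
```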
@@ -31,132 +31,161 @@ templates: set: ozgcloud: environment: dev - bayernid: - enabled: true - proxy: - address: https://proxy.address.local - absender: - postkorbId: "postkorbId" - name: "name" - anschrift: "anschrift" - dienst: "dienst" - mandant: "mandant" - gemeindeSchluessel: "gemeindeSchluessel" imagePullSecret: test-image-pull-secret tests: - - it: should enable bayernid + - it: should set bayernid values + set: + ozgcloud: + bayernid: + enabled: true + proxy: + address: https://proxy.address.local + absender: + postkorbId: "postkorbId" + name: "name" + anschrift: "anschrift" + dienst: "dienst" + mandant: "mandant" + gemeindeSchluessel: "gemeindeSchluessel" asserts: - contains: path: spec.template.spec.containers[0].env content: name: ozgcloud_bayernid_enabled value: "true" - - - it: should set absender name - asserts: - contains: path: spec.template.spec.containers[0].env content: name: ozgcloud_bayernid_absender_name value: "name" + - contains: + path: spec.template.spec.containers[0].env + content: + name: ozgcloud_bayernid_absender_anschrift + value: "anschrift" + - contains: + path: spec.template.spec.containers[0].env + content: + name: ozgcloud_bayernid_absender_dienst + value: "dienst" + - contains: + path: spec.template.spec.containers[0].env + content: + name: ozgcloud_bayernid_absender_mandant + value: "mandant" + - contains: + path: spec.template.spec.containers[0].env + content: + name: ozgcloud_bayernid_absender_gemeindeSchluessel + value: "gemeindeSchluessel" + - contains: + path: spec.template.spec.containers[0].env + content: + name: grpc_client_bayern-id_address + value: https://proxy.address.local + - contains: + path: spec.template.spec.containers[0].env + content: + name: grpc_client_bayern-id_negotiationType + value: PLAINTEXT + - it: should fail if absender name is not set set: ozgcloud: bayernid: + enabled: true + proxy: + address: https://proxy.address.local absender: - name: + postkorbId: "postkorbId" + anschrift: "anschrift" + 
dienst: "dienst" + mandant: "mandant" + gemeindeSchluessel: "gemeindeSchluessel" asserts: - failedTemplate: errorMessage: "ozgcloud.bayernid.absender.name must be set if ozgcloud.bayernid is enabled" - - it: should set absender anschrift - asserts: - - contains: - path: spec.template.spec.containers[0].env - content: - name: ozgcloud_bayernid_absender_anschrift - value: "anschrift" - it: should fail if absender anschrift is not set set: ozgcloud: bayernid: + enabled: true + proxy: + address: https://proxy.address.local absender: - anschrift: + postkorbId: "postkorbId" + name: "name" + dienst: "dienst" + mandant: "mandant" + gemeindeSchluessel: "gemeindeSchluessel" asserts: - failedTemplate: errorMessage: "ozgcloud.bayernid.absender.anschrift must be set if ozgcloud.bayernid is enabled" - - it: should set absender dienst - asserts: - - contains: - path: spec.template.spec.containers[0].env - content: - name: ozgcloud_bayernid_absender_dienst - value: "dienst" - it: should fail if absender dienst is not set set: ozgcloud: bayernid: + enabled: true + proxy: + address: https://proxy.address.local absender: - dienst: + postkorbId: "postkorbId" + name: "name" + anschrift: "anschrift" + mandant: "mandant" + gemeindeSchluessel: "gemeindeSchluessel" asserts: - failedTemplate: errorMessage: "ozgcloud.bayernid.absender.dienst must be set if ozgcloud.bayernid is enabled" - - it: should set absender mandant - asserts: - - contains: - path: spec.template.spec.containers[0].env - content: - name: ozgcloud_bayernid_absender_mandant - value: "mandant" - it: should fail if absender mandant is not set set: ozgcloud: bayernid: + enabled: true + proxy: + address: https://proxy.address.local absender: - mandant: + postkorbId: "postkorbId" + name: "name" + anschrift: "anschrift" + dienst: "dienst" + gemeindeSchluessel: "gemeindeSchluessel" asserts: - failedTemplate: errorMessage: "ozgcloud.bayernid.absender.mandant must be set if ozgcloud.bayernid is enabled" - - - it: should contains 
absender gemeindeSchluessel - asserts: - - contains: - path: spec.template.spec.containers[0].env - content: - name: ozgcloud_bayernid_absender_gemeindeSchluessel - value: "gemeindeSchluessel" - it: should fail if absender gemeindeSchluessel is not set set: ozgcloud: bayernid: + enabled: true + proxy: + address: https://proxy.address.local absender: - gemeindeSchluessel: + postkorbId: "postkorbId" + name: "name" + anschrift: "anschrift" + dienst: "dienst" + mandant: "mandant" asserts: - failedTemplate: errorMessage: "ozgcloud.bayernid.absender.gemeindeSchluessel must be set if ozgcloud.bayernid is enabled" - - - it: should set the bayernid proxy grpc address - set: - ozgcloud: - bayernid: - proxy: - address: https://bayernid-proxy.my-wonderful-domain.local:9000 - asserts: - - contains: - path: spec.template.spec.containers[0].env - content: - name: grpc_client_bayern-id_address - value: https://bayernid-proxy.my-wonderful-domain.local:9000 - it: should fail if bayernid proxy is enabled but proxy address is not configured set: ozgcloud: bayernid: - proxy: - address: + enabled: true + absender: + postkorbId: "postkorbId" + name: "name" + anschrift: "anschrift" + dienst: "dienst" + mandant: "mandant" + gemeindeSchluessel: "gemeindeSchluessel" asserts: - failedTemplate: errorMessage: "ozgcloud.bayernid.proxy.address must be set if ozgcloud.bayernid is enabled" 
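Review bot: Every negative test in this hunk now carries the full `ozgcloud.bayernid` value block minus the one key under test, seven near-identical copies, while the same commit hoists shared values into a file-level `set:` in network_policy_test.yaml. If the move away from a file-level block was needed because a per-test null does not unset a file-level value in helm-unittest, that reason belongs in a one-line comment above `tests:`, e.g. `# each test sets the complete bayernid block: leaving a key out is the only way to exercise its required-guard`, so the next maintainer does not re-hoist the values and silently break the failure tests. The `set:` block that opens the hunk starts before it.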
@@ -165,18 +194,20 @@ tests:
 set:
 ozgcloud:
 bayernid:
+ enabled: true
 proxy:
+ address: https://proxy.address.local
 negotiationType: NOT_DEFAULT
+ absender:
+ postkorbId: "postkorbId"
+ name: "name"
+ anschrift: "anschrift"
+ dienst: "dienst"
+ mandant: "mandant"
+ gemeindeSchluessel: "gemeindeSchluessel"
 asserts:
 - contains:
 path: spec.template.spec.containers[0].env
 content:
 name: grpc_client_bayern-id_negotiationType
 value: NOT_DEFAULT
- - it: should set the bayernid proxy grpc default
- asserts:
- - contains:
- path: spec.template.spec.containers[0].env
- content:
- name: grpc_client_bayern-id_negotiationType
- value: PLAINTEXT
\ No newline at end of file
diff --git a/src/test/helm/deployment_nachrichten_manager_address_test.yaml b/src/test/helm/deployment_nachrichten_manager_address_test.yaml
index df50cbe8a66fdf4b2509a757ef468012499e0392..c473b5dd34e7e75f4132b0ae359f9eb47a042f44 100644
--- a/src/test/helm/deployment_nachrichten_manager_address_test.yaml
+++ b/src/test/helm/deployment_nachrichten_manager_address_test.yaml
@@ -38,5 +38,5 @@ tests:
 - contains:
 path: spec.template.spec.containers[0].env
 content:
- name: ozgcloud_nachrichten-manager_url
+ name: ozgcloud_nachrichten-manager_address
 value: dns://vorgang-manager.sh-helm-test:9090
diff --git a/src/test/helm/network_policy_test.yaml b/src/test/helm/network_policy_test.yaml
index 21ac219c19905e33604d003d0c5f7ba32da173ef..34d66bbdf6d295ec32184aa96013ee5a44acc143 100644
--- a/src/test/helm/network_policy_test.yaml
+++ b/src/test/helm/network_policy_test.yaml
@@ -27,27 +27,21 @@ release: namespace: by-helm-test templates: - templates/network_policy.yaml +set: + networkPolicy: + dnsServerNamespace: test-dns-namespace tests: - it: should match apiVersion - set: - networkPolicy: - dnsServerNamespace: test-dns-namespace asserts: - isAPIVersion: of: networking.k8s.io/v1 - it: should match kind - set: - networkPolicy: - dnsServerNamespace: test-dns-namespace asserts: - isKind: of: NetworkPolicy - it: validate metadata - set: - networkPolicy: - dnsServerNamespace: test-dns-namespace asserts: - equal: path: metadata @@ -56,9 +50,6 @@ tests: namespace: by-helm-test - it: should set policy target matchLabel - set: - networkPolicy: - dnsServerNamespace: test-dns-namespace asserts: - equal: path: spec.podSelector @@ -68,27 +59,18 @@ tests: - it: should add policyType Egress - set: - networkPolicy: - dnsServerNamespace: test-dns-namespace asserts: - contains: path: spec.policyTypes content: Egress - it: should add policyType Ingress - set: - networkPolicy: - dnsServerNamespace: test-dns-namespace asserts: - contains: path: spec.policyTypes content: Ingress - it: should add ingress rule for eingangsmanager and alfa - set: - networkPolicy: - dnsServerNamespace: test-dns-namespace asserts: - contains: path: spec.ingress 
@@ -103,11 +85,53 @@ tests: matchLabels: ozg-component: eingangsadapter + - it: should add ingress rule for antragraum if antragraum is enabled + set: + ozgcloud: + antragraum: + enabled: true + namespace: antragraum02 + asserts: + - contains: + path: spec.ingress + content: + from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: antragraum02 + podSelector: + matchLabels: + component: antragsraum-server - - it: should add egress rule to elasticsearch + + - it: should not add ingress rule for antragraum if antragraum is disabled set: - networkPolicy: - dnsServerNamespace: test-dns-namespace + ozgcloud: + antragraum: + enabled: false + asserts: + - notContains: + path: spec.ingress + content: + from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: antragraum02 + podSelector: + matchLabels: + component: antragraum-server + + - it: should throw error if antragraum is enabled but antragraum namespace is not set + set: + ozgcloud: + antragraum: + enabled: true + asserts: + - failedTemplate: + errorMessage: ozgcloud.antragraum.namespace must be set if antragraum is enabled + + + - it: should add egress rule to elasticsearch asserts: - contains: path: spec.egress @@ -124,9 +148,6 @@ tests: protocol: TCP - it: should add egress rule to mongodb - set: - networkPolicy: - dnsServerNamespace: test-dns-namespace asserts: - contains: path: spec.egress @@ -140,9 +161,6 @@ tests: protocol: TCP - it: should add egress rule to user-manager - set: - networkPolicy: - dnsServerNamespace: test-dns-namespace asserts: - contains: path: spec.egress 
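Review bot: The negative test `should not add ingress rule for antragraum if antragraum is disabled` matches on `component: antragraum-server`, while the template and the positive test directly above use `component: antragsraum-server`; the `notContains` assertion therefore passes whether or not the rule is rendered, so it proves nothing about the `enabled` guard. Change the selector line to `component: antragsraum-server` so the assertion targets the real rule; the egress counterpart in the `@@ -234` hunk already uses the matching `info-manager` label. The `tests:` list this entry belongs to starts before the hunk.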
@@ -155,32 +173,8 @@ tests: - port: 9000 protocol: TCP - - it: should add egress rule to dns service - set: - networkPolicy: - dnsServerNamespace: test-dns-namespace - asserts: - - contains: - path: spec.egress - content: - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: test-dns-namespace - ports: - - port: 53 - protocol: UDP - - port: 53 - protocol: TCP - - port: 5353 - protocol: UDP - - port: 5353 - protocol: TCP - - it: should add egress rule to nachrichten-bayernid-proxy if bayernid is enabled set: - networkPolicy: - dnsServerNamespace: test-dns-namespace ozgcloud: bayernid: enabled: true @@ -203,8 +197,6 @@ tests: - it: should not add egress rule to bayernid-proxy if bayernid is disabled set: - networkPolicy: - dnsServerNamespace: test-dns-namespace ozgcloud: bayernid: enabled: false @@ -225,8 +217,6 @@ tests: - it: should throw error if bayernid-proxy is enabled but bayernid namespace is not set set: - networkPolicy: - dnsServerNamespace: test-dns-namespace ozgcloud: bayernid: enabled: true 
@@ -234,11 +224,65 @@ tests: - failedTemplate: errorMessage: ozgcloud.bayernid.proxy.namespace must be set if bayernid is enabled + - it: should add egress rule to info-manager if antragraum is enabled + set: + ozgcloud: + antragraum: + enabled: true + namespace: antragraum02 + asserts: + - contains: + path: spec.egress + content: + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: antragraum02 + podSelector: + matchLabels: + component: info-manager + + - it: should not add egress rule to info-manager if antragraum is disabled + set: + ozgcloud: + antragraum: + enabled: false + asserts: + - notContains: + path: spec.egress + content: + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: antragraum02 + podSelector: + matchLabels: + component: info-manager + + + - it: should add egress rule to dns service + asserts: + - contains: + path: spec.egress + content: + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: test-dns-namespace + ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + - port: 5353 + protocol: UDP + - port: 5353 + protocol: TCP + - it: add ingress rule local by values set: networkPolicy: ssoPublicIp: 51.89.117.53/32 - dnsServerNamespace: test-namespace-dns additionalIngressConfigGlobal: - from: - podSelector: @@ -256,7 +300,6 @@ tests: set: networkPolicy: ssoPublicIp: 51.89.117.53/32 - dnsServerNamespace: test-namespace-dns additionalIngressConfigLocal: - from: - podSelector: @@ -285,8 +328,6 @@ tests: ports: - port: 12345 protocol: TCP - - dnsServerNamespace: test-dns-namespace asserts: - contains: path: spec.egress @@ -307,7 +348,6 @@ tests: - it: add egress rules global by values set: networkPolicy: - dnsServerNamespace: test-dns-namespace additionalEgressConfigLocal: - to: - ipBlock: @@ -329,7 +369,6 @@ tests: set: networkPolicy: disabled: true - dnsServerNamespace: test-dns-namespace asserts: - hasDocuments: count: 0 
@@ -338,7 +377,6 @@ tests:
 set:
 networkPolicy:
 disabled: false
- dnsServerNamespace: test-dns-namespace
 asserts:
 - hasDocuments:
 count: 1
\ No newline at end of file
diff --git a/vorgang-manager-server/pom.xml b/vorgang-manager-server/pom.xml
index c8f90d5eada01439f5c476210b2d754fa203f527..e8c2998ba130191b12c45334736e390a61231cd8 100644
--- a/vorgang-manager-server/pom.xml
+++ b/vorgang-manager-server/pom.xml
@@ -55,8 +55,8 @@
 <user-manager-interface.version>2.1.0</user-manager-interface.version>
 <bescheid-manager.version>1.12.0-SNAPSHOT</bescheid-manager.version>
 <processor-manager.version>0.4.0</processor-manager.version>
+ <nachrichten-manager.version>2.8.0-SNAPSHOT</nachrichten-manager.version>
 <ozgcloud-starter.version>0.9.0-SNAPSHOT</ozgcloud-starter.version>
- <nachrichten-manager.version>2.7.0</nachrichten-manager.version>
 <notification-manager.version>2.7.0</notification-manager.version>
 <zip.version>2.11.1</zip.version>
@@ -374,7 +374,7 @@
 </image>
 <profiles>
 <profile>local</profile>
- <profile>a12proc</profile>
+ <profile>bayernlocal</profile>
 </profiles>
 </configuration>
 </plugin>
diff --git a/vorgang-manager-server/src/main/resources/application-local.yml b/vorgang-manager-server/src/main/resources/application-local.yml
index 7a357e4a607a0032fcf3221062add010258965e2..b1aa3707359cf0cc5a250ea5b76b2a86016d7c06 100644
--- a/vorgang-manager-server/src/main/resources/application-local.yml
+++ b/vorgang-manager-server/src/main/resources/application-local.yml
@@ -115,7 +115,6 @@ spring:
 activate:
 on-profile: bayern-id
 ozgcloud:
- osi:
 bayernid:
 enabled: true
 absender:
diff --git a/vorgang-manager-server/src/main/resources/application.yml b/vorgang-manager-server/src/main/resources/application.yml
index 199ca973f38f2efa7bc7a93b79c20cf21c0d21e0..a818b0099a7f111e8927bea58d7ed725f6d6beaa 100644
--- a/vorgang-manager-server/src/main/resources/application.yml
+++ b/vorgang-manager-server/src/main/resources/application.yml
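Review bot: The `<profiles>` list in the `@@ -374` pom.xml hunk now names `bayernlocal`, but no profile of that name appears anywhere else in this diff; application-local.yml activates its BayernID block with `on-profile: bayern-id`. If these entries are Spring profiles handed to the plugin, confirm that `bayernlocal` is defined somewhere (or that `bayern-id` was intended), otherwise the locally built image starts without the BayernID settings the `a12proc` → `bayernlocal` swap is meant to enable. The plugin configuration this sits in starts before the hunk.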
@@ -80,6 +80,9 @@ ozgcloud:
 mail-from: EA-Poststelle@itvsh.de
 notification:
 mail-from: hilfe@ozgcloud.support
+ nachrichten-manager:
+ address: self:self
+ negotiation-type: plaintext
 # vorgang-manager:
 # address: self:self
 # negotiation-type: plaintext
@@ -94,4 +97,5 @@ ozgcloud:
 negotiation-type: ${grpc.client.user-manager.negotiationType}
 antragraum:
 entityId: https://antragsraum.ozgcloud.de/
+ metadataUri: "classpath:/bayernid/bayernid-idp-infra.xml"
diff --git a/vorgang-manager-server/src/main/resources/bayernid/bayernid-dev-enc.crt b/vorgang-manager-server/src/main/resources/bayernid/bayernid-dev-enc.crt
new file mode 100644
index 0000000000000000000000000000000000000000..507f4efba6ed6cd40ce764f9cb8db3a86df7e394
--- /dev/null
+++ b/vorgang-manager-server/src/main/resources/bayernid/bayernid-dev-enc.crt
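Review bot: `metadataUri` in the `@@ -94` hunk now defaults to the bundled `classpath:/bayernid/bayernid-idp-infra.xml`, whose `entityID` is `https://infra-pre-id.bayernportal.de/idp`, i.e. a pre-production IdP; any instance that does not override `ozgcloud.antragraum.metadataUri` will validate SAML assertions against that IdP's signing certificate. The Helm chart marks the value `required`, so chart deployments are covered, but every other launch path picks the default up silently. Either leave the key unset here so startup fails fast, or keep the default under the local profile only, and annotate it: `# pre-production IdP metadata (infra-pre-id.bayernportal.de); every environment must override this`. The `ozgcloud:` block this belongs to starts before the hunk.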
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEGzCCAwOgAwIBAgIUWPZFfhB4+iI3XdjUTMqhhDkljGgwDQYJKoZIhvcNAQEL +BQAwgZwxCzAJBgNVBAYTAkRFMRswGQYDVQQIDBJCYWRlbi1XdWVydHRlbWJlcmcx +EjAQBgNVBAcMCVN0dXR0Z2FydDEhMB8GA1UECgwYbWdtIHRlY2hub2xvZ2llIHBh +cnRuZXJzMRIwEAYDVQQLDAlvemctY2xvdWQxJTAjBgkqhkiG9w0BCQEWFmplbnMu +cmVlc2VAZ21nbS10cC5jb20wHhcNMjQwMzIwMDc0MDA5WhcNMjUwMzIwMDc0MDA5 +WjCBnDELMAkGA1UEBhMCREUxGzAZBgNVBAgMEkJhZGVuLVd1ZXJ0dGVtYmVyZzES +MBAGA1UEBwwJU3R1dHRnYXJ0MSEwHwYDVQQKDBhtZ20gdGVjaG5vbG9naWUgcGFy +dG5lcnMxEjAQBgNVBAsMCW96Zy1jbG91ZDElMCMGCSqGSIb3DQEJARYWamVucy5y +ZWVzZUBnbWdtLXRwLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +ANogQ1D22S1V53sAch82/LvbbqjMUQWCNOAyUEzrbEW0SqJ3ED+93ZL0rTwstiAj +XQzPydKmo6keHlexm4f3EfBgJzUG6Y0O8BL/GG02n2ZaXZa3rtbY1y7CSBgICUGe +9QPmHADUqTkzXwUVuKf6Ie1uyEbqLTr5T5PGOcESsQxVFkHG6/i2H7QhoeLDAWw5 +2ENwDRigM/mDaMliI5TWmM4T8DxKLZ7FUiQGDt/7vpQdBs+vit2ndaoQvQbpraBd +/KVsbB3epXXFFX/y37+/lHMYtkCnPvHQljYjBz1hH6zcf1VcJLrmSElXHK74HLl5 +D/xYpUCCQX8EU0YIbPULejMCAwEAAaNTMFEwHQYDVR0OBBYEFFfqF7V0PscLpeAx +Vj3ADkWSftbnMB8GA1UdIwQYMBaAFFfqF7V0PscLpeAxVj3ADkWSftbnMA8GA1Ud +EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAK70r5o4oLPu5JXJmKWnI7CD +wjZR0XQX8x1+tWtqT/v6Trz4p6SGxdPzA+Z9dKl5TrHWn0Jue79NCTQO1fgn/L5Q +ZblOCxFhe+yvgeqyMPRHtlF1RicMn+yPwS3QKON0INmsch64IVXJZgJms0d7HRcF +GAn644FdxZH9IX39eqs1Y7l1Ac++4O9uSiB6N+js2ZTOI+KDrvVhKblE+0ehx3bM ++hqsXpRE6iq9wD1wAGiMxMTetG1kI0PMgDiDXTfG3ZkvpYtTyU2Mkl+F9FFWhwGI +LrLKJeLZRRpwkDvWNUpER5UveXJvY8TKV8HZDhEzWB3IAjRYufHnP5MHLgMZmXk= +-----END CERTIFICATE----- diff --git a/vorgang-manager-server/src/main/resources/bayernid/bayernid-idp-infra.xml b/vorgang-manager-server/src/main/resources/bayernid/bayernid-idp-infra.xml new file mode 100644 index 0000000000000000000000000000000000000000..ec1ed7ca7099b8be7a8cff7448a740f0b9404c34 --- /dev/null +++ b/vorgang-manager-server/src/main/resources/bayernid/bayernid-idp-infra.xml 
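Review bot: `bayernid-dev-enc.crt` is added under `src/main/resources`, so it ships in the production artifact, yet nothing else in this diff references it; the encoded fields suggest a self-signed certificate (subject and authority key identifiers are identical) with `CA:TRUE`, a validity of roughly 2024-03-20 to 2025-03-20, and an individual's e-mail address in the subject — decode it to confirm. If it is only a development encryption certificate, it belongs in test resources or with the dev profile's keystore, and a short README beside it stating its purpose, where the matching private key lives and when it expires would keep it from being mistaken for a trust anchor.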
@@ -0,0 +1,45 @@ +<?xml version="1.0" encoding="UTF-8"?><md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"> + <md:EntityDescriptor entityID="https://infra-pre-id.bayernportal.de/idp"> + <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> + <md:KeyDescriptor use="signing"> + <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> + <ds:X509Data> + <ds:X509Certificate>MIIFbzCCA1egAwIBAgIJAPdFXXarkBN2MA0GCSqGSIb3DQEBCwUAME4xCzAJBgNV + BAYTAkRFMQ8wDQYDVQQIDAZCYXllcm4xETAPBgNVBAcMCE11ZW5jaGVuMQ0wCwYD + VQQKDARBS0RCMQwwCgYDVQQLDANJRE0wHhcNMjAxMDI3MTMxODQxWhcNMjUxMDI2 + MTMxODQxWjBOMQswCQYDVQQGEwJERTEPMA0GA1UECAwGQmF5ZXJuMREwDwYDVQQH + DAhNdWVuY2hlbjENMAsGA1UECgwEQUtEQjEMMAoGA1UECwwDSURNMIICIjANBgkq + hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAzDtWAEdC3J9FD+ti1exRhN1lzNgKWqO2 + gQNdJvlt7KGHA2VGGO7tqRogTuoqi/ydtiHJ8+lhp4kcWqyfv7i9HXOncvcsRRmR + dZjUY2Iui6ozJqD5LVm/vP5YfdP7vQPdbqyyfpoJhf3mbMEtdNDdGRnGIPUfDn+C + Fbo37f9tPwMgf3jgh4gxaujtLIhhr9gevVTEeZAFu9EvzLNd3kEtRb7MuXqIOdu1 + rW8HlGYFwwVLqEyBn8XG0QAIfhMmGjFMG7z+Kco2quwOmmZVzWQfeH/3AlN2KbcP + t7j+pl+6Bew2AAivP7O+95YKORqQjTu3rPWMF4txPId37MSjoytwBRyd5EACTvhQ + BOGrDFKQUOx6fTtRc8+7XGVz8MdQaZQWQXXh1ByU783twNdnRSrSVIyLdjiy1uCb + jvsSAtbzGBygPIvDo3skCNLNFXsChtHIfFFDK20KPGb0ghEDf2q3hDbFG3ZDGGyn + ZmJcZKuZhJqodJ/++sAXADyTJNAPVYDjKCF4ypELp2Eu/p1gaQPJEb74L/ZFZVOE + JFyXIiaqB9J+fcn/biqHHOmcCi8n9aIiNt1fatr1Z4lQRWoGtKaGU0+bzUSH4Bgs + 2EG4u1CI2MKDWqK2aEsHrtu8tbS9LrUmDVKtaEUOeul8xWVa036vp/YUIdiJNZSx + ZG4iTmSOATECAwEAAaNQME4wHQYDVR0OBBYEFFYeltslkaolOmcINXQeSe7nURwp + MB8GA1UdIwQYMBaAFFYeltslkaolOmcINXQeSe7nURwpMAwGA1UdEwQFMAMBAf8w + DQYJKoZIhvcNAQELBQADggIBAKqAlXoO41SAiycYUOrR90pfwTCysmbtHF5RWSCM + jF2aCG8URJ7bXwC0lBH8E5zCetFZwdqZziQtxzRkIOfhS5uWbH0RDhwuxZG+5RTP + yaHPAZI6e5xHDu8vHl/VbC3lnL/6K8l+Purr/yo8qkJqrPgThZRL9jBQyYRhDSsJ + UyIw5zcKKUQC/JWtMQAQcopbjekCs6xDT1HqIN90Sc/gOfYjNo0dGMNmro9mxcw8 + 2Iow18KNVdtEexfD+/6x4NPD61pzuQEe09TR+Cv3XyzBoGQ/2arijcPnGvth79ff + 
VFtRSf3fSs7wEKV9g3mEWXFDtPBhDj6K0kKU/kJfEZixkXl92MY+bmugrtTIrazj + tfrgMglIAHu9XCYWd/gef0J+PNfHsxgbTEr3XSC+5/xoFKPQSw3PgV8lkUDq4mJU + Ky/q4YmA37XQxourFR5pWvF03YACdtq6zPjtVeI7Cvkte6k0YW5S3cx9RmPv6YZh + laZ5ERpWNiv6IjokLsvNeemf2PApjO7Q2EDBIoHBYH31wwJSsyRDrSVmbaqLFI15 + fLXeh2A4YbaBDZdGvDiLOAk+dG1wdZ2aGw/uNBzMtc8VeKqI1HPcqIluBA3uUPpy + LLA+9hDPf6Pp4j0gkXxBikz+/h22bFxE1HmDiOSkEn+2NmOHuEFeA+D8jsCAL5VJ + 3emK</ds:X509Certificate> + </ds:X509Data> + </ds:KeyInfo> + </md:KeyDescriptor> + <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat> + <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://infra-pre-id.bayernportal.de/idp/profile/SAML2/POST/SSO"/> + <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://infra-pre-id.bayernportal.de/idp/profile/SAML2/Redirect/SSO"/> + </md:IDPSSODescriptor> + </md:EntityDescriptor> +</md:EntitiesDescriptor> \ No newline at end of file diff --git a/vorgang-manager-server/src/test/resources/bayernid/bsp-nachricht b/vorgang-manager-server/src/test/resources/bayernid/bsp-nachricht deleted file mode 100644 index 531b80b0923fc7beb2dc147c62211019c539311f..0000000000000000000000000000000000000000 --- a/vorgang-manager-server/src/test/resources/bayernid/bsp-nachricht +++ /dev/null 
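Review bot: The bundled IdP metadata has no `validUntil` or `cacheDuration` attribute and no XML signature, and the embedded signing certificate's validity appears to end on 2025-10-26 (the notAfter field decodes to `251026131841Z` — confirm); because the file is loaded from the classpath, an IdP key rotation or that expiry requires a code release rather than a configuration change. Record the provenance in a comment after the XML declaration, e.g. `<!-- retrieved from <METADATA_URL> on <RETRIEVAL_DATE>; embedded signing certificate expires 2025-10-26 -->`, and consider fetching metadata from the IdP's metadata endpoint in non-local environments so the certificate can be rotated without a rebuild.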
@@ -1 +0,0 @@ -<ns4:sendBspNachrichtNative xmlns:ns3="http://www.akdb.de/egov/bsp/nachrichten" xmlns:ns4="urn:akdb:bsp:postkorb:komm:webservice"><bspNachricht><?xml version="1.0" encoding="UTF-8" standalone="yes"?><ns2:BspNachricht xmlns:ns2="http://www.akdb.de/egov/bsp/nachrichten" xmlns:ns3="urn:akdb:bsp:postkorb:komm:webservice"><ns2:NachrichtenKopf><ns2:Identifikation.Nachricht><ns2:Erstellungszeitpunkt>2020-04-01T10:30:10.000Z</ns2:Erstellungszeitpunkt><ns2:NachrichtenId>1</ns2:NachrichtenId></ns2:Identifikation.Nachricht><ns2:Absender><ns2:Dienst>Stadtverwaltung</ns2:Dienst><ns2:Mandant>Fürth</ns2:Mandant><ns2:Gemeindeschluessel><ns2:Tabelle>36</ns2:Tabelle><ns2:Schluessel>09563000</ns2:Schluessel></ns2:Gemeindeschluessel></ns2:Absender><ns2:Empfaenger><ns2:PostkorbId>1</ns2:PostkorbId></ns2:Empfaenger></ns2:NachrichtenKopf><ns2:NachrichtenInhalt><ns2:Betreff>Test Subject</ns2:Betreff><ns2:StorkQaaLevel>LEVEL_1</ns2:StorkQaaLevel><ns2:ZuVorgang><ns2:VorgangsId>1</ns2:VorgangsId></ns2:ZuVorgang><ns2:FreiText><ns2:Encoding><ns2:Tabelle>9004</ns2:Tabelle><ns2:Schluessel>text/plain</ns2:Schluessel></ns2:Encoding><ns2:Text>BodyString</ns2:Text></ns2:FreiText></ns2:NachrichtenInhalt></ns2:BspNachricht></bspNachricht></ns4:sendBspNachrichtNative> \ No newline at end of file diff --git a/vorgang-manager-server/src/test/resources/bayernid/test.txt b/vorgang-manager-server/src/test/resources/bayernid/test.txt deleted file mode 100644 index 814be41a4bbeee81df9c0f296e3fcc3a3cef33f0..0000000000000000000000000000000000000000 --- a/vorgang-manager-server/src/test/resources/bayernid/test.txt +++ /dev/null @@ -1 +0,0 @@ -some simple text \ No newline at end of file