Merge pull request 'OZG-5682-durchstich-antragsraum' (#373) from...

Merge pull request 'OZG-5682-durchstich-antragsraum' (#373) from OZG-5682-durchstich-antragsraum into master

Reviewed-on: https://git.ozg-sh.de/ozgcloud-app/vorgang-manager/pulls/373


Reviewed-by: OZGCloud <ozgcloud@mgm-tp.com>
Reviewed-by: OZGCloud <ozgcloud@mgm-tp.com>

src/main/helm/templates/deployment.yaml

@@ -63,7 +63,7 @@ spec:
             value: "/bindings"
           - name: spring_profiles_active
             value: {{ include "app.envSpringProfiles" . }}
-          - name: ozgcloud_nachrichten-manager_url
+          - name: ozgcloud_nachrichten-manager_address
             value: {{ include "app.ozgcloud_vorgangmanager_address" . }}
           {{- if .Values.env.ozgcloudAktenzeichen.enabled }}
           - name: ozgcloud_aktenzeichen
@@ -186,12 +186,12 @@ spec:
             value: {{ quote .Values.ozgcloud.antragraum.enabled }}
           - name: ozgcloud_antragraum_url
             value: {{ quote (required "ozgcloud.antragraum.url must be set if ozgcloud.antragraum is enabled" ((.Values.ozgcloud).antragraum).url) }}
-          - name: ozgcloud_antragraum_metadatauri
+          - name: ozgcloud_antragraum_metadataUri
             value: {{ quote (required "ozgcloud.antragraum.metadataUri must be set if ozgcloud.antragraum is enabled" ((.Values.ozgcloud).antragraum).metadataUri) }}
-          - name: ozgcloud_antragraum_decryptionprivatekey
-            value: {{ quote (required "ozgcloud.antragraum.decryptionPrivateKey must be set if ozgcloud.antragraum is enabled" ((.Values.ozgcloud).antragraum).decryptionPrivateKey) }}
-          - name: ozgcloud_antragraum_decryptioncertificate
-            value: {{ quote (required "ozgcloud.antragraum.decryptionCertificate must be set if ozgcloud.antragraum is enabled" ((.Values.ozgcloud).antragraum).decryptionCertificate) }}         
+          - name: ozgcloud_antragraum_decryptionPrivateKey
+            value: "file:/keystore/bayernid/bayern-id.key"
+          - name: ozgcloud_antragraum_decryptionCertificate
+            value: "file:/keystore/bayernid/bayern-id.crt"
           {{- end }}
           {{- if (((.Values.ozgcloud).feature).bescheid).enableDummyDocumentProcessor }}
           - name: ozgcloud_feature_bescheid_enableDummyDocumentProcessor
@@ -315,6 +315,12 @@ spec:
             subPath: ca.crt
             readOnly: true
           {{- end }}
+
+          {{- if ((.Values.ozgcloud).antragraum).enabled }}
+          - name: bayernid-certificate
+            mountPath: "/keystore/bayernid"
+            readOnly: true
+          {{- end }}
           - name: namespace-ca-cert
             mountPath: "/bindings/namespace-certificate"
             readOnly: true
@@ -336,6 +342,12 @@ spec:
           secret:
              secretName: user-manager-tls-cert
         {{- end }}
+        {{- if ((.Values.ozgcloud).antragraum).enabled }}
+        - name: bayernid-certificate
+          secret:
+            secretName: bayernid-certificate
+            optional: false
+        {{- end }}
         - name: vorgang-manager-grpc-tls-cert
           secret:
             secretName: vorgang-manager-grpc-tls-cert

src/main/helm/templates/network_policy.yaml

@@ -45,6 +45,16 @@ spec:
     - podSelector: 
         matchLabels:
           ozg-component: eingangsadapter
+{{- if ((.Values.ozgcloud).antragraum).enabled }}
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: {{ required "ozgcloud.antragraum.namespace must be set if antragraum is enabled" ((.Values.ozgcloud).antragraum).namespace }}
+      podSelector: 
+        matchLabels:
+          component: antragsraum-server
+{{- end }}
+
 {{- with (.Values.networkPolicy).additionalIngressConfigLocal }}
 {{ toYaml . | indent 2 }}
 {{- end }}
@@ -87,6 +97,15 @@ spec:
     ports:
       - port: 9090
         protocol: TCP 
+{{- end }}
+{{- if ((.Values.ozgcloud).antragraum).enabled }}
+  - to:
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: {{ required "ozgcloud.antragraum.namespace must be set if antragraum is enabled" ((.Values.ozgcloud).antragraum).namespace }}
+        podSelector: 
+          matchLabels:
+            component: info-manager
 {{- end }}
   - to:
     - namespaceSelector:

src/test/helm/deployment_antragraum_test.yaml

@@ -32,93 +32,120 @@ set:
   imagePullSecret: image-pull-secret
   ozgcloud:
     environment: dev
+tests:
+  - it: should set antragraum values
+    set:
+      ozgcloud:
         antragraum:
           enabled: true
           url: https://antragraum.address
           metadataUri: "classpath:/bayernid/metadata/bayernid-idp-infra.xml"
-      decryptionPrivateKey: "decryptionPrivateKey_secret"
-      decryptionCertificate: "decryptionCertificate_secret"
-tests:
-  - it: should enable antragraum
-    templates:
-      - templates/deployment.yaml
     asserts:
       - contains:
           path: spec.template.spec.containers[0].env
           content:
             name: ozgcloud_antragraum_enabled
             value: "true"
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: ozgcloud_antragraum_url
+            value: https://antragraum.address
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: ozgcloud_antragraum_metadataUri
+            value: "classpath:/bayernid/metadata/bayernid-idp-infra.xml"
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: ozgcloud_antragraum_decryptionPrivateKey
+            value: "file:/keystore/bayernid/bayern-id.key"
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: ozgcloud_antragraum_decryptionCertificate
+            value: "file:/keystore/bayernid/bayern-id.crt"
+
+  - it: should not generate antragsraum config if disabled
+    set:
+      ozgcloud.antragraum.enabled: false
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: ozgcloud_antragraum_enabled
+            value: "true"
+
   - it: should fail if antragraum url is not set
     set:
       ozgcloud:
-        environment: dev
         antragraum:
           enabled: true
-          url: 
+          metadataUri: "classpath:/bayernid/metadata/bayernid-idp-infra.xml"
     asserts:
       - failedTemplate:
           errorMessage: "ozgcloud.antragraum.url must be set if ozgcloud.antragraum is enabled"
 
-  - it: should set metadataUri
-    asserts:
-      - contains:
-          path: spec.template.spec.containers[0].env
-          content:
-            name: ozgcloud_antragraum_metadatauri
-            value: "classpath:/bayernid/metadata/bayernid-idp-infra.xml"
   - it: should fail if metadataUri is not set
     set:
       ozgcloud:
         antragraum:
-          metadataUri:
+          enabled: true
+          url: https://antragraum.address
     asserts:
       - failedTemplate:
           errorMessage: "ozgcloud.antragraum.metadataUri must be set if ozgcloud.antragraum is enabled"
 
-  - it: should set metadataUri
-    asserts:
-      - contains:
-          path: spec.template.spec.containers[0].env
-          content:
-            name: ozgcloud_antragraum_metadatauri
-            value: "classpath:/bayernid/metadata/bayernid-idp-infra.xml"
-  - it: should fail if metadataUri is not set
+
+  - it: should set volumeMounts
     set:
       ozgcloud:
         antragraum:
-          metadataUri:
-    asserts:
-      - failedTemplate:
-          errorMessage: "ozgcloud.antragraum.metadataUri must be set if ozgcloud.antragraum is enabled"
-
-  - it: should set decryptionPrivateKey
+          enabled: true
+          url: https://antragraum.address
+          metadataUri: "classpath:/bayernid/metadata/bayernid-idp-infra.xml"
     asserts:
       - contains:
-          path: spec.template.spec.containers[0].env
+          path: spec.template.spec.containers[0].volumeMounts
           content:
-            name: ozgcloud_antragraum_decryptionprivatekey
-            value: "decryptionPrivateKey_secret"
-  - it: should fail if decryptionPrivateKey is not set
+            name: bayernid-certificate
+            mountPath: "/keystore/bayernid"
+            readOnly: true
+  - it: should not set volumeMounts if antragsraum is disabled
     set:
-      ozgcloud:
-        antragraum:
-          decryptionPrivateKey:
+      ozgcloud.antragraum.enabled: false
     asserts:
-      - failedTemplate:
-          errorMessage: "ozgcloud.antragraum.decryptionPrivateKey must be set if ozgcloud.antragraum is enabled"
+      - notContains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: bayernid-certificate
+            mountPath: "/keystore/bayernid"
+            readOnly: true
     
-  - it: should set decryptionPrivateKey
+  - it: should have volumes
+    set:
+      ozgcloud:
+        antragraum:
+          enabled: true
+          url: https://antragraum.address
+          metadataUri: "classpath:/bayernid/metadata/bayernid-idp-infra.xml"
     asserts:
       - contains:
-          path: spec.template.spec.containers[0].env
+          path: spec.template.spec.volumes
           content:
-            name: ozgcloud_antragraum_decryptioncertificate
-            value: "decryptionCertificate_secret"
-  - it: should fail if decryptionCertificate is not set
+            name: bayernid-certificate
+            secret:
+              secretName: bayernid-certificate
+              optional: false
+  - it: should not have volumes if antragsraum is disabled
     set:
-      ozgcloud:
-        antragraum:
-          decryptionCertificate:
+      ozgcloud.antragraum.enabled: false
     asserts:
-      - failedTemplate:
-          errorMessage: "ozgcloud.antragraum.decryptionCertificate must be set if ozgcloud.antragraum is enabled"
+      - notContains:
+          path: spec.template.spec.volumes
\ No newline at end of file
+          content:
+            name: bayernid-certificate
+            secret:
+              secretName: bayernid-certificate
+              optional: false
\ No newline at end of file

src/test/helm/deployment_bayernid_test.yaml

@@ -31,6 +31,11 @@ templates:
 set:
   ozgcloud:
     environment: dev
+  imagePullSecret: test-image-pull-secret
+tests:
+  - it: should set bayernid values
+    set:
+      ozgcloud:
         bayernid:
           enabled: true
           proxy:
@@ -42,121 +47,145 @@ set:
             dienst: "dienst"
             mandant: "mandant"
             gemeindeSchluessel: "gemeindeSchluessel"
-  imagePullSecret: test-image-pull-secret
-tests:
-  - it: should enable bayernid
     asserts:
       - contains:
           path: spec.template.spec.containers[0].env
           content:
             name: ozgcloud_bayernid_enabled
             value: "true"
-
-  - it: should set absender name
-    asserts:
       - contains:
           path: spec.template.spec.containers[0].env
           content:
             name: ozgcloud_bayernid_absender_name
             value: "name"
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: ozgcloud_bayernid_absender_anschrift
+            value: "anschrift"
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: ozgcloud_bayernid_absender_dienst
+            value: "dienst"
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: ozgcloud_bayernid_absender_mandant
+            value: "mandant"
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: ozgcloud_bayernid_absender_gemeindeSchluessel
+            value: "gemeindeSchluessel"
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: grpc_client_bayern-id_address
+            value: https://proxy.address.local
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: grpc_client_bayern-id_negotiationType
+            value: PLAINTEXT
+
   - it: should fail if absender name is not set
     set:
       ozgcloud:
         bayernid:
+          enabled: true
+          proxy:
+            address: https://proxy.address.local
           absender:
-            name:
+            postkorbId: "postkorbId"
+            anschrift: "anschrift"
+            dienst: "dienst"
+            mandant: "mandant"
+            gemeindeSchluessel: "gemeindeSchluessel"
     asserts:
       - failedTemplate:
           errorMessage: "ozgcloud.bayernid.absender.name must be set if ozgcloud.bayernid is enabled"
 
-  - it: should set absender anschrift
-    asserts:
-      - contains:
-          path: spec.template.spec.containers[0].env
-          content:
-            name: ozgcloud_bayernid_absender_anschrift
-            value: "anschrift"
   - it: should fail if absender anschrift is not set
     set:
       ozgcloud:
         bayernid:
+          enabled: true
+          proxy:
+            address: https://proxy.address.local
           absender:
-            anschrift:
+            postkorbId: "postkorbId"
+            name: "name"
+            dienst: "dienst"
+            mandant: "mandant"
+            gemeindeSchluessel: "gemeindeSchluessel"
     asserts:
       - failedTemplate:
           errorMessage: "ozgcloud.bayernid.absender.anschrift must be set if ozgcloud.bayernid is enabled"
 
-  - it: should set absender dienst
-    asserts:
-      - contains:
-          path: spec.template.spec.containers[0].env
-          content:
-            name: ozgcloud_bayernid_absender_dienst
-            value: "dienst"
   - it: should fail if absender dienst is not set
     set:
       ozgcloud:
         bayernid:
+          enabled: true
+          proxy:
+            address: https://proxy.address.local
           absender:
-            dienst:
+            postkorbId: "postkorbId"
+            name: "name"
+            anschrift: "anschrift"
+            mandant: "mandant"
+            gemeindeSchluessel: "gemeindeSchluessel"
     asserts:
       - failedTemplate:
           errorMessage: "ozgcloud.bayernid.absender.dienst must be set if ozgcloud.bayernid is enabled"
 
-  - it: should set absender mandant
-    asserts:
-      - contains:
-          path: spec.template.spec.containers[0].env
-          content:
-            name: ozgcloud_bayernid_absender_mandant
-            value: "mandant"
   - it: should fail if absender mandant is not set
     set:
       ozgcloud:
         bayernid:
+          enabled: true
+          proxy:
+            address: https://proxy.address.local
           absender:
-            mandant:
+            postkorbId: "postkorbId"
+            name: "name"
+            anschrift: "anschrift"
+            dienst: "dienst"
+            gemeindeSchluessel: "gemeindeSchluessel"
     asserts:
       - failedTemplate:
           errorMessage: "ozgcloud.bayernid.absender.mandant must be set if ozgcloud.bayernid is enabled"
 
-
-  - it: should contains absender gemeindeSchluessel
-    asserts:
-      - contains:
-          path: spec.template.spec.containers[0].env
-          content:
-            name: ozgcloud_bayernid_absender_gemeindeSchluessel
-            value: "gemeindeSchluessel"
   - it: should fail if absender gemeindeSchluessel is not set
     set:
       ozgcloud:
         bayernid:
+          enabled: true
+          proxy:
+            address: https://proxy.address.local
           absender:
-            gemeindeSchluessel:
+            postkorbId: "postkorbId"
+            name: "name"
+            anschrift: "anschrift"
+            dienst: "dienst"
+            mandant: "mandant"
     asserts:
       - failedTemplate:
           errorMessage: "ozgcloud.bayernid.absender.gemeindeSchluessel must be set if ozgcloud.bayernid is enabled"
 
-
-  - it: should set the bayernid proxy grpc address
-    set:
-      ozgcloud:
-        bayernid:
-          proxy:
-            address: https://bayernid-proxy.my-wonderful-domain.local:9000
-    asserts:
-      - contains:
-          path: spec.template.spec.containers[0].env
-          content:
-            name: grpc_client_bayern-id_address
-            value: https://bayernid-proxy.my-wonderful-domain.local:9000
   - it: should fail if bayernid proxy is enabled but proxy address is not configured
     set:
       ozgcloud:
         bayernid:
-          proxy:
-            address: 
+          enabled: true
+          absender:
+            postkorbId: "postkorbId"
+            name: "name"
+            anschrift: "anschrift"
+            dienst: "dienst"
+            mandant: "mandant"
+            gemeindeSchluessel: "gemeindeSchluessel"
     asserts:
       - failedTemplate:
           errorMessage: "ozgcloud.bayernid.proxy.address must be set if ozgcloud.bayernid is enabled"
@@ -165,18 +194,20 @@ tests:
     set:
       ozgcloud:
         bayernid:
+          enabled: true
           proxy:
+            address: https://proxy.address.local
             negotiationType: NOT_DEFAULT
+          absender:
+            postkorbId: "postkorbId"
+            name: "name"
+            anschrift: "anschrift"
+            dienst: "dienst"
+            mandant: "mandant"
+            gemeindeSchluessel: "gemeindeSchluessel"
     asserts:
       - contains:
           path: spec.template.spec.containers[0].env
           content:
             name: grpc_client_bayern-id_negotiationType
             value: NOT_DEFAULT
-  - it: should set the bayernid proxy grpc default
-    asserts:
-      - contains:
-          path: spec.template.spec.containers[0].env
-          content:
-            name: grpc_client_bayern-id_negotiationType
-            value: PLAINTEXT
\ No newline at end of file

src/test/helm/deployment_nachrichten_manager_address_test.yaml

@@ -38,5 +38,5 @@ tests:
       - contains:
           path: spec.template.spec.containers[0].env
           content:
-            name: ozgcloud_nachrichten-manager_url
+            name: ozgcloud_nachrichten-manager_address
             value:  dns://vorgang-manager.sh-helm-test:9090

src/test/helm/network_policy_test.yaml

@@ -27,27 +27,21 @@ release:
   namespace: by-helm-test
 templates:
   - templates/network_policy.yaml
-tests:
-  - it: should match apiVersion
 set: 
   networkPolicy:
     dnsServerNamespace: test-dns-namespace
+tests:
+  - it: should match apiVersion
     asserts:
       - isAPIVersion:
           of: networking.k8s.io/v1
 
   - it: should match kind
-    set:
-      networkPolicy:
-        dnsServerNamespace: test-dns-namespace
     asserts:
       - isKind:
           of: NetworkPolicy
 
   - it: validate metadata
-    set:
-      networkPolicy:
-        dnsServerNamespace: test-dns-namespace
     asserts:
       - equal:
           path: metadata
@@ -56,9 +50,6 @@ tests:
             namespace: by-helm-test
 
   - it: should set policy target matchLabel
-    set:
-      networkPolicy:
-        dnsServerNamespace: test-dns-namespace
     asserts:
       - equal:
           path: spec.podSelector
@@ -68,27 +59,18 @@ tests:
 
 
   - it: should add policyType Egress
-    set:
-      networkPolicy:
-        dnsServerNamespace: test-dns-namespace
     asserts:
       - contains:
           path: spec.policyTypes
           content: Egress
 
   - it: should add policyType Ingress
-    set:
-      networkPolicy:
-        dnsServerNamespace: test-dns-namespace
     asserts:
       - contains:
           path: spec.policyTypes
           content: Ingress
 
   - it: should add ingress rule for eingangsmanager and alfa
-    set:
-      networkPolicy:
-        dnsServerNamespace: test-dns-namespace
     asserts:
       - contains:
           path: spec.ingress
@@ -103,11 +85,53 @@ tests:
                   matchLabels:
                     ozg-component: eingangsadapter
 
+  - it: should add ingress rule for antragraum if antragraum is enabled
+    set:
+      ozgcloud:
+        antragraum:
+          enabled: true
+          namespace: antragraum02
+    asserts:
+    - contains:
+        path: spec.ingress
+        content:
+          from:
+            - namespaceSelector:
+                matchLabels:
+                  kubernetes.io/metadata.name: antragraum02
+              podSelector: 
+                matchLabels:
+                  component: antragsraum-server
+
 
-  - it: should add egress rule to elasticsearch
+  - it: should not add ingress rule for antragraum if antragraum is disabled
     set:
-      networkPolicy:
-        dnsServerNamespace: test-dns-namespace
+      ozgcloud:
+        antragraum:
+          enabled: false
+    asserts:
+    - notContains:
+        path: spec.ingress
+        content:
+          from:
+            - namespaceSelector:
+                matchLabels:
+                  kubernetes.io/metadata.name: antragraum02
+              podSelector: 
+                matchLabels:
+                  component: antragraum-server
+
+  - it: should throw error if antragraum is enabled but antragraum namespace is not set
+    set:
+      ozgcloud:
+        antragraum:
+          enabled: true
+    asserts:
+      - failedTemplate:
+          errorMessage: ozgcloud.antragraum.namespace must be set if antragraum is enabled
+
+
+  - it: should add egress rule to elasticsearch
     asserts:
       - contains:
           path: spec.egress
@@ -124,9 +148,6 @@ tests:
                   protocol: TCP
 
   - it: should add egress rule to mongodb
-    set:
-      networkPolicy:
-        dnsServerNamespace: test-dns-namespace
     asserts:
       - contains:
           path: spec.egress
@@ -140,9 +161,6 @@ tests:
                   protocol: TCP
 
   - it: should add egress rule to user-manager
-    set:
-      networkPolicy:
-        dnsServerNamespace: test-dns-namespace
     asserts:
       - contains:
           path: spec.egress
@@ -155,32 +173,8 @@ tests:
                 - port: 9000
                   protocol: TCP
 
-  - it: should add egress rule to dns service
-    set:
-      networkPolicy:
-        dnsServerNamespace: test-dns-namespace
-    asserts:
-      - contains:
-          path: spec.egress
-          content:
-              to:
-              - namespaceSelector:
-                  matchLabels:
-                    kubernetes.io/metadata.name: test-dns-namespace
-              ports:
-                - port: 53
-                  protocol: UDP
-                - port: 53
-                  protocol: TCP
-                - port: 5353
-                  protocol: UDP
-                - port: 5353
-                  protocol: TCP
-
   - it: should add egress rule to nachrichten-bayernid-proxy if bayernid is enabled
     set:
-      networkPolicy:
-        dnsServerNamespace: test-dns-namespace
       ozgcloud:
         bayernid:
           enabled: true
@@ -203,8 +197,6 @@ tests:
 
   - it: should not add egress rule to bayernid-proxy if bayernid is disabled
     set:
-      networkPolicy:
-        dnsServerNamespace: test-dns-namespace
       ozgcloud:
         bayernid:
           enabled: false
@@ -225,8 +217,6 @@ tests:
   
   - it: should throw error if bayernid-proxy is enabled but bayernid namespace is not set
     set:
-      networkPolicy:
-        dnsServerNamespace: test-dns-namespace
       ozgcloud:
         bayernid:
           enabled: true
@@ -234,11 +224,65 @@ tests:
       - failedTemplate:
           errorMessage: ozgcloud.bayernid.proxy.namespace must be set if bayernid is enabled
 
+  - it: should add egress rule to info-manager if antragraum is enabled
+    set:
+      ozgcloud:
+        antragraum:
+          enabled: true
+          namespace: antragraum02
+    asserts:
+      - contains:
+          path: spec.egress
+          content:
+            to:
+              - namespaceSelector:
+                  matchLabels:
+                    kubernetes.io/metadata.name: antragraum02
+                podSelector: 
+                  matchLabels:
+                    component: info-manager
+
+  - it: should not add egress rule to info-manager if antragraum is disabled
+    set:
+      ozgcloud:
+        antragraum:
+          enabled: false
+    asserts:
+      - notContains:
+          path: spec.egress
+          content:
+            to:
+              - namespaceSelector:
+                  matchLabels:
+                    kubernetes.io/metadata.name: antragraum02
+                podSelector: 
+                  matchLabels:
+                    component: info-manager
+
+
+  - it: should add egress rule to dns service
+    asserts:
+      - contains:
+          path: spec.egress
+          content:
+              to:
+              - namespaceSelector:
+                  matchLabels:
+                    kubernetes.io/metadata.name: test-dns-namespace
+              ports:
+                - port: 53
+                  protocol: UDP
+                - port: 53
+                  protocol: TCP
+                - port: 5353
+                  protocol: UDP
+                - port: 5353
+                  protocol: TCP
+
   - it: add ingress rule local by values
     set:
       networkPolicy:
         ssoPublicIp: 51.89.117.53/32
-        dnsServerNamespace: test-namespace-dns
         additionalIngressConfigGlobal:
         - from:
           - podSelector: 
@@ -256,7 +300,6 @@ tests:
     set:
       networkPolicy:
         ssoPublicIp: 51.89.117.53/32
-        dnsServerNamespace: test-namespace-dns
         additionalIngressConfigLocal:
         - from:
           - podSelector: 
@@ -285,8 +328,6 @@ tests:
           ports:
             - port: 12345
               protocol: TCP
-
-        dnsServerNamespace: test-dns-namespace
     asserts:
     - contains:
         path: spec.egress
@@ -307,7 +348,6 @@ tests:
   - it: add egress rules global by values
     set:
       networkPolicy:
-        dnsServerNamespace: test-dns-namespace
         additionalEgressConfigLocal:
         - to:
           - ipBlock:
@@ -329,7 +369,6 @@ tests:
     set:
       networkPolicy:
         disabled: true
-        dnsServerNamespace: test-dns-namespace
     asserts:
       - hasDocuments:
           count: 0
@@ -338,7 +377,6 @@ tests:
     set:
       networkPolicy:
         disabled: false
-        dnsServerNamespace: test-dns-namespace
     asserts:
       - hasDocuments:
           count: 1
\ No newline at end of file

vorgang-manager-server/pom.xml

@@ -55,8 +55,8 @@
 		<user-manager-interface.version>2.1.0</user-manager-interface.version>
 		<bescheid-manager.version>1.12.0-SNAPSHOT</bescheid-manager.version>
 		<processor-manager.version>0.4.0</processor-manager.version>
+		<nachrichten-manager.version>2.8.0-SNAPSHOT</nachrichten-manager.version>
 		<ozgcloud-starter.version>0.9.0-SNAPSHOT</ozgcloud-starter.version>
-		<nachrichten-manager.version>2.7.0</nachrichten-manager.version>
 		<notification-manager.version>2.7.0</notification-manager.version>
 
 		<zip.version>2.11.1</zip.version>
@@ -374,7 +374,7 @@
 					</image>
 					<profiles>
 						<profile>local</profile>
-						<profile>a12proc</profile>
+						<profile>bayernlocal</profile>
 					</profiles>
 				</configuration>
 			</plugin>

vorgang-manager-server/src/main/resources/application-local.yml

@@ -115,7 +115,6 @@ spring:
     activate:
       on-profile: bayern-id
 ozgcloud:
-  osi:
   bayernid:
     enabled: true
     absender:

vorgang-manager-server/src/main/resources/application.yml

@@ -80,6 +80,9 @@ ozgcloud:
     mail-from: EA-Poststelle@itvsh.de
   notification:
     mail-from: hilfe@ozgcloud.support
+  nachrichten-manager:
+    address: self:self
+    negotiation-type: plaintext
 #  vorgang-manager:
 #    address: self:self
 #    negotiation-type: plaintext
@@ -94,4 +97,5 @@ ozgcloud:
     negotiation-type: ${grpc.client.user-manager.negotiationType}
   antragraum:
     entityId: https://antragsraum.ozgcloud.de/
+    metadataUri: "classpath:/bayernid/bayernid-idp-infra.xml"
     

vorgang-manager-server/src/main/resources/bayernid/bayernid-dev-enc.crt

+-----BEGIN CERTIFICATE-----
+MIIEGzCCAwOgAwIBAgIUWPZFfhB4+iI3XdjUTMqhhDkljGgwDQYJKoZIhvcNAQEL
+BQAwgZwxCzAJBgNVBAYTAkRFMRswGQYDVQQIDBJCYWRlbi1XdWVydHRlbWJlcmcx
+EjAQBgNVBAcMCVN0dXR0Z2FydDEhMB8GA1UECgwYbWdtIHRlY2hub2xvZ2llIHBh
+cnRuZXJzMRIwEAYDVQQLDAlvemctY2xvdWQxJTAjBgkqhkiG9w0BCQEWFmplbnMu
+cmVlc2VAZ21nbS10cC5jb20wHhcNMjQwMzIwMDc0MDA5WhcNMjUwMzIwMDc0MDA5
+WjCBnDELMAkGA1UEBhMCREUxGzAZBgNVBAgMEkJhZGVuLVd1ZXJ0dGVtYmVyZzES
+MBAGA1UEBwwJU3R1dHRnYXJ0MSEwHwYDVQQKDBhtZ20gdGVjaG5vbG9naWUgcGFy
+dG5lcnMxEjAQBgNVBAsMCW96Zy1jbG91ZDElMCMGCSqGSIb3DQEJARYWamVucy5y
+ZWVzZUBnbWdtLXRwLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ANogQ1D22S1V53sAch82/LvbbqjMUQWCNOAyUEzrbEW0SqJ3ED+93ZL0rTwstiAj
+XQzPydKmo6keHlexm4f3EfBgJzUG6Y0O8BL/GG02n2ZaXZa3rtbY1y7CSBgICUGe
+9QPmHADUqTkzXwUVuKf6Ie1uyEbqLTr5T5PGOcESsQxVFkHG6/i2H7QhoeLDAWw5
+2ENwDRigM/mDaMliI5TWmM4T8DxKLZ7FUiQGDt/7vpQdBs+vit2ndaoQvQbpraBd
+/KVsbB3epXXFFX/y37+/lHMYtkCnPvHQljYjBz1hH6zcf1VcJLrmSElXHK74HLl5
+D/xYpUCCQX8EU0YIbPULejMCAwEAAaNTMFEwHQYDVR0OBBYEFFfqF7V0PscLpeAx
+Vj3ADkWSftbnMB8GA1UdIwQYMBaAFFfqF7V0PscLpeAxVj3ADkWSftbnMA8GA1Ud
+EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAK70r5o4oLPu5JXJmKWnI7CD
+wjZR0XQX8x1+tWtqT/v6Trz4p6SGxdPzA+Z9dKl5TrHWn0Jue79NCTQO1fgn/L5Q
+ZblOCxFhe+yvgeqyMPRHtlF1RicMn+yPwS3QKON0INmsch64IVXJZgJms0d7HRcF
+GAn644FdxZH9IX39eqs1Y7l1Ac++4O9uSiB6N+js2ZTOI+KDrvVhKblE+0ehx3bM
++hqsXpRE6iq9wD1wAGiMxMTetG1kI0PMgDiDXTfG3ZkvpYtTyU2Mkl+F9FFWhwGI
+LrLKJeLZRRpwkDvWNUpER5UveXJvY8TKV8HZDhEzWB3IAjRYufHnP5MHLgMZmXk=
+-----END CERTIFICATE-----

vorgang-manager-server/src/main/resources/bayernid/bayernid-idp-infra.xml

+<?xml version="1.0" encoding="UTF-8"?><md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
+    <md:EntityDescriptor entityID="https://infra-pre-id.bayernportal.de/idp">
+        <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+            <md:KeyDescriptor use="signing">
+                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+                    <ds:X509Data>
+                        <ds:X509Certificate>MIIFbzCCA1egAwIBAgIJAPdFXXarkBN2MA0GCSqGSIb3DQEBCwUAME4xCzAJBgNV
+                            BAYTAkRFMQ8wDQYDVQQIDAZCYXllcm4xETAPBgNVBAcMCE11ZW5jaGVuMQ0wCwYD
+                            VQQKDARBS0RCMQwwCgYDVQQLDANJRE0wHhcNMjAxMDI3MTMxODQxWhcNMjUxMDI2
+                            MTMxODQxWjBOMQswCQYDVQQGEwJERTEPMA0GA1UECAwGQmF5ZXJuMREwDwYDVQQH
+                            DAhNdWVuY2hlbjENMAsGA1UECgwEQUtEQjEMMAoGA1UECwwDSURNMIICIjANBgkq
+                            hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAzDtWAEdC3J9FD+ti1exRhN1lzNgKWqO2
+                            gQNdJvlt7KGHA2VGGO7tqRogTuoqi/ydtiHJ8+lhp4kcWqyfv7i9HXOncvcsRRmR
+                            dZjUY2Iui6ozJqD5LVm/vP5YfdP7vQPdbqyyfpoJhf3mbMEtdNDdGRnGIPUfDn+C
+                            Fbo37f9tPwMgf3jgh4gxaujtLIhhr9gevVTEeZAFu9EvzLNd3kEtRb7MuXqIOdu1
+                            rW8HlGYFwwVLqEyBn8XG0QAIfhMmGjFMG7z+Kco2quwOmmZVzWQfeH/3AlN2KbcP
+                            t7j+pl+6Bew2AAivP7O+95YKORqQjTu3rPWMF4txPId37MSjoytwBRyd5EACTvhQ
+                            BOGrDFKQUOx6fTtRc8+7XGVz8MdQaZQWQXXh1ByU783twNdnRSrSVIyLdjiy1uCb
+                            jvsSAtbzGBygPIvDo3skCNLNFXsChtHIfFFDK20KPGb0ghEDf2q3hDbFG3ZDGGyn
+                            ZmJcZKuZhJqodJ/++sAXADyTJNAPVYDjKCF4ypELp2Eu/p1gaQPJEb74L/ZFZVOE
+                            JFyXIiaqB9J+fcn/biqHHOmcCi8n9aIiNt1fatr1Z4lQRWoGtKaGU0+bzUSH4Bgs
+                            2EG4u1CI2MKDWqK2aEsHrtu8tbS9LrUmDVKtaEUOeul8xWVa036vp/YUIdiJNZSx
+                            ZG4iTmSOATECAwEAAaNQME4wHQYDVR0OBBYEFFYeltslkaolOmcINXQeSe7nURwp
+                            MB8GA1UdIwQYMBaAFFYeltslkaolOmcINXQeSe7nURwpMAwGA1UdEwQFMAMBAf8w
+                            DQYJKoZIhvcNAQELBQADggIBAKqAlXoO41SAiycYUOrR90pfwTCysmbtHF5RWSCM
+                            jF2aCG8URJ7bXwC0lBH8E5zCetFZwdqZziQtxzRkIOfhS5uWbH0RDhwuxZG+5RTP
+                            yaHPAZI6e5xHDu8vHl/VbC3lnL/6K8l+Purr/yo8qkJqrPgThZRL9jBQyYRhDSsJ
+                            UyIw5zcKKUQC/JWtMQAQcopbjekCs6xDT1HqIN90Sc/gOfYjNo0dGMNmro9mxcw8
+                            2Iow18KNVdtEexfD+/6x4NPD61pzuQEe09TR+Cv3XyzBoGQ/2arijcPnGvth79ff
+                            VFtRSf3fSs7wEKV9g3mEWXFDtPBhDj6K0kKU/kJfEZixkXl92MY+bmugrtTIrazj
+                            tfrgMglIAHu9XCYWd/gef0J+PNfHsxgbTEr3XSC+5/xoFKPQSw3PgV8lkUDq4mJU
+                            Ky/q4YmA37XQxourFR5pWvF03YACdtq6zPjtVeI7Cvkte6k0YW5S3cx9RmPv6YZh
+                            laZ5ERpWNiv6IjokLsvNeemf2PApjO7Q2EDBIoHBYH31wwJSsyRDrSVmbaqLFI15
+                            fLXeh2A4YbaBDZdGvDiLOAk+dG1wdZ2aGw/uNBzMtc8VeKqI1HPcqIluBA3uUPpy
+                            LLA+9hDPf6Pp4j0gkXxBikz+/h22bFxE1HmDiOSkEn+2NmOHuEFeA+D8jsCAL5VJ
+                            3emK</ds:X509Certificate>
+                    </ds:X509Data>
+                </ds:KeyInfo>
+            </md:KeyDescriptor>
+            <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
+            <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://infra-pre-id.bayernportal.de/idp/profile/SAML2/POST/SSO"/>
+            <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://infra-pre-id.bayernportal.de/idp/profile/SAML2/Redirect/SSO"/>
+        </md:IDPSSODescriptor>
+    </md:EntityDescriptor>
+</md:EntitiesDescriptor>
\ No newline at end of file

vorgang-manager-server/src/test/resources/bayernid/bsp-nachricht

-<ns4:sendBspNachrichtNative xmlns:ns3="http://www.akdb.de/egov/bsp/nachrichten" xmlns:ns4="urn:akdb:bsp:postkorb:komm:webservice"><bspNachricht>&lt;?xml version="1.0" encoding="UTF-8" standalone="yes"?&gt;&lt;ns2:BspNachricht xmlns:ns2="http://www.akdb.de/egov/bsp/nachrichten" xmlns:ns3="urn:akdb:bsp:postkorb:komm:webservice"&gt;&lt;ns2:NachrichtenKopf&gt;&lt;ns2:Identifikation.Nachricht&gt;&lt;ns2:Erstellungszeitpunkt&gt;2020-04-01T10:30:10.000Z&lt;/ns2:Erstellungszeitpunkt&gt;&lt;ns2:NachrichtenId&gt;1&lt;/ns2:NachrichtenId&gt;&lt;/ns2:Identifikation.Nachricht&gt;&lt;ns2:Absender&gt;&lt;ns2:Dienst&gt;Stadtverwaltung&lt;/ns2:Dienst&gt;&lt;ns2:Mandant&gt;Fürth&lt;/ns2:Mandant&gt;&lt;ns2:Gemeindeschluessel&gt;&lt;ns2:Tabelle&gt;36&lt;/ns2:Tabelle&gt;&lt;ns2:Schluessel&gt;09563000&lt;/ns2:Schluessel&gt;&lt;/ns2:Gemeindeschluessel&gt;&lt;/ns2:Absender&gt;&lt;ns2:Empfaenger&gt;&lt;ns2:PostkorbId&gt;1&lt;/ns2:PostkorbId&gt;&lt;/ns2:Empfaenger&gt;&lt;/ns2:NachrichtenKopf&gt;&lt;ns2:NachrichtenInhalt&gt;&lt;ns2:Betreff&gt;Test Subject&lt;/ns2:Betreff&gt;&lt;ns2:StorkQaaLevel&gt;LEVEL_1&lt;/ns2:StorkQaaLevel&gt;&lt;ns2:ZuVorgang&gt;&lt;ns2:VorgangsId&gt;1&lt;/ns2:VorgangsId&gt;&lt;/ns2:ZuVorgang&gt;&lt;ns2:FreiText&gt;&lt;ns2:Encoding&gt;&lt;ns2:Tabelle&gt;9004&lt;/ns2:Tabelle&gt;&lt;ns2:Schluessel&gt;text/plain&lt;/ns2:Schluessel&gt;&lt;/ns2:Encoding&gt;&lt;ns2:Text&gt;BodyString&lt;/ns2:Text&gt;&lt;/ns2:FreiText&gt;&lt;/ns2:NachrichtenInhalt&gt;&lt;/ns2:BspNachricht&gt;</bspNachricht></ns4:sendBspNachrichtNative>
\ No newline at end of file

vorgang-manager-server/src/test/resources/bayernid/test.txt

-some simple text
\ No newline at end of file