diff --git a/src/main/helm/templates/_helpers.tpl b/src/main/helm/templates/_helpers.tpl
index cb9ff09ba278f1c9a324a7930772d0920f81e4a0..1317f415cf1502d9f897172dfcfcfdf2b1c3a2ef 100644
--- a/src/main/helm/templates/_helpers.tpl
+++ b/src/main/helm/templates/_helpers.tpl
@@ -123,3 +123,7 @@ app.kubernetes.io/namespace: {{ include "app.namespace" . }}
 {{ include "app.bayernidAbsenderName" . }}
 {{- end -}}
 {{- end -}}
+
+{{- define "app.elsterTransferOperatorNamespace" -}}
+{{- required "elsterTransferOperator.namespace must be set" (.Values.elsterTransferOperator).namespace -}}
+{{- end -}}
\ No newline at end of file
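Review bot: The new `app.elsterTransferOperatorNamespace` helper has no doc comment, although its output decides which namespace's ServiceAccount the secret RoleBindings in this commit grant access to. A template comment above the `define` would make that visible to whoever edits values later: `{{/* Namespace of the elster transfer operator's ServiceAccount, used as the RoleBinding subject namespace; rendering fails when elsterTransferOperator.namespace is unset. */}}`. `required` only rejects an empty value, so a wrong but non-empty namespace still renders, and the binding then names a service account in that other namespace.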
diff --git a/src/main/helm/templates/elstertransfer_user_cr.yaml b/src/main/helm/templates/elstertransfer_user_cr.yaml
index 99e00bfd8734562f6da31f2d0985d345d3d4ee26..622de75f0eb7c8ff34d7069732d7bd40da1bab8a 100644
--- a/src/main/helm/templates/elstertransfer_user_cr.yaml
+++ b/src/main/helm/templates/elstertransfer_user_cr.yaml
@@ -30,5 +30,5 @@ metadata:
   name: {{ include "app.namespace" . }}-etr-user
   namespace: {{ include "app.namespace" $ }}
 spec:
-  keep_after_delete: {{ (.Values.etr_user).keep_after_delete | default false }}
+  keep_after_delete: {{ (.Values.elsterTransferOperator).keep_after_delete | default false }}
 {{- end -}}
\ No newline at end of file
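Review bot: Switching `keep_after_delete` from `.Values.etr_user` to `.Values.elsterTransferOperator` is silent for existing values files, because a release that still sets `etr_user.keep_after_delete: true` now falls through `default false` without any error. If the flag does what its name suggests, that flips retention of the user on CR deletion without anyone noticing. Either fail loudly on the old key, for example `{{- if .Values.etr_user }}{{ fail "etr_user.keep_after_delete was renamed to elsterTransferOperator.keep_after_delete" }}{{- end }}`, or document the rename in the chart's upgrade notes. The enclosing `if` block starts outside this hunk.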
diff --git a/src/main/helm/templates/ozgcloud_elstertransfer_operator_secret_write_role.yaml b/src/main/helm/templates/ozgcloud_elstertransfer_operator_secret_create_role.yaml
similarity index 78%
rename from src/main/helm/templates/ozgcloud_elstertransfer_operator_secret_write_role.yaml
rename to src/main/helm/templates/ozgcloud_elstertransfer_operator_secret_create_role.yaml
index 4f2838a6996a2165636ef94bd39a567d971269eb..14e66bc84f9808f7a1c044555305f4a4148e1bf2 100644
--- a/src/main/helm/templates/ozgcloud_elstertransfer_operator_secret_write_role.yaml
+++ b/src/main/helm/templates/ozgcloud_elstertransfer_operator_secret_create_role.yaml
@@ -21,30 +21,30 @@
 # Die sprachspezifischen Genehmigungen und Beschränkungen
 # unter der Lizenz sind dem Lizenztext zu entnehmen.
 #
-{{- if (((.Values.ozgcloud).muk).enabled) }}
+{{- if ((.Values.ozgcloud).muk).enabled }}
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: ozgcloud-elster-transfer-operator-secret-write-role-binding
+  name: ozgcloud-elster-transfer-operator-secret-create-role-binding
   namespace: {{ include "app.namespace" . }}
 subjects:
   - kind: ServiceAccount
     name: ozgcloud-elster-transfer-operator-service-account
-    namespace: {{ required "elsterTransferOperator.namespace must be set" (.Values.elsterTransferOperator).namespace }}
+    namespace: {{ include "app.elsterTransferOperatorNamespace" . }}
 roleRef:
   kind: Role
-  name: ozgcloud-elster-transfer-operator-secret-write-role
+  name: ozgcloud-elster-transfer-operator-secret-create-role
   apiGroup: rbac.authorization.k8s.io
 
 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: ozgcloud-elster-transfer-operator-secret-write-role
+  name: ozgcloud-elster-transfer-operator-secret-create-role
   namespace: {{ include "app.namespace" . }}
 rules:
   - apiGroups: [""]
     resources: ["secrets"]
-    verbs: ["create", "update"]
+    verbs: ["create"]
 {{- end }}
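Review bot: The remaining rule grants `create` on every Secret in the app namespace, and unlike the new update role it cannot be narrowed by name, because Kubernetes RBAC does not evaluate `resourceNames` for `create` requests. That is worth stating next to the rule so the asymmetry with the name-scoped update role is not mistaken for an oversight, e.g. `# create cannot be restricted with resourceNames; the operator may create any Secret in this namespace`. If the created name must be constrained, that would need an admission policy rather than RBAC.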
diff --git a/src/main/helm/templates/ozgcloud_elstertransfer_operator_secret_read_role.yaml b/src/main/helm/templates/ozgcloud_elstertransfer_operator_secret_read_role.yaml
index 38cd9d64961f5d364d508af3fb4548ee7f9f35df..561b89abc4a96334c80a54382887e323dde6fd2f 100644
--- a/src/main/helm/templates/ozgcloud_elstertransfer_operator_secret_read_role.yaml
+++ b/src/main/helm/templates/ozgcloud_elstertransfer_operator_secret_read_role.yaml
@@ -21,7 +21,7 @@
 # Die sprachspezifischen Genehmigungen und Beschränkungen
 # unter der Lizenz sind dem Lizenztext zu entnehmen.
 #
-{{- if (((.Values.ozgcloud).muk).enabled) }}
+{{- if ((.Values.ozgcloud).muk).enabled }}
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -31,7 +31,7 @@ metadata:
 subjects:
   - kind: ServiceAccount
     name: ozgcloud-elster-transfer-operator-service-account
-    namespace: {{ required "elsterTransferOperator.namespace must be set" (.Values.elsterTransferOperator).namespace }}
+    namespace: {{ include "app.elsterTransferOperatorNamespace" . }}
 roleRef:
   kind: Role
   name: ozgcloud-elster-transfer-operator-secret-read-role
diff --git a/src/main/helm/templates/ozgcloud_elstertransfer_operator_secret_update_role.yaml b/src/main/helm/templates/ozgcloud_elstertransfer_operator_secret_update_role.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..584400851f0b3b110cb2d32e619a4b1816cb899d
--- /dev/null
+++ b/src/main/helm/templates/ozgcloud_elstertransfer_operator_secret_update_role.yaml
@@ -0,0 +1,51 @@
+#
+# Copyright (C) 2022 Das Land Schleswig-Holstein vertreten durch den
+# Ministerpräsidenten des Landes Schleswig-Holstein
+# Staatskanzlei
+# Abteilung Digitalisierung und zentrales IT-Management der Landesregierung
+#
+# Lizenziert unter der EUPL, Version 1.2 oder - sobald
+# diese von der Europäischen Kommission genehmigt wurden -
+# Folgeversionen der EUPL ("Lizenz");
+# Sie dürfen dieses Werk ausschließlich gemäß
+# dieser Lizenz nutzen.
+# Eine Kopie der Lizenz finden Sie hier:
+#
+# https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12
+#
+# Sofern nicht durch anwendbare Rechtsvorschriften
+# gefordert oder in schriftlicher Form vereinbart, wird
+# die unter der Lizenz verbreitete Software "so wie sie
+# ist", OHNE JEGLICHE GEWÄHRLEISTUNG ODER BEDINGUNGEN -
+# ausdrücklich oder stillschweigend - verbreitet.
+# Die sprachspezifischen Genehmigungen und Beschränkungen
+# unter der Lizenz sind dem Lizenztext zu entnehmen.
+#
+{{- if ((.Values.ozgcloud).muk).enabled }}
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ozgcloud-elster-transfer-operator-secret-update-role-binding
+  namespace: {{ include "app.namespace" . }}
+subjects:
+  - kind: ServiceAccount
+    name: ozgcloud-elster-transfer-operator-service-account
+    namespace: {{ include "app.elsterTransferOperatorNamespace" . }}
+roleRef:
+  kind: Role
+  name: ozgcloud-elster-transfer-operator-secret-update-role
+  apiGroup: rbac.authorization.k8s.io
+
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ozgcloud-elster-transfer-operator-secret-update-role
+  namespace: {{ include "app.namespace" . }}
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["update"]
+    resourceNames: ["muk-user-secret"]
+{{- end }}
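Review bot: The `resourceNames` entry `muk-user-secret` is a bare literal that has to match the Secret name the operator actually writes, and nothing visible in this chart ties the two together. If the operator's secret name changes or is configurable, updates are denied at runtime while the template and its test (which pins the same literal) keep passing. A comment on the rule would record the coupling: `# must equal the Secret name written by the elster transfer operator; update is denied for any other name`. Whether the read role is scoped to the same name is not visible in this diff and is worth checking for consistency.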
diff --git a/src/test/helm/elster_transfer_user_cr_test.yaml b/src/test/helm/elster_transfer_user_cr_test.yaml
index 2f311ccb8890cfd5abf34f1f4c3807c7c8027f61..0587c112a56c4097ccba6dc6c06cd60349fc66f5 100644
--- a/src/test/helm/elster_transfer_user_cr_test.yaml
+++ b/src/test/helm/elster_transfer_user_cr_test.yaml
@@ -79,7 +79,7 @@ tests:
       ozgcloud:
         muk:
           enabled: true
-      etr_user:
+      elsterTransferOperator:
         keep_after_delete: true
     asserts:
       - equal:
diff --git a/src/test/helm/ozgcloud_elstertransfer_operator_secret_create_role_test.yaml b/src/test/helm/ozgcloud_elstertransfer_operator_secret_create_role_test.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..34a6109f7119929c515b06f0e1de9c85e440de55
--- /dev/null
+++ b/src/test/helm/ozgcloud_elstertransfer_operator_secret_create_role_test.yaml
@@ -0,0 +1,133 @@
+#
+# Copyright (C) 2022 Das Land Schleswig-Holstein vertreten durch den
+# Ministerpräsidenten des Landes Schleswig-Holstein
+# Staatskanzlei
+# Abteilung Digitalisierung und zentrales IT-Management der Landesregierung
+#
+# Lizenziert unter der EUPL, Version 1.2 oder - sobald
+# diese von der Europäischen Kommission genehmigt wurden -
+# Folgeversionen der EUPL ("Lizenz");
+# Sie dürfen dieses Werk ausschließlich gemäß
+# dieser Lizenz nutzen.
+# Eine Kopie der Lizenz finden Sie hier:
+#
+# https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12
+#
+# Sofern nicht durch anwendbare Rechtsvorschriften
+# gefordert oder in schriftlicher Form vereinbart, wird
+# die unter der Lizenz verbreitete Software "so wie sie
+# ist", OHNE JEGLICHE GEWÄHRLEISTUNG ODER BEDINGUNGEN -
+# ausdrücklich oder stillschweigend - verbreitet.
+# Die sprachspezifischen Genehmigungen und Beschränkungen
+# unter der Lizenz sind dem Lizenztext zu entnehmen.
+#
+
+suite: ElsterTransfer user secret rbac test
+release:
+  name: ozgcloud-elstertransfer-operator
+  namespace: test-namespace
+templates:
+  - templates/ozgcloud_elstertransfer_operator_secret_create_role.yaml
+
+
+tests:
+  - it: test RoleBinding metadata
+    set:
+      elsterTransferOperator:
+        namespace: etr-operator
+      ozgcloud:
+        muk:
+          enabled: true
+    asserts:
+      - isKind:
+          of: RoleBinding
+        documentIndex: 0
+      - isAPIVersion:
+          of: rbac.authorization.k8s.io/v1
+        documentIndex: 0
+      - equal:
+          path: metadata.name
+          value: ozgcloud-elster-transfer-operator-secret-create-role-binding
+        documentIndex: 0
+ 
+  - it: test RoleBinding subject
+    set:
+      elsterTransferOperator:
+        namespace: etr-operator
+      ozgcloud:
+        muk:
+          enabled: true
+    asserts:
+      - contains:
+          path: subjects
+          content:
+            kind: ServiceAccount
+            name: ozgcloud-elster-transfer-operator-service-account
+            namespace: etr-operator
+        documentIndex: 0
+  - it: test RoleBinding roleRef
+    set:
+      elsterTransferOperator:
+        namespace: etr-operator
+      ozgcloud:
+        muk:
+          enabled: true
+    asserts:
+      - equal:
+          path: roleRef
+          value:
+            kind: Role
+            name: ozgcloud-elster-transfer-operator-secret-create-role
+            apiGroup: rbac.authorization.k8s.io
+        documentIndex: 0
+
+  - it: test Role metadata
+    set:
+      elsterTransferOperator:
+        namespace: etr-operator
+      ozgcloud:
+        muk:
+          enabled: true
+    asserts:
+      - isKind:
+          of: Role
+        documentIndex: 1
+      - isAPIVersion:
+          of: rbac.authorization.k8s.io/v1
+        documentIndex: 1
+      - equal:
+          path: metadata.name
+          value: ozgcloud-elster-transfer-operator-secret-create-role
+        documentIndex: 1
+    
+  - it: test RoleBinding rules
+    set:
+      elsterTransferOperator:
+        namespace: etr-operator
+      ozgcloud:
+        muk:
+          enabled: true
+    asserts:
+      - contains:
+          path: rules
+          content:
+              apiGroups:
+                - ""
+              resources:
+                - secrets
+              verbs:
+                - create
+        documentIndex: 1
+  - it: test eltertransferOperator namespace must be set msg
+    set: 
+      ozgcloud:
+        muk:
+          enabled: true
+    asserts:
+      - failedTemplate:
+          errorMessage: elsterTransferOperator.namespace must be set
+
+  - it: RBAC not created by default
+    asserts:
+      - hasDocuments:
+          count: 0
\ No newline at end of file
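Review bot: The rules test uses `contains` on `path: rules`, which only proves the `create` rule is present and would still pass if a broader rule, such as the removed `update` verb or a wildcard, were added to the Role later. For a least-privilege check, pin the whole list instead: change `- contains:` to `- equal:` and `content:` to `value:`, with the rule written as a one-item list (`- apiGroups:` …). The same applies to the rules assertion in `ozgcloud_elstertransfer_operator_secret_update_role_test.yaml`, where an exact match would also guard the `resourceNames` restriction. Separately, the case titled `test RoleBinding rules` inspects the Role at `documentIndex: 1`, and `eltertransferOperator` in the next title is a typo.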
diff --git a/src/test/helm/ozgcloud_elstertransfer_operator_secret_read_role_test.yaml b/src/test/helm/ozgcloud_elstertransfer_operator_secret_read_role_test.yaml
index 567ccae0b99ff206b281b1b612add6518a5e252e..6d3bf2a10988847c5e425f13def889ea9ef8ea48 100644
--- a/src/test/helm/ozgcloud_elstertransfer_operator_secret_read_role_test.yaml
+++ b/src/test/helm/ozgcloud_elstertransfer_operator_secret_read_role_test.yaml
@@ -135,7 +135,4 @@ tests:
     asserts:
       - hasDocuments:
           count: 0
-        documentIndex: 1
-      - hasDocuments:
-          count: 0
-        documentIndex: 0
\ No newline at end of file
+    
\ No newline at end of file
diff --git a/src/test/helm/ozgcloud_elstertransfer_operator_secret_write_role_test.yaml b/src/test/helm/ozgcloud_elstertransfer_operator_secret_update_role_test.yaml
similarity index 89%
rename from src/test/helm/ozgcloud_elstertransfer_operator_secret_write_role_test.yaml
rename to src/test/helm/ozgcloud_elstertransfer_operator_secret_update_role_test.yaml
index af7d221d1d66b09d3c64a44b9280bde825ecfc13..5f28b5cd2104687d7b40103ae741effa0418fda4 100644
--- a/src/test/helm/ozgcloud_elstertransfer_operator_secret_write_role_test.yaml
+++ b/src/test/helm/ozgcloud_elstertransfer_operator_secret_update_role_test.yaml
@@ -27,7 +27,7 @@ release:
   name: ozgcloud-elstertransfer-operator
   namespace: test-namespace
 templates:
-  - templates/ozgcloud_elstertransfer_operator_secret_write_role.yaml
+  - templates/ozgcloud_elstertransfer_operator_secret_update_role.yaml
 
 
 tests:
@@ -47,7 +47,7 @@ tests:
         documentIndex: 0
       - equal:
           path: metadata.name
-          value: ozgcloud-elster-transfer-operator-secret-write-role-binding
+          value: ozgcloud-elster-transfer-operator-secret-update-role-binding
         documentIndex: 0
  
   - it: test RoleBinding subject
@@ -77,7 +77,7 @@ tests:
           path: roleRef
           value:
             kind: Role
-            name: ozgcloud-elster-transfer-operator-secret-write-role
+            name: ozgcloud-elster-transfer-operator-secret-update-role
             apiGroup: rbac.authorization.k8s.io
         documentIndex: 0
 
@@ -97,7 +97,7 @@ tests:
         documentIndex: 1
       - equal:
           path: metadata.name
-          value: ozgcloud-elster-transfer-operator-secret-write-role
+          value: ozgcloud-elster-transfer-operator-secret-update-role
         documentIndex: 1
     
   - it: test RoleBinding rules
@@ -116,8 +116,9 @@ tests:
               resources:
                 - secrets
               verbs:
-                - create
                 - update
+              resourceNames:
+                - muk-user-secret
         documentIndex: 1
   - it: test eltertransferOperator namespace must be set msg
     set: 
@@ -132,7 +133,4 @@ tests:
     asserts:
       - hasDocuments:
           count: 0
-        documentIndex: 1
-      - hasDocuments:
-          count: 0
-        documentIndex: 0
\ No newline at end of file
+      
\ No newline at end of file