diff --git a/elster-transfer/templates/_helpers.tpl b/elster-transfer/templates/_helpers.tpl index d9a5ac76a5fbe9faaaa1a385f6c98a03c9f970f8..3f8f6505b8100ede9fd6e1941cfc8486a72293f1 100644 --- a/elster-transfer/templates/_helpers.tpl +++ b/elster-transfer/templates/_helpers.tpl @@ -63,3 +63,6 @@ app.kubernetes.io/namespace: {{ .Release.Namespace }} {{- end -}} +{{- define "app.elsterTransferOperatorNamespace" -}} +{{- required "elsterTransferOperator.namespace must be set" (.Values.elsterTransferOperator).namespace -}} +{{- end -}} \ No newline at end of file diff --git a/elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_write_role.yaml b/elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_create_role.yaml similarity index 80% rename from elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_write_role.yaml rename to elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_create_role.yaml index 90f2e1601d4e38dca32bcd3d5954d42613e471e9..a80c872d8259c4475bce0d0930437761b30c952f 100644 --- a/elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_write_role.yaml +++ b/elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_create_role.yaml 
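Review bot: The new `app.elsterTransferOperatorNamespace` define has no `{{/* … */}}` comment, and every caller in this commit emits its result as a plain scalar (`namespace: {{ include "app.elsterTransferOperatorNamespace" . }}`). A namespace value that YAML retypes, such as an all-digit name, would then render as a non-string and the RoleBinding subject would fail validation. I would add `{{/* Namespace of the operator's ServiceAccount; rendering fails when elsterTransferOperator.namespace is unset. */}}` above the define and end the expression with `| quote`. The existing `namespace: etr-operator` assertions should still pass, since a quoted value parses to the same string.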
@@ -26,25 +26,25 @@ kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: ozgcloud-elster-transfer-operator-configmap-write-role-binding + name: ozgcloud-elster-transfer-operator-configmap-create-role-binding namespace: {{ include "app.namespace" . }} subjects: - kind: ServiceAccount name: ozgcloud-elster-transfer-operator-service-account - namespace: {{ required "elsterTransferOperator.namespace must be set" (.Values.elsterTransferOperator).namespace }} + namespace: {{ include "app.elsterTransferOperatorNamespace" . }} roleRef: kind: Role - name: ozgcloud-elster-transfer-operator-configmap-write-role + name: ozgcloud-elster-transfer-operator-configmap-create-role apiGroup: rbac.authorization.k8s.io --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: ozgcloud-elster-transfer-operator-configmap-write-role + name: ozgcloud-elster-transfer-operator-configmap-create-role namespace: {{ include "app.namespace" . }} rules: - apiGroups: [""] resources: ["configmaps"] - verbs: ["create", "update", "patch"] + verbs: ["create"] {{- end -}} \ No newline at end of file diff --git a/elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_read_role.yaml b/elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_read_role.yaml index c80d279d63433ffcb3dde69dcd000f563cb2ea6c..51833bde3e91b5ce6ef4b113d2028de255a96b67 100644 --- a/elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_read_role.yaml +++ b/elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_read_role.yaml @@ -31,7 +31,7 @@ metadata: subjects: - kind: ServiceAccount name: ozgcloud-elster-transfer-operator-service-account - namespace: {{ required "elsterTransferOperator.namespace must be set" (.Values.elsterTransferOperator).namespace }} + namespace: {{ include "app.elsterTransferOperatorNamespace" . }} roleRef: kind: Role name: ozgcloud-elster-transfer-operator-configmap-read-role 
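Review bot: The narrowed rule `verbs: ["create"]` in the renamed Role carries no `resourceNames`, and it cannot: Kubernetes RBAC does not restrict `create` by object name, so the operator's service account may still create ConfigMaps under any name in the application namespace. That is a clear reduction from the old create/update/patch grant on all ConfigMaps, but the residual permission deserves a comment above the rule, e.g. `# create cannot be limited by resourceNames; the operator may create a ConfigMap of any name in this namespace`. If `etr-user-config` is the only object the operator ever creates, and the deployment model allows it, shipping that ConfigMap from the chart would let this Role be dropped altogether.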
@@ -47,4 +47,5 @@ rules: - apiGroups: [""] resources: ["configmaps"] verbs: ["get", "list"] + resourceNames: ["etr-user-config"] {{- end -}} \ No newline at end of file diff --git a/elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_update_role.yaml b/elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_update_role.yaml new file mode 100644 index 0000000000000000000000000000000000000000..70b5d99bab832a90858bfa40e6e92eecd1fdbe40 --- /dev/null +++ b/elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_update_role.yaml 
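Review bot: Adding `resourceNames: ["etr-user-config"]` to a rule that also grants `list` changes which list calls are authorized. Kubernetes only allows a name-restricted `list` when the request carries a `metadata.name=etr-user-config` field selector, so an unfiltered list of ConfigMaps in the namespace is now denied. If the operator only reads the ConfigMap by name, `verbs: ["get"]` is sufficient and states the intent; if it lists or watches, confirm the client sets the field selector. The operator code is not part of this diff, so this is something to verify rather than a confirmed break.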
@@ -0,0 +1,51 @@
+#
+# Copyright (C) 2022 Das Land Schleswig-Holstein vertreten durch den
+# Ministerpräsidenten des Landes Schleswig-Holstein
+# Staatskanzlei
+# Abteilung Digitalisierung und zentrales IT-Management der Landesregierung
+#
+# Lizenziert unter der EUPL, Version 1.2 oder - sobald
+# diese von der Europäischen Kommission genehmigt wurden -
+# Folgeversionen der EUPL ("Lizenz");
+# Sie dürfen dieses Werk ausschließlich gemäß
+# dieser Lizenz nutzen.
+# Eine Kopie der Lizenz finden Sie hier:
+#
+# https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12
+#
+# Sofern nicht durch anwendbare Rechtsvorschriften
+# gefordert oder in schriftlicher Form vereinbart, wird
+# die unter der Lizenz verbreitete Software "so wie sie
+# ist", OHNE JEGLICHE GEWÄHRLEISTUNG ODER BEDINGUNGEN -
+# ausdrücklich oder stillschweigend - verbreitet.
+# Die sprachspezifischen Genehmigungen und Beschränkungen
+# unter der Lizenz sind dem Lizenztext zu entnehmen.
+#
+{{- if (.Values.userAuthentication).enabled }}
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ozgcloud-elster-transfer-operator-configmap-update-role-binding
+ namespace: {{ include "app.namespace" . }}
+subjects:
+ - kind: ServiceAccount
+ name: ozgcloud-elster-transfer-operator-service-account
+ namespace: {{ include "app.elsterTransferOperatorNamespace" . }}
+roleRef:
+ kind: Role
+ name: ozgcloud-elster-transfer-operator-configmap-update-role
+ apiGroup: rbac.authorization.k8s.io
+
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ozgcloud-elster-transfer-operator-configmap-update-role
+ namespace: {{ include "app.namespace" . }}
+rules:
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["update", "patch"]
+ resourceNames: ["etr-user-config"]
+{{- end -}}
\ No newline at end of file
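Review bot: The ConfigMap name `etr-user-config` is now a literal in two Role templates (this one and the read role) and in their unit tests. With `resourceNames` in place, a name that drifts from what the operator actually writes becomes a 403 at runtime rather than a render-time error. A named template in `_helpers.tpl` next to `app.elsterTransferOperatorNamespace`, used as `resourceNames: [{{ include "<config-map-name helper>" . | quote }}]`, would keep those places in step. A one-line comment above the rule naming the component that owns this ConfigMap would also help the next reader judge the grant.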
diff --git a/elster-transfer/templates/ozgcloud_elstertransfer_operator_deployment_read_role.yaml b/elster-transfer/templates/ozgcloud_elstertransfer_operator_deployment_read_role.yaml index 0635baedca7c5b11f4e02b1e40bc63ad7dda86a4..b457a2c137e6e908ae7e5d2e161039ec36a55c9d 100644 --- a/elster-transfer/templates/ozgcloud_elstertransfer_operator_deployment_read_role.yaml +++ b/elster-transfer/templates/ozgcloud_elstertransfer_operator_deployment_read_role.yaml @@ -30,7 +30,7 @@ metadata: subjects: - kind: ServiceAccount name: ozgcloud-elster-transfer-operator-service-account - namespace: {{ required "elsterTransferOperator.namespace must be set" (.Values.elsterTransferOperator).namespace }} + namespace: {{ include "app.elsterTransferOperatorNamespace" . }} roleRef: kind: Role name: ozgcloud-elster-transfer-operator-deployment-read-role diff --git a/elster-transfer/templates/ozgcloud_elstertransfer_operator_deployment_write_role.yaml b/elster-transfer/templates/ozgcloud_elstertransfer_operator_deployment_write_role.yaml index 6cf9b4435c73a845b88e5f344342a2d0203054d3..211e5ca93285225218f323e7cb200e5f2687db07 100644 --- a/elster-transfer/templates/ozgcloud_elstertransfer_operator_deployment_write_role.yaml +++ b/elster-transfer/templates/ozgcloud_elstertransfer_operator_deployment_write_role.yaml @@ -30,7 +30,7 @@ metadata: subjects: - kind: ServiceAccount name: ozgcloud-elster-transfer-operator-service-account - namespace: {{ required "elsterTransferOperator.namespace must be set" (.Values.elsterTransferOperator).namespace }} + namespace: {{ include "app.elsterTransferOperatorNamespace" . }} roleRef: kind: Role name: ozgcloud-elster-transfer-operator-deployment-write-role 
diff --git a/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_create_role_test.yaml b/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_create_role_test.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..c62c3e897ef43c05fe7328cb1b70e7715009cf59
--- /dev/null
+++ b/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_create_role_test.yaml
@@ -0,0 +1,121 @@
+#
+# Copyright (C) 2022 Das Land Schleswig-Holstein vertreten durch den
+# Ministerpräsidenten des Landes Schleswig-Holstein
+# Staatskanzlei
+# Abteilung Digitalisierung und zentrales IT-Management der Landesregierung
+#
+# Lizenziert unter der EUPL, Version 1.2 oder - sobald
+# diese von der Europäischen Kommission genehmigt wurden -
+# Folgeversionen der EUPL ("Lizenz");
+# Sie dürfen dieses Werk ausschließlich gemäß
+# dieser Lizenz nutzen.
+# Eine Kopie der Lizenz finden Sie hier:
+#
+# https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12
+#
+# Sofern nicht durch anwendbare Rechtsvorschriften
+# gefordert oder in schriftlicher Form vereinbart, wird
+# die unter der Lizenz verbreitete Software "so wie sie
+# ist", OHNE JEGLICHE GEWÄHRLEISTUNG ODER BEDINGUNGEN -
+# ausdrücklich oder stillschweigend - verbreitet.
+# Die sprachspezifischen Genehmigungen und Beschränkungen
+# unter der Lizenz sind dem Lizenztext zu entnehmen.
+#
+
+suite: ElsterTransfer read rbac test
+release:
+ name: elstertransfer
+ namespace: test-namespace
+set:
+templates:
+ - templates/ozgcloud_elstertransfer_operator_configmap_create_role.yaml
+tests:
+ - it: test RoleBinding metadata
+ set:
+ userAuthentication:
+ enabled: true
+ elsterTransferOperator:
+ namespace: etr-operator
+ asserts:
+ - isKind:
+ of: RoleBinding
+ documentIndex: 0
+ - isAPIVersion:
+ of: rbac.authorization.k8s.io/v1
+ - equal:
+ path: metadata.name
+ value: ozgcloud-elster-transfer-operator-configmap-create-role-binding
+ documentIndex: 0
+ - it: test RoleBinding subject
+ set:
+ userAuthentication:
+ enabled: true
+ elsterTransferOperator:
+ namespace: etr-operator
+ asserts:
+ - contains:
+ path: subjects
+ content:
+ kind: ServiceAccount
+ name: ozgcloud-elster-transfer-operator-service-account
+ namespace: etr-operator
+ documentIndex: 0
+ - it: test RoleBinding roleRef
+ set:
+ userAuthentication:
+ enabled: true
+ elsterTransferOperator:
+ namespace: etr-operator
+ asserts:
+ - 
equal: + path: roleRef + value: + kind: Role + name: ozgcloud-elster-transfer-operator-configmap-create-role + apiGroup: rbac.authorization.k8s.io + documentIndex: 0 + + - it: test Role metadata + set: + userAuthentication: + enabled: true + elsterTransferOperator: + namespace: etr-operator + asserts: + - isKind: + of: Role + documentIndex: 1 + - isAPIVersion: + of: rbac.authorization.k8s.io/v1 + - equal: + path: metadata.name + value: ozgcloud-elster-transfer-operator-configmap-create-role + documentIndex: 1 + - it: test RoleBinding rules + set: + userAuthentication: + enabled: true + elsterTransferOperator: + namespace: etr-operator + asserts: + - contains: + path: rules + content: + apiGroups: + - "" + resources: + - configmaps + verbs: + - create + documentIndex: 1 + - it: RBAC not created by default + asserts: + - hasDocuments: + count: 0 + - it: test elsterTransferOperator.namespace must be set message + set: + userAuthentication: + enabled: true + asserts: + - failedTemplate: + errorMessage: elsterTransferOperator.namespace must be set \ No newline at end of file diff --git a/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_read_role_test.yaml b/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_read_role_test.yaml index 77b266d74411a2160c315937ba917c153dadff75..7b01f30cd6383d2c685c6282214a3144879fd6a5 100644 --- a/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_read_role_test.yaml +++ b/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_read_role_test.yaml @@ -108,15 +108,13 @@ tests: verbs: - get - list + resourceNames: + - "etr-user-config" documentIndex: 1 - it: RBAC not created by default asserts: - hasDocuments: count: 0 - documentIndex: 1 - - hasDocuments: - count: 0 - documentIndex: 0 - it: test elsterTransferOperator.namespace must be set message set: userAuthentication: 
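Review bot: The rules check in the new create-role test uses `contains` on `path: rules`, which passes as long as one matching rule exists, so a later change that appends a broader rule to the Role would not fail it. For an RBAC template, pinning the whole list with `equal` turns the test into a least-privilege guard. Two labels are also carried over from the file this was copied from: `suite: ElsterTransfer read rbac test` should name the create role, and `it: test RoleBinding rules` actually asserts against the Role at `documentIndex: 1`. The read-role and update-role test hunks later in this diff appear to follow the same pattern, though their assertion lines fall outside the visible context.

```yaml
  - it: test Role rules
    # … unchanged: set block enabling userAuthentication and the operator namespace …
    asserts:
      - equal:
          path: rules
          value:
            - apiGroups:
                - ""
              resources:
                - configmaps
              verbs:
                - create
        documentIndex: 1
```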
diff --git a/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_write_role_test.yaml b/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_update_role_test.yaml similarity index 88% rename from elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_write_role_test.yaml rename to elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_update_role_test.yaml index 1bfb37203750cbe105e1bbc77e408ccd61fb4dbc..d307c0b894846af4b0a377d438a1936f8047b461 100644 --- a/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_write_role_test.yaml +++ b/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_update_role_test.yaml @@ -28,7 +28,7 @@ release: namespace: test-namespace set: templates: - - templates/ozgcloud_elstertransfer_operator_configmap_write_role.yaml + - templates/ozgcloud_elstertransfer_operator_configmap_update_role.yaml tests: - it: test RoleBinding metadata set: @@ -44,7 +44,7 @@ tests: of: rbac.authorization.k8s.io/v1 - equal: path: metadata.name - value: ozgcloud-elster-transfer-operator-configmap-write-role-binding + value: ozgcloud-elster-transfer-operator-configmap-update-role-binding documentIndex: 0 - it: test RoleBinding subject set: @@ -71,7 +71,7 @@ tests: path: roleRef value: kind: Role - name: ozgcloud-elster-transfer-operator-configmap-write-role + name: ozgcloud-elster-transfer-operator-configmap-update-role apiGroup: rbac.authorization.k8s.io documentIndex: 0 @@ -89,7 +89,7 @@ tests: of: rbac.authorization.k8s.io/v1 - equal: path: metadata.name - value: ozgcloud-elster-transfer-operator-configmap-write-role + value: ozgcloud-elster-transfer-operator-configmap-update-role documentIndex: 1 - it: test RoleBinding rules set: 
@@ -106,18 +106,15 @@ tests: resources: - configmaps verbs: - - create - update - patch + resourceNames: + - etr-user-config documentIndex: 1 - it: RBAC not created by default asserts: - hasDocuments: count: 0 - documentIndex: 1 - - hasDocuments: - count: 0 - documentIndex: 0 - it: test elsterTransferOperator.namespace must be set message set: userAuthentication: diff --git a/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_deployment_read_role_test.yaml b/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_deployment_read_role_test.yaml index 06b4a6b87569917f910d55f1dac0f99ae465b5f5..53172b9568e4d4eadf947ec0fb48faaee00e5284 100644 --- a/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_deployment_read_role_test.yaml +++ b/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_deployment_read_role_test.yaml @@ -115,10 +115,6 @@ tests: asserts: - hasDocuments: count: 0 - documentIndex: 1 - - hasDocuments: - count: 0 - documentIndex: 0 - it: test elsterTransferOperator.namespace must be set message set: diff --git a/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_deployment_write_role_test.yaml b/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_deployment_write_role_test.yaml index d4637a075633456d3ef00644b7e7893f44c49e24..340d39bd7ecf42e4c64fe73674d5f53cb1bebcb2 100644 --- a/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_deployment_write_role_test.yaml +++ b/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_deployment_write_role_test.yaml @@ -115,10 +115,7 @@ tests: asserts: - hasDocuments: count: 0 - documentIndex: 1 - - hasDocuments: - count: 0 - documentIndex: 0 + - it: test elsterTransferOperator.namespace must be set message set: