From 53e329f981c8339403b4ee60b470560326140f0e Mon Sep 17 00:00:00 2001
From: OZGCloud <ozgcloud@mgm-tp.com>
Date: Mon, 19 Aug 2024 17:47:51 +0200
Subject: [PATCH] OZG-6247 solve comments

---
 elster-transfer/templates/_helpers.tpl        |   3 +
 ...nsfer_operator_configmap_create_role.yaml} |  10 +-
 ...transfer_operator_configmap_read_role.yaml |   3 +-
 ...ansfer_operator_configmap_update_role.yaml |  51 ++++++++
 ...ransfer_operator_deployment_read_role.yaml |   2 +-
 ...ansfer_operator_deployment_write_role.yaml |   2 +-
 ...r_operator_configmap_create_role_test.yaml | 121 ++++++++++++++++++
 ...fer_operator_configmap_read_role_test.yaml |   6 +-
 ..._operator_configmap_update_role_test.yaml} |  15 +--
 ...er_operator_deployment_read_role_test.yaml |   4 -
 ...r_operator_deployment_write_role_test.yaml |   5 +-
 11 files changed, 193 insertions(+), 29 deletions(-)
 rename elster-transfer/templates/{ozgcloud_elstertransfer_operator_configmap_write_role.yaml => ozgcloud_elstertransfer_operator_configmap_create_role.yaml} (80%)
 create mode 100644 elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_update_role.yaml
 create mode 100644 elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_create_role_test.yaml
 rename elster-transfer/unit-tests/{ozgcloud_elstertransfer_operator_configmap_write_role_test.yaml => ozgcloud_elstertransfer_operator_configmap_update_role_test.yaml} (88%)

diff --git a/elster-transfer/templates/_helpers.tpl b/elster-transfer/templates/_helpers.tpl
index d9a5ac7..3f8f650 100644
--- a/elster-transfer/templates/_helpers.tpl
+++ b/elster-transfer/templates/_helpers.tpl
@@ -63,3 +63,6 @@ app.kubernetes.io/namespace: {{ .Release.Namespace }}
 {{- end -}}
 
 
+{{- define "app.elsterTransferOperatorNamespace" -}}
+{{- required "elsterTransferOperator.namespace must be set" (.Values.elsterTransferOperator).namespace -}}
+{{- end -}}
\ No newline at end of file
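Review bot: The new named template at lines 32–34 carries no comment saying what it yields or that it aborts rendering when the value is missing, which was self-evident at each call site while the `required` call was inline. A template comment above the define would keep that visible, e.g. `{{/* Namespace of the operator ServiceAccount; rendering fails with "elsterTransferOperator.namespace must be set" when .Values.elsterTransferOperator or its namespace key is absent */}}`. The parenthesised `(.Values.elsterTransferOperator).namespace` appears to be what turns a missing parent map into that message rather than a nil-pointer template error, and that is worth stating in the same comment so nobody "simplifies" it away. The hunk also leaves `_helpers.tpl` without a trailing newline (`\ No newline at end of file`), which the old version had.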
diff --git a/elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_write_role.yaml b/elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_create_role.yaml
similarity index 80%
rename from elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_write_role.yaml
rename to elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_create_role.yaml
index 90f2e16..a80c872 100644
--- a/elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_write_role.yaml
+++ b/elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_create_role.yaml
@@ -26,25 +26,25 @@
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: ozgcloud-elster-transfer-operator-configmap-write-role-binding
+  name: ozgcloud-elster-transfer-operator-configmap-create-role-binding
   namespace: {{ include "app.namespace" . }}
 subjects:
   - kind: ServiceAccount
     name: ozgcloud-elster-transfer-operator-service-account
-    namespace: {{ required "elsterTransferOperator.namespace must be set" (.Values.elsterTransferOperator).namespace }}
+    namespace: {{ include "app.elsterTransferOperatorNamespace" . }}
 roleRef:
   kind: Role
-  name: ozgcloud-elster-transfer-operator-configmap-write-role
+  name: ozgcloud-elster-transfer-operator-configmap-create-role
   apiGroup: rbac.authorization.k8s.io
 
 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: ozgcloud-elster-transfer-operator-configmap-write-role
+  name: ozgcloud-elster-transfer-operator-configmap-create-role
   namespace: {{ include "app.namespace" . }}
 rules:
   - apiGroups: [""]
     resources: ["configmaps"]
-    verbs: ["create", "update", "patch"]
+    verbs: ["create"]
 {{- end -}}
\ No newline at end of file
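Review bot: The Role at lines 62–72 grants `create` on every ConfigMap in the release namespace, while the read Role and the new update Role in this commit are pinned to `etr-user-config` through `resourceNames`. That asymmetry is forced by Kubernetes RBAC — a create request cannot be restricted by resource name, because the object's name is not known at authorization time — but nothing in the template records it, so a later reader may try to "tighten" this rule with a `resourceNames` entry that the authorizer cannot honour for create. A comment on the rule would preserve the intent, e.g. `{{/* create cannot be scoped by resourceNames (name unknown at authorization time); update/patch are scoped to etr-user-config in the separate update role */}}`, and the same remark applies to the new `ozgcloud_elstertransfer_operator_configmap_update_role.yaml`. The `{{- end -}}` at line 73 closes a guard that begins before this hunk.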
diff --git a/elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_read_role.yaml b/elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_read_role.yaml
index c80d279..51833bd 100644
--- a/elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_read_role.yaml
+++ b/elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_read_role.yaml
@@ -31,7 +31,7 @@ metadata:
 subjects:
   - kind: ServiceAccount
     name: ozgcloud-elster-transfer-operator-service-account
-    namespace: {{ required "elsterTransferOperator.namespace must be set" (.Values.elsterTransferOperator).namespace }}
+    namespace: {{ include "app.elsterTransferOperatorNamespace" . }}
 roleRef:
   kind: Role
   name: ozgcloud-elster-transfer-operator-configmap-read-role
@@ -47,4 +47,5 @@ rules:
   - apiGroups: [""]
     resources: ["configmaps"]
     verbs: ["get", "list"]
+    resourceNames: ["etr-user-config"]
 {{- end -}}
\ No newline at end of file
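Review bot: Adding `resourceNames: ["etr-user-config"]` to a rule whose verbs include `list` changes what the operator may do in a way the verb list hides: once resourceNames is set, a list (or watch) request is only authorized when it carries a `metadata.name` field selector equal to that name, so an unfiltered list of ConfigMaps by the operator would now be rejected with a 403, and `get` is limited to that single object. Whether the operator lists with such a selector is not visible in this hunk and should be confirmed against the operator code before this lands; the unit test added in this commit asserts the rule's shape, not the operator's calls. A comment next to the rule would keep the constraint from surprising the next maintainer, e.g. `{{/* with resourceNames set, list is only authorized for requests using a metadata.name=etr-user-config field selector */}}`. The Role and its enclosing guard start before this hunk.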
diff --git a/elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_update_role.yaml b/elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_update_role.yaml
new file mode 100644
index 0000000..70b5d99
--- /dev/null
+++ b/elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_update_role.yaml
@@ -0,0 +1,51 @@
+#
+# Copyright (C) 2022 Das Land Schleswig-Holstein vertreten durch den
+# Ministerpräsidenten des Landes Schleswig-Holstein
+# Staatskanzlei
+# Abteilung Digitalisierung und zentrales IT-Management der Landesregierung
+#
+# Lizenziert unter der EUPL, Version 1.2 oder - sobald
+# diese von der Europäischen Kommission genehmigt wurden -
+# Folgeversionen der EUPL ("Lizenz");
+# Sie dürfen dieses Werk ausschließlich gemäß
+# dieser Lizenz nutzen.
+# Eine Kopie der Lizenz finden Sie hier:
+#
+# https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12
+#
+# Sofern nicht durch anwendbare Rechtsvorschriften
+# gefordert oder in schriftlicher Form vereinbart, wird
+# die unter der Lizenz verbreitete Software "so wie sie
+# ist", OHNE JEGLICHE GEWÄHRLEISTUNG ODER BEDINGUNGEN -
+# ausdrücklich oder stillschweigend - verbreitet.
+# Die sprachspezifischen Genehmigungen und Beschränkungen
+# unter der Lizenz sind dem Lizenztext zu entnehmen.
+#
+{{- if (.Values.userAuthentication).enabled }}
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ozgcloud-elster-transfer-operator-configmap-update-role-binding
+  namespace: {{ include "app.namespace" . }}
+subjects:
+  - kind: ServiceAccount
+    name: ozgcloud-elster-transfer-operator-service-account
+    namespace: {{ include "app.elsterTransferOperatorNamespace" . }}
+roleRef:
+  kind: Role
+  name: ozgcloud-elster-transfer-operator-configmap-update-role
+  apiGroup: rbac.authorization.k8s.io
+
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ozgcloud-elster-transfer-operator-configmap-update-role
+  namespace: {{ include "app.namespace" . }}
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["update", "patch"]
+    resourceNames: ["etr-user-config"]
+{{- end -}}
\ No newline at end of file
diff --git a/elster-transfer/templates/ozgcloud_elstertransfer_operator_deployment_read_role.yaml b/elster-transfer/templates/ozgcloud_elstertransfer_operator_deployment_read_role.yaml
index 0635bae..b457a2c 100644
--- a/elster-transfer/templates/ozgcloud_elstertransfer_operator_deployment_read_role.yaml
+++ b/elster-transfer/templates/ozgcloud_elstertransfer_operator_deployment_read_role.yaml
@@ -30,7 +30,7 @@ metadata:
 subjects:
   - kind: ServiceAccount
     name: ozgcloud-elster-transfer-operator-service-account
-    namespace: {{ required "elsterTransferOperator.namespace must be set" (.Values.elsterTransferOperator).namespace }}
+    namespace: {{ include "app.elsterTransferOperatorNamespace" . }}
 roleRef:
   kind: Role
   name: ozgcloud-elster-transfer-operator-deployment-read-role
diff --git a/elster-transfer/templates/ozgcloud_elstertransfer_operator_deployment_write_role.yaml b/elster-transfer/templates/ozgcloud_elstertransfer_operator_deployment_write_role.yaml
index 6cf9b44..211e5ca 100644
--- a/elster-transfer/templates/ozgcloud_elstertransfer_operator_deployment_write_role.yaml
+++ b/elster-transfer/templates/ozgcloud_elstertransfer_operator_deployment_write_role.yaml
@@ -30,7 +30,7 @@ metadata:
 subjects:
   - kind: ServiceAccount
     name: ozgcloud-elster-transfer-operator-service-account
-    namespace: {{ required "elsterTransferOperator.namespace must be set" (.Values.elsterTransferOperator).namespace }}
+    namespace: {{ include "app.elsterTransferOperatorNamespace" . }}
 roleRef:
   kind: Role
   name: ozgcloud-elster-transfer-operator-deployment-write-role
diff --git a/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_create_role_test.yaml b/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_create_role_test.yaml
new file mode 100644
index 0000000..c62c3e8
--- /dev/null
+++ b/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_create_role_test.yaml
@@ -0,0 +1,121 @@
+#
+# Copyright (C) 2022 Das Land Schleswig-Holstein vertreten durch den
+# Ministerpräsidenten des Landes Schleswig-Holstein
+# Staatskanzlei
+# Abteilung Digitalisierung und zentrales IT-Management der Landesregierung
+#
+# Lizenziert unter der EUPL, Version 1.2 oder - sobald
+# diese von der Europäischen Kommission genehmigt wurden -
+# Folgeversionen der EUPL ("Lizenz");
+# Sie dürfen dieses Werk ausschließlich gemäß
+# dieser Lizenz nutzen.
+# Eine Kopie der Lizenz finden Sie hier:
+#
+# https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12
+#
+# Sofern nicht durch anwendbare Rechtsvorschriften
+# gefordert oder in schriftlicher Form vereinbart, wird
+# die unter der Lizenz verbreitete Software "so wie sie
+# ist", OHNE JEGLICHE GEWÄHRLEISTUNG ODER BEDINGUNGEN -
+# ausdrücklich oder stillschweigend - verbreitet.
+# Die sprachspezifischen Genehmigungen und Beschränkungen
+# unter der Lizenz sind dem Lizenztext zu entnehmen.
+#
+
+suite: ElsterTransfer read rbac test
+release:
+  name: elstertransfer
+  namespace: test-namespace
+set: 
+templates:
+  - templates/ozgcloud_elstertransfer_operator_configmap_create_role.yaml
+tests:
+  - it: test RoleBinding metadata
+    set: 
+      userAuthentication:
+        enabled: true
+      elsterTransferOperator:
+        namespace: etr-operator
+    asserts:
+      - isKind:
+          of: RoleBinding
+        documentIndex: 0
+      - isAPIVersion:
+          of: rbac.authorization.k8s.io/v1
+      - equal:
+          path: metadata.name
+          value: ozgcloud-elster-transfer-operator-configmap-create-role-binding
+        documentIndex: 0
+  - it: test RoleBinding subject
+    set: 
+      userAuthentication:
+        enabled: true
+      elsterTransferOperator:
+        namespace: etr-operator
+    asserts:
+      - contains:
+          path: subjects
+          content:
+            kind: ServiceAccount
+            name: ozgcloud-elster-transfer-operator-service-account
+            namespace: etr-operator
+        documentIndex: 0
+  - it: test RoleBinding roleRef
+    set: 
+      userAuthentication:
+        enabled: true
+      elsterTransferOperator:
+        namespace: etr-operator
+    asserts:
+      - equal:
+          path: roleRef
+          value:
+            kind: Role
+            name: ozgcloud-elster-transfer-operator-configmap-create-role
+            apiGroup: rbac.authorization.k8s.io
+        documentIndex: 0
+
+  - it: test Role metadata
+    set: 
+      userAuthentication:
+        enabled: true
+      elsterTransferOperator:
+        namespace: etr-operator
+    asserts:
+      - isKind:
+          of: Role
+        documentIndex: 1
+      - isAPIVersion:
+          of: rbac.authorization.k8s.io/v1
+      - equal:
+          path: metadata.name
+          value: ozgcloud-elster-transfer-operator-configmap-create-role
+        documentIndex: 1
+  - it: test RoleBinding rules
+    set: 
+      userAuthentication:
+        enabled: true
+      elsterTransferOperator:
+        namespace: etr-operator
+    asserts:
+      - contains:
+          path: rules
+          content:
+            apiGroups:
+              - ""
+            resources:
+              - configmaps
+            verbs:
+              - create
+        documentIndex: 1
+  - it: RBAC not created by default
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: test elsterTransferOperator.namespace must be set message
+    set: 
+      userAuthentication:
+        enabled: true
+    asserts:
+      - failedTemplate:
+          errorMessage: elsterTransferOperator.namespace must be set
\ No newline at end of file
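Review bot: The suite name on line 209, `suite: ElsterTransfer read rbac test`, is carried over from the read-role test and mislabels this file; `suite: ElsterTransfer operator configmap create rbac test` would match the template it exercises. The test on line 278 labelled `test RoleBinding rules` asserts on `documentIndex: 1`, which is the Role, so `it: test Role rules` is the accurate label (the renamed update test keeps the same label at its line 370). The top-level `set: ` on line 213 is an empty value — null, not an empty map — and it and each per-test `set: ` key carry trailing whitespace; write `set: {}` or drop the unused key. Nothing here pins the deliberate difference from the read and update roles, namely that this rule has no `resourceNames`; an assertion on document 1 that `rules[0].resourceNames` is absent would catch a later accidental addition.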
diff --git a/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_read_role_test.yaml b/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_read_role_test.yaml
index 77b266d..7b01f30 100644
--- a/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_read_role_test.yaml
+++ b/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_read_role_test.yaml
@@ -108,15 +108,13 @@ tests:
             verbs:
               - get
               - list
+            resourceNames: 
+              - "etr-user-config"
         documentIndex: 1
   - it: RBAC not created by default
     asserts:
       - hasDocuments:
           count: 0
-        documentIndex: 1
-      - hasDocuments:
-          count: 0
-        documentIndex: 0
   - it: test elsterTransferOperator.namespace must be set message
     set: 
       userAuthentication:
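Review bot: Line 315 writes `resourceNames: ` with trailing whitespace and line 316 quotes the value as `"etr-user-config"`, whereas the renamed update test (lines 379–380) writes `resourceNames:` and a bare `etr-user-config`; the two files should agree, and the bare form is enough since the value is not type-ambiguous. The update test also keeps a pre-existing trailing space after `- patch` on its line 378, which is worth cleaning while that hunk is being touched. The `contains` block these lines extend starts before this hunk, so I cannot see whether it is a whole-element match; if it is, the assertion now requires `resourceNames` to be present in the rule, which is the intended check.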
diff --git a/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_write_role_test.yaml b/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_update_role_test.yaml
similarity index 88%
rename from elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_write_role_test.yaml
rename to elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_update_role_test.yaml
index 1bfb372..d307c0b 100644
--- a/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_write_role_test.yaml
+++ b/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_update_role_test.yaml
@@ -28,7 +28,7 @@ release:
   namespace: test-namespace
 set: 
 templates:
-  - templates/ozgcloud_elstertransfer_operator_configmap_write_role.yaml
+  - templates/ozgcloud_elstertransfer_operator_configmap_update_role.yaml
 tests:
   - it: test RoleBinding metadata
     set: 
@@ -44,7 +44,7 @@ tests:
           of: rbac.authorization.k8s.io/v1
       - equal:
           path: metadata.name
-          value: ozgcloud-elster-transfer-operator-configmap-write-role-binding
+          value: ozgcloud-elster-transfer-operator-configmap-update-role-binding
         documentIndex: 0
   - it: test RoleBinding subject
     set: 
@@ -71,7 +71,7 @@ tests:
           path: roleRef
           value:
             kind: Role
-            name: ozgcloud-elster-transfer-operator-configmap-write-role
+            name: ozgcloud-elster-transfer-operator-configmap-update-role
             apiGroup: rbac.authorization.k8s.io
         documentIndex: 0
 
@@ -89,7 +89,7 @@ tests:
           of: rbac.authorization.k8s.io/v1
       - equal:
           path: metadata.name
-          value: ozgcloud-elster-transfer-operator-configmap-write-role
+          value: ozgcloud-elster-transfer-operator-configmap-update-role
         documentIndex: 1
   - it: test RoleBinding rules
     set: 
@@ -106,18 +106,15 @@ tests:
             resources:
               - configmaps
             verbs:
-              - create
               - update
               - patch 
+            resourceNames:
+              - etr-user-config
         documentIndex: 1
   - it: RBAC not created by default
     asserts:
       - hasDocuments:
           count: 0
-        documentIndex: 1
-      - hasDocuments:
-          count: 0
-        documentIndex: 0
   - it: test elsterTransferOperator.namespace must be set message
     set: 
       userAuthentication:
diff --git a/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_deployment_read_role_test.yaml b/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_deployment_read_role_test.yaml
index 06b4a6b..53172b9 100644
--- a/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_deployment_read_role_test.yaml
+++ b/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_deployment_read_role_test.yaml
@@ -115,10 +115,6 @@ tests:
     asserts:
       - hasDocuments:
           count: 0
-        documentIndex: 1
-      - hasDocuments:
-          count: 0
-        documentIndex: 0
 
   - it: test elsterTransferOperator.namespace must be set message
     set: 
diff --git a/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_deployment_write_role_test.yaml b/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_deployment_write_role_test.yaml
index d4637a0..340d39b 100644
--- a/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_deployment_write_role_test.yaml
+++ b/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_deployment_write_role_test.yaml
@@ -115,10 +115,7 @@ tests:
     asserts:
       - hasDocuments:
           count: 0
-        documentIndex: 1
-      - hasDocuments:
-          count: 0
-        documentIndex: 0
+
 
   - it: test elsterTransferOperator.namespace must be set message
     set: 
-- 
GitLab