From 1afcd95a52e3aa5334baa1b319f1357b6755a05f Mon Sep 17 00:00:00 2001
From: Jan Zickermann <jan.zickermann@dataport.de>
Date: Fri, 13 Dec 2024 13:10:08 +0100
Subject: [PATCH] #2 OZG-7121 helm: Init truststore and keystore in deployment
---
 src/main/helm/templates/certificate.yaml | 11 --------
 src/main/helm/templates/deployment.yaml | 25 +++++++++++++++---
 src/main/resources/store/generate.sh | 3 +++
 src/test/helm/deployment_env_test.yaml | 11 --------
 src/test/helm/deployment_volumes_test.yaml | 30 +++++++++++++++++++---
 5 files changed, 51 insertions(+), 29 deletions(-)
diff --git a/src/main/helm/templates/certificate.yaml b/src/main/helm/templates/certificate.yaml
index c9decda..0a4d782 100644
--- a/src/main/helm/templates/certificate.yaml
+++ b/src/main/helm/templates/certificate.yaml
@@ -17,17 +17,6 @@ spec:
 duration: 8760h0m0s # 1 Jahr
 renewBefore: 5840h0m0s # 8 Monate
 commonName: {{ .Release.Name }}
- keystores:
- jks:
- create: true
- passwordSecretRef:
- name: xta-test-server-default-secret
- key: keystorePassword
- pkcs12:
- create: true
- passwordSecretRef:
- name: xta-test-server-default-secret
- key: keystorePassword
 subject:
 organizations:
 - "XtaTestOrga"
diff --git a/src/main/helm/templates/deployment.yaml b/src/main/helm/templates/deployment.yaml
index eb1080d..904a7ab 100644
--- a/src/main/helm/templates/deployment.yaml
+++ b/src/main/helm/templates/deployment.yaml
@@ -57,14 +57,31 @@ spec:
 labelSelector:
 matchLabels:
 app.kubernetes.io/name: {{ .Release.Name }}
+ initContainers:
+ - name: init-keystore-and-truststore
+ image: alpine:3.21
+ command: [ "/bin/sh", "-c" ]
+ args:
+ - |
+ apk add --no-cache openssl openjdk11
+
+ echo "[1.0] Import Root CA into Xta-Server-Truststore"
+ keytool -importcert -alias xta-test-root-ca -keystore /store/keystore.jks -storetype JKS -storepass password -file /tls/ca.crt -noprompt
+
+ # Create a PKCS#12 keystore from tls.crt and tls.key
+ openssl pkcs12 -export -in /tls/tls.crt -inkey /tls/tls.key -out /store/keystore.p12 -name xta-test-server -passout pass:password
+ volumeMounts:
+ - name: xta-test-server-tls-store
+ mountPath: "/tls/"
+ readOnly: true
+ - name: store-dir
+ mountPath: "/store/"
 containers:
 - env:
 - name: spring_profiles_active
 value: {{ include "app.envSpringProfiles" . }}
 - name: server_ssl_key-store
 value: /store/keystore.p12
- - name: server_ssl_key-alias
- value: certificate
 - name: server_ssl_trust-store
 value: /store/truststore.jks
 {{- with include "app.getCustomList" . }}
@@ -124,12 +141,14 @@ spec:
 volumeMounts:
 - name: temp-dir
 mountPath: "/tmp"
- - name: xta-test-server-tls-store
+ - name: store-dir
 mountPath: "/store/"
 readOnly: true
 volumes:
 - name: temp-dir
 emptyDir: {}
+ - name: store-dir
+ emptyDir: {}
 - name: xta-test-server-tls-store
 secret:
 secretName: {{ .Release.Name }}-tls-secret
diff --git a/src/main/resources/store/generate.sh b/src/main/resources/store/generate.sh
index 5906a97..d6d7887 100755
--- a/src/main/resources/store/generate.sh
+++ b/src/main/resources/store/generate.sh
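Review bot: The keytool step in the init container writes the imported Root CA to `/store/keystore.jks`, but the main container's `server_ssl_trust-store` env (a context line of this hunk) still reads `/store/truststore.jks`, so the truststore the application is configured with is never created; the line should be `keytool -importcert -alias xta-test-root-ca -keystore /store/truststore.jks -storetype JKS -storepass password -file /tls/ca.crt -noprompt`. The block scalar has no `set -eu`, so a failing `apk add` or `keytool` still lets the init container exit 0 and the main container start with an incomplete `/store`; add `set -eu` as the first line of the script. The store and export passwords are now the literal `password` inside the chart template, whereas the keystores removed in certificate.yaml took theirs from a Secret (`xta-test-server-default-secret`, key `keystorePassword`); sourcing the value from that Secret via `env`/`valueFrom` would keep the credential out of the template, and the main container's key-store/trust-store password settings (not visible here) must agree with whatever is chosen. Installing `openjdk11` with `apk` at every pod start also adds a network dependency to startup; an image that already ships `keytool` would avoid it.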
@@ -12,6 +12,9 @@ if [ ! -f $ISSUER_ALIAS.key ] || [ ! -f $ISSUER_ALIAS.crt ]; then
 openssl genrsa -out $ISSUER_ALIAS.key 2048
 echo "[1.1] Generate a self-signed certificate for the Xta-Root-CA"
 openssl req -x509 -new -nodes -key $ISSUER_ALIAS.key -sha256 -days 4000 -out $ISSUER_ALIAS.crt -config ca-openssl.cnf -extensions v3_ca
+
+ # echo "[1.2] Generate a keystore for the Xta-Root-CA"
+ # openssl pkcs12 -export -in $ISSUER_ALIAS.crt -inkey $ISSUER_ALIAS.key -out $ISSUER_ALIAS.p12 -name xta-test-server -passout pass:password
 else
 echo "[1.0] Root CA found. Skipping generation."
 fi
diff --git a/src/test/helm/deployment_env_test.yaml b/src/test/helm/deployment_env_test.yaml
index a4e9169..6fb8c36 100644
--- a/src/test/helm/deployment_env_test.yaml
+++ b/src/test/helm/deployment_env_test.yaml
@@ -51,17 +51,6 @@ tests:
 content:
 name: server_ssl_key-store
 value: /store/keystore.p12
- - it: should set key alias
- set:
- ozgcloud:
- environment: dev
- imagePullSecret: image-pull-secret
- asserts:
- - contains:
- path: spec.template.spec.containers[0].env
- content:
- name: server_ssl_key-alias
- value: certificate
 - it: should set truststore
 set:
 ozgcloud:
diff --git a/src/test/helm/deployment_volumes_test.yaml b/src/test/helm/deployment_volumes_test.yaml
index 9f998f3..2a7bdf4 100755
--- a/src/test/helm/deployment_volumes_test.yaml
+++ b/src/test/helm/deployment_volumes_test.yaml
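Review bot: The two added lines are commented-out code with no note on why they are kept, so a later reader cannot tell whether step 1.2 is pending or intentionally dropped; either remove them or state the reason, and if it is that the deployment's init container now builds the stores, a line such as `# [1.2] Root CA keystore is not generated here; the deployment's init container builds keystore/truststore from the TLS secret` says so. Should the command ever be revived, `-name xta-test-server` labels the Root CA entry with the server's alias and `-passout pass:password` places a literal password in the script. The enclosing `if` block starts before this hunk.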
@@ -25,6 +25,29 @@ tests:
 name: temp-dir
 emptyDir: {}
 
+ - it: should have store volume
+ asserts:
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: store-dir
+ emptyDir: {}
+ - it: should have store volume mount in initContainer
+ asserts:
+ - contains:
+ path: spec.template.spec.initContainers[0].volumeMounts
+ content:
+ name: store-dir
+ mountPath: "/store/"
+ - it: should have truststore volume mount in container
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: store-dir
+ mountPath: "/store/"
+ readOnly: true
+
 - it: should have tls store volume
 asserts:
 - contains:
@@ -33,12 +56,11 @@ tests:
 name: xta-test-server-tls-store
 secret:
 secretName: helm-test-tls-secret
-
- - it: should have truststore volume mount
+ - it: should have truststore volume mount in initContainer
 asserts:
 - contains:
- path: spec.template.spec.containers[0].volumeMounts
+ path: spec.template.spec.initContainers[0].volumeMounts
 content:
 name: xta-test-server-tls-store
- mountPath: "/store/"
+ mountPath: "/tls/"
 readOnly: true
\ No newline at end of file
--
GitLab
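Review bot: The new cases assert the `store-dir` volume and its mounts but nothing checks that the init container produces the files the main container is configured to read (`/store/keystore.p12` and `/store/truststore.jks` in deployment.yaml), so a path mismatch between the keytool command and the `server_ssl_trust-store` env passes the suite. A case on the init script would close that gap, e.g. `- matchRegex:` / `path: spec.template.spec.initContainers[0].args[0]` / `pattern: /store/truststore\.jks`, and a sibling for `/store/keystore.p12`. The title `should have truststore volume mount in container` is also narrower than what is asserted, since `store-dir` is the mount that carries both stores; `should have store volume mount in container` matches the other two titles.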
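Review bot: The renamed case leaves the file without a trailing newline (`\ No newline at end of file` after `readOnly: true`); add one so the next appended test diffs cleanly. The title `should have truststore volume mount in initContainer` no longer matches the assertion, which checks the `xta-test-server-tls-store` Secret mounted at `/tls/`, the input the stores are built from rather than a truststore; `- it: should have tls secret volume mount in initContainer` describes it.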