From 7aeea8d3524eea783e9dd2893801ce6407eaf768 Mon Sep 17 00:00:00 2001
From: Jan Zickermann <jan.zickermann@dataport.de>
Date: Mon, 9 Dec 2024 17:16:45 +0100
Subject: [PATCH] #2 OZG-7121 helm: Add server certificate resource
---
src/main/helm/templates/_helpers.tpl | 1 -
src/main/helm/templates/certificate.yaml | 61 +++++++++++++++
src/main/helm/templates/default_secret.yaml | 10 +++
.../templates/selfsigned_cluster_issuer.yaml | 9 +++
src/main/helm/test-values.yaml | 20 +++++
src/test/helm/certificate_test.yaml | 78 +++++++++++++++++++
.../helm/deployment_defaults_labels_test.yaml | 2 -
src/test/helm/deployment_test.yaml | 3 -
src/test/helm/service_monitor_test.yaml | 1 -
src/test/helm/service_test.yaml | 3 +-
10 files changed, 179 insertions(+), 9 deletions(-)
create mode 100644 src/main/helm/templates/certificate.yaml
create mode 100644 src/main/helm/templates/default_secret.yaml
create mode 100644 src/main/helm/templates/selfsigned_cluster_issuer.yaml
create mode 100644 src/main/helm/test-values.yaml
create mode 100644 src/test/helm/certificate_test.yaml
diff --git a/src/main/helm/templates/_helpers.tpl b/src/main/helm/templates/_helpers.tpl
index df89c62..dc3b2fc 100644
--- a/src/main/helm/templates/_helpers.tpl
+++ b/src/main/helm/templates/_helpers.tpl
@@ -34,7 +34,6 @@ app.kubernetes.io/namespace: {{ include "app.namespace" . }} app.kubernetes.io/part-of: ozgcloud app.kubernetes.io/version: {{ .Chart.Version }} helm.sh/chart: {{ include "app.chart" . }} -ozgcloud-mongodb-client: "true" {{- end -}} {{- define "app.matchLabels" }}
diff --git a/src/main/helm/templates/certificate.yaml b/src/main/helm/templates/certificate.yaml
new file mode 100644
index 0000000..8d1bf81
--- /dev/null
+++ b/src/main/helm/templates/certificate.yaml
@@ -0,0 +1,61 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ .Release.Name }}-tls-certificate
+ namespace: {{ include "app.namespace" . }}
+ labels:
+ {{- include "app.defaultLabels" . | indent 4 }}
+spec:
+ isCA: false
+ secretName: {{ .Release.Name }}-tls-secret
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ issuerRef:
+ name: xta-test-cluster-issuer
+ kind: ClusterIssuer
+ group: cert-manager.io
+ duration: 8760h0m0s # 1 Jahr
+ renewBefore: 5840h0m0s # 8 Monate
+ commonName: {{ .Release.Name }}
+ keystores:
+ jks:
+ create: true
+ passwordSecretRef:
+ name: xta-test-server-default-secret
+ key: keystorePassword
+ alias: xta-test-server
+ pkcs12:
+ create: true
+ passwordSecretRef:
+ name: xta-test-server-default-secret
+ key: keystorePassword
+ subject:
+ organisations:
+ - "XtaTestOrga"
+ countries:
+ - DE
+ organizationalUnits:
+ - "XtaTestUnit"
+ localities:
+ - Kiel
+ provinces:
+ - Schleswig-Holstein
+ steetAddresses:
+ - "Test-Str. 4"
+ postalCodes:
+ - "22222"
+ # critical, digitalSignature, nonRepudiation, keyEncipherment, keyAgreement
+ usages:
+ - server auth
+ - digital signature
+ - content commitment # https://cryptography.io/en/latest/x509/reference/#cryptography.x509.KeyUsage.content_commitment
+ - key encipherment
+ - key agreement
+ dnsNames:
+ - "*.{{ .Release.Name }}.{{ include "app.namespace" . }}.svc.cluster.local"
+ - "{{ .Release.Name }}.{{ include "app.namespace" . }}.svc.cluster.local"
+ - "{{ .Release.Name }}.{{ include "app.namespace" . }}.svc.cluster"
+ - "{{ .Release.Name }}.{{ include "app.namespace" . }}.svc"
+ - "{{ .Release.Name }}.{{ include "app.namespace" . }}"
+ - "{{ .Release.Name }}"
\ No newline at end of file
diff --git a/src/main/helm/templates/default_secret.yaml b/src/main/helm/templates/default_secret.yaml
new file mode 100644
index 0000000..ae8b6f5
--- /dev/null
+++ b/src/main/helm/templates/default_secret.yaml
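Review bot: Two subject keys are misspelled: cert-manager's X509 subject uses `organizations` and `streetAddresses`, so `organisations:` and `steetAddresses:` are unknown fields that the CRD schema prunes or rejects depending on field validation, and the organisation and street address never reach the issued certificate. Rename them to `organizations:` and `streetAddresses:` and add a test assertion on `spec.subject` so a future typo is caught. The `privateKey` stanza sets no `rotationPolicy`; on cert-manager releases where this defaults to `Never`, the same ECDSA key is reused on every renewal and re-exported into the JKS/PKCS12 stores, so `rotationPolicy: Always` is the safer choice for a server key. The issuer, keystore-secret and alias names are fixed strings (`xta-test-cluster-issuer`, `xta-test-server-default-secret`, `xta-test-server`) while the rest of the resource derives from `.Release.Name`; deriving them the same way or taking them from values avoids coupling between releases. Note also that `renewBefore: 5840h0m0s` against a one-year `duration` means renewal starts after about four months, not after eight as the `# 8 Monate` comment might suggest — confirm that is intended.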
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: xta-test-server-default-secret
+ namespace: {{ include "app.namespace" . }}
+ labels:
+ {{- include "app.defaultLabels" . | indent 4 }}
+type: Opaque
+data:
+ keystorePassword: password
\ No newline at end of file
diff --git a/src/main/helm/templates/selfsigned_cluster_issuer.yaml b/src/main/helm/templates/selfsigned_cluster_issuer.yaml
new file mode 100644
index 0000000..a988ee3
--- /dev/null
+++ b/src/main/helm/templates/selfsigned_cluster_issuer.yaml
@@ -0,0 +1,9 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: xta-test-cluster-issuer
+ namespace: {{ include "app.namespace" . }}
+ labels:
+ {{- include "app.defaultLabels" . | indent 4 }}
+spec:
+ selfSigned: {}
\ No newline at end of file
diff --git a/src/main/helm/test-values.yaml b/src/main/helm/test-values.yaml
new file mode 100644
index 0000000..a40b96d
--- /dev/null
+++ b/src/main/helm/test-values.yaml
@@ -0,0 +1,20 @@
+replicaCount: 1
+
+image:
+ repo: docker.ozg-sh.de
+ name: xta-test-server
+ tag: latest
+
+imagePullSecret: ozgcloud-image-pull-secret
+
+env:
+ overrideSpringProfiles: abc, test
+
+baseUrl: test.by.ozg-cloud.de
+
+ozgcloud:
+ bezeichner: xta-test-serverr
+
+networkPolicy:
+ disabled: false
+ dnsServerNamespace: openshift-dns
\ No newline at end of file
diff --git a/src/test/helm/certificate_test.yaml b/src/test/helm/certificate_test.yaml
new file mode 100644
index 0000000..54c4401
--- /dev/null
+++ b/src/test/helm/certificate_test.yaml
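Review bot: Under `data:` a Secret value must be base64; `keystorePassword: password` happens to be accepted as base64 but decodes to six arbitrary bytes, so the password cert-manager reads through `passwordSecretRef` is not the string `password`. For a literal value use `stringData:` instead, i.e. `stringData:` / `  keystorePassword: "<placeholder>"`, or pipe a values entry through `b64enc`. Beyond the encoding, a fixed keystore password committed in a chart template is shared by every installation of the chart; it should come from a values entry (say `.Values.keystorePassword`, a constructed example) or from a pre-existing secret the operator provides. The fixed name `xta-test-server-default-secret` also means two releases in one namespace overwrite each other's Secret; a release-scoped name such as `{{ .Release.Name }}-keystore-secret` avoids that.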
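Review bot: `metadata.namespace` has no effect on a ClusterIssuer, which is cluster-scoped; the `namespace:` line should be dropped. Because the resource is cluster-scoped and carries the fixed name `xta-test-cluster-issuer`, a second release of this chart in another namespace collides with the first one's issuer, and Helm refuses to adopt a resource owned by a different release, so a namespaced `kind: Issuer` with a release-derived name, referenced from certificate.yaml via `issuerRef.kind: Issuer`, fits a per-release chart better. A self-signed issuer also gives clients no trust anchor to validate the server certificate against; if this is only meant for test environments, the file name says so but nothing in the chart enforces it, so gating the resource behind a values flag would make that explicit.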
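Review bot: `bezeichner: xta-test-serverr` has a doubled `r`; every other occurrence in this commit spells the name `xta-test-server`, so this reads as a typo rather than a deliberate value, and the line should become `bezeichner: xta-test-server`. What `bezeichner` feeds into (a label, a hostname) cannot be told from this diff, so check the rendered output once corrected.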
@@ -0,0 +1,78 @@
+#
+# Copyright (C) 2022 Das Land Schleswig-Holstein vertreten durch den
+# Ministerpräsidenten des Landes Schleswig-Holstein
+# Staatskanzlei
+# Abteilung Digitalisierung und zentrales IT-Management der Landesregierung
+#
+# Lizenziert unter der EUPL, Version 1.2 oder - sobald
+# diese von der Europäischen Kommission genehmigt wurden -
+# Folgeversionen der EUPL ("Lizenz");
+# Sie dürfen dieses Werk ausschließlich gemäß
+# dieser Lizenz nutzen.
+# Eine Kopie der Lizenz finden Sie hier:
+#
+# https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12
+#
+# Sofern nicht durch anwendbare Rechtsvorschriften
+# gefordert oder in schriftlicher Form vereinbart, wird
+# die unter der Lizenz verbreitete Software "so wie sie
+# ist", OHNE JEGLICHE GEWÄHRLEISTUNG ODER BEDINGUNGEN -
+# ausdrücklich oder stillschweigend - verbreitet.
+# Die sprachspezifischen Genehmigungen und Beschränkungen
+# unter der Lizenz sind dem Lizenztext zu entnehmen.
+#
+
+suite: test certificate.yaml
+release:
+ name: xta-test-server-release-name
+ namespace: sh-helm-test
+templates:
+ - templates/certificate.yaml
+set:
+ ozgcloud:
+ bezeichner: helm
+ baseUrl: test.by.ozg-cloud.de
+
+tests:
+ - it: check Certificate kind
+ asserts:
+ - isKind:
+ of: Certificate
+ - it: should set metadata name
+ asserts:
+ - equal:
+ path: metadata.name
+ value: xta-test-server-release-name-tls-certificate
+ - it: should set secret name
+ asserts:
+ - equal:
+ path: spec.secretName
+ value: xta-test-server-release-name-tls-secret
+ - it: should set common name
+ asserts:
+ - equal:
+ path: spec.commonName
+ value: xta-test-server-release-name
+ - it: should set dns names
+ asserts:
+ - equal:
+ path: spec.dnsNames
+ value:
+ - "*.xta-test-server-release-name.sh-helm-test.svc.cluster.local"
+ - "xta-test-server-release-name.sh-helm-test.svc.cluster.local"
+ - "xta-test-server-release-name.sh-helm-test.svc.cluster"
+ - "xta-test-server-release-name.sh-helm-test.svc"
+ - "xta-test-server-release-name.sh-helm-test"
+ - "xta-test-server-release-name"
+ - it: should contain default lables and component lables
+ asserts:
+ - equal:
+ path: metadata.labels
+ value:
+ app.kubernetes.io/instance: xta-test-server
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: xta-test-server-release-name
+ app.kubernetes.io/namespace: sh-helm-test
+ app.kubernetes.io/part-of: ozgcloud
+ app.kubernetes.io/version: 0.0.0-MANAGED-BY-JENKINS
+ helm.sh/chart: xta-test-server-0.0.0-MANAGED-BY-JENKINS
\ No newline at end of file
diff --git a/src/test/helm/deployment_defaults_labels_test.yaml b/src/test/helm/deployment_defaults_labels_test.yaml
index 75de30f..5f38ba2 100644
--- a/src/test/helm/deployment_defaults_labels_test.yaml
+++ b/src/test/helm/deployment_defaults_labels_test.yaml
@@ -45,7 +45,6 @@ tests: app.kubernetes.io/part-of: ozgcloud app.kubernetes.io/version: 0.0.0-MANAGED-BY-JENKINS helm.sh/chart: xta-test-server-0.0.0-MANAGED-BY-JENKINS - ozgcloud-mongodb-client: "true" - it: should set spec.selector.matchLabels asserts:
@@ -69,4 +68,3 @@ tests: app.kubernetes.io/version: 0.0.0-MANAGED-BY-JENKINS component: xta-test-server helm.sh/chart: xta-test-server-0.0.0-MANAGED-BY-JENKINS - ozgcloud-mongodb-client: "true"
\ No newline at end of file
diff --git a/src/test/helm/deployment_test.yaml b/src/test/helm/deployment_test.yaml
index 6efc4a9..5dd2e12 100644
--- a/src/test/helm/deployment_test.yaml
+++ b/src/test/helm/deployment_test.yaml
@@ -82,9 +82,6 @@ tests: - equal: path: spec.template.metadata.labels.component value: "xta-test-server" - - equal: - path: metadata.labels["ozgcloud-mongodb-client"] - value: "true" - equal: path: spec.template.spec.topologySpreadConstraints[0].maxSkew value: 1
diff --git a/src/test/helm/service_monitor_test.yaml b/src/test/helm/service_monitor_test.yaml
index 1572482..5d7ffe4 100644
--- a/src/test/helm/service_monitor_test.yaml
+++ b/src/test/helm/service_monitor_test.yaml
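Review bot: The last test's name, `should contain default lables and component lables`, promises component labels, but the asserted `metadata.labels` map holds only the default labels and certificate.yaml in this commit sets no `component` label; rename it to `should contain default labels`, which also fixes `lables`. The suite leaves the riskiest parts of the new template unasserted — `spec.issuerRef`, `spec.privateKey`, `spec.subject` and the two `spec.keystores.*.passwordSecretRef` names — which is exactly where a misspelled key or a renamed secret would go unnoticed, so one `equal` assertion per field is worth adding. The copyright year `2022` in a file created by this December 2024 commit looks copied from a sibling file.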
@@ -58,7 +58,6 @@ tests: app.kubernetes.io/version: 0.0.0-MANAGED-BY-JENKINS component: xta-test-server-service-monitor helm.sh/chart: xta-test-server-0.0.0-MANAGED-BY-JENKINS - ozgcloud-mongodb-client: "true" - it: should have the metrics endpoint configured by default asserts:
diff --git a/src/test/helm/service_test.yaml b/src/test/helm/service_test.yaml
index 585ea72..4c9156d 100644
--- a/src/test/helm/service_test.yaml
+++ b/src/test/helm/service_test.yaml
@@ -92,5 +92,4 @@ tests: app.kubernetes.io/part-of: ozgcloud app.kubernetes.io/version: 0.0.0-MANAGED-BY-JENKINS component: xta-test-server-service - helm.sh/chart: xta-test-server-0.0.0-MANAGED-BY-JENKINS - ozgcloud-mongodb-client: "true"
\ No newline at end of file
+ helm.sh/chart: xta-test-server-0.0.0-MANAGED-BY-JENKINS
\ No newline at end of file
-- GitLab