From fb4c0b0bb77e82ba1abf8894c9b1d9654e0aaab1 Mon Sep 17 00:00:00 2001
From: Jan Zickermann <jan.zickermann@dataport.de>
Date: Mon, 16 Dec 2024 12:32:45 +0100
Subject: [PATCH] #2 OZG-7121 helm: Add three client certificates

---
 .../helm/templates/client_certificates.yaml   | 47 ++++++++++++
 src/main/helm/templates/network_policy.yaml   | 13 +---
 src/main/helm/values.yaml                     |  4 +
 src/test/helm/certificate_test.yaml           |  5 ++
 src/test/helm/client_certificates_test.yaml   | 74 +++++++++++++++++++
 src/test/helm/network_policy_test.yaml        | 47 ++----------
 6 files changed, 140 insertions(+), 50 deletions(-)
 create mode 100644 src/main/helm/templates/client_certificates.yaml
 create mode 100644 src/test/helm/client_certificates_test.yaml

diff --git a/src/main/helm/templates/client_certificates.yaml b/src/main/helm/templates/client_certificates.yaml
new file mode 100644
index 0000000..c52df70
--- /dev/null
+++ b/src/main/helm/templates/client_certificates.yaml
@@ -0,0 +1,47 @@
+{{- range $idx, $cn := .Values.clientCertificateCommonNames }}
+{{- with $ -}}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ .Release.Name }}-{{ $cn | lower }}-tls-certificate
+  namespace: {{ include "app.namespace" . }}
+  labels:
+    {{- include "app.defaultLabels" . | indent 4 }}
+spec:
+  isCA: false
+  secretName: {{ .Release.Name }}-{{ $cn | lower }}-tls-secret
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: {{ include "app.namespace" . }}-ca-issuer
+    kind: Issuer
+  duration: 8760h0m0s # 1 Jahr
+  renewBefore: 5840h0m0s # 8 Monate
+  commonName: {{ $cn }}
+  subject:
+    organizations:
+      - "XtaTestOrga"
+    countries:
+      - DE
+    organizationalUnits:
+      - "XtaTestUnit{{ $idx }}"
+    localities:
+      - Kiel
+    provinces:
+      - Schleswig-Holstein
+    streetAddresses:
+      - "Test-Str. {{ $idx }}"
+    postalCodes:
+      - "22222"
+  # critical, digitalSignature, nonRepudiation, keyEncipherment, keyAgreement
+  usages:
+    - client auth
+    - digital signature
+    - content commitment # https://cryptography.io/en/latest/x509/reference/#cryptography.x509.KeyUsage.content_commitment
+    - key encipherment
+    - key agreement
+
+---
+{{ end -}}
+{{- end }}
\ No newline at end of file
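Review bot: `commonName: {{ $cn }}` renders the value as a plain scalar, so a common name that YAML re-types (an all-digit ID, `no`/`off`, a date-like string) would not reach cert-manager as the intended string; `commonName: {{ $cn | quote }}` pins it. The derived names on the `name:` and `secretName:` lines only pass `$cn` through `lower`, so two entries differing only by case collapse onto the same Certificate and Secret, and characters Kubernetes rejects in object names (underscores, spaces) are passed through untouched — worth a comment on the `range` line stating what entries are accepted, e.g. `{{- /* entries must be DNS-label safe and unique after lowercasing */ -}}`. The `renewBefore: 5840h0m0s` on a `8760h0m0s` certificate means each client certificate is rotated roughly four months after issuance; if that short lifetime is deliberate, the `# 8 Monate` comment would be clearer as `# renew 8 months before expiry, i.e. ~4 months after issuance`.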
diff --git a/src/main/helm/templates/network_policy.yaml b/src/main/helm/templates/network_policy.yaml
index 8c490c4..deac83a 100644
--- a/src/main/helm/templates/network_policy.yaml
+++ b/src/main/helm/templates/network_policy.yaml
@@ -2,16 +2,18 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: network-policy-xta-test-server
+  name: {{ .Release.Name }}-network-policy
   namespace: {{ include "app.namespace" . }}
 spec:
   podSelector:
     matchLabels:
-      component: xta-test-server
+      {{- include "app.matchLabels" . | indent 6 }}
   policyTypes:
     - Ingress
     - Egress
   ingress:
+  - ports:
+    - port: 8443
   - from:
     - namespaceSelector:
         matchLabels:
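Review bot: The new ingress rule at `- ports:` / `- port: 8443` has no `from:` block, so it admits traffic to 8443 from any source that can route to the pod, in every namespace — considerably wider than the neighbouring rule, which is scoped by a `namespaceSelector`. If this is intentional because 8443 is the mTLS endpoint guarded by the client certificates this commit adds, say so where the rule is defined, e.g. `# 8443 is the mTLS endpoint: peers are authenticated by client certificate, so no from-selector is applied`; otherwise add a `from:` selector. The rule also omits `protocol`, while the 8081 rule below spells out `protocol: TCP`; adding `protocol: TCP` keeps the two rules consistent and the intent explicit. The `ingress:` list continues past this hunk.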
@@ -19,13 +21,6 @@ spec:
     ports:
     - protocol: TCP
       port: 8081
-  - from:
-    - podSelector:
-        matchLabels:
-          component: vorgang-manager
-    ports:
-    - protocol: TCP
-      port: 8080
 {{- with (.Values.networkPolicy).additionalIngressConfigLocal }}
 {{ toYaml . | indent 2 }}
 {{- end }}
diff --git a/src/main/helm/values.yaml b/src/main/helm/values.yaml
index 072e1c9..9fe80af 100644
--- a/src/main/helm/values.yaml
+++ b/src/main/helm/values.yaml
@@ -29,3 +29,7 @@ image:
   name: xta-test-server
   tag: latest
 
+clientCertificateCommonNames:
+  - clientA
+  - clientB
+  - clientC
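Review bot: The new `clientCertificateCommonNames` value is undocumented, although each entry becomes a cert-manager Certificate and a TLS Secret named from the lowercased entry in `templates/client_certificates.yaml`. A comment above the key would spare operators reading the template, e.g. `# One cert-manager Certificate and TLS Secret is rendered per entry; entries are lowercased into object names, so they must be DNS-label safe and unique after lowercasing.` The three defaults read as placeholders; if they are only meant for the test server, the comment should state that too.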
diff --git a/src/test/helm/certificate_test.yaml b/src/test/helm/certificate_test.yaml
index 54c4401..b91e5d2 100644
--- a/src/test/helm/certificate_test.yaml
+++ b/src/test/helm/certificate_test.yaml
@@ -53,6 +53,11 @@ tests:
       - equal:
           path: spec.commonName
           value: xta-test-server-release-name
+  - it: should use cluster ca as issuer
+    asserts:
+      - equal:
+          path: spec.issuerRef.name
+          value: sh-helm-test-ca-issuer
   - it: should set dns names
     asserts:
       - equal:
diff --git a/src/test/helm/client_certificates_test.yaml b/src/test/helm/client_certificates_test.yaml
new file mode 100644
index 0000000..2ae85ca
--- /dev/null
+++ b/src/test/helm/client_certificates_test.yaml
@@ -0,0 +1,74 @@
+#
+# Copyright (C) 2022 Das Land Schleswig-Holstein vertreten durch den
+# Ministerpräsidenten des Landes Schleswig-Holstein
+# Staatskanzlei
+# Abteilung Digitalisierung und zentrales IT-Management der Landesregierung
+#
+# Lizenziert unter der EUPL, Version 1.2 oder - sobald
+# diese von der Europäischen Kommission genehmigt wurden -
+# Folgeversionen der EUPL ("Lizenz");
+# Sie dürfen dieses Werk ausschließlich gemäß
+# dieser Lizenz nutzen.
+# Eine Kopie der Lizenz finden Sie hier:
+#
+# https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12
+#
+# Sofern nicht durch anwendbare Rechtsvorschriften
+# gefordert oder in schriftlicher Form vereinbart, wird
+# die unter der Lizenz verbreitete Software "so wie sie
+# ist", OHNE JEGLICHE GEWÄHRLEISTUNG ODER BEDINGUNGEN -
+# ausdrücklich oder stillschweigend - verbreitet.
+# Die sprachspezifischen Genehmigungen und Beschränkungen
+# unter der Lizenz sind dem Lizenztext zu entnehmen.
+#
+
+suite: test client_certificates.yaml
+release:
+  name: xta-test-server-release-name
+  namespace: sh-helm-test
+templates:
+  - templates/client_certificates.yaml
+set:  
+  ozgcloud:
+    bezeichner: helm
+  baseUrl: test.by.ozg-cloud.de
+
+tests:
+  - it: should configure three certificates by default
+    asserts:
+      - hasDocuments:
+          count: 3
+  - it: should contain a Certificate document
+    set:
+      clientCertificateCommonNames:
+        - CommonName
+    asserts:
+      - containsDocument:
+          kind: Certificate
+          apiVersion: cert-manager.io/v1
+          name: xta-test-server-release-name-commonname-tls-certificate
+          namespace: sh-helm-test
+  - it: should set common name
+    set:
+      clientCertificateCommonNames:
+        - CommonName
+    asserts:
+      - equal:
+          path: spec.commonName
+          value: CommonName
+  - it: should set secret name
+    set:
+      clientCertificateCommonNames:
+        - CommonName
+    asserts:
+      - equal:
+          path: spec.secretName
+          value: xta-test-server-release-name-commonname-tls-secret
+  - it: should use cluster ca as issuer
+    set:
+      clientCertificateCommonNames:
+        - CommonName
+    asserts:
+      - equal:
+          path: spec.issuerRef.name
+          value: sh-helm-test-ca-issuer
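Review bot: None of the suite's assertions pins the properties that make these client certificates safe to hand out: `spec.isCA` being `false`, `spec.usages` including `client auth`, and the `ECDSA` key algorithm, so a template regression that flipped `isCA` or dropped the client-auth usage would pass. Adding one `it` covering those fields closes the gap; a sketch follows. The `set:  ` line also carries trailing whitespace after the colon, which yamllint flags; trim it to `set:`.
```yaml
  - it: should issue a non-ca certificate usable for client auth
    set:
      clientCertificateCommonNames:
        - CommonName
    asserts:
      - equal:
          path: spec.isCA
          value: false
      - contains:
          path: spec.usages
          content: client auth
      - equal:
          path: spec.privateKey.algorithm
          value: ECDSA
```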
diff --git a/src/test/helm/network_policy_test.yaml b/src/test/helm/network_policy_test.yaml
index ff25d18..5a00166 100644
--- a/src/test/helm/network_policy_test.yaml
+++ b/src/test/helm/network_policy_test.yaml
@@ -28,7 +28,6 @@ release:
   namespace: by-helm-test
 templates:
   - templates/network_policy.yaml
-
 tests:
   - it: should match apiVersion
     set:
@@ -52,52 +51,18 @@ tests:
       - equal:
           path: metadata
           value:
-            name: network-policy-xta-test-server
+            name: xta-test-server-network-policy
             namespace: by-helm-test
   - it: validate spec
     set:
       networkPolicy:
         dnsServerNamespace: kube-system
     asserts:
-      - equal:
-          path: spec
-          value:
-            egress:
-              - ports:
-                  - port: 53
-                    protocol: UDP
-                  - port: 53
-                    protocol: TCP
-                  - port: 5353
-                    protocol: UDP
-                  - port: 5353
-                    protocol: TCP
-                to:
-                  - namespaceSelector:
-                      matchLabels:
-                        kubernetes.io/metadata.name: kube-system
-            ingress:
-              - from:
-                  - namespaceSelector:
-                      matchLabels:
-                        name: openshift-user-workload-monitoring
-                ports:
-                  - port: 8081
-                    protocol: TCP
-              - from:
-                  - podSelector:
-                      matchLabels:
-                        component: vorgang-manager
-                ports:
-                  - port: 8080
-                    protocol: TCP
-            podSelector:
-              matchLabels:
-                component: xta-test-server
-            policyTypes:
-              - Ingress
-              - Egress
-            
+      - contains:
+          path: spec.ingress
+          content:
+            ports:
+              - port: 8443
 
   - it: add ingress rule by values local
     set:
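Review bot: The replacement `contains` on `spec.ingress` only checks that some rule carries `port: 8443`, so the egress to `kube-system` that this test still configures through `networkPolicy.dnsServerNamespace`, as well as `podSelector` and `policyTypes`, are no longer asserted anywhere in the hunk — the `set:` block in `validate spec` is now inert. It also does not record whether the 8443 rule is meant to have no `from:` selector, which is the most security-relevant property of the new template. Re-adding a partial-match assertion on `spec.egress` keeps the DNS egress under test; a sketch follows, with the `to:` item taken from the removed lines. The `tests:` list continues outside this hunk.
```yaml
      - contains:
          path: spec.egress
          content:
            to:
              - namespaceSelector:
                  matchLabels:
                    kubernetes.io/metadata.name: kube-system
          any: true
```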
-- 
GitLab