#2 OZG-7121 helm: Add three client certificates

fb4c0b0b · Jan Zickermann · e6610a4c · fb4c0b0b · fb4c0b0b · fb4c0b0b
Commit fb4c0b0b authored 5 months ago by Jan Zickermann
--- a/src/main/helm/templates/client_certificates.yaml
+++ b/src/main/helm/templates/client_certificates.yaml
+{{- range $idx, $cn := .Values.clientCertificateCommonNames }}
+{{- with $ -}}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ .Release.Name }}-{{ $cn | lower }}-tls-certificate
+  namespace: {{ include "app.namespace" . }}
+  labels:
+    {{- include "app.defaultLabels" . | indent 4 }}
+spec:
+  isCA: false
+  secretName: {{ .Release.Name }}-{{ $cn | lower }}-tls-secret
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: {{ include "app.namespace" . }}-ca-issuer
+    kind: Issuer
+  duration: 8760h0m0s # 1 Jahr
+  renewBefore: 5840h0m0s # 8 Monate
+  commonName: {{ $cn }}
+  subject:
+    organizations:
+      - "XtaTestOrga"
+    countries:
+      - DE
+    organizationalUnits:
+      - "XtaTestUnit{{ $idx }}"
+    localities:
+      - Kiel
+    provinces:
+      - Schleswig-Holstein
+    streetAddresses:
+      - "Test-Str. {{ $idx }}"
+    postalCodes:
+      - "22222"
+  # critical, digitalSignature, nonRepudiation, keyEncipherment, keyAgreement
+  usages:
+    - client auth
+    - digital signature
+    - content commitment # https://cryptography.io/en/latest/x509/reference/#cryptography.x509.KeyUsage.content_commitment
+    - key encipherment
+    - key agreement
+---
+{{ end -}}
+{{- end }}
\ No newline at end of file
--- a/src/main/helm/templates/network_policy.yaml
+++ b/src/main/helm/templates/network_policy.yaml
@@ -2,16 +2,18 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: network-policy-xta-test-server
+  name: {{ .Release.Name }}-network-policy
  namespace: {{ include "app.namespace" . }}
 spec:
  podSelector:
    matchLabels:
-      component: xta-test-server
+      {{- include "app.matchLabels" . | indent 6 }}
  policyTypes:
    - Ingress
    - Egress
  ingress:
+  - ports:
+    - port: 8443
  - from:
    - namespaceSelector:
        matchLabels:
@@ -19,13 +21,6 @@ spec:
    ports:
    - protocol: TCP
      port: 8081
-  - from:
-    - podSelector:
-        matchLabels:
-          component: vorgang-manager
-    ports:
-    - protocol: TCP
-      port: 8080
 {{- with (.Values.networkPolicy).additionalIngressConfigLocal }}
 {{ toYaml . | indent 2 }}
 {{- end }}

--- a/src/main/helm/values.yaml
+++ b/src/main/helm/values.yaml
@@ -29,3 +29,7 @@ image:
  name: xta-test-server
  tag: latest
+clientCertificateCommonNames:
+  - clientA
+  - clientB
+  - clientC
--- a/src/test/helm/certificate_test.yaml
+++ b/src/test/helm/certificate_test.yaml
@@ -53,6 +53,11 @@ tests:
      - equal:
          path: spec.commonName
          value: xta-test-server-release-name
+  - it: should use cluster ca as issuer
+    asserts:
+      - equal:
+          path: spec.issuerRef.name
+          value: sh-helm-test-ca-issuer
  - it: should set dns names
    asserts:
      - equal:

--- a/src/test/helm/client_certificates_test.yaml
+++ b/src/test/helm/client_certificates_test.yaml
+#
+# Copyright (C) 2022 Das Land Schleswig-Holstein vertreten durch den
+# Ministerpräsidenten des Landes Schleswig-Holstein
+# Staatskanzlei
+# Abteilung Digitalisierung und zentrales IT-Management der Landesregierung
+#
+# Lizenziert unter der EUPL, Version 1.2 oder - sobald
+# diese von der Europäischen Kommission genehmigt wurden -
+# Folgeversionen der EUPL ("Lizenz");
+# Sie dürfen dieses Werk ausschließlich gemäß
+# dieser Lizenz nutzen.
+# Eine Kopie der Lizenz finden Sie hier:
+#
+# https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12
+#
+# Sofern nicht durch anwendbare Rechtsvorschriften
+# gefordert oder in schriftlicher Form vereinbart, wird
+# die unter der Lizenz verbreitete Software "so wie sie
+# ist", OHNE JEGLICHE GEWÄHRLEISTUNG ODER BEDINGUNGEN -
+# ausdrücklich oder stillschweigend - verbreitet.
+# Die sprachspezifischen Genehmigungen und Beschränkungen
+# unter der Lizenz sind dem Lizenztext zu entnehmen.
+#
+suite: test client_certificates.yaml
+release:
+  name: xta-test-server-release-name
+  namespace: sh-helm-test
+templates:
+  - templates/client_certificates.yaml
+set:  
+  ozgcloud:
+    bezeichner: helm
+  baseUrl: test.by.ozg-cloud.de
+tests:
+  - it: should configure three certificates by default
+    asserts:
+      - hasDocuments:
+          count: 3
+  - it: should contain a Certificate document
+    set:
+      clientCertificateCommonNames:
+        - CommonName
+    asserts:
+      - containsDocument:
+          kind: Certificate
+          apiVersion: cert-manager.io/v1
+          name: xta-test-server-release-name-commonname-tls-certificate
+          namespace: sh-helm-test
+  - it: should set common name
+    set:
+      clientCertificateCommonNames:
+        - CommonName
+    asserts:
+      - equal:
+          path: spec.commonName
+          value: CommonName
+  - it: should set secret name
+    set:
+      clientCertificateCommonNames:
+        - CommonName
+    asserts:
+      - equal:
+          path: spec.secretName
+          value: xta-test-server-release-name-commonname-tls-secret
+  - it: should use cluster ca as issuer
+    set:
+      clientCertificateCommonNames:
+        - CommonName
+    asserts:
+      - equal:
+          path: spec.issuerRef.name
+          value: sh-helm-test-ca-issuer
--- a/src/test/helm/network_policy_test.yaml
+++ b/src/test/helm/network_policy_test.yaml
@@ -28,7 +28,6 @@ release:
  namespace: by-helm-test
 templates:
  - templates/network_policy.yaml
 tests:
  - it: should match apiVersion
    set:
@@ -52,52 +51,18 @@ tests:
      - equal:
          path: metadata
          value:
-            name: network-policy-xta-test-server
+            name: xta-test-server-network-policy
            namespace: by-helm-test
  - it: validate spec
    set:
      networkPolicy:
        dnsServerNamespace: kube-system
    asserts:
-      - equal:
+      - contains:
-          path: spec
+          path: spec.ingress
-          value:
+          content:
-            egress:
+            ports:
-              - ports:
+              - port: 8443
-                  - port: 53
-                    protocol: UDP
-                  - port: 53
-                    protocol: TCP
-                  - port: 5353
-                    protocol: UDP
-                  - port: 5353
-                    protocol: TCP
-                to:
-                  - namespaceSelector:
-                      matchLabels:
-                        kubernetes.io/metadata.name: kube-system
-            ingress:
-              - from:
-                  - namespaceSelector:
-                      matchLabels:
-                        name: openshift-user-workload-monitoring
-                ports:
-                  - port: 8081
-                    protocol: TCP
-              - from:
-                  - podSelector:
-                      matchLabels:
-                        component: vorgang-manager
-                ports:
-                  - port: 8080
-                    protocol: TCP
-            podSelector:
-              matchLabels:
-                component: xta-test-server
-            policyTypes:
-              - Ingress
-              - Egress
  - it: add ingress rule by values local
    set: