From 620bf31555599fe8e8579cfdf0f561244696f8f6 Mon Sep 17 00:00:00 2001 From: Yevhen Ivantsov Date: Thu, 8 Aug 2024 09:12:32 +1000 Subject: [PATCH] Make it possible to get certificates from multiple secrets --- docs/docs/userguide/CONFIGURATION.md | 85 +++++++++---- src/main/charts/bamboo/README.md | 4 +- src/main/charts/bamboo/templates/_helpers.tpl | 10 +- .../charts/bamboo/templates/statefulset.yaml | 13 +- src/main/charts/bamboo/values.yaml | 14 ++ src/main/charts/bitbucket/README.md | 8 +- .../charts/bitbucket/templates/_helpers.tpl | 10 +- .../bitbucket/templates/statefulset-mesh.yaml | 23 +++- .../bitbucket/templates/statefulset.yaml | 13 +- src/main/charts/bitbucket/values.yaml | 28 ++++ src/main/charts/confluence/README.md | 8 +- .../charts/confluence/templates/_helpers.tpl | 20 ++- .../templates/statefulset-synchrony.yaml | 13 +- .../confluence/templates/statefulset.yaml | 13 +- src/main/charts/confluence/values.yaml | 28 ++++ src/main/charts/crowd/README.md | 4 +- src/main/charts/crowd/templates/_helpers.tpl | 10 +- .../charts/crowd/templates/statefulset.yaml | 13 +- src/main/charts/crowd/values.yaml | 14 ++ src/main/charts/jira/README.md | 5 +- src/main/charts/jira/templates/_helpers.tpl | 12 +- .../charts/jira/templates/statefulset.yaml | 13 +- src/main/charts/jira/values.yaml | 16 +++ .../java/test/AdditionalCertificatesTest.java | 120 ++++++++++++++++++ 24 files changed, 448 insertions(+), 49 deletions(-) diff --git a/docs/docs/userguide/CONFIGURATION.md b/docs/docs/userguide/CONFIGURATION.md index 2724b5dfd..10dcb951e 100644 --- a/docs/docs/userguide/CONFIGURATION.md +++ b/docs/docs/userguide/CONFIGURATION.md 
@@ -523,38 +523,69 @@ readinessProbe: ## :material-certificate: Self Signed Certificates -To add self signed certificates to the default Java truststore, follow the below steps. +There are 2 ways to add self-signed certificates to the default Java truststore: from a single or multiple secrets. -* Create a [Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/){.external} containing base64-encoded certificate(s). Here's an example [kubectl command](https://kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-kubectl/#use-source-files){.external} to create a secret from 2 local files: - -```shell -kubectl create secret generic dev-certificates \ - --from-file=stg.crt=./stg.crt \ - --from-file=dev.crt=./dev.crt -n $namespace -``` - -The resulting secret will have the following data: - -```yaml -data: - stg.crt: base64encodedstgcrt - dev.crt: base64encodeddevcrt -``` - -!!!info "You can have as many keys (certificates) in the secret as required. All keys will be mounted as files to `/tmp/crt` in the container and imported into Java truststore. In the example above, certificates will be mounted as `/tmp/crt/stg.crt` and `/tmp/crt/dev.crt`. File extension in the secret keys does not matter as long as the file is a valid certificate." - -* Provide the secret name in Helm values: +=== "From a single secret" + * Create a [Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/){.external} containing base64-encoded certificate(s). 
Here's an example [kubectl command](https://kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-kubectl/#use-source-files){.external} to create a secret from 2 local files: + + ```shell + kubectl create secret generic dev-certificates \ + --from-file=stg.crt=./stg.crt \ + --from-file=dev.crt=./dev.crt -n $namespace + ``` + + The resulting secret will have the following data: + + ```yaml + data: + stg.crt: base64encodedstgcrt + dev.crt: base64encodeddevcrt + ``` + + !!!info "You can have as many keys (certificates) in the secret as required. All keys will be mounted as files to `/tmp/crt` in the container and imported into Java truststore. In the example above, certificates will be mounted as `/tmp/crt/stg.crt` and `/tmp/crt/dev.crt`. File extension in the secret keys does not matter as long as the file is a valid certificate." + + * Provide the secret name in Helm values: + + ```yaml + jira: + additionalCertificates: + secretName: dev-certificates + ``` +=== "From multiple secrets" + * Create 2 [Kubernetes secrets](https://kubernetes.io/docs/concepts/configuration/secret/){.external} containing base64-encoded certificate(s). Here's an example [kubectl command](https://kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-kubectl/#use-source-files){.external} to create 2 secrets from local files (the first one with 2 certificates/keys and the second one with just one): + + ```shell + kubectl create secret generic dev-certificates \ + --from-file=stg.crt=./stg.crt \ + --from-file=dev.crt=./dev.crt -n $namespace -```yaml -jira: - additionalCertificates: - secretName: dev-certificates -``` + kubectl create secret generic root-ca \ + --from-file=ca.crt=./ca.crt -n $namespace + ``` + !!!info "You can have as many keys (certificates) in the secrets, however, you will need to list the keys you'd like to get mounted. All keys will be mounted as files to `/tmp/crt` in the container and imported into Java truststore." 
+ + * Provide the list of secrets and their keys in Helm values: + + ```yaml + jira: + additionalCertificates: + secretList: + - name: dev-certificates + keys: + - stg.crt + - dev.crt + - name: root-ca + keys: + - ca.crt + ``` + To allow having identical keys in different secrets, filenames will have the following format: `-`, so + files will get mounted as `/tmp/crt/dev-certificates-stg.crt`, `/tmp/crt/dev-certificates-dev.crt` and `/tmp/crt/root-ca-ca.crt` + and imported to Java truststore with the same aliases. The product Helm chart will add additional `volumeMounts` and `volumes` to the pod(s), as well as an extra init container that will: * copy the default Java cacerts to a runtime volume shared between the init container and the main container at `/var/ssl` -* run [keytool -import](https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html){.external} to import all certificates in `/tmp/crt` mounted from `dev-certificates` secret to `/var/ssl/cacerts` +* run [keytool -import](https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html){.external} to import all certificates in `/tmp/crt` mounted from secret(s) to `/var/ssl/cacerts` `-Djavax.net.ssl.trustStore=/var/ssl/cacerts` system property will be automatically added to `JVM_SUPPORT_RECOMMENDED_ARGS` environment variable. @@ -583,4 +614,4 @@ Helm values are mounted to be included to the [support.zip](https://confluence.a Analytics json is a subset of `values.yaml` and contains selected Helm values that are sent as an analytics event and written to analytics logs, if analytics is enabled in the product. Analytics values are purely informational and contain information on how Helm charts are used. -You can find the complete list of analytics values in `_helpers.tpl`, `.analyticsJson`. \ No newline at end of file +You can find the complete list of analytics values in `_helpers.tpl`, `.analyticsJson`. 
diff --git a/src/main/charts/bamboo/README.md b/src/main/charts/bamboo/README.md
index ed3c35df3..e4610fc25 100644
--- a/src/main/charts/bamboo/README.md
+++ b/src/main/charts/bamboo/README.md
@@ -34,7 +34,9 @@ Kubernetes: `>=1.21.x-0` | bamboo.accessLog.localHomeSubPath | string | `"log"` | The subdirectory within the local-home volume where access logs should be stored. | | bamboo.accessLog.mountPath | string | `"/opt/atlassian/bamboo/logs"` | The path within the Bamboo container where the local-home volume should be mounted in order to capture access logs. | | bamboo.additionalBundledPlugins | list | `[]` | Specifies a list of additional Bamboo plugins that should be added to the Bamboo container. Note plugins installed via this method will appear as bundled plugins rather than user plugins. These should be specified in the same manner as the 'additionalLibraries' property. Additional details: https://atlassian.github.io/data-center-helm-charts/examples/external_libraries/EXTERNAL_LIBS/ NOTE: only .jar files can be loaded using this approach. OBR's can be extracted (unzipped) to access the associated .jar An alternative to this method is to install the plugins via "Manage Apps" in the product system administration UI. | -| bamboo.additionalCertificates | object | `{"customCmd":null,"initContainer":{"resources":{}},"secretName":null}` | Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates | +| bamboo.additionalCertificates | object | `{"customCmd":null,"initContainer":{"resources":{}},"secretList":null,"secretName":null}` | Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates | +| bamboo.additionalCertificates.secretList | string | `nil` | A list of secrets with a list of keys holding certificates to be added to Java truststore. It is mandatory to define which keys from secret data need to be mounted as files to the init container | +| bamboo.additionalCertificates.secretName | string | `nil` | Name of the Kubernetes secret with certificates in its data. 
All secret keys in the secret data will be treated as certificates to be added to Java truststore. When defined takes precedence over secretList. | | bamboo.additionalEnvironmentVariables | list | `[]` | Defines any additional environment variables to be passed to the Bamboo container. See https://hub.docker.com/r/atlassian/bamboo for supported variables. | | bamboo.additionalJvmArgs | list | `[]` | Specifies a list of additional arguments that can be passed to the Bamboo JVM, e.g. system properties. | | bamboo.additionalLibraries | list | `[]` | Specifies a list of additional Java libraries that should be added to the Bamboo container. Each item in the list should specify the name of the volume that contains the library, as well as the name of the library file within that volume's root directory. Optionally, a subDirectory field can be included to specify which directory in the volume contains the library file. Additional details: https://atlassian.github.io/data-center-helm-charts/examples/external_libraries/EXTERNAL_LIBS/ | diff --git a/src/main/charts/bamboo/templates/_helpers.tpl b/src/main/charts/bamboo/templates/_helpers.tpl index 635b4c4ea..bfc45c122 100644 --- a/src/main/charts/bamboo/templates/_helpers.tpl +++ b/src/main/charts/bamboo/templates/_helpers.tpl 
@@ -285,12 +285,20 @@ For each additional plugin declared, generate a volume mount that injects that l
 {{- with .Values.volumes.additional }}
 {{- toYaml . | nindent 0 }}
 {{- end }}
-{{- if .Values.bamboo.additionalCertificates.secretName }}
+{{- if or .Values.bamboo.additionalCertificates.secretName .Values.bamboo.additionalCertificates.secretList }}
 - name: keystore
 emptyDir: {}
+{{- if .Values.bamboo.additionalCertificates.secretName }}
 - name: certs
 secret:
 secretName: {{ .Values.bamboo.additionalCertificates.secretName }}
+{{- else }}
+{{- range .Values.bamboo.additionalCertificates.secretList }}
+- name: {{ .name }}
+ secret:
+ secretName: {{ .name }}
+{{- end }}
+{{- end }}
 {{- end }}
 {{- if or .Values.atlassianAnalyticsAndSupport.analytics.enabled .Values.atlassianAnalyticsAndSupport.helmValues.enabled }}
 - name: helm-values
diff --git a/src/main/charts/bamboo/templates/statefulset.yaml b/src/main/charts/bamboo/templates/statefulset.yaml
index 112af3038..1ea99a2ab 100644
--- a/src/main/charts/bamboo/templates/statefulset.yaml
+++ b/src/main/charts/bamboo/templates/statefulset.yaml
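Review bot: The new `range` over `secretList` uses the user-supplied Secret name verbatim as the pod volume name (`- name: {{ .name }}`), but a Secret name is a DNS subdomain (dots allowed, up to 253 characters) while a volume name must be a DNS label (no dots, at most 63 characters), so a secret called e.g. `internal.ca` renders a StatefulSet the API server rejects, a secret named `keystore`, `certs` or `helm-values` would duplicate one of the chart's own volume names visible in this hunk, and listing the same secret twice emits two identical volumes. Prefixing and sanitising the name keeps it valid and namespaced, e.g. `- name: certs-{{ .name | replace "." "-" | trunc 63 | trimSuffix "-" }}` here, with the same expression in the matching `- name:` of the import-certs volumeMounts. Guarding the entry with `{{- $secretName := required "additionalCertificates.secretList entries need a name" .name }}` turns a missing `name` into a render-time error instead of an empty `name:` and `secretName:`. The same pattern is repeated in the bitbucket `_helpers.tpl` hunk, the second `statefulset-mesh.yaml` hunk and both confluence `_helpers.tpl` hunks.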
@@ -74,15 +74,26 @@ spec: command: ["sh", "-c", {{ include "bamboo.sharedHome.permissionFix.command" . | quote }}] {{- end }} {{- include "common.jmx.initContainer" . | nindent 8 }} - {{- if .Values.bamboo.additionalCertificates.secretName }} + {{- if or .Values.bamboo.additionalCertificates.secretName .Values.bamboo.additionalCertificates.secretList }} - name: import-certs image: {{ include "bamboo.image" . | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} volumeMounts: - name: keystore mountPath: /var/ssl + {{- if.Values.bamboo.additionalCertificates.secretName }} - name: certs mountPath: /tmp/crt + {{- else }} + {{- range .Values.bamboo.additionalCertificates.secretList }} + {{- $secretName := .name }} + {{- range .keys }} + - name: {{ $secretName }} + mountPath: /tmp/crt/{{$secretName}}-{{ . }} + subPath: {{ . }} + {{- end }} + {{- end }} + {{- end }} command: ["/bin/bash"] args: ["-c", {{ include "bamboo.addCrtToKeystoreCmd" . }}] resources: diff --git a/src/main/charts/bamboo/values.yaml b/src/main/charts/bamboo/values.yaml index 50623b801..ca96b113c 100644 --- a/src/main/charts/bamboo/values.yaml +++ b/src/main/charts/bamboo/values.yaml @@ -971,7 +971,21 @@ bamboo: # -- Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates # additionalCertificates: + # -- Name of the Kubernetes secret with certificates in its data. All secret keys in the secret data + # will be treated as certificates to be added to Java truststore. When defined takes precedence over secretList. + # secretName: + # -- A list of secrets with a list of keys holding certificates to be added to Java truststore. It is mandatory to define which keys + # from secret data need to be mounted as files to the init container + # + secretList: + #- name: self-signed-ca + # keys: + # - ca.crt + # - intermediate.crt + #- name: stg-intermediate + # keys: + # - stg.crt customCmd: initContainer: resources: {} 
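Review bot: `{{- if.Values.bamboo.additionalCertificates.secretName }}` in the added volumeMounts branch has no space between `if` and `.Values`; it appears to lex only because `.` terminates the keyword, and it is inconsistent with `{{- if or .Values...` on the first changed line, so write `{{- if .Values.bamboo.additionalCertificates.secretName }}`. The inner `range .keys` silently mounts nothing when an entry omits `keys`, although values.yaml in this same patch calls the keys mandatory; `{{- $keys := required (printf "additionalCertificates.secretList entry %s needs keys" $secretName) .keys }}` before the inner range makes that a render-time failure rather than an init container that imports no certificates. Because the file name is `<secret>-<key>` with `-` as separator, two entries such as secret `a-b` with key `c.crt` and secret `a` with key `b-c.crt` both resolve to `/tmp/crt/a-b-c.crt`, a duplicate mountPath Kubernetes rejects; a separator that cannot occur in a Secret name, such as `_`, keeps the names unique (I assume the keytool alias follows the file name, since `bamboo.addCrtToKeystoreCmd` is not in this diff). The same block is repeated in the bitbucket `statefulset-mesh.yaml` and `statefulset.yaml` hunks and the confluence `statefulset-synchrony.yaml` and `statefulset.yaml` hunks, and the init container's `command`/`args` lines continue outside the hunk.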
diff --git a/src/main/charts/bitbucket/README.md b/src/main/charts/bitbucket/README.md
index 70d15c63a..eee03a0b3 100644
--- a/src/main/charts/bitbucket/README.md
+++ b/src/main/charts/bitbucket/README.md
@@ -34,7 +34,9 @@ Kubernetes: `>=1.21.x-0` | atlassianAnalyticsAndSupport.analytics.enabled | bool | `true` | Mount ConfigMap with selected Helm chart values as a JSON which DC products will read and send analytics events to Atlassian data pipelines | | atlassianAnalyticsAndSupport.helmValues.enabled | bool | `true` | Mount ConfigMap with selected Helm chart values as a YAML file which can be optionally including to support.zip | | bitbucket.additionalBundledPlugins | list | `[]` | Specifies a list of additional Bitbucket plugins that should be added to the Bitbucket container. Note plugins installed via this method will appear as bundled plugins rather than user plugins. These should be specified in the same manner as the 'additionalLibraries' property. Additional details: https://atlassian.github.io/data-center-helm-charts/examples/external_libraries/EXTERNAL_LIBS/ NOTE: only .jar files can be loaded using this approach. OBR's can be extracted (unzipped) to access the associated .jar An alternative to this method is to install the plugins via "Manage Apps" in the product system administration UI. | -| bitbucket.additionalCertificates | object | `{"customCmd":null,"initContainer":{"resources":{}},"secretName":null}` | Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates | +| bitbucket.additionalCertificates | object | `{"customCmd":null,"initContainer":{"resources":{}},"secretList":null,"secretName":null}` | Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates | +| bitbucket.additionalCertificates.secretList | string | `nil` | A list of secrets with a list of keys holding certificates to be added to Java truststore. It is mandatory to define which keys from secret data need to be mounted as files to the init container | +| bitbucket.additionalCertificates.secretName | string | `nil` | Name of the Kubernetes secret with certificates in its data. 
All secret keys in the secret data will be treated as certificates to be added to Java truststore. When defined takes precedence over secretList. | | bitbucket.additionalEnvironmentVariables | list | `[]` | Defines any additional environment variables to be passed to the Bitbucket container. See https://hub.docker.com/r/atlassian/bitbucket for supported variables. | | bitbucket.additionalJvmArgs | list | `[]` | Specifies a list of additional arguments that can be passed to the Bitbucket JVM, e.g. system properties. | | bitbucket.additionalLibraries | list | `[]` | Specifies a list of additional Java libraries that should be added to the Bitbucket container. Each item in the list should specify the name of the volume that contains the library, as well as the name of the library file within that volume's root directory. Optionally, a subDirectory field can be included to specify which directory in the volume contains the library file. Additional details: https://atlassian.github.io/data-center-helm-charts/examples/external_libraries/EXTERNAL_LIBS/ | 
@@ -64,7 +66,9 @@ Kubernetes: `>=1.21.x-0` | bitbucket.livenessProbe.initialDelaySeconds | int | `60` | Time to wait before starting the first probe | | bitbucket.livenessProbe.periodSeconds | int | `5` | How often (in seconds) the Bitbucket container liveness probe will run | | bitbucket.livenessProbe.timeoutSeconds | int | `1` | Number of seconds after which the probe times out | -| bitbucket.mesh.additionalCertificates | object | `{"customCmd":null,"initContainer":{"resources":{}},"secretName":null}` | Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates | +| bitbucket.mesh.additionalCertificates | object | `{"customCmd":null,"initContainer":{"resources":{}},"secretList":null,"secretName":null}` | Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates | +| bitbucket.mesh.additionalCertificates.secretList | string | `nil` | A list of secrets with a list of keys holding certificates to be added to Java truststore. It is mandatory to define which keys from secret data need to be mounted as files to the init container | +| bitbucket.mesh.additionalCertificates.secretName | string | `nil` | Name of the Kubernetes secret with certificates in its data. All secret keys in the secret data will be treated as certificates to be added to Java truststore. When defined takes precedence over secretList. | | bitbucket.mesh.additionalEnvironmentVariables | object | `{}` | Defines any additional environment variables to be passed to the Bitbucket mesh containers. | | bitbucket.mesh.additionalFiles | string | `nil` | Additional existing ConfigMaps and Secrets not managed by Helm that should be mounted into service container | | bitbucket.mesh.additionalInitContainers | object | `{}` | Additional initContainer definitions that will be added to all Bitbucket pods | 
diff --git a/src/main/charts/bitbucket/templates/_helpers.tpl b/src/main/charts/bitbucket/templates/_helpers.tpl
index a655561ba..611d83cc6 100644
--- a/src/main/charts/bitbucket/templates/_helpers.tpl
+++ b/src/main/charts/bitbucket/templates/_helpers.tpl
@@ -315,12 +315,20 @@ Define additional hosts here to allow template overrides when used as a sub char
 {{- with .Values.volumes.additional }}
 {{- toYaml . | nindent 0 }}
 {{- end }}
-{{- if .Values.bitbucket.additionalCertificates.secretName }}
+{{- if or .Values.bitbucket.additionalCertificates.secretName .Values.bitbucket.additionalCertificates.secretList }}
 - name: keystore
 emptyDir: {}
+{{- if .Values.bitbucket.additionalCertificates.secretName }}
 - name: certs
 secret:
 secretName: {{ .Values.bitbucket.additionalCertificates.secretName }}
+{{- else }}
+{{- range .Values.bitbucket.additionalCertificates.secretList }}
+- name: {{ .name }}
+ secret:
+ secretName: {{ .name }}
+{{- end }}
+{{- end }}
 {{- end }}
 {{- if or .Values.atlassianAnalyticsAndSupport.analytics.enabled .Values.atlassianAnalyticsAndSupport.helmValues.enabled }}
 - name: helm-values
diff --git a/src/main/charts/bitbucket/templates/statefulset-mesh.yaml b/src/main/charts/bitbucket/templates/statefulset-mesh.yaml
index 2b977400d..a86c0d097 100644
--- a/src/main/charts/bitbucket/templates/statefulset-mesh.yaml
+++ b/src/main/charts/bitbucket/templates/statefulset-mesh.yaml
@@ -63,15 +63,26 @@ spec: {{- end }} {{- end }} {{- end }} - {{- if .Values.bitbucket.mesh.additionalCertificates.secretName }} + {{- if or .Values.bitbucket.mesh.additionalCertificates.secretName .Values.bitbucket.mesh.additionalCertificates.secretList }} - name: import-certs image: {{ .Values.bitbucket.mesh.image.repository }}:{{ .Values.bitbucket.mesh.image.tag }} imagePullPolicy: {{ .Values.image.pullPolicy }} volumeMounts: - name: keystore mountPath: /var/ssl + {{- if.Values.bitbucket.mesh.additionalCertificates.secretName }} - name: certs mountPath: /tmp/crt + {{- else }} + {{- range .Values.bitbucket.mesh.additionalCertificates.secretList }} + {{- $secretName := .name }} + {{- range .keys }} + - name: {{ $secretName }} + mountPath: /tmp/crt/{{$secretName}}-{{ . }} + subPath: {{ . }} + {{- end }} + {{- end }} + {{- end }} command: ["/bin/bash"] args: ["-c", {{ include "bitbucketMesh.addCrtToKeystoreCmd" . }}] resources: @@ -183,12 +194,20 @@ spec: - key: {{ .key }} path: {{ .key }} {{ end }} - {{- if .Values.bitbucket.mesh.additionalCertificates.secretName }} + {{- if or .Values.bitbucket.mesh.additionalCertificates.secretName .Values.bitbucket.mesh.additionalCertificates.secretList }} - name: keystore emptyDir: {} + {{- if .Values.bitbucket.mesh.additionalCertificates.secretName }} - name: certs secret: secretName: {{ .Values.bitbucket.mesh.additionalCertificates.secretName }} + {{- else }} + {{- range .Values.bitbucket.mesh.additionalCertificates.secretList }} + - name: {{ .name }} + secret: + secretName: {{ .name }} + {{- end }} + {{- end }} {{- end }} {{ include "common.jmx.config.volume" . | nindent 8 }} {{ include "bitbucket.mesh.volumeClaimTemplates" . | nindent 2 }} diff --git a/src/main/charts/bitbucket/templates/statefulset.yaml b/src/main/charts/bitbucket/templates/statefulset.yaml index 22927ba1d..522f6470f 100644 --- a/src/main/charts/bitbucket/templates/statefulset.yaml +++ b/src/main/charts/bitbucket/templates/statefulset.yaml 
@@ -86,15 +86,26 @@ spec: {{- end }} {{- end }} {{- include "common.jmx.initContainer" . | nindent 8 }} - {{- if .Values.bitbucket.additionalCertificates.secretName }} + {{- if or .Values.bitbucket.additionalCertificates.secretName .Values.bitbucket.additionalCertificates.secretList }} - name: import-certs image: {{ include "bitbucket.image" . | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} volumeMounts: - name: keystore mountPath: /var/ssl + {{- if.Values.bitbucket.additionalCertificates.secretName }} - name: certs mountPath: /tmp/crt + {{- else }} + {{- range .Values.bitbucket.additionalCertificates.secretList }} + {{- $secretName := .name }} + {{- range .keys }} + - name: {{ $secretName }} + mountPath: /tmp/crt/{{$secretName}}-{{ . }} + subPath: {{ . }} + {{- end }} + {{- end }} + {{- end }} command: ["/bin/bash"] args: ["-c", {{ include "bitbucket.addCrtToKeystoreCmd" . }}] resources: diff --git a/src/main/charts/bitbucket/values.yaml b/src/main/charts/bitbucket/values.yaml index 6c423f8f0..864035323 100644 --- a/src/main/charts/bitbucket/values.yaml +++ b/src/main/charts/bitbucket/values.yaml @@ -1127,7 +1127,21 @@ bitbucket: # -- Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates # additionalCertificates: + # -- Name of the Kubernetes secret with certificates in its data. All secret keys in the secret data + # will be treated as certificates to be added to Java truststore. When defined takes precedence over secretList. + # secretName: + # -- A list of secrets with a list of keys holding certificates to be added to Java truststore. It is mandatory to define which keys + # from secret data need to be mounted as files to the init container + # + secretList: + #- name: self-signed-ca + # keys: + # - ca.crt + # - intermediate.crt + #- name: stg-intermediate + # keys: + # - stg.crt customCmd: initContainer: resources: {} 
@@ -1208,7 +1222,21 @@ bitbucket: # -- Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates # additionalCertificates: + # -- Name of the Kubernetes secret with certificates in its data. All secret keys in the secret data + # will be treated as certificates to be added to Java truststore. When defined takes precedence over secretList. + # secretName: + # -- A list of secrets with a list of keys holding certificates to be added to Java truststore. It is mandatory to define which keys + # from secret data need to be mounted as files to the init container + # + secretList: + #- name: self-signed-ca + # keys: + # - ca.crt + # - intermediate.crt + #- name: stg-intermediate + # keys: + # - stg.crt customCmd: initContainer: resources: {} diff --git a/src/main/charts/confluence/README.md b/src/main/charts/confluence/README.md index 3e2d40579..437422449 100644 --- a/src/main/charts/confluence/README.md +++ b/src/main/charts/confluence/README.md 
@@ -37,7 +37,9 @@ Kubernetes: `>=1.21.x-0` | confluence.accessLog.localHomeSubPath | string | `"logs"` | The subdirectory within the local-home volume where access logs should be stored. | | confluence.accessLog.mountPath | string | `"/opt/atlassian/confluence/logs"` | The path within the Confluence container where the local-home volume should be mounted in order to capture access logs. | | confluence.additionalBundledPlugins | list | `[]` | Specifies a list of additional Confluence plugins that should be added to the Confluence container. Note plugins installed via this method will appear as bundled plugins rather than user plugins. These should be specified in the same manner as the 'additionalLibraries' property. Additional details: https://atlassian.github.io/data-center-helm-charts/examples/external_libraries/EXTERNAL_LIBS/ NOTE: only .jar files can be loaded using this approach. OBR's can be extracted (unzipped) to access the associated .jar An alternative to this method is to install the plugins via "Manage Apps" in the product system administration UI. | -| confluence.additionalCertificates | object | `{"customCmd":null,"initContainer":{"resources":{}},"secretName":null}` | Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates | +| confluence.additionalCertificates | object | `{"customCmd":null,"initContainer":{"resources":{}},"secretList":null,"secretName":null}` | Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates | +| confluence.additionalCertificates.secretList | string | `nil` | A list of secrets with a list of keys holding certificates to be added to Java truststore. It is mandatory to define which keys from secret data need to be mounted as files to the init container | +| confluence.additionalCertificates.secretName | string | `nil` | Name of the Kubernetes secret with certificates in its data. 
All secret keys in the secret data will be treated as certificates to be added to Java truststore. When defined takes precedence over secretList. | | confluence.additionalEnvironmentVariables | list | `[]` | Defines any additional environment variables to be passed to the Confluence container. See https://hub.docker.com/r/atlassian/confluence for supported variables. | | confluence.additionalJvmArgs | list | `[]` | Specifies a list of additional arguments that can be passed to the Confluence JVM, e.g. system properties. | | confluence.additionalLibraries | list | `[]` | Specifies a list of additional Java libraries that should be added to the Confluence container. Each item in the list should specify the name of the volume that contains the library, as well as the name of the library file within that volume's root directory. Optionally, a subDirectory field can be included to specify which directory in the volume contains the library file. Additional details: https://atlassian.github.io/data-center-helm-charts/examples/external_libraries/EXTERNAL_LIBS/ | 
@@ -189,7 +191,9 @@ Kubernetes: `>=1.21.x-0` | serviceAccount.name | string | `nil` | The name of the ServiceAccount to be used by the pods. If not specified, but the "serviceAccount.create" flag is set to 'true', then the ServiceAccount name will be auto-generated, otherwise the 'default' ServiceAccount will be used. https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server | | serviceAccount.role.create | bool | `true` | Create a role for Hazelcast client with privileges to get and list pods and endpoints in the namespace. Set to false if you need to create a Role and RoleBinding manually | | serviceAccount.roleBinding | object | `{"create":true}` | Grant permissions defined in Role (list and get pods and endpoints) to a service account. | -| synchrony.additionalCertificates | object | `{"customCmd":null,"initContainer":{"resources":{}},"secretName":null}` | Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates | +| synchrony.additionalCertificates | object | `{"customCmd":null,"initContainer":{"resources":{}},"secretList":null,"secretName":null}` | Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates | +| synchrony.additionalCertificates.secretList | string | `nil` | A list of secrets with a list of keys holding certificates to be added to Java truststore. It is mandatory to define which keys from secret data need to be mounted as files to the init container | +| synchrony.additionalCertificates.secretName | string | `nil` | Name of the Kubernetes secret with certificates in its data. All secret keys in the secret data will be treated as certificates to be added to Java truststore. When defined takes precedence over secretList. | | synchrony.additionalJvmArgs | list | `[]` | Specifies a list of additional arguments that can be passed to the Synchrony JVM, e.g. 
system properties. | | synchrony.additionalLibraries | list | `[]` | Specifies a list of additional Java libraries that should be added to the Synchrony container. Each item in the list should specify the name of the volume that contains the library, as well as the name of the library file within that volume's root directory. Optionally, a subDirectory field can be included to specify which directory in the volume contains the library file. Additional details: https://atlassian.github.io/data-center-helm-charts/examples/external_libraries/EXTERNAL_LIBS/ | | synchrony.additionalPorts | list | `[]` | Defines any additional ports for the Synchrony container. | diff --git a/src/main/charts/confluence/templates/_helpers.tpl b/src/main/charts/confluence/templates/_helpers.tpl index 86e1ae432..aa3f473ec 100644 --- a/src/main/charts/confluence/templates/_helpers.tpl +++ b/src/main/charts/confluence/templates/_helpers.tpl @@ -464,12 +464,20 @@ For each additional plugin declared, generate a volume mount that injects that l - key: seraph-config.xml path: seraph-config.xml {{- end }} -{{- if .Values.confluence.additionalCertificates.secretName }} +{{- if or .Values.confluence.additionalCertificates.secretName .Values.confluence.additionalCertificates.secretList }} - name: keystore emptyDir: {} +{{- if .Values.confluence.additionalCertificates.secretName }} - name: certs secret: secretName: {{ .Values.confluence.additionalCertificates.secretName }} +{{- else }} +{{- range .Values.confluence.additionalCertificates.secretList }} +- name: {{ .name }} + secret: + secretName: {{ .name }} +{{- end }} +{{- end }} {{- end }} {{- if or .Values.atlassianAnalyticsAndSupport.analytics.enabled .Values.atlassianAnalyticsAndSupport.helmValues.enabled }} - name: helm-values 
@@ -488,12 +496,20 @@ For each additional plugin declared, generate a volume mount that injects that l {{- with .Values.volumes.additionalSynchrony }} {{- toYaml . | nindent 0 }} {{- end }} -{{- if .Values.synchrony.additionalCertificates.secretName }} +{{- if or .Values.synchrony.additionalCertificates.secretName .Values.synchrony.additionalCertificates.secretList }} - name: keystore emptyDir: {} +{{- if .Values.synchrony.additionalCertificates.secretName }} - name: certs secret: secretName: {{ .Values.synchrony.additionalCertificates.secretName }} +{{- else }} +{{- range .Values.synchrony.additionalCertificates.secretList }} +- name: {{ .name }} + secret: + secretName: {{ .name }} +{{- end }} +{{- end }} {{- end }} {{- end }} diff --git a/src/main/charts/confluence/templates/statefulset-synchrony.yaml b/src/main/charts/confluence/templates/statefulset-synchrony.yaml index 53d3a64ea..7cb226dc5 100644 --- a/src/main/charts/confluence/templates/statefulset-synchrony.yaml +++ b/src/main/charts/confluence/templates/statefulset-synchrony.yaml @@ -47,7 +47,7 @@ spec: {{- end }} hostAliases: {{- include "confluence.additionalHosts" . | nindent 8 }} - {{- if .Values.synchrony.additionalCertificates.secretName }} + {{- if or .Values.synchrony.additionalCertificates.secretName .Values.synchrony.additionalCertificates.secretList }} initContainers: - name: import-certs image: {{ include "confluence.image" . | quote }} @@ -55,8 +55,19 @@ spec: volumeMounts: - name: keystore mountPath: /var/ssl + {{- if.Values.synchrony.additionalCertificates.secretName }} - name: certs mountPath: /tmp/crt + {{- else }} + {{- range .Values.synchrony.additionalCertificates.secretList }} + {{- $secretName := .name }} + {{- range .keys }} + - name: {{ $secretName }} + mountPath: /tmp/crt/{{$secretName}}-{{ . }} + subPath: {{ . }} + {{- end }} + {{- end }} + {{- end }} command: ["/bin/bash"] args: ["-c", {{ include "synchrony.addCrtToKeystoreCmd" . }}] resources: 
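Review bot: Nothing enforces that a `secretList` entry carries `keys`, although values.yaml in this commit calls it mandatory: for an entry without `keys`, `range .keys` is a no-op, the volume is declared but nothing lands under /tmp/crt, and the mistake only surfaces when the import-certs init container runs against an empty directory. Adding `{{- if not .keys }}{{ fail (printf "synchrony.additionalCertificates.secretList[%s].keys must be set" $secretName) }}{{- end }}` directly after `{{- $secretName := .name }}` turns that into a template-time error. Separately, `{{- if.Values.synchrony.additionalCertificates.secretName }}` is missing the space after `if` that every other action in this hunk has; it parses, but it is inconsistent. Both points apply equally to the confluence, crowd and jira statefulset.yaml hunks.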
diff --git a/src/main/charts/confluence/templates/statefulset.yaml b/src/main/charts/confluence/templates/statefulset.yaml index f440e3816..22c18d541 100644 --- a/src/main/charts/confluence/templates/statefulset.yaml +++ b/src/main/charts/confluence/templates/statefulset.yaml @@ -98,15 +98,26 @@ spec: command: ["sh", "-c", {{ include "confluence.sharedHome.permissionFix.command" . | quote }}] {{- end }} {{- include "common.jmx.initContainer" . | nindent 8 }} - {{- if .Values.confluence.additionalCertificates.secretName }} + {{- if or .Values.confluence.additionalCertificates.secretName .Values.confluence.additionalCertificates.secretList }} - name: import-certs image: {{ include "confluence.image" . | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} volumeMounts: - name: keystore mountPath: /var/ssl + {{- if.Values.confluence.additionalCertificates.secretName }} - name: certs mountPath: /tmp/crt + {{- else }} + {{- range .Values.confluence.additionalCertificates.secretList }} + {{- $secretName := .name }} + {{- range .keys }} + - name: {{ $secretName }} + mountPath: /tmp/crt/{{$secretName}}-{{ . }} + subPath: {{ . }} + {{- end }} + {{- end }} + {{- end }} command: ["/bin/bash"] args: ["-c", {{ include "confluence.addCrtToKeystoreCmd" . }}] resources: diff --git a/src/main/charts/confluence/values.yaml b/src/main/charts/confluence/values.yaml index 163eed192..a2f5c18bb 100644 --- a/src/main/charts/confluence/values.yaml +++ b/src/main/charts/confluence/values.yaml 
@@ -1043,7 +1043,21 @@ confluence: # -- Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates # additionalCertificates: + # -- Name of the Kubernetes secret with certificates in its data. All secret keys in the secret data + # will be treated as certificates to be added to Java truststore. When defined takes precedence over secretList. + # secretName: + # -- A list of secrets with a list of keys holding certificates to be added to Java truststore. It is mandatory to define which keys + # from secret data need to be mounted as files to the init container + # + secretList: + #- name: self-signed-ca + # keys: + # - ca.crt + # - intermediate.crt + #- name: stg-intermediate + # keys: + # - stg.crt customCmd: initContainer: resources: {} @@ -1346,7 +1360,21 @@ synchrony: # -- Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates # additionalCertificates: + # -- Name of the Kubernetes secret with certificates in its data. All secret keys in the secret data + # will be treated as certificates to be added to Java truststore. When defined takes precedence over secretList. + # secretName: + # -- A list of secrets with a list of keys holding certificates to be added to Java truststore. It is mandatory to define which keys + # from secret data need to be mounted as files to the init container + # + secretList: + #- name: self-signed-ca + # keys: + # - ca.crt + # - intermediate.crt + #- name: stg-intermediate + # keys: + # - stg.crt customCmd: initContainer: resources: {} diff --git a/src/main/charts/crowd/README.md b/src/main/charts/crowd/README.md index 9b9338eea..4f4240f44 100644 --- a/src/main/charts/crowd/README.md +++ b/src/main/charts/crowd/README.md 
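Review bot: `secretList:` is introduced with a null default, and the README rows in this same commit render its type as `string`, which contradicts the comment and the example that describe a list of `{name, keys}` objects. If the README tables are produced by helm-docs, a type hint in the comment — `# -- (list) A list of secrets with a list of keys holding certificates to be added to Java truststore. ...` — fixes the rendered type without changing the default. The same applies to the synchrony block in the second hunk of this file and to the crowd and jira values.yaml hunks.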
@@ -36,7 +36,9 @@ Kubernetes: `>=1.21.x-0` | crowd.accessLog.localHomeSubPath | string | `"logs"` | The subdirectory within the local-home volume where access logs should be stored. | | crowd.accessLog.mountPath | string | `"/opt/atlassian/crowd/apache-tomcat/logs"` | The path within the Crowd container where the local-home volume should be mounted in order to capture access logs. | | crowd.additionalBundledPlugins | list | `[]` | Specifies a list of additional Crowd plugins that should be added to the Crowd container. Note plugins installed via this method will appear as bundled plugins rather than user plugins. These should be specified in the same manner as the 'additionalLibraries' property. Additional details: https://atlassian.github.io/data-center-helm-charts/examples/external_libraries/EXTERNAL_LIBS/ NOTE: only .jar files can be loaded using this approach. OBR's can be extracted (unzipped) to access the associated .jar An alternative to this method is to install the plugins via "Manage Apps" in the product system administration UI. | -| crowd.additionalCertificates | object | `{"customCmd":null,"initContainer":{"resources":{}},"secretName":null}` | Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates | +| crowd.additionalCertificates | object | `{"customCmd":null,"initContainer":{"resources":{}},"secretList":null,"secretName":null}` | Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates | +| crowd.additionalCertificates.secretList | string | `nil` | A list of secrets with a list of keys holding certificates to be added to Java truststore. It is mandatory to define which keys from secret data need to be mounted as files to the init container | +| crowd.additionalCertificates.secretName | string | `nil` | Name of the Kubernetes secret with certificates in its data. 
All secret keys in the secret data will be treated as certificates to be added to Java truststore. When defined takes precedence over secretList. | | crowd.additionalEnvironmentVariables | list | `[]` | Defines any additional environment variables to be passed to the Crowd container. See https://hub.docker.com/r/atlassian/crowd for supported variables. | | crowd.additionalJvmArgs | list | `[]` | Specifies a list of additional arguments that can be passed to the Crowd JVM, e.g. system properties. | | crowd.additionalLibraries | list | `[]` | Specifies a list of additional Java libraries that should be added to the Crowd container. Each item in the list should specify the name of the volume that contains the library, as well as the name of the library file within that volume's root directory. Optionally, a subDirectory field can be included to specify which directory in the volume contains the library file. Additional details: https://atlassian.github.io/data-center-helm-charts/examples/external_libraries/EXTERNAL_LIBS/ | diff --git a/src/main/charts/crowd/templates/_helpers.tpl b/src/main/charts/crowd/templates/_helpers.tpl index 112d46790..3527b017b 100644 --- a/src/main/charts/crowd/templates/_helpers.tpl +++ b/src/main/charts/crowd/templates/_helpers.tpl 
@@ -250,12 +250,20 @@ For each additional plugin declared, generate a volume mount that injects that l {{- with .Values.volumes.additional }} {{- toYaml . | nindent 0 }} {{- end }} -{{- if .Values.crowd.additionalCertificates.secretName }} +{{- if or .Values.crowd.additionalCertificates.secretName .Values.crowd.additionalCertificates.secretList }} - name: keystore emptyDir: {} +{{- if .Values.crowd.additionalCertificates.secretName }} - name: certs secret: secretName: {{ .Values.crowd.additionalCertificates.secretName }} +{{- else }} +{{- range .Values.crowd.additionalCertificates.secretList }} +- name: {{ .name }} + secret: + secretName: {{ .name }} +{{- end }} +{{- end }} {{- end }} {{- if or .Values.atlassianAnalyticsAndSupport.analytics.enabled .Values.atlassianAnalyticsAndSupport.helmValues.enabled }} - name: helm-values diff --git a/src/main/charts/crowd/templates/statefulset.yaml b/src/main/charts/crowd/templates/statefulset.yaml index b22e2ca53..e7012304b 100644 --- a/src/main/charts/crowd/templates/statefulset.yaml +++ b/src/main/charts/crowd/templates/statefulset.yaml 
@@ -79,15 +79,26 @@ spec: command: ["sh", "-c", {{ include "crowd.sharedHome.permissionFix.command" . | quote }}] {{- end }} {{- include "common.jmx.initContainer" . | nindent 8 }} - {{- if .Values.crowd.additionalCertificates.secretName }} + {{- if or .Values.crowd.additionalCertificates.secretName .Values.crowd.additionalCertificates.secretList }} - name: import-certs image: {{ include "crowd.image" . | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} volumeMounts: - name: keystore mountPath: /var/ssl + {{- if.Values.crowd.additionalCertificates.secretName }} - name: certs mountPath: /tmp/crt + {{- else }} + {{- range .Values.crowd.additionalCertificates.secretList }} + {{- $secretName := .name }} + {{- range .keys }} + - name: {{ $secretName }} + mountPath: /tmp/crt/{{$secretName}}-{{ . }} + subPath: {{ . }} + {{- end }} + {{- end }} + {{- end }} command: ["/bin/bash"] args: ["-c", {{ include "crowd.addCrtToKeystoreCmd" . }}] resources: diff --git a/src/main/charts/crowd/values.yaml b/src/main/charts/crowd/values.yaml index ce8e26c02..99c8b00e2 100644 --- a/src/main/charts/crowd/values.yaml +++ b/src/main/charts/crowd/values.yaml @@ -449,7 +449,21 @@ crowd: # -- Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates # additionalCertificates: + # -- Name of the Kubernetes secret with certificates in its data. All secret keys in the secret data + # will be treated as certificates to be added to Java truststore. When defined takes precedence over secretList. + # secretName: + # -- A list of secrets with a list of keys holding certificates to be added to Java truststore. It is mandatory to define which keys + # from secret data need to be mounted as files to the init container + # + secretList: + #- name: self-signed-ca + # keys: + # - ca.crt + # - intermediate.crt + #- name: stg-intermediate + # keys: + # - stg.crt customCmd: initContainer: resources: {} 
diff --git a/src/main/charts/jira/README.md b/src/main/charts/jira/README.md index 327028835..7044f7d8d 100644 --- a/src/main/charts/jira/README.md +++ b/src/main/charts/jira/README.md 
@@ -70,7 +70,10 @@ Kubernetes: `>=1.21.x-0` | jira.accessLog.localHomeSubPath | string | `"log"` | The subdirectory within the local-home volume where access logs should be stored. | | jira.accessLog.mountPath | string | `"/opt/atlassian/jira/logs"` | The path within the Jira container where the local-home volume should be mounted in order to capture access logs. | | jira.additionalBundledPlugins | list | `[]` | Specifies a list of additional Jira plugins that should be added to the Jira container. Note plugins installed via this method will appear as bundled plugins rather than user plugins. These should be specified in the same manner as the 'additionalLibraries' property. Additional details: https://atlassian.github.io/data-center-helm-charts/examples/external_libraries/EXTERNAL_LIBS/ NOTE: only .jar files can be loaded using this approach. OBR's can be extracted (unzipped) to access the associated .jar An alternative to this method is to install the plugins via "Manage Apps" in the product system administration UI. | -| jira.additionalCertificates | object | `{"customCmd":null,"initContainer":{"resources":{}},"secretName":null}` | Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates | +| jira.additionalCertificates | object | `{"customCmd":null,"initContainer":{"resources":{}},"secretList":null,"secretName":null}` | Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates | +| jira.additionalCertificates.initContainer.resources | object | `{}` | Resources requests and limits for the import-certs init container | +| jira.additionalCertificates.secretList | string | `nil` | A list of secrets with a list of keys holding certificates to be added to Java truststore. 
It is mandatory to define which keys from secret data need to be mounted as files to the init container | +| jira.additionalCertificates.secretName | string | `nil` | Name of the Kubernetes secret with certificates in its data. All secret keys in the secret data will be treated as certificates to be added to Java truststore. When defined takes precedence over secretList. | | jira.additionalEnvironmentVariables | list | `[]` | Defines any additional environment variables to be passed to the Jira container. See https://hub.docker.com/r/atlassian/jira-software for supported variables. | | jira.additionalJvmArgs | list | `[]` | | | jira.additionalLibraries | list | `[]` | Specifies a list of additional Java libraries that should be added to the Jira container. Each item in the list should specify the name of the volume that contains the library, as well as the name of the library file within that volume's root directory. Optionally, a subDirectory field can be included to specify which directory in the volume contains the library file. Additional details: https://atlassian.github.io/data-center-helm-charts/examples/external_libraries/EXTERNAL_LIBS/ | diff --git a/src/main/charts/jira/templates/_helpers.tpl b/src/main/charts/jira/templates/_helpers.tpl index d32f3dd22..4419ddf9e 100644 --- a/src/main/charts/jira/templates/_helpers.tpl +++ b/src/main/charts/jira/templates/_helpers.tpl @@ -174,7 +174,7 @@ on Tomcat's logs directory. THis ensures that Tomcat+Jira logs get captured in t mountPath: /opt/atlassian/jira/atlassian-jira/WEB-INF/classes/seraph-config.xml subPath: seraph-config.xml {{- end }} -{{- if .Values.jira.additionalCertificates.secretName }} +{{- if or .Values.jira.additionalCertificates.secretName .Values.jira.additionalCertificates.secretList }} - name: keystore mountPath: /var/ssl {{- end }} 
@@ -296,12 +296,20 @@ For each additional plugin declared, generate a volume mount that injects that l - key: seraph-config.xml path: seraph-config.xml {{- end }} -{{- if .Values.jira.additionalCertificates.secretName }} +{{- if or .Values.jira.additionalCertificates.secretName .Values.jira.additionalCertificates.secretList }} - name: keystore emptyDir: {} +{{- if .Values.jira.additionalCertificates.secretName }} - name: certs secret: secretName: {{ .Values.jira.additionalCertificates.secretName }} +{{- else }} +{{- range .Values.jira.additionalCertificates.secretList }} +- name: {{ .name }} + secret: + secretName: {{ .name }} +{{- end }} +{{- end }} {{- end }} {{- if or .Values.atlassianAnalyticsAndSupport.analytics.enabled .Values.atlassianAnalyticsAndSupport.helmValues.enabled }} - name: helm-values diff --git a/src/main/charts/jira/templates/statefulset.yaml b/src/main/charts/jira/templates/statefulset.yaml index 7646484e7..eaf5652db 100644 --- a/src/main/charts/jira/templates/statefulset.yaml +++ b/src/main/charts/jira/templates/statefulset.yaml 
@@ -79,15 +79,26 @@ spec: command: ["sh", "-c", {{ include "jira.sharedHome.permissionFix.command" . | quote }}] {{- end }} {{- include "common.jmx.initContainer" . | nindent 8 }} - {{- if .Values.jira.additionalCertificates.secretName }} + {{- if or .Values.jira.additionalCertificates.secretName .Values.jira.additionalCertificates.secretList }} - name: import-certs image: {{ include "jira.image" . | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} volumeMounts: - name: keystore mountPath: /var/ssl + {{- if.Values.jira.additionalCertificates.secretName }} - name: certs mountPath: /tmp/crt + {{- else }} + {{- range .Values.jira.additionalCertificates.secretList }} + {{- $secretName := .name }} + {{- range .keys }} + - name: {{ $secretName }} + mountPath: /tmp/crt/{{$secretName}}-{{ . }} + subPath: {{ . }} + {{- end }} + {{- end }} + {{- end }} command: ["/bin/bash"] args: ["-c", {{ include "jira.addCrtToKeystoreCmd" . }}] resources: diff --git a/src/main/charts/jira/values.yaml b/src/main/charts/jira/values.yaml index e4f759cf8..d5553f817 100644 --- a/src/main/charts/jira/values.yaml +++ b/src/main/charts/jira/values.yaml 
@@ -868,9 +868,25 @@ jira: # -- Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates # additionalCertificates: + # -- Name of the Kubernetes secret with certificates in its data. All secret keys in the secret data + # will be treated as certificates to be added to Java truststore. When defined takes precedence over secretList. + # secretName: + # -- A list of secrets with a list of keys holding certificates to be added to Java truststore. It is mandatory to define which keys + # from secret data need to be mounted as files to the init container + # + secretList: + #- name: self-signed-ca + # keys: + # - ca.crt + # - intermediate.crt + #- name: stg-intermediate + # keys: + # - stg.crt customCmd: initContainer: + # -- Resources requests and limits for the import-certs init container + # resources: {} # Monitoring diff --git a/src/test/java/test/AdditionalCertificatesTest.java b/src/test/java/test/AdditionalCertificatesTest.java index d4bc514cf..60770ac0c 100644 --- a/src/test/java/test/AdditionalCertificatesTest.java +++ b/src/test/java/test/AdditionalCertificatesTest.java 
@@ -257,4 +257,124 @@ void additional_certificates_bitbucket_mesh_init_resources(Product product) thro assertThat(statefulSet.getInitContainers().get(0).path("resources").path("limits").path("memory")).hasTextEqualTo("1Gi"); assertThat(statefulSet.getInitContainers().get(0).path("resources").path("limits").path("cpu")).hasTextEqualTo("20m"); } + + @ParameterizedTest + @EnumSource(value = Product.class, names = {"bamboo_agent"}, mode = EnumSource.Mode.EXCLUDE) + void additional_certificates_multi_volumes(Product product) throws Exception { + final var resources = helm.captureKubeResourcesFromHelmChart(product, Map.of( + "volumes.sharedHome.persistentVolumeClaim.create", "true", + product.name() + ".additionalCertificates.secretList[0].name", "self-signed-ca", + product.name() + ".additionalCertificates.secretList[0].keys[0]", "ca.crt", + product.name() + ".additionalCertificates.secretList[0].keys[1]", "stg.crt" + + )); + final var statefulSet = resources.getStatefulSet(product.getHelmReleaseName()); + assertThat(statefulSet.getVolume("keystore").get().path("emptyDir")).isEmpty(); + assertThat(statefulSet.getVolume("self-signed-ca").get().path("secret").path("secretName")).hasTextEqualTo("self-signed-ca"); + } + + @ParameterizedTest + @EnumSource(value = Product.class, names = {"bamboo_agent"}, mode = EnumSource.Mode.EXCLUDE) + void additional_certificates_multi_volume_mounts(Product product) throws Exception { + final var resources = helm.captureKubeResourcesFromHelmChart(product, Map.of( + "volumes.sharedHome.persistentVolumeClaim.create", "true", + product.name() + ".additionalCertificates.secretList[0].name", "self-signed-ca", + product.name() + ".additionalCertificates.secretList[0].keys[0]", "ca.crt", + product.name() + ".additionalCertificates.secretList[0].keys[1]", "stg.crt", + product.name() + ".additionalCertificates.secretList[1].name", "custom-ca", + product.name() + ".additionalCertificates.secretList[1].keys[0]", "custom.crt" + + )); + final var 
statefulSet = resources.getStatefulSet(product.getHelmReleaseName()); + assertThat(statefulSet.getInitContainers().get(1).path("name")).hasTextEqualTo("import-certs"); + assertThat(statefulSet.getInitContainers().get(1).path("volumeMounts").path(1).get("name")).hasTextEqualTo("self-signed-ca"); + assertThat(statefulSet.getInitContainers().get(1).path("volumeMounts").path(1).get("mountPath")).hasTextEqualTo("/tmp/crt/self-signed-ca-ca.crt"); + assertThat(statefulSet.getInitContainers().get(1).path("volumeMounts").path(1).get("subPath")).hasTextEqualTo("ca.crt"); + assertThat(statefulSet.getInitContainers().get(1).path("volumeMounts").path(2).get("name")).hasTextEqualTo("self-signed-ca"); + assertThat(statefulSet.getInitContainers().get(1).path("volumeMounts").path(2).get("mountPath")).hasTextEqualTo("/tmp/crt/self-signed-ca-stg.crt"); + assertThat(statefulSet.getInitContainers().get(1).path("volumeMounts").path(2).get("subPath")).hasTextEqualTo("stg.crt"); + assertThat(statefulSet.getInitContainers().get(1).path("volumeMounts").path(3).get("name")).hasTextEqualTo("custom-ca"); + assertThat(statefulSet.getInitContainers().get(1).path("volumeMounts").path(3).get("mountPath")).hasTextEqualTo("/tmp/crt/custom-ca-custom.crt"); + assertThat(statefulSet.getInitContainers().get(1).path("volumeMounts").path(3).get("subPath")).hasTextEqualTo("custom.crt"); + } + + @ParameterizedTest + @EnumSource(value = Product.class, names = {"confluence"}, mode = EnumSource.Mode.INCLUDE) + void additional_certificates_multi_volume_mounts_synchrony(Product product) throws Exception { + final var resources = helm.captureKubeResourcesFromHelmChart(product, Map.of( + "synchrony.enabled", "true", + "synchrony.additionalCertificates.secretList[0].name", "self-signed-ca", + "synchrony.additionalCertificates.secretList[0].keys[0]", "ca.crt", + "synchrony.additionalCertificates.secretList[0].keys[1]", "stg.crt", + "synchrony.additionalCertificates.secretList[1].name", "custom-ca", + 
"synchrony.additionalCertificates.secretList[1].keys[0]", "custom.crt" + + )); + final var statefulSet = resources.getStatefulSet(product.getHelmReleaseName() + "-synchrony"); + assertThat(statefulSet.getInitContainers().get(0).path("name")).hasTextEqualTo("import-certs"); + assertThat(statefulSet.getInitContainers().get(0).path("volumeMounts").path(1).get("name")).hasTextEqualTo("self-signed-ca"); + assertThat(statefulSet.getInitContainers().get(0).path("volumeMounts").path(1).get("mountPath")).hasTextEqualTo("/tmp/crt/self-signed-ca-ca.crt"); + assertThat(statefulSet.getInitContainers().get(0).path("volumeMounts").path(1).get("subPath")).hasTextEqualTo("ca.crt"); + assertThat(statefulSet.getInitContainers().get(0).path("volumeMounts").path(2).get("name")).hasTextEqualTo("self-signed-ca"); + assertThat(statefulSet.getInitContainers().get(0).path("volumeMounts").path(2).get("mountPath")).hasTextEqualTo("/tmp/crt/self-signed-ca-stg.crt"); + assertThat(statefulSet.getInitContainers().get(0).path("volumeMounts").path(2).get("subPath")).hasTextEqualTo("stg.crt"); + assertThat(statefulSet.getInitContainers().get(0).path("volumeMounts").path(3).get("name")).hasTextEqualTo("custom-ca"); + assertThat(statefulSet.getInitContainers().get(0).path("volumeMounts").path(3).get("mountPath")).hasTextEqualTo("/tmp/crt/custom-ca-custom.crt"); + assertThat(statefulSet.getInitContainers().get(0).path("volumeMounts").path(3).get("subPath")).hasTextEqualTo("custom.crt"); + } + + @ParameterizedTest + @EnumSource(value = Product.class, names = {"confluence"}, mode = EnumSource.Mode.INCLUDE) + void additional_certificates_multi_volumes_synchrony(Product product) throws Exception { + final var resources = helm.captureKubeResourcesFromHelmChart(product, Map.of( + "synchrony.enabled", "true", + "synchrony.additionalCertificates.secretList[0].name", "self-signed-ca", + "synchrony.additionalCertificates.secretList[0].keys[0]", "ca.crt", + 
"synchrony.additionalCertificates.secretList[0].keys[1]", "stg.crt" + + )); + final var statefulSet = resources.getStatefulSet(product.getHelmReleaseName() + "-synchrony"); + assertThat(statefulSet.getVolume("keystore").get().path("emptyDir")).isEmpty(); + assertThat(statefulSet.getVolume("self-signed-ca").get().path("secret").path("secretName")).hasTextEqualTo("self-signed-ca"); + } + + @ParameterizedTest + @EnumSource(value = Product.class, names = {"bitbucket"}, mode = EnumSource.Mode.INCLUDE) + void additional_certificates_multi_volumes_mesh(Product product) throws Exception { + final var resources = helm.captureKubeResourcesFromHelmChart(product, Map.of( + "bitbucket.mesh.enabled", "true", + product.name() + ".mesh.additionalCertificates.secretList[0].name", "self-signed-ca", + product.name() + ".mesh.additionalCertificates.secretList[0].keys[0]", "ca.crt", + product.name() + ".mesh.additionalCertificates.secretList[0].keys[1]", "stg.crt" + + )); + final var statefulSet = resources.getStatefulSet(product.getHelmReleaseName() + "-mesh"); + assertThat(statefulSet.getVolume("keystore").get().path("emptyDir")).isEmpty(); + assertThat(statefulSet.getVolume("self-signed-ca").get().path("secret").path("secretName")).hasTextEqualTo("self-signed-ca"); + } + + @ParameterizedTest + @EnumSource(value = Product.class, names = {"bitbucket"}, mode = EnumSource.Mode.INCLUDE) + void additional_certificates_multi_volume_mounts_mesh(Product product) throws Exception { + final var resources = helm.captureKubeResourcesFromHelmChart(product, Map.of( + "bitbucket.mesh.enabled", "true", + product.name() + ".mesh.additionalCertificates.secretList[0].name", "self-signed-ca", + product.name() + ".mesh.additionalCertificates.secretList[0].keys[0]", "ca.crt", + product.name() + ".mesh.additionalCertificates.secretList[0].keys[1]", "stg.crt", + product.name() + ".mesh.additionalCertificates.secretList[1].name", "custom-ca", + product.name() + 
".mesh.additionalCertificates.secretList[1].keys[0]", "custom.crt" + + )); + final var statefulSet = resources.getStatefulSet(product.getHelmReleaseName() + "-mesh"); + assertThat(statefulSet.getInitContainers().get(0).path("name")).hasTextEqualTo("import-certs"); + assertThat(statefulSet.getInitContainers().get(0).path("volumeMounts").path(1).get("name")).hasTextEqualTo("self-signed-ca"); + assertThat(statefulSet.getInitContainers().get(0).path("volumeMounts").path(1).get("mountPath")).hasTextEqualTo("/tmp/crt/self-signed-ca-ca.crt"); + assertThat(statefulSet.getInitContainers().get(0).path("volumeMounts").path(1).get("subPath")).hasTextEqualTo("ca.crt"); + assertThat(statefulSet.getInitContainers().get(0).path("volumeMounts").path(2).get("name")).hasTextEqualTo("self-signed-ca"); + assertThat(statefulSet.getInitContainers().get(0).path("volumeMounts").path(2).get("mountPath")).hasTextEqualTo("/tmp/crt/self-signed-ca-stg.crt"); + assertThat(statefulSet.getInitContainers().get(0).path("volumeMounts").path(2).get("subPath")).hasTextEqualTo("stg.crt"); + assertThat(statefulSet.getInitContainers().get(0).path("volumeMounts").path(3).get("name")).hasTextEqualTo("custom-ca"); + assertThat(statefulSet.getInitContainers().get(0).path("volumeMounts").path(3).get("mountPath")).hasTextEqualTo("/tmp/crt/custom-ca-custom.crt"); + assertThat(statefulSet.getInitContainers().get(0).path("volumeMounts").path(3).get("subPath")).hasTextEqualTo("custom.crt"); + } }
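Review bot: None of the added tests covers the precedence rule the values.yaml text promises (secretName wins over secretList); a case that sets both `product.name() + ".additionalCertificates.secretName"` and `".additionalCertificates.secretList[0].name"` and asserts `statefulSet.getVolume("certs")` is present while `statefulSet.getVolume("self-signed-ca")` is empty would pin the `if secretName / else range secretList` branch in the templates. The mount assertions also depend on positional indexes — `getInitContainers().get(1)` and `volumeMounts.path(1..3)` — so a reordering of init containers or mounts fails them for reasons unrelated to the certificate logic; selecting the container by its `name` and the mounts by `mountPath` would make the intent explicit. The ten-assertion block is repeated verbatim in additional_certificates_multi_volume_mounts, the _synchrony and the _mesh variants; a private helper taking the container node and the expected prefix would remove the duplication.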