Fix secretList in additionalCertificates (#874)

* Fix secretList in additionalCertificates * Fix unit tests * Update _helpers.tpl * Fix unit tests --------- Co-authored-by: Yevhen Ivantsov <[email protected]>
atlassian · Sep 9, 2024 · b042c16 · b042c16
1 parent 0aeddbc
commit b042c16
Show file tree

Hide file tree

Showing 17 changed files with 133 additions and 27 deletions.
diff --git a/src/main/charts/bamboo/templates/_helpers.tpl b/src/main/charts/bamboo/templates/_helpers.tpl
@@ -170,7 +170,7 @@ on Tomcat's logs directory. THis ensures that Tomcat+Bamboo logs get captured in
   {{- if .Values.volumes.sharedHome.subPath }}
   subPath: {{ .Values.volumes.sharedHome.subPath | quote }}
   {{- end }}
-{{- if .Values.bamboo.additionalCertificates.secretName }}
+{{- if or .Values.bamboo.additionalCertificates.secretName .Values.bamboo.additionalCertificates.secretList }}
 - name: keystore
   mountPath: /var/ssl
 {{- end }}

diff --git a/src/main/charts/bamboo/templates/config-jvm.yaml b/src/main/charts/bamboo/templates/config-jvm.yaml
@@ -10,7 +10,7 @@ data:
     {{ . }}
     {{- end }}
     -XX:ActiveProcessorCount={{ include "flooredCPU" .Values.bamboo.resources.container.requests.cpu }}
-    {{- if .Values.bamboo.additionalCertificates.secretName }}
+    {{- if or .Values.bamboo.additionalCertificates.secretName .Values.bamboo.additionalCertificates.secretList }}
     -Djavax.net.ssl.trustStore=/var/ssl/cacerts
     {{- end }}
     {{ include "common.jmx.javaagent" . | indent 4 | trim }}

diff --git a/src/main/charts/bitbucket/templates/config-jvm-mesh.yaml b/src/main/charts/bitbucket/templates/config-jvm-mesh.yaml
@@ -13,7 +13,7 @@ data:
     {{- if .Values.monitoring.exposeJmxMetrics }}
     -javaagent:{{ .Values.monitoring.jmxExporterCustomJarLocation | default (printf "%s/jmx_prometheus_javaagent.jar" ( .Values.bitbucket.mesh.volume.mountPath)) }}={{ .Values.monitoring.jmxExporterPort}}:/opt/atlassian/jmx/jmx-config.yaml
     {{- end }}
-    {{- if .Values.bitbucket.mesh.additionalCertificates.secretName }}
+    {{- if or .Values.bitbucket.mesh.additionalCertificates.secretName .Values.bitbucket.mesh.additionalCertificates.secretList }}
     -Djavax.net.ssl.trustStore=/var/ssl/cacerts
     {{- end }}
   max_heap: {{ .Values.bitbucket.mesh.resources.jvm.maxHeap }}

diff --git a/src/main/charts/bitbucket/templates/config-jvm.yaml b/src/main/charts/bitbucket/templates/config-jvm.yaml
@@ -14,7 +14,7 @@ data:
     {{- if .Values.monitoring.exposeJmxMetrics }}
     -Dplugin.bitbucket-git.mesh.sidecar.jvmArgs=-javaagent:{{ .Values.monitoring.jmxExporterCustomJarLocation | default (printf "%s/jmx_prometheus_javaagent.jar"  .Values.volumes.sharedHome.mountPath) }}=9998:/opt/atlassian/jmx/jmx-config.yaml
     {{- end }}
-    {{- if .Values.bitbucket.additionalCertificates.secretName }}
+    {{- if or .Values.bitbucket.additionalCertificates.secretName .Values.bitbucket.additionalCertificates.secretList }}
     -Djavax.net.ssl.trustStore=/var/ssl/cacerts
     {{- end }}
   max_heap: {{ .Values.bitbucket.resources.jvm.maxHeap }}

diff --git a/src/main/charts/bitbucket/templates/statefulset-mesh.yaml b/src/main/charts/bitbucket/templates/statefulset-mesh.yaml
@@ -121,7 +121,7 @@ spec:
               mountPath: {{ .mountPath }}/{{ .key }}
               subPath: {{ .key }}
             {{ end }}
-            {{- if .Values.bitbucket.mesh.additionalCertificates.secretName }}
+            {{- if or .Values.bitbucket.mesh.additionalCertificates.secretName .Values.bitbucket.mesh.additionalCertificates.secretList }}
             - name: keystore
               mountPath: /var/ssl
             {{- end }}

diff --git a/src/main/charts/bitbucket/templates/statefulset.yaml b/src/main/charts/bitbucket/templates/statefulset.yaml
@@ -188,7 +188,7 @@ spec:
               subPath: {{ .Values.volumes.sharedHome.subPath | quote }}
               {{- end }}
             {{- end }}
-            {{- if .Values.bitbucket.additionalCertificates.secretName }}
+            {{- if or .Values.bitbucket.additionalCertificates.secretName .Values.bitbucket.additionalCertificates.secretList }}
             - name: keystore
               mountPath: /var/ssl
             {{- end }}

diff --git a/src/main/charts/confluence/templates/_helpers.tpl b/src/main/charts/confluence/templates/_helpers.tpl
@@ -283,7 +283,7 @@ on Tomcat's logs directory. THis ensures that Tomcat+Confluence logs get capture
   mountPath: /opt/atlassian/confluence/confluence/WEB-INF/classes/seraph-config.xml
   subPath: seraph-config.xml
 {{- end }}
-{{- if .Values.confluence.additionalCertificates.secretName }}
+{{- if or .Values.confluence.additionalCertificates.secretName .Values.confluence.additionalCertificates.secretList }}
 - name: keystore
   mountPath: /var/ssl
 {{- end }}
@@ -299,7 +299,7 @@ Defines the volume mounts used by the Synchrony container.
 {{ define "synchrony.volumeMounts" }}
 - name: synchrony-home
   mountPath: {{ .Values.volumes.synchronyHome.mountPath | quote }}
-{{- if .Values.synchrony.additionalCertificates.secretName }}
+{{- if or .Values.synchrony.additionalCertificates.secretName .Values.synchrony.additionalCertificates.secretList }}
 - name: keystore
   mountPath: /var/ssl
 {{- end }}

diff --git a/src/main/charts/confluence/templates/config-jvm.yaml b/src/main/charts/confluence/templates/config-jvm.yaml
@@ -19,7 +19,7 @@ data:
     {{- if .Values.serviceAccount.eksIrsa.roleArn }}
     -Daws.webIdentityTokenFile=/var/run/secrets/eks.amazonaws.com/serviceaccount/token
     {{- end }}
-    {{- if .Values.confluence.additionalCertificates.secretName }}
+    {{- if or .Values.confluence.additionalCertificates.secretName .Values.confluence.additionalCertificates.secretList }}
     -Djavax.net.ssl.trustStore=/var/ssl/cacerts
     {{- end }}
     {{- include "common.jmx.javaagent" . | indent 4 -}}

diff --git a/src/main/charts/confluence/templates/synchrony-start-script.yaml b/src/main/charts/confluence/templates/synchrony-start-script.yaml
@@ -21,7 +21,7 @@ data:
        -Xss{{ .Values.synchrony.resources.jvm.stackSize }} \
        -Dsynchrony.port={{ .Values.synchrony.ports.http }} \
        -Dcluster.listen.port={{ .Values.synchrony.ports.hazelcast }} \
-       {{- if .Values.synchrony.additionalCertificates.secretName }}
+       {{- if or .Values.synchrony.additionalCertificates.secretName .Values.synchrony.additionalCertificates.secretList }}
        -Djavax.net.ssl.trustStore=/var/ssl/cacerts \
        {{- end }}
        {{- range .Values.synchrony.additionalJvmArgs }}

diff --git a/src/main/charts/confluence/values.yaml b/src/main/charts/confluence/values.yaml
@@ -1352,7 +1352,7 @@ synchrony:
   additionalVolumeMounts: []
 
   # -- Defines additional annotations to the Synchrony StateFulSet. This might be required when deploying using a GitOps approach
-  additionalAnnotations: 
+  additionalAnnotations:
   #  argocd.argoproj.io/sync-wave: "10"
 
   # -- Defines any additional ports for the Synchrony container.

diff --git a/src/main/charts/crowd/templates/_helpers.tpl b/src/main/charts/crowd/templates/_helpers.tpl
@@ -143,7 +143,7 @@ on Tomcat's logs directory. THis ensures that Tomcat+Crowd logs get captured in
   {{- if .Values.volumes.sharedHome.subPath }}
   subPath: {{ .Values.volumes.sharedHome.subPath | quote }}
   {{- end }}
-{{- if .Values.crowd.additionalCertificates.secretName }}
+{{- if or .Values.crowd.additionalCertificates.secretName .Values.crowd.additionalCertificates.secretList }}
 - name: keystore
   mountPath: /var/ssl
 {{- end }}

diff --git a/src/main/charts/crowd/templates/config-jvm.yaml b/src/main/charts/crowd/templates/config-jvm.yaml
@@ -12,7 +12,7 @@ data:
     {{ . }}
     {{- end }}
     -XX:ActiveProcessorCount={{ include "flooredCPU" .Values.crowd.resources.container.requests.cpu }}
-    {{- if .Values.crowd.additionalCertificates.secretName }}
+    {{- if or .Values.crowd.additionalCertificates.secretName .Values.crowd.additionalCertificates.secretList }}
     -Djavax.net.ssl.trustStore=/var/ssl/cacerts
     {{- end }}
     {{ include "common.jmx.javaagent" . | indent 4 | trim }}

diff --git a/src/main/charts/jira/templates/config-jvm.yaml b/src/main/charts/jira/templates/config-jvm.yaml
@@ -14,7 +14,7 @@ data:
     {{- if .Values.serviceAccount.eksIrsa.roleArn }}
     -Daws.webIdentityTokenFile=/var/run/secrets/eks.amazonaws.com/serviceaccount/token
     {{- end }}
-    {{- if .Values.jira.additionalCertificates.secretName }}
+    {{- if or .Values.jira.additionalCertificates.secretName .Values.jira.additionalCertificates.secretList }}
     -Djavax.net.ssl.trustStore=/var/ssl/cacerts
     {{- end }}
     {{ include "common.jmx.javaagent" . | indent 4 | trim }}

diff --git a/src/test/config/kind/common-values.yaml b/src/test/config/kind/common-values.yaml
@@ -26,7 +26,14 @@ DC_APP_REPLACEME:
 
   # check if init container not failing when importing a custom crt into the default Java keystore
   additionalCertificates:
-    secretName: certificate
+    secretList:
+      - name: dev-certificates
+        keys:
+          - stg.crt
+          - dev.crt
+      - name: certificate-internal
+        keys:
+          - internal.crt
     initContainer:
       resources:
         requests:

diff --git a/src/test/java/test/AdditionalCertificatesTest.java b/src/test/java/test/AdditionalCertificatesTest.java
@@ -34,6 +34,22 @@ void additional_certificates_jvm_prop(Product product) throws Exception {
         assertThat(jvmConfigMap.getConfigMapData().path("additional_jvm_args")).hasTextContaining("-Djavax.net.ssl.trustStore=/var/ssl/cacerts");
     }
 
+    @ParameterizedTest
+    @EnumSource(value = Product.class, names = {"bamboo_agent"}, mode = EnumSource.Mode.EXCLUDE)
+    void additional_certificate_list_jvm_prop(Product product) throws Exception {
+        final var resources = helm.captureKubeResourcesFromHelmChart(product, Map.of(
+                product.name() + ".additionalCertificates.secretList[0].name", "self-signed-ca",
+                product.name() + ".additionalCertificates.secretList[0].keys[0]", "ca.crt",
+                product.name() + ".additionalCertificates.secretList[0].keys[1]", "stg.crt",
+                product.name() + ".additionalCertificates.secretList[1].name", "custom-ca",
+                product.name() + ".additionalCertificates.secretList[1].keys[0]", "custom.crt",
+                "volumes.sharedHome.persistentVolumeClaim.create", "true"
+        ));
+        final var jvmConfigMap = resources.get(ConfigMap, product.getHelmReleaseName() + "-jvm-config");
+        assertThat(jvmConfigMap.getConfigMapData().path("additional_jvm_args")).hasTextContaining("-Djavax.net.ssl.trustStore=/var/ssl/cacerts");
+    }
+
+
     @ParameterizedTest
     @EnumSource(value = Product.class, names = {"confluence"}, mode = EnumSource.Mode.INCLUDE)
     void additional_certificates_jvm_prop_synchrony(Product product) throws Exception {
@@ -45,6 +61,21 @@ void additional_certificates_jvm_prop_synchrony(Product product) throws Exceptio
         assertThat(jvmConfigMap.getConfigMapData().path("start-synchrony.sh")).hasTextContaining("-Djavax.net.ssl.trustStore=/var/ssl/cacerts");
     }
 
+    @ParameterizedTest
+    @EnumSource(value = Product.class, names = {"confluence"}, mode = EnumSource.Mode.INCLUDE)
+    void additional_certificate_list_jvm_prop_synchrony(Product product) throws Exception {
+        final var resources = helm.captureKubeResourcesFromHelmChart(product, Map.of(
+                "synchrony.enabled", "true",
+                "synchrony.additionalCertificates.secretList[0].name", "self-signed-ca",
+                "synchrony.additionalCertificates.secretList[0].keys[0]", "ca.crt",
+                "synchrony.additionalCertificates.secretList[0].keys[1]", "stg.crt",
+                "synchrony.additionalCertificates.secretList[1].name", "custom-ca",
+                "synchrony.additionalCertificates.secretList[1].keys[0]", "custom.crt"
+        ));
+        final var jvmConfigMap = resources.get(ConfigMap, product.getHelmReleaseName() + "-synchrony-entrypoint");
+        assertThat(jvmConfigMap.getConfigMapData().path("start-synchrony.sh")).hasTextContaining("-Djavax.net.ssl.trustStore=/var/ssl/cacerts");
+    }
+
     @ParameterizedTest
     @EnumSource(value = Product.class, names = {"bitbucket"}, mode = EnumSource.Mode.INCLUDE)
     void additional_certificates_jvm_prop_mesh(Product product) throws Exception {
@@ -56,6 +87,21 @@ void additional_certificates_jvm_prop_mesh(Product product) throws Exception {
         assertThat(bitbucketMeshJvmConfigMap.getConfigMapData().path("additional_jvm_args")).hasTextContaining("-Djavax.net.ssl.trustStore=/var/ssl/cacerts");
     }
 
+    @ParameterizedTest
+    @EnumSource(value = Product.class, names = {"bitbucket"}, mode = EnumSource.Mode.INCLUDE)
+    void additional_certificate_list_jvm_prop_mesh(Product product) throws Exception {
+        final var resources = helm.captureKubeResourcesFromHelmChart(product, Map.of(
+                product.name() + ".mesh.enabled", "true",
+                product.name() + ".mesh.additionalCertificates.secretList[0].name", "self-signed-ca",
+                product.name() + ".mesh.additionalCertificates.secretList[0].keys[0]", "ca.crt",
+                product.name() + ".mesh.additionalCertificates.secretList[0].keys[1]", "stg.crt",
+                product.name() + ".mesh.additionalCertificates.secretList[1].name", "custom-ca",
+                product.name() + ".mesh.additionalCertificates.secretList[1].keys[0]", "custom.crt"
+        ));
+        final var bitbucketMeshJvmConfigMap = resources.get(ConfigMap, product.getHelmReleaseName() + "-jvm-config-mesh");
+        assertThat(bitbucketMeshJvmConfigMap.getConfigMapData().path("additional_jvm_args")).hasTextContaining("-Djavax.net.ssl.trustStore=/var/ssl/cacerts");
+    }
+
     @ParameterizedTest
     @EnumSource(value = Product.class, names = {"bamboo_agent"}, mode = EnumSource.Mode.EXCLUDE)
     void additional_certificates_init_container(Product product) throws Exception {
@@ -109,6 +155,21 @@ void additional_certificates_volumeMounts(Product product) throws Exception {
         assertThat(keystoreVolumeMount.path("mountPath")).hasTextEqualTo("/var/ssl");
     }
 
+    @ParameterizedTest
+    @EnumSource(value = Product.class, names = {"bamboo_agent"}, mode = EnumSource.Mode.EXCLUDE)
+    void additional_certificate_list_volumeMounts(Product product) throws Exception {
+        final var resources = helm.captureKubeResourcesFromHelmChart(product, Map.of(
+                product.name() + ".additionalCertificates.secretList[0].name", "self-signed-ca",
+                product.name() + ".additionalCertificates.secretList[0].keys[0]", "ca.crt",
+                product.name() + ".additionalCertificates.secretList[0].keys[1]", "stg.crt",
+                product.name() + ".additionalCertificates.secretList[1].name", "custom-ca",
+                product.name() + ".additionalCertificates.secretList[1].keys[0]", "custom.crt"
+        ));
+        final var statefulSet = resources.getStatefulSet(product.getHelmReleaseName());
+        JsonNode keystoreVolumeMount = statefulSet.getContainer(product.name()).getVolumeMount("keystore");
+        assertThat(keystoreVolumeMount.path("mountPath")).hasTextEqualTo("/var/ssl");
+    }
+
     @ParameterizedTest
     @EnumSource(value = Product.class, names = {"bitbucket"}, mode = EnumSource.Mode.INCLUDE)
     void additional_certificates_volumeMounts_bitbucket_mesh(Product product) throws Exception {
@@ -121,6 +182,22 @@ void additional_certificates_volumeMounts_bitbucket_mesh(Product product) throws
         assertThat(keystoreVolumeMount.path("mountPath")).hasTextEqualTo("/var/ssl");
     }
 
+    @ParameterizedTest
+    @EnumSource(value = Product.class, names = {"bitbucket"}, mode = EnumSource.Mode.INCLUDE)
+    void additional_certificate_list_volumeMounts_bitbucket_mesh(Product product) throws Exception {
+        final var resources = helm.captureKubeResourcesFromHelmChart(product, Map.of(
+                product.name() + ".mesh.enabled", "true",
+                product.name() + ".mesh.additionalCertificates.secretList[0].name", "self-signed-ca",
+                product.name() + ".mesh.additionalCertificates.secretList[0].keys[0]", "ca.crt",
+                product.name() + ".mesh.additionalCertificates.secretList[0].keys[1]", "stg.crt",
+                product.name() + ".mesh.additionalCertificates.secretList[1].name", "custom-ca",
+                product.name() + ".mesh.additionalCertificates.secretList[1].keys[0]", "custom.crt"
+        ));
+        final var statefulSet = resources.getStatefulSet(product.getHelmReleaseName()+"-mesh");
+        JsonNode keystoreVolumeMount = statefulSet.getContainer(product.name()+"-mesh").getVolumeMount("keystore");
+        assertThat(keystoreVolumeMount.path("mountPath")).hasTextEqualTo("/var/ssl");
+    }
+
     @ParameterizedTest
     @EnumSource(value = Product.class, names = {"confluence"}, mode = EnumSource.Mode.INCLUDE)
     void additional_certificates_volumeMounts_synchrony(Product product) throws Exception {
@@ -133,6 +210,22 @@ void additional_certificates_volumeMounts_synchrony(Product product) throws Exce
         assertThat(keystoreVolumeMount.path("mountPath")).hasTextEqualTo("/var/ssl");
     }
 
+    @ParameterizedTest
+    @EnumSource(value = Product.class, names = {"confluence"}, mode = EnumSource.Mode.INCLUDE)
+    void additional_certificate_list_volumeMounts_synchrony(Product product) throws Exception {
+        final var resources = helm.captureKubeResourcesFromHelmChart(product, Map.of(
+                "synchrony.enabled", "true",
+                "synchrony.additionalCertificates.secretList[0].name", "self-signed-ca",
+                "synchrony.additionalCertificates.secretList[0].keys[0]", "ca.crt",
+                "synchrony.additionalCertificates.secretList[0].keys[1]", "stg.crt",
+                "synchrony.additionalCertificates.secretList[1].name", "custom-ca",
+                "synchrony.additionalCertificates.secretList[1].keys[0]", "custom.crt"
+        ));
+        final var statefulSet = resources.getStatefulSet(product.getHelmReleaseName()+"-synchrony");
+        JsonNode keystoreVolumeMount = statefulSet.getContainer("synchrony").getVolumeMount("keystore");
+        assertThat(keystoreVolumeMount.path("mountPath")).hasTextEqualTo("/var/ssl");
+    }
+
     @ParameterizedTest
     @EnumSource(value = Product.class, names = {"bamboo_agent"}, mode = EnumSource.Mode.EXCLUDE)
     void additional_certificates_volumes(Product product) throws Exception {

diff --git a/src/test/resources/expected_helm_output/bitbucket/output.yaml b/src/test/resources/expected_helm_output/bitbucket/output.yaml
@@ -593,7 +593,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/config-jvm: 21aa4f6cd4149830dc45696be02257cf4bcd29f1bf7dccd9bc5e2d36fdf384a4
+        checksum/config-jvm: daf77dbb6115393d5de995314ed57f1fc3d7333a41fb26e69f17dea959df0af6
       labels:
         app.kubernetes.io/name: bitbucket-mesh
         app.kubernetes.io/instance: unittest-bitbucket
@@ -714,7 +714,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/config-jvm: 0dd2fac063e308dbe5dc1fb17f4d82c8b41d7fee05dbc3ebc422b2053b5c45de
+        checksum/config-jvm: aae0751c315cf9c346f0f0b15d8170b726b8ed05c2698eb7128e11f716cf3fca
       labels:
         app.kubernetes.io/name: bitbucket
         app.kubernetes.io/instance: unittest-bitbucket