Merge pull request #312 from holyspectral/jwt-cleanup
NVSHAS-8212: let controller manage jwt certificate(cont.)
becitsthere authored Sep 29, 2023
2 parents 709dd1e + ec9a468 commit c708d63
Showing 4 changed files with 3 additions and 117 deletions.
3 changes: 0 additions & 3 deletions charts/core/README.md
Expand Up @@ -77,9 +77,6 @@ Parameter | Description | Default | Notes
`controller.certificate.secret` | Replace controller REST API certificate using secret if secret name is specified | `nil` |
`controller.certificate.keyFile` | Replace controller REST API certificate key file | `tls.key` |
`controller.certificate.pemFile` | Replace controller REST API certificate pem file | `tls.pem` |
`controller.jwtCertificate.secret` | Replace controller JWT signing key using secret if secret name is specified | `nil` |
`controller.jwtCertificate.keyFile` | Replace controller JWT signing key file | `tls.key` |
`controller.jwtCertificate.pemFile` | Replace controller JWT signing pem file | `tls.pem` |
`controller.federation.mastersvc.type` | Multi-cluster primary cluster service type. If specified, the deployment will be used to manage other clusters. Possible values include NodePort, LoadBalancer and ClusterIP. | `nil` |
`controller.federation.mastersvc.annotations` | Add annotations to Multi-cluster primary cluster REST API service | `{}` |
`controller.federation.mastersvc.route.enabled` | If true, create a OpenShift route to expose the Multi-cluster primary cluster service | `false` |
5 changes: 0 additions & 5 deletions charts/core/templates/controller-deployment.yaml
Expand Up @@ -261,11 +261,6 @@ spec:
secret:
secretName: {{ .Values.controller.certificate.secret }}
{{- end }}
{{- if .Values.controller.jwtCertificate.secret }}
- name: userjwtcert
secret:
secretName: {{ .Values.controller.jwtCertificate.secret }}
{{- end }}
{{- if .Values.internal.certmanager.enabled }}
- name: internal-cert
secret:
4 changes: 0 additions & 4 deletions charts/core/values.yaml
Expand Up @@ -145,10 +145,6 @@ controller:
secret:
keyFile: tls.key
pemFile: tls.pem
jwtCertificate:
secret:
keyFile: tls.key
pemFile: tls.pem
internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer)
certificate:
secret: neuvector-internal
108 changes: 3 additions & 105 deletions test/deployment_test.go
Expand Up @@ -339,7 +339,7 @@ func TestControllerSecrets(t *testing.T) {
helm.UnmarshalK8SYaml(t, output, &dep)
if dep.Name == "neuvector-controller-pod" {

// cert, usercert and userjwtcert will be mounted.
// cert and usercert will be mounted.
assert.Contains(t, dep.Spec.Template.Spec.Volumes, corev1.Volume{
Name: "cert",
VolumeSource: corev1.VolumeSource{
Expand All @@ -358,14 +358,6 @@ func TestControllerSecrets(t *testing.T) {
},
})

assert.NotContains(t, dep.Spec.Template.Spec.Volumes, corev1.Volume{
Name: "userjwtcert",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: "nv-jwt-secret",
},
},
})
for _, container := range dep.Spec.Template.Spec.Containers {
if container.Name == "neuvector-controller-pod" {

Expand Down Expand Up @@ -418,7 +410,7 @@ func TestControllerNoSecrets(t *testing.T) {
helm.UnmarshalK8SYaml(t, output, &dep)
if dep.Name == "neuvector-controller-pod" {

// cert, usercert and userjwtcert will be mounted.
// cert and usercert will be mounted.
assert.NotContains(t, dep.Spec.Template.Spec.Volumes, corev1.Volume{
Name: "cert",
VolumeSource: corev1.VolumeSource{
Expand All @@ -437,14 +429,6 @@ func TestControllerNoSecrets(t *testing.T) {
},
})

assert.NotContains(t, dep.Spec.Template.Spec.Volumes, corev1.Volume{
Name: "userjwtcert",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: "nv-jwt-secret",
},
},
})
for _, container := range dep.Spec.Template.Spec.Containers {
if container.Name == "neuvector-controller-pod" {

Expand All @@ -469,83 +453,6 @@ func TestControllerNoSecrets(t *testing.T) {
}
}

func TestControllerWithSSLAndJWTKeys(t *testing.T) {
helmChartPath := "../charts/core"

options := &helm.Options{
SetValues: map[string]string{
"controller.certificate.secret": "nv-ssl-secret",
"controller.certificate.keyFile": "key2.pem",
"controller.certificate.pemFile": "cert2.pem",
"controller.jwtCertificate.secret": "nv-jwt-secret",
"controller.jwtCertificate.keyFile": "key2.pem",
"controller.jwtCertificate.pemFile": "cert2.pem",
},
}

out := helm.RenderTemplate(t, options, helmChartPath, nvRel, []string{
"templates/controller-deployment.yaml",
"templates/controller-secret.yaml",
})
outs := splitYaml(out)

// Secret will be created and mounted
for _, output := range outs {
var dep appsv1.Deployment
helm.UnmarshalK8SYaml(t, output, &dep)
if dep.Name == "neuvector-controller-pod" {

// cert, usercert and userjwtcert will be mounted.
assert.Contains(t, dep.Spec.Template.Spec.Volumes, corev1.Volume{
Name: "cert",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: "neuvector-controller-secret",
},
},
})

assert.Contains(t, dep.Spec.Template.Spec.Volumes, corev1.Volume{
Name: "usercert",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: "nv-ssl-secret",
},
},
})

assert.Contains(t, dep.Spec.Template.Spec.Volumes, corev1.Volume{
Name: "userjwtcert",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: "nv-jwt-secret",
},
},
})
for _, container := range dep.Spec.Template.Spec.Containers {
if container.Name == "neuvector-controller-pod" {

assert.Contains(t, container.VolumeMounts, corev1.VolumeMount{
Name: "usercert",
MountPath: "/etc/neuvector/certs/ssl-cert.key",
SubPath: "key2.pem",
ReadOnly: true,
})

assert.Contains(t, container.VolumeMounts, corev1.VolumeMount{
Name: "usercert",
MountPath: "/etc/neuvector/certs/ssl-cert.pem",
SubPath: "cert2.pem",
ReadOnly: true,
})
}

}

}
}
}

func TestControllerWithOnlySSLKeys(t *testing.T) {
helmChartPath := "../charts/core"

Expand All @@ -569,7 +476,7 @@ func TestControllerWithOnlySSLKeys(t *testing.T) {
helm.UnmarshalK8SYaml(t, output, &dep)
if dep.Name == "neuvector-controller-pod" {

// cert, usercert will be mounted but not userjwtcert.
// cert and usercert will be mounted.
assert.Contains(t, dep.Spec.Template.Spec.Volumes, corev1.Volume{
Name: "cert",
VolumeSource: corev1.VolumeSource{
Expand All @@ -588,15 +495,6 @@ func TestControllerWithOnlySSLKeys(t *testing.T) {
},
})

assert.NotContains(t, dep.Spec.Template.Spec.Volumes, corev1.Volume{
Name: "userjwtcert",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: "nv-jwt-secret",
},
},
})

for _, container := range dep.Spec.Template.Spec.Containers {
if container.Name == "neuvector-controller-pod" {

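Review bot: The rewritten comment `// cert and usercert will be mounted.` in TestControllerNoSecrets (the hunk at -418,7 +410,7) contradicts the `assert.NotContains` on the `cert` volume directly beneath it; that test asserts the volumes are absent, so the line should read `// neither cert nor usercert will be mounted.` or otherwise describe what the NotContains calls check. The same one-line rewording in TestControllerSecrets and TestControllerWithOnlySSLKeys sits above `assert.Contains` calls and is accurate there. With every `nv-jwt-secret` NotContains assertion deleted, nothing visible in this section still verifies that a leftover `controller.jwtCertificate.secret` value in an older values file no longer renders a `userjwtcert` volume; keeping one such NotContains in TestControllerWithOnlySSLKeys would be a cheap regression guard, though the rest of that test is outside the hunk. All three enclosing test functions start and end outside their hunks.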
