diff --git a/charts/core/README.md b/charts/core/README.md
index fa98cd16..f2f3f56d 100644
--- a/charts/core/README.md
+++ b/charts/core/README.md
@@ -77,9 +77,6 @@ Parameter | Description | Default | Notes
 `controller.certificate.secret` | Replace controller REST API certificate using secret if secret name is specified | `nil` |
 `controller.certificate.keyFile` | Replace controller REST API certificate key file | `tls.key` |
 `controller.certificate.pemFile` | Replace controller REST API certificate pem file | `tls.pem` |
-`controller.jwtCertificate.secret` | Replace controller JWT signing key using secret if secret name is specified | `nil` |
-`controller.jwtCertificate.keyFile` | Replace controller JWT signing key file | `tls.key` |
-`controller.jwtCertificate.pemFile` | Replace controller JWT signing pem file | `tls.pem` |
 `controller.federation.mastersvc.type` | Multi-cluster primary cluster service type. If specified, the deployment will be used to manage other clusters. Possible values include NodePort, LoadBalancer and ClusterIP. | `nil` |
 `controller.federation.mastersvc.annotations` | Add annotations to Multi-cluster primary cluster REST API service | `{}` |
 `controller.federation.mastersvc.route.enabled` | If true, create a OpenShift route to expose the Multi-cluster primary cluster service | `false` |
diff --git a/charts/core/templates/controller-deployment.yaml b/charts/core/templates/controller-deployment.yaml
index a6b44326..693b50e2 100644
--- a/charts/core/templates/controller-deployment.yaml
+++ b/charts/core/templates/controller-deployment.yaml
@@ -261,11 +261,6 @@ spec:
 secret:
 secretName: {{ .Values.controller.certificate.secret }}
 {{- end }}
- {{- if .Values.controller.jwtCertificate.secret }}
- - name: userjwtcert
- secret:
- secretName: {{ .Values.controller.jwtCertificate.secret }}
- {{- end }}
 {{- if .Values.internal.certmanager.enabled }}
 - name: internal-cert
 secret:
diff --git a/charts/core/values.yaml b/charts/core/values.yaml
index 8d57f0a1..a3640be4 100644
--- a/charts/core/values.yaml
+++ b/charts/core/values.yaml
@@ -145,10 +145,6 @@ controller:
 secret:
 keyFile: tls.key
 pemFile: tls.pem
- jwtCertificate:
- secret:
- keyFile: tls.key
- pemFile: tls.pem
 internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer)
 certificate:
 secret: neuvector-internal
diff --git a/test/deployment_test.go b/test/deployment_test.go
index 96342e26..79069d09 100644
--- a/test/deployment_test.go
+++ b/test/deployment_test.go
@@ -339,7 +339,7 @@ func TestControllerSecrets(t *testing.T) {
 helm.UnmarshalK8SYaml(t, output, &dep)
 if dep.Name == "neuvector-controller-pod" {
- // cert, usercert and userjwtcert will be mounted.
+ // cert and usercert will be mounted.
 assert.Contains(t, dep.Spec.Template.Spec.Volumes, corev1.Volume{
 Name: "cert",
 VolumeSource: corev1.VolumeSource{
@@ -358,14 +358,6 @@ func TestControllerSecrets(t *testing.T) {
 },
 })
- assert.NotContains(t, dep.Spec.Template.Spec.Volumes, corev1.Volume{
- Name: "userjwtcert",
- VolumeSource: corev1.VolumeSource{
- Secret: &corev1.SecretVolumeSource{
- SecretName: "nv-jwt-secret",
- },
- },
- })
 for _, container := range dep.Spec.Template.Spec.Containers {
 if container.Name == "neuvector-controller-pod" {
@@ -418,7 +410,7 @@ func TestControllerNoSecrets(t *testing.T) {
 helm.UnmarshalK8SYaml(t, output, &dep)
 if dep.Name == "neuvector-controller-pod" {
- // cert, usercert and userjwtcert will be mounted.
+ // cert and usercert will be mounted.
 assert.NotContains(t, dep.Spec.Template.Spec.Volumes, corev1.Volume{
 Name: "cert",
 VolumeSource: corev1.VolumeSource{
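Review bot: The rewritten comment in TestControllerNoSecrets, `// cert and usercert will be mounted.`, says the opposite of the statement that follows it, which is `assert.NotContains` on the `cert` volume. Since the line is being edited anyway, it should describe what the test checks, for example `// neither cert nor usercert should be mounted.` The usercert assertion and the rest of the function lie outside this hunk, so confirm that it is also a NotContains before adopting that wording.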
@@ -437,14 +429,6 @@ func TestControllerNoSecrets(t *testing.T) {
 },
 })
- assert.NotContains(t, dep.Spec.Template.Spec.Volumes, corev1.Volume{
- Name: "userjwtcert",
- VolumeSource: corev1.VolumeSource{
- Secret: &corev1.SecretVolumeSource{
- SecretName: "nv-jwt-secret",
- },
- },
- })
 for _, container := range dep.Spec.Template.Spec.Containers {
 if container.Name == "neuvector-controller-pod" {
@@ -469,83 +453,6 @@ func TestControllerNoSecrets(t *testing.T) {
 }
 }
-func TestControllerWithSSLAndJWTKeys(t *testing.T) {
- helmChartPath := "../charts/core"
-
- options := &helm.Options{
- SetValues: map[string]string{
- "controller.certificate.secret": "nv-ssl-secret",
- "controller.certificate.keyFile": "key2.pem",
- "controller.certificate.pemFile": "cert2.pem",
- "controller.jwtCertificate.secret": "nv-jwt-secret",
- "controller.jwtCertificate.keyFile": "key2.pem",
- "controller.jwtCertificate.pemFile": "cert2.pem",
- },
- }
-
- out := helm.RenderTemplate(t, options, helmChartPath, nvRel, []string{
- "templates/controller-deployment.yaml",
- "templates/controller-secret.yaml",
- })
- outs := splitYaml(out)
-
- // Secret will be created and mounted
- for _, output := range outs {
- var dep appsv1.Deployment
- helm.UnmarshalK8SYaml(t, output, &dep)
- if dep.Name == "neuvector-controller-pod" {
-
- // cert, usercert and userjwtcert will be mounted.
- assert.Contains(t, dep.Spec.Template.Spec.Volumes, corev1.Volume{
- Name: "cert",
- VolumeSource: corev1.VolumeSource{
- Secret: &corev1.SecretVolumeSource{
- SecretName: "neuvector-controller-secret",
- },
- },
- })
-
- assert.Contains(t, dep.Spec.Template.Spec.Volumes, corev1.Volume{
- Name: "usercert",
- VolumeSource: corev1.VolumeSource{
- Secret: &corev1.SecretVolumeSource{
- SecretName: "nv-ssl-secret",
- },
- },
- })
-
- assert.Contains(t, dep.Spec.Template.Spec.Volumes, corev1.Volume{
- Name: "userjwtcert",
- VolumeSource: corev1.VolumeSource{
- Secret: &corev1.SecretVolumeSource{
- SecretName: "nv-jwt-secret",
- },
- },
- })
- for _, container := range dep.Spec.Template.Spec.Containers {
- if container.Name == "neuvector-controller-pod" {
-
- assert.Contains(t, container.VolumeMounts, corev1.VolumeMount{
- Name: "usercert",
- MountPath: "/etc/neuvector/certs/ssl-cert.key",
- SubPath: "key2.pem",
- ReadOnly: true,
- })
-
- assert.Contains(t, container.VolumeMounts, corev1.VolumeMount{
- Name: "usercert",
- MountPath: "/etc/neuvector/certs/ssl-cert.pem",
- SubPath: "cert2.pem",
- ReadOnly: true,
- })
- }
-
- }
-
- }
- }
-}
-
 func TestControllerWithOnlySSLKeys(t *testing.T) {
 helmChartPath := "../charts/core"
@@ -569,7 +476,7 @@ func TestControllerWithOnlySSLKeys(t *testing.T) {
 helm.UnmarshalK8SYaml(t, output, &dep)
 if dep.Name == "neuvector-controller-pod" {
- // cert, usercert will be mounted but not userjwtcert.
+ // cert and usercert will be mounted.
 assert.Contains(t, dep.Spec.Template.Spec.Volumes, corev1.Volume{
 Name: "cert",
 VolumeSource: corev1.VolumeSource{
@@ -588,15 +495,6 @@ func TestControllerWithOnlySSLKeys(t *testing.T) {
 },
 })
- assert.NotContains(t, dep.Spec.Template.Spec.Volumes, corev1.Volume{
- Name: "userjwtcert",
- VolumeSource: corev1.VolumeSource{
- Secret: &corev1.SecretVolumeSource{
- SecretName: "nv-jwt-secret",
- },
- },
- })
-
 for _, container := range dep.Spec.Template.Spec.Containers {
 if container.Name == "neuvector-controller-pod" {