From eea5111864ff75e44fc912752b4a98329871815f Mon Sep 17 00:00:00 2001
From: Alex Chapellon
Date: Tue, 18 Jul 2023 15:28:13 +0200
Subject: [PATCH] OPSEXP-2188: narrow the usage of existingConfigMap for better integration (#74)
---
 charts/alfresco-share/Chart.lock | 6 +-
 charts/alfresco-share/Chart.yaml | 4 +-
 charts/alfresco-share/README.md | 8 ++-
 .../templates/config-share.yaml | 6 +-
 .../templates/deployment-share.yaml | 26 ++++++--
 charts/alfresco-share/tests/cm_test.yaml | 43 +------------
 .../alfresco-share/tests/deployment_test.yaml | 61 ++++++++++++++++---
 charts/alfresco-share/values.yaml | 13 ++--
 8 files changed, 94 insertions(+), 73 deletions(-)
diff --git a/charts/alfresco-share/Chart.lock b/charts/alfresco-share/Chart.lock
index 1e4ef329..9bf34a2e 100644
--- a/charts/alfresco-share/Chart.lock
+++ b/charts/alfresco-share/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: alfresco-common
 repository: https://alfresco.github.io/alfresco-helm-charts
- version: 2.1.0-alpha.0
-digest: sha256:6922cc13c87c5fe6eed669f956cd5f0da86a96793da89e27099b73054e60024e
-generated: "2023-07-10T16:32:19.328012924Z"
+ version: 2.1.0-alpha.2
+digest: sha256:fe22b1c02d336367c59ad384553ec6c8d003a01532e543dfee9f9c3d791c42ff
+generated: "2023-07-18T14:51:47.649031+02:00"
diff --git a/charts/alfresco-share/Chart.yaml b/charts/alfresco-share/Chart.yaml
index 7181773f..0db72e31 100644
--- a/charts/alfresco-share/Chart.yaml
+++ b/charts/alfresco-share/Chart.yaml
@@ -2,9 +2,9 @@ apiVersion: v2
 name: alfresco-share
 description: Alfresco Share Helm chart for Kubernetes
 type: application
-version: 0.1.0-alpha.0
+version: 0.1.0-alpha.1
 appVersion: 7.4.0
 dependencies:
 - repository: https://alfresco.github.io/alfresco-helm-charts
- version: 2.1.0-alpha.0
+ version: 2.1.0-alpha.2
 name: alfresco-common
diff --git a/charts/alfresco-share/README.md b/charts/alfresco-share/README.md
index fd957410..25fd32d8 100644
--- a/charts/alfresco-share/README.md
+++ b/charts/alfresco-share/README.md
@@ -1,6 +1,6 @@
 # alfresco-share
-![Version: 0.1.0-alpha.0](https://img.shields.io/badge/Version-0.1.0--alpha.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 7.4.0](https://img.shields.io/badge/AppVersion-7.4.0-informational?style=flat-square)
+![Version: 0.1.0-alpha.1](https://img.shields.io/badge/Version-0.1.0--alpha.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 7.4.0](https://img.shields.io/badge/AppVersion-7.4.0-informational?style=flat-square)
 Alfresco Share Helm chart for Kubernetes
@@ -8,7 +8,7 @@ Alfresco Share Helm chart for Kubernetes
 | Repository | Name | Version |
 |------------|------|---------|
-| https://alfresco.github.io/alfresco-helm-charts | alfresco-common | 2.1.0-alpha.0 |
+| https://alfresco.github.io/alfresco-helm-charts | alfresco-common | 2.1.0-alpha.2 |
 ## Values
@@ -51,7 +51,9 @@ Alfresco Share Helm chart for Kubernetes
 | readinessProbe.initialDelaySeconds | int | `15` | |
 | readinessProbe.periodSeconds | int | `30` | |
 | readinessProbe.timeoutSeconds | int | `5` | |
-| repository.existingConfigMap | string | `nil` | a pre-existing configmap which provides expected configuration for Share REPO_HOST REPO_PORT CSRF_FILTER_REFERER CSRF_FILTER_ORIGIN EXTERNAL_HOST |
+| repository.existingConfigMap.keys.host | string | `"REPO_HOST"` | name of the key in the configMap where to find the repository service host |
+| repository.existingConfigMap.keys.port | string | `"REPO_PORT"` | name of the key in the configMap where to find the repository service port |
+| repository.existingConfigMap.name | string | `nil` | a pre-existing configmap which provides expected configuration for Share |
 | repository.host | string | `"localhost"` | repository hostname/servicename |
 | repository.port | int | `8080` | repository port where service is exposed |
 | resources.limits.cpu | string | `"4"` | |
diff --git a/charts/alfresco-share/templates/config-share.yaml b/charts/alfresco-share/templates/config-share.yaml
index 4fc0b237..b0ae10c0 100644
--- a/charts/alfresco-share/templates/config-share.yaml
+++ b/charts/alfresco-share/templates/config-share.yaml
@@ -1,4 +1,4 @@
-{{- if not .Values.repository.existingConfigMap -}}
+{{- if not .Values.repository.existingConfigMap.name -}}
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -9,8 +9,4 @@ metadata:
 data:
 REPO_HOST: {{ .Values.repository.host | quote }}
 REPO_PORT: {{ .Values.repository.port | quote }}
- {{- $known_urls := coalesce .Values.known_urls .Values.global.known_urls "http://localhost,https://localhost" }}
- CSRF_FILTER_REFERER: {{ include "alfresco-common.csrf.referer" $known_urls }}
- CSRF_FILTER_ORIGIN: {{ include "alfresco-common.csrf.origin" $known_urls }}
- EXTERNAL_HOST: {{ include "alfresco-common.external.url" $known_urls }}
 {{- end -}}
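Review bot: The new guard `if not .Values.repository.existingConfigMap.name` assumes `existingConfigMap` is always a map, but values files written for the previous chart version set it to a plain string. In that case the field access most likely aborts rendering with a Go template type error rather than a message that names the renamed value (inferred from Helm's template semantics, not visible in this diff). A short guard above the `if` would make the migration explicit: `{{- if kindIs "string" .Values.repository.existingConfigMap }}{{ fail "repository.existingConfigMap is now a map: set repository.existingConfigMap.name" }}{{- end }}`. The same field access appears in deployment-share.yaml.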
diff --git a/charts/alfresco-share/templates/deployment-share.yaml b/charts/alfresco-share/templates/deployment-share.yaml
index 3fd80f12..5681f2e0 100644
--- a/charts/alfresco-share/templates/deployment-share.yaml
+++ b/charts/alfresco-share/templates/deployment-share.yaml
@@ -50,17 +50,31 @@ spec:
 protocol: TCP
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
- envFrom:
- - configMapRef:
- name: {{ .Values.repository.existingConfigMap | default (print (include "alfresco-share.fullname" .) "-configmap") }}
+ {{- $repo_details_cm := .Values.repository.existingConfigMap.name | default (print (include "alfresco-share.fullname" .) "-configmap") }}
 env:
+ - name: CSRF_FILTER_REFERER
+ value: {{ include "alfresco-common.csrf.referer" . }}
+ - name: CSRF_FILTER_ORIGIN
+ value: {{ include "alfresco-common.csrf.origin" . }}
+ - name: BASEURL
+ value: {{ include "alfresco-common.external.url" . }}
+ - name: JAVA_OPTS
+ value: >-
+ {{ (printf "%s %s" (.Values.environment.JAVA_OPTS | default "") "-Dalfresco.proxy=$BASEURL") }}
+ - name: REPO_HOST
+ valueFrom:
+ configMapKeyRef:
+ name: {{ $repo_details_cm }}
+ key: {{ .Values.repository.existingConfigMap.keys.host }}
+ - name: REPO_PORT
+ valueFrom:
+ configMapKeyRef:
+ name: {{ $repo_details_cm }}
+ key: {{ .Values.repository.existingConfigMap.keys.port }}
 {{- range $key, $value := (omit .Values.environment "JAVA_OPTS") }}
 - name: {{ $key }}
 value: {{ $value }}
 {{- end }}
- - name: JAVA_OPTS
- value: >-
- {{ (printf "%s %s" (.Values.environment.JAVA_OPTS | default "") "-Dalfresco.proxy=$EXTERNAL_HOST") }}
 volumeMounts:
 {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
 readinessProbe:
diff --git a/charts/alfresco-share/tests/cm_test.yaml b/charts/alfresco-share/tests/cm_test.yaml
index 95099619..2873e4e2 100644
--- a/charts/alfresco-share/tests/cm_test.yaml
+++ b/charts/alfresco-share/tests/cm_test.yaml
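Review bot: The `range` over `.Values.environment` still omits only `JAVA_OPTS` and is now rendered after the chart-managed entries, so an `environment` key named `CSRF_FILTER_REFERER`, `CSRF_FILTER_ORIGIN`, `BASEURL`, `REPO_HOST` or `REPO_PORT` yields a duplicate entry in `env`. With duplicate names the later entry normally takes effect in the container, so a stray value can silently replace the CSRF allow-list derived from `known_urls`. If that override is not intended, extend the omit list: `{{- range $key, $value := (omit .Values.environment "JAVA_OPTS" "CSRF_FILTER_REFERER" "CSRF_FILTER_ORIGIN" "BASEURL" "REPO_HOST" "REPO_PORT") }}`; if it is intended, a comment above the loop should say so. The container spec this hunk edits starts and ends outside the hunk.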
@@ -6,7 +6,8 @@ tests:
 - it: should not render a configmap
 set:
 repository:
- existingConfigMap: myns/mycm
+ existingConfigMap:
+ name: myns/mycm
 asserts:
 - hasDocuments:
 count: 0
@@ -20,20 +21,7 @@ tests:
 repository:
 host: release-service.cluster.local
 port: 80
- known_urls:
- - https://ecm.domain.tld/myapp/callback
- - https://ecm.domain.tld/alfresco
- - http://app.domain.local:8000
 asserts:
- - equal:
- path: data.CSRF_FILTER_REFERER
- value: >-
- https://ecm.domain.tld/myapp/callback/.*\|https://ecm.domain.tld/alfresco/.*\|http://app.domain.local:8000/.*
- template: config-share.yaml
- - equal:
- path: data.CSRF_FILTER_ORIGIN
- value: https://ecm.domain.tld,https://ecm.domain.tld,http://app.domain.local:8000
- template: config-share.yaml
 - equal:
 path: data.REPO_HOST
 value: release-service.cluster.local
@@ -42,30 +30,3 @@ tests:
 path: data.REPO_PORT
 value: "80"
 template: config-share.yaml
-
- - it: should render a default config
- asserts:
- - equal:
- path: data.CSRF_FILTER_REFERER
- value: http://localhost/.*\|https://localhost/.*
- template: config-share.yaml
- - equal:
- path: data.CSRF_FILTER_ORIGIN
- value: http://localhost,https://localhost
- template: config-share.yaml
- - equal:
- path: data.REPO_HOST
- value: localhost
- template: config-share.yaml
- - equal:
- path: data.REPO_PORT
- value: "8080"
- template: config-share.yaml
-
- - it: should render a default Xorigin restriction config
- asserts:
- - equal:
- path: data.CSRF_FILTER_REFERER
- value: >-
- http://localhost/.*\|https://localhost/.*
- template: config-share.yaml
diff --git a/charts/alfresco-share/tests/deployment_test.yaml b/charts/alfresco-share/tests/deployment_test.yaml
index 5716755a..9b8f4fff 100644
--- a/charts/alfresco-share/tests/deployment_test.yaml
+++ b/charts/alfresco-share/tests/deployment_test.yaml
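Review bot: The fixture value `name: myns/mycm` in the first hunk reads like a namespace-qualified reference, but a `configMapKeyRef` can only name a ConfigMap in the pod's own namespace and `/` is not a valid character in an object name. Using `name: mycm` here and in the matching case in tests/deployment_test.yaml would stop the tests from suggesting that cross-namespace ConfigMaps are supported.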
@@ -11,16 +11,63 @@ tests:
 value: RELEASE-NAME-alfresco-share
 template: deployment-share.yaml
- - it: should leverage provided exisintg configmap
+ - it: should leverage provided existing configmap
 set:
 repository:
- existingConfigMap: myns/mycm
+ existingConfigMap:
+ name: myns/mycm
 asserts:
- - contains:
- path: spec.template.spec.containers[0].envFrom
- content:
- configMapRef:
- name: myns/mycm
+ - equal:
+ path: spec.template.spec.containers[0].env[5].valueFrom.configMapKeyRef.name
+ value: myns/mycm
+ template: deployment-share.yaml
+
+ - it: Fail due to broken input
+ set:
+ known_urls:
+ - not.an/url
+ asserts:
+ - failedTemplate:
+ errorMessage: >-
+ provided known_urls MUST start with a scheme (http :// or https://)
+ template: deployment-share.yaml
+ - it: |
+ should render custom CSRF config.
+ referers MUST be a regex with pipes escaped (due to the way vars are substitued in Share pods
+ origins MUST be a list of hosts (without paths) separated by commas.
+ set:
+ known_urls:
+ - https://ecm.domain.tld/myapp/callback
+ - https://ecm.domain.tld/alfresco
+ - http://app.domain.local:8000
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].env[0].value
+ value: >-
+ https://ecm.domain.tld/myapp/callback/.*\|https://ecm.domain.tld/alfresco/.*\|http://app.domain.local:8000/.*
+ template: deployment-share.yaml
+ - equal:
+ path: spec.template.spec.containers[0].env[1].value
+ value: https://ecm.domain.tld,https://ecm.domain.tld,http://app.domain.local:8000
+ template: deployment-share.yaml
+ - equal:
+ path: spec.template.spec.containers[0].env[2].value
+ value: https://ecm.domain.tld
+ template: deployment-share.yaml
+
+ - it: should render a default Xorigin restriction config
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].env[0].value
+ value: http://localhost/.*\|https://localhost/.*
+ template: deployment-share.yaml
+ - equal:
+ path: spec.template.spec.containers[0].env[1].value
+ value: http://localhost,https://localhost
+ template: deployment-share.yaml
+ - equal:
+ path: spec.template.spec.containers[0].env[2].value
+ value: http://localhost
 template: deployment-share.yaml
 - it: should render extra configs
diff --git a/charts/alfresco-share/values.yaml b/charts/alfresco-share/values.yaml
index dccf0d78..2d22ad41 100644
--- a/charts/alfresco-share/values.yaml
+++ b/charts/alfresco-share/values.yaml
@@ -7,13 +7,14 @@ repository:
 host: localhost
 # -- repository port where service is exposed
 port: 8080
- # -- a pre-existing configmap which provides expected configuration for Share
- # REPO_HOST
- # REPO_PORT
- # CSRF_FILTER_REFERER
- # CSRF_FILTER_ORIGIN
- # EXTERNAL_HOST
 existingConfigMap:
+ # -- a pre-existing configmap which provides expected configuration for Share
+ name:
+ keys:
+ # -- name of the key in the configMap where to find the repository service host
+ host: REPO_HOST
+ # -- name of the key in the configMap where to find the repository service port
+ port: REPO_PORT
 # -- Provide the list of URL considered allowed to access Share resources (used
 # for CSRF protection). The value be either a list of strings or a single
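Review bot: The expected `CSRF_FILTER_REFERER` values pinned for `env[0]` (for example `https://ecm.domain.tld/myapp/callback/.*`) put host names into a regex with `.` left unescaped, so a dot in the host matches any character and the filter would accept more referers than the listed hosts. This assumes Share evaluates the value as a regular expression, as the test title states; the helper that builds it lives in alfresco-common and is not part of this diff. Consider escaping the dots in that helper and pinning the escaped form here, after confirming the escape survives the variable substitution the title mentions. The `env[N]` index paths also tie every assertion to the entry order in the template; the `contains` form the removed lines used would match on `name` instead.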
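Review bot: The helm-docs comment on `name` in values.yaml still says the ConfigMap "provides expected configuration for Share", but the new side shows that only the two keys named under `keys` are read from it. Operators who kept `CSRF_FILTER_REFERER`, `CSRF_FILTER_ORIGIN` or `EXTERNAL_HOST` in that ConfigMap will, judging by the deployment template change in this commit, have those entries ignored and need to move their allow-list to `known_urls`. I would spell that out, e.g. `# -- name of a pre-existing ConfigMap in the release namespace holding the repository host and port (CSRF settings are no longer read from it, use known_urls)`.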