add grpc-client for testing

Signed-off-by: clyang82 <chuyang@redhat.com>

Author: clyang82

charts/maestro-server/templates/deployment.yaml

@@ -58,7 +58,7 @@ spec:
         secret:
           secretName: maestro-https-certs
       {{- end }}
-      {{- if .Values.server.grpc.tls.enabled }}
+      {{- if and .Values.server.grpc.enabled .Values.server.grpc.tls.enabled }}
       - name: maestro-grpc-cert
         secret:
           secretName: maestro-grpc-cert
@@ -125,7 +125,7 @@ spec:
           mountPath: /secrets/https-certs
           readOnly: true
         {{- end }}
-        {{- if .Values.server.grpc.tls.enabled }}
+        {{- if and .Values.server.grpc.enabled .Values.server.grpc.tls.enabled }}
         - name: maestro-grpc-cert
           mountPath: /secrets/maestro-grpc-cert
           readOnly: true
@@ -158,10 +158,10 @@ spec:
         - --https-cert-file=/secrets/https-certs/tls.crt
         - --https-key-file=/secrets/https-certs/tls.key
         {{- end }}
-        {{- if .Values.server.grpc.tls.enabled }}
-        - --grpc-server-tls-cert-file={{ .Values.server.grpc.tls.certFile }}
-        - --grpc-server-tls-key-file={{ .Values.server.grpc.tls.keyFile }}
-        - --grpc-server-client-ca-file={{ .Values.server.grpc.tls.clientCAFile }}
+        {{- if and .Values.server.grpc.enabled .Values.server.grpc.tls.enabled }}
+        - --grpc-tls-cert-file={{ .Values.server.grpc.tls.certFile }}
+        - --grpc-tls-key-file={{ .Values.server.grpc.tls.keyFile }}
+        - --grpc-client-ca-file={{ .Values.server.grpc.tls.clientCAFile }}
         {{- end }}
         {{- if and (eq .Values.messageBroker.type "grpc") .Values.grpc.tls.enabled }}
         - --grpc-broker-tls-cert-file={{ .Values.grpc.tls.certFile }}

charts/maestro-server/templates/grpc.yaml

@@ -1,5 +1,4 @@
 {{- if and (eq .Values.messageBroker.type "grpc") .Values.grpc.enabled -}}
-
 ---
 apiVersion: v1
 kind: Secret

test/setup/deploy_server.sh

@@ -70,6 +70,11 @@ server:
   grpc:
     enabled: true
     bindPort: 8090
+    tls:
+      enabled: ${tls_enable}
+      certFile: /secrets/maestro-grpc-cert/server.crt
+      keyFile: /secrets/maestro-grpc-cert/server.key
+      clientCAFile: /secrets/maestro-grpc-cert/ca.crt
   metrics:
     bindPort: 8080
     https:
@@ -86,11 +91,6 @@ service:
     port: 8000
     nodePort: 30080
   grpc:
-    tls:
-      enabled: ${tls_enable}
-      certFile: /secrets/maestro-grpc-cert/server.crt
-      keyFile: /secrets/maestro-grpc-cert/server.key
-      clientCAFile: /secrets/maestro-grpc-cert/ca.crt
     type: NodePort
     port: 8090
     nodePort: 30090
@@ -173,6 +173,11 @@ kubectl wait deploy/maestro -n $namespace --for condition=Available=True --timeo
 # TODO use maestro service health check to ensure the service ready
 sleep 30 # wait 30 seconds for the service ready
 
+if [ "$tls_enable" = "true" ]; then
+  # deploy grpc-client-token for testing
+  kubectl apply -f "${PWD}/test/setup/grpc-client" -n ${namespace}
+fi
+
 # Expose the RESTAPI and gRPC service hosts
 # HTTPS is enabled unless Istio is enabled (Istio handles mTLS)
 if [ "$enable_istio" = "true" ]; then

test/setup/grpc-client/grpc-client.yaml

@@ -0,0 +1,28 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: grpc-pub-sub
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: grpc-pub-sub
+subjects:
+- kind: User
+  name: grpc-client
+  apiGroup: rbac.authorization.k8s.io
+- kind: ServiceAccount
+  name: grpc-client
+  namespace: maestro
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: grpc-client
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: grpc-client-token
+  annotations:
+    kubernetes.io/service-account.name: grpc-client
+type: kubernetes.io/service-account-token