fix: port naming/app protocol tls.enabled (#90)

- Add template for platform port name and use in deployment & service.
- Update appProtocol template to use https when tls.enabled

Fixes Istio TLS Passthrough scenario where appProtocol override does not
appear to work; so uses port naming instead :
https://istio.io/latest/docs/ops/configuration/traffic-management/protocol-selection/

Author: ttschampel

charts/platform/templates/_helpers.tpl

@@ -132,9 +132,17 @@ This takes an array of three values:
 {{- end -}}
 {{- end -}}
 
-{{- define "determine.appProtocol" -}}
+{{- define "platform.portName" -}}
 {{- if .Values.server.tls.enabled -}}
+https
+{{- else -}}
 http2
+{{- end -}}
+{{- end -}}
+
+{{- define "determine.appProtocol" -}}
+{{- if .Values.server.tls.enabled -}}
+https
 {{- else -}}
 {{- if (include "isOpenshift" .) -}}
 h2c

charts/platform/templates/deployment.yaml

@@ -47,20 +47,20 @@ spec:
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
-            - name: http2
+            - name: {{ include "platform.portName" . }}
               containerPort: {{ .Values.server.port }}
               protocol: TCP
           {{ if not .Values.server.disableHealthChecks }}
           livenessProbe:
             httpGet:
               scheme: {{ if .Values.server.tls.enabled }}HTTPS{{ else }}HTTP{{ end }}              
               path: /healthz
-              port: http2
+              port: {{ include "platform.portName" . }}
           readinessProbe:
             httpGet:
               scheme: {{ if .Values.server.tls.enabled }}HTTPS{{ else }}HTTP{{ end }}
               path: /healthz?service=all
-              port: http2
+              port: {{ include "platform.portName" . }}
           {{ end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}

charts/platform/templates/service.yaml

@@ -10,9 +10,9 @@ spec:
   type: {{ .Values.service.type }}
   ports:
     - port: {{ .Values.service.port }}
-      targetPort: http2
+      targetPort: {{ include "platform.portName" . }}
       appProtocol:  {{ include "determine.appProtocol" . }}
       protocol: TCP
-      name: http2
+      name: {{ include "platform.portName" . }}
   selector:
     {{- include "chart.selectorLabels" . | nindent 4 }}

tests/chart_platform_template_test.go

@@ -1,17 +1,16 @@
 package test
 
 import (
-	"path/filepath"
-	"strings"
-	"testing"
-
 	"github.com/gruntwork-io/terratest/modules/helm"
 	"github.com/gruntwork-io/terratest/modules/k8s"
 	"github.com/gruntwork-io/terratest/modules/random"
 	"github.com/stretchr/testify/suite"
-	"gopkg.in/yaml.v3"
+	yaml3 "gopkg.in/yaml.v3"
 	appv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
+	"path/filepath"
+	"strings"
+	"testing"
 )
 
 type PlatformChartTemplateSuite struct {
@@ -513,7 +512,7 @@ func (s *PlatformChartTemplateSuite) Test_Custom_Config_Template_Services_Merged
 	helm.UnmarshalK8SYaml(s.T(), output, &cm)
 
 	var config map[string]interface{}
-	s.Require().NoError(yaml.Unmarshal([]byte(cm.Data["opentdf.yaml"]), &config))
+	s.Require().NoError(yaml3.Unmarshal([]byte(cm.Data["opentdf.yaml"]), &config))
 
 	s.Require().Equal(releaseName+"-platform", cm.Name)
 
@@ -530,7 +529,7 @@ func (s *PlatformChartTemplateSuite) Test_Custom_Config_Template_Services_Merged
 	s.Require().True(testServiceKeyFound)
 }
 
-func (s *PlatformChartTemplateSuite) Test_TLS_Enabled_Expect_HTTP2_AppProtocol() {
+func (s *PlatformChartTemplateSuite) Test_TLS_Enabled_Expect_HTTPS_AppProtocol() {
 	releaseName := "basic"
 
 	namespaceName := "opentdf-" + strings.ToLower(random.UniqueId())
@@ -547,7 +546,18 @@ func (s *PlatformChartTemplateSuite) Test_TLS_Enabled_Expect_HTTP2_AppProtocol()
 	helm.UnmarshalK8SYaml(s.T(), output, &svc)
 
 	for _, port := range svc.Spec.Ports {
-		s.Require().Equal("http2", *port.AppProtocol)
+		s.Require().Equal("https", *port.AppProtocol)
+	}
+
+	output = helm.RenderTemplate(s.T(), options, s.chartPath, releaseName, []string{"templates/deployment.yaml"})
+	var deployment appv1.Deployment
+	helm.UnmarshalK8SYaml(s.T(), output, &deployment)
+	for _, container := range deployment.Spec.Template.Spec.Containers {
+		for _, port := range container.Ports {
+			s.Require().Equal("https", port.Name)
+		}
+		s.Require().Equal("https", container.ReadinessProbe.HTTPGet.Port.String())
+		s.Require().Equal("https", container.LivenessProbe.HTTPGet.Port.String())
 	}
 }
 
@@ -567,6 +577,17 @@ func (s *PlatformChartTemplateSuite) Test_TLS_Disabled_Generic_K8S_Expect_K8S_H2
 	for _, port := range svc.Spec.Ports {
 		s.Require().Equal("kubernetes.io/h2c", *port.AppProtocol)
 	}
+
+	output = helm.RenderTemplate(s.T(), options, s.chartPath, releaseName, []string{"templates/deployment.yaml"})
+	var deployment appv1.Deployment
+	helm.UnmarshalK8SYaml(s.T(), output, &deployment)
+	for _, container := range deployment.Spec.Template.Spec.Containers {
+		for _, port := range container.Ports {
+			s.Require().Equal("http2", port.Name)
+		}
+		s.Require().Equal("http2", container.ReadinessProbe.HTTPGet.Port.String())
+		s.Require().Equal("http2", container.LivenessProbe.HTTPGet.Port.String())
+	}
 }
 
 func (s *PlatformChartTemplateSuite) Test_TLS_Disabled_Openshift_Expect_H2C_AppProtocol() {