Add functional test for java-spiffe-helper

Signed-off-by: Moritz Schmitz von Hülst <[email protected]>
moritzschmitz-oviva · Feb 14, 2024 · d2c5d32 · d2c5d32
1 parent 93da062
commit d2c5d32
Show file tree

Hide file tree

Showing 3 changed files with 123 additions and 0 deletions.
diff --git a/.github/tests/java-spiffe-helper.yaml b/.github/tests/java-spiffe-helper.yaml
@@ -0,0 +1,49 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: java-spiffe-helper
+data:
+  java-spiffe-helper.properties: |
+    keyStorePath=/tmp/keystore.p12
+    keyStorePass=password
+    keyPass=password
+    trustStorePath=/tmp/truststore.p12
+    trustStorePass=password
+    keyStoreType=pkcs12
+    keyAlias=spiffe
+    spiffeSocketPath=unix:/run/spire/agent-sockets/spire-agent.sock
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: java-spiffe-helper
+  labels:
+    app: java-spiffe-helper
+spec:
+  containers:
+    - name: java-spiffe-helper
+      image: java-spiffe-helper:test
+      imagePullPolicy: IfNotPresent
+      readinessProbe:
+        initialDelaySeconds: 15
+        exec:
+          command:
+            - ls
+            - /tmp/truststore.p12
+      volumeMounts:
+        - name: properties
+          mountPath: /app/java-spiffe-helper.properties
+          subPath: java-spiffe-helper.properties
+        - name: spire-sockets
+          mountPath: /run/spire/agent-sockets
+          readOnly: true
+  restartPolicy: Never
+  volumes:
+    - name: properties
+      configMap:
+        name: java-spiffe-helper
+    - name: spire-sockets
+      hostPath:
+        path: /run/spire/agent-sockets
+        type: DirectoryOrCreate
diff --git a/.github/tests/spire-values.yaml.tpl b/.github/tests/spire-values.yaml.tpl
@@ -0,0 +1,18 @@
+spire-server:
+  ca_subject:
+    common_name: $TRUSTSTORE_COMMON_NAME
+  controllerManager:
+    identities:
+      clusterSPIFFEIDs:
+        default:
+          enabled: false
+        java-spiffe-helper:
+          spiffeIDTemplate: spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}
+          namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: default
+          podSelector:
+            matchLabels:
+              app: java-spiffe-helper
+          dnsNameTemplates:
+            - $KEYSTORE_COMMON_NAME
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -0,0 +1,56 @@
+name: Test
+
+on:
+  - push
+  - pull_request
+
+jobs:
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+
+    env:
+      KEYSTORE_COMMON_NAME: keystore-${{ github.sha }}
+      TRUSTSTORE_COMMON_NAME: truststore-${{ github.sha }}
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-qemu-action@v3
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/build-push-action@v5
+        with:
+          context: .
+          tags: java-spiffe-helper:test
+          load: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+      - uses: helm/kind-action@v1
+        with:
+          cluster_name: kind
+      - run: kind load docker-image java-spiffe-helper:test --name kind
+      - run: helm upgrade --install -n spire-server spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace
+      - run: envsubst < .github/tests/spire-values.yaml.tpl > .github/tests/spire-values.yaml
+      - run: helm upgrade --install -n spire-server spire spire --repo https://spiffe.github.io/helm-charts-hardened/ -f .github/tests/spire-values.yaml
+      - run: kubectl apply -f .github/tests/java-spiffe-helper.yaml
+      - run: kubectl wait pod/java-spiffe-helper --for condition=Ready --timeout=90s
+      - if: ${{ failure() }}
+        run: kubectl logs pod/java-spiffe-helper > java-spiffe-helper.log
+      - if: ${{ failure() }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: logs
+          path: java-spiffe-helper.log
+      - if: ${{ failure() }}
+        run: kubectl describe pods -lapp=java-spiffe-helper
+      - uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: '17'
+      - run: kubectl cp java-spiffe-helper:/tmp/keystore.p12 keystore.p12
+      - run: kubectl cp java-spiffe-helper:/tmp/truststore.p12 truststore.p12
+      - run: keytool -v -list -keystore keystore.p12 -storepass password | grep "CN=${{ env.KEYSTORE_COMMON_NAME }}"
+      - if: ${{ failure() }}
+        run: keytool -v -list -keystore keystore.p12 -storepass password
+      - run: keytool -v -list -keystore truststore.p12 -storepass password | grep "CN=${{ env.TRUSTSTORE_COMMON_NAME }}"
+      - if: ${{ failure() }}
+        run: keytool -v -list -keystore truststore.p12 -storepass password