From d2c5d32bd007645c9d807ec392490d2b1255d79a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Moritz=20Schmitz=20von=20H=C3=BClst?=
Date: Wed, 14 Feb 2024 08:02:47 +0100
Subject: [PATCH] Add functional test for java-spiffe-helper
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Moritz Schmitz von Hülst
---
 .github/tests/java-spiffe-helper.yaml | 49 +++++++++++++++++++++++
 .github/tests/spire-values.yaml.tpl | 18 +++++++++
 .github/workflows/test.yaml | 56 +++++++++++++++++++++++++++
 3 files changed, 123 insertions(+)
 create mode 100644 .github/tests/java-spiffe-helper.yaml
 create mode 100644 .github/tests/spire-values.yaml.tpl
 create mode 100644 .github/workflows/test.yaml
diff --git a/.github/tests/java-spiffe-helper.yaml b/.github/tests/java-spiffe-helper.yaml
new file mode 100644
index 00000000..bfc9956a
--- /dev/null
+++ b/.github/tests/java-spiffe-helper.yaml
@@ -0,0 +1,49 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: java-spiffe-helper
+data:
+ java-spiffe-helper.properties: |
+ keyStorePath=/tmp/keystore.p12
+ keyStorePass=password
+ keyPass=password
+ trustStorePath=/tmp/truststore.p12
+ trustStorePass=password
+ keyStoreType=pkcs12
+ keyAlias=spiffe
+ spiffeSocketPath=unix:/run/spire/agent-sockets/spire-agent.sock
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: java-spiffe-helper
+ labels:
+ app: java-spiffe-helper
+spec:
+ containers:
+ - name: java-spiffe-helper
+ image: java-spiffe-helper:test
+ imagePullPolicy: IfNotPresent
+ readinessProbe:
+ initialDelaySeconds: 15
+ exec:
+ command:
+ - ls
+ - /tmp/truststore.p12
+ volumeMounts:
+ - name: properties
+ mountPath: /app/java-spiffe-helper.properties
+ subPath: java-spiffe-helper.properties
+ - name: spire-sockets
+ mountPath: /run/spire/agent-sockets
+ readOnly: true
+ restartPolicy: Never
+ volumes:
+ - name: properties
+ configMap:
+ name: java-spiffe-helper
+ - name: spire-sockets
+ hostPath:
+ path: /run/spire/agent-sockets
+ type: DirectoryOrCreate
diff --git a/.github/tests/spire-values.yaml.tpl b/.github/tests/spire-values.yaml.tpl
new file mode 100644
index 00000000..368e92be
--- /dev/null
+++ b/.github/tests/spire-values.yaml.tpl
@@ -0,0 +1,18 @@
+spire-server:
+ ca_subject:
+ common_name: $TRUSTSTORE_COMMON_NAME
+ controllerManager:
+ identities:
+ clusterSPIFFEIDs:
+ default:
+ enabled: false
+ java-spiffe-helper:
+ spiffeIDTemplate: spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: default
+ podSelector:
+ matchLabels:
+ app: java-spiffe-helper
+ dnsNameTemplates:
+ - $KEYSTORE_COMMON_NAME
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
new file mode 100644
index 00000000..01a498d5
--- /dev/null
+++ b/.github/workflows/test.yaml
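Review bot: The `spire-sockets` hostPath volume uses `type: DirectoryOrCreate`, so when no SPIRE agent is present on the node the directory is created empty, the pod starts normally, and the only symptom is the readiness probe never passing and the workflow's `kubectl wait` timing out after 90s. A comment above the volume, `# agent socket dir of the spire chart; created empty (and the test times out) if the agent is absent`, would make that dependency explicit for whoever debugs a timeout. The Pod also relies on the namespace's implicit `default` service account, which the SPIFFE ID template in spire-values.yaml.tpl renders into the identity; adding `serviceAccountName: default` to the spec keeps the registration entry and the workload visibly in step. The readiness probe only checks that the truststore exists while the workflow later copies both stores; `ls /tmp/keystore.p12 /tmp/truststore.p12` in the probe command would gate on both. The keystore passwords in the ConfigMap are test fixtures; a leading comment stating that keeps them from being mistaken for something to rotate.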
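Review bot: The envsubst placeholders `$TRUSTSTORE_COMMON_NAME` and `$KEYSTORE_COMMON_NAME` are unquoted, so if either variable is unset when the template is rendered the output contains `common_name:` and `- ` with null values, and the failure surfaces later in the chart or in the keytool grep rather than at the missing variable. Quoting them as `common_name: "$TRUSTSTORE_COMMON_NAME"` and `- "$KEYSTORE_COMMON_NAME"` keeps the rendered values strings in every case and also protects against a value YAML would otherwise retype; checking that both variables are non-empty before the envsubst step in the workflow would make the failure immediate. The `spiffeIDTemplate` value is safe unquoted only because it does not begin with `{{`; quoting it as well removes that dependency on value order. Keeping the `default` identity disabled and scoping the `java-spiffe-helper` entry to the `default` namespace and the `app: java-spiffe-helper` label is the right least-privilege shape, and a one-line comment above `clusterSPIFFEIDs:` saying so would document the intent.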
@@ -0,0 +1,56 @@
+name: Test
+
+on:
+ - push
+ - pull_request
+
+jobs:
+ test:
+ name: Test
+ runs-on: ubuntu-latest
+
+ env:
+ KEYSTORE_COMMON_NAME: keystore-${{ github.sha }}
+ TRUSTSTORE_COMMON_NAME: truststore-${{ github.sha }}
+
+ steps:
+ - uses: actions/checkout@v4
+ - uses: docker/setup-qemu-action@v3
+ - uses: docker/setup-buildx-action@v3
+ - uses: docker/build-push-action@v5
+ with:
+ context: .
+ tags: java-spiffe-helper:test
+ load: true
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+ - uses: helm/kind-action@v1
+ with:
+ cluster_name: kind
+ - run: kind load docker-image java-spiffe-helper:test --name kind
+ - run: helm upgrade --install -n spire-server spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace
+ - run: envsubst < .github/tests/spire-values.yaml.tpl > .github/tests/spire-values.yaml
+ - run: helm upgrade --install -n spire-server spire spire --repo https://spiffe.github.io/helm-charts-hardened/ -f .github/tests/spire-values.yaml
+ - run: kubectl apply -f .github/tests/java-spiffe-helper.yaml
+ - run: kubectl wait pod/java-spiffe-helper --for condition=Ready --timeout=90s
+ - if: ${{ failure() }}
+ run: kubectl logs pod/java-spiffe-helper > java-spiffe-helper.log
+ - if: ${{ failure() }}
+ uses: actions/upload-artifact@v4
+ with:
+ name: logs
+ path: java-spiffe-helper.log
+ - if: ${{ failure() }}
+ run: kubectl describe pods -lapp=java-spiffe-helper
+ - uses: actions/setup-java@v4
+ with:
+ distribution: 'temurin'
+ java-version: '17'
+ - run: kubectl cp java-spiffe-helper:/tmp/keystore.p12 keystore.p12
+ - run: kubectl cp java-spiffe-helper:/tmp/truststore.p12 truststore.p12
+ - run: keytool -v -list -keystore keystore.p12 -storepass password | grep "CN=${{ env.KEYSTORE_COMMON_NAME }}"
+ - if: ${{ failure() }}
+ run: keytool -v -list -keystore keystore.p12 -storepass password
+ - run: keytool -v -list -keystore truststore.p12 -storepass password | grep "CN=${{ env.TRUSTSTORE_COMMON_NAME }}"
+ - if: ${{ failure() }}
+ run: keytool -v -list -keystore truststore.p12 -storepass password
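Review bot: The workflow declares no `permissions:` block, so the job's GITHUB_TOKEN receives whatever default grant the repository is configured with, which can be read/write across scopes, while nothing in these steps needs more than reading the checkout; adding `permissions:` with `  contents: read` at the top level pins the token to least privilege. The upload-artifact step and the `type=gha` build cache use the runner's runtime token rather than GITHUB_TOKEN, so the restriction should not affect them, but this is worth confirming on the first run. The third-party actions are pinned to moving major tags (`actions/checkout@v4`, `docker/build-push-action@v5` and the others) and both `helm upgrade --install` steps fetch whatever chart version the repository serves at run time; pinning the actions to full commit SHAs and adding `--version <CHART_VERSION>` to each helm step makes the test reproducible and limits exposure to an upstream change. The `keytool ... | grep` assertions rely on grep's exit status being the step result; because the default `run` shell is not invoked with `pipefail`, a keytool failure is only detected indirectly through the missing match, which is acceptable here but worth a short comment above the first of those steps.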