Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add functional test for java-spiffe-helper #207

Merged
merged 10 commits into from
Mar 1, 2024
Merged

Add functional test for java-spiffe-helper #207

merged 10 commits into from
Mar 1, 2024

Conversation

moritzschmitz-oviva
Copy link
Contributor

@moritzschmitz-oviva moritzschmitz-oviva commented Feb 14, 2024
edited
Loading

Closes #200

  1. Build the java-spiffe-helper container using the latest changes on the branch.
  2. Bootstrap a kind cluster and load the previously built image into it.
  3. Install the spire-server chart with dependencies. Set special values for the CN in the certificates. This is what we later test.
  4. Start the java-spiffe-helper container and let it do its magic.
  5. Copy the created *.jks files and verify the CN values set earlier.

Potential discussion topics:

  1. Using the latest spire charts. Perhaps pin the version here?
  2. Checking only for the CN. Anything else to check for? For example the properties are using hard-coded values. Could also make them dynamic.

@moritzschmitz-oviva moritzschmitz-oviva force-pushed the add-functional-test-for-java-spiffe-helper branch 2 times, most recently from ac58a5b to d2c5d32 Compare February 14, 2024 10:59
@moritzschmitz-oviva moritzschmitz-oviva marked this pull request as ready for review February 14, 2024 11:00
kfox1111
kfox1111 reviewed Feb 14, 2024
View reviewed changes
Copy link

@kfox1111 kfox1111 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good to me. :)

One possible change inline.

@kfox1111
Copy link

Looks good to me. :)

@moritzschmitz-oviva moritzschmitz-oviva force-pushed the add-functional-test-for-java-spiffe-helper branch from dfc4a16 to 0158e34 Compare February 16, 2024 13:06
@moritzschmitz-oviva
Add functional test for java-spiffe-helper
8d4b46f 
Signed-off-by: Moritz Schmitz von Hülst <[email protected]>
@moritzschmitz-oviva
Only run on pull_request
a0c6669 
Signed-off-by: Moritz Schmitz von Hülst <[email protected]>
@moritzschmitz-oviva
No need for selector, there is only one pod
bb86033 
Signed-off-by: Moritz Schmitz von Hülst <[email protected]>
@moritzschmitz-oviva
Implement suggested changes
56fa0de 
Signed-off-by: Moritz Schmitz von Hülst <[email protected]>
@moritzschmitz-oviva
Use tee for logs
b71d80a 
Signed-off-by: Moritz Schmitz von Hülst <[email protected]>
@moritzschmitz-oviva moritzschmitz-oviva force-pushed the add-functional-test-for-java-spiffe-helper branch from 0158e34 to b71d80a Compare February 19, 2024 14:31
maxlambrecht
maxlambrecht reviewed Feb 28, 2024
View reviewed changes
.github/workflows/test.yaml Outdated
@@ -0,0 +1,59 @@
name: Test
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
name: Test
name: Java SPIFFE Helper CI

.github/workflows/test.yaml Outdated
Comment on lines 39 to 59
- if: ${{ failure() }}
run: kubectl logs pod/java-spiffe-helper | tee java-spiffe-helper.log
- if: ${{ failure() }}
uses: actions/upload-artifact@v4
with:
name: logs
path: java-spiffe-helper.log
- if: ${{ failure() }}
run: kubectl describe pod/java-spiffe-helper
- uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: '17'
- run: kubectl cp java-spiffe-helper:/tmp/keystore.p12 keystore.p12
- run: kubectl cp java-spiffe-helper:/tmp/truststore.p12 truststore.p12
- run: keytool -v -list -keystore keystore.p12 -storepass password | grep "CN=${{ env.KEYSTORE_COMMON_NAME }}"
- if: ${{ failure() }}
run: keytool -v -list -keystore keystore.p12 -storepass password
- run: keytool -v -list -keystore truststore.p12 -storepass password | grep "CN=${{ env.TRUSTSTORE_COMMON_NAME }}"
- if: ${{ failure() }}
run: keytool -v -list -keystore truststore.p12 -storepass password
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd suggest adding step names to improve clarity, something like:

Suggested change
- if: ${{ failure() }}
run: kubectl logs pod/java-spiffe-helper | tee java-spiffe-helper.log
- if: ${{ failure() }}
uses: actions/upload-artifact@v4
with:
name: logs
path: java-spiffe-helper.log
- if: ${{ failure() }}
run: kubectl describe pod/java-spiffe-helper
- uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: '17'
- run: kubectl cp java-spiffe-helper:/tmp/keystore.p12 keystore.p12
- run: kubectl cp java-spiffe-helper:/tmp/truststore.p12 truststore.p12
- run: keytool -v -list -keystore keystore.p12 -storepass password | grep "CN=${{ env.KEYSTORE_COMMON_NAME }}"
- if: ${{ failure() }}
run: keytool -v -list -keystore keystore.p12 -storepass password
- run: keytool -v -list -keystore truststore.p12 -storepass password | grep "CN=${{ env.TRUSTSTORE_COMMON_NAME }}"
- if: ${{ failure() }}
run: keytool -v -list -keystore truststore.p12 -storepass password
- name: Capture Pod Logs on Failure
if: ${{ failure() }}
run: kubectl logs pod/java-spiffe-helper | tess java-spiffe-helper.log
- name: Upload Pod Logs on Failure
if: ${{ failure() }}
uses: actions/upload-artifact@v4
with:
name: java-spiffe-helper-logs
path: java-spiffe-helper.log
- name: Describe Pod on Failure
if: ${{ failure() }}
run: kubectl describe pod/java-spiffe-helper
- name: Setup Java Environment
uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: '17'
- name: Copy Keystore and Truststore from Pod
run: |
kubectl cp java-spiffe-helper:/tmp/keystore.p12 keystore.p12
kubectl cp java-spiffe-helper:/tmp/truststore.p12 truststore.p12
- name: Verify Keystore Common Name
run: keytool -v -list -keystore keystore.p12 -storepass ${{ secrets.KEYSTORE_PASSWORD }} | grep "CN=${{ env.KEYSTORE_COMMON_NAME }}"
if: ${{ failure() }}
run: keytool -v -list -keystore keystore.p12 -storepass ${{ secrets.KEYSTORE_PASSWORD }}
- name: Verify Truststore Common Name
run: keytool -v -list -keystore truststore.p12 -storepass ${{ secrets.TRUSTSTORE_PASSWORD }} | grep "CN=${{ env.TRUSTSTORE_COMMON_NAME }}"
if: ${{ failure() }}
run: keytool -v -list -keystore truststore.p12 -storepass ${{ secrets.TRUSTSTORE_PASSWORD }}

.github/workflows/test.yaml Outdated
Comment on lines 26 to 38
- uses: helm/kind-action@v1
with:
cluster_name: kind
- run: kind load docker-image java-spiffe-helper:test --name kind
- run: helm upgrade --install -n spire-server spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace
- run: |
helm upgrade --install -n spire-server spire spire \
--repo https://spiffe.github.io/helm-charts-hardened/ \
-f .github/tests/spire-values.yaml \
--set spire-server.ca_subject.common_name="$TRUSTSTORE_COMMON_NAME" \
--set spire-server.controllerManager.identities.clusterSPIFFEIDs.java-spiffe-helper.dnsNameTemplates[0]="$KEYSTORE_COMMON_NAME"
- run: kubectl apply -f .github/tests/java-spiffe-helper.yaml
- run: kubectl wait pod/java-spiffe-helper --for condition=Ready --timeout=90s
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This section could benefit from added clarity through the use of descriptive step names and breaking down complex commands for better readability:

Suggestion:

Suggested change
- uses: helm/kind-action@v1
with:
cluster_name: kind
- run: kind load docker-image java-spiffe-helper:test --name kind
- run: helm upgrade --install -n spire-server spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace
- run: |
helm upgrade --install -n spire-server spire spire \
--repo https://spiffe.github.io/helm-charts-hardened/ \
-f .github/tests/spire-values.yaml \
--set spire-server.ca_subject.common_name="$TRUSTSTORE_COMMON_NAME" \
--set spire-server.controllerManager.identities.clusterSPIFFEIDs.java-spiffe-helper.dnsNameTemplates[0]="$KEYSTORE_COMMON_NAME"
- run: kubectl apply -f .github/tests/java-spiffe-helper.yaml
- run: kubectl wait pod/java-spiffe-helper --for condition=Ready --timeout=90s
- name: Setup Kubernetes in Docker (KIND)
uses: helm/kind-action@v1
with:
cluster_name: kind
- name: Load Docker Image into KIND
run: kind load docker-image java-spiffe-helper:test --name kind
- name: Install SPIRE CRDs via Helm
run: helm upgrade --install -n spire-server spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace
- name: Configure and Install SPIRE Server
run: |
helm upgrade --install -n spire-server spire spire \
--repo https://spiffe.github.io/helm-charts-hardened/ \
-f .github/tests/spire-values.yaml \
--set spire-server.ca_subject.common_name="$TRUSTSTORE_COMMON_NAME" \
--set spire-server.controllerManager.identities.clusterSPIFFEIDs.java-spiffe-helper.dnsNameTemplates[0]="$KEYSTORE_COMMON_NAME"
- name: Apply java-spiffe-helper Kubernetes Configuration
run: kubectl apply -f .github/tests/java-spiffe-helper.yaml
- name: Wait for java-spiffe-helper Pod Readiness
run: kubectl wait pod/java-spiffe-helper --for condition=Ready --timeout=90s

@maxlambrecht
Copy link
Member

maxlambrecht commented Feb 28, 2024
edited
Loading

Hey @moritzschmitz-oviva, thanks a lot for this contribution!

I've reviewed the changes, left a few comments and have a couple of additional suggestions:

  • Could you please rename the test.yaml file to java-spiffe-helper-ci.yaml? This name better reflects its purpose within our CI pipeline.
  • Also, it would be great if we could rename the folder from github/workflows/tests to github/workflows/ci-k8s-configs.

In addition, I believe it's important to cover all supported LTS versions of Java to ensure compatibility. Could we update the job configuration to test against the following Java versions?

    name: Test on Java ${{ matrix.java_version }}
    runs-on: ubuntu-latest
    strategy:
      matrix:
        java_version: [8, 11, 17, 21]  # Including all current LTS versions

@moritzschmitz-oviva
A few changes according to comments
c60431e 
Signed-off-by: Moritz Schmitz von Hülst <[email protected]>
@moritzschmitz-oviva
Copy link
Contributor Author

  • Could you please rename the test.yaml file to java-spiffe-helper-ci.yaml? This name better reflects its purpose within our CI pipeline.

Done

  • Also, it would be great if we could rename the folder from github/workflows/tests to github/workflows/ci-k8s-configs.

Done

In addition, I believe it's important to cover all supported LTS versions of Java to ensure compatibility. Could we update the job configuration to test against the following Java versions?

I don't think this is necessary. The actions/setup-java in the workflow is only required for keytool. java-spiffe-helper itself is containerized and built with the same Dockerfile which is used for the 'main' build as well.

@maxlambrecht
Copy link
Member

I don't think this is necessary. The actions/setup-java in the workflow is only required for keytool. java-spiffe-helper itself is containerized and built with the same Dockerfile which is used for the 'main' build as well.

You are completely right!

@maxlambrecht
Copy link
Member

maxlambrecht commented Feb 29, 2024
edited
Loading

Hey @moritzschmitz-oviva, this PR looks good! I agree with the point you raised in the 'topics to discuss' about pinning the chart version. It's definitely a good practice that can enhance the stability of the test. Looking forward to seeing this adjustment.

As for the CN verification, it appears to be sufficient for the scope of this functional test. I'm particularly interested in seeing the java-spiffe-helper in action storing certificates in a JKS file, and then ensuring the expected cert is stored.

@moritzschmitz-oviva
Copy link
Contributor Author

Hey @moritzschmitz-oviva, this PR looks good! I agree with the point you raised in the 'topics to discuss' about pinning the chart version. It's definitely a good practice that can enhance the stability of the test. Looking forward to seeing this adjustment.

Adjusted the workflow. Perhaps over-engineered it a bit now. Adding additional chart versions should be straight forward for testing. I didn't pin the patch, because according to SemVer, patches must be backwards compatible changes.

maxlambrecht
maxlambrecht approved these changes Mar 1, 2024
View reviewed changes
Copy link
Member

@maxlambrecht maxlambrecht left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

Thanks, @moritzschmitz-oviva !

@maxlambrecht maxlambrecht merged commit 616e8bc into spiffe:main Mar 1, 2024
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@maxlambrecht maxlambrecht maxlambrecht approved these changes

@rturner3 rturner3 Awaiting requested review from rturner3 rturner3 is a code owner

@kfox1111 kfox1111 Awaiting requested review from kfox1111

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add Functional Test for java-spiffe-helper
3 participants
@moritzschmitz-oviva @kfox1111 @maxlambrecht