diff --git a/.github/ci-k8s-configs/java-spiffe-helper.yaml b/.github/ci-k8s-configs/java-spiffe-helper.yaml new file mode 100644 index 0000000..bfc9956 --- /dev/null +++ b/.github/ci-k8s-configs/java-spiffe-helper.yaml @@ -0,0 +1,49 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: java-spiffe-helper +data: + java-spiffe-helper.properties: | + keyStorePath=/tmp/keystore.p12 + keyStorePass=password + keyPass=password + trustStorePath=/tmp/truststore.p12 + trustStorePass=password + keyStoreType=pkcs12 + keyAlias=spiffe + spiffeSocketPath=unix:/run/spire/agent-sockets/spire-agent.sock +--- +apiVersion: v1 +kind: Pod +metadata: + name: java-spiffe-helper + labels: + app: java-spiffe-helper +spec: + containers: + - name: java-spiffe-helper + image: java-spiffe-helper:test + imagePullPolicy: IfNotPresent + readinessProbe: + initialDelaySeconds: 15 + exec: + command: + - ls + - /tmp/truststore.p12 + volumeMounts: + - name: properties + mountPath: /app/java-spiffe-helper.properties + subPath: java-spiffe-helper.properties + - name: spire-sockets + mountPath: /run/spire/agent-sockets + readOnly: true + restartPolicy: Never + volumes: + - name: properties + configMap: + name: java-spiffe-helper + - name: spire-sockets + hostPath: + path: /run/spire/agent-sockets + type: DirectoryOrCreate diff --git a/.github/ci-k8s-configs/spire-values.yaml b/.github/ci-k8s-configs/spire-values.yaml new file mode 100644 index 0000000..e4e1708 --- /dev/null +++ b/.github/ci-k8s-configs/spire-values.yaml @@ -0,0 +1,18 @@ +spire-server: + ca_subject: + common_name: common_name + controllerManager: + identities: + clusterSPIFFEIDs: + default: + enabled: false + java-spiffe-helper: + spiffeIDTemplate: spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }} + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: default + podSelector: + matchLabels: + app: java-spiffe-helper + dnsNameTemplates: + - dnsNameTemplate diff --git a/.github/workflows/java-spiffe-helper-ci.yaml b/.github/workflows/java-spiffe-helper-ci.yaml new file mode 100644 index 0000000..87e3b67 --- /dev/null +++ b/.github/workflows/java-spiffe-helper-ci.yaml @@ -0,0 +1,85 @@ +name: Java SPIFFE Helper CI + +on: + - pull_request + +jobs: + test: + name: Test with SPIRE helm chart in version ${{ matrix.spire-chart-version.spire }} + runs-on: ubuntu-latest + + strategy: + matrix: + spire-chart-version: + - spire: '0.17.x' + crds: '0.3.x' + + env: + HELM_REPOSITORY: https://spiffe.github.io/helm-charts-hardened/ + KEYSTORE_COMMON_NAME: keystore-${{ github.sha }} + TRUSTSTORE_COMMON_NAME: truststore-${{ github.sha }} + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + - name: Setup QEMU + uses: docker/setup-qemu-action@v3 + - name: Setup buildx + uses: docker/setup-buildx-action@v3 + - name: Setup Java + uses: actions/setup-java@v4 + with: + distribution: 'temurin' + java-version: '17' + - name: Build container + uses: docker/build-push-action@v5 + with: + context: . + tags: java-spiffe-helper:test + load: true + cache-from: type=gha + cache-to: type=gha,mode=max + - name: Create local kubernetes cluster + uses: helm/kind-action@v1 + with: + cluster_name: kind + - name: Load container image onto kubernetes node + run: kind load docker-image java-spiffe-helper:test --name kind + - name: Install SPIRE CRDs in version ${{ matrix.spire-chart-version.crds }} + run: | + helm upgrade --install -n spire-server spire-crds spire-crds \ + --repo ${{ env.HELM_REPOSITORY }} \ + --version ${{ matrix.spire-chart-version.crds }} \ + --create-namespace + - name: Install SPIRE server in version ${{ matrix.spire-chart-version.spire }} and set to-be-verified values for common name + run: | + helm upgrade --install -n spire-server spire spire \ + --repo ${{ env.HELM_REPOSITORY }} \ + --version ${{ matrix.spire-chart-version.spire }} \ + --values .github/ci-k8s-configs/spire-values.yaml \ + --set spire-server.ca_subject.common_name="$TRUSTSTORE_COMMON_NAME" \ + --set spire-server.controllerManager.identities.clusterSPIFFEIDs.java-spiffe-helper.dnsNameTemplates[0]="$KEYSTORE_COMMON_NAME" + - name: Deploy java-spiffe-helper pod to local cluster + run: kubectl apply -f .github/ci-k8s-configs/java-spiffe-helper.yaml + - name: Wait for java-spiffe-helper pod to become ready + run: kubectl wait pod/java-spiffe-helper --for condition=Ready --timeout=90s + - name: Output logs of java-spiffe-helper pod + if: ${{ failure() }} + run: kubectl logs pod/java-spiffe-helper + - name: Describe java-spiffe-helper pod + if: ${{ failure() }} + run: kubectl describe pod/java-spiffe-helper + - name: Copy keystore from java-spiffe-helper pod + run: kubectl cp java-spiffe-helper:/tmp/keystore.p12 keystore.p12 + - name: Copy truststore from java-spiffe-helper pod + run: kubectl cp java-spiffe-helper:/tmp/truststore.p12 truststore.p12 + - name: Verify keystore contains configured common name + run: keytool -v -list -keystore keystore.p12 -storepass password | grep "CN=${{ env.KEYSTORE_COMMON_NAME }}" + - name: Output keystore contents + if: ${{ failure() }} + run: keytool -v -list -keystore keystore.p12 -storepass password + - name: Verify truststore contains configured common name + run: keytool -v -list -keystore truststore.p12 -storepass password | grep "CN=${{ env.TRUSTSTORE_COMMON_NAME }}" + - name: Output truststore contents + if: ${{ failure() }} + run: keytool -v -list -keystore truststore.p12 -storepass password