Add functional test for java-spiffe-helper (#207)

Add functional test for java-spiffe-helper

Signed-off-by: Moritz Schmitz von Hülst <moritz.schmitz@oviva.com>

* Only run on pull_request

Signed-off-by: Moritz Schmitz von Hülst <moritz.schmitz@oviva.com>

* No need for selector, there is only one pod

Signed-off-by: Moritz Schmitz von Hülst <moritz.schmitz@oviva.com>

* Implement suggested changes

Signed-off-by: Moritz Schmitz von Hülst <moritz.schmitz@oviva.com>

* Use tee for logs

Signed-off-by: Moritz Schmitz von Hülst <moritz.schmitz@oviva.com>

* A few changes according to comments

Signed-off-by: Moritz Schmitz von Hülst <moritz.schmitz@oviva.com>

* Extend workflow to support multiple semver ranges for SPIRE helm charts

Signed-off-by: Moritz Schmitz von Hülst <moritz.schmitz@oviva.com>

* Extend workflow to support multiple semver ranges for SPIRE helm charts

Signed-off-by: Moritz Schmitz von Hülst <moritz.schmitz@oviva.com>

* USe SemVer range instead of fixed version

Signed-off-by: Moritz Schmitz von Hülst <moritz.schmitz@oviva.com>

---------

Signed-off-by: Moritz Schmitz von Hülst <moritz.schmitz@oviva.com>
Co-authored-by: Max Lambrecht <maxlambrecht@gmail.com>

.github/ci-k8s-configs/java-spiffe-helper.yaml

@@ -0,0 +1,49 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: java-spiffe-helper
+data:
+  java-spiffe-helper.properties: |
+    keyStorePath=/tmp/keystore.p12
+    keyStorePass=password
+    keyPass=password
+    trustStorePath=/tmp/truststore.p12
+    trustStorePass=password
+    keyStoreType=pkcs12
+    keyAlias=spiffe
+    spiffeSocketPath=unix:/run/spire/agent-sockets/spire-agent.sock
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: java-spiffe-helper
+  labels:
+    app: java-spiffe-helper
+spec:
+  containers:
+    - name: java-spiffe-helper
+      image: java-spiffe-helper:test
+      imagePullPolicy: IfNotPresent
+      readinessProbe:
+        initialDelaySeconds: 15
+        exec:
+          command:
+            - ls
+            - /tmp/truststore.p12
+      volumeMounts:
+        - name: properties
+          mountPath: /app/java-spiffe-helper.properties
+          subPath: java-spiffe-helper.properties
+        - name: spire-sockets
+          mountPath: /run/spire/agent-sockets
+          readOnly: true
+  restartPolicy: Never
+  volumes:
+    - name: properties
+      configMap:
+        name: java-spiffe-helper
+    - name: spire-sockets
+      hostPath:
+        path: /run/spire/agent-sockets
+        type: DirectoryOrCreate

.github/ci-k8s-configs/spire-values.yaml

@@ -0,0 +1,18 @@
+spire-server:
+  ca_subject:
+    common_name: common_name
+  controllerManager:
+    identities:
+      clusterSPIFFEIDs:
+        default:
+          enabled: false
+        java-spiffe-helper:
+          spiffeIDTemplate: spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}
+          namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: default
+          podSelector:
+            matchLabels:
+              app: java-spiffe-helper
+          dnsNameTemplates:
+            - dnsNameTemplate

.github/workflows/java-spiffe-helper-ci.yaml

@@ -0,0 +1,85 @@
+name: Java SPIFFE Helper CI
+
+on:
+  - pull_request
+
+jobs:
+  test:
+    name: Test with SPIRE helm chart in version ${{ matrix.spire-chart-version.spire }}
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        spire-chart-version:
+          - spire: '0.17.x'
+            crds: '0.3.x'
+
+    env:
+      HELM_REPOSITORY: https://spiffe.github.io/helm-charts-hardened/
+      KEYSTORE_COMMON_NAME: keystore-${{ github.sha }}
+      TRUSTSTORE_COMMON_NAME: truststore-${{ github.sha }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Setup buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Setup Java
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: '17'
+      - name: Build container
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          tags: java-spiffe-helper:test
+          load: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+      - name: Create local kubernetes cluster
+        uses: helm/kind-action@v1
+        with:
+          cluster_name: kind
+      - name: Load container image onto kubernetes node
+        run: kind load docker-image java-spiffe-helper:test --name kind
+      - name: Install SPIRE CRDs in version ${{ matrix.spire-chart-version.crds }}
+        run: |
+          helm upgrade --install -n spire-server spire-crds spire-crds \
+            --repo ${{ env.HELM_REPOSITORY }} \
+            --version ${{ matrix.spire-chart-version.crds }} \
+            --create-namespace
+      - name: Install SPIRE server in version ${{ matrix.spire-chart-version.spire }} and set to-be-verified values for common name
+        run: |
+          helm upgrade --install -n spire-server spire spire \
+            --repo ${{ env.HELM_REPOSITORY }} \
+            --version ${{ matrix.spire-chart-version.spire }} \
+            --values .github/ci-k8s-configs/spire-values.yaml \
+            --set spire-server.ca_subject.common_name="$TRUSTSTORE_COMMON_NAME" \
+            --set spire-server.controllerManager.identities.clusterSPIFFEIDs.java-spiffe-helper.dnsNameTemplates[0]="$KEYSTORE_COMMON_NAME"
+      - name: Deploy java-spiffe-helper pod to local cluster
+        run: kubectl apply -f .github/ci-k8s-configs/java-spiffe-helper.yaml
+      - name: Wait for java-spiffe-helper pod to become ready
+        run: kubectl wait pod/java-spiffe-helper --for condition=Ready --timeout=90s
+      - name: Output logs of java-spiffe-helper pod
+        if: ${{ failure() }}
+        run: kubectl logs pod/java-spiffe-helper
+      - name: Describe java-spiffe-helper pod
+        if: ${{ failure() }}
+        run: kubectl describe pod/java-spiffe-helper
+      - name: Copy keystore from java-spiffe-helper pod
+        run: kubectl cp java-spiffe-helper:/tmp/keystore.p12 keystore.p12
+      - name: Copy truststore from java-spiffe-helper pod
+        run: kubectl cp java-spiffe-helper:/tmp/truststore.p12 truststore.p12
+      - name: Verify keystore contains configured common name
+        run: keytool -v -list -keystore keystore.p12 -storepass password | grep "CN=${{ env.KEYSTORE_COMMON_NAME }}"
+      - name: Output keystore contents
+        if: ${{ failure() }}
+        run: keytool -v -list -keystore keystore.p12 -storepass password
+      - name: Verify truststore contains configured common name
+        run: keytool -v -list -keystore truststore.p12 -storepass password | grep "CN=${{ env.TRUSTSTORE_COMMON_NAME }}"
+      - name: Output truststore contents
+        if: ${{ failure() }}
+        run: keytool -v -list -keystore truststore.p12 -storepass password