Bump com.nimbusds:nimbus-jose-jwt from 9.47 to 9.48 #137
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Java SPIFFE Helper CI | |
on: | |
- pull_request | |
jobs: | |
test: | |
name: Test with SPIRE helm chart in version ${{ matrix.spire-chart-version.spire }} | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
spire-chart-version: | |
- spire: '0.17.x' | |
crds: '0.3.x' | |
env: | |
HELM_REPOSITORY: https://spiffe.github.io/helm-charts-hardened/ | |
KEYSTORE_COMMON_NAME: keystore-${{ github.sha }} | |
TRUSTSTORE_COMMON_NAME: truststore-${{ github.sha }} | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Setup QEMU | |
uses: docker/setup-qemu-action@v3 | |
- name: Setup buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Setup Java | |
uses: actions/setup-java@v4 | |
with: | |
distribution: 'temurin' | |
java-version: '17' | |
- name: Build container | |
uses: docker/build-push-action@v6 | |
with: | |
context: . | |
tags: java-spiffe-helper:test | |
load: true | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
- name: Create local kubernetes cluster | |
uses: helm/kind-action@v1 | |
with: | |
cluster_name: kind | |
- name: Load container image onto kubernetes node | |
run: kind load docker-image java-spiffe-helper:test --name kind | |
- name: Install SPIRE CRDs in version ${{ matrix.spire-chart-version.crds }} | |
run: | | |
helm upgrade --install -n spire-server spire-crds spire-crds \ | |
--repo ${{ env.HELM_REPOSITORY }} \ | |
--version ${{ matrix.spire-chart-version.crds }} \ | |
--create-namespace | |
- name: Install SPIRE server in version ${{ matrix.spire-chart-version.spire }} and set to-be-verified values for common name | |
run: | | |
helm upgrade --install -n spire-server spire spire \ | |
--repo ${{ env.HELM_REPOSITORY }} \ | |
--version ${{ matrix.spire-chart-version.spire }} \ | |
--values .github/ci-k8s-configs/spire-values.yaml \ | |
--set spire-server.ca_subject.common_name="$TRUSTSTORE_COMMON_NAME" \ | |
--set spire-server.controllerManager.identities.clusterSPIFFEIDs.java-spiffe-helper.dnsNameTemplates[0]="$KEYSTORE_COMMON_NAME" | |
- name: Deploy java-spiffe-helper pod to local cluster | |
run: kubectl apply -f .github/ci-k8s-configs/java-spiffe-helper.yaml | |
- name: Wait for java-spiffe-helper pod to become ready | |
run: kubectl wait pod/java-spiffe-helper --for condition=Ready --timeout=90s | |
- name: Output logs of java-spiffe-helper pod | |
if: ${{ failure() }} | |
run: kubectl logs pod/java-spiffe-helper | |
- name: Describe java-spiffe-helper pod | |
if: ${{ failure() }} | |
run: kubectl describe pod/java-spiffe-helper | |
- name: Copy keystore from java-spiffe-helper pod | |
run: kubectl cp java-spiffe-helper:/tmp/keystore.p12 keystore.p12 | |
- name: Copy truststore from java-spiffe-helper pod | |
run: kubectl cp java-spiffe-helper:/tmp/truststore.p12 truststore.p12 | |
- name: Verify keystore contains configured common name | |
run: keytool -v -list -keystore keystore.p12 -storepass password | grep "CN=${{ env.KEYSTORE_COMMON_NAME }}" | |
- name: Output keystore contents | |
if: ${{ failure() }} | |
run: keytool -v -list -keystore keystore.p12 -storepass password | |
- name: Verify truststore contains configured common name | |
run: keytool -v -list -keystore truststore.p12 -storepass password | grep "CN=${{ env.TRUSTSTORE_COMMON_NAME }}" | |
- name: Output truststore contents | |
if: ${{ failure() }} | |
run: keytool -v -list -keystore truststore.p12 -storepass password |