Skip to content

Bump com.nimbusds:nimbus-jose-jwt from 9.47 to 9.48 #137

Bump com.nimbusds:nimbus-jose-jwt from 9.47 to 9.48

Bump com.nimbusds:nimbus-jose-jwt from 9.47 to 9.48 #137

name: Java SPIFFE Helper CI
on:
- pull_request
jobs:
test:
name: Test with SPIRE helm chart in version ${{ matrix.spire-chart-version.spire }}
runs-on: ubuntu-latest
strategy:
matrix:
spire-chart-version:
- spire: '0.17.x'
crds: '0.3.x'
env:
HELM_REPOSITORY: https://spiffe.github.io/helm-charts-hardened/
KEYSTORE_COMMON_NAME: keystore-${{ github.sha }}
TRUSTSTORE_COMMON_NAME: truststore-${{ github.sha }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Setup QEMU
uses: docker/setup-qemu-action@v3
- name: Setup buildx
uses: docker/setup-buildx-action@v3
- name: Setup Java
uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: '17'
- name: Build container
uses: docker/build-push-action@v6
with:
context: .
tags: java-spiffe-helper:test
load: true
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Create local kubernetes cluster
uses: helm/kind-action@v1
with:
cluster_name: kind
- name: Load container image onto kubernetes node
run: kind load docker-image java-spiffe-helper:test --name kind
- name: Install SPIRE CRDs in version ${{ matrix.spire-chart-version.crds }}
run: |
helm upgrade --install -n spire-server spire-crds spire-crds \
--repo ${{ env.HELM_REPOSITORY }} \
--version ${{ matrix.spire-chart-version.crds }} \
--create-namespace
- name: Install SPIRE server in version ${{ matrix.spire-chart-version.spire }} and set to-be-verified values for common name
run: |
helm upgrade --install -n spire-server spire spire \
--repo ${{ env.HELM_REPOSITORY }} \
--version ${{ matrix.spire-chart-version.spire }} \
--values .github/ci-k8s-configs/spire-values.yaml \
--set spire-server.ca_subject.common_name="$TRUSTSTORE_COMMON_NAME" \
--set spire-server.controllerManager.identities.clusterSPIFFEIDs.java-spiffe-helper.dnsNameTemplates[0]="$KEYSTORE_COMMON_NAME"
- name: Deploy java-spiffe-helper pod to local cluster
run: kubectl apply -f .github/ci-k8s-configs/java-spiffe-helper.yaml
- name: Wait for java-spiffe-helper pod to become ready
run: kubectl wait pod/java-spiffe-helper --for condition=Ready --timeout=90s
- name: Output logs of java-spiffe-helper pod
if: ${{ failure() }}
run: kubectl logs pod/java-spiffe-helper
- name: Describe java-spiffe-helper pod
if: ${{ failure() }}
run: kubectl describe pod/java-spiffe-helper
- name: Copy keystore from java-spiffe-helper pod
run: kubectl cp java-spiffe-helper:/tmp/keystore.p12 keystore.p12
- name: Copy truststore from java-spiffe-helper pod
run: kubectl cp java-spiffe-helper:/tmp/truststore.p12 truststore.p12
- name: Verify keystore contains configured common name
run: keytool -v -list -keystore keystore.p12 -storepass password | grep "CN=${{ env.KEYSTORE_COMMON_NAME }}"
- name: Output keystore contents
if: ${{ failure() }}
run: keytool -v -list -keystore keystore.p12 -storepass password
- name: Verify truststore contains configured common name
run: keytool -v -list -keystore truststore.p12 -storepass password | grep "CN=${{ env.TRUSTSTORE_COMMON_NAME }}"
- name: Output truststore contents
if: ${{ failure() }}
run: keytool -v -list -keystore truststore.p12 -storepass password