chore: upgrade Node.js to 24 and update dependencies

- Upgrade Node.js from 20 to 24.15.0 across all CI jobs and workflows - Run npm audit fix to resolve CVEs in dependencies - Generate TLS certs dynamically via scripts/gen-tls-certs.sh instead of using static certs - Add Makefile targets for running each integration test suite locally
2026-05-14 20:40:32 +00:00 · 2026-05-06 20:26:22 +05:30 · 2026-05-06 20:26:22 +05:30 · 647e66c75f
commit 647e66c75f
parent 79632e33d6
15 changed files with 526 additions and 709 deletions
--- a/scripts/gen-tls-certs.sh
+++ b/scripts/gen-tls-certs.sh
@ -0,0 +1,104 @@
+#!/usr/bin/env bash
+# Copyright IBM Corp. 2019, 2025
+# SPDX-License-Identifier: MIT
+#
+# Generates a PKI chain (CA, server cert, client cert) using cfssl.
+# Outputs certs to .build/certs/ and writes .build/e2e-tls.env for local
+# act usage (act --env-file .build/e2e-tls.env).
+#
+# Usage: ./scripts/gen-tls-certs.sh
+# Requires: cfssl, cfssljson  (brew install cfssl)
+
+set -euo pipefail
+
+REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+OUTDIR="$REPO_ROOT/.build/certs"
+ENVFILE="$REPO_ROOT/.build/e2e-tls.env"
+
+if ! command -v cfssl &>/dev/null || ! command -v cfssljson &>/dev/null; then
+    echo "error: cfssl and cfssljson are required." >&2
+    echo "       Install with: brew install cfssl" >&2
+    exit 1
+fi
+
+mkdir -p "$OUTDIR"
+cd "$OUTDIR"
+
+# ── cfssl signing config ──────────────────────────────────────────────────────
+cat > cfssl-config.json <<'EOF'
+{
+  "signing": {
+    "default": { "expiry": "8760h" },
+    "profiles": {
+      "server": {
+        "usages": ["signing", "key encipherment", "server auth"],
+        "expiry": "8760h"
+      },
+      "client": {
+        "usages": ["signing", "key encipherment", "client auth"],
+        "expiry": "8760h"
+      }
+    }
+  }
+}
+EOF
+
+# ── CA ────────────────────────────────────────────────────────────────────────
+echo "Generating CA..."
+cfssl gencert -initca - <<'EOF' | cfssljson -bare ca
+{
+  "CN": "Vault Test CA",
+  "key": { "algo": "rsa", "size": 2048 },
+  "ca": { "expiry": "87600h" }
+}
+EOF
+
+# ── Server cert ───────────────────────────────────────────────────────────────
+echo "Generating server certificate..."
+cfssl gencert \
+    -ca=ca.pem \
+    -ca-key=ca-key.pem \
+    -config=cfssl-config.json \
+    -profile=server - <<'EOF' | cfssljson -bare server
+{
+  "CN": "vault-tls",
+  "hosts": ["localhost", "127.0.0.1", "vault-tls"],
+  "key": { "algo": "rsa", "size": 2048 }
+}
+EOF
+
+# ── Client cert ───────────────────────────────────────────────────────────────
+echo "Generating client certificate..."
+cfssl gencert \
+    -ca=ca.pem \
+    -ca-key=ca-key.pem \
+    -config=cfssl-config.json \
+    -profile=client - <<'EOF' | cfssljson -bare client
+{
+  "CN": "vault-client",
+  "key": { "algo": "rsa", "size": 2048 }
+}
+EOF
+
+# ── Rename to names expected by vault config ──────────────────────────────────
+mv ca.pem     ca.crt
+mv server.pem server.crt
+mv server-key.pem server.key
+mv client.pem client.crt
+mv client-key.pem client.key
+
+# ── Remove intermediates not needed at runtime ────────────────────────────────
+rm -f ca.csr server.csr client.csr ca-key.pem cfssl-config.json
+
+# ── Copy vault server config ──────────────────────────────────────────────────
+cp "$REPO_ROOT/integrationTests/e2e-tls/configs/config.hcl" config.hcl
+
+# ── Write env file for local act usage ───────────────────────────────────────
+{
+    printf 'VAULTCA=%s\n'          "$(base64 < ca.crt     | tr -d '\n')"
+    printf 'VAULT_CLIENT_CERT=%s\n' "$(base64 < client.crt | tr -d '\n')"
+    printf 'VAULT_CLIENT_KEY=%s\n'  "$(base64 < client.key | tr -d '\n')"
+} > "$ENVFILE"
+
+echo "Certs generated in $OUTDIR"
+echo "Env file written to $ENVFILE"