cert-manager · moll-re · May 26, 2020 · May 26, 2020 · May 26, 2020 · May 27, 2020
diff --git a/.github/workflows/build-images.yaml b/.github/workflows/build-images.yaml
@@ -0,0 +1,49 @@
+name: Build docker images
+
+env:
+  DOCKER_BASE_NAME: 'ghcr.io/${{ github.repository_owner }}/cert-manager-webhook-dnsimple'
+
+on:
+  workflow_call:
+    inputs:
+      tags:
+        description: 'Tags to build the image for (separated by a whitespace)'
+        required: true
+        type: string
+
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          password: ${{ secrets.GITHUB_TOKEN }}
+          username: ${{ github.repository_owner }}
+
+      - name: Format tags
+        id: format-tags
+        # prepends DOCKER_BASE_NAME to every entry in the string ${{ inputs.tags }}
+        run: |
+          echo "TAGS=$(printf '${{ env.DOCKER_BASE_NAME }}/%s,' ${{ inputs.tags }})" >> $GITHUB_OUTPUT
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.format-tags.outputs.TAGS }}
diff --git a/.github/workflows/test-go.yaml b/.github/workflows/test-go.yaml
@@ -0,0 +1,54 @@
+name: Run code tests
+
+on:
+  push:
+  workflow_call:
+    secrets:
+      DNSIMPLE_API_TOKEN:
+        required: true
+      DNSIMPLE_ZONE_NAME:
+        required: true
+
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+
+    - name: Setup Go
+      uses: actions/setup-go@v5
+      with:
+        go-version-file: src/go.mod
+        cache-dependency-path: src/go.sum
+
+
+    - name: Install kubebuilder fixtures
+      id: kubebuilder
+      run: |
+        go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
+        echo "BIN_DIR=$(setup-envtest use -p path)" >> $GITHUB_OUTPUT
+
+
+    - name: Run tests
+      env:
+        DNSIMPLE_API_TOKEN: ${{ secrets.DNSIMPLE_API_TOKEN }}
+        DNSIMPLE_ZONE_NAME: ${{ secrets.DNSIMPLE_ZONE_NAME }}
+      run: |
+        export TEST_ASSET_KUBE_APISERVER=${{ steps.kubebuilder.outputs.BIN_DIR }}/kube-apiserver
+        export TEST_ASSET_ETCD=${{ steps.kubebuilder.outputs.BIN_DIR }}/etcd
+        export TEST_ASSET_KUBECTL=${{ steps.kubebuilder.outputs.BIN_DIR }}/kubectl
+        export TEST_ZONE_NAME="${DNSIMPLE_ZONE_NAME}." # add trailing dot
+        echo """apiVersion: v1
+        kind: Secret
+        metadata:
+          name: dnsimple-token
+        type: Opaque
+        stringData:
+            token: $DNSIMPLE_API_TOKEN
+        """ > testdata/dnsimple-token.yaml
+        cd src
+        go test -v .
diff --git a/.github/workflows/test-kubernetes.yaml b/.github/workflows/test-kubernetes.yaml
@@ -0,0 +1,91 @@
+name: Run webhook tests in a full environment
+
+on:
+  workflow_call:
+    secrets:
+      DNSIMPLE_API_TOKEN:
+        required: true
+      DNSIMPLE_ZONE_NAME:
+        required: true
+
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+
+
+    - name: Start minikube
+      uses: medyagh/setup-minikube@master
+      with:
+        kubernetes-version: 1.29.3
+
+
+    - name: Install cert-manager and patch upstream dns servers
+      run: |
+        kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.3/cert-manager.yaml
+
+
+    - name: Wait for cert-manager to be ready
+      run: |
+        kubectl wait --for=condition=available --timeout=600s deployment/cert-manager-webhook -n cert-manager
+        kubectl get pods -n cert-manager
+        kubectl get svc -n cert-manager -o wide
+
+
+    - name: Install cert-manager-webhook-dnsimple
+      env:
+        DNSIMPLE_API_TOKEN: ${{ secrets.DNSIMPLE_API_TOKEN }}
+        DNSIMPLE_ZONE_NAME: ${{ secrets.DNSIMPLE_ZONE_NAME}}
+      run: |
+        helm install cert-manager-webhook-dnsimple ./charts/cert-manager-webhook-dnsimple \
+          --namespace cert-manager \
+          --set dnsimple.token="$DNSIMPLE_API_TOKEN" \
+          --set groupName="acme.$DNSIMPLE_ZONE_NAME" \
+          --set image.repository=ghcr.io/${{ github.repository_owner }}/cert-manager-webhook-dnsimple \
+          --set clusterIssuer.staging.enabled=true \
+          --set clusterIssuer.email="noreply@$DNSIMPLE_ZONE_NAME" \
+          --set image.tag=commit-${{ github.sha }}
+        kubectl get secrets cert-manager-webhook-dnsimple -o yaml
+
+
+    - name: Wait for cert-manager-webhook-dnsimple to be ready
+      run: |
+        kubectl wait --for=condition=available --timeout=600s deployment/cert-manager-webhook-dnsimple
+        kubectl get pods
+        kubectl get svc -o wide
+
+
+    - name: Create sample certificate that uses the webhook
+      env:
+        DNSIMPLE_ZONE_NAME: ${{ env.DNSIMPLE_ZONE_NAME }}
+      run: |
+        kubectl apply -f - <<EOF
+        apiVersion: cert-manager.io/v1
+        kind: Certificate
+        metadata:
+          name: dnsimple-test
+          namespace: default
+        spec:
+          dnsNames:
+            - "gh-action-test.$DNSIMPLE_ZONE_NAME"
+          issuerRef:
+            name: cert-manager-webhook-dnsimple-staging
+            kind: ClusterIssuer
+          secretName: dnsimple-test-tls
+        EOF
+
+
+    - name: Wait for certificate to be ready
+      run: |
+        kubectl wait --for=condition=ready --timeout=600s certificate/dnsimple-test
+        kubectl get certificate dnsimple-test
+
+
+    - name: Check DNSimple API for new TXT record
+      env:
+        DNSIMPLE_ZONE_NAME: ${{ env.DNSIMPLE_ZONE_NAME }}
+      run: |
+        dig +short TXT _acme-challenge.gh-action-test.$DNSIMPLE_ZONE_NAME
diff --git a/.github/workflows/workflow_full-test-suite.yaml b/.github/workflows/workflow_full-test-suite.yaml
@@ -0,0 +1,32 @@
+name: Run full test suite
+
+on:
+  push:
+    branches:
+    - master
+  pull_request:
+    branches:
+    - master
+
+jobs:
+  code-test:
+    name: Run tests on code
+    uses: ./.github/workflows/test-go.yaml
+    secrets: inherit
+
+
+  build-image:
+    name: Build Docker image
+    uses: ./.github/workflows/build-images.yaml
+    with:
+      tags: >
+        commit-${{ github.sha }}
+        latest
+    needs: code-test
+
+
+  webhook-tests:
+    name: Run tests on webhooks
+    needs: build-image
+    uses: ./.github/workflows/test-kubernetes.yaml
+    secrets: inherit
diff --git a/.github/workflows/workflow_tagged-build.yaml b/.github/workflows/workflow_tagged-build.yaml
@@ -0,0 +1,16 @@
+name: Publish a new tagged Docker image
+
+on:
+  push:
+    tags: # v* tags are protected in the repository settings
+      - 'v*'
+
+jobs:
+  docker-build:
+    name: Build tagged Docker image
+    uses: ./.github/workflows/build-images.yaml
+    with:
+      tags: >
+        ${{ github.ref }}
+        commit-${{ github.sha }}
+        latest
diff --git a/.gitignore b/.gitignore
@@ -12,4 +12,7 @@
 *.out
 
 # Ignore the built binary
-cert-manager-webhook-example
+cert-manager-webhook-dnsimple
+
+# Ignore kubebuilder test binaries
+_test/
diff --git a/Dockerfile b/Dockerfile
@@ -1,22 +1,22 @@
-FROM golang:1.12.4-alpine AS build_deps
+FROM golang:1.20-alpine AS build_deps
 
 RUN apk add --no-cache git
 
 WORKDIR /workspace
 ENV GO111MODULE=on
 
-COPY go.mod .
-COPY go.sum .
+COPY src/go.mod .
+COPY src/go.sum .
 
 RUN go mod download
 
 FROM build_deps AS build
 
-COPY . .
+COPY src .
 
 RUN CGO_ENABLED=0 go build -o webhook -ldflags '-w -extldflags "-static"' .
 
-FROM alpine:3.9
+FROM alpine:3.17
 
 RUN apk add --no-cache ca-certificates
 

diff --git a/Makefile b/Makefile
@@ -1,20 +1,25 @@
-IMAGE_NAME := "webhook"
-IMAGE_TAG := "latest"
+GO ?= $(shell which go)
+OS ?= $(shell $(GO) env GOOS)
+ARCH ?= $(shell $(GO) env GOARCH)
+KUBE_VERSION=1.25.0
 
-OUT := $(shell pwd)/_out
+# required by go tests
+export TEST_ASSET_ETCD=../_test/kubebuilder/etcd
+export TEST_ASSET_KUBE_APISERVER=../_test/kubebuilder/kube-apiserver
+export TEST_ASSET_KUBECTL=../_test/kubebuilder/kubectl
 
-$(shell mkdir -p "$(OUT)")
+test: _test/kubebuilder
+	cd src && $(GO) test -v .
 
-verify:
-	go test -v .
+_test/kubebuilder:
+	curl -fsSL https://go.kubebuilder.io/test-tools/$(KUBE_VERSION)/$(OS)/$(ARCH) -o kubebuilder-tools.tar.gz
+	mkdir -p _test/kubebuilder
+	tar -xvf kubebuilder-tools.tar.gz
+	mv kubebuilder/bin/* _test/kubebuilder/
+	rm kubebuilder-tools.tar.gz
+	rm -R kubebuilder
 
-build:
-	docker build -t "$(IMAGE_NAME):$(IMAGE_TAG)" .
+clean: clean-kubebuilder
 
-.PHONY: rendered-manifest.yaml
-rendered-manifest.yaml:
-	helm template \
-	    --name example-webhook \
-        --set image.repository=$(IMAGE_NAME) \
-        --set image.tag=$(IMAGE_TAG) \
-        deploy/example-webhook > "$(OUT)/rendered-manifest.yaml"
+clean-kubebuilder:
+	rm -Rf _test