Fix variable error

.github/workflows/build-images.yaml

@@ -0,0 +1,48 @@
+name: Build docker images
+
+on:
+  workflow_call:
+    inputs:
+      tags:
+        description: 'Tags to build the image for (separated by a whitespace)'
+        required: true
+        type: string
+
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: src/go.mod
+          cache-dependency-path: src/go.sum
+
+
+      - name: Get go dependencies
+        run: |
+          cd src
+          go mod download 
+
+
+      - name: Setup ko
+        # KO is a tool for building go container images https://ko.build/
+        uses: ko-build/[email protected]
+        # KO is configured to use GHCR as the registry
+
+
+      - name: Format tags with a comma
+        id: format-tags
+        run: echo "TAGS=$(echo ${{ inputs.tags }} | tr ' ' ',')" >> $GITHUB_OUTPUT
+
+
+      - name: Build images
+        run: |
+          cd src
+          ko build --tags="${{ steps.format-tags.outputs.TAGS }}" --platform=linux/amd64,linux/arm64 --bare --sbom=none

.github/workflows/helm-release.yaml

@@ -0,0 +1,30 @@
+# This workflow publishes a new chart release to github pages
+# The content of the branch gh-pages is then published to https://puzzle.github.io/cert-manager-webhook-dnsimple/
+name: Release a new chart version
+
+on:
+  workflow_dispatch:
+
+jobs:
+  release:
+    permissions:
+      contents: write
+
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "[email protected]"
+
+      - name: Run chart-releaser
+        uses: helm/[email protected]
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+        with:
+          charts_dir: ./charts

.github/workflows/test-go.yaml

@@ -0,0 +1,54 @@
+name: Run code tests
+
+on:
+  push:
+  workflow_call:
+    secrets:
+      DNSIMPLE_API_TOKEN:
+        required: true
+      DNSIMPLE_ZONE_NAME:
+        required: true
+
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+
+    - name: Setup Go
+      uses: actions/setup-go@v5
+      with:
+        go-version-file: src/go.mod
+        cache-dependency-path: src/go.sum
+
+
+    - name: Install kubebuilder fixtures
+      id: kubebuilder
+      run: |
+        go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
+        echo "BIN_DIR=$(setup-envtest use -p path)" >> $GITHUB_OUTPUT
+
+
+    - name: Run tests
+      env:
+        DNSIMPLE_API_TOKEN: ${{ secrets.DNSIMPLE_API_TOKEN }}
+        DNSIMPLE_ZONE_NAME: ${{ secrets.DNSIMPLE_ZONE_NAME }}
+      run: |
+        export TEST_ASSET_KUBE_APISERVER=${{ steps.kubebuilder.outputs.BIN_DIR }}/kube-apiserver
+        export TEST_ASSET_ETCD=${{ steps.kubebuilder.outputs.BIN_DIR }}/etcd
+        export TEST_ASSET_KUBECTL=${{ steps.kubebuilder.outputs.BIN_DIR }}/kubectl
+        export TEST_ZONE_NAME="${DNSIMPLE_ZONE_NAME}." # add trailing dot
+        echo """apiVersion: v1
+        kind: Secret
+        metadata:
+          name: dnsimple-token
+        type: Opaque
+        stringData:
+            token: $DNSIMPLE_API_TOKEN
+        """ > testdata/dnsimple-token.yaml
+        cd src
+        go test -v .

.github/workflows/test-kubernetes.yaml

@@ -0,0 +1,122 @@
+name: Run webhook tests in a full environment
+
+on:
+  workflow_call:
+    secrets:
+      DNSIMPLE_API_TOKEN:
+        required: true
+      DNSIMPLE_ZONE_NAME:
+        required: true
+
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+
+
+    - name: Start minikube
+      uses: medyagh/setup-minikube@master
+      with:
+        kubernetes-version: 1.29.3
+
+
+    - name: Install cert-manager, patch upstream dns servers, wait for readiness
+      run: |
+        echo "Target cert-manager version: ${{ vars.TARGET_CERT_MANAGER_VERSION }}"
+        kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/${{ vars.TARGET_CERT_MANAGER_VERSION }}/cert-manager.yaml
+        # Patch cert-manager to use DNSimple's nameservers for faster propagation-checks
+        kubectl patch deployment cert-manager -n cert-manager --type='json' -p='[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--dns01-recursive-nameservers=ns1.dnsimple.com:53"}]'
+        kubectl wait --for=condition=available --timeout=600s deployment/cert-manager-webhook -n cert-manager
+
+
+    - name: Install cert-manager-webhook-dnsimple, wait for readiness
+      env:
+        DNSIMPLE_API_TOKEN: ${{ secrets.DNSIMPLE_API_TOKEN }}
+        DNSIMPLE_ZONE_NAME: ${{ secrets.DNSIMPLE_ZONE_NAME}}
+      run: |
+        helm install cert-manager-webhook-dnsimple ./charts/cert-manager-webhook-dnsimple \
+          --namespace cert-manager \
+          --set dnsimple.token="$DNSIMPLE_API_TOKEN" \
+          --set groupName="acme.$DNSIMPLE_ZONE_NAME" \
+          --set image.repository=ghcr.io/${{ github.repository_owner }}/cert-manager-webhook-dnsimple \
+          --set clusterIssuer.staging.enabled=true \
+          --set clusterIssuer.email="noreply@$DNSIMPLE_ZONE_NAME" \
+          --set image.tag=commit-${{ github.sha }}
+
+        helm -n cert-manager list
+
+        max_wait_time_seconds=600
+        sleep_between_iterations=10
+
+        start=$(date +%s)
+        end=$(( $start + $max_wait_time_seconds ))
+
+        echo ""
+        echo "Awaiting succesful deployment for max ${max_wait_time_seconds} seconds or until $(date --date="@$end")"
+        while [ $(date +%s) -le $end ]; do
+            echo "[i] New iteration at $(date +%s)"
+            kubectl -n cert-manager get po
+
+            if [ $(kubectl -n cert-manager get po | grep Crash | wc -l) -gt 0 ]; then
+                echo "::error title=Deployment is failing::At least one pod is crashing"
+                for pod in $(kubectl -n cert-manager get po | grep Crash | awk '{print $1}'); do
+                    echo "Logs for pod '$pod'"
+                    kubectl -n cert-manager logs $pod
+                done
+
+                exit 1
+            fi
+
+            replicas=$(kubectl -n cert-manager get deploy/cert-manager-webhook-dnsimple -o=jsonpath={.status.unavailableReplicas})
+            if [[ $([ -z $replicas ]) || $replicas -gt 0 ]]; then
+                sleep $sleep_between_iterations
+            else
+                echo "Replicas of deployment cert-manager-webhook-dnsimple have become available."
+                exit 0
+            fi
+        done
+
+        echo "::error title=Deployment timed out::Have timed out waiting for good deployment health"
+        exit 1
+
+    - name: Create sample certificate that uses the webhook
+      env:
+        DNSIMPLE_ZONE_NAME: ${{ secrets.DNSIMPLE_ZONE_NAME }}
+      run: |
+        echo """apiVersion: cert-manager.io/v1
+        kind: Certificate
+        metadata:
+          name: dnsimple-test
+          namespace: default
+        spec:
+          dnsNames:
+            - gh-action-test.$DNSIMPLE_ZONE_NAME
+          issuerRef:
+            name: cert-manager-webhook-dnsimple-staging
+            kind: ClusterIssuer
+          secretName: dnsimple-test-tls
+        """  > certificate.yaml
+        kubectl apply -f certificate.yaml
+
+
+    - name: Assert that the DNS record was created
+      env:
+        DNSIMPLE_ZONE_NAME: ${{ secrets.DNSIMPLE_ZONE_NAME }}
+      timeout-minutes: 10  
+      run: |
+        while true; do
+          if nslookup -type=TXT _acme-challenge.gh-action-test.$DNSIMPLE_ZONE_NAME ns1.dnsimple.com; then
+            break
+          fi
+          sleep 30
+        done
+
+
+    - name: Check the certificate status
+      run: |
+        kubectl wait --for=condition=ready --timeout=600s certificate/dnsimple-test
+        # this should not be necessary since the certificate is usually ready once the DNS record is propagated
+        kubectl get certificate dnsimple-test -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' | grep True

.github/workflows/workflow_full-test-suite.yaml

@@ -0,0 +1,32 @@
+name: Run full test suite
+
+on:
+  push:
+    branches:
+    - master
+  pull_request:
+    branches:
+    - master
+
+jobs:
+  code-test:
+    name: Run tests on code
+    uses: ./.github/workflows/test-go.yaml
+    secrets: inherit
+
+
+  build-image:
+    name: Build Docker image
+    uses: ./.github/workflows/build-images.yaml
+    with:
+      tags: >-
+        commit-${{ github.sha }}
+        latest
+    needs: code-test
+
+
+  webhook-tests:
+    name: Run tests on webhooks
+    needs: build-image
+    uses: ./.github/workflows/test-kubernetes.yaml
+    secrets: inherit

.github/workflows/workflow_tagged-build.yaml

@@ -0,0 +1,16 @@
+name: Publish a new tagged Docker image
+
+on:
+  push:
+    tags: # v* tags are protected in the repository settings
+      - 'v*'
+
+jobs:
+  docker-build:
+    name: Build tagged Docker image
+    uses: ./.github/workflows/build-images.yaml
+    with:
+      tags: >-
+        ${{ github.ref_name }}
+        commit-${{ github.sha }}
+        latest

.gitignore

@@ -11,5 +11,5 @@
 # Output of the go coverage tool, specifically when used with LiteIDE
 *.out
 
-# Ignore the built binary
-cert-manager-webhook-example
+# Ignore kubebuilder test binaries
+_test/

Makefile

@@ -1,20 +1,25 @@
-IMAGE_NAME := "webhook"
-IMAGE_TAG := "latest"
+GO ?= $(shell which go)
+OS ?= $(shell $(GO) env GOOS)
+ARCH ?= $(shell $(GO) env GOARCH)
+KUBE_VERSION=1.25.0
 
-OUT := $(shell pwd)/_out
+# required by go tests
+export TEST_ASSET_ETCD=../_test/kubebuilder/etcd
+export TEST_ASSET_KUBE_APISERVER=../_test/kubebuilder/kube-apiserver
+export TEST_ASSET_KUBECTL=../_test/kubebuilder/kubectl
 
-$(shell mkdir -p "$(OUT)")
+test: _test/kubebuilder
+	cd src && $(GO) test -v .
 
-verify:
-	go test -v .
+_test/kubebuilder:
+	curl -fsSL https://go.kubebuilder.io/test-tools/$(KUBE_VERSION)/$(OS)/$(ARCH) -o kubebuilder-tools.tar.gz
+	mkdir -p _test/kubebuilder
+	tar -xvf kubebuilder-tools.tar.gz
+	mv kubebuilder/bin/* _test/kubebuilder/
+	rm kubebuilder-tools.tar.gz
+	rm -R kubebuilder
 
-build:
-	docker build -t "$(IMAGE_NAME):$(IMAGE_TAG)" .
+clean: clean-kubebuilder
 
-.PHONY: rendered-manifest.yaml
-rendered-manifest.yaml:
-	helm template \
-	    --name example-webhook \
-        --set image.repository=$(IMAGE_NAME) \
-        --set image.tag=$(IMAGE_TAG) \
-        deploy/example-webhook > "$(OUT)/rendered-manifest.yaml"
+clean-kubebuilder:
+	rm -Rf _test