Draft: CI features for this repository

.github/workflows/build-images.yaml

@@ -0,0 +1,63 @@
+name: Build docker images
+
+env:
+  DOCKER_BASE_NAME: 'ghcr.io/${{ github.repository_owner }}/cert-manager-webhook-dnsimple'
+
+on:
+  workflow_call:
+    inputs:
+      tags:
+        description: 'Tags to build the image for (separated by a whitespace)'
+        required: true
+        type: string
+
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          password: ${{ secrets.GITHUB_TOKEN }}
+          username: ${{ github.repository_owner }}
+
+      - name: Format tags
+        id: format-tags
+        # prepends DOCKER_BASE_NAME to every entry in the string ${{ inputs.tags }}
+        run: |
+          echo "TAGS=$(printf '${{ env.DOCKER_BASE_NAME }}/%s,' ${{ inputs.tags }})" >> $GITHUB_OUTPUT
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.format-tags.outputs.TAGS }}
+
+
+
+      # currently not working
+      # - name: Delete old images matching the pattern commit-*
+      #   uses: snok/container-retention-policy@v2
+      #   with:
+      #     image-names: ${{ env.DOCKER_BASE_NAME }}/${{ env.IMAGE_NAME }}
+      #     filter-tags: commit-
+      #     cut-off: One month ago UTC
+      #     keep-at-least: 1
+      #     account-type: personal
+      #     token: ${{ secrets.GITHUB_TOKEN }}
+      #     token-type: github-token

.github/workflows/chart-release.yaml

@@ -0,0 +1,31 @@
+# This workflow will publish a new chart release to github pages according to the configuration in index.yaml
+# The content of the branch gh-pages is updated and watched by the github pages service
+
+name: Release Charts
+
+on:
+  workflow_call:
+
+jobs:
+  release:
+    permissions:
+      contents: write
+
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "[email protected]"
+
+      - name: Run chart-releaser
+        uses: helm/[email protected]
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+        with:
+          chart_path: ./charts

.github/workflows/run-code-tests.yaml

@@ -0,0 +1,46 @@
+name: Run code tests
+
+on:
+  push:
+  workflow_call:
+
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Setup Go
+      uses: actions/setup-go@v4
+      with:
+        go-version: '1.21.x'
+        cache-dependency-path: src/go.mod
+
+
+    - name: Install kubebuilder fixtures
+      id: kubebuilder
+      run: |
+        go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
+        echo "BIN_DIR=$(setup-envtest use -p path)" >> $GITHUB_OUTPUT
+
+
+    - name: Run tests
+      run: |
+        export TEST_ASSET_KUBE_APISERVER=${{ steps.kubebuilder.outputs.BIN_DIR }}/kube-apiserver
+        export TEST_ASSET_ETCD=${{ steps.kubebuilder.outputs.BIN_DIR }}/etcd
+        export TEST_ASSET_KUBECTL=${{ steps.kubebuilder.outputs.BIN_DIR }}/kubectl
+        export TEST_ZONE_NAME=puzzzzle.ch.
+        export DNSIMPLE_SANDBOX=true
+        echo """apiVersion: v1
+        kind: Secret
+        metadata:
+          name: dnsimple-token
+        type: Opaque
+        data:
+            token: $(echo -n '${{ secrets.DNSIMPLE_API_TOKEN }}' | base64)
+        """ > testdata/dnsimple-token.yaml
+        cd src
+        go test -v .

.github/workflows/run-kubernetes-tests.yaml

@@ -0,0 +1,83 @@
+name: Run webhook tests in a full environment
+
+on:
+  workflow_call:
+
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Start minikube
+      uses: medyagh/setup-minikube@master
+      with:
+        kubernetes-version: 1.21.2
+
+    - name: Install cert-manager
+      run: kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.3/cert-manager.yaml
+
+    - name: Wait for cert-manager to be ready
+      run: |
+        kubectl wait --for=condition=available --timeout=600s deployment/cert-manager-webhook -n cert-manager
+        kubectl get pods -n cert-manager
+        kubectl get svc -n cert-manager -o wide
+
+    - name: Install cert-manager-webhook-dnsimple
+      env:
+        DNSIMPLE_API_TOKEN: ${{ secrets.DNSIMPLE_API_TOKEN }}
+      run: |
+        echo "DNSIMPLE_API_TOKEN: $DNSIMPLE_API_TOKEN"
+        echo "DNSIMPLE_API_TOKEN: ${{ secrets.DNSIMPLE_API_TOKEN }}"
+
+        helm install cert-manager-webhook-dnsimple ./charts/cert-manager-webhook-dnsimple \
+          --namespace cert-manager \
+          --set dnsimple.token='$DNSIMPLE_API_TOKEN' \
+          --set dnsimple.apiBaseURL=https://api.sandbox.dnsimple.com \
+          --set groupName=acme.puzzzzle.ch \
+          --set image.repository=ghcr.io/moll-re/cert-manager-webhook-dnsimple \
+          --set clusterIssuer.staging.enabled=true \
+          --set [email protected] \
+          --set image.tag=${{ github.sha}}
+        kubectl get secrets cert-manager-webhook-dnsimple -o yaml
+    - name: Wait for cert-manager-webhook-dnsimple to be ready
+      run: |
+        kubectl wait --for=condition=available --timeout=600s deployment/cert-manager-webhook-dnsimple
+        kubectl get pods
+        kubectl get svc -o wide
+
+    - name: Create sample certificate that uses the webhook
+      run: |
+        kubectl apply -f - <<EOF
+        apiVersion: cert-manager.io/v1
+        kind: Certificate
+        metadata:
+          name: dnsimple-test
+          namespace: default
+        spec:
+          dnsNames:
+            - test.puzzzzle.ch
+          issuerRef:
+            name: cert-manager-webhook-dnsimple-staging
+            kind: ClusterIssuer
+          secretName: dnsimple-test-tls
+        EOF
+
+
+    - name: Check DNSimple API for new TXT record
+      env:
+        DNSIMPLE_API_TOKEN: ${{ secrets.DNSIMPLE_API_TOKEN }}
+      run: |
+        echo "Checking for new TXT record"
+        echo "DNSIMPLE_API_TOKEN: $DNSIMPLE_API_TOKEN"
+        echo "DNSIMPLE_API_TOKEN: ${{ secrets.DNSIMPLE_API_TOKEN }}"
+
+        curl \
+          -H "Authorization: Bearer ${{ secrets.DNSIMPLE_API_TOKEN }}" \
+          -H 'Accept: application/json' \
+          -X GET https://api.sandbox.dnsimple.com/v2/2250/zones/puzzzzle.ch/records?type=TXT \
+          -o records.json
+        cat records.json
+        echo "$(jq '.data[].content' records.json)"

.github/workflows/workflow_release-helm.yaml

@@ -0,0 +1,14 @@
+name: Publish new helm release
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - 'charts/**'
+
+
+jobs:
+  helm-release:
+    name: Release new helm chart version
+    uses: ./.github/workflows/chart-release.yaml

.github/workflows/workflow_release-tagged.yaml

@@ -0,0 +1,18 @@
+name: Publish new docker release
+
+on:
+  push:
+    branches:
+      - master
+    tags:
+      - '*'
+
+jobs:
+  docker-build:
+    name: Build tagged Docker image
+    uses: ./.github/workflows/build-images.yaml
+    with:
+      tags: >
+        ${{ github.ref }}
+        commit-${{ github.sha }}
+        latest

.github/workflows/workflow_test-pull-request.yaml

@@ -0,0 +1,28 @@
+name: Run PR tests
+
+on:
+  push:
+    branches:
+    - master
+  pull_request:
+    branches:
+    - master
+
+jobs:
+  code-test:
+    name: Run tests on code
+    uses: ./.github/workflows/run-code-tests.yaml
+
+  build-image:
+    name: Build Docker image
+    uses: ./.github/workflows/build-images.yaml
+    with:
+      tags: >
+        commit-${{ github.sha }}
+        latest
+    # needs: code-test
+
+  webhook-tests:
+    name: Run tests on webhooks
+    needs: build-image
+    uses: ./.github/workflows/run-kubernetes-tests.yaml

.gitignore

@@ -5,14 +5,17 @@
 *.so
 *.dylib
 
-# Test binary, build with `go test -c`
+# Test binary, built with `go test -c`
 *.test
 
 # Output of the go coverage tool, specifically when used with LiteIDE
 *.out
 
-# Ignore the built binary
-cert-manager-webhook-dnsimple
+# Dependency directories (remove the comment below to include it)
+# vendor/
 
-# Ignore test binaries
-__test__/
+# Go workspace file
+go.work
+
+# Test dependencies by kubebuilder
+_test

Dockerfile

@@ -5,14 +5,14 @@ RUN apk add --no-cache git
 WORKDIR /workspace
 ENV GO111MODULE=on
 
-COPY go.mod .
-COPY go.sum .
+COPY src/go.mod .
+COPY src/go.sum .
 
 RUN go mod download
 
 FROM build_deps AS build
 
-COPY . .
+COPY src .
 
 RUN CGO_ENABLED=0 go build -o webhook -ldflags '-w -extldflags "-static"' .
 

Makefile

@@ -1,21 +1,18 @@
 GO ?= $(shell which go)
 OS ?= $(shell $(GO) env GOOS)
 ARCH ?= $(shell $(GO) env GOARCH)
-
-IMAGE_NAME := "neoskop/cert-manager-webhook-dnsimple"
-IMAGE_TAG := "latest"
-
-OUT := $(shell pwd)/_out
-
 KUBE_VERSION=1.25.0
 
+OUT := $(shell pwd)/_out
 $(shell mkdir -p "$(OUT)")
-export TEST_ASSET_ETCD=_test/kubebuilder/etcd
-export TEST_ASSET_KUBE_APISERVER=_test/kubebuilder/kube-apiserver
-export TEST_ASSET_KUBECTL=_test/kubebuilder/kubectl
+
+include testdata/dnsimple.env
+export TEST_ASSET_ETCD=../_test/kubebuilder/etcd
+export TEST_ASSET_KUBE_APISERVER=../_test/kubebuilder/kube-apiserver
+export TEST_ASSET_KUBECTL=../_test/kubebuilder/kubectl
 
 test: _test/kubebuilder
-	$(GO) test -v .
+	cd src && $(GO) test -v .
 
 _test/kubebuilder:
 	curl -fsSL https://go.kubebuilder.io/test-tools/$(KUBE_VERSION)/$(OS)/$(ARCH) -o kubebuilder-tools.tar.gz
@@ -28,15 +25,4 @@ _test/kubebuilder:
 clean: clean-kubebuilder
 
 clean-kubebuilder:
-	rm -Rf _test/kubebuilder
-
-build:
-	docker build -t "$(IMAGE_NAME):$(IMAGE_TAG)" .
-
-.PHONY: rendered-manifest.yaml
-rendered-manifest.yaml:
-	helm template \
-	    --name dnsimple-webhook \
-        --set image.repository=$(IMAGE_NAME) \
-        --set image.tag=$(IMAGE_TAG) \
-        deploy/dnsimple-webhook > "$(OUT)/rendered-manifest.yaml"
+	rm -Rf _test