New KUBE_VERSION, handle temp errs, update READMEs

Valentin Klopfenstein 2025-03-12 10:42:10 +01:00
parent 9b0da083ff
commit 4b05cc8c04
5 changed files with 58 additions and 14 deletions


@ -42,6 +42,10 @@ jobs:
export TEST_ASSET_ETCD=${{ steps.kubebuilder.outputs.BIN_DIR }}/etcd export TEST_ASSET_ETCD=${{ steps.kubebuilder.outputs.BIN_DIR }}/etcd
export TEST_ASSET_KUBECTL=${{ steps.kubebuilder.outputs.BIN_DIR }}/kubectl export TEST_ASSET_KUBECTL=${{ steps.kubebuilder.outputs.BIN_DIR }}/kubectl
export TEST_ZONE_NAME="${DNSIMPLE_ZONE_NAME}." # add trailing dot export TEST_ZONE_NAME="${DNSIMPLE_ZONE_NAME}." # add trailing dot
YLW='\033[1;33m'
NC='\033[0m'
echo """apiVersion: v1 echo """apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
@ -51,4 +55,17 @@ jobs:
token: $DNSIMPLE_API_TOKEN token: $DNSIMPLE_API_TOKEN
""" > testdata/dnsimple-token.yaml """ > testdata/dnsimple-token.yaml
cd src cd src
go test -v .
# Occasionally, transient network errors can make tests fail
attempt=0
max_attempts=3
while [ $attempt -lt $max_attempts ]; do
attempt=$((attempt+1))
output=$(go test -v . 2>&1 | tee /dev/tty)
if echo "$output" | grep -q -e "Temporary failure in name resolution" -e "connection reset by peer"; then
echo -e "${YLW}Detected transient network error. Retrying... ($attempt/$max_attempts)${NC}"
else
break
fi
done
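Review bot: The retry loop never propagates the exit status of `go test`. `output=$(go test -v . 2>&1 | tee /dev/tty)` takes the status of `tee` unless `pipefail` is set, and both the `break` branch and running out of attempts fall through past `done`, so a failing conformance run can leave the job green. The step's shell options are not visible here; if it does run with `-e -o pipefail`, the first failure instead aborts before the `grep`, and the retry never fires. `/dev/tty` is usually not available on CI runners, so the test log may also go missing from the job output. Capture the status explicitly, retry only when the run failed and the output matches a transient error, and fail the step with the last status, as below.

```shell
# … unchanged: YLW/NC colours, token manifest, cd src …
attempt=0
max_attempts=3
status=0
while [ "$attempt" -lt "$max_attempts" ]; do
  attempt=$((attempt+1))
  status=0
  # Keep the real exit code of go test; "|| status=$?" also keeps `set -e` from aborting here.
  go test -v . > test-output.log 2>&1 || status=$?
  cat test-output.log
  if [ "$status" -eq 0 ]; then
    break
  fi
  # Retry only failed runs whose log shows a known transient network error.
  if ! grep -q -e "Temporary failure in name resolution" -e "connection reset by peer" test-output.log; then
    break
  fi
  echo -e "${YLW}Detected transient network error. Retrying... ($attempt/$max_attempts)${NC}"
done
if [ "$status" -ne 0 ]; then
  exit "$status"
fi
```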


@ -1,7 +1,9 @@
GO ?= $(shell which go) GO ?= $(shell which go)
OS ?= $(shell $(GO) env GOOS) OS ?= $(shell $(GO) env GOOS)
ARCH ?= $(shell $(GO) env GOARCH) ARCH ?= $(shell $(GO) env GOARCH)
KUBE_VERSION=1.25.0
# Available versions: https://storage.googleapis.com/kubebuilder-tools
KUBE_VERSION=$(shell curl -s https://storage.googleapis.com/kubebuilder-tools | grep -oP 'kubebuilder-tools-\K[0-9]+\.[0-9]+\.[0-9]+' | sort -V | tail -n 1 || echo "1.30.0")
# required by go tests # required by go tests
export TEST_ASSET_ETCD=../_test/kubebuilder/etcd export TEST_ASSET_ETCD=../_test/kubebuilder/etcd
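Review bot: `KUBE_VERSION` now resolves to whatever the newest entry in a remote bucket listing is when `make` runs, so the test binaries under `../_test/kubebuilder/` (presumably fetched further down using this version) are neither pinned nor reproducible. The `|| echo "1.30.0"` fallback does not trigger when `curl` fails, because the pipeline's status is that of `tail`, which succeeds on empty input and leaves the variable empty. With `=` the `$(shell …)` is re-run on every expansion, and `grep -oP` is GNU-only although `OS` is taken from `go env GOOS`. Prefer a pinned, overridable default such as `KUBE_VERSION ?= 1.30.0`, bumped deliberately. If auto-detection stays, assign with `:=` and fall back when the result is empty.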


@ -75,26 +75,34 @@ The Helm chart accepts the following values:
All cert-manager webhooks have to pass the DNS01 provider conformance testing suite. All cert-manager webhooks have to pass the DNS01 provider conformance testing suite.
### Pull requests ### Pull requests
Prerequisites for PRs are implemented as GitHub-actions. All tests should pass before a PR is merged: Prerequisites for PRs are implemented as GitHub-actions. All tests should pass before a PR is merged:
- the `cert-manager` conformance suite is run with provided kubebuilder fixtures - The `cert-manager` conformance suite is run with provided kubebuilder fixtures
- a custom test suite running on a working k8s cluster (using `minikube`) is executed as well - A custom test suite running on a working k8s cluster (using `minikube`) is executed as well
### Local testing ### Local testing
#### Test suite #### Test suite
You can also run tests locally, as specified in the `Makefile`: Tests can be run locally according to the `Makefile`:
1. Set-up `testdata/` according to its [README][3]. 1. Set up `testdata/` according to its [README][3]
- `dnsimple-token.yaml` should be filled with a valid token (for either the sandbox or production environment) - `dnsimple-token.yaml` should be filled with a valid token (for either the sandbox or production environment)
- `dnsimple.env` should contain the remaining environment variables (non sensitive)
2. Execute the test suite: 2. Set env var `TEST_ZONE_NAME`, adding a trailing dot
- `export TEST_ZONE_NAME="<zone>."`
3. Execute the test suite:
```bash ```bash
make test make test
``` ```
> [!NOTE]
> Kubebuilder will always use the latest version available.
#### In-cluster testing #### In-cluster testing
1. Install cert-manager: 1. Install cert-manager:
```bash ```bash
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.3/cert-manager.yaml kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.3/cert-manager.yaml
``` ```
2. Install the webhook: 2. Install the webhook:
```bash ```bash
helm install cert-manager-webhook-dnsimple \ helm install cert-manager-webhook-dnsimple \
@ -103,6 +111,7 @@ You can also run tests locally, as specified in the `Makefile`:
--set clusterIssuer.staging.enabled=true \ --set clusterIssuer.staging.enabled=true \
./charts/cert-manager-webhook-dnsimple ./charts/cert-manager-webhook-dnsimple
``` ```
3. Test away... You can create a sample certificate to ensure the webhook is working correctly: 3. Test away... You can create a sample certificate to ensure the webhook is working correctly:
```bash ```bash
kubectl apply -f - <<<EOF kubectl apply -f - <<<EOF
@ -123,7 +132,8 @@ You can also run tests locally, as specified in the `Makefile`:
## Releases ## Releases
### Docker images ### Docker images
Every push to `master` or on a pull-request triggers the upload of a new docker image to the GitHub Container Registry (this is configured through github actions). These images should **not considered stable** and are tagged with `commit-<hash>`. **We recommend using a specific version tag for production deployments instead.** Every push to `master` or on a pull-request triggers the upload of a new docker image to the GitHub Container Registry (this is configured through github actions).
These images should **not be considered stable** and are tagged with `commit-<hash>`. **We recommend using a specific version tag for production deployments instead.**
Tagged images are considered stable, these are the ones referenced by the default helm values. Tagged images are considered stable, these are the ones referenced by the default helm values.


@ -1,22 +1,36 @@
package main package main
import ( import (
"fmt"
"os" "os"
"strings"
"testing" "testing"
dns "github.com/cert-manager/cert-manager/test/acme" dns "github.com/cert-manager/cert-manager/test/acme"
"sigs.k8s.io/controller-runtime/pkg/log"
"sigs.k8s.io/controller-runtime/pkg/log/zap"
) )
var ( const (
zone = os.Getenv("TEST_ZONE_NAME")
testdata_dir = "../testdata" testdata_dir = "../testdata"
) )
var (
zone = os.Getenv("TEST_ZONE_NAME")
)
func TestRunsSuite(t *testing.T) { func TestRunsSuite(t *testing.T) {
log.SetLogger(zap.New(zap.UseFlagOptions(&zap.Options{})))
// The manifest path should contain a file named config.json that is a // The manifest path should contain a file named config.json that is a
// snippet of valid configuration that should be included on the // snippet of valid configuration that should be included on the
// ChallengeRequest passed as part of the test cases. // ChallengeRequest passed as part of the test cases.
// Ensure trailing dot
if !strings.HasSuffix(zone, ".") {
zone = fmt.Sprintf("%s.", zone)
}
fixture := dns.NewFixture(&dnsimpleDNSProviderSolver{}, fixture := dns.NewFixture(&dnsimpleDNSProviderSolver{},
dns.SetResolvedZone(zone), dns.SetResolvedZone(zone),
dns.SetAllowAmbientCredentials(false), dns.SetAllowAmbientCredentials(false),
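Review bot: An unset `TEST_ZONE_NAME` now turns into the zone `.` rather than an empty string, because the trailing-dot normalisation runs on whatever `os.Getenv` returned. The fixture is then built for the root zone and presumably fails later with an error that does not point at the missing variable. Check it at the top of `TestRunsSuite`, e.g. `if zone == "" { t.Fatal("TEST_ZONE_NAME must be set") }`. The append itself can be written `zone += "."`, which makes the new `fmt` import unnecessary. The body of `TestRunsSuite` continues outside the visible lines.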

3
testdata/README.md vendored

@ -6,4 +6,5 @@ Copy the `dnsimple-token.yaml.example` example file removing the `.example` suff
$ cp dnsimple-token.yaml{.example,} $ cp dnsimple-token.yaml{.example,}
``` ```
Replace the placeholders for the API token in `dnsimple-token.yaml`. The API token can be generated in your DNSimple account settings in the automation tab. Replace the placeholders for the API token in `dnsimple-token.yaml`.
The API token can be generated in your DNSimple account settings in the automation tab.