add basic actions for more complex workflows

.github/workflows/build-images.yaml

@@ -0,0 +1,49 @@
+name: Build docker images
+
+env:
+  DOCKER_BASE_NAME: 'ghcr.io/${{ github.repository_owner }}/cert-manager-webhook-dnsimple'
+
+on:
+  workflow_call:
+    inputs:
+      tags:
+        description: 'Tags to build the image for (separated by a whitespace)'
+        required: true
+        type: string
+
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          password: ${{ secrets.GITHUB_TOKEN }}
+          username: ${{ github.repository_owner }}
+      
+      - name: Format tags
+        id: format-tags
+        # prepends DOCKER_BASE_NAME to every entry in the string ${{ inputs.tags }}
+        run: |
+          echo "TAGS=$(printf '${{ env.DOCKER_BASE_NAME }}/%s,' ${{ inputs.tags }})" >> $GITHUB_OUTPUT
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.format-tags.outputs.TAGS }}

.github/workflows/test-go.yaml

@@ -0,0 +1,54 @@
+name: Run code tests
+
+on:
+  push:
+  workflow_call:
+    secrets:
+      DNSIMPLE_API_TOKEN:
+        required: true
+      DNSIMPLE_ZONE_NAME:
+        required: true
+
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+    
+
+    - name: Setup Go
+      uses: actions/setup-go@v5
+      with:
+        go-version-file: src/go.mod
+        cache-dependency-path: src/go.sum
+
+
+    - name: Install kubebuilder fixtures
+      id: kubebuilder
+      run: |
+        go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
+        echo "BIN_DIR=$(setup-envtest use -p path)" >> $GITHUB_OUTPUT
+
+
+    - name: Run tests
+      env:
+        DNSIMPLE_API_TOKEN: ${{ secrets.DNSIMPLE_API_TOKEN }}
+        DNSIMPLE_ZONE_NAME: ${{ secrets.DNSIMPLE_ZONE_NAME }}
+      run: |
+        export TEST_ASSET_KUBE_APISERVER=${{ steps.kubebuilder.outputs.BIN_DIR }}/kube-apiserver
+        export TEST_ASSET_ETCD=${{ steps.kubebuilder.outputs.BIN_DIR }}/etcd
+        export TEST_ASSET_KUBECTL=${{ steps.kubebuilder.outputs.BIN_DIR }}/kubectl
+        export TEST_ZONE_NAME="${DNSIMPLE_ZONE_NAME}." # add trailing dot
+        echo """apiVersion: v1
+        kind: Secret
+        metadata:
+          name: dnsimple-token
+        type: Opaque
+        stringData:
+            token: $DNSIMPLE_API_TOKEN
+        """ > testdata/dnsimple-token.yaml
+        cd src
+        go test -v .

.github/workflows/test-kubernetes.yaml

@@ -0,0 +1,91 @@
+name: Run webhook tests in a full environment
+
+on:
+  workflow_call:
+    secrets:
+      DNSIMPLE_API_TOKEN:
+        required: true
+      DNSIMPLE_ZONE_NAME:
+        required: true
+
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+
+
+    - name: Start minikube
+      uses: medyagh/setup-minikube@master
+      with:
+        kubernetes-version: 1.29.3
+
+
+    - name: Install cert-manager and patch upstream dns servers
+      run: |
+        kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.3/cert-manager.yaml
+
+
+    - name: Wait for cert-manager to be ready
+      run: |
+        kubectl wait --for=condition=available --timeout=600s deployment/cert-manager-webhook -n cert-manager
+        kubectl get pods -n cert-manager
+        kubectl get svc -n cert-manager -o wide
+
+
+    - name: Install cert-manager-webhook-dnsimple
+      env:
+        DNSIMPLE_API_TOKEN: ${{ secrets.DNSIMPLE_API_TOKEN }}
+        DNSIMPLE_ZONE_NAME: ${{ secrets.DNSIMPLE_ZONE_NAME}}
+      run: |
+        helm install cert-manager-webhook-dnsimple ./charts/cert-manager-webhook-dnsimple \
+          --namespace cert-manager \
+          --set dnsimple.token="$DNSIMPLE_API_TOKEN" \
+          --set groupName="acme.$DNSIMPLE_ZONE_NAME" \
+          --set image.repository=ghcr.io/${{ github.repository_owner }}/cert-manager-webhook-dnsimple \
+          --set clusterIssuer.staging.enabled=true \
+          --set clusterIssuer.email="noreply@$DNSIMPLE_ZONE_NAME" \
+          --set image.tag=commit-${{ github.sha }}
+        kubectl get secrets cert-manager-webhook-dnsimple -o yaml
+
+
+    - name: Wait for cert-manager-webhook-dnsimple to be ready
+      run: |
+        kubectl wait --for=condition=available --timeout=600s deployment/cert-manager-webhook-dnsimple
+        kubectl get pods
+        kubectl get svc -o wide
+
+
+    - name: Create sample certificate that uses the webhook
+      env:
+        DNSIMPLE_ZONE_NAME: ${{ env.DNSIMPLE_ZONE_NAME }}
+      run: |
+        kubectl apply -f - <<EOF
+        apiVersion: cert-manager.io/v1
+        kind: Certificate
+        metadata:
+          name: dnsimple-test
+          namespace: default
+        spec:
+          dnsNames:
+            - "gh-action-test.$DNSIMPLE_ZONE_NAME"
+          issuerRef:
+            name: cert-manager-webhook-dnsimple-staging
+            kind: ClusterIssuer
+          secretName: dnsimple-test-tls
+        EOF
+
+
+    - name: Wait for certificate to be ready
+      run: |
+        kubectl wait --for=condition=ready --timeout=600s certificate/dnsimple-test
+        kubectl get certificate dnsimple-test
+
+
+    - name: Check DNSimple API for new TXT record
+      env:
+        DNSIMPLE_ZONE_NAME: ${{ env.DNSIMPLE_ZONE_NAME }}
+      run: |
+        dig +short TXT _acme-challenge.gh-action-test.$DNSIMPLE_ZONE_NAME