venconn: add integration tests using envtest

Note that I should probably have gone with a fake of the
ConnectionHandler instead of an envtest. We will move to the fake later
on.

I added the venaficonnection CRDs manually for now. I have a PR to
automate pulling these CRDs from the venafi-connection-lib project:
#556

For now, I added these manifests manually with the following commands:

  gh pr checkout 556
  git checkout -
  git checkout step1-makefile-modules -- deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd{,.without-validations}.yaml

Author: maelvls

.gitignore

@@ -13,3 +13,4 @@ predicate.json
 *.pub
 *.tgz
 
+_bin

Makefile

@@ -48,6 +48,8 @@ build:
 install:
 	cd $(ROOT_DIR) && $(GO_INSTALL)
 
+export KUBEBUILDER_ASSETS=$(ROOT_DIR)/_bin/tools
+test: _bin/tools/etcd _bin/tools/kube-apiserver
 test:
 	cd $(ROOT_DIR) && go test ./...
 
@@ -142,3 +144,54 @@ ci-build: ci-test build build-docker-image build-all-platforms bundle-all-platfo
 
 ci-publish: ci-build push-docker-image
 	echo "ci-publish is going to be disabled. We are adopting Github actions"
+
+# NOTE(mael): The download targets for yq, etcd, and kube-apiserver are a lesser
+# and suboptimal version of what's in venafi-enhanced-issuer. We will migrate to
+# makefile-modules and klone soon, so I didn't want to work too hard on this.
+
+YQ_linux_amd64_SHA256SUM=bd695a6513f1196aeda17b174a15e9c351843fb1cef5f9be0af170f2dd744f08
+YQ_darwin_amd64_SHA256SUM=b2ff70e295d02695b284755b2a41bd889cfb37454e1fa71abc3a6ec13b2676cf
+YQ_darwin_arm64_SHA256SUM=e9fc15db977875de982e0174ba5dc2cf5ae4a644e18432a4262c96d4439b1686
+YQ_VERSION=v4.35.1
+
+_bin/downloaded/tools/yq@$(YQ_VERSION)_%:
+	mkdir -p _bin/downloaded/tools
+	curl -L https://github.com/mikefarah/yq/releases/download/$(YQ_VERSION)/yq_$* -o $@
+	./make/util/checkhash.sh $@ $(YQ_$*_SHA256SUM)
+	chmod +x $@
+
+HOST_OS=$(shell uname | tr '[:upper:]' '[:lower:]')
+HOST_ARCH=$(shell uname -m | sed 's/x86_64/amd64/')
+
+_bin/tools/yq: _bin/downloaded/tools/yq@$(YQ_VERSION)_$(HOST_OS)_$(HOST_ARCH)
+	@mkdir -p _bin/tools
+	@cd $(dir $@) && ln -sf $(patsubst _bin/%,../%,$<) $(notdir $@)
+
+KUBEBUILDER_TOOLS_linux_amd64_SHA256SUM=f9699df7b021f71a1ab55329b36b48a798e6ae3a44d2132255fc7e46c6790d4d
+KUBEBUILDER_TOOLS_darwin_amd64_SHA256SUM=e1913674bacaa70c067e15649237e1f67d891ba53f367c0a50786b4a274ee047
+KUBEBUILDER_TOOLS_darwin_arm64_SHA256SUM=0422632a2bbb0d4d14d7d8b0f05497a4d041c11d770a07b7a55c44bcc5e8ce66
+KUBEBUILDER_ASSETS_VERSION=1.27.1
+
+_bin/downloaded/tools/etcd@$(KUBEBUILDER_ASSETS_VERSION)_%: _bin/downloaded/tools/kubebuilder_tools_$(KUBEBUILDER_ASSETS_VERSION)_%.tar.gz | _bin/downloaded/tools
+	./make/util/checkhash.sh $< $(KUBEBUILDER_TOOLS_$*_SHA256SUM)
+	@# O writes the specified file to stdout
+	tar xfO $< kubebuilder/bin/etcd > $@ && chmod 775 $@
+
+_bin/downloaded/tools/kube-apiserver@$(KUBEBUILDER_ASSETS_VERSION)_%: _bin/downloaded/tools/kubebuilder_tools_$(KUBEBUILDER_ASSETS_VERSION)_%.tar.gz | _bin/downloaded/tools
+	./make/util/checkhash.sh $< $(KUBEBUILDER_TOOLS_$*_SHA256SUM)
+	@# O writes the specified file to stdout
+	tar xfO $< kubebuilder/bin/kube-apiserver > $@ && chmod 775 $@
+
+_bin/downloaded/tools/kubebuilder_tools_$(KUBEBUILDER_ASSETS_VERSION)_$(HOST_OS)_$(HOST_ARCH).tar.gz: | _bin/downloaded/tools
+	curl -L https://storage.googleapis.com/kubebuilder-tools/kubebuilder-tools-$(KUBEBUILDER_ASSETS_VERSION)-$(HOST_OS)-$(HOST_ARCH).tar.gz -o $@
+
+_bin/downloaded/tools:
+	@mkdir -p $@
+
+_bin/tools/etcd: _bin/downloaded/tools/etcd@$(KUBEBUILDER_ASSETS_VERSION)_$(HOST_OS)_$(HOST_ARCH)
+	@mkdir -p _bin/tools
+	@cd $(dir $@) && ln -sf $(patsubst _bin/%,../%,$<) $(notdir $@)
+
+_bin/tools/kube-apiserver: _bin/downloaded/tools/kube-apiserver@$(KUBEBUILDER_ASSETS_VERSION)_$(HOST_OS)_$(HOST_ARCH)
+	@mkdir -p _bin/tools
+	@cd $(dir $@) && ln -sf $(patsubst _bin/%,../%,$<) $(notdir $@)

deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.without-validations.yaml

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+set -eu -o pipefail
+
+# This script takes the hash of its first argument and verifies it against the
+# hex hash given in its second argument
+
+SHASUM=$(./make/util/hash.sh "$1")
+
+# When running 'make learn-sha-tools', we don't want this script to fail.
+# Instead we log what sha values are wrong, so the make.mk file can be updated.
+if [ "$SHASUM" != "$2" ] && [ "${LEARN_FILE:-}" != "" ]; then
+	echo "s/$2/$SHASUM/g" >> "${LEARN_FILE:-}"
+	exit 0
+fi
+
+if [ "$SHASUM" != "$2"  ]; then
+	echo "invalid checksum for \"$1\": wanted \"$2\" but got \"$SHASUM\""
+	exit 1
+fi

deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.yaml

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+set -eu -o pipefail
+
+# This script is a wrapper for outputting purely the sha256 hash of the input file,
+# ideally in a portable way.
+
+sha256sum "$1" | cut -d" " -f1

make/util/checkhash.sh

@@ -268,7 +268,7 @@ func fakeTPP(t testing.TB) (*httptest.Server, *x509.Certificate) {
 func startEnvtest(t testing.TB) (_ *envtest.Environment, _ *rest.Config, kclient ctrlruntime.WithWatch) {
 	envtest := &envtest.Environment{
 		ErrorIfCRDPathMissing: true,
-		CRDDirectoryPaths:     []string{"/tmp/venafi-connection.yaml"},
+		CRDDirectoryPaths:     []string{"../../deploy/charts/venafi-kubernetes-agent/crd_bases/jetstack.io_venaficonnections.yaml"},
 	}
 	restconf, err := envtest.Start()
 	require.NoError(t, err)