init cert-manager-alidns-webhook

Author: crazygit

.github/workflows/ci.yaml

@@ -0,0 +1,101 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - master
+    tags:
+      - "v*.*.*"
+  pull_request:
+    branches:
+      - master
+
+permissions:
+  contents: read
+  packages: read
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.25"
+          cache: true
+
+      - name: Run go vet
+        run: go vet ./...
+
+      - name: Run tests
+        run: go test -race -coverprofile=coverage.txt -covermode=atomic ./...
+
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v4
+        with:
+          file: ./coverage.txt
+          fail_ci_if_error: false
+          verbose: true
+
+  helm-lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v3.16.0
+
+      - name: Lint Helm Chart
+        run: |
+          helm lint deploy/cert-manager-alidns-webhook
+
+  docker-release:
+    if: startsWith(github.ref, 'refs/tags/v')
+    needs: [test, helm-lint]
+    uses: ./.github/workflows/docker-release.yaml
+    secrets: inherit
+    permissions:
+      contents: write
+      packages: write
+      id-token: write
+
+  helm-release:
+    if: startsWith(github.ref, 'refs/tags/v')
+    needs: [test, helm-lint]
+    uses: ./.github/workflows/helm-release.yaml
+    secrets: inherit
+    permissions:
+      contents: write
+      packages: write
+      id-token: write
+
+  create-release:
+    if: startsWith(github.ref, 'refs/tags/v')
+    needs: [docker-release, helm-release]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          body: |
+            ## Docker Image
+
+            ```bash
+            docker pull ghcr.io/crazygit/cert-manager-alidns-webhook:${{ github.ref_name }}
+            ```
+
+            ## Helm Chart
+
+            ```bash
+            helm install cert-manager-alidns-webhook oci://ghcr.io/crazygit/helm-charts/cert-manager-alidns-webhook --version ${{ github.ref_name }}
+            ```
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/docker-release.yaml

@@ -0,0 +1,51 @@
+name: Docker Release
+
+on:
+  workflow_call:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  packages: write
+  id-token: write
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/crazygit/cert-manager-alidns-webhook
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          provenance: true
+          sbom: true

.github/workflows/helm-release.yaml

@@ -0,0 +1,38 @@
+name: Helm Release
+
+on:
+  workflow_call:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  packages: write
+  id-token: write
+
+jobs:
+  package-and-push:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v3.16.0
+
+      - name: Package Helm Chart
+        run: |
+          cd deploy/cert-manager-alidns-webhook
+          helm package .
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Push Helm Chart to GHCR
+        run: |
+          helm push deploy/cert-manager-alidns-webhook/*.tgz oci://ghcr.io/crazygit/helm-charts

.gitignore

@@ -17,3 +17,4 @@ cert-manager-webhook-example
 # Make artifacts
 _out
 _test
+*.tgz

DEVELOPMENT.md

@@ -0,0 +1,47 @@
+# 开发指南
+
+## 📋 项目概述
+
+基于 [cert-manager/webhook-example](https://github.com/cert-manager/webhook-example) 模板，开发适用于阿里云 DNS (AliDNS) 的 cert-manager webhook。
+
+### 核心特性
+
+- ✅ 支持 **RRSA** (RAM Roles for Service Accounts) - 生产环境推荐
+- ✅ 支持 **AccessKey/SecretKey** - 开发/测试环境
+- ✅ 支持 **ECS 实例 RAM 角色** - ACK 自动支持
+- ✅ 使用 **V2.0 Tea SDK** - 官方推荐版本
+- ✅ **幂等性** DNS 记录管理
+- ✅ **Helm Chart** 一键部署
+
+## 运行测试用例
+
+### 单元测试
+
+```
+$ go test -v ./pkg/alidns/...
+```
+
+### 集成测试
+
+⚠️ **注意**：
+
+集成测试会通过 API 操作阿里云解析的域名记录，运行时最好使用一个**非生产环境**的域名测试。
+
+前提条件：
+
+- 已经有域名托管在阿里云解析
+- 参考[管理访问凭证](https://help.aliyun.com/zh/sdk/developer-reference/v2-manage-go-access-credentials), 在本地配置好了访问凭证的环境变量或`config.json`文件
+
+```shell
+TEST_ZONE_NAME=example.com. make test
+```
+
+替换上面命令中 `example.com.` 为你当前托管在阿里云用于测试的域名（不要忘记域名后面的 `.`）
+
+## 🔗 参考资源
+
+- [阿里云 Golang SDK 配置](https://next.api.aliyun.com/api-tools/sdk/Alidns?version=2015-01-09&language=go-tea&tab=primer-doc)
+- [管理访问凭证](https://help.aliyun.com/zh/sdk/developer-reference/v2-manage-go-access-credentials)
+- [Endpoint 设置](https://api.aliyun.com/product/Alidns)
+- [Cert-Manager Creating DNS Providers](https://cert-manager.io/docs/contributing/dns-providers/)
+- [Cert-Manager webhook-example](https://github.com/cert-manager/webhook-example)

Dockerfile

@@ -1,24 +1,29 @@
-FROM golang:1.23-alpine3.19@sha256:5f3336882ad15d10ac1b59fbaba7cb84c35d4623774198b36ae60edeba45fd84 AS build_deps
-
-RUN apk add --no-cache git
+# Build stage
+FROM golang:1.25.3 AS build
 
 WORKDIR /workspace
 
-COPY go.mod .
-COPY go.sum .
-
+# Download dependencies
+COPY go.mod go.sum ./
 RUN go mod download
 
-FROM build_deps AS build
-
+# Build the webhook binary
 COPY . .
+RUN CGO_ENABLED=0 go build \
+    -ldflags '-w -extldflags "-static"' \
+    -o cert-manager-alidns-webhook .
 
-RUN CGO_ENABLED=0 go build -o webhook -ldflags '-w -extldflags "-static"' .
-
-FROM alpine:3.23@sha256:865b95f46d98cf867a156fe4a135ad3fe50d2056aa3f25ed31662dff6da4eb62
+# Final stage
+FROM alpine:3.23
 
 RUN apk add --no-cache ca-certificates
 
-COPY --from=build /workspace/webhook /usr/local/bin/webhook
+# Non-root user
+RUN addgroup -g 1000 cert-manager && \
+    adduser -u 1000 -G cert-manager -D -h /home/cert-manager cert-manager
+
+USER cert-manager
+
+COPY --from=build /workspace/cert-manager-alidns-webhook /usr/local/bin/cert-manager-alidns-webhook
 
-ENTRYPOINT ["webhook"]
+ENTRYPOINT ["/usr/local/bin/cert-manager-alidns-webhook"]

Makefile

@@ -9,7 +9,7 @@ OUT := $(shell pwd)/_out
 
 KUBEBUILDER_VERSION=1.28.0
 
-HELM_FILES := $(shell find deploy/example-webhook)
+HELM_FILES := $(shell find deploy/cert-manager-alidns-webhook)
 
 test: _test/kubebuilder-$(KUBEBUILDER_VERSION)-$(OS)-$(ARCH)/etcd _test/kubebuilder-$(KUBEBUILDER_VERSION)-$(OS)-$(ARCH)/kube-apiserver _test/kubebuilder-$(KUBEBUILDER_VERSION)-$(OS)-$(ARCH)/kubectl
 	TEST_ASSET_ETCD=_test/kubebuilder-$(KUBEBUILDER_VERSION)-$(OS)-$(ARCH)/etcd \
@@ -36,10 +36,10 @@ rendered-manifest.yaml: $(OUT)/rendered-manifest.yaml
 
 $(OUT)/rendered-manifest.yaml: $(HELM_FILES) | $(OUT)
 	helm template \
-	    --name example-webhook \
+	    --name cert-manager-alidns-webhook \
             --set image.repository=$(IMAGE_NAME) \
             --set image.tag=$(IMAGE_TAG) \
-            deploy/example-webhook > $@
+            deploy/cert-manager-alidns-webhook > $@
 
 _test $(OUT) _test/kubebuilder-$(KUBEBUILDER_VERSION)-$(OS)-$(ARCH):
 	mkdir -p $@