Refactor certificate generation for integration test Dex.

Before, we did this in an init container, which meant if the Dex pod restarted we would have fresh certs, but our Tilt/bash setup didn't account for this.

Now, the certs are generated by a Job which runs once and saves the generated files into a Secret. This should be a bit more stable.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
Matt Moyer
2020-11-17 11:24:38 -06:00
parent 3b9fb71dd1
commit 6ce2f109bf
4 changed files with 117 additions and 33 deletions


@@ -27,6 +27,17 @@ k8s_yaml(local(['ytt','--file', '../../../test/deploy/dex']))
# Tell tilt to watch all of those files for changes.
watch_file('../../../test/deploy/dex')
# Collect all the deployed certificate issuer resources under a "cert-issuer" resource tab.
k8s_resource(
workload='cert-issuer',
objects=[
# these are the objects that would otherwise appear in the "uncategorized" tab in the tilt UI
'cert-issuer:serviceaccount',
'cert-issuer:role',
'cert-issuer:rolebinding',
],
)
# Collect all the deployed Dex resources under a "dex" resource tab.
k8s_resource(
workload='dex', # this is the deployment name
@@ -35,6 +46,7 @@ k8s_resource(
'dex:namespace',
'dex-config:configmap',
],
resource_deps=['cert-issuer'],
)
#####################################################################################################
@@ -186,6 +198,6 @@ k8s_resource(
local_resource(
'test-env',
'TILT_MODE=yes ../../prepare-for-integration-tests.sh',
resource_deps=['local-user-auth', 'concierge', 'supervisor'],
resource_deps=['local-user-auth', 'concierge', 'supervisor', 'dex', 'cert-issuer'],
deps=['../../prepare-for-integration-tests.sh'],
)
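Review bot: The `resource_deps=['cert-issuer']` added to the `dex` resource has no comment saying why the ordering matters, and neither do the two names appended to `test-env`'s `resource_deps`. Judging by the commit description, Dex consumes the Secret that the cert-issuer Job writes, so a one-line comment such as `# dex needs the certs Secret created by the cert-issuer Job` above the dependency would keep a later cleanup from dropping it. The grouped `cert-issuer:role` and `cert-issuer:rolebinding` are defined outside this file; it is worth confirming there that the Role grants only what the Job needs to write that one Secret in the `dex` namespace.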


@@ -268,7 +268,7 @@ fi
#
# Download the test CA bundle that was generated in the Dex pod.
#
test_ca_bundle_pem="$(kubectl exec -n dex deployment/dex -- cat /var/certs/ca.pem)"
test_ca_bundle_pem="$(kubectl get secrets -n dex certs -o go-template='{{index .data "ca.pem" | base64decode}}')"
#
# Create the environment file
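Review bot: The value captured by the new `kubectl get secrets -n dex certs` line is never validated, so a Secret that exists but lacks a usable `ca.pem` entry could put an empty or malformed CA bundle into the environment file, and the failure would only surface later as a TLS error in the tests. A guard right after the assignment would fail fast: `[[ "$test_ca_bundle_pem" == *"BEGIN CERTIFICATE"* ]] || { echo "ca.pem missing from dex/certs Secret" >&2; exit 1; }`. Whether a non-zero exit from kubectl already aborts the script depends on shell options set outside this hunk. Extracting only the `ca.pem` key is the right scope, since the Secret presumably also holds private key material that should not reach the environment file.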