✨ test: add punycode support and improve test infrastructure

- Add pre-commit config with go-fmt, go-mod-tidy, golangci-lint, go-sec
- Add Makefile targets for unit/integration tests with validation
- Support Punycode to Unicode conversion in solver for international domains
- Add comprehensive Punycode test cases in solver_test.go
- Improve test helper functions in client_test.go (mustSetEnv/mustUnsetEnv)
- Add hadolint ignore for Alpine APK install in Dockerfile
- Move golang.org/x/net from indirect to direct dependency
- Update DEVELOPMENT.md with simplified test commands

Author: crazygit

.pre-commit-config.yaml

@@ -0,0 +1,38 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+exclude: |
+          (?x)^(
+            gen/docs/.*|
+            .*_gen\.go|
+          )$
+fail_fast: false
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v6.0.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-added-large-files
+  - repo: https://github.com/TekWizely/pre-commit-golang
+    rev: v1.0.0-rc.4
+    hooks:
+      - id: go-fmt
+        args: [-w]
+      - id: go-mod-tidy
+      - id: golangci-lint-mod
+      - id: go-sec-mod
+  - repo: https://github.com/hadolint/hadolint
+    rev: v2.14.0
+    hooks:
+      - id: hadolint
+  - repo: https://github.com/codespell-project/codespell
+    rev: v2.4.1
+    hooks:
+      - id: codespell
+        name: Run codespell to check for common misspellings in files
+        language: python
+        types: [ text ]
+        args:
+          - --write-changes
+          - --skip=go.sum,./gen
+          - -L thirdparty

DEVELOPMENT.md

@@ -160,8 +160,8 @@ cd cert-manager-alidns-webhook
 # 2. 安装依赖
 go mod download
 
-# 3. 运行测试
-go test -v ./...
+# 3. 运行测试（默认只跑单元测试）
+make
 ```
 
 ### 阿里云访问凭证配置
@@ -273,10 +273,10 @@ sed -i '' 's|k8s.io/.* v0.35.0|k8s.io/client-go v0.34.1|' go.mod
 go mod tidy
 ```
 
-4. **运行测试验证**
+4. **运行测试验证（默认只跑单元测试）**
 
 ```bash
-go test -v ./...
+make
 ```
 
 #### 本地验证
@@ -312,7 +312,7 @@ go run main.go \
 
 ```bash
 # 运行所有单元测试
-go test -v ./...
+make test-unit
 
 # 运行特定包的测试
 go test -v ./pkg/alidns/
@@ -336,15 +336,19 @@ go test -cover ./...
 
 ```bash
 # 设置测试域名（注意末尾的点）
-TEST_ZONE_NAME=example.com. make test
-
-# 或者直接运行 go test（需要先设置环境变量）
-export TEST_ZONE_NAME=example.com.
-go test -v ./pkg/alidns/ -tags=integration
+TEST_ZONE_NAME=example.com. make test-integration
 ```
 
+Makefile 会检查 `TEST_ZONE_NAME` 是否设置并校验格式（必须以点结尾）。
+
 替换上面命令中 `example.com.` 为你当前托管在阿里云用于测试的域名（不要忘记域名后面的 `.`）。
 
+#### 运行全部测试
+
+```bash
+make test-all
+```
+
 ---
 
 ## 参考资源
@@ -370,7 +374,7 @@ go test -v ./pkg/alidns/ -tags=integration
 
 在提交 PR 前，请确保：
 
-1. ✅ 代码通过所有测试（`go test ./...`）
+1. ✅ 代码通过所有测试（`make test-all`）
 2. ✅ 添加了必要的单元测试
 3. ✅ 更新了相关文档（如需要）
 

Dockerfile

@@ -24,6 +24,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build \
 # Final stage
 FROM alpine:3.23
 
+# hadolint ignore=DL3018
 RUN apk add --no-cache ca-certificates tzdata && \
     addgroup -g 1000 cert-manager && \
     adduser -u 1000 -G cert-manager -D -h /home/cert-manager cert-manager

Makefile

@@ -11,11 +11,30 @@ KUBEBUILDER_VERSION=1.28.0
 
 HELM_FILES := $(shell find deploy/cert-manager-alidns-webhook)
 
-test: _test/kubebuilder-$(KUBEBUILDER_VERSION)-$(OS)-$(ARCH)/etcd _test/kubebuilder-$(KUBEBUILDER_VERSION)-$(OS)-$(ARCH)/kube-apiserver _test/kubebuilder-$(KUBEBUILDER_VERSION)-$(OS)-$(ARCH)/kubectl
+.DEFAULT_GOAL := test-unit
+.MAIN: test-unit
+
+.PHONY: test-integration
+test-integration: _test/kubebuilder-$(KUBEBUILDER_VERSION)-$(OS)-$(ARCH)/etcd _test/kubebuilder-$(KUBEBUILDER_VERSION)-$(OS)-$(ARCH)/kube-apiserver _test/kubebuilder-$(KUBEBUILDER_VERSION)-$(OS)-$(ARCH)/kubectl
+	@if [ -z "$(TEST_ZONE_NAME)" ]; then \
+		echo "ERROR: TEST_ZONE_NAME is not set. Example: TEST_ZONE_NAME=example.com. (note the trailing dot)."; \
+		exit 1; \
+	fi
+	@if ! printf '%s' "$(TEST_ZONE_NAME)" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*\.$'; then \
+		echo "ERROR: TEST_ZONE_NAME must be a FQDN ending with a dot, e.g. example.com. (trailing dot required)."; \
+		exit 1; \
+	fi
 	TEST_ASSET_ETCD=_test/kubebuilder-$(KUBEBUILDER_VERSION)-$(OS)-$(ARCH)/etcd \
 	TEST_ASSET_KUBE_APISERVER=_test/kubebuilder-$(KUBEBUILDER_VERSION)-$(OS)-$(ARCH)/kube-apiserver \
 	TEST_ASSET_KUBECTL=_test/kubebuilder-$(KUBEBUILDER_VERSION)-$(OS)-$(ARCH)/kubectl \
-	$(GO) test -v .
+	$(GO) test -v  -tags=integration .
+
+.PHONY: test-unit
+test-unit:
+	$(GO) test -v ./...
+
+.PHONY: test-all
+test-all: test-unit test-integration
 
 _test/kubebuilder-$(KUBEBUILDER_VERSION)-$(OS)-$(ARCH).tar.gz: | _test
 	curl -fsSL https://go.kubebuilder.io/test-tools/$(KUBEBUILDER_VERSION)/$(OS)/$(ARCH) -o $@

README.md

@@ -395,4 +395,4 @@ This project is based on the [cert-manager/webhook-example](https://github.com/c
 
 <p align="center">
   <sub>Built with ❤️ by the open source community</sub>
-</p>
+</p>

go.mod

@@ -10,6 +10,7 @@ require (
 	github.com/aliyun/credentials-go v1.4.10
 	github.com/cert-manager/cert-manager v1.19.2
 	github.com/stretchr/testify v1.11.1
+	golang.org/x/net v0.47.0
 	k8s.io/client-go v0.34.1
 )
 
@@ -87,7 +88,6 @@ require (
 	golang.org/x/crypto v0.45.0 // indirect
 	golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 // indirect
 	golang.org/x/mod v0.30.0 // indirect
-	golang.org/x/net v0.47.0 // indirect
 	golang.org/x/oauth2 v0.31.0 // indirect
 	golang.org/x/sync v0.18.0 // indirect
 	golang.org/x/sys v0.38.0 // indirect

pkg/alidns/client_test.go

@@ -10,6 +10,7 @@ import (
 	util "github.com/alibabacloud-go/tea-utils/v2/service"
 	"github.com/alibabacloud-go/tea/tea"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 // MockAliDNSClient 是用于测试的 mock 客户端
@@ -54,11 +55,11 @@ func (m *MockAliDNSClient) DescribeDomainRecordsWithOptions(request *alidns.Desc
 
 func TestAddTXTRecord(t *testing.T) {
 	tests := []struct {
-		name         string
+		name            string
 		existingRecords []*alidns.DescribeDomainRecordsResponseBodyDomainRecordsRecord
-		addFuncCalled bool
-		expectError  bool
-		errorMsg     string
+		addFuncCalled   bool
+		expectError     bool
+		errorMsg        string
 	}{
 		{
 			name:            "new record - should create",
@@ -133,9 +134,10 @@ func TestAddTXTRecord(t *testing.T) {
 				}
 			} else {
 				assert.NoError(t, err)
-				if tt.name == "record already exists - should return existing" {
+				switch tt.name {
+				case "record already exists - should return existing":
 					assert.Equal(t, "existing-id", recordID)
-				} else if tt.name == "new record - should create" {
+				case "new record - should create":
 					assert.Equal(t, "new-record-id", recordID)
 				}
 			}
@@ -196,7 +198,7 @@ func TestDeleteRecordsByKey(t *testing.T) {
 		expectError  bool
 	}{
 		{
-			name:         "single matching record",
+			name: "single matching record",
 			records: []*alidns.DescribeDomainRecordsResponseBodyDomainRecordsRecord{
 				{
 					RecordId: tea.String("record-1"),
@@ -228,8 +230,8 @@ func TestDeleteRecordsByKey(t *testing.T) {
 			expectError:  false,
 		},
 		{
-			name:        "describe API error",
-			records:     nil,
+			name:         "describe API error",
+			records:      nil,
 			expectDelete: 0,
 			expectError:  true,
 		},
@@ -432,21 +434,31 @@ func TestGetEndpoint(t *testing.T) {
 			originalValue := os.Getenv("ALIBABA_CLOUD_REGION_ID")
 			defer func() {
 				if originalValue != "" {
-					os.Setenv("ALIBABA_CLOUD_REGION_ID", originalValue)
+					mustSetEnv(t, "ALIBABA_CLOUD_REGION_ID", originalValue)
 				} else {
-					os.Unsetenv("ALIBABA_CLOUD_REGION_ID")
+					mustUnsetEnv(t, "ALIBABA_CLOUD_REGION_ID")
 				}
 			}()
 
 			// Set test env var
 			if tt.envRegion != "" {
-				os.Setenv("ALIBABA_CLOUD_REGION_ID", tt.envRegion)
+				mustSetEnv(t, "ALIBABA_CLOUD_REGION_ID", tt.envRegion)
 			} else {
-				os.Unsetenv("ALIBABA_CLOUD_REGION_ID")
+				mustUnsetEnv(t, "ALIBABA_CLOUD_REGION_ID")
 			}
 
 			result := getEndpoint()
 			assert.Equal(t, tt.expectedResult, result)
 		})
 	}
 }
+
+func mustSetEnv(t *testing.T, key, value string) {
+	t.Helper()
+	require.NoError(t, os.Setenv(key, value))
+}
+
+func mustUnsetEnv(t *testing.T, key string) {
+	t.Helper()
+	require.NoError(t, os.Unsetenv(key))
+}

pkg/alidns/solver.go

@@ -7,6 +7,7 @@ import (
 	"log/slog"
 
 	"github.com/cert-manager/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1"
+	"golang.org/x/net/idna"
 	"k8s.io/client-go/rest"
 
 	"github.com/cert-manager/cert-manager/pkg/issuer/acme/dns/util"
@@ -200,5 +201,13 @@ func (s *Solver) extractDomainAndRR(fqdn, zone string) (string, string) {
 	// 移除 rr 可能的结尾点
 	rr = strings.TrimSuffix(rr, ".")
 
+	// Convert Punycode to Unicode for both zone (domain) and rr
+	if uZone, err := idna.ToUnicode(zone); err == nil {
+		zone = uZone
+	}
+	if uRR, err := idna.ToUnicode(rr); err == nil {
+		rr = uRR
+	}
+
 	return zone, rr
 }

pkg/alidns/solver_test.go

@@ -216,3 +216,50 @@ func TestSolver_CleanUp_Uninitialized(t *testing.T) {
 	assert.Error(t, err)
 	assert.Contains(t, err.Error(), "not initialized")
 }
+
+func TestExtractDomainAndRR_Punycode(t *testing.T) {
+	solver := &Solver{}
+
+	tests := []struct {
+		name         string
+		fqdn         string
+		zone         string
+		expectDomain string
+		expectRR     string
+	}{
+		{
+			name:         "punycode zone",
+			fqdn:         "_acme-challenge.xn--fiq228c.com.",
+			zone:         "xn--fiq228c.com.",
+			expectDomain: "中文.com",
+			expectRR:     "_acme-challenge",
+		},
+		{
+			name:         "punycode subdomain",
+			fqdn:         "_acme-challenge.xn--0zwm56d.xn--fiq228c.com.",
+			zone:         "xn--fiq228c.com.",
+			expectDomain: "中文.com",
+			expectRR:     "_acme-challenge.测试",
+		},
+		{
+			name: "mixed punycode and unicode (should fail splitting if mismatch)",
+			fqdn: "_acme-challenge.中文.com.",
+			zone: "xn--fiq228c.com.",
+			// Mismatch causes split failure, so RR is full FQDN.
+			// zone "xn--fiq228c.com." -> "中文.com"
+			// fqdn "_acme-challenge.中文.com."
+			// rr = fqdn (since suffix doesn't match string-wise)
+			// rr -> ToUnicode("_acme-challenge.中文.com.") -> "_acme-challenge.中文.com"
+			expectDomain: "中文.com",
+			expectRR:     "_acme-challenge.中文.com",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			domain, rr := solver.extractDomainAndRR(tt.fqdn, tt.zone)
+			assert.Equal(t, tt.expectDomain, domain, "Domain mismatch")
+			assert.Equal(t, tt.expectRR, rr, "RR mismatch")
+		})
+	}
+}