  2. 18 Aug, 2020 5 commits
      Update helm charts for the refactored TLS solution. · 59afb5d6
      Geoff Simmons authored
      Ref #36
      Refactor the mechanism for making TLS Secrets available to haproxy. · b5d6cef1
      Geoff Simmons authored
      The haproxy container now runs the app k8s-crt-dnldr, and no longer
      runs http-faccess. See https://code.uplex.de/k8s/k8s-crt-dnldr
      
      k8s-crt-dnldr runs a k8s client that reads Secrets, filtered for
      TLS (type:kubernetes.io/tls). It provides a REST API with which a
      client can instruct it to write (PUT) or remove (DELETE) a pem
      file (concatenated crt and key) corresponding to a TLS Secret in
      the cluster. By default, these are written to /etc/ssl/private,
      where haproxy reads certificates. After the next haproxy reload
      following the write or delete, haproxy will use or not use the
      certificate.
      
      Once k8s-crt-dnldr has been instructed to store a Secret, it
      responds to Update and Delete events for the Secret by updating
      or deleting the file on its own. The controller currently sends
      commands to do so as well, but in practice the k8s-crt-dnldr has
      already changed the certificate itself (this is not an error).
      
      This means that viking Pods must have RBAC rights to read
      Secrets (the fact that these are filtered for TLS is not
      expressible in RBAC). That in turn means that viking Pods
      must be assigned a service account name, to get the RBAC
      role binding.
      
      The controller no longer needs RBAC write privileges for Secrets,
      and the "tls-cert" Secret with the hard-wired name is no longer
      necessary. The Secret volume that projects "tls-cert" into viking
      Pods has been removed.
      
      The port faccess in the headless Service for viking admin
      has been renamed to crt-dnldr.
      
      Addresses #36
      Add icon addresses to the helm charts. · 59d432fe
      Geoff Simmons authored
      38270bfb
  11. 09 Jul, 2020 4 commits
      Internal renaming to reflect changing "readiness" to "configured". · f8220d1c
      Geoff Simmons authored
      VCL label and source file names changed.
      Empty response bodies for readiness and configured checks. · 159f919a
      Geoff Simmons authored
      Update comments and fix up whitespace while we're here.
      Varnish Pods are Ready when Varnish is running, even without an Ingress. · ba45234c
      Geoff Simmons authored
      Add the port "configured" to the headless Varnish admin Service,
      which responds with status 200 when an Ingress is configured, 503
      otherwise. This replaces the previous purpose of the Ready state,
      to determine if the Pods are currently implementing an Ingress.
      
      This is actually a small change to the Varnish images and the admin
      Service, but a wide-ranging change for testing, since we now check
      the configured port before verifying a configuration (rather than
      wait for the Ready state). Common test code is now in the bash
      library test/utils.sh.
      
      This commit also includes a fix for the repeated test of the
      ExternalName example, which verifies that the changed IP addresses
      for ExternalName Services are picked up by VMOD dynamic. The test
      waits for the Ready state of the IngressBackends. The second time
      around, kubectl wait sometimes picked up previous versions of the
      Pods that were in the process of terminating. These of course never
      became Ready, and the wait timed out. Now we wait for those Pods
      to delete before proceeding with the second test.