
Improve k8s integration tests in CI

Open sorindumitru opened this issue 11 months ago • 1 comments

Currently we try to figure out the latest kind release and then the tags from the first 5 pages of kindest/node image releases and try to run the k8s integration test using all of the found tags with the latest kind version.

This has some issues with the potential to break CI or even compromise it (if kind is compromised, since we automatically pick up latest releases from there). Each kind release advertises a list of compatible images. It's likely to work with other images, but there's no guarantee given.

We need to see what's the easiest way to maintain this in a way that isn't likely to break and that is secure. kind maintainers suggest that we pin the version of kind we use and the sha256 of the images that are compatible with that release. Adding kind as a tool dependency (once we upgrade to Go 1.24) might make it a bit easier to manage. Dependabot would at least notify us of new releases so we'd know when to update the image list.

sorindumitru, Jan 24 '25 16:01
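
The pinning suggested by the kind maintainers in the issue above can be enforced as a CI gate that runs before any cluster is created. This is an added example, not part of the issue or of SPIRE's CI scripts; the pin-list format, the `sample_pins` and `check_pins` names, the rule that an image needs both an exact tag and a digest, and the placeholder versions and digests are all assumptions.

```shell
#!/bin/sh
# Added example (not SPIRE's CI code). Assumed pin-list format: one
# "kind=<version>" line plus one "repo:tag@sha256:<digest>" line per image.

# Constructed sample; versions and digests are placeholders, not real releases.
sample_pins() {
  z16=0000000000000000
  digest="$z16$z16$z16$z16"   # 64 hex characters
  cat <<EOF
# images listed as compatible with the pinned kind release
kind=v0.0.0
kindest/node:v1.0.0@sha256:$digest
kindest/node:v1.0.1
kindest/node:latest@sha256:$digest
kindest/node:v1.0.2@sha256:abc123
EOF
}

# Reads a pin list on stdin, prints one line per violation, and returns
# non-zero if the kind version or any image reference is not fully pinned.
check_pins() {
  image_re='^[a-z0-9./_-]+:v[0-9]+\.[0-9]+\.[0-9]+@sha256:[0-9a-f]{64}$'
  kind_re='^kind=v[0-9]+\.[0-9]+\.[0-9]+$'
  bad=0
  kind_seen=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*) continue ;;
      kind=*)
        kind_seen=1
        printf '%s\n' "$line" | grep -Eq "$kind_re" ||
          { echo "kind version is not an exact release: $line"; bad=1; } ;;
      *)
        printf '%s\n' "$line" | grep -Eq "$image_re" ||
          { echo "image is not pinned by tag and digest: $line"; bad=1; } ;;
    esac
  done
  [ "$kind_seen" -eq 1 ] || { echo "no kind version pinned"; bad=1; }
  return "$bad"
}

# Fail the job before any cluster is created if the list has floating entries.
sample_pins | check_pins || echo "pin list rejected"
```

Run against the constructed list, the check flags the tag-only entry, the `latest` entry and the truncated digest, and accepts only the fully pinned reference.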

Probably some things we can do between the tests here, and the tests in the helm charts too.

kfox1111, Feb 12 '25 12:02