Rewrite CSR creation into jq to be more robust

charts/imagepullsecret-injector/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.20
+version: 0.0.21
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/imagepullsecret-injector/scripts/create-signed-cert.sh

@@ -83,23 +83,27 @@ echo "Deleting old CertificateSigningRequests"
 kubectl delete csr ${csrName} 2>/dev/null || true
 
 echo "Creating new CertificateSigningRequests"
-# create  server cert/key CSR and  send to k8s API
-cat <<EOF | kubectl create -f -
-apiVersion: certificates.k8s.io/v1
-kind: CertificateSigningRequest
-metadata:
-  name: ${csrName}
-  namespace: ${namespace}
-spec:
-  signerName: kubernetes.io/kubelet-serving
-  groups:
-  - system:authenticated
-  request: $(< "${tmpdir}"/server.csr base64 | tr -d '\n')
-  usages:
-  - digital signature
-  - key encipherment
-  - server auth
-EOF
+# create server cert/key CSR and  send to k8s API
+jq -n --arg request "$(< "${tmpdir}"/server.csr base64 -w0)" \
+  --arg namespace "$namespace" \
+  --arg csrName "$csrName" '{
+    apiVersion: "certificates.k8s.io/v1beta1",
+    kind: "CertificateSigningRequest",
+    metadata: {
+      name: $csrName,
+      namespace: $namespace
+    },
+    spec: {
+      signerName: "kubernetes.io/kubelet-serving",
+      groups: ["system:authenticated"],
+      request: $request,
+      usages: [
+        "digital signature",
+        "key encipherment",
+        "server auth"
+      ]
+    }
+  }' | kubectl create -f -
 
 # verify CSR has been created
 while true; do