Fix certificate generation script arguments

2026-01-13 15:23:50 +01:00 · 2021-04-04 20:08:56 +02:00
10 changed files with 21 additions and 34 deletions
--- a/.github/workflows/release-docker.yaml
+++ b/.github/workflows/release-docker.yaml
@@ -4,7 +4,6 @@ on:
  push:
    branches:
      - main
-      - devel

 jobs:
  release:
@@ -13,7 +12,7 @@ jobs:
      - name: Checkout
        uses: actions/checkout@v1
        with:
-          ref: ${{ github.ref }}
+          ref: main

      - name: Configure Git
        run: |
@@ -23,8 +22,8 @@ jobs:
      - name: Build and push docker images (make image)
        run: make image
        env:
-          DOCKER_USER: ${GITHUB_ACTOR}
-          DOCKER_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          DOCKER_USER: '${{ secrets.DOCKER_USER }}'
+          DOCKER_TOKEN: '${{ secrets.DOCKER_TOKEN }}'

      - name: Logout from dockerhub (make docker-logout)
        run: make docker-logout
--- a/5
+++ b/5
@@ -1,8 +1,7 @@
 # Image URL to use all building/pushing image targets;
 # Use your own docker registry and image name for dev/test by overridding the
 # IMAGE_REPO, IMAGE_NAME and IMAGE_TAG environment variable.
-REPOSITORY_BASE ?= ghcr.io
-IMAGE_REPO ?= $(REPOSITORY_BASE)/ysoftdevs/imagepullsecret-injector
+IMAGE_REPO ?= marshallmarshall
 IMAGE_NAME ?= imagepullsecret-injector
 GENERATOR_IMAGE_NAME ?= webhook-cert-generator

@@ -82,7 +81,7 @@ build-linux:
 image: docker-login build-image push-image

 docker-login:
-	@echo "$(DOCKER_TOKEN)" | docker login -u "$(DOCKER_USER)" --password-stdin "$(REPOSITORY_BASE)"
+	@echo ${DOCKER_TOKEN} | docker login -u ${DOCKER_USER} --password-stdin

 docker-logout:
 	@docker logout
--- a/README.md
+++ b/README.md
@@ -3,8 +3,10 @@
 The responsibility of this webhook is to patch all newly created/updated service account and make sure they all contained proper imagepullsecret configuration. 

 This repo produces one helm chart available via helm repository https://ysoftdevs.github.io/imagepullsecret-injector. There are also 2 docker images:
- `ghcr.io/ysoftdevs/imagepullsecret-injector/imagepullsecret-injector` - the image containing the webhook itself
- `ghcr.io/ysoftdevs/imagepullsecret-injector/webhook-cert-generator` - helper image responsible for (re)generating the certificates
+- `marshallmarshall/imagepullsecret-injector` - the image containing the webhook itself
+- `marshallmarshall/webhook-cert-generator` - helper image responsible for (re)generating the certificates
+
+

 ## Helm description
 The helm chart consists of 2 parts: the certificate generator and the webhook configuration itself.
@@ -57,6 +59,3 @@ Of note is also a fact that the chart runs a lookup to the connected cluster to
    kubectl get sa -n yolo default -ojsonpath='{.imagePullSecrets}'
    ```
    The `get` command should display _some_ non-empty result.
-
-## Releasing locally
-To authenticate to the docker registry to push the images manually, you will need your own Github Personal Access Token. For more information follow this guide https://docs.github.com/en/packages/guides/migrating-to-github-container-registry-for-docker-images#authenticating-with-the-container-registry
--- a/helm/imagepullsecret-injector/Chart.yaml
+++ b/helm/imagepullsecret-injector/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.16
+version: 0.0.10

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/helm/imagepullsecret-injector/scripts/create-signed-cert.sh
+++ b/helm/imagepullsecret-injector/scripts/create-signed-cert.sh
@@ -89,7 +89,6 @@ apiVersion: certificates.k8s.io/v1
 kind: CertificateSigningRequest
 metadata:
  name: ${csrName}
-  namespace: ${namespace}
 spec:
  signerName: kubernetes.io/kubelet-serving
  groups:
--- a/helm/imagepullsecret-injector/templates/certificate-gen/cronjob-certificate-gen.yaml
+++ b/helm/imagepullsecret-injector/templates/certificate-gen/cronjob-certificate-gen.yaml
@@ -5,7 +5,7 @@ metadata:
  labels:
    {{- include "imagepullsecret-injector.labels" . | nindent 4 }}
 spec:
-  schedule: '* * * * 0'
+  schedule: '* * * * *'
  jobTemplate:
    metadata:
      name: "{{ .Release.Name }}"
@@ -21,12 +21,9 @@ spec:
              image: "{{ .Values.certificateGeneratorImage.registry }}/{{ .Values.certificateGeneratorImage.repository }}:{{ .Values.certificateGeneratorImage.tag | default .Chart.AppVersion }}"
              command: ["/entrypoint/entrypoint.sh"]
              args:
-                - --service
-                - "{{ include "imagepullsecret-injector.serviceName" . }}"
-                - --namespace
-                - "{{ .Release.Namespace }}"
-                - --secret
-                - "{{ include "imagepullsecret-injector.certificateSecretName" . }}"
+                - --service "{{ include "imagepullsecret-injector.serviceName" . }}"
+                - --namespace "{{ .Release.Namespace }}"
+                - --secret "{{ include "imagepullsecret-injector.certificateSecretName" . }}"
              volumeMounts:
                - mountPath: "/entrypoint"
                  name: entrypoint
--- a/helm/imagepullsecret-injector/templates/certificate-gen/job-certificate-gen.yaml
+++ b/helm/imagepullsecret-injector/templates/certificate-gen/job-certificate-gen.yaml
@@ -14,12 +14,9 @@ spec:
          image: "{{ .Values.certificateGeneratorImage.registry }}/{{ .Values.certificateGeneratorImage.repository }}:{{ .Values.certificateGeneratorImage.tag | default .Chart.AppVersion }}"
          command: ["/entrypoint/entrypoint.sh"]
          args:
-            - --service
-            - "{{ include "imagepullsecret-injector.serviceName" . }}"
-            - --namespace
-            - "{{ .Release.Namespace }}"
-            - --secret
-            - "{{ include "imagepullsecret-injector.certificateSecretName" . }}"
+            - --service "{{ include "imagepullsecret-injector.serviceName" . }}"
+            - --namespace "{{ .Release.Namespace }}"
+            - --secret "{{ include "imagepullsecret-injector.certificateSecretName" . }}"
          volumeMounts:
            - mountPath: "/entrypoint"
              name: entrypoint
--- a/helm/imagepullsecret-injector/templates/certificate-gen/rbac-certificate-gen.yaml
+++ b/helm/imagepullsecret-injector/templates/certificate-gen/rbac-certificate-gen.yaml
@@ -30,16 +30,15 @@ rules:
      - list
      - get
  - apiGroups:
-      - certificates.k8s.io
+      - "certificates.k8s.io/v1"
    resources:
      - certificatesigningrequests
    verbs:
      - create
      - list
      - get
-      - delete
  - apiGroups:
-      - certificates.k8s.io
+      - "certificates.k8s.io/v1"
    resources:
      - certificatesigningrequests/approval
    verbs:
--- a/helm/imagepullsecret-injector/templates/mutatingwebhook.yaml
+++ b/helm/imagepullsecret-injector/templates/mutatingwebhook.yaml
@@ -21,5 +21,3 @@ webhooks:
    resources: ["serviceaccounts"]
  admissionReviewVersions: ["v1", "v1beta1"]
  sideEffects: None
-  # The default "Fail" option prevents Gardener cluster to be hibernated
-  failurePolicy: Ignore
--- a/helm/imagepullsecret-injector/values.yaml
+++ b/helm/imagepullsecret-injector/values.yaml
@@ -1,12 +1,12 @@
 image:
-  registry: ghcr.io/ysoftdevs/imagepullsecret-injector
+  registry: marshallmarshall
  repository: imagepullsecret-injector
  pullPolicy: Always
  # Overrides the image tag whose default is the chart appVersion.
  tag: ""

 certificateGeneratorImage:
-  registry: ghcr.io/ysoftdevs/imagepullsecret-injector
+  registry: marshallmarshall
  repository: webhook-cert-generator
  tag: ""