Bump the chart version

.github/workflows/release-docker.yaml

@@ -4,6 +4,7 @@ on:
   push:
     branches:
       - main
+      - devel
 
 jobs:
   release:
@@ -12,7 +13,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v1
         with:
-          ref: main
+          ref: ${{ github.ref }}
 
       - name: Configure Git
         run: |
@@ -22,8 +23,8 @@ jobs:
       - name: Build and push docker images (make image)
         run: make image
         env:
-          DOCKER_USER: '${{ secrets.DOCKER_USER }}'
+          DOCKER_USER: ${GITHUB_ACTOR}
-          DOCKER_TOKEN: '${{ secrets.DOCKER_TOKEN }}'
+          DOCKER_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Logout from dockerhub (make docker-logout)
         run: make docker-logout

Makefile

@@ -1,7 +1,8 @@
 # Image URL to use all building/pushing image targets;
 # Use your own docker registry and image name for dev/test by overridding the
 # IMAGE_REPO, IMAGE_NAME and IMAGE_TAG environment variable.
-IMAGE_REPO ?= marshallmarshall
+REPOSITORY_BASE ?= ghcr.io
+IMAGE_REPO ?= $(REPOSITORY_BASE)/ysoftdevs/imagepullsecret-injector
 IMAGE_NAME ?= imagepullsecret-injector
 GENERATOR_IMAGE_NAME ?= webhook-cert-generator
 
@@ -81,7 +82,7 @@ build-linux:
 image: docker-login build-image push-image
 
 docker-login:
-	@echo ${DOCKER_TOKEN} | docker login -u ${DOCKER_USER} --password-stdin
+	@echo "$(DOCKER_TOKEN)" | docker login -u "$(DOCKER_USER)" --password-stdin "$(REPOSITORY_BASE)"
 
 docker-logout:
 	@docker logout

README.md

@@ -3,10 +3,8 @@
 The responsibility of this webhook is to patch all newly created/updated service account and make sure they all contained proper imagepullsecret configuration. 
 
 This repo produces one helm chart available via helm repository https://ysoftdevs.github.io/imagepullsecret-injector. There are also 2 docker images:
-- `marshallmarshall/imagepullsecret-injector` - the image containing the webhook itself
+- `ghcr.io/ysoftdevs/imagepullsecret-injector/imagepullsecret-injector` - the image containing the webhook itself
-- `marshallmarshall/webhook-cert-generator` - helper image responsible for (re)generating the certificates
+- `ghcr.io/ysoftdevs/imagepullsecret-injector/webhook-cert-generator` - helper image responsible for (re)generating the certificates
-
-
 
 ## Helm description
 The helm chart consists of 2 parts: the certificate generator and the webhook configuration itself.
@@ -59,3 +57,6 @@ Of note is also a fact that the chart runs a lookup to the connected cluster to
     kubectl get sa -n yolo default -ojsonpath='{.imagePullSecrets}'
     ```
     The `get` command should display _some_ non-empty result.
+
+## Releasing locally
+To authenticate to the docker registry to push the images manually, you will need your own Github Personal Access Token. For more information follow this guide https://docs.github.com/en/packages/guides/migrating-to-github-container-registry-for-docker-images#authenticating-with-the-container-registry

helm/imagepullsecret-injector/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.11
+version: 0.0.16
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

helm/imagepullsecret-injector/scripts/create-signed-cert.sh

@@ -89,6 +89,7 @@ apiVersion: certificates.k8s.io/v1
 kind: CertificateSigningRequest
 metadata:
   name: ${csrName}
+  namespace: ${namespace}
 spec:
   signerName: kubernetes.io/kubelet-serving
   groups:

helm/imagepullsecret-injector/templates/certificate-gen/cronjob-certificate-gen.yaml

@@ -5,7 +5,7 @@ metadata:
   labels:
     {{- include "imagepullsecret-injector.labels" . | nindent 4 }}
 spec:
-  schedule: '* * * * *'
+  schedule: '* * * * 0'
   jobTemplate:
     metadata:
       name: "{{ .Release.Name }}"

helm/imagepullsecret-injector/templates/certificate-gen/rbac-certificate-gen.yaml

@@ -30,15 +30,16 @@ rules:
       - list
       - get
   - apiGroups:
-      - "certificates.k8s.io/v1"
+      - certificates.k8s.io
     resources:
       - certificatesigningrequests
     verbs:
       - create
       - list
       - get
+      - delete
   - apiGroups:
-      - "certificates.k8s.io/v1"
+      - certificates.k8s.io
     resources:
       - certificatesigningrequests/approval
     verbs:

helm/imagepullsecret-injector/templates/mutatingwebhook.yaml

@@ -21,3 +21,5 @@ webhooks:
     resources: ["serviceaccounts"]
   admissionReviewVersions: ["v1", "v1beta1"]
   sideEffects: None
+  # The default "Fail" option prevents Gardener cluster to be hibernated
+  failurePolicy: Ignore

helm/imagepullsecret-injector/values.yaml

@@ -1,12 +1,12 @@
 image:
-  registry: marshallmarshall
+  registry: ghcr.io/ysoftdevs/imagepullsecret-injector
   repository: imagepullsecret-injector
   pullPolicy: Always
   # Overrides the image tag whose default is the chart appVersion.
   tag: ""
 
 certificateGeneratorImage:
-  registry: marshallmarshall
+  registry: ghcr.io/ysoftdevs/imagepullsecret-injector
   repository: webhook-cert-generator
   tag: ""