Make the deployment and the jobs run in a non-root environment

.github/workflows/release-chart.yaml

@@ -4,6 +4,7 @@ on:
   push:
     branches:
       - main
+      - release/legacy-csr
     paths:
       - 'charts/**'
 
@@ -13,8 +14,6 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v1
-        with:
-          ref: main
 
       - name: Configure Git
         run: |
@@ -47,6 +46,6 @@ jobs:
 
       - name: Run chart-releaser
         if: steps.helm_version_checker.outcome == 'success'
-        uses: helm/chart-releaser-action@master
+        uses: helm/chart-releaser-action@v1.2.1
         env:
           CR_TOKEN: '${{ secrets.GITHUB_TOKEN }}'

VERSION

@@ -1 +1 @@
-0.0.11
+0.0.12

build/Dockerfile

@@ -7,4 +7,7 @@ RUN make build
 FROM alpine:3.13.4 as base
 COPY --from=builder /go/src/github.com/ysoftdevs/imagepullsecret-injector/build/_output/bin/imagepullsecret-injector /usr/local/bin/imagepullsecret-injector
 
-ENTRYPOINT ["imagepullsecret-injector"]
+RUN addgroup -S imagepullsecret-injector-group && adduser -S imagepullsecret-injector-user -G imagepullsecret-injector-group
+USER imagepullsecret-injector-user
+
+ENTRYPOINT ["imagepullsecret-injector"]

build/Dockerfile.cert-generator

@@ -1,6 +1,9 @@
 FROM alpine:3.13.4
 
-RUN apk add bash curl openssl \
+RUN addgroup -S imagepullsecret-injector-group && adduser -S imagepullsecret-injector-user -G imagepullsecret-injector-group \
+    && apk add bash curl openssl jq \
     && curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" \
     && chmod 755 ./kubectl \
     && mv ./kubectl /usr/bin/kubectl
+
+USER imagepullsecret-injector-user

charts/imagepullsecret-injector/Chart.yaml

@@ -15,9 +15,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.20
+version: 0.0.21
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 0.0.11
+appVersion: 0.0.12

charts/imagepullsecret-injector/scripts/create-signed-cert.sh

@@ -83,23 +83,27 @@ echo "Deleting old CertificateSigningRequests"
 kubectl delete csr ${csrName} 2>/dev/null || true
 
 echo "Creating new CertificateSigningRequests"
-# create  server cert/key CSR and  send to k8s API
-cat <<EOF | kubectl create -f -
-apiVersion: certificates.k8s.io/v1
-kind: CertificateSigningRequest
-metadata:
-  name: ${csrName}
-  namespace: ${namespace}
-spec:
-  signerName: kubernetes.io/kubelet-serving
-  groups:
-  - system:authenticated
-  request: $(< "${tmpdir}"/server.csr base64 | tr -d '\n')
-  usages:
-  - digital signature
-  - key encipherment
-  - server auth
-EOF
+# create server cert/key CSR and  send to k8s API
+jq -n --arg request "$(< "${tmpdir}"/server.csr base64)" \
+  --arg namespace "$namespace" \
+  --arg csrName "$csrName" '{
+    apiVersion: "certificates.k8s.io/v1",
+    kind: "CertificateSigningRequest",
+    metadata: {
+      name: $csrName,
+      namespace: $namespace
+    },
+    spec: {
+      signerName: "kubernetes.io/kubelet-serving",
+      groups: ["system:authenticated"],
+      request: $request,
+      usages: [
+        "digital signature",
+        "key encipherment",
+        "server auth"
+      ]
+    }
+  }' | kubectl create -f -
 
 # verify CSR has been created
 while true; do