mirror of
https://github.com/ysoftdevs/imagepullsecret-injector.git
synced 2026-01-11 22:41:15 +01:00
Compare commits
10 Commits
imagepulls
...
devel
| Author | SHA1 | Date | |
|---|---|---|---|
|
c22716b470 | ||
|
|
ea8755766c | ||
|
|
ec9cd60d14 | ||
|
|
6234301c85 | ||
|
|
c97fc465e8 | ||
|
|
1523ba232b | ||
|
|
42be5e1041 | ||
|
|
5d9930238a | ||
|
|
ed1b29e8b5 | ||
|
|
761a43ed1f |
7
.github/workflows/release-docker.yaml
vendored
7
.github/workflows/release-docker.yaml
vendored
@@ -4,6 +4,7 @@ on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
- devel
|
||||
|
||||
jobs:
|
||||
release:
|
||||
@@ -12,7 +13,7 @@ jobs:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v1
|
||||
with:
|
||||
ref: main
|
||||
ref: ${{ github.ref }}
|
||||
|
||||
- name: Configure Git
|
||||
run: |
|
||||
@@ -22,8 +23,8 @@ jobs:
|
||||
- name: Build and push docker images (make image)
|
||||
run: make image
|
||||
env:
|
||||
DOCKER_USER: '${{ secrets.DOCKER_USER }}'
|
||||
DOCKER_TOKEN: '${{ secrets.DOCKER_TOKEN }}'
|
||||
DOCKER_USER: ${GITHUB_ACTOR}
|
||||
DOCKER_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
- name: Logout from dockerhub (make docker-logout)
|
||||
run: make docker-logout
|
||||
5
Makefile
5
Makefile
@@ -1,7 +1,8 @@
|
||||
# Image URL to use all building/pushing image targets;
|
||||
# Use your own docker registry and image name for dev/test by overridding the
|
||||
# IMAGE_REPO, IMAGE_NAME and IMAGE_TAG environment variable.
|
||||
IMAGE_REPO ?= marshallmarshall
|
||||
REPOSITORY_BASE ?= ghcr.io
|
||||
IMAGE_REPO ?= $(REPOSITORY_BASE)/ysoftdevs/imagepullsecret-injector
|
||||
IMAGE_NAME ?= imagepullsecret-injector
|
||||
GENERATOR_IMAGE_NAME ?= webhook-cert-generator
|
||||
|
||||
@@ -81,7 +82,7 @@ build-linux:
|
||||
image: docker-login build-image push-image
|
||||
|
||||
docker-login:
|
||||
@echo ${DOCKER_TOKEN} | docker login -u ${DOCKER_USER} --password-stdin
|
||||
@echo "$(DOCKER_TOKEN)" | docker login -u "$(DOCKER_USER)" --password-stdin "$(REPOSITORY_BASE)"
|
||||
|
||||
docker-logout:
|
||||
@docker logout
|
||||
|
||||
@@ -3,10 +3,8 @@
|
||||
The responsibility of this webhook is to patch all newly created/updated service account and make sure they all contained proper imagepullsecret configuration.
|
||||
|
||||
This repo produces one helm chart available via helm repository https://ysoftdevs.github.io/imagepullsecret-injector. There are also 2 docker images:
|
||||
- `marshallmarshall/imagepullsecret-injector` - the image containing the webhook itself
|
||||
- `marshallmarshall/webhook-cert-generator` - helper image responsible for (re)generating the certificates
|
||||
|
||||
|
||||
- `ghcr.io/ysoftdevs/imagepullsecret-injector/imagepullsecret-injector` - the image containing the webhook itself
|
||||
- `ghcr.io/ysoftdevs/imagepullsecret-injector/webhook-cert-generator` - helper image responsible for (re)generating the certificates
|
||||
|
||||
## Helm description
|
||||
The helm chart consists of 2 parts: the certificate generator and the webhook configuration itself.
|
||||
@@ -59,3 +57,6 @@ Of note is also a fact that the chart runs a lookup to the connected cluster to
|
||||
kubectl get sa -n yolo default -ojsonpath='{.imagePullSecrets}'
|
||||
```
|
||||
The `get` command should display _some_ non-empty result.
|
||||
|
||||
## Releasing locally
|
||||
To authenticate to the docker registry to push the images manually, you will need your own Github Personal Access Token. For more information follow this guide https://docs.github.com/en/packages/guides/migrating-to-github-container-registry-for-docker-images#authenticating-with-the-container-registry
|
||||
@@ -15,7 +15,7 @@ type: application
|
||||
# This is the chart version. This version number should be incremented each time you make changes
|
||||
# to the chart and its templates, including the app version.
|
||||
# Versions are expected to follow Semantic Versioning (https://semver.org/)
|
||||
version: 0.0.9
|
||||
version: 0.0.16
|
||||
|
||||
# This is the version number of the application being deployed. This version number should be
|
||||
# incremented each time you make changes to the application. Versions are not expected to
|
||||
|
||||
@@ -89,6 +89,7 @@ apiVersion: certificates.k8s.io/v1
|
||||
kind: CertificateSigningRequest
|
||||
metadata:
|
||||
name: ${csrName}
|
||||
namespace: ${namespace}
|
||||
spec:
|
||||
signerName: kubernetes.io/kubelet-serving
|
||||
groups:
|
||||
|
||||
@@ -5,7 +5,7 @@ metadata:
|
||||
labels:
|
||||
{{- include "imagepullsecret-injector.labels" . | nindent 4 }}
|
||||
spec:
|
||||
schedule: '* * * * *'
|
||||
schedule: '* * * * 0'
|
||||
jobTemplate:
|
||||
metadata:
|
||||
name: "{{ .Release.Name }}"
|
||||
@@ -21,9 +21,12 @@ spec:
|
||||
image: "{{ .Values.certificateGeneratorImage.registry }}/{{ .Values.certificateGeneratorImage.repository }}:{{ .Values.certificateGeneratorImage.tag | default .Chart.AppVersion }}"
|
||||
command: ["/entrypoint/entrypoint.sh"]
|
||||
args:
|
||||
- --service="{{ include "imagepullsecret-injector.serviceName" . }}"
|
||||
- --namespace="{{ .Release.Namespace }}"
|
||||
- --secret="{{ include "imagepullsecret-injector.certificateSecretName" . }}"
|
||||
- --service
|
||||
- "{{ include "imagepullsecret-injector.serviceName" . }}"
|
||||
- --namespace
|
||||
- "{{ .Release.Namespace }}"
|
||||
- --secret
|
||||
- "{{ include "imagepullsecret-injector.certificateSecretName" . }}"
|
||||
volumeMounts:
|
||||
- mountPath: "/entrypoint"
|
||||
name: entrypoint
|
||||
|
||||
@@ -14,9 +14,12 @@ spec:
|
||||
image: "{{ .Values.certificateGeneratorImage.registry }}/{{ .Values.certificateGeneratorImage.repository }}:{{ .Values.certificateGeneratorImage.tag | default .Chart.AppVersion }}"
|
||||
command: ["/entrypoint/entrypoint.sh"]
|
||||
args:
|
||||
- --service="{{ include "imagepullsecret-injector.serviceName" . }}"
|
||||
- --namespace="{{ .Release.Namespace }}"
|
||||
- --secret="{{ include "imagepullsecret-injector.certificateSecretName" . }}"
|
||||
- --service
|
||||
- "{{ include "imagepullsecret-injector.serviceName" . }}"
|
||||
- --namespace
|
||||
- "{{ .Release.Namespace }}"
|
||||
- --secret
|
||||
- "{{ include "imagepullsecret-injector.certificateSecretName" . }}"
|
||||
volumeMounts:
|
||||
- mountPath: "/entrypoint"
|
||||
name: entrypoint
|
||||
|
||||
@@ -30,15 +30,16 @@ rules:
|
||||
- list
|
||||
- get
|
||||
- apiGroups:
|
||||
- "certificates.k8s.io/v1"
|
||||
- certificates.k8s.io
|
||||
resources:
|
||||
- certificatesigningrequests
|
||||
verbs:
|
||||
- create
|
||||
- list
|
||||
- get
|
||||
- delete
|
||||
- apiGroups:
|
||||
- "certificates.k8s.io/v1"
|
||||
- certificates.k8s.io
|
||||
resources:
|
||||
- certificatesigningrequests/approval
|
||||
verbs:
|
||||
|
||||
@@ -21,3 +21,5 @@ webhooks:
|
||||
resources: ["serviceaccounts"]
|
||||
admissionReviewVersions: ["v1", "v1beta1"]
|
||||
sideEffects: None
|
||||
# The default "Fail" option prevents Gardener cluster to be hibernated
|
||||
failurePolicy: Ignore
|
||||
|
||||
@@ -1,12 +1,12 @@
|
||||
image:
|
||||
registry: marshallmarshall
|
||||
registry: ghcr.io/ysoftdevs/imagepullsecret-injector
|
||||
repository: imagepullsecret-injector
|
||||
pullPolicy: Always
|
||||
# Overrides the image tag whose default is the chart appVersion.
|
||||
tag: ""
|
||||
|
||||
certificateGeneratorImage:
|
||||
registry: marshallmarshall
|
||||
registry: ghcr.io/ysoftdevs/imagepullsecret-injector
|
||||
repository: webhook-cert-generator
|
||||
tag: ""
|
||||
|
||||
|
||||
Reference in New Issue
Block a user