Make the deployment and the jobs run in a non-root environment

VERSION

@@ -1 +1 @@
-0.0.11
+0.0.12

build/Dockerfile

@@ -7,4 +7,7 @@ RUN make build
 FROM alpine:3.13.4 as base
 COPY --from=builder /go/src/github.com/ysoftdevs/imagepullsecret-injector/build/_output/bin/imagepullsecret-injector /usr/local/bin/imagepullsecret-injector
 
+RUN addgroup -S imagepullsecret-injector-group && adduser -S imagepullsecret-injector-user -G imagepullsecret-injector-group
+USER imagepullsecret-injector-user
+
 ENTRYPOINT ["imagepullsecret-injector"]

build/Dockerfile.cert-generator

@@ -1,6 +1,9 @@
 FROM alpine:3.13.4
 
-RUN apk add bash curl openssl \
+RUN addgroup -S imagepullsecret-injector-group && adduser -S imagepullsecret-injector-user -G imagepullsecret-injector-group \
+    && apk add bash curl openssl jq \
     && curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" \
     && chmod 755 ./kubectl \
     && mv ./kubectl /usr/bin/kubectl
+
+USER imagepullsecret-injector-user

charts/imagepullsecret-injector/Chart.yaml

@@ -2,6 +2,22 @@ apiVersion: v2
 name: imagepullsecret-injector
 description: A Helm chart for Kubernetes
 
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
-version: 0.0.20-legacy
+
-appVersion: 0.0.11
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.0.21
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: 0.0.12

charts/imagepullsecret-injector/scripts/create-signed-cert.sh

@@ -83,23 +83,27 @@ echo "Deleting old CertificateSigningRequests"
 kubectl delete csr ${csrName} 2>/dev/null || true
 
 echo "Creating new CertificateSigningRequests"
-# create  server cert/key CSR and  send to k8s API
+# create server cert/key CSR and  send to k8s API
-cat <<EOF | kubectl create -f -
+jq -n --arg request "$(< "${tmpdir}"/server.csr base64)" \
-apiVersion: certificates.k8s.io/v1beta1
+  --arg namespace "$namespace" \
-kind: CertificateSigningRequest
+  --arg csrName "$csrName" '{
-metadata:
+    apiVersion: "certificates.k8s.io/v1",
-  name: ${csrName}
+    kind: "CertificateSigningRequest",
-  namespace: ${namespace}
+    metadata: {
-spec:
+      name: $csrName,
-  signerName: kubernetes.io/kubelet-serving
+      namespace: $namespace
-  groups:
+    },
-  - system:authenticated
+    spec: {
-  request: $(< "${tmpdir}"/server.csr base64 | tr -d '\n')
+      signerName: "kubernetes.io/kubelet-serving",
-  usages:
+      groups: ["system:authenticated"],
-  - digital signature
+      request: $request,
-  - key encipherment
+      usages: [
-  - server auth
+        "digital signature",
-EOF
+        "key encipherment",
+        "server auth"
+      ]
+    }
+  }' | kubectl create -f -
 
 # verify CSR has been created
 while true; do

charts/imagepullsecret-injector/values.yaml

@@ -14,6 +14,7 @@ imagepullsecretInjector:
   dockerconfigjsonRef:
     secretName: acr-dockerconfigjson-source
     secretNamespace: ""
+
   targetSecretName: acr-dockerconfigjson
   ignoreSecretCreationError: false
   allSaNames: false