From 899b4d06c61822b5a4c8ad6a6c443f7329877e38 Mon Sep 17 00:00:00 2001 From: github-actions Date: Thu, 15 Jul 2021 07:50:37 +0000 Subject: [PATCH] Update image version in manifest to v0.1.6 --- README.md | 2 +- manifests/Kptfile | 21 +-- manifests/cluster-role-binding.yaml | 7 +- manifests/cluster-role.yaml | 79 ++++++----- manifests/deployment.yaml | 127 +++++++++-------- manifests/mutating-webhook-configuration.yaml | 131 +++++++++--------- manifests/namespace.yaml | 1 - manifests/role-binding.yaml | 7 +- manifests/role.yaml | 25 ++-- manifests/secret.yaml | 1 - manifests/service-account.yaml | 1 - manifests/service.yaml | 5 +- 12 files changed, 190 insertions(+), 217 deletions(-) diff --git a/README.md b/README.md index 2595f35..01edcbc 100644 --- a/README.md +++ b/README.md @@ -57,7 +57,7 @@ the container image. You can use digester to deploy container images by digest. Alternatively, you can download the latest version using these commands: ```sh - VERSION=v0.1.5 + VERSION=v0.1.6 curl -Lo digester "https://github.com/google/k8s-digester/releases/download/${VERSION}/digester_$(uname -s)_$(uname -m)" chmod +x digester ``` diff --git a/manifests/Kptfile b/manifests/Kptfile index 8888311..a1dce9b 100644 --- a/manifests/Kptfile +++ b/manifests/Kptfile 
@@ -1,25 +1,8 @@ -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - apiVersion: kpt.dev/v1 kind: Kptfile metadata: name: digester annotations: - config.kubernetes.io/local-config: 'true' + config.kubernetes.io/local-config: "true" info: - description: >- - The digester mutating admission webhook resolves tags to digests for - container and init container images in Kubernetes Pod and Pod template - specs. + description: The digester mutating admission webhook resolves tags to digests for container and init container images in Kubernetes Pod and Pod template specs. diff --git a/manifests/cluster-role-binding.yaml b/manifests/cluster-role-binding.yaml index 0f86939..2a496f2 100644 --- a/manifests/cluster-role-binding.yaml +++ b/manifests/cluster-role-binding.yaml @@ -11,7 +11,6 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -23,6 +22,6 @@ roleRef: kind: ClusterRole apiGroup: rbac.authorization.k8s.io subjects: -- name: digester-admin - namespace: digester-system - kind: ServiceAccount + - name: digester-admin + namespace: digester-system + kind: ServiceAccount diff --git a/manifests/cluster-role.yaml b/manifests/cluster-role.yaml index 077aa28..514a303 100644 --- a/manifests/cluster-role.yaml +++ b/manifests/cluster-role.yaml 
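Review bot: The Apache 2.0 license header is deleted from `manifests/Kptfile` in this hunk, while the other manifests in the same commit keep theirs and lose only the blank line after it. The commit title announces an image version update, so this looks like a side effect of whatever tool rewrote the manifests rather than an intended change. Restore the header, or exclude the Kptfile from the rewrite step. The same rewrite re-indents every list in the other manifests, which buries the one functional change (the `image:` line in `manifests/deployment.yaml`) in a diff of 190 insertions and 217 deletions and makes the release commit harder to audit.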
@@ -11,7 +11,6 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -19,42 +18,42 @@ metadata: labels: digester/system: 'yes' rules: -- resources: - - secrets # access to imagePullSecrets - - serviceaccounts # access to imagepullSecrets - apiGroups: - - '' - verbs: - - get - - list - - watch -- resources: - - customresourcedefinitions - apiGroups: - - apiextensions.k8s.io - verbs: - - get - - list - - watch -- resources: - - mutatingwebhookconfigurations - apiGroups: - - admissionregistration.k8s.io - verbs: - - get - - list - - watch -- resources: - - mutatingwebhookconfigurations - apiGroups: - - admissionregistration.k8s.io - resourceNames: - - digester-mutating-webhook-configuration - verbs: - - create - - delete - - get - - list - - patch - - update - - watch + - resources: + - secrets # access to imagePullSecrets + - serviceaccounts # access to imagepullSecrets + apiGroups: + - '' + verbs: + - get + - list + - watch + - resources: + - customresourcedefinitions + apiGroups: + - apiextensions.k8s.io + verbs: + - get + - list + - watch + - resources: + - mutatingwebhookconfigurations + apiGroups: + - admissionregistration.k8s.io + verbs: + - get + - list + - watch + - resources: + - mutatingwebhookconfigurations + apiGroups: + - admissionregistration.k8s.io + resourceNames: + - digester-mutating-webhook-configuration + verbs: + - create + - delete + - get + - list + - patch + - update + - watch diff --git a/manifests/deployment.yaml b/manifests/deployment.yaml index b4368ee..2858882 100644 --- a/manifests/deployment.yaml +++ b/manifests/deployment.yaml 
@@ -11,7 +11,6 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - apiVersion: apps/v1 kind: Deployment metadata: 
@@ -42,67 +41,67 @@ spec: nodeSelector: kubernetes.io/os: linux containers: - - name: manager - image: ko://github.com/google/k8s-digester # kpt-set: ${image} - args: - - webhook - - --cert-dir=/certs # kpt-set: --cert-dir=${cert-dir} - - --disable-cert-rotation=false # kpt-set: --disable-cert-rotation=${disable-cert-rotation} - - --dry-run=false # kpt-set: --dry-run=${dry-run} - - --health-addr=:9090 # kpt-set: --health-addr=:${health-port} - - --metrics-addr=:8888 # kpt-set: --metrics-addr=:${metrics-port} - - --offline=false # kpt-set: --offline=${offline} - - --port=8443 # kpt-set: --port=${port} - ports: - - name: webhook-server - protocol: TCP - containerPort: 8443 # kpt-set: ${port} - - name: metrics - protocol: TCP - containerPort: 8888 # kpt-set: ${metrics-port} - - name: healthz - protocol: TCP - containerPort: 9090 # kpt-set: ${health-port} - env: - - name: DEBUG - value: 'false' # kpt-set: ${debug} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - resources: - requests: - cpu: 100m # kpt-set: ${request-cpu} - ephemeral-storage: 256Mi # kpt-set: ${request-ephemeral-storage} - memory: 256Mi # kpt-set: ${request-memory} - volumeMounts: - - name: cert - readOnly: true - mountPath: /certs # kpt-set: ${cert-dir} - livenessProbe: - httpGet: - port: healthz - path: /healthz - readinessProbe: - httpGet: - port: healthz - path: /readyz - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 + - name: manager + image: ghcr.io/google/k8s-digester:v0.1.6@sha256:5a8e9b25b7464b550c959937c412b1451004ff8d426b23ea5e8f31a5cc497a4d # kpt-set: ${image} + args: + - webhook + - --cert-dir=/certs # kpt-set: --cert-dir=${cert-dir} + - --disable-cert-rotation=false # kpt-set: --disable-cert-rotation=${disable-cert-rotation} + - 
--dry-run=false # kpt-set: --dry-run=${dry-run} + - --health-addr=:9090 # kpt-set: --health-addr=:${health-port} + - --metrics-addr=:8888 # kpt-set: --metrics-addr=:${metrics-port} + - --offline=false # kpt-set: --offline=${offline} + - --port=8443 # kpt-set: --port=${port} + ports: + - name: webhook-server + protocol: TCP + containerPort: 8443 # kpt-set: ${port} + - name: metrics + protocol: TCP + containerPort: 8888 # kpt-set: ${metrics-port} + - name: healthz + protocol: TCP + containerPort: 9090 # kpt-set: ${health-port} + env: + - name: DEBUG + value: 'false' # kpt-set: ${debug} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + resources: + requests: + cpu: 100m # kpt-set: ${request-cpu} + ephemeral-storage: 256Mi # kpt-set: ${request-ephemeral-storage} + memory: 256Mi # kpt-set: ${request-memory} + volumeMounts: + - name: cert + readOnly: true + mountPath: /certs # kpt-set: ${cert-dir} + livenessProbe: + httpGet: + port: healthz + path: /healthz + readinessProbe: + httpGet: + port: healthz + path: /readyz + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 volumes: - - name: cert - secret: - defaultMode: 420 - secretName: digester-webhook-server-cert + - name: cert + secret: + defaultMode: 420 + secretName: digester-webhook-server-cert diff --git a/manifests/mutating-webhook-configuration.yaml b/manifests/mutating-webhook-configuration.yaml index 4635ac3..c61b2c3 100644 --- a/manifests/mutating-webhook-configuration.yaml +++ b/manifests/mutating-webhook-configuration.yaml 
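Review bot: `capabilities.drop` in the manager container's `securityContext` lists `all` in lowercase, but Pod Security Admission's restricted check looks for the literal `ALL`, so a namespace enforcing that profile would reject this pod. Writing the entry as `- ALL` removes the ambiguity. This commit only re-indents that block, so the spelling predates it. The one functional change in the hunk is the `image:` line, now pinned by tag and `@sha256:` digest while keeping its `# kpt-set: ${image}` setter, so any value supplied through the setter should keep the digest form. The Deployment's `spec` begins outside the hunk, so a pod-level `securityContext`, if there is one, is not visible here.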
@@ -11,7 +11,6 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: 
@@ -21,68 +20,68 @@ metadata: digester/operation: webhook digester/system: 'yes' webhooks: -- name: digester-webhook-service.digester-system.svc - admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: digester-webhook-service - namespace: digester-system - path: /v1/mutate - caBundle: Cg== - failurePolicy: Ignore # kpt-set: ${failure-policy} - namespaceSelector: - matchLabels: - digest-resolution: enabled - reinvocationPolicy: IfNeeded - rules: - - resources: - - pods - - podtemplates - - replicationcontrollers - apiGroups: - - '' - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - scope: Namespaced - - resources: - - daemonsets - - deployments - - replicasets - - statefulsets - apiGroups: - - apps - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - scope: Namespaced - - resources: - - cronjobs - - jobs - apiGroups: - - batch - apiVersions: - - v1 - - v1beta1 - operations: - - CREATE - - UPDATE - scope: Namespaced - - resources: - - containersources - apiGroups: - - sources.knative.dev - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - scope: Namespaced - sideEffects: None - timeoutSeconds: 15 + - name: digester-webhook-service.digester-system.svc + admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: digester-webhook-service + namespace: digester-system + path: /v1/mutate + caBundle: Cg== + failurePolicy: Ignore # kpt-set: ${failure-policy} + namespaceSelector: + matchLabels: + digest-resolution: enabled + reinvocationPolicy: IfNeeded + rules: + - resources: + - pods + - podtemplates + - replicationcontrollers + apiGroups: + - '' + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + scope: Namespaced + - resources: + - daemonsets + - deployments + - replicasets + - statefulsets + apiGroups: + - apps + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + scope: Namespaced + - resources: + - cronjobs + - jobs + apiGroups: + - batch + apiVersions: + - v1 + - v1beta1 + operations: + 
- CREATE + - UPDATE + scope: Namespaced + - resources: + - containersources + apiGroups: + - sources.knative.dev + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + scope: Namespaced + sideEffects: None + timeoutSeconds: 15 diff --git a/manifests/namespace.yaml b/manifests/namespace.yaml index 900db11..1d3a5c9 100644 --- a/manifests/namespace.yaml +++ b/manifests/namespace.yaml @@ -11,7 +11,6 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - apiVersion: v1 kind: Namespace metadata: diff --git a/manifests/role-binding.yaml b/manifests/role-binding.yaml index c55c168..e2a88a7 100644 --- a/manifests/role-binding.yaml +++ b/manifests/role-binding.yaml @@ -11,7 +11,6 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -24,6 +23,6 @@ roleRef: kind: Role apiGroup: rbac.authorization.k8s.io subjects: -- name: digester-admin - namespace: digester-system - kind: ServiceAccount + - name: digester-admin + namespace: digester-system + kind: ServiceAccount diff --git a/manifests/role.yaml b/manifests/role.yaml index bd7f8f2..f67b5fd 100644 --- a/manifests/role.yaml +++ b/manifests/role.yaml @@ -11,7 +11,6 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: 
@@ -20,15 +19,15 @@ metadata: labels: digester/system: 'yes' rules: -- resources: - - secrets - apiGroups: - - '' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch + - resources: + - secrets + apiGroups: + - '' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch diff --git a/manifests/secret.yaml b/manifests/secret.yaml index be0215d..ab25c3a 100644 --- a/manifests/secret.yaml +++ b/manifests/secret.yaml @@ -11,7 +11,6 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - apiVersion: v1 kind: Secret metadata: diff --git a/manifests/service-account.yaml b/manifests/service-account.yaml index 866bdf5..b0b0f57 100644 --- a/manifests/service-account.yaml +++ b/manifests/service-account.yaml @@ -11,7 +11,6 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - apiVersion: v1 kind: ServiceAccount metadata: diff --git a/manifests/service.yaml b/manifests/service.yaml index f0fdc4d..6ee8f6b 100644 --- a/manifests/service.yaml +++ b/manifests/service.yaml @@ -11,7 +11,6 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - apiVersion: v1 kind: Service metadata: @@ -27,5 +26,5 @@ spec: digester/operation: webhook digester/system: 'yes' ports: - - port: 443 - targetPort: 8443 # kpt-set: ${port} + - port: 443 + targetPort: 8443 # kpt-set: ${port}