rc3: fix helm chart webhooks certs & get blob for proxied docker libr…

…ary (#403)

* fix get blob for docker library
* release rc3
* ingress: ingressClassName
* helm tls fixes
* fix helm hooks by using helm.sh/hook-weight

.github/workflows/config/install-kind-ingress.sh

@@ -16,4 +16,5 @@ do
     sleep 1
     ((time_out--))
 done
+kubectl delete -A ValidatingWebhookConfiguration ingress-nginx-admission
 echo "Ingress Running"

.github/workflows/config/values.yaml

@@ -8,8 +8,8 @@ trow:
       enabled: true
 ingress:
   enabled: true
+  ingressClassName: nginx
   annotations:
-    kubernetes.io/ingress.class: nginx
     nginx.ingress.kubernetes.io/proxy-body-size: "0"
   hosts:
     - paths: ['/']

.github/workflows/pr-tests.yaml

@@ -135,7 +135,6 @@ jobs:
       - name: Install Ingress
         run: |
           .github/workflows/config/install-kind-ingress.sh
-          kubectl delete -A ValidatingWebhookConfiguration ingress-nginx-admission
       - name: Sideload Trow image
         run: |
           kind load image-archive /tmp/trow_image.tar.zst

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "trow"
-version = "0.7.0-rc2"
+version = "0.7.0-rc3"
 authors = []
 edition = "2021"
 

charts/trow/Chart.yaml

@@ -8,5 +8,5 @@ maintainers:
   - name: awoimbee
     url: https://github.com/awoimbee
 
-version: 0.9.0-rc2
-appVersion: 0.7.0-rc2
+version: 0.9.0-rc3
+appVersion: 0.7.0-rc3

charts/trow/templates/ingress.yaml

@@ -17,7 +17,10 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
-{{- if .Values.ingress.tls }}
+  {{- if .Values.ingress.ingressClassName }}
+  ingressClassName: {{ .Values.ingress.ingressClassName }}
+  {{- end }}
+  {{- if .Values.ingress.tls }}
   tls:
   {{- range .Values.ingress.tls }}
     - hosts:

charts/trow/templates/webhooks/deployment.yaml

@@ -69,9 +69,9 @@ spec:
           {{- if (not (empty .Values.webhooks.tls.existingSecretRef)) }}
             secretName: {{ .Values.webhooks.tls.existingSecretRef }}
           {{- else if .Values.webhooks.tls.certmanager.enabled }}
-            secretName: {{ include "trow.fullname" . }}-cm-admission
+            secretName: {{ include "trow.fullname" . }}-cm-webhooks
           {{- else if .Values.webhooks.tls.patch.enabled }}
-            secretName: {{ include "trow.fullname" . }}-patch-admission
+            secretName: {{ include "trow.fullname" . }}-patch-webhooks
           {{- end }}
         - name: webhook-cert-translated
           emptyDir: {}

charts/trow/templates/webhooks/mutatingwebhook.yaml

@@ -8,8 +8,8 @@ metadata:
     app.kubernetes.io/component: admission-webhook
   annotations:
   {{- if .Values.webhooks.tls.certmanager.enabled }}
-    certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s-admission" (.Release.Namespace) (include "trow.fullname" .) | quote }}
-    cert-manager.io/inject-ca-from: {{ printf "%s/%s-admission" (.Release.Namespace) (include "trow.fullname" .) | quote }}
+    certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s-webhooks" (.Release.Namespace) (include "trow.fullname" .) | quote }}
+    cert-manager.io/inject-ca-from: {{ printf "%s/%s-webhooks" (.Release.Namespace) (include "trow.fullname" .) | quote }}
   {{- end }}
 webhooks:
   - name: mutate.trow.io

charts/trow/templates/webhooks/tls-certmanager.yaml

@@ -5,7 +5,7 @@
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
-  name: {{ include "trow.fullname" . }}-cm-admission-self-signed-issuer
+  name: {{ include "trow.fullname" . }}-cm-webhooks-self-signed-issuer
   namespace: {{ .Release.Namespace }}
 spec:
   selfSigned: {}
@@ -14,13 +14,13 @@ spec:
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: {{ include "trow.fullname" . }}-cm-admission-root-cert
+  name: {{ include "trow.fullname" . }}-cm-webhooks-root-cert
   namespace: {{ .Release.Namespace }}
 spec:
-  secretName: {{ include "trow.fullname" . }}-cm-admission-root-cert
+  secretName: {{ include "trow.fullname" . }}-cm-webhooks-root-cert
   duration: {{ .Values.webhooks.tls.certmanager.rootCert.duration | default "43800h0m0s" | quote }}
   issuerRef:
-    name: {{ include "trow.fullname" . }}-cm-admission-self-signed-issuer
+    name: {{ include "trow.fullname" . }}-cm-webhooks-self-signed-issuer
   commonName: "ca.webhook.trow"
   isCA: true
   subject:
@@ -31,31 +31,31 @@ spec:
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
-  name: {{ include "trow.fullname" . }}-cm-admission-root-issuer
+  name: {{ include "trow.fullname" . }}-cm-webhooks-root-issuer
   namespace: {{ .Release.Namespace }}
 spec:
   ca:
-    secretName: {{ include "trow.fullname" . }}-cm-admission-root-cert
+    secretName: {{ include "trow.fullname" . }}-cm-webhooks-root-cert
 ---
 # generate a server certificate for the apiservices to use
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: {{ include "trow.fullname" . }}-admission
+  name: {{ include "trow.fullname" . }}-webhooks
   namespace: {{ .Release.Namespace }}
 spec:
-  secretName: {{ include "trow.fullname" . }}-cm-admission
-  duration: {{ .Values.webhooks.tls.certmanager.admissionCert.duration | default "8760h0m0s" | quote }}
+  secretName: {{ include "trow.fullname" . }}-cm-webhooks
+  duration: {{ .Values.webhooks.tls.certmanager.webhooksCert.duration | default "8760h0m0s" | quote }}
   issuerRef:
     {{- if .Values.webhooks.tls.certmanager.issuerRef }}
     {{- toYaml .Values.webhooks.tls.certmanager.issuerRef | nindent 4 }}
     {{- else }}
-    name: {{ include "trow.fullname" . }}-cm-admission-root-issuer
+    name: {{ include "trow.fullname" . }}-cm-webhooks-root-issuer
     {{- end }}
   dnsNames:
-    - {{ include "trow.fullname" . }}-admission
-    - {{ include "trow.fullname" . }}-admission.{{ .Release.Namespace }}
-    - {{ include "trow.fullname" . }}-admission.{{ .Release.Namespace }}.svc
+    - {{ include "trow.fullname" . }}-webhooks
+    - {{ include "trow.fullname" . }}-webhooks.{{ .Release.Namespace }}
+    - {{ include "trow.fullname" . }}-webhooks.{{ .Release.Namespace }}.svc
   subject:
     organizations:
       - trow-registry