ENH: Upgrade QuarksSecret to v1.0.758

- New images for QuarksSecret are now hosted on Github Container
Registry (GHCR) instead of DockerHub
- This commit updates our references to the image to refer to GHCR, but
eventually we may want to rebuild/rehome the images in the
`cloudfoundry` DockerHub org for consistency and so that they live in a
repo we manage (we do not currently manage the `cloudfoundry/quarks-secret`
DockerHub repo this commit switches away from)
- This story was created to track that work: https://www.pivotaltracker.com/story/show/177859985

QuarksSecret Release Notes:
https://github.com/cloudfoundry-incubator/quarks-secret/releases/tag/v1.0.758

[#177703767](https://www.pivotaltracker.com/story/show/177703767)

Authored-by: Tim Downey <[email protected]>

build/quarks-secret/_vendir/deploy/helm/quarks-secret/templates/_helpers.tpl

@@ -16,8 +16,8 @@ If release name contains chart name it will be used as a full name.
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
 {{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- if contains $name .Release.Namespace -}}
+{{- .Release.Namespace | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
@@ -36,7 +36,7 @@ Create the name of the quarks-secret service account to use
 */}}
 {{- define "quarks-secret.serviceAccountName" -}}
 {{- if .Values.serviceAccount.create -}}
-    {{ default (include "quarks-secret.fullname" .) .Values.serviceAccount.name }}
+    {{ default (include "quarks-secret.name" .) .Values.serviceAccount.name }}
 {{- else -}}
     {{ default "default" .Values.serviceAccount.name }}
 {{- end -}}

build/quarks-secret/_vendir/deploy/helm/quarks-secret/templates/operator.yaml

@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ template "quarks-secret.fullname" . }}
+  name: {{ template "quarks-secret.name" . }}
   namespace: "{{ .Release.Namespace }}"
 spec:
   replicas: 1

build/quarks-secret/_vendir/deploy/helm/quarks-secret/templates/service-account-pull-secret.yaml

@@ -0,0 +1,11 @@
+{{- if .Values.global.image.credentials }}
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+  name: {{ template "quarks-secret.serviceAccountName" . }}-pull-secret
+  namespace: {{ .Release.Namespace }}
+data:
+  .dockerconfigjson: {{ printf "{%q:{%q:{%q:%q,%q:%q,%q:%q}}}" "auths" .Values.global.image.credentials.servername "username" .Values.global.image.credentials.username "password" .Values.global.image.credentials.password "auth" (printf "%s:%s" .Values.global.image.credentials.username .Values.global.image.credentials.password | b64enc) | b64enc }}
+{{- end }}

build/quarks-secret/_vendir/deploy/helm/quarks-secret/templates/service-account.yaml

@@ -4,6 +4,10 @@ kind: ServiceAccount
 metadata:
   name: {{ template "quarks-secret.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
+{{- if .Values.global.image.credentials }}
+imagePullSecrets:
+- name: {{ template "quarks-secret.serviceAccountName" . }}-pull-secret
+{{- end }}
 {{- end }}
 
 {{- if .Values.global.rbac.create }}

build/quarks-secret/_vendir/deploy/helm/quarks-secret/values.yaml

@@ -50,6 +50,10 @@ global:
   image:
     # pullPolicy defines the policy used for pulling docker images.
     pullPolicy: IfNotPresent
+    credentials: ~
+      # username:
+      # password:
+      # servername:
   # monitoredID is a string that has to match the content of the 'monitored' label in each monitored namespace.
   # The monitoredID helper uses the release fullname, unless this is set.
   monitoredID:

build/quarks-secret/build.sh

@@ -7,10 +7,6 @@ echo "generating QuarksSecret resource definitions..."
 
 chart_yaml=${SCRIPT_DIR}/_vendir/deploy/helm/quarks-secret/Chart.yaml
 
-# won't be necessary after this PR is merged and we start using a QuarksSecret that includes the change:
-# https://github.com/cloudfoundry-incubator/quarks-secret/pull/92
-sed -i -r 's/x.x.x/0.0.0/g' ${chart_yaml}
-
 # some versions of sed create this strange file with a -r suffix
 if [[ -f ${SCRIPT_DIR}/_vendir/deploy/helm/quarks-secret/Chart.yaml-r ]]; then
   rm ${SCRIPT_DIR}/_vendir/deploy/helm/quarks-secret/Chart.yaml-r

build/quarks-secret/image-override.yml

@@ -3,6 +3,6 @@ apiVersion: kbld.k14s.io/v1alpha1
 kind: Config
 minimumRequiredVersion: 0.28.0
 overrides:
-  - image: cloudfoundry/quarks-secret:v1.0.744
-    newImage: index.docker.io/cloudfoundry/quarks-secret@sha256:582a52c1d20b1b263ecada60196e214ffcfaa455ebfac5a43646ab9d13bb86fd
+  - image: ghcr.io/cloudfoundry-incubator/uarks-secret:v1.0.758
+    newImage: ghcr.io/cloudfoundry-incubator/quarks-secret@sha256:265adf83e2f4ccef62b2c93999fe830c783d92ad2e703ff1c21c20d6ecbf357e
     preresolved: true

build/quarks-secret/quarks-values.yaml

@@ -2,8 +2,8 @@ fullnameOverride: cf-quarks-secret
 
 image:
   repository: quarks-secret
-  org: cloudfoundry
-  tag: v1.0.744
+  org: ghcr.io/cloudfoundry-incubator
+  tag: v1.0.758
 
 global:
   monitoredID: cf-quarks-secret

config/quarks-secret/_ytt_lib/quarks-secret/rendered.yml

@@ -2,7 +2,7 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: cf-quarks-secret
+  name: quarks-secret
   namespace: cf-system
 ---
 apiVersion: apiextensions.k8s.io/v1
@@ -164,7 +164,7 @@ roleRef:
   name: cf-quarks-secret
 subjects:
 - kind: ServiceAccount
-  name: cf-quarks-secret
+  name: quarks-secret
   namespace: cf-system
 ---
 apiVersion: apps/v1
@@ -173,10 +173,11 @@ metadata:
   annotations:
     kbld.k14s.io/images: |
       - Metas:
-        - Type: preresolved
-          URL: index.docker.io/cloudfoundry/quarks-secret@sha256:582a52c1d20b1b263ecada60196e214ffcfaa455ebfac5a43646ab9d13bb86fd
-        URL: index.docker.io/cloudfoundry/quarks-secret@sha256:582a52c1d20b1b263ecada60196e214ffcfaa455ebfac5a43646ab9d13bb86fd
-  name: cf-quarks-secret
+        - Tag: v1.0.758
+          Type: resolved
+          URL: ghcr.io/cloudfoundry-incubator/quarks-secret:v1.0.758
+        URL: ghcr.io/cloudfoundry-incubator/quarks-secret@sha256:265adf83e2f4ccef62b2c93999fe830c783d92ad2e703ff1c21c20d6ecbf357e
+  name: quarks-secret
   namespace: cf-system
 spec:
   replicas: 1
@@ -212,10 +213,10 @@ spec:
               fieldPath: metadata.name
         - name: OPERATOR_NAME
           value: quarks-secret
-        image: index.docker.io/cloudfoundry/quarks-secret@sha256:582a52c1d20b1b263ecada60196e214ffcfaa455ebfac5a43646ab9d13bb86fd
+        image: ghcr.io/cloudfoundry-incubator/quarks-secret@sha256:265adf83e2f4ccef62b2c93999fe830c783d92ad2e703ff1c21c20d6ecbf357e
         imagePullPolicy: IfNotPresent
         name: quarks-secret
         ports:
         - containerPort: 60000
           name: metrics
-      serviceAccountName: cf-quarks-secret
+      serviceAccountName: quarks-secret

vendir.lock.yml

@@ -74,11 +74,10 @@ directories:
   path: build/postgres/_vendir
 - contents:
   - git:
-      commitTitle: Fix quarks secret `SecretLabels` & `SecretAnnotations` update bug
-        (#59)...
-      sha: 4171053d17e66a93044795924abdca66cac09785
+      commitTitle: Bump go version to 1.15.8
+      sha: a2afaeacad761388a738d01a0c8a7647f80d4afa
       tags:
-      - v1.0.744
+      - v1.0.758
     path: .
   path: build/quarks-secret/_vendir
 kind: LockConfig

vendir.yml

@@ -116,6 +116,6 @@ directories:
   - path: .
     git:
       url: https://github.com/cloudfoundry-incubator/quarks-secret
-      ref: 4171053d17e66a93044795924abdca66cac09785 # version: 1.0.744
+      ref: v1.0.758
     includePaths:
     - deploy/helm/quarks-secret/**/*