Update to latest tag (#52)

Version 1.7.0

Updater: Set image to latest, specific tag instead of just restarting pods

Co-authored-by: Philip Stadermann <[email protected]>
Co-authored-by: Verdict-as-a-Service Team <[email protected]>

README.md

@@ -16,7 +16,7 @@ global:
   imagePullSecrets:
     - registry
   secret:
-    dockerconfigjson: "${BASE64_ENCODED_JSON_CONTAINING_TOKEN}"
+    dockerconfigjson: "BASE64_ENCODED_JSON_CONTAINING_TOKEN"
 ```
 
 * Install Verdict-as-a-Service:

charts/vaas/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: vaas
-version: 1.6.7
+version: "1.7.0"
 description: Deployment of a Verdict-as-a-Service on-premise instance
 maintainers:
   - name: G DATA CyberDefense AG

charts/vaas/templates/gdscan/update.yaml

@@ -58,22 +58,45 @@ spec:
           {{- with .Values.gdscan.nodeSelector }}
           nodeSelector:
             {{- toYaml . | nindent 12 }}
-          {{- end }}       
+          {{- end }}
+          {{- include "gdscan.imagePullSecrets" . | nindent 10 }}
+          volumes:
+            - name: docker
+              emptyDir: {}
+            {{- range (include "gdscan.imagePullSecrets" . | fromYaml ).imagePullSecrets }}
+            - name: {{ .name }}
+              secret:
+                secretName: {{ .name }}
+                items:
+                - key: .dockerconfigjson
+                  path: {{ .name }}.json
+            {{- end }}
           containers:
-            - name: kubectl
+            - name: updater
               image: "{{ .Values.gdscan.autoUpdate.image.registry }}/{{ .Values.gdscan.autoUpdate.image.repository }}:{{ .Values.gdscan.autoUpdate.image.tag }}"
               {{- if .Values.gdscan.autoUpdate.containerSecurityContext.enabled }}
               securityContext: {{- omit .Values.gdscan.autoUpdate.containerSecurityContext "enabled" | toYaml | nindent 16 }}
               {{- end }}                
-              command:
-                - "kubectl"
-                - "rollout"
-                - "restart"
+              command: ["sh", "-c"]
+              args:
+              - |
+                set -xe
 {{- if and (.Values.gdscan.persistence.enabled) (eq .Values.gdscan.persistence.accessMode "ReadWriteOnce" ) }}
-                - "statefulset/{{ include "gdscan.fullname" . }}"
+                RESOURCE="statefulset/{{ include "gdscan.fullname" . }}"
 {{- else }}
-                - "deployment/{{ include "gdscan.fullname" . }}"
+                RESOURCE="deployment/{{ include "gdscan.fullname" . }}"
 {{- end }}
+                LATEST=$(/app/get-latest-docker-tag {{ .Values.gdscan.client.image.repository }} {{ .Values.gdscan.client.image.tag }})
+                IMAGE="{{ .Values.gdscan.client.image.repository }}:$LATEST"
+                echo "Setting image of $RESOURCE to $IMAGE"
+                kubectl set image -n {{ .Release.Namespace }} $RESOURCE client=$IMAGE
+              volumeMounts:
+                - name: docker
+                  mountPath: /home/appuser/.docker
+                {{- range (include "gdscan.imagePullSecrets" . | fromYaml ).imagePullSecrets }}
+                - name: {{ .name }}
+                  mountPath: "/home/appuser/.image_pull_secrets/"
+                {{- end }}
 {{- if .Values.gdscan.autoUpdate.networkPolicy.enabled }}
 ---
 apiVersion: networking.k8s.io/v1
@@ -91,5 +114,6 @@ spec:
   egress:
     - ports:
         - port: {{ .Values.gdscan.autoUpdate.networkPolicy.k8sApiPort }}
+        - port: 443
 {{- end }}
-{{- end}}
+{{- end}}

charts/vaas/values.yaml

@@ -225,9 +225,9 @@ gdscan:
 
   autoUpdate:
     image:
-      registry: docker.io
-      repository: bitnami/kubectl
-      tag: "1.30"
+      registry: ghcr.io/gdatasoftwareag
+      repository: vaas/scanner-updater
+      tag: "0.4.1"
     containerSecurityContext:
       enabled: true
       readOnlyRootFilesystem: true