feat!(helm): stable image tag defaults

* The Helm chart no longer defaults the image tag to `latest`, but
  now defaults to the chart's `appVersion` (which matches the latest
  SemVer image tag).
* Simplify configuration overrides having eliminated the need for
  `kube-rbac-proxy`. The `deployment` values hierarchy has been renamed
  `manager`, and the values overrides previously managed under
  `deployment.containers.githubTokenManager` are now directly set
  on `manager`. Further, image `repository` and `tag` values are also
  directly set on `manager`.
  If `deployment.containers.githubTokenManager.image.tag` was set
  previously, then `manager.tag` should be set instead.

Author: isometry

deploy/charts/github-token-manager/Chart.yaml

@@ -4,4 +4,4 @@ name: github-token-manager
 description: A Helm chart for github-token-manager
 
 type: application
-version: 0.1.5
+version: 0.2.0

deploy/charts/github-token-manager/templates/deployment.yaml

@@ -1,21 +1,21 @@
 ---
-{{- $deployment := .Values.deployment }}
+{{- $manager := .Values.manager }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "chart.fullname" . }}
-  {{- with mergeOverwrite (default dict .Values.commonAnnotations) (default dict $deployment.annotations) }}
+  {{- with mergeOverwrite (default dict .Values.commonAnnotations) (default dict $manager.annotations) }}
   annotations:
     {{- range $key, $value := . }}
     {{ $key }}: {{ tpl $value $ | quote }}
     {{- end }}
   {{- end }}
   labels:
-    component: deployment
+    component: manager
     {{- include "labels" . | nindent 4 }}
-    {{- with $deployment.extraLabels -}}{{ toYaml . | nindent 4 }}{{- end }}
+    {{- with $manager.extraLabels -}}{{ toYaml . | nindent 4 }}{{- end }}
 spec:
-  replicas: {{ $deployment.replicas }}
+  replicas: {{ $manager.replicas }}
   selector:
     matchLabels:
       {{- include "selectorLabels" . | nindent 6 }}
@@ -26,14 +26,6 @@ spec:
       labels:
         {{- include "selectorLabels" . | nindent 8 }}
     spec:
-      {{- with $deployment.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with $deployment.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
       affinity:
         nodeAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
@@ -49,18 +41,21 @@ spec:
                     values:
                       - linux
       containers:
-        {{- $githubTokenManager := $deployment.containers.githubTokenManager }}
         - args:
             - --health-probe-bind-address=:8081
             - --metrics-bind-address=127.0.0.1:8080
             - --leader-elect
           command:
             - /ko-app/manager
-          {{- with $githubTokenManager.env }}
+          {{- with $manager.env }}
           env:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-          image: {{ $githubTokenManager.image.repository }}:{{ $githubTokenManager.image.tag }}
+          image: {{ if (hasPrefix "sha256:" (default "" $manager.tag)) -}}
+              {{- printf "%s@%s" $manager.repository $manager.tag -}}
+            {{- else -}}
+              {{- printf "%s:%s" $manager.repository (or $manager.tag $.Chart.AppVersion "latest") -}}
+            {{- end }}
           livenessProbe:
             httpGet:
               path: /healthz
@@ -76,9 +71,9 @@ spec:
             periodSeconds: 10
           resources:
             limits:
-              {{- $githubTokenManager.resources.limits | toYaml | nindent 14 }}
+              {{- $manager.resources.limits | toYaml | nindent 14 }}
             requests:
-              {{- $githubTokenManager.resources.requests | toYaml | nindent 14 }}
+              {{- $manager.resources.requests | toYaml | nindent 14 }}
           securityContext:
             allowPrivilegeEscalation: false
             capabilities:
@@ -88,12 +83,20 @@ spec:
             - mountPath: /config
               name: config
               readOnly: true
+      {{- with $manager.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       securityContext:
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault
       serviceAccountName: {{ .Values.rbac.serviceAccount.name | default (include "chart.fullname" . ) }}
       terminationGracePeriodSeconds: 10
+      {{- with $manager.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       volumes:
         - name: config
           secret:

deploy/charts/github-token-manager/values.yaml

@@ -53,32 +53,29 @@ metrics:
         protocol: TCP
         targetPort: https
 
-## deployment
+## manager
+##   repository: image repository
+##   tag: image tag
 ##   replicas: number of replicas
+##   annotations: map of annotations (optional)
 ##   tolerations: list of tolerations (optional)
 ##   nodeSelector: node selector (optional)
-##   containers: list of containers
-##     githubTokenManager:
-##       image:
-##         repository: image repository
-##         tag: image tag
-deployment:
-  annotations: {}
+##   env: list of additional environment variables to set on the manager container
+##   resources: manager container resource requests and limits
+manager:
+  repository: ghcr.io/isometry/github-token-manager
+  tag: ~ # defaults to chart appVersion
   replicas: 1
+  annotations: {}
   tolerations: ~
   nodeSelector: ~
-  containers:
-    githubTokenManager:
-      image:
-        repository: ghcr.io/isometry/github-token-manager
-        tag: latest
-      # additional environment variables to set on the controller container
-      # e.g. `[{name: VAULT_ADDR, value: http://vault:8200}]`
-      env: []
-      resources:
-        limits:
-          cpu: 500m
-          memory: 128Mi
-        requests:
-          cpu: 5m
-          memory: 64Mi
+  # additional environment variables to set on the controller container
+  # e.g. `[{name: VAULT_ADDR, value: http://vault:8200}]`
+  env: []
+  resources:
+    limits:
+      cpu: 500m
+      memory: 128Mi
+    requests:
+      cpu: 5m
+      memory: 64Mi