Open lgov opened 1 year ago
Secret generation is used in the default one-line kubectl apply ... installation method, in order to minimize one's efforts to configure Pomerium.
If we change image tags in the gen-secrets Job definition, the kubectl apply would fail, as Jobs are immutable and cannot be updated.
This is why currently it just uses main, as nothing is changing in the bootstrap secrets generation currently.
Issue description
When deploying the Pomerium ingress controller v0.20.0 using the deployment.yaml file of tag v0.20.0, the gen-secrets container in the pomerium-gen-secrets job runs using the pomerium/ingress-controller:main image and not the pomerium/ingress-controller:sha-cdc389c image.
This is a problem for us because:
Proposed solution
The fix for related issue #435 was to pin the ingress-controller image tag to sha-cdc389c in the deployment.yaml file for the pomerium deployment resource. I propose to make the same change for the image definition in the pomerium-gen-secrets Job spec in the current and next tagged releases. We do this locally with a kustomize patch but IMHO this should be fixed here upstream.
What's your environment like?
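A check for the condition this issue reports, added here as an example and not part of the issue or the Pomerium project: it scans a multi-document manifest and lists every workload whose image reference is not pinned. The sample manifest is constructed from the names quoted in the issue, and the policy that only a digest or a `sha-<hex>` tag counts as pinned is an assumption.

```python
import re

# Constructed sample: a trimmed stand-in for the situation described in the
# issue (Deployment pinned, gen-secrets Job on :main), not the real deployment.yaml.
SAMPLE_MANIFEST = """\
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pomerium
spec:
  template:
    spec:
      containers:
      - name: pomerium
        image: pomerium/ingress-controller:sha-cdc389c
---
apiVersion: batch/v1
kind: Job
metadata:
  name: pomerium-gen-secrets
spec:
  template:
    spec:
      containers:
      - name: gen-secrets
        image: pomerium/ingress-controller:main
"""

# Assumed policy: pinned means a sha256 digest or a sha-<hex> tag.
PINNED = re.compile(r"(@sha256:[0-9a-f]{64}|:sha-[0-9a-f]{7,40})$")
IMAGE = re.compile(r"^\s*(?:-\s*)?image:\s*[\"']?([^\s\"'#]+)", re.M)
KIND = re.compile(r"^kind:\s*(\S+)", re.M)
NAME = re.compile(r"^metadata:[ \t]*\n(?:[ \t]+.*\n)*?[ \t]+name:\s*(\S+)", re.M)

def unpinned_images(manifest: str):
    """Return (kind, name, image) for every image reference that is not pinned."""
    findings = []
    for doc in re.split(r"^---\s*$", manifest, flags=re.M):
        kind = KIND.search(doc)
        name = NAME.search(doc)
        for image in IMAGE.findall(doc):
            if not PINNED.search(image):
                findings.append((kind.group(1) if kind else "?",
                                 name.group(1) if name else "?", image))
    return findings

if __name__ == "__main__":
    for kind, name, image in unpinned_images(SAMPLE_MANIFEST):
        print(f"{kind}/{name}: mutable image reference {image}")
```

Run against a rendered manifest in CI, a non-empty result can fail the build before a floating tag reaches the cluster.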