pomerium / ingress-controller

Pomerium Kubernetes Ingress Controller
https://pomerium.com
Apache License 2.0

The gen-secrets container should also use a release image, not pomerium/ingress-controller:main #477

Open lgov opened 1 year ago

lgov commented 1 year ago

Issue description

When deploying the Pomerium ingress controller v0.20.0 using the deployment.yaml file of tag v0.20.0, the gen-secrets container in the pomerium-gen-secrets job runs using the pomerium/ingress-controller:main image and not the pomerium/ingress-controller:sha-cdc389c image.

This is a problem for us because:

  1. The main image tag follows the main branch so it can introduce issues related to work-in-progress changes
  2. We pull release images in our own private repository. Image tags are selected by regexp, and main images are not pulled (as we don't need them)

Proposed solution

The fix for related issue #435 was to pin the ingress-controller image tag to sha-cdc389c in the deployment.yaml file for the pomerium deployment resource. I propose to make the same change for the image definition in the pomerium-gen-secrets Job spec in the current and next tagged releases. We do this locally with a kustomize patch but IMHO this should be fixed here upstream.

What's your environment like?
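The pinning concern raised above is easy to lose track of across a multi-document manifest: one resource gets pinned in a fix while another keeps a branch-tracking tag. The following is an added example (not part of this issue or the Pomerium project) of a small review-time check that scans a manifest for `image:` references and flags those that float (branch names such as `main`, `latest`, or no tag at all) rather than being pinned to a release tag or digest. The manifest excerpt embedded below is constructed to mirror the situation described in the report; it is not the project's deployment.yaml. The scan is deliberately line-oriented (an assumption that `kind:` and the resource's `metadata.name` appear at the usual indentation) so it runs without a YAML library.

```python
"""Flag floating container image tags in a Kubernetes manifest.

Added example for review/CI use; line-oriented scan, not a full YAML parser.
"""
import re
import sys
from dataclasses import dataclass
from typing import List

# Constructed sample: a Deployment pinned to a release tag and a Job that
# still tracks the main branch, mirroring the issue. Not the real manifest.
SAMPLE_MANIFEST = """\
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pomerium
spec:
  template:
    spec:
      containers:
      - name: pomerium
        image: pomerium/ingress-controller:sha-cdc389c
---
apiVersion: batch/v1
kind: Job
metadata:
  name: pomerium-gen-secrets
spec:
  template:
    spec:
      containers:
      - name: gen-secrets
        image: pomerium/ingress-controller:main
"""

# Tags that follow a moving branch rather than a fixed build (assumed list).
FLOATING_TAGS = {"main", "master", "latest", "dev", "nightly"}

IMAGE_RE = re.compile(r"^\s*(?:-\s+)?image:\s*['\"]?([^'\"\s]+)['\"]?\s*$")
KIND_RE = re.compile(r"^kind:\s*(\S+)\s*$")
META_NAME_RE = re.compile(r"^  name:\s*(\S+)\s*$")  # metadata.name at indent 2


@dataclass
class Finding:
    kind: str
    name: str
    image: str
    line: int


def classify_image(ref: str) -> str:
    """Return 'digest', 'tag' or 'floating' for an image reference."""
    if "@sha256:" in ref:
        return "digest"
    # Drop any registry host (which may carry ':port') before tag lookup.
    last_segment = ref.rsplit("/", 1)[-1]
    if ":" not in last_segment:
        return "floating"  # no tag means an implicit :latest
    tag = last_segment.rsplit(":", 1)[1]
    return "floating" if tag in FLOATING_TAGS else "tag"


def find_floating_images(manifest: str) -> List[Finding]:
    """Scan a (possibly multi-document) manifest for floating image refs."""
    findings: List[Finding] = []
    kind = name = None
    for lineno, line in enumerate(manifest.splitlines(), 1):
        if line.strip() == "---":  # document separator: reset resource context
            kind = name = None
            continue
        m = KIND_RE.match(line)
        if m:
            kind = m.group(1)
            continue
        if kind and name is None:
            m = META_NAME_RE.match(line)
            if m:
                name = m.group(1)
                continue
        m = IMAGE_RE.match(line)
        if m and classify_image(m.group(1)) == "floating":
            findings.append(Finding(kind or "?", name or "?", m.group(1), lineno))
    return findings


if __name__ == "__main__":
    # Read a manifest from stdin if one is piped in, otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_MANIFEST
    problems = find_floating_images(text)
    for f in problems:
        print(f"line {f.line}: {f.kind}/{f.name} uses floating image {f.image}")
    sys.exit(1 if problems else 0)
```

Run against the sample it reports only the Job, which is exactly the gap described in the issue; fed a manifest on stdin (for example `kubectl kustomize . | python check_images.py`) it exits non-zero so it can serve as a gate in the pipeline that produces release manifests. Digest pinning (`@sha256:...`) passes as well as tag pinning, since a digest is the stronger form of the same guarantee.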

wasaga commented 1 year ago

Secret generation is used in the default one-line kubectl apply ... installation method, in order to minimize one's efforts to configure Pomerium.

If we change image tags in the gen-secrets Job definition, the kubectl apply would fail, as Jobs are immutable and cannot be updated.

This is why it currently just uses main, as nothing is changing in the bootstrap secrets generation.