Merge pull request #124 from cybozu-go/migrate-to-ghcr

Migrate to ghcr.io
cybozu-go · Jan 25, 2024 · 5961d80 · 5961d80
2 parents 858e41c + 11309f3
commit 5961d80
Show file tree

Hide file tree

Showing 57 changed files with 75 additions and 88 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -19,12 +19,6 @@ jobs:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - name: quay.io Login
-        uses: docker/login-action@v2
-        with:
-          registry: quay.io
-          username: ${{ secrets.QUAY_USER }}
-          password: ${{ secrets.QUAY_PASSWORD }}
       - name: Setup go
         uses: actions/setup-go@v3
         with:

diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -13,7 +13,6 @@ builds:
       - -X github.com/cybozu-go/pod-security-admission.Version={{.Version}}
 dockers:
   - image_templates:
-    - "quay.io/cybozu/{{.ProjectName}}:{{ .Version }}-amd64"
     - "ghcr.io/cybozu-go/{{.ProjectName}}:{{ .Version }}-amd64"
     use: buildx
     dockerfile: Dockerfile
@@ -25,12 +24,6 @@ dockers:
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
 docker_manifests:
-  - name_template: "quay.io/cybozu/{{.ProjectName}}:{{ .Version }}"
-    image_templates:
-      - "quay.io/cybozu/{{.ProjectName}}:{{ .Version }}-amd64"
-  - name_template: "quay.io/cybozu/{{.ProjectName}}:{{ .Major }}.{{ .Minor }}"
-    image_templates:
-      - "quay.io/cybozu/{{.ProjectName}}:{{ .Version }}-amd64"
   - name_template: "ghcr.io/cybozu-go/{{.ProjectName}}:{{ .Version }}"
     image_templates:
       - "ghcr.io/cybozu-go/{{.ProjectName}}:{{ .Version }}-amd64"

diff --git a/README.md b/README.md
@@ -95,7 +95,7 @@ https://github.com/kubernetes/kubectl/issues/1108
 Docker images
 -------------
 
-Docker images are available on [Quay.io](https://quay.io/repository/cybozu/pod-security-admission)
+Docker images are available on [ghcr.io](https://github.com/cybozu-go/pod-security-admission/pkgs/container/pod-security-admission)
 
 License
 -------

diff --git a/charts/pod-security-admission/values.yaml b/charts/pod-security-admission/values.yaml
@@ -6,7 +6,7 @@ controllerManager:
     containerSecurityContext:
       allowPrivilegeEscalation: false
     image:
-      repository: quay.io/cybozu/pod-security-admission
+      repository: ghcr.io/cybozu-go/pod-security-admission
       tag: app-version-placeholder
     imagePullPolicy: IfNotPresent
     resources:

diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
@@ -4,7 +4,7 @@ resources:
 images:
 - name: pod-security-admission
   newTag: 0.6.1
-  newName: quay.io/cybozu/pod-security-admission
+  newName: ghcr.io/cybozu-go/pod-security-admission
 
 generatorOptions:
   disableNameSuffixHash: true

diff --git a/hooks/ephemeral_container_test.go b/hooks/ephemeral_container_test.go
@@ -28,7 +28,7 @@ metadata:
 spec:
   containers:
   - name: ubuntu
-    image: quay.io/cybozu/ubuntu
+    image: ghcr.io/cybozu/ubuntu
     securityContext:
       runAsNonRoot: true
 `
@@ -58,7 +58,7 @@ spec:
 		Entry("Valid Ephemeral Container", "restricted", "test-simple-ec", corev1.EphemeralContainer{
 			EphemeralContainerCommon: corev1.EphemeralContainerCommon{
 				Name:  "debug",
-				Image: "quay.io/cybozu/ubuntu-debug",
+				Image: "ghcr.io/cybozu/ubuntu-debug",
 				SecurityContext: &corev1.SecurityContext{
 					RunAsNonRoot: ptr.To(true),
 				},
@@ -67,7 +67,7 @@ spec:
 		Entry("Privileged Ephemeral Container", "baseline", "test-privileged-ec", corev1.EphemeralContainer{
 			EphemeralContainerCommon: corev1.EphemeralContainerCommon{
 				Name:  "debug",
-				Image: "quay.io/cybozu/ubuntu-debug",
+				Image: "ghcr.io/cybozu/ubuntu-debug",
 				SecurityContext: &corev1.SecurityContext{
 					RunAsNonRoot: ptr.To(true),
 					Privileged:   ptr.To(true),
@@ -77,7 +77,7 @@ spec:
 		Entry("AllowPrivilegeEscalation Ephemeral Container", "restricted", "test-allow-privilege-escalation-ec", corev1.EphemeralContainer{
 			EphemeralContainerCommon: corev1.EphemeralContainerCommon{
 				Name:  "debug",
-				Image: "quay.io/cybozu/ubuntu-debug",
+				Image: "ghcr.io/cybozu/ubuntu-debug",
 				SecurityContext: &corev1.SecurityContext{
 					RunAsNonRoot:             ptr.To(true),
 					AllowPrivilegeEscalation: ptr.To(true),
@@ -87,7 +87,7 @@ spec:
 		Entry("RootGroup Ephemeral Container", "restricted", "test-root-group-ec", corev1.EphemeralContainer{
 			EphemeralContainerCommon: corev1.EphemeralContainerCommon{
 				Name:  "debug",
-				Image: "quay.io/cybozu/ubuntu-debug",
+				Image: "ghcr.io/cybozu/ubuntu-debug",
 				SecurityContext: &corev1.SecurityContext{
 					RunAsNonRoot: ptr.To(true),
 					RunAsGroup:   ptr.To[int64](0),
@@ -100,7 +100,7 @@ spec:
 			Entry("RunAsRoot Ephemeral Container", "restricted", "test-run-as-root-ec", corev1.EphemeralContainer{
 				EphemeralContainerCommon: corev1.EphemeralContainerCommon{
 					Name:  "debug",
-					Image: "quay.io/cybozu/ubuntu-debug",
+					Image: "ghcr.io/cybozu/ubuntu-debug",
 					SecurityContext: &corev1.SecurityContext{
 						RunAsNonRoot: pointer.Bool(false),
 					},
@@ -110,7 +110,7 @@ spec:
 		Entry("UnsafeCapability Ephemeral Container", "restricted", "test-unsafe-capability-ec", corev1.EphemeralContainer{
 			EphemeralContainerCommon: corev1.EphemeralContainerCommon{
 				Name:  "debug",
-				Image: "quay.io/cybozu/ubuntu-debug",
+				Image: "ghcr.io/cybozu/ubuntu-debug",
 				SecurityContext: &corev1.SecurityContext{
 					RunAsNonRoot: ptr.To(true),
 					Capabilities: &corev1.Capabilities{
@@ -124,7 +124,7 @@ spec:
 		Entry("UnsafeProcMount Ephemeral Container", "restricted", "test-unsafe-procmount-ec", corev1.EphemeralContainer{
 			EphemeralContainerCommon: corev1.EphemeralContainerCommon{
 				Name:  "debug",
-				Image: "quay.io/cybozu/ubuntu-debug",
+				Image: "ghcr.io/cybozu/ubuntu-debug",
 				SecurityContext: &corev1.SecurityContext{
 					RunAsNonRoot: ptr.To(true),
 					ProcMount:    &unmasked,
@@ -134,7 +134,7 @@ spec:
 		Entry("UnsafeSeccomp Ephemeral Container", "restricted", "test-unsafe-seccomp-ec", corev1.EphemeralContainer{
 			EphemeralContainerCommon: corev1.EphemeralContainerCommon{
 				Name:  "debug",
-				Image: "quay.io/cybozu/ubuntu-debug",
+				Image: "ghcr.io/cybozu/ubuntu-debug",
 				SecurityContext: &corev1.SecurityContext{
 					RunAsNonRoot: ptr.To(true),
 					SeccompProfile: &corev1.SeccompProfile{
@@ -147,7 +147,7 @@ spec:
 		Entry("UnsafeSELinux Ephemeral Container", "restricted", "test-unsafe-selinux-ec", corev1.EphemeralContainer{
 			EphemeralContainerCommon: corev1.EphemeralContainerCommon{
 				Name:  "debug",
-				Image: "quay.io/cybozu/ubuntu-debug",
+				Image: "ghcr.io/cybozu/ubuntu-debug",
 				SecurityContext: &corev1.SecurityContext{
 					RunAsNonRoot: ptr.To(true),
 					SELinuxOptions: &corev1.SELinuxOptions{
@@ -171,7 +171,7 @@ spec:
 		spec:
 		  containers:
 		  - name: ubuntu
-		    image: quay.io/cybozu/ubuntu
+		    image: ghcr.io/cybozu/ubuntu
 		    securityContext:
 		      runAsNonRoot: true
 		`
@@ -189,7 +189,7 @@ spec:
 					ec := corev1.EphemeralContainer{
 						EphemeralContainerCommon: corev1.EphemeralContainerCommon{
 							Name:  "debug",
-							Image: "quay.io/cybozu/ubuntu-debug",
+							Image: "ghcr.io/cybozu/ubuntu-debug",
 						},
 					}
 					pod.Spec.EphemeralContainers = append(pod.Spec.EphemeralContainers, ec)

diff --git a/hooks/testdata/baseline/additional-capability.yaml b/hooks/testdata/baseline/additional-capability.yaml
@@ -7,7 +7,7 @@ spec:
     runAsNonRoot: true
   containers:
     - name: ubuntu
-      image: quay.io/cybozu/ubuntu
+      image: ghcr.io/cybozu/ubuntu
       securityContext:
         capabilities:
           add:

diff --git a/hooks/testdata/baseline/host-ports.yaml b/hooks/testdata/baseline/host-ports.yaml
@@ -7,7 +7,7 @@ spec:
     runAsNonRoot: true
   containers:
     - name: ubuntu
-      image: quay.io/cybozu/ubuntu
+      image: ghcr.io/cybozu/ubuntu
       ports:
         - containerPort: 8080
           hostPort: 65500

diff --git a/hooks/testdata/baseline/noncore-volume1.yaml b/hooks/testdata/baseline/noncore-volume1.yaml
@@ -9,7 +9,7 @@ spec:
     runAsNonRoot: true
   containers:
     - name: ubuntu
-      image: quay.io/cybozu/ubuntu
+      image: ghcr.io/cybozu/ubuntu
   volumes:
     - name: nfs
       nfs:

diff --git a/hooks/testdata/baseline/noncore-volume2.yaml b/hooks/testdata/baseline/noncore-volume2.yaml
@@ -9,7 +9,7 @@ spec:
     runAsNonRoot: true
   containers:
     - name: ubuntu
-      image: quay.io/cybozu/ubuntu
+      image: ghcr.io/cybozu/ubuntu
   volumes:
     - name: config
       configMap:

diff --git a/hooks/testdata/baseline/privilege-escalation1.yaml b/hooks/testdata/baseline/privilege-escalation1.yaml
@@ -9,6 +9,6 @@ spec:
     runAsNonRoot: true
   containers:
     - name: ubuntu
-      image: quay.io/cybozu/ubuntu
+      image: ghcr.io/cybozu/ubuntu
       securityContext:
         allowPrivilegeEscalation: true
diff --git a/hooks/testdata/baseline/privilege-escalation2.yaml b/hooks/testdata/baseline/privilege-escalation2.yaml
@@ -9,9 +9,9 @@ spec:
     runAsNonRoot: true
   containers:
     - name: ubuntu
-      image: quay.io/cybozu/ubuntu
+      image: ghcr.io/cybozu/ubuntu
   initContainers:
     - name: debug
-      image: quay.io/cybozu/ubuntu-debug
+      image: ghcr.io/cybozu/ubuntu-debug
       securityContext:
         allowPrivilegeEscalation: true
diff --git a/hooks/testdata/baseline/root-group1.yaml b/hooks/testdata/baseline/root-group1.yaml
@@ -10,4 +10,4 @@ spec:
     runAsGroup: 0
   containers:
     - name: ubuntu
-      image: quay.io/cybozu/ubuntu
+      image: ghcr.io/cybozu/ubuntu
diff --git a/hooks/testdata/baseline/root-group2.yaml b/hooks/testdata/baseline/root-group2.yaml
@@ -11,4 +11,4 @@ spec:
       - 0
   containers:
     - name: ubuntu
-      image: quay.io/cybozu/ubuntu
+      image: ghcr.io/cybozu/ubuntu
diff --git a/hooks/testdata/baseline/root-group3.yaml b/hooks/testdata/baseline/root-group3.yaml
@@ -10,4 +10,4 @@ spec:
     fsGroup: 0
   containers:
     - name: ubuntu
-      image: quay.io/cybozu/ubuntu
+      image: ghcr.io/cybozu/ubuntu
diff --git a/hooks/testdata/baseline/root-group4.yaml b/hooks/testdata/baseline/root-group4.yaml
@@ -9,6 +9,6 @@ spec:
     runAsNonRoot: true
   containers:
     - name: ubuntu
-      image: quay.io/cybozu/ubuntu
+      image: ghcr.io/cybozu/ubuntu
       securityContext:
         runAsGroup: 0
diff --git a/hooks/testdata/baseline/root-group5.yaml b/hooks/testdata/baseline/root-group5.yaml
@@ -9,9 +9,9 @@ spec:
     runAsNonRoot: true
   containers:
     - name: ubuntu
-      image: quay.io/cybozu/ubuntu
+      image: ghcr.io/cybozu/ubuntu
   initContainers:
     - name: debug
-      image: quay.io/cybozu/ubuntu-debug
+      image: ghcr.io/cybozu/ubuntu-debug
       securityContext:
         runAsGroup: 0
diff --git a/hooks/testdata/baseline/run-as-root1.yaml b/hooks/testdata/baseline/run-as-root1.yaml
@@ -9,4 +9,4 @@ spec:
     runAsNonRoot: false
   containers:
     - name: ubuntu
-      image: quay.io/cybozu/ubuntu
+      image: ghcr.io/cybozu/ubuntu
diff --git a/hooks/testdata/baseline/run-as-root2.yaml b/hooks/testdata/baseline/run-as-root2.yaml
@@ -9,4 +9,4 @@ spec:
     runAsUser: 0
   containers:
     - name: ubuntu
-      image: quay.io/cybozu/ubuntu
+      image: ghcr.io/cybozu/ubuntu
diff --git a/hooks/testdata/baseline/run-as-root3.yaml b/hooks/testdata/baseline/run-as-root3.yaml
@@ -7,4 +7,4 @@ metadata:
 spec:
   containers:
     - name: ubuntu
-      image: quay.io/cybozu/ubuntu
+      image: ghcr.io/cybozu/ubuntu
diff --git a/hooks/testdata/baseline/run-as-root4.yaml b/hooks/testdata/baseline/run-as-root4.yaml
@@ -7,6 +7,6 @@ metadata:
 spec:
   containers:
     - name: ubuntu
-      image: quay.io/cybozu/ubuntu
+      image: ghcr.io/cybozu/ubuntu
       securityContext:
         runAsNonRoot: false
diff --git a/hooks/testdata/baseline/run-as-root5.yaml b/hooks/testdata/baseline/run-as-root5.yaml
@@ -9,6 +9,6 @@ spec:
     runAsNonRoot: true
   containers:
     - name: ubuntu
-      image: quay.io/cybozu/ubuntu
+      image: ghcr.io/cybozu/ubuntu
       securityContext:
         runAsUser: 0
diff --git a/hooks/testdata/baseline/seccomp1.yaml b/hooks/testdata/baseline/seccomp1.yaml
@@ -12,4 +12,4 @@ spec:
       localhostProfile: profiles/audit.json
   containers:
     - name: ubuntu
-      image: quay.io/cybozu/ubuntu
+      image: ghcr.io/cybozu/ubuntu
diff --git a/hooks/testdata/baseline/seccomp2.yaml b/hooks/testdata/baseline/seccomp2.yaml
@@ -9,7 +9,7 @@ spec:
     runAsNonRoot: true
   containers:
     - name: ubuntu
-      image: quay.io/cybozu/ubuntu
+      image: ghcr.io/cybozu/ubuntu
       securityContext:
         seccompProfile:
           type: "Localhost"

diff --git a/hooks/testdata/baseline/seccomp3.yaml b/hooks/testdata/baseline/seccomp3.yaml
@@ -9,10 +9,10 @@ spec:
     runAsNonRoot: true
   containers:
     - name: ubuntu
-      image: quay.io/cybozu/ubuntu
+      image: ghcr.io/cybozu/ubuntu
   initContainers:
     - name: debug
-      image: quay.io/cybozu/ubuntu-debug
+      image: ghcr.io/cybozu/ubuntu-debug
       securityContext:
         seccompProfile:
           type: "Localhost"

diff --git a/hooks/testdata/hostpath/host-path3.yaml b/hooks/testdata/hostpath/host-path3.yaml
@@ -9,7 +9,7 @@ spec:
     runAsNonRoot: true
   containers:
     - name: ubuntu
-      image: quay.io/cybozu/ubuntu
+      image: ghcr.io/cybozu/ubuntu
   volumes:
     - name: host
       hostPath:

diff --git a/hooks/testdata/hostpath/host-path4.yaml b/hooks/testdata/hostpath/host-path4.yaml
@@ -9,7 +9,7 @@ spec:
     runAsNonRoot: true
   containers:
     - name: ubuntu
-      image: quay.io/cybozu/ubuntu
+      image: ghcr.io/cybozu/ubuntu
   volumes:
     - name: host
       hostPath:

diff --git a/hooks/testdata/mutating/run-as-root1.yaml b/hooks/testdata/mutating/run-as-root1.yaml
@@ -7,4 +7,4 @@ spec:
     runAsNonRoot: false
   containers:
     - name: ubuntu
-      image: quay.io/cybozu/ubuntu
+      image: ghcr.io/cybozu/ubuntu
diff --git a/hooks/testdata/privileged/apparmor.yaml b/hooks/testdata/privileged/apparmor.yaml
@@ -10,4 +10,4 @@ spec:
     runAsNonRoot: true
   containers:
     - name: ubuntu
-      image: quay.io/cybozu/ubuntu
+      image: ghcr.io/cybozu/ubuntu
diff --git a/hooks/testdata/privileged/capability1.yaml b/hooks/testdata/privileged/capability1.yaml
@@ -9,10 +9,10 @@ spec:
     runAsNonRoot: true
   containers:
     - name: ubuntu
-      image: quay.io/cybozu/ubuntu
+      image: ghcr.io/cybozu/ubuntu
   initContainers:
     - name: debug
-      image: quay.io/cybozu/ubuntu-debug
+      image: ghcr.io/cybozu/ubuntu-debug
       securityContext:
         capabilities:
           drop:

diff --git a/hooks/testdata/privileged/capability2.yaml b/hooks/testdata/privileged/capability2.yaml
@@ -9,7 +9,7 @@ spec:
     runAsNonRoot: true
   containers:
     - name: ubuntu
-      image: quay.io/cybozu/ubuntu
+      image: ghcr.io/cybozu/ubuntu
       securityContext:
         capabilities:
           add:

diff --git a/hooks/testdata/privileged/host-ipc.yaml b/hooks/testdata/privileged/host-ipc.yaml
@@ -9,5 +9,5 @@ spec:
     runAsNonRoot: true
   containers:
     - name: ubuntu
-      image: quay.io/cybozu/ubuntu
+      image: ghcr.io/cybozu/ubuntu
   hostIPC: true
diff --git a/hooks/testdata/privileged/host-network.yaml b/hooks/testdata/privileged/host-network.yaml
@@ -9,5 +9,5 @@ spec:
     runAsNonRoot: true
   containers:
     - name: ubuntu
-      image: quay.io/cybozu/ubuntu
+      image: ghcr.io/cybozu/ubuntu
   hostNetwork: true
diff --git a/hooks/testdata/privileged/host-path.yaml b/hooks/testdata/privileged/host-path.yaml
@@ -9,7 +9,7 @@ spec:
     runAsNonRoot: true
   containers:
     - name: ubuntu
-      image: quay.io/cybozu/ubuntu
+      image: ghcr.io/cybozu/ubuntu
   volumes:
     - name: host
       hostPath: