fix: remove deprecated imageSignatureRepository flag (kyverno#9698)
Signed-off-by: Charles-Edouard Brétéché <[email protected]>
eddycharly authored Feb 8, 2024
1 parent c2dda83 commit a1cb4f1
Showing 14 changed files with 45 additions and 79 deletions.
1 change: 0 additions & 1 deletion cmd/cli/kubectl-kyverno/processor/generate.go
Expand Up @@ -135,7 +135,6 @@ func initializeMockController(out io.Writer, s *store.Store, gvrToListKind map[s
imageverifycache.DisabledImageVerifyCache(),
store.ContextLoaderFactory(s, nil),
nil,
"",
))
return c, nil
}
1 change: 0 additions & 1 deletion cmd/cli/kubectl-kyverno/processor/policy_processor.go
Expand Up @@ -81,7 +81,6 @@ func (p *PolicyProcessor) ApplyPoliciesOnResource() ([]engineapi.EngineResponse,
imageverifycache.DisabledImageVerifyCache(),
store.ContextLoaderFactory(p.Store, nil),
policyExceptionLister,
"",
)
gvk, subresource := resource.GroupVersionKind(), ""
// If --cluster flag is not set, then we need to find the top level resource GVK and subresource
1 change: 0 additions & 1 deletion cmd/internal/engine.go
Expand Up @@ -52,7 +52,6 @@ func NewEngine(
ivCache,
factories.DefaultContextLoaderFactory(configMapResolver, factories.WithAPICallConfig(apiCallConfig), factories.WithGlobalContextStore(gctxStore)),
exceptionsSelector,
imageSignatureRepository,
)
}

13 changes: 3 additions & 10 deletions cmd/internal/flag.go
Expand Up @@ -41,10 +41,9 @@ var (
exceptionNamespace string
enableConfigMapCaching bool
// cosign
imageSignatureRepository string
enableTUF bool
tufMirror string
tufRoot string
enableTUF bool
tufMirror string
tufRoot string
// registry client
imagePullSecrets string
allowInsecureRegistry bool
Expand Down Expand Up @@ -111,7 +110,6 @@ func initDeferredLoadingFlags() {
}

func initCosignFlags() {
flag.StringVar(&imageSignatureRepository, "imageSignatureRepository", "", "(DEPRECATED, will be removed in 1.12) Alternate repository for image signatures. Can be overridden per rule via `verifyImages.Repository`.")
flag.BoolVar(&enableTUF, "enableTuf", false, "enable tuf for private sigstore deployments")
flag.StringVar(&tufMirror, "tufMirror", tuf.DefaultRemoteRoot, "Alternate TUF mirror for sigstore. If left blank, public sigstore one is used for cosign verification.")
flag.StringVar(&tufRoot, "tufRoot", "", "Alternate TUF root.json for sigstore. If left blank, public sigstore one is used for cosign verification.")
Expand Down Expand Up @@ -229,11 +227,6 @@ func initFlags(config Configuration, opts ...Option) {
}

func showWarnings(config Configuration, logger logr.Logger) {
if config.UsesCosign() {
if imageSignatureRepository != "" {
logger.Info("Warning: imageSignatureRepository is deprecated and will be removed in 1.12. Use per rule configuration `verifyImages.Repository` instead.")
}
}
}

func ParseFlags(config Configuration, opts ...Option) {
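Review bot: showWarnings at the bottom of this section is left with an empty body and two unused parameters once the cosign branch is removed; either delete it together with its caller (not visible in this hunk), or keep it with a comment such as `// showWarnings is intentionally empty; add notices for deprecated flags here.` Separately, deleting the flag definition in initCosignFlags rather than keeping a no-op stub means a deployment that still passes `--imageSignatureRepository` will fail at startup, since package-level flag.StringVar/BoolVar register on flag.CommandLine, which uses ExitOnError and rejects unknown flags (assuming this is the standard library flag package). The removed help text promised removal in 1.12, so the release notes should state that the flag is now rejected rather than ignored.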
39 changes: 18 additions & 21 deletions pkg/engine/engine.go
Expand Up @@ -27,15 +27,14 @@ import (
)

type engine struct {
configuration config.Configuration
metricsConfiguration config.MetricsConfiguration
jp jmespath.Interface
client engineapi.Client
rclientFactory engineapi.RegistryClientFactory
ivCache imageverifycache.Client
contextLoader engineapi.ContextLoaderFactory
exceptionSelector engineapi.PolicyExceptionSelector
imageSignatureRepository string
configuration config.Configuration
metricsConfiguration config.MetricsConfiguration
jp jmespath.Interface
client engineapi.Client
rclientFactory engineapi.RegistryClientFactory
ivCache imageverifycache.Client
contextLoader engineapi.ContextLoaderFactory
exceptionSelector engineapi.PolicyExceptionSelector
// metrics
resultCounter metric.Int64Counter
durationHistogram metric.Float64Histogram
Expand All @@ -52,7 +51,6 @@ func NewEngine(
ivCache imageverifycache.Client,
contextLoader engineapi.ContextLoaderFactory,
exceptionSelector engineapi.PolicyExceptionSelector,
imageSignatureRepository string,
) engineapi.Engine {
meter := otel.GetMeterProvider().Meter(metrics.MeterName)
resultCounter, err := meter.Int64Counter(
Expand All @@ -70,17 +68,16 @@ func NewEngine(
logging.Error(err, "failed to register metric kyverno_policy_execution_duration_seconds")
}
return &engine{
configuration: configuration,
metricsConfiguration: metricsConfiguration,
jp: jp,
client: client,
rclientFactory: rclientFactory,
ivCache: ivCache,
contextLoader: contextLoader,
exceptionSelector: exceptionSelector,
imageSignatureRepository: imageSignatureRepository,
resultCounter: resultCounter,
durationHistogram: durationHistogram,
configuration: configuration,
metricsConfiguration: metricsConfiguration,
jp: jp,
client: client,
rclientFactory: rclientFactory,
ivCache: ivCache,
contextLoader: contextLoader,
exceptionSelector: exceptionSelector,
resultCounter: resultCounter,
durationHistogram: durationHistogram,
}
}

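Review bot: NewEngine is exported and its signature changes here, but it still has no doc comment; since callers updated in this commit pass nil for exceptionSelector (generate.go, fuzz_test.go), the comment should say whether nil is accepted, e.g. `// NewEngine returns an engineapi.Engine backed by the given configuration, client and loaders; exceptionSelector may be nil when policy exceptions are not used.` The metric-registration errors between the signature and the return are only logged, which is existing behavior and fine to leave, but a one-line comment noting that the engine runs with nil counters in that case would help readers. NewEngine's parameter list begins above the first hunk of this section.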
3 changes: 0 additions & 3 deletions pkg/engine/fuzz_test.go
Expand Up @@ -43,7 +43,6 @@ var (
imageverifycache.DisabledImageVerifyCache(),
factories.DefaultContextLoaderFactory(nil),
nil,
"",
)
initter sync.Once
)
Expand Down Expand Up @@ -127,7 +126,6 @@ func FuzzVerifyImageAndPatchTest(f *testing.F) {
imageverifycache.DisabledImageVerifyCache(),
factories.DefaultContextLoaderFactory(nil),
nil,
"",
)

_, _ = verifyImageAndPatchEngine.VerifyAndPatchImages(
Expand Down Expand Up @@ -274,7 +272,6 @@ func FuzzMutateTest(f *testing.F) {
imageverifycache.DisabledImageVerifyCache(),
factories.DefaultContextLoaderFactory(nil),
nil,
"",
)
e.Mutate(
context.Background(),
25 changes: 11 additions & 14 deletions pkg/engine/handlers/mutation/mutate_image.go
Expand Up @@ -24,12 +24,11 @@ import (
)

type mutateImageHandler struct {
configuration config.Configuration
rclientFactory engineapi.RegistryClientFactory
ivCache imageverifycache.Client
ivm *engineapi.ImageVerificationMetadata
images []apiutils.ImageInfo
imageSignatureRepository string
configuration config.Configuration
rclientFactory engineapi.RegistryClientFactory
ivCache imageverifycache.Client
ivm *engineapi.ImageVerificationMetadata
images []apiutils.ImageInfo
}

func NewMutateImageHandler(
Expand All @@ -40,7 +39,6 @@ func NewMutateImageHandler(
rclientFactory engineapi.RegistryClientFactory,
ivCache imageverifycache.Client,
ivm *engineapi.ImageVerificationMetadata,
imageSignatureRepository string,
) (handlers.Handler, error) {
if len(rule.VerifyImages) == 0 {
return nil, nil
Expand All @@ -53,12 +51,11 @@ func NewMutateImageHandler(
return nil, nil
}
return mutateImageHandler{
configuration: configuration,
rclientFactory: rclientFactory,
ivm: ivm,
ivCache: ivCache,
images: ruleImages,
imageSignatureRepository: imageSignatureRepository,
configuration: configuration,
rclientFactory: rclientFactory,
ivm: ivm,
ivCache: ivCache,
images: ruleImages,
}, nil
}

Expand Down Expand Up @@ -102,7 +99,7 @@ func (h mutateImageHandler) Process(
engineapi.RuleError(rule.Name, engineapi.ImageVerify, "failed to fetch secrets", err),
)
}
iv := internal.NewImageVerifier(logger, rclient, h.ivCache, policyContext, *ruleCopy, h.ivm, h.imageSignatureRepository)
iv := internal.NewImageVerifier(logger, rclient, h.ivCache, policyContext, *ruleCopy, h.ivm)
patch, ruleResponse := iv.Verify(ctx, imageVerify, h.images, h.configuration)
patches = append(patches, patch...)
engineResponses = append(engineResponses, ruleResponse...)
1 change: 0 additions & 1 deletion pkg/engine/image_verify.go
Expand Up @@ -43,7 +43,6 @@ func (e *engine) verifyAndPatchImages(
e.rclientFactory,
e.ivCache,
&ivm,
e.imageSignatureRepository,
)
}
resource, ruleResp := e.invokeRuleHandler(
2 changes: 0 additions & 2 deletions pkg/engine/image_verify_test.go
Expand Up @@ -322,7 +322,6 @@ func testVerifyAndPatchImages(
imageverifycache.DisabledImageVerifyCache(),
factories.DefaultContextLoaderFactory(cmResolver),
nil,
"",
)
return e.VerifyAndPatchImages(
ctx,
Expand Down Expand Up @@ -1075,7 +1074,6 @@ func testImageVerifyCache(
ivCache,
factories.DefaultContextLoaderFactory(cmResolver),
nil,
"",
)
return e.VerifyAndPatchImages(
ctx,
33 changes: 13 additions & 20 deletions pkg/engine/internal/imageverifier.go
Expand Up @@ -29,13 +29,12 @@ import (
)

type ImageVerifier struct {
logger logr.Logger
rclient engineapi.RegistryClient
ivCache imageverifycache.Client
policyContext engineapi.PolicyContext
rule kyvernov1.Rule
ivm *engineapi.ImageVerificationMetadata
imageSignatureRepository string
logger logr.Logger
rclient engineapi.RegistryClient
ivCache imageverifycache.Client
policyContext engineapi.PolicyContext
rule kyvernov1.Rule
ivm *engineapi.ImageVerificationMetadata
}

func NewImageVerifier(
Expand All @@ -45,16 +44,14 @@ func NewImageVerifier(
policyContext engineapi.PolicyContext,
rule kyvernov1.Rule,
ivm *engineapi.ImageVerificationMetadata,
imageSignatureRepository string,
) *ImageVerifier {
return &ImageVerifier{
logger: logger,
rclient: rclient,
ivCache: ivCache,
policyContext: policyContext,
rule: rule,
ivm: ivm,
imageSignatureRepository: imageSignatureRepository,
logger: logger,
rclient: rclient,
ivCache: ivCache,
policyContext: policyContext,
rule: rule,
ivm: ivm,
}
}

Expand Down Expand Up @@ -552,13 +549,9 @@ func (iv *ImageVerifier) buildCosignVerifier(
attestation *kyvernov1.Attestation,
) (images.ImageVerifier, *images.Options, string) {
path := ""
repository := iv.imageSignatureRepository
if imageVerify.Repository != "" {
repository = imageVerify.Repository
}
opts := &images.Options{
ImageRef: image,
Repository: repository,
Repository: imageVerify.Repository,
Annotations: imageVerify.Annotations,
Client: iv.rclient,
}
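Review bot: In buildCosignVerifier, `Repository: imageVerify.Repository` now passes an empty string straight through when a rule sets no repository, where the removed global fallback used to fill it in; policies that relied on the flag will presumably have their signatures looked up at cosign's default location and fail verification, which is the fail-closed direction but deserves an explicit release-note line. The exported ImageVerifier type and NewImageVerifier constructor also still lack doc comments, and since the constructor signature changes here this is a good moment to add e.g. `// NewImageVerifier constructs an ImageVerifier for a single rule of the given policy context.` buildCosignVerifier starts and ends outside the last hunk of this section.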
1 change: 0 additions & 1 deletion pkg/engine/mutation_test.go
Expand Up @@ -42,7 +42,6 @@ func testMutate(
imageverifycache.DisabledImageVerifyCache(),
contextLoader,
nil,
"",
)
return e.Mutate(
ctx,
1 change: 0 additions & 1 deletion pkg/engine/validation_test.go
Expand Up @@ -41,7 +41,6 @@ func testValidate(
imageverifycache.DisabledImageVerifyCache(),
contextLoader,
nil,
"",
)
return e.Validate(
ctx,
1 change: 0 additions & 1 deletion pkg/webhooks/resource/fake.go
Expand Up @@ -62,7 +62,6 @@ func NewFakeHandlers(ctx context.Context, policyCache policycache.Cache) webhook
imageverifycache.DisabledImageVerifyCache(),
factories.DefaultContextLoaderFactory(configMapResolver),
peLister,
"",
),
}
}
2 changes: 0 additions & 2 deletions pkg/webhooks/resource/validation_test.go
Expand Up @@ -1064,7 +1064,6 @@ func TestValidate_failure_action_overrides(t *testing.T) {
imageverifycache.DisabledImageVerifyCache(),
factories.DefaultContextLoaderFactory(nil),
nil,
"",
)
for i, tc := range testcases {
t.Run(fmt.Sprintf("case %d", i), func(t *testing.T) {
Expand Down Expand Up @@ -1167,7 +1166,6 @@ func Test_RuleSelector(t *testing.T) {
imageverifycache.DisabledImageVerifyCache(),
factories.DefaultContextLoaderFactory(nil),
nil,
"",
)
resp := eng.Validate(
context.TODO(),
