Implement label whitelist in Helm chart

fluxcd · Jul 8, 2019 · eb2e499 · eb2e499
1 parent 507c661
commit eb2e499
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 0 deletions.
diff --git a/chart/flux/README.md b/chart/flux/README.md
@@ -234,6 +234,7 @@ The following tables lists the configurable parameters of the Flux chart and the
 | `registry.insecureHosts`                          | `None`                                               | Use HTTP rather than HTTPS for the image registry domains
 | `registry.cacheExpiry`                            | `None`                                               | Duration to keep cached image info (deprecated)
 | `registry.excludeImage`                           | `None`                                               | Do not scan images that match these glob expressions; if empty, 'k8s.gcr.io/*' images are excluded
+| `registry.useTimestampLabels`                     | `None`                                               | Allow usage of (RFC3339) timestamp labels from (canonical) image refs that match these glob expressions; if empty, 'index.docker.io/weaveworks/*' images are allowed
 | `registry.ecr.region`                             | `None`                                               | Restrict ECR scanning to these AWS regions; if empty, only the cluster's region will be scanned
 | `registry.ecr.includeId`                          | `None`                                               | Restrict ECR scanning to these AWS account IDs; if empty, all account IDs that aren't excluded may be scanned
 | `registry.ecr.excludeId`                          | `602401143452`                                       | Do not scan ECR for images in these AWS account IDs; the default is to exclude the EKS system account

diff --git a/chart/flux/templates/deployment.yaml b/chart/flux/templates/deployment.yaml
@@ -199,6 +199,9 @@ spec:
           {{- if .Values.registry.excludeImage }}
           - --registry-exclude-image={{ .Values.registry.excludeImage }}
           {{- end }}
+          {{- if .Values.registry.useTimestampLabels }}
+          - --registry-use-labels={{ .Values.registry.useTimestampLabels }}
+          {{- end }}
           {{- if .Values.registry.ecr.region }}
           - --registry-ecr-region={{ .Values.registry.ecr.region }}
           {{- end }}

diff --git a/chart/flux/values.yaml b/chart/flux/values.yaml
@@ -184,6 +184,8 @@ registry:
   cacheExpiry:
   # Do not scan images that match these glob expressions
   excludeImage:
+  # Allow usage of (RFC3339) timestamp labels from (canonical) image refs that match these glob expressions
+  useTimestampLabels:
   # AWS ECR settings
   ecr:
     region: