From eb2e49981f50564935dc93da6fcdb7b2b633d211 Mon Sep 17 00:00:00 2001
From: Hidde Beydals
Date: Fri, 21 Jun 2019 13:30:55 +0200
Subject: [PATCH] Implement label whitelist in Helm chart
---
 chart/flux/README.md | 1 +
 chart/flux/templates/deployment.yaml | 3 +++
 chart/flux/values.yaml | 2 ++
 3 files changed, 6 insertions(+)
diff --git a/chart/flux/README.md b/chart/flux/README.md
index 7257d1b10..94d3fa78d 100755
--- a/chart/flux/README.md
+++ b/chart/flux/README.md
@@ -234,6 +234,7 @@ The following tables lists the configurable parameters of the Flux chart and the
 | `registry.insecureHosts` | `None` | Use HTTP rather than HTTPS for the image registry domains
 | `registry.cacheExpiry` | `None` | Duration to keep cached image info (deprecated)
 | `registry.excludeImage` | `None` | Do not scan images that match these glob expressions; if empty, 'k8s.gcr.io/*' images are excluded
+| `registry.useTimestampLabels` | `None` | Allow usage of (RFC3339) timestamp labels from (canonical) image refs that match these glob expressions; if empty, 'index.docker.io/weaveworks/*' images are allowed
 | `registry.ecr.region` | `None` | Restrict ECR scanning to these AWS regions; if empty, only the cluster's region will be scanned
 | `registry.ecr.includeId` | `None` | Restrict ECR scanning to these AWS account IDs; if empty, all account IDs that aren't excluded may be scanned
 | `registry.ecr.excludeId` | `602401143452` | Do not scan ECR for images in these AWS account IDs; the default is to exclude the EKS system account
diff --git a/chart/flux/templates/deployment.yaml b/chart/flux/templates/deployment.yaml
index 4000938f2..5b44f4778 100644
--- a/chart/flux/templates/deployment.yaml
+++ b/chart/flux/templates/deployment.yaml
@@ -199,6 +199,9 @@ spec:
 {{- if .Values.registry.excludeImage }}
 - --registry-exclude-image={{ .Values.registry.excludeImage }}
 {{- end }}
+ {{- if .Values.registry.useTimestampLabels }}
+ - --registry-use-labels={{ .Values.registry.useTimestampLabels }}
+ {{- end }}
 {{- if .Values.registry.ecr.region }}
 - --registry-ecr-region={{ .Values.registry.ecr.region }}
 {{- end }}
diff --git a/chart/flux/values.yaml b/chart/flux/values.yaml
index 9389c8dad..285c669ab 100644
--- a/chart/flux/values.yaml
+++ b/chart/flux/values.yaml
@@ -184,6 +184,8 @@ registry:
 cacheExpiry:
 # Do not scan images that match these glob expressions
 excludeImage:
+ # Allow usage of (RFC3339) timestamp labels from (canonical) image refs that match these glob expressions
+ useTimestampLabels:
 # AWS ECR settings
 ecr:
 region:
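Review bot: `- --registry-use-labels={{ .Values.registry.useTimestampLabels }}` interpolates the value with no `quote` or `join`, so a user who supplies `useTimestampLabels` as a YAML list (the README row in this patch speaks of "these glob expressions", plural) gets a Go-slice rendering such as `[a b]` instead of a usable flag value, and the chart gives no error. The line mirrors the existing `--registry-exclude-image` handling, so a single comma-separated string is presumably the intended input; either document that form next to the key, or accept lists explicitly with `{{ .Values.registry.useTimestampLabels | join "," }}` (note `join` on a plain string fails at render time, so pick one contract). Because the timestamp labels are read from the image metadata and are set by whoever builds and pushes that image, widening this glob presumably widens whose label values Flux trusts for ordering; the rendered template should be checked against that trust boundary, not just for syntax. The enclosing container `args` block starts and ends outside the hunk.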
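Review bot: The comment above the new `useTimestampLabels:` key describes the glob match but not that a non-empty value replaces the default `index.docker.io/weaveworks/*` (per the README row in this patch), nor that the labels being trusted are supplied by the image publisher. Suggest extending it to `# Allow usage of (RFC3339) timestamp labels from (canonical) image refs that match these glob expressions.` followed by `# A non-empty value overrides the default 'index.docker.io/weaveworks/*'; labels come from the image itself, so list only repositories whose publishers you trust to set accurate timestamps.` The bare `useTimestampLabels:` renders as null, which the template's `{{- if }}` guard skips, consistent with the sibling keys `cacheExpiry:` and `excludeImage:`, so no change to the value itself is needed.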