From 1d1342a0b829e97ccfa786220e52279e85bf85ac Mon Sep 17 00:00:00 2001 From: Michael Bridgen Date: Mon, 17 Feb 2020 15:08:31 +0000 Subject: [PATCH 1/4] Include --registry-include-image flag in reference docs --- docs/faq.md | 21 ++++++++++++++++++--- docs/references/daemon.md | 1 + 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/docs/faq.md b/docs/faq.md index fef989852..9f0afd71b 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -354,10 +354,25 @@ You can completely disable registry scanning by using the If you only want to disable scanning for certain images, don't set -`--registry-disable-scanning`. Instead, you can tell Flux what images to exclude -by supplying a list of glob expressions to the `--registry-exclude-image` flag. +`--registry-disable-scanning`. Instead, you can tell Flux what images +to include or exclude by supplying a list of glob expressions to the +`--registry-include-image` and `--registry-exclude-image` flags. -To exclude images from Docker Hub and Quay.io, use: + * `--registry-include-image` takes patterns to be included; no values + (the default) means "include everything". If you provide a pattern, + _only_ images matching the pattern will be included (less any that + are explicitly excluded); and, + * `--registry-exclude-image` takes patterns to be excludes; the + default is to exclude the Kubernetes base images (`k8s.gcr.io/*`). + +To include only images from Docker Hub organisation `exampledotcom`, +use: + +``` +--registry-include-image=docker.io/exampledotcom/* +``` + +To **exclude** images from Docker Hub and Quay.io, use: ``` --registry-exclude-image=docker.io/*,quay.io/* diff --git a/docs/references/daemon.md b/docs/references/daemon.md index 104ecc691..cc7e67e63 100644 --- a/docs/references/daemon.md +++ b/docs/references/daemon.md 
@@ -73,6 +73,7 @@ Version controlling of cluster manifests provides reproducibility and a historic
 | --registry-burst | `125` | maximum number of warmer connections to remote and memcache
 | --registry-insecure-host | [] | registry hosts to use HTTP for (instead of HTTPS)
 | --registry-exclude-image | `["k8s.gcr.io/*"]` | do not scan images that match these glob expressions
+| --registry-include-image | `nil` | scan _only_ images that match these glob expressions (the default, `nil`, means include everything)
 | --registry-use-labels | `["index.docker.io/weaveworks/*", "index.docker.io/fluxcd/*"]` | use the timestamp (RFC3339) from labels for (canonical) image refs that match these glob expressions
 | --docker-config | `""` | path to a Docker config file with default image registry credentials
 | --registry-ecr-region | `[]` | allow these AWS regions when scanning images from ECR (multiple values allowed); defaults to the detected cluster region

From 8d809027d62f641c88f73ac62093873be87222c8 Mon Sep 17 00:00:00 2001
From: Michael Bridgen
Date: Mon, 17 Feb 2020 15:11:38 +0000
Subject: [PATCH 2/4] Expose --registry-include-image in Helm chart

---
 chart/flux/README.md | 1 +
 chart/flux/templates/deployment.yaml | 3 +++
 chart/flux/values.yaml | 2 ++
 3 files changed, 6 insertions(+)

diff --git a/chart/flux/README.md b/chart/flux/README.md
index 17403b0e8..b7c0c09ce 100755
--- a/chart/flux/README.md
+++ b/chart/flux/README.md
@@ -241,6 +241,7 @@ The following tables lists the configurable parameters of the Flux chart and the
 | `registry.cacheExpiry` | `None` | Duration to keep cached image info (deprecated)
 | `registry.disableScanning` | `false` | Disable registry scanning completely. Flux will be deployed without memcached
 | `registry.excludeImage` | `None` | Do not scan images that match these glob expressions; if empty, 'k8s.gcr.io/*' images are excluded
+| `registry.includeImage` | `None` | Scan only images that match these glob expressions; if empty, all images are included
 | `registry.useTimestampLabels` | `None` | Allow usage of (RFC3339) timestamp labels from (canonical) image refs that match these glob expressions; if empty, 'index.docker.io/{weaveworks,fluxcd}/*' images are allowed
 | `registry.ecr.region` | `None` | Restrict ECR scanning to these AWS regions; if empty, only the cluster's region will be scanned
 | `registry.ecr.includeId` | `None` | Restrict ECR scanning to these AWS account IDs; if empty, all account IDs that aren't excluded may be scanned
diff --git a/chart/flux/templates/deployment.yaml b/chart/flux/templates/deployment.yaml
index e262e2916..aa84f160f 100644
--- a/chart/flux/templates/deployment.yaml
+++ b/chart/flux/templates/deployment.yaml
@@ -245,6 +245,9 @@ spec:
 {{- if .Values.registry.excludeImage }}
 - --registry-exclude-image={{ .Values.registry.excludeImage }}
 {{- end }}
+ {{- if .Values.registry.includeImage }}
+ - --registry-include-image={{ .Values.registry.includeImage }}
+ {{- end }}
 {{- if .Values.registry.useTimestampLabels }}
 - --registry-use-labels={{ .Values.registry.useTimestampLabels }}
 {{- end }}
diff --git a/chart/flux/values.yaml b/chart/flux/values.yaml
index 5d5a88c27..4ac489643 100644
--- a/chart/flux/values.yaml
+++ b/chart/flux/values.yaml
@@ -155,6 +155,8 @@ registry:
 disableScanning: false
 # Do not scan images that match these glob expressions
 excludeImage:
+ # Only scan images that match these glob expressions
+ includeImage:
 # Allow usage of (RFC3339) timestamp labels from (canonical) image refs that match these glob expressions
 useTimestampLabels:
 # AWS ECR settings

From 516612e0654cdc0cccc41f9bb8af2c2318b429af Mon Sep 17 00:00:00 2001
From: Michael Bridgen
Date: Mon, 17 Feb 2020 15:15:20 +0000
Subject: [PATCH 3/4] Give example of Helm value for including pattern

---
 docs/faq.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/docs/faq.md b/docs/faq.md
index 9f0afd71b..ae89316b1 100644
--- a/docs/faq.md
+++ b/docs/faq.md
@@ -384,6 +384,12 @@ Here is the Helm install equivalent (note the `\,` separator):
 --set registry.excludeImage="docker.io/*\,quay.io/*"
 ```
 
+... and similarly for `--registry-include-image`:
+
+```
+--set registry.includeImage="docker.io/exampledotcom/*"
+```
+
 To exclude images containing `test` in the FQN, use:
 
 ```

From 52fdf08a80e3d983dc6f99ed54f3e67885c3baa4 Mon Sep 17 00:00:00 2001
From: Michael Bridgen
Date: Mon, 17 Feb 2020 15:53:06 +0000
Subject: [PATCH 4/4] Rejig descriptions of the two image flags

---
 docs/faq.md | 43 ++++++++++++++++---------------------------
 1 file changed, 16 insertions(+), 27 deletions(-)

diff --git a/docs/faq.md b/docs/faq.md
index ae89316b1..7affd90d4 100644
--- a/docs/faq.md
+++ b/docs/faq.md
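Review bot: The comment added above `includeImage:` in chart/flux/values.yaml does not say that the value narrows scanning rather than widening it, nor that several patterns are joined by commas, and the bare empty value gives no hint of either. The FAQ text in this series states that once a pattern is given _only_ matching images are scanned, less any that `excludeImage` matches, and the examples pass multiple globs as a comma-separated value. Suggest `# Only scan images that match these glob expressions (comma-separated); if empty, all images are scanned` followed by `# Images matching excludeImage are still excluded`. The `registry.includeImage` row added to chart/flux/README.md would benefit from the same precedence hint.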
@@ -353,47 +353,36 @@ You can completely disable registry scanning by using the Memcached. -If you only want to disable scanning for certain images, don't set +If you only want to scan certain images, don't set `--registry-disable-scanning`. Instead, you can tell Flux what images to include or exclude by supplying a list of glob expressions to the -`--registry-include-image` and `--registry-exclude-image` flags. +`--registry-include-image` and `--registry-exclude-image` flags: - * `--registry-include-image` takes patterns to be included; no values - (the default) means "include everything". If you provide a pattern, - _only_ images matching the pattern will be included (less any that - are explicitly excluded); and, - * `--registry-exclude-image` takes patterns to be excludes; the - default is to exclude the Kubernetes base images (`k8s.gcr.io/*`). + * `--registry-exclude-image` takes patterns to be excluded; the + default is to exclude the Kubernetes base images (`k8s.gcr.io/*`); + and, + * `--registry-include-image` takes patterns to be included; no + patterns (the default) means "include everything". If you provide a + pattern, _only_ images matching the pattern will be included (less + any that are explicitly excluded). -To include only images from Docker Hub organisation `exampledotcom`, -use: +To restrict scanning to only images from organisations `example` and `example-dev`, +you might use: ``` ---registry-include-image=docker.io/exampledotcom/* +--registry-include-image=*/example/*,*/example-dev/* ``` -To **exclude** images from Docker Hub and Quay.io, use: +To exclude images from quay.io, use: ``` ---registry-exclude-image=docker.io/*,quay.io/* +--registry-exclude-image=quay.io/* ``` -Here is the Helm install equivalent (note the `\,` separator): +Here are the Helm install equivalents (note the `\,` separator): ``` ---set registry.excludeImage="docker.io/*\,quay.io/*" -``` - -... 
and similarly for `--registry-include-image`: - -``` ---set registry.includeImage="docker.io/exampledotcom/*" -``` - -To exclude images containing `test` in the FQN, use: - -``` ---registry-exclude-image=*test* +--set registry.includeImage="*/example/*\,*/example-dev/*" --set registry.excludeImage="quay.io/*" ``` ### Does Flux support Kustomize/Templating/My favorite manifest factorization technology?