kyverno/pkg/registryclient/client.go

package registryclient

import (
	"context"
	"io/ioutil"

	"github.com/google/go-containerregistry/pkg/authn/github"

	ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
	"github.com/chrismellard/docker-credential-acr-env/pkg/credhelper"
	"github.com/google/go-containerregistry/pkg/authn"
	kauth "github.com/google/go-containerregistry/pkg/authn/kubernetes"
	"github.com/google/go-containerregistry/pkg/v1/google"
	"github.com/pkg/errors"
	"k8s.io/client-go/kubernetes"
)

var (
	Secrets []string

	kubeClient     kubernetes.Interface
	namespace      string
	serviceAccount string

	defaultKeychain = authn.NewMultiKeychain(
		authn.DefaultKeychain,
		google.Keychain,
		authn.NewKeychainFromHelper(ecr.NewECRHelper(ecr.WithLogger(ioutil.Discard))),
		authn.NewKeychainFromHelper(credhelper.NewACRCredentialsHelper()),
		github.Keychain,
	)

	DefaultKeychain = defaultKeychain
)

// InitializeLocal loads the docker credentials and initializes the default auth method for container registry API calls
func InitializeLocal() {
	DefaultKeychain = authn.DefaultKeychain
}

// Initialize loads the image pull secrets and initializes the default auth method for container registry API calls
func Initialize(client kubernetes.Interface, ns, sa string, imagePullSecrets []string) error {
	kubeClient = client
	namespace = ns
	serviceAccount = sa
	Secrets = imagePullSecrets

	var kc authn.Keychain
	kcOpts := kauth.Options{
		Namespace:          namespace,
		ServiceAccountName: serviceAccount,
		ImagePullSecrets:   imagePullSecrets,
	}

	kc, err := kauth.New(context.Background(), client, kcOpts)
	if err != nil {
		return errors.Wrap(err, "failed to initialize registry keychain")
	}

	DefaultKeychain = authn.NewMultiKeychain(
		defaultKeychain,
		kc,
	)

	return nil
}

// UpdateKeychain reinitializes the image pull secrets and default auth method for container registry API calls
func UpdateKeychain() error {
	var err = Initialize(kubeClient, namespace, serviceAccount, Secrets)
	if err != nil {
		return err
	}
	return nil
}
Add image data to validate image configs (#2946) * Add image data to validate image configs Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> * Add tests for image context Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> * Add e2e test cases for image size policy Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> 2022-01-17 04:06:44 +00:00			`package registryclient`

			`import (`
			`"context"`
Multiple keys (#3636) * fix autogen check Signed-off-by: Jim Bugwadia <jim@nirmata.com> * allow multiple keys and fix root/intermediate certs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make issuer/subject optional Signed-off-by: Jim Bugwadia <jim@nirmata.com> * enable CTLog options Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix split Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make codegen Signed-off-by: Jim Bugwadia <jim@nirmata.com> * rename CTLog -> Rekor Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * api/kyverno/v1/image_verification_test.go Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> 2022-04-22 00:10:02 -07:00			`"io/ioutil"`

			`"github.com/google/go-containerregistry/pkg/authn/github"`
Add image data to validate image configs (#2946) * Add image data to validate image configs Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> * Add tests for image context Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> * Add e2e test cases for image size policy Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> 2022-01-17 04:06:44 +00:00
Add cloud provider keychains to DefaultKeychain (#3116) Removes the need to specify an image pull secret to make use of cloud provider credentials. As I understand it, this should be fine outside of cloud provider contexts. As part of this, I've switched to using authn/kubernetes, which I believe is preferable to k8schain. Signed-off-by: Rob Best <robertbest89@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2022-01-28 19:33:27 +00:00			`ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"`
			`"github.com/chrismellard/docker-credential-acr-env/pkg/credhelper"`
Add image data to validate image configs (#2946) * Add image data to validate image configs Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> * Add tests for image context Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> * Add e2e test cases for image size policy Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> 2022-01-17 04:06:44 +00:00			`"github.com/google/go-containerregistry/pkg/authn"`
Add cloud provider keychains to DefaultKeychain (#3116) Removes the need to specify an image pull secret to make use of cloud provider credentials. As I understand it, this should be fine outside of cloud provider contexts. As part of this, I've switched to using authn/kubernetes, which I believe is preferable to k8schain. Signed-off-by: Rob Best <robertbest89@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2022-01-28 19:33:27 +00:00			`kauth "github.com/google/go-containerregistry/pkg/authn/kubernetes"`
			`"github.com/google/go-containerregistry/pkg/v1/google"`
Add image data to validate image configs (#2946) * Add image data to validate image configs Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> * Add tests for image context Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> * Add e2e test cases for image size policy Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> 2022-01-17 04:06:44 +00:00			`"github.com/pkg/errors"`
			`"k8s.io/client-go/kubernetes"`
			`)`

			`var (`
			`Secrets []string`

Multiple keys (#3636) * fix autogen check Signed-off-by: Jim Bugwadia <jim@nirmata.com> * allow multiple keys and fix root/intermediate certs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make issuer/subject optional Signed-off-by: Jim Bugwadia <jim@nirmata.com> * enable CTLog options Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix split Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make codegen Signed-off-by: Jim Bugwadia <jim@nirmata.com> * rename CTLog -> Rekor Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * api/kyverno/v1/image_verification_test.go Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> 2022-04-22 00:10:02 -07:00			`kubeClient kubernetes.Interface`
			`namespace string`
			`serviceAccount string`
Add cloud provider keychains to DefaultKeychain (#3116) Removes the need to specify an image pull secret to make use of cloud provider credentials. As I understand it, this should be fine outside of cloud provider contexts. As part of this, I've switched to using authn/kubernetes, which I believe is preferable to k8schain. Signed-off-by: Rob Best <robertbest89@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2022-01-28 19:33:27 +00:00
Multiple keys (#3636) * fix autogen check Signed-off-by: Jim Bugwadia <jim@nirmata.com> * allow multiple keys and fix root/intermediate certs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make issuer/subject optional Signed-off-by: Jim Bugwadia <jim@nirmata.com> * enable CTLog options Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix split Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make codegen Signed-off-by: Jim Bugwadia <jim@nirmata.com> * rename CTLog -> Rekor Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * api/kyverno/v1/image_verification_test.go Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> 2022-04-22 00:10:02 -07:00			`defaultKeychain = authn.NewMultiKeychain(`
Add cloud provider keychains to DefaultKeychain (#3116) Removes the need to specify an image pull secret to make use of cloud provider credentials. As I understand it, this should be fine outside of cloud provider contexts. As part of this, I've switched to using authn/kubernetes, which I believe is preferable to k8schain. Signed-off-by: Rob Best <robertbest89@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2022-01-28 19:33:27 +00:00			`authn.DefaultKeychain,`
			`google.Keychain,`
Multiple keys (#3636) * fix autogen check Signed-off-by: Jim Bugwadia <jim@nirmata.com> * allow multiple keys and fix root/intermediate certs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make issuer/subject optional Signed-off-by: Jim Bugwadia <jim@nirmata.com> * enable CTLog options Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix split Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make codegen Signed-off-by: Jim Bugwadia <jim@nirmata.com> * rename CTLog -> Rekor Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * api/kyverno/v1/image_verification_test.go Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> 2022-04-22 00:10:02 -07:00			`authn.NewKeychainFromHelper(ecr.NewECRHelper(ecr.WithLogger(ioutil.Discard))),`
			`authn.NewKeychainFromHelper(credhelper.NewACRCredentialsHelper()),`
			`github.Keychain,`
Add cloud provider keychains to DefaultKeychain (#3116) Removes the need to specify an image pull secret to make use of cloud provider credentials. As I understand it, this should be fine outside of cloud provider contexts. As part of this, I've switched to using authn/kubernetes, which I believe is preferable to k8schain. Signed-off-by: Rob Best <robertbest89@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2022-01-28 19:33:27 +00:00			`)`
Multiple keys (#3636) * fix autogen check Signed-off-by: Jim Bugwadia <jim@nirmata.com> * allow multiple keys and fix root/intermediate certs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make issuer/subject optional Signed-off-by: Jim Bugwadia <jim@nirmata.com> * enable CTLog options Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix split Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make codegen Signed-off-by: Jim Bugwadia <jim@nirmata.com> * rename CTLog -> Rekor Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * api/kyverno/v1/image_verification_test.go Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> 2022-04-22 00:10:02 -07:00
			`DefaultKeychain = defaultKeychain`
Add image data to validate image configs (#2946) * Add image data to validate image configs Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> * Add tests for image context Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> * Add e2e test cases for image size policy Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> 2022-01-17 04:06:44 +00:00			`)`

Add a registry flag to allow direct access to container registries in the CLI (#3396) * Add a registry flag to allow direct access to container registries in the CLI Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> 2022-03-16 09:56:47 +05:30			`// InitializeLocal loads the docker credentials and initializes the default auth method for container registry API calls`
			`func InitializeLocal() {`
			`DefaultKeychain = authn.DefaultKeychain`
			`}`

Add image data to validate image configs (#2946) * Add image data to validate image configs Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> * Add tests for image context Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> * Add e2e test cases for image size policy Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> 2022-01-17 04:06:44 +00:00			`// Initialize loads the image pull secrets and initializes the default auth method for container registry API calls`
Multiple keys (#3636) * fix autogen check Signed-off-by: Jim Bugwadia <jim@nirmata.com> * allow multiple keys and fix root/intermediate certs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make issuer/subject optional Signed-off-by: Jim Bugwadia <jim@nirmata.com> * enable CTLog options Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix split Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make codegen Signed-off-by: Jim Bugwadia <jim@nirmata.com> * rename CTLog -> Rekor Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * api/kyverno/v1/image_verification_test.go Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> 2022-04-22 00:10:02 -07:00			`func Initialize(client kubernetes.Interface, ns, sa string, imagePullSecrets []string) error {`
Add image data to validate image configs (#2946) * Add image data to validate image configs Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> * Add tests for image context Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> * Add e2e test cases for image size policy Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> 2022-01-17 04:06:44 +00:00			`kubeClient = client`
Multiple keys (#3636) * fix autogen check Signed-off-by: Jim Bugwadia <jim@nirmata.com> * allow multiple keys and fix root/intermediate certs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make issuer/subject optional Signed-off-by: Jim Bugwadia <jim@nirmata.com> * enable CTLog options Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix split Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make codegen Signed-off-by: Jim Bugwadia <jim@nirmata.com> * rename CTLog -> Rekor Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * api/kyverno/v1/image_verification_test.go Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> 2022-04-22 00:10:02 -07:00			`namespace = ns`
			`serviceAccount = sa`
Add image data to validate image configs (#2946) * Add image data to validate image configs Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> * Add tests for image context Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> * Add e2e test cases for image size policy Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> 2022-01-17 04:06:44 +00:00			`Secrets = imagePullSecrets`

			`var kc authn.Keychain`
Add cloud provider keychains to DefaultKeychain (#3116) Removes the need to specify an image pull secret to make use of cloud provider credentials. As I understand it, this should be fine outside of cloud provider contexts. As part of this, I've switched to using authn/kubernetes, which I believe is preferable to k8schain. Signed-off-by: Rob Best <robertbest89@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2022-01-28 19:33:27 +00:00			`kcOpts := kauth.Options{`
Add image data to validate image configs (#2946) * Add image data to validate image configs Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> * Add tests for image context Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> * Add e2e test cases for image size policy Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> 2022-01-17 04:06:44 +00:00			`Namespace: namespace,`
			`ServiceAccountName: serviceAccount,`
			`ImagePullSecrets: imagePullSecrets,`
			`}`

Add cloud provider keychains to DefaultKeychain (#3116) Removes the need to specify an image pull secret to make use of cloud provider credentials. As I understand it, this should be fine outside of cloud provider contexts. As part of this, I've switched to using authn/kubernetes, which I believe is preferable to k8schain. Signed-off-by: Rob Best <robertbest89@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2022-01-28 19:33:27 +00:00			`kc, err := kauth.New(context.Background(), client, kcOpts)`
Add image data to validate image configs (#2946) * Add image data to validate image configs Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> * Add tests for image context Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> * Add e2e test cases for image size policy Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> 2022-01-17 04:06:44 +00:00			`if err != nil {`
			`return errors.Wrap(err, "failed to initialize registry keychain")`
			`}`

Add cloud provider keychains to DefaultKeychain (#3116) Removes the need to specify an image pull secret to make use of cloud provider credentials. As I understand it, this should be fine outside of cloud provider contexts. As part of this, I've switched to using authn/kubernetes, which I believe is preferable to k8schain. Signed-off-by: Rob Best <robertbest89@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2022-01-28 19:33:27 +00:00			`DefaultKeychain = authn.NewMultiKeychain(`
			`defaultKeychain,`
			`kc,`
			`)`

Add image data to validate image configs (#2946) * Add image data to validate image configs Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> * Add tests for image context Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> * Add e2e test cases for image size policy Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> 2022-01-17 04:06:44 +00:00			`return nil`
			`}`

			`// UpdateKeychain reinitializes the image pull secrets and default auth method for container registry API calls`
			`func UpdateKeychain() error {`
Multiple keys (#3636) * fix autogen check Signed-off-by: Jim Bugwadia <jim@nirmata.com> * allow multiple keys and fix root/intermediate certs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make issuer/subject optional Signed-off-by: Jim Bugwadia <jim@nirmata.com> * enable CTLog options Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix split Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make codegen Signed-off-by: Jim Bugwadia <jim@nirmata.com> * rename CTLog -> Rekor Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * api/kyverno/v1/image_verification_test.go Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> 2022-04-22 00:10:02 -07:00			`var err = Initialize(kubeClient, namespace, serviceAccount, Secrets)`
Add image data to validate image configs (#2946) * Add image data to validate image configs Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> * Add tests for image context Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> * Add e2e test cases for image size policy Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> 2022-01-17 04:06:44 +00:00			`if err != nil {`
			`return err`
			`}`
			`return nil`
			`}`