kyverno/cmd/cli/kubectl-kyverno/commands/oci/push/options.go

package push

import (
	"context"
	"errors"
	"fmt"
	"os"

	"github.com/google/go-containerregistry/pkg/authn"
	"github.com/google/go-containerregistry/pkg/name"
	"github.com/google/go-containerregistry/pkg/v1/empty"
	"github.com/google/go-containerregistry/pkg/v1/mutate"
	"github.com/google/go-containerregistry/pkg/v1/remote"
	"github.com/google/go-containerregistry/pkg/v1/static"
	"github.com/google/go-containerregistry/pkg/v1/types"
	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/commands/oci/internal"
	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/policy"
	"github.com/kyverno/kyverno/pkg/config"
	policyutils "github.com/kyverno/kyverno/pkg/utils/policy"
	policyvalidation "github.com/kyverno/kyverno/pkg/validation/policy"
)

type options struct {
	imageRef string
}

func (o options) validate(policy string) error {
	if o.imageRef == "" {
		return errors.New("image is required")
	}
	if policy == "" {
		return errors.New("policy is required")
	}
	return nil
}

func (o options) execute(ctx context.Context, dir string, keychain authn.Keychain) error {
	results, err := policy.Load(nil, "", dir)
	if err != nil {
		return fmt.Errorf("unable to read policy file or directory %s (%w)", dir, err)
	}
	for _, policy := range results.Policies {
		sa := config.KyvernoUserName(config.KyvernoServiceAccountName())
		if _, err := policyvalidation.Validate(policy, nil, nil, nil, true, sa, sa); err != nil {
			return fmt.Errorf("validating policy %s: %v", policy.GetName(), err)
		}
	}
	img := mutate.MediaType(empty.Image, types.OCIManifestSchema1)
	img = mutate.ConfigMediaType(img, internal.PolicyConfigMediaType)
	ref, err := name.ParseReference(o.imageRef)
	if err != nil {
		return fmt.Errorf("parsing image reference: %v", err)
	}
	for _, policy := range results.Policies {
		if policy.IsNamespaced() {
			fmt.Fprintf(os.Stderr, "Adding policy [%s]\n", policy.GetName())
		} else {
			fmt.Fprintf(os.Stderr, "Adding cluster policy [%s]\n", policy.GetName())
		}
		policyBytes, err := policyutils.ToYaml(policy)
		if err != nil {
			return fmt.Errorf("converting policy to yaml: %v", err)
		}
		policyLayer := static.NewLayer(policyBytes, internal.PolicyLayerMediaType)
		img, err = mutate.Append(img, mutate.Addendum{
			Layer:       policyLayer,
			Annotations: internal.Annotations(policy),
		})
		if err != nil {
			return fmt.Errorf("mutating image: %v", err)
		}
	}
	fmt.Fprintf(os.Stderr, "Uploading [%s]...\n", ref.Name())
	if err = remote.Write(ref, img, remote.WithContext(ctx), remote.WithAuthFromKeychain(keychain)); err != nil {
		return fmt.Errorf("writing image: %v", err)
	}
	fmt.Fprintf(os.Stderr, "Done.")
	return nil
}
chore: add cli commands unit tests (#8366) * chore: add cli unit tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chore: add cli commands unit tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-09-12 23:47:03 +02:00			`package push`

			`import (`
			`"context"`
			`"errors"`
			`"fmt"`
			`"os"`

			`"github.com/google/go-containerregistry/pkg/authn"`
			`"github.com/google/go-containerregistry/pkg/name"`
			`"github.com/google/go-containerregistry/pkg/v1/empty"`
			`"github.com/google/go-containerregistry/pkg/v1/mutate"`
			`"github.com/google/go-containerregistry/pkg/v1/remote"`
			`"github.com/google/go-containerregistry/pkg/v1/static"`
			`"github.com/google/go-containerregistry/pkg/v1/types"`
			`"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/commands/oci/internal"`
			`"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/policy"`
			`"github.com/kyverno/kyverno/pkg/config"`
			`policyutils "github.com/kyverno/kyverno/pkg/utils/policy"`
			`policyvalidation "github.com/kyverno/kyverno/pkg/validation/policy"`
			`)`

			`type options struct {`
			`imageRef string`
			`}`

			`func (o options) validate(policy string) error {`
			`if o.imageRef == "" {`
			`return errors.New("image is required")`
			`}`
			`if policy == "" {`
			`return errors.New("policy is required")`
			`}`
			`return nil`
			`}`

			`func (o options) execute(ctx context.Context, dir string, keychain authn.Keychain) error {`
Fix cli load policies from fs (#10270) * skip invalid policy files Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix file-system policy loader Signed-off-by: Jim Bugwadia <jim@nirmata.com> * propagate policy schema error Signed-off-by: Jim Bugwadia <jim@nirmata.com> --------- Signed-off-by: Jim Bugwadia <jim@nirmata.com> 2024-05-21 00:17:49 -07:00			`results, err := policy.Load(nil, "", dir)`
chore: add cli commands unit tests (#8366) * chore: add cli unit tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chore: add cli commands unit tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-09-12 23:47:03 +02:00			`if err != nil {`
			`return fmt.Errorf("unable to read policy file or directory %s (%w)", dir, err)`
			`}`
Fix cli load policies from fs (#10270) * skip invalid policy files Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix file-system policy loader Signed-off-by: Jim Bugwadia <jim@nirmata.com> * propagate policy schema error Signed-off-by: Jim Bugwadia <jim@nirmata.com> --------- Signed-off-by: Jim Bugwadia <jim@nirmata.com> 2024-05-21 00:17:49 -07:00			`for _, policy := range results.Policies {`
remove wildcard permissions (#10785) * remove wildcard permissions Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update codegen Signed-off-by: Jim Bugwadia <jim@nirmata.com> * codegen Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix background controller perms Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove secrets perm Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix reports-controller role Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add wildcard check and limit generate policy checks based on `synchronize` Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update manifest Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix permissions Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix wildcard check Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update default QPS and burst for better performance and to prevent test failure Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test permissions Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test permissions Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test permissions Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test permissions Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test permissions Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test permissions Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test permissions Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix perms Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix perms Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test permissions Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test permissions Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix merge issues Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix merge issues Signed-off-by: Jim Bugwadia <jim@nirmata.com> --------- Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com> 2024-08-20 01:55:32 -07:00			`sa := config.KyvernoUserName(config.KyvernoServiceAccountName())`
			`if _, err := policyvalidation.Validate(policy, nil, nil, nil, true, sa, sa); err != nil {`
chore: add cli commands unit tests (#8366) * chore: add cli unit tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chore: add cli commands unit tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-09-12 23:47:03 +02:00			`return fmt.Errorf("validating policy %s: %v", policy.GetName(), err)`
			`}`
			`}`
			`img := mutate.MediaType(empty.Image, types.OCIManifestSchema1)`
			`img = mutate.ConfigMediaType(img, internal.PolicyConfigMediaType)`
			`ref, err := name.ParseReference(o.imageRef)`
			`if err != nil {`
			`return fmt.Errorf("parsing image reference: %v", err)`
			`}`
Fix cli load policies from fs (#10270) * skip invalid policy files Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix file-system policy loader Signed-off-by: Jim Bugwadia <jim@nirmata.com> * propagate policy schema error Signed-off-by: Jim Bugwadia <jim@nirmata.com> --------- Signed-off-by: Jim Bugwadia <jim@nirmata.com> 2024-05-21 00:17:49 -07:00			`for _, policy := range results.Policies {`
chore: add cli commands unit tests (#8366) * chore: add cli unit tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chore: add cli commands unit tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-09-12 23:47:03 +02:00			`if policy.IsNamespaced() {`
			`fmt.Fprintf(os.Stderr, "Adding policy [%s]\n", policy.GetName())`
			`} else {`
			`fmt.Fprintf(os.Stderr, "Adding cluster policy [%s]\n", policy.GetName())`
			`}`
			`policyBytes, err := policyutils.ToYaml(policy)`
			`if err != nil {`
			`return fmt.Errorf("converting policy to yaml: %v", err)`
			`}`
			`policyLayer := static.NewLayer(policyBytes, internal.PolicyLayerMediaType)`
			`img, err = mutate.Append(img, mutate.Addendum{`
			`Layer: policyLayer,`
			`Annotations: internal.Annotations(policy),`
			`})`
			`if err != nil {`
			`return fmt.Errorf("mutating image: %v", err)`
			`}`
			`}`
			`fmt.Fprintf(os.Stderr, "Uploading [%s]...\n", ref.Name())`
			`if err = remote.Write(ref, img, remote.WithContext(ctx), remote.WithAuthFromKeychain(keychain)); err != nil {`
			`return fmt.Errorf("writing image: %v", err)`
			`}`
			`fmt.Fprintf(os.Stderr, "Done.")`
			`return nil`
			`}`