kyverno/cmd/cli/kubectl-kyverno/commands/oci/pull/command.go

package pull

import (
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"

	securejoin "github.com/cyphar/filepath-securejoin"
	"github.com/google/go-containerregistry/pkg/authn"
	"github.com/google/go-containerregistry/pkg/name"
	"github.com/google/go-containerregistry/pkg/v1/remote"
	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/commands/oci/internal"
	cobrautils "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/cobra"
	policyutils "github.com/kyverno/kyverno/pkg/utils/policy"
	yamlutils "github.com/kyverno/kyverno/pkg/utils/yaml"
	"github.com/spf13/cobra"
)

func Command(keychain authn.Keychain) *cobra.Command {
	var dir string
	var imageRef string
	cmd := &cobra.Command{
		Use:     "pull",
		Short:   cobrautils.FormatDescription(true, websiteUrl, true, description...),
		Long:    cobrautils.FormatDescription(false, websiteUrl, true, description...),
		Example: cobrautils.FormatExamples(examples...),
		RunE: func(cmd *cobra.Command, args []string) error {
			if imageRef == "" {
				return errors.New("image reference is required")
			}

			dir = filepath.Clean(dir)
			if !filepath.IsAbs(dir) {
				cwd, err := os.Getwd()
				if err != nil {
					return err
				}

				dir, err = securejoin.SecureJoin(cwd, dir)
				if err != nil {
					return err
				}
			}

			fi, err := os.Lstat(dir)
			// Dir does not need to exist, as it can later be created.
			if err != nil && errors.Is(err, os.ErrNotExist) {
				if err := os.MkdirAll(dir, 0o750); err != nil {
					return fmt.Errorf("unable to create directory %s: %w", dir, err)
				}
			}

			if err == nil && !fi.IsDir() {
				return fmt.Errorf("dir '%s' must be a directory", dir)
			}

			ref, err := name.ParseReference(imageRef)
			if err != nil {
				return fmt.Errorf("parsing image reference: %v", err)
			}

			fmt.Fprintf(os.Stderr, "Downloading policies from an image [%s]...\n", ref.Name())
			rmt, err := remote.Get(ref, remote.WithContext(cmd.Context()), remote.WithAuthFromKeychain(keychain))
			if err != nil {
				return fmt.Errorf("getting image: %v", err)
			}

			img, err := rmt.Image()
			if err != nil {
				return fmt.Errorf("getting image: %v", err)
			}

			l, err := img.Layers()
			if err != nil {
				return fmt.Errorf("getting image layers: %v", err)
			}

			for _, layer := range l {
				lmt, err := layer.MediaType()
				if err != nil {
					return fmt.Errorf("getting layer media type: %v", err)
				}

				if lmt == internal.PolicyLayerMediaType {
					blob, err := layer.Compressed()
					if err != nil {
						return fmt.Errorf("getting layer blob: %v", err)
					}
					defer blob.Close()

					layerBytes, err := io.ReadAll(blob)
					if err != nil {
						return fmt.Errorf("reading layer blob: %v", err)
					}
					policies, _, err := yamlutils.GetPolicy(layerBytes)
					if err != nil {
						return fmt.Errorf("unmarshaling layer blob: %v", err)
					}
					for _, policy := range policies {
						policyBytes, err := policyutils.ToYaml(policy)
						if err != nil {
							return fmt.Errorf("converting policy to yaml: %v", err)
						}
						pp := filepath.Join(dir, policy.GetName()+".yaml")
						fmt.Fprintf(os.Stderr, "Saving policy into disk [%s]...\n", pp)
						if err := os.WriteFile(pp, policyBytes, 0o600); err != nil {
							return fmt.Errorf("creating file: %v", err)
						}
					}
				}
			}
			fmt.Fprintf(os.Stderr, "Done.")
			return nil
		},
	}
	cmd.Flags().StringVarP(&dir, "directory", "d", ".", "path to a directory")
	cmd.Flags().StringVarP(&imageRef, "image", "i", "", "image reference to push to or pull from")
	return cmd
}
refactor: CLI oci commands (#8224) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-09-03 23:21:40 +02:00			`package pull`
feat: oci pull/push support for policie(s) (#5026) Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-10-24 21:47:20 +03:00
			`import (`
			`"errors"`
			`"fmt"`
			`"io"`
			`"os"`
			`"path/filepath"`

			`securejoin "github.com/cyphar/filepath-securejoin"`
refactor: CLI oci commands (#8224) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-09-03 23:21:40 +02:00			`"github.com/google/go-containerregistry/pkg/authn"`
feat: oci pull/push support for policie(s) (#5026) Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-10-24 21:47:20 +03:00			`"github.com/google/go-containerregistry/pkg/name"`
			`"github.com/google/go-containerregistry/pkg/v1/remote"`
refactor: move all cli commands in a commands package (#8231) * chore: name all cli command files the same Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: move all cli commands in a commands package Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * root Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-09-04 17:15:55 +02:00			`"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/commands/oci/internal"`
docs: improve cli commands docs (#8259) * chore: improve cli commands docs Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * docs Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * experimental Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * version Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * unit tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * oci Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * oci Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * jp Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * apply Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * create Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-09-05 04:14:28 +02:00			`cobrautils "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/cobra"`
feat: create a policy utils package (#5473) * feat: create a policy utils package Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * added comment Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2022-11-25 13:46:02 +01:00			`policyutils "github.com/kyverno/kyverno/pkg/utils/policy"`
fix: reading policies for oci command and pushing image (#5435) * fix: reading policies for oci command and pushing image Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> 2022-11-24 16:54:56 +01:00			`yamlutils "github.com/kyverno/kyverno/pkg/utils/yaml"`
feat: oci pull/push support for policie(s) (#5026) Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-10-24 21:47:20 +03:00			`"github.com/spf13/cobra"`
			`)`

refactor: CLI oci commands (#8224) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-09-03 23:21:40 +02:00			`func Command(keychain authn.Keychain) *cobra.Command {`
			`var dir string`
			`var imageRef string`
feat: oci pull/push support for policie(s) (#5026) Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-10-24 21:47:20 +03:00			`cmd := &cobra.Command{`
docs: improve cli commands docs (#8259) * chore: improve cli commands docs Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * docs Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * experimental Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * version Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * unit tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * oci Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * oci Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * jp Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * apply Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * create Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-09-05 04:14:28 +02:00			`Use: "pull",`
			`Short: cobrautils.FormatDescription(true, websiteUrl, true, description...),`
			`Long: cobrautils.FormatDescription(false, websiteUrl, true, description...),`
			`Example: cobrautils.FormatExamples(examples...),`
feat: oci pull/push support for policie(s) (#5026) Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-10-24 21:47:20 +03:00			`RunE: func(cmd *cobra.Command, args []string) error {`
			`if imageRef == "" {`
			`return errors.New("image reference is required")`
			`}`

			`dir = filepath.Clean(dir)`
			`if !filepath.IsAbs(dir) {`
			`cwd, err := os.Getwd()`
			`if err != nil {`
			`return err`
			`}`

			`dir, err = securejoin.SecureJoin(cwd, dir)`
			`if err != nil {`
			`return err`
			`}`
			`}`

			`fi, err := os.Lstat(dir)`
			`// Dir does not need to exist, as it can later be created.`
			`if err != nil && errors.Is(err, os.ErrNotExist) {`
			`if err := os.MkdirAll(dir, 0o750); err != nil {`
			`return fmt.Errorf("unable to create directory %s: %w", dir, err)`
			`}`
			`}`

			`if err == nil && !fi.IsDir() {`
			`return fmt.Errorf("dir '%s' must be a directory", dir)`
			`}`

			`ref, err := name.ParseReference(imageRef)`
			`if err != nil {`
			`return fmt.Errorf("parsing image reference: %v", err)`
			`}`

enhance logging, fix pull flag description (#5797) Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> 2022-12-28 12:58:51 +03:00			`fmt.Fprintf(os.Stderr, "Downloading policies from an image [%s]...\n", ref.Name())`
fix: reading policies for oci command and pushing image (#5435) * fix: reading policies for oci command and pushing image Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> 2022-11-24 16:54:56 +01:00			`rmt, err := remote.Get(ref, remote.WithContext(cmd.Context()), remote.WithAuthFromKeychain(keychain))`
feat: oci pull/push support for policie(s) (#5026) Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-10-24 21:47:20 +03:00			`if err != nil {`
			`return fmt.Errorf("getting image: %v", err)`
			`}`

			`img, err := rmt.Image()`
			`if err != nil {`
			`return fmt.Errorf("getting image: %v", err)`
			`}`

			`l, err := img.Layers()`
			`if err != nil {`
			`return fmt.Errorf("getting image layers: %v", err)`
			`}`

			`for _, layer := range l {`
			`lmt, err := layer.MediaType()`
			`if err != nil {`
			`return fmt.Errorf("getting layer media type: %v", err)`
			`}`

refactor: CLI oci commands (#8224) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-09-03 23:21:40 +02:00			`if lmt == internal.PolicyLayerMediaType {`
feat: oci pull/push support for policie(s) (#5026) Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-10-24 21:47:20 +03:00			`blob, err := layer.Compressed()`
			`if err != nil {`
			`return fmt.Errorf("getting layer blob: %v", err)`
			`}`
			`defer blob.Close()`

fix: reading policies for oci command and pushing image (#5435) * fix: reading policies for oci command and pushing image Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> 2022-11-24 16:54:56 +01:00			`layerBytes, err := io.ReadAll(blob)`
feat: oci pull/push support for policie(s) (#5026) Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-10-24 21:47:20 +03:00			`if err != nil {`
			`return fmt.Errorf("reading layer blob: %v", err)`
			`}`
Supporting ValidatingAdmissionPolicy in kyverno cli (apply and test command) (#6656) * feat: add policy reporter to the dev lab Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: remove obsolete structs from CLI Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * more Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * Supporting ValidatingAdmissionPolicy in kyverno apply Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * chore: bump k8s from v0.26.3 to v0.27.0-rc.0 Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Support validating admission policy in kyverno apply Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Support validating admission policy in kyverno test Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * refactoring Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Adding kyverno apply tests for validating admission policy Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * fix Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * fix Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * running codegen-all Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * fix Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Adding IsVap field in TestResults Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * chore: bump k8s from v0.27.0-rc.0 to v0.27.1 Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * fix Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * fix Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Fix vap in engine response Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2023-05-10 11:12:53 +03:00			`policies, _, err := yamlutils.GetPolicy(layerBytes)`
fix: reading policies for oci command and pushing image (#5435) * fix: reading policies for oci command and pushing image Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> 2022-11-24 16:54:56 +01:00			`if err != nil {`
feat: oci pull/push support for policie(s) (#5026) Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-10-24 21:47:20 +03:00			`return fmt.Errorf("unmarshaling layer blob: %v", err)`
			`}`
fix: reading policies for oci command and pushing image (#5435) * fix: reading policies for oci command and pushing image Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> 2022-11-24 16:54:56 +01:00			`for _, policy := range policies {`
feat: create a policy utils package (#5473) * feat: create a policy utils package Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * added comment Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2022-11-25 13:46:02 +01:00			`policyBytes, err := policyutils.ToYaml(policy)`
fix: reading policies for oci command and pushing image (#5435) * fix: reading policies for oci command and pushing image Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> 2022-11-24 16:54:56 +01:00			`if err != nil {`
feat: create a policy utils package (#5473) * feat: create a policy utils package Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * added comment Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2022-11-25 13:46:02 +01:00			`return fmt.Errorf("converting policy to yaml: %v", err)`
fix: reading policies for oci command and pushing image (#5435) * fix: reading policies for oci command and pushing image Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> 2022-11-24 16:54:56 +01:00			`}`
enhance logging, fix pull flag description (#5797) Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> 2022-12-28 12:58:51 +03:00			`pp := filepath.Join(dir, policy.GetName()+".yaml")`
			`fmt.Fprintf(os.Stderr, "Saving policy into disk [%s]...\n", pp)`
			`if err := os.WriteFile(pp, policyBytes, 0o600); err != nil {`
fix: reading policies for oci command and pushing image (#5435) * fix: reading policies for oci command and pushing image Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> 2022-11-24 16:54:56 +01:00			`return fmt.Errorf("creating file: %v", err)`
			`}`
feat: oci pull/push support for policie(s) (#5026) Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-10-24 21:47:20 +03:00			`}`
			`}`
			`}`
enhance logging, fix pull flag description (#5797) Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> 2022-12-28 12:58:51 +03:00			`fmt.Fprintf(os.Stderr, "Done.")`
feat: oci pull/push support for policie(s) (#5026) Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-10-24 21:47:20 +03:00			`return nil`
			`},`
			`}`
			`cmd.Flags().StringVarP(&dir, "directory", "d", ".", "path to a directory")`
refactor: CLI oci commands (#8224) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-09-03 23:21:40 +02:00			`cmd.Flags().StringVarP(&imageRef, "image", "i", "", "image reference to push to or pull from")`
feat: oci pull/push support for policie(s) (#5026) Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-10-24 21:47:20 +03:00			`return cmd`
			`}`