mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-13 19:28:55 +00:00
feat: add custom keychains using fluxcd/oci/auth package (#7908)
* feat:add usage of flux auth package for creating keychain
for every oci provider, we will create a client from flux and use its login() method
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* feat: add registry checking
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* bug: update azure keychain to return anonymous kc
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* bug: remove google keychain
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* bug: kubeconfig redefined
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* bug: fix kubeconfig flag being double defined
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* updated comments (#7902)
Signed-off-by: hackeramitkumar <amit9116260192@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
* chore(deps): bump google.golang.org/grpc from 1.56.2 to 1.57.0 (#7918)
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.56.2 to 1.57.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.56.2...v1.57.0)
---
updated-dependencies:
- dependency-name: google.golang.org/grpc
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump github.com/go-git/go-git/v5 from 5.8.0 to 5.8.1 (#7919)
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.8.0 to 5.8.1.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](https://github.com/go-git/go-git/compare/v5.8.0...v5.8.1)
---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: shuting <shuting@nirmata.com>
* refactor validating admission policies (#7835)
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
* feat: update default keychain in registry to be empty (#7906)
* feat: update default keychain to be empty
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* feat: update registryCredentialHelpers description
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
---------
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* fix: rename vap to its full name (#7929)
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
* fix(chart): only create ServiceMonitor if cluster supports it (#7926)
* fix: only create ServiceMonitor if cluster supports it
Adds an additional check to the ServiceMonitor template to ensure that
the cluster supports the `monitoring.coreos.com/v1` API version.
Signed-off-by: Alexej Disterhoft <alexej@disterhoft.de>
* add IITS Consulting as adopter from Google Form (#7932)
Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* Adding other folder's subfolders to workflows/conformance.yaml's tests array (#7927)
Signed-off-by: Pradyot Ranjan <99216956+pradyotRanjan@users.noreply.github.com>
Co-authored-by: Pradyot Ranjan <99216956+pradyotRanjan@users.noreply.github.com>
Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Co-authored-by: Chip Zoller <chipzoller@gmail.com>
* feat: add create metrics-config cli command (#7782)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* chore(deps): bump svenstaro/upload-release-action from 2.6.1 to 2.7.0 (#7940)
Bumps [svenstaro/upload-release-action](https://github.com/svenstaro/upload-release-action) from 2.6.1 to 2.7.0.
- [Release notes](https://github.com/svenstaro/upload-release-action/releases)
- [Changelog](https://github.com/svenstaro/upload-release-action/blob/master/CHANGELOG.md)
- [Commits](2b9d2847a9...1beeb572c1)
---
updated-dependencies:
- dependency-name: svenstaro/upload-release-action
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: shuting <shuting@nirmata.com>
* test: add tests for ghcr private repository (#7791)
* chore: organize constants better (#7941)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* chore: move cert.kyverno.io/managed-by label in constants (#7942)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* fix: rename --compact to --detailed-results in CLI (#7937)
* fix: rename --compact to --detailed-results in CLI
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
* rename compact arg
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
---------
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* chore: move more constants (#7944)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* feat: add `create values` cli command (#7779)
* feat: add cli command
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* feat: add create values cli command
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
---------
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* Removed usage of `replacements` from goreleaser.yml file (#7833)
* Changed goreleaser.yml file
Signed-off-by: Pradyot Ranjan <99216956+pradyotRanjan@users.noreply.github.com>
* Changed syntax
Signed-off-by: Pradyot Ranjan <99216956+pradyotRanjan@users.noreply.github.com>
* Small indent fix
Signed-off-by: Pradyot Ranjan <99216956+pradyotRanjan@users.noreply.github.com>
---------
Signed-off-by: Pradyot Ranjan <99216956+pradyotRanjan@users.noreply.github.com>
Co-authored-by: Pradyot Ranjan <99216956+pradyotRanjan@users.noreply.github.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
* add 1.10.2 (#7947)
Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* chore: move cache enabled label (#7949)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* chore(deps): bump go.uber.org/zap from 1.24.0 to 1.25.0 (#7952)
Bumps [go.uber.org/zap](https://github.com/uber-go/zap) from 1.24.0 to 1.25.0.
- [Release notes](https://github.com/uber-go/zap/releases)
- [Changelog](https://github.com/uber-go/zap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/uber-go/zap/compare/v1.24.0...v1.25.0)
---
updated-dependencies:
- dependency-name: go.uber.org/zap
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* doc: add feature flag guidelines (#7951)
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
* chore: move kyverno.io/verify-images constant (#7955)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* feat: add ttl controller (#7821)
* added the ttl controller
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* fix
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* fixed label and vars
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* added logger
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* applied fixes
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* removed comments
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* lint
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* lint
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* lint
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* more lint fix
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* applied changes
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* minor fixes
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* fix
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* fix logger, separate parse logic
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* added tests
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* fix
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* added kuttl tests, validation utilities
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* commented code
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* renamed tests
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* fix test
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* created log.go
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* fix
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* fix
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* fix
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* fix log.go
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* fix
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* added README.md refactor code
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* lint fix
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* lint
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* lint fix
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* added validation webhook
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* label-validation fix
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* fix
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* added flag, updated verbs
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* fix
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* fix
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* fix
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* fix
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* updated verbs
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* updated helm chart
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* test fix
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* lint
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* linter
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* imporoved webhook validation
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* fix
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* linter fix
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* lint
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* lint fix
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* fix codegen
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* webhook names and path constants
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* constant label
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* fix label selector
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* kuttl test fix
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* helm docs
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* fix controller logger
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* fix: manager logger
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* fix failure policy
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* kuttl tests
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* move kuttl tests in separate job
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* remove rbac steps
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* remove configmaps from core cluster role
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* fix logger
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* rename flag
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* kuttl
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* fix error
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* fix linter
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
---------
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
Signed-off-by: Ved Ratan <82467006+VedRatan@users.noreply.github.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* chore: rename ttl controller package (#7957)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* chore: move ttl formats to constants (#7958)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* feat: Add support for server-side-apply in generate rules (#7705)
* feat: Add support for server-side-apply in generate rules
Signed-off-by: Mike Bryant <mike@mikebryant.me.uk>
* chore: run make codegen-all
Signed-off-by: Mike Bryant <mike.bryant@mettle.co.uk>
* chore: Remove unnecessary file I got from copy/paste
Signed-off-by: Mike Bryant <mike.bryant@mettle.co.uk>
---------
Signed-off-by: Mike Bryant <mike@mikebryant.me.uk>
Signed-off-by: Mike Bryant <mike.bryant@mettle.co.uk>
Co-authored-by: Chip Zoller <chipzoller@gmail.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
* refactor: ttl label validation (#7960)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* chore(deps): bump github.com/google/go-containerregistry (#7961)
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.14.1-0.20230425172351-b7c6e9dc3944 to 0.16.1.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/commits/v0.16.1)
---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore: fix cleanup controller debug in vscode (#7963)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* fix: ttl cleanup controller events processing (#7964)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* test: add test to cleanup the same resource twice (#7965)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* fix: ttl manager stop informer on error (#7966)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* chore(deps): bump slsa-framework/slsa-github-generator (#7968)
Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.7.0 to 1.8.0.
- [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases)
- [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md)
- [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.7.0...v1.8.0)
---
updated-dependencies:
- dependency-name: slsa-framework/slsa-github-generator
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* feat: add basic structure for image verify cache (#7890)
* feat: add interface for image verify cache
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* feat: add basic client for cache
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* feat: add ttl to client
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* feat: add flags and flag setup
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* feat: added a default image verify cache
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* feat: add propogation of cache to image verifier
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* feat: add useCache to image verification types
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* bug: add ivcache to image verifier
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* feat: add logger to cache
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* typo: DisabledImageVerfiyCache
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* typo: DisabledImageVerfiyCache
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* Update cmd/internal/flag.go
Signed-off-by: shuting <shutting06@gmail.com>
* feat: add use cache to v2beta1 crd
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* bug: change public attribute TTL to private
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* fix: replace nil in test with disabled cache
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* fix: convert ttl time to time.Duration
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* feat: update opts to use time.Duration
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* feat:add policy version and remove delete functions
by adding policy version, old entries will automatically become outdated and we will not have to remove them manually
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* feat: remove clear and update get and set to take interface as input
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* style: fix lint issue
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
---------
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Signed-off-by: shuting <shutting06@gmail.com>
Co-authored-by: shuting <shutting06@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* Fixes kyverno cli container reorder (#7943)
* added combine rule response
Signed-off-by: hackeramitkumar <amit9116260192@gmail.com>
* added kyverno test cli tests
Signed-off-by: hackeramitkumar <amit9116260192@gmail.com>
* added kyverno test cli tests
Signed-off-by: hackeramitkumar <amit9116260192@gmail.com>
* small nits
Signed-off-by: hackeramitkumar <amit9116260192@gmail.com>
* added ; in between the err messages
Signed-off-by: hackeramitkumar <amit9116260192@gmail.com>
* removed fixed rulename and ruletype
Signed-off-by: hackeramitkumar <amit9116260192@gmail.com>
---------
Signed-off-by: hackeramitkumar <amit9116260192@gmail.com>
Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
* chore(deps): bump sigs.k8s.io/controller-runtime from 0.15.0 to 0.15.1 (#7975)
Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.15.0 to 0.15.1.
- [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases)
- [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md)
- [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.15.0...v0.15.1)
---
updated-dependencies:
- dependency-name: sigs.k8s.io/controller-runtime
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump golang.org/x/text from 0.11.0 to 0.12.0 (#7976)
Bumps [golang.org/x/text](https://github.com/golang/text) from 0.11.0 to 0.12.0.
- [Release notes](https://github.com/golang/text/releases)
- [Commits](https://github.com/golang/text/compare/v0.11.0...v0.12.0)
---
updated-dependencies:
- dependency-name: golang.org/x/text
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump golang.org/x/crypto from 0.11.0 to 0.12.0 (#7977)
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.11.0 to 0.12.0.
- [Commits](https://github.com/golang/crypto/compare/v0.11.0...v0.12.0)
---
updated-dependencies:
- dependency-name: golang.org/x/crypto
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* fix:Add Missing Severity Cases in SeverityFromString Function (#7974)
Signed-off-by: lichanghao.orange <lichanghao.orange@bytedance.com>
Co-authored-by: shuting <shuting@nirmata.com>
* feat(chart) Allow podSecurityContext and securityContext for webhooksCleanup (#7970)
Fixes #7962
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* fix: Fixed issue with AddVariable that prevented certain variables (#7981)
When using a label or annotation with quoted dots, AddVariable was splitting inside the quote causing it to be improperly parsed and replaced
Signed-off-by: mvaal <mvaal@expediagroup.com>
* fix: Kyverno cli apply duplicate result counts (#7945)
* removed repeated logic from kyverno_policies_types
Signed-off-by: hackeramitkumar <amit9116260192@gmail.com>
fixed unit tests
* fixed unit tests
Signed-off-by: hackeramitkumar <amit9116260192@gmail.com>
* updated common.go logic
Signed-off-by: hackeramitkumar <amit9116260192@gmail.com>
* remove skip response logic from common.go
Signed-off-by: hackeramitkumar <amit9116260192@gmail.com>
* remove skip response logic from common.go
Signed-off-by: hackeramitkumar <amit9116260192@gmail.com>
* fixed conflict
Signed-off-by: hackeramitkumar <amit9116260192@gmail.com>
---------
Signed-off-by: hackeramitkumar <amit9116260192@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
* fix: return err in load data (#7982)
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
* fix, enhancement (#7988)
* fix, enhancement
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* lint
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
---------
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
* fix: improve lint
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* feat: update auth pkg
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* chore: fix go mod
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* feat: updated CLI keychains
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* chore update fluxcd/pkg/auth@0.31.1
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
---------
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Signed-off-by: hackeramitkumar <amit9116260192@gmail.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Signed-off-by: Alexej Disterhoft <alexej@disterhoft.de>
Signed-off-by: Chip Zoller <chipzoller@gmail.com>
Signed-off-by: Pradyot Ranjan <99216956+pradyotRanjan@users.noreply.github.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
Signed-off-by: Ved Ratan <82467006+VedRatan@users.noreply.github.com>
Signed-off-by: Mike Bryant <mike@mikebryant.me.uk>
Signed-off-by: Mike Bryant <mike.bryant@mettle.co.uk>
Signed-off-by: shuting <shutting06@gmail.com>
Signed-off-by: lichanghao.orange <lichanghao.orange@bytedance.com>
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
Signed-off-by: mvaal <mvaal@expediagroup.com>
Co-authored-by: Amit kumar <amit9116260192@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Co-authored-by: Alexej Disterhoft <github@disterhoft.de>
Co-authored-by: Chip Zoller <chipzoller@gmail.com>
Co-authored-by: Pradyot Ranjan <99216956+prady0t@users.noreply.github.com>
Co-authored-by: Pradyot Ranjan <99216956+pradyotRanjan@users.noreply.github.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Ved Ratan <82467006+VedRatan@users.noreply.github.com>
Co-authored-by: Mike Bryant <mike.bryant@mettle.co.uk>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: shuting <shutting06@gmail.com>
Co-authored-by: UgOrange <lichanghao.orange@bytedance.com>
Co-authored-by: treydock <tdockendorf@osc.edu>
Co-authored-by: Marcus Vaal <mvaal@expediagroup.com>
This commit is contained in:
Vishal Choudhary
GitHub
parent
2cc0f9ddd4
commit
07877ef37a
5 changed files with 123 additions and 19 deletions
|
|
@ -1,28 +1,22 @@
|
|||
package oci
|
||||
|
||||
import (
|
||||
"io"
|
||||
|
||||
"github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
|
||||
"github.com/chrismellard/docker-credential-acr-env/pkg/credhelper"
|
||||
"github.com/google/go-containerregistry/pkg/authn"
|
||||
"github.com/google/go-containerregistry/pkg/authn/github"
|
||||
"github.com/google/go-containerregistry/pkg/v1/google"
|
||||
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/command"
|
||||
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/commands/oci/pull"
|
||||
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/commands/oci/push"
|
||||
"github.com/kyverno/kyverno/pkg/registryclient"
|
||||
"github.com/spf13/cobra"
|
||||
)
|
||||
|
||||
func Command() *cobra.Command {
|
||||
amazonKeychain := authn.NewKeychainFromHelper(ecr.NewECRHelper(ecr.WithLogger(io.Discard)))
|
||||
azureKeychain := authn.NewKeychainFromHelper(credhelper.NewACRCredentialsHelper())
|
||||
keychain := authn.NewMultiKeychain(
|
||||
authn.DefaultKeychain,
|
||||
google.Keychain,
|
||||
github.Keychain,
|
||||
amazonKeychain,
|
||||
azureKeychain,
|
||||
registryclient.AWSKeychain,
|
||||
registryclient.GCPKeychain,
|
||||
registryclient.AzureKeychain,
|
||||
)
|
||||
cmd := &cobra.Command{
|
||||
Use: "oci",
|
||||
|
|
|
|||
5
go.mod
5
go.mod
|
|
@ -8,15 +8,14 @@ require (
|
|||
github.com/Masterminds/sprig/v3 v3.2.3
|
||||
github.com/aquilax/truncate v1.0.0
|
||||
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2
|
||||
github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20230823232655-ce48fc331ac7
|
||||
github.com/blang/semver/v4 v4.0.0
|
||||
github.com/cenkalti/backoff v2.2.1+incompatible
|
||||
github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589
|
||||
github.com/cyphar/filepath-securejoin v0.2.4
|
||||
github.com/dgraph-io/ristretto v0.1.1
|
||||
github.com/distribution/distribution v2.8.2+incompatible
|
||||
github.com/evanphx/json-patch/v5 v5.6.0
|
||||
github.com/fatih/color v1.15.0
|
||||
github.com/fluxcd/pkg/oci v0.31.1
|
||||
github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32
|
||||
github.com/go-git/go-billy/v5 v5.4.1
|
||||
github.com/go-git/go-git/v5 v5.8.1
|
||||
|
|
@ -160,6 +159,7 @@ require (
|
|||
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.5 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/service/sts v1.21.5 // indirect
|
||||
github.com/aws/smithy-go v1.14.2 // indirect
|
||||
github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20230823232655-ce48fc331ac7 // indirect
|
||||
github.com/beorn7/perks v1.0.1 // indirect
|
||||
github.com/blang/semver v3.5.1+incompatible // indirect
|
||||
github.com/buildkite/agent/v3 v3.52.1 // indirect
|
||||
|
|
@ -167,6 +167,7 @@ require (
|
|||
github.com/cenkalti/backoff/v3 v3.2.2 // indirect
|
||||
github.com/cenkalti/backoff/v4 v4.2.1 // indirect
|
||||
github.com/cespare/xxhash/v2 v2.2.0 // indirect
|
||||
github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 // indirect
|
||||
github.com/clbanning/mxj/v2 v2.7.0 // indirect
|
||||
github.com/cloudflare/circl v1.3.3 // indirect
|
||||
github.com/cockroachdb/apd/v3 v3.2.0 // indirect
|
||||
|
|
|
|||
2
go.sum
2
go.sum
|
|
@ -462,6 +462,8 @@ github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBD
|
|||
github.com/fatih/structtag v1.2.0/go.mod h1:mBJUNpUnHmRKrKlQQlmCrh5PuhftFbNv8Ys4/aAZl94=
|
||||
github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
|
||||
github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
|
||||
github.com/fluxcd/pkg/oci v0.31.1 h1:kaN9yEfetc/02gv3SroAa2OWqukTZNKN+/Y6tGWlKIA=
|
||||
github.com/fluxcd/pkg/oci v0.31.1/go.mod h1:UL7nzm7p3fk5X0ZTsHl3qBhRy/NtuGqFSangXvPKUNw=
|
||||
github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
|
||||
github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw=
|
||||
github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
|
||||
|
|
|
|||
|
|
@ -1,10 +1,36 @@
|
|||
package registryclient
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/url"
|
||||
"regexp"
|
||||
"strings"
|
||||
|
||||
"github.com/fluxcd/pkg/oci/auth/aws"
|
||||
"github.com/fluxcd/pkg/oci/auth/azure"
|
||||
"github.com/fluxcd/pkg/oci/auth/gcp"
|
||||
"github.com/google/go-containerregistry/pkg/authn"
|
||||
"github.com/google/go-containerregistry/pkg/name"
|
||||
corev1listers "k8s.io/client-go/listers/core/v1"
|
||||
)
|
||||
|
||||
var (
|
||||
acrRE = regexp.MustCompile(`.*\.azurecr\.io|.*\.azurecr\.cn|.*\.azurecr\.de|.*\.azurecr\.us`)
|
||||
ecrPattern = regexp.MustCompile(`(^[a-zA-Z0-9][a-zA-Z0-9-_]*)\.dkr\.ecr(-fips)?\.([a-zA-Z0-9][a-zA-Z0-9-_]*)\.amazonaws\.com(\.cn)?$`)
|
||||
)
|
||||
|
||||
const (
|
||||
mcrHostname = "mcr.microsoft.com"
|
||||
tokenUsername = "<token>"
|
||||
|
||||
ServiceECR = "ecr"
|
||||
ServiceECRPublic = "ecr-public"
|
||||
proxyEndpointScheme = "https://"
|
||||
programName = "docker-credential-ecr-login"
|
||||
ecrPublicName = "public.ecr.aws"
|
||||
ecrPublicEndpoint = proxyEndpointScheme + ecrPublicName
|
||||
)
|
||||
|
||||
type autoRefreshSecrets struct {
|
||||
lister corev1listers.SecretNamespaceLister
|
||||
imagePullSecrets []string
|
||||
|
|
@ -32,3 +58,88 @@ var AnonymousKeychain authn.Keychain = anonymuskc{}
|
|||
func (anonymuskc) Resolve(_ authn.Resource) (authn.Authenticator, error) {
|
||||
return authn.Anonymous, nil
|
||||
}
|
||||
|
||||
type azurekeychain struct{}
|
||||
|
||||
var AzureKeychain authn.Keychain = azurekeychain{}
|
||||
|
||||
func (azurekeychain) Resolve(resource authn.Resource) (authn.Authenticator, error) {
|
||||
if !isACRRegistry(resource.RegistryStr()) {
|
||||
return authn.Anonymous, nil
|
||||
}
|
||||
|
||||
ref, err := name.ParseReference(resource.String())
|
||||
if err != nil {
|
||||
return authn.Anonymous, nil
|
||||
}
|
||||
|
||||
azClient := azure.NewClient()
|
||||
auth, err := azClient.Login(context.TODO(), true, resource.String(), ref)
|
||||
if err != nil {
|
||||
return authn.Anonymous, nil
|
||||
}
|
||||
return auth, nil
|
||||
}
|
||||
|
||||
func isACRRegistry(input string) bool {
|
||||
serverURL, err := url.Parse("https://" + input)
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
if serverURL.Hostname() == mcrHostname {
|
||||
return true
|
||||
}
|
||||
matches := acrRE.FindStringSubmatch(serverURL.Hostname())
|
||||
return len(matches) != 0
|
||||
}
|
||||
|
||||
type awskeychain struct{}
|
||||
|
||||
var AWSKeychain authn.Keychain = awskeychain{}
|
||||
|
||||
func (awskeychain) Resolve(resource authn.Resource) (authn.Authenticator, error) {
|
||||
if !isAWSRegistry(resource.RegistryStr()) {
|
||||
return authn.Anonymous, nil
|
||||
}
|
||||
awsClient := aws.NewClient()
|
||||
auth, err := awsClient.Login(context.TODO(), true, resource.String())
|
||||
if err != nil {
|
||||
return authn.Anonymous, nil
|
||||
}
|
||||
return auth, nil
|
||||
}
|
||||
|
||||
func isAWSRegistry(input string) bool {
|
||||
input = strings.TrimPrefix(input, proxyEndpointScheme)
|
||||
serverURL, err := url.Parse(proxyEndpointScheme + input)
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
if serverURL.Hostname() == ecrPublicName {
|
||||
return true
|
||||
}
|
||||
matches := ecrPattern.FindStringSubmatch(serverURL.Hostname())
|
||||
return len(matches) >= 3
|
||||
}
|
||||
|
||||
type gcpkeychain struct{}
|
||||
|
||||
var GCPKeychain authn.Keychain = gcpkeychain{}
|
||||
|
||||
func (gcpkeychain) Resolve(resource authn.Resource) (authn.Authenticator, error) {
|
||||
if !gcp.ValidHost(resource.RegistryStr()) {
|
||||
return authn.Anonymous, nil
|
||||
}
|
||||
|
||||
ref, err := name.ParseReference(resource.String())
|
||||
if err != nil {
|
||||
return authn.Anonymous, nil
|
||||
}
|
||||
|
||||
gcpClient := gcp.NewClient()
|
||||
auth, err := gcpClient.Login(context.TODO(), true, resource.String(), ref)
|
||||
if err != nil {
|
||||
return authn.Anonymous, nil
|
||||
}
|
||||
return auth, nil
|
||||
}
|
||||
|
|
|
|||
|
|
@ -4,18 +4,14 @@ import (
|
|||
"context"
|
||||
"crypto/tls"
|
||||
"fmt"
|
||||
"io"
|
||||
"net"
|
||||
"net/http"
|
||||
"runtime"
|
||||
"time"
|
||||
|
||||
"github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
|
||||
"github.com/chrismellard/docker-credential-acr-env/pkg/credhelper"
|
||||
"github.com/google/go-containerregistry/pkg/authn"
|
||||
"github.com/google/go-containerregistry/pkg/authn/github"
|
||||
"github.com/google/go-containerregistry/pkg/name"
|
||||
"github.com/google/go-containerregistry/pkg/v1/google"
|
||||
gcrremote "github.com/google/go-containerregistry/pkg/v1/remote"
|
||||
"github.com/kyverno/kyverno/pkg/tracing"
|
||||
"github.com/sigstore/cosign/v2/pkg/oci/remote"
|
||||
|
|
@ -129,13 +125,13 @@ func WithCredentialProviders(credentialProviders ...string) Option {
|
|||
chains = append(chains, authn.DefaultKeychain)
|
||||
}
|
||||
if helpers.Has("google") {
|
||||
chains = append(chains, google.Keychain)
|
||||
chains = append(chains, GCPKeychain)
|
||||
}
|
||||
if helpers.Has("amazon") {
|
||||
chains = append(chains, authn.NewKeychainFromHelper(ecr.NewECRHelper(ecr.WithLogger(io.Discard))))
|
||||
chains = append(chains, AWSKeychain)
|
||||
}
|
||||
if helpers.Has("azure") {
|
||||
chains = append(chains, authn.NewKeychainFromHelper(credhelper.NewACRCredentialsHelper()))
|
||||
chains = append(chains, AzureKeychain)
|
||||
}
|
||||
if helpers.Has("github") {
|
||||
chains = append(chains, github.Keychain)
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue