mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-05 15:37:19 +00:00
refactor: make registry client variables private (#3975)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
This commit is contained in:
Charles-Edouard Brétéché
GitHub
parent
5340c5608c
commit
1afda6a137
5 changed files with 54 additions and 61 deletions
|
|
@ -11,7 +11,6 @@ import (
|
|||
"strings"
|
||||
|
||||
"github.com/google/go-containerregistry/pkg/name"
|
||||
gcrremote "github.com/google/go-containerregistry/pkg/v1/remote"
|
||||
"github.com/in-toto/in-toto-golang/in_toto"
|
||||
wildcard "github.com/kyverno/go-wildcard"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
|
|
@ -57,7 +56,11 @@ func VerifySignature(opts Options) (digest string, err error) {
|
|||
if err != nil {
|
||||
return "", errors.Wrap(err, "constructing client options")
|
||||
}
|
||||
remoteOpts = append(remoteOpts, remote.WithRemoteOptions(gcrremote.WithAuthFromKeychain(registryclient.DefaultKeychain)))
|
||||
o, err := registryclient.GetOptions()
|
||||
if err != nil {
|
||||
return "", errors.Wrap(err, "getting remote options")
|
||||
}
|
||||
remoteOpts = append(remoteOpts, remote.WithRemoteOptions(o))
|
||||
cosignOpts := &cosign.CheckOpts{
|
||||
Annotations: map[string]interface{}{},
|
||||
RegistryClientOpts: remoteOpts,
|
||||
|
|
|
|||
|
|
@ -80,5 +80,4 @@ func TestCosignKeyless(t *testing.T) {
|
|||
opts.Issuer = "https://github.com/login/oauth"
|
||||
_, err = VerifySignature(opts)
|
||||
assert.NilError(t, err)
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -8,8 +8,6 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
"github.com/google/go-containerregistry/pkg/name"
|
||||
"github.com/google/go-containerregistry/pkg/v1/remote"
|
||||
"github.com/kyverno/go-wildcard"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/pkg/autogen"
|
||||
|
|
@ -45,14 +43,6 @@ func VerifyAndPatchImages(policyContext *PolicyContext) (*response.EngineRespons
|
|||
policyContext.JSONContext.Checkpoint()
|
||||
defer policyContext.JSONContext.Restore()
|
||||
|
||||
// update image registry secrets
|
||||
if len(registryclient.Secrets) > 0 {
|
||||
logger.V(4).Info("updating registry credentials", "secrets", registryclient.Secrets)
|
||||
if err := registryclient.UpdateKeychain(); err != nil {
|
||||
logger.Error(err, "failed to update image pull secrets")
|
||||
}
|
||||
}
|
||||
|
||||
ivm := &ImageVerificationMetadata{}
|
||||
rules := autogen.ComputeRules(policyContext.Policy)
|
||||
for i := range rules {
|
||||
|
|
@ -254,16 +244,10 @@ func hasImageVerifiedAnnotationChanged(ctx *PolicyContext, log logr.Logger) bool
|
|||
}
|
||||
|
||||
func fetchImageDigest(ref string) (string, error) {
|
||||
parsedRef, err := name.ParseReference(ref)
|
||||
_, desc, err := registryclient.Get(ref)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("failed to parse image reference: %s, error: %v", ref, err)
|
||||
return "", err
|
||||
}
|
||||
|
||||
desc, err := remote.Get(parsedRef, remote.WithAuthFromKeychain(registryclient.DefaultKeychain))
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("failed to fetch image reference: %s, error: %v", ref, err)
|
||||
}
|
||||
|
||||
return desc.Digest.String(), nil
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -5,8 +5,6 @@ import (
|
|||
"fmt"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
"github.com/google/go-containerregistry/pkg/name"
|
||||
"github.com/google/go-containerregistry/pkg/v1/remote"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/store"
|
||||
jmespath "github.com/kyverno/kyverno/pkg/engine/jmespath"
|
||||
|
|
@ -135,11 +133,6 @@ func loadVariable(logger logr.Logger, entry kyvernov1.ContextEntry, ctx *PolicyC
|
|||
}
|
||||
|
||||
func loadImageData(logger logr.Logger, entry kyvernov1.ContextEntry, ctx *PolicyContext) error {
|
||||
if len(registryclient.Secrets) > 0 {
|
||||
if err := registryclient.UpdateKeychain(); err != nil {
|
||||
return fmt.Errorf("unable to load image registry credentials, %w", err)
|
||||
}
|
||||
}
|
||||
imageData, err := fetchImageData(logger, entry, ctx)
|
||||
if err != nil {
|
||||
return err
|
||||
|
|
@ -182,13 +175,9 @@ func fetchImageData(logger logr.Logger, entry kyvernov1.ContextEntry, ctx *Polic
|
|||
|
||||
// FetchImageDataMap fetches image information from the remote registry.
|
||||
func fetchImageDataMap(ref string) (interface{}, error) {
|
||||
parsedRef, err := name.ParseReference(ref)
|
||||
parsedRef, desc, err := registryclient.Get(ref)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to parse image reference: %s, error: %v", ref, err)
|
||||
}
|
||||
desc, err := remote.Get(parsedRef, remote.WithAuthFromKeychain(registryclient.DefaultKeychain))
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to fetch image reference: %s, error: %v", ref, err)
|
||||
return nil, err
|
||||
}
|
||||
image, err := desc.Image()
|
||||
if err != nil {
|
||||
|
|
|
|||
|
|
@ -2,6 +2,7 @@ package registryclient
|
|||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
|
||||
ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
|
||||
|
|
@ -9,18 +10,19 @@ import (
|
|||
"github.com/google/go-containerregistry/pkg/authn"
|
||||
"github.com/google/go-containerregistry/pkg/authn/github"
|
||||
kauth "github.com/google/go-containerregistry/pkg/authn/kubernetes"
|
||||
"github.com/google/go-containerregistry/pkg/name"
|
||||
"github.com/google/go-containerregistry/pkg/v1/google"
|
||||
"github.com/google/go-containerregistry/pkg/v1/remote"
|
||||
"github.com/pkg/errors"
|
||||
"k8s.io/client-go/kubernetes"
|
||||
)
|
||||
|
||||
var (
|
||||
Secrets []string
|
||||
|
||||
isLocal bool
|
||||
secrets []string
|
||||
kubeClient kubernetes.Interface
|
||||
namespace string
|
||||
serviceAccount string
|
||||
|
||||
defaultKeychain = authn.NewMultiKeychain(
|
||||
authn.DefaultKeychain,
|
||||
google.Keychain,
|
||||
|
|
@ -28,47 +30,63 @@ var (
|
|||
authn.NewKeychainFromHelper(credhelper.NewACRCredentialsHelper()),
|
||||
github.Keychain,
|
||||
)
|
||||
|
||||
DefaultKeychain = defaultKeychain
|
||||
)
|
||||
|
||||
// InitializeLocal loads the docker credentials and initializes the default auth method for container registry API calls
|
||||
func InitializeLocal() {
|
||||
DefaultKeychain = authn.DefaultKeychain
|
||||
isLocal = true
|
||||
}
|
||||
|
||||
// Initialize loads the image pull secrets and initializes the default auth method for container registry API calls
|
||||
func Initialize(client kubernetes.Interface, ns, sa string, imagePullSecrets []string) error {
|
||||
isLocal = false
|
||||
kubeClient = client
|
||||
namespace = ns
|
||||
serviceAccount = sa
|
||||
Secrets = imagePullSecrets
|
||||
secrets = imagePullSecrets
|
||||
_, err := getKeychain()
|
||||
return err
|
||||
}
|
||||
|
||||
var kc authn.Keychain
|
||||
func getKeychain() (authn.Keychain, error) {
|
||||
if isLocal {
|
||||
return authn.DefaultKeychain, nil
|
||||
}
|
||||
if len(secrets) == 0 {
|
||||
return defaultKeychain, nil
|
||||
}
|
||||
kcOpts := kauth.Options{
|
||||
Namespace: namespace,
|
||||
ServiceAccountName: serviceAccount,
|
||||
ImagePullSecrets: imagePullSecrets,
|
||||
ImagePullSecrets: secrets,
|
||||
}
|
||||
|
||||
kc, err := kauth.New(context.Background(), client, kcOpts)
|
||||
kc, err := kauth.New(context.Background(), kubeClient, kcOpts)
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "failed to initialize registry keychain")
|
||||
return nil, errors.Wrap(err, "failed to initialize registry keychain")
|
||||
}
|
||||
return authn.NewMultiKeychain(defaultKeychain, kc), nil
|
||||
}
|
||||
|
||||
DefaultKeychain = authn.NewMultiKeychain(
|
||||
defaultKeychain,
|
||||
kc,
|
||||
)
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// UpdateKeychain reinitializes the image pull secrets and default auth method for container registry API calls
|
||||
func UpdateKeychain() error {
|
||||
err := Initialize(kubeClient, namespace, serviceAccount, Secrets)
|
||||
func Get(ref string) (name.Reference, *remote.Descriptor, error) {
|
||||
parsedRef, err := name.ParseReference(ref)
|
||||
if err != nil {
|
||||
return err
|
||||
return nil, nil, fmt.Errorf("failed to parse image reference: %s, error: %v", ref, err)
|
||||
}
|
||||
return nil
|
||||
kc, err := getKeychain()
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
desc, err := remote.Get(parsedRef, remote.WithAuthFromKeychain(kc))
|
||||
if err != nil {
|
||||
return nil, nil, fmt.Errorf("failed to fetch image reference: %s, error: %v", ref, err)
|
||||
}
|
||||
return parsedRef, desc, nil
|
||||
}
|
||||
|
||||
func GetOptions() (remote.Option, error) {
|
||||
kc, err := getKeychain()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return remote.WithAuthFromKeychain(kc), nil
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue