refactor: remove some api unnecessary pointers (4) (#3713)

* refactor: remove some api unnecessary pointers

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* refactor: remove some api unnecessary pointers (2)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* refactor: remove some api unnecessary pointers (3)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* refactor: remove some api unnecessary pointers (4)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: shuting <shuting@nirmata.com>

api/kyverno/v1/rule_types.go

@@ -64,7 +64,7 @@ type Rule struct {
 
 	// VerifyImages is used to verify image signatures and mutate them to add a digest
 	// +optional
-	VerifyImages []*ImageVerification `json:"verifyImages,omitempty" yaml:"verifyImages,omitempty"`
+	VerifyImages []ImageVerification `json:"verifyImages,omitempty" yaml:"verifyImages,omitempty"`
 }
 
 // HasMutate checks for mutate rule

api/kyverno/v1/zz_generated.deepcopy.go

@@ -1000,13 +1000,9 @@ func (in *Rule) DeepCopyInto(out *Rule) {
 	in.Generation.DeepCopyInto(&out.Generation)
 	if in.VerifyImages != nil {
 		in, out := &in.VerifyImages, &out.VerifyImages
-		*out = make([]*ImageVerification, len(*in))
+		*out = make([]ImageVerification, len(*in))
 		for i := range *in {
-			if (*in)[i] != nil {
-				in, out := &(*in)[i], &(*out)[i]
-				*out = new(ImageVerification)
-				(*in).DeepCopyInto(*out)
-			}
+			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 }

docs/crd/v1/index.html

@@ -1698,6 +1698,10 @@ the image reference.</p>
 <h3 id="kyverno.io/v1.ImageVerification">ImageVerification
 </h3>
 <p>
+(<em>Appears on:</em>
+<a href="#kyverno.io/v1.Rule">Rule</a>)
+</p>
+<p>
 <p>ImageVerification validates that images that match the specified pattern
 are signed with the supplied public key. Once the image is verified it is
 mutated to include the SHA digest retrieved during the registration.</p>
@@ -2676,8 +2680,8 @@ Generation
 <td>
 <code>verifyImages</code></br>
 <em>
-<a href="#kyverno.io/v1.*./api/kyverno/v1.ImageVerification">
-[]*./api/kyverno/v1.ImageVerification
+<a href="#kyverno.io/v1.ImageVerification">
+[]ImageVerification
 </a>
 </em>
 </td>

pkg/autogen/rule.go

@@ -22,14 +22,14 @@ import (
 // https://github.com/kyverno/kyverno/issues/568
 
 type kyvernoRule struct {
-	Name             string                       `json:"name"`
-	MatchResources   *kyverno.MatchResources      `json:"match"`
-	ExcludeResources *kyverno.MatchResources      `json:"exclude,omitempty"`
-	Context          *[]kyverno.ContextEntry      `json:"context,omitempty"`
-	AnyAllConditions *apiextensions.JSON          `json:"preconditions,omitempty"`
-	Mutation         *kyverno.Mutation            `json:"mutate,omitempty"`
-	Validation       *kyverno.Validation          `json:"validate,omitempty"`
-	VerifyImages     []*kyverno.ImageVerification `json:"verifyImages,omitempty" yaml:"verifyImages,omitempty"`
+	Name             string                      `json:"name"`
+	MatchResources   *kyverno.MatchResources     `json:"match"`
+	ExcludeResources *kyverno.MatchResources     `json:"exclude,omitempty"`
+	Context          *[]kyverno.ContextEntry     `json:"context,omitempty"`
+	AnyAllConditions *apiextensions.JSON         `json:"preconditions,omitempty"`
+	Mutation         *kyverno.Mutation           `json:"mutate,omitempty"`
+	Validation       *kyverno.Validation         `json:"validate,omitempty"`
+	VerifyImages     []kyverno.ImageVerification `json:"verifyImages,omitempty" yaml:"verifyImages,omitempty"`
 }
 
 func createRule(rule *kyverno.Rule) *kyvernoRule {
@@ -181,9 +181,9 @@ func generateRule(logger logr.Logger, name string, rule *kyverno.Rule, tplKey, s
 		return rule
 	}
 	if rule.VerifyImages != nil {
-		newVerifyImages := make([]*kyverno.ImageVerification, len(rule.VerifyImages))
+		newVerifyImages := make([]kyverno.ImageVerification, len(rule.VerifyImages))
 		for i, vi := range rule.VerifyImages {
-			newVerifyImages[i] = vi.DeepCopy()
+			newVerifyImages[i] = *vi.DeepCopy()
 		}
 		rule.VerifyImages = newVerifyImages
 		return rule

pkg/cosign/cosign.go

@@ -178,7 +178,7 @@ func loadCertPool(roots []byte) (*x509.CertPool, error) {
 
 // FetchAttestations retrieves signed attestations and decodes them into in-toto statements
 // https://github.com/in-toto/attestation/blob/main/spec/README.md#statement
-func FetchAttestations(imageRef string, imageVerify *v1.ImageVerification, log logr.Logger) ([]map[string]interface{}, error) {
+func FetchAttestations(imageRef string, imageVerify v1.ImageVerification, log logr.Logger) ([]map[string]interface{}, error) {
 	ctx := context.Background()
 	var err error
 

pkg/engine/imageVerify.go

@@ -114,13 +114,13 @@ func appendError(resp *response.EngineResponse, rule *v1.Rule, msg string, statu
 func substituteVariables(rule *v1.Rule, ctx context.EvalInterface, logger logr.Logger) (*v1.Rule, error) {
 
 	// remove attestations as variables are not substituted in them
-	ruleCopy := rule.DeepCopy()
-	for _, iv := range ruleCopy.VerifyImages {
-		iv.Attestations = nil
+	ruleCopy := *rule.DeepCopy()
+	for i := range ruleCopy.VerifyImages {
+		ruleCopy.VerifyImages[i].Attestations = nil
 	}
 
 	var err error
-	*ruleCopy, err = variables.SubstituteAllInRule(logger, ctx, *ruleCopy)
+	ruleCopy, err = variables.SubstituteAllInRule(logger, ctx, ruleCopy)
 	if err != nil {
 		return nil, err
 	}
@@ -130,7 +130,7 @@ func substituteVariables(rule *v1.Rule, ctx context.EvalInterface, logger logr.L
 		ruleCopy.VerifyImages[i].Attestations = rule.VerifyImages[i].Attestations
 	}
 
-	return ruleCopy, nil
+	return &ruleCopy, nil
 }
 
 type imageVerifier struct {
@@ -140,9 +140,9 @@ type imageVerifier struct {
 	resp          *response.EngineResponse
 }
 
-func (iv *imageVerifier) verify(imageVerify *v1.ImageVerification, images map[string]map[string]kubeutils.ImageInfo) {
+func (iv *imageVerifier) verify(imageVerify v1.ImageVerification, images map[string]map[string]kubeutils.ImageInfo) {
 	// for backward compatibility
-	imageVerify = imageVerify.Convert()
+	imageVerify = *imageVerify.Convert()
 
 	for _, infoMap := range images {
 		for _, imageInfo := range infoMap {
@@ -212,7 +212,7 @@ func (iv *imageVerifier) handleDigest(digest string, imageInfo kubeutils.ImageIn
 	return patch, nil
 }
 
-func (iv *imageVerifier) markImageVerified(imageVerify *v1.ImageVerification, ruleResp *response.RuleResponse, digest string, imageInfo kubeutils.ImageInfo) *response.RuleResponse {
+func (iv *imageVerifier) markImageVerified(imageVerify v1.ImageVerification, ruleResp *response.RuleResponse, digest string, imageInfo kubeutils.ImageInfo) *response.RuleResponse {
 	if hasImageVerifiedAnnotationChanged(iv.policyContext, imageInfo.Name, digest) {
 		msg := "changes to `images.kyverno.io` annotation are not allowed"
 		return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusFail, nil)
@@ -292,7 +292,7 @@ func imageMatches(image string, imagePatterns []string) bool {
 	return false
 }
 
-func (iv *imageVerifier) verifySignatures(imageVerify *v1.ImageVerification, imageInfo kubeutils.ImageInfo) (*response.RuleResponse, string) {
+func (iv *imageVerifier) verifySignatures(imageVerify v1.ImageVerification, imageInfo kubeutils.ImageInfo) (*response.RuleResponse, string) {
 	image := imageInfo.String()
 	iv.logger.V(2).Info("verifying image signatures", "image", image, "attestors", len(imageVerify.Attestors), "attestations", len(imageVerify.Attestations))
 
@@ -312,7 +312,7 @@ func (iv *imageVerifier) verifySignatures(imageVerify *v1.ImageVerification, ima
 	return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusPass, nil), digest
 }
 
-func (iv *imageVerifier) verifyAttestorSet(attestorSet v1.AttestorSet, imageVerify *v1.ImageVerification, image, path string) (string, error) {
+func (iv *imageVerifier) verifyAttestorSet(attestorSet v1.AttestorSet, imageVerify v1.ImageVerification, image, path string) (string, error) {
 	var errorList []error
 	verifiedCount := 0
 	attestorSet = expandStaticKeys(attestorSet)
@@ -409,7 +409,7 @@ func getRequiredCount(as v1.AttestorSet) int {
 	return *as.Count
 }
 
-func (iv *imageVerifier) buildOptionsAndPath(attestor v1.Attestor, imageVerify *v1.ImageVerification, image string) (*cosign.Options, string) {
+func (iv *imageVerifier) buildOptionsAndPath(attestor v1.Attestor, imageVerify v1.ImageVerification, image string) (*cosign.Options, string) {
 	path := ""
 	opts := &cosign.Options{
 		ImageRef:    image,
@@ -466,7 +466,7 @@ func makeAddDigestPatch(imageInfo kubeutils.ImageInfo, digest string) ([]byte, e
 	return json.Marshal(patch)
 }
 
-func (iv *imageVerifier) verifyAttestations(imageVerify *v1.ImageVerification, imageInfo kubeutils.ImageInfo) *response.RuleResponse {
+func (iv *imageVerifier) verifyAttestations(imageVerify v1.ImageVerification, imageInfo kubeutils.ImageInfo) *response.RuleResponse {
 	image := imageInfo.String()
 	start := time.Now()
 

pkg/engine/imageVerify_test.go

@@ -523,11 +523,11 @@ func Test_ChangedAnnotation(t *testing.T) {
 }
 
 func Test_MarkImageVerified(t *testing.T) {
-	imageVerifyRule := &kyverno.ImageVerification{Required: true}
+	imageVerifyRule := kyverno.ImageVerification{Required: true}
 	iv := &imageVerifier{
 		logger:        log.Log,
 		policyContext: buildContext(t, testPolicyGood, testResource, ""),
-		rule:          &kyverno.Rule{VerifyImages: []*kyverno.ImageVerification{imageVerifyRule}},
+		rule:          &kyverno.Rule{VerifyImages: []kyverno.ImageVerification{imageVerifyRule}},
 		resp:          &response.EngineResponse{},
 	}
 
@@ -545,8 +545,8 @@ func Test_MarkImageVerified(t *testing.T) {
 	assert.Equal(t, value, "true")
 
 	ruleResp.Patches = nil
-	imageVerifyRule = &kyverno.ImageVerification{Required: false}
-	iv.rule = &kyverno.Rule{VerifyImages: []*kyverno.ImageVerification{imageVerifyRule}}
+	imageVerifyRule = kyverno.ImageVerification{Required: false}
+	iv.rule = &kyverno.Rule{VerifyImages: []kyverno.ImageVerification{imageVerifyRule}}
 	iv.markImageVerified(imageVerifyRule, ruleResp, digest, imageInfo)
 	assert.Equal(t, len(ruleResp.Patches), 0)
 }