From 61aa713d274152cd66c1856ac6dfc34e1b2c2bb3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?=
Date: Fri, 22 Sep 2023 12:40:16 +0200
Subject: [PATCH] fix: image cache panic and cleanup (#8512)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Charles-Edouard Brétéché
---
 .../handlers/cleanup/handlers.go | 2 --
 .../kubectl-kyverno/store/contextloader.go | 4 +--
 pkg/engine/api/contextloader.go | 2 --
 pkg/engine/engine.go | 1 -
 pkg/engine/factories/contextloaderfactory.go | 2 --
 pkg/engine/internal/imageverifier.go | 27 ++++++++++++-------
 6 files changed, 18 insertions(+), 20 deletions(-)

diff --git a/cmd/cleanup-controller/handlers/cleanup/handlers.go b/cmd/cleanup-controller/handlers/cleanup/handlers.go
index c6a895f49d..87d77ae18b 100644
--- a/cmd/cleanup-controller/handlers/cleanup/handlers.go
+++ b/cmd/cleanup-controller/handlers/cleanup/handlers.go
@@ -16,7 +16,6 @@ import (
 	"github.com/kyverno/kyverno/pkg/engine/factories"
 	"github.com/kyverno/kyverno/pkg/engine/jmespath"
 	"github.com/kyverno/kyverno/pkg/event"
-	"github.com/kyverno/kyverno/pkg/imageverifycache"
 	"github.com/kyverno/kyverno/pkg/metrics"
 	controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
 	"github.com/kyverno/kyverno/pkg/utils/match"
@@ -131,7 +130,6 @@ func (h *handlers) executePolicy(
 		h.jp,
 		h.client,
 		nil,
-		imageverifycache.DisabledImageVerifyCache(),
 		spec.Context,
 		enginectx,
 	); err != nil {
diff --git a/cmd/cli/kubectl-kyverno/store/contextloader.go b/cmd/cli/kubectl-kyverno/store/contextloader.go
index 0145f630ba..ace392914e 100644
--- a/cmd/cli/kubectl-kyverno/store/contextloader.go
+++ b/cmd/cli/kubectl-kyverno/store/contextloader.go
@@ -8,7 +8,6 @@ import (
 	enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
 	"github.com/kyverno/kyverno/pkg/engine/factories"
 	"github.com/kyverno/kyverno/pkg/engine/jmespath"
-	"github.com/kyverno/kyverno/pkg/imageverifycache"
 )
 
 func ContextLoaderFactory(cmResolver engineapi.ConfigmapResolver) engineapi.ContextLoaderFactory {
@@ -49,7 +48,6 @@ func (w wrapper) Load(
 	jp jmespath.Interface,
 	client engineapi.RawClient,
 	rclientFactory engineapi.RegistryClientFactory,
-	ivCache imageverifycache.Client,
 	contextEntries []kyvernov1.ContextEntry,
 	jsonContext enginecontext.Interface,
 ) error {
@@ -59,5 +57,5 @@ func (w wrapper) Load(
 	if !GetRegistryAccess() {
 		rclientFactory = nil
 	}
-	return w.inner.Load(ctx, jp, client, rclientFactory, ivCache, contextEntries, jsonContext)
+	return w.inner.Load(ctx, jp, client, rclientFactory, contextEntries, jsonContext)
 }
diff --git a/pkg/engine/api/contextloader.go b/pkg/engine/api/contextloader.go
index 88f699102f..732c48fafe 100644
--- a/pkg/engine/api/contextloader.go
+++ b/pkg/engine/api/contextloader.go
@@ -6,7 +6,6 @@ import (
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
 	"github.com/kyverno/kyverno/pkg/engine/jmespath"
-	"github.com/kyverno/kyverno/pkg/imageverifycache"
 )
 
 type RegistryClientFactory interface {
@@ -25,7 +24,6 @@ type ContextLoader interface {
 		jp jmespath.Interface,
 		client RawClient,
 		rclientFactory RegistryClientFactory,
-		ivCache imageverifycache.Client,
 		contextEntries []kyvernov1.ContextEntry,
 		jsonContext enginecontext.Interface,
 	) error
diff --git a/pkg/engine/engine.go b/pkg/engine/engine.go
index b0d4b552c9..f29fc232b6 100644
--- a/pkg/engine/engine.go
+++ b/pkg/engine/engine.go
@@ -180,7 +180,6 @@ func (e *engine) ContextLoader(
 			e.jp,
 			e.client,
 			e.rclientFactory,
-			e.ivCache,
 			contextEntries,
 			jsonContext,
 		)
diff --git a/pkg/engine/factories/contextloaderfactory.go b/pkg/engine/factories/contextloaderfactory.go
index 5a08900979..74a1ead540 100644
--- a/pkg/engine/factories/contextloaderfactory.go
+++ b/pkg/engine/factories/contextloaderfactory.go
@@ -10,7 +10,6 @@ import (
 	enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
 	"github.com/kyverno/kyverno/pkg/engine/context/loaders"
 	"github.com/kyverno/kyverno/pkg/engine/jmespath"
-	"github.com/kyverno/kyverno/pkg/imageverifycache"
 	"github.com/kyverno/kyverno/pkg/logging"
 	"github.com/kyverno/kyverno/pkg/toggle"
 )
@@ -47,7 +46,6 @@ func (l *contextLoader) Load(
 	jp jmespath.Interface,
 	client engineapi.RawClient,
 	rclientFactory engineapi.RegistryClientFactory,
-	ivCache imageverifycache.Client,
 	contextEntries []kyvernov1.ContextEntry,
 	jsonContext enginecontext.Interface,
 ) error {
diff --git a/pkg/engine/internal/imageverifier.go b/pkg/engine/internal/imageverifier.go
index da5b11db17..bba729740d 100644
--- a/pkg/engine/internal/imageverifier.go
+++ b/pkg/engine/internal/imageverifier.go
@@ -245,14 +245,19 @@ func (iv *ImageVerifier) Verify(
 			continue
 		}
 		start := time.Now()
-		found, err := iv.ivCache.Get(ctx, iv.policyContext.Policy(), iv.rule.Name, image)
-		if err != nil {
-			iv.logger.Error(err, "error occurred during cache get")
+		isInCache := false
+		if iv.ivCache != nil {
+			found, err := iv.ivCache.Get(ctx, iv.policyContext.Policy(), iv.rule.Name, image)
+			if err != nil {
+				iv.logger.Error(err, "error occurred during cache get")
+			} else {
+				isInCache = found
+			}
 		}
 		var ruleResp *engineapi.RuleResponse
 		var digest string
-		if found {
+		if isInCache {
 			iv.logger.V(2).Info("cache entry found", "namespace", iv.policyContext.Policy().GetNamespace(), "policy", iv.policyContext.Policy().GetName(), "ruleName", iv.rule.Name, "imageRef", image)
 			ruleResp = engineapi.RulePass(iv.rule.Name, engineapi.ImageVerify, "verified from cache")
 			digest = imageInfo.Digest
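Review bot: The new `if iv.ivCache != nil` guard only catches a nil interface value; if `ivCache` is an `imageverifycache.Client` interface and a caller hands in a nil concrete pointer, the comparison is true and `Get` still panics, so the constructor side (not visible here) should guarantee callers pass a literal nil rather than a typed nil. Treating a `Get` error as a miss is the right fail-safe direction, since the image is then re-verified instead of being trusted, and that intent deserves a comment on `isInCache := false`: `// a cache error counts as a miss so the image is re-verified rather than trusted`. The hit branch still returns `RulePass` with `digest = imageInfo.Digest` and no registry round-trip, so if `image` can be a tag-only reference (cannot tell from the hunk) the cache TTL bounds how long a re-pointed tag is accepted on a stale verdict. Verify begins before and continues after this hunk.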
@@ -260,12 +265,14 @@ func (iv *ImageVerifier) Verify(
 			iv.logger.V(2).Info("cache entry not found", "namespace", iv.policyContext.Policy().GetNamespace(), "policy", iv.policyContext.Policy().GetName(), "ruleName", iv.rule.Name, "imageRef", image)
 			ruleResp, digest = iv.verifyImage(ctx, imageVerify, imageInfo, cfg)
 			if ruleResp != nil && ruleResp.Status() == engineapi.RuleStatusPass {
-				setted, err := iv.ivCache.Set(ctx, iv.policyContext.Policy(), iv.rule.Name, image)
-				if err != nil {
-					iv.logger.Error(err, "error occurred during cache set")
-				} else {
-					if setted {
-						iv.logger.V(4).Info("successfully set cache", "namespace", iv.policyContext.Policy().GetNamespace(), "policy", iv.policyContext.Policy().GetName(), "ruleName", iv.rule.Name, "imageRef", image)
+				if iv.ivCache != nil {
+					setted, err := iv.ivCache.Set(ctx, iv.policyContext.Policy(), iv.rule.Name, image)
+					if err != nil {
+						iv.logger.Error(err, "error occurred during cache set")
+					} else {
+						if setted {
+							iv.logger.V(4).Info("successfully set cache", "namespace", iv.policyContext.Policy().GetNamespace(), "policy", iv.policyContext.Policy().GetName(), "ruleName", iv.rule.Name, "imageRef", image)
+						}
 					}
 				}
 			}
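Review bot: The `ivCache != nil` check now lives in two places inside Verify (the Get path in the previous hunk and the Set path here), and the nested `} else { if setted {` adds a brace level that `} else if setted {` would not need; a pair of small receiver helpers keeps the nil guard and the "log, never fail" handling in one spot, and `stored` reads better than `setted`. A `Set` failure being only logged is correct for a best-effort cache, since the verification result is already decided before the store is attempted; the helper comment below says so explicitly. The enclosing function continues past the end of this hunk.
```go
// cacheSet records a passing verification for image. A nil cache is a no-op and
// a store error is logged rather than returned: caching is best-effort and the
// rule result has already been decided by verifyImage.
func (iv *ImageVerifier) cacheSet(ctx context.Context, image string) {
	if iv.ivCache == nil {
		return
	}
	stored, err := iv.ivCache.Set(ctx, iv.policyContext.Policy(), iv.rule.Name, image)
	if err != nil {
		iv.logger.Error(err, "error occurred during cache set")
	} else if stored {
		iv.logger.V(4).Info("successfully set cache", "namespace", iv.policyContext.Policy().GetNamespace(), "policy", iv.policyContext.Policy().GetName(), "ruleName", iv.rule.Name, "imageRef", image)
	}
}

// … unchanged in Verify: cache-miss log and verifyImage call …
if ruleResp != nil && ruleResp.Status() == engineapi.RuleStatusPass {
	iv.cacheSet(ctx, image)
}
```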