refactor: cut dependency between image verifier and registry client (#7536)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-03-05 07:26:55 +00:00 · 2023-06-14 18:19:38 +02:00 · 2023-06-14 18:19:38 +02:00 · 6f040af4d0
commit 6f040af4d0
parent ee1e7a7add
6 changed files with 25 additions and 18 deletions
--- a/pkg/cosign/cosign.go
+++ b/pkg/cosign/cosign.go
@ -99,7 +99,7 @@ func buildCosignOptions(ctx context.Context, opts images.Options) (*cosign.Check
 	if err != nil {
 		return nil, fmt.Errorf("constructing client options: %w", err)
 	}
-	remoteOpts = append(remoteOpts, opts.RegistryClient.BuildRemoteOption(ctx))
+	remoteOpts = append(remoteOpts, opts.Client.BuildRemoteOption(ctx))
 	cosignOpts := &cosign.CheckOpts{
 		Annotations:        map[string]interface{}{},
 		RegistryClientOpts: remoteOpts,
--- a/pkg/cosign/cosign_test.go
+++ b/pkg/cosign/cosign_test.go
@ -81,7 +81,7 @@ func TestCosignKeyless(t *testing.T) {

 	rc, err := registryclient.New()
 	assert.NilError(t, err)
-	opts.RegistryClient = rc
+	opts.Client = rc

 	verifier := &cosignVerifier{}
 	_, err = verifier.VerifySignature(context.TODO(), opts)
--- a/pkg/engine/internal/imageverifier.go
+++ b/pkg/engine/internal/imageverifier.go
@ -465,10 +465,10 @@ func (iv *ImageVerifier) buildCosignVerifier(
 		repository = imageVerify.Repository
 	}
 	opts := &images.Options{
-		ImageRef:       image,
-		Repository:     repository,
-		Annotations:    imageVerify.Annotations,
-		RegistryClient: iv.rclient,
+		ImageRef:    image,
+		Repository:  repository,
+		Annotations: imageVerify.Annotations,
+		Client:      iv.rclient,
 	}

 	if imageVerify.Roots != "" {
@ -536,10 +536,10 @@ func (iv *ImageVerifier) buildNotaryVerifier(
 ) (images.ImageVerifier, *images.Options, string) {
 	path := ""
 	opts := &images.Options{
-		ImageRef:       image,
-		Cert:           attestor.Certificates.Certificate,
-		CertChain:      attestor.Certificates.CertificateChain,
-		RegistryClient: iv.rclient,
+		ImageRef:  image,
+		Cert:      attestor.Certificates.Certificate,
+		CertChain: attestor.Certificates.CertificateChain,
+		Client:    iv.rclient,
 	}

 	if attestation != nil {
--- a/pkg/images/verifier.go
+++ b/pkg/images/verifier.go
@ -3,7 +3,8 @@ package images
 import (
 	"context"

-	"github.com/kyverno/kyverno/pkg/registryclient"
+	"github.com/google/go-containerregistry/pkg/authn"
+	"github.com/sigstore/cosign/pkg/oci/remote"
 )

 type ImageVerifier interface {
@ -14,9 +15,15 @@ type ImageVerifier interface {
 	FetchAttestations(ctx context.Context, opts Options) (*Response, error)
 }

+type Client interface {
+	Keychain() authn.Keychain
+	RefreshKeychainPullSecrets(ctx context.Context) error
+	BuildRemoteOption(context.Context) remote.Option
+}
+
 type Options struct {
 	ImageRef             string
-	RegistryClient       registryclient.Client
+	Client               Client
 	FetchAttestations    bool
 	Key                  string
 	Cert                 string
--- a/pkg/notary/notary.go
+++ b/pkg/notary/notary.go
@ -52,7 +52,7 @@ func (v *notaryVerifier) VerifySignature(ctx context.Context, opts images.Option
 	}

 	v.log.V(4).Info("creating notation repo", "reference", opts.ImageRef)
-	parsedRef, err := parseReferenceCrane(ctx, opts.ImageRef, opts.RegistryClient)
+	parsedRef, err := parseReferenceCrane(ctx, opts.ImageRef, opts.Client)
 	if err != nil {
 		return nil, errors.Wrapf(err, "failed to parse image reference: %s", opts.ImageRef)
 	}
@ -135,7 +135,7 @@ func (v *notaryVerifier) FetchAttestations(ctx context.Context, opts images.Opti
 	if err != nil {
 		return nil, errors.Wrapf(err, "failed to parse image reference: %s", opts.ImageRef)
 	}
-	authenticator, err := getAuthenticator(ctx, opts.ImageRef, opts.RegistryClient)
+	authenticator, err := getAuthenticator(ctx, opts.ImageRef, opts.Client)
 	if err != nil {
 		return nil, errors.Wrapf(err, "failed to parse authenticator: %s", opts.ImageRef)
 	}
@ -237,7 +237,7 @@ func verifyAttestators(ctx context.Context, v *notaryVerifier, ref name.Referenc

 	v.log.V(4).Info("created verifier")
 	reference := ref.Context().RegistryStr() + "/" + ref.Context().RepositoryStr() + "@" + desc.Digest.String()
-	parsedRef, err := parseReferenceCrane(ctx, reference, opts.RegistryClient)
+	parsedRef, err := parseReferenceCrane(ctx, reference, opts.Client)
 	if err != nil {
 		return ocispec.Descriptor{}, errors.Wrapf(err, "failed to parse image reference: %s", opts.ImageRef)
 	}
--- a/pkg/notary/registry.go
+++ b/pkg/notary/registry.go
@ -8,7 +8,7 @@ import (
 	"github.com/google/go-containerregistry/pkg/crane"
 	"github.com/google/go-containerregistry/pkg/name"
 	gcrremote "github.com/google/go-containerregistry/pkg/v1/remote"
-	"github.com/kyverno/kyverno/pkg/registryclient"
+	"github.com/kyverno/kyverno/pkg/images"
 	notationregistry "github.com/notaryproject/notation-go/registry"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
@ -22,7 +22,7 @@ type parsedReference struct {
 	Desc       ocispec.Descriptor
 }

-func parseReferenceCrane(ctx context.Context, ref string, registryClient registryclient.Client) (*parsedReference, error) {
+func parseReferenceCrane(ctx context.Context, ref string, registryClient images.Client) (*parsedReference, error) {
 	nameRef, err := name.ParseReference(ref)
 	if err != nil {
 		return nil, err
@ -78,7 +78,7 @@ func (ir *imageResource) RegistryStr() string {
 	return ir.ref.Context().RegistryStr()
 }

-func getAuthenticator(ctx context.Context, ref string, registryClient registryclient.Client) (*authn.Authenticator, error) {
+func getAuthenticator(ctx context.Context, ref string, registryClient images.Client) (*authn.Authenticator, error) {
 	parsedRef, err := name.ParseReference(ref)
 	if err != nil {
 		return nil, errors.Wrapf(err, "failed to parse registry reference %s", ref)