diff --git a/cmd/background-controller/main.go b/cmd/background-controller/main.go
index 01778c9222..dd34c20ed7 100644
--- a/cmd/background-controller/main.go
+++ b/cmd/background-controller/main.go
@@ -8,7 +8,6 @@ import (
 	"sync"
 	"time"
 
-	"github.com/go-logr/logr"
 	"github.com/kyverno/kyverno/cmd/internal"
 	"github.com/kyverno/kyverno/pkg/background"
 	"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
@@ -19,7 +18,6 @@ import (
 	kyvernoclient "github.com/kyverno/kyverno/pkg/clients/kyverno"
 	"github.com/kyverno/kyverno/pkg/config"
 	policymetricscontroller "github.com/kyverno/kyverno/pkg/controllers/metrics/policy"
-	"github.com/kyverno/kyverno/pkg/cosign"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	"github.com/kyverno/kyverno/pkg/event"
 	"github.com/kyverno/kyverno/pkg/leaderelection"
@@ -35,14 +33,6 @@ const (
 	resyncPeriod = 15 * time.Minute
 )
 
-func setupCosign(logger logr.Logger, imageSignatureRepository string) {
-	logger = logger.WithName("cosign")
-	logger.Info("setup cosign...", "repository", imageSignatureRepository)
-	if imageSignatureRepository != "" {
-		cosign.ImageSignatureRepository = imageSignatureRepository
-	}
-}
-
 func createrLeaderControllers(
 	eng engineapi.Engine,
 	genWorkers int,
@@ -93,12 +83,10 @@ func main() {
 	var (
 		genWorkers int
 		maxQueuedEvents int
-		imageSignatureRepository string
 		leaderElectionRetryPeriod time.Duration
 	)
 	flagset := flag.NewFlagSet("updaterequest-controller", flag.ExitOnError)
 	flagset.IntVar(&genWorkers, "genWorkers", 10, "Workers for the background controller.")
-	flagset.StringVar(&imageSignatureRepository, "imageSignatureRepository", "", "Alternate repository for image signatures. Can be overridden per rule via `verifyImages.Repository`.")
 	flagset.IntVar(&maxQueuedEvents, "maxQueuedEvents", 1000, "Maximum events to be queued.")
 	flagset.DurationVar(&leaderElectionRetryPeriod, "leaderElectionRetryPeriod", leaderelection.DefaultRetryPeriod, "Configure leader election retry period.")
 	// config
@@ -109,6 +97,7 @@ func main() {
 		internal.WithKubeconfig(),
 		internal.WithPolicyExceptions(),
 		internal.WithConfigMapCaching(),
+		internal.WithCosign(),
 		internal.WithRegistryClient(),
 		internal.WithFlagSets(flagset),
 	)
@@ -131,8 +120,6 @@ func main() {
 	kyamlopenapi.Schema()
 	// informer factories
 	kyvernoInformer := kyvernoinformer.NewSharedInformerFactory(kyvernoClient, resyncPeriod)
-	// setup cosign
-	setupCosign(setup.Logger, imageSignatureRepository)
 	eventGenerator := event.NewEventGenerator(
 		dClient,
 		kyvernoInformer.Kyverno().V1().ClusterPolicies(),
diff --git a/cmd/internal/config.go b/cmd/internal/config.go
index eeeab8c288..45eae25637 100644
--- a/cmd/internal/config.go
+++ b/cmd/internal/config.go
@@ -11,6 +11,7 @@ type Configuration interface {
 	UsesKubeconfig() bool
 	UsesPolicyExceptions() bool
 	UsesConfigMapCaching() bool
+	UsesCosign() bool
 	UsesRegistryClient() bool
 	FlagSets() []*flag.FlagSet
 }
@@ -61,6 +62,12 @@ func WithConfigMapCaching() ConfigurationOption {
 	}
 }
 
+func WithCosign() ConfigurationOption {
+	return func(c *configuration) {
+		c.usesCosign = true
+	}
+}
+
 func WithRegistryClient() ConfigurationOption {
 	return func(c *configuration) {
 		c.usesRegistryClient = true
@@ -80,6 +87,7 @@ type configuration struct {
 	usesKubeconfig bool
 	usesPolicyExceptions bool
 	usesConfigMapCaching bool
+	usesCosign bool
 	usesRegistryClient bool
 	flagSets []*flag.FlagSet
 }
@@ -108,6 +116,10 @@ func (c *configuration) UsesConfigMapCaching() bool {
 	return c.usesConfigMapCaching
 }
 
+func (c *configuration) UsesCosign() bool {
+	return c.usesCosign
+}
+
 func (c *configuration) UsesRegistryClient() bool {
 	return c.usesRegistryClient
 }
diff --git a/cmd/internal/cosign.go b/cmd/internal/cosign.go
new file mode 100644
index 0000000000..4a63614bdc
--- /dev/null
+++ b/cmd/internal/cosign.go
@@ -0,0 +1,14 @@
+package internal
+
+import (
+	"github.com/go-logr/logr"
+	"github.com/kyverno/kyverno/pkg/cosign"
+)
+
+func setupCosign(logger logr.Logger) {
+	logger = logger.WithName("cosign").WithValues("repository", imageSignatureRepository)
+	logger.Info("setup cosign...")
+	if imageSignatureRepository != "" {
+		cosign.ImageSignatureRepository = imageSignatureRepository
+	}
+}
diff --git a/cmd/internal/flag.go b/cmd/internal/flag.go
index 20092525bc..940893e9bc 100644
--- a/cmd/internal/flag.go
+++ b/cmd/internal/flag.go
@@ -32,6 +32,8 @@ var (
 	enablePolicyException bool
 	exceptionNamespace string
 	enableConfigMapCaching bool
+	// cosign
+	imageSignatureRepository string
 	// registry client
 	imagePullSecrets string
 	allowInsecureRegistry bool
@@ -79,6 +81,10 @@ func initConfigMapCachingFlags() {
 	flag.BoolVar(&enableConfigMapCaching, "enableConfigMapCaching", true, "Enable config maps caching.")
 }
 
+func initCosignFlags() {
+	flag.StringVar(&imageSignatureRepository, "imageSignatureRepository", "", "Alternate repository for image signatures. Can be overridden per rule via `verifyImages.Repository`.")
+}
+
 func initRegistryClientFlags() {
 	flag.BoolVar(&allowInsecureRegistry, "allowInsecureRegistry", false, "Whether to allow insecure connections to registries. Don't use this for anything but testing.")
 	flag.StringVar(&imagePullSecrets, "imagePullSecrets", "", "Secret resource names for image registry access credentials.")
@@ -111,6 +117,10 @@ func InitFlags(config Configuration) {
 	if config.UsesConfigMapCaching() {
 		initConfigMapCachingFlags()
 	}
+	// cosign
+	if config.UsesCosign() {
+		initCosignFlags()
+	}
 	// registry client
 	if config.UsesRegistryClient() {
 		initRegistryClientFlags()
diff --git a/cmd/internal/setup.go b/cmd/internal/setup.go
index 3a4babcc29..546fc766c4 100644
--- a/cmd/internal/setup.go
+++ b/cmd/internal/setup.go
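Review bot: The new `setupCosign` in cmd/internal/cosign.go carries no doc comment, and its effect depends on an ordering the signature does not express: it reads the package-level `imageSignatureRepository` that `initCosignFlags` binds in flag.go, so it only changes anything if `InitFlags` and flag parsing already ran and the calling binary opted in with `WithCosign()`. I would add above the function: `// setupCosign applies the --imageSignatureRepository override to the global cosign.ImageSignatureRepository. It reads the package-level flag variable, so it must run after InitFlags and flag parsing; an empty value leaves the cosign default untouched.` Because redirecting where signatures are looked up is a trust decision, the `WithValues("repository", ...)` on the logger also deserves a one-line why-comment such as `// log the override so operators can audit where signatures are fetched from`.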
@@ -43,6 +43,7 @@ func Setup(config Configuration, name string, skipResourceFilters bool) (context
 	client = client.WithMetrics(metricsManager, metrics.KubeClient)
 	configuration := startConfigController(ctx, logger, client, skipResourceFilters)
 	sdownTracing := SetupTracing(logger, name, client)
+	setupCosign(logger)
 	var registryClient registryclient.Client
 	if config.UsesRegistryClient() {
 		registryClient = setupRegistryClient(ctx, logger, client)
diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go
index 748197743e..10574cc6de 100644
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@@ -27,7 +27,6 @@ import (
 	openapicontroller "github.com/kyverno/kyverno/pkg/controllers/openapi"
 	policycachecontroller "github.com/kyverno/kyverno/pkg/controllers/policycache"
 	webhookcontroller "github.com/kyverno/kyverno/pkg/controllers/webhook"
-	"github.com/kyverno/kyverno/pkg/cosign"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	"github.com/kyverno/kyverno/pkg/event"
 	"github.com/kyverno/kyverno/pkg/leaderelection"
@@ -58,14 +57,6 @@ const (
 	exceptionWebhookControllerName = "exception-webhook-controller"
 )
 
-func setupCosign(logger logr.Logger, imageSignatureRepository string) {
-	logger = logger.WithName("cosign")
-	logger.Info("setup cosign...", "repository", imageSignatureRepository)
-	if imageSignatureRepository != "" {
-		cosign.ImageSignatureRepository = imageSignatureRepository
-	}
-}
-
 func showWarnings(logger logr.Logger) {
 	logger = logger.WithName("warnings")
 	// log if `forceFailurePolicyIgnore` flag has been set or not
@@ -198,7 +189,6 @@ func main() {
 		genWorkers int
 		maxQueuedEvents int
 		autoUpdateWebhooks bool
-		imageSignatureRepository string
 		webhookRegistrationTimeout time.Duration
 		admissionReports bool
 		dumpPayload bool
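Review bot: `setupCosign(logger)` is called unconditionally in `Setup`, whereas `initCosignFlags` in flag.go is only registered behind `config.UsesCosign()`, so a binary that never called `WithCosign()` still runs the cosign setup and emits the `setup cosign...` log line; today that is harmless only because `imageSignatureRepository` stays empty in that case, and it diverges from the registry-client guard on the very next lines. I would mirror that guard: `if config.UsesCosign() {` / `	setupCosign(logger)` / `}`. `Setup` starts and ends outside the hunk, so I cannot confirm from here that `InitFlags` and flag parsing are guaranteed to have run before this point; the override only takes effect if they have.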
@@ -212,7 +202,6 @@ func main() {
 	flagset.IntVar(&genWorkers, "genWorkers", 10, "Workers for generate controller.")
 	flagset.IntVar(&maxQueuedEvents, "maxQueuedEvents", 1000, "Maximum events to be queued.")
 	flagset.StringVar(&serverIP, "serverIP", "", "IP address where Kyverno controller runs. Only required if out-of-cluster.")
-	flagset.StringVar(&imageSignatureRepository, "imageSignatureRepository", "", "Alternate repository for image signatures. Can be overridden per rule via `verifyImages.Repository`.")
 	flagset.BoolVar(&autoUpdateWebhooks, "autoUpdateWebhooks", true, "Set this flag to 'false' to disable auto-configuration of the webhook.")
 	flagset.DurationVar(&webhookRegistrationTimeout, "webhookRegistrationTimeout", 120*time.Second, "Timeout for webhook registration, e.g., 30s, 1m, 5m.")
 	flagset.Func(toggle.ProtectManagedResourcesFlagName, toggle.ProtectManagedResourcesDescription, toggle.ProtectManagedResources.Parse)
@@ -229,6 +218,7 @@ func main() {
 		internal.WithKubeconfig(),
 		internal.WithPolicyExceptions(),
 		internal.WithConfigMapCaching(),
+		internal.WithCosign(),
 		internal.WithRegistryClient(),
 		internal.WithFlagSets(flagset),
 	)
@@ -262,8 +252,6 @@ func main() {
 	kubeKyvernoInformer := kubeinformers.NewSharedInformerFactoryWithOptions(setup.KubeClient, resyncPeriod, kubeinformers.WithNamespace(config.KyvernoNamespace()))
 	kyvernoInformer := kyvernoinformer.NewSharedInformerFactory(kyvernoClient, resyncPeriod)
 	secretLister := kubeKyvernoInformer.Core().V1().Secrets().Lister().Secrets(config.KyvernoNamespace())
-	// setup cosign
-	setupCosign(setup.Logger, imageSignatureRepository)
 	openApiManager, err := openapi.NewManager(setup.Logger.WithName("openapi"))
 	if err != nil {
 		setup.Logger.Error(err, "Failed to create openapi manager")
diff --git a/cmd/reports-controller/main.go b/cmd/reports-controller/main.go
index 84ce7287e8..a0c077fb2e 100644
--- a/cmd/reports-controller/main.go
+++ b/cmd/reports-controller/main.go
@@ -8,7 +8,6 @@ import (
 	"sync"
 	"time"
 
-	"github.com/go-logr/logr"
 	"github.com/kyverno/kyverno/cmd/internal"
 	"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
 	kyvernoinformer "github.com/kyverno/kyverno/pkg/client/informers/externalversions"
@@ -22,7 +21,6 @@ import (
 	aggregatereportcontroller "github.com/kyverno/kyverno/pkg/controllers/report/aggregate"
 	backgroundscancontroller "github.com/kyverno/kyverno/pkg/controllers/report/background"
 	resourcereportcontroller "github.com/kyverno/kyverno/pkg/controllers/report/resource"
-	"github.com/kyverno/kyverno/pkg/cosign"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	"github.com/kyverno/kyverno/pkg/event"
 	"github.com/kyverno/kyverno/pkg/leaderelection"
@@ -38,14 +36,6 @@ const (
 	resyncPeriod = 15 * time.Minute
 )
 
-func setupCosign(logger logr.Logger, imageSignatureRepository string) {
-	logger = logger.WithName("cosign")
-	logger.Info("setup cosign...", "repository", imageSignatureRepository)
-	if imageSignatureRepository != "" {
-		cosign.ImageSignatureRepository = imageSignatureRepository
-	}
-}
-
 func createReportControllers(
 	eng engineapi.Engine,
 	backgroundScan bool,
@@ -170,7 +160,6 @@ func createrLeaderControllers(
 func main() {
 	var (
 		leaderElectionRetryPeriod time.Duration
-		imageSignatureRepository string
 		backgroundScan bool
 		admissionReports bool
 		reportsChunkSize int
@@ -181,7 +170,6 @@ func main() {
 	)
 	flagset := flag.NewFlagSet("reports-controller", flag.ExitOnError)
 	flagset.DurationVar(&leaderElectionRetryPeriod, "leaderElectionRetryPeriod", leaderelection.DefaultRetryPeriod, "Configure leader election retry period.")
-	flagset.StringVar(&imageSignatureRepository, "imageSignatureRepository", "", "Alternate repository for image signatures. Can be overridden per rule via `verifyImages.Repository`.")
 	flagset.BoolVar(&backgroundScan, "backgroundScan", true, "Enable or disable backgound scan.")
 	flagset.BoolVar(&admissionReports, "admissionReports", true, "Enable or disable admission reports.")
 	flagset.IntVar(&reportsChunkSize, "reportsChunkSize", 1000, "Max number of results in generated reports, reports will be split accordingly if there are more results to be stored.")
@@ -197,6 +185,7 @@ func main() {
 		internal.WithKubeconfig(),
 		internal.WithPolicyExceptions(),
 		internal.WithConfigMapCaching(),
+		internal.WithCosign(),
 		internal.WithRegistryClient(),
 		internal.WithFlagSets(flagset),
 	)
@@ -220,8 +209,6 @@ func main() {
 	kyamlopenapi.Schema()
 	// informer factories
 	kyvernoInformer := kyvernoinformer.NewSharedInformerFactory(kyvernoClient, resyncPeriod)
-	// setup cosign
-	setupCosign(setup.Logger, imageSignatureRepository)
 	eventGenerator := event.NewEventGenerator(
 		dClient,
 		kyvernoInformer.Kyverno().V1().ClusterPolicies(),