mirror of
https://github.com/kyverno/kyverno.git
synced 2025-01-20 18:52:16 +00:00
feat: move cosign init in internal package (#6846)
* refactor: configuration config map controller Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * rbac Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * clean Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * clean Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * logs Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feat: move cosign init in internal package Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
This commit is contained in:
parent
93cf943ad1
commit
89b0a649e3
7 changed files with 40 additions and 41 deletions
|
@ -8,7 +8,6 @@ import (
|
|||
"sync"
|
||||
"time"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
"github.com/kyverno/kyverno/cmd/internal"
|
||||
"github.com/kyverno/kyverno/pkg/background"
|
||||
"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
|
||||
|
@ -19,7 +18,6 @@ import (
|
|||
kyvernoclient "github.com/kyverno/kyverno/pkg/clients/kyverno"
|
||||
"github.com/kyverno/kyverno/pkg/config"
|
||||
policymetricscontroller "github.com/kyverno/kyverno/pkg/controllers/metrics/policy"
|
||||
"github.com/kyverno/kyverno/pkg/cosign"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
"github.com/kyverno/kyverno/pkg/event"
|
||||
"github.com/kyverno/kyverno/pkg/leaderelection"
|
||||
|
@ -35,14 +33,6 @@ const (
|
|||
resyncPeriod = 15 * time.Minute
|
||||
)
|
||||
|
||||
func setupCosign(logger logr.Logger, imageSignatureRepository string) {
|
||||
logger = logger.WithName("cosign")
|
||||
logger.Info("setup cosign...", "repository", imageSignatureRepository)
|
||||
if imageSignatureRepository != "" {
|
||||
cosign.ImageSignatureRepository = imageSignatureRepository
|
||||
}
|
||||
}
|
||||
|
||||
func createrLeaderControllers(
|
||||
eng engineapi.Engine,
|
||||
genWorkers int,
|
||||
|
@ -93,12 +83,10 @@ func main() {
|
|||
var (
|
||||
genWorkers int
|
||||
maxQueuedEvents int
|
||||
imageSignatureRepository string
|
||||
leaderElectionRetryPeriod time.Duration
|
||||
)
|
||||
flagset := flag.NewFlagSet("updaterequest-controller", flag.ExitOnError)
|
||||
flagset.IntVar(&genWorkers, "genWorkers", 10, "Workers for the background controller.")
|
||||
flagset.StringVar(&imageSignatureRepository, "imageSignatureRepository", "", "Alternate repository for image signatures. Can be overridden per rule via `verifyImages.Repository`.")
|
||||
flagset.IntVar(&maxQueuedEvents, "maxQueuedEvents", 1000, "Maximum events to be queued.")
|
||||
flagset.DurationVar(&leaderElectionRetryPeriod, "leaderElectionRetryPeriod", leaderelection.DefaultRetryPeriod, "Configure leader election retry period.")
|
||||
// config
|
||||
|
@ -109,6 +97,7 @@ func main() {
|
|||
internal.WithKubeconfig(),
|
||||
internal.WithPolicyExceptions(),
|
||||
internal.WithConfigMapCaching(),
|
||||
internal.WithCosign(),
|
||||
internal.WithRegistryClient(),
|
||||
internal.WithFlagSets(flagset),
|
||||
)
|
||||
|
@ -131,8 +120,6 @@ func main() {
|
|||
kyamlopenapi.Schema()
|
||||
// informer factories
|
||||
kyvernoInformer := kyvernoinformer.NewSharedInformerFactory(kyvernoClient, resyncPeriod)
|
||||
// setup cosign
|
||||
setupCosign(setup.Logger, imageSignatureRepository)
|
||||
eventGenerator := event.NewEventGenerator(
|
||||
dClient,
|
||||
kyvernoInformer.Kyverno().V1().ClusterPolicies(),
|
||||
|
|
|
@ -11,6 +11,7 @@ type Configuration interface {
|
|||
UsesKubeconfig() bool
|
||||
UsesPolicyExceptions() bool
|
||||
UsesConfigMapCaching() bool
|
||||
UsesCosign() bool
|
||||
UsesRegistryClient() bool
|
||||
FlagSets() []*flag.FlagSet
|
||||
}
|
||||
|
@ -61,6 +62,12 @@ func WithConfigMapCaching() ConfigurationOption {
|
|||
}
|
||||
}
|
||||
|
||||
func WithCosign() ConfigurationOption {
|
||||
return func(c *configuration) {
|
||||
c.usesCosign = true
|
||||
}
|
||||
}
|
||||
|
||||
func WithRegistryClient() ConfigurationOption {
|
||||
return func(c *configuration) {
|
||||
c.usesRegistryClient = true
|
||||
|
@ -80,6 +87,7 @@ type configuration struct {
|
|||
usesKubeconfig bool
|
||||
usesPolicyExceptions bool
|
||||
usesConfigMapCaching bool
|
||||
usesCosign bool
|
||||
usesRegistryClient bool
|
||||
flagSets []*flag.FlagSet
|
||||
}
|
||||
|
@ -108,6 +116,10 @@ func (c *configuration) UsesConfigMapCaching() bool {
|
|||
return c.usesConfigMapCaching
|
||||
}
|
||||
|
||||
func (c *configuration) UsesCosign() bool {
|
||||
return c.usesCosign
|
||||
}
|
||||
|
||||
func (c *configuration) UsesRegistryClient() bool {
|
||||
return c.usesRegistryClient
|
||||
}
|
||||
|
|
14
cmd/internal/cosign.go
Normal file
14
cmd/internal/cosign.go
Normal file
|
@ -0,0 +1,14 @@
|
|||
package internal
|
||||
|
||||
import (
|
||||
"github.com/go-logr/logr"
|
||||
"github.com/kyverno/kyverno/pkg/cosign"
|
||||
)
|
||||
|
||||
func setupCosign(logger logr.Logger) {
|
||||
logger = logger.WithName("cosign").WithValues("repository", imageSignatureRepository)
|
||||
logger.Info("setup cosign...")
|
||||
if imageSignatureRepository != "" {
|
||||
cosign.ImageSignatureRepository = imageSignatureRepository
|
||||
}
|
||||
}
|
|
@ -32,6 +32,8 @@ var (
|
|||
enablePolicyException bool
|
||||
exceptionNamespace string
|
||||
enableConfigMapCaching bool
|
||||
// cosign
|
||||
imageSignatureRepository string
|
||||
// registry client
|
||||
imagePullSecrets string
|
||||
allowInsecureRegistry bool
|
||||
|
@ -79,6 +81,10 @@ func initConfigMapCachingFlags() {
|
|||
flag.BoolVar(&enableConfigMapCaching, "enableConfigMapCaching", true, "Enable config maps caching.")
|
||||
}
|
||||
|
||||
func initCosignFlags() {
|
||||
flag.StringVar(&imageSignatureRepository, "imageSignatureRepository", "", "Alternate repository for image signatures. Can be overridden per rule via `verifyImages.Repository`.")
|
||||
}
|
||||
|
||||
func initRegistryClientFlags() {
|
||||
flag.BoolVar(&allowInsecureRegistry, "allowInsecureRegistry", false, "Whether to allow insecure connections to registries. Don't use this for anything but testing.")
|
||||
flag.StringVar(&imagePullSecrets, "imagePullSecrets", "", "Secret resource names for image registry access credentials.")
|
||||
|
@ -111,6 +117,10 @@ func InitFlags(config Configuration) {
|
|||
if config.UsesConfigMapCaching() {
|
||||
initConfigMapCachingFlags()
|
||||
}
|
||||
// cosign
|
||||
if config.UsesCosign() {
|
||||
initCosignFlags()
|
||||
}
|
||||
// registry client
|
||||
if config.UsesRegistryClient() {
|
||||
initRegistryClientFlags()
|
||||
|
|
|
@ -43,6 +43,7 @@ func Setup(config Configuration, name string, skipResourceFilters bool) (context
|
|||
client = client.WithMetrics(metricsManager, metrics.KubeClient)
|
||||
configuration := startConfigController(ctx, logger, client, skipResourceFilters)
|
||||
sdownTracing := SetupTracing(logger, name, client)
|
||||
setupCosign(logger)
|
||||
var registryClient registryclient.Client
|
||||
if config.UsesRegistryClient() {
|
||||
registryClient = setupRegistryClient(ctx, logger, client)
|
||||
|
|
|
@ -27,7 +27,6 @@ import (
|
|||
openapicontroller "github.com/kyverno/kyverno/pkg/controllers/openapi"
|
||||
policycachecontroller "github.com/kyverno/kyverno/pkg/controllers/policycache"
|
||||
webhookcontroller "github.com/kyverno/kyverno/pkg/controllers/webhook"
|
||||
"github.com/kyverno/kyverno/pkg/cosign"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
"github.com/kyverno/kyverno/pkg/event"
|
||||
"github.com/kyverno/kyverno/pkg/leaderelection"
|
||||
|
@ -58,14 +57,6 @@ const (
|
|||
exceptionWebhookControllerName = "exception-webhook-controller"
|
||||
)
|
||||
|
||||
func setupCosign(logger logr.Logger, imageSignatureRepository string) {
|
||||
logger = logger.WithName("cosign")
|
||||
logger.Info("setup cosign...", "repository", imageSignatureRepository)
|
||||
if imageSignatureRepository != "" {
|
||||
cosign.ImageSignatureRepository = imageSignatureRepository
|
||||
}
|
||||
}
|
||||
|
||||
func showWarnings(logger logr.Logger) {
|
||||
logger = logger.WithName("warnings")
|
||||
// log if `forceFailurePolicyIgnore` flag has been set or not
|
||||
|
@ -198,7 +189,6 @@ func main() {
|
|||
genWorkers int
|
||||
maxQueuedEvents int
|
||||
autoUpdateWebhooks bool
|
||||
imageSignatureRepository string
|
||||
webhookRegistrationTimeout time.Duration
|
||||
admissionReports bool
|
||||
dumpPayload bool
|
||||
|
@ -212,7 +202,6 @@ func main() {
|
|||
flagset.IntVar(&genWorkers, "genWorkers", 10, "Workers for generate controller.")
|
||||
flagset.IntVar(&maxQueuedEvents, "maxQueuedEvents", 1000, "Maximum events to be queued.")
|
||||
flagset.StringVar(&serverIP, "serverIP", "", "IP address where Kyverno controller runs. Only required if out-of-cluster.")
|
||||
flagset.StringVar(&imageSignatureRepository, "imageSignatureRepository", "", "Alternate repository for image signatures. Can be overridden per rule via `verifyImages.Repository`.")
|
||||
flagset.BoolVar(&autoUpdateWebhooks, "autoUpdateWebhooks", true, "Set this flag to 'false' to disable auto-configuration of the webhook.")
|
||||
flagset.DurationVar(&webhookRegistrationTimeout, "webhookRegistrationTimeout", 120*time.Second, "Timeout for webhook registration, e.g., 30s, 1m, 5m.")
|
||||
flagset.Func(toggle.ProtectManagedResourcesFlagName, toggle.ProtectManagedResourcesDescription, toggle.ProtectManagedResources.Parse)
|
||||
|
@ -229,6 +218,7 @@ func main() {
|
|||
internal.WithKubeconfig(),
|
||||
internal.WithPolicyExceptions(),
|
||||
internal.WithConfigMapCaching(),
|
||||
internal.WithCosign(),
|
||||
internal.WithRegistryClient(),
|
||||
internal.WithFlagSets(flagset),
|
||||
)
|
||||
|
@ -262,8 +252,6 @@ func main() {
|
|||
kubeKyvernoInformer := kubeinformers.NewSharedInformerFactoryWithOptions(setup.KubeClient, resyncPeriod, kubeinformers.WithNamespace(config.KyvernoNamespace()))
|
||||
kyvernoInformer := kyvernoinformer.NewSharedInformerFactory(kyvernoClient, resyncPeriod)
|
||||
secretLister := kubeKyvernoInformer.Core().V1().Secrets().Lister().Secrets(config.KyvernoNamespace())
|
||||
// setup cosign
|
||||
setupCosign(setup.Logger, imageSignatureRepository)
|
||||
openApiManager, err := openapi.NewManager(setup.Logger.WithName("openapi"))
|
||||
if err != nil {
|
||||
setup.Logger.Error(err, "Failed to create openapi manager")
|
||||
|
|
|
@ -8,7 +8,6 @@ import (
|
|||
"sync"
|
||||
"time"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
"github.com/kyverno/kyverno/cmd/internal"
|
||||
"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
|
||||
kyvernoinformer "github.com/kyverno/kyverno/pkg/client/informers/externalversions"
|
||||
|
@ -22,7 +21,6 @@ import (
|
|||
aggregatereportcontroller "github.com/kyverno/kyverno/pkg/controllers/report/aggregate"
|
||||
backgroundscancontroller "github.com/kyverno/kyverno/pkg/controllers/report/background"
|
||||
resourcereportcontroller "github.com/kyverno/kyverno/pkg/controllers/report/resource"
|
||||
"github.com/kyverno/kyverno/pkg/cosign"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
"github.com/kyverno/kyverno/pkg/event"
|
||||
"github.com/kyverno/kyverno/pkg/leaderelection"
|
||||
|
@ -38,14 +36,6 @@ const (
|
|||
resyncPeriod = 15 * time.Minute
|
||||
)
|
||||
|
||||
func setupCosign(logger logr.Logger, imageSignatureRepository string) {
|
||||
logger = logger.WithName("cosign")
|
||||
logger.Info("setup cosign...", "repository", imageSignatureRepository)
|
||||
if imageSignatureRepository != "" {
|
||||
cosign.ImageSignatureRepository = imageSignatureRepository
|
||||
}
|
||||
}
|
||||
|
||||
func createReportControllers(
|
||||
eng engineapi.Engine,
|
||||
backgroundScan bool,
|
||||
|
@ -170,7 +160,6 @@ func createrLeaderControllers(
|
|||
func main() {
|
||||
var (
|
||||
leaderElectionRetryPeriod time.Duration
|
||||
imageSignatureRepository string
|
||||
backgroundScan bool
|
||||
admissionReports bool
|
||||
reportsChunkSize int
|
||||
|
@ -181,7 +170,6 @@ func main() {
|
|||
)
|
||||
flagset := flag.NewFlagSet("reports-controller", flag.ExitOnError)
|
||||
flagset.DurationVar(&leaderElectionRetryPeriod, "leaderElectionRetryPeriod", leaderelection.DefaultRetryPeriod, "Configure leader election retry period.")
|
||||
flagset.StringVar(&imageSignatureRepository, "imageSignatureRepository", "", "Alternate repository for image signatures. Can be overridden per rule via `verifyImages.Repository`.")
|
||||
flagset.BoolVar(&backgroundScan, "backgroundScan", true, "Enable or disable backgound scan.")
|
||||
flagset.BoolVar(&admissionReports, "admissionReports", true, "Enable or disable admission reports.")
|
||||
flagset.IntVar(&reportsChunkSize, "reportsChunkSize", 1000, "Max number of results in generated reports, reports will be split accordingly if there are more results to be stored.")
|
||||
|
@ -197,6 +185,7 @@ func main() {
|
|||
internal.WithKubeconfig(),
|
||||
internal.WithPolicyExceptions(),
|
||||
internal.WithConfigMapCaching(),
|
||||
internal.WithCosign(),
|
||||
internal.WithRegistryClient(),
|
||||
internal.WithFlagSets(flagset),
|
||||
)
|
||||
|
@ -220,8 +209,6 @@ func main() {
|
|||
kyamlopenapi.Schema()
|
||||
// informer factories
|
||||
kyvernoInformer := kyvernoinformer.NewSharedInformerFactory(kyvernoClient, resyncPeriod)
|
||||
// setup cosign
|
||||
setupCosign(setup.Logger, imageSignatureRepository)
|
||||
eventGenerator := event.NewEventGenerator(
|
||||
dClient,
|
||||
kyvernoInformer.Kyverno().V1().ClusterPolicies(),
|
||||
|
|
Loading…
Add table
Reference in a new issue