fix: remove deprecated imageSignatureRepository flag (#9698)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-03-28 10:28:36 +00:00 · 2024-02-08 13:10:29 +01:00 · 2024-02-08 13:10:29 +01:00 · a1cb4f1c30
commit a1cb4f1c30
parent c2dda83d6e
14 changed files with 45 additions and 79 deletions
--- a/cmd/cli/kubectl-kyverno/processor/generate.go
+++ b/cmd/cli/kubectl-kyverno/processor/generate.go
@ -135,7 +135,6 @@ func initializeMockController(out io.Writer, s *store.Store, gvrToListKind map[s
 		imageverifycache.DisabledImageVerifyCache(),
 		store.ContextLoaderFactory(s, nil),
 		nil,
-		"",
 	))
 	return c, nil
 }
--- a/cmd/cli/kubectl-kyverno/processor/policy_processor.go
+++ b/cmd/cli/kubectl-kyverno/processor/policy_processor.go
@ -81,7 +81,6 @@ func (p *PolicyProcessor) ApplyPoliciesOnResource() ([]engineapi.EngineResponse,
 		imageverifycache.DisabledImageVerifyCache(),
 		store.ContextLoaderFactory(p.Store, nil),
 		policyExceptionLister,
-		"",
 	)
 	gvk, subresource := resource.GroupVersionKind(), ""
 	// If --cluster flag is not set, then we need to find the top level resource GVK and subresource
--- a/cmd/internal/engine.go
+++ b/cmd/internal/engine.go
@ -52,7 +52,6 @@ func NewEngine(
 		ivCache,
 		factories.DefaultContextLoaderFactory(configMapResolver, factories.WithAPICallConfig(apiCallConfig), factories.WithGlobalContextStore(gctxStore)),
 		exceptionsSelector,
-		imageSignatureRepository,
 	)
 }

--- a/cmd/internal/flag.go
+++ b/cmd/internal/flag.go
@ -41,10 +41,9 @@ var (
 	exceptionNamespace     string
 	enableConfigMapCaching bool
 	// cosign
-	imageSignatureRepository string
-	enableTUF                bool
-	tufMirror                string
-	tufRoot                  string
+	enableTUF bool
+	tufMirror string
+	tufRoot   string
 	// registry client
 	imagePullSecrets          string
 	allowInsecureRegistry     bool
@ -111,7 +110,6 @@ func initDeferredLoadingFlags() {
 }

 func initCosignFlags() {
-	flag.StringVar(&imageSignatureRepository, "imageSignatureRepository", "", "(DEPRECATED, will be removed in 1.12) Alternate repository for image signatures. Can be overridden per rule via `verifyImages.Repository`.")
 	flag.BoolVar(&enableTUF, "enableTuf", false, "enable tuf for private sigstore deployments")
 	flag.StringVar(&tufMirror, "tufMirror", tuf.DefaultRemoteRoot, "Alternate TUF mirror for sigstore. If left blank, public sigstore one is used for cosign verification.")
 	flag.StringVar(&tufRoot, "tufRoot", "", "Alternate TUF root.json for sigstore. If left blank, public sigstore one is used for cosign verification.")
@ -229,11 +227,6 @@ func initFlags(config Configuration, opts ...Option) {
 }

 func showWarnings(config Configuration, logger logr.Logger) {
-	if config.UsesCosign() {
-		if imageSignatureRepository != "" {
-			logger.Info("Warning: imageSignatureRepository is deprecated and will be removed in 1.12. Use per rule configuration `verifyImages.Repository` instead.")
-		}
-	}
 }

 func ParseFlags(config Configuration, opts ...Option) {
--- a/pkg/engine/engine.go
+++ b/pkg/engine/engine.go
@ -27,15 +27,14 @@ import (
 )

 type engine struct {
-	configuration            config.Configuration
-	metricsConfiguration     config.MetricsConfiguration
-	jp                       jmespath.Interface
-	client                   engineapi.Client
-	rclientFactory           engineapi.RegistryClientFactory
-	ivCache                  imageverifycache.Client
-	contextLoader            engineapi.ContextLoaderFactory
-	exceptionSelector        engineapi.PolicyExceptionSelector
-	imageSignatureRepository string
+	configuration        config.Configuration
+	metricsConfiguration config.MetricsConfiguration
+	jp                   jmespath.Interface
+	client               engineapi.Client
+	rclientFactory       engineapi.RegistryClientFactory
+	ivCache              imageverifycache.Client
+	contextLoader        engineapi.ContextLoaderFactory
+	exceptionSelector    engineapi.PolicyExceptionSelector
 	// metrics
 	resultCounter     metric.Int64Counter
 	durationHistogram metric.Float64Histogram
@ -52,7 +51,6 @@ func NewEngine(
 	ivCache imageverifycache.Client,
 	contextLoader engineapi.ContextLoaderFactory,
 	exceptionSelector engineapi.PolicyExceptionSelector,
-	imageSignatureRepository string,
 ) engineapi.Engine {
 	meter := otel.GetMeterProvider().Meter(metrics.MeterName)
 	resultCounter, err := meter.Int64Counter(
@ -70,17 +68,16 @@ func NewEngine(
 		logging.Error(err, "failed to register metric kyverno_policy_execution_duration_seconds")
 	}
 	return &engine{
-		configuration:            configuration,
-		metricsConfiguration:     metricsConfiguration,
-		jp:                       jp,
-		client:                   client,
-		rclientFactory:           rclientFactory,
-		ivCache:                  ivCache,
-		contextLoader:            contextLoader,
-		exceptionSelector:        exceptionSelector,
-		imageSignatureRepository: imageSignatureRepository,
-		resultCounter:            resultCounter,
-		durationHistogram:        durationHistogram,
+		configuration:        configuration,
+		metricsConfiguration: metricsConfiguration,
+		jp:                   jp,
+		client:               client,
+		rclientFactory:       rclientFactory,
+		ivCache:              ivCache,
+		contextLoader:        contextLoader,
+		exceptionSelector:    exceptionSelector,
+		resultCounter:        resultCounter,
+		durationHistogram:    durationHistogram,
 	}
 }

--- a/pkg/engine/fuzz_test.go
+++ b/pkg/engine/fuzz_test.go
@ -43,7 +43,6 @@ var (
 		imageverifycache.DisabledImageVerifyCache(),
 		factories.DefaultContextLoaderFactory(nil),
 		nil,
-		"",
 	)
 	initter sync.Once
 )
@ -127,7 +126,6 @@ func FuzzVerifyImageAndPatchTest(f *testing.F) {
 			imageverifycache.DisabledImageVerifyCache(),
 			factories.DefaultContextLoaderFactory(nil),
 			nil,
-			"",
 		)

 		_, _ = verifyImageAndPatchEngine.VerifyAndPatchImages(
@ -274,7 +272,6 @@ func FuzzMutateTest(f *testing.F) {
 			imageverifycache.DisabledImageVerifyCache(),
 			factories.DefaultContextLoaderFactory(nil),
 			nil,
-			"",
 		)
 		e.Mutate(
 			context.Background(),
--- a/pkg/engine/handlers/mutation/mutate_image.go
+++ b/pkg/engine/handlers/mutation/mutate_image.go
@ -24,12 +24,11 @@ import (
 )

 type mutateImageHandler struct {
-	configuration            config.Configuration
-	rclientFactory           engineapi.RegistryClientFactory
-	ivCache                  imageverifycache.Client
-	ivm                      *engineapi.ImageVerificationMetadata
-	images                   []apiutils.ImageInfo
-	imageSignatureRepository string
+	configuration  config.Configuration
+	rclientFactory engineapi.RegistryClientFactory
+	ivCache        imageverifycache.Client
+	ivm            *engineapi.ImageVerificationMetadata
+	images         []apiutils.ImageInfo
 }

 func NewMutateImageHandler(
@ -40,7 +39,6 @@ func NewMutateImageHandler(
 	rclientFactory engineapi.RegistryClientFactory,
 	ivCache imageverifycache.Client,
 	ivm *engineapi.ImageVerificationMetadata,
-	imageSignatureRepository string,
 ) (handlers.Handler, error) {
 	if len(rule.VerifyImages) == 0 {
 		return nil, nil
@ -53,12 +51,11 @@ func NewMutateImageHandler(
 		return nil, nil
 	}
 	return mutateImageHandler{
-		configuration:            configuration,
-		rclientFactory:           rclientFactory,
-		ivm:                      ivm,
-		ivCache:                  ivCache,
-		images:                   ruleImages,
-		imageSignatureRepository: imageSignatureRepository,
+		configuration:  configuration,
+		rclientFactory: rclientFactory,
+		ivm:            ivm,
+		ivCache:        ivCache,
+		images:         ruleImages,
 	}, nil
 }

@ -102,7 +99,7 @@ func (h mutateImageHandler) Process(
 				engineapi.RuleError(rule.Name, engineapi.ImageVerify, "failed to fetch secrets", err),
 			)
 		}
-		iv := internal.NewImageVerifier(logger, rclient, h.ivCache, policyContext, *ruleCopy, h.ivm, h.imageSignatureRepository)
+		iv := internal.NewImageVerifier(logger, rclient, h.ivCache, policyContext, *ruleCopy, h.ivm)
 		patch, ruleResponse := iv.Verify(ctx, imageVerify, h.images, h.configuration)
 		patches = append(patches, patch...)
 		engineResponses = append(engineResponses, ruleResponse...)
--- a/pkg/engine/image_verify.go
+++ b/pkg/engine/image_verify.go
@ -43,7 +43,6 @@ func (e *engine) verifyAndPatchImages(
 				e.rclientFactory,
 				e.ivCache,
 				&ivm,
-				e.imageSignatureRepository,
 			)
 		}
 		resource, ruleResp := e.invokeRuleHandler(
--- a/pkg/engine/image_verify_test.go
+++ b/pkg/engine/image_verify_test.go
@ -322,7 +322,6 @@ func testVerifyAndPatchImages(
 		imageverifycache.DisabledImageVerifyCache(),
 		factories.DefaultContextLoaderFactory(cmResolver),
 		nil,
-		"",
 	)
 	return e.VerifyAndPatchImages(
 		ctx,
@ -1075,7 +1074,6 @@ func testImageVerifyCache(
 		ivCache,
 		factories.DefaultContextLoaderFactory(cmResolver),
 		nil,
-		"",
 	)
 	return e.VerifyAndPatchImages(
 		ctx,
--- a/pkg/engine/internal/imageverifier.go
+++ b/pkg/engine/internal/imageverifier.go
@ -29,13 +29,12 @@ import (
 )

 type ImageVerifier struct {
-	logger                   logr.Logger
-	rclient                  engineapi.RegistryClient
-	ivCache                  imageverifycache.Client
-	policyContext            engineapi.PolicyContext
-	rule                     kyvernov1.Rule
-	ivm                      *engineapi.ImageVerificationMetadata
-	imageSignatureRepository string
+	logger        logr.Logger
+	rclient       engineapi.RegistryClient
+	ivCache       imageverifycache.Client
+	policyContext engineapi.PolicyContext
+	rule          kyvernov1.Rule
+	ivm           *engineapi.ImageVerificationMetadata
 }

 func NewImageVerifier(
@ -45,16 +44,14 @@ func NewImageVerifier(
 	policyContext engineapi.PolicyContext,
 	rule kyvernov1.Rule,
 	ivm *engineapi.ImageVerificationMetadata,
-	imageSignatureRepository string,
 ) *ImageVerifier {
 	return &ImageVerifier{
-		logger:                   logger,
-		rclient:                  rclient,
-		ivCache:                  ivCache,
-		policyContext:            policyContext,
-		rule:                     rule,
-		ivm:                      ivm,
-		imageSignatureRepository: imageSignatureRepository,
+		logger:        logger,
+		rclient:       rclient,
+		ivCache:       ivCache,
+		policyContext: policyContext,
+		rule:          rule,
+		ivm:           ivm,
 	}
 }

@ -552,13 +549,9 @@ func (iv *ImageVerifier) buildCosignVerifier(
 	attestation *kyvernov1.Attestation,
 ) (images.ImageVerifier, *images.Options, string) {
 	path := ""
-	repository := iv.imageSignatureRepository
-	if imageVerify.Repository != "" {
-		repository = imageVerify.Repository
-	}
 	opts := &images.Options{
 		ImageRef:    image,
-		Repository:  repository,
+		Repository:  imageVerify.Repository,
 		Annotations: imageVerify.Annotations,
 		Client:      iv.rclient,
 	}
--- a/pkg/engine/mutation_test.go
+++ b/pkg/engine/mutation_test.go
@ -42,7 +42,6 @@ func testMutate(
 		imageverifycache.DisabledImageVerifyCache(),
 		contextLoader,
 		nil,
-		"",
 	)
 	return e.Mutate(
 		ctx,
--- a/pkg/engine/validation_test.go
+++ b/pkg/engine/validation_test.go
@ -41,7 +41,6 @@ func testValidate(
 		imageverifycache.DisabledImageVerifyCache(),
 		contextLoader,
 		nil,
-		"",
 	)
 	return e.Validate(
 		ctx,
--- a/pkg/webhooks/resource/fake.go
+++ b/pkg/webhooks/resource/fake.go
@ -62,7 +62,6 @@ func NewFakeHandlers(ctx context.Context, policyCache policycache.Cache) webhook
 			imageverifycache.DisabledImageVerifyCache(),
 			factories.DefaultContextLoaderFactory(configMapResolver),
 			peLister,
-			"",
 		),
 	}
 }
--- a/pkg/webhooks/resource/validation_test.go
+++ b/pkg/webhooks/resource/validation_test.go
@ -1064,7 +1064,6 @@ func TestValidate_failure_action_overrides(t *testing.T) {
 		imageverifycache.DisabledImageVerifyCache(),
 		factories.DefaultContextLoaderFactory(nil),
 		nil,
-		"",
 	)
 	for i, tc := range testcases {
 		t.Run(fmt.Sprintf("case %d", i), func(t *testing.T) {
@ -1167,7 +1166,6 @@ func Test_RuleSelector(t *testing.T) {
 		imageverifycache.DisabledImageVerifyCache(),
 		factories.DefaultContextLoaderFactory(nil),
 		nil,
-		"",
 	)
 	resp := eng.Validate(
 		context.TODO(),