From a1cb4f1c303c448d211abcc80035c057eb8e421b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Thu, 8 Feb 2024 13:10:29 +0100 Subject: [PATCH] fix: remove deprecated imageSignatureRepository flag (#9698) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Charles-Edouard Brétéché --- cmd/cli/kubectl-kyverno/processor/generate.go | 1 - .../processor/policy_processor.go | 1 - cmd/internal/engine.go | 1 - cmd/internal/flag.go | 13 ++----- pkg/engine/engine.go | 39 +++++++++---------- pkg/engine/fuzz_test.go | 3 -- pkg/engine/handlers/mutation/mutate_image.go | 25 ++++++------ pkg/engine/image_verify.go | 1 - pkg/engine/image_verify_test.go | 2 - pkg/engine/internal/imageverifier.go | 33 +++++++--------- pkg/engine/mutation_test.go | 1 - pkg/engine/validation_test.go | 1 - pkg/webhooks/resource/fake.go | 1 - pkg/webhooks/resource/validation_test.go | 2 - 14 files changed, 45 insertions(+), 79 deletions(-) diff --git a/cmd/cli/kubectl-kyverno/processor/generate.go b/cmd/cli/kubectl-kyverno/processor/generate.go index 073de09578..b5df84db26 100644 --- a/cmd/cli/kubectl-kyverno/processor/generate.go +++ b/cmd/cli/kubectl-kyverno/processor/generate.go @@ -135,7 +135,6 @@ func initializeMockController(out io.Writer, s *store.Store, gvrToListKind map[s imageverifycache.DisabledImageVerifyCache(), store.ContextLoaderFactory(s, nil), nil, - "", )) return c, nil } diff --git a/cmd/cli/kubectl-kyverno/processor/policy_processor.go b/cmd/cli/kubectl-kyverno/processor/policy_processor.go index 7b592a8a57..32e245b328 100644 --- a/cmd/cli/kubectl-kyverno/processor/policy_processor.go +++ b/cmd/cli/kubectl-kyverno/processor/policy_processor.go @@ -81,7 +81,6 @@ func (p *PolicyProcessor) ApplyPoliciesOnResource() ([]engineapi.EngineResponse, imageverifycache.DisabledImageVerifyCache(), store.ContextLoaderFactory(p.Store, nil), policyExceptionLister, - "", ) gvk, subresource := resource.GroupVersionKind(), "" // If --cluster flag is not set, then we need to find the top level resource GVK and subresource diff --git a/cmd/internal/engine.go b/cmd/internal/engine.go index f1754a73f5..1fd5e99564 100644 --- a/cmd/internal/engine.go +++ b/cmd/internal/engine.go @@ -52,7 +52,6 @@ func NewEngine( ivCache, factories.DefaultContextLoaderFactory(configMapResolver, factories.WithAPICallConfig(apiCallConfig), factories.WithGlobalContextStore(gctxStore)), exceptionsSelector, - imageSignatureRepository, ) } diff --git a/cmd/internal/flag.go b/cmd/internal/flag.go index 357e2a9672..714446b616 100644 --- a/cmd/internal/flag.go +++ b/cmd/internal/flag.go @@ -41,10 +41,9 @@ var ( exceptionNamespace string enableConfigMapCaching bool // cosign - imageSignatureRepository string - enableTUF bool - tufMirror string - tufRoot string + enableTUF bool + tufMirror string + tufRoot string // registry client imagePullSecrets string allowInsecureRegistry bool @@ -111,7 +110,6 @@ func initDeferredLoadingFlags() { } func initCosignFlags() { - flag.StringVar(&imageSignatureRepository, "imageSignatureRepository", "", "(DEPRECATED, will be removed in 1.12) Alternate repository for image signatures. Can be overridden per rule via `verifyImages.Repository`.") flag.BoolVar(&enableTUF, "enableTuf", false, "enable tuf for private sigstore deployments") flag.StringVar(&tufMirror, "tufMirror", tuf.DefaultRemoteRoot, "Alternate TUF mirror for sigstore. If left blank, public sigstore one is used for cosign verification.") flag.StringVar(&tufRoot, "tufRoot", "", "Alternate TUF root.json for sigstore. If left blank, public sigstore one is used for cosign verification.") @@ -229,11 +227,6 @@ func initFlags(config Configuration, opts ...Option) { } func showWarnings(config Configuration, logger logr.Logger) { - if config.UsesCosign() { - if imageSignatureRepository != "" { - logger.Info("Warning: imageSignatureRepository is deprecated and will be removed in 1.12. Use per rule configuration `verifyImages.Repository` instead.") - } - } } func ParseFlags(config Configuration, opts ...Option) { diff --git a/pkg/engine/engine.go b/pkg/engine/engine.go index 8b16028f14..c1dc78a261 100644 --- a/pkg/engine/engine.go +++ b/pkg/engine/engine.go @@ -27,15 +27,14 @@ import ( ) type engine struct { - configuration config.Configuration - metricsConfiguration config.MetricsConfiguration - jp jmespath.Interface - client engineapi.Client - rclientFactory engineapi.RegistryClientFactory - ivCache imageverifycache.Client - contextLoader engineapi.ContextLoaderFactory - exceptionSelector engineapi.PolicyExceptionSelector - imageSignatureRepository string + configuration config.Configuration + metricsConfiguration config.MetricsConfiguration + jp jmespath.Interface + client engineapi.Client + rclientFactory engineapi.RegistryClientFactory + ivCache imageverifycache.Client + contextLoader engineapi.ContextLoaderFactory + exceptionSelector engineapi.PolicyExceptionSelector // metrics resultCounter metric.Int64Counter durationHistogram metric.Float64Histogram @@ -52,7 +51,6 @@ func NewEngine( ivCache imageverifycache.Client, contextLoader engineapi.ContextLoaderFactory, exceptionSelector engineapi.PolicyExceptionSelector, - imageSignatureRepository string, ) engineapi.Engine { meter := otel.GetMeterProvider().Meter(metrics.MeterName) resultCounter, err := meter.Int64Counter( @@ -70,17 +68,16 @@ func NewEngine( logging.Error(err, "failed to register metric kyverno_policy_execution_duration_seconds") } return &engine{ - configuration: configuration, - metricsConfiguration: metricsConfiguration, - jp: jp, - client: client, - rclientFactory: rclientFactory, - ivCache: ivCache, - contextLoader: contextLoader, - exceptionSelector: exceptionSelector, - imageSignatureRepository: imageSignatureRepository, - resultCounter: resultCounter, - durationHistogram: durationHistogram, + configuration: configuration, + metricsConfiguration: metricsConfiguration, + jp: jp, + client: client, + rclientFactory: rclientFactory, + ivCache: ivCache, + contextLoader: contextLoader, + exceptionSelector: exceptionSelector, + resultCounter: resultCounter, + durationHistogram: durationHistogram, } } diff --git a/pkg/engine/fuzz_test.go b/pkg/engine/fuzz_test.go index 5882cc58cf..63888f3a12 100644 --- a/pkg/engine/fuzz_test.go +++ b/pkg/engine/fuzz_test.go @@ -43,7 +43,6 @@ var ( imageverifycache.DisabledImageVerifyCache(), factories.DefaultContextLoaderFactory(nil), nil, - "", ) initter sync.Once ) @@ -127,7 +126,6 @@ func FuzzVerifyImageAndPatchTest(f *testing.F) { imageverifycache.DisabledImageVerifyCache(), factories.DefaultContextLoaderFactory(nil), nil, - "", ) _, _ = verifyImageAndPatchEngine.VerifyAndPatchImages( @@ -274,7 +272,6 @@ func FuzzMutateTest(f *testing.F) { imageverifycache.DisabledImageVerifyCache(), factories.DefaultContextLoaderFactory(nil), nil, - "", ) e.Mutate( context.Background(), diff --git a/pkg/engine/handlers/mutation/mutate_image.go b/pkg/engine/handlers/mutation/mutate_image.go index c9dbe1a9eb..63cb69efde 100644 --- a/pkg/engine/handlers/mutation/mutate_image.go +++ b/pkg/engine/handlers/mutation/mutate_image.go @@ -24,12 +24,11 @@ import ( ) type mutateImageHandler struct { - configuration config.Configuration - rclientFactory engineapi.RegistryClientFactory - ivCache imageverifycache.Client - ivm *engineapi.ImageVerificationMetadata - images []apiutils.ImageInfo - imageSignatureRepository string + configuration config.Configuration + rclientFactory engineapi.RegistryClientFactory + ivCache imageverifycache.Client + ivm *engineapi.ImageVerificationMetadata + images []apiutils.ImageInfo } func NewMutateImageHandler( @@ -40,7 +39,6 @@ func NewMutateImageHandler( rclientFactory engineapi.RegistryClientFactory, ivCache imageverifycache.Client, ivm *engineapi.ImageVerificationMetadata, - imageSignatureRepository string, ) (handlers.Handler, error) { if len(rule.VerifyImages) == 0 { return nil, nil @@ -53,12 +51,11 @@ func NewMutateImageHandler( return nil, nil } return mutateImageHandler{ - configuration: configuration, - rclientFactory: rclientFactory, - ivm: ivm, - ivCache: ivCache, - images: ruleImages, - imageSignatureRepository: imageSignatureRepository, + configuration: configuration, + rclientFactory: rclientFactory, + ivm: ivm, + ivCache: ivCache, + images: ruleImages, }, nil } @@ -102,7 +99,7 @@ func (h mutateImageHandler) Process( engineapi.RuleError(rule.Name, engineapi.ImageVerify, "failed to fetch secrets", err), ) } - iv := internal.NewImageVerifier(logger, rclient, h.ivCache, policyContext, *ruleCopy, h.ivm, h.imageSignatureRepository) + iv := internal.NewImageVerifier(logger, rclient, h.ivCache, policyContext, *ruleCopy, h.ivm) patch, ruleResponse := iv.Verify(ctx, imageVerify, h.images, h.configuration) patches = append(patches, patch...) engineResponses = append(engineResponses, ruleResponse...) diff --git a/pkg/engine/image_verify.go b/pkg/engine/image_verify.go index 5e2d7e8da0..c525f39e52 100644 --- a/pkg/engine/image_verify.go +++ b/pkg/engine/image_verify.go @@ -43,7 +43,6 @@ func (e *engine) verifyAndPatchImages( e.rclientFactory, e.ivCache, &ivm, - e.imageSignatureRepository, ) } resource, ruleResp := e.invokeRuleHandler( diff --git a/pkg/engine/image_verify_test.go b/pkg/engine/image_verify_test.go index 377bad2cab..babebc6d82 100644 --- a/pkg/engine/image_verify_test.go +++ b/pkg/engine/image_verify_test.go @@ -322,7 +322,6 @@ func testVerifyAndPatchImages( imageverifycache.DisabledImageVerifyCache(), factories.DefaultContextLoaderFactory(cmResolver), nil, - "", ) return e.VerifyAndPatchImages( ctx, @@ -1075,7 +1074,6 @@ func testImageVerifyCache( ivCache, factories.DefaultContextLoaderFactory(cmResolver), nil, - "", ) return e.VerifyAndPatchImages( ctx, diff --git a/pkg/engine/internal/imageverifier.go b/pkg/engine/internal/imageverifier.go index 7c04a75302..3b5dd4648f 100644 --- a/pkg/engine/internal/imageverifier.go +++ b/pkg/engine/internal/imageverifier.go @@ -29,13 +29,12 @@ import ( ) type ImageVerifier struct { - logger logr.Logger - rclient engineapi.RegistryClient - ivCache imageverifycache.Client - policyContext engineapi.PolicyContext - rule kyvernov1.Rule - ivm *engineapi.ImageVerificationMetadata - imageSignatureRepository string + logger logr.Logger + rclient engineapi.RegistryClient + ivCache imageverifycache.Client + policyContext engineapi.PolicyContext + rule kyvernov1.Rule + ivm *engineapi.ImageVerificationMetadata } func NewImageVerifier( @@ -45,16 +44,14 @@ func NewImageVerifier( policyContext engineapi.PolicyContext, rule kyvernov1.Rule, ivm *engineapi.ImageVerificationMetadata, - imageSignatureRepository string, ) *ImageVerifier { return &ImageVerifier{ - logger: logger, - rclient: rclient, - ivCache: ivCache, - policyContext: policyContext, - rule: rule, - ivm: ivm, - imageSignatureRepository: imageSignatureRepository, + logger: logger, + rclient: rclient, + ivCache: ivCache, + policyContext: policyContext, + rule: rule, + ivm: ivm, } } @@ -552,13 +549,9 @@ func (iv *ImageVerifier) buildCosignVerifier( attestation *kyvernov1.Attestation, ) (images.ImageVerifier, *images.Options, string) { path := "" - repository := iv.imageSignatureRepository - if imageVerify.Repository != "" { - repository = imageVerify.Repository - } opts := &images.Options{ ImageRef: image, - Repository: repository, + Repository: imageVerify.Repository, Annotations: imageVerify.Annotations, Client: iv.rclient, } diff --git a/pkg/engine/mutation_test.go b/pkg/engine/mutation_test.go index 8ca46610a9..f218a73b2a 100644 --- a/pkg/engine/mutation_test.go +++ b/pkg/engine/mutation_test.go @@ -42,7 +42,6 @@ func testMutate( imageverifycache.DisabledImageVerifyCache(), contextLoader, nil, - "", ) return e.Mutate( ctx, diff --git a/pkg/engine/validation_test.go b/pkg/engine/validation_test.go index b6a987d063..54a7e63c09 100644 --- a/pkg/engine/validation_test.go +++ b/pkg/engine/validation_test.go @@ -41,7 +41,6 @@ func testValidate( imageverifycache.DisabledImageVerifyCache(), contextLoader, nil, - "", ) return e.Validate( ctx, diff --git a/pkg/webhooks/resource/fake.go b/pkg/webhooks/resource/fake.go index 9438901fe3..09d78c440e 100644 --- a/pkg/webhooks/resource/fake.go +++ b/pkg/webhooks/resource/fake.go @@ -62,7 +62,6 @@ func NewFakeHandlers(ctx context.Context, policyCache policycache.Cache) webhook imageverifycache.DisabledImageVerifyCache(), factories.DefaultContextLoaderFactory(configMapResolver), peLister, - "", ), } } diff --git a/pkg/webhooks/resource/validation_test.go b/pkg/webhooks/resource/validation_test.go index 6a5473c2eb..47f1e43d14 100644 --- a/pkg/webhooks/resource/validation_test.go +++ b/pkg/webhooks/resource/validation_test.go @@ -1064,7 +1064,6 @@ func TestValidate_failure_action_overrides(t *testing.T) { imageverifycache.DisabledImageVerifyCache(), factories.DefaultContextLoaderFactory(nil), nil, - "", ) for i, tc := range testcases { t.Run(fmt.Sprintf("case %d", i), func(t *testing.T) { @@ -1167,7 +1166,6 @@ func Test_RuleSelector(t *testing.T) { imageverifycache.DisabledImageVerifyCache(), factories.DefaultContextLoaderFactory(nil), nil, - "", ) resp := eng.Validate( context.TODO(),