fix: cosign global var (#7397)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-03-28 10:28:36 +00:00 · 2023-06-02 14:18:10 +02:00 · 2023-06-02 14:18:10 +02:00 · cbce1c91b7
commit cbce1c91b7
parent 3db7c41a62
15 changed files with 55 additions and 54 deletions
--- a/cmd/cli/kubectl-kyverno/utils/common/common.go
+++ b/cmd/cli/kubectl-kyverno/utils/common/common.go
@ -858,6 +858,7 @@ func initializeMockController(objects []runtime.Object) (*generate.GenerateContr
 		nil,
 		store.ContextLoaderFactory(nil),
 		nil,
+		"",
 	))
 	return c, nil
 }
--- a/cmd/cli/kubectl-kyverno/utils/common/kyverno_policies_types.go
+++ b/cmd/cli/kubectl-kyverno/utils/common/kyverno_policies_types.go
@ -118,6 +118,7 @@ OuterLoop:
 		registryclient.NewOrDie(),
 		store.ContextLoaderFactory(nil),
 		nil,
+		"",
 	)
 	policyContext, err := engine.NewPolicyContext(
 		jp,
--- a/cmd/internal/cosign.go
+++ b/cmd/internal/cosign.go
@ -1,14 +0,0 @@
-package internal
-
-import (
-	"github.com/go-logr/logr"
-	"github.com/kyverno/kyverno/pkg/cosign"
-)
-
-func setupCosign(logger logr.Logger) {
-	logger = logger.WithName("cosign").WithValues("repository", imageSignatureRepository)
-	logger.Info("setup cosign...")
-	if imageSignatureRepository != "" {
-		cosign.ImageSignatureRepository = imageSignatureRepository
-	}
-}
--- a/cmd/internal/engine.go
+++ b/cmd/internal/engine.go
@ -41,6 +41,7 @@ func NewEngine(
 		rclient,
 		engineapi.DefaultContextLoaderFactory(configMapResolver),
 		exceptionsSelector,
+		imageSignatureRepository,
 	)
 }

--- a/cmd/internal/setup.go
+++ b/cmd/internal/setup.go
@ -58,7 +58,6 @@ func Setup(config Configuration, name string, skipResourceFilters bool) (context
 	client = client.WithMetrics(metricsManager, metrics.KubeClient)
 	configuration := startConfigController(ctx, logger, client, skipResourceFilters)
 	sdownTracing := SetupTracing(logger, name, client)
-	setupCosign(logger)
 	var registryClient registryclient.Client
 	if config.UsesRegistryClient() {
 		registryClient = setupRegistryClient(ctx, logger, client)
--- a/pkg/cosign/cosign.go
+++ b/pkg/cosign/cosign.go
@ -31,9 +31,6 @@ import (
 	"go.uber.org/multierr"
 )

-// ImageSignatureRepository is an alternate signature repository
-var ImageSignatureRepository string
-
 func NewVerifier() images.ImageVerifier {
 	return &cosignVerifier{}
 }
--- a/pkg/engine/engine.go
+++ b/pkg/engine/engine.go
@ -28,13 +28,14 @@ import (
 )

 type engine struct {
-	configuration        config.Configuration
-	metricsConfiguration config.MetricsConfiguration
-	jp                   jmespath.Interface
-	client               dclient.Interface
-	rclient              registryclient.Client
-	contextLoader        engineapi.ContextLoaderFactory
-	exceptionSelector    engineapi.PolicyExceptionSelector
+	configuration            config.Configuration
+	metricsConfiguration     config.MetricsConfiguration
+	jp                       jmespath.Interface
+	client                   dclient.Interface
+	rclient                  registryclient.Client
+	contextLoader            engineapi.ContextLoaderFactory
+	exceptionSelector        engineapi.PolicyExceptionSelector
+	imageSignatureRepository string
 	// metrics
 	resultCounter     metric.Int64Counter
 	durationHistogram metric.Float64Histogram
@ -50,6 +51,7 @@ func NewEngine(
 	rclient registryclient.Client,
 	contextLoader engineapi.ContextLoaderFactory,
 	exceptionSelector engineapi.PolicyExceptionSelector,
+	imageSignatureRepository string,
 ) engineapi.Engine {
 	meter := global.MeterProvider().Meter(metrics.MeterName)
 	resultCounter, err := meter.Int64Counter(
@ -67,15 +69,16 @@ func NewEngine(
 		logging.Error(err, "failed to register metric kyverno_policy_execution_duration_seconds")
 	}
 	return &engine{
-		configuration:        configuration,
-		metricsConfiguration: metricsConfiguration,
-		jp:                   jp,
-		client:               client,
-		rclient:              rclient,
-		contextLoader:        contextLoader,
-		exceptionSelector:    exceptionSelector,
-		resultCounter:        resultCounter,
-		durationHistogram:    durationHistogram,
+		configuration:            configuration,
+		metricsConfiguration:     metricsConfiguration,
+		jp:                       jp,
+		client:                   client,
+		rclient:                  rclient,
+		contextLoader:            contextLoader,
+		exceptionSelector:        exceptionSelector,
+		imageSignatureRepository: imageSignatureRepository,
+		resultCounter:            resultCounter,
+		durationHistogram:        durationHistogram,
 	}
 }

--- a/pkg/engine/handlers/mutation/mutate_image.go
+++ b/pkg/engine/handlers/mutation/mutate_image.go
@ -22,10 +22,11 @@ import (
 )

 type mutateImageHandler struct {
-	configuration config.Configuration
-	rclient       registryclient.Client
-	ivm           *engineapi.ImageVerificationMetadata
-	images        []apiutils.ImageInfo
+	configuration            config.Configuration
+	rclient                  registryclient.Client
+	ivm                      *engineapi.ImageVerificationMetadata
+	images                   []apiutils.ImageInfo
+	imageSignatureRepository string
 }

 func NewMutateImageHandler(
@ -35,6 +36,7 @@ func NewMutateImageHandler(
 	configuration config.Configuration,
 	rclient registryclient.Client,
 	ivm *engineapi.ImageVerificationMetadata,
+	imageSignatureRepository string,
 ) (handlers.Handler, error) {
 	if len(rule.VerifyImages) == 0 {
 		return nil, nil
@ -47,10 +49,11 @@ func NewMutateImageHandler(
 		return nil, nil
 	}
 	return mutateImageHandler{
-		configuration: configuration,
-		rclient:       rclient,
-		ivm:           ivm,
-		images:        ruleImages,
+		configuration:            configuration,
+		rclient:                  rclient,
+		ivm:                      ivm,
+		images:                   ruleImages,
+		imageSignatureRepository: imageSignatureRepository,
 	}, nil
 }

@ -69,7 +72,7 @@ func (h mutateImageHandler) Process(
 			engineapi.RuleError(rule.Name, engineapi.ImageVerify, "failed to substitute variables", err),
 		)
 	}
-	iv := internal.NewImageVerifier(logger, h.rclient, policyContext, *ruleCopy, h.ivm)
+	iv := internal.NewImageVerifier(logger, h.rclient, policyContext, *ruleCopy, h.ivm, h.imageSignatureRepository)
 	var engineResponses []*engineapi.RuleResponse
 	for _, imageVerify := range ruleCopy.VerifyImages {
 		engineResponses = append(engineResponses, iv.Verify(ctx, imageVerify, h.images, h.configuration)...)
--- a/pkg/engine/image_verify.go
+++ b/pkg/engine/image_verify.go
@ -41,6 +41,7 @@ func (e *engine) verifyAndPatchImages(
 				e.configuration,
 				e.rclient,
 				&ivm,
+				e.imageSignatureRepository,
 			)
 		}
 		resource, ruleResp := e.invokeRuleHandler(
--- a/pkg/engine/image_verify_test.go
+++ b/pkg/engine/image_verify_test.go
@ -184,6 +184,7 @@ func testVerifyAndPatchImages(
 		rclient,
 		engineapi.DefaultContextLoaderFactory(cmResolver),
 		nil,
+		"",
 	)
 	return e.VerifyAndPatchImages(
 		ctx,
--- a/pkg/engine/internal/imageverifier.go
+++ b/pkg/engine/internal/imageverifier.go
@ -26,11 +26,12 @@ import (
 )

 type ImageVerifier struct {
-	logger        logr.Logger
-	rclient       registryclient.Client
-	policyContext engineapi.PolicyContext
-	rule          kyvernov1.Rule
-	ivm           *engineapi.ImageVerificationMetadata
+	logger                   logr.Logger
+	rclient                  registryclient.Client
+	policyContext            engineapi.PolicyContext
+	rule                     kyvernov1.Rule
+	ivm                      *engineapi.ImageVerificationMetadata
+	imageSignatureRepository string
 }

 func NewImageVerifier(
@ -39,13 +40,15 @@ func NewImageVerifier(
 	policyContext engineapi.PolicyContext,
 	rule kyvernov1.Rule,
 	ivm *engineapi.ImageVerificationMetadata,
+	imageSignatureRepository string,
 ) *ImageVerifier {
 	return &ImageVerifier{
-		logger:        logger,
-		rclient:       rclient,
-		policyContext: policyContext,
-		rule:          rule,
-		ivm:           ivm,
+		logger:                   logger,
+		rclient:                  rclient,
+		policyContext:            policyContext,
+		rule:                     rule,
+		ivm:                      ivm,
+		imageSignatureRepository: imageSignatureRepository,
 	}
 }

@ -456,7 +459,7 @@ func (iv *ImageVerifier) buildCosignVerifier(
 	attestation *kyvernov1.Attestation,
 ) (images.ImageVerifier, *images.Options, string) {
 	path := ""
-	repository := cosign.ImageSignatureRepository
+	repository := iv.imageSignatureRepository
 	if imageVerify.Repository != "" {
 		repository = imageVerify.Repository
 	}
--- a/pkg/engine/mutation_test.go
+++ b/pkg/engine/mutation_test.go
@ -38,6 +38,7 @@ func testMutate(
 		rclient,
 		contextLoader,
 		nil,
+		"",
 	)
 	return e.Mutate(
 		ctx,
--- a/pkg/engine/validation_test.go
+++ b/pkg/engine/validation_test.go
@ -39,6 +39,7 @@ func testValidate(
 		rclient,
 		contextLoader,
 		nil,
+		"",
 	)
 	return e.Validate(
 		ctx,
--- a/pkg/webhooks/resource/fake.go
+++ b/pkg/webhooks/resource/fake.go
@ -62,6 +62,7 @@ func NewFakeHandlers(ctx context.Context, policyCache policycache.Cache) webhook
 			rclient,
 			engineapi.DefaultContextLoaderFactory(configMapResolver),
 			peLister,
+			"",
 		),
 	}
 }
--- a/pkg/webhooks/resource/validation_test.go
+++ b/pkg/webhooks/resource/validation_test.go
@ -1059,6 +1059,7 @@ func TestValidate_failure_action_overrides(t *testing.T) {
 		registryclient.NewOrDie(),
 		engineapi.DefaultContextLoaderFactory(nil),
 		nil,
+		"",
 	)
 	for i, tc := range testcases {
 		t.Run(fmt.Sprintf("case %d", i), func(t *testing.T) {
@ -1160,6 +1161,7 @@ func Test_RuleSelector(t *testing.T) {
 		registryclient.NewOrDie(),
 		engineapi.DefaultContextLoaderFactory(nil),
 		nil,
+		"",
 	)
 	resp := eng.Validate(
 		context.TODO(),