diff --git a/cmd/cli/kubectl-kyverno/utils/common/common.go b/cmd/cli/kubectl-kyverno/utils/common/common.go
index d8999a49ad..e345d9f09e 100644
--- a/cmd/cli/kubectl-kyverno/utils/common/common.go
+++ b/cmd/cli/kubectl-kyverno/utils/common/common.go
@@ -858,6 +858,7 @@ func initializeMockController(objects []runtime.Object) (*generate.GenerateContr
 nil,
 store.ContextLoaderFactory(nil),
 nil,
+ "",
 ))
 return c, nil
 }
diff --git a/cmd/cli/kubectl-kyverno/utils/common/kyverno_policies_types.go b/cmd/cli/kubectl-kyverno/utils/common/kyverno_policies_types.go
index 8db271ddb8..21532febf1 100644
--- a/cmd/cli/kubectl-kyverno/utils/common/kyverno_policies_types.go
+++ b/cmd/cli/kubectl-kyverno/utils/common/kyverno_policies_types.go
@@ -118,6 +118,7 @@ OuterLoop:
 registryclient.NewOrDie(),
 store.ContextLoaderFactory(nil),
 nil,
+ "",
 )
 policyContext, err := engine.NewPolicyContext(
 jp,
diff --git a/cmd/internal/cosign.go b/cmd/internal/cosign.go
deleted file mode 100644
index 4a63614bdc..0000000000
--- a/cmd/internal/cosign.go
+++ /dev/null
@@ -1,14 +0,0 @@
-package internal
-
-import (
- "github.com/go-logr/logr"
- "github.com/kyverno/kyverno/pkg/cosign"
-)
-
-func setupCosign(logger logr.Logger) {
- logger = logger.WithName("cosign").WithValues("repository", imageSignatureRepository)
- logger.Info("setup cosign...")
- if imageSignatureRepository != "" {
- cosign.ImageSignatureRepository = imageSignatureRepository
- }
-}
diff --git a/cmd/internal/engine.go b/cmd/internal/engine.go
index 78415c56bd..aaa7f2ca19 100644
--- a/cmd/internal/engine.go
+++ b/cmd/internal/engine.go
@@ -41,6 +41,7 @@ func NewEngine(
 rclient,
 engineapi.DefaultContextLoaderFactory(configMapResolver),
 exceptionsSelector,
+ imageSignatureRepository,
 )
 }
diff --git a/cmd/internal/setup.go b/cmd/internal/setup.go
index b22f495776..1d2afc9e16 100644
--- a/cmd/internal/setup.go
+++ b/cmd/internal/setup.go
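Review bot: The new `""` argument in the `initializeMockController` call gives no hint of what it configures; in an argument list that already holds two bare `nil`s a reader has to open `engine.NewEngine` to learn it is the image signature repository. A trailing comment such as `"", // imageSignatureRepository: presumably the CLI exposes no flag for this` would make the intent visible at the call site, and the same applies to the identical `""` in kyverno_policies_types.go, fake.go and the test call sites. Whether the CLI should expose a flag for this value rather than hard-coding it is worth deciding explicitly. The enclosing function starts outside the hunk.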
@@ -58,7 +58,6 @@ func Setup(config Configuration, name string, skipResourceFilters bool) (context
 client = client.WithMetrics(metricsManager, metrics.KubeClient)
 configuration := startConfigController(ctx, logger, client, skipResourceFilters)
 sdownTracing := SetupTracing(logger, name, client)
- setupCosign(logger)
 var registryClient registryclient.Client
 if config.UsesRegistryClient() {
 registryClient = setupRegistryClient(ctx, logger, client)
diff --git a/pkg/cosign/cosign.go b/pkg/cosign/cosign.go
index 20a745fd1c..7f483d31ea 100644
--- a/pkg/cosign/cosign.go
+++ b/pkg/cosign/cosign.go
@@ -31,9 +31,6 @@ import (
 "go.uber.org/multierr"
 )
-// ImageSignatureRepository is an alternate signature repository
-var ImageSignatureRepository string
-
 func NewVerifier() images.ImageVerifier {
 return &cosignVerifier{}
 }
diff --git a/pkg/engine/engine.go b/pkg/engine/engine.go
index a4ea6e9616..84b1dfa441 100644
--- a/pkg/engine/engine.go
+++ b/pkg/engine/engine.go
@@ -28,13 +28,14 @@ import (
 )
 type engine struct {
- configuration config.Configuration
- metricsConfiguration config.MetricsConfiguration
- jp jmespath.Interface
- client dclient.Interface
- rclient registryclient.Client
- contextLoader engineapi.ContextLoaderFactory
- exceptionSelector engineapi.PolicyExceptionSelector
+ configuration config.Configuration
+ metricsConfiguration config.MetricsConfiguration
+ jp jmespath.Interface
+ client dclient.Interface
+ rclient registryclient.Client
+ contextLoader engineapi.ContextLoaderFactory
+ exceptionSelector engineapi.PolicyExceptionSelector
+ imageSignatureRepository string
 // metrics
 resultCounter metric.Int64Counter
 durationHistogram metric.Float64Histogram
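Review bot: Dropping the `setupCosign(logger)` call from `Setup` also drops the only startup log that recorded which signature repository is in effect (the deleted function logged `"setup cosign..."` with the `repository` value), so an operator can no longer confirm the configured value from the logs. Since `imageSignatureRepository` appears to remain a package-level value in cmd/internal (cmd/internal/engine.go passes it to `NewEngine` unqualified), a one-line replacement at the same point, `logger.Info("setup cosign...", "repository", imageSignatureRepository)`, would keep that record without reintroducing the global in pkg/cosign. The body of `Setup` continues on both sides of the hunk.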
@@ -50,6 +51,7 @@ func NewEngine(
 rclient registryclient.Client,
 contextLoader engineapi.ContextLoaderFactory,
 exceptionSelector engineapi.PolicyExceptionSelector,
+ imageSignatureRepository string,
 ) engineapi.Engine {
 meter := global.MeterProvider().Meter(metrics.MeterName)
 resultCounter, err := meter.Int64Counter(
@@ -67,15 +69,16 @@ func NewEngine(
 logging.Error(err, "failed to register metric kyverno_policy_execution_duration_seconds")
 }
 return &engine{
- configuration: configuration,
- metricsConfiguration: metricsConfiguration,
- jp: jp,
- client: client,
- rclient: rclient,
- contextLoader: contextLoader,
- exceptionSelector: exceptionSelector,
- resultCounter: resultCounter,
- durationHistogram: durationHistogram,
+ configuration: configuration,
+ metricsConfiguration: metricsConfiguration,
+ jp: jp,
+ client: client,
+ rclient: rclient,
+ contextLoader: contextLoader,
+ exceptionSelector: exceptionSelector,
+ imageSignatureRepository: imageSignatureRepository,
+ resultCounter: resultCounter,
+ durationHistogram: durationHistogram,
 }
 }
diff --git a/pkg/engine/handlers/mutation/mutate_image.go b/pkg/engine/handlers/mutation/mutate_image.go
index c48ca38c21..ed7712c008 100644
--- a/pkg/engine/handlers/mutation/mutate_image.go
+++ b/pkg/engine/handlers/mutation/mutate_image.go
@@ -22,10 +22,11 @@ import (
 )
 type mutateImageHandler struct {
- configuration config.Configuration
- rclient registryclient.Client
- ivm *engineapi.ImageVerificationMetadata
- images []apiutils.ImageInfo
+ configuration config.Configuration
+ rclient registryclient.Client
+ ivm *engineapi.ImageVerificationMetadata
+ images []apiutils.ImageInfo
+ imageSignatureRepository string
 }
 func NewMutateImageHandler(
@@ -35,6 +36,7 @@ func NewMutateImageHandler(
 configuration config.Configuration,
 rclient registryclient.Client,
 ivm *engineapi.ImageVerificationMetadata,
+ imageSignatureRepository string,
 ) (handlers.Handler, error) {
 if len(rule.VerifyImages) == 0 {
 return nil, nil
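Review bot: The new `imageSignatureRepository` parameter of `NewEngine`, like the matching `engine` field added in the struct hunk of the same file, is undocumented: nothing says what an empty string means or how it relates to a rule's own repository setting. A comment on the parameter such as `// imageSignatureRepository is the engine-wide default location for image signatures; a repository set on a verifyImages rule overrides it` would spare readers tracing the value through `mutateImageHandler` and `ImageVerifier`. The override is visible in the `buildCosignVerifier` hunk; what the cosign verifier does with an empty value is not shown here and should be confirmed and spelled out in the same comment. `NewEngine`'s signature begins outside the hunk.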
@@ -47,10 +49,11 @@ func NewMutateImageHandler(
 return nil, nil
 }
 return mutateImageHandler{
- configuration: configuration,
- rclient: rclient,
- ivm: ivm,
- images: ruleImages,
+ configuration: configuration,
+ rclient: rclient,
+ ivm: ivm,
+ images: ruleImages,
+ imageSignatureRepository: imageSignatureRepository,
 }, nil
 }
@@ -69,7 +72,7 @@ func (h mutateImageHandler) Process(
 engineapi.RuleError(rule.Name, engineapi.ImageVerify, "failed to substitute variables", err),
 )
 }
- iv := internal.NewImageVerifier(logger, h.rclient, policyContext, *ruleCopy, h.ivm)
+ iv := internal.NewImageVerifier(logger, h.rclient, policyContext, *ruleCopy, h.ivm, h.imageSignatureRepository)
 var engineResponses []*engineapi.RuleResponse
 for _, imageVerify := range ruleCopy.VerifyImages {
 engineResponses = append(engineResponses, iv.Verify(ctx, imageVerify, h.images, h.configuration)...)
diff --git a/pkg/engine/image_verify.go b/pkg/engine/image_verify.go
index 296497940b..4298cf68c8 100644
--- a/pkg/engine/image_verify.go
+++ b/pkg/engine/image_verify.go
@@ -41,6 +41,7 @@ func (e *engine) verifyAndPatchImages(
 e.configuration,
 e.rclient,
 &ivm,
+ e.imageSignatureRepository,
 )
 }
 resource, ruleResp := e.invokeRuleHandler(
diff --git a/pkg/engine/image_verify_test.go b/pkg/engine/image_verify_test.go
index e7f528e76d..ecc1d1390a 100644
--- a/pkg/engine/image_verify_test.go
+++ b/pkg/engine/image_verify_test.go
@@ -184,6 +184,7 @@ func testVerifyAndPatchImages(
 rclient,
 engineapi.DefaultContextLoaderFactory(cmResolver),
 nil,
+ "",
 )
 return e.VerifyAndPatchImages(
 ctx,
diff --git a/pkg/engine/internal/imageverifier.go b/pkg/engine/internal/imageverifier.go
index ffd5601c6d..c03b53ad1c 100644
--- a/pkg/engine/internal/imageverifier.go
+++ b/pkg/engine/internal/imageverifier.go
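Review bot: Every test call site touched by this commit passes `""` for the new parameter — `testVerifyAndPatchImages` here, `testMutate` and `testValidate` in pkg/engine, the two cases in pkg/webhooks/resource/validation_test.go and `NewFakeHandlers` — so the new injection path from `engine` through `mutateImageHandler` to `ImageVerifier` is never exercised with a non-empty value. A test that builds the engine with a constructed repository string such as `"example.invalid/signatures"` and checks that `buildCosignVerifier` uses it when the rule's repository is unset, and that the rule's own value wins when it is set, would pin the behaviour the removed `cosign.ImageSignatureRepository` global used to provide. `testVerifyAndPatchImages` begins outside the hunk.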
@@ -26,11 +26,12 @@ import (
 )
 type ImageVerifier struct {
- logger logr.Logger
- rclient registryclient.Client
- policyContext engineapi.PolicyContext
- rule kyvernov1.Rule
- ivm *engineapi.ImageVerificationMetadata
+ logger logr.Logger
+ rclient registryclient.Client
+ policyContext engineapi.PolicyContext
+ rule kyvernov1.Rule
+ ivm *engineapi.ImageVerificationMetadata
+ imageSignatureRepository string
 }
 func NewImageVerifier(
@@ -39,13 +40,15 @@ func NewImageVerifier(
 policyContext engineapi.PolicyContext,
 rule kyvernov1.Rule,
 ivm *engineapi.ImageVerificationMetadata,
+ imageSignatureRepository string,
 ) *ImageVerifier {
 return &ImageVerifier{
- logger: logger,
- rclient: rclient,
- policyContext: policyContext,
- rule: rule,
- ivm: ivm,
+ logger: logger,
+ rclient: rclient,
+ policyContext: policyContext,
+ rule: rule,
+ ivm: ivm,
+ imageSignatureRepository: imageSignatureRepository,
 }
 }
@@ -456,7 +459,7 @@ func (iv *ImageVerifier) buildCosignVerifier(
 attestation *kyvernov1.Attestation,
 ) (images.ImageVerifier, *images.Options, string) {
 path := ""
- repository := cosign.ImageSignatureRepository
+ repository := iv.imageSignatureRepository
 if imageVerify.Repository != "" {
 repository = imageVerify.Repository
 }
diff --git a/pkg/engine/mutation_test.go b/pkg/engine/mutation_test.go
index e1fddc4368..ca0a5aa05d 100644
--- a/pkg/engine/mutation_test.go
+++ b/pkg/engine/mutation_test.go
@@ -38,6 +38,7 @@ func testMutate(
 rclient,
 contextLoader,
 nil,
+ "",
 )
 return e.Mutate(
 ctx,
diff --git a/pkg/engine/validation_test.go b/pkg/engine/validation_test.go
index 72e2bd41c7..97b5e6ea1e 100644
--- a/pkg/engine/validation_test.go
+++ b/pkg/engine/validation_test.go
@@ -39,6 +39,7 @@ func testValidate(
 rclient,
 contextLoader,
 nil,
+ "",
 )
 return e.Validate(
 ctx,
diff --git a/pkg/webhooks/resource/fake.go b/pkg/webhooks/resource/fake.go
index 73d8a0ebab..a7ad03c655 100644
--- a/pkg/webhooks/resource/fake.go
+++ b/pkg/webhooks/resource/fake.go
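Review bot: The precedence in `buildCosignVerifier` — the engine-wide `iv.imageSignatureRepository` is replaced whenever the rule sets `imageVerify.Repository` — is now the only place that rule lives, and it is unstated. A one-line comment before the `if`, such as `// a repository set on the rule overrides the engine-wide default, so a policy author can redirect signature lookup`, makes explicit that the operator-configured value is a default rather than a ceiling, which matters to anyone reviewing who may author verifyImages rules. Moving from the mutable package global to a per-verifier field is an improvement and needs no further change here; the rest of `buildCosignVerifier` lies outside the hunk.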
@@ -62,6 +62,7 @@ func NewFakeHandlers(ctx context.Context, policyCache policycache.Cache) webhook
 rclient,
 engineapi.DefaultContextLoaderFactory(configMapResolver),
 peLister,
+ "",
 ),
 }
 }
diff --git a/pkg/webhooks/resource/validation_test.go b/pkg/webhooks/resource/validation_test.go
index 1f8ecf3a39..2afc117260 100644
--- a/pkg/webhooks/resource/validation_test.go
+++ b/pkg/webhooks/resource/validation_test.go
@@ -1059,6 +1059,7 @@ func TestValidate_failure_action_overrides(t *testing.T) {
 registryclient.NewOrDie(),
 engineapi.DefaultContextLoaderFactory(nil),
 nil,
+ "",
 )
 for i, tc := range testcases {
 t.Run(fmt.Sprintf("case %d", i), func(t *testing.T) {
@@ -1160,6 +1161,7 @@ func Test_RuleSelector(t *testing.T) {
 registryclient.NewOrDie(),
 engineapi.DefaultContextLoaderFactory(nil),
 nil,
+ "",
 )
 resp := eng.Validate(
 context.TODO(),