feat: add registry credential helpers feature (#7002)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2024-12-14 11:57:48 +00:00 · 2023-04-25 16:41:04 +02:00 · 2023-04-25 16:41:04 +02:00 · f930c8eb48
commit f930c8eb48
parent f145ac44eb
8 changed files with 28 additions and 6 deletions
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@ -247,6 +247,8 @@ The chart values are organised per component.
 | features.policyExceptions.enabled | bool | `false` | Enables the feature |
 | features.policyExceptions.namespace | string | `""` | Restrict policy exceptions to a single namespace |
 | features.protectManagedResources.enabled | bool | `false` | Enables the feature |
+| features.registryClient.allowInsecure | bool | `false` | Allow insecure registry |
+| features.registryClient.credentialHelpers | list | `["default","google","amazon","azure","github"]` | Enable registry client helpers |
 | features.reports.chunkSize | int | `1000` | Reports chunk size |

 ### Admission controller
--- a/charts/kyverno/templates/_helpers.tpl
+++ b/charts/kyverno/templates/_helpers.tpl
@ -41,6 +41,10 @@
 {{- with .reports -}}
  {{- $flags = append $flags (print "--reportsChunkSize=" .chunkSize) -}}
 {{- end -}}
+{{- with .registryClient -}}
+  {{- $flags = append $flags (print "--allowInsecureRegistry=" .allowInsecure) -}}
+  {{- $flags = append $flags (print "--registryCredentialHelpers=" (join "," .credentialHelpers)) -}}
+{{- end -}}
 {{- with $flags -}}
  {{- toYaml . -}}
 {{- end -}}
--- a/charts/kyverno/templates/admission-controller/deployment.yaml
+++ b/charts/kyverno/templates/admission-controller/deployment.yaml
@ -154,6 +154,7 @@ spec:
              "forceFailurePolicyIgnore"
              "policyExceptions"
              "protectManagedResources"
+              "registryClient"
            ) | nindent 12 }}
            {{- range $key, $value := .Values.admissionController.container.extraArgs }}
            {{- if $value }}
--- a/charts/kyverno/templates/reports-controller/deployment.yaml
+++ b/charts/kyverno/templates/reports-controller/deployment.yaml
@ -109,6 +109,7 @@ spec:
              "configMapCaching"
              "policyExceptions"
              "reports"
+              "registryClient"
            ) | nindent 12 }}
            {{- range $key, $value := .Values.reportsController.extraArgs }}
            {{- if $value }}
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@ -353,6 +353,16 @@ features:
  protectManagedResources:
    # -- Enables the feature
    enabled: false
+  registryClient:
+    # -- Allow insecure registry
+    allowInsecure: false
+    # -- Enable registry client helpers
+    credentialHelpers:
+    - default
+    - google
+    - amazon
+    - azure
+    - github
  reports:
    # -- Reports chunk size
    chunkSize: 1000
--- a/cmd/internal/flag.go
+++ b/cmd/internal/flag.go
@ -37,9 +37,9 @@ var (
 	// cosign
 	imageSignatureRepository string
 	// registry client
-	imagePullSecrets      string
-	allowInsecureRegistry bool
-	enableHelpers         string
+	imagePullSecrets          string
+	allowInsecureRegistry     bool
+	registryCredentialHelpers string
 	// leader election
 	leaderElectionRetryPeriod time.Duration
 )
@ -93,7 +93,7 @@ func initCosignFlags() {
 func initRegistryClientFlags() {
 	flag.BoolVar(&allowInsecureRegistry, "allowInsecureRegistry", false, "Whether to allow insecure connections to registries. Don't use this for anything but testing.")
 	flag.StringVar(&imagePullSecrets, "imagePullSecrets", "", "Secret resource names for image registry access credentials.")
-	flag.StringVar(&enableHelpers, "enableHelpers", "", "Credential helpers to enable (default,google,amazon,azure,github), all will be enabled if empty.")
+	flag.StringVar(&registryCredentialHelpers, "registryCredentialHelpers", "", "Credential helpers to enable (default,google,amazon,azure,github), all will be enabled if empty.")
 }

 func initLeaderElectionFlags() {
--- a/cmd/internal/registry.go
+++ b/cmd/internal/registry.go
@ -31,8 +31,8 @@ func setupRegistryClient(ctx context.Context, logger logr.Logger, client kuberne
 	if allowInsecureRegistry {
 		registryOptions = append(registryOptions, registryclient.WithAllowInsecureRegistry())
 	}
-	if len(enableHelpers) > 0 {
-		registryOptions = append(registryOptions, registryclient.WithCredentialHelpers(strings.Split(enableHelpers, ",")...))
+	if len(registryCredentialHelpers) > 0 {
+		registryOptions = append(registryOptions, registryclient.WithCredentialHelpers(strings.Split(registryCredentialHelpers, ",")...))
 	}
 	registryClient, err := registryclient.New(registryOptions...)
 	checkError(logger, err, "failed to create registry client")
--- a/config/install-latest-testing.yaml
+++ b/config/install-latest-testing.yaml
@ -35006,6 +35006,8 @@ spec:
            - --enablePolicyException=false
            - --exceptionNamespace=
            - --protectManagedResources=false
+            - --allowInsecureRegistry=false
+            - --registryCredentialHelpers=default,google,amazon,azure,github
          resources: 
            limits:
              memory: 384Mi
@ -35367,6 +35369,8 @@ spec:
            - --enablePolicyException=false
            - --exceptionNamespace=
            - --reportsChunkSize=1000
+            - --allowInsecureRegistry=false
+            - --registryCredentialHelpers=default,google,amazon,azure,github
          env:
          - name: METRICS_CONFIG
            value: kyverno-metrics