
feat: add registry credential helpers feature (#7002)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2023-04-25 16:41:04 +02:00 committed by GitHub
parent f145ac44eb
commit f930c8eb48
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 28 additions and 6 deletions


@ -247,6 +247,8 @@ The chart values are organised per component.
| features.policyExceptions.enabled | bool | `false` | Enables the feature | | features.policyExceptions.enabled | bool | `false` | Enables the feature |
| features.policyExceptions.namespace | string | `""` | Restrict policy exceptions to a single namespace | | features.policyExceptions.namespace | string | `""` | Restrict policy exceptions to a single namespace |
| features.protectManagedResources.enabled | bool | `false` | Enables the feature | | features.protectManagedResources.enabled | bool | `false` | Enables the feature |
| features.registryClient.allowInsecure | bool | `false` | Allow insecure registry |
| features.registryClient.credentialHelpers | list | `["default","google","amazon","azure","github"]` | Enable registry client helpers |
| features.reports.chunkSize | int | `1000` | Reports chunk size | | features.reports.chunkSize | int | `1000` | Reports chunk size |
### Admission controller ### Admission controller


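--- a/PATH_NOT_ON_PAGE_helm_helpers_tpl
+++ b/PATH_NOT_ON_PAGE_helm_helpers_tpl
@@ -41,6 +41,10 @@
 {{- with .reports -}}
 {{- $flags = append $flags (print "--reportsChunkSize=" .chunkSize) -}}
 {{- end -}}
+{{- with .registryClient -}}
+{{- $flags = append $flags (print "--allowInsecureRegistry=" .allowInsecure) -}}
+{{- $flags = append $flags (print "--registryCredentialHelpers=" (join "," .credentialHelpers)) -}}
+{{- end -}}
 {{- with $flags -}}
 {{- toYaml . -}}
 {{- end -}}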


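--- a/PATH_NOT_ON_PAGE_admission_controller_deployment
+++ b/PATH_NOT_ON_PAGE_admission_controller_deployment
@@ -154,6 +154,7 @@ spec:
 "forceFailurePolicyIgnore"
 "policyExceptions"
 "protectManagedResources"
+"registryClient"
 ) | nindent 12 }}
 {{- range $key, $value := .Values.admissionController.container.extraArgs }}
 {{- if $value }}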


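--- a/PATH_NOT_ON_PAGE_reports_controller_deployment
+++ b/PATH_NOT_ON_PAGE_reports_controller_deployment
@@ -109,6 +109,7 @@ spec:
 "configMapCaching"
 "policyExceptions"
 "reports"
+"registryClient"
 ) | nindent 12 }}
 {{- range $key, $value := .Values.reportsController.extraArgs }}
 {{- if $value }}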


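--- a/PATH_NOT_ON_PAGE_chart_values_yaml
+++ b/PATH_NOT_ON_PAGE_chart_values_yaml
@@ -353,6 +353,16 @@ features:
 protectManagedResources:
 # -- Enables the feature
 enabled: false
+registryClient:
+# -- Allow insecure registry
+allowInsecure: false
+# -- Enable registry client helpers
+credentialHelpers:
+- default
+- google
+- amazon
+- azure
+- github
 reports:
 # -- Reports chunk size
 chunkSize: 1000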
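Review bot: The new `allowInsecure` value in the `registryClient` block is documented only as "Allow insecure registry", dropping the caveat the matching controller flag carries in its help text ("Don't use this for anything but testing"), so chart users reading the generated README table never see it; suggest `# -- Allow insecure connections to registries. Testing only.`. The `credentialHelpers` comment should also state what an empty list means: the flag help text says all helpers are enabled when the value is empty, and the helpers template joins the list into `--registryCredentialHelpers=`, so `credentialHelpers: []` appears to enable every helper rather than none. Suggest `# -- Credential helpers to enable; an empty list enables all helpers.`.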


@ -37,9 +37,9 @@ var (
// cosign // cosign
imageSignatureRepository string imageSignatureRepository string
// registry client // registry client
imagePullSecrets string imagePullSecrets string
allowInsecureRegistry bool allowInsecureRegistry bool
enableHelpers string registryCredentialHelpers string
// leader election // leader election
leaderElectionRetryPeriod time.Duration leaderElectionRetryPeriod time.Duration
) )
@ -93,7 +93,7 @@ func initCosignFlags() {
func initRegistryClientFlags() { func initRegistryClientFlags() {
flag.BoolVar(&allowInsecureRegistry, "allowInsecureRegistry", false, "Whether to allow insecure connections to registries. Don't use this for anything but testing.") flag.BoolVar(&allowInsecureRegistry, "allowInsecureRegistry", false, "Whether to allow insecure connections to registries. Don't use this for anything but testing.")
flag.StringVar(&imagePullSecrets, "imagePullSecrets", "", "Secret resource names for image registry access credentials.") flag.StringVar(&imagePullSecrets, "imagePullSecrets", "", "Secret resource names for image registry access credentials.")
flag.StringVar(&enableHelpers, "enableHelpers", "", "Credential helpers to enable (default,google,amazon,azure,github), all will be enabled if empty.") flag.StringVar(&registryCredentialHelpers, "registryCredentialHelpers", "", "Credential helpers to enable (default,google,amazon,azure,github), all will be enabled if empty.")
} }
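Review bot: Renaming the flag from `enableHelpers` to `registryCredentialHelpers` in `initRegistryClientFlags` removes the old name with no alias, so any existing deployment that still passes `--enableHelpers` will fail flag parsing at startup (the standard `flag` package rejects unknown flags). If the old name was ever released, bind it to the same variable alongside the new one, e.g. `flag.StringVar(&registryCredentialHelpers, "enableHelpers", "", "Deprecated: use --registryCredentialHelpers.")`, and remove it in a later release; the same rename is applied at the use sites in the registry client setup hunk. The `var (` block of the first hunk starts before the hunk.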
func initLeaderElectionFlags() { func initLeaderElectionFlags() {


@ -31,8 +31,8 @@ func setupRegistryClient(ctx context.Context, logger logr.Logger, client kuberne
if allowInsecureRegistry { if allowInsecureRegistry {
registryOptions = append(registryOptions, registryclient.WithAllowInsecureRegistry()) registryOptions = append(registryOptions, registryclient.WithAllowInsecureRegistry())
} }
if len(enableHelpers) > 0 { if len(registryCredentialHelpers) > 0 {
registryOptions = append(registryOptions, registryclient.WithCredentialHelpers(strings.Split(enableHelpers, ",")...)) registryOptions = append(registryOptions, registryclient.WithCredentialHelpers(strings.Split(registryCredentialHelpers, ",")...))
} }
registryClient, err := registryclient.New(registryOptions...) registryClient, err := registryclient.New(registryOptions...)
checkError(logger, err, "failed to create registry client") checkError(logger, err, "failed to create registry client")


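--- a/PATH_NOT_ON_PAGE_install_manifest_yaml
+++ b/PATH_NOT_ON_PAGE_install_manifest_yaml
@@ -35006,6 +35006,8 @@ spec:
 - --enablePolicyException=false
 - --exceptionNamespace=
 - --protectManagedResources=false
+- --allowInsecureRegistry=false
+- --registryCredentialHelpers=default,google,amazon,azure,github
 resources:
 limits:
 memory: 384Mi
@@ -35367,6 +35369,8 @@ spec:
 - --enablePolicyException=false
 - --exceptionNamespace=
 - --reportsChunkSize=1000
+- --allowInsecureRegistry=false
+- --registryCredentialHelpers=default,google,amazon,azure,github
 env:
 - name: METRICS_CONFIG
 value: kyverno-metrics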