feat: add registry credential helpers feature (#7002)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
parent
f145ac44eb
commit
f930c8eb48
8 changed files with 28 additions and 6 deletions
|
@ -247,6 +247,8 @@ The chart values are organised per component.
|
||||||
| features.policyExceptions.enabled | bool | `false` | Enables the feature |
|
| features.policyExceptions.enabled | bool | `false` | Enables the feature |
|
||||||
| features.policyExceptions.namespace | string | `""` | Restrict policy exceptions to a single namespace |
|
| features.policyExceptions.namespace | string | `""` | Restrict policy exceptions to a single namespace |
|
||||||
| features.protectManagedResources.enabled | bool | `false` | Enables the feature |
|
| features.protectManagedResources.enabled | bool | `false` | Enables the feature |
|
||||||
|
| features.registryClient.allowInsecure | bool | `false` | Allow insecure registry |
|
||||||
|
| features.registryClient.credentialHelpers | list | `["default","google","amazon","azure","github"]` | Enable registry client helpers |
|
||||||
| features.reports.chunkSize | int | `1000` | Reports chunk size |
|
| features.reports.chunkSize | int | `1000` | Reports chunk size |
|
||||||
|
|
||||||
### Admission controller
|
### Admission controller
|
||||||
|
|
|
@ -41,6 +41,10 @@
|
||||||
{{- with .reports -}}
|
{{- with .reports -}}
|
||||||
{{- $flags = append $flags (print "--reportsChunkSize=" .chunkSize) -}}
|
{{- $flags = append $flags (print "--reportsChunkSize=" .chunkSize) -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
{{- with .registryClient -}}
|
||||||
|
{{- $flags = append $flags (print "--allowInsecureRegistry=" .allowInsecure) -}}
|
||||||
|
{{- $flags = append $flags (print "--registryCredentialHelpers=" (join "," .credentialHelpers)) -}}
|
||||||
|
{{- end -}}
|
||||||
{{- with $flags -}}
|
{{- with $flags -}}
|
||||||
{{- toYaml . -}}
|
{{- toYaml . -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
|
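Review bot: An empty `features.registryClient.credentialHelpers` list does not turn the helpers off. `join "," .credentialHelpers` then renders `--registryCredentialHelpers=` with no value, and the flag's help text elsewhere in this commit says all helpers are enabled when the value is empty. An operator who clears the list to keep the controller away from cloud credential helpers would get the opposite result. If empty is not meant to select everything, fail the render inside the `with .registryClient` block, e.g. `{{- if not .credentialHelpers }}{{ fail "features.registryClient.credentialHelpers must not be empty" }}{{ end -}}`; otherwise state the empty-means-all behaviour in the values comment. The enclosing template definition starts and ends outside this hunk.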
@ -154,6 +154,7 @@ spec:
|
||||||
"forceFailurePolicyIgnore"
|
"forceFailurePolicyIgnore"
|
||||||
"policyExceptions"
|
"policyExceptions"
|
||||||
"protectManagedResources"
|
"protectManagedResources"
|
||||||
|
"registryClient"
|
||||||
) | nindent 12 }}
|
) | nindent 12 }}
|
||||||
{{- range $key, $value := .Values.admissionController.container.extraArgs }}
|
{{- range $key, $value := .Values.admissionController.container.extraArgs }}
|
||||||
{{- if $value }}
|
{{- if $value }}
|
||||||
|
|
|
@ -109,6 +109,7 @@ spec:
|
||||||
"configMapCaching"
|
"configMapCaching"
|
||||||
"policyExceptions"
|
"policyExceptions"
|
||||||
"reports"
|
"reports"
|
||||||
|
"registryClient"
|
||||||
) | nindent 12 }}
|
) | nindent 12 }}
|
||||||
{{- range $key, $value := .Values.reportsController.extraArgs }}
|
{{- range $key, $value := .Values.reportsController.extraArgs }}
|
||||||
{{- if $value }}
|
{{- if $value }}
|
||||||
|
|
|
@ -353,6 +353,16 @@ features:
|
||||||
protectManagedResources:
|
protectManagedResources:
|
||||||
# -- Enables the feature
|
# -- Enables the feature
|
||||||
enabled: false
|
enabled: false
|
||||||
|
registryClient:
|
||||||
|
# -- Allow insecure registry
|
||||||
|
allowInsecure: false
|
||||||
|
# -- Enable registry client helpers
|
||||||
|
credentialHelpers:
|
||||||
|
- default
|
||||||
|
- google
|
||||||
|
- amazon
|
||||||
|
- azure
|
||||||
|
- github
|
||||||
reports:
|
reports:
|
||||||
# -- Reports chunk size
|
# -- Reports chunk size
|
||||||
chunkSize: 1000
|
chunkSize: 1000
|
||||||
|
|
|
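Review bot: The comments on the two new values drop the caveats that the binary's own flag help carries. `allowInsecure` is described only as "Allow insecure registry", while the flag help says it is for testing only; I would write `# -- Allow insecure connections to registries. Do not use this for anything but testing.` For `credentialHelpers` the default enables all five helpers, so a comment such as `# -- Credential helpers the registry client may use; list only the providers your registries need` would steer installs toward the smaller set.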
@ -37,9 +37,9 @@ var (
|
||||||
// cosign
|
// cosign
|
||||||
imageSignatureRepository string
|
imageSignatureRepository string
|
||||||
// registry client
|
// registry client
|
||||||
imagePullSecrets string
|
imagePullSecrets string
|
||||||
allowInsecureRegistry bool
|
allowInsecureRegistry bool
|
||||||
enableHelpers string
|
registryCredentialHelpers string
|
||||||
// leader election
|
// leader election
|
||||||
leaderElectionRetryPeriod time.Duration
|
leaderElectionRetryPeriod time.Duration
|
||||||
)
|
)
|
||||||
|
@ -93,7 +93,7 @@ func initCosignFlags() {
|
||||||
func initRegistryClientFlags() {
|
func initRegistryClientFlags() {
|
||||||
flag.BoolVar(&allowInsecureRegistry, "allowInsecureRegistry", false, "Whether to allow insecure connections to registries. Don't use this for anything but testing.")
|
flag.BoolVar(&allowInsecureRegistry, "allowInsecureRegistry", false, "Whether to allow insecure connections to registries. Don't use this for anything but testing.")
|
||||||
flag.StringVar(&imagePullSecrets, "imagePullSecrets", "", "Secret resource names for image registry access credentials.")
|
flag.StringVar(&imagePullSecrets, "imagePullSecrets", "", "Secret resource names for image registry access credentials.")
|
||||||
flag.StringVar(&enableHelpers, "enableHelpers", "", "Credential helpers to enable (default,google,amazon,azure,github), all will be enabled if empty.")
|
flag.StringVar(®istryCredentialHelpers, "registryCredentialHelpers", "", "Credential helpers to enable (default,google,amazon,azure,github), all will be enabled if empty.")
|
||||||
}
|
}
|
||||||
|
|
||||||
func initLeaderElectionFlags() {
|
func initLeaderElectionFlags() {
|
||||||
|
|
|
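Review bot: Renaming the flag from `enableHelpers` to `registryCredentialHelpers` in `initRegistryClientFlags` leaves no alias, so a deployment that still passes `--enableHelpers=...` (for example through `extraArgs`) hands the binary an undefined flag. With the standard `flag` package that is typically a parse error at startup, though the parsing call is not visible here; for an admission controller that would mean a failed rollout on upgrade. Registering the old name against the same variable for one release would avoid it: `flag.StringVar(&registryCredentialHelpers, "enableHelpers", "", "Deprecated: use --registryCredentialHelpers.")`. The matching rename in the `var (` hunk above needs no change.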
@ -31,8 +31,8 @@ func setupRegistryClient(ctx context.Context, logger logr.Logger, client kuberne
|
||||||
if allowInsecureRegistry {
|
if allowInsecureRegistry {
|
||||||
registryOptions = append(registryOptions, registryclient.WithAllowInsecureRegistry())
|
registryOptions = append(registryOptions, registryclient.WithAllowInsecureRegistry())
|
||||||
}
|
}
|
||||||
if len(enableHelpers) > 0 {
|
if len(registryCredentialHelpers) > 0 {
|
||||||
registryOptions = append(registryOptions, registryclient.WithCredentialHelpers(strings.Split(enableHelpers, ",")...))
|
registryOptions = append(registryOptions, registryclient.WithCredentialHelpers(strings.Split(registryCredentialHelpers, ",")...))
|
||||||
}
|
}
|
||||||
registryClient, err := registryclient.New(registryOptions...)
|
registryClient, err := registryclient.New(registryOptions...)
|
||||||
checkError(logger, err, "failed to create registry client")
|
checkError(logger, err, "failed to create registry client")
|
||||||
|
|
|
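Review bot: `strings.Split(registryCredentialHelpers, ",")` passes the raw pieces to `registryclient.WithCredentialHelpers` without trimming or checking them, so a value such as `default, google` or a misspelt name yields entries that presumably match no helper. Whether those are rejected or silently ignored depends on `registryclient`, which is not shown. If they are ignored, the controller starts with fewer credential sources than configured, and registry access fails later with an auth error far from the cause. Trimming each entry with `strings.TrimSpace` and logging or rejecting names outside the documented set (default, google, amazon, azure, github) would surface the mistake at startup. `setupRegistryClient` starts and ends outside this hunk.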
@ -35006,6 +35006,8 @@ spec:
|
||||||
- --enablePolicyException=false
|
- --enablePolicyException=false
|
||||||
- --exceptionNamespace=
|
- --exceptionNamespace=
|
||||||
- --protectManagedResources=false
|
- --protectManagedResources=false
|
||||||
|
- --allowInsecureRegistry=false
|
||||||
|
- --registryCredentialHelpers=default,google,amazon,azure,github
|
||||||
resources:
|
resources:
|
||||||
limits:
|
limits:
|
||||||
memory: 384Mi
|
memory: 384Mi
|
||||||
|
@ -35367,6 +35369,8 @@ spec:
|
||||||
- --enablePolicyException=false
|
- --enablePolicyException=false
|
||||||
- --exceptionNamespace=
|
- --exceptionNamespace=
|
||||||
- --reportsChunkSize=1000
|
- --reportsChunkSize=1000
|
||||||
|
- --allowInsecureRegistry=false
|
||||||
|
- --registryCredentialHelpers=default,google,amazon,azure,github
|
||||||
env:
|
env:
|
||||||
- name: METRICS_CONFIG
|
- name: METRICS_CONFIG
|
||||||
value: kyverno-metrics
|
value: kyverno-metrics
|
||||||
|
|