mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-09 17:37:12 +00:00
Code Activity
kyverno/pkg/engine/handlers/validation/validate_manifest_test.go
Vishal Choudhary e9e44291bf
Support for Cosign 2.0 (#7248) 
* cosign 2.0 version upgrade

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* IgnoreTlog and IgnoreSCT updated

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* removed cli packages

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* lazy evaluate vars in conditions (#7238)

* lazy evaluate vars in conditions

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* remove unnecessary conversion

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix test

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* Update test/conformance/kuttl/validate/clusterpolicy/standard/variables/lazyload/conditions/03-manifests.yaml

Signed-off-by: shuting <shutting06@gmail.com>

* Update test/conformance/kuttl/validate/clusterpolicy/standard/variables/lazyload/README.md

Signed-off-by: shuting <shutting06@gmail.com>

* added error check in test

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

---------

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: shuting <shutting06@gmail.com>
Co-authored-by: shuting <shutting06@gmail.com>
Co-authored-by: kyverno-bot <104836976+kyverno-bot@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* in-toto-golang update

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* added rekor

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* quote image in error (#7259)

Signed-off-by: bakito <github@bakito.ch>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix: auto update webhooks not configuring fail endpoint (#7261)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix latest version check (#7263)

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump svenstaro/upload-release-action from 2.5.0 to 2.6.0 (#7270)

Bumps [svenstaro/upload-release-action](https://github.com/svenstaro/upload-release-action) from 2.5.0 to 2.6.0.
- [Release notes](https://github.com/svenstaro/upload-release-action/releases)
- [Changelog](https://github.com/svenstaro/upload-release-action/blob/master/CHANGELOG.md)
- [Commits](7319e4733e...58d5258088)

---
updated-dependencies:
- dependency-name: svenstaro/upload-release-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump sigs.k8s.io/controller-runtime from 0.14.6 to 0.15.0 (#7272)

Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.14.6 to 0.15.0.
- [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases)
- [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md)
- [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.14.6...v0.15.0)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/controller-runtime
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* feat: add yaml util to check empty document (#7276)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#7274)

Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](https://github.com/go-git/go-git/compare/v5.6.1...v5.7.0)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#7274)

Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](https://github.com/go-git/go-git/compare/v5.6.1...v5.7.0)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#7274)

Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](https://github.com/go-git/go-git/compare/v5.6.1...v5.7.0)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* go mod update

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* removed cosign 1.13.1 dependency

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* added default rekor url

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* updated cosign option

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#7274)

Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](https://github.com/go-git/go-git/compare/v5.6.1...v5.7.0)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* go mod update

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* go sum fix

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* NIT

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix failing test: Test_VerifyManifest_MustAll_InvalidYAML

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* suggestions from jim

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* go mod fix

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* updates to cosign verification

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* kuttl test ignore sct

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* go mod fixes

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* go mod update

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* downgrading gcr version

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* null pointer error

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* updated failing cli tests

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* updated kuttl test with complete subjects

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fixed issue with wildcard replacement

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* engine tests

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* removed conflicts with notary

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* updated go mod

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* codegen and test

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* added pubkeys test

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* add default CTLogPubKeys

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* cleanup

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* unwanted test

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix: auth checks with the APIVersion and the subresource (#7628)

* fix auth checks with apiVersion and subresource

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* add kuttl tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* remove duplicate code

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* update permissions

Signed-off-by: ShutingZhao <shuting@nirmata.com>

---------

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix: harden rbac permissions (#7638)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* chore(deps): bump sigstore/cosign-installer from 3.0.5 to 3.1.0 (#7664)

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.5 to 3.1.0.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](dd6b2e2b61...d13028333d)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump ossf/scorecard-action from 2.1.3 to 2.2.0 (#7663)

Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.1.3 to 2.2.0.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](80e868c13c...08b4669551)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* [Chore] bump notation-go from 1.0.0-rc.3 -> 1.0.0-rc.6 (#7650)

* Bump notation-go from 1.0.0-rc.3 -> 1.0.0-rc.6

Signed-off-by: webstradev <e.s.westra.95@gmail.com>

* fixed tests

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* added tests for repository

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

---------

Signed-off-by: webstradev <e.s.westra.95@gmail.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Co-authored-by: webstradev <e.s.westra.95@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>

* fix: vscode debug config (#7653)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix: pr updater workflow (#7665)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* refactor: add specific loaders from #7597 (#7671)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* feat: add cluster select and relabling config for ServiceMonitors (#7659)

* feat: add cluster select and relabling config for ServiceMonitors

Signed-off-by: Frank Jogeleit <frank.jogeleit@lovoo.com>

* feat: add cluster select and relabling config for ServiceMonitors

Signed-off-by: Frank Jogeleit <frank.jogeleit@lovoo.com>

---------

Signed-off-by: Frank Jogeleit <frank.jogeleit@lovoo.com>

* fix: cleanup controller context from #7597 (#7672)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix: cleanup controller rbac (#7669)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* refactor: migrate context loaders (part 1) from #7597 (#7676)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* refactor: migrate context loaders (part 2) from #7597 (#7677)

* refactor: migrate context loaders (part 1) from #7597

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* refactor: migrate context loaders (part 2) from #7597

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* feat: add lazy loading feature flag (#7680)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix: image verification (#7652)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* Fix deferred loading (#7597)

* handle nested contexts

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add feature flag

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add kuttl tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix linter issues

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix CLI regclient

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix: token permissions on report vulns workflow (#7611)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix: token permissions (#7619)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix: update the flag descriptions of the reports-controller (#7617)

Signed-off-by: emmanuel-ferdman <emmanuelferdman@gmail.com>

* fix: panic if env var not defined (#7613)

* fix: panic if env var not defined

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* use toggles instead of a flag

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* update toggle name

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* update toggle name

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix roles

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix role

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* update manifests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* remove extra unlock

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix loader reset

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* propagate context

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* cm resolver

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* level management

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* address review comments

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add enableDeferredLoading to other controllers

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* re-enable ACR credhelper

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* improve tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* remove image registry client init

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* check for invalid reset/restore

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* recursive kuttl test

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* add pre/post queries

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add check for a recursive match

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* new test suite

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* eval loaders at creation level

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* kuttl test

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* add an index for resolving deps in order

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* improve comment

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* extract remove method

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* merge main

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* flags

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* feature flag

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix flag

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* update unit tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* two rules kuttl test

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* update unit tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* revert

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* per rule checkpoint

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix mutate chained rules

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* per rule checpoint/restore

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* log error

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: emmanuel-ferdman <emmanuelferdman@gmail.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Emmanuel Ferdman <emmanuelferdman@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>

* fix: factorise confimap informer code (#7667)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(deps): bump sigstore/cosign-installer from 3.1.0 to 3.1.1 (#7689)

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.1.0 to 3.1.1.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](d13028333d...6e04d228eb)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix: Swap any/all in the error message. (#7688)

Signed-off-by: JaeHeung Han <hylowaker@users.noreply.github.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* feat: add background only policy support (#6666)

* feat: add background only policy support

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* webhook

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* validation

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* kuttl

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* all disabled

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix: pr updater workflow (#7697)

* fix: pr updater workflow

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* Update .github/workflows/pr-update.yaml

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: customizable tracer configuration (#7644)

* fix: customizable tracer configuration

Signed-off-by: Daniel Laszlo <laszlodaniel@icloud.com>
Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com>

* fix: harden rbac permissions (#7638)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com>

* chore(deps): bump sigstore/cosign-installer from 3.0.5 to 3.1.0 (#7664)

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.5 to 3.1.0.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](dd6b2e2b61...d13028333d)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com>

* chore(deps): bump ossf/scorecard-action from 2.1.3 to 2.2.0 (#7663)

Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.1.3 to 2.2.0.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](80e868c13c...08b4669551)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com>

* use resource.New instead of Merge

Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com>

* fix tabs

Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com>

* [Chore] bump notation-go from 1.0.0-rc.3 -> 1.0.0-rc.6 (#7650)

* Bump notation-go from 1.0.0-rc.3 -> 1.0.0-rc.6

Signed-off-by: webstradev <e.s.westra.95@gmail.com>

* fixed tests

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* added tests for repository

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

---------

Signed-off-by: webstradev <e.s.westra.95@gmail.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Co-authored-by: webstradev <e.s.westra.95@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com>

* fix: vscode debug config (#7653)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com>

* fix: pr updater workflow (#7665)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com>

* refactor: add specific loaders from #7597 (#7671)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com>

* feat: add cluster select and relabling config for ServiceMonitors (#7659)

* feat: add cluster select and relabling config for ServiceMonitors

Signed-off-by: Frank Jogeleit <frank.jogeleit@lovoo.com>

* feat: add cluster select and relabling config for ServiceMonitors

Signed-off-by: Frank Jogeleit <frank.jogeleit@lovoo.com>

---------

Signed-off-by: Frank Jogeleit <frank.jogeleit@lovoo.com>
Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com>

* fix: cleanup controller context from #7597 (#7672)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com>

* fix: cleanup controller rbac (#7669)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com>

* refactor: migrate context loaders (part 1) from #7597 (#7676)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com>

* refactor: migrate context loaders (part 2) from #7597 (#7677)

* refactor: migrate context loaders (part 1) from #7597

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* refactor: migrate context loaders (part 2) from #7597

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com>

* feat: add lazy loading feature flag (#7680)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com>

* fix: image verification (#7652)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com>

* Fix deferred loading (#7597)

* handle nested contexts

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add feature flag

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add kuttl tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix linter issues

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix CLI regclient

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix: token permissions on report vulns workflow (#7611)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix: token permissions (#7619)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix: update the flag descriptions of the reports-controller (#7617)

Signed-off-by: emmanuel-ferdman <emmanuelferdman@gmail.com>

* fix: panic if env var not defined (#7613)

* fix: panic if env var not defined

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* use toggles instead of a flag

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* update toggle name

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* update toggle name

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix roles

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix role

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* update manifests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* remove extra unlock

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix loader reset

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* propagate context

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* cm resolver

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* level management

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* address review comments

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add enableDeferredLoading to other controllers

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* re-enable ACR credhelper

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* improve tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* remove image registry client init

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* check for invalid reset/restore

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* recursive kuttl test

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* add pre/post queries

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add check for a recursive match

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* new test suite

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* eval loaders at creation level

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* kuttl test

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* add an index for resolving deps in order

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* improve comment

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* extract remove method

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* merge main

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* flags

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* feature flag

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix flag

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* update unit tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* two rules kuttl test

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* update unit tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* revert

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* per rule checkpoint

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix mutate chained rules

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* per rule checpoint/restore

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* log error

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: emmanuel-ferdman <emmanuelferdman@gmail.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Emmanuel Ferdman <emmanuelferdman@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com>

* fix: factorise confimap informer code (#7667)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com>

* chore(deps): bump sigstore/cosign-installer from 3.1.0 to 3.1.1 (#7689)

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.1.0 to 3.1.1.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](d13028333d...6e04d228eb)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com>

* Update pkg/tracing/config.go

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Daniel Laszlo <laszlodaniel@icloud.com>
Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: webstradev <e.s.westra.95@gmail.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Signed-off-by: Frank Jogeleit <frank.jogeleit@lovoo.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: emmanuel-ferdman <emmanuelferdman@gmail.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Co-authored-by: webstradev <e.s.westra.95@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: Frank Jogeleit <frank.jogeleit@lovoo.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Emmanuel Ferdman <emmanuelferdman@gmail.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix: lock schema manager when updating it (#7704)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* test: add kuttl tests for background only policies (#7709)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* Feat: Upgrade controller-gen to v0.12.0 and fix tooling (#7683)

* Upgrade controller-gen and fix tooling

Signed-off-by: shahbaz <shahbaz@shahbaz.myguest.virtualbox.org>

* Address comments

Signed-off-by: shahbaz <shahbaz@shahbaz.myguest.virtualbox.org>

* Add a marker in the sed command

Signed-off-by: shahbaz <shahbaz@shahbaz.myguest.virtualbox.org>

* Upgrade to the latest version and rearrange the annotations

Signed-off-by: shahbaz <shahbaz@shahbaz.myguest.virtualbox.org>

* Fix failing Verify Codegen tests

Signed-off-by: shahbaz <shahbaz@shahbaz.myguest.virtualbox.org>

* Remove unnecessary file

Signed-off-by: shahbaz <shahbaz@shahbaz.myguest.virtualbox.org>

* Restore original version in test folder

Signed-off-by: shahbaz <shahbaz@shahbaz.myguest.virtualbox.org>

* Add creationTimestamp: null again in the test folder

Signed-off-by: shahbaz <shahbaz@shahbaz.myguest.virtualbox.org>

---------

Signed-off-by: shahbaz <shahbaz@shahbaz.myguest.virtualbox.org>
Co-authored-by: shahbaz <shahbaz@shahbaz.myguest.virtualbox.org>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix: release signing (#7711) (#7713)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* chore: use github token instead of pat (#7716)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix: reduce token permissions (#7719)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix: reduce token permissions (#7721)

* fix: reduce token permissions

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix: reduce token permissions

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix: make `test --fail-only` return 1 if there are failed tests (#7717)

Signed-off-by: Carles Figuerola <cfiguerola@expediagroup.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* remove redundant tests (#7702)

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix: use gh token instead of pat (#7723)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix: remove obsolete scripts (#7720)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix: reduce token permission (#7729)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix: use github token instead of pat (#7727)

* fix: remove jmespath replace directive

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix: use github token instead of pat

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix: use golang builtin version management (#7654)

* fix: use golang builtin version management

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* feat: template for user setup in kuttl (#7731)

Signed-off-by: Alok N <alokme123@gmail.com>

* feat: Add option to add imagePullSecrets to cleanup CronJobs (#7730)

* Add option to add imagePullSecrets to cleanup CronJobs

Signed-off-by: Alexander Olzem <olzemal@pm.me>

* Update chart README

Signed-off-by: Alexander Olzem <olzemal@pm.me>

---------

Signed-off-by: Alexander Olzem <olzemal@pm.me>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix: typo in check cmd (#7733)

Signed-off-by: emmanuel-ferdman <emmanuelferdman@gmail.com>

* fix: nits in cli flags (#7736)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* chore: bump ko version (#7738)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* chore: bump kind node versions (#7737)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix: refactor cli values loading and remove dead code (#7739)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* [Feature] round() JMESPath function (#7489)

* adding roundoff

Signed-off-by: Rexbeast2 <ssukhveer514@gmail.com>

* removing unnecessary

Signed-off-by: Rexbeast2 <ssukhveer514@gmail.com>

* adding test

Signed-off-by: Rexbeast2 <ssukhveer514@gmail.com>

* adding edge case

Signed-off-by: Rexbeast2 <ssukhveer514@gmail.com>

* fixing error

Signed-off-by: Rexbeast2 <ssukhveer514@gmail.com>

* updating function call

Signed-off-by: Rexbeast2 <ssukhveer514@gmail.com>

* updating function jpRound

Signed-off-by: Rexbeast2 <ssukhveer514@gmail.com>

* error handling negative

Signed-off-by: Rexbeast2 <ssukhveer514@gmail.com>

* fix

Signed-off-by: Rexbeast2 <ssukhveer514@gmail.com>

* fix linter

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* parsing

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* cleanup

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix tests

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Rexbeast2 <ssukhveer514@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* chore(deps): bump ubuntu from `6120be6` to `0bced47` in /.devcontainer (#7744)

Bumps ubuntu from `6120be6` to `0bced47`.

---
updated-dependencies:
- dependency-name: ubuntu
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix: improve cli apply args check (#7746)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix: remove cli dead code (#7748)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* Replaced gcr crane with gcr remote (#7747)

* fix: oras-go/v2 version in go.sum

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* refactor: move kyverno constants out of v1 package (#7760)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* chore: use register-gen to register k8s types (#7761)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* chore(deps): bump fluxcd/flux2 from 0.41.2 to 2.0.0 (#7764)

Bumps [fluxcd/flux2](https://github.com/fluxcd/flux2) from 0.41.2 to 2.0.0.
- [Release notes](https://github.com/fluxcd/flux2/releases)
- [Changelog](https://github.com/fluxcd/flux2/blob/main/.goreleaser.yml)
- [Commits](dbda8fbdb8...9ea0a535ea)

---
updated-dependencies:
- dependency-name: fluxcd/flux2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* chore: introduce defaulters-gen (#7765)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* feat: add table output to cli apply command (#7757)

* feat: add table output to cli apply command

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* factorise

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>

* chore: bump cosign in gh workflows (#7715)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* chore: switch to deepcopy-gen (#7766)

* chore: switch to deepcopy-gen

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* chore: increase linter timeout (#7767)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* undo: revert back to cosign 2.0.2

cosign 2.1.1 has dependency conflicts with oras

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* remove markers

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* chore: remove 0_14 version of gcr

k8s-sigstore-manifest got a new version so we can finally upgrade gcr to v0.15

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* add: add logging to tlogs and sct

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* undo: remove registryOpts in favor of registry client opts

added the missing parts from registryOptions in registry client opts

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore: add generated files

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore: clean go mod

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix: remove bad logs

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* bug: fix go mod

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix: update kubebuilder version in crds

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* update: rollback policy to ignore tlog

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore: update codegen

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

---------

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: shuting <shutting06@gmail.com>
Signed-off-by: bakito <github@bakito.ch>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: webstradev <e.s.westra.95@gmail.com>
Signed-off-by: Frank Jogeleit <frank.jogeleit@lovoo.com>
Signed-off-by: emmanuel-ferdman <emmanuelferdman@gmail.com>
Signed-off-by: JaeHeung Han <hylowaker@users.noreply.github.com>
Signed-off-by: Daniel Laszlo <laszlodaniel@icloud.com>
Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com>
Signed-off-by: shahbaz <shahbaz@shahbaz.myguest.virtualbox.org>
Signed-off-by: Carles Figuerola <cfiguerola@expediagroup.com>
Signed-off-by: Alok N <alokme123@gmail.com>
Signed-off-by: Alexander Olzem <olzemal@pm.me>
Signed-off-by: Rexbeast2 <ssukhveer514@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: shuting <shutting06@gmail.com>
Co-authored-by: kyverno-bot <104836976+kyverno-bot@users.noreply.github.com>
Co-authored-by: Marc Brugger <github@bakito.ch>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: webstradev <e.s.westra.95@gmail.com>
Co-authored-by: Frank Jogeleit <frank.jogeleit@lovoo.com>
Co-authored-by: Emmanuel Ferdman <emmanuelferdman@gmail.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: JaeHeung Han <hylowaker@users.noreply.github.com>
Co-authored-by: Daniel Laszlo <laszlodaniel@icloud.com>
Co-authored-by: Md Shahbaz Alam <shahbazalam75508@gmail.com>
Co-authored-by: shahbaz <shahbaz@shahbaz.myguest.virtualbox.org>
Co-authored-by: Carles-Figuerola <carles@figuerola.info>
Co-authored-by: Alok Naushad <alokme123@gmail.com>
Co-authored-by: Alex Olzem <olzemal@gmail.com>
Co-authored-by: SukhveerS <78963782+Rexbeast2@users.noreply.github.com>
2023-08-15 14:25:55 +00:00

815 lines
26 KiB
Go
Raw Blame History

package validation
import (
"context"
"encoding/json"
"testing"
"github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
"github.com/kyverno/kyverno/pkg/config"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
"github.com/kyverno/kyverno/pkg/engine/jmespath"
"github.com/kyverno/kyverno/pkg/engine/policycontext"
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
"gotest.tools/assert"
v1 "k8s.io/api/admission/v1"
apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
)
var jp = jmespath.New(config.NewDefaultConfiguration(false))
var test_policy = `{}`
var signed_resource = `{
"apiVersion": "v1",
"data": {
"comment": "comment1",
"key1": "val1",
"key2": "val2"
},
"kind": "ConfigMap",
"metadata": {
"annotations": {
"cosign.sigstore.dev/message": "H4sIAAAAAAAA/wD8AAP/H4sIAAAAAAAA/+zRu27DIBQGYGaeghdIOVzsNKydu1Vdq9MYW5Y54AKJmjx9leuYsVUlf8vPz2U4Qu4xyz6Fzuci41EqeJ7C19DpGj+BDNFHMGS/LQDAEOWb3Caasy9ljMOqYl4Nx2azMQBGyYI0B7/a0tMBKbC709vW2nOu2+acoC/9RDVrpqyGprXQasPAQKvWTAD7BbtSMTOAPO269OBeqdj3D86vs9zzn8B5fPe5jCk6sVd8GmPnxEuK/Ti84szJV+ywouNCRCTvxP2T+W1/8gflxB6DuhR9LpoLsU1EPlZ3Wyj+1+MuFovF4uonAAD//3weCWIACAAAAQAA//+Nc9ey/AAAAA==",
"cosign.sigstore.dev/signature": "MEYCIQCTNFfObr0DiBCbDYEq0clxRw0FeoY35LhEiIFrGU7bZAIhAJR7AEYHIXkCPGlPIXA8ao0L99s3RWAjjzoxwcvOfmeT"
},
"name": "sample-cm",
"namespace": "sample-ns"
}
}`
var signed_adreq = `{
"uid": "2529b894-5fca-4df9-a92b-7110f42bfa09",
"kind": {
"group": "",
"version": "v1",
"kind": "ConfigMap"
},
"resource": {
"group": "",
"version": "v1",
"resource": "configmaps"
},
"requestKind": {
"group": "",
"version": "v1",
"kind": "ConfigMap"
},
"requestResource": {
"group": "",
"version": "v1",
"resource": "configmaps"
},
"name": "sample-cm",
"namespace": "sample-ns",
"operation": "CREATE",
"userInfo": {
"username": "kubernetes-admin",
"groups": [
"system:masters",
"system:authenticated"
]
},
"object": {
"apiVersion": "v1",
"data": {
"comment": "comment1",
"key1": "val1",
"key2": "val2"
},
"kind": "ConfigMap",
"metadata": {
"annotations": {
"cosign.sigstore.dev/message": "H4sIAAAAAAAA/wD8AAP/H4sIAAAAAAAA/+zRu27DIBQGYGaeghdIOVzsNKydu1Vdq9MYW5Y54AKJmjx9leuYsVUlf8vPz2U4Qu4xyz6Fzuci41EqeJ7C19DpGj+BDNFHMGS/LQDAEOWb3Caasy9ljMOqYl4Nx2azMQBGyYI0B7/a0tMBKbC709vW2nOu2+acoC/9RDVrpqyGprXQasPAQKvWTAD7BbtSMTOAPO269OBeqdj3D86vs9zzn8B5fPe5jCk6sVd8GmPnxEuK/Ti84szJV+ywouNCRCTvxP2T+W1/8gflxB6DuhR9LpoLsU1EPlZ3Wyj+1+MuFovF4uonAAD//3weCWIACAAAAQAA//+Nc9ey/AAAAA==",
"cosign.sigstore.dev/signature": "MEYCIQCTNFfObr0DiBCbDYEq0clxRw0FeoY35LhEiIFrGU7bZAIhAJR7AEYHIXkCPGlPIXA8ao0L99s3RWAjjzoxwcvOfmeT"
},
"creationTimestamp": "2022-03-04T07:43:10Z",
"managedFields": [
{
"apiVersion": "v1",
"fieldsType": "FieldsV1",
"fieldsV1": {
"f:data": {
".": {},
"f:comment": {},
"f:key1": {},
"f:key2": {}
},
"f:metadata": {
"f:annotations": {
".": {},
"f:integrityshield.io/message": {},
"f:integrityshield.io/signature": {}
}
}
},
"manager": "oc",
"operation": "Update",
"time": "2022-03-04T07:43:10Z"
}
],
"name": "sample-cm",
"namespace": "sample-ns",
"uid": "44725451-0fd5-47ec-98a1-f53f938e9b4d"
}
},
"oldObject": null,
"dryRun": false,
"options": {
"apiVersion": "meta.k8s.io/v1",
"kind": "CreateOptions"
}
}`
var unsigned_resource = `{
"apiVersion": "v1",
"data": {
"comment": "comment1",
"key1": "val1",
"key2": "val2"
},
"kind": "ConfigMap",
"metadata": {
"name": "sample-cm",
"namespace": "sample-ns"
}
}`
var unsigned_adreq = `{
"uid": "2529b894-5fca-4df9-a92b-7110f42bfa09",
"kind": {
"group": "",
"version": "v1",
"kind": "ConfigMap"
},
"resource": {
"group": "",
"version": "v1",
"resource": "configmaps"
},
"requestKind": {
"group": "",
"version": "v1",
"kind": "ConfigMap"
},
"requestResource": {
"group": "",
"version": "v1",
"resource": "configmaps"
},
"name": "sample-cm",
"namespace": "sample-ns",
"operation": "CREATE",
"userInfo": {
"username": "kubernetes-admin",
"groups": [
"system:masters",
"system:authenticated"
]
},
"object": {
"apiVersion": "v1",
"data": {
"comment": "comment1",
"key1": "val1",
"key2": "val2"
},
"kind": "ConfigMap",
"metadata": {
"creationTimestamp": "2022-03-04T07:43:10Z",
"managedFields": [
{
"apiVersion": "v1",
"fieldsType": "FieldsV1",
"fieldsV1": {
"f:data": {
".": {},
"f:comment": {},
"f:key1": {},
"f:key2": {}
},
"f:metadata": {
"f:annotations": {
".": {},
"f:integrityshield.io/message": {},
"f:integrityshield.io/signature": {}
}
}
},
"manager": "oc",
"operation": "Update",
"time": "2022-03-04T07:43:10Z"
}
],
"name": "sample-cm",
"namespace": "sample-ns",
"uid": "44725451-0fd5-47ec-98a1-f53f938e9b4d"
}
},
"oldObject": null,
"dryRun": false,
"options": {
"apiVersion": "meta.k8s.io/v1",
"kind": "CreateOptions"
}
}`
var invalid_resource = `{
"apiVersion": "v1",
"data": {
"comment": "comment1",
"key1": "val1",
"key2": "val2",
"key3": "val3"
},
"kind": "ConfigMap",
"metadata": {
"name": "sample-cm",
"namespace": "sample-ns",
"annotations": {
"cosign.sigstore.dev/message": "H4sIAAAAAAAA/wAIAff+H4sIAAAAAAAA/+yQu07DMBSGM+cp/ALB97T1ysyGWNHBcYKVHDuy3UL79Ii0ha0jCJFv+S/+Pdj0AIn2cepcyvSoqVZb+Rwwb076pStod+M7onx7ZYyxIdBHaiPOyeXsw9AUSM1w2raca7UTdB98aYrLpbF4dwScqjOfd1ulFt20elEmznmxTFdcCS0ka7USFZNcKlkRVv0A+1wgVYylcd/FG7tcoO9vnF/e8qV/BJj9k0vZx2DIgdejD50h9zH0fniAuUZXoIMCpiYkADpDMuA8ucbipckz2O865Po6txHRhWKuhteEjO7IDTnAdAliCeK3P2FlZWXlH/IRAAD//2efbt8ACAAAAQAA//91Gk76CAEAAA==",
"cosign.sigstore.dev/signature": "MEQCIFrMmrKUOAzbp0/5oe7TEotfqbAH9L5ao6iaIOlDZQCOAiAYcUnBFbn4GqgayTtcLN+Yi/2hH6hFz4MBUydO6DREAQ=="
}
}
}`
var invalid_adreq = `{
"clusterRoles": null,
"dryRun": false,
"kind": {
"group": "",
"kind": "ConfigMap",
"version": "v1"
},
"name": "sample-cm",
"namespace": "sample-ns",
"object": {
"apiVersion": "v1",
"data": {
"comment": "comment1",
"key1": "val1",
"key2": "val2",
"key3": "val3"
},
"kind": "ConfigMap",
"metadata": {
"annotations": {
"cosign.sigstore.dev/message": "H4sIAAAAAAAA/wAIAff+H4sIAAAAAAAA/+yQu07DMBSGM+cp/ALB97T1ysyGWNHBcYKVHDuy3UL79Ii0ha0jCJFv+S/+Pdj0AIn2cepcyvSoqVZb+Rwwb076pStod+M7onx7ZYyxIdBHaiPOyeXsw9AUSM1w2raca7UTdB98aYrLpbF4dwScqjOfd1ulFt20elEmznmxTFdcCS0ka7USFZNcKlkRVv0A+1wgVYylcd/FG7tcoO9vnF/e8qV/BJj9k0vZx2DIgdejD50h9zH0fniAuUZXoIMCpiYkADpDMuA8ucbipckz2O865Po6txHRhWKuhteEjO7IDTnAdAliCeK3P2FlZWXlH/IRAAD//2efbt8ACAAAAQAA//91Gk76CAEAAA==",
"cosign.sigstore.dev/signature": "MEQCIFrMmrKUOAzbp0/5oe7TEotfqbAH9L5ao6iaIOlDZQCOAiAYcUnBFbn4GqgayTtcLN+Yi/2hH6hFz4MBUydO6DREAQ=="
},
"creationTimestamp": "2022-06-15T08:11:51Z",
"managedFields": [
{
"apiVersion": "v1",
"fieldsType": "FieldsV1",
"fieldsV1": {
"f:data": {
".": {},
"f:comment": {},
"f:key1": {},
"f:key2": {},
"f:key3": {}
},
"f:metadata": {
"f:annotations": {
".": {},
"f:cosign.sigstore.dev/message": {},
"f:cosign.sigstore.dev/signature": {}
}
}
},
"manager": "kubectl-create",
"operation": "Update",
"time": "2022-06-15T08:11:51Z"
}
],
"name": "sample-cm",
"namespace": "sample-ns",
"uid": "5b4e13e5-898d-4fd2-95a9-8d7a95f3b469"
}
},
"oldObject": null,
"operation": "CREATE",
"options": {
"apiVersion": "meta.k8s.io/v1",
"fieldManager": "kubectl-create",
"fieldValidation": "Strict",
"kind": "CreateOptions"
},
"requestKind": {
"group": "",
"kind": "ConfigMap",
"version": "v1"
},
"requestResource": {
"group": "",
"resource": "configmaps",
"version": "v1"
},
"resource": {
"group": "",
"resource": "configmaps",
"version": "v1"
},
"roles": null,
"uid": "eecf91e9-4bba-420a-8094-261c8099a04c",
"userInfo": {
"groups": [
"system:masters",
"system:authenticated"
],
"username": "kubernetes-admin"
}
}`
var multi_sig_resource = `{
"apiVersion": "v1",
"kind": "Service",
"metadata": {
"annotations": {
"cosign.sigstore.dev/message": "H4sIAAAAAAAA/yyKzQrCQAwG7/sU3wsUFMGf3MSzUFC8h22QxXY3JKHg20sXb8PMsJaXmJdWCes+fUqdCA+xtWRJiwRPHEwJqLwIIcRj8H92lbwlbRa+wdCRcN4lAFBr0XKbCc/b2E2wvSXGPl0Op2MCXGbJ0Yz6wKqE+/eqmn4BAAD//3vEXUSaAAAA",
"cosign.sigstore.dev/signature": "MEUCIQDpI/7Ncl8iJJ/Kc8JlL5FLbePZprMSRRjvXYlaybjU2wIgaPYh93JMerk2L+vTOwQ4pYlZ43Eq86QnQ8wuKPXmnWE="
},
"name": "test-service"
},
"spec": {
"ports": [
{
"port": 80,
"protocol": "TCP",
"targetPort": 9376
}
],
"selector": {
"app": "MyApp"
}
}
}`
var multi_sig_adreq = `{
"clusterRoles": null,
"dryRun": false,
"kind": {
"group": "",
"kind": "Service",
"version": "v1"
},
"name": "test-service",
"namespace": "test-ns",
"object": {
"apiVersion": "v1",
"kind": "Service",
"metadata": {
"annotations": {
"cosign.sigstore.dev/message": "H4sIAAAAAAAA/yyKzQrCQAwG7/sU3wsUFMGf3MSzUFC8h22QxXY3JKHg20sXb8PMsJaXmJdWCes+fUqdCA+xtWRJiwRPHEwJqLwIIcRj8H92lbwlbRa+wdCRcN4lAFBr0XKbCc/b2E2wvSXGPl0Op2MCXGbJ0Yz6wKqE+/eqmn4BAAD//3vEXUSaAAAA",
"cosign.sigstore.dev/signature": "MEUCIQDpI/7Ncl8iJJ/Kc8JlL5FLbePZprMSRRjvXYlaybjU2wIgaPYh93JMerk2L+vTOwQ4pYlZ43Eq86QnQ8wuKPXmnWE="
},
"creationTimestamp": "2022-06-16T07:15:34Z",
"managedFields": [
{
"apiVersion": "v1",
"fieldsType": "FieldsV1",
"fieldsV1": {
"f:metadata": {
"f:annotations": {
".": {},
"f:cosign.sigstore.dev/message": {},
"f:cosign.sigstore.dev/signature": {}
}
},
"f:spec": {
"f:internalTrafficPolicy": {},
"f:ports": {
".": {},
"k:{\"port\":80,\"protocol\":\"TCP\"}": {
".": {},
"f:port": {},
"f:protocol": {},
"f:targetPort": {}
}
},
"f:selector": {},
"f:sessionAffinity": {},
"f:type": {}
}
},
"manager": "kubectl-create",
"operation": "Update",
"time": "2022-06-16T07:15:34Z"
}
],
"name": "test-service",
"namespace": "test-ns",
"uid": "7011a06e-50cb-46b8-bf88-40582294d2b2"
},
"spec": {
"clusterIP": "10.96.122.111",
"clusterIPs": [
"10.96.122.111"
],
"internalTrafficPolicy": "Cluster",
"ipFamilies": [
"IPv4"
],
"ipFamilyPolicy": "SingleStack",
"ports": [
{
"port": 80,
"protocol": "TCP",
"targetPort": 9376
}
],
"selector": {
"app": "MyApp"
},
"sessionAffinity": "None",
"type": "ClusterIP"
},
"status": {
"loadBalancer": {}
}
},
"oldObject": null,
"operation": "CREATE",
"options": {
"apiVersion": "meta.k8s.io/v1",
"fieldManager": "kubectl-create",
"fieldValidation": "Strict",
"kind": "CreateOptions"
},
"requestKind": {
"group": "",
"kind": "Service",
"version": "v1"
},
"requestResource": {
"group": "",
"resource": "services",
"version": "v1"
},
"resource": {
"group": "",
"resource": "services",
"version": "v1"
},
"roles": null,
"uid": "cb2aed81-39ca-43c0-b565-0621b9a5d38c",
"userInfo": {
"groups": [
"system:masters",
"system:authenticated"
],
"username": "kubernetes-admin"
}
}`
var multi_sig2_resource = `{
"apiVersion": "v1",
"kind": "Service",
"metadata": {
"annotations": {
"cosign.sigstore.dev/message": "H4sIAAAAAAAA/yyKzQrCQAwG7/sU3wsUFMGf3MSzUFC8h22QxXY3JKHg20sXb8PMsJaXmJdWCes+fUqdCA+xtWRJiwRPHEwJqLwIIcRj8H92lbwlbRa+wdCRcN4lAFBr0XKbCc/b2E2wvSXGPl0Op2MCXGbJ0Yz6wKqE+/eqmn4BAAD//3vEXUSaAAAA",
"cosign.sigstore.dev/signature": "MEUCIQDpI/7Ncl8iJJ/Kc8JlL5FLbePZprMSRRjvXYlaybjU2wIgaPYh93JMerk2L+vTOwQ4pYlZ43Eq86QnQ8wuKPXmnWE=",
"cosign.sigstore.dev/signature_1": "MEMCICxbOY2HKophxyUVxhBOAJo+kt+WYleDttBCVFrmA/7PAh8lgr5u3d2rFM8gSTBEYgzRzXIwAZEByrpq0SVRwqq7"
},
"name": "test-service"
},
"spec": {
"ports": [
{
"port": 80,
"protocol": "TCP",
"targetPort": 9376
}
],
"selector": {
"app": "MyApp"
}
}
}`
var multi_sig2_adreq = `{
"clusterRoles": null,
"dryRun": false,
"kind": {
"group": "",
"kind": "Service",
"version": "v1"
},
"name": "test-service",
"namespace": "test-ns",
"object": {
"apiVersion": "v1",
"kind": "Service",
"metadata": {
"annotations": {
"cosign.sigstore.dev/message": "H4sIAAAAAAAA/yyKzQrCQAwG7/sU3wsUFMGf3MSzUFC8h22QxXY3JKHg20sXb8PMsJaXmJdWCes+fUqdCA+xtWRJiwRPHEwJqLwIIcRj8H92lbwlbRa+wdCRcN4lAFBr0XKbCc/b2E2wvSXGPl0Op2MCXGbJ0Yz6wKqE+/eqmn4BAAD//3vEXUSaAAAA",
"cosign.sigstore.dev/signature": "MEUCIQDpI/7Ncl8iJJ/Kc8JlL5FLbePZprMSRRjvXYlaybjU2wIgaPYh93JMerk2L+vTOwQ4pYlZ43Eq86QnQ8wuKPXmnWE=",
"cosign.sigstore.dev/signature_1": "MEMCICxbOY2HKophxyUVxhBOAJo+kt+WYleDttBCVFrmA/7PAh8lgr5u3d2rFM8gSTBEYgzRzXIwAZEByrpq0SVRwqq7"
},
"creationTimestamp": "2022-06-16T07:16:23Z",
"managedFields": [
{
"apiVersion": "v1",
"fieldsType": "FieldsV1",
"fieldsV1": {
"f:metadata": {
"f:annotations": {
".": {},
"f:cosign.sigstore.dev/message": {},
"f:cosign.sigstore.dev/signature": {},
"f:cosign.sigstore.dev/signature_1": {}
}
},
"f:spec": {
"f:internalTrafficPolicy": {},
"f:ports": {
".": {},
"k:{\"port\":80,\"protocol\":\"TCP\"}": {
".": {},
"f:port": {},
"f:protocol": {},
"f:targetPort": {}
}
},
"f:selector": {},
"f:sessionAffinity": {},
"f:type": {}
}
},
"manager": "kubectl-create",
"operation": "Update",
"time": "2022-06-16T07:16:23Z"
}
],
"name": "test-service",
"namespace": "test-ns",
"uid": "3e146f89-bd8a-4738-a7d4-41c5872d18ad"
},
"spec": {
"clusterIP": "10.96.223.193",
"clusterIPs": [
"10.96.223.193"
],
"internalTrafficPolicy": "Cluster",
"ipFamilies": [
"IPv4"
],
"ipFamilyPolicy": "SingleStack",
"ports": [
{
"port": 80,
"protocol": "TCP",
"targetPort": 9376
}
],
"selector": {
"app": "MyApp"
},
"sessionAffinity": "None",
"type": "ClusterIP"
},
"status": {
"loadBalancer": {}
}
},
"oldObject": null,
"operation": "CREATE",
"options": {
"apiVersion": "meta.k8s.io/v1",
"fieldManager": "kubectl-create",
"fieldValidation": "Strict",
"kind": "CreateOptions"
},
"requestKind": {
"group": "",
"kind": "Service",
"version": "v1"
},
"requestResource": {
"group": "",
"resource": "services",
"version": "v1"
},
"resource": {
"group": "",
"resource": "services",
"version": "v1"
},
"roles": null,
"uid": "8a2891d0-351a-4363-92e4-0c99b10e5f26",
"userInfo": {
"groups": [
"system:masters",
"system:authenticated"
],
"username": "kubernetes-admin"
}
}`
const ecdsaPub = `-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyQfmL5YwHbn9xrrgG3vgbU0KJxMY
BibYLJ5L4VSMvGxeMLnBGdM48w5IE//6idUPj3rscigFdHs7GDMH4LLAng==
-----END PUBLIC KEY-----`
const ecdsaPub2 = `-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEE8uGVnyDWPPlB7M5KOHRzxzPHtAy
FdGxexVrR4YqO1pRViKxmD9oMu4I7K/4sM51nbH65ycB2uRiDfIdRoV/+A==
-----END PUBLIC KEY-----
`
var (
h = validateManifestHandler{}
cfg = config.NewDefaultConfiguration(false)
)
func Test_VerifyManifest_SignedYAML(t *testing.T) {
policyContext := buildContext(t, test_policy, signed_resource, "")
var request v1.AdmissionRequest
_ = json.Unmarshal([]byte(signed_adreq), &request)
policyContext.JSONContext().AddRequest(request)
policyContext.Policy().SetName("test-policy")
verifyRule := kyvernov1.Manifests{}
verifyRule.Attestors = append(verifyRule.Attestors, kyvernov1.AttestorSet{
Entries: []kyvernov1.Attestor{
{
Keys: &kyvernov1.StaticKeyAttestor{
PublicKeys: ecdsaPub,
},
},
},
})
logger := logr.Discard()
verified, _, err := h.verifyManifest(context.TODO(), logger, policyContext, verifyRule)
assert.NilError(t, err)
assert.Equal(t, verified, true)
}
func Test_VerifyManifest_UnsignedYAML(t *testing.T) {
policyContext := buildContext(t, test_policy, unsigned_resource, "")
var request v1.AdmissionRequest
_ = json.Unmarshal([]byte(unsigned_adreq), &request)
policyContext.JSONContext().AddRequest(request)
policyContext.Policy().SetName("test-policy")
verifyRule := kyvernov1.Manifests{}
verifyRule.Attestors = append(verifyRule.Attestors, kyvernov1.AttestorSet{
Entries: []kyvernov1.Attestor{
{
Keys: &kyvernov1.StaticKeyAttestor{
PublicKeys: ecdsaPub,
},
},
},
})
logger := logr.Discard()
verified, _, err := h.verifyManifest(context.TODO(), logger, policyContext, verifyRule)
assert.NilError(t, err)
assert.Equal(t, verified, false)
}
func Test_VerifyManifest_InvalidYAML(t *testing.T) {
policyContext := buildContext(t, test_policy, invalid_resource, "")
var request v1.AdmissionRequest
_ = json.Unmarshal([]byte(invalid_adreq), &request)
policyContext.JSONContext().AddRequest(request)
policyContext.Policy().SetName("test-policy")
verifyRule := kyvernov1.Manifests{}
verifyRule.Attestors = append(verifyRule.Attestors, kyvernov1.AttestorSet{
Entries: []kyvernov1.Attestor{
{
Keys: &kyvernov1.StaticKeyAttestor{
PublicKeys: ecdsaPub,
},
},
},
})
logger := logr.Discard()
verified, _, err := h.verifyManifest(context.TODO(), logger, policyContext, verifyRule)
assert.NilError(t, err)
assert.Equal(t, verified, false)
}
func Test_VerifyManifest_MustAll_InvalidYAML(t *testing.T) {
policyContext := buildContext(t, test_policy, multi_sig_resource, "")
var request v1.AdmissionRequest
_ = json.Unmarshal([]byte(multi_sig_adreq), &request)
policyContext.JSONContext().AddRequest(request)
policyContext.Policy().SetName("test-policy")
verifyRule := kyvernov1.Manifests{}
verifyRule.Attestors = append(verifyRule.Attestors, kyvernov1.AttestorSet{
Entries: []kyvernov1.Attestor{
{
Keys: &kyvernov1.StaticKeyAttestor{
PublicKeys: ecdsaPub,
},
},
{
Keys: &kyvernov1.StaticKeyAttestor{
PublicKeys: ecdsaPub2,
},
},
},
})
logger := logr.Discard()
verified, _, err := h.verifyManifest(context.TODO(), logger, policyContext, verifyRule)
errMsg := `.attestors[0].entries[1].keys: failed to verify signature: verification failed for 1 signature. all trials: ["[publickey 1/1] [signature 1/1] error: cosign.VerifyBlobCmd.Exec() returned an error: invalid signature when validating ASN.1 encoded signature"]`
assert.Error(t, err, errMsg)
assert.Equal(t, verified, false)
}
func Test_VerifyManifest_MustAll_ValidYAML(t *testing.T) {
policyContext := buildContext(t, test_policy, multi_sig2_resource, "")
var request v1.AdmissionRequest
_ = json.Unmarshal([]byte(multi_sig2_adreq), &request)
policyContext.JSONContext().AddRequest(request)
policyContext.Policy().SetName("test-policy")
verifyRule := kyvernov1.Manifests{}
count := 3
verifyRule.Attestors = append(verifyRule.Attestors, kyvernov1.AttestorSet{
Count: &count,
Entries: []kyvernov1.Attestor{
{
Keys: &kyvernov1.StaticKeyAttestor{
PublicKeys: ecdsaPub,
},
},
{
Keys: &kyvernov1.StaticKeyAttestor{
PublicKeys: ecdsaPub2,
},
},
{
Attestor: &apiextv1.JSON{Raw: []byte(`{"entries":[{"keys":{"publicKeys":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyQfmL5YwHbn9xrrgG3vgbU0KJxMY\nBibYLJ5L4VSMvGxeMLnBGdM48w5IE//6idUPj3rscigFdHs7GDMH4LLAng==\n-----END PUBLIC KEY----- "}}]}`)},
},
},
})
logger := logr.Discard()
verified, _, err := h.verifyManifest(context.TODO(), logger, policyContext, verifyRule)
assert.NilError(t, err)
assert.Equal(t, verified, true)
}
func Test_VerifyManifest_AtLeastOne(t *testing.T) {
policyContext := buildContext(t, test_policy, multi_sig_resource, "")
var request v1.AdmissionRequest
_ = json.Unmarshal([]byte(multi_sig_adreq), &request)
policyContext.JSONContext().AddRequest(request)
policyContext.Policy().SetName("test-policy")
verifyRule := kyvernov1.Manifests{}
count := 1
verifyRule.Attestors = append(verifyRule.Attestors, kyvernov1.AttestorSet{
Count: &count,
Entries: []kyvernov1.Attestor{
{
Keys: &kyvernov1.StaticKeyAttestor{
PublicKeys: ecdsaPub,
},
},
{
Keys: &kyvernov1.StaticKeyAttestor{
PublicKeys: ecdsaPub2,
},
},
},
})
logger := logr.Discard()
verified, _, err := h.verifyManifest(context.TODO(), logger, policyContext, verifyRule)
assert.NilError(t, err)
assert.Equal(t, verified, true)
}
func buildContext(t *testing.T, policy, resource string, oldResource string) engineapi.PolicyContext {
var cpol kyvernov1.ClusterPolicy
err := json.Unmarshal([]byte(policy), &cpol)
assert.NilError(t, err)
resourceUnstructured, err := kubeutils.BytesToUnstructured([]byte(resource))
assert.NilError(t, err)
policyContext, err := policycontext.NewPolicyContext(
jp,
*resourceUnstructured,
kyvernov1.Create,
nil,
cfg,
)
assert.NilError(t, err)
policyContext = policyContext.
WithPolicy(&cpol).
WithNewResource(*resourceUnstructured)
if oldResource != "" {
oldResourceUnstructured, err := kubeutils.BytesToUnstructured([]byte(oldResource))
assert.NilError(t, err)
err = enginecontext.AddOldResource(policyContext.JSONContext(), []byte(oldResource))
assert.NilError(t, err)
policyContext = policyContext.WithOldResource(*oldResourceUnstructured)
}
return policyContext
}
View git blame Copy permalink