mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-09 01:16:55 +00:00
9fde4fd6a1
* fix autogen check Signed-off-by: Jim Bugwadia <jim@nirmata.com> * allow multiple keys and fix root/intermediate certs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make issuer/subject optional Signed-off-by: Jim Bugwadia <jim@nirmata.com> * enable CTLog options Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix split Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make codegen Signed-off-by: Jim Bugwadia <jim@nirmata.com> * rename CTLog -> Rekor Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * api/kyverno/v1/image_verification_test.go Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
75 lines
2 KiB
Go
75 lines
2 KiB
Go
package registryclient
|
|
|
|
import (
|
|
"context"
|
|
"io/ioutil"
|
|
|
|
"github.com/google/go-containerregistry/pkg/authn/github"
|
|
|
|
ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
|
|
"github.com/chrismellard/docker-credential-acr-env/pkg/credhelper"
|
|
"github.com/google/go-containerregistry/pkg/authn"
|
|
kauth "github.com/google/go-containerregistry/pkg/authn/kubernetes"
|
|
"github.com/google/go-containerregistry/pkg/v1/google"
|
|
"github.com/pkg/errors"
|
|
"k8s.io/client-go/kubernetes"
|
|
)
|
|
|
|
var (
|
|
Secrets []string
|
|
|
|
kubeClient kubernetes.Interface
|
|
namespace string
|
|
serviceAccount string
|
|
|
|
defaultKeychain = authn.NewMultiKeychain(
|
|
authn.DefaultKeychain,
|
|
google.Keychain,
|
|
authn.NewKeychainFromHelper(ecr.NewECRHelper(ecr.WithLogger(ioutil.Discard))),
|
|
authn.NewKeychainFromHelper(credhelper.NewACRCredentialsHelper()),
|
|
github.Keychain,
|
|
)
|
|
|
|
DefaultKeychain = defaultKeychain
|
|
)
|
|
|
|
// InitializeLocal loads the docker credentials and initializes the default auth method for container registry API calls
|
|
func InitializeLocal() {
|
|
DefaultKeychain = authn.DefaultKeychain
|
|
}
|
|
|
|
// Initialize loads the image pull secrets and initializes the default auth method for container registry API calls
|
|
func Initialize(client kubernetes.Interface, ns, sa string, imagePullSecrets []string) error {
|
|
kubeClient = client
|
|
namespace = ns
|
|
serviceAccount = sa
|
|
Secrets = imagePullSecrets
|
|
|
|
var kc authn.Keychain
|
|
kcOpts := kauth.Options{
|
|
Namespace: namespace,
|
|
ServiceAccountName: serviceAccount,
|
|
ImagePullSecrets: imagePullSecrets,
|
|
}
|
|
|
|
kc, err := kauth.New(context.Background(), client, kcOpts)
|
|
if err != nil {
|
|
return errors.Wrap(err, "failed to initialize registry keychain")
|
|
}
|
|
|
|
DefaultKeychain = authn.NewMultiKeychain(
|
|
defaultKeychain,
|
|
kc,
|
|
)
|
|
|
|
return nil
|
|
}
|
|
|
|
// UpdateKeychain reinitializes the image pull secrets and default auth method for container registry API calls
|
|
func UpdateKeychain() error {
|
|
var err = Initialize(kubeClient, namespace, serviceAccount, Secrets)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
return nil
|
|
}
|