mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-14 11:57:48 +00:00
e9e44291bf
* cosign 2.0 version upgrade Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * IgnoreTlog and IgnoreSCT updated Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * removed cli packages Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * lazy evaluate vars in conditions (#7238) * lazy evaluate vars in conditions Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove unnecessary conversion Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test Signed-off-by: Jim Bugwadia <jim@nirmata.com> * Update test/conformance/kuttl/validate/clusterpolicy/standard/variables/lazyload/conditions/03-manifests.yaml Signed-off-by: shuting <shutting06@gmail.com> * Update test/conformance/kuttl/validate/clusterpolicy/standard/variables/lazyload/README.md Signed-off-by: shuting <shutting06@gmail.com> * added error check in test Signed-off-by: Jim Bugwadia <jim@nirmata.com> --------- Signed-off-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: shuting <shutting06@gmail.com> Co-authored-by: shuting <shutting06@gmail.com> Co-authored-by: kyverno-bot <104836976+kyverno-bot@users.noreply.github.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * in-toto-golang update Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * added rekor Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * quote image in error (#7259) Signed-off-by: bakito <github@bakito.ch> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fix: auto update webhooks not configuring fail endpoint (#7261) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fix latest version check (#7263) Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * chore(deps): bump svenstaro/upload-release-action from 2.5.0 to 2.6.0 (#7270) Bumps [svenstaro/upload-release-action](https://github.com/svenstaro/upload-release-action) from 2.5.0 to 2.6.0. - [Release notes](https://github.com/svenstaro/upload-release-action/releases) - [Changelog](https://github.com/svenstaro/upload-release-action/blob/master/CHANGELOG.md) - [Commits](7319e4733e...58d5258088) --- updated-dependencies: - dependency-name: svenstaro/upload-release-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * chore(deps): bump sigs.k8s.io/controller-runtime from 0.14.6 to 0.15.0 (#7272) Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.14.6 to 0.15.0. - [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases) - [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md) - [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.14.6...v0.15.0) --- updated-dependencies: - dependency-name: sigs.k8s.io/controller-runtime dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * feat: add yaml util to check empty document (#7276) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * chore(deps): bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#7274) Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](https://github.com/go-git/go-git/compare/v5.6.1...v5.7.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * chore(deps): bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#7274) Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](https://github.com/go-git/go-git/compare/v5.6.1...v5.7.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * chore(deps): bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#7274) Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](https://github.com/go-git/go-git/compare/v5.6.1...v5.7.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * go mod update Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * removed cosign 1.13.1 dependency Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * added default rekor url Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * updated cosign option Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * chore(deps): bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#7274) Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](https://github.com/go-git/go-git/compare/v5.6.1...v5.7.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * go mod update Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * go sum fix Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * NIT Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fix failing test: Test_VerifyManifest_MustAll_InvalidYAML Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * suggestions from jim Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * go mod fix Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * updates to cosign verification Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * kuttl test ignore sct Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * go mod fixes Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * go mod update Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * downgrading gcr version Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * null pointer error Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * updated failing cli tests Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * updated kuttl test with complete subjects Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fixed issue with wildcard replacement Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * engine tests Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * removed conflicts with notary Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * updated go mod Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * codegen and test Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * added pubkeys test Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * add default CTLogPubKeys Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * cleanup Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * unwanted test Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fix: auth checks with the APIVersion and the subresource (#7628) * fix auth checks with apiVersion and subresource Signed-off-by: ShutingZhao <shuting@nirmata.com> * add kuttl tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * remove duplicate code Signed-off-by: ShutingZhao <shuting@nirmata.com> * update permissions Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: harden rbac permissions (#7638) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chore(deps): bump sigstore/cosign-installer from 3.0.5 to 3.1.0 (#7664) Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.5 to 3.1.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](dd6b2e2b61...d13028333d) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump ossf/scorecard-action from 2.1.3 to 2.2.0 (#7663) Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.1.3 to 2.2.0. - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](80e868c13c...08b4669551) --- updated-dependencies: - dependency-name: ossf/scorecard-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * [Chore] bump notation-go from 1.0.0-rc.3 -> 1.0.0-rc.6 (#7650) * Bump notation-go from 1.0.0-rc.3 -> 1.0.0-rc.6 Signed-off-by: webstradev <e.s.westra.95@gmail.com> * fixed tests Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * added tests for repository Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> --------- Signed-off-by: webstradev <e.s.westra.95@gmail.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> Co-authored-by: webstradev <e.s.westra.95@gmail.com> Co-authored-by: shuting <shuting@nirmata.com> * fix: vscode debug config (#7653) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: pr updater workflow (#7665) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: add specific loaders from #7597 (#7671) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feat: add cluster select and relabling config for ServiceMonitors (#7659) * feat: add cluster select and relabling config for ServiceMonitors Signed-off-by: Frank Jogeleit <frank.jogeleit@lovoo.com> * feat: add cluster select and relabling config for ServiceMonitors Signed-off-by: Frank Jogeleit <frank.jogeleit@lovoo.com> --------- Signed-off-by: Frank Jogeleit <frank.jogeleit@lovoo.com> * fix: cleanup controller context from #7597 (#7672) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: cleanup controller rbac (#7669) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: migrate context loaders (part 1) from #7597 (#7676) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: migrate context loaders (part 2) from #7597 (#7677) * refactor: migrate context loaders (part 1) from #7597 Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: migrate context loaders (part 2) from #7597 Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feat: add lazy loading feature flag (#7680) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: image verification (#7652) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * Fix deferred loading (#7597) * handle nested contexts Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add feature flag Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add kuttl tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter issues Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix CLI regclient Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix: token permissions on report vulns workflow (#7611) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: token permissions (#7619) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: update the flag descriptions of the reports-controller (#7617) Signed-off-by: emmanuel-ferdman <emmanuelferdman@gmail.com> * fix: panic if env var not defined (#7613) * fix: panic if env var not defined Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * use toggles instead of a flag Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update toggle name Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update toggle name Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix roles Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix role Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update manifests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove extra unlock Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix loader reset Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * propagate context Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * cm resolver Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * level management Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * address review comments Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add enableDeferredLoading to other controllers Signed-off-by: Jim Bugwadia <jim@nirmata.com> * re-enable ACR credhelper Signed-off-by: Jim Bugwadia <jim@nirmata.com> * improve tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove image registry client init Signed-off-by: Jim Bugwadia <jim@nirmata.com> * check for invalid reset/restore Signed-off-by: Jim Bugwadia <jim@nirmata.com> * recursive kuttl test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * add pre/post queries Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add check for a recursive match Signed-off-by: Jim Bugwadia <jim@nirmata.com> * new test suite Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * eval loaders at creation level Signed-off-by: Jim Bugwadia <jim@nirmata.com> * kuttl test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * add an index for resolving deps in order Signed-off-by: Jim Bugwadia <jim@nirmata.com> * improve comment Signed-off-by: Jim Bugwadia <jim@nirmata.com> * extract remove method Signed-off-by: Jim Bugwadia <jim@nirmata.com> * merge main Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * flags Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feature flag Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix flag Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * two rules kuttl test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * revert Signed-off-by: ShutingZhao <shuting@nirmata.com> * per rule checkpoint Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix mutate chained rules Signed-off-by: ShutingZhao <shuting@nirmata.com> * per rule checpoint/restore Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * log error Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: emmanuel-ferdman <emmanuelferdman@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Emmanuel Ferdman <emmanuelferdman@gmail.com> Co-authored-by: shuting <shuting@nirmata.com> * fix: factorise confimap informer code (#7667) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore(deps): bump sigstore/cosign-installer from 3.1.0 to 3.1.1 (#7689) Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.1.0 to 3.1.1. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](d13028333d...6e04d228eb) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix: Swap any/all in the error message. (#7688) Signed-off-by: JaeHeung Han <hylowaker@users.noreply.github.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feat: add background only policy support (#6666) * feat: add background only policy support Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * kuttl Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * all disabled Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: pr updater workflow (#7697) * fix: pr updater workflow Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * Update .github/workflows/pr-update.yaml Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix: customizable tracer configuration (#7644) * fix: customizable tracer configuration Signed-off-by: Daniel Laszlo <laszlodaniel@icloud.com> Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com> * fix: harden rbac permissions (#7638) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com> * chore(deps): bump sigstore/cosign-installer from 3.0.5 to 3.1.0 (#7664) Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.5 to 3.1.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](dd6b2e2b61...d13028333d) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com> * chore(deps): bump ossf/scorecard-action from 2.1.3 to 2.2.0 (#7663) Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.1.3 to 2.2.0. - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](80e868c13c...08b4669551) --- updated-dependencies: - dependency-name: ossf/scorecard-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com> * use resource.New instead of Merge Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com> * fix tabs Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com> * [Chore] bump notation-go from 1.0.0-rc.3 -> 1.0.0-rc.6 (#7650) * Bump notation-go from 1.0.0-rc.3 -> 1.0.0-rc.6 Signed-off-by: webstradev <e.s.westra.95@gmail.com> * fixed tests Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * added tests for repository Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> --------- Signed-off-by: webstradev <e.s.westra.95@gmail.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> Co-authored-by: webstradev <e.s.westra.95@gmail.com> Co-authored-by: shuting <shuting@nirmata.com> Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com> * fix: vscode debug config (#7653) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com> * fix: pr updater workflow (#7665) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com> * refactor: add specific loaders from #7597 (#7671) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com> * feat: add cluster select and relabling config for ServiceMonitors (#7659) * feat: add cluster select and relabling config for ServiceMonitors Signed-off-by: Frank Jogeleit <frank.jogeleit@lovoo.com> * feat: add cluster select and relabling config for ServiceMonitors Signed-off-by: Frank Jogeleit <frank.jogeleit@lovoo.com> --------- Signed-off-by: Frank Jogeleit <frank.jogeleit@lovoo.com> Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com> * fix: cleanup controller context from #7597 (#7672) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com> * fix: cleanup controller rbac (#7669) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com> * refactor: migrate context loaders (part 1) from #7597 (#7676) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com> * refactor: migrate context loaders (part 2) from #7597 (#7677) * refactor: migrate context loaders (part 1) from #7597 Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: migrate context loaders (part 2) from #7597 Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com> * feat: add lazy loading feature flag (#7680) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com> * fix: image verification (#7652) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com> * Fix deferred loading (#7597) * handle nested contexts Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add feature flag Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add kuttl tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter issues Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix CLI regclient Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix: token permissions on report vulns workflow (#7611) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: token permissions (#7619) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: update the flag descriptions of the reports-controller (#7617) Signed-off-by: emmanuel-ferdman <emmanuelferdman@gmail.com> * fix: panic if env var not defined (#7613) * fix: panic if env var not defined Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * use toggles instead of a flag Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update toggle name Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update toggle name Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix roles Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix role Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update manifests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove extra unlock Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix loader reset Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * propagate context Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * cm resolver Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * level management Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * address review comments Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add enableDeferredLoading to other controllers Signed-off-by: Jim Bugwadia <jim@nirmata.com> * re-enable ACR credhelper Signed-off-by: Jim Bugwadia <jim@nirmata.com> * improve tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove image registry client init Signed-off-by: Jim Bugwadia <jim@nirmata.com> * check for invalid reset/restore Signed-off-by: Jim Bugwadia <jim@nirmata.com> * recursive kuttl test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * add pre/post queries Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add check for a recursive match Signed-off-by: Jim Bugwadia <jim@nirmata.com> * new test suite Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * eval loaders at creation level Signed-off-by: Jim Bugwadia <jim@nirmata.com> * kuttl test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * add an index for resolving deps in order Signed-off-by: Jim Bugwadia <jim@nirmata.com> * improve comment Signed-off-by: Jim Bugwadia <jim@nirmata.com> * extract remove method Signed-off-by: Jim Bugwadia <jim@nirmata.com> * merge main Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * flags Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feature flag Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix flag Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * two rules kuttl test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * revert Signed-off-by: ShutingZhao <shuting@nirmata.com> * per rule checkpoint Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix mutate chained rules Signed-off-by: ShutingZhao <shuting@nirmata.com> * per rule checpoint/restore Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * log error Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: emmanuel-ferdman <emmanuelferdman@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Emmanuel Ferdman <emmanuelferdman@gmail.com> Co-authored-by: shuting <shuting@nirmata.com> Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com> * fix: factorise confimap informer code (#7667) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com> * chore(deps): bump sigstore/cosign-installer from 3.1.0 to 3.1.1 (#7689) Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.1.0 to 3.1.1. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](d13028333d...6e04d228eb) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com> * Update pkg/tracing/config.go Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Daniel Laszlo <laszlodaniel@icloud.com> Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: webstradev <e.s.westra.95@gmail.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> Signed-off-by: Frank Jogeleit <frank.jogeleit@lovoo.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: emmanuel-ferdman <emmanuelferdman@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> Co-authored-by: webstradev <e.s.westra.95@gmail.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Frank Jogeleit <frank.jogeleit@lovoo.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Emmanuel Ferdman <emmanuelferdman@gmail.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix: lock schema manager when updating it (#7704) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * test: add kuttl tests for background only policies (#7709) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * Feat: Upgrade controller-gen to v0.12.0 and fix tooling (#7683) * Upgrade controller-gen and fix tooling Signed-off-by: shahbaz <shahbaz@shahbaz.myguest.virtualbox.org> * Address comments Signed-off-by: shahbaz <shahbaz@shahbaz.myguest.virtualbox.org> * Add a marker in the sed command Signed-off-by: shahbaz <shahbaz@shahbaz.myguest.virtualbox.org> * Upgrade to the latest version and rearrange the annotations Signed-off-by: shahbaz <shahbaz@shahbaz.myguest.virtualbox.org> * Fix failing Verify Codegen tests Signed-off-by: shahbaz <shahbaz@shahbaz.myguest.virtualbox.org> * Remove unnecessary file Signed-off-by: shahbaz <shahbaz@shahbaz.myguest.virtualbox.org> * Restore original version in test folder Signed-off-by: shahbaz <shahbaz@shahbaz.myguest.virtualbox.org> * Add creationTimestamp: null again in the test folder Signed-off-by: shahbaz <shahbaz@shahbaz.myguest.virtualbox.org> --------- Signed-off-by: shahbaz <shahbaz@shahbaz.myguest.virtualbox.org> Co-authored-by: shahbaz <shahbaz@shahbaz.myguest.virtualbox.org> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: release signing (#7711) (#7713) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chore: use github token instead of pat (#7716) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: reduce token permissions (#7719) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: reduce token permissions (#7721) * fix: reduce token permissions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: reduce token permissions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: make `test --fail-only` return 1 if there are failed tests (#7717) Signed-off-by: Carles Figuerola <cfiguerola@expediagroup.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * remove redundant tests (#7702) Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: use gh token instead of pat (#7723) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: remove obsolete scripts (#7720) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: reduce token permission (#7729) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: use github token instead of pat (#7727) * fix: remove jmespath replace directive Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: use github token instead of pat Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: use golang builtin version management (#7654) * fix: use golang builtin version management Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feat: template for user setup in kuttl (#7731) Signed-off-by: Alok N <alokme123@gmail.com> * feat: Add option to add imagePullSecrets to cleanup CronJobs (#7730) * Add option to add imagePullSecrets to cleanup CronJobs Signed-off-by: Alexander Olzem <olzemal@pm.me> * Update chart README Signed-off-by: Alexander Olzem <olzemal@pm.me> --------- Signed-off-by: Alexander Olzem <olzemal@pm.me> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: typo in check cmd (#7733) Signed-off-by: emmanuel-ferdman <emmanuelferdman@gmail.com> * fix: nits in cli flags (#7736) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chore: bump ko version (#7738) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chore: bump kind node versions (#7737) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: refactor cli values loading and remove dead code (#7739) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * [Feature] round() JMESPath function (#7489) * adding roundoff Signed-off-by: Rexbeast2 <ssukhveer514@gmail.com> * removing unnecessary Signed-off-by: Rexbeast2 <ssukhveer514@gmail.com> * adding test Signed-off-by: Rexbeast2 <ssukhveer514@gmail.com> * adding edge case Signed-off-by: Rexbeast2 <ssukhveer514@gmail.com> * fixing error Signed-off-by: Rexbeast2 <ssukhveer514@gmail.com> * updating function call Signed-off-by: Rexbeast2 <ssukhveer514@gmail.com> * updating function jpRound Signed-off-by: Rexbeast2 <ssukhveer514@gmail.com> * error handling negative Signed-off-by: Rexbeast2 <ssukhveer514@gmail.com> * fix Signed-off-by: Rexbeast2 <ssukhveer514@gmail.com> * fix linter Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * parsing Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * cleanup Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Rexbeast2 <ssukhveer514@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chore(deps): bump ubuntu from `6120be6` to `0bced47` in /.devcontainer (#7744) Bumps ubuntu from `6120be6` to `0bced47`. --- updated-dependencies: - dependency-name: ubuntu dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix: improve cli apply args check (#7746) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: remove cli dead code (#7748) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * Replaced gcr crane with gcr remote (#7747) * fix: oras-go/v2 version in go.sum Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * refactor: move kyverno constants out of v1 package (#7760) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chore: use register-gen to register k8s types (#7761) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chore(deps): bump fluxcd/flux2 from 0.41.2 to 2.0.0 (#7764) Bumps [fluxcd/flux2](https://github.com/fluxcd/flux2) from 0.41.2 to 2.0.0. - [Release notes](https://github.com/fluxcd/flux2/releases) - [Changelog](https://github.com/fluxcd/flux2/blob/main/.goreleaser.yml) - [Commits](dbda8fbdb8...9ea0a535ea) --- updated-dependencies: - dependency-name: fluxcd/flux2 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chore: introduce defaulters-gen (#7765) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feat: add table output to cli apply command (#7757) * feat: add table output to cli apply command Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * factorise Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> * chore: bump cosign in gh workflows (#7715) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chore: switch to deepcopy-gen (#7766) * chore: switch to deepcopy-gen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chore: increase linter timeout (#7767) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * undo: revert back to cosign 2.0.2 cosign 2.1.1 has dependency conflicts with oras Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * remove markers Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chore: remove 0_14 version of gcr k8s-sigstore-manifest got a new version so we can finally upgrade gcr to v0.15 Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * add: add logging to tlogs and sct Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * undo: remove registryOpts in favor of registry client opts added the missing parts from registryOptions in registry client opts Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * chore: add generated files Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * chore: clean go mod Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fix: remove bad logs Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * bug: fix go mod Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fix: update kubebuilder version in crds Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * update: rollback policy to ignore tlog Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * chore: update codegen Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> --------- Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: shuting <shutting06@gmail.com> Signed-off-by: bakito <github@bakito.ch> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: webstradev <e.s.westra.95@gmail.com> Signed-off-by: Frank Jogeleit <frank.jogeleit@lovoo.com> Signed-off-by: emmanuel-ferdman <emmanuelferdman@gmail.com> Signed-off-by: JaeHeung Han <hylowaker@users.noreply.github.com> Signed-off-by: Daniel Laszlo <laszlodaniel@icloud.com> Signed-off-by: Daniel Laszlo <daniel.laszlo@bitpanda.com> Signed-off-by: shahbaz <shahbaz@shahbaz.myguest.virtualbox.org> Signed-off-by: Carles Figuerola <cfiguerola@expediagroup.com> Signed-off-by: Alok N <alokme123@gmail.com> Signed-off-by: Alexander Olzem <olzemal@pm.me> Signed-off-by: Rexbeast2 <ssukhveer514@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: shuting <shutting06@gmail.com> Co-authored-by: kyverno-bot <104836976+kyverno-bot@users.noreply.github.com> Co-authored-by: Marc Brugger <github@bakito.ch> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: webstradev <e.s.westra.95@gmail.com> Co-authored-by: Frank Jogeleit <frank.jogeleit@lovoo.com> Co-authored-by: Emmanuel Ferdman <emmanuelferdman@gmail.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: JaeHeung Han <hylowaker@users.noreply.github.com> Co-authored-by: Daniel Laszlo <laszlodaniel@icloud.com> Co-authored-by: Md Shahbaz Alam <shahbazalam75508@gmail.com> Co-authored-by: shahbaz <shahbaz@shahbaz.myguest.virtualbox.org> Co-authored-by: Carles-Figuerola <carles@figuerola.info> Co-authored-by: Alok Naushad <alokme123@gmail.com> Co-authored-by: Alex Olzem <olzemal@gmail.com> Co-authored-by: SukhveerS <78963782+Rexbeast2@users.noreply.github.com>
276 lines
12 KiB
Go
276 lines
12 KiB
Go
package cosign
|
|
|
|
import (
|
|
"context"
|
|
"crypto/x509"
|
|
"fmt"
|
|
"io"
|
|
"testing"
|
|
|
|
v1 "github.com/google/go-containerregistry/pkg/v1"
|
|
"github.com/google/go-containerregistry/pkg/v1/types"
|
|
"github.com/kyverno/kyverno/pkg/images"
|
|
"github.com/kyverno/kyverno/pkg/registryclient"
|
|
"github.com/sigstore/cosign/v2/pkg/cosign"
|
|
"github.com/sigstore/cosign/v2/pkg/cosign/bundle"
|
|
"github.com/sigstore/cosign/v2/pkg/oci"
|
|
"gotest.tools/assert"
|
|
)
|
|
|
|
const cosignPayload = `{
|
|
"critical": {
|
|
"identity": {
|
|
"docker-reference": "registry-v2.nirmata.io/pause"
|
|
},
|
|
"image": {
|
|
"docker-manifest-digest": "sha256:4a1c4b21597c1b4415bdbecb28a3296c6b5e23ca4f9feeb599860a1dac6a0108"
|
|
},
|
|
"type": "cosign container image signature"
|
|
},
|
|
"optional": {
|
|
"foo": "bar",
|
|
"bar": "baz"
|
|
}
|
|
}`
|
|
|
|
const keylessPayload = `{
|
|
"critical": {
|
|
"identity": {
|
|
"docker-reference": "ghcr.io/kyverno/test-verify-image"
|
|
},
|
|
"image": {
|
|
"docker-manifest-digest": "sha256:ee53528c4e3c723945cf870d73702b76135955a218dd7497bf344aa73ebb4227"
|
|
},
|
|
"type": "cosign container image signature"
|
|
},
|
|
"optional": {
|
|
"Bundle": {
|
|
"SignedEntryTimestamp": "--TIME-STAMP--",
|
|
"Payload": {
|
|
"integratedTime": 1689234389,
|
|
"logIndex": 27432442,
|
|
"logID": "--LOG-ID--"
|
|
}
|
|
},
|
|
"Issuer": "https://accounts.google.com",
|
|
"Subject": "kyverno@nirmata.com"
|
|
}
|
|
}`
|
|
|
|
const globalRekorPubKey = `-----BEGIN PUBLIC KEY-----
|
|
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2G2Y+2tabdTV5BcGiBIx0a9fAFwr
|
|
kBbmLSGtks4L3qX6yYY0zufBnhC8Ur/iy55GhWP/9A/bY2LhC30M9+RYtw==
|
|
-----END PUBLIC KEY-----
|
|
`
|
|
|
|
const wrongRekorPubKey = `-----BEGIN PUBLIC KEY-----
|
|
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoiR2ouEAp4JS/JIgkCVYCxpp/dMe
|
|
4Mkc/92O8rbWs6xIAcIEju7+Z2yecpQH6RbztEVCZbBZhEVfMdRgWKOrrQ==
|
|
-----END PUBLIC KEY-----`
|
|
|
|
func TestCosignPayload(t *testing.T) {
|
|
image := "registry-v2.nirmata.io/pause"
|
|
signedPayloads := cosign.SignedPayload{Payload: []byte(cosignPayload)}
|
|
ociSig, err := getSignature(signedPayloads)
|
|
assert.NilError(t, err)
|
|
p, err := extractPayload([]oci.Signature{ociSig})
|
|
assert.NilError(t, err)
|
|
a := map[string]string{"foo": "bar"}
|
|
err = checkAnnotations(p, a)
|
|
assert.NilError(t, err)
|
|
d, err := extractDigest(image, p)
|
|
assert.NilError(t, err)
|
|
assert.Equal(t, d, "sha256:4a1c4b21597c1b4415bdbecb28a3296c6b5e23ca4f9feeb599860a1dac6a0108")
|
|
|
|
image2 := "ghcr.io/kyverno/test-verify-image"
|
|
signedPayloads2 := cosign.SignedPayload{Payload: []byte(keylessPayload)}
|
|
ociSig, err = getSignature(signedPayloads2)
|
|
assert.NilError(t, err)
|
|
signatures2 := []oci.Signature{ociSig}
|
|
|
|
p2, err := extractPayload(signatures2)
|
|
assert.NilError(t, err)
|
|
|
|
d2, err := extractDigest(image2, p2)
|
|
assert.NilError(t, err)
|
|
assert.Equal(t, d2, "sha256:ee53528c4e3c723945cf870d73702b76135955a218dd7497bf344aa73ebb4227")
|
|
}
|
|
|
|
func TestCosignKeyless(t *testing.T) {
|
|
opts := images.Options{
|
|
ImageRef: "ghcr.io/jimbugwadia/pause2",
|
|
Issuer: "https://github.com/",
|
|
Subject: "jim",
|
|
RekorURL: "https://rekor.sigstore.dev",
|
|
IgnoreSCT: true,
|
|
}
|
|
|
|
rc, err := registryclient.New()
|
|
assert.NilError(t, err)
|
|
opts.Client = rc
|
|
|
|
verifier := &cosignVerifier{}
|
|
_, err = verifier.VerifySignature(context.TODO(), opts)
|
|
assert.ErrorContains(t, err, "subject mismatch: expected jim, received jim@nirmata.com")
|
|
|
|
opts.Subject = "jim@nirmata.com"
|
|
_, err = verifier.VerifySignature(context.TODO(), opts)
|
|
assert.ErrorContains(t, err, "issuer mismatch: expected https://github.com/, received https://github.com/login/oauth")
|
|
|
|
opts.Issuer = "https://github.com/login/oauth"
|
|
_, err = verifier.VerifySignature(context.TODO(), opts)
|
|
assert.NilError(t, err)
|
|
}
|
|
|
|
func TestRekorPubkeys(t *testing.T) {
|
|
opts := images.Options{
|
|
ImageRef: "ghcr.io/jimbugwadia/pause2",
|
|
Issuer: "https://github.com/login/oauth",
|
|
Subject: "jim@nirmata.com",
|
|
RekorURL: "--INVALID--", // To avoid using the default rekor url as thats where signature is uploaded
|
|
RekorPubKey: wrongRekorPubKey,
|
|
IgnoreSCT: true,
|
|
}
|
|
|
|
rc, err := registryclient.New()
|
|
assert.NilError(t, err)
|
|
opts.Client = rc
|
|
|
|
verifier := &cosignVerifier{}
|
|
_, err = verifier.VerifySignature(context.TODO(), opts)
|
|
assert.ErrorContains(t, err, "rekor log public key not found for payload")
|
|
|
|
opts.RekorPubKey = globalRekorPubKey
|
|
_, err = verifier.VerifySignature(context.TODO(), opts)
|
|
assert.NilError(t, err)
|
|
}
|
|
|
|
func TestCosignMatchCertificateData(t *testing.T) {
|
|
pem1 := "-----BEGIN CERTIFICATE-----\nMIIDtzCCAzygAwIBAgIUX9MdOHZMlRONmc0Iu3DtiLXLVLYwCgYIKoZIzj0EAwMw\nNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRl\ncm1lZGlhdGUwHhcNMjIxMDA3MTkyNDI0WhcNMjIxMDA3MTkzNDI0WjAAMFkwEwYH\nKoZIzj0CAQYIKoZIzj0DAQcDQgAE0+a5/FhwY4fREWP++3V4rciGiqWGRgHaiP1z\nSlWihKkU71sBVeTzjdrcN8wXzBAefqh5URBfCeE8pJRfQsVKxKOCAlswggJXMA4G\nA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUJy79\nhpkwHtXtLWOvFu/icY56bwgwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4Y\nZD8wbgYDVR0RAQH/BGQwYoZgaHR0cHM6Ly9naXRodWIuY29tL0ppbUJ1Z3dhZGlh\nL2RlbW8tamF2YS10b21jYXQvLmdpdGh1Yi93b3JrZmxvd3MvcHVibGlzaC55YW1s\nQHJlZnMvdGFncy92MC4wLjIyMDkGCisGAQQBg78wAQEEK2h0dHBzOi8vdG9rZW4u\nYWN0aW9ucy5naXRodWJ1c2VyY29udGVudC5jb20wEgYKKwYBBAGDvzABAgQEcHVz\naDA2BgorBgEEAYO/MAEDBChjNzY0NTI4NGZhN2FlYmU1NTQ2MThlZWU4NzliNGQ2\nOTQ3Zjg1NjRlMB8GCisGAQQBg78wAQQEEWJ1aWxkLXNpZ24tYXR0ZXN0MCoGCisG\nAQQBg78wAQUEHEppbUJ1Z3dhZGlhL2RlbW8tamF2YS10b21jYXQwHwYKKwYBBAGD\nvzABBgQRcmVmcy90YWdzL3YwLjAuMjIwgYoGCisGAQQB1nkCBAIEfAR6AHgAdgAI\nYJLwKFL/aEXR0WsnhJxFZxisFj3DONJt5rwiBjZvcgAAAYOz5+pbAAAEAwBHMEUC\nIBb8fwsLBOu+qJkL6UhT4pwGvRVAN2n74BF1BL703rqPAiEAznbfgYJbqA+JIUiQ\nwwLiFOD8pqidSl+HhW8Lhdg3o+wwCgYIKoZIzj0EAwMDaQAwZgIxAJIBIkZBhM+K\nkBIFNeuWBsyVaAcFRallz3C8jvPQCPbec0ZpIsw624dUs8zD3c96AQIxALf875rt\n+oZgwE6hsDazJzoTcBZ1mYVF6bAlwVdtMiC98aApG6T+qaBirxSgu7IGQw==\n-----END CERTIFICATE-----\n"
|
|
cert1, err := loadCert([]byte(pem1))
|
|
assert.NilError(t, err)
|
|
|
|
subject1 := "https://github.com/JimBugwadia/demo-java-tomcat/.github/workflows/publish.yaml@refs/tags/*"
|
|
issuer1 := "https://token.actions.githubusercontent.com"
|
|
extensions := map[string]string{
|
|
"githubWorkflowTrigger": "push",
|
|
"githubWorkflowSha": "c7645284fa7aebe554618eee879b4d6947f8564e",
|
|
"githubWorkflowName": "build-sign-attest",
|
|
"githubWorkflowRepository": "JimBugwadia/demo-java-tomcat",
|
|
}
|
|
|
|
matchErr := matchCertificateData(cert1, subject1, issuer1, extensions)
|
|
assert.NilError(t, matchErr)
|
|
|
|
matchErr = matchCertificateData(cert1, "", issuer1, extensions)
|
|
assert.NilError(t, matchErr)
|
|
|
|
matchErr = matchCertificateData(cert1, subject1, issuer1, nil)
|
|
assert.NilError(t, matchErr)
|
|
|
|
matchErr = matchCertificateData(cert1, "wrong-subject", issuer1, extensions)
|
|
assert.Error(t, matchErr, "subject mismatch: expected wrong-subject, received https://github.com/JimBugwadia/demo-java-tomcat/.github/workflows/publish.yaml@refs/tags/v0.0.22")
|
|
|
|
extensions["githubWorkflowTrigger"] = "pull"
|
|
matchErr = matchCertificateData(cert1, subject1, issuer1, extensions)
|
|
assert.Error(t, matchErr, "extension mismatch: expected pull for key githubWorkflowTrigger, received push")
|
|
}
|
|
|
|
type testSignature struct {
|
|
cert *x509.Certificate
|
|
}
|
|
|
|
func (ts testSignature) Digest() (v1.Hash, error) {
|
|
return v1.Hash{}, fmt.Errorf("not implemented")
|
|
}
|
|
|
|
func (ts testSignature) DiffID() (v1.Hash, error) {
|
|
return v1.Hash{}, fmt.Errorf("not implemented")
|
|
}
|
|
|
|
func (ts testSignature) Compressed() (io.ReadCloser, error) {
|
|
return nil, fmt.Errorf("not implemented")
|
|
}
|
|
|
|
func (ts testSignature) Uncompressed() (io.ReadCloser, error) {
|
|
return nil, fmt.Errorf("not implemented")
|
|
}
|
|
|
|
func (ts testSignature) Size() (int64, error) {
|
|
return 0, fmt.Errorf("not implemented")
|
|
}
|
|
|
|
func (ts testSignature) MediaType() (types.MediaType, error) {
|
|
return "", fmt.Errorf("not implemented")
|
|
}
|
|
|
|
func (ts testSignature) Annotations() (map[string]string, error) {
|
|
return nil, fmt.Errorf("not implemented")
|
|
}
|
|
|
|
func (ts testSignature) Payload() ([]byte, error) {
|
|
return nil, fmt.Errorf("not implemented")
|
|
}
|
|
|
|
func (ts testSignature) Signature() ([]byte, error) {
|
|
return nil, fmt.Errorf("not implemented")
|
|
}
|
|
|
|
func (ts testSignature) Base64Signature() (string, error) {
|
|
return "", fmt.Errorf("not implemented")
|
|
}
|
|
|
|
func (ts testSignature) Cert() (*x509.Certificate, error) {
|
|
return ts.cert, nil
|
|
}
|
|
|
|
func (ts testSignature) Chain() ([]*x509.Certificate, error) {
|
|
return nil, fmt.Errorf("not implemented")
|
|
}
|
|
|
|
func (ts testSignature) Bundle() (*bundle.RekorBundle, error) {
|
|
return nil, fmt.Errorf("not implemented")
|
|
}
|
|
|
|
func (ts testSignature) RFC3161Timestamp() (*bundle.RFC3161Timestamp, error) {
|
|
return nil, nil
|
|
}
|
|
|
|
func TestCosignMatchSignatures(t *testing.T) {
|
|
pem1 := "-----BEGIN CERTIFICATE-----\nMIIDtzCCAzygAwIBAgIUX9MdOHZMlRONmc0Iu3DtiLXLVLYwCgYIKoZIzj0EAwMw\nNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRl\ncm1lZGlhdGUwHhcNMjIxMDA3MTkyNDI0WhcNMjIxMDA3MTkzNDI0WjAAMFkwEwYH\nKoZIzj0CAQYIKoZIzj0DAQcDQgAE0+a5/FhwY4fREWP++3V4rciGiqWGRgHaiP1z\nSlWihKkU71sBVeTzjdrcN8wXzBAefqh5URBfCeE8pJRfQsVKxKOCAlswggJXMA4G\nA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUJy79\nhpkwHtXtLWOvFu/icY56bwgwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4Y\nZD8wbgYDVR0RAQH/BGQwYoZgaHR0cHM6Ly9naXRodWIuY29tL0ppbUJ1Z3dhZGlh\nL2RlbW8tamF2YS10b21jYXQvLmdpdGh1Yi93b3JrZmxvd3MvcHVibGlzaC55YW1s\nQHJlZnMvdGFncy92MC4wLjIyMDkGCisGAQQBg78wAQEEK2h0dHBzOi8vdG9rZW4u\nYWN0aW9ucy5naXRodWJ1c2VyY29udGVudC5jb20wEgYKKwYBBAGDvzABAgQEcHVz\naDA2BgorBgEEAYO/MAEDBChjNzY0NTI4NGZhN2FlYmU1NTQ2MThlZWU4NzliNGQ2\nOTQ3Zjg1NjRlMB8GCisGAQQBg78wAQQEEWJ1aWxkLXNpZ24tYXR0ZXN0MCoGCisG\nAQQBg78wAQUEHEppbUJ1Z3dhZGlhL2RlbW8tamF2YS10b21jYXQwHwYKKwYBBAGD\nvzABBgQRcmVmcy90YWdzL3YwLjAuMjIwgYoGCisGAQQB1nkCBAIEfAR6AHgAdgAI\nYJLwKFL/aEXR0WsnhJxFZxisFj3DONJt5rwiBjZvcgAAAYOz5+pbAAAEAwBHMEUC\nIBb8fwsLBOu+qJkL6UhT4pwGvRVAN2n74BF1BL703rqPAiEAznbfgYJbqA+JIUiQ\nwwLiFOD8pqidSl+HhW8Lhdg3o+wwCgYIKoZIzj0EAwMDaQAwZgIxAJIBIkZBhM+K\nkBIFNeuWBsyVaAcFRallz3C8jvPQCPbec0ZpIsw624dUs8zD3c96AQIxALf875rt\n+oZgwE6hsDazJzoTcBZ1mYVF6bAlwVdtMiC98aApG6T+qaBirxSgu7IGQw==\n-----END CERTIFICATE-----\n"
|
|
cert1, err := loadCert([]byte(pem1))
|
|
assert.NilError(t, err)
|
|
|
|
pem2 := "-----BEGIN CERTIFICATE-----\nMIICnjCCAiSgAwIBAgIUfHC63TD7cn1QEYwI6sJ50PclbMMwCgYIKoZIzj0EAwMw\nNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRl\ncm1lZGlhdGUwHhcNMjIxMTIxMTczNDIwWhcNMjIxMTIxMTc0NDIwWjAAMFkwEwYH\nKoZIzj0CAQYIKoZIzj0DAQcDQgAEpJeio6iqU9TbHm+WV5KmeinSPWFrMFzoduFN\ntvrjMRAJV6qDX7aHvZRQPtSUxt3PvWwPwZz6Id8XwfHgJwtpp6OCAUMwggE/MA4G\nA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQU+sL4\nr0BAYZhtjWXdqZd6ktDbl60wHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4Y\nZD8wHQYDVR0RAQH/BBMwEYEPamltQG5pcm1hdGEuY29tMCwGCisGAQQBg78wAQEE\nHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDCBigYKKwYBBAHWeQIEAgR8\nBHoAeAB2AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAvKe6OAAABhJtBVS4A\nAAQDAEcwRQIgbWUReMySzQUjZBII8Mdfrw7+MtmcPObrU7lDGNzvc40CIQCSa0xj\nafVdGMlgOPxDvc9gkI2ht6eQN2kmZXkNHe95PTAKBggqhkjOPQQDAwNoADBlAjEA\npQJPNKjRHqsfjhTcrvS1tKodYbz/NKWRJQbacmQaEX3aGZEa/Jczp2IFkcU6eEH/\nAjADp3TpZ56DdgAGCFXDRk3xOcgeDtPeIG6i+fq8Xfik+pIFs+thR7n1ya6LmaXv\nkhw=\n-----END CERTIFICATE-----\n"
|
|
cert2, err := loadCert([]byte(pem2))
|
|
assert.NilError(t, err)
|
|
|
|
sigs := []oci.Signature{
|
|
testSignature{cert: cert1},
|
|
testSignature{cert: cert2},
|
|
}
|
|
|
|
subject1 := "https://github.com/JimBugwadia/demo-java-tomcat/.github/workflows/publish.yaml@refs/tags/*"
|
|
issuer1 := "https://token.actions.githubusercontent.com"
|
|
extensions := map[string]string{
|
|
"githubWorkflowTrigger": "push",
|
|
"githubWorkflowSha": "c7645284fa7aebe554618eee879b4d6947f8564e",
|
|
"githubWorkflowName": "build-sign-attest",
|
|
"githubWorkflowRepository": "JimBugwadia/demo-java-tomcat",
|
|
}
|
|
|
|
subject2 := "*@nirmata.com"
|
|
issuer2 := "https://github.com/login/oauth"
|
|
|
|
matchErr := matchSignatures(sigs, subject1, issuer1, extensions)
|
|
assert.NilError(t, matchErr)
|
|
|
|
matchErr = matchSignatures(sigs, subject2, issuer2, nil)
|
|
assert.NilError(t, matchErr)
|
|
|
|
matchErr = matchSignatures(sigs, subject2, issuer1, nil)
|
|
assert.Error(t, matchErr, "subject mismatch: expected *@nirmata.com, received https://github.com/JimBugwadia/demo-java-tomcat/.github/workflows/publish.yaml@refs/tags/v0.0.22; issuer mismatch: expected https://token.actions.githubusercontent.com, received https://github.com/login/oauth")
|
|
|
|
matchErr = matchSignatures(sigs, subject2, issuer2, extensions)
|
|
assert.ErrorContains(t, matchErr, "extension mismatch")
|
|
}
|