mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-06 16:06:56 +00:00
cbbd8488c8
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
114 lines
3.4 KiB
Go
114 lines
3.4 KiB
Go
package oci
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
"os"
|
|
"path/filepath"
|
|
|
|
"github.com/google/go-containerregistry/pkg/name"
|
|
"github.com/google/go-containerregistry/pkg/v1/empty"
|
|
"github.com/google/go-containerregistry/pkg/v1/mutate"
|
|
"github.com/google/go-containerregistry/pkg/v1/remote"
|
|
"github.com/google/go-containerregistry/pkg/v1/static"
|
|
"github.com/google/go-containerregistry/pkg/v1/types"
|
|
"github.com/spf13/cobra"
|
|
"gopkg.in/yaml.v3"
|
|
)
|
|
|
|
var policyRef string
|
|
|
|
func ociPushCommand() *cobra.Command {
|
|
cmd := &cobra.Command{
|
|
Use: "push",
|
|
Long: "This command is one of the supported experimental commands in Kyverno CLI, and its behaviour might be changed any time.",
|
|
Short: "push policie(s) that are included in an OCI image to OCI registry",
|
|
Example: `# push policy to an OCI image from a given policy file
|
|
kyverno oci push -p policy.yaml -i <imgref>
|
|
|
|
# push multiple policies to an OCI image from a given directory that includes policies
|
|
kyverno oci push -p policies. -i <imgref>`,
|
|
RunE: func(cmd *cobra.Command, args []string) error {
|
|
if imageRef == "" {
|
|
return errors.New("image reference is required")
|
|
}
|
|
|
|
var p []string
|
|
f, err := os.Stat(policyRef)
|
|
if os.IsNotExist(err) {
|
|
return fmt.Errorf("policy file or directory %s does not exist", policyRef)
|
|
}
|
|
|
|
if f.IsDir() {
|
|
err = filepath.Walk(policyRef, func(path string, info os.FileInfo, err error) error {
|
|
if !info.IsDir() {
|
|
p = append(p, path)
|
|
}
|
|
|
|
if m := info.Mode(); !(m.IsRegular() || m.IsDir()) {
|
|
return nil
|
|
}
|
|
|
|
return nil
|
|
})
|
|
} else {
|
|
p = append(p, policyRef)
|
|
}
|
|
|
|
if err != nil {
|
|
return fmt.Errorf("unable to read policy file or directory %s: %w", policyRef, err)
|
|
}
|
|
|
|
fmt.Println("Policies will be pushing: ", p)
|
|
|
|
img := mutate.MediaType(empty.Image, types.OCIManifestSchema1)
|
|
img = mutate.ConfigMediaType(img, policyConfigMediaType)
|
|
for _, policy := range p {
|
|
policyBytes, err := os.ReadFile(filepath.Clean(policy))
|
|
if err != nil {
|
|
return fmt.Errorf("failed to read policy file %s: %v", policy, err)
|
|
}
|
|
|
|
var policyMap map[string]interface{}
|
|
if err = yaml.Unmarshal(policyBytes, &policyMap); err != nil {
|
|
return fmt.Errorf("failed to unmarshal policy file %s: %v", policy, err)
|
|
}
|
|
|
|
annotations := map[string]string{}
|
|
for k, v := range policyMap["metadata"].(map[string]interface{})["annotations"].(map[string]interface{}) {
|
|
annotations[k] = v.(string)
|
|
}
|
|
|
|
ref, err := name.ParseReference(imageRef)
|
|
if err != nil {
|
|
return fmt.Errorf("parsing image reference: %v", err)
|
|
}
|
|
|
|
do := []remote.Option{
|
|
remote.WithContext(cmd.Context()),
|
|
remote.WithAuthFromKeychain(keychain),
|
|
}
|
|
|
|
policyLayer := static.NewLayer(policyBytes, policyLayerMediaType)
|
|
img, err = mutate.Append(img, mutate.Addendum{
|
|
Layer: policyLayer,
|
|
Annotations: annotations,
|
|
})
|
|
|
|
if err != nil {
|
|
return fmt.Errorf("mutating image: %v", err)
|
|
}
|
|
|
|
fmt.Fprintf(os.Stderr, "Uploading Kyverno policy file [%s] to [%s] with mediaType [%s].\n", policy, ref.Name(), policyLayerMediaType)
|
|
if err = Write(ref, img, do...); err != nil {
|
|
return fmt.Errorf("writing image: %v", err)
|
|
}
|
|
|
|
fmt.Fprintf(os.Stderr, "Kyverno policy file [%s] successfully uploaded to [%s]\n", policy, ref.Name())
|
|
}
|
|
return nil
|
|
},
|
|
}
|
|
cmd.Flags().StringVarP(&policyRef, "policy", "p", "", "path to policie(s)")
|
|
return cmd
|
|
}
|