Merge pull request #25 from nirmata/http-error-mutate

nirmata · Aug 8, 2023 · 211b4b4 · 211b4b4
2 parents ac751fb + 41e4cd9
commit 211b4b4
Show file tree

Hide file tree

Showing 7 changed files with 61 additions and 59 deletions.
diff --git a/configs/install.yaml b/configs/install.yaml
@@ -190,6 +190,7 @@ spec:
       labels:
         app: kyverno-notation-aws
     spec:
+      terminationGracePeriodSeconds: 5
       securityContext:
         runAsNonRoot: true
       containers:
@@ -202,8 +203,8 @@ spec:
 
         # CACHING
         - --cacheEnabled
-        - --cacheMaxSize=1000
-        - --cacheTTLDuration=3600
+        - --cacheMaxSize=2000
+        - --cacheTTLDurationSeconds=7200
 
         # USE IF IRSA IS NOT CONFIGURED
         # - --imagePullSecrets=regcred

diff --git a/configs/samples/certs.yaml b/configs/samples/certs.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ca-bundle
+  namespace: kyverno-notation-aws
+data:
+  caBundle: |-
+    -----BEGIN CERTIFICATE-----
+    MIICijCCAjCgAwIBAgIQdEOXGQG0lzp0ZTpzZHE6tjAKBggqhkjOPQQDAjAbMRkw
+    FwYDVQQDExBteS1zZWxmc2lnbmVkLWNhMB4XDTIzMDgwNDE4MTQwN1oXDTIzMTEw
+    MjE4MTQwN1owMTEQMA4GA1UEChMHbmlybWF0YTEdMBsGA1UEAxMUa3l2ZXJuby1u
+    b3RhdGlvbi1hd3MwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDOiJhK
+    gmtGOHqkyQZP+fTBBhXwMW+TWGAoKcmd6s7hEOU6QhRAYejq9zS1Kn2TOkjl/ozQ
+    6GTPFEnhR9vbPpjRLRC7mAIzGE4hHFd5CPhE8aQ1iJnjreI2ZBpKgtopsUc3prKz
+    0K72y1ILNkh/T0O7dlwx8euPbNeb8lM3tZ/5x1wCQeMff+fqGojH7G59SuPBDO50
+    ThbZrSyEaakyduDL7R8mg0aHCnYirlmJqHtKUYuIbl7snRu/vpWtlh7/g/uAPexL
+    4zvzO/RJJIRlUes1lNuVL2DeBggg43w6RC18uHox+RsY1XgQxxAPLWxFk6Eb+9Sr
+    CmTcnLHNbZH7ukJlAgMBAAGjdTBzMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
+    BQcDAjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFMSCIyrIr+FKVgjBkgBU5S8l
+    f8zWMCMGA1UdEQQcMBqCGHN2Yy5reXZlcm5vLW5vdGF0aW9uLWF3czAKBggqhkjO
+    PQQDAgNIADBFAiEAndKOWVth4KoTDlqY6W2S5yweZMH0V1K2Fw1lOxLjUp8CIAf3
+    Pw2FMvZu8r6DFMR+5XeEP1GAxDt5KPBFLBToAoUQ
+    -----END CERTIFICATE-----
+    -----BEGIN CERTIFICATE-----
+    MIIBdjCCAR2gAwIBAgIRAJA63rRTLfec7JNxOIHjWbwwCgYIKoZIzj0EAwIwGzEZ
+    MBcGA1UEAxMQbXktc2VsZnNpZ25lZC1jYTAeFw0yMzA4MDQxODE0MDJaFw0yMzEx
+    MDIxODE0MDJaMBsxGTAXBgNVBAMTEG15LXNlbGZzaWduZWQtY2EwWTATBgcqhkjO
+    PQIBBggqhkjOPQMBBwNCAAScMrNHKzn6NhpUzdVMgBlAUNvNgoTxgcO7S+mV73ig
+    AfLM38FED9VQprVPQ0JF3D44YmnhhsmyNT4Dk8g6ysTgo0IwQDAOBgNVHQ8BAf8E
+    BAMCAqQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUxIIjKsiv4UpWCMGSAFTl
+    LyV/zNYwCgYIKoZIzj0EAwIDRwAwRAIgGQGPg6+7Qppz51fgobNW4X3C56K5ylZl
+    Q4Lpo93g2UACIAtq0MnkQ8ebPop13RMFrh9Hj/bGV1hz2i5QEu6QTetb
+    -----END CERTIFICATE-----
diff --git a/configs/samples/kyverno-policy.yaml b/configs/samples/kyverno-policy.yaml
@@ -4,6 +4,7 @@ metadata:
   name: check-images     
 spec:
   validationFailureAction: Enforce
+  failurePolicy: Fail
   webhookTimeoutSeconds: 30
   schemaValidation: false
   rules:
@@ -15,73 +16,40 @@ spec:
           - test-notation
           kinds:
           - Pod
-    preconditions:
-      all:
-      - key: "{{request.operation}}"
-        operator: AnyIn
-        value:
-        - CREATE
-        - UPDATE
+          operations:
+            - CREATE
+            - UPDATE
     context:
+    - name: ca-bundle
+      configMap:
+        name: ca-bundle
+        namespace: kyverno-notation-aws
     - name: response
       apiCall:
         method: POST
         data:
         - key: images
           value: "{{images}}"
         - key: trustPolicy
-          value: aws-signer-trust-policy
+          value: "tp-{{request.namespace}}"
         - key: attestations
           value: 
-          - imageReference: "844333597536.dkr.ecr.us-west-2.amazonaws.com*"
+          - imageReference: "*"
             type: 
             - name: sbom/example
               conditions:
                 all:
                 - key: \{{creationInfo.licenseListVersion}}
                   operator: Equals
                   value: "3.17"
+                  message: invalid license version
         service:
           url: https://svc.kyverno-notation-aws/checkimages
-          caBundle: |-
-            -----BEGIN CERTIFICATE-----
-            MIICijCCAjCgAwIBAgIQdEOXGQG0lzp0ZTpzZHE6tjAKBggqhkjOPQQDAjAbMRkw
-            FwYDVQQDExBteS1zZWxmc2lnbmVkLWNhMB4XDTIzMDgwNDE4MTQwN1oXDTIzMTEw
-            MjE4MTQwN1owMTEQMA4GA1UEChMHbmlybWF0YTEdMBsGA1UEAxMUa3l2ZXJuby1u
-            b3RhdGlvbi1hd3MwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDOiJhK
-            gmtGOHqkyQZP+fTBBhXwMW+TWGAoKcmd6s7hEOU6QhRAYejq9zS1Kn2TOkjl/ozQ
-            6GTPFEnhR9vbPpjRLRC7mAIzGE4hHFd5CPhE8aQ1iJnjreI2ZBpKgtopsUc3prKz
-            0K72y1ILNkh/T0O7dlwx8euPbNeb8lM3tZ/5x1wCQeMff+fqGojH7G59SuPBDO50
-            ThbZrSyEaakyduDL7R8mg0aHCnYirlmJqHtKUYuIbl7snRu/vpWtlh7/g/uAPexL
-            4zvzO/RJJIRlUes1lNuVL2DeBggg43w6RC18uHox+RsY1XgQxxAPLWxFk6Eb+9Sr
-            CmTcnLHNbZH7ukJlAgMBAAGjdTBzMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
-            BQcDAjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFMSCIyrIr+FKVgjBkgBU5S8l
-            f8zWMCMGA1UdEQQcMBqCGHN2Yy5reXZlcm5vLW5vdGF0aW9uLWF3czAKBggqhkjO
-            PQQDAgNIADBFAiEAndKOWVth4KoTDlqY6W2S5yweZMH0V1K2Fw1lOxLjUp8CIAf3
-            Pw2FMvZu8r6DFMR+5XeEP1GAxDt5KPBFLBToAoUQ
-            -----END CERTIFICATE-----
-            -----BEGIN CERTIFICATE-----
-            MIIBdjCCAR2gAwIBAgIRAJA63rRTLfec7JNxOIHjWbwwCgYIKoZIzj0EAwIwGzEZ
-            MBcGA1UEAxMQbXktc2VsZnNpZ25lZC1jYTAeFw0yMzA4MDQxODE0MDJaFw0yMzEx
-            MDIxODE0MDJaMBsxGTAXBgNVBAMTEG15LXNlbGZzaWduZWQtY2EwWTATBgcqhkjO
-            PQIBBggqhkjOPQMBBwNCAAScMrNHKzn6NhpUzdVMgBlAUNvNgoTxgcO7S+mV73ig
-            AfLM38FED9VQprVPQ0JF3D44YmnhhsmyNT4Dk8g6ysTgo0IwQDAOBgNVHQ8BAf8E
-            BAMCAqQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUxIIjKsiv4UpWCMGSAFTl
-            LyV/zNYwCgYIKoZIzj0EAwIDRwAwRAIgGQGPg6+7Qppz51fgobNW4X3C56K5ylZl
-            Q4Lpo93g2UACIAtq0MnkQ8ebPop13RMFrh9Hj/bGV1hz2i5QEu6QTetb
-            -----END CERTIFICATE-----
-    validate:
-      message: "{{ response.message }}"
-      deny:
-        conditions:
-          all:
-          - key: "{{ response.verified }}"
-            operator: EQUALS
-            value: false
-    # mutate:
-    #   foreach:
-    #   - list: "response.results"
-    #     patchesJson6902: |-
-    #         - path: {{ element.path }}
-    #           op: replace
-    #           value: {{ element.image }}
+          caBundle: '{{ "ca-bundle".data.caBundle }}"'
+    mutate:
+      foreach:
+      - list: "response.results"
+        patchesJson6902: |-
+            - path: {{ element.path }}
+              op: replace
+              value: {{ element.image }}
diff --git a/configs/samples/trustpolicy.yaml b/configs/samples/trustpolicy.yaml
@@ -4,7 +4,7 @@ metadata:
   name: trustpolicy-sample
 spec:
   version: '1.0'
-  trustPolicyName: aws-signer-trust-policy
+  trustPolicyName: tp-test-notation
   trustPolicies:
   - name: aws-signer-tp
     registryScopes:
@@ -23,7 +23,7 @@ metadata:
   name: trustpolicy-sample-fail
 spec:
   version: '1.0'
-  trustPolicyName: aws-signer-trust-policy-fail
+  trustPolicyName: tp-test-notation-fail
   trustPolicies:
   - name: aws-signer-tp
     registryScopes:

diff --git a/go.mod b/go.mod
@@ -7,7 +7,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/ecr v1.18.7
 	github.com/go-logr/zapr v1.2.4
 	github.com/google/go-containerregistry v0.15.2
-	github.com/nirmata/kyverno-notation-verifier v0.7.4
+	github.com/nirmata/kyverno-notation-verifier v0.7.8
 	github.com/notaryproject/notation-core-go v1.0.0-rc.4
 	github.com/pkg/errors v0.9.1
 	go.uber.org/zap v1.24.0

diff --git a/go.sum b/go.sum
@@ -976,8 +976,8 @@ github.com/nats-io/nkeys v0.1.3/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxzi
 github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c=
 github.com/nbutton23/zxcvbn-go v0.0.0-20210217022336-fa2cb2858354/go.mod h1:KSVJerMDfblTH7p5MZaTt+8zaT2iEk3AkVb9PQdZuE8=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
-github.com/nirmata/kyverno-notation-verifier v0.7.4 h1:tFxkV5/R31plApGenSLMosLDLRPlKotC7aXR2GVSp9M=
-github.com/nirmata/kyverno-notation-verifier v0.7.4/go.mod h1:o4pf546Qdj5pTit7hJAhfUjnJlXhLKRzND6BGRlc9aE=
+github.com/nirmata/kyverno-notation-verifier v0.7.8 h1:glK9geiZ9m/M2mZPljsklyipXq0lj2xC+D+KQJa/Bvw=
+github.com/nirmata/kyverno-notation-verifier v0.7.8/go.mod h1:o4pf546Qdj5pTit7hJAhfUjnJlXhLKRzND6BGRlc9aE=
 github.com/nishanths/exhaustive v0.1.0/go.mod h1:S1j9110vxV1ECdCudXRkeMnFQ/DQk9ajLT0Uf2MYZQQ=
 github.com/nishanths/predeclared v0.0.0-20190419143655-18a43bb90ffc/go.mod h1:62PewwiQTlm/7Rj+cxVYqZvDIUc+JjZq6GHAC1fsObQ=
 github.com/nishanths/predeclared v0.2.1/go.mod h1:HvkGJcA3naj4lOwnFXFDkFxVtSqQMB9sbB1usJ+xjQE=

diff --git a/main.go b/main.go
@@ -58,7 +58,7 @@ func main() {
 	flag.Int64Var(&cacheMaxSize, "cacheMaxSize", 1000, "Max size limit for the TTL cache, default is 1000.")
 
 	var cacheTTLDuration int64
-	flag.Int64Var(&cacheTTLDuration, "cacheTTLDuration", int64(1*time.Hour), "Max TTL value for a cache in seconds, default is 1 hour.")
+	flag.Int64Var(&cacheTTLDuration, "cacheTTLDurationSeconds", int64(1*time.Hour), "Max TTL value for a cache in seconds, default is 1 hour.")
 
 	flag.Parse()
 	logger, err := zap.NewDevelopment()