Predefined user allowed registries (#336)

* add support for user allowed registries predefined in component configuration
kyma-project · Nov 4, 2024 · 8d68df6 · 8d68df6
1 parent 4f26acc
commit 8d68df6
Show file tree

Hide file tree

Showing 10 changed files with 32 additions and 12 deletions.
diff --git a/charts/warden/templates/configmap.yaml b/charts/warden/templates/configmap.yaml
@@ -1,10 +1,13 @@
+# TODO: move this logic to the GO code
 {{- $allowedRegistries := .Values.global.config.data.notary.allowedRegistries }}
 {{- if and .Values.global.config.data.notary.additionalAllowedRegistries .Values.global.config.data.notary.defaultAllowedRegistries -}}
 {{- $allowedRegistries = join ", " (concat .Values.global.config.data.notary.defaultAllowedRegistries  .Values.global.config.data.notary.additionalAllowedRegistries | uniq ) }}
 {{- else if .Values.global.config.data.notary.defaultAllowedRegistries -}}
 {{- $allowedRegistries = join ", " .Values.global.config.data.notary.defaultAllowedRegistries }}
 {{- end -}}
 
+{{- $predefinedUserAllowedRegistries := join ", " .Values.global.config.data.notary.predefinedUserAllowedRegistries }}
+
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -34,6 +37,7 @@ data:
       URL: {{ .Values.global.config.data.notary.URL }}
       timeout: {{ .Values.global.config.data.notary.timeout }}
       allowedRegistries: {{ $allowedRegistries }}
+      predefinedUserAllowedRegistries: {{ $predefinedUserAllowedRegistries }}
     operator:
       healthProbeBindAddress: {{ .Values.global.config.data.operator.healthProbeBindAddress }}
       metricsBindAddress: {{ .Values.global.config.data.operator.metricsBindAddress }}

diff --git a/charts/warden/values.yaml b/charts/warden/values.yaml
@@ -46,6 +46,7 @@ global:
         defaultAllowedRegistries: []
         # list of registries exceptionally allowed ( overidable ) per environment
         additionalAllowedRegistries: []
+        predefinedUserAllowedRegistries: []
       admission:
         timeout: 10s
         port: 8443

diff --git a/cmd/admission/main.go b/cmd/admission/main.go
@@ -161,9 +161,10 @@ func main() {
 		Handler: admission.NewValidationWebhook(logger.With("webhook", "validation"), decoder),
 	})
 
+	predefinedUserAllowedRegistries := validate.ParseAllowedRegistries(appConfig.Notary.PredefinedUserAllowedRegistries)
 	whs.Register(admission.DefaultingPath, &ctrlwebhook.Admission{
 		Handler: admission.NewDefaultingWebhook(mgr.GetClient(),
-			validatorSvc, validate.NewValidatorSvcFactory(),
+			validatorSvc, validate.NewValidatorSvcFactory(predefinedUserAllowedRegistries...),
 			appConfig.Admission.Timeout, appConfig.Admission.StrictMode,
 			decoder, logger.With("webhook", "defaulting")),
 	})

diff --git a/cmd/operator/main.go b/cmd/operator/main.go
@@ -122,6 +122,7 @@ func main() {
 
 	repoFactory := validate.NotaryRepoFactory{Timeout: appConfig.Notary.Timeout}
 	allowedRegistries := validate.ParseAllowedRegistries(appConfig.Notary.AllowedRegistries)
+	predefinedUserAllowedRegistries := validate.ParseAllowedRegistries(appConfig.Notary.PredefinedUserAllowedRegistries)
 
 	notaryConfig := &validate.ServiceConfig{NotaryConfig: validate.NotaryConfig{Url: appConfig.Notary.URL}, AllowedRegistries: allowedRegistries}
 
@@ -132,7 +133,7 @@ func main() {
 		mgr.GetClient(),
 		mgr.GetScheme(),
 		podValidator,
-		validate.NewValidatorSvcFactory(),
+		validate.NewValidatorSvcFactory(predefinedUserAllowedRegistries...),
 		controllers.PodReconcilerConfig{RequeueAfter: appConfig.Operator.PodReconcilerRequeueAfter},
 		logger.Named("pod-controller"),
 	)).SetupWithManager(mgr); err != nil {

diff --git a/docs/contributor/01-10-configure_system.md b/docs/contributor/01-10-configure_system.md
@@ -13,6 +13,7 @@ You can set the following properties:
 | `notary.URL`                         | URL of the Notary server used for image verification.                                                                                                                                                                       | "https://signing-dev.repositories.cloud.sap" |
 | `notary.allowedRegistries`           | Comma-separated list of allowed registry prefixes.                                                                                                                                                                        | ""                                           |
 | `notary.timeout`                     | Timeout for the Notary server connection.                                                                                                                                                                                       | "30s"                                        |
+| `notary.predefinedUserAllowedRegistries` | Comma-separated list of allowed registry prefixes added to list configured by the user in namespace annotation `namespaces.warden.kyma-project.io/allowed-registries`.                                                                                                             | ""                                           |
 | `admission.systemNamespace`          | Namespace where the Warden admission controller is deployed.                                                                                                                                                                | "default"                                    |
 | `admission.serviceName`              | Name of the Warden admission controller service.                                                                                                                                                                            | "warden-admission"                           |
 | `admission.secretName`               | Name of the Secret containing the certificate for the Warden admission controller.                                                                                                                                          | "warden-admission-cert"                      |

diff --git a/internal/admission/defaulting_test.go b/internal/admission/defaulting_test.go
@@ -481,7 +481,7 @@ func TestFlow_SomeInputStatuses_ShouldCallPodValidation(t *testing.T) {
 			},
 		},
 		{
-			name:        "create pod with label Pending should pass wit validation",
+			name:        "create pod with label Pending should pass with validation",
 			operation:   admissionv1.Create,
 			inputLabels: map[string]string{pkg.PodValidationLabel: pkg.ValidationStatusPending},
 			want: want{

diff --git a/internal/config/file.go b/internal/config/file.go
@@ -9,9 +9,10 @@ import (
 )
 
 type notary struct {
-	URL               string        `yaml:"URL"`
-	Timeout           time.Duration `yaml:"timeout"`
-	AllowedRegistries string        `yaml:"allowedRegistries"`
+	URL                             string        `yaml:"URL"`
+	Timeout                         time.Duration `yaml:"timeout"`
+	AllowedRegistries               string        `yaml:"allowedRegistries"`
+	PredefinedUserAllowedRegistries string        `yaml:"predefinedUserAllowedRegistries"`
 }
 
 type admission struct {

diff --git a/internal/config/file_test.go b/internal/config/file_test.go
@@ -9,8 +9,9 @@ import (
 )
 
 const (
-	testURL               = "https://signing-dev.repositories.cloud.sap"
-	testAllowedRegistries = "test1,\ntest2,\ntest3"
+	testURL                             = "https://signing-dev.repositories.cloud.sap"
+	testAllowedRegistries               = "test1,\ntest2,\ntest3"
+	testPredefinedUserAllowedRegistries = "user1,\nuser2"
 )
 
 func TestLoad(t *testing.T) {
@@ -22,6 +23,7 @@ func TestLoad(t *testing.T) {
 		cfg, err := Load(path)
 		require.NoError(t, err)
 		require.Equal(t, testAllowedRegistries, cfg.Notary.AllowedRegistries)
+		require.Equal(t, testPredefinedUserAllowedRegistries, cfg.Notary.PredefinedUserAllowedRegistries)
 		require.Equal(t, testURL, cfg.Notary.URL)
 	})
 
@@ -31,6 +33,7 @@ func TestLoad(t *testing.T) {
 		cfg, err := Load(path)
 		require.NoError(t, err)
 		require.Equal(t, testAllowedRegistries, cfg.Notary.AllowedRegistries)
+		require.Equal(t, testPredefinedUserAllowedRegistries, cfg.Notary.PredefinedUserAllowedRegistries)
 		require.Equal(t, testURL, cfg.Notary.URL)
 	})
 

diff --git a/internal/config/testData/config.yaml b/internal/config/testData/config.yaml
@@ -4,3 +4,6 @@ notary:
     test1,
     test2,
     test3
+  predefinedUserAllowedRegistries: |-
+    user1,
+    user2
diff --git a/internal/validate/pod.go b/internal/validate/pod.go
@@ -32,15 +32,20 @@ type ValidatorSvcFactory interface {
 var _ ValidatorSvcFactory = &validatorSvcFactory{}
 
 type validatorSvcFactory struct {
+	predefinedAllowedRegistries []string
 }
 
-func NewValidatorSvcFactory() ValidatorSvcFactory {
-	return &validatorSvcFactory{}
+func NewValidatorSvcFactory(predefinedAllowedRegistries ...string) ValidatorSvcFactory {
+	return &validatorSvcFactory{
+		predefinedAllowedRegistries: predefinedAllowedRegistries,
+	}
 }
 
-func (_ validatorSvcFactory) NewValidatorSvc(notaryURL string, notaryAllowedRegistries string, notaryTimeout time.Duration) PodValidator {
+func (f validatorSvcFactory) NewValidatorSvc(notaryURL string, notaryAllowedRegistries string, notaryTimeout time.Duration) PodValidator {
 	repoFactory := NotaryRepoFactory{Timeout: notaryTimeout}
-	allowedRegistries := ParseAllowedRegistries(notaryAllowedRegistries)
+	allowedRegistries := append(
+		ParseAllowedRegistries(notaryAllowedRegistries),
+		f.predefinedAllowedRegistries...)
 
 	validatorSvcConfig := ServiceConfig{
 		NotaryConfig:      NotaryConfig{Url: notaryURL},
-Original file line number
+Diff line change
@@ Expand Up / @@ -4,3 +4,6 @@ notary: @@
         test1,
         test2,
         test3
+      predefinedUserAllowedRegistries: |-
+        user1,
+        user2