OSD-23318:Add feature flag to enable ECR image registry

openshift · Jun 20, 2024 · c3292c5 · c3292c5
1 parent 0cc99b8
commit c3292c5
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 2 deletions.
diff --git a/build/resources.go b/build/resources.go
@@ -133,6 +133,17 @@ func createRole() *rbacv1.Role {
 					"*",
 				},
 			},
+			{
+				APIGroups: []string{
+					"",
+				},
+				Resources: []string{
+					"configmaps",
+				},
+				Verbs: []string{
+					"get",
+				},
+			},
 		},
 	}
 }

diff --git a/build/selectorsyncset.yaml b/build/selectorsyncset.yaml
@@ -53,6 +53,12 @@ objects:
         - servicemonitors
         verbs:
         - '*'
+      - apiGroups:
+        - ""
+        resources:
+        - configmaps
+        verbs:
+        - get
     - apiVersion: rbac.authorization.k8s.io/v1
       kind: RoleBinding
       metadata:

diff --git a/pkg/webhooks/imagecontentpolicies/imagecontentpolicies.go b/pkg/webhooks/imagecontentpolicies/imagecontentpolicies.go
@@ -1,17 +1,21 @@
 package imagecontentpolicies
 
 import (
+	"context"
 	"net/http"
 	"regexp"
 	"slices"
 
 	"github.com/go-logr/logr"
 	configv1 "github.com/openshift/api/config/v1"
 	operatorv1alpha1 "github.com/openshift/api/operator/v1alpha1"
+	"github.com/openshift/managed-cluster-validating-webhooks/config"
 	"github.com/openshift/managed-cluster-validating-webhooks/pkg/webhooks/utils"
 	admissionregv1 "k8s.io/api/admissionregistration/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
@@ -26,6 +30,8 @@ const (
 
 	//Allow Hypershift hosted clusters to mirror ECR
 	authorizedECRMirrors = `(^(.*).dkr.ecr.(.*).amazonaws.com)`
+
+	allowECRConfigMapName = "allow-ecr"
 )
 
 var (
@@ -52,7 +58,6 @@ func (w *ImageContentPoliciesWebhook) Authorized(request admission.Request) admi
 		return admission.Errored(http.StatusBadRequest, err)
 	}
 
-	// Allow system account to change IDMS,ITMS and ICSP for HCP hosted cluster
 	if w.HypershiftEnabled() && isAllowedUserGroup(request) {
 		return utils.WebhookResponse(request, true, "")
 	}
@@ -66,7 +71,7 @@ func (w *ImageContentPoliciesWebhook) Authorized(request admission.Request) admi
 		}
 
 		// Allow HCP to mirror ECR repos
-		if w.HypershiftEnabled() && authorizeHCPImageDigestMirrorSet(idms) {
+		if w.HypershiftEnabled() && w.isECRAllowed() && authorizeHCPImageDigestMirrorSet(idms) {
 			return utils.WebhookResponse(request, true, "")
 		}
 
@@ -193,6 +198,23 @@ func (w *ImageContentPoliciesWebhook) HypershiftEnabled() bool {
 	return true
 }
 
+func (w *ImageContentPoliciesWebhook) isECRAllowed() bool {
+	cfg, err := rest.InClusterConfig()
+	if err != nil {
+		w.log.Info("failed to load config for feature flag, running imagecontentpolicies webhook without the feature flag")
+		return false
+	}
+
+	client, err := kubernetes.NewForConfig(cfg)
+
+	if _, err := client.CoreV1().ConfigMaps(config.OperatorNamespace).Get(context.TODO(), allowECRConfigMapName, metav1.GetOptions{}); err != nil {
+		// The Configmap does not exist or we ran into errors
+		// Assume this feature flag should be off
+		return false
+	}
+	return true
+}
+
 // authorizeImageDigestMirrorSet should reject an ImageDigestMirrorSet that matches an unauthorized mirror list
 func authorizeImageDigestMirrorSet(idms configv1.ImageDigestMirrorSet) bool {
 	unauthorizedRepositoryMirrorsRe := regexp.MustCompile(unauthorizedRepositoryMirrors)