feature: Compile source materials (configmaps, secrets) to support image policy admission controller #1418
Comments
|
With the Generally we split the setup and wiring of informer events into The Unfortunately the sample-controller doesn't touch on our table testing stuff, but we do have a lot of examples of this at least. Here is one from serving: https://github.com/knative/serving/blob/0b4ef84741509d6d8b67454a09fd15849ba48b93/pkg/reconciler/domainmapping/table_test.go#L68. Here is another example from a smaller repo where it might be simpler to disentangle the parts: https://github.com/knative-sandbox/net-contour/blob/main/pkg/reconciler/contour/contour_test.go#L57 |
|
This is where the tracker "tracks" the foreign key: https://github.com/knative-sandbox/sample-controller/blob/e0d660a91633d4c48d9ce12359fc1b17a2dbfc0b/pkg/reconciler/addressableservice/addressableservice.go#L53-L58
|
|
Since I mentioned testing error paths, the TableTest stuff let's you induce failures on particular API operations like so: https://github.com/knative-sandbox/net-contour/blob/2f7655b2da0afcff70d4fd2b347359b034e26f05/pkg/reconciler/contour/contour_test.go#L99 |
|
These are great references. Thanks @mattmoor. |
|
I've laid out a skeleton for the reconciler itself here: #1513 |
…gstore#1419 implemented ClusterImagePolicy reconciler will now create a configmap (no secret support yet) and update it on changes (not on deletions yet). Also put up most necessary testing pieces so that we can start unit testing the reconciler and make sure it updates the resulting configmap. There's also a ConfigStore that we can then inject into the admission webhook that I have wired in there (nop for now, but demonstrating how it could work). Idea being that you could then for a given image ask for all the authorities that need to be validated. You can see what that config looks like in the /pkg/apis/config/testdata/image-policies.yaml and the accompanying tests in /pkg/apis/config/image_policies_test I made sure that it works with both yaml/json. While playing with this there's some questions that came to mind, so I'll take those to the document. Hope is that we get enough pieces in place so that we can agree on the major moving pieces and how they fit together and enough testing in place that we can start sharding up the work more efficiently and in more focused areas. Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
…gstore#1419 implemented ClusterImagePolicy reconciler will now create a configmap (no secret support yet) and update it on changes (not on deletions yet). Also put up most necessary testing pieces so that we can start unit testing the reconciler and make sure it updates the resulting configmap. There's also a ConfigStore that we can then inject into the admission webhook that I have wired in there (nop for now, but demonstrating how it could work). Idea being that you could then for a given image ask for all the authorities that need to be validated. You can see what that config looks like in the /pkg/apis/config/testdata/image-policies.yaml and the accompanying tests in /pkg/apis/config/image_policies_test I made sure that it works with both yaml/json. While playing with this there's some questions that came to mind, so I'll take those to the document. Hope is that we get enough pieces in place so that we can agree on the major moving pieces and how they fit together and enough testing in place that we can start sharding up the work more efficiently and in more focused areas. Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
…gstore#1419 implemented ClusterImagePolicy reconciler will now create a configmap (no secret support yet) and update it on changes (not on deletions yet). Also put up most necessary testing pieces so that we can start unit testing the reconciler and make sure it updates the resulting configmap. There's also a ConfigStore that we can then inject into the admission webhook that I have wired in there (nop for now, but demonstrating how it could work). Idea being that you could then for a given image ask for all the authorities that need to be validated. You can see what that config looks like in the /pkg/apis/config/testdata/image-policies.yaml and the accompanying tests in /pkg/apis/config/image_policies_test I made sure that it works with both yaml/json. While playing with this there's some questions that came to mind, so I'll take those to the document. Hope is that we get enough pieces in place so that we can agree on the major moving pieces and how they fit together and enough testing in place that we can start sharding up the work more efficiently and in more focused areas. Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
…gstore#1419 implemented ClusterImagePolicy reconciler will now create a configmap (no secret support yet) and update it on changes (not on deletions yet). Also put up most necessary testing pieces so that we can start unit testing the reconciler and make sure it updates the resulting configmap. There's also a ConfigStore that we can then inject into the admission webhook that I have wired in there (nop for now, but demonstrating how it could work). Idea being that you could then for a given image ask for all the authorities that need to be validated. You can see what that config looks like in the /pkg/apis/config/testdata/image-policies.yaml and the accompanying tests in /pkg/apis/config/image_policies_test I made sure that it works with both yaml/json. While playing with this there's some questions that came to mind, so I'll take those to the document. Hope is that we get enough pieces in place so that we can agree on the major moving pieces and how they fit together and enough testing in place that we can start sharding up the work more efficiently and in more focused areas. Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
* This is the start of the necessary pieces to get #1418 and #1419 implemented ClusterImagePolicy reconciler will now create a configmap (no secret support yet) and update it on changes (not on deletions yet). Also put up most necessary testing pieces so that we can start unit testing the reconciler and make sure it updates the resulting configmap. There's also a ConfigStore that we can then inject into the admission webhook that I have wired in there (nop for now, but demonstrating how it could work). Idea being that you could then for a given image ask for all the authorities that need to be validated. You can see what that config looks like in the /pkg/apis/config/testdata/image-policies.yaml and the accompanying tests in /pkg/apis/config/image_policies_test I made sure that it works with both yaml/json. While playing with this there's some questions that came to mind, so I'll take those to the document. Hope is that we get enough pieces in place so that we can agree on the major moving pieces and how they fit together and enough testing in place that we can start sharding up the work more efficiently and in more focused areas. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Add placeholder configmap with an example. Rename to be consistent with the other cm. image-policies => config-image-policies Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Address lint. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Use namespaced sharedinformerfactory so that we have the right permissions. Ran manual tests validating that things are working, when I remove things from the configmap, things are patched back in (after the global resync is triggered). Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Check error, duh. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Just trying to remove the files that verify-codegen is complaining. Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
|
@mattmoor @kkavitha I think we can close this issue now? I reckon the config stuff is implemented enough to close this as well as wired into the validation (maybe not in the best place) so it all flows through there. |
|
@vaikas Yes, I feel it has been addressed. |
…implemented (sigstore#1562) * This is the start of the necessary pieces to get sigstore#1418 and sigstore#1419 implemented ClusterImagePolicy reconciler will now create a configmap (no secret support yet) and update it on changes (not on deletions yet). Also put up most necessary testing pieces so that we can start unit testing the reconciler and make sure it updates the resulting configmap. There's also a ConfigStore that we can then inject into the admission webhook that I have wired in there (nop for now, but demonstrating how it could work). Idea being that you could then for a given image ask for all the authorities that need to be validated. You can see what that config looks like in the /pkg/apis/config/testdata/image-policies.yaml and the accompanying tests in /pkg/apis/config/image_policies_test I made sure that it works with both yaml/json. While playing with this there's some questions that came to mind, so I'll take those to the document. Hope is that we get enough pieces in place so that we can agree on the major moving pieces and how they fit together and enough testing in place that we can start sharding up the work more efficiently and in more focused areas. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Add placeholder configmap with an example. Rename to be consistent with the other cm. image-policies => config-image-policies Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Address lint. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Use namespaced sharedinformerfactory so that we have the right permissions. Ran manual tests validating that things are working, when I remove things from the configmap, things are patched back in (after the global resync is triggered). Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Check error, duh. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Just trying to remove the files that verify-codegen is complaining. Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
In order to enable more efficient use of resources by the admission controller, compile the various sources of truth, be they secrets or configmaps, etc., into a single document (configmap) for consumption.
Outcomes:
@mattmoor @coyote240 @hectorj2f
See also: #1417 #1419
The text was updated successfully, but these errors were encountered: