Start of the necessary pieces to get #1418 and #1419 implemented #1562
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov Report
@@ Coverage Diff @@
## main #1562 +/- ##
==========================================
+ Coverage 26.49% 27.39% +0.90%
==========================================
Files 126 130 +4
Lines 7214 7376 +162
==========================================
+ Hits 1911 2021 +110
- Misses 5093 5132 +39
- Partials 210 223 +13
Continue to review full report at Codecov.
|
kkavitha
reviewed
Mar 8, 2022
|
I don't understand why codegen is failing, I rebased to head, ran update-codegen and it shows no changes. |
|
Need to grant permissions to look at the configmap and secrets |
mattmoor
reviewed
Mar 8, 2022
mattmoor
reviewed
Mar 8, 2022
mattmoor
reviewed
Mar 8, 2022
mattmoor
reviewed
Mar 8, 2022
mattmoor
reviewed
Mar 8, 2022
mattmoor
reviewed
Mar 8, 2022
mattmoor
reviewed
Mar 8, 2022
…gstore#1419 implemented ClusterImagePolicy reconciler will now create a configmap (no secret support yet) and update it on changes (not on deletions yet). Also put up most necessary testing pieces so that we can start unit testing the reconciler and make sure it updates the resulting configmap. There's also a ConfigStore that we can then inject into the admission webhook that I have wired in there (nop for now, but demonstrating how it could work). Idea being that you could then for a given image ask for all the authorities that need to be validated. You can see what that config looks like in the /pkg/apis/config/testdata/image-policies.yaml and the accompanying tests in /pkg/apis/config/image_policies_test I made sure that it works with both yaml/json. While playing with this there's some questions that came to mind, so I'll take those to the document. Hope is that we get enough pieces in place so that we can agree on the major moving pieces and how they fit together and enough testing in place that we can start sharding up the work more efficiently and in more focused areas. Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
Rename to be consistent with the other cm. image-policies => config-image-policies Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
…sions. Ran manual tests validating that things are working, when I remove things from the configmap, things are patched back in (after the global resync is triggered). Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
|
I'm so very baffled as to what's going on with hack/update-codegen. Here's what I did (again) and it's still complaining. |
This was referenced Mar 9, 2022
hectorj2f
reviewed
Mar 9, 2022
| @@ -85,6 +87,9 @@ var types = map[schema.GroupVersionKind]resourcesemantics.GenericCRD{ | |||
| } | |||
|
|
|||
| func NewValidatingAdmissionController(ctx context.Context, cmw configmap.Watcher) *controller.Impl { | |||
| // Decorate contexts with the current state of the config. | |||
There was a problem hiding this comment.
@vaikas Shouldn't you do the same for the NewMutatingAdmisisonController ?
There was a problem hiding this comment.
lol, I took it out as per previous PR feedback :) Is there anything in the policy that gets used by mutating?
#1562 (comment)
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
mattmoor
approved these changes
Mar 9, 2022
mlieberman85
pushed a commit
to mlieberman85/cosign
that referenced
this pull request
May 6, 2022
…implemented (sigstore#1562) * This is the start of the necessary pieces to get sigstore#1418 and sigstore#1419 implemented ClusterImagePolicy reconciler will now create a configmap (no secret support yet) and update it on changes (not on deletions yet). Also put up most necessary testing pieces so that we can start unit testing the reconciler and make sure it updates the resulting configmap. There's also a ConfigStore that we can then inject into the admission webhook that I have wired in there (nop for now, but demonstrating how it could work). Idea being that you could then for a given image ask for all the authorities that need to be validated. You can see what that config looks like in the /pkg/apis/config/testdata/image-policies.yaml and the accompanying tests in /pkg/apis/config/image_policies_test I made sure that it works with both yaml/json. While playing with this there's some questions that came to mind, so I'll take those to the document. Hope is that we get enough pieces in place so that we can agree on the major moving pieces and how they fit together and enough testing in place that we can start sharding up the work more efficiently and in more focused areas. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Add placeholder configmap with an example. Rename to be consistent with the other cm. image-policies => config-image-policies Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Address lint. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Use namespaced sharedinformerfactory so that we have the right permissions. Ran manual tests validating that things are working, when I remove things from the configmap, things are patched back in (after the global resync is triggered). Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Check error, duh. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Just trying to remove the files that verify-codegen is complaining. Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is the start of the necessary pieces to get #1418 and #1419 implemented
ClusterImagePolicy reconciler will now create a configmap (no secret support yet)
and update it on changes (not on deletions yet). Also put up most necessary
testing pieces so that we can start unit testing the reconciler and make sure
it updates the resulting configmap.
There's also a ConfigStore that we can then inject into the admission webhook
that I have wired in there (nop for now, but demonstrating how it could work).
Idea being that you could then for a given image ask for all the authorities that
need to be validated. You can see what that config looks like in the
/pkg/apis/config/testdata/config-image-policies.yaml and the accompanying tests
in /pkg/apis/config/image_policies_test
I made sure that it works with both yaml/json.
While playing with this there's some questions that came to mind, so I'll take
those to the document.
Hope is that we get enough pieces in place so that we can agree on the major
moving pieces and how they fit together and enough testing in place that
we can start sharding up the work more efficiently and in more focused areas.
Signed-off-by: Ville Aikas vaikas@chainguard.dev
Summary
Ticket Link
Fixes
Release Note