From ad30826ea0d73be118b5a6c422d411a545a2a82d Mon Sep 17 00:00:00 2001 From: Jerry Sun Date: Fri, 20 Jan 2023 14:23:27 -0500 Subject: [PATCH] Upversion helm charts to v0.13.1 This commit upversions the portieris helm charts to 0.13.1, which is the newest version at the time. This commit also aligns our patches to the new helm charts. - the issues addessed by patch 0001 has been merged upstream, so the patch was removed - tolerations and image pull secrets are handled by helm overrides so the patches were removed - some patches on code that have been removed upstream were removed The behavior for portieris changed a bit since our old version. In the old version, the default behavior is to allow all deployments. Namespaces with an imagepolicy will follow that imagepolicy. In the new version(0.13.1), the default behavior is to deny all deployments. This commit adds a permissive cluster image policy to allow all deployments, keeping it in line with the old behavior and preventing any interference with things like kube-system and our other applications. Test Cases: PASS: Build new ISO and ensure the new application tarball uses the new v0.13.1 helm charts PASS: Apply portieris and ensure it uses the new v0.13.1 image PASS: Apply an imagepolicy. Ensure a signed image can be deployed in a pod and an unsigned image cannot be deployed in a pod PASS: remove and reapply application Story: 2010394 Task: 47071 Signed-off-by: Jerry Sun Change-Id: Ica6efa081a7b2c1e1358add609b274d6b121bb12 --- centos_tarball-dl.lst | 2 +- ...permissive-cluster-policy-by-default.patch | 37 + ...0001-Squash-required-portieris-fixes.patch | 1296 ----------------- ...002-add-image-pull-secrets-to-images.patch | 28 - ...e-to-reinstall-the-admission-webhook.patch | 51 - ...4-run-admission-webhooks-as-non-root.patch | 105 -- .../patches/0005-add-toleration.patch | 130 -- ...dd-toleration-to-deployment-and-jobs.patch | 119 -- .../debian/deb_folder/patches/series | 7 +- portieris-helm/debian/deb_folder/rules | 2 +- portieris-helm/debian/meta_data.yaml | 6 +- ...permissive-cluster-policy-by-default.patch | 37 + ...0001-Squash-required-portieris-fixes.patch | 1296 ----------------- ...002-add-image-pull-secrets-to-images.patch | 28 - ...e-to-reinstall-the-admission-webhook.patch | 51 - ...4-run-admission-webhooks-as-non-root.patch | 105 -- .../files/0005-add-toleration.patch | 130 -- ...dd-toleration-to-deployment-and-jobs.patch | 119 -- .../portieris/helmrelease.yaml | 2 +- .../portieris/portieris-static-overrides.yaml | 14 +- 20 files changed, 89 insertions(+), 3476 deletions(-) create mode 100644 portieris-helm/debian/deb_folder/patches/0001-Add-permissive-cluster-policy-by-default.patch delete mode 100644 portieris-helm/debian/deb_folder/patches/0001-Squash-required-portieris-fixes.patch delete mode 100644 portieris-helm/debian/deb_folder/patches/0002-add-image-pull-secrets-to-images.patch delete mode 100644 portieris-helm/debian/deb_folder/patches/0003-add-toggle-to-reinstall-the-admission-webhook.patch delete mode 100644 portieris-helm/debian/deb_folder/patches/0004-run-admission-webhooks-as-non-root.patch delete mode 100644 portieris-helm/debian/deb_folder/patches/0005-add-toleration.patch delete mode 100644 portieris-helm/debian/deb_folder/patches/0006-Add-toleration-to-deployment-and-jobs.patch create mode 100644 portieris-helm/files/0001-Add-permissive-cluster-policy-by-default.patch delete mode 100644 portieris-helm/files/0001-Squash-required-portieris-fixes.patch delete mode 100644 portieris-helm/files/0002-add-image-pull-secrets-to-images.patch delete mode 100644 portieris-helm/files/0003-add-toggle-to-reinstall-the-admission-webhook.patch delete mode 100644 portieris-helm/files/0004-run-admission-webhooks-as-non-root.patch delete mode 100644 portieris-helm/files/0005-add-toleration.patch delete mode 100644 portieris-helm/files/0006-Add-toleration-to-deployment-and-jobs.patch diff --git a/centos_tarball-dl.lst b/centos_tarball-dl.lst index 1bd7550..8c5bd1f 100644 --- a/centos_tarball-dl.lst +++ b/centos_tarball-dl.lst @@ -1 +1 @@ -portieris-0.7.0.tgz#portieris#https://github.com/IBM/portieris/archive/0.7.0.tar.gz#http## +portieris-0.13.1.tgz#portieris#https://github.com/IBM/portieris/archive/refs/tags/v0.13.1.tar.gz#http## diff --git a/portieris-helm/debian/deb_folder/patches/0001-Add-permissive-cluster-policy-by-default.patch b/portieris-helm/debian/deb_folder/patches/0001-Add-permissive-cluster-policy-by-default.patch new file mode 100644 index 0000000..4308a3f --- /dev/null +++ b/portieris-helm/debian/deb_folder/patches/0001-Add-permissive-cluster-policy-by-default.patch @@ -0,0 +1,37 @@ +From 0eff41601723e51d975af4e4663dc788bb067f0a Mon Sep 17 00:00:00 2001 +From: Jerry Sun +Date: Mon, 16 Jan 2023 11:35:58 -0500 +Subject: [PATCH 1/1] Add permissive cluster policy by default + +The default permissive policy is only added if the policy set is +set to IKS. In the non IKS case, no default cluster image policy +is created. This means all pod deployment is denied in all +namespaces that don't have any imagepolicies. This patch applies +the default permissive cluster image policy to not interfere with +platform functionality when Portieris is applied. + +Signed-off-by: Jerry Sun +--- + helm/portieris/templates/policies.yaml | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/helm/portieris/templates/policies.yaml b/helm/portieris/templates/policies.yaml +index 6e67ffc..ed8c84f 100644 +--- a/helm/portieris/templates/policies.yaml ++++ b/helm/portieris/templates/policies.yaml +@@ -65,7 +65,6 @@ spec: + --- + {{ end }} + +-{{- if (eq .Values.PolicySet "IKS") }} + apiVersion: portieris.cloud.ibm.com/v1 + kind: ClusterImagePolicy + metadata: +@@ -77,4 +76,3 @@ spec: + repositories: + {{- .Values.clusterPolicy.allowedRepositories | toYaml | nindent 4 }} + --- +-{{ end }} +-- +2.34.1 + diff --git a/portieris-helm/debian/deb_folder/patches/0001-Squash-required-portieris-fixes.patch b/portieris-helm/debian/deb_folder/patches/0001-Squash-required-portieris-fixes.patch deleted file mode 100644 index b71b0cf..0000000 --- a/portieris-helm/debian/deb_folder/patches/0001-Squash-required-portieris-fixes.patch +++ /dev/null @@ -1,1296 +0,0 @@ -From 42bd348d6a6b656d62dc436313b4dd2d8c838993 Mon Sep 17 00:00:00 2001 -From: Joseph Richard -Date: Thu, 23 Jul 2020 15:45:17 -0400 -Subject: [PATCH] Squash required portieris fixes - -Add fixes for these issues to portieris build: - * https://github.com/IBM/portieris/issues/51 - * https://github.com/IBM/portieris/issues/59 - -This should be rebased once those issues are fixed in a published -release of portieris. - -Signed-off-by: Joseph Richard ---- - CHANGELOG.md | 23 +++ - README.md | 19 ++- - cmd/trust/main.go | 8 +- - helm/cleanup.sh | 7 +- - helm/portieris/gencerts | 10 +- - .../delete-admission-webhooks.yaml | 2 +- - .../templates/admission-webhooks/webhooks.yaml | 8 +- - helm/portieris/templates/clusterrole.yaml | 7 +- - helm/portieris/templates/clusterrolebinding.yaml | 3 + - .../templates/crd-creation/configmap.yaml | 3 + - .../templates/crd-creation/create-crds.yaml | 2 +- - .../templates/crd-creation/delete-crds.yaml | 6 +- - helm/portieris/templates/default/policies.yaml | 76 +++++---- - helm/portieris/templates/deployment.yaml | 8 +- - helm/portieris/templates/secret.yaml | 26 ++- - .../templates/securitycontextconstraint.yaml | 43 +++++ - helm/portieris/templates/service.yaml | 2 +- - helm/portieris/templates/serviceaccount.yaml | 3 + - helm/portieris/values.yaml | 53 ++++-- - helpers/image/image.go | 7 + - helpers/oauth/header.go | 178 +++++++++++++++++++++ - helpers/oauth/oauth.go | 85 ++++++++-- - pkg/controller/multi/notary_test.go | 16 +- - pkg/registry/fakeregistry/fakeregistry.go | 27 ++-- - pkg/registry/registry.go | 12 +- - pkg/verifier/trust/verifier.go | 87 +++++++++- - 26 files changed, 598 insertions(+), 123 deletions(-) - create mode 100644 CHANGELOG.md - create mode 100644 helm/portieris/templates/securitycontextconstraint.yaml - create mode 100644 helpers/oauth/header.go - -diff --git a/CHANGELOG.md b/CHANGELOG.md -new file mode 100644 -index 0000000..0c93f86 ---- /dev/null -+++ b/CHANGELOG.md -@@ -0,0 +1,23 @@ -+# Change Log -+ -+Notable changes recorded here. -+This project adheres to [Semantic Versioning](http://semver.org/). -+ -+# 0.7.1 -+## 2020-06-xx -+ -+* Fix the port name in service template ([PR#149](https://github.com/IBM/portieris/pull/149)) -+* Change the default namespace to portieris ([#117](https://github.com/IBM/portieris/issues/117)) -+* Support Helm3 and Openshift 4 ([#130](https://github.com/IBM/portieris/pull/130)) -+* anti-affinity and liveness/readiness probes ([#66](https://github.com/IBM/portieris/issues/66)) -+* Support sourcing webhook certificates from cert-manager ([#59](https://github.com/IBM/portieris/issues/59)) -+ -+# 0.7.0 -+## 2020-06-09 -+ -+* Support for reading simple signatures from lookaside storage, ([#93](https://github.com/IBM/portieris/issues/93)) -+ -+# 0.6.0 -+## 2020-03-26 -+ -+* Support for the verification of simple signatures using [containers/image](https://github.com/containers/image). ([#70](https://github.com/IBM/portieris/issues/70)) -diff --git a/README.md b/README.md -index b417d36..af69444 100644 ---- a/README.md -+++ b/README.md -@@ -29,18 +29,27 @@ Portieris' Admission Webhook is configured to fail closed. Three instances of Po - - ## Installing Portieris - --Portieris is installed using a Helm chart. Before you begin, make sure that you have Kubernetes 1.9 or above, and Helm 2.8 or above (not Helm 3.x) installed in your cluster. -+Portieris is installed using a Helm chart. Before you begin, make sure that you have Kubernetes 1.16 or above and Helm 3.0 or above installed on your workstation. - --To install Portieris: -+To install Portieris in the default namespace (portieris): - - * Clone the Portieris Git repository to your workstation. - * Change directory into the Portieris Git repository. --* Run `./helm/portieris/gencerts `. The `gencerts` script generates new SSL certificates and keys for Portieris. Portieris presents this certificates to the Kubernetes API server when the API server makes admission requests. If you do not generate new certificates, it could be possible for an attacker to spoof Portieris in your cluster. --* Run `helm upgrade --install portieris --set namespace= helm/portieris`. -+* Run `./helm/portieris/gencerts`. The `gencerts` script generates new SSL certificates and keys for Portieris. Portieris presents this certificates to the Kubernetes API server when the API server makes admission requests. If you do not generate new certificates, it could be possible for an attacker to spoof Portieris in your cluster. -+* Run `kubectl create namespace portieris` -+* Run `helm install portieris helm/portieris`. -+ -+To use an alternative namespace: -+* Run `./helm/portieris/gencerts `. -+* Run `kubectl create namespace `. -+* Run `helm install portieris --set namespace= helm/portieris`. -+ -+To manage certificates through installed cert-manager(https://cert-manager.io/): -+* Run `helm install portieris --set UseCertManager=true helm/portieris`. - - ## Uninstalling Portieris - --You can uninstall Portieris at any time by running `helm delete --purge portieris`. Note that all your image security policies are deleted when you uninstall Portieris. -+You can uninstall Portieris at any time by running `helm delete portieris`. Note that all your image security policies are deleted when you uninstall Portieris. - - ## Image security policies - -diff --git a/cmd/trust/main.go b/cmd/trust/main.go -index e07daa4..4295842 100644 ---- a/cmd/trust/main.go -+++ b/cmd/trust/main.go -@@ -77,13 +77,13 @@ func main() { - glog.Fatal("Could not get trust client", err) - } - -- serverCert, err := ioutil.ReadFile("/etc/certs/serverCert.pem") -+ serverCert, err := ioutil.ReadFile("/etc/certs/tls.crt") - if err != nil { -- glog.Fatal("Could not read /etc/certs/serverCert.pem", err) -+ glog.Fatal("Could not read /etc/certs/tls.crt", err) - } -- serverKey, err := ioutil.ReadFile("/etc/certs/serverKey.pem") -+ serverKey, err := ioutil.ReadFile("/etc/certs/tls.key") - if err != nil { -- glog.Fatal("Could not read /etc/certs/serverKey.pem", err) -+ glog.Fatal("Could not read /etc/certs/tls.key", err) - } - - cr := registryclient.NewClient() -diff --git a/helm/cleanup.sh b/helm/cleanup.sh -index 89dd681..06b69a8 100755 ---- a/helm/cleanup.sh -+++ b/helm/cleanup.sh -@@ -1,9 +1,9 @@ - #! /bin/bash - - RELEASE_NAME=${1:-portieris} --NAMESPACE=${2:-ibm-system} -+NAMESPACE=${2:-portieris} - --echo Purging release ${RELEASE_NAME} in ${NAMESPACE} -+echo Deleting release ${RELEASE_NAME} in ${NAMESPACE} - - kubectl delete MutatingWebhookConfiguration image-admission-config --ignore-not-found=true - kubectl delete ValidatingWebhookConfiguration image-admission-config --ignore-not-found=true -@@ -12,6 +12,5 @@ kubectl delete crd clusterimagepolicies.securityenforcement.admission.cloud.ibm. - - kubectl delete jobs -n ${NAMESPACE} create-admission-webhooks create-armada-image-policies create-crds validate-crd-creation --ignore-not-found=true - --helm delete --purge ${RELEASE_NAME} -+helm delete ${RELEASE_NAME} --no-hooks - --kubectl delete jobs -n ${NAMESPACE} delete-admission-webhooks delete-crds --ignore-not-found=true -diff --git a/helm/portieris/gencerts b/helm/portieris/gencerts -index 3e1c724..d1dc2fa 100755 ---- a/helm/portieris/gencerts -+++ b/helm/portieris/gencerts -@@ -3,7 +3,7 @@ - SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" - - SERVICE_NAME=portieris --NAMESPACE=${1:-ibm-system} -+NAMESPACE=${1:-portieris} - - echo "Using $SERVICE_NAME as the service name" - echo "Using $NAMESPACE as the namespace" -@@ -26,12 +26,12 @@ EOF - - # Create a certificate authority - openssl genrsa -out $CERT_DIR/caKey.pem 2048 --openssl req -x509 -new -nodes -key $CERT_DIR/caKey.pem -days 100000 -out $CERT_DIR/caCert.pem -subj "/CN=${SERVICE_NAME}_ca" -+openssl req -x509 -new -nodes -key $CERT_DIR/caKey.pem -days 100000 -out $CERT_DIR/ca.crt -subj "/CN=${SERVICE_NAME}_ca" - - # Create a server certiticate --openssl genrsa -out $CERT_DIR/serverKey.pem 2048 -+openssl genrsa -out $CERT_DIR/tls.key 2048 - # Note the CN is the DNS name of the service of the webhook. --openssl req -new -key $CERT_DIR/serverKey.pem -out $CERT_DIR/server.csr -subj "/CN=${SERVICE_NAME}.${NAMESPACE}.svc" -config $CERT_DIR/server.conf --openssl x509 -req -in $CERT_DIR/server.csr -CA $CERT_DIR/caCert.pem -CAkey $CERT_DIR/caKey.pem -CAcreateserial -out $CERT_DIR/serverCert.pem -days 100000 -extensions v3_req -extfile $CERT_DIR/server.conf -+openssl req -new -key $CERT_DIR/tls.key -out $CERT_DIR/server.csr -subj "/CN=${SERVICE_NAME}.${NAMESPACE}.svc" -config $CERT_DIR/server.conf -+openssl x509 -req -in $CERT_DIR/server.csr -CA $CERT_DIR/ca.crt -CAkey $CERT_DIR/caKey.pem -CAcreateserial -out $CERT_DIR/tls.crt -days 100000 -extensions v3_req -extfile $CERT_DIR/server.conf - - rm $CERT_DIR/caKey.pem $CERT_DIR/server.conf $CERT_DIR/server.csr -diff --git a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml -index 35a3812..ce34927 100644 ---- a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml -+++ b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml -@@ -5,7 +5,7 @@ metadata: - namespace: {{ .Values.namespace }} - annotations: - helm.sh/hook: pre-delete -- helm.sh/hook-weight: "-10" -+ helm.sh/hook-weight: "-8" - helm.sh/hook-delete-policy: hook-succeeded - labels: - app: {{ template "portieris.name" . }} -diff --git a/helm/portieris/templates/admission-webhooks/webhooks.yaml b/helm/portieris/templates/admission-webhooks/webhooks.yaml -index caee941..0f013a0 100644 ---- a/helm/portieris/templates/admission-webhooks/webhooks.yaml -+++ b/helm/portieris/templates/admission-webhooks/webhooks.yaml -@@ -3,6 +3,10 @@ apiVersion: admissionregistration.k8s.io/v1beta1 - kind: MutatingWebhookConfiguration - metadata: - name: image-admission-config -+ {{ if .Values.UseCertManager }} -+ annotations: -+ cert-manager.io/inject-ca-from: {{ .Values.namespace }}/portieris-certs -+ {{ end }} - namespace: {{ .Values.namespace }} - labels: - app: {{ template "portieris.name" . }} -@@ -16,7 +20,9 @@ webhooks: - name: {{ template "portieris.name" . }} - namespace: {{ .Values.namespace }} - path: "/admit" -- caBundle: {{ .Files.Get "certs/caCert.pem" | b64enc }} -+ {{ if not .Values.UseCertManager }} -+ caBundle: {{ .Files.Get "certs/ca.crt" | b64enc }} -+ {{ end }} - rules: - - operations: [ "CREATE", "UPDATE" ] - apiGroups: ["*"] -diff --git a/helm/portieris/templates/clusterrole.yaml b/helm/portieris/templates/clusterrole.yaml -index 2090543..67c5912 100644 ---- a/helm/portieris/templates/clusterrole.yaml -+++ b/helm/portieris/templates/clusterrole.yaml -@@ -7,10 +7,13 @@ metadata: - chart: {{ template "portieris.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -+ annotations: -+ helm.sh/hook: pre-install -+ helm.sh/hook-weight: "-10" - rules: - - apiGroups: ["securityenforcement.admission.cloud.ibm.com"] - resources: ["imagepolicies", "clusterimagepolicies"] -- verbs: ["get", "watch", "list", "create"] -+ verbs: ["get", "watch", "list", "create", "patch"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "create", "delete"] -@@ -19,4 +22,4 @@ rules: - verbs: ["get", "create", "delete"] - - apiGroups: [""] - resources: ["secrets", "serviceaccounts"] -- verbs: ["get"] -\ No newline at end of file -+ verbs: ["get"] -diff --git a/helm/portieris/templates/clusterrolebinding.yaml b/helm/portieris/templates/clusterrolebinding.yaml -index 3468bb0..0bfdac7 100644 ---- a/helm/portieris/templates/clusterrolebinding.yaml -+++ b/helm/portieris/templates/clusterrolebinding.yaml -@@ -7,6 +7,9 @@ metadata: - chart: {{ template "portieris.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -+ annotations: -+ helm.sh/hook: pre-install -+ helm.sh/hook-weight: "-9" - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole -diff --git a/helm/portieris/templates/crd-creation/configmap.yaml b/helm/portieris/templates/crd-creation/configmap.yaml -index 5c185af..0cdeb40 100644 ---- a/helm/portieris/templates/crd-creation/configmap.yaml -+++ b/helm/portieris/templates/crd-creation/configmap.yaml -@@ -8,6 +8,9 @@ metadata: - chart: {{ template "portieris.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -+ annotations: -+ helm.sh/hook: pre-install -+ helm.sh/hook-weight: "-7" - data: - custom-resource-definitions.yaml: |- - {{- include "crds.yaml.tpl" . | indent 4}} -diff --git a/helm/portieris/templates/crd-creation/create-crds.yaml b/helm/portieris/templates/crd-creation/create-crds.yaml -index 7be3d51..3ac36f6 100644 ---- a/helm/portieris/templates/crd-creation/create-crds.yaml -+++ b/helm/portieris/templates/crd-creation/create-crds.yaml -@@ -4,7 +4,7 @@ metadata: - name: create-crds - namespace: {{ .Values.namespace }} - annotations: -- helm.sh/hook: post-install -+ helm.sh/hook: pre-install - helm.sh/hook-weight: "-6" - helm.sh/hook-delete-policy: hook-succeeded - labels: -diff --git a/helm/portieris/templates/crd-creation/delete-crds.yaml b/helm/portieris/templates/crd-creation/delete-crds.yaml -index 7313d23..9080511 100644 ---- a/helm/portieris/templates/crd-creation/delete-crds.yaml -+++ b/helm/portieris/templates/crd-creation/delete-crds.yaml -@@ -4,8 +4,8 @@ metadata: - name: delete-crds - namespace: {{ .Values.namespace }} - annotations: -- helm.sh/hook: pre-delete -- helm.sh/hook-weight: "-9" -+ helm.sh/hook: post-delete -+ helm.sh/hook-weight: "-8" - helm.sh/hook-delete-policy: hook-succeeded - labels: - app: {{ template "portieris.name" . }} -@@ -40,4 +40,4 @@ spec: - configMap: - name: image-policy-crds - restartPolicy: OnFailure -- -\ No newline at end of file -+ -diff --git a/helm/portieris/templates/default/policies.yaml b/helm/portieris/templates/default/policies.yaml -index d9dc0e7..f47fa8f 100644 ---- a/helm/portieris/templates/default/policies.yaml -+++ b/helm/portieris/templates/default/policies.yaml -@@ -2,73 +2,79 @@ - apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1 - kind: ImagePolicy - metadata: -- name: portieris-default-image-policy -+ name: default - namespace: {{ .Values.namespace }} - annotations: - helm.sh/hook: post-install - helm.sh/hook-weight: "1" - spec: - repositories: -- # This policy allows all images to be deployed into this namespace. This policy prevents breaking any existing third party applications in this namespace. -- # IMPORTANT: Review this policy and replace it with one that meets your requirements. If you do not run any third party applications in this namespace, you can remove this policy entirely. -- - name: "*" -- policy: -- {{ if .Values.IBMContainerService }} -- # These policies allow all IBM Cloud Container Service images from the global and all regional registries to deploy in this namespace. -- # IMPORTANT: When you create your own policy in this namespace, make sure to include these repositories. If you do not, the cluster might not function properly. -- - name: "*.icr.io/armada/*" -- policy: -- - name: "*.icr.io/armada-worker/*" -- policy: -- - name: "*.icr.io/armada-master/*" -- policy: -- {{ end }} -- # This policy prevents Portieris from blocking itself -- - name: "{{ .Values.image.host }}/{{ .Values.image.image }}:{{ .Values.image.tag }}" -- policy: -- # This policy allows Portieris to use Hyperkube to configure your cluster. This policy must exist if you uninstall Portieris. -+ # This policy prevents Portieris from denying its own updates. Do not remove this policy or portieris may not function correctly. -+ - name: "{{ .Values.image.host | default "docker.io/ibmcom" }}/{{ .Values.image.image }}:{{ .Values.image.tag }}" -+ # This policy allows Portieris to use Hyperkube to configure your cluster. This policy must exist if order to uninstall Portieris. - - name: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}" -- policies: -- - --- - apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1 - kind: ImagePolicy - metadata: -- name: portieris-default-image-policy -+ name: default - namespace: kube-system - annotations: - helm.sh/hook: post-install - helm.sh/hook-weight: "1" - spec: - repositories: -- # This policy allows all images to be deployed into this namespace. This policy prevents breaking any existing third party applications in this namespace. -- # IMPORTANT: Review this policy and replace it with one that meets your requirements. If you do not run any third party applications in this namespace, you can remove this policy entirely. -+ # This permissive policy allows all images to be deployed into this namespace. -+ # IMPORTANT: Review this policy and replace it with one that meets your requirements. - - name: "*" -- policy: - {{ if .Values.IBMContainerService }} -- # These policies allow all IBM Cloud Container Service images from the global and all regional registries to deploy in this namespace. -- # IMPORTANT: When you create your own policy in this namespace, make sure to include these repositories. If you do not, the cluster might not function properly. -+ # These policies allow all IBM Cloud Container Service images to deploy in this namespace. -+ # IMPORTANT: When you create your own policy in this namespace, be sure to retain these policies. If you do not, the cluster might not update or function properly. -+ - name: "registry*.bluemix.net/armada/*" -+ - name: "registry*.bluemix.net/armada-worker/*" -+ - name: "registry*.bluemix.net/armada-master/*" - - name: "*.icr.io/armada/*" -- policy: - - name: "*.icr.io/armada-worker/*" -- policy: - - name: "*.icr.io/armada-master/*" -- policy: -+ - name: "icr.io/armada/*" -+ - name: "icr.io/armada-worker/*" -+ - name: "icr.io/armada-master/*" - {{ end }} - --- -+{{ if .Values.IBMContainerService }} -+apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1 -+kind: ImagePolicy -+metadata: -+ name: default -+ namespace: ibm-system -+ annotations: -+ helm.sh/hook: post-install -+ helm.sh/hook-weight: "1" -+spec: -+ repositories: -+ # These policies allow all IBM Cloud Container Service images to deploy in this namespace. -+ # IMPORTANT: When you create your own policy in this namespace, make sure to retain these policies. If you do not, the cluster might not update or function properly. -+ - name: "registry*.bluemix.net/armada/*" -+ - name: "registry*.bluemix.net/armada-worker/*" -+ - name: "registry*.bluemix.net/armada-master/*" -+ - name: "*.icr.io/armada/*" -+ - name: "*.icr.io/armada-worker/*" -+ - name: "*.icr.io/armada-master/*" -+ - name: "icr.io/armada/*" -+ - name: "icr.io/armada-worker/*" -+ - name: "icr.io/armada-master/*" -+--- -+{{ end }} - apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1 - kind: ClusterImagePolicy - metadata: -- name: portieris-default-cluster-image-policy -+ name: default - annotations: - helm.sh/hook: post-install - helm.sh/hook-weight: "1" - spec: - repositories: -- # This enforces that all images deployed to this cluster pass trust -+ # This permissive policy allows all images in namespaces which do not have an ImagePolicy. - # IMPORTANT: Review this policy and replace it with one that meets your requirements. - - name: "*" -- policy: -- trust: -- enabled: true - {{ end }} -diff --git a/helm/portieris/templates/deployment.yaml b/helm/portieris/templates/deployment.yaml -index 977b6c3..b72c599 100644 ---- a/helm/portieris/templates/deployment.yaml -+++ b/helm/portieris/templates/deployment.yaml -@@ -17,7 +17,7 @@ spec: - template: - metadata: - labels: -- app: {{ template "portieris.name" . }} -+ app: portieris - release: {{ .Release.Name }} - spec: - serviceAccountName: portieris -@@ -38,11 +38,15 @@ spec: - port: 8000 - path: "/health/liveness" - scheme: HTTPS -+ initialDelaySeconds: 10 -+ timeoutSeconds: 10 - readinessProbe: - httpGet: - port: 8000 - path: "/health/readiness" - scheme: HTTPS -+ initialDelaySeconds: 10 -+ timeoutSeconds: 10 - env: - resources: - {{ toYaml .Values.resources | indent 12 }} -@@ -59,7 +63,7 @@ spec: - {{ toYaml . | indent 8 }} - {{- end }} - securityContext: -- runAsUser: 1000060001 -+ runAsUser: {{ .Values.securityContext.runAsUser }} - volumes: - - name: portieris-certs - secret: -diff --git a/helm/portieris/templates/secret.yaml b/helm/portieris/templates/secret.yaml -index 0f5b038..f14fa24 100644 ---- a/helm/portieris/templates/secret.yaml -+++ b/helm/portieris/templates/secret.yaml -@@ -1,4 +1,25 @@ - {{ if not .Values.SkipSecretCreation }} -+{{ if .Values.UseCertManager }} -+apiVersion: cert-manager.io/v1alpha2 -+kind: Issuer -+metadata: -+ name: portieris -+ namespace: {{ .Values.namespace }} -+spec: -+ selfSigned: {} -+--- -+apiVersion: cert-manager.io/v1alpha2 -+kind: Certificate -+metadata: -+ name: portieris-certs -+ namespace: {{ .Values.namespace }} -+spec: -+ dnsNames: -+ - portieris.{{ .Values.namespace }}.svc -+ secretName: portieris-certs -+ issuerRef: -+ name: portieris -+{{ else }} - apiVersion: v1 - kind: Secret - metadata: -@@ -6,6 +27,7 @@ metadata: - namespace: {{ .Values.namespace }} - type: Opaque - data: -- serverCert.pem: {{ .Files.Get "certs/serverCert.pem" | b64enc }} -- serverKey.pem: {{ .Files.Get "certs/serverKey.pem" | b64enc }} -+ tls.crt: {{ .Files.Get "certs/tls.crt" | b64enc }} -+ tls.key: {{ .Files.Get "certs/tls.key" | b64enc }} -+{{ end }} - {{ end }} -diff --git a/helm/portieris/templates/securitycontextconstraint.yaml b/helm/portieris/templates/securitycontextconstraint.yaml -new file mode 100644 -index 0000000..3890ddb ---- /dev/null -+++ b/helm/portieris/templates/securitycontextconstraint.yaml -@@ -0,0 +1,43 @@ -+{{ if .Capabilities.APIVersions.Has "clusterversions.config.openshift.io" }} -+apiVersion: security.openshift.io/v1 -+kind: SecurityContextConstraints -+metadata: -+ annotations: -+ kubernetes.io/description: anyuid provides all features of the restricted SCC but allows users to run with any UID and any GID. -+ helm.sh/hook: pre-install -+ helm.sh/hook-weight: "1" -+ name: anyuid-portieris -+allowHostDirVolumePlugin: false -+allowHostIPC: false -+allowHostNetwork: false -+allowHostPID: false -+allowHostPorts: false -+allowPrivilegeEscalation: true -+allowPrivilegedContainer: false -+allowedCapabilities: [] -+defaultAddCapabilities: [] -+fsGroup: -+ type: RunAsAny -+groups: -+- system:cluster-admins -+priority: 10 -+readOnlyRootFilesystem: false -+requiredDropCapabilities: -+- MKNOD -+runAsUser: -+ type: MustRunAs -+ uid: {{ .Values.securityContext.runAsUser }} -+seLinuxContext: -+ type: MustRunAs -+supplementalGroups: -+ type: RunAsAny -+users: -+- system:serviceaccount:portieris:portieris -+volumes: -+- configMap -+- downwardAPI -+- emptyDir -+- persistentVolumeClaim -+- projected -+- secret -+{{ end }} -diff --git a/helm/portieris/templates/service.yaml b/helm/portieris/templates/service.yaml -index bb3d2e9..8e25eca 100644 ---- a/helm/portieris/templates/service.yaml -+++ b/helm/portieris/templates/service.yaml -@@ -14,7 +14,7 @@ spec: - - port: {{ .Values.service.port }} - targetPort: {{ .Values.service.targetPort }} - protocol: TCP -- name: http -+ name: https - selector: - app: {{ template "portieris.name" . }} - release: {{ .Release.Name }} -diff --git a/helm/portieris/templates/serviceaccount.yaml b/helm/portieris/templates/serviceaccount.yaml -index a0b41fb..88dfa2c 100644 ---- a/helm/portieris/templates/serviceaccount.yaml -+++ b/helm/portieris/templates/serviceaccount.yaml -@@ -12,3 +12,6 @@ metadata: - chart: {{ template "portieris.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -+ annotations: -+ helm.sh/hook: pre-install -+ helm.sh/hook-weight: "-7" -diff --git a/helm/portieris/values.yaml b/helm/portieris/values.yaml -index b75dc61..8b1a13e 100644 ---- a/helm/portieris/values.yaml -+++ b/helm/portieris/values.yaml -@@ -3,7 +3,7 @@ - # Declare variables to be passed into your templates. - - replicaCount: 3 --namespace: ibm-system -+namespace: portieris - - image: - host: -@@ -17,29 +17,56 @@ service: - port: 443 - targetPort: 8000 - -+securityContext: -+ runAsUser: 1000060001 -+ - # If not running on IBM Cloud Container Service set to false - IBMContainerService: true - - # If managing portieris-certs secret externally - SkipSecretCreation: false - --resources: {} -- # We usually recommend not to specify default resources and to leave this as a conscious -- # choice for the user. This also increases chances charts run on environments with little -- # resources, such as Minikube. If you do want to specify resources, uncomment the following -- # lines, adjust them as necessary, and remove the curly braces after 'resources:'. -- # limits: -- # cpu: 100m -- # memory: 128Mi -- # requests: -- # cpu: 100m -- # memory: 128Mi -+# If using cert-manager to handle secrets -+UseCertManager: false -+ -+# Resoures defined to assist scheduling -+# request is typical x10, limit is typical x100 -+resources: -+ limits: -+ cpu: 400m -+ memory: 600Mi -+ requests: -+ cpu: 40m -+ memory: 60Mi - - nodeSelector: {} - - tolerations: [] - --affinity: {} -+# Affinity settings -+# the `podAntiAffinity` defined here results in the distribution of pods over nodes where possible -+# intended to improve availability in the face of node and zone instability, reducing the potential of admission deadlock -+affinity: -+ podAntiAffinity: -+ preferredDuringSchedulingIgnoredDuringExecution: -+ - podAffinityTerm: -+ labelSelector: -+ matchExpressions: -+ - key: app -+ operator: In -+ values: -+ - portieris -+ topologyKey: "kubernetes.io/hostname" -+ weight: 50 -+ - podAffinityTerm: -+ labelSelector: -+ matchExpressions: -+ - key: app -+ operator: In -+ values: -+ - portieris -+ topologyKey: "failure-domain.beta.kubernetes.io/zone" -+ weight: 50 - - # Not recommended for user to configure this. Hyperkube image to use when creating custom resources - hyperkube: -diff --git a/helpers/image/image.go b/helpers/image/image.go -index 8ae59b4..9da3eaa 100644 ---- a/helpers/image/image.go -+++ b/helpers/image/image.go -@@ -31,6 +31,7 @@ type Reference struct { - digest string - hostname string - port string -+ repo string - } - - // NewReference parses the image name and returns an error if the name is invalid. -@@ -50,6 +51,7 @@ func NewReference(name string) (*Reference, error) { - return nil, err - } - result.name = ref.Name() -+ result.repo = reference.Path(ref) - - // Get the hostname - hostname := reference.Domain(ref) -@@ -142,3 +144,8 @@ func (r Reference) NameWithoutTag() string { - func (r Reference) String() string { - return r.original - } -+ -+// RepoName returns the image name without the tag and doesn't contain the server/host detals. -+func (r Reference) RepoName() string { -+ return r.repo -+} -diff --git a/helpers/oauth/header.go b/helpers/oauth/header.go -new file mode 100644 -index 0000000..b7a385b ---- /dev/null -+++ b/helpers/oauth/header.go -@@ -0,0 +1,178 @@ -+// Copyright 2018 Portieris Authors. -+// -+// Licensed under the Apache License, Version 2.0 (the "License"); -+// you may not use this file except in compliance with the License. -+// You may obtain a copy of the License at -+// -+// http://www.apache.org/licenses/LICENSE-2.0 -+// -+// Unless required by applicable law or agreed to in writing, software -+// distributed under the License is distributed on an "AS IS" BASIS, -+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -+// See the License for the specific language governing permissions and -+// limitations under the License. -+ -+package oauth -+ -+import ( -+ "net/http" -+ "strings" -+) -+ -+// Challenge carries information from a WWW-Authenticate response header. -+// See RFC 2617. -+type Challenge struct { -+ // Scheme is the auth-scheme according to RFC 2617 -+ Scheme string -+ -+ // Parameters are the auth-params according to RFC 2617 -+ Parameters map[string]string -+} -+ -+// Octet types from RFC 2616. -+type octetType byte -+ -+var octetTypes [256]octetType -+ -+const ( -+ isToken octetType = 1 << iota -+ isSpace -+) -+ -+func init() { -+ // OCTET = -+ // CHAR = -+ // CTL = -+ // CR = -+ // LF = -+ // SP = -+ // HT = -+ // <"> = -+ // CRLF = CR LF -+ // LWS = [CRLF] 1*( SP | HT ) -+ // TEXT = -+ // separators = "(" | ")" | "<" | ">" | "@" | "," | ";" | ":" | "\" | <"> -+ // | "/" | "[" | "]" | "?" | "=" | "{" | "}" | SP | HT -+ // token = 1* -+ // qdtext = > -+ -+ for c := 0; c < 256; c++ { -+ var t octetType -+ isCtl := c <= 31 || c == 127 -+ isChar := 0 <= c && c <= 127 -+ isSeparator := strings.ContainsRune(" \t\"(),/:;<=>?@[]\\{}", rune(c)) -+ if strings.ContainsRune(" \t\r\n", rune(c)) { -+ t |= isSpace -+ } -+ if isChar && !isCtl && !isSeparator { -+ t |= isToken -+ } -+ octetTypes[c] = t -+ } -+} -+ -+// ResponseChallenges takes in the response and it is unauthorized returns a challenge containing realm and service information -+func ResponseChallenges(resp *http.Response) []Challenge { -+ if resp.StatusCode == http.StatusUnauthorized { -+ // Parse the WWW-Authenticate Header and store the challenges -+ // on this endpoint object. -+ return parseAuthHeader(resp.Header) -+ } -+ return nil -+} -+ -+// ParseAuthHeader takes the header info from a response and gives back realm and service information -+func parseAuthHeader(header http.Header) []Challenge { -+ challenges := []Challenge{} -+ for _, h := range header[http.CanonicalHeaderKey("WWW-Authenticate")] { -+ v, p := parseValueAndParams(h) -+ if v != "" { -+ challenges = append(challenges, Challenge{Scheme: v, Parameters: p}) -+ } -+ } -+ return challenges -+} -+ -+func parseValueAndParams(header string) (value string, params map[string]string) { -+ params = make(map[string]string) -+ value, s := expectToken(header) -+ if value == "" { -+ return -+ } -+ value = strings.ToLower(value) -+ s = "," + skipSpace(s) -+ for strings.HasPrefix(s, ",") { -+ var pkey string -+ pkey, s = expectToken(skipSpace(s[1:])) -+ if pkey == "" { -+ return -+ } -+ if !strings.HasPrefix(s, "=") { -+ return -+ } -+ var pvalue string -+ pvalue, s = expectTokenOrQuoted(s[1:]) -+ if pvalue == "" { -+ return -+ } -+ pkey = strings.ToLower(pkey) -+ params[pkey] = pvalue -+ s = skipSpace(s) -+ } -+ return -+} -+ -+func skipSpace(s string) (rest string) { -+ i := 0 -+ for ; i < len(s); i++ { -+ if octetTypes[s[i]]&isSpace == 0 { -+ break -+ } -+ } -+ return s[i:] -+} -+ -+func expectToken(s string) (token, rest string) { -+ i := 0 -+ for ; i < len(s); i++ { -+ if octetTypes[s[i]]&isToken == 0 { -+ break -+ } -+ } -+ return s[:i], s[i:] -+} -+ -+func expectTokenOrQuoted(s string) (value, rest string) { -+ if !strings.HasPrefix(s, "\"") { -+ return expectToken(s) -+ } -+ s = s[1:] -+ for i := 0; i < len(s); i++ { -+ switch s[i] { -+ case '"': -+ return s[:i], s[i+1:] -+ case '\\': -+ p := make([]byte, len(s)-1) -+ j := copy(p, s[:i]) -+ escape := true -+ for i = i + 1; i < len(s); i++ { -+ b := s[i] -+ switch { -+ case escape: -+ escape = false -+ p[j] = b -+ j++ -+ case b == '\\': -+ escape = true -+ case b == '"': -+ return string(p[:j]), s[i+1:] -+ default: -+ p[j] = b -+ j++ -+ } -+ } -+ return "", "" -+ } -+ } -+ return "", "" -+} -diff --git a/helpers/oauth/oauth.go b/helpers/oauth/oauth.go -index bbfdce3..98ab65e 100644 ---- a/helpers/oauth/oauth.go -+++ b/helpers/oauth/oauth.go -@@ -73,38 +73,70 @@ func GetHTTPClient(customFile string) *http.Client { - // token - Auth token being used for the request - // repo - Repo you are requesting access too e.g. bainsy88/busybox - // username - Username for the OAuth request, identifies the type of token being passed in. Valid usernames are token (for registry token), iambearer, iamapikey, bearer (UAA bearer (legacy)), iamrefresh --// writeAccessRequired - Whether or not you require write (push and delete) access as well as read (pull) --// service - The service you are retrieving the OAuth token for. Current services are either "notary" or "registry" --// hostname - Hostname of the registry you wish to call e.g. https://icr.io -+// ChallengeSlice - Challenge slice contains the www-authenticate details - // Returns: - // *auth.TokenResponse - Details of the type is here https://github.ibm.com/alchemy-registry/registry-types/tree/master/auth#type-tokenresponse - // Token is the element you will need to forward to the registry/notary as part of a Bearer Authorization Header - // error --func Request(token string, repo string, username string, writeAccessRequired bool, service string, hostname string) (*TokenResponse, error) { -- var actions string -- //If you want to verify if a the credential supplied has read and write access to the repo we ask oauth for pull,push and * -- if writeAccessRequired { -- actions = "pull,push,*" -- } else { -- actions = "pull" -+func Request(token, repo, username string, challengeSlice []Challenge) (*TokenResponse, error) { -+ oauthEndpoint := "" -+ service := "" -+ scope := "" -+ -+ if challengeSlice == nil { -+ errMessage := "unable to fetch www-authenticate header details" -+ glog.Errorf(errMessage) -+ return nil, fmt.Errorf(errMessage) -+ } -+ -+ for _, challenge := range challengeSlice { -+ oauthEndpoint = challenge.Parameters["realm"] -+ service = challenge.Parameters["service"] -+ scope = challenge.Parameters["scope"] -+ } -+ -+ if oauthEndpoint == "" || service == "" { -+ errMessage := "unable to fetch oauth realm and service header details" -+ glog.Errorf(errMessage) -+ return nil, fmt.Errorf(errMessage) - } - - client := GetHTTPClient("/etc/certs/ca.pem") - -- resp, err := client.PostForm(hostname+"/oauth/token", url.Values{ -+ glog.Infof("Calling oauth endpoint: %s for registry service: %s and scope %s", oauthEndpoint, service, scope) -+ var resp *http.Response -+ var err error -+ resp, err = client.PostForm(oauthEndpoint, url.Values{ - "service": {service}, - "grant_type": {"password"}, -- "client_id": {"testclient"}, -+ "client_id": {"portieris-client"}, - "username": {username}, - "password": {token}, -- "scope": {"repository:" + repo + ":" + actions}, -+ "scope": {scope}, - }) -- - if err != nil { -- glog.Errorf("Error sending request to registry-oauth: %v", err) -+ glog.Errorf("Error sending POST request to registry-oauth: %v", err) - return nil, err - } - -+ // TODO: confirm if status code of 405 needs to be handled in the below block -+ if resp.StatusCode == 404 || resp.StatusCode == 405 { -+ glog.Info("Calling: " + oauthEndpoint + "?service=" + service + "&scope=" + scope) -+ getURL, err := url.Parse(oauthEndpoint) -+ if err != nil { -+ return nil, err -+ } -+ q := getURL.Query() -+ q.Set("service", service) -+ q.Set("scope", scope) -+ getURL.RawQuery = q.Encode() -+ resp, err = client.Get(getURL.String()) -+ if err != nil { -+ glog.Errorf("Error sending GET request to registry-oauth: %v", err) -+ return nil, err -+ } -+ } -+ - if resp.StatusCode < 200 || resp.StatusCode >= 300 { - // Unexpected, read body for more information and close. It is the upstream callers - // responsibility to close the response body if an error is not returned. -@@ -125,3 +157,26 @@ func Request(token string, repo string, username string, writeAccessRequired boo - - return &tokenResponse, nil - } -+ -+// CheckAuthRequired - checks if the given image needs to be authenticated to fetch metadata or not and returns the response -+func CheckAuthRequired(notaryURL, hostName, repoName string, official bool) (*http.Response, error) { -+ glog.Infof("Notary URL: %s Hostname %s RepoName %s", notaryURL, hostName, repoName) -+ // Github issue 51 Fix -+ var req *http.Request -+ var err error -+ client := GetHTTPClient("/etc/certs/ca.pem") -+ if hostName == "docker.io" && official { -+ req, err = http.NewRequest("GET", notaryURL+"/v2/"+hostName+"/library/"+repoName+"/_trust/tuf/root.json", nil) -+ } else { -+ req, err = http.NewRequest("GET", notaryURL+"/v2/"+hostName+"/"+repoName+"/_trust/tuf/root.json", nil) -+ } -+ -+ resp, err := client.Do(req) -+ -+ if err != nil { -+ glog.Errorf("Failed to query v2 tuf endpoint for notaryURL: %s", notaryURL) -+ return nil, err -+ } -+ -+ return resp, nil -+} -diff --git a/pkg/controller/multi/notary_test.go b/pkg/controller/multi/notary_test.go -index d16c57d..9a36370 100644 ---- a/pkg/controller/multi/notary_test.go -+++ b/pkg/controller/multi/notary_test.go -@@ -276,6 +276,7 @@ var _ = Describe("Main", func() { - "policy": { - "trust": { - "enabled": true -+ "trustServer": "https://us.icr.io:4443" - }, - "va": { - "enabled": false -@@ -290,7 +291,7 @@ var _ = Describe("Main", func() { - wh.HandleAdmissionRequest(w, req) - parseResponse() - Expect(resp.Response.Allowed).To(BeFalse()) -- Expect(resp.Response.Result.Message).To(ContainSubstring(`Deny "no-secret.icr.io/hello", no valid ImagePullSecret defined for no-secret.icr.io`)) -+ Expect(resp.Response.Result.Message).To(ContainSubstring(`Deny "no-secret.icr.io/hello", no matching repositories in the ImagePolicies`)) - }) - }) - -@@ -343,7 +344,7 @@ var _ = Describe("Main", func() { - wh.HandleAdmissionRequest(w, req) - parseResponse() - Expect(resp.Response.Allowed).To(BeFalse()) -- Expect(resp.Response.Result.Message).To(ContainSubstring(`Deny "us.icr.io/hello", no valid ImagePullSecret defined for us.icr.io`)) -+ Expect(resp.Response.Result.Message).To(ContainSubstring(`Some error occurred while trying to fetch token for unauthenticated pubilc pull FAKE_INVALID_TOKEN_ERROR`)) - }) - }) - -@@ -620,7 +621,7 @@ var _ = Describe("Main", func() { - Expect(len(trust.GetNotaryRepoArgsForCall)).To(Equal(1)) - Expect(trust.GetNotaryRepoArgsForCall[0].Server).To(Equal("https://some-trust-server.com:4443")) - Expect(resp.Response.Allowed).To(BeFalse()) -- Expect(resp.Response.Result.Message).To(ContainSubstring(`Deny "us.icr.io/hello", failed to get content trust information: unable to reach trust server at this time: 0.`)) -+ Expect(resp.Response.Result.Message).To(ContainSubstring(`Some error occurred while checking if authentication is required to fetch target metadata`)) - }) - }) - -@@ -665,7 +666,7 @@ var _ = Describe("Main", func() { - "policy": { - "trust": { - "enabled": true, -- "trustServer": "https://some-trust-server.com:4443" -+ "trustServer": "https://notary.docker.io"" - }, - "va": { - "enabled": false -@@ -683,8 +684,8 @@ var _ = Describe("Main", func() { - wh.HandleAdmissionRequest(w, req) - parseResponse() - Expect(len(trust.GetNotaryRepoArgsForCall)).To(Equal(2)) -- Expect(trust.GetNotaryRepoArgsForCall[0].Server).To(Equal("https://some-trust-server.com:4443")) -- Expect(trust.GetNotaryRepoArgsForCall[1].Server).To(Equal("https://some-trust-server.com:4443")) -+ Expect(trust.GetNotaryRepoArgsForCall[0].Server).To(Equal("https://notary.docker.io")) -+ Expect(trust.GetNotaryRepoArgsForCall[1].Server).To(Equal("https://notary.docker.io")) - Expect(resp.Response.Allowed).To(BeFalse()) - Expect(resp.Response.Result.Message).To(ContainSubstring(`Deny "us.icr.io/hello", failed to get content trust information: FAKE_NO_SIGNED_IMAGE_ERROR`)) - Expect(resp.Response.Result.Message).To(ContainSubstring(`Deny "us.icr.io/goodbye", failed to get content trust information: FAKE_NO_SIGNED_IMAGE_ERROR`)) -@@ -739,6 +740,7 @@ var _ = Describe("Main", func() { - "policy": { - "trust": { - "enabled": true -+ "trustServer": "https://notary.docker.io" - }, - "va": { - "enabled": false -@@ -770,7 +772,7 @@ var _ = Describe("Main", func() { - Expect(len(trust.GetNotaryRepoArgsForCall)).To(Equal(2)) - Expect(trust.GetNotaryRepoArgsForCall[0].Server).To(Equal("https://us.icr.io:4443")) - Expect(trust.GetNotaryRepoArgsForCall[0].Image).To(Equal("us.icr.io/hello")) -- Expect(trust.GetNotaryRepoArgsForCall[1].Server).To(Equal("https://some-trust-server.com:4443")) -+ Expect(trust.GetNotaryRepoArgsForCall[1].Server).To(Equal("https://notary.docker.io")) - Expect(trust.GetNotaryRepoArgsForCall[1].Image).To(Equal("icr.io/goodbye")) - Expect(resp.Response.Allowed).To(BeFalse()) - }) -diff --git a/pkg/registry/fakeregistry/fakeregistry.go b/pkg/registry/fakeregistry/fakeregistry.go -index 2e9d97e..342be8c 100644 ---- a/pkg/registry/fakeregistry/fakeregistry.go -+++ b/pkg/registry/fakeregistry/fakeregistry.go -@@ -18,6 +18,7 @@ import ( - "fmt" - "sync" - -+ "github.com/IBM/portieris/helpers/oauth" - "github.com/IBM/portieris/pkg/registry" - ) - -@@ -25,13 +26,13 @@ var _ registry.Interface = &FakeRegistry{} - - // FakeRegistry . - type FakeRegistry struct { -- GetContentTrustTokenStub func(username, password, imageRepo, hostname string) (string, error) -+ GetContentTrustTokenStub func(username, password, imageRepo string, challengeSlice []oauth.Challenge) (string, error) - getContentTrustTokenMutex sync.RWMutex - getContentTrustTokenArgsForCall []struct { -- username string -- password string -- imageRepo string -- hostname string -+ username string -+ password string -+ imageRepo string -+ challengeSlice []oauth.Challenge - } - getContentTrustTokenReturns struct { - token string -@@ -40,17 +41,17 @@ type FakeRegistry struct { - } - - // GetContentTrustToken ... --func (fake *FakeRegistry) GetContentTrustToken(username, password, imageRepo, hostname string) (string, error) { -+func (fake *FakeRegistry) GetContentTrustToken(username, password, imageRepo string, challengeSlice []oauth.Challenge) (string, error) { - fake.getContentTrustTokenMutex.Lock() - fake.getContentTrustTokenArgsForCall = append(fake.getContentTrustTokenArgsForCall, struct { -- username string -- password string -- imageRepo string -- hostname string -- }{username, password, imageRepo, hostname}) -+ username string -+ password string -+ imageRepo string -+ challengeSlice []oauth.Challenge -+ }{username, password, imageRepo, challengeSlice}) - fake.getContentTrustTokenMutex.Unlock() - if fake.GetContentTrustTokenStub != nil { -- return fake.GetContentTrustTokenStub(username, password, imageRepo, hostname) -+ return fake.GetContentTrustTokenStub(username, password, imageRepo, challengeSlice) - } - return fake.getContentTrustTokenReturns.token, fake.getContentTrustTokenReturns.err - } -@@ -66,6 +67,6 @@ func (fake *FakeRegistry) GetContentTrustTokenReturns(token string, err error) { - } - - // GetRegistryToken ... --func (fake *FakeRegistry) GetRegistryToken(username, password, imageRepo, hostname string) (string, error) { -+func (fake *FakeRegistry) GetRegistryToken(username, password, imageRepo string, challengeSlice []oauth.Challenge) (string, error) { - return "", fmt.Errorf("not implemented") - } -diff --git a/pkg/registry/registry.go b/pkg/registry/registry.go -index 375de38..febaa69 100644 ---- a/pkg/registry/registry.go -+++ b/pkg/registry/registry.go -@@ -23,8 +23,8 @@ type Client struct{} - - // Interface . - type Interface interface { -- GetContentTrustToken(username, password, imageRepo, hostname string) (string, error) -- GetRegistryToken(username, password, imageRepo, hostname string) (string, error) -+ GetContentTrustToken(username, password, imageRepo string, challengeSlice []oauth.Challenge) (string, error) -+ GetRegistryToken(username, password, imageRepo string, challengeSlice []oauth.Challenge) (string, error) - } - - // NewClient . -@@ -33,8 +33,8 @@ func NewClient() Interface { - } - - // GetContentTrustToken . --func (c Client) GetContentTrustToken(username, password, imageRepo, hostname string) (string, error) { -- token, err := oauth.Request(password, imageRepo, username, false, "notary", hostname) -+func (c Client) GetContentTrustToken(username, password, imageRepo string, challengeSlice []oauth.Challenge) (string, error) { -+ token, err := oauth.Request(password, imageRepo, username, challengeSlice) - if err != nil { - return "", err - } -@@ -42,8 +42,8 @@ func (c Client) GetContentTrustToken(username, password, imageRepo, hostname str - } - - // GetRegistryToken . --func (c Client) GetRegistryToken(username, password, imageRepo, hostname string) (string, error) { -- token, err := oauth.Request(password, imageRepo, username, false, "registry", hostname) -+func (c Client) GetRegistryToken(username, password, imageRepo string, challengeSlice []oauth.Challenge) (string, error) { -+ token, err := oauth.Request(password, imageRepo, username, challengeSlice) - if err != nil { - return "", err - } -diff --git a/pkg/verifier/trust/verifier.go b/pkg/verifier/trust/verifier.go -index 00aee83..7dce484 100644 ---- a/pkg/verifier/trust/verifier.go -+++ b/pkg/verifier/trust/verifier.go -@@ -17,9 +17,11 @@ package trust - import ( - "bytes" - "fmt" -+ "net/http" - "strings" - - "github.com/IBM/portieris/helpers/image" -+ "github.com/IBM/portieris/helpers/oauth" - securityenforcementv1beta1 "github.com/IBM/portieris/pkg/apis/securityenforcement/v1beta1" - "github.com/IBM/portieris/pkg/kubernetes" - "github.com/IBM/portieris/pkg/notary" -@@ -74,14 +76,61 @@ func (v *Verifier) VerifyByPolicy(namespace string, img *image.Reference, creden - } - } - -+ official := !strings.ContainsRune(img.RepoName(), '/') -+ -+ hostname := img.GetHostname() -+ port := img.GetPort() -+ if port != "" { -+ port = ":" + port -+ } -+ repo := hostname + port -+ -+ resp, err := oauth.CheckAuthRequired(notaryURL, repo, img.RepoName(), official) -+ if err != nil { -+ glog.Error(err) -+ return nil, nil, fmt.Errorf("Some error occurred while checking if authentication is required to fetch target metadata") -+ } -+ -+ if resp.StatusCode == http.StatusUnauthorized { -+ glog.Infof("Need to get token for %s to fetch target metadata", notaryURL) -+ } else if resp.StatusCode == http.StatusOK { -+ glog.Infof("No need to fetch token for %s to get the target metadata", notaryURL) -+ } else { -+ glog.Infof("Status code: %v was returned", resp.StatusCode) -+ return nil, nil, fmt.Errorf("Status code: %v was returned while checking if authentication is required to fetch target metadata", resp.StatusCode) -+ } -+ -+ glog.Infof("Status code: %v returned for repo: %v", resp.StatusCode, img.NameWithoutTag()) -+ -+ var challengeSlice []oauth.Challenge -+ -+ if resp.StatusCode == http.StatusUnauthorized { -+ challengeSlice = oauth.ResponseChallenges(resp) -+ if err != nil { -+ glog.Error(err) -+ return nil, nil, fmt.Errorf("Some error occurred when fetching challenge slice %s", err.Error()) -+ } -+ } -+ - for _, cred := range credentials { -- notaryToken, err := v.cr.GetContentTrustToken(cred[0], cred[1], img.NameWithoutTag(), img.GetRegistryURL()) -+ notaryToken, err := v.cr.GetContentTrustToken(cred[0], cred[1], img.NameWithoutTag(), challengeSlice) - if err != nil { - glog.Error(err) - continue - } - -- digest, err := v.getDigest(notaryURL, img.NameWithoutTag(), notaryToken, img.GetTag(), signers) -+ // Get image digest -+ glog.Infof("getting signed image... %v", img.RepoName()) -+ // notaryToken will be blank for unauthorized calls -+ var image string -+ if official { -+ image = "docker.io/library/" + img.RepoName() -+ } else { -+ image = img.NameWithoutTag() -+ } -+ glog.Infof("Image: %v", image) -+ -+ digest, err := v.getDigest(notaryURL, image, notaryToken, img.GetTag(), signers) - if err != nil { - if strings.Contains(err.Error(), "401") { - continue -@@ -95,5 +144,37 @@ func (v *Verifier) VerifyByPolicy(namespace string, img *image.Reference, creden - } - return digest, nil, nil - } -- return nil, fmt.Errorf("Deny %q, no valid ImagePullSecret defined for %s", img.String(), img.String()), nil -+ -+ // if no credentials defined and pulling signed images from public docker -+ notaryToken, err := v.cr.GetContentTrustToken("", "", img.NameWithoutTag(), challengeSlice) -+ if err != nil { -+ glog.Error(err) -+ return nil, nil, fmt.Errorf("Some error occurred while trying to fetch token for unauthenticated pubilc pull %s", err.Error()) -+ } -+ -+ // Get image digest -+ glog.Infof("getting signed image for %v", img.RepoName()) -+ // notaryToken will be blank for unauthorized calls -+ var image string -+ if official { -+ image = "docker.io/library/" + img.RepoName() -+ } else { -+ image = img.NameWithoutTag() -+ } -+ glog.Infof("Image: %v and tag: %v", image, img.GetTag()) -+ glog.Infof("Notary URL: %v", notaryURL) -+ digest, err := v.getDigest(notaryURL, image, notaryToken, img.GetTag(), signers) -+ if err != nil { -+ glog.Infof(err.Error()) -+ if strings.Contains(err.Error(), "401") { -+ return nil, fmt.Errorf("Deny %q, no valid ImagePullSecret defined for %s", img.String(), img.String()), nil -+ } -+ -+ if _, ok := err.(store.ErrServerUnavailable); ok { -+ glog.Errorf("Trust server unavailable: %v", err) -+ return nil, nil, fmt.Errorf("Deny %q, failed to get content trust information: %s", img.String(), err.Error()) -+ } -+ return nil, fmt.Errorf("Deny %q, failed to get content trust information: %s", img.String(), err.Error()), nil -+ } -+ return digest, nil, nil - } --- -1.8.3.1 - diff --git a/portieris-helm/debian/deb_folder/patches/0002-add-image-pull-secrets-to-images.patch b/portieris-helm/debian/deb_folder/patches/0002-add-image-pull-secrets-to-images.patch deleted file mode 100644 index 8a51266..0000000 --- a/portieris-helm/debian/deb_folder/patches/0002-add-image-pull-secrets-to-images.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 77a11903c2486d07cd3b078f99476b3a855fdce0 Mon Sep 17 00:00:00 2001 -From: Michel Thebeau -Date: Mon, 18 Jan 2021 17:02:39 -0500 -Subject: [PATCH] add image pull secrets to images - -Signed-off-by: Michel Thebeau ---- - helm/portieris/templates/deployment.yaml | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/helm/portieris/templates/deployment.yaml b/helm/portieris/templates/deployment.yaml -index b72c599..d8f3590 100644 ---- a/helm/portieris/templates/deployment.yaml -+++ b/helm/portieris/templates/deployment.yaml -@@ -21,6 +21,10 @@ spec: - release: {{ .Release.Name }} - spec: - serviceAccountName: portieris -+ {{ if .Values.image.host }} -+ imagePullSecrets: -+ - name: default-registry-key -+ {{ end }} - containers: - - name: {{ .Chart.Name }} - image: "{{ .Values.image.host | default "docker.io/ibmcom" }}/{{ .Values.image.image }}:{{ .Values.image.tag }}" --- -2.29.2 - diff --git a/portieris-helm/debian/deb_folder/patches/0003-add-toggle-to-reinstall-the-admission-webhook.patch b/portieris-helm/debian/deb_folder/patches/0003-add-toggle-to-reinstall-the-admission-webhook.patch deleted file mode 100644 index fee8cde..0000000 --- a/portieris-helm/debian/deb_folder/patches/0003-add-toggle-to-reinstall-the-admission-webhook.patch +++ /dev/null @@ -1,51 +0,0 @@ -From b5defc7482fa8a0b1ad7c96a1ad8d8b578fb7d2c Mon Sep 17 00:00:00 2001 -From: Michel Thebeau -Date: Wed, 1 Sep 2021 10:34:54 -0400 -Subject: [PATCH 3/4] add toggle to reinstall the admission webhook - -The backup and restore procedure will set ReapplyAdmissionWebhook to -true to force an "upgrade" of an already installed Portieris -application. The webhooks job is run on the helm chart's post-upgrade -hook. The chart value ReapplyAdmissionWebhook is reserved to simplify -its handling by backup and restore. - -Signed-off-by: Michel Thebeau ---- - .../admission-webhooks/create-admission-webhooks.yaml | 4 ++++ - helm/portieris/values.yaml | 4 ++++ - 2 files changed, 8 insertions(+) - -diff --git a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml -index 04bb56a..7773413 100644 ---- a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml -+++ b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml -@@ -4,7 +4,11 @@ metadata: - name: create-admission-webhooks - namespace: {{ .Values.namespace }} - annotations: -+ {{ if .Values.ReapplyAdmissionWebhook }} -+ helm.sh/hook: post-install,post-upgrade -+ {{ else }} - helm.sh/hook: post-install -+ {{ end }} - helm.sh/hook-weight: "5" - helm.sh/hook-delete-policy: hook-succeeded - labels: -diff --git a/helm/portieris/values.yaml b/helm/portieris/values.yaml -index 8b1a13e..d73d6f2 100644 ---- a/helm/portieris/values.yaml -+++ b/helm/portieris/values.yaml -@@ -29,6 +29,10 @@ SkipSecretCreation: false - # If using cert-manager to handle secrets - UseCertManager: false - -+# Set to force helm upgrade, rerun the create-admission-webhooks job -+# This value is reserved for the StarlingX backup and restore procedure -+ReapplyAdmissionWebhook: false -+ - # Resoures defined to assist scheduling - # request is typical x10, limit is typical x100 - resources: --- -2.29.2 - diff --git a/portieris-helm/debian/deb_folder/patches/0004-run-admission-webhooks-as-non-root.patch b/portieris-helm/debian/deb_folder/patches/0004-run-admission-webhooks-as-non-root.patch deleted file mode 100644 index 7275d54..0000000 --- a/portieris-helm/debian/deb_folder/patches/0004-run-admission-webhooks-as-non-root.patch +++ /dev/null @@ -1,105 +0,0 @@ -From 8a6d884de01c2ce8ad9f68284b69a0ae2e5dea2a Mon Sep 17 00:00:00 2001 -From: Michel Thebeau -Date: Wed, 1 Sep 2021 18:54:44 -0400 -Subject: [PATCH 4/4] run admission webhooks as non-root - -With pod security policies enabled the webhooks will not run as root, -with "Error: container has runAsNonRoot and image will run as root". - -Copy the securityContext from portieris chart, run as 'portieris' -service account. - -Fix subsequent jobs that fail with the absent securityContext, -permissions. Add patch verb to customresourcedefinitions for portieris -service add account. - -Signed-off-by: Michel Thebeau ---- - .../admission-webhooks/create-admission-webhooks.yaml | 3 +++ - .../admission-webhooks/delete-admission-webhooks.yaml | 3 +++ - helm/portieris/templates/clusterrole.yaml | 4 ++-- - helm/portieris/templates/crd-creation/create-crds.yaml | 4 +++- - helm/portieris/templates/crd-creation/delete-crds.yaml | 4 +++- - .../templates/crd-creation/validate-crd-creation.yaml | 4 +++- - 6 files changed, 17 insertions(+), 5 deletions(-) - -diff --git a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml -index 7773413..cbe0eb7 100644 ---- a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml -+++ b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml -@@ -44,3 +44,6 @@ spec: - configMap: - name: admission-webhooks - restartPolicy: OnFailure -+ securityContext: -+ runAsUser: {{ .Values.securityContext.runAsUser }} -+ -diff --git a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml -index ce34927..dd8c259 100644 ---- a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml -+++ b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml -@@ -40,3 +40,6 @@ spec: - configMap: - name: admission-webhooks - restartPolicy: OnFailure -+ securityContext: -+ runAsUser: {{ .Values.securityContext.runAsUser }} -+ -diff --git a/helm/portieris/templates/clusterrole.yaml b/helm/portieris/templates/clusterrole.yaml -index 67c5912..13b4cb4 100644 ---- a/helm/portieris/templates/clusterrole.yaml -+++ b/helm/portieris/templates/clusterrole.yaml -@@ -16,10 +16,10 @@ rules: - verbs: ["get", "watch", "list", "create", "patch"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] -- verbs: ["get", "create", "delete"] -+ verbs: ["get", "create", "delete", "patch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"] -- verbs: ["get", "create", "delete"] -+ verbs: ["get", "create", "delete", "patch"] - - apiGroups: [""] - resources: ["secrets", "serviceaccounts"] - verbs: ["get"] -diff --git a/helm/portieris/templates/crd-creation/create-crds.yaml b/helm/portieris/templates/crd-creation/create-crds.yaml -index 3ac36f6..13b0ca2 100644 ---- a/helm/portieris/templates/crd-creation/create-crds.yaml -+++ b/helm/portieris/templates/crd-creation/create-crds.yaml -@@ -39,4 +39,6 @@ spec: - configMap: - name: image-policy-crds - restartPolicy: OnFailure -- -\ No newline at end of file -+ securityContext: -+ runAsUser: {{ .Values.securityContext.runAsUser }} -+ -diff --git a/helm/portieris/templates/crd-creation/delete-crds.yaml b/helm/portieris/templates/crd-creation/delete-crds.yaml -index 9080511..783fe23 100644 ---- a/helm/portieris/templates/crd-creation/delete-crds.yaml -+++ b/helm/portieris/templates/crd-creation/delete-crds.yaml -@@ -40,4 +40,6 @@ spec: - configMap: - name: image-policy-crds - restartPolicy: OnFailure -- -+ securityContext: -+ runAsUser: {{ .Values.securityContext.runAsUser }} -+ -diff --git a/helm/portieris/templates/crd-creation/validate-crd-creation.yaml b/helm/portieris/templates/crd-creation/validate-crd-creation.yaml -index 5c68466..d3075da 100644 ---- a/helm/portieris/templates/crd-creation/validate-crd-creation.yaml -+++ b/helm/portieris/templates/crd-creation/validate-crd-creation.yaml -@@ -33,4 +33,6 @@ spec: - - imagepolicies.securityenforcement.admission.cloud.ibm.com - - clusterimagepolicies.securityenforcement.admission.cloud.ibm.com - restartPolicy: OnFailure -- -\ No newline at end of file -+ securityContext: -+ runAsUser: {{ .Values.securityContext.runAsUser }} -+ --- -2.29.2 - diff --git a/portieris-helm/debian/deb_folder/patches/0005-add-toleration.patch b/portieris-helm/debian/deb_folder/patches/0005-add-toleration.patch deleted file mode 100644 index 9186ffe..0000000 --- a/portieris-helm/debian/deb_folder/patches/0005-add-toleration.patch +++ /dev/null @@ -1,130 +0,0 @@ -From ed939af4c374f834f6e15e2f6c3d5cbff53c90ec Mon Sep 17 00:00:00 2001 -From: Rafael Camargos -Date: Tue, 28 Sep 2021 11:05:29 -0400 -Subject: [PATCH] Add toleration to deployment and jobs - ---- - .../admission-webhooks/create-admission-webhooks.yaml | 4 ++++ - .../admission-webhooks/delete-admission-webhooks.yaml | 4 ++++ - helm/portieris/templates/crd-creation/create-crds.yaml | 4 ++++ - helm/portieris/templates/crd-creation/delete-crds.yaml | 4 ++++ - .../templates/crd-creation/validate-crd-creation.yaml | 4 ++++ - .../templates/default/create-default-policies.yaml | 6 +++++- - helm/portieris/templates/deployment.yaml | 4 ++++ - 7 files changed, 29 insertions(+), 1 deletion(-) - -diff --git a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml -index cbe0eb7..fe3e5c2 100644 ---- a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml -+++ b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml -@@ -27,6 +27,10 @@ spec: - heritage: {{ .Release.Service }} - spec: - serviceAccountName: portieris -+ tolerations: -+ - key: "node-role.kubernetes.io/master" -+ operator: "Exists" -+ effect: "NoSchedule" - containers: - - name: hyperkube - image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}" -diff --git a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml -index dd8c259..e8edc3d 100644 ---- a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml -+++ b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml -@@ -23,6 +23,10 @@ spec: - heritage: {{ .Release.Service }} - spec: - serviceAccountName: portieris -+ tolerations: -+ - key: "node-role.kubernetes.io/master" -+ operator: "Exists" -+ effect: "NoSchedule" - containers: - - name: hyperkube - image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}" -diff --git a/helm/portieris/templates/crd-creation/create-crds.yaml b/helm/portieris/templates/crd-creation/create-crds.yaml -index 13b0ca2..2033ee6 100644 ---- a/helm/portieris/templates/crd-creation/create-crds.yaml -+++ b/helm/portieris/templates/crd-creation/create-crds.yaml -@@ -23,6 +23,10 @@ spec: - heritage: {{ .Release.Service }} - spec: - serviceAccountName: portieris -+ tolerations: -+ - key: "node-role.kubernetes.io/master" -+ operator: "Exists" -+ effect: "NoSchedule" - containers: - - name: hyperkube - image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}" -diff --git a/helm/portieris/templates/crd-creation/delete-crds.yaml b/helm/portieris/templates/crd-creation/delete-crds.yaml -index 783fe23..894598a 100644 ---- a/helm/portieris/templates/crd-creation/delete-crds.yaml -+++ b/helm/portieris/templates/crd-creation/delete-crds.yaml -@@ -23,6 +23,10 @@ spec: - heritage: {{ .Release.Service }} - spec: - serviceAccountName: portieris -+ tolerations: -+ - key: "node-role.kubernetes.io/master" -+ operator: "Exists" -+ effect: "NoSchedule" - containers: - - name: hyperkube - image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}" -diff --git a/helm/portieris/templates/crd-creation/validate-crd-creation.yaml b/helm/portieris/templates/crd-creation/validate-crd-creation.yaml -index d3075da..58e501e 100644 ---- a/helm/portieris/templates/crd-creation/validate-crd-creation.yaml -+++ b/helm/portieris/templates/crd-creation/validate-crd-creation.yaml -@@ -23,6 +23,10 @@ spec: - heritage: {{ .Release.Service }} - spec: - serviceAccountName: portieris -+ tolerations: -+ - key: "node-role.kubernetes.io/master" -+ operator: "Exists" -+ effect: "NoSchedule" - containers: - - name: hyperkube - image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}" -diff --git a/helm/portieris/templates/default/create-default-policies.yaml b/helm/portieris/templates/default/create-default-policies.yaml -index 31a38c0..fae1597 100644 ---- a/helm/portieris/templates/default/create-default-policies.yaml -+++ b/helm/portieris/templates/default/create-default-policies.yaml -@@ -23,6 +23,10 @@ spec: - heritage: {{ .Release.Service }} - spec: - serviceAccountName: portieris -+ tolerations: -+ - key: "node-role.kubernetes.io/master" -+ operator: "Exists" -+ effect: "NoSchedule" - containers: - - name: hyperkube - image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}" -@@ -39,4 +43,4 @@ spec: - configMap: - name: default-image-policies - restartPolicy: OnFailure -- -\ No newline at end of file -+ -diff --git a/helm/portieris/templates/deployment.yaml b/helm/portieris/templates/deployment.yaml -index d8f3590..e6c4184 100644 ---- a/helm/portieris/templates/deployment.yaml -+++ b/helm/portieris/templates/deployment.yaml -@@ -25,6 +25,10 @@ spec: - imagePullSecrets: - - name: default-registry-key - {{ end }} -+ tolerations: -+ - key: "node-role.kubernetes.io/master" -+ operator: "Exists" -+ effect: "NoSchedule" - containers: - - name: {{ .Chart.Name }} - image: "{{ .Values.image.host | default "docker.io/ibmcom" }}/{{ .Values.image.image }}:{{ .Values.image.tag }}" --- -2.29.2 - diff --git a/portieris-helm/debian/deb_folder/patches/0006-Add-toleration-to-deployment-and-jobs.patch b/portieris-helm/debian/deb_folder/patches/0006-Add-toleration-to-deployment-and-jobs.patch deleted file mode 100644 index 43ee792..0000000 --- a/portieris-helm/debian/deb_folder/patches/0006-Add-toleration-to-deployment-and-jobs.patch +++ /dev/null @@ -1,119 +0,0 @@ -From ed8b4b884a2a73b07934461206db66adf8da8218 Mon Sep 17 00:00:00 2001 -From: Boovan Rajendran -Date: Fri, 28 Oct 2022 10:37:56 -0400 -Subject: [PATCH] Add toleration to deployment and jobs - -The tolerations address the nodeselectors for kubernetes versions 1.24 and earlier. - -Signed-off-by: Rafael Camargos ---- - .../admission-webhooks/create-admission-webhooks.yaml | 3 +++ - .../admission-webhooks/delete-admission-webhooks.yaml | 3 +++ - helm/portieris/templates/crd-creation/create-crds.yaml | 3 +++ - helm/portieris/templates/crd-creation/delete-crds.yaml | 3 +++ - .../templates/crd-creation/validate-crd-creation.yaml | 3 +++ - helm/portieris/templates/default/create-default-policies.yaml | 3 +++ - helm/portieris/templates/deployment.yaml | 3 +++ - 7 files changed, 21 insertions(+) - -diff --git a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml -index fe3e5c2..6674602 100644 ---- a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml -+++ b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml -@@ -31,6 +31,9 @@ spec: - - key: "node-role.kubernetes.io/master" - operator: "Exists" - effect: "NoSchedule" -+ - key: "node-role.kubernetes.io/control-plane" -+ operator: "Exists" -+ effect: "NoSchedule" - containers: - - name: hyperkube - image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}" -diff --git a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml -index e8edc3d..abd1538 100644 ---- a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml -+++ b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml -@@ -27,6 +27,9 @@ spec: - - key: "node-role.kubernetes.io/master" - operator: "Exists" - effect: "NoSchedule" -+ - key: "node-role.kubernetes.io/control-plane" -+ operator: "Exists" -+ effect: "NoSchedule" - containers: - - name: hyperkube - image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}" -diff --git a/helm/portieris/templates/crd-creation/create-crds.yaml b/helm/portieris/templates/crd-creation/create-crds.yaml -index 2033ee6..1237920 100644 ---- a/helm/portieris/templates/crd-creation/create-crds.yaml -+++ b/helm/portieris/templates/crd-creation/create-crds.yaml -@@ -27,6 +27,9 @@ spec: - - key: "node-role.kubernetes.io/master" - operator: "Exists" - effect: "NoSchedule" -+ - key: "node-role.kubernetes.io/control-plane" -+ operator: "Exists" -+ effect: "NoSchedule" - containers: - - name: hyperkube - image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}" -diff --git a/helm/portieris/templates/crd-creation/delete-crds.yaml b/helm/portieris/templates/crd-creation/delete-crds.yaml -index 894598a..b0a3c0a 100644 ---- a/helm/portieris/templates/crd-creation/delete-crds.yaml -+++ b/helm/portieris/templates/crd-creation/delete-crds.yaml -@@ -27,6 +27,9 @@ spec: - - key: "node-role.kubernetes.io/master" - operator: "Exists" - effect: "NoSchedule" -+ - key: "node-role.kubernetes.io/control-plane" -+ operator: "Exists" -+ effect: "NoSchedule" - containers: - - name: hyperkube - image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}" -diff --git a/helm/portieris/templates/crd-creation/validate-crd-creation.yaml b/helm/portieris/templates/crd-creation/validate-crd-creation.yaml -index 58e501e..430c1ab 100644 ---- a/helm/portieris/templates/crd-creation/validate-crd-creation.yaml -+++ b/helm/portieris/templates/crd-creation/validate-crd-creation.yaml -@@ -27,6 +27,9 @@ spec: - - key: "node-role.kubernetes.io/master" - operator: "Exists" - effect: "NoSchedule" -+ - key: "node-role.kubernetes.io/control-plane" -+ operator: "Exists" -+ effect: "NoSchedule" - containers: - - name: hyperkube - image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}" -diff --git a/helm/portieris/templates/default/create-default-policies.yaml b/helm/portieris/templates/default/create-default-policies.yaml -index fae1597..6f55ccc 100644 ---- a/helm/portieris/templates/default/create-default-policies.yaml -+++ b/helm/portieris/templates/default/create-default-policies.yaml -@@ -27,6 +27,9 @@ spec: - - key: "node-role.kubernetes.io/master" - operator: "Exists" - effect: "NoSchedule" -+ - key: "node-role.kubernetes.io/control-plane" -+ operator: "Exists" -+ effect: "NoSchedule" - containers: - - name: hyperkube - image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}" -diff --git a/helm/portieris/templates/deployment.yaml b/helm/portieris/templates/deployment.yaml -index e6c4184..7835f29 100644 ---- a/helm/portieris/templates/deployment.yaml -+++ b/helm/portieris/templates/deployment.yaml -@@ -29,6 +29,9 @@ spec: - - key: "node-role.kubernetes.io/master" - operator: "Exists" - effect: "NoSchedule" -+ - key: "node-role.kubernetes.io/control-plane" -+ operator: "Exists" -+ effect: "NoSchedule" - containers: - - name: {{ .Chart.Name }} - image: "{{ .Values.image.host | default "docker.io/ibmcom" }}/{{ .Values.image.image }}:{{ .Values.image.tag }}" --- -2.25.1 - diff --git a/portieris-helm/debian/deb_folder/patches/series b/portieris-helm/debian/deb_folder/patches/series index 6aa46de..43898f1 100644 --- a/portieris-helm/debian/deb_folder/patches/series +++ b/portieris-helm/debian/deb_folder/patches/series @@ -1,6 +1 @@ -0001-Squash-required-portieris-fixes.patch -0002-add-image-pull-secrets-to-images.patch -0003-add-toggle-to-reinstall-the-admission-webhook.patch -0004-run-admission-webhooks-as-non-root.patch -0005-add-toleration.patch -0006-Add-toleration-to-deployment-and-jobs.patch +0001-Add-permissive-cluster-policy-by-default.patch diff --git a/portieris-helm/debian/deb_folder/rules b/portieris-helm/debian/deb_folder/rules index 90a9234..ffe220c 100755 --- a/portieris-helm/debian/deb_folder/rules +++ b/portieris-helm/debian/deb_folder/rules @@ -3,7 +3,7 @@ export ROOT = debian/tmp export CHART_FOLDER = $(ROOT)/usr/lib/helm -export PORTIERIS_VERSION = 0.7.0 +export PORTIERIS_VERSION = v0.13.1 export PORTIERIS_TARBALL = portieris-$(PORTIERIS_VERSION).tgz %: diff --git a/portieris-helm/debian/meta_data.yaml b/portieris-helm/debian/meta_data.yaml index 8ed0786..db9756e 100644 --- a/portieris-helm/debian/meta_data.yaml +++ b/portieris-helm/debian/meta_data.yaml @@ -2,9 +2,9 @@ debname: portieris-helm debver: 1.0-1 dl_path: - name: portieris-0.7.0.tgz - url: https://github.com/IBM/portieris/archive/0.7.0.tar.gz - md5sum: ef9c907c5fe0e49db91fd0072d39111e + name: portieris-0.13.1.tgz + url: https://github.com/IBM/portieris/archive/refs/tags/v0.13.1.tar.gz + md5sum: 3c5b2a092172dfd0fd51d4319305680f src_files: - files/metadata.yaml - files/index.yaml diff --git a/portieris-helm/files/0001-Add-permissive-cluster-policy-by-default.patch b/portieris-helm/files/0001-Add-permissive-cluster-policy-by-default.patch new file mode 100644 index 0000000..4308a3f --- /dev/null +++ b/portieris-helm/files/0001-Add-permissive-cluster-policy-by-default.patch @@ -0,0 +1,37 @@ +From 0eff41601723e51d975af4e4663dc788bb067f0a Mon Sep 17 00:00:00 2001 +From: Jerry Sun +Date: Mon, 16 Jan 2023 11:35:58 -0500 +Subject: [PATCH 1/1] Add permissive cluster policy by default + +The default permissive policy is only added if the policy set is +set to IKS. In the non IKS case, no default cluster image policy +is created. This means all pod deployment is denied in all +namespaces that don't have any imagepolicies. This patch applies +the default permissive cluster image policy to not interfere with +platform functionality when Portieris is applied. + +Signed-off-by: Jerry Sun +--- + helm/portieris/templates/policies.yaml | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/helm/portieris/templates/policies.yaml b/helm/portieris/templates/policies.yaml +index 6e67ffc..ed8c84f 100644 +--- a/helm/portieris/templates/policies.yaml ++++ b/helm/portieris/templates/policies.yaml +@@ -65,7 +65,6 @@ spec: + --- + {{ end }} + +-{{- if (eq .Values.PolicySet "IKS") }} + apiVersion: portieris.cloud.ibm.com/v1 + kind: ClusterImagePolicy + metadata: +@@ -77,4 +76,3 @@ spec: + repositories: + {{- .Values.clusterPolicy.allowedRepositories | toYaml | nindent 4 }} + --- +-{{ end }} +-- +2.34.1 + diff --git a/portieris-helm/files/0001-Squash-required-portieris-fixes.patch b/portieris-helm/files/0001-Squash-required-portieris-fixes.patch deleted file mode 100644 index b71b0cf..0000000 --- a/portieris-helm/files/0001-Squash-required-portieris-fixes.patch +++ /dev/null @@ -1,1296 +0,0 @@ -From 42bd348d6a6b656d62dc436313b4dd2d8c838993 Mon Sep 17 00:00:00 2001 -From: Joseph Richard -Date: Thu, 23 Jul 2020 15:45:17 -0400 -Subject: [PATCH] Squash required portieris fixes - -Add fixes for these issues to portieris build: - * https://github.com/IBM/portieris/issues/51 - * https://github.com/IBM/portieris/issues/59 - -This should be rebased once those issues are fixed in a published -release of portieris. - -Signed-off-by: Joseph Richard ---- - CHANGELOG.md | 23 +++ - README.md | 19 ++- - cmd/trust/main.go | 8 +- - helm/cleanup.sh | 7 +- - helm/portieris/gencerts | 10 +- - .../delete-admission-webhooks.yaml | 2 +- - .../templates/admission-webhooks/webhooks.yaml | 8 +- - helm/portieris/templates/clusterrole.yaml | 7 +- - helm/portieris/templates/clusterrolebinding.yaml | 3 + - .../templates/crd-creation/configmap.yaml | 3 + - .../templates/crd-creation/create-crds.yaml | 2 +- - .../templates/crd-creation/delete-crds.yaml | 6 +- - helm/portieris/templates/default/policies.yaml | 76 +++++---- - helm/portieris/templates/deployment.yaml | 8 +- - helm/portieris/templates/secret.yaml | 26 ++- - .../templates/securitycontextconstraint.yaml | 43 +++++ - helm/portieris/templates/service.yaml | 2 +- - helm/portieris/templates/serviceaccount.yaml | 3 + - helm/portieris/values.yaml | 53 ++++-- - helpers/image/image.go | 7 + - helpers/oauth/header.go | 178 +++++++++++++++++++++ - helpers/oauth/oauth.go | 85 ++++++++-- - pkg/controller/multi/notary_test.go | 16 +- - pkg/registry/fakeregistry/fakeregistry.go | 27 ++-- - pkg/registry/registry.go | 12 +- - pkg/verifier/trust/verifier.go | 87 +++++++++- - 26 files changed, 598 insertions(+), 123 deletions(-) - create mode 100644 CHANGELOG.md - create mode 100644 helm/portieris/templates/securitycontextconstraint.yaml - create mode 100644 helpers/oauth/header.go - -diff --git a/CHANGELOG.md b/CHANGELOG.md -new file mode 100644 -index 0000000..0c93f86 ---- /dev/null -+++ b/CHANGELOG.md -@@ -0,0 +1,23 @@ -+# Change Log -+ -+Notable changes recorded here. -+This project adheres to [Semantic Versioning](http://semver.org/). -+ -+# 0.7.1 -+## 2020-06-xx -+ -+* Fix the port name in service template ([PR#149](https://github.com/IBM/portieris/pull/149)) -+* Change the default namespace to portieris ([#117](https://github.com/IBM/portieris/issues/117)) -+* Support Helm3 and Openshift 4 ([#130](https://github.com/IBM/portieris/pull/130)) -+* anti-affinity and liveness/readiness probes ([#66](https://github.com/IBM/portieris/issues/66)) -+* Support sourcing webhook certificates from cert-manager ([#59](https://github.com/IBM/portieris/issues/59)) -+ -+# 0.7.0 -+## 2020-06-09 -+ -+* Support for reading simple signatures from lookaside storage, ([#93](https://github.com/IBM/portieris/issues/93)) -+ -+# 0.6.0 -+## 2020-03-26 -+ -+* Support for the verification of simple signatures using [containers/image](https://github.com/containers/image). ([#70](https://github.com/IBM/portieris/issues/70)) -diff --git a/README.md b/README.md -index b417d36..af69444 100644 ---- a/README.md -+++ b/README.md -@@ -29,18 +29,27 @@ Portieris' Admission Webhook is configured to fail closed. Three instances of Po - - ## Installing Portieris - --Portieris is installed using a Helm chart. Before you begin, make sure that you have Kubernetes 1.9 or above, and Helm 2.8 or above (not Helm 3.x) installed in your cluster. -+Portieris is installed using a Helm chart. Before you begin, make sure that you have Kubernetes 1.16 or above and Helm 3.0 or above installed on your workstation. - --To install Portieris: -+To install Portieris in the default namespace (portieris): - - * Clone the Portieris Git repository to your workstation. - * Change directory into the Portieris Git repository. --* Run `./helm/portieris/gencerts `. The `gencerts` script generates new SSL certificates and keys for Portieris. Portieris presents this certificates to the Kubernetes API server when the API server makes admission requests. If you do not generate new certificates, it could be possible for an attacker to spoof Portieris in your cluster. --* Run `helm upgrade --install portieris --set namespace= helm/portieris`. -+* Run `./helm/portieris/gencerts`. The `gencerts` script generates new SSL certificates and keys for Portieris. Portieris presents this certificates to the Kubernetes API server when the API server makes admission requests. If you do not generate new certificates, it could be possible for an attacker to spoof Portieris in your cluster. -+* Run `kubectl create namespace portieris` -+* Run `helm install portieris helm/portieris`. -+ -+To use an alternative namespace: -+* Run `./helm/portieris/gencerts `. -+* Run `kubectl create namespace `. -+* Run `helm install portieris --set namespace= helm/portieris`. -+ -+To manage certificates through installed cert-manager(https://cert-manager.io/): -+* Run `helm install portieris --set UseCertManager=true helm/portieris`. - - ## Uninstalling Portieris - --You can uninstall Portieris at any time by running `helm delete --purge portieris`. Note that all your image security policies are deleted when you uninstall Portieris. -+You can uninstall Portieris at any time by running `helm delete portieris`. Note that all your image security policies are deleted when you uninstall Portieris. - - ## Image security policies - -diff --git a/cmd/trust/main.go b/cmd/trust/main.go -index e07daa4..4295842 100644 ---- a/cmd/trust/main.go -+++ b/cmd/trust/main.go -@@ -77,13 +77,13 @@ func main() { - glog.Fatal("Could not get trust client", err) - } - -- serverCert, err := ioutil.ReadFile("/etc/certs/serverCert.pem") -+ serverCert, err := ioutil.ReadFile("/etc/certs/tls.crt") - if err != nil { -- glog.Fatal("Could not read /etc/certs/serverCert.pem", err) -+ glog.Fatal("Could not read /etc/certs/tls.crt", err) - } -- serverKey, err := ioutil.ReadFile("/etc/certs/serverKey.pem") -+ serverKey, err := ioutil.ReadFile("/etc/certs/tls.key") - if err != nil { -- glog.Fatal("Could not read /etc/certs/serverKey.pem", err) -+ glog.Fatal("Could not read /etc/certs/tls.key", err) - } - - cr := registryclient.NewClient() -diff --git a/helm/cleanup.sh b/helm/cleanup.sh -index 89dd681..06b69a8 100755 ---- a/helm/cleanup.sh -+++ b/helm/cleanup.sh -@@ -1,9 +1,9 @@ - #! /bin/bash - - RELEASE_NAME=${1:-portieris} --NAMESPACE=${2:-ibm-system} -+NAMESPACE=${2:-portieris} - --echo Purging release ${RELEASE_NAME} in ${NAMESPACE} -+echo Deleting release ${RELEASE_NAME} in ${NAMESPACE} - - kubectl delete MutatingWebhookConfiguration image-admission-config --ignore-not-found=true - kubectl delete ValidatingWebhookConfiguration image-admission-config --ignore-not-found=true -@@ -12,6 +12,5 @@ kubectl delete crd clusterimagepolicies.securityenforcement.admission.cloud.ibm. - - kubectl delete jobs -n ${NAMESPACE} create-admission-webhooks create-armada-image-policies create-crds validate-crd-creation --ignore-not-found=true - --helm delete --purge ${RELEASE_NAME} -+helm delete ${RELEASE_NAME} --no-hooks - --kubectl delete jobs -n ${NAMESPACE} delete-admission-webhooks delete-crds --ignore-not-found=true -diff --git a/helm/portieris/gencerts b/helm/portieris/gencerts -index 3e1c724..d1dc2fa 100755 ---- a/helm/portieris/gencerts -+++ b/helm/portieris/gencerts -@@ -3,7 +3,7 @@ - SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" - - SERVICE_NAME=portieris --NAMESPACE=${1:-ibm-system} -+NAMESPACE=${1:-portieris} - - echo "Using $SERVICE_NAME as the service name" - echo "Using $NAMESPACE as the namespace" -@@ -26,12 +26,12 @@ EOF - - # Create a certificate authority - openssl genrsa -out $CERT_DIR/caKey.pem 2048 --openssl req -x509 -new -nodes -key $CERT_DIR/caKey.pem -days 100000 -out $CERT_DIR/caCert.pem -subj "/CN=${SERVICE_NAME}_ca" -+openssl req -x509 -new -nodes -key $CERT_DIR/caKey.pem -days 100000 -out $CERT_DIR/ca.crt -subj "/CN=${SERVICE_NAME}_ca" - - # Create a server certiticate --openssl genrsa -out $CERT_DIR/serverKey.pem 2048 -+openssl genrsa -out $CERT_DIR/tls.key 2048 - # Note the CN is the DNS name of the service of the webhook. --openssl req -new -key $CERT_DIR/serverKey.pem -out $CERT_DIR/server.csr -subj "/CN=${SERVICE_NAME}.${NAMESPACE}.svc" -config $CERT_DIR/server.conf --openssl x509 -req -in $CERT_DIR/server.csr -CA $CERT_DIR/caCert.pem -CAkey $CERT_DIR/caKey.pem -CAcreateserial -out $CERT_DIR/serverCert.pem -days 100000 -extensions v3_req -extfile $CERT_DIR/server.conf -+openssl req -new -key $CERT_DIR/tls.key -out $CERT_DIR/server.csr -subj "/CN=${SERVICE_NAME}.${NAMESPACE}.svc" -config $CERT_DIR/server.conf -+openssl x509 -req -in $CERT_DIR/server.csr -CA $CERT_DIR/ca.crt -CAkey $CERT_DIR/caKey.pem -CAcreateserial -out $CERT_DIR/tls.crt -days 100000 -extensions v3_req -extfile $CERT_DIR/server.conf - - rm $CERT_DIR/caKey.pem $CERT_DIR/server.conf $CERT_DIR/server.csr -diff --git a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml -index 35a3812..ce34927 100644 ---- a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml -+++ b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml -@@ -5,7 +5,7 @@ metadata: - namespace: {{ .Values.namespace }} - annotations: - helm.sh/hook: pre-delete -- helm.sh/hook-weight: "-10" -+ helm.sh/hook-weight: "-8" - helm.sh/hook-delete-policy: hook-succeeded - labels: - app: {{ template "portieris.name" . }} -diff --git a/helm/portieris/templates/admission-webhooks/webhooks.yaml b/helm/portieris/templates/admission-webhooks/webhooks.yaml -index caee941..0f013a0 100644 ---- a/helm/portieris/templates/admission-webhooks/webhooks.yaml -+++ b/helm/portieris/templates/admission-webhooks/webhooks.yaml -@@ -3,6 +3,10 @@ apiVersion: admissionregistration.k8s.io/v1beta1 - kind: MutatingWebhookConfiguration - metadata: - name: image-admission-config -+ {{ if .Values.UseCertManager }} -+ annotations: -+ cert-manager.io/inject-ca-from: {{ .Values.namespace }}/portieris-certs -+ {{ end }} - namespace: {{ .Values.namespace }} - labels: - app: {{ template "portieris.name" . }} -@@ -16,7 +20,9 @@ webhooks: - name: {{ template "portieris.name" . }} - namespace: {{ .Values.namespace }} - path: "/admit" -- caBundle: {{ .Files.Get "certs/caCert.pem" | b64enc }} -+ {{ if not .Values.UseCertManager }} -+ caBundle: {{ .Files.Get "certs/ca.crt" | b64enc }} -+ {{ end }} - rules: - - operations: [ "CREATE", "UPDATE" ] - apiGroups: ["*"] -diff --git a/helm/portieris/templates/clusterrole.yaml b/helm/portieris/templates/clusterrole.yaml -index 2090543..67c5912 100644 ---- a/helm/portieris/templates/clusterrole.yaml -+++ b/helm/portieris/templates/clusterrole.yaml -@@ -7,10 +7,13 @@ metadata: - chart: {{ template "portieris.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -+ annotations: -+ helm.sh/hook: pre-install -+ helm.sh/hook-weight: "-10" - rules: - - apiGroups: ["securityenforcement.admission.cloud.ibm.com"] - resources: ["imagepolicies", "clusterimagepolicies"] -- verbs: ["get", "watch", "list", "create"] -+ verbs: ["get", "watch", "list", "create", "patch"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "create", "delete"] -@@ -19,4 +22,4 @@ rules: - verbs: ["get", "create", "delete"] - - apiGroups: [""] - resources: ["secrets", "serviceaccounts"] -- verbs: ["get"] -\ No newline at end of file -+ verbs: ["get"] -diff --git a/helm/portieris/templates/clusterrolebinding.yaml b/helm/portieris/templates/clusterrolebinding.yaml -index 3468bb0..0bfdac7 100644 ---- a/helm/portieris/templates/clusterrolebinding.yaml -+++ b/helm/portieris/templates/clusterrolebinding.yaml -@@ -7,6 +7,9 @@ metadata: - chart: {{ template "portieris.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -+ annotations: -+ helm.sh/hook: pre-install -+ helm.sh/hook-weight: "-9" - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole -diff --git a/helm/portieris/templates/crd-creation/configmap.yaml b/helm/portieris/templates/crd-creation/configmap.yaml -index 5c185af..0cdeb40 100644 ---- a/helm/portieris/templates/crd-creation/configmap.yaml -+++ b/helm/portieris/templates/crd-creation/configmap.yaml -@@ -8,6 +8,9 @@ metadata: - chart: {{ template "portieris.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -+ annotations: -+ helm.sh/hook: pre-install -+ helm.sh/hook-weight: "-7" - data: - custom-resource-definitions.yaml: |- - {{- include "crds.yaml.tpl" . | indent 4}} -diff --git a/helm/portieris/templates/crd-creation/create-crds.yaml b/helm/portieris/templates/crd-creation/create-crds.yaml -index 7be3d51..3ac36f6 100644 ---- a/helm/portieris/templates/crd-creation/create-crds.yaml -+++ b/helm/portieris/templates/crd-creation/create-crds.yaml -@@ -4,7 +4,7 @@ metadata: - name: create-crds - namespace: {{ .Values.namespace }} - annotations: -- helm.sh/hook: post-install -+ helm.sh/hook: pre-install - helm.sh/hook-weight: "-6" - helm.sh/hook-delete-policy: hook-succeeded - labels: -diff --git a/helm/portieris/templates/crd-creation/delete-crds.yaml b/helm/portieris/templates/crd-creation/delete-crds.yaml -index 7313d23..9080511 100644 ---- a/helm/portieris/templates/crd-creation/delete-crds.yaml -+++ b/helm/portieris/templates/crd-creation/delete-crds.yaml -@@ -4,8 +4,8 @@ metadata: - name: delete-crds - namespace: {{ .Values.namespace }} - annotations: -- helm.sh/hook: pre-delete -- helm.sh/hook-weight: "-9" -+ helm.sh/hook: post-delete -+ helm.sh/hook-weight: "-8" - helm.sh/hook-delete-policy: hook-succeeded - labels: - app: {{ template "portieris.name" . }} -@@ -40,4 +40,4 @@ spec: - configMap: - name: image-policy-crds - restartPolicy: OnFailure -- -\ No newline at end of file -+ -diff --git a/helm/portieris/templates/default/policies.yaml b/helm/portieris/templates/default/policies.yaml -index d9dc0e7..f47fa8f 100644 ---- a/helm/portieris/templates/default/policies.yaml -+++ b/helm/portieris/templates/default/policies.yaml -@@ -2,73 +2,79 @@ - apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1 - kind: ImagePolicy - metadata: -- name: portieris-default-image-policy -+ name: default - namespace: {{ .Values.namespace }} - annotations: - helm.sh/hook: post-install - helm.sh/hook-weight: "1" - spec: - repositories: -- # This policy allows all images to be deployed into this namespace. This policy prevents breaking any existing third party applications in this namespace. -- # IMPORTANT: Review this policy and replace it with one that meets your requirements. If you do not run any third party applications in this namespace, you can remove this policy entirely. -- - name: "*" -- policy: -- {{ if .Values.IBMContainerService }} -- # These policies allow all IBM Cloud Container Service images from the global and all regional registries to deploy in this namespace. -- # IMPORTANT: When you create your own policy in this namespace, make sure to include these repositories. If you do not, the cluster might not function properly. -- - name: "*.icr.io/armada/*" -- policy: -- - name: "*.icr.io/armada-worker/*" -- policy: -- - name: "*.icr.io/armada-master/*" -- policy: -- {{ end }} -- # This policy prevents Portieris from blocking itself -- - name: "{{ .Values.image.host }}/{{ .Values.image.image }}:{{ .Values.image.tag }}" -- policy: -- # This policy allows Portieris to use Hyperkube to configure your cluster. This policy must exist if you uninstall Portieris. -+ # This policy prevents Portieris from denying its own updates. Do not remove this policy or portieris may not function correctly. -+ - name: "{{ .Values.image.host | default "docker.io/ibmcom" }}/{{ .Values.image.image }}:{{ .Values.image.tag }}" -+ # This policy allows Portieris to use Hyperkube to configure your cluster. This policy must exist if order to uninstall Portieris. - - name: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}" -- policies: -- - --- - apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1 - kind: ImagePolicy - metadata: -- name: portieris-default-image-policy -+ name: default - namespace: kube-system - annotations: - helm.sh/hook: post-install - helm.sh/hook-weight: "1" - spec: - repositories: -- # This policy allows all images to be deployed into this namespace. This policy prevents breaking any existing third party applications in this namespace. -- # IMPORTANT: Review this policy and replace it with one that meets your requirements. If you do not run any third party applications in this namespace, you can remove this policy entirely. -+ # This permissive policy allows all images to be deployed into this namespace. -+ # IMPORTANT: Review this policy and replace it with one that meets your requirements. - - name: "*" -- policy: - {{ if .Values.IBMContainerService }} -- # These policies allow all IBM Cloud Container Service images from the global and all regional registries to deploy in this namespace. -- # IMPORTANT: When you create your own policy in this namespace, make sure to include these repositories. If you do not, the cluster might not function properly. -+ # These policies allow all IBM Cloud Container Service images to deploy in this namespace. -+ # IMPORTANT: When you create your own policy in this namespace, be sure to retain these policies. If you do not, the cluster might not update or function properly. -+ - name: "registry*.bluemix.net/armada/*" -+ - name: "registry*.bluemix.net/armada-worker/*" -+ - name: "registry*.bluemix.net/armada-master/*" - - name: "*.icr.io/armada/*" -- policy: - - name: "*.icr.io/armada-worker/*" -- policy: - - name: "*.icr.io/armada-master/*" -- policy: -+ - name: "icr.io/armada/*" -+ - name: "icr.io/armada-worker/*" -+ - name: "icr.io/armada-master/*" - {{ end }} - --- -+{{ if .Values.IBMContainerService }} -+apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1 -+kind: ImagePolicy -+metadata: -+ name: default -+ namespace: ibm-system -+ annotations: -+ helm.sh/hook: post-install -+ helm.sh/hook-weight: "1" -+spec: -+ repositories: -+ # These policies allow all IBM Cloud Container Service images to deploy in this namespace. -+ # IMPORTANT: When you create your own policy in this namespace, make sure to retain these policies. If you do not, the cluster might not update or function properly. -+ - name: "registry*.bluemix.net/armada/*" -+ - name: "registry*.bluemix.net/armada-worker/*" -+ - name: "registry*.bluemix.net/armada-master/*" -+ - name: "*.icr.io/armada/*" -+ - name: "*.icr.io/armada-worker/*" -+ - name: "*.icr.io/armada-master/*" -+ - name: "icr.io/armada/*" -+ - name: "icr.io/armada-worker/*" -+ - name: "icr.io/armada-master/*" -+--- -+{{ end }} - apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1 - kind: ClusterImagePolicy - metadata: -- name: portieris-default-cluster-image-policy -+ name: default - annotations: - helm.sh/hook: post-install - helm.sh/hook-weight: "1" - spec: - repositories: -- # This enforces that all images deployed to this cluster pass trust -+ # This permissive policy allows all images in namespaces which do not have an ImagePolicy. - # IMPORTANT: Review this policy and replace it with one that meets your requirements. - - name: "*" -- policy: -- trust: -- enabled: true - {{ end }} -diff --git a/helm/portieris/templates/deployment.yaml b/helm/portieris/templates/deployment.yaml -index 977b6c3..b72c599 100644 ---- a/helm/portieris/templates/deployment.yaml -+++ b/helm/portieris/templates/deployment.yaml -@@ -17,7 +17,7 @@ spec: - template: - metadata: - labels: -- app: {{ template "portieris.name" . }} -+ app: portieris - release: {{ .Release.Name }} - spec: - serviceAccountName: portieris -@@ -38,11 +38,15 @@ spec: - port: 8000 - path: "/health/liveness" - scheme: HTTPS -+ initialDelaySeconds: 10 -+ timeoutSeconds: 10 - readinessProbe: - httpGet: - port: 8000 - path: "/health/readiness" - scheme: HTTPS -+ initialDelaySeconds: 10 -+ timeoutSeconds: 10 - env: - resources: - {{ toYaml .Values.resources | indent 12 }} -@@ -59,7 +63,7 @@ spec: - {{ toYaml . | indent 8 }} - {{- end }} - securityContext: -- runAsUser: 1000060001 -+ runAsUser: {{ .Values.securityContext.runAsUser }} - volumes: - - name: portieris-certs - secret: -diff --git a/helm/portieris/templates/secret.yaml b/helm/portieris/templates/secret.yaml -index 0f5b038..f14fa24 100644 ---- a/helm/portieris/templates/secret.yaml -+++ b/helm/portieris/templates/secret.yaml -@@ -1,4 +1,25 @@ - {{ if not .Values.SkipSecretCreation }} -+{{ if .Values.UseCertManager }} -+apiVersion: cert-manager.io/v1alpha2 -+kind: Issuer -+metadata: -+ name: portieris -+ namespace: {{ .Values.namespace }} -+spec: -+ selfSigned: {} -+--- -+apiVersion: cert-manager.io/v1alpha2 -+kind: Certificate -+metadata: -+ name: portieris-certs -+ namespace: {{ .Values.namespace }} -+spec: -+ dnsNames: -+ - portieris.{{ .Values.namespace }}.svc -+ secretName: portieris-certs -+ issuerRef: -+ name: portieris -+{{ else }} - apiVersion: v1 - kind: Secret - metadata: -@@ -6,6 +27,7 @@ metadata: - namespace: {{ .Values.namespace }} - type: Opaque - data: -- serverCert.pem: {{ .Files.Get "certs/serverCert.pem" | b64enc }} -- serverKey.pem: {{ .Files.Get "certs/serverKey.pem" | b64enc }} -+ tls.crt: {{ .Files.Get "certs/tls.crt" | b64enc }} -+ tls.key: {{ .Files.Get "certs/tls.key" | b64enc }} -+{{ end }} - {{ end }} -diff --git a/helm/portieris/templates/securitycontextconstraint.yaml b/helm/portieris/templates/securitycontextconstraint.yaml -new file mode 100644 -index 0000000..3890ddb ---- /dev/null -+++ b/helm/portieris/templates/securitycontextconstraint.yaml -@@ -0,0 +1,43 @@ -+{{ if .Capabilities.APIVersions.Has "clusterversions.config.openshift.io" }} -+apiVersion: security.openshift.io/v1 -+kind: SecurityContextConstraints -+metadata: -+ annotations: -+ kubernetes.io/description: anyuid provides all features of the restricted SCC but allows users to run with any UID and any GID. -+ helm.sh/hook: pre-install -+ helm.sh/hook-weight: "1" -+ name: anyuid-portieris -+allowHostDirVolumePlugin: false -+allowHostIPC: false -+allowHostNetwork: false -+allowHostPID: false -+allowHostPorts: false -+allowPrivilegeEscalation: true -+allowPrivilegedContainer: false -+allowedCapabilities: [] -+defaultAddCapabilities: [] -+fsGroup: -+ type: RunAsAny -+groups: -+- system:cluster-admins -+priority: 10 -+readOnlyRootFilesystem: false -+requiredDropCapabilities: -+- MKNOD -+runAsUser: -+ type: MustRunAs -+ uid: {{ .Values.securityContext.runAsUser }} -+seLinuxContext: -+ type: MustRunAs -+supplementalGroups: -+ type: RunAsAny -+users: -+- system:serviceaccount:portieris:portieris -+volumes: -+- configMap -+- downwardAPI -+- emptyDir -+- persistentVolumeClaim -+- projected -+- secret -+{{ end }} -diff --git a/helm/portieris/templates/service.yaml b/helm/portieris/templates/service.yaml -index bb3d2e9..8e25eca 100644 ---- a/helm/portieris/templates/service.yaml -+++ b/helm/portieris/templates/service.yaml -@@ -14,7 +14,7 @@ spec: - - port: {{ .Values.service.port }} - targetPort: {{ .Values.service.targetPort }} - protocol: TCP -- name: http -+ name: https - selector: - app: {{ template "portieris.name" . }} - release: {{ .Release.Name }} -diff --git a/helm/portieris/templates/serviceaccount.yaml b/helm/portieris/templates/serviceaccount.yaml -index a0b41fb..88dfa2c 100644 ---- a/helm/portieris/templates/serviceaccount.yaml -+++ b/helm/portieris/templates/serviceaccount.yaml -@@ -12,3 +12,6 @@ metadata: - chart: {{ template "portieris.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -+ annotations: -+ helm.sh/hook: pre-install -+ helm.sh/hook-weight: "-7" -diff --git a/helm/portieris/values.yaml b/helm/portieris/values.yaml -index b75dc61..8b1a13e 100644 ---- a/helm/portieris/values.yaml -+++ b/helm/portieris/values.yaml -@@ -3,7 +3,7 @@ - # Declare variables to be passed into your templates. - - replicaCount: 3 --namespace: ibm-system -+namespace: portieris - - image: - host: -@@ -17,29 +17,56 @@ service: - port: 443 - targetPort: 8000 - -+securityContext: -+ runAsUser: 1000060001 -+ - # If not running on IBM Cloud Container Service set to false - IBMContainerService: true - - # If managing portieris-certs secret externally - SkipSecretCreation: false - --resources: {} -- # We usually recommend not to specify default resources and to leave this as a conscious -- # choice for the user. This also increases chances charts run on environments with little -- # resources, such as Minikube. If you do want to specify resources, uncomment the following -- # lines, adjust them as necessary, and remove the curly braces after 'resources:'. -- # limits: -- # cpu: 100m -- # memory: 128Mi -- # requests: -- # cpu: 100m -- # memory: 128Mi -+# If using cert-manager to handle secrets -+UseCertManager: false -+ -+# Resoures defined to assist scheduling -+# request is typical x10, limit is typical x100 -+resources: -+ limits: -+ cpu: 400m -+ memory: 600Mi -+ requests: -+ cpu: 40m -+ memory: 60Mi - - nodeSelector: {} - - tolerations: [] - --affinity: {} -+# Affinity settings -+# the `podAntiAffinity` defined here results in the distribution of pods over nodes where possible -+# intended to improve availability in the face of node and zone instability, reducing the potential of admission deadlock -+affinity: -+ podAntiAffinity: -+ preferredDuringSchedulingIgnoredDuringExecution: -+ - podAffinityTerm: -+ labelSelector: -+ matchExpressions: -+ - key: app -+ operator: In -+ values: -+ - portieris -+ topologyKey: "kubernetes.io/hostname" -+ weight: 50 -+ - podAffinityTerm: -+ labelSelector: -+ matchExpressions: -+ - key: app -+ operator: In -+ values: -+ - portieris -+ topologyKey: "failure-domain.beta.kubernetes.io/zone" -+ weight: 50 - - # Not recommended for user to configure this. Hyperkube image to use when creating custom resources - hyperkube: -diff --git a/helpers/image/image.go b/helpers/image/image.go -index 8ae59b4..9da3eaa 100644 ---- a/helpers/image/image.go -+++ b/helpers/image/image.go -@@ -31,6 +31,7 @@ type Reference struct { - digest string - hostname string - port string -+ repo string - } - - // NewReference parses the image name and returns an error if the name is invalid. -@@ -50,6 +51,7 @@ func NewReference(name string) (*Reference, error) { - return nil, err - } - result.name = ref.Name() -+ result.repo = reference.Path(ref) - - // Get the hostname - hostname := reference.Domain(ref) -@@ -142,3 +144,8 @@ func (r Reference) NameWithoutTag() string { - func (r Reference) String() string { - return r.original - } -+ -+// RepoName returns the image name without the tag and doesn't contain the server/host detals. -+func (r Reference) RepoName() string { -+ return r.repo -+} -diff --git a/helpers/oauth/header.go b/helpers/oauth/header.go -new file mode 100644 -index 0000000..b7a385b ---- /dev/null -+++ b/helpers/oauth/header.go -@@ -0,0 +1,178 @@ -+// Copyright 2018 Portieris Authors. -+// -+// Licensed under the Apache License, Version 2.0 (the "License"); -+// you may not use this file except in compliance with the License. -+// You may obtain a copy of the License at -+// -+// http://www.apache.org/licenses/LICENSE-2.0 -+// -+// Unless required by applicable law or agreed to in writing, software -+// distributed under the License is distributed on an "AS IS" BASIS, -+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -+// See the License for the specific language governing permissions and -+// limitations under the License. -+ -+package oauth -+ -+import ( -+ "net/http" -+ "strings" -+) -+ -+// Challenge carries information from a WWW-Authenticate response header. -+// See RFC 2617. -+type Challenge struct { -+ // Scheme is the auth-scheme according to RFC 2617 -+ Scheme string -+ -+ // Parameters are the auth-params according to RFC 2617 -+ Parameters map[string]string -+} -+ -+// Octet types from RFC 2616. -+type octetType byte -+ -+var octetTypes [256]octetType -+ -+const ( -+ isToken octetType = 1 << iota -+ isSpace -+) -+ -+func init() { -+ // OCTET = -+ // CHAR = -+ // CTL = -+ // CR = -+ // LF = -+ // SP = -+ // HT = -+ // <"> = -+ // CRLF = CR LF -+ // LWS = [CRLF] 1*( SP | HT ) -+ // TEXT = -+ // separators = "(" | ")" | "<" | ">" | "@" | "," | ";" | ":" | "\" | <"> -+ // | "/" | "[" | "]" | "?" | "=" | "{" | "}" | SP | HT -+ // token = 1* -+ // qdtext = > -+ -+ for c := 0; c < 256; c++ { -+ var t octetType -+ isCtl := c <= 31 || c == 127 -+ isChar := 0 <= c && c <= 127 -+ isSeparator := strings.ContainsRune(" \t\"(),/:;<=>?@[]\\{}", rune(c)) -+ if strings.ContainsRune(" \t\r\n", rune(c)) { -+ t |= isSpace -+ } -+ if isChar && !isCtl && !isSeparator { -+ t |= isToken -+ } -+ octetTypes[c] = t -+ } -+} -+ -+// ResponseChallenges takes in the response and it is unauthorized returns a challenge containing realm and service information -+func ResponseChallenges(resp *http.Response) []Challenge { -+ if resp.StatusCode == http.StatusUnauthorized { -+ // Parse the WWW-Authenticate Header and store the challenges -+ // on this endpoint object. -+ return parseAuthHeader(resp.Header) -+ } -+ return nil -+} -+ -+// ParseAuthHeader takes the header info from a response and gives back realm and service information -+func parseAuthHeader(header http.Header) []Challenge { -+ challenges := []Challenge{} -+ for _, h := range header[http.CanonicalHeaderKey("WWW-Authenticate")] { -+ v, p := parseValueAndParams(h) -+ if v != "" { -+ challenges = append(challenges, Challenge{Scheme: v, Parameters: p}) -+ } -+ } -+ return challenges -+} -+ -+func parseValueAndParams(header string) (value string, params map[string]string) { -+ params = make(map[string]string) -+ value, s := expectToken(header) -+ if value == "" { -+ return -+ } -+ value = strings.ToLower(value) -+ s = "," + skipSpace(s) -+ for strings.HasPrefix(s, ",") { -+ var pkey string -+ pkey, s = expectToken(skipSpace(s[1:])) -+ if pkey == "" { -+ return -+ } -+ if !strings.HasPrefix(s, "=") { -+ return -+ } -+ var pvalue string -+ pvalue, s = expectTokenOrQuoted(s[1:]) -+ if pvalue == "" { -+ return -+ } -+ pkey = strings.ToLower(pkey) -+ params[pkey] = pvalue -+ s = skipSpace(s) -+ } -+ return -+} -+ -+func skipSpace(s string) (rest string) { -+ i := 0 -+ for ; i < len(s); i++ { -+ if octetTypes[s[i]]&isSpace == 0 { -+ break -+ } -+ } -+ return s[i:] -+} -+ -+func expectToken(s string) (token, rest string) { -+ i := 0 -+ for ; i < len(s); i++ { -+ if octetTypes[s[i]]&isToken == 0 { -+ break -+ } -+ } -+ return s[:i], s[i:] -+} -+ -+func expectTokenOrQuoted(s string) (value, rest string) { -+ if !strings.HasPrefix(s, "\"") { -+ return expectToken(s) -+ } -+ s = s[1:] -+ for i := 0; i < len(s); i++ { -+ switch s[i] { -+ case '"': -+ return s[:i], s[i+1:] -+ case '\\': -+ p := make([]byte, len(s)-1) -+ j := copy(p, s[:i]) -+ escape := true -+ for i = i + 1; i < len(s); i++ { -+ b := s[i] -+ switch { -+ case escape: -+ escape = false -+ p[j] = b -+ j++ -+ case b == '\\': -+ escape = true -+ case b == '"': -+ return string(p[:j]), s[i+1:] -+ default: -+ p[j] = b -+ j++ -+ } -+ } -+ return "", "" -+ } -+ } -+ return "", "" -+} -diff --git a/helpers/oauth/oauth.go b/helpers/oauth/oauth.go -index bbfdce3..98ab65e 100644 ---- a/helpers/oauth/oauth.go -+++ b/helpers/oauth/oauth.go -@@ -73,38 +73,70 @@ func GetHTTPClient(customFile string) *http.Client { - // token - Auth token being used for the request - // repo - Repo you are requesting access too e.g. bainsy88/busybox - // username - Username for the OAuth request, identifies the type of token being passed in. Valid usernames are token (for registry token), iambearer, iamapikey, bearer (UAA bearer (legacy)), iamrefresh --// writeAccessRequired - Whether or not you require write (push and delete) access as well as read (pull) --// service - The service you are retrieving the OAuth token for. Current services are either "notary" or "registry" --// hostname - Hostname of the registry you wish to call e.g. https://icr.io -+// ChallengeSlice - Challenge slice contains the www-authenticate details - // Returns: - // *auth.TokenResponse - Details of the type is here https://github.ibm.com/alchemy-registry/registry-types/tree/master/auth#type-tokenresponse - // Token is the element you will need to forward to the registry/notary as part of a Bearer Authorization Header - // error --func Request(token string, repo string, username string, writeAccessRequired bool, service string, hostname string) (*TokenResponse, error) { -- var actions string -- //If you want to verify if a the credential supplied has read and write access to the repo we ask oauth for pull,push and * -- if writeAccessRequired { -- actions = "pull,push,*" -- } else { -- actions = "pull" -+func Request(token, repo, username string, challengeSlice []Challenge) (*TokenResponse, error) { -+ oauthEndpoint := "" -+ service := "" -+ scope := "" -+ -+ if challengeSlice == nil { -+ errMessage := "unable to fetch www-authenticate header details" -+ glog.Errorf(errMessage) -+ return nil, fmt.Errorf(errMessage) -+ } -+ -+ for _, challenge := range challengeSlice { -+ oauthEndpoint = challenge.Parameters["realm"] -+ service = challenge.Parameters["service"] -+ scope = challenge.Parameters["scope"] -+ } -+ -+ if oauthEndpoint == "" || service == "" { -+ errMessage := "unable to fetch oauth realm and service header details" -+ glog.Errorf(errMessage) -+ return nil, fmt.Errorf(errMessage) - } - - client := GetHTTPClient("/etc/certs/ca.pem") - -- resp, err := client.PostForm(hostname+"/oauth/token", url.Values{ -+ glog.Infof("Calling oauth endpoint: %s for registry service: %s and scope %s", oauthEndpoint, service, scope) -+ var resp *http.Response -+ var err error -+ resp, err = client.PostForm(oauthEndpoint, url.Values{ - "service": {service}, - "grant_type": {"password"}, -- "client_id": {"testclient"}, -+ "client_id": {"portieris-client"}, - "username": {username}, - "password": {token}, -- "scope": {"repository:" + repo + ":" + actions}, -+ "scope": {scope}, - }) -- - if err != nil { -- glog.Errorf("Error sending request to registry-oauth: %v", err) -+ glog.Errorf("Error sending POST request to registry-oauth: %v", err) - return nil, err - } - -+ // TODO: confirm if status code of 405 needs to be handled in the below block -+ if resp.StatusCode == 404 || resp.StatusCode == 405 { -+ glog.Info("Calling: " + oauthEndpoint + "?service=" + service + "&scope=" + scope) -+ getURL, err := url.Parse(oauthEndpoint) -+ if err != nil { -+ return nil, err -+ } -+ q := getURL.Query() -+ q.Set("service", service) -+ q.Set("scope", scope) -+ getURL.RawQuery = q.Encode() -+ resp, err = client.Get(getURL.String()) -+ if err != nil { -+ glog.Errorf("Error sending GET request to registry-oauth: %v", err) -+ return nil, err -+ } -+ } -+ - if resp.StatusCode < 200 || resp.StatusCode >= 300 { - // Unexpected, read body for more information and close. It is the upstream callers - // responsibility to close the response body if an error is not returned. -@@ -125,3 +157,26 @@ func Request(token string, repo string, username string, writeAccessRequired boo - - return &tokenResponse, nil - } -+ -+// CheckAuthRequired - checks if the given image needs to be authenticated to fetch metadata or not and returns the response -+func CheckAuthRequired(notaryURL, hostName, repoName string, official bool) (*http.Response, error) { -+ glog.Infof("Notary URL: %s Hostname %s RepoName %s", notaryURL, hostName, repoName) -+ // Github issue 51 Fix -+ var req *http.Request -+ var err error -+ client := GetHTTPClient("/etc/certs/ca.pem") -+ if hostName == "docker.io" && official { -+ req, err = http.NewRequest("GET", notaryURL+"/v2/"+hostName+"/library/"+repoName+"/_trust/tuf/root.json", nil) -+ } else { -+ req, err = http.NewRequest("GET", notaryURL+"/v2/"+hostName+"/"+repoName+"/_trust/tuf/root.json", nil) -+ } -+ -+ resp, err := client.Do(req) -+ -+ if err != nil { -+ glog.Errorf("Failed to query v2 tuf endpoint for notaryURL: %s", notaryURL) -+ return nil, err -+ } -+ -+ return resp, nil -+} -diff --git a/pkg/controller/multi/notary_test.go b/pkg/controller/multi/notary_test.go -index d16c57d..9a36370 100644 ---- a/pkg/controller/multi/notary_test.go -+++ b/pkg/controller/multi/notary_test.go -@@ -276,6 +276,7 @@ var _ = Describe("Main", func() { - "policy": { - "trust": { - "enabled": true -+ "trustServer": "https://us.icr.io:4443" - }, - "va": { - "enabled": false -@@ -290,7 +291,7 @@ var _ = Describe("Main", func() { - wh.HandleAdmissionRequest(w, req) - parseResponse() - Expect(resp.Response.Allowed).To(BeFalse()) -- Expect(resp.Response.Result.Message).To(ContainSubstring(`Deny "no-secret.icr.io/hello", no valid ImagePullSecret defined for no-secret.icr.io`)) -+ Expect(resp.Response.Result.Message).To(ContainSubstring(`Deny "no-secret.icr.io/hello", no matching repositories in the ImagePolicies`)) - }) - }) - -@@ -343,7 +344,7 @@ var _ = Describe("Main", func() { - wh.HandleAdmissionRequest(w, req) - parseResponse() - Expect(resp.Response.Allowed).To(BeFalse()) -- Expect(resp.Response.Result.Message).To(ContainSubstring(`Deny "us.icr.io/hello", no valid ImagePullSecret defined for us.icr.io`)) -+ Expect(resp.Response.Result.Message).To(ContainSubstring(`Some error occurred while trying to fetch token for unauthenticated pubilc pull FAKE_INVALID_TOKEN_ERROR`)) - }) - }) - -@@ -620,7 +621,7 @@ var _ = Describe("Main", func() { - Expect(len(trust.GetNotaryRepoArgsForCall)).To(Equal(1)) - Expect(trust.GetNotaryRepoArgsForCall[0].Server).To(Equal("https://some-trust-server.com:4443")) - Expect(resp.Response.Allowed).To(BeFalse()) -- Expect(resp.Response.Result.Message).To(ContainSubstring(`Deny "us.icr.io/hello", failed to get content trust information: unable to reach trust server at this time: 0.`)) -+ Expect(resp.Response.Result.Message).To(ContainSubstring(`Some error occurred while checking if authentication is required to fetch target metadata`)) - }) - }) - -@@ -665,7 +666,7 @@ var _ = Describe("Main", func() { - "policy": { - "trust": { - "enabled": true, -- "trustServer": "https://some-trust-server.com:4443" -+ "trustServer": "https://notary.docker.io"" - }, - "va": { - "enabled": false -@@ -683,8 +684,8 @@ var _ = Describe("Main", func() { - wh.HandleAdmissionRequest(w, req) - parseResponse() - Expect(len(trust.GetNotaryRepoArgsForCall)).To(Equal(2)) -- Expect(trust.GetNotaryRepoArgsForCall[0].Server).To(Equal("https://some-trust-server.com:4443")) -- Expect(trust.GetNotaryRepoArgsForCall[1].Server).To(Equal("https://some-trust-server.com:4443")) -+ Expect(trust.GetNotaryRepoArgsForCall[0].Server).To(Equal("https://notary.docker.io")) -+ Expect(trust.GetNotaryRepoArgsForCall[1].Server).To(Equal("https://notary.docker.io")) - Expect(resp.Response.Allowed).To(BeFalse()) - Expect(resp.Response.Result.Message).To(ContainSubstring(`Deny "us.icr.io/hello", failed to get content trust information: FAKE_NO_SIGNED_IMAGE_ERROR`)) - Expect(resp.Response.Result.Message).To(ContainSubstring(`Deny "us.icr.io/goodbye", failed to get content trust information: FAKE_NO_SIGNED_IMAGE_ERROR`)) -@@ -739,6 +740,7 @@ var _ = Describe("Main", func() { - "policy": { - "trust": { - "enabled": true -+ "trustServer": "https://notary.docker.io" - }, - "va": { - "enabled": false -@@ -770,7 +772,7 @@ var _ = Describe("Main", func() { - Expect(len(trust.GetNotaryRepoArgsForCall)).To(Equal(2)) - Expect(trust.GetNotaryRepoArgsForCall[0].Server).To(Equal("https://us.icr.io:4443")) - Expect(trust.GetNotaryRepoArgsForCall[0].Image).To(Equal("us.icr.io/hello")) -- Expect(trust.GetNotaryRepoArgsForCall[1].Server).To(Equal("https://some-trust-server.com:4443")) -+ Expect(trust.GetNotaryRepoArgsForCall[1].Server).To(Equal("https://notary.docker.io")) - Expect(trust.GetNotaryRepoArgsForCall[1].Image).To(Equal("icr.io/goodbye")) - Expect(resp.Response.Allowed).To(BeFalse()) - }) -diff --git a/pkg/registry/fakeregistry/fakeregistry.go b/pkg/registry/fakeregistry/fakeregistry.go -index 2e9d97e..342be8c 100644 ---- a/pkg/registry/fakeregistry/fakeregistry.go -+++ b/pkg/registry/fakeregistry/fakeregistry.go -@@ -18,6 +18,7 @@ import ( - "fmt" - "sync" - -+ "github.com/IBM/portieris/helpers/oauth" - "github.com/IBM/portieris/pkg/registry" - ) - -@@ -25,13 +26,13 @@ var _ registry.Interface = &FakeRegistry{} - - // FakeRegistry . - type FakeRegistry struct { -- GetContentTrustTokenStub func(username, password, imageRepo, hostname string) (string, error) -+ GetContentTrustTokenStub func(username, password, imageRepo string, challengeSlice []oauth.Challenge) (string, error) - getContentTrustTokenMutex sync.RWMutex - getContentTrustTokenArgsForCall []struct { -- username string -- password string -- imageRepo string -- hostname string -+ username string -+ password string -+ imageRepo string -+ challengeSlice []oauth.Challenge - } - getContentTrustTokenReturns struct { - token string -@@ -40,17 +41,17 @@ type FakeRegistry struct { - } - - // GetContentTrustToken ... --func (fake *FakeRegistry) GetContentTrustToken(username, password, imageRepo, hostname string) (string, error) { -+func (fake *FakeRegistry) GetContentTrustToken(username, password, imageRepo string, challengeSlice []oauth.Challenge) (string, error) { - fake.getContentTrustTokenMutex.Lock() - fake.getContentTrustTokenArgsForCall = append(fake.getContentTrustTokenArgsForCall, struct { -- username string -- password string -- imageRepo string -- hostname string -- }{username, password, imageRepo, hostname}) -+ username string -+ password string -+ imageRepo string -+ challengeSlice []oauth.Challenge -+ }{username, password, imageRepo, challengeSlice}) - fake.getContentTrustTokenMutex.Unlock() - if fake.GetContentTrustTokenStub != nil { -- return fake.GetContentTrustTokenStub(username, password, imageRepo, hostname) -+ return fake.GetContentTrustTokenStub(username, password, imageRepo, challengeSlice) - } - return fake.getContentTrustTokenReturns.token, fake.getContentTrustTokenReturns.err - } -@@ -66,6 +67,6 @@ func (fake *FakeRegistry) GetContentTrustTokenReturns(token string, err error) { - } - - // GetRegistryToken ... --func (fake *FakeRegistry) GetRegistryToken(username, password, imageRepo, hostname string) (string, error) { -+func (fake *FakeRegistry) GetRegistryToken(username, password, imageRepo string, challengeSlice []oauth.Challenge) (string, error) { - return "", fmt.Errorf("not implemented") - } -diff --git a/pkg/registry/registry.go b/pkg/registry/registry.go -index 375de38..febaa69 100644 ---- a/pkg/registry/registry.go -+++ b/pkg/registry/registry.go -@@ -23,8 +23,8 @@ type Client struct{} - - // Interface . - type Interface interface { -- GetContentTrustToken(username, password, imageRepo, hostname string) (string, error) -- GetRegistryToken(username, password, imageRepo, hostname string) (string, error) -+ GetContentTrustToken(username, password, imageRepo string, challengeSlice []oauth.Challenge) (string, error) -+ GetRegistryToken(username, password, imageRepo string, challengeSlice []oauth.Challenge) (string, error) - } - - // NewClient . -@@ -33,8 +33,8 @@ func NewClient() Interface { - } - - // GetContentTrustToken . --func (c Client) GetContentTrustToken(username, password, imageRepo, hostname string) (string, error) { -- token, err := oauth.Request(password, imageRepo, username, false, "notary", hostname) -+func (c Client) GetContentTrustToken(username, password, imageRepo string, challengeSlice []oauth.Challenge) (string, error) { -+ token, err := oauth.Request(password, imageRepo, username, challengeSlice) - if err != nil { - return "", err - } -@@ -42,8 +42,8 @@ func (c Client) GetContentTrustToken(username, password, imageRepo, hostname str - } - - // GetRegistryToken . --func (c Client) GetRegistryToken(username, password, imageRepo, hostname string) (string, error) { -- token, err := oauth.Request(password, imageRepo, username, false, "registry", hostname) -+func (c Client) GetRegistryToken(username, password, imageRepo string, challengeSlice []oauth.Challenge) (string, error) { -+ token, err := oauth.Request(password, imageRepo, username, challengeSlice) - if err != nil { - return "", err - } -diff --git a/pkg/verifier/trust/verifier.go b/pkg/verifier/trust/verifier.go -index 00aee83..7dce484 100644 ---- a/pkg/verifier/trust/verifier.go -+++ b/pkg/verifier/trust/verifier.go -@@ -17,9 +17,11 @@ package trust - import ( - "bytes" - "fmt" -+ "net/http" - "strings" - - "github.com/IBM/portieris/helpers/image" -+ "github.com/IBM/portieris/helpers/oauth" - securityenforcementv1beta1 "github.com/IBM/portieris/pkg/apis/securityenforcement/v1beta1" - "github.com/IBM/portieris/pkg/kubernetes" - "github.com/IBM/portieris/pkg/notary" -@@ -74,14 +76,61 @@ func (v *Verifier) VerifyByPolicy(namespace string, img *image.Reference, creden - } - } - -+ official := !strings.ContainsRune(img.RepoName(), '/') -+ -+ hostname := img.GetHostname() -+ port := img.GetPort() -+ if port != "" { -+ port = ":" + port -+ } -+ repo := hostname + port -+ -+ resp, err := oauth.CheckAuthRequired(notaryURL, repo, img.RepoName(), official) -+ if err != nil { -+ glog.Error(err) -+ return nil, nil, fmt.Errorf("Some error occurred while checking if authentication is required to fetch target metadata") -+ } -+ -+ if resp.StatusCode == http.StatusUnauthorized { -+ glog.Infof("Need to get token for %s to fetch target metadata", notaryURL) -+ } else if resp.StatusCode == http.StatusOK { -+ glog.Infof("No need to fetch token for %s to get the target metadata", notaryURL) -+ } else { -+ glog.Infof("Status code: %v was returned", resp.StatusCode) -+ return nil, nil, fmt.Errorf("Status code: %v was returned while checking if authentication is required to fetch target metadata", resp.StatusCode) -+ } -+ -+ glog.Infof("Status code: %v returned for repo: %v", resp.StatusCode, img.NameWithoutTag()) -+ -+ var challengeSlice []oauth.Challenge -+ -+ if resp.StatusCode == http.StatusUnauthorized { -+ challengeSlice = oauth.ResponseChallenges(resp) -+ if err != nil { -+ glog.Error(err) -+ return nil, nil, fmt.Errorf("Some error occurred when fetching challenge slice %s", err.Error()) -+ } -+ } -+ - for _, cred := range credentials { -- notaryToken, err := v.cr.GetContentTrustToken(cred[0], cred[1], img.NameWithoutTag(), img.GetRegistryURL()) -+ notaryToken, err := v.cr.GetContentTrustToken(cred[0], cred[1], img.NameWithoutTag(), challengeSlice) - if err != nil { - glog.Error(err) - continue - } - -- digest, err := v.getDigest(notaryURL, img.NameWithoutTag(), notaryToken, img.GetTag(), signers) -+ // Get image digest -+ glog.Infof("getting signed image... %v", img.RepoName()) -+ // notaryToken will be blank for unauthorized calls -+ var image string -+ if official { -+ image = "docker.io/library/" + img.RepoName() -+ } else { -+ image = img.NameWithoutTag() -+ } -+ glog.Infof("Image: %v", image) -+ -+ digest, err := v.getDigest(notaryURL, image, notaryToken, img.GetTag(), signers) - if err != nil { - if strings.Contains(err.Error(), "401") { - continue -@@ -95,5 +144,37 @@ func (v *Verifier) VerifyByPolicy(namespace string, img *image.Reference, creden - } - return digest, nil, nil - } -- return nil, fmt.Errorf("Deny %q, no valid ImagePullSecret defined for %s", img.String(), img.String()), nil -+ -+ // if no credentials defined and pulling signed images from public docker -+ notaryToken, err := v.cr.GetContentTrustToken("", "", img.NameWithoutTag(), challengeSlice) -+ if err != nil { -+ glog.Error(err) -+ return nil, nil, fmt.Errorf("Some error occurred while trying to fetch token for unauthenticated pubilc pull %s", err.Error()) -+ } -+ -+ // Get image digest -+ glog.Infof("getting signed image for %v", img.RepoName()) -+ // notaryToken will be blank for unauthorized calls -+ var image string -+ if official { -+ image = "docker.io/library/" + img.RepoName() -+ } else { -+ image = img.NameWithoutTag() -+ } -+ glog.Infof("Image: %v and tag: %v", image, img.GetTag()) -+ glog.Infof("Notary URL: %v", notaryURL) -+ digest, err := v.getDigest(notaryURL, image, notaryToken, img.GetTag(), signers) -+ if err != nil { -+ glog.Infof(err.Error()) -+ if strings.Contains(err.Error(), "401") { -+ return nil, fmt.Errorf("Deny %q, no valid ImagePullSecret defined for %s", img.String(), img.String()), nil -+ } -+ -+ if _, ok := err.(store.ErrServerUnavailable); ok { -+ glog.Errorf("Trust server unavailable: %v", err) -+ return nil, nil, fmt.Errorf("Deny %q, failed to get content trust information: %s", img.String(), err.Error()) -+ } -+ return nil, fmt.Errorf("Deny %q, failed to get content trust information: %s", img.String(), err.Error()), nil -+ } -+ return digest, nil, nil - } --- -1.8.3.1 - diff --git a/portieris-helm/files/0002-add-image-pull-secrets-to-images.patch b/portieris-helm/files/0002-add-image-pull-secrets-to-images.patch deleted file mode 100644 index 8a51266..0000000 --- a/portieris-helm/files/0002-add-image-pull-secrets-to-images.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 77a11903c2486d07cd3b078f99476b3a855fdce0 Mon Sep 17 00:00:00 2001 -From: Michel Thebeau -Date: Mon, 18 Jan 2021 17:02:39 -0500 -Subject: [PATCH] add image pull secrets to images - -Signed-off-by: Michel Thebeau ---- - helm/portieris/templates/deployment.yaml | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/helm/portieris/templates/deployment.yaml b/helm/portieris/templates/deployment.yaml -index b72c599..d8f3590 100644 ---- a/helm/portieris/templates/deployment.yaml -+++ b/helm/portieris/templates/deployment.yaml -@@ -21,6 +21,10 @@ spec: - release: {{ .Release.Name }} - spec: - serviceAccountName: portieris -+ {{ if .Values.image.host }} -+ imagePullSecrets: -+ - name: default-registry-key -+ {{ end }} - containers: - - name: {{ .Chart.Name }} - image: "{{ .Values.image.host | default "docker.io/ibmcom" }}/{{ .Values.image.image }}:{{ .Values.image.tag }}" --- -2.29.2 - diff --git a/portieris-helm/files/0003-add-toggle-to-reinstall-the-admission-webhook.patch b/portieris-helm/files/0003-add-toggle-to-reinstall-the-admission-webhook.patch deleted file mode 100644 index fee8cde..0000000 --- a/portieris-helm/files/0003-add-toggle-to-reinstall-the-admission-webhook.patch +++ /dev/null @@ -1,51 +0,0 @@ -From b5defc7482fa8a0b1ad7c96a1ad8d8b578fb7d2c Mon Sep 17 00:00:00 2001 -From: Michel Thebeau -Date: Wed, 1 Sep 2021 10:34:54 -0400 -Subject: [PATCH 3/4] add toggle to reinstall the admission webhook - -The backup and restore procedure will set ReapplyAdmissionWebhook to -true to force an "upgrade" of an already installed Portieris -application. The webhooks job is run on the helm chart's post-upgrade -hook. The chart value ReapplyAdmissionWebhook is reserved to simplify -its handling by backup and restore. - -Signed-off-by: Michel Thebeau ---- - .../admission-webhooks/create-admission-webhooks.yaml | 4 ++++ - helm/portieris/values.yaml | 4 ++++ - 2 files changed, 8 insertions(+) - -diff --git a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml -index 04bb56a..7773413 100644 ---- a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml -+++ b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml -@@ -4,7 +4,11 @@ metadata: - name: create-admission-webhooks - namespace: {{ .Values.namespace }} - annotations: -+ {{ if .Values.ReapplyAdmissionWebhook }} -+ helm.sh/hook: post-install,post-upgrade -+ {{ else }} - helm.sh/hook: post-install -+ {{ end }} - helm.sh/hook-weight: "5" - helm.sh/hook-delete-policy: hook-succeeded - labels: -diff --git a/helm/portieris/values.yaml b/helm/portieris/values.yaml -index 8b1a13e..d73d6f2 100644 ---- a/helm/portieris/values.yaml -+++ b/helm/portieris/values.yaml -@@ -29,6 +29,10 @@ SkipSecretCreation: false - # If using cert-manager to handle secrets - UseCertManager: false - -+# Set to force helm upgrade, rerun the create-admission-webhooks job -+# This value is reserved for the StarlingX backup and restore procedure -+ReapplyAdmissionWebhook: false -+ - # Resoures defined to assist scheduling - # request is typical x10, limit is typical x100 - resources: --- -2.29.2 - diff --git a/portieris-helm/files/0004-run-admission-webhooks-as-non-root.patch b/portieris-helm/files/0004-run-admission-webhooks-as-non-root.patch deleted file mode 100644 index 7275d54..0000000 --- a/portieris-helm/files/0004-run-admission-webhooks-as-non-root.patch +++ /dev/null @@ -1,105 +0,0 @@ -From 8a6d884de01c2ce8ad9f68284b69a0ae2e5dea2a Mon Sep 17 00:00:00 2001 -From: Michel Thebeau -Date: Wed, 1 Sep 2021 18:54:44 -0400 -Subject: [PATCH 4/4] run admission webhooks as non-root - -With pod security policies enabled the webhooks will not run as root, -with "Error: container has runAsNonRoot and image will run as root". - -Copy the securityContext from portieris chart, run as 'portieris' -service account. - -Fix subsequent jobs that fail with the absent securityContext, -permissions. Add patch verb to customresourcedefinitions for portieris -service add account. - -Signed-off-by: Michel Thebeau ---- - .../admission-webhooks/create-admission-webhooks.yaml | 3 +++ - .../admission-webhooks/delete-admission-webhooks.yaml | 3 +++ - helm/portieris/templates/clusterrole.yaml | 4 ++-- - helm/portieris/templates/crd-creation/create-crds.yaml | 4 +++- - helm/portieris/templates/crd-creation/delete-crds.yaml | 4 +++- - .../templates/crd-creation/validate-crd-creation.yaml | 4 +++- - 6 files changed, 17 insertions(+), 5 deletions(-) - -diff --git a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml -index 7773413..cbe0eb7 100644 ---- a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml -+++ b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml -@@ -44,3 +44,6 @@ spec: - configMap: - name: admission-webhooks - restartPolicy: OnFailure -+ securityContext: -+ runAsUser: {{ .Values.securityContext.runAsUser }} -+ -diff --git a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml -index ce34927..dd8c259 100644 ---- a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml -+++ b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml -@@ -40,3 +40,6 @@ spec: - configMap: - name: admission-webhooks - restartPolicy: OnFailure -+ securityContext: -+ runAsUser: {{ .Values.securityContext.runAsUser }} -+ -diff --git a/helm/portieris/templates/clusterrole.yaml b/helm/portieris/templates/clusterrole.yaml -index 67c5912..13b4cb4 100644 ---- a/helm/portieris/templates/clusterrole.yaml -+++ b/helm/portieris/templates/clusterrole.yaml -@@ -16,10 +16,10 @@ rules: - verbs: ["get", "watch", "list", "create", "patch"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] -- verbs: ["get", "create", "delete"] -+ verbs: ["get", "create", "delete", "patch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"] -- verbs: ["get", "create", "delete"] -+ verbs: ["get", "create", "delete", "patch"] - - apiGroups: [""] - resources: ["secrets", "serviceaccounts"] - verbs: ["get"] -diff --git a/helm/portieris/templates/crd-creation/create-crds.yaml b/helm/portieris/templates/crd-creation/create-crds.yaml -index 3ac36f6..13b0ca2 100644 ---- a/helm/portieris/templates/crd-creation/create-crds.yaml -+++ b/helm/portieris/templates/crd-creation/create-crds.yaml -@@ -39,4 +39,6 @@ spec: - configMap: - name: image-policy-crds - restartPolicy: OnFailure -- -\ No newline at end of file -+ securityContext: -+ runAsUser: {{ .Values.securityContext.runAsUser }} -+ -diff --git a/helm/portieris/templates/crd-creation/delete-crds.yaml b/helm/portieris/templates/crd-creation/delete-crds.yaml -index 9080511..783fe23 100644 ---- a/helm/portieris/templates/crd-creation/delete-crds.yaml -+++ b/helm/portieris/templates/crd-creation/delete-crds.yaml -@@ -40,4 +40,6 @@ spec: - configMap: - name: image-policy-crds - restartPolicy: OnFailure -- -+ securityContext: -+ runAsUser: {{ .Values.securityContext.runAsUser }} -+ -diff --git a/helm/portieris/templates/crd-creation/validate-crd-creation.yaml b/helm/portieris/templates/crd-creation/validate-crd-creation.yaml -index 5c68466..d3075da 100644 ---- a/helm/portieris/templates/crd-creation/validate-crd-creation.yaml -+++ b/helm/portieris/templates/crd-creation/validate-crd-creation.yaml -@@ -33,4 +33,6 @@ spec: - - imagepolicies.securityenforcement.admission.cloud.ibm.com - - clusterimagepolicies.securityenforcement.admission.cloud.ibm.com - restartPolicy: OnFailure -- -\ No newline at end of file -+ securityContext: -+ runAsUser: {{ .Values.securityContext.runAsUser }} -+ --- -2.29.2 - diff --git a/portieris-helm/files/0005-add-toleration.patch b/portieris-helm/files/0005-add-toleration.patch deleted file mode 100644 index 9186ffe..0000000 --- a/portieris-helm/files/0005-add-toleration.patch +++ /dev/null @@ -1,130 +0,0 @@ -From ed939af4c374f834f6e15e2f6c3d5cbff53c90ec Mon Sep 17 00:00:00 2001 -From: Rafael Camargos -Date: Tue, 28 Sep 2021 11:05:29 -0400 -Subject: [PATCH] Add toleration to deployment and jobs - ---- - .../admission-webhooks/create-admission-webhooks.yaml | 4 ++++ - .../admission-webhooks/delete-admission-webhooks.yaml | 4 ++++ - helm/portieris/templates/crd-creation/create-crds.yaml | 4 ++++ - helm/portieris/templates/crd-creation/delete-crds.yaml | 4 ++++ - .../templates/crd-creation/validate-crd-creation.yaml | 4 ++++ - .../templates/default/create-default-policies.yaml | 6 +++++- - helm/portieris/templates/deployment.yaml | 4 ++++ - 7 files changed, 29 insertions(+), 1 deletion(-) - -diff --git a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml -index cbe0eb7..fe3e5c2 100644 ---- a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml -+++ b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml -@@ -27,6 +27,10 @@ spec: - heritage: {{ .Release.Service }} - spec: - serviceAccountName: portieris -+ tolerations: -+ - key: "node-role.kubernetes.io/master" -+ operator: "Exists" -+ effect: "NoSchedule" - containers: - - name: hyperkube - image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}" -diff --git a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml -index dd8c259..e8edc3d 100644 ---- a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml -+++ b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml -@@ -23,6 +23,10 @@ spec: - heritage: {{ .Release.Service }} - spec: - serviceAccountName: portieris -+ tolerations: -+ - key: "node-role.kubernetes.io/master" -+ operator: "Exists" -+ effect: "NoSchedule" - containers: - - name: hyperkube - image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}" -diff --git a/helm/portieris/templates/crd-creation/create-crds.yaml b/helm/portieris/templates/crd-creation/create-crds.yaml -index 13b0ca2..2033ee6 100644 ---- a/helm/portieris/templates/crd-creation/create-crds.yaml -+++ b/helm/portieris/templates/crd-creation/create-crds.yaml -@@ -23,6 +23,10 @@ spec: - heritage: {{ .Release.Service }} - spec: - serviceAccountName: portieris -+ tolerations: -+ - key: "node-role.kubernetes.io/master" -+ operator: "Exists" -+ effect: "NoSchedule" - containers: - - name: hyperkube - image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}" -diff --git a/helm/portieris/templates/crd-creation/delete-crds.yaml b/helm/portieris/templates/crd-creation/delete-crds.yaml -index 783fe23..894598a 100644 ---- a/helm/portieris/templates/crd-creation/delete-crds.yaml -+++ b/helm/portieris/templates/crd-creation/delete-crds.yaml -@@ -23,6 +23,10 @@ spec: - heritage: {{ .Release.Service }} - spec: - serviceAccountName: portieris -+ tolerations: -+ - key: "node-role.kubernetes.io/master" -+ operator: "Exists" -+ effect: "NoSchedule" - containers: - - name: hyperkube - image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}" -diff --git a/helm/portieris/templates/crd-creation/validate-crd-creation.yaml b/helm/portieris/templates/crd-creation/validate-crd-creation.yaml -index d3075da..58e501e 100644 ---- a/helm/portieris/templates/crd-creation/validate-crd-creation.yaml -+++ b/helm/portieris/templates/crd-creation/validate-crd-creation.yaml -@@ -23,6 +23,10 @@ spec: - heritage: {{ .Release.Service }} - spec: - serviceAccountName: portieris -+ tolerations: -+ - key: "node-role.kubernetes.io/master" -+ operator: "Exists" -+ effect: "NoSchedule" - containers: - - name: hyperkube - image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}" -diff --git a/helm/portieris/templates/default/create-default-policies.yaml b/helm/portieris/templates/default/create-default-policies.yaml -index 31a38c0..fae1597 100644 ---- a/helm/portieris/templates/default/create-default-policies.yaml -+++ b/helm/portieris/templates/default/create-default-policies.yaml -@@ -23,6 +23,10 @@ spec: - heritage: {{ .Release.Service }} - spec: - serviceAccountName: portieris -+ tolerations: -+ - key: "node-role.kubernetes.io/master" -+ operator: "Exists" -+ effect: "NoSchedule" - containers: - - name: hyperkube - image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}" -@@ -39,4 +43,4 @@ spec: - configMap: - name: default-image-policies - restartPolicy: OnFailure -- -\ No newline at end of file -+ -diff --git a/helm/portieris/templates/deployment.yaml b/helm/portieris/templates/deployment.yaml -index d8f3590..e6c4184 100644 ---- a/helm/portieris/templates/deployment.yaml -+++ b/helm/portieris/templates/deployment.yaml -@@ -25,6 +25,10 @@ spec: - imagePullSecrets: - - name: default-registry-key - {{ end }} -+ tolerations: -+ - key: "node-role.kubernetes.io/master" -+ operator: "Exists" -+ effect: "NoSchedule" - containers: - - name: {{ .Chart.Name }} - image: "{{ .Values.image.host | default "docker.io/ibmcom" }}/{{ .Values.image.image }}:{{ .Values.image.tag }}" --- -2.29.2 - diff --git a/portieris-helm/files/0006-Add-toleration-to-deployment-and-jobs.patch b/portieris-helm/files/0006-Add-toleration-to-deployment-and-jobs.patch deleted file mode 100644 index 43ee792..0000000 --- a/portieris-helm/files/0006-Add-toleration-to-deployment-and-jobs.patch +++ /dev/null @@ -1,119 +0,0 @@ -From ed8b4b884a2a73b07934461206db66adf8da8218 Mon Sep 17 00:00:00 2001 -From: Boovan Rajendran -Date: Fri, 28 Oct 2022 10:37:56 -0400 -Subject: [PATCH] Add toleration to deployment and jobs - -The tolerations address the nodeselectors for kubernetes versions 1.24 and earlier. - -Signed-off-by: Rafael Camargos ---- - .../admission-webhooks/create-admission-webhooks.yaml | 3 +++ - .../admission-webhooks/delete-admission-webhooks.yaml | 3 +++ - helm/portieris/templates/crd-creation/create-crds.yaml | 3 +++ - helm/portieris/templates/crd-creation/delete-crds.yaml | 3 +++ - .../templates/crd-creation/validate-crd-creation.yaml | 3 +++ - helm/portieris/templates/default/create-default-policies.yaml | 3 +++ - helm/portieris/templates/deployment.yaml | 3 +++ - 7 files changed, 21 insertions(+) - -diff --git a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml -index fe3e5c2..6674602 100644 ---- a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml -+++ b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml -@@ -31,6 +31,9 @@ spec: - - key: "node-role.kubernetes.io/master" - operator: "Exists" - effect: "NoSchedule" -+ - key: "node-role.kubernetes.io/control-plane" -+ operator: "Exists" -+ effect: "NoSchedule" - containers: - - name: hyperkube - image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}" -diff --git a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml -index e8edc3d..abd1538 100644 ---- a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml -+++ b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml -@@ -27,6 +27,9 @@ spec: - - key: "node-role.kubernetes.io/master" - operator: "Exists" - effect: "NoSchedule" -+ - key: "node-role.kubernetes.io/control-plane" -+ operator: "Exists" -+ effect: "NoSchedule" - containers: - - name: hyperkube - image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}" -diff --git a/helm/portieris/templates/crd-creation/create-crds.yaml b/helm/portieris/templates/crd-creation/create-crds.yaml -index 2033ee6..1237920 100644 ---- a/helm/portieris/templates/crd-creation/create-crds.yaml -+++ b/helm/portieris/templates/crd-creation/create-crds.yaml -@@ -27,6 +27,9 @@ spec: - - key: "node-role.kubernetes.io/master" - operator: "Exists" - effect: "NoSchedule" -+ - key: "node-role.kubernetes.io/control-plane" -+ operator: "Exists" -+ effect: "NoSchedule" - containers: - - name: hyperkube - image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}" -diff --git a/helm/portieris/templates/crd-creation/delete-crds.yaml b/helm/portieris/templates/crd-creation/delete-crds.yaml -index 894598a..b0a3c0a 100644 ---- a/helm/portieris/templates/crd-creation/delete-crds.yaml -+++ b/helm/portieris/templates/crd-creation/delete-crds.yaml -@@ -27,6 +27,9 @@ spec: - - key: "node-role.kubernetes.io/master" - operator: "Exists" - effect: "NoSchedule" -+ - key: "node-role.kubernetes.io/control-plane" -+ operator: "Exists" -+ effect: "NoSchedule" - containers: - - name: hyperkube - image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}" -diff --git a/helm/portieris/templates/crd-creation/validate-crd-creation.yaml b/helm/portieris/templates/crd-creation/validate-crd-creation.yaml -index 58e501e..430c1ab 100644 ---- a/helm/portieris/templates/crd-creation/validate-crd-creation.yaml -+++ b/helm/portieris/templates/crd-creation/validate-crd-creation.yaml -@@ -27,6 +27,9 @@ spec: - - key: "node-role.kubernetes.io/master" - operator: "Exists" - effect: "NoSchedule" -+ - key: "node-role.kubernetes.io/control-plane" -+ operator: "Exists" -+ effect: "NoSchedule" - containers: - - name: hyperkube - image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}" -diff --git a/helm/portieris/templates/default/create-default-policies.yaml b/helm/portieris/templates/default/create-default-policies.yaml -index fae1597..6f55ccc 100644 ---- a/helm/portieris/templates/default/create-default-policies.yaml -+++ b/helm/portieris/templates/default/create-default-policies.yaml -@@ -27,6 +27,9 @@ spec: - - key: "node-role.kubernetes.io/master" - operator: "Exists" - effect: "NoSchedule" -+ - key: "node-role.kubernetes.io/control-plane" -+ operator: "Exists" -+ effect: "NoSchedule" - containers: - - name: hyperkube - image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}" -diff --git a/helm/portieris/templates/deployment.yaml b/helm/portieris/templates/deployment.yaml -index e6c4184..7835f29 100644 ---- a/helm/portieris/templates/deployment.yaml -+++ b/helm/portieris/templates/deployment.yaml -@@ -29,6 +29,9 @@ spec: - - key: "node-role.kubernetes.io/master" - operator: "Exists" - effect: "NoSchedule" -+ - key: "node-role.kubernetes.io/control-plane" -+ operator: "Exists" -+ effect: "NoSchedule" - containers: - - name: {{ .Chart.Name }} - image: "{{ .Values.image.host | default "docker.io/ibmcom" }}/{{ .Values.image.image }}:{{ .Values.image.tag }}" --- -2.25.1 - diff --git a/stx-portieris-helm/stx-portieris-helm/fluxcd-manifests/portieris/helmrelease.yaml b/stx-portieris-helm/stx-portieris-helm/fluxcd-manifests/portieris/helmrelease.yaml index 5773896..f8b0f9b 100644 --- a/stx-portieris-helm/stx-portieris-helm/fluxcd-manifests/portieris/helmrelease.yaml +++ b/stx-portieris-helm/stx-portieris-helm/fluxcd-manifests/portieris/helmrelease.yaml @@ -15,7 +15,7 @@ spec: chart: spec: chart: portieris - version: 0.7.0 + version: 0.13.1 sourceRef: kind: HelmRepository name: stx-platform diff --git a/stx-portieris-helm/stx-portieris-helm/fluxcd-manifests/portieris/portieris-static-overrides.yaml b/stx-portieris-helm/stx-portieris-helm/fluxcd-manifests/portieris/portieris-static-overrides.yaml index 8975f22..982ede0 100644 --- a/stx-portieris-helm/stx-portieris-helm/fluxcd-manifests/portieris/portieris-static-overrides.yaml +++ b/stx-portieris-helm/stx-portieris-helm/fluxcd-manifests/portieris/portieris-static-overrides.yaml @@ -8,13 +8,15 @@ replicaCount: 3 namespace: portieris images: tags: - portieris: docker.io/starlingx/portieris:stx.5.0-v0.7.0 + portieris: icr.io/portieris/portieris:v0.13.1 image: - host: registry.local:9001/docker.io/starlingx + host: registry.local:9001/icr.io/portieris + pullSecret: default-registry-key image: portieris - tags: stx.5.0-v0.7.0 - tag: stx.5.0-v0.7.0 -IBMContainerService: false + tag: v0.13.1 +tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" SkipSecretCreation: true UseCertManager: true -