Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Control the policy controller monitoring resources from chart, enhanc… #1687

Open
wants to merge 24 commits into
base: main
Choose a base branch
from
Open

Control the policy controller monitoring resources from chart, enhanc… #1687

wants to merge 24 commits into from

Conversation

senanz
Copy link

@senanz senanz commented Nov 3, 2024
edited
Loading

…ment for the current implmentation to hadd all the resources by default, The new change add avail to pass resourcesNames through the chart with list of resources comma sperataed for which resources to be monitored by the policy controller, the default is all resources if the flag wasn't presented in the chart

This PR resolves #1388

Signed-off-by: Senan Zedan (EXT-Nokia) [email protected]

Summary

The new change add avail to pass resourcesNames through the chart with list of resources comma sperataed for which resources to be monitored by the policy controller, the default is all resources if the flag wasn't presented in the chart

codysoyland and others added 3 commits November 3, 2024 15:06
@codysoyland
Add check for ACR registry in ACR credential helper (sigstore#1658)
44b4cc6 
Signed-off-by: Cody Soyland <[email protected]>
Signed-off-by: Senan Zedan (EXT-Nokia) <[email protected]>
@dependabot
chore(deps): Bump google-github-actions/auth from 2.1.6 to 2.1.7 (sig…
7895e28 
…store#1683)

Bumps [google-github-actions/auth](https://github.com/google-github-actions/auth) from 2.1.6 to 2.1.7.
- [Release notes](https://github.com/google-github-actions/auth/releases)
- [Changelog](https://github.com/google-github-actions/auth/blob/main/CHANGELOG.md)
- [Commits](google-github-actions/auth@8254fb7...6fc4af4)

---
updated-dependencies:
- dependency-name: google-github-actions/auth
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Senan Zedan (EXT-Nokia) <[email protected]>
Control the policy controller monitoring resources from chart, enhanc…
513fa0c 
…ment for the current implmentation to hadd all the resources by default, The new change add avail to pass resourcesNames through the chart with list of resources comma sperataed for which resources to be monitored by the policy controller, the default is all resources if the flag wasn't presented in the chart

Signed-off-by: Senan Zedan (EXT-Nokia) <[email protected]>
@senanz senanz mentioned this pull request Nov 3, 2024
Open
@senanz
Copy link
Author

senanz commented Nov 11, 2024

@vaikas - Could you please look into this?

@vaikas
Copy link
Collaborator

vaikas commented Nov 11, 2024

Could you add some tests, maybe here: https://github.com/sigstore/policy-controller/tree/main/test

@senanz
Copy link
Author

senanz commented Nov 12, 2024

@vaikas - per your request, test added.

@vaikas
Copy link
Collaborator

vaikas commented Nov 12, 2024

@vaikas - per your request, test added.

That does not really test any of this new code. You'd have to add a test that launches policy controller with these new flags, here's one example where we change the policy-controller behaviour by the flags:

policy-controller/.github/workflows/kind-cluster-image-policy-tsa.yaml

Line 125 in b3af2f0

# Install policy-controller that does not have TUF embedded or installed.

So, create a new kustomize file that launches policy controller with say --resource-name=pods, and customize it like here:

policy-controller/.github/workflows/kind-cluster-image-policy-tsa.yaml

Line 136 in b3af2f0

kustomize build test/kustomize-no-tuf | kubectl apply -f -

And then after the policy-controller has been started with the flags under test, you'd run your new test:

policy-controller/.github/workflows/kind-cluster-image-policy-tsa.yaml

Line 177 in b3af2f0

./test/e2e_test_cluster_image_policy_with_tsa.sh

It should at the bare minimum have a negative test and a positive test. So, if you're using resource-name pods, then launching a deployment with a failing config should succeed if you instead launch a pod.

vaikas
vaikas requested changes Nov 29, 2024
View reviewed changes
Copy link
Collaborator

@vaikas vaikas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking great! There's just some nits for naming, namespaces. One change that should be made it so make sure the tag->digest resolution does not actually happen. The webhook configuration is a good check, but it's easy enough to also make sure the actual resource (deployment) does not get modified.

.github/workflows/kind-cluster-custom-resources.yaml Outdated Show resolved Hide resolved
.github/workflows/kind-cluster-custom-resources.yaml Show resolved Hide resolved
.github/workflows/kind-cluster-custom-resources.yaml Outdated Show resolved Hide resolved
.github/workflows/kind-cluster-custom-resources.yaml Show resolved Hide resolved
test/e2e_test_policy_custom_resource.sh Show resolved Hide resolved
test/testdata/policy-controller/e2e/test-deployment-with-custom-resource.yaml Outdated Show resolved Hide resolved
test/testdata/policy-controller/e2e/test-deployment-with-custom-resource.yaml Outdated Show resolved Hide resolved
@codecov Codecov
Copy link

codecov bot commented Dec 9, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 0% with 26 lines in your changes missing coverage. Please review.

Project coverage is 42.66%. Comparing base (50ef092) to head (aa63abe).
Report is 296 commits behind head on main.

Files with missing lines Patch % Lines
cmd/webhook/main.go 0.00% 26 Missing ⚠️
Additional details and impacted files 
@@             Coverage Diff             @@
##             main    #1687       +/-   ##
===========================================
- Coverage   52.92%   42.66%   -10.27%     
===========================================
  Files          44      121       +77     
  Lines        3979     9010     +5031     
===========================================
+ Hits         2106     3844     +1738     
- Misses       1651     4811     +3160     
- Partials      222      355      +133

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@vaikas
Copy link
Collaborator

vaikas commented Dec 9, 2024

Looks like some of the changes I requested, and you marked as fixed have not made it in to this PR 🤔 ?

Also, looks like bunch of sed commands are failing, for example:
https://github.com/sigstore/policy-controller/actions/runs/12234409121/job/34140387122?pr=1687#step:14:132

@senanz
Copy link
Author

senanz commented Dec 9, 2024 via email

@senanz
Copy link
Author

senanz commented Dec 12, 2024

apolofize for the delay, updated.

@senanz senanz requested a review from vaikas December 12, 2024 12:58
vaikas
vaikas reviewed Dec 20, 2024
View reviewed changes
cmd/webhook/main.go Outdated Show resolved Hide resolved
cmd/webhook/main.go Outdated Show resolved Hide resolved
.github/workflows/kind-cluster-custom-resources.yaml Show resolved Hide resolved
@senanz senanz requested a review from vaikas December 22, 2024 21:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vaikas vaikas Awaiting requested review from vaikas

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Verify only pods
3 participants
@senanz @vaikas @codysoyland