Add image repository access control list to API

- add `AccessFrom` to ImageRepositorySpec for granting cross-namespace access to repositories - change `ImageRepositoryRef` type from local reference to namespaced reference Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-08-06 11:51:02 +03:00 · 2021-08-06 11:51:02 +03:00 · 52960ab911
parent 7084da9283
commit 52960ab911
6 changed files with 175 additions and 5 deletions
--- a/api/v1beta1/imagepolicy_types.go
+++ b/api/v1beta1/imagepolicy_types.go
@ -30,7 +30,7 @@ type ImagePolicySpec struct {
 	// ImageRepositoryRef points at the object specifying the image
 	// being scanned
 	// +required
-	ImageRepositoryRef meta.LocalObjectReference `json:"imageRepositoryRef"`
+	ImageRepositoryRef meta.NamespacedObjectReference `json:"imageRepositoryRef"`
 	// Policy gives the particulars of the policy to be followed in
 	// selecting the most recent image
 	// +required
--- a/api/v1beta1/imagerepository_types.go
+++ b/api/v1beta1/imagerepository_types.go
@ -67,6 +67,19 @@ type ImageRepositorySpec struct {
 	// It does not apply to already started scans. Defaults to false.
 	// +optional
 	Suspend bool `json:"suspend,omitempty"`
+
+	// AccessFrom defines an ACL for allowing cross-namespace references
+	// to the ImageRepository object based on the caller's namespace labels.
+	// +optional
+	AccessFrom *AccessFrom `json:"accessFrom,omitempty"`
+}
+
+type AccessFrom struct {
+	NamespaceSelectors []NamespaceSelector `json:"namespaceSelector,omitempty"`
+}
+
+type NamespaceSelector struct {
+	MatchLabels map[string]string `json:"matchLabels,omitempty"`
 }

 type ScanResult struct {
--- a/api/v1beta1/zz_generated.deepcopy.go
+++ b/api/v1beta1/zz_generated.deepcopy.go
@ -26,6 +26,28 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AccessFrom) DeepCopyInto(out *AccessFrom) {
+	*out = *in
+	if in.NamespaceSelectors != nil {
+		in, out := &in.NamespaceSelectors, &out.NamespaceSelectors
+		*out = make([]NamespaceSelector, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AccessFrom.
+func (in *AccessFrom) DeepCopy() *AccessFrom {
+	if in == nil {
+		return nil
+	}
+	out := new(AccessFrom)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AlphabeticalPolicy) DeepCopyInto(out *AlphabeticalPolicy) {
 	*out = *in
@ -252,6 +274,11 @@ func (in *ImageRepositorySpec) DeepCopyInto(out *ImageRepositorySpec) {
 		*out = new(meta.LocalObjectReference)
 		**out = **in
 	}
+	if in.AccessFrom != nil {
+		in, out := &in.AccessFrom, &out.AccessFrom
+		*out = new(AccessFrom)
+		(*in).DeepCopyInto(*out)
+	}
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageRepositorySpec.
@ -292,6 +319,28 @@ func (in *ImageRepositoryStatus) DeepCopy() *ImageRepositoryStatus {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NamespaceSelector) DeepCopyInto(out *NamespaceSelector) {
+	*out = *in
+	if in.MatchLabels != nil {
+		in, out := &in.MatchLabels, &out.MatchLabels
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespaceSelector.
+func (in *NamespaceSelector) DeepCopy() *NamespaceSelector {
+	if in == nil {
+		return nil
+	}
+	out := new(NamespaceSelector)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NumericalPolicy) DeepCopyInto(out *NumericalPolicy) {
 	*out = *in
--- a/config/crd/bases/image.toolkit.fluxcd.io_imagepolicies.yaml
+++ b/config/crd/bases/image.toolkit.fluxcd.io_imagepolicies.yaml
@ -324,6 +324,9 @@ spec:
                  name:
                    description: Name of the referent
                    type: string
+                  namespace:
+                    description: Namespace of the referent, when not specified it acts as LocalObjectReference
+                    type: string
                required:
                - name
                type: object
--- a/config/crd/bases/image.toolkit.fluxcd.io_imagerepositories.yaml
+++ b/config/crd/bases/image.toolkit.fluxcd.io_imagerepositories.yaml
@ -293,6 +293,19 @@ spec:
          spec:
            description: ImageRepositorySpec defines the parameters for scanning an image repository, e.g., `fluxcd/flux`.
            properties:
+              accessFrom:
+                description: AccessFrom defines an ACL for allowing cross-namespace references to the ImageRepository object based on the caller's namespace labels.
+                properties:
+                  namespaceSelector:
+                    items:
+                      properties:
+                        matchLabels:
+                          additionalProperties:
+                            type: string
+                          type: object
+                      type: object
+                    type: array
+                type: object
              certSecretRef:
                description: "CertSecretRef can be given the name of a secret containing either or both of \n  - a PEM-encoded client certificate (`certFile`) and private  key (`keyFile`);  - a PEM-encoded CA certificate (`caFile`) \n  and whichever are supplied, will be used for connecting to the  registry. The client cert and key are useful if you are  authenticating with a certificate; the CA cert is useful if  you are using a self-signed server certificate."
                properties:
--- a/docs/api/image-reflector.md
+++ b/docs/api/image-reflector.md
@ -12,6 +12,38 @@ OCI image repositories into a cluster, so they can be consulted for
 e.g., automation.</p>
 Resource Types:
 <ul class="simple"></ul>
+<h3 id="image.toolkit.fluxcd.io/v1beta1.AccessFrom">AccessFrom
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#image.toolkit.fluxcd.io/v1beta1.ImageRepositorySpec">ImageRepositorySpec</a>)
+</p>
+<div class="md-typeset__scrollwrap">
+<div class="md-typeset__table">
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>namespaceSelector</code><br>
+<em>
+<a href="#image.toolkit.fluxcd.io/v1beta1.NamespaceSelector">
+[]NamespaceSelector
+</a>
+</em>
+</td>
+<td>
+</td>
+</tr>
+</tbody>
+</table>
+</div>
+</div>
 <h3 id="image.toolkit.fluxcd.io/v1beta1.AlphabeticalPolicy">AlphabeticalPolicy
 </h3>
 <p>
@ -91,8 +123,8 @@ ImagePolicySpec
 <td>
 <code>imageRepositoryRef</code><br>
 <em>
-<a href="https://godoc.org/github.com/fluxcd/pkg/apis/meta#LocalObjectReference">
-github.com/fluxcd/pkg/apis/meta.LocalObjectReference
+<a href="https://godoc.org/github.com/fluxcd/pkg/apis/meta#NamespacedObjectReference">
+github.com/fluxcd/pkg/apis/meta.NamespacedObjectReference
 </a>
 </em>
 </td>
@ -237,8 +269,8 @@ ImagePolicy</p>
 <td>
 <code>imageRepositoryRef</code><br>
 <em>
-<a href="https://godoc.org/github.com/fluxcd/pkg/apis/meta#LocalObjectReference">
-github.com/fluxcd/pkg/apis/meta.LocalObjectReference
+<a href="https://godoc.org/github.com/fluxcd/pkg/apis/meta#NamespacedObjectReference">
+github.com/fluxcd/pkg/apis/meta.NamespacedObjectReference
 </a>
 </em>
 </td>
@ -473,6 +505,21 @@ bool
 It does not apply to already started scans. Defaults to false.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>accessFrom</code><br>
+<em>
+<a href="#image.toolkit.fluxcd.io/v1beta1.AccessFrom">
+AccessFrom
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>AccessFrom defines an ACL for allowing cross-namespace references
+to the ImageRepository object based on the caller&rsquo;s namespace labels.</p>
+</td>
+</tr>
 </table>
 </td>
 </tr>
@ -604,6 +651,21 @@ bool
 It does not apply to already started scans. Defaults to false.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>accessFrom</code><br>
+<em>
+<a href="#image.toolkit.fluxcd.io/v1beta1.AccessFrom">
+AccessFrom
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>AccessFrom defines an ACL for allowing cross-namespace references
+to the ImageRepository object based on the caller&rsquo;s namespace labels.</p>
+</td>
+</tr>
 </tbody>
 </table>
 </div>
@ -697,6 +759,36 @@ github.com/fluxcd/pkg/apis/meta.ReconcileRequestStatus
 </table>
 </div>
 </div>
+<h3 id="image.toolkit.fluxcd.io/v1beta1.NamespaceSelector">NamespaceSelector
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#image.toolkit.fluxcd.io/v1beta1.AccessFrom">AccessFrom</a>)
+</p>
+<div class="md-typeset__scrollwrap">
+<div class="md-typeset__table">
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>matchLabels</code><br>
+<em>
+map[string]string
+</em>
+</td>
+<td>
+</td>
+</tr>
+</tbody>
+</table>
+</div>
+</div>
 <h3 id="image.toolkit.fluxcd.io/v1beta1.NumericalPolicy">NumericalPolicy
 </h3>
 <p>