Dependency Updates (#474)

Signed-off-by: Frank Jogeleit <frank.jogeleit@lovoo.com>

backend/pkg/cluster/wrapper.go

@@ -9,7 +9,7 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/kubernetes"
-	corev1 "k8s.io/client-go/kubernetes/typed/core/v1"
+	eventsv1 "k8s.io/client-go/kubernetes/typed/events/v1"
 )
 
 // Overwrite write actions to dry run
@@ -23,7 +23,7 @@ func (c *Client) GetKubeClient() kubernetes.Interface {
 	return c.inner.GetKubeClient()
 }
 
-func (c *Client) GetEventsInterface() corev1.EventInterface {
+func (c *Client) GetEventsInterface() eventsv1.EventsV1Interface {
 	return c.inner.GetEventsInterface()
 }
 
@@ -79,6 +79,14 @@ func (c *Client) UpdateStatusResource(ctx context.Context, apiVersion string, ki
 	return c.fake.UpdateStatusResource(ctx, apiVersion, kind, namespace, obj, dryRun)
 }
 
+func (c *Client) ApplyResource(ctx context.Context, apiVersion string, kind string, namespace string, name string, obj interface{}, dryRun bool, fieldManager string, subresources ...string) (*unstructured.Unstructured, error) {
+	return c.fake.ApplyResource(ctx, apiVersion, kind, namespace, name, obj, dryRun, fieldManager, subresources...)
+}
+
+func (c *Client) ApplyStatusResource(ctx context.Context, apiVersion string, kind string, namespace string, name string, obj interface{}, dryRun bool, fieldManager string) (*unstructured.Unstructured, error) {
+	return c.fake.ApplyStatusResource(ctx, apiVersion, kind, namespace, name, obj, dryRun, fieldManager)
+}
+
 func NewWrapper(client dclient.Interface) dclient.Interface {
 	return &Client{
 		inner: client,

backend/pkg/engine/mocks/contextloader.go

@@ -7,31 +7,33 @@ import (
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
 	"github.com/kyverno/kyverno/pkg/engine/jmespath"
+	"github.com/kyverno/kyverno/pkg/imageverifycache"
 )
 
-type withoutApiCalls struct {
+type withoutAPICalls struct {
 	next engineapi.ContextLoader
 }
 
-func WithoutApiCalls(next engineapi.ContextLoader) engineapi.ContextLoader {
-	return withoutApiCalls{
+func WithoutAPICalls(next engineapi.ContextLoader) engineapi.ContextLoader {
+	return withoutAPICalls{
 		next: next,
 	}
 }
 
-func (cl withoutApiCalls) Load(
+func (cl withoutAPICalls) Load(
 	ctx context.Context,
 	jp jmespath.Interface,
 	client engineapi.RawClient,
-	imgClient engineapi.ImageDataClient,
+	rclientFactory engineapi.RegistryClientFactory,
+	ivCache imageverifycache.Client,
 	contextEntries []kyvernov1.ContextEntry,
 	jsonContext enginecontext.Interface,
 ) error {
-	var contextEntriesWithoutApiCalls []kyvernov1.ContextEntry
+	var contextEntriesWithoutAPICalls []kyvernov1.ContextEntry
 	for _, entry := range contextEntries {
 		if entry.APICall == nil {
-			contextEntriesWithoutApiCalls = append(contextEntriesWithoutApiCalls, entry)
+			contextEntriesWithoutAPICalls = append(contextEntriesWithoutAPICalls, entry)
 		}
 	}
-	return cl.next.Load(ctx, jp, client, imgClient, contextEntriesWithoutApiCalls, jsonContext)
+	return cl.next.Load(ctx, jp, client, rclientFactory, ivCache, contextEntriesWithoutAPICalls, jsonContext)
 }

backend/pkg/engine/mocks/contextloaderfactory.go

@@ -3,13 +3,14 @@ package mocks
 import (
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
+	"github.com/kyverno/kyverno/pkg/engine/factories"
 )
 
 func ContextLoaderFactory(cmResolver engineapi.ConfigmapResolver) engineapi.ContextLoaderFactory {
-	next := engineapi.DefaultContextLoaderFactory(cmResolver)
+	next := factories.DefaultContextLoaderFactory(cmResolver)
 	return func(policy kyvernov1.PolicyInterface, rule kyvernov1.Rule) engineapi.ContextLoader {
 		chain := next(policy, rule)
-		chain = WithoutApiCalls(chain)
+		chain = WithoutAPICalls(chain)
 		return chain
 	}
 }

backend/pkg/engine/mocks/imagedata.go

@@ -5,28 +5,31 @@ import (
 	"encoding/json"
 	"fmt"
 
+	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
+	"github.com/kyverno/kyverno/pkg/engine/adapters"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
+	"github.com/kyverno/kyverno/pkg/registryclient"
 
 	"github.com/kyverno/playground/backend/pkg/engine/models"
 )
 
-type imageDataClient struct {
-	next      engineapi.ImageDataClient
+type registryClientAdapter struct {
+	engineapi.RegistryClient
 	imageData map[string]models.ImageData
 }
 
-func ImageDataClient(next engineapi.ImageDataClient, imageData map[string]models.ImageData) engineapi.ImageDataClient {
+func ImageDataClient(next engineapi.RegistryClient, imageData map[string]models.ImageData) engineapi.RegistryClient {
 	if next == nil {
 		return nil
 	}
-	return imageDataClient{
-		next:      next,
-		imageData: imageData,
+	return registryClientAdapter{
+		RegistryClient: next,
+		imageData:      imageData,
 	}
 }
 
-func (c imageDataClient) ForRef(ctx context.Context, ref string) (*engineapi.ImageData, error) {
-	if data, err := c.next.ForRef(ctx, ref); err == nil {
+func (c registryClientAdapter) ForRef(ctx context.Context, ref string) (*engineapi.ImageData, error) {
+	if data, err := c.RegistryClient.ForRef(ctx, ref); err == nil {
 		return data, err
 	}
 	if c.imageData == nil {
@@ -54,3 +57,17 @@ func (c imageDataClient) ForRef(ctx context.Context, ref string) (*engineapi.Ima
 		Manifest:      manifest,
 	}, nil
 }
+
+type registryClientFactory struct {
+	client engineapi.RegistryClient
+}
+
+func (f *registryClientFactory) GetClient(_ context.Context, _ *kyvernov1.ImageRegistryCredentials) (engineapi.RegistryClient, error) {
+	return f.client, nil
+}
+
+func NewRegistryClientFactory(rclient registryclient.Client, imageData map[string]models.ImageData) engineapi.RegistryClientFactory {
+	return &registryClientFactory{
+		client: &registryClientAdapter{RegistryClient: adapters.RegistryClient(rclient), imageData: imageData},
+	}
+}

backend/pkg/engine/mocks/toggles.go

@@ -5,12 +5,14 @@ import "github.com/kyverno/kyverno/pkg/toggle"
 type toggles struct {
 	protectManagedResources  bool
 	forceFailurePolicyIgnore bool
+	enableDeferredLoading    bool
 }
 
-func Toggles(protectManagedResources, forceFailurePolicyIgnore bool) toggle.Toggles {
+func Toggles(protectManagedResources, forceFailurePolicyIgnore, enableDeferredLoading bool) toggle.Toggles {
 	return toggles{
 		protectManagedResources:  protectManagedResources,
 		forceFailurePolicyIgnore: forceFailurePolicyIgnore,
+		enableDeferredLoading:    enableDeferredLoading,
 	}
 }
 
@@ -21,3 +23,7 @@ func (t toggles) ProtectManagedResources() bool {
 func (t toggles) ForceFailurePolicyIgnore() bool {
 	return t.forceFailurePolicyIgnore
 }
+
+func (t toggles) EnableDeferredLoading() bool {
+	return t.enableDeferredLoading
+}

backend/pkg/engine/models/enableDeferredLoading.go

@@ -0,0 +1,5 @@
+package models
+
+type EnableDeferredLoading struct {
+	Enabled bool `json:"enabled"`
+}

backend/pkg/engine/models/flags.go

@@ -6,4 +6,5 @@ type Flags struct {
 	Registry                 Registry                 `json:"registry"`
 	ProtectManagedResources  ProtectManagedResources  `json:"protectManagedResources"`
 	ForceFailurePolicyIgnore ForceFailurePolicyIgnore `json:"forceFailurePolicyIgnore"`
+	EnableDeferredLoading    EnableDeferredLoading    `json:"enableDeferredLoading"`
 }

backend/pkg/engine/models/response.go

@@ -1,7 +1,7 @@
 package models
 
 import (
-	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
+	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 
@@ -11,7 +11,7 @@ type Response struct {
 	// Resource is the original resource
 	Resource unstructured.Unstructured `json:"resource"`
 	// Policy is the original policy
-	Policy kyvernov1.PolicyInterface `json:"policy"`
+	Policy engineapi.GenericPolicy `json:"policy"`
 	// namespaceLabels given by policy context
 	NamespaceLabels map[string]string `json:"namespaceLabels"`
 	// PatchedResource is the resource patched with the engine action changes

backend/pkg/engine/processor.go

@@ -18,6 +18,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/engine/jmespath"
 	"github.com/kyverno/kyverno/pkg/engine/mutate/patch"
 	"github.com/kyverno/kyverno/pkg/engine/policycontext"
+	"github.com/kyverno/kyverno/pkg/imageverifycache"
 	"github.com/kyverno/kyverno/pkg/registryclient"
 	"github.com/kyverno/kyverno/pkg/toggle"
 	jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
@@ -49,7 +50,11 @@ func (p *Processor) Run(
 	resources []unstructured.Unstructured,
 	oldResources []unstructured.Unstructured,
 ) (*models.Results, error) {
-	ctx = toggle.NewContext(ctx, mocks.Toggles(p.params.Flags.ProtectManagedResources.Enabled, p.params.Flags.ForceFailurePolicyIgnore.Enabled))
+	ctx = toggle.NewContext(ctx, mocks.Toggles(
+		p.params.Flags.ProtectManagedResources.Enabled,
+		p.params.Flags.ForceFailurePolicyIgnore.Enabled,
+		p.params.Flags.EnableDeferredLoading.Enabled,
+	))
 	if violations := validatePolicies(policies); len(violations) > 0 {
 		return nil, PolicyViolationError{Violations: violations}
 	}
@@ -345,8 +350,8 @@ func newEngine(
 	cfg config.Configuration,
 	jp jmespath.Interface,
 	client engineapi.Client,
-	imgClient engineapi.ImageDataClient,
-	rclient registryclient.Client,
+	ivClient imageverifycache.Client,
+	rclient engineapi.RegistryClientFactory,
 	factory engineapi.ContextLoaderFactory,
 	exceptionSelector engineapi.PolicyExceptionSelector,
 	imageSignatureRepository string,
@@ -356,8 +361,8 @@ func newEngine(
 		config.NewDefaultMetricsConfiguration(),
 		jp,
 		client,
-		imgClient,
 		rclient,
+		ivClient,
 		factory,
 		exceptionSelector,
 		imageSignatureRepository,
@@ -381,13 +386,18 @@ func NewProcessor(
 	if err != nil {
 		return nil, err
 	}
-	imgClient := mocks.ImageDataClient(adapters.ImageDataClient(rclient), params.ImageData)
+
+	ivClient, err := imageverifycache.New(imageverifycache.WithCacheEnableFlag(true))
+	if err != nil {
+		return nil, err
+	}
+
 	engine, err := newEngine(
 		cfg,
 		jp,
 		adapters.Client(dClient),
-		imgClient,
-		rclient,
+		ivClient,
+		mocks.NewRegistryClientFactory(rclient, params.ImageData),
 		mocks.ContextLoaderFactory(cmResolver),
 		exceptionSelector,
 		params.Flags.Cosign.ImageSignatureRepository,

backend/pkg/engine/wrapper.go

@@ -11,7 +11,7 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/kubernetes"
-	corev1 "k8s.io/client-go/kubernetes/typed/core/v1"
+	eventsv1 "k8s.io/client-go/kubernetes/typed/events/v1"
 )
 
 // Overwrite write actions to dry run
@@ -26,7 +26,7 @@ func (c *Client) GetKubeClient() kubernetes.Interface {
 	return c.inner.GetKubeClient()
 }
 
-func (c *Client) GetEventsInterface() corev1.EventInterface {
+func (c *Client) GetEventsInterface() eventsv1.EventsV1Interface {
 	return c.inner.GetEventsInterface()
 }
 
@@ -97,6 +97,24 @@ func (c *Client) UpdateStatusResource(_ context.Context, _ string, _ string, _ s
 	return nil, nil
 }
 
+func (c *Client) ApplyResource(_ context.Context, _, _, _, _ string, obj interface{}, _ bool, _ string, _ ...string) (*unstructured.Unstructured, error) {
+	if o, ok := obj.(*unstructured.Unstructured); ok {
+		c.addObject(o)
+		return o, nil
+	}
+
+	return nil, nil
+}
+
+func (c *Client) ApplyStatusResource(_ context.Context, _, _, _, _ string, obj interface{}, _ bool, _ string) (*unstructured.Unstructured, error) {
+	if o, ok := obj.(*unstructured.Unstructured); ok {
+		c.addObject(o)
+		return o, nil
+	}
+
+	return nil, nil
+}
+
 func (c *Client) addObject(obj *unstructured.Unstructured) {
 	c.mx.Lock()
 	defer c.mx.Unlock()

backend/pkg/resource/loader/loader.go

@@ -40,7 +40,6 @@ func (l *loader) Load(document []byte) (unstructured.Unstructured, error) {
 	}
 	validator, err := l.factory.ValidatorsForGVK(gvk)
 	if err != nil {
-		fmt.Println(err)
 		return unstructured.Unstructured{}, err
 	}
 	decoder, err := validator.Decoder(gvk)
@@ -56,5 +55,17 @@ func (l *loader) Load(document []byte) (unstructured.Unstructured, error) {
 	if err != nil {
 		return unstructured.Unstructured{}, err
 	}
+
+	c := result.UnstructuredContent()
+	if m, ok := c["metadata"]; ok {
+		if mm, ok := m.(map[string]any); ok {
+			if cT, ok := mm["creationTimestamp"]; ok {
+				if _, ok := cT.(map[string]any); ok {
+					mm["creationTimestamp"] = nil
+				}
+			}
+		}
+	}
+
 	return result, err
 }

backend/pkg/resource/loader/loader_test.go

@@ -18,7 +18,7 @@ import (
 
 type errClient struct{}
 
-func (_ errClient) Paths() (map[string]openapi.GroupVersion, error) {
+func (errClient) Paths() (map[string]openapi.GroupVersion, error) {
 	return nil, errors.New("error")
 }
 
@@ -63,25 +63,13 @@ func TestNew(t *testing.T) {
 			}
 		}(),
 	}, {
-		name:   "composite - err client",
-		client: openapiclient.NewComposite(errClient{}),
-		want: func() Loader {
-			factory, err := validatorfactory.New(openapiclient.NewComposite(errClient{}))
-			require.NoError(t, err)
-			return &loader{
-				factory: factory,
-			}
-		}(),
+		name:    "composite - err client",
+		client:  openapiclient.NewComposite(errClient{}),
+		wantErr: true,
 	}, {
-		name:   "composite - with err client",
-		client: openapiclient.NewComposite(openapiclient.NewHardcodedBuiltins("1.27"), errClient{}),
-		want: func() Loader {
-			factory, err := validatorfactory.New(openapiclient.NewComposite(openapiclient.NewHardcodedBuiltins("1.27"), errClient{}))
-			require.NoError(t, err)
-			return &loader{
-				factory: factory,
-			}
-		}(),
+		name:    "composite - with err client",
+		client:  openapiclient.NewComposite(openapiclient.NewHardcodedBuiltins("1.27"), errClient{}),
+		wantErr: true,
 	}, {
 		name:   "composite - invalid local",
 		client: openapiclient.NewComposite(openapiclient.NewLocalSchemaFiles(data.Schemas(), "blam")),