kwctl is the go-to CLI tool for Kubewarden users.

Kubewarden

Last update: Dec 21, 2022

Related tags

Command-line kwctl

Overview

`kwctl`

kwctl is the go-to CLI tool for Kubewarden users.

Think of it as the docker CLI tool if you were working with containers.

How does `kwctl` help me?

As a policy author

e2e testing of your policy. Test your policy against crafted Kubernetes requests, and ensure your policy behaves as you expect. You can even test context-aware policies, that require access to a running cluster.
Embed metadata in your Wasm module, so the binary is annotated with the permissions it needs to execute.
Publish policies to OCI registries.
Generate initial ClusterAdmissionPolicy scaffolding for your policy.

As a cluster administrator

Inspect remote policies. Given a policy in an OCI registry, or in an HTTP server, show all static information about the policy.
Dry-run of a policy in your cluster. Test the policy against crafted Kubernetes requests, and ensure the policy behaves as you expect given the input data you provide. You can even test context-aware policies, that require access to a running cluster, also in a dry-run mode.
Generate ClusterAdmissionPolicy scaffolding for a given policy.

Everyone

The UX of this tool is intended to be as easy and intuitive as possible.

Comments

AWS ECR Authorization not recognized after Docker Login
Is there an existing issue for this?

[X] I have searched the existing issues

Current Behavior

When trying to interact with aws ECR to push or pull an artifact I'm getting a 401 unauthorized even after a successful docker login and display of ability to push/pull normal docker images. Verified a few things over on the slack channel so I'll repeat them here for simplicity:

Logging in to docker from the cli piping the result from aws ecr get-login-password to the login command.

Verified I was using a token that wasn't expired

Tried passing in the .docker/config.json file itself with no change

Same functionality on v0.2.5 and v0.3.0

Expected Behavior

Authentication through docker cli to aws ecr enables kwctl interaction with aws ecr as well. Alternatively some other auth solution for aws would work as well.

Steps To Reproduce

Docker Login to aws ecr

Verify that Docker push/pull [some ecr repo] is successful after authentication

kwctl push [some ecr repo]

Here I'm encountering a 401 response from aws

Environment

- OS: Mac - Architecture:x86-64

Anything else?

No response
kind/bug
opened by Jawery 17

Pushing to an artifactory OCI registry results in 406 Not Acceptable

Although Artifactory is OCI compliant, https://www.jfrog.com/confluence/display/JFROG/Docker+Registry, following the official docs for distributing policies (https://docs.kubewarden.io/distributing-policies.html) results in:

kwctl push annotated-policy.wasm registry://<registry fqdn>/palindromify-policy:v0.0.1
Error: could not push policy: could not push policy: An unexpected error occured: code=406 Not Acceptable, message='{
  "errors" : [ {
    "status" : 406,
    "message" : "Not Acceptable"
  } ]
}'

How can I troubleshoot further?

LE: Using the same registry with ORAS, works as expected https://github.com/oras-project/oras

oras push  <registry fqdn>/palindromify-policy:v0.0.1 --manifest-config "config.json:application/vnd.wasm.config.v1+json" ./annotated-policy.wasm:application/vnd.wasm.content.layer.v1+wasm
Uploading 1e0afe56fa4e annotated-policy.wasm
Pushed <registry fqdn>/palindromify-policy:v0.0.1
Digest: sha256:<sha>

Then, applying the policy works as expected.

kind/bug

opened by lsoica 9

build(deps): bump syntect from 4.6.0 to 5.0.0
Bumps syntect from 4.6.0 to 5.0.0.

Release notes

Sourced from syntect's releases.

Breaking changes for improved startup time and error handling!

Thanks to @Enselic for basically all the work to make this release happen!

Breaking changes

Lazy-load syntaxes to significantly improve startup time. This changes the binary format of syntax dump files.

Remove ContextId::new() from public API to support lazy-loading of syntaxes

Rename HighlightLines::highlight() to HighlightLines::highlight_line() to make it clear that the function takes one line at a time

Make plist dependency (used for loading themes) optional via new plist-load feature

Remove obsolete dump-load-rs and dump-create-rs features that has been identical to dump-load and dump-create for two years

Remove deprecated items ThemeSettings::highlight_foreground, ThemeSettings::selection_background, ClassedHTMLGenerator::new, ClassedHTMLGenerator::parse_html_for_line, html::css_for_theme, html::tokens_to_classed_html and html::tokens_to_classed_spans

Mark all error enums as #[non_exhaustive]

These functions have been changed to return a Result to allow propagation of errors:

html::ClassedHTMLGenerator::parse_html_for_line_which_includes_newline

html::append_highlighted_html_for_styled_line

html::css_for_theme_with_class_style

html::highlighted_html_for_string

html::line_tokens_to_classed_spans

html::styled_line_to_highlighted_html

parsing::ParseState::parse_line

parsing::ScopeStack::apply

parsing::ScopeStack::apply_with_hook

parsing::syntax_definition::Context::match_at

parsing::syntax_definition::ContextReference::id

parsing::syntax_definition::ContextReference::resolve

Other changes

Fall back to Plain Text if a referenced syntax is missing

Add support for hidden_file_extensions key in syntaxes.

Implement Error and Display for all error enums by using thiserror

Replace lazycell with once_cell to fix crash on lazy initialization

Add ScopeRangeIterator

Add CI check for Minimum Supported Rust Version. This is currently Rust 1.53.

Make looking up a syntax by extension use case-insensitive comparison

Make from_dump_file() ~15% faster

Blend alpha value on converting colors to ANSI color sequences

Fix sample code in documentation to avoid double newlines

Fix lots of build warnings and lints

Add Criterion benchmarks for a whole syntect pipeline and for from_dump_file()

Patch of v4.7.0 without the semver violations that broke things

See the release notes for v4.7.0, this release removes a new Cargo feature which constituted a semver violation:

Remove 'plist-load' feature again due to semver violation. #403

Much faster startup through lazy-loading, and much more!

Big release this time thanks to tons of fantastic contributions from @Enselic, this release was basically all him! The headline feature is much faster startup time due to lazy-loading at the syntax level.

Lazy-load syntaxes to significantly improve startup time

... (truncated)

Changelog

Sourced from syntect's changelog.

Version 5.0.0 (2022-05-03)

Breaking changes

Lazy-load syntaxes to significantly improve startup time. This changes the binary format of syntax dump files.

Remove ContextId::new() from public API to support lazy-loading of syntaxes

Rename HighlightLines::highlight() to HighlightLines::highlight_line() to make it clear that the function takes one line at a time

Make plist dependency (used for loading themes) optional via new plist-load feature

Remove obsolete dump-load-rs and dump-create-rs features that has been identical to dump-load and dump-create for two years

Remove deprecated items ThemeSettings::highlight_foreground, ThemeSettings::selection_background, ClassedHTMLGenerator::new, ClassedHTMLGenerator::parse_html_for_line, html::css_for_theme, html::tokens_to_classed_html and html::tokens_to_classed_spans

Mark all error enums as #[non_exhaustive]

These functions have been changed to return a Result to allow propagation of errors:

html::ClassedHTMLGenerator::parse_html_for_line_which_includes_newline

html::append_highlighted_html_for_styled_line

html::css_for_theme_with_class_style

html::highlighted_html_for_string

html::line_tokens_to_classed_spans

html::styled_line_to_highlighted_html

parsing::ParseState::parse_line

parsing::ScopeStack::apply

parsing::ScopeStack::apply_with_hook

parsing::syntax_definition::Context::match_at

parsing::syntax_definition::ContextReference::id

parsing::syntax_definition::ContextReference::resolve

Other changes

Fall back to Plain Text if a referenced syntax is missing

Add support for hidden_file_extensions key in syntaxes.

Implement Error and Display for all error enums by using thiserror

Replace lazycell with once_cell to fix crash on lazy initialization

Add ScopeRangeIterator

Add CI check for Minimum Supported Rust Version. This is currently Rust 1.53.

Make looking up a syntax by extension use case-insensitive comparison

Make from_dump_file() ~15% faster

Blend alpha value on converting colors to ANSI color sequences

Fix sample code in documentation to avoid double newlines

Fix lots of build warnings and lints

Add Criterion benchmarks for a whole syntect pipeline and for from_dump_file()

Version 4.7.1 (2022-01-03)

This version was yanked from crates.io due to a semver violation issue.

Version 4.7.0 (2021-12-25)

This version was yanked from crates.io due to a semver violation issue.

Commits

e8c1f31 Release date for 5.0.0

1184978 Merge pull request #409 from Enselic/prepare-for-5.0.0

a47dbdf Merge pull request #432 from Enselic/dont-panic

e8535c1 CHANGELOG.md: Update to include PR #432

dcd439e CHANGELOG.md: Update with latest changes on master

c7ee51e Merge remote-tracking branch 'origin/master' into prepare-for-5.0.0

46882e1 Replace direct panics with Errors

6b211f9 Merge pull request #419 from sourcegraph/vg/upstream/hidden-file-extensions

e54eef3 Add support for hidden_file_extensions key.

ce1ba5b Merge pull request #426 from Enselic/parse-and-highlight-line-with-result

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

area/dependencies
opened by dependabot[bot] 6

feat: Add `kwctl scaffold manifest` & `kwctl scaffold verification-config`

Description

Fix https://github.com/kubewarden/kwctl/issues/170

Create mew kwctl scaffold:
- Move kwctl manifest to kwctl scaffold manifest as subcommand.
- Add kwctl scaffold verification-config: Output default Sigstore verification configuration.

Example config:

# Default Kubewarden verification config
#
# With this config, the only valid policies are those signed by Kubewarden
# infrastructure.
#
# This config can be saved to its default location (for this OS) with:
#   kwctl scaffold verification-config > /home/vic/.config/kubewarden/verification-config.yml
#
# Providing a config in the default location enables Sigstore verification.
# See https://docs.kubewarden.io for more Sigstore verification options.
---
apiVersion: v1
allOf:
  - kind: githubAction
    owner: kubewarden
    repo: ~
    annotations: ~
anyOf: ~

Test

Added to make e2e-test

Additional Information

Make bats e2e-tests run against tmp path.

Tradeoff

Potential improvement

area/sigstore

opened by viccuad 6

feat: Support metadata.backgroundAudit

Description

Depends on https://github.com/kubewarden/policy-evaluator/pull/197 Fix https://github.com/kubewarden/kwctl/issues/330 Fix https://github.com/kubewarden/kwctl/issues/331

kwctl annotate will default it to true if not provided. kwctl scaffold will default it to true if not provided. kwctl inspect shows it, defaulting to true if not present.

Test

Tested in policy-evaluator. Backwards compatibility is working; the e2e tests pass, without needing to re-annotate the policies with backgroundAudit.

Additional Information

Tradeoff

Potential improvement

opened by viccuad 5
feat: Keyless verification for kwctl {verify,pull,run}

Description

Part of https://github.com/kubewarden/policy-server/issues/142

Implement Sigstore keyless verification forkwctl {verify,pull,run}. Now, accept new --verification-config-path that contains the config from the Sigstore verification RFC. Previous flags are still supported: they get translated into a VerificationSettings config, to be used with the verification.

Test

Run make test e2e-test. Added e2e-tests that exercise --verification-config-path.

Additional Information

Depends on https://github.com/kubewarden/policy-fetcher/pull/55.

Tradeoff

Potential improvement

Create verification-config: Provide better info on missing signatures: opened https://github.com/kubewarden/policy-fetcher/issues/57 Provide default verification-config: opened https://github.com/kubewarden/kwctl/issues/170
area/sigstore

opened by viccuad 5
Allow user to define a "default" `sources.yml`
The problem

Now that we moved to rustls, system certificates are ignored by kwctl. Because of that, pushing and pulling from registries using self-signed certificates need some extra hops: all the run, pull and push commands must be invoked using the --sources-path flag.

The same applies to interactions with registries that are not secured with TLS. But this is a problem that happened also before the move to rustls.

Desired workflow

As a user, I want to define a sources.yml file somewhere inside of my home directory. kwctl should then use it by default whenever I invoke a command that has the --sources-path flag.

The desired outcome is to not force the user to specify this flag every time.

However, the user must still be able to provide a different sources.yml.

The sources.yml file should be stored under the user's home directory, inside of a "configuration" path.

Acceptance criteria

kwctl looks for this configuration file before running a command that has the --sources-path flag

If the file is not found, no error is raised

If the file exists, its contents are silently loaded. Errors caused by wrong values are obviously raised

If the user provides a sources.yml file via the --sources-path flag, the $HOME/<config path>/sources.yml file is ignored. Only the contents from the "flag defined" file are used

The documentation of kwctl is updated to explain the user where this file is located

kind/enhancement good first issue
opened by flavio 5

`kwctl policies` failed

When executed the kwctl policies command, it is possible to see the following error:

$ ./target/release/kwctl -V                                                            
kwctl 0.2.4
$ ./target/release/kwctl policies
Error: Bad magic number (at offset 0)

This is happening in the main branch as well.

opened by jvanz 5

kwctl does not honor trusted certificate authorities on the system
Is there an existing issue for this?

[X] I have searched the existing issues

Current Behavior

kwctl pull against on-premise registry with self-signed certificate / certificate authority fails with:

kwctl pull registry://registry01.suse:5000/rke-prod/ghcr.io/kubewarden/policies/user-group-psp:v0.2.0

2022-11-22T15:54:48.099449Z WARN rustls::conn: Sending fatal alert BadCertificate Error: the policy registry://registry01.suse:5000/rke-prod/ghcr.io/kubewarden/policies/user-group-psp:v0.2.0 could not be downloaded due to error: error sending request for url (https://registry01.suse:5000/v2/): error trying to connect: invalid peer certificate contents: invalid peer certificate: UnknownIssuer

Expected Behavior

The tool should trust the CA of the systems ca-bundle.pem.

A cli parameter to specify the trusted CA bundle should be available.

Steps To Reproduce

Use on premise registry for policies and try to use pull / push with kwctl.

Environment

- OS: SLES 15 SP4 - Architecture: x86_64

Anything else?

No response
kind/bug
opened by Martin-Weiss 4
ci: Added CI Job to release Apple Silicon binary with the release GH Actions flow
Description

This PR involves just a CI Job to be executed on release time.

[x] Added new target aarch64-apple-darwin on release.yml which supports Apple Silicon processors from new M1/M2 Mac

Test

To test this pull request, you can run the following commands:

rustup target add aarch64-apple-darwin cargo build --target=aarch64-apple-darwin --release

Additional Information

I already validated that it works on a M1 processor

Signed-off-by: Juan Manuel Parrilla Madrid [email protected]
opened by jparrill 4

Azure ACR: Authorization not recognized after Docker Login

Is there an existing issue for this?

[X] I have searched the existing issues

Current Behavior

This is similar to https://github.com/kubewarden/kwctl/issues/208

Push does not works after Docker Login Push with wasm-to-oci works

kwctl push  annotated-policy.wasm registry://redacted.azurecr.io/polices/test:1
2022-04-28T13:03:04.416833Z  WARN rustls::check: Received a ServerHelloDone handshake message while expecting [CertificateRequest]    
Error: could not push policy: could not push policy: failed to authenticate: {"errors":[{"code":"UNAUTHORIZED","message":"authentication required, visit https://aka.ms/acr/authorization for more information."}]}

Expected Behavior

Push works

Steps To Reproduce

No response

Environment

- OS: Linux
- Architecture: amd64

Anything else?

No response

kind/bug

opened by floriankoch 4

build(deps): bump mdcat from 0.30.3 to 1.0.0
Bumps mdcat from 0.30.3 to 1.0.0.

Release notes

Sourced from mdcat's releases.

mdcat-1.0.0

Added

Add --detect-terminal to print the name of the detected terminal program (see GH-232).

Add --ansi to skip terminal detection and use ANSI-formatting only (see GH-232).

Changed

Replace ureq with reqwest (see GH-229). This implies that the default build now creates a binary linked against the system standard SSL library, i.e. openssl under Linux. A fully static build now requires --no-default-features --features static for cargo build.

Terminal detection always checks $TERM first and trusts its value if it denotes a specific terminal emulator (see GH-232).

Update all dependencies.

Fixed

Correctly detect kitty started from iTerm (see GH-230 and GH-232).

GH-229: swsnr/mdcat#229 GH-229: swsnr/mdcat#229 GH-230: swsnr/mdcat#230 GH-230: swsnr/mdcat#230 GH-232: swsnr/mdcat#232 GH-232: swsnr/mdcat#232

GH-218: swsnr/mdcat#218 GH-214: swsnr/mdcat#214 GH-216: swsnr/mdcat#216 GH-204: swsnr/mdcat#204 #201: https://codeberg.org/flausch/mdcat/pulls/201 #147: https://codeberg.org/flausch/mdcat/issues/147 #154: https://codeberg.org/flausch/mdcat/issues/154 #198: https://codeberg.org/flausch/mdcat/issues/198 #191: swsnr/mdcat#191 #192: swsnr/mdcat#192 #193: swsnr/mdcat#193 #190: swsnr/mdcat#190 #186: swsnr/mdcat#186 #185: swsnr/mdcat#185 #182: swsnr/mdcat#182 #183: swsnr/mdcat#183 #184: swsnr/mdcat#184 #176: swsnr/mdcat#176 #177: swsnr/mdcat#177 #168: swsnr/mdcat#168 #169: swsnr/mdcat#169 [kitty-0.19]: https://sw.kovidgoyal.net/kitty/changelog.html#id2 [kitty #68]: kovidgoyal/kitty#68 [allow_hyperlinks]: https://sw.kovidgoyal.net/kitty/conf.html?highlight=hyperlinks#opt-kitty.allow_hyperlinks #165: swsnr/mdcat#165

... (truncated)

Changelog

Sourced from mdcat's changelog.

[1.0.0] – 2023-01-07

Added

Add --detect-terminal to print the name of the detected terminal program (see GH-232).

Add --ansi to skip terminal detection and use ANSI-formatting only (see GH-232).

Changed

Replace ureq with reqwest (see GH-229). This implies that the default build now creates a binary linked against the system standard SSL library, i.e. openssl under Linux. A fully static build now requires --no-default-features --features static for cargo build.

Terminal detection always checks $TERM first and trusts its value if it denotes a specific terminal emulator (see GH-232).

Update all dependencies.

Fixed

Correctly detect kitty started from iTerm (see GH-230 and GH-232).

GH-229: swsnr/mdcat#229 GH-230: swsnr/mdcat#230 GH-232: swsnr/mdcat#232

Commits

d2999ef Release 1.0.0

aff6b9f Update dependencies

a1c3b02 Merge pull request #232 from swsnr/refactor-terminal-detection

eedb1f7 Expose --ansi flag

48f77b3 Add --detect-terminal option

800701d Refactor terminal detection

29ec771 Merge pull request #229 from swsnr/use-reqwest-again

f8a5fa4 Use reqwest again

e81a047 Merge pull request #228 from swsnr/drop-test-generator-dependency

5000d3d Drop test generator dependency

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dependencies
opened by dependabot[bot] 0
chore(deps): lock file maintenance
This PR contains the following updates:

| Update | Change | |---|---| | lockFileMaintenance | All locks refreshed |

🔧 This Pull Request updates lock files to use the latest dependency versions.

Configuration

📅 Schedule: Branch creation - "before 5am on monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

[ ] If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.
dependencies kind/chore area/dependencies
opened by renovate[bot] 0
Trigger Helm chart release.

Description

Updates the release kwctl CI job to trigger an event to the Helm chart repository to ensure that the major and minor releases will be in sync between all Kubewarden components.

Fix #366
release/skip-changelog

opened by jvanz 1
build(deps): bump tokio from 1.23.0 to 1.24.1
Bumps tokio from 1.23.0 to 1.24.1.

Release notes

Sourced from tokio's releases.

Tokio v1.24.1

This release fixes a compilation failure on targets without AtomicU64 when using rustc older than 1.63. (#5356)

#5356: tokio-rs/tokio#5356

Tokio v1.24.0

The highlight of this release is the reduction of lock contention for all I/O operations (#5300). We have received reports of up to a 20% improvement in CPU utilization and increased throughput for real-world I/O heavy applications.

Fixed

rt: improve native AtomicU64 support detection (#5284)

Added

rt: add configuration option for max number of I/O events polled from the OS per tick (#5186)

rt: add an environment variable for configuring the default number of worker threads per runtime instance (#4250)

Changed

sync: reduce MPSC channel stack usage (#5294)

io: reduce lock contention in I/O operations (#5300)

fs: speed up read_dir() by chunking operations (#5309)

rt: use internal ThreadId implementation (#5329)

test: don't auto-advance time when a spawn_blocking task is running (#5115)

#5186: tokio-rs/tokio#5186 #5294: tokio-rs/tokio#5294 #5284: tokio-rs/tokio#5284 #4250: tokio-rs/tokio#4250 #5300: tokio-rs/tokio#5300 #5329: tokio-rs/tokio#5329 #5115: tokio-rs/tokio#5115 #5309: tokio-rs/tokio#5309

Tokio v1.23.1

This release forward ports changes from 1.18.4.

Fixed

net: fix Windows named pipe server builder to maintain option when toggling pipe mode (#5336).

#5336: tokio-rs/tokio#5336

Commits

31c7e82 chore: prepare Tokio v1.24.1 (#5357)

8d8db27 tokio: add load and compare_exchange_weak to loom StaticAtomicU64 (#5356)

dfe252d chore: prepare Tokio v1.24.0 release (#5353)

21b233f test: bump version of async-stream (#5347)

7299304 Merge branch 'tokio-1.23.x' into master

1a997ff chore: prepare Tokio v1.23.1 release

a8fe333 Merge branch 'tokio-1.20.x' into tokio-1.23.x

ba81945 chore: prepare Tokio 1.20.3 release

763bdc9 ci: run WASI tasks using latest Rust

9f98535 Merge remote-tracking branch 'origin/tokio-1.18.x' into fix-named-pipes-1.20

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dependencies
opened by dependabot[bot] 0
build(deps): bump k8s-openapi from 0.16.0 to 0.17.0
Bumps k8s-openapi from 0.16.0 to 0.17.0.

Release notes

Sourced from k8s-openapi's releases.

v0.17.0

k8s-openapi

BREAKING CHANGE: Added support for Kubernetes 1.26 under the v1_26 feature.

BREAKING CHANGE: Dropped support for Kubernetes 1.18 and 1.19.

FEATURE: Allow deserializing non-optional ByteStrings from JSON null. The API server is known to allow these nulls in the ConfigMap::binary_data and Secret::data maps. The deserialization results in an empty ByteString, to match the behavior of the API server when given a null value in the ConfigMap::data map.

Corresponding Kubernetes API server versions:

v1.20.15

v1.21.14

v1.22.17

v1.23.15

v1.24.9

v1.25.5

v1.26.0

Changelog

Sourced from k8s-openapi's changelog.

v0.17.0 (2023-01-04)

k8s-openapi

BREAKING CHANGE: Added support for Kubernetes 1.26 under the v1_26 feature.

BREAKING CHANGE: Dropped support for Kubernetes 1.18 and 1.19.

FEATURE: Allow deserializing non-optional ByteStrings from JSON null. The API server is known to allow these nulls in the ConfigMap::binary_data and Secret::data maps. The deserialization results in an empty ByteString, to match the behavior of the API server when given a null value in the ConfigMap::data map.

Corresponding Kubernetes API server versions:

v1.20.15

v1.21.14

v1.22.17

v1.23.15

v1.24.9

v1.25.5

v1.26.0

Commits

35a7fd5 v0.17.0

b619ade Allow deserializing JSON null as an empty ByteString.

1e5ab30 Mention the possibility of multiple crate versions in the no-feature-enabled ...

4d3c81b Clarify that the feature used to make cargo check work needs to be enabled ...

5155c30 Update env_logger to v0.10

f8b1fc4 Update clap to v4

a2d4ba8 Update base64 dep in tests to v0.20

abf7faf Bump base64 to 0.20

f599c87 Remove support for k8s 1.19

95f5269 Remove support for k8s 1.18

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dependencies
opened by dependabot[bot] 0

Improve airgap workflow

Description

Airgap workflow is currently cumbersome, this is an attempt to improve it

This combines 4 scripts for saving & loading images and policies into one. Also adding defaults for parameters that can be guessed from other files.

New Workflow:

# Generate list of dependencies required by airgap. Save in file for other commands:
airgap list | tee file.json

# Pull images and policies and save them to archives in current directory:
airgap pull --list file.json

# Push images and policies from created archives to local registry. Run in DRY mode:
airgap push --list file.json --registry=localhost:5123 --dry --insecure

# Helm install charts from local files. Registry is used for recommendedPolicies setup:
airgap install --list file.json --registry 172.18.0.4:5000 --insecure

opened by kravciak 1