Add policy-controller annotations

cmd/webhook/main.go

@@ -202,6 +202,11 @@
 }
 
 func NewMutatingAdmissionController(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
+	store := config.NewStore(logging.FromContext(ctx).Named("config-store"))
+	store.WatchConfigs(cmw)
+	policyControllerConfigStore := policycontrollerconfig.NewStore(logging.FromContext(ctx).Named("config-policy-controller"))
+	policyControllerConfigStore.WatchConfigs(cmw)
+
 	kc := kubeclient.Get(ctx)
 	validator := cwebhook.NewValidator(ctx)
 
@@ -218,10 +223,12 @@
 		// A function that infuses the context passed to Validate/SetDefaults with custom metadata.
 		func(ctx context.Context) context.Context {
 			ctx = context.WithValue(ctx, kubeclient.Key{}, kc)
-			ctx = policyduckv1beta1.WithPodScalableDefaulter(ctx, validator.ResolvePodScalable)
-			ctx = duckv1.WithPodDefaulter(ctx, validator.ResolvePod)
-			ctx = duckv1.WithPodSpecDefaulter(ctx, validator.ResolvePodSpecable)
-			ctx = duckv1.WithCronJobDefaulter(ctx, validator.ResolveCronJob)
+			ctx = store.ToContext(ctx)
+			ctx = policyControllerConfigStore.ToContext(ctx)
+			ctx = policyduckv1beta1.WithPodScalableDefaulter(ctx, validator.PodScalableDefaulter)
+			ctx = duckv1.WithPodDefaulter(ctx, validator.PodDefaulter)
+			ctx = duckv1.WithPodSpecDefaulter(ctx, validator.PodSpecableDefaulter)
+			ctx = duckv1.WithCronJobDefaulter(ctx, validator.CronJobDefaulter)
 			return ctx
 		},
 

config/config-policy-controller.yaml

@@ -25,3 +25,4 @@ data:
     #                              #
     ################################
     no-match-policy: warn
+    annotate-validation-results: false

pkg/config/store.go

@@ -43,6 +43,8 @@ const (
 	NoMatchPolicyKey = "no-match-policy"
 
 	FailOnEmptyAuthorities = "fail-on-empty-authorities"
+
+	AnnotateResultsKey = "annotate-validation-results"
 )
 
 // PolicyControllerConfig controls the behaviour of policy-controller that needs
@@ -56,10 +58,12 @@ type PolicyControllerConfig struct {
 	NoMatchPolicy string `json:"no-match-policy"`
 	// FailOnEmptyAuthorities configures the validating webhook to allow creating CIP without a list authorities
 	FailOnEmptyAuthorities bool `json:"fail-on-empty-authorities"`
+	// AnnotateResults configures writing the validation results as an annotation in the resource
+	AnnotateResults bool `json:"annotate-validation-results"`
 }
 
 func NewPolicyControllerConfigFromMap(data map[string]string) (*PolicyControllerConfig, error) {
-	ret := &PolicyControllerConfig{NoMatchPolicy: "deny", FailOnEmptyAuthorities: true}
+	ret := &PolicyControllerConfig{NoMatchPolicy: "deny", FailOnEmptyAuthorities: true, AnnotateResults: false}
 	switch data[NoMatchPolicyKey] {
 	case DenyAll:
 		ret.NoMatchPolicy = DenyAll
@@ -76,6 +80,14 @@ func NewPolicyControllerConfigFromMap(data map[string]string) (*PolicyController
 		return ret, err
 	}
 	ret.FailOnEmptyAuthorities = true
+
+	if val, ok := data[AnnotateResultsKey]; ok {
+		var err error
+		ret.AnnotateResults, err = strconv.ParseBool(val)
+		return ret, err
+	}
+	ret.AnnotateResults = false
+
 	return ret, nil
 }
 
@@ -102,6 +114,7 @@ func FromContextOrDefaults(ctx context.Context) *PolicyControllerConfig {
 	return &PolicyControllerConfig{
 		NoMatchPolicy:          DenyAll,
 		FailOnEmptyAuthorities: true,
+		AnnotateResults:        false,
 	}
 }
 

pkg/config/store_test.go

@@ -27,6 +27,7 @@ import (
 type testData struct {
 	noMatchPolicy          string
 	failOnEmptyAuthorities bool
+	AnnotateResults        bool
 }
 
 var testfiles = map[string]testData{
@@ -35,6 +36,7 @@ var testfiles = map[string]testData{
 	"warn-all":                {noMatchPolicy: WarnAll, failOnEmptyAuthorities: true},
 	"deny-all-default":        {noMatchPolicy: DenyAll, failOnEmptyAuthorities: true},
 	"allow-empty-authorities": {noMatchPolicy: DenyAll, failOnEmptyAuthorities: false},
+	"annotate-results":        {noMatchPolicy: AllowAll, failOnEmptyAuthorities: true, AnnotateResults: true},
 }
 
 func TestStoreLoadWithContext(t *testing.T) {
@@ -55,6 +57,9 @@ func TestStoreLoadWithContext(t *testing.T) {
 			if diff := cmp.Diff(want.failOnEmptyAuthorities, expected.FailOnEmptyAuthorities); diff != "" {
 				t.Error("Unexpected defaults config (-want, +got):", diff)
 			}
+			if diff := cmp.Diff(want.AnnotateResults, expected.AnnotateResults); diff != "" {
+				t.Error("Unexpected defaults config (-want, +got):", diff)
+			}
 			if diff := cmp.Diff(expected, config); diff != "" {
 				t.Error("Unexpected defaults config (-want, +got):", diff)
 			}
@@ -74,6 +79,9 @@ func TestStoreLoadWithContextOrDefaults(t *testing.T) {
 			if diff := cmp.Diff(DenyAll, expected.NoMatchPolicy); diff != "" {
 				t.Error("Unexpected defaults config (-want, +got):", diff)
 			}
+			if diff := cmp.Diff(false, expected.AnnotateResults); diff != "" {
+				t.Error("Unexpected defaults config (-want, +got):", diff)
+			}
 			if diff := cmp.Diff(expected, config); diff != "" {
 				t.Error("Unexpected defaults config (-want, +got):", diff)
 			}

pkg/config/testdata/annotate-results.yaml

@@ -0,0 +1,26 @@
+# Copyright 2022 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: config-policy-controller
+  namespace: cosign-system
+  labels:
+    policy.sigstore.dev/release: devel
+
+data:
+  _example: |
+    no-match-policy: allow
+    annotate-validation-results: true