fix(chart): correct behavior for global image registry
Explanation
This fixes the behavior when both global.image.registry and a more specific setting, e.g. policyReportsCleanup.image.registry, are set.
Before this change, global.image.registry has priority over the more specific setting for a "component".
We need this change to be able to use a registry pull-through cache. We are setting global.image.registry to our GitHub proxy and we need to set a different registry for policyReportsCleanup and webhooksCleanup since they are using bitnami images on Docker Hub.
What type of PR is this
/kind bug
Proposed Changes
We are proposing a change of priority when determining which registry to use, preferring the more specific registry over the global one.
Proof Manifests
global:
  image:
    registry: "ghcr.io"
policyReportsCleanup:
  image:
    registry: "docker.io"
webhooksCleanup:
  image:
    registry: "docker.io"
Before change
# Source: kyverno/templates/hooks/pre-delete-configmap.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: test-kyverno-remove-configmap
  namespace: default
  labels:
    app.kubernetes.io/component: hooks
    app.kubernetes.io/instance: test
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: test-kyverno
    app.kubernetes.io/version: v0.0.0
    helm.sh/chart: kyverno-v0.0.0
  annotations:
    helm.sh/hook: pre-delete
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
    helm.sh/hook-weight: "10"
spec:
  backoffLimit: 2
  template:
    metadata:
    spec:
      serviceAccount: test-kyverno-remove-configmap
      restartPolicy: Never
      containers:
        - name: kubectl
          image: "ghcr.io/bitnami/kubectl:1.30.2"
          imagePullPolicy:
          command:
            - /bin/bash
            - '-c'
            - |-
              set -euo pipefail
              kubectl delete cm -n default test-kyverno
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsGroup: 65534
            runAsNonRoot: true
            runAsUser: 65534
            seccompProfile:
              type: RuntimeDefault
After change
# Source: kyverno/templates/hooks/pre-delete-configmap.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: test-kyverno-remove-configmap
  namespace: default
  labels:
    app.kubernetes.io/component: hooks
    app.kubernetes.io/instance: test
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: test-kyverno
    app.kubernetes.io/version: v0.0.0
    helm.sh/chart: kyverno-v0.0.0
  annotations:
    helm.sh/hook: pre-delete
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
    helm.sh/hook-weight: "10"
spec:
  backoffLimit: 2
  template:
    metadata:
    spec:
      serviceAccount: test-kyverno-remove-configmap
      restartPolicy: Never
      containers:
        - name: kubectl
          image: "docker.io/bitnami/kubectl:1.30.2"
          imagePullPolicy:
          command:
            - /bin/bash
            - '-c'
            - |-
              set -euo pipefail
              kubectl delete cm -n default test-kyverno
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsGroup: 65534
            runAsNonRoot: true
            runAsUser: 65534
            seccompProfile:
              type: RuntimeDefault
Checklist
- I have read the contributing guidelines.
- I have read the PR documentation guide and followed the process including adding proof manifests to this PR.
- This is a bug fix and I have added unit tests that prove my fix is effective.
- This is a feature and I have added CLI tests that are applicable.
- My PR needs to be cherry picked to a specific release branch which is .
- My PR contains new or altered behavior to Kyverno and
  - CLI support should be added and my PR doesn't contain that functionality.
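Added example, not part of this PR or the Kyverno chart: a check over rendered manifests that flags images whose registry does not match where the repository is published, which is the mismatch shown in the "before" manifest. The `EXPECTED_REGISTRY` mapping, the function names and the embedded sample strings are assumptions made for illustration.

```python
import re

# Assumption: repositories under these prefixes are only published on the
# listed registry (from the PR text: the bitnami images are on Docker Hub).
EXPECTED_REGISTRY = {"bitnami/": "docker.io"}

# Matches `image: "<ref>"` lines, with or without a leading list dash.
IMAGE_LINE = re.compile(r"""^\s*(?:-\s+)?image:\s*["']?([^"'\s]+)["']?\s*$""")


def split_registry(ref):
    """Split an image reference into (registry, remainder).

    Docker's rule: the first path component is a registry host only if it
    contains '.' or ':' or equals 'localhost'; otherwise Docker Hub is implied.
    """
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first, rest
    return "docker.io", ref


def audit(rendered):
    """Return (line_no, image, expected_registry) for every mismatched image."""
    findings = []
    for no, line in enumerate(rendered.splitlines(), 1):
        m = IMAGE_LINE.match(line)
        if not m:
            continue
        registry, repo = split_registry(m.group(1))
        for prefix, expected in EXPECTED_REGISTRY.items():
            if repo.startswith(prefix) and registry != expected:
                findings.append((no, m.group(1), expected))
    return findings


# Constructed samples: the container image lines from the proof manifests.
BEFORE = 'containers:\n  - name: kubectl\n    image: "ghcr.io/bitnami/kubectl:1.30.2"\n'
AFTER = 'containers:\n  - name: kubectl\n    image: "docker.io/bitnami/kubectl:1.30.2"\n'

if __name__ == "__main__":
    for name, doc in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(doc))
```

Run over the output of `helm template` in CI, a non-empty result means a global registry override has been applied to an image that the override registry is not expected to serve.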