Change --registry-scanning to --registry-disable-scanning

cmd/fluxctl/install_cmd.go

@@ -48,8 +48,8 @@ fluxctl install --git-url '[email protected]:<your username>/flux-get-started' --gi
 		"whether to enable manifest generation")
 	cmd.Flags().StringVar(&opts.Namespace, "namespace", "",
 		"cluster namespace where to install flux")
-	cmd.Flags().BoolVar(&opts.RegistryScanning, "registry-scanning", true,
-		"scan container image registries to fill in the registry cache")
+	cmd.Flags().BoolVar(&opts.RegistryDisableScanning, "registry-disable-scanning", false,
+		"do not scan container image registries to fill in the registry cache")
 	cmd.Flags().StringVarP(&opts.outputDir, "output-dir", "o", "", "a directory in which to write individual manifests, rather than printing to stdout")
 	cmd.Flags().BoolVar(&opts.AddSecurityContext, "add-security-context", true, "Ensure security context information is added to the pod specs. Defaults to 'true'")
 

cmd/fluxd/main.go

@@ -151,15 +151,15 @@ func main() {
 		memcachedTimeout  = fs.Duration("memcached-timeout", time.Second, "maximum time to wait before giving up on memcached requests.")
 		memcachedService  = fs.String("memcached-service", "memcached", "SRV service used to discover memcache servers.")
 
-		registryScanning     = fs.Bool("registry-scanning", true, "scan container image registries to fill in the registry cache")
-		automationInterval   = fs.Duration("automation-interval", 5*time.Minute, "period at which to check for image updates for automated workloads")
-		registryPollInterval = fs.Duration("registry-poll-interval", 5*time.Minute, "period at which to check for updated images")
-		registryRPS          = fs.Float64("registry-rps", 50, "maximum registry requests per second per host")
-		registryBurst        = fs.Int("registry-burst", defaultRemoteConnections, "maximum number of warmer connections to remote and memcache")
-		registryTrace        = fs.Bool("registry-trace", false, "output trace of image registry requests to log")
-		registryInsecure     = fs.StringSlice("registry-insecure-host", []string{}, "let these registry hosts skip TLS host verification and fall back to using HTTP instead of HTTPS; this allows man-in-the-middle attacks, so use with extreme caution")
-		registryExcludeImage = fs.StringSlice("registry-exclude-image", []string{"k8s.gcr.io/*"}, "do not scan images that match these glob expressions; the default is to exclude the 'k8s.gcr.io/*' images")
-		registryUseLabels    = fs.StringSlice("registry-use-labels", []string{"index.docker.io/weaveworks/*", "index.docker.io/fluxcd/*"}, "use the timestamp (RFC3339) from labels for (canonical) image refs that match these glob expression")
+		registryDisableScanning = fs.Bool("registry-disable-scanning", false, "do not scan container image registries to fill in the registry cache")
+		automationInterval      = fs.Duration("automation-interval", 5*time.Minute, "period at which to check for image updates for automated workloads")
+		registryPollInterval    = fs.Duration("registry-poll-interval", 5*time.Minute, "period at which to check for updated images")
+		registryRPS             = fs.Float64("registry-rps", 50, "maximum registry requests per second per host")
+		registryBurst           = fs.Int("registry-burst", defaultRemoteConnections, "maximum number of warmer connections to remote and memcache")
+		registryTrace           = fs.Bool("registry-trace", false, "output trace of image registry requests to log")
+		registryInsecure        = fs.StringSlice("registry-insecure-host", []string{}, "let these registry hosts skip TLS host verification and fall back to using HTTP instead of HTTPS; this allows man-in-the-middle attacks, so use with extreme caution")
+		registryExcludeImage    = fs.StringSlice("registry-exclude-image", []string{"k8s.gcr.io/*"}, "do not scan images that match these glob expressions; the default is to exclude the 'k8s.gcr.io/*' images")
+		registryUseLabels       = fs.StringSlice("registry-use-labels", []string{"index.docker.io/weaveworks/*", "index.docker.io/fluxcd/*"}, "use the timestamp (RFC3339) from labels for (canonical) image refs that match these glob expression")
 
 		// AWS authentication
 		registryAWSRegions         = fs.StringSlice("registry-ecr-region", nil, "include just these AWS regions when scanning images in ECR; when not supplied, the cluster's region will included if it can be detected through the AWS API")
@@ -560,7 +560,7 @@ func main() {
 	// Registry components
 	var imageRegistry registry.Registry = registry.ImageScanDisabledRegistry{}
 	var cacheWarmer *cache.Warmer
-	if *registryScanning {
+	if !*registryDisableScanning {
 		// Cache client, for use by registry and cache warmer
 		var cacheClient cache.Client
 		var memcacheClient *registryMemcache.MemcacheClient
@@ -659,7 +659,7 @@ func main() {
 		"sync-tag", *gitSyncTag,
 		"state", *syncState,
 		"readonly", *gitReadonly,
-		"registry-scanning", *registryScanning,
+		"registry-disable-scanning", *registryDisableScanning,
 		"notes-ref", *gitNotesRef,
 		"set-author", *gitSetAuthor,
 		"git-secret", *gitSecret,
@@ -727,7 +727,7 @@ func main() {
 			AutomationInterval:  *automationInterval,
 			GitTimeout:          *gitTimeout,
 			GitVerifySignatures: *gitVerifySignatures,
-			ImageScanEnabled:    *registryScanning,
+			ImageScanDisabled:   *registryDisableScanning,
 		},
 	}
 
@@ -763,7 +763,7 @@ func main() {
 	shutdownWg.Add(1)
 	go daemon.Loop(shutdown, shutdownWg, log.With(logger, "component", "sync-loop"))
 
-	if *registryScanning {
+	if !*registryDisableScanning {
 		cacheWarmer.Notify = daemon.AskForAutomatedWorkloadImageUpdates
 		cacheWarmer.Priority = daemon.ImageRefresh
 		cacheWarmer.Trace = *registryTrace

docs/faq.md

@@ -340,13 +340,13 @@ If the replicas field is not present in Git, Flux will not override the replica
 ### Can I disable Flux registry scanning?
 
 You can completely disable registry scanning by using the
-`--registry-scanning=false` flag. This allows deploying Flux without Memcached.
+`--registry-disable-scanning` flag. This allows deploying Flux without
+ Memcached.
 
 
-If you only want to disable scanning for certain images, you can keep
-`--registry-scanning` set to `true` (its default value) and tell Flux
-what images to exclude. This is done by supplying a list of glob expressions
-using the `registry-exclude-image` flag.
+If you only want to disable scanning for certain images, don't set
+`--registry-disable-scanning`. Instead, you can tell Flux what images to exclude
+by supplying a list of glob expressions to the `--registry-exclude-image` flag.
 
 To exclude images from Docker Hub and Quay.io, use:
 

docs/references/daemon.md

@@ -79,7 +79,7 @@ Version controlling of cluster manifests provides reproducibility and a historic
 | --registry-ecr-include-id                        | `[]`                               | include these AWS account ID(s) when scanning images in ECR (multiple values allowed); empty means allow all, unless excluded
 | --registry-ecr-exclude-id                        | `[<EKS SYSTEM ACCOUNT>]`           | exclude these AWS account ID(s) when scanning ECR (multiple values allowed); defaults to the EKS system account, so system images will not be scanned
 | --registry-require                               | `[]`                               | exit with an error if the given services are not available. Useful for escalating misconfiguration or outages that might otherwise go undetected. Presently supported values: {`ecr`} |
-| --registry-scanning                              | `true`                             | scan container image registries to fill in the registry cache
+| --registry-disable-scanning                      | `false`                            | do not scan container image registries to fill in the registry cache
 | **k8s-secret backed ssh keyring configuration**
 | --k8s-secret-name                                | `flux-git-deploy`                  | name of the k8s secret used to store the private SSH key
 | --k8s-secret-volume-mount-path                   | `/etc/fluxd/ssh`                   | mount location of the k8s secret storing the private SSH key

pkg/daemon/daemon_test.go

@@ -741,7 +741,7 @@ func mockDaemon(t *testing.T) (*Daemon, func(), func(), *mock.Mock, *mockEventWr
 		JobStatusCache: &job.StatusCache{Size: 100},
 		EventWriter:    events,
 		Logger:         logger,
-		LoopVars:       &LoopVars{SyncTimeout: timeout, GitTimeout: timeout, SyncState: gitSync, ImageScanEnabled: true},
+		LoopVars:       &LoopVars{SyncTimeout: timeout, GitTimeout: timeout, SyncState: gitSync},
 	}
 
 	start := func() {

pkg/daemon/loop.go

@@ -20,7 +20,7 @@ type LoopVars struct {
 	GitTimeout          time.Duration
 	GitVerifySignatures bool
 	SyncState           fluxsync.State
-	ImageScanEnabled    bool
+	ImageScanDisabled   bool
 
 	initOnce               sync.Once
 	syncSoon               chan struct{}
@@ -62,7 +62,7 @@ func (d *Daemon) Loop(stop chan struct{}, wg *sync.WaitGroup, logger log.Logger)
 	}
 
 	// Same for registry scanning
-	if !d.ImageScanEnabled {
+	if d.ImageScanDisabled {
 		logger.Log("info", "Registry scanning is disabled; no image updates will be attempted")
 	}
 
@@ -82,7 +82,7 @@ func (d *Daemon) Loop(stop chan struct{}, wg *sync.WaitGroup, logger log.Logger)
 				default:
 				}
 			}
-			if d.Repo.Readonly() || !d.ImageScanEnabled {
+			if d.Repo.Readonly() || d.ImageScanDisabled {
 				// don't bother trying to update images, and don't
 				// bother setting the timer again
 				continue

pkg/daemon/sync_test.go

@@ -76,7 +76,7 @@ func daemon(t *testing.T) (*Daemon, func()) {
 		JobStatusCache: &job.StatusCache{Size: 100},
 		EventWriter:    events,
 		Logger:         log.NewLogfmtLogger(os.Stdout),
-		LoopVars:       &LoopVars{SyncTimeout: timeout, GitTimeout: timeout, ImageScanEnabled: true},
+		LoopVars:       &LoopVars{SyncTimeout: timeout, GitTimeout: timeout},
 	}
 	return d, func() {
 		close(shutdown)

pkg/install/install.go

@@ -15,18 +15,18 @@ import (
 //go:generate go run generate.go
 
 type TemplateParameters struct {
-	GitURL             string
-	GitBranch          string
-	GitPaths           []string
-	GitLabel           string
-	GitUser            string
-	GitEmail           string
-	GitReadOnly        bool
-	RegistryScanning   bool
-	Namespace          string
-	ManifestGeneration bool
-	AdditionalFluxArgs []string
-	AddSecurityContext bool
+	GitURL                  string
+	GitBranch               string
+	GitPaths                []string
+	GitLabel                string
+	GitUser                 string
+	GitEmail                string
+	GitReadOnly             bool
+	RegistryDisableScanning bool
+	Namespace               string
+	ManifestGeneration      bool
+	AdditionalFluxArgs      []string
+	AddSecurityContext      bool
 }
 
 func FillInTemplates(params TemplateParameters) (map[string][]byte, error) {
@@ -38,8 +38,8 @@ func FillInTemplates(params TemplateParameters) (map[string][]byte, error) {
 		if info.IsDir() {
 			return nil
 		}
-		if (params.GitReadOnly || !params.RegistryScanning) && strings.Contains(info.Name(), "memcache") {
-			// do not include memcached resources in readonly mode or when registry scanning is disabled
+		if params.RegistryDisableScanning && strings.Contains(info.Name(), "memcache") {
+			// do not include memcached resources when registry scanning is disabled
 			return nil
 		}
 		manifestTemplateBytes, err := ioutil.ReadAll(rs)

pkg/install/install_test.go

@@ -58,35 +58,27 @@ func TestFillInTemplatesAllParameters(t *testing.T) {
 		GitReadOnly:        false,
 		ManifestGeneration: true,
 		AdditionalFluxArgs: []string{"arg1=foo", "arg2=bar"},
-		RegistryScanning:   true,
 		AddSecurityContext: true,
 	})
 }
 
 func TestFillInTemplatesMissingValues(t *testing.T) {
 	testFillInTemplates(t, 5, TemplateParameters{
-		GitURL:           "[email protected]:fluxcd/flux-get-started",
-		GitBranch:        "branch",
-		GitPaths:         []string{},
-		GitLabel:         "label",
-		RegistryScanning: true,
+		GitURL:                  "[email protected]:fluxcd/flux-get-started",
+		GitBranch:               "branch",
+		GitPaths:                []string{},
+		GitLabel:                "label",
+		RegistryDisableScanning: true,
 	})
 }
 
 func TestFillInTemplatesNoMemcached(t *testing.T) {
 	testFillInTemplates(t, 3, TemplateParameters{
-		GitURL:           "[email protected]:fluxcd/flux-get-started",
-		GitBranch:        "branch",
-		GitPaths:         []string{},
-		GitLabel:         "label",
-		RegistryScanning: false,
-	})
-	testFillInTemplates(t, 3, TemplateParameters{
-		GitURL:      "[email protected]:fluxcd/flux-get-started",
-		GitBranch:   "branch",
-		GitPaths:    []string{},
-		GitLabel:    "label",
-		GitReadOnly: false,
+		GitURL:                  "[email protected]:fluxcd/flux-get-started",
+		GitBranch:               "branch",
+		GitPaths:                []string{},
+		GitLabel:                "label",
+		RegistryDisableScanning: true,
 	})
 }
 
@@ -102,7 +94,6 @@ func TestTestFillInTemplatesAddSecurityContext(t *testing.T) {
 		GitReadOnly:        false,
 		ManifestGeneration: true,
 		AdditionalFluxArgs: []string{"arg1=foo", "arg2=bar"},
-		RegistryScanning:   true,
 		AddSecurityContext: true,
 	}
 
@@ -129,7 +120,6 @@ func TestFillInTemplatesNoSecurityContext(t *testing.T) {
 		GitReadOnly:        false,
 		ManifestGeneration: true,
 		AdditionalFluxArgs: []string{"arg1=foo", "arg2=bar"},
-		RegistryScanning:   true,
 		AddSecurityContext: false,
 	}
 

pkg/install/templates/flux-deployment.yaml.tmpl

@@ -184,8 +184,8 @@ spec:
         # Serve /metrics endpoint at different port;
         # make sure to set prometheus' annotation to scrape the port value.
         - --listen-metrics=:3031
-{{- if not .RegistryScanning }}
-        - --registry-scanning=false
+{{- if .RegistryDisableScanning }}
+        - --registry-disable-scanning
 {{- end }}
 {{ if .AdditionalFluxArgs }}
         # Additional arguments{{ range .AdditionalFluxArgs }}

test/e2e/fixtures/kustom/14_release_image/release_image_patch.yaml

@@ -1,6 +1,6 @@
 - op: add
   path: /spec/template/spec/containers/0/args/-
-  value: --registry-scanning=true
+  value: --registry-disable-scanning=false
 - op: add
   path: /spec/template/spec/containers/0/args/-
   value: --registry-exclude-image=*bitnami/mongodb,*bitnami/redis,*k8s.gcr.io*,*docker/kube-*,*fluxcd/flux,*alpine,*memcached,*stefanprodan/gitsrv,*registry

test/e2e/fixtures/kustom/base/flux/e2e_patch.yaml

@@ -10,7 +10,7 @@
   value: --sync-interval=10s
 - op: add
   path: /spec/template/spec/containers/0/args/-
-  value: --registry-scanning=false
+  value: --registry-disable-scanning
 - op: add
   path: /spec/template/spec/containers/0/volumeMounts/-
   value: