
Rename --registry-scanning to --registry-disable-scanning & keep it independent from --git-readonly #2813

4 changes: 2 additions & 2 deletions cmd/fluxctl/install_cmd.go
Expand Up @@ -48,8 +48,8 @@ fluxctl install --git-url '[email protected]:<your username>/flux-get-started' --gi
"whether to enable manifest generation")
cmd.Flags().StringVar(&opts.Namespace, "namespace", "",
"cluster namespace where to install flux")
cmd.Flags().BoolVar(&opts.RegistryScanning, "registry-scanning", true,
"scan container image registries to fill in the registry cache")
cmd.Flags().BoolVar(&opts.RegistryDisableScanning, "registry-disable-scanning", false,
"do not scan container image registries to fill in the registry cache")
cmd.Flags().StringVarP(&opts.outputDir, "output-dir", "o", "", "a directory in which to write individual manifests, rather than printing to stdout")
cmd.Flags().BoolVar(&opts.AddSecurityContext, "add-security-context", true, "Ensure security context information is added to the pod specs. Defaults to 'true'")

28 changes: 14 additions & 14 deletions cmd/fluxd/main.go
Expand Up @@ -117,7 +117,7 @@ func main() {
gitURL = fs.String("git-url", "", "URL of git repo with Kubernetes manifests; e.g., [email protected]:fluxcd/flux-get-started")
gitBranch = fs.String("git-branch", "master", "branch of git repo to use for Kubernetes manifests")
gitPath = fs.StringSlice("git-path", []string{}, "relative paths within the git repo to locate Kubernetes manifests")
gitReadonly = fs.Bool("git-readonly", false, fmt.Sprintf("use to prevent Flux from pushing changes to git; implies --sync-state=%s and --registry-scanning=false", fluxsync.NativeStateMode))
gitReadonly = fs.Bool("git-readonly", false, fmt.Sprintf("use to prevent Flux from pushing changes to git; implies --sync-state=%s", fluxsync.NativeStateMode))
gitUser = fs.String("git-user", "Weave Flux", "username to use as git committer")
gitEmail = fs.String("git-email", "[email protected]", "email to use as git committer")
gitSetAuthor = fs.Bool("git-set-author", false, "if set, the author of git commits will reflect the user who initiated the commit and will differ from the git committer.")
Expand Down Expand Up @@ -151,15 +151,15 @@ func main() {
memcachedTimeout = fs.Duration("memcached-timeout", time.Second, "maximum time to wait before giving up on memcached requests.")
memcachedService = fs.String("memcached-service", "memcached", "SRV service used to discover memcache servers.")

registryScanning = fs.Bool("registry-scanning", true, "scan container image registries to fill in the registry cache; --registry-scanning=false implies --read-only=true")
automationInterval = fs.Duration("automation-interval", 5*time.Minute, "period at which to check for image updates for automated workloads")
registryPollInterval = fs.Duration("registry-poll-interval", 5*time.Minute, "period at which to check for updated images")
registryRPS = fs.Float64("registry-rps", 50, "maximum registry requests per second per host")
registryBurst = fs.Int("registry-burst", defaultRemoteConnections, "maximum number of warmer connections to remote and memcache")
registryTrace = fs.Bool("registry-trace", false, "output trace of image registry requests to log")
registryInsecure = fs.StringSlice("registry-insecure-host", []string{}, "let these registry hosts skip TLS host verification and fall back to using HTTP instead of HTTPS; this allows man-in-the-middle attacks, so use with extreme caution")
registryExcludeImage = fs.StringSlice("registry-exclude-image", []string{"k8s.gcr.io/*"}, "do not scan images that match these glob expressions; the default is to exclude the 'k8s.gcr.io/*' images")
registryUseLabels = fs.StringSlice("registry-use-labels", []string{"index.docker.io/weaveworks/*", "index.docker.io/fluxcd/*"}, "use the timestamp (RFC3339) from labels for (canonical) image refs that match these glob expression")
registryDisableScanning = fs.Bool("registry-disable-scanning", false, "do not scan container image registries to fill in the registry cache")
automationInterval = fs.Duration("automation-interval", 5*time.Minute, "period at which to check for image updates for automated workloads")
registryPollInterval = fs.Duration("registry-poll-interval", 5*time.Minute, "period at which to check for updated images")
registryRPS = fs.Float64("registry-rps", 50, "maximum registry requests per second per host")
registryBurst = fs.Int("registry-burst", defaultRemoteConnections, "maximum number of warmer connections to remote and memcache")
registryTrace = fs.Bool("registry-trace", false, "output trace of image registry requests to log")
registryInsecure = fs.StringSlice("registry-insecure-host", []string{}, "let these registry hosts skip TLS host verification and fall back to using HTTP instead of HTTPS; this allows man-in-the-middle attacks, so use with extreme caution")
registryExcludeImage = fs.StringSlice("registry-exclude-image", []string{"k8s.gcr.io/*"}, "do not scan images that match these glob expressions; the default is to exclude the 'k8s.gcr.io/*' images")
registryUseLabels = fs.StringSlice("registry-use-labels", []string{"index.docker.io/weaveworks/*", "index.docker.io/fluxcd/*"}, "use the timestamp (RFC3339) from labels for (canonical) image refs that match these glob expression")

// AWS authentication
registryAWSRegions = fs.StringSlice("registry-ecr-region", nil, "include just these AWS regions when scanning images in ECR; when not supplied, the cluster's region will included if it can be detected through the AWS API")
Expand Down Expand Up @@ -277,7 +277,6 @@ func main() {
// Argument validation

if *gitReadonly {
*registryScanning = false
if *syncState == fluxsync.GitTagStateMode {
logger.Log("warning", fmt.Sprintf("--git-readonly prevents use of --sync-state=%s. Forcing to --sync-state=%s", fluxsync.GitTagStateMode, fluxsync.NativeStateMode))
*syncState = fluxsync.NativeStateMode
Expand Down Expand Up @@ -561,7 +560,7 @@ func main() {
// Registry components
var imageRegistry registry.Registry = registry.ImageScanDisabledRegistry{}
var cacheWarmer *cache.Warmer
if *registryScanning {
if !*registryDisableScanning {
// Cache client, for use by registry and cache warmer
var cacheClient cache.Client
var memcacheClient *registryMemcache.MemcacheClient
Expand Down Expand Up @@ -660,7 +659,7 @@ func main() {
"sync-tag", *gitSyncTag,
"state", *syncState,
"readonly", *gitReadonly,
"registry-scanning", *registryScanning,
"registry-disable-scanning", *registryDisableScanning,
"notes-ref", *gitNotesRef,
"set-author", *gitSetAuthor,
"git-secret", *gitSecret,
Expand Down Expand Up @@ -728,6 +727,7 @@ func main() {
AutomationInterval: *automationInterval,
GitTimeout: *gitTimeout,
GitVerifySignatures: *gitVerifySignatures,
ImageScanDisabled: *registryDisableScanning,
},
}

Expand Down Expand Up @@ -763,7 +763,7 @@ func main() {
shutdownWg.Add(1)
go daemon.Loop(shutdown, shutdownWg, log.With(logger, "component", "sync-loop"))

if *registryScanning {
if !*registryDisableScanning {
cacheWarmer.Notify = daemon.AskForAutomatedWorkloadImageUpdates
cacheWarmer.Priority = daemon.ImageRefresh
cacheWarmer.Trace = *registryTrace
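Review bot: The old `--registry-scanning` flag is removed outright in the flag-declaration hunk rather than kept as a deprecated alias, so an existing deployment still passing `--registry-scanning=false` will presumably be rejected by the flag parser at startup instead of being translated; registering the old name as a hidden, deprecated bool whose `false` value sets `registryDisableScanning` (with a one-time warning log) would make the rename a safe upgrade. Dropping `*registryScanning = false` from the `--git-readonly` validation also means a read-only deployment that relied on the implied behaviour now keeps the cache warmer running and needs memcached reachable, since the warmer is gated only on `!*registryDisableScanning` later in the section. That is the intent of the PR, but the new help string could say so explicitly: `"do not scan container image registries to fill in the registry cache; this is independent of --git-readonly, which no longer disables scanning"`. The body of main continues outside every hunk here.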
16 changes: 8 additions & 8 deletions docs/faq.md
Expand Up @@ -340,27 +340,27 @@ If the replicas field is not present in Git, Flux will not override the replica
### Can I disable Flux registry scanning?

You can completely disable registry scanning by using the
`--registry-scanning=false` flag. This allows deploying Flux without Memcached.
`--registry-disable-scanning` flag. This allows deploying Flux without
Memcached.


If you only want to disable scanning for certain images, you can keep
`--registry-scanning` set to `true` (its default value) and tell Flux
what images to exclude. This is done by supplying a list of glob expressions
using the `registry-exclude-image` flag.
If you only want to disable scanning for certain images, don't set
`--registry-disable-scanning`. Instead, you can tell Flux what images to exclude
by supplying a list of glob expressions to the `--registry-exclude-image` flag.

Exclude images from Docker Hub and Quay.io:
To exclude images from Docker Hub and Quay.io, use:

```
--registry-exclude-image=docker.io/*,quay.io/*
```

And the Helm install equivalent (note the `\,` separator):
Here is the Helm install equivalent (note the `\,` separator):

```
--set registry.excludeImage="docker.io/*\,quay.io/*"
```

Exclude images containing `test` in the FQN:
To exclude images containing `test` in the FQN, use:

```
--registry-exclude-image=*test*
4 changes: 2 additions & 2 deletions docs/references/daemon.md
Expand Up @@ -57,7 +57,7 @@ Version controlling of cluster manifests provides reproducibility and a historic
| --git-notes-ref | `flux` | ref to use for keeping commit annotations in git notes
| --git-poll-interval | `5m` | period at which to fetch any new commits from the git repo
| --git-timeout | `20s` | duration after which git operations time out
| --git-readonly | `false` | If `true`, the git repo will be considered read-only, and Flux will not attempt to write to it. Implies --sync-state=secret and --registry-scanning=false
| --git-readonly | `false` | If `true`, the git repo will be considered read-only, and Flux will not attempt to write to it. Implies --sync-state=secret
| **syncing:** control over how config is applied to the cluster
| --sync-interval | `5m` | apply the git config to the cluster at least this often. New commits may provoke more frequent syncs
| --sync-timeout | `1m` | duration after which sync operations time out
Expand All @@ -79,7 +79,7 @@ Version controlling of cluster manifests provides reproducibility and a historic
| --registry-ecr-include-id | `[]` | include these AWS account ID(s) when scanning images in ECR (multiple values allowed); empty means allow all, unless excluded
| --registry-ecr-exclude-id | `[<EKS SYSTEM ACCOUNT>]` | exclude these AWS account ID(s) when scanning ECR (multiple values allowed); defaults to the EKS system account, so system images will not be scanned
| --registry-require | `[]` | exit with an error if the given services are not available. Useful for escalating misconfiguration or outages that might otherwise go undetected. Presently supported values: {`ecr`} |
| --registry-scanning | `true` | scan container image registries to fill in the registry cache; --registry-scanning=false implies --read-only=true
| --registry-disable-scanning | `false` | do not scan container image registries to fill in the registry cache
| **k8s-secret backed ssh keyring configuration**
| --k8s-secret-name | `flux-git-deploy` | name of the k8s secret used to store the private SSH key
| --k8s-secret-volume-mount-path | `/etc/fluxd/ssh` | mount location of the k8s secret storing the private SSH key
10 changes: 8 additions & 2 deletions pkg/daemon/loop.go
Expand Up @@ -20,6 +20,7 @@ type LoopVars struct {
GitTimeout time.Duration
GitVerifySignatures bool
SyncState fluxsync.State
ImageScanDisabled bool

initOnce sync.Once
syncSoon chan struct{}
Expand Down Expand Up @@ -53,13 +54,18 @@ func (d *Daemon) Loop(stop chan struct{}, wg *sync.WaitGroup, logger log.Logger)
// In-memory sync tag state
ratchet := &lastKnownSyncState{logger: logger, state: d.SyncState}

// If the git repo is read-only, the image update will fail; to
// If the git repo is read-only, the image updates will fail; to
// avoid repeated failures in the log, mention it here and
// otherwise skip it when it comes around.
if d.Repo.Readonly() {
logger.Log("info", "Repo is read-only; no image updates will be attempted")
}

// Same for registry scanning
if d.ImageScanDisabled {
logger.Log("info", "Registry scanning is disabled; no image updates will be attempted")
}

// Ask for a sync, and to check
d.AskForSync()
d.AskForAutomatedWorkloadImageUpdates()
Expand All @@ -76,7 +82,7 @@ func (d *Daemon) Loop(stop chan struct{}, wg *sync.WaitGroup, logger log.Logger)
default:
}
}
if d.Repo.Readonly() {
if d.Repo.Readonly() || d.ImageScanDisabled {
// don't bother trying to update images, and don't
// bother setting the timer again
continue
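Review bot: The new `ImageScanDisabled` field on `LoopVars` carries no comment tying it to the daemon flag that populates it, and a reader of this file has no way to know it is the inverse of the old registry-scanning setting; a field comment such as `// ImageScanDisabled is set from --registry-disable-scanning; when true, Loop logs once and skips automated image updates.` would document the contract the second hunk implements. In that second hunk the startup call `d.AskForAutomatedWorkloadImageUpdates()` still fires when scanning is disabled; the `continue` in the loop discards the request so it is harmless, but a short comment there (`// harmless when scanning is disabled: the loop below drops the request`) would save the next reader the same check. Loop begins before the first hunk and continues past the last.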