

validaiton with featuregate
Signed-off-by: Qi Wang <[email protected]>
QiWang19 committed Nov 18, 2024
1 parent 4eac6f9 commit 536d063
Showing 19 changed files with 87 additions and 83 deletions.
Expand Up @@ -450,30 +450,4 @@ tests:
policyType: PublicKey
publicKey:
keyData: Zm9vIGJhcg==
- name: Should be able to create a minimal ClusterImagePolicy with policyType PKI
initial: |
apiVersion: config.openshift.io/v1alpha1
kind: ClusterImagePolicy
spec:
scopes:
- example.com
policy:
rootOfTrust:
policyType: PKI
pki:
caRootsData: Zm9vIGJhcg==
pkiCertificateSubject:
email: [email protected]
expected: |
apiVersion: config.openshift.io/v1alpha1
kind: ClusterImagePolicy
spec:
scopes:
- example.com
policy:
rootOfTrust:
policyType: PKI
pki:
caRootsData: Zm9vIGJhcg==
pkiCertificateSubject:
email: [email protected]
Expand Up @@ -450,30 +450,4 @@ tests:
policyType: PublicKey
publicKey:
keyData: Zm9vIGJhcg==
- name: Should be able to create a minimal ImagePolicy with policyType PKI
initial: |
apiVersion: config.openshift.io/v1alpha1
kind: ImagePolicy
spec:
scopes:
- example.com
policy:
rootOfTrust:
policyType: PKI
pki:
caRootsData: Zm9vIGJhcg==
pkiCertificateSubject:
email: [email protected]
expected: |
apiVersion: config.openshift.io/v1alpha1
kind: ImagePolicy
spec:
scopes:
- example.com
policy:
rootOfTrust:
policyType: PKI
pki:
caRootsData: Zm9vIGJhcg==
pkiCertificateSubject:
email: [email protected]
8 changes: 5 additions & 3 deletions config/v1alpha1/types_image_policy.go
Expand Up @@ -73,6 +73,7 @@ type Policy struct {
// +union
// +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'PublicKey' ? has(self.publicKey) : !has(self.publicKey)",message="publicKey is required when policyType is PublicKey, and forbidden otherwise"
// +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'FulcioCAWithRekor' ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)",message="fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise"
// +openshift:validation:FeatureGateAwareXValidation:featureGate=SigstoreImageVerificationPKI,rule="has(self.policyType) && self.policyType == 'PKI' ? has(self.pki) : !has(self.pki)",message="pki is required when policyType is PKI, and forbidden otherwise"
type PolicyRootOfTrust struct {
// policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust.
// "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification.
Expand All @@ -95,7 +96,8 @@ type PolicyRootOfTrust struct {
PKI *PKI `json:"pki,omitempty"`
}

// +kubebuilder:validation:Enum=PublicKey;FulcioCAWithRekor;PKI
// +openshift:validation:FeatureGateAwareEnum:featureGate=SigstoreImageVerification,enum=PublicKey;FulcioCAWithRekor
// +openshift:validation:FeatureGateAwareEnum:featureGate=SigstoreImageVerificationPKI,enum=PublicKey;FulcioCAWithRekor;PKI
type PolicyType string

const (
Expand Down Expand Up @@ -174,11 +176,11 @@ type PKI struct {
type PKICertificateSubject struct {
// email specifies the expected email address imposed on the subject to which the certificate was issued.
// +optional
// +kubebuilder:validation:XValidation:rule=`self.matches('^\\S+@\\S+$')`,message="invalid email address in pkiCertificateSubject"
// +kubebuilder:validation:XValidation:rule=`has(self) ? self.matches('^\\S+@\\S+$') : true`,message="invalid email address in pkiCertificateSubject"
Email string `json:"email,omitempty"`
// Hostname specifies the expected hostname imposed on the subject to which the certificate was issued.
// +optional
// +kubebuilder:validation:XValidation:rule=`self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$')`,message="invalid hostname in pkiCertificateSubject"
// +kubebuilder:validation:XValidation:rule=`has(self) ? self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$') : true`,message="invalid hostname in pkiCertificateSubject"
Hostname string `json:"hostname,omitempty"`
}

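Review bot: The guard `has(self) ? self.matches(...) : true` added at L104 and L109 looks wrong for a plain string field: as far as I know CEL's `has()` macro only accepts a field-selection argument such as `has(self.email)`, so `has(self)` on a scalar is likely rejected when the CRD is installed, and a field-scoped rule is already skipped when the field is absent, so the guard buys nothing. If the intent is to tolerate an explicitly empty string, `self == '' || self.matches('^\\S+@\\S+$')` expresses that, but an empty email or hostname would then satisfy the parent's "at least one of email or hostname must be set" rule while describing no certificate subject at all, so rejecting it with `// +kubebuilder:validation:MinLength=1` on each field and keeping the original `self.matches(...)` rules is the safer option. Separately, the PKI union guard at L85 is now feature-gated while the PublicKey and FulcioCAWithRekor guards at L83–L84 are not; if the `PKI` field at L90 is not itself gated out of the schema when SigstoreImageVerificationPKI is off, a `pki` block submitted alongside `policyType: PublicKey` would no longer be rejected in that configuration, which deserves a case in the gated test suite now that the PKI fixtures were removed from the ungated one.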
Expand Up @@ -133,15 +133,17 @@ spec:
type: string
x-kubernetes-validations:
- message: invalid email address in pkiCertificateSubject
rule: self.matches('^\\S+@\\S+$')
rule: 'has(self) ? self.matches(''^\\S+@\\S+$'')
: true'
hostname:
description: Hostname specifies the expected hostname
imposed on the subject to which the certificate
was issued.
type: string
x-kubernetes-validations:
- message: invalid hostname in pkiCertificateSubject
rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$')
rule: 'has(self) ? self.matches(''^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$'')
: true'
type: object
x-kubernetes-validations:
- message: at least one of email or hostname must be set
Expand Down Expand Up @@ -187,6 +189,10 @@ spec:
- policyType
type: object
x-kubernetes-validations:
- message: pki is required when policyType is PKI, and forbidden
otherwise
rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
has(self.pki) : !has(self.pki)'
- message: publicKey is required when policyType is PublicKey,
and forbidden otherwise
rule: 'has(self.policyType) && self.policyType == ''PublicKey''
Expand Up @@ -133,15 +133,17 @@ spec:
type: string
x-kubernetes-validations:
- message: invalid email address in pkiCertificateSubject
rule: self.matches('^\\S+@\\S+$')
rule: 'has(self) ? self.matches(''^\\S+@\\S+$'')
: true'
hostname:
description: Hostname specifies the expected hostname
imposed on the subject to which the certificate
was issued.
type: string
x-kubernetes-validations:
- message: invalid hostname in pkiCertificateSubject
rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$')
rule: 'has(self) ? self.matches(''^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$'')
: true'
type: object
x-kubernetes-validations:
- message: at least one of email or hostname must be set
Expand Down Expand Up @@ -187,6 +189,10 @@ spec:
- policyType
type: object
x-kubernetes-validations:
- message: pki is required when policyType is PKI, and forbidden
otherwise
rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
has(self.pki) : !has(self.pki)'
- message: publicKey is required when policyType is PublicKey,
and forbidden otherwise
rule: 'has(self.policyType) && self.policyType == ''PublicKey''
Expand Up @@ -111,7 +111,6 @@ spec:
enum:
- PublicKey
- FulcioCAWithRekor
- PKI
type: string
publicKey:
description: publicKey defines the root of trust based on
Expand Up @@ -133,15 +133,17 @@ spec:
type: string
x-kubernetes-validations:
- message: invalid email address in pkiCertificateSubject
rule: self.matches('^\\S+@\\S+$')
rule: 'has(self) ? self.matches(''^\\S+@\\S+$'')
: true'
hostname:
description: Hostname specifies the expected hostname
imposed on the subject to which the certificate
was issued.
type: string
x-kubernetes-validations:
- message: invalid hostname in pkiCertificateSubject
rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$')
rule: 'has(self) ? self.matches(''^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$'')
: true'
type: object
x-kubernetes-validations:
- message: at least one of email or hostname must be set
Expand Down Expand Up @@ -187,6 +189,10 @@ spec:
- policyType
type: object
x-kubernetes-validations:
- message: pki is required when policyType is PKI, and forbidden
otherwise
rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
has(self.pki) : !has(self.pki)'
- message: publicKey is required when policyType is PublicKey,
and forbidden otherwise
rule: 'has(self.policyType) && self.policyType == ''PublicKey''
Expand Up @@ -133,15 +133,17 @@ spec:
type: string
x-kubernetes-validations:
- message: invalid email address in pkiCertificateSubject
rule: self.matches('^\\S+@\\S+$')
rule: 'has(self) ? self.matches(''^\\S+@\\S+$'')
: true'
hostname:
description: Hostname specifies the expected hostname
imposed on the subject to which the certificate
was issued.
type: string
x-kubernetes-validations:
- message: invalid hostname in pkiCertificateSubject
rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$')
rule: 'has(self) ? self.matches(''^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$'')
: true'
type: object
x-kubernetes-validations:
- message: at least one of email or hostname must be set
Expand Down Expand Up @@ -187,6 +189,10 @@ spec:
- policyType
type: object
x-kubernetes-validations:
- message: pki is required when policyType is PKI, and forbidden
otherwise
rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
has(self.pki) : !has(self.pki)'
- message: publicKey is required when policyType is PublicKey,
and forbidden otherwise
rule: 'has(self.policyType) && self.policyType == ''PublicKey''
Expand Up @@ -111,7 +111,6 @@ spec:
enum:
- PublicKey
- FulcioCAWithRekor
- PKI
type: string
publicKey:
description: publicKey defines the root of trust based on
Expand Up @@ -111,7 +111,6 @@ spec:
enum:
- PublicKey
- FulcioCAWithRekor
- PKI
type: string
publicKey:
description: publicKey defines the root of trust based on
Expand Up @@ -133,15 +133,17 @@ spec:
type: string
x-kubernetes-validations:
- message: invalid email address in pkiCertificateSubject
rule: self.matches('^\\S+@\\S+$')
rule: 'has(self) ? self.matches(''^\\S+@\\S+$'')
: true'
hostname:
description: Hostname specifies the expected hostname
imposed on the subject to which the certificate
was issued.
type: string
x-kubernetes-validations:
- message: invalid hostname in pkiCertificateSubject
rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$')
rule: 'has(self) ? self.matches(''^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$'')
: true'
type: object
x-kubernetes-validations:
- message: at least one of email or hostname must be set
Expand Down Expand Up @@ -187,6 +189,10 @@ spec:
- policyType
type: object
x-kubernetes-validations:
- message: pki is required when policyType is PKI, and forbidden
otherwise
rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
has(self.pki) : !has(self.pki)'
- message: publicKey is required when policyType is PublicKey,
and forbidden otherwise
rule: 'has(self.policyType) && self.policyType == ''PublicKey''
Expand Up @@ -111,7 +111,6 @@ spec:
enum:
- PublicKey
- FulcioCAWithRekor
- PKI
type: string
publicKey:
description: publicKey defines the root of trust based on
Expand Up @@ -133,15 +133,17 @@ spec:
type: string
x-kubernetes-validations:
- message: invalid email address in pkiCertificateSubject
rule: self.matches('^\\S+@\\S+$')
rule: 'has(self) ? self.matches(''^\\S+@\\S+$'')
: true'
hostname:
description: Hostname specifies the expected hostname
imposed on the subject to which the certificate
was issued.
type: string
x-kubernetes-validations:
- message: invalid hostname in pkiCertificateSubject
rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$')
rule: 'has(self) ? self.matches(''^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$'')
: true'
type: object
x-kubernetes-validations:
- message: at least one of email or hostname must be set
Expand Down Expand Up @@ -187,6 +189,10 @@ spec:
- policyType
type: object
x-kubernetes-validations:
- message: pki is required when policyType is PKI, and forbidden
otherwise
rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
has(self.pki) : !has(self.pki)'
- message: publicKey is required when policyType is PublicKey,
and forbidden otherwise
rule: 'has(self.policyType) && self.policyType == ''PublicKey''
Expand Up @@ -133,15 +133,17 @@ spec:
type: string
x-kubernetes-validations:
- message: invalid email address in pkiCertificateSubject
rule: self.matches('^\\S+@\\S+$')
rule: 'has(self) ? self.matches(''^\\S+@\\S+$'')
: true'
hostname:
description: Hostname specifies the expected hostname
imposed on the subject to which the certificate
was issued.
type: string
x-kubernetes-validations:
- message: invalid hostname in pkiCertificateSubject
rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$')
rule: 'has(self) ? self.matches(''^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$'')
: true'
type: object
x-kubernetes-validations:
- message: at least one of email or hostname must be set
Expand Down Expand Up @@ -187,6 +189,10 @@ spec:
- policyType
type: object
x-kubernetes-validations:
- message: pki is required when policyType is PKI, and forbidden
otherwise
rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
has(self.pki) : !has(self.pki)'
- message: publicKey is required when policyType is PublicKey,
and forbidden otherwise
rule: 'has(self.policyType) && self.policyType == ''PublicKey''
