From 536d0633fd7291e200d93b48c13295881b2884d6 Mon Sep 17 00:00:00 2001 From: Qi Wang Date: Thu, 14 Nov 2024 17:11:23 -0500 Subject: [PATCH] validaiton with featuregate Signed-off-by: Qi Wang --- .../SigstoreImageVerification.yaml | 28 +------------------ .../SigstoreImageVerification.yaml | 28 +------------------ config/v1alpha1/types_image_policy.go | 8 ++++-- ...sterimagepolicies-CustomNoUpgrade.crd.yaml | 10 +++++-- ...imagepolicies-DevPreviewNoUpgrade.crd.yaml | 10 +++++-- ...magepolicies-TechPreviewNoUpgrade.crd.yaml | 1 - ..._01_imagepolicies-CustomNoUpgrade.crd.yaml | 10 +++++-- ...imagepolicies-DevPreviewNoUpgrade.crd.yaml | 10 +++++-- ...magepolicies-TechPreviewNoUpgrade.crd.yaml | 1 - .../SigstoreImageVerification.yaml | 1 - .../SigstoreImageVerificationPKI.yaml | 10 +++++-- .../SigstoreImageVerification.yaml | 1 - .../SigstoreImageVerificationPKI.yaml | 10 +++++-- ...sterimagepolicies-CustomNoUpgrade.crd.yaml | 10 +++++-- ...imagepolicies-DevPreviewNoUpgrade.crd.yaml | 10 +++++-- ...magepolicies-TechPreviewNoUpgrade.crd.yaml | 1 - ..._01_imagepolicies-CustomNoUpgrade.crd.yaml | 10 +++++-- ...imagepolicies-DevPreviewNoUpgrade.crd.yaml | 10 +++++-- ...magepolicies-TechPreviewNoUpgrade.crd.yaml | 1 - 19 files changed, 87 insertions(+), 83 deletions(-) diff --git a/config/v1alpha1/tests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml b/config/v1alpha1/tests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml index ad32f44b9ac..94c98c04ad3 100644 --- a/config/v1alpha1/tests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml +++ b/config/v1alpha1/tests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml 
@@ -450,30 +450,4 @@ tests: policyType: PublicKey publicKey: keyData: Zm9vIGJhcg== - - name: Should be able to create a minimal ClusterImagePolicy with policyType PKI - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PKI - pki: - caRootsData: Zm9vIGJhcg== - pkiCertificateSubject: - email: test-user@example.com - expected: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PKI - pki: - caRootsData: Zm9vIGJhcg== - pkiCertificateSubject: - email: test-user@example.com + diff --git a/config/v1alpha1/tests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml b/config/v1alpha1/tests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml index f27de891e49..2f096afaf91 100644 --- a/config/v1alpha1/tests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml +++ b/config/v1alpha1/tests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml @@ -450,30 +450,4 @@ tests: policyType: PublicKey publicKey: keyData: Zm9vIGJhcg== - - name: Should be able to create a minimal ImagePolicy with policyType PKI - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PKI - pki: - caRootsData: Zm9vIGJhcg== - pkiCertificateSubject: - email: test-user@example.com - expected: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PKI - pki: - caRootsData: Zm9vIGJhcg== - pkiCertificateSubject: - email: test-user@example.com + diff --git a/config/v1alpha1/types_image_policy.go b/config/v1alpha1/types_image_policy.go index 73d6470c7aa..3abd11eeef7 100644 --- a/config/v1alpha1/types_image_policy.go +++ b/config/v1alpha1/types_image_policy.go 
@@ -73,6 +73,7 @@ type Policy struct {
 // +union
 // +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'PublicKey' ? has(self.publicKey) : !has(self.publicKey)",message="publicKey is required when policyType is PublicKey, and forbidden otherwise"
 // +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'FulcioCAWithRekor' ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)",message="fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=SigstoreImageVerificationPKI,rule="has(self.policyType) && self.policyType == 'PKI' ? has(self.pki) : !has(self.pki)",message="pki is required when policyType is PKI, and forbidden otherwise"
 type PolicyRootOfTrust struct {
 	// policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust.
 	// "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification.
@@ -95,7 +96,8 @@ type PolicyRootOfTrust struct {
 	PKI *PKI `json:"pki,omitempty"`
 }
 
-// +kubebuilder:validation:Enum=PublicKey;FulcioCAWithRekor;PKI
+// +openshift:validation:FeatureGateAwareEnum:featureGate=SigstoreImageVerification,enum=PublicKey;FulcioCAWithRekor
+// +openshift:validation:FeatureGateAwareEnum:featureGate=SigstoreImageVerificationPKI,enum=PublicKey;FulcioCAWithRekor;PKI
 type PolicyType string
 
 const (
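Review bot: The new `pki`/`policyType` consistency rule is emitted only when SigstoreImageVerificationPKI is enabled, so on a cluster with just SigstoreImageVerification on nothing forbids a `pki` block next to `policyType: PublicKey` or `FulcioCAWithRekor` if the `pki` property itself is still published in the schema. Whether the `PKI *PKI` field carries its own feature-gate marker is above this hunk and not visible; the TechPreviewNoUpgrade manifests in this diff only drop the `PKI` enum value and do not remove a `pki` property, which suggests it remains. If the field is not gated, gating it with the same feature gate so the property is pruned together with the rule would close that gap. The diffstat also shows the PKI test cases removed from both `SigstoreImageVerification.yaml` fixtures with no PKI-gated fixture added, so neither the new rule nor the gated enum is exercised by a test. `PolicyRootOfTrust` continues outside the hunk.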
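Review bot: `PolicyType` now has two FeatureGateAwareEnum markers but no doc comment telling API consumers that `PKI` is accepted only when the SigstoreImageVerificationPKI gate is enabled, and the `const (` block that follows (outside the hunk) presumably still declares the PKI constant unconditionally. A comment above the type such as `// PolicyType is the root-of-trust discriminator; PKI is accepted only when the SigstoreImageVerificationPKI feature gate is enabled.` would explain why a `PKI` value is rejected on a cluster where only the base gate is on. Since the two markers list different value sets, it is also worth confirming and documenting what the generator emits when both gates are enabled at once.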
@@ -174,11 +176,11 @@ type PKI struct { type PKICertificateSubject struct { // email specifies the expected email address imposed on the subject to which the certificate was issued. // +optional - // +kubebuilder:validation:XValidation:rule=`self.matches('^\\S+@\\S+$')`,message="invalid email address in pkiCertificateSubject" + // +kubebuilder:validation:XValidation:rule=`has(self) ? self.matches('^\\S+@\\S+$') : true`,message="invalid email address in pkiCertificateSubject" Email string `json:"email,omitempty"` // Hostname specifies the expected hostname imposed on the subject to which the certificate was issued. // +optional - // +kubebuilder:validation:XValidation:rule=`self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$')`,message="invalid hostname in pkiCertificateSubject" + // +kubebuilder:validation:XValidation:rule=`has(self) ? self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$') : true`,message="invalid hostname in pkiCertificateSubject" Hostname string `json:"hostname,omitempty"` } diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml index 30d41a09e85..3b3c8f58006 100644 --- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml @@ -133,7 +133,8 @@ spec: type: string x-kubernetes-validations: - message: invalid email address in pkiCertificateSubject - rule: self.matches('^\\S+@\\S+$') + rule: 'has(self) ? self.matches(''^\\S+@\\S+$'') + : true' hostname: description: Hostname specifies the expected hostname imposed on the subject to which the certificate 
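Review bot: `has(self)` in the rewritten rules on `Email` and `Hostname` does not look like valid CEL: the `has()` macro takes a field-selection expression such as `has(self.email)`, and as far as I can tell a bare identifier is rejected when the rule is compiled, which would make the whole CRD fail rule compilation rather than skip empty values. A field-scoped rule is not evaluated when the field is omitted, so the original `self.matches(...)` already tolerated an absent email or hostname; if the intent is to tolerate an explicitly empty string, `self == '' || self.matches('^\\S+@\\S+$')` (and likewise for hostname) expresses that. If empty strings are to be tolerated, the parent rule `at least one of email or hostname must be set` visible in the generated manifests should also treat `""` as unset, otherwise an empty subject constraint could be accepted and would match any certificate subject. The same rewrite is repeated in every generated CRD hunk below, which would be regenerated from these markers.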
@@ -141,7 +142,8 @@ spec: type: string x-kubernetes-validations: - message: invalid hostname in pkiCertificateSubject - rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$') + rule: 'has(self) ? self.matches(''^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$'') + : true' type: object x-kubernetes-validations: - message: at least one of email or hostname must be set @@ -187,6 +189,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml index 27268d207db..6142a03b956 100644 --- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml @@ -133,7 +133,8 @@ spec: type: string x-kubernetes-validations: - message: invalid email address in pkiCertificateSubject - rule: self.matches('^\\S+@\\S+$') + rule: 'has(self) ? self.matches(''^\\S+@\\S+$'') + : true' hostname: description: Hostname specifies the expected hostname imposed on the subject to which the certificate 
@@ -141,7 +142,8 @@ spec: type: string x-kubernetes-validations: - message: invalid hostname in pkiCertificateSubject - rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$') + rule: 'has(self) ? self.matches(''^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$'') + : true' type: object x-kubernetes-validations: - message: at least one of email or hostname must be set @@ -187,6 +189,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml index 727efc92f3d..5b741d16ec6 100644 --- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml @@ -111,7 +111,6 @@ spec: enum: - PublicKey - FulcioCAWithRekor - - PKI type: string publicKey: description: publicKey defines the root of trust based on diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml index 955771035ef..a392edf09ca 100644 --- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml 
+++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml @@ -133,7 +133,8 @@ spec: type: string x-kubernetes-validations: - message: invalid email address in pkiCertificateSubject - rule: self.matches('^\\S+@\\S+$') + rule: 'has(self) ? self.matches(''^\\S+@\\S+$'') + : true' hostname: description: Hostname specifies the expected hostname imposed on the subject to which the certificate @@ -141,7 +142,8 @@ spec: type: string x-kubernetes-validations: - message: invalid hostname in pkiCertificateSubject - rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$') + rule: 'has(self) ? self.matches(''^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$'') + : true' type: object x-kubernetes-validations: - message: at least one of email or hostname must be set @@ -187,6 +189,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml index fcfddacb9e0..60fc8e298c9 100644 --- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml 
@@ -133,7 +133,8 @@ spec: type: string x-kubernetes-validations: - message: invalid email address in pkiCertificateSubject - rule: self.matches('^\\S+@\\S+$') + rule: 'has(self) ? self.matches(''^\\S+@\\S+$'') + : true' hostname: description: Hostname specifies the expected hostname imposed on the subject to which the certificate @@ -141,7 +142,8 @@ spec: type: string x-kubernetes-validations: - message: invalid hostname in pkiCertificateSubject - rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$') + rule: 'has(self) ? self.matches(''^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$'') + : true' type: object x-kubernetes-validations: - message: at least one of email or hostname must be set @@ -187,6 +189,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml index 8da264ed7f1..7534d8b5307 100644 --- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml @@ -111,7 +111,6 @@ spec: enum: - PublicKey - FulcioCAWithRekor - - PKI type: string publicKey: description: publicKey defines the root of trust based on 
diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml index 313a7c19bb3..b345146042f 100644 --- a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml +++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml @@ -111,7 +111,6 @@ spec: enum: - PublicKey - FulcioCAWithRekor - - PKI type: string publicKey: description: publicKey defines the root of trust based on diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml index 49d16eada24..4b0ddb6a451 100644 --- a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml +++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml @@ -133,7 +133,8 @@ spec: type: string x-kubernetes-validations: - message: invalid email address in pkiCertificateSubject - rule: self.matches('^\\S+@\\S+$') + rule: 'has(self) ? self.matches(''^\\S+@\\S+$'') + : true' hostname: description: Hostname specifies the expected hostname imposed on the subject to which the certificate 
@@ -141,7 +142,8 @@ spec: type: string x-kubernetes-validations: - message: invalid hostname in pkiCertificateSubject - rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$') + rule: 'has(self) ? self.matches(''^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$'') + : true' type: object x-kubernetes-validations: - message: at least one of email or hostname must be set @@ -187,6 +189,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml index d0747f8c231..008fea2e3e6 100644 --- a/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml +++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml @@ -111,7 +111,6 @@ spec: enum: - PublicKey - FulcioCAWithRekor - - PKI type: string publicKey: description: publicKey defines the root of trust based on diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml index e9103f6fab6..259799d9526 100644 --- a/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml 
+++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml @@ -133,7 +133,8 @@ spec: type: string x-kubernetes-validations: - message: invalid email address in pkiCertificateSubject - rule: self.matches('^\\S+@\\S+$') + rule: 'has(self) ? self.matches(''^\\S+@\\S+$'') + : true' hostname: description: Hostname specifies the expected hostname imposed on the subject to which the certificate @@ -141,7 +142,8 @@ spec: type: string x-kubernetes-validations: - message: invalid hostname in pkiCertificateSubject - rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$') + rule: 'has(self) ? self.matches(''^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$'') + : true' type: object x-kubernetes-validations: - message: at least one of email or hostname must be set @@ -187,6 +189,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' diff --git a/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml index 30d41a09e85..3b3c8f58006 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml 
@@ -133,7 +133,8 @@ spec: type: string x-kubernetes-validations: - message: invalid email address in pkiCertificateSubject - rule: self.matches('^\\S+@\\S+$') + rule: 'has(self) ? self.matches(''^\\S+@\\S+$'') + : true' hostname: description: Hostname specifies the expected hostname imposed on the subject to which the certificate @@ -141,7 +142,8 @@ spec: type: string x-kubernetes-validations: - message: invalid hostname in pkiCertificateSubject - rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$') + rule: 'has(self) ? self.matches(''^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$'') + : true' type: object x-kubernetes-validations: - message: at least one of email or hostname must be set @@ -187,6 +189,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' diff --git a/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml index 27268d207db..6142a03b956 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml @@ -133,7 +133,8 @@ spec: type: string x-kubernetes-validations: - message: invalid email address in pkiCertificateSubject - rule: self.matches('^\\S+@\\S+$') + rule: 'has(self) ? self.matches(''^\\S+@\\S+$'') + : true' hostname: description: Hostname specifies the expected hostname imposed on the subject to which the certificate 
@@ -141,7 +142,8 @@ spec: type: string x-kubernetes-validations: - message: invalid hostname in pkiCertificateSubject - rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$') + rule: 'has(self) ? self.matches(''^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$'') + : true' type: object x-kubernetes-validations: - message: at least one of email or hostname must be set @@ -187,6 +189,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' diff --git a/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml index 727efc92f3d..5b741d16ec6 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml @@ -111,7 +111,6 @@ spec: enum: - PublicKey - FulcioCAWithRekor - - PKI type: string publicKey: description: publicKey defines the root of trust based on diff --git a/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml index 955771035ef..a392edf09ca 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml 
@@ -133,7 +133,8 @@ spec: type: string x-kubernetes-validations: - message: invalid email address in pkiCertificateSubject - rule: self.matches('^\\S+@\\S+$') + rule: 'has(self) ? self.matches(''^\\S+@\\S+$'') + : true' hostname: description: Hostname specifies the expected hostname imposed on the subject to which the certificate @@ -141,7 +142,8 @@ spec: type: string x-kubernetes-validations: - message: invalid hostname in pkiCertificateSubject - rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$') + rule: 'has(self) ? self.matches(''^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$'') + : true' type: object x-kubernetes-validations: - message: at least one of email or hostname must be set @@ -187,6 +189,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' diff --git a/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml index fcfddacb9e0..60fc8e298c9 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml @@ -133,7 +133,8 @@ spec: type: string x-kubernetes-validations: - message: invalid email address in pkiCertificateSubject - rule: self.matches('^\\S+@\\S+$') + rule: 'has(self) ? self.matches(''^\\S+@\\S+$'') + : true' hostname: description: Hostname specifies the expected hostname imposed on the subject to which the certificate 
@@ -141,7 +142,8 @@ spec: type: string x-kubernetes-validations: - message: invalid hostname in pkiCertificateSubject - rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$') + rule: 'has(self) ? self.matches(''^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$'') + : true' type: object x-kubernetes-validations: - message: at least one of email or hostname must be set @@ -187,6 +189,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' diff --git a/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml index 8da264ed7f1..7534d8b5307 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml @@ -111,7 +111,6 @@ spec: enum: - PublicKey - FulcioCAWithRekor - - PKI type: string publicKey: description: publicKey defines the root of trust based on