

use PKI fg not add kubebuilder validation
Signed-off-by: Qi Wang <qiwan@redhat.com>
QiWang19 committed Nov 8, 2024
1 parent eee345a commit 7e78ef6
Showing 18 changed files with 809 additions and 351 deletions.
2 changes: 1 addition & 1 deletion config/v1alpha1/types_image_policy.go
@@ -73,7 +73,6 @@ type Policy struct {
// +union
// +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'PublicKey' ? has(self.publicKey) : !has(self.publicKey)",message="publicKey is required when policyType is PublicKey, and forbidden otherwise"
// +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'FulcioCAWithRekor' ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)",message="fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise"
// +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'PKI' ? has(self.pki) : !has(self.pki)",message="pki is required when policyType is PKI, and forbidden otherwise"
type PolicyRootOfTrust struct {
// policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust.
// "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification.
@@ -92,6 +91,7 @@ type PolicyRootOfTrust struct {
FulcioCAWithRekor *FulcioCAWithRekor `json:"fulcioCAWithRekor,omitempty"`
// pki defines the root of trust based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates.
// +optional
// +openshift:enable:FeatureGate=SigstoreImageVerificationPKI
PKI *PKI `json:"pki,omitempty"`
}
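Review bot: Dropping the PKI XValidation rule from PolicyRootOfTrust without a gate-aware replacement leaves the feature-gated CRD variants with no schema check that `pki` is set exactly when `policyType == 'PKI'`; the `@@ -195,10 +195,6 @@` hunks in the generated manifests show the rule gone while the `pki` property remains, so `policyType: PKI` with no `pki` block, or a stray `pki` under `PublicKey`, now passes admission and the consistency check falls entirely on the consumer of the policy. The two other union members keep their rules, so the API surface is now uneven and a reader of this struct will not expect the gap. If this generator version supports openshift/api's `+openshift:validation:FeatureGateAwareXValidation:featureGate=SigstoreImageVerificationPKI,rule=...,message=...` marker, reinstating the rule under it restores the check only where the field exists; otherwise add to the field's doc comment `// Note: the policyType/pki union consistency is not enforced by CRD validation while the field is feature-gated; consumers must verify pki is set iff policyType is PKI.` The PolicyRootOfTrust struct opens in the first hunk and closes in the second, with its other members outside both.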

@@ -195,10 +195,6 @@ spec:
and forbidden otherwise
rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor''
? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)'
- message: pki is required when policyType is PKI, and forbidden
otherwise
rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
has(self.pki) : !has(self.pki)'
signedIdentity:
description: signedIdentity specifies what image identity the
signature claims about the image. The required matchPolicy field
@@ -195,10 +195,6 @@ spec:
and forbidden otherwise
rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor''
? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)'
- message: pki is required when policyType is PKI, and forbidden
otherwise
rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
has(self.pki) : !has(self.pki)'
signedIdentity:
description: signedIdentity specifies what image identity the
signature claims about the image. The required matchPolicy field
@@ -102,55 +102,6 @@ spec:
- fulcioSubject
- rekorKeyData
type: object
pki:
description: pki defines the root of trust based on Bring
Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and
corresponding intermediate certificates.
properties:
caIntermediatesData:
description: |-
caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format.
caIntermediatesData requires CertificateAuthorityRoots to be set.
format: byte
maxLength: 8192
type: string
caRootsData:
description: caRootsData contains base64-encoded data
of a certificate bundle PEM file, which contains one
or more CA roots in the PEM format.
format: byte
maxLength: 8192
type: string
pkiCertificateSubject:
description: pkiCertificateSubject defines the requirements
imposed on the subject to which the certificate was
issued.
properties:
email:
description: email specifies the expected email address
imposed on the subject to which the certificate
was issued.
type: string
x-kubernetes-validations:
- message: invalid email address in pkiCertificateSubject
rule: self.matches('^\\S+@\\S+$')
hostname:
description: Hostname specifies the expected hostname
imposed on the subject to which the certificate
was issued.
type: string
x-kubernetes-validations:
- message: invalid hostname in pkiCertificateSubject
rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$')
type: object
x-kubernetes-validations:
- message: at least one of email or hostname must be set
in pkiCertificateSubject
rule: has(self.email) || has(self.hostname)
required:
- caRootsData
- pkiCertificateSubject
type: object
policyType:
description: |-
policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust.
@@ -195,10 +146,6 @@ spec:
and forbidden otherwise
rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor''
? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)'
- message: pki is required when policyType is PKI, and forbidden
otherwise
rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
has(self.pki) : !has(self.pki)'
signedIdentity:
description: signedIdentity specifies what image identity the
signature claims about the image. The required matchPolicy field
@@ -195,10 +195,6 @@ spec:
and forbidden otherwise
rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor''
? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)'
- message: pki is required when policyType is PKI, and forbidden
otherwise
rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
has(self.pki) : !has(self.pki)'
signedIdentity:
description: signedIdentity specifies what image identity the
signature claims about the image. The required matchPolicy field
@@ -195,10 +195,6 @@ spec:
and forbidden otherwise
rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor''
? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)'
- message: pki is required when policyType is PKI, and forbidden
otherwise
rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
has(self.pki) : !has(self.pki)'
signedIdentity:
description: signedIdentity specifies what image identity the
signature claims about the image. The required matchPolicy field
@@ -102,55 +102,6 @@ spec:
- fulcioSubject
- rekorKeyData
type: object
pki:
description: pki defines the root of trust based on Bring
Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and
corresponding intermediate certificates.
properties:
caIntermediatesData:
description: |-
caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format.
caIntermediatesData requires CertificateAuthorityRoots to be set.
format: byte
maxLength: 8192
type: string
caRootsData:
description: caRootsData contains base64-encoded data
of a certificate bundle PEM file, which contains one
or more CA roots in the PEM format.
format: byte
maxLength: 8192
type: string
pkiCertificateSubject:
description: pkiCertificateSubject defines the requirements
imposed on the subject to which the certificate was
issued.
properties:
email:
description: email specifies the expected email address
imposed on the subject to which the certificate
was issued.
type: string
x-kubernetes-validations:
- message: invalid email address in pkiCertificateSubject
rule: self.matches('^\\S+@\\S+$')
hostname:
description: Hostname specifies the expected hostname
imposed on the subject to which the certificate
was issued.
type: string
x-kubernetes-validations:
- message: invalid hostname in pkiCertificateSubject
rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$')
type: object
x-kubernetes-validations:
- message: at least one of email or hostname must be set
in pkiCertificateSubject
rule: has(self.email) || has(self.hostname)
required:
- caRootsData
- pkiCertificateSubject
type: object
policyType:
description: |-
policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust.
@@ -195,10 +146,6 @@ spec:
and forbidden otherwise
rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor''
? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)'
- message: pki is required when policyType is PKI, and forbidden
otherwise
rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
has(self.pki) : !has(self.pki)'
signedIdentity:
description: signedIdentity specifies what image identity the
signature claims about the image. The required matchPolicy field
2 changes: 2 additions & 0 deletions config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml
@@ -29,6 +29,7 @@ clusterimagepolicies.config.openshift.io:
Category: ""
FeatureGates:
- SigstoreImageVerification
- SigstoreImageVerificationPKI
FilenameOperatorName: config-operator
FilenameOperatorOrdering: "01"
FilenameRunLevel: "0000_10"
@@ -52,6 +53,7 @@ imagepolicies.config.openshift.io:
Category: ""
FeatureGates:
- SigstoreImageVerification
- SigstoreImageVerificationPKI
FilenameOperatorName: config-operator
FilenameOperatorOrdering: "01"
FilenameRunLevel: "0000_10"
@@ -102,55 +102,6 @@ spec:
- fulcioSubject
- rekorKeyData
type: object
pki:
description: pki defines the root of trust based on Bring
Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and
corresponding intermediate certificates.
properties:
caIntermediatesData:
description: |-
caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format.
caIntermediatesData requires CertificateAuthorityRoots to be set.
format: byte
maxLength: 8192
type: string
caRootsData:
description: caRootsData contains base64-encoded data
of a certificate bundle PEM file, which contains one
or more CA roots in the PEM format.
format: byte
maxLength: 8192
type: string
pkiCertificateSubject:
description: pkiCertificateSubject defines the requirements
imposed on the subject to which the certificate was
issued.
properties:
email:
description: email specifies the expected email address
imposed on the subject to which the certificate
was issued.
type: string
x-kubernetes-validations:
- message: invalid email address in pkiCertificateSubject
rule: self.matches('^\\S+@\\S+$')
hostname:
description: Hostname specifies the expected hostname
imposed on the subject to which the certificate
was issued.
type: string
x-kubernetes-validations:
- message: invalid hostname in pkiCertificateSubject
rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$')
type: object
x-kubernetes-validations:
- message: at least one of email or hostname must be set
in pkiCertificateSubject
rule: has(self.email) || has(self.hostname)
required:
- caRootsData
- pkiCertificateSubject
type: object
policyType:
description: |-
policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust.
@@ -195,10 +146,6 @@ spec:
and forbidden otherwise
rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor''
? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)'
- message: pki is required when policyType is PKI, and forbidden
otherwise
rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
has(self.pki) : !has(self.pki)'
signedIdentity:
description: signedIdentity specifies what image identity the
signature claims about the image. The required matchPolicy field

