Skip to content

Commit

Permalink
validaiton with featuregate
Browse files Browse the repository at this point in the history 
Signed-off-by: Qi Wang <[email protected]>
  • Loading branch information
@QiWang19
QiWang19 committed Nov 18, 2024
1 parent 0c69e82 commit e43b2c9
Show file tree
Hide file tree
Showing 19 changed files with 87 additions and 83 deletions.
28 changes: 1 addition & 27 deletions ...ig/v1alpha1/tests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -450,30 +450,4 @@ tests:
policyType: PublicKey
publicKey:
keyData: Zm9vIGJhcg==
- name: Should be able to create a minimal ClusterImagePolicy with policyType PKI
initial: |
apiVersion: config.openshift.io/v1alpha1
kind: ClusterImagePolicy
spec:
scopes:
- example.com
policy:
rootOfTrust:
policyType: PKI
pki:
caRootsData: Zm9vIGJhcg==
pkiCertificateSubject:
email: [email protected]
expected: |
apiVersion: config.openshift.io/v1alpha1
kind: ClusterImagePolicy
spec:
scopes:
- example.com
policy:
rootOfTrust:
policyType: PKI
pki:
caRootsData: Zm9vIGJhcg==
pkiCertificateSubject:
email: [email protected]
28 changes: 1 addition & 27 deletions config/v1alpha1/tests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -450,30 +450,4 @@ tests:
policyType: PublicKey
publicKey:
keyData: Zm9vIGJhcg==
- name: Should be able to create a minimal ImagePolicy with policyType PKI
initial: |
apiVersion: config.openshift.io/v1alpha1
kind: ImagePolicy
spec:
scopes:
- example.com
policy:
rootOfTrust:
policyType: PKI
pki:
caRootsData: Zm9vIGJhcg==
pkiCertificateSubject:
email: [email protected]
expected: |
apiVersion: config.openshift.io/v1alpha1
kind: ImagePolicy
spec:
scopes:
- example.com
policy:
rootOfTrust:
policyType: PKI
pki:
caRootsData: Zm9vIGJhcg==
pkiCertificateSubject:
email: [email protected]
8 changes: 5 additions & 3 deletions config/v1alpha1/types_image_policy.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,7 @@ type Policy struct {
// +union
// +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'PublicKey' ? has(self.publicKey) : !has(self.publicKey)",message="publicKey is required when policyType is PublicKey, and forbidden otherwise"
// +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'FulcioCAWithRekor' ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)",message="fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise"
// +openshift:validation:FeatureGateAwareXValidation:featureGate=SigstoreImageVerificationPKI,rule="has(self.policyType) && self.policyType == 'PKI' ? has(self.pki) : !has(self.pki)",message="pki is required when policyType is PKI, and forbidden otherwise"
type PolicyRootOfTrust struct {
// policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust.
// "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification.
Expand All @@ -95,7 +96,8 @@ type PolicyRootOfTrust struct {
PKI *PKI `json:"pki,omitempty"`
}

// +kubebuilder:validation:Enum=PublicKey;FulcioCAWithRekor;PKI
// +openshift:validation:FeatureGateAwareEnum:featureGate=SigstoreImageVerification,enum=PublicKey;FulcioCAWithRekor
// +openshift:validation:FeatureGateAwareEnum:featureGate=SigstoreImageVerificationPKI,enum=PublicKey;FulcioCAWithRekor;PKI
type PolicyType string

const (
Expand Down Expand Up @@ -174,11 +176,11 @@ type PKI struct {
type PKICertificateSubject struct {
// email specifies the expected email address imposed on the subject to which the certificate was issued.
// +optional
// +kubebuilder:validation:XValidation:rule=`self.matches('^\\S+@\\S+$')`,message="invalid email address in pkiCertificateSubject"
// +kubebuilder:validation:XValidation:rule=`self != '' ? self.matches('^\\S+@\\S+$') : true`,message="invalid email address in pkiCertificateSubject"
Email string `json:"email,omitempty"`
// Hostname specifies the expected hostname imposed on the subject to which the certificate was issued.
// +optional
// +kubebuilder:validation:XValidation:rule=`self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$')`,message="invalid hostname in pkiCertificateSubject"
// +kubebuilder:validation:XValidation:rule=`self != '' ? self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$') : true`,message="invalid hostname in pkiCertificateSubject"
Hostname string `json:"hostname,omitempty"`
}

Expand Down
10 changes: 8 additions & 2 deletions ...ed.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -133,15 +133,17 @@ spec:
type: string
x-kubernetes-validations:
- message: invalid email address in pkiCertificateSubject
rule: self.matches('^\\S+@\\S+$')
rule: 'self != '''' ? self.matches(''^\\S+@\\S+$'')
: true'
hostname:
description: Hostname specifies the expected hostname
imposed on the subject to which the certificate
was issued.
type: string
x-kubernetes-validations:
- message: invalid hostname in pkiCertificateSubject
rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$')
rule: 'self != '''' ? self.matches(''^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$'')
: true'
type: object
x-kubernetes-validations:
- message: at least one of email or hostname must be set
Expand Down Expand Up @@ -187,6 +189,10 @@ spec:
- policyType
type: object
x-kubernetes-validations:
- message: pki is required when policyType is PKI, and forbidden
otherwise
rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
has(self.pki) : !has(self.pki)'
- message: publicKey is required when policyType is PublicKey,
and forbidden otherwise
rule: 'has(self.policyType) && self.policyType == ''PublicKey''
Expand Down
10 changes: 8 additions & 2 deletions ...rd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -133,15 +133,17 @@ spec:
type: string
x-kubernetes-validations:
- message: invalid email address in pkiCertificateSubject
rule: self.matches('^\\S+@\\S+$')
rule: 'self != '''' ? self.matches(''^\\S+@\\S+$'')
: true'
hostname:
description: Hostname specifies the expected hostname
imposed on the subject to which the certificate
was issued.
type: string
x-kubernetes-validations:
- message: invalid hostname in pkiCertificateSubject
rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$')
rule: 'self != '''' ? self.matches(''^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$'')
: true'
type: object
x-kubernetes-validations:
- message: at least one of email or hostname must be set
Expand Down Expand Up @@ -187,6 +189,10 @@ spec:
- policyType
type: object
x-kubernetes-validations:
- message: pki is required when policyType is PKI, and forbidden
otherwise
rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
has(self.pki) : !has(self.pki)'
- message: publicKey is required when policyType is PublicKey,
and forbidden otherwise
rule: 'has(self.policyType) && self.policyType == ''PublicKey''
Expand Down
1 change: 0 additions & 1 deletion ...d-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -111,7 +111,6 @@ spec:
enum:
- PublicKey
- FulcioCAWithRekor
- PKI
type: string
publicKey:
description: publicKey defines the root of trust based on
Expand Down
10 changes: 8 additions & 2 deletions ...generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -133,15 +133,17 @@ spec:
type: string
x-kubernetes-validations:
- message: invalid email address in pkiCertificateSubject
rule: self.matches('^\\S+@\\S+$')
rule: 'self != '''' ? self.matches(''^\\S+@\\S+$'')
: true'
hostname:
description: Hostname specifies the expected hostname
imposed on the subject to which the certificate
was issued.
type: string
x-kubernetes-validations:
- message: invalid hostname in pkiCertificateSubject
rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$')
rule: 'self != '''' ? self.matches(''^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$'')
: true'
type: object
x-kubernetes-validations:
- message: at least one of email or hostname must be set
Expand Down Expand Up @@ -187,6 +189,10 @@ spec:
- policyType
type: object
x-kubernetes-validations:
- message: pki is required when policyType is PKI, and forbidden
otherwise
rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
has(self.pki) : !has(self.pki)'
- message: publicKey is required when policyType is PublicKey,
and forbidden otherwise
rule: 'has(self.policyType) && self.policyType == ''PublicKey''
Expand Down
10 changes: 8 additions & 2 deletions ...rated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -133,15 +133,17 @@ spec:
type: string
x-kubernetes-validations:
- message: invalid email address in pkiCertificateSubject
rule: self.matches('^\\S+@\\S+$')
rule: 'self != '''' ? self.matches(''^\\S+@\\S+$'')
: true'
hostname:
description: Hostname specifies the expected hostname
imposed on the subject to which the certificate
was issued.
type: string
x-kubernetes-validations:
- message: invalid hostname in pkiCertificateSubject
rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$')
rule: 'self != '''' ? self.matches(''^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$'')
: true'
type: object
x-kubernetes-validations:
- message: at least one of email or hostname must be set
Expand Down Expand Up @@ -187,6 +189,10 @@ spec:
- policyType
type: object
x-kubernetes-validations:
- message: pki is required when policyType is PKI, and forbidden
otherwise
rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
has(self.pki) : !has(self.pki)'
- message: publicKey is required when policyType is PublicKey,
and forbidden otherwise
rule: 'has(self.policyType) && self.policyType == ''PublicKey''
Expand Down
1 change: 0 additions & 1 deletion ...ated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -111,7 +111,6 @@ spec:
enum:
- PublicKey
- FulcioCAWithRekor
- PKI
type: string
publicKey:
description: publicKey defines the root of trust based on
Expand Down
1 change: 0 additions & 1 deletion ...ted-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -111,7 +111,6 @@ spec:
enum:
- PublicKey
- FulcioCAWithRekor
- PKI
type: string
publicKey:
description: publicKey defines the root of trust based on
Expand Down
10 changes: 8 additions & 2 deletions ...-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -133,15 +133,17 @@ spec:
type: string
x-kubernetes-validations:
- message: invalid email address in pkiCertificateSubject
rule: self.matches('^\\S+@\\S+$')
rule: 'self != '''' ? self.matches(''^\\S+@\\S+$'')
: true'
hostname:
description: Hostname specifies the expected hostname
imposed on the subject to which the certificate
was issued.
type: string
x-kubernetes-validations:
- message: invalid hostname in pkiCertificateSubject
rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$')
rule: 'self != '''' ? self.matches(''^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$'')
: true'
type: object
x-kubernetes-validations:
- message: at least one of email or hostname must be set
Expand Down Expand Up @@ -187,6 +189,10 @@ spec:
- policyType
type: object
x-kubernetes-validations:
- message: pki is required when policyType is PKI, and forbidden
otherwise
rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
has(self.pki) : !has(self.pki)'
- message: publicKey is required when policyType is PublicKey,
and forbidden otherwise
rule: 'has(self.policyType) && self.policyType == ''PublicKey''
Expand Down
1 change: 0 additions & 1 deletion ...aturegated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -111,7 +111,6 @@ spec:
enum:
- PublicKey
- FulcioCAWithRekor
- PKI
type: string
publicKey:
description: publicKey defines the root of trust based on
Expand Down
10 changes: 8 additions & 2 deletions ...regated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -133,15 +133,17 @@ spec:
type: string
x-kubernetes-validations:
- message: invalid email address in pkiCertificateSubject
rule: self.matches('^\\S+@\\S+$')
rule: 'self != '''' ? self.matches(''^\\S+@\\S+$'')
: true'
hostname:
description: Hostname specifies the expected hostname
imposed on the subject to which the certificate
was issued.
type: string
x-kubernetes-validations:
- message: invalid hostname in pkiCertificateSubject
rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$')
rule: 'self != '''' ? self.matches(''^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$'')
: true'
type: object
x-kubernetes-validations:
- message: at least one of email or hostname must be set
Expand Down Expand Up @@ -187,6 +189,10 @@ spec:
- policyType
type: object
x-kubernetes-validations:
- message: pki is required when policyType is PKI, and forbidden
otherwise
rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
has(self.pki) : !has(self.pki)'
- message: publicKey is required when policyType is PublicKey,
and forbidden otherwise
rule: 'has(self.policyType) && self.policyType == ''PublicKey''
Expand Down
10 changes: 8 additions & 2 deletions ...d-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -133,15 +133,17 @@ spec:
type: string
x-kubernetes-validations:
- message: invalid email address in pkiCertificateSubject
rule: self.matches('^\\S+@\\S+$')
rule: 'self != '''' ? self.matches(''^\\S+@\\S+$'')
: true'
hostname:
description: Hostname specifies the expected hostname
imposed on the subject to which the certificate
was issued.
type: string
x-kubernetes-validations:
- message: invalid hostname in pkiCertificateSubject
rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$')
rule: 'self != '''' ? self.matches(''^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$'')
: true'
type: object
x-kubernetes-validations:
- message: at least one of email or hostname must be set
Expand Down Expand Up @@ -187,6 +189,10 @@ spec:
- policyType
type: object
x-kubernetes-validations:
- message: pki is required when policyType is PKI, and forbidden
otherwise
rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
has(self.pki) : !has(self.pki)'
- message: publicKey is required when policyType is PublicKey,
and forbidden otherwise
rule: 'has(self.policyType) && self.policyType == ''PublicKey''
Expand Down
Loading

0 comments on commit e43b2c9

Please sign in to comment.