not use SigstoreImageVerificationPKI fg
Signed-off-by: Qi Wang <[email protected]>
QiWang19 committed Nov 8, 2024
1 parent 3ad0c06 commit eee345a
Showing 12 changed files with 348 additions and 817 deletions.
Expand Up @@ -450,3 +450,30 @@ tests:
policyType: PublicKey
publicKey:
keyData: Zm9vIGJhcg==
- name: Should be able to create a minimal ClusterImagePolicy with policyType PKI
initial: |
apiVersion: config.openshift.io/v1alpha1
kind: ClusterImagePolicy
spec:
scopes:
- example.com
policy:
rootOfTrust:
policyType: PKI
pki:
caRootsData: Zm9vIGJhcg==
pkiCertificateSubject:
email: [email protected]
expected: |
apiVersion: config.openshift.io/v1alpha1
kind: ClusterImagePolicy
spec:
scopes:
- example.com
policy:
rootOfTrust:
policyType: PKI
pki:
caRootsData: Zm9vIGJhcg==
pkiCertificateSubject:
email: [email protected]
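Review bot: the new case covers only the happy path for `policyType: PKI`; the CEL rules shipped alongside it (`has(self.email) || has(self.hostname)` and the `email`/`hostname` regexes) get no negative coverage here. Add at least one case that asserts rejection of an empty `pkiCertificateSubject: {}` and one with an `email` that fails `^\S+@\S+$`, so the validation advertised in the schema is actually exercised. `caRootsData: Zm9vIGJhcg==` is fine as an opaque `format: byte` placeholder since the schema does not parse the PEM.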
Expand Up @@ -450,3 +450,30 @@ tests:
policyType: PublicKey
publicKey:
keyData: Zm9vIGJhcg==
- name: Should be able to create a minimal ImagePolicy with policyType PKI
initial: |
apiVersion: config.openshift.io/v1alpha1
kind: ImagePolicy
spec:
scopes:
- example.com
policy:
rootOfTrust:
policyType: PKI
pki:
caRootsData: Zm9vIGJhcg==
pkiCertificateSubject:
email: [email protected]
expected: |
apiVersion: config.openshift.io/v1alpha1
kind: ImagePolicy
spec:
scopes:
- example.com
policy:
rootOfTrust:
policyType: PKI
pki:
caRootsData: Zm9vIGJhcg==
pkiCertificateSubject:
email: [email protected]
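Review bot: this case exercises only the `email` subject; `hostname` is never set in either the ClusterImagePolicy or the ImagePolicy test, so the rule `^(\*\.)?([a-zA-Z0-9-]+\.)*[a-zA-Z0-9-]+\.[a-zA-Z]{2,}$` and the wildcard prefix it permits have no coverage. Add a variant with `hostname: example.com` and one with `hostname: '*.example.com'`, and mirror them in the ClusterImagePolicy suite so the two resources stay in lockstep.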
1 change: 0 additions & 1 deletion config/v1alpha1/types_image_policy.go
Expand Up @@ -92,7 +92,6 @@ type PolicyRootOfTrust struct {
FulcioCAWithRekor *FulcioCAWithRekor `json:"fulcioCAWithRekor,omitempty"`
// pki defines the root of trust based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates.
// +optional
// +openshift:enable:FeatureGate=SigstoreImageVerificationPKI
PKI *PKI `json:"pki,omitempty"`
}

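Review bot: dropping `+openshift:enable:FeatureGate=SigstoreImageVerificationPKI` means `pki` is now guarded only by whatever gate the parent type carries, and the one-line commit title does not say why. State the intent in the commit message (the PKI root of trust is promoted into `SigstoreImageVerification` rather than kept behind its own gate), and if the `SigstoreImageVerificationPKI` gate is still declared elsewhere in the repo, remove that declaration in the same change so no dead gate is left behind. While here, the `pki` doc comment could say that `pkiCertificateSubject` is required and that at least one of `email` or `hostname` must be set, since the generated CRD enforces both.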
Expand Up @@ -102,6 +102,55 @@ spec:
- fulcioSubject
- rekorKeyData
type: object
pki:
description: pki defines the root of trust based on Bring
Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and
corresponding intermediate certificates.
properties:
caIntermediatesData:
description: |-
caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format.
caIntermediatesData requires CertificateAuthorityRoots to be set.
format: byte
maxLength: 8192
type: string
caRootsData:
description: caRootsData contains base64-encoded data
of a certificate bundle PEM file, which contains one
or more CA roots in the PEM format.
format: byte
maxLength: 8192
type: string
pkiCertificateSubject:
description: pkiCertificateSubject defines the requirements
imposed on the subject to which the certificate was
issued.
properties:
email:
description: email specifies the expected email address
imposed on the subject to which the certificate
was issued.
type: string
x-kubernetes-validations:
- message: invalid email address in pkiCertificateSubject
rule: self.matches('^\\S+@\\S+$')
hostname:
description: Hostname specifies the expected hostname
imposed on the subject to which the certificate
was issued.
type: string
x-kubernetes-validations:
- message: invalid hostname in pkiCertificateSubject
rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$')
type: object
x-kubernetes-validations:
- message: at least one of email or hostname must be set
in pkiCertificateSubject
rule: has(self.email) || has(self.hostname)
required:
- caRootsData
- pkiCertificateSubject
type: object
policyType:
description: |-
policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust.
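Review bot: the `caIntermediatesData` description says it "requires CertificateAuthorityRoots to be set", but no field by that name exists in this schema; the root field is `caRootsData`, and since `caRootsData` is already in `required`, the sentence is redundant as well as misnamed. This manifest is generated, so fix the wording on the Go field comment in `types_image_policy.go` and regenerate rather than editing here. Also, the `hostname` description starts with a capitalised `Hostname` while every sibling description starts with the lowercase JSON field name.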
Expand Up @@ -102,6 +102,55 @@ spec:
- fulcioSubject
- rekorKeyData
type: object
pki:
description: pki defines the root of trust based on Bring
Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and
corresponding intermediate certificates.
properties:
caIntermediatesData:
description: |-
caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format.
caIntermediatesData requires CertificateAuthorityRoots to be set.
format: byte
maxLength: 8192
type: string
caRootsData:
description: caRootsData contains base64-encoded data
of a certificate bundle PEM file, which contains one
or more CA roots in the PEM format.
format: byte
maxLength: 8192
type: string
pkiCertificateSubject:
description: pkiCertificateSubject defines the requirements
imposed on the subject to which the certificate was
issued.
properties:
email:
description: email specifies the expected email address
imposed on the subject to which the certificate
was issued.
type: string
x-kubernetes-validations:
- message: invalid email address in pkiCertificateSubject
rule: self.matches('^\\S+@\\S+$')
hostname:
description: Hostname specifies the expected hostname
imposed on the subject to which the certificate
was issued.
type: string
x-kubernetes-validations:
- message: invalid hostname in pkiCertificateSubject
rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$')
type: object
x-kubernetes-validations:
- message: at least one of email or hostname must be set
in pkiCertificateSubject
rule: has(self.email) || has(self.hostname)
required:
- caRootsData
- pkiCertificateSubject
type: object
policyType:
description: |-
policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust.
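Review bot: the `hostname` regex accepts a leading `*.`, but neither description says how a wildcard in the expected subject is matched against the signing certificate (a literal compare against a wildcard SAN, or "any subdomain"). That distinction changes how broad the trust policy is, so spell it out in the `hostname` description. The regex also accepts labels that begin or end with `-` (for example `-foo.example.com`) and rejects single-label hosts and IPv4 literals (the final label must match `[a-zA-Z]{2,}`); if those are intentional, a short note in the description avoids support questions later.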
2 changes: 0 additions & 2 deletions config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml
Expand Up @@ -29,7 +29,6 @@ clusterimagepolicies.config.openshift.io:
Category: ""
FeatureGates:
- SigstoreImageVerification
- SigstoreImageVerificationPKI
FilenameOperatorName: config-operator
FilenameOperatorOrdering: "01"
FilenameRunLevel: "0000_10"
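Review bot: with `SigstoreImageVerificationPKI` removed from `FeatureGates`, the `pki` fields in `clusterimagepolicies.config.openshift.io` now ship in every feature set where `SigstoreImageVerification` is on. If that is the intent (no separate gate for the BYOPKI root of trust), say so in the commit message; otherwise the independent gate needs to stay.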
Expand All @@ -53,7 +52,6 @@ imagepolicies.config.openshift.io:
Category: ""
FeatureGates:
- SigstoreImageVerification
- SigstoreImageVerificationPKI
FilenameOperatorName: config-operator
FilenameOperatorOrdering: "01"
FilenameRunLevel: "0000_10"
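Review bot: same point as the `clusterimagepolicies` entry above for `imagepolicies.config.openshift.io`. Since this is a `zz_generated` file, the edit should come from removing the Go marker and rerunning the generator rather than a hand edit; the regenerated CRD manifests in this commit should then be byte-for-byte what the generator emits.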
Expand Up @@ -102,6 +102,55 @@ spec:
- fulcioSubject
- rekorKeyData
type: object
pki:
description: pki defines the root of trust based on Bring
Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and
corresponding intermediate certificates.
properties:
caIntermediatesData:
description: |-
caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format.
caIntermediatesData requires CertificateAuthorityRoots to be set.
format: byte
maxLength: 8192
type: string
caRootsData:
description: caRootsData contains base64-encoded data
of a certificate bundle PEM file, which contains one
or more CA roots in the PEM format.
format: byte
maxLength: 8192
type: string
pkiCertificateSubject:
description: pkiCertificateSubject defines the requirements
imposed on the subject to which the certificate was
issued.
properties:
email:
description: email specifies the expected email address
imposed on the subject to which the certificate
was issued.
type: string
x-kubernetes-validations:
- message: invalid email address in pkiCertificateSubject
rule: self.matches('^\\S+@\\S+$')
hostname:
description: Hostname specifies the expected hostname
imposed on the subject to which the certificate
was issued.
type: string
x-kubernetes-validations:
- message: invalid hostname in pkiCertificateSubject
rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$')
type: object
x-kubernetes-validations:
- message: at least one of email or hostname must be set
in pkiCertificateSubject
rule: has(self.email) || has(self.hostname)
required:
- caRootsData
- pkiCertificateSubject
type: object
policyType:
description: |-
policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust.
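Review bot: `maxLength: 8192` applies to the base64 text of `caRootsData` and `caIntermediatesData`, which is roughly 6 KiB of PEM per field. A PEM-encoded RSA-4096 CA certificate is around 2 KiB, so "one or more CA roots" realistically means two or three before the API server rejects the bundle; confirm that cap is intended and, if so, state it in the descriptions. Separately, the `email` rule `^\S+@\S+$` is a syntax sanity check only, which is reasonable, but the description should state whether the value must match the certificate subject's email exactly.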