From 85c1377d1ff9fbbe9afabfc4b27c231f8aa92c87 Mon Sep 17 00:00:00 2001 From: "W. Trevor King" Date: Wed, 11 Mar 2026 16:07:17 -0700 Subject: [PATCH 1/2] config/v1alpha1: Drop (Cluster)ImagePolicy since the hard cut to v1 d1ee05174e (Add clusterimgepolicy/imagepolicy to payload, 2025-07-23, #2384) hard cut from v1alpha1 to v1 back when the API was still TechPreviewNoUpgrade. This v1alpha1 Go has been dead code since then. Delete it, to avoid confusing folks who might see it and think it still matters somewhere (as set of people that included me up until a few hours ago ;). --- config/v1alpha1/register.go | 4 - .../SigstoreImageVerification.yaml | 453 ------------------ .../SigstoreImageVerificationPKI.yaml | 117 ----- .../SigstoreImageVerification.yaml | 453 ------------------ .../SigstoreImageVerificationPKI.yaml | 117 ----- config/v1alpha1/types_cluster_image_policy.go | 80 ---- config/v1alpha1/types_image_policy.go | 289 ----------- ...-operator_01_clusterimagepolicies.crd.yaml | 442 ----------------- ..._config-operator_01_imagepolicies.crd.yaml | 442 ----------------- .../SigstoreImageVerification.yaml | 350 -------------- .../SigstoreImageVerificationPKI.yaml | 443 ----------------- .../SigstoreImageVerification.yaml | 350 -------------- .../SigstoreImageVerificationPKI.yaml | 443 ----------------- 13 files changed, 3983 deletions(-) delete mode 100644 config/v1alpha1/tests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml delete mode 100644 config/v1alpha1/tests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml delete mode 100644 config/v1alpha1/tests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml delete mode 100644 config/v1alpha1/tests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml delete mode 100644 config/v1alpha1/types_cluster_image_policy.go delete mode 100644 config/v1alpha1/types_image_policy.go delete mode 100644 config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies.crd.yaml delete mode 100644 config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies.crd.yaml delete mode 100644 config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml delete mode 100644 config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml delete mode 100644 config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml delete mode 100644 config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml diff --git a/config/v1alpha1/register.go b/config/v1alpha1/register.go index 383d19e7e61..1d84b710792 100644 --- a/config/v1alpha1/register.go +++ b/config/v1alpha1/register.go @@ -36,10 +36,6 @@ func addKnownTypes(scheme *runtime.Scheme) error { &InsightsDataGatherList{}, &Backup{}, &BackupList{}, - &ImagePolicy{}, - &ImagePolicyList{}, - &ClusterImagePolicy{}, - &ClusterImagePolicyList{}, &CRIOCredentialProviderConfig{}, &CRIOCredentialProviderConfigList{}, &PKI{}, diff --git a/config/v1alpha1/tests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml b/config/v1alpha1/tests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml deleted file mode 100644 index dbc2464dec4..00000000000 --- a/config/v1alpha1/tests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml +++ /dev/null @@ -1,453 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this -name: "ClusterImagePolicy" -crdName: clusterimagepolicies.config.openshift.io -featureGates: -- SigstoreImageVerification -tests: - onCreate: - - name: Should be able to create a minimal ImagePolicy with policyType PublicKey - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - expected: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - - name: Should be able to create a minimal ImagePolicy with policyType FulcioCAWithRekor - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: FulcioCAWithRekor - fulcioCAWithRekor: - fulcioCAData: Zm9vIGJhcg== - rekorKeyData: Zm9vIGJhcg== - fulcioSubject: - oidcIssuer: https://oidc.localhost - signedEmail: test-user@example.com - expected: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: FulcioCAWithRekor - fulcioCAWithRekor: - fulcioCAData: Zm9vIGJhcg== - rekorKeyData: Zm9vIGJhcg== - fulcioSubject: - oidcIssuer: https://oidc.localhost - signedEmail: test-user@example.com - - name: Should not allow policyType PublicKey but not set publicKey - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PublicKey - FulcioCAWithRekor: - fulcioCAData: Zm9vIGJhcg== - rekorKeyData: Zm9vIGJhcg== - fulcioSubject: - oidcIssuer: https://oidc.localhost - signedEmail: test-user@example.com - expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": publicKey is required when policyType is PublicKey, and forbidden otherwise" - - name: Should not allow policyType FulcioCAData but not set fulcioCAWithRekor - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: FulcioCAWithRekor - PublicKey: - keyData: Zm9vIGJhcg== - expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise" - - name: Should not allow policyType set but not set corresponding policy - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PublicKey - expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": publicKey is required when policyType is PublicKey, and forbidden otherwise" - - name: Should not allow policyType set FulcioCAWith but not set corresponding policy - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: FulcioCAWithRekor - expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise" - - name: Should not allow signedIdentity matchPolicy ExactRepository but not set repository - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - signedIdentity: - matchPolicy: ExactRepository - expectedError: "spec.policy.signedIdentity: Invalid value: \"object\": exactRepository is required when matchPolicy is ExactRepository, and forbidden otherwise" - - name: Should not allow signedIdentity matchPolicy RemapIdentity but not set prefixes - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - signedIdentity: - matchPolicy: RemapIdentity - expectedError: "spec.policy.signedIdentity: Invalid value: \"object\": remapIdentity is required when matchPolicy is RemapIdentity, and forbidden otherwise" - - name: Test scope should not allow 'busybox' - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - busybox - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - expectedError: "spec.scopes[0]: Invalid value: \"string\": invalid image scope format, scope must contain a fully qualified domain name or 'localhost'" - - name: Test scope should not allow start with subnamesapces '*.example.com/test' - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - "*.example.com/test" - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - expectedError: "spec.scopes[0]: Invalid value: \"string\": invalid image scope with wildcard, a wildcard can only be at the start of the domain and is only supported for subdomain matching, not path matching" - - name: Test scope should not allow invalid digest - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - example.com/namespace/namespace@sha256:12dsdf - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - expectedError: "spec.scopes[0]: Invalid value: \"string\": invalid repository namespace or image specification in the image scope" - - name: Test should not allow tag in ExactRepository repository - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - signedIdentity: - matchPolicy: ExactRepository - exactRepository: - repository: example.com/namespace/namespace:latest - expectedError: "[spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity, should not include the tag or digest, spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity]" - - name: Test should not allow tag in ExactRepository repository - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - signedIdentity: - matchPolicy: ExactRepository - exactRepository: - repository: localhost:1234/namespace/namespace:latest - expectedError: "[spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity, should not include the tag or digest, spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity]" - - name: Test should not allow digest in ExactRepository repository - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - signedIdentity: - matchPolicy: ExactRepository - exactRepository: - repository: localhost:1234/namespace/namespace@sha256:b7e686e30346e9ace664fa09c0275262f8b9a443ed56d22165a0e201f6488c13 - expectedError: "[spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity, should not include the tag or digest, spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity]" - - name: Test should not allow tag in prefix/signedPrefix - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - signedIdentity: - matchPolicy: RemapIdentity - remapIdentity: - prefix: example.com/namespace:latest - signedPrefix: example.com/namespace - expectedError: "[spec.policy.signedIdentity.remapIdentity.prefix: Invalid value: \"string\": invalid repository or prefix in the signedIdentity, should not include the tag or digest, spec.policy.signedIdentity.remapIdentity.prefix: Invalid value: \"string\": invalid repository or prefix in the signedIdentity]" - - name: Test should allow valid ExactRepository repository - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - signedIdentity: - matchPolicy: ExactRepository - exactRepository: - repository: example.com - expected: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - signedIdentity: - matchPolicy: ExactRepository - exactRepository: - repository: example.com - - name: Test should allow valid signedIdentity prefix/signedPrefix - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - signedIdentity: - matchPolicy: RemapIdentity - remapIdentity: - prefix: example.com - signedPrefix: mirror.com - expected: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - signedIdentity: - matchPolicy: RemapIdentity - remapIdentity: - prefix: example.com - signedPrefix: mirror.com - - name: Test scope should allow localhost name with port 'localhost:1234/namespace/namespace' - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - localhost:1234/namespace/namespace - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - expected: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - localhost:1234/namespace/namespace - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - - name: Test scope should allow localhost 'localhost/foo/bar' - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - localhost/foo/bar - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - expected: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - localhost/foo/bar - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - - name: Test scope should allow 'example.com/foo/bar' - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - example.com/foo/bar - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - expected: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - example.com/foo/bar - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - - name: Test scope should allow tag 'example.com/foo/bar:latest' - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - example.com/foo/bar:latest - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - expected: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - example.com/foo/bar:latest - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - - name: Test scope should allow full specification digest - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - example.com/namespace/namespace@sha256:b7e686e30346e9ace664fa09c0275262f8b9a443ed56d22165a0e201f6488c13 - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - expected: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - example.com/namespace/namespace@sha256:b7e686e30346e9ace664fa09c0275262f8b9a443ed56d22165a0e201f6488c13 - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - - name: Test scope should allow '*.example.com' - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - "*.example.com" - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - expected: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - "*.example.com" - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== diff --git a/config/v1alpha1/tests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml b/config/v1alpha1/tests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml deleted file mode 100644 index 683f781abab..00000000000 --- a/config/v1alpha1/tests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml +++ /dev/null @@ -1,117 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this -name: "ClusterImagePolicy" -crdName: clusterimagepolicies.config.openshift.io -featureGates: -- SigstoreImageVerificationPKI -tests: - onCreate: - - name: Should be able to create a minimal ClusterImagePolicy with policyType PKI - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PKI - pki: - caRootsData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ2ekNDQTZlZ0F3SUJBZ0lVRDVuLzdUMGszUHBVekMvZE5CRUVpWHhDaFVjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JqRUxNQWtHQTFVRUJoTUNSVk14RVRBUEJnTlZCQWNNQ0ZaaGJHVnVZMmxoTVFzd0NRWURWUVFLREFKSgpWREVSTUE4R0ExVUVDd3dJVTJWamRYSnBkSGt4TERBcUJnTlZCQU1NSTB4cGJuVjRaWEpoSUZKdmIzUWdRMlZ5CmRHbG1hV05oZEdVZ1FYVjBhRzl5YVhSNU1DQVhEVEkwTURneE1ERTNNVFF3TTFvWUR6SXdOVEV4TWpJMk1UY3gKTkRBeldqQnVNUXN3Q1FZRFZRUUdFd0pGVXpFUk1BOEdBMVVFQnd3SVZtRnNaVzVqYVdFeEN6QUpCZ05WQkFvTQpBa2xVTVJFd0R3WURWUVFMREFoVFpXTjFjbWwwZVRFc01Db0dBMVVFQXd3alRHbHVkWGhsY21FZ1VtOXZkQ0JEClpYSjBhV1pwWTJGMFpTQkJkWFJvYjNKcGRIa3dnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUsKQW9JQ0FRQ1h5ekpBSGRlY0NES0tpdFN4MlN0d215RWdUc2psRHhMdUpEUlZkUGVYZWpNTzVZQ1lxdW4raXl6awpkZm5jZ3k4TTlOTHU1bWZUSWpUZ3dLRVBHWHhpQjZ4VXVtNjRPUmt2RUVnT0oyV3JWV3M5NHJLL21iaTB4eUl1ClZjTlNFT0M0Ry9OY2VmYlFJY3JJNk5PV0xsRTN3WEFlRlNQVTNDTnJlbzV5NGlkNEtmR29oWlN1QXJJNkxZQzcKTm0vRlQ5cGgzZW5JdTBubVFjUGZYaU0xS2E2ZWpKK3hHMk5TdXRFL1dWVTNUL0JPVWM5b3MvWUJSbHlvakZGbwpkSHZ4L2lLRGpWZXBFOGRySXZMa1c1OEFoUXZNbmh4VVErWk1YdHhYaDlyVXZzOTdEdjNsdE85ek91STRaTGVsCmt2ZjRvWW5PbGltQm1SNk5zZlAvaUNZR1dLVVQ2VmUxZTZFbGkzaG5COElOQ2tzQmF1cEYxZ0YyeWpOakYyc2sKQnowcmoydjFFb2ZsSEhsZ1BnM2NyYkNON2RoSnF6RHhGQmFaeXdXRjZjYzFNYjVDMUgrUFFudXVGOEI2L0JTQQp0VEF5M3hpNUVlcWhxeGNxdG5BS0pnSXc3Q0dTUHZGQ280OG5lVzlmdERlNkFrcEpTMjhBNVBRVCtuZDY1T3VjClpqbnBGNzhGdkE5aXdsSjNxaE90WE5DWVlQOVhMWnNvSjNJK2ZLaEQ0dE9kRklta3dFS3RYUW9xRGtuUmdKeEYKMmFrNDdndnZuQkpKa1o4ZEhpYU85ZWlzL1R3Q2p2ekhQbk9oaEZqWmRmNlFOTlVMVERXcGp3YW1kSDQrd3VjVgpjQXpmUlhtbEVpbnIyaXlXQW5ycEZzdGlSeHRySDRFTytqb25MbXpmUlNOVnoxL0xXd0lEQVFBQm8xTXdVVEFkCkJnTlZIUTRFRmdRVWxJMXJ6b3FNZlZxbHFKZkJzYWt6bXJVZjl6OHdId1lEVlIwakJCZ3dGb0FVbEkxcnpvcU0KZlZxbHFKZkJzYWt6bXJVZjl6OHdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBZ0VBZXEwMTJPWGxNRE9OUVNaSXRnd3pUaURsVHE1MzNCekkrak50cWVUTzBZZUNwTGZYRlROUXFxdyt6WVFuCi80UVlacW5lSUhkTnByaFlkZDdORUc5ak5jaXV0dW4vZUNaZXZYVktPc3d6VHk3a2l5Nm9Rek1hZklVZ2dMMTUKV2JFZlU5c3JjT0xBOXFVN2MvUHdPQURzdEhQTVBuZ3Z4UzdqWmw2Z0cwNUFVMGcyYXF2bkRiVmtmY3M2SUxMUgpFRnNUTXBLK1lHaWhBU1NrUTBwbVpUTGdEem1HVWdVOFFvejZFWTAwMzZiZzZJbTJKL0RNUU9ic0MvQmVqb1EzCnkxQmJWR1Job0F2bytQYkprd0hzaUE2SythR3RZYXJmSzR2VUpoVEJMb0JHSElNRDlPbkVRc0pDT2JvWnhsVU4KYmwxZVhjOHFzQzVqVmNWOG9TakNWbmVOZ241aW1HYVFLdEVWdjdBYUNvL3RCYXJYNVJucEdKZ1h0bnhuNjVmVApYNUh3NENCR2RIeUtmZTliWjV0K2lFSm1WbTgva2M2Z216V2JmNVZUcmkyTUp0ZEFwWGlnRmxIYzZVK09uMnk5CitYbU9pbWVDbVA5WTNqcGdITkIxVVA0Q2hFSEg0azdmWDFaSkpYeGVLWERJTWFxWmFRYjZ5VCtDbFJvU2lsQSsKQU95dEd4c3B0OVpmemN4ZGRaTUdNYXcrQzlaYW5WTjNRVTZ1Tk0wOGYra2lkRkdJL29vN1pNZ0xaQ1RKWnozSQpINktFSkl1L1ZpWFlONTFlM1ZpV0srNFBBKzZjRXVmZzMwZE52cFExTVVuYW10Sjc2QXQ2UVJnY3NBMzVYemxWCkZ0RlV6VVFkZk1KQnBSVVR1ZEtvK2d0TG9oT1BkZXdYM2xaUVA4QkJCZWdrdlJzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t - pkiCertificateSubject: - email: test-user@example.com - expected: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PKI - pki: - caRootsData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ2ekNDQTZlZ0F3SUJBZ0lVRDVuLzdUMGszUHBVekMvZE5CRUVpWHhDaFVjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JqRUxNQWtHQTFVRUJoTUNSVk14RVRBUEJnTlZCQWNNQ0ZaaGJHVnVZMmxoTVFzd0NRWURWUVFLREFKSgpWREVSTUE4R0ExVUVDd3dJVTJWamRYSnBkSGt4TERBcUJnTlZCQU1NSTB4cGJuVjRaWEpoSUZKdmIzUWdRMlZ5CmRHbG1hV05oZEdVZ1FYVjBhRzl5YVhSNU1DQVhEVEkwTURneE1ERTNNVFF3TTFvWUR6SXdOVEV4TWpJMk1UY3gKTkRBeldqQnVNUXN3Q1FZRFZRUUdFd0pGVXpFUk1BOEdBMVVFQnd3SVZtRnNaVzVqYVdFeEN6QUpCZ05WQkFvTQpBa2xVTVJFd0R3WURWUVFMREFoVFpXTjFjbWwwZVRFc01Db0dBMVVFQXd3alRHbHVkWGhsY21FZ1VtOXZkQ0JEClpYSjBhV1pwWTJGMFpTQkJkWFJvYjNKcGRIa3dnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUsKQW9JQ0FRQ1h5ekpBSGRlY0NES0tpdFN4MlN0d215RWdUc2psRHhMdUpEUlZkUGVYZWpNTzVZQ1lxdW4raXl6awpkZm5jZ3k4TTlOTHU1bWZUSWpUZ3dLRVBHWHhpQjZ4VXVtNjRPUmt2RUVnT0oyV3JWV3M5NHJLL21iaTB4eUl1ClZjTlNFT0M0Ry9OY2VmYlFJY3JJNk5PV0xsRTN3WEFlRlNQVTNDTnJlbzV5NGlkNEtmR29oWlN1QXJJNkxZQzcKTm0vRlQ5cGgzZW5JdTBubVFjUGZYaU0xS2E2ZWpKK3hHMk5TdXRFL1dWVTNUL0JPVWM5b3MvWUJSbHlvakZGbwpkSHZ4L2lLRGpWZXBFOGRySXZMa1c1OEFoUXZNbmh4VVErWk1YdHhYaDlyVXZzOTdEdjNsdE85ek91STRaTGVsCmt2ZjRvWW5PbGltQm1SNk5zZlAvaUNZR1dLVVQ2VmUxZTZFbGkzaG5COElOQ2tzQmF1cEYxZ0YyeWpOakYyc2sKQnowcmoydjFFb2ZsSEhsZ1BnM2NyYkNON2RoSnF6RHhGQmFaeXdXRjZjYzFNYjVDMUgrUFFudXVGOEI2L0JTQQp0VEF5M3hpNUVlcWhxeGNxdG5BS0pnSXc3Q0dTUHZGQ280OG5lVzlmdERlNkFrcEpTMjhBNVBRVCtuZDY1T3VjClpqbnBGNzhGdkE5aXdsSjNxaE90WE5DWVlQOVhMWnNvSjNJK2ZLaEQ0dE9kRklta3dFS3RYUW9xRGtuUmdKeEYKMmFrNDdndnZuQkpKa1o4ZEhpYU85ZWlzL1R3Q2p2ekhQbk9oaEZqWmRmNlFOTlVMVERXcGp3YW1kSDQrd3VjVgpjQXpmUlhtbEVpbnIyaXlXQW5ycEZzdGlSeHRySDRFTytqb25MbXpmUlNOVnoxL0xXd0lEQVFBQm8xTXdVVEFkCkJnTlZIUTRFRmdRVWxJMXJ6b3FNZlZxbHFKZkJzYWt6bXJVZjl6OHdId1lEVlIwakJCZ3dGb0FVbEkxcnpvcU0KZlZxbHFKZkJzYWt6bXJVZjl6OHdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBZ0VBZXEwMTJPWGxNRE9OUVNaSXRnd3pUaURsVHE1MzNCekkrak50cWVUTzBZZUNwTGZYRlROUXFxdyt6WVFuCi80UVlacW5lSUhkTnByaFlkZDdORUc5ak5jaXV0dW4vZUNaZXZYVktPc3d6VHk3a2l5Nm9Rek1hZklVZ2dMMTUKV2JFZlU5c3JjT0xBOXFVN2MvUHdPQURzdEhQTVBuZ3Z4UzdqWmw2Z0cwNUFVMGcyYXF2bkRiVmtmY3M2SUxMUgpFRnNUTXBLK1lHaWhBU1NrUTBwbVpUTGdEem1HVWdVOFFvejZFWTAwMzZiZzZJbTJKL0RNUU9ic0MvQmVqb1EzCnkxQmJWR1Job0F2bytQYkprd0hzaUE2SythR3RZYXJmSzR2VUpoVEJMb0JHSElNRDlPbkVRc0pDT2JvWnhsVU4KYmwxZVhjOHFzQzVqVmNWOG9TakNWbmVOZ241aW1HYVFLdEVWdjdBYUNvL3RCYXJYNVJucEdKZ1h0bnhuNjVmVApYNUh3NENCR2RIeUtmZTliWjV0K2lFSm1WbTgva2M2Z216V2JmNVZUcmkyTUp0ZEFwWGlnRmxIYzZVK09uMnk5CitYbU9pbWVDbVA5WTNqcGdITkIxVVA0Q2hFSEg0azdmWDFaSkpYeGVLWERJTWFxWmFRYjZ5VCtDbFJvU2lsQSsKQU95dEd4c3B0OVpmemN4ZGRaTUdNYXcrQzlaYW5WTjNRVTZ1Tk0wOGYra2lkRkdJL29vN1pNZ0xaQ1RKWnozSQpINktFSkl1L1ZpWFlONTFlM1ZpV0srNFBBKzZjRXVmZzMwZE52cFExTVVuYW10Sjc2QXQ2UVJnY3NBMzVYemxWCkZ0RlV6VVFkZk1KQnBSVVR1ZEtvK2d0TG9oT1BkZXdYM2xaUVA4QkJCZWdrdlJzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t - pkiCertificateSubject: - email: test-user@example.com - - name: Should not allow policyType PKI but not set pki - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PKI - expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": pki is required when policyType is PKI, and forbidden otherwise" - - name: Should not allow pkiCertificateSubject invalid email - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PKI - pki: - caRootsData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ2ekNDQTZlZ0F3SUJBZ0lVRDVuLzdUMGszUHBVekMvZE5CRUVpWHhDaFVjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JqRUxNQWtHQTFVRUJoTUNSVk14RVRBUEJnTlZCQWNNQ0ZaaGJHVnVZMmxoTVFzd0NRWURWUVFLREFKSgpWREVSTUE4R0ExVUVDd3dJVTJWamRYSnBkSGt4TERBcUJnTlZCQU1NSTB4cGJuVjRaWEpoSUZKdmIzUWdRMlZ5CmRHbG1hV05oZEdVZ1FYVjBhRzl5YVhSNU1DQVhEVEkwTURneE1ERTNNVFF3TTFvWUR6SXdOVEV4TWpJMk1UY3gKTkRBeldqQnVNUXN3Q1FZRFZRUUdFd0pGVXpFUk1BOEdBMVVFQnd3SVZtRnNaVzVqYVdFeEN6QUpCZ05WQkFvTQpBa2xVTVJFd0R3WURWUVFMREFoVFpXTjFjbWwwZVRFc01Db0dBMVVFQXd3alRHbHVkWGhsY21FZ1VtOXZkQ0JEClpYSjBhV1pwWTJGMFpTQkJkWFJvYjNKcGRIa3dnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUsKQW9JQ0FRQ1h5ekpBSGRlY0NES0tpdFN4MlN0d215RWdUc2psRHhMdUpEUlZkUGVYZWpNTzVZQ1lxdW4raXl6awpkZm5jZ3k4TTlOTHU1bWZUSWpUZ3dLRVBHWHhpQjZ4VXVtNjRPUmt2RUVnT0oyV3JWV3M5NHJLL21iaTB4eUl1ClZjTlNFT0M0Ry9OY2VmYlFJY3JJNk5PV0xsRTN3WEFlRlNQVTNDTnJlbzV5NGlkNEtmR29oWlN1QXJJNkxZQzcKTm0vRlQ5cGgzZW5JdTBubVFjUGZYaU0xS2E2ZWpKK3hHMk5TdXRFL1dWVTNUL0JPVWM5b3MvWUJSbHlvakZGbwpkSHZ4L2lLRGpWZXBFOGRySXZMa1c1OEFoUXZNbmh4VVErWk1YdHhYaDlyVXZzOTdEdjNsdE85ek91STRaTGVsCmt2ZjRvWW5PbGltQm1SNk5zZlAvaUNZR1dLVVQ2VmUxZTZFbGkzaG5COElOQ2tzQmF1cEYxZ0YyeWpOakYyc2sKQnowcmoydjFFb2ZsSEhsZ1BnM2NyYkNON2RoSnF6RHhGQmFaeXdXRjZjYzFNYjVDMUgrUFFudXVGOEI2L0JTQQp0VEF5M3hpNUVlcWhxeGNxdG5BS0pnSXc3Q0dTUHZGQ280OG5lVzlmdERlNkFrcEpTMjhBNVBRVCtuZDY1T3VjClpqbnBGNzhGdkE5aXdsSjNxaE90WE5DWVlQOVhMWnNvSjNJK2ZLaEQ0dE9kRklta3dFS3RYUW9xRGtuUmdKeEYKMmFrNDdndnZuQkpKa1o4ZEhpYU85ZWlzL1R3Q2p2ekhQbk9oaEZqWmRmNlFOTlVMVERXcGp3YW1kSDQrd3VjVgpjQXpmUlhtbEVpbnIyaXlXQW5ycEZzdGlSeHRySDRFTytqb25MbXpmUlNOVnoxL0xXd0lEQVFBQm8xTXdVVEFkCkJnTlZIUTRFRmdRVWxJMXJ6b3FNZlZxbHFKZkJzYWt6bXJVZjl6OHdId1lEVlIwakJCZ3dGb0FVbEkxcnpvcU0KZlZxbHFKZkJzYWt6bXJVZjl6OHdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBZ0VBZXEwMTJPWGxNRE9OUVNaSXRnd3pUaURsVHE1MzNCekkrak50cWVUTzBZZUNwTGZYRlROUXFxdyt6WVFuCi80UVlacW5lSUhkTnByaFlkZDdORUc5ak5jaXV0dW4vZUNaZXZYVktPc3d6VHk3a2l5Nm9Rek1hZklVZ2dMMTUKV2JFZlU5c3JjT0xBOXFVN2MvUHdPQURzdEhQTVBuZ3Z4UzdqWmw2Z0cwNUFVMGcyYXF2bkRiVmtmY3M2SUxMUgpFRnNUTXBLK1lHaWhBU1NrUTBwbVpUTGdEem1HVWdVOFFvejZFWTAwMzZiZzZJbTJKL0RNUU9ic0MvQmVqb1EzCnkxQmJWR1Job0F2bytQYkprd0hzaUE2SythR3RZYXJmSzR2VUpoVEJMb0JHSElNRDlPbkVRc0pDT2JvWnhsVU4KYmwxZVhjOHFzQzVqVmNWOG9TakNWbmVOZ241aW1HYVFLdEVWdjdBYUNvL3RCYXJYNVJucEdKZ1h0bnhuNjVmVApYNUh3NENCR2RIeUtmZTliWjV0K2lFSm1WbTgva2M2Z216V2JmNVZUcmkyTUp0ZEFwWGlnRmxIYzZVK09uMnk5CitYbU9pbWVDbVA5WTNqcGdITkIxVVA0Q2hFSEg0azdmWDFaSkpYeGVLWERJTWFxWmFRYjZ5VCtDbFJvU2lsQSsKQU95dEd4c3B0OVpmemN4ZGRaTUdNYXcrQzlaYW5WTjNRVTZ1Tk0wOGYra2lkRkdJL29vN1pNZ0xaQ1RKWnozSQpINktFSkl1L1ZpWFlONTFlM1ZpV0srNFBBKzZjRXVmZzMwZE52cFExTVVuYW10Sjc2QXQ2UVJnY3NBMzVYemxWCkZ0RlV6VVFkZk1KQnBSVVR1ZEtvK2d0TG9oT1BkZXdYM2xaUVA4QkJCZWdrdlJzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t - pkiCertificateSubject: - email: invalid-email - expectedError: "spec.policy.rootOfTrust.pki.pkiCertificateSubject.email: Invalid value: \"string\": invalid email address in pkiCertificateSubject" - - name: Should not allow pkiCertificateSubject invalid hostname - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PKI - pki: - caRootsData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ2ekNDQTZlZ0F3SUJBZ0lVRDVuLzdUMGszUHBVekMvZE5CRUVpWHhDaFVjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JqRUxNQWtHQTFVRUJoTUNSVk14RVRBUEJnTlZCQWNNQ0ZaaGJHVnVZMmxoTVFzd0NRWURWUVFLREFKSgpWREVSTUE4R0ExVUVDd3dJVTJWamRYSnBkSGt4TERBcUJnTlZCQU1NSTB4cGJuVjRaWEpoSUZKdmIzUWdRMlZ5CmRHbG1hV05oZEdVZ1FYVjBhRzl5YVhSNU1DQVhEVEkwTURneE1ERTNNVFF3TTFvWUR6SXdOVEV4TWpJMk1UY3gKTkRBeldqQnVNUXN3Q1FZRFZRUUdFd0pGVXpFUk1BOEdBMVVFQnd3SVZtRnNaVzVqYVdFeEN6QUpCZ05WQkFvTQpBa2xVTVJFd0R3WURWUVFMREFoVFpXTjFjbWwwZVRFc01Db0dBMVVFQXd3alRHbHVkWGhsY21FZ1VtOXZkQ0JEClpYSjBhV1pwWTJGMFpTQkJkWFJvYjNKcGRIa3dnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUsKQW9JQ0FRQ1h5ekpBSGRlY0NES0tpdFN4MlN0d215RWdUc2psRHhMdUpEUlZkUGVYZWpNTzVZQ1lxdW4raXl6awpkZm5jZ3k4TTlOTHU1bWZUSWpUZ3dLRVBHWHhpQjZ4VXVtNjRPUmt2RUVnT0oyV3JWV3M5NHJLL21iaTB4eUl1ClZjTlNFT0M0Ry9OY2VmYlFJY3JJNk5PV0xsRTN3WEFlRlNQVTNDTnJlbzV5NGlkNEtmR29oWlN1QXJJNkxZQzcKTm0vRlQ5cGgzZW5JdTBubVFjUGZYaU0xS2E2ZWpKK3hHMk5TdXRFL1dWVTNUL0JPVWM5b3MvWUJSbHlvakZGbwpkSHZ4L2lLRGpWZXBFOGRySXZMa1c1OEFoUXZNbmh4VVErWk1YdHhYaDlyVXZzOTdEdjNsdE85ek91STRaTGVsCmt2ZjRvWW5PbGltQm1SNk5zZlAvaUNZR1dLVVQ2VmUxZTZFbGkzaG5COElOQ2tzQmF1cEYxZ0YyeWpOakYyc2sKQnowcmoydjFFb2ZsSEhsZ1BnM2NyYkNON2RoSnF6RHhGQmFaeXdXRjZjYzFNYjVDMUgrUFFudXVGOEI2L0JTQQp0VEF5M3hpNUVlcWhxeGNxdG5BS0pnSXc3Q0dTUHZGQ280OG5lVzlmdERlNkFrcEpTMjhBNVBRVCtuZDY1T3VjClpqbnBGNzhGdkE5aXdsSjNxaE90WE5DWVlQOVhMWnNvSjNJK2ZLaEQ0dE9kRklta3dFS3RYUW9xRGtuUmdKeEYKMmFrNDdndnZuQkpKa1o4ZEhpYU85ZWlzL1R3Q2p2ekhQbk9oaEZqWmRmNlFOTlVMVERXcGp3YW1kSDQrd3VjVgpjQXpmUlhtbEVpbnIyaXlXQW5ycEZzdGlSeHRySDRFTytqb25MbXpmUlNOVnoxL0xXd0lEQVFBQm8xTXdVVEFkCkJnTlZIUTRFRmdRVWxJMXJ6b3FNZlZxbHFKZkJzYWt6bXJVZjl6OHdId1lEVlIwakJCZ3dGb0FVbEkxcnpvcU0KZlZxbHFKZkJzYWt6bXJVZjl6OHdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBZ0VBZXEwMTJPWGxNRE9OUVNaSXRnd3pUaURsVHE1MzNCekkrak50cWVUTzBZZUNwTGZYRlROUXFxdyt6WVFuCi80UVlacW5lSUhkTnByaFlkZDdORUc5ak5jaXV0dW4vZUNaZXZYVktPc3d6VHk3a2l5Nm9Rek1hZklVZ2dMMTUKV2JFZlU5c3JjT0xBOXFVN2MvUHdPQURzdEhQTVBuZ3Z4UzdqWmw2Z0cwNUFVMGcyYXF2bkRiVmtmY3M2SUxMUgpFRnNUTXBLK1lHaWhBU1NrUTBwbVpUTGdEem1HVWdVOFFvejZFWTAwMzZiZzZJbTJKL0RNUU9ic0MvQmVqb1EzCnkxQmJWR1Job0F2bytQYkprd0hzaUE2SythR3RZYXJmSzR2VUpoVEJMb0JHSElNRDlPbkVRc0pDT2JvWnhsVU4KYmwxZVhjOHFzQzVqVmNWOG9TakNWbmVOZ241aW1HYVFLdEVWdjdBYUNvL3RCYXJYNVJucEdKZ1h0bnhuNjVmVApYNUh3NENCR2RIeUtmZTliWjV0K2lFSm1WbTgva2M2Z216V2JmNVZUcmkyTUp0ZEFwWGlnRmxIYzZVK09uMnk5CitYbU9pbWVDbVA5WTNqcGdITkIxVVA0Q2hFSEg0azdmWDFaSkpYeGVLWERJTWFxWmFRYjZ5VCtDbFJvU2lsQSsKQU95dEd4c3B0OVpmemN4ZGRaTUdNYXcrQzlaYW5WTjNRVTZ1Tk0wOGYra2lkRkdJL29vN1pNZ0xaQ1RKWnozSQpINktFSkl1L1ZpWFlONTFlM1ZpV0srNFBBKzZjRXVmZzMwZE52cFExTVVuYW10Sjc2QXQ2UVJnY3NBMzVYemxWCkZ0RlV6VVFkZk1KQnBSVVR1ZEtvK2d0TG9oT1BkZXdYM2xaUVA4QkJCZWdrdlJzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t - pkiCertificateSubject: - hostname: invaild-.com - expectedError: "spec.policy.rootOfTrust.pki.pkiCertificateSubject.hostname: Invalid value: \"string\": hostname should be a valid dns 1123 subdomain name, optionally prefixed by '*.'. It should consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk." - - name: Should not allow poliyType PKI but not set pki - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PKI - pki: {} - expectedError: "spec.policy.rootOfTrust.pki.caRootsData: Required value, spec.policy.rootOfTrust.pki.pkiCertificateSubject: Required value, : Invalid value: \"null\": some validation rules were not checked because the object was invalid; correct the existing errors to complete validation" - - name: Should not allow caRootsData not encoded from PEM - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PKI - pki: - caRootsData: Zm9vIGJhcg== - pkiCertificateSubject: - email: test-user@example.com - expectedError: "spec.policy.rootOfTrust.pki.caRootsData: Invalid value: \"string\": the caRootsData must start with base64 encoding of '-----BEGIN CERTIFICATE-----'." - - name: PRM start and end markers must match if multiple CA root intermediates are provided. - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ClusterImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PKI - pki: - caRootsData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQpNSUlGMXpDQ0E3K2dBd0lCQWdJVUhWTExqbVQxVVRYcDRoS3hJT3NDOWRNOERuTXdEUVlKS29aSWh2Y05BUUVMCkJRQXdiakVMTUFrR0ExVUVCaE1DUlZNeEVUQVBCZ05WQkFjTUNGWmhiR1Z1WTJsaE1Rc3dDUVlEVlFRS0RBSkoKVkRFUk1BOEdBMVVFQ3d3SVUyVmpkWEpwZEhreExEQXFCZ05WQkFNTUkweHBiblY0WlhKaElGSnZiM1FnUTJWeQpkR2xtYVdOaGRHVWdRWFYwYUc5eWFYUjVNQ0FYRFRJME1EZ3hNREUzTVRRd05Gb1lEekl3TlRFeE1qSTJNVGN4Ck5EQTBXakIyTVFzd0NRWURWUVFHRXdKRlV6RVJNQThHQTFVRUJ3d0lWbUZzWlc1amFXRXhDekFKQmdOVkJBb00KQWtsVU1SRXdEd1lEVlFRTERBaFRaV04xY21sMGVURTBNRElHQTFVRUF3d3JUR2x1ZFhobGNtRWdTVzUwWlhKdApaV1JwWVhSbElFTmxjblJwWm1sallYUmxJRUYxZEdodmNtbDBlVENDQWlJd0RRWUpLb1pJaHZjTkFRRUJCUUFECmdnSVBBRENDQWdvQ2dnSUJBS2IrcUY5M3dVV1dBdUhxZTFldHFja0RLbFR5amlsTmJKS2YxZWkxODNSdCtYM2wKckYzRklYN2F0dHdSTS9EZXNRSTgvYk9tSWpDNnFvTUJqbVVUdG5WclAxUHkxSXd2bWh2cUFESUVJSlNlS1NVMwpzSVJzNG1ldHdVckZrV0hoQXJtWVJSMUdJK2VBdGUxckdoNE9QcWEwcm1FMHpvbEc1dGoxdDB5dUVQSjdDVUlrCndQSGR4amErakRXQ1V5aXBrOGdvNWlwMGhxWkJ1U2tqNDErY0pZbFVTeDZXUHo3NStIZytpdEh0NUhCZGc1T0MKVXNoeVlyVzdzYnJKMDBCREhYYmdzRm9qemh1aXAxQkYzbnNQWWcxU2dwMlZib2JWUjAzOWdJZ0l1NDR6cXA4NApvSkk5Rys4a1V2Ri9OY0g5YWdIZzJpaXZXQnZwS0J2Q3JxV2NZZTNUQ1Z0V3YwWWJqc0RUbGZyMXphVWlqR2RICnM3QTZ2d1RibTNZTlh0SCtjbEx0eVcvMkl0T2x4aTBqTG9yQnp4aURnN283UTh1V2FBQmhYdGRuTExpbVhCU1UKSEludjMzbGFoNDFabXByUTJUT2pOQmZzYytXQ0RLVzFuRzlSciswakYzK3BEb29LV3RnYm9hV0QrQ2JtWUozVQpuZXMrcXp3Q0FTeDN6YU1pNWcyeW1qUjZqakZmSmhvMzlCckEzZXh0dTN0Qys3dnE5R2Fhc0llZDN3MWlhbnpLCnJNWmpDMWVNZTlJbS9ndGZ1QVd6Vk8xR2hUZ3NGTG5MS3NMRTVUaDZmbEVTdWFCOUgyaHBWdWRBekNqM091MjUKejYxSVdaMzE2amM2TDJOREx4WmExZjdXeVBhMWRjVlRHeDFuc1o1dTgzRkthc2VQMXArYzU2dEtmUC9GQWdNQgpBQUdqWXpCaE1CMEdBMVVkRGdRV0JCUkJYM3Z0WEgzcWRBNlNqUGtjTTJNTjRjQ1J1ekFMQmdOVkhROEVCQU1DCkFnUXdFZ1lEVlIwVEFRSC9CQWd3QmdFQi93SUJBakFmQmdOVkhTTUVHREFXZ0JTVWpXdk9pb3g5V3FXb2w4R3gKcVRPYXRSLzNQekFOQmdrcWhraUc5dzBCQVFzRkFBT0NBZ0VBTDNIQ2xYbVNEbjRyd1lrbzVVY2swVkp4ZDBPZApVWTRmYThtRXoxdFVuSjF0TU1qdkh4c2dNY2ZJTXNDbldkMEREaDVQK2V0QmYwbHd6R0xLdGhIRXZ4RTZZU3ZvClYyYnpxRjdUT2trd3VKZEFYdGIwRGRPejJ2T2ZFcnBhNnpjWkFGcmFwdnhyaVdkZGR4bk1SQWkwRHkzZ2RqYS8KVDc1bzlDRVk5WFdlZTY4bFlVVXpuUm1IRFU3ek5vUWtVSmw0ajVJWkllT2pwU2d3ejF1NFhIMGs0bnVGYXJ0Vwpab1Z2UWMwZURtUE44cktJYWdvejRRNzlPbm9lek03ZG1GZERXcitNVDIzY3hpMStlZ3VPTmdpOE8vYVhBUk5TCkJiUHI5aS9VTGI4K0h5VmJ6T1lZdHE0NXhnMmdDYTRGYnM0ejZjUkovRU45eTFaQnpwT3paRmdzOXJFeU1XQmIKdW0zYnZ0MHRtOGxKUDMwMWhuemRGRi9FZ2FPL2Z6bVZsVk5yTDNUcURZYmdwTWxOakI5MzlkOVhxMGZRUkZFWApWQTVUckFadGk3NktzYUpmZlRycjJOR201SW9CRHNseEV0ZWo3R2pvWUNzZmcrZ2RlbVJTWEliSFAvNmhLK09UCkpsNmNETy95Wmp4QkE0a3h6WERCUUhhL1pJM3UvQlJKRm40bFZiNkM1bzFwTGxrQ0ROSEF3Qmd6QjFnS05lVWQKaUhLYzN1Y3lHQ1BkWTE1eFJxdFhDUUkyYmZQQkp5cEJuMktYMjlSOFQ1ejhBTW5FdFphQXVkdm81MExLRHprdgpUQ25WRDVpRjltenRUWTdrekJNSXJFaTQ4bTJMMG5XQ2VyMk9TRWVrdjlsUFJKUUJQaFNUOEdrZnlDWnlnSWZ3CmdiQzNrNUVrS3NweUZJRT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= - pkiCertificateSubject: - email: test-user@example.com - expectedError: "spec.policy.rootOfTrust.pki.caRootsData: Invalid value: \"string\": caRootsData must be base64 encoding of valid PEM format data contain the same number of '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' markers." diff --git a/config/v1alpha1/tests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml b/config/v1alpha1/tests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml deleted file mode 100644 index c772324c829..00000000000 --- a/config/v1alpha1/tests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml +++ /dev/null @@ -1,453 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this -name: "ImagePolicy" -crdName: imagepolicies.config.openshift.io -featureGates: -- SigstoreImageVerification -tests: - onCreate: - - name: Should be able to create a minimal ImagePolicy with policyType PublicKey - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - expected: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - - name: Should be able to create a minimal ImagePolicy with policyType FulcioCAWithRekor - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: FulcioCAWithRekor - fulcioCAWithRekor: - fulcioCAData: Zm9vIGJhcg== - rekorKeyData: Zm9vIGJhcg== - fulcioSubject: - oidcIssuer: https://oidc.localhost - signedEmail: test-user@example.com - expected: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: FulcioCAWithRekor - fulcioCAWithRekor: - fulcioCAData: Zm9vIGJhcg== - rekorKeyData: Zm9vIGJhcg== - fulcioSubject: - oidcIssuer: https://oidc.localhost - signedEmail: test-user@example.com - - name: Should not allow policyType PublicKey but not set publicKey - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PublicKey - FulcioCAWithRekor: - fulcioCAData: Zm9vIGJhcg== - rekorKeyData: Zm9vIGJhcg== - fulcioSubject: - oidcIssuer: https://oidc.localhost - signedEmail: test-user@example.com - expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": publicKey is required when policyType is PublicKey, and forbidden otherwise" - - name: Should not allow policyType FulcioCAData but not set fulcioCAWithRekor - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: FulcioCAWithRekor - PublicKey: - keyData: Zm9vIGJhcg== - expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise" - - name: Should not allow policyType set but not set corresponding policy - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PublicKey - expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": publicKey is required when policyType is PublicKey, and forbidden otherwise" - - name: Should not allow policyType set FulcioCAWith but not set corresponding policy - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: FulcioCAWithRekor - expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise" - - name: Should not allow signedIdentity matchPolicy ExactRepository but not set repository - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - signedIdentity: - matchPolicy: ExactRepository - expectedError: "spec.policy.signedIdentity: Invalid value: \"object\": exactRepository is required when matchPolicy is ExactRepository, and forbidden otherwise" - - name: Should not allow signedIdentity matchPolicy RemapIdentity but not set prefixes - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - signedIdentity: - matchPolicy: RemapIdentity - expectedError: "spec.policy.signedIdentity: Invalid value: \"object\": remapIdentity is required when matchPolicy is RemapIdentity, and forbidden otherwise" - - name: Test scope should not allow 'busybox' - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - busybox - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - expectedError: "spec.scopes[0]: Invalid value: \"string\": invalid image scope format, scope must contain a fully qualified domain name or 'localhost'" - - name: Test scope should not allow start with subnamesapces '*.example.com/test' - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - "*.example.com/test" - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - expectedError: "spec.scopes[0]: Invalid value: \"string\": invalid image scope with wildcard, a wildcard can only be at the start of the domain and is only supported for subdomain matching, not path matching" - - name: Test scope should not allow invalid digest - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - example.com/namespace/namespace@sha256:12dsdf - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - expectedError: "spec.scopes[0]: Invalid value: \"string\": invalid repository namespace or image specification in the image scope" - - name: Test should not allow tag in ExactRepository repository - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - signedIdentity: - matchPolicy: ExactRepository - exactRepository: - repository: example.com/namespace/namespace:latest - expectedError: "[spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity, should not include the tag or digest, spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity]" - - name: Test should not allow tag in ExactRepository repository - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - signedIdentity: - matchPolicy: ExactRepository - exactRepository: - repository: localhost:1234/namespace/namespace:latest - expectedError: "[spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity, should not include the tag or digest, spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity]" - - name: Test should not allow digest in ExactRepository repository - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - signedIdentity: - matchPolicy: ExactRepository - exactRepository: - repository: localhost:1234/namespace/namespace@sha256:b7e686e30346e9ace664fa09c0275262f8b9a443ed56d22165a0e201f6488c13 - expectedError: "[spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity, should not include the tag or digest, spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity]" - - name: Test should not allow tag in prefix/signedPrefix - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - signedIdentity: - matchPolicy: RemapIdentity - remapIdentity: - prefix: example.com/namespace:latest - signedPrefix: example.com/namespace - expectedError: "[spec.policy.signedIdentity.remapIdentity.prefix: Invalid value: \"string\": invalid repository or prefix in the signedIdentity, should not include the tag or digest, spec.policy.signedIdentity.remapIdentity.prefix: Invalid value: \"string\": invalid repository or prefix in the signedIdentity]" - - name: Test should allow valid ExactRepository repository - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - signedIdentity: - matchPolicy: ExactRepository - exactRepository: - repository: example.com - expected: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - signedIdentity: - matchPolicy: ExactRepository - exactRepository: - repository: example.com - - name: Test should allow valid signedIdentity prefix/signedPrefix - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - signedIdentity: - matchPolicy: RemapIdentity - remapIdentity: - prefix: example.com - signedPrefix: mirror.com - expected: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - signedIdentity: - matchPolicy: RemapIdentity - remapIdentity: - prefix: example.com - signedPrefix: mirror.com - - name: Test scope should allow localhost name with port 'localhost:1234/namespace/namespace' - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - localhost:1234/namespace/namespace - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - expected: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - localhost:1234/namespace/namespace - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - - name: Test scope should allow localhost 'localhost/foo/bar' - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - localhost/foo/bar - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - expected: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - localhost/foo/bar - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - - name: Test scope should allow 'example.com/foo/bar' - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - example.com/foo/bar - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - expected: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - example.com/foo/bar - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - - name: Test scope should allow tag 'example.com/foo/bar:latest' - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - example.com/foo/bar:latest - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - expected: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - example.com/foo/bar:latest - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - - name: Test scope should allow full specification digest - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - example.com/namespace/namespace@sha256:b7e686e30346e9ace664fa09c0275262f8b9a443ed56d22165a0e201f6488c13 - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - expected: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - example.com/namespace/namespace@sha256:b7e686e30346e9ace664fa09c0275262f8b9a443ed56d22165a0e201f6488c13 - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - - name: Test scope should allow '*.example.com' - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - "*.example.com" - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== - expected: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - "*.example.com" - policy: - rootOfTrust: - policyType: PublicKey - publicKey: - keyData: Zm9vIGJhcg== diff --git a/config/v1alpha1/tests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml b/config/v1alpha1/tests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml deleted file mode 100644 index f1c4fd98024..00000000000 --- a/config/v1alpha1/tests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml +++ /dev/null @@ -1,117 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this -name: "ImagePolicy" -crdName: imagepolicies.config.openshift.io -featureGates: -- SigstoreImageVerificationPKI -tests: - onCreate: - - name: Should be able to create a minimal ImagePolicy with policyType PKI - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PKI - pki: - caRootsData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ2ekNDQTZlZ0F3SUJBZ0lVRDVuLzdUMGszUHBVekMvZE5CRUVpWHhDaFVjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JqRUxNQWtHQTFVRUJoTUNSVk14RVRBUEJnTlZCQWNNQ0ZaaGJHVnVZMmxoTVFzd0NRWURWUVFLREFKSgpWREVSTUE4R0ExVUVDd3dJVTJWamRYSnBkSGt4TERBcUJnTlZCQU1NSTB4cGJuVjRaWEpoSUZKdmIzUWdRMlZ5CmRHbG1hV05oZEdVZ1FYVjBhRzl5YVhSNU1DQVhEVEkwTURneE1ERTNNVFF3TTFvWUR6SXdOVEV4TWpJMk1UY3gKTkRBeldqQnVNUXN3Q1FZRFZRUUdFd0pGVXpFUk1BOEdBMVVFQnd3SVZtRnNaVzVqYVdFeEN6QUpCZ05WQkFvTQpBa2xVTVJFd0R3WURWUVFMREFoVFpXTjFjbWwwZVRFc01Db0dBMVVFQXd3alRHbHVkWGhsY21FZ1VtOXZkQ0JEClpYSjBhV1pwWTJGMFpTQkJkWFJvYjNKcGRIa3dnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUsKQW9JQ0FRQ1h5ekpBSGRlY0NES0tpdFN4MlN0d215RWdUc2psRHhMdUpEUlZkUGVYZWpNTzVZQ1lxdW4raXl6awpkZm5jZ3k4TTlOTHU1bWZUSWpUZ3dLRVBHWHhpQjZ4VXVtNjRPUmt2RUVnT0oyV3JWV3M5NHJLL21iaTB4eUl1ClZjTlNFT0M0Ry9OY2VmYlFJY3JJNk5PV0xsRTN3WEFlRlNQVTNDTnJlbzV5NGlkNEtmR29oWlN1QXJJNkxZQzcKTm0vRlQ5cGgzZW5JdTBubVFjUGZYaU0xS2E2ZWpKK3hHMk5TdXRFL1dWVTNUL0JPVWM5b3MvWUJSbHlvakZGbwpkSHZ4L2lLRGpWZXBFOGRySXZMa1c1OEFoUXZNbmh4VVErWk1YdHhYaDlyVXZzOTdEdjNsdE85ek91STRaTGVsCmt2ZjRvWW5PbGltQm1SNk5zZlAvaUNZR1dLVVQ2VmUxZTZFbGkzaG5COElOQ2tzQmF1cEYxZ0YyeWpOakYyc2sKQnowcmoydjFFb2ZsSEhsZ1BnM2NyYkNON2RoSnF6RHhGQmFaeXdXRjZjYzFNYjVDMUgrUFFudXVGOEI2L0JTQQp0VEF5M3hpNUVlcWhxeGNxdG5BS0pnSXc3Q0dTUHZGQ280OG5lVzlmdERlNkFrcEpTMjhBNVBRVCtuZDY1T3VjClpqbnBGNzhGdkE5aXdsSjNxaE90WE5DWVlQOVhMWnNvSjNJK2ZLaEQ0dE9kRklta3dFS3RYUW9xRGtuUmdKeEYKMmFrNDdndnZuQkpKa1o4ZEhpYU85ZWlzL1R3Q2p2ekhQbk9oaEZqWmRmNlFOTlVMVERXcGp3YW1kSDQrd3VjVgpjQXpmUlhtbEVpbnIyaXlXQW5ycEZzdGlSeHRySDRFTytqb25MbXpmUlNOVnoxL0xXd0lEQVFBQm8xTXdVVEFkCkJnTlZIUTRFRmdRVWxJMXJ6b3FNZlZxbHFKZkJzYWt6bXJVZjl6OHdId1lEVlIwakJCZ3dGb0FVbEkxcnpvcU0KZlZxbHFKZkJzYWt6bXJVZjl6OHdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBZ0VBZXEwMTJPWGxNRE9OUVNaSXRnd3pUaURsVHE1MzNCekkrak50cWVUTzBZZUNwTGZYRlROUXFxdyt6WVFuCi80UVlacW5lSUhkTnByaFlkZDdORUc5ak5jaXV0dW4vZUNaZXZYVktPc3d6VHk3a2l5Nm9Rek1hZklVZ2dMMTUKV2JFZlU5c3JjT0xBOXFVN2MvUHdPQURzdEhQTVBuZ3Z4UzdqWmw2Z0cwNUFVMGcyYXF2bkRiVmtmY3M2SUxMUgpFRnNUTXBLK1lHaWhBU1NrUTBwbVpUTGdEem1HVWdVOFFvejZFWTAwMzZiZzZJbTJKL0RNUU9ic0MvQmVqb1EzCnkxQmJWR1Job0F2bytQYkprd0hzaUE2SythR3RZYXJmSzR2VUpoVEJMb0JHSElNRDlPbkVRc0pDT2JvWnhsVU4KYmwxZVhjOHFzQzVqVmNWOG9TakNWbmVOZ241aW1HYVFLdEVWdjdBYUNvL3RCYXJYNVJucEdKZ1h0bnhuNjVmVApYNUh3NENCR2RIeUtmZTliWjV0K2lFSm1WbTgva2M2Z216V2JmNVZUcmkyTUp0ZEFwWGlnRmxIYzZVK09uMnk5CitYbU9pbWVDbVA5WTNqcGdITkIxVVA0Q2hFSEg0azdmWDFaSkpYeGVLWERJTWFxWmFRYjZ5VCtDbFJvU2lsQSsKQU95dEd4c3B0OVpmemN4ZGRaTUdNYXcrQzlaYW5WTjNRVTZ1Tk0wOGYra2lkRkdJL29vN1pNZ0xaQ1RKWnozSQpINktFSkl1L1ZpWFlONTFlM1ZpV0srNFBBKzZjRXVmZzMwZE52cFExTVVuYW10Sjc2QXQ2UVJnY3NBMzVYemxWCkZ0RlV6VVFkZk1KQnBSVVR1ZEtvK2d0TG9oT1BkZXdYM2xaUVA4QkJCZWdrdlJzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t - pkiCertificateSubject: - email: test-user@example.com - expected: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PKI - pki: - caRootsData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ2ekNDQTZlZ0F3SUJBZ0lVRDVuLzdUMGszUHBVekMvZE5CRUVpWHhDaFVjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JqRUxNQWtHQTFVRUJoTUNSVk14RVRBUEJnTlZCQWNNQ0ZaaGJHVnVZMmxoTVFzd0NRWURWUVFLREFKSgpWREVSTUE4R0ExVUVDd3dJVTJWamRYSnBkSGt4TERBcUJnTlZCQU1NSTB4cGJuVjRaWEpoSUZKdmIzUWdRMlZ5CmRHbG1hV05oZEdVZ1FYVjBhRzl5YVhSNU1DQVhEVEkwTURneE1ERTNNVFF3TTFvWUR6SXdOVEV4TWpJMk1UY3gKTkRBeldqQnVNUXN3Q1FZRFZRUUdFd0pGVXpFUk1BOEdBMVVFQnd3SVZtRnNaVzVqYVdFeEN6QUpCZ05WQkFvTQpBa2xVTVJFd0R3WURWUVFMREFoVFpXTjFjbWwwZVRFc01Db0dBMVVFQXd3alRHbHVkWGhsY21FZ1VtOXZkQ0JEClpYSjBhV1pwWTJGMFpTQkJkWFJvYjNKcGRIa3dnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUsKQW9JQ0FRQ1h5ekpBSGRlY0NES0tpdFN4MlN0d215RWdUc2psRHhMdUpEUlZkUGVYZWpNTzVZQ1lxdW4raXl6awpkZm5jZ3k4TTlOTHU1bWZUSWpUZ3dLRVBHWHhpQjZ4VXVtNjRPUmt2RUVnT0oyV3JWV3M5NHJLL21iaTB4eUl1ClZjTlNFT0M0Ry9OY2VmYlFJY3JJNk5PV0xsRTN3WEFlRlNQVTNDTnJlbzV5NGlkNEtmR29oWlN1QXJJNkxZQzcKTm0vRlQ5cGgzZW5JdTBubVFjUGZYaU0xS2E2ZWpKK3hHMk5TdXRFL1dWVTNUL0JPVWM5b3MvWUJSbHlvakZGbwpkSHZ4L2lLRGpWZXBFOGRySXZMa1c1OEFoUXZNbmh4VVErWk1YdHhYaDlyVXZzOTdEdjNsdE85ek91STRaTGVsCmt2ZjRvWW5PbGltQm1SNk5zZlAvaUNZR1dLVVQ2VmUxZTZFbGkzaG5COElOQ2tzQmF1cEYxZ0YyeWpOakYyc2sKQnowcmoydjFFb2ZsSEhsZ1BnM2NyYkNON2RoSnF6RHhGQmFaeXdXRjZjYzFNYjVDMUgrUFFudXVGOEI2L0JTQQp0VEF5M3hpNUVlcWhxeGNxdG5BS0pnSXc3Q0dTUHZGQ280OG5lVzlmdERlNkFrcEpTMjhBNVBRVCtuZDY1T3VjClpqbnBGNzhGdkE5aXdsSjNxaE90WE5DWVlQOVhMWnNvSjNJK2ZLaEQ0dE9kRklta3dFS3RYUW9xRGtuUmdKeEYKMmFrNDdndnZuQkpKa1o4ZEhpYU85ZWlzL1R3Q2p2ekhQbk9oaEZqWmRmNlFOTlVMVERXcGp3YW1kSDQrd3VjVgpjQXpmUlhtbEVpbnIyaXlXQW5ycEZzdGlSeHRySDRFTytqb25MbXpmUlNOVnoxL0xXd0lEQVFBQm8xTXdVVEFkCkJnTlZIUTRFRmdRVWxJMXJ6b3FNZlZxbHFKZkJzYWt6bXJVZjl6OHdId1lEVlIwakJCZ3dGb0FVbEkxcnpvcU0KZlZxbHFKZkJzYWt6bXJVZjl6OHdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBZ0VBZXEwMTJPWGxNRE9OUVNaSXRnd3pUaURsVHE1MzNCekkrak50cWVUTzBZZUNwTGZYRlROUXFxdyt6WVFuCi80UVlacW5lSUhkTnByaFlkZDdORUc5ak5jaXV0dW4vZUNaZXZYVktPc3d6VHk3a2l5Nm9Rek1hZklVZ2dMMTUKV2JFZlU5c3JjT0xBOXFVN2MvUHdPQURzdEhQTVBuZ3Z4UzdqWmw2Z0cwNUFVMGcyYXF2bkRiVmtmY3M2SUxMUgpFRnNUTXBLK1lHaWhBU1NrUTBwbVpUTGdEem1HVWdVOFFvejZFWTAwMzZiZzZJbTJKL0RNUU9ic0MvQmVqb1EzCnkxQmJWR1Job0F2bytQYkprd0hzaUE2SythR3RZYXJmSzR2VUpoVEJMb0JHSElNRDlPbkVRc0pDT2JvWnhsVU4KYmwxZVhjOHFzQzVqVmNWOG9TakNWbmVOZ241aW1HYVFLdEVWdjdBYUNvL3RCYXJYNVJucEdKZ1h0bnhuNjVmVApYNUh3NENCR2RIeUtmZTliWjV0K2lFSm1WbTgva2M2Z216V2JmNVZUcmkyTUp0ZEFwWGlnRmxIYzZVK09uMnk5CitYbU9pbWVDbVA5WTNqcGdITkIxVVA0Q2hFSEg0azdmWDFaSkpYeGVLWERJTWFxWmFRYjZ5VCtDbFJvU2lsQSsKQU95dEd4c3B0OVpmemN4ZGRaTUdNYXcrQzlaYW5WTjNRVTZ1Tk0wOGYra2lkRkdJL29vN1pNZ0xaQ1RKWnozSQpINktFSkl1L1ZpWFlONTFlM1ZpV0srNFBBKzZjRXVmZzMwZE52cFExTVVuYW10Sjc2QXQ2UVJnY3NBMzVYemxWCkZ0RlV6VVFkZk1KQnBSVVR1ZEtvK2d0TG9oT1BkZXdYM2xaUVA4QkJCZWdrdlJzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t - pkiCertificateSubject: - email: test-user@example.com - - name: Should not allow policyType PKI but not set pki - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PKI - expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": pki is required when policyType is PKI, and forbidden otherwise" - - name: Should not allow pkiCertificateSubject invalid email - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PKI - pki: - caRootsData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ2ekNDQTZlZ0F3SUJBZ0lVRDVuLzdUMGszUHBVekMvZE5CRUVpWHhDaFVjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JqRUxNQWtHQTFVRUJoTUNSVk14RVRBUEJnTlZCQWNNQ0ZaaGJHVnVZMmxoTVFzd0NRWURWUVFLREFKSgpWREVSTUE4R0ExVUVDd3dJVTJWamRYSnBkSGt4TERBcUJnTlZCQU1NSTB4cGJuVjRaWEpoSUZKdmIzUWdRMlZ5CmRHbG1hV05oZEdVZ1FYVjBhRzl5YVhSNU1DQVhEVEkwTURneE1ERTNNVFF3TTFvWUR6SXdOVEV4TWpJMk1UY3gKTkRBeldqQnVNUXN3Q1FZRFZRUUdFd0pGVXpFUk1BOEdBMVVFQnd3SVZtRnNaVzVqYVdFeEN6QUpCZ05WQkFvTQpBa2xVTVJFd0R3WURWUVFMREFoVFpXTjFjbWwwZVRFc01Db0dBMVVFQXd3alRHbHVkWGhsY21FZ1VtOXZkQ0JEClpYSjBhV1pwWTJGMFpTQkJkWFJvYjNKcGRIa3dnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUsKQW9JQ0FRQ1h5ekpBSGRlY0NES0tpdFN4MlN0d215RWdUc2psRHhMdUpEUlZkUGVYZWpNTzVZQ1lxdW4raXl6awpkZm5jZ3k4TTlOTHU1bWZUSWpUZ3dLRVBHWHhpQjZ4VXVtNjRPUmt2RUVnT0oyV3JWV3M5NHJLL21iaTB4eUl1ClZjTlNFT0M0Ry9OY2VmYlFJY3JJNk5PV0xsRTN3WEFlRlNQVTNDTnJlbzV5NGlkNEtmR29oWlN1QXJJNkxZQzcKTm0vRlQ5cGgzZW5JdTBubVFjUGZYaU0xS2E2ZWpKK3hHMk5TdXRFL1dWVTNUL0JPVWM5b3MvWUJSbHlvakZGbwpkSHZ4L2lLRGpWZXBFOGRySXZMa1c1OEFoUXZNbmh4VVErWk1YdHhYaDlyVXZzOTdEdjNsdE85ek91STRaTGVsCmt2ZjRvWW5PbGltQm1SNk5zZlAvaUNZR1dLVVQ2VmUxZTZFbGkzaG5COElOQ2tzQmF1cEYxZ0YyeWpOakYyc2sKQnowcmoydjFFb2ZsSEhsZ1BnM2NyYkNON2RoSnF6RHhGQmFaeXdXRjZjYzFNYjVDMUgrUFFudXVGOEI2L0JTQQp0VEF5M3hpNUVlcWhxeGNxdG5BS0pnSXc3Q0dTUHZGQ280OG5lVzlmdERlNkFrcEpTMjhBNVBRVCtuZDY1T3VjClpqbnBGNzhGdkE5aXdsSjNxaE90WE5DWVlQOVhMWnNvSjNJK2ZLaEQ0dE9kRklta3dFS3RYUW9xRGtuUmdKeEYKMmFrNDdndnZuQkpKa1o4ZEhpYU85ZWlzL1R3Q2p2ekhQbk9oaEZqWmRmNlFOTlVMVERXcGp3YW1kSDQrd3VjVgpjQXpmUlhtbEVpbnIyaXlXQW5ycEZzdGlSeHRySDRFTytqb25MbXpmUlNOVnoxL0xXd0lEQVFBQm8xTXdVVEFkCkJnTlZIUTRFRmdRVWxJMXJ6b3FNZlZxbHFKZkJzYWt6bXJVZjl6OHdId1lEVlIwakJCZ3dGb0FVbEkxcnpvcU0KZlZxbHFKZkJzYWt6bXJVZjl6OHdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBZ0VBZXEwMTJPWGxNRE9OUVNaSXRnd3pUaURsVHE1MzNCekkrak50cWVUTzBZZUNwTGZYRlROUXFxdyt6WVFuCi80UVlacW5lSUhkTnByaFlkZDdORUc5ak5jaXV0dW4vZUNaZXZYVktPc3d6VHk3a2l5Nm9Rek1hZklVZ2dMMTUKV2JFZlU5c3JjT0xBOXFVN2MvUHdPQURzdEhQTVBuZ3Z4UzdqWmw2Z0cwNUFVMGcyYXF2bkRiVmtmY3M2SUxMUgpFRnNUTXBLK1lHaWhBU1NrUTBwbVpUTGdEem1HVWdVOFFvejZFWTAwMzZiZzZJbTJKL0RNUU9ic0MvQmVqb1EzCnkxQmJWR1Job0F2bytQYkprd0hzaUE2SythR3RZYXJmSzR2VUpoVEJMb0JHSElNRDlPbkVRc0pDT2JvWnhsVU4KYmwxZVhjOHFzQzVqVmNWOG9TakNWbmVOZ241aW1HYVFLdEVWdjdBYUNvL3RCYXJYNVJucEdKZ1h0bnhuNjVmVApYNUh3NENCR2RIeUtmZTliWjV0K2lFSm1WbTgva2M2Z216V2JmNVZUcmkyTUp0ZEFwWGlnRmxIYzZVK09uMnk5CitYbU9pbWVDbVA5WTNqcGdITkIxVVA0Q2hFSEg0azdmWDFaSkpYeGVLWERJTWFxWmFRYjZ5VCtDbFJvU2lsQSsKQU95dEd4c3B0OVpmemN4ZGRaTUdNYXcrQzlaYW5WTjNRVTZ1Tk0wOGYra2lkRkdJL29vN1pNZ0xaQ1RKWnozSQpINktFSkl1L1ZpWFlONTFlM1ZpV0srNFBBKzZjRXVmZzMwZE52cFExTVVuYW10Sjc2QXQ2UVJnY3NBMzVYemxWCkZ0RlV6VVFkZk1KQnBSVVR1ZEtvK2d0TG9oT1BkZXdYM2xaUVA4QkJCZWdrdlJzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t - pkiCertificateSubject: - email: invalid-email - expectedError: "spec.policy.rootOfTrust.pki.pkiCertificateSubject.email: Invalid value: \"string\": invalid email address in pkiCertificateSubject" - - name: Should not allow pkiCertificateSubject invalid hostname - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PKI - pki: - caRootsData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ2ekNDQTZlZ0F3SUJBZ0lVRDVuLzdUMGszUHBVekMvZE5CRUVpWHhDaFVjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JqRUxNQWtHQTFVRUJoTUNSVk14RVRBUEJnTlZCQWNNQ0ZaaGJHVnVZMmxoTVFzd0NRWURWUVFLREFKSgpWREVSTUE4R0ExVUVDd3dJVTJWamRYSnBkSGt4TERBcUJnTlZCQU1NSTB4cGJuVjRaWEpoSUZKdmIzUWdRMlZ5CmRHbG1hV05oZEdVZ1FYVjBhRzl5YVhSNU1DQVhEVEkwTURneE1ERTNNVFF3TTFvWUR6SXdOVEV4TWpJMk1UY3gKTkRBeldqQnVNUXN3Q1FZRFZRUUdFd0pGVXpFUk1BOEdBMVVFQnd3SVZtRnNaVzVqYVdFeEN6QUpCZ05WQkFvTQpBa2xVTVJFd0R3WURWUVFMREFoVFpXTjFjbWwwZVRFc01Db0dBMVVFQXd3alRHbHVkWGhsY21FZ1VtOXZkQ0JEClpYSjBhV1pwWTJGMFpTQkJkWFJvYjNKcGRIa3dnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUsKQW9JQ0FRQ1h5ekpBSGRlY0NES0tpdFN4MlN0d215RWdUc2psRHhMdUpEUlZkUGVYZWpNTzVZQ1lxdW4raXl6awpkZm5jZ3k4TTlOTHU1bWZUSWpUZ3dLRVBHWHhpQjZ4VXVtNjRPUmt2RUVnT0oyV3JWV3M5NHJLL21iaTB4eUl1ClZjTlNFT0M0Ry9OY2VmYlFJY3JJNk5PV0xsRTN3WEFlRlNQVTNDTnJlbzV5NGlkNEtmR29oWlN1QXJJNkxZQzcKTm0vRlQ5cGgzZW5JdTBubVFjUGZYaU0xS2E2ZWpKK3hHMk5TdXRFL1dWVTNUL0JPVWM5b3MvWUJSbHlvakZGbwpkSHZ4L2lLRGpWZXBFOGRySXZMa1c1OEFoUXZNbmh4VVErWk1YdHhYaDlyVXZzOTdEdjNsdE85ek91STRaTGVsCmt2ZjRvWW5PbGltQm1SNk5zZlAvaUNZR1dLVVQ2VmUxZTZFbGkzaG5COElOQ2tzQmF1cEYxZ0YyeWpOakYyc2sKQnowcmoydjFFb2ZsSEhsZ1BnM2NyYkNON2RoSnF6RHhGQmFaeXdXRjZjYzFNYjVDMUgrUFFudXVGOEI2L0JTQQp0VEF5M3hpNUVlcWhxeGNxdG5BS0pnSXc3Q0dTUHZGQ280OG5lVzlmdERlNkFrcEpTMjhBNVBRVCtuZDY1T3VjClpqbnBGNzhGdkE5aXdsSjNxaE90WE5DWVlQOVhMWnNvSjNJK2ZLaEQ0dE9kRklta3dFS3RYUW9xRGtuUmdKeEYKMmFrNDdndnZuQkpKa1o4ZEhpYU85ZWlzL1R3Q2p2ekhQbk9oaEZqWmRmNlFOTlVMVERXcGp3YW1kSDQrd3VjVgpjQXpmUlhtbEVpbnIyaXlXQW5ycEZzdGlSeHRySDRFTytqb25MbXpmUlNOVnoxL0xXd0lEQVFBQm8xTXdVVEFkCkJnTlZIUTRFRmdRVWxJMXJ6b3FNZlZxbHFKZkJzYWt6bXJVZjl6OHdId1lEVlIwakJCZ3dGb0FVbEkxcnpvcU0KZlZxbHFKZkJzYWt6bXJVZjl6OHdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBZ0VBZXEwMTJPWGxNRE9OUVNaSXRnd3pUaURsVHE1MzNCekkrak50cWVUTzBZZUNwTGZYRlROUXFxdyt6WVFuCi80UVlacW5lSUhkTnByaFlkZDdORUc5ak5jaXV0dW4vZUNaZXZYVktPc3d6VHk3a2l5Nm9Rek1hZklVZ2dMMTUKV2JFZlU5c3JjT0xBOXFVN2MvUHdPQURzdEhQTVBuZ3Z4UzdqWmw2Z0cwNUFVMGcyYXF2bkRiVmtmY3M2SUxMUgpFRnNUTXBLK1lHaWhBU1NrUTBwbVpUTGdEem1HVWdVOFFvejZFWTAwMzZiZzZJbTJKL0RNUU9ic0MvQmVqb1EzCnkxQmJWR1Job0F2bytQYkprd0hzaUE2SythR3RZYXJmSzR2VUpoVEJMb0JHSElNRDlPbkVRc0pDT2JvWnhsVU4KYmwxZVhjOHFzQzVqVmNWOG9TakNWbmVOZ241aW1HYVFLdEVWdjdBYUNvL3RCYXJYNVJucEdKZ1h0bnhuNjVmVApYNUh3NENCR2RIeUtmZTliWjV0K2lFSm1WbTgva2M2Z216V2JmNVZUcmkyTUp0ZEFwWGlnRmxIYzZVK09uMnk5CitYbU9pbWVDbVA5WTNqcGdITkIxVVA0Q2hFSEg0azdmWDFaSkpYeGVLWERJTWFxWmFRYjZ5VCtDbFJvU2lsQSsKQU95dEd4c3B0OVpmemN4ZGRaTUdNYXcrQzlaYW5WTjNRVTZ1Tk0wOGYra2lkRkdJL29vN1pNZ0xaQ1RKWnozSQpINktFSkl1L1ZpWFlONTFlM1ZpV0srNFBBKzZjRXVmZzMwZE52cFExTVVuYW10Sjc2QXQ2UVJnY3NBMzVYemxWCkZ0RlV6VVFkZk1KQnBSVVR1ZEtvK2d0TG9oT1BkZXdYM2xaUVA4QkJCZWdrdlJzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t - pkiCertificateSubject: - hostname: invaild-.com - expectedError: "spec.policy.rootOfTrust.pki.pkiCertificateSubject.hostname: Invalid value: \"string\": hostname should be a valid dns 1123 subdomain name, optionally prefixed by '*.'. It should consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk." - - name: Should not allow poliyType PKI but not set pki - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PKI - pki: {} - expectedError: "spec.policy.rootOfTrust.pki.caRootsData: Required value, spec.policy.rootOfTrust.pki.pkiCertificateSubject: Required value, : Invalid value: \"null\": some validation rules were not checked because the object was invalid; correct the existing errors to complete validation" - - name: Should not allow caRootsData not encoded from PEM - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PKI - pki: - caRootsData: Zm9vIGJhcg== - pkiCertificateSubject: - email: test-user@example.com - expectedError: "spec.policy.rootOfTrust.pki.caRootsData: Invalid value: \"string\": the caRootsData must start with base64 encoding of '-----BEGIN CERTIFICATE-----'." - - name: PRM start and end markers must match if multiple CA root intermediates are provided. - initial: | - apiVersion: config.openshift.io/v1alpha1 - kind: ImagePolicy - spec: - scopes: - - example.com - policy: - rootOfTrust: - policyType: PKI - pki: - caRootsData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQpNSUlGMXpDQ0E3K2dBd0lCQWdJVUhWTExqbVQxVVRYcDRoS3hJT3NDOWRNOERuTXdEUVlKS29aSWh2Y05BUUVMCkJRQXdiakVMTUFrR0ExVUVCaE1DUlZNeEVUQVBCZ05WQkFjTUNGWmhiR1Z1WTJsaE1Rc3dDUVlEVlFRS0RBSkoKVkRFUk1BOEdBMVVFQ3d3SVUyVmpkWEpwZEhreExEQXFCZ05WQkFNTUkweHBiblY0WlhKaElGSnZiM1FnUTJWeQpkR2xtYVdOaGRHVWdRWFYwYUc5eWFYUjVNQ0FYRFRJME1EZ3hNREUzTVRRd05Gb1lEekl3TlRFeE1qSTJNVGN4Ck5EQTBXakIyTVFzd0NRWURWUVFHRXdKRlV6RVJNQThHQTFVRUJ3d0lWbUZzWlc1amFXRXhDekFKQmdOVkJBb00KQWtsVU1SRXdEd1lEVlFRTERBaFRaV04xY21sMGVURTBNRElHQTFVRUF3d3JUR2x1ZFhobGNtRWdTVzUwWlhKdApaV1JwWVhSbElFTmxjblJwWm1sallYUmxJRUYxZEdodmNtbDBlVENDQWlJd0RRWUpLb1pJaHZjTkFRRUJCUUFECmdnSVBBRENDQWdvQ2dnSUJBS2IrcUY5M3dVV1dBdUhxZTFldHFja0RLbFR5amlsTmJKS2YxZWkxODNSdCtYM2wKckYzRklYN2F0dHdSTS9EZXNRSTgvYk9tSWpDNnFvTUJqbVVUdG5WclAxUHkxSXd2bWh2cUFESUVJSlNlS1NVMwpzSVJzNG1ldHdVckZrV0hoQXJtWVJSMUdJK2VBdGUxckdoNE9QcWEwcm1FMHpvbEc1dGoxdDB5dUVQSjdDVUlrCndQSGR4amErakRXQ1V5aXBrOGdvNWlwMGhxWkJ1U2tqNDErY0pZbFVTeDZXUHo3NStIZytpdEh0NUhCZGc1T0MKVXNoeVlyVzdzYnJKMDBCREhYYmdzRm9qemh1aXAxQkYzbnNQWWcxU2dwMlZib2JWUjAzOWdJZ0l1NDR6cXA4NApvSkk5Rys4a1V2Ri9OY0g5YWdIZzJpaXZXQnZwS0J2Q3JxV2NZZTNUQ1Z0V3YwWWJqc0RUbGZyMXphVWlqR2RICnM3QTZ2d1RibTNZTlh0SCtjbEx0eVcvMkl0T2x4aTBqTG9yQnp4aURnN283UTh1V2FBQmhYdGRuTExpbVhCU1UKSEludjMzbGFoNDFabXByUTJUT2pOQmZzYytXQ0RLVzFuRzlSciswakYzK3BEb29LV3RnYm9hV0QrQ2JtWUozVQpuZXMrcXp3Q0FTeDN6YU1pNWcyeW1qUjZqakZmSmhvMzlCckEzZXh0dTN0Qys3dnE5R2Fhc0llZDN3MWlhbnpLCnJNWmpDMWVNZTlJbS9ndGZ1QVd6Vk8xR2hUZ3NGTG5MS3NMRTVUaDZmbEVTdWFCOUgyaHBWdWRBekNqM091MjUKejYxSVdaMzE2amM2TDJOREx4WmExZjdXeVBhMWRjVlRHeDFuc1o1dTgzRkthc2VQMXArYzU2dEtmUC9GQWdNQgpBQUdqWXpCaE1CMEdBMVVkRGdRV0JCUkJYM3Z0WEgzcWRBNlNqUGtjTTJNTjRjQ1J1ekFMQmdOVkhROEVCQU1DCkFnUXdFZ1lEVlIwVEFRSC9CQWd3QmdFQi93SUJBakFmQmdOVkhTTUVHREFXZ0JTVWpXdk9pb3g5V3FXb2w4R3gKcVRPYXRSLzNQekFOQmdrcWhraUc5dzBCQVFzRkFBT0NBZ0VBTDNIQ2xYbVNEbjRyd1lrbzVVY2swVkp4ZDBPZApVWTRmYThtRXoxdFVuSjF0TU1qdkh4c2dNY2ZJTXNDbldkMEREaDVQK2V0QmYwbHd6R0xLdGhIRXZ4RTZZU3ZvClYyYnpxRjdUT2trd3VKZEFYdGIwRGRPejJ2T2ZFcnBhNnpjWkFGcmFwdnhyaVdkZGR4bk1SQWkwRHkzZ2RqYS8KVDc1bzlDRVk5WFdlZTY4bFlVVXpuUm1IRFU3ek5vUWtVSmw0ajVJWkllT2pwU2d3ejF1NFhIMGs0bnVGYXJ0Vwpab1Z2UWMwZURtUE44cktJYWdvejRRNzlPbm9lek03ZG1GZERXcitNVDIzY3hpMStlZ3VPTmdpOE8vYVhBUk5TCkJiUHI5aS9VTGI4K0h5VmJ6T1lZdHE0NXhnMmdDYTRGYnM0ejZjUkovRU45eTFaQnpwT3paRmdzOXJFeU1XQmIKdW0zYnZ0MHRtOGxKUDMwMWhuemRGRi9FZ2FPL2Z6bVZsVk5yTDNUcURZYmdwTWxOakI5MzlkOVhxMGZRUkZFWApWQTVUckFadGk3NktzYUpmZlRycjJOR201SW9CRHNseEV0ZWo3R2pvWUNzZmcrZ2RlbVJTWEliSFAvNmhLK09UCkpsNmNETy95Wmp4QkE0a3h6WERCUUhhL1pJM3UvQlJKRm40bFZiNkM1bzFwTGxrQ0ROSEF3Qmd6QjFnS05lVWQKaUhLYzN1Y3lHQ1BkWTE1eFJxdFhDUUkyYmZQQkp5cEJuMktYMjlSOFQ1ejhBTW5FdFphQXVkdm81MExLRHprdgpUQ25WRDVpRjltenRUWTdrekJNSXJFaTQ4bTJMMG5XQ2VyMk9TRWVrdjlsUFJKUUJQaFNUOEdrZnlDWnlnSWZ3CmdiQzNrNUVrS3NweUZJRT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= - pkiCertificateSubject: - email: test-user@example.com - expectedError: "spec.policy.rootOfTrust.pki.caRootsData: Invalid value: \"string\": caRootsData must be base64 encoding of valid PEM format data contain the same number of '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' markers." diff --git a/config/v1alpha1/types_cluster_image_policy.go b/config/v1alpha1/types_cluster_image_policy.go deleted file mode 100644 index e8d7603d7b6..00000000000 --- a/config/v1alpha1/types_cluster_image_policy.go +++ /dev/null @@ -1,80 +0,0 @@ -package v1alpha1 - -import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - -// +genclient -// +genclient:nonNamespaced -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object - -// ClusterImagePolicy holds cluster-wide configuration for image signature verification -// -// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. -// +kubebuilder:object:root=true -// +kubebuilder:resource:path=clusterimagepolicies,scope=Cluster -// +kubebuilder:subresource:status -// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/1457 -// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01 -// +openshift:enable:FeatureGate=SigstoreImageVerification -// +openshift:compatibility-gen:level=4 -type ClusterImagePolicy struct { - metav1.TypeMeta `json:",inline"` - - // metadata is the standard object's metadata. - // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - metav1.ObjectMeta `json:"metadata,omitempty"` - - // spec contains the configuration for the cluster image policy. - // +required - Spec ClusterImagePolicySpec `json:"spec"` - // status contains the observed state of the resource. - // +optional - Status ClusterImagePolicyStatus `json:"status,omitempty"` -} - -// CLusterImagePolicySpec is the specification of the ClusterImagePolicy custom resource. -type ClusterImagePolicySpec struct { - // scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". - // Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). - // More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository - // namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). - // Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. - // If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. - // In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories - // quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. - // If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. - // For additional details about the format, please refer to the document explaining the docker transport field, - // which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker - // +required - // +kubebuilder:validation:MaxItems=256 - // +listType=set - Scopes []ImageScope `json:"scopes"` - // policy contains configuration to allow scopes to be verified, and defines how - // images not matching the verification policy will be treated. - // +required - Policy ImageSigstoreVerificationPolicy `json:"policy"` -} - -// +k8s:deepcopy-gen=true -type ClusterImagePolicyStatus struct { - // conditions provide details on the status of this API Resource. - // +listType=map - // +listMapKey=type - // +optional - Conditions []metav1.Condition `json:"conditions,omitempty"` -} - -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object - -// ClusterImagePolicyList is a list of ClusterImagePolicy resources -// -// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. -// +openshift:compatibility-gen:level=4 -type ClusterImagePolicyList struct { - metav1.TypeMeta `json:",inline"` - - // metadata is the standard list's metadata. - // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - metav1.ListMeta `json:"metadata"` - - Items []ClusterImagePolicy `json:"items"` -} diff --git a/config/v1alpha1/types_image_policy.go b/config/v1alpha1/types_image_policy.go deleted file mode 100644 index 977ca3dde32..00000000000 --- a/config/v1alpha1/types_image_policy.go +++ /dev/null @@ -1,289 +0,0 @@ -package v1alpha1 - -import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - -// +genclient -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object - -// ImagePolicy holds namespace-wide configuration for image signature verification -// -// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. -// +kubebuilder:object:root=true -// +kubebuilder:resource:path=imagepolicies,scope=Namespaced -// +kubebuilder:subresource:status -// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/1457 -// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01 -// +openshift:enable:FeatureGate=SigstoreImageVerification -// +openshift:compatibility-gen:level=4 -type ImagePolicy struct { - metav1.TypeMeta `json:",inline"` - - // metadata is the standard object's metadata. - // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - metav1.ObjectMeta `json:"metadata,omitempty"` - - // spec holds user settable values for configuration - // +required - Spec ImagePolicySpec `json:"spec"` - // status contains the observed state of the resource. - // +optional - Status ImagePolicyStatus `json:"status,omitempty"` -} - -// ImagePolicySpec is the specification of the ImagePolicy CRD. -type ImagePolicySpec struct { - // scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". - // Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). - // More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository - // namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). - // Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. - // If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. - // In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories - // quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. - // If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. - // For additional details about the format, please refer to the document explaining the docker transport field, - // which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker - // +required - // +kubebuilder:validation:MaxItems=256 - // +listType=set - Scopes []ImageScope `json:"scopes"` - // policy contains configuration to allow scopes to be verified, and defines how - // images not matching the verification policy will be treated. - // +required - Policy ImageSigstoreVerificationPolicy `json:"policy"` -} - -// +kubebuilder:validation:XValidation:rule="size(self.split('/')[0].split('.')) == 1 ? self.split('/')[0].split('.')[0].split(':')[0] == 'localhost' : true",message="invalid image scope format, scope must contain a fully qualified domain name or 'localhost'" -// +kubebuilder:validation:XValidation:rule=`self.contains('*') ? self.matches('^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$') : true`,message="invalid image scope with wildcard, a wildcard can only be at the start of the domain and is only supported for subdomain matching, not path matching" -// +kubebuilder:validation:XValidation:rule=`!self.contains('*') ? self.matches('^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$') : true`,message="invalid repository namespace or image specification in the image scope" -// +kubebuilder:validation:MaxLength=512 -type ImageScope string - -// ImageSigstoreVerificationPolicy defines the verification policy for the items in the scopes list. -type ImageSigstoreVerificationPolicy struct { - // rootOfTrust specifies the root of trust for the policy. - // +required - RootOfTrust PolicyRootOfTrust `json:"rootOfTrust"` - // signedIdentity specifies what image identity the signature claims about the image. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". - // +optional - SignedIdentity PolicyIdentity `json:"signedIdentity,omitempty"` -} - -// PolicyRootOfTrust defines the root of trust based on the selected policyType. -// +union -// +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'PublicKey' ? has(self.publicKey) : !has(self.publicKey)",message="publicKey is required when policyType is PublicKey, and forbidden otherwise" -// +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'FulcioCAWithRekor' ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)",message="fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise" -// +openshift:validation:FeatureGateAwareXValidation:featureGate=SigstoreImageVerificationPKI,rule="has(self.policyType) && self.policyType == 'PKI' ? has(self.pki) : !has(self.pki)",message="pki is required when policyType is PKI, and forbidden otherwise" -type PolicyRootOfTrust struct { - // policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. - // "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. - // "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. - // "PKI" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. - // +unionDiscriminator - // +required - PolicyType PolicyType `json:"policyType"` - // publicKey defines the root of trust based on a sigstore public key. - // +optional - PublicKey *ImagePolicyPublicKeyRootOfTrust `json:"publicKey,omitempty"` - // fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. - // For more information about Fulcio and Rekor, please refer to the document at: - // https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor - // +optional - FulcioCAWithRekor *ImagePolicyFulcioCAWithRekorRootOfTrust `json:"fulcioCAWithRekor,omitempty"` - // pki defines the root of trust based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. - // +optional - // +openshift:enable:FeatureGate=SigstoreImageVerificationPKI - PKI *ImagePolicyPKIRootOfTrust `json:"pki,omitempty"` -} - -// +openshift:validation:FeatureGateAwareEnum:featureGate="",enum=PublicKey;FulcioCAWithRekor -// +openshift:validation:FeatureGateAwareEnum:featureGate=SigstoreImageVerificationPKI,enum=PublicKey;FulcioCAWithRekor;PKI -type PolicyType string - -const ( - PublicKeyRootOfTrust PolicyType = "PublicKey" - FulcioCAWithRekorRootOfTrust PolicyType = "FulcioCAWithRekor" - PKIRootOfTrust PolicyType = "PKI" -) - -// ImagePolicyPublicKeyRootOfTrust defines the root of trust based on a sigstore public key. -type ImagePolicyPublicKeyRootOfTrust struct { - // keyData contains inline base64-encoded data for the PEM format public key. - // KeyData must be at most 8192 characters. - // +required - // +kubebuilder:validation:MaxLength=8192 - KeyData []byte `json:"keyData"` - // rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. - // rekorKeyData must be at most 8192 characters. - // +optional - // +kubebuilder:validation:MaxLength=8192 - RekorKeyData []byte `json:"rekorKeyData,omitempty"` -} - -// ImagePolicyFulcioCAWithRekorRootOfTrust defines the root of trust based on the Fulcio certificate and the Rekor public key. -type ImagePolicyFulcioCAWithRekorRootOfTrust struct { - // fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. - // fulcioCAData must be at most 8192 characters. - // +required - // +kubebuilder:validation:MaxLength=8192 - FulcioCAData []byte `json:"fulcioCAData"` - // rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. - // rekorKeyData must be at most 8192 characters. - // +required - // +kubebuilder:validation:MaxLength=8192 - RekorKeyData []byte `json:"rekorKeyData"` - // fulcioSubject specifies OIDC issuer and the email of the Fulcio authentication configuration. - // +required - FulcioSubject PolicyFulcioSubject `json:"fulcioSubject"` -} - -// PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration. -type PolicyFulcioSubject struct { - // oidcIssuer contains the expected OIDC issuer. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. - // Example: "https://expected.OIDC.issuer/" - // +required - // +kubebuilder:validation:XValidation:rule="isURL(self)",message="oidcIssuer must be a valid URL" - OIDCIssuer string `json:"oidcIssuer"` - // signedEmail holds the email address the the Fulcio certificate is issued for. - // Example: "expected-signing-user@example.com" - // +required - // +kubebuilder:validation:XValidation:rule=`self.matches('^\\S+@\\S+$')`,message="invalid email address" - SignedEmail string `json:"signedEmail"` -} - -// ImagePolicyPKIRootOfTrust defines the root of trust based on Root CA(s) and corresponding intermediate certificates. -type ImagePolicyPKIRootOfTrust struct { - // caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. - // +required - // +kubebuilder:validation:MaxLength=8192 - // +kubebuilder:validation:XValidation:rule="string(self).startsWith('-----BEGIN CERTIFICATE-----')",message="the caRootsData must start with base64 encoding of '-----BEGIN CERTIFICATE-----'." - // +kubebuilder:validation:XValidation:rule="string(self).endsWith('-----END CERTIFICATE-----\\n') || string(self).endsWith('-----END CERTIFICATE-----')",message="the caRootsData must end with base64 encoding of '-----END CERTIFICATE-----'." - // +kubebuilder:validation:XValidation:rule="string(self).findAll('-----BEGIN CERTIFICATE-----').size() == string(self).findAll('-----END CERTIFICATE-----').size()",message="caRootsData must be base64 encoding of valid PEM format data contain the same number of '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' markers." - CertificateAuthorityRootsData []byte `json:"caRootsData"` - // caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. - // caIntermediatesData requires caRootsData to be set. - // +optional - // +kubebuilder:validation:XValidation:rule="string(self).startsWith('-----BEGIN CERTIFICATE-----')",message="the caIntermediatesData must start with base64 encoding of '-----BEGIN CERTIFICATE-----'." - // +kubebuilder:validation:XValidation:rule="string(self).endsWith('-----END CERTIFICATE-----\\n') || string(self).endsWith('-----END CERTIFICATE-----')",message="the caIntermediatesData must end with base64 encoding of '-----END CERTIFICATE-----'." - // +kubebuilder:validation:XValidation:rule="string(self).findAll('-----BEGIN CERTIFICATE-----').size() == string(self).findAll('-----END CERTIFICATE-----').size()",message="caIntermediatesData must be base64 encoding of valid PEM format data contain the same number of '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' markers." - // +kubebuilder:validation:MaxLength=8192 - CertificateAuthorityIntermediatesData []byte `json:"caIntermediatesData,omitempty"` - - // pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued. - // +required - PKICertificateSubject PKICertificateSubject `json:"pkiCertificateSubject"` -} - -// PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued. -// +kubebuilder:validation:XValidation:rule="has(self.email) || has(self.hostname)", message="at least one of email or hostname must be set in pkiCertificateSubject" -// +openshift:enable:FeatureGate=SigstoreImageVerificationPKI -type PKICertificateSubject struct { - // email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. - // The email should be a valid email address and at most 320 characters in length. - // +optional - // +kubebuilder:validation:MaxLength:=320 - // +kubebuilder:validation:XValidation:rule=`self.matches('^\\S+@\\S+$')`,message="invalid email address in pkiCertificateSubject" - Email string `json:"email,omitempty"` - // hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. - // The hostname should be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. - // It should consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk. - // +optional - // +kubebuilder:validation:MaxLength:=253 - // +kubebuilder:validation:XValidation:rule="self.startsWith('*.') ? !format.dns1123Subdomain().validate(self.replace('*.', '', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()",message="hostname should be a valid dns 1123 subdomain name, optionally prefixed by '*.'. It should consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk." - Hostname string `json:"hostname,omitempty"` -} - -// PolicyIdentity defines image identity the signature claims about the image. When omitted, the default matchPolicy is "MatchRepoDigestOrExact". -// +kubebuilder:validation:XValidation:rule="(has(self.matchPolicy) && self.matchPolicy == 'ExactRepository') ? has(self.exactRepository) : !has(self.exactRepository)",message="exactRepository is required when matchPolicy is ExactRepository, and forbidden otherwise" -// +kubebuilder:validation:XValidation:rule="(has(self.matchPolicy) && self.matchPolicy == 'RemapIdentity') ? has(self.remapIdentity) : !has(self.remapIdentity)",message="remapIdentity is required when matchPolicy is RemapIdentity, and forbidden otherwise" -// +union -type PolicyIdentity struct { - // matchPolicy sets the type of matching to be used. - // Valid values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". - // If set matchPolicy to ExactRepository, then the exactRepository must be specified. - // If set matchPolicy to RemapIdentity, then the remapIdentity must be specified. - // "MatchRepoDigestOrExact" means that the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. - // "MatchRepository" means that the identity in the signature must be in the same repository as the image identity. - // "ExactRepository" means that the identity in the signature must be in the same repository as a specific identity specified by "repository". - // "RemapIdentity" means that the signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. - // +unionDiscriminator - // +required - MatchPolicy IdentityMatchPolicy `json:"matchPolicy"` - // exactRepository is required if matchPolicy is set to "ExactRepository". - // +optional - PolicyMatchExactRepository *PolicyMatchExactRepository `json:"exactRepository,omitempty"` - // remapIdentity is required if matchPolicy is set to "RemapIdentity". - // +optional - PolicyMatchRemapIdentity *PolicyMatchRemapIdentity `json:"remapIdentity,omitempty"` -} - -// +kubebuilder:validation:MaxLength=512 -// +kubebuilder:validation:XValidation:rule=`self.matches('.*:([\\w][\\w.-]{0,127})$')? self.matches('^(localhost:[0-9]+)$'): true`,message="invalid repository or prefix in the signedIdentity, should not include the tag or digest" -// +kubebuilder:validation:XValidation:rule=`self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$')`,message="invalid repository or prefix in the signedIdentity" -type IdentityRepositoryPrefix string - -type PolicyMatchExactRepository struct { - // repository is the reference of the image identity to be matched. - // The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox - // +required - Repository IdentityRepositoryPrefix `json:"repository"` -} - -type PolicyMatchRemapIdentity struct { - // prefix is the prefix of the image identity to be matched. - // If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). - // This useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. - // The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - // or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - // For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - // +required - Prefix IdentityRepositoryPrefix `json:"prefix"` - // signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - // or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - // For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - // +required - SignedPrefix IdentityRepositoryPrefix `json:"signedPrefix"` -} - -// IdentityMatchPolicy defines the type of matching for "matchPolicy". -// +kubebuilder:validation:Enum=MatchRepoDigestOrExact;MatchRepository;ExactRepository;RemapIdentity -type IdentityMatchPolicy string - -const ( - IdentityMatchPolicyMatchRepoDigestOrExact IdentityMatchPolicy = "MatchRepoDigestOrExact" - IdentityMatchPolicyMatchRepository IdentityMatchPolicy = "MatchRepository" - IdentityMatchPolicyExactRepository IdentityMatchPolicy = "ExactRepository" - IdentityMatchPolicyRemapIdentity IdentityMatchPolicy = "RemapIdentity" -) - -// +k8s:deepcopy-gen=true -type ImagePolicyStatus struct { - // conditions provide details on the status of this API Resource. - // +listType=map - // +listMapKey=type - // +optional - Conditions []metav1.Condition `json:"conditions,omitempty"` -} - -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object - -// ImagePolicyList is a list of ImagePolicy resources -// -// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. -// +openshift:compatibility-gen:level=4 -type ImagePolicyList struct { - metav1.TypeMeta `json:",inline"` - - // metadata is the standard list's metadata. - // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - metav1.ListMeta `json:"metadata"` - - Items []ImagePolicy `json:"items"` -} - -const ( - // ImagePolicyPending indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid. - ImagePolicyPending = "Pending" - // ImagePolicyApplied indicates that the policy has been applied - ImagePolicyApplied = "Applied" -) diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies.crd.yaml deleted file mode 100644 index acd885a131a..00000000000 --- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies.crd.yaml +++ /dev/null @@ -1,442 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/1457 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - name: clusterimagepolicies.config.openshift.io -spec: - group: config.openshift.io - names: - kind: ClusterImagePolicy - listKind: ClusterImagePolicyList - plural: clusterimagepolicies - singular: clusterimagepolicy - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ClusterImagePolicy holds cluster-wide configuration for image signature verification - - Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec contains the configuration for the cluster image policy. - properties: - policy: - description: |- - policy contains configuration to allow scopes to be verified, and defines how - images not matching the verification policy will be treated. - properties: - rootOfTrust: - description: rootOfTrust specifies the root of trust for the policy. - properties: - fulcioCAWithRekor: - description: |- - fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. - For more information about Fulcio and Rekor, please refer to the document at: - https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor - properties: - fulcioCAData: - description: |- - fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. - fulcioCAData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - fulcioSubject: - description: fulcioSubject specifies OIDC issuer and the - email of the Fulcio authentication configuration. - properties: - oidcIssuer: - description: |- - oidcIssuer contains the expected OIDC issuer. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. - Example: "https://expected.OIDC.issuer/" - type: string - x-kubernetes-validations: - - message: oidcIssuer must be a valid URL - rule: isURL(self) - signedEmail: - description: |- - signedEmail holds the email address the the Fulcio certificate is issued for. - Example: "expected-signing-user@example.com" - type: string - x-kubernetes-validations: - - message: invalid email address - rule: self.matches('^\\S+@\\S+$') - required: - - oidcIssuer - - signedEmail - type: object - rekorKeyData: - description: |- - rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - required: - - fulcioCAData - - fulcioSubject - - rekorKeyData - type: object - pki: - description: pki defines the root of trust based on Bring - Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and - corresponding intermediate certificates. - properties: - caIntermediatesData: - description: |- - caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. - caIntermediatesData requires caRootsData to be set. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the caIntermediatesData must start with base64 - encoding of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the caIntermediatesData must end with base64 - encoding of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - - message: caIntermediatesData must be base64 encoding - of valid PEM format data contain the same number of - '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' - markers. - rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() - == string(self).findAll('-----END CERTIFICATE-----').size() - caRootsData: - description: caRootsData contains base64-encoded data - of a certificate bundle PEM file, which contains one - or more CA roots in the PEM format. The total length - of the data must not exceed 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the caRootsData must start with base64 encoding - of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the caRootsData must end with base64 encoding - of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - - message: caRootsData must be base64 encoding of valid - PEM format data contain the same number of '-----BEGIN - CERTIFICATE-----' and '-----END CERTIFICATE-----' - markers. - rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() - == string(self).findAll('-----END CERTIFICATE-----').size() - pkiCertificateSubject: - description: pkiCertificateSubject defines the requirements - imposed on the subject to which the certificate was - issued. - properties: - email: - description: |- - email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. - The email should be a valid email address and at most 320 characters in length. - maxLength: 320 - type: string - x-kubernetes-validations: - - message: invalid email address in pkiCertificateSubject - rule: self.matches('^\\S+@\\S+$') - hostname: - description: |- - hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. - The hostname should be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. - It should consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: hostname should be a valid dns 1123 subdomain - name, optionally prefixed by '*.'. It should consist - only of lowercase alphanumeric characters, hyphens, - periods and the optional preceding asterisk. - rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', - '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' - type: object - x-kubernetes-validations: - - message: at least one of email or hostname must be set - in pkiCertificateSubject - rule: has(self.email) || has(self.hostname) - required: - - caRootsData - - pkiCertificateSubject - type: object - policyType: - description: |- - policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. - "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. - "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. - "PKI" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. - enum: - - PublicKey - - FulcioCAWithRekor - - PKI - type: string - publicKey: - description: publicKey defines the root of trust based on - a sigstore public key. - properties: - keyData: - description: |- - keyData contains inline base64-encoded data for the PEM format public key. - KeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - rekorKeyData: - description: |- - rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - required: - - keyData - type: object - required: - - policyType - type: object - x-kubernetes-validations: - - message: pki is required when policyType is PKI, and forbidden - otherwise - rule: 'has(self.policyType) && self.policyType == ''PKI'' ? - has(self.pki) : !has(self.pki)' - - message: publicKey is required when policyType is PublicKey, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''PublicKey'' - ? has(self.publicKey) : !has(self.publicKey)' - - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' - ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' - signedIdentity: - description: signedIdentity specifies what image identity the - signature claims about the image. The required matchPolicy field - specifies the approach used in the verification process to verify - the identity in the signature and the actual image identity, - the default matchPolicy is "MatchRepoDigestOrExact". - properties: - exactRepository: - description: exactRepository is required if matchPolicy is - set to "ExactRepository". - properties: - repository: - description: |- - repository is the reference of the image identity to be matched. - The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - repository - type: object - matchPolicy: - description: |- - matchPolicy sets the type of matching to be used. - Valid values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". - If set matchPolicy to ExactRepository, then the exactRepository must be specified. - If set matchPolicy to RemapIdentity, then the remapIdentity must be specified. - "MatchRepoDigestOrExact" means that the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. - "MatchRepository" means that the identity in the signature must be in the same repository as the image identity. - "ExactRepository" means that the identity in the signature must be in the same repository as a specific identity specified by "repository". - "RemapIdentity" means that the signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. - enum: - - MatchRepoDigestOrExact - - MatchRepository - - ExactRepository - - RemapIdentity - type: string - remapIdentity: - description: remapIdentity is required if matchPolicy is set - to "RemapIdentity". - properties: - prefix: - description: |- - prefix is the prefix of the image identity to be matched. - If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). - This useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. - The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - signedPrefix: - description: |- - signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - prefix - - signedPrefix - type: object - required: - - matchPolicy - type: object - x-kubernetes-validations: - - message: exactRepository is required when matchPolicy is ExactRepository, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') - ? has(self.exactRepository) : !has(self.exactRepository)' - - message: remapIdentity is required when matchPolicy is RemapIdentity, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') - ? has(self.remapIdentity) : !has(self.remapIdentity)' - required: - - rootOfTrust - type: object - scopes: - description: |- - scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". - Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). - More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository - namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). - Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. - If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. - In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories - quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. - If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. - For additional details about the format, please refer to the document explaining the docker transport field, - which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker - items: - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid image scope format, scope must contain a fully - qualified domain name or 'localhost' - rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] - == ''localhost'' : true' - - message: invalid image scope with wildcard, a wildcard can only - be at the start of the domain and is only supported for subdomain - matching, not path matching - rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') - : true' - - message: invalid repository namespace or image specification in - the image scope - rule: '!self.contains(''*'') ? self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') - : true' - maxItems: 256 - type: array - x-kubernetes-list-type: set - required: - - policy - - scopes - type: object - status: - description: status contains the observed state of the resource. - properties: - conditions: - description: conditions provide details on the status of this API - Resource. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies.crd.yaml deleted file mode 100644 index 1b5c0cc4a40..00000000000 --- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies.crd.yaml +++ /dev/null @@ -1,442 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/1457 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - name: imagepolicies.config.openshift.io -spec: - group: config.openshift.io - names: - kind: ImagePolicy - listKind: ImagePolicyList - plural: imagepolicies - singular: imagepolicy - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ImagePolicy holds namespace-wide configuration for image signature verification - - Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec holds user settable values for configuration - properties: - policy: - description: |- - policy contains configuration to allow scopes to be verified, and defines how - images not matching the verification policy will be treated. - properties: - rootOfTrust: - description: rootOfTrust specifies the root of trust for the policy. - properties: - fulcioCAWithRekor: - description: |- - fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. - For more information about Fulcio and Rekor, please refer to the document at: - https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor - properties: - fulcioCAData: - description: |- - fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. - fulcioCAData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - fulcioSubject: - description: fulcioSubject specifies OIDC issuer and the - email of the Fulcio authentication configuration. - properties: - oidcIssuer: - description: |- - oidcIssuer contains the expected OIDC issuer. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. - Example: "https://expected.OIDC.issuer/" - type: string - x-kubernetes-validations: - - message: oidcIssuer must be a valid URL - rule: isURL(self) - signedEmail: - description: |- - signedEmail holds the email address the the Fulcio certificate is issued for. - Example: "expected-signing-user@example.com" - type: string - x-kubernetes-validations: - - message: invalid email address - rule: self.matches('^\\S+@\\S+$') - required: - - oidcIssuer - - signedEmail - type: object - rekorKeyData: - description: |- - rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - required: - - fulcioCAData - - fulcioSubject - - rekorKeyData - type: object - pki: - description: pki defines the root of trust based on Bring - Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and - corresponding intermediate certificates. - properties: - caIntermediatesData: - description: |- - caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. - caIntermediatesData requires caRootsData to be set. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the caIntermediatesData must start with base64 - encoding of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the caIntermediatesData must end with base64 - encoding of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - - message: caIntermediatesData must be base64 encoding - of valid PEM format data contain the same number of - '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' - markers. - rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() - == string(self).findAll('-----END CERTIFICATE-----').size() - caRootsData: - description: caRootsData contains base64-encoded data - of a certificate bundle PEM file, which contains one - or more CA roots in the PEM format. The total length - of the data must not exceed 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the caRootsData must start with base64 encoding - of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the caRootsData must end with base64 encoding - of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - - message: caRootsData must be base64 encoding of valid - PEM format data contain the same number of '-----BEGIN - CERTIFICATE-----' and '-----END CERTIFICATE-----' - markers. - rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() - == string(self).findAll('-----END CERTIFICATE-----').size() - pkiCertificateSubject: - description: pkiCertificateSubject defines the requirements - imposed on the subject to which the certificate was - issued. - properties: - email: - description: |- - email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. - The email should be a valid email address and at most 320 characters in length. - maxLength: 320 - type: string - x-kubernetes-validations: - - message: invalid email address in pkiCertificateSubject - rule: self.matches('^\\S+@\\S+$') - hostname: - description: |- - hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. - The hostname should be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. - It should consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: hostname should be a valid dns 1123 subdomain - name, optionally prefixed by '*.'. It should consist - only of lowercase alphanumeric characters, hyphens, - periods and the optional preceding asterisk. - rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', - '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' - type: object - x-kubernetes-validations: - - message: at least one of email or hostname must be set - in pkiCertificateSubject - rule: has(self.email) || has(self.hostname) - required: - - caRootsData - - pkiCertificateSubject - type: object - policyType: - description: |- - policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. - "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. - "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. - "PKI" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. - enum: - - PublicKey - - FulcioCAWithRekor - - PKI - type: string - publicKey: - description: publicKey defines the root of trust based on - a sigstore public key. - properties: - keyData: - description: |- - keyData contains inline base64-encoded data for the PEM format public key. - KeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - rekorKeyData: - description: |- - rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - required: - - keyData - type: object - required: - - policyType - type: object - x-kubernetes-validations: - - message: pki is required when policyType is PKI, and forbidden - otherwise - rule: 'has(self.policyType) && self.policyType == ''PKI'' ? - has(self.pki) : !has(self.pki)' - - message: publicKey is required when policyType is PublicKey, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''PublicKey'' - ? has(self.publicKey) : !has(self.publicKey)' - - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' - ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' - signedIdentity: - description: signedIdentity specifies what image identity the - signature claims about the image. The required matchPolicy field - specifies the approach used in the verification process to verify - the identity in the signature and the actual image identity, - the default matchPolicy is "MatchRepoDigestOrExact". - properties: - exactRepository: - description: exactRepository is required if matchPolicy is - set to "ExactRepository". - properties: - repository: - description: |- - repository is the reference of the image identity to be matched. - The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - repository - type: object - matchPolicy: - description: |- - matchPolicy sets the type of matching to be used. - Valid values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". - If set matchPolicy to ExactRepository, then the exactRepository must be specified. - If set matchPolicy to RemapIdentity, then the remapIdentity must be specified. - "MatchRepoDigestOrExact" means that the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. - "MatchRepository" means that the identity in the signature must be in the same repository as the image identity. - "ExactRepository" means that the identity in the signature must be in the same repository as a specific identity specified by "repository". - "RemapIdentity" means that the signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. - enum: - - MatchRepoDigestOrExact - - MatchRepository - - ExactRepository - - RemapIdentity - type: string - remapIdentity: - description: remapIdentity is required if matchPolicy is set - to "RemapIdentity". - properties: - prefix: - description: |- - prefix is the prefix of the image identity to be matched. - If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). - This useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. - The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - signedPrefix: - description: |- - signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - prefix - - signedPrefix - type: object - required: - - matchPolicy - type: object - x-kubernetes-validations: - - message: exactRepository is required when matchPolicy is ExactRepository, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') - ? has(self.exactRepository) : !has(self.exactRepository)' - - message: remapIdentity is required when matchPolicy is RemapIdentity, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') - ? has(self.remapIdentity) : !has(self.remapIdentity)' - required: - - rootOfTrust - type: object - scopes: - description: |- - scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". - Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). - More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository - namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). - Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. - If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. - In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories - quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. - If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. - For additional details about the format, please refer to the document explaining the docker transport field, - which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker - items: - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid image scope format, scope must contain a fully - qualified domain name or 'localhost' - rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] - == ''localhost'' : true' - - message: invalid image scope with wildcard, a wildcard can only - be at the start of the domain and is only supported for subdomain - matching, not path matching - rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') - : true' - - message: invalid repository namespace or image specification in - the image scope - rule: '!self.contains(''*'') ? self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') - : true' - maxItems: 256 - type: array - x-kubernetes-list-type: set - required: - - policy - - scopes - type: object - status: - description: status contains the observed state of the resource. - properties: - conditions: - description: conditions provide details on the status of this API - Resource. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml deleted file mode 100644 index 425711cb0d2..00000000000 --- a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml +++ /dev/null @@ -1,350 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/1457 - api.openshift.io/filename-cvo-runlevel: "0000_10" - api.openshift.io/filename-operator: config-operator - api.openshift.io/filename-ordering: "01" - feature-gate.release.openshift.io/SigstoreImageVerification: "true" - name: clusterimagepolicies.config.openshift.io -spec: - group: config.openshift.io - names: - kind: ClusterImagePolicy - listKind: ClusterImagePolicyList - plural: clusterimagepolicies - singular: clusterimagepolicy - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ClusterImagePolicy holds cluster-wide configuration for image signature verification - - Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec contains the configuration for the cluster image policy. - properties: - policy: - description: |- - policy contains configuration to allow scopes to be verified, and defines how - images not matching the verification policy will be treated. - properties: - rootOfTrust: - description: rootOfTrust specifies the root of trust for the policy. - properties: - fulcioCAWithRekor: - description: |- - fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. - For more information about Fulcio and Rekor, please refer to the document at: - https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor - properties: - fulcioCAData: - description: |- - fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. - fulcioCAData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - fulcioSubject: - description: fulcioSubject specifies OIDC issuer and the - email of the Fulcio authentication configuration. - properties: - oidcIssuer: - description: |- - oidcIssuer contains the expected OIDC issuer. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. - Example: "https://expected.OIDC.issuer/" - type: string - x-kubernetes-validations: - - message: oidcIssuer must be a valid URL - rule: isURL(self) - signedEmail: - description: |- - signedEmail holds the email address the the Fulcio certificate is issued for. - Example: "expected-signing-user@example.com" - type: string - x-kubernetes-validations: - - message: invalid email address - rule: self.matches('^\\S+@\\S+$') - required: - - oidcIssuer - - signedEmail - type: object - rekorKeyData: - description: |- - rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - required: - - fulcioCAData - - fulcioSubject - - rekorKeyData - type: object - policyType: - description: |- - policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. - "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. - "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. - "PKI" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. - type: string - publicKey: - description: publicKey defines the root of trust based on - a sigstore public key. - properties: - keyData: - description: |- - keyData contains inline base64-encoded data for the PEM format public key. - KeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - rekorKeyData: - description: |- - rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - required: - - keyData - type: object - required: - - policyType - type: object - x-kubernetes-validations: - - message: publicKey is required when policyType is PublicKey, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''PublicKey'' - ? has(self.publicKey) : !has(self.publicKey)' - - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' - ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' - signedIdentity: - description: signedIdentity specifies what image identity the - signature claims about the image. The required matchPolicy field - specifies the approach used in the verification process to verify - the identity in the signature and the actual image identity, - the default matchPolicy is "MatchRepoDigestOrExact". - properties: - exactRepository: - description: exactRepository is required if matchPolicy is - set to "ExactRepository". - properties: - repository: - description: |- - repository is the reference of the image identity to be matched. - The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - repository - type: object - matchPolicy: - description: |- - matchPolicy sets the type of matching to be used. - Valid values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". - If set matchPolicy to ExactRepository, then the exactRepository must be specified. - If set matchPolicy to RemapIdentity, then the remapIdentity must be specified. - "MatchRepoDigestOrExact" means that the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. - "MatchRepository" means that the identity in the signature must be in the same repository as the image identity. - "ExactRepository" means that the identity in the signature must be in the same repository as a specific identity specified by "repository". - "RemapIdentity" means that the signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. - enum: - - MatchRepoDigestOrExact - - MatchRepository - - ExactRepository - - RemapIdentity - type: string - remapIdentity: - description: remapIdentity is required if matchPolicy is set - to "RemapIdentity". - properties: - prefix: - description: |- - prefix is the prefix of the image identity to be matched. - If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). - This useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. - The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - signedPrefix: - description: |- - signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - prefix - - signedPrefix - type: object - required: - - matchPolicy - type: object - x-kubernetes-validations: - - message: exactRepository is required when matchPolicy is ExactRepository, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') - ? has(self.exactRepository) : !has(self.exactRepository)' - - message: remapIdentity is required when matchPolicy is RemapIdentity, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') - ? has(self.remapIdentity) : !has(self.remapIdentity)' - required: - - rootOfTrust - type: object - scopes: - description: |- - scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". - Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). - More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository - namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). - Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. - If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. - In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories - quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. - If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. - For additional details about the format, please refer to the document explaining the docker transport field, - which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker - items: - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid image scope format, scope must contain a fully - qualified domain name or 'localhost' - rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] - == ''localhost'' : true' - - message: invalid image scope with wildcard, a wildcard can only - be at the start of the domain and is only supported for subdomain - matching, not path matching - rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') - : true' - - message: invalid repository namespace or image specification in - the image scope - rule: '!self.contains(''*'') ? self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') - : true' - maxItems: 256 - type: array - x-kubernetes-list-type: set - required: - - policy - - scopes - type: object - status: - description: status contains the observed state of the resource. - properties: - conditions: - description: conditions provide details on the status of this API - Resource. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml deleted file mode 100644 index 7339a2c32e4..00000000000 --- a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml +++ /dev/null @@ -1,443 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/1457 - api.openshift.io/filename-cvo-runlevel: "0000_10" - api.openshift.io/filename-operator: config-operator - api.openshift.io/filename-ordering: "01" - feature-gate.release.openshift.io/SigstoreImageVerificationPKI: "true" - name: clusterimagepolicies.config.openshift.io -spec: - group: config.openshift.io - names: - kind: ClusterImagePolicy - listKind: ClusterImagePolicyList - plural: clusterimagepolicies - singular: clusterimagepolicy - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ClusterImagePolicy holds cluster-wide configuration for image signature verification - - Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec contains the configuration for the cluster image policy. - properties: - policy: - description: |- - policy contains configuration to allow scopes to be verified, and defines how - images not matching the verification policy will be treated. - properties: - rootOfTrust: - description: rootOfTrust specifies the root of trust for the policy. - properties: - fulcioCAWithRekor: - description: |- - fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. - For more information about Fulcio and Rekor, please refer to the document at: - https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor - properties: - fulcioCAData: - description: |- - fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. - fulcioCAData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - fulcioSubject: - description: fulcioSubject specifies OIDC issuer and the - email of the Fulcio authentication configuration. - properties: - oidcIssuer: - description: |- - oidcIssuer contains the expected OIDC issuer. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. - Example: "https://expected.OIDC.issuer/" - type: string - x-kubernetes-validations: - - message: oidcIssuer must be a valid URL - rule: isURL(self) - signedEmail: - description: |- - signedEmail holds the email address the the Fulcio certificate is issued for. - Example: "expected-signing-user@example.com" - type: string - x-kubernetes-validations: - - message: invalid email address - rule: self.matches('^\\S+@\\S+$') - required: - - oidcIssuer - - signedEmail - type: object - rekorKeyData: - description: |- - rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - required: - - fulcioCAData - - fulcioSubject - - rekorKeyData - type: object - pki: - description: pki defines the root of trust based on Bring - Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and - corresponding intermediate certificates. - properties: - caIntermediatesData: - description: |- - caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. - caIntermediatesData requires caRootsData to be set. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the caIntermediatesData must start with base64 - encoding of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the caIntermediatesData must end with base64 - encoding of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - - message: caIntermediatesData must be base64 encoding - of valid PEM format data contain the same number of - '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' - markers. - rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() - == string(self).findAll('-----END CERTIFICATE-----').size() - caRootsData: - description: caRootsData contains base64-encoded data - of a certificate bundle PEM file, which contains one - or more CA roots in the PEM format. The total length - of the data must not exceed 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the caRootsData must start with base64 encoding - of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the caRootsData must end with base64 encoding - of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - - message: caRootsData must be base64 encoding of valid - PEM format data contain the same number of '-----BEGIN - CERTIFICATE-----' and '-----END CERTIFICATE-----' - markers. - rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() - == string(self).findAll('-----END CERTIFICATE-----').size() - pkiCertificateSubject: - description: pkiCertificateSubject defines the requirements - imposed on the subject to which the certificate was - issued. - properties: - email: - description: |- - email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. - The email should be a valid email address and at most 320 characters in length. - maxLength: 320 - type: string - x-kubernetes-validations: - - message: invalid email address in pkiCertificateSubject - rule: self.matches('^\\S+@\\S+$') - hostname: - description: |- - hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. - The hostname should be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. - It should consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: hostname should be a valid dns 1123 subdomain - name, optionally prefixed by '*.'. It should consist - only of lowercase alphanumeric characters, hyphens, - periods and the optional preceding asterisk. - rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', - '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' - type: object - x-kubernetes-validations: - - message: at least one of email or hostname must be set - in pkiCertificateSubject - rule: has(self.email) || has(self.hostname) - required: - - caRootsData - - pkiCertificateSubject - type: object - policyType: - description: |- - policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. - "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. - "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. - "PKI" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. - enum: - - PublicKey - - FulcioCAWithRekor - - PKI - type: string - publicKey: - description: publicKey defines the root of trust based on - a sigstore public key. - properties: - keyData: - description: |- - keyData contains inline base64-encoded data for the PEM format public key. - KeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - rekorKeyData: - description: |- - rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - required: - - keyData - type: object - required: - - policyType - type: object - x-kubernetes-validations: - - message: pki is required when policyType is PKI, and forbidden - otherwise - rule: 'has(self.policyType) && self.policyType == ''PKI'' ? - has(self.pki) : !has(self.pki)' - - message: publicKey is required when policyType is PublicKey, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''PublicKey'' - ? has(self.publicKey) : !has(self.publicKey)' - - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' - ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' - signedIdentity: - description: signedIdentity specifies what image identity the - signature claims about the image. The required matchPolicy field - specifies the approach used in the verification process to verify - the identity in the signature and the actual image identity, - the default matchPolicy is "MatchRepoDigestOrExact". - properties: - exactRepository: - description: exactRepository is required if matchPolicy is - set to "ExactRepository". - properties: - repository: - description: |- - repository is the reference of the image identity to be matched. - The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - repository - type: object - matchPolicy: - description: |- - matchPolicy sets the type of matching to be used. - Valid values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". - If set matchPolicy to ExactRepository, then the exactRepository must be specified. - If set matchPolicy to RemapIdentity, then the remapIdentity must be specified. - "MatchRepoDigestOrExact" means that the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. - "MatchRepository" means that the identity in the signature must be in the same repository as the image identity. - "ExactRepository" means that the identity in the signature must be in the same repository as a specific identity specified by "repository". - "RemapIdentity" means that the signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. - enum: - - MatchRepoDigestOrExact - - MatchRepository - - ExactRepository - - RemapIdentity - type: string - remapIdentity: - description: remapIdentity is required if matchPolicy is set - to "RemapIdentity". - properties: - prefix: - description: |- - prefix is the prefix of the image identity to be matched. - If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). - This useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. - The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - signedPrefix: - description: |- - signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - prefix - - signedPrefix - type: object - required: - - matchPolicy - type: object - x-kubernetes-validations: - - message: exactRepository is required when matchPolicy is ExactRepository, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') - ? has(self.exactRepository) : !has(self.exactRepository)' - - message: remapIdentity is required when matchPolicy is RemapIdentity, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') - ? has(self.remapIdentity) : !has(self.remapIdentity)' - required: - - rootOfTrust - type: object - scopes: - description: |- - scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". - Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). - More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository - namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). - Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. - If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. - In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories - quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. - If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. - For additional details about the format, please refer to the document explaining the docker transport field, - which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker - items: - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid image scope format, scope must contain a fully - qualified domain name or 'localhost' - rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] - == ''localhost'' : true' - - message: invalid image scope with wildcard, a wildcard can only - be at the start of the domain and is only supported for subdomain - matching, not path matching - rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') - : true' - - message: invalid repository namespace or image specification in - the image scope - rule: '!self.contains(''*'') ? self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') - : true' - maxItems: 256 - type: array - x-kubernetes-list-type: set - required: - - policy - - scopes - type: object - status: - description: status contains the observed state of the resource. - properties: - conditions: - description: conditions provide details on the status of this API - Resource. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml deleted file mode 100644 index 3675dc8338d..00000000000 --- a/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml +++ /dev/null @@ -1,350 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/1457 - api.openshift.io/filename-cvo-runlevel: "0000_10" - api.openshift.io/filename-operator: config-operator - api.openshift.io/filename-ordering: "01" - feature-gate.release.openshift.io/SigstoreImageVerification: "true" - name: imagepolicies.config.openshift.io -spec: - group: config.openshift.io - names: - kind: ImagePolicy - listKind: ImagePolicyList - plural: imagepolicies - singular: imagepolicy - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ImagePolicy holds namespace-wide configuration for image signature verification - - Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec holds user settable values for configuration - properties: - policy: - description: |- - policy contains configuration to allow scopes to be verified, and defines how - images not matching the verification policy will be treated. - properties: - rootOfTrust: - description: rootOfTrust specifies the root of trust for the policy. - properties: - fulcioCAWithRekor: - description: |- - fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. - For more information about Fulcio and Rekor, please refer to the document at: - https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor - properties: - fulcioCAData: - description: |- - fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. - fulcioCAData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - fulcioSubject: - description: fulcioSubject specifies OIDC issuer and the - email of the Fulcio authentication configuration. - properties: - oidcIssuer: - description: |- - oidcIssuer contains the expected OIDC issuer. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. - Example: "https://expected.OIDC.issuer/" - type: string - x-kubernetes-validations: - - message: oidcIssuer must be a valid URL - rule: isURL(self) - signedEmail: - description: |- - signedEmail holds the email address the the Fulcio certificate is issued for. - Example: "expected-signing-user@example.com" - type: string - x-kubernetes-validations: - - message: invalid email address - rule: self.matches('^\\S+@\\S+$') - required: - - oidcIssuer - - signedEmail - type: object - rekorKeyData: - description: |- - rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - required: - - fulcioCAData - - fulcioSubject - - rekorKeyData - type: object - policyType: - description: |- - policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. - "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. - "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. - "PKI" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. - type: string - publicKey: - description: publicKey defines the root of trust based on - a sigstore public key. - properties: - keyData: - description: |- - keyData contains inline base64-encoded data for the PEM format public key. - KeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - rekorKeyData: - description: |- - rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - required: - - keyData - type: object - required: - - policyType - type: object - x-kubernetes-validations: - - message: publicKey is required when policyType is PublicKey, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''PublicKey'' - ? has(self.publicKey) : !has(self.publicKey)' - - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' - ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' - signedIdentity: - description: signedIdentity specifies what image identity the - signature claims about the image. The required matchPolicy field - specifies the approach used in the verification process to verify - the identity in the signature and the actual image identity, - the default matchPolicy is "MatchRepoDigestOrExact". - properties: - exactRepository: - description: exactRepository is required if matchPolicy is - set to "ExactRepository". - properties: - repository: - description: |- - repository is the reference of the image identity to be matched. - The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - repository - type: object - matchPolicy: - description: |- - matchPolicy sets the type of matching to be used. - Valid values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". - If set matchPolicy to ExactRepository, then the exactRepository must be specified. - If set matchPolicy to RemapIdentity, then the remapIdentity must be specified. - "MatchRepoDigestOrExact" means that the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. - "MatchRepository" means that the identity in the signature must be in the same repository as the image identity. - "ExactRepository" means that the identity in the signature must be in the same repository as a specific identity specified by "repository". - "RemapIdentity" means that the signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. - enum: - - MatchRepoDigestOrExact - - MatchRepository - - ExactRepository - - RemapIdentity - type: string - remapIdentity: - description: remapIdentity is required if matchPolicy is set - to "RemapIdentity". - properties: - prefix: - description: |- - prefix is the prefix of the image identity to be matched. - If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). - This useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. - The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - signedPrefix: - description: |- - signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - prefix - - signedPrefix - type: object - required: - - matchPolicy - type: object - x-kubernetes-validations: - - message: exactRepository is required when matchPolicy is ExactRepository, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') - ? has(self.exactRepository) : !has(self.exactRepository)' - - message: remapIdentity is required when matchPolicy is RemapIdentity, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') - ? has(self.remapIdentity) : !has(self.remapIdentity)' - required: - - rootOfTrust - type: object - scopes: - description: |- - scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". - Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). - More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository - namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). - Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. - If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. - In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories - quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. - If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. - For additional details about the format, please refer to the document explaining the docker transport field, - which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker - items: - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid image scope format, scope must contain a fully - qualified domain name or 'localhost' - rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] - == ''localhost'' : true' - - message: invalid image scope with wildcard, a wildcard can only - be at the start of the domain and is only supported for subdomain - matching, not path matching - rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') - : true' - - message: invalid repository namespace or image specification in - the image scope - rule: '!self.contains(''*'') ? self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') - : true' - maxItems: 256 - type: array - x-kubernetes-list-type: set - required: - - policy - - scopes - type: object - status: - description: status contains the observed state of the resource. - properties: - conditions: - description: conditions provide details on the status of this API - Resource. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml deleted file mode 100644 index b7ab3e4b9e6..00000000000 --- a/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml +++ /dev/null @@ -1,443 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/1457 - api.openshift.io/filename-cvo-runlevel: "0000_10" - api.openshift.io/filename-operator: config-operator - api.openshift.io/filename-ordering: "01" - feature-gate.release.openshift.io/SigstoreImageVerificationPKI: "true" - name: imagepolicies.config.openshift.io -spec: - group: config.openshift.io - names: - kind: ImagePolicy - listKind: ImagePolicyList - plural: imagepolicies - singular: imagepolicy - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ImagePolicy holds namespace-wide configuration for image signature verification - - Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec holds user settable values for configuration - properties: - policy: - description: |- - policy contains configuration to allow scopes to be verified, and defines how - images not matching the verification policy will be treated. - properties: - rootOfTrust: - description: rootOfTrust specifies the root of trust for the policy. - properties: - fulcioCAWithRekor: - description: |- - fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. - For more information about Fulcio and Rekor, please refer to the document at: - https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor - properties: - fulcioCAData: - description: |- - fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. - fulcioCAData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - fulcioSubject: - description: fulcioSubject specifies OIDC issuer and the - email of the Fulcio authentication configuration. - properties: - oidcIssuer: - description: |- - oidcIssuer contains the expected OIDC issuer. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. - Example: "https://expected.OIDC.issuer/" - type: string - x-kubernetes-validations: - - message: oidcIssuer must be a valid URL - rule: isURL(self) - signedEmail: - description: |- - signedEmail holds the email address the the Fulcio certificate is issued for. - Example: "expected-signing-user@example.com" - type: string - x-kubernetes-validations: - - message: invalid email address - rule: self.matches('^\\S+@\\S+$') - required: - - oidcIssuer - - signedEmail - type: object - rekorKeyData: - description: |- - rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - required: - - fulcioCAData - - fulcioSubject - - rekorKeyData - type: object - pki: - description: pki defines the root of trust based on Bring - Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and - corresponding intermediate certificates. - properties: - caIntermediatesData: - description: |- - caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. - caIntermediatesData requires caRootsData to be set. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the caIntermediatesData must start with base64 - encoding of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the caIntermediatesData must end with base64 - encoding of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - - message: caIntermediatesData must be base64 encoding - of valid PEM format data contain the same number of - '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' - markers. - rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() - == string(self).findAll('-----END CERTIFICATE-----').size() - caRootsData: - description: caRootsData contains base64-encoded data - of a certificate bundle PEM file, which contains one - or more CA roots in the PEM format. The total length - of the data must not exceed 8192 characters. - format: byte - maxLength: 8192 - type: string - x-kubernetes-validations: - - message: the caRootsData must start with base64 encoding - of '-----BEGIN CERTIFICATE-----'. - rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') - - message: the caRootsData must end with base64 encoding - of '-----END CERTIFICATE-----'. - rule: string(self).endsWith('-----END CERTIFICATE-----\n') - || string(self).endsWith('-----END CERTIFICATE-----') - - message: caRootsData must be base64 encoding of valid - PEM format data contain the same number of '-----BEGIN - CERTIFICATE-----' and '-----END CERTIFICATE-----' - markers. - rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() - == string(self).findAll('-----END CERTIFICATE-----').size() - pkiCertificateSubject: - description: pkiCertificateSubject defines the requirements - imposed on the subject to which the certificate was - issued. - properties: - email: - description: |- - email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. - The email should be a valid email address and at most 320 characters in length. - maxLength: 320 - type: string - x-kubernetes-validations: - - message: invalid email address in pkiCertificateSubject - rule: self.matches('^\\S+@\\S+$') - hostname: - description: |- - hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. - The hostname should be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. - It should consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: hostname should be a valid dns 1123 subdomain - name, optionally prefixed by '*.'. It should consist - only of lowercase alphanumeric characters, hyphens, - periods and the optional preceding asterisk. - rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', - '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' - type: object - x-kubernetes-validations: - - message: at least one of email or hostname must be set - in pkiCertificateSubject - rule: has(self.email) || has(self.hostname) - required: - - caRootsData - - pkiCertificateSubject - type: object - policyType: - description: |- - policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. - "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. - "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. - "PKI" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. - enum: - - PublicKey - - FulcioCAWithRekor - - PKI - type: string - publicKey: - description: publicKey defines the root of trust based on - a sigstore public key. - properties: - keyData: - description: |- - keyData contains inline base64-encoded data for the PEM format public key. - KeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - rekorKeyData: - description: |- - rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. - rekorKeyData must be at most 8192 characters. - format: byte - maxLength: 8192 - type: string - required: - - keyData - type: object - required: - - policyType - type: object - x-kubernetes-validations: - - message: pki is required when policyType is PKI, and forbidden - otherwise - rule: 'has(self.policyType) && self.policyType == ''PKI'' ? - has(self.pki) : !has(self.pki)' - - message: publicKey is required when policyType is PublicKey, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''PublicKey'' - ? has(self.publicKey) : !has(self.publicKey)' - - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, - and forbidden otherwise - rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' - ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' - signedIdentity: - description: signedIdentity specifies what image identity the - signature claims about the image. The required matchPolicy field - specifies the approach used in the verification process to verify - the identity in the signature and the actual image identity, - the default matchPolicy is "MatchRepoDigestOrExact". - properties: - exactRepository: - description: exactRepository is required if matchPolicy is - set to "ExactRepository". - properties: - repository: - description: |- - repository is the reference of the image identity to be matched. - The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - repository - type: object - matchPolicy: - description: |- - matchPolicy sets the type of matching to be used. - Valid values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". - If set matchPolicy to ExactRepository, then the exactRepository must be specified. - If set matchPolicy to RemapIdentity, then the remapIdentity must be specified. - "MatchRepoDigestOrExact" means that the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. - "MatchRepository" means that the identity in the signature must be in the same repository as the image identity. - "ExactRepository" means that the identity in the signature must be in the same repository as a specific identity specified by "repository". - "RemapIdentity" means that the signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. - enum: - - MatchRepoDigestOrExact - - MatchRepository - - ExactRepository - - RemapIdentity - type: string - remapIdentity: - description: remapIdentity is required if matchPolicy is set - to "RemapIdentity". - properties: - prefix: - description: |- - prefix is the prefix of the image identity to be matched. - If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). - This useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. - The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - signedPrefix: - description: |- - signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, - or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. - For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid repository or prefix in the signedIdentity, - should not include the tag or digest - rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? - self.matches(''^(localhost:[0-9]+)$''): true' - - message: invalid repository or prefix in the signedIdentity - rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') - required: - - prefix - - signedPrefix - type: object - required: - - matchPolicy - type: object - x-kubernetes-validations: - - message: exactRepository is required when matchPolicy is ExactRepository, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') - ? has(self.exactRepository) : !has(self.exactRepository)' - - message: remapIdentity is required when matchPolicy is RemapIdentity, - and forbidden otherwise - rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') - ? has(self.remapIdentity) : !has(self.remapIdentity)' - required: - - rootOfTrust - type: object - scopes: - description: |- - scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". - Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). - More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository - namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). - Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. - If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. - In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories - quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. - If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. - For additional details about the format, please refer to the document explaining the docker transport field, - which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker - items: - maxLength: 512 - type: string - x-kubernetes-validations: - - message: invalid image scope format, scope must contain a fully - qualified domain name or 'localhost' - rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] - == ''localhost'' : true' - - message: invalid image scope with wildcard, a wildcard can only - be at the start of the domain and is only supported for subdomain - matching, not path matching - rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') - : true' - - message: invalid repository namespace or image specification in - the image scope - rule: '!self.contains(''*'') ? self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') - : true' - maxItems: 256 - type: array - x-kubernetes-list-type: set - required: - - policy - - scopes - type: object - status: - description: status contains the observed state of the resource. - properties: - conditions: - description: conditions provide details on the status of this API - Resource. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} From 7b00e56de124911026fbf2dffacc81b4ef124fad Mon Sep 17 00:00:00 2001 From: "W. Trevor King" Date: Fri, 13 Mar 2026 15:25:11 -0700 Subject: [PATCH 2/2] *: Renenerate after removing v1alpha1 (Cluster)ImagePolicy Generated with: $ PROTO_OPTIONAL=1 make update --- config/v1alpha1/zz_generated.deepcopy.go | 431 --------- ..._generated.featuregated-crd-manifests.yaml | 48 - .../zz_generated.swagger_doc_generated.go | 178 ---- .../generated_openapi/zz_generated.openapi.go | 826 ++---------------- 4 files changed, 52 insertions(+), 1431 deletions(-) diff --git a/config/v1alpha1/zz_generated.deepcopy.go b/config/v1alpha1/zz_generated.deepcopy.go index 92adab71880..ad6afabff98 100644 --- a/config/v1alpha1/zz_generated.deepcopy.go +++ b/config/v1alpha1/zz_generated.deepcopy.go @@ -376,112 +376,6 @@ func (in *CertificateConfig) DeepCopy() *CertificateConfig { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ClusterImagePolicy) DeepCopyInto(out *ClusterImagePolicy) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) - in.Status.DeepCopyInto(&out.Status) - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicy. -func (in *ClusterImagePolicy) DeepCopy() *ClusterImagePolicy { - if in == nil { - return nil - } - out := new(ClusterImagePolicy) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *ClusterImagePolicy) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ClusterImagePolicyList) DeepCopyInto(out *ClusterImagePolicyList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]ClusterImagePolicy, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicyList. -func (in *ClusterImagePolicyList) DeepCopy() *ClusterImagePolicyList { - if in == nil { - return nil - } - out := new(ClusterImagePolicyList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *ClusterImagePolicyList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ClusterImagePolicySpec) DeepCopyInto(out *ClusterImagePolicySpec) { - *out = *in - if in.Scopes != nil { - in, out := &in.Scopes, &out.Scopes - *out = make([]ImageScope, len(*in)) - copy(*out, *in) - } - in.Policy.DeepCopyInto(&out.Policy) - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicySpec. -func (in *ClusterImagePolicySpec) DeepCopy() *ClusterImagePolicySpec { - if in == nil { - return nil - } - out := new(ClusterImagePolicySpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ClusterImagePolicyStatus) DeepCopyInto(out *ClusterImagePolicyStatus) { - *out = *in - if in.Conditions != nil { - in, out := &in.Conditions, &out.Conditions - *out = make([]metav1.Condition, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicyStatus. -func (in *ClusterImagePolicyStatus) DeepCopy() *ClusterImagePolicyStatus { - if in == nil { - return nil - } - out := new(ClusterImagePolicyStatus) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ClusterMonitoring) DeepCopyInto(out *ClusterMonitoring) { *out = *in @@ -725,210 +619,6 @@ func (in *HashModActionConfig) DeepCopy() *HashModActionConfig { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ImagePolicy) DeepCopyInto(out *ImagePolicy) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) - in.Status.DeepCopyInto(&out.Status) - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicy. -func (in *ImagePolicy) DeepCopy() *ImagePolicy { - if in == nil { - return nil - } - out := new(ImagePolicy) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *ImagePolicy) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ImagePolicyFulcioCAWithRekorRootOfTrust) DeepCopyInto(out *ImagePolicyFulcioCAWithRekorRootOfTrust) { - *out = *in - if in.FulcioCAData != nil { - in, out := &in.FulcioCAData, &out.FulcioCAData - *out = make([]byte, len(*in)) - copy(*out, *in) - } - if in.RekorKeyData != nil { - in, out := &in.RekorKeyData, &out.RekorKeyData - *out = make([]byte, len(*in)) - copy(*out, *in) - } - out.FulcioSubject = in.FulcioSubject - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyFulcioCAWithRekorRootOfTrust. -func (in *ImagePolicyFulcioCAWithRekorRootOfTrust) DeepCopy() *ImagePolicyFulcioCAWithRekorRootOfTrust { - if in == nil { - return nil - } - out := new(ImagePolicyFulcioCAWithRekorRootOfTrust) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ImagePolicyList) DeepCopyInto(out *ImagePolicyList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]ImagePolicy, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyList. -func (in *ImagePolicyList) DeepCopy() *ImagePolicyList { - if in == nil { - return nil - } - out := new(ImagePolicyList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *ImagePolicyList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ImagePolicyPKIRootOfTrust) DeepCopyInto(out *ImagePolicyPKIRootOfTrust) { - *out = *in - if in.CertificateAuthorityRootsData != nil { - in, out := &in.CertificateAuthorityRootsData, &out.CertificateAuthorityRootsData - *out = make([]byte, len(*in)) - copy(*out, *in) - } - if in.CertificateAuthorityIntermediatesData != nil { - in, out := &in.CertificateAuthorityIntermediatesData, &out.CertificateAuthorityIntermediatesData - *out = make([]byte, len(*in)) - copy(*out, *in) - } - out.PKICertificateSubject = in.PKICertificateSubject - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyPKIRootOfTrust. -func (in *ImagePolicyPKIRootOfTrust) DeepCopy() *ImagePolicyPKIRootOfTrust { - if in == nil { - return nil - } - out := new(ImagePolicyPKIRootOfTrust) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ImagePolicyPublicKeyRootOfTrust) DeepCopyInto(out *ImagePolicyPublicKeyRootOfTrust) { - *out = *in - if in.KeyData != nil { - in, out := &in.KeyData, &out.KeyData - *out = make([]byte, len(*in)) - copy(*out, *in) - } - if in.RekorKeyData != nil { - in, out := &in.RekorKeyData, &out.RekorKeyData - *out = make([]byte, len(*in)) - copy(*out, *in) - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyPublicKeyRootOfTrust. -func (in *ImagePolicyPublicKeyRootOfTrust) DeepCopy() *ImagePolicyPublicKeyRootOfTrust { - if in == nil { - return nil - } - out := new(ImagePolicyPublicKeyRootOfTrust) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ImagePolicySpec) DeepCopyInto(out *ImagePolicySpec) { - *out = *in - if in.Scopes != nil { - in, out := &in.Scopes, &out.Scopes - *out = make([]ImageScope, len(*in)) - copy(*out, *in) - } - in.Policy.DeepCopyInto(&out.Policy) - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicySpec. -func (in *ImagePolicySpec) DeepCopy() *ImagePolicySpec { - if in == nil { - return nil - } - out := new(ImagePolicySpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ImagePolicyStatus) DeepCopyInto(out *ImagePolicyStatus) { - *out = *in - if in.Conditions != nil { - in, out := &in.Conditions, &out.Conditions - *out = make([]metav1.Condition, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyStatus. -func (in *ImagePolicyStatus) DeepCopy() *ImagePolicyStatus { - if in == nil { - return nil - } - out := new(ImagePolicyStatus) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ImageSigstoreVerificationPolicy) DeepCopyInto(out *ImageSigstoreVerificationPolicy) { - *out = *in - in.RootOfTrust.DeepCopyInto(&out.RootOfTrust) - in.SignedIdentity.DeepCopyInto(&out.SignedIdentity) - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageSigstoreVerificationPolicy. -func (in *ImageSigstoreVerificationPolicy) DeepCopy() *ImageSigstoreVerificationPolicy { - if in == nil { - return nil - } - out := new(ImageSigstoreVerificationPolicy) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *InsightsDataGather) DeepCopyInto(out *InsightsDataGather) { *out = *in @@ -1322,22 +1012,6 @@ func (in *PKICertificateManagement) DeepCopy() *PKICertificateManagement { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *PKICertificateSubject) DeepCopyInto(out *PKICertificateSubject) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKICertificateSubject. -func (in *PKICertificateSubject) DeepCopy() *PKICertificateSubject { - if in == nil { - return nil - } - out := new(PKICertificateSubject) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PKIList) DeepCopyInto(out *PKIList) { *out = *in @@ -1441,111 +1115,6 @@ func (in *PersistentVolumeConfig) DeepCopy() *PersistentVolumeConfig { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *PolicyFulcioSubject) DeepCopyInto(out *PolicyFulcioSubject) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyFulcioSubject. -func (in *PolicyFulcioSubject) DeepCopy() *PolicyFulcioSubject { - if in == nil { - return nil - } - out := new(PolicyFulcioSubject) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *PolicyIdentity) DeepCopyInto(out *PolicyIdentity) { - *out = *in - if in.PolicyMatchExactRepository != nil { - in, out := &in.PolicyMatchExactRepository, &out.PolicyMatchExactRepository - *out = new(PolicyMatchExactRepository) - **out = **in - } - if in.PolicyMatchRemapIdentity != nil { - in, out := &in.PolicyMatchRemapIdentity, &out.PolicyMatchRemapIdentity - *out = new(PolicyMatchRemapIdentity) - **out = **in - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyIdentity. -func (in *PolicyIdentity) DeepCopy() *PolicyIdentity { - if in == nil { - return nil - } - out := new(PolicyIdentity) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *PolicyMatchExactRepository) DeepCopyInto(out *PolicyMatchExactRepository) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyMatchExactRepository. -func (in *PolicyMatchExactRepository) DeepCopy() *PolicyMatchExactRepository { - if in == nil { - return nil - } - out := new(PolicyMatchExactRepository) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *PolicyMatchRemapIdentity) DeepCopyInto(out *PolicyMatchRemapIdentity) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyMatchRemapIdentity. -func (in *PolicyMatchRemapIdentity) DeepCopy() *PolicyMatchRemapIdentity { - if in == nil { - return nil - } - out := new(PolicyMatchRemapIdentity) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *PolicyRootOfTrust) DeepCopyInto(out *PolicyRootOfTrust) { - *out = *in - if in.PublicKey != nil { - in, out := &in.PublicKey, &out.PublicKey - *out = new(ImagePolicyPublicKeyRootOfTrust) - (*in).DeepCopyInto(*out) - } - if in.FulcioCAWithRekor != nil { - in, out := &in.FulcioCAWithRekor, &out.FulcioCAWithRekor - *out = new(ImagePolicyFulcioCAWithRekorRootOfTrust) - (*in).DeepCopyInto(*out) - } - if in.PKI != nil { - in, out := &in.PKI, &out.PKI - *out = new(ImagePolicyPKIRootOfTrust) - (*in).DeepCopyInto(*out) - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyRootOfTrust. -func (in *PolicyRootOfTrust) DeepCopy() *PolicyRootOfTrust { - if in == nil { - return nil - } - out := new(PolicyRootOfTrust) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PrometheusConfig) DeepCopyInto(out *PrometheusConfig) { *out = *in diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml index dc2d249a997..b2a12419377 100644 --- a/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml +++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml @@ -44,30 +44,6 @@ criocredentialproviderconfigs.config.openshift.io: - CRIOCredentialProviderConfig Version: v1alpha1 -clusterimagepolicies.config.openshift.io: - Annotations: {} - ApprovedPRNumber: https://github.com/openshift/api/pull/1457 - CRDName: clusterimagepolicies.config.openshift.io - Capability: "" - Category: "" - FeatureGates: - - SigstoreImageVerification - - SigstoreImageVerificationPKI - FilenameOperatorName: config-operator - FilenameOperatorOrdering: "01" - FilenameRunLevel: "0000_10" - GroupName: config.openshift.io - HasStatus: true - KindName: ClusterImagePolicy - Labels: {} - PluralName: clusterimagepolicies - PrinterColumns: [] - Scope: Cluster - ShortNames: null - TopLevelFeatureGates: - - SigstoreImageVerification - Version: v1alpha1 - clustermonitorings.config.openshift.io: Annotations: description: Cluster Monitoring Operators configuration API @@ -92,30 +68,6 @@ clustermonitorings.config.openshift.io: - ClusterMonitoringConfig Version: v1alpha1 -imagepolicies.config.openshift.io: - Annotations: {} - ApprovedPRNumber: https://github.com/openshift/api/pull/1457 - CRDName: imagepolicies.config.openshift.io - Capability: "" - Category: "" - FeatureGates: - - SigstoreImageVerification - - SigstoreImageVerificationPKI - FilenameOperatorName: config-operator - FilenameOperatorOrdering: "01" - FilenameRunLevel: "0000_10" - GroupName: config.openshift.io - HasStatus: true - KindName: ImagePolicy - Labels: {} - PluralName: imagepolicies - PrinterColumns: [] - Scope: Namespaced - ShortNames: null - TopLevelFeatureGates: - - SigstoreImageVerification - Version: v1alpha1 - insightsdatagathers.config.openshift.io: Annotations: {} ApprovedPRNumber: https://github.com/openshift/api/pull/1245 diff --git a/config/v1alpha1/zz_generated.swagger_doc_generated.go b/config/v1alpha1/zz_generated.swagger_doc_generated.go index 6ab03a158f9..b79cbbf774d 100644 --- a/config/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/config/v1alpha1/zz_generated.swagger_doc_generated.go @@ -80,44 +80,6 @@ func (RetentionSizeConfig) SwaggerDoc() map[string]string { return map_RetentionSizeConfig } -var map_ClusterImagePolicy = map[string]string{ - "": "ClusterImagePolicy holds cluster-wide configuration for image signature verification\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "spec": "spec contains the configuration for the cluster image policy.", - "status": "status contains the observed state of the resource.", -} - -func (ClusterImagePolicy) SwaggerDoc() map[string]string { - return map_ClusterImagePolicy -} - -var map_ClusterImagePolicyList = map[string]string{ - "": "ClusterImagePolicyList is a list of ClusterImagePolicy resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - "metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", -} - -func (ClusterImagePolicyList) SwaggerDoc() map[string]string { - return map_ClusterImagePolicyList -} - -var map_ClusterImagePolicySpec = map[string]string{ - "": "CLusterImagePolicySpec is the specification of the ClusterImagePolicy custom resource.", - "scopes": "scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", - "policy": "policy contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", -} - -func (ClusterImagePolicySpec) SwaggerDoc() map[string]string { - return map_ClusterImagePolicySpec -} - -var map_ClusterImagePolicyStatus = map[string]string{ - "conditions": "conditions provide details on the status of this API Resource.", -} - -func (ClusterImagePolicyStatus) SwaggerDoc() map[string]string { - return map_ClusterImagePolicyStatus -} - var map_AdditionalAlertmanagerConfig = map[string]string{ "": "AdditionalAlertmanagerConfig represents configuration for additional Alertmanager instances. The `AdditionalAlertmanagerConfig` resource defines settings for how a component communicates with additional Alertmanager instances.", "name": "name is a unique identifier for this Alertmanager configuration entry. The name must be a valid DNS subdomain (RFC 1123): lowercase alphanumeric characters, hyphens, or periods, and must start and end with an alphanumeric character. Minimum length is 1 character (empty string is invalid). Maximum length is 253 characters.", @@ -610,146 +572,6 @@ func (CRIOCredentialProviderConfigStatus) SwaggerDoc() map[string]string { return map_CRIOCredentialProviderConfigStatus } -var map_ImagePolicy = map[string]string{ - "": "ImagePolicy holds namespace-wide configuration for image signature verification\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "spec": "spec holds user settable values for configuration", - "status": "status contains the observed state of the resource.", -} - -func (ImagePolicy) SwaggerDoc() map[string]string { - return map_ImagePolicy -} - -var map_ImagePolicyFulcioCAWithRekorRootOfTrust = map[string]string{ - "": "ImagePolicyFulcioCAWithRekorRootOfTrust defines the root of trust based on the Fulcio certificate and the Rekor public key.", - "fulcioCAData": "fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.", - "rekorKeyData": "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", - "fulcioSubject": "fulcioSubject specifies OIDC issuer and the email of the Fulcio authentication configuration.", -} - -func (ImagePolicyFulcioCAWithRekorRootOfTrust) SwaggerDoc() map[string]string { - return map_ImagePolicyFulcioCAWithRekorRootOfTrust -} - -var map_ImagePolicyList = map[string]string{ - "": "ImagePolicyList is a list of ImagePolicy resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - "metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", -} - -func (ImagePolicyList) SwaggerDoc() map[string]string { - return map_ImagePolicyList -} - -var map_ImagePolicyPKIRootOfTrust = map[string]string{ - "": "ImagePolicyPKIRootOfTrust defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", - "caRootsData": "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. ", - "caIntermediatesData": "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set. ", - "pkiCertificateSubject": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", -} - -func (ImagePolicyPKIRootOfTrust) SwaggerDoc() map[string]string { - return map_ImagePolicyPKIRootOfTrust -} - -var map_ImagePolicyPublicKeyRootOfTrust = map[string]string{ - "": "ImagePolicyPublicKeyRootOfTrust defines the root of trust based on a sigstore public key.", - "keyData": "keyData contains inline base64-encoded data for the PEM format public key. KeyData must be at most 8192 characters.", - "rekorKeyData": "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", -} - -func (ImagePolicyPublicKeyRootOfTrust) SwaggerDoc() map[string]string { - return map_ImagePolicyPublicKeyRootOfTrust -} - -var map_ImagePolicySpec = map[string]string{ - "": "ImagePolicySpec is the specification of the ImagePolicy CRD.", - "scopes": "scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", - "policy": "policy contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", -} - -func (ImagePolicySpec) SwaggerDoc() map[string]string { - return map_ImagePolicySpec -} - -var map_ImagePolicyStatus = map[string]string{ - "conditions": "conditions provide details on the status of this API Resource.", -} - -func (ImagePolicyStatus) SwaggerDoc() map[string]string { - return map_ImagePolicyStatus -} - -var map_ImageSigstoreVerificationPolicy = map[string]string{ - "": "ImageSigstoreVerificationPolicy defines the verification policy for the items in the scopes list.", - "rootOfTrust": "rootOfTrust specifies the root of trust for the policy.", - "signedIdentity": "signedIdentity specifies what image identity the signature claims about the image. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", -} - -func (ImageSigstoreVerificationPolicy) SwaggerDoc() map[string]string { - return map_ImageSigstoreVerificationPolicy -} - -var map_PKICertificateSubject = map[string]string{ - "": "PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", - "email": "email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. The email should be a valid email address and at most 320 characters in length.", - "hostname": "hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. The hostname should be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. It should consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk.", -} - -func (PKICertificateSubject) SwaggerDoc() map[string]string { - return map_PKICertificateSubject -} - -var map_PolicyFulcioSubject = map[string]string{ - "": "PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration.", - "oidcIssuer": "oidcIssuer contains the expected OIDC issuer. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. Example: \"https://expected.OIDC.issuer/\"", - "signedEmail": "signedEmail holds the email address the the Fulcio certificate is issued for. Example: \"expected-signing-user@example.com\"", -} - -func (PolicyFulcioSubject) SwaggerDoc() map[string]string { - return map_PolicyFulcioSubject -} - -var map_PolicyIdentity = map[string]string{ - "": "PolicyIdentity defines image identity the signature claims about the image. When omitted, the default matchPolicy is \"MatchRepoDigestOrExact\".", - "matchPolicy": "matchPolicy sets the type of matching to be used. Valid values are \"MatchRepoDigestOrExact\", \"MatchRepository\", \"ExactRepository\", \"RemapIdentity\". When omitted, the default value is \"MatchRepoDigestOrExact\". If set matchPolicy to ExactRepository, then the exactRepository must be specified. If set matchPolicy to RemapIdentity, then the remapIdentity must be specified. \"MatchRepoDigestOrExact\" means that the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. \"MatchRepository\" means that the identity in the signature must be in the same repository as the image identity. \"ExactRepository\" means that the identity in the signature must be in the same repository as a specific identity specified by \"repository\". \"RemapIdentity\" means that the signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the \"prefix\" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix.", - "exactRepository": "exactRepository is required if matchPolicy is set to \"ExactRepository\".", - "remapIdentity": "remapIdentity is required if matchPolicy is set to \"RemapIdentity\".", -} - -func (PolicyIdentity) SwaggerDoc() map[string]string { - return map_PolicyIdentity -} - -var map_PolicyMatchExactRepository = map[string]string{ - "repository": "repository is the reference of the image identity to be matched. The value should be a repository name (by omitting the tag or digest) in a registry implementing the \"Docker Registry HTTP API V2\". For example, docker.io/library/busybox", -} - -func (PolicyMatchExactRepository) SwaggerDoc() map[string]string { - return map_PolicyMatchExactRepository -} - -var map_PolicyMatchRemapIdentity = map[string]string{ - "prefix": "prefix is the prefix of the image identity to be matched. If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). This useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.", - "signedPrefix": "signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as \"prefix\". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.", -} - -func (PolicyMatchRemapIdentity) SwaggerDoc() map[string]string { - return map_PolicyMatchRemapIdentity -} - -var map_PolicyRootOfTrust = map[string]string{ - "": "PolicyRootOfTrust defines the root of trust based on the selected policyType.", - "policyType": "policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. \"PublicKey\" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. \"FulcioCAWithRekor\" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. \"PKI\" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", - "publicKey": "publicKey defines the root of trust based on a sigstore public key.", - "fulcioCAWithRekor": "fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor", - "pki": "pki defines the root of trust based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates.", -} - -func (PolicyRootOfTrust) SwaggerDoc() map[string]string { - return map_PolicyRootOfTrust -} - var map_GatherConfig = map[string]string{ "": "gatherConfig provides data gathering configuration options.", "dataPolicy": "dataPolicy allows user to enable additional global obfuscation of the IP addresses and base domain in the Insights archive data. Valid values are \"None\" and \"ObfuscateNetworking\". When set to None the data is not obfuscated. When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.", diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index 80b41d270b5..0ab77079354 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -464,10 +464,6 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1alpha1.CRIOCredentialProviderConfigSpec": schema_openshift_api_config_v1alpha1_CRIOCredentialProviderConfigSpec(ref), "github.com/openshift/api/config/v1alpha1.CRIOCredentialProviderConfigStatus": schema_openshift_api_config_v1alpha1_CRIOCredentialProviderConfigStatus(ref), "github.com/openshift/api/config/v1alpha1.CertificateConfig": schema_openshift_api_config_v1alpha1_CertificateConfig(ref), - "github.com/openshift/api/config/v1alpha1.ClusterImagePolicy": schema_openshift_api_config_v1alpha1_ClusterImagePolicy(ref), - "github.com/openshift/api/config/v1alpha1.ClusterImagePolicyList": schema_openshift_api_config_v1alpha1_ClusterImagePolicyList(ref), - "github.com/openshift/api/config/v1alpha1.ClusterImagePolicySpec": schema_openshift_api_config_v1alpha1_ClusterImagePolicySpec(ref), - "github.com/openshift/api/config/v1alpha1.ClusterImagePolicyStatus": schema_openshift_api_config_v1alpha1_ClusterImagePolicyStatus(ref), "github.com/openshift/api/config/v1alpha1.ClusterMonitoring": schema_openshift_api_config_v1alpha1_ClusterMonitoring(ref), "github.com/openshift/api/config/v1alpha1.ClusterMonitoringList": schema_openshift_api_config_v1alpha1_ClusterMonitoringList(ref), "github.com/openshift/api/config/v1alpha1.ClusterMonitoringSpec": schema_openshift_api_config_v1alpha1_ClusterMonitoringSpec(ref), @@ -480,14 +476,6 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1alpha1.EtcdBackupSpec": schema_openshift_api_config_v1alpha1_EtcdBackupSpec(ref), "github.com/openshift/api/config/v1alpha1.GatherConfig": schema_openshift_api_config_v1alpha1_GatherConfig(ref), "github.com/openshift/api/config/v1alpha1.HashModActionConfig": schema_openshift_api_config_v1alpha1_HashModActionConfig(ref), - "github.com/openshift/api/config/v1alpha1.ImagePolicy": schema_openshift_api_config_v1alpha1_ImagePolicy(ref), - "github.com/openshift/api/config/v1alpha1.ImagePolicyFulcioCAWithRekorRootOfTrust": schema_openshift_api_config_v1alpha1_ImagePolicyFulcioCAWithRekorRootOfTrust(ref), - "github.com/openshift/api/config/v1alpha1.ImagePolicyList": schema_openshift_api_config_v1alpha1_ImagePolicyList(ref), - "github.com/openshift/api/config/v1alpha1.ImagePolicyPKIRootOfTrust": schema_openshift_api_config_v1alpha1_ImagePolicyPKIRootOfTrust(ref), - "github.com/openshift/api/config/v1alpha1.ImagePolicyPublicKeyRootOfTrust": schema_openshift_api_config_v1alpha1_ImagePolicyPublicKeyRootOfTrust(ref), - "github.com/openshift/api/config/v1alpha1.ImagePolicySpec": schema_openshift_api_config_v1alpha1_ImagePolicySpec(ref), - "github.com/openshift/api/config/v1alpha1.ImagePolicyStatus": schema_openshift_api_config_v1alpha1_ImagePolicyStatus(ref), - "github.com/openshift/api/config/v1alpha1.ImageSigstoreVerificationPolicy": schema_openshift_api_config_v1alpha1_ImageSigstoreVerificationPolicy(ref), "github.com/openshift/api/config/v1alpha1.InsightsDataGather": schema_openshift_api_config_v1alpha1_InsightsDataGather(ref), "github.com/openshift/api/config/v1alpha1.InsightsDataGatherList": schema_openshift_api_config_v1alpha1_InsightsDataGatherList(ref), "github.com/openshift/api/config/v1alpha1.InsightsDataGatherSpec": schema_openshift_api_config_v1alpha1_InsightsDataGatherSpec(ref), @@ -505,17 +493,11 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1alpha1.OpenShiftStateMetricsConfig": schema_openshift_api_config_v1alpha1_OpenShiftStateMetricsConfig(ref), "github.com/openshift/api/config/v1alpha1.PKI": schema_openshift_api_config_v1alpha1_PKI(ref), "github.com/openshift/api/config/v1alpha1.PKICertificateManagement": schema_openshift_api_config_v1alpha1_PKICertificateManagement(ref), - "github.com/openshift/api/config/v1alpha1.PKICertificateSubject": schema_openshift_api_config_v1alpha1_PKICertificateSubject(ref), "github.com/openshift/api/config/v1alpha1.PKIList": schema_openshift_api_config_v1alpha1_PKIList(ref), "github.com/openshift/api/config/v1alpha1.PKIProfile": schema_openshift_api_config_v1alpha1_PKIProfile(ref), "github.com/openshift/api/config/v1alpha1.PKISpec": schema_openshift_api_config_v1alpha1_PKISpec(ref), "github.com/openshift/api/config/v1alpha1.PersistentVolumeClaimReference": schema_openshift_api_config_v1alpha1_PersistentVolumeClaimReference(ref), "github.com/openshift/api/config/v1alpha1.PersistentVolumeConfig": schema_openshift_api_config_v1alpha1_PersistentVolumeConfig(ref), - "github.com/openshift/api/config/v1alpha1.PolicyFulcioSubject": schema_openshift_api_config_v1alpha1_PolicyFulcioSubject(ref), - "github.com/openshift/api/config/v1alpha1.PolicyIdentity": schema_openshift_api_config_v1alpha1_PolicyIdentity(ref), - "github.com/openshift/api/config/v1alpha1.PolicyMatchExactRepository": schema_openshift_api_config_v1alpha1_PolicyMatchExactRepository(ref), - "github.com/openshift/api/config/v1alpha1.PolicyMatchRemapIdentity": schema_openshift_api_config_v1alpha1_PolicyMatchRemapIdentity(ref), - "github.com/openshift/api/config/v1alpha1.PolicyRootOfTrust": schema_openshift_api_config_v1alpha1_PolicyRootOfTrust(ref), "github.com/openshift/api/config/v1alpha1.PrometheusConfig": schema_openshift_api_config_v1alpha1_PrometheusConfig(ref), "github.com/openshift/api/config/v1alpha1.PrometheusOperatorAdmissionWebhookConfig": schema_openshift_api_config_v1alpha1_PrometheusOperatorAdmissionWebhookConfig(ref), "github.com/openshift/api/config/v1alpha1.PrometheusOperatorConfig": schema_openshift_api_config_v1alpha1_PrometheusOperatorConfig(ref), @@ -23053,186 +23035,6 @@ func schema_openshift_api_config_v1alpha1_CertificateConfig(ref common.Reference } } -func schema_openshift_api_config_v1alpha1_ClusterImagePolicy(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ClusterImagePolicy holds cluster-wide configuration for image signature verification\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "kind": { - SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, - Format: "", - }, - }, - "apiVersion": { - SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, - Format: "", - }, - }, - "metadata": { - SchemaProps: spec.SchemaProps{ - Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - Default: map[string]interface{}{}, - Ref: ref(metav1.ObjectMeta{}.OpenAPIModelName()), - }, - }, - "spec": { - SchemaProps: spec.SchemaProps{ - Description: "spec contains the configuration for the cluster image policy.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1alpha1.ClusterImagePolicySpec"), - }, - }, - "status": { - SchemaProps: spec.SchemaProps{ - Description: "status contains the observed state of the resource.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1alpha1.ClusterImagePolicyStatus"), - }, - }, - }, - Required: []string{"spec"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1alpha1.ClusterImagePolicySpec", "github.com/openshift/api/config/v1alpha1.ClusterImagePolicyStatus", metav1.ObjectMeta{}.OpenAPIModelName()}, - } -} - -func schema_openshift_api_config_v1alpha1_ClusterImagePolicyList(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ClusterImagePolicyList is a list of ClusterImagePolicy resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "kind": { - SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, - Format: "", - }, - }, - "apiVersion": { - SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, - Format: "", - }, - }, - "metadata": { - SchemaProps: spec.SchemaProps{ - Description: "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - Default: map[string]interface{}{}, - Ref: ref(metav1.ListMeta{}.OpenAPIModelName()), - }, - }, - "items": { - SchemaProps: spec.SchemaProps{ - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1alpha1.ClusterImagePolicy"), - }, - }, - }, - }, - }, - }, - Required: []string{"metadata", "items"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1alpha1.ClusterImagePolicy", metav1.ListMeta{}.OpenAPIModelName()}, - } -} - -func schema_openshift_api_config_v1alpha1_ClusterImagePolicySpec(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "CLusterImagePolicySpec is the specification of the ClusterImagePolicy custom resource.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "scopes": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-type": "set", - }, - }, - SchemaProps: spec.SchemaProps{ - Description: "scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "policy": { - SchemaProps: spec.SchemaProps{ - Description: "policy contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1alpha1.ImageSigstoreVerificationPolicy"), - }, - }, - }, - Required: []string{"scopes", "policy"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1alpha1.ImageSigstoreVerificationPolicy"}, - } -} - -func schema_openshift_api_config_v1alpha1_ClusterImagePolicyStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "conditions": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "type", - }, - "x-kubernetes-list-type": "map", - }, - }, - SchemaProps: spec.SchemaProps{ - Description: "conditions provide details on the status of this API Resource.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref(metav1.Condition{}.OpenAPIModelName()), - }, - }, - }, - }, - }, - }, - }, - }, - Dependencies: []string{ - metav1.Condition{}.OpenAPIModelName()}, - } -} - func schema_openshift_api_config_v1alpha1_ClusterMonitoring(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -23568,422 +23370,110 @@ func schema_openshift_api_config_v1alpha1_EtcdBackupSpec(ref common.ReferenceCal Format: "", }, }, - "timeZone": { - SchemaProps: spec.SchemaProps{ - Description: "The time zone name for the given schedule, see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones. If not specified, this will default to the time zone of the kube-controller-manager process. See https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#time-zones", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "retentionPolicy": { - SchemaProps: spec.SchemaProps{ - Description: "retentionPolicy defines the retention policy for retaining and deleting existing backups.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1alpha1.RetentionPolicy"), - }, - }, - "pvcName": { - SchemaProps: spec.SchemaProps{ - Description: "pvcName specifies the name of the PersistentVolumeClaim (PVC) which binds a PersistentVolume where the etcd backup files would be saved The PVC itself must always be created in the \"openshift-etcd\" namespace If the PVC is left unspecified \"\" then the platform will choose a reasonable default location to save the backup. In the future this would be backups saved across the control-plane master nodes.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1alpha1.RetentionPolicy"}, - } -} - -func schema_openshift_api_config_v1alpha1_GatherConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "gatherConfig provides data gathering configuration options.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "dataPolicy": { - SchemaProps: spec.SchemaProps{ - Description: "dataPolicy allows user to enable additional global obfuscation of the IP addresses and base domain in the Insights archive data. Valid values are \"None\" and \"ObfuscateNetworking\". When set to None the data is not obfuscated. When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.", - Type: []string{"string"}, - Format: "", - }, - }, - "disabledGatherers": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-type": "atomic", - }, - }, - SchemaProps: spec.SchemaProps{ - Description: "disabledGatherers is a list of gatherers to be excluded from the gathering. All the gatherers can be disabled by providing \"all\" value. If all the gatherers are disabled, the Insights operator does not gather any data. The format for the disabledGatherer should be: {gatherer}/{function} where the function is optional. Gatherer consists of a lowercase letters only that may include underscores (_). Function consists of a lowercase letters only that may include underscores (_) and is separated from the gatherer by a forward slash (/). The particular gatherers IDs can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. Run the following command to get the names of last active gatherers: \"oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'\" An example of disabling gatherers looks like this: `disabledGatherers: [\"clusterconfig/machine_configs\", \"workloads/workload_info\"]`", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "storage": { - SchemaProps: spec.SchemaProps{ - Description: "storage is an optional field that allows user to define persistent storage for gathering jobs to store the Insights data archive. If omitted, the gathering job will use ephemeral storage.", - Ref: ref("github.com/openshift/api/config/v1alpha1.Storage"), - }, - }, - }, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1alpha1.Storage"}, - } -} - -func schema_openshift_api_config_v1alpha1_HashModActionConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "HashModActionConfig configures the HashMod action. target_label is set to the modulus of a hash of the concatenated source_labels (target = hash % modulus).", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "targetLabel": { - SchemaProps: spec.SchemaProps{ - Description: "targetLabel is the label name where the hash modulus result is written. Must be between 1 and 128 characters in length.", - Type: []string{"string"}, - Format: "", - }, - }, - "modulus": { - SchemaProps: spec.SchemaProps{ - Description: "modulus is the divisor applied to the hash of the concatenated source label values (target = hash % modulus). Required when using the HashMod action so the intended behavior is explicit. Must be between 1 and 1000000.", - Type: []string{"integer"}, - Format: "int64", - }, - }, - }, - Required: []string{"targetLabel", "modulus"}, - }, - }, - } -} - -func schema_openshift_api_config_v1alpha1_ImagePolicy(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ImagePolicy holds namespace-wide configuration for image signature verification\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "kind": { - SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, - Format: "", - }, - }, - "apiVersion": { - SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, - Format: "", - }, - }, - "metadata": { - SchemaProps: spec.SchemaProps{ - Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - Default: map[string]interface{}{}, - Ref: ref(metav1.ObjectMeta{}.OpenAPIModelName()), - }, - }, - "spec": { - SchemaProps: spec.SchemaProps{ - Description: "spec holds user settable values for configuration", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1alpha1.ImagePolicySpec"), - }, - }, - "status": { - SchemaProps: spec.SchemaProps{ - Description: "status contains the observed state of the resource.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1alpha1.ImagePolicyStatus"), - }, - }, - }, - Required: []string{"spec"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1alpha1.ImagePolicySpec", "github.com/openshift/api/config/v1alpha1.ImagePolicyStatus", metav1.ObjectMeta{}.OpenAPIModelName()}, - } -} - -func schema_openshift_api_config_v1alpha1_ImagePolicyFulcioCAWithRekorRootOfTrust(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ImagePolicyFulcioCAWithRekorRootOfTrust defines the root of trust based on the Fulcio certificate and the Rekor public key.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "fulcioCAData": { - SchemaProps: spec.SchemaProps{ - Description: "fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.", - Type: []string{"string"}, - Format: "byte", - }, - }, - "rekorKeyData": { - SchemaProps: spec.SchemaProps{ - Description: "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", - Type: []string{"string"}, - Format: "byte", - }, - }, - "fulcioSubject": { - SchemaProps: spec.SchemaProps{ - Description: "fulcioSubject specifies OIDC issuer and the email of the Fulcio authentication configuration.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1alpha1.PolicyFulcioSubject"), - }, - }, - }, - Required: []string{"fulcioCAData", "rekorKeyData", "fulcioSubject"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1alpha1.PolicyFulcioSubject"}, - } -} - -func schema_openshift_api_config_v1alpha1_ImagePolicyList(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ImagePolicyList is a list of ImagePolicy resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "kind": { - SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, - Format: "", - }, - }, - "apiVersion": { - SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, - Format: "", - }, - }, - "metadata": { - SchemaProps: spec.SchemaProps{ - Description: "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - Default: map[string]interface{}{}, - Ref: ref(metav1.ListMeta{}.OpenAPIModelName()), - }, - }, - "items": { - SchemaProps: spec.SchemaProps{ - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1alpha1.ImagePolicy"), - }, - }, - }, - }, - }, - }, - Required: []string{"metadata", "items"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1alpha1.ImagePolicy", metav1.ListMeta{}.OpenAPIModelName()}, - } -} - -func schema_openshift_api_config_v1alpha1_ImagePolicyPKIRootOfTrust(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ImagePolicyPKIRootOfTrust defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "caRootsData": { - SchemaProps: spec.SchemaProps{ - Description: "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters.", - Type: []string{"string"}, - Format: "byte", - }, - }, - "caIntermediatesData": { - SchemaProps: spec.SchemaProps{ - Description: "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set.", - Type: []string{"string"}, - Format: "byte", - }, - }, - "pkiCertificateSubject": { - SchemaProps: spec.SchemaProps{ - Description: "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1alpha1.PKICertificateSubject"), - }, - }, - }, - Required: []string{"caRootsData", "pkiCertificateSubject"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1alpha1.PKICertificateSubject"}, - } -} - -func schema_openshift_api_config_v1alpha1_ImagePolicyPublicKeyRootOfTrust(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ImagePolicyPublicKeyRootOfTrust defines the root of trust based on a sigstore public key.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "keyData": { - SchemaProps: spec.SchemaProps{ - Description: "keyData contains inline base64-encoded data for the PEM format public key. KeyData must be at most 8192 characters.", - Type: []string{"string"}, - Format: "byte", - }, - }, - "rekorKeyData": { - SchemaProps: spec.SchemaProps{ - Description: "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", - Type: []string{"string"}, - Format: "byte", - }, - }, - }, - Required: []string{"keyData"}, - }, - }, - } -} - -func schema_openshift_api_config_v1alpha1_ImagePolicySpec(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ImagePolicySpec is the specification of the ImagePolicy CRD.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "scopes": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-type": "set", - }, - }, - SchemaProps: spec.SchemaProps{ - Description: "scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + "timeZone": { + SchemaProps: spec.SchemaProps{ + Description: "The time zone name for the given schedule, see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones. If not specified, this will default to the time zone of the kube-controller-manager process. See https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#time-zones", + Default: "", + Type: []string{"string"}, + Format: "", }, }, - "policy": { + "retentionPolicy": { SchemaProps: spec.SchemaProps{ - Description: "policy contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", + Description: "retentionPolicy defines the retention policy for retaining and deleting existing backups.", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1alpha1.ImageSigstoreVerificationPolicy"), + Ref: ref("github.com/openshift/api/config/v1alpha1.RetentionPolicy"), + }, + }, + "pvcName": { + SchemaProps: spec.SchemaProps{ + Description: "pvcName specifies the name of the PersistentVolumeClaim (PVC) which binds a PersistentVolume where the etcd backup files would be saved The PVC itself must always be created in the \"openshift-etcd\" namespace If the PVC is left unspecified \"\" then the platform will choose a reasonable default location to save the backup. In the future this would be backups saved across the control-plane master nodes.", + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, - Required: []string{"scopes", "policy"}, }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1alpha1.ImageSigstoreVerificationPolicy"}, + "github.com/openshift/api/config/v1alpha1.RetentionPolicy"}, } } -func schema_openshift_api_config_v1alpha1_ImagePolicyStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_config_v1alpha1_GatherConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "gatherConfig provides data gathering configuration options.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ - "conditions": { + "dataPolicy": { + SchemaProps: spec.SchemaProps{ + Description: "dataPolicy allows user to enable additional global obfuscation of the IP addresses and base domain in the Insights archive data. Valid values are \"None\" and \"ObfuscateNetworking\". When set to None the data is not obfuscated. When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.", + Type: []string{"string"}, + Format: "", + }, + }, + "disabledGatherers": { VendorExtensible: spec.VendorExtensible{ Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "type", - }, - "x-kubernetes-list-type": "map", + "x-kubernetes-list-type": "atomic", }, }, SchemaProps: spec.SchemaProps{ - Description: "conditions provide details on the status of this API Resource.", + Description: "disabledGatherers is a list of gatherers to be excluded from the gathering. All the gatherers can be disabled by providing \"all\" value. If all the gatherers are disabled, the Insights operator does not gather any data. The format for the disabledGatherer should be: {gatherer}/{function} where the function is optional. Gatherer consists of a lowercase letters only that may include underscores (_). Function consists of a lowercase letters only that may include underscores (_) and is separated from the gatherer by a forward slash (/). The particular gatherers IDs can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. Run the following command to get the names of last active gatherers: \"oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'\" An example of disabling gatherers looks like this: `disabledGatherers: [\"clusterconfig/machine_configs\", \"workloads/workload_info\"]`", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref(metav1.Condition{}.OpenAPIModelName()), + Default: "", + Type: []string{"string"}, + Format: "", }, }, }, }, }, + "storage": { + SchemaProps: spec.SchemaProps{ + Description: "storage is an optional field that allows user to define persistent storage for gathering jobs to store the Insights data archive. If omitted, the gathering job will use ephemeral storage.", + Ref: ref("github.com/openshift/api/config/v1alpha1.Storage"), + }, + }, }, }, }, Dependencies: []string{ - metav1.Condition{}.OpenAPIModelName()}, + "github.com/openshift/api/config/v1alpha1.Storage"}, } } -func schema_openshift_api_config_v1alpha1_ImageSigstoreVerificationPolicy(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_config_v1alpha1_HashModActionConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ImageSigstoreVerificationPolicy defines the verification policy for the items in the scopes list.", + Description: "HashModActionConfig configures the HashMod action. target_label is set to the modulus of a hash of the concatenated source_labels (target = hash % modulus).", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "rootOfTrust": { + "targetLabel": { SchemaProps: spec.SchemaProps{ - Description: "rootOfTrust specifies the root of trust for the policy.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1alpha1.PolicyRootOfTrust"), + Description: "targetLabel is the label name where the hash modulus result is written. Must be between 1 and 128 characters in length.", + Type: []string{"string"}, + Format: "", }, }, - "signedIdentity": { + "modulus": { SchemaProps: spec.SchemaProps{ - Description: "signedIdentity specifies what image identity the signature claims about the image. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1alpha1.PolicyIdentity"), + Description: "modulus is the divisor applied to the hash of the concatenated source label values (target = hash % modulus). Required when using the HashMod action so the intended behavior is explicit. Must be between 1 and 1000000.", + Type: []string{"integer"}, + Format: "int64", }, }, }, - Required: []string{"rootOfTrust"}, + Required: []string{"targetLabel", "modulus"}, }, }, - Dependencies: []string{ - "github.com/openshift/api/config/v1alpha1.PolicyIdentity", "github.com/openshift/api/config/v1alpha1.PolicyRootOfTrust"}, } } @@ -24707,33 +24197,6 @@ func schema_openshift_api_config_v1alpha1_PKICertificateManagement(ref common.Re } } -func schema_openshift_api_config_v1alpha1_PKICertificateSubject(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "email": { - SchemaProps: spec.SchemaProps{ - Description: "email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. The email should be a valid email address and at most 320 characters in length.", - Type: []string{"string"}, - Format: "", - }, - }, - "hostname": { - SchemaProps: spec.SchemaProps{ - Description: "hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. The hostname should be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. It should consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk.", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - } -} - func schema_openshift_api_config_v1alpha1_PKIList(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -24904,191 +24367,6 @@ func schema_openshift_api_config_v1alpha1_PersistentVolumeConfig(ref common.Refe } } -func schema_openshift_api_config_v1alpha1_PolicyFulcioSubject(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "oidcIssuer": { - SchemaProps: spec.SchemaProps{ - Description: "oidcIssuer contains the expected OIDC issuer. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. Example: \"https://expected.OIDC.issuer/\"", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "signedEmail": { - SchemaProps: spec.SchemaProps{ - Description: "signedEmail holds the email address the the Fulcio certificate is issued for. Example: \"expected-signing-user@example.com\"", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - Required: []string{"oidcIssuer", "signedEmail"}, - }, - }, - } -} - -func schema_openshift_api_config_v1alpha1_PolicyIdentity(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "PolicyIdentity defines image identity the signature claims about the image. When omitted, the default matchPolicy is \"MatchRepoDigestOrExact\".", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "matchPolicy": { - SchemaProps: spec.SchemaProps{ - Description: "matchPolicy sets the type of matching to be used. Valid values are \"MatchRepoDigestOrExact\", \"MatchRepository\", \"ExactRepository\", \"RemapIdentity\". When omitted, the default value is \"MatchRepoDigestOrExact\". If set matchPolicy to ExactRepository, then the exactRepository must be specified. If set matchPolicy to RemapIdentity, then the remapIdentity must be specified. \"MatchRepoDigestOrExact\" means that the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. \"MatchRepository\" means that the identity in the signature must be in the same repository as the image identity. \"ExactRepository\" means that the identity in the signature must be in the same repository as a specific identity specified by \"repository\". \"RemapIdentity\" means that the signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the \"prefix\" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "exactRepository": { - SchemaProps: spec.SchemaProps{ - Description: "exactRepository is required if matchPolicy is set to \"ExactRepository\".", - Ref: ref("github.com/openshift/api/config/v1alpha1.PolicyMatchExactRepository"), - }, - }, - "remapIdentity": { - SchemaProps: spec.SchemaProps{ - Description: "remapIdentity is required if matchPolicy is set to \"RemapIdentity\".", - Ref: ref("github.com/openshift/api/config/v1alpha1.PolicyMatchRemapIdentity"), - }, - }, - }, - Required: []string{"matchPolicy"}, - }, - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-unions": []interface{}{ - map[string]interface{}{ - "discriminator": "matchPolicy", - "fields-to-discriminateBy": map[string]interface{}{ - "exactRepository": "PolicyMatchExactRepository", - "remapIdentity": "PolicyMatchRemapIdentity", - }, - }, - }, - }, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1alpha1.PolicyMatchExactRepository", "github.com/openshift/api/config/v1alpha1.PolicyMatchRemapIdentity"}, - } -} - -func schema_openshift_api_config_v1alpha1_PolicyMatchExactRepository(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "repository": { - SchemaProps: spec.SchemaProps{ - Description: "repository is the reference of the image identity to be matched. The value should be a repository name (by omitting the tag or digest) in a registry implementing the \"Docker Registry HTTP API V2\". For example, docker.io/library/busybox", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - Required: []string{"repository"}, - }, - }, - } -} - -func schema_openshift_api_config_v1alpha1_PolicyMatchRemapIdentity(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "prefix": { - SchemaProps: spec.SchemaProps{ - Description: "prefix is the prefix of the image identity to be matched. If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). This useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "signedPrefix": { - SchemaProps: spec.SchemaProps{ - Description: "signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as \"prefix\". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - Required: []string{"prefix", "signedPrefix"}, - }, - }, - } -} - -func schema_openshift_api_config_v1alpha1_PolicyRootOfTrust(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "PolicyRootOfTrust defines the root of trust based on the selected policyType.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "policyType": { - SchemaProps: spec.SchemaProps{ - Description: "policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. \"PublicKey\" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. \"FulcioCAWithRekor\" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. \"PKI\" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "publicKey": { - SchemaProps: spec.SchemaProps{ - Description: "publicKey defines the root of trust based on a sigstore public key.", - Ref: ref("github.com/openshift/api/config/v1alpha1.ImagePolicyPublicKeyRootOfTrust"), - }, - }, - "fulcioCAWithRekor": { - SchemaProps: spec.SchemaProps{ - Description: "fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor", - Ref: ref("github.com/openshift/api/config/v1alpha1.ImagePolicyFulcioCAWithRekorRootOfTrust"), - }, - }, - "pki": { - SchemaProps: spec.SchemaProps{ - Description: "pki defines the root of trust based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates.", - Ref: ref("github.com/openshift/api/config/v1alpha1.ImagePolicyPKIRootOfTrust"), - }, - }, - }, - Required: []string{"policyType"}, - }, - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-unions": []interface{}{ - map[string]interface{}{ - "discriminator": "policyType", - "fields-to-discriminateBy": map[string]interface{}{ - "fulcioCAWithRekor": "FulcioCAWithRekor", - "pki": "PKI", - "publicKey": "PublicKey", - }, - }, - }, - }, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1alpha1.ImagePolicyFulcioCAWithRekorRootOfTrust", "github.com/openshift/api/config/v1alpha1.ImagePolicyPKIRootOfTrust", "github.com/openshift/api/config/v1alpha1.ImagePolicyPublicKeyRootOfTrust"}, - } -} - func schema_openshift_api_config_v1alpha1_PrometheusConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{