diff --git a/config/v1/tests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml b/config/v1/tests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml new file mode 100644 index 00000000000..e8a27e1fbdc --- /dev/null +++ b/config/v1/tests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml @@ -0,0 +1,453 @@ +apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this +name: "ClusterImagePolicy" +crdName: clusterimagepolicies.config.openshift.io +featureGates: +- SigstoreImageVerification +tests: + onCreate: + - name: Should be able to create a minimal ImagePolicy with policyType PublicKey + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + expected: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + - name: Should be able to create a minimal ImagePolicy with policyType FulcioCAWithRekor + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: FulcioCAWithRekor + fulcioCAWithRekor: + fulcioCAData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ2ekNDQTZlZ0F3SUJBZ0lVRDVuLzdUMGszUHBVekMvZE5CRUVpWHhDaFVjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JqRUxNQWtHQTFVRUJoTUNSVk14RVRBUEJnTlZCQWNNQ0ZaaGJHVnVZMmxoTVFzd0NRWURWUVFLREFKSgpWREVSTUE4R0ExVUVDd3dJVTJWamRYSnBkSGt4TERBcUJnTlZCQU1NSTB4cGJuVjRaWEpoSUZKdmIzUWdRMlZ5CmRHbG1hV05oZEdVZ1FYVjBhRzl5YVhSNU1DQVhEVEkwTURneE1ERTNNVFF3TTFvWUR6SXdOVEV4TWpJMk1UY3gKTkRBeldqQnVNUXN3Q1FZRFZRUUdFd0pGVXpFUk1BOEdBMVVFQnd3SVZtRnNaVzVqYVdFeEN6QUpCZ05WQkFvTQpBa2xVTVJFd0R3WURWUVFMREFoVFpXTjFjbWwwZVRFc01Db0dBMVVFQXd3alRHbHVkWGhsY21FZ1VtOXZkQ0JEClpYSjBhV1pwWTJGMFpTQkJkWFJvYjNKcGRIa3dnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUsKQW9JQ0FRQ1h5ekpBSGRlY0NES0tpdFN4MlN0d215RWdUc2psRHhMdUpEUlZkUGVYZWpNTzVZQ1lxdW4raXl6awpkZm5jZ3k4TTlOTHU1bWZUSWpUZ3dLRVBHWHhpQjZ4VXVtNjRPUmt2RUVnT0oyV3JWV3M5NHJLL21iaTB4eUl1ClZjTlNFT0M0Ry9OY2VmYlFJY3JJNk5PV0xsRTN3WEFlRlNQVTNDTnJlbzV5NGlkNEtmR29oWlN1QXJJNkxZQzcKTm0vRlQ5cGgzZW5JdTBubVFjUGZYaU0xS2E2ZWpKK3hHMk5TdXRFL1dWVTNUL0JPVWM5b3MvWUJSbHlvakZGbwpkSHZ4L2lLRGpWZXBFOGRySXZMa1c1OEFoUXZNbmh4VVErWk1YdHhYaDlyVXZzOTdEdjNsdE85ek91STRaTGVsCmt2ZjRvWW5PbGltQm1SNk5zZlAvaUNZR1dLVVQ2VmUxZTZFbGkzaG5COElOQ2tzQmF1cEYxZ0YyeWpOakYyc2sKQnowcmoydjFFb2ZsSEhsZ1BnM2NyYkNON2RoSnF6RHhGQmFaeXdXRjZjYzFNYjVDMUgrUFFudXVGOEI2L0JTQQp0VEF5M3hpNUVlcWhxeGNxdG5BS0pnSXc3Q0dTUHZGQ280OG5lVzlmdERlNkFrcEpTMjhBNVBRVCtuZDY1T3VjClpqbnBGNzhGdkE5aXdsSjNxaE90WE5DWVlQOVhMWnNvSjNJK2ZLaEQ0dE9kRklta3dFS3RYUW9xRGtuUmdKeEYKMmFrNDdndnZuQkpKa1o4ZEhpYU85ZWlzL1R3Q2p2ekhQbk9oaEZqWmRmNlFOTlVMVERXcGp3YW1kSDQrd3VjVgpjQXpmUlhtbEVpbnIyaXlXQW5ycEZzdGlSeHRySDRFTytqb25MbXpmUlNOVnoxL0xXd0lEQVFBQm8xTXdVVEFkCkJnTlZIUTRFRmdRVWxJMXJ6b3FNZlZxbHFKZkJzYWt6bXJVZjl6OHdId1lEVlIwakJCZ3dGb0FVbEkxcnpvcU0KZlZxbHFKZkJzYWt6bXJVZjl6OHdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBZ0VBZXEwMTJPWGxNRE9OUVNaSXRnd3pUaURsVHE1MzNCekkrak50cWVUTzBZZUNwTGZYRlROUXFxdyt6WVFuCi80UVlacW5lSUhkTnByaFlkZDdORUc5ak5jaXV0dW4vZUNaZXZYVktPc3d6VHk3a2l5Nm9Rek1hZklVZ2dMMTUKV2JFZlU5c3JjT0xBOXFVN2MvUHdPQURzdEhQTVBuZ3Z4UzdqWmw2Z0cwNUFVMGcyYXF2bkRiVmtmY3M2SUxMUgpFRnNUTXBLK1lHaWhBU1NrUTBwbVpUTGdEem1HVWdVOFFvejZFWTAwMzZiZzZJbTJKL0RNUU9ic0MvQmVqb1EzCnkxQmJWR1Job0F2bytQYkprd0hzaUE2SythR3RZYXJmSzR2VUpoVEJMb0JHSElNRDlPbkVRc0pDT2JvWnhsVU4KYmwxZVhjOHFzQzVqVmNWOG9TakNWbmVOZ241aW1HYVFLdEVWdjdBYUNvL3RCYXJYNVJucEdKZ1h0bnhuNjVmVApYNUh3NENCR2RIeUtmZTliWjV0K2lFSm1WbTgva2M2Z216V2JmNVZUcmkyTUp0ZEFwWGlnRmxIYzZVK09uMnk5CitYbU9pbWVDbVA5WTNqcGdITkIxVVA0Q2hFSEg0azdmWDFaSkpYeGVLWERJTWFxWmFRYjZ5VCtDbFJvU2lsQSsKQU95dEd4c3B0OVpmemN4ZGRaTUdNYXcrQzlaYW5WTjNRVTZ1Tk0wOGYra2lkRkdJL29vN1pNZ0xaQ1RKWnozSQpINktFSkl1L1ZpWFlONTFlM1ZpV0srNFBBKzZjRXVmZzMwZE52cFExTVVuYW10Sjc2QXQ2UVJnY3NBMzVYemxWCkZ0RlV6VVFkZk1KQnBSVVR1ZEtvK2d0TG9oT1BkZXdYM2xaUVA4QkJCZWdrdlJzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t + rekorKeyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFMkcyWSsydGFiZFRWNUJjR2lCSXgwYTlmQUZ3cgprQmJtTFNHdGtzNEwzcVg2eVlZMHp1ZkJuaEM4VXIvaXk1NUdoV1AvOUEvYlkyTGhDMzBNOStSWXR3PT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg== + fulcioSubject: + oidcIssuer: https://oidc.localhost + signedEmail: test-user@example.com + expected: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: FulcioCAWithRekor + fulcioCAWithRekor: + fulcioCAData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ2ekNDQTZlZ0F3SUJBZ0lVRDVuLzdUMGszUHBVekMvZE5CRUVpWHhDaFVjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JqRUxNQWtHQTFVRUJoTUNSVk14RVRBUEJnTlZCQWNNQ0ZaaGJHVnVZMmxoTVFzd0NRWURWUVFLREFKSgpWREVSTUE4R0ExVUVDd3dJVTJWamRYSnBkSGt4TERBcUJnTlZCQU1NSTB4cGJuVjRaWEpoSUZKdmIzUWdRMlZ5CmRHbG1hV05oZEdVZ1FYVjBhRzl5YVhSNU1DQVhEVEkwTURneE1ERTNNVFF3TTFvWUR6SXdOVEV4TWpJMk1UY3gKTkRBeldqQnVNUXN3Q1FZRFZRUUdFd0pGVXpFUk1BOEdBMVVFQnd3SVZtRnNaVzVqYVdFeEN6QUpCZ05WQkFvTQpBa2xVTVJFd0R3WURWUVFMREFoVFpXTjFjbWwwZVRFc01Db0dBMVVFQXd3alRHbHVkWGhsY21FZ1VtOXZkQ0JEClpYSjBhV1pwWTJGMFpTQkJkWFJvYjNKcGRIa3dnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUsKQW9JQ0FRQ1h5ekpBSGRlY0NES0tpdFN4MlN0d215RWdUc2psRHhMdUpEUlZkUGVYZWpNTzVZQ1lxdW4raXl6awpkZm5jZ3k4TTlOTHU1bWZUSWpUZ3dLRVBHWHhpQjZ4VXVtNjRPUmt2RUVnT0oyV3JWV3M5NHJLL21iaTB4eUl1ClZjTlNFT0M0Ry9OY2VmYlFJY3JJNk5PV0xsRTN3WEFlRlNQVTNDTnJlbzV5NGlkNEtmR29oWlN1QXJJNkxZQzcKTm0vRlQ5cGgzZW5JdTBubVFjUGZYaU0xS2E2ZWpKK3hHMk5TdXRFL1dWVTNUL0JPVWM5b3MvWUJSbHlvakZGbwpkSHZ4L2lLRGpWZXBFOGRySXZMa1c1OEFoUXZNbmh4VVErWk1YdHhYaDlyVXZzOTdEdjNsdE85ek91STRaTGVsCmt2ZjRvWW5PbGltQm1SNk5zZlAvaUNZR1dLVVQ2VmUxZTZFbGkzaG5COElOQ2tzQmF1cEYxZ0YyeWpOakYyc2sKQnowcmoydjFFb2ZsSEhsZ1BnM2NyYkNON2RoSnF6RHhGQmFaeXdXRjZjYzFNYjVDMUgrUFFudXVGOEI2L0JTQQp0VEF5M3hpNUVlcWhxeGNxdG5BS0pnSXc3Q0dTUHZGQ280OG5lVzlmdERlNkFrcEpTMjhBNVBRVCtuZDY1T3VjClpqbnBGNzhGdkE5aXdsSjNxaE90WE5DWVlQOVhMWnNvSjNJK2ZLaEQ0dE9kRklta3dFS3RYUW9xRGtuUmdKeEYKMmFrNDdndnZuQkpKa1o4ZEhpYU85ZWlzL1R3Q2p2ekhQbk9oaEZqWmRmNlFOTlVMVERXcGp3YW1kSDQrd3VjVgpjQXpmUlhtbEVpbnIyaXlXQW5ycEZzdGlSeHRySDRFTytqb25MbXpmUlNOVnoxL0xXd0lEQVFBQm8xTXdVVEFkCkJnTlZIUTRFRmdRVWxJMXJ6b3FNZlZxbHFKZkJzYWt6bXJVZjl6OHdId1lEVlIwakJCZ3dGb0FVbEkxcnpvcU0KZlZxbHFKZkJzYWt6bXJVZjl6OHdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBZ0VBZXEwMTJPWGxNRE9OUVNaSXRnd3pUaURsVHE1MzNCekkrak50cWVUTzBZZUNwTGZYRlROUXFxdyt6WVFuCi80UVlacW5lSUhkTnByaFlkZDdORUc5ak5jaXV0dW4vZUNaZXZYVktPc3d6VHk3a2l5Nm9Rek1hZklVZ2dMMTUKV2JFZlU5c3JjT0xBOXFVN2MvUHdPQURzdEhQTVBuZ3Z4UzdqWmw2Z0cwNUFVMGcyYXF2bkRiVmtmY3M2SUxMUgpFRnNUTXBLK1lHaWhBU1NrUTBwbVpUTGdEem1HVWdVOFFvejZFWTAwMzZiZzZJbTJKL0RNUU9ic0MvQmVqb1EzCnkxQmJWR1Job0F2bytQYkprd0hzaUE2SythR3RZYXJmSzR2VUpoVEJMb0JHSElNRDlPbkVRc0pDT2JvWnhsVU4KYmwxZVhjOHFzQzVqVmNWOG9TakNWbmVOZ241aW1HYVFLdEVWdjdBYUNvL3RCYXJYNVJucEdKZ1h0bnhuNjVmVApYNUh3NENCR2RIeUtmZTliWjV0K2lFSm1WbTgva2M2Z216V2JmNVZUcmkyTUp0ZEFwWGlnRmxIYzZVK09uMnk5CitYbU9pbWVDbVA5WTNqcGdITkIxVVA0Q2hFSEg0azdmWDFaSkpYeGVLWERJTWFxWmFRYjZ5VCtDbFJvU2lsQSsKQU95dEd4c3B0OVpmemN4ZGRaTUdNYXcrQzlaYW5WTjNRVTZ1Tk0wOGYra2lkRkdJL29vN1pNZ0xaQ1RKWnozSQpINktFSkl1L1ZpWFlONTFlM1ZpV0srNFBBKzZjRXVmZzMwZE52cFExTVVuYW10Sjc2QXQ2UVJnY3NBMzVYemxWCkZ0RlV6VVFkZk1KQnBSVVR1ZEtvK2d0TG9oT1BkZXdYM2xaUVA4QkJCZWdrdlJzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t + rekorKeyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFMkcyWSsydGFiZFRWNUJjR2lCSXgwYTlmQUZ3cgprQmJtTFNHdGtzNEwzcVg2eVlZMHp1ZkJuaEM4VXIvaXk1NUdoV1AvOUEvYlkyTGhDMzBNOStSWXR3PT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg== + fulcioSubject: + oidcIssuer: https://oidc.localhost + signedEmail: test-user@example.com + - name: Should not allow policyType PublicKey but not set publicKey + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + FulcioCAWithRekor: + fulcioCAData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ2ekNDQTZlZ0F3SUJBZ0lVRDVuLzdUMGszUHBVekMvZE5CRUVpWHhDaFVjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JqRUxNQWtHQTFVRUJoTUNSVk14RVRBUEJnTlZCQWNNQ0ZaaGJHVnVZMmxoTVFzd0NRWURWUVFLREFKSgpWREVSTUE4R0ExVUVDd3dJVTJWamRYSnBkSGt4TERBcUJnTlZCQU1NSTB4cGJuVjRaWEpoSUZKdmIzUWdRMlZ5CmRHbG1hV05oZEdVZ1FYVjBhRzl5YVhSNU1DQVhEVEkwTURneE1ERTNNVFF3TTFvWUR6SXdOVEV4TWpJMk1UY3gKTkRBeldqQnVNUXN3Q1FZRFZRUUdFd0pGVXpFUk1BOEdBMVVFQnd3SVZtRnNaVzVqYVdFeEN6QUpCZ05WQkFvTQpBa2xVTVJFd0R3WURWUVFMREFoVFpXTjFjbWwwZVRFc01Db0dBMVVFQXd3alRHbHVkWGhsY21FZ1VtOXZkQ0JEClpYSjBhV1pwWTJGMFpTQkJkWFJvYjNKcGRIa3dnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUsKQW9JQ0FRQ1h5ekpBSGRlY0NES0tpdFN4MlN0d215RWdUc2psRHhMdUpEUlZkUGVYZWpNTzVZQ1lxdW4raXl6awpkZm5jZ3k4TTlOTHU1bWZUSWpUZ3dLRVBHWHhpQjZ4VXVtNjRPUmt2RUVnT0oyV3JWV3M5NHJLL21iaTB4eUl1ClZjTlNFT0M0Ry9OY2VmYlFJY3JJNk5PV0xsRTN3WEFlRlNQVTNDTnJlbzV5NGlkNEtmR29oWlN1QXJJNkxZQzcKTm0vRlQ5cGgzZW5JdTBubVFjUGZYaU0xS2E2ZWpKK3hHMk5TdXRFL1dWVTNUL0JPVWM5b3MvWUJSbHlvakZGbwpkSHZ4L2lLRGpWZXBFOGRySXZMa1c1OEFoUXZNbmh4VVErWk1YdHhYaDlyVXZzOTdEdjNsdE85ek91STRaTGVsCmt2ZjRvWW5PbGltQm1SNk5zZlAvaUNZR1dLVVQ2VmUxZTZFbGkzaG5COElOQ2tzQmF1cEYxZ0YyeWpOakYyc2sKQnowcmoydjFFb2ZsSEhsZ1BnM2NyYkNON2RoSnF6RHhGQmFaeXdXRjZjYzFNYjVDMUgrUFFudXVGOEI2L0JTQQp0VEF5M3hpNUVlcWhxeGNxdG5BS0pnSXc3Q0dTUHZGQ280OG5lVzlmdERlNkFrcEpTMjhBNVBRVCtuZDY1T3VjClpqbnBGNzhGdkE5aXdsSjNxaE90WE5DWVlQOVhMWnNvSjNJK2ZLaEQ0dE9kRklta3dFS3RYUW9xRGtuUmdKeEYKMmFrNDdndnZuQkpKa1o4ZEhpYU85ZWlzL1R3Q2p2ekhQbk9oaEZqWmRmNlFOTlVMVERXcGp3YW1kSDQrd3VjVgpjQXpmUlhtbEVpbnIyaXlXQW5ycEZzdGlSeHRySDRFTytqb25MbXpmUlNOVnoxL0xXd0lEQVFBQm8xTXdVVEFkCkJnTlZIUTRFRmdRVWxJMXJ6b3FNZlZxbHFKZkJzYWt6bXJVZjl6OHdId1lEVlIwakJCZ3dGb0FVbEkxcnpvcU0KZlZxbHFKZkJzYWt6bXJVZjl6OHdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBZ0VBZXEwMTJPWGxNRE9OUVNaSXRnd3pUaURsVHE1MzNCekkrak50cWVUTzBZZUNwTGZYRlROUXFxdyt6WVFuCi80UVlacW5lSUhkTnByaFlkZDdORUc5ak5jaXV0dW4vZUNaZXZYVktPc3d6VHk3a2l5Nm9Rek1hZklVZ2dMMTUKV2JFZlU5c3JjT0xBOXFVN2MvUHdPQURzdEhQTVBuZ3Z4UzdqWmw2Z0cwNUFVMGcyYXF2bkRiVmtmY3M2SUxMUgpFRnNUTXBLK1lHaWhBU1NrUTBwbVpUTGdEem1HVWdVOFFvejZFWTAwMzZiZzZJbTJKL0RNUU9ic0MvQmVqb1EzCnkxQmJWR1Job0F2bytQYkprd0hzaUE2SythR3RZYXJmSzR2VUpoVEJMb0JHSElNRDlPbkVRc0pDT2JvWnhsVU4KYmwxZVhjOHFzQzVqVmNWOG9TakNWbmVOZ241aW1HYVFLdEVWdjdBYUNvL3RCYXJYNVJucEdKZ1h0bnhuNjVmVApYNUh3NENCR2RIeUtmZTliWjV0K2lFSm1WbTgva2M2Z216V2JmNVZUcmkyTUp0ZEFwWGlnRmxIYzZVK09uMnk5CitYbU9pbWVDbVA5WTNqcGdITkIxVVA0Q2hFSEg0azdmWDFaSkpYeGVLWERJTWFxWmFRYjZ5VCtDbFJvU2lsQSsKQU95dEd4c3B0OVpmemN4ZGRaTUdNYXcrQzlaYW5WTjNRVTZ1Tk0wOGYra2lkRkdJL29vN1pNZ0xaQ1RKWnozSQpINktFSkl1L1ZpWFlONTFlM1ZpV0srNFBBKzZjRXVmZzMwZE52cFExTVVuYW10Sjc2QXQ2UVJnY3NBMzVYemxWCkZ0RlV6VVFkZk1KQnBSVVR1ZEtvK2d0TG9oT1BkZXdYM2xaUVA4QkJCZWdrdlJzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t + rekorKeyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFMkcyWSsydGFiZFRWNUJjR2lCSXgwYTlmQUZ3cgprQmJtTFNHdGtzNEwzcVg2eVlZMHp1ZkJuaEM4VXIvaXk1NUdoV1AvOUEvYlkyTGhDMzBNOStSWXR3PT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg== + fulcioSubject: + oidcIssuer: https://oidc.localhost + signedEmail: test-user@example.com + expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": publicKey is required when policyType is PublicKey, and forbidden otherwise" + - name: Should not allow policyType FulcioCAData but not set fulcioCAWithRekor + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: FulcioCAWithRekor + PublicKey: + keyData: Zm9vIGJhcg== + expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise" + - name: Should not allow policyType set but not set corresponding policy + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": publicKey is required when policyType is PublicKey, and forbidden otherwise" + - name: Should not allow policyType set FulcioCAWith but not set corresponding policy + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: FulcioCAWithRekor + expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise" + - name: Should not allow signedIdentity matchPolicy ExactRepository but not set repository + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + signedIdentity: + matchPolicy: ExactRepository + expectedError: "spec.policy.signedIdentity: Invalid value: \"object\": exactRepository is required when matchPolicy is ExactRepository, and forbidden otherwise" + - name: Should not allow signedIdentity matchPolicy RemapIdentity but not set prefixes + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + signedIdentity: + matchPolicy: RemapIdentity + expectedError: "spec.policy.signedIdentity: Invalid value: \"object\": remapIdentity is required when matchPolicy is RemapIdentity, and forbidden otherwise" + - name: Test scope should not allow 'busybox' + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - busybox + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + expectedError: "spec.scopes[0]: Invalid value: \"string\": invalid image scope format, scope must contain a fully qualified domain name or 'localhost'" + - name: Test scope should not allow start with subnamesapces '*.example.com/test' + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - "*.example.com/test" + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: Zm9vIGJhcg== + expectedError: "spec.scopes[0]: Invalid value: \"string\": invalid image scope with wildcard, a wildcard can only be at the start of the domain and is only supported for subdomain matching, not path matching" + - name: Test scope should not allow invalid digest + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com/namespace/namespace@sha256:12dsdf + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + expectedError: "spec.scopes[0]: Invalid value: \"string\": invalid repository namespace or image specification in the image scope" + - name: Test should not allow tag in ExactRepository repository + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + signedIdentity: + matchPolicy: ExactRepository + exactRepository: + repository: example.com/namespace/namespace:latest + expectedError: "[spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity, should not include the tag or digest, spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity. The repository or prefix must starts with 'localhost' or a valid '.' separated domain. If contains registry paths, the path component names must start with at least one letter or number, with following parts able to be separated by one period, one or two underscore and multiple dashes.]" + - name: Test should not allow tag in ExactRepository repository + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + signedIdentity: + matchPolicy: ExactRepository + exactRepository: + repository: localhost:1234/namespace/namespace:latest + expectedError: "[spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity, should not include the tag or digest, spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity. The repository or prefix must starts with 'localhost' or a valid '.' separated domain. If contains registry paths, the path component names must start with at least one letter or number, with following parts able to be separated by one period, one or two underscore and multiple dashes.]" + - name: Test should not allow digest in ExactRepository repository + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + signedIdentity: + matchPolicy: ExactRepository + exactRepository: + repository: localhost:1234/namespace/namespace@sha256:b7e686e30346e9ace664fa09c0275262f8b9a443ed56d22165a0e201f6488c13 + expectedError: "[spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity, should not include the tag or digest, spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity. The repository or prefix must starts with 'localhost' or a valid '.' separated domain. If contains registry paths, the path component names must start with at least one letter or number, with following parts able to be separated by one period, one or two underscore and multiple dashes.]" + - name: Test should not allow tag in prefix/signedPrefix + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + signedIdentity: + matchPolicy: RemapIdentity + remapIdentity: + prefix: example.com/namespace:latest + signedPrefix: example.com/namespace + expectedError: "[spec.policy.signedIdentity.remapIdentity.prefix: Invalid value: \"string\": invalid repository or prefix in the signedIdentity, should not include the tag or digest, spec.policy.signedIdentity.remapIdentity.prefix: Invalid value: \"string\": invalid repository or prefix in the signedIdentity. The repository or prefix must starts with 'localhost' or a valid '.' separated domain. If contains registry paths, the path component names must start with at least one letter or number, with following parts able to be separated by one period, one or two underscore and multiple dashes.]" + - name: Test should allow valid ExactRepository repository + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + signedIdentity: + matchPolicy: ExactRepository + exactRepository: + repository: example.com + expected: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + signedIdentity: + matchPolicy: ExactRepository + exactRepository: + repository: example.com + - name: Test should allow valid signedIdentity prefix/signedPrefix + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + signedIdentity: + matchPolicy: RemapIdentity + remapIdentity: + prefix: example.com + signedPrefix: mirror.com + expected: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + signedIdentity: + matchPolicy: RemapIdentity + remapIdentity: + prefix: example.com + signedPrefix: mirror.com + - name: Test scope should allow localhost name with port 'localhost:1234/namespace/namespace' + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - localhost:1234/namespace/namespace + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + expected: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - localhost:1234/namespace/namespace + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + - name: Test scope should allow localhost 'localhost/foo/bar' + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - localhost/foo/bar + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + expected: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - localhost/foo/bar + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + - name: Test scope should allow 'example.com/foo/bar' + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com/foo/bar + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + expected: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com/foo/bar + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + - name: Test scope should allow tag 'example.com/foo/bar:latest' + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com/foo/bar:latest + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + expected: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com/foo/bar:latest + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + - name: Test scope should allow full specification digest + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com/namespace/namespace@sha256:b7e686e30346e9ace664fa09c0275262f8b9a443ed56d22165a0e201f6488c13 + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + expected: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com/namespace/namespace@sha256:b7e686e30346e9ace664fa09c0275262f8b9a443ed56d22165a0e201f6488c13 + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + - name: Test scope should allow '*.example.com' + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - "*.example.com" + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + expected: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - "*.example.com" + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t diff --git a/config/v1/tests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml b/config/v1/tests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml new file mode 100644 index 00000000000..c9180dd1446 --- /dev/null +++ b/config/v1/tests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml @@ -0,0 +1,117 @@ +apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this +name: "ClusterImagePolicy" +crdName: clusterimagepolicies.config.openshift.io +featureGates: +- SigstoreImageVerificationPKI +tests: + onCreate: + - name: Should be able to create a minimal ClusterImagePolicy with policyType PKI + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PKI + pki: + caRootsData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ2ekNDQTZlZ0F3SUJBZ0lVRDVuLzdUMGszUHBVekMvZE5CRUVpWHhDaFVjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JqRUxNQWtHQTFVRUJoTUNSVk14RVRBUEJnTlZCQWNNQ0ZaaGJHVnVZMmxoTVFzd0NRWURWUVFLREFKSgpWREVSTUE4R0ExVUVDd3dJVTJWamRYSnBkSGt4TERBcUJnTlZCQU1NSTB4cGJuVjRaWEpoSUZKdmIzUWdRMlZ5CmRHbG1hV05oZEdVZ1FYVjBhRzl5YVhSNU1DQVhEVEkwTURneE1ERTNNVFF3TTFvWUR6SXdOVEV4TWpJMk1UY3gKTkRBeldqQnVNUXN3Q1FZRFZRUUdFd0pGVXpFUk1BOEdBMVVFQnd3SVZtRnNaVzVqYVdFeEN6QUpCZ05WQkFvTQpBa2xVTVJFd0R3WURWUVFMREFoVFpXTjFjbWwwZVRFc01Db0dBMVVFQXd3alRHbHVkWGhsY21FZ1VtOXZkQ0JEClpYSjBhV1pwWTJGMFpTQkJkWFJvYjNKcGRIa3dnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUsKQW9JQ0FRQ1h5ekpBSGRlY0NES0tpdFN4MlN0d215RWdUc2psRHhMdUpEUlZkUGVYZWpNTzVZQ1lxdW4raXl6awpkZm5jZ3k4TTlOTHU1bWZUSWpUZ3dLRVBHWHhpQjZ4VXVtNjRPUmt2RUVnT0oyV3JWV3M5NHJLL21iaTB4eUl1ClZjTlNFT0M0Ry9OY2VmYlFJY3JJNk5PV0xsRTN3WEFlRlNQVTNDTnJlbzV5NGlkNEtmR29oWlN1QXJJNkxZQzcKTm0vRlQ5cGgzZW5JdTBubVFjUGZYaU0xS2E2ZWpKK3hHMk5TdXRFL1dWVTNUL0JPVWM5b3MvWUJSbHlvakZGbwpkSHZ4L2lLRGpWZXBFOGRySXZMa1c1OEFoUXZNbmh4VVErWk1YdHhYaDlyVXZzOTdEdjNsdE85ek91STRaTGVsCmt2ZjRvWW5PbGltQm1SNk5zZlAvaUNZR1dLVVQ2VmUxZTZFbGkzaG5COElOQ2tzQmF1cEYxZ0YyeWpOakYyc2sKQnowcmoydjFFb2ZsSEhsZ1BnM2NyYkNON2RoSnF6RHhGQmFaeXdXRjZjYzFNYjVDMUgrUFFudXVGOEI2L0JTQQp0VEF5M3hpNUVlcWhxeGNxdG5BS0pnSXc3Q0dTUHZGQ280OG5lVzlmdERlNkFrcEpTMjhBNVBRVCtuZDY1T3VjClpqbnBGNzhGdkE5aXdsSjNxaE90WE5DWVlQOVhMWnNvSjNJK2ZLaEQ0dE9kRklta3dFS3RYUW9xRGtuUmdKeEYKMmFrNDdndnZuQkpKa1o4ZEhpYU85ZWlzL1R3Q2p2ekhQbk9oaEZqWmRmNlFOTlVMVERXcGp3YW1kSDQrd3VjVgpjQXpmUlhtbEVpbnIyaXlXQW5ycEZzdGlSeHRySDRFTytqb25MbXpmUlNOVnoxL0xXd0lEQVFBQm8xTXdVVEFkCkJnTlZIUTRFRmdRVWxJMXJ6b3FNZlZxbHFKZkJzYWt6bXJVZjl6OHdId1lEVlIwakJCZ3dGb0FVbEkxcnpvcU0KZlZxbHFKZkJzYWt6bXJVZjl6OHdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBZ0VBZXEwMTJPWGxNRE9OUVNaSXRnd3pUaURsVHE1MzNCekkrak50cWVUTzBZZUNwTGZYRlROUXFxdyt6WVFuCi80UVlacW5lSUhkTnByaFlkZDdORUc5ak5jaXV0dW4vZUNaZXZYVktPc3d6VHk3a2l5Nm9Rek1hZklVZ2dMMTUKV2JFZlU5c3JjT0xBOXFVN2MvUHdPQURzdEhQTVBuZ3Z4UzdqWmw2Z0cwNUFVMGcyYXF2bkRiVmtmY3M2SUxMUgpFRnNUTXBLK1lHaWhBU1NrUTBwbVpUTGdEem1HVWdVOFFvejZFWTAwMzZiZzZJbTJKL0RNUU9ic0MvQmVqb1EzCnkxQmJWR1Job0F2bytQYkprd0hzaUE2SythR3RZYXJmSzR2VUpoVEJMb0JHSElNRDlPbkVRc0pDT2JvWnhsVU4KYmwxZVhjOHFzQzVqVmNWOG9TakNWbmVOZ241aW1HYVFLdEVWdjdBYUNvL3RCYXJYNVJucEdKZ1h0bnhuNjVmVApYNUh3NENCR2RIeUtmZTliWjV0K2lFSm1WbTgva2M2Z216V2JmNVZUcmkyTUp0ZEFwWGlnRmxIYzZVK09uMnk5CitYbU9pbWVDbVA5WTNqcGdITkIxVVA0Q2hFSEg0azdmWDFaSkpYeGVLWERJTWFxWmFRYjZ5VCtDbFJvU2lsQSsKQU95dEd4c3B0OVpmemN4ZGRaTUdNYXcrQzlaYW5WTjNRVTZ1Tk0wOGYra2lkRkdJL29vN1pNZ0xaQ1RKWnozSQpINktFSkl1L1ZpWFlONTFlM1ZpV0srNFBBKzZjRXVmZzMwZE52cFExTVVuYW10Sjc2QXQ2UVJnY3NBMzVYemxWCkZ0RlV6VVFkZk1KQnBSVVR1ZEtvK2d0TG9oT1BkZXdYM2xaUVA4QkJCZWdrdlJzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t + pkiCertificateSubject: + email: test-user@example.com + expected: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PKI + pki: + caRootsData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ2ekNDQTZlZ0F3SUJBZ0lVRDVuLzdUMGszUHBVekMvZE5CRUVpWHhDaFVjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JqRUxNQWtHQTFVRUJoTUNSVk14RVRBUEJnTlZCQWNNQ0ZaaGJHVnVZMmxoTVFzd0NRWURWUVFLREFKSgpWREVSTUE4R0ExVUVDd3dJVTJWamRYSnBkSGt4TERBcUJnTlZCQU1NSTB4cGJuVjRaWEpoSUZKdmIzUWdRMlZ5CmRHbG1hV05oZEdVZ1FYVjBhRzl5YVhSNU1DQVhEVEkwTURneE1ERTNNVFF3TTFvWUR6SXdOVEV4TWpJMk1UY3gKTkRBeldqQnVNUXN3Q1FZRFZRUUdFd0pGVXpFUk1BOEdBMVVFQnd3SVZtRnNaVzVqYVdFeEN6QUpCZ05WQkFvTQpBa2xVTVJFd0R3WURWUVFMREFoVFpXTjFjbWwwZVRFc01Db0dBMVVFQXd3alRHbHVkWGhsY21FZ1VtOXZkQ0JEClpYSjBhV1pwWTJGMFpTQkJkWFJvYjNKcGRIa3dnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUsKQW9JQ0FRQ1h5ekpBSGRlY0NES0tpdFN4MlN0d215RWdUc2psRHhMdUpEUlZkUGVYZWpNTzVZQ1lxdW4raXl6awpkZm5jZ3k4TTlOTHU1bWZUSWpUZ3dLRVBHWHhpQjZ4VXVtNjRPUmt2RUVnT0oyV3JWV3M5NHJLL21iaTB4eUl1ClZjTlNFT0M0Ry9OY2VmYlFJY3JJNk5PV0xsRTN3WEFlRlNQVTNDTnJlbzV5NGlkNEtmR29oWlN1QXJJNkxZQzcKTm0vRlQ5cGgzZW5JdTBubVFjUGZYaU0xS2E2ZWpKK3hHMk5TdXRFL1dWVTNUL0JPVWM5b3MvWUJSbHlvakZGbwpkSHZ4L2lLRGpWZXBFOGRySXZMa1c1OEFoUXZNbmh4VVErWk1YdHhYaDlyVXZzOTdEdjNsdE85ek91STRaTGVsCmt2ZjRvWW5PbGltQm1SNk5zZlAvaUNZR1dLVVQ2VmUxZTZFbGkzaG5COElOQ2tzQmF1cEYxZ0YyeWpOakYyc2sKQnowcmoydjFFb2ZsSEhsZ1BnM2NyYkNON2RoSnF6RHhGQmFaeXdXRjZjYzFNYjVDMUgrUFFudXVGOEI2L0JTQQp0VEF5M3hpNUVlcWhxeGNxdG5BS0pnSXc3Q0dTUHZGQ280OG5lVzlmdERlNkFrcEpTMjhBNVBRVCtuZDY1T3VjClpqbnBGNzhGdkE5aXdsSjNxaE90WE5DWVlQOVhMWnNvSjNJK2ZLaEQ0dE9kRklta3dFS3RYUW9xRGtuUmdKeEYKMmFrNDdndnZuQkpKa1o4ZEhpYU85ZWlzL1R3Q2p2ekhQbk9oaEZqWmRmNlFOTlVMVERXcGp3YW1kSDQrd3VjVgpjQXpmUlhtbEVpbnIyaXlXQW5ycEZzdGlSeHRySDRFTytqb25MbXpmUlNOVnoxL0xXd0lEQVFBQm8xTXdVVEFkCkJnTlZIUTRFRmdRVWxJMXJ6b3FNZlZxbHFKZkJzYWt6bXJVZjl6OHdId1lEVlIwakJCZ3dGb0FVbEkxcnpvcU0KZlZxbHFKZkJzYWt6bXJVZjl6OHdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBZ0VBZXEwMTJPWGxNRE9OUVNaSXRnd3pUaURsVHE1MzNCekkrak50cWVUTzBZZUNwTGZYRlROUXFxdyt6WVFuCi80UVlacW5lSUhkTnByaFlkZDdORUc5ak5jaXV0dW4vZUNaZXZYVktPc3d6VHk3a2l5Nm9Rek1hZklVZ2dMMTUKV2JFZlU5c3JjT0xBOXFVN2MvUHdPQURzdEhQTVBuZ3Z4UzdqWmw2Z0cwNUFVMGcyYXF2bkRiVmtmY3M2SUxMUgpFRnNUTXBLK1lHaWhBU1NrUTBwbVpUTGdEem1HVWdVOFFvejZFWTAwMzZiZzZJbTJKL0RNUU9ic0MvQmVqb1EzCnkxQmJWR1Job0F2bytQYkprd0hzaUE2SythR3RZYXJmSzR2VUpoVEJMb0JHSElNRDlPbkVRc0pDT2JvWnhsVU4KYmwxZVhjOHFzQzVqVmNWOG9TakNWbmVOZ241aW1HYVFLdEVWdjdBYUNvL3RCYXJYNVJucEdKZ1h0bnhuNjVmVApYNUh3NENCR2RIeUtmZTliWjV0K2lFSm1WbTgva2M2Z216V2JmNVZUcmkyTUp0ZEFwWGlnRmxIYzZVK09uMnk5CitYbU9pbWVDbVA5WTNqcGdITkIxVVA0Q2hFSEg0azdmWDFaSkpYeGVLWERJTWFxWmFRYjZ5VCtDbFJvU2lsQSsKQU95dEd4c3B0OVpmemN4ZGRaTUdNYXcrQzlaYW5WTjNRVTZ1Tk0wOGYra2lkRkdJL29vN1pNZ0xaQ1RKWnozSQpINktFSkl1L1ZpWFlONTFlM1ZpV0srNFBBKzZjRXVmZzMwZE52cFExTVVuYW10Sjc2QXQ2UVJnY3NBMzVYemxWCkZ0RlV6VVFkZk1KQnBSVVR1ZEtvK2d0TG9oT1BkZXdYM2xaUVA4QkJCZWdrdlJzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t + pkiCertificateSubject: + email: test-user@example.com + - name: Should not allow policyType PKI but not set pki + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PKI + expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": pki is required when policyType is PKI, and forbidden otherwise" + - name: Should not allow pkiCertificateSubject invalid email + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PKI + pki: + caRootsData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ2ekNDQTZlZ0F3SUJBZ0lVRDVuLzdUMGszUHBVekMvZE5CRUVpWHhDaFVjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JqRUxNQWtHQTFVRUJoTUNSVk14RVRBUEJnTlZCQWNNQ0ZaaGJHVnVZMmxoTVFzd0NRWURWUVFLREFKSgpWREVSTUE4R0ExVUVDd3dJVTJWamRYSnBkSGt4TERBcUJnTlZCQU1NSTB4cGJuVjRaWEpoSUZKdmIzUWdRMlZ5CmRHbG1hV05oZEdVZ1FYVjBhRzl5YVhSNU1DQVhEVEkwTURneE1ERTNNVFF3TTFvWUR6SXdOVEV4TWpJMk1UY3gKTkRBeldqQnVNUXN3Q1FZRFZRUUdFd0pGVXpFUk1BOEdBMVVFQnd3SVZtRnNaVzVqYVdFeEN6QUpCZ05WQkFvTQpBa2xVTVJFd0R3WURWUVFMREFoVFpXTjFjbWwwZVRFc01Db0dBMVVFQXd3alRHbHVkWGhsY21FZ1VtOXZkQ0JEClpYSjBhV1pwWTJGMFpTQkJkWFJvYjNKcGRIa3dnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUsKQW9JQ0FRQ1h5ekpBSGRlY0NES0tpdFN4MlN0d215RWdUc2psRHhMdUpEUlZkUGVYZWpNTzVZQ1lxdW4raXl6awpkZm5jZ3k4TTlOTHU1bWZUSWpUZ3dLRVBHWHhpQjZ4VXVtNjRPUmt2RUVnT0oyV3JWV3M5NHJLL21iaTB4eUl1ClZjTlNFT0M0Ry9OY2VmYlFJY3JJNk5PV0xsRTN3WEFlRlNQVTNDTnJlbzV5NGlkNEtmR29oWlN1QXJJNkxZQzcKTm0vRlQ5cGgzZW5JdTBubVFjUGZYaU0xS2E2ZWpKK3hHMk5TdXRFL1dWVTNUL0JPVWM5b3MvWUJSbHlvakZGbwpkSHZ4L2lLRGpWZXBFOGRySXZMa1c1OEFoUXZNbmh4VVErWk1YdHhYaDlyVXZzOTdEdjNsdE85ek91STRaTGVsCmt2ZjRvWW5PbGltQm1SNk5zZlAvaUNZR1dLVVQ2VmUxZTZFbGkzaG5COElOQ2tzQmF1cEYxZ0YyeWpOakYyc2sKQnowcmoydjFFb2ZsSEhsZ1BnM2NyYkNON2RoSnF6RHhGQmFaeXdXRjZjYzFNYjVDMUgrUFFudXVGOEI2L0JTQQp0VEF5M3hpNUVlcWhxeGNxdG5BS0pnSXc3Q0dTUHZGQ280OG5lVzlmdERlNkFrcEpTMjhBNVBRVCtuZDY1T3VjClpqbnBGNzhGdkE5aXdsSjNxaE90WE5DWVlQOVhMWnNvSjNJK2ZLaEQ0dE9kRklta3dFS3RYUW9xRGtuUmdKeEYKMmFrNDdndnZuQkpKa1o4ZEhpYU85ZWlzL1R3Q2p2ekhQbk9oaEZqWmRmNlFOTlVMVERXcGp3YW1kSDQrd3VjVgpjQXpmUlhtbEVpbnIyaXlXQW5ycEZzdGlSeHRySDRFTytqb25MbXpmUlNOVnoxL0xXd0lEQVFBQm8xTXdVVEFkCkJnTlZIUTRFRmdRVWxJMXJ6b3FNZlZxbHFKZkJzYWt6bXJVZjl6OHdId1lEVlIwakJCZ3dGb0FVbEkxcnpvcU0KZlZxbHFKZkJzYWt6bXJVZjl6OHdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBZ0VBZXEwMTJPWGxNRE9OUVNaSXRnd3pUaURsVHE1MzNCekkrak50cWVUTzBZZUNwTGZYRlROUXFxdyt6WVFuCi80UVlacW5lSUhkTnByaFlkZDdORUc5ak5jaXV0dW4vZUNaZXZYVktPc3d6VHk3a2l5Nm9Rek1hZklVZ2dMMTUKV2JFZlU5c3JjT0xBOXFVN2MvUHdPQURzdEhQTVBuZ3Z4UzdqWmw2Z0cwNUFVMGcyYXF2bkRiVmtmY3M2SUxMUgpFRnNUTXBLK1lHaWhBU1NrUTBwbVpUTGdEem1HVWdVOFFvejZFWTAwMzZiZzZJbTJKL0RNUU9ic0MvQmVqb1EzCnkxQmJWR1Job0F2bytQYkprd0hzaUE2SythR3RZYXJmSzR2VUpoVEJMb0JHSElNRDlPbkVRc0pDT2JvWnhsVU4KYmwxZVhjOHFzQzVqVmNWOG9TakNWbmVOZ241aW1HYVFLdEVWdjdBYUNvL3RCYXJYNVJucEdKZ1h0bnhuNjVmVApYNUh3NENCR2RIeUtmZTliWjV0K2lFSm1WbTgva2M2Z216V2JmNVZUcmkyTUp0ZEFwWGlnRmxIYzZVK09uMnk5CitYbU9pbWVDbVA5WTNqcGdITkIxVVA0Q2hFSEg0azdmWDFaSkpYeGVLWERJTWFxWmFRYjZ5VCtDbFJvU2lsQSsKQU95dEd4c3B0OVpmemN4ZGRaTUdNYXcrQzlaYW5WTjNRVTZ1Tk0wOGYra2lkRkdJL29vN1pNZ0xaQ1RKWnozSQpINktFSkl1L1ZpWFlONTFlM1ZpV0srNFBBKzZjRXVmZzMwZE52cFExTVVuYW10Sjc2QXQ2UVJnY3NBMzVYemxWCkZ0RlV6VVFkZk1KQnBSVVR1ZEtvK2d0TG9oT1BkZXdYM2xaUVA4QkJCZWdrdlJzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t + pkiCertificateSubject: + email: invalid-email + expectedError: "spec.policy.rootOfTrust.pki.pkiCertificateSubject.email: Invalid value: \"string\": invalid email address" + - name: Should not allow pkiCertificateSubject invalid hostname + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PKI + pki: + caRootsData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ2ekNDQTZlZ0F3SUJBZ0lVRDVuLzdUMGszUHBVekMvZE5CRUVpWHhDaFVjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JqRUxNQWtHQTFVRUJoTUNSVk14RVRBUEJnTlZCQWNNQ0ZaaGJHVnVZMmxoTVFzd0NRWURWUVFLREFKSgpWREVSTUE4R0ExVUVDd3dJVTJWamRYSnBkSGt4TERBcUJnTlZCQU1NSTB4cGJuVjRaWEpoSUZKdmIzUWdRMlZ5CmRHbG1hV05oZEdVZ1FYVjBhRzl5YVhSNU1DQVhEVEkwTURneE1ERTNNVFF3TTFvWUR6SXdOVEV4TWpJMk1UY3gKTkRBeldqQnVNUXN3Q1FZRFZRUUdFd0pGVXpFUk1BOEdBMVVFQnd3SVZtRnNaVzVqYVdFeEN6QUpCZ05WQkFvTQpBa2xVTVJFd0R3WURWUVFMREFoVFpXTjFjbWwwZVRFc01Db0dBMVVFQXd3alRHbHVkWGhsY21FZ1VtOXZkQ0JEClpYSjBhV1pwWTJGMFpTQkJkWFJvYjNKcGRIa3dnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUsKQW9JQ0FRQ1h5ekpBSGRlY0NES0tpdFN4MlN0d215RWdUc2psRHhMdUpEUlZkUGVYZWpNTzVZQ1lxdW4raXl6awpkZm5jZ3k4TTlOTHU1bWZUSWpUZ3dLRVBHWHhpQjZ4VXVtNjRPUmt2RUVnT0oyV3JWV3M5NHJLL21iaTB4eUl1ClZjTlNFT0M0Ry9OY2VmYlFJY3JJNk5PV0xsRTN3WEFlRlNQVTNDTnJlbzV5NGlkNEtmR29oWlN1QXJJNkxZQzcKTm0vRlQ5cGgzZW5JdTBubVFjUGZYaU0xS2E2ZWpKK3hHMk5TdXRFL1dWVTNUL0JPVWM5b3MvWUJSbHlvakZGbwpkSHZ4L2lLRGpWZXBFOGRySXZMa1c1OEFoUXZNbmh4VVErWk1YdHhYaDlyVXZzOTdEdjNsdE85ek91STRaTGVsCmt2ZjRvWW5PbGltQm1SNk5zZlAvaUNZR1dLVVQ2VmUxZTZFbGkzaG5COElOQ2tzQmF1cEYxZ0YyeWpOakYyc2sKQnowcmoydjFFb2ZsSEhsZ1BnM2NyYkNON2RoSnF6RHhGQmFaeXdXRjZjYzFNYjVDMUgrUFFudXVGOEI2L0JTQQp0VEF5M3hpNUVlcWhxeGNxdG5BS0pnSXc3Q0dTUHZGQ280OG5lVzlmdERlNkFrcEpTMjhBNVBRVCtuZDY1T3VjClpqbnBGNzhGdkE5aXdsSjNxaE90WE5DWVlQOVhMWnNvSjNJK2ZLaEQ0dE9kRklta3dFS3RYUW9xRGtuUmdKeEYKMmFrNDdndnZuQkpKa1o4ZEhpYU85ZWlzL1R3Q2p2ekhQbk9oaEZqWmRmNlFOTlVMVERXcGp3YW1kSDQrd3VjVgpjQXpmUlhtbEVpbnIyaXlXQW5ycEZzdGlSeHRySDRFTytqb25MbXpmUlNOVnoxL0xXd0lEQVFBQm8xTXdVVEFkCkJnTlZIUTRFRmdRVWxJMXJ6b3FNZlZxbHFKZkJzYWt6bXJVZjl6OHdId1lEVlIwakJCZ3dGb0FVbEkxcnpvcU0KZlZxbHFKZkJzYWt6bXJVZjl6OHdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBZ0VBZXEwMTJPWGxNRE9OUVNaSXRnd3pUaURsVHE1MzNCekkrak50cWVUTzBZZUNwTGZYRlROUXFxdyt6WVFuCi80UVlacW5lSUhkTnByaFlkZDdORUc5ak5jaXV0dW4vZUNaZXZYVktPc3d6VHk3a2l5Nm9Rek1hZklVZ2dMMTUKV2JFZlU5c3JjT0xBOXFVN2MvUHdPQURzdEhQTVBuZ3Z4UzdqWmw2Z0cwNUFVMGcyYXF2bkRiVmtmY3M2SUxMUgpFRnNUTXBLK1lHaWhBU1NrUTBwbVpUTGdEem1HVWdVOFFvejZFWTAwMzZiZzZJbTJKL0RNUU9ic0MvQmVqb1EzCnkxQmJWR1Job0F2bytQYkprd0hzaUE2SythR3RZYXJmSzR2VUpoVEJMb0JHSElNRDlPbkVRc0pDT2JvWnhsVU4KYmwxZVhjOHFzQzVqVmNWOG9TakNWbmVOZ241aW1HYVFLdEVWdjdBYUNvL3RCYXJYNVJucEdKZ1h0bnhuNjVmVApYNUh3NENCR2RIeUtmZTliWjV0K2lFSm1WbTgva2M2Z216V2JmNVZUcmkyTUp0ZEFwWGlnRmxIYzZVK09uMnk5CitYbU9pbWVDbVA5WTNqcGdITkIxVVA0Q2hFSEg0azdmWDFaSkpYeGVLWERJTWFxWmFRYjZ5VCtDbFJvU2lsQSsKQU95dEd4c3B0OVpmemN4ZGRaTUdNYXcrQzlaYW5WTjNRVTZ1Tk0wOGYra2lkRkdJL29vN1pNZ0xaQ1RKWnozSQpINktFSkl1L1ZpWFlONTFlM1ZpV0srNFBBKzZjRXVmZzMwZE52cFExTVVuYW10Sjc2QXQ2UVJnY3NBMzVYemxWCkZ0RlV6VVFkZk1KQnBSVVR1ZEtvK2d0TG9oT1BkZXdYM2xaUVA4QkJCZWdrdlJzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t + pkiCertificateSubject: + hostname: invaild-.com + expectedError: "spec.policy.rootOfTrust.pki.pkiCertificateSubject.hostname: Invalid value: \"string\": hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.'. It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk." + - name: Should not allow poliyType PKI but not set pki + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PKI + pki: {} + expectedError: "spec.policy.rootOfTrust.pki.caRootsData: Required value, spec.policy.rootOfTrust.pki.pkiCertificateSubject: Required value, : Invalid value: \"null\": some validation rules were not checked because the object was invalid; correct the existing errors to complete validation" + - name: Should not allow caRootsData not encoded from PEM + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PKI + pki: + caRootsData: Zm9vIGJhcg== + pkiCertificateSubject: + email: test-user@example.com + expectedError: "spec.policy.rootOfTrust.pki.caRootsData: Invalid value: \"string\": the caRootsData must start with base64 encoding of '-----BEGIN CERTIFICATE-----'." + - name: PRM start and end markers must match if multiple CA root intermediates are provided. + initial: | + apiVersion: config.openshift.io/v1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PKI + pki: + caRootsData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQpNSUlGMXpDQ0E3K2dBd0lCQWdJVUhWTExqbVQxVVRYcDRoS3hJT3NDOWRNOERuTXdEUVlKS29aSWh2Y05BUUVMCkJRQXdiakVMTUFrR0ExVUVCaE1DUlZNeEVUQVBCZ05WQkFjTUNGWmhiR1Z1WTJsaE1Rc3dDUVlEVlFRS0RBSkoKVkRFUk1BOEdBMVVFQ3d3SVUyVmpkWEpwZEhreExEQXFCZ05WQkFNTUkweHBiblY0WlhKaElGSnZiM1FnUTJWeQpkR2xtYVdOaGRHVWdRWFYwYUc5eWFYUjVNQ0FYRFRJME1EZ3hNREUzTVRRd05Gb1lEekl3TlRFeE1qSTJNVGN4Ck5EQTBXakIyTVFzd0NRWURWUVFHRXdKRlV6RVJNQThHQTFVRUJ3d0lWbUZzWlc1amFXRXhDekFKQmdOVkJBb00KQWtsVU1SRXdEd1lEVlFRTERBaFRaV04xY21sMGVURTBNRElHQTFVRUF3d3JUR2x1ZFhobGNtRWdTVzUwWlhKdApaV1JwWVhSbElFTmxjblJwWm1sallYUmxJRUYxZEdodmNtbDBlVENDQWlJd0RRWUpLb1pJaHZjTkFRRUJCUUFECmdnSVBBRENDQWdvQ2dnSUJBS2IrcUY5M3dVV1dBdUhxZTFldHFja0RLbFR5amlsTmJKS2YxZWkxODNSdCtYM2wKckYzRklYN2F0dHdSTS9EZXNRSTgvYk9tSWpDNnFvTUJqbVVUdG5WclAxUHkxSXd2bWh2cUFESUVJSlNlS1NVMwpzSVJzNG1ldHdVckZrV0hoQXJtWVJSMUdJK2VBdGUxckdoNE9QcWEwcm1FMHpvbEc1dGoxdDB5dUVQSjdDVUlrCndQSGR4amErakRXQ1V5aXBrOGdvNWlwMGhxWkJ1U2tqNDErY0pZbFVTeDZXUHo3NStIZytpdEh0NUhCZGc1T0MKVXNoeVlyVzdzYnJKMDBCREhYYmdzRm9qemh1aXAxQkYzbnNQWWcxU2dwMlZib2JWUjAzOWdJZ0l1NDR6cXA4NApvSkk5Rys4a1V2Ri9OY0g5YWdIZzJpaXZXQnZwS0J2Q3JxV2NZZTNUQ1Z0V3YwWWJqc0RUbGZyMXphVWlqR2RICnM3QTZ2d1RibTNZTlh0SCtjbEx0eVcvMkl0T2x4aTBqTG9yQnp4aURnN283UTh1V2FBQmhYdGRuTExpbVhCU1UKSEludjMzbGFoNDFabXByUTJUT2pOQmZzYytXQ0RLVzFuRzlSciswakYzK3BEb29LV3RnYm9hV0QrQ2JtWUozVQpuZXMrcXp3Q0FTeDN6YU1pNWcyeW1qUjZqakZmSmhvMzlCckEzZXh0dTN0Qys3dnE5R2Fhc0llZDN3MWlhbnpLCnJNWmpDMWVNZTlJbS9ndGZ1QVd6Vk8xR2hUZ3NGTG5MS3NMRTVUaDZmbEVTdWFCOUgyaHBWdWRBekNqM091MjUKejYxSVdaMzE2amM2TDJOREx4WmExZjdXeVBhMWRjVlRHeDFuc1o1dTgzRkthc2VQMXArYzU2dEtmUC9GQWdNQgpBQUdqWXpCaE1CMEdBMVVkRGdRV0JCUkJYM3Z0WEgzcWRBNlNqUGtjTTJNTjRjQ1J1ekFMQmdOVkhROEVCQU1DCkFnUXdFZ1lEVlIwVEFRSC9CQWd3QmdFQi93SUJBakFmQmdOVkhTTUVHREFXZ0JTVWpXdk9pb3g5V3FXb2w4R3gKcVRPYXRSLzNQekFOQmdrcWhraUc5dzBCQVFzRkFBT0NBZ0VBTDNIQ2xYbVNEbjRyd1lrbzVVY2swVkp4ZDBPZApVWTRmYThtRXoxdFVuSjF0TU1qdkh4c2dNY2ZJTXNDbldkMEREaDVQK2V0QmYwbHd6R0xLdGhIRXZ4RTZZU3ZvClYyYnpxRjdUT2trd3VKZEFYdGIwRGRPejJ2T2ZFcnBhNnpjWkFGcmFwdnhyaVdkZGR4bk1SQWkwRHkzZ2RqYS8KVDc1bzlDRVk5WFdlZTY4bFlVVXpuUm1IRFU3ek5vUWtVSmw0ajVJWkllT2pwU2d3ejF1NFhIMGs0bnVGYXJ0Vwpab1Z2UWMwZURtUE44cktJYWdvejRRNzlPbm9lek03ZG1GZERXcitNVDIzY3hpMStlZ3VPTmdpOE8vYVhBUk5TCkJiUHI5aS9VTGI4K0h5VmJ6T1lZdHE0NXhnMmdDYTRGYnM0ejZjUkovRU45eTFaQnpwT3paRmdzOXJFeU1XQmIKdW0zYnZ0MHRtOGxKUDMwMWhuemRGRi9FZ2FPL2Z6bVZsVk5yTDNUcURZYmdwTWxOakI5MzlkOVhxMGZRUkZFWApWQTVUckFadGk3NktzYUpmZlRycjJOR201SW9CRHNseEV0ZWo3R2pvWUNzZmcrZ2RlbVJTWEliSFAvNmhLK09UCkpsNmNETy95Wmp4QkE0a3h6WERCUUhhL1pJM3UvQlJKRm40bFZiNkM1bzFwTGxrQ0ROSEF3Qmd6QjFnS05lVWQKaUhLYzN1Y3lHQ1BkWTE1eFJxdFhDUUkyYmZQQkp5cEJuMktYMjlSOFQ1ejhBTW5FdFphQXVkdm81MExLRHprdgpUQ25WRDVpRjltenRUWTdrekJNSXJFaTQ4bTJMMG5XQ2VyMk9TRWVrdjlsUFJKUUJQaFNUOEdrZnlDWnlnSWZ3CmdiQzNrNUVrS3NweUZJRT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= + pkiCertificateSubject: + email: test-user@example.com + expectedError: "spec.policy.rootOfTrust.pki.caRootsData: Invalid value: \"string\": caRootsData must be base64 encoding of valid PEM format data contain the same number of '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' markers." diff --git a/config/v1/tests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml b/config/v1/tests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml new file mode 100644 index 00000000000..0103be186cb --- /dev/null +++ b/config/v1/tests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml @@ -0,0 +1,453 @@ +apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this +name: "ImagePolicy" +crdName: imagepolicies.config.openshift.io +featureGates: +- SigstoreImageVerification +tests: + onCreate: + - name: Should be able to create a minimal ImagePolicy with policyType PublicKey + initial: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + expected: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + - name: Should be able to create a minimal ImagePolicy with policyType FulcioCAWithRekor + initial: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: FulcioCAWithRekor + fulcioCAWithRekor: + fulcioCAData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ2ekNDQTZlZ0F3SUJBZ0lVRDVuLzdUMGszUHBVekMvZE5CRUVpWHhDaFVjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JqRUxNQWtHQTFVRUJoTUNSVk14RVRBUEJnTlZCQWNNQ0ZaaGJHVnVZMmxoTVFzd0NRWURWUVFLREFKSgpWREVSTUE4R0ExVUVDd3dJVTJWamRYSnBkSGt4TERBcUJnTlZCQU1NSTB4cGJuVjRaWEpoSUZKdmIzUWdRMlZ5CmRHbG1hV05oZEdVZ1FYVjBhRzl5YVhSNU1DQVhEVEkwTURneE1ERTNNVFF3TTFvWUR6SXdOVEV4TWpJMk1UY3gKTkRBeldqQnVNUXN3Q1FZRFZRUUdFd0pGVXpFUk1BOEdBMVVFQnd3SVZtRnNaVzVqYVdFeEN6QUpCZ05WQkFvTQpBa2xVTVJFd0R3WURWUVFMREFoVFpXTjFjbWwwZVRFc01Db0dBMVVFQXd3alRHbHVkWGhsY21FZ1VtOXZkQ0JEClpYSjBhV1pwWTJGMFpTQkJkWFJvYjNKcGRIa3dnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUsKQW9JQ0FRQ1h5ekpBSGRlY0NES0tpdFN4MlN0d215RWdUc2psRHhMdUpEUlZkUGVYZWpNTzVZQ1lxdW4raXl6awpkZm5jZ3k4TTlOTHU1bWZUSWpUZ3dLRVBHWHhpQjZ4VXVtNjRPUmt2RUVnT0oyV3JWV3M5NHJLL21iaTB4eUl1ClZjTlNFT0M0Ry9OY2VmYlFJY3JJNk5PV0xsRTN3WEFlRlNQVTNDTnJlbzV5NGlkNEtmR29oWlN1QXJJNkxZQzcKTm0vRlQ5cGgzZW5JdTBubVFjUGZYaU0xS2E2ZWpKK3hHMk5TdXRFL1dWVTNUL0JPVWM5b3MvWUJSbHlvakZGbwpkSHZ4L2lLRGpWZXBFOGRySXZMa1c1OEFoUXZNbmh4VVErWk1YdHhYaDlyVXZzOTdEdjNsdE85ek91STRaTGVsCmt2ZjRvWW5PbGltQm1SNk5zZlAvaUNZR1dLVVQ2VmUxZTZFbGkzaG5COElOQ2tzQmF1cEYxZ0YyeWpOakYyc2sKQnowcmoydjFFb2ZsSEhsZ1BnM2NyYkNON2RoSnF6RHhGQmFaeXdXRjZjYzFNYjVDMUgrUFFudXVGOEI2L0JTQQp0VEF5M3hpNUVlcWhxeGNxdG5BS0pnSXc3Q0dTUHZGQ280OG5lVzlmdERlNkFrcEpTMjhBNVBRVCtuZDY1T3VjClpqbnBGNzhGdkE5aXdsSjNxaE90WE5DWVlQOVhMWnNvSjNJK2ZLaEQ0dE9kRklta3dFS3RYUW9xRGtuUmdKeEYKMmFrNDdndnZuQkpKa1o4ZEhpYU85ZWlzL1R3Q2p2ekhQbk9oaEZqWmRmNlFOTlVMVERXcGp3YW1kSDQrd3VjVgpjQXpmUlhtbEVpbnIyaXlXQW5ycEZzdGlSeHRySDRFTytqb25MbXpmUlNOVnoxL0xXd0lEQVFBQm8xTXdVVEFkCkJnTlZIUTRFRmdRVWxJMXJ6b3FNZlZxbHFKZkJzYWt6bXJVZjl6OHdId1lEVlIwakJCZ3dGb0FVbEkxcnpvcU0KZlZxbHFKZkJzYWt6bXJVZjl6OHdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBZ0VBZXEwMTJPWGxNRE9OUVNaSXRnd3pUaURsVHE1MzNCekkrak50cWVUTzBZZUNwTGZYRlROUXFxdyt6WVFuCi80UVlacW5lSUhkTnByaFlkZDdORUc5ak5jaXV0dW4vZUNaZXZYVktPc3d6VHk3a2l5Nm9Rek1hZklVZ2dMMTUKV2JFZlU5c3JjT0xBOXFVN2MvUHdPQURzdEhQTVBuZ3Z4UzdqWmw2Z0cwNUFVMGcyYXF2bkRiVmtmY3M2SUxMUgpFRnNUTXBLK1lHaWhBU1NrUTBwbVpUTGdEem1HVWdVOFFvejZFWTAwMzZiZzZJbTJKL0RNUU9ic0MvQmVqb1EzCnkxQmJWR1Job0F2bytQYkprd0hzaUE2SythR3RZYXJmSzR2VUpoVEJMb0JHSElNRDlPbkVRc0pDT2JvWnhsVU4KYmwxZVhjOHFzQzVqVmNWOG9TakNWbmVOZ241aW1HYVFLdEVWdjdBYUNvL3RCYXJYNVJucEdKZ1h0bnhuNjVmVApYNUh3NENCR2RIeUtmZTliWjV0K2lFSm1WbTgva2M2Z216V2JmNVZUcmkyTUp0ZEFwWGlnRmxIYzZVK09uMnk5CitYbU9pbWVDbVA5WTNqcGdITkIxVVA0Q2hFSEg0azdmWDFaSkpYeGVLWERJTWFxWmFRYjZ5VCtDbFJvU2lsQSsKQU95dEd4c3B0OVpmemN4ZGRaTUdNYXcrQzlaYW5WTjNRVTZ1Tk0wOGYra2lkRkdJL29vN1pNZ0xaQ1RKWnozSQpINktFSkl1L1ZpWFlONTFlM1ZpV0srNFBBKzZjRXVmZzMwZE52cFExTVVuYW10Sjc2QXQ2UVJnY3NBMzVYemxWCkZ0RlV6VVFkZk1KQnBSVVR1ZEtvK2d0TG9oT1BkZXdYM2xaUVA4QkJCZWdrdlJzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t + rekorKeyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFMkcyWSsydGFiZFRWNUJjR2lCSXgwYTlmQUZ3cgprQmJtTFNHdGtzNEwzcVg2eVlZMHp1ZkJuaEM4VXIvaXk1NUdoV1AvOUEvYlkyTGhDMzBNOStSWXR3PT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg== + fulcioSubject: + oidcIssuer: https://oidc.localhost + signedEmail: test-user@example.com + expected: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: FulcioCAWithRekor + fulcioCAWithRekor: + fulcioCAData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ2ekNDQTZlZ0F3SUJBZ0lVRDVuLzdUMGszUHBVekMvZE5CRUVpWHhDaFVjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JqRUxNQWtHQTFVRUJoTUNSVk14RVRBUEJnTlZCQWNNQ0ZaaGJHVnVZMmxoTVFzd0NRWURWUVFLREFKSgpWREVSTUE4R0ExVUVDd3dJVTJWamRYSnBkSGt4TERBcUJnTlZCQU1NSTB4cGJuVjRaWEpoSUZKdmIzUWdRMlZ5CmRHbG1hV05oZEdVZ1FYVjBhRzl5YVhSNU1DQVhEVEkwTURneE1ERTNNVFF3TTFvWUR6SXdOVEV4TWpJMk1UY3gKTkRBeldqQnVNUXN3Q1FZRFZRUUdFd0pGVXpFUk1BOEdBMVVFQnd3SVZtRnNaVzVqYVdFeEN6QUpCZ05WQkFvTQpBa2xVTVJFd0R3WURWUVFMREFoVFpXTjFjbWwwZVRFc01Db0dBMVVFQXd3alRHbHVkWGhsY21FZ1VtOXZkQ0JEClpYSjBhV1pwWTJGMFpTQkJkWFJvYjNKcGRIa3dnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUsKQW9JQ0FRQ1h5ekpBSGRlY0NES0tpdFN4MlN0d215RWdUc2psRHhMdUpEUlZkUGVYZWpNTzVZQ1lxdW4raXl6awpkZm5jZ3k4TTlOTHU1bWZUSWpUZ3dLRVBHWHhpQjZ4VXVtNjRPUmt2RUVnT0oyV3JWV3M5NHJLL21iaTB4eUl1ClZjTlNFT0M0Ry9OY2VmYlFJY3JJNk5PV0xsRTN3WEFlRlNQVTNDTnJlbzV5NGlkNEtmR29oWlN1QXJJNkxZQzcKTm0vRlQ5cGgzZW5JdTBubVFjUGZYaU0xS2E2ZWpKK3hHMk5TdXRFL1dWVTNUL0JPVWM5b3MvWUJSbHlvakZGbwpkSHZ4L2lLRGpWZXBFOGRySXZMa1c1OEFoUXZNbmh4VVErWk1YdHhYaDlyVXZzOTdEdjNsdE85ek91STRaTGVsCmt2ZjRvWW5PbGltQm1SNk5zZlAvaUNZR1dLVVQ2VmUxZTZFbGkzaG5COElOQ2tzQmF1cEYxZ0YyeWpOakYyc2sKQnowcmoydjFFb2ZsSEhsZ1BnM2NyYkNON2RoSnF6RHhGQmFaeXdXRjZjYzFNYjVDMUgrUFFudXVGOEI2L0JTQQp0VEF5M3hpNUVlcWhxeGNxdG5BS0pnSXc3Q0dTUHZGQ280OG5lVzlmdERlNkFrcEpTMjhBNVBRVCtuZDY1T3VjClpqbnBGNzhGdkE5aXdsSjNxaE90WE5DWVlQOVhMWnNvSjNJK2ZLaEQ0dE9kRklta3dFS3RYUW9xRGtuUmdKeEYKMmFrNDdndnZuQkpKa1o4ZEhpYU85ZWlzL1R3Q2p2ekhQbk9oaEZqWmRmNlFOTlVMVERXcGp3YW1kSDQrd3VjVgpjQXpmUlhtbEVpbnIyaXlXQW5ycEZzdGlSeHRySDRFTytqb25MbXpmUlNOVnoxL0xXd0lEQVFBQm8xTXdVVEFkCkJnTlZIUTRFRmdRVWxJMXJ6b3FNZlZxbHFKZkJzYWt6bXJVZjl6OHdId1lEVlIwakJCZ3dGb0FVbEkxcnpvcU0KZlZxbHFKZkJzYWt6bXJVZjl6OHdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBZ0VBZXEwMTJPWGxNRE9OUVNaSXRnd3pUaURsVHE1MzNCekkrak50cWVUTzBZZUNwTGZYRlROUXFxdyt6WVFuCi80UVlacW5lSUhkTnByaFlkZDdORUc5ak5jaXV0dW4vZUNaZXZYVktPc3d6VHk3a2l5Nm9Rek1hZklVZ2dMMTUKV2JFZlU5c3JjT0xBOXFVN2MvUHdPQURzdEhQTVBuZ3Z4UzdqWmw2Z0cwNUFVMGcyYXF2bkRiVmtmY3M2SUxMUgpFRnNUTXBLK1lHaWhBU1NrUTBwbVpUTGdEem1HVWdVOFFvejZFWTAwMzZiZzZJbTJKL0RNUU9ic0MvQmVqb1EzCnkxQmJWR1Job0F2bytQYkprd0hzaUE2SythR3RZYXJmSzR2VUpoVEJMb0JHSElNRDlPbkVRc0pDT2JvWnhsVU4KYmwxZVhjOHFzQzVqVmNWOG9TakNWbmVOZ241aW1HYVFLdEVWdjdBYUNvL3RCYXJYNVJucEdKZ1h0bnhuNjVmVApYNUh3NENCR2RIeUtmZTliWjV0K2lFSm1WbTgva2M2Z216V2JmNVZUcmkyTUp0ZEFwWGlnRmxIYzZVK09uMnk5CitYbU9pbWVDbVA5WTNqcGdITkIxVVA0Q2hFSEg0azdmWDFaSkpYeGVLWERJTWFxWmFRYjZ5VCtDbFJvU2lsQSsKQU95dEd4c3B0OVpmemN4ZGRaTUdNYXcrQzlaYW5WTjNRVTZ1Tk0wOGYra2lkRkdJL29vN1pNZ0xaQ1RKWnozSQpINktFSkl1L1ZpWFlONTFlM1ZpV0srNFBBKzZjRXVmZzMwZE52cFExTVVuYW10Sjc2QXQ2UVJnY3NBMzVYemxWCkZ0RlV6VVFkZk1KQnBSVVR1ZEtvK2d0TG9oT1BkZXdYM2xaUVA4QkJCZWdrdlJzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t + rekorKeyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFMkcyWSsydGFiZFRWNUJjR2lCSXgwYTlmQUZ3cgprQmJtTFNHdGtzNEwzcVg2eVlZMHp1ZkJuaEM4VXIvaXk1NUdoV1AvOUEvYlkyTGhDMzBNOStSWXR3PT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg== + fulcioSubject: + oidcIssuer: https://oidc.localhost + signedEmail: test-user@example.com + - name: Should not allow policyType PublicKey but not set publicKey + initial: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + FulcioCAWithRekor: + fulcioCAData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ2ekNDQTZlZ0F3SUJBZ0lVRDVuLzdUMGszUHBVekMvZE5CRUVpWHhDaFVjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JqRUxNQWtHQTFVRUJoTUNSVk14RVRBUEJnTlZCQWNNQ0ZaaGJHVnVZMmxoTVFzd0NRWURWUVFLREFKSgpWREVSTUE4R0ExVUVDd3dJVTJWamRYSnBkSGt4TERBcUJnTlZCQU1NSTB4cGJuVjRaWEpoSUZKdmIzUWdRMlZ5CmRHbG1hV05oZEdVZ1FYVjBhRzl5YVhSNU1DQVhEVEkwTURneE1ERTNNVFF3TTFvWUR6SXdOVEV4TWpJMk1UY3gKTkRBeldqQnVNUXN3Q1FZRFZRUUdFd0pGVXpFUk1BOEdBMVVFQnd3SVZtRnNaVzVqYVdFeEN6QUpCZ05WQkFvTQpBa2xVTVJFd0R3WURWUVFMREFoVFpXTjFjbWwwZVRFc01Db0dBMVVFQXd3alRHbHVkWGhsY21FZ1VtOXZkQ0JEClpYSjBhV1pwWTJGMFpTQkJkWFJvYjNKcGRIa3dnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUsKQW9JQ0FRQ1h5ekpBSGRlY0NES0tpdFN4MlN0d215RWdUc2psRHhMdUpEUlZkUGVYZWpNTzVZQ1lxdW4raXl6awpkZm5jZ3k4TTlOTHU1bWZUSWpUZ3dLRVBHWHhpQjZ4VXVtNjRPUmt2RUVnT0oyV3JWV3M5NHJLL21iaTB4eUl1ClZjTlNFT0M0Ry9OY2VmYlFJY3JJNk5PV0xsRTN3WEFlRlNQVTNDTnJlbzV5NGlkNEtmR29oWlN1QXJJNkxZQzcKTm0vRlQ5cGgzZW5JdTBubVFjUGZYaU0xS2E2ZWpKK3hHMk5TdXRFL1dWVTNUL0JPVWM5b3MvWUJSbHlvakZGbwpkSHZ4L2lLRGpWZXBFOGRySXZMa1c1OEFoUXZNbmh4VVErWk1YdHhYaDlyVXZzOTdEdjNsdE85ek91STRaTGVsCmt2ZjRvWW5PbGltQm1SNk5zZlAvaUNZR1dLVVQ2VmUxZTZFbGkzaG5COElOQ2tzQmF1cEYxZ0YyeWpOakYyc2sKQnowcmoydjFFb2ZsSEhsZ1BnM2NyYkNON2RoSnF6RHhGQmFaeXdXRjZjYzFNYjVDMUgrUFFudXVGOEI2L0JTQQp0VEF5M3hpNUVlcWhxeGNxdG5BS0pnSXc3Q0dTUHZGQ280OG5lVzlmdERlNkFrcEpTMjhBNVBRVCtuZDY1T3VjClpqbnBGNzhGdkE5aXdsSjNxaE90WE5DWVlQOVhMWnNvSjNJK2ZLaEQ0dE9kRklta3dFS3RYUW9xRGtuUmdKeEYKMmFrNDdndnZuQkpKa1o4ZEhpYU85ZWlzL1R3Q2p2ekhQbk9oaEZqWmRmNlFOTlVMVERXcGp3YW1kSDQrd3VjVgpjQXpmUlhtbEVpbnIyaXlXQW5ycEZzdGlSeHRySDRFTytqb25MbXpmUlNOVnoxL0xXd0lEQVFBQm8xTXdVVEFkCkJnTlZIUTRFRmdRVWxJMXJ6b3FNZlZxbHFKZkJzYWt6bXJVZjl6OHdId1lEVlIwakJCZ3dGb0FVbEkxcnpvcU0KZlZxbHFKZkJzYWt6bXJVZjl6OHdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBZ0VBZXEwMTJPWGxNRE9OUVNaSXRnd3pUaURsVHE1MzNCekkrak50cWVUTzBZZUNwTGZYRlROUXFxdyt6WVFuCi80UVlacW5lSUhkTnByaFlkZDdORUc5ak5jaXV0dW4vZUNaZXZYVktPc3d6VHk3a2l5Nm9Rek1hZklVZ2dMMTUKV2JFZlU5c3JjT0xBOXFVN2MvUHdPQURzdEhQTVBuZ3Z4UzdqWmw2Z0cwNUFVMGcyYXF2bkRiVmtmY3M2SUxMUgpFRnNUTXBLK1lHaWhBU1NrUTBwbVpUTGdEem1HVWdVOFFvejZFWTAwMzZiZzZJbTJKL0RNUU9ic0MvQmVqb1EzCnkxQmJWR1Job0F2bytQYkprd0hzaUE2SythR3RZYXJmSzR2VUpoVEJMb0JHSElNRDlPbkVRc0pDT2JvWnhsVU4KYmwxZVhjOHFzQzVqVmNWOG9TakNWbmVOZ241aW1HYVFLdEVWdjdBYUNvL3RCYXJYNVJucEdKZ1h0bnhuNjVmVApYNUh3NENCR2RIeUtmZTliWjV0K2lFSm1WbTgva2M2Z216V2JmNVZUcmkyTUp0ZEFwWGlnRmxIYzZVK09uMnk5CitYbU9pbWVDbVA5WTNqcGdITkIxVVA0Q2hFSEg0azdmWDFaSkpYeGVLWERJTWFxWmFRYjZ5VCtDbFJvU2lsQSsKQU95dEd4c3B0OVpmemN4ZGRaTUdNYXcrQzlaYW5WTjNRVTZ1Tk0wOGYra2lkRkdJL29vN1pNZ0xaQ1RKWnozSQpINktFSkl1L1ZpWFlONTFlM1ZpV0srNFBBKzZjRXVmZzMwZE52cFExTVVuYW10Sjc2QXQ2UVJnY3NBMzVYemxWCkZ0RlV6VVFkZk1KQnBSVVR1ZEtvK2d0TG9oT1BkZXdYM2xaUVA4QkJCZWdrdlJzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t + rekorKeyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFMkcyWSsydGFiZFRWNUJjR2lCSXgwYTlmQUZ3cgprQmJtTFNHdGtzNEwzcVg2eVlZMHp1ZkJuaEM4VXIvaXk1NUdoV1AvOUEvYlkyTGhDMzBNOStSWXR3PT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg== + fulcioSubject: + oidcIssuer: https://oidc.localhost + signedEmail: test-user@example.com + expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": publicKey is required when policyType is PublicKey, and forbidden otherwise" + - name: Should not allow policyType FulcioCAData but not set fulcioCAWithRekor + initial: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: FulcioCAWithRekor + PublicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise" + - name: Should not allow policyType set but not set corresponding policy + initial: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": publicKey is required when policyType is PublicKey, and forbidden otherwise" + - name: Should not allow policyType set FulcioCAWith but not set corresponding policy + initial: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: FulcioCAWithRekor + expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise" + - name: Should not allow signedIdentity matchPolicy ExactRepository but not set repository + initial: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + signedIdentity: + matchPolicy: ExactRepository + expectedError: "spec.policy.signedIdentity: Invalid value: \"object\": exactRepository is required when matchPolicy is ExactRepository, and forbidden otherwise" + - name: Should not allow signedIdentity matchPolicy RemapIdentity but not set prefixes + initial: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + signedIdentity: + matchPolicy: RemapIdentity + expectedError: "spec.policy.signedIdentity: Invalid value: \"object\": remapIdentity is required when matchPolicy is RemapIdentity, and forbidden otherwise" + - name: Test scope should not allow 'busybox' + initial: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - busybox + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + expectedError: "spec.scopes[0]: Invalid value: \"string\": invalid image scope format, scope must contain a fully qualified domain name or 'localhost'" + - name: Test scope should not allow start with subnamesapces '*.example.com/test' + initial: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - "*.example.com/test" + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + expectedError: "spec.scopes[0]: Invalid value: \"string\": invalid image scope with wildcard, a wildcard can only be at the start of the domain and is only supported for subdomain matching, not path matching" + - name: Test scope should not allow invalid digest + initial: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - example.com/namespace/namespace@sha256:12dsdf + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + expectedError: "spec.scopes[0]: Invalid value: \"string\": invalid repository namespace or image specification in the image scope" + - name: Test should not allow tag in ExactRepository repository + initial: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + signedIdentity: + matchPolicy: ExactRepository + exactRepository: + repository: example.com/namespace/namespace:latest + expectedError: "[spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity, should not include the tag or digest, spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity. The repository or prefix must starts with 'localhost' or a valid '.' separated domain. If contains registry paths, the path component names must start with at least one letter or number, with following parts able to be separated by one period, one or two underscore and multiple dashes.]" + - name: Test should not allow tag in ExactRepository repository + initial: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + signedIdentity: + matchPolicy: ExactRepository + exactRepository: + repository: localhost:1234/namespace/namespace:latest + expectedError: "[spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity, should not include the tag or digest, spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity. The repository or prefix must starts with 'localhost' or a valid '.' separated domain. If contains registry paths, the path component names must start with at least one letter or number, with following parts able to be separated by one period, one or two underscore and multiple dashes.]" + - name: Test should not allow digest in ExactRepository repository + initial: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + signedIdentity: + matchPolicy: ExactRepository + exactRepository: + repository: localhost:1234/namespace/namespace@sha256:b7e686e30346e9ace664fa09c0275262f8b9a443ed56d22165a0e201f6488c13 + expectedError: "[spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity, should not include the tag or digest, spec.policy.signedIdentity.exactRepository.repository: Invalid value: \"string\": invalid repository or prefix in the signedIdentity. The repository or prefix must starts with 'localhost' or a valid '.' separated domain. If contains registry paths, the path component names must start with at least one letter or number, with following parts able to be separated by one period, one or two underscore and multiple dashes.]" + - name: Test should not allow tag in prefix/signedPrefix + initial: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + signedIdentity: + matchPolicy: RemapIdentity + remapIdentity: + prefix: example.com/namespace:latest + signedPrefix: example.com/namespace + expectedError: "[spec.policy.signedIdentity.remapIdentity.prefix: Invalid value: \"string\": invalid repository or prefix in the signedIdentity, should not include the tag or digest, spec.policy.signedIdentity.remapIdentity.prefix: Invalid value: \"string\": invalid repository or prefix in the signedIdentity. The repository or prefix must starts with 'localhost' or a valid '.' separated domain. If contains registry paths, the path component names must start with at least one letter or number, with following parts able to be separated by one period, one or two underscore and multiple dashes.]" + - name: Test should allow valid ExactRepository repository + initial: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + signedIdentity: + matchPolicy: ExactRepository + exactRepository: + repository: example.com + expected: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + signedIdentity: + matchPolicy: ExactRepository + exactRepository: + repository: example.com + - name: Test should allow valid signedIdentity prefix/signedPrefix + initial: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + signedIdentity: + matchPolicy: RemapIdentity + remapIdentity: + prefix: example.com + signedPrefix: mirror.com + expected: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + signedIdentity: + matchPolicy: RemapIdentity + remapIdentity: + prefix: example.com + signedPrefix: mirror.com + - name: Test scope should allow localhost name with port 'localhost:1234/namespace/namespace' + initial: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - localhost:1234/namespace/namespace + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + expected: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - localhost:1234/namespace/namespace + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + - name: Test scope should allow localhost 'localhost/foo/bar' + initial: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - localhost/foo/bar + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + expected: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - localhost/foo/bar + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + - name: Test scope should allow 'example.com/foo/bar' + initial: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - example.com/foo/bar + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + expected: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - example.com/foo/bar + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + - name: Test scope should allow tag 'example.com/foo/bar:latest' + initial: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - example.com/foo/bar:latest + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + expected: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - example.com/foo/bar:latest + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + - name: Test scope should allow full specification digest + initial: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - example.com/namespace/namespace@sha256:b7e686e30346e9ace664fa09c0275262f8b9a443ed56d22165a0e201f6488c13 + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + expected: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - example.com/namespace/namespace@sha256:b7e686e30346e9ace664fa09c0275262f8b9a443ed56d22165a0e201f6488c13 + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + - name: Test scope should allow '*.example.com' + initial: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - "*.example.com" + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t + expected: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - "*.example.com" + policy: + rootOfTrust: + policyType: PublicKey + publicKey: + keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFK0tpN0I3K2tpTFdPSmRQWXBZanRqUmtXVnBxRgpuNHl1TjU2VjZHaGdLRm5SZjJqemlweEFWR084cm0vWUVQU3d2clBORHJqdnA0YlpoNm5NR0Z0NzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t diff --git a/config/v1/tests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml b/config/v1/tests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml new file mode 100644 index 00000000000..60c6b96c873 --- /dev/null +++ b/config/v1/tests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml @@ -0,0 +1,117 @@ +apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this +name: "ImagePolicy" +crdName: imagepolicies.config.openshift.io +featureGates: +- SigstoreImageVerificationPKI +tests: + onCreate: + - name: Should be able to create a minimal ImagePolicy with policyType PKI + initial: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PKI + pki: + caRootsData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ2ekNDQTZlZ0F3SUJBZ0lVRDVuLzdUMGszUHBVekMvZE5CRUVpWHhDaFVjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JqRUxNQWtHQTFVRUJoTUNSVk14RVRBUEJnTlZCQWNNQ0ZaaGJHVnVZMmxoTVFzd0NRWURWUVFLREFKSgpWREVSTUE4R0ExVUVDd3dJVTJWamRYSnBkSGt4TERBcUJnTlZCQU1NSTB4cGJuVjRaWEpoSUZKdmIzUWdRMlZ5CmRHbG1hV05oZEdVZ1FYVjBhRzl5YVhSNU1DQVhEVEkwTURneE1ERTNNVFF3TTFvWUR6SXdOVEV4TWpJMk1UY3gKTkRBeldqQnVNUXN3Q1FZRFZRUUdFd0pGVXpFUk1BOEdBMVVFQnd3SVZtRnNaVzVqYVdFeEN6QUpCZ05WQkFvTQpBa2xVTVJFd0R3WURWUVFMREFoVFpXTjFjbWwwZVRFc01Db0dBMVVFQXd3alRHbHVkWGhsY21FZ1VtOXZkQ0JEClpYSjBhV1pwWTJGMFpTQkJkWFJvYjNKcGRIa3dnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUsKQW9JQ0FRQ1h5ekpBSGRlY0NES0tpdFN4MlN0d215RWdUc2psRHhMdUpEUlZkUGVYZWpNTzVZQ1lxdW4raXl6awpkZm5jZ3k4TTlOTHU1bWZUSWpUZ3dLRVBHWHhpQjZ4VXVtNjRPUmt2RUVnT0oyV3JWV3M5NHJLL21iaTB4eUl1ClZjTlNFT0M0Ry9OY2VmYlFJY3JJNk5PV0xsRTN3WEFlRlNQVTNDTnJlbzV5NGlkNEtmR29oWlN1QXJJNkxZQzcKTm0vRlQ5cGgzZW5JdTBubVFjUGZYaU0xS2E2ZWpKK3hHMk5TdXRFL1dWVTNUL0JPVWM5b3MvWUJSbHlvakZGbwpkSHZ4L2lLRGpWZXBFOGRySXZMa1c1OEFoUXZNbmh4VVErWk1YdHhYaDlyVXZzOTdEdjNsdE85ek91STRaTGVsCmt2ZjRvWW5PbGltQm1SNk5zZlAvaUNZR1dLVVQ2VmUxZTZFbGkzaG5COElOQ2tzQmF1cEYxZ0YyeWpOakYyc2sKQnowcmoydjFFb2ZsSEhsZ1BnM2NyYkNON2RoSnF6RHhGQmFaeXdXRjZjYzFNYjVDMUgrUFFudXVGOEI2L0JTQQp0VEF5M3hpNUVlcWhxeGNxdG5BS0pnSXc3Q0dTUHZGQ280OG5lVzlmdERlNkFrcEpTMjhBNVBRVCtuZDY1T3VjClpqbnBGNzhGdkE5aXdsSjNxaE90WE5DWVlQOVhMWnNvSjNJK2ZLaEQ0dE9kRklta3dFS3RYUW9xRGtuUmdKeEYKMmFrNDdndnZuQkpKa1o4ZEhpYU85ZWlzL1R3Q2p2ekhQbk9oaEZqWmRmNlFOTlVMVERXcGp3YW1kSDQrd3VjVgpjQXpmUlhtbEVpbnIyaXlXQW5ycEZzdGlSeHRySDRFTytqb25MbXpmUlNOVnoxL0xXd0lEQVFBQm8xTXdVVEFkCkJnTlZIUTRFRmdRVWxJMXJ6b3FNZlZxbHFKZkJzYWt6bXJVZjl6OHdId1lEVlIwakJCZ3dGb0FVbEkxcnpvcU0KZlZxbHFKZkJzYWt6bXJVZjl6OHdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBZ0VBZXEwMTJPWGxNRE9OUVNaSXRnd3pUaURsVHE1MzNCekkrak50cWVUTzBZZUNwTGZYRlROUXFxdyt6WVFuCi80UVlacW5lSUhkTnByaFlkZDdORUc5ak5jaXV0dW4vZUNaZXZYVktPc3d6VHk3a2l5Nm9Rek1hZklVZ2dMMTUKV2JFZlU5c3JjT0xBOXFVN2MvUHdPQURzdEhQTVBuZ3Z4UzdqWmw2Z0cwNUFVMGcyYXF2bkRiVmtmY3M2SUxMUgpFRnNUTXBLK1lHaWhBU1NrUTBwbVpUTGdEem1HVWdVOFFvejZFWTAwMzZiZzZJbTJKL0RNUU9ic0MvQmVqb1EzCnkxQmJWR1Job0F2bytQYkprd0hzaUE2SythR3RZYXJmSzR2VUpoVEJMb0JHSElNRDlPbkVRc0pDT2JvWnhsVU4KYmwxZVhjOHFzQzVqVmNWOG9TakNWbmVOZ241aW1HYVFLdEVWdjdBYUNvL3RCYXJYNVJucEdKZ1h0bnhuNjVmVApYNUh3NENCR2RIeUtmZTliWjV0K2lFSm1WbTgva2M2Z216V2JmNVZUcmkyTUp0ZEFwWGlnRmxIYzZVK09uMnk5CitYbU9pbWVDbVA5WTNqcGdITkIxVVA0Q2hFSEg0azdmWDFaSkpYeGVLWERJTWFxWmFRYjZ5VCtDbFJvU2lsQSsKQU95dEd4c3B0OVpmemN4ZGRaTUdNYXcrQzlaYW5WTjNRVTZ1Tk0wOGYra2lkRkdJL29vN1pNZ0xaQ1RKWnozSQpINktFSkl1L1ZpWFlONTFlM1ZpV0srNFBBKzZjRXVmZzMwZE52cFExTVVuYW10Sjc2QXQ2UVJnY3NBMzVYemxWCkZ0RlV6VVFkZk1KQnBSVVR1ZEtvK2d0TG9oT1BkZXdYM2xaUVA4QkJCZWdrdlJzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t + pkiCertificateSubject: + email: test-user@example.com + expected: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PKI + pki: + caRootsData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ2ekNDQTZlZ0F3SUJBZ0lVRDVuLzdUMGszUHBVekMvZE5CRUVpWHhDaFVjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JqRUxNQWtHQTFVRUJoTUNSVk14RVRBUEJnTlZCQWNNQ0ZaaGJHVnVZMmxoTVFzd0NRWURWUVFLREFKSgpWREVSTUE4R0ExVUVDd3dJVTJWamRYSnBkSGt4TERBcUJnTlZCQU1NSTB4cGJuVjRaWEpoSUZKdmIzUWdRMlZ5CmRHbG1hV05oZEdVZ1FYVjBhRzl5YVhSNU1DQVhEVEkwTURneE1ERTNNVFF3TTFvWUR6SXdOVEV4TWpJMk1UY3gKTkRBeldqQnVNUXN3Q1FZRFZRUUdFd0pGVXpFUk1BOEdBMVVFQnd3SVZtRnNaVzVqYVdFeEN6QUpCZ05WQkFvTQpBa2xVTVJFd0R3WURWUVFMREFoVFpXTjFjbWwwZVRFc01Db0dBMVVFQXd3alRHbHVkWGhsY21FZ1VtOXZkQ0JEClpYSjBhV1pwWTJGMFpTQkJkWFJvYjNKcGRIa3dnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUsKQW9JQ0FRQ1h5ekpBSGRlY0NES0tpdFN4MlN0d215RWdUc2psRHhMdUpEUlZkUGVYZWpNTzVZQ1lxdW4raXl6awpkZm5jZ3k4TTlOTHU1bWZUSWpUZ3dLRVBHWHhpQjZ4VXVtNjRPUmt2RUVnT0oyV3JWV3M5NHJLL21iaTB4eUl1ClZjTlNFT0M0Ry9OY2VmYlFJY3JJNk5PV0xsRTN3WEFlRlNQVTNDTnJlbzV5NGlkNEtmR29oWlN1QXJJNkxZQzcKTm0vRlQ5cGgzZW5JdTBubVFjUGZYaU0xS2E2ZWpKK3hHMk5TdXRFL1dWVTNUL0JPVWM5b3MvWUJSbHlvakZGbwpkSHZ4L2lLRGpWZXBFOGRySXZMa1c1OEFoUXZNbmh4VVErWk1YdHhYaDlyVXZzOTdEdjNsdE85ek91STRaTGVsCmt2ZjRvWW5PbGltQm1SNk5zZlAvaUNZR1dLVVQ2VmUxZTZFbGkzaG5COElOQ2tzQmF1cEYxZ0YyeWpOakYyc2sKQnowcmoydjFFb2ZsSEhsZ1BnM2NyYkNON2RoSnF6RHhGQmFaeXdXRjZjYzFNYjVDMUgrUFFudXVGOEI2L0JTQQp0VEF5M3hpNUVlcWhxeGNxdG5BS0pnSXc3Q0dTUHZGQ280OG5lVzlmdERlNkFrcEpTMjhBNVBRVCtuZDY1T3VjClpqbnBGNzhGdkE5aXdsSjNxaE90WE5DWVlQOVhMWnNvSjNJK2ZLaEQ0dE9kRklta3dFS3RYUW9xRGtuUmdKeEYKMmFrNDdndnZuQkpKa1o4ZEhpYU85ZWlzL1R3Q2p2ekhQbk9oaEZqWmRmNlFOTlVMVERXcGp3YW1kSDQrd3VjVgpjQXpmUlhtbEVpbnIyaXlXQW5ycEZzdGlSeHRySDRFTytqb25MbXpmUlNOVnoxL0xXd0lEQVFBQm8xTXdVVEFkCkJnTlZIUTRFRmdRVWxJMXJ6b3FNZlZxbHFKZkJzYWt6bXJVZjl6OHdId1lEVlIwakJCZ3dGb0FVbEkxcnpvcU0KZlZxbHFKZkJzYWt6bXJVZjl6OHdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBZ0VBZXEwMTJPWGxNRE9OUVNaSXRnd3pUaURsVHE1MzNCekkrak50cWVUTzBZZUNwTGZYRlROUXFxdyt6WVFuCi80UVlacW5lSUhkTnByaFlkZDdORUc5ak5jaXV0dW4vZUNaZXZYVktPc3d6VHk3a2l5Nm9Rek1hZklVZ2dMMTUKV2JFZlU5c3JjT0xBOXFVN2MvUHdPQURzdEhQTVBuZ3Z4UzdqWmw2Z0cwNUFVMGcyYXF2bkRiVmtmY3M2SUxMUgpFRnNUTXBLK1lHaWhBU1NrUTBwbVpUTGdEem1HVWdVOFFvejZFWTAwMzZiZzZJbTJKL0RNUU9ic0MvQmVqb1EzCnkxQmJWR1Job0F2bytQYkprd0hzaUE2SythR3RZYXJmSzR2VUpoVEJMb0JHSElNRDlPbkVRc0pDT2JvWnhsVU4KYmwxZVhjOHFzQzVqVmNWOG9TakNWbmVOZ241aW1HYVFLdEVWdjdBYUNvL3RCYXJYNVJucEdKZ1h0bnhuNjVmVApYNUh3NENCR2RIeUtmZTliWjV0K2lFSm1WbTgva2M2Z216V2JmNVZUcmkyTUp0ZEFwWGlnRmxIYzZVK09uMnk5CitYbU9pbWVDbVA5WTNqcGdITkIxVVA0Q2hFSEg0azdmWDFaSkpYeGVLWERJTWFxWmFRYjZ5VCtDbFJvU2lsQSsKQU95dEd4c3B0OVpmemN4ZGRaTUdNYXcrQzlaYW5WTjNRVTZ1Tk0wOGYra2lkRkdJL29vN1pNZ0xaQ1RKWnozSQpINktFSkl1L1ZpWFlONTFlM1ZpV0srNFBBKzZjRXVmZzMwZE52cFExTVVuYW10Sjc2QXQ2UVJnY3NBMzVYemxWCkZ0RlV6VVFkZk1KQnBSVVR1ZEtvK2d0TG9oT1BkZXdYM2xaUVA4QkJCZWdrdlJzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t + pkiCertificateSubject: + email: test-user@example.com + - name: Should not allow policyType PKI but not set pki + initial: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PKI + expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": pki is required when policyType is PKI, and forbidden otherwise" + - name: Should not allow pkiCertificateSubject invalid email + initial: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PKI + pki: + caRootsData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ2ekNDQTZlZ0F3SUJBZ0lVRDVuLzdUMGszUHBVekMvZE5CRUVpWHhDaFVjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JqRUxNQWtHQTFVRUJoTUNSVk14RVRBUEJnTlZCQWNNQ0ZaaGJHVnVZMmxoTVFzd0NRWURWUVFLREFKSgpWREVSTUE4R0ExVUVDd3dJVTJWamRYSnBkSGt4TERBcUJnTlZCQU1NSTB4cGJuVjRaWEpoSUZKdmIzUWdRMlZ5CmRHbG1hV05oZEdVZ1FYVjBhRzl5YVhSNU1DQVhEVEkwTURneE1ERTNNVFF3TTFvWUR6SXdOVEV4TWpJMk1UY3gKTkRBeldqQnVNUXN3Q1FZRFZRUUdFd0pGVXpFUk1BOEdBMVVFQnd3SVZtRnNaVzVqYVdFeEN6QUpCZ05WQkFvTQpBa2xVTVJFd0R3WURWUVFMREFoVFpXTjFjbWwwZVRFc01Db0dBMVVFQXd3alRHbHVkWGhsY21FZ1VtOXZkQ0JEClpYSjBhV1pwWTJGMFpTQkJkWFJvYjNKcGRIa3dnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUsKQW9JQ0FRQ1h5ekpBSGRlY0NES0tpdFN4MlN0d215RWdUc2psRHhMdUpEUlZkUGVYZWpNTzVZQ1lxdW4raXl6awpkZm5jZ3k4TTlOTHU1bWZUSWpUZ3dLRVBHWHhpQjZ4VXVtNjRPUmt2RUVnT0oyV3JWV3M5NHJLL21iaTB4eUl1ClZjTlNFT0M0Ry9OY2VmYlFJY3JJNk5PV0xsRTN3WEFlRlNQVTNDTnJlbzV5NGlkNEtmR29oWlN1QXJJNkxZQzcKTm0vRlQ5cGgzZW5JdTBubVFjUGZYaU0xS2E2ZWpKK3hHMk5TdXRFL1dWVTNUL0JPVWM5b3MvWUJSbHlvakZGbwpkSHZ4L2lLRGpWZXBFOGRySXZMa1c1OEFoUXZNbmh4VVErWk1YdHhYaDlyVXZzOTdEdjNsdE85ek91STRaTGVsCmt2ZjRvWW5PbGltQm1SNk5zZlAvaUNZR1dLVVQ2VmUxZTZFbGkzaG5COElOQ2tzQmF1cEYxZ0YyeWpOakYyc2sKQnowcmoydjFFb2ZsSEhsZ1BnM2NyYkNON2RoSnF6RHhGQmFaeXdXRjZjYzFNYjVDMUgrUFFudXVGOEI2L0JTQQp0VEF5M3hpNUVlcWhxeGNxdG5BS0pnSXc3Q0dTUHZGQ280OG5lVzlmdERlNkFrcEpTMjhBNVBRVCtuZDY1T3VjClpqbnBGNzhGdkE5aXdsSjNxaE90WE5DWVlQOVhMWnNvSjNJK2ZLaEQ0dE9kRklta3dFS3RYUW9xRGtuUmdKeEYKMmFrNDdndnZuQkpKa1o4ZEhpYU85ZWlzL1R3Q2p2ekhQbk9oaEZqWmRmNlFOTlVMVERXcGp3YW1kSDQrd3VjVgpjQXpmUlhtbEVpbnIyaXlXQW5ycEZzdGlSeHRySDRFTytqb25MbXpmUlNOVnoxL0xXd0lEQVFBQm8xTXdVVEFkCkJnTlZIUTRFRmdRVWxJMXJ6b3FNZlZxbHFKZkJzYWt6bXJVZjl6OHdId1lEVlIwakJCZ3dGb0FVbEkxcnpvcU0KZlZxbHFKZkJzYWt6bXJVZjl6OHdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBZ0VBZXEwMTJPWGxNRE9OUVNaSXRnd3pUaURsVHE1MzNCekkrak50cWVUTzBZZUNwTGZYRlROUXFxdyt6WVFuCi80UVlacW5lSUhkTnByaFlkZDdORUc5ak5jaXV0dW4vZUNaZXZYVktPc3d6VHk3a2l5Nm9Rek1hZklVZ2dMMTUKV2JFZlU5c3JjT0xBOXFVN2MvUHdPQURzdEhQTVBuZ3Z4UzdqWmw2Z0cwNUFVMGcyYXF2bkRiVmtmY3M2SUxMUgpFRnNUTXBLK1lHaWhBU1NrUTBwbVpUTGdEem1HVWdVOFFvejZFWTAwMzZiZzZJbTJKL0RNUU9ic0MvQmVqb1EzCnkxQmJWR1Job0F2bytQYkprd0hzaUE2SythR3RZYXJmSzR2VUpoVEJMb0JHSElNRDlPbkVRc0pDT2JvWnhsVU4KYmwxZVhjOHFzQzVqVmNWOG9TakNWbmVOZ241aW1HYVFLdEVWdjdBYUNvL3RCYXJYNVJucEdKZ1h0bnhuNjVmVApYNUh3NENCR2RIeUtmZTliWjV0K2lFSm1WbTgva2M2Z216V2JmNVZUcmkyTUp0ZEFwWGlnRmxIYzZVK09uMnk5CitYbU9pbWVDbVA5WTNqcGdITkIxVVA0Q2hFSEg0azdmWDFaSkpYeGVLWERJTWFxWmFRYjZ5VCtDbFJvU2lsQSsKQU95dEd4c3B0OVpmemN4ZGRaTUdNYXcrQzlaYW5WTjNRVTZ1Tk0wOGYra2lkRkdJL29vN1pNZ0xaQ1RKWnozSQpINktFSkl1L1ZpWFlONTFlM1ZpV0srNFBBKzZjRXVmZzMwZE52cFExTVVuYW10Sjc2QXQ2UVJnY3NBMzVYemxWCkZ0RlV6VVFkZk1KQnBSVVR1ZEtvK2d0TG9oT1BkZXdYM2xaUVA4QkJCZWdrdlJzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t + pkiCertificateSubject: + email: invalid-email + expectedError: "spec.policy.rootOfTrust.pki.pkiCertificateSubject.email: Invalid value: \"string\": invalid email address" + - name: Should not allow pkiCertificateSubject invalid hostname + initial: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PKI + pki: + caRootsData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ2ekNDQTZlZ0F3SUJBZ0lVRDVuLzdUMGszUHBVekMvZE5CRUVpWHhDaFVjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JqRUxNQWtHQTFVRUJoTUNSVk14RVRBUEJnTlZCQWNNQ0ZaaGJHVnVZMmxoTVFzd0NRWURWUVFLREFKSgpWREVSTUE4R0ExVUVDd3dJVTJWamRYSnBkSGt4TERBcUJnTlZCQU1NSTB4cGJuVjRaWEpoSUZKdmIzUWdRMlZ5CmRHbG1hV05oZEdVZ1FYVjBhRzl5YVhSNU1DQVhEVEkwTURneE1ERTNNVFF3TTFvWUR6SXdOVEV4TWpJMk1UY3gKTkRBeldqQnVNUXN3Q1FZRFZRUUdFd0pGVXpFUk1BOEdBMVVFQnd3SVZtRnNaVzVqYVdFeEN6QUpCZ05WQkFvTQpBa2xVTVJFd0R3WURWUVFMREFoVFpXTjFjbWwwZVRFc01Db0dBMVVFQXd3alRHbHVkWGhsY21FZ1VtOXZkQ0JEClpYSjBhV1pwWTJGMFpTQkJkWFJvYjNKcGRIa3dnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUsKQW9JQ0FRQ1h5ekpBSGRlY0NES0tpdFN4MlN0d215RWdUc2psRHhMdUpEUlZkUGVYZWpNTzVZQ1lxdW4raXl6awpkZm5jZ3k4TTlOTHU1bWZUSWpUZ3dLRVBHWHhpQjZ4VXVtNjRPUmt2RUVnT0oyV3JWV3M5NHJLL21iaTB4eUl1ClZjTlNFT0M0Ry9OY2VmYlFJY3JJNk5PV0xsRTN3WEFlRlNQVTNDTnJlbzV5NGlkNEtmR29oWlN1QXJJNkxZQzcKTm0vRlQ5cGgzZW5JdTBubVFjUGZYaU0xS2E2ZWpKK3hHMk5TdXRFL1dWVTNUL0JPVWM5b3MvWUJSbHlvakZGbwpkSHZ4L2lLRGpWZXBFOGRySXZMa1c1OEFoUXZNbmh4VVErWk1YdHhYaDlyVXZzOTdEdjNsdE85ek91STRaTGVsCmt2ZjRvWW5PbGltQm1SNk5zZlAvaUNZR1dLVVQ2VmUxZTZFbGkzaG5COElOQ2tzQmF1cEYxZ0YyeWpOakYyc2sKQnowcmoydjFFb2ZsSEhsZ1BnM2NyYkNON2RoSnF6RHhGQmFaeXdXRjZjYzFNYjVDMUgrUFFudXVGOEI2L0JTQQp0VEF5M3hpNUVlcWhxeGNxdG5BS0pnSXc3Q0dTUHZGQ280OG5lVzlmdERlNkFrcEpTMjhBNVBRVCtuZDY1T3VjClpqbnBGNzhGdkE5aXdsSjNxaE90WE5DWVlQOVhMWnNvSjNJK2ZLaEQ0dE9kRklta3dFS3RYUW9xRGtuUmdKeEYKMmFrNDdndnZuQkpKa1o4ZEhpYU85ZWlzL1R3Q2p2ekhQbk9oaEZqWmRmNlFOTlVMVERXcGp3YW1kSDQrd3VjVgpjQXpmUlhtbEVpbnIyaXlXQW5ycEZzdGlSeHRySDRFTytqb25MbXpmUlNOVnoxL0xXd0lEQVFBQm8xTXdVVEFkCkJnTlZIUTRFRmdRVWxJMXJ6b3FNZlZxbHFKZkJzYWt6bXJVZjl6OHdId1lEVlIwakJCZ3dGb0FVbEkxcnpvcU0KZlZxbHFKZkJzYWt6bXJVZjl6OHdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBZ0VBZXEwMTJPWGxNRE9OUVNaSXRnd3pUaURsVHE1MzNCekkrak50cWVUTzBZZUNwTGZYRlROUXFxdyt6WVFuCi80UVlacW5lSUhkTnByaFlkZDdORUc5ak5jaXV0dW4vZUNaZXZYVktPc3d6VHk3a2l5Nm9Rek1hZklVZ2dMMTUKV2JFZlU5c3JjT0xBOXFVN2MvUHdPQURzdEhQTVBuZ3Z4UzdqWmw2Z0cwNUFVMGcyYXF2bkRiVmtmY3M2SUxMUgpFRnNUTXBLK1lHaWhBU1NrUTBwbVpUTGdEem1HVWdVOFFvejZFWTAwMzZiZzZJbTJKL0RNUU9ic0MvQmVqb1EzCnkxQmJWR1Job0F2bytQYkprd0hzaUE2SythR3RZYXJmSzR2VUpoVEJMb0JHSElNRDlPbkVRc0pDT2JvWnhsVU4KYmwxZVhjOHFzQzVqVmNWOG9TakNWbmVOZ241aW1HYVFLdEVWdjdBYUNvL3RCYXJYNVJucEdKZ1h0bnhuNjVmVApYNUh3NENCR2RIeUtmZTliWjV0K2lFSm1WbTgva2M2Z216V2JmNVZUcmkyTUp0ZEFwWGlnRmxIYzZVK09uMnk5CitYbU9pbWVDbVA5WTNqcGdITkIxVVA0Q2hFSEg0azdmWDFaSkpYeGVLWERJTWFxWmFRYjZ5VCtDbFJvU2lsQSsKQU95dEd4c3B0OVpmemN4ZGRaTUdNYXcrQzlaYW5WTjNRVTZ1Tk0wOGYra2lkRkdJL29vN1pNZ0xaQ1RKWnozSQpINktFSkl1L1ZpWFlONTFlM1ZpV0srNFBBKzZjRXVmZzMwZE52cFExTVVuYW10Sjc2QXQ2UVJnY3NBMzVYemxWCkZ0RlV6VVFkZk1KQnBSVVR1ZEtvK2d0TG9oT1BkZXdYM2xaUVA4QkJCZWdrdlJzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t + pkiCertificateSubject: + hostname: invaild-.com + expectedError: "spec.policy.rootOfTrust.pki.pkiCertificateSubject.hostname: Invalid value: \"string\": hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.'. It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk." + - name: Should not allow poliyType PKI but not set pki + initial: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PKI + pki: {} + expectedError: "spec.policy.rootOfTrust.pki.caRootsData: Required value, spec.policy.rootOfTrust.pki.pkiCertificateSubject: Required value, : Invalid value: \"null\": some validation rules were not checked because the object was invalid; correct the existing errors to complete validation" + - name: Should not allow caRootsData not encoded from PEM + initial: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PKI + pki: + caRootsData: Zm9vIGJhcg== + pkiCertificateSubject: + email: test-user@example.com + expectedError: "spec.policy.rootOfTrust.pki.caRootsData: Invalid value: \"string\": the caRootsData must start with base64 encoding of '-----BEGIN CERTIFICATE-----'." + - name: PRM start and end markers must match if multiple CA root intermediates are provided. + initial: | + apiVersion: config.openshift.io/v1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PKI + pki: + caRootsData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQpNSUlGMXpDQ0E3K2dBd0lCQWdJVUhWTExqbVQxVVRYcDRoS3hJT3NDOWRNOERuTXdEUVlKS29aSWh2Y05BUUVMCkJRQXdiakVMTUFrR0ExVUVCaE1DUlZNeEVUQVBCZ05WQkFjTUNGWmhiR1Z1WTJsaE1Rc3dDUVlEVlFRS0RBSkoKVkRFUk1BOEdBMVVFQ3d3SVUyVmpkWEpwZEhreExEQXFCZ05WQkFNTUkweHBiblY0WlhKaElGSnZiM1FnUTJWeQpkR2xtYVdOaGRHVWdRWFYwYUc5eWFYUjVNQ0FYRFRJME1EZ3hNREUzTVRRd05Gb1lEekl3TlRFeE1qSTJNVGN4Ck5EQTBXakIyTVFzd0NRWURWUVFHRXdKRlV6RVJNQThHQTFVRUJ3d0lWbUZzWlc1amFXRXhDekFKQmdOVkJBb00KQWtsVU1SRXdEd1lEVlFRTERBaFRaV04xY21sMGVURTBNRElHQTFVRUF3d3JUR2x1ZFhobGNtRWdTVzUwWlhKdApaV1JwWVhSbElFTmxjblJwWm1sallYUmxJRUYxZEdodmNtbDBlVENDQWlJd0RRWUpLb1pJaHZjTkFRRUJCUUFECmdnSVBBRENDQWdvQ2dnSUJBS2IrcUY5M3dVV1dBdUhxZTFldHFja0RLbFR5amlsTmJKS2YxZWkxODNSdCtYM2wKckYzRklYN2F0dHdSTS9EZXNRSTgvYk9tSWpDNnFvTUJqbVVUdG5WclAxUHkxSXd2bWh2cUFESUVJSlNlS1NVMwpzSVJzNG1ldHdVckZrV0hoQXJtWVJSMUdJK2VBdGUxckdoNE9QcWEwcm1FMHpvbEc1dGoxdDB5dUVQSjdDVUlrCndQSGR4amErakRXQ1V5aXBrOGdvNWlwMGhxWkJ1U2tqNDErY0pZbFVTeDZXUHo3NStIZytpdEh0NUhCZGc1T0MKVXNoeVlyVzdzYnJKMDBCREhYYmdzRm9qemh1aXAxQkYzbnNQWWcxU2dwMlZib2JWUjAzOWdJZ0l1NDR6cXA4NApvSkk5Rys4a1V2Ri9OY0g5YWdIZzJpaXZXQnZwS0J2Q3JxV2NZZTNUQ1Z0V3YwWWJqc0RUbGZyMXphVWlqR2RICnM3QTZ2d1RibTNZTlh0SCtjbEx0eVcvMkl0T2x4aTBqTG9yQnp4aURnN283UTh1V2FBQmhYdGRuTExpbVhCU1UKSEludjMzbGFoNDFabXByUTJUT2pOQmZzYytXQ0RLVzFuRzlSciswakYzK3BEb29LV3RnYm9hV0QrQ2JtWUozVQpuZXMrcXp3Q0FTeDN6YU1pNWcyeW1qUjZqakZmSmhvMzlCckEzZXh0dTN0Qys3dnE5R2Fhc0llZDN3MWlhbnpLCnJNWmpDMWVNZTlJbS9ndGZ1QVd6Vk8xR2hUZ3NGTG5MS3NMRTVUaDZmbEVTdWFCOUgyaHBWdWRBekNqM091MjUKejYxSVdaMzE2amM2TDJOREx4WmExZjdXeVBhMWRjVlRHeDFuc1o1dTgzRkthc2VQMXArYzU2dEtmUC9GQWdNQgpBQUdqWXpCaE1CMEdBMVVkRGdRV0JCUkJYM3Z0WEgzcWRBNlNqUGtjTTJNTjRjQ1J1ekFMQmdOVkhROEVCQU1DCkFnUXdFZ1lEVlIwVEFRSC9CQWd3QmdFQi93SUJBakFmQmdOVkhTTUVHREFXZ0JTVWpXdk9pb3g5V3FXb2w4R3gKcVRPYXRSLzNQekFOQmdrcWhraUc5dzBCQVFzRkFBT0NBZ0VBTDNIQ2xYbVNEbjRyd1lrbzVVY2swVkp4ZDBPZApVWTRmYThtRXoxdFVuSjF0TU1qdkh4c2dNY2ZJTXNDbldkMEREaDVQK2V0QmYwbHd6R0xLdGhIRXZ4RTZZU3ZvClYyYnpxRjdUT2trd3VKZEFYdGIwRGRPejJ2T2ZFcnBhNnpjWkFGcmFwdnhyaVdkZGR4bk1SQWkwRHkzZ2RqYS8KVDc1bzlDRVk5WFdlZTY4bFlVVXpuUm1IRFU3ek5vUWtVSmw0ajVJWkllT2pwU2d3ejF1NFhIMGs0bnVGYXJ0Vwpab1Z2UWMwZURtUE44cktJYWdvejRRNzlPbm9lek03ZG1GZERXcitNVDIzY3hpMStlZ3VPTmdpOE8vYVhBUk5TCkJiUHI5aS9VTGI4K0h5VmJ6T1lZdHE0NXhnMmdDYTRGYnM0ejZjUkovRU45eTFaQnpwT3paRmdzOXJFeU1XQmIKdW0zYnZ0MHRtOGxKUDMwMWhuemRGRi9FZ2FPL2Z6bVZsVk5yTDNUcURZYmdwTWxOakI5MzlkOVhxMGZRUkZFWApWQTVUckFadGk3NktzYUpmZlRycjJOR201SW9CRHNseEV0ZWo3R2pvWUNzZmcrZ2RlbVJTWEliSFAvNmhLK09UCkpsNmNETy95Wmp4QkE0a3h6WERCUUhhL1pJM3UvQlJKRm40bFZiNkM1bzFwTGxrQ0ROSEF3Qmd6QjFnS05lVWQKaUhLYzN1Y3lHQ1BkWTE1eFJxdFhDUUkyYmZQQkp5cEJuMktYMjlSOFQ1ejhBTW5FdFphQXVkdm81MExLRHprdgpUQ25WRDVpRjltenRUWTdrekJNSXJFaTQ4bTJMMG5XQ2VyMk9TRWVrdjlsUFJKUUJQaFNUOEdrZnlDWnlnSWZ3CmdiQzNrNUVrS3NweUZJRT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= + pkiCertificateSubject: + email: test-user@example.com + expectedError: "spec.policy.rootOfTrust.pki.caRootsData: Invalid value: \"string\": caRootsData must be base64 encoding of valid PEM format data contain the same number of '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' markers." diff --git a/config/v1/types_cluster_image_policy.go b/config/v1/types_cluster_image_policy.go new file mode 100644 index 00000000000..ca604e05c5b --- /dev/null +++ b/config/v1/types_cluster_image_policy.go @@ -0,0 +1,87 @@ +package v1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// +genclient +// +genclient:nonNamespaced +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// ClusterImagePolicy holds cluster-wide configuration for image signature verification +// +// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). +// +kubebuilder:object:root=true +// +kubebuilder:resource:path=clusterimagepolicies,scope=Cluster +// +kubebuilder:subresource:status +// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/2310 +// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01 +// +openshift:enable:FeatureGate=SigstoreImageVerification +// +openshift:compatibility-gen:level=1 +type ClusterImagePolicy struct { + metav1.TypeMeta `json:",inline"` + + // metadata is the standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metav1.ObjectMeta `json:"metadata"` + + // spec contains the configuration for the cluster image policy. + // +required + Spec ClusterImagePolicySpec `json:"spec"` + // status contains the observed state of the resource. + // +optional + Status ClusterImagePolicyStatus `json:"status"` +} + +// CLusterImagePolicySpec is the specification of the ClusterImagePolicy custom resource. +type ClusterImagePolicySpec struct { + // scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". + // Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). + // More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository + // namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). + // Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. + // This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. + // In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories + // quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. + // If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. + // For additional details about the format, please refer to the document explaining the docker transport field, + // which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker + // +required + // +kubebuilder:validation:MaxItems=256 + // +listType=set + Scopes []ImageScope `json:"scopes"` + // policy is a required field that contains configuration to allow scopes to be verified, and defines how + // images not matching the verification policy will be treated. + // +required + Policy Policy `json:"policy"` +} + +// +k8s:deepcopy-gen=true +type ClusterImagePolicyStatus struct { + // conditions provide details on the status of this API Resource. + // +kubebuilder:validation:MaxItems=8 + // +kubebuilder:validation:MinItems=1 + // +listType=map + // +listMapKey=type + // +optional + Conditions []metav1.Condition `json:"conditions,omitempty"` +} + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// ClusterImagePolicyList is a list of ClusterImagePolicy resources +// +// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). +// +openshift:compatibility-gen:level=1 +type ClusterImagePolicyList struct { + metav1.TypeMeta `json:",inline"` + + // metadata is the standard list's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +required + metav1.ListMeta `json:"metadata"` + + // items is a list of ClusterImagePolices + // +kubebuilder:validation:MaxItems=1000 + // +required + Items []ClusterImagePolicy `json:"items"` +} diff --git a/config/v1/types_image_policy.go b/config/v1/types_image_policy.go new file mode 100644 index 00000000000..54bd21adb4e --- /dev/null +++ b/config/v1/types_image_policy.go @@ -0,0 +1,322 @@ +package v1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// ImagePolicy holds namespace-wide configuration for image signature verification +// +// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). +// +kubebuilder:object:root=true +// +kubebuilder:resource:path=imagepolicies,scope=Namespaced +// +kubebuilder:subresource:status +// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/2310 +// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01 +// +openshift:enable:FeatureGate=SigstoreImageVerification +// +openshift:compatibility-gen:level=1 +type ImagePolicy struct { + metav1.TypeMeta `json:",inline"` + + // metadata is the standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metav1.ObjectMeta `json:"metadata"` + + // spec holds user settable values for configuration + // +required + Spec ImagePolicySpec `json:"spec"` + // status contains the observed state of the resource. + // +optional + Status ImagePolicyStatus `json:"status"` +} + +// ImagePolicySpec is the specification of the ImagePolicy CRD. +type ImagePolicySpec struct { + // scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". + // Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). + // More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository + // namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). + // Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. + // This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. + // In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories + // quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. + // If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. + // For additional details about the format, please refer to the document explaining the docker transport field, + // which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker + // +required + // +kubebuilder:validation:MaxItems=256 + // +listType=set + Scopes []ImageScope `json:"scopes"` + // policy is a required field that contains configuration to allow scopes to be verified, and defines how + // images not matching the verification policy will be treated. + // +required + Policy Policy `json:"policy"` +} + +// +kubebuilder:validation:XValidation:rule="size(self.split('/')[0].split('.')) == 1 ? self.split('/')[0].split('.')[0].split(':')[0] == 'localhost' : true",message="invalid image scope format, scope must contain a fully qualified domain name or 'localhost'" +// +kubebuilder:validation:XValidation:rule=`self.contains('*') ? self.matches('^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$') : true`,message="invalid image scope with wildcard, a wildcard can only be at the start of the domain and is only supported for subdomain matching, not path matching" +// +kubebuilder:validation:XValidation:rule=`!self.contains('*') ? self.matches('^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$') : true`,message="invalid repository namespace or image specification in the image scope" +// +kubebuilder:validation:MaxLength=512 +type ImageScope string + +// Policy defines the verification policy for the items in the scopes list. +type Policy struct { + // rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. + // This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. + // +required + RootOfTrust PolicyRootOfTrust `json:"rootOfTrust"` + // signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. + // The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". + // +optional + SignedIdentity *PolicyIdentity `json:"signedIdentity,omitempty"` +} + +// PolicyRootOfTrust defines the root of trust based on the selected policyType. +// +union +// +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'PublicKey' ? has(self.publicKey) : !has(self.publicKey)",message="publicKey is required when policyType is PublicKey, and forbidden otherwise" +// +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'FulcioCAWithRekor' ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)",message="fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise" +// +openshift:validation:FeatureGateAwareXValidation:featureGate=SigstoreImageVerificationPKI,rule="has(self.policyType) && self.policyType == 'PKI' ? has(self.pki) : !has(self.pki)",message="pki is required when policyType is PKI, and forbidden otherwise" +type PolicyRootOfTrust struct { + // policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. + // Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". + // When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. + // When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. + // When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + // +unionDiscriminator + // +required + PolicyType PolicyType `json:"policyType"` + // publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. + // publicKey is required when policyType is PublicKey, and forbidden otherwise. + // +optional + PublicKey *PublicKey `json:"publicKey,omitempty"` + // fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. + // fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise + // For more information about Fulcio and Rekor, please refer to the document at: + // https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor + // +optional + FulcioCAWithRekor *FulcioCAWithRekor `json:"fulcioCAWithRekor,omitempty"` + // pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. + // pki is required when policyType is PKI, and forbidden otherwise. + // +optional + // +openshift:enable:FeatureGate=SigstoreImageVerificationPKI + PKI *PKI `json:"pki,omitempty"` +} + +// +openshift:validation:FeatureGateAwareEnum:featureGate="",enum=PublicKey;FulcioCAWithRekor +// +openshift:validation:FeatureGateAwareEnum:featureGate=SigstoreImageVerificationPKI,enum=PublicKey;FulcioCAWithRekor;PKI +type PolicyType string + +const ( + PublicKeyRootOfTrust PolicyType = "PublicKey" + FulcioCAWithRekorRootOfTrust PolicyType = "FulcioCAWithRekor" + PKIRootOfTrust PolicyType = "PKI" +) + +// PublicKey defines the root of trust based on a sigstore public key. +type PublicKey struct { + // keyData is a required field contains inline base64-encoded data for the PEM format public key. + // keyData must be at most 8192 characters. + // +required + // +kubebuilder:validation:MaxLength=8192 + // +kubebuilder:validation:MinLength=68 + // +kubebuilder:validation:XValidation:rule="string(self).startsWith('-----BEGIN PUBLIC KEY-----')",message="the keyData must start with base64 encoding of '-----BEGIN PUBLIC KEY-----'." + // +kubebuilder:validation:XValidation:rule="string(self).endsWith('-----END PUBLIC KEY-----\\n') || string(self).endsWith('-----END PUBLIC KEY-----')",message="the keyData must end with base64 encoding of '-----END PUBLIC KEY-----'." + KeyData []byte `json:"keyData"` + // rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. + // rekorKeyData must be at most 8192 characters. + // +optional + // +kubebuilder:validation:MaxLength=8192 + // +kubebuilder:validation:XValidation:rule="string(self).startsWith('-----BEGIN PUBLIC KEY-----')",message="the rekorKeyData must start with base64 encoding of '-----BEGIN PUBLIC KEY-----'." + // +kubebuilder:validation:XValidation:rule="string(self).endsWith('-----END PUBLIC KEY-----\\n') || string(self).endsWith('-----END PUBLIC KEY-----')",message="the rekorKeyData must end with base64 encoding of '-----END PUBLIC KEY-----'." + RekorKeyData []byte `json:"rekorKeyData,omitempty"` +} + +// FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. +type FulcioCAWithRekor struct { + // fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. + // fulcioCAData must be at most 8192 characters. + // +required + // +kubebuilder:validation:MaxLength=8192 + // +kubebuilder:validation:XValidation:rule="string(self).startsWith('-----BEGIN CERTIFICATE-----')",message="the fulcioCAData must start with base64 encoding of '-----BEGIN CERTIFICATE-----'." + // +kubebuilder:validation:XValidation:rule="string(self).endsWith('-----END CERTIFICATE-----\\n') || string(self).endsWith('-----END CERTIFICATE-----')",message="the fulcioCAData must end with base64 encoding of '-----END CERTIFICATE-----'." + FulcioCAData []byte `json:"fulcioCAData"` + // rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. + // rekorKeyData must be at most 8192 characters. + // +required + // +kubebuilder:validation:MaxLength=8192 + // +kubebuilder:validation:XValidation:rule="string(self).startsWith('-----BEGIN PUBLIC KEY-----')",message="the rekorKeyData must start with base64 encoding of '-----BEGIN PUBLIC KEY-----'." + // +kubebuilder:validation:XValidation:rule="string(self).endsWith('-----END PUBLIC KEY-----\\n') || string(self).endsWith('-----END PUBLIC KEY-----')",message="the rekorKeyData must end with base64 encoding of '-----END PUBLIC KEY-----'." + RekorKeyData []byte `json:"rekorKeyData"` + // fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration. + // +required + FulcioSubject PolicyFulcioSubject `json:"fulcioSubject"` +} + +// PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration. +type PolicyFulcioSubject struct { + // oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. + // It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. + // When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. + // Example: "https://expected.OIDC.issuer/" + // +required + // +kubebuilder:validation:MaxLength=2048 + // +kubebuilder:validation:XValidation:rule="isURL(self)",message="oidcIssuer must be a valid URL" + OIDCIssuer string `json:"oidcIssuer"` + // signedEmail is a required field holds the email address that the Fulcio certificate is issued for. + // The signedEmail must be a valid email address and at most 320 characters in length. + // Example: "expected-signing-user@example.com" + // +required + // +kubebuilder:validation:MaxLength=320 + // +kubebuilder:validation:XValidation:rule=`self.matches('^\\S+@\\S+$')`,message="invalid email address" + SignedEmail string `json:"signedEmail"` +} + +// PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates. +type PKI struct { + // caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. + // +required + // +kubebuilder:validation:MaxLength=8192 + // +kubebuilder:validation:MinLength=72 + // +kubebuilder:validation:XValidation:rule="string(self).startsWith('-----BEGIN CERTIFICATE-----')",message="the caRootsData must start with base64 encoding of '-----BEGIN CERTIFICATE-----'." + // +kubebuilder:validation:XValidation:rule="string(self).endsWith('-----END CERTIFICATE-----\\n') || string(self).endsWith('-----END CERTIFICATE-----')",message="the caRootsData must end with base64 encoding of '-----END CERTIFICATE-----'." + // +kubebuilder:validation:XValidation:rule="string(self).findAll('-----BEGIN CERTIFICATE-----').size() == string(self).findAll('-----END CERTIFICATE-----').size()",message="caRootsData must be base64 encoding of valid PEM format data contain the same number of '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' markers." + CertificateAuthorityRootsData []byte `json:"caRootsData"` + // caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. + // caIntermediatesData requires caRootsData to be set. + // +optional + // +kubebuilder:validation:XValidation:rule="string(self).startsWith('-----BEGIN CERTIFICATE-----')",message="the caIntermediatesData must start with base64 encoding of '-----BEGIN CERTIFICATE-----'." + // +kubebuilder:validation:XValidation:rule="string(self).endsWith('-----END CERTIFICATE-----\\n') || string(self).endsWith('-----END CERTIFICATE-----')",message="the caIntermediatesData must end with base64 encoding of '-----END CERTIFICATE-----'." + // +kubebuilder:validation:XValidation:rule="string(self).findAll('-----BEGIN CERTIFICATE-----').size() == string(self).findAll('-----END CERTIFICATE-----').size()",message="caIntermediatesData must be base64 encoding of valid PEM format data contain the same number of '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' markers." + // +kubebuilder:validation:MaxLength=8192 + // +kubebuilder:validation:MinLength=72 + CertificateAuthorityIntermediatesData []byte `json:"caIntermediatesData,omitempty"` + + // pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued. + // +required + PKICertificateSubject PKICertificateSubject `json:"pkiCertificateSubject"` +} + +// PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued. +// +kubebuilder:validation:XValidation:rule="has(self.email) || has(self.hostname)", message="at least one of email or hostname must be set in pkiCertificateSubject" +// +openshift:enable:FeatureGate=SigstoreImageVerificationPKI +type PKICertificateSubject struct { + // email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. + // The email must be a valid email address and at most 320 characters in length. + // +optional + // +kubebuilder:validation:MaxLength:=320 + // +kubebuilder:validation:XValidation:rule=`self.matches('^\\S+@\\S+$')`,message="invalid email address" + Email string `json:"email,omitempty"` + // hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. + // The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. + // It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk. + // +optional + // +kubebuilder:validation:MaxLength:=253 + // +kubebuilder:validation:XValidation:rule="self.startsWith('*.') ? !format.dns1123Subdomain().validate(self.replace('*.', '', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()",message="hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.'. It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk." + Hostname string `json:"hostname,omitempty"` +} + +// PolicyIdentity defines image identity the signature claims about the image. When omitted, the default matchPolicy is "MatchRepoDigestOrExact". +// +kubebuilder:validation:XValidation:rule="(has(self.matchPolicy) && self.matchPolicy == 'ExactRepository') ? has(self.exactRepository) : !has(self.exactRepository)",message="exactRepository is required when matchPolicy is ExactRepository, and forbidden otherwise" +// +kubebuilder:validation:XValidation:rule="(has(self.matchPolicy) && self.matchPolicy == 'RemapIdentity') ? has(self.remapIdentity) : !has(self.remapIdentity)",message="remapIdentity is required when matchPolicy is RemapIdentity, and forbidden otherwise" +// +union +type PolicyIdentity struct { + // matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. + // Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". + // When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. + // When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity. + // When set to "ExactRepository", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by "repository". + // When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. + // +unionDiscriminator + // +required + MatchPolicy IdentityMatchPolicy `json:"matchPolicy"` + // exactRepository specifies the repository that must be exactly matched by the identity in the signature. + // exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity. + // +optional + PolicyMatchExactRepository *PolicyMatchExactRepository `json:"exactRepository,omitempty"` + // remapIdentity specifies the prefix remapping rule for verifying image identity. + // remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image. + // +optional + PolicyMatchRemapIdentity *PolicyMatchRemapIdentity `json:"remapIdentity,omitempty"` +} + +// +kubebuilder:validation:MaxLength=512 +// +kubebuilder:validation:XValidation:rule=`self.matches('.*:([\\w][\\w.-]{0,127})$')? self.matches('^(localhost:[0-9]+)$'): true`,message="invalid repository or prefix in the signedIdentity, should not include the tag or digest" +// +kubebuilder:validation:XValidation:rule=`self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$')`,message="invalid repository or prefix in the signedIdentity. The repository or prefix must starts with 'localhost' or a valid '.' separated domain. If contains registry paths, the path component names must start with at least one letter or number, with following parts able to be separated by one period, one or two underscore and multiple dashes." +type IdentityRepositoryPrefix string + +type PolicyMatchExactRepository struct { + // repository is the reference of the image identity to be matched. + // repository is required if matchPolicy is set to "ExactRepository". + // The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox + // +required + Repository IdentityRepositoryPrefix `json:"repository"` +} + +type PolicyMatchRemapIdentity struct { + // prefix is required if matchPolicy is set to "RemapIdentity". + // prefix is the prefix of the image identity to be matched. + // If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). + // This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. + // The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + // or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + // For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + // +required + Prefix IdentityRepositoryPrefix `json:"prefix"` + // signedPrefix is required if matchPolicy is set to "RemapIdentity". + // signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + // or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + // For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + // +required + SignedPrefix IdentityRepositoryPrefix `json:"signedPrefix"` +} + +// IdentityMatchPolicy defines the type of matching for "matchPolicy". +// +kubebuilder:validation:Enum=MatchRepoDigestOrExact;MatchRepository;ExactRepository;RemapIdentity +type IdentityMatchPolicy string + +const ( + IdentityMatchPolicyMatchRepoDigestOrExact IdentityMatchPolicy = "MatchRepoDigestOrExact" + IdentityMatchPolicyMatchRepository IdentityMatchPolicy = "MatchRepository" + IdentityMatchPolicyExactRepository IdentityMatchPolicy = "ExactRepository" + IdentityMatchPolicyRemapIdentity IdentityMatchPolicy = "RemapIdentity" +) + +// +k8s:deepcopy-gen=true +type ImagePolicyStatus struct { + // conditions provide details on the status of this API Resource. + // condition type 'Pending' indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid. + // +kubebuilder:validation:MaxItems=8 + // +kubebuilder:validation:MinItems=1 + // +listType=map + // +listMapKey=type + // +optional + Conditions []metav1.Condition `json:"conditions,omitempty"` +} + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// ImagePolicyList is a list of ImagePolicy resources +// +// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). +// +openshift:compatibility-gen:level=1 +type ImagePolicyList struct { + metav1.TypeMeta `json:",inline"` + + // metadata is the standard list's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +required + metav1.ListMeta `json:"metadata"` + + // items is a list of ImagePolicies + // +kubebuilder:validation:MaxItems=1000 + // +required + Items []ImagePolicy `json:"items"` +} + +const ( + // ImagePolicyPending indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid. + ImagePolicyPending = "Pending" + // ImagePolicyApplied indicates that the policy has been applied + ImagePolicyApplied = "Applied" +) diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml new file mode 100644 index 00000000000..8794f271fa0 --- /dev/null +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml @@ -0,0 +1,510 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2310 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: CustomNoUpgrade + name: clusterimagepolicies.config.openshift.io +spec: + group: config.openshift.io + names: + kind: ClusterImagePolicy + listKind: ClusterImagePolicyList + plural: clusterimagepolicies + singular: clusterimagepolicy + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + ClusterImagePolicy holds cluster-wide configuration for image signature verification + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec contains the configuration for the cluster image policy. + properties: + policy: + description: |- + policy is a required field that contains configuration to allow scopes to be verified, and defines how + images not matching the verification policy will be treated. + properties: + rootOfTrust: + description: |- + rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. + This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. + properties: + fulcioCAWithRekor: + description: |- + fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. + fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise + For more information about Fulcio and Rekor, please refer to the document at: + https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor + properties: + fulcioCAData: + description: |- + fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. + fulcioCAData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the fulcioCAData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the fulcioCAData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + fulcioSubject: + description: fulcioSubject is a required field specifies + OIDC issuer and the email of the Fulcio authentication + configuration. + properties: + oidcIssuer: + description: |- + oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. + It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. + When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. + Example: "https://expected.OIDC.issuer/" + maxLength: 2048 + type: string + x-kubernetes-validations: + - message: oidcIssuer must be a valid URL + rule: isURL(self) + signedEmail: + description: |- + signedEmail is a required field holds the email address that the Fulcio certificate is issued for. + The signedEmail must be a valid email address and at most 320 characters in length. + Example: "expected-signing-user@example.com" + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + required: + - oidcIssuer + - signedEmail + type: object + rekorKeyData: + description: |- + rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - fulcioCAData + - fulcioSubject + - rekorKeyData + type: object + pki: + description: |- + pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. + pki is required when policyType is PKI, and forbidden otherwise. + properties: + caIntermediatesData: + description: |- + caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. + caIntermediatesData requires caRootsData to be set. + format: byte + maxLength: 8192 + minLength: 72 + type: string + x-kubernetes-validations: + - message: the caIntermediatesData must start with base64 + encoding of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caIntermediatesData must end with base64 + encoding of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + - message: caIntermediatesData must be base64 encoding + of valid PEM format data contain the same number of + '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' + markers. + rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() + == string(self).findAll('-----END CERTIFICATE-----').size() + caRootsData: + description: caRootsData contains base64-encoded data + of a certificate bundle PEM file, which contains one + or more CA roots in the PEM format. The total length + of the data must not exceed 8192 characters. + format: byte + maxLength: 8192 + minLength: 72 + type: string + x-kubernetes-validations: + - message: the caRootsData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caRootsData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + - message: caRootsData must be base64 encoding of valid + PEM format data contain the same number of '-----BEGIN + CERTIFICATE-----' and '-----END CERTIFICATE-----' + markers. + rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() + == string(self).findAll('-----END CERTIFICATE-----').size() + pkiCertificateSubject: + description: pkiCertificateSubject defines the requirements + imposed on the subject to which the certificate was + issued. + properties: + email: + description: |- + email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. + The email must be a valid email address and at most 320 characters in length. + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + hostname: + description: |- + hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. + The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. + It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: hostname must be a valid dns 1123 subdomain + name, optionally prefixed by '*.'. It must consist + only of lowercase alphanumeric characters, hyphens, + periods and the optional preceding asterisk. + rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', + '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' + type: object + x-kubernetes-validations: + - message: at least one of email or hostname must be set + in pkiCertificateSubject + rule: has(self.email) || has(self.hostname) + required: + - caRootsData + - pkiCertificateSubject + type: object + policyType: + description: |- + policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. + Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". + When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. + When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. + When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + enum: + - PublicKey + - FulcioCAWithRekor + - PKI + type: string + publicKey: + description: |- + publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. + publicKey is required when policyType is PublicKey, and forbidden otherwise. + properties: + keyData: + description: |- + keyData is a required field contains inline base64-encoded data for the PEM format public key. + keyData must be at most 8192 characters. + format: byte + maxLength: 8192 + minLength: 68 + type: string + x-kubernetes-validations: + - message: the keyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the keyData must end with base64 encoding of + '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + rekorKeyData: + description: |- + rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - keyData + type: object + required: + - policyType + type: object + x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' + - message: publicKey is required when policyType is PublicKey, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''PublicKey'' + ? has(self.publicKey) : !has(self.publicKey)' + - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' + ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' + signedIdentity: + description: |- + signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. + The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". + properties: + exactRepository: + description: |- + exactRepository specifies the repository that must be exactly matched by the identity in the signature. + exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity. + properties: + repository: + description: |- + repository is the reference of the image identity to be matched. + repository is required if matchPolicy is set to "ExactRepository". + The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - repository + type: object + matchPolicy: + description: |- + matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. + Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". + When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. + When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity. + When set to "ExactRepository", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by "repository". + When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. + enum: + - MatchRepoDigestOrExact + - MatchRepository + - ExactRepository + - RemapIdentity + type: string + remapIdentity: + description: |- + remapIdentity specifies the prefix remapping rule for verifying image identity. + remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image. + properties: + prefix: + description: |- + prefix is required if matchPolicy is set to "RemapIdentity". + prefix is the prefix of the image identity to be matched. + If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). + This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. + The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + signedPrefix: + description: |- + signedPrefix is required if matchPolicy is set to "RemapIdentity". + signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - prefix + - signedPrefix + type: object + required: + - matchPolicy + type: object + x-kubernetes-validations: + - message: exactRepository is required when matchPolicy is ExactRepository, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') + ? has(self.exactRepository) : !has(self.exactRepository)' + - message: remapIdentity is required when matchPolicy is RemapIdentity, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') + ? has(self.remapIdentity) : !has(self.remapIdentity)' + required: + - rootOfTrust + type: object + scopes: + description: |- + scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". + Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). + More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository + namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). + Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. + This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. + In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories + quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. + If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. + For additional details about the format, please refer to the document explaining the docker transport field, + which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker + items: + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid image scope format, scope must contain a fully + qualified domain name or 'localhost' + rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] + == ''localhost'' : true' + - message: invalid image scope with wildcard, a wildcard can only + be at the start of the domain and is only supported for subdomain + matching, not path matching + rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') + : true' + - message: invalid repository namespace or image specification in + the image scope + rule: '!self.contains(''*'') ? self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') + : true' + maxItems: 256 + type: array + x-kubernetes-list-type: set + required: + - policy + - scopes + type: object + status: + description: status contains the observed state of the resource. + properties: + conditions: + description: conditions provide details on the status of this API + Resource. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..c36e20e2da3 --- /dev/null +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml @@ -0,0 +1,510 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2310 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: DevPreviewNoUpgrade + name: clusterimagepolicies.config.openshift.io +spec: + group: config.openshift.io + names: + kind: ClusterImagePolicy + listKind: ClusterImagePolicyList + plural: clusterimagepolicies + singular: clusterimagepolicy + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + ClusterImagePolicy holds cluster-wide configuration for image signature verification + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec contains the configuration for the cluster image policy. + properties: + policy: + description: |- + policy is a required field that contains configuration to allow scopes to be verified, and defines how + images not matching the verification policy will be treated. + properties: + rootOfTrust: + description: |- + rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. + This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. + properties: + fulcioCAWithRekor: + description: |- + fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. + fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise + For more information about Fulcio and Rekor, please refer to the document at: + https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor + properties: + fulcioCAData: + description: |- + fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. + fulcioCAData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the fulcioCAData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the fulcioCAData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + fulcioSubject: + description: fulcioSubject is a required field specifies + OIDC issuer and the email of the Fulcio authentication + configuration. + properties: + oidcIssuer: + description: |- + oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. + It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. + When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. + Example: "https://expected.OIDC.issuer/" + maxLength: 2048 + type: string + x-kubernetes-validations: + - message: oidcIssuer must be a valid URL + rule: isURL(self) + signedEmail: + description: |- + signedEmail is a required field holds the email address that the Fulcio certificate is issued for. + The signedEmail must be a valid email address and at most 320 characters in length. + Example: "expected-signing-user@example.com" + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + required: + - oidcIssuer + - signedEmail + type: object + rekorKeyData: + description: |- + rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - fulcioCAData + - fulcioSubject + - rekorKeyData + type: object + pki: + description: |- + pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. + pki is required when policyType is PKI, and forbidden otherwise. + properties: + caIntermediatesData: + description: |- + caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. + caIntermediatesData requires caRootsData to be set. + format: byte + maxLength: 8192 + minLength: 72 + type: string + x-kubernetes-validations: + - message: the caIntermediatesData must start with base64 + encoding of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caIntermediatesData must end with base64 + encoding of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + - message: caIntermediatesData must be base64 encoding + of valid PEM format data contain the same number of + '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' + markers. + rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() + == string(self).findAll('-----END CERTIFICATE-----').size() + caRootsData: + description: caRootsData contains base64-encoded data + of a certificate bundle PEM file, which contains one + or more CA roots in the PEM format. The total length + of the data must not exceed 8192 characters. + format: byte + maxLength: 8192 + minLength: 72 + type: string + x-kubernetes-validations: + - message: the caRootsData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caRootsData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + - message: caRootsData must be base64 encoding of valid + PEM format data contain the same number of '-----BEGIN + CERTIFICATE-----' and '-----END CERTIFICATE-----' + markers. + rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() + == string(self).findAll('-----END CERTIFICATE-----').size() + pkiCertificateSubject: + description: pkiCertificateSubject defines the requirements + imposed on the subject to which the certificate was + issued. + properties: + email: + description: |- + email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. + The email must be a valid email address and at most 320 characters in length. + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + hostname: + description: |- + hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. + The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. + It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: hostname must be a valid dns 1123 subdomain + name, optionally prefixed by '*.'. It must consist + only of lowercase alphanumeric characters, hyphens, + periods and the optional preceding asterisk. + rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', + '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' + type: object + x-kubernetes-validations: + - message: at least one of email or hostname must be set + in pkiCertificateSubject + rule: has(self.email) || has(self.hostname) + required: + - caRootsData + - pkiCertificateSubject + type: object + policyType: + description: |- + policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. + Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". + When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. + When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. + When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + enum: + - PublicKey + - FulcioCAWithRekor + - PKI + type: string + publicKey: + description: |- + publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. + publicKey is required when policyType is PublicKey, and forbidden otherwise. + properties: + keyData: + description: |- + keyData is a required field contains inline base64-encoded data for the PEM format public key. + keyData must be at most 8192 characters. + format: byte + maxLength: 8192 + minLength: 68 + type: string + x-kubernetes-validations: + - message: the keyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the keyData must end with base64 encoding of + '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + rekorKeyData: + description: |- + rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - keyData + type: object + required: + - policyType + type: object + x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' + - message: publicKey is required when policyType is PublicKey, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''PublicKey'' + ? has(self.publicKey) : !has(self.publicKey)' + - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' + ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' + signedIdentity: + description: |- + signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. + The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". + properties: + exactRepository: + description: |- + exactRepository specifies the repository that must be exactly matched by the identity in the signature. + exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity. + properties: + repository: + description: |- + repository is the reference of the image identity to be matched. + repository is required if matchPolicy is set to "ExactRepository". + The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - repository + type: object + matchPolicy: + description: |- + matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. + Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". + When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. + When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity. + When set to "ExactRepository", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by "repository". + When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. + enum: + - MatchRepoDigestOrExact + - MatchRepository + - ExactRepository + - RemapIdentity + type: string + remapIdentity: + description: |- + remapIdentity specifies the prefix remapping rule for verifying image identity. + remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image. + properties: + prefix: + description: |- + prefix is required if matchPolicy is set to "RemapIdentity". + prefix is the prefix of the image identity to be matched. + If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). + This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. + The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + signedPrefix: + description: |- + signedPrefix is required if matchPolicy is set to "RemapIdentity". + signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - prefix + - signedPrefix + type: object + required: + - matchPolicy + type: object + x-kubernetes-validations: + - message: exactRepository is required when matchPolicy is ExactRepository, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') + ? has(self.exactRepository) : !has(self.exactRepository)' + - message: remapIdentity is required when matchPolicy is RemapIdentity, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') + ? has(self.remapIdentity) : !has(self.remapIdentity)' + required: + - rootOfTrust + type: object + scopes: + description: |- + scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". + Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). + More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository + namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). + Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. + This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. + In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories + quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. + If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. + For additional details about the format, please refer to the document explaining the docker transport field, + which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker + items: + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid image scope format, scope must contain a fully + qualified domain name or 'localhost' + rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] + == ''localhost'' : true' + - message: invalid image scope with wildcard, a wildcard can only + be at the start of the domain and is only supported for subdomain + matching, not path matching + rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') + : true' + - message: invalid repository namespace or image specification in + the image scope + rule: '!self.contains(''*'') ? self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') + : true' + maxItems: 256 + type: array + x-kubernetes-list-type: set + required: + - policy + - scopes + type: object + status: + description: status contains the observed state of the resource. + properties: + conditions: + description: conditions provide details on the status of this API + Resource. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..d4b1ae9cb38 --- /dev/null +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml @@ -0,0 +1,510 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2310 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + name: clusterimagepolicies.config.openshift.io +spec: + group: config.openshift.io + names: + kind: ClusterImagePolicy + listKind: ClusterImagePolicyList + plural: clusterimagepolicies + singular: clusterimagepolicy + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + ClusterImagePolicy holds cluster-wide configuration for image signature verification + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec contains the configuration for the cluster image policy. + properties: + policy: + description: |- + policy is a required field that contains configuration to allow scopes to be verified, and defines how + images not matching the verification policy will be treated. + properties: + rootOfTrust: + description: |- + rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. + This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. + properties: + fulcioCAWithRekor: + description: |- + fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. + fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise + For more information about Fulcio and Rekor, please refer to the document at: + https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor + properties: + fulcioCAData: + description: |- + fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. + fulcioCAData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the fulcioCAData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the fulcioCAData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + fulcioSubject: + description: fulcioSubject is a required field specifies + OIDC issuer and the email of the Fulcio authentication + configuration. + properties: + oidcIssuer: + description: |- + oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. + It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. + When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. + Example: "https://expected.OIDC.issuer/" + maxLength: 2048 + type: string + x-kubernetes-validations: + - message: oidcIssuer must be a valid URL + rule: isURL(self) + signedEmail: + description: |- + signedEmail is a required field holds the email address that the Fulcio certificate is issued for. + The signedEmail must be a valid email address and at most 320 characters in length. + Example: "expected-signing-user@example.com" + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + required: + - oidcIssuer + - signedEmail + type: object + rekorKeyData: + description: |- + rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - fulcioCAData + - fulcioSubject + - rekorKeyData + type: object + pki: + description: |- + pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. + pki is required when policyType is PKI, and forbidden otherwise. + properties: + caIntermediatesData: + description: |- + caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. + caIntermediatesData requires caRootsData to be set. + format: byte + maxLength: 8192 + minLength: 72 + type: string + x-kubernetes-validations: + - message: the caIntermediatesData must start with base64 + encoding of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caIntermediatesData must end with base64 + encoding of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + - message: caIntermediatesData must be base64 encoding + of valid PEM format data contain the same number of + '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' + markers. + rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() + == string(self).findAll('-----END CERTIFICATE-----').size() + caRootsData: + description: caRootsData contains base64-encoded data + of a certificate bundle PEM file, which contains one + or more CA roots in the PEM format. The total length + of the data must not exceed 8192 characters. + format: byte + maxLength: 8192 + minLength: 72 + type: string + x-kubernetes-validations: + - message: the caRootsData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caRootsData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + - message: caRootsData must be base64 encoding of valid + PEM format data contain the same number of '-----BEGIN + CERTIFICATE-----' and '-----END CERTIFICATE-----' + markers. + rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() + == string(self).findAll('-----END CERTIFICATE-----').size() + pkiCertificateSubject: + description: pkiCertificateSubject defines the requirements + imposed on the subject to which the certificate was + issued. + properties: + email: + description: |- + email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. + The email must be a valid email address and at most 320 characters in length. + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + hostname: + description: |- + hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. + The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. + It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: hostname must be a valid dns 1123 subdomain + name, optionally prefixed by '*.'. It must consist + only of lowercase alphanumeric characters, hyphens, + periods and the optional preceding asterisk. + rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', + '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' + type: object + x-kubernetes-validations: + - message: at least one of email or hostname must be set + in pkiCertificateSubject + rule: has(self.email) || has(self.hostname) + required: + - caRootsData + - pkiCertificateSubject + type: object + policyType: + description: |- + policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. + Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". + When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. + When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. + When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + enum: + - PublicKey + - FulcioCAWithRekor + - PKI + type: string + publicKey: + description: |- + publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. + publicKey is required when policyType is PublicKey, and forbidden otherwise. + properties: + keyData: + description: |- + keyData is a required field contains inline base64-encoded data for the PEM format public key. + keyData must be at most 8192 characters. + format: byte + maxLength: 8192 + minLength: 68 + type: string + x-kubernetes-validations: + - message: the keyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the keyData must end with base64 encoding of + '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + rekorKeyData: + description: |- + rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - keyData + type: object + required: + - policyType + type: object + x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' + - message: publicKey is required when policyType is PublicKey, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''PublicKey'' + ? has(self.publicKey) : !has(self.publicKey)' + - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' + ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' + signedIdentity: + description: |- + signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. + The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". + properties: + exactRepository: + description: |- + exactRepository specifies the repository that must be exactly matched by the identity in the signature. + exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity. + properties: + repository: + description: |- + repository is the reference of the image identity to be matched. + repository is required if matchPolicy is set to "ExactRepository". + The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - repository + type: object + matchPolicy: + description: |- + matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. + Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". + When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. + When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity. + When set to "ExactRepository", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by "repository". + When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. + enum: + - MatchRepoDigestOrExact + - MatchRepository + - ExactRepository + - RemapIdentity + type: string + remapIdentity: + description: |- + remapIdentity specifies the prefix remapping rule for verifying image identity. + remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image. + properties: + prefix: + description: |- + prefix is required if matchPolicy is set to "RemapIdentity". + prefix is the prefix of the image identity to be matched. + If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). + This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. + The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + signedPrefix: + description: |- + signedPrefix is required if matchPolicy is set to "RemapIdentity". + signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - prefix + - signedPrefix + type: object + required: + - matchPolicy + type: object + x-kubernetes-validations: + - message: exactRepository is required when matchPolicy is ExactRepository, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') + ? has(self.exactRepository) : !has(self.exactRepository)' + - message: remapIdentity is required when matchPolicy is RemapIdentity, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') + ? has(self.remapIdentity) : !has(self.remapIdentity)' + required: + - rootOfTrust + type: object + scopes: + description: |- + scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". + Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). + More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository + namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). + Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. + This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. + In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories + quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. + If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. + For additional details about the format, please refer to the document explaining the docker transport field, + which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker + items: + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid image scope format, scope must contain a fully + qualified domain name or 'localhost' + rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] + == ''localhost'' : true' + - message: invalid image scope with wildcard, a wildcard can only + be at the start of the domain and is only supported for subdomain + matching, not path matching + rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') + : true' + - message: invalid repository namespace or image specification in + the image scope + rule: '!self.contains(''*'') ? self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') + : true' + maxItems: 256 + type: array + x-kubernetes-list-type: set + required: + - policy + - scopes + type: object + status: + description: status contains the observed state of the resource. + properties: + conditions: + description: conditions provide details on the status of this API + Resource. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml new file mode 100644 index 00000000000..f71c6495243 --- /dev/null +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml @@ -0,0 +1,511 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2310 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: CustomNoUpgrade + name: imagepolicies.config.openshift.io +spec: + group: config.openshift.io + names: + kind: ImagePolicy + listKind: ImagePolicyList + plural: imagepolicies + singular: imagepolicy + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + ImagePolicy holds namespace-wide configuration for image signature verification + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + policy: + description: |- + policy is a required field that contains configuration to allow scopes to be verified, and defines how + images not matching the verification policy will be treated. + properties: + rootOfTrust: + description: |- + rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. + This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. + properties: + fulcioCAWithRekor: + description: |- + fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. + fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise + For more information about Fulcio and Rekor, please refer to the document at: + https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor + properties: + fulcioCAData: + description: |- + fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. + fulcioCAData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the fulcioCAData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the fulcioCAData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + fulcioSubject: + description: fulcioSubject is a required field specifies + OIDC issuer and the email of the Fulcio authentication + configuration. + properties: + oidcIssuer: + description: |- + oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. + It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. + When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. + Example: "https://expected.OIDC.issuer/" + maxLength: 2048 + type: string + x-kubernetes-validations: + - message: oidcIssuer must be a valid URL + rule: isURL(self) + signedEmail: + description: |- + signedEmail is a required field holds the email address that the Fulcio certificate is issued for. + The signedEmail must be a valid email address and at most 320 characters in length. + Example: "expected-signing-user@example.com" + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + required: + - oidcIssuer + - signedEmail + type: object + rekorKeyData: + description: |- + rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - fulcioCAData + - fulcioSubject + - rekorKeyData + type: object + pki: + description: |- + pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. + pki is required when policyType is PKI, and forbidden otherwise. + properties: + caIntermediatesData: + description: |- + caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. + caIntermediatesData requires caRootsData to be set. + format: byte + maxLength: 8192 + minLength: 72 + type: string + x-kubernetes-validations: + - message: the caIntermediatesData must start with base64 + encoding of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caIntermediatesData must end with base64 + encoding of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + - message: caIntermediatesData must be base64 encoding + of valid PEM format data contain the same number of + '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' + markers. + rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() + == string(self).findAll('-----END CERTIFICATE-----').size() + caRootsData: + description: caRootsData contains base64-encoded data + of a certificate bundle PEM file, which contains one + or more CA roots in the PEM format. The total length + of the data must not exceed 8192 characters. + format: byte + maxLength: 8192 + minLength: 72 + type: string + x-kubernetes-validations: + - message: the caRootsData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caRootsData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + - message: caRootsData must be base64 encoding of valid + PEM format data contain the same number of '-----BEGIN + CERTIFICATE-----' and '-----END CERTIFICATE-----' + markers. + rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() + == string(self).findAll('-----END CERTIFICATE-----').size() + pkiCertificateSubject: + description: pkiCertificateSubject defines the requirements + imposed on the subject to which the certificate was + issued. + properties: + email: + description: |- + email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. + The email must be a valid email address and at most 320 characters in length. + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + hostname: + description: |- + hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. + The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. + It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: hostname must be a valid dns 1123 subdomain + name, optionally prefixed by '*.'. It must consist + only of lowercase alphanumeric characters, hyphens, + periods and the optional preceding asterisk. + rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', + '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' + type: object + x-kubernetes-validations: + - message: at least one of email or hostname must be set + in pkiCertificateSubject + rule: has(self.email) || has(self.hostname) + required: + - caRootsData + - pkiCertificateSubject + type: object + policyType: + description: |- + policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. + Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". + When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. + When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. + When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + enum: + - PublicKey + - FulcioCAWithRekor + - PKI + type: string + publicKey: + description: |- + publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. + publicKey is required when policyType is PublicKey, and forbidden otherwise. + properties: + keyData: + description: |- + keyData is a required field contains inline base64-encoded data for the PEM format public key. + keyData must be at most 8192 characters. + format: byte + maxLength: 8192 + minLength: 68 + type: string + x-kubernetes-validations: + - message: the keyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the keyData must end with base64 encoding of + '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + rekorKeyData: + description: |- + rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - keyData + type: object + required: + - policyType + type: object + x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' + - message: publicKey is required when policyType is PublicKey, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''PublicKey'' + ? has(self.publicKey) : !has(self.publicKey)' + - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' + ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' + signedIdentity: + description: |- + signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. + The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". + properties: + exactRepository: + description: |- + exactRepository specifies the repository that must be exactly matched by the identity in the signature. + exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity. + properties: + repository: + description: |- + repository is the reference of the image identity to be matched. + repository is required if matchPolicy is set to "ExactRepository". + The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - repository + type: object + matchPolicy: + description: |- + matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. + Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". + When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. + When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity. + When set to "ExactRepository", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by "repository". + When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. + enum: + - MatchRepoDigestOrExact + - MatchRepository + - ExactRepository + - RemapIdentity + type: string + remapIdentity: + description: |- + remapIdentity specifies the prefix remapping rule for verifying image identity. + remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image. + properties: + prefix: + description: |- + prefix is required if matchPolicy is set to "RemapIdentity". + prefix is the prefix of the image identity to be matched. + If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). + This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. + The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + signedPrefix: + description: |- + signedPrefix is required if matchPolicy is set to "RemapIdentity". + signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - prefix + - signedPrefix + type: object + required: + - matchPolicy + type: object + x-kubernetes-validations: + - message: exactRepository is required when matchPolicy is ExactRepository, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') + ? has(self.exactRepository) : !has(self.exactRepository)' + - message: remapIdentity is required when matchPolicy is RemapIdentity, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') + ? has(self.remapIdentity) : !has(self.remapIdentity)' + required: + - rootOfTrust + type: object + scopes: + description: |- + scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". + Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). + More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository + namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). + Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. + This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. + In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories + quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. + If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. + For additional details about the format, please refer to the document explaining the docker transport field, + which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker + items: + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid image scope format, scope must contain a fully + qualified domain name or 'localhost' + rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] + == ''localhost'' : true' + - message: invalid image scope with wildcard, a wildcard can only + be at the start of the domain and is only supported for subdomain + matching, not path matching + rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') + : true' + - message: invalid repository namespace or image specification in + the image scope + rule: '!self.contains(''*'') ? self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') + : true' + maxItems: 256 + type: array + x-kubernetes-list-type: set + required: + - policy + - scopes + type: object + status: + description: status contains the observed state of the resource. + properties: + conditions: + description: |- + conditions provide details on the status of this API Resource. + condition type 'Pending' indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..99d2af1333c --- /dev/null +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml @@ -0,0 +1,511 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2310 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: DevPreviewNoUpgrade + name: imagepolicies.config.openshift.io +spec: + group: config.openshift.io + names: + kind: ImagePolicy + listKind: ImagePolicyList + plural: imagepolicies + singular: imagepolicy + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + ImagePolicy holds namespace-wide configuration for image signature verification + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + policy: + description: |- + policy is a required field that contains configuration to allow scopes to be verified, and defines how + images not matching the verification policy will be treated. + properties: + rootOfTrust: + description: |- + rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. + This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. + properties: + fulcioCAWithRekor: + description: |- + fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. + fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise + For more information about Fulcio and Rekor, please refer to the document at: + https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor + properties: + fulcioCAData: + description: |- + fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. + fulcioCAData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the fulcioCAData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the fulcioCAData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + fulcioSubject: + description: fulcioSubject is a required field specifies + OIDC issuer and the email of the Fulcio authentication + configuration. + properties: + oidcIssuer: + description: |- + oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. + It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. + When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. + Example: "https://expected.OIDC.issuer/" + maxLength: 2048 + type: string + x-kubernetes-validations: + - message: oidcIssuer must be a valid URL + rule: isURL(self) + signedEmail: + description: |- + signedEmail is a required field holds the email address that the Fulcio certificate is issued for. + The signedEmail must be a valid email address and at most 320 characters in length. + Example: "expected-signing-user@example.com" + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + required: + - oidcIssuer + - signedEmail + type: object + rekorKeyData: + description: |- + rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - fulcioCAData + - fulcioSubject + - rekorKeyData + type: object + pki: + description: |- + pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. + pki is required when policyType is PKI, and forbidden otherwise. + properties: + caIntermediatesData: + description: |- + caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. + caIntermediatesData requires caRootsData to be set. + format: byte + maxLength: 8192 + minLength: 72 + type: string + x-kubernetes-validations: + - message: the caIntermediatesData must start with base64 + encoding of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caIntermediatesData must end with base64 + encoding of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + - message: caIntermediatesData must be base64 encoding + of valid PEM format data contain the same number of + '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' + markers. + rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() + == string(self).findAll('-----END CERTIFICATE-----').size() + caRootsData: + description: caRootsData contains base64-encoded data + of a certificate bundle PEM file, which contains one + or more CA roots in the PEM format. The total length + of the data must not exceed 8192 characters. + format: byte + maxLength: 8192 + minLength: 72 + type: string + x-kubernetes-validations: + - message: the caRootsData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caRootsData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + - message: caRootsData must be base64 encoding of valid + PEM format data contain the same number of '-----BEGIN + CERTIFICATE-----' and '-----END CERTIFICATE-----' + markers. + rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() + == string(self).findAll('-----END CERTIFICATE-----').size() + pkiCertificateSubject: + description: pkiCertificateSubject defines the requirements + imposed on the subject to which the certificate was + issued. + properties: + email: + description: |- + email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. + The email must be a valid email address and at most 320 characters in length. + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + hostname: + description: |- + hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. + The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. + It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: hostname must be a valid dns 1123 subdomain + name, optionally prefixed by '*.'. It must consist + only of lowercase alphanumeric characters, hyphens, + periods and the optional preceding asterisk. + rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', + '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' + type: object + x-kubernetes-validations: + - message: at least one of email or hostname must be set + in pkiCertificateSubject + rule: has(self.email) || has(self.hostname) + required: + - caRootsData + - pkiCertificateSubject + type: object + policyType: + description: |- + policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. + Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". + When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. + When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. + When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + enum: + - PublicKey + - FulcioCAWithRekor + - PKI + type: string + publicKey: + description: |- + publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. + publicKey is required when policyType is PublicKey, and forbidden otherwise. + properties: + keyData: + description: |- + keyData is a required field contains inline base64-encoded data for the PEM format public key. + keyData must be at most 8192 characters. + format: byte + maxLength: 8192 + minLength: 68 + type: string + x-kubernetes-validations: + - message: the keyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the keyData must end with base64 encoding of + '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + rekorKeyData: + description: |- + rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - keyData + type: object + required: + - policyType + type: object + x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' + - message: publicKey is required when policyType is PublicKey, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''PublicKey'' + ? has(self.publicKey) : !has(self.publicKey)' + - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' + ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' + signedIdentity: + description: |- + signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. + The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". + properties: + exactRepository: + description: |- + exactRepository specifies the repository that must be exactly matched by the identity in the signature. + exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity. + properties: + repository: + description: |- + repository is the reference of the image identity to be matched. + repository is required if matchPolicy is set to "ExactRepository". + The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - repository + type: object + matchPolicy: + description: |- + matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. + Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". + When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. + When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity. + When set to "ExactRepository", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by "repository". + When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. + enum: + - MatchRepoDigestOrExact + - MatchRepository + - ExactRepository + - RemapIdentity + type: string + remapIdentity: + description: |- + remapIdentity specifies the prefix remapping rule for verifying image identity. + remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image. + properties: + prefix: + description: |- + prefix is required if matchPolicy is set to "RemapIdentity". + prefix is the prefix of the image identity to be matched. + If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). + This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. + The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + signedPrefix: + description: |- + signedPrefix is required if matchPolicy is set to "RemapIdentity". + signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - prefix + - signedPrefix + type: object + required: + - matchPolicy + type: object + x-kubernetes-validations: + - message: exactRepository is required when matchPolicy is ExactRepository, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') + ? has(self.exactRepository) : !has(self.exactRepository)' + - message: remapIdentity is required when matchPolicy is RemapIdentity, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') + ? has(self.remapIdentity) : !has(self.remapIdentity)' + required: + - rootOfTrust + type: object + scopes: + description: |- + scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". + Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). + More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository + namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). + Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. + This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. + In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories + quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. + If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. + For additional details about the format, please refer to the document explaining the docker transport field, + which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker + items: + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid image scope format, scope must contain a fully + qualified domain name or 'localhost' + rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] + == ''localhost'' : true' + - message: invalid image scope with wildcard, a wildcard can only + be at the start of the domain and is only supported for subdomain + matching, not path matching + rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') + : true' + - message: invalid repository namespace or image specification in + the image scope + rule: '!self.contains(''*'') ? self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') + : true' + maxItems: 256 + type: array + x-kubernetes-list-type: set + required: + - policy + - scopes + type: object + status: + description: status contains the observed state of the resource. + properties: + conditions: + description: |- + conditions provide details on the status of this API Resource. + condition type 'Pending' indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..a8b7aba7c2a --- /dev/null +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml @@ -0,0 +1,511 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2310 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + name: imagepolicies.config.openshift.io +spec: + group: config.openshift.io + names: + kind: ImagePolicy + listKind: ImagePolicyList + plural: imagepolicies + singular: imagepolicy + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + ImagePolicy holds namespace-wide configuration for image signature verification + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + policy: + description: |- + policy is a required field that contains configuration to allow scopes to be verified, and defines how + images not matching the verification policy will be treated. + properties: + rootOfTrust: + description: |- + rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. + This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. + properties: + fulcioCAWithRekor: + description: |- + fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. + fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise + For more information about Fulcio and Rekor, please refer to the document at: + https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor + properties: + fulcioCAData: + description: |- + fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. + fulcioCAData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the fulcioCAData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the fulcioCAData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + fulcioSubject: + description: fulcioSubject is a required field specifies + OIDC issuer and the email of the Fulcio authentication + configuration. + properties: + oidcIssuer: + description: |- + oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. + It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. + When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. + Example: "https://expected.OIDC.issuer/" + maxLength: 2048 + type: string + x-kubernetes-validations: + - message: oidcIssuer must be a valid URL + rule: isURL(self) + signedEmail: + description: |- + signedEmail is a required field holds the email address that the Fulcio certificate is issued for. + The signedEmail must be a valid email address and at most 320 characters in length. + Example: "expected-signing-user@example.com" + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + required: + - oidcIssuer + - signedEmail + type: object + rekorKeyData: + description: |- + rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - fulcioCAData + - fulcioSubject + - rekorKeyData + type: object + pki: + description: |- + pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. + pki is required when policyType is PKI, and forbidden otherwise. + properties: + caIntermediatesData: + description: |- + caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. + caIntermediatesData requires caRootsData to be set. + format: byte + maxLength: 8192 + minLength: 72 + type: string + x-kubernetes-validations: + - message: the caIntermediatesData must start with base64 + encoding of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caIntermediatesData must end with base64 + encoding of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + - message: caIntermediatesData must be base64 encoding + of valid PEM format data contain the same number of + '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' + markers. + rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() + == string(self).findAll('-----END CERTIFICATE-----').size() + caRootsData: + description: caRootsData contains base64-encoded data + of a certificate bundle PEM file, which contains one + or more CA roots in the PEM format. The total length + of the data must not exceed 8192 characters. + format: byte + maxLength: 8192 + minLength: 72 + type: string + x-kubernetes-validations: + - message: the caRootsData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caRootsData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + - message: caRootsData must be base64 encoding of valid + PEM format data contain the same number of '-----BEGIN + CERTIFICATE-----' and '-----END CERTIFICATE-----' + markers. + rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() + == string(self).findAll('-----END CERTIFICATE-----').size() + pkiCertificateSubject: + description: pkiCertificateSubject defines the requirements + imposed on the subject to which the certificate was + issued. + properties: + email: + description: |- + email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. + The email must be a valid email address and at most 320 characters in length. + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + hostname: + description: |- + hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. + The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. + It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: hostname must be a valid dns 1123 subdomain + name, optionally prefixed by '*.'. It must consist + only of lowercase alphanumeric characters, hyphens, + periods and the optional preceding asterisk. + rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', + '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' + type: object + x-kubernetes-validations: + - message: at least one of email or hostname must be set + in pkiCertificateSubject + rule: has(self.email) || has(self.hostname) + required: + - caRootsData + - pkiCertificateSubject + type: object + policyType: + description: |- + policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. + Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". + When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. + When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. + When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + enum: + - PublicKey + - FulcioCAWithRekor + - PKI + type: string + publicKey: + description: |- + publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. + publicKey is required when policyType is PublicKey, and forbidden otherwise. + properties: + keyData: + description: |- + keyData is a required field contains inline base64-encoded data for the PEM format public key. + keyData must be at most 8192 characters. + format: byte + maxLength: 8192 + minLength: 68 + type: string + x-kubernetes-validations: + - message: the keyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the keyData must end with base64 encoding of + '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + rekorKeyData: + description: |- + rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - keyData + type: object + required: + - policyType + type: object + x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' + - message: publicKey is required when policyType is PublicKey, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''PublicKey'' + ? has(self.publicKey) : !has(self.publicKey)' + - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' + ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' + signedIdentity: + description: |- + signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. + The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". + properties: + exactRepository: + description: |- + exactRepository specifies the repository that must be exactly matched by the identity in the signature. + exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity. + properties: + repository: + description: |- + repository is the reference of the image identity to be matched. + repository is required if matchPolicy is set to "ExactRepository". + The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - repository + type: object + matchPolicy: + description: |- + matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. + Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". + When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. + When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity. + When set to "ExactRepository", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by "repository". + When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. + enum: + - MatchRepoDigestOrExact + - MatchRepository + - ExactRepository + - RemapIdentity + type: string + remapIdentity: + description: |- + remapIdentity specifies the prefix remapping rule for verifying image identity. + remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image. + properties: + prefix: + description: |- + prefix is required if matchPolicy is set to "RemapIdentity". + prefix is the prefix of the image identity to be matched. + If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). + This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. + The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + signedPrefix: + description: |- + signedPrefix is required if matchPolicy is set to "RemapIdentity". + signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - prefix + - signedPrefix + type: object + required: + - matchPolicy + type: object + x-kubernetes-validations: + - message: exactRepository is required when matchPolicy is ExactRepository, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') + ? has(self.exactRepository) : !has(self.exactRepository)' + - message: remapIdentity is required when matchPolicy is RemapIdentity, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') + ? has(self.remapIdentity) : !has(self.remapIdentity)' + required: + - rootOfTrust + type: object + scopes: + description: |- + scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". + Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). + More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository + namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). + Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. + This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. + In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories + quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. + If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. + For additional details about the format, please refer to the document explaining the docker transport field, + which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker + items: + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid image scope format, scope must contain a fully + qualified domain name or 'localhost' + rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] + == ''localhost'' : true' + - message: invalid image scope with wildcard, a wildcard can only + be at the start of the domain and is only supported for subdomain + matching, not path matching + rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') + : true' + - message: invalid repository namespace or image specification in + the image scope + rule: '!self.contains(''*'') ? self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') + : true' + maxItems: 256 + type: array + x-kubernetes-list-type: set + required: + - policy + - scopes + type: object + status: + description: status contains the observed state of the resource. + properties: + conditions: + description: |- + conditions provide details on the status of this API Resource. + condition type 'Pending' indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/config/v1/zz_generated.deepcopy.go b/config/v1/zz_generated.deepcopy.go index 361b56087dc..70edc176996 100644 --- a/config/v1/zz_generated.deepcopy.go +++ b/config/v1/zz_generated.deepcopy.go @@ -1024,6 +1024,112 @@ func (in *ClusterCondition) DeepCopy() *ClusterCondition { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterImagePolicy) DeepCopyInto(out *ClusterImagePolicy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicy. +func (in *ClusterImagePolicy) DeepCopy() *ClusterImagePolicy { + if in == nil { + return nil + } + out := new(ClusterImagePolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ClusterImagePolicy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterImagePolicyList) DeepCopyInto(out *ClusterImagePolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]ClusterImagePolicy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicyList. +func (in *ClusterImagePolicyList) DeepCopy() *ClusterImagePolicyList { + if in == nil { + return nil + } + out := new(ClusterImagePolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ClusterImagePolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterImagePolicySpec) DeepCopyInto(out *ClusterImagePolicySpec) { + *out = *in + if in.Scopes != nil { + in, out := &in.Scopes, &out.Scopes + *out = make([]ImageScope, len(*in)) + copy(*out, *in) + } + in.Policy.DeepCopyInto(&out.Policy) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicySpec. +func (in *ClusterImagePolicySpec) DeepCopy() *ClusterImagePolicySpec { + if in == nil { + return nil + } + out := new(ClusterImagePolicySpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterImagePolicyStatus) DeepCopyInto(out *ClusterImagePolicyStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]metav1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicyStatus. +func (in *ClusterImagePolicyStatus) DeepCopy() *ClusterImagePolicyStatus { + if in == nil { + return nil + } + out := new(ClusterImagePolicyStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ClusterNetworkEntry) DeepCopyInto(out *ClusterNetworkEntry) { *out = *in @@ -2229,6 +2335,33 @@ func (in *FeatureGateTests) DeepCopy() *FeatureGateTests { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *FulcioCAWithRekor) DeepCopyInto(out *FulcioCAWithRekor) { + *out = *in + if in.FulcioCAData != nil { + in, out := &in.FulcioCAData, &out.FulcioCAData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + if in.RekorKeyData != nil { + in, out := &in.RekorKeyData, &out.RekorKeyData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + out.FulcioSubject = in.FulcioSubject + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FulcioCAWithRekor. +func (in *FulcioCAWithRekor) DeepCopy() *FulcioCAWithRekor { + if in == nil { + return nil + } + out := new(FulcioCAWithRekor) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GCPPlatformSpec) DeepCopyInto(out *GCPPlatformSpec) { *out = *in @@ -2922,6 +3055,112 @@ func (in *ImageList) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImagePolicy) DeepCopyInto(out *ImagePolicy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicy. +func (in *ImagePolicy) DeepCopy() *ImagePolicy { + if in == nil { + return nil + } + out := new(ImagePolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ImagePolicy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImagePolicyList) DeepCopyInto(out *ImagePolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]ImagePolicy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyList. +func (in *ImagePolicyList) DeepCopy() *ImagePolicyList { + if in == nil { + return nil + } + out := new(ImagePolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ImagePolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImagePolicySpec) DeepCopyInto(out *ImagePolicySpec) { + *out = *in + if in.Scopes != nil { + in, out := &in.Scopes, &out.Scopes + *out = make([]ImageScope, len(*in)) + copy(*out, *in) + } + in.Policy.DeepCopyInto(&out.Policy) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicySpec. +func (in *ImagePolicySpec) DeepCopy() *ImagePolicySpec { + if in == nil { + return nil + } + out := new(ImagePolicySpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImagePolicyStatus) DeepCopyInto(out *ImagePolicyStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]metav1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyStatus. +func (in *ImagePolicyStatus) DeepCopy() *ImagePolicyStatus { + if in == nil { + return nil + } + out := new(ImagePolicyStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ImageSpec) DeepCopyInto(out *ImageSpec) { *out = *in @@ -4732,6 +4971,49 @@ func (in *OvirtPlatformStatus) DeepCopy() *OvirtPlatformStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PKI) DeepCopyInto(out *PKI) { + *out = *in + if in.CertificateAuthorityRootsData != nil { + in, out := &in.CertificateAuthorityRootsData, &out.CertificateAuthorityRootsData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + if in.CertificateAuthorityIntermediatesData != nil { + in, out := &in.CertificateAuthorityIntermediatesData, &out.CertificateAuthorityIntermediatesData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + out.PKICertificateSubject = in.PKICertificateSubject + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKI. +func (in *PKI) DeepCopy() *PKI { + if in == nil { + return nil + } + out := new(PKI) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PKICertificateSubject) DeepCopyInto(out *PKICertificateSubject) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKICertificateSubject. +func (in *PKICertificateSubject) DeepCopy() *PKICertificateSubject { + if in == nil { + return nil + } + out := new(PKICertificateSubject) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PlatformSpec) DeepCopyInto(out *PlatformSpec) { *out = *in @@ -4904,6 +5186,133 @@ func (in *PlatformStatus) DeepCopy() *PlatformStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Policy) DeepCopyInto(out *Policy) { + *out = *in + in.RootOfTrust.DeepCopyInto(&out.RootOfTrust) + if in.SignedIdentity != nil { + in, out := &in.SignedIdentity, &out.SignedIdentity + *out = new(PolicyIdentity) + (*in).DeepCopyInto(*out) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy. +func (in *Policy) DeepCopy() *Policy { + if in == nil { + return nil + } + out := new(Policy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyFulcioSubject) DeepCopyInto(out *PolicyFulcioSubject) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyFulcioSubject. +func (in *PolicyFulcioSubject) DeepCopy() *PolicyFulcioSubject { + if in == nil { + return nil + } + out := new(PolicyFulcioSubject) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyIdentity) DeepCopyInto(out *PolicyIdentity) { + *out = *in + if in.PolicyMatchExactRepository != nil { + in, out := &in.PolicyMatchExactRepository, &out.PolicyMatchExactRepository + *out = new(PolicyMatchExactRepository) + **out = **in + } + if in.PolicyMatchRemapIdentity != nil { + in, out := &in.PolicyMatchRemapIdentity, &out.PolicyMatchRemapIdentity + *out = new(PolicyMatchRemapIdentity) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyIdentity. +func (in *PolicyIdentity) DeepCopy() *PolicyIdentity { + if in == nil { + return nil + } + out := new(PolicyIdentity) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyMatchExactRepository) DeepCopyInto(out *PolicyMatchExactRepository) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyMatchExactRepository. +func (in *PolicyMatchExactRepository) DeepCopy() *PolicyMatchExactRepository { + if in == nil { + return nil + } + out := new(PolicyMatchExactRepository) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyMatchRemapIdentity) DeepCopyInto(out *PolicyMatchRemapIdentity) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyMatchRemapIdentity. +func (in *PolicyMatchRemapIdentity) DeepCopy() *PolicyMatchRemapIdentity { + if in == nil { + return nil + } + out := new(PolicyMatchRemapIdentity) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyRootOfTrust) DeepCopyInto(out *PolicyRootOfTrust) { + *out = *in + if in.PublicKey != nil { + in, out := &in.PublicKey, &out.PublicKey + *out = new(PublicKey) + (*in).DeepCopyInto(*out) + } + if in.FulcioCAWithRekor != nil { + in, out := &in.FulcioCAWithRekor, &out.FulcioCAWithRekor + *out = new(FulcioCAWithRekor) + (*in).DeepCopyInto(*out) + } + if in.PKI != nil { + in, out := &in.PKI, &out.PKI + *out = new(PKI) + (*in).DeepCopyInto(*out) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyRootOfTrust. +func (in *PolicyRootOfTrust) DeepCopy() *PolicyRootOfTrust { + if in == nil { + return nil + } + out := new(PolicyRootOfTrust) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PowerVSPlatformSpec) DeepCopyInto(out *PowerVSPlatformSpec) { *out = *in @@ -5204,6 +5613,32 @@ func (in *ProxyStatus) DeepCopy() *ProxyStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PublicKey) DeepCopyInto(out *PublicKey) { + *out = *in + if in.KeyData != nil { + in, out := &in.KeyData, &out.KeyData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + if in.RekorKeyData != nil { + in, out := &in.RekorKeyData, &out.RekorKeyData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PublicKey. +func (in *PublicKey) DeepCopy() *PublicKey { + if in == nil { + return nil + } + out := new(PublicKey) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RegistryLocation) DeepCopyInto(out *RegistryLocation) { *out = *in diff --git a/config/v1/zz_generated.featuregated-crd-manifests.yaml b/config/v1/zz_generated.featuregated-crd-manifests.yaml index a681631cf6d..19a304c17bf 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests.yaml @@ -66,6 +66,30 @@ builds.config.openshift.io: TopLevelFeatureGates: [] Version: v1 +clusterimagepolicies.config.openshift.io: + Annotations: {} + ApprovedPRNumber: https://github.com/openshift/api/pull/2310 + CRDName: clusterimagepolicies.config.openshift.io + Capability: "" + Category: "" + FeatureGates: + - SigstoreImageVerification + - SigstoreImageVerificationPKI + FilenameOperatorName: config-operator + FilenameOperatorOrdering: "01" + FilenameRunLevel: "0000_10" + GroupName: config.openshift.io + HasStatus: true + KindName: ClusterImagePolicy + Labels: {} + PluralName: clusterimagepolicies + PrinterColumns: [] + Scope: Cluster + ShortNames: null + TopLevelFeatureGates: + - SigstoreImageVerification + Version: v1 + clusteroperators.config.openshift.io: Annotations: include.release.openshift.io/self-managed-high-availability: "true" @@ -282,6 +306,30 @@ imagedigestmirrorsets.config.openshift.io: TopLevelFeatureGates: [] Version: v1 +imagepolicies.config.openshift.io: + Annotations: {} + ApprovedPRNumber: https://github.com/openshift/api/pull/2310 + CRDName: imagepolicies.config.openshift.io + Capability: "" + Category: "" + FeatureGates: + - SigstoreImageVerification + - SigstoreImageVerificationPKI + FilenameOperatorName: config-operator + FilenameOperatorOrdering: "01" + FilenameRunLevel: "0000_10" + GroupName: config.openshift.io + HasStatus: true + KindName: ImagePolicy + Labels: {} + PluralName: imagepolicies + PrinterColumns: [] + Scope: Namespaced + ShortNames: null + TopLevelFeatureGates: + - SigstoreImageVerification + Version: v1 + imagetagmirrorsets.config.openshift.io: Annotations: release.openshift.io/bootstrap-required: "true" diff --git a/config/v1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml b/config/v1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml new file mode 100644 index 00000000000..080032c1f53 --- /dev/null +++ b/config/v1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml @@ -0,0 +1,415 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2310 + api.openshift.io/filename-cvo-runlevel: "0000_10" + api.openshift.io/filename-operator: config-operator + api.openshift.io/filename-ordering: "01" + feature-gate.release.openshift.io/SigstoreImageVerification: "true" + name: clusterimagepolicies.config.openshift.io +spec: + group: config.openshift.io + names: + kind: ClusterImagePolicy + listKind: ClusterImagePolicyList + plural: clusterimagepolicies + singular: clusterimagepolicy + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + ClusterImagePolicy holds cluster-wide configuration for image signature verification + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec contains the configuration for the cluster image policy. + properties: + policy: + description: |- + policy is a required field that contains configuration to allow scopes to be verified, and defines how + images not matching the verification policy will be treated. + properties: + rootOfTrust: + description: |- + rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. + This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. + properties: + fulcioCAWithRekor: + description: |- + fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. + fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise + For more information about Fulcio and Rekor, please refer to the document at: + https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor + properties: + fulcioCAData: + description: |- + fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. + fulcioCAData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the fulcioCAData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the fulcioCAData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + fulcioSubject: + description: fulcioSubject is a required field specifies + OIDC issuer and the email of the Fulcio authentication + configuration. + properties: + oidcIssuer: + description: |- + oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. + It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. + When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. + Example: "https://expected.OIDC.issuer/" + maxLength: 2048 + type: string + x-kubernetes-validations: + - message: oidcIssuer must be a valid URL + rule: isURL(self) + signedEmail: + description: |- + signedEmail is a required field holds the email address that the Fulcio certificate is issued for. + The signedEmail must be a valid email address and at most 320 characters in length. + Example: "expected-signing-user@example.com" + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + required: + - oidcIssuer + - signedEmail + type: object + rekorKeyData: + description: |- + rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - fulcioCAData + - fulcioSubject + - rekorKeyData + type: object + policyType: + description: |- + policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. + Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". + When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. + When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. + When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + type: string + publicKey: + description: |- + publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. + publicKey is required when policyType is PublicKey, and forbidden otherwise. + properties: + keyData: + description: |- + keyData is a required field contains inline base64-encoded data for the PEM format public key. + keyData must be at most 8192 characters. + format: byte + maxLength: 8192 + minLength: 68 + type: string + x-kubernetes-validations: + - message: the keyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the keyData must end with base64 encoding of + '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + rekorKeyData: + description: |- + rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - keyData + type: object + required: + - policyType + type: object + x-kubernetes-validations: + - message: publicKey is required when policyType is PublicKey, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''PublicKey'' + ? has(self.publicKey) : !has(self.publicKey)' + - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' + ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' + signedIdentity: + description: |- + signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. + The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". + properties: + exactRepository: + description: |- + exactRepository specifies the repository that must be exactly matched by the identity in the signature. + exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity. + properties: + repository: + description: |- + repository is the reference of the image identity to be matched. + repository is required if matchPolicy is set to "ExactRepository". + The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - repository + type: object + matchPolicy: + description: |- + matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. + Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". + When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. + When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity. + When set to "ExactRepository", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by "repository". + When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. + enum: + - MatchRepoDigestOrExact + - MatchRepository + - ExactRepository + - RemapIdentity + type: string + remapIdentity: + description: |- + remapIdentity specifies the prefix remapping rule for verifying image identity. + remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image. + properties: + prefix: + description: |- + prefix is required if matchPolicy is set to "RemapIdentity". + prefix is the prefix of the image identity to be matched. + If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). + This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. + The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + signedPrefix: + description: |- + signedPrefix is required if matchPolicy is set to "RemapIdentity". + signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - prefix + - signedPrefix + type: object + required: + - matchPolicy + type: object + x-kubernetes-validations: + - message: exactRepository is required when matchPolicy is ExactRepository, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') + ? has(self.exactRepository) : !has(self.exactRepository)' + - message: remapIdentity is required when matchPolicy is RemapIdentity, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') + ? has(self.remapIdentity) : !has(self.remapIdentity)' + required: + - rootOfTrust + type: object + scopes: + description: |- + scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". + Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). + More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository + namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). + Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. + This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. + In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories + quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. + If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. + For additional details about the format, please refer to the document explaining the docker transport field, + which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker + items: + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid image scope format, scope must contain a fully + qualified domain name or 'localhost' + rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] + == ''localhost'' : true' + - message: invalid image scope with wildcard, a wildcard can only + be at the start of the domain and is only supported for subdomain + matching, not path matching + rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') + : true' + - message: invalid repository namespace or image specification in + the image scope + rule: '!self.contains(''*'') ? self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') + : true' + maxItems: 256 + type: array + x-kubernetes-list-type: set + required: + - policy + - scopes + type: object + status: + description: status contains the observed state of the resource. + properties: + conditions: + description: conditions provide details on the status of this API + Resource. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/config/v1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml b/config/v1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml new file mode 100644 index 00000000000..1e2f15e1aea --- /dev/null +++ b/config/v1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml @@ -0,0 +1,510 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2310 + api.openshift.io/filename-cvo-runlevel: "0000_10" + api.openshift.io/filename-operator: config-operator + api.openshift.io/filename-ordering: "01" + feature-gate.release.openshift.io/SigstoreImageVerificationPKI: "true" + name: clusterimagepolicies.config.openshift.io +spec: + group: config.openshift.io + names: + kind: ClusterImagePolicy + listKind: ClusterImagePolicyList + plural: clusterimagepolicies + singular: clusterimagepolicy + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + ClusterImagePolicy holds cluster-wide configuration for image signature verification + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec contains the configuration for the cluster image policy. + properties: + policy: + description: |- + policy is a required field that contains configuration to allow scopes to be verified, and defines how + images not matching the verification policy will be treated. + properties: + rootOfTrust: + description: |- + rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. + This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. + properties: + fulcioCAWithRekor: + description: |- + fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. + fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise + For more information about Fulcio and Rekor, please refer to the document at: + https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor + properties: + fulcioCAData: + description: |- + fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. + fulcioCAData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the fulcioCAData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the fulcioCAData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + fulcioSubject: + description: fulcioSubject is a required field specifies + OIDC issuer and the email of the Fulcio authentication + configuration. + properties: + oidcIssuer: + description: |- + oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. + It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. + When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. + Example: "https://expected.OIDC.issuer/" + maxLength: 2048 + type: string + x-kubernetes-validations: + - message: oidcIssuer must be a valid URL + rule: isURL(self) + signedEmail: + description: |- + signedEmail is a required field holds the email address that the Fulcio certificate is issued for. + The signedEmail must be a valid email address and at most 320 characters in length. + Example: "expected-signing-user@example.com" + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + required: + - oidcIssuer + - signedEmail + type: object + rekorKeyData: + description: |- + rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - fulcioCAData + - fulcioSubject + - rekorKeyData + type: object + pki: + description: |- + pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. + pki is required when policyType is PKI, and forbidden otherwise. + properties: + caIntermediatesData: + description: |- + caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. + caIntermediatesData requires caRootsData to be set. + format: byte + maxLength: 8192 + minLength: 72 + type: string + x-kubernetes-validations: + - message: the caIntermediatesData must start with base64 + encoding of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caIntermediatesData must end with base64 + encoding of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + - message: caIntermediatesData must be base64 encoding + of valid PEM format data contain the same number of + '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' + markers. + rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() + == string(self).findAll('-----END CERTIFICATE-----').size() + caRootsData: + description: caRootsData contains base64-encoded data + of a certificate bundle PEM file, which contains one + or more CA roots in the PEM format. The total length + of the data must not exceed 8192 characters. + format: byte + maxLength: 8192 + minLength: 72 + type: string + x-kubernetes-validations: + - message: the caRootsData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caRootsData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + - message: caRootsData must be base64 encoding of valid + PEM format data contain the same number of '-----BEGIN + CERTIFICATE-----' and '-----END CERTIFICATE-----' + markers. + rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() + == string(self).findAll('-----END CERTIFICATE-----').size() + pkiCertificateSubject: + description: pkiCertificateSubject defines the requirements + imposed on the subject to which the certificate was + issued. + properties: + email: + description: |- + email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. + The email must be a valid email address and at most 320 characters in length. + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + hostname: + description: |- + hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. + The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. + It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: hostname must be a valid dns 1123 subdomain + name, optionally prefixed by '*.'. It must consist + only of lowercase alphanumeric characters, hyphens, + periods and the optional preceding asterisk. + rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', + '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' + type: object + x-kubernetes-validations: + - message: at least one of email or hostname must be set + in pkiCertificateSubject + rule: has(self.email) || has(self.hostname) + required: + - caRootsData + - pkiCertificateSubject + type: object + policyType: + description: |- + policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. + Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". + When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. + When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. + When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + enum: + - PublicKey + - FulcioCAWithRekor + - PKI + type: string + publicKey: + description: |- + publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. + publicKey is required when policyType is PublicKey, and forbidden otherwise. + properties: + keyData: + description: |- + keyData is a required field contains inline base64-encoded data for the PEM format public key. + keyData must be at most 8192 characters. + format: byte + maxLength: 8192 + minLength: 68 + type: string + x-kubernetes-validations: + - message: the keyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the keyData must end with base64 encoding of + '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + rekorKeyData: + description: |- + rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - keyData + type: object + required: + - policyType + type: object + x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' + - message: publicKey is required when policyType is PublicKey, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''PublicKey'' + ? has(self.publicKey) : !has(self.publicKey)' + - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' + ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' + signedIdentity: + description: |- + signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. + The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". + properties: + exactRepository: + description: |- + exactRepository specifies the repository that must be exactly matched by the identity in the signature. + exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity. + properties: + repository: + description: |- + repository is the reference of the image identity to be matched. + repository is required if matchPolicy is set to "ExactRepository". + The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - repository + type: object + matchPolicy: + description: |- + matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. + Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". + When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. + When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity. + When set to "ExactRepository", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by "repository". + When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. + enum: + - MatchRepoDigestOrExact + - MatchRepository + - ExactRepository + - RemapIdentity + type: string + remapIdentity: + description: |- + remapIdentity specifies the prefix remapping rule for verifying image identity. + remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image. + properties: + prefix: + description: |- + prefix is required if matchPolicy is set to "RemapIdentity". + prefix is the prefix of the image identity to be matched. + If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). + This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. + The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + signedPrefix: + description: |- + signedPrefix is required if matchPolicy is set to "RemapIdentity". + signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - prefix + - signedPrefix + type: object + required: + - matchPolicy + type: object + x-kubernetes-validations: + - message: exactRepository is required when matchPolicy is ExactRepository, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') + ? has(self.exactRepository) : !has(self.exactRepository)' + - message: remapIdentity is required when matchPolicy is RemapIdentity, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') + ? has(self.remapIdentity) : !has(self.remapIdentity)' + required: + - rootOfTrust + type: object + scopes: + description: |- + scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". + Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). + More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository + namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). + Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. + This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. + In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories + quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. + If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. + For additional details about the format, please refer to the document explaining the docker transport field, + which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker + items: + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid image scope format, scope must contain a fully + qualified domain name or 'localhost' + rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] + == ''localhost'' : true' + - message: invalid image scope with wildcard, a wildcard can only + be at the start of the domain and is only supported for subdomain + matching, not path matching + rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') + : true' + - message: invalid repository namespace or image specification in + the image scope + rule: '!self.contains(''*'') ? self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') + : true' + maxItems: 256 + type: array + x-kubernetes-list-type: set + required: + - policy + - scopes + type: object + status: + description: status contains the observed state of the resource. + properties: + conditions: + description: conditions provide details on the status of this API + Resource. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/config/v1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml b/config/v1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml new file mode 100644 index 00000000000..5b63d565c89 --- /dev/null +++ b/config/v1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml @@ -0,0 +1,416 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2310 + api.openshift.io/filename-cvo-runlevel: "0000_10" + api.openshift.io/filename-operator: config-operator + api.openshift.io/filename-ordering: "01" + feature-gate.release.openshift.io/SigstoreImageVerification: "true" + name: imagepolicies.config.openshift.io +spec: + group: config.openshift.io + names: + kind: ImagePolicy + listKind: ImagePolicyList + plural: imagepolicies + singular: imagepolicy + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + ImagePolicy holds namespace-wide configuration for image signature verification + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + policy: + description: |- + policy is a required field that contains configuration to allow scopes to be verified, and defines how + images not matching the verification policy will be treated. + properties: + rootOfTrust: + description: |- + rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. + This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. + properties: + fulcioCAWithRekor: + description: |- + fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. + fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise + For more information about Fulcio and Rekor, please refer to the document at: + https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor + properties: + fulcioCAData: + description: |- + fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. + fulcioCAData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the fulcioCAData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the fulcioCAData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + fulcioSubject: + description: fulcioSubject is a required field specifies + OIDC issuer and the email of the Fulcio authentication + configuration. + properties: + oidcIssuer: + description: |- + oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. + It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. + When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. + Example: "https://expected.OIDC.issuer/" + maxLength: 2048 + type: string + x-kubernetes-validations: + - message: oidcIssuer must be a valid URL + rule: isURL(self) + signedEmail: + description: |- + signedEmail is a required field holds the email address that the Fulcio certificate is issued for. + The signedEmail must be a valid email address and at most 320 characters in length. + Example: "expected-signing-user@example.com" + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + required: + - oidcIssuer + - signedEmail + type: object + rekorKeyData: + description: |- + rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - fulcioCAData + - fulcioSubject + - rekorKeyData + type: object + policyType: + description: |- + policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. + Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". + When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. + When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. + When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + type: string + publicKey: + description: |- + publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. + publicKey is required when policyType is PublicKey, and forbidden otherwise. + properties: + keyData: + description: |- + keyData is a required field contains inline base64-encoded data for the PEM format public key. + keyData must be at most 8192 characters. + format: byte + maxLength: 8192 + minLength: 68 + type: string + x-kubernetes-validations: + - message: the keyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the keyData must end with base64 encoding of + '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + rekorKeyData: + description: |- + rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - keyData + type: object + required: + - policyType + type: object + x-kubernetes-validations: + - message: publicKey is required when policyType is PublicKey, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''PublicKey'' + ? has(self.publicKey) : !has(self.publicKey)' + - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' + ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' + signedIdentity: + description: |- + signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. + The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". + properties: + exactRepository: + description: |- + exactRepository specifies the repository that must be exactly matched by the identity in the signature. + exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity. + properties: + repository: + description: |- + repository is the reference of the image identity to be matched. + repository is required if matchPolicy is set to "ExactRepository". + The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - repository + type: object + matchPolicy: + description: |- + matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. + Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". + When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. + When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity. + When set to "ExactRepository", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by "repository". + When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. + enum: + - MatchRepoDigestOrExact + - MatchRepository + - ExactRepository + - RemapIdentity + type: string + remapIdentity: + description: |- + remapIdentity specifies the prefix remapping rule for verifying image identity. + remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image. + properties: + prefix: + description: |- + prefix is required if matchPolicy is set to "RemapIdentity". + prefix is the prefix of the image identity to be matched. + If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). + This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. + The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + signedPrefix: + description: |- + signedPrefix is required if matchPolicy is set to "RemapIdentity". + signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - prefix + - signedPrefix + type: object + required: + - matchPolicy + type: object + x-kubernetes-validations: + - message: exactRepository is required when matchPolicy is ExactRepository, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') + ? has(self.exactRepository) : !has(self.exactRepository)' + - message: remapIdentity is required when matchPolicy is RemapIdentity, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') + ? has(self.remapIdentity) : !has(self.remapIdentity)' + required: + - rootOfTrust + type: object + scopes: + description: |- + scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". + Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). + More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository + namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). + Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. + This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. + In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories + quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. + If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. + For additional details about the format, please refer to the document explaining the docker transport field, + which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker + items: + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid image scope format, scope must contain a fully + qualified domain name or 'localhost' + rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] + == ''localhost'' : true' + - message: invalid image scope with wildcard, a wildcard can only + be at the start of the domain and is only supported for subdomain + matching, not path matching + rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') + : true' + - message: invalid repository namespace or image specification in + the image scope + rule: '!self.contains(''*'') ? self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') + : true' + maxItems: 256 + type: array + x-kubernetes-list-type: set + required: + - policy + - scopes + type: object + status: + description: status contains the observed state of the resource. + properties: + conditions: + description: |- + conditions provide details on the status of this API Resource. + condition type 'Pending' indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/config/v1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml b/config/v1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml new file mode 100644 index 00000000000..39eece1cfd4 --- /dev/null +++ b/config/v1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml @@ -0,0 +1,511 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2310 + api.openshift.io/filename-cvo-runlevel: "0000_10" + api.openshift.io/filename-operator: config-operator + api.openshift.io/filename-ordering: "01" + feature-gate.release.openshift.io/SigstoreImageVerificationPKI: "true" + name: imagepolicies.config.openshift.io +spec: + group: config.openshift.io + names: + kind: ImagePolicy + listKind: ImagePolicyList + plural: imagepolicies + singular: imagepolicy + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + ImagePolicy holds namespace-wide configuration for image signature verification + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + policy: + description: |- + policy is a required field that contains configuration to allow scopes to be verified, and defines how + images not matching the verification policy will be treated. + properties: + rootOfTrust: + description: |- + rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. + This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated. + properties: + fulcioCAWithRekor: + description: |- + fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. + fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise + For more information about Fulcio and Rekor, please refer to the document at: + https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor + properties: + fulcioCAData: + description: |- + fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. + fulcioCAData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the fulcioCAData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the fulcioCAData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + fulcioSubject: + description: fulcioSubject is a required field specifies + OIDC issuer and the email of the Fulcio authentication + configuration. + properties: + oidcIssuer: + description: |- + oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. + It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. + When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. + Example: "https://expected.OIDC.issuer/" + maxLength: 2048 + type: string + x-kubernetes-validations: + - message: oidcIssuer must be a valid URL + rule: isURL(self) + signedEmail: + description: |- + signedEmail is a required field holds the email address that the Fulcio certificate is issued for. + The signedEmail must be a valid email address and at most 320 characters in length. + Example: "expected-signing-user@example.com" + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + required: + - oidcIssuer + - signedEmail + type: object + rekorKeyData: + description: |- + rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - fulcioCAData + - fulcioSubject + - rekorKeyData + type: object + pki: + description: |- + pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. + pki is required when policyType is PKI, and forbidden otherwise. + properties: + caIntermediatesData: + description: |- + caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. + caIntermediatesData requires caRootsData to be set. + format: byte + maxLength: 8192 + minLength: 72 + type: string + x-kubernetes-validations: + - message: the caIntermediatesData must start with base64 + encoding of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caIntermediatesData must end with base64 + encoding of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + - message: caIntermediatesData must be base64 encoding + of valid PEM format data contain the same number of + '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' + markers. + rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() + == string(self).findAll('-----END CERTIFICATE-----').size() + caRootsData: + description: caRootsData contains base64-encoded data + of a certificate bundle PEM file, which contains one + or more CA roots in the PEM format. The total length + of the data must not exceed 8192 characters. + format: byte + maxLength: 8192 + minLength: 72 + type: string + x-kubernetes-validations: + - message: the caRootsData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caRootsData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: string(self).endsWith('-----END CERTIFICATE-----\n') + || string(self).endsWith('-----END CERTIFICATE-----') + - message: caRootsData must be base64 encoding of valid + PEM format data contain the same number of '-----BEGIN + CERTIFICATE-----' and '-----END CERTIFICATE-----' + markers. + rule: string(self).findAll('-----BEGIN CERTIFICATE-----').size() + == string(self).findAll('-----END CERTIFICATE-----').size() + pkiCertificateSubject: + description: pkiCertificateSubject defines the requirements + imposed on the subject to which the certificate was + issued. + properties: + email: + description: |- + email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. + The email must be a valid email address and at most 320 characters in length. + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + hostname: + description: |- + hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. + The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. + It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: hostname must be a valid dns 1123 subdomain + name, optionally prefixed by '*.'. It must consist + only of lowercase alphanumeric characters, hyphens, + periods and the optional preceding asterisk. + rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', + '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' + type: object + x-kubernetes-validations: + - message: at least one of email or hostname must be set + in pkiCertificateSubject + rule: has(self.email) || has(self.hostname) + required: + - caRootsData + - pkiCertificateSubject + type: object + policyType: + description: |- + policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. + Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". + When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. + When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. + When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + enum: + - PublicKey + - FulcioCAWithRekor + - PKI + type: string + publicKey: + description: |- + publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. + publicKey is required when policyType is PublicKey, and forbidden otherwise. + properties: + keyData: + description: |- + keyData is a required field contains inline base64-encoded data for the PEM format public key. + keyData must be at most 8192 characters. + format: byte + maxLength: 8192 + minLength: 68 + type: string + x-kubernetes-validations: + - message: the keyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the keyData must end with base64 encoding of + '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + rekorKeyData: + description: |- + rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the rekorKeyData must start with base64 encoding + of '-----BEGIN PUBLIC KEY-----'. + rule: string(self).startsWith('-----BEGIN PUBLIC KEY-----') + - message: the rekorKeyData must end with base64 encoding + of '-----END PUBLIC KEY-----'. + rule: string(self).endsWith('-----END PUBLIC KEY-----\n') + || string(self).endsWith('-----END PUBLIC KEY-----') + required: + - keyData + type: object + required: + - policyType + type: object + x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' + - message: publicKey is required when policyType is PublicKey, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''PublicKey'' + ? has(self.publicKey) : !has(self.publicKey)' + - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' + ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' + signedIdentity: + description: |- + signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. + The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact". + properties: + exactRepository: + description: |- + exactRepository specifies the repository that must be exactly matched by the identity in the signature. + exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity. + properties: + repository: + description: |- + repository is the reference of the image identity to be matched. + repository is required if matchPolicy is set to "ExactRepository". + The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - repository + type: object + matchPolicy: + description: |- + matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. + Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". + When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. + When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity. + When set to "ExactRepository", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by "repository". + When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. + enum: + - MatchRepoDigestOrExact + - MatchRepository + - ExactRepository + - RemapIdentity + type: string + remapIdentity: + description: |- + remapIdentity specifies the prefix remapping rule for verifying image identity. + remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image. + properties: + prefix: + description: |- + prefix is required if matchPolicy is set to "RemapIdentity". + prefix is the prefix of the image identity to be matched. + If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). + This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. + The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + signedPrefix: + description: |- + signedPrefix is required if matchPolicy is set to "RemapIdentity". + signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity. + The repository or prefix must starts with 'localhost' + or a valid '.' separated domain. If contains registry + paths, the path component names must start with at + least one letter or number, with following parts able + to be separated by one period, one or two underscore + and multiple dashes. + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - prefix + - signedPrefix + type: object + required: + - matchPolicy + type: object + x-kubernetes-validations: + - message: exactRepository is required when matchPolicy is ExactRepository, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') + ? has(self.exactRepository) : !has(self.exactRepository)' + - message: remapIdentity is required when matchPolicy is RemapIdentity, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') + ? has(self.remapIdentity) : !has(self.remapIdentity)' + required: + - rootOfTrust + type: object + scopes: + description: |- + scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". + Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). + More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository + namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). + Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. + This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. + In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories + quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. + If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. + For additional details about the format, please refer to the document explaining the docker transport field, + which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker + items: + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid image scope format, scope must contain a fully + qualified domain name or 'localhost' + rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] + == ''localhost'' : true' + - message: invalid image scope with wildcard, a wildcard can only + be at the start of the domain and is only supported for subdomain + matching, not path matching + rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') + : true' + - message: invalid repository namespace or image specification in + the image scope + rule: '!self.contains(''*'') ? self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') + : true' + maxItems: 256 + type: array + x-kubernetes-list-type: set + required: + - policy + - scopes + type: object + status: + description: status contains the observed state of the resource. + properties: + conditions: + description: |- + conditions provide details on the status of this API Resource. + condition type 'Pending' indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go index 485f47ae791..d165cab6fbd 100644 --- a/config/v1/zz_generated.swagger_doc_generated.go +++ b/config/v1/zz_generated.swagger_doc_generated.go @@ -611,6 +611,45 @@ func (ImageLabel) SwaggerDoc() map[string]string { return map_ImageLabel } +var map_ClusterImagePolicy = map[string]string{ + "": "ClusterImagePolicy holds cluster-wide configuration for image signature verification\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "spec": "spec contains the configuration for the cluster image policy.", + "status": "status contains the observed state of the resource.", +} + +func (ClusterImagePolicy) SwaggerDoc() map[string]string { + return map_ClusterImagePolicy +} + +var map_ClusterImagePolicyList = map[string]string{ + "": "ClusterImagePolicyList is a list of ClusterImagePolicy resources\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "items": "items is a list of ClusterImagePolices", +} + +func (ClusterImagePolicyList) SwaggerDoc() map[string]string { + return map_ClusterImagePolicyList +} + +var map_ClusterImagePolicySpec = map[string]string{ + "": "CLusterImagePolicySpec is the specification of the ClusterImagePolicy custom resource.", + "scopes": "scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", + "policy": "policy is a required field that contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", +} + +func (ClusterImagePolicySpec) SwaggerDoc() map[string]string { + return map_ClusterImagePolicySpec +} + +var map_ClusterImagePolicyStatus = map[string]string{ + "conditions": "conditions provide details on the status of this API Resource.", +} + +func (ClusterImagePolicyStatus) SwaggerDoc() map[string]string { + return map_ClusterImagePolicyStatus +} + var map_ClusterOperator = map[string]string{ "": "ClusterOperator is the Custom Resource object which holds the current state of an operator. This object is used by operators to convey their state to the rest of the cluster.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", @@ -1175,6 +1214,147 @@ func (ImageDigestMirrors) SwaggerDoc() map[string]string { return map_ImageDigestMirrors } +var map_FulcioCAWithRekor = map[string]string{ + "": "FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.", + "fulcioCAData": "fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters. ", + "rekorKeyData": "rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. ", + "fulcioSubject": "fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration.", +} + +func (FulcioCAWithRekor) SwaggerDoc() map[string]string { + return map_FulcioCAWithRekor +} + +var map_ImagePolicy = map[string]string{ + "": "ImagePolicy holds namespace-wide configuration for image signature verification\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "spec": "spec holds user settable values for configuration", + "status": "status contains the observed state of the resource.", +} + +func (ImagePolicy) SwaggerDoc() map[string]string { + return map_ImagePolicy +} + +var map_ImagePolicyList = map[string]string{ + "": "ImagePolicyList is a list of ImagePolicy resources\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "items": "items is a list of ImagePolicies", +} + +func (ImagePolicyList) SwaggerDoc() map[string]string { + return map_ImagePolicyList +} + +var map_ImagePolicySpec = map[string]string{ + "": "ImagePolicySpec is the specification of the ImagePolicy CRD.", + "scopes": "scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", + "policy": "policy is a required field that contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", +} + +func (ImagePolicySpec) SwaggerDoc() map[string]string { + return map_ImagePolicySpec +} + +var map_ImagePolicyStatus = map[string]string{ + "conditions": "conditions provide details on the status of this API Resource. condition type 'Pending' indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid.", +} + +func (ImagePolicyStatus) SwaggerDoc() map[string]string { + return map_ImagePolicyStatus +} + +var map_PKI = map[string]string{ + "": "PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", + "caRootsData": "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. ", + "caIntermediatesData": "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set. ", + "pkiCertificateSubject": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", +} + +func (PKI) SwaggerDoc() map[string]string { + return map_PKI +} + +var map_PKICertificateSubject = map[string]string{ + "": "PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", + "email": "email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. The email must be a valid email address and at most 320 characters in length.", + "hostname": "hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk.", +} + +func (PKICertificateSubject) SwaggerDoc() map[string]string { + return map_PKICertificateSubject +} + +var map_Policy = map[string]string{ + "": "Policy defines the verification policy for the items in the scopes list.", + "rootOfTrust": "rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated.", + "signedIdentity": "signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", +} + +func (Policy) SwaggerDoc() map[string]string { + return map_Policy +} + +var map_PolicyFulcioSubject = map[string]string{ + "": "PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration.", + "oidcIssuer": "oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. Example: \"https://expected.OIDC.issuer/\"", + "signedEmail": "signedEmail is a required field holds the email address that the Fulcio certificate is issued for. The signedEmail must be a valid email address and at most 320 characters in length. Example: \"expected-signing-user@example.com\"", +} + +func (PolicyFulcioSubject) SwaggerDoc() map[string]string { + return map_PolicyFulcioSubject +} + +var map_PolicyIdentity = map[string]string{ + "": "PolicyIdentity defines image identity the signature claims about the image. When omitted, the default matchPolicy is \"MatchRepoDigestOrExact\".", + "matchPolicy": "matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. Allowed values are \"MatchRepoDigestOrExact\", \"MatchRepository\", \"ExactRepository\", \"RemapIdentity\". When omitted, the default value is \"MatchRepoDigestOrExact\". When set to \"MatchRepoDigestOrExact\", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. When set to \"MatchRepository\", the identity in the signature must be in the same repository as the image identity. When set to \"ExactRepository\", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by \"repository\". When set to \"RemapIdentity\", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the \"prefix\" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix.", + "exactRepository": "exactRepository specifies the repository that must be exactly matched by the identity in the signature. exactRepository is required if matchPolicy is set to \"ExactRepository\". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity.", + "remapIdentity": "remapIdentity specifies the prefix remapping rule for verifying image identity. remapIdentity is required if matchPolicy is set to \"RemapIdentity\". It is used to verify that the signature claims a different registry/repository prefix than the original image.", +} + +func (PolicyIdentity) SwaggerDoc() map[string]string { + return map_PolicyIdentity +} + +var map_PolicyMatchExactRepository = map[string]string{ + "repository": "repository is the reference of the image identity to be matched. repository is required if matchPolicy is set to \"ExactRepository\". The value should be a repository name (by omitting the tag or digest) in a registry implementing the \"Docker Registry HTTP API V2\". For example, docker.io/library/busybox", +} + +func (PolicyMatchExactRepository) SwaggerDoc() map[string]string { + return map_PolicyMatchExactRepository +} + +var map_PolicyMatchRemapIdentity = map[string]string{ + "prefix": "prefix is required if matchPolicy is set to \"RemapIdentity\". prefix is the prefix of the image identity to be matched. If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.", + "signedPrefix": "signedPrefix is required if matchPolicy is set to \"RemapIdentity\". signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as \"prefix\". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.", +} + +func (PolicyMatchRemapIdentity) SwaggerDoc() map[string]string { + return map_PolicyMatchRemapIdentity +} + +var map_PolicyRootOfTrust = map[string]string{ + "": "PolicyRootOfTrust defines the root of trust based on the selected policyType.", + "policyType": "policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. Allowed values are \"PublicKey\", \"FulcioCAWithRekor\", and \"PKI\". When set to \"PublicKey\", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to \"FulcioCAWithRekor\", the policy is based on the Fulcio certification and incorporates a Rekor verification. When set to \"PKI\", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", + "publicKey": "publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. publicKey is required when policyType is PublicKey, and forbidden otherwise.", + "fulcioCAWithRekor": "fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor", + "pki": "pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. pki is required when policyType is PKI, and forbidden otherwise.", +} + +func (PolicyRootOfTrust) SwaggerDoc() map[string]string { + return map_PolicyRootOfTrust +} + +var map_PublicKey = map[string]string{ + "": "PublicKey defines the root of trust based on a sigstore public key.", + "keyData": "keyData is a required field contains inline base64-encoded data for the PEM format public key. keyData must be at most 8192 characters. ", + "rekorKeyData": "rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. ", +} + +func (PublicKey) SwaggerDoc() map[string]string { + return map_PublicKey +} + var map_ImageTagMirrorSet = map[string]string{ "": "ImageTagMirrorSet holds cluster-wide information about how to handle registry mirror rules on using tag pull specification. When multiple policies are defined, the outcome of the behavior is defined on each field.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", diff --git a/hack/update-payload-crds.sh b/hack/update-payload-crds.sh index 518ce267347..426ed574d27 100755 --- a/hack/update-payload-crds.sh +++ b/hack/update-payload-crds.sh @@ -4,7 +4,6 @@ source "$(dirname "${BASH_SOURCE}")/lib/init.sh" crd_globs="\ authorization/v1/zz_generated.crd-manifests/*_config-operator_*.crd*yaml\ - config/v1/zz_generated.crd-manifests/*_config-operator_*.crd*yaml\ machine/v1/zz_generated.crd-manifests/*.crd*yaml\ operator/v1/zz_generated.crd-manifests//*_config-operator_*.crd*yaml\ operator/v1alpha1/zz_generated.crd-manifests//*_config-operator_*.crd*yaml\ @@ -28,6 +27,23 @@ crd_globs="\ config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitoring*.crd.yaml operator/v1/zz_generated.crd-manifests/*_storage_01_storages*.crd.yaml operator/v1/zz_generated.crd-manifests/*_csi-driver_01_clustercsidrivers*.crd.yaml + config/v1/zz_generated.crd-manifests/0000_03_config-operator_01_proxies.crd.yaml + config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-*.crd.yaml + config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-*.crd.yaml + config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_consoles.crd.yaml + config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_dnses.crd.yaml + config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_featuregates.crd.yaml + config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagecontentpolicies.crd.yaml + config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagedigestmirrorsets.crd.yaml + config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_images-*.crd.yaml + config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_imagetagmirrorsets.crd.yaml + config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-*.crd.yaml + config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_ingresses.crd.yaml + config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_networks.crd.yaml + config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_nodes-*.crd.yaml + config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_oauths.crd.yaml + config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_projects.crd.yaml + config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_schedulers-*.crd.yaml " # To allow the crd_globs to be sourced in the verify script, diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index d0797367f00..3c0150b3ec9 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -185,6 +185,10 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.CloudLoadBalancerConfig": schema_openshift_api_config_v1_CloudLoadBalancerConfig(ref), "github.com/openshift/api/config/v1.CloudLoadBalancerIPs": schema_openshift_api_config_v1_CloudLoadBalancerIPs(ref), "github.com/openshift/api/config/v1.ClusterCondition": schema_openshift_api_config_v1_ClusterCondition(ref), + "github.com/openshift/api/config/v1.ClusterImagePolicy": schema_openshift_api_config_v1_ClusterImagePolicy(ref), + "github.com/openshift/api/config/v1.ClusterImagePolicyList": schema_openshift_api_config_v1_ClusterImagePolicyList(ref), + "github.com/openshift/api/config/v1.ClusterImagePolicySpec": schema_openshift_api_config_v1_ClusterImagePolicySpec(ref), + "github.com/openshift/api/config/v1.ClusterImagePolicyStatus": schema_openshift_api_config_v1_ClusterImagePolicyStatus(ref), "github.com/openshift/api/config/v1.ClusterNetworkEntry": schema_openshift_api_config_v1_ClusterNetworkEntry(ref), "github.com/openshift/api/config/v1.ClusterOperator": schema_openshift_api_config_v1_ClusterOperator(ref), "github.com/openshift/api/config/v1.ClusterOperatorList": schema_openshift_api_config_v1_ClusterOperatorList(ref), @@ -237,6 +241,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.FeatureGateSpec": schema_openshift_api_config_v1_FeatureGateSpec(ref), "github.com/openshift/api/config/v1.FeatureGateStatus": schema_openshift_api_config_v1_FeatureGateStatus(ref), "github.com/openshift/api/config/v1.FeatureGateTests": schema_openshift_api_config_v1_FeatureGateTests(ref), + "github.com/openshift/api/config/v1.FulcioCAWithRekor": schema_openshift_api_config_v1_FulcioCAWithRekor(ref), "github.com/openshift/api/config/v1.GCPPlatformSpec": schema_openshift_api_config_v1_GCPPlatformSpec(ref), "github.com/openshift/api/config/v1.GCPPlatformStatus": schema_openshift_api_config_v1_GCPPlatformStatus(ref), "github.com/openshift/api/config/v1.GCPResourceLabel": schema_openshift_api_config_v1_GCPResourceLabel(ref), @@ -267,6 +272,10 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.ImageDigestMirrors": schema_openshift_api_config_v1_ImageDigestMirrors(ref), "github.com/openshift/api/config/v1.ImageLabel": schema_openshift_api_config_v1_ImageLabel(ref), "github.com/openshift/api/config/v1.ImageList": schema_openshift_api_config_v1_ImageList(ref), + "github.com/openshift/api/config/v1.ImagePolicy": schema_openshift_api_config_v1_ImagePolicy(ref), + "github.com/openshift/api/config/v1.ImagePolicyList": schema_openshift_api_config_v1_ImagePolicyList(ref), + "github.com/openshift/api/config/v1.ImagePolicySpec": schema_openshift_api_config_v1_ImagePolicySpec(ref), + "github.com/openshift/api/config/v1.ImagePolicyStatus": schema_openshift_api_config_v1_ImagePolicyStatus(ref), "github.com/openshift/api/config/v1.ImageSpec": schema_openshift_api_config_v1_ImageSpec(ref), "github.com/openshift/api/config/v1.ImageStatus": schema_openshift_api_config_v1_ImageStatus(ref), "github.com/openshift/api/config/v1.ImageTagMirrorSet": schema_openshift_api_config_v1_ImageTagMirrorSet(ref), @@ -342,8 +351,16 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.OvirtPlatformLoadBalancer": schema_openshift_api_config_v1_OvirtPlatformLoadBalancer(ref), "github.com/openshift/api/config/v1.OvirtPlatformSpec": schema_openshift_api_config_v1_OvirtPlatformSpec(ref), "github.com/openshift/api/config/v1.OvirtPlatformStatus": schema_openshift_api_config_v1_OvirtPlatformStatus(ref), + "github.com/openshift/api/config/v1.PKI": schema_openshift_api_config_v1_PKI(ref), + "github.com/openshift/api/config/v1.PKICertificateSubject": schema_openshift_api_config_v1_PKICertificateSubject(ref), "github.com/openshift/api/config/v1.PlatformSpec": schema_openshift_api_config_v1_PlatformSpec(ref), "github.com/openshift/api/config/v1.PlatformStatus": schema_openshift_api_config_v1_PlatformStatus(ref), + "github.com/openshift/api/config/v1.Policy": schema_openshift_api_config_v1_Policy(ref), + "github.com/openshift/api/config/v1.PolicyFulcioSubject": schema_openshift_api_config_v1_PolicyFulcioSubject(ref), + "github.com/openshift/api/config/v1.PolicyIdentity": schema_openshift_api_config_v1_PolicyIdentity(ref), + "github.com/openshift/api/config/v1.PolicyMatchExactRepository": schema_openshift_api_config_v1_PolicyMatchExactRepository(ref), + "github.com/openshift/api/config/v1.PolicyMatchRemapIdentity": schema_openshift_api_config_v1_PolicyMatchRemapIdentity(ref), + "github.com/openshift/api/config/v1.PolicyRootOfTrust": schema_openshift_api_config_v1_PolicyRootOfTrust(ref), "github.com/openshift/api/config/v1.PowerVSPlatformSpec": schema_openshift_api_config_v1_PowerVSPlatformSpec(ref), "github.com/openshift/api/config/v1.PowerVSPlatformStatus": schema_openshift_api_config_v1_PowerVSPlatformStatus(ref), "github.com/openshift/api/config/v1.PowerVSServiceEndpoint": schema_openshift_api_config_v1_PowerVSServiceEndpoint(ref), @@ -358,6 +375,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.ProxyList": schema_openshift_api_config_v1_ProxyList(ref), "github.com/openshift/api/config/v1.ProxySpec": schema_openshift_api_config_v1_ProxySpec(ref), "github.com/openshift/api/config/v1.ProxyStatus": schema_openshift_api_config_v1_ProxyStatus(ref), + "github.com/openshift/api/config/v1.PublicKey": schema_openshift_api_config_v1_PublicKey(ref), "github.com/openshift/api/config/v1.RegistryLocation": schema_openshift_api_config_v1_RegistryLocation(ref), "github.com/openshift/api/config/v1.RegistrySources": schema_openshift_api_config_v1_RegistrySources(ref), "github.com/openshift/api/config/v1.Release": schema_openshift_api_config_v1_Release(ref), @@ -10243,6 +10261,187 @@ func schema_openshift_api_config_v1_ClusterCondition(ref common.ReferenceCallbac } } +func schema_openshift_api_config_v1_ClusterImagePolicy(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ClusterImagePolicy holds cluster-wide configuration for image signature verification\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + }, + }, + "spec": { + SchemaProps: spec.SchemaProps{ + Description: "spec contains the configuration for the cluster image policy.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.ClusterImagePolicySpec"), + }, + }, + "status": { + SchemaProps: spec.SchemaProps{ + Description: "status contains the observed state of the resource.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.ClusterImagePolicyStatus"), + }, + }, + }, + Required: []string{"spec"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.ClusterImagePolicySpec", "github.com/openshift/api/config/v1.ClusterImagePolicyStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + } +} + +func schema_openshift_api_config_v1_ClusterImagePolicyList(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ClusterImagePolicyList is a list of ClusterImagePolicy resources\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Description: "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), + }, + }, + "items": { + SchemaProps: spec.SchemaProps{ + Description: "items is a list of ClusterImagePolices", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.ClusterImagePolicy"), + }, + }, + }, + }, + }, + }, + Required: []string{"metadata", "items"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.ClusterImagePolicy", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, + } +} + +func schema_openshift_api_config_v1_ClusterImagePolicySpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "CLusterImagePolicySpec is the specification of the ClusterImagePolicy custom resource.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "scopes": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "set", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "policy": { + SchemaProps: spec.SchemaProps{ + Description: "policy is a required field that contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.Policy"), + }, + }, + }, + Required: []string{"scopes", "policy"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.Policy"}, + } +} + +func schema_openshift_api_config_v1_ClusterImagePolicyStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "conditions": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "type", + }, + "x-kubernetes-list-type": "map", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "conditions provide details on the status of this API Resource.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), + }, + }, + }, + }, + }, + }, + }, + }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, + } +} + func schema_openshift_api_config_v1_ClusterNetworkEntry(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -12519,6 +12718,43 @@ func schema_openshift_api_config_v1_FeatureGateTests(ref common.ReferenceCallbac } } +func schema_openshift_api_config_v1_FulcioCAWithRekor(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "fulcioCAData": { + SchemaProps: spec.SchemaProps{ + Description: "fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.", + Type: []string{"string"}, + Format: "byte", + }, + }, + "rekorKeyData": { + SchemaProps: spec.SchemaProps{ + Description: "rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", + Type: []string{"string"}, + Format: "byte", + }, + }, + "fulcioSubject": { + SchemaProps: spec.SchemaProps{ + Description: "fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.PolicyFulcioSubject"), + }, + }, + }, + Required: []string{"fulcioCAData", "rekorKeyData", "fulcioSubject"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.PolicyFulcioSubject"}, + } +} + func schema_openshift_api_config_v1_GCPPlatformSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -13954,70 +14190,251 @@ func schema_openshift_api_config_v1_ImageList(ref common.ReferenceCallback) comm } } -func schema_openshift_api_config_v1_ImageSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_config_v1_ImagePolicy(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "ImagePolicy holds namespace-wide configuration for image signature verification\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + Type: []string{"object"}, Properties: map[string]spec.Schema{ - "allowedRegistriesForImport": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-type": "atomic", - }, - }, + "kind": { SchemaProps: spec.SchemaProps{ - Description: "allowedRegistriesForImport limits the container image registries that normal users may import images from. Set this list to the registries that you trust to contain valid Docker images and that you want applications to be able to import from. Users with permission to create Images or ImageStreamMappings via the API are not affected by this policy - typically only administrators or system integrations will have those permissions.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.RegistryLocation"), - }, - }, - }, + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", }, }, - "externalRegistryHostnames": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-type": "atomic", - }, - }, + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "externalRegistryHostnames provides the hostnames for the default external image registry. The external hostname should be set only when the image registry is exposed externally. The first value is used in 'publicDockerImageRepository' field in ImageStreams. The value must be in \"hostname[:port]\" format.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", }, }, - "additionalTrustedCA": { + "metadata": { SchemaProps: spec.SchemaProps{ - Description: "additionalTrustedCA is a reference to a ConfigMap containing additional CAs that should be trusted during imagestream import, pod image pull, build image pull, and imageregistry pullthrough. The namespace for this config map is openshift-config.", + Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.ConfigMapNameReference"), + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), }, }, - "registrySources": { + "spec": { SchemaProps: spec.SchemaProps{ - Description: "registrySources contains configuration that determines how the container runtime should treat individual registries when accessing images for builds+pods. (e.g. whether or not to allow insecure access). It does not contain configuration for the internal cluster registry.", + Description: "spec holds user settable values for configuration", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.RegistrySources"), + Ref: ref("github.com/openshift/api/config/v1.ImagePolicySpec"), }, }, - "imageStreamImportMode": { + "status": { SchemaProps: spec.SchemaProps{ - Description: "imageStreamImportMode controls the import mode behaviour of imagestreams. It can be set to `Legacy` or `PreserveOriginal` or the empty string. If this value is specified, this setting is applied to all newly created imagestreams which do not have the value set. `Legacy` indicates that the legacy behaviour should be used. For manifest lists, the legacy behaviour will discard the manifest list and import a single sub-manifest. In this case, the platform is chosen in the following order of priority: 1. tag annotations; 2. control plane arch/os; 3. linux/amd64; 4. the first manifest in the list. `PreserveOriginal` indicates that the original manifest will be preserved. For manifest lists, the manifest list and all its sub-manifests will be imported. When empty, the behaviour will be decided based on the payload type advertised by the ClusterVersion status, i.e single arch payload implies the import mode is Legacy and multi payload implies PreserveOriginal.\n\nPossible enum values:\n - `\"Legacy\"` indicates that the legacy behaviour should be used. For manifest lists, the legacy behaviour will discard the manifest list and import a single sub-manifest. In this case, the platform is chosen in the following order of priority: 1. tag annotations; 2. control plane arch/os; 3. linux/amd64; 4. the first manifest in the list. This mode is the default.\n - `\"PreserveOriginal\"` indicates that the original manifest will be preserved. For manifest lists, the manifest list and all its sub-manifests will be imported.", - Default: "", - Type: []string{"string"}, + Description: "status contains the observed state of the resource.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.ImagePolicyStatus"), + }, + }, + }, + Required: []string{"spec"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.ImagePolicySpec", "github.com/openshift/api/config/v1.ImagePolicyStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + } +} + +func schema_openshift_api_config_v1_ImagePolicyList(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ImagePolicyList is a list of ImagePolicy resources\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Description: "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), + }, + }, + "items": { + SchemaProps: spec.SchemaProps{ + Description: "items is a list of ImagePolicies", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.ImagePolicy"), + }, + }, + }, + }, + }, + }, + Required: []string{"metadata", "items"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.ImagePolicy", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, + } +} + +func schema_openshift_api_config_v1_ImagePolicySpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ImagePolicySpec is the specification of the ImagePolicy CRD.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "scopes": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "set", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "policy": { + SchemaProps: spec.SchemaProps{ + Description: "policy is a required field that contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.Policy"), + }, + }, + }, + Required: []string{"scopes", "policy"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.Policy"}, + } +} + +func schema_openshift_api_config_v1_ImagePolicyStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "conditions": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "type", + }, + "x-kubernetes-list-type": "map", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "conditions provide details on the status of this API Resource. condition type 'Pending' indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), + }, + }, + }, + }, + }, + }, + }, + }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, + } +} + +func schema_openshift_api_config_v1_ImageSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "allowedRegistriesForImport": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "allowedRegistriesForImport limits the container image registries that normal users may import images from. Set this list to the registries that you trust to contain valid Docker images and that you want applications to be able to import from. Users with permission to create Images or ImageStreamMappings via the API are not affected by this policy - typically only administrators or system integrations will have those permissions.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.RegistryLocation"), + }, + }, + }, + }, + }, + "externalRegistryHostnames": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "externalRegistryHostnames provides the hostnames for the default external image registry. The external hostname should be set only when the image registry is exposed externally. The first value is used in 'publicDockerImageRepository' field in ImageStreams. The value must be in \"hostname[:port]\" format.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "additionalTrustedCA": { + SchemaProps: spec.SchemaProps{ + Description: "additionalTrustedCA is a reference to a ConfigMap containing additional CAs that should be trusted during imagestream import, pod image pull, build image pull, and imageregistry pullthrough. The namespace for this config map is openshift-config.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.ConfigMapNameReference"), + }, + }, + "registrySources": { + SchemaProps: spec.SchemaProps{ + Description: "registrySources contains configuration that determines how the container runtime should treat individual registries when accessing images for builds+pods. (e.g. whether or not to allow insecure access). It does not contain configuration for the internal cluster registry.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.RegistrySources"), + }, + }, + "imageStreamImportMode": { + SchemaProps: spec.SchemaProps{ + Description: "imageStreamImportMode controls the import mode behaviour of imagestreams. It can be set to `Legacy` or `PreserveOriginal` or the empty string. If this value is specified, this setting is applied to all newly created imagestreams which do not have the value set. `Legacy` indicates that the legacy behaviour should be used. For manifest lists, the legacy behaviour will discard the manifest list and import a single sub-manifest. In this case, the platform is chosen in the following order of priority: 1. tag annotations; 2. control plane arch/os; 3. linux/amd64; 4. the first manifest in the list. `PreserveOriginal` indicates that the original manifest will be preserved. For manifest lists, the manifest list and all its sub-manifests will be imported. When empty, the behaviour will be decided based on the payload type advertised by the ClusterVersion status, i.e single arch payload implies the import mode is Legacy and multi payload implies PreserveOriginal.\n\nPossible enum values:\n - `\"Legacy\"` indicates that the legacy behaviour should be used. For manifest lists, the legacy behaviour will discard the manifest list and import a single sub-manifest. In this case, the platform is chosen in the following order of priority: 1. tag annotations; 2. control plane arch/os; 3. linux/amd64; 4. the first manifest in the list. This mode is the default.\n - `\"PreserveOriginal\"` indicates that the original manifest will be preserved. For manifest lists, the manifest list and all its sub-manifests will be imported.", + Default: "", + Type: []string{"string"}, Format: "", Enum: []interface{}{"Legacy", "PreserveOriginal"}, }, @@ -17511,6 +17928,70 @@ func schema_openshift_api_config_v1_OvirtPlatformStatus(ref common.ReferenceCall } } +func schema_openshift_api_config_v1_PKI(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "caRootsData": { + SchemaProps: spec.SchemaProps{ + Description: "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters.", + Type: []string{"string"}, + Format: "byte", + }, + }, + "caIntermediatesData": { + SchemaProps: spec.SchemaProps{ + Description: "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set.", + Type: []string{"string"}, + Format: "byte", + }, + }, + "pkiCertificateSubject": { + SchemaProps: spec.SchemaProps{ + Description: "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.PKICertificateSubject"), + }, + }, + }, + Required: []string{"caRootsData", "pkiCertificateSubject"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.PKICertificateSubject"}, + } +} + +func schema_openshift_api_config_v1_PKICertificateSubject(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "email": { + SchemaProps: spec.SchemaProps{ + Description: "email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. The email must be a valid email address and at most 320 characters in length.", + Type: []string{"string"}, + Format: "", + }, + }, + "hostname": { + SchemaProps: spec.SchemaProps{ + Description: "hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + } +} + func schema_openshift_api_config_v1_PlatformSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -17727,6 +18208,220 @@ func schema_openshift_api_config_v1_PlatformStatus(ref common.ReferenceCallback) } } +func schema_openshift_api_config_v1_Policy(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Policy defines the verification policy for the items in the scopes list.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "rootOfTrust": { + SchemaProps: spec.SchemaProps{ + Description: "rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.PolicyRootOfTrust"), + }, + }, + "signedIdentity": { + SchemaProps: spec.SchemaProps{ + Description: "signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", + Ref: ref("github.com/openshift/api/config/v1.PolicyIdentity"), + }, + }, + }, + Required: []string{"rootOfTrust"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.PolicyIdentity", "github.com/openshift/api/config/v1.PolicyRootOfTrust"}, + } +} + +func schema_openshift_api_config_v1_PolicyFulcioSubject(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "oidcIssuer": { + SchemaProps: spec.SchemaProps{ + Description: "oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. Example: \"https://expected.OIDC.issuer/\"", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "signedEmail": { + SchemaProps: spec.SchemaProps{ + Description: "signedEmail is a required field holds the email address that the Fulcio certificate is issued for. The signedEmail must be a valid email address and at most 320 characters in length. Example: \"expected-signing-user@example.com\"", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"oidcIssuer", "signedEmail"}, + }, + }, + } +} + +func schema_openshift_api_config_v1_PolicyIdentity(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PolicyIdentity defines image identity the signature claims about the image. When omitted, the default matchPolicy is \"MatchRepoDigestOrExact\".", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "matchPolicy": { + SchemaProps: spec.SchemaProps{ + Description: "matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. Allowed values are \"MatchRepoDigestOrExact\", \"MatchRepository\", \"ExactRepository\", \"RemapIdentity\". When omitted, the default value is \"MatchRepoDigestOrExact\". When set to \"MatchRepoDigestOrExact\", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. When set to \"MatchRepository\", the identity in the signature must be in the same repository as the image identity. When set to \"ExactRepository\", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by \"repository\". When set to \"RemapIdentity\", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the \"prefix\" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "exactRepository": { + SchemaProps: spec.SchemaProps{ + Description: "exactRepository specifies the repository that must be exactly matched by the identity in the signature. exactRepository is required if matchPolicy is set to \"ExactRepository\". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity.", + Ref: ref("github.com/openshift/api/config/v1.PolicyMatchExactRepository"), + }, + }, + "remapIdentity": { + SchemaProps: spec.SchemaProps{ + Description: "remapIdentity specifies the prefix remapping rule for verifying image identity. remapIdentity is required if matchPolicy is set to \"RemapIdentity\". It is used to verify that the signature claims a different registry/repository prefix than the original image.", + Ref: ref("github.com/openshift/api/config/v1.PolicyMatchRemapIdentity"), + }, + }, + }, + Required: []string{"matchPolicy"}, + }, + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-unions": []interface{}{ + map[string]interface{}{ + "discriminator": "matchPolicy", + "fields-to-discriminateBy": map[string]interface{}{ + "exactRepository": "PolicyMatchExactRepository", + "remapIdentity": "PolicyMatchRemapIdentity", + }, + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.PolicyMatchExactRepository", "github.com/openshift/api/config/v1.PolicyMatchRemapIdentity"}, + } +} + +func schema_openshift_api_config_v1_PolicyMatchExactRepository(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "repository": { + SchemaProps: spec.SchemaProps{ + Description: "repository is the reference of the image identity to be matched. repository is required if matchPolicy is set to \"ExactRepository\". The value should be a repository name (by omitting the tag or digest) in a registry implementing the \"Docker Registry HTTP API V2\". For example, docker.io/library/busybox", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"repository"}, + }, + }, + } +} + +func schema_openshift_api_config_v1_PolicyMatchRemapIdentity(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "prefix": { + SchemaProps: spec.SchemaProps{ + Description: "prefix is required if matchPolicy is set to \"RemapIdentity\". prefix is the prefix of the image identity to be matched. If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "signedPrefix": { + SchemaProps: spec.SchemaProps{ + Description: "signedPrefix is required if matchPolicy is set to \"RemapIdentity\". signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as \"prefix\". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"prefix", "signedPrefix"}, + }, + }, + } +} + +func schema_openshift_api_config_v1_PolicyRootOfTrust(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PolicyRootOfTrust defines the root of trust based on the selected policyType.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "policyType": { + SchemaProps: spec.SchemaProps{ + Description: "policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. Allowed values are \"PublicKey\", \"FulcioCAWithRekor\", and \"PKI\". When set to \"PublicKey\", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to \"FulcioCAWithRekor\", the policy is based on the Fulcio certification and incorporates a Rekor verification. When set to \"PKI\", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "publicKey": { + SchemaProps: spec.SchemaProps{ + Description: "publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. publicKey is required when policyType is PublicKey, and forbidden otherwise.", + Ref: ref("github.com/openshift/api/config/v1.PublicKey"), + }, + }, + "fulcioCAWithRekor": { + SchemaProps: spec.SchemaProps{ + Description: "fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor", + Ref: ref("github.com/openshift/api/config/v1.FulcioCAWithRekor"), + }, + }, + "pki": { + SchemaProps: spec.SchemaProps{ + Description: "pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. pki is required when policyType is PKI, and forbidden otherwise.", + Ref: ref("github.com/openshift/api/config/v1.PKI"), + }, + }, + }, + Required: []string{"policyType"}, + }, + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-unions": []interface{}{ + map[string]interface{}{ + "discriminator": "policyType", + "fields-to-discriminateBy": map[string]interface{}{ + "fulcioCAWithRekor": "FulcioCAWithRekor", + "pki": "PKI", + "publicKey": "PublicKey", + }, + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.FulcioCAWithRekor", "github.com/openshift/api/config/v1.PKI", "github.com/openshift/api/config/v1.PublicKey"}, + } +} + func schema_openshift_api_config_v1_PowerVSPlatformSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -18277,6 +18972,34 @@ func schema_openshift_api_config_v1_ProxyStatus(ref common.ReferenceCallback) co } } +func schema_openshift_api_config_v1_PublicKey(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PublicKey defines the root of trust based on a sigstore public key.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "keyData": { + SchemaProps: spec.SchemaProps{ + Description: "keyData is a required field contains inline base64-encoded data for the PEM format public key. keyData must be at most 8192 characters.", + Type: []string{"string"}, + Format: "byte", + }, + }, + "rekorKeyData": { + SchemaProps: spec.SchemaProps{ + Description: "rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", + Type: []string{"string"}, + Format: "byte", + }, + }, + }, + Required: []string{"keyData"}, + }, + }, + } +} + func schema_openshift_api_config_v1_RegistryLocation(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ diff --git a/openapi/openapi.json b/openapi/openapi.json index e26a740f3d3..db0013d74e4 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json @@ -5127,6 +5127,110 @@ } } }, + "com.github.openshift.api.config.v1.ClusterImagePolicy": { + "description": "ClusterImagePolicy holds cluster-wide configuration for image signature verification\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "type": "object", + "required": [ + "spec" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" + }, + "spec": { + "description": "spec contains the configuration for the cluster image policy.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.ClusterImagePolicySpec" + }, + "status": { + "description": "status contains the observed state of the resource.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.ClusterImagePolicyStatus" + } + } + }, + "com.github.openshift.api.config.v1.ClusterImagePolicyList": { + "description": "ClusterImagePolicyList is a list of ClusterImagePolicy resources\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "type": "object", + "required": [ + "metadata", + "items" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "items": { + "description": "items is a list of ClusterImagePolices", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.ClusterImagePolicy" + } + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" + } + } + }, + "com.github.openshift.api.config.v1.ClusterImagePolicySpec": { + "description": "CLusterImagePolicySpec is the specification of the ClusterImagePolicy custom resource.", + "type": "object", + "required": [ + "scopes", + "policy" + ], + "properties": { + "policy": { + "description": "policy is a required field that contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.Policy" + }, + "scopes": { + "description": "scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", + "type": "array", + "items": { + "type": "string", + "default": "" + }, + "x-kubernetes-list-type": "set" + } + } + }, + "com.github.openshift.api.config.v1.ClusterImagePolicyStatus": { + "type": "object", + "properties": { + "conditions": { + "description": "conditions provide details on the status of this API Resource.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" + }, + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map" + } + } + }, "com.github.openshift.api.config.v1.ClusterNetworkEntry": { "description": "ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs are allocated.", "type": "object", @@ -6449,6 +6553,32 @@ } } }, + "com.github.openshift.api.config.v1.FulcioCAWithRekor": { + "description": "FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.", + "type": "object", + "required": [ + "fulcioCAData", + "rekorKeyData", + "fulcioSubject" + ], + "properties": { + "fulcioCAData": { + "description": "fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.", + "type": "string", + "format": "byte" + }, + "fulcioSubject": { + "description": "fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.PolicyFulcioSubject" + }, + "rekorKeyData": { + "description": "rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", + "type": "string", + "format": "byte" + } + } + }, "com.github.openshift.api.config.v1.GCPPlatformSpec": { "description": "GCPPlatformSpec holds the desired state of the Google Cloud Platform infrastructure provider. This only includes fields that can be modified in the cluster.", "type": "object" @@ -7327,6 +7457,110 @@ } } }, + "com.github.openshift.api.config.v1.ImagePolicy": { + "description": "ImagePolicy holds namespace-wide configuration for image signature verification\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "type": "object", + "required": [ + "spec" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" + }, + "spec": { + "description": "spec holds user settable values for configuration", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.ImagePolicySpec" + }, + "status": { + "description": "status contains the observed state of the resource.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.ImagePolicyStatus" + } + } + }, + "com.github.openshift.api.config.v1.ImagePolicyList": { + "description": "ImagePolicyList is a list of ImagePolicy resources\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "type": "object", + "required": [ + "metadata", + "items" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "items": { + "description": "items is a list of ImagePolicies", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.ImagePolicy" + } + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" + } + } + }, + "com.github.openshift.api.config.v1.ImagePolicySpec": { + "description": "ImagePolicySpec is the specification of the ImagePolicy CRD.", + "type": "object", + "required": [ + "scopes", + "policy" + ], + "properties": { + "policy": { + "description": "policy is a required field that contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.Policy" + }, + "scopes": { + "description": "scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", + "type": "array", + "items": { + "type": "string", + "default": "" + }, + "x-kubernetes-list-type": "set" + } + } + }, + "com.github.openshift.api.config.v1.ImagePolicyStatus": { + "type": "object", + "properties": { + "conditions": { + "description": "conditions provide details on the status of this API Resource. condition type 'Pending' indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" + }, + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map" + } + } + }, "com.github.openshift.api.config.v1.ImageSpec": { "type": "object", "properties": { @@ -9369,6 +9603,45 @@ } } }, + "com.github.openshift.api.config.v1.PKI": { + "description": "PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", + "type": "object", + "required": [ + "caRootsData", + "pkiCertificateSubject" + ], + "properties": { + "caIntermediatesData": { + "description": "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set.", + "type": "string", + "format": "byte" + }, + "caRootsData": { + "description": "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters.", + "type": "string", + "format": "byte" + }, + "pkiCertificateSubject": { + "description": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.PKICertificateSubject" + } + } + }, + "com.github.openshift.api.config.v1.PKICertificateSubject": { + "description": "PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", + "type": "object", + "properties": { + "email": { + "description": "email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. The email must be a valid email address and at most 320 characters in length.", + "type": "string" + }, + "hostname": { + "description": "hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk.", + "type": "string" + } + } + }, "com.github.openshift.api.config.v1.PlatformSpec": { "description": "PlatformSpec holds the desired state specific to the underlying infrastructure provider of the current cluster. Since these are used at spec-level for the underlying cluster, it is supposed that only one of the spec structs is set.", "type": "object", @@ -9509,6 +9782,143 @@ } } }, + "com.github.openshift.api.config.v1.Policy": { + "description": "Policy defines the verification policy for the items in the scopes list.", + "type": "object", + "required": [ + "rootOfTrust" + ], + "properties": { + "rootOfTrust": { + "description": "rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.PolicyRootOfTrust" + }, + "signedIdentity": { + "description": "signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", + "$ref": "#/definitions/com.github.openshift.api.config.v1.PolicyIdentity" + } + } + }, + "com.github.openshift.api.config.v1.PolicyFulcioSubject": { + "description": "PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration.", + "type": "object", + "required": [ + "oidcIssuer", + "signedEmail" + ], + "properties": { + "oidcIssuer": { + "description": "oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. Example: \"https://expected.OIDC.issuer/\"", + "type": "string", + "default": "" + }, + "signedEmail": { + "description": "signedEmail is a required field holds the email address that the Fulcio certificate is issued for. The signedEmail must be a valid email address and at most 320 characters in length. Example: \"expected-signing-user@example.com\"", + "type": "string", + "default": "" + } + } + }, + "com.github.openshift.api.config.v1.PolicyIdentity": { + "description": "PolicyIdentity defines image identity the signature claims about the image. When omitted, the default matchPolicy is \"MatchRepoDigestOrExact\".", + "type": "object", + "required": [ + "matchPolicy" + ], + "properties": { + "exactRepository": { + "description": "exactRepository specifies the repository that must be exactly matched by the identity in the signature. exactRepository is required if matchPolicy is set to \"ExactRepository\". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity.", + "$ref": "#/definitions/com.github.openshift.api.config.v1.PolicyMatchExactRepository" + }, + "matchPolicy": { + "description": "matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope. Allowed values are \"MatchRepoDigestOrExact\", \"MatchRepository\", \"ExactRepository\", \"RemapIdentity\". When omitted, the default value is \"MatchRepoDigestOrExact\". When set to \"MatchRepoDigestOrExact\", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. When set to \"MatchRepository\", the identity in the signature must be in the same repository as the image identity. When set to \"ExactRepository\", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by \"repository\". When set to \"RemapIdentity\", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the \"prefix\" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix.", + "type": "string", + "default": "" + }, + "remapIdentity": { + "description": "remapIdentity specifies the prefix remapping rule for verifying image identity. remapIdentity is required if matchPolicy is set to \"RemapIdentity\". It is used to verify that the signature claims a different registry/repository prefix than the original image.", + "$ref": "#/definitions/com.github.openshift.api.config.v1.PolicyMatchRemapIdentity" + } + }, + "x-kubernetes-unions": [ + { + "discriminator": "matchPolicy", + "fields-to-discriminateBy": { + "exactRepository": "PolicyMatchExactRepository", + "remapIdentity": "PolicyMatchRemapIdentity" + } + } + ] + }, + "com.github.openshift.api.config.v1.PolicyMatchExactRepository": { + "type": "object", + "required": [ + "repository" + ], + "properties": { + "repository": { + "description": "repository is the reference of the image identity to be matched. repository is required if matchPolicy is set to \"ExactRepository\". The value should be a repository name (by omitting the tag or digest) in a registry implementing the \"Docker Registry HTTP API V2\". For example, docker.io/library/busybox", + "type": "string", + "default": "" + } + } + }, + "com.github.openshift.api.config.v1.PolicyMatchRemapIdentity": { + "type": "object", + "required": [ + "prefix", + "signedPrefix" + ], + "properties": { + "prefix": { + "description": "prefix is required if matchPolicy is set to \"RemapIdentity\". prefix is the prefix of the image identity to be matched. If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.", + "type": "string", + "default": "" + }, + "signedPrefix": { + "description": "signedPrefix is required if matchPolicy is set to \"RemapIdentity\". signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as \"prefix\". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.", + "type": "string", + "default": "" + } + } + }, + "com.github.openshift.api.config.v1.PolicyRootOfTrust": { + "description": "PolicyRootOfTrust defines the root of trust based on the selected policyType.", + "type": "object", + "required": [ + "policyType" + ], + "properties": { + "fulcioCAWithRekor": { + "description": "fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor", + "$ref": "#/definitions/com.github.openshift.api.config.v1.FulcioCAWithRekor" + }, + "pki": { + "description": "pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. pki is required when policyType is PKI, and forbidden otherwise.", + "$ref": "#/definitions/com.github.openshift.api.config.v1.PKI" + }, + "policyType": { + "description": "policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. Allowed values are \"PublicKey\", \"FulcioCAWithRekor\", and \"PKI\". When set to \"PublicKey\", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to \"FulcioCAWithRekor\", the policy is based on the Fulcio certification and incorporates a Rekor verification. When set to \"PKI\", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", + "type": "string", + "default": "" + }, + "publicKey": { + "description": "publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. publicKey is required when policyType is PublicKey, and forbidden otherwise.", + "$ref": "#/definitions/com.github.openshift.api.config.v1.PublicKey" + } + }, + "x-kubernetes-unions": [ + { + "discriminator": "policyType", + "fields-to-discriminateBy": { + "fulcioCAWithRekor": "FulcioCAWithRekor", + "pki": "PKI", + "publicKey": "PublicKey" + } + } + ] + }, "com.github.openshift.api.config.v1.PowerVSPlatformSpec": { "description": "PowerVSPlatformSpec holds the desired state of the IBM Power Systems Virtual Servers infrastructure provider. This only includes fields that can be modified in the cluster.", "type": "object", @@ -9828,6 +10238,25 @@ } } }, + "com.github.openshift.api.config.v1.PublicKey": { + "description": "PublicKey defines the root of trust based on a sigstore public key.", + "type": "object", + "required": [ + "keyData" + ], + "properties": { + "keyData": { + "description": "keyData is a required field contains inline base64-encoded data for the PEM format public key. keyData must be at most 8192 characters.", + "type": "string", + "format": "byte" + }, + "rekorKeyData": { + "description": "rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", + "type": "string", + "format": "byte" + } + } + }, "com.github.openshift.api.config.v1.RegistryLocation": { "description": "RegistryLocation contains a location of the registry specified by the registry domain name. The domain name might include wildcards, like '*' or '??'.", "type": "object",