
Run api test
Signed-off-by: Qi Wang <[email protected]>
QiWang19 committed Jul 1, 2023
1 parent 1a45b5e commit 0d6b7b0
Showing 7 changed files with 513 additions and 234 deletions.
103 changes: 63 additions & 40 deletions config/v1alpha1/0000_10_config-operator_01_imagepolicy.crd.yaml
Expand Up @@ -37,63 +37,82 @@ spec:
description: spec holds user settable values for configuration
type: object
required:
- images
- policy
- scopes
properties:
images:
description: 'images defines the list of images assigned to a policy. Each item refers to an image or repository in a registry implementing the "Docker Registry HTTP API V2". "images" uses one of the following scopes: - complete image name, either using a tag or digest - prefixes of individual-image scopes - a wildcarded expression for matching all subdomains, the wildcard only presents at the beginning, *.example.com is a valid case, but example*.*.com is not. For more information about the format, see the document about the docker transport field: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker'
type: array
items:
description: ImageScope is the item of the images list.
type: string
pattern: ^\*(?:\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$|^((?:(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:(?:\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(?::[0-9]+)?/)?[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\w][\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$
x-kubernetes-list-type: set
policy:
description: policy defines the verification policy for the images in the images list
description: policy defines the verification policy for the items in the scopes list
type: object
properties:
fulcioCAData:
description: fulcioCAData contains inline base64 data for the fulcio CA certificate.
type: string
keyData:
description: keyData contains inline base64 data of the public key. keyData can be empty if the image got signed keyless. Requires oidcIssuer, subjectEmail, and fulcioCAData to be empty if keyData is set.
type: string
oidcIssuer:
description: 'oidcIssuer contains the expected OIDC issuer. Example: "https://expected.OIDC.issuer/" Required if fulcioCAData is set. subjectEmail must be set and keyData must be empty if oidcIssuer is set'
type: string
rekorKeyData:
description: rekorKeyData contains inline base64 data of the rekor public key. Required if fulcioCAData is set.
type: string
signedIdentity:
description: signedIdentity specifies what image identity the signature. claims about the image.
fulcioSubject:
description: fulcioSubject specifies OIDC issuer and the email of the fulcio authentication configuration. Required if rootOfTrust.fulcioCAData is set.
type: object
properties:
dockerRepository:
description: dockerReference is the reference of the image identity to be matched. This field is required if identityMatchPolicy is set to "exactReference".
oidcIssuer:
description: 'oidcIssuer contains the expected OIDC issuer. Example: "https://expected.OIDC.issuer/" Required if rootOfTrust.fulcioCAData is set.'
type: string
signedEmail:
description: 'signedEmail holds the email address the the certificate is issued for. Example: "[email protected]" Required if rootOfTrust.fulcioCAData is set.'
type: string
rootOfTrust:
description: rootOfTrust specifies the public key, the Fulcio certificate and the Rekor public key. Requires only one of keyData or fulcioCAData must be set.
type: object
properties:
fulcioCAData:
description: fulcioCAData contains inline base64 data for the fulcio CA certificate. Requires only one of keyData and fulcioCAData must be set.
type: string
keyData:
description: keyData contains inline base64 data of the public key. keyData can be empty if the image got signed keyless. Requires only one of keyData and fulcioCAData must be set.
type: string
identityMatchPolicy:
description: identityMatchPolicy set the type of matching to be used. Valid values are "MatchRepository", "ExactRepository". When omitted, the default value is "MatchRepoDigestOrExact". If set identityMatchPolicy to ExactRepository, then the dockerRepository must be specified. If set identityMatchPolicy to remapIdentity, then the prefix, and signedPrefix must be specified. "MatchRepository" means that the identity in the signature must be in the same repository as the image identity. "ExactRepository" means that the identity in the signature must be in the same repository as a specific identity specified by "dockerRepository". "remapIdentity" means that the signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signed prefix” if the the image identity matches the specified prefix.
rekorKeyData:
description: rekorKeyData contains inline base64 data of the Rekor public key. Required if fulcioCAData is set.
type: string
x-kubernetes-validations:
- rule: 'has(self.fulcioCAData) ? has(self.rekorKeyData) : true'
message: rekorKeyData must be set if fulcioCAData is set
- rule: has(self.keyData) != has(self.fulcioCAData)
message: only one of keyData and fulcioCAData must be set
signedIdentity:
description: signedIdentity specifies what image identity the signature claims about the image.
type: object
properties:
matchPolicy:
description: matchPolicy sets the type of matching to be used. Valid values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". If set matchPolicy to ExactRepository, then the repository must be specified. If set matchPolicy to remapIdentity, then the remapPrefix, and remapSignedPrefix must be specified. "MatchRepoDigestOrExact" means that the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. "MatchRepository" means that the identity in the signature must be in the same repository as the image identity. "ExactRepository" means that the identity in the signature must be in the same repository as a specific identity specified by "dockerRepository". "remapIdentity" means that the signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "remapPrefix" with the specified “remapSignedPrefix” if the the image identity matches the specified remapPrefix.
type: string
enum:
- MatchRepoDigestOrExact
- MatchRepository
- ExactRepository
- RemapIdentity
prefix:
description: prefix is the prefix of the image identity to be matched. This field is required if identityMatchPolicy is set to "remapIdentity".
remapPrefix:
description: remapPrefix is the prefix of the image identity to be matched. This field is required if identityMatchPolicy is set to "remapIdentity".
type: string
signedPrefix:
description: signedPrefix is the prefix of the image identity to be matched in the signature. This field is required if identityMatchPolicy is set to "remapIdentity".
remapSignedPrefix:
description: remapSignedPrefix is the prefix of the image identity to be matched in the signature. This field is required if identityMatchPolicy is set to "remapIdentity".
type: string
repository:
description: reference is the reference of the image identity to be matched. This field is required if identityMatchPolicy is set to "exactReference".
type: string
x-kubernetes-validations:
- rule: 'has(self.identityMatchPolicy) && self.identityMatchPolicy == ''ExactRepository'' ? self.dockerRepository != '''' : true'
message: must set dockerRepository if identityMatchPolicy is ExactRepository
- rule: 'has(self.identityMatchPolicy) && self.identityMatchPolicy == ''RemapIdentity'' ? self.prefix != '''' && self.signedPrefix != '''' : true'
message: must set prefix and signedPrefix if identityMatchPolicy is RemapIdentity
subjectEmail:
description: 'subjectEmail holds the email address of the subject. Example: "[email protected]" Required if fulcioCAData is set. oidcIssuer must be set and keyData must be empty if subjectEmail is set.'
type: string
- rule: 'has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'' ? has(self.repository) : true'
message: must set repository if matchPolicy is ExactRepository
- rule: 'has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'' ? has(self.remapPrefix) && has(self.remapSignedPrefix) : true'
message: must set remapPrefix and remapSignedPrefix if matchPolicy is RemapIdentity
x-kubernetes-validations:
- rule: (has(self.keyData) && self.keyData != '' && !has(self.oidcIssuer) && !has(self.subjectEmail) && !has(self.fulcioCAData) && !has(self.rekorKeyData)) || (!has(self.keyData) && has(self.oidcIssuer) && self.oidcIssuer != '' && has(self.subjectEmail) && self.subjectEmail != '' && has(self.fulcioCAData) && self.fulcioCAData != '' && has(self.rekorKeyData) && self.rekorKeyData != '')
- rule: '(has(self.rootOfTrust) && has(self.rootOfTrust.fulcioCAData)) ? has(self.fulcioSubject) : true'
message: fulcioSubject must be set if fulcioCAData is set
- rule: 'has(self.fulcioSubject) ? has(self.fulcioSubject.oidcIssuer) && has(self.fulcioSubject.signedEmail): true'
message: oidcIssuer and signedEmail must be set if fulcioSubject is set
- rule: 'has(self.signedIdentity) ? has(self.signedIdentity.matchPolicy): true'
message: matchPolicy must be set if signedIdentity is set
scopes:
description: 'scopes defines the list of image identities assigned to a policy. Each item refers to an image or repository in a registry implementing the "Docker Registry HTTP API V2". "scopes" uses one of the following: - complete image name, either using a tag or digest - prefixes of individual-image scopes - a wildcarded expression for matching all subdomains, the wildcard only presents at the beginning, *.example.com is a valid case, but example*.*.com is not. For more information about the format, see the document about the docker transport field: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker'
type: array
items:
description: ImageScope is the item of the scopes list.
type: string
pattern: ^\*(?:\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$|^((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(((?:\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(:[0-9]+))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+:([\w][\w.-]{0,127}))?(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$
x-kubernetes-list-type: set
status:
description: status contains the observed state of the resource.
type: object
Expand Down Expand Up @@ -145,3 +164,7 @@ spec:
policyJSON:
description: policyJSON contains the whole policy applied to the namespace which got written to disk. This includes cluster-wide policies from the `openshift-config` namespace as well.
type: string
served: true
storage: true
subresources:
status: {}
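Review bot: The new rootOfTrust rules `has(self.keyData) != has(self.fulcioCAData)` and `has(self.fulcioCAData) ? has(self.rekorKeyData) : true` only test field presence, so a spec with `rootOfTrust: {keyData: ""}` is admitted even though the policy-level rule they replace (old side, `self.keyData != ''`) rejected an empty key; an empty trust root should fail at admission rather than be left to whatever consumes the policy. Adding `minLength: 1` under keyData, fulcioCAData and rekorKeyData (and the two fulcioSubject strings) closes this without touching the CEL. Several descriptions in the signedIdentity block look stale after the rename: matchPolicy's text still names `"dockerRepository"`, the remapPrefix, remapSignedPrefix and repository descriptions still say `identityMatchPolicy` and `"exactReference"`, the repository description opens with `reference is the reference`, and signedEmail's has `the the`. The enclosing spec schema starts above this hunk.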
118 changes: 113 additions & 5 deletions config/v1alpha1/techpreview.imagepolicy.testsuite.yaml
Expand Up @@ -3,20 +3,128 @@ name: "[TechPreviewNoUpgrade] ImagePolicy"
crd: 0000_10_config-operator_01_imagepolicy.crd.yaml
tests:
onCreate:
- name: Should be able to create a minimal ImagePolicy
- name: Should be able to create a minimal ImagePolicy with kayData rootOfTrust
initial: |
apiVersion: config.openshift.io/v1alpha1
kind: ImagePolicy
spec:
images:
scopes:
- hostname:5000/myns/sigstore-signed-with-full-references
policy:
keyData: Zm9vIGJhcg==
rootOfTrust:
keyData: Zm9vIGJhcg==
expected: |
apiVersion: config.openshift.io/v1alpha1
kind: ImagePolicy
spec:
images:
scopes:
- hostname:5000/myns/sigstore-signed-with-full-references
policy:
keyData: Zm9vIGJhcg==
rootOfTrust:
keyData: Zm9vIGJhcg==
- name: Should be able to create a minimal ImagePolicy with fulcio and rekor rootOfTrust
initial: |
apiVersion: config.openshift.io/v1alpha1
kind: ImagePolicy
spec:
scopes:
- hostname:5000/myns/sigstore-signed-with-full-references
policy:
rootOfTrust:
fulcioCAData: Zm9vIGJhcg==
rekorKeyData: Zm9vIGJhcg==
fulcioSubject:
oidcIssuer: https://oidc.localhost
signedEmail: [email protected]
expected: |
apiVersion: config.openshift.io/v1alpha1
kind: ImagePolicy
spec:
scopes:
- hostname:5000/myns/sigstore-signed-with-full-references
policy:
rootOfTrust:
fulcioCAData: Zm9vIGJhcg==
rekorKeyData: Zm9vIGJhcg==
fulcioSubject:
oidcIssuer: https://oidc.localhost
signedEmail: [email protected]
- name: Should not allow both keyData and fulcioCAData
initial: |
apiVersion: config.openshift.io/v1alpha1
kind: ImagePolicy
spec:
scopes:
- hostname:5000/myns/sigstore-signed-with-full-references
policy:
rootOfTrust:
keyData: Zm9vIGJhcg==
fulcioCAData: Zm9vIGJhcg==
rekorKeyData: Zm9vIGJhcg==
fulcioSubject:
oidcIssuer: https://oidc.localhost
signedEmail: [email protected]
expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": only one of keyData and fulcioCAData must be set"
- name: Should not allow both keyData and fulcioCAData not set
initial: |
apiVersion: config.openshift.io/v1alpha1
kind: ImagePolicy
spec:
scopes:
- hostname:5000/myns/sigstore-signed-with-full-references
policy:
rootOfTrust:
rekorKeyData: Zm9vIGJhcg==
expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": only one of keyData and fulcioCAData must be set"
- name: Should not allow fulcioCAData rootOfTrust set but not set rekorKeyData
initial: |
apiVersion: config.openshift.io/v1alpha1
kind: ImagePolicy
spec:
scopes:
- hostname:5000/myns/sigstore-signed-with-full-references
policy:
rootOfTrust:
fulcioCAData: Zm9vIGJhcg==
fulcioSubject:
oidcIssuer: https://oidc.localhost
signedEmail: [email protected]
expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": rekorKeyData must be set if fulcioCAData is set"
- name: Should not allow fulcioCAData rootOfTrust set but not set fulcioSubject
initial: |
apiVersion: config.openshift.io/v1alpha1
kind: ImagePolicy
spec:
scopes:
- hostname:5000/myns/sigstore-signed-with-full-references
policy:
rootOfTrust:
fulcioCAData: Zm9vIGJhcg==
rekorKeyData: Zm9vIGJhcg==
expectedError: "spec.policy: Invalid value: \"object\": fulcioSubject must be set if fulcioCAData is set"
- name: Should not allow ExactRepository signedIdentity but not set repository
initial: |
apiVersion: config.openshift.io/v1alpha1
kind: ImagePolicy
spec:
scopes:
- hostname:5000/myns/sigstore-signed-with-full-references
policy:
rootOfTrust:
keyData: Zm9vIGJhcg==
signedIdentity:
matchPolicy: ExactRepository
expectedError: "spec.policy.signedIdentity: Invalid value: \"object\": must set repository if matchPolicy is ExactRepository"
- name: Should not allow RemapIdentity signedIdentity set but not set remapPrefix and remapSignedPrefix
initial: |
apiVersion: config.openshift.io/v1alpha1
kind: ImagePolicy
spec:
scopes:
- hostname:5000/myns/sigstore-signed-with-full-references
policy:
rootOfTrust:
keyData: Zm9vIGJhcg==
signedIdentity:
matchPolicy: RemapIdentity
expectedError: "Invalid value: \"object\": must set remapPrefix and remapSignedPrefix if matchPolicy is RemapIdentity"
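Review bot: No case exercises the policy-level rule `matchPolicy must be set if signedIdentity is set` or an empty-string `keyData`, so the presence-only `has()` checks added to the CRD are the least-tested part of the change; the case below covers the first. The final expectedError omits the `spec.policy.signedIdentity:` path prefix that every sibling case carries, which is harmless if the runner matches substrings but inconsistent otherwise. The first test name reads `kayData` where keyData is meant. There is also no passing case for ExactRepository with repository or RemapIdentity with both prefixes, so those rules are only observed on their failing branch.
```yaml
# … unchanged: existing onCreate cases …
  - name: Should not allow signedIdentity without matchPolicy
    initial: |
      apiVersion: config.openshift.io/v1alpha1
      kind: ImagePolicy
      spec:
        scopes:
        - hostname:5000/myns/sigstore-signed-with-full-references
        policy:
          rootOfTrust:
            keyData: Zm9vIGJhcg==
          signedIdentity:
            repository: hostname:5000/myns/sigstore-signed-with-full-references
    # error text constructed from the CRD's policy-level message; confirm against the runner output
    expectedError: "spec.policy: Invalid value: \"object\": matchPolicy must be set if signedIdentity is set"
```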

