Add ClusterImageSigPolicy
Signed-off-by: Qi Wang <[email protected]>
QiWang19 committed May 10, 2023

1 parent 894b49f commit 419efd4
Showing 6 changed files with 874 additions and 0 deletions.
@@ -0,0 +1,74 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
api-approved.openshift.io: https://github.com/openshift/api/pull/1245
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
include.release.openshift.io/single-node-developer: "true"
release.openshift.io/feature-set: TechPreviewNoUpgrade
name: clusterimagepolicy.config.openshift.io
spec:
group: config.openshift.io
names:
kind: ClusterImageSigPolicy
listKind: ClusterImagePolicyList
plural: clusterimagepolicies
singular: clusterimagepolicy
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: 'Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.'
type: object
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
type: object
properties:
imagePolicies:
type: array
items:
type: object
properties:
cosignPolicy:
type: object
properties:
keyReference:
type: object
properties:
data:
type: string
path:
type: string
fulcioPolicy:
type: object
properties:
keyReference:
type: object
properties:
data:
type: string
path:
type: string
rockerKeyReference:
type: object
properties:
data:
type: string
path:
type: string
images:
type: array
items:
type: string
x-kubernetes-list-type: atomic
status:
type: object
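Review bot: The `names` block declares `kind: ClusterImageSigPolicy` while the same block's `listKind: ClusterImagePolicyList` and `singular: clusterimagepolicy`, and the Go type `ClusterImagePolicy` in config/v1alpha1/types_cluster_image_policy.go, all use the other name, so objects serialized from the Go type will not match this CRD; change it to `kind: ClusterImagePolicy`. Under `fulcioPolicy` the property `rockerKeyReference` does not match the Go json tag `rekorKeyReference` and should be renamed. The schema also has no `sigstorePolicy`, `oidcIssuer` or `subjectEmail` properties even though the Go types serialize them, and without a preserve-unknown-fields marker the apiserver will prune those fields from stored objects. Regenerating this CRD from the Go types instead of hand-editing it would keep the two in sync.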
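--- a/config/v1alpha1/types_cluster_image_policy.go
+++ b/config/v1alpha1/types_cluster_image_policy.go
@@ -0,0 +1,76 @@
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+// +openshift:compatibility-gen:level=4
+type ClusterImagePolicy struct {
+metav1.TypeMeta `json:",inline"`
+metav1.ObjectMeta `json:"metadata,omitempty"`
+// +required
+Spec ClusterImagePolicySpec `json:"spec"`
+// +optional
+Status ClusterImagePolicyStatus `json:"status,omitempty"`
+}
+
+type ClusterImagePolicySpec struct {
+// imagePolicies defines a list of images and their verification policy
+// +optional
+ImagePolicies []ImagePolicy `json:"imagePolicies"`
+}
+
+type ImagePolicy struct {
+// images holds images/repositories to be verified
+Images []Image `json:"images"`
+
+// cosignPolicy holds key reference for image signed by cosign (cosign-created signatures only contain a repository)
+CosignPolicy *CosignPolicy `json:"cosignPolicy,omitempty"`
+
+// sigstorePolicy holds key reference for image will be verified by inline public key data or path of the key file
+SigstorePolicy *SigstorePolicy `json:"sigstorePolicy,omitempty"`
+
+// fulcioPolicy holds configuration to verify images signed by fulcio and rekor
+FulcioPolicy *FulcioPolicy `json:"fulcioPolicy,omitempty"`
+}
+
+// cosignPolicy holds key reference for image signed by cosign (cosign-created signatures only contain a repository)
+type CosignPolicy struct {
+KeyReference *KeyRef `json:"keyReference,omitempty"`
+}
+
+// sigstorePolicy holds key reference for image will be verified by inline public key data or path of the key file
+type SigstorePolicy struct {
+KeyReference *KeyRef `json:"keyReference,omitempty"`
+}
+
+// fulcioPolicy holds configuration to verify images signed by fulcio and rekor
+type FulcioPolicy struct {
+KeyReference *KeyRef `json:"keyReference,omitempty"`
+RekorKeyReference *KeyRef `json:"rekorKeyReference,omitempty"`
+OIDCIssuer string `json:"oidcIssuer,omitempty"`
+SubjectEmail string `json:"subjectEmail,omitempty"`
+}
+
+type KeyRef struct {
+Path string `json:"path,omitempty"`
+Data string `json:"data,omitempty"`
+}
+
+type Image string
+
+type ClusterImagePolicyStatus struct{}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+// +openshift:compatibility-gen:level=4
+type ClusterImagePolicyList struct {
+metav1.TypeMeta `json:",inline"`
+
+// metadata is the standard list's metadata.
+// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+metav1.ListMeta `json:"metadata"`
+Items []ClusterImagePolicy `json:"items"`
+}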
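Review bot: The exported types `ClusterImagePolicySpec`, `ImagePolicy`, `KeyRef`, `Image` and `ClusterImagePolicyStatus` carry no doc comment, and the comments on `CosignPolicy`, `SigstorePolicy` and `FulcioPolicy` start with the json field name rather than the type name, so they will not render as Go doc for the type. `KeyRef` in particular needs a comment stating what `Path` and `Data` are and what happens when both or neither are set, since the struct itself allows any combination; something like `// KeyRef locates a public key either inline in Data or by file Path; exactly one should be set (verify which the consumer enforces).` `ImagePolicies` is marked `+optional` but its tag is `json:"imagePolicies"` without `omitempty`, so an empty spec serializes the field as null; `json:"imagePolicies,omitempty"` matches the marker. `Images` has no marker at all, and a policy with no images is presumably a mistake, so an explicit `+required` (or documenting why it may be empty) would help.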
220 changes: 220 additions & 0 deletions config/v1alpha1/zz_generated.deepcopy.go
