Signed-off-by: Qi Wang <[email protected]>
Showing
6 changed files
with
874 additions
and
0 deletions.
74 changes: 74 additions & 0 deletions
74
config/v1alpha1/0000_10_config-operator_01_imagesigstorepolicy.crd.yaml
@@ -0,0 +1,74 @@ | ||
apiVersion: apiextensions.k8s.io/v1 | ||
kind: CustomResourceDefinition | ||
metadata: | ||
annotations: | ||
api-approved.openshift.io: https://github.com/openshift/api/pull/1245 | ||
include.release.openshift.io/ibm-cloud-managed: "true" | ||
include.release.openshift.io/self-managed-high-availability: "true" | ||
include.release.openshift.io/single-node-developer: "true" | ||
release.openshift.io/feature-set: TechPreviewNoUpgrade | ||
name: clusterimagepolicy.config.openshift.io | ||
spec: | ||
group: config.openshift.io | ||
names: | ||
kind: ClusterImageSigPolicy | ||
listKind: ClusterImagePolicyList | ||
plural: clusterimagepolicies | ||
singular: clusterimagepolicy | ||
versions: | ||
- name: v1alpha1 | ||
schema: | ||
openAPIV3Schema: | ||
description: 'Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.' | ||
type: object | ||
properties: | ||
apiVersion: | ||
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' | ||
type: string | ||
kind: | ||
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' | ||
type: string | ||
metadata: | ||
type: object | ||
spec: | ||
type: object | ||
properties: | ||
imagePolicies: | ||
type: array | ||
items: | ||
type: object | ||
properties: | ||
cosignPolicy: | ||
type: object | ||
properties: | ||
keyReference: | ||
type: object | ||
properties: | ||
data: | ||
type: string | ||
path: | ||
type: string | ||
fulcioPolicy: | ||
type: object | ||
properties: | ||
keyReference: | ||
type: object | ||
properties: | ||
data: | ||
type: string | ||
path: | ||
type: string | ||
rockerKeyReference: | ||
type: object | ||
properties: | ||
data: | ||
type: string | ||
path: | ||
type: string | ||
images: | ||
type: array | ||
items: | ||
type: string | ||
x-kubernetes-list-type: atomic | ||
status: | ||
type: object |
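Review bot: The schema under `fulcioPolicy` does not match the Go type added in the same commit — it declares `rockerKeyReference` where the type serializes `rekorKeyReference`, and `oidcIssuer`, `subjectEmail` and the whole `sigstorePolicy` branch are absent — and because the schema sets no `x-kubernetes-preserve-unknown-fields`, the API server prunes those fields on admission, so a user who pins a keyless policy to an issuer and subject gets an object stored without either constraint and the policy actually enforced is weaker than the one they wrote. Separately, the CRD as written will be rejected on install: `metadata.name` must be `<plural>.<group>` (`name: clusterimagepolicies.config.openshift.io`), `names.kind` must match the Go kind (`kind: ClusterImagePolicy`, not `ClusterImageSigPolicy`), and apiextensions v1 requires `scope:` on the spec and `served:`/`storage:` on each version. Once the Go types carry matching markers I would also add `minItems: 1` to `images` and make each `keyReference` a `path`-xor-`data` union (`oneOf` or `x-kubernetes-validations`), since a reference with both or neither is ambiguous for a verifier. The `fulcioPolicy`/`sigstorePolicy` branches would read as below (indentation is lost in the rendered page; nesting follows the Go types).
```yaml
fulcioPolicy:
  type: object
  properties:
    # … unchanged: keyReference …
    rekorKeyReference:
      type: object
      properties:
        data:
          type: string
        path:
          type: string
    oidcIssuer:
      type: string
    subjectEmail:
      type: string
sigstorePolicy:
  type: object
  properties:
    keyReference:
      type: object
      properties:
        data:
          type: string
        path:
          type: string
```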
@@ -0,0 +1,76 @@ | ||
package v1alpha1 | ||
|
||
import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
|
||
// +genclient | ||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object | ||
// | ||
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. | ||
// +openshift:compatibility-gen:level=4 | ||
type ClusterImagePolicy struct { | ||
metav1.TypeMeta `json:",inline"` | ||
metav1.ObjectMeta `json:"metadata,omitempty"` | ||
// +required | ||
Spec ClusterImagePolicySpec `json:"spec"` | ||
// +optional | ||
Status ClusterImagePolicyStatus `json:"status,omitempty"` | ||
} | ||
|
||
type ClusterImagePolicySpec struct { | ||
// imagePolicies defines a list of images and their verification policy | ||
// +optional | ||
ImagePolicies []ImagePolicy `json:"imagePolicies"` | ||
} | ||
|
||
type ImagePolicy struct { | ||
// images holds images/repositories to be verified | ||
Images []Image `json:"images"` | ||
|
||
// cosignPolicy holds key reference for image signed by cosign (cosign-created signatures only contain a repository) | ||
CosignPolicy *CosignPolicy `json:"cosignPolicy,omitempty"` | ||
|
||
// sigstorePolicy holds key reference for image will be verified by inline public key data or path of the key file | ||
SigstorePolicy *SigstorePolicy `json:"sigstorePolicy,omitempty"` | ||
|
||
// fulcioPolicy holds configuration to verify images signed by fulcio and rekor | ||
FulcioPolicy *FulcioPolicy `json:"fulcioPolicy,omitempty"` | ||
} | ||
|
||
// cosignPolicy holds key reference for image signed by cosign (cosign-created signatures only contain a repository) | ||
type CosignPolicy struct { | ||
KeyReference *KeyRef `json:"keyReference,omitempty"` | ||
} | ||
|
||
// sigstorePolicy holds key reference for image will be verified by inline public key data or path of the key file | ||
type SigstorePolicy struct { | ||
KeyReference *KeyRef `json:"keyReference,omitempty"` | ||
} | ||
|
||
// fulcioPolicy holds configuration to verify images signed by fulcio and rekor | ||
type FulcioPolicy struct { | ||
KeyReference *KeyRef `json:"keyReference,omitempty"` | ||
RekorKeyReference *KeyRef `json:"rekorKeyReference,omitempty"` | ||
OIDCIssuer string `json:"oidcIssuer,omitempty"` | ||
SubjectEmail string `json:"subjectEmail,omitempty"` | ||
} | ||
|
||
type KeyRef struct { | ||
Path string `json:"path,omitempty"` | ||
Data string `json:"data,omitempty"` | ||
} | ||
|
||
type Image string | ||
|
||
type ClusterImagePolicyStatus struct{} | ||
|
||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object | ||
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. | ||
// +openshift:compatibility-gen:level=4 | ||
type ClusterImagePolicyList struct { | ||
metav1.TypeMeta `json:",inline"` | ||
|
||
// metadata is the standard list's metadata. | ||
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata | ||
metav1.ListMeta `json:"metadata"` | ||
Items []ClusterImagePolicy `json:"items"` | ||
} |
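Review bot: `FulcioPolicy` leaves `OIDCIssuer` and `SubjectEmail` optional (`omitempty`, no `+required` marker), but a Fulcio root only identifies the certificate authority, not the signer — without the issuer and subject pinned, the policy carries nothing that distinguishes one Fulcio-issued identity from another, so both fields should get `// +required` and `// +kubebuilder:validation:MinLength=1`, and `RekorKeyReference` likely needs to be required for this branch as well (containers/image's fulcio policy type expects a Rekor public key — confirm against the intended consumer). `KeyRef` permits `Path` and `Data` to be both set or both empty; make it an explicit union (an `x-kubernetes-validations` rule or `+union` with a discriminator) and document that `Path` is resolved on the node by whatever consumes this CR, since a cluster-scoped object pointing at an arbitrary node file is a design choice reviewers need to see stated. `ImagePolicy` does not say what happens when more than one of `CosignPolicy`, `SigstorePolicy`, `FulcioPolicy` is set or when `Images` is empty; either a CEL rule enforcing exactly one policy, or a doc comment on `ImagePolicy` stating precedence, plus `// +kubebuilder:validation:MinItems=1` on `Images`. Finally, the exported types lack Go doc comments beginning with the type name (`KeyRef`, `Image`, `ClusterImagePolicySpec`, `ClusterImagePolicyStatus`), the comments on `CosignPolicy`/`SigstorePolicy`/`FulcioPolicy` start with the lowercase JSON name rather than the Go identifier, and a cluster-scoped resource with `+genclient` should also carry `// +genclient:nonNamespaced` so the generated client does not take a namespace argument.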