From 484198d645fd0b8fb3962dd4e53897112be4d6dd Mon Sep 17 00:00:00 2001 From: Qi Wang Date: Tue, 9 May 2023 23:03:58 -0400 Subject: [PATCH] Add ImagePolicy CRD Add API for ImagePolicy CRD Signed-off-by: Qi Wang --- ...10_config-operator_01_imagepolicy.crd.yaml | 137 +++++++++ .../techpreview.imagepolicy.testsuite.yaml | 14 + config/v1alpha1/types_image_policy.go | 162 +++++++++++ config/v1alpha1/zz_generated.deepcopy.go | 140 ++++++++++ .../zz_generated.swagger_doc_generated.go | 60 ++++ .../generated_openapi/zz_generated.openapi.go | 261 ++++++++++++++++++ openapi/openapi.json | 144 ++++++++++ 7 files changed, 918 insertions(+) create mode 100644 config/v1alpha1/0000_10_config-operator_01_imagepolicy.crd.yaml create mode 100644 config/v1alpha1/techpreview.imagepolicy.testsuite.yaml create mode 100644 config/v1alpha1/types_image_policy.go diff --git a/config/v1alpha1/0000_10_config-operator_01_imagepolicy.crd.yaml b/config/v1alpha1/0000_10_config-operator_01_imagepolicy.crd.yaml new file mode 100644 index 00000000000..913c03f0f7f --- /dev/null +++ b/config/v1alpha1/0000_10_config-operator_01_imagepolicy.crd.yaml @@ -0,0 +1,137 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/1457 + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + include.release.openshift.io/single-node-developer: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + name: imagepolicies.config.openshift.io +spec: + group: config.openshift.io + names: + kind: ImagePolicy + listKind: ImagePolicyList + plural: imagepolicies + singular: imagepolicy + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: "ImagePolicy holds namespace-wide configuration configuration for image signature verification \n Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support." + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + type: object + required: + - images + - policy + properties: + images: + description: 'images defines the list of images assigned to a policy. Each item refers to an image or repository in a registry implementing the "Docker Registry HTTP API V2". "images" uses one of the following scopes: - complete image name, either using a tag or digest - prefixes of individual-image scopes - a wildcarded expression for matching all subdomains, the wildcard only presents at the beginning, *.example.com is a valid case, but example*.*.com is not. For more information about the format, see the document about the docker transport field: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker' + type: array + items: + description: ImageScope is the item of the images list. + type: string + pattern: ^\*(?:\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$|^((?:(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:(?:\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(?::[0-9]+)?/)?[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\w][\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$ + x-kubernetes-list-type: set + policy: + description: policy defines the verification policy for the images in the images list + type: object + properties: + keyData: + description: keyData contains inline base64 data of the public key. Can be empty if the image got signed keyless. Requires OIDCIssuer and SubjectEmail to be empty. the sigstore community Fulcio instance(https://raw.githubusercontent.com/sigstore/root-signing/main/targets/fulcio_v1.crt.pem) will be used to verify the sigstore signature. the sigstore community Rekor public key(https://raw.githubusercontent.com/sigstore/root-signing/main/targets/rekor.pub) will be used to verify the sigstore signature. + type: string + oidcIssuer: + description: 'oidcIssuer contains the expected OIDC issuer. Example: "https://expected.OIDC.issuer/" subjectEmail must be set and keyData must be empty if oidcIssuer is set' + type: string + signedIdentity: + description: signedIdentity specifies what image identity the signature. claims about the image. + type: object + properties: + dockerRepository: + description: dockerReference is the reference of the image identity to be matched. This field is required if identityMatchPolicy is set to "exactReference". + type: string + identityMatchPolicy: + description: identityMatchPolicy set the type of matching to be used. Valid values are "MatchRepository", "ExactRepository". When omitted, the default value is "MatchRepository". If set identityMatchPolicy to ExactRepository, then the dockerRepository must be specified. "MatchRepository" means that the identity in the signature must be in the same repository as the image identity. "ExactRepository" means that the identity in the signature must be in the same repository as a specific identity specified by "dockerRepository". + type: string + enum: + - MatchRepository + - ExactRepository + x-kubernetes-validations: + - rule: 'has(self.identityMatchPolicy) && self.identityMatchPolicy == ''ExactRepository'' ? self.dockerRepository != '''' : true' + message: must set dockerRepository if identityMatchPolicy is ExactRepository + subjectEmail: + description: 'subjectEmail holds the email address of the subject. Example: "expected-signing-user@example.com" oidcIssuer must be set and keyData must be empty if subjectEmail is set.' + type: string + x-kubernetes-validations: + - rule: 'self.oidcIssuer != '''' ? (self.subjectEmail != '''' && self.keyData == '''') : true' + message: subjectEmail must be set and keyData must be empty if oidcIssuer is set + - rule: 'self.subjectEmail != '''' ? (self.oidcIssuer != '''' && self.keyData == '''') : true' + message: oidcIssuer must be set and keyData must be empty if subjectEmail is set + - rule: 'self.keyData != '''' ? (self.oidcIssuer == '''' && self.subjectEmail == '''') : true' + message: cannot set both oidcIssuer and subjectEmail if keyData is set + status: + description: status contains the observed state of the resource. + type: object + properties: + conditions: + description: conditions provide details on the status of the gatherer job. + type: array + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + type: object + required: + - lastTransitionTime + - message + - reason + - status + - type + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + type: string + format: date-time + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + type: string + maxLength: 32768 + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + type: integer + format: int64 + minimum: 0 + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + type: string + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + status: + description: status of the condition, one of True, False, Unknown. + type: string + enum: + - "True" + - "False" + - Unknown + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + type: string + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + policyJSON: + description: policyJSON contains the whole policy applied to the namespace which got written to disk. This includes cluster-wide policies from the `openshift-config` namespace as well. + type: string diff --git a/config/v1alpha1/techpreview.imagepolicy.testsuite.yaml b/config/v1alpha1/techpreview.imagepolicy.testsuite.yaml new file mode 100644 index 00000000000..3b85da6ea38 --- /dev/null +++ b/config/v1alpha1/techpreview.imagepolicy.testsuite.yaml @@ -0,0 +1,14 @@ +apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this +name: "[TechPreviewNoUpgrade] ImagePolicy" +crd: 0000_10_config-operator_01_imagepolicy.crd.yaml +tests: + onCreate: + - name: Should be able to create a minimal ImagePolicy + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: {} # No spec is required for a ImagePolicy + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: {} diff --git a/config/v1alpha1/types_image_policy.go b/config/v1alpha1/types_image_policy.go new file mode 100644 index 00000000000..a212ffe49b1 --- /dev/null +++ b/config/v1alpha1/types_image_policy.go @@ -0,0 +1,162 @@ +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// ImagePolicy holds namespace-wide configuration configuration for image signature verification +// +// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. +// +openshift:compatibility-gen:level=4 +// +openshift:enable:FeatureSets=TechPreviewNoUpgrade +type ImagePolicy struct { + metav1.TypeMeta `json:",inline"` + + // metadata is the standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + metav1.ObjectMeta `json:"metadata,omitempty"` + + // spec holds user settable values for configuration + // +kubebuilder:validation:Required + // +required + Spec ImagePolicySpec `json:"spec"` + // status contains the observed state of the resource. + // +optional + Status ImagePolicyStatus `json:"status,omitempty"` +} + +// ImagePolicySpec is the specification of the ImagePolicy CRD. +type ImagePolicySpec struct { + // images defines the list of images assigned to a policy. Each item refers to an image or repository in a registry implementing the "Docker Registry HTTP API V2". + // "images" uses one of the following scopes: + // - complete image name, either using a tag or digest + // - prefixes of individual-image scopes + // - a wildcarded expression for matching all subdomains, the wildcard only presents at the beginning, *.example.com is a valid case, but example*.*.com is not. + // For more information about the format, see the document + // about the docker transport field: + // https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker + // +kubebuilder:validation:Required + // +required + // +listType=set + Images []ImageScope `json:"images"` + // policy defines the verification policy for the images in the images list + // +kubebuilder:validation:Required + // +required + Policy Policy `json:"policy"` +} + +// ImageScope is the item of the images list. +// +kubebuilder:validation:Pattern=`^\*(?:\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$|^((?:(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:(?:\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(?::[0-9]+)?/)?[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\w][\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$` +type ImageScope string + +// Policy defines the verification policy for the images in the images list. +// +kubebuilder:validation:XValidation:rule="self.oidcIssuer != '' ? (self.subjectEmail != '' && self.keyData == '') : true",message="subjectEmail must be set and keyData must be empty if oidcIssuer is set" +// +kubebuilder:validation:XValidation:rule="self.subjectEmail != '' ? (self.oidcIssuer != '' && self.keyData == '') : true",message="oidcIssuer must be set and keyData must be empty if subjectEmail is set" +// +kubebuilder:validation:XValidation:rule="self.keyData != '' ? (self.oidcIssuer == '' && self.subjectEmail == '') : true",message="cannot set both oidcIssuer and subjectEmail if keyData is set" +type Policy struct { + // oidcIssuer contains the expected OIDC issuer. + // Example: "https://expected.OIDC.issuer/" + // subjectEmail must be set and keyData must be empty if oidcIssuer is set + // +optional + OIDCIssuer string `json:"oidcIssuer,omitempty"` + + // subjectEmail holds the email address of the subject. + // Example: "expected-signing-user@example.com" + // oidcIssuer must be set and keyData must be empty if subjectEmail is set. + // +optional + SubjectEmail string `json:"subjectEmail,omitempty"` + + // keyData contains inline base64 data of the public key. + // Can be empty if the image got signed keyless. + // Requires OIDCIssuer and SubjectEmail to be empty. + // the sigstore community Fulcio instance(https://raw.githubusercontent.com/sigstore/root-signing/main/targets/fulcio_v1.crt.pem) + // will be used to verify the sigstore signature. + // the sigstore community Rekor public key(https://raw.githubusercontent.com/sigstore/root-signing/main/targets/rekor.pub) + // will be used to verify the sigstore signature. + // +optional + KeyData string `json:"keyData,omitempty"` + + // signedIdentity specifies what image identity the signature. + // claims about the image. + // +optional + SignedIdentity Identity `json:"signedIdentity,omitempty"` +} + +// +kubebuilder:validation:XValidation:rule="has(self.identityMatchPolicy) && self.identityMatchPolicy == 'ExactRepository' ? self.dockerRepository != '' : true",message="must set dockerRepository if identityMatchPolicy is ExactRepository" +type Identity struct { + // identityMatchPolicy set the type of matching to be used. + // Valid values are "MatchRepository", "ExactRepository". When omitted, the default value is "MatchRepository". + // If set identityMatchPolicy to ExactRepository, then the dockerRepository must be specified. + // "MatchRepository" means that the identity in the signature must be in the same repository as the image identity. + // "ExactRepository" means that the identity in the signature must be in the same repository as a specific identity specified by "dockerRepository". + // +kubebuilder:validation:Enum=MatchRepository;ExactRepository + // +optional + IdentityMatchPolicy IdentityMatchPolicy `json:"identityMatchPolicy,omitempty"` + // dockerReference is the reference of the image identity to be matched. This field is required if identityMatchPolicy is set to "exactReference". + // +optional + DockerRepository string `json:"dockerRepository,omitempty"` +} + +// IdentityMatchPolicy defines the type of matching to be used. +type IdentityMatchPolicy string + +const ( + IdentityMatchPolicyMatchRepository = "MatchRepository" + IdentityMatchPolicyExactRepository = "ExactRepository" +) + +// +k8s:deepcopy-gen=true +type ImagePolicyStatus struct { + + // policyJSON contains the whole policy applied to the namespace + // which got written to disk. This includes cluster-wide policies + // from the `openshift-config` namespace as well. + PolicyJSON string `json:"policyJSON,omitempty"` + + // conditions provide details on the status of the gatherer job. + // +patchMergeKey=type + // +patchStrategy=merge + Conditions []metav1.Condition `json:"conditions" patchStrategy:"merge" patchMergeKey:"type"` +} + +// ImagePolicyStatusConditionType is the state of the operator's reconciliation functionality. +type ImagePolicyStatusConditionType string + +const ( + // ImagePolicySuccess designates a successful application of a ImagePolicy CR. + ImagePolicySuccess ImagePolicyStatusConditionType = "Success" + + // ImagePolicyFailure designates a failure applying a ImagePolicy CR. + ImagePolicyFailure ImagePolicyStatusConditionType = "Failure" +) + +// ImagePolicyStatusConditionReason is the reason for the operator's reconciliation functionality state. +type ImagePolicyStatusConditionReason string + +const ( + // ImagePolicyPending designates a failure application of a ImagePolicy CR. + ImagePolicyPending ImagePolicyStatusConditionReason = "Pending" + + // ImagePolicyUpdating designates applying a ImagePolicy CR to the machine config. + ImagePolicyUpdating ImagePolicyStatusConditionReason = "Updating" + + // ImagePolicyAvailable designates a successful application of a ImagePolicy CR to the machine config. + ImagePolicyAvailable ImagePolicyStatusConditionReason = "Available" +) + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// ImagePolicyList is a list of ImagePolicy resources +// +// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. +// +openshift:compatibility-gen:level=4 +type ImagePolicyList struct { + metav1.TypeMeta `json:",inline"` + + // metadata is the standard list's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + metav1.ListMeta `json:"metadata"` + + Items []ImagePolicy `json:"items"` +} diff --git a/config/v1alpha1/zz_generated.deepcopy.go b/config/v1alpha1/zz_generated.deepcopy.go index 440cfd2e0bc..ab0cc173621 100644 --- a/config/v1alpha1/zz_generated.deepcopy.go +++ b/config/v1alpha1/zz_generated.deepcopy.go @@ -6,6 +6,7 @@ package v1alpha1 import ( + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" ) @@ -30,6 +31,128 @@ func (in *GatherConfig) DeepCopy() *GatherConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Identity) DeepCopyInto(out *Identity) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Identity. +func (in *Identity) DeepCopy() *Identity { + if in == nil { + return nil + } + out := new(Identity) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImagePolicy) DeepCopyInto(out *ImagePolicy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicy. +func (in *ImagePolicy) DeepCopy() *ImagePolicy { + if in == nil { + return nil + } + out := new(ImagePolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ImagePolicy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImagePolicyList) DeepCopyInto(out *ImagePolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]ImagePolicy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyList. +func (in *ImagePolicyList) DeepCopy() *ImagePolicyList { + if in == nil { + return nil + } + out := new(ImagePolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ImagePolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImagePolicySpec) DeepCopyInto(out *ImagePolicySpec) { + *out = *in + if in.Images != nil { + in, out := &in.Images, &out.Images + *out = make([]ImageScope, len(*in)) + copy(*out, *in) + } + out.Policy = in.Policy + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicySpec. +func (in *ImagePolicySpec) DeepCopy() *ImagePolicySpec { + if in == nil { + return nil + } + out := new(ImagePolicySpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImagePolicyStatus) DeepCopyInto(out *ImagePolicyStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyStatus. +func (in *ImagePolicyStatus) DeepCopy() *ImagePolicyStatus { + if in == nil { + return nil + } + out := new(ImagePolicyStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *InsightsDataGather) DeepCopyInto(out *InsightsDataGather) { *out = *in @@ -123,3 +246,20 @@ func (in *InsightsDataGatherStatus) DeepCopy() *InsightsDataGatherStatus { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Policy) DeepCopyInto(out *Policy) { + *out = *in + out.SignedIdentity = in.SignedIdentity + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy. +func (in *Policy) DeepCopy() *Policy { + if in == nil { + return nil + } + out := new(Policy) + in.DeepCopyInto(out) + return out +} diff --git a/config/v1alpha1/zz_generated.swagger_doc_generated.go b/config/v1alpha1/zz_generated.swagger_doc_generated.go index 6bc6e2522c5..d85ec84236a 100644 --- a/config/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/config/v1alpha1/zz_generated.swagger_doc_generated.go @@ -11,6 +11,66 @@ package v1alpha1 // Those methods can be generated by using hack/update-swagger-docs.sh // AUTO-GENERATED FUNCTIONS START HERE +var map_Identity = map[string]string{ + "identityMatchPolicy": "identityMatchPolicy set the type of matching to be used. Valid values are \"MatchRepository\", \"ExactRepository\". When omitted, the default value is \"MatchRepository\". If set identityMatchPolicy to ExactRepository, then the dockerRepository must be specified. \"MatchRepository\" means that the identity in the signature must be in the same repository as the image identity. \"ExactRepository\" means that the identity in the signature must be in the same repository as a specific identity specified by \"dockerRepository\".", + "dockerRepository": "dockerReference is the reference of the image identity to be matched. This field is required if identityMatchPolicy is set to \"exactReference\".", +} + +func (Identity) SwaggerDoc() map[string]string { + return map_Identity +} + +var map_ImagePolicy = map[string]string{ + "": "ImagePolicy holds namespace-wide configuration configuration for image signature verification\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "spec": "spec holds user settable values for configuration", + "status": "status contains the observed state of the resource.", +} + +func (ImagePolicy) SwaggerDoc() map[string]string { + return map_ImagePolicy +} + +var map_ImagePolicyList = map[string]string{ + "": "ImagePolicyList is a list of ImagePolicy resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + "metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", +} + +func (ImagePolicyList) SwaggerDoc() map[string]string { + return map_ImagePolicyList +} + +var map_ImagePolicySpec = map[string]string{ + "": "ImagePolicySpec is the specification of the ImagePolicy CRD.", + "images": "images defines the list of images assigned to a policy. Each item refers to an image or repository in a registry implementing the \"Docker Registry HTTP API V2\". \"images\" uses one of the following scopes: - complete image name, either using a tag or digest - prefixes of individual-image scopes - a wildcarded expression for matching all subdomains, the wildcard only presents at the beginning, *.example.com is a valid case, but example*.*.com is not. For more information about the format, see the document about the docker transport field: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", + "policy": "policy defines the verification policy for the images in the images list", +} + +func (ImagePolicySpec) SwaggerDoc() map[string]string { + return map_ImagePolicySpec +} + +var map_ImagePolicyStatus = map[string]string{ + "policyJSON": "policyJSON contains the whole policy applied to the namespace which got written to disk. This includes cluster-wide policies from the `openshift-config` namespace as well.", + "conditions": "conditions provide details on the status of the gatherer job.", +} + +func (ImagePolicyStatus) SwaggerDoc() map[string]string { + return map_ImagePolicyStatus +} + +var map_Policy = map[string]string{ + "": "Policy defines the verification policy for the images in the images list.", + "oidcIssuer": "oidcIssuer contains the expected OIDC issuer. Example: \"https://expected.OIDC.issuer/\" subjectEmail must be set and keyData must be empty if oidcIssuer is set", + "subjectEmail": "subjectEmail holds the email address of the subject. Example: \"expected-signing-user@example.com\" oidcIssuer must be set and keyData must be empty if subjectEmail is set.", + "keyData": "keyData contains inline base64 data of the public key. Can be empty if the image got signed keyless. Requires OIDCIssuer and SubjectEmail to be empty. the sigstore community Fulcio instance(https://raw.githubusercontent.com/sigstore/root-signing/main/targets/fulcio_v1.crt.pem) will be used to verify the sigstore signature. the sigstore community Rekor public key(https://raw.githubusercontent.com/sigstore/root-signing/main/targets/rekor.pub) will be used to verify the sigstore signature.", + "signedIdentity": "signedIdentity specifies what image identity the signature. claims about the image.", +} + +func (Policy) SwaggerDoc() map[string]string { + return map_Policy +} + var map_GatherConfig = map[string]string{ "": "gatherConfig provides data gathering configuration options.", "dataPolicy": "dataPolicy allows user to enable additional global obfuscation of the IP addresses and base domain in the Insights archive data. Valid values are \"None\" and \"ObfuscateNetworking\". When set to None the data is not obfuscated. When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is None.", diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index 428a3d3049e..00bbf47050c 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -371,10 +371,16 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.WebhookTokenAuthenticator": schema_openshift_api_config_v1_WebhookTokenAuthenticator(ref), "github.com/openshift/api/config/v1.featureSetBuilder": schema_openshift_api_config_v1_featureSetBuilder(ref), "github.com/openshift/api/config/v1alpha1.GatherConfig": schema_openshift_api_config_v1alpha1_GatherConfig(ref), + "github.com/openshift/api/config/v1alpha1.Identity": schema_openshift_api_config_v1alpha1_Identity(ref), + "github.com/openshift/api/config/v1alpha1.ImagePolicy": schema_openshift_api_config_v1alpha1_ImagePolicy(ref), + "github.com/openshift/api/config/v1alpha1.ImagePolicyList": schema_openshift_api_config_v1alpha1_ImagePolicyList(ref), + "github.com/openshift/api/config/v1alpha1.ImagePolicySpec": schema_openshift_api_config_v1alpha1_ImagePolicySpec(ref), + "github.com/openshift/api/config/v1alpha1.ImagePolicyStatus": schema_openshift_api_config_v1alpha1_ImagePolicyStatus(ref), "github.com/openshift/api/config/v1alpha1.InsightsDataGather": schema_openshift_api_config_v1alpha1_InsightsDataGather(ref), "github.com/openshift/api/config/v1alpha1.InsightsDataGatherList": schema_openshift_api_config_v1alpha1_InsightsDataGatherList(ref), "github.com/openshift/api/config/v1alpha1.InsightsDataGatherSpec": schema_openshift_api_config_v1alpha1_InsightsDataGatherSpec(ref), "github.com/openshift/api/config/v1alpha1.InsightsDataGatherStatus": schema_openshift_api_config_v1alpha1_InsightsDataGatherStatus(ref), + "github.com/openshift/api/config/v1alpha1.Policy": schema_openshift_api_config_v1alpha1_Policy(ref), "github.com/openshift/api/console/v1.ApplicationMenuSpec": schema_openshift_api_console_v1_ApplicationMenuSpec(ref), "github.com/openshift/api/console/v1.CLIDownloadLink": schema_openshift_api_console_v1_CLIDownloadLink(ref), "github.com/openshift/api/console/v1.ConsoleCLIDownload": schema_openshift_api_console_v1_ConsoleCLIDownload(ref), @@ -18016,6 +18022,218 @@ func schema_openshift_api_config_v1alpha1_GatherConfig(ref common.ReferenceCallb } } +func schema_openshift_api_config_v1alpha1_Identity(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "identityMatchPolicy": { + SchemaProps: spec.SchemaProps{ + Description: "identityMatchPolicy set the type of matching to be used. Valid values are \"MatchRepository\", \"ExactRepository\". When omitted, the default value is \"MatchRepository\". If set identityMatchPolicy to ExactRepository, then the dockerRepository must be specified. \"MatchRepository\" means that the identity in the signature must be in the same repository as the image identity. \"ExactRepository\" means that the identity in the signature must be in the same repository as a specific identity specified by \"dockerRepository\".", + Type: []string{"string"}, + Format: "", + }, + }, + "dockerRepository": { + SchemaProps: spec.SchemaProps{ + Description: "dockerReference is the reference of the image identity to be matched. This field is required if identityMatchPolicy is set to \"exactReference\".", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + } +} + +func schema_openshift_api_config_v1alpha1_ImagePolicy(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ImagePolicy holds namespace-wide configuration configuration for image signature verification\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + }, + }, + "spec": { + SchemaProps: spec.SchemaProps{ + Description: "spec holds user settable values for configuration", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.ImagePolicySpec"), + }, + }, + "status": { + SchemaProps: spec.SchemaProps{ + Description: "status contains the observed state of the resource.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.ImagePolicyStatus"), + }, + }, + }, + Required: []string{"spec"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.ImagePolicySpec", "github.com/openshift/api/config/v1alpha1.ImagePolicyStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + } +} + +func schema_openshift_api_config_v1alpha1_ImagePolicyList(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ImagePolicyList is a list of ImagePolicy resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Description: "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), + }, + }, + "items": { + SchemaProps: spec.SchemaProps{ + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.ImagePolicy"), + }, + }, + }, + }, + }, + }, + Required: []string{"metadata", "items"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.ImagePolicy", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, + } +} + +func schema_openshift_api_config_v1alpha1_ImagePolicySpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ImagePolicySpec is the specification of the ImagePolicy CRD.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "images": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "set", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "images defines the list of images assigned to a policy. Each item refers to an image or repository in a registry implementing the \"Docker Registry HTTP API V2\". \"images\" uses one of the following scopes: - complete image name, either using a tag or digest - prefixes of individual-image scopes - a wildcarded expression for matching all subdomains, the wildcard only presents at the beginning, *.example.com is a valid case, but example*.*.com is not. For more information about the format, see the document about the docker transport field: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "policy": { + SchemaProps: spec.SchemaProps{ + Description: "policy defines the verification policy for the images in the images list", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.Policy"), + }, + }, + }, + Required: []string{"images", "policy"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.Policy"}, + } +} + +func schema_openshift_api_config_v1alpha1_ImagePolicyStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "policyJSON": { + SchemaProps: spec.SchemaProps{ + Description: "policyJSON contains the whole policy applied to the namespace which got written to disk. This includes cluster-wide policies from the `openshift-config` namespace as well.", + Type: []string{"string"}, + Format: "", + }, + }, + "conditions": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-patch-merge-key": "type", + "x-kubernetes-patch-strategy": "merge", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "conditions provide details on the status of the gatherer job.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), + }, + }, + }, + }, + }, + }, + Required: []string{"conditions"}, + }, + }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, + } +} + func schema_openshift_api_config_v1alpha1_InsightsDataGather(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -18148,6 +18366,49 @@ func schema_openshift_api_config_v1alpha1_InsightsDataGatherStatus(ref common.Re } } +func schema_openshift_api_config_v1alpha1_Policy(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Policy defines the verification policy for the images in the images list.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "oidcIssuer": { + SchemaProps: spec.SchemaProps{ + Description: "oidcIssuer contains the expected OIDC issuer. Example: \"https://expected.OIDC.issuer/\" subjectEmail must be set and keyData must be empty if oidcIssuer is set", + Type: []string{"string"}, + Format: "", + }, + }, + "subjectEmail": { + SchemaProps: spec.SchemaProps{ + Description: "subjectEmail holds the email address of the subject. Example: \"expected-signing-user@example.com\" oidcIssuer must be set and keyData must be empty if subjectEmail is set.", + Type: []string{"string"}, + Format: "", + }, + }, + "keyData": { + SchemaProps: spec.SchemaProps{ + Description: "keyData contains inline base64 data of the public key. Can be empty if the image got signed keyless. Requires OIDCIssuer and SubjectEmail to be empty. the sigstore community Fulcio instance(https://raw.githubusercontent.com/sigstore/root-signing/main/targets/fulcio_v1.crt.pem) will be used to verify the sigstore signature. the sigstore community Rekor public key(https://raw.githubusercontent.com/sigstore/root-signing/main/targets/rekor.pub) will be used to verify the sigstore signature.", + Type: []string{"string"}, + Format: "", + }, + }, + "signedIdentity": { + SchemaProps: spec.SchemaProps{ + Description: "signedIdentity specifies what image identity the signature. claims about the image.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.Identity"), + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.Identity"}, + } +} + func schema_openshift_api_console_v1_ApplicationMenuSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ diff --git a/openapi/openapi.json b/openapi/openapi.json index e0f188af8f5..00ec458b689 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json @@ -9910,6 +9910,127 @@ } } }, + "com.github.openshift.api.config.v1alpha1.Identity": { + "type": "object", + "properties": { + "dockerRepository": { + "description": "dockerReference is the reference of the image identity to be matched. This field is required if identityMatchPolicy is set to \"exactReference\".", + "type": "string" + }, + "identityMatchPolicy": { + "description": "identityMatchPolicy set the type of matching to be used. Valid values are \"MatchRepository\", \"ExactRepository\". When omitted, the default value is \"MatchRepository\". If set identityMatchPolicy to ExactRepository, then the dockerRepository must be specified. \"MatchRepository\" means that the identity in the signature must be in the same repository as the image identity. \"ExactRepository\" means that the identity in the signature must be in the same repository as a specific identity specified by \"dockerRepository\".", + "type": "string" + } + } + }, + "com.github.openshift.api.config.v1alpha1.ImagePolicy": { + "description": "ImagePolicy holds namespace-wide configuration configuration for image signature verification\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + "type": "object", + "required": [ + "spec" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" + }, + "spec": { + "description": "spec holds user settable values for configuration", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ImagePolicySpec" + }, + "status": { + "description": "status contains the observed state of the resource.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ImagePolicyStatus" + } + } + }, + "com.github.openshift.api.config.v1alpha1.ImagePolicyList": { + "description": "ImagePolicyList is a list of ImagePolicy resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + "type": "object", + "required": [ + "metadata", + "items" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "items": { + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ImagePolicy" + } + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" + } + } + }, + "com.github.openshift.api.config.v1alpha1.ImagePolicySpec": { + "description": "ImagePolicySpec is the specification of the ImagePolicy CRD.", + "type": "object", + "required": [ + "images", + "policy" + ], + "properties": { + "images": { + "description": "images defines the list of images assigned to a policy. Each item refers to an image or repository in a registry implementing the \"Docker Registry HTTP API V2\". \"images\" uses one of the following scopes: - complete image name, either using a tag or digest - prefixes of individual-image scopes - a wildcarded expression for matching all subdomains, the wildcard only presents at the beginning, *.example.com is a valid case, but example*.*.com is not. For more information about the format, see the document about the docker transport field: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", + "type": "array", + "items": { + "type": "string", + "default": "" + }, + "x-kubernetes-list-type": "set" + }, + "policy": { + "description": "policy defines the verification policy for the images in the images list", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.Policy" + } + } + }, + "com.github.openshift.api.config.v1alpha1.ImagePolicyStatus": { + "type": "object", + "required": [ + "conditions" + ], + "properties": { + "conditions": { + "description": "conditions provide details on the status of the gatherer job.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" + }, + "x-kubernetes-patch-merge-key": "type", + "x-kubernetes-patch-strategy": "merge" + }, + "policyJSON": { + "description": "policyJSON contains the whole policy applied to the namespace which got written to disk. This includes cluster-wide policies from the `openshift-config` namespace as well.", + "type": "string" + } + } + }, "com.github.openshift.api.config.v1alpha1.InsightsDataGather": { "description": "InsightsDataGather provides data gather configuration options for the the Insights Operator.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", "type": "object", @@ -9985,6 +10106,29 @@ "com.github.openshift.api.config.v1alpha1.InsightsDataGatherStatus": { "type": "object" }, + "com.github.openshift.api.config.v1alpha1.Policy": { + "description": "Policy defines the verification policy for the images in the images list.", + "type": "object", + "properties": { + "keyData": { + "description": "keyData contains inline base64 data of the public key. Can be empty if the image got signed keyless. Requires OIDCIssuer and SubjectEmail to be empty. the sigstore community Fulcio instance(https://raw.githubusercontent.com/sigstore/root-signing/main/targets/fulcio_v1.crt.pem) will be used to verify the sigstore signature. the sigstore community Rekor public key(https://raw.githubusercontent.com/sigstore/root-signing/main/targets/rekor.pub) will be used to verify the sigstore signature.", + "type": "string" + }, + "oidcIssuer": { + "description": "oidcIssuer contains the expected OIDC issuer. Example: \"https://expected.OIDC.issuer/\" subjectEmail must be set and keyData must be empty if oidcIssuer is set", + "type": "string" + }, + "signedIdentity": { + "description": "signedIdentity specifies what image identity the signature. claims about the image.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.Identity" + }, + "subjectEmail": { + "description": "subjectEmail holds the email address of the subject. Example: \"expected-signing-user@example.com\" oidcIssuer must be set and keyData must be empty if subjectEmail is set.", + "type": "string" + } + } + }, "com.github.openshift.api.console.v1.ApplicationMenuSpec": { "description": "ApplicationMenuSpec is the specification of the desired section and icon used for the link in the application menu.", "type": "object",