From 5279772125109d958412d48aa851b44467915b48 Mon Sep 17 00:00:00 2001 From: junczhu Date: Wed, 4 Sep 2024 06:44:42 +0000 Subject: [PATCH 1/6] chore: update crd field design --- api/v1beta1/namespacedverifier_types.go | 2 ++ api/v1beta1/verifier_types.go | 2 ++ pkg/controllers/clusterresource/verifier_controller.go | 1 + pkg/controllers/namespaceresource/verifier_controller.go | 1 + 4 files changed, 6 insertions(+) diff --git a/api/v1beta1/namespacedverifier_types.go b/api/v1beta1/namespacedverifier_types.go index 31e1c8e9f..eeeb95175 100644 --- a/api/v1beta1/namespacedverifier_types.go +++ b/api/v1beta1/namespacedverifier_types.go @@ -31,6 +31,8 @@ type NamespacedVerifierSpec struct { // Name of the verifier Name string `json:"name"` + // should be Type of the verifier + // Type string `json:"type,omitempty"` // Version of the verifier plugin. Optional Version string `json:"version,omitempty"` diff --git a/api/v1beta1/verifier_types.go b/api/v1beta1/verifier_types.go index 5d4bf0974..eb8c3494d 100644 --- a/api/v1beta1/verifier_types.go +++ b/api/v1beta1/verifier_types.go @@ -27,6 +27,8 @@ type VerifierSpec struct { // Name of the verifier Name string `json:"name"` + // should be Type of the verifier + // Type string `json:"type,omitempty"` // Version of the verifier plugin. Optional Version string `json:"version,omitempty"` diff --git a/pkg/controllers/clusterresource/verifier_controller.go b/pkg/controllers/clusterresource/verifier_controller.go index 2b7245926..3cbb9a974 100644 --- a/pkg/controllers/clusterresource/verifier_controller.go +++ b/pkg/controllers/clusterresource/verifier_controller.go 
@@ -83,6 +83,7 @@ func (r *VerifierReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c } // creates a verifier reference from CRD spec and add store to map +// replace spec.Name to spec.Type func verifierAddOrReplace(spec configv1beta1.VerifierSpec, objectName string) error { verifierConfig, err := cutils.SpecToVerifierConfig(spec.Parameters.Raw, objectName, spec.Name, spec.ArtifactTypes, spec.Source) if err != nil { diff --git a/pkg/controllers/namespaceresource/verifier_controller.go b/pkg/controllers/namespaceresource/verifier_controller.go index e78bd8d48..1f4f26c82 100644 --- a/pkg/controllers/namespaceresource/verifier_controller.go +++ b/pkg/controllers/namespaceresource/verifier_controller.go @@ -82,6 +82,7 @@ func (r *VerifierReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c } // creates a verifier reference from CRD spec and add store to map +// rename spec.Name to spec.Type func verifierAddOrReplace(spec configv1beta1.NamespacedVerifierSpec, objectName string, namespace string) error { verifierConfig, err := cutils.SpecToVerifierConfig(spec.Parameters.Raw, objectName, spec.Name, spec.ArtifactTypes, spec.Source) if err != nil { From 781a44f1f46a777d75cbb78a354f79ac2f347725 Mon Sep 17 00:00:00 2001 From: junczhu Date: Thu, 5 Sep 2024 09:34:39 +0000 Subject: [PATCH 2/6] chore: support both Name and Type field until v2.0 --- api/v1beta1/namespacedverifier_types.go | 14 ++++++++++++-- api/v1beta1/verifier_types.go | 14 ++++++++++++-- .../clusterresource/verifier_controller.go | 4 ++-- .../namespaceresource/verifier_controller.go | 4 ++-- 4 files changed, 28 insertions(+), 8 deletions(-) diff --git a/api/v1beta1/namespacedverifier_types.go b/api/v1beta1/namespacedverifier_types.go index eeeb95175..b05631ec8 100644 --- a/api/v1beta1/namespacedverifier_types.go +++ b/api/v1beta1/namespacedverifier_types.go 
@@ -29,10 +29,12 @@ type NamespacedVerifierSpec struct { // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster // Important: Run "make" to regenerate code after modifying this file + // TODO: update all docs spec to use type and add deprecation warning in spec to name field // Name of the verifier Name string `json:"name"` - // should be Type of the verifier - // Type string `json:"type,omitempty"` + + // Type of the verifier + Type string `json:"type,omitempty"` // Version of the verifier plugin. Optional Version string `json:"version,omitempty"` @@ -51,6 +53,14 @@ type NamespacedVerifierSpec struct { Parameters runtime.RawExtension `json:"parameters,omitempty"` } +// GetType returns verifier spec type and is backward compatible with the old name field +func (spec *NamespacedVerifierSpec) GetType() string { + if spec.Type == "" { + return spec.Name + } + return spec.Type +} + // NamespacedVerifierStatus defines the observed state of NamespacedVerifier type NamespacedVerifierStatus struct { // INSERT ADDITIONAL STATUS FIELD - define observed state of cluster diff --git a/api/v1beta1/verifier_types.go b/api/v1beta1/verifier_types.go index eb8c3494d..f85e1e2dd 100644 --- a/api/v1beta1/verifier_types.go +++ b/api/v1beta1/verifier_types.go @@ -25,10 +25,12 @@ import ( type VerifierSpec struct { // Important: Run "make install-crds" to regenerate code after modifying this file + // TODO: update all docs spec to use type and add deprecation warning in spec to name field // Name of the verifier Name string `json:"name"` - // should be Type of the verifier - // Type string `json:"type,omitempty"` + + // Type of the verifier + Type string `json:"type,omitempty"` // Version of the verifier plugin. Optional Version string `json:"version,omitempty"` 
@@ -47,6 +49,14 @@ type VerifierSpec struct { Parameters runtime.RawExtension `json:"parameters,omitempty"` } +// GetType returns verifier spec type and is backward compatible with the old name field +func (spec *VerifierSpec) GetType() string { + if spec.Type == "" { + return spec.Name + } + return spec.Type +} + // VerifierStatus defines the observed state of Verifier type VerifierStatus struct { // INSERT ADDITIONAL STATUS FIELD - define observed state of cluster diff --git a/pkg/controllers/clusterresource/verifier_controller.go b/pkg/controllers/clusterresource/verifier_controller.go index 3cbb9a974..6efaabee2 100644 --- a/pkg/controllers/clusterresource/verifier_controller.go +++ b/pkg/controllers/clusterresource/verifier_controller.go @@ -83,9 +83,9 @@ func (r *VerifierReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c } // creates a verifier reference from CRD spec and add store to map -// replace spec.Name to spec.Type func verifierAddOrReplace(spec configv1beta1.VerifierSpec, objectName string) error { - verifierConfig, err := cutils.SpecToVerifierConfig(spec.Parameters.Raw, objectName, spec.Name, spec.ArtifactTypes, spec.Source) + specType := spec.GetType() + verifierConfig, err := cutils.SpecToVerifierConfig(spec.Parameters.Raw, objectName, specType, spec.ArtifactTypes, spec.Source) if err != nil { logrus.Error(err) return err diff --git a/pkg/controllers/namespaceresource/verifier_controller.go b/pkg/controllers/namespaceresource/verifier_controller.go index 1f4f26c82..b57ac41c6 100644 --- a/pkg/controllers/namespaceresource/verifier_controller.go +++ b/pkg/controllers/namespaceresource/verifier_controller.go 
@@ -82,9 +82,9 @@ func (r *VerifierReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c } // creates a verifier reference from CRD spec and add store to map -// rename spec.Name to spec.Type func verifierAddOrReplace(spec configv1beta1.NamespacedVerifierSpec, objectName string, namespace string) error { - verifierConfig, err := cutils.SpecToVerifierConfig(spec.Parameters.Raw, objectName, spec.Name, spec.ArtifactTypes, spec.Source) + specType := spec.GetType() + verifierConfig, err := cutils.SpecToVerifierConfig(spec.Parameters.Raw, objectName, specType, spec.ArtifactTypes, spec.Source) if err != nil { logrus.Error(err) return err From 33da5cb3cc2ee270471b30ae75b3cb772e4f3f6a Mon Sep 17 00:00:00 2001 From: junczhu Date: Mon, 9 Sep 2024 02:00:28 +0000 Subject: [PATCH 3/6] chore: run make manifests generate --- .../keymanagementprovider_types.go | 4 + .../namespacedkeymanagementprovider_types.go | 4 + api/unversioned/namespacedverifier_types.go | 3 + api/unversioned/verifier_types.go | 3 + api/v1alpha1/zz_generated.conversion.go | 1 + api/v1beta1/namespacedverifier_types.go | 2 +- api/v1beta1/verifier_types.go | 2 +- api/v1beta1/zz_generated.conversion.go | 8 ++ ...atify.deislabs.io_namespacedverifiers.yaml | 7 +- .../config.ratify.deislabs.io_verifiers.yaml | 7 +- config/rbac/role.yaml | 83 ++++--------------- 11 files changed, 52 insertions(+), 72 deletions(-) diff --git a/api/unversioned/keymanagementprovider_types.go b/api/unversioned/keymanagementprovider_types.go index 9b3a77db9..b347b9692 100644 --- a/api/unversioned/keymanagementprovider_types.go +++ b/api/unversioned/keymanagementprovider_types.go 
@@ -32,6 +32,10 @@ type KeyManagementProviderSpec struct { // Name of the key management provider Type string `json:"type,omitempty"` + // Refresh interval for fetching the certificate/key files from the provider. Only for providers that are refreshable. The value is in the format of "1h30m" where "h" means hour and "m" means minute. Valid time units are units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + // +kubebuilder:default="" + RefreshInterval string `json:"refreshInterval,omitempty"` + // Parameters of the key management provider Parameters runtime.RawExtension `json:"parameters,omitempty"` } diff --git a/api/unversioned/namespacedkeymanagementprovider_types.go b/api/unversioned/namespacedkeymanagementprovider_types.go index 70dcf557c..cdccfe7f1 100644 --- a/api/unversioned/namespacedkeymanagementprovider_types.go +++ b/api/unversioned/namespacedkeymanagementprovider_types.go @@ -33,6 +33,10 @@ type NamespacedKeyManagementProviderSpec struct { // Name of the key management provider Type string `json:"type,omitempty"` + // Refresh interval for fetching the certificate/key files from the provider. Only for providers that are refreshable. The value is in the format of "1h30m" where "h" means hour and "m" means minute. Valid time units are units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + // +kubebuilder:default="" + RefreshInterval string `json:"refreshInterval,omitempty"` + // +kubebuilder:pruning:PreserveUnknownFields // Parameters of the key management provider Parameters runtime.RawExtension `json:"parameters,omitempty"` diff --git a/api/unversioned/namespacedverifier_types.go b/api/unversioned/namespacedverifier_types.go index 7e196a233..a72261044 100644 --- a/api/unversioned/namespacedverifier_types.go +++ b/api/unversioned/namespacedverifier_types.go 
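Review bot: The new RefreshInterval doc comment repeats a word, `Valid time units are units are`, and the identical sentence is added again in the NamespacedKeyManagementProviderSpec hunk that follows; both should read `Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".`. The `+kubebuilder:default=""` marker on an internal (unversioned) type is presumably inert if the CRDs are generated from the versioned types only — worth confirming, and dropping it here if so, so the comment does not suggest the schema enforces a default. The comment also describes a duration format but nothing in this hunk validates it; if the value is parsed with time.ParseDuration elsewhere, saying so here would tell a reader where a malformed value is rejected.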
@@ -30,6 +30,9 @@ type NamespacedVerifierSpec struct { // Name of the verifier Name string `json:"name"` + // # Optional. Type of the verifier + Type string `json:"type,omitempty"` + // Version of the verifier plugin. Optional Version string `json:"version,omitempty"` diff --git a/api/unversioned/verifier_types.go b/api/unversioned/verifier_types.go index 74b8bdf73..ab2d7a746 100644 --- a/api/unversioned/verifier_types.go +++ b/api/unversioned/verifier_types.go @@ -29,6 +29,9 @@ type VerifierSpec struct { // Name of the verifier Name string `json:"name,omitempty"` + // # Optional. Type of the verifier + Type string `json:"type,omitempty"` + // Version of the verifier plugin. Optional Version string `json:"version,omitempty"` diff --git a/api/v1alpha1/zz_generated.conversion.go b/api/v1alpha1/zz_generated.conversion.go index 467a815ca..9be9f8190 100644 --- a/api/v1alpha1/zz_generated.conversion.go +++ b/api/v1alpha1/zz_generated.conversion.go @@ -642,6 +642,7 @@ func Convert_v1alpha1_VerifierSpec_To_unversioned_VerifierSpec(in *VerifierSpec, func autoConvert_unversioned_VerifierSpec_To_v1alpha1_VerifierSpec(in *unversioned.VerifierSpec, out *VerifierSpec, s conversion.Scope) error { out.Name = in.Name + // WARNING: in.Type requires manual conversion: does not exist in peer-type // WARNING: in.Version requires manual conversion: does not exist in peer-type out.ArtifactTypes = in.ArtifactTypes out.Address = in.Address diff --git a/api/v1beta1/namespacedverifier_types.go b/api/v1beta1/namespacedverifier_types.go index b05631ec8..8fbb16225 100644 --- a/api/v1beta1/namespacedverifier_types.go +++ b/api/v1beta1/namespacedverifier_types.go @@ -33,7 +33,7 @@ type NamespacedVerifierSpec struct { // Name of the verifier Name string `json:"name"` - // Type of the verifier + // # Optional. Type of the verifier Type string `json:"type,omitempty"` // Version of the verifier plugin. Optional 
diff --git a/api/v1beta1/verifier_types.go b/api/v1beta1/verifier_types.go index f85e1e2dd..19ccaf495 100644 --- a/api/v1beta1/verifier_types.go +++ b/api/v1beta1/verifier_types.go @@ -29,7 +29,7 @@ type VerifierSpec struct { // Name of the verifier Name string `json:"name"` - // Type of the verifier + // # Optional. Type of the verifier Type string `json:"type,omitempty"` // Version of the verifier plugin. Optional diff --git a/api/v1beta1/zz_generated.conversion.go b/api/v1beta1/zz_generated.conversion.go index fafb65bab..0b69afaf9 100644 --- a/api/v1beta1/zz_generated.conversion.go +++ b/api/v1beta1/zz_generated.conversion.go @@ -569,6 +569,7 @@ func Convert_unversioned_KeyManagementProviderList_To_v1beta1_KeyManagementProvi func autoConvert_v1beta1_KeyManagementProviderSpec_To_unversioned_KeyManagementProviderSpec(in *KeyManagementProviderSpec, out *unversioned.KeyManagementProviderSpec, s conversion.Scope) error { out.Type = in.Type + out.RefreshInterval = in.RefreshInterval out.Parameters = in.Parameters return nil } @@ -580,6 +581,7 @@ func Convert_v1beta1_KeyManagementProviderSpec_To_unversioned_KeyManagementProvi func autoConvert_unversioned_KeyManagementProviderSpec_To_v1beta1_KeyManagementProviderSpec(in *unversioned.KeyManagementProviderSpec, out *KeyManagementProviderSpec, s conversion.Scope) error { out.Type = in.Type + out.RefreshInterval = in.RefreshInterval out.Parameters = in.Parameters return nil } @@ -673,6 +675,7 @@ func Convert_unversioned_NamespacedKeyManagementProviderList_To_v1beta1_Namespac func autoConvert_v1beta1_NamespacedKeyManagementProviderSpec_To_unversioned_NamespacedKeyManagementProviderSpec(in *NamespacedKeyManagementProviderSpec, out *unversioned.NamespacedKeyManagementProviderSpec, s conversion.Scope) error { out.Type = in.Type + out.RefreshInterval = in.RefreshInterval out.Parameters = in.Parameters return nil } 
@@ -684,6 +687,7 @@ func Convert_v1beta1_NamespacedKeyManagementProviderSpec_To_unversioned_Namespac func autoConvert_unversioned_NamespacedKeyManagementProviderSpec_To_v1beta1_NamespacedKeyManagementProviderSpec(in *unversioned.NamespacedKeyManagementProviderSpec, out *NamespacedKeyManagementProviderSpec, s conversion.Scope) error { out.Type = in.Type + out.RefreshInterval = in.RefreshInterval out.Parameters = in.Parameters return nil } @@ -983,6 +987,7 @@ func Convert_unversioned_NamespacedVerifierList_To_v1beta1_NamespacedVerifierLis func autoConvert_v1beta1_NamespacedVerifierSpec_To_unversioned_NamespacedVerifierSpec(in *NamespacedVerifierSpec, out *unversioned.NamespacedVerifierSpec, s conversion.Scope) error { out.Name = in.Name + out.Type = in.Type out.Version = in.Version out.ArtifactTypes = in.ArtifactTypes out.Address = in.Address @@ -998,6 +1003,7 @@ func Convert_v1beta1_NamespacedVerifierSpec_To_unversioned_NamespacedVerifierSpe func autoConvert_unversioned_NamespacedVerifierSpec_To_v1beta1_NamespacedVerifierSpec(in *unversioned.NamespacedVerifierSpec, out *NamespacedVerifierSpec, s conversion.Scope) error { out.Name = in.Name + out.Type = in.Type out.Version = in.Version out.ArtifactTypes = in.ArtifactTypes out.Address = in.Address @@ -1319,6 +1325,7 @@ func Convert_unversioned_VerifierList_To_v1beta1_VerifierList(in *unversioned.Ve func autoConvert_v1beta1_VerifierSpec_To_unversioned_VerifierSpec(in *VerifierSpec, out *unversioned.VerifierSpec, s conversion.Scope) error { out.Name = in.Name + out.Type = in.Type out.Version = in.Version out.ArtifactTypes = in.ArtifactTypes out.Address = in.Address 
@@ -1334,6 +1341,7 @@ func Convert_v1beta1_VerifierSpec_To_unversioned_VerifierSpec(in *VerifierSpec, func autoConvert_unversioned_VerifierSpec_To_v1beta1_VerifierSpec(in *unversioned.VerifierSpec, out *VerifierSpec, s conversion.Scope) error { out.Name = in.Name + out.Type = in.Type out.Version = in.Version out.ArtifactTypes = in.ArtifactTypes out.Address = in.Address diff --git a/config/crd/bases/config.ratify.deislabs.io_namespacedverifiers.yaml b/config/crd/bases/config.ratify.deislabs.io_namespacedverifiers.yaml index 784bcb5f5..e91349f35 100644 --- a/config/crd/bases/config.ratify.deislabs.io_namespacedverifiers.yaml +++ b/config/crd/bases/config.ratify.deislabs.io_namespacedverifiers.yaml @@ -54,7 +54,9 @@ spec: description: The type of artifact this verifier handles type: string name: - description: Name of the verifier + description: |- + TODO: update all docs spec to use type and add deprecation warning in spec to name field + Name of the verifier type: string parameters: description: Parameters for this verifier @@ -72,6 +74,9 @@ spec: type: object x-kubernetes-preserve-unknown-fields: true type: object + type: + description: '# Optional. Type of the verifier' + type: string version: description: Version of the verifier plugin. Optional type: string diff --git a/config/crd/bases/config.ratify.deislabs.io_verifiers.yaml b/config/crd/bases/config.ratify.deislabs.io_verifiers.yaml index a23d9819f..a950b66d3 100644 --- a/config/crd/bases/config.ratify.deislabs.io_verifiers.yaml +++ b/config/crd/bases/config.ratify.deislabs.io_verifiers.yaml @@ -113,7 +113,9 @@ spec: description: The type of artifact this verifier handles type: string name: - description: Name of the verifier + description: |- + TODO: update all docs spec to use type and add deprecation warning in spec to name field + Name of the verifier type: string parameters: description: Parameters for this verifier 
@@ -131,6 +133,9 @@ spec: type: object x-kubernetes-preserve-unknown-fields: true type: object + type: + description: '# Optional. Type of the verifier' + type: string version: description: Version of the verifier plugin. Optional type: string diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index f0f702745..17c9b4963 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -2,7 +2,6 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - creationTimestamp: null name: manager-role rules: - apiGroups: @@ -31,32 +30,6 @@ rules: - get - patch - update -- apiGroups: - - config.ratify.deislabs.io - resources: - - keymanagementproviders - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - config.ratify.deislabs.io - resources: - - keymanagementproviders/finalizers - verbs: - - update -- apiGroups: - - config.ratify.deislabs.io - resources: - - keymanagementproviders/status - verbs: - - get - - patch - - update - apiGroups: - config.ratify.deislabs.io resources: @@ -86,7 +59,7 @@ rules: - apiGroups: - config.ratify.deislabs.io resources: - - policies + - namespacedstores verbs: - create - delete @@ -98,13 +71,13 @@ rules: - apiGroups: - config.ratify.deislabs.io resources: - - policies/finalizers + - namespacedstores/finalizers verbs: - update - apiGroups: - config.ratify.deislabs.io resources: - - policies/status + - namespacedstores/status verbs: - get - patch @@ -112,7 +85,7 @@ rules: - apiGroups: - config.ratify.deislabs.io resources: - - stores + - namespacedverifiers verbs: - create - delete @@ -124,13 +97,13 @@ rules: - apiGroups: - config.ratify.deislabs.io resources: - - stores/finalizers + - namespacedverifiers/finalizers verbs: - update - apiGroups: - config.ratify.deislabs.io resources: - - stores/status + - namespacedverifiers/status verbs: - get - patch 
@@ -138,7 +111,7 @@ rules: - apiGroups: - config.ratify.deislabs.io resources: - - verifiers + - policies verbs: - create - delete @@ -150,13 +123,13 @@ rules: - apiGroups: - config.ratify.deislabs.io resources: - - verifiers/finalizers + - policies/finalizers verbs: - update - apiGroups: - config.ratify.deislabs.io resources: - - verifiers/status + - policies/status verbs: - get - patch @@ -164,7 +137,7 @@ rules: - apiGroups: - config.ratify.deislabs.io resources: - - namespacedstores + - stores verbs: - create - delete @@ -176,13 +149,13 @@ rules: - apiGroups: - config.ratify.deislabs.io resources: - - namespacedstores/finalizers + - stores/finalizers verbs: - update - apiGroups: - config.ratify.deislabs.io resources: - - namespacedstores/status + - stores/status verbs: - get - patch @@ -190,7 +163,7 @@ rules: - apiGroups: - config.ratify.deislabs.io resources: - - namespacedkeymanagementproviders + - verifiers verbs: - create - delete @@ -202,40 +175,14 @@ rules: - apiGroups: - config.ratify.deislabs.io resources: - - namespacedkeymanagementproviders/finalizers - verbs: - - update -- apiGroups: - - config.ratify.deislabs.io - resources: - - namespacedkeymanagementproviders/status + - verifiers/finalizers verbs: - - get - - patch - update - apiGroups: - config.ratify.deislabs.io resources: - - namespacedverifiers + - verifiers/status verbs: - - create - - delete - get - - list - patch - update - - watch -- apiGroups: - - config.ratify.deislabs.io - resources: - - namespacedverifiers/finalizers - verbs: - - update -- apiGroups: - - config.ratify.deislabs.io - resources: - - namespacedverifiers/status - verbs: - - get - - patch - - update \ No newline at end of file From 989e073604932a5fa82260130678b247db4b5503 Mon Sep 17 00:00:00 2001 
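Review bot: The regenerated config/rbac/role.yaml in this patch removes the manager-role rules for `keymanagementproviders`, `keymanagementproviders/finalizers`, `keymanagementproviders/status` and the `namespacedkeymanagementproviders` trio, so a deployment built from this commit alone would leave the controller without RBAC for those resources; patch 4 (`chore: run make manifests generate 2`) adds every one of those rules back and restores `creationTimestamp: null`. The remainder of the change is a reordering of the existing policies/stores/verifiers blocks, which may indicate the two runs used different controller-gen versions. Dropping the role.yaml change from this patch, or squashing patches 3 and 4, keeps each commit deployable and leaves the review diff showing only the intended `type` field work; pinning the generator version in the build would prevent the churn recurring.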
From: junczhu Date: Mon, 9 Sep 2024 05:33:36 +0000 Subject: [PATCH 4/6] chore: run make manifests generate 2 --- api/v1beta1/namespacedverifier_types.go | 14 +--- api/v1beta1/verifier_types.go | 14 +--- config/rbac/role.yaml | 83 +++++++++++++++---- .../clusterresource/verifier_controller.go | 3 +- .../namespaceresource/verifier_controller.go | 3 +- pkg/controllers/utils/verifier.go | 19 +++++ pkg/controllers/utils/verifier_test.go | 43 ++++++++++ 7 files changed, 138 insertions(+), 41 deletions(-) diff --git a/api/v1beta1/namespacedverifier_types.go b/api/v1beta1/namespacedverifier_types.go index 8fbb16225..0bea41706 100644 --- a/api/v1beta1/namespacedverifier_types.go +++ b/api/v1beta1/namespacedverifier_types.go @@ -33,7 +33,7 @@ type NamespacedVerifierSpec struct { // Name of the verifier Name string `json:"name"` - // # Optional. Type of the verifier + // Type of the verifier. Optional Type string `json:"type,omitempty"` // Version of the verifier plugin. Optional @@ -42,10 +42,10 @@ type NamespacedVerifierSpec struct { // The type of artifact this verifier handles ArtifactTypes string `json:"artifactTypes"` - // # Optional. URL/file path + // URL/file path. Optional Address string `json:"address,omitempty"` - // OCI Artifact source to download the plugin from, optional + // OCI Artifact source to download the plugin from. Optional Source *PluginSource `json:"source,omitempty"` // +kubebuilder:pruning:PreserveUnknownFields @@ -53,14 +53,6 @@ type NamespacedVerifierSpec struct { Parameters runtime.RawExtension `json:"parameters,omitempty"` } -// GetType returns verifier spec type and is backward compatible with the old name field -func (spec *NamespacedVerifierSpec) GetType() string { - if spec.Type == "" { - return spec.Name - } - return spec.Type -} - // NamespacedVerifierStatus defines the observed state of NamespacedVerifier type NamespacedVerifierStatus struct { // INSERT ADDITIONAL STATUS FIELD - define observed state of cluster 
diff --git a/api/v1beta1/verifier_types.go b/api/v1beta1/verifier_types.go index 19ccaf495..dfb326731 100644 --- a/api/v1beta1/verifier_types.go +++ b/api/v1beta1/verifier_types.go @@ -29,7 +29,7 @@ type VerifierSpec struct { // Name of the verifier Name string `json:"name"` - // # Optional. Type of the verifier + // Type of the verifier. Optional Type string `json:"type,omitempty"` // Version of the verifier plugin. Optional @@ -38,10 +38,10 @@ type VerifierSpec struct { // The type of artifact this verifier handles ArtifactTypes string `json:"artifactTypes"` - // # Optional. URL/file path + // URL/file path. Optional Address string `json:"address,omitempty"` - // OCI Artifact source to download the plugin from, optional + // OCI Artifact source to download the plugin from. Optional Source *PluginSource `json:"source,omitempty"` // +kubebuilder:pruning:PreserveUnknownFields @@ -49,14 +49,6 @@ type VerifierSpec struct { Parameters runtime.RawExtension `json:"parameters,omitempty"` } -// GetType returns verifier spec type and is backward compatible with the old name field -func (spec *VerifierSpec) GetType() string { - if spec.Type == "" { - return spec.Name - } - return spec.Type -} - // VerifierStatus defines the observed state of Verifier type VerifierStatus struct { // INSERT ADDITIONAL STATUS FIELD - define observed state of cluster diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 17c9b4963..f0f702745 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -2,6 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + creationTimestamp: null name: manager-role rules: - apiGroups: 
@@ -30,6 +31,32 @@ rules: - get - patch - update +- apiGroups: + - config.ratify.deislabs.io + resources: + - keymanagementproviders + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - config.ratify.deislabs.io + resources: + - keymanagementproviders/finalizers + verbs: + - update +- apiGroups: + - config.ratify.deislabs.io + resources: + - keymanagementproviders/status + verbs: + - get + - patch + - update - apiGroups: - config.ratify.deislabs.io resources: @@ -59,7 +86,7 @@ rules: - apiGroups: - config.ratify.deislabs.io resources: - - namespacedstores + - policies verbs: - create - delete @@ -71,13 +98,13 @@ rules: - apiGroups: - config.ratify.deislabs.io resources: - - namespacedstores/finalizers + - policies/finalizers verbs: - update - apiGroups: - config.ratify.deislabs.io resources: - - namespacedstores/status + - policies/status verbs: - get - patch @@ -85,7 +112,7 @@ rules: - apiGroups: - config.ratify.deislabs.io resources: - - namespacedverifiers + - stores verbs: - create - delete @@ -97,13 +124,13 @@ rules: - apiGroups: - config.ratify.deislabs.io resources: - - namespacedverifiers/finalizers + - stores/finalizers verbs: - update - apiGroups: - config.ratify.deislabs.io resources: - - namespacedverifiers/status + - stores/status verbs: - get - patch @@ -111,7 +138,7 @@ rules: - apiGroups: - config.ratify.deislabs.io resources: - - policies + - verifiers verbs: - create - delete @@ -123,13 +150,13 @@ rules: - apiGroups: - config.ratify.deislabs.io resources: - - policies/finalizers + - verifiers/finalizers verbs: - update - apiGroups: - config.ratify.deislabs.io resources: - - policies/status + - verifiers/status verbs: - get - patch @@ -137,7 +164,7 @@ rules: - apiGroups: - config.ratify.deislabs.io resources: - - stores + - namespacedstores verbs: - create - delete 
@@ -149,13 +176,13 @@ rules: - apiGroups: - config.ratify.deislabs.io resources: - - stores/finalizers + - namespacedstores/finalizers verbs: - update - apiGroups: - config.ratify.deislabs.io resources: - - stores/status + - namespacedstores/status verbs: - get - patch @@ -163,7 +190,7 @@ rules: - apiGroups: - config.ratify.deislabs.io resources: - - verifiers + - namespacedkeymanagementproviders verbs: - create - delete @@ -175,14 +202,40 @@ rules: - apiGroups: - config.ratify.deislabs.io resources: - - verifiers/finalizers + - namespacedkeymanagementproviders/finalizers verbs: - update - apiGroups: - config.ratify.deislabs.io resources: - - verifiers/status + - namespacedkeymanagementproviders/status verbs: - get - patch - update +- apiGroups: + - config.ratify.deislabs.io + resources: + - namespacedverifiers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - config.ratify.deislabs.io + resources: + - namespacedverifiers/finalizers + verbs: + - update +- apiGroups: + - config.ratify.deislabs.io + resources: + - namespacedverifiers/status + verbs: + - get + - patch + - update \ No newline at end of file diff --git a/pkg/controllers/clusterresource/verifier_controller.go b/pkg/controllers/clusterresource/verifier_controller.go index 6efaabee2..b804bc415 100644 --- a/pkg/controllers/clusterresource/verifier_controller.go +++ b/pkg/controllers/clusterresource/verifier_controller.go 
@@ -84,8 +84,7 @@ func (r *VerifierReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c // creates a verifier reference from CRD spec and add store to map func verifierAddOrReplace(spec configv1beta1.VerifierSpec, objectName string) error { - specType := spec.GetType() - verifierConfig, err := cutils.SpecToVerifierConfig(spec.Parameters.Raw, objectName, specType, spec.ArtifactTypes, spec.Source) + verifierConfig, err := cutils.SpecToVerifierConfig(spec.Parameters.Raw, objectName, cutils.GetType(spec), spec.ArtifactTypes, spec.Source) if err != nil { logrus.Error(err) return err diff --git a/pkg/controllers/namespaceresource/verifier_controller.go b/pkg/controllers/namespaceresource/verifier_controller.go index b57ac41c6..c93dc0964 100644 --- a/pkg/controllers/namespaceresource/verifier_controller.go +++ b/pkg/controllers/namespaceresource/verifier_controller.go @@ -83,8 +83,7 @@ func (r *VerifierReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c // creates a verifier reference from CRD spec and add store to map func verifierAddOrReplace(spec configv1beta1.NamespacedVerifierSpec, objectName string, namespace string) error { - specType := spec.GetType() - verifierConfig, err := cutils.SpecToVerifierConfig(spec.Parameters.Raw, objectName, specType, spec.ArtifactTypes, spec.Source) + verifierConfig, err := cutils.SpecToVerifierConfig(spec.Parameters.Raw, objectName, cutils.GetType(spec), spec.ArtifactTypes, spec.Source) if err != nil { logrus.Error(err) return err diff --git a/pkg/controllers/utils/verifier.go b/pkg/controllers/utils/verifier.go index 0b2557996..f9ddf597e 100644 --- a/pkg/controllers/utils/verifier.go +++ b/pkg/controllers/utils/verifier.go 
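Review bot: Neither caller checks the value that `cutils.GetType(spec)` hands to `SpecToVerifierConfig`: it returns `""` when both `spec.Type` and `spec.Name` are empty or when the argument is not a recognised spec type, so an empty verifier type is passed on as if it were valid; the namespaceresource hunk below has the same gap. Rejecting it up front, e.g. `if verifierType := cutils.GetType(spec); verifierType == "" { return fmt.Errorf("verifier %q: spec.type or spec.name must be set", objectName) }` before the `SpecToVerifierConfig` call (importing fmt if the file does not already), turns a misconfigured CRD into a reconcile error instead of a verifier registered with an empty type. Whether `SpecToVerifierConfig` already validates that argument is not visible here. `verifierAddOrReplace` continues outside the hunk.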
@@ -69,3 +69,22 @@ func SpecToVerifierConfig(raw []byte, verifierName, verifierType, artifactTypes return verifierConfig, nil } + +// GetType returns verifier spec type and is backward compatible with the old name field +func GetType(input interface{}) string { + switch spec := input.(type) { + case configv1beta1.VerifierSpec: + if spec.Type == "" { + return spec.Name + } + return spec.Type + case configv1beta1.NamespacedVerifierSpec: + if spec.Type == "" { + return spec.Name + } + return spec.Type + default: + logrus.Error("unable to assert verifierSpec type", spec) + } + return "" +} diff --git a/pkg/controllers/utils/verifier_test.go b/pkg/controllers/utils/verifier_test.go index 8ccf9a6d7..85c0df15a 100644 --- a/pkg/controllers/utils/verifier_test.go +++ b/pkg/controllers/utils/verifier_test.go @@ -119,3 +119,46 @@ func TestSpecToVerifierConfig(t *testing.T) { func resetVerifierMap() { controllers.NamespacedVerifiers = verifiers.NewActiveVerifiers() } + +func TestGetType(t *testing.T) { + tests := []struct { + name string + input interface{} + expected string + }{ + { + name: "cluster verifier spec with name", + input: configv1beta1.VerifierSpec{Name: "clusterV"}, + expected: "clusterV", + }, + { + name: "cluster verifier spec with type", + input: configv1beta1.VerifierSpec{Type: "clusterV"}, + expected: "clusterV", + }, + { + name: "namespaced verifier spec with name", + input: configv1beta1.NamespacedVerifierSpec{Name: "namespacedV"}, + expected: "namespacedV", + }, + { + name: "namespaced verifier spec with type", + input: configv1beta1.NamespacedVerifierSpec{Type: "namespacedV"}, + expected: "namespacedV", + }, + { + name: "verifier spec with no name or type", + input: "", + expected: "", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + output := GetType(tt.input) + if tt.expected != output { + t.Fatalf("GetType() expected %v, actual %v", tt.expected, output) + } + }) + } +} 
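Review bot: `GetType` takes `interface{}` and type-switches on two concrete spec types, so passing any other value is a runtime fallthrough to `logrus.Error` plus an empty string rather than a compile error — the two `GetType` methods this series removes from the v1beta1 types gave that check for free. If a shared helper is preferred, returning an error from the default branch, `func GetType(input interface{}) (string, error)`, lets the controllers fail the reconcile instead of continuing with `""`. The call `logrus.Error("unable to assert verifierSpec type", spec)` prints the value with no separator and, in the default branch, the value itself is rarely informative; `logrus.Errorf("unable to assert verifierSpec type: %T", input)` names the offending type instead. The doc comment should also state the precedence the code implements: `Type` wins when both fields are set and `Name` is only the fallback.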
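Review bot: The last case in `TestGetType` is named `verifier spec with no name or type` but its input is the string `""`, so it exercises the unknown-type default branch rather than an empty spec; a genuine empty-spec case, `input: configv1beta1.VerifierSpec{}`, is missing, as is the precedence case where both fields are set, e.g. `input: configv1beta1.VerifierSpec{Name: "old", Type: "new"}, expected: "new"`. Renaming the existing case to `unsupported input type` and adding those two pins the fallback behaviour the controllers now depend on.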
From 76b93d67fcab1488f903d8aa335a5d81dfbfc025 Mon Sep 17 00:00:00 2001 From: junczhu Date: Mon, 9 Sep 2024 08:44:17 +0000 Subject: [PATCH 5/6] chore: update CRD --- api/unversioned/namespacedverifier_types.go | 8 ++++---- api/unversioned/verifier_types.go | 8 ++++---- api/v1beta1/namespacedverifier_types.go | 3 +-- api/v1beta1/verifier_types.go | 3 +-- .../config.ratify.deislabs.io_namespacedverifiers.yaml | 10 ++++------ .../crd/bases/config.ratify.deislabs.io_verifiers.yaml | 10 ++++------ pkg/controllers/clusterresource/verifier_controller.go | 2 +- .../namespaceresource/verifier_controller.go | 2 +- pkg/controllers/utils/verifier.go | 6 +++--- pkg/controllers/utils/verifier_test.go | 2 +- 10 files changed, 24 insertions(+), 30 deletions(-) diff --git a/api/unversioned/namespacedverifier_types.go b/api/unversioned/namespacedverifier_types.go index a72261044..994e9d1f8 100644 --- a/api/unversioned/namespacedverifier_types.go +++ b/api/unversioned/namespacedverifier_types.go @@ -27,10 +27,10 @@ type NamespacedVerifierSpec struct { // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster // Important: Run "make" to regenerate code after modifying this file - // Name of the verifier + // Name of the verifier. Deprecated Name string `json:"name"` - // # Optional. Type of the verifier + // Type of the verifier. Optional Type string `json:"type,omitempty"` // Version of the verifier plugin. Optional @@ -39,10 +39,10 @@ type NamespacedVerifierSpec struct { // The type of artifact this verifier handles ArtifactTypes string `json:"artifactTypes"` - // # Optional. URL/file path + // URL/file path. Optional Address string `json:"address,omitempty"` - // OCI Artifact source to download the plugin from, optional + // OCI Artifact source to download the plugin from. Optional Source *PluginSource `json:"source,omitempty"` // Parameters for this verifier diff --git a/api/unversioned/verifier_types.go b/api/unversioned/verifier_types.go index ab2d7a746..0bcc543bb 100644 
--- a/api/unversioned/verifier_types.go +++ b/api/unversioned/verifier_types.go @@ -26,10 +26,10 @@ import ( type VerifierSpec struct { // Important: Run "make" to regenerate code after modifying this file - // Name of the verifier + // Name of the verifier. Deprecated Name string `json:"name,omitempty"` - // # Optional. Type of the verifier + // Type of the verifier. Deprecated Type string `json:"type,omitempty"` // Version of the verifier plugin. Optional @@ -38,10 +38,10 @@ type VerifierSpec struct { // The type of artifact this verifier handles ArtifactTypes string `json:"artifactTypes,omitempty"` - // # Optional. URL/file path + // URL/file path. Deprecated Address string `json:"address,omitempty"` - // OCI Artifact source to download the plugin from, optional + // OCI Artifact source to download the plugin from. Optional Source *PluginSource `json:"source,omitempty"` // Parameters for this verifier diff --git a/api/v1beta1/namespacedverifier_types.go b/api/v1beta1/namespacedverifier_types.go index 0bea41706..17809a456 100644 --- a/api/v1beta1/namespacedverifier_types.go +++ b/api/v1beta1/namespacedverifier_types.go @@ -29,8 +29,7 @@ type NamespacedVerifierSpec struct { // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster // Important: Run "make" to regenerate code after modifying this file - // TODO: update all docs spec to use type and add deprecation warning in spec to name field - // Name of the verifier + // Name of the verifier. Deprecated Name string `json:"name"` // Type of the verifier. Optional diff --git a/api/v1beta1/verifier_types.go b/api/v1beta1/verifier_types.go index dfb326731..b273a4898 100644 --- a/api/v1beta1/verifier_types.go +++ b/api/v1beta1/verifier_types.go 
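Review bot: In `api/unversioned/verifier_types.go` the `Type` field is now documented as `Type of the verifier. Deprecated` and, in the second hunk, `Address` as `URL/file path. Deprecated`, while the `NamespacedVerifierSpec` hunk above and the v1beta1 `VerifierSpec` hunk that follows describe the same fields as `Optional`; since `Type` is the field this series introduces as the replacement for `Name`, marking it deprecated reads as a copy-and-paste slip. The two comments should read `Type of the verifier. Optional` and `URL/file path. Optional` so the internal type agrees with the versioned ones it is converted from.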
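Review bot: `Name` in the v1beta1 `NamespacedVerifierSpec` is documented as deprecated but keeps the tag `json:"name"` with no `omitempty` and no `+optional` marker, so the generated CRD schema presumably still lists it as required (the `required:` list is not in this diff — confirm); users who migrate to `spec.type` would then be forced to keep setting the deprecated field. The v1beta1 `VerifierSpec` hunk that follows has the same shape. Changing the tag to `json:"name,omitempty"` and guarding the spec with `+kubebuilder:validation:XValidation:rule="has(self.name) || has(self.type)",message="one of name or type must be set"` preserves the at-least-one invariant that `GetType` relies on while letting the old field go. Go's convention `// Deprecated: use Type instead.` on its own line would also let staticcheck and editors surface the deprecation, which `Name of the verifier. Deprecated` does not.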
@@ -25,8 +25,7 @@ import ( type VerifierSpec struct { // Important: Run "make install-crds" to regenerate code after modifying this file - // TODO: update all docs spec to use type and add deprecation warning in spec to name field - // Name of the verifier + // Name of the verifier. Deprecated Name string `json:"name"` // Type of the verifier. Optional diff --git a/config/crd/bases/config.ratify.deislabs.io_namespacedverifiers.yaml b/config/crd/bases/config.ratify.deislabs.io_namespacedverifiers.yaml index e91349f35..b61b07734 100644 --- a/config/crd/bases/config.ratify.deislabs.io_namespacedverifiers.yaml +++ b/config/crd/bases/config.ratify.deislabs.io_namespacedverifiers.yaml @@ -48,22 +48,20 @@ spec: description: NamespacedVerifierSpec defines the desired state of NamespacedVerifier properties: address: - description: '# Optional. URL/file path' + description: URL/file path. Optional type: string artifactTypes: description: The type of artifact this verifier handles type: string name: - description: |- - TODO: update all docs spec to use type and add deprecation warning in spec to name field - Name of the verifier + description: Name of the verifier. Deprecated type: string parameters: description: Parameters for this verifier type: object x-kubernetes-preserve-unknown-fields: true source: - description: OCI Artifact source to download the plugin from, optional + description: OCI Artifact source to download the plugin from. Optional properties: artifact: description: OCI Artifact source to download the plugin from @@ -75,7 +73,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object type: - description: '# Optional. Type of the verifier' + description: Type of the verifier. Optional type: string version: description: Version of the verifier plugin. Optional diff --git a/config/crd/bases/config.ratify.deislabs.io_verifiers.yaml b/config/crd/bases/config.ratify.deislabs.io_verifiers.yaml index a950b66d3..8d08f76e5 100644 
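Review bot: VerifierSpec.Name is now documented as deprecated but keeps the tag `json:"name"` with no `omitempty`, while this same patch gives the unversioned VerifierSpec `json:"name,omitempty"`. If controller-gen still lists `name` under the CRD's `required` properties (that part of the yaml is outside the hunks shown here), the API server will reject a manifest that sets only `type`, so users cannot actually stop using the deprecated field during the migration window. Suggest changing the tag to `json:"name,omitempty"` here and in NamespacedVerifierSpec, regenerating the CRDs, and confirming in a test that a `type`-only manifest is admitted. The struct continues past the hunk.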
--- a/config/crd/bases/config.ratify.deislabs.io_verifiers.yaml +++ b/config/crd/bases/config.ratify.deislabs.io_verifiers.yaml @@ -107,22 +107,20 @@ spec: description: VerifierSpec defines the desired state of Verifier properties: address: - description: '# Optional. URL/file path' + description: URL/file path. Optional type: string artifactTypes: description: The type of artifact this verifier handles type: string name: - description: |- - TODO: update all docs spec to use type and add deprecation warning in spec to name field - Name of the verifier + description: Name of the verifier. Deprecated type: string parameters: description: Parameters for this verifier type: object x-kubernetes-preserve-unknown-fields: true source: - description: OCI Artifact source to download the plugin from, optional + description: OCI Artifact source to download the plugin from. Optional properties: artifact: description: OCI Artifact source to download the plugin from @@ -134,7 +132,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object type: - description: '# Optional. Type of the verifier' + description: Type of the verifier. Optional type: string version: description: Version of the verifier plugin. Optional diff --git a/pkg/controllers/clusterresource/verifier_controller.go b/pkg/controllers/clusterresource/verifier_controller.go index b804bc415..ff889e1bb 100644 --- a/pkg/controllers/clusterresource/verifier_controller.go +++ b/pkg/controllers/clusterresource/verifier_controller.go 
@@ -84,7 +84,7 @@ func (r *VerifierReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c // creates a verifier reference from CRD spec and add store to map func verifierAddOrReplace(spec configv1beta1.VerifierSpec, objectName string) error { - verifierConfig, err := cutils.SpecToVerifierConfig(spec.Parameters.Raw, objectName, cutils.GetType(spec), spec.ArtifactTypes, spec.Source) + verifierConfig, err := cutils.SpecToVerifierConfig(spec.Parameters.Raw, objectName, cutils.GetVerifierType(spec), spec.ArtifactTypes, spec.Source) if err != nil { logrus.Error(err) return err diff --git a/pkg/controllers/namespaceresource/verifier_controller.go b/pkg/controllers/namespaceresource/verifier_controller.go index c93dc0964..67eddd33c 100644 --- a/pkg/controllers/namespaceresource/verifier_controller.go +++ b/pkg/controllers/namespaceresource/verifier_controller.go @@ -83,7 +83,7 @@ func (r *VerifierReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c // creates a verifier reference from CRD spec and add store to map func verifierAddOrReplace(spec configv1beta1.NamespacedVerifierSpec, objectName string, namespace string) error { - verifierConfig, err := cutils.SpecToVerifierConfig(spec.Parameters.Raw, objectName, cutils.GetType(spec), spec.ArtifactTypes, spec.Source) + verifierConfig, err := cutils.SpecToVerifierConfig(spec.Parameters.Raw, objectName, cutils.GetVerifierType(spec), spec.ArtifactTypes, spec.Source) if err != nil { logrus.Error(err) return err diff --git a/pkg/controllers/utils/verifier.go b/pkg/controllers/utils/verifier.go index f9ddf597e..97e708141 100644 --- a/pkg/controllers/utils/verifier.go +++ b/pkg/controllers/utils/verifier.go 
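Review bot: verifierAddOrReplace now takes the plugin type from cutils.GetVerifierType(spec), which returns `spec.Name` when `spec.Type` is empty and therefore `""` when neither field is set (see the utils hunk in this patch), and the controller hands that value to SpecToVerifierConfig unchecked. Unless SpecToVerifierConfig itself rejects an empty type (its body starts outside this patch), a verifier CR with neither field set would be registered with no plugin type, a silent misconfiguration in the admission path rather than a reconcile error. Suggest resolving the type once and failing early: `verifierType := cutils.GetVerifierType(spec)` / `if verifierType == "" { return fmt.Errorf("verifier %s: spec.type (or the deprecated spec.name) must be set", objectName) }` and passing `verifierType` into SpecToVerifierConfig (importing fmt if it is not already); the same guard belongs in the namespaceresource variant of this function. Both function bodies continue past their hunks.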
@@ -70,9 +70,9 @@ func SpecToVerifierConfig(raw []byte, verifierName, verifierType, artifactTypes return verifierConfig, nil } -// GetType returns verifier spec type and is backward compatible with the old name field -func GetType(input interface{}) string { - switch spec := input.(type) { +// GetVerifierType returns verifier spec type and is backward compatible with the old name field +func GetVerifierType(verifierSpec interface{}) string { + switch spec := verifierSpec.(type) { case configv1beta1.VerifierSpec: if spec.Type == "" { return spec.Name diff --git a/pkg/controllers/utils/verifier_test.go b/pkg/controllers/utils/verifier_test.go index 85c0df15a..349653a07 100644 --- a/pkg/controllers/utils/verifier_test.go +++ b/pkg/controllers/utils/verifier_test.go @@ -155,7 +155,7 @@ func TestGetType(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - output := GetType(tt.input) + output := GetVerifierType(tt.input) if tt.expected != output { t.Fatalf("GetType() expected %v, actual %v", tt.expected, output) } From f2a25c852e48fc63bb3bffc342f6f62b07440b6d Mon Sep 17 00:00:00 2001 From: junczhu Date: Tue, 10 Sep 2024 05:42:12 +0000 Subject: [PATCH 6/6] fix: typo --- api/unversioned/verifier_types.go | 4 ++-- pkg/controllers/utils/verifier.go | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/api/unversioned/verifier_types.go b/api/unversioned/verifier_types.go index 0bcc543bb..fbdd69b43 100644 --- a/api/unversioned/verifier_types.go +++ b/api/unversioned/verifier_types.go @@ -29,7 +29,7 @@ type VerifierSpec struct { // Name of the verifier. Deprecated Name string `json:"name,omitempty"` - // Type of the verifier. Deprecated + // Type of the verifier. Optional Type string `json:"type,omitempty"` // Version of the verifier plugin. Optional 
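Review bot: GetVerifierType resolves a manifest that sets both fields in favor of `Type` with no diagnostic (`if spec.Type == "" { return spec.Name }`), so a CR with, say, `name: notation` and `type: cosign` registers a cosign verifier and nobody is told the legacy value was ignored; during a deprecation window that is exactly the mismatch operators will produce. Consider treating a non-empty `Name` that differs from a non-empty `Type` as an error, or at least logging it at the controller call sites where logrus is already in use; since this function returns only a string, growing it to `(string, error)` would touch both call sites changed in this patch. The remaining cases of the switch and its default branch are outside the hunk, so whether an unexpected spec type also yields `""` cannot be confirmed here.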
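Review bot: The test now calls GetVerifierType but still runs as `TestGetType` and reports failures as `GetType() expected %v, actual %v`, so a failing run names a function that no longer exists. Rename the test to `TestGetVerifierType` and change the message to `t.Fatalf("GetVerifierType() expected %v, actual %v", tt.expected, output)`. The table setup and the rest of the loop are outside the hunk.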
@@ -38,7 +38,7 @@ type VerifierSpec struct { // The type of artifact this verifier handles ArtifactTypes string `json:"artifactTypes,omitempty"` - // URL/file path. Deprecated + // URL/file path. Optional Address string `json:"address,omitempty"` // OCI Artifact source to download the plugin from. Optional diff --git a/pkg/controllers/utils/verifier.go b/pkg/controllers/utils/verifier.go index 97e708141..c569388a3 100644 --- a/pkg/controllers/utils/verifier.go +++ b/pkg/controllers/utils/verifier.go @@ -70,7 +70,7 @@ func SpecToVerifierConfig(raw []byte, verifierName, verifierType, artifactTypes return verifierConfig, nil } -// GetVerifierType returns verifier spec type and is backward compatible with the old name field +// GetVerifierType returns verifier type and is backward compatible with the deprecated name field func GetVerifierType(verifierSpec interface{}) string { switch spec := verifierSpec.(type) { case configv1beta1.VerifierSpec:
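Review bot: The reworded doc comment still leaves the contract implicit: it does not say that a non-empty Type takes precedence over Name, nor that the result is the empty string when neither field is set, which are the two facts callers must handle (`if spec.Type == "" { return spec.Name }` is visible in the hunk). Suggest `// GetVerifierType returns spec.Type, falling back to the deprecated spec.Name when Type is empty.` / `// A non-empty Type always wins; the result is "" when neither field is set, and callers must treat that as a misconfigured verifier.` The remaining cases of the switch are outside the hunk.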