NO-JIRA: Rename ImagePolicy nested types to prevent PKI collision

[sanchezl]

Rename some types in the config package to prevent name collisions.

I was specifically interested in the PKI type used in the ImagePolicySpec because it conflicts with a new top level type I want to introduce. I also renamed the other types in the ImagePolicySpec discriminated union for consistency. Additionally, I renamed the Policy type. The machine-config-operator is the only know client of these types, and would require a single one-line update when it bumps to an openshift/client-go version containing these changes.

I did not do an extensive search amongst the entire package and focused only on these few cases.

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[coderabbitai]

Walkthrough

Replaces the previous Policy model with ImageSigstoreVerificationPolicy and renames root-of-trust types to ImagePolicy...RootOfTrust across v1 and v1alpha1; updates ClusterImagePolicySpec.Policy/ImagePolicySpec.Policy types, and regenerates deepcopy, Swagger, and OpenAPI artifacts to match the new type names and shapes.

Changes

Cohort / File(s)	Summary
v1 type changes config/v1/types_image_policy.go, config/v1/types_cluster_image_policy.go	Replaces Policy with ImageSigstoreVerificationPolicy (field policy), and renames root-of-trust types: PublicKey → ImagePolicyPublicKeyRootOfTrust, FulcioCAWithRekor → ImagePolicyFulcioCAWithRekorRootOfTrust, PKI → ImagePolicyPKIRootOfTrust. Updates ImagePolicySpec.Policy and ClusterImagePolicySpec.Policy signatures accordingly.
v1 generated deepcopy config/v1/zz_generated.deepcopy.go	Removes legacy deepcopies for old root types; adds DeepCopyInto/DeepCopy implementations for ImageSigstoreVerificationPolicy, ImagePolicyPublicKeyRootOfTrust, ImagePolicyFulcioCAWithRekorRootOfTrust, ImagePolicyPKIRootOfTrust, and updates PolicyRootOfTrust deepcopy paths to use the new root types.
v1 generated swagger/docs config/v1/zz_generated.swagger_doc_generated.go	Adds SwaggerDoc maps and methods for ImageSigstoreVerificationPolicy and the ImagePolicy...RootOfTrust types; removes legacy maps for Policy, PKI, PublicKey, and FulcioCAWithRekor.
v1alpha1 type changes config/v1alpha1/types_image_policy.go, config/v1alpha1/types_cluster_image_policy.go	Mirrors v1 renames: introduces ImageSigstoreVerificationPolicy, renames root-of-trust types to ImagePolicy...RootOfTrust, and changes ImagePolicySpec.Policy/ClusterImagePolicySpec.Policy signatures (v1alpha1 uses pointer *ImageSigstoreVerificationPolicy / omitempty).
v1alpha1 generated deepcopy config/v1alpha1/zz_generated.deepcopy.go	Removes deepcopies for legacy root types; adds DeepCopyInto/DeepCopy for new ImagePolicy...RootOfTrust types and ImageSigstoreVerificationPolicy, and updates nested deepcopy logic to reference the new types.
v1alpha1 generated swagger/docs config/v1alpha1/zz_generated.swagger_doc_generated.go	Adds SwaggerDoc maps/methods for ImageSigstoreVerificationPolicy and ImagePolicy...RootOfTrust types; removes legacy Policy/PKI/PublicKey maps.
Generated OpenAPI openapi/generated_openapi/zz_generated.openapi.go, openapi/openapi.json	Removes legacy OpenAPI definitions for Policy, PKI, PublicKey, FulcioCAWithRekor (v1 and v1alpha1); adds OpenAPI schemas and refs for ImageSigstoreVerificationPolicy, ImagePolicyPublicKeyRootOfTrust, ImagePolicyFulcioCAWithRekorRootOfTrust, and ImagePolicyPKIRootOfTrust; updates schema refs and union discriminators accordingly.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

• Areas to focus during review:
  • DeepCopy implementations: correctness for byte-slice copying, nil checks, and nested structs.
  • Consistency of JSON tags and pointer vs. value semantics for policy fields between v1 and v1alpha1 (omitempty behavior).
  • Swagger/OpenAPI artifacts: ensure all refs and generated docs point to new types with no leftover references to removed legacy types.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@sanchezl: This pull request explicitly references no jira issue.

Details

In response to this:

• rename types that were too generic
• make update

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

Hello @sanchezl! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[sanchezl]

Proof/Follow up PRs:

• NO-JIRA: bump openshift/api client-go#354
• NO-JIRA: bump openshift/client-go machine-config-operator#5500

[JoelSpeed]

This is likely to have a fairly wide impact across the existing image policy implementation when it merges, are the appropriate PRs being lined up to rename this across OCP?

[everettraven]

@sanchezl Reached out to me yesterday with the associated PRs but I haven't yet gotten around to taking a look at them:

• NO-JIRA: bump openshift/api client-go#354
• NO-JIRA: bump openshift/client-go machine-config-operator#5500

[sanchezl]

This is likely to have a fairly wide impact across the existing image policy implementation when it merges, are the appropriate PRs being lined up to rename this across OCP?

The original author expects this to only be used in MCO. I confirmed with a search that that appears to be the case. Given that I did not change the actual field names, the only impact I found was a one line mention of a specific type in the MCO.

P.S. The linter insisted that I change some field to/from pointer and that I add tweak some uses of 'omitzero/omitempty`. I will need to propagate those changes to be sure that the impact has remained small.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

config/v1alpha1/types_cluster_image_policy.go (1)

51-55: Clarify whether spec.policy is truly required now that it’s *ImageScopeVerificationPolicy with omitempty.

The field is still documented/annotated as +required, but the Go type is a pointer and the JSON tag is omitempty. Please confirm whether:

• the API intends policy to remain required (in which case omitempty may be misleading), or
• you actually want it optional (and should drop +required / update the comment and validation accordingly).

Also ensure any consumers of ClusterImagePolicySpec.Policy now handle a nil pointer correctly.

config/v1/types_image_policy.go (1)

51-55: Reconcile policy being marked required with its new pointer/omitempty representation.

ImagePolicySpec.Policy is now *ImageScopeVerificationPolicy with json:"policy,omitempty" but is still documented and annotated as +required. For this level‑1 stable API, it’s worth being explicit about intent:

• If policy must always be present, consider dropping omitempty (and/or not using a pointer) to avoid implying optionality.
• If you want to allow omitting policy, then the +required marker and “required field” wording should be adjusted, and CRD/OpenAPI validation regenerated accordingly.

Also check that all in‑tree and downstream consumers now nil‑check spec.Policy where appropriate.

config/v1alpha1/types_image_policy.go (1)

50-54: Double‑check spec.policy requiredness vs pointer and omitempty here as well.

As with the v1 type, ImagePolicySpec.Policy is now a *ImageScopeVerificationPolicy with omitempty but still carries a +required marker and “policy contains …” wording that reads as required.

Even though this is alpha (compat level 4), it would be good to:

• either keep it truly required and consider dropping omitempty, or
• explicitly make it optional and update annotations/comments plus validation to match.

Clients also now need to guard for nil spec.Policy when reading alpha objects.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 78d4b6a and 756c352.

📒 Files selected for processing (7)

• config/v1/types_cluster_image_policy.go (1 hunks)
• config/v1/types_image_policy.go (6 hunks)
• config/v1/zz_generated.deepcopy.go (9 hunks)
• config/v1alpha1/types_cluster_image_policy.go (1 hunks)
• config/v1alpha1/types_image_policy.go (6 hunks)
• config/v1alpha1/zz_generated.deepcopy.go (9 hunks)
• openapi/generated_openapi/zz_generated.openapi.go (21 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• config/v1/types_cluster_image_policy.go

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• config/v1/types_image_policy.go
• config/v1alpha1/types_image_policy.go
• config/v1alpha1/types_cluster_image_policy.go
• openapi/generated_openapi/zz_generated.openapi.go
• config/v1/zz_generated.deepcopy.go
• config/v1alpha1/zz_generated.deepcopy.go

🧬 Code graph analysis (4)

config/v1alpha1/types_image_policy.go (1)

config/v1alpha1/zz_generated.swagger_doc_generated.go (4)

• ImageScopeVerificationPolicy (295-297)
• PublicKeyVerificationPolicyRootOfTrust (365-367)
• FulcioCAWithRekorVerificationPolicyRootOfTrust (247-249)
• CertificateChainVerificationPolicyRootOfTrust (236-238)

config/v1alpha1/types_cluster_image_policy.go (2)

config/v1alpha1/types_image_policy.go (1)

• ImageScopeVerificationPolicy (63-70)

config/v1alpha1/zz_generated.swagger_doc_generated.go (1)

• ImageScopeVerificationPolicy (295-297)

config/v1/zz_generated.deepcopy.go (3)

config/v1/types_image_policy.go (6)

• CertificateChainVerificationPolicyRootOfTrust (176-198)
• PKICertificateSubject (203-217)
• ImageScopeVerificationPolicy (64-73)
• FulcioCAWithRekorVerificationPolicyRootOfTrust (136-154)
• PolicyIdentity (223-241)
• PublicKeyVerificationPolicyRootOfTrust (117-133)

config/v1alpha1/zz_generated.swagger_doc_generated.go (6)

• CertificateChainVerificationPolicyRootOfTrust (236-238)
• PKICertificateSubject (305-307)
• ImageScopeVerificationPolicy (295-297)
• FulcioCAWithRekorVerificationPolicyRootOfTrust (247-249)
• PolicyIdentity (326-328)
• PublicKeyVerificationPolicyRootOfTrust (365-367)

config/v1/zz_generated.swagger_doc_generated.go (6)

• CertificateChainVerificationPolicyRootOfTrust (1224-1226)
• PKICertificateSubject (1294-1296)
• ImageScopeVerificationPolicy (1284-1286)
• FulcioCAWithRekorVerificationPolicyRootOfTrust (1235-1237)
• PolicyIdentity (1315-1317)
• PublicKeyVerificationPolicyRootOfTrust (1354-1356)

config/v1alpha1/zz_generated.deepcopy.go (2)

config/v1alpha1/types_image_policy.go (5)

• CertificateChainVerificationPolicyRootOfTrust (155-175)
• PKICertificateSubject (180-194)
• ImageScopeVerificationPolicy (63-70)
• FulcioCAWithRekorVerificationPolicyRootOfTrust (124-138)
• PublicKeyVerificationPolicyRootOfTrust (110-121)

config/v1alpha1/zz_generated.swagger_doc_generated.go (5)

• CertificateChainVerificationPolicyRootOfTrust (236-238)
• PKICertificateSubject (305-307)
• ImageScopeVerificationPolicy (295-297)
• FulcioCAWithRekorVerificationPolicyRootOfTrust (247-249)
• PublicKeyVerificationPolicyRootOfTrust (365-367)

🔇 Additional comments (12)

config/v1/types_image_policy.go (1)

63-73: ImageScopeVerificationPolicy and root‑of‑trust type renames look consistent.

Renaming Policy → ImageScopeVerificationPolicy and the root‑of‑trust structs (PublicKey*, FulcioCAWithRekor*, PKI → CertificateChainVerificationPolicyRootOfTrust) is internally consistent here and in the union (PolicyRootOfTrust). JSON field names and discriminator values are preserved, so on‑the‑wire compatibility is maintained while avoiding future type name collisions.

Also applies to: 92-104, 116-155, 175-198

config/v1alpha1/types_image_policy.go (1)

62-97: Renamed verification policy and root‑of‑trust types are coherent with the v1 surface.

The ImageScopeVerificationPolicy rename and the new *VerificationPolicyRootOfTrust structs, along with updating PolicyRootOfTrust to use pointers to these types, align v1alpha1 with the v1 API while avoiding the planned PKI name collision. Union annotations and JSON field names (publicKey, fulcioCAWithRekor, pki) remain consistent.

Also applies to: 109-121, 123-138, 154-175

config/v1/zz_generated.deepcopy.go (2)

927-952: DeepCopy implementations for renamed root‑of‑trust types look correct.

The generated DeepCopy functions for CertificateChainVerificationPolicyRootOfTrust, FulcioCAWithRekorVerificationPolicyRootOfTrust, PublicKeyVerificationPolicyRootOfTrust, and the updated PolicyRootOfTrust all correctly:

• copy scalar fields by value, and
• allocate and copy the underlying []byte slices and nested structs where present.

This matches the struct definitions in config/v1/types_image_policy.go and avoids shared backing storage.

Also applies to: 2375-2399, 5601-5624, 5278-5287

---

1121-1132: Pointer Policy fields are deep‑copied safely for Image/ClusterImagePolicy specs.

ClusterImagePolicySpec.DeepCopyInto and ImagePolicySpec.DeepCopyInto now correctly handle nil vs non‑nil Policy by allocating a new ImageScopeVerificationPolicy and delegating to its DeepCopy. The ImageScopeVerificationPolicy DeepCopy in turn deep‑copies RootOfTrust and SignedIdentity, so no shallow copies remain.

Also applies to: 3135-3147, 3183-3203

openapi/generated_openapi/zz_generated.openapi.go (1)

183-183: Generated code changes are consistent with the type renames.

This auto-generated file correctly reflects the type renames across both v1 and v1alpha1 API versions:

• PKI → CertificateChainVerificationPolicyRootOfTrust
• FulcioCAWithRekor → FulcioCAWithRekorVerificationPolicyRootOfTrust
• PublicKey → PublicKeyVerificationPolicyRootOfTrust
• Policy → ImageScopeVerificationPolicy

All schema definitions, references, and dependencies are updated uniformly. The PKICertificateSubject type is correctly preserved as it was outside the scope of this rename.

Also applies to: 245-245, 279-279, 377-377, 431-431, 442-442, 448-448, 462-462, 10095-10130, 10471-10483, 12796-12803, 14345-14357, 14396-14423, 18391-18431, 18984-18991, 21531-21567, 21696-21708, 21976-21983, 22184-22196, 22235-22263, 22729-22767, 22770-22777

config/v1alpha1/zz_generated.deepcopy.go (7)

195-220: LGTM: Correct deepcopy for CertificateChainVerificationPolicyRootOfTrust.

The generated deepcopy implementation properly handles the byte slice fields and struct field for the renamed type.

---

291-295: LGTM: Correct pointer handling for ClusterImagePolicySpec.Policy.

The generated code properly handles the Policy field as a pointer to ImageScopeVerificationPolicy, with appropriate nil checking and deep copying.

---

464-488: LGTM: Correct deepcopy for FulcioCAWithRekorVerificationPolicyRootOfTrust.

The generated deepcopy implementation properly handles byte slices and the FulcioSubject field for the renamed type.

---

585-589: LGTM: Consistent pointer handling for ImagePolicySpec.Policy.

The generated code properly handles the Policy field with the same correct pattern used in ClusterImagePolicySpec.

---

626-642: LGTM: Correct deepcopy for ImageScopeVerificationPolicy.

The generated deepcopy implementation properly calls DeepCopyInto on the RootOfTrust and SignedIdentity nested fields.

---

907-924: LGTM: Correct type references in PolicyRootOfTrust deepcopy.

The generated code properly references all three renamed root-of-trust types (PublicKeyVerificationPolicyRootOfTrust, FulcioCAWithRekorVerificationPolicyRootOfTrust, CertificateChainVerificationPolicyRootOfTrust) with correct deepcopy logic.

---

938-961: LGTM: Correct deepcopy for PublicKeyVerificationPolicyRootOfTrust.

The generated deepcopy implementation properly handles both byte slice fields (KeyData and RekorKeyData) for the renamed type.

[sanchezl]

P.S. The linter insisted that I change some field to/from pointer and that I add tweak some uses of 'omitzero/omitempty`. I will need to propagate those changes to be sure that the impact has remained small.

This change resulted in no changes to the client-go generated code.

[JoelSpeed]

Please don't change this to a pointer/change the omitempty. The field has shipped and we shouldn't change the structure now as this could impact folks who've built tooling against these types

[sanchezl]

Got it. How do I get past the linter?

[JoelSpeed]

/override at the discretion of the API approvers

[JoelSpeed]

/override ci/prow/lint

The linting errors cannot be fixed on these pre-existing APIs without breaking folks. So will override.

Looking at the PRs, you've got client-go and MCO to update, are those the only two? Have we tested those sufficiently? Looks like the MCO one has a bunch of red on it

[openshift-ci]

@JoelSpeed: Overrode contexts on behalf of JoelSpeed: ci/prow/lint

Details

In response to this:

/override ci/prow/lint

The linting errors cannot be fixed on these pre-existing APIs without breaking folks. So will override.

Looking at the PRs, you've got client-go and MCO to update, are those the only two? Have we tested those sufficiently? Looks like the MCO one has a bunch of red on it

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[QiWang19]

I suggested renaming to better reflect the specific intent. Hope it works to avoid naming collisions.

[sanchezl]

@JoelSpeed:

The linting errors cannot be fixed on these pre-existing APIs without breaking folks. So will override.

Thank you, I had to rebase with the naming preferred by @QiWang19 (the engineer who introduced these types).

Looking at the PRs, you've got client-go and MCO to update, are those the only two?

I confirmed with @QiWang19 that there should not be any others.

Have we tested those sufficiently? Looks like the MCO one has a bunch of red on it

There were some updated commits I needed to push. It should look much better now.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

openapi/generated_openapi/zz_generated.openapi.go (2)

14194-14229: LGTM: Root-of-trust type definitions are structurally sound.

The new ImagePolicy*RootOfTrust type schemas are properly defined with correct field types, required fields, and dependency references for both v1 and v1alpha1.

Optional: Documentation string consistency.

Minor documentation inconsistencies exist between v1 and v1alpha1 (e.g., Line 14203 "is a required field contains" vs Line 22043 "contains"), and Line 22167 has inconsistent capitalization ("KeyData" should be "keyData"). Since this is generated code, these likely originate from source type definitions and should be addressed there if cleanup is desired.

Also applies to: 14282-14345, 22034-22069, 22121-22184

---

14426-14453: LGTM: ImageSigstoreVerificationPolicy schemas defined correctly.

The new verification policy type is properly defined with required rootOfTrust and optional signedIdentity fields, correctly referencing PolicyRootOfTrust and PolicyIdentity types for both API versions.

Optional: Consider v1/v1alpha1 Default value alignment.

v1alpha1's signedIdentity (Line 22282) has a Default value while v1's (Line 14441) does not. This may be intentional API evolution, but if consistent behavior is desired across versions, verify whether this difference is intended.

Also applies to: 22265-22293

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 65b693c and adfa0f5.

📒 Files selected for processing (6)

• config/v1/zz_generated.deepcopy.go (4 hunks)
• config/v1/zz_generated.swagger_doc_generated.go (3 hunks)
• config/v1alpha1/zz_generated.deepcopy.go (4 hunks)
• config/v1alpha1/zz_generated.swagger_doc_generated.go (3 hunks)
• openapi/generated_openapi/zz_generated.openapi.go (16 hunks)
• openapi/openapi.json (13 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• config/v1alpha1/zz_generated.deepcopy.go
• openapi/openapi.json
• config/v1/zz_generated.swagger_doc_generated.go
• openapi/generated_openapi/zz_generated.openapi.go
• config/v1alpha1/zz_generated.swagger_doc_generated.go
• config/v1/zz_generated.deepcopy.go

🧬 Code graph analysis (1)

config/v1/zz_generated.deepcopy.go (1)

config/v1/types_image_policy.go (6)

• ImagePolicyFulcioCAWithRekorRootOfTrust (136-154)
• ImagePolicyPKIRootOfTrust (176-198)
• PKICertificateSubject (203-217)
• ImagePolicyPublicKeyRootOfTrust (117-133)
• ImageSigstoreVerificationPolicy (64-73)
• PolicyIdentity (223-241)

🔇 Additional comments (16)

openapi/openapi.json (3)

5207-5213: Type renames applied correctly for v1 API.

The renames from Policy to ImageSigstoreVerificationPolicy and the root-of-trust types (ImagePolicyFulcioCAWithRekorRootOfTrust, ImagePolicyPKIRootOfTrust, ImagePolicyPublicKeyRootOfTrust) are applied consistently throughout the v1 schema definitions. All $ref pointers correctly reference the v1 namespace.

Also applies to: 7433-7592, 9893-9912

---

11794-11800: Type renames applied correctly for v1alpha1 API.

The v1alpha1 schema mirrors the v1 changes with proper namespace prefixing. All renamed types and references are consistent between API versions.

Also applies to: 12012-12171, 12439-12458

---

7433-7458: Verify downstream consumers handle the breaking type rename.

The type rename from FulcioCAWithRekor to ImagePolicyFulcioCAWithRekorRootOfTrust (and similar renames) is a breaking change for any client code directly referencing these types. MCO is the only known consumer with a corresponding PR (openshift/machine-config-operator#5500, OPEN) that bumps openshift/client-go (openshift/client-go#354, OPEN).

Also applies to: 12012-12037

config/v1/zz_generated.deepcopy.go (5)

3043-3068: DeepCopy for ImagePolicyFulcioCAWithRekorRootOfTrust correctly handles slice fields

FulcioCAData and RekorKeyData slices are deep-copied and FulcioSubject (value type) is copied by value, which matches the struct definition and avoids aliasing.

---

3103-3128: DeepCopy for ImagePolicyPKIRootOfTrust matches BYO‑PKI shape

Both certificate bundle slices are deep-copied and PKICertificateSubject (value type) is copied by value; this is consistent with the struct in types_image_policy.go and avoids shared slice backing arrays.

---

3131-3154: DeepCopy for ImagePolicyPublicKeyRootOfTrust correctly copies key material

KeyData and optional RekorKeyData are deep-copied as new byte slices; no shared state is retained between copies.

---

3201-3221: DeepCopy for ImageSigstoreVerificationPolicy respects nested union and pointer

RootOfTrust is deep-copied via DeepCopyInto, and SignedIdentity is cloned with proper allocation and DeepCopyInto. This preserves the discriminated union semantics without pointer aliasing.

---

5296-5314: PolicyRootOfTrust now deep-copies renamed root‑of‑trust types

Pointer fields PublicKey, FulcioCAWithRekor, and PKI are retyped to ImagePolicy*RootOfTrust, allocated, and deep-copied, which aligns with the type rename and maintains correct deep-copy behavior for the union members.

config/v1alpha1/zz_generated.swagger_doc_generated.go (4)

240-249: Swagger docs for ImagePolicyFulcioCAWithRekorRootOfTrust align with type definition

Field descriptions for fulcioCAData, rekorKeyData, and fulcioSubject match the struct semantics (Fulcio CA, Rekor key, and subject) and use the updated type name, so generated API docs remain accurate.

---

260-269: Swagger docs for ImagePolicyPKIRootOfTrust correctly describe BYO‑PKI fields

The new map documents caRootsData, caIntermediatesData, and pkiCertificateSubject consistently with the PKI root‑of‑trust struct, preserving user‑facing behavior while reflecting the renamed type.

---

271-279: Swagger docs for ImagePolicyPublicKeyRootOfTrust match sigstore key usage

Descriptions for keyData and optional rekorKeyData accurately reflect the public key and Rekor key fields of the renamed root‑of‑trust type; no API semantics change.

---

299-307: ImageSigstoreVerificationPolicy swagger doc matches verification policy struct

Summary and field docs for rootOfTrust and signedIdentity are consistent with the struct definition and the discriminator-based identity matching, and correctly use the new policy type name.

openapi/generated_openapi/zz_generated.openapi.go (3)

271-280: LGTM: Map entries added consistently.

The new type entries are properly added to the OpenAPI definitions map for both v1 and v1alpha1, following the established naming convention.

Also applies to: 443-449

---

10435-10448: LGTM: Policy references updated consistently.

The policy field references have been correctly updated to use ImageSigstoreVerificationPolicy in both ClusterImagePolicySpec and ImagePolicySpec for v1 and v1alpha1, with matching dependency lists.

Also applies to: 14375-14388, 21660-21673, 22214-22227

---

18421-18439: LGTM: PolicyRootOfTrust references updated correctly.

All references within PolicyRootOfTrust have been updated to use the new ImagePolicy*RootOfTrust type names, and dependency lists have been updated accordingly for both v1 and v1alpha1.

Also applies to: 18455-18460, 22759-22777, 22793-22798

config/v1alpha1/zz_generated.deepcopy.go (1)

486-943: LGTM! Generated deepcopy code correctly implements the type renames.

The auto-generated deepcopy methods for the new ImagePolicy*RootOfTrust types and ImageSigstoreVerificationPolicy are correct. The implementations properly handle:

• Deep copying of byte slices with appropriate nil checks and allocations
• Correct delegation to nested struct deepcopy methods
• Updated type references in PolicyRootOfTrust.DeepCopyInto to use the renamed types

The changes align with the PR objective to rename nested types and avoid PKI collision.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Root-of-trust type renames look correct; consider tightening doc phrasing

The three new SwaggerDoc maps for ImagePolicyFulcioCAWithRekorRootOfTrust, ImagePolicyPKIRootOfTrust, and ImagePolicyPublicKeyRootOfTrust line up with the PR’s intent (distinct ImagePolicy-scoped root-of-trust variants with size limits and subject constraints), and the field keys look consistent with the JSON field names.

If you touch these comments again, you might want to fix the slightly awkward wording in the user-facing descriptions, e.g.:

• “fulcioCAData is a required field contains …” → “is a required field that contains …”
• “rekorKeyData is an optional field contains …” → “is an optional field that contains …”
• “fulcioSubject is a required field specifies …” → “is a required field that specifies …”

Same pattern applies to keyData/rekorKeyData in ImagePolicyPublicKeyRootOfTrust.

This is non-blocking, since it’s only doc text.

Also applies to: 1249-1258, 1260-1268

🤖 Prompt for AI Agents

In config/v1/zz_generated.swagger_doc_generated.go around lines 1228-1237 (and
similarly at 1249-1258, 1260-1268), the SwaggerDoc strings use awkward phrasing
like "is a required field contains" / "is an optional field contains" / "is a
required field specifies"; update those user-facing descriptions to include
"that" after "field" so they read e.g. "is a required field that contains ..."
or "is an optional field that contains ..." and "is a required field that
specifies ...", and make the same wording fix for the corresponding
keyData/rekorKeyData/fulcioSubject entries in the other two maps.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

ImageSigstoreVerificationPolicy mapping matches model; minor doc polish possible

map_ImageSigstoreVerificationPolicy and its SwaggerDoc correctly describe the new policy type and reference rootOfTrust/signedIdentity in a way that’s consistent with the surrounding PolicyRootOfTrust and PolicyIdentity docs.

As with the root-of-trust types, the description for signedIdentity (“is an optional field specifies …”) could be tightened to “is an optional field that specifies …” if you’re revisiting the comments, but this is purely cosmetic.

🤖 Prompt for AI Agents

In config/v1/zz_generated.swagger_doc_generated.go around lines 1288 to 1296,
the documentation string for the "signedIdentity" map entry has a minor
grammatical issue; change "is an optional field specifies what image
identity..." to "is an optional field that specifies what image identity..." so
the sentence is grammatically correct while keeping the rest of the wording
unchanged.

[JoelSpeed]

/approve
/override ci/prow/lint

This is good by me, @QiWang19 can you LGTM if you're happy

[openshift-ci]

@JoelSpeed: Overrode contexts on behalf of JoelSpeed: ci/prow/lint

Details

In response to this:

/approve
/override ci/prow/lint

This is good by me, @QiWang19 can you LGTM if you're happy

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

@sanchezl: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/okd-scos-images	adfa0f5	link	true	/test okd-scos-images

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[QiWang19]

I just realized, apart from MCO, the ClusterImagePolicy and ImagePolicy API struct is also used in the origin test https://github.com/openshift/origin/blob/18eb1d61068413a12aba5867715f5036189b8a8c/test/extended/imagepolicy/imagepolicy.go#L364, we will also need a follow-up PR there.

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: JoelSpeed, QiWang19

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [JoelSpeed]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment