diff --git a/config/v1/types_cluster_image_policy.go b/config/v1/types_cluster_image_policy.go
index ca604e05c5b..491390098c3 100644
--- a/config/v1/types_cluster_image_policy.go
+++ b/config/v1/types_cluster_image_policy.go
@@ -52,7 +52,7 @@ type ClusterImagePolicySpec struct {
 // policy is a required field that contains configuration to allow scopes to be verified, and defines how
 // images not matching the verification policy will be treated.
 // +required
- Policy Policy `json:"policy"`
+ Policy ImageSigstoreVerificationPolicy `json:"policy"`
 }
 
 // +k8s:deepcopy-gen=true
diff --git a/config/v1/types_image_policy.go b/config/v1/types_image_policy.go
index a6a64051300..3cc46141c9c 100644
--- a/config/v1/types_image_policy.go
+++ b/config/v1/types_image_policy.go
@@ -51,7 +51,7 @@ type ImagePolicySpec struct {
 // policy is a required field that contains configuration to allow scopes to be verified, and defines how
 // images not matching the verification policy will be treated.
 // +required
- Policy Policy `json:"policy"`
+ Policy ImageSigstoreVerificationPolicy `json:"policy"`
 }
 
 // +kubebuilder:validation:XValidation:rule="size(self.split('/')[0].split('.')) == 1 ? self.split('/')[0].split('.')[0].split(':')[0] == 'localhost' : true",message="invalid image scope format, scope must contain a fully qualified domain name or 'localhost'"
@@ -60,8 +60,8 @@ type ImagePolicySpec struct {
 // +kubebuilder:validation:MaxLength=512
 type ImageScope string
 
-// Policy defines the verification policy for the items in the scopes list.
-type Policy struct {
+// ImageSigstoreVerificationPolicy defines the verification policy for the items in the scopes list.
+type ImageSigstoreVerificationPolicy struct {
 // rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval.
 // This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated.
 // +required
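Review bot: Renaming the exported Go types in the stable `config/v1` package (here `type Policy struct` becomes `type ImageSigstoreVerificationPolicy struct`, and `PublicKey`, `FulcioCAWithRekor` and `PKI` are renamed the same way in the following hunks of this file) breaks every out-of-tree Go consumer that references the old names, even though the JSON tags and therefore the wire API are unchanged. Unless a compatibility shim is added elsewhere in the change (not visible here), consider keeping deprecated aliases next to the new definitions, e.g. `// Deprecated: use ImageSigstoreVerificationPolicy instead.` followed by `type Policy = ImageSigstoreVerificationPolicy`, so existing controllers and admission/validation code keep compiling through the transition. The same consideration applies to the `config/v1alpha1` counterparts further down in the diff.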
@@ -89,18 +89,18 @@ type PolicyRootOfTrust struct {
 // publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification.
 // publicKey is required when policyType is PublicKey, and forbidden otherwise.
 // +optional
- PublicKey *PublicKey `json:"publicKey,omitempty"`
+ PublicKey *ImagePolicyPublicKeyRootOfTrust `json:"publicKey,omitempty"`
 // fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key.
 // fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise
 // For more information about Fulcio and Rekor, please refer to the document at:
 // https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor
 // +optional
- FulcioCAWithRekor *FulcioCAWithRekor `json:"fulcioCAWithRekor,omitempty"`
+ FulcioCAWithRekor *ImagePolicyFulcioCAWithRekorRootOfTrust `json:"fulcioCAWithRekor,omitempty"`
 // pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates.
 // pki is required when policyType is PKI, and forbidden otherwise.
 // +optional
 // +openshift:enable:FeatureGate=SigstoreImageVerificationPKI
- PKI *PKI `json:"pki,omitempty"`
+ PKI *ImagePolicyPKIRootOfTrust `json:"pki,omitempty"`
 }
 
 // +openshift:validation:FeatureGateAwareEnum:featureGate="",enum=PublicKey;FulcioCAWithRekor
@@ -113,8 +113,8 @@ const (
 PKIRootOfTrust PolicyType = "PKI"
 )
 
-// PublicKey defines the root of trust based on a sigstore public key.
-type PublicKey struct {
+// ImagePolicyPublicKeyRootOfTrust defines the root of trust based on a sigstore public key.
+type ImagePolicyPublicKeyRootOfTrust struct {
 // keyData is a required field contains inline base64-encoded data for the PEM format public key.
 // keyData must be at most 8192 characters.
 // +required
@@ -132,8 +132,8 @@ type PublicKey struct {
 RekorKeyData []byte `json:"rekorKeyData,omitempty"`
 }
 
-// FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.
-type FulcioCAWithRekor struct {
+// ImagePolicyFulcioCAWithRekorRootOfTrust defines the root of trust based on the Fulcio certificate and the Rekor public key.
+type ImagePolicyFulcioCAWithRekorRootOfTrust struct {
 // fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA.
 // fulcioCAData must be at most 8192 characters.
 // +required
@@ -172,8 +172,8 @@ type PolicyFulcioSubject struct {
 SignedEmail string `json:"signedEmail"`
 }
 
-// PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.
-type PKI struct {
+// ImagePolicyPKIRootOfTrust defines the root of trust based on Root CA(s) and corresponding intermediate certificates.
+type ImagePolicyPKIRootOfTrust struct {
 // caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters.
 // +required
 // +kubebuilder:validation:MaxLength=8192
diff --git a/config/v1/zz_generated.deepcopy.go b/config/v1/zz_generated.deepcopy.go
index fe8c1122735..5652de79eba 100644
--- a/config/v1/zz_generated.deepcopy.go
+++ b/config/v1/zz_generated.deepcopy.go
@@ -2340,33 +2340,6 @@ func (in *FeatureGateTests) DeepCopy() *FeatureGateTests {
 return out
 }
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FulcioCAWithRekor) DeepCopyInto(out *FulcioCAWithRekor) {
- *out = *in
- if in.FulcioCAData != nil {
- in, out := &in.FulcioCAData, &out.FulcioCAData
- *out = make([]byte, len(*in))
- copy(*out, *in)
- }
- if in.RekorKeyData != nil {
- in, out := &in.RekorKeyData, &out.RekorKeyData
- *out = make([]byte, len(*in))
- copy(*out, *in)
- }
- out.FulcioSubject = in.FulcioSubject
- return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FulcioCAWithRekor.
-func (in *FulcioCAWithRekor) DeepCopy() *FulcioCAWithRekor {
- if in == nil {
- return nil
- }
- out := new(FulcioCAWithRekor)
- in.DeepCopyInto(out)
- return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GCPPlatformSpec) DeepCopyInto(out *GCPPlatformSpec) {
 *out = *in
@@ -3067,6 +3040,33 @@ func (in *ImagePolicy) DeepCopyObject() runtime.Object {
 return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImagePolicyFulcioCAWithRekorRootOfTrust) DeepCopyInto(out *ImagePolicyFulcioCAWithRekorRootOfTrust) {
+ *out = *in
+ if in.FulcioCAData != nil {
+ in, out := &in.FulcioCAData, &out.FulcioCAData
+ *out = make([]byte, len(*in))
+ copy(*out, *in)
+ }
+ if in.RekorKeyData != nil {
+ in, out := &in.RekorKeyData, &out.RekorKeyData
+ *out = make([]byte, len(*in))
+ copy(*out, *in)
+ }
+ out.FulcioSubject = in.FulcioSubject
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyFulcioCAWithRekorRootOfTrust.
+func (in *ImagePolicyFulcioCAWithRekorRootOfTrust) DeepCopy() *ImagePolicyFulcioCAWithRekorRootOfTrust {
+ if in == nil {
+ return nil
+ }
+ out := new(ImagePolicyFulcioCAWithRekorRootOfTrust)
+ in.DeepCopyInto(out)
+ return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ImagePolicyList) DeepCopyInto(out *ImagePolicyList) {
 *out = *in
@@ -3100,6 +3100,59 @@ func (in *ImagePolicyList) DeepCopyObject() runtime.Object {
 return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImagePolicyPKIRootOfTrust) DeepCopyInto(out *ImagePolicyPKIRootOfTrust) {
+ *out = *in
+ if in.CertificateAuthorityRootsData != nil {
+ in, out := &in.CertificateAuthorityRootsData, &out.CertificateAuthorityRootsData
+ *out = make([]byte, len(*in))
+ copy(*out, *in)
+ }
+ if in.CertificateAuthorityIntermediatesData != nil {
+ in, out := &in.CertificateAuthorityIntermediatesData, &out.CertificateAuthorityIntermediatesData
+ *out = make([]byte, len(*in))
+ copy(*out, *in)
+ }
+ out.PKICertificateSubject = in.PKICertificateSubject
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyPKIRootOfTrust.
+func (in *ImagePolicyPKIRootOfTrust) DeepCopy() *ImagePolicyPKIRootOfTrust {
+ if in == nil {
+ return nil
+ }
+ out := new(ImagePolicyPKIRootOfTrust)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImagePolicyPublicKeyRootOfTrust) DeepCopyInto(out *ImagePolicyPublicKeyRootOfTrust) {
+ *out = *in
+ if in.KeyData != nil {
+ in, out := &in.KeyData, &out.KeyData
+ *out = make([]byte, len(*in))
+ copy(*out, *in)
+ }
+ if in.RekorKeyData != nil {
+ in, out := &in.RekorKeyData, &out.RekorKeyData
+ *out = make([]byte, len(*in))
+ copy(*out, *in)
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyPublicKeyRootOfTrust.
+func (in *ImagePolicyPublicKeyRootOfTrust) DeepCopy() *ImagePolicyPublicKeyRootOfTrust {
+ if in == nil {
+ return nil
+ }
+ out := new(ImagePolicyPublicKeyRootOfTrust)
+ in.DeepCopyInto(out)
+ return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil.
 func (in *ImagePolicySpec) DeepCopyInto(out *ImagePolicySpec) {
 *out = *in
@@ -3145,6 +3198,28 @@ func (in *ImagePolicyStatus) DeepCopy() *ImagePolicyStatus {
 return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImageSigstoreVerificationPolicy) DeepCopyInto(out *ImageSigstoreVerificationPolicy) {
+ *out = *in
+ in.RootOfTrust.DeepCopyInto(&out.RootOfTrust)
+ if in.SignedIdentity != nil {
+ in, out := &in.SignedIdentity, &out.SignedIdentity
+ *out = new(PolicyIdentity)
+ (*in).DeepCopyInto(*out)
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageSigstoreVerificationPolicy.
+func (in *ImageSigstoreVerificationPolicy) DeepCopy() *ImageSigstoreVerificationPolicy {
+ if in == nil {
+ return nil
+ }
+ out := new(ImageSigstoreVerificationPolicy)
+ in.DeepCopyInto(out)
+ return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ImageSpec) DeepCopyInto(out *ImageSpec) {
 *out = *in
@@ -4955,33 +5030,6 @@ func (in *OvirtPlatformStatus) DeepCopy() *OvirtPlatformStatus {
 return out
 }
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PKI) DeepCopyInto(out *PKI) {
- *out = *in
- if in.CertificateAuthorityRootsData != nil {
- in, out := &in.CertificateAuthorityRootsData, &out.CertificateAuthorityRootsData
- *out = make([]byte, len(*in))
- copy(*out, *in)
- }
- if in.CertificateAuthorityIntermediatesData != nil {
- in, out := &in.CertificateAuthorityIntermediatesData, &out.CertificateAuthorityIntermediatesData
- *out = make([]byte, len(*in))
- copy(*out, *in)
- }
- out.PKICertificateSubject = in.PKICertificateSubject
- return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKI.
-func (in *PKI) DeepCopy() *PKI {
- if in == nil {
- return nil
- }
- out := new(PKI)
- in.DeepCopyInto(out)
- return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PKICertificateSubject) DeepCopyInto(out *PKICertificateSubject) {
 *out = *in
@@ -5170,28 +5218,6 @@ func (in *PlatformStatus) DeepCopy() *PlatformStatus {
 return out
 }
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *Policy) DeepCopyInto(out *Policy) {
- *out = *in
- in.RootOfTrust.DeepCopyInto(&out.RootOfTrust)
- if in.SignedIdentity != nil {
- in, out := &in.SignedIdentity, &out.SignedIdentity
- *out = new(PolicyIdentity)
- (*in).DeepCopyInto(*out)
- }
- return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy.
-func (in *Policy) DeepCopy() *Policy {
- if in == nil {
- return nil
- }
- out := new(Policy)
- in.DeepCopyInto(out)
- return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PolicyFulcioSubject) DeepCopyInto(out *PolicyFulcioSubject) {
 *out = *in
@@ -5271,17 +5297,17 @@ func (in *PolicyRootOfTrust) DeepCopyInto(out *PolicyRootOfTrust) {
 *out = *in
 if in.PublicKey != nil {
 in, out := &in.PublicKey, &out.PublicKey
- *out = new(PublicKey)
+ *out = new(ImagePolicyPublicKeyRootOfTrust)
 (*in).DeepCopyInto(*out)
 }
 if in.FulcioCAWithRekor != nil {
 in, out := &in.FulcioCAWithRekor, &out.FulcioCAWithRekor
- *out = new(FulcioCAWithRekor)
+ *out = new(ImagePolicyFulcioCAWithRekorRootOfTrust)
 (*in).DeepCopyInto(*out)
 }
 if in.PKI != nil {
 in, out := &in.PKI, &out.PKI
- *out = new(PKI)
+ *out = new(ImagePolicyPKIRootOfTrust)
 (*in).DeepCopyInto(*out)
 }
 return
@@ -5597,32 +5623,6 @@ func (in *ProxyStatus) DeepCopy() *ProxyStatus {
 return out
 }
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PublicKey) DeepCopyInto(out *PublicKey) {
- *out = *in
- if in.KeyData != nil {
- in, out := &in.KeyData, &out.KeyData
- *out = make([]byte, len(*in))
- copy(*out, *in)
- }
- if in.RekorKeyData != nil {
- in, out := &in.RekorKeyData, &out.RekorKeyData
- *out = make([]byte, len(*in))
- copy(*out, *in)
- }
- return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PublicKey.
-func (in *PublicKey) DeepCopy() *PublicKey {
- if in == nil {
- return nil
- }
- out := new(PublicKey)
- in.DeepCopyInto(out)
- return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RegistryLocation) DeepCopyInto(out *RegistryLocation) {
 *out = *in
diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go
index 766ac5ddab3..5bb46b54ac9 100644
--- a/config/v1/zz_generated.swagger_doc_generated.go
+++ b/config/v1/zz_generated.swagger_doc_generated.go
@@ -1214,17 +1214,6 @@ func (ImageDigestMirrors) SwaggerDoc() map[string]string {
 return map_ImageDigestMirrors
 }
 
-var map_FulcioCAWithRekor = map[string]string{
- "": "FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.",
- "fulcioCAData": "fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters. ",
- "rekorKeyData": "rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. ",
- "fulcioSubject": "fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration.",
-}
-
-func (FulcioCAWithRekor) SwaggerDoc() map[string]string {
- return map_FulcioCAWithRekor
-}
-
 var map_ImagePolicy = map[string]string{
 "": "ImagePolicy holds namespace-wide configuration for image signature verification\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
 "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
@@ -1236,6 +1225,17 @@ func (ImagePolicy) SwaggerDoc() map[string]string {
 return map_ImagePolicy
 }
 
+var map_ImagePolicyFulcioCAWithRekorRootOfTrust = map[string]string{
+ "": "ImagePolicyFulcioCAWithRekorRootOfTrust defines the root of trust based on the Fulcio certificate and the Rekor public key.",
+ "fulcioCAData": "fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters. ",
+ "rekorKeyData": "rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. ",
+ "fulcioSubject": "fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration.",
+}
+
+func (ImagePolicyFulcioCAWithRekorRootOfTrust) SwaggerDoc() map[string]string {
+ return map_ImagePolicyFulcioCAWithRekorRootOfTrust
+}
+
 var map_ImagePolicyList = map[string]string{
 "": "ImagePolicyList is a list of ImagePolicy resources\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
 "metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
@@ -1246,6 +1246,27 @@ func (ImagePolicyList) SwaggerDoc() map[string]string {
 return map_ImagePolicyList
 }
 
+var map_ImagePolicyPKIRootOfTrust = map[string]string{
+ "": "ImagePolicyPKIRootOfTrust defines the root of trust based on Root CA(s) and corresponding intermediate certificates.",
+ "caRootsData": "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. ",
+ "caIntermediatesData": "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set. ",
+ "pkiCertificateSubject": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.",
+}
+
+func (ImagePolicyPKIRootOfTrust) SwaggerDoc() map[string]string {
+ return map_ImagePolicyPKIRootOfTrust
+}
+
+var map_ImagePolicyPublicKeyRootOfTrust = map[string]string{
+ "": "ImagePolicyPublicKeyRootOfTrust defines the root of trust based on a sigstore public key.",
+ "keyData": "keyData is a required field contains inline base64-encoded data for the PEM format public key. keyData must be at most 8192 characters. ",
+ "rekorKeyData": "rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. ",
+}
+
+func (ImagePolicyPublicKeyRootOfTrust) SwaggerDoc() map[string]string {
+ return map_ImagePolicyPublicKeyRootOfTrust
+}
+
 var map_ImagePolicySpec = map[string]string{
 "": "ImagePolicySpec is the specification of the ImagePolicy CRD.",
 "scopes": "scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". 
Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", 
@@ -1264,15 +1285,14 @@ func (ImagePolicyStatus) SwaggerDoc() map[string]string {
 return map_ImagePolicyStatus
 }
 
-var map_PKI = map[string]string{
- "": "PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.",
- "caRootsData": "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. ",
- "caIntermediatesData": "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set. ",
- "pkiCertificateSubject": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.",
+var map_ImageSigstoreVerificationPolicy = map[string]string{
+ "": "ImageSigstoreVerificationPolicy defines the verification policy for the items in the scopes list.",
+ "rootOfTrust": "rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated.",
+ "signedIdentity": "signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. 
The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".",
 }
 
-func (PKI) SwaggerDoc() map[string]string {
- return map_PKI
+func (ImageSigstoreVerificationPolicy) SwaggerDoc() map[string]string {
+ return map_ImageSigstoreVerificationPolicy
 }
 
 var map_PKICertificateSubject = map[string]string{
@@ -1285,16 +1305,6 @@ func (PKICertificateSubject) SwaggerDoc() map[string]string {
 return map_PKICertificateSubject
 }
 
-var map_Policy = map[string]string{
- "": "Policy defines the verification policy for the items in the scopes list.",
- "rootOfTrust": "rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated.",
- "signedIdentity": "signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".",
-}
-
-func (Policy) SwaggerDoc() map[string]string {
- return map_Policy
-}
-
 var map_PolicyFulcioSubject = map[string]string{
 "": "PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration.",
 "oidcIssuer": "oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. Example: \"https://expected.OIDC.issuer/\"",
@@ -1345,16 +1355,6 @@ func (PolicyRootOfTrust) SwaggerDoc() map[string]string {
 return map_PolicyRootOfTrust
 }
 
-var map_PublicKey = map[string]string{
- "": "PublicKey defines the root of trust based on a sigstore public key.",
- "keyData": "keyData is a required field contains inline base64-encoded data for the PEM format public key. keyData must be at most 8192 characters. ",
- "rekorKeyData": "rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. ",
-}
-
-func (PublicKey) SwaggerDoc() map[string]string {
- return map_PublicKey
-}
-
 var map_ImageTagMirrorSet = map[string]string{
 "": "ImageTagMirrorSet holds cluster-wide information about how to handle registry mirror rules on using tag pull specification. When multiple policies are defined, the outcome of the behavior is defined on each field.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
 "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
diff --git a/config/v1alpha1/types_cluster_image_policy.go b/config/v1alpha1/types_cluster_image_policy.go
index 107b9e29a48..e8d7603d7b6 100644
--- a/config/v1alpha1/types_cluster_image_policy.go
+++ b/config/v1alpha1/types_cluster_image_policy.go
@@ -51,7 +51,7 @@ type ClusterImagePolicySpec struct {
 // policy contains configuration to allow scopes to be verified, and defines how
 // images not matching the verification policy will be treated.
 // +required
- Policy Policy `json:"policy"`
+ Policy ImageSigstoreVerificationPolicy `json:"policy"`
 }
 
 // +k8s:deepcopy-gen=true
diff --git a/config/v1alpha1/types_image_policy.go b/config/v1alpha1/types_image_policy.go
index 64a89e4a63f..977ca3dde32 100644
--- a/config/v1alpha1/types_image_policy.go
+++ b/config/v1alpha1/types_image_policy.go
@@ -50,7 +50,7 @@ type ImagePolicySpec struct {
 // policy contains configuration to allow scopes to be verified, and defines how
 // images not matching the verification policy will be treated.
 // +required
- Policy Policy `json:"policy"`
+ Policy ImageSigstoreVerificationPolicy `json:"policy"`
 }
 
 // +kubebuilder:validation:XValidation:rule="size(self.split('/')[0].split('.')) == 1 ? self.split('/')[0].split('.')[0].split(':')[0] == 'localhost' : true",message="invalid image scope format, scope must contain a fully qualified domain name or 'localhost'"
@@ -59,8 +59,8 @@ type ImagePolicySpec struct {
 // +kubebuilder:validation:MaxLength=512
 type ImageScope string
 
-// Policy defines the verification policy for the items in the scopes list.
-type Policy struct {
+// ImageSigstoreVerificationPolicy defines the verification policy for the items in the scopes list.
+type ImageSigstoreVerificationPolicy struct {
 // rootOfTrust specifies the root of trust for the policy.
 // +required
 RootOfTrust PolicyRootOfTrust `json:"rootOfTrust"`
@@ -84,16 +84,16 @@ type PolicyRootOfTrust struct {
 PolicyType PolicyType `json:"policyType"`
 // publicKey defines the root of trust based on a sigstore public key.
 // +optional
- PublicKey *PublicKey `json:"publicKey,omitempty"`
+ PublicKey *ImagePolicyPublicKeyRootOfTrust `json:"publicKey,omitempty"`
 // fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.
 // For more information about Fulcio and Rekor, please refer to the document at:
 // https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor
 // +optional
- FulcioCAWithRekor *FulcioCAWithRekor `json:"fulcioCAWithRekor,omitempty"`
+ FulcioCAWithRekor *ImagePolicyFulcioCAWithRekorRootOfTrust `json:"fulcioCAWithRekor,omitempty"`
 // pki defines the root of trust based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates.
 // +optional
 // +openshift:enable:FeatureGate=SigstoreImageVerificationPKI
- PKI *PKI `json:"pki,omitempty"`
+ PKI *ImagePolicyPKIRootOfTrust `json:"pki,omitempty"`
 }
 
 // +openshift:validation:FeatureGateAwareEnum:featureGate="",enum=PublicKey;FulcioCAWithRekor
@@ -106,8 +106,8 @@ const (
 PKIRootOfTrust PolicyType = "PKI"
 )
 
-// PublicKey defines the root of trust based on a sigstore public key.
-type PublicKey struct {
+// ImagePolicyPublicKeyRootOfTrust defines the root of trust based on a sigstore public key.
+type ImagePolicyPublicKeyRootOfTrust struct {
 // keyData contains inline base64-encoded data for the PEM format public key.
 // KeyData must be at most 8192 characters.
 // +required
@@ -120,8 +120,8 @@ type PublicKey struct {
 RekorKeyData []byte `json:"rekorKeyData,omitempty"`
 }
 
-// FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.
-type FulcioCAWithRekor struct {
+// ImagePolicyFulcioCAWithRekorRootOfTrust defines the root of trust based on the Fulcio certificate and the Rekor public key.
+type ImagePolicyFulcioCAWithRekorRootOfTrust struct {
 // fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA.
 // fulcioCAData must be at most 8192 characters.
 // +required
@@ -151,8 +151,8 @@ type PolicyFulcioSubject struct {
 SignedEmail string `json:"signedEmail"`
 }
 
-// PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.
-type PKI struct {
+// ImagePolicyPKIRootOfTrust defines the root of trust based on Root CA(s) and corresponding intermediate certificates.
+type ImagePolicyPKIRootOfTrust struct {
 // caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters.
 // +required
 // +kubebuilder:validation:MaxLength=8192
diff --git a/config/v1alpha1/zz_generated.deepcopy.go b/config/v1alpha1/zz_generated.deepcopy.go
index 6549f6cbe43..9ead6aba26b 100644
--- a/config/v1alpha1/zz_generated.deepcopy.go
+++ b/config/v1alpha1/zz_generated.deepcopy.go
@@ -429,33 +429,6 @@ func (in *EtcdBackupSpec) DeepCopy() *EtcdBackupSpec {
 return out
 }
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FulcioCAWithRekor) DeepCopyInto(out *FulcioCAWithRekor) {
- *out = *in
- if in.FulcioCAData != nil {
- in, out := &in.FulcioCAData, &out.FulcioCAData
- *out = make([]byte, len(*in))
- copy(*out, *in)
- }
- if in.RekorKeyData != nil {
- in, out := &in.RekorKeyData, &out.RekorKeyData
- *out = make([]byte, len(*in))
- copy(*out, *in)
- }
- out.FulcioSubject = in.FulcioSubject
- return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FulcioCAWithRekor.
-func (in *FulcioCAWithRekor) DeepCopy() *FulcioCAWithRekor {
- if in == nil {
- return nil
- }
- out := new(FulcioCAWithRekor)
- in.DeepCopyInto(out)
- return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GatherConfig) DeepCopyInto(out *GatherConfig) {
 *out = *in
@@ -510,6 +483,33 @@ func (in *ImagePolicy) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImagePolicyFulcioCAWithRekorRootOfTrust) DeepCopyInto(out *ImagePolicyFulcioCAWithRekorRootOfTrust) { + *out = *in + if in.FulcioCAData != nil { + in, out := &in.FulcioCAData, &out.FulcioCAData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + if in.RekorKeyData != nil { + in, out := &in.RekorKeyData, &out.RekorKeyData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + out.FulcioSubject = in.FulcioSubject + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyFulcioCAWithRekorRootOfTrust. +func (in *ImagePolicyFulcioCAWithRekorRootOfTrust) DeepCopy() *ImagePolicyFulcioCAWithRekorRootOfTrust { + if in == nil { + return nil + } + out := new(ImagePolicyFulcioCAWithRekorRootOfTrust) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ImagePolicyList) DeepCopyInto(out *ImagePolicyList) { *out = *in 
@@ -543,6 +543,59 @@ func (in *ImagePolicyList) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImagePolicyPKIRootOfTrust) DeepCopyInto(out *ImagePolicyPKIRootOfTrust) { + *out = *in + if in.CertificateAuthorityRootsData != nil { + in, out := &in.CertificateAuthorityRootsData, &out.CertificateAuthorityRootsData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + if in.CertificateAuthorityIntermediatesData != nil { + in, out := &in.CertificateAuthorityIntermediatesData, &out.CertificateAuthorityIntermediatesData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + out.PKICertificateSubject = in.PKICertificateSubject + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyPKIRootOfTrust. +func (in *ImagePolicyPKIRootOfTrust) DeepCopy() *ImagePolicyPKIRootOfTrust { + if in == nil { + return nil + } + out := new(ImagePolicyPKIRootOfTrust) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImagePolicyPublicKeyRootOfTrust) DeepCopyInto(out *ImagePolicyPublicKeyRootOfTrust) { + *out = *in + if in.KeyData != nil { + in, out := &in.KeyData, &out.KeyData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + if in.RekorKeyData != nil { + in, out := &in.RekorKeyData, &out.RekorKeyData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyPublicKeyRootOfTrust. +func (in *ImagePolicyPublicKeyRootOfTrust) DeepCopy() *ImagePolicyPublicKeyRootOfTrust { + if in == nil { + return nil + } + out := new(ImagePolicyPublicKeyRootOfTrust) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil. func (in *ImagePolicySpec) DeepCopyInto(out *ImagePolicySpec) { *out = *in @@ -588,6 +641,24 @@ func (in *ImagePolicyStatus) DeepCopy() *ImagePolicyStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImageSigstoreVerificationPolicy) DeepCopyInto(out *ImageSigstoreVerificationPolicy) { + *out = *in + in.RootOfTrust.DeepCopyInto(&out.RootOfTrust) + in.SignedIdentity.DeepCopyInto(&out.SignedIdentity) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageSigstoreVerificationPolicy. +func (in *ImageSigstoreVerificationPolicy) DeepCopy() *ImageSigstoreVerificationPolicy { + if in == nil { + return nil + } + out := new(ImageSigstoreVerificationPolicy) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *InsightsDataGather) DeepCopyInto(out *InsightsDataGather) { *out = *in 
@@ -727,33 +798,6 @@ func (in *MetricsServerConfig) DeepCopy() *MetricsServerConfig { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *PKI) DeepCopyInto(out *PKI) { - *out = *in - if in.CertificateAuthorityRootsData != nil { - in, out := &in.CertificateAuthorityRootsData, &out.CertificateAuthorityRootsData - *out = make([]byte, len(*in)) - copy(*out, *in) - } - if in.CertificateAuthorityIntermediatesData != nil { - in, out := &in.CertificateAuthorityIntermediatesData, &out.CertificateAuthorityIntermediatesData - *out = make([]byte, len(*in)) - copy(*out, *in) - } - out.PKICertificateSubject = in.PKICertificateSubject - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKI. -func (in *PKI) DeepCopy() *PKI { - if in == nil { - return nil - } - out := new(PKI) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PKICertificateSubject) DeepCopyInto(out *PKICertificateSubject) { *out = *in @@ -803,24 +847,6 @@ func (in *PersistentVolumeConfig) DeepCopy() *PersistentVolumeConfig { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *Policy) DeepCopyInto(out *Policy) { - *out = *in - in.RootOfTrust.DeepCopyInto(&out.RootOfTrust) - in.SignedIdentity.DeepCopyInto(&out.SignedIdentity) - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy. -func (in *Policy) DeepCopy() *Policy { - if in == nil { - return nil - } - out := new(Policy) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PolicyFulcioSubject) DeepCopyInto(out *PolicyFulcioSubject) { *out = *in 
@@ -900,17 +926,17 @@ func (in *PolicyRootOfTrust) DeepCopyInto(out *PolicyRootOfTrust) { *out = *in if in.PublicKey != nil { in, out := &in.PublicKey, &out.PublicKey - *out = new(PublicKey) + *out = new(ImagePolicyPublicKeyRootOfTrust) (*in).DeepCopyInto(*out) } if in.FulcioCAWithRekor != nil { in, out := &in.FulcioCAWithRekor, &out.FulcioCAWithRekor - *out = new(FulcioCAWithRekor) + *out = new(ImagePolicyFulcioCAWithRekorRootOfTrust) (*in).DeepCopyInto(*out) } if in.PKI != nil { in, out := &in.PKI, &out.PKI - *out = new(PKI) + *out = new(ImagePolicyPKIRootOfTrust) (*in).DeepCopyInto(*out) } return @@ -926,32 +952,6 @@ func (in *PolicyRootOfTrust) DeepCopy() *PolicyRootOfTrust { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *PublicKey) DeepCopyInto(out *PublicKey) { - *out = *in - if in.KeyData != nil { - in, out := &in.KeyData, &out.KeyData - *out = make([]byte, len(*in)) - copy(*out, *in) - } - if in.RekorKeyData != nil { - in, out := &in.RekorKeyData, &out.RekorKeyData - *out = make([]byte, len(*in)) - copy(*out, *in) - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PublicKey. -func (in *PublicKey) DeepCopy() *PublicKey { - if in == nil { - return nil - } - out := new(PublicKey) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RetentionNumberConfig) DeepCopyInto(out *RetentionNumberConfig) { *out = *in diff --git a/config/v1alpha1/zz_generated.swagger_doc_generated.go b/config/v1alpha1/zz_generated.swagger_doc_generated.go index 6ba6ad11f44..59a5b370856 100644 --- a/config/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/config/v1alpha1/zz_generated.swagger_doc_generated.go 
@@ -226,17 +226,6 @@ func (UserDefinedMonitoring) SwaggerDoc() map[string]string { return map_UserDefinedMonitoring } -var map_FulcioCAWithRekor = map[string]string{ - "": "FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.", - "fulcioCAData": "fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.", - "rekorKeyData": "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", - "fulcioSubject": "fulcioSubject specifies OIDC issuer and the email of the Fulcio authentication configuration.", -} - -func (FulcioCAWithRekor) SwaggerDoc() map[string]string { - return map_FulcioCAWithRekor -} - var map_ImagePolicy = map[string]string{ "": "ImagePolicy holds namespace-wide configuration for image signature verification\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", 
@@ -248,6 +237,17 @@ func (ImagePolicy) SwaggerDoc() map[string]string { return map_ImagePolicy } +var map_ImagePolicyFulcioCAWithRekorRootOfTrust = map[string]string{ + "": "ImagePolicyFulcioCAWithRekorRootOfTrust defines the root of trust based on the Fulcio certificate and the Rekor public key.", + "fulcioCAData": "fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.", + "rekorKeyData": "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", + "fulcioSubject": "fulcioSubject specifies OIDC issuer and the email of the Fulcio authentication configuration.", +} + +func (ImagePolicyFulcioCAWithRekorRootOfTrust) SwaggerDoc() map[string]string { + return map_ImagePolicyFulcioCAWithRekorRootOfTrust +} + var map_ImagePolicyList = map[string]string{ "": "ImagePolicyList is a list of ImagePolicy resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", "metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", 
@@ -257,6 +257,27 @@ func (ImagePolicyList) SwaggerDoc() map[string]string { return map_ImagePolicyList } +var map_ImagePolicyPKIRootOfTrust = map[string]string{ + "": "ImagePolicyPKIRootOfTrust defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", + "caRootsData": "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. ", + "caIntermediatesData": "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set. ", + "pkiCertificateSubject": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", +} + +func (ImagePolicyPKIRootOfTrust) SwaggerDoc() map[string]string { + return map_ImagePolicyPKIRootOfTrust +} + +var map_ImagePolicyPublicKeyRootOfTrust = map[string]string{ + "": "ImagePolicyPublicKeyRootOfTrust defines the root of trust based on a sigstore public key.", + "keyData": "keyData contains inline base64-encoded data for the PEM format public key. KeyData must be at most 8192 characters.", + "rekorKeyData": "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", +} + +func (ImagePolicyPublicKeyRootOfTrust) SwaggerDoc() map[string]string { + return map_ImagePolicyPublicKeyRootOfTrust +} + var map_ImagePolicySpec = map[string]string{ "": "ImagePolicySpec is the specification of the ImagePolicy CRD.", "scopes": "scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". 
Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", 
@@ -275,15 +296,14 @@ func (ImagePolicyStatus) SwaggerDoc() map[string]string { return map_ImagePolicyStatus } -var map_PKI = map[string]string{ - "": "PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", - "caRootsData": "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. ", - "caIntermediatesData": "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set. ", - "pkiCertificateSubject": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", +var map_ImageSigstoreVerificationPolicy = map[string]string{ + "": "ImageSigstoreVerificationPolicy defines the verification policy for the items in the scopes list.", + "rootOfTrust": "rootOfTrust specifies the root of trust for the policy.", + "signedIdentity": "signedIdentity specifies what image identity the signature claims about the image. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", } -func (PKI) SwaggerDoc() map[string]string { - return map_PKI +func (ImageSigstoreVerificationPolicy) SwaggerDoc() map[string]string { + return map_ImageSigstoreVerificationPolicy } var map_PKICertificateSubject = map[string]string{ 
@@ -296,16 +316,6 @@ func (PKICertificateSubject) SwaggerDoc() map[string]string { return map_PKICertificateSubject } -var map_Policy = map[string]string{ - "": "Policy defines the verification policy for the items in the scopes list.", - "rootOfTrust": "rootOfTrust specifies the root of trust for the policy.", - "signedIdentity": "signedIdentity specifies what image identity the signature claims about the image. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", -} - -func (Policy) SwaggerDoc() map[string]string { - return map_Policy -} - var map_PolicyFulcioSubject = map[string]string{ "": "PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration.", "oidcIssuer": "oidcIssuer contains the expected OIDC issuer. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. Example: \"https://expected.OIDC.issuer/\"", 
@@ -356,16 +366,6 @@ func (PolicyRootOfTrust) SwaggerDoc() map[string]string { return map_PolicyRootOfTrust } -var map_PublicKey = map[string]string{ - "": "PublicKey defines the root of trust based on a sigstore public key.", - "keyData": "keyData contains inline base64-encoded data for the PEM format public key. KeyData must be at most 8192 characters.", - "rekorKeyData": "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", -} - -func (PublicKey) SwaggerDoc() map[string]string { - return map_PublicKey -} - var map_GatherConfig = map[string]string{ "": "gatherConfig provides data gathering configuration options.", "dataPolicy": "dataPolicy allows user to enable additional global obfuscation of the IP addresses and base domain in the Insights archive data. Valid values are \"None\" and \"ObfuscateNetworking\". When set to None the data is not obfuscated. When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.", diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index f4ffe06c80f..e3443b5b33a 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go 
@@ -241,7 +241,6 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.FeatureGateSpec": schema_openshift_api_config_v1_FeatureGateSpec(ref), "github.com/openshift/api/config/v1.FeatureGateStatus": schema_openshift_api_config_v1_FeatureGateStatus(ref), "github.com/openshift/api/config/v1.FeatureGateTests": schema_openshift_api_config_v1_FeatureGateTests(ref), - "github.com/openshift/api/config/v1.FulcioCAWithRekor": schema_openshift_api_config_v1_FulcioCAWithRekor(ref), "github.com/openshift/api/config/v1.GCPPlatformSpec": schema_openshift_api_config_v1_GCPPlatformSpec(ref), "github.com/openshift/api/config/v1.GCPPlatformStatus": schema_openshift_api_config_v1_GCPPlatformStatus(ref), "github.com/openshift/api/config/v1.GCPResourceLabel": schema_openshift_api_config_v1_GCPResourceLabel(ref), 
@@ -272,9 +271,13 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.ImageLabel": schema_openshift_api_config_v1_ImageLabel(ref), "github.com/openshift/api/config/v1.ImageList": schema_openshift_api_config_v1_ImageList(ref), "github.com/openshift/api/config/v1.ImagePolicy": schema_openshift_api_config_v1_ImagePolicy(ref), + "github.com/openshift/api/config/v1.ImagePolicyFulcioCAWithRekorRootOfTrust": schema_openshift_api_config_v1_ImagePolicyFulcioCAWithRekorRootOfTrust(ref), "github.com/openshift/api/config/v1.ImagePolicyList": schema_openshift_api_config_v1_ImagePolicyList(ref), + "github.com/openshift/api/config/v1.ImagePolicyPKIRootOfTrust": schema_openshift_api_config_v1_ImagePolicyPKIRootOfTrust(ref), + "github.com/openshift/api/config/v1.ImagePolicyPublicKeyRootOfTrust": schema_openshift_api_config_v1_ImagePolicyPublicKeyRootOfTrust(ref), "github.com/openshift/api/config/v1.ImagePolicySpec": schema_openshift_api_config_v1_ImagePolicySpec(ref), "github.com/openshift/api/config/v1.ImagePolicyStatus": schema_openshift_api_config_v1_ImagePolicyStatus(ref), + "github.com/openshift/api/config/v1.ImageSigstoreVerificationPolicy": schema_openshift_api_config_v1_ImageSigstoreVerificationPolicy(ref), "github.com/openshift/api/config/v1.ImageSpec": schema_openshift_api_config_v1_ImageSpec(ref), "github.com/openshift/api/config/v1.ImageStatus": schema_openshift_api_config_v1_ImageStatus(ref), "github.com/openshift/api/config/v1.ImageTagMirrorSet": schema_openshift_api_config_v1_ImageTagMirrorSet(ref), 
@@ -350,11 +353,9 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.OvirtPlatformLoadBalancer": schema_openshift_api_config_v1_OvirtPlatformLoadBalancer(ref), "github.com/openshift/api/config/v1.OvirtPlatformSpec": schema_openshift_api_config_v1_OvirtPlatformSpec(ref), "github.com/openshift/api/config/v1.OvirtPlatformStatus": schema_openshift_api_config_v1_OvirtPlatformStatus(ref), - "github.com/openshift/api/config/v1.PKI": schema_openshift_api_config_v1_PKI(ref), "github.com/openshift/api/config/v1.PKICertificateSubject": schema_openshift_api_config_v1_PKICertificateSubject(ref), "github.com/openshift/api/config/v1.PlatformSpec": schema_openshift_api_config_v1_PlatformSpec(ref), "github.com/openshift/api/config/v1.PlatformStatus": schema_openshift_api_config_v1_PlatformStatus(ref), - "github.com/openshift/api/config/v1.Policy": schema_openshift_api_config_v1_Policy(ref), "github.com/openshift/api/config/v1.PolicyFulcioSubject": schema_openshift_api_config_v1_PolicyFulcioSubject(ref), "github.com/openshift/api/config/v1.PolicyIdentity": schema_openshift_api_config_v1_PolicyIdentity(ref), "github.com/openshift/api/config/v1.PolicyMatchExactRepository": schema_openshift_api_config_v1_PolicyMatchExactRepository(ref), 
@@ -374,7 +375,6 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.ProxyList": schema_openshift_api_config_v1_ProxyList(ref), "github.com/openshift/api/config/v1.ProxySpec": schema_openshift_api_config_v1_ProxySpec(ref), "github.com/openshift/api/config/v1.ProxyStatus": schema_openshift_api_config_v1_ProxyStatus(ref), - "github.com/openshift/api/config/v1.PublicKey": schema_openshift_api_config_v1_PublicKey(ref), "github.com/openshift/api/config/v1.RegistryLocation": schema_openshift_api_config_v1_RegistryLocation(ref), "github.com/openshift/api/config/v1.RegistrySources": schema_openshift_api_config_v1_RegistrySources(ref), "github.com/openshift/api/config/v1.Release": schema_openshift_api_config_v1_Release(ref), 
@@ -438,28 +438,28 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1alpha1.ClusterMonitoringStatus": schema_openshift_api_config_v1alpha1_ClusterMonitoringStatus(ref), "github.com/openshift/api/config/v1alpha1.ContainerResource": schema_openshift_api_config_v1alpha1_ContainerResource(ref), "github.com/openshift/api/config/v1alpha1.EtcdBackupSpec": schema_openshift_api_config_v1alpha1_EtcdBackupSpec(ref), - "github.com/openshift/api/config/v1alpha1.FulcioCAWithRekor": schema_openshift_api_config_v1alpha1_FulcioCAWithRekor(ref), "github.com/openshift/api/config/v1alpha1.GatherConfig": schema_openshift_api_config_v1alpha1_GatherConfig(ref), "github.com/openshift/api/config/v1alpha1.ImagePolicy": schema_openshift_api_config_v1alpha1_ImagePolicy(ref), + "github.com/openshift/api/config/v1alpha1.ImagePolicyFulcioCAWithRekorRootOfTrust": schema_openshift_api_config_v1alpha1_ImagePolicyFulcioCAWithRekorRootOfTrust(ref), "github.com/openshift/api/config/v1alpha1.ImagePolicyList": schema_openshift_api_config_v1alpha1_ImagePolicyList(ref), + "github.com/openshift/api/config/v1alpha1.ImagePolicyPKIRootOfTrust": schema_openshift_api_config_v1alpha1_ImagePolicyPKIRootOfTrust(ref), + "github.com/openshift/api/config/v1alpha1.ImagePolicyPublicKeyRootOfTrust": schema_openshift_api_config_v1alpha1_ImagePolicyPublicKeyRootOfTrust(ref), "github.com/openshift/api/config/v1alpha1.ImagePolicySpec": schema_openshift_api_config_v1alpha1_ImagePolicySpec(ref), "github.com/openshift/api/config/v1alpha1.ImagePolicyStatus": schema_openshift_api_config_v1alpha1_ImagePolicyStatus(ref), + "github.com/openshift/api/config/v1alpha1.ImageSigstoreVerificationPolicy": schema_openshift_api_config_v1alpha1_ImageSigstoreVerificationPolicy(ref), "github.com/openshift/api/config/v1alpha1.InsightsDataGather": schema_openshift_api_config_v1alpha1_InsightsDataGather(ref), "github.com/openshift/api/config/v1alpha1.InsightsDataGatherList": 
schema_openshift_api_config_v1alpha1_InsightsDataGatherList(ref), "github.com/openshift/api/config/v1alpha1.InsightsDataGatherSpec": schema_openshift_api_config_v1alpha1_InsightsDataGatherSpec(ref), "github.com/openshift/api/config/v1alpha1.InsightsDataGatherStatus": schema_openshift_api_config_v1alpha1_InsightsDataGatherStatus(ref), "github.com/openshift/api/config/v1alpha1.MetricsServerConfig": schema_openshift_api_config_v1alpha1_MetricsServerConfig(ref), - "github.com/openshift/api/config/v1alpha1.PKI": schema_openshift_api_config_v1alpha1_PKI(ref), "github.com/openshift/api/config/v1alpha1.PKICertificateSubject": schema_openshift_api_config_v1alpha1_PKICertificateSubject(ref), "github.com/openshift/api/config/v1alpha1.PersistentVolumeClaimReference": schema_openshift_api_config_v1alpha1_PersistentVolumeClaimReference(ref), "github.com/openshift/api/config/v1alpha1.PersistentVolumeConfig": schema_openshift_api_config_v1alpha1_PersistentVolumeConfig(ref), - "github.com/openshift/api/config/v1alpha1.Policy": schema_openshift_api_config_v1alpha1_Policy(ref), "github.com/openshift/api/config/v1alpha1.PolicyFulcioSubject": schema_openshift_api_config_v1alpha1_PolicyFulcioSubject(ref), "github.com/openshift/api/config/v1alpha1.PolicyIdentity": schema_openshift_api_config_v1alpha1_PolicyIdentity(ref), "github.com/openshift/api/config/v1alpha1.PolicyMatchExactRepository": schema_openshift_api_config_v1alpha1_PolicyMatchExactRepository(ref), "github.com/openshift/api/config/v1alpha1.PolicyMatchRemapIdentity": schema_openshift_api_config_v1alpha1_PolicyMatchRemapIdentity(ref), "github.com/openshift/api/config/v1alpha1.PolicyRootOfTrust": schema_openshift_api_config_v1alpha1_PolicyRootOfTrust(ref), - "github.com/openshift/api/config/v1alpha1.PublicKey": schema_openshift_api_config_v1alpha1_PublicKey(ref), "github.com/openshift/api/config/v1alpha1.RetentionNumberConfig": schema_openshift_api_config_v1alpha1_RetentionNumberConfig(ref), 
"github.com/openshift/api/config/v1alpha1.RetentionPolicy": schema_openshift_api_config_v1alpha1_RetentionPolicy(ref), "github.com/openshift/api/config/v1alpha1.RetentionSizeConfig": schema_openshift_api_config_v1alpha1_RetentionSizeConfig(ref), @@ -10435,7 +10435,7 @@ func schema_openshift_api_config_v1_ClusterImagePolicySpec(ref common.ReferenceC SchemaProps: spec.SchemaProps{ Description: "policy is a required field that contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.Policy"), + Ref: ref("github.com/openshift/api/config/v1.ImageSigstoreVerificationPolicy"), }, }, }, @@ -10443,7 +10443,7 @@ func schema_openshift_api_config_v1_ClusterImagePolicySpec(ref common.ReferenceC }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1.Policy"}, + "github.com/openshift/api/config/v1.ImageSigstoreVerificationPolicy"}, } } 
@@ -12757,43 +12757,6 @@ func schema_openshift_api_config_v1_FeatureGateTests(ref common.ReferenceCallbac } } -func schema_openshift_api_config_v1_FulcioCAWithRekor(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "fulcioCAData": { - SchemaProps: spec.SchemaProps{ - Description: "fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.", - Type: []string{"string"}, - Format: "byte", - }, - }, - "rekorKeyData": { - SchemaProps: spec.SchemaProps{ - Description: "rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", - Type: []string{"string"}, - Format: "byte", - }, - }, - "fulcioSubject": { - SchemaProps: spec.SchemaProps{ - Description: "fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.PolicyFulcioSubject"), - }, - }, - }, - Required: []string{"fulcioCAData", "rekorKeyData", "fulcioSubject"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1.PolicyFulcioSubject"}, - } -} - func schema_openshift_api_config_v1_GCPPlatformSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -14228,6 +14191,43 @@ func schema_openshift_api_config_v1_ImagePolicy(ref common.ReferenceCallback) co } } +func schema_openshift_api_config_v1_ImagePolicyFulcioCAWithRekorRootOfTrust(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ImagePolicyFulcioCAWithRekorRootOfTrust defines the root of trust based on the Fulcio certificate and the Rekor public key.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "fulcioCAData": { + SchemaProps: spec.SchemaProps{ + Description: "fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.", + Type: []string{"string"}, + Format: "byte", + }, + }, + "rekorKeyData": { + SchemaProps: spec.SchemaProps{ + Description: "rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", + Type: []string{"string"}, + Format: "byte", + }, + }, + "fulcioSubject": { + SchemaProps: spec.SchemaProps{ + Description: "fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.PolicyFulcioSubject"), + }, + }, + }, + Required: []string{"fulcioCAData", "rekorKeyData", "fulcioSubject"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.PolicyFulcioSubject"}, + } +} + func schema_openshift_api_config_v1_ImagePolicyList(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -14279,6 +14279,71 @@ func schema_openshift_api_config_v1_ImagePolicyList(ref common.ReferenceCallback } } +func schema_openshift_api_config_v1_ImagePolicyPKIRootOfTrust(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ImagePolicyPKIRootOfTrust defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "caRootsData": { + SchemaProps: spec.SchemaProps{ + Description: "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters.", + Type: []string{"string"}, + Format: "byte", + }, + }, + "caIntermediatesData": { + SchemaProps: spec.SchemaProps{ + Description: "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. 
caIntermediatesData requires caRootsData to be set.", + Type: []string{"string"}, + Format: "byte", + }, + }, + "pkiCertificateSubject": { + SchemaProps: spec.SchemaProps{ + Description: "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.PKICertificateSubject"), + }, + }, + }, + Required: []string{"caRootsData", "pkiCertificateSubject"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.PKICertificateSubject"}, + } +} + +func schema_openshift_api_config_v1_ImagePolicyPublicKeyRootOfTrust(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ImagePolicyPublicKeyRootOfTrust defines the root of trust based on a sigstore public key.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "keyData": { + SchemaProps: spec.SchemaProps{ + Description: "keyData is a required field contains inline base64-encoded data for the PEM format public key. keyData must be at most 8192 characters.", + Type: []string{"string"}, + Format: "byte", + }, + }, + "rekorKeyData": { + SchemaProps: spec.SchemaProps{ + Description: "rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", + Type: []string{"string"}, + Format: "byte", + }, + }, + }, + Required: []string{"keyData"}, + }, + }, + } +} + func schema_openshift_api_config_v1_ImagePolicySpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -14310,7 +14375,7 @@ func schema_openshift_api_config_v1_ImagePolicySpec(ref common.ReferenceCallback SchemaProps: spec.SchemaProps{ Description: "policy is a required field that contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.Policy"), + Ref: ref("github.com/openshift/api/config/v1.ImageSigstoreVerificationPolicy"), }, }, }, @@ -14318,7 +14383,7 @@ func schema_openshift_api_config_v1_ImagePolicySpec(ref common.ReferenceCallback }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1.Policy"}, + "github.com/openshift/api/config/v1.ImageSigstoreVerificationPolicy"}, } } 
@@ -14358,6 +14423,35 @@ func schema_openshift_api_config_v1_ImagePolicyStatus(ref common.ReferenceCallba } } +func schema_openshift_api_config_v1_ImageSigstoreVerificationPolicy(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ImageSigstoreVerificationPolicy defines the verification policy for the items in the scopes list.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "rootOfTrust": { + SchemaProps: spec.SchemaProps{ + Description: "rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.PolicyRootOfTrust"), + }, + }, + "signedIdentity": { + SchemaProps: spec.SchemaProps{ + Description: "signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. 
The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", + Ref: ref("github.com/openshift/api/config/v1.PolicyIdentity"), + }, + }, + }, + Required: []string{"rootOfTrust"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.PolicyIdentity", "github.com/openshift/api/config/v1.PolicyRootOfTrust"}, + } +} + func schema_openshift_api_config_v1_ImageSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -17937,43 +18031,6 @@ func schema_openshift_api_config_v1_OvirtPlatformStatus(ref common.ReferenceCall } } -func schema_openshift_api_config_v1_PKI(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "caRootsData": { - SchemaProps: spec.SchemaProps{ - Description: "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters.", - Type: []string{"string"}, - Format: "byte", - }, - }, - "caIntermediatesData": { - SchemaProps: spec.SchemaProps{ - Description: "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set.", - Type: []string{"string"}, - Format: "byte", - }, - }, - "pkiCertificateSubject": { - SchemaProps: spec.SchemaProps{ - Description: "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.PKICertificateSubject"), - }, - }, - }, - Required: []string{"caRootsData", "pkiCertificateSubject"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1.PKICertificateSubject"}, - } -} - func schema_openshift_api_config_v1_PKICertificateSubject(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -18217,35 +18274,6 @@ func schema_openshift_api_config_v1_PlatformStatus(ref common.ReferenceCallback) } } -func schema_openshift_api_config_v1_Policy(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "Policy defines the verification policy for the items in the scopes list.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "rootOfTrust": { - SchemaProps: spec.SchemaProps{ - Description: "rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1.PolicyRootOfTrust"), - }, - }, - "signedIdentity": { - SchemaProps: spec.SchemaProps{ - Description: "signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", - Ref: ref("github.com/openshift/api/config/v1.PolicyIdentity"), - }, - }, - }, - Required: []string{"rootOfTrust"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1.PolicyIdentity", "github.com/openshift/api/config/v1.PolicyRootOfTrust"}, - } -} - func schema_openshift_api_config_v1_PolicyFulcioSubject(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -18393,19 +18421,19 @@ func schema_openshift_api_config_v1_PolicyRootOfTrust(ref common.ReferenceCallba "publicKey": { SchemaProps: spec.SchemaProps{ Description: "publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. publicKey is required when policyType is PublicKey, and forbidden otherwise.", - Ref: ref("github.com/openshift/api/config/v1.PublicKey"), + Ref: ref("github.com/openshift/api/config/v1.ImagePolicyPublicKeyRootOfTrust"), }, }, "fulcioCAWithRekor": { SchemaProps: spec.SchemaProps{ Description: "fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor", - Ref: ref("github.com/openshift/api/config/v1.FulcioCAWithRekor"), + Ref: ref("github.com/openshift/api/config/v1.ImagePolicyFulcioCAWithRekorRootOfTrust"), }, }, "pki": { SchemaProps: spec.SchemaProps{ Description: "pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. pki is required when policyType is PKI, and forbidden otherwise.", - Ref: ref("github.com/openshift/api/config/v1.PKI"), + Ref: ref("github.com/openshift/api/config/v1.ImagePolicyPKIRootOfTrust"), }, }, }, 
@@ -18427,7 +18455,7 @@ func schema_openshift_api_config_v1_PolicyRootOfTrust(ref common.ReferenceCallba }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1.FulcioCAWithRekor", "github.com/openshift/api/config/v1.PKI", "github.com/openshift/api/config/v1.PublicKey"}, + "github.com/openshift/api/config/v1.ImagePolicyFulcioCAWithRekorRootOfTrust", "github.com/openshift/api/config/v1.ImagePolicyPKIRootOfTrust", "github.com/openshift/api/config/v1.ImagePolicyPublicKeyRootOfTrust"}, } } @@ -18981,34 +19009,6 @@ func schema_openshift_api_config_v1_ProxyStatus(ref common.ReferenceCallback) co } } -func schema_openshift_api_config_v1_PublicKey(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "PublicKey defines the root of trust based on a sigstore public key.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "keyData": { - SchemaProps: spec.SchemaProps{ - Description: "keyData is a required field contains inline base64-encoded data for the PEM format public key. keyData must be at most 8192 characters.", - Type: []string{"string"}, - Format: "byte", - }, - }, - "rekorKeyData": { - SchemaProps: spec.SchemaProps{ - Description: "rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", - Type: []string{"string"}, - Format: "byte", - }, - }, - }, - Required: []string{"keyData"}, - }, - }, - } -} - func schema_openshift_api_config_v1_RegistryLocation(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -21660,7 +21660,7 @@ func schema_openshift_api_config_v1alpha1_ClusterImagePolicySpec(ref common.Refe SchemaProps: spec.SchemaProps{ Description: "policy contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1alpha1.Policy"), + Ref: ref("github.com/openshift/api/config/v1alpha1.ImageSigstoreVerificationPolicy"), }, }, }, @@ -21668,7 +21668,7 @@ func schema_openshift_api_config_v1alpha1_ClusterImagePolicySpec(ref common.Refe }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1alpha1.Policy"}, + "github.com/openshift/api/config/v1alpha1.ImageSigstoreVerificationPolicy"}, } } 
@@ -21937,43 +21937,6 @@ func schema_openshift_api_config_v1alpha1_EtcdBackupSpec(ref common.ReferenceCal } } -func schema_openshift_api_config_v1alpha1_FulcioCAWithRekor(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "fulcioCAData": { - SchemaProps: spec.SchemaProps{ - Description: "fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.", - Type: []string{"string"}, - Format: "byte", - }, - }, - "rekorKeyData": { - SchemaProps: spec.SchemaProps{ - Description: "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", - Type: []string{"string"}, - Format: "byte", - }, - }, - "fulcioSubject": { - SchemaProps: spec.SchemaProps{ - Description: "fulcioSubject specifies OIDC issuer and the email of the Fulcio authentication configuration.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1alpha1.PolicyFulcioSubject"), - }, - }, - }, - Required: []string{"fulcioCAData", "rekorKeyData", "fulcioSubject"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1alpha1.PolicyFulcioSubject"}, - } -} - func schema_openshift_api_config_v1alpha1_GatherConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -22068,6 +22031,43 @@ func schema_openshift_api_config_v1alpha1_ImagePolicy(ref common.ReferenceCallba } } +func schema_openshift_api_config_v1alpha1_ImagePolicyFulcioCAWithRekorRootOfTrust(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ImagePolicyFulcioCAWithRekorRootOfTrust defines the root of trust based on the Fulcio certificate and the Rekor public key.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "fulcioCAData": { + SchemaProps: spec.SchemaProps{ + Description: "fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.", + Type: []string{"string"}, + Format: "byte", + }, + }, + "rekorKeyData": { + SchemaProps: spec.SchemaProps{ + Description: "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", + Type: []string{"string"}, + Format: "byte", + }, + }, + "fulcioSubject": { + SchemaProps: spec.SchemaProps{ + Description: "fulcioSubject specifies OIDC issuer and the email of the Fulcio authentication configuration.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.PolicyFulcioSubject"), + }, + }, + }, + Required: []string{"fulcioCAData", "rekorKeyData", "fulcioSubject"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.PolicyFulcioSubject"}, + } +} + func schema_openshift_api_config_v1alpha1_ImagePolicyList(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -22118,6 +22118,71 @@ func schema_openshift_api_config_v1alpha1_ImagePolicyList(ref common.ReferenceCa } } +func schema_openshift_api_config_v1alpha1_ImagePolicyPKIRootOfTrust(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ImagePolicyPKIRootOfTrust defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "caRootsData": { + SchemaProps: spec.SchemaProps{ + Description: "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters.", + Type: []string{"string"}, + Format: "byte", + }, + }, + "caIntermediatesData": { + SchemaProps: spec.SchemaProps{ + Description: "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. 
caIntermediatesData requires caRootsData to be set.", + Type: []string{"string"}, + Format: "byte", + }, + }, + "pkiCertificateSubject": { + SchemaProps: spec.SchemaProps{ + Description: "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.PKICertificateSubject"), + }, + }, + }, + Required: []string{"caRootsData", "pkiCertificateSubject"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.PKICertificateSubject"}, + } +} + +func schema_openshift_api_config_v1alpha1_ImagePolicyPublicKeyRootOfTrust(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ImagePolicyPublicKeyRootOfTrust defines the root of trust based on a sigstore public key.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "keyData": { + SchemaProps: spec.SchemaProps{ + Description: "keyData contains inline base64-encoded data for the PEM format public key. KeyData must be at most 8192 characters.", + Type: []string{"string"}, + Format: "byte", + }, + }, + "rekorKeyData": { + SchemaProps: spec.SchemaProps{ + Description: "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", + Type: []string{"string"}, + Format: "byte", + }, + }, + }, + Required: []string{"keyData"}, + }, + }, + } +} + func schema_openshift_api_config_v1alpha1_ImagePolicySpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -22149,7 +22214,7 @@ func schema_openshift_api_config_v1alpha1_ImagePolicySpec(ref common.ReferenceCa SchemaProps: spec.SchemaProps{ Description: "policy contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1alpha1.Policy"), + Ref: ref("github.com/openshift/api/config/v1alpha1.ImageSigstoreVerificationPolicy"), }, }, }, @@ -22157,7 +22222,7 @@ func schema_openshift_api_config_v1alpha1_ImagePolicySpec(ref common.ReferenceCa }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1alpha1.Policy"}, + "github.com/openshift/api/config/v1alpha1.ImageSigstoreVerificationPolicy"}, } } 
@@ -22197,6 +22262,36 @@ func schema_openshift_api_config_v1alpha1_ImagePolicyStatus(ref common.Reference } } +func schema_openshift_api_config_v1alpha1_ImageSigstoreVerificationPolicy(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ImageSigstoreVerificationPolicy defines the verification policy for the items in the scopes list.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "rootOfTrust": { + SchemaProps: spec.SchemaProps{ + Description: "rootOfTrust specifies the root of trust for the policy.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.PolicyRootOfTrust"), + }, + }, + "signedIdentity": { + SchemaProps: spec.SchemaProps{ + Description: "signedIdentity specifies what image identity the signature claims about the image. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.PolicyIdentity"), + }, + }, + }, + Required: []string{"rootOfTrust"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.PolicyIdentity", "github.com/openshift/api/config/v1alpha1.PolicyRootOfTrust"}, + } +} + func schema_openshift_api_config_v1alpha1_InsightsDataGather(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -22438,43 +22533,6 @@ func schema_openshift_api_config_v1alpha1_MetricsServerConfig(ref common.Referen } } -func schema_openshift_api_config_v1alpha1_PKI(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "caRootsData": { - SchemaProps: spec.SchemaProps{ - Description: "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters.", - Type: []string{"string"}, - Format: "byte", - }, - }, - "caIntermediatesData": { - SchemaProps: spec.SchemaProps{ - Description: "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set.", - Type: []string{"string"}, - Format: "byte", - }, - }, - "pkiCertificateSubject": { - SchemaProps: spec.SchemaProps{ - Description: "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1alpha1.PKICertificateSubject"), - }, - }, - }, - Required: []string{"caRootsData", "pkiCertificateSubject"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1alpha1.PKICertificateSubject"}, - } -} - func schema_openshift_api_config_v1alpha1_PKICertificateSubject(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -22554,36 +22612,6 @@ func schema_openshift_api_config_v1alpha1_PersistentVolumeConfig(ref common.Refe } } -func schema_openshift_api_config_v1alpha1_Policy(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "Policy defines the verification policy for the items in the scopes list.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "rootOfTrust": { - SchemaProps: spec.SchemaProps{ - Description: "rootOfTrust specifies the root of trust for the policy.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1alpha1.PolicyRootOfTrust"), - }, - }, - "signedIdentity": { - SchemaProps: spec.SchemaProps{ - Description: "signedIdentity specifies what image identity the signature claims about the image. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/config/v1alpha1.PolicyIdentity"), - }, - }, - }, - Required: []string{"rootOfTrust"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1alpha1.PolicyIdentity", "github.com/openshift/api/config/v1alpha1.PolicyRootOfTrust"}, - } -} - func schema_openshift_api_config_v1alpha1_PolicyFulcioSubject(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -22731,19 +22759,19 @@ func schema_openshift_api_config_v1alpha1_PolicyRootOfTrust(ref common.Reference "publicKey": { SchemaProps: spec.SchemaProps{ Description: "publicKey defines the root of trust based on a sigstore public key.", - Ref: ref("github.com/openshift/api/config/v1alpha1.PublicKey"), + Ref: ref("github.com/openshift/api/config/v1alpha1.ImagePolicyPublicKeyRootOfTrust"), }, }, "fulcioCAWithRekor": { SchemaProps: spec.SchemaProps{ Description: "fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor", - Ref: ref("github.com/openshift/api/config/v1alpha1.FulcioCAWithRekor"), + Ref: ref("github.com/openshift/api/config/v1alpha1.ImagePolicyFulcioCAWithRekorRootOfTrust"), }, }, "pki": { SchemaProps: spec.SchemaProps{ Description: "pki defines the root of trust based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates.", - Ref: ref("github.com/openshift/api/config/v1alpha1.PKI"), + Ref: ref("github.com/openshift/api/config/v1alpha1.ImagePolicyPKIRootOfTrust"), }, }, }, 
@@ -22765,35 +22793,7 @@ func schema_openshift_api_config_v1alpha1_PolicyRootOfTrust(ref common.Reference }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1alpha1.FulcioCAWithRekor", "github.com/openshift/api/config/v1alpha1.PKI", "github.com/openshift/api/config/v1alpha1.PublicKey"}, - } -} - -func schema_openshift_api_config_v1alpha1_PublicKey(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "PublicKey defines the root of trust based on a sigstore public key.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "keyData": { - SchemaProps: spec.SchemaProps{ - Description: "keyData contains inline base64-encoded data for the PEM format public key. KeyData must be at most 8192 characters.", - Type: []string{"string"}, - Format: "byte", - }, - }, - "rekorKeyData": { - SchemaProps: spec.SchemaProps{ - Description: "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", - Type: []string{"string"}, - Format: "byte", - }, - }, - }, - Required: []string{"keyData"}, - }, - }, + "github.com/openshift/api/config/v1alpha1.ImagePolicyFulcioCAWithRekorRootOfTrust", "github.com/openshift/api/config/v1alpha1.ImagePolicyPKIRootOfTrust", "github.com/openshift/api/config/v1alpha1.ImagePolicyPublicKeyRootOfTrust"}, } } diff --git a/openapi/openapi.json b/openapi/openapi.json index 495fcd99a64..72aa7fd2da7 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json 
@@ -5207,7 +5207,7 @@ "policy": { "description": "policy is a required field that contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1.Policy" + "$ref": "#/definitions/com.github.openshift.api.config.v1.ImageSigstoreVerificationPolicy" }, "scopes": { "description": "scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. 
If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", @@ -6552,32 +6552,6 @@ } } }, - "com.github.openshift.api.config.v1.FulcioCAWithRekor": { - "description": "FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.", - "type": "object", - "required": [ - "fulcioCAData", - "rekorKeyData", - "fulcioSubject" - ], - "properties": { - "fulcioCAData": { - "description": "fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.", - "type": "string", - "format": "byte" - }, - "fulcioSubject": { - "description": "fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1.PolicyFulcioSubject" - }, - "rekorKeyData": { - "description": "rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", - "type": "string", - "format": "byte" - } - } - }, "com.github.openshift.api.config.v1.GCPPlatformSpec": { "description": "GCPPlatformSpec holds the desired state of the Google Cloud Platform infrastructure provider. This only includes fields that can be modified in the cluster.", "type": "object" 
@@ -7456,6 +7430,32 @@ } } }, + "com.github.openshift.api.config.v1.ImagePolicyFulcioCAWithRekorRootOfTrust": { + "description": "ImagePolicyFulcioCAWithRekorRootOfTrust defines the root of trust based on the Fulcio certificate and the Rekor public key.", + "type": "object", + "required": [ + "fulcioCAData", + "rekorKeyData", + "fulcioSubject" + ], + "properties": { + "fulcioCAData": { + "description": "fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.", + "type": "string", + "format": "byte" + }, + "fulcioSubject": { + "description": "fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.PolicyFulcioSubject" + }, + "rekorKeyData": { + "description": "rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", + "type": "string", + "format": "byte" + } + } + }, "com.github.openshift.api.config.v1.ImagePolicyList": { "description": "ImagePolicyList is a list of ImagePolicy resources\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "type": "object", 
@@ -7487,6 +7487,50 @@ } } }, + "com.github.openshift.api.config.v1.ImagePolicyPKIRootOfTrust": { + "description": "ImagePolicyPKIRootOfTrust defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", + "type": "object", + "required": [ + "caRootsData", + "pkiCertificateSubject" + ], + "properties": { + "caIntermediatesData": { + "description": "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set.", + "type": "string", + "format": "byte" + }, + "caRootsData": { + "description": "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters.", + "type": "string", + "format": "byte" + }, + "pkiCertificateSubject": { + "description": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.PKICertificateSubject" + } + } + }, + "com.github.openshift.api.config.v1.ImagePolicyPublicKeyRootOfTrust": { + "description": "ImagePolicyPublicKeyRootOfTrust defines the root of trust based on a sigstore public key.", + "type": "object", + "required": [ + "keyData" + ], + "properties": { + "keyData": { + "description": "keyData is a required field contains inline base64-encoded data for the PEM format public key. keyData must be at most 8192 characters.", + "type": "string", + "format": "byte" + }, + "rekorKeyData": { + "description": "rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. 
rekorKeyData must be at most 8192 characters.", + "type": "string", + "format": "byte" + } + } + }, "com.github.openshift.api.config.v1.ImagePolicySpec": { "description": "ImagePolicySpec is the specification of the ImagePolicy CRD.", "type": "object", 
@@ -7498,7 +7542,7 @@ "policy": { "description": "policy is a required field that contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1.Policy" + "$ref": "#/definitions/com.github.openshift.api.config.v1.ImageSigstoreVerificationPolicy" }, "scopes": { "description": "scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. 
If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", @@ -7528,6 +7572,24 @@ } } }, + "com.github.openshift.api.config.v1.ImageSigstoreVerificationPolicy": { + "description": "ImageSigstoreVerificationPolicy defines the verification policy for the items in the scopes list.", + "type": "object", + "required": [ + "rootOfTrust" + ], + "properties": { + "rootOfTrust": { + "description": "rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.PolicyRootOfTrust" + }, + "signedIdentity": { + "description": "signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", + "$ref": "#/definitions/com.github.openshift.api.config.v1.PolicyIdentity" + } + } + }, "com.github.openshift.api.config.v1.ImageSpec": { "type": "object", "properties": { 
@@ -9585,31 +9647,6 @@ } } }, - "com.github.openshift.api.config.v1.PKI": { - "description": "PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", - "type": "object", - "required": [ - "caRootsData", - "pkiCertificateSubject" - ], - "properties": { - "caIntermediatesData": { - "description": "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set.", - "type": "string", - "format": "byte" - }, - "caRootsData": { - "description": "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters.", - "type": "string", - "format": "byte" - }, - "pkiCertificateSubject": { - "description": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1.PKICertificateSubject" - } - } - }, "com.github.openshift.api.config.v1.PKICertificateSubject": { "description": "PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", "type": "object", 
@@ -9764,24 +9801,6 @@ } } }, - "com.github.openshift.api.config.v1.Policy": { - "description": "Policy defines the verification policy for the items in the scopes list.", - "type": "object", - "required": [ - "rootOfTrust" - ], - "properties": { - "rootOfTrust": { - "description": "rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1.PolicyRootOfTrust" - }, - "signedIdentity": { - "description": "signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", - "$ref": "#/definitions/com.github.openshift.api.config.v1.PolicyIdentity" - } - } - }, "com.github.openshift.api.config.v1.PolicyFulcioSubject": { "description": "PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration.", "type": "object", 
@@ -9874,20 +9893,20 @@ "properties": { "fulcioCAWithRekor": { "description": "fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor", - "$ref": "#/definitions/com.github.openshift.api.config.v1.FulcioCAWithRekor" + "$ref": "#/definitions/com.github.openshift.api.config.v1.ImagePolicyFulcioCAWithRekorRootOfTrust" }, "pki": { "description": "pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. pki is required when policyType is PKI, and forbidden otherwise.", - "$ref": "#/definitions/com.github.openshift.api.config.v1.PKI" + "$ref": "#/definitions/com.github.openshift.api.config.v1.ImagePolicyPKIRootOfTrust" }, "policyType": { - "description": "policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. Allowed values are \"PublicKey\", \"FulcioCAWithRekor\", and \"PKI\". When set to \"PublicKey\", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to \"FulcioCAWithRekor\", the policy is based on the Fulcio certification and incorporates a Rekor verification. When set to \"PKI\", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", + "description": "policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. Allowed values are \"PublicKey\", \"FulcioCAWithRekor\", and \"PKI\". 
When set to \"PublicKey\", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to \"FulcioCAWithRekor\", the policy is based on the Fulcio certification and incorporates a Rekor verification. When set to \"PKI\", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI).", "type": "string", "default": "" }, "publicKey": { "description": "publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. publicKey is required when policyType is PublicKey, and forbidden otherwise.", - "$ref": "#/definitions/com.github.openshift.api.config.v1.PublicKey" + "$ref": "#/definitions/com.github.openshift.api.config.v1.ImagePolicyPublicKeyRootOfTrust" } }, "x-kubernetes-unions": [ @@ -10220,25 +10239,6 @@ } } }, - "com.github.openshift.api.config.v1.PublicKey": { - "description": "PublicKey defines the root of trust based on a sigstore public key.", - "type": "object", - "required": [ - "keyData" - ], - "properties": { - "keyData": { - "description": "keyData is a required field contains inline base64-encoded data for the PEM format public key. keyData must be at most 8192 characters.", - "type": "string", - "format": "byte" - }, - "rekorKeyData": { - "description": "rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", - "type": "string", - "format": "byte" - } - } - }, "com.github.openshift.api.config.v1.RegistryLocation": { "description": "RegistryLocation contains a location of the registry specified by the registry domain name. The domain name might include wildcards, like '*' or '??'.", "type": "object", 
@@ -11794,7 +11794,7 @@ "policy": { "description": "policy contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.Policy" + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ImageSigstoreVerificationPolicy" }, "scopes": { "description": "scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. 
For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", @@ -11955,32 +11955,6 @@ } } }, - "com.github.openshift.api.config.v1alpha1.FulcioCAWithRekor": { - "description": "FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.", - "type": "object", - "required": [ - "fulcioCAData", - "rekorKeyData", - "fulcioSubject" - ], - "properties": { - "fulcioCAData": { - "description": "fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.", - "type": "string", - "format": "byte" - }, - "fulcioSubject": { - "description": "fulcioSubject specifies OIDC issuer and the email of the Fulcio authentication configuration.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PolicyFulcioSubject" - }, - "rekorKeyData": { - "description": "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", - "type": "string", - "format": "byte" - } - } - }, "com.github.openshift.api.config.v1alpha1.GatherConfig": { "description": "gatherConfig provides data gathering configuration options.", "type": "object", 
@@ -12035,6 +12009,32 @@ } } }, + "com.github.openshift.api.config.v1alpha1.ImagePolicyFulcioCAWithRekorRootOfTrust": { + "description": "ImagePolicyFulcioCAWithRekorRootOfTrust defines the root of trust based on the Fulcio certificate and the Rekor public key.", + "type": "object", + "required": [ + "fulcioCAData", + "rekorKeyData", + "fulcioSubject" + ], + "properties": { + "fulcioCAData": { + "description": "fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.", + "type": "string", + "format": "byte" + }, + "fulcioSubject": { + "description": "fulcioSubject specifies OIDC issuer and the email of the Fulcio authentication configuration.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PolicyFulcioSubject" + }, + "rekorKeyData": { + "description": "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", + "type": "string", + "format": "byte" + } + } + }, "com.github.openshift.api.config.v1alpha1.ImagePolicyList": { "description": "ImagePolicyList is a list of ImagePolicy resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", "type": "object", 
@@ -12065,6 +12065,50 @@ } } }, + "com.github.openshift.api.config.v1alpha1.ImagePolicyPKIRootOfTrust": { + "description": "ImagePolicyPKIRootOfTrust defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", + "type": "object", + "required": [ + "caRootsData", + "pkiCertificateSubject" + ], + "properties": { + "caIntermediatesData": { + "description": "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set.", + "type": "string", + "format": "byte" + }, + "caRootsData": { + "description": "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters.", + "type": "string", + "format": "byte" + }, + "pkiCertificateSubject": { + "description": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PKICertificateSubject" + } + } + }, + "com.github.openshift.api.config.v1alpha1.ImagePolicyPublicKeyRootOfTrust": { + "description": "ImagePolicyPublicKeyRootOfTrust defines the root of trust based on a sigstore public key.", + "type": "object", + "required": [ + "keyData" + ], + "properties": { + "keyData": { + "description": "keyData contains inline base64-encoded data for the PEM format public key. KeyData must be at most 8192 characters.", + "type": "string", + "format": "byte" + }, + "rekorKeyData": { + "description": "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. 
rekorKeyData must be at most 8192 characters.", + "type": "string", + "format": "byte" + } + } + }, "com.github.openshift.api.config.v1alpha1.ImagePolicySpec": { "description": "ImagePolicySpec is the specification of the ImagePolicy CRD.", "type": "object", 
@@ -12076,7 +12120,7 @@ "policy": { "description": "policy contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.Policy" + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ImageSigstoreVerificationPolicy" }, "scopes": { "description": "scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. 
For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", @@ -12106,6 +12150,25 @@ } } }, + "com.github.openshift.api.config.v1alpha1.ImageSigstoreVerificationPolicy": { + "description": "ImageSigstoreVerificationPolicy defines the verification policy for the items in the scopes list.", + "type": "object", + "required": [ + "rootOfTrust" + ], + "properties": { + "rootOfTrust": { + "description": "rootOfTrust specifies the root of trust for the policy.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PolicyRootOfTrust" + }, + "signedIdentity": { + "description": "signedIdentity specifies what image identity the signature claims about the image. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PolicyIdentity" + } + } + }, "com.github.openshift.api.config.v1alpha1.InsightsDataGather": { "description": "InsightsDataGather provides data gather configuration options for the the Insights Operator.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", "type": "object", 
@@ -12238,31 +12301,6 @@ } } }, - "com.github.openshift.api.config.v1alpha1.PKI": { - "description": "PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", - "type": "object", - "required": [ - "caRootsData", - "pkiCertificateSubject" - ], - "properties": { - "caIntermediatesData": { - "description": "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set.", - "type": "string", - "format": "byte" - }, - "caRootsData": { - "description": "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters.", - "type": "string", - "format": "byte" - }, - "pkiCertificateSubject": { - "description": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PKICertificateSubject" - } - } - }, "com.github.openshift.api.config.v1alpha1.PKICertificateSubject": { "description": "PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", "type": "object", 
@@ -12309,25 +12347,6 @@ } } }, - "com.github.openshift.api.config.v1alpha1.Policy": { - "description": "Policy defines the verification policy for the items in the scopes list.", - "type": "object", - "required": [ - "rootOfTrust" - ], - "properties": { - "rootOfTrust": { - "description": "rootOfTrust specifies the root of trust for the policy.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PolicyRootOfTrust" - }, - "signedIdentity": { - "description": "signedIdentity specifies what image identity the signature claims about the image. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PolicyIdentity" - } - } - }, "com.github.openshift.api.config.v1alpha1.PolicyFulcioSubject": { "description": "PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration.", "type": "object", 
@@ -12420,11 +12439,11 @@ "properties": { "fulcioCAWithRekor": { "description": "fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor", - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.FulcioCAWithRekor" + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ImagePolicyFulcioCAWithRekorRootOfTrust" }, "pki": { "description": "pki defines the root of trust based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates.", - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PKI" + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ImagePolicyPKIRootOfTrust" }, "policyType": { "description": "policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. \"PublicKey\" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. \"FulcioCAWithRekor\" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. \"PKI\" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", @@ -12433,7 +12452,7 @@ }, "publicKey": { "description": "publicKey defines the root of trust based on a sigstore public key.", - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PublicKey" + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ImagePolicyPublicKeyRootOfTrust" } }, "x-kubernetes-unions": [ 
@@ -12447,25 +12466,6 @@ } ] }, - "com.github.openshift.api.config.v1alpha1.PublicKey": { - "description": "PublicKey defines the root of trust based on a sigstore public key.", - "type": "object", - "required": [ - "keyData" - ], - "properties": { - "keyData": { - "description": "keyData contains inline base64-encoded data for the PEM format public key. KeyData must be at most 8192 characters.", - "type": "string", - "format": "byte" - }, - "rekorKeyData": { - "description": "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", - "type": "string", - "format": "byte" - } - } - }, "com.github.openshift.api.config.v1alpha1.RetentionNumberConfig": { "description": "RetentionNumberConfig specifies the configuration of the retention policy on the number of backups", "type": "object",