From 151a1eecdbca695e281f06aeb39ae295bb9d5ed6 Mon Sep 17 00:00:00 2001 From: Qi Wang Date: Thu, 7 Nov 2024 16:11:29 -0500 Subject: [PATCH] Add PKI field with SigstoreImageVerificationPKI fg to (cluster)imagepolicy Add PKI to clusterimagepolicy with DevPreview featuregate SigstoreImageVerificationPKI. This field allow verification of image signature created by cosign BYOPKI feature. Signed-off-by: Qi Wang --- .../SigstoreImageVerificationPKI.yaml | 101 ++++ .../SigstoreImageVerification.yaml | 12 + .../SigstoreImageVerificationPKI.yaml | 101 ++++ config/v1alpha1/types_image_policy.go | 47 +- ...sterimagepolicies-CustomNoUpgrade.crd.yaml | 84 ++++ ...imagepolicies-DevPreviewNoUpgrade.crd.yaml | 84 ++++ ...magepolicies-TechPreviewNoUpgrade.crd.yaml | 4 +- ..._01_imagepolicies-CustomNoUpgrade.crd.yaml | 84 ++++ ...imagepolicies-DevPreviewNoUpgrade.crd.yaml | 84 ++++ ...magepolicies-TechPreviewNoUpgrade.crd.yaml | 4 +- config/v1alpha1/zz_generated.deepcopy.go | 52 +++ ..._generated.featuregated-crd-manifests.yaml | 2 + .../SigstoreImageVerification.yaml | 4 +- .../SigstoreImageVerificationPKI.yaml | 436 ++++++++++++++++++ .../SigstoreImageVerification.yaml | 4 +- .../SigstoreImageVerificationPKI.yaml | 436 ++++++++++++++++++ .../zz_generated.swagger_doc_generated.go | 24 +- features.md | 1 + features/features.go | 8 + .../generated_openapi/zz_generated.openapi.go | 76 ++- openapi/openapi.json | 45 +- ...sterimagepolicies-CustomNoUpgrade.crd.yaml | 84 ++++ ...imagepolicies-DevPreviewNoUpgrade.crd.yaml | 84 ++++ ...magepolicies-TechPreviewNoUpgrade.crd.yaml | 4 +- ..._01_imagepolicies-CustomNoUpgrade.crd.yaml | 84 ++++ ...imagepolicies-DevPreviewNoUpgrade.crd.yaml | 84 ++++ ...magepolicies-TechPreviewNoUpgrade.crd.yaml | 4 +- .../featureGate-Hypershift-Default.yaml | 3 + ...reGate-Hypershift-DevPreviewNoUpgrade.yaml | 3 + ...eGate-Hypershift-TechPreviewNoUpgrade.yaml | 3 + .../featureGate-SelfManagedHA-Default.yaml | 3 + ...ate-SelfManagedHA-DevPreviewNoUpgrade.yaml | 3 + ...te-SelfManagedHA-TechPreviewNoUpgrade.yaml | 3 + 33 files changed, 2032 insertions(+), 23 deletions(-) create mode 100644 config/v1alpha1/tests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml create mode 100644 config/v1alpha1/tests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml create mode 100644 config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml create mode 100644 config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml diff --git a/config/v1alpha1/tests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml b/config/v1alpha1/tests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml new file mode 100644 index 00000000000..81edd5124d4 --- /dev/null +++ b/config/v1alpha1/tests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml @@ -0,0 +1,101 @@ +apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this +name: "ClusterImagePolicy" +crdName: clusterimagepolicies.config.openshift.io +featureGate: SigstoreImageVerificationPKI +tests: + onCreate: + - name: Should be able to create a minimal ClusterImagePolicy with policyType PKI + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PKI + pki: + caRootsData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ2ekNDQTZlZ0F3SUJBZ0lVRDVuLzdUMGszUHBVekMvZE5CRUVpWHhDaFVjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JqRUxNQWtHQTFVRUJoTUNSVk14RVRBUEJnTlZCQWNNQ0ZaaGJHVnVZMmxoTVFzd0NRWURWUVFLREFKSgpWREVSTUE4R0ExVUVDd3dJVTJWamRYSnBkSGt4TERBcUJnTlZCQU1NSTB4cGJuVjRaWEpoSUZKdmIzUWdRMlZ5CmRHbG1hV05oZEdVZ1FYVjBhRzl5YVhSNU1DQVhEVEkwTURneE1ERTNNVFF3TTFvWUR6SXdOVEV4TWpJMk1UY3gKTkRBeldqQnVNUXN3Q1FZRFZRUUdFd0pGVXpFUk1BOEdBMVVFQnd3SVZtRnNaVzVqYVdFeEN6QUpCZ05WQkFvTQpBa2xVTVJFd0R3WURWUVFMREFoVFpXTjFjbWwwZVRFc01Db0dBMVVFQXd3alRHbHVkWGhsY21FZ1VtOXZkQ0JEClpYSjBhV1pwWTJGMFpTQkJkWFJvYjNKcGRIa3dnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUsKQW9JQ0FRQ1h5ekpBSGRlY0NES0tpdFN4MlN0d215RWdUc2psRHhMdUpEUlZkUGVYZWpNTzVZQ1lxdW4raXl6awpkZm5jZ3k4TTlOTHU1bWZUSWpUZ3dLRVBHWHhpQjZ4VXVtNjRPUmt2RUVnT0oyV3JWV3M5NHJLL21iaTB4eUl1ClZjTlNFT0M0Ry9OY2VmYlFJY3JJNk5PV0xsRTN3WEFlRlNQVTNDTnJlbzV5NGlkNEtmR29oWlN1QXJJNkxZQzcKTm0vRlQ5cGgzZW5JdTBubVFjUGZYaU0xS2E2ZWpKK3hHMk5TdXRFL1dWVTNUL0JPVWM5b3MvWUJSbHlvakZGbwpkSHZ4L2lLRGpWZXBFOGRySXZMa1c1OEFoUXZNbmh4VVErWk1YdHhYaDlyVXZzOTdEdjNsdE85ek91STRaTGVsCmt2ZjRvWW5PbGltQm1SNk5zZlAvaUNZR1dLVVQ2VmUxZTZFbGkzaG5COElOQ2tzQmF1cEYxZ0YyeWpOakYyc2sKQnowcmoydjFFb2ZsSEhsZ1BnM2NyYkNON2RoSnF6RHhGQmFaeXdXRjZjYzFNYjVDMUgrUFFudXVGOEI2L0JTQQp0VEF5M3hpNUVlcWhxeGNxdG5BS0pnSXc3Q0dTUHZGQ280OG5lVzlmdERlNkFrcEpTMjhBNVBRVCtuZDY1T3VjClpqbnBGNzhGdkE5aXdsSjNxaE90WE5DWVlQOVhMWnNvSjNJK2ZLaEQ0dE9kRklta3dFS3RYUW9xRGtuUmdKeEYKMmFrNDdndnZuQkpKa1o4ZEhpYU85ZWlzL1R3Q2p2ekhQbk9oaEZqWmRmNlFOTlVMVERXcGp3YW1kSDQrd3VjVgpjQXpmUlhtbEVpbnIyaXlXQW5ycEZzdGlSeHRySDRFTytqb25MbXpmUlNOVnoxL0xXd0lEQVFBQm8xTXdVVEFkCkJnTlZIUTRFRmdRVWxJMXJ6b3FNZlZxbHFKZkJzYWt6bXJVZjl6OHdId1lEVlIwakJCZ3dGb0FVbEkxcnpvcU0KZlZxbHFKZkJzYWt6bXJVZjl6OHdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBZ0VBZXEwMTJPWGxNRE9OUVNaSXRnd3pUaURsVHE1MzNCekkrak50cWVUTzBZZUNwTGZYRlROUXFxdyt6WVFuCi80UVlacW5lSUhkTnByaFlkZDdORUc5ak5jaXV0dW4vZUNaZXZYVktPc3d6VHk3a2l5Nm9Rek1hZklVZ2dMMTUKV2JFZlU5c3JjT0xBOXFVN2MvUHdPQURzdEhQTVBuZ3Z4UzdqWmw2Z0cwNUFVMGcyYXF2bkRiVmtmY3M2SUxMUgpFRnNUTXBLK1lHaWhBU1NrUTBwbVpUTGdEem1HVWdVOFFvejZFWTAwMzZiZzZJbTJKL0RNUU9ic0MvQmVqb1EzCnkxQmJWR1Job0F2bytQYkprd0hzaUE2SythR3RZYXJmSzR2VUpoVEJMb0JHSElNRDlPbkVRc0pDT2JvWnhsVU4KYmwxZVhjOHFzQzVqVmNWOG9TakNWbmVOZ241aW1HYVFLdEVWdjdBYUNvL3RCYXJYNVJucEdKZ1h0bnhuNjVmVApYNUh3NENCR2RIeUtmZTliWjV0K2lFSm1WbTgva2M2Z216V2JmNVZUcmkyTUp0ZEFwWGlnRmxIYzZVK09uMnk5CitYbU9pbWVDbVA5WTNqcGdITkIxVVA0Q2hFSEg0azdmWDFaSkpYeGVLWERJTWFxWmFRYjZ5VCtDbFJvU2lsQSsKQU95dEd4c3B0OVpmemN4ZGRaTUdNYXcrQzlaYW5WTjNRVTZ1Tk0wOGYra2lkRkdJL29vN1pNZ0xaQ1RKWnozSQpINktFSkl1L1ZpWFlONTFlM1ZpV0srNFBBKzZjRXVmZzMwZE52cFExTVVuYW10Sjc2QXQ2UVJnY3NBMzVYemxWCkZ0RlV6VVFkZk1KQnBSVVR1ZEtvK2d0TG9oT1BkZXdYM2xaUVA4QkJCZWdrdlJzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t + pkiCertificateSubject: + email: test-user@example.com + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PKI + pki: + caRootsData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ2ekNDQTZlZ0F3SUJBZ0lVRDVuLzdUMGszUHBVekMvZE5CRUVpWHhDaFVjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JqRUxNQWtHQTFVRUJoTUNSVk14RVRBUEJnTlZCQWNNQ0ZaaGJHVnVZMmxoTVFzd0NRWURWUVFLREFKSgpWREVSTUE4R0ExVUVDd3dJVTJWamRYSnBkSGt4TERBcUJnTlZCQU1NSTB4cGJuVjRaWEpoSUZKdmIzUWdRMlZ5CmRHbG1hV05oZEdVZ1FYVjBhRzl5YVhSNU1DQVhEVEkwTURneE1ERTNNVFF3TTFvWUR6SXdOVEV4TWpJMk1UY3gKTkRBeldqQnVNUXN3Q1FZRFZRUUdFd0pGVXpFUk1BOEdBMVVFQnd3SVZtRnNaVzVqYVdFeEN6QUpCZ05WQkFvTQpBa2xVTVJFd0R3WURWUVFMREFoVFpXTjFjbWwwZVRFc01Db0dBMVVFQXd3alRHbHVkWGhsY21FZ1VtOXZkQ0JEClpYSjBhV1pwWTJGMFpTQkJkWFJvYjNKcGRIa3dnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUsKQW9JQ0FRQ1h5ekpBSGRlY0NES0tpdFN4MlN0d215RWdUc2psRHhMdUpEUlZkUGVYZWpNTzVZQ1lxdW4raXl6awpkZm5jZ3k4TTlOTHU1bWZUSWpUZ3dLRVBHWHhpQjZ4VXVtNjRPUmt2RUVnT0oyV3JWV3M5NHJLL21iaTB4eUl1ClZjTlNFT0M0Ry9OY2VmYlFJY3JJNk5PV0xsRTN3WEFlRlNQVTNDTnJlbzV5NGlkNEtmR29oWlN1QXJJNkxZQzcKTm0vRlQ5cGgzZW5JdTBubVFjUGZYaU0xS2E2ZWpKK3hHMk5TdXRFL1dWVTNUL0JPVWM5b3MvWUJSbHlvakZGbwpkSHZ4L2lLRGpWZXBFOGRySXZMa1c1OEFoUXZNbmh4VVErWk1YdHhYaDlyVXZzOTdEdjNsdE85ek91STRaTGVsCmt2ZjRvWW5PbGltQm1SNk5zZlAvaUNZR1dLVVQ2VmUxZTZFbGkzaG5COElOQ2tzQmF1cEYxZ0YyeWpOakYyc2sKQnowcmoydjFFb2ZsSEhsZ1BnM2NyYkNON2RoSnF6RHhGQmFaeXdXRjZjYzFNYjVDMUgrUFFudXVGOEI2L0JTQQp0VEF5M3hpNUVlcWhxeGNxdG5BS0pnSXc3Q0dTUHZGQ280OG5lVzlmdERlNkFrcEpTMjhBNVBRVCtuZDY1T3VjClpqbnBGNzhGdkE5aXdsSjNxaE90WE5DWVlQOVhMWnNvSjNJK2ZLaEQ0dE9kRklta3dFS3RYUW9xRGtuUmdKeEYKMmFrNDdndnZuQkpKa1o4ZEhpYU85ZWlzL1R3Q2p2ekhQbk9oaEZqWmRmNlFOTlVMVERXcGp3YW1kSDQrd3VjVgpjQXpmUlhtbEVpbnIyaXlXQW5ycEZzdGlSeHRySDRFTytqb25MbXpmUlNOVnoxL0xXd0lEQVFBQm8xTXdVVEFkCkJnTlZIUTRFRmdRVWxJMXJ6b3FNZlZxbHFKZkJzYWt6bXJVZjl6OHdId1lEVlIwakJCZ3dGb0FVbEkxcnpvcU0KZlZxbHFKZkJzYWt6bXJVZjl6OHdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBZ0VBZXEwMTJPWGxNRE9OUVNaSXRnd3pUaURsVHE1MzNCekkrak50cWVUTzBZZUNwTGZYRlROUXFxdyt6WVFuCi80UVlacW5lSUhkTnByaFlkZDdORUc5ak5jaXV0dW4vZUNaZXZYVktPc3d6VHk3a2l5Nm9Rek1hZklVZ2dMMTUKV2JFZlU5c3JjT0xBOXFVN2MvUHdPQURzdEhQTVBuZ3Z4UzdqWmw2Z0cwNUFVMGcyYXF2bkRiVmtmY3M2SUxMUgpFRnNUTXBLK1lHaWhBU1NrUTBwbVpUTGdEem1HVWdVOFFvejZFWTAwMzZiZzZJbTJKL0RNUU9ic0MvQmVqb1EzCnkxQmJWR1Job0F2bytQYkprd0hzaUE2SythR3RZYXJmSzR2VUpoVEJMb0JHSElNRDlPbkVRc0pDT2JvWnhsVU4KYmwxZVhjOHFzQzVqVmNWOG9TakNWbmVOZ241aW1HYVFLdEVWdjdBYUNvL3RCYXJYNVJucEdKZ1h0bnhuNjVmVApYNUh3NENCR2RIeUtmZTliWjV0K2lFSm1WbTgva2M2Z216V2JmNVZUcmkyTUp0ZEFwWGlnRmxIYzZVK09uMnk5CitYbU9pbWVDbVA5WTNqcGdITkIxVVA0Q2hFSEg0azdmWDFaSkpYeGVLWERJTWFxWmFRYjZ5VCtDbFJvU2lsQSsKQU95dEd4c3B0OVpmemN4ZGRaTUdNYXcrQzlaYW5WTjNRVTZ1Tk0wOGYra2lkRkdJL29vN1pNZ0xaQ1RKWnozSQpINktFSkl1L1ZpWFlONTFlM1ZpV0srNFBBKzZjRXVmZzMwZE52cFExTVVuYW10Sjc2QXQ2UVJnY3NBMzVYemxWCkZ0RlV6VVFkZk1KQnBSVVR1ZEtvK2d0TG9oT1BkZXdYM2xaUVA4QkJCZWdrdlJzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t + pkiCertificateSubject: + email: test-user@example.com + - name: Should not allow policyType PKI but not set pki + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PKI + expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": pki is required when policyType is PKI, and forbidden otherwise" + - name: Should not allow pkiCertificateSubject invalid email + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PKI + pki: + caRootsData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ2ekNDQTZlZ0F3SUJBZ0lVRDVuLzdUMGszUHBVekMvZE5CRUVpWHhDaFVjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JqRUxNQWtHQTFVRUJoTUNSVk14RVRBUEJnTlZCQWNNQ0ZaaGJHVnVZMmxoTVFzd0NRWURWUVFLREFKSgpWREVSTUE4R0ExVUVDd3dJVTJWamRYSnBkSGt4TERBcUJnTlZCQU1NSTB4cGJuVjRaWEpoSUZKdmIzUWdRMlZ5CmRHbG1hV05oZEdVZ1FYVjBhRzl5YVhSNU1DQVhEVEkwTURneE1ERTNNVFF3TTFvWUR6SXdOVEV4TWpJMk1UY3gKTkRBeldqQnVNUXN3Q1FZRFZRUUdFd0pGVXpFUk1BOEdBMVVFQnd3SVZtRnNaVzVqYVdFeEN6QUpCZ05WQkFvTQpBa2xVTVJFd0R3WURWUVFMREFoVFpXTjFjbWwwZVRFc01Db0dBMVVFQXd3alRHbHVkWGhsY21FZ1VtOXZkQ0JEClpYSjBhV1pwWTJGMFpTQkJkWFJvYjNKcGRIa3dnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUsKQW9JQ0FRQ1h5ekpBSGRlY0NES0tpdFN4MlN0d215RWdUc2psRHhMdUpEUlZkUGVYZWpNTzVZQ1lxdW4raXl6awpkZm5jZ3k4TTlOTHU1bWZUSWpUZ3dLRVBHWHhpQjZ4VXVtNjRPUmt2RUVnT0oyV3JWV3M5NHJLL21iaTB4eUl1ClZjTlNFT0M0Ry9OY2VmYlFJY3JJNk5PV0xsRTN3WEFlRlNQVTNDTnJlbzV5NGlkNEtmR29oWlN1QXJJNkxZQzcKTm0vRlQ5cGgzZW5JdTBubVFjUGZYaU0xS2E2ZWpKK3hHMk5TdXRFL1dWVTNUL0JPVWM5b3MvWUJSbHlvakZGbwpkSHZ4L2lLRGpWZXBFOGRySXZMa1c1OEFoUXZNbmh4VVErWk1YdHhYaDlyVXZzOTdEdjNsdE85ek91STRaTGVsCmt2ZjRvWW5PbGltQm1SNk5zZlAvaUNZR1dLVVQ2VmUxZTZFbGkzaG5COElOQ2tzQmF1cEYxZ0YyeWpOakYyc2sKQnowcmoydjFFb2ZsSEhsZ1BnM2NyYkNON2RoSnF6RHhGQmFaeXdXRjZjYzFNYjVDMUgrUFFudXVGOEI2L0JTQQp0VEF5M3hpNUVlcWhxeGNxdG5BS0pnSXc3Q0dTUHZGQ280OG5lVzlmdERlNkFrcEpTMjhBNVBRVCtuZDY1T3VjClpqbnBGNzhGdkE5aXdsSjNxaE90WE5DWVlQOVhMWnNvSjNJK2ZLaEQ0dE9kRklta3dFS3RYUW9xRGtuUmdKeEYKMmFrNDdndnZuQkpKa1o4ZEhpYU85ZWlzL1R3Q2p2ekhQbk9oaEZqWmRmNlFOTlVMVERXcGp3YW1kSDQrd3VjVgpjQXpmUlhtbEVpbnIyaXlXQW5ycEZzdGlSeHRySDRFTytqb25MbXpmUlNOVnoxL0xXd0lEQVFBQm8xTXdVVEFkCkJnTlZIUTRFRmdRVWxJMXJ6b3FNZlZxbHFKZkJzYWt6bXJVZjl6OHdId1lEVlIwakJCZ3dGb0FVbEkxcnpvcU0KZlZxbHFKZkJzYWt6bXJVZjl6OHdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBZ0VBZXEwMTJPWGxNRE9OUVNaSXRnd3pUaURsVHE1MzNCekkrak50cWVUTzBZZUNwTGZYRlROUXFxdyt6WVFuCi80UVlacW5lSUhkTnByaFlkZDdORUc5ak5jaXV0dW4vZUNaZXZYVktPc3d6VHk3a2l5Nm9Rek1hZklVZ2dMMTUKV2JFZlU5c3JjT0xBOXFVN2MvUHdPQURzdEhQTVBuZ3Z4UzdqWmw2Z0cwNUFVMGcyYXF2bkRiVmtmY3M2SUxMUgpFRnNUTXBLK1lHaWhBU1NrUTBwbVpUTGdEem1HVWdVOFFvejZFWTAwMzZiZzZJbTJKL0RNUU9ic0MvQmVqb1EzCnkxQmJWR1Job0F2bytQYkprd0hzaUE2SythR3RZYXJmSzR2VUpoVEJMb0JHSElNRDlPbkVRc0pDT2JvWnhsVU4KYmwxZVhjOHFzQzVqVmNWOG9TakNWbmVOZ241aW1HYVFLdEVWdjdBYUNvL3RCYXJYNVJucEdKZ1h0bnhuNjVmVApYNUh3NENCR2RIeUtmZTliWjV0K2lFSm1WbTgva2M2Z216V2JmNVZUcmkyTUp0ZEFwWGlnRmxIYzZVK09uMnk5CitYbU9pbWVDbVA5WTNqcGdITkIxVVA0Q2hFSEg0azdmWDFaSkpYeGVLWERJTWFxWmFRYjZ5VCtDbFJvU2lsQSsKQU95dEd4c3B0OVpmemN4ZGRaTUdNYXcrQzlaYW5WTjNRVTZ1Tk0wOGYra2lkRkdJL29vN1pNZ0xaQ1RKWnozSQpINktFSkl1L1ZpWFlONTFlM1ZpV0srNFBBKzZjRXVmZzMwZE52cFExTVVuYW10Sjc2QXQ2UVJnY3NBMzVYemxWCkZ0RlV6VVFkZk1KQnBSVVR1ZEtvK2d0TG9oT1BkZXdYM2xaUVA4QkJCZWdrdlJzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t + pkiCertificateSubject: + email: invalid-email + expectedError: "spec.policy.rootOfTrust.pki.pkiCertificateSubject.email: Invalid value: \"string\": invalid email address in pkiCertificateSubject" + - name: Should not allow pkiCertificateSubject invalid hostname + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PKI + pki: + caRootsData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ2ekNDQTZlZ0F3SUJBZ0lVRDVuLzdUMGszUHBVekMvZE5CRUVpWHhDaFVjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JqRUxNQWtHQTFVRUJoTUNSVk14RVRBUEJnTlZCQWNNQ0ZaaGJHVnVZMmxoTVFzd0NRWURWUVFLREFKSgpWREVSTUE4R0ExVUVDd3dJVTJWamRYSnBkSGt4TERBcUJnTlZCQU1NSTB4cGJuVjRaWEpoSUZKdmIzUWdRMlZ5CmRHbG1hV05oZEdVZ1FYVjBhRzl5YVhSNU1DQVhEVEkwTURneE1ERTNNVFF3TTFvWUR6SXdOVEV4TWpJMk1UY3gKTkRBeldqQnVNUXN3Q1FZRFZRUUdFd0pGVXpFUk1BOEdBMVVFQnd3SVZtRnNaVzVqYVdFeEN6QUpCZ05WQkFvTQpBa2xVTVJFd0R3WURWUVFMREFoVFpXTjFjbWwwZVRFc01Db0dBMVVFQXd3alRHbHVkWGhsY21FZ1VtOXZkQ0JEClpYSjBhV1pwWTJGMFpTQkJkWFJvYjNKcGRIa3dnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUsKQW9JQ0FRQ1h5ekpBSGRlY0NES0tpdFN4MlN0d215RWdUc2psRHhMdUpEUlZkUGVYZWpNTzVZQ1lxdW4raXl6awpkZm5jZ3k4TTlOTHU1bWZUSWpUZ3dLRVBHWHhpQjZ4VXVtNjRPUmt2RUVnT0oyV3JWV3M5NHJLL21iaTB4eUl1ClZjTlNFT0M0Ry9OY2VmYlFJY3JJNk5PV0xsRTN3WEFlRlNQVTNDTnJlbzV5NGlkNEtmR29oWlN1QXJJNkxZQzcKTm0vRlQ5cGgzZW5JdTBubVFjUGZYaU0xS2E2ZWpKK3hHMk5TdXRFL1dWVTNUL0JPVWM5b3MvWUJSbHlvakZGbwpkSHZ4L2lLRGpWZXBFOGRySXZMa1c1OEFoUXZNbmh4VVErWk1YdHhYaDlyVXZzOTdEdjNsdE85ek91STRaTGVsCmt2ZjRvWW5PbGltQm1SNk5zZlAvaUNZR1dLVVQ2VmUxZTZFbGkzaG5COElOQ2tzQmF1cEYxZ0YyeWpOakYyc2sKQnowcmoydjFFb2ZsSEhsZ1BnM2NyYkNON2RoSnF6RHhGQmFaeXdXRjZjYzFNYjVDMUgrUFFudXVGOEI2L0JTQQp0VEF5M3hpNUVlcWhxeGNxdG5BS0pnSXc3Q0dTUHZGQ280OG5lVzlmdERlNkFrcEpTMjhBNVBRVCtuZDY1T3VjClpqbnBGNzhGdkE5aXdsSjNxaE90WE5DWVlQOVhMWnNvSjNJK2ZLaEQ0dE9kRklta3dFS3RYUW9xRGtuUmdKeEYKMmFrNDdndnZuQkpKa1o4ZEhpYU85ZWlzL1R3Q2p2ekhQbk9oaEZqWmRmNlFOTlVMVERXcGp3YW1kSDQrd3VjVgpjQXpmUlhtbEVpbnIyaXlXQW5ycEZzdGlSeHRySDRFTytqb25MbXpmUlNOVnoxL0xXd0lEQVFBQm8xTXdVVEFkCkJnTlZIUTRFRmdRVWxJMXJ6b3FNZlZxbHFKZkJzYWt6bXJVZjl6OHdId1lEVlIwakJCZ3dGb0FVbEkxcnpvcU0KZlZxbHFKZkJzYWt6bXJVZjl6OHdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBZ0VBZXEwMTJPWGxNRE9OUVNaSXRnd3pUaURsVHE1MzNCekkrak50cWVUTzBZZUNwTGZYRlROUXFxdyt6WVFuCi80UVlacW5lSUhkTnByaFlkZDdORUc5ak5jaXV0dW4vZUNaZXZYVktPc3d6VHk3a2l5Nm9Rek1hZklVZ2dMMTUKV2JFZlU5c3JjT0xBOXFVN2MvUHdPQURzdEhQTVBuZ3Z4UzdqWmw2Z0cwNUFVMGcyYXF2bkRiVmtmY3M2SUxMUgpFRnNUTXBLK1lHaWhBU1NrUTBwbVpUTGdEem1HVWdVOFFvejZFWTAwMzZiZzZJbTJKL0RNUU9ic0MvQmVqb1EzCnkxQmJWR1Job0F2bytQYkprd0hzaUE2SythR3RZYXJmSzR2VUpoVEJMb0JHSElNRDlPbkVRc0pDT2JvWnhsVU4KYmwxZVhjOHFzQzVqVmNWOG9TakNWbmVOZ241aW1HYVFLdEVWdjdBYUNvL3RCYXJYNVJucEdKZ1h0bnhuNjVmVApYNUh3NENCR2RIeUtmZTliWjV0K2lFSm1WbTgva2M2Z216V2JmNVZUcmkyTUp0ZEFwWGlnRmxIYzZVK09uMnk5CitYbU9pbWVDbVA5WTNqcGdITkIxVVA0Q2hFSEg0azdmWDFaSkpYeGVLWERJTWFxWmFRYjZ5VCtDbFJvU2lsQSsKQU95dEd4c3B0OVpmemN4ZGRaTUdNYXcrQzlaYW5WTjNRVTZ1Tk0wOGYra2lkRkdJL29vN1pNZ0xaQ1RKWnozSQpINktFSkl1L1ZpWFlONTFlM1ZpV0srNFBBKzZjRXVmZzMwZE52cFExTVVuYW10Sjc2QXQ2UVJnY3NBMzVYemxWCkZ0RlV6VVFkZk1KQnBSVVR1ZEtvK2d0TG9oT1BkZXdYM2xaUVA4QkJCZWdrdlJzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t + pkiCertificateSubject: + hostname: invaild-.com + expectedError: "spec.policy.rootOfTrust.pki.pkiCertificateSubject.hostname: Invalid value: \"string\": invalid hostname in pkiCertificateSubject" + - name: Should not allow poliyType PKI but not set pki + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PKI + pki: {} + expectedError: "spec.policy.rootOfTrust.pki.caRootsData: Required value, spec.policy.rootOfTrust.pki.pkiCertificateSubject: Required value, : Invalid value: \"null\": some validation rules were not checked because the object was invalid; correct the existing errors to complete validation" + - name: Should not allow caRootsData not encoded from PEM + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ClusterImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PKI + pki: + caRootsData: Zm9vIGJhcg== + pkiCertificateSubject: + email: test-user@example.com + expectedError: "spec.policy.rootOfTrust.pki.caRootsData: Invalid value: \"string\": the caRootsData must start with base64 encoding of '-----BEGIN CERTIFICATE-----'." \ No newline at end of file diff --git a/config/v1alpha1/tests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml b/config/v1alpha1/tests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml index c772324c829..a67ddb9c8d4 100644 --- a/config/v1alpha1/tests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml +++ b/config/v1alpha1/tests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml @@ -451,3 +451,15 @@ tests: policyType: PublicKey publicKey: keyData: Zm9vIGJhcg== + - name: Should not allow poliyType PKI but not set pki + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PKI + pki: {} + expectedError: "spec.policy.rootOfTrust.pki.caRootsData: Required value, spec.policy.rootOfTrust.pki.pkiCertificateSubject: Required value, : Invalid value: \"null\": some validation rules were not checked because the object was invalid; correct the existing errors to complete validation" \ No newline at end of file diff --git a/config/v1alpha1/tests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml b/config/v1alpha1/tests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml new file mode 100644 index 00000000000..daf56daeaf1 --- /dev/null +++ b/config/v1alpha1/tests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml @@ -0,0 +1,101 @@ +apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this +name: "ImagePolicy" +crdName: imagepolicies.config.openshift.io +featureGate: SigstoreImageVerificationPKI +tests: + onCreate: + - name: Should be able to create a minimal ImagePolicy with policyType PKI + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PKI + pki: + caRootsData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ2ekNDQTZlZ0F3SUJBZ0lVRDVuLzdUMGszUHBVekMvZE5CRUVpWHhDaFVjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JqRUxNQWtHQTFVRUJoTUNSVk14RVRBUEJnTlZCQWNNQ0ZaaGJHVnVZMmxoTVFzd0NRWURWUVFLREFKSgpWREVSTUE4R0ExVUVDd3dJVTJWamRYSnBkSGt4TERBcUJnTlZCQU1NSTB4cGJuVjRaWEpoSUZKdmIzUWdRMlZ5CmRHbG1hV05oZEdVZ1FYVjBhRzl5YVhSNU1DQVhEVEkwTURneE1ERTNNVFF3TTFvWUR6SXdOVEV4TWpJMk1UY3gKTkRBeldqQnVNUXN3Q1FZRFZRUUdFd0pGVXpFUk1BOEdBMVVFQnd3SVZtRnNaVzVqYVdFeEN6QUpCZ05WQkFvTQpBa2xVTVJFd0R3WURWUVFMREFoVFpXTjFjbWwwZVRFc01Db0dBMVVFQXd3alRHbHVkWGhsY21FZ1VtOXZkQ0JEClpYSjBhV1pwWTJGMFpTQkJkWFJvYjNKcGRIa3dnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUsKQW9JQ0FRQ1h5ekpBSGRlY0NES0tpdFN4MlN0d215RWdUc2psRHhMdUpEUlZkUGVYZWpNTzVZQ1lxdW4raXl6awpkZm5jZ3k4TTlOTHU1bWZUSWpUZ3dLRVBHWHhpQjZ4VXVtNjRPUmt2RUVnT0oyV3JWV3M5NHJLL21iaTB4eUl1ClZjTlNFT0M0Ry9OY2VmYlFJY3JJNk5PV0xsRTN3WEFlRlNQVTNDTnJlbzV5NGlkNEtmR29oWlN1QXJJNkxZQzcKTm0vRlQ5cGgzZW5JdTBubVFjUGZYaU0xS2E2ZWpKK3hHMk5TdXRFL1dWVTNUL0JPVWM5b3MvWUJSbHlvakZGbwpkSHZ4L2lLRGpWZXBFOGRySXZMa1c1OEFoUXZNbmh4VVErWk1YdHhYaDlyVXZzOTdEdjNsdE85ek91STRaTGVsCmt2ZjRvWW5PbGltQm1SNk5zZlAvaUNZR1dLVVQ2VmUxZTZFbGkzaG5COElOQ2tzQmF1cEYxZ0YyeWpOakYyc2sKQnowcmoydjFFb2ZsSEhsZ1BnM2NyYkNON2RoSnF6RHhGQmFaeXdXRjZjYzFNYjVDMUgrUFFudXVGOEI2L0JTQQp0VEF5M3hpNUVlcWhxeGNxdG5BS0pnSXc3Q0dTUHZGQ280OG5lVzlmdERlNkFrcEpTMjhBNVBRVCtuZDY1T3VjClpqbnBGNzhGdkE5aXdsSjNxaE90WE5DWVlQOVhMWnNvSjNJK2ZLaEQ0dE9kRklta3dFS3RYUW9xRGtuUmdKeEYKMmFrNDdndnZuQkpKa1o4ZEhpYU85ZWlzL1R3Q2p2ekhQbk9oaEZqWmRmNlFOTlVMVERXcGp3YW1kSDQrd3VjVgpjQXpmUlhtbEVpbnIyaXlXQW5ycEZzdGlSeHRySDRFTytqb25MbXpmUlNOVnoxL0xXd0lEQVFBQm8xTXdVVEFkCkJnTlZIUTRFRmdRVWxJMXJ6b3FNZlZxbHFKZkJzYWt6bXJVZjl6OHdId1lEVlIwakJCZ3dGb0FVbEkxcnpvcU0KZlZxbHFKZkJzYWt6bXJVZjl6OHdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBZ0VBZXEwMTJPWGxNRE9OUVNaSXRnd3pUaURsVHE1MzNCekkrak50cWVUTzBZZUNwTGZYRlROUXFxdyt6WVFuCi80UVlacW5lSUhkTnByaFlkZDdORUc5ak5jaXV0dW4vZUNaZXZYVktPc3d6VHk3a2l5Nm9Rek1hZklVZ2dMMTUKV2JFZlU5c3JjT0xBOXFVN2MvUHdPQURzdEhQTVBuZ3Z4UzdqWmw2Z0cwNUFVMGcyYXF2bkRiVmtmY3M2SUxMUgpFRnNUTXBLK1lHaWhBU1NrUTBwbVpUTGdEem1HVWdVOFFvejZFWTAwMzZiZzZJbTJKL0RNUU9ic0MvQmVqb1EzCnkxQmJWR1Job0F2bytQYkprd0hzaUE2SythR3RZYXJmSzR2VUpoVEJMb0JHSElNRDlPbkVRc0pDT2JvWnhsVU4KYmwxZVhjOHFzQzVqVmNWOG9TakNWbmVOZ241aW1HYVFLdEVWdjdBYUNvL3RCYXJYNVJucEdKZ1h0bnhuNjVmVApYNUh3NENCR2RIeUtmZTliWjV0K2lFSm1WbTgva2M2Z216V2JmNVZUcmkyTUp0ZEFwWGlnRmxIYzZVK09uMnk5CitYbU9pbWVDbVA5WTNqcGdITkIxVVA0Q2hFSEg0azdmWDFaSkpYeGVLWERJTWFxWmFRYjZ5VCtDbFJvU2lsQSsKQU95dEd4c3B0OVpmemN4ZGRaTUdNYXcrQzlaYW5WTjNRVTZ1Tk0wOGYra2lkRkdJL29vN1pNZ0xaQ1RKWnozSQpINktFSkl1L1ZpWFlONTFlM1ZpV0srNFBBKzZjRXVmZzMwZE52cFExTVVuYW10Sjc2QXQ2UVJnY3NBMzVYemxWCkZ0RlV6VVFkZk1KQnBSVVR1ZEtvK2d0TG9oT1BkZXdYM2xaUVA4QkJCZWdrdlJzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t + pkiCertificateSubject: + email: test-user@example.com + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PKI + pki: + caRootsData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ2ekNDQTZlZ0F3SUJBZ0lVRDVuLzdUMGszUHBVekMvZE5CRUVpWHhDaFVjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JqRUxNQWtHQTFVRUJoTUNSVk14RVRBUEJnTlZCQWNNQ0ZaaGJHVnVZMmxoTVFzd0NRWURWUVFLREFKSgpWREVSTUE4R0ExVUVDd3dJVTJWamRYSnBkSGt4TERBcUJnTlZCQU1NSTB4cGJuVjRaWEpoSUZKdmIzUWdRMlZ5CmRHbG1hV05oZEdVZ1FYVjBhRzl5YVhSNU1DQVhEVEkwTURneE1ERTNNVFF3TTFvWUR6SXdOVEV4TWpJMk1UY3gKTkRBeldqQnVNUXN3Q1FZRFZRUUdFd0pGVXpFUk1BOEdBMVVFQnd3SVZtRnNaVzVqYVdFeEN6QUpCZ05WQkFvTQpBa2xVTVJFd0R3WURWUVFMREFoVFpXTjFjbWwwZVRFc01Db0dBMVVFQXd3alRHbHVkWGhsY21FZ1VtOXZkQ0JEClpYSjBhV1pwWTJGMFpTQkJkWFJvYjNKcGRIa3dnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUsKQW9JQ0FRQ1h5ekpBSGRlY0NES0tpdFN4MlN0d215RWdUc2psRHhMdUpEUlZkUGVYZWpNTzVZQ1lxdW4raXl6awpkZm5jZ3k4TTlOTHU1bWZUSWpUZ3dLRVBHWHhpQjZ4VXVtNjRPUmt2RUVnT0oyV3JWV3M5NHJLL21iaTB4eUl1ClZjTlNFT0M0Ry9OY2VmYlFJY3JJNk5PV0xsRTN3WEFlRlNQVTNDTnJlbzV5NGlkNEtmR29oWlN1QXJJNkxZQzcKTm0vRlQ5cGgzZW5JdTBubVFjUGZYaU0xS2E2ZWpKK3hHMk5TdXRFL1dWVTNUL0JPVWM5b3MvWUJSbHlvakZGbwpkSHZ4L2lLRGpWZXBFOGRySXZMa1c1OEFoUXZNbmh4VVErWk1YdHhYaDlyVXZzOTdEdjNsdE85ek91STRaTGVsCmt2ZjRvWW5PbGltQm1SNk5zZlAvaUNZR1dLVVQ2VmUxZTZFbGkzaG5COElOQ2tzQmF1cEYxZ0YyeWpOakYyc2sKQnowcmoydjFFb2ZsSEhsZ1BnM2NyYkNON2RoSnF6RHhGQmFaeXdXRjZjYzFNYjVDMUgrUFFudXVGOEI2L0JTQQp0VEF5M3hpNUVlcWhxeGNxdG5BS0pnSXc3Q0dTUHZGQ280OG5lVzlmdERlNkFrcEpTMjhBNVBRVCtuZDY1T3VjClpqbnBGNzhGdkE5aXdsSjNxaE90WE5DWVlQOVhMWnNvSjNJK2ZLaEQ0dE9kRklta3dFS3RYUW9xRGtuUmdKeEYKMmFrNDdndnZuQkpKa1o4ZEhpYU85ZWlzL1R3Q2p2ekhQbk9oaEZqWmRmNlFOTlVMVERXcGp3YW1kSDQrd3VjVgpjQXpmUlhtbEVpbnIyaXlXQW5ycEZzdGlSeHRySDRFTytqb25MbXpmUlNOVnoxL0xXd0lEQVFBQm8xTXdVVEFkCkJnTlZIUTRFRmdRVWxJMXJ6b3FNZlZxbHFKZkJzYWt6bXJVZjl6OHdId1lEVlIwakJCZ3dGb0FVbEkxcnpvcU0KZlZxbHFKZkJzYWt6bXJVZjl6OHdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBZ0VBZXEwMTJPWGxNRE9OUVNaSXRnd3pUaURsVHE1MzNCekkrak50cWVUTzBZZUNwTGZYRlROUXFxdyt6WVFuCi80UVlacW5lSUhkTnByaFlkZDdORUc5ak5jaXV0dW4vZUNaZXZYVktPc3d6VHk3a2l5Nm9Rek1hZklVZ2dMMTUKV2JFZlU5c3JjT0xBOXFVN2MvUHdPQURzdEhQTVBuZ3Z4UzdqWmw2Z0cwNUFVMGcyYXF2bkRiVmtmY3M2SUxMUgpFRnNUTXBLK1lHaWhBU1NrUTBwbVpUTGdEem1HVWdVOFFvejZFWTAwMzZiZzZJbTJKL0RNUU9ic0MvQmVqb1EzCnkxQmJWR1Job0F2bytQYkprd0hzaUE2SythR3RZYXJmSzR2VUpoVEJMb0JHSElNRDlPbkVRc0pDT2JvWnhsVU4KYmwxZVhjOHFzQzVqVmNWOG9TakNWbmVOZ241aW1HYVFLdEVWdjdBYUNvL3RCYXJYNVJucEdKZ1h0bnhuNjVmVApYNUh3NENCR2RIeUtmZTliWjV0K2lFSm1WbTgva2M2Z216V2JmNVZUcmkyTUp0ZEFwWGlnRmxIYzZVK09uMnk5CitYbU9pbWVDbVA5WTNqcGdITkIxVVA0Q2hFSEg0azdmWDFaSkpYeGVLWERJTWFxWmFRYjZ5VCtDbFJvU2lsQSsKQU95dEd4c3B0OVpmemN4ZGRaTUdNYXcrQzlaYW5WTjNRVTZ1Tk0wOGYra2lkRkdJL29vN1pNZ0xaQ1RKWnozSQpINktFSkl1L1ZpWFlONTFlM1ZpV0srNFBBKzZjRXVmZzMwZE52cFExTVVuYW10Sjc2QXQ2UVJnY3NBMzVYemxWCkZ0RlV6VVFkZk1KQnBSVVR1ZEtvK2d0TG9oT1BkZXdYM2xaUVA4QkJCZWdrdlJzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t + pkiCertificateSubject: + email: test-user@example.com + - name: Should not allow policyType PKI but not set pki + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PKI + expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": pki is required when policyType is PKI, and forbidden otherwise" + - name: Should not allow pkiCertificateSubject invalid email + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PKI + pki: + caRootsData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ2ekNDQTZlZ0F3SUJBZ0lVRDVuLzdUMGszUHBVekMvZE5CRUVpWHhDaFVjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JqRUxNQWtHQTFVRUJoTUNSVk14RVRBUEJnTlZCQWNNQ0ZaaGJHVnVZMmxoTVFzd0NRWURWUVFLREFKSgpWREVSTUE4R0ExVUVDd3dJVTJWamRYSnBkSGt4TERBcUJnTlZCQU1NSTB4cGJuVjRaWEpoSUZKdmIzUWdRMlZ5CmRHbG1hV05oZEdVZ1FYVjBhRzl5YVhSNU1DQVhEVEkwTURneE1ERTNNVFF3TTFvWUR6SXdOVEV4TWpJMk1UY3gKTkRBeldqQnVNUXN3Q1FZRFZRUUdFd0pGVXpFUk1BOEdBMVVFQnd3SVZtRnNaVzVqYVdFeEN6QUpCZ05WQkFvTQpBa2xVTVJFd0R3WURWUVFMREFoVFpXTjFjbWwwZVRFc01Db0dBMVVFQXd3alRHbHVkWGhsY21FZ1VtOXZkQ0JEClpYSjBhV1pwWTJGMFpTQkJkWFJvYjNKcGRIa3dnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUsKQW9JQ0FRQ1h5ekpBSGRlY0NES0tpdFN4MlN0d215RWdUc2psRHhMdUpEUlZkUGVYZWpNTzVZQ1lxdW4raXl6awpkZm5jZ3k4TTlOTHU1bWZUSWpUZ3dLRVBHWHhpQjZ4VXVtNjRPUmt2RUVnT0oyV3JWV3M5NHJLL21iaTB4eUl1ClZjTlNFT0M0Ry9OY2VmYlFJY3JJNk5PV0xsRTN3WEFlRlNQVTNDTnJlbzV5NGlkNEtmR29oWlN1QXJJNkxZQzcKTm0vRlQ5cGgzZW5JdTBubVFjUGZYaU0xS2E2ZWpKK3hHMk5TdXRFL1dWVTNUL0JPVWM5b3MvWUJSbHlvakZGbwpkSHZ4L2lLRGpWZXBFOGRySXZMa1c1OEFoUXZNbmh4VVErWk1YdHhYaDlyVXZzOTdEdjNsdE85ek91STRaTGVsCmt2ZjRvWW5PbGltQm1SNk5zZlAvaUNZR1dLVVQ2VmUxZTZFbGkzaG5COElOQ2tzQmF1cEYxZ0YyeWpOakYyc2sKQnowcmoydjFFb2ZsSEhsZ1BnM2NyYkNON2RoSnF6RHhGQmFaeXdXRjZjYzFNYjVDMUgrUFFudXVGOEI2L0JTQQp0VEF5M3hpNUVlcWhxeGNxdG5BS0pnSXc3Q0dTUHZGQ280OG5lVzlmdERlNkFrcEpTMjhBNVBRVCtuZDY1T3VjClpqbnBGNzhGdkE5aXdsSjNxaE90WE5DWVlQOVhMWnNvSjNJK2ZLaEQ0dE9kRklta3dFS3RYUW9xRGtuUmdKeEYKMmFrNDdndnZuQkpKa1o4ZEhpYU85ZWlzL1R3Q2p2ekhQbk9oaEZqWmRmNlFOTlVMVERXcGp3YW1kSDQrd3VjVgpjQXpmUlhtbEVpbnIyaXlXQW5ycEZzdGlSeHRySDRFTytqb25MbXpmUlNOVnoxL0xXd0lEQVFBQm8xTXdVVEFkCkJnTlZIUTRFRmdRVWxJMXJ6b3FNZlZxbHFKZkJzYWt6bXJVZjl6OHdId1lEVlIwakJCZ3dGb0FVbEkxcnpvcU0KZlZxbHFKZkJzYWt6bXJVZjl6OHdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBZ0VBZXEwMTJPWGxNRE9OUVNaSXRnd3pUaURsVHE1MzNCekkrak50cWVUTzBZZUNwTGZYRlROUXFxdyt6WVFuCi80UVlacW5lSUhkTnByaFlkZDdORUc5ak5jaXV0dW4vZUNaZXZYVktPc3d6VHk3a2l5Nm9Rek1hZklVZ2dMMTUKV2JFZlU5c3JjT0xBOXFVN2MvUHdPQURzdEhQTVBuZ3Z4UzdqWmw2Z0cwNUFVMGcyYXF2bkRiVmtmY3M2SUxMUgpFRnNUTXBLK1lHaWhBU1NrUTBwbVpUTGdEem1HVWdVOFFvejZFWTAwMzZiZzZJbTJKL0RNUU9ic0MvQmVqb1EzCnkxQmJWR1Job0F2bytQYkprd0hzaUE2SythR3RZYXJmSzR2VUpoVEJMb0JHSElNRDlPbkVRc0pDT2JvWnhsVU4KYmwxZVhjOHFzQzVqVmNWOG9TakNWbmVOZ241aW1HYVFLdEVWdjdBYUNvL3RCYXJYNVJucEdKZ1h0bnhuNjVmVApYNUh3NENCR2RIeUtmZTliWjV0K2lFSm1WbTgva2M2Z216V2JmNVZUcmkyTUp0ZEFwWGlnRmxIYzZVK09uMnk5CitYbU9pbWVDbVA5WTNqcGdITkIxVVA0Q2hFSEg0azdmWDFaSkpYeGVLWERJTWFxWmFRYjZ5VCtDbFJvU2lsQSsKQU95dEd4c3B0OVpmemN4ZGRaTUdNYXcrQzlaYW5WTjNRVTZ1Tk0wOGYra2lkRkdJL29vN1pNZ0xaQ1RKWnozSQpINktFSkl1L1ZpWFlONTFlM1ZpV0srNFBBKzZjRXVmZzMwZE52cFExTVVuYW10Sjc2QXQ2UVJnY3NBMzVYemxWCkZ0RlV6VVFkZk1KQnBSVVR1ZEtvK2d0TG9oT1BkZXdYM2xaUVA4QkJCZWdrdlJzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t + pkiCertificateSubject: + email: invalid-email + expectedError: "spec.policy.rootOfTrust.pki.pkiCertificateSubject.email: Invalid value: \"string\": invalid email address in pkiCertificateSubject" + - name: Should not allow pkiCertificateSubject invalid hostname + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PKI + pki: + caRootsData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ2ekNDQTZlZ0F3SUJBZ0lVRDVuLzdUMGszUHBVekMvZE5CRUVpWHhDaFVjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2JqRUxNQWtHQTFVRUJoTUNSVk14RVRBUEJnTlZCQWNNQ0ZaaGJHVnVZMmxoTVFzd0NRWURWUVFLREFKSgpWREVSTUE4R0ExVUVDd3dJVTJWamRYSnBkSGt4TERBcUJnTlZCQU1NSTB4cGJuVjRaWEpoSUZKdmIzUWdRMlZ5CmRHbG1hV05oZEdVZ1FYVjBhRzl5YVhSNU1DQVhEVEkwTURneE1ERTNNVFF3TTFvWUR6SXdOVEV4TWpJMk1UY3gKTkRBeldqQnVNUXN3Q1FZRFZRUUdFd0pGVXpFUk1BOEdBMVVFQnd3SVZtRnNaVzVqYVdFeEN6QUpCZ05WQkFvTQpBa2xVTVJFd0R3WURWUVFMREFoVFpXTjFjbWwwZVRFc01Db0dBMVVFQXd3alRHbHVkWGhsY21FZ1VtOXZkQ0JEClpYSjBhV1pwWTJGMFpTQkJkWFJvYjNKcGRIa3dnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUsKQW9JQ0FRQ1h5ekpBSGRlY0NES0tpdFN4MlN0d215RWdUc2psRHhMdUpEUlZkUGVYZWpNTzVZQ1lxdW4raXl6awpkZm5jZ3k4TTlOTHU1bWZUSWpUZ3dLRVBHWHhpQjZ4VXVtNjRPUmt2RUVnT0oyV3JWV3M5NHJLL21iaTB4eUl1ClZjTlNFT0M0Ry9OY2VmYlFJY3JJNk5PV0xsRTN3WEFlRlNQVTNDTnJlbzV5NGlkNEtmR29oWlN1QXJJNkxZQzcKTm0vRlQ5cGgzZW5JdTBubVFjUGZYaU0xS2E2ZWpKK3hHMk5TdXRFL1dWVTNUL0JPVWM5b3MvWUJSbHlvakZGbwpkSHZ4L2lLRGpWZXBFOGRySXZMa1c1OEFoUXZNbmh4VVErWk1YdHhYaDlyVXZzOTdEdjNsdE85ek91STRaTGVsCmt2ZjRvWW5PbGltQm1SNk5zZlAvaUNZR1dLVVQ2VmUxZTZFbGkzaG5COElOQ2tzQmF1cEYxZ0YyeWpOakYyc2sKQnowcmoydjFFb2ZsSEhsZ1BnM2NyYkNON2RoSnF6RHhGQmFaeXdXRjZjYzFNYjVDMUgrUFFudXVGOEI2L0JTQQp0VEF5M3hpNUVlcWhxeGNxdG5BS0pnSXc3Q0dTUHZGQ280OG5lVzlmdERlNkFrcEpTMjhBNVBRVCtuZDY1T3VjClpqbnBGNzhGdkE5aXdsSjNxaE90WE5DWVlQOVhMWnNvSjNJK2ZLaEQ0dE9kRklta3dFS3RYUW9xRGtuUmdKeEYKMmFrNDdndnZuQkpKa1o4ZEhpYU85ZWlzL1R3Q2p2ekhQbk9oaEZqWmRmNlFOTlVMVERXcGp3YW1kSDQrd3VjVgpjQXpmUlhtbEVpbnIyaXlXQW5ycEZzdGlSeHRySDRFTytqb25MbXpmUlNOVnoxL0xXd0lEQVFBQm8xTXdVVEFkCkJnTlZIUTRFRmdRVWxJMXJ6b3FNZlZxbHFKZkJzYWt6bXJVZjl6OHdId1lEVlIwakJCZ3dGb0FVbEkxcnpvcU0KZlZxbHFKZkJzYWt6bXJVZjl6OHdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBZ0VBZXEwMTJPWGxNRE9OUVNaSXRnd3pUaURsVHE1MzNCekkrak50cWVUTzBZZUNwTGZYRlROUXFxdyt6WVFuCi80UVlacW5lSUhkTnByaFlkZDdORUc5ak5jaXV0dW4vZUNaZXZYVktPc3d6VHk3a2l5Nm9Rek1hZklVZ2dMMTUKV2JFZlU5c3JjT0xBOXFVN2MvUHdPQURzdEhQTVBuZ3Z4UzdqWmw2Z0cwNUFVMGcyYXF2bkRiVmtmY3M2SUxMUgpFRnNUTXBLK1lHaWhBU1NrUTBwbVpUTGdEem1HVWdVOFFvejZFWTAwMzZiZzZJbTJKL0RNUU9ic0MvQmVqb1EzCnkxQmJWR1Job0F2bytQYkprd0hzaUE2SythR3RZYXJmSzR2VUpoVEJMb0JHSElNRDlPbkVRc0pDT2JvWnhsVU4KYmwxZVhjOHFzQzVqVmNWOG9TakNWbmVOZ241aW1HYVFLdEVWdjdBYUNvL3RCYXJYNVJucEdKZ1h0bnhuNjVmVApYNUh3NENCR2RIeUtmZTliWjV0K2lFSm1WbTgva2M2Z216V2JmNVZUcmkyTUp0ZEFwWGlnRmxIYzZVK09uMnk5CitYbU9pbWVDbVA5WTNqcGdITkIxVVA0Q2hFSEg0azdmWDFaSkpYeGVLWERJTWFxWmFRYjZ5VCtDbFJvU2lsQSsKQU95dEd4c3B0OVpmemN4ZGRaTUdNYXcrQzlaYW5WTjNRVTZ1Tk0wOGYra2lkRkdJL29vN1pNZ0xaQ1RKWnozSQpINktFSkl1L1ZpWFlONTFlM1ZpV0srNFBBKzZjRXVmZzMwZE52cFExTVVuYW10Sjc2QXQ2UVJnY3NBMzVYemxWCkZ0RlV6VVFkZk1KQnBSVVR1ZEtvK2d0TG9oT1BkZXdYM2xaUVA4QkJCZWdrdlJzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t + pkiCertificateSubject: + hostname: invaild-.com + expectedError: "spec.policy.rootOfTrust.pki.pkiCertificateSubject.hostname: Invalid value: \"string\": invalid hostname in pkiCertificateSubject" + - name: Should not allow poliyType PKI but not set pki + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PKI + pki: {} + expectedError: "spec.policy.rootOfTrust.pki.caRootsData: Required value, spec.policy.rootOfTrust.pki.pkiCertificateSubject: Required value, : Invalid value: \"null\": some validation rules were not checked because the object was invalid; correct the existing errors to complete validation" + - name: Should not allow caRootsData not encoded from PEM + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: ImagePolicy + spec: + scopes: + - example.com + policy: + rootOfTrust: + policyType: PKI + pki: + caRootsData: Zm9vIGJhcg== + pkiCertificateSubject: + email: test-user@example.com + expectedError: "spec.policy.rootOfTrust.pki.caRootsData: Invalid value: \"string\": the caRootsData must start with base64 encoding of '-----BEGIN CERTIFICATE-----'." \ No newline at end of file diff --git a/config/v1alpha1/types_image_policy.go b/config/v1alpha1/types_image_policy.go index a177ddb0d66..f5c6954666a 100644 --- a/config/v1alpha1/types_image_policy.go +++ b/config/v1alpha1/types_image_policy.go @@ -73,10 +73,12 @@ type Policy struct { // +union // +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'PublicKey' ? has(self.publicKey) : !has(self.publicKey)",message="publicKey is required when policyType is PublicKey, and forbidden otherwise" // +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'FulcioCAWithRekor' ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)",message="fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise" +// +openshift:validation:FeatureGateAwareXValidation:featureGate=SigstoreImageVerificationPKI,rule="has(self.policyType) && self.policyType == 'PKI' ? has(self.pki) : !has(self.pki)",message="pki is required when policyType is PKI, and forbidden otherwise" type PolicyRootOfTrust struct { // policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. // "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. // "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. + // "PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. // +unionDiscriminator // +kubebuilder:validation:Required PolicyType PolicyType `json:"policyType"` @@ -88,14 +90,20 @@ type PolicyRootOfTrust struct { // https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor // +optional FulcioCAWithRekor *FulcioCAWithRekor `json:"fulcioCAWithRekor,omitempty"` + // pki defines the root of trust based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. + // +optional + // +openshift:enable:FeatureGate=SigstoreImageVerificationPKI + PKI *PKI `json:"pki,omitempty"` } -// +kubebuilder:validation:Enum=PublicKey;FulcioCAWithRekor +// +openshift:validation:FeatureGateAwareEnum:featureGate="",enum=PublicKey;FulcioCAWithRekor +// +openshift:validation:FeatureGateAwareEnum:featureGate=SigstoreImageVerificationPKI,enum=PublicKey;FulcioCAWithRekor;PKI type PolicyType string const ( PublicKeyRootOfTrust PolicyType = "PublicKey" FulcioCAWithRekorRootOfTrust PolicyType = "FulcioCAWithRekor" + PKIRootOfTrust PolicyType = "PKI" ) // PublicKey defines the root of trust based on a sigstore public key. @@ -143,6 +151,43 @@ type PolicyFulcioSubject struct { SignedEmail string `json:"signedEmail"` } +// PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates. +type PKI struct { + // caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 bytes. + // +required + // +kubebuilder:validation:MaxLength=8192 + // +kubebuilder:validation:XValidation:rule="string(self).startsWith('-----BEGIN CERTIFICATE-----')",message="the caRootsData must start with base64 encoding of '-----BEGIN CERTIFICATE-----'." + // +kubebuilder:validation:XValidation:rule="string(self).endsWith('-----END CERTIFICATE-----\n') || string(self).endsWith('-----END CERTIFICATE-----')",message="the caRootsData must end with base64 encoding of '-----END CERTIFICATE-----'." + CertificateAuthorityRootsData []byte `json:"caRootsData"` + // caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 bytes. + // caIntermediatesData requires CertificateAuthorityRoots to be set. + // +optional + // +kubebuilder:validation:XValidation:rule="string(self).startsWith('-----BEGIN CERTIFICATE-----')",message="the caIntermediatesData must start with base64 encoding of '-----BEGIN CERTIFICATE-----'." + // +kubebuilder:validation:XValidation:rule="string(self).endsWith('-----END CERTIFICATE-----\n') || string(self).endsWith('-----END CERTIFICATE-----')",message="the caIntermediatesData must end with base64 encoding of '-----END CERTIFICATE-----'." + // +kubebuilder:validation:MaxLength=8192 + CertificateAuthorityIntermediatesData []byte `json:"caIntermediatesData,omitempty"` + + // pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued. + // +required + PKICertificateSubject *PKICertificateSubject `json:"pkiCertificateSubject"` +} + +// PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued. +// +kubebuilder:validation:XValidation:rule="has(self.email) || has(self.hostname)", message="at least one of email or hostname must be set in pkiCertificateSubject" +// +openshift:enable:FeatureGate=SigstoreImageVerificationPKI +type PKICertificateSubject struct { + // email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. + // +optional + // +kubebuilder:validation:MaxLength:=320 + // +kubebuilder:validation:XValidation:rule=`self.matches('^\\S+@\\S+$')`,message="invalid email address in pkiCertificateSubject" + Email string `json:"email,omitempty"` + // hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. + // +optional + // +kubebuilder:validation:MaxLength:=253 + // +kubebuilder:validation:XValidation:rule="self.startsWith('*.') ? !format.dns1123Subdomain().validate(self.replace('*.', '', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()",message="hostname should be a valid dns 1123 subdomain name, optionally prefixed by '*.'. It should consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk." + Hostname string `json:"hostname,omitempty"` +} + // PolicyIdentity defines image identity the signature claims about the image. When omitted, the default matchPolicy is "MatchRepoDigestOrExact". // +kubebuilder:validation:XValidation:rule="(has(self.matchPolicy) && self.matchPolicy == 'ExactRepository') ? has(self.exactRepository) : !has(self.exactRepository)",message="exactRepository is required when matchPolicy is ExactRepository, and forbidden otherwise" // +kubebuilder:validation:XValidation:rule="(has(self.matchPolicy) && self.matchPolicy == 'RemapIdentity') ? has(self.remapIdentity) : !has(self.remapIdentity)",message="remapIdentity is required when matchPolicy is RemapIdentity, and forbidden otherwise" diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml index 4bf43427549..2ac2d491db8 100644 --- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml @@ -102,14 +102,94 @@ spec: - fulcioSubject - rekorKeyData type: object + pki: + description: pki defines the root of trust based on Bring + Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and + corresponding intermediate certificates. + properties: + caIntermediatesData: + description: |- + caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 bytes. + caIntermediatesData requires CertificateAuthorityRoots to be set. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the caIntermediatesData must start with base64 + encoding of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caIntermediatesData must end with base64 + encoding of '-----END CERTIFICATE-----'. + rule: |- + string(self).endsWith('-----END CERTIFICATE----- + ') || string(self).endsWith('-----END CERTIFICATE-----') + caRootsData: + description: caRootsData contains base64-encoded data + of a certificate bundle PEM file, which contains one + or more CA roots in the PEM format. The total length + of the data must not exceed 8192 bytes. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the caRootsData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caRootsData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: |- + string(self).endsWith('-----END CERTIFICATE----- + ') || string(self).endsWith('-----END CERTIFICATE-----') + pkiCertificateSubject: + description: pkiCertificateSubject defines the requirements + imposed on the subject to which the certificate was + issued. + properties: + email: + description: email specifies the expected email address + imposed on the subject to which the certificate + was issued, and must match the email address listed + in the Subject Alternative Name (SAN) field of the + certificate. + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address in pkiCertificateSubject + rule: self.matches('^\\S+@\\S+$') + hostname: + description: hostname specifies the expected hostname + imposed on the subject to which the certificate + was issued, and it must match the hostname listed + in the Subject Alternative Name (SAN) DNS field + of the certificate. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: hostname should be a valid dns 1123 subdomain + name, optionally prefixed by '*.'. It should consist + only of lowercase alphanumeric characters, hyphens, + periods and the optional preceding asterisk. + rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', + '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' + type: object + x-kubernetes-validations: + - message: at least one of email or hostname must be set + in pkiCertificateSubject + rule: has(self.email) || has(self.hostname) + required: + - caRootsData + - pkiCertificateSubject + type: object policyType: description: |- policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. + "PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. enum: - PublicKey - FulcioCAWithRekor + - PKI type: string publicKey: description: publicKey defines the root of trust based on @@ -136,6 +216,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml index 5881ce95955..471ec2f3361 100644 --- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml @@ -102,14 +102,94 @@ spec: - fulcioSubject - rekorKeyData type: object + pki: + description: pki defines the root of trust based on Bring + Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and + corresponding intermediate certificates. + properties: + caIntermediatesData: + description: |- + caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 bytes. + caIntermediatesData requires CertificateAuthorityRoots to be set. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the caIntermediatesData must start with base64 + encoding of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caIntermediatesData must end with base64 + encoding of '-----END CERTIFICATE-----'. + rule: |- + string(self).endsWith('-----END CERTIFICATE----- + ') || string(self).endsWith('-----END CERTIFICATE-----') + caRootsData: + description: caRootsData contains base64-encoded data + of a certificate bundle PEM file, which contains one + or more CA roots in the PEM format. The total length + of the data must not exceed 8192 bytes. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the caRootsData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caRootsData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: |- + string(self).endsWith('-----END CERTIFICATE----- + ') || string(self).endsWith('-----END CERTIFICATE-----') + pkiCertificateSubject: + description: pkiCertificateSubject defines the requirements + imposed on the subject to which the certificate was + issued. + properties: + email: + description: email specifies the expected email address + imposed on the subject to which the certificate + was issued, and must match the email address listed + in the Subject Alternative Name (SAN) field of the + certificate. + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address in pkiCertificateSubject + rule: self.matches('^\\S+@\\S+$') + hostname: + description: hostname specifies the expected hostname + imposed on the subject to which the certificate + was issued, and it must match the hostname listed + in the Subject Alternative Name (SAN) DNS field + of the certificate. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: hostname should be a valid dns 1123 subdomain + name, optionally prefixed by '*.'. It should consist + only of lowercase alphanumeric characters, hyphens, + periods and the optional preceding asterisk. + rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', + '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' + type: object + x-kubernetes-validations: + - message: at least one of email or hostname must be set + in pkiCertificateSubject + rule: has(self.email) || has(self.hostname) + required: + - caRootsData + - pkiCertificateSubject + type: object policyType: description: |- policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. + "PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. enum: - PublicKey - FulcioCAWithRekor + - PKI type: string publicKey: description: publicKey defines the root of trust based on @@ -136,6 +216,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml index bece5395b83..6c6a33d0814 100644 --- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml @@ -107,9 +107,7 @@ spec: policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. - enum: - - PublicKey - - FulcioCAWithRekor + "PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. type: string publicKey: description: publicKey defines the root of trust based on diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml index 58102a8d741..8c96aaf80ab 100644 --- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml @@ -102,14 +102,94 @@ spec: - fulcioSubject - rekorKeyData type: object + pki: + description: pki defines the root of trust based on Bring + Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and + corresponding intermediate certificates. + properties: + caIntermediatesData: + description: |- + caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 bytes. + caIntermediatesData requires CertificateAuthorityRoots to be set. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the caIntermediatesData must start with base64 + encoding of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caIntermediatesData must end with base64 + encoding of '-----END CERTIFICATE-----'. + rule: |- + string(self).endsWith('-----END CERTIFICATE----- + ') || string(self).endsWith('-----END CERTIFICATE-----') + caRootsData: + description: caRootsData contains base64-encoded data + of a certificate bundle PEM file, which contains one + or more CA roots in the PEM format. The total length + of the data must not exceed 8192 bytes. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the caRootsData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caRootsData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: |- + string(self).endsWith('-----END CERTIFICATE----- + ') || string(self).endsWith('-----END CERTIFICATE-----') + pkiCertificateSubject: + description: pkiCertificateSubject defines the requirements + imposed on the subject to which the certificate was + issued. + properties: + email: + description: email specifies the expected email address + imposed on the subject to which the certificate + was issued, and must match the email address listed + in the Subject Alternative Name (SAN) field of the + certificate. + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address in pkiCertificateSubject + rule: self.matches('^\\S+@\\S+$') + hostname: + description: hostname specifies the expected hostname + imposed on the subject to which the certificate + was issued, and it must match the hostname listed + in the Subject Alternative Name (SAN) DNS field + of the certificate. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: hostname should be a valid dns 1123 subdomain + name, optionally prefixed by '*.'. It should consist + only of lowercase alphanumeric characters, hyphens, + periods and the optional preceding asterisk. + rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', + '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' + type: object + x-kubernetes-validations: + - message: at least one of email or hostname must be set + in pkiCertificateSubject + rule: has(self.email) || has(self.hostname) + required: + - caRootsData + - pkiCertificateSubject + type: object policyType: description: |- policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. + "PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. enum: - PublicKey - FulcioCAWithRekor + - PKI type: string publicKey: description: publicKey defines the root of trust based on @@ -136,6 +216,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml index 4fb733479f2..5aa03b1c58f 100644 --- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml @@ -102,14 +102,94 @@ spec: - fulcioSubject - rekorKeyData type: object + pki: + description: pki defines the root of trust based on Bring + Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and + corresponding intermediate certificates. + properties: + caIntermediatesData: + description: |- + caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 bytes. + caIntermediatesData requires CertificateAuthorityRoots to be set. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the caIntermediatesData must start with base64 + encoding of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caIntermediatesData must end with base64 + encoding of '-----END CERTIFICATE-----'. + rule: |- + string(self).endsWith('-----END CERTIFICATE----- + ') || string(self).endsWith('-----END CERTIFICATE-----') + caRootsData: + description: caRootsData contains base64-encoded data + of a certificate bundle PEM file, which contains one + or more CA roots in the PEM format. The total length + of the data must not exceed 8192 bytes. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the caRootsData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caRootsData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: |- + string(self).endsWith('-----END CERTIFICATE----- + ') || string(self).endsWith('-----END CERTIFICATE-----') + pkiCertificateSubject: + description: pkiCertificateSubject defines the requirements + imposed on the subject to which the certificate was + issued. + properties: + email: + description: email specifies the expected email address + imposed on the subject to which the certificate + was issued, and must match the email address listed + in the Subject Alternative Name (SAN) field of the + certificate. + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address in pkiCertificateSubject + rule: self.matches('^\\S+@\\S+$') + hostname: + description: hostname specifies the expected hostname + imposed on the subject to which the certificate + was issued, and it must match the hostname listed + in the Subject Alternative Name (SAN) DNS field + of the certificate. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: hostname should be a valid dns 1123 subdomain + name, optionally prefixed by '*.'. It should consist + only of lowercase alphanumeric characters, hyphens, + periods and the optional preceding asterisk. + rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', + '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' + type: object + x-kubernetes-validations: + - message: at least one of email or hostname must be set + in pkiCertificateSubject + rule: has(self.email) || has(self.hostname) + required: + - caRootsData + - pkiCertificateSubject + type: object policyType: description: |- policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. + "PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. enum: - PublicKey - FulcioCAWithRekor + - PKI type: string publicKey: description: publicKey defines the root of trust based on @@ -136,6 +216,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml index 7b531611db2..86f26ea8104 100644 --- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml @@ -107,9 +107,7 @@ spec: policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. - enum: - - PublicKey - - FulcioCAWithRekor + "PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. type: string publicKey: description: publicKey defines the root of trust based on diff --git a/config/v1alpha1/zz_generated.deepcopy.go b/config/v1alpha1/zz_generated.deepcopy.go index ab39b5b9154..ee466b469f9 100644 --- a/config/v1alpha1/zz_generated.deepcopy.go +++ b/config/v1alpha1/zz_generated.deepcopy.go @@ -475,6 +475,53 @@ func (in *InsightsDataGatherStatus) DeepCopy() *InsightsDataGatherStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PKI) DeepCopyInto(out *PKI) { + *out = *in + if in.CertificateAuthorityRootsData != nil { + in, out := &in.CertificateAuthorityRootsData, &out.CertificateAuthorityRootsData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + if in.CertificateAuthorityIntermediatesData != nil { + in, out := &in.CertificateAuthorityIntermediatesData, &out.CertificateAuthorityIntermediatesData + *out = make([]byte, len(*in)) + copy(*out, *in) + } + if in.PKICertificateSubject != nil { + in, out := &in.PKICertificateSubject, &out.PKICertificateSubject + *out = new(PKICertificateSubject) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKI. +func (in *PKI) DeepCopy() *PKI { + if in == nil { + return nil + } + out := new(PKI) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PKICertificateSubject) DeepCopyInto(out *PKICertificateSubject) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKICertificateSubject. +func (in *PKICertificateSubject) DeepCopy() *PKICertificateSubject { + if in == nil { + return nil + } + out := new(PKICertificateSubject) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Policy) DeepCopyInto(out *Policy) { *out = *in @@ -580,6 +627,11 @@ func (in *PolicyRootOfTrust) DeepCopyInto(out *PolicyRootOfTrust) { *out = new(FulcioCAWithRekor) (*in).DeepCopyInto(*out) } + if in.PKI != nil { + in, out := &in.PKI, &out.PKI + *out = new(PKI) + (*in).DeepCopyInto(*out) + } return } diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml index 393365b41c3..176e0d907c3 100644 --- a/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml +++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml @@ -29,6 +29,7 @@ clusterimagepolicies.config.openshift.io: Category: "" FeatureGates: - SigstoreImageVerification + - SigstoreImageVerificationPKI FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_10" @@ -52,6 +53,7 @@ imagepolicies.config.openshift.io: Category: "" FeatureGates: - SigstoreImageVerification + - SigstoreImageVerificationPKI FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_10" diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml index 075d2cdaf79..9e6c1540ff5 100644 --- a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml +++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml @@ -107,9 +107,7 @@ spec: policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. - enum: - - PublicKey - - FulcioCAWithRekor + "PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. type: string publicKey: description: publicKey defines the root of trust based on diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml new file mode 100644 index 00000000000..868acc19c4d --- /dev/null +++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml @@ -0,0 +1,436 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/1457 + api.openshift.io/filename-cvo-runlevel: "0000_10" + api.openshift.io/filename-operator: config-operator + api.openshift.io/filename-ordering: "01" + feature-gate.release.openshift.io/SigstoreImageVerificationPKI: "true" + name: clusterimagepolicies.config.openshift.io +spec: + group: config.openshift.io + names: + kind: ClusterImagePolicy + listKind: ClusterImagePolicyList + plural: clusterimagepolicies + singular: clusterimagepolicy + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + ClusterImagePolicy holds cluster-wide configuration for image signature verification + + Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec contains the configuration for the cluster image policy. + properties: + policy: + description: |- + policy contains configuration to allow scopes to be verified, and defines how + images not matching the verification policy will be treated. + properties: + rootOfTrust: + description: rootOfTrust specifies the root of trust for the policy. + properties: + fulcioCAWithRekor: + description: |- + fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. + For more information about Fulcio and Rekor, please refer to the document at: + https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor + properties: + fulcioCAData: + description: |- + fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. + fulcioCAData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + fulcioSubject: + description: fulcioSubject specifies OIDC issuer and the + email of the Fulcio authentication configuration. + properties: + oidcIssuer: + description: |- + oidcIssuer contains the expected OIDC issuer. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. + Example: "https://expected.OIDC.issuer/" + type: string + x-kubernetes-validations: + - message: oidcIssuer must be a valid URL + rule: isURL(self) + signedEmail: + description: |- + signedEmail holds the email address the the Fulcio certificate is issued for. + Example: "expected-signing-user@example.com" + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + required: + - oidcIssuer + - signedEmail + type: object + rekorKeyData: + description: |- + rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + required: + - fulcioCAData + - fulcioSubject + - rekorKeyData + type: object + pki: + description: pki defines the root of trust based on Bring + Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and + corresponding intermediate certificates. + properties: + caIntermediatesData: + description: |- + caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 bytes. + caIntermediatesData requires CertificateAuthorityRoots to be set. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the caIntermediatesData must start with base64 + encoding of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caIntermediatesData must end with base64 + encoding of '-----END CERTIFICATE-----'. + rule: |- + string(self).endsWith('-----END CERTIFICATE----- + ') || string(self).endsWith('-----END CERTIFICATE-----') + caRootsData: + description: caRootsData contains base64-encoded data + of a certificate bundle PEM file, which contains one + or more CA roots in the PEM format. The total length + of the data must not exceed 8192 bytes. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the caRootsData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caRootsData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: |- + string(self).endsWith('-----END CERTIFICATE----- + ') || string(self).endsWith('-----END CERTIFICATE-----') + pkiCertificateSubject: + description: pkiCertificateSubject defines the requirements + imposed on the subject to which the certificate was + issued. + properties: + email: + description: email specifies the expected email address + imposed on the subject to which the certificate + was issued, and must match the email address listed + in the Subject Alternative Name (SAN) field of the + certificate. + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address in pkiCertificateSubject + rule: self.matches('^\\S+@\\S+$') + hostname: + description: hostname specifies the expected hostname + imposed on the subject to which the certificate + was issued, and it must match the hostname listed + in the Subject Alternative Name (SAN) DNS field + of the certificate. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: hostname should be a valid dns 1123 subdomain + name, optionally prefixed by '*.'. It should consist + only of lowercase alphanumeric characters, hyphens, + periods and the optional preceding asterisk. + rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', + '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' + type: object + x-kubernetes-validations: + - message: at least one of email or hostname must be set + in pkiCertificateSubject + rule: has(self.email) || has(self.hostname) + required: + - caRootsData + - pkiCertificateSubject + type: object + policyType: + description: |- + policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. + "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. + "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. + "PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + enum: + - PublicKey + - FulcioCAWithRekor + - PKI + type: string + publicKey: + description: publicKey defines the root of trust based on + a sigstore public key. + properties: + keyData: + description: |- + keyData contains inline base64-encoded data for the PEM format public key. + KeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + rekorKeyData: + description: |- + rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + required: + - keyData + type: object + required: + - policyType + type: object + x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' + - message: publicKey is required when policyType is PublicKey, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''PublicKey'' + ? has(self.publicKey) : !has(self.publicKey)' + - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' + ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' + signedIdentity: + description: signedIdentity specifies what image identity the + signature claims about the image. The required matchPolicy field + specifies the approach used in the verification process to verify + the identity in the signature and the actual image identity, + the default matchPolicy is "MatchRepoDigestOrExact". + properties: + exactRepository: + description: exactRepository is required if matchPolicy is + set to "ExactRepository". + properties: + repository: + description: |- + repository is the reference of the image identity to be matched. + The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - repository + type: object + matchPolicy: + description: |- + matchPolicy sets the type of matching to be used. + Valid values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". + If set matchPolicy to ExactRepository, then the exactRepository must be specified. + If set matchPolicy to RemapIdentity, then the remapIdentity must be specified. + "MatchRepoDigestOrExact" means that the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. + "MatchRepository" means that the identity in the signature must be in the same repository as the image identity. + "ExactRepository" means that the identity in the signature must be in the same repository as a specific identity specified by "repository". + "RemapIdentity" means that the signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. + enum: + - MatchRepoDigestOrExact + - MatchRepository + - ExactRepository + - RemapIdentity + type: string + remapIdentity: + description: remapIdentity is required if matchPolicy is set + to "RemapIdentity". + properties: + prefix: + description: |- + prefix is the prefix of the image identity to be matched. + If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). + This useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. + The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + signedPrefix: + description: |- + signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - prefix + - signedPrefix + type: object + required: + - matchPolicy + type: object + x-kubernetes-validations: + - message: exactRepository is required when matchPolicy is ExactRepository, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') + ? has(self.exactRepository) : !has(self.exactRepository)' + - message: remapIdentity is required when matchPolicy is RemapIdentity, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') + ? has(self.remapIdentity) : !has(self.remapIdentity)' + required: + - rootOfTrust + type: object + scopes: + description: |- + scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". + Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). + More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository + namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). + Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. + If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. + In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories + quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. + If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. + For additional details about the format, please refer to the document explaining the docker transport field, + which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker + items: + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid image scope format, scope must contain a fully + qualified domain name or 'localhost' + rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] + == ''localhost'' : true' + - message: invalid image scope with wildcard, a wildcard can only + be at the start of the domain and is only supported for subdomain + matching, not path matching + rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') + : true' + - message: invalid repository namespace or image specification in + the image scope + rule: '!self.contains(''*'') ? self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') + : true' + maxItems: 256 + type: array + x-kubernetes-list-type: set + required: + - policy + - scopes + type: object + status: + description: status contains the observed state of the resource. + properties: + conditions: + description: conditions provide details on the status of this API + Resource. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml index f74bdb973fb..fcfdf5d99ac 100644 --- a/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml +++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml @@ -107,9 +107,7 @@ spec: policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. - enum: - - PublicKey - - FulcioCAWithRekor + "PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. type: string publicKey: description: publicKey defines the root of trust based on diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml new file mode 100644 index 00000000000..d4c40034c65 --- /dev/null +++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml @@ -0,0 +1,436 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/1457 + api.openshift.io/filename-cvo-runlevel: "0000_10" + api.openshift.io/filename-operator: config-operator + api.openshift.io/filename-ordering: "01" + feature-gate.release.openshift.io/SigstoreImageVerificationPKI: "true" + name: imagepolicies.config.openshift.io +spec: + group: config.openshift.io + names: + kind: ImagePolicy + listKind: ImagePolicyList + plural: imagepolicies + singular: imagepolicy + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + ImagePolicy holds namespace-wide configuration for image signature verification + + Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + policy: + description: |- + policy contains configuration to allow scopes to be verified, and defines how + images not matching the verification policy will be treated. + properties: + rootOfTrust: + description: rootOfTrust specifies the root of trust for the policy. + properties: + fulcioCAWithRekor: + description: |- + fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. + For more information about Fulcio and Rekor, please refer to the document at: + https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor + properties: + fulcioCAData: + description: |- + fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. + fulcioCAData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + fulcioSubject: + description: fulcioSubject specifies OIDC issuer and the + email of the Fulcio authentication configuration. + properties: + oidcIssuer: + description: |- + oidcIssuer contains the expected OIDC issuer. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. + Example: "https://expected.OIDC.issuer/" + type: string + x-kubernetes-validations: + - message: oidcIssuer must be a valid URL + rule: isURL(self) + signedEmail: + description: |- + signedEmail holds the email address the the Fulcio certificate is issued for. + Example: "expected-signing-user@example.com" + type: string + x-kubernetes-validations: + - message: invalid email address + rule: self.matches('^\\S+@\\S+$') + required: + - oidcIssuer + - signedEmail + type: object + rekorKeyData: + description: |- + rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + required: + - fulcioCAData + - fulcioSubject + - rekorKeyData + type: object + pki: + description: pki defines the root of trust based on Bring + Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and + corresponding intermediate certificates. + properties: + caIntermediatesData: + description: |- + caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 bytes. + caIntermediatesData requires CertificateAuthorityRoots to be set. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the caIntermediatesData must start with base64 + encoding of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caIntermediatesData must end with base64 + encoding of '-----END CERTIFICATE-----'. + rule: |- + string(self).endsWith('-----END CERTIFICATE----- + ') || string(self).endsWith('-----END CERTIFICATE-----') + caRootsData: + description: caRootsData contains base64-encoded data + of a certificate bundle PEM file, which contains one + or more CA roots in the PEM format. The total length + of the data must not exceed 8192 bytes. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the caRootsData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caRootsData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: |- + string(self).endsWith('-----END CERTIFICATE----- + ') || string(self).endsWith('-----END CERTIFICATE-----') + pkiCertificateSubject: + description: pkiCertificateSubject defines the requirements + imposed on the subject to which the certificate was + issued. + properties: + email: + description: email specifies the expected email address + imposed on the subject to which the certificate + was issued, and must match the email address listed + in the Subject Alternative Name (SAN) field of the + certificate. + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address in pkiCertificateSubject + rule: self.matches('^\\S+@\\S+$') + hostname: + description: hostname specifies the expected hostname + imposed on the subject to which the certificate + was issued, and it must match the hostname listed + in the Subject Alternative Name (SAN) DNS field + of the certificate. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: hostname should be a valid dns 1123 subdomain + name, optionally prefixed by '*.'. It should consist + only of lowercase alphanumeric characters, hyphens, + periods and the optional preceding asterisk. + rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', + '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' + type: object + x-kubernetes-validations: + - message: at least one of email or hostname must be set + in pkiCertificateSubject + rule: has(self.email) || has(self.hostname) + required: + - caRootsData + - pkiCertificateSubject + type: object + policyType: + description: |- + policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. + "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. + "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. + "PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + enum: + - PublicKey + - FulcioCAWithRekor + - PKI + type: string + publicKey: + description: publicKey defines the root of trust based on + a sigstore public key. + properties: + keyData: + description: |- + keyData contains inline base64-encoded data for the PEM format public key. + KeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + rekorKeyData: + description: |- + rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. + rekorKeyData must be at most 8192 characters. + format: byte + maxLength: 8192 + type: string + required: + - keyData + type: object + required: + - policyType + type: object + x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' + - message: publicKey is required when policyType is PublicKey, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''PublicKey'' + ? has(self.publicKey) : !has(self.publicKey)' + - message: fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, + and forbidden otherwise + rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor'' + ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)' + signedIdentity: + description: signedIdentity specifies what image identity the + signature claims about the image. The required matchPolicy field + specifies the approach used in the verification process to verify + the identity in the signature and the actual image identity, + the default matchPolicy is "MatchRepoDigestOrExact". + properties: + exactRepository: + description: exactRepository is required if matchPolicy is + set to "ExactRepository". + properties: + repository: + description: |- + repository is the reference of the image identity to be matched. + The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - repository + type: object + matchPolicy: + description: |- + matchPolicy sets the type of matching to be used. + Valid values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact". + If set matchPolicy to ExactRepository, then the exactRepository must be specified. + If set matchPolicy to RemapIdentity, then the remapIdentity must be specified. + "MatchRepoDigestOrExact" means that the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. + "MatchRepository" means that the identity in the signature must be in the same repository as the image identity. + "ExactRepository" means that the identity in the signature must be in the same repository as a specific identity specified by "repository". + "RemapIdentity" means that the signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix. + enum: + - MatchRepoDigestOrExact + - MatchRepository + - ExactRepository + - RemapIdentity + type: string + remapIdentity: + description: remapIdentity is required if matchPolicy is set + to "RemapIdentity". + properties: + prefix: + description: |- + prefix is the prefix of the image identity to be matched. + If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). + This useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. + The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + signedPrefix: + description: |- + signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, + or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. + For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox. + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid repository or prefix in the signedIdentity, + should not include the tag or digest + rule: 'self.matches(''.*:([\\w][\\w.-]{0,127})$'')? + self.matches(''^(localhost:[0-9]+)$''): true' + - message: invalid repository or prefix in the signedIdentity + rule: self.matches('^(((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$') + required: + - prefix + - signedPrefix + type: object + required: + - matchPolicy + type: object + x-kubernetes-validations: + - message: exactRepository is required when matchPolicy is ExactRepository, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''ExactRepository'') + ? has(self.exactRepository) : !has(self.exactRepository)' + - message: remapIdentity is required when matchPolicy is RemapIdentity, + and forbidden otherwise + rule: '(has(self.matchPolicy) && self.matchPolicy == ''RemapIdentity'') + ? has(self.remapIdentity) : !has(self.remapIdentity)' + required: + - rootOfTrust + type: object + scopes: + description: |- + scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". + Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). + More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository + namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). + Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. + If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. + In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories + quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. + If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. + For additional details about the format, please refer to the document explaining the docker transport field, + which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker + items: + maxLength: 512 + type: string + x-kubernetes-validations: + - message: invalid image scope format, scope must contain a fully + qualified domain name or 'localhost' + rule: 'size(self.split(''/'')[0].split(''.'')) == 1 ? self.split(''/'')[0].split(''.'')[0].split('':'')[0] + == ''localhost'' : true' + - message: invalid image scope with wildcard, a wildcard can only + be at the start of the domain and is only supported for subdomain + matching, not path matching + rule: 'self.contains(''*'') ? self.matches(''^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$'') + : true' + - message: invalid repository namespace or image specification in + the image scope + rule: '!self.contains(''*'') ? self.matches(''^((((?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+(?::[0-9]+)?)|(localhost(?::[0-9]+)?))(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\\w][\\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$'') + : true' + maxItems: 256 + type: array + x-kubernetes-list-type: set + required: + - policy + - scopes + type: object + status: + description: status contains the observed state of the resource. + properties: + conditions: + description: conditions provide details on the status of this API + Resource. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/config/v1alpha1/zz_generated.swagger_doc_generated.go b/config/v1alpha1/zz_generated.swagger_doc_generated.go index 55468f38dac..c89474efd01 100644 --- a/config/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/config/v1alpha1/zz_generated.swagger_doc_generated.go @@ -167,6 +167,27 @@ func (ImagePolicyStatus) SwaggerDoc() map[string]string { return map_ImagePolicyStatus } +var map_PKI = map[string]string{ + "": "PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", + "caRootsData": "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 bytes. ", + "caIntermediatesData": "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 bytes. caIntermediatesData requires CertificateAuthorityRoots to be set. ", + "pkiCertificateSubject": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", +} + +func (PKI) SwaggerDoc() map[string]string { + return map_PKI +} + +var map_PKICertificateSubject = map[string]string{ + "": "PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", + "email": "email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate.", + "hostname": "hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate.", +} + +func (PKICertificateSubject) SwaggerDoc() map[string]string { + return map_PKICertificateSubject +} + var map_Policy = map[string]string{ "": "Policy defines the verification policy for the items in the scopes list.", "rootOfTrust": "rootOfTrust specifies the root of trust for the policy.", @@ -217,9 +238,10 @@ func (PolicyMatchRemapIdentity) SwaggerDoc() map[string]string { var map_PolicyRootOfTrust = map[string]string{ "": "PolicyRootOfTrust defines the root of trust based on the selected policyType.", - "policyType": "policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. \"PublicKey\" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. \"FulcioCAWithRekor\" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification.", + "policyType": "policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. \"PublicKey\" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. \"FulcioCAWithRekor\" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. \"PKI\" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", "publicKey": "publicKey defines the root of trust based on a sigstore public key.", "fulcioCAWithRekor": "fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor", + "pki": "pki defines the root of trust based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates.", } func (PolicyRootOfTrust) SwaggerDoc() map[string]string { diff --git a/features.md b/features.md index 50576155a72..1747dc40d16 100644 --- a/features.md +++ b/features.md @@ -7,6 +7,7 @@ | MachineAPIOperatorDisableMachineHealthCheckController| | | | | | | | MultiArchInstallAzure| | | | | | | | GatewayAPI| | | Enabled | Enabled | | | +| SigstoreImageVerificationPKI| | | Enabled | Enabled | | | | NewOLM| | Enabled | | Enabled | | Enabled | | AWSClusterHostedDNS| | | Enabled | Enabled | Enabled | Enabled | | AdditionalRoutingCapabilities| | | Enabled | Enabled | Enabled | Enabled | diff --git a/features/features.go b/features/features.go index dcaf5712c02..2f15589d61b 100644 --- a/features/features.go +++ b/features/features.go @@ -171,6 +171,14 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + FeatureGateSigstoreImageVerificationPKI = newFeatureGate("SigstoreImageVerificationPKI"). + reportProblemsToJiraComponent("node"). + contactPerson("QiWang"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1658"). + enableIn(configv1.DevPreviewNoUpgrade). + mustRegister() + FeatureGateGCPLabelsTags = newFeatureGate("GCPLabelsTags"). reportProblemsToJiraComponent("Installer"). contactPerson("bhb"). diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index 719cf8994d6..e45b8e41e8b 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -418,6 +418,8 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1alpha1.InsightsDataGatherList": schema_openshift_api_config_v1alpha1_InsightsDataGatherList(ref), "github.com/openshift/api/config/v1alpha1.InsightsDataGatherSpec": schema_openshift_api_config_v1alpha1_InsightsDataGatherSpec(ref), "github.com/openshift/api/config/v1alpha1.InsightsDataGatherStatus": schema_openshift_api_config_v1alpha1_InsightsDataGatherStatus(ref), + "github.com/openshift/api/config/v1alpha1.PKI": schema_openshift_api_config_v1alpha1_PKI(ref), + "github.com/openshift/api/config/v1alpha1.PKICertificateSubject": schema_openshift_api_config_v1alpha1_PKICertificateSubject(ref), "github.com/openshift/api/config/v1alpha1.Policy": schema_openshift_api_config_v1alpha1_Policy(ref), "github.com/openshift/api/config/v1alpha1.PolicyFulcioSubject": schema_openshift_api_config_v1alpha1_PolicyFulcioSubject(ref), "github.com/openshift/api/config/v1alpha1.PolicyIdentity": schema_openshift_api_config_v1alpha1_PolicyIdentity(ref), @@ -20866,6 +20868,69 @@ func schema_openshift_api_config_v1alpha1_InsightsDataGatherStatus(ref common.Re } } +func schema_openshift_api_config_v1alpha1_PKI(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "caRootsData": { + SchemaProps: spec.SchemaProps{ + Description: "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 bytes.", + Type: []string{"string"}, + Format: "byte", + }, + }, + "caIntermediatesData": { + SchemaProps: spec.SchemaProps{ + Description: "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 bytes. caIntermediatesData requires CertificateAuthorityRoots to be set.", + Type: []string{"string"}, + Format: "byte", + }, + }, + "pkiCertificateSubject": { + SchemaProps: spec.SchemaProps{ + Description: "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", + Ref: ref("github.com/openshift/api/config/v1alpha1.PKICertificateSubject"), + }, + }, + }, + Required: []string{"caRootsData", "pkiCertificateSubject"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.PKICertificateSubject"}, + } +} + +func schema_openshift_api_config_v1alpha1_PKICertificateSubject(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "email": { + SchemaProps: spec.SchemaProps{ + Description: "email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate.", + Type: []string{"string"}, + Format: "", + }, + }, + "hostname": { + SchemaProps: spec.SchemaProps{ + Description: "hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + } +} + func schema_openshift_api_config_v1alpha1_Policy(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -21034,7 +21099,7 @@ func schema_openshift_api_config_v1alpha1_PolicyRootOfTrust(ref common.Reference Properties: map[string]spec.Schema{ "policyType": { SchemaProps: spec.SchemaProps{ - Description: "policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. \"PublicKey\" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. \"FulcioCAWithRekor\" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification.", + Description: "policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. \"PublicKey\" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. \"FulcioCAWithRekor\" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. \"PKI\" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", Default: "", Type: []string{"string"}, Format: "", @@ -21052,6 +21117,12 @@ func schema_openshift_api_config_v1alpha1_PolicyRootOfTrust(ref common.Reference Ref: ref("github.com/openshift/api/config/v1alpha1.FulcioCAWithRekor"), }, }, + "pki": { + SchemaProps: spec.SchemaProps{ + Description: "pki defines the root of trust based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates.", + Ref: ref("github.com/openshift/api/config/v1alpha1.PKI"), + }, + }, }, Required: []string{"policyType"}, }, @@ -21062,6 +21133,7 @@ func schema_openshift_api_config_v1alpha1_PolicyRootOfTrust(ref common.Reference "discriminator": "policyType", "fields-to-discriminateBy": map[string]interface{}{ "fulcioCAWithRekor": "FulcioCAWithRekor", + "pki": "PKI", "publicKey": "PublicKey", }, }, @@ -21070,7 +21142,7 @@ func schema_openshift_api_config_v1alpha1_PolicyRootOfTrust(ref common.Reference }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1alpha1.FulcioCAWithRekor", "github.com/openshift/api/config/v1alpha1.PublicKey"}, + "github.com/openshift/api/config/v1alpha1.FulcioCAWithRekor", "github.com/openshift/api/config/v1alpha1.PKI", "github.com/openshift/api/config/v1alpha1.PublicKey"}, } } diff --git a/openapi/openapi.json b/openapi/openapi.json index f43d3613467..60b75b3a11f 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json @@ -11380,6 +11380,44 @@ "com.github.openshift.api.config.v1alpha1.InsightsDataGatherStatus": { "type": "object" }, + "com.github.openshift.api.config.v1alpha1.PKI": { + "description": "PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", + "type": "object", + "required": [ + "caRootsData", + "pkiCertificateSubject" + ], + "properties": { + "caIntermediatesData": { + "description": "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 bytes. caIntermediatesData requires CertificateAuthorityRoots to be set.", + "type": "string", + "format": "byte" + }, + "caRootsData": { + "description": "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 bytes.", + "type": "string", + "format": "byte" + }, + "pkiCertificateSubject": { + "description": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PKICertificateSubject" + } + } + }, + "com.github.openshift.api.config.v1alpha1.PKICertificateSubject": { + "description": "PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", + "type": "object", + "properties": { + "email": { + "description": "email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate.", + "type": "string" + }, + "hostname": { + "description": "hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate.", + "type": "string" + } + } + }, "com.github.openshift.api.config.v1alpha1.Policy": { "description": "Policy defines the verification policy for the items in the scopes list.", "type": "object", @@ -11493,8 +11531,12 @@ "description": "fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor", "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.FulcioCAWithRekor" }, + "pki": { + "description": "pki defines the root of trust based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates.", + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PKI" + }, "policyType": { - "description": "policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. \"PublicKey\" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. \"FulcioCAWithRekor\" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification.", + "description": "policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. \"PublicKey\" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. \"FulcioCAWithRekor\" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. \"PKI\" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", "type": "string", "default": "" }, @@ -11508,6 +11550,7 @@ "discriminator": "policyType", "fields-to-discriminateBy": { "fulcioCAWithRekor": "FulcioCAWithRekor", + "pki": "PKI", "publicKey": "PublicKey" } } diff --git a/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml index 4bf43427549..2ac2d491db8 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml @@ -102,14 +102,94 @@ spec: - fulcioSubject - rekorKeyData type: object + pki: + description: pki defines the root of trust based on Bring + Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and + corresponding intermediate certificates. + properties: + caIntermediatesData: + description: |- + caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 bytes. + caIntermediatesData requires CertificateAuthorityRoots to be set. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the caIntermediatesData must start with base64 + encoding of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caIntermediatesData must end with base64 + encoding of '-----END CERTIFICATE-----'. + rule: |- + string(self).endsWith('-----END CERTIFICATE----- + ') || string(self).endsWith('-----END CERTIFICATE-----') + caRootsData: + description: caRootsData contains base64-encoded data + of a certificate bundle PEM file, which contains one + or more CA roots in the PEM format. The total length + of the data must not exceed 8192 bytes. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the caRootsData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caRootsData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: |- + string(self).endsWith('-----END CERTIFICATE----- + ') || string(self).endsWith('-----END CERTIFICATE-----') + pkiCertificateSubject: + description: pkiCertificateSubject defines the requirements + imposed on the subject to which the certificate was + issued. + properties: + email: + description: email specifies the expected email address + imposed on the subject to which the certificate + was issued, and must match the email address listed + in the Subject Alternative Name (SAN) field of the + certificate. + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address in pkiCertificateSubject + rule: self.matches('^\\S+@\\S+$') + hostname: + description: hostname specifies the expected hostname + imposed on the subject to which the certificate + was issued, and it must match the hostname listed + in the Subject Alternative Name (SAN) DNS field + of the certificate. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: hostname should be a valid dns 1123 subdomain + name, optionally prefixed by '*.'. It should consist + only of lowercase alphanumeric characters, hyphens, + periods and the optional preceding asterisk. + rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', + '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' + type: object + x-kubernetes-validations: + - message: at least one of email or hostname must be set + in pkiCertificateSubject + rule: has(self.email) || has(self.hostname) + required: + - caRootsData + - pkiCertificateSubject + type: object policyType: description: |- policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. + "PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. enum: - PublicKey - FulcioCAWithRekor + - PKI type: string publicKey: description: publicKey defines the root of trust based on @@ -136,6 +216,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' diff --git a/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml index 5881ce95955..471ec2f3361 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml @@ -102,14 +102,94 @@ spec: - fulcioSubject - rekorKeyData type: object + pki: + description: pki defines the root of trust based on Bring + Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and + corresponding intermediate certificates. + properties: + caIntermediatesData: + description: |- + caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 bytes. + caIntermediatesData requires CertificateAuthorityRoots to be set. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the caIntermediatesData must start with base64 + encoding of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caIntermediatesData must end with base64 + encoding of '-----END CERTIFICATE-----'. + rule: |- + string(self).endsWith('-----END CERTIFICATE----- + ') || string(self).endsWith('-----END CERTIFICATE-----') + caRootsData: + description: caRootsData contains base64-encoded data + of a certificate bundle PEM file, which contains one + or more CA roots in the PEM format. The total length + of the data must not exceed 8192 bytes. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the caRootsData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caRootsData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: |- + string(self).endsWith('-----END CERTIFICATE----- + ') || string(self).endsWith('-----END CERTIFICATE-----') + pkiCertificateSubject: + description: pkiCertificateSubject defines the requirements + imposed on the subject to which the certificate was + issued. + properties: + email: + description: email specifies the expected email address + imposed on the subject to which the certificate + was issued, and must match the email address listed + in the Subject Alternative Name (SAN) field of the + certificate. + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address in pkiCertificateSubject + rule: self.matches('^\\S+@\\S+$') + hostname: + description: hostname specifies the expected hostname + imposed on the subject to which the certificate + was issued, and it must match the hostname listed + in the Subject Alternative Name (SAN) DNS field + of the certificate. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: hostname should be a valid dns 1123 subdomain + name, optionally prefixed by '*.'. It should consist + only of lowercase alphanumeric characters, hyphens, + periods and the optional preceding asterisk. + rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', + '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' + type: object + x-kubernetes-validations: + - message: at least one of email or hostname must be set + in pkiCertificateSubject + rule: has(self.email) || has(self.hostname) + required: + - caRootsData + - pkiCertificateSubject + type: object policyType: description: |- policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. + "PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. enum: - PublicKey - FulcioCAWithRekor + - PKI type: string publicKey: description: publicKey defines the root of trust based on @@ -136,6 +216,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' diff --git a/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml index bece5395b83..6c6a33d0814 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml @@ -107,9 +107,7 @@ spec: policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. - enum: - - PublicKey - - FulcioCAWithRekor + "PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. type: string publicKey: description: publicKey defines the root of trust based on diff --git a/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml index 58102a8d741..8c96aaf80ab 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml @@ -102,14 +102,94 @@ spec: - fulcioSubject - rekorKeyData type: object + pki: + description: pki defines the root of trust based on Bring + Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and + corresponding intermediate certificates. + properties: + caIntermediatesData: + description: |- + caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 bytes. + caIntermediatesData requires CertificateAuthorityRoots to be set. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the caIntermediatesData must start with base64 + encoding of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caIntermediatesData must end with base64 + encoding of '-----END CERTIFICATE-----'. + rule: |- + string(self).endsWith('-----END CERTIFICATE----- + ') || string(self).endsWith('-----END CERTIFICATE-----') + caRootsData: + description: caRootsData contains base64-encoded data + of a certificate bundle PEM file, which contains one + or more CA roots in the PEM format. The total length + of the data must not exceed 8192 bytes. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the caRootsData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caRootsData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: |- + string(self).endsWith('-----END CERTIFICATE----- + ') || string(self).endsWith('-----END CERTIFICATE-----') + pkiCertificateSubject: + description: pkiCertificateSubject defines the requirements + imposed on the subject to which the certificate was + issued. + properties: + email: + description: email specifies the expected email address + imposed on the subject to which the certificate + was issued, and must match the email address listed + in the Subject Alternative Name (SAN) field of the + certificate. + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address in pkiCertificateSubject + rule: self.matches('^\\S+@\\S+$') + hostname: + description: hostname specifies the expected hostname + imposed on the subject to which the certificate + was issued, and it must match the hostname listed + in the Subject Alternative Name (SAN) DNS field + of the certificate. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: hostname should be a valid dns 1123 subdomain + name, optionally prefixed by '*.'. It should consist + only of lowercase alphanumeric characters, hyphens, + periods and the optional preceding asterisk. + rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', + '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' + type: object + x-kubernetes-validations: + - message: at least one of email or hostname must be set + in pkiCertificateSubject + rule: has(self.email) || has(self.hostname) + required: + - caRootsData + - pkiCertificateSubject + type: object policyType: description: |- policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. + "PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. enum: - PublicKey - FulcioCAWithRekor + - PKI type: string publicKey: description: publicKey defines the root of trust based on @@ -136,6 +216,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' diff --git a/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml index 4fb733479f2..5aa03b1c58f 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml @@ -102,14 +102,94 @@ spec: - fulcioSubject - rekorKeyData type: object + pki: + description: pki defines the root of trust based on Bring + Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and + corresponding intermediate certificates. + properties: + caIntermediatesData: + description: |- + caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 bytes. + caIntermediatesData requires CertificateAuthorityRoots to be set. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the caIntermediatesData must start with base64 + encoding of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caIntermediatesData must end with base64 + encoding of '-----END CERTIFICATE-----'. + rule: |- + string(self).endsWith('-----END CERTIFICATE----- + ') || string(self).endsWith('-----END CERTIFICATE-----') + caRootsData: + description: caRootsData contains base64-encoded data + of a certificate bundle PEM file, which contains one + or more CA roots in the PEM format. The total length + of the data must not exceed 8192 bytes. + format: byte + maxLength: 8192 + type: string + x-kubernetes-validations: + - message: the caRootsData must start with base64 encoding + of '-----BEGIN CERTIFICATE-----'. + rule: string(self).startsWith('-----BEGIN CERTIFICATE-----') + - message: the caRootsData must end with base64 encoding + of '-----END CERTIFICATE-----'. + rule: |- + string(self).endsWith('-----END CERTIFICATE----- + ') || string(self).endsWith('-----END CERTIFICATE-----') + pkiCertificateSubject: + description: pkiCertificateSubject defines the requirements + imposed on the subject to which the certificate was + issued. + properties: + email: + description: email specifies the expected email address + imposed on the subject to which the certificate + was issued, and must match the email address listed + in the Subject Alternative Name (SAN) field of the + certificate. + maxLength: 320 + type: string + x-kubernetes-validations: + - message: invalid email address in pkiCertificateSubject + rule: self.matches('^\\S+@\\S+$') + hostname: + description: hostname specifies the expected hostname + imposed on the subject to which the certificate + was issued, and it must match the hostname listed + in the Subject Alternative Name (SAN) DNS field + of the certificate. + maxLength: 253 + type: string + x-kubernetes-validations: + - message: hostname should be a valid dns 1123 subdomain + name, optionally prefixed by '*.'. It should consist + only of lowercase alphanumeric characters, hyphens, + periods and the optional preceding asterisk. + rule: 'self.startsWith(''*.'') ? !format.dns1123Subdomain().validate(self.replace(''*.'', + '''', 1)).hasValue() : !format.dns1123Subdomain().validate(self).hasValue()' + type: object + x-kubernetes-validations: + - message: at least one of email or hostname must be set + in pkiCertificateSubject + rule: has(self.email) || has(self.hostname) + required: + - caRootsData + - pkiCertificateSubject + type: object policyType: description: |- policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. + "PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. enum: - PublicKey - FulcioCAWithRekor + - PKI type: string publicKey: description: publicKey defines the root of trust based on @@ -136,6 +216,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' diff --git a/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml index 7b531611db2..86f26ea8104 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml @@ -107,9 +107,7 @@ spec: policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. - enum: - - PublicKey - - FulcioCAWithRekor + "PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. type: string publicKey: description: publicKey defines the root of trust based on diff --git a/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml b/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml index a6c802e3d1e..a0bdacbc07a 100644 --- a/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml +++ b/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml @@ -151,6 +151,9 @@ { "name": "SigstoreImageVerification" }, + { + "name": "SigstoreImageVerificationPKI" + }, { "name": "TranslateStreamCloseWebsocketRequests" }, diff --git a/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml index 6ec226a1af3..9f635a70c80 100644 --- a/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml +++ b/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml @@ -227,6 +227,9 @@ { "name": "SigstoreImageVerification" }, + { + "name": "SigstoreImageVerificationPKI" + }, { "name": "TranslateStreamCloseWebsocketRequests" }, diff --git a/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml index 404c7d4d9f8..c604ad9d191 100644 --- a/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml +++ b/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml @@ -38,6 +38,9 @@ }, { "name": "NewOLM" + }, + { + "name": "SigstoreImageVerificationPKI" } ], "enabled": [ diff --git a/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml b/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml index 06d18accaea..7e45fd2c66b 100644 --- a/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml +++ b/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml @@ -151,6 +151,9 @@ { "name": "SigstoreImageVerification" }, + { + "name": "SigstoreImageVerificationPKI" + }, { "name": "TranslateStreamCloseWebsocketRequests" }, diff --git a/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml index 13a79357ad6..69d11517594 100644 --- a/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml +++ b/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml @@ -227,6 +227,9 @@ { "name": "SigstoreImageVerification" }, + { + "name": "SigstoreImageVerificationPKI" + }, { "name": "TranslateStreamCloseWebsocketRequests" }, diff --git a/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml index b085aa4e23d..79639ed6df6 100644 --- a/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml +++ b/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml @@ -35,6 +35,9 @@ }, { "name": "MultiArchInstallAzure" + }, + { + "name": "SigstoreImageVerificationPKI" } ], "enabled": [