Documentation
Index
- Constants
- Variables
- func ValidatePolicy(ctx context.Context, policyConfig string) error
- type FakeKubernetesClient
- type Options
- type Policy
- func NewInertPolicy(ctx context.Context, policyRef string) (Policy, error)
- func NewInputPolicy(ctx context.Context, policyRef string, effectiveTime string) (Policy, error)
- func NewOfflinePolicy(ctx context.Context, effectiveTime string) (Policy, error)
- func NewPolicy(ctx context.Context, opts Options) (Policy, error)
- func PreProcessPolicy(ctx context.Context, policyOptions Options) (Policy, *cache.PolicyCache, error)
- type SigstoreOpts
Constants
const (
	Now           = "now"
	AtAttestation = "attestation"
	DateFormat    = "2006-01-02"
)
Variables
var PolicySourcesFrom = source.PolicySourcesFrom
Functions
Types
type FakeKubernetesClient
type FakeKubernetesClient struct {
	Policy     ecc.EnterpriseContractPolicySpec
	Snapshot   app.SnapshotSpec
	FetchError bool
}
func (*FakeKubernetesClient) FetchEnterpriseContractPolicy
func (c *FakeKubernetesClient) FetchEnterpriseContractPolicy(ctx context.Context, ref string) (*ecc.EnterpriseContractPolicy, error)
func (*FakeKubernetesClient) FetchSnapshot
type Policy
type Policy interface {
	PublicKeyPEM() ([]byte, error)
	CheckOpts() (*cosign.CheckOpts, error)
	WithSpec(spec ecc.EnterpriseContractPolicySpec) Policy
	Spec() ecc.EnterpriseContractPolicySpec
	EffectiveTime() time.Time
	AttestationTime(time.Time)
	Identity() cosign.Identity
	Keyless() bool
	SigstoreOpts() (SigstoreOpts, error)
}
func NewInertPolicy
NewInertPolicy constructs and returns a new instance of Policy that doesn't perform strict checks on the consistency of the policy.
The policyRef parameter is expected to be either a JSON-encoded instance of EnterpriseContractPolicySpec, or a reference to the location of the EnterpriseContractPolicy resource in Kubernetes using the format: [namespace/]name
If policyRef is blank, an empty EnterpriseContractPolicySpec is used.
func NewInputPolicy
NewInputPolicy constructs and returns a new instance of Policy that doesn't perform strict checks on the consistency of the policy, but can evaluate based on the provided effectiveTime.
The policyRef parameter is expected to be either a YAML/JSON-encoded instance of EnterpriseContractPolicySpec, or a reference to the location of the EnterpriseContractPolicy resource in Kubernetes using the format: [namespace/]name
If policyRef is blank, an empty EnterpriseContractPolicySpec is used.
func NewOfflinePolicy
NewOfflinePolicy constructs and returns a new instance of Policy that is used in offline scenarios, i.e. without cluster or specific services access, and with no signature verification being performed.
func NewPolicy
NewPolicy constructs and returns a new instance of Policy.
The policyRef parameter is expected to be either a JSON-encoded instance of EnterpriseContractPolicySpec, or a reference to the location of the EnterpriseContractPolicy resource in Kubernetes using the format: [namespace/]name
If policyRef is blank, an empty EnterpriseContractPolicySpec is used.
rekorUrl and publicKey provide a mechanism to overwrite the attributes of the same name in the EnterpriseContractPolicySpec.
The public key is resolved as part of object construction. If the public key is, for example, a reference to a Kubernetes resource, the cluster will be contacted.
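The three accepted forms of policyRef shared by NewInertPolicy, NewInputPolicy and NewPolicy (blank, inline JSON spec, `[namespace/]name`), together with the rekorUrl/publicKey override rule, as an added illustration. This is example code written for this page, not the package's own implementation: `policySpec` is a reduced stand-in for EnterpriseContractPolicySpec carrying only the two attributes the docs name, and the sample references are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// policySpec is a reduced stand-in for EnterpriseContractPolicySpec built for this
// example; it carries only the two attributes the package docs name as overridable.
type policySpec struct {
	PublicKey string `json:"publicKey,omitempty"`
	RekorUrl  string `json:"rekorUrl,omitempty"`
}

// policyRef is the outcome of classifying a policyRef string: an inline spec,
// or the namespace and name of an EnterpriseContractPolicy resource in a cluster.
type policyRef struct {
	Inline    *policySpec
	Namespace string
	Name      string
}

// resolvePolicyRef applies the three documented rules for policyRef:
// blank -> empty spec; JSON object -> decoded spec; otherwise "[namespace/]name".
func resolvePolicyRef(ref string) (policyRef, error) {
	ref = strings.TrimSpace(ref)
	if ref == "" {
		return policyRef{Inline: &policySpec{}}, nil
	}
	if strings.HasPrefix(ref, "{") {
		var spec policySpec
		if err := json.Unmarshal([]byte(ref), &spec); err != nil {
			return policyRef{}, fmt.Errorf("policyRef looks like JSON but does not decode: %w", err)
		}
		return policyRef{Inline: &spec}, nil
	}
	parts := strings.Split(ref, "/")
	switch len(parts) {
	case 1:
		// Bare name: the resource is looked up in the caller's current namespace.
		return policyRef{Name: parts[0]}, nil
	case 2:
		if parts[0] == "" || parts[1] == "" {
			return policyRef{}, fmt.Errorf("policyRef %q: namespace and name must both be non-empty", ref)
		}
		return policyRef{Namespace: parts[0], Name: parts[1]}, nil
	default:
		return policyRef{}, fmt.Errorf("policyRef %q: expected [namespace/]name", ref)
	}
}

// applyOverrides mirrors the documented rekorUrl/publicKey behaviour: a non-empty
// override replaces the attribute of the same name, an empty one leaves it alone.
func applyOverrides(spec policySpec, rekorUrl, publicKey string) policySpec {
	if rekorUrl != "" {
		spec.RekorUrl = rekorUrl
	}
	if publicKey != "" {
		spec.PublicKey = publicKey
	}
	return spec
}

func main() {
	// Constructed inputs, one per documented form of policyRef plus a malformed one.
	for _, ref := range []string{
		"",
		`{"publicKey":"k8s://openshift-pipelines/public-key","rekorUrl":"https://rekor.sigstore.dev"}`,
		"ec-policy",
		"release-team/ec-policy",
		"a/b/c",
	} {
		r, err := resolvePolicyRef(ref)
		switch {
		case err != nil:
			fmt.Printf("%q -> error: %v\n", ref, err)
		case r.Inline != nil:
			fmt.Printf("%q -> inline spec %+v\n", ref, *r.Inline)
		default:
			fmt.Printf("%q -> cluster resource ns=%q name=%q\n", ref, r.Namespace, r.Name)
		}
	}
	fmt.Printf("override: %+v\n",
		applyOverrides(policySpec{RekorUrl: "https://rekor.sigstore.dev"}, "https://rekor.internal.example", ""))
}
```

The JSON branch is deliberately strict about decoding errors rather than falling through to the `[namespace/]name` branch: a policy string that was meant to be inline but is malformed should fail loudly, not be silently looked up as a cluster resource named after the broken text.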
func PreProcessPolicy added in v0.6.53
func PreProcessPolicy(ctx context.Context, policyOptions Options) (Policy, *cache.PolicyCache, error)
PreProcessPolicy fetches policy sources and returns a policy object with pinned SHA/image digest URL where applicable, along with a policy cache object.
type SigstoreOpts added in v0.4.0
type SigstoreOpts struct {
	CertificateIdentity         string `json:"certificate_identity"`
	CertificateIdentityRegExp   string `json:"certificate_identity_regexp"`
	CertificateOIDCIssuer       string `json:"certificate_oidc_issuer"`
	CertificateOIDCIssuerRegExp string `json:"certificate_oidc_issuer_regexp"`
	IgnoreRekor                 bool   `json:"ignore_rekor"`
	PublicKey                   string `json:"public_key"`
	RekorURL                    string `json:"rekor_url"`
}
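How the certificate identity and OIDC issuer fields of SigstoreOpts are typically applied when a policy runs keyless (Fulcio-certificate) verification, as an added example. The code is written for this page and is not the package's own verifier: the matching semantics (exact value and/or regular expression per field, at least one constraint for identity and one for issuer) follow the cosign convention the field names come from and are an assumption about this package; `signerIdentity` and the sample subjects and issuers are constructed. The example also shows the failure mode an unanchored `certificate_identity_regexp` introduces.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// SigstoreOpts reproduces the field set shown in the package documentation above.
type SigstoreOpts struct {
	CertificateIdentity         string `json:"certificate_identity"`
	CertificateIdentityRegExp   string `json:"certificate_identity_regexp"`
	CertificateOIDCIssuer       string `json:"certificate_oidc_issuer"`
	CertificateOIDCIssuerRegExp string `json:"certificate_oidc_issuer_regexp"`
	IgnoreRekor                 bool   `json:"ignore_rekor"`
	PublicKey                   string `json:"public_key"`
	RekorURL                    string `json:"rekor_url"`
}

// signerIdentity stands in for what a verifier extracts from a Fulcio-issued
// signing certificate: the subject (SAN) and the OIDC issuer extension. Constructed.
type signerIdentity struct {
	Subject string
	Issuer  string
}

// validateKeylessOpts requires at least one identity and one issuer constraint, so
// an empty option set can never accept every certificate the CA has ever issued.
func validateKeylessOpts(o SigstoreOpts) error {
	if o.CertificateIdentity == "" && o.CertificateIdentityRegExp == "" {
		return errors.New("keyless verification needs certificate_identity or certificate_identity_regexp")
	}
	if o.CertificateOIDCIssuer == "" && o.CertificateOIDCIssuerRegExp == "" {
		return errors.New("keyless verification needs certificate_oidc_issuer or certificate_oidc_issuer_regexp")
	}
	return nil
}

// matchField applies an exact value and/or a regular expression to one field;
// every configured constraint must hold.
func matchField(name, actual, exact, pattern string) error {
	if exact != "" && actual != exact {
		return fmt.Errorf("%s %q does not equal %q", name, actual, exact)
	}
	if pattern != "" {
		re, err := regexp.Compile(pattern)
		if err != nil {
			return fmt.Errorf("%s regexp %q: %w", name, pattern, err)
		}
		if !re.MatchString(actual) {
			return fmt.Errorf("%s %q does not match %q", name, actual, pattern)
		}
	}
	return nil
}

// matchIdentity returns nil when the signer satisfies every configured constraint.
func matchIdentity(o SigstoreOpts, id signerIdentity) error {
	if err := validateKeylessOpts(o); err != nil {
		return err
	}
	if err := matchField("certificate identity", id.Subject, o.CertificateIdentity, o.CertificateIdentityRegExp); err != nil {
		return err
	}
	return matchField("OIDC issuer", id.Issuer, o.CertificateOIDCIssuer, o.CertificateOIDCIssuerRegExp)
}

func main() {
	// Constructed identities: the expected CI workflow and a subject that merely
	// contains the expected string somewhere inside it.
	issuer := "https://token.actions.githubusercontent.com"
	expected := signerIdentity{Subject: "https://github.com/example-org/app/.github/workflows/release.yml@refs/heads/main", Issuer: issuer}
	lookalike := signerIdentity{Subject: "https://example.net/github.com/example-org/app/.github/workflows/release.yml@refs/heads/main", Issuer: issuer}

	anchored := SigstoreOpts{
		CertificateIdentityRegExp: `^https://github\.com/example-org/[^/]+/\.github/workflows/[^@]+@refs/heads/main$`,
		CertificateOIDCIssuer:     issuer,
	}
	loose := SigstoreOpts{CertificateIdentityRegExp: `github\.com/example-org/`, CertificateOIDCIssuer: issuer}

	for _, c := range []struct {
		name string
		opts SigstoreOpts
		id   signerIdentity
	}{
		{"anchored/expected", anchored, expected},
		{"anchored/lookalike", anchored, lookalike},
		{"loose/lookalike", loose, lookalike},
		{"no issuer constraint", SigstoreOpts{CertificateIdentity: expected.Subject}, expected},
	} {
		fmt.Printf("%-22s -> %v\n", c.name, matchIdentity(c.opts, c.id))
	}
}
```

The "loose/lookalike" case is the one to watch for in policy review: an unanchored regexp accepts any subject that contains the expected text, so identity patterns should be anchored with `^` and `$` and an exact `certificate_identity` preferred where the signing identity is fixed.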