type AttestationPolicy ¶
// AttestationPolicy names one attestation to check and, optionally, carries
// the inline policy that is evaluated against it.
type AttestationPolicy struct {
	// Name of the Attestation
	Name string `json:"name"`
	// PredicateType to attest, one of the predicate types accepted by
	// verify-attestation.
	PredicateType string `json:"predicateType"`
	// Type specifies how to evaluate policy, only rego/cue are understood.
	// NOTE(review): the field is omitempty and a plain string, so nothing in
	// this struct restricts its value. Where an empty or unrecognised Type is
	// rejected is not visible here; confirm the evaluator fails closed.
	Type string `json:"type,omitempty"`
	// Data is the inlined version of the Policy used to evaluate the
	// Attestation.
	// NOTE(review): this is policy source handed to the rego/cue evaluator,
	// so whoever can write it decides what passes; an empty Data is legal at
	// the struct level (omitempty). Confirm how "no policy" is handled.
	Data string `json:"data,omitempty"`
}
type Authority ¶
// Authority is one verification source of a ClusterImagePolicy: a key, a
// keyless or a static reference, plus the sources, log settings and
// attestation policies that go with it.
type Authority struct {
	// Name is the name for this authority. Used by the CIP Policy
	// validator to be able to reference matching signature or attestation
	// verifications.
	Name string `json:"name"`
	// Key, Keyless and Static are all optional pointers; the struct itself
	// does not enforce that exactly one of them is set.
	// NOTE(review): presumably that is validated on the external v1alpha1
	// type before conversion. Confirm that an Authority with none of the
	// three set cannot be treated as satisfied.
	// +optional
	Key *KeyRef `json:"key,omitempty"`
	// +optional
	Keyless *KeylessRef `json:"keyless,omitempty"`
	// +optional
	Static *StaticRef `json:"static,omitempty"`
	// Sources is serialized under the singular key "source".
	// +optional
	Sources []v1alpha1.Source `json:"source,omitempty"`
	// CTLog holds the v1alpha1.TLog settings for this authority.
	// +optional
	CTLog *v1alpha1.TLog `json:"ctlog,omitempty"`
	// RemoteOpts are not marshalled because they are an unsupported type
	// RemoteOpts will be populated by the Authority UnmarshalJSON override
	// Because of the json:"-" tag, an Authority constructed directly in Go
	// (rather than decoded from JSON) has no RemoteOpts unless the caller
	// sets them.
	// +optional
	RemoteOpts []ociremote.Option `json:"-"`
	// Attestations lists the attestation policies checked for this
	// authority.
	// +optional
	Attestations []AttestationPolicy `json:"attestations,omitempty"`
}
func (*Authority) SourceSignaturePullSecretsOpts ¶
func (a *Authority) SourceSignaturePullSecretsOpts(ctx context.Context, namespace string) ([]ociremote.Option, error)
SourceSignaturePullSecretsOpts creates the signaturePullSecrets remoteOpts. This is not stored in the Authority under RemoteOpts because the namespace can be different.
func (*Authority) UnmarshalJSON ¶
UnmarshalJSON populates the authority with the remoteOpts from authority sources
type ClusterImagePolicy ¶
// ClusterImagePolicy defines the images that go through verification and the
// authorities used for verification. It is the internal representation of
// the external v1alpha1.ClusterImagePolicy: KeyRef does not store secretRefs
// here, and it does store the publicKeys parsed from Data.
type ClusterImagePolicy struct {
	// Images holds the image patterns this policy applies to.
	Images []v1alpha1.ImagePattern `json:"images"`
	// Authorities are the verification sources checked for matching images.
	// NOTE(review): neither Images nor Authorities is omitempty, and the
	// struct does not enforce that they are non-empty. Confirm how a policy
	// with zero authorities is treated by the validator.
	Authorities []Authority `json:"authorities"`
	// Policy is an optional policy used to evaluate the results of valid
	// Authorities. Will not get evaluated unless at least one Authority
	// succeeds.
	Policy *AttestationPolicy `json:"policy,omitempty"`
}
ClusterImagePolicy defines the images that go through verification and the authorities used for verification. This is the internal representation of the external v1alpha1.ClusterImagePolicy. KeyRef does not store secretRefs in internal representation. KeyRef does store parsed publicKeys from Data in internal representation.
func ConvertClusterImagePolicyV1alpha1ToWebhook ¶
func ConvertClusterImagePolicyV1alpha1ToWebhook(in *v1alpha1.ClusterImagePolicy) *ClusterImagePolicy
type KeyRef ¶
// KeyRef carries a public verification key in the internal policy
// representation: the inline key material in Data and the keys parsed from
// it in PublicKeys.
type KeyRef struct {
	// Data contains the inline public key
	// +optional
	Data string `json:"data,omitempty"`
	// PublicKeys are not marshalled because JSON unmarshalling
	// errors for *big.Int
	// The json:"-" tag keeps them out of the default JSON codec in both
	// directions; the package documentation states that KeyRef.UnmarshalJSON
	// fills them from Data. crypto.PublicKey is an empty interface, so
	// consumers have to type-assert each entry to a concrete key type.
	// NOTE(review): a KeyRef built directly in Go with only Data set has an
	// empty PublicKeys slice. Verify that callers never treat "no keys" as
	// "nothing to verify".
	// +optional
	PublicKeys []crypto.PublicKey `json:"-"`
}
This references a public verification key stored in a secret in the cosign-system namespace.
func (*KeyRef) UnmarshalJSON ¶
UnmarshalJSON populates the PublicKeys using Data, because JSON unmarshalling errors for *big.Int.