Documentation ¶
Overview ¶
+k8s:deepcopy-gen=package +groupName=policy.sigstore.dev
Index ¶
- Constants
- Variables
- func Kind(kind string) schema.GroupKind
- func Resource(resource string) schema.GroupResource
- func SplitPEMCertificateChain(pem []byte) (leaves, intermediates, roots []*x509.Certificate, err error)
- func ValidateCertificateAuthority(ctx context.Context, ca CertificateAuthority) (errors *apis.FieldError)
- func ValidateDistinguishedName(ctx context.Context, dn DistinguishedName) (errors *apis.FieldError)
- func ValidateGlob(g string) *apis.FieldError
- func ValidateRegex(regex string) *apis.FieldError
- func ValidateRoot(ctx context.Context, rootJSON []byte) *apis.FieldError
- func ValidateTimeStampAuthority(ctx context.Context, ca CertificateAuthority) (errors *apis.FieldError)
- func ValidateTransparencyLogInstance(ctx context.Context, tli TransparencyLogInstance) (errors *apis.FieldError)
- type Attestation
- type Authority
- func (authority *Authority) ConvertFrom(ctx context.Context, source *v1beta1.Authority) error
- func (authority *Authority) ConvertTo(ctx context.Context, sink *v1beta1.Authority) error
- func (in *Authority) DeepCopy() *Authority
- func (in *Authority) DeepCopyInto(out *Authority)
- func (authority *Authority) Validate(ctx context.Context) *apis.FieldError
- type CertificateAuthority
- type ClusterImagePolicy
- func (c *ClusterImagePolicy) ConvertFrom(ctx context.Context, obj apis.Convertible) error
- func (c *ClusterImagePolicy) ConvertTo(ctx context.Context, obj apis.Convertible) error
- func (in *ClusterImagePolicy) DeepCopy() *ClusterImagePolicy
- func (in *ClusterImagePolicy) DeepCopyInto(out *ClusterImagePolicy)
- func (in *ClusterImagePolicy) DeepCopyObject() runtime.Object
- func (c *ClusterImagePolicy) GetGroupVersionKind() schema.GroupVersionKind
- func (c *ClusterImagePolicy) SetDefaults(ctx context.Context)
- func (c *ClusterImagePolicy) Validate(ctx context.Context) *apis.FieldError
- type ClusterImagePolicyList
- type ClusterImagePolicySpec
- func (spec *ClusterImagePolicySpec) ConvertFrom(ctx context.Context, source *v1beta1.ClusterImagePolicySpec) error
- func (spec *ClusterImagePolicySpec) ConvertTo(ctx context.Context, sink *v1beta1.ClusterImagePolicySpec) error
- func (in *ClusterImagePolicySpec) DeepCopy() *ClusterImagePolicySpec
- func (in *ClusterImagePolicySpec) DeepCopyInto(out *ClusterImagePolicySpec)
- func (spec *ClusterImagePolicySpec) SetDefaults(ctx context.Context)
- func (spec *ClusterImagePolicySpec) Validate(ctx context.Context) (errors *apis.FieldError)
- type ConfigMapReference
- type DistinguishedName
- type Identity
- type ImagePattern
- type KeyRef
- type KeylessRef
- type MatchResource
- func (matchResource *MatchResource) ConvertFrom(ctx context.Context, source *v1beta1.MatchResource) error
- func (matchResource *MatchResource) ConvertTo(ctx context.Context, sink *v1beta1.MatchResource) error
- func (in *MatchResource) DeepCopy() *MatchResource
- func (in *MatchResource) DeepCopyInto(out *MatchResource)
- func (matchResource *MatchResource) Validate(ctx context.Context) *apis.FieldError
- type Policy
- type RFC3161Timestamp
- type Remote
- type RemotePolicy
- type Repository
- type SigstoreKeys
- type Source
- type StaticRef
- type TLog
- type TransparencyLogInstance
- type TrustRoot
- func (in *TrustRoot) DeepCopy() *TrustRoot
- func (in *TrustRoot) DeepCopyInto(out *TrustRoot)
- func (in *TrustRoot) DeepCopyObject() runtime.Object
- func (c *TrustRoot) GetGroupVersionKind() schema.GroupVersionKind
- func (c *TrustRoot) SetDefaults(ctx context.Context)
- func (c *TrustRoot) Validate(ctx context.Context) *apis.FieldError
- type TrustRootList
- type TrustRootSpec
Constants ¶
const DefaultTUFRepoPrefix = "/repository/"
By default the TUF repo contains this prefix, so if it's there, remove it.
Variables ¶
var ( // SchemeBuilder builds a scheme with the types known to the package. SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes) // AddToScheme adds the types known to this package to an existing schema. AddToScheme = SchemeBuilder.AddToScheme )
var SchemeGroupVersion = schema.GroupVersion{Group: policy.GroupName, Version: "v1alpha1"}
SchemeGroupVersion is group version used to register these objects
Functions ¶
func Resource ¶
func Resource(resource string) schema.GroupResource
Resource takes an unqualified resource and returns a Group qualified GroupResource
func SplitPEMCertificateChain ¶ added in v0.6.0
func SplitPEMCertificateChain(pem []byte) (leaves, intermediates, roots []*x509.Certificate, err error)
SplitPEMCertificateChain returns a list of leaf (non-CA) certificates, a certificate pool for intermediate CA certificates, and a certificate pool for root CA certificates
func ValidateCertificateAuthority ¶ added in v0.6.0
func ValidateCertificateAuthority(ctx context.Context, ca CertificateAuthority) (errors *apis.FieldError)
func ValidateDistinguishedName ¶ added in v0.6.0
func ValidateDistinguishedName(ctx context.Context, dn DistinguishedName) (errors *apis.FieldError)
func ValidateGlob ¶
func ValidateGlob(g string) *apis.FieldError
ValidateGlob glob compilation by testing against empty string
func ValidateRegex ¶
func ValidateRegex(regex string) *apis.FieldError
func ValidateRoot ¶ added in v0.6.0
func ValidateRoot(ctx context.Context, rootJSON []byte) *apis.FieldError
func ValidateTimeStampAuthority ¶ added in v0.6.0
func ValidateTimeStampAuthority(ctx context.Context, ca CertificateAuthority) (errors *apis.FieldError)
func ValidateTransparencyLogInstance ¶ added in v0.6.0
func ValidateTransparencyLogInstance(ctx context.Context, tli TransparencyLogInstance) (errors *apis.FieldError)
Types ¶
type Attestation ¶
type Attestation struct { // Name of the attestation. These can then be referenced at the CIP level // policy. Name string `json:"name"` // PredicateType defines which predicate type to verify. Matches cosign verify-attestation options. PredicateType string `json:"predicateType"` // Policy defines all of the matching signatures, and all of // the matching attestations (whose attestations are verified). // +optional Policy *Policy `json:"policy,omitempty"` }
Attestation defines the type of attestation to validate and optionally apply a policy decision to it. Authority block is used to verify the specified attestation types, and if Policy is specified, then it's applied only after the validation of the Attestation signature has been verified.
func (*Attestation) DeepCopy ¶
func (in *Attestation) DeepCopy() *Attestation
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Attestation.
func (*Attestation) DeepCopyInto ¶
func (in *Attestation) DeepCopyInto(out *Attestation)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Attestation) Validate ¶
func (a *Attestation) Validate(ctx context.Context) *apis.FieldError
type Authority ¶
type Authority struct { // Name is the name for this authority. Used by the CIP Policy // validator to be able to reference matching signature or attestation // verifications. // If not specified, the name will be authority-<index in array> Name string `json:"name"` // Key defines the type of key to validate the image. // +optional Key *KeyRef `json:"key,omitempty"` // Keyless sets the configuration to verify the authority against a Fulcio instance. // +optional Keyless *KeylessRef `json:"keyless,omitempty"` // Static specifies that signatures / attestations are not validated but // instead a static policy is applied against matching images. // +optional Static *StaticRef `json:"static,omitempty"` // Sources sets the configuration to specify the sources from where to consume the signatures. // +optional Sources []Source `json:"source,omitempty"` // CTLog sets the configuration to verify the authority against a Rekor instance. // +optional CTLog *TLog `json:"ctlog,omitempty"` // Attestations is a list of individual attestations for this authority, // once the signature for this authority has been verified. // +optional Attestations []Attestation `json:"attestations,omitempty"` // RFC3161Timestamp sets the configuration to verify the signature timestamp against a RFC3161 time-stamping instance. // +optional RFC3161Timestamp *RFC3161Timestamp `json:"rfc3161timestamp,omitempty"` }
func (*Authority) ConvertFrom ¶
func (*Authority) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Authority.
func (*Authority) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CertificateAuthority ¶ added in v0.6.0
type CertificateAuthority struct { // The root certificate MUST be self-signed, and so the subject and // issuer are the same. Subject DistinguishedName `json:"subject"` // The URI at which the CA can be accessed. URI apis.URL `json:"uri"` // The certificate chain for this CA in PEM format. Last entry in this // chain is the Root certificate. CertChain []byte `json:"certChain"` }
func (*CertificateAuthority) DeepCopy ¶ added in v0.6.0
func (in *CertificateAuthority) DeepCopy() *CertificateAuthority
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAuthority.
func (*CertificateAuthority) DeepCopyInto ¶ added in v0.6.0
func (in *CertificateAuthority) DeepCopyInto(out *CertificateAuthority)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ClusterImagePolicy ¶
type ClusterImagePolicy struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata"` // Spec holds the desired state of the ClusterImagePolicy (from the client). Spec ClusterImagePolicySpec `json:"spec"` }
+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
func (*ClusterImagePolicy) ConvertFrom ¶
func (c *ClusterImagePolicy) ConvertFrom(ctx context.Context, obj apis.Convertible) error
ConvertFrom implements api.Convertible
func (*ClusterImagePolicy) ConvertTo ¶
func (c *ClusterImagePolicy) ConvertTo(ctx context.Context, obj apis.Convertible) error
ConvertTo implements api.Convertible
func (*ClusterImagePolicy) DeepCopy ¶
func (in *ClusterImagePolicy) DeepCopy() *ClusterImagePolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicy.
func (*ClusterImagePolicy) DeepCopyInto ¶
func (in *ClusterImagePolicy) DeepCopyInto(out *ClusterImagePolicy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ClusterImagePolicy) DeepCopyObject ¶
func (in *ClusterImagePolicy) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*ClusterImagePolicy) GetGroupVersionKind ¶
func (c *ClusterImagePolicy) GetGroupVersionKind() schema.GroupVersionKind
GetGroupVersionKind implements kmeta.OwnerRefable
func (*ClusterImagePolicy) SetDefaults ¶
func (c *ClusterImagePolicy) SetDefaults(ctx context.Context)
SetDefaults implements apis.Defaultable
func (*ClusterImagePolicy) Validate ¶
func (c *ClusterImagePolicy) Validate(ctx context.Context) *apis.FieldError
Validate implements apis.Validatable
type ClusterImagePolicyList ¶
type ClusterImagePolicyList struct { metav1.TypeMeta `json:",inline"` metav1.ListMeta `json:"metadata"` Items []ClusterImagePolicy `json:"items"` }
ClusterImagePolicyList is a list of ClusterImagePolicy resources
+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
func (*ClusterImagePolicyList) DeepCopy ¶
func (in *ClusterImagePolicyList) DeepCopy() *ClusterImagePolicyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicyList.
func (*ClusterImagePolicyList) DeepCopyInto ¶
func (in *ClusterImagePolicyList) DeepCopyInto(out *ClusterImagePolicyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ClusterImagePolicyList) DeepCopyObject ¶
func (in *ClusterImagePolicyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type ClusterImagePolicySpec ¶
type ClusterImagePolicySpec struct { // Images defines the patterns of image names that should be subject to this policy. Images []ImagePattern `json:"images"` // Authorities defines the rules for discovering and validating signatures. // +optional Authorities []Authority `json:"authorities,omitempty"` // Policy is an optional policy that can be applied against all the // successfully validated Authorities. If no authorities pass, this does // not even get evaluated, as the Policy is considered failed. // +optional Policy *Policy `json:"policy,omitempty"` // Mode controls whether a failing policy will be rejected (not admitted), // or if errors are converted to Warnings. // enforce - Reject (default) // warn - allow but warn // +optional Mode string `json:"mode,omitempty"` // Match allows selecting resources based on their properties. // +optional Match []MatchResource `json:"match,omitempty"` }
ClusterImagePolicySpec defines a list of images that should be verified
func (*ClusterImagePolicySpec) ConvertFrom ¶
func (spec *ClusterImagePolicySpec) ConvertFrom(ctx context.Context, source *v1beta1.ClusterImagePolicySpec) error
func (*ClusterImagePolicySpec) ConvertTo ¶
func (spec *ClusterImagePolicySpec) ConvertTo(ctx context.Context, sink *v1beta1.ClusterImagePolicySpec) error
func (*ClusterImagePolicySpec) DeepCopy ¶
func (in *ClusterImagePolicySpec) DeepCopy() *ClusterImagePolicySpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicySpec.
func (*ClusterImagePolicySpec) DeepCopyInto ¶
func (in *ClusterImagePolicySpec) DeepCopyInto(out *ClusterImagePolicySpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ClusterImagePolicySpec) SetDefaults ¶
func (spec *ClusterImagePolicySpec) SetDefaults(ctx context.Context)
func (*ClusterImagePolicySpec) Validate ¶
func (spec *ClusterImagePolicySpec) Validate(ctx context.Context) (errors *apis.FieldError)
type ConfigMapReference ¶
type ConfigMapReference struct { // Name is unique within a namespace to reference a configmap resource. // +optional Name string `json:"name,omitempty"` // Namespace defines the space within which the configmap name must be unique. // +optional Namespace string `json:"namespace,omitempty"` // Key defines the key to pull from the configmap. // +optional Key string `json:"key,omitempty"` }
ConfigMapReference is cut&paste from SecretReference, but for the life of me couldn't find one in the public types. If there's one, use it.
func (*ConfigMapReference) DeepCopy ¶
func (in *ConfigMapReference) DeepCopy() *ConfigMapReference
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigMapReference.
func (*ConfigMapReference) DeepCopyInto ¶
func (in *ConfigMapReference) DeepCopyInto(out *ConfigMapReference)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ConfigMapReference) Validate ¶ added in v0.6.0
func (cmr *ConfigMapReference) Validate(ctx context.Context) *apis.FieldError
type DistinguishedName ¶ added in v0.6.0
type DistinguishedName struct { Organization string `json:"organization"` CommonName string `json:"commonName"` }
func (*DistinguishedName) DeepCopy ¶ added in v0.6.0
func (in *DistinguishedName) DeepCopy() *DistinguishedName
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DistinguishedName.
func (*DistinguishedName) DeepCopyInto ¶ added in v0.6.0
func (in *DistinguishedName) DeepCopyInto(out *DistinguishedName)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Identity ¶
type Identity struct { // Issuer defines the issuer for this identity. // +optional Issuer string `json:"issuer,omitempty"` // Subject defines the subject for this identity. // +optional Subject string `json:"subject,omitempty"` // IssuerRegExp specifies a regular expression to match the issuer for this identity. // +optional IssuerRegExp string `json:"issuerRegExp,omitempty"` // SubjectRegExp specifies a regular expression to match the subject for this identity. // +optional SubjectRegExp string `json:"subjectRegExp,omitempty"` }
Identity may contain the issuer and/or the subject found in the transparency log. Issuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp apply a regexp for matching.
func (*Identity) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Identity.
func (*Identity) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ImagePattern ¶
type ImagePattern struct { // Glob defines a globbing pattern. Glob string `json:"glob"` }
ImagePattern defines a pattern and its associated authorties If multiple patterns match a particular image, then ALL of those authorities must be satisfied for the image to be admitted.
func (*ImagePattern) DeepCopy ¶
func (in *ImagePattern) DeepCopy() *ImagePattern
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePattern.
func (*ImagePattern) DeepCopyInto ¶
func (in *ImagePattern) DeepCopyInto(out *ImagePattern)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ImagePattern) Validate ¶
func (image *ImagePattern) Validate(ctx context.Context) *apis.FieldError
type KeyRef ¶
type KeyRef struct { // SecretRef sets a reference to a secret with the key. // +optional SecretRef *v1.SecretReference `json:"secretRef,omitempty"` // Data contains the inline public key // +optional Data string `json:"data,omitempty"` // KMS contains the KMS url of the public key // Supported formats differ based on the KMS system used. // +optional KMS string `json:"kms,omitempty"` // HashAlgorithm always defaults to sha256 if the algorithm hasn't been explicitly set // +optional HashAlgorithm string `json:"hashAlgorithm,omitempty"` }
This references a public verification key stored in a secret in the cosign-system namespace. A KeyRef must specify only one of SecretRef, Data or KMS
func (*KeyRef) ConvertFrom ¶
func (*KeyRef) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KeyRef.
func (*KeyRef) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type KeylessRef ¶
type KeylessRef struct { // URL defines a url to the keyless instance. // +optional URL *apis.URL `json:"url,omitempty"` // Identities sets a list of identities. Identities []Identity `json:"identities"` // CACert sets a reference to CA certificate // +optional CACert *KeyRef `json:"ca-cert,omitempty"` // Use the Certificate Chain from the referred TrustRoot.CertificateAuthorities and TrustRoot.CTLog // +optional TrustRootRef string `json:"trustRootRef,omitempty"` // InsecureIgnoreSCT omits verifying if a certificate contains an embedded SCT // +optional InsecureIgnoreSCT *bool `json:"insecureIgnoreSCT,omitempty"` }
KeylessRef contains location of the validating certificate and the identities against which to verify. KeylessRef will contain either the URL to the verifying certificate, or it will contain the certificate data inline or in a secret.
func (*KeylessRef) DeepCopy ¶
func (in *KeylessRef) DeepCopy() *KeylessRef
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KeylessRef.
func (*KeylessRef) DeepCopyInto ¶
func (in *KeylessRef) DeepCopyInto(out *KeylessRef)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*KeylessRef) Validate ¶
func (keyless *KeylessRef) Validate(ctx context.Context) *apis.FieldError
type MatchResource ¶ added in v0.4.0
type MatchResource struct { // +optional metav1.GroupVersionResource `json:",inline"` // +optional ResourceSelector *metav1.LabelSelector `json:"selector,omitempty"` }
MatchResource allows selecting resources based on its version, group and resource. It is also possible to select resources based on a list of matching labels.
func (*MatchResource) ConvertFrom ¶ added in v0.4.0
func (matchResource *MatchResource) ConvertFrom(ctx context.Context, source *v1beta1.MatchResource) error
func (*MatchResource) ConvertTo ¶ added in v0.4.0
func (matchResource *MatchResource) ConvertTo(ctx context.Context, sink *v1beta1.MatchResource) error
func (*MatchResource) DeepCopy ¶ added in v0.4.0
func (in *MatchResource) DeepCopy() *MatchResource
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchResource.
func (*MatchResource) DeepCopyInto ¶ added in v0.4.0
func (in *MatchResource) DeepCopyInto(out *MatchResource)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*MatchResource) Validate ¶ added in v0.4.0
func (matchResource *MatchResource) Validate(ctx context.Context) *apis.FieldError
type Policy ¶
type Policy struct { // Which kind of policy this is, currently only rego or cue are supported. // Furthermore, only cue is tested :) Type string `json:"type"` // Data contains the policy definition. // +optional Data string `json:"data,omitempty"` // Remote defines the url to a policy. // +optional Remote *RemotePolicy `json:"remote,omitempty"` // ConfigMapRef defines the reference to a configMap with the policy definition. // +optional ConfigMapRef *ConfigMapReference `json:"configMapRef,omitempty"` // FetchConfigFile controls whether ConfigFile will be fetched and made // available for CIP level policy evaluation. Note that this only gets // evaluated (and hence fetched) iff at least one authority matches. // The ConfigFile will then be available in this format: // https://github.com/opencontainers/image-spec/blob/main/config.md // +optional FetchConfigFile *bool `json:"fetchConfigFile,omitempty"` // IncludeSpec controls whether resource `Spec` will be included and // made available for CIP level policy evaluation. Note that this only gets // evaluated iff at least one authority matches. // Also note that because Spec may be of a different shape depending // on the resource being evaluatied (see MatchResource for filtering) // you might want to configure these to match the policy file to ensure // the shape of the Spec is what you expect when evaling the policy. // +optional IncludeSpec *bool `json:"includeSpec,omitempty"` // IncludeObjectMeta controls whether the ObjectMeta will be included and // made available for CIP level policy evalutation. Note that this only gets // evaluated iff at least one authority matches. // +optional IncludeObjectMeta *bool `json:"includeObjectMeta,omitempty"` // IncludeTypeMeta controls whether the TypeMeta will be included and // made available for CIP level policy evalutation. Note that this only gets // evaluated iff at least one authority matches. // +optional IncludeTypeMeta *bool `json:"includeTypeMeta,omitempty"` }
Policy specifies a policy to use for Attestation or the CIP validation (iff at least one authority matches). Exactly one of Data, URL, or ConfigMapReference must be specified.
func (*Policy) ConvertFrom ¶ added in v0.5.0
func (*Policy) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy.
func (*Policy) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RFC3161Timestamp ¶ added in v0.6.0
type RFC3161Timestamp struct { // Use the Certificate Chain from the referred TrustRoot.TimeStampAuthorities // +optional TrustRootRef string `json:"trustRootRef,omitempty"` }
RFC3161Timestamp specifies the URL to a RFC3161 time-stamping server that holds the time-stamped verification for the signature
func (*RFC3161Timestamp) DeepCopy ¶ added in v0.6.0
func (in *RFC3161Timestamp) DeepCopy() *RFC3161Timestamp
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RFC3161Timestamp.
func (*RFC3161Timestamp) DeepCopyInto ¶ added in v0.6.0
func (in *RFC3161Timestamp) DeepCopyInto(out *RFC3161Timestamp)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Remote ¶ added in v0.6.0
type Remote struct { // Root is the base64 encoded, json trusted initial root. Root []byte `json:"root"` // Mirror is the remote mirror, for example: // https://sigstore-tuf-root.storage.googleapis.com Mirror apis.URL `json:"mirror"` // Targets is where the targets live off of the root of the Remote // If not specified 'targets' is defaulted. // +optional Targets string `json:"targets,omitempty"` }
Remote specifies the TUF with trusted initial root and remote mirror where to fetch updates from.
func (*Remote) DeepCopy ¶ added in v0.6.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Remote.
func (*Remote) DeepCopyInto ¶ added in v0.6.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RemotePolicy ¶ added in v0.6.0
type RemotePolicy struct { // URL to the policy data. URL apis.URL `json:"url,omitempty"` // Sha256sum defines the exact sha256sum computed out of the 'body' of the http response. Sha256sum string `json:"sha256sum,omitempty"` }
RemotePolicy defines all the properties to fetch a remote policy
func (*RemotePolicy) DeepCopy ¶ added in v0.6.0
func (in *RemotePolicy) DeepCopy() *RemotePolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RemotePolicy.
func (*RemotePolicy) DeepCopyInto ¶ added in v0.6.0
func (in *RemotePolicy) DeepCopyInto(out *RemotePolicy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*RemotePolicy) Validate ¶ added in v0.6.0
func (r *RemotePolicy) Validate(ctx context.Context) *apis.FieldError
type Repository ¶ added in v0.6.0
type Repository struct { // Root is the base64 encoded, json trusted initial root. Root []byte `json:"root"` // MirrorFS is the base64 tarred, gzipped, and base64 encoded remote // repository that can be used for example in air-gap environments. Will // not make outbound network connections, and must then be kept up to date // in some other manner. // The repository must contain metadata as well as targets. MirrorFS []byte `json:"mirrorFS"` // Targets is where the targets live off of the root of the Repository // above. If not specified 'targets' is defaulted. // +optional Targets string `json:"targets,omitempty"` }
Repository specifies an airgapped TUF. Specifies the trusted initial root as well as a serialized repository.
func (*Repository) DeepCopy ¶ added in v0.6.0
func (in *Repository) DeepCopy() *Repository
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Repository.
func (*Repository) DeepCopyInto ¶ added in v0.6.0
func (in *Repository) DeepCopyInto(out *Repository)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Repository) Validate ¶ added in v0.6.0
func (repo *Repository) Validate(ctx context.Context) (errors *apis.FieldError)
type SigstoreKeys ¶ added in v0.6.0
type SigstoreKeys struct { // Trusted certificate authorities (e.g Fulcio). CertificateAuthorities []CertificateAuthority `json:"certificateAuthorities"` // Rekor log specifications // +optional TLogs []TransparencyLogInstance `json:"tLogs,omitempty"` // Certificate Transparency Log // +optional CTLogs []TransparencyLogInstance `json:"ctLogs,omitempty"` // Trusted timestamping authorities // +optional TimeStampAuthorities []CertificateAuthority `json:"timestampAuthorities,omitempty"` }
SigstoreKeys contains all the necessary Keys and Certificates for validating against a specific instance of Sigstore. This is used for bringing your own trusted keys/certs. TODO(vaikas): See about replacing these with the protos here once they land and see how easy it is to replace with protos instead of our custom defs above. https://github.com/sigstore/protobuf-specs/pull/5 And in particular: https://github.com/sigstore/protobuf-specs/pull/5/files#diff-b1f89b7fd3eb27b519380b092a2416f893a96fbba3f8c90cfa767e7687383ad4R70 Well, not the multi-root, but one instance of that is exactly the SigstoreKeys.
func (*SigstoreKeys) DeepCopy ¶ added in v0.6.0
func (in *SigstoreKeys) DeepCopy() *SigstoreKeys
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SigstoreKeys.
func (*SigstoreKeys) DeepCopyInto ¶ added in v0.6.0
func (in *SigstoreKeys) DeepCopyInto(out *SigstoreKeys)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*SigstoreKeys) Validate ¶ added in v0.6.0
func (sigstoreKeys *SigstoreKeys) Validate(ctx context.Context) (errors *apis.FieldError)
type Source ¶
type Source struct { // OCI defines the registry from where to pull the signatures. // +optional OCI string `json:"oci,omitempty"` // SignaturePullSecrets is an optional list of references to secrets in the // same namespace as the deploying resource for pulling any of the signatures // used by this Source. // +optional SignaturePullSecrets []v1.LocalObjectReference `json:"signaturePullSecrets,omitempty"` }
Source specifies the location of the signature
func (*Source) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Source.
func (*Source) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type StaticRef ¶
type StaticRef struct { // Action defines how to handle a matching policy. Action string `json:"action"` }
StaticRef specifies that signatures / attestations are not validated but instead a static policy is applied against matching images.
func (*StaticRef) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StaticRef.
func (*StaticRef) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type TLog ¶
type TLog struct { // URL sets the url to the rekor instance (by default the public rekor.sigstore.dev) // +optional URL *apis.URL `json:"url,omitempty"` // Use the Public Key from the referred TrustRoot.TLog // +optional TrustRootRef string `json:"trustRootRef,omitempty"` }
TLog specifies the URL to a transparency log that holds the signature and public key information
func (*TLog) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLog.
func (*TLog) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type TransparencyLogInstance ¶ added in v0.6.0
type TransparencyLogInstance struct { // The base URL which can be used for URLs for clients. BaseURL apis.URL `json:"baseURL"` // / The hash algorithm used for the Merkle Tree HashAlgorithm string `json:"hashAlgorithm"` // PEM encoded public key PublicKey []byte `json:"publicKey"` }
TransparencyLogInstance describes the immutable parameters from a transparency log. See https://www.rfc-editor.org/rfc/rfc9162.html#name-log-parameters for more details. The incluced parameters are the minimal set required to identify a log, and verify an inclusion promise.
func (*TransparencyLogInstance) DeepCopy ¶ added in v0.6.0
func (in *TransparencyLogInstance) DeepCopy() *TransparencyLogInstance
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TransparencyLogInstance.
func (*TransparencyLogInstance) DeepCopyInto ¶ added in v0.6.0
func (in *TransparencyLogInstance) DeepCopyInto(out *TransparencyLogInstance)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type TrustRoot ¶ added in v0.6.0
type TrustRoot struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata"` // Spec is the definition for a trust root. This is either a TUF root and // remote or local repository. You can also bring your own keys/certs here. Spec TrustRootSpec `json:"spec"` }
+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
func (*TrustRoot) DeepCopy ¶ added in v0.6.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TrustRoot.
func (*TrustRoot) DeepCopyInto ¶ added in v0.6.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*TrustRoot) DeepCopyObject ¶ added in v0.6.0
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*TrustRoot) GetGroupVersionKind ¶ added in v0.6.0
func (c *TrustRoot) GetGroupVersionKind() schema.GroupVersionKind
GetGroupVersionKind implements kmeta.OwnerRefable
func (*TrustRoot) SetDefaults ¶ added in v0.6.0
SetDefaults implements apis.Defaultable
type TrustRootList ¶ added in v0.6.0
type TrustRootList struct { metav1.TypeMeta `json:",inline"` metav1.ListMeta `json:"metadata"` Items []TrustRoot `json:"items"` }
TrustRootList is a list of TrustRoot resources
+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
func (*TrustRootList) DeepCopy ¶ added in v0.6.0
func (in *TrustRootList) DeepCopy() *TrustRootList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TrustRootList.
func (*TrustRootList) DeepCopyInto ¶ added in v0.6.0
func (in *TrustRootList) DeepCopyInto(out *TrustRootList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*TrustRootList) DeepCopyObject ¶ added in v0.6.0
func (in *TrustRootList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type TrustRootSpec ¶ added in v0.6.0
type TrustRootSpec struct { // Remote specifies initial root of trust & remote mirror. // +optional Remote *Remote `json:"remote,omitempty"` // Repository contains the serialized TUF remote repository. // +optional Repository *Repository `json:"repository,omitempty"` // SigstoreKeys contains the serialized keys. // +optional SigstoreKeys *SigstoreKeys `json:"sigstoreKeys,omitempty"` }
TrustRootSpec defines a trusted Root. This is typically either a TUF Root or a bring your own keys variation. It specifies either: root.json and remote or fully gzipped / tarred directory containing root and metadata directories or serialized keys / certificate chains (bring your own keys).
func (*TrustRootSpec) DeepCopy ¶ added in v0.6.0
func (in *TrustRootSpec) DeepCopy() *TrustRootSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TrustRootSpec.
func (*TrustRootSpec) DeepCopyInto ¶ added in v0.6.0
func (in *TrustRootSpec) DeepCopyInto(out *TrustRootSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*TrustRootSpec) SetDefaults ¶ added in v0.6.0
func (spec *TrustRootSpec) SetDefaults(ctx context.Context)
func (*TrustRootSpec) Validate ¶ added in v0.6.0
func (spec *TrustRootSpec) Validate(ctx context.Context) (errors *apis.FieldError)