Documentation

Overview
Package config holds the typed objects that define the schemas for the ConfigMap objects that pertain to our API objects. This ConfigMap is created by the Reconciler, which combines all ClusterImagePolicy CRs into a single ConfigMap so that the AdmissionController only needs to read a single resource when validating.
Index

Constants
const (
	// ImagePoliciesConfigName is the name of ConfigMap created by the
	// reconciler and consumed by the admission webhook.
	ImagePoliciesConfigName = "config-image-policies"
)

const (
	// SigstoreKeysConfigName is the name of ConfigMap created by the
	// reconciler and consumed by the admission webhook for determining
	// which Keys/Certificates are trusted for things like Fulcio/Rekor, etc.
	SigstoreKeysConfigName = "config-sigstore-keys"
)
Variables
This section is empty.
Functions

Types
type CertificateAuthority (added in v0.6.0)

type CertificateAuthority struct {
	// The root certificate MUST be self-signed, and so the subject and
	// issuer are the same.
	Subject DistinguishedName `json:"subject"`
	// The URI at which the CA can be accessed.
	URI apis.URL `json:"uri"`
	// The certificate chain for this CA.
	// CertChain is in PEM format.
	CertChain []byte `json:"certChain"`
}
func ConvertCertificateAuthority (added in v0.6.0)

func ConvertCertificateAuthority(source v1alpha1.CertificateAuthority) CertificateAuthority

ConvertCertificateAuthority converts the public (v1alpha1) CertificateAuthority into the private CertificateAuthority.
type Config

type Config struct {
	ImagePolicyConfig *ImagePolicyConfig
	SigstoreKeysConfig *SigstoreKeysMap
}
Config holds the collection of configurations that we attach to contexts. +k8s:deepcopy-gen=false
func FromContext
FromContext extracts a Config from the provided context.
func FromContextOrDefaults
FromContextOrDefaults is like FromContext, but when no Config is attached it returns a Config populated with the defaults for each of the Config fields.
type DistinguishedName (added in v0.6.0)
type ImagePolicyConfig

type ImagePolicyConfig struct {
	// This is the list of ImagePolicies that an admission controller uses
	// to make policy decisions.
	Policies map[string]webhookcip.ClusterImagePolicy
}
func NewImagePoliciesConfigFromConfigMap

func NewImagePoliciesConfigFromConfigMap(config *corev1.ConfigMap) (*ImagePolicyConfig, error)

NewImagePoliciesConfigFromConfigMap creates an ImagePolicyConfig from the supplied ConfigMap.
func NewImagePoliciesConfigFromMap
func NewImagePoliciesConfigFromMap(data map[string]string) (*ImagePolicyConfig, error)
NewImagePoliciesConfigFromMap creates an ImagePolicyConfig from the supplied map (the ConfigMap's data).
func (*ImagePolicyConfig) GetMatchingPolicies
func (p *ImagePolicyConfig) GetMatchingPolicies(image string, kind, apiVersion string, labels map[string]string) (map[string]webhookcip.ClusterImagePolicy, error)
GetMatchingPolicies returns all matching Policies and their Authorities that need to be satisfied for the given kind, version and labels (if provided) and that then match the Image. The returned map contains the name of the CIP as the key, and a normalized ClusterImagePolicy for it as the value.
type SigstoreKeys (added in v0.6.0)

type SigstoreKeys struct {
	// Trusted certificate authorities (e.g. Fulcio).
	CertificateAuthorities []CertificateAuthority `json:"certificateAuthorities,omitempty"`
	// Rekor log specifications
	TLogs []TransparencyLogInstance `json:"tLogs,omitempty"`
	// Certificate Transparency Log
	CTLogs []TransparencyLogInstance `json:"ctLogs,omitempty"`
	// Trusted timestamping authorities
	TimeStampAuthorities []CertificateAuthority `json:"timestampAuthorities"`
}
SigstoreKeys contains all the necessary Keys and Certificates for validating against a specific instance of Sigstore.

TODO(vaikas): See about replacing these with the protos here once they land and see how easy it is to replace with protos instead of our custom defs above. https://github.com/sigstore/protobuf-specs/pull/5 And in particular: https://github.com/sigstore/protobuf-specs/pull/5/files#diff-b1f89b7fd3eb27b519380b092a2416f893a96fbba3f8c90cfa767e7687383ad4R70 Well, not the multi-root, but one instance of that is exactly the SigstoreKeys.
func (*SigstoreKeys) ConvertFrom (added in v0.6.0)
func (sk *SigstoreKeys) ConvertFrom(_ context.Context, source *v1alpha1.SigstoreKeys)
ConvertFrom takes a source and converts into a SigstoreKeys suitable for serialization into a ConfigMap entry.
type SigstoreKeysMap (added in v0.6.0)
type SigstoreKeysMap struct {
SigstoreKeys map[string]SigstoreKeys
}
func NewSigstoreKeysFromConfigMap (added in v0.6.0)

func NewSigstoreKeysFromConfigMap(config *corev1.ConfigMap) (*SigstoreKeysMap, error)

NewSigstoreKeysFromConfigMap creates a SigstoreKeysMap from the supplied ConfigMap.
func NewSigstoreKeysFromMap (added in v0.6.0)
func NewSigstoreKeysFromMap(data map[string]string) (*SigstoreKeysMap, error)
NewSigstoreKeysFromMap creates a map of SigstoreKeys to use for validation.
type Store
type Store struct {
*configmap.UntypedStore
}
Store is a typed wrapper around configmap.UntypedStore to handle our ConfigMaps. +k8s:deepcopy-gen=false
func NewStore
NewStore creates a new store of Configs and optionally calls functions when ConfigMaps are updated.
type TransparencyLogInstance (added in v0.6.0)

type TransparencyLogInstance struct {
	BaseURL       apis.URL `json:"baseURL"`
	HashAlgorithm string   `json:"hashAlgorithm"`
	// PEM encoded public key
	PublicKey []byte `json:"publicKey"`
	LogID     string `json:"logID"`
}

TransparencyLogInstance describes the immutable parameters of a transparency log. See https://www.rfc-editor.org/rfc/rfc9162.html#name-log-parameters for more details. The included parameters are the minimal set required to identify a log and verify an inclusion promise.
func ConvertTransparencyLogInstance (added in v0.6.0)

func ConvertTransparencyLogInstance(source v1alpha1.TransparencyLogInstance) TransparencyLogInstance

ConvertTransparencyLogInstance converts the public (v1alpha1) TransparencyLogInstance into the private TransparencyLogInstance.