v1alpha1

package
v0.8.3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 6, 2023 License: Apache-2.0 Imports: 26 Imported by: 1

Documentation

Overview

+k8s:deepcopy-gen=package +groupName=policy.sigstore.dev

Index

Constants

View Source
const (
	// ClusterImagePolicyConditionReady is set when the ClusterImagePolicy has
	// been compiled into the underlying ConfigMap properly.
	ClusterImagePolicyConditionReady = apis.ConditionReady
	// ClusterImagePolicyConditionKeysInlined is set to True when all the Keys
	// have been (Secrets, KMS, etc.) resolved, fetched, validated, and inlined
	// into the compiled representation.
	// In failure cases, the Condition will describe the errors in detail.
	ClusterImagePolicyConditionKeysInlined apis.ConditionType = "KeysInlined"
	// ClusterImagePolicyConditionPoliciesInlined is set to True when all the
	// policies have been resolved, fetched, validated, and inlined into the
	// compiled representation.
	// In failure cases, the Condition will describe the errors in detail.
	ClusterImagePolicyConditionPoliciesInlined apis.ConditionType = "PoliciesInlined"
	// ClusterImagePolicyConditionCMUpdated	is set to True when the CIP has been
	// successfully added into the ConfigMap holding all the compiled CIPs.
	// In failure cases, the Condition will describe the errors in detail.
	ClusterImagePolicyConditionCMUpdated apis.ConditionType = "ConfigMapUpdated"
)
View Source
const (
	// TrustRootConditionReady is set when the TrustRoot has been
	// compiled into the underlying ConfigMap properly.
	TrustRootConditionReady = apis.ConditionReady
	// TrustRootConditionKeysInlined is set to True when keys have been either
	// verified, fetched and verified and inlined into the intermediate
	// representation usable for validation.
	TrustRootConditionKeysInlined apis.ConditionType = "KeysInlined"
	// TrustRootConditionCMUpdated is set to True when the inline representation
	// has been successfully added to the ConfigMap holding all the TrustRoots.
	TrustRootConditionCMUpdated apis.ConditionType = "ConfigMapUpdated"
)
View Source
const DefaultTUFRepoPrefix = "/repository/"

By default the TUF repo contains this prefix, so if it's there, remove it.

Variables

View Source
var (
	// SchemeBuilder builds a scheme with the types known to the package.
	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
	// AddToScheme adds the types known to this package to an existing schema.
	AddToScheme = SchemeBuilder.AddToScheme
)
View Source
var SchemeGroupVersion = schema.GroupVersion{Group: policy.GroupName, Version: "v1alpha1"}

SchemeGroupVersion is group version used to register these objects

Functions

func Kind

func Kind(kind string) schema.GroupKind

Kind takes an unqualified kind and returns back a Group qualified GroupKind

func Resource

func Resource(resource string) schema.GroupResource

Resource takes an unqualified resource and returns a Group qualified GroupResource

func SplitPEMCertificateChain added in v0.6.0

func SplitPEMCertificateChain(pem []byte) (leaves, intermediates, roots []*x509.Certificate, err error)

SplitPEMCertificateChain returns a list of leaf (non-CA) certificates, a certificate pool for intermediate CA certificates, and a certificate pool for root CA certificates

func ValidateCertificateAuthority added in v0.6.0

func ValidateCertificateAuthority(ctx context.Context, ca CertificateAuthority) (errors *apis.FieldError)

func ValidateDistinguishedName added in v0.6.0

func ValidateDistinguishedName(_ context.Context, dn DistinguishedName) (errors *apis.FieldError)

func ValidateGlob

func ValidateGlob(g string) *apis.FieldError

ValidateGlob glob compilation by testing against empty string

func ValidateRegex

func ValidateRegex(regex string) *apis.FieldError

func ValidateRoot added in v0.6.0

func ValidateRoot(_ context.Context, rootJSON []byte) *apis.FieldError

func ValidateTimeStampAuthority added in v0.6.0

func ValidateTimeStampAuthority(ctx context.Context, ca CertificateAuthority) (errors *apis.FieldError)

func ValidateTransparencyLogInstance added in v0.6.0

func ValidateTransparencyLogInstance(_ context.Context, tli TransparencyLogInstance) (errors *apis.FieldError)

Types

type Attestation

type Attestation struct {
	// Name of the attestation. These can then be referenced at the CIP level
	// policy.
	Name string `json:"name"`
	// PredicateType defines which predicate type to verify. Matches cosign verify-attestation options.
	PredicateType string `json:"predicateType"`
	// Policy defines all of the matching signatures, and all of
	// the matching attestations (whose attestations are verified).
	// +optional
	Policy *Policy `json:"policy,omitempty"`
}

Attestation defines the type of attestation to validate and optionally apply a policy decision to it. Authority block is used to verify the specified attestation types, and if Policy is specified, then it's applied only after the validation of the Attestation signature has been verified.

func (*Attestation) DeepCopy

func (in *Attestation) DeepCopy() *Attestation

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Attestation.

func (*Attestation) DeepCopyInto

func (in *Attestation) DeepCopyInto(out *Attestation)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Attestation) Validate

func (a *Attestation) Validate(ctx context.Context) *apis.FieldError

type Authority

type Authority struct {
	// Name is the name for this authority. Used by the CIP Policy
	// validator to be able to reference matching signature or attestation
	// verifications.
	// If not specified, the name will be authority-<index in array>
	Name string `json:"name"`
	// Key defines the type of key to validate the image.
	// +optional
	Key *KeyRef `json:"key,omitempty"`
	// Keyless sets the configuration to verify the authority against a Fulcio instance.
	// +optional
	Keyless *KeylessRef `json:"keyless,omitempty"`
	// Static specifies that signatures / attestations are not validated but
	// instead a static policy is applied against matching images.
	// +optional
	Static *StaticRef `json:"static,omitempty"`
	// Sources sets the configuration to specify the sources from where to consume the signature and attestations.
	// +optional
	Sources []Source `json:"source,omitempty"`
	// CTLog sets the configuration to verify the authority against a Rekor instance.
	// +optional
	CTLog *TLog `json:"ctlog,omitempty"`
	// Attestations is a list of individual attestations for this authority,
	// once the signature for this authority has been verified.
	// +optional
	Attestations []Attestation `json:"attestations,omitempty"`
	// RFC3161Timestamp sets the configuration to verify the signature timestamp against a RFC3161 time-stamping instance.
	// +optional
	RFC3161Timestamp *RFC3161Timestamp `json:"rfc3161timestamp,omitempty"`
}

func (*Authority) ConvertFrom

func (authority *Authority) ConvertFrom(ctx context.Context, source *v1beta1.Authority) error

func (*Authority) ConvertTo

func (authority *Authority) ConvertTo(ctx context.Context, sink *v1beta1.Authority) error

func (*Authority) DeepCopy

func (in *Authority) DeepCopy() *Authority

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Authority.

func (*Authority) DeepCopyInto

func (in *Authority) DeepCopyInto(out *Authority)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Authority) Validate

func (authority *Authority) Validate(ctx context.Context) *apis.FieldError

type CertificateAuthority added in v0.6.0

type CertificateAuthority struct {
	// The root certificate MUST be self-signed, and so the subject and
	// issuer are the same.
	Subject DistinguishedName `json:"subject"`
	// The URI at which the CA can be accessed.
	URI apis.URL `json:"uri"`
	// The certificate chain for this CA in PEM format. Last entry in this
	// chain is the Root certificate.
	CertChain []byte `json:"certChain"`
}

func (*CertificateAuthority) DeepCopy added in v0.6.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAuthority.

func (*CertificateAuthority) DeepCopyInto added in v0.6.0

func (in *CertificateAuthority) DeepCopyInto(out *CertificateAuthority)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ClusterImagePolicy

type ClusterImagePolicy struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata"`

	// Spec holds the desired state of the ClusterImagePolicy (from the client).
	Spec ClusterImagePolicySpec `json:"spec"`

	// Status represents the current state of the ClusterImagePolicy.
	// This data may be out of date.
	// +optional
	Status ClusterImagePolicyStatus `json:"status,omitempty"`
}

ClusterImagePolicy defines the images that go through verification and the authorities used for verification

+genclient +genclient:nonNamespaced +genreconciler:krshapedlogic=true +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

func (*ClusterImagePolicy) ConvertFrom

func (c *ClusterImagePolicy) ConvertFrom(ctx context.Context, obj apis.Convertible) error

ConvertFrom implements api.Convertible

func (*ClusterImagePolicy) ConvertTo

func (c *ClusterImagePolicy) ConvertTo(ctx context.Context, obj apis.Convertible) error

ConvertTo implements api.Convertible

func (*ClusterImagePolicy) DeepCopy

func (in *ClusterImagePolicy) DeepCopy() *ClusterImagePolicy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicy.

func (*ClusterImagePolicy) DeepCopyInto

func (in *ClusterImagePolicy) DeepCopyInto(out *ClusterImagePolicy)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterImagePolicy) DeepCopyObject

func (in *ClusterImagePolicy) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*ClusterImagePolicy) GetConditionSet added in v0.7.0

func (*ClusterImagePolicy) GetConditionSet() apis.ConditionSet

GetConditionSet retrieves the condition set for this resource. Implements the KRShaped interface.

func (*ClusterImagePolicy) GetGroupVersionKind

func (c *ClusterImagePolicy) GetGroupVersionKind() schema.GroupVersionKind

GetGroupVersionKind implements kmeta.OwnerRefable

func (*ClusterImagePolicy) GetStatus added in v0.7.0

func (c *ClusterImagePolicy) GetStatus() *duckv1.Status

GetStatus retrieves the status of the ClusterImagePolicy. Implements the KRShaped interface.

func (*ClusterImagePolicy) IsFailed added in v0.7.0

func (c *ClusterImagePolicy) IsFailed() bool

IsFailed returns true if the resource has observed the latest generation and ready is false.

func (*ClusterImagePolicy) IsReady added in v0.7.0

func (c *ClusterImagePolicy) IsReady() bool

IsReady returns if the ClusterImagePolicy was compiled successfully to ConfigMap.

func (*ClusterImagePolicy) SetDefaults

func (c *ClusterImagePolicy) SetDefaults(ctx context.Context)

SetDefaults implements apis.Defaultable

func (*ClusterImagePolicy) Validate

func (c *ClusterImagePolicy) Validate(ctx context.Context) *apis.FieldError

Validate implements apis.Validatable

type ClusterImagePolicyList

type ClusterImagePolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata"`

	Items []ClusterImagePolicy `json:"items"`
}

ClusterImagePolicyList is a list of ClusterImagePolicy resources

+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

func (*ClusterImagePolicyList) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicyList.

func (*ClusterImagePolicyList) DeepCopyInto

func (in *ClusterImagePolicyList) DeepCopyInto(out *ClusterImagePolicyList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterImagePolicyList) DeepCopyObject

func (in *ClusterImagePolicyList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type ClusterImagePolicySpec

type ClusterImagePolicySpec struct {
	// Images defines the patterns of image names that should be subject to this policy.
	Images []ImagePattern `json:"images"`
	// Authorities defines the rules for discovering and validating signatures.
	// +optional
	Authorities []Authority `json:"authorities,omitempty"`
	// Policy is an optional policy that can be applied against all the
	// successfully validated Authorities. If no authorities pass, this does
	// not even get evaluated, as the Policy is considered failed.
	// +optional
	Policy *Policy `json:"policy,omitempty"`
	// Mode controls whether a failing policy will be rejected (not admitted),
	// or if errors are converted to Warnings.
	// enforce - Reject (default)
	// warn - allow but warn
	// +optional
	Mode string `json:"mode,omitempty"`
	// Match allows selecting resources based on their properties.
	// +optional
	Match []MatchResource `json:"match,omitempty"`
}

ClusterImagePolicySpec defines a list of images that should be verified

func (*ClusterImagePolicySpec) ConvertFrom

func (*ClusterImagePolicySpec) ConvertTo

func (*ClusterImagePolicySpec) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicySpec.

func (*ClusterImagePolicySpec) DeepCopyInto

func (in *ClusterImagePolicySpec) DeepCopyInto(out *ClusterImagePolicySpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterImagePolicySpec) SetDefaults

func (spec *ClusterImagePolicySpec) SetDefaults(_ context.Context)

func (*ClusterImagePolicySpec) Validate

func (spec *ClusterImagePolicySpec) Validate(ctx context.Context) (errors *apis.FieldError)

type ClusterImagePolicyStatus added in v0.7.0

type ClusterImagePolicyStatus struct {
	// inherits duck/v1 Status, which currently provides:
	// * ObservedGeneration - the 'Generation' of the Broker that was last processed by the controller.
	// * Conditions - the latest available observations of a resource's current state.
	duckv1.Status `json:",inline"`
}

ClusterImagePolicyStatus represents the current state of a ClusterImagePolicy.

func (*ClusterImagePolicyStatus) DeepCopy added in v0.7.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicyStatus.

func (*ClusterImagePolicyStatus) DeepCopyInto added in v0.7.0

func (in *ClusterImagePolicyStatus) DeepCopyInto(out *ClusterImagePolicyStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterImagePolicyStatus) InitializeConditions added in v0.7.0

func (cs *ClusterImagePolicyStatus) InitializeConditions()

InitializeConditions sets the initial values to the conditions.

func (*ClusterImagePolicyStatus) MarkCMUpdateFailed added in v0.7.0

func (cs *ClusterImagePolicyStatus) MarkCMUpdateFailed(msg string)

MarkCMUpdateFailed surfaces a failure that we were unable to reflect the CIP into the compiled ConfigMap.

func (*ClusterImagePolicyStatus) MarkCMUpdatedOK added in v0.7.0

func (cs *ClusterImagePolicyStatus) MarkCMUpdatedOK()

MarkCMUpdated marks the status saying that the ConfigMap has been updated.

func (*ClusterImagePolicyStatus) MarkInlineKeysFailed added in v0.7.0

func (cs *ClusterImagePolicyStatus) MarkInlineKeysFailed(msg string)

MarkInlineKeysFailed surfaces a failure that we were unable to inline the keys (from secrets or from KMS).

func (*ClusterImagePolicyStatus) MarkInlineKeysOk added in v0.7.0

func (cs *ClusterImagePolicyStatus) MarkInlineKeysOk()

MarkInlineKeysOk marks the status saying that the inlining of the keys had no errors.

func (*ClusterImagePolicyStatus) MarkInlinePoliciesFailed added in v0.7.0

func (cs *ClusterImagePolicyStatus) MarkInlinePoliciesFailed(msg string)

MarkInlinePoliciesFailed surfaces a failure that we were unable to inline the policies, either from ConfigMap or from URL.

func (*ClusterImagePolicyStatus) MarkInlinePoliciesOk added in v0.7.0

func (cs *ClusterImagePolicyStatus) MarkInlinePoliciesOk()

MarkInlinePoliciesdOk marks the status saying that the inlining of the policies had no errors.

type ConfigMapReference

type ConfigMapReference struct {
	// Name is unique within a namespace to reference a configmap resource.
	// +optional
	Name string `json:"name,omitempty"`
	// Namespace defines the space within which the configmap name must be unique.
	// +optional
	Namespace string `json:"namespace,omitempty"`
	// Key defines the key to pull from the configmap.
	// +optional
	Key string `json:"key,omitempty"`
}

ConfigMapReference is cut&paste from SecretReference, but for the life of me couldn't find one in the public types. If there's one, use it.

func (*ConfigMapReference) DeepCopy

func (in *ConfigMapReference) DeepCopy() *ConfigMapReference

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigMapReference.

func (*ConfigMapReference) DeepCopyInto

func (in *ConfigMapReference) DeepCopyInto(out *ConfigMapReference)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ConfigMapReference) Validate added in v0.6.0

func (cmr *ConfigMapReference) Validate(_ context.Context) *apis.FieldError

type DistinguishedName added in v0.6.0

type DistinguishedName struct {
	Organization string `json:"organization"`
	CommonName   string `json:"commonName"`
}

func (*DistinguishedName) DeepCopy added in v0.6.0

func (in *DistinguishedName) DeepCopy() *DistinguishedName

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DistinguishedName.

func (*DistinguishedName) DeepCopyInto added in v0.6.0

func (in *DistinguishedName) DeepCopyInto(out *DistinguishedName)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Identity

type Identity struct {
	// Issuer defines the issuer for this identity.
	// +optional
	Issuer string `json:"issuer,omitempty"`
	// Subject defines the subject for this identity.
	// +optional
	Subject string `json:"subject,omitempty"`
	// IssuerRegExp specifies a regular expression to match the issuer for this identity.
	// +optional
	IssuerRegExp string `json:"issuerRegExp,omitempty"`
	// SubjectRegExp specifies a regular expression to match the subject for this identity.
	// +optional
	SubjectRegExp string `json:"subjectRegExp,omitempty"`
}

Identity may contain the issuer and/or the subject found in the transparency log. Issuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp apply a regexp for matching.

func (*Identity) DeepCopy

func (in *Identity) DeepCopy() *Identity

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Identity.

func (*Identity) DeepCopyInto

func (in *Identity) DeepCopyInto(out *Identity)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Identity) Validate

func (identity *Identity) Validate(_ context.Context) *apis.FieldError

type ImagePattern

type ImagePattern struct {
	// Glob defines a globbing pattern.
	Glob string `json:"glob"`
}

ImagePattern defines a pattern and its associated authorties If multiple patterns match a particular image, then ALL of those authorities must be satisfied for the image to be admitted.

func (*ImagePattern) DeepCopy

func (in *ImagePattern) DeepCopy() *ImagePattern

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePattern.

func (*ImagePattern) DeepCopyInto

func (in *ImagePattern) DeepCopyInto(out *ImagePattern)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ImagePattern) Validate

func (image *ImagePattern) Validate(_ context.Context) *apis.FieldError

type KeyRef

type KeyRef struct {
	// SecretRef sets a reference to a secret with the key.
	// +optional
	SecretRef *v1.SecretReference `json:"secretRef,omitempty"`
	// Data contains the inline public key
	// +optional
	Data string `json:"data,omitempty"`
	// KMS contains the KMS url of the public key
	// Supported formats differ based on the KMS system used.
	// +optional
	KMS string `json:"kms,omitempty"`
	// HashAlgorithm always defaults to sha256 if the algorithm hasn't been explicitly set
	// +optional
	HashAlgorithm string `json:"hashAlgorithm,omitempty"`
}

This references a public verification key stored in a secret in the cosign-system namespace. A KeyRef must specify only one of SecretRef, Data or KMS

func (*KeyRef) ConvertFrom

func (key *KeyRef) ConvertFrom(_ context.Context, source *v1beta1.KeyRef)

func (*KeyRef) ConvertTo

func (key *KeyRef) ConvertTo(_ context.Context, sink *v1beta1.KeyRef)

func (*KeyRef) DeepCopy

func (in *KeyRef) DeepCopy() *KeyRef

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KeyRef.

func (*KeyRef) DeepCopyInto

func (in *KeyRef) DeepCopyInto(out *KeyRef)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*KeyRef) Validate

func (key *KeyRef) Validate(_ context.Context) *apis.FieldError

type KeylessRef

type KeylessRef struct {
	// URL defines a url to the keyless instance.
	// +optional
	URL *apis.URL `json:"url,omitempty"`
	// Identities sets a list of identities.
	Identities []Identity `json:"identities"`
	// CACert sets a reference to CA certificate
	// +optional
	CACert *KeyRef `json:"ca-cert,omitempty"`
	// Use the Certificate Chain from the referred TrustRoot.CertificateAuthorities and TrustRoot.CTLog
	// +optional
	TrustRootRef string `json:"trustRootRef,omitempty"`
	// InsecureIgnoreSCT omits verifying if a certificate contains an embedded SCT
	// +optional
	InsecureIgnoreSCT *bool `json:"insecureIgnoreSCT,omitempty"`
}

KeylessRef contains location of the validating certificate and the identities against which to verify. KeylessRef will contain either the URL to the verifying certificate, or it will contain the certificate data inline or in a secret.

func (*KeylessRef) DeepCopy

func (in *KeylessRef) DeepCopy() *KeylessRef

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KeylessRef.

func (*KeylessRef) DeepCopyInto

func (in *KeylessRef) DeepCopyInto(out *KeylessRef)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*KeylessRef) Validate

func (keyless *KeylessRef) Validate(ctx context.Context) *apis.FieldError

type MatchResource added in v0.4.0

type MatchResource struct {
	// +optional
	metav1.GroupVersionResource `json:",inline"`
	// +optional
	ResourceSelector *metav1.LabelSelector `json:"selector,omitempty"`
}

MatchResource allows selecting resources based on its version, group and resource. It is also possible to select resources based on a list of matching labels.

func (*MatchResource) ConvertFrom added in v0.4.0

func (matchResource *MatchResource) ConvertFrom(_ context.Context, source *v1beta1.MatchResource) error

func (*MatchResource) ConvertTo added in v0.4.0

func (matchResource *MatchResource) ConvertTo(_ context.Context, sink *v1beta1.MatchResource) error

func (*MatchResource) DeepCopy added in v0.4.0

func (in *MatchResource) DeepCopy() *MatchResource

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchResource.

func (*MatchResource) DeepCopyInto added in v0.4.0

func (in *MatchResource) DeepCopyInto(out *MatchResource)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*MatchResource) Validate added in v0.4.0

func (matchResource *MatchResource) Validate(_ context.Context) *apis.FieldError

type Policy

type Policy struct {
	// Which kind of policy this is, currently only rego or cue are supported.
	// Furthermore, only cue is tested :)
	Type string `json:"type"`
	// Data contains the policy definition.
	// +optional
	Data string `json:"data,omitempty"`
	// Remote defines the url to a policy.
	// +optional
	Remote *RemotePolicy `json:"remote,omitempty"`
	// ConfigMapRef defines the reference to a configMap with the policy definition.
	// +optional
	ConfigMapRef *ConfigMapReference `json:"configMapRef,omitempty"`
	// FetchConfigFile controls whether ConfigFile will be fetched and made
	// available for CIP level policy evaluation. Note that this only gets
	// evaluated (and hence fetched) iff at least one authority matches.
	// The ConfigFile will then be available in this format:
	// https://github.com/opencontainers/image-spec/blob/main/config.md
	// +optional
	FetchConfigFile *bool `json:"fetchConfigFile,omitempty"`
	// IncludeSpec controls whether resource `Spec` will be included and
	// made available for CIP level policy evaluation. Note that this only gets
	// evaluated iff at least one authority matches.
	// Also note that because Spec may be of a different shape depending
	// on the resource being evaluatied (see MatchResource for filtering)
	// you might want to configure these to match the policy file to ensure
	// the shape of the Spec is what you expect when evaling the policy.
	// +optional
	IncludeSpec *bool `json:"includeSpec,omitempty"`
	// IncludeObjectMeta controls whether the ObjectMeta will be included and
	// made available for CIP level policy evalutation. Note that this only gets
	// evaluated iff at least one authority matches.
	// +optional
	IncludeObjectMeta *bool `json:"includeObjectMeta,omitempty"`
	// IncludeTypeMeta controls whether the TypeMeta will be included and
	// made available for CIP level policy evalutation. Note that this only gets
	// evaluated iff at least one authority matches.
	// +optional
	IncludeTypeMeta *bool `json:"includeTypeMeta,omitempty"`
}

Policy specifies a policy to use for Attestation or the CIP validation (iff at least one authority matches). Exactly one of Data, URL, or ConfigMapReference must be specified.

func (*Policy) ConvertFrom added in v0.5.0

func (p *Policy) ConvertFrom(_ context.Context, source *v1beta1.Policy)

func (*Policy) ConvertTo added in v0.5.0

func (p *Policy) ConvertTo(_ context.Context, sink *v1beta1.Policy)

func (*Policy) DeepCopy

func (in *Policy) DeepCopy() *Policy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy.

func (*Policy) DeepCopyInto

func (in *Policy) DeepCopyInto(out *Policy)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Policy) Validate

func (p *Policy) Validate(ctx context.Context) *apis.FieldError

type RFC3161Timestamp added in v0.6.0

type RFC3161Timestamp struct {
	// Use the Certificate Chain from the referred TrustRoot.TimeStampAuthorities
	// +optional
	TrustRootRef string `json:"trustRootRef,omitempty"`
}

RFC3161Timestamp specifies the URL to a RFC3161 time-stamping server that holds the time-stamped verification for the signature

func (*RFC3161Timestamp) DeepCopy added in v0.6.0

func (in *RFC3161Timestamp) DeepCopy() *RFC3161Timestamp

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RFC3161Timestamp.

func (*RFC3161Timestamp) DeepCopyInto added in v0.6.0

func (in *RFC3161Timestamp) DeepCopyInto(out *RFC3161Timestamp)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Remote added in v0.6.0

type Remote struct {
	// Root is the base64 encoded, json trusted initial root.
	Root []byte `json:"root"`

	// Mirror is the remote mirror, for example:
	// https://tuf-repo-cdn.sigstore.dev
	Mirror apis.URL `json:"mirror"`

	// Targets is where the targets live off of the root of the Remote
	// If not specified 'targets' is defaulted.
	// +optional
	Targets string `json:"targets,omitempty"`
}

Remote specifies the TUF with trusted initial root and remote mirror where to fetch updates from.

func (*Remote) DeepCopy added in v0.6.0

func (in *Remote) DeepCopy() *Remote

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Remote.

func (*Remote) DeepCopyInto added in v0.6.0

func (in *Remote) DeepCopyInto(out *Remote)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Remote) Validate added in v0.6.0

func (remote *Remote) Validate(ctx context.Context) (errors *apis.FieldError)

type RemotePolicy added in v0.6.0

type RemotePolicy struct {
	// URL to the policy data.
	URL apis.URL `json:"url,omitempty"`
	// Sha256sum defines the exact sha256sum computed out of the 'body' of the http response.
	Sha256sum string `json:"sha256sum,omitempty"`
}

RemotePolicy defines all the properties to fetch a remote policy

func (*RemotePolicy) DeepCopy added in v0.6.0

func (in *RemotePolicy) DeepCopy() *RemotePolicy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RemotePolicy.

func (*RemotePolicy) DeepCopyInto added in v0.6.0

func (in *RemotePolicy) DeepCopyInto(out *RemotePolicy)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*RemotePolicy) Validate added in v0.6.0

func (r *RemotePolicy) Validate(_ context.Context) *apis.FieldError

type Repository added in v0.6.0

type Repository struct {
	// Root is the base64 encoded, json trusted initial root.
	Root []byte `json:"root"`

	// MirrorFS is the base64 tarred, gzipped, and base64 encoded remote
	// repository that can be used for example in air-gap environments. Will
	// not make outbound network connections, and must then be kept up to date
	// in some other manner.
	// The repository must contain metadata as well as targets.
	MirrorFS []byte `json:"mirrorFS"`

	// Targets is where the targets live off of the root of the Repository
	// above. If not specified 'targets' is defaulted.
	// +optional
	Targets string `json:"targets,omitempty"`
}

Repository specifies an airgapped TUF. Specifies the trusted initial root as well as a serialized repository.

func (*Repository) DeepCopy added in v0.6.0

func (in *Repository) DeepCopy() *Repository

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Repository.

func (*Repository) DeepCopyInto added in v0.6.0

func (in *Repository) DeepCopyInto(out *Repository)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Repository) Validate added in v0.6.0

func (repo *Repository) Validate(ctx context.Context) (errors *apis.FieldError)

type SigstoreKeys added in v0.6.0

type SigstoreKeys struct {
	// Trusted certificate authorities (e.g Fulcio).
	CertificateAuthorities []CertificateAuthority `json:"certificateAuthorities"`
	// Rekor log specifications
	// +optional
	TLogs []TransparencyLogInstance `json:"tLogs,omitempty"`
	// Certificate Transparency Log
	// +optional
	CTLogs []TransparencyLogInstance `json:"ctLogs,omitempty"`
	// Trusted timestamping authorities
	// +optional
	TimeStampAuthorities []CertificateAuthority `json:"timestampAuthorities,omitempty"`
}

SigstoreKeys contains all the necessary Keys and Certificates for validating against a specific instance of Sigstore. This is used for bringing your own trusted keys/certs. TODO(vaikas): See about replacing these with the protos here once they land and see how easy it is to replace with protos instead of our custom defs above. https://github.com/sigstore/protobuf-specs/pull/5 And in particular: https://github.com/sigstore/protobuf-specs/pull/5/files#diff-b1f89b7fd3eb27b519380b092a2416f893a96fbba3f8c90cfa767e7687383ad4R70 Well, not the multi-root, but one instance of that is exactly the SigstoreKeys.

func (*SigstoreKeys) DeepCopy added in v0.6.0

func (in *SigstoreKeys) DeepCopy() *SigstoreKeys

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SigstoreKeys.

func (*SigstoreKeys) DeepCopyInto added in v0.6.0

func (in *SigstoreKeys) DeepCopyInto(out *SigstoreKeys)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*SigstoreKeys) Validate added in v0.6.0

func (sigstoreKeys *SigstoreKeys) Validate(ctx context.Context) (errors *apis.FieldError)

type Source

type Source struct {
	// OCI defines the registry from where to pull the signature / attestations.
	// +optional
	OCI string `json:"oci,omitempty"`
	// SignaturePullSecrets is an optional list of references to secrets in the
	// same namespace as the deploying resource for pulling any of the signatures
	// used by this Source.
	// +optional
	SignaturePullSecrets []v1.LocalObjectReference `json:"signaturePullSecrets,omitempty"`
	// TagPrefix is an optional prefix that signature and attestations have.
	// This is the 'tag based discovery' and in the future once references are
	// fully supported that should likely be the preferred way to handle these.
	// +optional
	TagPrefix *string `json:"tagPrefix,omitempty"`
}

Source specifies the location of the signature / attestations.

func (*Source) DeepCopy

func (in *Source) DeepCopy() *Source

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Source.

func (*Source) DeepCopyInto

func (in *Source) DeepCopyInto(out *Source)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Source) Validate

func (source *Source) Validate(_ context.Context) *apis.FieldError

type StaticRef

type StaticRef struct {
	// Action defines how to handle a matching policy.
	Action string `json:"action"`
	// For fail actions, emit an optional custom message. This only makes
	// sense for 'fail' action because on 'pass' there's no place to jot down
	// the message.
	Message string `json:"message,omitempty"`
}

StaticRef specifies that signatures / attestations are not validated but instead a static policy is applied against matching images.

func (*StaticRef) DeepCopy

func (in *StaticRef) DeepCopy() *StaticRef

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StaticRef.

func (*StaticRef) DeepCopyInto

func (in *StaticRef) DeepCopyInto(out *StaticRef)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*StaticRef) Validate

func (s *StaticRef) Validate(_ context.Context) *apis.FieldError

type TLog

type TLog struct {
	// URL sets the url to the rekor instance (by default the public rekor.sigstore.dev)
	// +optional
	URL *apis.URL `json:"url,omitempty"`
	// Use the Public Key from the referred TrustRoot.TLog
	// +optional
	TrustRootRef string `json:"trustRootRef,omitempty"`
}

TLog specifies the URL to a transparency log that holds the signature and public key information

func (*TLog) DeepCopy

func (in *TLog) DeepCopy() *TLog

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLog.

func (*TLog) DeepCopyInto

func (in *TLog) DeepCopyInto(out *TLog)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type TransparencyLogInstance added in v0.6.0

type TransparencyLogInstance struct {
	// The base URL which can be used for URLs for clients.
	BaseURL apis.URL `json:"baseURL"`
	// / The hash algorithm used for the Merkle Tree
	HashAlgorithm string `json:"hashAlgorithm"`
	// PEM encoded public key
	PublicKey []byte `json:"publicKey"`
}

TransparencyLogInstance describes the immutable parameters from a transparency log. See https://www.rfc-editor.org/rfc/rfc9162.html#name-log-parameters for more details. The incluced parameters are the minimal set required to identify a log, and verify an inclusion promise.

func (*TransparencyLogInstance) DeepCopy added in v0.6.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TransparencyLogInstance.

func (*TransparencyLogInstance) DeepCopyInto added in v0.6.0

func (in *TransparencyLogInstance) DeepCopyInto(out *TransparencyLogInstance)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type TrustRoot added in v0.6.0

type TrustRoot struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata"`

	// Spec is the definition for a trust root. This is either a TUF root and
	// remote or local repository. You can also bring your own keys/certs here.
	Spec TrustRootSpec `json:"spec"`

	// Status represents the current state of the TrustRoot.
	// This data may be out of date.
	// +optional
	Status TrustRootStatus `json:"status,omitempty"`
}

TrustRoot defines the keys and certificates that are trusted for validating against. These can be specified as TUF Roots, serialized TUF repository (for air-gap scenarios), as well as serialized keys/certificates, for bring your own keys/certs.

+genclient +genclient:nonNamespaced +genreconciler:krshapedlogic=true +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

func (*TrustRoot) DeepCopy added in v0.6.0

func (in *TrustRoot) DeepCopy() *TrustRoot

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TrustRoot.

func (*TrustRoot) DeepCopyInto added in v0.6.0

func (in *TrustRoot) DeepCopyInto(out *TrustRoot)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*TrustRoot) DeepCopyObject added in v0.6.0

func (in *TrustRoot) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*TrustRoot) GetConditionSet added in v0.7.0

func (*TrustRoot) GetConditionSet() apis.ConditionSet

GetConditionSet retrieves the condition set for this resource. Implements the KRShaped interface.

func (*TrustRoot) GetGroupVersionKind added in v0.6.0

func (tr *TrustRoot) GetGroupVersionKind() schema.GroupVersionKind

GetGroupVersionKind implements kmeta.OwnerRefable

func (*TrustRoot) GetStatus added in v0.7.0

func (tr *TrustRoot) GetStatus() *duckv1.Status

GetStatus retrieves the status of the TrustRoot. Implements the KRShaped interface.

func (*TrustRoot) IsFailed added in v0.7.0

func (tr *TrustRoot) IsFailed() bool

IsFailed returns true if the resource has observed the latest generation and ready is false.

func (*TrustRoot) IsReady added in v0.7.0

func (tr *TrustRoot) IsReady() bool

IsReady returns if the TrustRoot was compiled successfully to ConfigMap.

func (*TrustRoot) SetDefaults added in v0.6.0

func (tr *TrustRoot) SetDefaults(ctx context.Context)

SetDefaults implements apis.Defaultable

func (*TrustRoot) Validate added in v0.6.0

func (tr *TrustRoot) Validate(ctx context.Context) *apis.FieldError

Validate implements apis.Validatable

type TrustRootList added in v0.6.0

type TrustRootList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata"`

	Items []TrustRoot `json:"items"`
}

TrustRootList is a list of TrustRoot resources

+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

func (*TrustRootList) DeepCopy added in v0.6.0

func (in *TrustRootList) DeepCopy() *TrustRootList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TrustRootList.

func (*TrustRootList) DeepCopyInto added in v0.6.0

func (in *TrustRootList) DeepCopyInto(out *TrustRootList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*TrustRootList) DeepCopyObject added in v0.6.0

func (in *TrustRootList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type TrustRootSpec added in v0.6.0

type TrustRootSpec struct {
	// Remote specifies initial root of trust & remote mirror.
	// +optional
	Remote *Remote `json:"remote,omitempty"`

	// Repository contains the serialized TUF remote repository.
	// +optional
	Repository *Repository `json:"repository,omitempty"`

	// SigstoreKeys contains the serialized keys.
	// +optional
	SigstoreKeys *SigstoreKeys `json:"sigstoreKeys,omitempty"`
}

TrustRootSpec defines a trusted Root. This is typically either a TUF Root or a bring your own keys variation. It specifies either: root.json and remote or fully gzipped / tarred directory containing root and metadata directories or serialized keys / certificate chains (bring your own keys).

func (*TrustRootSpec) DeepCopy added in v0.6.0

func (in *TrustRootSpec) DeepCopy() *TrustRootSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TrustRootSpec.

func (*TrustRootSpec) DeepCopyInto added in v0.6.0

func (in *TrustRootSpec) DeepCopyInto(out *TrustRootSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*TrustRootSpec) SetDefaults added in v0.6.0

func (spec *TrustRootSpec) SetDefaults(_ context.Context)

func (*TrustRootSpec) Validate added in v0.6.0

func (spec *TrustRootSpec) Validate(ctx context.Context) (errors *apis.FieldError)

type TrustRootStatus added in v0.7.0

type TrustRootStatus struct {
	// inherits duck/v1 Status, which currently provides:
	// * ObservedGeneration - the 'Generation' of the Broker that was last processed by the controller.
	// * Conditions - the latest available observations of a resource's current state.
	duckv1.Status `json:",inline"`
}

TrustRootStatus represents the current state of a TrustRoot.

func (*TrustRootStatus) DeepCopy added in v0.7.0

func (in *TrustRootStatus) DeepCopy() *TrustRootStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TrustRootStatus.

func (*TrustRootStatus) DeepCopyInto added in v0.7.0

func (in *TrustRootStatus) DeepCopyInto(out *TrustRootStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*TrustRootStatus) InitializeConditions added in v0.7.0

func (ts *TrustRootStatus) InitializeConditions()

InitializeConditions sets the initial values to the conditions.

func (*TrustRootStatus) MarkCMUpdateFailed added in v0.7.0

func (ts *TrustRootStatus) MarkCMUpdateFailed(msg string)

MarkCMUpdateFailed surfaces a failure that we were unable to reflect the TrustRoot into the compiled ConfigMap.

func (*TrustRootStatus) MarkCMUpdatedOK added in v0.7.0

func (ts *TrustRootStatus) MarkCMUpdatedOK()

MarkCMUpdated marks the status saying that the ConfigMap has been updated.

func (*TrustRootStatus) MarkInlineKeysFailed added in v0.7.0

func (ts *TrustRootStatus) MarkInlineKeysFailed(msg string)

MarkInlineKeysFailed surfaces a failure that we were unable to inline the keys (from secrets or from KMS).

func (*TrustRootStatus) MarkInlineKeysOk added in v0.7.0

func (ts *TrustRootStatus) MarkInlineKeysOk()

MarkInlineKeysOk marks the status saying that the inlining of the keys had no errors.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL