config/v1alpha1/types_image_policy.go (1 addition & 1 deletion)
@@ -78,7 +78,7 @@ type PolicyRootOfTrust struct {
78
78
// policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust.
79
79
// "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification.
80
80
// "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification.
81
-
// "PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.
81
+
// "PKI" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.
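Review bot: the updated godoc on the `"PKI"` line still says the value "is enabled by turning on the SigstoreImageVerificationPKI feature gate" but, now that the DevPreview wording is gone, no longer tells the reader at which feature set the gate sits; since the TechPreviewNoUpgrade manifest in this same change is the one that gains the `pki` schema and the `PKI` enum value, state that level in the comment (for example `"PKI" is a TechPreview feature that indicates ...`) so API consumers can tell where the value is accepted without reading the generated CRDs.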
config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml (1 addition & 1 deletion)
@@ -192,7 +192,7 @@ spec:
192
192
policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust.
193
193
"PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification.
194
194
"FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification.
195
-
"PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.
195
+
"PKI" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.
config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml (1 addition & 1 deletion)
@@ -192,7 +192,7 @@ spec:
192
192
policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust.
193
193
"PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification.
194
194
"FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification.
195
-
"PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.
195
+
"PKI" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.
config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml (94 additions & 1 deletion)
@@ -102,12 +102,101 @@ spec:
102
102
- fulcioSubject
103
103
- rekorKeyData
104
104
type: object
105
+
pki:
106
+
description: pki defines the root of trust based on Bring
107
+
Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and
108
+
corresponding intermediate certificates.
109
+
properties:
110
+
caIntermediatesData:
111
+
description: |-
112
+
caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters.
113
+
caIntermediatesData requires caRootsData to be set.
114
+
format: byte
115
+
maxLength: 8192
116
+
type: string
117
+
x-kubernetes-validations:
118
+
- message: the caIntermediatesData must start with base64
description: pkiCertificateSubject defines the requirements
155
+
imposed on the subject to which the certificate was
156
+
issued.
157
+
properties:
158
+
email:
159
+
description: |-
160
+
email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate.
161
+
The email should be a valid email address and at most 320 characters in length.
162
+
maxLength: 320
163
+
type: string
164
+
x-kubernetes-validations:
165
+
- message: invalid email address in pkiCertificateSubject
166
+
rule: self.matches('^\\S+@\\S+$')
167
+
hostname:
168
+
description: |-
169
+
hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate.
170
+
The hostname should be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length.
171
+
It should consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk.
172
+
maxLength: 253
173
+
type: string
174
+
x-kubernetes-validations:
175
+
- message: hostname should be a valid dns 1123 subdomain
176
+
name, optionally prefixed by '*.'. It should consist
177
+
only of lowercase alphanumeric characters, hyphens,
- message: at least one of email or hostname must be set
184
+
in pkiCertificateSubject
185
+
rule: has(self.email) || has(self.hostname)
186
+
required:
187
+
- caRootsData
188
+
- pkiCertificateSubject
189
+
type: object
105
190
policyType:
106
191
description: |-
107
192
policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust.
108
193
"PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification.
109
194
"FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification.
110
-
"PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.
195
+
"PKI" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.
196
+
enum:
197
+
- PublicKey
198
+
- FulcioCAWithRekor
199
+
- PKI
111
200
type: string
112
201
publicKey:
113
202
description: publicKey defines the root of trust based on
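Review bot: the `pkiCertificateSubject` block in this hunk leaves the matching semantics underspecified: `rule: has(self.email) || has(self.hostname)` allows both fields to be set, but neither description says whether a certificate must then satisfy both or either one, whether the email comparison against the SAN is case-sensitive, or how a `*.`-prefixed hostname is matched against SAN DNS names (one label or any depth). Please spell these out in the descriptions, because the verifier's behaviour on these points decides which certificates are trusted. Also note that `rule: self.matches('^\\S+@\\S+$')` only rejects whitespace, so the "should be a valid email address" wording promises more validation than the schema performs; either tighten the pattern or soften the description. Finally, the caIntermediatesData sentence "caIntermediatesData requires caRootsData to be set" is already guaranteed by `required: - caRootsData`, so it can be dropped rather than backed by an extra CEL rule.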
@@ -134,6 +223,10 @@ spec:
134
223
- policyType
135
224
type: object
136
225
x-kubernetes-validations:
226
+
- message: pki is required when policyType is PKI, and forbidden
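Review bot: the new validation at the end of this hunk is visible only through its message "pki is required when policyType is PKI, and forbidden ..."; make sure the accompanying rule enforces both halves (presence when `policyType` is `PKI`, absence otherwise), mirroring the existing union checks for the other policy types. Also check that this rule, the `pki` schema and the `PKI` enum value are emitted for the CustomNoUpgrade and DevPreviewNoUpgrade manifests as well, since in this change those files only receive the one-line description update.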
config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml (1 addition & 1 deletion)
@@ -192,7 +192,7 @@ spec:
192
192
policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust.
193
193
"PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification.
194
194
"FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification.
195
-
"PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.
195
+
"PKI" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.
config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml (1 addition & 1 deletion)
@@ -192,7 +192,7 @@ spec:
192
192
policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust.
193
193
"PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification.
194
194
"FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification.
195
-
"PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.
195
+
"PKI" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.