
Add PKI field to (cluster)imagepolicy
Signed-off-by: Qi Wang <[email protected]>
QiWang19 committed Nov 7, 2024
1 parent d37bb9f commit 2b20927
Showing 30 changed files with 1,550 additions and 5 deletions.
39 changes: 38 additions & 1 deletion config/v1alpha1/types_image_policy.go
Expand Up @@ -73,10 +73,12 @@ type Policy struct {
// +union
// +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'PublicKey' ? has(self.publicKey) : !has(self.publicKey)",message="publicKey is required when policyType is PublicKey, and forbidden otherwise"
// +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'FulcioCAWithRekor' ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)",message="fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise"
// +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'PKI' ? has(self.pki) : !has(self.pki)",message="pki is required when policyType is PKI, and forbidden otherwise"
type PolicyRootOfTrust struct {
// policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust.
// "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification.
// "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification.
// "PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI).
// +unionDiscriminator
// +kubebuilder:validation:Required
PolicyType PolicyType `json:"policyType"`
Expand All @@ -88,14 +90,19 @@ type PolicyRootOfTrust struct {
// https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor
// +optional
FulcioCAWithRekor *FulcioCAWithRekor `json:"fulcioCAWithRekor,omitempty"`
// pki defines the root of trust based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates.
// +optional
// +openshift:enable:FeatureGate=SigstoreImageVerificationPKI
PKI *PKI `json:"pki,omitempty"`
}

// +kubebuilder:validation:Enum=PublicKey;FulcioCAWithRekor
// +kubebuilder:validation:Enum=PublicKey;FulcioCAWithRekor;PKI
type PolicyType string

const (
PublicKeyRootOfTrust PolicyType = "PublicKey"
FulcioCAWithRekorRootOfTrust PolicyType = "FulcioCAWithRekor"
PKIRootOfTrust PolicyType = "PKI"
)

// PublicKey defines the root of trust based on a sigstore public key.
Expand Down Expand Up @@ -143,6 +150,36 @@ type PolicyFulcioSubject struct {
SignedEmail string `json:"signedEmail"`
}

// PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.
type PKI struct {
// caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format.
// +kubebuilder:validation:Required
// +kubebuilder:validation:MaxLength=8192
CertificateAuthorityRootsData []byte `json:"caRootsData"`
// caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format.
// caIntermediatesData requires CertificateAuthorityRoots to be set.
// +optional
// +kubebuilder:validation:MaxLength=8192
CertificateAuthorityIntermediatesData []byte `json:"caIntermediatesData,omitempty"`

// pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.
// +kubebuilder:validation:Required
PKICertificateSubject *PKICertificateSubject `json:"pkiCertificateSubject"`
}

// PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued.
// +kubebuilder:validation:XValidation:rule="has(self.email) || has(self.hostname)", message="at least one of email or hostname must be set in pkiCertificateSubject"
type PKICertificateSubject struct {
// email specifies the expected email address imposed on the subject to which the certificate was issued.
// +optional
// +kubebuilder:validation:XValidation:rule=`self.matches('^\\S+@\\S+$')`,message="invalid email address in pkiCertificateSubject"
Email string `json:"email,omitempty"`
// Hostname specifies the expected hostname imposed on the subject to which the certificate was issued.
// +optional
// +kubebuilder:validation:XValidation:rule=`self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$')`,message="invalid hostname in pkiCertificateSubject"
Hostname string `json:"hostname,omitempty"`
}

// PolicyIdentity defines image identity the signature claims about the image. When omitted, the default matchPolicy is "MatchRepoDigestOrExact".
// +kubebuilder:validation:XValidation:rule="(has(self.matchPolicy) && self.matchPolicy == 'ExactRepository') ? has(self.exactRepository) : !has(self.exactRepository)",message="exactRepository is required when matchPolicy is ExactRepository, and forbidden otherwise"
// +kubebuilder:validation:XValidation:rule="(has(self.matchPolicy) && self.matchPolicy == 'RemapIdentity') ? has(self.remapIdentity) : !has(self.remapIdentity)",message="remapIdentity is required when matchPolicy is RemapIdentity, and forbidden otherwise"
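Review bot: The email and hostname fields of PKICertificateSubject each carry a `matches()` rule but no `+kubebuilder:validation:MaxLength`, unlike caRootsData and caIntermediatesData in the PKI struct; without a bound the CEL cost estimator must assume a worst-case string length, and an explicit limit (for example `// +kubebuilder:validation:MaxLength=253` on hostname, the DNS name ceiling) keeps the rule cheap and rejects oversized subjects at admission. The caIntermediatesData comment says it "requires CertificateAuthorityRoots to be set", which is neither the Go field name (CertificateAuthorityRootsData) nor the JSON name the sibling comments use; `caIntermediatesData requires caRootsData to be set.` would be consistent, and the hostname comment should likewise open with the lowercase JSON name `hostname specifies` rather than `Hostname specifies`. The PKICertificateSubject comment states that at least one of email or hostname is required but not how the two combine when both are set, i.e. whether a certificate must satisfy both; a sentence on that would help policy authors reason about what is actually enforced. The 8192-character ceiling on the base64-encoded root bundle may hold only a few PEM certificates, which is worth confirming against the intended bundle sizes since the field is documented as holding "one or more CA roots".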
Expand Up @@ -102,14 +102,65 @@ spec:
- fulcioSubject
- rekorKeyData
type: object
pki:
description: pki defines the root of trust based on Bring
Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and
corresponding intermediate certificates.
properties:
caIntermediatesData:
description: |-
caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format.
caIntermediatesData requires CertificateAuthorityRoots to be set.
format: byte
maxLength: 8192
type: string
caRootsData:
description: caRootsData contains base64-encoded data
of a certificate bundle PEM file, which contains one
or more CA roots in the PEM format.
format: byte
maxLength: 8192
type: string
pkiCertificateSubject:
description: pkiCertificateSubject defines the requirements
imposed on the subject to which the certificate was
issued.
properties:
email:
description: email specifies the expected email address
imposed on the subject to which the certificate
was issued.
type: string
x-kubernetes-validations:
- message: invalid email address in pkiCertificateSubject
rule: self.matches('^\\S+@\\S+$')
hostname:
description: Hostname specifies the expected hostname
imposed on the subject to which the certificate
was issued.
type: string
x-kubernetes-validations:
- message: invalid hostname in pkiCertificateSubject
rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$')
type: object
x-kubernetes-validations:
- message: at least one of email or hostname must be set
in pkiCertificateSubject
rule: has(self.email) || has(self.hostname)
required:
- caRootsData
- pkiCertificateSubject
type: object
policyType:
description: |-
policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust.
"PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification.
"FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification.
"PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI).
enum:
- PublicKey
- FulcioCAWithRekor
- PKI
type: string
publicKey:
description: publicKey defines the root of trust based on
Expand Down Expand Up @@ -144,6 +195,10 @@ spec:
and forbidden otherwise
rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor''
? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)'
- message: pki is required when policyType is PKI, and forbidden
otherwise
rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
has(self.pki) : !has(self.pki)'
signedIdentity:
description: signedIdentity specifies what image identity the
signature claims about the image. The required matchPolicy field
Expand Up @@ -102,14 +102,65 @@ spec:
- fulcioSubject
- rekorKeyData
type: object
pki:
description: pki defines the root of trust based on Bring
Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and
corresponding intermediate certificates.
properties:
caIntermediatesData:
description: |-
caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format.
caIntermediatesData requires CertificateAuthorityRoots to be set.
format: byte
maxLength: 8192
type: string
caRootsData:
description: caRootsData contains base64-encoded data
of a certificate bundle PEM file, which contains one
or more CA roots in the PEM format.
format: byte
maxLength: 8192
type: string
pkiCertificateSubject:
description: pkiCertificateSubject defines the requirements
imposed on the subject to which the certificate was
issued.
properties:
email:
description: email specifies the expected email address
imposed on the subject to which the certificate
was issued.
type: string
x-kubernetes-validations:
- message: invalid email address in pkiCertificateSubject
rule: self.matches('^\\S+@\\S+$')
hostname:
description: Hostname specifies the expected hostname
imposed on the subject to which the certificate
was issued.
type: string
x-kubernetes-validations:
- message: invalid hostname in pkiCertificateSubject
rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$')
type: object
x-kubernetes-validations:
- message: at least one of email or hostname must be set
in pkiCertificateSubject
rule: has(self.email) || has(self.hostname)
required:
- caRootsData
- pkiCertificateSubject
type: object
policyType:
description: |-
policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust.
"PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification.
"FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification.
"PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI).
enum:
- PublicKey
- FulcioCAWithRekor
- PKI
type: string
publicKey:
description: publicKey defines the root of trust based on
Expand Down Expand Up @@ -144,6 +195,10 @@ spec:
and forbidden otherwise
rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor''
? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)'
- message: pki is required when policyType is PKI, and forbidden
otherwise
rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
has(self.pki) : !has(self.pki)'
signedIdentity:
description: signedIdentity specifies what image identity the
signature claims about the image. The required matchPolicy field
Expand Up @@ -107,9 +107,11 @@ spec:
policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust.
"PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification.
"FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification.
"PKI" is a DevPreview feature that indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI).
enum:
- PublicKey
- FulcioCAWithRekor
- PKI
type: string
publicKey:
description: publicKey defines the root of trust based on
Expand Down Expand Up @@ -144,6 +146,10 @@ spec:
and forbidden otherwise
rule: 'has(self.policyType) && self.policyType == ''FulcioCAWithRekor''
? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)'
- message: pki is required when policyType is PKI, and forbidden
otherwise
rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
has(self.pki) : !has(self.pki)'
signedIdentity:
description: signedIdentity specifies what image identity the
signature claims about the image. The required matchPolicy field
