validaiton with featuregate
Signed-off-by: Qi Wang <[email protected]>
QiWang19 committed Nov 18, 2024
1 parent 0c69e82 commit 3f7784d
Showing 23 changed files with 101 additions and 76 deletions.
Expand Up @@ -450,30 +450,4 @@ tests:
policyType: PublicKey
publicKey:
keyData: Zm9vIGJhcg==
- name: Should be able to create a minimal ClusterImagePolicy with policyType PKI
initial: |
apiVersion: config.openshift.io/v1alpha1
kind: ClusterImagePolicy
spec:
scopes:
- example.com
policy:
rootOfTrust:
policyType: PKI
pki:
caRootsData: Zm9vIGJhcg==
pkiCertificateSubject:
email: [email protected]
expected: |
apiVersion: config.openshift.io/v1alpha1
kind: ClusterImagePolicy
spec:
scopes:
- example.com
policy:
rootOfTrust:
policyType: PKI
pki:
caRootsData: Zm9vIGJhcg==
pkiCertificateSubject:
email: [email protected]
Expand Up @@ -450,30 +450,4 @@ tests:
policyType: PublicKey
publicKey:
keyData: Zm9vIGJhcg==
- name: Should be able to create a minimal ImagePolicy with policyType PKI
initial: |
apiVersion: config.openshift.io/v1alpha1
kind: ImagePolicy
spec:
scopes:
- example.com
policy:
rootOfTrust:
policyType: PKI
pki:
caRootsData: Zm9vIGJhcg==
pkiCertificateSubject:
email: [email protected]
expected: |
apiVersion: config.openshift.io/v1alpha1
kind: ImagePolicy
spec:
scopes:
- example.com
policy:
rootOfTrust:
policyType: PKI
pki:
caRootsData: Zm9vIGJhcg==
pkiCertificateSubject:
email: [email protected]
Expand Up @@ -30,4 +30,45 @@ tests:
pki:
caRootsData: Zm9vIGJhcg==
pkiCertificateSubject:
email: [email protected]
email: [email protected]
- name: Should not allow policyType PKI but not set pki
initial: |
apiVersion: config.openshift.io/v1alpha1
kind: ImagePolicy
spec:
scopes:
- example.com
policy:
rootOfTrust:
policyType: PKI
expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": pki is required when policyType is PKI, and forbidden otherwise"
- name: Should not allow pkiCertificateSubject invalid email
initial: |
apiVersion: config.openshift.io/v1alpha1
kind: ImagePolicy
spec:
scopes:
- example.com
policy:
rootOfTrust:
policyType: PKI
pki:
caRootsData: Zm9vIGJhcg==
pkiCertificateSubject:
email: invalid-email
expectedError: "spec.policy.rootOfTrust.pki.pkiCertificateSubject.email: Invalid value: \"string\": invalid email address in pkiCertificateSubject"
- name: Should not allow pkiCertificateSubject invalid hostname
initial: |
apiVersion: config.openshift.io/v1alpha1
kind: ImagePolicy
spec:
scopes:
- example.com
policy:
rootOfTrust:
policyType: PKI
pki:
caRootsData: Zm9vIGJhcg==
pkiCertificateSubject:
hostname: invaild
expectedError: "spec.policy.rootOfTrust.pki.pkiCertificateSubject.hostname: Invalid value: \"string\": invalid hostname in pkiCertificateSubject"
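Review bot: The new cases exercise only the "required" arm of the gated rule — `policyType: PKI` without `pki` (first added case) — while the "forbidden otherwise" arm that the same message promises is never hit, so a regression that lets `pki:` ride along with `PublicKey` or `FulcioCAWithRekor` would pass this suite. A case that sets `policyType: PublicKey` with a valid `publicKey` and an extra `pki` stanza, expecting the same `spec.policy.rootOfTrust: Invalid value: "object": pki is required when policyType is PKI, and forbidden otherwise` error, closes that gap. Separately, the intentionally bad value `hostname: invaild` in the last case reads like a typo rather than a deliberate probe; a value that names the failure it triggers (for example `hostname: has_underscore.example.com`, which the rule's character class rejects) documents intent better. If a ClusterImagePolicy gated suite exists alongside this one (the ungated suites for both kinds lost their PKI cases in this commit), the same forbidden-arm case belongs there too.
```yaml
  - name: Should not allow pki when policyType is PublicKey
    initial: |
      apiVersion: config.openshift.io/v1alpha1
      kind: ImagePolicy
      spec:
        scopes:
        - example.com
        policy:
          rootOfTrust:
            policyType: PublicKey
            publicKey:
              keyData: Zm9vIGJhcg==
            pki:
              caRootsData: Zm9vIGJhcg==
              pkiCertificateSubject:
                email: [email protected]
    expectedError: "spec.policy.rootOfTrust: Invalid value: \"object\": pki is required when policyType is PKI, and forbidden otherwise"
```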
6 changes: 4 additions & 2 deletions config/v1alpha1/types_image_policy.go
Expand Up @@ -73,6 +73,7 @@ type Policy struct {
// +union
// +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'PublicKey' ? has(self.publicKey) : !has(self.publicKey)",message="publicKey is required when policyType is PublicKey, and forbidden otherwise"
// +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'FulcioCAWithRekor' ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)",message="fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise"
// +openshift:validation:FeatureGateAwareXValidation:featureGate=SigstoreImageVerificationPKI,rule="has(self.policyType) && self.policyType == 'PKI' ? has(self.pki) : !has(self.pki)",message="pki is required when policyType is PKI, and forbidden otherwise"
type PolicyRootOfTrust struct {
// policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust.
// "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification.
Expand All @@ -95,7 +96,8 @@ type PolicyRootOfTrust struct {
PKI *PKI `json:"pki,omitempty"`
}

// +kubebuilder:validation:Enum=PublicKey;FulcioCAWithRekor;PKI
// +openshift:validation:FeatureGateAwareEnum:featureGate=SigstoreImageVerification,enum=PublicKey;FulcioCAWithRekor
// +openshift:validation:FeatureGateAwareEnum:featureGate=SigstoreImageVerificationPKI,enum=PublicKey;FulcioCAWithRekor;PKI
type PolicyType string

const (
Expand Down Expand Up @@ -176,7 +178,7 @@ type PKICertificateSubject struct {
// +optional
// +kubebuilder:validation:XValidation:rule=`self.matches('^\\S+@\\S+$')`,message="invalid email address in pkiCertificateSubject"
Email string `json:"email,omitempty"`
// Hostname specifies the expected hostname imposed on the subject to which the certificate was issued.
// hostname specifies the expected hostname imposed on the subject to which the certificate was issued.
// +optional
// +kubebuilder:validation:XValidation:rule=`self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$')`,message="invalid hostname in pkiCertificateSubject"
Hostname string `json:"hostname,omitempty"`
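Review bot: The `FeatureGateAwareXValidation` line added at the top of the first hunk carries both arms of the check, so when `SigstoreImageVerificationPKI` is off the "forbidden otherwise" arm vanishes with it: the base `FeatureGateAwareEnum` now rejects `policyType: PKI`, but nothing visible in this hunk stops a `pki:` stanza from being admitted next to `PublicKey` or `FulcioCAWithRekor`. Unless the `PKI *PKI` field itself is gated (its markers sit just above the second hunk and are not visible here), a cluster on the base gate could persist a PKI root of trust that is never validated. An ungated companion rule keeps that arm regardless of gate: `// +kubebuilder:validation:XValidation:rule="!has(self.pki) || (has(self.policyType) && self.policyType == 'PKI')",message="pki is forbidden unless policyType is PKI"`; under the base enum it reduces to `!has(self.pki)`, and under the PKI gate it overlaps harmlessly with the gated rule. The two enum lists now have to be kept in step by hand when a policy type is added, which is worth a one-line comment above them. `PolicyRootOfTrust` continues past the end of the hunk.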
Expand Up @@ -135,7 +135,7 @@ spec:
- message: invalid email address in pkiCertificateSubject
rule: self.matches('^\\S+@\\S+$')
hostname:
description: Hostname specifies the expected hostname
description: hostname specifies the expected hostname
imposed on the subject to which the certificate
was issued.
type: string
Expand Down Expand Up @@ -187,6 +187,10 @@ spec:
- policyType
type: object
x-kubernetes-validations:
- message: pki is required when policyType is PKI, and forbidden
otherwise
rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
has(self.pki) : !has(self.pki)'
- message: publicKey is required when policyType is PublicKey,
and forbidden otherwise
rule: 'has(self.policyType) && self.policyType == ''PublicKey''
Expand Up @@ -135,7 +135,7 @@ spec:
- message: invalid email address in pkiCertificateSubject
rule: self.matches('^\\S+@\\S+$')
hostname:
description: Hostname specifies the expected hostname
description: hostname specifies the expected hostname
imposed on the subject to which the certificate
was issued.
type: string
Expand Down Expand Up @@ -187,6 +187,10 @@ spec:
- policyType
type: object
x-kubernetes-validations:
- message: pki is required when policyType is PKI, and forbidden
otherwise
rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
has(self.pki) : !has(self.pki)'
- message: publicKey is required when policyType is PublicKey,
and forbidden otherwise
rule: 'has(self.policyType) && self.policyType == ''PublicKey''
Expand Up @@ -111,7 +111,6 @@ spec:
enum:
- PublicKey
- FulcioCAWithRekor
- PKI
type: string
publicKey:
description: publicKey defines the root of trust based on
Expand Up @@ -135,7 +135,7 @@ spec:
- message: invalid email address in pkiCertificateSubject
rule: self.matches('^\\S+@\\S+$')
hostname:
description: Hostname specifies the expected hostname
description: hostname specifies the expected hostname
imposed on the subject to which the certificate
was issued.
type: string
Expand Down Expand Up @@ -187,6 +187,10 @@ spec:
- policyType
type: object
x-kubernetes-validations:
- message: pki is required when policyType is PKI, and forbidden
otherwise
rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
has(self.pki) : !has(self.pki)'
- message: publicKey is required when policyType is PublicKey,
and forbidden otherwise
rule: 'has(self.policyType) && self.policyType == ''PublicKey''
Expand Up @@ -135,7 +135,7 @@ spec:
- message: invalid email address in pkiCertificateSubject
rule: self.matches('^\\S+@\\S+$')
hostname:
description: Hostname specifies the expected hostname
description: hostname specifies the expected hostname
imposed on the subject to which the certificate
was issued.
type: string
Expand Down Expand Up @@ -187,6 +187,10 @@ spec:
- policyType
type: object
x-kubernetes-validations:
- message: pki is required when policyType is PKI, and forbidden
otherwise
rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
has(self.pki) : !has(self.pki)'
- message: publicKey is required when policyType is PublicKey,
and forbidden otherwise
rule: 'has(self.policyType) && self.policyType == ''PublicKey''
Expand Up @@ -111,7 +111,6 @@ spec:
enum:
- PublicKey
- FulcioCAWithRekor
- PKI
type: string
publicKey:
description: publicKey defines the root of trust based on
Expand Up @@ -111,7 +111,6 @@ spec:
enum:
- PublicKey
- FulcioCAWithRekor
- PKI
type: string
publicKey:
description: publicKey defines the root of trust based on
Expand Up @@ -135,7 +135,7 @@ spec:
- message: invalid email address in pkiCertificateSubject
rule: self.matches('^\\S+@\\S+$')
hostname:
description: Hostname specifies the expected hostname
description: hostname specifies the expected hostname
imposed on the subject to which the certificate
was issued.
type: string
Expand Down Expand Up @@ -187,6 +187,10 @@ spec:
- policyType
type: object
x-kubernetes-validations:
- message: pki is required when policyType is PKI, and forbidden
otherwise
rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
has(self.pki) : !has(self.pki)'
- message: publicKey is required when policyType is PublicKey,
and forbidden otherwise
rule: 'has(self.policyType) && self.policyType == ''PublicKey''
Expand Up @@ -111,7 +111,6 @@ spec:
enum:
- PublicKey
- FulcioCAWithRekor
- PKI
type: string
publicKey:
description: publicKey defines the root of trust based on
Expand Up @@ -135,7 +135,7 @@ spec:
- message: invalid email address in pkiCertificateSubject
rule: self.matches('^\\S+@\\S+$')
hostname:
description: Hostname specifies the expected hostname
description: hostname specifies the expected hostname
imposed on the subject to which the certificate
was issued.
type: string
Expand Down Expand Up @@ -187,6 +187,10 @@ spec:
- policyType
type: object
x-kubernetes-validations:
- message: pki is required when policyType is PKI, and forbidden
otherwise
rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
has(self.pki) : !has(self.pki)'
- message: publicKey is required when policyType is PublicKey,
and forbidden otherwise
rule: 'has(self.policyType) && self.policyType == ''PublicKey''
2 changes: 1 addition & 1 deletion config/v1alpha1/zz_generated.swagger_doc_generated.go
2 changes: 1 addition & 1 deletion openapi/generated_openapi/zz_generated.openapi.go
2 changes: 1 addition & 1 deletion openapi/openapi.json
Expand Up @@ -11324,7 +11324,7 @@
"type": "string"
},
"hostname": {
"description": "Hostname specifies the expected hostname imposed on the subject to which the certificate was issued.",
"description": "hostname specifies the expected hostname imposed on the subject to which the certificate was issued.",
"type": "string"
}
}
Expand Up @@ -135,7 +135,7 @@ spec:
- message: invalid email address in pkiCertificateSubject
rule: self.matches('^\\S+@\\S+$')
hostname:
description: Hostname specifies the expected hostname
description: hostname specifies the expected hostname
imposed on the subject to which the certificate
was issued.
type: string
Expand Down Expand Up @@ -187,6 +187,10 @@ spec:
- policyType
type: object
x-kubernetes-validations:
- message: pki is required when policyType is PKI, and forbidden
otherwise
rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
has(self.pki) : !has(self.pki)'
- message: publicKey is required when policyType is PublicKey,
and forbidden otherwise
rule: 'has(self.policyType) && self.policyType == ''PublicKey''
Expand Up @@ -135,7 +135,7 @@ spec:
- message: invalid email address in pkiCertificateSubject
rule: self.matches('^\\S+@\\S+$')
hostname:
description: Hostname specifies the expected hostname
description: hostname specifies the expected hostname
imposed on the subject to which the certificate
was issued.
type: string
Expand Down Expand Up @@ -187,6 +187,10 @@ spec:
- policyType
type: object
x-kubernetes-validations:
- message: pki is required when policyType is PKI, and forbidden
otherwise
rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
has(self.pki) : !has(self.pki)'
- message: publicKey is required when policyType is PublicKey,
and forbidden otherwise
rule: 'has(self.policyType) && self.policyType == ''PublicKey''
Expand Up @@ -111,7 +111,6 @@ spec:
enum:
- PublicKey
- FulcioCAWithRekor
- PKI
type: string
publicKey:
description: publicKey defines the root of trust based on
Expand Up @@ -135,7 +135,7 @@ spec:
- message: invalid email address in pkiCertificateSubject
rule: self.matches('^\\S+@\\S+$')
hostname:
description: Hostname specifies the expected hostname
description: hostname specifies the expected hostname
imposed on the subject to which the certificate
was issued.
type: string
Expand Down Expand Up @@ -187,6 +187,10 @@ spec:
- policyType
type: object
x-kubernetes-validations:
- message: pki is required when policyType is PKI, and forbidden
otherwise
rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
has(self.pki) : !has(self.pki)'
- message: publicKey is required when policyType is PublicKey,
and forbidden otherwise
rule: 'has(self.policyType) && self.policyType == ''PublicKey''