validaiton with featuregate

Signed-off-by: Qi Wang <[email protected]>

config/v1alpha1/types_image_policy.go

@@ -73,6 +73,7 @@ type Policy struct {
 // +union
 // +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'PublicKey' ? has(self.publicKey) : !has(self.publicKey)",message="publicKey is required when policyType is PublicKey, and forbidden otherwise"
 // +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'FulcioCAWithRekor' ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)",message="fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=SigstoreImageVerificationPKI,rule="has(self.policyType) && self.policyType == 'PKI' ? has(self.pki) : !has(self.pki)",message="pki is required when policyType is PKI, and forbidden otherwise"
 type PolicyRootOfTrust struct {
 	// policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust.
 	// "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification.
@@ -95,7 +96,8 @@ type PolicyRootOfTrust struct {
 	PKI *PKI `json:"pki,omitempty"`
 }
 
-// +kubebuilder:validation:Enum=PublicKey;FulcioCAWithRekor;PKI
+// +openshift:validation:FeatureGateAwareEnum:featureGate=SigstoreImageVerification,enum=PublicKey;FulcioCAWithRekor
+// +openshift:validation:FeatureGateAwareEnum:featureGate=SigstoreImageVerificationPKI,enum=PublicKey;FulcioCAWithRekor;PKI
 type PolicyType string
 
 const (

config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml

@@ -187,6 +187,10 @@ spec:
                     - policyType
                     type: object
                     x-kubernetes-validations:
+                    - message: pki is required when policyType is PKI, and forbidden
+                        otherwise
+                      rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
+                        has(self.pki) : !has(self.pki)'
                     - message: publicKey is required when policyType is PublicKey,
                         and forbidden otherwise
                       rule: 'has(self.policyType) && self.policyType == ''PublicKey''

config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml

@@ -187,6 +187,10 @@ spec:
                     - policyType
                     type: object
                     x-kubernetes-validations:
+                    - message: pki is required when policyType is PKI, and forbidden
+                        otherwise
+                      rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
+                        has(self.pki) : !has(self.pki)'
                     - message: publicKey is required when policyType is PublicKey,
                         and forbidden otherwise
                       rule: 'has(self.policyType) && self.policyType == ''PublicKey''

config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml

@@ -111,7 +111,6 @@ spec:
                         enum:
                         - PublicKey
                         - FulcioCAWithRekor
-                        - PKI
                         type: string
                       publicKey:
                         description: publicKey defines the root of trust based on

config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml

@@ -187,6 +187,10 @@ spec:
                     - policyType
                     type: object
                     x-kubernetes-validations:
+                    - message: pki is required when policyType is PKI, and forbidden
+                        otherwise
+                      rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
+                        has(self.pki) : !has(self.pki)'
                     - message: publicKey is required when policyType is PublicKey,
                         and forbidden otherwise
                       rule: 'has(self.policyType) && self.policyType == ''PublicKey''

config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml

@@ -187,6 +187,10 @@ spec:
                     - policyType
                     type: object
                     x-kubernetes-validations:
+                    - message: pki is required when policyType is PKI, and forbidden
+                        otherwise
+                      rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
+                        has(self.pki) : !has(self.pki)'
                     - message: publicKey is required when policyType is PublicKey,
                         and forbidden otherwise
                       rule: 'has(self.policyType) && self.policyType == ''PublicKey''

config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml

@@ -111,7 +111,6 @@ spec:
                         enum:
                         - PublicKey
                         - FulcioCAWithRekor
-                        - PKI
                         type: string
                       publicKey:
                         description: publicKey defines the root of trust based on

config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml

@@ -111,7 +111,6 @@ spec:
                         enum:
                         - PublicKey
                         - FulcioCAWithRekor
-                        - PKI
                         type: string
                       publicKey:
                         description: publicKey defines the root of trust based on

config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml

@@ -187,6 +187,10 @@ spec:
                     - policyType
                     type: object
                     x-kubernetes-validations:
+                    - message: pki is required when policyType is PKI, and forbidden
+                        otherwise
+                      rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
+                        has(self.pki) : !has(self.pki)'
                     - message: publicKey is required when policyType is PublicKey,
                         and forbidden otherwise
                       rule: 'has(self.policyType) && self.policyType == ''PublicKey''

config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml

@@ -111,7 +111,6 @@ spec:
                         enum:
                         - PublicKey
                         - FulcioCAWithRekor
-                        - PKI
                         type: string
                       publicKey:
                         description: publicKey defines the root of trust based on

config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml

@@ -187,6 +187,10 @@ spec:
                     - policyType
                     type: object
                     x-kubernetes-validations:
+                    - message: pki is required when policyType is PKI, and forbidden
+                        otherwise
+                      rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
+                        has(self.pki) : !has(self.pki)'
                     - message: publicKey is required when policyType is PublicKey,
                         and forbidden otherwise
                       rule: 'has(self.policyType) && self.policyType == ''PublicKey''

payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml

@@ -187,6 +187,10 @@ spec:
                     - policyType
                     type: object
                     x-kubernetes-validations:
+                    - message: pki is required when policyType is PKI, and forbidden
+                        otherwise
+                      rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
+                        has(self.pki) : !has(self.pki)'
                     - message: publicKey is required when policyType is PublicKey,
                         and forbidden otherwise
                       rule: 'has(self.policyType) && self.policyType == ''PublicKey''

payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml

@@ -187,6 +187,10 @@ spec:
                     - policyType
                     type: object
                     x-kubernetes-validations:
+                    - message: pki is required when policyType is PKI, and forbidden
+                        otherwise
+                      rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
+                        has(self.pki) : !has(self.pki)'
                     - message: publicKey is required when policyType is PublicKey,
                         and forbidden otherwise
                       rule: 'has(self.policyType) && self.policyType == ''PublicKey''

payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml

@@ -111,7 +111,6 @@ spec:
                         enum:
                         - PublicKey
                         - FulcioCAWithRekor
-                        - PKI
                         type: string
                       publicKey:
                         description: publicKey defines the root of trust based on

payload-manifests/crds/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml

@@ -187,6 +187,10 @@ spec:
                     - policyType
                     type: object
                     x-kubernetes-validations:
+                    - message: pki is required when policyType is PKI, and forbidden
+                        otherwise
+                      rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
+                        has(self.pki) : !has(self.pki)'
                     - message: publicKey is required when policyType is PublicKey,
                         and forbidden otherwise
                       rule: 'has(self.policyType) && self.policyType == ''PublicKey''

payload-manifests/crds/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml

@@ -187,6 +187,10 @@ spec:
                     - policyType
                     type: object
                     x-kubernetes-validations:
+                    - message: pki is required when policyType is PKI, and forbidden
+                        otherwise
+                      rule: 'has(self.policyType) && self.policyType == ''PKI'' ?
+                        has(self.pki) : !has(self.pki)'
                     - message: publicKey is required when policyType is PublicKey,
                         and forbidden otherwise
                       rule: 'has(self.policyType) && self.policyType == ''PublicKey''

payload-manifests/crds/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml

@@ -111,7 +111,6 @@ spec:
                         enum:
                         - PublicKey
                         - FulcioCAWithRekor
-                        - PKI
                         type: string
                       publicKey:
                         description: publicKey defines the root of trust based on