From 4a82b167871a278fbdb8fe05cd65365b344b525d Mon Sep 17 00:00:00 2001
From: Qi Wang
Date: Thu, 14 Nov 2024 17:11:23 -0500
Subject: [PATCH] validaiton with featuregate

Signed-off-by: Qi Wang
---
config/v1alpha1/types_image_policy.go | 4 +++-
...-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml | 4 ++++
...rator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml | 4 ++++
...ator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml | 1 -
..._config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml | 4 ++++
...fig-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml | 4 ++++
...ig-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml | 1 -
.../SigstoreImageVerification.yaml | 1 -
.../SigstoreImageVerificationPKI.yaml | 4 ++++
.../SigstoreImageVerification.yaml | 1 -
.../SigstoreImageVerificationPKI.yaml | 4 ++++
...-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml | 4 ++++
...rator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml | 4 ++++
...ator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml | 1 -
..._config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml | 4 ++++
...fig-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml | 4 ++++
...ig-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml | 1 -
17 files changed, 43 insertions(+), 7 deletions(-)
diff --git a/config/v1alpha1/types_image_policy.go b/config/v1alpha1/types_image_policy.go
index 73d6470c7aa..df484ec1fd4 100644
--- a/config/v1alpha1/types_image_policy.go
+++ b/config/v1alpha1/types_image_policy.go 
@@ -73,6 +73,7 @@ type Policy struct { // +union // +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'PublicKey' ? has(self.publicKey) : !has(self.publicKey)",message="publicKey is required when policyType is PublicKey, and forbidden otherwise" // +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'FulcioCAWithRekor' ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)",message="fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise" +// +openshift:validation:FeatureGateAwareXValidation:featureGate=SigstoreImageVerificationPKI,rule="has(self.policyType) && self.policyType == 'PKI' ? has(self.pki) : !has(self.pki)",message="pki is required when policyType is PKI, and forbidden otherwise" type PolicyRootOfTrust struct { // policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. // "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. @@ -95,7 +96,8 @@ type PolicyRootOfTrust struct { PKI *PKI `json:"pki,omitempty"` } -// +kubebuilder:validation:Enum=PublicKey;FulcioCAWithRekor;PKI +// +openshift:validation:FeatureGateAwareEnum:featureGate=SigstoreImageVerification,enum=PublicKey;FulcioCAWithRekor +// +openshift:validation:FeatureGateAwareEnum:featureGate=SigstoreImageVerificationPKI,enum=PublicKey;FulcioCAWithRekor;PKI type PolicyType string const ( diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml index 30d41a09e85..d76d73aea1f 100644 --- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml 
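Review bot: The added `pki` union rule on PolicyRootOfTrust is emitted only when SigstoreImageVerificationPKI is enabled, so with that gate off nothing in this hunk forbids `pki` being set next to another policyType. That is safe only if the `pki` field itself is gated out of the schema; the field's markers are outside this hunk, so this should be confirmed. The diffstat lists only the type file and generated manifests, so the new rule has no admission test; cases worth adding are `policyType: PKI` without `pki`, and `pki` set together with `policyType: PublicKey`, both expected to be rejected. The body of PolicyRootOfTrust continues outside the hunk.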
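Review bot: The PolicyType enum is now assembled from two overlapping FeatureGateAwareEnum markers, and nothing in the comment tells a reader which gate admits which value; a line such as `// PKI is accepted only when the SigstoreImageVerificationPKI feature gate is enabled.` above `type PolicyType string` would record that. The generated TechPreviewNoUpgrade manifests in this patch drop `PKI` from the enum, so an object already stored on such a cluster with `policyType: PKI` would presumably be rejected the next time that field is written; the commit message should say whether that tightening is intended. The second marker repeats the base values, which suggests the lists are not merged when only the PKI gate is on, but the generator is not visible here. The `const (` block that follows continues outside the hunk.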
+++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml @@ -187,6 +187,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml index 27268d207db..99713c209f3 100644 --- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml @@ -187,6 +187,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml index 727efc92f3d..5b741d16ec6 100644 --- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml 
+++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml @@ -111,7 +111,6 @@ spec: enum: - PublicKey - FulcioCAWithRekor - - PKI type: string publicKey: description: publicKey defines the root of trust based on diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml index 955771035ef..beda55a707a 100644 --- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml @@ -187,6 +187,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml index fcfddacb9e0..dc9827473af 100644 --- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml 
@@ -187,6 +187,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml index 8da264ed7f1..7534d8b5307 100644 --- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml @@ -111,7 +111,6 @@ spec: enum: - PublicKey - FulcioCAWithRekor - - PKI type: string publicKey: description: publicKey defines the root of trust based on diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml index 313a7c19bb3..b345146042f 100644 --- a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml +++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml @@ -111,7 +111,6 @@ spec: enum: - PublicKey - FulcioCAWithRekor - - PKI type: string publicKey: description: publicKey defines the root of trust based on 
diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml index 49d16eada24..43a920299f5 100644 --- a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml +++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml @@ -187,6 +187,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml index d0747f8c231..008fea2e3e6 100644 --- a/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml +++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml @@ -111,7 +111,6 @@ spec: enum: - PublicKey - FulcioCAWithRekor - - PKI type: string publicKey: description: publicKey defines the root of trust based on diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml index e9103f6fab6..221a40c9cb9 100644 
--- a/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml +++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml @@ -187,6 +187,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' diff --git a/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml index 30d41a09e85..d76d73aea1f 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml @@ -187,6 +187,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' diff --git a/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml index 27268d207db..99713c209f3 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml 
@@ -187,6 +187,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' diff --git a/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml index 727efc92f3d..5b741d16ec6 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml @@ -111,7 +111,6 @@ spec: enum: - PublicKey - FulcioCAWithRekor - - PKI type: string publicKey: description: publicKey defines the root of trust based on diff --git a/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml index 955771035ef..beda55a707a 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml @@ -187,6 +187,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' 
diff --git a/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml index fcfddacb9e0..dc9827473af 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml @@ -187,6 +187,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' diff --git a/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml index 8da264ed7f1..7534d8b5307 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml @@ -111,7 +111,6 @@ spec: enum: - PublicKey - FulcioCAWithRekor - - PKI type: string publicKey: description: publicKey defines the root of trust based on