Created
May 16, 2023 08:17
-
-
Save saschagrunert/f7f9f66ca38b5b2a1e1ab1413663977c to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package api | |
| import ( | |
| metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | |
| ) | |
| type ImagePolicy struct { | |
| metav1.TypeMeta `json:",inline"` | |
| metav1.ObjectMeta `json:"metadata,omitempty"` | |
| Spec ImagePolicySpec `json:"spec"` | |
| Status ImagePolicyStatus `json:"status,omitempty"` | |
| } | |
| type ImagePolicySpec struct { | |
| // Images holds images/repositories to be verified. | |
| Images []Image `json:"images"` | |
| // Policy defines the verification policy. | |
| Policy Policy `json:"policy"` | |
| } | |
| // Image defines the list of images assinged to a policy. For more information | |
| // about the format, see the document about the location field: | |
| // https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker | |
| type Image string | |
| type Policy struct { | |
| // KeyData contains inline base64 data of the public key. Can be empty if | |
| // the image got signed keyless. | |
| KeyData string `json:"keyData,omitempty"` | |
| // OIDCIssuer contains the expected OIDC issuer. | |
| // Example: "https://expected.OIDC.issuer/" | |
| OIDCIssuer string `json:"oidcIssuer,omitempty"` | |
| // SubjectEmail holds the email address of the subject. | |
| // Example: "expected-signing-user@example.com" | |
| SubjectEmail string `json:"subjectEmail,omitempty"` | |
| // SignedIdentity specifies what image identity the signature claims about | |
| // the image. | |
| SignedIdentity Identity `json:"signedIdentity,omitempty"` | |
| // FulcioCAData contains inline base64 data for the fulcio CA certificate. | |
| // Defaults to the base64 encoded contents of: | |
| // https://raw.githubusercontent.com/sigstore/root-signing/main/targets/fulcio_v1.crt.pem | |
| FulcioCAData string `json:"fulcioCAData,omitempty"` | |
| // RekorKeyData contains inline base64 data of the rekor public key. | |
| // Defaults to the base64 encoded contents of: | |
| // https://raw.githubusercontent.com/sigstore/root-signing/main/targets/rekor.pub | |
| RekorKeyData string `json:"rekorKeyData,omitempty"` | |
| } | |
| type Identity struct { | |
| IdentityMatchPolicy IdentityMatchPolicy `json:"identityMatchPolicy,omitempty"` | |
| Prefix string `json:"prefix,omitempty"` | |
| SignedPrefix string `json:"signedPrefix,omitempty"` | |
| } | |
| type ImagePolicyStatus struct { | |
| // TODO: DO we need conditions? | |
| // Conditions []Condition `json:"conditions,omitempty"` | |
| // PolicyJSON contains the whole policy applied to the namespace which got | |
| // written to disk. This includes cluster-wide policies from the | |
| // `openshift-config` namespace as well. | |
| PolicyJSON string `json:"policyJSON,omitempty"` | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment