mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00

add keyless verification (#2677)

* add keyless verification

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* run make fmt

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix linter warning

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* wrap error with details

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Jim Bugwadia 2021-11-04 23:26:22 -07:00 committed by GitHub
parent e5e849acfe
commit 50cb1859c3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 4913 additions and 4589 deletions


@ -545,6 +545,12 @@ type ImageVerification struct {
// Key is the PEM encoded public key that the image or attestation is signed with. // Key is the PEM encoded public key that the image or attestation is signed with.
Key string `json:"key,omitempty" yaml:"key,omitempty"` Key string `json:"key,omitempty" yaml:"key,omitempty"`
// Roots is the PEM encoded Root certificate chain used for keyless signing
Roots string `json:"roots,omitempty" yaml:"roots,omitempty"`
// Subject is the verified identity used for keyless signing, for example the email address
Subject string `json:"subject,omitempty" yaml:"subject,omitempty"`
// Repository is an optional alternate OCI repository to use for image signatures that match this rule. // Repository is an optional alternate OCI repository to use for image signatures that match this rule.
// If specified Repository will override the default OCI image repository configured for the installation. // If specified Repository will override the default OCI image repository configured for the installation.
Repository string `json:"repository,omitempty" yaml:"repository,omitempty"` Repository string `json:"repository,omitempty" yaml:"repository,omitempty"`
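Review bot: The comment on `Subject` does not say how the value is compared with the identity in the signing certificate (exact string, case handling, pattern), and the struct gains no companion field for the OIDC issuer. From this hunk a policy author cannot tell whether the same email asserted by a different issuer chaining to `Roots` would also be accepted. I would spell the contract out, e.g. `// Subject is the identity (for example the email address) that the signing certificate must carry; it is compared as <exact match | pattern>.`, and state in the `Key` and `Roots` comments that they are alternatives and what happens when neither is set; the validation code is not visible here, so this may already be enforced elsewhere. The two new comments also lack the trailing period that the neighbouring field comments use. The `ImageVerification` struct starts and ends outside the hunk.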


@ -137,7 +137,7 @@ spec:
description: All allows specifying resources which will description: All allows specifying resources which will
be ANDed be ANDed
items: items:
description: ResourceFilters allow users to "AND" or "OR" description: ResourceFilter allow users to "AND" or "OR"
between resources between resources
properties: properties:
clusterRoles: clusterRoles:
@ -352,7 +352,7 @@ spec:
description: Any allows specifying resources which will description: Any allows specifying resources which will
be ORed be ORed
items: items:
description: ResourceFilters allow users to "AND" or "OR" description: ResourceFilter allow users to "AND" or "OR"
between resources between resources
properties: properties:
clusterRoles: clusterRoles:
@ -812,7 +812,7 @@ spec:
description: All allows specifying resources which will description: All allows specifying resources which will
be ANDed be ANDed
items: items:
description: ResourceFilters allow users to "AND" or "OR" description: ResourceFilter allow users to "AND" or "OR"
between resources between resources
properties: properties:
clusterRoles: clusterRoles:
@ -1027,7 +1027,7 @@ spec:
description: Any allows specifying resources which will description: Any allows specifying resources which will
be ORed be ORed
items: items:
description: ResourceFilters allow users to "AND" or "OR" description: ResourceFilter allow users to "AND" or "OR"
between resources between resources
properties: properties:
clusterRoles: clusterRoles:
@ -1438,11 +1438,11 @@ spec:
description: Mutation is used to modify matching resources. description: Mutation is used to modify matching resources.
properties: properties:
foreach: foreach:
description: ForEach applies policy rule changes to nested description: ForEachMutation applies policy rule changes
elements. to nested elements.
items: items:
description: ForEach applies policy rule changes to nested description: ForEachMutation applies policy rule changes
elements. to nested elements.
properties: properties:
context: context:
description: Context defines variables and data sources description: Context defines variables and data sources
@ -1507,7 +1507,7 @@ spec:
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
preconditions: preconditions:
description: 'Preconditions are used to determine description: 'AnyAllConditions are used to determine
if a policy rule should be applied by evaluating if a policy rule should be applied by evaluating
a set of conditions. The declaration can contain a set of conditions. The declaration can contain
nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
@ -1682,8 +1682,8 @@ spec:
description: ForEach applies policy rule changes to nested description: ForEach applies policy rule changes to nested
elements. elements.
items: items:
description: ForEach applies policy rule checks to nested description: ForEachValidation applies policy rule checks
elements. to nested elements.
properties: properties:
anyPattern: anyPattern:
description: AnyPattern specifies list of validation description: AnyPattern specifies list of validation
@ -1765,7 +1765,7 @@ spec:
used to check resources. used to check resources.
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
preconditions: preconditions:
description: 'Preconditions are used to determine description: 'AnyAllConditions are used to determine
if a policy rule should be applied by evaluating if a policy rule should be applied by evaluating
a set of conditions. The declaration can contain a set of conditions. The declaration can contain
nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
@ -1902,7 +1902,7 @@ spec:
the attestation check is satisfied as long there the attestation check is satisfied as long there
are predicates that match the predicate type. are predicates that match the predicate type.
items: items:
description: AnyAllCondition consists of conditions description: AnyAllConditions consists of conditions
wrapped denoting a logical criteria to be fulfilled. wrapped denoting a logical criteria to be fulfilled.
AnyConditions get fulfilled when at least one AnyConditions get fulfilled when at least one
of its sub-conditions passes. AllConditions of its sub-conditions passes. AllConditions
@ -2026,6 +2026,14 @@ spec:
specified Repository will override the default OCI image specified Repository will override the default OCI image
repository configured for the installation. repository configured for the installation.
type: string type: string
roots:
description: Roots is the PEM encoded Root certificate
chain used for keyless signing
type: string
subject:
description: Subject is the verified identity used for
keyless signing, for example the email address
type: string
type: object type: object
type: array type: array
type: object type: object


@ -61,6 +61,8 @@ spec:
description: Context ... description: Context ...
properties: properties:
admissionRequestInfo: admissionRequestInfo:
description: AdmissionRequestInfoObject stores the admission request
and operation details
properties: properties:
admissionRequest: admissionRequest:
type: string type: string


@ -138,7 +138,7 @@ spec:
description: All allows specifying resources which will description: All allows specifying resources which will
be ANDed be ANDed
items: items:
description: ResourceFilters allow users to "AND" or "OR" description: ResourceFilter allow users to "AND" or "OR"
between resources between resources
properties: properties:
clusterRoles: clusterRoles:
@ -353,7 +353,7 @@ spec:
description: Any allows specifying resources which will description: Any allows specifying resources which will
be ORed be ORed
items: items:
description: ResourceFilters allow users to "AND" or "OR" description: ResourceFilter allow users to "AND" or "OR"
between resources between resources
properties: properties:
clusterRoles: clusterRoles:
@ -813,7 +813,7 @@ spec:
description: All allows specifying resources which will description: All allows specifying resources which will
be ANDed be ANDed
items: items:
description: ResourceFilters allow users to "AND" or "OR" description: ResourceFilter allow users to "AND" or "OR"
between resources between resources
properties: properties:
clusterRoles: clusterRoles:
@ -1028,7 +1028,7 @@ spec:
description: Any allows specifying resources which will description: Any allows specifying resources which will
be ORed be ORed
items: items:
description: ResourceFilters allow users to "AND" or "OR" description: ResourceFilter allow users to "AND" or "OR"
between resources between resources
properties: properties:
clusterRoles: clusterRoles:
@ -1439,11 +1439,11 @@ spec:
description: Mutation is used to modify matching resources. description: Mutation is used to modify matching resources.
properties: properties:
foreach: foreach:
description: ForEach applies policy rule changes to nested description: ForEachMutation applies policy rule changes
elements. to nested elements.
items: items:
description: ForEach applies policy rule changes to nested description: ForEachMutation applies policy rule changes
elements. to nested elements.
properties: properties:
context: context:
description: Context defines variables and data sources description: Context defines variables and data sources
@ -1508,7 +1508,7 @@ spec:
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
preconditions: preconditions:
description: 'Preconditions are used to determine description: 'AnyAllConditions are used to determine
if a policy rule should be applied by evaluating if a policy rule should be applied by evaluating
a set of conditions. The declaration can contain a set of conditions. The declaration can contain
nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
@ -1683,8 +1683,8 @@ spec:
description: ForEach applies policy rule changes to nested description: ForEach applies policy rule changes to nested
elements. elements.
items: items:
description: ForEach applies policy rule checks to nested description: ForEachValidation applies policy rule checks
elements. to nested elements.
properties: properties:
anyPattern: anyPattern:
description: AnyPattern specifies list of validation description: AnyPattern specifies list of validation
@ -1766,7 +1766,7 @@ spec:
used to check resources. used to check resources.
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
preconditions: preconditions:
description: 'Preconditions are used to determine description: 'AnyAllConditions are used to determine
if a policy rule should be applied by evaluating if a policy rule should be applied by evaluating
a set of conditions. The declaration can contain a set of conditions. The declaration can contain
nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
@ -1903,7 +1903,7 @@ spec:
the attestation check is satisfied as long there the attestation check is satisfied as long there
are predicates that match the predicate type. are predicates that match the predicate type.
items: items:
description: AnyAllCondition consists of conditions description: AnyAllConditions consists of conditions
wrapped denoting a logical criteria to be fulfilled. wrapped denoting a logical criteria to be fulfilled.
AnyConditions get fulfilled when at least one AnyConditions get fulfilled when at least one
of its sub-conditions passes. AllConditions of its sub-conditions passes. AllConditions
@ -2027,6 +2027,14 @@ spec:
specified Repository will override the default OCI image specified Repository will override the default OCI image
repository configured for the installation. repository configured for the installation.
type: string type: string
roots:
description: Roots is the PEM encoded Root certificate
chain used for keyless signing
type: string
subject:
description: Subject is the verified identity used for
keyless signing, for example the email address
type: string
type: object type: object
type: array type: array
type: object type: object


@ -155,7 +155,7 @@ spec:
description: All allows specifying resources which will description: All allows specifying resources which will
be ANDed be ANDed
items: items:
description: ResourceFilters allow users to "AND" or "OR" description: ResourceFilter allow users to "AND" or "OR"
between resources between resources
properties: properties:
clusterRoles: clusterRoles:
@ -370,7 +370,7 @@ spec:
description: Any allows specifying resources which will description: Any allows specifying resources which will
be ORed be ORed
items: items:
description: ResourceFilters allow users to "AND" or "OR" description: ResourceFilter allow users to "AND" or "OR"
between resources between resources
properties: properties:
clusterRoles: clusterRoles:
@ -830,7 +830,7 @@ spec:
description: All allows specifying resources which will description: All allows specifying resources which will
be ANDed be ANDed
items: items:
description: ResourceFilters allow users to "AND" or "OR" description: ResourceFilter allow users to "AND" or "OR"
between resources between resources
properties: properties:
clusterRoles: clusterRoles:
@ -1045,7 +1045,7 @@ spec:
description: Any allows specifying resources which will description: Any allows specifying resources which will
be ORed be ORed
items: items:
description: ResourceFilters allow users to "AND" or "OR" description: ResourceFilter allow users to "AND" or "OR"
between resources between resources
properties: properties:
clusterRoles: clusterRoles:
@ -1456,11 +1456,11 @@ spec:
description: Mutation is used to modify matching resources. description: Mutation is used to modify matching resources.
properties: properties:
foreach: foreach:
description: ForEach applies policy rule changes to nested description: ForEachMutation applies policy rule changes
elements. to nested elements.
items: items:
description: ForEach applies policy rule changes to nested description: ForEachMutation applies policy rule changes
elements. to nested elements.
properties: properties:
context: context:
description: Context defines variables and data sources description: Context defines variables and data sources
@ -1525,7 +1525,7 @@ spec:
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
preconditions: preconditions:
description: 'Preconditions are used to determine description: 'AnyAllConditions are used to determine
if a policy rule should be applied by evaluating if a policy rule should be applied by evaluating
a set of conditions. The declaration can contain a set of conditions. The declaration can contain
nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
@ -1548,12 +1548,17 @@ spec:
operator: operator:
description: Operator is the operation to description: Operator is the operation to
perform. Valid operators are Equals, NotEquals, perform. Valid operators are Equals, NotEquals,
In and NotIn. In, AnyIn, AllIn and NotIn, AnyNotIn,
AllNotIn.
enum: enum:
- Equals - Equals
- NotEquals - NotEquals
- In - In
- AnyIn
- AllIn
- NotIn - NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals - GreaterThanOrEquals
- GreaterThan - GreaterThan
- LessThanOrEquals - LessThanOrEquals
@ -1589,12 +1594,17 @@ spec:
operator: operator:
description: Operator is the operation to description: Operator is the operation to
perform. Valid operators are Equals, NotEquals, perform. Valid operators are Equals, NotEquals,
In and NotIn. In, AnyIn, AllIn and NotIn, AnyNotIn,
AllNotIn.
enum: enum:
- Equals - Equals
- NotEquals - NotEquals
- In - In
- AnyIn
- AllIn
- NotIn - NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals - GreaterThanOrEquals
- GreaterThan - GreaterThan
- LessThanOrEquals - LessThanOrEquals
@ -1690,8 +1700,8 @@ spec:
description: ForEach applies policy rule changes to nested description: ForEach applies policy rule changes to nested
elements. elements.
items: items:
description: ForEach applies policy rule checks to nested description: ForEachValidation applies policy rule checks
elements. to nested elements.
properties: properties:
anyPattern: anyPattern:
description: AnyPattern specifies list of validation description: AnyPattern specifies list of validation
@ -1773,7 +1783,7 @@ spec:
used to check resources. used to check resources.
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
preconditions: preconditions:
description: 'Preconditions are used to determine description: 'AnyAllConditions are used to determine
if a policy rule should be applied by evaluating if a policy rule should be applied by evaluating
a set of conditions. The declaration can contain a set of conditions. The declaration can contain
nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
@ -1796,12 +1806,17 @@ spec:
operator: operator:
description: Operator is the operation to description: Operator is the operation to
perform. Valid operators are Equals, NotEquals, perform. Valid operators are Equals, NotEquals,
In and NotIn. In, AnyIn, AllIn and NotIn, AnyNotIn,
AllNotIn.
enum: enum:
- Equals - Equals
- NotEquals - NotEquals
- In - In
- AnyIn
- AllIn
- NotIn - NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals - GreaterThanOrEquals
- GreaterThan - GreaterThan
- LessThanOrEquals - LessThanOrEquals
@ -1837,12 +1852,17 @@ spec:
operator: operator:
description: Operator is the operation to description: Operator is the operation to
perform. Valid operators are Equals, NotEquals, perform. Valid operators are Equals, NotEquals,
In and NotIn. In, AnyIn, AllIn and NotIn, AnyNotIn,
AllNotIn.
enum: enum:
- Equals - Equals
- NotEquals - NotEquals
- In - In
- AnyIn
- AllIn
- NotIn - NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals - GreaterThanOrEquals
- GreaterThan - GreaterThan
- LessThanOrEquals - LessThanOrEquals
@ -1900,7 +1920,7 @@ spec:
the attestation check is satisfied as long there the attestation check is satisfied as long there
are predicates that match the predicate type. are predicates that match the predicate type.
items: items:
description: AnyAllCondition consists of conditions description: AnyAllConditions consists of conditions
wrapped denoting a logical criteria to be fulfilled. wrapped denoting a logical criteria to be fulfilled.
AnyConditions get fulfilled when at least one AnyConditions get fulfilled when at least one
of its sub-conditions passes. AllConditions of its sub-conditions passes. AllConditions
@ -1926,12 +1946,17 @@ spec:
operator: operator:
description: Operator is the operation description: Operator is the operation
to perform. Valid operators are Equals, to perform. Valid operators are Equals,
NotEquals, In and NotIn. NotEquals, In, AnyIn, AllIn and NotIn,
AnyNotIn, AllNotIn.
enum: enum:
- Equals - Equals
- NotEquals - NotEquals
- In - In
- AnyIn
- AllIn
- NotIn - NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals - GreaterThanOrEquals
- GreaterThan - GreaterThan
- LessThanOrEquals - LessThanOrEquals
@ -1968,12 +1993,17 @@ spec:
operator: operator:
description: Operator is the operation description: Operator is the operation
to perform. Valid operators are Equals, to perform. Valid operators are Equals,
NotEquals, In and NotIn. NotEquals, In, AnyIn, AllIn and NotIn,
AnyNotIn, AllNotIn.
enum: enum:
- Equals - Equals
- NotEquals - NotEquals
- In - In
- AnyIn
- AllIn
- NotIn - NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals - GreaterThanOrEquals
- GreaterThan - GreaterThan
- LessThanOrEquals - LessThanOrEquals
@ -2014,6 +2044,14 @@ spec:
specified Repository will override the default OCI image specified Repository will override the default OCI image
repository configured for the installation. repository configured for the installation.
type: string type: string
roots:
description: Roots is the PEM encoded Root certificate
chain used for keyless signing
type: string
subject:
description: Subject is the verified identity used for
keyless signing, for example the email address
type: string
type: object type: object
type: array type: array
type: object type: object
@ -3494,6 +3532,8 @@ spec:
description: Context ... description: Context ...
properties: properties:
admissionRequestInfo: admissionRequestInfo:
description: AdmissionRequestInfoObject stores the admission request
and operation details
properties: properties:
admissionRequest: admissionRequest:
type: string type: string
@ -3767,7 +3807,7 @@ spec:
description: All allows specifying resources which will description: All allows specifying resources which will
be ANDed be ANDed
items: items:
description: ResourceFilters allow users to "AND" or "OR" description: ResourceFilter allow users to "AND" or "OR"
between resources between resources
properties: properties:
clusterRoles: clusterRoles:
@ -3982,7 +4022,7 @@ spec:
description: Any allows specifying resources which will description: Any allows specifying resources which will
be ORed be ORed
items: items:
description: ResourceFilters allow users to "AND" or "OR" description: ResourceFilter allow users to "AND" or "OR"
between resources between resources
properties: properties:
clusterRoles: clusterRoles:
@ -4442,7 +4482,7 @@ spec:
description: All allows specifying resources which will description: All allows specifying resources which will
be ANDed be ANDed
items: items:
description: ResourceFilters allow users to "AND" or "OR" description: ResourceFilter allow users to "AND" or "OR"
between resources between resources
properties: properties:
clusterRoles: clusterRoles:
@ -4657,7 +4697,7 @@ spec:
description: Any allows specifying resources which will description: Any allows specifying resources which will
be ORed be ORed
items: items:
description: ResourceFilters allow users to "AND" or "OR" description: ResourceFilter allow users to "AND" or "OR"
between resources between resources
properties: properties:
clusterRoles: clusterRoles:
@ -5068,11 +5108,11 @@ spec:
description: Mutation is used to modify matching resources. description: Mutation is used to modify matching resources.
properties: properties:
foreach: foreach:
description: ForEach applies policy rule changes to nested description: ForEachMutation applies policy rule changes
elements. to nested elements.
items: items:
description: ForEach applies policy rule changes to nested description: ForEachMutation applies policy rule changes
elements. to nested elements.
properties: properties:
context: context:
description: Context defines variables and data sources description: Context defines variables and data sources
@ -5137,7 +5177,7 @@ spec:
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
preconditions: preconditions:
description: 'Preconditions are used to determine description: 'AnyAllConditions are used to determine
if a policy rule should be applied by evaluating if a policy rule should be applied by evaluating
a set of conditions. The declaration can contain a set of conditions. The declaration can contain
nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
@ -5160,12 +5200,17 @@ spec:
operator: operator:
description: Operator is the operation to description: Operator is the operation to
perform. Valid operators are Equals, NotEquals, perform. Valid operators are Equals, NotEquals,
In and NotIn. In, AnyIn, AllIn and NotIn, AnyNotIn,
AllNotIn.
enum: enum:
- Equals - Equals
- NotEquals - NotEquals
- In - In
- AnyIn
- AllIn
- NotIn - NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals - GreaterThanOrEquals
- GreaterThan - GreaterThan
- LessThanOrEquals - LessThanOrEquals
@ -5201,12 +5246,17 @@ spec:
operator: operator:
description: Operator is the operation to description: Operator is the operation to
perform. Valid operators are Equals, NotEquals, perform. Valid operators are Equals, NotEquals,
In and NotIn. In, AnyIn, AllIn and NotIn, AnyNotIn,
AllNotIn.
enum: enum:
- Equals - Equals
- NotEquals - NotEquals
- In - In
- AnyIn
- AllIn
- NotIn - NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals - GreaterThanOrEquals
- GreaterThan - GreaterThan
- LessThanOrEquals - LessThanOrEquals
@ -5302,8 +5352,8 @@ spec:
description: ForEach applies policy rule changes to nested description: ForEach applies policy rule changes to nested
elements. elements.
items: items:
description: ForEach applies policy rule checks to nested description: ForEachValidation applies policy rule checks
elements. to nested elements.
properties: properties:
anyPattern: anyPattern:
description: AnyPattern specifies list of validation description: AnyPattern specifies list of validation
@ -5385,7 +5435,7 @@ spec:
used to check resources. used to check resources.
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
preconditions: preconditions:
description: 'Preconditions are used to determine description: 'AnyAllConditions are used to determine
if a policy rule should be applied by evaluating if a policy rule should be applied by evaluating
a set of conditions. The declaration can contain a set of conditions. The declaration can contain
nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
@ -5408,12 +5458,17 @@ spec:
operator: operator:
description: Operator is the operation to description: Operator is the operation to
perform. Valid operators are Equals, NotEquals, perform. Valid operators are Equals, NotEquals,
In and NotIn. In, AnyIn, AllIn and NotIn, AnyNotIn,
AllNotIn.
enum: enum:
- Equals - Equals
- NotEquals - NotEquals
- In - In
- AnyIn
- AllIn
- NotIn - NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals - GreaterThanOrEquals
- GreaterThan - GreaterThan
- LessThanOrEquals - LessThanOrEquals
@ -5449,12 +5504,17 @@ spec:
operator: operator:
description: Operator is the operation to description: Operator is the operation to
perform. Valid operators are Equals, NotEquals, perform. Valid operators are Equals, NotEquals,
In and NotIn. In, AnyIn, AllIn and NotIn, AnyNotIn,
AllNotIn.
enum: enum:
- Equals - Equals
- NotEquals - NotEquals
- In - In
- AnyIn
- AllIn
- NotIn - NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals - GreaterThanOrEquals
- GreaterThan - GreaterThan
- LessThanOrEquals - LessThanOrEquals
@ -5512,7 +5572,7 @@ spec:
the attestation check is satisfied as long there the attestation check is satisfied as long there
are predicates that match the predicate type. are predicates that match the predicate type.
items: items:
description: AnyAllCondition consists of conditions description: AnyAllConditions consists of conditions
wrapped denoting a logical criteria to be fulfilled. wrapped denoting a logical criteria to be fulfilled.
AnyConditions get fulfilled when at least one AnyConditions get fulfilled when at least one
of its sub-conditions passes. AllConditions of its sub-conditions passes. AllConditions
@ -5538,12 +5598,17 @@ spec:
operator: operator:
description: Operator is the operation description: Operator is the operation
to perform. Valid operators are Equals, to perform. Valid operators are Equals,
NotEquals, In and NotIn. NotEquals, In, AnyIn, AllIn and NotIn,
AnyNotIn, AllNotIn.
enum: enum:
- Equals - Equals
- NotEquals - NotEquals
- In - In
- AnyIn
- AllIn
- NotIn - NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals - GreaterThanOrEquals
- GreaterThan - GreaterThan
- LessThanOrEquals - LessThanOrEquals
@ -5580,12 +5645,17 @@ spec:
operator: operator:
description: Operator is the operation description: Operator is the operation
to perform. Valid operators are Equals, to perform. Valid operators are Equals,
NotEquals, In and NotIn. NotEquals, In, AnyIn, AllIn and NotIn,
AnyNotIn, AllNotIn.
enum: enum:
- Equals - Equals
- NotEquals - NotEquals
- In - In
- AnyIn
- AllIn
- NotIn - NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals - GreaterThanOrEquals
- GreaterThan - GreaterThan
- LessThanOrEquals - LessThanOrEquals
@ -5626,6 +5696,14 @@ spec:
specified Repository will override the default OCI image specified Repository will override the default OCI image
repository configured for the installation. repository configured for the installation.
type: string type: string
roots:
description: Roots is the PEM encoded Root certificate
chain used for keyless signing
type: string
subject:
description: Subject is the verified identity used for
keyless signing, for example the email address
type: string
type: object type: object
type: array type: array
type: object type: object


@ -142,7 +142,7 @@ spec:
description: All allows specifying resources which will description: All allows specifying resources which will
be ANDed be ANDed
items: items:
description: ResourceFilters allow users to "AND" or "OR" description: ResourceFilter allow users to "AND" or "OR"
between resources between resources
properties: properties:
clusterRoles: clusterRoles:
@ -357,7 +357,7 @@ spec:
description: Any allows specifying resources which will description: Any allows specifying resources which will
be ORed be ORed
items: items:
description: ResourceFilters allow users to "AND" or "OR" description: ResourceFilter allow users to "AND" or "OR"
between resources between resources
properties: properties:
clusterRoles: clusterRoles:
@ -817,7 +817,7 @@ spec:
description: All allows specifying resources which will description: All allows specifying resources which will
be ANDed be ANDed
items: items:
description: ResourceFilters allow users to "AND" or "OR" description: ResourceFilter allow users to "AND" or "OR"
between resources between resources
properties: properties:
clusterRoles: clusterRoles:
@ -1032,7 +1032,7 @@ spec:
description: Any allows specifying resources which will description: Any allows specifying resources which will
be ORed be ORed
items: items:
description: ResourceFilters allow users to "AND" or "OR" description: ResourceFilter allow users to "AND" or "OR"
between resources between resources
properties: properties:
clusterRoles: clusterRoles:
@ -1443,11 +1443,11 @@ spec:
description: Mutation is used to modify matching resources. description: Mutation is used to modify matching resources.
properties: properties:
foreach: foreach:
description: ForEach applies policy rule changes to nested description: ForEachMutation applies policy rule changes
elements. to nested elements.
items: items:
description: ForEach applies policy rule changes to nested description: ForEachMutation applies policy rule changes
elements. to nested elements.
properties: properties:
context: context:
description: Context defines variables and data sources description: Context defines variables and data sources
@ -1512,7 +1512,7 @@ spec:
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
preconditions: preconditions:
description: 'Preconditions are used to determine description: 'AnyAllConditions are used to determine
if a policy rule should be applied by evaluating if a policy rule should be applied by evaluating
a set of conditions. The declaration can contain a set of conditions. The declaration can contain
nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
@ -1535,12 +1535,17 @@ spec:
operator: operator:
description: Operator is the operation to description: Operator is the operation to
perform. Valid operators are Equals, NotEquals, perform. Valid operators are Equals, NotEquals,
In and NotIn. In, AnyIn, AllIn and NotIn, AnyNotIn,
AllNotIn.
enum: enum:
- Equals - Equals
- NotEquals - NotEquals
- In - In
- AnyIn
- AllIn
- NotIn - NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals - GreaterThanOrEquals
- GreaterThan - GreaterThan
- LessThanOrEquals - LessThanOrEquals
@ -1576,12 +1581,17 @@ spec:
operator: operator:
description: Operator is the operation to description: Operator is the operation to
perform. Valid operators are Equals, NotEquals, perform. Valid operators are Equals, NotEquals,
In and NotIn. In, AnyIn, AllIn and NotIn, AnyNotIn,
AllNotIn.
enum: enum:
- Equals - Equals
- NotEquals - NotEquals
- In - In
- AnyIn
- AllIn
- NotIn - NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals - GreaterThanOrEquals
- GreaterThan - GreaterThan
- LessThanOrEquals - LessThanOrEquals
@ -1677,8 +1687,8 @@ spec:
description: ForEach applies policy rule changes to nested description: ForEach applies policy rule changes to nested
elements. elements.
items: items:
description: ForEach applies policy rule checks to nested description: ForEachValidation applies policy rule checks
elements. to nested elements.
properties: properties:
anyPattern: anyPattern:
description: AnyPattern specifies list of validation description: AnyPattern specifies list of validation
@ -1760,7 +1770,7 @@ spec:
used to check resources. used to check resources.
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
preconditions: preconditions:
description: 'Preconditions are used to determine description: 'AnyAllConditions are used to determine
if a policy rule should be applied by evaluating if a policy rule should be applied by evaluating
a set of conditions. The declaration can contain a set of conditions. The declaration can contain
nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
@ -1783,12 +1793,17 @@ spec:
operator: operator:
description: Operator is the operation to description: Operator is the operation to
perform. Valid operators are Equals, NotEquals, perform. Valid operators are Equals, NotEquals,
In and NotIn. In, AnyIn, AllIn and NotIn, AnyNotIn,
AllNotIn.
enum: enum:
- Equals - Equals
- NotEquals - NotEquals
- In - In
- AnyIn
- AllIn
- NotIn - NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals - GreaterThanOrEquals
- GreaterThan - GreaterThan
- LessThanOrEquals - LessThanOrEquals
@ -1824,12 +1839,17 @@ spec:
operator: operator:
description: Operator is the operation to description: Operator is the operation to
perform. Valid operators are Equals, NotEquals, perform. Valid operators are Equals, NotEquals,
In and NotIn. In, AnyIn, AllIn and NotIn, AnyNotIn,
AllNotIn.
enum: enum:
- Equals - Equals
- NotEquals - NotEquals
- In - In
- AnyIn
- AllIn
- NotIn - NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals - GreaterThanOrEquals
- GreaterThan - GreaterThan
- LessThanOrEquals - LessThanOrEquals
@ -1887,7 +1907,7 @@ spec:
the attestation check is satisfied as long there the attestation check is satisfied as long there
are predicates that match the predicate type. are predicates that match the predicate type.
items: items:
description: AnyAllCondition consists of conditions description: AnyAllConditions consists of conditions
wrapped denoting a logical criteria to be fulfilled. wrapped denoting a logical criteria to be fulfilled.
AnyConditions get fulfilled when at least one AnyConditions get fulfilled when at least one
of its sub-conditions passes. AllConditions of its sub-conditions passes. AllConditions
@ -1913,12 +1933,17 @@ spec:
operator: operator:
description: Operator is the operation description: Operator is the operation
to perform. Valid operators are Equals, to perform. Valid operators are Equals,
NotEquals, In and NotIn. NotEquals, In, AnyIn, AllIn and NotIn,
AnyNotIn, AllNotIn.
enum: enum:
- Equals - Equals
- NotEquals - NotEquals
- In - In
- AnyIn
- AllIn
- NotIn - NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals - GreaterThanOrEquals
- GreaterThan - GreaterThan
- LessThanOrEquals - LessThanOrEquals
@ -1955,12 +1980,17 @@ spec:
operator: operator:
description: Operator is the operation description: Operator is the operation
to perform. Valid operators are Equals, to perform. Valid operators are Equals,
NotEquals, In and NotIn. NotEquals, In, AnyIn, AllIn and NotIn,
AnyNotIn, AllNotIn.
enum: enum:
- Equals - Equals
- NotEquals - NotEquals
- In - In
- AnyIn
- AllIn
- NotIn - NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals - GreaterThanOrEquals
- GreaterThan - GreaterThan
- LessThanOrEquals - LessThanOrEquals
@ -2001,6 +2031,14 @@ spec:
specified Repository will override the default OCI image specified Repository will override the default OCI image
repository configured for the installation. repository configured for the installation.
type: string type: string
roots:
description: Roots is the PEM encoded Root certificate
chain used for keyless signing
type: string
subject:
description: Subject is the verified identity used for
keyless signing, for example the email address
type: string
type: object type: object
type: array type: array
type: object type: object
@ -3460,6 +3498,8 @@ spec:
description: Context ... description: Context ...
properties: properties:
admissionRequestInfo: admissionRequestInfo:
description: AdmissionRequestInfoObject stores the admission request
and operation details
properties: properties:
admissionRequest: admissionRequest:
type: string type: string
@ -3726,7 +3766,7 @@ spec:
description: All allows specifying resources which will description: All allows specifying resources which will
be ANDed be ANDed
items: items:
description: ResourceFilters allow users to "AND" or "OR" description: ResourceFilter allow users to "AND" or "OR"
between resources between resources
properties: properties:
clusterRoles: clusterRoles:
@ -3941,7 +3981,7 @@ spec:
description: Any allows specifying resources which will description: Any allows specifying resources which will
be ORed be ORed
items: items:
description: ResourceFilters allow users to "AND" or "OR" description: ResourceFilter allow users to "AND" or "OR"
between resources between resources
properties: properties:
clusterRoles: clusterRoles:
@ -4401,7 +4441,7 @@ spec:
description: All allows specifying resources which will description: All allows specifying resources which will
be ANDed be ANDed
items: items:
description: ResourceFilters allow users to "AND" or "OR" description: ResourceFilter allow users to "AND" or "OR"
between resources between resources
properties: properties:
clusterRoles: clusterRoles:
@ -4616,7 +4656,7 @@ spec:
description: Any allows specifying resources which will description: Any allows specifying resources which will
be ORed be ORed
items: items:
description: ResourceFilters allow users to "AND" or "OR" description: ResourceFilter allow users to "AND" or "OR"
between resources between resources
properties: properties:
clusterRoles: clusterRoles:
@ -5027,11 +5067,11 @@ spec:
description: Mutation is used to modify matching resources. description: Mutation is used to modify matching resources.
properties: properties:
foreach: foreach:
description: ForEach applies policy rule changes to nested description: ForEachMutation applies policy rule changes
elements. to nested elements.
items: items:
description: ForEach applies policy rule changes to nested description: ForEachMutation applies policy rule changes
elements. to nested elements.
properties: properties:
context: context:
description: Context defines variables and data sources description: Context defines variables and data sources
@ -5096,7 +5136,7 @@ spec:
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
preconditions: preconditions:
description: 'Preconditions are used to determine description: 'AnyAllConditions are used to determine
if a policy rule should be applied by evaluating if a policy rule should be applied by evaluating
a set of conditions. The declaration can contain a set of conditions. The declaration can contain
nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
@ -5119,12 +5159,17 @@ spec:
operator: operator:
description: Operator is the operation to description: Operator is the operation to
perform. Valid operators are Equals, NotEquals, perform. Valid operators are Equals, NotEquals,
In and NotIn. In, AnyIn, AllIn and NotIn, AnyNotIn,
AllNotIn.
enum: enum:
- Equals - Equals
- NotEquals - NotEquals
- In - In
- AnyIn
- AllIn
- NotIn - NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals - GreaterThanOrEquals
- GreaterThan - GreaterThan
- LessThanOrEquals - LessThanOrEquals
@ -5160,12 +5205,17 @@ spec:
operator: operator:
description: Operator is the operation to description: Operator is the operation to
perform. Valid operators are Equals, NotEquals, perform. Valid operators are Equals, NotEquals,
In and NotIn. In, AnyIn, AllIn and NotIn, AnyNotIn,
AllNotIn.
enum: enum:
- Equals - Equals
- NotEquals - NotEquals
- In - In
- AnyIn
- AllIn
- NotIn - NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals - GreaterThanOrEquals
- GreaterThan - GreaterThan
- LessThanOrEquals - LessThanOrEquals
@ -5261,8 +5311,8 @@ spec:
description: ForEach applies policy rule changes to nested description: ForEach applies policy rule changes to nested
elements. elements.
items: items:
description: ForEach applies policy rule checks to nested description: ForEachValidation applies policy rule checks
elements. to nested elements.
properties: properties:
anyPattern: anyPattern:
description: AnyPattern specifies list of validation description: AnyPattern specifies list of validation
@ -5344,7 +5394,7 @@ spec:
used to check resources. used to check resources.
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
preconditions: preconditions:
description: 'Preconditions are used to determine description: 'AnyAllConditions are used to determine
if a policy rule should be applied by evaluating if a policy rule should be applied by evaluating
a set of conditions. The declaration can contain a set of conditions. The declaration can contain
nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
@ -5367,12 +5417,17 @@ spec:
operator: operator:
description: Operator is the operation to description: Operator is the operation to
perform. Valid operators are Equals, NotEquals, perform. Valid operators are Equals, NotEquals,
In and NotIn. In, AnyIn, AllIn and NotIn, AnyNotIn,
AllNotIn.
enum: enum:
- Equals - Equals
- NotEquals - NotEquals
- In - In
- AnyIn
- AllIn
- NotIn - NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals - GreaterThanOrEquals
- GreaterThan - GreaterThan
- LessThanOrEquals - LessThanOrEquals
@ -5408,12 +5463,17 @@ spec:
operator: operator:
description: Operator is the operation to description: Operator is the operation to
perform. Valid operators are Equals, NotEquals, perform. Valid operators are Equals, NotEquals,
In and NotIn. In, AnyIn, AllIn and NotIn, AnyNotIn,
AllNotIn.
enum: enum:
- Equals - Equals
- NotEquals - NotEquals
- In - In
- AnyIn
- AllIn
- NotIn - NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals - GreaterThanOrEquals
- GreaterThan - GreaterThan
- LessThanOrEquals - LessThanOrEquals
@ -5471,7 +5531,7 @@ spec:
the attestation check is satisfied as long there the attestation check is satisfied as long there
are predicates that match the predicate type. are predicates that match the predicate type.
items: items:
description: AnyAllCondition consists of conditions description: AnyAllConditions consists of conditions
wrapped denoting a logical criteria to be fulfilled. wrapped denoting a logical criteria to be fulfilled.
AnyConditions get fulfilled when at least one AnyConditions get fulfilled when at least one
of its sub-conditions passes. AllConditions of its sub-conditions passes. AllConditions
@ -5497,12 +5557,17 @@ spec:
operator: operator:
description: Operator is the operation description: Operator is the operation
to perform. Valid operators are Equals, to perform. Valid operators are Equals,
NotEquals, In and NotIn. NotEquals, In, AnyIn, AllIn and NotIn,
AnyNotIn, AllNotIn.
enum: enum:
- Equals - Equals
- NotEquals - NotEquals
- In - In
- AnyIn
- AllIn
- NotIn - NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals - GreaterThanOrEquals
- GreaterThan - GreaterThan
- LessThanOrEquals - LessThanOrEquals
@ -5539,12 +5604,17 @@ spec:
operator: operator:
description: Operator is the operation description: Operator is the operation
to perform. Valid operators are Equals, to perform. Valid operators are Equals,
NotEquals, In and NotIn. NotEquals, In, AnyIn, AllIn and NotIn,
AnyNotIn, AllNotIn.
enum: enum:
- Equals - Equals
- NotEquals - NotEquals
- In - In
- AnyIn
- AllIn
- NotIn - NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals - GreaterThanOrEquals
- GreaterThan - GreaterThan
- LessThanOrEquals - LessThanOrEquals
@ -5585,6 +5655,14 @@ spec:
specified Repository will override the default OCI image specified Repository will override the default OCI image
repository configured for the installation. repository configured for the installation.
type: string type: string
roots:
description: Roots is the PEM encoded Root certificate
chain used for keyless signing
type: string
subject:
description: Subject is the verified identity used for
keyless signing, for example the email address
type: string
type: object type: object
type: array type: array
type: object type: object

4
go.mod

@ -32,8 +32,8 @@ require (
github.com/pkg/errors v0.9.1 github.com/pkg/errors v0.9.1
github.com/prometheus/client_golang v1.11.0 github.com/prometheus/client_golang v1.11.0
github.com/robfig/cron/v3 v3.0.1 github.com/robfig/cron/v3 v3.0.1
github.com/sigstore/cosign v1.2.2-0.20211026212745-19fce8415194 github.com/sigstore/cosign v1.3.0
github.com/sigstore/sigstore v0.0.0-20211005102407-3ab959fb2809 github.com/sigstore/sigstore v1.0.0
github.com/spf13/cobra v1.2.1 github.com/spf13/cobra v1.2.1
github.com/stretchr/testify v1.7.0 github.com/stretchr/testify v1.7.0
github.com/xanzy/ssh-agent v0.3.0 // indirect github.com/xanzy/ssh-agent v0.3.0 // indirect

48
go.sum

@ -1,6 +1,7 @@
bazil.org/fuse v0.0.0-20160811212531-371fbbdaa898/go.mod h1:Xbm+BRKSBEpa4q4hTSxohYNQpsxXPbPry4JJWOB3LB8= bazil.org/fuse v0.0.0-20160811212531-371fbbdaa898/go.mod h1:Xbm+BRKSBEpa4q4hTSxohYNQpsxXPbPry4JJWOB3LB8=
bazil.org/fuse v0.0.0-20180421153158-65cc252bf669/go.mod h1:Xbm+BRKSBEpa4q4hTSxohYNQpsxXPbPry4JJWOB3LB8= bazil.org/fuse v0.0.0-20180421153158-65cc252bf669/go.mod h1:Xbm+BRKSBEpa4q4hTSxohYNQpsxXPbPry4JJWOB3LB8=
bitbucket.org/creachadair/shell v0.0.6/go.mod h1:8Qqi/cYk7vPnsOePHroKXDJYmb5x7ENhtiFtfZq8K+M= bitbucket.org/creachadair/shell v0.0.6/go.mod h1:8Qqi/cYk7vPnsOePHroKXDJYmb5x7ENhtiFtfZq8K+M=
bou.ke/monkey v1.0.2/go.mod h1:OqickVX3tNx6t33n1xvtTtu85YN5s6cKwVug+oHMaIA=
cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
@ -309,6 +310,7 @@ github.com/cenkalti/backoff/v3 v3.0.0 h1:ske+9nBpD9qZsTBoF41nW5L+AIuFBKMeze18XQ3
github.com/cenkalti/backoff/v3 v3.0.0/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs= github.com/cenkalti/backoff/v3 v3.0.0/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs=
github.com/census-instrumentation/opencensus-proto v0.2.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/census-instrumentation/opencensus-proto v0.2.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
github.com/census-instrumentation/opencensus-proto v0.3.0 h1:t/LhUZLVitR1Ow2YOnduCsavhwFUklBMoGVYUCqmCqk=
github.com/census-instrumentation/opencensus-proto v0.3.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/census-instrumentation/opencensus-proto v0.3.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
github.com/certifi/gocertifi v0.0.0-20191021191039-0944d244cd40/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA= github.com/certifi/gocertifi v0.0.0-20191021191039-0944d244cd40/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA=
github.com/certifi/gocertifi v0.0.0-20200922220541-2c3bb06c6054/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA= github.com/certifi/gocertifi v0.0.0-20200922220541-2c3bb06c6054/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA=
@ -333,9 +335,11 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4 h1:hzAQntlaYRkVSFEfj9OTWlVV1H155FMD8BTKktLv0QI=
github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI= github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84 h1:FVNvmN/CMjk4idVJRMfH/9naYjEwakhKo8Ho8z5JGXI=
github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ= github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ=
github.com/cockroachdb/apd/v2 v2.0.1/go.mod h1:DDxRlzC2lo3/vSlmSoS7JkqbbrARPuFOGr0B9pvN3Gw= github.com/cockroachdb/apd/v2 v2.0.1/go.mod h1:DDxRlzC2lo3/vSlmSoS7JkqbbrARPuFOGr0B9pvN3Gw=
@ -443,7 +447,9 @@ github.com/coreos/etcd v3.3.17+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc
github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
github.com/coreos/go-iptables v0.4.5/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU= github.com/coreos/go-iptables v0.4.5/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU=
github.com/coreos/go-iptables v0.5.0/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU= github.com/coreos/go-iptables v0.5.0/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU=
github.com/coreos/go-oidc v2.1.0+incompatible h1:sdJrfw8akMnCuUlaZU3tE/uYXFgfqom8DBE9so9EBsM=
github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
github.com/coreos/go-oidc/v3 v3.0.0 h1:/mAA0XMgYJw2Uqm7WKGCsKnjitE/+A0FFbOmiRJm7LQ=
github.com/coreos/go-oidc/v3 v3.0.0/go.mod h1:rEJ/idjfUyfkBit1eI1fvyr+64/g9dcKpAm8MJMesvo= github.com/coreos/go-oidc/v3 v3.0.0/go.mod h1:rEJ/idjfUyfkBit1eI1fvyr+64/g9dcKpAm8MJMesvo=
github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
@ -491,7 +497,7 @@ github.com/decred/dcrd/dcrec/secp256k1/v3 v3.0.0/go.mod h1:J70FGZSbzsjecRTiTzER+
github.com/denisenkom/go-mssqldb v0.9.0/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU= github.com/denisenkom/go-mssqldb v0.9.0/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU=
github.com/denverdino/aliyungo v0.0.0-20190125010748-a747050bb1ba/go.mod h1:dV8lFg6daOBZbT6/BDGIz6Y3WFGn8juu6G+CQ6LHtl0= github.com/denverdino/aliyungo v0.0.0-20190125010748-a747050bb1ba/go.mod h1:dV8lFg6daOBZbT6/BDGIz6Y3WFGn8juu6G+CQ6LHtl0=
github.com/devigned/tab v0.1.1/go.mod h1:XG9mPq0dFghrYvoBF3xdRrJzSTX1b7IQrvaL9mzjeJY= github.com/devigned/tab v0.1.1/go.mod h1:XG9mPq0dFghrYvoBF3xdRrJzSTX1b7IQrvaL9mzjeJY=
github.com/dgraph-io/badger/v3 v3.2103.1/go.mod h1:dULbq6ehJ5K0cGW/1TQ9iSfUk0gbSiToDWmWmTsJ53E= github.com/dgraph-io/badger/v3 v3.2103.2/go.mod h1:RHo4/GmYcKKh5Lxu63wLEMHJ70Pac2JqZRYGhlyAo2M=
github.com/dgraph-io/ristretto v0.1.0/go.mod h1:fux0lOrBhrVCJd3lcTHsIJhq1T2rokOu6v9Vcb3Q9ug= github.com/dgraph-io/ristretto v0.1.0/go.mod h1:fux0lOrBhrVCJd3lcTHsIJhq1T2rokOu6v9Vcb3Q9ug=
github.com/dgrijalva/jwt-go v0.0.0-20170104182250-a601269ab70c/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= github.com/dgrijalva/jwt-go v0.0.0-20170104182250-a601269ab70c/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
@ -555,9 +561,11 @@ github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5y
github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ= github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ=
github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021 h1:fP+fF0up6oPY49OrjPrhIJ8yQfdIM85NXMLkMg1EXVs=
github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0=
github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
github.com/envoyproxy/protoc-gen-validate v0.3.0-java/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/envoyproxy/protoc-gen-validate v0.3.0-java/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
github.com/envoyproxy/protoc-gen-validate v0.6.1 h1:4CF52PCseTFt4bE+Yk3dIpdVi7XWuPVMhPtm4FaIJPM=
github.com/envoyproxy/protoc-gen-validate v0.6.1/go.mod h1:txg5va2Qkip90uYoSKH+nkAAmXrb2j3iq4FLwdrCbXQ= github.com/envoyproxy/protoc-gen-validate v0.6.1/go.mod h1:txg5va2Qkip90uYoSKH+nkAAmXrb2j3iq4FLwdrCbXQ=
github.com/etcd-io/gofail v0.0.0-20190801230047-ad7f989257ca/go.mod h1:49H/RkXP8pKaZy4h0d+NW16rSLhyVBt4o6VLJbmOqDE= github.com/etcd-io/gofail v0.0.0-20190801230047-ad7f989257ca/go.mod h1:49H/RkXP8pKaZy4h0d+NW16rSLhyVBt4o6VLJbmOqDE=
github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ= github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ=
@ -721,8 +729,8 @@ github.com/go-openapi/strfmt v0.19.11/go.mod h1:UukAYgTaQfqJuAFlNxxMWNvMYiwiXtLs
github.com/go-openapi/strfmt v0.20.0/go.mod h1:UukAYgTaQfqJuAFlNxxMWNvMYiwiXtLsF2VwmoFtbtc= github.com/go-openapi/strfmt v0.20.0/go.mod h1:UukAYgTaQfqJuAFlNxxMWNvMYiwiXtLsF2VwmoFtbtc=
github.com/go-openapi/strfmt v0.20.1/go.mod h1:43urheQI9dNtE5lTZQfuFJvjYJKPrxicATpEfZwHUNk= github.com/go-openapi/strfmt v0.20.1/go.mod h1:43urheQI9dNtE5lTZQfuFJvjYJKPrxicATpEfZwHUNk=
github.com/go-openapi/strfmt v0.20.2/go.mod h1:43urheQI9dNtE5lTZQfuFJvjYJKPrxicATpEfZwHUNk= github.com/go-openapi/strfmt v0.20.2/go.mod h1:43urheQI9dNtE5lTZQfuFJvjYJKPrxicATpEfZwHUNk=
github.com/go-openapi/strfmt v0.20.3 h1:YVG4ZgPZ00km/lRHrIf7c6cKL5/4FAUtG2T9RxWAgDY= github.com/go-openapi/strfmt v0.21.0 h1:hX2qEZKmYks+t0hKeb4VTJpUm2UYsdL3+DCid5swxIs=
github.com/go-openapi/strfmt v0.20.3/go.mod h1:43urheQI9dNtE5lTZQfuFJvjYJKPrxicATpEfZwHUNk= github.com/go-openapi/strfmt v0.21.0/go.mod h1:ZRQ409bWMj+SOgXofQAGTIo2Ebu72Gs+WaRADcS5iNg=
github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I= github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I=
github.com/go-openapi/swag v0.17.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg= github.com/go-openapi/swag v0.17.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg=
github.com/go-openapi/swag v0.18.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg= github.com/go-openapi/swag v0.18.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg=
@ -757,6 +765,7 @@ github.com/go-playground/validator v9.31.0+incompatible h1:UA72EPEogEnq76ehGdEDp
github.com/go-playground/validator v9.31.0+incompatible/go.mod h1:yrEkQXlcI+PugkyDjY2bRrL/UBU4f3rvrgkN3V8JEig= github.com/go-playground/validator v9.31.0+incompatible/go.mod h1:yrEkQXlcI+PugkyDjY2bRrL/UBU4f3rvrgkN3V8JEig=
github.com/go-playground/validator/v10 v10.2.0/go.mod h1:uOYAAleCW8F/7oMFd6aG0GOhaH6EGOAJShg8Id5JGkI= github.com/go-playground/validator/v10 v10.2.0/go.mod h1:uOYAAleCW8F/7oMFd6aG0GOhaH6EGOAJShg8Id5JGkI=
github.com/go-redis/redis v6.15.9+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA= github.com/go-redis/redis v6.15.9+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA=
github.com/go-rod/rod v0.101.8/go.mod h1:N/zlT53CfSpq74nb6rOR0K8UF0SPUPBmzBnArrms+mY=
github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
@ -880,7 +889,6 @@ github.com/google/certificate-transparency-go v1.0.21/go.mod h1:QeJfpSbVSfYc7RgB
github.com/google/certificate-transparency-go v1.1.2-0.20210422104406-9f33727a7a18/go.mod h1:6CKh9dscIRoqc2kC6YUFICHZMT9NrClyPrRVFrdw1QQ= github.com/google/certificate-transparency-go v1.1.2-0.20210422104406-9f33727a7a18/go.mod h1:6CKh9dscIRoqc2kC6YUFICHZMT9NrClyPrRVFrdw1QQ=
github.com/google/certificate-transparency-go v1.1.2-0.20210512142713-bed466244fa6/go.mod h1:aF2dp7Dh81mY8Y/zpzyXps4fQW5zQbDu2CxfpJB6NkI= github.com/google/certificate-transparency-go v1.1.2-0.20210512142713-bed466244fa6/go.mod h1:aF2dp7Dh81mY8Y/zpzyXps4fQW5zQbDu2CxfpJB6NkI=
github.com/google/certificate-transparency-go v1.1.2-0.20210728111105-5f7e9ba4be3d/go.mod h1:QlgnNWdf1mzSEE/MhazcXTm561Uf2xkqpaA3AEJbFaI= github.com/google/certificate-transparency-go v1.1.2-0.20210728111105-5f7e9ba4be3d/go.mod h1:QlgnNWdf1mzSEE/MhazcXTm561Uf2xkqpaA3AEJbFaI=
github.com/google/flatbuffers v1.12.0/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
github.com/google/flatbuffers v1.12.1/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= github.com/google/flatbuffers v1.12.1/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
@ -1160,8 +1168,9 @@ github.com/klauspost/compress v1.11.13/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdY
github.com/klauspost/compress v1.12.2/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg= github.com/klauspost/compress v1.12.2/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg=
github.com/klauspost/compress v1.12.3/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg= github.com/klauspost/compress v1.12.3/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg=
github.com/klauspost/compress v1.13.0/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg= github.com/klauspost/compress v1.13.0/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg=
github.com/klauspost/compress v1.13.5 h1:9O69jUPDcsT9fEm74W92rZL9FQY7rCdaXVneq+yyzl4=
github.com/klauspost/compress v1.13.5/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= github.com/klauspost/compress v1.13.5/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
github.com/klauspost/compress v1.13.6 h1:P76CopJELS0TiO2mebmnzgWaajssP/EszplttgQxcgc=
github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
github.com/klauspost/cpuid v1.2.3/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek= github.com/klauspost/cpuid v1.2.3/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
github.com/klauspost/cpuid v1.3.1/go.mod h1:bYW4mA6ZgKPob1/Dlai2LviZJO7KGI3uoWLd42rAQw4= github.com/klauspost/cpuid v1.3.1/go.mod h1:bYW4mA6ZgKPob1/Dlai2LviZJO7KGI3uoWLd42rAQw4=
github.com/klauspost/cpuid/v2 v2.0.4/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg= github.com/klauspost/cpuid/v2 v2.0.4/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
@ -1380,7 +1389,7 @@ github.com/onsi/gomega v1.10.3/go.mod h1:V9xEwhxec5O8UDM77eCW8vLymOMltsqPVYWrpDs
github.com/onsi/gomega v1.16.0 h1:6gjqkI8iiRHMvdccRJM8rVKjCWk6ZIm6FTm3ddIe4/c= github.com/onsi/gomega v1.16.0 h1:6gjqkI8iiRHMvdccRJM8rVKjCWk6ZIm6FTm3ddIe4/c=
github.com/onsi/gomega v1.16.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= github.com/onsi/gomega v1.16.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk= github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
github.com/open-policy-agent/opa v0.33.1/go.mod h1:Zb+IdRe0s7M++Rv/KgyuB0qvxO3CUpQ+ZW5v+w/cRUo= github.com/open-policy-agent/opa v0.34.0/go.mod h1:buysXn+6zB/b+6JgLkP4WgKZ9+UgUtFAgtemYGrL9Ik=
github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
@ -1558,6 +1567,7 @@ github.com/secure-io/sio-go v0.3.1/go.mod h1:+xbkjDzPjwh4Axd07pRKSNriS9SCiYksWnZ
github.com/secure-systems-lab/go-securesystemslib v0.1.0 h1:wZNQ7t1UTOQtDL/+PBPzxI52gLQGyC7qfXyJh6Lgf1Y= github.com/secure-systems-lab/go-securesystemslib v0.1.0 h1:wZNQ7t1UTOQtDL/+PBPzxI52gLQGyC7qfXyJh6Lgf1Y=
github.com/secure-systems-lab/go-securesystemslib v0.1.0/go.mod h1:eIjBmIP8LD2MLBL/DkQWayLiz006Q4p+hCu79rvWleY= github.com/secure-systems-lab/go-securesystemslib v0.1.0/go.mod h1:eIjBmIP8LD2MLBL/DkQWayLiz006Q4p+hCu79rvWleY=
github.com/segmentio/ksuid v1.0.3/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE= github.com/segmentio/ksuid v1.0.3/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE=
github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c=
github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE= github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE=
github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
@ -1567,15 +1577,16 @@ github.com/shibumi/go-pathspec v1.2.0 h1:KVKEDHYk7bQolRMs7nfzjT3SBOCgcXFJzccnj9b
github.com/shibumi/go-pathspec v1.2.0/go.mod h1:bDxCftD0fST3qXIlHoQ/fChsU4mWMVklXp1yPErQaaY= github.com/shibumi/go-pathspec v1.2.0/go.mod h1:bDxCftD0fST3qXIlHoQ/fChsU4mWMVklXp1yPErQaaY=
github.com/shirou/gopsutil/v3 v3.21.4/go.mod h1:ghfMypLDrFSWN2c9cDYFLHyynQ+QUht0cv/18ZqVczw= github.com/shirou/gopsutil/v3 v3.21.4/go.mod h1:ghfMypLDrFSWN2c9cDYFLHyynQ+QUht0cv/18ZqVczw=
github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
github.com/sigstore/cosign v1.2.2-0.20211026212745-19fce8415194 h1:8aJ6cKkTxHbBtuXLvrdu7oHhwDnjA45i4zOBmP0uRsg= github.com/sigstore/cosign v1.3.0 h1:FDrrxBpI/whZxgB2Fv+d0bT0bjvP0SE+Kng/wCag8Co=
github.com/sigstore/cosign v1.2.2-0.20211026212745-19fce8415194/go.mod h1:22SReYzQUATcJimnZiM5pAJvhNgsyObf0GCyh2kx86o= github.com/sigstore/cosign v1.3.0/go.mod h1:Fs3y5LJ2GwoiNq8HSLXmd/A834lRSzACoDhpMvCVwpg=
github.com/sigstore/fulcio v0.1.2-0.20210831152525-42f7422734bb h1:smRYK5Ii+6MzPPz6yisB65v2Pam5oHPOTLDlxyM3qYY= github.com/sigstore/fulcio v0.1.2-0.20210831152525-42f7422734bb h1:smRYK5Ii+6MzPPz6yisB65v2Pam5oHPOTLDlxyM3qYY=
github.com/sigstore/fulcio v0.1.2-0.20210831152525-42f7422734bb/go.mod h1:LznI5ABAkquvZrJ1PQaGCgspMfw2CB6ODBCQyhU3Q0w= github.com/sigstore/fulcio v0.1.2-0.20210831152525-42f7422734bb/go.mod h1:LznI5ABAkquvZrJ1PQaGCgspMfw2CB6ODBCQyhU3Q0w=
github.com/sigstore/rekor v0.3.0 h1:OBEvo/Rv8NKKtiWq0WRHgXFpVPe1fGiqz93dfBh/Myo= github.com/sigstore/rekor v0.3.0 h1:OBEvo/Rv8NKKtiWq0WRHgXFpVPe1fGiqz93dfBh/Myo=
github.com/sigstore/rekor v0.3.0/go.mod h1:cL9B3+/gp3BG+/bhkSHBA3MQZMten5xM6BhJYd5b5zU= github.com/sigstore/rekor v0.3.0/go.mod h1:cL9B3+/gp3BG+/bhkSHBA3MQZMten5xM6BhJYd5b5zU=
github.com/sigstore/sigstore v0.0.0-20210713222344-1fee53516622/go.mod h1:aOSeNrlcHsfUD8Q1hwWd8KloNqBnxEZlu4k47cFg5rg= github.com/sigstore/sigstore v0.0.0-20210713222344-1fee53516622/go.mod h1:aOSeNrlcHsfUD8Q1hwWd8KloNqBnxEZlu4k47cFg5rg=
github.com/sigstore/sigstore v0.0.0-20211005102407-3ab959fb2809 h1:TOJFXiYjA1ZNQersM/yPDvQV03kco9xFxw9r1LRuJ2Y=
github.com/sigstore/sigstore v0.0.0-20211005102407-3ab959fb2809/go.mod h1:5ZdSfwXq/9WSzar9eVfYWXqK7hvdPhnwbr1UcSCe3o0= github.com/sigstore/sigstore v0.0.0-20211005102407-3ab959fb2809/go.mod h1:5ZdSfwXq/9WSzar9eVfYWXqK7hvdPhnwbr1UcSCe3o0=
github.com/sigstore/sigstore v1.0.0 h1:yQUDL9euUBOL2eVrlTtLW5kNtt5YdGrLElf+PFE7P4A=
github.com/sigstore/sigstore v1.0.0/go.mod h1:IVOe2lNKO5KEEj6GW58CnpwqcFQ8H+2RZQCKDwphta8=
github.com/sirupsen/logrus v1.0.4-0.20170822132746-89742aefa4b2/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc= github.com/sirupsen/logrus v1.0.4-0.20170822132746-89742aefa4b2/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
github.com/sirupsen/logrus v1.0.6/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc= github.com/sirupsen/logrus v1.0.6/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
@ -1587,6 +1598,7 @@ github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic
github.com/sirupsen/logrus v1.8.0/go.mod h1:4GuYW9TZmE769R5STWrRakJc4UqQ3+QQ95fyz7ENv1A= github.com/sirupsen/logrus v1.8.0/go.mod h1:4GuYW9TZmE769R5STWrRakJc4UqQ3+QQ95fyz7ENv1A=
github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE= github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=
github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EEf9cgbU6AtGPK4CTG3Zf6CKMNqf0MHTggAUA=
github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog= github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog=
github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
github.com/smartystreets/assertions v1.0.0/go.mod h1:kHHU4qYBaI3q23Pp3VPrmWhuIUrLW/7eUrw0BU5VaoM= github.com/smartystreets/assertions v1.0.0/go.mod h1:kHHU4qYBaI3q23Pp3VPrmWhuIUrLW/7eUrw0BU5VaoM=
@ -1745,6 +1757,11 @@ github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca/go.mod h1:ce1O1j6Ut
github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
github.com/yashtewari/glob-intersection v0.0.0-20180916065949-5c77d914dd0b/go.mod h1:HptNXiXVDcJjXe9SqMd0v2FsL9f8dz4GnXgltU6q/co= github.com/yashtewari/glob-intersection v0.0.0-20180916065949-5c77d914dd0b/go.mod h1:HptNXiXVDcJjXe9SqMd0v2FsL9f8dz4GnXgltU6q/co=
github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA= github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA=
github.com/ysmood/goob v0.3.0/go.mod h1:S3lq113Y91y1UBf1wj1pFOxeahvfKkCk6mTWTWbDdWs=
github.com/ysmood/got v0.15.1/go.mod h1:pE1l4LOwOBhQg6A/8IAatkGp7uZjnalzrZolnlhhMgY=
github.com/ysmood/gotrace v0.2.2/go.mod h1:TzhIG7nHDry5//eYZDYcTzuJLYQIkykJzCRIo4/dzQM=
github.com/ysmood/gson v0.6.4/go.mod h1:3Kzs5zDl21g5F/BlLTNcuAGAYLKt2lV5G8D1zF3RNmg=
github.com/ysmood/leakless v0.7.0/go.mod h1:R8iAXPRaG97QJwqxs74RdwzcRHT1SWCGTNqY8q0JvMQ=
github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@ -1794,8 +1811,9 @@ go.mongodb.org/mongo-driver v1.4.3/go.mod h1:WcMNYLx/IlOxLe6JRJiv2uXuCz6zBLndR4S
go.mongodb.org/mongo-driver v1.4.4/go.mod h1:WcMNYLx/IlOxLe6JRJiv2uXuCz6zBLndR4SoGjYphSc= go.mongodb.org/mongo-driver v1.4.4/go.mod h1:WcMNYLx/IlOxLe6JRJiv2uXuCz6zBLndR4SoGjYphSc=
go.mongodb.org/mongo-driver v1.4.6/go.mod h1:WcMNYLx/IlOxLe6JRJiv2uXuCz6zBLndR4SoGjYphSc= go.mongodb.org/mongo-driver v1.4.6/go.mod h1:WcMNYLx/IlOxLe6JRJiv2uXuCz6zBLndR4SoGjYphSc=
go.mongodb.org/mongo-driver v1.5.1/go.mod h1:gRXCHX4Jo7J0IJ1oDQyUxF7jfy19UfxniMS4xxMmUqw= go.mongodb.org/mongo-driver v1.5.1/go.mod h1:gRXCHX4Jo7J0IJ1oDQyUxF7jfy19UfxniMS4xxMmUqw=
go.mongodb.org/mongo-driver v1.6.0 h1:ccc26ylcoRWJQRbjU7GvqfxNzwKcoIcEL3BPuFR/pJ0=
go.mongodb.org/mongo-driver v1.6.0/go.mod h1:Q4oFMbo1+MSNqICAdYMlC/zSTrwCogR4R8NzkI+yfU8= go.mongodb.org/mongo-driver v1.6.0/go.mod h1:Q4oFMbo1+MSNqICAdYMlC/zSTrwCogR4R8NzkI+yfU8=
go.mongodb.org/mongo-driver v1.7.3 h1:G4l/eYY9VrQAK/AUgkV0koQKzQnyddnWxrd/Etf0jIs=
go.mongodb.org/mongo-driver v1.7.3/go.mod h1:NqaYOwnXWr5Pm7AOpO5QFxKJ503nbMse/R79oO62zWg=
go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk= go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk=
go.opencensus.io v0.15.0/go.mod h1:UffZAU+4sDEINUGP/B7UfBBkq4fqLu9zXAX7ke6CHW0= go.opencensus.io v0.15.0/go.mod h1:UffZAU+4sDEINUGP/B7UfBBkq4fqLu9zXAX7ke6CHW0=
go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk= go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk=
@ -2195,8 +2213,9 @@ golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210909193231-528a39cd75f3/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210909193231-528a39cd75f3/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210917161153-d61c044b1678 h1:J27LZFQBFoihqXoegpscI10HpjZ7B5WQLLKL2FZXQKw=
golang.org/x/sys v0.0.0-20210917161153-d61c044b1678/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210917161153-d61c044b1678/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359 h1:2B5p2L5IfGiD7+b9BOoRMC6DgObAVZV+Fsp050NqXik=
golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
@ -2318,6 +2337,7 @@ golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
golang.org/x/tools v0.1.7 h1:6j8CgantCy3yc8JGBqkDLMKWqZ0RDU2g1HVgacojGWQ=
golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo= golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@ -2372,8 +2392,9 @@ google.golang.org/api v0.54.0/go.mod h1:7C4bFFOvVDGXjfDTAsgGwDgAxRDeQ4X8NvUedIt6
google.golang.org/api v0.55.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE= google.golang.org/api v0.55.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE=
google.golang.org/api v0.56.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE= google.golang.org/api v0.56.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE=
google.golang.org/api v0.57.0/go.mod h1:dVPlbZyBo2/OjBpmvNdpn2GRm6rPy75jyU7bmhdrMgI= google.golang.org/api v0.57.0/go.mod h1:dVPlbZyBo2/OjBpmvNdpn2GRm6rPy75jyU7bmhdrMgI=
google.golang.org/api v0.58.0 h1:MDkAbYIB1JpSgCTOCYYoIec/coMlKK4oVbpnBLLcyT0=
google.golang.org/api v0.58.0/go.mod h1:cAbP2FsxoGVNwtgNAmmn3y5G1TWAiVYRmg4yku3lv+E= google.golang.org/api v0.58.0/go.mod h1:cAbP2FsxoGVNwtgNAmmn3y5G1TWAiVYRmg4yku3lv+E=
google.golang.org/api v0.60.0 h1:eq/zs5WPH4J9undYM9IP1O7dSr7Yh8Y0GtSCpzGzIUk=
google.golang.org/api v0.60.0/go.mod h1:d7rl65NZAkEQ90JFzqBjcRq1TVeG5ZoGV3sSpEnnVb4=
google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
google.golang.org/appengine v1.3.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.3.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@ -2469,8 +2490,9 @@ google.golang.org/genproto v0.0.0-20210909211513-a8c4777a87af/go.mod h1:eFjDcFEc
google.golang.org/genproto v0.0.0-20210917145530-b395a37504d4/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= google.golang.org/genproto v0.0.0-20210917145530-b395a37504d4/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
google.golang.org/genproto v0.0.0-20210921142501-181ce0d877f6/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20210921142501-181ce0d877f6/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
google.golang.org/genproto v0.0.0-20210924002016-3dee208752a0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20210924002016-3dee208752a0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
google.golang.org/genproto v0.0.0-20211016002631-37fc39342514 h1:Rp1vYDPD4TdkMH5S/bZbopsGCsWhPcrLBUwOVhAQCxM=
google.golang.org/genproto v0.0.0-20211016002631-37fc39342514/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211016002631-37fc39342514/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
google.golang.org/genproto v0.0.0-20211021150943-2b146023228c h1:FqrtZMB5Wr+/RecOM3uPJNPfWR8Upb5hAPnt7PU6i4k=
google.golang.org/genproto v0.0.0-20211021150943-2b146023228c/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
google.golang.org/grpc v1.14.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.14.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=


@ -3,14 +3,15 @@ package cosign
import ( import (
"context" "context"
"crypto" "crypto"
"crypto/x509"
"encoding/base64" "encoding/base64"
"encoding/json" "encoding/json"
"fmt" "fmt"
"strings" "strings"
"github.com/sigstore/cosign/cmd/cosign/cli/fulcio"
"github.com/sigstore/cosign/pkg/oci/remote" "github.com/sigstore/cosign/pkg/oci/remote"
"github.com/gardener/controller-manager-library/pkg/logger"
"github.com/go-logr/logr" "github.com/go-logr/logr"
"github.com/google/go-containerregistry/pkg/authn" "github.com/google/go-containerregistry/pkg/authn"
"github.com/google/go-containerregistry/pkg/authn/k8schain" "github.com/google/go-containerregistry/pkg/authn/k8schain"
@ -51,42 +52,56 @@ func Initialize(client kubernetes.Interface, namespace, serviceAccount string, i
return nil return nil
} }
type Options struct {
ImageRef string
Key string
Roots []byte
Subject string
Repository string
Log logr.Logger
}
// VerifySignature verifies that the image has the expected key // VerifySignature verifies that the image has the expected key
func VerifySignature(imageRef string, key string, repository string, log logr.Logger) (digest string, err error) { func VerifySignature(opts Options) (digest string, err error) {
log := opts.Log
ctx := context.Background() ctx := context.Background()
var pubKey signature.Verifier var remoteOpts []remote.Option
if strings.HasPrefix(key, "-----BEGIN PUBLIC KEY-----") {
pubKey, err = decodePEM([]byte(key))
} else {
pubKey, err = sigs.PublicKeyFromKeyRef(ctx, key)
}
if err != nil {
return "", errors.Wrap(err, "loading key")
}
var opts []remote.Option
ro := options.RegistryOptions{} ro := options.RegistryOptions{}
opts, err = ro.ClientOpts(ctx) remoteOpts, err = ro.ClientOpts(ctx)
if err != nil { if err != nil {
return "", errors.Wrap(err, "constructing client options") return "", errors.Wrap(err, "constructing client options")
} }
if repository != "" {
signatureRepo, err := name.NewRepository(repository)
if err != nil {
return "", errors.Wrapf(err, "failed to parse signature repository %s", repository)
}
opts = append(opts, remote.WithTargetRepository(signatureRepo))
}
cosignOpts := &cosign.CheckOpts{ cosignOpts := &cosign.CheckOpts{
SigVerifier: pubKey, Annotations: map[string]interface{}{},
RegistryClientOpts: opts, RegistryClientOpts: remoteOpts,
} }
ref, err := name.ParseReference(imageRef) if opts.Key != "" {
if strings.HasPrefix(opts.Key, "-----BEGIN PUBLIC KEY-----") {
cosignOpts.SigVerifier, err = decodePEM([]byte(opts.Key))
} else {
cosignOpts.SigVerifier, err = sigs.PublicKeyFromKeyRef(ctx, opts.Key)
}
} else {
cosignOpts.CertEmail = opts.Subject
cosignOpts.RootCerts, err = getX509CertPool(opts.Roots)
}
if err != nil {
return "", errors.Wrap(err, "loading credentials")
}
if opts.Repository != "" {
signatureRepo, err := name.NewRepository(opts.Repository)
if err != nil {
return "", errors.Wrapf(err, "failed to parse signature repository %s", opts.Repository)
}
cosignOpts.RegistryClientOpts = append(cosignOpts.RegistryClientOpts, remote.WithTargetRepository(signatureRepo))
}
ref, err := name.ParseReference(opts.ImageRef)
if err != nil { if err != nil {
return "", errors.Wrap(err, "failed to parse image") return "", errors.Wrap(err, "failed to parse image")
} }
@ -94,7 +109,7 @@ func VerifySignature(imageRef string, key string, repository string, log logr.Lo
verified, _, err := client.Verify(ctx, ref, cosign.SignaturesAccessor, cosignOpts) verified, _, err := client.Verify(ctx, ref, cosign.SignaturesAccessor, cosignOpts)
if err != nil { if err != nil {
msg := err.Error() msg := err.Error()
logger.Info("image verification failed", "error", msg) log.Info("image verification failed", "error", msg)
if strings.Contains(msg, "MANIFEST_UNKNOWN: manifest unknown") { if strings.Contains(msg, "MANIFEST_UNKNOWN: manifest unknown") {
return "", fmt.Errorf("signature not found") return "", fmt.Errorf("signature not found")
} else if strings.Contains(msg, "no matching signatures") { } else if strings.Contains(msg, "no matching signatures") {
@ -104,7 +119,7 @@ func VerifySignature(imageRef string, key string, repository string, log logr.Lo
return "", err return "", err
} }
digest, err = extractDigest(imageRef, verified, log) digest, err = extractDigest(opts.ImageRef, verified, log)
if err != nil { if err != nil {
return "", errors.Wrap(err, "failed to get digest") return "", errors.Wrap(err, "failed to get digest")
} }
@ -112,9 +127,22 @@ func VerifySignature(imageRef string, key string, repository string, log logr.Lo
return digest, nil return digest, nil
} }
func getX509CertPool(roots []byte) (*x509.CertPool, error) {
if roots == nil {
return fulcio.GetRoots(), nil
}
cp := x509.NewCertPool()
if !cp.AppendCertsFromPEM(roots) {
return nil, fmt.Errorf("error creating root cert pool")
}
return cp, nil
}
// FetchAttestations retrieves signed attestations and decodes them into in-toto statements // FetchAttestations retrieves signed attestations and decodes them into in-toto statements
// https://github.com/in-toto/attestation/blob/main/spec/README.md#statement // https://github.com/in-toto/attestation/blob/main/spec/README.md#statement
func FetchAttestations(imageRef string, key string, repository string) ([]map[string]interface{}, error) { func FetchAttestations(imageRef string, key string, repository string, log logr.Logger) ([]map[string]interface{}, error) {
ctx := context.Background() ctx := context.Background()
var pubKey signature.Verifier var pubKey signature.Verifier
var err error var err error
@ -161,7 +189,7 @@ func FetchAttestations(imageRef string, key string, repository string) ([]map[st
verified, _, err := client.Verify(context.Background(), ref, cosign.AttestationsAccessor, cosignOpts) verified, _, err := client.Verify(context.Background(), ref, cosign.AttestationsAccessor, cosignOpts)
if err != nil { if err != nil {
msg := err.Error() msg := err.Error()
logger.Info("failed to fetch attestations", "error", msg) log.Info("failed to fetch attestations", "error", msg)
if strings.Contains(msg, "MANIFEST_UNKNOWN: manifest unknown") { if strings.Contains(msg, "MANIFEST_UNKNOWN: manifest unknown") {
return nil, fmt.Errorf("not found") return nil, fmt.Errorf("not found")
} }
@ -282,6 +310,8 @@ func extractDigest(imgRef string, verified []oci.Signature, log logr.Logger) (st
if err != nil { if err != nil {
return "", errors.Wrap(err, "failed to get payload") return "", errors.Wrap(err, "failed to get payload")
} }
// TODO - change to using payload.SimpleContainerImage after the next Tekton release
if err := json.Unmarshal(payload, &jsonMap); err != nil { if err := json.Unmarshal(payload, &jsonMap); err != nil {
return "", err return "", err
} }
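Review bot: In VerifySignature the keyless branch (`cosignOpts.CertEmail = opts.Subject`) runs whenever `opts.Key` is empty, and nothing checks that `opts.Subject` is set. If the pinned cosign release treats an empty CertEmail as "no identity constraint" (worth confirming), any certificate chaining to the root pool would verify, and the identity check would depend entirely on policy validation done elsewhere. This exported function is the enforcement point, so I would fail closed at the top of that branch: `if opts.Subject == "" { return "", fmt.Errorf("subject is required for keyless verification") }`. The new `Options` type and `getX509CertPool` also have no doc comments; a line on each stating that Key takes precedence over Roots/Subject, and that nil roots selects the Fulcio defaults, would document the trust decision.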

View file

@ -135,7 +135,7 @@ func (iv *imageVerifier) verify(imageVerify *v1.ImageVerification, images map[st
var ruleResp *response.RuleResponse var ruleResp *response.RuleResponse
if len(imageVerify.Attestations) == 0 { if len(imageVerify.Attestations) == 0 {
var digest string var digest string
ruleResp, digest = iv.verifySignature(imageVerify.Repository, key, imageInfo) ruleResp, digest = iv.verifySignature(imageVerify, imageInfo)
if ruleResp.Status == response.RuleStatusPass { if ruleResp.Status == response.RuleStatusPass {
iv.patchDigest(imageInfo, digest, ruleResp) iv.patchDigest(imageInfo, digest, ruleResp)
} }
@ -157,7 +157,7 @@ func getSignatureRepository(imageVerify *v1.ImageVerification) string {
return repository return repository
} }
func (iv *imageVerifier) verifySignature(repository, key string, imageInfo *context.ImageInfo) (*response.RuleResponse, string) { func (iv *imageVerifier) verifySignature(imageVerify *v1.ImageVerification, imageInfo *context.ImageInfo) (*response.RuleResponse, string) {
image := imageInfo.String() image := imageInfo.String()
iv.logger.Info("verifying image", "image", image) iv.logger.Info("verifying image", "image", image)
@ -166,8 +166,21 @@ func (iv *imageVerifier) verifySignature(repository, key string, imageInfo *cont
Type: utils.Validation.String(), Type: utils.Validation.String(),
} }
opts := cosign.Options{
ImageRef: image,
Repository: imageVerify.Repository,
Log: iv.logger,
}
if imageVerify.Key != "" {
opts.Key = imageVerify.Key
} else {
opts.Roots = []byte(imageVerify.Roots)
opts.Subject = imageVerify.Subject
}
start := time.Now() start := time.Now()
digest, err := cosign.VerifySignature(image, key, repository, iv.logger) digest, err := cosign.VerifySignature(opts)
if err != nil { if err != nil {
iv.logger.Info("failed to verify image signature", "image", image, "error", err, "duration", time.Since(start).Seconds()) iv.logger.Info("failed to verify image signature", "image", image, "error", err, "duration", time.Since(start).Seconds())
ruleResp.Status = response.RuleStatusFail ruleResp.Status = response.RuleStatusFail
@ -203,9 +216,8 @@ func makeAddDigestPatch(imageInfo *context.ImageInfo, digest string) ([]byte, er
func (iv *imageVerifier) attestImage(repository, key string, imageInfo *context.ImageInfo, attestationChecks []*v1.Attestation) *response.RuleResponse { func (iv *imageVerifier) attestImage(repository, key string, imageInfo *context.ImageInfo, attestationChecks []*v1.Attestation) *response.RuleResponse {
image := imageInfo.String() image := imageInfo.String()
start := time.Now() start := time.Now()
statements, err := cosign.FetchAttestations(image, key, repository) statements, err := cosign.FetchAttestations(image, key, repository, iv.logger)
if err != nil { if err != nil {
iv.logger.Info("failed to fetch attestations", "image", image, "error", err, "duration", time.Since(start).Seconds()) iv.logger.Info("failed to fetch attestations", "image", image, "error", err, "duration", time.Since(start).Seconds())
return ruleError(iv.rule, utils.ImageVerify, fmt.Sprintf("failed to fetch attestations for %s", image), err) return ruleError(iv.rule, utils.ImageVerify, fmt.Sprintf("failed to fetch attestations for %s", image), err)
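Review bot: `opts.Roots = []byte(imageVerify.Roots)` in verifySignature yields an empty but non-nil slice when Roots is unset, so the `roots == nil` test in cosign's getX509CertPool never selects the default Fulcio roots from this caller; the call fails with "error creating root cert pool" instead. That fails closed, but the default-roots path is effectively unreachable and the error does not say that roots were missing. Either assign only when set, `if imageVerify.Roots != "" { opts.Roots = []byte(imageVerify.Roots) }`, or have getX509CertPool test `len(roots) == 0`. Separately, attestImage still passes only `key` to FetchAttestations, so a keyless rule that lists attestations appears to reach it with an empty key; that function's body is outside the visible hunks, so this needs checking there.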

View file

@ -69,9 +69,7 @@ func validateJSONPatchPathForForwardSlash(patch string) error {
return nil return nil
} }
// Validate does some initial check to verify some conditions // Validate checks the policy and rules declarations for required configurations
// - One operation per rule
// - ResourceDescription mandatory checks
func Validate(policy *kyverno.ClusterPolicy, client *dclient.Client, mock bool, openAPIController *openapi.Controller) error { func Validate(policy *kyverno.ClusterPolicy, client *dclient.Client, mock bool, openAPIController *openapi.Controller) error {
namespaced := false namespaced := false
background := policy.Spec.Background == nil || *policy.Spec.Background background := policy.Spec.Background == nil || *policy.Spec.Background
@ -225,12 +223,21 @@ func Validate(policy *kyverno.ClusterPolicy, client *dclient.Client, mock bool,
} }
} }
} }
if rule.HasMutate() { if rule.HasMutate() {
if !ruleOnlyDealsWithResourceMetaData(rule) { if !ruleOnlyDealsWithResourceMetaData(rule) {
return fmt.Errorf("policy can only deal with the metadata field of the resource if" + return fmt.Errorf("policy can only deal with the metadata field of the resource if" +
" the rule does not match any kind") " the rule does not match any kind")
} }
} }
if rule.HasVerifyImages() {
for _, i := range rule.VerifyImages {
if err := validateVerifyImagesRule(i); err != nil {
return errors.Wrapf(err, "failed to validate policy %s rule %s", policy.Name, rule.Name)
}
}
}
} }
//Validate Kind with match resource kinds //Validate Kind with match resource kinds
@ -1390,3 +1397,15 @@ func validateKinds(kinds []string, mock bool, client *dclient.Client, p kyverno.
} }
return nil return nil
} }
func validateVerifyImagesRule(i *kyverno.ImageVerification) error {
hasKey := i.Key != ""
hasRoots := i.Roots != ""
hasSubject := i.Subject != ""
if (hasKey && !hasRoots && !hasSubject) || (hasRoots && hasSubject) {
return nil
}
return fmt.Errorf("either a public key, or root certificates and an email, are required")
}
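Review bot: validateVerifyImagesRule accepts a rule that sets key, roots and subject together, because the second clause `(hasRoots && hasSubject)` does not require the key to be absent. verifySignature then takes the key branch and ignores roots and subject, so a policy author who expects the signer identity to be enforced gets key-only verification with no error. Tightening the condition to `(hasKey && !hasRoots && !hasSubject) || (!hasKey && hasRoots && hasSubject)` rejects the ambiguous combination. The error text also says "email" where the field is named Subject, which will confuse anyone matching the message to the CRD.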