mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-13 19:28:55 +00:00
feat: migrate ignoreSCT from rekor to ctlog (#8166)
* feat: migrate ignoreSCT from rekor to ctlog Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fix: update tests for new crd Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> --------- Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
parent
414c3c77dd
commit
62634af6aa
38 changed files with 4524 additions and 2555 deletions
|
@ -142,7 +142,7 @@ func Test_ImageVerification(t *testing.T) {
|
|||
ImageReferences: []string{"*"},
|
||||
Attestors: []AttestorSet{
|
||||
{Entries: []Attestor{{
|
||||
Keyless: &KeylessAttestor{Rekor: &CTLog{}, Issuer: "", Subject: ""},
|
||||
Keyless: &KeylessAttestor{Rekor: &Rekor{}, Issuer: "", Subject: ""},
|
||||
}}},
|
||||
},
|
||||
},
|
||||
|
@ -159,7 +159,7 @@ func Test_ImageVerification(t *testing.T) {
|
|||
ImageReferences: []string{"*"},
|
||||
Attestors: []AttestorSet{
|
||||
{Entries: []Attestor{{
|
||||
Keyless: &KeylessAttestor{Rekor: &CTLog{URL: "https://rekor.sigstore.dev"}, Issuer: "bla", Subject: "bla"},
|
||||
Keyless: &KeylessAttestor{Rekor: &Rekor{URL: "https://rekor.sigstore.dev"}, Issuer: "bla", Subject: "bla"},
|
||||
}}},
|
||||
},
|
||||
},
|
||||
|
|
|
@ -187,11 +187,15 @@ type StaticKeyAttestor struct {
|
|||
// Reference to a Secret resource that contains a public key
|
||||
Secret *SecretReference `json:"secret,omitempty" yaml:"secret,omitempty"`
|
||||
|
||||
// Rekor provides configuration for the Rekor transparency log service. If the value is nil,
|
||||
// or an empty object is provided, the public instance of
|
||||
// Rekor (https://rekor.sigstore.dev) is used.
|
||||
// Rekor provides configuration for the Rekor transparency log service. If an empty object
|
||||
// is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
||||
// +kubebuilder:validation:Optional
|
||||
Rekor *CTLog `json:"rekor,omitempty" yaml:"rekor,omitempty"`
|
||||
Rekor *Rekor `json:"rekor,omitempty" yaml:"rekor,omitempty"`
|
||||
|
||||
// CTLog provides configuration for validation of SCTs.
|
||||
// If the value is nil, default ctlog public key is used
|
||||
// +kubebuilder:validation:Optional
|
||||
CTLog *CTLog `json:"ctlog,omitempty" yaml:"ctlog,omitempty"`
|
||||
}
|
||||
|
||||
type SecretReference struct {
|
||||
|
@ -211,19 +215,27 @@ type CertificateAttestor struct {
|
|||
// +kubebuilder:validation:Optional
|
||||
CertificateChain string `json:"certChain,omitempty" yaml:"certChain,omitempty"`
|
||||
|
||||
// Rekor provides configuration for the Rekor transparency log service. If the value is nil,
|
||||
// Rekor is not checked. If an empty object is provided the public instance of
|
||||
// Rekor (https://rekor.sigstore.dev) is used.
|
||||
// Rekor provides configuration for the Rekor transparency log service. If an empty object
|
||||
// is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
||||
// +kubebuilder:validation:Optional
|
||||
Rekor *CTLog `json:"rekor,omitempty" yaml:"rekor,omitempty"`
|
||||
Rekor *Rekor `json:"rekor,omitempty" yaml:"rekor,omitempty"`
|
||||
|
||||
// CTLog provides configuration for validation of SCTs.
|
||||
// If the value is nil, default ctlog public key is used
|
||||
// +kubebuilder:validation:Optional
|
||||
CTLog *CTLog `json:"ctlog,omitempty" yaml:"ctlog,omitempty"`
|
||||
}
|
||||
|
||||
type KeylessAttestor struct {
|
||||
// Rekor provides configuration for the Rekor transparency log service. If the value is nil,
|
||||
// Rekor is not checked and a root certificate chain is expected instead. If an empty object
|
||||
// Rekor provides configuration for the Rekor transparency log service. If an empty object
|
||||
// is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
||||
// +kubebuilder:validation:Optional
|
||||
Rekor *CTLog `json:"rekor,omitempty" yaml:"rekor,omitempty"`
|
||||
Rekor *Rekor `json:"rekor,omitempty" yaml:"rekor,omitempty"`
|
||||
|
||||
// CTLog provides configuration for validation of SCTs.
|
||||
// If the value is nil, default ctlog public key is used
|
||||
// +kubebuilder:validation:Optional
|
||||
CTLog *CTLog `json:"ctlog,omitempty" yaml:"ctlog,omitempty"`
|
||||
|
||||
// Issuer is the certificate issuer used for keyless signing.
|
||||
// +kubebuilder:validation:Optional
|
||||
|
@ -243,7 +255,7 @@ type KeylessAttestor struct {
|
|||
AdditionalExtensions map[string]string `json:"additionalExtensions,omitempty" yaml:"additionalExtensions,omitempty"`
|
||||
}
|
||||
|
||||
type CTLog struct {
|
||||
type Rekor struct {
|
||||
// URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
|
||||
// +kubebuilder:validation:Required
|
||||
// +kubebuilder:Default:=https://rekor.sigstore.dev
|
||||
|
@ -254,15 +266,21 @@ type CTLog struct {
|
|||
// +kubebuilder:validation:Optional
|
||||
RekorPubKey string `json:"pubkey,omitempty" yaml:"pubkey,omitempty"`
|
||||
|
||||
// IgnoreSCT requires that a certificate contain an embedded SCT during verification. An SCT is proof of inclusion in a certificate transparency log.
|
||||
// +kubebuilder:validation:Optional
|
||||
IgnoreSCT bool `json:"ignoreSCT,omitempty" yaml:"ignoreSCT,omitempty"`
|
||||
|
||||
// IgnoreTlog skip tlog verification
|
||||
// +kubebuilder:validation:Optional
|
||||
IgnoreTlog bool `json:"ignoreTlog,omitempty" yaml:"ignoreTlog,omitempty"`
|
||||
}
|
||||
|
||||
type CTLog struct {
|
||||
// IgnoreSCT requires that a certificate contain an embedded SCT during verification.
|
||||
// +kubebuilder:validation:Optional
|
||||
IgnoreSCT bool `json:"ignoreSCT,omitempty" yaml:"ignoreSCT,omitempty"`
|
||||
|
||||
// CTLogPubKey, if set, is used to validate SCTs against those keys.
|
||||
// +kubebuilder:validation:Optional
|
||||
CTLogPubKey string `json:"pubkey,omitempty" yaml:"pubkey,omitempty"`
|
||||
}
|
||||
|
||||
// Attestation are checks for signed in-toto Statements that are used to verify the image.
|
||||
// See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
|
||||
// OCI registry and decodes them into a list of Statements.
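Review bot: The doc comment on the new `CTLog.IgnoreSCT` field says it "requires that a certificate contain an embedded SCT", which reads as the opposite of the field name and of how this commit's test fixtures use it (`ignoreSCT: true` next to `ignoreTlog: true`). On a flag that appears to switch a verification step off, the comment should state the direction plainly, e.g. `// IgnoreSCT, when true, skips verification of the embedded SCT; leave it false to require SCT validation.` The rewritten `Rekor` comments on StaticKeyAttestor, CertificateAttestor and KeylessAttestor also drop the sentence describing the nil case, although `buildCosignVerifier` still falls back to https://rekor.sigstore.dev when `Rekor` is nil for keys and keyless attestors, so that sentence is worth keeping. Moving `ignoreSCT` out of `rekor` also means existing policies that set `rekor.ignoreSCT` no longer match a field of `Rekor`; whether such objects are pruned or rejected is not visible here and should be documented for upgraders.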
|
||||
|
|
|
@ -276,6 +276,11 @@ func (in *CertificateAttestor) DeepCopyInto(out *CertificateAttestor) {
|
|||
*out = *in
|
||||
if in.Rekor != nil {
|
||||
in, out := &in.Rekor, &out.Rekor
|
||||
*out = new(Rekor)
|
||||
**out = **in
|
||||
}
|
||||
if in.CTLog != nil {
|
||||
in, out := &in.CTLog, &out.CTLog
|
||||
*out = new(CTLog)
|
||||
**out = **in
|
||||
}
|
||||
|
@ -804,6 +809,11 @@ func (in *KeylessAttestor) DeepCopyInto(out *KeylessAttestor) {
|
|||
*out = *in
|
||||
if in.Rekor != nil {
|
||||
in, out := &in.Rekor, &out.Rekor
|
||||
*out = new(Rekor)
|
||||
**out = **in
|
||||
}
|
||||
if in.CTLog != nil {
|
||||
in, out := &in.CTLog, &out.CTLog
|
||||
*out = new(CTLog)
|
||||
**out = **in
|
||||
}
|
||||
|
@ -1081,6 +1091,22 @@ func (in *PolicyStatus) DeepCopy() *PolicyStatus {
|
|||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *Rekor) DeepCopyInto(out *Rekor) {
|
||||
*out = *in
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rekor.
|
||||
func (in *Rekor) DeepCopy() *Rekor {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(Rekor)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *RequestData) DeepCopyInto(out *RequestData) {
|
||||
*out = *in
|
||||
|
@ -1394,6 +1420,11 @@ func (in *StaticKeyAttestor) DeepCopyInto(out *StaticKeyAttestor) {
|
|||
}
|
||||
if in.Rekor != nil {
|
||||
in, out := &in.Rekor, &out.Rekor
|
||||
*out = new(Rekor)
|
||||
**out = **in
|
||||
}
|
||||
if in.CTLog != nil {
|
||||
in, out := &in.CTLog, &out.CTLog
|
||||
*out = new(CTLog)
|
||||
**out = **in
|
||||
}
|
||||
|
|
|
@ -85,7 +85,7 @@ func Test_ImageVerification(t *testing.T) {
|
|||
ImageReferences: []string{"*"},
|
||||
Attestors: []kyvernov1.AttestorSet{
|
||||
{Entries: []kyvernov1.Attestor{{
|
||||
Keyless: &kyvernov1.KeylessAttestor{Rekor: &kyvernov1.CTLog{}, Issuer: "", Subject: ""},
|
||||
Keyless: &kyvernov1.KeylessAttestor{Rekor: &kyvernov1.Rekor{}, Issuer: "", Subject: ""},
|
||||
}}},
|
||||
},
|
||||
},
|
||||
|
@ -102,7 +102,7 @@ func Test_ImageVerification(t *testing.T) {
|
|||
ImageReferences: []string{"*"},
|
||||
Attestors: []kyvernov1.AttestorSet{
|
||||
{Entries: []kyvernov1.Attestor{{
|
||||
Keyless: &kyvernov1.KeylessAttestor{Rekor: &kyvernov1.CTLog{URL: "https://rekor.sigstore.dev"}, Issuer: "bla", Subject: "bla"},
|
||||
Keyless: &kyvernov1.KeylessAttestor{Rekor: &kyvernov1.Rekor{URL: "https://rekor.sigstore.dev"}, Issuer: "bla", Subject: "bla"},
|
||||
}}},
|
||||
},
|
||||
},
|
||||
|
|
|
@ -1105,13 +1105,13 @@ The variables defined here will be available under <code>variables</code> in oth
|
|||
<tbody>
|
||||
<tr>
|
||||
<td>
|
||||
<code>url</code><br/>
|
||||
<code>ignoreSCT</code><br/>
|
||||
<em>
|
||||
string
|
||||
bool
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<p>URL is the address of the transparency log. Defaults to the public log <a href="https://rekor.sigstore.dev">https://rekor.sigstore.dev</a>.</p>
|
||||
<p>IgnoreSCT requires that a certificate contain an embedded SCT during verification.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
|
@ -1122,30 +1122,7 @@ string
|
|||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<p>RekorPubKey is an optional PEM encoded public key to use for a custom Rekor.
|
||||
If set, is used to validate signatures on log entries from Rekor.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>ignoreSCT</code><br/>
|
||||
<em>
|
||||
bool
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<p>IgnoreSCT requires that a certificate contain an embedded SCT during verification. An SCT is proof of inclusion in a certificate transparency log.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>ignoreTlog</code><br/>
|
||||
<em>
|
||||
bool
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<p>IgnoreTlog skip tlog verification</p>
|
||||
<p>CTLogPubKey, if set, is used to validate SCTs against those keys.</p>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
|
@ -1193,15 +1170,28 @@ string
|
|||
<td>
|
||||
<code>rekor</code><br/>
|
||||
<em>
|
||||
<a href="#kyverno.io/v1.Rekor">
|
||||
Rekor
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<p>Rekor provides configuration for the Rekor transparency log service. If an empty object
|
||||
is provided the public instance of Rekor (<a href="https://rekor.sigstore.dev">https://rekor.sigstore.dev</a>) is used.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>ctlog</code><br/>
|
||||
<em>
|
||||
<a href="#kyverno.io/v1.CTLog">
|
||||
CTLog
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<p>Rekor provides configuration for the Rekor transparency log service. If the value is nil,
|
||||
Rekor is not checked. If an empty object is provided the public instance of
|
||||
Rekor (<a href="https://rekor.sigstore.dev">https://rekor.sigstore.dev</a>) is used.</p>
|
||||
<p>CTLog provides configuration for validation of SCTs.
|
||||
If the value is nil, default ctlog public key is used</p>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
|
@ -2404,15 +2394,28 @@ bool
|
|||
<td>
|
||||
<code>rekor</code><br/>
|
||||
<em>
|
||||
<a href="#kyverno.io/v1.Rekor">
|
||||
Rekor
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<p>Rekor provides configuration for the Rekor transparency log service. If an empty object
|
||||
is provided the public instance of Rekor (<a href="https://rekor.sigstore.dev">https://rekor.sigstore.dev</a>) is used.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>ctlog</code><br/>
|
||||
<em>
|
||||
<a href="#kyverno.io/v1.CTLog">
|
||||
CTLog
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<p>Rekor provides configuration for the Rekor transparency log service. If the value is nil,
|
||||
Rekor is not checked and a root certificate chain is expected instead. If an empty object
|
||||
is provided the public instance of Rekor (<a href="https://rekor.sigstore.dev">https://rekor.sigstore.dev</a>) is used.</p>
|
||||
<p>CTLog provides configuration for validation of SCTs.
|
||||
If the value is nil, default ctlog public key is used</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
|
@ -2943,6 +2946,61 @@ RuleCountStatus
|
|||
</tbody>
|
||||
</table>
|
||||
<hr />
|
||||
<h3 id="kyverno.io/v1.Rekor">Rekor
|
||||
</h3>
|
||||
<p>
|
||||
(<em>Appears on:</em>
|
||||
<a href="#kyverno.io/v1.CertificateAttestor">CertificateAttestor</a>,
|
||||
<a href="#kyverno.io/v1.KeylessAttestor">KeylessAttestor</a>,
|
||||
<a href="#kyverno.io/v1.StaticKeyAttestor">StaticKeyAttestor</a>)
|
||||
</p>
|
||||
<p>
|
||||
</p>
|
||||
<table class="table table-striped">
|
||||
<thead class="thead-dark">
|
||||
<tr>
|
||||
<th>Field</th>
|
||||
<th>Description</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td>
|
||||
<code>url</code><br/>
|
||||
<em>
|
||||
string
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<p>URL is the address of the transparency log. Defaults to the public log <a href="https://rekor.sigstore.dev">https://rekor.sigstore.dev</a>.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>pubkey</code><br/>
|
||||
<em>
|
||||
string
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<p>RekorPubKey is an optional PEM encoded public key to use for a custom Rekor.
|
||||
If set, is used to validate signatures on log entries from Rekor.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>ignoreTlog</code><br/>
|
||||
<em>
|
||||
bool
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<p>IgnoreTlog skip tlog verification</p>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<hr />
|
||||
<h3 id="kyverno.io/v1.RequestData">RequestData
|
||||
</h3>
|
||||
<p>
|
||||
|
@ -3859,15 +3917,28 @@ SecretReference
|
|||
<td>
|
||||
<code>rekor</code><br/>
|
||||
<em>
|
||||
<a href="#kyverno.io/v1.Rekor">
|
||||
Rekor
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<p>Rekor provides configuration for the Rekor transparency log service. If an empty object
|
||||
is provided the public instance of Rekor (<a href="https://rekor.sigstore.dev">https://rekor.sigstore.dev</a>) is used.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>ctlog</code><br/>
|
||||
<em>
|
||||
<a href="#kyverno.io/v1.CTLog">
|
||||
CTLog
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<p>Rekor provides configuration for the Rekor transparency log service. If the value is nil,
|
||||
or an empty object is provided, the public instance of
|
||||
Rekor (<a href="https://rekor.sigstore.dev">https://rekor.sigstore.dev</a>) is used.</p>
|
||||
<p>CTLog provides configuration for validation of SCTs.
|
||||
If the value is nil, default ctlog public key is used</p>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
|
|
|
@ -23,7 +23,8 @@ package v1
|
|||
type CertificateAttestorApplyConfiguration struct {
|
||||
Certificate *string `json:"cert,omitempty"`
|
||||
CertificateChain *string `json:"certChain,omitempty"`
|
||||
Rekor *CTLogApplyConfiguration `json:"rekor,omitempty"`
|
||||
Rekor *RekorApplyConfiguration `json:"rekor,omitempty"`
|
||||
CTLog *CTLogApplyConfiguration `json:"ctlog,omitempty"`
|
||||
}
|
||||
|
||||
// CertificateAttestorApplyConfiguration constructs an declarative configuration of the CertificateAttestor type for use with
|
||||
|
@ -51,7 +52,15 @@ func (b *CertificateAttestorApplyConfiguration) WithCertificateChain(value strin
|
|||
// WithRekor sets the Rekor field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the Rekor field is set to the value of the last call.
|
||||
func (b *CertificateAttestorApplyConfiguration) WithRekor(value *CTLogApplyConfiguration) *CertificateAttestorApplyConfiguration {
|
||||
func (b *CertificateAttestorApplyConfiguration) WithRekor(value *RekorApplyConfiguration) *CertificateAttestorApplyConfiguration {
|
||||
b.Rekor = value
|
||||
return b
|
||||
}
|
||||
|
||||
// WithCTLog sets the CTLog field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the CTLog field is set to the value of the last call.
|
||||
func (b *CertificateAttestorApplyConfiguration) WithCTLog(value *CTLogApplyConfiguration) *CertificateAttestorApplyConfiguration {
|
||||
b.CTLog = value
|
||||
return b
|
||||
}
|
||||
|
|
|
@ -21,10 +21,8 @@ package v1
|
|||
// CTLogApplyConfiguration represents an declarative configuration of the CTLog type for use
|
||||
// with apply.
|
||||
type CTLogApplyConfiguration struct {
|
||||
URL *string `json:"url,omitempty"`
|
||||
RekorPubKey *string `json:"pubkey,omitempty"`
|
||||
IgnoreSCT *bool `json:"ignoreSCT,omitempty"`
|
||||
IgnoreTlog *bool `json:"ignoreTlog,omitempty"`
|
||||
CTLogPubKey *string `json:"pubkey,omitempty"`
|
||||
}
|
||||
|
||||
// CTLogApplyConfiguration constructs an declarative configuration of the CTLog type for use with
|
||||
|
@ -33,22 +31,6 @@ func CTLog() *CTLogApplyConfiguration {
|
|||
return &CTLogApplyConfiguration{}
|
||||
}
|
||||
|
||||
// WithURL sets the URL field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the URL field is set to the value of the last call.
|
||||
func (b *CTLogApplyConfiguration) WithURL(value string) *CTLogApplyConfiguration {
|
||||
b.URL = &value
|
||||
return b
|
||||
}
|
||||
|
||||
// WithRekorPubKey sets the RekorPubKey field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the RekorPubKey field is set to the value of the last call.
|
||||
func (b *CTLogApplyConfiguration) WithRekorPubKey(value string) *CTLogApplyConfiguration {
|
||||
b.RekorPubKey = &value
|
||||
return b
|
||||
}
|
||||
|
||||
// WithIgnoreSCT sets the IgnoreSCT field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the IgnoreSCT field is set to the value of the last call.
|
||||
|
@ -57,10 +39,10 @@ func (b *CTLogApplyConfiguration) WithIgnoreSCT(value bool) *CTLogApplyConfigura
|
|||
return b
|
||||
}
|
||||
|
||||
// WithIgnoreTlog sets the IgnoreTlog field in the declarative configuration to the given value
|
||||
// WithCTLogPubKey sets the CTLogPubKey field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the IgnoreTlog field is set to the value of the last call.
|
||||
func (b *CTLogApplyConfiguration) WithIgnoreTlog(value bool) *CTLogApplyConfiguration {
|
||||
b.IgnoreTlog = &value
|
||||
// If called multiple times, the CTLogPubKey field is set to the value of the last call.
|
||||
func (b *CTLogApplyConfiguration) WithCTLogPubKey(value string) *CTLogApplyConfiguration {
|
||||
b.CTLogPubKey = &value
|
||||
return b
|
||||
}
|
||||
|
|
|
@ -21,7 +21,8 @@ package v1
|
|||
// KeylessAttestorApplyConfiguration represents an declarative configuration of the KeylessAttestor type for use
|
||||
// with apply.
|
||||
type KeylessAttestorApplyConfiguration struct {
|
||||
Rekor *CTLogApplyConfiguration `json:"rekor,omitempty"`
|
||||
Rekor *RekorApplyConfiguration `json:"rekor,omitempty"`
|
||||
CTLog *CTLogApplyConfiguration `json:"ctlog,omitempty"`
|
||||
Issuer *string `json:"issuer,omitempty"`
|
||||
Subject *string `json:"subject,omitempty"`
|
||||
Roots *string `json:"roots,omitempty"`
|
||||
|
@ -37,11 +38,19 @@ func KeylessAttestor() *KeylessAttestorApplyConfiguration {
|
|||
// WithRekor sets the Rekor field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the Rekor field is set to the value of the last call.
|
||||
func (b *KeylessAttestorApplyConfiguration) WithRekor(value *CTLogApplyConfiguration) *KeylessAttestorApplyConfiguration {
|
||||
func (b *KeylessAttestorApplyConfiguration) WithRekor(value *RekorApplyConfiguration) *KeylessAttestorApplyConfiguration {
|
||||
b.Rekor = value
|
||||
return b
|
||||
}
|
||||
|
||||
// WithCTLog sets the CTLog field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the CTLog field is set to the value of the last call.
|
||||
func (b *KeylessAttestorApplyConfiguration) WithCTLog(value *CTLogApplyConfiguration) *KeylessAttestorApplyConfiguration {
|
||||
b.CTLog = value
|
||||
return b
|
||||
}
|
||||
|
||||
// WithIssuer sets the Issuer field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the Issuer field is set to the value of the last call.
|
||||
|
|
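--- /dev/null
+++ b/pkg/client/applyconfigurations/kyverno/v1/rekor.go
@@ -0,0 +1,57 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1
+
+// RekorApplyConfiguration represents an declarative configuration of the Rekor type for use
+// with apply.
+type RekorApplyConfiguration struct {
+URL *string `json:"url,omitempty"`
+RekorPubKey *string `json:"pubkey,omitempty"`
+IgnoreTlog *bool `json:"ignoreTlog,omitempty"`
+}
+
+// RekorApplyConfiguration constructs an declarative configuration of the Rekor type for use with
+// apply.
+func Rekor() *RekorApplyConfiguration {
+return &RekorApplyConfiguration{}
+}
+
+// WithURL sets the URL field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the URL field is set to the value of the last call.
+func (b *RekorApplyConfiguration) WithURL(value string) *RekorApplyConfiguration {
+b.URL = &value
+return b
+}
+
+// WithRekorPubKey sets the RekorPubKey field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the RekorPubKey field is set to the value of the last call.
+func (b *RekorApplyConfiguration) WithRekorPubKey(value string) *RekorApplyConfiguration {
+b.RekorPubKey = &value
+return b
+}
+
+// WithIgnoreTlog sets the IgnoreTlog field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the IgnoreTlog field is set to the value of the last call.
+func (b *RekorApplyConfiguration) WithIgnoreTlog(value bool) *RekorApplyConfiguration {
+b.IgnoreTlog = &value
+return b
+}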
|
|
@ -25,7 +25,8 @@ type StaticKeyAttestorApplyConfiguration struct {
|
|||
SignatureAlgorithm *string `json:"signatureAlgorithm,omitempty"`
|
||||
KMS *string `json:"kms,omitempty"`
|
||||
Secret *SecretReferenceApplyConfiguration `json:"secret,omitempty"`
|
||||
Rekor *CTLogApplyConfiguration `json:"rekor,omitempty"`
|
||||
Rekor *RekorApplyConfiguration `json:"rekor,omitempty"`
|
||||
CTLog *CTLogApplyConfiguration `json:"ctlog,omitempty"`
|
||||
}
|
||||
|
||||
// StaticKeyAttestorApplyConfiguration constructs an declarative configuration of the StaticKeyAttestor type for use with
|
||||
|
@ -69,7 +70,15 @@ func (b *StaticKeyAttestorApplyConfiguration) WithSecret(value *SecretReferenceA
|
|||
// WithRekor sets the Rekor field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the Rekor field is set to the value of the last call.
|
||||
func (b *StaticKeyAttestorApplyConfiguration) WithRekor(value *CTLogApplyConfiguration) *StaticKeyAttestorApplyConfiguration {
|
||||
func (b *StaticKeyAttestorApplyConfiguration) WithRekor(value *RekorApplyConfiguration) *StaticKeyAttestorApplyConfiguration {
|
||||
b.Rekor = value
|
||||
return b
|
||||
}
|
||||
|
||||
// WithCTLog sets the CTLog field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the CTLog field is set to the value of the last call.
|
||||
func (b *StaticKeyAttestorApplyConfiguration) WithCTLog(value *CTLogApplyConfiguration) *StaticKeyAttestorApplyConfiguration {
|
||||
b.CTLog = value
|
||||
return b
|
||||
}
|
||||
|
|
|
@ -105,6 +105,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
|
|||
return &kyvernov1.PolicyApplyConfiguration{}
|
||||
case v1.SchemeGroupVersion.WithKind("PolicyStatus"):
|
||||
return &kyvernov1.PolicyStatusApplyConfiguration{}
|
||||
case v1.SchemeGroupVersion.WithKind("Rekor"):
|
||||
return &kyvernov1.RekorApplyConfiguration{}
|
||||
case v1.SchemeGroupVersion.WithKind("RequestData"):
|
||||
return &kyvernov1.RequestDataApplyConfiguration{}
|
||||
case v1.SchemeGroupVersion.WithKind("ResourceDescription"):
|
||||
|
|
|
@ -63,8 +63,10 @@ var testPolicyGood = `{
|
|||
"publicKeys": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEHMmDjK65krAyDaGaeyWNzgvIu155JI50B2vezCw8+3CVeE0lJTL5dbL3OP98Za0oAEBJcOxky8Riy/XcmfKZbw==\n-----END PUBLIC KEY-----",
|
||||
"rekor": {
|
||||
"url": "https://rekor.sigstore.dev",
|
||||
"ignoreSCT": true,
|
||||
"ignoreTlog": true
|
||||
},
|
||||
"ctlog": {
|
||||
"ignoreSCT": true
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -298,8 +300,10 @@ var testSampleSingleKeyPolicy = `
|
|||
"publicKeys": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM\n5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==\n-----END PUBLIC KEY-----",
|
||||
"rekor": {
|
||||
"url": "https://rekor.sigstore.dev",
|
||||
"ignoreSCT": true,
|
||||
"ignoreTlog": true
|
||||
},
|
||||
"ctlog": {
|
||||
"ignoreSCT": true
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -353,8 +357,10 @@ var testSampleMultipleKeyPolicy = `
|
|||
"publicKeys": "KEY1",
|
||||
"rekor": {
|
||||
"url": "https://rekor.sigstore.dev",
|
||||
"ignoreSCT": true,
|
||||
"ignoreTlog": true
|
||||
},
|
||||
"ctlog": {
|
||||
"ignoreSCT": true
|
||||
}
|
||||
}
|
||||
},
|
||||
|
@ -363,8 +369,10 @@ var testSampleMultipleKeyPolicy = `
|
|||
"publicKeys": "KEY2",
|
||||
"rekor": {
|
||||
"url": "https://rekor.sigstore.dev",
|
||||
"ignoreSCT": true,
|
||||
"ignoreTlog": true
|
||||
},
|
||||
"ctlog": {
|
||||
"ignoreSCT": true
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -429,8 +437,10 @@ var testConfigMapMissing = `{
|
|||
"publicKeys": "{{myconfigmap.data.configmapkey}}",
|
||||
"rekor": {
|
||||
"url": "https://rekor.sigstore.dev",
|
||||
"ignoreSCT": true,
|
||||
"ignoreTlog": true
|
||||
},
|
||||
"ctlog": {
|
||||
"ignoreSCT": true
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -673,8 +683,10 @@ var testNestedAttestorPolicy = `
|
|||
"publicKeys": "KEY1",
|
||||
"rekor": {
|
||||
"url": "https://rekor.sigstore.dev",
|
||||
"ignoreSCT": true,
|
||||
"ignoreTlog": true
|
||||
},
|
||||
"ctlog": {
|
||||
"ignoreSCT": true
|
||||
}
|
||||
}
|
||||
},
|
||||
|
@ -686,8 +698,10 @@ var testNestedAttestorPolicy = `
|
|||
"publicKeys": "KEY2",
|
||||
"rekor": {
|
||||
"url": "https://rekor.sigstore.dev",
|
||||
"ignoreSCT": true,
|
||||
"ignoreTlog": true
|
||||
},
|
||||
"ctlog": {
|
||||
"ignoreSCT": true
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -895,8 +909,10 @@ func Test_ParsePEMDelimited(t *testing.T) {
|
|||
"publicKeys": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfVMHGmFK4OgVqhy36KZ7a3r4R4/o\nCwaCVvXZV4ZULFbkFZ0IodGqKqcVmgycnoj7d8TpKpAUVNF8kKh90ewH3A==\n-----END PUBLIC KEY-----\n-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0f1W0XigyPFbX8Xq3QmkbL9gDFTf\nRfc8jF7UadBcwKxiyvPSOKZn+igQfXzpNjrwPSZ58JGvF4Fs8BB3fSRP2g==\n-----END PUBLIC KEY-----",
|
||||
"rekor": {
|
||||
"url": "https://rekor.sigstore.dev",
|
||||
"ignoreSCT": true,
|
||||
"ignoreTlog": true
|
||||
},
|
||||
"ctlog": {
|
||||
"ignoreSCT": true
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -525,13 +525,18 @@ func (iv *ImageVerifier) buildCosignVerifier(
|
|||
if attestor.Keys.Rekor != nil {
|
||||
opts.RekorURL = attestor.Keys.Rekor.URL
|
||||
opts.RekorPubKey = attestor.Keys.Rekor.RekorPubKey
|
||||
opts.IgnoreSCT = attestor.Keys.Rekor.IgnoreSCT
|
||||
opts.IgnoreTlog = attestor.Keys.Rekor.IgnoreTlog
|
||||
} else {
|
||||
opts.RekorURL = "https://rekor.sigstore.dev"
|
||||
opts.IgnoreSCT = false
|
||||
opts.IgnoreTlog = false
|
||||
}
|
||||
|
||||
if attestor.Keys.CTLog != nil {
|
||||
opts.IgnoreSCT = attestor.Keys.CTLog.IgnoreSCT
|
||||
} else {
|
||||
opts.IgnoreSCT = false
|
||||
}
|
||||
opts.SignatureAlgorithm = attestor.Keys.SignatureAlgorithm
|
||||
} else if attestor.Certificates != nil {
|
||||
path = path + ".certificates"
|
||||
|
@ -545,7 +550,6 @@ func (iv *ImageVerifier) buildCosignVerifier(
|
|||
if attestor.Keyless.Rekor != nil {
|
||||
opts.RekorURL = attestor.Keyless.Rekor.URL
|
||||
opts.RekorPubKey = attestor.Keyless.Rekor.RekorPubKey
|
||||
opts.IgnoreSCT = attestor.Keyless.Rekor.IgnoreSCT
|
||||
opts.IgnoreTlog = attestor.Keyless.Rekor.IgnoreTlog
|
||||
} else {
|
||||
opts.RekorURL = "https://rekor.sigstore.dev"
|
||||
|
@ -553,6 +557,12 @@ func (iv *ImageVerifier) buildCosignVerifier(
|
|||
opts.IgnoreTlog = false
|
||||
}
|
||||
|
||||
if attestor.Keyless.CTLog != nil {
|
||||
opts.IgnoreSCT = attestor.Keyless.CTLog.IgnoreSCT
|
||||
} else {
|
||||
opts.IgnoreSCT = false
|
||||
}
|
||||
|
||||
opts.Roots = attestor.Keyless.Roots
|
||||
opts.Issuer = attestor.Keyless.Issuer
|
||||
opts.Subject = attestor.Keyless.Subject
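Review bot: Only `IgnoreSCT` is read from the new `CTLog` block in the `Keys` and `Keyless` branches; `CTLog.CTLogPubKey`, which this commit adds to the API as the key SCTs are validated against, is not copied into `opts` in any visible hunk. If that holds for the rest of the function, a policy that pins a custom CT log key would be accepted but still verified against the default key. Either pass the value through to the verifier options or make the gap explicit next to the new block, e.g. `// TODO: CTLog.CTLogPubKey is not yet passed to the verifier; SCTs are checked against the default CT log key.` No hunk touches the `attestor.Certificates` branch either, so the new `CertificateAttestor.CTLog` field may likewise go unread there. `buildCosignVerifier` starts and ends outside these hunks, so this should be confirmed against the full function.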
|
||||
|
|
|
@ -28,4 +28,5 @@ spec:
|
|||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ignoreTlog: true
|
||||
ctlog:
|
||||
ignoreSCT: true
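Review bot: Every fixture updated in this and the following policy sections sets `ctlog.ignoreSCT: true`, so none of the visible test policies exercises the default path where `ctlog` is omitted and the SCT check stays on. One policy that leaves `ctlog` unset, or sets `ignoreSCT: false`, would show that the migration did not change the secure default. A short comment on the relaxed fixtures, for example `# test only: SCT verification disabled`, would also make it less likely that they are copied into production policies as-is.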
|
||||
|
|
|
@ -26,9 +26,10 @@ spec:
|
|||
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
|
||||
-----END PUBLIC KEY-----
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ignoreTlog: true
|
||||
ignoreSCT: true
|
||||
url: https://rekor.sigstore.dev
|
||||
ignoreTlog: true
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
|
@ -64,6 +65,7 @@ spec:
|
|||
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
|
||||
-----END PUBLIC KEY-----
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ignoreTlog: true
|
||||
ignoreSCT: true
|
||||
url: https://rekor.sigstore.dev
|
||||
ignoreTlog: true
|
||||
ctlog:
|
||||
ignoreSCT: true
|
|
@ -30,4 +30,5 @@ spec:
|
|||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ignoreTlog: true
|
||||
ctlog:
|
||||
ignoreSCT: true
|
|
@ -30,4 +30,5 @@ spec:
|
|||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ignoreTlog: true
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
|
|
|
@ -27,4 +27,5 @@ spec:
|
|||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ignoreTlog: true
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
|
|
|
@ -45,4 +45,5 @@ spec:
|
|||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ignoreTlog: true
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
|
|
|
@ -25,9 +25,10 @@ spec:
|
|||
BibYLJ5L4VSMvGxeMLnBGdM48w5IE//6idUPj3rscigFdHs7GDMH4LLAng==
|
||||
-----END PUBLIC KEY-----
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ignoreTlog: true
|
||||
ignoreSCT: true
|
||||
url: https://rekor.sigstore.dev
|
||||
ignoreTlog: true
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
- keys:
|
||||
publicKeys: |-
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
|
@ -35,6 +36,7 @@ spec:
|
|||
FdGxexVrR4YqO1pRViKxmD9oMu4I7K/4sM51nbH65ycB2uRiDfIdRoV/+A==
|
||||
-----END PUBLIC KEY-----
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ignoreTlog: true
|
||||
ignoreSCT: true
|
||||
url: https://rekor.sigstore.dev
|
||||
ignoreTlog: true
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
|
|
|
@ -28,6 +28,7 @@ spec:
|
|||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ignoreTlog: true
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
imageReferences:
|
||||
- ghcr.io/kyverno/test-verify-image:*
|
||||
|
@ -53,6 +54,7 @@ spec:
|
|||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ignoreTlog: true
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
imageReferences:
|
||||
- my.local.repo/*
|
||||
|
|
|
@ -28,4 +28,5 @@ spec:
|
|||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ignoreTlog: true
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
|
|
|
@ -31,6 +31,7 @@ spec:
|
|||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ignoreTlog: true
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
validationFailureAction: Audit
|
||||
webhookTimeoutSeconds: 30
|
||||
|
|
|
@ -30,5 +30,6 @@ spec:
|
|||
subject: "https://github.com/*"
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
required: true
|
||||
|
|
|
@ -28,6 +28,7 @@ spec:
|
|||
issuer: "https://token.actions.githubusercontent.com"
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
conditions:
|
||||
- all:
|
||||
|
|
|
@ -27,6 +27,7 @@ spec:
|
|||
issuer: "https://token.actions.githubusercontent.com"
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
conditions:
|
||||
- all:
|
||||
|
|
|
@ -27,6 +27,7 @@ spec:
|
|||
issuer: "https://token.actions.githubusercontent.com"
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
conditions:
|
||||
- all:
|
||||
|
|
|
@ -27,12 +27,14 @@ spec:
|
|||
issuer: "https://token.actions.githubusercontent.com"
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
- keyless:
|
||||
subject: "https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main"
|
||||
issuer: "https://token.actions.githubusercontent.com"
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
count: 1
|
||||
conditions:
|
||||
|
|
|
@ -27,12 +27,14 @@ spec:
|
|||
issuer: "https://token.actions.githubusercontent.com"
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
- keyless:
|
||||
subject: "https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main"
|
||||
issuer: "https://token.actions.githubusercontent.com"
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
count: 2
|
||||
conditions:
|
||||
|
|
|
@ -27,12 +27,14 @@ spec:
|
|||
issuer: "https://token.actions.githubusercontent.com"
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
- keyless:
|
||||
subject: "https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main"
|
||||
issuer: "https://token.actions.githubusercontent.com"
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
conditions:
|
||||
- all:
|
||||
|
|
|
@ -25,4 +25,5 @@ spec:
|
|||
issuer: "https://token.actions.githubusercontent.com"
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ctlog:
|
||||
ignoreSCT: true
|
|
@ -25,4 +25,5 @@ spec:
|
|||
issuer: "https://token.actions.githubusercontent.com"
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ctlog:
|
||||
ignoreSCT: true
|
|
@ -25,4 +25,5 @@ spec:
|
|||
issuer: "https://token.actions.githubusercontent.com"
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ctlog:
|
||||
ignoreSCT: true
|
|
@ -34,4 +34,5 @@ spec:
|
|||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ignoreTlog: true
|
||||
ctlog:
|
||||
ignoreSCT: true
|