feat: update verify images types with better descriptions (#8779)

* feat: update verify images types with better descriptions

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* feat: revert cert and certchain

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

---------

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

api/kyverno/v1/image_verification_types.go

@@ -96,11 +96,11 @@ type ImageVerification struct {
 	// +kubebuilder:validation:Optional
 	Required bool `json:"required" yaml:"required"`
 
-	// ImageRegistryCredentials provides credentials that will be used for authentication with registry
+	// ImageRegistryCredentials provides credentials that will be used for authentication with registry.
 	// +kubebuilder:validation:Optional
 	ImageRegistryCredentials *ImageRegistryCredentials `json:"imageRegistryCredentials,omitempty" yaml:"imageRegistryCredentials,omitempty"`
 
-	// UseCache enables caching of image verify responses for this rule
+	// UseCache enables caching of image verify responses for this rule.
 	// +kubebuilder:default=true
 	// +kubebuilder:validation:Optional
 	UseCache bool `json:"useCache" yaml:"useCache"`
@@ -128,11 +128,11 @@ func (as AttestorSet) RequiredCount() int {
 }
 
 type Attestor struct {
-	// Keys specifies one or more public keys
+	// Keys specifies one or more public keys.
 	// +kubebuilder:validation:Optional
 	Keys *StaticKeyAttestor `json:"keys,omitempty" yaml:"keys,omitempty"`
 
-	// Certificates specifies one or more certificates
+	// Certificates specifies one or more certificates.
 	// +kubebuilder:validation:Optional
 	Certificates *CertificateAttestor `json:"certificates,omitempty" yaml:"certificates,omitempty"`
 
@@ -141,7 +141,7 @@ type Attestor struct {
 	// +kubebuilder:validation:Optional
 	Keyless *KeylessAttestor `json:"keyless,omitempty" yaml:"keyless,omitempty"`
 
-	// Attestor is a nested AttestorSet used to specify a more complex set of match authorities
+	// Attestor is a nested set of Attestor used to specify a more complex set of match authorities.
 	// +kubebuilder:validation:Optional
 	Attestor *apiextv1.JSON `json:"attestor,omitempty" yaml:"attestor,omitempty"`
 
@@ -166,7 +166,7 @@ type StaticKeyAttestor struct {
 	// (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
 	PublicKeys string `json:"publicKeys,omitempty" yaml:"publicKeys,omitempty"`
 
-	// Specify signature algorithm for public keys. Supported values are sha256 and sha512
+	// Specify signature algorithm for public keys. Supported values are sha256 and sha512.
 	// +kubebuilder:default=sha256
 	SignatureAlgorithm string `json:"signatureAlgorithm,omitempty" yaml:"signatureAlgorithm,omitempty"`
 
@@ -182,8 +182,8 @@ type StaticKeyAttestor struct {
 	// +kubebuilder:validation:Optional
 	Rekor *Rekor `json:"rekor,omitempty" yaml:"rekor,omitempty"`
 
-	// CTLog provides configuration for validation of SCTs.
-	// If the value is nil, default ctlog public key is used
+	// CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+	// Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
 	// +kubebuilder:validation:Optional
 	CTLog *CTLog `json:"ctlog,omitempty" yaml:"ctlog,omitempty"`
 }
@@ -197,11 +197,11 @@ type SecretReference struct {
 }
 
 type CertificateAttestor struct {
-	// Certificate is an optional PEM encoded public certificate.
+	// Cert is an optional PEM-encoded public certificate.
 	// +kubebuilder:validation:Optional
 	Certificate string `json:"cert,omitempty" yaml:"cert,omitempty"`
 
-	// CertificateChain is an optional PEM encoded set of certificates used to verify
+	// CertChain is an optional PEM encoded set of certificates used to verify.
 	// +kubebuilder:validation:Optional
 	CertificateChain string `json:"certChain,omitempty" yaml:"certChain,omitempty"`
 
@@ -210,8 +210,8 @@ type CertificateAttestor struct {
 	// +kubebuilder:validation:Optional
 	Rekor *Rekor `json:"rekor,omitempty" yaml:"rekor,omitempty"`
 
-	// CTLog provides configuration for validation of SCTs.
-	// If the value is nil, default ctlog public key is used
+	// CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+	// Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
 	// +kubebuilder:validation:Optional
 	CTLog *CTLog `json:"ctlog,omitempty" yaml:"ctlog,omitempty"`
 }
@@ -222,8 +222,8 @@ type KeylessAttestor struct {
 	// +kubebuilder:validation:Optional
 	Rekor *Rekor `json:"rekor,omitempty" yaml:"rekor,omitempty"`
 
-	// CTLog provides configuration for validation of SCTs.
-	// If the value is nil, default ctlog public key is used
+	// CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+	// Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
 	// +kubebuilder:validation:Optional
 	CTLog *CTLog `json:"ctlog,omitempty" yaml:"ctlog,omitempty"`
 
@@ -231,7 +231,7 @@ type KeylessAttestor struct {
 	// +kubebuilder:validation:Optional
 	Issuer string `json:"issuer,omitempty" yaml:"issuer,omitempty"`
 
-	// Subject is the verified identity used for keyless signing, for example the email address
+	// Subject is the verified identity used for keyless signing, for example the email address.
 	// +kubebuilder:validation:Optional
 	Subject string `json:"subject,omitempty" yaml:"subject,omitempty"`
 
@@ -246,27 +246,28 @@ type KeylessAttestor struct {
 }
 
 type Rekor struct {
-	// URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
+	// URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.
 	// +kubebuilder:validation:Required
 	// +kubebuilder:Default:=https://rekor.sigstore.dev
 	URL string `json:"url" yaml:"url"`
 
-	// RekorPubKey is an optional PEM encoded public key to use for a custom Rekor.
-	// If set, is used to validate signatures on log entries from Rekor.
+	// RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+	// If set, this will be used to validate transparency log signatures from a custom Rekor.
 	// +kubebuilder:validation:Optional
 	RekorPubKey string `json:"pubkey,omitempty" yaml:"pubkey,omitempty"`
 
-	// IgnoreTlog skip tlog verification
+	// IgnoreTlog skips transparency log verification.
 	// +kubebuilder:validation:Optional
 	IgnoreTlog bool `json:"ignoreTlog,omitempty" yaml:"ignoreTlog,omitempty"`
 }
 
 type CTLog struct {
-	// IgnoreSCT requires that a certificate contain an embedded SCT during verification.
+	// IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+	// timestamp. Default is false. Set to true if this was opted out during signing.
 	// +kubebuilder:validation:Optional
 	IgnoreSCT bool `json:"ignoreSCT,omitempty" yaml:"ignoreSCT,omitempty"`
 
-	// CTLogPubKey, if set, is used to validate SCTs against those keys.
+	// PubKey, if set, is used to validate SCTs against a custom source.
 	// +kubebuilder:validation:Optional
 	CTLogPubKey string `json:"pubkey,omitempty" yaml:"pubkey,omitempty"`
 }
@@ -283,7 +284,7 @@ type Attestation struct {
 	// +kubebuilder:validation:Optional
 	Type string `json:"type" yaml:"type"`
 
-	// Attestors specify the required attestors (i.e. authorities)
+	// Attestors specify the required attestors (i.e. authorities).
 	// +kubebuilder:validation:Optional
 	Attestors []AttestorSet `json:"attestors" yaml:"attestors"`
 
@@ -294,17 +295,17 @@ type Attestation struct {
 }
 
 type ImageRegistryCredentials struct {
-	// AllowInsecureRegistry allows insecure access to a registry
+	// AllowInsecureRegistry allows insecure access to a registry.
 	// +kubebuilder:validation:Optional
 	AllowInsecureRegistry bool `json:"allowInsecureRegistry,omitempty" yaml:"allowInsecureRegistry,omitempty"`
 
-	// Providers specifies a list of OCI Registry names, whose authentication providers are provided
-	// It can be of one of these values: default,google,azure,amazon,github
+	// Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+	// It can be of one of these values: default,google,azure,amazon,github.
 	// +kubebuilder:validation:Optional
 	Providers []ImageRegistryCredentialsProvidersType `json:"providers,omitempty" yaml:"providers,omitempty"`
 
-	// Secrets specifies a list of secrets that are provided for credentials
-	// Secrets must live in the Kyverno namespace
+	// Secrets specifies a list of secrets that are provided for credentials.
+	// Secrets must live in the Kyverno namespace.
 	// +kubebuilder:validation:Optional
 	Secrets []string `json:"secrets,omitempty" yaml:"secrets,omitempty"`
 }

config/crds/kyverno.io_cleanuppolicies.yaml

@@ -226,12 +226,12 @@ spec:
                           properties:
                             allowInsecureRegistry:
                               description: AllowInsecureRegistry allows insecure access
-                                to a registry
+                                to a registry.
                               type: boolean
                             providers:
                               description: 'Providers specifies a list of OCI Registry
-                                names, whose authentication providers are provided
-                                It can be of one of these values: default,google,azure,amazon,github'
+                                names, whose authentication providers are provided.
+                                It can be of one of these values: default,google,azure,amazon,github.'
                               items:
                                 description: ImageRegistryCredentialsProvidersType
                                   provides the list of credential providers required.
@@ -245,8 +245,8 @@ spec:
                               type: array
                             secrets:
                               description: Secrets specifies a list of secrets that
-                                are provided for credentials Secrets must live in
-                                the Kyverno namespace
+                                are provided for credentials. Secrets must live in
+                                the Kyverno namespace.
                               items:
                                 type: string
                               type: array
@@ -1467,12 +1467,12 @@ spec:
                           properties:
                             allowInsecureRegistry:
                               description: AllowInsecureRegistry allows insecure access
-                                to a registry
+                                to a registry.
                               type: boolean
                             providers:
                               description: 'Providers specifies a list of OCI Registry
-                                names, whose authentication providers are provided
-                                It can be of one of these values: default,google,azure,amazon,github'
+                                names, whose authentication providers are provided.
+                                It can be of one of these values: default,google,azure,amazon,github.'
                               items:
                                 description: ImageRegistryCredentialsProvidersType
                                   provides the list of credential providers required.
@@ -1486,8 +1486,8 @@ spec:
                               type: array
                             secrets:
                               description: Secrets specifies a list of secrets that
-                                are provided for credentials Secrets must live in
-                                the Kyverno namespace
+                                are provided for credentials. Secrets must live in
+                                the Kyverno namespace.
                               items:
                                 type: string
                               type: array

config/crds/kyverno.io_clustercleanuppolicies.yaml

@@ -226,12 +226,12 @@ spec:
                           properties:
                             allowInsecureRegistry:
                               description: AllowInsecureRegistry allows insecure access
-                                to a registry
+                                to a registry.
                               type: boolean
                             providers:
                               description: 'Providers specifies a list of OCI Registry
-                                names, whose authentication providers are provided
-                                It can be of one of these values: default,google,azure,amazon,github'
+                                names, whose authentication providers are provided.
+                                It can be of one of these values: default,google,azure,amazon,github.'
                               items:
                                 description: ImageRegistryCredentialsProvidersType
                                   provides the list of credential providers required.
@@ -245,8 +245,8 @@ spec:
                               type: array
                             secrets:
                               description: Secrets specifies a list of secrets that
-                                are provided for credentials Secrets must live in
-                                the Kyverno namespace
+                                are provided for credentials. Secrets must live in
+                                the Kyverno namespace.
                               items:
                                 type: string
                               type: array
@@ -1467,12 +1467,12 @@ spec:
                           properties:
                             allowInsecureRegistry:
                               description: AllowInsecureRegistry allows insecure access
-                                to a registry
+                                to a registry.
                               type: boolean
                             providers:
                               description: 'Providers specifies a list of OCI Registry
-                                names, whose authentication providers are provided
-                                It can be of one of these values: default,google,azure,amazon,github'
+                                names, whose authentication providers are provided.
+                                It can be of one of these values: default,google,azure,amazon,github.'
                               items:
                                 description: ImageRegistryCredentialsProvidersType
                                   provides the list of credential providers required.
@@ -1486,8 +1486,8 @@ spec:
                               type: array
                             secrets:
                               description: Secrets specifies a list of secrets that
-                                are provided for credentials Secrets must live in
-                                the Kyverno namespace
+                                are provided for credentials. Secrets must live in
+                                the Kyverno namespace.
                               items:
                                 type: string
                               type: array

docs/user/crd/index.html

@@ -792,7 +792,7 @@ string
 </em>
 </td>
 <td>
-<p>Attestors specify the required attestors (i.e. authorities)</p>
+<p>Attestors specify the required attestors (i.e. authorities).</p>
 </td>
 </tr>
 <tr>
@@ -838,7 +838,7 @@ StaticKeyAttestor
 </em>
 </td>
 <td>
-<p>Keys specifies one or more public keys</p>
+<p>Keys specifies one or more public keys.</p>
 </td>
 </tr>
 <tr>
@@ -851,7 +851,7 @@ CertificateAttestor
 </em>
 </td>
 <td>
-<p>Certificates specifies one or more certificates</p>
+<p>Certificates specifies one or more certificates.</p>
 </td>
 </tr>
 <tr>
@@ -878,7 +878,7 @@ Kubernetes apiextensions/v1.JSON
 </em>
 </td>
 <td>
-<p>Attestor is a nested AttestorSet used to specify a more complex set of match authorities</p>
+<p>Attestor is a nested set of Attestor used to specify a more complex set of match authorities.</p>
 </td>
 </tr>
 <tr>
@@ -1109,7 +1109,8 @@ bool
 </em>
 </td>
 <td>
-<p>IgnoreSCT requires that a certificate contain an embedded SCT during verification.</p>
+<p>IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+timestamp. Default is false. Set to true if this was opted out during signing.</p>
 </td>
 </tr>
 <tr>
@@ -1120,7 +1121,7 @@ string
 </em>
 </td>
 <td>
-<p>CTLogPubKey, if set, is used to validate SCTs against those keys.</p>
+<p>PubKey, if set, is used to validate SCTs against a custom source.</p>
 </td>
 </tr>
 </tbody>
@@ -1150,7 +1151,7 @@ string
 </em>
 </td>
 <td>
-<p>Certificate is an optional PEM encoded public certificate.</p>
+<p>Cert is an optional PEM-encoded public certificate.</p>
 </td>
 </tr>
 <tr>
@@ -1161,7 +1162,7 @@ string
 </em>
 </td>
 <td>
-<p>CertificateChain is an optional PEM encoded set of certificates used to verify</p>
+<p>CertChain is an optional PEM encoded set of certificates used to verify.</p>
 </td>
 </tr>
 <tr>
@@ -1188,8 +1189,8 @@ CTLog
 </em>
 </td>
 <td>
-<p>CTLog provides configuration for validation of SCTs.
-If the value is nil, default ctlog public key is used</p>
+<p>CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.</p>
 </td>
 </tr>
 </tbody>
@@ -2085,7 +2086,7 @@ bool
 </em>
 </td>
 <td>
-<p>AllowInsecureRegistry allows insecure access to a registry</p>
+<p>AllowInsecureRegistry allows insecure access to a registry.</p>
 </td>
 </tr>
 <tr>
@@ -2098,8 +2099,8 @@ bool
 </em>
 </td>
 <td>
-<p>Providers specifies a list of OCI Registry names, whose authentication providers are provided
-It can be of one of these values: default,google,azure,amazon,github</p>
+<p>Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+It can be of one of these values: default,google,azure,amazon,github.</p>
 </td>
 </tr>
 <tr>
@@ -2110,8 +2111,8 @@ It can be of one of these values: default,google,azure,amazon,github</p>
 </em>
 </td>
 <td>
-<p>Secrets specifies a list of secrets that are provided for credentials
-Secrets must live in the Kyverno namespace</p>
+<p>Secrets specifies a list of secrets that are provided for credentials.
+Secrets must live in the Kyverno namespace.</p>
 </td>
 </tr>
 </tbody>
@@ -2335,7 +2336,7 @@ ImageRegistryCredentials
 </em>
 </td>
 <td>
-<p>ImageRegistryCredentials provides credentials that will be used for authentication with registry</p>
+<p>ImageRegistryCredentials provides credentials that will be used for authentication with registry.</p>
 </td>
 </tr>
 <tr>
@@ -2346,7 +2347,7 @@ bool
 </em>
 </td>
 <td>
-<p>UseCache enables caching of image verify responses for this rule</p>
+<p>UseCache enables caching of image verify responses for this rule.</p>
 </td>
 </tr>
 </tbody>
@@ -2402,8 +2403,8 @@ CTLog
 </em>
 </td>
 <td>
-<p>CTLog provides configuration for validation of SCTs.
-If the value is nil, default ctlog public key is used</p>
+<p>CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.</p>
 </td>
 </tr>
 <tr>
@@ -2425,7 +2426,7 @@ string
 </em>
 </td>
 <td>
-<p>Subject is the verified identity used for keyless signing, for example the email address</p>
+<p>Subject is the verified identity used for keyless signing, for example the email address.</p>
 </td>
 </tr>
 <tr>
@@ -2969,7 +2970,7 @@ string
 </em>
 </td>
 <td>
-<p>URL is the address of the transparency log. Defaults to the public log <a href="https://rekor.sigstore.dev">https://rekor.sigstore.dev</a>.</p>
+<p>URL is the address of the transparency log. Defaults to the public Rekor log instance <a href="https://rekor.sigstore.dev">https://rekor.sigstore.dev</a>.</p>
 </td>
 </tr>
 <tr>
@@ -2980,8 +2981,8 @@ string
 </em>
 </td>
 <td>
-<p>RekorPubKey is an optional PEM encoded public key to use for a custom Rekor.
-If set, is used to validate signatures on log entries from Rekor.</p>
+<p>RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+If set, this will be used to validate transparency log signatures from a custom Rekor.</p>
 </td>
 </tr>
 <tr>
@@ -2992,7 +2993,7 @@ bool
 </em>
 </td>
 <td>
-<p>IgnoreTlog skip tlog verification</p>
+<p>IgnoreTlog skips transparency log verification.</p>
 </td>
 </tr>
 </tbody>
@@ -3882,7 +3883,7 @@ string
 </em>
 </td>
 <td>
-<p>Specify signature algorithm for public keys. Supported values are sha256 and sha512</p>
+<p>Specify signature algorithm for public keys. Supported values are sha256 and sha512.</p>
 </td>
 </tr>
 <tr>
@@ -3934,8 +3935,8 @@ CTLog
 </em>
 </td>
 <td>
-<p>CTLog provides configuration for validation of SCTs.
-If the value is nil, default ctlog public key is used</p>
+<p>CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.</p>
 </td>
 </tr>
 </tbody>