diff --git a/api/kyverno/v1/image_verification_types.go b/api/kyverno/v1/image_verification_types.go index 4922c3d34a..a5041ed9b2 100644 --- a/api/kyverno/v1/image_verification_types.go +++ b/api/kyverno/v1/image_verification_types.go @@ -96,11 +96,11 @@ type ImageVerification struct { // +kubebuilder:validation:Optional Required bool `json:"required" yaml:"required"` - // ImageRegistryCredentials provides credentials that will be used for authentication with registry + // ImageRegistryCredentials provides credentials that will be used for authentication with registry. // +kubebuilder:validation:Optional ImageRegistryCredentials *ImageRegistryCredentials `json:"imageRegistryCredentials,omitempty" yaml:"imageRegistryCredentials,omitempty"` - // UseCache enables caching of image verify responses for this rule + // UseCache enables caching of image verify responses for this rule. // +kubebuilder:default=true // +kubebuilder:validation:Optional UseCache bool `json:"useCache" yaml:"useCache"` @@ -128,11 +128,11 @@ func (as AttestorSet) RequiredCount() int { } type Attestor struct { - // Keys specifies one or more public keys + // Keys specifies one or more public keys. // +kubebuilder:validation:Optional Keys *StaticKeyAttestor `json:"keys,omitempty" yaml:"keys,omitempty"` - // Certificates specifies one or more certificates + // Certificates specifies one or more certificates. // +kubebuilder:validation:Optional Certificates *CertificateAttestor `json:"certificates,omitempty" yaml:"certificates,omitempty"` @@ -141,7 +141,7 @@ type Attestor struct { // +kubebuilder:validation:Optional Keyless *KeylessAttestor `json:"keyless,omitempty" yaml:"keyless,omitempty"` - // Attestor is a nested AttestorSet used to specify a more complex set of match authorities + // Attestor is a nested set of Attestor used to specify a more complex set of match authorities. // +kubebuilder:validation:Optional Attestor *apiextv1.JSON `json:"attestor,omitempty" yaml:"attestor,omitempty"` 
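Review bot: In the hunk at -141, rewording the Attestor field comment to "a nested set of Attestor" drops the name of the type the value must follow. The field is declared as `*apiextv1.JSON`, so the comment is the only place a policy author learns which schema the blob is expected to match. I would keep the type name, e.g. `// Attestor is a nested AttestorSet used to specify a more complex set of match authorities.` The Attestor struct continues past the end of this hunk.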
@@ -166,7 +166,7 @@ type StaticKeyAttestor struct { // (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. PublicKeys string `json:"publicKeys,omitempty" yaml:"publicKeys,omitempty"` - // Specify signature algorithm for public keys. Supported values are sha256 and sha512 + // Specify signature algorithm for public keys. Supported values are sha256 and sha512. // +kubebuilder:default=sha256 SignatureAlgorithm string `json:"signatureAlgorithm,omitempty" yaml:"signatureAlgorithm,omitempty"` @@ -182,8 +182,8 @@ type StaticKeyAttestor struct { // +kubebuilder:validation:Optional Rekor *Rekor `json:"rekor,omitempty" yaml:"rekor,omitempty"` - // CTLog provides configuration for validation of SCTs. - // If the value is nil, default ctlog public key is used + // CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + // Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. // +kubebuilder:validation:Optional CTLog *CTLog `json:"ctlog,omitempty" yaml:"ctlog,omitempty"` } @@ -197,11 +197,11 @@ type SecretReference struct { } type CertificateAttestor struct { - // Certificate is an optional PEM encoded public certificate. + // Cert is an optional PEM-encoded public certificate. // +kubebuilder:validation:Optional Certificate string `json:"cert,omitempty" yaml:"cert,omitempty"` - // CertificateChain is an optional PEM encoded set of certificates used to verify + // CertChain is an optional PEM encoded set of certificates used to verify. // +kubebuilder:validation:Optional CertificateChain string `json:"certChain,omitempty" yaml:"certChain,omitempty"` 
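Review bot: The new CTLog comment in StaticKeyAttestor (hunk at -182) expands the abbreviation as "certificate timestamp log", but CT stands for Certificate Transparency; the SCT is the timestamp that such a log issues. I would write `// CTLog (certificate transparency log) provides a configuration for validation of Signed Certificate Timestamps (SCTs).` The same text is added to CertificateAttestor (hunk at -210) and KeylessAttestor (hunk at -222) and is copied into the generated CRD descriptions, so all three need the fix. The replacement sentence "the default behavior by Cosign is used" also tells the reader less than the removed one, which said the default ctlog public key is used when the field is unset; consider keeping that detail.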
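Review bot: The CertChain comment in CertificateAttestor (hunk at -197) is still an unfinished sentence: "used to verify." gains a period but never says what is verified. Something like `// CertificateChain is an optional PEM-encoded set of certificates used to verify the signing certificate.` would close it, assuming that is what the chain is checked against, which the hunk does not show. The two comments now open with the JSON names (Cert, CertChain) while the Go fields are Certificate and CertificateChain, and RekorPubKey elsewhere in this file keeps the Go name; pick one convention, preferably the Go identifier so godoc and linters agree. "PEM encoded" on the CertChain line should also become "PEM-encoded" to match the Cert line.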
@@ -210,8 +210,8 @@ type CertificateAttestor struct { // +kubebuilder:validation:Optional Rekor *Rekor `json:"rekor,omitempty" yaml:"rekor,omitempty"` - // CTLog provides configuration for validation of SCTs. - // If the value is nil, default ctlog public key is used + // CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + // Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. // +kubebuilder:validation:Optional CTLog *CTLog `json:"ctlog,omitempty" yaml:"ctlog,omitempty"` } @@ -222,8 +222,8 @@ type KeylessAttestor struct { // +kubebuilder:validation:Optional Rekor *Rekor `json:"rekor,omitempty" yaml:"rekor,omitempty"` - // CTLog provides configuration for validation of SCTs. - // If the value is nil, default ctlog public key is used + // CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + // Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. // +kubebuilder:validation:Optional CTLog *CTLog `json:"ctlog,omitempty" yaml:"ctlog,omitempty"` @@ -231,7 +231,7 @@ type KeylessAttestor struct { // +kubebuilder:validation:Optional Issuer string `json:"issuer,omitempty" yaml:"issuer,omitempty"` - // Subject is the verified identity used for keyless signing, for example the email address + // Subject is the verified identity used for keyless signing, for example the email address. // +kubebuilder:validation:Optional Subject string `json:"subject,omitempty" yaml:"subject,omitempty"` 
@@ -246,27 +246,28 @@ type KeylessAttestor struct { } type Rekor struct { - // URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + // URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev. // +kubebuilder:validation:Required // +kubebuilder:Default:=https://rekor.sigstore.dev URL string `json:"url" yaml:"url"` - // RekorPubKey is an optional PEM encoded public key to use for a custom Rekor. - // If set, is used to validate signatures on log entries from Rekor. + // RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + // If set, this will be used to validate transparency log signatures from a custom Rekor. // +kubebuilder:validation:Optional RekorPubKey string `json:"pubkey,omitempty" yaml:"pubkey,omitempty"` - // IgnoreTlog skip tlog verification + // IgnoreTlog skips transparency log verification. // +kubebuilder:validation:Optional IgnoreTlog bool `json:"ignoreTlog,omitempty" yaml:"ignoreTlog,omitempty"` } type CTLog struct { - // IgnoreSCT requires that a certificate contain an embedded SCT during verification. + // IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + // timestamp. Default is false. Set to true if this was opted out during signing. // +kubebuilder:validation:Optional IgnoreSCT bool `json:"ignoreSCT,omitempty" yaml:"ignoreSCT,omitempty"` - // CTLogPubKey, if set, is used to validate SCTs against those keys. + // PubKey, if set, is used to validate SCTs against a custom source. // +kubebuilder:validation:Optional CTLogPubKey string `json:"pubkey,omitempty" yaml:"pubkey,omitempty"` } 
@@ -283,7 +284,7 @@ type Attestation struct { // +kubebuilder:validation:Optional Type string `json:"type" yaml:"type"` - // Attestors specify the required attestors (i.e. authorities) + // Attestors specify the required attestors (i.e. authorities). // +kubebuilder:validation:Optional Attestors []AttestorSet `json:"attestors" yaml:"attestors"` @@ -294,17 +295,17 @@ type Attestation struct { } type ImageRegistryCredentials struct { - // AllowInsecureRegistry allows insecure access to a registry + // AllowInsecureRegistry allows insecure access to a registry. // +kubebuilder:validation:Optional AllowInsecureRegistry bool `json:"allowInsecureRegistry,omitempty" yaml:"allowInsecureRegistry,omitempty"` - // Providers specifies a list of OCI Registry names, whose authentication providers are provided - // It can be of one of these values: default,google,azure,amazon,github + // Providers specifies a list of OCI Registry names, whose authentication providers are provided. + // It can be of one of these values: default,google,azure,amazon,github. // +kubebuilder:validation:Optional Providers []ImageRegistryCredentialsProvidersType `json:"providers,omitempty" yaml:"providers,omitempty"` - // Secrets specifies a list of secrets that are provided for credentials - // Secrets must live in the Kyverno namespace + // Secrets specifies a list of secrets that are provided for credentials. + // Secrets must live in the Kyverno namespace. // +kubebuilder:validation:Optional Secrets []string `json:"secrets,omitempty" yaml:"secrets,omitempty"` } diff --git a/charts/kyverno/charts/crds/templates/crds.yaml b/charts/kyverno/charts/crds/templates/crds.yaml index 030e0d53db..88ae32e129 100644 --- a/charts/kyverno/charts/crds/templates/crds.yaml +++ b/charts/kyverno/charts/crds/templates/crds.yaml 
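Review bot: In the ImageRegistryCredentials hunk at -294, the AllowInsecureRegistry comment still says only "allows insecure access to a registry", which does not tell a policy author what protection is given up. The implementation is not visible here, so the comment should state what is relaxed and when that is acceptable, for example `// AllowInsecureRegistry allows insecure access to a registry (<what is relaxed: TLS verification and/or plain HTTP>). Leave false outside of test registries.` In the same hunk, "It can be of one of these values" is ungrammatical and the field is a list; `// Each entry must be one of: default, google, azure, amazon, github.` reads more clearly.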
@@ -873,12 +873,12 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure access - to a registry + to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided - It can be of one of these values: default,google,azure,amazon,github' + names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -892,8 +892,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets that - are provided for credentials Secrets must live in - the Kyverno namespace + are provided for credentials. Secrets must live in + the Kyverno namespace. items: type: string type: array @@ -2114,12 +2114,12 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure access - to a registry + to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided - It can be of one of these values: default,google,azure,amazon,github' + names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -2133,8 +2133,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets that - are provided for credentials Secrets must live in - the Kyverno namespace + are provided for credentials. Secrets must live in + the Kyverno namespace. items: type: string type: array 
@@ -4024,12 +4024,12 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure access - to a registry + to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided - It can be of one of these values: default,google,azure,amazon,github' + names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -4043,8 +4043,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets that - are provided for credentials Secrets must live in - the Kyverno namespace + are provided for credentials. Secrets must live in + the Kyverno namespace. items: type: string type: array @@ -5265,12 +5265,12 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure access - to a registry + to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided - It can be of one of these values: default,google,azure,amazon,github' + names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -5284,8 +5284,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets that - are provided for credentials Secrets must live in - the Kyverno namespace + are provided for credentials. Secrets must live in + the Kyverno namespace. items: type: string type: array 
@@ -6577,13 +6577,13 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one of these values: - default,google,azure,amazon,github' + are provided. It can be of one of these values: + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -6598,8 +6598,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets must - live in the Kyverno namespace + that are provided for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -8276,14 +8276,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -8298,8 +8298,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array 
@@ -8609,14 +8609,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -8631,8 +8631,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -9164,14 +9164,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -9186,8 +9186,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array 
@@ -9421,38 +9421,42 @@ spec: key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities + description: Attestor is a nested set of + Attestor used to specify a more complex + set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one - or more certificates + or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify + description: CertChain is an optional + PEM encoded set of certificates used + to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -9463,20 +9467,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -9495,20 +9500,24 @@ spec: signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -9523,20 +9532,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -9550,28 +9560,32 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -9606,20 +9620,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -9645,7 +9660,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -9816,7 +9831,7 @@ spec: properties: attestors: description: Attestors specify the required attestors - (i.e. authorities) + (i.e. authorities). items: properties: count: 
@@ -9847,38 +9862,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -9890,21 +9911,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -9923,20 +9945,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -9952,21 +9980,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -9980,28 +10009,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -10040,21 +10075,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -10081,7 +10117,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: 
@@ -10262,38 +10298,42 @@ spec: pairs. type: object attestor: - description: Attestor is a nested AttestorSet + description: Attestor is a nested set of Attestor used to specify a more complex set of match - authorities + authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one or - more certificates + more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an optional + description: CertChain is an optional PEM encoded set of certificates used - to verify + to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object rekor: 
@@ -10304,20 +10344,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -10336,20 +10376,24 @@ spec: signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object issuer: 
@@ -10364,20 +10408,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -10391,28 +10435,32 @@ spec: subject: description: Subject is the verified identity used for keyless signing, for example - the email address + the email address. type: string type: object keys: description: Keys specifies one or more public - keys + keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object kms: 
@@ -10446,20 +10494,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -10485,7 +10533,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values are - sha256 and sha512 + sha256 and sha512. type: string type: object repository: @@ -10515,16 +10563,16 @@ spec: type: array imageRegistryCredentials: description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry + that will be used for authentication with registry. properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided - It can be of one of these values: default,google,azure,amazon,github' + names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. 
@@ -10538,8 +10586,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets that - are provided for credentials Secrets must live in - the Kyverno namespace + are provided for credentials. Secrets must live + in the Kyverno namespace. items: type: string type: array @@ -10586,7 +10634,7 @@ spec: useCache: default: true description: UseCache enables caching of image verify - responses for this rule + responses for this rule. type: boolean verifyDigest: default: true @@ -10860,13 +10908,13 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication - providers are provided It can be of one - of these values: default,google,azure,amazon,github' + providers are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -10881,8 +10929,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets - must live in the Kyverno namespace + that are provided for credentials. Secrets + must live in the Kyverno namespace. items: type: string type: array @@ -12636,14 +12684,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential 
@@ -12659,8 +12707,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -12984,14 +13032,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -13007,8 +13055,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -13569,14 +13617,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -13592,8 +13640,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -13836,38 +13884,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -13879,21 +13933,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -13912,20 +13967,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -13941,21 +14002,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -13969,28 +14031,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -14029,21 +14097,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -14070,7 +14139,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -14245,7 +14314,7 @@ spec: properties: attestors: description: Attestors specify the required - attestors (i.e. authorities) + attestors (i.e. authorities). items: properties: count: 
@@ -14279,41 +14348,46 @@ spec: type: object attestor: description: Attestor is a nested - AttestorSet used to specify a - more complex set of match authorities + set of Attestor used to specify + a more complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is - an optional PEM encoded public - certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain - is an optional PEM encoded - set of certificates used to - verify + description: CertChain is an + optional PEM encoded set of + certificates used to verify. type: string ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object rekor: 
@@ -14327,21 +14401,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -14360,22 +14436,29 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object issuer: 
@@ -14393,21 +14476,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -14423,30 +14508,37 @@ spec: description: Subject is the verified identity used for keyless signing, for example - the email address + the email address. type: string type: object keys: description: Keys specifies one - or more public keys + or more public keys. properties: ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object kms: 
@@ -14489,21 +14581,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -14532,7 +14626,7 @@ spec: description: Specify signature algorithm for public keys. Supported values are sha256 - and sha512 + and sha512. type: string type: object repository: 
@@ -14719,38 +14813,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities + description: Attestor is a nested set + of Attestor used to specify a more complex + set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one - or more certificates + or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -14761,21 +14861,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -14794,20 +14895,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -14822,21 +14929,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -14850,28 +14958,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -14908,21 +15022,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -14949,7 +15064,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -14980,17 +15095,17 @@ spec: type: array imageRegistryCredentials: description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry + that will be used for authentication with registry. properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one of these values: - default,google,azure,amazon,github' + are provided. It can be of one of these values: + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -15005,8 +15120,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets must - live in the Kyverno namespace + that are provided for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -15053,7 +15168,7 @@ spec: useCache: default: true description: UseCache enables caching of image verify - responses for this rule + responses for this rule. type: boolean verifyDigest: default: true @@ -15439,13 +15554,13 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one of these values: - default,google,azure,amazon,github' + are provided. It can be of one of these values: + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -15460,8 +15575,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets must - live in the Kyverno namespace + that are provided for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -16712,14 +16827,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -16734,8 +16849,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array 
@@ -17045,14 +17160,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -17067,8 +17182,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -17779,14 +17894,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -17801,8 +17916,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array 
@@ -18036,38 +18151,42 @@ spec: key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities + description: Attestor is a nested set of + Attestor used to specify a more complex + set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one - or more certificates + or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify + description: CertChain is an optional + PEM encoded set of certificates used + to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -18078,20 +18197,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -18110,20 +18230,24 @@ spec: signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -18138,20 +18262,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -18165,28 +18290,32 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -18221,20 +18350,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -18260,7 +18390,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -18420,7 +18550,7 @@ spec: properties: attestors: description: Attestors specify the required attestors - (i.e. authorities) + (i.e. authorities). items: properties: count: 
@@ -18451,38 +18581,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -18494,21 +18630,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -18527,20 +18664,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -18556,21 +18699,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -18584,28 +18728,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -18644,21 +18794,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -18685,7 +18836,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: 
@@ -18866,38 +19017,42 @@ spec: pairs. type: object attestor: - description: Attestor is a nested AttestorSet + description: Attestor is a nested set of Attestor used to specify a more complex set of match - authorities + authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one or - more certificates + more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an optional + description: CertChain is an optional PEM encoded set of certificates used - to verify + to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object rekor: 
@@ -18908,20 +19063,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -18940,20 +19095,24 @@ spec: signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object issuer: 
@@ -18968,20 +19127,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -18995,28 +19154,32 @@ spec: subject: description: Subject is the verified identity used for keyless signing, for example - the email address + the email address. type: string type: object keys: description: Keys specifies one or more public - keys + keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object kms: 
@@ -19050,20 +19213,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -19089,7 +19252,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values are - sha256 and sha512 + sha256 and sha512. type: string type: object repository: @@ -19120,12 +19283,12 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided - It can be of one of these values: default,google,azure,amazon,github' + names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -19139,8 +19302,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets that - are provided for credentials Secrets must live in - the Kyverno namespace + are provided for credentials. Secrets must live + in the Kyverno namespace. items: type: string type: array 
@@ -19449,13 +19612,13 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication - providers are provided It can be of one - of these values: default,google,azure,amazon,github' + providers are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -19470,8 +19633,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets - must live in the Kyverno namespace + that are provided for credentials. Secrets + must live in the Kyverno namespace. items: type: string type: array @@ -21225,14 +21388,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -21248,8 +21411,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -21573,14 +21736,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -21596,8 +21759,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -22158,14 +22321,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -22181,8 +22344,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -22425,38 +22588,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -22468,21 +22637,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -22501,20 +22671,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -22530,21 +22706,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -22558,28 +22735,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -22618,21 +22801,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -22659,7 +22843,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -22834,7 +23018,7 @@ spec: properties: attestors: description: Attestors specify the required - attestors (i.e. authorities) + attestors (i.e. authorities). items: properties: count: 
@@ -22868,41 +23052,46 @@ spec: type: object attestor: description: Attestor is a nested - AttestorSet used to specify a - more complex set of match authorities + set of Attestor used to specify + a more complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is - an optional PEM encoded public - certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain - is an optional PEM encoded - set of certificates used to - verify + description: CertChain is an + optional PEM encoded set of + certificates used to verify. type: string ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object rekor: 
@@ -22916,21 +23105,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -22949,22 +23140,29 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object issuer: 
@@ -22982,21 +23180,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -23012,30 +23212,37 @@ spec: description: Subject is the verified identity used for keyless signing, for example - the email address + the email address. type: string type: object keys: description: Keys specifies one - or more public keys + or more public keys. properties: ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object kms: 
@@ -23078,21 +23285,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -23121,7 +23330,7 @@ spec: description: Specify signature algorithm for public keys. Supported values are sha256 - and sha512 + and sha512. type: string type: object repository: 
@@ -23308,38 +23517,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities + description: Attestor is a nested set + of Attestor used to specify a more complex + set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one - or more certificates + or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object rekor: 
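Review bot: The certChain description now ends in a full stop, but the sentence is still unfinished: "used to verify." does not say what the chain verifies. It also keeps "PEM encoded", while the cert field directly above was changed to "PEM-encoded". Assuming the chain is what the signing certificate is validated against, `CertChain is an optional PEM-encoded set of certificates used to verify the certificate.` would close both gaps; the object of "verify" should be confirmed against the implementation before adopting it. The same text appears in the certificates hunks at old lines 26899, 27325, 27740 and 31315.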
@@ -23350,21 +23565,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -23383,20 +23599,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -23411,21 +23633,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -23439,28 +23662,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -23497,21 +23726,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -23538,7 +23768,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -23569,17 +23799,17 @@ spec: type: array imageRegistryCredentials: description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry + that will be used for authentication with registry. properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one of these values: - default,google,azure,amazon,github' + are provided. It can be of one of these values: + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -23594,8 +23824,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets must - live in the Kyverno namespace + that are provided for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
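Review bot: In the imageRegistryCredentials hunk (old line 23569) the allowInsecureRegistry description only gains a full stop and still does not say what "insecure" covers. Someone deciding whether to enable it needs to know whether it permits plain HTTP, skips TLS certificate verification, or both, since the credentials configured under `secrets` or `providers` may then be sent over that connection. I would add one sentence to the description naming the exact behaviour, once it is confirmed from the implementation. The identical description recurs in the later imageRegistryCredentials hunks, starting with old lines 24055, 25754, 26087 and 26642.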
@@ -23642,7 +23872,7 @@ spec: useCache: default: true description: UseCache enables caching of image verify - responses for this rule + responses for this rule. type: boolean verifyDigest: default: true @@ -24055,13 +24285,13 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one of these values: - default,google,azure,amazon,github' + are provided. It can be of one of these values: + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -24076,8 +24306,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets must - live in the Kyverno namespace + that are provided for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -25754,14 +25984,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -25776,8 +26006,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array 
@@ -26087,14 +26317,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -26109,8 +26339,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -26642,14 +26872,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -26664,8 +26894,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array 
@@ -26899,38 +27129,42 @@ spec: key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities + description: Attestor is a nested set of + Attestor used to specify a more complex + set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one - or more certificates + or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify + description: CertChain is an optional + PEM encoded set of certificates used + to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -26941,20 +27175,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -26973,20 +27208,24 @@ spec: signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -27001,20 +27240,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -27028,28 +27268,32 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -27084,20 +27328,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -27123,7 +27368,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -27294,7 +27539,7 @@ spec: properties: attestors: description: Attestors specify the required attestors - (i.e. authorities) + (i.e. authorities). items: properties: count: 
@@ -27325,38 +27570,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -27368,21 +27619,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -27401,20 +27653,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -27430,21 +27688,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -27458,28 +27717,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -27518,21 +27783,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -27559,7 +27825,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: 
@@ -27740,38 +28006,42 @@ spec: pairs. type: object attestor: - description: Attestor is a nested AttestorSet + description: Attestor is a nested set of Attestor used to specify a more complex set of match - authorities + authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one or - more certificates + more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an optional + description: CertChain is an optional PEM encoded set of certificates used - to verify + to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object rekor: 
@@ -27782,20 +28052,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -27814,20 +28084,24 @@ spec: signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object issuer: 
@@ -27842,20 +28116,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -27869,28 +28143,32 @@ spec: subject: description: Subject is the verified identity used for keyless signing, for example - the email address + the email address. type: string type: object keys: description: Keys specifies one or more public - keys + keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object kms: 
@@ -27924,20 +28202,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -27963,7 +28241,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values are - sha256 and sha512 + sha256 and sha512. type: string type: object repository: @@ -27993,16 +28271,16 @@ spec: type: array imageRegistryCredentials: description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry + that will be used for authentication with registry. properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided - It can be of one of these values: default,google,azure,amazon,github' + names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. 
@@ -28016,8 +28294,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets that - are provided for credentials Secrets must live in - the Kyverno namespace + are provided for credentials. Secrets must live + in the Kyverno namespace. items: type: string type: array @@ -28064,7 +28342,7 @@ spec: useCache: default: true description: UseCache enables caching of image verify - responses for this rule + responses for this rule. type: boolean verifyDigest: default: true @@ -28339,13 +28617,13 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication - providers are provided It can be of one - of these values: default,google,azure,amazon,github' + providers are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -28360,8 +28638,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets - must live in the Kyverno namespace + that are provided for credentials. Secrets + must live in the Kyverno namespace. items: type: string type: array @@ -30115,14 +30393,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential 
@@ -30138,8 +30416,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -30463,14 +30741,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -30486,8 +30764,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -31048,14 +31326,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -31071,8 +31349,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -31315,38 +31593,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object rekor: 
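Review bot: The new `ctlog` description in this hunk expands CTLog as "certificate timestamp log", but SCTs are issued by a Certificate Transparency log, so the text should read `CTLog (Certificate Transparency log) provides a configuration for validation of Signed Certificate Timestamps (SCTs).` The reworded `ignoreSCT` description says when to set the flag but not what is given up; I would append `Setting this to true skips SCT validation, so the certificate is not checked for inclusion in a Certificate Transparency log.` The `ignoreTlog` description in the neighbouring rekor hunks could carry the same kind of one-line caveat. This file looks like generated CRD output, so the wording would have to change in the Go field comments and be regenerated. The same two descriptions repeat in every later `ctlog` hunk on this page.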
@@ -31358,21 +31642,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -31391,20 +31676,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -31420,21 +31711,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -31448,28 +31740,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -31508,21 +31806,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -31549,7 +31848,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -31724,7 +32023,7 @@ spec: properties: attestors: description: Attestors specify the required - attestors (i.e. authorities) + attestors (i.e. authorities). items: properties: count: 
@@ -31758,41 +32057,46 @@ spec: type: object attestor: description: Attestor is a nested - AttestorSet used to specify a - more complex set of match authorities + set of Attestor used to specify + a more complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is - an optional PEM encoded public - certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain - is an optional PEM encoded - set of certificates used to - verify + description: CertChain is an + optional PEM encoded set of + certificates used to verify. type: string ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object rekor: 
@@ -31806,21 +32110,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -31839,22 +32145,29 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object issuer: 
@@ -31872,21 +32185,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -31902,30 +32217,37 @@ spec: description: Subject is the verified identity used for keyless signing, for example - the email address + the email address. type: string type: object keys: description: Keys specifies one - or more public keys + or more public keys. properties: ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object kms: 
@@ -31968,21 +32290,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -32011,7 +32335,7 @@ spec: description: Specify signature algorithm for public keys. Supported values are sha256 - and sha512 + and sha512. type: string type: object repository: 
@@ -32198,38 +32522,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities + description: Attestor is a nested set + of Attestor used to specify a more complex + set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one - or more certificates + or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -32240,21 +32570,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -32273,20 +32604,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -32301,21 +32638,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -32329,28 +32667,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -32387,21 +32731,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -32428,7 +32773,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -32459,17 +32804,17 @@ spec: type: array imageRegistryCredentials: description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry + that will be used for authentication with registry. properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one of these values: - default,google,azure,amazon,github' + are provided. It can be of one of these values: + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -32484,8 +32829,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets must - live in the Kyverno namespace + that are provided for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -32532,7 +32877,7 @@ spec: useCache: default: true description: UseCache enables caching of image verify - responses for this rule + responses for this rule. type: boolean verifyDigest: default: true @@ -32919,13 +33264,13 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one of these values: - default,google,azure,amazon,github' + are provided. It can be of one of these values: + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -32940,8 +33285,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets must - live in the Kyverno namespace + that are provided for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -34192,14 +34537,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -34214,8 +34559,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array 
@@ -34525,14 +34870,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -34547,8 +34892,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -35259,14 +35604,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -35281,8 +35626,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array 
@@ -35516,38 +35861,42 @@ spec: key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities + description: Attestor is a nested set of + Attestor used to specify a more complex + set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one - or more certificates + or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify + description: CertChain is an optional + PEM encoded set of certificates used + to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -35558,20 +35907,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -35590,20 +35940,24 @@ spec: signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -35618,20 +35972,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -35645,28 +36000,32 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -35701,20 +36060,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -35740,7 +36100,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -35900,7 +36260,7 @@ spec: properties: attestors: description: Attestors specify the required attestors - (i.e. authorities) + (i.e. authorities). items: properties: count: 
@@ -35931,38 +36291,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -35974,21 +36340,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -36007,20 +36374,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -36036,21 +36409,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -36064,28 +36438,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -36124,21 +36504,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -36165,7 +36546,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: 
@@ -36346,38 +36727,42 @@ spec: pairs. type: object attestor: - description: Attestor is a nested AttestorSet + description: Attestor is a nested set of Attestor used to specify a more complex set of match - authorities + authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one or - more certificates + more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an optional + description: CertChain is an optional PEM encoded set of certificates used - to verify + to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object rekor: 
@@ -36388,20 +36773,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -36420,20 +36805,24 @@ spec: signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object issuer: 
@@ -36448,20 +36837,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -36475,28 +36864,32 @@ spec: subject: description: Subject is the verified identity used for keyless signing, for example - the email address + the email address. type: string type: object keys: description: Keys specifies one or more public - keys + keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object kms: 
@@ -36530,20 +36923,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -36569,7 +36962,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values are - sha256 and sha512 + sha256 and sha512. type: string type: object repository: @@ -36600,12 +36993,12 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided - It can be of one of these values: default,google,azure,amazon,github' + names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -36619,8 +37012,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets that - are provided for credentials Secrets must live in - the Kyverno namespace + are provided for credentials. Secrets must live + in the Kyverno namespace. items: type: string type: array 
@@ -36929,13 +37322,13 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication - providers are provided It can be of one - of these values: default,google,azure,amazon,github' + providers are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -36950,8 +37343,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets - must live in the Kyverno namespace + that are provided for credentials. Secrets + must live in the Kyverno namespace. items: type: string type: array @@ -38705,14 +39098,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -38728,8 +39121,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -39053,14 +39446,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -39076,8 +39469,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -39638,14 +40031,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -39661,8 +40054,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -39905,38 +40298,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -39948,21 +40347,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -39981,20 +40381,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -40010,21 +40416,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -40038,28 +40445,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -40098,21 +40511,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -40139,7 +40553,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -40314,7 +40728,7 @@ spec: properties: attestors: description: Attestors specify the required - attestors (i.e. authorities) + attestors (i.e. authorities). items: properties: count: 
@@ -40348,41 +40762,46 @@ spec: type: object attestor: description: Attestor is a nested - AttestorSet used to specify a - more complex set of match authorities + set of Attestor used to specify + a more complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is - an optional PEM encoded public - certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain - is an optional PEM encoded - set of certificates used to - verify + description: CertChain is an + optional PEM encoded set of + certificates used to verify. type: string ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object rekor: 
@@ -40396,21 +40815,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -40429,22 +40850,29 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object issuer: 
@@ -40462,21 +40890,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -40492,30 +40922,37 @@ spec: description: Subject is the verified identity used for keyless signing, for example - the email address + the email address. type: string type: object keys: description: Keys specifies one - or more public keys + or more public keys. properties: ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object kms: 
@@ -40558,21 +40995,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -40601,7 +41040,7 @@ spec: description: Specify signature algorithm for public keys. Supported values are sha256 - and sha512 + and sha512. type: string type: object repository: 
@@ -40788,38 +41227,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities + description: Attestor is a nested set + of Attestor used to specify a more complex + set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one - or more certificates + or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -40830,21 +41275,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -40863,20 +41309,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -40891,21 +41343,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -40919,28 +41372,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -40977,21 +41436,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -41018,7 +41478,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -41049,17 +41509,17 @@ spec: type: array imageRegistryCredentials: description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry + that will be used for authentication with registry. properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one of these values: - default,google,azure,amazon,github' + are provided. It can be of one of these values: + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -41074,8 +41534,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets must - live in the Kyverno namespace + that are provided for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -41122,7 +41582,7 @@ spec: useCache: default: true description: UseCache enables caching of image verify - responses for this rule + responses for this rule. type: boolean verifyDigest: default: true diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml index cf66c9ecea..2b6b88b169 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml @@ -271,13 +271,13 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one of these values: - default,google,azure,amazon,github' + are provided. It can be of one of these values: + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -292,8 +292,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets must - live in the Kyverno namespace + that are provided for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -1970,14 +1970,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential 
@@ -1992,8 +1992,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -2303,14 +2303,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -2325,8 +2325,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -2858,14 +2858,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential 
@@ -2880,8 +2880,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array 
@@ -3115,38 +3115,42 @@ spec: key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities + description: Attestor is a nested set of + Attestor used to specify a more complex + set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one - or more certificates + or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify + description: CertChain is an optional + PEM encoded set of certificates used + to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -3157,20 +3161,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -3189,20 +3194,24 @@ spec: signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -3217,20 +3226,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -3244,28 +3254,32 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -3300,20 +3314,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -3339,7 +3354,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -3510,7 +3525,7 @@ spec: properties: attestors: description: Attestors specify the required attestors - (i.e. authorities) + (i.e. authorities). items: properties: count: 
@@ -3541,38 +3556,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -3584,21 +3605,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -3617,20 +3639,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -3646,21 +3674,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -3674,28 +3703,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -3734,21 +3769,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -3775,7 +3811,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: 
@@ -3956,38 +3992,42 @@ spec: pairs. type: object attestor: - description: Attestor is a nested AttestorSet + description: Attestor is a nested set of Attestor used to specify a more complex set of match - authorities + authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one or - more certificates + more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an optional + description: CertChain is an optional PEM encoded set of certificates used - to verify + to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object rekor: 
@@ -3998,20 +4038,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -4030,20 +4070,24 @@ spec: signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object issuer: 
@@ -4058,20 +4102,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -4085,28 +4129,32 @@ spec: subject: description: Subject is the verified identity used for keyless signing, for example - the email address + the email address. type: string type: object keys: description: Keys specifies one or more public - keys + keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object kms: 
@@ -4140,20 +4188,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -4179,7 +4227,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values are - sha256 and sha512 + sha256 and sha512. type: string type: object repository: @@ -4209,16 +4257,16 @@ spec: type: array imageRegistryCredentials: description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry + that will be used for authentication with registry. properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided - It can be of one of these values: default,google,azure,amazon,github' + names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. 
@@ -4232,8 +4280,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets that - are provided for credentials Secrets must live in - the Kyverno namespace + are provided for credentials. Secrets must live + in the Kyverno namespace. items: type: string type: array @@ -4280,7 +4328,7 @@ spec: useCache: default: true description: UseCache enables caching of image verify - responses for this rule + responses for this rule. type: boolean verifyDigest: default: true @@ -4554,13 +4602,13 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication - providers are provided It can be of one - of these values: default,google,azure,amazon,github' + providers are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -4575,8 +4623,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets - must live in the Kyverno namespace + that are provided for credentials. Secrets + must live in the Kyverno namespace. items: type: string type: array @@ -6330,14 +6378,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential 
@@ -6353,8 +6401,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -6678,14 +6726,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -6701,8 +6749,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -7263,14 +7311,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -7286,8 +7334,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -7530,38 +7578,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -7573,21 +7627,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -7606,20 +7661,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -7635,21 +7696,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -7663,28 +7725,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -7723,21 +7791,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -7764,7 +7833,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -7939,7 +8008,7 @@ spec: properties: attestors: description: Attestors specify the required - attestors (i.e. authorities) + attestors (i.e. authorities). items: properties: count: 
@@ -7973,41 +8042,46 @@ spec: type: object attestor: description: Attestor is a nested - AttestorSet used to specify a - more complex set of match authorities + set of Attestor used to specify + a more complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is - an optional PEM encoded public - certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain - is an optional PEM encoded - set of certificates used to - verify + description: CertChain is an + optional PEM encoded set of + certificates used to verify. type: string ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object rekor: 
@@ -8021,21 +8095,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -8054,22 +8130,29 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object issuer: 
@@ -8087,21 +8170,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -8117,30 +8202,37 @@ spec: description: Subject is the verified identity used for keyless signing, for example - the email address + the email address. type: string type: object keys: description: Keys specifies one - or more public keys + or more public keys. properties: ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object kms: 
@@ -8183,21 +8275,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -8226,7 +8320,7 @@ spec: description: Specify signature algorithm for public keys. Supported values are sha256 - and sha512 + and sha512. type: string type: object repository: 
@@ -8413,38 +8507,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities + description: Attestor is a nested set + of Attestor used to specify a more complex + set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one - or more certificates + or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -8455,21 +8555,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -8488,20 +8589,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -8516,21 +8623,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -8544,28 +8652,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -8602,21 +8716,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -8643,7 +8758,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -8674,17 +8789,17 @@ spec: type: array imageRegistryCredentials: description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry + that will be used for authentication with registry. properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one of these values: - default,google,azure,amazon,github' + are provided. It can be of one of these values: + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -8699,8 +8814,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets must - live in the Kyverno namespace + that are provided for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -8747,7 +8862,7 @@ spec: useCache: default: true description: UseCache enables caching of image verify - responses for this rule + responses for this rule. type: boolean verifyDigest: default: true @@ -9133,13 +9248,13 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one of these values: - default,google,azure,amazon,github' + are provided. It can be of one of these values: + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -9154,8 +9269,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets must - live in the Kyverno namespace + that are provided for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -10406,14 +10521,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -10428,8 +10543,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array 
@@ -10739,14 +10854,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -10761,8 +10876,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -11473,14 +11588,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -11495,8 +11610,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array 
@@ -11730,38 +11845,42 @@ spec: key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities + description: Attestor is a nested set of + Attestor used to specify a more complex + set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one - or more certificates + or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify + description: CertChain is an optional + PEM encoded set of certificates used + to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -11772,20 +11891,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -11804,20 +11924,24 @@ spec: signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -11832,20 +11956,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -11859,28 +11984,32 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -11915,20 +12044,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -11954,7 +12084,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -12114,7 +12244,7 @@ spec: properties: attestors: description: Attestors specify the required attestors - (i.e. authorities) + (i.e. authorities). items: properties: count: 
@@ -12145,38 +12275,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -12188,21 +12324,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -12221,20 +12358,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -12250,21 +12393,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -12278,28 +12422,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -12338,21 +12488,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -12379,7 +12530,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: 
@@ -12560,38 +12711,42 @@ spec: pairs. type: object attestor: - description: Attestor is a nested AttestorSet + description: Attestor is a nested set of Attestor used to specify a more complex set of match - authorities + authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one or - more certificates + more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an optional + description: CertChain is an optional PEM encoded set of certificates used - to verify + to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object rekor: 
@@ -12602,20 +12757,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -12634,20 +12789,24 @@ spec: signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object issuer: 
@@ -12662,20 +12821,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -12689,28 +12848,32 @@ spec: subject: description: Subject is the verified identity used for keyless signing, for example - the email address + the email address. type: string type: object keys: description: Keys specifies one or more public - keys + keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object kms: 
@@ -12744,20 +12907,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -12783,7 +12946,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values are - sha256 and sha512 + sha256 and sha512. type: string type: object repository: @@ -12814,12 +12977,12 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided - It can be of one of these values: default,google,azure,amazon,github' + names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -12833,8 +12996,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets that - are provided for credentials Secrets must live in - the Kyverno namespace + are provided for credentials. Secrets must live + in the Kyverno namespace. items: type: string type: array 
@@ -13143,13 +13306,13 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication - providers are provided It can be of one - of these values: default,google,azure,amazon,github' + providers are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -13164,8 +13327,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets - must live in the Kyverno namespace + that are provided for credentials. Secrets + must live in the Kyverno namespace. items: type: string type: array @@ -14919,14 +15082,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -14942,8 +15105,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -15267,14 +15430,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -15290,8 +15453,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -15852,14 +16015,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -15875,8 +16038,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -16119,38 +16282,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -16162,21 +16331,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -16195,20 +16365,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -16224,21 +16400,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -16252,28 +16429,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -16312,21 +16495,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -16353,7 +16537,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -16528,7 +16712,7 @@ spec: properties: attestors: description: Attestors specify the required - attestors (i.e. authorities) + attestors (i.e. authorities). items: properties: count: 
@@ -16562,41 +16746,46 @@ spec: type: object attestor: description: Attestor is a nested - AttestorSet used to specify a - more complex set of match authorities + set of Attestor used to specify + a more complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is - an optional PEM encoded public - certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain - is an optional PEM encoded - set of certificates used to - verify + description: CertChain is an + optional PEM encoded set of + certificates used to verify. type: string ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object rekor: 
@@ -16610,21 +16799,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -16643,22 +16834,29 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object issuer: 
@@ -16676,21 +16874,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -16706,30 +16906,37 @@ spec: description: Subject is the verified identity used for keyless signing, for example - the email address + the email address. type: string type: object keys: description: Keys specifies one - or more public keys + or more public keys. properties: ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object kms: 
@@ -16772,21 +16979,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -16815,7 +17024,7 @@ spec: description: Specify signature algorithm for public keys. Supported values are sha256 - and sha512 + and sha512. type: string type: object repository: 
@@ -17002,38 +17211,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities + description: Attestor is a nested set + of Attestor used to specify a more complex + set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one - or more certificates + or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -17044,21 +17259,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -17077,20 +17293,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -17105,21 +17327,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -17133,28 +17356,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -17191,21 +17420,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -17232,7 +17462,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -17263,17 +17493,17 @@ spec: type: array imageRegistryCredentials: description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry + that will be used for authentication with registry. properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one of these values: - default,google,azure,amazon,github' + are provided. It can be of one of these values: + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -17288,8 +17518,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets must - live in the Kyverno namespace + that are provided for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -17336,7 +17566,7 @@ spec: useCache: default: true description: UseCache enables caching of image verify - responses for this rule + responses for this rule. type: boolean verifyDigest: default: true diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml index 0b00ecb329..f0c8222a15 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml @@ -272,13 +272,13 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one of these values: - default,google,azure,amazon,github' + are provided. It can be of one of these values: + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -293,8 +293,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets must - live in the Kyverno namespace + that are provided for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -1971,14 +1971,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential 
@@ -1993,8 +1993,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -2304,14 +2304,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -2326,8 +2326,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -2859,14 +2859,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential 
@@ -2881,8 +2881,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array 
@@ -3116,38 +3116,42 @@ spec: key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities + description: Attestor is a nested set of + Attestor used to specify a more complex + set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one - or more certificates + or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify + description: CertChain is an optional + PEM encoded set of certificates used + to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object rekor: 
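Review bot: The new `ctlog` description expands CT as "certificate timestamp log", but the CT in CTLog stands for Certificate Transparency; the SCT is the timestamp such a log issues, so the parenthetical should read `CTLog (certificate transparency log)`. The new `ignoreSCT` text in the same block, "defines whether to use the Signed Certificate Timestamp (SCT) log", reads as if `true` enabled the check, while the field name says the opposite. Something like `IgnoreSCT, when true, skips the check that the certificate carries an embedded Signed Certificate Timestamp (SCT). Default is false.` would remove the ambiguity. Both strings repeat in every later `ctlog` block of this file. The schema looks generated from the comments in api/kyverno/v1/image_verification_types.go, so the wording is best corrected there and the CRDs regenerated.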
@@ -3158,20 +3162,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -3190,20 +3195,24 @@ spec: signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object issuer: 
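Review bot: The `ignoreTlog` description in this `rekor` block now says the flag skips transparency log verification, but it gives no default and no hint of what is given up, which matters for a switch that weakens signature verification. A wording such as `IgnoreTlog skips transparency log verification, so a signature is accepted without proof that it was recorded in Rekor. Default is false.` would make that explicit; the default is presumed from the plain boolean type and should be confirmed. The sibling `pubkey` description also still opens with `RekorPubKey`, while the `ctlog` one in this commit was renamed to `PubKey` to match the field. The same text recurs in the other `rekor` blocks of this file.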
@@ -3218,20 +3227,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -3245,28 +3255,32 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -3301,20 +3315,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -3340,7 +3355,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -3511,7 +3526,7 @@ spec: properties: attestors: description: Attestors specify the required attestors - (i.e. authorities) + (i.e. authorities). items: properties: count: 
@@ -3542,38 +3557,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -3585,21 +3606,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -3618,20 +3640,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -3647,21 +3675,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -3675,28 +3704,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -3735,21 +3770,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -3776,7 +3812,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: 
@@ -3957,38 +3993,42 @@ spec: pairs. type: object attestor: - description: Attestor is a nested AttestorSet + description: Attestor is a nested set of Attestor used to specify a more complex set of match - authorities + authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one or - more certificates + more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an optional + description: CertChain is an optional PEM encoded set of certificates used - to verify + to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object rekor: 
@@ -3999,20 +4039,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -4031,20 +4071,24 @@ spec: signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object issuer: 
@@ -4059,20 +4103,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -4086,28 +4130,32 @@ spec: subject: description: Subject is the verified identity used for keyless signing, for example - the email address + the email address. type: string type: object keys: description: Keys specifies one or more public - keys + keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object kms: 
@@ -4141,20 +4189,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -4180,7 +4228,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values are - sha256 and sha512 + sha256 and sha512. type: string type: object repository: @@ -4210,16 +4258,16 @@ spec: type: array imageRegistryCredentials: description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry + that will be used for authentication with registry. properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided - It can be of one of these values: default,google,azure,amazon,github' + names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. 
@@ -4233,8 +4281,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets that - are provided for credentials Secrets must live in - the Kyverno namespace + are provided for credentials. Secrets must live + in the Kyverno namespace. items: type: string type: array @@ -4281,7 +4329,7 @@ spec: useCache: default: true description: UseCache enables caching of image verify - responses for this rule + responses for this rule. type: boolean verifyDigest: default: true @@ -4556,13 +4604,13 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication - providers are provided It can be of one - of these values: default,google,azure,amazon,github' + providers are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -4577,8 +4625,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets - must live in the Kyverno namespace + that are provided for credentials. Secrets + must live in the Kyverno namespace. items: type: string type: array @@ -6332,14 +6380,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential 
@@ -6355,8 +6403,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -6680,14 +6728,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -6703,8 +6751,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -7265,14 +7313,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -7288,8 +7336,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -7532,38 +7580,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -7575,21 +7629,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -7608,20 +7663,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -7637,21 +7698,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -7665,28 +7727,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -7725,21 +7793,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -7766,7 +7835,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -7941,7 +8010,7 @@ spec: properties: attestors: description: Attestors specify the required - attestors (i.e. authorities) + attestors (i.e. authorities). items: properties: count: 
@@ -7975,41 +8044,46 @@ spec: type: object attestor: description: Attestor is a nested - AttestorSet used to specify a - more complex set of match authorities + set of Attestor used to specify + a more complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is - an optional PEM encoded public - certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain - is an optional PEM encoded - set of certificates used to - verify + description: CertChain is an + optional PEM encoded set of + certificates used to verify. type: string ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object rekor: 
@@ -8023,21 +8097,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -8056,22 +8132,29 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object issuer: 
@@ -8089,21 +8172,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -8119,30 +8204,37 @@ spec: description: Subject is the verified identity used for keyless signing, for example - the email address + the email address. type: string type: object keys: description: Keys specifies one - or more public keys + or more public keys. properties: ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object kms: 
@@ -8185,21 +8277,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -8228,7 +8322,7 @@ spec: description: Specify signature algorithm for public keys. Supported values are sha256 - and sha512 + and sha512. type: string type: object repository: 
@@ -8415,38 +8509,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities + description: Attestor is a nested set + of Attestor used to specify a more complex + set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one - or more certificates + or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -8457,21 +8557,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -8490,20 +8591,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -8518,21 +8625,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -8546,28 +8654,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -8604,21 +8718,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -8645,7 +8760,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -8676,17 +8791,17 @@ spec: type: array imageRegistryCredentials: description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry + that will be used for authentication with registry. properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one of these values: - default,google,azure,amazon,github' + are provided. It can be of one of these values: + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -8701,8 +8816,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets must - live in the Kyverno namespace + that are provided for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -8749,7 +8864,7 @@ spec: useCache: default: true description: UseCache enables caching of image verify - responses for this rule + responses for this rule. type: boolean verifyDigest: default: true @@ -9136,13 +9251,13 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one of these values: - default,google,azure,amazon,github' + are provided. It can be of one of these values: + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -9157,8 +9272,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets must - live in the Kyverno namespace + that are provided for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -10409,14 +10524,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -10431,8 +10546,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array 
@@ -10742,14 +10857,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -10764,8 +10879,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -11476,14 +11591,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -11498,8 +11613,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array 
@@ -11733,38 +11848,42 @@ spec: key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities + description: Attestor is a nested set of + Attestor used to specify a more complex + set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one - or more certificates + or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify + description: CertChain is an optional + PEM encoded set of certificates used + to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -11775,20 +11894,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -11807,20 +11927,24 @@ spec: signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -11835,20 +11959,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -11862,28 +11987,32 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -11918,20 +12047,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -11957,7 +12087,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -12117,7 +12247,7 @@ spec: properties: attestors: description: Attestors specify the required attestors - (i.e. authorities) + (i.e. authorities). items: properties: count: 
@@ -12148,38 +12278,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -12191,21 +12327,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -12224,20 +12361,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -12253,21 +12396,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -12281,28 +12425,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -12341,21 +12491,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -12382,7 +12533,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: 
@@ -12563,38 +12714,42 @@ spec: pairs. type: object attestor: - description: Attestor is a nested AttestorSet + description: Attestor is a nested set of Attestor used to specify a more complex set of match - authorities + authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one or - more certificates + more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an optional + description: CertChain is an optional PEM encoded set of certificates used - to verify + to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object rekor: 
@@ -12605,20 +12760,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -12637,20 +12792,24 @@ spec: signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object issuer: 
@@ -12665,20 +12824,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -12692,28 +12851,32 @@ spec: subject: description: Subject is the verified identity used for keyless signing, for example - the email address + the email address. type: string type: object keys: description: Keys specifies one or more public - keys + keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object kms: 
@@ -12747,20 +12910,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -12786,7 +12949,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values are - sha256 and sha512 + sha256 and sha512. type: string type: object repository: @@ -12817,12 +12980,12 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided - It can be of one of these values: default,google,azure,amazon,github' + names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -12836,8 +12999,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets that - are provided for credentials Secrets must live in - the Kyverno namespace + are provided for credentials. Secrets must live + in the Kyverno namespace. items: type: string type: array 
@@ -13146,13 +13309,13 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication - providers are provided It can be of one - of these values: default,google,azure,amazon,github' + providers are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -13167,8 +13330,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets - must live in the Kyverno namespace + that are provided for credentials. Secrets + must live in the Kyverno namespace. items: type: string type: array @@ -14922,14 +15085,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -14945,8 +15108,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -15270,14 +15433,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -15293,8 +15456,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -15855,14 +16018,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -15878,8 +16041,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -16122,38 +16285,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -16165,21 +16334,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -16198,20 +16368,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -16227,21 +16403,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -16255,28 +16432,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -16315,21 +16498,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -16356,7 +16540,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -16531,7 +16715,7 @@ spec: properties: attestors: description: Attestors specify the required - attestors (i.e. authorities) + attestors (i.e. authorities). items: properties: count: 
@@ -16565,41 +16749,46 @@ spec: type: object attestor: description: Attestor is a nested - AttestorSet used to specify a - more complex set of match authorities + set of Attestor used to specify + a more complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is - an optional PEM encoded public - certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain - is an optional PEM encoded - set of certificates used to - verify + description: CertChain is an + optional PEM encoded set of + certificates used to verify. type: string ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object rekor: 
@@ -16613,21 +16802,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -16646,22 +16837,29 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object issuer: 
@@ -16679,21 +16877,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -16709,30 +16909,37 @@ spec: description: Subject is the verified identity used for keyless signing, for example - the email address + the email address. type: string type: object keys: description: Keys specifies one - or more public keys + or more public keys. properties: ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object kms: 
@@ -16775,21 +16982,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -16818,7 +17027,7 @@ spec: description: Specify signature algorithm for public keys. Supported values are sha256 - and sha512 + and sha512. type: string type: object repository: 
@@ -17005,38 +17214,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities + description: Attestor is a nested set + of Attestor used to specify a more complex + set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one - or more certificates + or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -17047,21 +17262,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -17080,20 +17296,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -17108,21 +17330,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -17136,28 +17359,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -17194,21 +17423,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -17235,7 +17465,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -17266,17 +17496,17 @@ spec: type: array imageRegistryCredentials: description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry + that will be used for authentication with registry. properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one of these values: - default,google,azure,amazon,github' + are provided. It can be of one of these values: + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -17291,8 +17521,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets must - live in the Kyverno namespace + that are provided for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -17339,7 +17569,7 @@ spec: useCache: default: true description: UseCache enables caching of image verify - responses for this rule + responses for this rule. type: boolean verifyDigest: default: true diff --git a/config/crds/kyverno.io_cleanuppolicies.yaml b/config/crds/kyverno.io_cleanuppolicies.yaml index 5f65f945fc..dcba01e640 100644 --- a/config/crds/kyverno.io_cleanuppolicies.yaml +++ b/config/crds/kyverno.io_cleanuppolicies.yaml @@ -226,12 +226,12 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure access - to a registry + to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided - It can be of one of these values: default,google,azure,amazon,github' + names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -245,8 +245,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets that - are provided for credentials Secrets must live in - the Kyverno namespace + are provided for credentials. Secrets must live in + the Kyverno namespace. items: type: string type: array @@ -1467,12 +1467,12 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure access - to a registry + to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided - It can be of one of these values: default,google,azure,amazon,github' + names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. 
@@ -1486,8 +1486,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets that - are provided for credentials Secrets must live in - the Kyverno namespace + are provided for credentials. Secrets must live in + the Kyverno namespace. items: type: string type: array diff --git a/config/crds/kyverno.io_clustercleanuppolicies.yaml b/config/crds/kyverno.io_clustercleanuppolicies.yaml index 472f8c9bfa..f36f32c4f7 100644 --- a/config/crds/kyverno.io_clustercleanuppolicies.yaml +++ b/config/crds/kyverno.io_clustercleanuppolicies.yaml @@ -226,12 +226,12 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure access - to a registry + to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided - It can be of one of these values: default,google,azure,amazon,github' + names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -245,8 +245,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets that - are provided for credentials Secrets must live in - the Kyverno namespace + are provided for credentials. Secrets must live in + the Kyverno namespace. items: type: string type: array 
@@ -1467,12 +1467,12 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure access - to a registry + to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided - It can be of one of these values: default,google,azure,amazon,github' + names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -1486,8 +1486,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets that - are provided for credentials Secrets must live in - the Kyverno namespace + are provided for credentials. Secrets must live in + the Kyverno namespace. items: type: string type: array diff --git a/config/crds/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno.io_clusterpolicies.yaml index cf66c9ecea..2b6b88b169 100644 --- a/config/crds/kyverno.io_clusterpolicies.yaml +++ b/config/crds/kyverno.io_clusterpolicies.yaml @@ -271,13 +271,13 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one of these values: - default,google,azure,amazon,github' + are provided. It can be of one of these values: + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -292,8 +292,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets must - live in the Kyverno namespace + that are provided for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -1970,14 +1970,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -1992,8 +1992,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -2303,14 +2303,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -2325,8 +2325,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array 
@@ -2858,14 +2858,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -2880,8 +2880,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array 
@@ -3115,38 +3115,42 @@ spec: key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities + description: Attestor is a nested set of + Attestor used to specify a more complex + set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one - or more certificates + or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify + description: CertChain is an optional + PEM encoded set of certificates used + to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -3157,20 +3161,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -3189,20 +3194,24 @@ spec: signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -3217,20 +3226,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -3244,28 +3254,32 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -3300,20 +3314,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -3339,7 +3354,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -3510,7 +3525,7 @@ spec: properties: attestors: description: Attestors specify the required attestors - (i.e. authorities) + (i.e. authorities). items: properties: count: 
@@ -3541,38 +3556,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -3584,21 +3605,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -3617,20 +3639,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -3646,21 +3674,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -3674,28 +3703,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -3734,21 +3769,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -3775,7 +3811,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: 
@@ -3956,38 +3992,42 @@ spec: pairs. type: object attestor: - description: Attestor is a nested AttestorSet + description: Attestor is a nested set of Attestor used to specify a more complex set of match - authorities + authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one or - more certificates + more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an optional + description: CertChain is an optional PEM encoded set of certificates used - to verify + to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object rekor: 
@@ -3998,20 +4038,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -4030,20 +4070,24 @@ spec: signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object issuer: 
@@ -4058,20 +4102,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -4085,28 +4129,32 @@ spec: subject: description: Subject is the verified identity used for keyless signing, for example - the email address + the email address. type: string type: object keys: description: Keys specifies one or more public - keys + keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object kms: 
@@ -4140,20 +4188,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -4179,7 +4227,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values are - sha256 and sha512 + sha256 and sha512. type: string type: object repository: @@ -4209,16 +4257,16 @@ spec: type: array imageRegistryCredentials: description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry + that will be used for authentication with registry. properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided - It can be of one of these values: default,google,azure,amazon,github' + names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. 
@@ -4232,8 +4280,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets that - are provided for credentials Secrets must live in - the Kyverno namespace + are provided for credentials. Secrets must live + in the Kyverno namespace. items: type: string type: array @@ -4280,7 +4328,7 @@ spec: useCache: default: true description: UseCache enables caching of image verify - responses for this rule + responses for this rule. type: boolean verifyDigest: default: true @@ -4554,13 +4602,13 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication - providers are provided It can be of one - of these values: default,google,azure,amazon,github' + providers are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -4575,8 +4623,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets - must live in the Kyverno namespace + that are provided for credentials. Secrets + must live in the Kyverno namespace. items: type: string type: array @@ -6330,14 +6378,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential 
@@ -6353,8 +6401,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -6678,14 +6726,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -6701,8 +6749,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -7263,14 +7311,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -7286,8 +7334,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -7530,38 +7578,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -7573,21 +7627,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -7606,20 +7661,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -7635,21 +7696,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -7663,28 +7725,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -7723,21 +7791,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -7764,7 +7833,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -7939,7 +8008,7 @@ spec: properties: attestors: description: Attestors specify the required - attestors (i.e. authorities) + attestors (i.e. authorities). items: properties: count: 
@@ -7973,41 +8042,46 @@ spec: type: object attestor: description: Attestor is a nested - AttestorSet used to specify a - more complex set of match authorities + set of Attestor used to specify + a more complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is - an optional PEM encoded public - certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain - is an optional PEM encoded - set of certificates used to - verify + description: CertChain is an + optional PEM encoded set of + certificates used to verify. type: string ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object rekor: 
@@ -8021,21 +8095,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -8054,22 +8130,29 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object issuer: 
@@ -8087,21 +8170,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -8117,30 +8202,37 @@ spec: description: Subject is the verified identity used for keyless signing, for example - the email address + the email address. type: string type: object keys: description: Keys specifies one - or more public keys + or more public keys. properties: ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object kms: 
@@ -8183,21 +8275,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -8226,7 +8320,7 @@ spec: description: Specify signature algorithm for public keys. Supported values are sha256 - and sha512 + and sha512. type: string type: object repository: 
@@ -8413,38 +8507,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities + description: Attestor is a nested set + of Attestor used to specify a more complex + set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one - or more certificates + or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -8455,21 +8555,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -8488,20 +8589,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -8516,21 +8623,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -8544,28 +8652,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -8602,21 +8716,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -8643,7 +8758,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -8674,17 +8789,17 @@ spec: type: array imageRegistryCredentials: description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry + that will be used for authentication with registry. properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one of these values: - default,google,azure,amazon,github' + are provided. It can be of one of these values: + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -8699,8 +8814,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets must - live in the Kyverno namespace + that are provided for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
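Review bot: `allowInsecureRegistry` is still described only as "allows insecure access to a registry", in the `imageRegistryCredentials` hunk on this line and in each later hunk that touches this object. The description does not say which protection is dropped, even though registry credentials from `secrets` and `providers` are configured in the same object. It should name what is relaxed (plain HTTP, skipped TLS certificate verification, or both; confirm against the registry client code) and say that the field should stay false outside test setups. The text looks generated from the Go comment, so the change presumably belongs there.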
@@ -8747,7 +8862,7 @@ spec: useCache: default: true description: UseCache enables caching of image verify - responses for this rule + responses for this rule. type: boolean verifyDigest: default: true @@ -9133,13 +9248,13 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one of these values: - default,google,azure,amazon,github' + are provided. It can be of one of these values: + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -9154,8 +9269,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets must - live in the Kyverno namespace + that are provided for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -10406,14 +10521,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -10428,8 +10543,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array 
@@ -10739,14 +10854,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -10761,8 +10876,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -11473,14 +11588,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -11495,8 +11610,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array 
@@ -11730,38 +11845,42 @@ spec: key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities + description: Attestor is a nested set of + Attestor used to specify a more complex + set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one - or more certificates + or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify + description: CertChain is an optional + PEM encoded set of certificates used + to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -11772,20 +11891,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -11804,20 +11924,24 @@ spec: signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -11832,20 +11956,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -11859,28 +11984,32 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -11915,20 +12044,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -11954,7 +12084,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -12114,7 +12244,7 @@ spec: properties: attestors: description: Attestors specify the required attestors - (i.e. authorities) + (i.e. authorities). items: properties: count: 
@@ -12145,38 +12275,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -12188,21 +12324,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -12221,20 +12358,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -12250,21 +12393,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -12278,28 +12422,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -12338,21 +12488,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -12379,7 +12530,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: 
@@ -12560,38 +12711,42 @@ spec: pairs. type: object attestor: - description: Attestor is a nested AttestorSet + description: Attestor is a nested set of Attestor used to specify a more complex set of match - authorities + authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one or - more certificates + more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an optional + description: CertChain is an optional PEM encoded set of certificates used - to verify + to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object rekor: 
@@ -12602,20 +12757,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -12634,20 +12789,24 @@ spec: signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object issuer: 
@@ -12662,20 +12821,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -12689,28 +12848,32 @@ spec: subject: description: Subject is the verified identity used for keyless signing, for example - the email address + the email address. type: string type: object keys: description: Keys specifies one or more public - keys + keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object kms: 
@@ -12744,20 +12907,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -12783,7 +12946,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values are - sha256 and sha512 + sha256 and sha512. type: string type: object repository: @@ -12814,12 +12977,12 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided - It can be of one of these values: default,google,azure,amazon,github' + names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -12833,8 +12996,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets that - are provided for credentials Secrets must live in - the Kyverno namespace + are provided for credentials. Secrets must live + in the Kyverno namespace. items: type: string type: array 
@@ -13143,13 +13306,13 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication - providers are provided It can be of one - of these values: default,google,azure,amazon,github' + providers are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -13164,8 +13327,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets - must live in the Kyverno namespace + that are provided for credentials. Secrets + must live in the Kyverno namespace. items: type: string type: array @@ -14919,14 +15082,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -14942,8 +15105,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -15267,14 +15430,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -15290,8 +15453,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -15852,14 +16015,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -15875,8 +16038,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -16119,38 +16282,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object rekor: 
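Review bot: The new `ctlog` description in this hunk expands CT as "certificate timestamp log", but the log that issues SCTs is a Certificate Transparency log; I would write `CTLog (certificate transparency log) provides a configuration for validation of Signed Certificate Timestamps (SCTs).` The new `ignoreSCT` text also never says that setting it to `true` turns the SCT check off. Assuming the field maps to Cosign's ignore-SCT option, something like `IgnoreSCT skips verification of the Signed Certificate Timestamp (SCT) embedded in the signing certificate. Default is false.` would make the weakened guarantee explicit to policy authors. The same wording repeats in the later `ctlog` hunks of both CRD files. This YAML looks generated from the Go field comments in `image_verification_types.go`, so the fix presumably belongs there, followed by regenerating the CRDs.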
@@ -16162,21 +16331,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -16195,20 +16365,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -16224,21 +16400,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -16252,28 +16429,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -16312,21 +16495,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -16353,7 +16537,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -16528,7 +16712,7 @@ spec: properties: attestors: description: Attestors specify the required - attestors (i.e. authorities) + attestors (i.e. authorities). items: properties: count: 
@@ -16562,41 +16746,46 @@ spec: type: object attestor: description: Attestor is a nested - AttestorSet used to specify a - more complex set of match authorities + set of Attestor used to specify + a more complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is - an optional PEM encoded public - certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain - is an optional PEM encoded - set of certificates used to - verify + description: CertChain is an + optional PEM encoded set of + certificates used to verify. type: string ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object rekor: 
@@ -16610,21 +16799,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -16643,22 +16834,29 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object issuer: 
@@ -16676,21 +16874,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -16706,30 +16906,37 @@ spec: description: Subject is the verified identity used for keyless signing, for example - the email address + the email address. type: string type: object keys: description: Keys specifies one - or more public keys + or more public keys. properties: ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object kms: 
@@ -16772,21 +16979,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -16815,7 +17024,7 @@ spec: description: Specify signature algorithm for public keys. Supported values are sha256 - and sha512 + and sha512. type: string type: object repository: 
@@ -17002,38 +17211,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities + description: Attestor is a nested set + of Attestor used to specify a more complex + set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one - or more certificates + or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -17044,21 +17259,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -17077,20 +17293,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -17105,21 +17327,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -17133,28 +17356,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -17191,21 +17420,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -17232,7 +17462,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -17263,17 +17493,17 @@ spec: type: array imageRegistryCredentials: description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry + that will be used for authentication with registry. properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one of these values: - default,google,azure,amazon,github' + are provided. It can be of one of these values: + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -17288,8 +17518,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets must - live in the Kyverno namespace + that are provided for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -17336,7 +17566,7 @@ spec: useCache: default: true description: UseCache enables caching of image verify - responses for this rule + responses for this rule. type: boolean verifyDigest: default: true diff --git a/config/crds/kyverno.io_policies.yaml b/config/crds/kyverno.io_policies.yaml index 0b00ecb329..f0c8222a15 100644 --- a/config/crds/kyverno.io_policies.yaml +++ b/config/crds/kyverno.io_policies.yaml @@ -272,13 +272,13 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one of these values: - default,google,azure,amazon,github' + are provided. It can be of one of these values: + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -293,8 +293,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets must - live in the Kyverno namespace + that are provided for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -1971,14 +1971,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential 
@@ -1993,8 +1993,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -2304,14 +2304,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -2326,8 +2326,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -2859,14 +2859,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential 
@@ -2881,8 +2881,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array 
@@ -3116,38 +3116,42 @@ spec: key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities + description: Attestor is a nested set of + Attestor used to specify a more complex + set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one - or more certificates + or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify + description: CertChain is an optional + PEM encoded set of certificates used + to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -3158,20 +3162,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -3190,20 +3195,24 @@ spec: signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -3218,20 +3227,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -3245,28 +3255,32 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -3301,20 +3315,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -3340,7 +3355,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -3511,7 +3526,7 @@ spec: properties: attestors: description: Attestors specify the required attestors - (i.e. authorities) + (i.e. authorities). items: properties: count: 
@@ -3542,38 +3557,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -3585,21 +3606,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -3618,20 +3640,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -3647,21 +3675,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -3675,28 +3704,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -3735,21 +3770,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -3776,7 +3812,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: 
@@ -3957,38 +3993,42 @@ spec: pairs. type: object attestor: - description: Attestor is a nested AttestorSet + description: Attestor is a nested set of Attestor used to specify a more complex set of match - authorities + authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one or - more certificates + more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an optional + description: CertChain is an optional PEM encoded set of certificates used - to verify + to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object rekor: 
@@ -3999,20 +4039,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -4031,20 +4071,24 @@ spec: signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object issuer: 
@@ -4059,20 +4103,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -4086,28 +4130,32 @@ spec: subject: description: Subject is the verified identity used for keyless signing, for example - the email address + the email address. type: string type: object keys: description: Keys specifies one or more public - keys + keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object kms: 
@@ -4141,20 +4189,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -4180,7 +4228,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values are - sha256 and sha512 + sha256 and sha512. type: string type: object repository: @@ -4210,16 +4258,16 @@ spec: type: array imageRegistryCredentials: description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry + that will be used for authentication with registry. properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided - It can be of one of these values: default,google,azure,amazon,github' + names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. 
@@ -4233,8 +4281,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets that - are provided for credentials Secrets must live in - the Kyverno namespace + are provided for credentials. Secrets must live + in the Kyverno namespace. items: type: string type: array @@ -4281,7 +4329,7 @@ spec: useCache: default: true description: UseCache enables caching of image verify - responses for this rule + responses for this rule. type: boolean verifyDigest: default: true @@ -4556,13 +4604,13 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication - providers are provided It can be of one - of these values: default,google,azure,amazon,github' + providers are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -4577,8 +4625,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets - must live in the Kyverno namespace + that are provided for credentials. Secrets + must live in the Kyverno namespace. items: type: string type: array @@ -6332,14 +6380,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential 
@@ -6355,8 +6403,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -6680,14 +6728,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -6703,8 +6751,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -7265,14 +7313,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -7288,8 +7336,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -7532,38 +7580,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -7575,21 +7629,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -7608,20 +7663,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -7637,21 +7698,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -7665,28 +7727,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -7725,21 +7793,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -7766,7 +7835,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -7941,7 +8010,7 @@ spec: properties: attestors: description: Attestors specify the required - attestors (i.e. authorities) + attestors (i.e. authorities). items: properties: count: 
@@ -7975,41 +8044,46 @@ spec: type: object attestor: description: Attestor is a nested - AttestorSet used to specify a - more complex set of match authorities + set of Attestor used to specify + a more complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is - an optional PEM encoded public - certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain - is an optional PEM encoded - set of certificates used to - verify + description: CertChain is an + optional PEM encoded set of + certificates used to verify. type: string ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object rekor: 
@@ -8023,21 +8097,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -8056,22 +8132,29 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object issuer: 
@@ -8089,21 +8172,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -8119,30 +8204,37 @@ spec: description: Subject is the verified identity used for keyless signing, for example - the email address + the email address. type: string type: object keys: description: Keys specifies one - or more public keys + or more public keys. properties: ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object kms: 
@@ -8185,21 +8277,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -8228,7 +8322,7 @@ spec: description: Specify signature algorithm for public keys. Supported values are sha256 - and sha512 + and sha512. type: string type: object repository: 
@@ -8415,38 +8509,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities + description: Attestor is a nested set + of Attestor used to specify a more complex + set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one - or more certificates + or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -8457,21 +8557,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -8490,20 +8591,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -8518,21 +8625,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -8546,28 +8654,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -8604,21 +8718,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -8645,7 +8760,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -8676,17 +8791,17 @@ spec: type: array imageRegistryCredentials: description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry + that will be used for authentication with registry. properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one of these values: - default,google,azure,amazon,github' + are provided. It can be of one of these values: + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -8701,8 +8816,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets must - live in the Kyverno namespace + that are provided for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -8749,7 +8864,7 @@ spec: useCache: default: true description: UseCache enables caching of image verify - responses for this rule + responses for this rule. type: boolean verifyDigest: default: true @@ -9136,13 +9251,13 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one of these values: - default,google,azure,amazon,github' + are provided. It can be of one of these values: + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -9157,8 +9272,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets must - live in the Kyverno namespace + that are provided for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -10409,14 +10524,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -10431,8 +10546,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array 
@@ -10742,14 +10857,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -10764,8 +10879,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -11476,14 +11591,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -11498,8 +11613,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array 
@@ -11733,38 +11848,42 @@ spec: key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities + description: Attestor is a nested set of + Attestor used to specify a more complex + set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one - or more certificates + or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify + description: CertChain is an optional + PEM encoded set of certificates used + to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -11775,20 +11894,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -11807,20 +11927,24 @@ spec: signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -11835,20 +11959,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -11862,28 +11987,32 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -11918,20 +12047,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -11957,7 +12087,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -12117,7 +12247,7 @@ spec: properties: attestors: description: Attestors specify the required attestors - (i.e. authorities) + (i.e. authorities). items: properties: count: 
@@ -12148,38 +12278,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -12191,21 +12327,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -12224,20 +12361,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -12253,21 +12396,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -12281,28 +12425,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -12341,21 +12491,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -12382,7 +12533,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: 
@@ -12563,38 +12714,42 @@ spec: pairs. type: object attestor: - description: Attestor is a nested AttestorSet + description: Attestor is a nested set of Attestor used to specify a more complex set of match - authorities + authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one or - more certificates + more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an optional + description: CertChain is an optional PEM encoded set of certificates used - to verify + to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object rekor: 
@@ -12605,20 +12760,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -12637,20 +12792,24 @@ spec: signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object issuer: 
@@ -12665,20 +12824,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -12692,28 +12851,32 @@ spec: subject: description: Subject is the verified identity used for keyless signing, for example - the email address + the email address. type: string type: object keys: description: Keys specifies one or more public - keys + keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object kms: 
@@ -12747,20 +12910,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -12786,7 +12949,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values are - sha256 and sha512 + sha256 and sha512. type: string type: object repository: @@ -12817,12 +12980,12 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided - It can be of one of these values: default,google,azure,amazon,github' + names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -12836,8 +12999,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets that - are provided for credentials Secrets must live in - the Kyverno namespace + are provided for credentials. Secrets must live + in the Kyverno namespace. items: type: string type: array 
@@ -13146,13 +13309,13 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication - providers are provided It can be of one - of these values: default,google,azure,amazon,github' + providers are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -13167,8 +13330,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets - must live in the Kyverno namespace + that are provided for credentials. Secrets + must live in the Kyverno namespace. items: type: string type: array @@ -14922,14 +15085,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -14945,8 +15108,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -15270,14 +15433,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -15293,8 +15456,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -15855,14 +16018,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -15878,8 +16041,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -16122,38 +16285,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -16165,21 +16334,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -16198,20 +16368,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -16227,21 +16403,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -16255,28 +16432,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -16315,21 +16498,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -16356,7 +16540,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -16531,7 +16715,7 @@ spec: properties: attestors: description: Attestors specify the required - attestors (i.e. authorities) + attestors (i.e. authorities). items: properties: count: 
@@ -16565,41 +16749,46 @@ spec: type: object attestor: description: Attestor is a nested - AttestorSet used to specify a - more complex set of match authorities + set of Attestor used to specify + a more complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is - an optional PEM encoded public - certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain - is an optional PEM encoded - set of certificates used to - verify + description: CertChain is an + optional PEM encoded set of + certificates used to verify. type: string ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object rekor: 
@@ -16613,21 +16802,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -16646,22 +16837,29 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object issuer: 
@@ -16679,21 +16877,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -16709,30 +16909,37 @@ spec: description: Subject is the verified identity used for keyless signing, for example - the email address + the email address. type: string type: object keys: description: Keys specifies one - or more public keys + or more public keys. properties: ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object kms: 
@@ -16775,21 +16982,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -16818,7 +17027,7 @@ spec: description: Specify signature algorithm for public keys. Supported values are sha256 - and sha512 + and sha512. type: string type: object repository: 
@@ -17005,38 +17214,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities + description: Attestor is a nested set + of Attestor used to specify a more complex + set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one - or more certificates + or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -17047,21 +17262,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -17080,20 +17296,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -17108,21 +17330,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -17136,28 +17359,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -17194,21 +17423,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -17235,7 +17465,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -17266,17 +17496,17 @@ spec: type: array imageRegistryCredentials: description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry + that will be used for authentication with registry. properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one of these values: - default,google,azure,amazon,github' + are provided. It can be of one of these values: + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -17291,8 +17521,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets must - live in the Kyverno namespace + that are provided for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -17339,7 +17569,7 @@ spec: useCache: default: true description: UseCache enables caching of image verify - responses for this rule + responses for this rule. type: boolean verifyDigest: default: true diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index b3f28465b9..9276b27a36 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml @@ -1084,12 +1084,12 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure access - to a registry + to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided - It can be of one of these values: default,google,azure,amazon,github' + names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -1103,8 +1103,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets that - are provided for credentials Secrets must live in - the Kyverno namespace + are provided for credentials. Secrets must live in + the Kyverno namespace. items: type: string type: array @@ -2325,12 +2325,12 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure access - to a registry + to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided - It can be of one of these values: default,google,azure,amazon,github' + names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. 
@@ -2344,8 +2344,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets that - are provided for credentials Secrets must live in - the Kyverno namespace + are provided for credentials. Secrets must live in + the Kyverno namespace. items: type: string type: array @@ -4241,12 +4241,12 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure access - to a registry + to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided - It can be of one of these values: default,google,azure,amazon,github' + names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -4260,8 +4260,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets that - are provided for credentials Secrets must live in - the Kyverno namespace + are provided for credentials. Secrets must live in + the Kyverno namespace. items: type: string type: array @@ -5482,12 +5482,12 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure access - to a registry + to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided - It can be of one of these values: default,google,azure,amazon,github' + names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. 
@@ -5501,8 +5501,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets that - are provided for credentials Secrets must live in - the Kyverno namespace + are provided for credentials. Secrets must live in + the Kyverno namespace. items: type: string type: array @@ -6796,13 +6796,13 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one of these values: - default,google,azure,amazon,github' + are provided. It can be of one of these values: + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -6817,8 +6817,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets must - live in the Kyverno namespace + that are provided for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -8495,14 +8495,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -8517,8 +8517,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array 
@@ -8828,14 +8828,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -8850,8 +8850,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -9383,14 +9383,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -9405,8 +9405,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array 
@@ -9640,38 +9640,42 @@ spec: key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities + description: Attestor is a nested set of + Attestor used to specify a more complex + set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one - or more certificates + or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify + description: CertChain is an optional + PEM encoded set of certificates used + to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -9682,20 +9686,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -9714,20 +9719,24 @@ spec: signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -9742,20 +9751,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -9769,28 +9779,32 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -9825,20 +9839,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -9864,7 +9879,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -10035,7 +10050,7 @@ spec: properties: attestors: description: Attestors specify the required attestors - (i.e. authorities) + (i.e. authorities). items: properties: count: 
@@ -10066,38 +10081,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -10109,21 +10130,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -10142,20 +10164,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -10171,21 +10199,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -10199,28 +10228,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -10259,21 +10294,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -10300,7 +10336,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: 
@@ -10481,38 +10517,42 @@ spec: pairs. type: object attestor: - description: Attestor is a nested AttestorSet + description: Attestor is a nested set of Attestor used to specify a more complex set of match - authorities + authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one or - more certificates + more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an optional + description: CertChain is an optional PEM encoded set of certificates used - to verify + to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object rekor: 
@@ -10523,20 +10563,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -10555,20 +10595,24 @@ spec: signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object issuer: 
@@ -10583,20 +10627,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -10610,28 +10654,32 @@ spec: subject: description: Subject is the verified identity used for keyless signing, for example - the email address + the email address. type: string type: object keys: description: Keys specifies one or more public - keys + keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object kms: 
@@ -10665,20 +10713,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -10704,7 +10752,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values are - sha256 and sha512 + sha256 and sha512. type: string type: object repository: @@ -10734,16 +10782,16 @@ spec: type: array imageRegistryCredentials: description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry + that will be used for authentication with registry. properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided - It can be of one of these values: default,google,azure,amazon,github' + names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. 
@@ -10757,8 +10805,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets that - are provided for credentials Secrets must live in - the Kyverno namespace + are provided for credentials. Secrets must live + in the Kyverno namespace. items: type: string type: array @@ -10805,7 +10853,7 @@ spec: useCache: default: true description: UseCache enables caching of image verify - responses for this rule + responses for this rule. type: boolean verifyDigest: default: true @@ -11079,13 +11127,13 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication - providers are provided It can be of one - of these values: default,google,azure,amazon,github' + providers are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -11100,8 +11148,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets - must live in the Kyverno namespace + that are provided for credentials. Secrets + must live in the Kyverno namespace. items: type: string type: array @@ -12855,14 +12903,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential 
@@ -12878,8 +12926,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -13203,14 +13251,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -13226,8 +13274,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -13788,14 +13836,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -13811,8 +13859,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -14055,38 +14103,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -14098,21 +14152,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -14131,20 +14186,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -14160,21 +14221,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -14188,28 +14250,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -14248,21 +14316,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -14289,7 +14358,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -14464,7 +14533,7 @@ spec: properties: attestors: description: Attestors specify the required - attestors (i.e. authorities) + attestors (i.e. authorities). items: properties: count: 
@@ -14498,41 +14567,46 @@ spec: type: object attestor: description: Attestor is a nested - AttestorSet used to specify a - more complex set of match authorities + set of Attestor used to specify + a more complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is - an optional PEM encoded public - certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain - is an optional PEM encoded - set of certificates used to - verify + description: CertChain is an + optional PEM encoded set of + certificates used to verify. type: string ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object rekor: 
@@ -14546,21 +14620,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -14579,22 +14655,29 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object issuer: 
@@ -14612,21 +14695,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -14642,30 +14727,37 @@ spec: description: Subject is the verified identity used for keyless signing, for example - the email address + the email address. type: string type: object keys: description: Keys specifies one - or more public keys + or more public keys. properties: ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object kms: 
@@ -14708,21 +14800,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -14751,7 +14845,7 @@ spec: description: Specify signature algorithm for public keys. Supported values are sha256 - and sha512 + and sha512. type: string type: object repository: 
@@ -14938,38 +15032,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities + description: Attestor is a nested set + of Attestor used to specify a more complex + set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one - or more certificates + or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -14980,21 +15080,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -15013,20 +15114,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -15041,21 +15148,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -15069,28 +15177,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -15127,21 +15241,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -15168,7 +15283,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -15199,17 +15314,17 @@ spec: type: array imageRegistryCredentials: description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry + that will be used for authentication with registry. properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one of these values: - default,google,azure,amazon,github' + are provided. It can be of one of these values: + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -15224,8 +15339,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets must - live in the Kyverno namespace + that are provided for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -15272,7 +15387,7 @@ spec: useCache: default: true description: UseCache enables caching of image verify - responses for this rule + responses for this rule. type: boolean verifyDigest: default: true @@ -15658,13 +15773,13 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one of these values: - default,google,azure,amazon,github' + are provided. It can be of one of these values: + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -15679,8 +15794,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets must - live in the Kyverno namespace + that are provided for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -16931,14 +17046,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -16953,8 +17068,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array 
@@ -17264,14 +17379,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -17286,8 +17401,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -17998,14 +18113,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -18020,8 +18135,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array 
@@ -18255,38 +18370,42 @@ spec: key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities + description: Attestor is a nested set of + Attestor used to specify a more complex + set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one - or more certificates + or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify + description: CertChain is an optional + PEM encoded set of certificates used + to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -18297,20 +18416,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -18329,20 +18449,24 @@ spec: signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -18357,20 +18481,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -18384,28 +18509,32 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -18440,20 +18569,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -18479,7 +18609,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -18639,7 +18769,7 @@ spec: properties: attestors: description: Attestors specify the required attestors - (i.e. authorities) + (i.e. authorities). items: properties: count: 
@@ -18670,38 +18800,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -18713,21 +18849,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -18746,20 +18883,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -18775,21 +18918,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -18803,28 +18947,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -18863,21 +19013,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -18904,7 +19055,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: 
@@ -19085,38 +19236,42 @@ spec: pairs. type: object attestor: - description: Attestor is a nested AttestorSet + description: Attestor is a nested set of Attestor used to specify a more complex set of match - authorities + authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one or - more certificates + more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an optional + description: CertChain is an optional PEM encoded set of certificates used - to verify + to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object rekor: 
@@ -19127,20 +19282,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -19159,20 +19314,24 @@ spec: signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object issuer: 
@@ -19187,20 +19346,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -19214,28 +19373,32 @@ spec: subject: description: Subject is the verified identity used for keyless signing, for example - the email address + the email address. type: string type: object keys: description: Keys specifies one or more public - keys + keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object kms: 
@@ -19269,20 +19432,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -19308,7 +19471,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values are - sha256 and sha512 + sha256 and sha512. type: string type: object repository: @@ -19339,12 +19502,12 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided - It can be of one of these values: default,google,azure,amazon,github' + names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -19358,8 +19521,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets that - are provided for credentials Secrets must live in - the Kyverno namespace + are provided for credentials. Secrets must live + in the Kyverno namespace. items: type: string type: array 
@@ -19668,13 +19831,13 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication - providers are provided It can be of one - of these values: default,google,azure,amazon,github' + providers are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -19689,8 +19852,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets - must live in the Kyverno namespace + that are provided for credentials. Secrets + must live in the Kyverno namespace. items: type: string type: array @@ -21444,14 +21607,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -21467,8 +21630,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -21792,14 +21955,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -21815,8 +21978,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -22377,14 +22540,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -22400,8 +22563,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -22644,38 +22807,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -22687,21 +22856,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -22720,20 +22890,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -22749,21 +22925,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -22777,28 +22954,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -22837,21 +23020,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -22878,7 +23062,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -23053,7 +23237,7 @@ spec: properties: attestors: description: Attestors specify the required - attestors (i.e. authorities) + attestors (i.e. authorities). items: properties: count: 
@@ -23087,41 +23271,46 @@ spec: type: object attestor: description: Attestor is a nested - AttestorSet used to specify a - more complex set of match authorities + set of Attestor used to specify + a more complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is - an optional PEM encoded public - certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain - is an optional PEM encoded - set of certificates used to - verify + description: CertChain is an + optional PEM encoded set of + certificates used to verify. type: string ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object rekor: 
@@ -23135,21 +23324,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -23168,22 +23359,29 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object issuer: 
@@ -23201,21 +23399,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -23231,30 +23431,37 @@ spec: description: Subject is the verified identity used for keyless signing, for example - the email address + the email address. type: string type: object keys: description: Keys specifies one - or more public keys + or more public keys. properties: ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object kms: 
@@ -23297,21 +23504,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -23340,7 +23549,7 @@ spec: description: Specify signature algorithm for public keys. Supported values are sha256 - and sha512 + and sha512. type: string type: object repository: 
@@ -23527,38 +23736,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities + description: Attestor is a nested set + of Attestor used to specify a more complex + set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one - or more certificates + or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -23569,21 +23784,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -23602,20 +23818,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -23630,21 +23852,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -23658,28 +23881,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -23716,21 +23945,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -23757,7 +23987,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -23788,17 +24018,17 @@ spec: type: array imageRegistryCredentials: description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry + that will be used for authentication with registry. properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one of these values: - default,google,azure,amazon,github' + are provided. It can be of one of these values: + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -23813,8 +24043,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets must - live in the Kyverno namespace + that are provided for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -23861,7 +24091,7 @@ spec: useCache: default: true description: UseCache enables caching of image verify - responses for this rule + responses for this rule. type: boolean verifyDigest: default: true @@ -24276,13 +24506,13 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one of these values: - default,google,azure,amazon,github' + are provided. It can be of one of these values: + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -24297,8 +24527,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets must - live in the Kyverno namespace + that are provided for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -25975,14 +26205,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -25997,8 +26227,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array 
@@ -26308,14 +26538,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -26330,8 +26560,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -26863,14 +27093,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -26885,8 +27115,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array 
@@ -27120,38 +27350,42 @@ spec: key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities + description: Attestor is a nested set of + Attestor used to specify a more complex + set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one - or more certificates + or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify + description: CertChain is an optional + PEM encoded set of certificates used + to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -27162,20 +27396,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -27194,20 +27429,24 @@ spec: signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -27222,20 +27461,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -27249,28 +27489,32 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -27305,20 +27549,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -27344,7 +27589,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -27515,7 +27760,7 @@ spec: properties: attestors: description: Attestors specify the required attestors - (i.e. authorities) + (i.e. authorities). items: properties: count: 
@@ -27546,38 +27791,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -27589,21 +27840,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -27622,20 +27874,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -27651,21 +27909,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -27679,28 +27938,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -27739,21 +28004,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -27780,7 +28046,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: 
@@ -27961,38 +28227,42 @@ spec: pairs. type: object attestor: - description: Attestor is a nested AttestorSet + description: Attestor is a nested set of Attestor used to specify a more complex set of match - authorities + authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one or - more certificates + more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an optional + description: CertChain is an optional PEM encoded set of certificates used - to verify + to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object rekor: 
@@ -28003,20 +28273,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -28035,20 +28305,24 @@ spec: signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object issuer: 
@@ -28063,20 +28337,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -28090,28 +28364,32 @@ spec: subject: description: Subject is the verified identity used for keyless signing, for example - the email address + the email address. type: string type: object keys: description: Keys specifies one or more public - keys + keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object kms: 
@@ -28145,20 +28423,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -28184,7 +28462,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values are - sha256 and sha512 + sha256 and sha512. type: string type: object repository: @@ -28214,16 +28492,16 @@ spec: type: array imageRegistryCredentials: description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry + that will be used for authentication with registry. properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided - It can be of one of these values: default,google,azure,amazon,github' + names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. 
@@ -28237,8 +28515,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets that - are provided for credentials Secrets must live in - the Kyverno namespace + are provided for credentials. Secrets must live + in the Kyverno namespace. items: type: string type: array @@ -28285,7 +28563,7 @@ spec: useCache: default: true description: UseCache enables caching of image verify - responses for this rule + responses for this rule. type: boolean verifyDigest: default: true @@ -28560,13 +28838,13 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication - providers are provided It can be of one - of these values: default,google,azure,amazon,github' + providers are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -28581,8 +28859,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets - must live in the Kyverno namespace + that are provided for credentials. Secrets + must live in the Kyverno namespace. items: type: string type: array @@ -30336,14 +30614,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential 
@@ -30359,8 +30637,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -30684,14 +30962,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -30707,8 +30985,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -31269,14 +31547,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -31292,8 +31570,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -31536,38 +31814,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -31579,21 +31863,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -31612,20 +31897,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -31641,21 +31932,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -31669,28 +31961,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -31729,21 +32027,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -31770,7 +32069,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -31945,7 +32244,7 @@ spec: properties: attestors: description: Attestors specify the required - attestors (i.e. authorities) + attestors (i.e. authorities). items: properties: count: 
@@ -31979,41 +32278,46 @@ spec: type: object attestor: description: Attestor is a nested - AttestorSet used to specify a - more complex set of match authorities + set of Attestor used to specify + a more complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is - an optional PEM encoded public - certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain - is an optional PEM encoded - set of certificates used to - verify + description: CertChain is an + optional PEM encoded set of + certificates used to verify. type: string ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object rekor: 
@@ -32027,21 +32331,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -32060,22 +32366,29 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object issuer: 
@@ -32093,21 +32406,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -32123,30 +32438,37 @@ spec: description: Subject is the verified identity used for keyless signing, for example - the email address + the email address. type: string type: object keys: description: Keys specifies one - or more public keys + or more public keys. properties: ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object kms: 
@@ -32189,21 +32511,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -32232,7 +32556,7 @@ spec: description: Specify signature algorithm for public keys. Supported values are sha256 - and sha512 + and sha512. type: string type: object repository: 
@@ -32419,38 +32743,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities + description: Attestor is a nested set + of Attestor used to specify a more complex + set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one - or more certificates + or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -32461,21 +32791,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -32494,20 +32825,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -32522,21 +32859,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -32550,28 +32888,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -32608,21 +32952,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -32649,7 +32994,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -32680,17 +33025,17 @@ spec: type: array imageRegistryCredentials: description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry + that will be used for authentication with registry. properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one of these values: - default,google,azure,amazon,github' + are provided. It can be of one of these values: + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -32705,8 +33050,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets must - live in the Kyverno namespace + that are provided for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -32753,7 +33098,7 @@ spec: useCache: default: true description: UseCache enables caching of image verify - responses for this rule + responses for this rule. type: boolean verifyDigest: default: true @@ -33140,13 +33485,13 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one of these values: - default,google,azure,amazon,github' + are provided. It can be of one of these values: + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -33161,8 +33506,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets must - live in the Kyverno namespace + that are provided for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -34413,14 +34758,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -34435,8 +34780,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array 
@@ -34746,14 +35091,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -34768,8 +35113,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -35480,14 +35825,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose - authentication providers are provided + authentication providers are provided. It can be of one of these values: - default,google,azure,amazon,github' + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -35502,8 +35847,8 @@ spec: type: array secrets: description: Secrets specifies a list - of secrets that are provided for credentials - Secrets must live in the Kyverno namespace + of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array 
@@ -35737,38 +36082,42 @@ spec: key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities + description: Attestor is a nested set of + Attestor used to specify a more complex + set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one - or more certificates + or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify + description: CertChain is an optional + PEM encoded set of certificates used + to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object rekor: 
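Review bot: The new `ctlog` description expands CTLog as "certificate timestamp log", but SCTs are issued by Certificate Transparency logs, so it should read `CTLog (certificate transparency log) provides a configuration for validation of Signed Certificate Timestamps (SCTs).` In the same hunk the `ignoreSCT` text says it "defines whether to use" the SCT, while the field name suggests that true skips the check. Wording such as `IgnoreSCT skips verification of the Signed Certificate Timestamp (SCT) embedded in the certificate. Default is false.` states the polarity and makes it clear that enabling it weakens verification. Both strings repeat under `certificates`, `keyless` and `keys` in this hunk and in the later hunks of this manifest. The manifest looks generated, so the wording presumably has to change in the Go type comments and be regenerated.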
@@ -35779,20 +36128,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -35811,20 +36161,24 @@ spec: signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -35839,20 +36193,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -35866,28 +36221,32 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate Timestamps + (SCTs). If the value is unset, the + default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate + Timestamp (SCT) log to check for + a certificate timestamp. Default + is false. Set to true if this + was opted out during signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -35922,20 +36281,21 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use - for a custom Rekor. If set, is - used to validate signatures on - log entries from Rekor. + PEM-encoded public key to use + for a custom Rekor. If set, this + will be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -35961,7 +36321,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -36121,7 +36481,7 @@ spec: properties: attestors: description: Attestors specify the required attestors - (i.e. authorities) + (i.e. authorities). items: properties: count: 
@@ -36152,38 +36512,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -36195,21 +36561,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -36228,20 +36595,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -36257,21 +36630,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -36285,28 +36659,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -36345,21 +36725,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -36386,7 +36767,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: 
@@ -36567,38 +36948,42 @@ spec: pairs. type: object attestor: - description: Attestor is a nested AttestorSet + description: Attestor is a nested set of Attestor used to specify a more complex set of match - authorities + authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one or - more certificates + more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an optional + description: CertChain is an optional PEM encoded set of certificates used - to verify + to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object rekor: 
@@ -36609,20 +36994,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -36641,20 +37026,24 @@ spec: signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object issuer: 
@@ -36669,20 +37058,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -36696,28 +37085,32 @@ spec: subject: description: Subject is the verified identity used for keyless signing, for example - the email address + the email address. type: string type: object keys: description: Keys specifies one or more public - keys + keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key is - used + description: CTLog (certificate timestamp + log) provides a configuration for validation + of Signed Certificate Timestamps (SCTs). + If the value is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires that - a certificate contain an embedded - SCT during verification. + description: IgnoreSCT defines whether + to use the Signed Certificate Timestamp + (SCT) log to check for a certificate + timestamp. Default is false. Set + to true if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is used + to validate SCTs against a custom + source. type: string type: object kms: 
@@ -36751,20 +37144,20 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips transparency + log verification. type: boolean pubkey: description: RekorPubKey is an optional - PEM encoded public key to use for - a custom Rekor. If set, is used - to validate signatures on log entries - from Rekor. + PEM-encoded public key to use for + a custom Rekor. If set, this will + be used to validate transparency + log signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to - the public log https://rekor.sigstore.dev. + the public Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -36790,7 +37183,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values are - sha256 and sha512 + sha256 and sha512. type: string type: object repository: @@ -36821,12 +37214,12 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided - It can be of one of these values: default,google,azure,amazon,github' + names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -36840,8 +37233,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets that - are provided for credentials Secrets must live in - the Kyverno namespace + are provided for credentials. Secrets must live + in the Kyverno namespace. items: type: string type: array 
@@ -37150,13 +37543,13 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry allows - insecure access to a registry + insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication - providers are provided It can be of one - of these values: default,google,azure,amazon,github' + providers are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -37171,8 +37564,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets - must live in the Kyverno namespace + that are provided for credentials. Secrets + must live in the Kyverno namespace. items: type: string type: array @@ -38926,14 +39319,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -38949,8 +39342,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -39274,14 +39667,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -39297,8 +39690,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array @@ -39859,14 +40252,14 @@ spec: properties: allowInsecureRegistry: description: AllowInsecureRegistry - allows insecure access to a registry + allows insecure access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one - of these values: default,google,azure,amazon,github' + are provided. It can be of one + of these values: default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -39882,8 +40275,8 @@ spec: secrets: description: Secrets specifies a list of secrets that are provided - for credentials Secrets must live - in the Kyverno namespace + for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -40126,38 +40519,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -40169,21 +40568,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -40202,20 +40602,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -40231,21 +40637,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -40259,28 +40666,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the - value is nil, default ctlog public - key is used + description: CTLog (certificate + timestamp log) provides a configuration + for validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior + by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp (SCT) + log to check for a certificate + timestamp. Default is false. + Set to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, if - set, is used to validate SCTs - against those keys. + description: PubKey, if set, + is used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -40319,21 +40732,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip - tlog verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is - an optional PEM encoded public + an optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries - from Rekor. + If set, this will be used + to validate transparency log + signatures from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -40360,7 +40774,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -40535,7 +40949,7 @@ spec: properties: attestors: description: Attestors specify the required - attestors (i.e. authorities) + attestors (i.e. authorities). items: properties: count: 
@@ -40569,41 +40983,46 @@ spec: type: object attestor: description: Attestor is a nested - AttestorSet used to specify a - more complex set of match authorities + set of Attestor used to specify + a more complex set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies - one or more certificates + one or more certificates. properties: cert: - description: Certificate is - an optional PEM encoded public - certificate. + description: Cert is an optional + PEM-encoded public certificate. type: string certChain: - description: CertificateChain - is an optional PEM encoded - set of certificates used to - verify + description: CertChain is an + optional PEM encoded set of + certificates used to verify. type: string ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object rekor: 
@@ -40617,21 +41036,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -40650,22 +41071,29 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object issuer: 
@@ -40683,21 +41111,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -40713,30 +41143,37 @@ spec: description: Subject is the verified identity used for keyless signing, for example - the email address + the email address. type: string type: object keys: description: Keys specifies one - or more public keys + or more public keys. properties: ctlog: - description: CTLog provides + description: CTLog (certificate + timestamp log) provides a configuration for validation - of SCTs. If the value is nil, - default ctlog public key is - used + of Signed Certificate Timestamps + (SCTs). If the value is unset, + the default behavior by Cosign + is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain - an embedded SCT during - verification. + description: IgnoreSCT defines + whether to use the Signed + Certificate Timestamp + (SCT) log to check for + a certificate timestamp. + Default is false. Set + to true if this was opted + out during signing. type: boolean pubkey: - description: CTLogPubKey, - if set, is used to validate - SCTs against those keys. + description: PubKey, if + set, is used to validate + SCTs against a custom + source. type: string type: object kms: 
@@ -40779,21 +41216,23 @@ spec: properties: ignoreTlog: description: IgnoreTlog - skip tlog verification + skips transparency log + verification. type: boolean pubkey: description: RekorPubKey - is an optional PEM encoded + is an optional PEM-encoded public key to use for a custom Rekor. If set, - is used to validate signatures - on log entries from Rekor. + this will be used to validate + transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults to the public - log https://rekor.sigstore.dev. + Rekor log instance https://rekor.sigstore.dev. type: string required: - url @@ -40822,7 +41261,7 @@ spec: description: Specify signature algorithm for public keys. Supported values are sha256 - and sha512 + and sha512. type: string type: object repository: 
@@ -41009,38 +41448,44 @@ spec: may contain other key-value pairs. type: object attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities + description: Attestor is a nested set + of Attestor used to specify a more complex + set of match authorities. x-kubernetes-preserve-unknown-fields: true certificates: description: Certificates specifies one - or more certificates + or more certificates. properties: cert: - description: Certificate is an optional - PEM encoded public certificate. + description: Cert is an optional PEM-encoded + public certificate. type: string certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify + description: CertChain is an optional + PEM encoded set of certificates + used to verify. type: string ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object rekor: 
@@ -41051,21 +41496,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -41084,20 +41530,26 @@ spec: for keyless signing. type: object ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object issuer: 
@@ -41112,21 +41564,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -41140,28 +41593,34 @@ spec: subject: description: Subject is the verified identity used for keyless signing, - for example the email address + for example the email address. type: string type: object keys: description: Keys specifies one or more - public keys + public keys. properties: ctlog: - description: CTLog provides configuration - for validation of SCTs. If the value - is nil, default ctlog public key - is used + description: CTLog (certificate timestamp + log) provides a configuration for + validation of Signed Certificate + Timestamps (SCTs). If the value + is unset, the default behavior by + Cosign is used. properties: ignoreSCT: - description: IgnoreSCT requires - that a certificate contain an - embedded SCT during verification. + description: IgnoreSCT defines + whether to use the Signed Certificate + Timestamp (SCT) log to check + for a certificate timestamp. + Default is false. Set to true + if this was opted out during + signing. type: boolean pubkey: - description: CTLogPubKey, if set, - is used to validate SCTs against - those keys. + description: PubKey, if set, is + used to validate SCTs against + a custom source. type: string type: object kms: 
@@ -41198,21 +41657,22 @@ spec: is used. properties: ignoreTlog: - description: IgnoreTlog skip tlog - verification + description: IgnoreTlog skips + transparency log verification. type: boolean pubkey: description: RekorPubKey is an - optional PEM encoded public + optional PEM-encoded public key to use for a custom Rekor. - If set, is used to validate - signatures on log entries from - Rekor. + If set, this will be used to + validate transparency log signatures + from a custom Rekor. type: string url: description: URL is the address of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. + to the public Rekor log instance + https://rekor.sigstore.dev. type: string required: - url @@ -41239,7 +41699,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512 + are sha256 and sha512. type: string type: object repository: @@ -41270,17 +41730,17 @@ spec: type: array imageRegistryCredentials: description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry + that will be used for authentication with registry. properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure - access to a registry + access to a registry. type: boolean providers: description: 'Providers specifies a list of OCI Registry names, whose authentication providers - are provided It can be of one of these values: - default,google,azure,amazon,github' + are provided. It can be of one of these values: + default,google,azure,amazon,github.' items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -41295,8 +41755,8 @@ spec: type: array secrets: description: Secrets specifies a list of secrets - that are provided for credentials Secrets must - live in the Kyverno namespace + that are provided for credentials. Secrets must + live in the Kyverno namespace. items: type: string type: array 
@@ -41343,7 +41803,7 @@ spec: useCache: default: true description: UseCache enables caching of image verify - responses for this rule + responses for this rule. type: boolean verifyDigest: default: true diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html index c6760ab078..2799a42cbf 100644 --- a/docs/user/crd/index.html +++ b/docs/user/crd/index.html @@ -792,7 +792,7 @@ string
Attestors specify the required attestors (i.e. authorities)
+Attestors specify the required attestors (i.e. authorities).
Keys specifies one or more public keys
+Keys specifies one or more public keys.
Certificates specifies one or more certificates
+Certificates specifies one or more certificates.
Attestor is a nested AttestorSet used to specify a more complex set of match authorities
+Attestor is a nested set of Attestor used to specify a more complex set of match authorities.
IgnoreSCT requires that a certificate contain an embedded SCT during verification.
+IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate +timestamp. Default is false. Set to true if this was opted out during signing.
CTLogPubKey, if set, is used to validate SCTs against those keys.
+PubKey, if set, is used to validate SCTs against a custom source.
Certificate is an optional PEM encoded public certificate.
+Cert is an optional PEM-encoded public certificate.
CertificateChain is an optional PEM encoded set of certificates used to verify
+CertChain is an optional PEM encoded set of certificates used to verify.
CTLog provides configuration for validation of SCTs. -If the value is nil, default ctlog public key is used
+CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate +Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
AllowInsecureRegistry allows insecure access to a registry
+AllowInsecureRegistry allows insecure access to a registry.
Providers specifies a list of OCI Registry names, whose authentication providers are provided -It can be of one of these values: default,google,azure,amazon,github
+Providers specifies a list of OCI Registry names, whose authentication providers are provided. +It can be of one of these values: default,google,azure,amazon,github.
Secrets specifies a list of secrets that are provided for credentials -Secrets must live in the Kyverno namespace
+Secrets specifies a list of secrets that are provided for credentials. +Secrets must live in the Kyverno namespace.
ImageRegistryCredentials provides credentials that will be used for authentication with registry
+ImageRegistryCredentials provides credentials that will be used for authentication with registry.
UseCache enables caching of image verify responses for this rule
+UseCache enables caching of image verify responses for this rule.
CTLog provides configuration for validation of SCTs. -If the value is nil, default ctlog public key is used
+CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate +Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
Subject is the verified identity used for keyless signing, for example the email address
+Subject is the verified identity used for keyless signing, for example the email address.
URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
+URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.
RekorPubKey is an optional PEM encoded public key to use for a custom Rekor. -If set, is used to validate signatures on log entries from Rekor.
+RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. +If set, this will be used to validate transparency log signatures from a custom Rekor.
IgnoreTlog skip tlog verification
+IgnoreTlog skips transparency log verification.
Specify signature algorithm for public keys. Supported values are sha256 and sha512
+Specify signature algorithm for public keys. Supported values are sha256 and sha512.
CTLog provides configuration for validation of SCTs. -If the value is nil, default ctlog public key is used
+CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate +Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.