
feat: update verify images types with better descriptions (#8779)

* feat: update verify images types with better descriptions

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* feat: revert cert and certchain

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

---------

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Vishal Choudhary 2023-10-31 10:22:07 +05:30 committed by GitHub
parent fb530626ba
commit 99c5f66fab
10 changed files with 8820 additions and 6978 deletions


@ -96,11 +96,11 @@ type ImageVerification struct {
// +kubebuilder:validation:Optional
Required bool `json:"required" yaml:"required"`
// ImageRegistryCredentials provides credentials that will be used for authentication with registry
// ImageRegistryCredentials provides credentials that will be used for authentication with registry.
// +kubebuilder:validation:Optional
ImageRegistryCredentials *ImageRegistryCredentials `json:"imageRegistryCredentials,omitempty" yaml:"imageRegistryCredentials,omitempty"`
// UseCache enables caching of image verify responses for this rule
// UseCache enables caching of image verify responses for this rule.
// +kubebuilder:default=true
// +kubebuilder:validation:Optional
UseCache bool `json:"useCache" yaml:"useCache"`
@ -128,11 +128,11 @@ func (as AttestorSet) RequiredCount() int {
}
type Attestor struct {
// Keys specifies one or more public keys
// Keys specifies one or more public keys.
// +kubebuilder:validation:Optional
Keys *StaticKeyAttestor `json:"keys,omitempty" yaml:"keys,omitempty"`
// Certificates specifies one or more certificates
// Certificates specifies one or more certificates.
// +kubebuilder:validation:Optional
Certificates *CertificateAttestor `json:"certificates,omitempty" yaml:"certificates,omitempty"`
@ -141,7 +141,7 @@ type Attestor struct {
// +kubebuilder:validation:Optional
Keyless *KeylessAttestor `json:"keyless,omitempty" yaml:"keyless,omitempty"`
// Attestor is a nested AttestorSet used to specify a more complex set of match authorities
// Attestor is a nested set of Attestor used to specify a more complex set of match authorities.
// +kubebuilder:validation:Optional
Attestor *apiextv1.JSON `json:"attestor,omitempty" yaml:"attestor,omitempty"`
@ -166,7 +166,7 @@ type StaticKeyAttestor struct {
// (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
PublicKeys string `json:"publicKeys,omitempty" yaml:"publicKeys,omitempty"`
// Specify signature algorithm for public keys. Supported values are sha256 and sha512
// Specify signature algorithm for public keys. Supported values are sha256 and sha512.
// +kubebuilder:default=sha256
SignatureAlgorithm string `json:"signatureAlgorithm,omitempty" yaml:"signatureAlgorithm,omitempty"`
@ -182,8 +182,8 @@ type StaticKeyAttestor struct {
// +kubebuilder:validation:Optional
Rekor *Rekor `json:"rekor,omitempty" yaml:"rekor,omitempty"`
// CTLog provides configuration for validation of SCTs.
// If the value is nil, default ctlog public key is used
// CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
// Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
// +kubebuilder:validation:Optional
CTLog *CTLog `json:"ctlog,omitempty" yaml:"ctlog,omitempty"`
}
@ -197,11 +197,11 @@ type SecretReference struct {
}
type CertificateAttestor struct {
// Certificate is an optional PEM encoded public certificate.
// Cert is an optional PEM-encoded public certificate.
// +kubebuilder:validation:Optional
Certificate string `json:"cert,omitempty" yaml:"cert,omitempty"`
// CertificateChain is an optional PEM encoded set of certificates used to verify
// CertChain is an optional PEM encoded set of certificates used to verify.
// +kubebuilder:validation:Optional
CertificateChain string `json:"certChain,omitempty" yaml:"certChain,omitempty"`
@ -210,8 +210,8 @@ type CertificateAttestor struct {
// +kubebuilder:validation:Optional
Rekor *Rekor `json:"rekor,omitempty" yaml:"rekor,omitempty"`
// CTLog provides configuration for validation of SCTs.
// If the value is nil, default ctlog public key is used
// CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
// Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
// +kubebuilder:validation:Optional
CTLog *CTLog `json:"ctlog,omitempty" yaml:"ctlog,omitempty"`
}
@ -222,8 +222,8 @@ type KeylessAttestor struct {
// +kubebuilder:validation:Optional
Rekor *Rekor `json:"rekor,omitempty" yaml:"rekor,omitempty"`
// CTLog provides configuration for validation of SCTs.
// If the value is nil, default ctlog public key is used
// CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
// Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
// +kubebuilder:validation:Optional
CTLog *CTLog `json:"ctlog,omitempty" yaml:"ctlog,omitempty"`
@ -231,7 +231,7 @@ type KeylessAttestor struct {
// +kubebuilder:validation:Optional
Issuer string `json:"issuer,omitempty" yaml:"issuer,omitempty"`
// Subject is the verified identity used for keyless signing, for example the email address
// Subject is the verified identity used for keyless signing, for example the email address.
// +kubebuilder:validation:Optional
Subject string `json:"subject,omitempty" yaml:"subject,omitempty"`
@ -246,27 +246,28 @@ type KeylessAttestor struct {
}
type Rekor struct {
// URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
// URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.
// +kubebuilder:validation:Required
// +kubebuilder:Default:=https://rekor.sigstore.dev
URL string `json:"url" yaml:"url"`
// RekorPubKey is an optional PEM encoded public key to use for a custom Rekor.
// If set, is used to validate signatures on log entries from Rekor.
// RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
// If set, this will be used to validate transparency log signatures from a custom Rekor.
// +kubebuilder:validation:Optional
RekorPubKey string `json:"pubkey,omitempty" yaml:"pubkey,omitempty"`
// IgnoreTlog skip tlog verification
// IgnoreTlog skips transparency log verification.
// +kubebuilder:validation:Optional
IgnoreTlog bool `json:"ignoreTlog,omitempty" yaml:"ignoreTlog,omitempty"`
}
type CTLog struct {
// IgnoreSCT requires that a certificate contain an embedded SCT during verification.
// IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
// timestamp. Default is false. Set to true if this was opted out during signing.
// +kubebuilder:validation:Optional
IgnoreSCT bool `json:"ignoreSCT,omitempty" yaml:"ignoreSCT,omitempty"`
// CTLogPubKey, if set, is used to validate SCTs against those keys.
// PubKey, if set, is used to validate SCTs against a custom source.
// +kubebuilder:validation:Optional
CTLogPubKey string `json:"pubkey,omitempty" yaml:"pubkey,omitempty"`
}
@ -283,7 +284,7 @@ type Attestation struct {
// +kubebuilder:validation:Optional
Type string `json:"type" yaml:"type"`
// Attestors specify the required attestors (i.e. authorities)
// Attestors specify the required attestors (i.e. authorities).
// +kubebuilder:validation:Optional
Attestors []AttestorSet `json:"attestors" yaml:"attestors"`
@ -294,17 +295,17 @@ type Attestation struct {
}
type ImageRegistryCredentials struct {
// AllowInsecureRegistry allows insecure access to a registry
// AllowInsecureRegistry allows insecure access to a registry.
// +kubebuilder:validation:Optional
AllowInsecureRegistry bool `json:"allowInsecureRegistry,omitempty" yaml:"allowInsecureRegistry,omitempty"`
// Providers specifies a list of OCI Registry names, whose authentication providers are provided
// It can be of one of these values: default,google,azure,amazon,github
// Providers specifies a list of OCI Registry names, whose authentication providers are provided.
// It can be of one of these values: default,google,azure,amazon,github.
// +kubebuilder:validation:Optional
Providers []ImageRegistryCredentialsProvidersType `json:"providers,omitempty" yaml:"providers,omitempty"`
// Secrets specifies a list of secrets that are provided for credentials
// Secrets must live in the Kyverno namespace
// Secrets specifies a list of secrets that are provided for credentials.
// Secrets must live in the Kyverno namespace.
// +kubebuilder:validation:Optional
Secrets []string `json:"secrets,omitempty" yaml:"secrets,omitempty"`
}
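Review bot: The new CTLog field comments in StaticKeyAttestor, CertificateAttestor and KeylessAttestor expand CTLog as "certificate timestamp log", but the CT here is Certificate Transparency — the log that issues the Signed Certificate Timestamps being checked — so the parenthetical should read `// CTLog (Certificate Transparency log) provides a configuration for validation of Signed Certificate` in all three places, and the same wording needs the same fix in the generated API reference section further down this page. Separately, the rewritten comments for Certificate, CertificateChain and CTLogPubKey now open with the JSON names (Cert, CertChain, PubKey) while the Go identifiers were kept, so they break the convention that a doc comment starts with the declared name and will read oddly in godoc; e.g. `// Certificate is an optional PEM-encoded public certificate.`. The CertificateChain sentence is also left dangling: "used to verify" should say what is verified, presumably the leaf certificate — worth confirming against the verifier code before wording it. The IgnoreSCT description would be clearer if it stated the polarity directly, i.e. that true skips SCT validation, rather than "defines whether to use" the log.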




@ -226,12 +226,12 @@ spec:
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows insecure access
to a registry
to a registry.
type: boolean
providers:
description: 'Providers specifies a list of OCI Registry
names, whose authentication providers are provided
It can be of one of these values: default,google,azure,amazon,github'
names, whose authentication providers are provided.
It can be of one of these values: default,google,azure,amazon,github.'
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers required.
@ -245,8 +245,8 @@ spec:
type: array
secrets:
description: Secrets specifies a list of secrets that
are provided for credentials Secrets must live in
the Kyverno namespace
are provided for credentials. Secrets must live in
the Kyverno namespace.
items:
type: string
type: array
@ -1467,12 +1467,12 @@ spec:
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows insecure access
to a registry
to a registry.
type: boolean
providers:
description: 'Providers specifies a list of OCI Registry
names, whose authentication providers are provided
It can be of one of these values: default,google,azure,amazon,github'
names, whose authentication providers are provided.
It can be of one of these values: default,google,azure,amazon,github.'
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers required.
@ -1486,8 +1486,8 @@ spec:
type: array
secrets:
description: Secrets specifies a list of secrets that
are provided for credentials Secrets must live in
the Kyverno namespace
are provided for credentials. Secrets must live in
the Kyverno namespace.
items:
type: string
type: array


@ -226,12 +226,12 @@ spec:
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows insecure access
to a registry
to a registry.
type: boolean
providers:
description: 'Providers specifies a list of OCI Registry
names, whose authentication providers are provided
It can be of one of these values: default,google,azure,amazon,github'
names, whose authentication providers are provided.
It can be of one of these values: default,google,azure,amazon,github.'
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers required.
@ -245,8 +245,8 @@ spec:
type: array
secrets:
description: Secrets specifies a list of secrets that
are provided for credentials Secrets must live in
the Kyverno namespace
are provided for credentials. Secrets must live in
the Kyverno namespace.
items:
type: string
type: array
@ -1467,12 +1467,12 @@ spec:
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows insecure access
to a registry
to a registry.
type: boolean
providers:
description: 'Providers specifies a list of OCI Registry
names, whose authentication providers are provided
It can be of one of these values: default,google,azure,amazon,github'
names, whose authentication providers are provided.
It can be of one of these values: default,google,azure,amazon,github.'
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers required.
@ -1486,8 +1486,8 @@ spec:
type: array
secrets:
description: Secrets specifies a list of secrets that
are provided for credentials Secrets must live in
the Kyverno namespace
are provided for credentials. Secrets must live in
the Kyverno namespace.
items:
type: string
type: array





@ -792,7 +792,7 @@ string
</em>
</td>
<td>
<p>Attestors specify the required attestors (i.e. authorities)</p>
<p>Attestors specify the required attestors (i.e. authorities).</p>
</td>
</tr>
<tr>
@ -838,7 +838,7 @@ StaticKeyAttestor
</em>
</td>
<td>
<p>Keys specifies one or more public keys</p>
<p>Keys specifies one or more public keys.</p>
</td>
</tr>
<tr>
@ -851,7 +851,7 @@ CertificateAttestor
</em>
</td>
<td>
<p>Certificates specifies one or more certificates</p>
<p>Certificates specifies one or more certificates.</p>
</td>
</tr>
<tr>
@ -878,7 +878,7 @@ Kubernetes apiextensions/v1.JSON
</em>
</td>
<td>
<p>Attestor is a nested AttestorSet used to specify a more complex set of match authorities</p>
<p>Attestor is a nested set of Attestor used to specify a more complex set of match authorities.</p>
</td>
</tr>
<tr>
@ -1109,7 +1109,8 @@ bool
</em>
</td>
<td>
<p>IgnoreSCT requires that a certificate contain an embedded SCT during verification.</p>
<p>IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
timestamp. Default is false. Set to true if this was opted out during signing.</p>
</td>
</tr>
<tr>
@ -1120,7 +1121,7 @@ string
</em>
</td>
<td>
<p>CTLogPubKey, if set, is used to validate SCTs against those keys.</p>
<p>PubKey, if set, is used to validate SCTs against a custom source.</p>
</td>
</tr>
</tbody>
@ -1150,7 +1151,7 @@ string
</em>
</td>
<td>
<p>Certificate is an optional PEM encoded public certificate.</p>
<p>Cert is an optional PEM-encoded public certificate.</p>
</td>
</tr>
<tr>
@ -1161,7 +1162,7 @@ string
</em>
</td>
<td>
<p>CertificateChain is an optional PEM encoded set of certificates used to verify</p>
<p>CertChain is an optional PEM encoded set of certificates used to verify.</p>
</td>
</tr>
<tr>
@ -1188,8 +1189,8 @@ CTLog
</em>
</td>
<td>
<p>CTLog provides configuration for validation of SCTs.
If the value is nil, default ctlog public key is used</p>
<p>CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.</p>
</td>
</tr>
</tbody>
@ -2085,7 +2086,7 @@ bool
</em>
</td>
<td>
<p>AllowInsecureRegistry allows insecure access to a registry</p>
<p>AllowInsecureRegistry allows insecure access to a registry.</p>
</td>
</tr>
<tr>
@ -2098,8 +2099,8 @@ bool
</em>
</td>
<td>
<p>Providers specifies a list of OCI Registry names, whose authentication providers are provided
It can be of one of these values: default,google,azure,amazon,github</p>
<p>Providers specifies a list of OCI Registry names, whose authentication providers are provided.
It can be of one of these values: default,google,azure,amazon,github.</p>
</td>
</tr>
<tr>
@ -2110,8 +2111,8 @@ It can be of one of these values: default,google,azure,amazon,github</p>
</em>
</td>
<td>
<p>Secrets specifies a list of secrets that are provided for credentials
Secrets must live in the Kyverno namespace</p>
<p>Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.</p>
</td>
</tr>
</tbody>
@ -2335,7 +2336,7 @@ ImageRegistryCredentials
</em>
</td>
<td>
<p>ImageRegistryCredentials provides credentials that will be used for authentication with registry</p>
<p>ImageRegistryCredentials provides credentials that will be used for authentication with registry.</p>
</td>
</tr>
<tr>
@ -2346,7 +2347,7 @@ bool
</em>
</td>
<td>
<p>UseCache enables caching of image verify responses for this rule</p>
<p>UseCache enables caching of image verify responses for this rule.</p>
</td>
</tr>
</tbody>
@ -2402,8 +2403,8 @@ CTLog
</em>
</td>
<td>
<p>CTLog provides configuration for validation of SCTs.
If the value is nil, default ctlog public key is used</p>
<p>CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.</p>
</td>
</tr>
<tr>
@ -2425,7 +2426,7 @@ string
</em>
</td>
<td>
<p>Subject is the verified identity used for keyless signing, for example the email address</p>
<p>Subject is the verified identity used for keyless signing, for example the email address.</p>
</td>
</tr>
<tr>
@ -2969,7 +2970,7 @@ string
</em>
</td>
<td>
<p>URL is the address of the transparency log. Defaults to the public log <a href="https://rekor.sigstore.dev">https://rekor.sigstore.dev</a>.</p>
<p>URL is the address of the transparency log. Defaults to the public Rekor log instance <a href="https://rekor.sigstore.dev">https://rekor.sigstore.dev</a>.</p>
</td>
</tr>
<tr>
@ -2980,8 +2981,8 @@ string
</em>
</td>
<td>
<p>RekorPubKey is an optional PEM encoded public key to use for a custom Rekor.
If set, is used to validate signatures on log entries from Rekor.</p>
<p>RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
If set, this will be used to validate transparency log signatures from a custom Rekor.</p>
</td>
</tr>
<tr>
@ -2992,7 +2993,7 @@ bool
</em>
</td>
<td>
<p>IgnoreTlog skip tlog verification</p>
<p>IgnoreTlog skips transparency log verification.</p>
</td>
</tr>
</tbody>
@ -3882,7 +3883,7 @@ string
</em>
</td>
<td>
<p>Specify signature algorithm for public keys. Supported values are sha256 and sha512</p>
<p>Specify signature algorithm for public keys. Supported values are sha256 and sha512.</p>
</td>
</tr>
<tr>
@ -3934,8 +3935,8 @@ CTLog
</em>
</td>
<td>
<p>CTLog provides configuration for validation of SCTs.
If the value is nil, default ctlog public key is used</p>
<p>CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.</p>
</td>
</tr>
</tbody>