From caab013a8604d2c440910be8e4826e42f491089f Mon Sep 17 00:00:00 2001 From: Pratik Shah <pratik@infracloud.io> Date: Fri, 14 Oct 2022 15:10:46 +0530 Subject: [PATCH] Fixed issue-4530: Added separate attestor type for secrets and KMS (#4733) Signed-off-by: Pratik Shah <pratik@infracloud.io> Signed-off-by: Vyankatesh <vyankateshkd@gmail.com> --- api/kyverno/v1/image_verification_test.go | 2 +- api/kyverno/v1/image_verification_types.go | 19 +- api/kyverno/v1/zz_generated.deepcopy.go | 20 ++ .../v2beta1/image_verification_test.go | 2 +- charts/kyverno/templates/crds.yaml | 256 ++++++++++++++ config/crds/kyverno.io_clusterpolicies.yaml | 164 +++++++++ config/crds/kyverno.io_policies.yaml | 164 +++++++++ config/install.yaml | 328 ++++++++++++++++++ config/install_debug.yaml | 328 ++++++++++++++++++ docs/crd/v1/index.html | 66 ++++ pkg/engine/imageVerify.go | 9 +- pkg/engine/imageVerify_test.go | 56 ++- test/e2e/verifyimages/config.go | 27 +- test/e2e/verifyimages/resources.go | 63 ++++ test/e2e/verifyimages/verifyimages_test.go | 17 +- 15 files changed, 1501 insertions(+), 20 deletions(-) diff --git a/api/kyverno/v1/image_verification_test.go b/api/kyverno/v1/image_verification_test.go index e07c60f4ee..731695fafe 100644 --- a/api/kyverno/v1/image_verification_test.go +++ b/api/kyverno/v1/image_verification_test.go @@ -121,7 +121,7 @@ func Test_ImageVerification(t *testing.T) { errors: func(i *ImageVerification) field.ErrorList { return field.ErrorList{ field.Invalid(path.Child("attestors").Index(0).Child("entries").Index(0).Child("keys"), - i.Attestors[0].Entries[0].Keys, "A key is required"), + i.Attestors[0].Entries[0].Keys, "A public key, kms key or secret is required"), } }, }, diff --git a/api/kyverno/v1/image_verification_types.go b/api/kyverno/v1/image_verification_types.go index 735ec54732..b110b91918 100644 --- a/api/kyverno/v1/image_verification_types.go +++ b/api/kyverno/v1/image_verification_types.go 
@@ -136,6 +136,13 @@ type StaticKeyAttestor struct { // +kubebuilder:default=sha256 SignatureAlgorithm string `json:"signatureAlgorithm,omitempty" yaml:"signatureAlgorithm,omitempty"` + // KMS provides the URI to the public key stored in a Key Management System. See: + // https://github.com/sigstore/cosign/blob/main/KMS.md + KMS string `json:"kms,omitempty" yaml:"kms,omitempty"` + + // Reference to a Secret resource that contains a public key + Secret *SecretReference `json:"secret,omitempty" yaml:"secret,omitempty"` + // Rekor provides configuration for the Rekor transparency log service. If the value is nil, // Rekor is not checked. If an empty object is provided the public instance of // Rekor (https://rekor.sigstore.dev) is used. @@ -143,6 +150,14 @@ type StaticKeyAttestor struct { Rekor *CTLog `json:"rekor,omitempty" yaml:"rekor,omitempty"` } +type SecretReference struct { + // name of the secret + Name string `json:"name" yaml:"name"` + + // namespace name in which secret is created + Namespace string `json:"namespace" yaml:"namespace"` +} + type CertificateAttestor struct { // Certificate is an optional PEM encoded public certificate. // +kubebuilder:validation:Optional @@ -306,8 +321,8 @@ func AttestorSetUnmarshal(o *apiextv1.JSON) (*AttestorSet, error) { } func (ska *StaticKeyAttestor) Validate(path *field.Path) (errs field.ErrorList) { - if ska.PublicKeys == "" { - errs = append(errs, field.Invalid(path, ska, "A key is required")) + if ska.PublicKeys == "" && ska.KMS == "" && ska.Secret == nil { + errs = append(errs, field.Invalid(path, ska, "A public key, kms key or secret is required")) } if ska.PublicKeys != "" && ska.SignatureAlgorithm != "" && ska.SignatureAlgorithm != "sha256" && ska.SignatureAlgorithm != "sha512" { errs = append(errs, field.Invalid(path, ska, "Invalid signature algorithm provided")) diff --git a/api/kyverno/v1/zz_generated.deepcopy.go b/api/kyverno/v1/zz_generated.deepcopy.go index 85b815d881..16b5449fbe 100755 
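Review bot: `SecretReference` takes a caller-chosen `Namespace`, and the same `secret` object is added to the namespaced `Policy` CRD later in this patch, so a policy author confined to one namespace can point Kyverno at a Secret in any other namespace; nothing on the type restricts that. If the engine only consumes a public key from it, as the doc comments suggest, this is not a disclosure path by itself, but the cross-namespace read presumably happens with Kyverno's own service-account credentials, and that should be stated and checked against the RBAC it is granted. The doc comment also does not say which key of the Secret's `data` map is expected to hold the PEM; name it on the type, e.g. `// Reference to a Secret whose data holds a PEM-encoded public key. Namespace is not required to match the Policy's namespace.` with the data key added once confirmed from the engine change, which is outside this hunk.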
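Review bot: `Validate` still accepts an empty reference (`secret: {}`) and any combination of `publicKeys`, `kms` and `secret` set together, because the only new check is the all-empty guard on the first `if`. The CRD marks `name`/`namespace` required, but paths that bypass API-server validation (the CLI, presumably) reach this method with `ska.Secret != nil` and both fields empty, and with several sources set the engine is left to decide which one wins. Add `if ska.Secret != nil && (ska.Secret.Name == "" || ska.Secret.Namespace == "") { errs = append(errs, field.Invalid(path.Child("secret"), ska.Secret, "secret name and namespace are required")) }` after the first check, and consider rejecting more than one of the three sources so the choice is explicit. Note also that the `signatureAlgorithm` check on the following line only runs when `publicKeys` is set, so an unsupported value paired with `kms` or `secret` passes validation, and the updated API tests in this patch only exercise the all-empty case. The rest of `Validate` continues outside the hunk.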
--- a/api/kyverno/v1/zz_generated.deepcopy.go +++ b/api/kyverno/v1/zz_generated.deepcopy.go @@ -1237,6 +1237,21 @@ func (in *Rule) DeepCopy() *Rule { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretReference) DeepCopyInto(out *SecretReference) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretReference. +func (in *SecretReference) DeepCopy() *SecretReference { + if in == nil { + return nil + } + out := new(SecretReference) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Spec) DeepCopyInto(out *Spec) { *out = *in @@ -1294,6 +1309,11 @@ func (in *Spec) DeepCopy() *Spec { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *StaticKeyAttestor) DeepCopyInto(out *StaticKeyAttestor) { *out = *in + if in.Secret != nil { + in, out := &in.Secret, &out.Secret + *out = new(SecretReference) + **out = **in + } if in.Rekor != nil { in, out := &in.Rekor, &out.Rekor *out = new(CTLog) diff --git a/api/kyverno/v2beta1/image_verification_test.go b/api/kyverno/v2beta1/image_verification_test.go index b8fc488d2f..9adab20eca 100644 --- a/api/kyverno/v2beta1/image_verification_test.go +++ b/api/kyverno/v2beta1/image_verification_test.go @@ -64,7 +64,7 @@ func Test_ImageVerification(t *testing.T) { errors: func(i *ImageVerification) field.ErrorList { return field.ErrorList{ field.Invalid(path.Child("attestors").Index(0).Child("entries").Index(0).Child("keys"), - i.Attestors[0].Entries[0].Keys, "A key is required"), + i.Attestors[0].Entries[0].Keys, "A public key, kms key or secret is required"), } }, }, diff --git a/charts/kyverno/templates/crds.yaml b/charts/kyverno/templates/crds.yaml index 7ed5849b44..9af3c1d25b 100644 
--- a/charts/kyverno/templates/crds.yaml +++ b/charts/kyverno/templates/crds.yaml @@ -2387,6 +2387,9 @@ spec: keys: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string @@ -2399,6 +2402,19 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm for public keys. Supported values are sha256 and sha512 @@ -2678,6 +2694,9 @@ spec: keys: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string 
@@ -2690,6 +2709,19 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm for public keys. Supported values are sha256 and sha512 @@ -4132,6 +4164,9 @@ spec: keys: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string @@ -4144,6 +4179,19 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm for public keys. Supported values are sha256 and sha512 
@@ -4423,6 +4471,9 @@ spec: keys: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string @@ -4435,6 +4486,19 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm for public keys. Supported values are sha256 and sha512 @@ -5828,6 +5892,9 @@ spec: keys: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string 
@@ -5840,6 +5907,19 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm for public keys. Supported values are sha256 and sha512 @@ -6109,6 +6189,9 @@ spec: keys: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string @@ -6121,6 +6204,19 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm for public keys. Supported values are sha256 and sha512 
@@ -7548,6 +7644,9 @@ spec: keys: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string @@ -7560,6 +7659,19 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm for public keys. Supported values are sha256 and sha512 @@ -7839,6 +7951,9 @@ spec: keys: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string 
@@ -7851,6 +7966,19 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm for public keys. Supported values are sha256 and sha512 @@ -9840,6 +9968,9 @@ spec: keys: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string @@ -9852,6 +9983,19 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm for public keys. Supported values are sha256 and sha512 
@@ -10131,6 +10275,9 @@ spec: keys: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string @@ -10143,6 +10290,19 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm for public keys. Supported values are sha256 and sha512 @@ -11585,6 +11745,9 @@ spec: keys: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string 
@@ -11597,6 +11760,19 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm for public keys. Supported values are sha256 and sha512 @@ -11876,6 +12052,9 @@ spec: keys: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string @@ -11888,6 +12067,19 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm for public keys. Supported values are sha256 and sha512 
@@ -13281,6 +13473,9 @@ spec: keys: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string @@ -13293,6 +13488,19 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm for public keys. Supported values are sha256 and sha512 @@ -13562,6 +13770,9 @@ spec: keys: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string 
@@ -13574,6 +13785,19 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm for public keys. Supported values are sha256 and sha512 @@ -15001,6 +15225,9 @@ spec: keys: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string @@ -15013,6 +15240,19 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm for public keys. Supported values are sha256 and sha512 
@@ -15292,6 +15532,9 @@ spec: keys: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string @@ -15304,6 +15547,19 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm for public keys. Supported values are sha256 and sha512 diff --git a/config/crds/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno.io_clusterpolicies.yaml index 6845a3ba4f..b4c0e935ce 100644 --- a/config/crds/kyverno.io_clusterpolicies.yaml +++ b/config/crds/kyverno.io_clusterpolicies.yaml @@ -2262,6 +2262,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to + the public key stored in a Key Management + System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. 
@@ -2291,6 +2296,21 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which + secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -2704,6 +2724,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to + the public key stored in a Key Management + System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. @@ -2732,6 +2757,21 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which + secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -5129,6 +5169,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI + to the public key stored in a + Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image @@ -5160,6 +5205,22 @@ spec: required: - url type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name + in which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm 
@@ -5583,6 +5644,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI + to the public key stored in a Key + Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image @@ -5613,6 +5679,22 @@ spec: required: - url type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in + which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -7799,6 +7881,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to + the public key stored in a Key Management + System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. @@ -7828,6 +7915,21 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which + secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -8226,6 +8328,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to + the public key stored in a Key Management + System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. 
@@ -8254,6 +8361,21 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which + secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -10626,6 +10748,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI + to the public key stored in a + Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image @@ -10657,6 +10784,22 @@ spec: required: - url type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name + in which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -11080,6 +11223,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI + to the public key stored in a Key + Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image @@ -11110,6 +11258,22 @@ spec: required: - url type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in + which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm 
diff --git a/config/crds/kyverno.io_policies.yaml b/config/crds/kyverno.io_policies.yaml index f6a85fdb87..04bd65f964 100644 --- a/config/crds/kyverno.io_policies.yaml +++ b/config/crds/kyverno.io_policies.yaml @@ -2263,6 +2263,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to + the public key stored in a Key Management + System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. @@ -2292,6 +2297,21 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which + secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -2705,6 +2725,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to + the public key stored in a Key Management + System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. @@ -2733,6 +2758,21 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which + secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm 
@@ -5131,6 +5171,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI + to the public key stored in a + Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image @@ -5162,6 +5207,22 @@ spec: required: - url type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name + in which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -5585,6 +5646,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI + to the public key stored in a Key + Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image @@ -5615,6 +5681,22 @@ spec: required: - url type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in + which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -7802,6 +7884,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to + the public key stored in a Key Management + System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. 
@@ -7831,6 +7918,21 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which + secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -8229,6 +8331,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to + the public key stored in a Key Management + System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. @@ -8257,6 +8364,21 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which + secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -10629,6 +10751,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI + to the public key stored in a + Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image @@ -10660,6 +10787,22 @@ spec: required: - url type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name + in which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm 
@@ -11083,6 +11226,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI + to the public key stored in a Key + Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image @@ -11113,6 +11261,22 @@ spec: required: - url type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in + which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm diff --git a/config/install.yaml b/config/install.yaml index 4c33428335..e26aa43dc1 100644 --- a/config/install.yaml +++ b/config/install.yaml @@ -3556,6 +3556,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to + the public key stored in a Key Management + System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. @@ -3585,6 +3590,21 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which + secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm 
@@ -3998,6 +4018,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to + the public key stored in a Key Management + System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. @@ -4026,6 +4051,21 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which + secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -6423,6 +6463,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI + to the public key stored in a + Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image @@ -6454,6 +6499,22 @@ spec: required: - url type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name + in which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -6877,6 +6938,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI + to the public key stored in a Key + Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image 
@@ -6907,6 +6973,22 @@ spec: required: - url type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in + which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -9093,6 +9175,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to + the public key stored in a Key Management + System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. @@ -9122,6 +9209,21 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which + secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -9520,6 +9622,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to + the public key stored in a Key Management + System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. 
@@ -9548,6 +9655,21 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which + secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -11920,6 +12042,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI + to the public key stored in a + Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image @@ -11951,6 +12078,22 @@ spec: required: - url type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name + in which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -12374,6 +12517,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI + to the public key stored in a Key + Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image @@ -12404,6 +12552,22 @@ spec: required: - url type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in + which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm 
@@ -15403,6 +15567,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to + the public key stored in a Key Management + System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. @@ -15432,6 +15601,21 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which + secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -15845,6 +16029,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to + the public key stored in a Key Management + System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. @@ -15873,6 +16062,21 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which + secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -18271,6 +18475,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI + to the public key stored in a + Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image 
@@ -18302,6 +18511,22 @@ spec: required: - url type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name + in which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -18725,6 +18950,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI + to the public key stored in a Key + Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image @@ -18755,6 +18985,22 @@ spec: required: - url type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in + which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -20942,6 +21188,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to + the public key stored in a Key Management + System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. 
@@ -20971,6 +21222,21 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which + secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -21369,6 +21635,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to + the public key stored in a Key Management + System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. @@ -21397,6 +21668,21 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which + secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -23769,6 +24055,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI + to the public key stored in a + Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image 
@@ -23800,6 +24091,22 @@ spec: required: - url type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name + in which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -24223,6 +24530,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI + to the public key stored in a Key + Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image @@ -24253,6 +24565,22 @@ spec: required: - url type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in + which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm diff --git a/config/install_debug.yaml b/config/install_debug.yaml index 329ebcabe6..03df7e5b46 100644 --- a/config/install_debug.yaml +++ b/config/install_debug.yaml @@ -3550,6 +3550,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to + the public key stored in a Key Management + System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. 
@@ -3579,6 +3584,21 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which + secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -3992,6 +4012,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to + the public key stored in a Key Management + System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. @@ -4020,6 +4045,21 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which + secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -6417,6 +6457,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI + to the public key stored in a + Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image @@ -6448,6 +6493,22 @@ spec: required: - url type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name + in which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm 
@@ -6871,6 +6932,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI + to the public key stored in a Key + Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image @@ -6901,6 +6967,22 @@ spec: required: - url type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in + which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -9087,6 +9169,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to + the public key stored in a Key Management + System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. @@ -9116,6 +9203,21 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which + secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -9514,6 +9616,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to + the public key stored in a Key Management + System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. 
@@ -9542,6 +9649,21 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which + secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -11914,6 +12036,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI + to the public key stored in a + Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image @@ -11945,6 +12072,22 @@ spec: required: - url type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name + in which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -12368,6 +12511,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI + to the public key stored in a Key + Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image @@ -12398,6 +12546,22 @@ spec: required: - url type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in + which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm 
@@ -15394,6 +15558,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to + the public key stored in a Key Management + System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. @@ -15423,6 +15592,21 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which + secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -15836,6 +16020,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to + the public key stored in a Key Management + System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. @@ -15864,6 +16053,21 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which + secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -18262,6 +18466,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI + to the public key stored in a + Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image 
@@ -18293,6 +18502,22 @@ spec: required: - url type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name + in which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -18716,6 +18941,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI + to the public key stored in a Key + Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image @@ -18746,6 +18976,22 @@ spec: required: - url type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in + which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -20933,6 +21179,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to + the public key stored in a Key Management + System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. 
@@ -20962,6 +21213,21 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which + secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -21360,6 +21626,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI to + the public key stored in a Key Management + System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image signatures. @@ -21388,6 +21659,21 @@ spec: required: - url type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in which + secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -23760,6 +24046,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI + to the public key stored in a + Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image 
@@ -23791,6 +24082,22 @@ spec: required: - url type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name + in which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm @@ -24214,6 +24521,11 @@ spec: description: Keys specifies one or more public keys properties: + kms: + description: 'KMS provides the URI + to the public key stored in a Key + Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string publicKeys: description: Keys is a set of X.509 public keys used to verify image @@ -24244,6 +24556,22 @@ spec: required: - url type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: name of the secret + type: string + namespace: + description: namespace name in + which secret is created + type: string + required: + - name + - namespace + type: object signatureAlgorithm: default: sha256 description: Specify signature algorithm diff --git a/docs/crd/v1/index.html b/docs/crd/v1/index.html index 8844762616..bab6fe095c 100644 --- a/docs/crd/v1/index.html +++ b/docs/crd/v1/index.html 
@@ -3205,6 +3205,47 @@ Generation </tbody> </table> <hr /> +<h3 id="kyverno.io/v1.SecretReference">SecretReference +</h3> +<p> +(<em>Appears on:</em> +<a href="#kyverno.io/v1.StaticKeyAttestor">StaticKeyAttestor</a>) +</p> +<p> +</p> +<table class="table table-striped"> +<thead class="thead-dark"> +<tr> +<th>Field</th> +<th>Description</th> +</tr> +</thead> +<tbody> +<tr> +<td> +<code>name</code><br/> +<em> +string +</em> +</td> +<td> +<p>name of the secret</p> +</td> +</tr> +<tr> +<td> +<code>namespace</code><br/> +<em> +string +</em> +</td> +<td> +<p>namespace name in which secret is created</p> +</td> +</tr> +</tbody> +</table> +<hr /> <h3 id="kyverno.io/v1.Spec">Spec </h3> <p> @@ -3416,6 +3457,31 @@ string </tr> <tr> <td> +<code>kms</code><br/> +<em> +string +</em> +</td> +<td> +<p>KMS provides the URI to the public key stored in a Key Management System. See: +<a href="https://github.com/sigstore/cosign/blob/main/KMS.md">https://github.com/sigstore/cosign/blob/main/KMS.md</a></p> +</td> +</tr> +<tr> +<td> +<code>secret</code><br/> +<em> +<a href="#kyverno.io/v1.SecretReference"> +SecretReference +</a> +</em> +</td> +<td> +<p>Reference to a Secret resource that contains a public key</p> +</td> +</tr> +<tr> +<td> <code>rekor</code><br/> <em> <a href="#kyverno.io/v1.CTLog"> diff --git a/pkg/engine/imageVerify.go b/pkg/engine/imageVerify.go index 906f9104af..aa747b77f9 100644 --- a/pkg/engine/imageVerify.go +++ b/pkg/engine/imageVerify.go 
@@ -425,7 +425,14 @@ func (iv *imageVerifier) buildOptionsAndPath(attestor kyvernov1.Attestor, imageV
 if attestor.Keys != nil {
 path = path + ".keys"
- opts.Key = attestor.Keys.PublicKeys
+ if attestor.Keys.PublicKeys != "" {
+ opts.Key = attestor.Keys.PublicKeys
+ } else if attestor.Keys.Secret != nil {
+ opts.Key = fmt.Sprintf("k8s://%s/%s", attestor.Keys.Secret.Namespace,
+ attestor.Keys.Secret.Name)
+ } else if attestor.Keys.KMS != "" {
+ opts.Key = attestor.Keys.KMS
+ }
 if attestor.Keys.Rekor != nil {
 opts.RekorURL = attestor.Keys.Rekor.URL
 }
diff --git a/pkg/engine/imageVerify_test.go b/pkg/engine/imageVerify_test.go
index 4682cd8c7b..a7d0e6449a 100644
--- a/pkg/engine/imageVerify_test.go
+++ b/pkg/engine/imageVerify_test.go
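Review bot: The `k8s://` reference built in the new `else if attestor.Keys.Secret != nil` branch interpolates `Secret.Namespace` and `Secret.Name` without checking that either is non-empty, so a reference with a blank field produces a malformed key URI such as `k8s:///name` that is only rejected, if at all, somewhere later in the verifier with a less useful error. A guard such as `} else if s := attestor.Keys.Secret; s != nil && s.Name != "" && s.Namespace != "" {` here, or the equivalent non-empty check in the attestor's validation, would reject it up front. The branch order is also a silent precedence rule: when `publicKeys`, `secret` and `kms` are all set the last two are ignored, which deserves either a comment like `// publicKeys takes precedence over secret, which takes precedence over kms` or a validation error for the combination. Since the namespace comes from the policy, a policy author can point verification at a Secret in any namespace the engine's own service account can read, which is presumably bounded only by the controller's RBAC and is worth stating in the `secret` field's documentation. buildOptionsAndPath starts and ends outside the hunk.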
@@ -535,26 +535,62 @@ func Test_NestedAttestors(t *testing.T) { } func Test_ExpandKeys(t *testing.T) { - as := expandStaticKeys(createStaticKeyAttestorSet("")) + as := expandStaticKeys(createStaticKeyAttestorSet("", true, false, false)) assert.Equal(t, 1, len(as.Entries)) - as = expandStaticKeys(createStaticKeyAttestorSet(testOtherKey)) + as = expandStaticKeys(createStaticKeyAttestorSet(testOtherKey, true, false, false)) assert.Equal(t, 1, len(as.Entries)) - as = expandStaticKeys(createStaticKeyAttestorSet(testOtherKey + testOtherKey + testOtherKey)) + as = expandStaticKeys(createStaticKeyAttestorSet(testOtherKey+testOtherKey+testOtherKey, true, false, false)) assert.Equal(t, 3, len(as.Entries)) + + as = expandStaticKeys(createStaticKeyAttestorSet("", false, true, false)) + assert.Equal(t, 1, len(as.Entries)) + assert.DeepEqual(t, &kyverno.SecretReference{Name: "testsecret", Namespace: "default"}, + as.Entries[0].Keys.Secret) + + as = expandStaticKeys(createStaticKeyAttestorSet("", false, false, true)) + assert.Equal(t, 1, len(as.Entries)) + assert.DeepEqual(t, "gcpkms://projects/test_project_id/locations/asia-south1/keyRings/test_key_ring_name/cryptoKeys/test_key_name/versions/1", as.Entries[0].Keys.KMS) + + as = expandStaticKeys((createStaticKeyAttestorSet(testOtherKey, true, true, false))) + assert.Equal(t, 2, len(as.Entries)) + assert.DeepEqual(t, testOtherKey, as.Entries[0].Keys.PublicKeys) + assert.DeepEqual(t, &kyverno.SecretReference{Name: "testsecret", Namespace: "default"}, + as.Entries[1].Keys.Secret) } -func createStaticKeyAttestorSet(s string) kyverno.AttestorSet { - return kyverno.AttestorSet{ - Entries: []kyverno.Attestor{ - { - Keys: &kyverno.StaticKeyAttestor{ - PublicKeys: s, +func createStaticKeyAttestorSet(s string, withPublicKey, withSecret, withKMS bool) kyverno.AttestorSet { + var entries []kyverno.Attestor + if withPublicKey { + attestor := kyverno.Attestor{ + Keys: &kyverno.StaticKeyAttestor{ + PublicKeys: s, + }, + } + entries = 
append(entries, attestor) + } + if withSecret { + attestor := kyverno.Attestor{ + Keys: &kyverno.StaticKeyAttestor{ + Secret: &kyverno.SecretReference{ + Name: "testsecret", + Namespace: "default", }, }, - }, + } + entries = append(entries, attestor) } + if withKMS { + kmsKey := "gcpkms://projects/test_project_id/locations/asia-south1/keyRings/test_key_ring_name/cryptoKeys/test_key_name/versions/1" + attestor := kyverno.Attestor{ + Keys: &kyverno.StaticKeyAttestor{ + KMS: kmsKey, + }, + } + entries = append(entries, attestor) + } + return kyverno.AttestorSet{Entries: entries} } func Test_ChangedAnnotation(t *testing.T) { diff --git a/test/e2e/verifyimages/config.go b/test/e2e/verifyimages/config.go index a468b07a96..e9f22ca1ea 100644 --- a/test/e2e/verifyimages/config.go +++ b/test/e2e/verifyimages/config.go @@ -5,7 +5,10 @@ import ( "k8s.io/apimachinery/pkg/runtime/schema" ) -var taskGVR = e2e.GetGVR("tekton.dev", "v1beta1", "tasks") +var ( + taskGVR = e2e.GetGVR("tekton.dev", "v1beta1", "tasks") + podGVR = e2e.GetGVR("", "v1", "pods") +) var VerifyImagesTests = []struct { // TestName - Name of the Test @@ -80,4 +83,26 @@ var VerifyImagesTests = []struct { ResourceRaw: tektonTaskVerified, MustSucceed: true, }, + { + // Success case to check secret in attestors.entries.keys + TestName: "secret-in-keys-success", + PolicyName: "secret-in-keys", + PolicyRaw: kyvernoPolicyWithSecretInKeys, + ResourceName: "test-secret-pod", + ResourceNamespace: "test-verify-images", + ResourceGVR: podGVR, + ResourceRaw: secretPodResourceSuccess, + MustSucceed: true, + }, + { + // Failed case to check secret in attestors.entries.keys + TestName: "secret-in-keys-failure", + PolicyName: "secret-in-keys", + PolicyRaw: kyvernoPolicyWithSecretInKeys, + ResourceName: "test-secret-pod", + ResourceNamespace: "test-verify-images", + ResourceGVR: podGVR, + ResourceRaw: secretPodResourceFailed, + MustSucceed: false, + }, } 
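Review bot: The new cases in Test_ExpandKeys only ever set one of PublicKeys, Secret or KMS per StaticKeyAttestor, so the precedence applied in pkg/engine/imageVerify.go when several are set on one attestor, and the `k8s://<namespace>/<name>` reference it builds, are not exercised anywhere in this file. A case that constructs a single StaticKeyAttestor with both Secret and KMS set and asserts what expandStaticKeys returns for it would pin that behaviour. As a point of style, `createStaticKeyAttestorSet(s string, withPublicKey, withSecret, withKMS bool)` reads as three opaque booleans at every call site; a small options struct, or letting the callers build the entries directly, would be clearer, and the doubled parentheses in `expandStaticKeys((createStaticKeyAttestorSet(testOtherKey, true, true, false)))` should be dropped. The config.go hunks that share this line only add test-table entries.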
diff --git a/test/e2e/verifyimages/resources.go b/test/e2e/verifyimages/resources.go index 3c0ddc24aa..17c95d8791 100644 --- a/test/e2e/verifyimages/resources.go +++ b/test/e2e/verifyimages/resources.go @@ -61,6 +61,69 @@ spec: image: ghcr.io/sigstore/cosign/cosign `) +// not adding cosign.key and cosign.password as we only need cosign.pub +var secretResource = []byte(` +apiVersion: v1 +kind: Secret +metadata: + name: testsecret + namespace: test-verify-images +data: + cosign.pub: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFOG5YUmg5NTBJWmJSajhSYS9OOXNicU9QWnJmTQo1L0tBUU4wL0tqSGNvcm0vSjV5Y3RWZDdpRWNuZXNzUlFqVTkxN2htS082SldWR0hwRGd1SXlha1pBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t +type: Opaque +`) + +var secretPodResourceSuccess = []byte(` +apiVersion: v1 +kind: Pod +metadata: + name: test-secret-pod + namespace: test-verify-images +spec: + containers: + - image: ghcr.io/kyverno/test-verify-image:signed + name: test-secret +`) + +var secretPodResourceFailed = []byte(` +apiVersion: v1 +kind: Pod +metadata: + name: test-secret-pod + namespace: test-verify-images +spec: + containers: + - image: ghcr.io/kyverno/test-verify-image:unsigned + name: test-secret +`) + +var kyvernoPolicyWithSecretInKeys = []byte(` +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: secret-in-keys +spec: + validationFailureAction: enforce + background: false + webhookTimeoutSeconds: 30 + failurePolicy: Fail + rules: + - name: check-secret-in-keys + match: + resources: + kinds: + - Pod + verifyImages: + - imageReferences: + - "ghcr.io/kyverno/test-verify-image:*" + attestors: + - entries: + - keys: + secret: + name: testsecret + namespace: test-verify-images +`) + var kyvernoTaskPolicyWithSimpleExtractor = []byte(` apiVersion: kyverno.io/v1 kind: ClusterPolicy diff --git a/test/e2e/verifyimages/verifyimages_test.go b/test/e2e/verifyimages/verifyimages_test.go index 565fba32f3..f2b5b5ea16 100644 --- a/test/e2e/verifyimages/verifyimages_test.go 
+++ b/test/e2e/verifyimages/verifyimages_test.go @@ -21,6 +21,8 @@ var ( policyGVR = e2e.GetGVR("kyverno.io", "v1", "clusterpolicies") // Namespace GVR namespaceGVR = e2e.GetGVR("", "v1", "namespaces") + // Secret GVR + secretGVR = e2e.GetGVR("", "v1", "secrets") crdGVR = e2e.GetGVR("apiextensions.k8s.io", "v1", "customresourcedefinitions") @@ -84,7 +86,8 @@ func TestImageVerify(t *testing.T) { _ = e2eClient.DeleteClusteredResource(namespaceGVR, test.ResourceNamespace) By("Wait Till Deletion of Namespace...") - err = e2e.GetWithRetry(1*time.Second, 15, func() error { + // deleting test-secret-pod might take some time. hence increasing timeout period + err = e2e.GetWithRetry(20*time.Second, 15, func() error { _, err := e2eClient.GetClusteredResource(namespaceGVR, test.ResourceNamespace) if err != nil { return nil @@ -120,6 +123,12 @@ func TestImageVerify(t *testing.T) { }) Expect(err).NotTo(HaveOccurred()) + if test.PolicyName == "secret-in-keys" { + By("Creating testsecret...") + _, err := e2eClient.CreateNamespacedResourceYaml(secretGVR, test.ResourceNamespace, "testsecret", secretResource) + Expect(err).NotTo(HaveOccurred()) + } + Expect(e2eClient.ClusterPolicyReady(test.PolicyName)).To(BeTrue()) By("Creating Resource...") @@ -138,7 +147,8 @@ func TestImageVerify(t *testing.T) { // Clear Namespace e2eClient.DeleteClusteredResource(namespaceGVR, nspace) // Wait Till Deletion of Namespace - e2e.GetWithRetry(time.Duration(1*time.Second), 15, func() error { + // deleting test-secret-pod might take some time. hence increasing timeout period + e2e.GetWithRetry(time.Duration(20*time.Second), 15, func() error { _, err := e2eClient.GetClusteredResource(namespaceGVR, nspace) if err != nil { return nil @@ -149,9 +159,8 @@ func TestImageVerify(t *testing.T) { By(fmt.Sprintf("Test %s Completed \n\n\n", test.TestName)) } - //CleanUp CRDs + // CleanUp CRDs e2eClient.DeleteClusteredResource(crdGVR, crdName) - } func Test_BoolFields(t *testing.T) {
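Review bot: The test secret is created only when `test.PolicyName == "secret-in-keys"`, which couples the test loop to one policy name instead of the table; a `SecretRaw []byte` field on the VerifyImagesTests entries, created whenever it is non-nil, would let future secret-backed cases work without editing this loop. The two retry changes raise the first argument of `e2e.GetWithRetry` from 1s to 20s while keeping 15 attempts; if that argument is the poll interval rather than a total timeout, namespace deletion can now block for up to five minutes per test, which the comment `deleting test-secret-pod might take some time` does not convey — state the resulting bound in the comment or raise the attempt count instead. Inside the new `if`, `_, err := ...` shadows the outer `err`; it is checked on the next line so this is harmless today, but `_, err = ...` avoids a future footgun. TestImageVerify starts and ends outside these hunks.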