From e9e44291bf230a96b5e6e11a467f210fd5e8faf8 Mon Sep 17 00:00:00 2001 From: Vishal Choudhary Date: Tue, 15 Aug 2023 19:55:55 +0530 Subject: [PATCH] Support for Cosign 2.0 (#7248) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * cosign 2.0 version upgrade Signed-off-by: Vishal Choudhary * IgnoreTlog and IgnoreSCT updated Signed-off-by: Vishal Choudhary * removed cli packages Signed-off-by: Vishal Choudhary * lazy evaluate vars in conditions (#7238) * lazy evaluate vars in conditions Signed-off-by: Jim Bugwadia * remove unnecessary conversion Signed-off-by: Jim Bugwadia * fix test Signed-off-by: Jim Bugwadia * Update test/conformance/kuttl/validate/clusterpolicy/standard/variables/lazyload/conditions/03-manifests.yaml Signed-off-by: shuting * Update test/conformance/kuttl/validate/clusterpolicy/standard/variables/lazyload/README.md Signed-off-by: shuting * added error check in test Signed-off-by: Jim Bugwadia --------- Signed-off-by: Jim Bugwadia Signed-off-by: shuting Co-authored-by: shuting Co-authored-by: kyverno-bot <104836976+kyverno-bot@users.noreply.github.com> Signed-off-by: Vishal Choudhary * in-toto-golang update Signed-off-by: Vishal Choudhary * added rekor Signed-off-by: Vishal Choudhary * quote image in error (#7259) Signed-off-by: bakito Signed-off-by: Vishal Choudhary * fix: auto update webhooks not configuring fail endpoint (#7261) Signed-off-by: Charles-Edouard Brétéché Signed-off-by: Vishal Choudhary * fix latest version check (#7263) Signed-off-by: ShutingZhao 
Signed-off-by: Vishal Choudhary * chore(deps): bump svenstaro/upload-release-action from 2.5.0 to 2.6.0 (#7270) Bumps [svenstaro/upload-release-action](https://github.com/svenstaro/upload-release-action) from 2.5.0 to 2.6.0. - [Release notes](https://github.com/svenstaro/upload-release-action/releases) - [Changelog](https://github.com/svenstaro/upload-release-action/blob/master/CHANGELOG.md) - [Commits](https://github.com/svenstaro/upload-release-action/compare/7319e4733ec7a184d739a6f412c40ffc339b69c7...58d525808845e4c8ff229ea1d5d7c496504a79bc) --- updated-dependencies: - dependency-name: svenstaro/upload-release-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Vishal Choudhary * chore(deps): bump sigs.k8s.io/controller-runtime from 0.14.6 to 0.15.0 (#7272) Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.14.6 to 0.15.0. - [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases) - [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md) - [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.14.6...v0.15.0) --- updated-dependencies: - dependency-name: sigs.k8s.io/controller-runtime dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Vishal Choudhary * feat: add yaml util to check empty document (#7276) Signed-off-by: Charles-Edouard Brétéché 
Signed-off-by: Vishal Choudhary * chore(deps): bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#7274) Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](https://github.com/go-git/go-git/compare/v5.6.1...v5.7.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Vishal Choudhary * chore(deps): bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#7274) Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](https://github.com/go-git/go-git/compare/v5.6.1...v5.7.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Vishal Choudhary * chore(deps): bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#7274) Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](https://github.com/go-git/go-git/compare/v5.6.1...v5.7.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * go mod update Signed-off-by: Vishal Choudhary * removed cosign 1.13.1 dependency Signed-off-by: Vishal Choudhary * added default rekor url Signed-off-by: Vishal Choudhary * updated cosign option 
Signed-off-by: Vishal Choudhary * chore(deps): bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#7274) Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](https://github.com/go-git/go-git/compare/v5.6.1...v5.7.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * go mod update Signed-off-by: Vishal Choudhary * go sum fix Signed-off-by: Vishal Choudhary * NIT Signed-off-by: Vishal Choudhary * fix failing test: Test_VerifyManifest_MustAll_InvalidYAML Signed-off-by: Vishal Choudhary * suggestions from jim Signed-off-by: Vishal Choudhary * go mod fix Signed-off-by: Vishal Choudhary * updates to cosign verification Signed-off-by: Vishal Choudhary * kuttl test ignore sct Signed-off-by: Vishal Choudhary * go mod fixes Signed-off-by: Vishal Choudhary * go mod update Signed-off-by: Vishal Choudhary * downgrading gcr version Signed-off-by: Vishal Choudhary * null pointer error Signed-off-by: Vishal Choudhary * updated failing cli tests Signed-off-by: Vishal Choudhary * updated kuttl test with complete subjects Signed-off-by: Vishal Choudhary * fixed issue with wildcard replacement Signed-off-by: Vishal Choudhary * engine tests Signed-off-by: Vishal Choudhary * removed conflicts with notary Signed-off-by: Vishal Choudhary * updated go mod Signed-off-by: Vishal Choudhary * codegen and test Signed-off-by: Vishal Choudhary * added pubkeys test Signed-off-by: Vishal Choudhary * add default CTLogPubKeys Signed-off-by: Vishal Choudhary * cleanup Signed-off-by: Vishal Choudhary * unwanted test Signed-off-by: Vishal Choudhary * fix: auth checks with the APIVersion and the subresource (#7628) * fix auth checks with apiVersion and subresource 
Signed-off-by: ShutingZhao * add kuttl tests Signed-off-by: ShutingZhao * remove duplicate code Signed-off-by: ShutingZhao * update permissions Signed-off-by: ShutingZhao --------- Signed-off-by: ShutingZhao * fix: harden rbac permissions (#7638) Signed-off-by: Charles-Edouard Brétéché * chore(deps): bump sigstore/cosign-installer from 3.0.5 to 3.1.0 (#7664) Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.5 to 3.1.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/dd6b2e2b610a11fd73dd187a43d57cc1394e35f9...d13028333d784fcc802b67ec924bcebe75aa0a5f) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump ossf/scorecard-action from 2.1.3 to 2.2.0 (#7663) Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.1.3 to 2.2.0. - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](https://github.com/ossf/scorecard-action/compare/80e868c13c90f172d68d1f4501dee99e2479f7af...08b4669551908b1024bb425080c797723083c031) --- updated-dependencies: - dependency-name: ossf/scorecard-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * [Chore] bump notation-go from 1.0.0-rc.3 -> 1.0.0-rc.6 (#7650) * Bump notation-go from 1.0.0-rc.3 -> 1.0.0-rc.6 Signed-off-by: webstradev * fixed tests Signed-off-by: Vishal Choudhary * added tests for repository Signed-off-by: Vishal Choudhary --------- Signed-off-by: webstradev 
Signed-off-by: Vishal Choudhary Co-authored-by: webstradev Co-authored-by: shuting * fix: vscode debug config (#7653) Signed-off-by: Charles-Edouard Brétéché * fix: pr updater workflow (#7665) Signed-off-by: Charles-Edouard Brétéché * refactor: add specific loaders from #7597 (#7671) Signed-off-by: Charles-Edouard Brétéché * feat: add cluster select and relabling config for ServiceMonitors (#7659) * feat: add cluster select and relabling config for ServiceMonitors Signed-off-by: Frank Jogeleit * feat: add cluster select and relabling config for ServiceMonitors Signed-off-by: Frank Jogeleit --------- Signed-off-by: Frank Jogeleit * fix: cleanup controller context from #7597 (#7672) Signed-off-by: Charles-Edouard Brétéché * fix: cleanup controller rbac (#7669) Signed-off-by: Charles-Edouard Brétéché * refactor: migrate context loaders (part 1) from #7597 (#7676) Signed-off-by: Charles-Edouard Brétéché * refactor: migrate context loaders (part 2) from #7597 (#7677) * refactor: migrate context loaders (part 1) from #7597 Signed-off-by: Charles-Edouard Brétéché * refactor: migrate context loaders (part 2) from #7597 Signed-off-by: Charles-Edouard Brétéché --------- Signed-off-by: Charles-Edouard Brétéché * feat: add lazy loading feature flag (#7680) Signed-off-by: Charles-Edouard Brétéché * fix: image verification (#7652) Signed-off-by: Charles-Edouard Brétéché * Fix deferred loading (#7597) * handle nested contexts Signed-off-by: Jim Bugwadia * add feature flag Signed-off-by: Jim Bugwadia * fix tests Signed-off-by: Jim Bugwadia * add kuttl tests Signed-off-by: Jim Bugwadia * fix linter issues Signed-off-by: Jim Bugwadia * fix CLI regclient Signed-off-by: Jim Bugwadia * fix: token permissions on report vulns workflow (#7611) Signed-off-by: Charles-Edouard Brétéché * fix: token permissions (#7619) Signed-off-by: Charles-Edouard Brétéché * fix: update the flag descriptions of the reports-controller (#7617) 
Signed-off-by: emmanuel-ferdman * fix: panic if env var not defined (#7613) * fix: panic if env var not defined Signed-off-by: Charles-Edouard Brétéché * fix Signed-off-by: Charles-Edouard Brétéché * fix Signed-off-by: Charles-Edouard Brétéché --------- Signed-off-by: Charles-Edouard Brétéché * use toggles instead of a flag Signed-off-by: Jim Bugwadia * update toggle name Signed-off-by: Jim Bugwadia * update toggle name Signed-off-by: Jim Bugwadia * fix roles Signed-off-by: Jim Bugwadia * fix role Signed-off-by: Jim Bugwadia * update manifests Signed-off-by: Jim Bugwadia * remove extra unlock Signed-off-by: Jim Bugwadia * fix loader reset Signed-off-by: Jim Bugwadia * add tests Signed-off-by: Jim Bugwadia * propagate context Signed-off-by: Charles-Edouard Brétéché * cm resolver Signed-off-by: Charles-Edouard Brétéché * level management Signed-off-by: Charles-Edouard Brétéché * address review comments Signed-off-by: Jim Bugwadia * add enableDeferredLoading to other controllers Signed-off-by: Jim Bugwadia * re-enable ACR credhelper Signed-off-by: Jim Bugwadia * improve tests Signed-off-by: Jim Bugwadia * remove image registry client init Signed-off-by: Jim Bugwadia * check for invalid reset/restore Signed-off-by: Jim Bugwadia * recursive kuttl test Signed-off-by: Charles-Edouard Brétéché * add pre/post queries Signed-off-by: Jim Bugwadia * add check for a recursive match Signed-off-by: Jim Bugwadia * new test suite Signed-off-by: Charles-Edouard Brétéché * eval loaders at creation level Signed-off-by: Jim Bugwadia * kuttl test Signed-off-by: Charles-Edouard Brétéché * add an index for resolving deps in order Signed-off-by: Jim Bugwadia * improve comment Signed-off-by: Jim Bugwadia * extract remove method Signed-off-by: Jim Bugwadia * merge main Signed-off-by: Charles-Edouard Brétéché * flags Signed-off-by: Charles-Edouard Brétéché * feature flag Signed-off-by: Charles-Edouard Brétéché * fix flag Signed-off-by: Charles-Edouard Brétéché * update unit tests 
Signed-off-by: ShutingZhao * two rules kuttl test Signed-off-by: Charles-Edouard Brétéché * update unit tests Signed-off-by: ShutingZhao * revert Signed-off-by: ShutingZhao * per rule checkpoint Signed-off-by: Charles-Edouard Brétéché * fix Signed-off-by: Charles-Edouard Brétéché * fix mutate chained rules Signed-off-by: ShutingZhao * per rule checpoint/restore Signed-off-by: Charles-Edouard Brétéché * log error Signed-off-by: Charles-Edouard Brétéché --------- Signed-off-by: Jim Bugwadia Signed-off-by: Charles-Edouard Brétéché Signed-off-by: emmanuel-ferdman Signed-off-by: ShutingZhao Co-authored-by: Charles-Edouard Brétéché Co-authored-by: Emmanuel Ferdman Co-authored-by: shuting * fix: factorise confimap informer code (#7667) Signed-off-by: Charles-Edouard Brétéché Co-authored-by: shuting Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore(deps): bump sigstore/cosign-installer from 3.1.0 to 3.1.1 (#7689) Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.1.0 to 3.1.1. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/d13028333d784fcc802b67ec924bcebe75aa0a5f...6e04d228eb30da1757ee4e1dd75a0ec73a653e06) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix: Swap any/all in the error message. (#7688) Signed-off-by: JaeHeung Han Co-authored-by: Charles-Edouard Brétéché * feat: add background only policy support (#6666) * feat: add background only policy support Signed-off-by: Charles-Edouard Brétéché * webhook Signed-off-by: Charles-Edouard Brétéché * validation Signed-off-by: Charles-Edouard Brétéché * kuttl Signed-off-by: Charles-Edouard Brétéché * fix 
Signed-off-by: Charles-Edouard Brétéché * all disabled Signed-off-by: Charles-Edouard Brétéché * fix Signed-off-by: Charles-Edouard Brétéché * fix Signed-off-by: Charles-Edouard Brétéché * fix Signed-off-by: Charles-Edouard Brétéché * fix Signed-off-by: Charles-Edouard Brétéché --------- Signed-off-by: Charles-Edouard Brétéché * fix: pr updater workflow (#7697) * fix: pr updater workflow Signed-off-by: Charles-Edouard Brétéché * Update .github/workflows/pr-update.yaml Signed-off-by: Charles-Edouard Brétéché --------- Signed-off-by: Charles-Edouard Brétéché Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix: customizable tracer configuration (#7644) * fix: customizable tracer configuration Signed-off-by: Daniel Laszlo Signed-off-by: Daniel Laszlo * fix: harden rbac permissions (#7638) Signed-off-by: Charles-Edouard Brétéché Signed-off-by: Daniel Laszlo * chore(deps): bump sigstore/cosign-installer from 3.0.5 to 3.1.0 (#7664) Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.5 to 3.1.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/dd6b2e2b610a11fd73dd187a43d57cc1394e35f9...d13028333d784fcc802b67ec924bcebe75aa0a5f) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 
Signed-off-by: Daniel Laszlo * chore(deps): bump ossf/scorecard-action from 2.1.3 to 2.2.0 (#7663) Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.1.3 to 2.2.0. - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](https://github.com/ossf/scorecard-action/compare/80e868c13c90f172d68d1f4501dee99e2479f7af...08b4669551908b1024bb425080c797723083c031) --- updated-dependencies: - dependency-name: ossf/scorecard-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Daniel Laszlo * use resource.New instead of Merge Signed-off-by: Daniel Laszlo * fix tabs Signed-off-by: Daniel Laszlo * [Chore] bump notation-go from 1.0.0-rc.3 -> 1.0.0-rc.6 (#7650) * Bump notation-go from 1.0.0-rc.3 -> 1.0.0-rc.6 Signed-off-by: webstradev * fixed tests Signed-off-by: Vishal Choudhary * added tests for repository Signed-off-by: Vishal Choudhary --------- Signed-off-by: webstradev Signed-off-by: Vishal Choudhary Co-authored-by: webstradev Co-authored-by: shuting Signed-off-by: Daniel Laszlo * fix: vscode debug config (#7653) Signed-off-by: Charles-Edouard Brétéché Signed-off-by: Daniel Laszlo * fix: pr updater workflow (#7665) Signed-off-by: Charles-Edouard Brétéché Signed-off-by: Daniel Laszlo * refactor: add specific loaders from #7597 (#7671) Signed-off-by: Charles-Edouard Brétéché Signed-off-by: Daniel Laszlo * feat: add cluster select and relabling config for ServiceMonitors (#7659) * feat: add cluster select and relabling config for ServiceMonitors Signed-off-by: Frank Jogeleit * feat: add cluster select and relabling config for ServiceMonitors Signed-off-by: Frank Jogeleit --------- Signed-off-by: Frank Jogeleit Signed-off-by: Daniel Laszlo * fix: cleanup controller context from #7597 (#7672) 
Signed-off-by: Charles-Edouard Brétéché Signed-off-by: Daniel Laszlo * fix: cleanup controller rbac (#7669) Signed-off-by: Charles-Edouard Brétéché Signed-off-by: Daniel Laszlo * refactor: migrate context loaders (part 1) from #7597 (#7676) Signed-off-by: Charles-Edouard Brétéché Signed-off-by: Daniel Laszlo * refactor: migrate context loaders (part 2) from #7597 (#7677) * refactor: migrate context loaders (part 1) from #7597 Signed-off-by: Charles-Edouard Brétéché * refactor: migrate context loaders (part 2) from #7597 Signed-off-by: Charles-Edouard Brétéché --------- Signed-off-by: Charles-Edouard Brétéché Signed-off-by: Daniel Laszlo * feat: add lazy loading feature flag (#7680) Signed-off-by: Charles-Edouard Brétéché Signed-off-by: Daniel Laszlo * fix: image verification (#7652) Signed-off-by: Charles-Edouard Brétéché Signed-off-by: Daniel Laszlo * Fix deferred loading (#7597) * handle nested contexts Signed-off-by: Jim Bugwadia * add feature flag Signed-off-by: Jim Bugwadia * fix tests Signed-off-by: Jim Bugwadia * add kuttl tests Signed-off-by: Jim Bugwadia * fix linter issues Signed-off-by: Jim Bugwadia * fix CLI regclient Signed-off-by: Jim Bugwadia * fix: token permissions on report vulns workflow (#7611) Signed-off-by: Charles-Edouard Brétéché * fix: token permissions (#7619) Signed-off-by: Charles-Edouard Brétéché * fix: update the flag descriptions of the reports-controller (#7617) Signed-off-by: emmanuel-ferdman * fix: panic if env var not defined (#7613) * fix: panic if env var not defined Signed-off-by: Charles-Edouard Brétéché * fix Signed-off-by: Charles-Edouard Brétéché * fix Signed-off-by: Charles-Edouard Brétéché --------- Signed-off-by: Charles-Edouard Brétéché * use toggles instead of a flag Signed-off-by: Jim Bugwadia * update toggle name Signed-off-by: Jim Bugwadia * update toggle name Signed-off-by: Jim Bugwadia * fix roles Signed-off-by: Jim Bugwadia * fix role Signed-off-by: Jim Bugwadia * update manifests 
Signed-off-by: Jim Bugwadia * remove extra unlock Signed-off-by: Jim Bugwadia * fix loader reset Signed-off-by: Jim Bugwadia * add tests Signed-off-by: Jim Bugwadia * propagate context Signed-off-by: Charles-Edouard Brétéché * cm resolver Signed-off-by: Charles-Edouard Brétéché * level management Signed-off-by: Charles-Edouard Brétéché * address review comments Signed-off-by: Jim Bugwadia * add enableDeferredLoading to other controllers Signed-off-by: Jim Bugwadia * re-enable ACR credhelper Signed-off-by: Jim Bugwadia * improve tests Signed-off-by: Jim Bugwadia * remove image registry client init Signed-off-by: Jim Bugwadia * check for invalid reset/restore Signed-off-by: Jim Bugwadia * recursive kuttl test Signed-off-by: Charles-Edouard Brétéché * add pre/post queries Signed-off-by: Jim Bugwadia * add check for a recursive match Signed-off-by: Jim Bugwadia * new test suite Signed-off-by: Charles-Edouard Brétéché * eval loaders at creation level Signed-off-by: Jim Bugwadia * kuttl test Signed-off-by: Charles-Edouard Brétéché * add an index for resolving deps in order Signed-off-by: Jim Bugwadia * improve comment Signed-off-by: Jim Bugwadia * extract remove method Signed-off-by: Jim Bugwadia * merge main Signed-off-by: Charles-Edouard Brétéché * flags Signed-off-by: Charles-Edouard Brétéché * feature flag Signed-off-by: Charles-Edouard Brétéché * fix flag Signed-off-by: Charles-Edouard Brétéché * update unit tests Signed-off-by: ShutingZhao * two rules kuttl test Signed-off-by: Charles-Edouard Brétéché * update unit tests Signed-off-by: ShutingZhao * revert Signed-off-by: ShutingZhao * per rule checkpoint Signed-off-by: Charles-Edouard Brétéché * fix Signed-off-by: Charles-Edouard Brétéché * fix mutate chained rules Signed-off-by: ShutingZhao * per rule checpoint/restore Signed-off-by: Charles-Edouard Brétéché * log error Signed-off-by: Charles-Edouard Brétéché --------- Signed-off-by: Jim Bugwadia Signed-off-by: Charles-Edouard Brétéché 
Signed-off-by: emmanuel-ferdman Signed-off-by: ShutingZhao Co-authored-by: Charles-Edouard Brétéché Co-authored-by: Emmanuel Ferdman Co-authored-by: shuting Signed-off-by: Daniel Laszlo * fix: factorise confimap informer code (#7667) Signed-off-by: Charles-Edouard Brétéché Co-authored-by: shuting Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Signed-off-by: Daniel Laszlo * chore(deps): bump sigstore/cosign-installer from 3.1.0 to 3.1.1 (#7689) Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.1.0 to 3.1.1. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/d13028333d784fcc802b67ec924bcebe75aa0a5f...6e04d228eb30da1757ee4e1dd75a0ec73a653e06) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Daniel Laszlo * Update pkg/tracing/config.go Signed-off-by: Charles-Edouard Brétéché --------- Signed-off-by: Daniel Laszlo Signed-off-by: Daniel Laszlo Signed-off-by: Charles-Edouard Brétéché Signed-off-by: dependabot[bot] Signed-off-by: webstradev Signed-off-by: Vishal Choudhary Signed-off-by: Frank Jogeleit Signed-off-by: Jim Bugwadia Signed-off-by: emmanuel-ferdman Signed-off-by: ShutingZhao Co-authored-by: Charles-Edouard Brétéché Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Vishal Choudhary Co-authored-by: webstradev Co-authored-by: shuting Co-authored-by: Frank Jogeleit Co-authored-by: Jim Bugwadia Co-authored-by: Emmanuel Ferdman Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix: lock schema manager when updating it (#7704) 
Signed-off-by: Charles-Edouard Brétéché * test: add kuttl tests for background only policies (#7709) Signed-off-by: Charles-Edouard Brétéché * Feat: Upgrade controller-gen to v0.12.0 and fix tooling (#7683) * Upgrade controller-gen and fix tooling Signed-off-by: shahbaz * Address comments Signed-off-by: shahbaz * Add a marker in the sed command Signed-off-by: shahbaz * Upgrade to the latest version and rearrange the annotations Signed-off-by: shahbaz * Fix failing Verify Codegen tests Signed-off-by: shahbaz * Remove unnecessary file Signed-off-by: shahbaz * Restore original version in test folder Signed-off-by: shahbaz * Add creationTimestamp: null again in the test folder Signed-off-by: shahbaz --------- Signed-off-by: shahbaz Co-authored-by: shahbaz Co-authored-by: Charles-Edouard Brétéché * fix: release signing (#7711) (#7713) Signed-off-by: Charles-Edouard Brétéché * chore: use github token instead of pat (#7716) Signed-off-by: Charles-Edouard Brétéché * fix: reduce token permissions (#7719) Signed-off-by: Charles-Edouard Brétéché * fix: reduce token permissions (#7721) * fix: reduce token permissions Signed-off-by: Charles-Edouard Brétéché * fix: reduce token permissions Signed-off-by: Charles-Edouard Brétéché * fix Signed-off-by: Charles-Edouard Brétéché --------- Signed-off-by: Charles-Edouard Brétéché * fix: make `test --fail-only` return 1 if there are failed tests (#7717) Signed-off-by: Carles Figuerola Co-authored-by: Charles-Edouard Brétéché * remove redundant tests (#7702) Signed-off-by: ShutingZhao Co-authored-by: Charles-Edouard Brétéché * fix: use gh token instead of pat (#7723) Signed-off-by: Charles-Edouard Brétéché * fix: remove obsolete scripts (#7720) Signed-off-by: Charles-Edouard Brétéché * fix: reduce token permission (#7729) Signed-off-by: Charles-Edouard Brétéché * fix: use github token instead of pat (#7727) * fix: remove jmespath replace directive Signed-off-by: Charles-Edouard Brétéché * fix: use github token instead of pat 
Signed-off-by: Charles-Edouard Brétéché --------- Signed-off-by: Charles-Edouard Brétéché * fix: use golang builtin version management (#7654) * fix: use golang builtin version management Signed-off-by: Charles-Edouard Brétéché * fix Signed-off-by: Charles-Edouard Brétéché --------- Signed-off-by: Charles-Edouard Brétéché * feat: template for user setup in kuttl (#7731) Signed-off-by: Alok N * feat: Add option to add imagePullSecrets to cleanup CronJobs (#7730) * Add option to add imagePullSecrets to cleanup CronJobs Signed-off-by: Alexander Olzem * Update chart README Signed-off-by: Alexander Olzem --------- Signed-off-by: Alexander Olzem Co-authored-by: Charles-Edouard Brétéché * fix: typo in check cmd (#7733) Signed-off-by: emmanuel-ferdman * fix: nits in cli flags (#7736) Signed-off-by: Charles-Edouard Brétéché * chore: bump ko version (#7738) Signed-off-by: Charles-Edouard Brétéché * chore: bump kind node versions (#7737) Signed-off-by: Charles-Edouard Brétéché * fix: refactor cli values loading and remove dead code (#7739) Signed-off-by: Charles-Edouard Brétéché * [Feature] round() JMESPath function (#7489) * adding roundoff Signed-off-by: Rexbeast2 * removing unnecessary Signed-off-by: Rexbeast2 * adding test Signed-off-by: Rexbeast2 * adding edge case Signed-off-by: Rexbeast2 * fixing error Signed-off-by: Rexbeast2 * updating function call Signed-off-by: Rexbeast2 * updating function jpRound Signed-off-by: Rexbeast2 * error handling negative Signed-off-by: Rexbeast2 * fix Signed-off-by: Rexbeast2 * fix linter Signed-off-by: Charles-Edouard Brétéché * parsing Signed-off-by: Charles-Edouard Brétéché * cleanup Signed-off-by: Charles-Edouard Brétéché * fix tests Signed-off-by: Charles-Edouard Brétéché --------- Signed-off-by: Rexbeast2 
Signed-off-by: Charles-Edouard Brétéché Co-authored-by: Charles-Edouard Brétéché * chore(deps): bump ubuntu from `6120be6` to `0bced47` in /.devcontainer (#7744) Bumps ubuntu from `6120be6` to `0bced47`. --- updated-dependencies: - dependency-name: ubuntu dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix: improve cli apply args check (#7746) Signed-off-by: Charles-Edouard Brétéché * fix: remove cli dead code (#7748) Signed-off-by: Charles-Edouard Brétéché * Replaced gcr crane with gcr remote (#7747) * fix: oras-go/v2 version in go.sum Signed-off-by: Vishal Choudhary * refactor: move kyverno constants out of v1 package (#7760) Signed-off-by: Charles-Edouard Brétéché * chore: use register-gen to register k8s types (#7761) Signed-off-by: Charles-Edouard Brétéché * chore(deps): bump fluxcd/flux2 from 0.41.2 to 2.0.0 (#7764) Bumps [fluxcd/flux2](https://github.com/fluxcd/flux2) from 0.41.2 to 2.0.0. - [Release notes](https://github.com/fluxcd/flux2/releases) - [Changelog](https://github.com/fluxcd/flux2/blob/main/.goreleaser.yml) - [Commits](https://github.com/fluxcd/flux2/compare/dbda8fbdb8b58ed1ee69343025a6091eae0d1828...9ea0a535eab2c99121fb3ac742e333b4a9f07970) --- updated-dependencies: - dependency-name: fluxcd/flux2 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Charles-Edouard Brétéché * chore: introduce defaulters-gen (#7765) Signed-off-by: Charles-Edouard Brétéché * feat: add table output to cli apply command (#7757) * feat: add table output to cli apply command Signed-off-by: Charles-Edouard Brétéché * factorise Signed-off-by: Charles-Edouard Brétéché --------- Signed-off-by: Charles-Edouard Brétéché Co-authored-by: shuting * chore: bump cosign in gh workflows (#7715) 
Signed-off-by: Charles-Edouard Brétéché * chore: switch to deepcopy-gen (#7766) * chore: switch to deepcopy-gen Signed-off-by: Charles-Edouard Brétéché * fix Signed-off-by: Charles-Edouard Brétéché --------- Signed-off-by: Charles-Edouard Brétéché * chore: increase linter timeout (#7767) Signed-off-by: Charles-Edouard Brétéché * undo: revert back to cosign 2.0.2 cosign 2.1.1 has dependency conflicts with oras Signed-off-by: Vishal Choudhary * remove markers Signed-off-by: Charles-Edouard Brétéché * chore: remove 0_14 version of gcr k8s-sigstore-manifest got a new version so we can finally upgrade gcr to v0.15 Signed-off-by: Vishal Choudhary * add: add logging to tlogs and sct Signed-off-by: Vishal Choudhary * undo: remove registryOpts in favor of registry client opts added the missing parts from registryOptions in registry client opts Signed-off-by: Vishal Choudhary * chore: add generated files Signed-off-by: Vishal Choudhary * chore: clean go mod Signed-off-by: Vishal Choudhary * fix: remove bad logs Signed-off-by: Vishal Choudhary * bug: fix go mod Signed-off-by: Vishal Choudhary * fix: update kubebuilder version in crds Signed-off-by: Vishal Choudhary * update: rollback policy to ignore tlog Signed-off-by: Vishal Choudhary * chore: update codegen Signed-off-by: Vishal Choudhary --------- Signed-off-by: Vishal Choudhary Signed-off-by: Jim Bugwadia Signed-off-by: shuting Signed-off-by: bakito Signed-off-by: Charles-Edouard Brétéché Signed-off-by: ShutingZhao Signed-off-by: dependabot[bot] Signed-off-by: webstradev Signed-off-by: Frank Jogeleit Signed-off-by: emmanuel-ferdman Signed-off-by: JaeHeung Han Signed-off-by: Daniel Laszlo Signed-off-by: Daniel Laszlo Signed-off-by: shahbaz Signed-off-by: Carles Figuerola Signed-off-by: Alok N Signed-off-by: Alexander Olzem 
Signed-off-by: Rexbeast2 Co-authored-by: Jim Bugwadia Co-authored-by: shuting Co-authored-by: kyverno-bot <104836976+kyverno-bot@users.noreply.github.com> Co-authored-by: Marc Brugger Co-authored-by: Charles-Edouard Brétéché Co-authored-by: shuting Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: webstradev Co-authored-by: Frank Jogeleit Co-authored-by: Emmanuel Ferdman Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: JaeHeung Han Co-authored-by: Daniel Laszlo Co-authored-by: Md Shahbaz Alam Co-authored-by: shahbaz Co-authored-by: Carles-Figuerola Co-authored-by: Alok Naushad Co-authored-by: Alex Olzem Co-authored-by: SukhveerS <78963782+Rexbeast2@users.noreply.github.com> --- api/kyverno/v1/image_verification_types.go | 15 +- charts/kyverno/templates/crds/crds.yaml | 1556 ++++++++++++++++- config/crds/kyverno.io_clusterpolicies.yaml | 778 ++++++++- config/crds/kyverno.io_policies.yaml | 778 ++++++++- config/install-latest-testing.yaml | 1556 ++++++++++++++++- docs/user/crd/index.html | 36 +- go.mod | 129 +- go.sum | 296 ++-- .../applyconfigurations/kyverno/v1/ctlog.go | 29 +- pkg/cosign/client.go | 4 +- pkg/cosign/cosign.go | 56 +- pkg/cosign/cosign_test.go | 65 +- pkg/cosign/mock.go | 35 +- pkg/engine/api/client.go | 2 +- .../validation/validate_manifest_test.go | 2 +- pkg/engine/image_verify_test.go | 56 +- pkg/engine/internal/imageverifier.go | 15 + pkg/images/verifier.go | 5 +- pkg/notary/notary.go | 15 +- pkg/registryclient/client.go | 7 +- pkg/validation/policy/validate.go | 2 +- test/cli/test/images/signatures/policies.yaml | 4 + .../images/verify-signature/policies.yaml | 10 +- .../background/verify-image-fail/policy.yaml | 4 + .../background/verify-image-pass/policy.yaml | 4 + .../wildcard/block-verifyimage/policy.yaml | 4 + .../validate/e2e/yaml-signing/policy.yaml | 4 + .../multi-signatures/policy.yaml | 8 + .../multiple-attestors/01-policy.yaml 
| 8 + .../standard/empty-image/policy.yaml | 4 + .../policy.yaml | 4 + .../policy.yaml | 1 + .../01-manifests.yaml | 3 + .../standard/keyed-basic/01-manifests.yaml | 3 + .../standard/keyed-secret/01-manifests.yaml | 3 + .../01-manifests.yaml | 1 + .../01-manifests.yaml | 1 + .../01-manifests.yaml | 1 + .../01-manifests.yaml | 2 + .../01-manifests.yaml | 2 + .../01-manifests.yaml | 2 + .../01-manifests.yaml | 3 +- .../01-manifests.yaml | 3 +- .../01-manifests.yaml | 3 +- .../rollback-image-verification/policy.yaml | 6 +- 45 files changed, 5026 insertions(+), 499 deletions(-) diff --git a/api/kyverno/v1/image_verification_types.go b/api/kyverno/v1/image_verification_types.go index 7f30312881..dbfd9a8f75 100644 --- a/api/kyverno/v1/image_verification_types.go +++ b/api/kyverno/v1/image_verification_types.go @@ -188,7 +188,7 @@ type StaticKeyAttestor struct { Secret *SecretReference `json:"secret,omitempty" yaml:"secret,omitempty"` // Rekor provides configuration for the Rekor transparency log service. If the value is nil, - // Rekor is not checked. If an empty object is provided the public instance of + // or an empty object is provided, the public instance of // Rekor (https://rekor.sigstore.dev) is used. // +kubebuilder:validation:Optional Rekor *CTLog `json:"rekor,omitempty" yaml:"rekor,omitempty"` 
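Review bot: The reworded comment on `Rekor` changes what an omitted field means (nil used to mean "Rekor is not checked" and now selects the public instance), but it does not say how a policy opts out of the transparency-log check. If the verifier follows this comment, existing StaticKeyAttestor policies that leave `rekor` unset would start requiring a log entry at https://rekor.sigstore.dev, which fails closed for signatures that were never uploaded and for clusters without egress. I would extend the comment with `// To skip transparency log verification, set ignoreTlog to true.` and call out the default change in the release notes. The StaticKeyAttestor struct starts and ends outside this hunk.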
@@ -248,6 +248,19 @@ type CTLog struct { // +kubebuilder:validation:Required // +kubebuilder:Default:=https://rekor.sigstore.dev URL string `json:"url" yaml:"url"` + + // RekorPubKey is an optional PEM encoded public key to use for a custom Rekor. + // If set, is used to validate signatures on log entries from Rekor. + // +kubebuilder:validation:Optional + RekorPubKey string `json:"pubkey,omitempty" yaml:"pubkey,omitempty"` + + // IgnoreSCT requires that a certificate contain an embedded SCT during verification. An SCT is proof of inclusion in a certificate transparency log. + // +kubebuilder:validation:Optional + IgnoreSCT bool `json:"ignoreSCT,omitempty" yaml:"ignoreSCT,omitempty"` + + // IgnoreTlog skip tlog verification + // +kubebuilder:validation:Optional + IgnoreTlog bool `json:"ignoreTlog,omitempty" yaml:"ignoreTlog,omitempty"` } // Attestation are checks for signed in-toto Statements that are used to verify the image. diff --git a/charts/kyverno/templates/crds/crds.yaml b/charts/kyverno/templates/crds/crds.yaml index 3a18bc01b0..a5aaf20f7a 100644 --- a/charts/kyverno/templates/crds/crds.yaml +++ b/charts/kyverno/templates/crds/crds.yaml @@ -6836,6 +6836,24 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
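Review bot: The comment on `IgnoreSCT` says the field "requires that a certificate contain an embedded SCT", which contradicts the field name and the neighbouring `IgnoreTlog`; a policy author could set `ignoreSCT: true` believing it tightens verification. The verifier code is not in this hunk, so the meaning is inferred from the name; if `true` disables the check, the comment should read `// IgnoreSCT skips the check that a certificate contains an embedded SCT, the proof of inclusion in a certificate transparency log.` `IgnoreTlog` deserves the same precision, e.g. `// IgnoreTlog skips transparency log verification; leave false unless the signature was made without a tlog entry.` The generated CRD descriptions in `crds.yaml` repeat both sentences and would need regenerating. `CTLog` begins outside the hunk.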
@@ -6871,6 +6889,24 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -6922,11 +6958,29 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an empty object + is provided, the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -7188,6 +7242,26 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -7224,6 +7298,26 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -7279,11 +7373,30 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + or an empty object is provided, + the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -7521,6 +7634,24 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to 
@@ -7555,6 +7686,24 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to @@ -7605,11 +7754,29 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + If the value is nil, or an empty object + is provided, the public instance of + Rekor (https://rekor.sigstore.dev) is + used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to 
@@ -10903,6 +11070,26 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -10939,6 +11126,26 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -10994,11 +11201,30 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + or an empty object is provided, + the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -11270,6 +11496,27 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency 
@@ -11308,6 +11555,27 @@ spec: of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency @@ -11368,12 +11636,33 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an + empty object is provided, + the public instance of Rekor + (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency 
@@ -11621,6 +11910,26 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -11656,6 +11965,26 @@ spec: of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -11709,11 +12038,31 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an empty + object is provided, the public instance + of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -14734,6 +15083,24 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -14769,6 +15136,24 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -14820,11 +15205,29 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an empty object + is provided, the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -15071,6 +15474,26 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -15107,6 +15530,26 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -15162,11 +15605,30 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + or an empty object is provided, + the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -15404,6 +15866,24 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to 
@@ -15438,6 +15918,24 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to @@ -15488,11 +15986,29 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + If the value is nil, or an empty object + is provided, the public instance of + Rekor (https://rekor.sigstore.dev) is + used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to 
@@ -18761,6 +19277,26 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -18797,6 +19333,26 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -18852,11 +19408,30 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + or an empty object is provided, + the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -19128,6 +19703,27 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency 
@@ -19166,6 +19762,27 @@ spec: of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency @@ -19226,12 +19843,33 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an + empty object is provided, + the public instance of Rekor + (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency 
@@ -19479,6 +20117,26 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -19514,6 +20172,26 @@ spec: of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -19567,11 +20245,31 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an empty + object is provided, the public instance + of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -22863,6 +23561,24 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -22898,6 +23614,24 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -22949,11 +23683,29 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an empty object + is provided, the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -23215,6 +23967,26 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -23251,6 +24023,26 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -23306,11 +24098,30 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + or an empty object is provided, + the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -23548,6 +24359,24 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to 
@@ -23582,6 +24411,24 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to @@ -23632,11 +24479,29 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + If the value is nil, or an empty object + is provided, the public instance of + Rekor (https://rekor.sigstore.dev) is + used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to 
@@ -26931,6 +27796,26 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -26967,6 +27852,26 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -27022,11 +27927,30 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + or an empty object is provided, + the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -27298,6 +28222,27 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency 
@@ -27336,6 +28281,27 @@ spec: of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency @@ -27396,12 +28362,33 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an + empty object is provided, + the public instance of Rekor + (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency 
@@ -27649,6 +28636,26 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -27684,6 +28691,26 @@ spec: of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -27737,11 +28764,31 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an empty + object is provided, the public instance + of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -30763,6 +31810,24 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -30798,6 +31863,24 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -30849,11 +31932,29 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an empty object + is provided, the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -31100,6 +32201,26 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -31136,6 +32257,26 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -31191,11 +32332,30 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + or an empty object is provided, + the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -31433,6 +32593,24 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to 
@@ -31467,6 +32645,24 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to @@ -31517,11 +32713,29 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + If the value is nil, or an empty object + is provided, the public instance of + Rekor (https://rekor.sigstore.dev) is + used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to 
@@ -34790,6 +36004,26 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -34826,6 +36060,26 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -34881,11 +36135,30 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + or an empty object is provided, + the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -35157,6 +36430,27 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency 
@@ -35195,6 +36489,27 @@ spec: of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency @@ -35255,12 +36570,33 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an + empty object is provided, + the public instance of Rekor + (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency 
@@ -35508,6 +36844,26 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -35543,6 +36899,26 @@ spec: of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -35596,11 +36972,31 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an empty + object is provided, the public instance + of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults diff --git a/config/crds/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno.io_clusterpolicies.yaml index 1950826e1f..62fdb6cb25 100644 --- a/config/crds/kyverno.io_clusterpolicies.yaml +++ b/config/crds/kyverno.io_clusterpolicies.yaml @@ -3019,6 +3019,24 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -3054,6 +3072,24 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -3105,11 +3141,29 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an empty object + is provided, the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -3371,6 +3425,26 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -3407,6 +3481,26 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -3462,11 +3556,30 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + or an empty object is provided, + the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -3704,6 +3817,24 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to 
@@ -3738,6 +3869,24 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to @@ -3788,11 +3937,29 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + If the value is nil, or an empty object + is provided, the public instance of + Rekor (https://rekor.sigstore.dev) is + used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to 
@@ -7086,6 +7253,26 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -7122,6 +7309,26 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -7177,11 +7384,30 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + or an empty object is provided, + the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -7453,6 +7679,27 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency 
@@ -7491,6 +7738,27 @@ spec: of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency @@ -7551,12 +7819,33 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an + empty object is provided, + the public instance of Rekor + (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency 
@@ -7804,6 +8093,26 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -7839,6 +8148,26 @@ spec: of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -7892,11 +8221,31 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an empty + object is provided, the public instance + of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -10917,6 +11266,24 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -10952,6 +11319,24 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -11003,11 +11388,29 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an empty object + is provided, the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -11254,6 +11657,26 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -11290,6 +11713,26 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -11345,11 +11788,30 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + or an empty object is provided, + the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -11587,6 +12049,24 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to 
@@ -11621,6 +12101,24 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to @@ -11671,11 +12169,29 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + If the value is nil, or an empty object + is provided, the public instance of + Rekor (https://rekor.sigstore.dev) is + used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to 
@@ -14944,6 +15460,26 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -14980,6 +15516,26 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -15035,11 +15591,30 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + or an empty object is provided, + the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -15311,6 +15886,27 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency 
@@ -15349,6 +15945,27 @@ spec: of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency @@ -15409,12 +16026,33 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an + empty object is provided, + the public instance of Rekor + (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency 
@@ -15662,6 +16300,26 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -15697,6 +16355,26 @@ spec: of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -15750,11 +16428,31 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an empty + object is provided, the public instance + of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults diff --git a/config/crds/kyverno.io_policies.yaml b/config/crds/kyverno.io_policies.yaml index 301883152c..17324b7a8f 100644 --- a/config/crds/kyverno.io_policies.yaml +++ b/config/crds/kyverno.io_policies.yaml @@ -3020,6 +3020,24 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -3055,6 +3073,24 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -3106,11 +3142,29 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an empty object + is provided, the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -3372,6 +3426,26 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -3408,6 +3482,26 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -3463,11 +3557,30 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + or an empty object is provided, + the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -3705,6 +3818,24 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to 
@@ -3739,6 +3870,24 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to @@ -3789,11 +3938,29 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + If the value is nil, or an empty object + is provided, the public instance of + Rekor (https://rekor.sigstore.dev) is + used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to 
@@ -7088,6 +7255,26 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -7124,6 +7311,26 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -7179,11 +7386,30 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + or an empty object is provided, + the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -7455,6 +7681,27 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency 
@@ -7493,6 +7740,27 @@ spec: of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency @@ -7553,12 +7821,33 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an + empty object is provided, + the public instance of Rekor + (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency 
@@ -7806,6 +8095,26 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -7841,6 +8150,26 @@ spec: of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -7894,11 +8223,31 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an empty + object is provided, the public instance + of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -10920,6 +11269,24 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -10955,6 +11322,24 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -11006,11 +11391,29 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an empty object + is provided, the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -11257,6 +11660,26 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -11293,6 +11716,26 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -11348,11 +11791,30 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + or an empty object is provided, + the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -11590,6 +12052,24 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to 
@@ -11624,6 +12104,24 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to @@ -11674,11 +12172,29 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + If the value is nil, or an empty object + is provided, the public instance of + Rekor (https://rekor.sigstore.dev) is + used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to 
@@ -14947,6 +15463,26 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -14983,6 +15519,26 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -15038,11 +15594,30 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + or an empty object is provided, + the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -15314,6 +15889,27 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency 
@@ -15352,6 +15948,27 @@ spec: of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency @@ -15412,12 +16029,33 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an + empty object is provided, + the public instance of Rekor + (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency 
@@ -15665,6 +16303,26 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -15700,6 +16358,26 @@ spec: of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -15753,11 +16431,31 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an empty + object is provided, the public instance + of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index 41dc039c35..28bf33a224 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml @@ -7039,6 +7039,24 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -7074,6 +7092,24 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -7125,11 +7161,29 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an empty object + is provided, the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -7391,6 +7445,26 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -7427,6 +7501,26 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -7482,11 +7576,30 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + or an empty object is provided, + the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -7724,6 +7837,24 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to 
@@ -7758,6 +7889,24 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to @@ -7808,11 +7957,29 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + If the value is nil, or an empty object + is provided, the public instance of + Rekor (https://rekor.sigstore.dev) is + used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to 
@@ -11106,6 +11273,26 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -11142,6 +11329,26 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -11197,11 +11404,30 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + or an empty object is provided, + the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -11473,6 +11699,27 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency 
@@ -11511,6 +11758,27 @@ spec: of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency @@ -11571,12 +11839,33 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an + empty object is provided, + the public instance of Rekor + (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency 
@@ -11824,6 +12113,26 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -11859,6 +12168,26 @@ spec: of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -11912,11 +12241,31 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an empty + object is provided, the public instance + of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -14937,6 +15286,24 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -14972,6 +15339,24 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -15023,11 +15408,29 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an empty object + is provided, the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -15274,6 +15677,26 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -15310,6 +15733,26 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -15365,11 +15808,30 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + or an empty object is provided, + the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -15607,6 +16069,24 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to 
@@ -15641,6 +16121,24 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to @@ -15691,11 +16189,29 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + If the value is nil, or an empty object + is provided, the public instance of + Rekor (https://rekor.sigstore.dev) is + used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to 
@@ -18964,6 +19480,26 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -19000,6 +19536,26 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -19055,11 +19611,30 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + or an empty object is provided, + the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -19331,6 +19906,27 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency 
@@ -19369,6 +19965,27 @@ spec: of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency @@ -19429,12 +20046,33 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an + empty object is provided, + the public instance of Rekor + (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency 
@@ -19682,6 +20320,26 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -19717,6 +20375,26 @@ spec: of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -19770,11 +20448,31 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an empty + object is provided, the public instance + of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -23066,6 +23764,24 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -23101,6 +23817,24 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -23152,11 +23886,29 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an empty object + is provided, the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -23418,6 +24170,26 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -23454,6 +24226,26 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -23509,11 +24301,30 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + or an empty object is provided, + the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -23751,6 +24562,24 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to 
@@ -23785,6 +24614,24 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to @@ -23835,11 +24682,29 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + If the value is nil, or an empty object + is provided, the public instance of + Rekor (https://rekor.sigstore.dev) is + used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to 
@@ -27134,6 +27999,26 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -27170,6 +28055,26 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -27225,11 +28130,30 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + or an empty object is provided, + the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -27501,6 +28425,27 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency 
@@ -27539,6 +28484,27 @@ spec: of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency @@ -27599,12 +28565,33 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an + empty object is provided, + the public instance of Rekor + (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency 
@@ -27852,6 +28839,26 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -27887,6 +28894,26 @@ spec: of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -27940,11 +28967,31 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an empty + object is provided, the public instance + of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -30966,6 +32013,24 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -31001,6 +32066,24 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -31052,11 +32135,29 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an empty object + is provided, the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion in + a certificate transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -31303,6 +32404,26 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -31339,6 +32460,26 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -31394,11 +32535,30 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + or an empty object is provided, + the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -31636,6 +32796,24 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to 
@@ -31670,6 +32848,24 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to @@ -31720,11 +32916,29 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + If the value is nil, or an empty object + is provided, the public instance of + Rekor (https://rekor.sigstore.dev) is + used. properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. An SCT + is proof of inclusion in a certificate + transparency log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults to 
@@ -34993,6 +36207,26 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -35029,6 +36263,26 @@ spec: Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -35084,11 +36338,30 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + or an empty object is provided, + the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -35360,6 +36633,27 @@ spec: instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency 
@@ -35398,6 +36692,27 @@ spec: of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency @@ -35458,12 +36773,33 @@ spec: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an + empty object is provided, + the public instance of Rekor + (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. An SCT is + proof of inclusion in + a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string url: description: URL is the address of the transparency 
@@ -35711,6 +37047,26 @@ spec: the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults @@ -35746,6 +37102,26 @@ spec: of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults 
@@ -35799,11 +37175,31 @@ spec: rekor: description: Rekor provides configuration for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) + If the value is nil, or an empty + object is provided, the public instance + of Rekor (https://rekor.sigstore.dev) is used. properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + An SCT is proof of inclusion + in a certificate transparency + log. + type: boolean + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string url: description: URL is the address of the transparency log. Defaults diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html index 5ed81fbc6d..40b63ee24b 100644 --- a/docs/user/crd/index.html +++ b/docs/user/crd/index.html @@ -1098,6 +1098,40 @@ string

URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.

+ + +pubkey
+ +string + + + +

RekorPubKey is an optional PEM encoded public key to use for a custom Rekor. +If set, is used to validate signatures on log entries from Rekor.

+ + + + +ignoreSCT
+ +bool + + + +

IgnoreSCT requires that a certificate contain an embedded SCT during verification. An SCT is proof of inclusion in a certificate transparency log.

+ + + + +ignoreTlog
+ +bool + + + +

IgnoreTlog skip tlog verification

+ +
@@ -3816,7 +3850,7 @@ CTLog

Rekor provides configuration for the Rekor transparency log service. If the value is nil, -Rekor is not checked. If an empty object is provided the public instance of +or an empty object is provided, the public instance of Rekor (https://rekor.sigstore.dev) is used.

diff --git a/go.mod b/go.mod index 3c73ef7398..ad6fbd7a82 100644 --- a/go.mod +++ b/go.mod @@ -23,7 +23,7 @@ require ( github.com/google/gnostic v0.6.9 github.com/google/go-containerregistry v0.16.1 github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20230403180904-b8d1c0a1df12 - github.com/in-toto/in-toto-golang v0.6.0 + github.com/in-toto/in-toto-golang v0.9.0 github.com/jmoiron/jsonq v0.0.0-20150511023944-e874b168d07e github.com/julienschmidt/httprouter v1.3.0 github.com/kataras/tablewriter v0.0.0-20180708051242-e063d29b7c23 @@ -39,9 +39,14 @@ require ( github.com/pkg/errors v0.9.1 github.com/prometheus/client_golang v1.16.0 github.com/robfig/cron v1.2.0 - github.com/sigstore/cosign v1.13.1 - github.com/sigstore/k8s-manifest-sigstore v0.4.4 - github.com/sigstore/sigstore v1.5.2 + github.com/sigstore/cosign/v2 v2.1.1 + github.com/sigstore/k8s-manifest-sigstore v0.5.1 + github.com/sigstore/rekor v1.2.2-0.20230530122220-67cc9e58bd23 + github.com/sigstore/sigstore v1.7.1 + github.com/sigstore/sigstore/pkg/signature/kms/aws v1.7.1 + github.com/sigstore/sigstore/pkg/signature/kms/azure v1.7.1 + github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.7.1 + github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.7.1 github.com/spf13/cobra v1.7.0 github.com/stretchr/testify v1.8.4 github.com/zach-klippenstein/goregen v0.0.0-20160303162051-795b5e3961ea @@ -81,6 +86,7 @@ require ( sigs.k8s.io/controller-runtime v0.15.1 sigs.k8s.io/kustomize/api v0.13.4 sigs.k8s.io/kustomize/kyaml v0.14.2 + sigs.k8s.io/release-utils v0.7.4 sigs.k8s.io/structured-merge-diff/v4 v4.3.0 sigs.k8s.io/yaml v1.3.0 ) 
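Review bot: In the `@@ -39,9 +39,14 @@` hunk, `github.com/sigstore/rekor` becomes a direct requirement at the pseudo-version `v1.2.2-0.20230530122220-67cc9e58bd23`, i.e. an untagged commit, while the other sigstore modules in the hunk are on tagged releases. This module presumably backs the transparency-log verification, and an untagged pin is harder to match against release notes and security advisories. If a tagged release contains the needed change, prefer it; otherwise record the reason on the line itself, e.g. `// pinned to commit for <reason>; move to the next tagged release`.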
@@ -94,25 +100,30 @@ require ( require ( cloud.google.com/go/compute/metadata v0.2.3 // indirect - cloud.google.com/go/iam v1.0.0 // indirect - cloud.google.com/go/kms v1.10.1 // indirect - cuelang.org/go v0.4.3 // indirect + cloud.google.com/go/iam v1.1.0 // indirect + cloud.google.com/go/kms v1.12.1 // indirect + cuelang.org/go v0.5.0 // indirect dario.cat/mergo v1.0.0 // indirect + filippo.io/edwards25519 v1.0.0 // indirect github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 // indirect github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.1 // indirect + github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0 // indirect + github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect + github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v0.12.0 // indirect + github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v0.8.0 // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect - github.com/Azure/go-autorest/autorest v0.11.28 // indirect + github.com/Azure/go-autorest/autorest v0.11.29 // indirect github.com/Azure/go-autorest/autorest/adal v0.9.23 // indirect github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 // indirect github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect - github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect - github.com/Azure/go-autorest/autorest/validation v0.3.1 // indirect github.com/Azure/go-autorest/logger v0.2.1 // indirect github.com/Azure/go-autorest/tracing v0.6.0 // indirect github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect + github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 // indirect github.com/Masterminds/goutils v1.1.1 // indirect - github.com/Masterminds/semver/v3 v3.2.0 // indirect + github.com/Masterminds/semver/v3 v3.2.1 // indirect 
github.com/Microsoft/go-winio v0.6.1 // indirect github.com/OneOfOne/xxhash v1.2.8 // indirect github.com/ProtonMail/go-crypto v0.0.0-20230717121422-5aa5874ade95 // indirect 
@@ -130,23 +141,24 @@ require ( github.com/alibabacloud-go/tea-utils v1.4.5 // indirect github.com/alibabacloud-go/tea-xml v1.1.3 // indirect github.com/aliyun/credentials-go v1.2.7 // indirect - github.com/aws/aws-sdk-go-v2 v1.17.7 // indirect - github.com/aws/aws-sdk-go-v2/config v1.18.19 // indirect - github.com/aws/aws-sdk-go-v2/credentials v1.13.18 // indirect - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.1 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.31 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.25 // indirect - github.com/aws/aws-sdk-go-v2/internal/ini v1.3.32 // indirect + github.com/aws/aws-sdk-go-v2 v1.18.1 // indirect + github.com/aws/aws-sdk-go-v2/config v1.18.27 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.13.26 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.4 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.34 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.28 // indirect + github.com/aws/aws-sdk-go-v2/internal/ini v1.3.35 // indirect github.com/aws/aws-sdk-go-v2/service/ecr v1.18.7 // indirect github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.15.6 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.25 // indirect - github.com/aws/aws-sdk-go-v2/service/kms v1.20.8 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.12.6 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.6 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.18.7 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.28 // indirect + github.com/aws/aws-sdk-go-v2/service/kms v1.22.2 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.12.12 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.12 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.19.2 // indirect github.com/aws/smithy-go v1.13.5 // indirect github.com/beorn7/perks v1.0.1 // indirect 
github.com/blang/semver v3.5.1+incompatible // indirect + github.com/buildkite/agent/v3 v3.49.0 // indirect github.com/cenkalti/backoff/v3 v3.2.2 // indirect github.com/cenkalti/backoff/v4 v4.2.1 // indirect github.com/cespare/xxhash/v2 v2.2.0 // indirect @@ -155,9 +167,11 @@ require ( github.com/cockroachdb/apd/v2 v2.0.2 // indirect github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect - github.com/coreos/go-oidc/v3 v3.5.0 // indirect + github.com/coreos/go-oidc/v3 v3.6.0 // indirect github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7 // indirect github.com/davecgh/go-spew v1.1.1 // indirect + github.com/digitorus/pkcs7 v0.0.0-20221212123742-001c36b64ec3 // indirect + github.com/digitorus/timestamp v0.0.0-20221019182153-ef3b63b79b31 // indirect github.com/dimchansky/utfbom v1.1.1 // indirect github.com/djherbis/times v1.5.0 // indirect github.com/docker/cli v24.0.0+incompatible // indirect @@ -172,6 +186,7 @@ require ( github.com/felixge/httpsnoop v1.0.3 // indirect github.com/fsnotify/fsnotify v1.6.0 // indirect github.com/fxamacker/cbor/v2 v2.4.0 // indirect + github.com/gabriel-vasile/mimetype v1.4.2 // indirect github.com/go-asn1-ber/asn1-ber v1.5.4 // indirect github.com/go-chi/chi v4.1.2+incompatible // indirect github.com/go-errors/errors v1.4.2 // indirect 
@@ -184,15 +199,15 @@ require ( github.com/go-openapi/jsonpointer v0.19.6 // indirect github.com/go-openapi/jsonreference v0.20.2 // indirect github.com/go-openapi/loads v0.21.2 // indirect - github.com/go-openapi/runtime v0.25.0 // indirect - github.com/go-openapi/spec v0.20.8 // indirect + github.com/go-openapi/runtime v0.26.0 // indirect + github.com/go-openapi/spec v0.20.9 // indirect github.com/go-openapi/strfmt v0.21.7 // indirect - github.com/go-openapi/swag v0.22.3 // indirect + github.com/go-openapi/swag v0.22.4 // indirect github.com/go-openapi/validate v0.22.1 // indirect github.com/go-piv/piv-go v1.11.0 // indirect github.com/go-playground/locales v0.14.1 // indirect github.com/go-playground/universal-translator v0.18.1 // indirect - github.com/go-playground/validator/v10 v10.12.0 // indirect + github.com/go-playground/validator/v10 v10.14.0 // indirect github.com/gobwas/glob v0.2.3 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang-jwt/jwt/v4 v4.5.0 // indirect 
@@ -201,18 +216,17 @@ require ( github.com/golang/protobuf v1.5.3 // indirect github.com/golang/snappy v0.0.4 // indirect github.com/google/btree v1.1.2 // indirect - github.com/google/certificate-transparency-go v1.1.4 // indirect + github.com/google/certificate-transparency-go v1.1.6 // indirect github.com/google/go-cmp v0.5.9 // indirect - github.com/google/go-github/v45 v45.2.0 // indirect + github.com/google/go-github/v50 v50.2.0 // indirect github.com/google/go-querystring v1.1.0 // indirect github.com/google/gofuzz v1.2.0 // indirect github.com/google/gxui v0.0.0-20151028112939-f85e0a97b3a4 // indirect - github.com/google/s2a-go v0.1.3 // indirect + github.com/google/s2a-go v0.1.4 // indirect github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect - github.com/google/trillian v1.5.1 // indirect github.com/google/uuid v1.3.0 // indirect - github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect - github.com/googleapis/gax-go/v2 v2.8.0 // indirect + github.com/googleapis/enterprise-certificate-proxy v0.2.4 // indirect + github.com/googleapis/gax-go/v2 v2.11.0 // indirect github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.2 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect 
@@ -224,20 +238,21 @@ require ( github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect github.com/hashicorp/go-sockaddr v1.0.2 // indirect github.com/hashicorp/hcl v1.0.0 // indirect - github.com/hashicorp/vault/api v1.9.0 // indirect + github.com/hashicorp/vault/api v1.9.2 // indirect github.com/huandu/xstrings v1.3.3 // indirect github.com/imdario/mergo v0.3.15 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect github.com/jedisct1/go-minisign v0.0.0-20230211184525-1f273d8dc776 // indirect - github.com/jellydator/ttlcache/v2 v2.11.1 // indirect + github.com/jellydator/ttlcache/v3 v3.0.1 // indirect github.com/jinzhu/copier v0.3.5 // indirect github.com/jmespath/go-jmespath v0.4.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect github.com/kevinburke/ssh_config v1.2.0 // indirect github.com/klauspost/compress v1.16.5 // indirect - github.com/leodido/go-urn v1.2.2 // indirect + github.com/kylelemons/godebug v1.1.0 // indirect + github.com/leodido/go-urn v1.2.4 // indirect github.com/letsencrypt/boulder v0.0.0-20230331213904-8c67769be400 // indirect github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect github.com/magiconair/properties v1.8.7 // indirect 
@@ -258,15 +273,18 @@ require ( github.com/mozillazg/docker-credential-acr-helper v0.3.0 // indirect github.com/mpvl/unique v0.0.0-20150818121801-cbe035fff7de // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect + github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect github.com/nxadm/tail v1.4.8 // indirect github.com/oklog/ulid v1.3.1 // indirect github.com/oliveagle/jsonpath v0.0.0-20180606110733-2e52cf6e6852 // indirect github.com/open-policy-agent/gatekeeper v0.0.0-20210824170141-dd97b8a7e966 // indirect - github.com/open-policy-agent/opa v0.51.0 // indirect + github.com/open-policy-agent/opa v0.52.0 // indirect github.com/opentracing/opentracing-go v1.2.0 // indirect - github.com/pelletier/go-toml/v2 v2.0.7 // indirect + github.com/pborman/uuid v1.2.1 // indirect + github.com/pelletier/go-toml/v2 v2.0.8 // indirect github.com/peterbourgon/diskv v2.0.1+incompatible // indirect github.com/pjbgf/sha1cd v0.3.0 // indirect + github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect github.com/prometheus/client_model v0.4.0 // indirect github.com/prometheus/common v0.42.0 // indirect 
@@ -276,37 +294,36 @@ require ( github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect github.com/rivo/uniseg v0.4.4 // indirect github.com/ryanuber/go-glob v1.0.0 // indirect - github.com/sassoftware/relic v0.0.0-20210427151427-dfb082b79b74 // indirect - github.com/secure-systems-lab/go-securesystemslib v0.4.0 // indirect + github.com/sassoftware/relic v7.2.1+incompatible // indirect + github.com/secure-systems-lab/go-securesystemslib v0.6.0 // indirect github.com/segmentio/ksuid v1.0.4 // indirect github.com/sergi/go-diff v1.3.1 // indirect github.com/shibumi/go-pathspec v1.3.0 // indirect github.com/shopspring/decimal v1.2.0 // indirect - github.com/sigstore/fulcio v1.1.0 // indirect - github.com/sigstore/rekor v1.0.1 // indirect - github.com/sirupsen/logrus v1.9.1 // indirect + github.com/sigstore/fulcio v1.3.1 // indirect + github.com/sigstore/timestamp-authority v1.1.1 // indirect + github.com/sirupsen/logrus v1.9.3 // indirect github.com/skeema/knownhosts v1.2.0 // indirect github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect github.com/spf13/afero v1.9.5 // indirect - github.com/spf13/cast v1.5.0 // indirect + github.com/spf13/cast v1.5.1 // indirect github.com/spf13/jwalterweatherman v1.1.0 // indirect github.com/spf13/pflag v1.0.5 // indirect - github.com/spf13/viper v1.15.0 // indirect - github.com/spiffe/go-spiffe/v2 v2.1.3 // indirect + github.com/spf13/viper v1.16.0 // indirect + github.com/spiffe/go-spiffe/v2 v2.1.6 // indirect github.com/subosito/gotenv v1.4.2 // indirect github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect github.com/tchap/go-patricia/v2 v2.3.1 // indirect github.com/tektoncd/chains v0.15.0 // indirect - github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613 // indirect github.com/thales-e-security/pool v0.0.2 // indirect github.com/theupdateframework/go-tuf v0.5.2 // indirect github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // 
indirect github.com/tjfoc/gmsm v1.4.1 // indirect - github.com/transparency-dev/merkle v0.0.1 // indirect + github.com/transparency-dev/merkle v0.0.2 // indirect github.com/vbatts/tar-split v0.11.3 // indirect github.com/veraison/go-cose v1.1.0 // indirect github.com/x448/float16 v0.8.4 // indirect - github.com/xanzy/go-gitlab v0.81.0 // indirect + github.com/xanzy/go-gitlab v0.86.0 // indirect github.com/xanzy/ssh-agent v0.3.3 // indirect github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect @@ -319,19 +336,20 @@ require ( go.opentelemetry.io/otel/exporters/otlp/otlpmetric v0.39.0 // indirect go.opentelemetry.io/proto/otlp v0.19.0 // indirect go.starlark.net v0.0.0-20230302034142-4b1e35fe2254 // indirect + go.step.sm/crypto v0.32.1 // indirect golang.org/x/mod v0.12.0 // indirect golang.org/x/net v0.12.0 // indirect - golang.org/x/oauth2 v0.8.0 // indirect + golang.org/x/oauth2 v0.9.0 // indirect golang.org/x/sync v0.3.0 // indirect golang.org/x/sys v0.11.0 // indirect golang.org/x/term v0.11.0 // indirect golang.org/x/time v0.3.0 // indirect golang.org/x/tools v0.9.3 // indirect - google.golang.org/api v0.122.0 // indirect + google.golang.org/api v0.128.0 // indirect google.golang.org/appengine v1.6.7 // indirect - google.golang.org/genproto v0.0.0-20230526161137-0005af68ea54 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20230525234035-dd9d682886f9 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 // indirect + google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc // indirect google.golang.org/protobuf v1.30.0 // indirect gopkg.in/go-jose/go-jose.v2 v2.6.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect 
@@ -342,5 +360,4 @@ require ( k8s.io/kubectl v0.26.3 // indirect oras.land/oras-go/v2 v2.2.1 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect - sigs.k8s.io/release-utils v0.7.3 // indirect ) diff --git a/go.sum b/go.sum index cde900074c..aa040cab34 100644 --- a/go.sum +++ b/go.sum @@ -20,7 +20,7 @@ cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHOb cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI= cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk= cloud.google.com/go v0.75.0/go.mod h1:VGuuCn7PG0dwsd5XPVm2Mm3wlh3EL55/79EKB6hlPTY= -cloud.google.com/go v0.110.0 h1:Zc8gqp3+a9/Eyph2KDmcGaPtbKRIoqq4YTlL4NMD0Ys= +cloud.google.com/go v0.110.2 h1:sdFPBr6xG9/wkBbfhmUz/JmZC7X6LavQgcrVINrKiVA= cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= 
@@ -29,17 +29,15 @@ cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4g cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= cloud.google.com/go/compute v1.19.3 h1:DcTwsFgGev/wV5+q8o2fzgcHOaac+DKGC91ZlvpsQds= cloud.google.com/go/compute v1.19.3/go.mod h1:qxvISKp/gYnXkSAD1ppcSOveRAmzxicEv/JlizULFrI= -cloud.google.com/go/compute/metadata v0.2.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k= cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY= cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk= -cloud.google.com/go/iam v1.0.0 h1:hlQJMovyJJwYjZcTohUH4o1L8Z8kYz+E+W/zktiLCBc= -cloud.google.com/go/iam v1.0.0/go.mod h1:ikbQ4f1r91wTmBmmOtBCOtuEOei6taatNXytzB7Cxew= -cloud.google.com/go/kms v1.10.1 h1:7hm1bRqGCA1GBRQUrp831TwJ9TWhP+tvLuP497CQS2g= -cloud.google.com/go/kms v1.10.1/go.mod h1:rIWk/TryCkR59GMC3YtHtXeLzd634lBbKenvyySAyYI= -cloud.google.com/go/longrunning v0.4.1 h1:v+yFJOfKC3yZdY6ZUI933pIYdhyhV8S3NpWrXWmg7jM= +cloud.google.com/go/iam v1.1.0 h1:67gSqaPukx7O8WLLHMa0PNs3EBGd2eE4d+psbO/CO94= +cloud.google.com/go/iam v1.1.0/go.mod h1:nxdHjaKfCr7fNYx/HJMM8LgiMugmveWlkatear5gVyk= +cloud.google.com/go/kms v1.12.1 h1:xZmZuwy2cwzsocmKDOPu4BL7umg8QXagQx6fKVmf45U= +cloud.google.com/go/kms v1.12.1/go.mod h1:c9J991h5DTl+kg7gi3MYomh12YEENGrf48ee/N/2CDM= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= 
@@ -54,25 +52,39 @@ cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9 cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3fOKtUw0Xmo= contrib.go.opencensus.io/exporter/prometheus v0.3.0/go.mod h1:rpCPVQKhiyH8oomWgm34ZmgIdZa8OVYO5WAIygPbBBE= contrib.go.opencensus.io/exporter/stackdriver v0.13.4/go.mod h1:aXENhDJ1Y4lIg4EUaVTwzvYETVNZk10Pu26tevFKLUc= -cuelang.org/go v0.4.3 h1:W3oBBjDTm7+IZfCKZAmC8uDG0eYfJL4Pp/xbbCMKaVo= -cuelang.org/go v0.4.3/go.mod h1:7805vR9H+VoBNdWFdI7jyDR3QLUPp4+naHfbcgp55HI= +cuelang.org/go v0.5.0 h1:D6N0UgTGJCOxFKU8RU+qYvavKNsVc/+ZobmifStVJzU= +cuelang.org/go v0.5.0/go.mod h1:okjJBHFQFer+a41sAe2SaGm1glWS8oEb6CmJvn5Zdws= dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk= dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= +filippo.io/edwards25519 v1.0.0 h1:0wAIcmJUqRdI8IJ/3eGi5/HwXZWPujYXXlkrQogz0Ek= +filippo.io/edwards25519 v1.0.0/go.mod h1:N1IkdkCkiLB6tki+MYJoSx2JTY9NUlxZE7eHn5EwJns= +github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230329111138-12e09aba5ebd h1:1tbEqR4NyQLgiod7vLXSswHteGetAVZrMGCqrJxLKRs= github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 h1:8+4G8JaejP8Xa6W46PzJEwisNgBXMvFcz78N6zG/ARw= github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0/go.mod h1:GgeIE+1be8Ivm7Sh4RgwI42aTtC9qrcj+Y9Y6CjJhJs= github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU= github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.1 h1:SEy2xmstIphdPwNBUi7uhvjyjhVKISfwjfOJmuy7kg4= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.1/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q= 
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0 h1:vcYCAze6p19qBW7MhZybIsqD8sMV8js0NyQM8JDnVtg= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0/go.mod h1:OQeznEEkTZ9OrhHJoDD8ZDq51FHgXjqtP9z6bEwBq9U= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 h1:sXr+ck84g/ZlZUOZiNELInmMgOsuGwdjjVkEIde0OtY= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0/go.mod h1:okt5dMMTOFjX/aovMlrjvvXoPMBVSPzk9185BT0+eZM= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v0.12.0 h1:4Kynh6Hn2ekyIsBgNQJb3dn1+/MyvzfUJebti2emB/A= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v0.12.0/go.mod h1:Q28U+75mpCaSCDowNEmhIo/rmgdkqmkmzI7N6TGR4UY= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v0.8.0 h1:T028gtTPiYt/RMUfs8nVsAL7FDQrfLlrm/NnRG/zcC4= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v0.8.0/go.mod h1:cw4zVQgBby0Z5f2v0itn6se2dDP17nTjbZFXW5uPyHA= github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs= github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= github.com/Azure/go-autorest/autorest v0.11.1/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw= github.com/Azure/go-autorest/autorest v0.11.24/go.mod h1:G6kyRlFnTuSbEYkQGawPfsCswgme4iYf6rfSKUDzbCc= -github.com/Azure/go-autorest/autorest v0.11.28 h1:ndAExarwr5Y+GaHE6VCaY1kyS/HwwGGyuimVhWsHOEM= -github.com/Azure/go-autorest/autorest v0.11.28/go.mod h1:MrkzG3Y3AH668QyF9KRk5neJnGgmhQ6krbhR8Q5eMvA= +github.com/Azure/go-autorest/autorest v0.11.29 h1:I4+HL/JDvErx2LjyzaVxllw2lRDB5/BT2Bm4g20iqYw= +github.com/Azure/go-autorest/autorest v0.11.29/go.mod h1:ZtEzC4Jy2JDrZLxvWs8LrBWEBycl1hbT1eknI8MtfAs= github.com/Azure/go-autorest/autorest/adal v0.9.0/go.mod h1:/c022QCutn2P7uY+/oQWWNcK9YU+MH96NgK+jErpbcg= github.com/Azure/go-autorest/autorest/adal 
v0.9.5/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A= github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= +github.com/Azure/go-autorest/autorest/adal v0.9.22/go.mod h1:XuAbAEUv2Tta//+voMI038TrJBqjKam0me7qR+L8Cmk= github.com/Azure/go-autorest/autorest/adal v0.9.23 h1:Yepx8CvFxwNKpH6ja7RZ+sKX+DWYNldbLiALMC3BTz8= github.com/Azure/go-autorest/autorest/adal v0.9.23/go.mod h1:5pcMqFkdPhviJdlEy3kC/v1ZLnQl0MH6XA5YCcMhy4c= github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 h1:wkAZRgT/pn8HhFyzfe9UnqOjJYqlembgCTi72Bm/xKk= @@ -86,10 +98,6 @@ github.com/Azure/go-autorest/autorest/mocks v0.4.0/go.mod h1:LTp+uSrOhSkaKrUy935 github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= github.com/Azure/go-autorest/autorest/mocks v0.4.2 h1:PGN4EDXnuQbojHbU0UWoNvmu9AGVwYHG9/fkDYhtAfw= github.com/Azure/go-autorest/autorest/mocks v0.4.2/go.mod h1:Vy7OitM9Kei0i1Oj+LvyAWMXJHeKH1MVlzFugfVrmyU= -github.com/Azure/go-autorest/autorest/to v0.4.0 h1:oXVqrxakqqV1UZdSazDOPOLvOIz+XA683u8EctwboHk= -github.com/Azure/go-autorest/autorest/to v0.4.0/go.mod h1:fE8iZBn7LQR7zH/9XU2NcPR4o9jEImooCeWJcYV/zLE= -github.com/Azure/go-autorest/autorest/validation v0.3.1 h1:AgyqjAd94fwNAoTjl/WQXg4VvFeRFpO+UhNyRXqF1ac= -github.com/Azure/go-autorest/autorest/validation v0.3.1/go.mod h1:yhLgjC0Wda5DYXl6JAsWyUe4KVNffhoDhG0zVzUMo3E= github.com/Azure/go-autorest/logger v0.2.0/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg= github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= 
@@ -97,6 +105,8 @@ github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUM github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= +github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 h1:OBhqkivkhkMqLPymWEppkm7vgPQY2XsHoEkaMQ0AdZY= +github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0/go.mod h1:kgDmCTgBzIEPFElEF+FK0SdjAor06dRq2Go927dnQ6o= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= 
@@ -109,8 +119,9 @@ github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJ github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= -github.com/Masterminds/semver/v3 v3.2.0 h1:3MEsd0SM6jqZojhjLWWeBY+Kcjy9i6MQAeY7YgDP83g= github.com/Masterminds/semver/v3 v3.2.0/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ= +github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0= +github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ= github.com/Masterminds/sprig v2.15.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o= github.com/Masterminds/sprig v2.22.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o= github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj9n6YA= 
@@ -218,41 +229,51 @@ github.com/aws/aws-sdk-go v1.23.20/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpi github.com/aws/aws-sdk-go v1.25.37/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.36.30/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= -github.com/aws/aws-sdk-go v1.44.204 h1:7/tPUXfNOHB390A63t6fJIwmlwVQAkAwcbzKsU2/6OQ= +github.com/aws/aws-sdk-go v1.44.288 h1:Ln7fIao/nl0ACtelgR1I4AiEw/GLNkKcXfCaHupUW5Q= github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g= -github.com/aws/aws-sdk-go-v2 v1.17.7 h1:CLSjnhJSTSogvqUGhIC6LqFKATMRexcxLZ0i/Nzk9Eg= github.com/aws/aws-sdk-go-v2 v1.17.7/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw= -github.com/aws/aws-sdk-go-v2/config v1.18.19 h1:AqFK6zFNtq4i1EYu+eC7lcKHYnZagMn6SW171la0bGw= +github.com/aws/aws-sdk-go-v2 v1.18.1 h1:+tefE750oAb7ZQGzla6bLkOwfcQCEtC5y2RqoqCeqKo= +github.com/aws/aws-sdk-go-v2 v1.18.1/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw= github.com/aws/aws-sdk-go-v2/config v1.18.19/go.mod h1:XvTmGMY8d52ougvakOv1RpiTLPz9dlG/OQHsKU/cMmY= -github.com/aws/aws-sdk-go-v2/credentials v1.13.18 h1:EQMdtHwz0ILTW1hoP+EwuWhwCG1hD6l3+RWFQABET4c= +github.com/aws/aws-sdk-go-v2/config v1.18.27 h1:Az9uLwmssTE6OGTpsFqOnaGpLnKDqNYOJzWuC6UAYzA= +github.com/aws/aws-sdk-go-v2/config v1.18.27/go.mod h1:0My+YgmkGxeqjXZb5BYme5pc4drjTnM+x1GJ3zv42Nw= github.com/aws/aws-sdk-go-v2/credentials v1.13.18/go.mod h1:vnwlwjIe+3XJPBYKu1et30ZPABG3VaXJYr8ryohpIyM= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.1 h1:gt57MN3liKiyGopcqgNzJb2+d9MJaKT/q1OksHNXVE4= +github.com/aws/aws-sdk-go-v2/credentials v1.13.26 h1:qmU+yhKmOCyujmuPY7tf5MxR/RKyZrOPO3V4DobiTUk= +github.com/aws/aws-sdk-go-v2/credentials v1.13.26/go.mod h1:GoXt2YC8jHUBbA4jr+W3JiemnIbkXOfxSXcisUsZ3os= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.1/go.mod 
h1:lfUx8puBRdM5lVVMQlwt2v+ofiG/X6Ms+dy0UkG/kXw= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.31 h1:sJLYcS+eZn5EeNINGHSCRAwUJMFVqklwkH36Vbyai7M= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.4 h1:LxK/bitrAr4lnh9LnIS6i7zWbCOdMsfzKFBI6LUCS0I= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.4/go.mod h1:E1hLXN/BL2e6YizK1zFlYd8vsfi2GTjbjBazinMmeaM= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.31/go.mod h1:QT0BqUvX1Bh2ABdTGnjqEjvjzrCfIniM9Sc8zn9Yndo= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.25 h1:1mnRASEKnkqsntcxHaysxwgVoUUp5dkiB+l3llKnqyg= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.34 h1:A5UqQEmPaCFpedKouS4v+dHCTUo2sKqhoKO9U5kxyWo= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.34/go.mod h1:wZpTEecJe0Btj3IYnDx/VlUzor9wm3fJHyvLpQF0VwY= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.25/go.mod h1:zBHOPwhBc3FlQjQJE/D3IfPWiWaQmT06Vq9aNukDo0k= -github.com/aws/aws-sdk-go-v2/internal/ini v1.3.32 h1:p5luUImdIqywn6JpQsW3tq5GNOxKmOnEpybzPx+d1lk= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.28 h1:srIVS45eQuewqz6fKKu6ZGXaq6FuFg5NzgQBAM6g8Y4= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.28/go.mod h1:7VRpKQQedkfIEXb4k52I7swUnZP0wohVajJMRn3vsUw= github.com/aws/aws-sdk-go-v2/internal/ini v1.3.32/go.mod h1:XGhIBZDEgfqmFIugclZ6FU7v75nHhBDtzuB4xB/tEi4= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.35 h1:LWA+3kDM8ly001vJ1X1waCuLJdtTl48gwkPKWy9sosI= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.35/go.mod h1:0Eg1YjxE0Bhn56lx+SHJwCzhW+2JGtizsrx+lCqrfm0= github.com/aws/aws-sdk-go-v2/service/ecr v1.18.7 h1:oQ1Esut3iaL2Dydt2RBd9gbuUevToXpdTI+Uh1xXryI= github.com/aws/aws-sdk-go-v2/service/ecr v1.18.7/go.mod h1:RHhgOMnMIkgB4TmxQat9obSnZ6fF1fuA27+itZKUi1o= github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.15.6 h1:An1fWO68q8iu/v3E23lz4RwwSU4NagPJZlbGM4KmOTk= github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.15.6/go.mod h1:6Oe4un07H6Hv/VNTtubGHUNP5S2HwgmQk19hOnbkSGc= 
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.25 h1:5LHn8JQ0qvjD9L9JhMtylnkcw7j05GDZqM9Oin6hpr0= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.25/go.mod h1:/95IA+0lMnzW6XzqYJRpjjsAbKEORVeO0anQqjd2CNU= -github.com/aws/aws-sdk-go-v2/service/kms v1.20.8 h1:R5f4VOFi3ScTe7TtePyxLqEhNqTJIAxL57MzrXFNs6I= -github.com/aws/aws-sdk-go-v2/service/kms v1.20.8/go.mod h1:OtP3pBOgmJM+acQyQcQXtQHets3yJoVuanCx2T5M7v4= -github.com/aws/aws-sdk-go-v2/service/sso v1.12.6 h1:5V7DWLBd7wTELVz5bPpwzYy/sikk0gsgZfj40X+l5OI= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.28 h1:bkRyG4a929RCnpVSTvLM2j/T4ls015ZhhYApbmYs15s= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.28/go.mod h1:jj7znCIg05jXlaGBlFMGP8+7UN3VtCkRBG2spnmRQkU= +github.com/aws/aws-sdk-go-v2/service/kms v1.22.2 h1:jwmtdM1/l1DRNy5jQrrYpsQm8zwetkgeqhAqefDr1yI= +github.com/aws/aws-sdk-go-v2/service/kms v1.22.2/go.mod h1:aNfh11Smy55o65PB3MyKbkM8BFyFUcZmj1k+4g8eNfg= github.com/aws/aws-sdk-go-v2/service/sso v1.12.6/go.mod h1:Y1VOmit/Fn6Tz1uFAeCO6Q7M2fmfXSCLeL5INVYsLuY= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.6 h1:B8cauxOH1W1v7rd8RdI/MWnoR4Ze0wIHWrb90qczxj4= +github.com/aws/aws-sdk-go-v2/service/sso v1.12.12 h1:nneMBM2p79PGWBQovYO/6Xnc2ryRMw3InnDJq1FHkSY= +github.com/aws/aws-sdk-go-v2/service/sso v1.12.12/go.mod h1:HuCOxYsF21eKrerARYO6HapNeh9GBNq7fius2AcwodY= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.6/go.mod h1:Lh/bc9XUf8CfOY6Jp5aIkQtN+j1mc+nExc+KXj9jx2s= -github.com/aws/aws-sdk-go-v2/service/sts v1.18.7 h1:bWNgNdRko2x6gqa0blfATqAZKZokPIeM1vfmQt2pnvM= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.12 h1:2qTR7IFk7/0IN/adSFhYu9Xthr0zVFTgBrmPldILn80= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.12/go.mod h1:E4VrHCPzmVB/KFXtqBGKb3c8zpbNBgKe3fisDNLAW5w= github.com/aws/aws-sdk-go-v2/service/sts v1.18.7/go.mod h1:JuTnSoeePXmMVe9G8NcjjwgOKEfZ4cOjMuT2IBT/2eI= +github.com/aws/aws-sdk-go-v2/service/sts v1.19.2 
h1:XFJ2Z6sNUUcAz9poj+245DMkrHE4h2j5I9/xD50RHfE= +github.com/aws/aws-sdk-go-v2/service/sts v1.19.2/go.mod h1:dp0yLPsLBOi++WTxzCjA/oZqi6NPIhoR+uF7GeMU9eg= github.com/aws/smithy-go v1.13.5 h1:hgz0X/DX0dGqTYpGALqXJoRKRj5oQ7150i5FdTePzO8= github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20230322223720-077b4a917a90 h1:GN8SzriwBUX5aagQft8cJ5sKUaXdHUdX8q2gS2mkom8= github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20230322223720-077b4a917a90/go.mod h1:V97RBAXo2x0elgRWnSfhWLDkwwEl7dNmmBRAvbwmEoA= -github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A= github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= github.com/benbjohnson/clock v1.3.0 h1:ip6w0uFQkncKQ979AypyG0ER7mqUSBdKLOgAle/AT8A= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= 
@@ -267,8 +288,9 @@ github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnweb github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= github.com/bombsimon/wsl/v3 v3.3.0/go.mod h1:st10JtZYLE4D5sC7b8xV4zTKZwAQjCH/Hy2Pm1FNZIc= -github.com/bradfitz/gomemcache v0.0.0-20190913173617-a41fca850d0b/go.mod h1:H0wQNHz2YrLsuXOZozoeDmnHXkNCRmMW0gwFWDfEZDA= github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0= +github.com/buildkite/agent/v3 v3.49.0 h1:FSmRQz8YFhaCXg4MfE7JucPcY7mQ/HWM55ir1j3E9qM= +github.com/buildkite/agent/v3 v3.49.0/go.mod h1:iasSyh3KPjOPCnyvnZB1trkkX7jrdL8PnLBgjdVJxgU= github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0= github.com/bytecodealliance/wasmtime-go v0.27.0 h1:b/mvyw1YJSwF5zNxqLH9V24ENkZGAvp+KgIKHOFHk1c= github.com/bytecodealliance/wasmtime-go v0.27.0/go.mod h1:q320gUxqyI8yB+ZqRuaJOEnGkAnHh6WtJjMaT2CW4wI= 
@@ -322,8 +344,8 @@ github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= -github.com/coreos/go-oidc/v3 v3.5.0 h1:VxKtbccHZxs8juq7RdJntSqtXFtde9YpNpGn0yqgEHw= -github.com/coreos/go-oidc/v3 v3.5.0/go.mod h1:ecXRtV4romGPeO6ieExAsUK9cb/3fp9hXNz1tlv8PIM= +github.com/coreos/go-oidc/v3 v3.6.0 h1:AKVxfYw1Gmkn/w96z0DbT/B/xFnzTd3MkZvWLjF4n/o= +github.com/coreos/go-oidc/v3 v3.6.0/go.mod h1:ZpHUsHBucTUj6WOkrP4E20UPynbLZzhTQ1XKCXkxyPc= github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= @@ -342,7 +364,6 @@ github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7/g github.com/cyphar/filepath-securejoin v0.2.3 h1:YX6ebbZCZP7VkM3scTTokDgBL2TY741X51MTk3ycuNI= github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= github.com/daixiang0/gci v0.2.8/go.mod h1:+4dZ7TISfSmqfAGv59ePaHfNzgGtIkHAhhdKggP1JAc= -github.com/danieljoos/wincred v1.0.2/go.mod h1:SnuYRW9lp1oJrZX/dXJqr0cPK5gYXqx3EJbmjhLdK9U= github.com/danieljoos/wincred v1.1.2/go.mod h1:GijpziifJoIBfYh+S7BbkdUTU4LfM+QnGqR5Vl2tAx0= github.com/davecgh/go-spew v0.0.0-20161028175848-04cdfd42973b/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 
@@ -356,12 +377,18 @@ github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZm github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48 h1:fRzb/w+pyskVMQ+UbP35JkH8yB7MYb4q/qhBarqZE6g= github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA= +github.com/digitorus/pkcs7 v0.0.0-20221019075359-21b8b40e6bb4/go.mod h1:SKVExuS+vpu2l9IoOc0RwqE7NYnb0JlcFHFnEJkVDzc= +github.com/digitorus/pkcs7 v0.0.0-20221212123742-001c36b64ec3 h1:rjCXeRWazGsbcBlExMcAW8H1LGdgJ9r619y7+aeKgds= +github.com/digitorus/pkcs7 v0.0.0-20221212123742-001c36b64ec3/go.mod h1:SKVExuS+vpu2l9IoOc0RwqE7NYnb0JlcFHFnEJkVDzc= +github.com/digitorus/timestamp v0.0.0-20221019182153-ef3b63b79b31 h1:3go0tpsBpbs9L/oysk3jDwRprlLRRkpSU7YxKlTfU+o= +github.com/digitorus/timestamp v0.0.0-20221019182153-ef3b63b79b31/go.mod h1:6V2ND8Yf8TOJ4h+9pmUlx8kXvNLBB2QplToVVZQ3rF0= github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi/U= github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE= github.com/distribution/distribution v2.8.2+incompatible h1:k9+4DKdOG+quPFZXT/mUsiQrGu9vYCp+dXpuPkuqhk8= github.com/distribution/distribution v2.8.2+incompatible/go.mod h1:EgLm2NgWtdKgzF9NpMzUKgzmR7AMmb0VQi2B+ZzDRjc= github.com/djherbis/times v1.5.0 h1:79myA211VwPhFTqUk8xehWrsEO+zcIZj0zT8mXPVARU= github.com/djherbis/times v1.5.0/go.mod h1:5q7FDLvbNg1L/KaBmPcWlVR9NmoKo3+ucqUA3ijQhA0= +github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI= github.com/docker/cli v24.0.0+incompatible h1:0+1VshNwBQzQAx9lOl+OYCTCEAD8fKs/qeXMx3O0wqM= github.com/docker/cli v24.0.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8= 
@@ -423,7 +450,7 @@ github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHqu github.com/foxcpp/go-mockdns v1.0.0 h1:7jBqxd3WDWwi/6WhDvacvH1XsN3rOLXyHM1uhvIx6FI= github.com/franela/goblin v0.0.0-20200105215937-c9ffbefa60db/go.mod h1:7dvUGVsVBjqR7JHJk0brhHOZYGmfBYOrK0ZhYMEtBr4= github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8/go.mod h1:ZhphrRTfi2rbfLwlschooIH4+wKKDR4Pdxhh+TRoA20= -github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE= +github.com/frankban/quicktest v1.14.4 h1:g2rn0vABPOOXmZUj+vbmUp0lPoXEMuhTpIluN0XL9UY= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU= @@ -433,6 +460,8 @@ github.com/fullstorydev/grpcurl v1.6.0/go.mod h1:ZQ+ayqbKMJNhzLmbpCiurTVlaK2M/3n github.com/fxamacker/cbor/v2 v2.4.0 h1:ri0ArlOR+5XunOP8CRUowT0pSJOwhW098ZCUyskZD88= github.com/fxamacker/cbor/v2 v2.4.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo= github.com/fzipp/gocyclo v0.3.1/go.mod h1:DJHO6AUmbdqj2ET4Z9iArSuwWgYDRryYt2wASxc7x3E= +github.com/gabriel-vasile/mimetype v1.4.2 h1:w5qFW6JKBz9Y393Y4q372O9A7cUSequkh1Q7OhCmWKU= +github.com/gabriel-vasile/mimetype v1.4.2/go.mod h1:zApsH/mKG4w07erKIaJPFiX0Tsq9BFQgN3qGY5GnNgA= github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/ghodss/yaml v0.0.0-20180820084758-c7ce16629ff4/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= 
@@ -504,15 +533,15 @@ github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En github.com/go-openapi/loads v0.21.1/go.mod h1:/DtAMXXneXFjbQMGEtbamCZb+4x7eGwkvZCvBmwUG+g= github.com/go-openapi/loads v0.21.2 h1:r2a/xFIYeZ4Qd2TnGpWDIQNcP80dIaZgf704za8enro= github.com/go-openapi/loads v0.21.2/go.mod h1:Jq58Os6SSGz0rzh62ptiu8Z31I+OTHqmULx5e/gJbNw= -github.com/go-openapi/runtime v0.25.0 h1:7yQTCdRbWhX8vnIjdzU8S00tBYf7Sg71EBeorlPHvhc= -github.com/go-openapi/runtime v0.25.0/go.mod h1:Ux6fikcHXyyob6LNWxtE96hWwjBPYF0DXgVFuMTneOs= +github.com/go-openapi/runtime v0.26.0 h1:HYOFtG00FM1UvqrcxbEJg/SwvDRvYLQKGhw2zaQjTcc= +github.com/go-openapi/runtime v0.26.0/go.mod h1:QgRGeZwrUcSHdeh4Ka9Glvo0ug1LC5WyE+EV88plZrQ= github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo= github.com/go-openapi/spec v0.19.5/go.mod h1:Hm2Jr4jv8G1ciIAo+frC/Ft+rR2kQDh8JHKHb3gWUSk= github.com/go-openapi/spec v0.20.3/go.mod h1:gG4F8wdEDN+YPBMVnzE85Rbhf+Th2DTvA9nFPQ5AYEg= github.com/go-openapi/spec v0.20.4/go.mod h1:faYFR1CvsJZ0mNsmsphTMSoRrNV3TEDoAM7FOEWeq8I= github.com/go-openapi/spec v0.20.6/go.mod h1:2OpW+JddWPrpXSCIX8eOx7lZ5iyuWj3RYR6VaaBKcWA= -github.com/go-openapi/spec v0.20.8 h1:ubHmXNY3FCIOinT8RNrrPfGc9t7I1qhPtdOGoG2AxRU= -github.com/go-openapi/spec v0.20.8/go.mod h1:2OpW+JddWPrpXSCIX8eOx7lZ5iyuWj3RYR6VaaBKcWA= +github.com/go-openapi/spec v0.20.9 h1:xnlYNQAwKd2VQRRfwTEI0DcK+2cbuvI/0c7jx3gA8/8= +github.com/go-openapi/spec v0.20.9/go.mod h1:2OpW+JddWPrpXSCIX8eOx7lZ5iyuWj3RYR6VaaBKcWA= github.com/go-openapi/strfmt v0.21.0/go.mod h1:ZRQ409bWMj+SOgXofQAGTIo2Ebu72Gs+WaRADcS5iNg= github.com/go-openapi/strfmt v0.21.1/go.mod h1:I/XVKeLc5+MM5oPNN7P6urMOpuLXEcNrCX/rPGuWb0k= github.com/go-openapi/strfmt v0.21.3/go.mod h1:k+RzNO0Da+k3FrrynSNN8F7n/peCmQQqbbXjtDfvmGg= 
@@ -523,8 +552,9 @@ github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= github.com/go-openapi/swag v0.19.15/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= github.com/go-openapi/swag v0.21.1/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= -github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= +github.com/go-openapi/swag v0.22.4 h1:QLMzNJnMGPRNDCbySlcj1x01tzU8/9LTTL9hZZZogBU= +github.com/go-openapi/swag v0.22.4/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= github.com/go-openapi/validate v0.22.1 h1:G+c2ub6q47kfX1sOBLwIQwzBVt8qmOAARyo/9Fqs9NU= github.com/go-openapi/validate v0.22.1/go.mod h1:rjnrwK57VJ7A8xqfpAOEKRH8yQSGUriMu5/zuPSQ1hg= github.com/go-piv/piv-go v1.11.0 h1:5vAaCdRTFSIW4PeqMbnsDlUZ7odMYWnHBDGdmtU/Zhg= 
@@ -534,10 +564,10 @@ github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/o github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY= github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY= github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY= -github.com/go-playground/validator/v10 v10.12.0 h1:E4gtWgxWxp8YSxExrQFv5BpCahla0PVF2oTTEYaWQGI= -github.com/go-playground/validator/v10 v10.12.0/go.mod h1:hCAPuzYvKdP33pxWa+2+6AIKXEKqjIUyqsNCtbsSJrA= +github.com/go-playground/validator/v10 v10.14.0 h1:vgvQWe3XCz3gIeFDm/HnTIbj6UGmg/+t63MyGU2n5js= +github.com/go-playground/validator/v10 v10.14.0/go.mod h1:9iXMNT7sEkjXb0I+enO7QXmzG6QCsPWY4zveKFVRSyU= github.com/go-redis/redis v6.15.8+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA= -github.com/go-rod/rod v0.112.6 h1:zMirUmhsBeshMWyf285BD0UGtGq54HfThLDGSjcP3lU= +github.com/go-rod/rod v0.113.3 h1:oLiKZW721CCMwA5g7977cWfcAKQ+FuosP47Zf1QiDrA= github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= 
@@ -581,7 +611,6 @@ github.com/gobuffalo/packr/v2 v2.2.0/go.mod h1:CaAwI0GPIAv+5wKLtv8Afwl+Cm78K/I/V github.com/gobuffalo/syncx v0.0.0-20190224160051-33c29581e754/go.mod h1:HhnNqWY95UYwwW3uSASeV7vtgYkT2t16hJgV3AEPUpw= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= -github.com/godbus/dbus v4.1.0+incompatible/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw= github.com/gofrs/flock v0.8.0/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU= github.com/gogo/googleapis v1.1.0/go.mod h1:gf4bu3Q80BeJ6H1S1vYPm8/ELATdvryBaNFGgqEef3s= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= @@ -635,7 +664,6 @@ github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= -github.com/golang/snappy v0.0.2/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/golangci/check v0.0.0-20180506172741-cfe4005ccda2/go.mod h1:k9Qvh+8juN+UKMCS/3jFtGICgW8O96FVaZsaxdzDkR4= 
@@ -656,8 +684,8 @@ github.com/google/cel-go v0.12.6 h1:kjeKudqV0OygrAqA9fX6J55S8gj+Jre2tckIm5RoG4M= github.com/google/cel-go v0.12.6/go.mod h1:Jk7ljRzLBhkmiAwBoUxB1sZSCVBAzkqPF25olK/iRDw= github.com/google/certificate-transparency-go v1.0.21/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg= github.com/google/certificate-transparency-go v1.1.1/go.mod h1:FDKqPvSXawb2ecErVRrD+nfy23RCzyl7eqVCEmlT1Zs= -github.com/google/certificate-transparency-go v1.1.4 h1:hCyXHDbtqlr/lMXU0D4WgbalXL0Zk4dSWWMbPV8VrqY= -github.com/google/certificate-transparency-go v1.1.4/go.mod h1:D6lvbfwckhNrbM9WVl1EVeMOyzC19mpIjMOI4nxBHtQ= +github.com/google/certificate-transparency-go v1.1.6 h1:SW5K3sr7ptST/pIvNkSVWMiJqemRmkjJPPT0jzXdOOY= +github.com/google/certificate-transparency-go v1.1.6/go.mod h1:0OJjOsOk+wj6aYQgP7FU0ioQ0AJUmnWPFMqTjQeazPQ= github.com/google/flatbuffers v1.12.1 h1:MVlul7pQNoDzWRLTw5imwYsl+usrS1TXG2H4jg6ImGw= github.com/google/gnostic v0.6.9 h1:ZK/5VhkoX835RikCHpSUJV9a+S3e1zLh59YnyWeBW+0= github.com/google/gnostic v0.6.9/go.mod h1:Nm8234We1lq6iB9OmlgNv3nH91XLLVZHCDayfA3xq+E= 
@@ -680,8 +708,8 @@ github.com/google/go-containerregistry v0.16.1 h1:rUEt426sR6nyrL3gt+18ibRcvYpKYd github.com/google/go-containerregistry v0.16.1/go.mod h1:u0qB2l7mvtWVR5kNcbFIhFY1hLbf8eeGapA+vbFDCtQ= github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20230403180904-b8d1c0a1df12 h1:LLLVB/7zCZVKI27rqA7bbZHZJxH1lL2jbLxdomX1Eew= github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20230403180904-b8d1c0a1df12/go.mod h1:CSeefFZsOfyNrYGXDafpWNkf3tUz17nKReR5INPRaMI= -github.com/google/go-github/v45 v45.2.0 h1:5oRLszbrkvxDDqBCNj2hjDZMKmvexaZ1xw/FCD+K3FI= -github.com/google/go-github/v45 v45.2.0/go.mod h1:FObaZJEDSTa/WGCzZ2Z3eoCDXWJKMenWWTrd8jrta28= +github.com/google/go-github/v50 v50.2.0 h1:j2FyongEHlO9nxXLc+LP3wuBSVU9mVxfpdYUexMpIfk= +github.com/google/go-github/v50 v50.2.0/go.mod h1:VBY8FB6yPIjrtKhozXv4FQupxKLS6H4m6xFZlT43q8Q= github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8= github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= 
@@ -705,27 +733,26 @@ github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLe github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= +github.com/google/pprof v0.0.0-20221103000818-d260c55eee4c h1:lvddKcYTQ545ADhBujtIJmqQrZBDsGo7XIMbAQe/sNY= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= -github.com/google/s2a-go v0.1.3 h1:FAgZmpLl/SXurPEZyCMPBIiiYeTbqfjlbdnCNTAkbGE= -github.com/google/s2a-go v0.1.3/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A= +github.com/google/s2a-go v0.1.4 h1:1kZ/sQM3srePvKs3tXAvQzo66XfcReoqFpIpIccE7Oc= +github.com/google/s2a-go v0.1.4/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= +github.com/google/tink/go v1.7.0 h1:6Eox8zONGebBFcCBqkVmt60LaWZa6xg1cl/DwAh/J1w= github.com/google/trillian v1.3.11/go.mod h1:0tPraVHrSDkA3BO6vKX67zgLXs6SsOAbHEivX+9mPgw= -github.com/google/trillian v1.5.1 h1:2p1l13f0eWd7eOShwarwIxutYYnGzY/5S+xYewQIPkU= -github.com/google/trillian v1.5.1/go.mod h1:EcDttN8nf+EoAiyLigBAp9ebncZI6rhJPyxZ+dQ6HSo= github.com/google/uuid v0.0.0-20161128191214-064e2069ce9c/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.2/go.mod 
h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/googleapis/enterprise-certificate-proxy v0.2.3 h1:yk9/cqRKtT9wXZSsRH9aurXEpJX+U6FLtpYTdC3R06k= -github.com/googleapis/enterprise-certificate-proxy v0.2.3/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k= +github.com/googleapis/enterprise-certificate-proxy v0.2.4 h1:uGy6JWR/uMIILU8wbf+OkstIrNiMjGpEIyhx8f6W7s4= +github.com/googleapis/enterprise-certificate-proxy v0.2.4/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= -github.com/googleapis/gax-go/v2 v2.8.0 h1:UBtEZqx1bjXtOQ5BVTkuYghXrr3N4V123VKJK67vJZc= -github.com/googleapis/gax-go/v2 v2.8.0/go.mod h1:4orTrqY6hXxxaUL4LHIPl6lGo8vAE38/qKbhSAKP6QI= +github.com/googleapis/gax-go/v2 v2.11.0 h1:9V9PWXEsWnPpQhu/PeQIkS4eGzMlTLGgt80cUUI8Ki4= +github.com/googleapis/gax-go/v2 v2.11.0/go.mod h1:DxmR61SGKkGLa2xigwuZIQpkCI2S5iydzRfb3peWZJI= github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg= github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU= github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g= 
@@ -742,7 +769,6 @@ github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2z github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= -github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gostaticanalysis/analysisutil v0.0.0-20190318220348-4088753ea4d3/go.mod h1:eEOZF4jCKGi+aprrirO9e7WKB3beBRtWgqGunKl6pKE= @@ -811,9 +837,8 @@ github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= -github.com/hashicorp/vault/api v1.9.0 h1:ab7dI6W8DuCY7yCU8blo0UCYl2oHre/dloCmzMWg9w8= -github.com/hashicorp/vault/api v1.9.0/go.mod h1:lloELQP4EyhjnCQhF8agKvWIVTmxbpEJj70b98959sM= -github.com/howeyc/gopass v0.0.0-20190910152052-7cb4b85ec19c/go.mod h1:lADxMC39cJJqL93Duh1xhAs4I2Zs8mKS89XWXFGp9cs= +github.com/hashicorp/vault/api v1.9.2 h1:YjkZLJ7K3inKgMZ0wzCU9OHqc+UqMQyXsPXnf3Cl2as= +github.com/hashicorp/vault/api v1.9.2/go.mod h1:jo5Y/ET+hNyz+JnKDt8XLAdKs+AM0G5W0Vp1IrFI8N8= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= github.com/huandu/xstrings v1.0.0/go.mod h1:4qWG/gcEcfX4z/mBDHJ++3ReCw9ibxbsNJbcucJdbSo= github.com/huandu/xstrings v1.2.0/go.mod h1:DvyZB1rfVYsBIigL8HwpZgxHwXozlTgGqn63UyNX5k4= 
@@ -829,8 +854,8 @@ github.com/imdario/mergo v0.3.10/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= github.com/imdario/mergo v0.3.15 h1:M8XP7IuFNsqUx6VPK2P9OSmsYsI/YFaGil0uD21V3dM= github.com/imdario/mergo v0.3.15/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= -github.com/in-toto/in-toto-golang v0.6.0 h1:1s7cyzb5zGyzKPLgFsi4sC0o3EA24HLKlne8BrnOrSc= -github.com/in-toto/in-toto-golang v0.6.0/go.mod h1:NaFLcsxtvZgbwQpyHwK8MlDXN9b+NuOMXqeIqxzfBoA= +github.com/in-toto/in-toto-golang v0.9.0 h1:tHny7ac4KgtsfrG6ybU8gVOZux2H8jN05AXJ9EBM1XU= +github.com/in-toto/in-toto-golang v0.9.0/go.mod h1:xsBVrVsHNsB61++S6Dy2vWosKhuA3lUTQd+eF9HdeMo= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= 
@@ -839,8 +864,8 @@ github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOl github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= github.com/jedisct1/go-minisign v0.0.0-20230211184525-1f273d8dc776 h1:WXhZ7psl6HhDDW58rDWIJE6oB0ETjaQA4U6d8U7lMyg= github.com/jedisct1/go-minisign v0.0.0-20230211184525-1f273d8dc776/go.mod h1:09CTTv5TZgz94QHts03Xnuzy5LmxCE8BNqQRFigO5gA= -github.com/jellydator/ttlcache/v2 v2.11.1 h1:AZGME43Eh2Vv3giG6GeqeLeFXxwxn1/qHItqWZl6U64= -github.com/jellydator/ttlcache/v2 v2.11.1/go.mod h1:RtE5Snf0/57e+2cLWFYWCCsLas2Hy3c5Z4n14XmSvTI= +github.com/jellydator/ttlcache/v3 v3.0.1 h1:cHgCSMS7TdQcoprXnWUptJZzyFsqs18Lt8VVhRuZYVU= +github.com/jellydator/ttlcache/v3 v3.0.1/go.mod h1:WwTaEmcXQ3MTjOm4bsZoDFiCu/hMvNWLO1w67RXz6h4= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/jgautheron/goconst v1.4.0/go.mod h1:aAosetZ5zaeC/2EfMeRswtxUFBpe2Hr7HzkgX4fanO4= github.com/jhump/protoreflect v1.6.1/go.mod h1:RZQ/lnuN+zqeRVpQigTwO6o0AJUkxbnSnpuG7toUTG4= 
@@ -924,15 +949,15 @@ github.com/ldez/gomoddirectives v0.2.1/go.mod h1:sGicqkRgBOg//JfpXwkB9Hj0X5RyJ7m github.com/ldez/tagliatelle v0.2.0/go.mod h1:8s6WJQwEYHbKZDsp/LjArytKOG8qaMrKQQ3mFukHs88= github.com/lensesio/tableprinter v0.0.0-20201125135848-89e81fc956e7 h1:k/1ku0yehLCPqERCHkIHMDqDg1R02AcCScRuHbamU3s= github.com/lensesio/tableprinter v0.0.0-20201125135848-89e81fc956e7/go.mod h1:YR/zYthNdWfO8+0IOyHDcIDBBBS2JMnYUIwSsnwmRqU= -github.com/leodido/go-urn v1.2.2 h1:7z68G0FCGvDk646jz1AelTYNYWrTNm0bEcFAo147wt4= -github.com/leodido/go-urn v1.2.2/go.mod h1:kUaIbLZWttglzwNuG0pgsh5vuV6u2YcGBYz1hIPjtOQ= +github.com/leodido/go-urn v1.2.4 h1:XlAE/cm/ms7TE/VMVoduSpNBoyc2dOxHs5MZSwAN63Q= +github.com/leodido/go-urn v1.2.4/go.mod h1:7ZrI8mTSeBSHl/UaRyKQW1qZeMgak41ANeCNaVckg+4= github.com/letsencrypt/boulder v0.0.0-20230331213904-8c67769be400 h1:MCvRs18gGwUDcIt/3FFEOyaujL0emWNBmJLYuYqzk2g= github.com/letsencrypt/boulder v0.0.0-20230331213904-8c67769be400/go.mod h1:fSFykYyAT0KcvYiaxt4trooef9ZSghqvtArlLSazmYk= github.com/letsencrypt/pkcs11key/v4 v4.0.0/go.mod h1:EFUvBDay26dErnNb70Nd0/VW3tJiIbETBPTl9ATXQag= github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.8.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/lib/pq v1.9.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= -github.com/lib/pq v1.10.7 h1:p7ZhMD+KsSRozJr34udlUrhboJwWAgCg34+/ZZNvZZw= +github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE= github.com/lightstep/lightstep-tracer-common/golang/gogo v0.0.0-20190605223551-bc2310a04743/go.mod h1:qklhhLq1aX+mtWk9cPHPzaBjWImj5ULL6C7HFJtXQMM= 
@@ -1061,6 +1086,8 @@ github.com/notaryproject/notation-core-go v1.0.0 h1:FgOAihtFW4XU9JYyTzItg1xW3OaN github.com/notaryproject/notation-core-go v1.0.0/go.mod h1:eoHFJ2e6b31GZO9hckCms5kfXvHLTySvJ1QwRLB9ZCk= github.com/notaryproject/notation-go v1.0.0 h1:pH+0NVmZu1IhE8zUhK9Oxna3OlHNdy+crNntnuCiThs= github.com/notaryproject/notation-go v1.0.0/go.mod h1:NpfUnDt94vLSCJ8fAWplgTbf3fmq3JLSEnjDFl7j16U= +github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 h1:Up6+btDp321ZG5/zdSLo48H9Iaq0UQGthrhWC6pCxzE= +github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481/go.mod h1:yKZQO8QE2bHlgozqWDiRVqTFlLQSj30K/6SAK8EeYFw= github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= @@ -1105,8 +1132,8 @@ github.com/open-policy-agent/gatekeeper v0.0.0-20210824170141-dd97b8a7e966 h1:p8 github.com/open-policy-agent/gatekeeper v0.0.0-20210824170141-dd97b8a7e966/go.mod h1:JO6AV/tyZ/MsNGsvnjTK6lGpiJyMLtt7UxkT6Eq9kDE= github.com/open-policy-agent/opa v0.24.0/go.mod h1:qEyD/i8j+RQettHGp4f86yjrjvv+ZYia+JHCMv2G7wA= github.com/open-policy-agent/opa v0.29.4/go.mod h1:ZCOTD3yyFR8JvF8ETdWdiSPn9WcF1dXeQWOv7VoPorU= -github.com/open-policy-agent/opa v0.51.0 h1:2hS5xhos8HtkN+mgpqMhNJSFtn/1n/h3wh+AeTPJg6Q= -github.com/open-policy-agent/opa v0.51.0/go.mod h1:OjmwLfXdeR7skSxrt8Yd3ScXTqPxyJn7GeTRJrcEerU= +github.com/open-policy-agent/opa v0.52.0 h1:Rv3F+VCDqsufaiYy/3S9/Iuk0yfcREK4iZmWbNsKZjA= +github.com/open-policy-agent/opa v0.52.0/go.mod h1:2n99s7WY/BXZUWUOq10JdTgK+G6XM4FYGoe7kQ5Vg0s= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0-rc4 h1:oOxKUJWnFC4YGHCCMNql1x4YaDfYBTS5Y4x/Cgeo1E0= 
@@ -1126,10 +1153,12 @@ github.com/orcaman/concurrent-map/v2 v2.0.1/go.mod h1:9Eq3TG2oBe5FirmYWQfYO5iH1q github.com/pact-foundation/pact-go v1.0.4/go.mod h1:uExwJY4kCzNPcHRj+hCR/HBbOOIwwtUjcrb0b5/5kLM= github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= +github.com/pborman/uuid v1.2.1 h1:+ZZIw58t/ozdjRaXh/3awHfmWRbzYxJoAdNJxe/3pvw= +github.com/pborman/uuid v1.2.1/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE= -github.com/pelletier/go-toml/v2 v2.0.7 h1:muncTPStnKRos5dpVKULv2FVd4bMOhNePj9CjgDb8Us= -github.com/pelletier/go-toml/v2 v2.0.7/go.mod h1:eumQOmlWiOPt5WriQQqoM5y18pDHwha2N+QD+EUNTek= +github.com/pelletier/go-toml/v2 v2.0.8 h1:0ctb6s9mE31h0/lhu+J6OPmVeDxJn+kYnJc2jZR9tGQ= +github.com/pelletier/go-toml/v2 v2.0.8/go.mod h1:vuYfssBdrU2XDZ9bYydBu6t+6a6PYNcZljzZR9VXg+4= github.com/performancecopilot/speed v3.0.0+incompatible/go.mod h1:/CLtqpZ5gBg1M9iaPbIdPPGyKcA8hKdoy6hAWba7Yac= github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= 
@@ -1139,6 +1168,8 @@ github.com/pierrec/lz4 v1.0.2-0.20190131084431-473cd7ce01a1/go.mod h1:3/3N9NVKO0 github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4= github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI= +github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 h1:KoWmjvw+nsYOo29YJK9vDA65RGE3NrOnUtO7a+RF9HU= +github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI= github.com/pkg/errors v0.0.0-20181023235946-059132a15dd0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= @@ -1215,7 +1246,6 @@ github.com/quasilyte/go-ruleguard/dsl v0.3.2/go.mod h1:KeCP03KrjuSO0H1kTuZQCWlQP github.com/quasilyte/go-ruleguard/rules v0.0.0-20201231183845-9e62ed36efe1/go.mod h1:7JTjp89EGyU1d6XfBiXihJNG37wB2VRkd125Q1u7Plc= github.com/quasilyte/go-ruleguard/rules v0.0.0-20210203162857-b223e0831f88/go.mod h1:4cgAphtvu7Ftv7vOT2ZOYhC6CvBxZixcasr8qIOTA50= github.com/quasilyte/regex/syntax v0.0.0-20200407221936-30656e2c4a95/go.mod h1:rlzQ04UMyJXu/aOvhd8qT+hvDrFpiwqp8MRXDY9szc0= -github.com/qur/ar v0.0.0-20130629153254-282534b91770/go.mod h1:SjlYv2m9lpV0UW6K7lDqVJwEIIvSjaHbGk7nIfY8Hxw= github.com/r3labs/diff v1.1.0 h1:V53xhrbTHrWFWq3gI4b94AjgEJOerO1+1l0xyHOBi8M= github.com/r3labs/diff v1.1.0/go.mod h1:7WjXasNzi0vJetRcB/RqNl5dlIsmXcTTLmF5IoH6Xig= github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= 
@@ -1238,7 +1268,6 @@ github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU= github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/rwtodd/Go.Sed v0.0.0-20210816025313-55464686f9ef/go.mod h1:8AEUvGVi2uQ5b24BIhcr0GCcpd/RNAFWaN2CJFrWIIQ= github.com/ryancurrah/gomodguard v1.2.0/go.mod h1:rNqbC4TOIdUDcVMSIpNNAzTbzXAZa6W5lnUepvuMMgQ= github.com/ryanrolds/sqlclosecheck v0.3.0/go.mod h1:1gREqxyTGR3lVtpngyFo3hZAgk0KCtEdgEkHwDbigdA= github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= 
@@ -1247,13 +1276,11 @@ github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkB github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da/go.mod h1:gi+0XIa01GRL2eRQVjQkKGqKF3SF9vZR/HnPullcV2E= github.com/sanposhiho/wastedassign v1.0.0/go.mod h1:LGpq5Hsv74QaqM47WtIsRSF/ik9kqk07kchgv66tLVE= -github.com/sassoftware/go-rpmutils v0.1.1/go.mod h1:euhXULoBpvAxqrBHEyJS4Tsu3hHxUmQWNymxoJbzgUY= -github.com/sassoftware/relic v0.0.0-20210427151427-dfb082b79b74 h1:sUNzanSKA9z/h8xXl+ZJoxIYZL0Qx306MmxqRrvUgr0= -github.com/sassoftware/relic v0.0.0-20210427151427-dfb082b79b74/go.mod h1:YlB8wFIZmFLZ1JllNBfSURzz52fBxbliNgYALk1UDmk= -github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= +github.com/sassoftware/relic v7.2.1+incompatible h1:Pwyh1F3I0r4clFJXkSI8bOyJINGqpgjJU3DYAZeI05A= +github.com/sassoftware/relic v7.2.1+incompatible/go.mod h1:CWfAxv73/iLZ17rbyhIEq3K9hs5w6FpNMdUT//qR+zk= github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= -github.com/secure-systems-lab/go-securesystemslib v0.4.0 h1:b23VGrQhTA8cN2CbBw7/FulN9fTtqYUdS5+Oxzt+DUE= -github.com/secure-systems-lab/go-securesystemslib v0.4.0/go.mod h1:FGBZgq2tXWICsxWQW1msNf49F0Pf2Op5Htayx335Qbs= +github.com/secure-systems-lab/go-securesystemslib v0.6.0 h1:T65atpAVCJQK14UA57LMdZGpHi4QYSH/9FZyNGqMYIA= +github.com/secure-systems-lab/go-securesystemslib v0.6.0/go.mod h1:8Mtpo9JKks/qhPG4HGZ2LGMvrPbzuxwfz/f/zLfEWkk= github.com/securego/gosec/v2 v2.7.0/go.mod h1:xNbGArrGUspJLuz3LS5XCY1EBW/0vABAl/LWfSklmiM= github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c= github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE= 
@@ -1269,16 +1296,26 @@ github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFR github.com/shurcooL/go v0.0.0-20180423040247-9e1955d9fb6e/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk= github.com/shurcooL/go-goon v0.0.0-20170922171312-37c2f522c041/go.mod h1:N5mDOmsrJOB+vfqUK+7DmDyjhSLIIBnXo9lvZJj3MWQ= github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= -github.com/sigstore/cosign v1.13.1 h1:+5oF8jisEcDw2TuXxCADC1u5//HfdnJhGbpv9Isiwu4= -github.com/sigstore/cosign v1.13.1/go.mod h1:PlfJODkovUOKsLrGI7Su57Ie/Eb/Ks7hRHw3tn5hQS4= -github.com/sigstore/fulcio v1.1.0 h1:mzzJ05Ccu8Y2inyioklNvc8MpzlGHxu8YqNeTm0dHfU= -github.com/sigstore/fulcio v1.1.0/go.mod h1:zv1ZQTXZbUwQdRwajlQksc34pRas+2aZYpIZoQBNev8= -github.com/sigstore/k8s-manifest-sigstore v0.4.4 h1:7ae///+L0nqFBsRwr26anJc5bnJxoDXCGhVHXQB1GSo= -github.com/sigstore/k8s-manifest-sigstore v0.4.4/go.mod h1:PJSnSF8Nh7PqV4xhU3BRweqEFwGvJq6Xi2B5yhYjxb0= -github.com/sigstore/rekor v1.0.1 h1:rcESXSNkAPRWFYZel9rarspdvneET60F2ngNkadi89c= -github.com/sigstore/rekor v1.0.1/go.mod h1:ecTKdZWGWqE1pl3U1m1JebQJLU/hSjD9vYHOmHQ7w4g= -github.com/sigstore/sigstore v1.5.2 h1:rvZSPJDH2ysoc8kjW9v4nv1UX3XwSA8y4x6Dk7hA0D4= -github.com/sigstore/sigstore v1.5.2/go.mod h1:wxhp9KoaOpeb1VLKILruD283KJqPSqX+3TuBByVDZ6E= +github.com/sigstore/cosign/v2 v2.1.1 h1:HOI6pWaEie0wLituDWWaqC5U9MaXablKNf6QroVhj6k= +github.com/sigstore/cosign/v2 v2.1.1/go.mod h1:S9KGmdQ/Dd29TdgUwGCNeXR7scJWZwREh4A9Za2PRPY= +github.com/sigstore/fulcio v1.3.1 h1:0ntW9VbQbt2JytoSs8BOGB84A65eeyvGSavWteYp29Y= +github.com/sigstore/fulcio v1.3.1/go.mod h1:/XfqazOec45ulJZpyL9sq+OsVQ8g2UOVoNVi7abFgqU= +github.com/sigstore/k8s-manifest-sigstore v0.5.1 h1:jGYuk6LXJm/GzZB/RR2RZ23T84BCP/j96jmhWRV2Q+g= +github.com/sigstore/k8s-manifest-sigstore v0.5.1/go.mod h1:YL1Yf0ta9jDxYimhZP/DGGaiwMG1CrKupOqfOdMk5d8= +github.com/sigstore/rekor v1.2.2-0.20230530122220-67cc9e58bd23 
h1:eZY7mQFcc0VvNr0fiAK3/n7kh73+T06KzBEIUYzFSDQ= +github.com/sigstore/rekor v1.2.2-0.20230530122220-67cc9e58bd23/go.mod h1:h1tOLhldpfILtziWpUDgGBu0vulWk9Kh72t6XzBGJok= +github.com/sigstore/sigstore v1.7.1 h1:fCATemikcBK0cG4+NcM940MfoIgmioY1vC6E66hXxks= +github.com/sigstore/sigstore v1.7.1/go.mod h1:0PmMzfJP2Y9+lugD0wer4e7TihR5tM7NcIs3bQNk5xg= +github.com/sigstore/sigstore/pkg/signature/kms/aws v1.7.1 h1:rDHrG/63b3nBq3G9plg7iYnWN6lBhOfq/XultlCZgII= +github.com/sigstore/sigstore/pkg/signature/kms/aws v1.7.1/go.mod h1:hl0LRidnJG1uL1lLSHGEjcs+MxLjT65NJ7pX/TQDIsk= +github.com/sigstore/sigstore/pkg/signature/kms/azure v1.7.1 h1:X3ezwolP+b1jP3R6XPOWhUU0TZKONiv6EIRuySlZGrY= +github.com/sigstore/sigstore/pkg/signature/kms/azure v1.7.1/go.mod h1:SG2NPEdX2Vi7CBp/o93kJqXrovkis/T9ou9oxZONyEA= +github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.7.1 h1:mj1KhdzzP1me994bt1UXhq5KZGSR1SoqxTqcT+hfPMk= +github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.7.1/go.mod h1:Z7LFrKKfj5ZPhy0YS9HcI4H6kbUQzBsE3e3hR+R3YY8= +github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.7.1 h1:fhOToGY5fC5TY101an8i/oDYpoLzUJ1nUFwhnHA1+XY= +github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.7.1/go.mod h1:SN4QZHHDs2VqXh5bRXrIi8vqLbOijIp2XoSlmV/WJ/c= +github.com/sigstore/timestamp-authority v1.1.1 h1:EldrdeBED0edNzDMvYZDf5CyWgtSchtR9DKYyksNR8M= +github.com/sigstore/timestamp-authority v1.1.1/go.mod h1:cEDLEHl/L3ppqKDaiZ3Cg4ikcaYleuq90I/BFNePzF0= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= 
@@ -1287,12 +1324,13 @@ github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrf github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= -github.com/sirupsen/logrus v1.9.1 h1:Ou41VVR3nMWWmTiEUnj0OlsgOSCUFgsPAOl6jRIcVtQ= -github.com/sirupsen/logrus v1.9.1/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= +github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/skeema/knownhosts v1.2.0 h1:h9r9cf0+u7wSE+M183ZtMGgOJKiL96brpaz5ekfJCpM= github.com/skeema/knownhosts v1.2.0/go.mod h1:g4fPeYpque7P0xefxtGzV81ihjC8sX2IqpAoNkjxbMo= github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EEf9cgbU6AtGPK4CTG3Zf6CKMNqf0MHTggAUA= github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog= +github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262 h1:unQFBIznI+VYD1/1fApl1A+9VcBk+9dcqGfnePY87LY= github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= github.com/smartystreets/assertions v1.1.0 h1:MkTeG1DMwsrdH7QtLXy5W+fUxWq+vmb6cLmyJ7aRtF0= github.com/smartystreets/assertions v1.1.0/go.mod h1:tcbTF8ujkAEcZ8TElKY+i30BzYlVhC/LOxJk7iOWnoo= 
@@ -1309,12 +1347,11 @@ github.com/spf13/afero v1.9.5 h1:stMpOSZFs//0Lv29HduCmli3GUfpFoF3Y1Q/aXj/wVM= github.com/spf13/afero v1.9.5/go.mod h1:UBogFpq8E9Hx+xc5CNTTEpTnuHVmXDwZcZcE1eb/UhQ= github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= -github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w= -github.com/spf13/cast v1.5.0/go.mod h1:SpXXQ5YoyJw6s3/6cMTQuxvgRl3PCJiyaX9p6b155UU= +github.com/spf13/cast v1.5.1 h1:R+kOtfhWQE6TVQzY+4D7wJLBgkdVasCEFxSUBYBYIlA= +github.com/spf13/cast v1.5.1/go.mod h1:b9PdjNptOpzXr7Rq1q9gJML/2cdGQAo69NKzQ10KN48= github.com/spf13/cobra v0.0.0-20181021141114-fe5e611709b0/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= -github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE= github.com/spf13/cobra v1.1.1/go.mod h1:WnodtKOvamDL/PwE2M4iKs8aMDBZ5Q5klgD3qfVJQMI= github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo= github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I= 
@@ -1329,19 +1366,17 @@ github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnIn github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= -github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE= github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= github.com/spf13/viper v1.7.1/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= -github.com/spf13/viper v1.15.0 h1:js3yy885G8xwJa6iOISGFwd+qlUo5AvyXb7CiihdtiU= -github.com/spf13/viper v1.15.0/go.mod h1:fFcTBJxvhhzSJiZy8n+PeW6t8l+KeT/uTARa0jHOQLA= -github.com/spiffe/go-spiffe/v2 v2.1.3 h1:P5L9Ixo5eqJiHnktAU0UD/6UfHsQs7yAtc8a/FFUi9M= -github.com/spiffe/go-spiffe/v2 v2.1.3/go.mod h1:eVDqm9xFvyqao6C+eQensb9ZPkyNEeaUbqbBpOhBnNk= +github.com/spf13/viper v1.16.0 h1:rGGH0XDZhdUOryiDWjmIvUSWpbNqisK8Wk0Vyefw8hc= +github.com/spf13/viper v1.16.0/go.mod h1:yg78JgCJcbrQOvV9YLXgkLaZqUidkY9K+Dd1FofRzQg= +github.com/spiffe/go-spiffe/v2 v2.1.6 h1:4SdizuQieFyL9eNU+SPiCArH4kynzaKOOj0VvM8R7Xo= +github.com/spiffe/go-spiffe/v2 v2.1.6/go.mod h1:eVDqm9xFvyqao6C+eQensb9ZPkyNEeaUbqbBpOhBnNk= github.com/ssgreg/nlreturn/v2 v2.1.0/go.mod h1:E/iiPB78hV7Szg2YfRgyIrk1AD6JVMTRkkxBiELzh2I= github.com/stoewer/go-strcase v1.2.0 h1:Z2iHWqGXH00XYgqDmNgQbIBxf3wrNq0F3feEy0ainaU= github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= github.com/streadway/amqp v0.0.0-20190404075320-75d898a42a94/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw= github.com/streadway/amqp v0.0.0-20190827072141-edfb9018d271/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw= -github.com/streadway/amqp v1.0.0/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw= github.com/streadway/handy v0.0.0-20190108123426-d5acb3125c2a/go.mod 
h1:qNTQ5P5JnDBl6z3cMAg/SywNDC5ABu5ApDIw6lUbRmI= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= @@ -1362,6 +1397,7 @@ github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1F github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= @@ -1374,8 +1410,6 @@ github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwD github.com/tdakkota/asciicheck v0.0.0-20200416200610-e657995f937b/go.mod h1:yHp0ai0Z9gUljN3o0xMhYJnH/IcvkdTBOX2fmJ93JEM= github.com/tektoncd/chains v0.15.0 h1:1x22WlNqiE7+HUBBkK6MbDi6rMqTirWWX3f/t8cDlbc= github.com/tektoncd/chains v0.15.0/go.mod h1:PA0su6Q+acJh2eG6d4VK1s6Jq0lGRaQml2FSQDWVTiQ= -github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613 h1:iGnD/q9160NWqKZZ5vY4p0dMiYMRknzctfSkqA4nBDw= -github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613/go.mod h1:g6AnIpDSYMcphz193otpSIzN+11Rs+AAIIC6rm1enug= github.com/tetafro/godot v1.4.6/go.mod h1:LR3CJpxDVGlYOWn3ZZg1PgNZdTUvzsZWu8xaEohUpn8= github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gtvVDbmPg= github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU= 
@@ -1397,9 +1431,8 @@ github.com/tmc/grpc-websocket-proxy v0.0.0-20200427203606-3cfed13b9966/go.mod h1 github.com/tomarrell/wrapcheck/v2 v2.1.0/go.mod h1:crK5eI4RGSUrb9duDTQ5GqcukbKZvi85vX6nbhsBAeI= github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce/go.mod h1:o8v6yHRoik09Xen7gje4m9ERNah1d1PPsVq1VEx9vE4= github.com/tommy-muehle/go-mnd/v2 v2.3.2/go.mod h1:WsUAkMJMYww6l/ufffCD3m+P7LEvr8TnZn9lwVDlgzw= -github.com/transparency-dev/merkle v0.0.1 h1:T9/9gYB8uZl7VOJIhdwjALeRWlxUxSfDEysjfmx+L9E= -github.com/transparency-dev/merkle v0.0.1/go.mod h1:B8FIw5LTq6DaULoHsVFRzYIUDkl8yuSwCdZnOZGKL/A= -github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= +github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4= +github.com/transparency-dev/merkle v0.0.2/go.mod h1:pqSy+OXefQ1EDUVmAJ8MUhHB9TXGuzVAT58PqBoHz1A= github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= github.com/ultraware/funlen v0.0.3/go.mod h1:Dp4UiAus7Wdb9KUZsYWZEWiRzGuM2kXM1lPbfaF6xhA= github.com/ultraware/whitespace v0.0.4/go.mod h1:aVMh/gQve5Maj9hQ/hg+F75lr/X5A89uZnzAmWSineA= 
@@ -1418,8 +1451,8 @@ github.com/veraison/go-cose v1.1.0/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi github.com/viki-org/dnscache v0.0.0-20130720023526-c70c1f23c5d8/go.mod h1:dniwbG03GafCjFohMDmz6Zc6oCuiqgH6tGNyXTkHzXE= github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= -github.com/xanzy/go-gitlab v0.81.0 h1:ofbhZ5ZY9AjHATWQie4qd2JfncdUmvcSA/zfQB767Dk= -github.com/xanzy/go-gitlab v0.81.0/go.mod h1:VMbY3JIWdZ/ckvHbQqkyd3iYk2aViKrNIQ23IbFMQDo= +github.com/xanzy/go-gitlab v0.86.0 h1:jR8V9cK9jXRQDb46KOB20NCF3ksY09luaG0IfXE6p7w= +github.com/xanzy/go-gitlab v0.86.0/go.mod h1:5ryv+MnpZStBH8I/77HuQBsMbBGANtVpLWC15qOjWAw= github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM= github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw= github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI= @@ -1433,7 +1466,6 @@ github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0= github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y= -github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8/go.mod h1:HUYIGzjTL3rfEspMxjDjgmT5uz5wzYJKVo23qUhYTos= github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ= github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= 
@@ -1443,7 +1475,9 @@ github.com/yashtewari/glob-intersection v0.1.0 h1:6gJvMYQlTDOL3dMsPF6J0+26vwX9MB github.com/yashtewari/glob-intersection v0.1.0/go.mod h1:LK7pIC3piUjovexikBbJ26Yml7g8xa5bsjfx2v1fwok= github.com/yeya24/promlinter v0.1.0/go.mod h1:rs5vtZzeBHqqMwXqFScncpCF6u06lezhZepno9AB1Oc= github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA= +github.com/ysmood/fetchup v0.2.3 h1:ulX+SonA0Vma5zUFXtv52Kzip/xe7aj4vqT5AJwQ+ZQ= github.com/ysmood/goob v0.4.0 h1:HsxXhyLBeGzWXnqVKtmT9qM7EuVs/XOgkX7T6r1o1AQ= +github.com/ysmood/got v0.34.1 h1:IrV2uWLs45VXNvZqhJ6g2nIhY+pgIG1CUoOcqfXFl1s= github.com/ysmood/gson v0.7.3 h1:QFkWbTH8MxyUTKPkVWAENJhxqdBa4lYTQWqZCiLG6kE= github.com/ysmood/leakless v0.8.0 h1:BzLrVoiwxikpgEQR0Lk8NyBN5Cit2b1z+u0mgL4ZJak= github.com/yudai/gojsondiff v1.0.0/go.mod h1:AY32+k2cwILAkW1fbgxQ5mUmMiZFgLIV+FBNExI05xg= @@ -1458,7 +1492,6 @@ github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= github.com/zach-klippenstein/goregen v0.0.0-20160303162051-795b5e3961ea h1:CyhwejzVGvZ3Q2PSbQ4NRRYn+ZWv5eS1vlaEusT+bAI= github.com/zach-klippenstein/goregen v0.0.0-20160303162051-795b5e3961ea/go.mod h1:eNr558nEUjP8acGw8FFjTeWvSgU1stO7FAO6eknhHe4= -github.com/zalando/go-keyring v0.1.0/go.mod h1:RaxNwUITJaHVdQ0VC7pELPZ3tOWn13nr0gZMZEhpVU0= github.com/zeebo/errs v1.3.0 h1:hmiaKqgYZzcVgRL1Vkc1Mn2914BbzB0IBxs+ebeutGs= github.com/zeebo/errs v1.3.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4= go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= 
@@ -1514,6 +1547,8 @@ go.opentelemetry.io/proto/otlp v0.19.0 h1:IVN6GR+mhC4s5yfcTbmzHYODqvWAp3ZedA2SJP go.opentelemetry.io/proto/otlp v0.19.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U= go.starlark.net v0.0.0-20230302034142-4b1e35fe2254 h1:Ss6D3hLXTM0KobyBYEAygXzFfGcjnmfEJOBgSbemCtg= go.starlark.net v0.0.0-20230302034142-4b1e35fe2254/go.mod h1:jxU+3+j+71eXOW14274+SmmuW82qJzl6iZSeqEtTGds= +go.step.sm/crypto v0.32.1 h1:kAiL21zTqAgYu1geOYxH+ApUCUX+oclB25TccnNEYTU= +go.step.sm/crypto v0.32.1/go.mod h1:JwarCq+Sn6N8IbRSKfSJfjUNKfO8c4N1mcNxYXuxXzc= go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ= @@ -1555,9 +1590,7 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20191219195013-becbf705a915/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20200930160638-afb6bcd081ae/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20201012173705-84dcc777aaee/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= 
@@ -1631,7 +1664,6 @@ golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= @@ -1659,7 +1691,6 @@ golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81R golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200927032502-5d4f70055728/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/net v0.0.0-20200930145003-4acb6c075d10/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= 
@@ -1680,8 +1711,6 @@ golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= -golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE= -golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50= @@ -1697,9 +1726,8 @@ golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.3.0/go.mod h1:rQrIauxkUhJ6CuwEXwymO2/eh4xz2ZWF1nBkcxS+tGk= -golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8= -golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE= +golang.org/x/oauth2 v0.9.0 h1:BPpt2kU7oMRq3kCHAA1tbSEshXRw1LpG2ztgDwrzuAs= +golang.org/x/oauth2 v0.9.0/go.mod h1:qYgFZaFiu6Wg24azG8bdV52QJXJGbZzIIsRCdVKzbLw= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -1709,7 +1737,6 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20200930132711-30421366ff76/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -1792,6 +1819,7 @@ golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210819135213-f52c844e1c1c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -1814,7 +1842,6 @@ golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9sn golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.0.0-20220526004731-065cf7ba2467/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= -golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= golang.org/x/term v0.11.0 h1:F9tnn/DA/Im8nCwm+fX+1/eBwi4qFjRT++MhtVC4ZX0= @@ -1830,7 +1857,6 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc= 
@@ -1948,7 +1974,6 @@ golang.org/x/tools v0.0.0-20210104081019-d8d6ddbec6ee/go.mod h1:emZCQorbCU4vsT4f golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20210112230658-8b4aab62c064/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= golang.org/x/tools v0.1.2-0.20210512205948-8287d5da45e4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= @@ -1985,8 +2010,8 @@ google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz513 google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg= google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE= google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= -google.golang.org/api v0.122.0 h1:zDobeejm3E7pEG1mNHvdxvjs5XJoCMzyNH+CmwL94Es= -google.golang.org/api v0.122.0/go.mod h1:gcitW0lvnyWjSp9nKxAbdHKIZ6vF4aajGueeslZOyms= +google.golang.org/api v0.128.0 h1:RjPESny5CnQRn9V6siglged+DZCgfu9l6mO9dkX9VOg= +google.golang.org/api v0.128.0/go.mod h1:Y611qgqaE92On/7g65MQgxYul3c0rEB894kniWLY750= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
@@ -2045,12 +2070,12 @@ google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6D google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20230526161137-0005af68ea54 h1:9NWlQfY2ePejTmfwUH1OWwmznFa+0kKcHGPDvcPza9M= -google.golang.org/genproto v0.0.0-20230526161137-0005af68ea54/go.mod h1:zqTuNwFlFRsw5zIts5VnzLQxSRqh+CGOTVMlYbY0Eyk= -google.golang.org/genproto/googleapis/api v0.0.0-20230525234035-dd9d682886f9 h1:m8v1xLLLzMe1m5P+gCTF8nJB9epwZQUBERm20Oy1poQ= -google.golang.org/genproto/googleapis/api v0.0.0-20230525234035-dd9d682886f9/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 h1:0nDDozoAU19Qb2HwhXadU8OcsiO/09cnTqhUtq2MEOM= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA= +google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc h1:8DyZCyvI8mE1IdLy/60bS+52xfymkE72wv1asokgtao= +google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:xZnkP7mREFX5MORlOPEzLMr+90PPZQ2QWzrVTWfAq64= +google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc h1:kVKPf/IiYSBWEWtkIn6wZXwWGCnLKcC8oWfZvXjsGnM= +google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc h1:XSJ8Vk1SWuNr8S18z1NZSziL0CPIXLCCMDOEFtHBOFc= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA= google.golang.org/grpc v1.8.0/go.mod 
h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= @@ -2095,7 +2120,6 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng= google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= @@ -2228,8 +2252,8 @@ sigs.k8s.io/kustomize/api v0.13.4 h1:E38Hfx0G9R9v7vRgKshviPotJQETG0S2gD3JdHLCAsI sigs.k8s.io/kustomize/api v0.13.4/go.mod h1:Bkaavz5RKK6ZzP0zgPrB7QbpbBJKiHuD3BB0KujY7Ls= sigs.k8s.io/kustomize/kyaml v0.14.2 h1:9WSwztbzwGszG1bZTziQUmVMrJccnyrLb5ZMKpJGvXw= sigs.k8s.io/kustomize/kyaml v0.14.2/go.mod h1:AN1/IpawKilWD7V+YvQwRGUvuUOOWpjsHu6uHwonSF4= -sigs.k8s.io/release-utils v0.7.3 h1:6pS8x6c5RmdUgR9qcg1LO6hjUzuE4Yo9TGZ3DemrZdM= -sigs.k8s.io/release-utils v0.7.3/go.mod h1:n0mVez/1PZYZaZUTJmxewxH3RJ/Lf7JUDh7TG1CASOE= +sigs.k8s.io/release-utils v0.7.4 h1:17LmJrydpUloTCtaoWj95uKlcrUp4h2A9Sa+ZL+lV9w= +sigs.k8s.io/release-utils v0.7.4/go.mod h1:JEt2QPHItd5Pg2UKLAU8PEaSlF4bUjCZimpxFDgymVU= sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= sigs.k8s.io/structured-merge-diff/v4 v4.1.0/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= sigs.k8s.io/structured-merge-diff/v4 v4.3.0 h1:UZbZAZfX0wV2zr7YZorDz6GXROfDFj6LvqCRm4VUVKk= 
diff --git a/pkg/client/applyconfigurations/kyverno/v1/ctlog.go b/pkg/client/applyconfigurations/kyverno/v1/ctlog.go index b1a968f779..5aafe91527 100644 --- a/pkg/client/applyconfigurations/kyverno/v1/ctlog.go +++ b/pkg/client/applyconfigurations/kyverno/v1/ctlog.go @@ -21,7 +21,10 @@ package v1 // CTLogApplyConfiguration represents an declarative configuration of the CTLog type for use // with apply. type CTLogApplyConfiguration struct { - URL *string `json:"url,omitempty"` + URL *string `json:"url,omitempty"` + RekorPubKey *string `json:"pubkey,omitempty"` + IgnoreSCT *bool `json:"ignoreSCT,omitempty"` + IgnoreTlog *bool `json:"ignoreTlog,omitempty"` } // CTLogApplyConfiguration constructs an declarative configuration of the CTLog type for use with 
@@ -37,3 +40,27 @@ func (b *CTLogApplyConfiguration) WithURL(value string) *CTLogApplyConfiguration b.URL = &value return b } + +// WithRekorPubKey sets the RekorPubKey field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the RekorPubKey field is set to the value of the last call. +func (b *CTLogApplyConfiguration) WithRekorPubKey(value string) *CTLogApplyConfiguration { + b.RekorPubKey = &value + return b +} + +// WithIgnoreSCT sets the IgnoreSCT field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the IgnoreSCT field is set to the value of the last call. +func (b *CTLogApplyConfiguration) WithIgnoreSCT(value bool) *CTLogApplyConfiguration { + b.IgnoreSCT = &value + return b +} + +// WithIgnoreTlog sets the IgnoreTlog field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the IgnoreTlog field is set to the value of the last call. +func (b *CTLogApplyConfiguration) WithIgnoreTlog(value bool) *CTLogApplyConfiguration { + b.IgnoreTlog = &value + return b +} diff --git a/pkg/cosign/client.go b/pkg/cosign/client.go index dd4a086527..7a3c2ab053 100644 --- a/pkg/cosign/client.go +++ b/pkg/cosign/client.go @@ -4,8 +4,8 @@ import ( "context" "github.com/google/go-containerregistry/pkg/name" - "github.com/sigstore/cosign/pkg/cosign" - "github.com/sigstore/cosign/pkg/oci" + "github.com/sigstore/cosign/v2/pkg/cosign" + "github.com/sigstore/cosign/v2/pkg/oci" ) var client Cosign = &driver{} diff --git a/pkg/cosign/cosign.go b/pkg/cosign/cosign.go index 64ab5599e9..07e0ff5afd 100644 --- a/pkg/cosign/cosign.go +++ b/pkg/cosign/cosign.go 
@@ -16,17 +16,17 @@ import ( "github.com/kyverno/kyverno/pkg/tracing" datautils "github.com/kyverno/kyverno/pkg/utils/data" wildcard "github.com/kyverno/kyverno/pkg/utils/wildcard" - "github.com/sigstore/cosign/cmd/cosign/cli/fulcio" - "github.com/sigstore/cosign/cmd/cosign/cli/options" - "github.com/sigstore/cosign/cmd/cosign/cli/rekor" - "github.com/sigstore/cosign/pkg/cosign" - "github.com/sigstore/cosign/pkg/cosign/attestation" - "github.com/sigstore/cosign/pkg/oci" - "github.com/sigstore/cosign/pkg/oci/remote" - sigs "github.com/sigstore/cosign/pkg/signature" + "github.com/sigstore/cosign/v2/pkg/cosign" + "github.com/sigstore/cosign/v2/pkg/cosign/attestation" + "github.com/sigstore/cosign/v2/pkg/oci" + "github.com/sigstore/cosign/v2/pkg/oci/remote" + sigs "github.com/sigstore/cosign/v2/pkg/signature" + rekorclient "github.com/sigstore/rekor/pkg/client" "github.com/sigstore/sigstore/pkg/cryptoutils" + "github.com/sigstore/sigstore/pkg/fulcioroots" "github.com/sigstore/sigstore/pkg/signature" "github.com/sigstore/sigstore/pkg/signature/payload" + "github.com/sigstore/sigstore/pkg/tuf" "go.opentelemetry.io/otel/trace" "go.uber.org/multierr" ) @@ -94,11 +94,7 @@ func buildCosignOptions(ctx context.Context, opts images.Options) (*cosign.Check "sha256": crypto.SHA256, "sha512": crypto.SHA512, } - ro := options.RegistryOptions{} - remoteOpts, err = ro.ClientOpts(ctx) - if err != nil { - return nil, fmt.Errorf("constructing client options: %w", err) - } + remoteOpts = append(remoteOpts, opts.Client.BuildRemoteOption(ctx)) cosignOpts := &cosign.CheckOpts{ Annotations: map[string]interface{}{}, @@ -166,7 +162,7 @@ func buildCosignOptions(ctx context.Context, opts images.Options) (*cosign.Check } else { // if key, cert, and roots are not provided, default to Fulcio roots if cosignOpts.RootCerts == nil { - roots, err := fulcio.GetRoots() + roots, err := fulcioroots.Get() if err != nil { return nil, fmt.Errorf("failed to get roots from fulcio: %w", err) } 
@@ -178,11 +174,21 @@ func buildCosignOptions(ctx context.Context, opts images.Options) (*cosign.Check } } - if opts.RekorURL != "" { - cosignOpts.RekorClient, err = rekor.NewClient(opts.RekorURL) - if err != nil { - return nil, fmt.Errorf("failed to create Rekor client from URL %s: %w", opts.RekorURL, err) - } + cosignOpts.IgnoreTlog = opts.IgnoreTlog + cosignOpts.RekorClient, err = rekorclient.GetRekorClient(opts.RekorURL) + if err != nil { + return nil, fmt.Errorf("failed to create Rekor client from URL %s: %w", opts.RekorURL, err) + } + + cosignOpts.RekorPubKeys, err = getRekorPubs(ctx, opts.RekorPubKey) + if err != nil { + return nil, fmt.Errorf("failed to load Rekor public keys: %w", err) + } + + cosignOpts.IgnoreSCT = opts.IgnoreSCT + cosignOpts.CTLogPubKeys, err = cosign.GetCTLogPubs(ctx) + if err != nil { + return nil, fmt.Errorf("failed to load Rekor public keys: %w", err) } if opts.Repository != "" { @@ -565,3 +571,15 @@ func checkAnnotations(payload []payload.SimpleContainerImage, annotations map[st } return nil } + +func getRekorPubs(ctx context.Context, rekorPubKey string) (*cosign.TrustedTransparencyLogPubKeys, error) { + if rekorPubKey == "" { + return cosign.GetRekorPubs(ctx) + } + + publicKeys := cosign.NewTrustedTransparencyLogPubKeys() + if err := publicKeys.AddTransparencyLogPubKey([]byte(rekorPubKey), tuf.Active); err != nil { + return nil, fmt.Errorf("AddRekorPubKey: %w", err) + } + return &publicKeys, nil +} diff --git a/pkg/cosign/cosign_test.go b/pkg/cosign/cosign_test.go index 7dce759649..00690a60c7 100644 --- a/pkg/cosign/cosign_test.go +++ b/pkg/cosign/cosign_test.go 
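Review bot: The error returned when `cosign.GetCTLogPubs(ctx)` fails is worded `failed to load Rekor public keys`, copied from the Rekor branch above it, so a CT log key failure would be misreported; it should read `return nil, fmt.Errorf("failed to load CTLog public keys: %w", err)`. The hunk also builds the Rekor client and loads both key sets unconditionally, even when `opts.IgnoreTlog` or `opts.IgnoreSCT` is true, so a verification that skips those checks can still fail on a fetch it does not need (the loaders presumably reach the TUF root, worth confirming). Guarding the Rekor client and key load with `if !opts.IgnoreTlog {` and the CT log load with `if !opts.IgnoreSCT {` would keep the offline path working. buildCosignOptions starts and ends outside the hunk.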
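Review bot: `getRekorPubs` has no doc comment, and its trust behaviour is not obvious from the name: a non-empty `rekorPubKey` replaces the default key set rather than adding to it, so only that one key is accepted for transparency log entries. I would add `// getRekorPubs returns the Rekor keys to trust: only rekorPubKey when it is set, otherwise the set from cosign.GetRekorPubs.` above the function. The wrap prefix `AddRekorPubKey:` names a function that does not appear in this hunk; `fmt.Errorf("failed to add Rekor public key: %w", err)` would match the other messages in the file.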
@@ -11,9 +11,9 @@ import ( "github.com/google/go-containerregistry/pkg/v1/types" "github.com/kyverno/kyverno/pkg/images" "github.com/kyverno/kyverno/pkg/registryclient" - "github.com/sigstore/cosign/pkg/cosign" - "github.com/sigstore/cosign/pkg/cosign/bundle" - "github.com/sigstore/cosign/pkg/oci" + "github.com/sigstore/cosign/v2/pkg/cosign" + "github.com/sigstore/cosign/v2/pkg/cosign/bundle" + "github.com/sigstore/cosign/v2/pkg/oci" "gotest.tools/assert" ) @@ -57,10 +57,23 @@ const keylessPayload = `{ } }` +const globalRekorPubKey = `-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2G2Y+2tabdTV5BcGiBIx0a9fAFwr +kBbmLSGtks4L3qX6yYY0zufBnhC8Ur/iy55GhWP/9A/bY2LhC30M9+RYtw== +-----END PUBLIC KEY----- +` + +const wrongRekorPubKey = `-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoiR2ouEAp4JS/JIgkCVYCxpp/dMe +4Mkc/92O8rbWs6xIAcIEju7+Z2yecpQH6RbztEVCZbBZhEVfMdRgWKOrrQ== +-----END PUBLIC KEY-----` + func TestCosignPayload(t *testing.T) { image := "registry-v2.nirmata.io/pause" signedPayloads := cosign.SignedPayload{Payload: []byte(cosignPayload)} - p, err := extractPayload([]oci.Signature{&sig{cosignPayload: signedPayloads}}) + ociSig, err := getSignature(signedPayloads) + assert.NilError(t, err) + p, err := extractPayload([]oci.Signature{ociSig}) assert.NilError(t, err) a := map[string]string{"foo": "bar"} err = checkAnnotations(p, a) @@ -71,7 +84,10 @@ func TestCosignPayload(t *testing.T) { image2 := "ghcr.io/kyverno/test-verify-image" signedPayloads2 := cosign.SignedPayload{Payload: []byte(keylessPayload)} - signatures2 := []oci.Signature{&sig{cosignPayload: signedPayloads2}} + ociSig, err = getSignature(signedPayloads2) + assert.NilError(t, err) + signatures2 := []oci.Signature{ociSig} + p2, err := extractPayload(signatures2) assert.NilError(t, err) 
@@ -82,9 +98,11 @@ func TestCosignPayload(t *testing.T) { func TestCosignKeyless(t *testing.T) { opts := images.Options{ - ImageRef: "ghcr.io/jimbugwadia/pause2", - Issuer: "https://github.com/", - Subject: "jim", + ImageRef: "ghcr.io/jimbugwadia/pause2", + Issuer: "https://github.com/", + Subject: "jim", + RekorURL: "https://rekor.sigstore.dev", + IgnoreSCT: true, } rc, err := registryclient.New() 
@@ -104,6 +122,29 @@ func TestCosignKeyless(t *testing.T) { assert.NilError(t, err) } +func TestRekorPubkeys(t *testing.T) { + opts := images.Options{ + ImageRef: "ghcr.io/jimbugwadia/pause2", + Issuer: "https://github.com/login/oauth", + Subject: "jim@nirmata.com", + RekorURL: "--INVALID--", // To avoid using the default rekor url as thats where signature is uploaded + RekorPubKey: wrongRekorPubKey, + IgnoreSCT: true, + } + + rc, err := registryclient.New() + assert.NilError(t, err) + opts.Client = rc + + verifier := &cosignVerifier{} + _, err = verifier.VerifySignature(context.TODO(), opts) + assert.ErrorContains(t, err, "rekor log public key not found for payload") + + opts.RekorPubKey = globalRekorPubKey + _, err = verifier.VerifySignature(context.TODO(), opts) + assert.NilError(t, err) +} + func TestCosignMatchCertificateData(t *testing.T) { pem1 := "-----BEGIN CERTIFICATE-----\nMIIDtzCCAzygAwIBAgIUX9MdOHZMlRONmc0Iu3DtiLXLVLYwCgYIKoZIzj0EAwMw\nNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRl\ncm1lZGlhdGUwHhcNMjIxMDA3MTkyNDI0WhcNMjIxMDA3MTkzNDI0WjAAMFkwEwYH\nKoZIzj0CAQYIKoZIzj0DAQcDQgAE0+a5/FhwY4fREWP++3V4rciGiqWGRgHaiP1z\nSlWihKkU71sBVeTzjdrcN8wXzBAefqh5URBfCeE8pJRfQsVKxKOCAlswggJXMA4G\nA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUJy79\nhpkwHtXtLWOvFu/icY56bwgwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4Y\nZD8wbgYDVR0RAQH/BGQwYoZgaHR0cHM6Ly9naXRodWIuY29tL0ppbUJ1Z3dhZGlh\nL2RlbW8tamF2YS10b21jYXQvLmdpdGh1Yi93b3JrZmxvd3MvcHVibGlzaC55YW1s\nQHJlZnMvdGFncy92MC4wLjIyMDkGCisGAQQBg78wAQEEK2h0dHBzOi8vdG9rZW4u\nYWN0aW9ucy5naXRodWJ1c2VyY29udGVudC5jb20wEgYKKwYBBAGDvzABAgQEcHVz\naDA2BgorBgEEAYO/MAEDBChjNzY0NTI4NGZhN2FlYmU1NTQ2MThlZWU4NzliNGQ2\nOTQ3Zjg1NjRlMB8GCisGAQQBg78wAQQEEWJ1aWxkLXNpZ24tYXR0ZXN0MCoGCisG\nAQQBg78wAQUEHEppbUJ1Z3dhZGlhL2RlbW8tamF2YS10b21jYXQwHwYKKwYBBAGD\nvzABBgQRcmVmcy90YWdzL3YwLjAuMjIwgYoGCisGAQQB1nkCBAIEfAR6AHgAdgAI\nYJLwKFL/aEXR0WsnhJxFZxisFj3DONJt5rwiBjZvcgAAAYOz5+pbAAAEAwBHMEUC\nIBb8fwsLBOu+qJkL6UhT4pwGvRVAN2n74BF1BL703rqPAiE
AznbfgYJbqA+JIUiQ\nwwLiFOD8pqidSl+HhW8Lhdg3o+wwCgYIKoZIzj0EAwMDaQAwZgIxAJIBIkZBhM+K\nkBIFNeuWBsyVaAcFRallz3C8jvPQCPbec0ZpIsw624dUs8zD3c96AQIxALf875rt\n+oZgwE6hsDazJzoTcBZ1mYVF6bAlwVdtMiC98aApG6T+qaBirxSgu7IGQw==\n-----END CERTIFICATE-----\n" cert1, err := loadCert([]byte(pem1)) @@ -171,6 +212,10 @@ func (ts testSignature) Payload() ([]byte, error) { return nil, fmt.Errorf("not implemented") } +func (ts testSignature) Signature() ([]byte, error) { + return nil, fmt.Errorf("not implemented") +} + func (ts testSignature) Base64Signature() (string, error) { return "", fmt.Errorf("not implemented") } 
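Review bot: TestRekorPubkeys verifies a live image (`ghcr.io/jimbugwadia/pause2`) through `registryclient.New()`, so it fails without network access and whenever that image or its signature changes, which makes a regression in the key-pinning path hard to tell from an outage. It also pins the error text `rekor log public key not found for payload`, which presumably comes from the cosign dependency and can change on upgrade. A short comment above the test stating the contract, `// A signature must be rejected under wrongRekorPubKey and accepted under globalRekorPubKey.`, plus a skip when the registry is unreachable, would make failures easier to triage. The test function itself is complete in the hunk.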
@@ -187,6 +232,10 @@ func (ts testSignature) Bundle() (*bundle.RekorBundle, error) { return nil, fmt.Errorf("not implemented") } +func (ts testSignature) RFC3161Timestamp() (*bundle.RFC3161Timestamp, error) { + return nil, nil +} + func TestCosignMatchSignatures(t *testing.T) { pem1 := "-----BEGIN CERTIFICATE-----\nMIIDtzCCAzygAwIBAgIUX9MdOHZMlRONmc0Iu3DtiLXLVLYwCgYIKoZIzj0EAwMw\nNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRl\ncm1lZGlhdGUwHhcNMjIxMDA3MTkyNDI0WhcNMjIxMDA3MTkzNDI0WjAAMFkwEwYH\nKoZIzj0CAQYIKoZIzj0DAQcDQgAE0+a5/FhwY4fREWP++3V4rciGiqWGRgHaiP1z\nSlWihKkU71sBVeTzjdrcN8wXzBAefqh5URBfCeE8pJRfQsVKxKOCAlswggJXMA4G\nA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUJy79\nhpkwHtXtLWOvFu/icY56bwgwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4Y\nZD8wbgYDVR0RAQH/BGQwYoZgaHR0cHM6Ly9naXRodWIuY29tL0ppbUJ1Z3dhZGlh\nL2RlbW8tamF2YS10b21jYXQvLmdpdGh1Yi93b3JrZmxvd3MvcHVibGlzaC55YW1s\nQHJlZnMvdGFncy92MC4wLjIyMDkGCisGAQQBg78wAQEEK2h0dHBzOi8vdG9rZW4u\nYWN0aW9ucy5naXRodWJ1c2VyY29udGVudC5jb20wEgYKKwYBBAGDvzABAgQEcHVz\naDA2BgorBgEEAYO/MAEDBChjNzY0NTI4NGZhN2FlYmU1NTQ2MThlZWU4NzliNGQ2\nOTQ3Zjg1NjRlMB8GCisGAQQBg78wAQQEEWJ1aWxkLXNpZ24tYXR0ZXN0MCoGCisG\nAQQBg78wAQUEHEppbUJ1Z3dhZGlhL2RlbW8tamF2YS10b21jYXQwHwYKKwYBBAGD\nvzABBgQRcmVmcy90YWdzL3YwLjAuMjIwgYoGCisGAQQB1nkCBAIEfAR6AHgAdgAI\nYJLwKFL/aEXR0WsnhJxFZxisFj3DONJt5rwiBjZvcgAAAYOz5+pbAAAEAwBHMEUC\nIBb8fwsLBOu+qJkL6UhT4pwGvRVAN2n74BF1BL703rqPAiEAznbfgYJbqA+JIUiQ\nwwLiFOD8pqidSl+HhW8Lhdg3o+wwCgYIKoZIzj0EAwMDaQAwZgIxAJIBIkZBhM+K\nkBIFNeuWBsyVaAcFRallz3C8jvPQCPbec0ZpIsw624dUs8zD3c96AQIxALf875rt\n+oZgwE6hsDazJzoTcBZ1mYVF6bAlwVdtMiC98aApG6T+qaBirxSgu7IGQw==\n-----END CERTIFICATE-----\n" cert1, err := loadCert([]byte(pem1)) diff --git a/pkg/cosign/mock.go b/pkg/cosign/mock.go index a46ba0cfe1..da8e500867 100644 --- a/pkg/cosign/mock.go +++ b/pkg/cosign/mock.go 
@@ -5,8 +5,9 @@ import ( "fmt" "github.com/google/go-containerregistry/pkg/name" - "github.com/sigstore/cosign/pkg/cosign" - "github.com/sigstore/cosign/pkg/oci" + "github.com/sigstore/cosign/v2/pkg/cosign" + "github.com/sigstore/cosign/v2/pkg/oci" + "github.com/sigstore/cosign/v2/pkg/oci/static" ) func SetMock(image string, data [][]byte) error { @@ -53,17 +54,31 @@ func (m *mock) getSignatures(signedImgRef name.Reference) ([]oci.Signature, bool sigs := make([]oci.Signature, 0, len(results)) for _, sp := range results { - sigs = append(sigs, &sig{cosignPayload: sp}) + ociSig, err := getSignature(sp) + if err != nil { + return nil, false, err + } + sigs = append(sigs, ociSig) } return sigs, true, nil } -type sig struct { - oci.Signature - cosignPayload cosign.SignedPayload -} - -func (s *sig) Payload() ([]byte, error) { - return s.cosignPayload.Payload, nil +func getSignature(sp cosign.SignedPayload) (oci.Signature, error) { + chain := make([]byte, 0) + for _, cert := range sp.Chain { + chain = append(chain, cert.Raw...) + } + staticOpts := []static.Option{} + if sp.Cert != nil { + staticOpts = append(staticOpts, static.WithCertChain(sp.Cert.Raw, chain)) + } + if sp.Bundle != nil { + staticOpts = append(staticOpts, static.WithBundle(sp.Bundle)) + } + ociSig, err := static.NewSignature(sp.Payload, sp.Base64Signature, staticOpts...) + if err != nil { + return nil, fmt.Errorf("failed to get signature %v", err) + } + return ociSig, nil } diff --git a/pkg/engine/api/client.go b/pkg/engine/api/client.go index 3c0b9e605f..70a4bdf43d 100644 --- a/pkg/engine/api/client.go +++ b/pkg/engine/api/client.go @@ -6,7 +6,7 @@ import ( "github.com/google/go-containerregistry/pkg/authn" gcrremote "github.com/google/go-containerregistry/pkg/v1/remote" - "github.com/sigstore/cosign/pkg/oci/remote" + "github.com/sigstore/cosign/v2/pkg/oci/remote" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" ) 
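Review bot: In `getSignature`, `sp.Cert.Raw` and the concatenated `cert.Raw` bytes handed to `static.WithCertChain` are DER, while as far as I know that option expects PEM-encoded certificate and chain bytes, so `Cert()` or `Chain()` on the returned signature would fail to parse for any mocked payload that carries a certificate. The tests in this commit only set `Payload`, so the branch is not exercised; a test that sets `sp.Cert` would confirm it either way. The final error uses `%v` and drops the error chain; `return nil, fmt.Errorf("failed to get signature: %w", err)` matches the `%w` wrapping used elsewhere in the package.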
diff --git a/pkg/engine/handlers/validation/validate_manifest_test.go b/pkg/engine/handlers/validation/validate_manifest_test.go index 26303044fb..a2b51d4dd9 100644 --- a/pkg/engine/handlers/validation/validate_manifest_test.go +++ b/pkg/engine/handlers/validation/validate_manifest_test.go @@ -714,7 +714,7 @@ func Test_VerifyManifest_MustAll_InvalidYAML(t *testing.T) { }) logger := logr.Discard() verified, _, err := h.verifyManifest(context.TODO(), logger, policyContext, verifyRule) - errMsg := `.attestors[0].entries[1].keys: failed to verify signature: verification failed for 1 signature. all trials: ["[publickey 1/1] [signature 1/1] error: cosign.VerifyBlobCmd() returned an error: invalid signature when validating ASN.1 encoded signature"]` + errMsg := `.attestors[0].entries[1].keys: failed to verify signature: verification failed for 1 signature. all trials: ["[publickey 1/1] [signature 1/1] error: cosign.VerifyBlobCmd.Exec() returned an error: invalid signature when validating ASN.1 encoded signature"]` assert.Error(t, err, errMsg) assert.Equal(t, verified, false) } diff --git a/pkg/engine/image_verify_test.go b/pkg/engine/image_verify_test.go index db7833dafb..eb8aed0626 100644 --- a/pkg/engine/image_verify_test.go +++ b/pkg/engine/image_verify_test.go @@ -60,7 +60,12 @@ var testPolicyGood = `{ "entries": [ { "keys": { - "publicKeys": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEHMmDjK65krAyDaGaeyWNzgvIu155JI50B2vezCw8+3CVeE0lJTL5dbL3OP98Za0oAEBJcOxky8Riy/XcmfKZbw==\n-----END PUBLIC KEY-----" + "publicKeys": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEHMmDjK65krAyDaGaeyWNzgvIu155JI50B2vezCw8+3CVeE0lJTL5dbL3OP98Za0oAEBJcOxky8Riy/XcmfKZbw==\n-----END PUBLIC KEY-----", + "rekor": { + "url": "https://rekor.sigstore.dev", + "ignoreSCT": true, + "ignoreTlog": true + } } } ] 
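Review bot: The fixture `testPolicyGood` gains `"ignoreSCT": true` and `"ignoreTlog": true`, and the same block is added to testSampleSingleKeyPolicy, testSampleMultipleKeyPolicy, testConfigMapMissing, testNestedAttestorPolicy, Test_ParsePEMDelimited and the keyed policy.yaml files under test/ later in this commit, so none of the keyed fixtures exercises the path where the transparency log is actually checked. At least one keyed case should keep `ignoreTlog` false, or omit the `rekor` block, and assert the expected outcome, so the new default stays covered. A comment above each variable, for example `// rekor checks are disabled because this test key's signature is not in the public log`, would record why the bypass is there.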
@@ -290,7 +295,12 @@ var testSampleSingleKeyPolicy = ` "entries": [ { "keys": { - "publicKeys": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM\n5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==\n-----END PUBLIC KEY-----" + "publicKeys": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM\n5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==\n-----END PUBLIC KEY-----", + "rekor": { + "url": "https://rekor.sigstore.dev", + "ignoreSCT": true, + "ignoreTlog": true + } } } ] @@ -340,12 +350,22 @@ var testSampleMultipleKeyPolicy = ` "entries": [ { "keys": { - "publicKeys": "KEY1" + "publicKeys": "KEY1", + "rekor": { + "url": "https://rekor.sigstore.dev", + "ignoreSCT": true, + "ignoreTlog": true + } } }, { "keys": { - "publicKeys": "KEY2" + "publicKeys": "KEY2", + "rekor": { + "url": "https://rekor.sigstore.dev", + "ignoreSCT": true, + "ignoreTlog": true + } } } ] @@ -406,7 +426,12 @@ var testConfigMapMissing = `{ "entries": [ { "keys": { - "publicKeys": "{{myconfigmap.data.configmapkey}}" + "publicKeys": "{{myconfigmap.data.configmapkey}}", + "rekor": { + "url": "https://rekor.sigstore.dev", + "ignoreSCT": true, + "ignoreTlog": true + } } } ] @@ -645,7 +670,12 @@ var testNestedAttestorPolicy = ` "entries": [ { "keys": { - "publicKeys": "KEY1" + "publicKeys": "KEY1", + "rekor": { + "url": "https://rekor.sigstore.dev", + "ignoreSCT": true, + "ignoreTlog": true + } } }, { @@ -653,7 +683,12 @@ var testNestedAttestorPolicy = ` "entries": [ { "keys": { - "publicKeys": "KEY2" + "publicKeys": "KEY2", + "rekor": { + "url": "https://rekor.sigstore.dev", + "ignoreSCT": true, + "ignoreTlog": true + } } } ] 
@@ -857,7 +892,12 @@ func Test_ParsePEMDelimited(t *testing.T) { "entries": [ { "keys": { - "publicKeys": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfVMHGmFK4OgVqhy36KZ7a3r4R4/o\nCwaCVvXZV4ZULFbkFZ0IodGqKqcVmgycnoj7d8TpKpAUVNF8kKh90ewH3A==\n-----END PUBLIC KEY-----\n-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0f1W0XigyPFbX8Xq3QmkbL9gDFTf\nRfc8jF7UadBcwKxiyvPSOKZn+igQfXzpNjrwPSZ58JGvF4Fs8BB3fSRP2g==\n-----END PUBLIC KEY-----" + "publicKeys": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfVMHGmFK4OgVqhy36KZ7a3r4R4/o\nCwaCVvXZV4ZULFbkFZ0IodGqKqcVmgycnoj7d8TpKpAUVNF8kKh90ewH3A==\n-----END PUBLIC KEY-----\n-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0f1W0XigyPFbX8Xq3QmkbL9gDFTf\nRfc8jF7UadBcwKxiyvPSOKZn+igQfXzpNjrwPSZ58JGvF4Fs8BB3fSRP2g==\n-----END PUBLIC KEY-----", + "rekor": { + "url": "https://rekor.sigstore.dev", + "ignoreSCT": true, + "ignoreTlog": true + } } } ] diff --git a/pkg/engine/internal/imageverifier.go b/pkg/engine/internal/imageverifier.go index 7a48730a42..42f75f84b0 100644 --- a/pkg/engine/internal/imageverifier.go +++ b/pkg/engine/internal/imageverifier.go @@ -505,6 +505,7 @@ func (iv *ImageVerifier) buildCosignVerifier( if attestation != nil { opts.PredicateType = attestation.PredicateType opts.Type = attestation.Type + opts.IgnoreSCT = true // TODO: Add option to allow SCT when attestors are not provided if attestation.PredicateType != "" && attestation.Type == "" { iv.logger.Info("predicate type has been deprecated, please use type instead") opts.Type = attestation.PredicateType 
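Review bot: `opts.IgnoreSCT = true` in buildCosignVerifier turns off the certificate-transparency (SCT) check for every attestation verification, with only a TODO as explanation. The `keys` and `keyless` branches in the following hunks reassign `opts.IgnoreSCT`, but the `certificates` branch visible in their context does not appear to, so the effective value depends on the attestor type and on statement order. I would replace the TODO with a comment that states the rule, `// default for attestations without an attestor; the keys and keyless branches below override it`, and log at info level when SCT checking is skipped. The function starts and ends outside the hunk.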
@@ -523,6 +524,13 @@ func (iv *ImageVerifier) buildCosignVerifier( } if attestor.Keys.Rekor != nil { opts.RekorURL = attestor.Keys.Rekor.URL + opts.RekorPubKey = attestor.Keys.Rekor.RekorPubKey + opts.IgnoreSCT = attestor.Keys.Rekor.IgnoreSCT + opts.IgnoreTlog = attestor.Keys.Rekor.IgnoreTlog + } else { + opts.RekorURL = "https://rekor.sigstore.dev" + opts.IgnoreSCT = false + opts.IgnoreTlog = false } opts.SignatureAlgorithm = attestor.Keys.SignatureAlgorithm } else if attestor.Certificates != nil { @@ -536,6 +544,13 @@ func (iv *ImageVerifier) buildCosignVerifier( path = path + ".keyless" if attestor.Keyless.Rekor != nil { opts.RekorURL = attestor.Keyless.Rekor.URL + opts.RekorPubKey = attestor.Keyless.Rekor.RekorPubKey + opts.IgnoreSCT = attestor.Keyless.Rekor.IgnoreSCT + opts.IgnoreTlog = attestor.Keyless.Rekor.IgnoreTlog + } else { + opts.RekorURL = "https://rekor.sigstore.dev" + opts.IgnoreSCT = false + opts.IgnoreTlog = false } opts.Roots = attestor.Keyless.Roots diff --git a/pkg/images/verifier.go b/pkg/images/verifier.go index 201999cc18..ca0a7ed200 100644 --- a/pkg/images/verifier.go +++ b/pkg/images/verifier.go @@ -4,7 +4,7 @@ import ( "context" "github.com/google/go-containerregistry/pkg/authn" - "github.com/sigstore/cosign/pkg/oci/remote" + "github.com/sigstore/cosign/v2/pkg/oci/remote" ) type ImageVerifier interface { @@ -34,6 +34,9 @@ type Options struct { Annotations map[string]string Repository string RekorURL string + RekorPubKey string + IgnoreSCT bool + IgnoreTlog bool SignatureAlgorithm string PredicateType string Type string diff --git a/pkg/notary/notary.go b/pkg/notary/notary.go index 6dc18c617b..2d60dc5f82 100644 --- a/pkg/notary/notary.go +++ b/pkg/notary/notary.go 
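Review bot: The `else` branch added here, and repeated in the `keyless` hunk at -536, makes an attestor with no `rekor` block default to `https://rekor.sigstore.dev` with `IgnoreTlog = false`. Judging by the fixtures in this commit that all had to add `ignoreTlog: true`, existing keyed policies whose signatures were never uploaded to the public log would start failing; that is the safer default, but it deserves a release note or a policy warning. A `rekor` block with an empty `url` still sets `opts.RekorURL` to `""`, which now reaches the Rekor client constructor unconditionally, so the default should also apply in that case. The URL literal appears twice; `const defaultRekorURL = "https://rekor.sigstore.dev"` shared by both branches would keep them in step. buildCosignVerifier continues outside both hunks.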
@@ -9,7 +9,7 @@ import ( "github.com/go-logr/logr" "github.com/google/go-containerregistry/pkg/name" v1 "github.com/google/go-containerregistry/pkg/v1" - "github.com/google/go-containerregistry/pkg/v1/remote" + gcrremote "github.com/google/go-containerregistry/pkg/v1/remote" "github.com/kyverno/kyverno/pkg/images" "github.com/kyverno/kyverno/pkg/logging" _ "github.com/notaryproject/notation-core-go/signature/cose" @@ -146,16 +146,17 @@ func (v *notaryVerifier) FetchAttestations(ctx context.Context, opts images.Opti v.log.V(4).Info("client setup done", "repo", ref) - repoDesc, err := remote.Head(ref, remoteOpts...) + repoDesc, err := gcrremote.Head(ref, remoteOpts...) if err != nil { return nil, err } v.log.V(4).Info("fetched repository", "repoDesc", repoDesc) - referrers, err := remote.Referrers(ref.Context().Digest(repoDesc.Digest.String()), remoteOpts...) + referrers, err := gcrremote.Referrers(ref.Context().Digest(repoDesc.Digest.String()), remoteOpts...) if err != nil { return nil, err } + referrersDescs, err := referrers.IndexManifest() if err != nil { return nil, err @@ -265,7 +266,7 @@ func verifyAttestators(ctx context.Context, v *notaryVerifier, ref name.Referenc return targetDesc, nil } -func extractStatements(ctx context.Context, repoRef name.Reference, desc v1.Descriptor, remoteOpts []remote.Option) ([]map[string]interface{}, error) { +func extractStatements(ctx context.Context, repoRef name.Reference, desc v1.Descriptor, remoteOpts []gcrremote.Option) ([]map[string]interface{}, error) { statements := make([]map[string]interface{}, 0) data, err := extractStatement(ctx, repoRef, desc, remoteOpts) if err != nil { 
@@ -279,14 +280,14 @@ func extractStatements(ctx context.Context, repoRef name.Reference, desc v1.Desc return statements, nil } -func extractStatement(ctx context.Context, repoRef name.Reference, desc v1.Descriptor, remoteOpts []remote.Option) (map[string]interface{}, error) { +func extractStatement(ctx context.Context, repoRef name.Reference, desc v1.Descriptor, remoteOpts []gcrremote.Option) (map[string]interface{}, error) { refStr := repoRef.Context().RegistryStr() + "/" + repoRef.Context().RepositoryStr() + "@" + desc.Digest.String() ref, err := name.ParseReference(refStr) if err != nil { return nil, errors.Wrapf(err, "failed to parse image reference: %s", refStr) } - remoteDesc, err := remote.Get(ref, remoteOpts...) + remoteDesc, err := gcrremote.Get(ref, remoteOpts...) if err != nil { return nil, fmt.Errorf("error in fetching manifest: %w", err) } @@ -307,7 +308,7 @@ func extractStatement(ctx context.Context, repoRef name.Reference, desc v1.Descr } predicateDesc := manifest.Layers[0] - layer, err := remote.Layer(ref.Context().Digest(predicateDesc.Digest.String()), remoteOpts...) + layer, err := gcrremote.Layer(ref.Context().Digest(predicateDesc.Digest.String()), remoteOpts...) if err != nil { return nil, err } diff --git a/pkg/registryclient/client.go b/pkg/registryclient/client.go index dd65523d6c..acc39c6cff 100644 --- a/pkg/registryclient/client.go +++ b/pkg/registryclient/client.go @@ -7,6 +7,7 @@ import ( "io" "net" "net/http" + "runtime" "time" "github.com/awslabs/amazon-ecr-credential-helper/ecr-login" 
@@ -17,10 +18,11 @@ import ( "github.com/google/go-containerregistry/pkg/v1/google" gcrremote "github.com/google/go-containerregistry/pkg/v1/remote" "github.com/kyverno/kyverno/pkg/tracing" - "github.com/sigstore/cosign/pkg/oci/remote" + "github.com/sigstore/cosign/v2/pkg/oci/remote" "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp" "k8s.io/apimachinery/pkg/util/sets" corev1listers "k8s.io/client-go/listers/core/v1" + "sigs.k8s.io/release-utils/version" ) var ( @@ -40,6 +42,8 @@ var ( TLSHandshakeTimeout: 10 * time.Second, ExpectContinueTimeout: 1 * time.Second, } + + userAgent = fmt.Sprintf("cosign/%s (%s; %s)", version.GetVersionInfo().GitVersion, runtime.GOOS, runtime.GOARCH) ) // Client provides registry related objects. @@ -171,6 +175,7 @@ func (c *client) BuildRemoteOption(ctx context.Context) remote.Option { gcrremote.WithAuthFromKeychain(c.keychain), gcrremote.WithTransport(c.transport), gcrremote.WithContext(ctx), + gcrremote.WithUserAgent(userAgent), ) } diff --git a/pkg/validation/policy/validate.go b/pkg/validation/policy/validate.go index d7452daee4..15d1d9d5b8 100644 --- a/pkg/validation/policy/validate.go +++ b/pkg/validation/policy/validate.go @@ -1324,7 +1324,7 @@ func checkForDeprecatedFieldsInVerifyImages(rule kyvernov1.Rule, warnings *[]str for _, imageVerify := range rule.VerifyImages { for _, attestation := range imageVerify.Attestations { if attestation.PredicateType != "" { - msg := fmt.Sprintf("predicateType has been deprecated use 'type: %s' instead of 'prediacteType: %s'", attestation.PredicateType, attestation.PredicateType) + msg := fmt.Sprintf("predicateType has been deprecated use 'type: %s' instead of 'predicateType: %s'", attestation.PredicateType, attestation.PredicateType) *warnings = append(*warnings, msg) } } diff --git a/test/cli/test/images/signatures/policies.yaml b/test/cli/test/images/signatures/policies.yaml index c5e8e5fb5b..51368548f2 100644 --- a/test/cli/test/images/signatures/policies.yaml 
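Review bot: `userAgent` announces the client as `cosign/<version>` but takes the version from `version.GetVersionInfo().GitVersion`, which reports the build information of the running binary (presumably Kyverno's, or a placeholder when the build is not stamped) rather than the cosign library version. Registry operators who use the User-Agent for auditing or rate-limit attribution would see a product and version that do not match the caller. A product token for this project followed by the cosign token would be clearer, or at least add a comment above the variable: `// mirrors cosign's User-Agent format; the version is this binary's build version, not cosign's`.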
+++ b/test/cli/test/images/signatures/policies.yaml @@ -25,3 +25,7 @@ spec: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA== -----END PUBLIC KEY----- + rekor: + url: https://rekor.sigstore.dev + ignoreTlog: true + ignoreSCT: true diff --git a/test/cli/test/images/verify-signature/policies.yaml b/test/cli/test/images/verify-signature/policies.yaml index fe3a273393..088a80dc42 100644 --- a/test/cli/test/images/verify-signature/policies.yaml +++ b/test/cli/test/images/verify-signature/policies.yaml @@ -25,6 +25,10 @@ spec: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA== -----END PUBLIC KEY----- + rekor: + url: https://rekor.sigstore.dev + ignoreTlog: true + ignoreSCT: true --- apiVersion: kyverno.io/v1 kind: ClusterPolicy @@ -58,4 +62,8 @@ spec: -----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA== - -----END PUBLIC KEY----- \ No newline at end of file + -----END PUBLIC KEY----- + rekor: + url: https://rekor.sigstore.dev + ignoreTlog: true + ignoreSCT: true \ No newline at end of file diff --git a/test/conformance/kuttl/reports/background/verify-image-fail/policy.yaml b/test/conformance/kuttl/reports/background/verify-image-fail/policy.yaml index 0d1ff4f3cf..157c8e2437 100644 --- a/test/conformance/kuttl/reports/background/verify-image-fail/policy.yaml +++ b/test/conformance/kuttl/reports/background/verify-image-fail/policy.yaml @@ -27,3 +27,7 @@ spec: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA== -----END PUBLIC KEY----- + rekor: + url: https://rekor.sigstore.dev + ignoreTlog: true + ignoreSCT: true \ No newline at end of file 
diff --git a/test/conformance/kuttl/reports/background/verify-image-pass/policy.yaml b/test/conformance/kuttl/reports/background/verify-image-pass/policy.yaml index 0d1ff4f3cf..d912a96d25 100644 --- a/test/conformance/kuttl/reports/background/verify-image-pass/policy.yaml +++ b/test/conformance/kuttl/reports/background/verify-image-pass/policy.yaml @@ -27,3 +27,7 @@ spec: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA== -----END PUBLIC KEY----- + rekor: + url: https://rekor.sigstore.dev + ignoreTlog: true + ignoreSCT: true diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/wildcard/block-verifyimage/policy.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/wildcard/block-verifyimage/policy.yaml index d82f1791cd..cc7f0f19ac 100644 --- a/test/conformance/kuttl/validate/clusterpolicy/standard/wildcard/block-verifyimage/policy.yaml +++ b/test/conformance/kuttl/validate/clusterpolicy/standard/wildcard/block-verifyimage/policy.yaml @@ -24,3 +24,7 @@ spec: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA== -----END PUBLIC KEY----- + rekor: + url: https://rekor.sigstore.dev + ignoreTlog: true + ignoreSCT: true diff --git a/test/conformance/kuttl/validate/e2e/yaml-signing/policy.yaml b/test/conformance/kuttl/validate/e2e/yaml-signing/policy.yaml index ccb29f1d73..20487f9f4d 100644 --- a/test/conformance/kuttl/validate/e2e/yaml-signing/policy.yaml +++ b/test/conformance/kuttl/validate/e2e/yaml-signing/policy.yaml @@ -42,3 +42,7 @@ spec: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyQfmL5YwHbn9xrrgG3vgbU0KJxMY BibYLJ5L4VSMvGxeMLnBGdM48w5IE//6idUPj3rscigFdHs7GDMH4LLAng== -----END PUBLIC KEY----- + rekor: + url: https://rekor.sigstore.dev + ignoreTlog: true + ignoreSCT: true 
diff --git a/test/conformance/kuttl/verify-manifests/multi-signatures/policy.yaml b/test/conformance/kuttl/verify-manifests/multi-signatures/policy.yaml index 13e977e840..55dddce888 100644 --- a/test/conformance/kuttl/verify-manifests/multi-signatures/policy.yaml +++ b/test/conformance/kuttl/verify-manifests/multi-signatures/policy.yaml @@ -24,9 +24,17 @@ spec: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyQfmL5YwHbn9xrrgG3vgbU0KJxMY BibYLJ5L4VSMvGxeMLnBGdM48w5IE//6idUPj3rscigFdHs7GDMH4LLAng== -----END PUBLIC KEY----- + rekor: + url: https://rekor.sigstore.dev + ignoreTlog: true + ignoreSCT: true - keys: publicKeys: |- -----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEE8uGVnyDWPPlB7M5KOHRzxzPHtAy FdGxexVrR4YqO1pRViKxmD9oMu4I7K/4sM51nbH65ycB2uRiDfIdRoV/+A== -----END PUBLIC KEY----- + rekor: + url: https://rekor.sigstore.dev + ignoreTlog: true + ignoreSCT: true diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/cornercases/multiple-attestors/01-policy.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/cornercases/multiple-attestors/01-policy.yaml index 6e94f745d6..6a6c428f53 100644 --- a/test/conformance/kuttl/verifyImages/clusterpolicy/cornercases/multiple-attestors/01-policy.yaml +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/cornercases/multiple-attestors/01-policy.yaml @@ -25,6 +25,10 @@ spec: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA== -----END PUBLIC KEY----- + rekor: + url: https://rekor.sigstore.dev + ignoreTlog: true + ignoreSCT: true imageReferences: - ghcr.io/kyverno/test-verify-image:* mutateDigest: true @@ -46,6 +50,10 @@ spec: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOUD2uzRHLnx1oH6XAnF+8haL73BF zh9pMI1x1/c4Nj/w+rsrgMCDyV/S8hmsXEbizhYD3QndVtV1piBDfDIb8w== -----END PUBLIC KEY----- + rekor: + url: https://rekor.sigstore.dev + ignoreTlog: true + ignoreSCT: true imageReferences: - my.local.repo/* mutateDigest: false 
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/empty-image/policy.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/empty-image/policy.yaml index 19592cea08..e4e74c4784 100644 --- a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/empty-image/policy.yaml +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/empty-image/policy.yaml @@ -25,3 +25,7 @@ spec: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA== -----END PUBLIC KEY----- + rekor: + url: https://rekor.sigstore.dev + ignoreTlog: true + ignoreSCT: true diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy.yaml index 397730342e..699aa1be7c 100644 --- a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy.yaml +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy.yaml @@ -28,5 +28,9 @@ spec: - entries: - keys: publicKeys: '{{myconfigmap.data.configmapkey}}' + rekor: + url: https://rekor.sigstore.dev + ignoreTlog: true + ignoreSCT: true validationFailureAction: Audit webhookTimeoutSeconds: 30 diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/policy.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/policy.yaml index 0e0ecc7719..2421f87e78 100644 --- a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/policy.yaml +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/policy.yaml 
@@ -30,4 +30,5 @@ spec: subject: "https://github.com/*" rekor: url: https://rekor.sigstore.dev + ignoreSCT: true required: true diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/01-manifests.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/01-manifests.yaml index fb71b09071..72035aea49 100644 --- a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/01-manifests.yaml +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/01-manifests.yaml @@ -45,3 +45,6 @@ spec: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA== -----END PUBLIC KEY----- + rekor: + url: https://rekor.sigstore.dev + ignoreTlog: true diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-basic/01-manifests.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-basic/01-manifests.yaml index e34fe892a7..d0e96819a4 100644 --- a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-basic/01-manifests.yaml +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-basic/01-manifests.yaml @@ -30,3 +30,6 @@ spec: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA== -----END PUBLIC KEY----- + rekor: + url: https://rekor.sigstore.dev + ignoreTlog: true diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret/01-manifests.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret/01-manifests.yaml index 40270f4793..3c9d37c7ea 100644 --- a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret/01-manifests.yaml +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret/01-manifests.yaml 
@@ -28,6 +28,9 @@ spec: secret: name: testsecret namespace: test-verify-images + rekor: + url: https://rekor.sigstore.dev + ignoreTlog: true --- apiVersion: v1 kind: Secret diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/01-manifests.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/01-manifests.yaml index 3ad2cb4d58..8caf290a42 100644 --- a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/01-manifests.yaml +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/01-manifests.yaml @@ -28,6 +28,7 @@ spec: issuer: "https://token.actions.githubusercontent.com" rekor: url: https://rekor.sigstore.dev + ignoreSCT: true conditions: - all: - key: "{{ regex_match('^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main','{{ builder.id}}') }}" diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/01-manifests.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/01-manifests.yaml index 1a5272d177..558b425454 100644 --- a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/01-manifests.yaml +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/01-manifests.yaml @@ -27,6 +27,7 @@ spec: issuer: "https://token.actions.githubusercontent.com" rekor: url: https://rekor.sigstore.dev + ignoreSCT: true conditions: - all: - key: "{{ regex_match('^pkg:github/aquasecurity/trivy@0.34.0','{{ scanner.uri }}') }}" 
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/01-manifests.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/01-manifests.yaml index 3cd0fb3e56..05cc1b9a65 100644 --- a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/01-manifests.yaml +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/01-manifests.yaml @@ -27,6 +27,7 @@ spec: issuer: "https://token.actions.githubusercontent.com" rekor: url: https://rekor.sigstore.dev + ignoreSCT: true conditions: - all: - key: "{{ regex_match('^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main','{{ builder.id}}') }}" diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/01-manifests.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/01-manifests.yaml index 7e93706b3d..dd1f1618e5 100644 --- a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/01-manifests.yaml +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/01-manifests.yaml @@ -27,11 +27,13 @@ spec: issuer: "https://token.actions.githubusercontent.com" rekor: url: https://rekor.sigstore.dev + ignoreSCT: true - keyless: subject: "https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main" issuer: "https://token.actions.githubusercontent.com" rekor: url: https://rekor.sigstore.dev + ignoreSCT: true count: 1 conditions: - all: 
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/01-manifests.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/01-manifests.yaml index 86c95d6292..d0bb01ff0e 100644 --- a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/01-manifests.yaml +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/01-manifests.yaml @@ -27,11 +27,13 @@ spec: issuer: "https://token.actions.githubusercontent.com" rekor: url: https://rekor.sigstore.dev + ignoreSCT: true - keyless: subject: "https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main" issuer: "https://token.actions.githubusercontent.com" rekor: url: https://rekor.sigstore.dev + ignoreSCT: true count: 2 conditions: - all: diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/01-manifests.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/01-manifests.yaml index 03a366d3c4..63f68fdb56 100644 --- a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/01-manifests.yaml +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/01-manifests.yaml 
@@ -27,11 +27,13 @@ spec: issuer: "https://token.actions.githubusercontent.com" rekor: url: https://rekor.sigstore.dev + ignoreSCT: true - keyless: subject: "https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main" issuer: "https://token.actions.githubusercontent.com" rekor: url: https://rekor.sigstore.dev + ignoreSCT: true conditions: - all: - key: "{{ regex_match('^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main','{{ builder.id}}') }}" diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/01-manifests.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/01-manifests.yaml index 5ef445722c..fe6a649946 100644 --- a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/01-manifests.yaml +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/01-manifests.yaml @@ -24,4 +24,5 @@ spec: subject: "https://github.com/chipzoller/zulu/.github/workflows/slsa-generic-keyless.yaml@refs/tags/v*" issuer: "https://token.actions.githubusercontent.com" rekor: - url: https://rekor.sigstore.dev \ No newline at end of file + url: https://rekor.sigstore.dev + ignoreSCT: true \ No newline at end of file diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/01-manifests.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/01-manifests.yaml index 8d92bd6f57..431a025bf0 100644 --- a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/01-manifests.yaml +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/01-manifests.yaml 
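Review bot: The rewritten tail of keyless-mutatedigest-verifydigest-required/01-manifests.yaml still ends without a trailing newline (the `\ No newline at end of file` marker follows the added `ignoreSCT: true`), which is why the unchanged `url:` line appears as removed and re-added. The same applies to keyless-nomutatedigest-noverifydigest-norequired, keyless-nomutatedigest-noverifydigest-required and rollback-image-verification/policy.yaml. Ending each file with a newline after the last added key would keep future appends to a one-line diff and satisfies yamllint's `new-line-at-end-of-file` rule.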
@@ -24,4 +24,5 @@ spec: subject: "https://github.com/chipzoller/zulu/.github/workflows/slsa-generic-keyless.yaml@refs/tags/v*" issuer: "https://token.actions.githubusercontent.com" rekor: - url: https://rekor.sigstore.dev \ No newline at end of file + url: https://rekor.sigstore.dev + ignoreSCT: true \ No newline at end of file diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/01-manifests.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/01-manifests.yaml index 0e0589ae3c..20a6fe1b60 100644 --- a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/01-manifests.yaml +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/01-manifests.yaml @@ -24,4 +24,5 @@ spec: subject: "https://github.com/chipzoller/zulu/.github/workflows/slsa-generic-keyless.yaml@refs/tags/v*" issuer: "https://token.actions.githubusercontent.com" rekor: - url: https://rekor.sigstore.dev \ No newline at end of file + url: https://rekor.sigstore.dev + ignoreSCT: true \ No newline at end of file diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/policy.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/policy.yaml index 461e11afb8..11644d950b 100644 --- a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/policy.yaml +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/policy.yaml 
@@ -30,4 +30,8 @@ spec: -----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfnYaFSrs2pLp4ShcWBgMLJM6Gki/ 1tC5ZWN2IuJTe2RbyVrDEn1qLBXNzGKhIXbsUyO5+BuIfgMdek1pDYFZGQ== - -----END PUBLIC KEY----- \ No newline at end of file + -----END PUBLIC KEY----- + rekor: + url: https://rekor.sigstore.dev + ignoreTlog: true + ignoreSCT: true \ No newline at end of file