Merge pull request #346 from joejstuart/imageRef-volatileCriteria

Add imageRef field to VolatileCriteria
enterprise-contract · Jun 20, 2024 · 01a3c00 · 01a3c00
2 parents 9bacde2 + 0b1c0e9
commit 01a3c00
Show file tree

Hide file tree

Showing 5 changed files with 54 additions and 53 deletions.
diff --git a/api/config/appstudio.redhat.com_enterprisecontractpolicies.yaml b/api/config/appstudio.redhat.com_enterprisecontractpolicies.yaml
@@ -165,6 +165,10 @@ spec:
                                 effectiveUntil:
                                   format: date-time
                                   type: string
+                                imageRef:
+                                  description: ImageRef is used to specify an image by its digest.
+                                  pattern: ^sha256:[a-fA-F0-9]{64}$
+                                  type: string
                                 value:
                                   type: string
                               required:
@@ -187,6 +191,10 @@ spec:
                                 effectiveUntil:
                                   format: date-time
                                   type: string
+                                imageRef:
+                                  description: ImageRef is used to specify an image by its digest.
+                                  pattern: ^sha256:[a-fA-F0-9]{64}$
+                                  type: string
                                 value:
                                   type: string
                               required:

diff --git a/api/v1alpha1/enterprisecontractpolicy_types.go b/api/v1alpha1/enterprisecontractpolicy_types.go
@@ -99,6 +99,11 @@ type VolatileCriteria struct {
 	// +optional
 	// +kubebuilder:validation:Format:=date-time
 	EffectiveUntil string `json:"effectiveUntil,omitempty"`
+
+	// ImageRef is used to specify an image by its digest.
+	// +optional
+	// +kubebuilder:validation:Pattern=`^sha256:[a-fA-F0-9]{64}$`
+	ImageRef string `json:"imageRef,omitempty"`
 }
 
 // VolatileSourceConfig specifies volatile configuration for a policy source.

diff --git a/api/v1alpha1/policy_spec.json b/api/v1alpha1/policy_spec.json
@@ -167,6 +167,10 @@
         "effectiveUntil": {
           "type": "string",
           "description": "+optional\n+kubebuilder:validation:Format:=date-time"
+        },
+        "imageRef": {
+          "type": "string",
+          "description": "ImageRef is used to specify an image by its digest.\n+optional\n+kubebuilder:validation:Pattern=`^sha256:[a-fA-F0-9]{64}$`"
         }
       },
       "additionalProperties": false,

diff --git a/config/crd/bases/appstudio.redhat.com_enterprisecontractpolicies.yaml b/config/crd/bases/appstudio.redhat.com_enterprisecontractpolicies.yaml
@@ -165,6 +165,10 @@ spec:
                                 effectiveUntil:
                                   format: date-time
                                   type: string
+                                imageRef:
+                                  description: ImageRef is used to specify an image by its digest.
+                                  pattern: ^sha256:[a-fA-F0-9]{64}$
+                                  type: string
                                 value:
                                   type: string
                               required:
@@ -187,6 +191,10 @@ spec:
                                 effectiveUntil:
                                   format: date-time
                                   type: string
+                                imageRef:
+                                  description: ImageRef is used to specify an image by its digest.
+                                  pattern: ^sha256:[a-fA-F0-9]{64}$
+                                  type: string
                                 value:
                                   type: string
                               required:

diff --git a/docs/modules/ROOT/pages/reference.adoc b/docs/modules/ROOT/pages/reference.adoc
@@ -33,21 +33,14 @@ Appears In: xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contr
 | *`apiVersion`* __string__ | `appstudio.redhat.com/v1alpha1`
 | *`kind`* __string__ | `EnterpriseContractPolicy`
 | *`kind`* __string__ | Kind is a string value representing the REST resource this object represents. +
-
 Servers may infer this from the endpoint the client submits requests to. +
-
 Cannot be updated. +
-
 In CamelCase. +
-
-More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds +
 | *`apiVersion`* __string__ | APIVersion defines the versioned schema of this representation of an object. +
-
 Servers should convert recognized schemas to the latest internal value, and +
-
 may reject unrecognized values. +
-
-More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources +
 | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
 
 | *`spec`* __xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contract-controller-api-v1alpha1-enterprisecontractpolicyspec[$$EnterpriseContractPolicySpec$$]__ | 
@@ -68,14 +61,11 @@ Appears In: xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contr
 |===
 | Field | Description
 | *`exclude`* __string array__ | Exclude set of policy exclusions that, in case of failure, do not block +
-
-the success of the outcome.
+the success of the outcome. +
 | *`include`* __string array__ | Include set of policy inclusions that are added to the policy evaluation. +
-
-These override excluded rules.
+These override excluded rules. +
 | *`collections`* __string array__ | Collections set of predefined rules.  DEPRECATED: Collections can be listed in include +
-
-with the "@" prefix.
+with the "@" prefix. +
 |===
 
 
@@ -92,21 +82,14 @@ EnterpriseContractPolicyList contains a list of EnterpriseContractPolicy
 | *`apiVersion`* __string__ | `appstudio.redhat.com/v1alpha1`
 | *`kind`* __string__ | `EnterpriseContractPolicyList`
 | *`kind`* __string__ | Kind is a string value representing the REST resource this object represents. +
-
 Servers may infer this from the endpoint the client submits requests to. +
-
 Cannot be updated. +
-
 In CamelCase. +
-
-More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds +
 | *`apiVersion`* __string__ | APIVersion defines the versioned schema of this representation of an object. +
-
 Servers should convert recognized schemas to the latest internal value, and +
-
 may reject unrecognized values. +
-
-More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources +
 | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#listmeta-v1-meta[$$ListMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
 
 | *`items`* __xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contract-controller-api-v1alpha1-enterprisecontractpolicy[$$EnterpriseContractPolicy$$] array__ | 
@@ -124,13 +107,13 @@ Appears In: xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contr
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`name`* __string__ | Optional name of the policy
-| *`description`* __string__ | Description of the policy or its intended use
-| *`sources`* __xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contract-controller-api-v1alpha1-source[$$Source$$] array__ | One or more groups of policy rules
-| *`configuration`* __xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contract-controller-api-v1alpha1-enterprisecontractpolicyconfiguration[$$EnterpriseContractPolicyConfiguration$$]__ | Configuration handles policy modification configuration (exclusions and inclusions)
-| *`rekorUrl`* __string__ | URL of the Rekor instance. Empty string disables Rekor integration
-| *`publicKey`* __string__ | Public key used to validate the signature of images and attestations
-| *`identity`* __xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contract-controller-api-v1alpha1-identity[$$Identity$$]__ | Identity to be used for keyless verification. This is an experimental feature.
+| *`name`* __string__ | Optional name of the policy +
+| *`description`* __string__ | Description of the policy or its intended use +
+| *`sources`* __xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contract-controller-api-v1alpha1-source[$$Source$$] array__ | One or more groups of policy rules +
+| *`configuration`* __xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contract-controller-api-v1alpha1-enterprisecontractpolicyconfiguration[$$EnterpriseContractPolicyConfiguration$$]__ | Configuration handles policy modification configuration (exclusions and inclusions) +
+| *`rekorUrl`* __string__ | URL of the Rekor instance. Empty string disables Rekor integration +
+| *`publicKey`* __string__ | Public key used to validate the signature of images and attestations +
+| *`identity`* __xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contract-controller-api-v1alpha1-identity[$$Identity$$]__ | Identity to be used for keyless verification. This is an experimental feature. +
 |===
 
 
@@ -155,14 +138,12 @@ Appears In: xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contr
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`subject`* __string__ | Subject is the URL of the certificate identity for keyless verification.
+| *`subject`* __string__ | Subject is the URL of the certificate identity for keyless verification. +
 | *`subjectRegExp`* __string__ | SubjectRegExp is a regular expression to match the URL of the certificate identity for +
-
-keyless verification.
-| *`issuer`* __string__ | Issuer is the URL of the certificate OIDC issuer for keyless verification.
+keyless verification. +
+| *`issuer`* __string__ | Issuer is the URL of the certificate OIDC issuer for keyless verification. +
 | *`issuerRegExp`* __string__ | IssuerRegExp is a regular expression to match the URL of the certificate OIDC issuer for +
-
-keyless verification.
+keyless verification. +
 |===
 
 
@@ -177,16 +158,14 @@ Appears In: xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contr
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`name`* __string__ | Optional name for the source
-| *`policy`* __string array__ | List of go-getter style policy source urls
-| *`data`* __string array__ | List of go-getter style policy data source urls
-| *`ruleData`* __xref:{anchor_prefix}-k8s-io-apiextensions-apiserver-pkg-apis-apiextensions-v1-json[$$JSON$$]__ | Arbitrary rule data that will be visible to policy rules
+| *`name`* __string__ | Optional name for the source +
+| *`policy`* __string array__ | List of go-getter style policy source urls +
+| *`data`* __string array__ | List of go-getter style policy data source urls +
+| *`ruleData`* __xref:{anchor_prefix}-k8s-io-apiextensions-apiserver-pkg-apis-apiextensions-v1-json[$$JSON$$]__ | Arbitrary rule data that will be visible to policy rules +
 | *`config`* __xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contract-controller-api-v1alpha1-sourceconfig[$$SourceConfig$$]__ | Config specifies which policy rules are included, or excluded, from the +
-
-provided policy source urls.
+provided policy source urls. +
 | *`volatileConfig`* __xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contract-controller-api-v1alpha1-volatilesourceconfig[$$VolatileSourceConfig$$]__ | Specifies volatile configuration that can include or exclude policy rules +
-
-based on effective time.
+based on effective time. +
 |===
 
 
@@ -202,11 +181,9 @@ Appears In: xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contr
 |===
 | Field | Description
 | *`exclude`* __string array__ | Exclude is a set of policy exclusions that, in case of failure, do not block +
-
-the success of the outcome.
+the success of the outcome. +
 | *`include`* __string array__ | Include is a set of policy inclusions that are added to the policy evaluation. +
-
-These take precedence over policy exclusions.
+These take precedence over policy exclusions. +
 |===
 
 
@@ -224,6 +201,7 @@ Appears In: xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contr
 | *`value`* __string__ | 
 | *`effectiveOn`* __string__ | 
 | *`effectiveUntil`* __string__ | 
+| *`imageRef`* __string__ | ImageRef is used to specify an image by its digest. +
 |===
 
 
@@ -239,11 +217,9 @@ Appears In: xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contr
 |===
 | Field | Description
 | *`exclude`* __xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contract-controller-api-v1alpha1-volatilecriteria[$$VolatileCriteria$$] array__ | Exclude is a set of policy exclusions that, in case of failure, do not block +
-
-the success of the outcome.
+the success of the outcome. +
 | *`include`* __xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contract-controller-api-v1alpha1-volatilecriteria[$$VolatileCriteria$$] array__ | Include is a set of policy inclusions that are added to the policy evaluation. +
-
-These take precedence over policy exclusions.
+These take precedence over policy exclusions. +
 |===