From 0b1c0e9b59eb2929fa0581dddf858dcc35b3dd1c Mon Sep 17 00:00:00 2001
From: jstuart
Date: Fri, 14 Jun 2024 13:42:17 -0500
Subject: [PATCH] Add imageRef field to VolatileCriteria

https://issues.redhat.com/browse/EC-630
---
 ...redhat.com_enterprisecontractpolicies.yaml | 8 ++
 .../enterprisecontractpolicy_types.go | 5 ++
 api/v1alpha1/policy_spec.json | 4 +
 ...redhat.com_enterprisecontractpolicies.yaml | 8 ++
 docs/modules/ROOT/pages/reference.adoc | 82 +++++++------------
 5 files changed, 54 insertions(+), 53 deletions(-)

diff --git a/api/config/appstudio.redhat.com_enterprisecontractpolicies.yaml b/api/config/appstudio.redhat.com_enterprisecontractpolicies.yaml
index 0249c48..1e1238a 100644
--- a/api/config/appstudio.redhat.com_enterprisecontractpolicies.yaml
+++ b/api/config/appstudio.redhat.com_enterprisecontractpolicies.yaml
@@ -165,6 +165,10 @@ spec:
 effectiveUntil:
 format: date-time
 type: string
+ imageRef:
+ description: ImageRef is used to specify an image by its digest.
+ pattern: ^sha256:[a-fA-F0-9]{64}$
+ type: string
 value:
 type: string
 required:
@@ -187,6 +191,10 @@ spec:
 effectiveUntil:
 format: date-time
 type: string
+ imageRef:
+ description: ImageRef is used to specify an image by its digest.
+ pattern: ^sha256:[a-fA-F0-9]{64}$
+ type: string
 value:
 type: string
 required:
diff --git a/api/v1alpha1/enterprisecontractpolicy_types.go b/api/v1alpha1/enterprisecontractpolicy_types.go
index 394c454..1ed1013 100644
--- a/api/v1alpha1/enterprisecontractpolicy_types.go
+++ b/api/v1alpha1/enterprisecontractpolicy_types.go
@@ -99,6 +99,11 @@ type VolatileCriteria struct {
 // +optional
 // +kubebuilder:validation:Format:=date-time
 EffectiveUntil string `json:"effectiveUntil,omitempty"`
+
+ // ImageRef is used to specify an image by its digest.
+ // +optional
+ // +kubebuilder:validation:Pattern=`^sha256:[a-fA-F0-9]{64}$`
+ ImageRef string `json:"imageRef,omitempty"`
 }

 // VolatileSourceConfig specifies volatile configuration for a policy source.
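Review bot: The `ImageRef` validation pattern `^sha256:[a-fA-F0-9]{64}$` on the new kubebuilder marker accepts uppercase hex, but the OCI digest grammar for sha256 is lowercase only, so a criterion written with an uppercase digest passes CRD admission yet will never be byte-equal to the digest a registry or attestation reports unless the consumer normalizes case before comparing; either narrow the class to `[a-f0-9]{64}` or state in the doc comment that matching is case-insensitive. The comment also says only what the field holds, not what it does to the criterion: presumably the exclusion or inclusion then applies only to the image with that digest, but nothing in the hunk establishes that, so a sentence such as `// When set, this criterion applies only to the image whose digest matches ImageRef.` (confirmed against the matching code) would help policy authors. Fixing the algorithm to sha256 also deserves a word if it is intentional, since other OCI digest algorithms are rejected outright. The same pattern is repeated in the generated CRD and policy_spec.json hunks, which follow from this one. The enclosing `VolatileCriteria` struct begins outside the hunk.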
diff --git a/api/v1alpha1/policy_spec.json b/api/v1alpha1/policy_spec.json
index fae29bb..512a46e 100644
--- a/api/v1alpha1/policy_spec.json
+++ b/api/v1alpha1/policy_spec.json
@@ -167,6 +167,10 @@
 "effectiveUntil": {
 "type": "string",
 "description": "+optional\n+kubebuilder:validation:Format:=date-time"
+ },
+ "imageRef": {
+ "type": "string",
+ "description": "ImageRef is used to specify an image by its digest.\n+optional\n+kubebuilder:validation:Pattern=`^sha256:[a-fA-F0-9]{64}$`"
 }
 },
 "additionalProperties": false,
diff --git a/config/crd/bases/appstudio.redhat.com_enterprisecontractpolicies.yaml b/config/crd/bases/appstudio.redhat.com_enterprisecontractpolicies.yaml
index 0249c48..1e1238a 100644
--- a/config/crd/bases/appstudio.redhat.com_enterprisecontractpolicies.yaml
+++ b/config/crd/bases/appstudio.redhat.com_enterprisecontractpolicies.yaml
@@ -165,6 +165,10 @@ spec:
 effectiveUntil:
 format: date-time
 type: string
+ imageRef:
+ description: ImageRef is used to specify an image by its digest.
+ pattern: ^sha256:[a-fA-F0-9]{64}$
+ type: string
 value:
 type: string
 required:
@@ -187,6 +191,10 @@ spec:
 effectiveUntil:
 format: date-time
 type: string
+ imageRef:
+ description: ImageRef is used to specify an image by its digest.
+ pattern: ^sha256:[a-fA-F0-9]{64}$
+ type: string
 value:
 type: string
 required:
diff --git a/docs/modules/ROOT/pages/reference.adoc b/docs/modules/ROOT/pages/reference.adoc
index 6222d2e..91f2725 100644
--- a/docs/modules/ROOT/pages/reference.adoc
+++ b/docs/modules/ROOT/pages/reference.adoc
@@ -33,21 +33,14 @@ Appears In: xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contr | *`apiVersion`* __string__ | `appstudio.redhat.com/v1alpha1` | *`kind`* __string__ | `EnterpriseContractPolicy` | *`kind`* __string__ | Kind is a string value representing the REST resource this object represents. + - Servers may infer this from the endpoint the client submits requests to. + - Cannot be updated. + - In CamelCase. + - -More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds +More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + | *`apiVersion`* __string__ | APIVersion defines the versioned schema of this representation of an object. + - Servers should convert recognized schemas to the latest internal value, and + - may reject unrecognized values. + - -More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources +More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. | *`spec`* __xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contract-controller-api-v1alpha1-enterprisecontractpolicyspec[$$EnterpriseContractPolicySpec$$]__ | 
@@ -68,14 +61,11 @@ Appears In: xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contr |=== | Field | Description | *`exclude`* __string array__ | Exclude set of policy exclusions that, in case of failure, do not block + - -the success of the outcome. +the success of the outcome. + | *`include`* __string array__ | Include set of policy inclusions that are added to the policy evaluation. + - -These override excluded rules. +These override excluded rules. + | *`collections`* __string array__ | Collections set of predefined rules. DEPRECATED: Collections can be listed in include + - -with the "@" prefix. +with the "@" prefix. + |=== 
@@ -92,21 +82,14 @@ EnterpriseContractPolicyList contains a list of EnterpriseContractPolicy | *`apiVersion`* __string__ | `appstudio.redhat.com/v1alpha1` | *`kind`* __string__ | `EnterpriseContractPolicyList` | *`kind`* __string__ | Kind is a string value representing the REST resource this object represents. + - Servers may infer this from the endpoint the client submits requests to. + - Cannot be updated. + - In CamelCase. + - -More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds +More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + | *`apiVersion`* __string__ | APIVersion defines the versioned schema of this representation of an object. + - Servers should convert recognized schemas to the latest internal value, and + - may reject unrecognized values. + - -More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources +More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#listmeta-v1-meta[$$ListMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. | *`items`* __xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contract-controller-api-v1alpha1-enterprisecontractpolicy[$$EnterpriseContractPolicy$$] array__ | 
@@ -124,13 +107,13 @@ Appears In: xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contr [cols="25a,75a", options="header"] |=== | Field | Description -| *`name`* __string__ | Optional name of the policy -| *`description`* __string__ | Description of the policy or its intended use -| *`sources`* __xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contract-controller-api-v1alpha1-source[$$Source$$] array__ | One or more groups of policy rules -| *`configuration`* __xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contract-controller-api-v1alpha1-enterprisecontractpolicyconfiguration[$$EnterpriseContractPolicyConfiguration$$]__ | Configuration handles policy modification configuration (exclusions and inclusions) -| *`rekorUrl`* __string__ | URL of the Rekor instance. Empty string disables Rekor integration -| *`publicKey`* __string__ | Public key used to validate the signature of images and attestations -| *`identity`* __xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contract-controller-api-v1alpha1-identity[$$Identity$$]__ | Identity to be used for keyless verification. This is an experimental feature. +| *`name`* __string__ | Optional name of the policy + +| *`description`* __string__ | Description of the policy or its intended use + +| *`sources`* __xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contract-controller-api-v1alpha1-source[$$Source$$] array__ | One or more groups of policy rules + +| *`configuration`* __xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contract-controller-api-v1alpha1-enterprisecontractpolicyconfiguration[$$EnterpriseContractPolicyConfiguration$$]__ | Configuration handles policy modification configuration (exclusions and inclusions) + +| *`rekorUrl`* __string__ | URL of the Rekor instance. 
Empty string disables Rekor integration + +| *`publicKey`* __string__ | Public key used to validate the signature of images and attestations + +| *`identity`* __xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contract-controller-api-v1alpha1-identity[$$Identity$$]__ | Identity to be used for keyless verification. This is an experimental feature. + |=== @@ -155,14 +138,12 @@ Appears In: xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contr [cols="25a,75a", options="header"] |=== | Field | Description -| *`subject`* __string__ | Subject is the URL of the certificate identity for keyless verification. +| *`subject`* __string__ | Subject is the URL of the certificate identity for keyless verification. + | *`subjectRegExp`* __string__ | SubjectRegExp is a regular expression to match the URL of the certificate identity for + - -keyless verification. -| *`issuer`* __string__ | Issuer is the URL of the certificate OIDC issuer for keyless verification. +keyless verification. + +| *`issuer`* __string__ | Issuer is the URL of the certificate OIDC issuer for keyless verification. + | *`issuerRegExp`* __string__ | IssuerRegExp is a regular expression to match the URL of the certificate OIDC issuer for + - -keyless verification. +keyless verification. + |=== 
@@ -177,16 +158,14 @@ Appears In: xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contr [cols="25a,75a", options="header"] |=== | Field | Description -| *`name`* __string__ | Optional name for the source -| *`policy`* __string array__ | List of go-getter style policy source urls -| *`data`* __string array__ | List of go-getter style policy data source urls -| *`ruleData`* __xref:{anchor_prefix}-k8s-io-apiextensions-apiserver-pkg-apis-apiextensions-v1-json[$$JSON$$]__ | Arbitrary rule data that will be visible to policy rules +| *`name`* __string__ | Optional name for the source + +| *`policy`* __string array__ | List of go-getter style policy source urls + +| *`data`* __string array__ | List of go-getter style policy data source urls + +| *`ruleData`* __xref:{anchor_prefix}-k8s-io-apiextensions-apiserver-pkg-apis-apiextensions-v1-json[$$JSON$$]__ | Arbitrary rule data that will be visible to policy rules + | *`config`* __xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contract-controller-api-v1alpha1-sourceconfig[$$SourceConfig$$]__ | Config specifies which policy rules are included, or excluded, from the + - -provided policy source urls. +provided policy source urls. + | *`volatileConfig`* __xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contract-controller-api-v1alpha1-volatilesourceconfig[$$VolatileSourceConfig$$]__ | Specifies volatile configuration that can include or exclude policy rules + - -based on effective time. +based on effective time. + |=== 
@@ -202,11 +181,9 @@ Appears In: xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contr |=== | Field | Description | *`exclude`* __string array__ | Exclude is a set of policy exclusions that, in case of failure, do not block + - -the success of the outcome. +the success of the outcome. + | *`include`* __string array__ | Include is a set of policy inclusions that are added to the policy evaluation. + - -These take precedence over policy exclusions. +These take precedence over policy exclusions. + |=== @@ -224,6 +201,7 @@ Appears In: xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contr | *`value`* __string__ | | *`effectiveOn`* __string__ | | *`effectiveUntil`* __string__ | +| *`imageRef`* __string__ | ImageRef is used to specify an image by its digest. + |=== @@ -239,11 +217,9 @@ Appears In: xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contr |=== | Field | Description | *`exclude`* __xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contract-controller-api-v1alpha1-volatilecriteria[$$VolatileCriteria$$] array__ | Exclude is a set of policy exclusions that, in case of failure, do not block + - -the success of the outcome. +the success of the outcome. + | *`include`* __xref:{anchor_prefix}-github-com-enterprise-contract-enterprise-contract-controller-api-v1alpha1-volatilecriteria[$$VolatileCriteria$$] array__ | Include is a set of policy inclusions that are added to the policy evaluation. + - -These take precedence over policy exclusions. +These take precedence over policy exclusions. + |===