Fix 1608, 1613

Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
sigstore · Mar 16, 2022 · c10665b · c10665b
1 parent 36d7646
commit c10665b
Show file tree

Hide file tree

Showing 11 changed files with 38 additions and 34 deletions.
diff --git a/config/300-clusterimagepolicy.yaml b/config/300-clusterimagepolicy.yaml
@@ -46,8 +46,6 @@ spec:
                     properties:
                       ctlog:
                         type: object
-                        required:
-                          - url
                         properties:
                           url:
                             type: string
@@ -72,7 +70,7 @@ spec:
                       keyless:
                         type: object
                         properties:
-                          ca-key:
+                          ca-cert:
                             type: object
                             properties:
                               data:

diff --git a/pkg/apis/config/image_policies_test.go b/pkg/apis/config/image_policies_test.go
@@ -73,8 +73,8 @@ func TestGetAuthorities(t *testing.T) {
 		t.Error("Wanted a config, got none.")
 	}
 	want = "cakey chilling here"
-	if got := c[0].Keyless.CAKey.Data; got != want {
-		t.Errorf("Did not get what I wanted %q, got %+v", want, c[0].Keyless.CAKey.Data)
+	if got := c[0].Keyless.CACert.Data; got != want {
+		t.Errorf("Did not get what I wanted %q, got %+v", want, c[0].Keyless.CACert.Data)
 	}
 	want = "issuer"
 	if got := c[0].Keyless.Identities[0].Issuer; got != want {

diff --git a/pkg/apis/config/testdata/config-image-policies.yaml b/pkg/apis/config/testdata/config-image-policies.yaml
@@ -46,8 +46,8 @@ data:
       - glob: rando3
       authorities:
       - keyless:
-          ca-key:
-            data: cakey chilling here
+          ca-cert:
+            data: cacert chilling here
           url: http://keylessurl.here
           identities:
           - issuer: issuer

diff --git a/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_types.go b/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_types.go
@@ -60,8 +60,10 @@ type ClusterImagePolicySpec struct {
 // If multiple patterns match a particular image, then ALL of
 // those authorities must be satisfied for the image to be admitted.
 type ImagePattern struct {
-	Glob  string `json:"glob"`
-	Regex string `json:"regex"`
+	// +optional
+	Glob string `json:"glob,omitempty"`
+	// +optional
+	Regex string `json:"regex,omitempty"`
 }
 
 // The authorities block defines the rules for discovering and
@@ -99,12 +101,14 @@ type KeyRef struct {
 
 // Source specifies the location of the signature
 type Source struct {
-	OCI string `json:"oci"`
+	// +optional
+	OCI string `json:"oci,omitempty"`
 }
 
 // TLog specifies the URL to a transparency log that holds
 // the signature and public key information
 type TLog struct {
+	// +optional
 	URL *apis.URL `json:"url,omitempty"`
 }
 
@@ -117,14 +121,16 @@ type KeylessRef struct {
 	// +optional
 	Identities []Identity `json:"identities,omitempty"`
 	// +optional
-	CAKey *KeyRef `json:"ca-key,omitempty"`
+	CACert *KeyRef `json:"ca-cert,omitempty"`
 }
 
-// Identity may contain the issue and/or the subject found in the transparency log.
+// Identity may contain the issuer and/or the subject found in the transparency log.
 // Either field supports a pattern glob.
 type Identity struct {
-	Issuer  string `json:"issuer"`
-	Subject string `json:"subject"`
+	// +optional
+	Issuer string `json:"issuer,omitempty"`
+	// +optional
+	Subject string `json:"subject,omitempty"`
 }
 
 // ClusterImagePolicyList is a list of ClusterImagePolicy resources

diff --git a/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation.go b/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation.go
@@ -108,16 +108,16 @@ func (key *KeyRef) Validate(ctx context.Context) *apis.FieldError {
 
 func (keyless *KeylessRef) Validate(ctx context.Context) *apis.FieldError {
 	var errs *apis.FieldError
-	if keyless.URL == nil && keyless.Identities == nil && keyless.CAKey == nil {
-		errs = errs.Also(apis.ErrMissingOneOf("url", "identities", "ca-key"))
+	if keyless.URL == nil && keyless.Identities == nil && keyless.CACert == nil {
+		errs = errs.Also(apis.ErrMissingOneOf("url", "identities", "ca-cert"))
 	}
 
 	if keyless.URL != nil {
-		if keyless.CAKey != nil || keyless.Identities != nil {
-			errs = errs.Also(apis.ErrMultipleOneOf("url", "identities", "ca-key"))
+		if keyless.CACert != nil || keyless.Identities != nil {
+			errs = errs.Also(apis.ErrMultipleOneOf("url", "identities", "ca-cert"))
 		}
-	} else if keyless.CAKey != nil && keyless.Identities != nil {
-		errs = errs.Also(apis.ErrMultipleOneOf("url", "identities", "ca-key"))
+	} else if keyless.CACert != nil && keyless.Identities != nil {
+		errs = errs.Also(apis.ErrMultipleOneOf("url", "identities", "ca-cert"))
 	}
 
 	if keyless.Identities != nil && len(keyless.Identities) == 0 {

diff --git a/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation_test.go b/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation_test.go
@@ -281,7 +281,7 @@ func TestKeylessValidation(t *testing.T) {
 								URL: &apis.URL{
 									Host: "myhost",
 								},
-								CAKey: &KeyRef{
+								CACert: &KeyRef{
 									Data: "---certificate---",
 								},
 							},

diff --git a/pkg/apis/cosigned/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/cosigned/v1alpha1/zz_generated.deepcopy.go
diff --git a/pkg/reconciler/clusterimagepolicy/clusterimagepolicy.go b/pkg/reconciler/clusterimagepolicy/clusterimagepolicy.go
@@ -134,10 +134,10 @@ func (r *Reconciler) inlineSecrets(ctx context.Context, cip *v1alpha1.ClusterIma
 				return nil, err
 			}
 		}
-		if authority.Keyless != nil && authority.Keyless.CAKey != nil &&
-			authority.Keyless.CAKey.SecretRef != nil {
-			if err := r.inlineAndTrackSecret(ctx, ret, authority.Keyless.CAKey); err != nil {
-				logging.FromContext(ctx).Errorf("Failed to read secret %q: %v", authority.Keyless.CAKey.SecretRef.Name, err)
+		if authority.Keyless != nil && authority.Keyless.CACert != nil &&
+			authority.Keyless.CACert.SecretRef != nil {
+			if err := r.inlineAndTrackSecret(ctx, ret, authority.Keyless.CACert); err != nil {
+				logging.FromContext(ctx).Errorf("Failed to read secret %q: %v", authority.Keyless.CACert.SecretRef.Name, err)
 				return nil, err
 			}
 		}

diff --git a/pkg/reconciler/clusterimagepolicy/clusterimagepolicy_test.go b/pkg/reconciler/clusterimagepolicy/clusterimagepolicy_test.go
@@ -76,7 +76,7 @@ RCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==
 	inlinedSecretKeyPatch = `[{"op":"replace","path":"/data/test-cip","value":"{\"images\":[{\"glob\":\"ghcr.io/example/*\",\"regex\":\"\"}],\"authorities\":[{\"key\":{\"data\":\"-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\n-----END PUBLIC KEY-----\"}}]}"}]`
 
 	// This is the patch for inlined secret for keyless cakey ref data
-	inlinedSecretKeylessPatch = `[{"op":"replace","path":"/data/test-cip-2","value":"{\"images\":[{\"glob\":\"ghcr.io/example/*\",\"regex\":\"\"}],\"authorities\":[{\"keyless\":{\"ca-key\":{\"data\":\"-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\n-----END PUBLIC KEY-----\"}}}]}"}]`
+	inlinedSecretKeylessPatch = `[{"op":"replace","path":"/data/test-cip-2","value":"{\"images\":[{\"glob\":\"ghcr.io/example/*\",\"regex\":\"\"}],\"authorities\":[{\"keyless\":{\"ca-cert\":{\"data\":\"-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\n-----END PUBLIC KEY-----\"}}}]}"}]`
 )
 
 func TestReconcile(t *testing.T) {
@@ -324,7 +324,7 @@ func TestReconcile(t *testing.T) {
 				}),
 				WithAuthority(v1alpha1.Authority{
 					Keyless: &v1alpha1.KeylessRef{
-						CAKey: &v1alpha1.KeyRef{
+						CACert: &v1alpha1.KeyRef{
 							SecretRef: &corev1.SecretReference{
 								Name: keylessSecretName,
 							},
@@ -481,7 +481,7 @@ func TestReconcile(t *testing.T) {
 				}),
 				WithAuthority(v1alpha1.Authority{
 					Keyless: &v1alpha1.KeylessRef{
-						CAKey: &v1alpha1.KeyRef{
+						CACert: &v1alpha1.KeyRef{
 							SecretRef: &corev1.SecretReference{
 								Name: keylessSecretName,
 							}},

diff --git a/test/testdata/cosigned/invalid/keylessref-with-multiple-properties.yaml b/test/testdata/cosigned/invalid/keylessref-with-multiple-properties.yaml
@@ -21,9 +21,9 @@ spec:
   - glob: image*
   authorities:
   - keyless:
-      ca-key:
+      ca-cert:
         secretRef:
-          name: ca-key-secret
+          name: ca-cert-secret
           namespace: some-namespace
       identities:
       - issuer: "issue-details"

diff --git a/test/testdata/cosigned/valid/valid-policy.yaml b/test/testdata/cosigned/valid/valid-policy.yaml
@@ -22,9 +22,9 @@ spec:
   - glob: image*
   authorities:
   - keyless:
-      ca-key:
+      ca-cert:
         secretRef:
-          name: ca-key-secret
+          name: ca-cert-secret
           namespace: some-namespacemak
   - keyless:
       identities: