From c10665bdc7c15b46760dec7661603b5d0d3f6920 Mon Sep 17 00:00:00 2001
From: Ville Aikas
Date: Wed, 16 Mar 2022 14:55:48 +0200
Subject: [PATCH] Fix 1608, 1613
Signed-off-by: Ville Aikas
---
 config/300-clusterimagepolicy.yaml | 4 +---
 pkg/apis/config/image_policies_test.go | 4 ++--
 .../testdata/config-image-policies.yaml | 4 ++--
 .../v1alpha1/clusterimagepolicy_types.go | 20 ++++++++++++-------
 .../v1alpha1/clusterimagepolicy_validation.go | 12 +++++------
 .../clusterimagepolicy_validation_test.go | 2 +-
 .../v1alpha1/zz_generated.deepcopy.go | 4 ++--
 .../clusterimagepolicy/clusterimagepolicy.go | 8 ++++----
 .../clusterimagepolicy_test.go | 6 +++---
 .../keylessref-with-multiple-properties.yaml | 4 ++--
 .../testdata/cosigned/valid/valid-policy.yaml | 4 ++--
 11 files changed, 38 insertions(+), 34 deletions(-)
diff --git a/config/300-clusterimagepolicy.yaml b/config/300-clusterimagepolicy.yaml
index eccde421c7bd..5301b2cb5fa4 100644
--- a/config/300-clusterimagepolicy.yaml
+++ b/config/300-clusterimagepolicy.yaml
@@ -46,8 +46,6 @@ spec:
 properties:
 ctlog:
 type: object
- required:
- - url
 properties:
 url:
 type: string
@@ -72,7 +70,7 @@ spec:
 keyless:
 type: object
 properties:
- ca-key:
+ ca-cert:
 type: object
 properties:
 data:
diff --git a/pkg/apis/config/image_policies_test.go b/pkg/apis/config/image_policies_test.go
index c3e6da151568..91083b23e924 100644
--- a/pkg/apis/config/image_policies_test.go
+++ b/pkg/apis/config/image_policies_test.go
@@ -73,8 +73,8 @@ func TestGetAuthorities(t *testing.T) {
 t.Error("Wanted a config, got none.")
 }
 want = "cakey chilling here"
- if got := c[0].Keyless.CAKey.Data; got != want {
- t.Errorf("Did not get what I wanted %q, got %+v", want, c[0].Keyless.CAKey.Data)
+ if got := c[0].Keyless.CACert.Data; got != want {
+ t.Errorf("Did not get what I wanted %q, got %+v", want, c[0].Keyless.CACert.Data)
 }
 want = "issuer"
 if got := c[0].Keyless.Identities[0].Issuer; got != want {
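Review bot: Dropping `required: [url]` under `ctlog` means the API server now accepts an authority written as `ctlog: {}`, so the webhook and reconciler can receive a `TLog` whose `URL` is nil. That is consistent with the `+optional` marker this commit adds to `TLog.URL` in clusterimagepolicy_types.go, but nothing in the diff shows a `Validate` for `TLog` or a default for the missing URL, so it is worth confirming that a nil URL is either rejected or deliberately treated as "no transparency-log check" before anything dereferences it. Pinning that contract in the type's doc comment, e.g. `// URL of the transparency log; an empty ctlog block means <state the intended behaviour>`, would stop the two readings from drifting.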
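Review bot: The expected value `want = "cakey chilling here"`, two context lines above the rewritten assertion, no longer agrees with the fixture this same commit edits: pkg/apis/config/testdata/config-image-policies.yaml (next hunk) now carries `data: cacert chilling here` for the `rando3` authority. If `c[0]` is that authority, the new `CACert.Data` check fails on the first run; change the context line to `want = "cacert chilling here"` or leave the fixture's data string as it was. TestGetAuthorities begins and ends outside this hunk.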
diff --git a/pkg/apis/config/testdata/config-image-policies.yaml b/pkg/apis/config/testdata/config-image-policies.yaml
index 61f2ceb1f92f..057b8f4a05d5 100644
--- a/pkg/apis/config/testdata/config-image-policies.yaml
+++ b/pkg/apis/config/testdata/config-image-policies.yaml
@@ -46,8 +46,8 @@ data:
 - glob: rando3
 authorities:
 - keyless:
- ca-key:
- data: cakey chilling here
+ ca-cert:
+ data: cacert chilling here
 url: http://keylessurl.here
 identities:
 - issuer: issuer
diff --git a/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_types.go b/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_types.go
index b35753e082cd..d8f30028da45 100644
--- a/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_types.go
+++ b/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_types.go
@@ -60,8 +60,10 @@ type ClusterImagePolicySpec struct {
 // If multiple patterns match a particular image, then ALL of
 // those authorities must be satisfied for the image to be admitted.
 type ImagePattern struct {
- Glob string `json:"glob"`
- Regex string `json:"regex"`
+ // +optional
+ Glob string `json:"glob,omitempty"`
+ // +optional
+ Regex string `json:"regex,omitempty"`
 }
 
 // The authorities block defines the rules for discovering and
@@ -99,12 +101,14 @@ type KeyRef struct {
 
 // Source specifies the location of the signature
 type Source struct {
- OCI string `json:"oci"`
+ // +optional
+ OCI string `json:"oci,omitempty"`
 }
 
 // TLog specifies the URL to a transparency log that holds
 // the signature and public key information
 type TLog struct {
+ // +optional
 URL *apis.URL `json:"url,omitempty"`
 }
 
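Review bot: Adding `omitempty` to `Glob` and `Regex` changes the serialised form of `ImagePattern`: a pattern with an empty regex now marshals as `{"glob":"…"}` rather than `{"glob":"…","regex":""}`. The expected patches in pkg/reconciler/clusterimagepolicy/clusterimagepolicy_test.go, both the untouched `inlinedSecretKeyPatch` and the `inlinedSecretKeylessPatch` this commit rewrites, still embed `\"regex\":\"\"`, so if those strings are compared against a `json.Marshal` of the spec they will stop matching and need regenerating. With both fields now optional, the struct comment should also state which combinations are accepted, e.g. `// At least one of Glob or Regex must be set; Validate enforces this.`, adjusted to whatever the ImagePattern validation (not in this diff) actually checks.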
@@ -117,14 +121,16 @@ type KeylessRef struct {
 // +optional
 Identities []Identity `json:"identities,omitempty"`
 // +optional
- CAKey *KeyRef `json:"ca-key,omitempty"`
+ CACert *KeyRef `json:"ca-cert,omitempty"`
 }
 
-// Identity may contain the issue and/or the subject found in the transparency log.
+// Identity may contain the issuer and/or the subject found in the transparency log.
 // Either field supports a pattern glob.
 type Identity struct {
- Issuer string `json:"issuer"`
- Subject string `json:"subject"`
+ // +optional
+ Issuer string `json:"issuer,omitempty"`
+ // +optional
+ Subject string `json:"subject,omitempty"`
 }
 
 // ClusterImagePolicyList is a list of ClusterImagePolicy resources
diff --git a/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation.go b/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation.go
index 05a3fc0a1857..1ae1a235ada5 100644
--- a/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation.go
+++ b/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation.go
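Review bot: Renaming the JSON tag from `ca-key` to `ca-cert` on `KeylessRef` has no conversion or alias, so any ClusterImagePolicy already persisted with a `ca-key` block decodes with `CACert == nil` (the unknown key is dropped), and a keyless authority that relied on that certificate silently loses the constraint until the object is re-applied and re-validated. If pre-release objects can exist in a cluster, a release note or a one-off migration is the minimum, and keeping `ca-key` as a deprecated read-only alias for one release would avoid the silent drop; if v1alpha1 is explicitly allowed to break here, a sentence in the commit message saying so is enough. The `KeylessRef` struct begins outside this hunk.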
@@ -108,16 +108,16 @@ func (key *KeyRef) Validate(ctx context.Context) *apis.FieldError {
 func (keyless *KeylessRef) Validate(ctx context.Context) *apis.FieldError {
 var errs *apis.FieldError
 
- if keyless.URL == nil && keyless.Identities == nil && keyless.CAKey == nil {
- errs = errs.Also(apis.ErrMissingOneOf("url", "identities", "ca-key"))
+ if keyless.URL == nil && keyless.Identities == nil && keyless.CACert == nil {
+ errs = errs.Also(apis.ErrMissingOneOf("url", "identities", "ca-cert"))
 }
 
 if keyless.URL != nil {
- if keyless.CAKey != nil || keyless.Identities != nil {
- errs = errs.Also(apis.ErrMultipleOneOf("url", "identities", "ca-key"))
+ if keyless.CACert != nil || keyless.Identities != nil {
+ errs = errs.Also(apis.ErrMultipleOneOf("url", "identities", "ca-cert"))
 }
- } else if keyless.CAKey != nil && keyless.Identities != nil {
- errs = errs.Also(apis.ErrMultipleOneOf("url", "identities", "ca-key"))
+ } else if keyless.CACert != nil && keyless.Identities != nil {
+ errs = errs.Also(apis.ErrMultipleOneOf("url", "identities", "ca-cert"))
 }
 
 if keyless.Identities != nil && len(keyless.Identities) == 0 {
diff --git a/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation_test.go b/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation_test.go
index 117d8c1767ee..264f07354813 100644
--- a/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation_test.go
+++ b/pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation_test.go
@@ -281,7 +281,7 @@ func TestKeylessValidation(t *testing.T) {
 URL: &apis.URL{
 Host: "myhost",
 },
- CAKey: &KeyRef{
+ CACert: &KeyRef{
 Data: "---certificate---",
 },
 },
diff --git a/pkg/apis/cosigned/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/cosigned/v1alpha1/zz_generated.deepcopy.go
index 4556c6c2b251..2c1c886712ce 100644
--- a/pkg/apis/cosigned/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/cosigned/v1alpha1/zz_generated.deepcopy.go
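Review bot: The field-path triple `"url", "identities", "ca-cert"` is spelled out in all three `ErrMissingOneOf`/`ErrMultipleOneOf` calls in KeylessRef.Validate, which is exactly why this rename had to touch three string literals that the compiler cannot check. Hoisting them once, `var keylessOneOfFields = []string{"url", "identities", "ca-cert"}`, and passing `keylessOneOfFields...` at each call site keeps the JSON names in one place next to the struct tags they must match. KeylessRef.Validate continues past the end of this hunk.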
@@ -215,8 +215,8 @@ func (in *KeylessRef) DeepCopyInto(out *KeylessRef) {
 *out = make([]Identity, len(*in))
 copy(*out, *in)
 }
- if in.CAKey != nil {
- in, out := &in.CAKey, &out.CAKey
+ if in.CACert != nil {
+ in, out := &in.CACert, &out.CACert
 *out = new(KeyRef)
 (*in).DeepCopyInto(*out)
 }
diff --git a/pkg/reconciler/clusterimagepolicy/clusterimagepolicy.go b/pkg/reconciler/clusterimagepolicy/clusterimagepolicy.go
index 50fc4022d5ef..9358d526cd05 100644
--- a/pkg/reconciler/clusterimagepolicy/clusterimagepolicy.go
+++ b/pkg/reconciler/clusterimagepolicy/clusterimagepolicy.go
@@ -134,10 +134,10 @@ func (r *Reconciler) inlineSecrets(ctx context.Context, cip *v1alpha1.ClusterIma
 return nil, err
 }
 }
- if authority.Keyless != nil && authority.Keyless.CAKey != nil &&
- authority.Keyless.CAKey.SecretRef != nil {
- if err := r.inlineAndTrackSecret(ctx, ret, authority.Keyless.CAKey); err != nil {
- logging.FromContext(ctx).Errorf("Failed to read secret %q: %v", authority.Keyless.CAKey.SecretRef.Name, err)
+ if authority.Keyless != nil && authority.Keyless.CACert != nil &&
+ authority.Keyless.CACert.SecretRef != nil {
+ if err := r.inlineAndTrackSecret(ctx, ret, authority.Keyless.CACert); err != nil {
+ logging.FromContext(ctx).Errorf("Failed to read secret %q: %v", authority.Keyless.CACert.SecretRef.Name, err)
 return nil, err
 }
 }
diff --git a/pkg/reconciler/clusterimagepolicy/clusterimagepolicy_test.go b/pkg/reconciler/clusterimagepolicy/clusterimagepolicy_test.go
index e1cb10ead1db..d2f151757875 100644
--- a/pkg/reconciler/clusterimagepolicy/clusterimagepolicy_test.go
+++ b/pkg/reconciler/clusterimagepolicy/clusterimagepolicy_test.go
@@ -76,7 +76,7 @@ RCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==
 inlinedSecretKeyPatch = `[{"op":"replace","path":"/data/test-cip","value":"{\"images\":[{\"glob\":\"ghcr.io/example/*\",\"regex\":\"\"}],\"authorities\":[{\"key\":{\"data\":\"-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\n-----END PUBLIC KEY-----\"}}]}"}]`
 
 // This is the patch for inlined secret for keyless cakey ref data
- inlinedSecretKeylessPatch = `[{"op":"replace","path":"/data/test-cip-2","value":"{\"images\":[{\"glob\":\"ghcr.io/example/*\",\"regex\":\"\"}],\"authorities\":[{\"keyless\":{\"ca-key\":{\"data\":\"-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\n-----END PUBLIC KEY-----\"}}}]}"}]`
+ inlinedSecretKeylessPatch = `[{"op":"replace","path":"/data/test-cip-2","value":"{\"images\":[{\"glob\":\"ghcr.io/example/*\",\"regex\":\"\"}],\"authorities\":[{\"keyless\":{\"ca-cert\":{\"data\":\"-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\n-----END PUBLIC KEY-----\"}}}]}"}]`
 )
 
 func TestReconcile(t *testing.T) {
@@ -324,7 +324,7 @@ func TestReconcile(t *testing.T) {
 }),
 WithAuthority(v1alpha1.Authority{
 Keyless: &v1alpha1.KeylessRef{
- CAKey: &v1alpha1.KeyRef{
+ CACert: &v1alpha1.KeyRef{
 SecretRef: &corev1.SecretReference{
 Name: keylessSecretName,
 },
@@ -481,7 +481,7 @@ func TestReconcile(t *testing.T) {
 }),
 WithAuthority(v1alpha1.Authority{
 Keyless: &v1alpha1.KeylessRef{
- CAKey: &v1alpha1.KeyRef{
+ CACert: &v1alpha1.KeyRef{
 SecretRef: &corev1.SecretReference{
 Name: keylessSecretName,
 }},
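Review bot: The comment directly above the rewritten constant still reads `// This is the patch for inlined secret for keyless cakey ref data`, while the patch it describes now uses `ca-cert`; update it to `// This is the patch for inlined secret for keyless ca-cert ref data` so the comment and the fixture agree after the rename. The surrounding const block opens before this hunk.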
diff --git a/test/testdata/cosigned/invalid/keylessref-with-multiple-properties.yaml b/test/testdata/cosigned/invalid/keylessref-with-multiple-properties.yaml
index 0e19fd353c63..1d3af5bcf24c 100644
--- a/test/testdata/cosigned/invalid/keylessref-with-multiple-properties.yaml
+++ b/test/testdata/cosigned/invalid/keylessref-with-multiple-properties.yaml
@@ -21,9 +21,9 @@ spec:
 - glob: image*
 authorities:
 - keyless:
- ca-key:
+ ca-cert:
 secretRef:
- name: ca-key-secret
+ name: ca-cert-secret
 namespace: some-namespace
 identities:
 - issuer: "issue-details"
diff --git a/test/testdata/cosigned/valid/valid-policy.yaml b/test/testdata/cosigned/valid/valid-policy.yaml
index ee32abc0e8e4..fe9038ebf491 100644
--- a/test/testdata/cosigned/valid/valid-policy.yaml
+++ b/test/testdata/cosigned/valid/valid-policy.yaml
@@ -22,9 +22,9 @@ spec:
 - glob: image*
 authorities:
 - keyless:
- ca-key:
+ ca-cert:
 secretRef:
- name: ca-key-secret
+ name: ca-cert-secret
 namespace: some-namespacemak
 - keyless:
 identities: