From 1a30d73a93b4e20815b13293c259a4107f364b15 Mon Sep 17 00:00:00 2001
From: Qi Wang
Date: Thu, 14 Nov 2024 17:11:23 -0500
Subject: [PATCH] validaiton with featuregate
Signed-off-by: Qi Wang
---
 .../SigstoreImageVerification.yaml | 28 +------------------
 .../SigstoreImageVerification.yaml | 28 +------------------
 config/v1alpha1/types_image_policy.go | 12 ++++----
 ...sterimagepolicies-CustomNoUpgrade.crd.yaml | 15 +++++++---
 ...imagepolicies-DevPreviewNoUpgrade.crd.yaml | 15 +++++++---
 ...magepolicies-TechPreviewNoUpgrade.crd.yaml | 1 -
 ..._01_imagepolicies-CustomNoUpgrade.crd.yaml | 15 +++++++---
 ...imagepolicies-DevPreviewNoUpgrade.crd.yaml | 15 +++++++---
 ...magepolicies-TechPreviewNoUpgrade.crd.yaml | 1 -
 .../SigstoreImageVerification.yaml | 1 -
 .../SigstoreImageVerificationPKI.yaml | 15 +++++++---
 .../SigstoreImageVerification.yaml | 1 -
 .../SigstoreImageVerificationPKI.yaml | 15 +++++++---
 .../zz_generated.swagger_doc_generated.go | 2 +-
 .../generated_openapi/zz_generated.openapi.go | 2 +-
 openapi/openapi.json | 2 +-
 ...sterimagepolicies-CustomNoUpgrade.crd.yaml | 15 +++++++---
 ...imagepolicies-DevPreviewNoUpgrade.crd.yaml | 15 +++++++---
 ...magepolicies-TechPreviewNoUpgrade.crd.yaml | 1 -
 ..._01_imagepolicies-CustomNoUpgrade.crd.yaml | 15 +++++++---
 ...imagepolicies-DevPreviewNoUpgrade.crd.yaml | 15 +++++++---
 ...magepolicies-TechPreviewNoUpgrade.crd.yaml | 1 -
 22 files changed, 122 insertions(+), 108 deletions(-)
diff --git a/config/v1alpha1/tests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml b/config/v1alpha1/tests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml
index ad32f44b9ac..94c98c04ad3 100644
--- a/config/v1alpha1/tests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml
+++ b/config/v1alpha1/tests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml
@@ -450,30 +450,4 @@ tests:
 policyType: PublicKey
 publicKey:
 keyData: Zm9vIGJhcg==
- - name: Should be able to create a minimal ClusterImagePolicy with policyType PKI
- initial: |
- apiVersion: config.openshift.io/v1alpha1
- kind: ClusterImagePolicy
- spec:
- scopes:
- - example.com
- policy:
- rootOfTrust:
- policyType: PKI
- pki:
- caRootsData: Zm9vIGJhcg==
- pkiCertificateSubject:
- email: test-user@example.com
- expected: |
- apiVersion: config.openshift.io/v1alpha1
- kind: ClusterImagePolicy
- spec:
- scopes:
- - example.com
- policy:
- rootOfTrust:
- policyType: PKI
- pki:
- caRootsData: Zm9vIGJhcg==
- pkiCertificateSubject:
- email: test-user@example.com
+
diff --git a/config/v1alpha1/tests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml b/config/v1alpha1/tests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml
index f27de891e49..2f096afaf91 100644
--- a/config/v1alpha1/tests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml
+++ b/config/v1alpha1/tests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml
@@ -450,30 +450,4 @@ tests:
 policyType: PublicKey
 publicKey:
 keyData: Zm9vIGJhcg==
- - name: Should be able to create a minimal ImagePolicy with policyType PKI
- initial: |
- apiVersion: config.openshift.io/v1alpha1
- kind: ImagePolicy
- spec:
- scopes:
- - example.com
- policy:
- rootOfTrust:
- policyType: PKI
- pki:
- caRootsData: Zm9vIGJhcg==
- pkiCertificateSubject:
- email: test-user@example.com
- expected: |
- apiVersion: config.openshift.io/v1alpha1
- kind: ImagePolicy
- spec:
- scopes:
- - example.com
- policy:
- rootOfTrust:
- policyType: PKI
- pki:
- caRootsData: Zm9vIGJhcg==
- pkiCertificateSubject:
- email: test-user@example.com
+
diff --git a/config/v1alpha1/types_image_policy.go b/config/v1alpha1/types_image_policy.go
index 73d6470c7aa..61cf5c1de60 100644
--- a/config/v1alpha1/types_image_policy.go
+++ b/config/v1alpha1/types_image_policy.go
@@ -73,6 +73,7 @@ type Policy struct {
 // +union
 // +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'PublicKey' ? has(self.publicKey) : !has(self.publicKey)",message="publicKey is required when policyType is PublicKey, and forbidden otherwise"
 // +kubebuilder:validation:XValidation:rule="has(self.policyType) && self.policyType == 'FulcioCAWithRekor' ? has(self.fulcioCAWithRekor) : !has(self.fulcioCAWithRekor)",message="fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=SigstoreImageVerificationPKI,rule="has(self.policyType) && self.policyType == 'PKI' ? has(self.pki) : !has(self.pki)",message="pki is required when policyType is PKI, and forbidden otherwise"
 type PolicyRootOfTrust struct {
 // policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust.
 // "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification.
@@ -95,7 +96,8 @@ type PolicyRootOfTrust struct {
 PKI *PKI `json:"pki,omitempty"`
 }
 
-// +kubebuilder:validation:Enum=PublicKey;FulcioCAWithRekor;PKI
+// +openshift:validation:FeatureGateAwareEnum:featureGate=SigstoreImageVerification,enum=PublicKey;FulcioCAWithRekor
+// +openshift:validation:FeatureGateAwareEnum:featureGate=SigstoreImageVerificationPKI,enum=PublicKey;FulcioCAWithRekor;PKI
 type PolicyType string
 
 const (
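Review bot: The new `pki` union rule in the first hunk is only emitted when SigstoreImageVerificationPKI is enabled, so on a cluster with only SigstoreImageVerification on, nothing from this marker enforces the `!has(self.pki)` half of the invariant; that is only safe if the `PKI *PKI` field visible at the top of the second hunk is itself gated with `+openshift:enable:FeatureGate=SigstoreImageVerificationPKI`, which is outside the visible lines and worth confirming, because an ungated `pki` block sent alongside `policyType: PublicKey` would then be accepted by the API server with no rule rejecting it. The `policyType` doc comment, which continues past the end of the hunk, should also name the gate for the new value, e.g. `// "PKI" is accepted only when the SigstoreImageVerificationPKI feature gate is enabled.` The two FeatureGateAwareEnum markers in the second hunk carry overlapping value sets; presumably the generator unions them when both gates are on, but the CustomNoUpgrade manifests in this commit do not show the enum block, so that is worth checking in the regenerated output. `PolicyRootOfTrust` starts in the first hunk and closes in the second.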
@@ -169,16 +171,16 @@ type PKI struct {
 }
 
 // PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued.
-// +kubebuilder:validation:XValidation:rule="has(self.email) || has(self.hostname)", message="at least one of email or hostname must be set in pkiCertificateSubject"
+// +kubebuilder:validation:XValidation:rule="(has(self.email) && self.email != '') || (has(self.hostname) && self.hostname != '')", message="at least one of email or hostname must be set in pkiCertificateSubject"
 // +openshift:enable:FeatureGate=SigstoreImageVerificationPKI
 type PKICertificateSubject struct {
 // email specifies the expected email address imposed on the subject to which the certificate was issued.
 // +optional
-// +kubebuilder:validation:XValidation:rule=`self.matches('^\\S+@\\S+$')`,message="invalid email address in pkiCertificateSubject"
+// +kubebuilder:validation:XValidation:rule=`self != '' ? self.matches('^\\S+@\\S+$') : true`,message="invalid email address in pkiCertificateSubject"
 Email string `json:"email,omitempty"`
-// Hostname specifies the expected hostname imposed on the subject to which the certificate was issued.
+// hostname specifies the expected hostname imposed on the subject to which the certificate was issued.
 // +optional
-// +kubebuilder:validation:XValidation:rule=`self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$')`,message="invalid hostname in pkiCertificateSubject"
+// +kubebuilder:validation:XValidation:rule=`self != '' ? self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$') : true`,message="invalid hostname in pkiCertificateSubject"
 Hostname string `json:"hostname,omitempty"`
 }
 
diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml
index 30d41a09e85..41d3cf718b6 100644
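Review bot: The three relaxed rules in this hunk now treat an empty `email` or `hostname` as unset, but neither field comment says so, and nothing in the commit exercises the new behaviour: the PKI create tests were deleted from both SigstoreImageVerification test files and the diffstat shows no test file added under the SigstoreImageVerificationPKI gate, so `email: ""` with a valid hostname, both fields empty, and an empty string as the only subject field are all untested. Add `// An empty string is treated as unset.` to both the `email` and `hostname` comments, and add cases for those inputs, with the both-empty case expected to fail with the existing "at least one of email or hostname must be set" message. Because both fields carry `omitempty`, an empty value is presumably dropped when the object is persisted, which is consistent with the new rules, but a reader of the CEL should not have to derive that from the struct tags. `type PKI struct` from the header line closes at the hunk's first `}`; `PKICertificateSubject` is fully contained in the hunk.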
--- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml @@ -133,20 +133,23 @@ spec: type: string x-kubernetes-validations: - message: invalid email address in pkiCertificateSubject - rule: self.matches('^\\S+@\\S+$') + rule: 'self != '''' ? self.matches(''^\\S+@\\S+$'') + : true' hostname: - description: Hostname specifies the expected hostname + description: hostname specifies the expected hostname imposed on the subject to which the certificate was issued. type: string x-kubernetes-validations: - message: invalid hostname in pkiCertificateSubject - rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$') + rule: 'self != '''' ? self.matches(''^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$'') + : true' type: object x-kubernetes-validations: - message: at least one of email or hostname must be set in pkiCertificateSubject - rule: has(self.email) || has(self.hostname) + rule: (has(self.email) && self.email != '') || (has(self.hostname) + && self.hostname != '') required: - caRootsData - pkiCertificateSubject @@ -187,6 +190,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml index 27268d207db..cd64762fbe3 100644 
--- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml @@ -133,20 +133,23 @@ spec: type: string x-kubernetes-validations: - message: invalid email address in pkiCertificateSubject - rule: self.matches('^\\S+@\\S+$') + rule: 'self != '''' ? self.matches(''^\\S+@\\S+$'') + : true' hostname: - description: Hostname specifies the expected hostname + description: hostname specifies the expected hostname imposed on the subject to which the certificate was issued. type: string x-kubernetes-validations: - message: invalid hostname in pkiCertificateSubject - rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$') + rule: 'self != '''' ? self.matches(''^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$'') + : true' type: object x-kubernetes-validations: - message: at least one of email or hostname must be set in pkiCertificateSubject - rule: has(self.email) || has(self.hostname) + rule: (has(self.email) && self.email != '') || (has(self.hostname) + && self.hostname != '') required: - caRootsData - pkiCertificateSubject @@ -187,6 +190,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml index 727efc92f3d..5b741d16ec6 100644 
--- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml @@ -111,7 +111,6 @@ spec: enum: - PublicKey - FulcioCAWithRekor - - PKI type: string publicKey: description: publicKey defines the root of trust based on diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml index 955771035ef..694a4ae80d9 100644 --- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml @@ -133,20 +133,23 @@ spec: type: string x-kubernetes-validations: - message: invalid email address in pkiCertificateSubject - rule: self.matches('^\\S+@\\S+$') + rule: 'self != '''' ? self.matches(''^\\S+@\\S+$'') + : true' hostname: - description: Hostname specifies the expected hostname + description: hostname specifies the expected hostname imposed on the subject to which the certificate was issued. type: string x-kubernetes-validations: - message: invalid hostname in pkiCertificateSubject - rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$') + rule: 'self != '''' ? self.matches(''^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$'') + : true' type: object x-kubernetes-validations: - message: at least one of email or hostname must be set in pkiCertificateSubject - rule: has(self.email) || has(self.hostname) + rule: (has(self.email) && self.email != '') || (has(self.hostname) + && self.hostname != '') required: - caRootsData - pkiCertificateSubject 
@@ -187,6 +190,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml index fcfddacb9e0..91fcdb2c614 100644 --- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml @@ -133,20 +133,23 @@ spec: type: string x-kubernetes-validations: - message: invalid email address in pkiCertificateSubject - rule: self.matches('^\\S+@\\S+$') + rule: 'self != '''' ? self.matches(''^\\S+@\\S+$'') + : true' hostname: - description: Hostname specifies the expected hostname + description: hostname specifies the expected hostname imposed on the subject to which the certificate was issued. type: string x-kubernetes-validations: - message: invalid hostname in pkiCertificateSubject - rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$') + rule: 'self != '''' ? self.matches(''^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$'') + : true' type: object x-kubernetes-validations: - message: at least one of email or hostname must be set in pkiCertificateSubject - rule: has(self.email) || has(self.hostname) + rule: (has(self.email) && self.email != '') || (has(self.hostname) + && self.hostname != '') required: - caRootsData - pkiCertificateSubject 
@@ -187,6 +190,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml index 8da264ed7f1..7534d8b5307 100644 --- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml @@ -111,7 +111,6 @@ spec: enum: - PublicKey - FulcioCAWithRekor - - PKI type: string publicKey: description: publicKey defines the root of trust based on diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml index 313a7c19bb3..b345146042f 100644 --- a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml +++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerification.yaml @@ -111,7 +111,6 @@ spec: enum: - PublicKey - FulcioCAWithRekor - - PKI type: string publicKey: description: publicKey defines the root of trust based on 
diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml index 49d16eada24..57cc42409f5 100644 --- a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml +++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clusterimagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml @@ -133,20 +133,23 @@ spec: type: string x-kubernetes-validations: - message: invalid email address in pkiCertificateSubject - rule: self.matches('^\\S+@\\S+$') + rule: 'self != '''' ? self.matches(''^\\S+@\\S+$'') + : true' hostname: - description: Hostname specifies the expected hostname + description: hostname specifies the expected hostname imposed on the subject to which the certificate was issued. type: string x-kubernetes-validations: - message: invalid hostname in pkiCertificateSubject - rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$') + rule: 'self != '''' ? self.matches(''^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$'') + : true' type: object x-kubernetes-validations: - message: at least one of email or hostname must be set in pkiCertificateSubject - rule: has(self.email) || has(self.hostname) + rule: (has(self.email) && self.email != '') || (has(self.hostname) + && self.hostname != '') required: - caRootsData - pkiCertificateSubject @@ -187,6 +190,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' 
diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml index d0747f8c231..008fea2e3e6 100644 --- a/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml +++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerification.yaml @@ -111,7 +111,6 @@ spec: enum: - PublicKey - FulcioCAWithRekor - - PKI type: string publicKey: description: publicKey defines the root of trust based on diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml index e9103f6fab6..dbc20e42230 100644 --- a/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml +++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests/imagepolicies.config.openshift.io/SigstoreImageVerificationPKI.yaml 
@@ -133,20 +133,23 @@ spec: type: string x-kubernetes-validations: - message: invalid email address in pkiCertificateSubject - rule: self.matches('^\\S+@\\S+$') + rule: 'self != '''' ? self.matches(''^\\S+@\\S+$'') + : true' hostname: - description: Hostname specifies the expected hostname + description: hostname specifies the expected hostname imposed on the subject to which the certificate was issued. type: string x-kubernetes-validations: - message: invalid hostname in pkiCertificateSubject - rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$') + rule: 'self != '''' ? self.matches(''^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$'') + : true' type: object x-kubernetes-validations: - message: at least one of email or hostname must be set in pkiCertificateSubject - rule: has(self.email) || has(self.hostname) + rule: (has(self.email) && self.email != '') || (has(self.hostname) + && self.hostname != '') required: - caRootsData - pkiCertificateSubject @@ -187,6 +190,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' diff --git a/config/v1alpha1/zz_generated.swagger_doc_generated.go b/config/v1alpha1/zz_generated.swagger_doc_generated.go index 7abd41eb89d..bed71d20f95 100644 --- a/config/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/config/v1alpha1/zz_generated.swagger_doc_generated.go 
@@ -181,7 +181,7 @@ func (PKI) SwaggerDoc() map[string]string { var map_PKICertificateSubject = map[string]string{ "": "PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", "email": "email specifies the expected email address imposed on the subject to which the certificate was issued.", - "hostname": "Hostname specifies the expected hostname imposed on the subject to which the certificate was issued.", + "hostname": "hostname specifies the expected hostname imposed on the subject to which the certificate was issued.", } func (PKICertificateSubject) SwaggerDoc() map[string]string { diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index 84aabd75ffa..cc1caa3b6b2 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -20787,7 +20787,7 @@ func schema_openshift_api_config_v1alpha1_PKICertificateSubject(ref common.Refer }, "hostname": { SchemaProps: spec.SchemaProps{ - Description: "Hostname specifies the expected hostname imposed on the subject to which the certificate was issued.", + Description: "hostname specifies the expected hostname imposed on the subject to which the certificate was issued.", Type: []string{"string"}, Format: "", }, diff --git a/openapi/openapi.json b/openapi/openapi.json index 795be5a3a0e..65633b34eb1 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json @@ -11324,7 +11324,7 @@ "type": "string" }, "hostname": { - "description": "Hostname specifies the expected hostname imposed on the subject to which the certificate was issued.", + "description": "hostname specifies the expected hostname imposed on the subject to which the certificate was issued.", "type": "string" } } 
diff --git a/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml index 30d41a09e85..41d3cf718b6 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-CustomNoUpgrade.crd.yaml @@ -133,20 +133,23 @@ spec: type: string x-kubernetes-validations: - message: invalid email address in pkiCertificateSubject - rule: self.matches('^\\S+@\\S+$') + rule: 'self != '''' ? self.matches(''^\\S+@\\S+$'') + : true' hostname: - description: Hostname specifies the expected hostname + description: hostname specifies the expected hostname imposed on the subject to which the certificate was issued. type: string x-kubernetes-validations: - message: invalid hostname in pkiCertificateSubject - rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$') + rule: 'self != '''' ? self.matches(''^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$'') + : true' type: object x-kubernetes-validations: - message: at least one of email or hostname must be set in pkiCertificateSubject - rule: has(self.email) || has(self.hostname) + rule: (has(self.email) && self.email != '') || (has(self.hostname) + && self.hostname != '') required: - caRootsData - pkiCertificateSubject @@ -187,6 +190,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' 
diff --git a/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml index 27268d207db..cd64762fbe3 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-DevPreviewNoUpgrade.crd.yaml @@ -133,20 +133,23 @@ spec: type: string x-kubernetes-validations: - message: invalid email address in pkiCertificateSubject - rule: self.matches('^\\S+@\\S+$') + rule: 'self != '''' ? self.matches(''^\\S+@\\S+$'') + : true' hostname: - description: Hostname specifies the expected hostname + description: hostname specifies the expected hostname imposed on the subject to which the certificate was issued. type: string x-kubernetes-validations: - message: invalid hostname in pkiCertificateSubject - rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$') + rule: 'self != '''' ? self.matches(''^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$'') + : true' type: object x-kubernetes-validations: - message: at least one of email or hostname must be set in pkiCertificateSubject - rule: has(self.email) || has(self.hostname) + rule: (has(self.email) && self.email != '') || (has(self.hostname) + && self.hostname != '') required: - caRootsData - pkiCertificateSubject @@ -187,6 +190,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' 
diff --git a/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml index 727efc92f3d..5b741d16ec6 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml @@ -111,7 +111,6 @@ spec: enum: - PublicKey - FulcioCAWithRekor - - PKI type: string publicKey: description: publicKey defines the root of trust based on diff --git a/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml index 955771035ef..694a4ae80d9 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-CustomNoUpgrade.crd.yaml 
@@ -133,20 +133,23 @@ spec: type: string x-kubernetes-validations: - message: invalid email address in pkiCertificateSubject - rule: self.matches('^\\S+@\\S+$') + rule: 'self != '''' ? self.matches(''^\\S+@\\S+$'') + : true' hostname: - description: Hostname specifies the expected hostname + description: hostname specifies the expected hostname imposed on the subject to which the certificate was issued. type: string x-kubernetes-validations: - message: invalid hostname in pkiCertificateSubject - rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$') + rule: 'self != '''' ? self.matches(''^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$'') + : true' type: object x-kubernetes-validations: - message: at least one of email or hostname must be set in pkiCertificateSubject - rule: has(self.email) || has(self.hostname) + rule: (has(self.email) && self.email != '') || (has(self.hostname) + && self.hostname != '') required: - caRootsData - pkiCertificateSubject @@ -187,6 +190,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' diff --git a/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml index fcfddacb9e0..91fcdb2c614 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-DevPreviewNoUpgrade.crd.yaml 
@@ -133,20 +133,23 @@ spec: type: string x-kubernetes-validations: - message: invalid email address in pkiCertificateSubject - rule: self.matches('^\\S+@\\S+$') + rule: 'self != '''' ? self.matches(''^\\S+@\\S+$'') + : true' hostname: - description: Hostname specifies the expected hostname + description: hostname specifies the expected hostname imposed on the subject to which the certificate was issued. type: string x-kubernetes-validations: - message: invalid hostname in pkiCertificateSubject - rule: self.matches('^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$') + rule: 'self != '''' ? self.matches(''^(\\*\\.)?([a-zA-Z0-9-]+\\.)*[a-zA-Z0-9-]+\\.[a-zA-Z]{2,}$'') + : true' type: object x-kubernetes-validations: - message: at least one of email or hostname must be set in pkiCertificateSubject - rule: has(self.email) || has(self.hostname) + rule: (has(self.email) && self.email != '') || (has(self.hostname) + && self.hostname != '') required: - caRootsData - pkiCertificateSubject @@ -187,6 +190,10 @@ spec: - policyType type: object x-kubernetes-validations: + - message: pki is required when policyType is PKI, and forbidden + otherwise + rule: 'has(self.policyType) && self.policyType == ''PKI'' ? + has(self.pki) : !has(self.pki)' - message: publicKey is required when policyType is PublicKey, and forbidden otherwise rule: 'has(self.policyType) && self.policyType == ''PublicKey'' diff --git a/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml index 8da264ed7f1..7534d8b5307 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml 
@@ -111,7 +111,6 @@ spec: enum: - PublicKey - FulcioCAWithRekor - - PKI type: string publicKey: description: publicKey defines the root of trust based on