saschagrunert · May 16, 2023 08:17
diff --git a/api.go b/api.go
 package api

 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

 type ImagePolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 	Spec              ImagePolicySpec   `json:"spec"`
 	Status            ImagePolicyStatus `json:"status,omitempty"`
 }

 type ImagePolicySpec struct {
 	// Images holds images/repositories to be verified.
 	Images []Image `json:"images"`

 	// Policy defines the verification policy.
 	Policy Policy `json:"policy"`
 }

 // Image defines the list of images assinged to a policy. For more information
 // about the format, see the document about the location field:
 // https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker
 type Image string

 type Policy struct {
 	// KeyData contains inline base64 data of the public key. Can be empty if
 	// the image got signed keyless.
 	KeyData string `json:"keyData,omitempty"`

 	// OIDCIssuer contains the expected OIDC issuer.
 	// Example: "https://expected.OIDC.issuer/"
 	OIDCIssuer string `json:"oidcIssuer,omitempty"`

 	// SubjectEmail holds the email address of the subject.
 	// Example: "[email protected]"
 	SubjectEmail string `json:"subjectEmail,omitempty"`

 	// SignedIdentity specifies what image identity the signature claims about
 	// the image.
 	SignedIdentity Identity `json:"signedIdentity,omitempty"`

 	// FulcioCAData contains inline base64 data for the fulcio CA certificate.
 	// Defaults to the base64 encoded contents of:
 	// https://raw.githubusercontent.com/sigstore/root-signing/main/targets/fulcio_v1.crt.pem
 	FulcioCAData string `json:"fulcioCAData,omitempty"`

 	// RekorKeyData contains inline base64 data of the rekor public key.
 	// Defaults to the base64 encoded contents of:
 	// https://raw.githubusercontent.com/sigstore/root-signing/main/targets/rekor.pub
 	RekorKeyData string `json:"rekorKeyData,omitempty"`
 }

 type Identity struct {
 	IdentityMatchPolicy IdentityMatchPolicy `json:"identityMatchPolicy,omitempty"`
 	Prefix              string              `json:"prefix,omitempty"`
 	SignedPrefix        string              `json:"signedPrefix,omitempty"`
 }

 type ImagePolicyStatus struct {
 	// TODO: DO we need conditions?
 	// Conditions []Condition `json:"conditions,omitempty"`

 	// PolicyJSON contains the whole policy applied to the namespace which got
 	// written to disk. This includes cluster-wide policies from the
 	// `openshift-config` namespace as well.
 	PolicyJSON string `json:"policyJSON,omitempty"`
 }
	package api

	import (
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	)

	type ImagePolicy struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	Spec ImagePolicySpec `json:"spec"`
	Status ImagePolicyStatus `json:"status,omitempty"`
	}

	type ImagePolicySpec struct {
	// Images holds images/repositories to be verified.
	Images []Image `json:"images"`

	// Policy defines the verification policy.
	Policy Policy `json:"policy"`
	}

	// Image defines the list of images assinged to a policy. For more information
	// about the format, see the document about the location field:
	// https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker
	type Image string

	type Policy struct {
	// KeyData contains inline base64 data of the public key. Can be empty if
	// the image got signed keyless.
	KeyData string `json:"keyData,omitempty"`

	// OIDCIssuer contains the expected OIDC issuer.
	// Example: "https://expected.OIDC.issuer/"
	OIDCIssuer string `json:"oidcIssuer,omitempty"`

	// SubjectEmail holds the email address of the subject.
	// Example: "[email protected]"
	SubjectEmail string `json:"subjectEmail,omitempty"`

	// SignedIdentity specifies what image identity the signature claims about
	// the image.
	SignedIdentity Identity `json:"signedIdentity,omitempty"`

	// FulcioCAData contains inline base64 data for the fulcio CA certificate.
	// Defaults to the base64 encoded contents of:
	// https://raw.githubusercontent.com/sigstore/root-signing/main/targets/fulcio_v1.crt.pem
	FulcioCAData string `json:"fulcioCAData,omitempty"`

	// RekorKeyData contains inline base64 data of the rekor public key.
	// Defaults to the base64 encoded contents of:
	// https://raw.githubusercontent.com/sigstore/root-signing/main/targets/rekor.pub
	RekorKeyData string `json:"rekorKeyData,omitempty"`
	}

	type Identity struct {
	IdentityMatchPolicy IdentityMatchPolicy `json:"identityMatchPolicy,omitempty"`
	Prefix string `json:"prefix,omitempty"`
	SignedPrefix string `json:"signedPrefix,omitempty"`
	}

	type ImagePolicyStatus struct {
	// TODO: DO we need conditions?
	// Conditions []Condition `json:"conditions,omitempty"`

	// PolicyJSON contains the whole policy applied to the namespace which got
	// written to disk. This includes cluster-wide policies from the
	// `openshift-config` namespace as well.
	PolicyJSON string `json:"policyJSON,omitempty"`
	}