
Source file src/github.com/fluxcd/source-controller/api/v1/ociverification_types.go


     1  /*
     2  Copyright 2024 The Flux authors
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package v1
    18  
    19  import (
    20  	"github.com/fluxcd/pkg/apis/meta"
    21  )
    22  
// OCIRepositoryVerification verifies the authenticity of an OCI Artifact
//
// It names the signature technology (Provider) and the trust material the
// verification is checked against: a Secret holding trusted public keys
// (SecretRef) and/or identity matchers for keyless signing
// (MatchOIDCIdentity). The type itself carries no defaults beyond the
// Provider marker below; what is enforced when neither SecretRef nor
// MatchOIDCIdentity is set is decided by the controller, not by this type.
type OCIRepositoryVerification struct {
	// Provider specifies the technology used to sign the OCI Artifact.
	// Validation restricts the value to the two listed providers and
	// defaults it to cosign when unset.
	// +kubebuilder:validation:Enum=cosign;notation
	// +kubebuilder:default:=cosign
	Provider string `json:"provider"`

	// SecretRef specifies the Kubernetes Secret containing the
	// trusted public keys.
	// The Secret is referenced by name only (meta.LocalObjectReference), so
	// it is expected in the same namespace as the referencing object.
	// NOTE(review): the expected keys/format inside the Secret are
	// provider-specific and not described by this type — confirm against the
	// controller before documenting them here.
	// +optional
	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`

	// MatchOIDCIdentity specifies the identity matching criteria to use
	// while verifying an OCI artifact which was signed using Cosign keyless
	// signing. The artifact's identity is deemed to be verified if any of the
	// specified matchers match against the identity.
	// Matchers are OR-ed: one matching entry is sufficient, so every entry in
	// the list should be as narrow as the signing identity allows.
	// NOTE(review): presumably only consulted when Provider is cosign and the
	// artifact carries a keyless signature — confirm against the controller.
	// +optional
	MatchOIDCIdentity []OIDCIdentityMatch `json:"matchOIDCIdentity,omitempty"`
}
    42  
// OIDCIdentityMatch specifies options for verifying the certificate identity,
// i.e. the issuer and the subject of the certificate.
//
// Both fields are required, so one matcher constrains issuer and subject
// together. The patterns are stored verbatim; this type does not anchor or
// escape them. Go regular expressions match anywhere in the input unless the
// pattern is anchored, so unless the controller anchors the pattern itself, a
// pattern that merely names a host or a path prefix also matches any identity
// that contains it as a substring. Anchor with `^` and `$` and escape literal
// dots to pin the identity exactly.
type OIDCIdentityMatch struct {
	// Issuer specifies the regex pattern to match against to verify
	// the OIDC issuer in the Fulcio certificate. The pattern must be a
	// valid Go regular expression.
	// Prefer an anchored, fully escaped pattern that names exactly one
	// issuer URL.
	// +required
	Issuer string `json:"issuer"`
	// Subject specifies the regex pattern to match against to verify
	// the identity subject in the Fulcio certificate. The pattern must
	// be a valid Go regular expression.
	// Prefer an anchored pattern; a subject pattern without `^`/`$` accepts
	// any identity containing the expected string.
	// +required
	Subject string `json:"subject"`
}
    57  
