Fix 1608, 1613 (#1617)

Signed-off-by: Ville Aikas <[email protected]>

Author: vaikas

config/300-clusterimagepolicy.yaml

@@ -46,8 +46,6 @@ spec:
                     properties:
                       ctlog:
                         type: object
-                        required:
-                          - url
                         properties:
                           url:
                             type: string
@@ -72,7 +70,7 @@ spec:
                       keyless:
                         type: object
                         properties:
-                          ca-key:
+                          ca-cert:
                             type: object
                             properties:
                               data:

pkg/apis/config/image_policies_test.go

@@ -72,9 +72,9 @@ func TestGetAuthorities(t *testing.T) {
 	if len(c) == 0 {
 		t.Error("Wanted a config, got none.")
 	}
-	want = "cakey chilling here"
-	if got := c[0].Keyless.CAKey.Data; got != want {
-		t.Errorf("Did not get what I wanted %q, got %+v", want, c[0].Keyless.CAKey.Data)
+	want = "cacert chilling here"
+	if got := c[0].Keyless.CACert.Data; got != want {
+		t.Errorf("Did not get what I wanted %q, got %+v", want, c[0].Keyless.CACert.Data)
 	}
 	want = "issuer"
 	if got := c[0].Keyless.Identities[0].Issuer; got != want {

pkg/apis/config/testdata/config-image-policies.yaml

@@ -46,8 +46,8 @@ data:
       - glob: rando3
       authorities:
       - keyless:
-          ca-key:
-            data: cakey chilling here
+          ca-cert:
+            data: cacert chilling here
           url: http://keylessurl.here
           identities:
           - issuer: issuer

pkg/apis/cosigned/v1alpha1/clusterimagepolicy_types.go

@@ -60,8 +60,10 @@ type ClusterImagePolicySpec struct {
 // If multiple patterns match a particular image, then ALL of
 // those authorities must be satisfied for the image to be admitted.
 type ImagePattern struct {
-	Glob  string `json:"glob"`
-	Regex string `json:"regex"`
+	// +optional
+	Glob string `json:"glob,omitempty"`
+	// +optional
+	Regex string `json:"regex,omitempty"`
 }
 
 // The authorities block defines the rules for discovering and
@@ -99,12 +101,14 @@ type KeyRef struct {
 
 // Source specifies the location of the signature
 type Source struct {
-	OCI string `json:"oci"`
+	// +optional
+	OCI string `json:"oci,omitempty"`
 }
 
 // TLog specifies the URL to a transparency log that holds
 // the signature and public key information
 type TLog struct {
+	// +optional
 	URL *apis.URL `json:"url,omitempty"`
 }
 
@@ -117,14 +121,16 @@ type KeylessRef struct {
 	// +optional
 	Identities []Identity `json:"identities,omitempty"`
 	// +optional
-	CAKey *KeyRef `json:"ca-key,omitempty"`
+	CACert *KeyRef `json:"ca-cert,omitempty"`
 }
 
-// Identity may contain the issue and/or the subject found in the transparency log.
+// Identity may contain the issuer and/or the subject found in the transparency log.
 // Either field supports a pattern glob.
 type Identity struct {
-	Issuer  string `json:"issuer"`
-	Subject string `json:"subject"`
+	// +optional
+	Issuer string `json:"issuer,omitempty"`
+	// +optional
+	Subject string `json:"subject,omitempty"`
 }
 
 // ClusterImagePolicyList is a list of ClusterImagePolicy resources

pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation.go

@@ -108,16 +108,16 @@ func (key *KeyRef) Validate(ctx context.Context) *apis.FieldError {
 
 func (keyless *KeylessRef) Validate(ctx context.Context) *apis.FieldError {
 	var errs *apis.FieldError
-	if keyless.URL == nil && keyless.Identities == nil && keyless.CAKey == nil {
-		errs = errs.Also(apis.ErrMissingOneOf("url", "identities", "ca-key"))
+	if keyless.URL == nil && keyless.Identities == nil && keyless.CACert == nil {
+		errs = errs.Also(apis.ErrMissingOneOf("url", "identities", "ca-cert"))
 	}
 
 	if keyless.URL != nil {
-		if keyless.CAKey != nil || keyless.Identities != nil {
-			errs = errs.Also(apis.ErrMultipleOneOf("url", "identities", "ca-key"))
+		if keyless.CACert != nil || keyless.Identities != nil {
+			errs = errs.Also(apis.ErrMultipleOneOf("url", "identities", "ca-cert"))
 		}
-	} else if keyless.CAKey != nil && keyless.Identities != nil {
-		errs = errs.Also(apis.ErrMultipleOneOf("url", "identities", "ca-key"))
+	} else if keyless.CACert != nil && keyless.Identities != nil {
+		errs = errs.Also(apis.ErrMultipleOneOf("url", "identities", "ca-cert"))
 	}
 
 	if keyless.Identities != nil && len(keyless.Identities) == 0 {

pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation_test.go

@@ -281,7 +281,7 @@ func TestKeylessValidation(t *testing.T) {
 								URL: &apis.URL{
 									Host: "myhost",
 								},
-								CAKey: &KeyRef{
+								CACert: &KeyRef{
 									Data: "---certificate---",
 								},
 							},

pkg/apis/cosigned/v1alpha1/zz_generated.deepcopy.go

@@ -134,10 +134,10 @@ func (r *Reconciler) inlineSecrets(ctx context.Context, cip *v1alpha1.ClusterIma
 				return nil, err
 			}
 		}
-		if authority.Keyless != nil && authority.Keyless.CAKey != nil &&
-			authority.Keyless.CAKey.SecretRef != nil {
-			if err := r.inlineAndTrackSecret(ctx, ret, authority.Keyless.CAKey); err != nil {
-				logging.FromContext(ctx).Errorf("Failed to read secret %q: %v", authority.Keyless.CAKey.SecretRef.Name, err)
+		if authority.Keyless != nil && authority.Keyless.CACert != nil &&
+			authority.Keyless.CACert.SecretRef != nil {
+			if err := r.inlineAndTrackSecret(ctx, ret, authority.Keyless.CACert); err != nil {
+				logging.FromContext(ctx).Errorf("Failed to read secret %q: %v", authority.Keyless.CACert.SecretRef.Name, err)
 				return nil, err
 			}
 		}

pkg/reconciler/clusterimagepolicy/clusterimagepolicy.go

@@ -55,10 +55,10 @@ RCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==
 -----END PUBLIC KEY-----`
 
 	// This is the patch for replacing a single entry in the ConfigMap
-	replaceCIPPatch = `[{"op":"replace","path":"/data/test-cip","value":"{\"images\":[{\"glob\":\"ghcr.io/example/*\",\"regex\":\"\"}],\"authorities\":[{\"key\":{\"data\":\"-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\n-----END PUBLIC KEY-----\"}}]}"}]`
+	replaceCIPPatch = `[{"op":"replace","path":"/data/test-cip","value":"{\"images\":[{\"glob\":\"ghcr.io/example/*\"}],\"authorities\":[{\"key\":{\"data\":\"-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\n-----END PUBLIC KEY-----\"}}]}"}]`
 
 	// This is the patch for adding an entry for non-existing KMS for cipName2
-	addCIP2Patch = `[{"op":"add","path":"/data/test-cip-2","value":"{\"images\":[{\"glob\":\"ghcr.io/example/*\",\"regex\":\"\"}],\"authorities\":[{\"key\":{\"data\":\"azure-kms://foo/bar\"}}]}"}]`
+	addCIP2Patch = `[{"op":"add","path":"/data/test-cip-2","value":"{\"images\":[{\"glob\":\"ghcr.io/example/*\"}],\"authorities\":[{\"key\":{\"data\":\"azure-kms://foo/bar\"}}]}"}]`
 
 	// This is the patch for removing the last entry, leaving just the
 	// configmap objectmeta, no data.
@@ -73,10 +73,10 @@ RCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==
 	removeSingleEntryKeylessPatch = `[{"op":"remove","path":"/data/test-cip-2"}]`
 
 	// This is the patch for inlined secret for key ref data
-	inlinedSecretKeyPatch = `[{"op":"replace","path":"/data/test-cip","value":"{\"images\":[{\"glob\":\"ghcr.io/example/*\",\"regex\":\"\"}],\"authorities\":[{\"key\":{\"data\":\"-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\n-----END PUBLIC KEY-----\"}}]}"}]`
+	inlinedSecretKeyPatch = `[{"op":"replace","path":"/data/test-cip","value":"{\"images\":[{\"glob\":\"ghcr.io/example/*\"}],\"authorities\":[{\"key\":{\"data\":\"-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\n-----END PUBLIC KEY-----\"}}]}"}]`
 
 	// This is the patch for inlined secret for keyless cakey ref data
-	inlinedSecretKeylessPatch = `[{"op":"replace","path":"/data/test-cip-2","value":"{\"images\":[{\"glob\":\"ghcr.io/example/*\",\"regex\":\"\"}],\"authorities\":[{\"keyless\":{\"ca-key\":{\"data\":\"-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\n-----END PUBLIC KEY-----\"}}}]}"}]`
+	inlinedSecretKeylessPatch = `[{"op":"replace","path":"/data/test-cip-2","value":"{\"images\":[{\"glob\":\"ghcr.io/example/*\"}],\"authorities\":[{\"keyless\":{\"ca-cert\":{\"data\":\"-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\n-----END PUBLIC KEY-----\"}}}]}"}]`
 )
 
 func TestReconcile(t *testing.T) {
@@ -324,7 +324,7 @@ func TestReconcile(t *testing.T) {
 				}),
 				WithAuthority(v1alpha1.Authority{
 					Keyless: &v1alpha1.KeylessRef{
-						CAKey: &v1alpha1.KeyRef{
+						CACert: &v1alpha1.KeyRef{
 							SecretRef: &corev1.SecretReference{
 								Name: keylessSecretName,
 							},
@@ -481,7 +481,7 @@ func TestReconcile(t *testing.T) {
 				}),
 				WithAuthority(v1alpha1.Authority{
 					Keyless: &v1alpha1.KeylessRef{
-						CAKey: &v1alpha1.KeyRef{
+						CACert: &v1alpha1.KeyRef{
 							SecretRef: &corev1.SecretReference{
 								Name: keylessSecretName,
 							}},
@@ -544,7 +544,7 @@ func makeConfigMap() *corev1.ConfigMap {
 			Name:      config.ImagePoliciesConfigName,
 		},
 		Data: map[string]string{
-			cipName: `{"images":[{"glob":"ghcr.io/example/*","regex":""}],"authorities":[{"key":{"data":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\n-----END PUBLIC KEY-----"}}]}`,
+			cipName: `{"images":[{"glob":"ghcr.io/example/*"}],"authorities":[{"key":{"data":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\n-----END PUBLIC KEY-----"}}]}`,
 		},
 	}
 }
@@ -557,7 +557,7 @@ func makeDifferentConfigMap() *corev1.ConfigMap {
 			Name:      config.ImagePoliciesConfigName,
 		},
 		Data: map[string]string{
-			cipName: `{"images":[{"glob":"ghcr.io/example/*","regex":""}],"authorities":[{"key":{"data":"-----BEGIN NOTPUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\n-----END NOTPUBLIC KEY-----"}}]}`,
+			cipName: `{"images":[{"glob":"ghcr.io/example/*"}],"authorities":[{"key":{"data":"-----BEGIN NOTPUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\n-----END NOTPUBLIC KEY-----"}}]}`,
 		},
 	}
 }
@@ -570,7 +570,7 @@ func makeConfigMapWithTwoEntries() *corev1.ConfigMap {
 			Name:      config.ImagePoliciesConfigName,
 		},
 		Data: map[string]string{
-			cipName:  `{"images":[{"glob":"ghcr.io/example/*","regex":""}],"authorities":[{"key":{"data":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\n-----END PUBLIC KEY-----"}}]}`,
+			cipName:  `{"images":[{"glob":"ghcr.io/example/*"}],"authorities":[{"key":{"data":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\n-----END PUBLIC KEY-----"}}]}`,
 			cipName2: "remove me please",
 		},
 	}
@@ -585,7 +585,7 @@ func makeConfigMapWithTwoEntriesNotPublicKeyFromSecret() *corev1.ConfigMap {
 			Name:      config.ImagePoliciesConfigName,
 		},
 		Data: map[string]string{
-			cipName:  `{"images":[{"glob":"ghcr.io/example/*","regex":""}],"authorities":[{"key":{"data":"NOT A REAL PUBLIC KEY"}}]}`,
+			cipName:  `{"images":[{"glob":"ghcr.io/example/*"}],"authorities":[{"key":{"data":"NOT A REAL PUBLIC KEY"}}]}`,
 			cipName2: "remove me please",
 		},
 	}

pkg/reconciler/clusterimagepolicy/clusterimagepolicy_test.go

@@ -21,9 +21,9 @@ spec:
   - glob: image*
   authorities:
   - keyless:
-      ca-key:
+      ca-cert:
         secretRef:
-          name: ca-key-secret
+          name: ca-cert-secret
           namespace: some-namespace
       identities:
       - issuer: "issue-details"

test/testdata/cosigned/invalid/keylessref-with-multiple-properties.yaml

@@ -22,9 +22,9 @@ spec:
   - glob: image*
   authorities:
   - keyless:
-      ca-key:
+      ca-cert:
         secretRef:
-          name: ca-key-secret
+          name: ca-cert-secret
           namespace: some-namespacemak
   - keyless:
       identities: