diff --git a/api/v1beta2/ocirepository_types.go b/api/v1beta2/ocirepository_types.go
index 97593442e..6dc05167c 100644
--- a/api/v1beta2/ocirepository_types.go
+++ b/api/v1beta2/ocirepository_types.go
@@ -191,25 +191,26 @@ type OCIRepositoryVerification struct {
// +optional
SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
- // CosignIdentityMatch specifies the identity matching criteria to use
+ // MatchOIDCIdentity specifies the identity matching criteria to use
// while verifying an OCI artifact which was signed using Cosign keyless
// signing.
- CosignIdentityMatch *CosignIdentityMatch `json:"cosignIdentityMatch,omitempty"`
+ // +optional
+ MatchOIDCIdentity *MatchOIDCIdentity `json:"matchOIDCIdentity,omitempty"`
}
-// CosignIdentityMatch specifies options for verifying the certificate identity,
+// MatchOIDCIdentity specifies options for verifying the certificate identity,
// i.e. the issuer and the subject of the certificate.
-type CosignIdentityMatch struct {
- // IssuerRegExp specifies the regex pattern to match against to verify
+type MatchOIDCIdentity struct {
+ // Issuer specifies the regex pattern to match against to verify
// the OIDC issuer in the Fulcio certificate. The pattern must be a
// valid Go regular expression.
// +optional
- IssuerRegExp string `json:"issuerRegExp,omitempty"`
- // SubjectRegExp specifies the regex pattern to match against to verify
+ Issuer string `json:"issuer,omitempty"`
+ // Subject specifies the regex pattern to match against to verify
// the identity in the Fulcio certificate. The pattern must be a
// valid Go regular expression.
// +optional
- SubjectRegExp string `json:"subjectRegExp,omitempty"`
+ Subject string `json:"subject,omitempty"`
}
// OCIRepositoryStatus defines the observed state of OCIRepository
diff --git a/api/v1beta2/zz_generated.deepcopy.go b/api/v1beta2/zz_generated.deepcopy.go
index 8b2e41dff..c69ee345e 100644
--- a/api/v1beta2/zz_generated.deepcopy.go
+++ b/api/v1beta2/zz_generated.deepcopy.go
@@ -185,21 +185,6 @@ func (in *BucketStatus) DeepCopy() *BucketStatus {
return out
}
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CosignIdentityMatch) DeepCopyInto(out *CosignIdentityMatch) {
- *out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CosignIdentityMatch.
-func (in *CosignIdentityMatch) DeepCopy() *CosignIdentityMatch {
- if in == nil {
- return nil
- }
- out := new(CosignIdentityMatch)
- in.DeepCopyInto(out)
- return out
-}
-
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitRepository) DeepCopyInto(out *GitRepository) {
*out = *in
@@ -663,6 +648,21 @@ func (in *LocalHelmChartSourceReference) DeepCopy() *LocalHelmChartSourceReferen
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *MatchOIDCIdentity) DeepCopyInto(out *MatchOIDCIdentity) {
+ *out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchOIDCIdentity.
+func (in *MatchOIDCIdentity) DeepCopy() *MatchOIDCIdentity {
+ if in == nil {
+ return nil
+ }
+ out := new(MatchOIDCIdentity)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *OCILayerSelector) DeepCopyInto(out *OCILayerSelector) {
*out = *in
@@ -849,9 +849,9 @@ func (in *OCIRepositoryVerification) DeepCopyInto(out *OCIRepositoryVerification
*out = new(meta.LocalObjectReference)
**out = **in
}
- if in.CosignIdentityMatch != nil {
- in, out := &in.CosignIdentityMatch, &out.CosignIdentityMatch
- *out = new(CosignIdentityMatch)
+ if in.MatchOIDCIdentity != nil {
+ in, out := &in.MatchOIDCIdentity, &out.MatchOIDCIdentity
+ *out = new(MatchOIDCIdentity)
**out = **in
}
}
diff --git a/config/crd/bases/source.toolkit.fluxcd.io_helmcharts.yaml b/config/crd/bases/source.toolkit.fluxcd.io_helmcharts.yaml
index 5e72ca06b..b0c9971dc 100644
--- a/config/crd/bases/source.toolkit.fluxcd.io_helmcharts.yaml
+++ b/config/crd/bases/source.toolkit.fluxcd.io_helmcharts.yaml
@@ -411,19 +411,19 @@ spec:
Chart dependencies, which are not bundled in the umbrella chart
artifact, are not verified.
properties:
- cosignIdentityMatch:
- description: CosignIdentityMatch specifies the identity matching
+ matchOIDCIdentity:
+ description: MatchOIDCIdentity specifies the identity matching
criteria to use while verifying an OCI artifact which was signed
using Cosign keyless signing.
properties:
- issuerRegExp:
- description: IssuerRegExp specifies the regex pattern to match
- against to verify the OIDC issuer in the Fulcio certificate.
- The pattern must be a valid Go regular expression.
+ issuer:
+ description: Issuer specifies the regex pattern to match against
+ to verify the OIDC issuer in the Fulcio certificate. The
+ pattern must be a valid Go regular expression.
type: string
- subjectRegExp:
- description: SubjectRegExp specifies the regex pattern to
- match against to verify the identity in the Fulcio certificate.
+ subject:
+ description: Subject specifies the regex pattern to match
+ against to verify the identity in the Fulcio certificate.
The pattern must be a valid Go regular expression.
type: string
type: object
diff --git a/config/crd/bases/source.toolkit.fluxcd.io_ocirepositories.yaml b/config/crd/bases/source.toolkit.fluxcd.io_ocirepositories.yaml
index 00f8f946d..d0675b466 100644
--- a/config/crd/bases/source.toolkit.fluxcd.io_ocirepositories.yaml
+++ b/config/crd/bases/source.toolkit.fluxcd.io_ocirepositories.yaml
@@ -164,19 +164,19 @@ spec:
public keys used to verify the signature and specifies which provider
to use to check whether OCI image is authentic.
properties:
- cosignIdentityMatch:
- description: CosignIdentityMatch specifies the identity matching
+ matchOIDCIdentity:
+ description: MatchOIDCIdentity specifies the identity matching
criteria to use while verifying an OCI artifact which was signed
using Cosign keyless signing.
properties:
- issuerRegExp:
- description: IssuerRegExp specifies the regex pattern to match
- against to verify the OIDC issuer in the Fulcio certificate.
- The pattern must be a valid Go regular expression.
+ issuer:
+ description: Issuer specifies the regex pattern to match against
+ to verify the OIDC issuer in the Fulcio certificate. The
+ pattern must be a valid Go regular expression.
type: string
- subjectRegExp:
- description: SubjectRegExp specifies the regex pattern to
- match against to verify the identity in the Fulcio certificate.
+ subject:
+ description: Subject specifies the regex pattern to match
+ against to verify the identity in the Fulcio certificate.
The pattern must be a valid Go regular expression.
type: string
type: object
diff --git a/docs/api/v1beta2/source.md b/docs/api/v1beta2/source.md
index 7085b245c..5491c2827 100644
--- a/docs/api/v1beta2/source.md
+++ b/docs/api/v1beta2/source.md
@@ -1614,56 +1614,6 @@ github.com/fluxcd/pkg/apis/meta.ReconcileRequestStatus
-
-
-(Appears on:
-OCIRepositoryVerification)
-
-CosignIdentityMatch specifies options for verifying the certificate identity,
-i.e. the issuer and the subject of the certificate.
-
@@ -2838,6 +2788,56 @@ string
+
+
+(Appears on:
+OCIRepositoryVerification)
+
+MatchOIDCIdentity specifies options for verifying the certificate identity,
+i.e. the issuer and the subject of the certificate.
+
@@ -3347,15 +3347,16 @@ trusted public keys.
-cosignIdentityMatch
+matchOIDCIdentity
-
-CosignIdentityMatch
+
+MatchOIDCIdentity
|
- CosignIdentityMatch specifies the identity matching criteria to use
+(Optional)
+ MatchOIDCIdentity specifies the identity matching criteria to use
while verifying an OCI artifact which was signed using Cosign keyless
signing.
|
diff --git a/docs/spec/v1beta2/helmcharts.md b/docs/spec/v1beta2/helmcharts.md
index c422b185f..532206d1f 100644
--- a/docs/spec/v1beta2/helmcharts.md
+++ b/docs/spec/v1beta2/helmcharts.md
@@ -308,10 +308,10 @@ For publicly available HelmCharts, which are signed using the
you can enable the verification by omitting the `.verify.secretRef` field.
To verify that the subject and the OIDC issuer present in the Fulcio certificate
-you can specify `.spec.verify.cosignIdentityMatch`. It provides two fields:
+you can specify `.spec.verify.oidcMatchIdentity`. It provides two fields:
-- `.issuerRegExp`, to sepcify a regexp that matches against the OIDC issuer.
-- `.subjectRegExp`, to specify a regexp that matches against the identity in
+- `.issuer`, to sepcify a regexp that matches against the OIDC issuer.
+- `.subject`, to specify a regexp that matches against the identity in
the certificate.
Both values should follow the [Go regular expression syntax](https://golang.org/s/re2syntax).
@@ -333,9 +333,9 @@ spec:
version: ">=6.1.6"
verify:
provider: cosign
- cosignIdentityMatch:
- subjectRegExp: "stefanprodan"
- issuerRegExp: "^https://token.actions.githubusercontent.com$"
+ oidcMatchIdentity:
+ subject: "stefanprodan"
+ issuer: "^https://token.actions.githubusercontent.com$"
```
```yaml
diff --git a/docs/spec/v1beta2/ocirepositories.md b/docs/spec/v1beta2/ocirepositories.md
index b23895211..56e4c89fc 100644
--- a/docs/spec/v1beta2/ocirepositories.md
+++ b/docs/spec/v1beta2/ocirepositories.md
@@ -506,7 +506,7 @@ signatures. The field offers two subfields:
- `.provider`, to specify the verification provider. Only supports `cosign` at present.
- `.secretRef.name`, to specify a reference to a Secret in the same namespace as
the OCIRepository, containing the Cosign public keys of trusted authors.
-- `.cosignIdentityMatch`, to specify the identity matching criteria if the
+- `.oidcMatchIdentity`, to specify the identity matching criteria if the
artifact was signed using Cosign keyless signing.
```yaml
@@ -558,10 +558,10 @@ For publicly available OCI artifacts, which are signed using the
you can enable the verification by omitting the `.verify.secretRef` field.
To verify that the subject and the OIDC issuer present in the Fulcio certificate
-you can specify `.spec.verify.cosignIdentityMatch`. It provides two fields:
+you can specify `.spec.verify.oidcMatchIdentity`. It provides two fields:
-- `.issuerRegExp`, to sepcify a regexp that matches against the OIDC issuer.
-- `.subjectRegExp`, to specify a regexp that matches against the identity in
+- `.issuer`, to sepcify a regexp that matches against the OIDC issuer.
+- `.subject`, to specify a regexp that matches against the identity in
the certificate.
Both values should follow the [Go regular expression syntax](https://golang.org/s/re2syntax).
@@ -578,9 +578,9 @@ spec:
url: oci://ghcr.io/stefanprodan/manifests/podinfo
verify:
provider: cosign
- cosignIdentityMatch:
- subjectRegExp: "stefanprodan"
- issuerRegExp: "^https://token.actions.githubusercontent.com$"
+ oidcMatchIdentity:
+ subject: "stefanprodan"
+ issuer: "^https://token.actions.githubusercontent.com$"
```
The controller verifies the signatures using the Fulcio root CA and the Rekor
diff --git a/internal/controller/helmchart_controller.go b/internal/controller/helmchart_controller.go
index 4b4207610..dc6d20d47 100644
--- a/internal/controller/helmchart_controller.go
+++ b/internal/controller/helmchart_controller.go
@@ -1338,13 +1338,13 @@ func (r *HelmChartReconciler) makeVerifiers(ctx context.Context, obj *helmv1.Hel
}
// if no secret is provided, add a keyless verifier
- if obj.Spec.Verify.CosignIdentityMatch != nil {
- if obj.Spec.Verify.CosignIdentityMatch.IssuerRegExp != "" {
- defaultCosignOciOpts = append(defaultCosignOciOpts, soci.WithIssuerRegexp(obj.Spec.Verify.CosignIdentityMatch.IssuerRegExp))
+ if obj.Spec.Verify.MatchOIDCIdentity != nil {
+ if obj.Spec.Verify.MatchOIDCIdentity.Issuer != "" {
+ defaultCosignOciOpts = append(defaultCosignOciOpts, soci.WithIssuerRegexp(obj.Spec.Verify.MatchOIDCIdentity.Issuer))
}
- if obj.Spec.Verify.CosignIdentityMatch.SubjectRegExp != "" {
- defaultCosignOciOpts = append(defaultCosignOciOpts, soci.WithSubjectRegexp(obj.Spec.Verify.CosignIdentityMatch.SubjectRegExp))
+ if obj.Spec.Verify.MatchOIDCIdentity.Subject != "" {
+ defaultCosignOciOpts = append(defaultCosignOciOpts, soci.WithSubjectRegexp(obj.Spec.Verify.MatchOIDCIdentity.Subject))
}
}
verifier, err := soci.NewCosignVerifier(ctx, defaultCosignOciOpts...)
diff --git a/internal/controller/helmchart_controller_test.go b/internal/controller/helmchart_controller_test.go
index c34099a28..fe9d6aa1a 100644
--- a/internal/controller/helmchart_controller_test.go
+++ b/internal/controller/helmchart_controller_test.go
@@ -2560,9 +2560,9 @@ func TestHelmChartRepository_reconcileSource_verifyOCISourceSignature_keyless(t
version: "6.5.1",
want: sreconcile.ResultSuccess,
beforeFunc: func(obj *helmv1.HelmChart) {
- obj.Spec.Verify.CosignIdentityMatch = &helmv1.CosignIdentityMatch{
- SubjectRegExp: "stefanprodan",
- IssuerRegExp: "^https://token.actions.githubusercontent.com$",
+ obj.Spec.Verify.MatchOIDCIdentity = &helmv1.MatchOIDCIdentity{
+ Subject: "stefanprodan",
+ Issuer: "^https://token.actions.githubusercontent.com$",
}
},
assertConditions: []metav1.Condition{
@@ -2578,9 +2578,9 @@ func TestHelmChartRepository_reconcileSource_verifyOCISourceSignature_keyless(t
wantErr: true,
want: sreconcile.ResultEmpty,
beforeFunc: func(obj *helmv1.HelmChart) {
- obj.Spec.Verify.CosignIdentityMatch = &helmv1.CosignIdentityMatch{
- SubjectRegExp: "intruder",
- IssuerRegExp: "^https://honeypot.com$",
+ obj.Spec.Verify.MatchOIDCIdentity = &helmv1.MatchOIDCIdentity{
+ Subject: "intruder",
+ Issuer: "^https://honeypot.com$",
}
},
assertConditions: []metav1.Condition{
diff --git a/internal/controller/ocirepository_controller.go b/internal/controller/ocirepository_controller.go
index 3a152218b..b08e22fff 100644
--- a/internal/controller/ocirepository_controller.go
+++ b/internal/controller/ocirepository_controller.go
@@ -665,13 +665,13 @@ func (r *OCIRepositoryReconciler) verifySignature(ctx context.Context, obj *ociv
// if no secret is provided, try keyless verification
ctrl.LoggerFrom(ctx).Info("no secret reference is provided, trying to verify the image using keyless method")
- if obj.Spec.Verify.CosignIdentityMatch != nil {
- if obj.Spec.Verify.CosignIdentityMatch.IssuerRegExp != "" {
- defaultCosignOciOpts = append(defaultCosignOciOpts, soci.WithIssuerRegexp(obj.Spec.Verify.CosignIdentityMatch.IssuerRegExp))
+ if obj.Spec.Verify.MatchOIDCIdentity != nil {
+ if obj.Spec.Verify.MatchOIDCIdentity.Issuer != "" {
+ defaultCosignOciOpts = append(defaultCosignOciOpts, soci.WithIssuerRegexp(obj.Spec.Verify.MatchOIDCIdentity.Issuer))
}
- if obj.Spec.Verify.CosignIdentityMatch.SubjectRegExp != "" {
- defaultCosignOciOpts = append(defaultCosignOciOpts, soci.WithSubjectRegexp(obj.Spec.Verify.CosignIdentityMatch.SubjectRegExp))
+ if obj.Spec.Verify.MatchOIDCIdentity.Subject != "" {
+ defaultCosignOciOpts = append(defaultCosignOciOpts, soci.WithSubjectRegexp(obj.Spec.Verify.MatchOIDCIdentity.Subject))
}
}
verifier, err := soci.NewCosignVerifier(ctxTimeout, defaultCosignOciOpts...)
diff --git a/internal/controller/ocirepository_controller_test.go b/internal/controller/ocirepository_controller_test.go
index 69d989852..bb7cea8c9 100644
--- a/internal/controller/ocirepository_controller_test.go
+++ b/internal/controller/ocirepository_controller_test.go
@@ -1467,9 +1467,9 @@ func TestOCIRepository_reconcileSource_verifyOCISourceSignature_keyless(t *testi
},
want: sreconcile.ResultSuccess,
beforeFunc: func(obj *ociv1.OCIRepository) {
- obj.Spec.Verify.CosignIdentityMatch = &ociv1.CosignIdentityMatch{
- SubjectRegExp: "stefanprodan",
- IssuerRegExp: "^https://token.actions.githubusercontent.com$",
+ obj.Spec.Verify.MatchOIDCIdentity = &ociv1.MatchOIDCIdentity{
+ Subject: "stefanprodan",
+ Issuer: "^https://token.actions.githubusercontent.com$",
}
},
assertConditions: []metav1.Condition{
@@ -1487,9 +1487,9 @@ func TestOCIRepository_reconcileSource_verifyOCISourceSignature_keyless(t *testi
wantErr: true,
want: sreconcile.ResultEmpty,
beforeFunc: func(obj *ociv1.OCIRepository) {
- obj.Spec.Verify.CosignIdentityMatch = &ociv1.CosignIdentityMatch{
- SubjectRegExp: "intruder",
- IssuerRegExp: "^https://honeypot.com$",
+ obj.Spec.Verify.MatchOIDCIdentity = &ociv1.MatchOIDCIdentity{
+ Subject: "intruder",
+ Issuer: "^https://honeypot.com$",
}
},
assertConditions: []metav1.Condition{
diff --git a/internal/oci/verifier.go b/internal/oci/verifier.go
index 1adbacc8e..770753e73 100644
--- a/internal/oci/verifier.go
+++ b/internal/oci/verifier.go
@@ -64,15 +64,15 @@ func WithRemoteOptions(opts ...remote.Option) Options {
}
}
-func WithSubjectRegexp(subjectRegExp string) Options {
+func WithSubjectRegexp(subject string) Options {
return func(opts *options) {
- opts.SubjectRegExp = subjectRegExp
+ opts.SubjectRegExp = subject
}
}
-func WithIssuerRegexp(issuerRegExp string) Options {
+func WithIssuerRegexp(issuer string) Options {
return func(opts *options) {
- opts.IssuerRegExp = issuerRegExp
+ opts.IssuerRegExp = issuer
}
}