cosign: change cosignIdentityMatch to matchOIDCIdentity

Signed-off-by: Sanskar Jaiswal <[email protected]>

api/v1beta2/ocirepository_types.go

@@ -191,25 +191,26 @@ type OCIRepositoryVerification struct {
 	// +optional
 	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
 
-	// CosignIdentityMatch specifies the identity matching criteria to use
+	// MatchOIDCIdentity specifies the identity matching criteria to use
 	// while verifying an OCI artifact which was signed using Cosign keyless
 	// signing.
-	CosignIdentityMatch *CosignIdentityMatch `json:"cosignIdentityMatch,omitempty"`
+	// +optional
+	MatchOIDCIdentity *MatchOIDCIdentity `json:"matchOIDCIdentity,omitempty"`
 }
 
-// CosignIdentityMatch specifies options for verifying the certificate identity,
+// MatchOIDCIdentity specifies options for verifying the certificate identity,
 // i.e. the issuer and the subject of the certificate.
-type CosignIdentityMatch struct {
-	// IssuerRegExp specifies the regex pattern to match against to verify
+type MatchOIDCIdentity struct {
+	// Issuer specifies the regex pattern to match against to verify
 	// the OIDC issuer in the Fulcio certificate. The pattern must be a
 	// valid Go regular expression.
 	// +optional
-	IssuerRegExp string `json:"issuerRegExp,omitempty"`
-	// SubjectRegExp specifies the regex pattern to match against to verify
+	Issuer string `json:"issuer,omitempty"`
+	// Subject specifies the regex pattern to match against to verify
 	// the identity in the Fulcio certificate. The pattern must be a
 	// valid Go regular expression.
 	// +optional
-	SubjectRegExp string `json:"subjectRegExp,omitempty"`
+	Subject string `json:"subject,omitempty"`
 }
 
 // OCIRepositoryStatus defines the observed state of OCIRepository

config/crd/bases/source.toolkit.fluxcd.io_helmcharts.yaml

@@ -411,19 +411,19 @@ spec:
                   Chart dependencies, which are not bundled in the umbrella chart
                   artifact, are not verified.
                 properties:
-                  cosignIdentityMatch:
-                    description: CosignIdentityMatch specifies the identity matching
+                  matchOIDCIdentity:
+                    description: MatchOIDCIdentity specifies the identity matching
                       criteria to use while verifying an OCI artifact which was signed
                       using Cosign keyless signing.
                     properties:
-                      issuerRegExp:
-                        description: IssuerRegExp specifies the regex pattern to match
-                          against to verify the OIDC issuer in the Fulcio certificate.
-                          The pattern must be a valid Go regular expression.
+                      issuer:
+                        description: Issuer specifies the regex pattern to match against
+                          to verify the OIDC issuer in the Fulcio certificate. The
+                          pattern must be a valid Go regular expression.
                         type: string
-                      subjectRegExp:
-                        description: SubjectRegExp specifies the regex pattern to
-                          match against to verify the identity in the Fulcio certificate.
+                      subject:
+                        description: Subject specifies the regex pattern to match
+                          against to verify the identity in the Fulcio certificate.
                           The pattern must be a valid Go regular expression.
                         type: string
                     type: object

config/crd/bases/source.toolkit.fluxcd.io_ocirepositories.yaml

@@ -164,19 +164,19 @@ spec:
                   public keys used to verify the signature and specifies which provider
                   to use to check whether OCI image is authentic.
                 properties:
-                  cosignIdentityMatch:
-                    description: CosignIdentityMatch specifies the identity matching
+                  matchOIDCIdentity:
+                    description: MatchOIDCIdentity specifies the identity matching
                       criteria to use while verifying an OCI artifact which was signed
                       using Cosign keyless signing.
                     properties:
-                      issuerRegExp:
-                        description: IssuerRegExp specifies the regex pattern to match
-                          against to verify the OIDC issuer in the Fulcio certificate.
-                          The pattern must be a valid Go regular expression.
+                      issuer:
+                        description: Issuer specifies the regex pattern to match against
+                          to verify the OIDC issuer in the Fulcio certificate. The
+                          pattern must be a valid Go regular expression.
                         type: string
-                      subjectRegExp:
-                        description: SubjectRegExp specifies the regex pattern to
-                          match against to verify the identity in the Fulcio certificate.
+                      subject:
+                        description: Subject specifies the regex pattern to match
+                          against to verify the identity in the Fulcio certificate.
                           The pattern must be a valid Go regular expression.
                         type: string
                     type: object

docs/api/v1beta2/source.md

@@ -1614,56 +1614,6 @@ github.com/fluxcd/pkg/apis/meta.ReconcileRequestStatus
 </table>
 </div>
 </div>
-<h3 id="source.toolkit.fluxcd.io/v1beta2.CosignIdentityMatch">CosignIdentityMatch
-</h3>
-<p>
-(<em>Appears on:</em>
-<a href="#source.toolkit.fluxcd.io/v1beta2.OCIRepositoryVerification">OCIRepositoryVerification</a>)
-</p>
-<p>CosignIdentityMatch specifies options for verifying the certificate identity,
-i.e. the issuer and the subject of the certificate.</p>
-<div class="md-typeset__scrollwrap">
-<div class="md-typeset__table">
-<table>
-<thead>
-<tr>
-<th>Field</th>
-<th>Description</th>
-</tr>
-</thead>
-<tbody>
-<tr>
-<td>
-<code>issuerRegExp</code><br>
-<em>
-string
-</em>
-</td>
-<td>
-<em>(Optional)</em>
-<p>IssuerRegExp specifies the regex pattern to match against to verify
-the OIDC issuer in the Fulcio certificate. The pattern must be a
-valid Go regular expression.</p>
-</td>
-</tr>
-<tr>
-<td>
-<code>subjectRegExp</code><br>
-<em>
-string
-</em>
-</td>
-<td>
-<em>(Optional)</em>
-<p>SubjectRegExp specifies the regex pattern to match against to verify
-the identity in the Fulcio certificate. The pattern must be a
-valid Go regular expression.</p>
-</td>
-</tr>
-</tbody>
-</table>
-</div>
-</div>
 <h3 id="source.toolkit.fluxcd.io/v1beta2.GitRepositoryInclude">GitRepositoryInclude
 </h3>
 <p>
@@ -2838,6 +2788,56 @@ string
 </table>
 </div>
 </div>
+<h3 id="source.toolkit.fluxcd.io/v1beta2.MatchOIDCIdentity">MatchOIDCIdentity
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#source.toolkit.fluxcd.io/v1beta2.OCIRepositoryVerification">OCIRepositoryVerification</a>)
+</p>
+<p>MatchOIDCIdentity specifies options for verifying the certificate identity,
+i.e. the issuer and the subject of the certificate.</p>
+<div class="md-typeset__scrollwrap">
+<div class="md-typeset__table">
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>issuer</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Issuer specifies the regex pattern to match against to verify
+the OIDC issuer in the Fulcio certificate. The pattern must be a
+valid Go regular expression.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>subject</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Subject specifies the regex pattern to match against to verify
+the identity in the Fulcio certificate. The pattern must be a
+valid Go regular expression.</p>
+</td>
+</tr>
+</tbody>
+</table>
+</div>
+</div>
 <h3 id="source.toolkit.fluxcd.io/v1beta2.OCILayerSelector">OCILayerSelector
 </h3>
 <p>
@@ -3347,15 +3347,16 @@ trusted public keys.</p>
 </tr>
 <tr>
 <td>
-<code>cosignIdentityMatch</code><br>
+<code>matchOIDCIdentity</code><br>
 <em>
-<a href="#source.toolkit.fluxcd.io/v1beta2.CosignIdentityMatch">
-CosignIdentityMatch
+<a href="#source.toolkit.fluxcd.io/v1beta2.MatchOIDCIdentity">
+MatchOIDCIdentity
 </a>
 </em>
 </td>
 <td>
-<p>CosignIdentityMatch specifies the identity matching criteria to use
+<em>(Optional)</em>
+<p>MatchOIDCIdentity specifies the identity matching criteria to use
 while verifying an OCI artifact which was signed using Cosign keyless
 signing.</p>
 </td>

docs/spec/v1beta2/helmcharts.md

@@ -308,10 +308,10 @@ For publicly available HelmCharts, which are signed using the
 you can enable the verification by omitting the `.verify.secretRef` field.
 
 To verify that the subject and the OIDC issuer present in the Fulcio certificate
-you can specify `.spec.verify.cosignIdentityMatch`. It provides two fields:
+you can specify `.spec.verify.matchOIDCIdentity`. It provides two fields:
 
-- `.issuerRegExp`, to sepcify a regexp that matches against the OIDC issuer.
-- `.subjectRegExp`, to specify a regexp that matches against the identity in
+- `.issuer`, to sepcify a regexp that matches against the OIDC issuer.
+- `.subject`, to specify a regexp that matches against the identity in
    the certificate.
 Both values should follow the [Go regular expression syntax](https://golang.org/s/re2syntax).
 
@@ -333,9 +333,9 @@ spec:
   version: ">=6.1.6"
   verify:
     provider: cosign
-    cosignIdentityMatch:
-      subjectRegExp: "stefanprodan"
-      issuerRegExp: "^https://token.actions.githubusercontent.com$"
+    matchOIDCIdentity:
+      subject: "^https://github.com/stefanprodan/podinfo.*$"
+      issuer: "^https://token.actions.githubusercontent.com$"
 ```
 
 ```yaml

docs/spec/v1beta2/ocirepositories.md

@@ -506,7 +506,7 @@ signatures. The field offers two subfields:
 - `.provider`, to specify the verification provider. Only supports `cosign` at present.
 - `.secretRef.name`, to specify a reference to a Secret in the same namespace as
   the OCIRepository, containing the Cosign public keys of trusted authors.
-- `.cosignIdentityMatch`, to specify the identity matching criteria if the
+- `.matchOIDCIdentity`, to specify the identity matching criteria if the
    artifact was signed using Cosign keyless signing.
 
 ```yaml
@@ -558,10 +558,10 @@ For publicly available OCI artifacts, which are signed using the
 you can enable the verification by omitting the `.verify.secretRef` field.
 
 To verify that the subject and the OIDC issuer present in the Fulcio certificate
-you can specify `.spec.verify.cosignIdentityMatch`. It provides two fields:
+you can specify `.spec.verify.matchOIDCIdentity`. It provides two fields:
 
-- `.issuerRegExp`, to sepcify a regexp that matches against the OIDC issuer.
-- `.subjectRegExp`, to specify a regexp that matches against the identity in
+- `.issuer`, to sepcify a regexp that matches against the OIDC issuer.
+- `.subject`, to specify a regexp that matches against the identity in
    the certificate.
 Both values should follow the [Go regular expression syntax](https://golang.org/s/re2syntax).
 
@@ -578,9 +578,9 @@ spec:
   url: oci://ghcr.io/stefanprodan/manifests/podinfo
   verify:
     provider: cosign
-    cosignIdentityMatch:
-      subjectRegExp: "stefanprodan"
-      issuerRegExp: "^https://token.actions.githubusercontent.com$"
+    matchOIDCIdentity:
+      subject: "^https://github.com/stefanprodan/podinfo.*$"
+      issuer: "^https://token.actions.githubusercontent.com$"
 ```
 
 The controller verifies the signatures using the Fulcio root CA and the Rekor

internal/controller/helmchart_controller.go

@@ -1338,13 +1338,13 @@ func (r *HelmChartReconciler) makeVerifiers(ctx context.Context, obj *helmv1.Hel
 		}
 
 		// if no secret is provided, add a keyless verifier
-		if obj.Spec.Verify.CosignIdentityMatch != nil {
-			if obj.Spec.Verify.CosignIdentityMatch.IssuerRegExp != "" {
-				defaultCosignOciOpts = append(defaultCosignOciOpts, soci.WithIssuerRegexp(obj.Spec.Verify.CosignIdentityMatch.IssuerRegExp))
+		if obj.Spec.Verify.MatchOIDCIdentity != nil {
+			if obj.Spec.Verify.MatchOIDCIdentity.Issuer != "" {
+				defaultCosignOciOpts = append(defaultCosignOciOpts, soci.WithIssuerRegexp(obj.Spec.Verify.MatchOIDCIdentity.Issuer))
 			}
 
-			if obj.Spec.Verify.CosignIdentityMatch.SubjectRegExp != "" {
-				defaultCosignOciOpts = append(defaultCosignOciOpts, soci.WithSubjectRegexp(obj.Spec.Verify.CosignIdentityMatch.SubjectRegExp))
+			if obj.Spec.Verify.MatchOIDCIdentity.Subject != "" {
+				defaultCosignOciOpts = append(defaultCosignOciOpts, soci.WithSubjectRegexp(obj.Spec.Verify.MatchOIDCIdentity.Subject))
 			}
 		}
 		verifier, err := soci.NewCosignVerifier(ctx, defaultCosignOciOpts...)

internal/controller/ocirepository_controller.go

@@ -665,13 +665,13 @@ func (r *OCIRepositoryReconciler) verifySignature(ctx context.Context, obj *ociv
 		// if no secret is provided, try keyless verification
 		ctrl.LoggerFrom(ctx).Info("no secret reference is provided, trying to verify the image using keyless method")
 
-		if obj.Spec.Verify.CosignIdentityMatch != nil {
-			if obj.Spec.Verify.CosignIdentityMatch.IssuerRegExp != "" {
-				defaultCosignOciOpts = append(defaultCosignOciOpts, soci.WithIssuerRegexp(obj.Spec.Verify.CosignIdentityMatch.IssuerRegExp))
+		if obj.Spec.Verify.MatchOIDCIdentity != nil {
+			if obj.Spec.Verify.MatchOIDCIdentity.Issuer != "" {
+				defaultCosignOciOpts = append(defaultCosignOciOpts, soci.WithIssuerRegexp(obj.Spec.Verify.MatchOIDCIdentity.Issuer))
 			}
 
-			if obj.Spec.Verify.CosignIdentityMatch.SubjectRegExp != "" {
-				defaultCosignOciOpts = append(defaultCosignOciOpts, soci.WithSubjectRegexp(obj.Spec.Verify.CosignIdentityMatch.SubjectRegExp))
+			if obj.Spec.Verify.MatchOIDCIdentity.Subject != "" {
+				defaultCosignOciOpts = append(defaultCosignOciOpts, soci.WithSubjectRegexp(obj.Spec.Verify.MatchOIDCIdentity.Subject))
 			}
 		}
 		verifier, err := soci.NewCosignVerifier(ctxTimeout, defaultCosignOciOpts...)