Documentation
Index
- Constants
- Variables
- func ValidatePolicy(ctx context.Context, policyConfig string) error
- type FakeKubernetesClient
- type Options
- type Policy
- func NewInertPolicy(ctx context.Context, policyRef string) (Policy, error)
- func NewInputPolicy(ctx context.Context, policyRef string, effectiveTime string) (Policy, error)
- func NewOfflinePolicy(ctx context.Context, effectiveTime string) (Policy, error)
- func NewPolicy(ctx context.Context, opts Options) (Policy, error)
- func PreProcessPolicy(ctx context.Context, policyOptions Options) (Policy, *cache.PolicyCache, error)
- type SigstoreOpts
Constants
const (
	Now = "now"
	AtAttestation = "attestation"
	DateFormat = "2006-01-02"
)
Variables
var PolicySourcesFrom = source.PolicySourcesFrom
Functions
Types
type FakeKubernetesClient
type FakeKubernetesClient struct {
Policy ecc.EnterpriseContractPolicySpec
Snapshot app.SnapshotSpec
FetchError bool
}
func (*FakeKubernetesClient) FetchEnterpriseContractPolicy
func (c *FakeKubernetesClient) FetchEnterpriseContractPolicy(ctx context.Context, ref string) (*ecc.EnterpriseContractPolicy, error)
func (*FakeKubernetesClient) FetchSnapshot
type Policy
type Policy interface {
PublicKeyPEM() ([]byte, error)
CheckOpts() (*cosign.CheckOpts, error)
WithSpec(spec ecc.EnterpriseContractPolicySpec) Policy
Spec() ecc.EnterpriseContractPolicySpec
EffectiveTime() time.Time
AttestationTime(time.Time)
Identity() cosign.Identity
Keyless() bool
SigstoreOpts() (SigstoreOpts, error)
}
func NewInertPolicy
NewInertPolicy constructs and returns a new instance of Policy that doesn't perform strict checks on the consistency of the policy.
The policyRef parameter is expected to be either a JSON-encoded instance of EnterpriseContractPolicySpec, or a reference to the location of the EnterpriseContractPolicy resource in Kubernetes using the format: [namespace/]name
If policyRef is blank, an empty EnterpriseContractPolicySpec is used.
func NewInputPolicy
NewInputPolicy constructs and returns a new instance of Policy that doesn't perform strict checks on the consistency of the policy, but can evaluate based on the provided effectiveTime.
The policyRef parameter is expected to be either a YAML/JSON-encoded instance of EnterpriseContractPolicySpec, or a reference to the location of the EnterpriseContractPolicy resource in Kubernetes using the format: [namespace/]name
If policyRef is blank, an empty EnterpriseContractPolicySpec is used.
func NewOfflinePolicy
NewOfflinePolicy constructs and returns a new instance of Policy that is used in offline scenarios, i.e. without access to a cluster or to specific services, and with no signature verification being performed.
func NewPolicy
NewPolicy constructs and returns a new instance of Policy.
The policyRef parameter is expected to be either a JSON-encoded instance of EnterpriseContractPolicySpec, or a reference to the location of the EnterpriseContractPolicy resource in Kubernetes using the format: [namespace/]name
If policyRef is blank, an empty EnterpriseContractPolicySpec is used.
rekorUrl and publicKey provide a mechanism to overwrite the attributes of the same name in the EnterpriseContractPolicySpec.
The public key is resolved as part of object construction. If the public key is a reference to a Kubernetes resource, for example, the cluster will be contacted.
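The inline-JSON versus [namespace/]name convention that NewInertPolicy, NewInputPolicy and NewPolicy share for policyRef, as an added example that is not the package's own code: a hypothetical ClassifyPolicyRef helper that decides which form a policyRef takes and rejects a malformed reference before any cluster lookup is attempted. The sample reference in main is constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// RefKind says how a policyRef string is to be resolved.
type RefKind int

const (
	RefEmpty      RefKind = iota // blank: an empty EnterpriseContractPolicySpec is used
	RefInline                    // JSON-encoded EnterpriseContractPolicySpec
	RefKubernetes                // [namespace/]name reference to a cluster resource
)
// ClassifiedRef is the parsed form of a policyRef; Namespace is empty when omitted.
type ClassifiedRef struct {
	Kind      RefKind
	Namespace string
	Name      string
}

// ClassifyPolicyRef is a hypothetical helper (not the package's own resolver): it
// tells inline JSON apart from a [namespace/]name reference and rejects malformed
// references before anything is fetched from a cluster.
func ClassifyPolicyRef(policyRef string) (ClassifiedRef, error) {
	ref := strings.TrimSpace(policyRef)
	if ref == "" {
		return ClassifiedRef{Kind: RefEmpty}, nil
	}
	if strings.HasPrefix(ref, "{") { // inline spec: require well-formed JSON
		if !json.Valid([]byte(ref)) {
			return ClassifiedRef{}, fmt.Errorf("policyRef looks like JSON but does not parse")
		}
		return ClassifiedRef{Kind: RefInline}, nil
	}
	parts := strings.Split(ref, "/")
	switch {
	case len(parts) == 1 && parts[0] != "":
		return ClassifiedRef{Kind: RefKubernetes, Name: parts[0]}, nil
	case len(parts) == 2 && parts[0] != "" && parts[1] != "":
		return ClassifiedRef{Kind: RefKubernetes, Namespace: parts[0], Name: parts[1]}, nil
	}
	return ClassifiedRef{}, fmt.Errorf("malformed policyRef %q: expected [namespace/]name", ref)
}

func main() {
	fmt.Println(ClassifyPolicyRef("ec-policies/default")) // constructed sample reference
}
```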
func PreProcessPolicy
func PreProcessPolicy(ctx context.Context, policyOptions Options) (Policy, *cache.PolicyCache, error)
PreProcessPolicy fetches policy sources and returns a policy object with pinned SHA/image digest URL where applicable, along with a policy cache object.
type SigstoreOpts
type SigstoreOpts struct {
CertificateIdentity string `json:"certificate_identity"`
CertificateIdentityRegExp string `json:"certificate_identity_regexp"`
CertificateOIDCIssuer string `json:"certificate_oidc_issuer"`
CertificateOIDCIssuerRegExp string `json:"certificate_oidc_issuer_regexp"`
IgnoreRekor bool `json:"ignore_rekor"`
PublicKey string `json:"public_key"`
RekorURL string `json:"rekor_url"`
}